Re: ROA mirror to IRR?

2021-10-27 Thread Laura Smith via NANOG
‐‐‐ Original Message ‐‐‐
On Tuesday, October 26th, 2021 at 21:17, Shawn wrote:
> Is it standard practice to accept more specifics (append IPv4 "le /24" and  
> IPv6 "le /48")?


There was a blog post written somewhere (unfortunately I cannot locate it) 
that urged caution as to how you configure more specifics at RIRs, as doing it 
the wrong way opened you up to spoofing or somesuch.

I seem to recall the obvious way (your suggested "append le/24" etc.) was very 
much not recommended.

No doubt some kind soul on list will have that blog post in their bookmarks 
and/or others may wish to comment on the concept.


Re: ROA mirror to IRR?

2021-10-27 Thread Ben Maddison via NANOG
Hi Shawn,

On 10/26, Shawn wrote:
> 
> 
> IRR questions:
> How do most large networks maintain (automate) their IRR records?
> Is it standard practice to accept more specifics (append IPv4 "le /24" and
> IPv6 "le /48")?
>  Or is it expected to have one IRR route per BGP announcement?
> 
We (37271) use different policies depending on our relationship to the
neighbor.
From customers, we require an exactly matching route(6) object.
From peers, we accept more specifics up to /24 or /48.

The rationale for this is:
1.  We consider that we have a higher "duty of care" with respect to
routes that we intend to announce to the wider Internet; and
2.  Having a customer facing policy that is at least as strict as our
strictest neighbor helps eliminate hard to troubleshoot propagation
issues.

We've been doing things this way for several years now, and it seems to
be a good middle ground.

Cheers,

Ben


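The two policies Ben describes (exact route(6) match for customers, more specifics up to /24 or /48 for peers) as an added worked example; this is illustrative code written for this page, not AS37271's filter generator, and the route objects, prefixes and AS numbers in it are constructed sample data from the documentation ranges:

```python
"""Accept/reject a received route against IRR route(6) objects.

Added example (not code from the thread). Customers need an exactly matching
route(6) object for the announced prefix and origin; peers may announce more
specifics of a registered prefix, but no longer than /24 (IPv4) or /48 (IPv6),
i.e. the registered prefix with "le /24" / "le /48" appended.
"""
import ipaddress
from dataclasses import dataclass

# Longest more-specific accepted from peers, per address family.
MAX_LEN = {4: 24, 6: 48}


@dataclass(frozen=True)
class RouteObject:
    prefix: str   # the "route:" / "route6:" attribute
    origin: int   # the "origin:" attribute, AS number without the "AS" prefix


# Constructed sample IRR data (documentation prefixes, private-use ASNs).
SAMPLE_IRR = [
    RouteObject("192.0.2.0/24", 64496),
    RouteObject("198.51.100.0/24", 64496),
    RouteObject("2001:db8::/32", 64496),
    RouteObject("203.0.113.0/24", 64497),
]


def covering_objects(irr, prefix, origin):
    """Registered prefixes with the given origin that cover `prefix`."""
    net = ipaddress.ip_network(prefix, strict=True)
    covers = []
    for obj in irr:
        if obj.origin != origin:
            continue
        reg = ipaddress.ip_network(obj.prefix, strict=True)
        # subnet_of() raises on mixed address families, so check version first.
        if reg.version == net.version and net.subnet_of(reg):
            covers.append(reg)
    return covers


def accept(irr, prefix, origin, neighbor_type):
    """True if `prefix` from `origin` passes the policy for this neighbor type."""
    net = ipaddress.ip_network(prefix, strict=True)
    covers = covering_objects(irr, prefix, origin)
    if neighbor_type == "customer":
        # Exact match only: an object for precisely this prefix and origin.
        return any(reg.prefixlen == net.prefixlen for reg in covers)
    if neighbor_type == "peer":
        # Any covering object is enough, but the announcement itself must not
        # be longer than the "le" bound for its address family.
        return bool(covers) and net.prefixlen <= MAX_LEN[net.version]
    raise ValueError(f"unknown neighbor type: {neighbor_type}")


if __name__ == "__main__":
    checks = [
        ("192.0.2.0/24", 64496),    # registered exactly
        ("192.0.2.0/25", 64496),    # more specific, beyond /24
        ("2001:db8:1::/48", 64496), # more specific of the /32, within /48
        ("2001:db8:1::/49", 64496), # beyond /48
        ("203.0.113.0/24", 64496),  # registered, but with a different origin
    ]
    for pfx, asn in checks:
        print(f"{pfx:18} AS{asn}  customer={accept(SAMPLE_IRR, pfx, asn, 'customer')!s:5} "
              f"peer={accept(SAMPLE_IRR, pfx, asn, 'peer')}")
```

The same customer announcement that fails the exact-match rule also fails at any upstream applying "le /24", which is the propagation problem the stricter customer-facing policy is meant to surface at the edge rather than several hops away.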


Re: ROA mirror to IRR?

2021-10-26 Thread Vincent Bernat
 ❦ 26 October 2021 10:17 -10, Shawn:

> Curious if any IRR databases are mirroring/importing ROA data - creating
> route|6 objects from ROA?

This is a feature of IRRd 4: https://irrd.readthedocs.io/en/stable/admins/rpki/

> IRR questions:
> How do most large networks maintain (automate) their IRR records?
> Is it standard practice to accept more specifics (append IPv4 "le /24" and
> IPv6 "le /48")?
>  Or is it expected to have one IRR route per BGP announcement?

IMO, many accept more specifics, but you shouldn't rely on this under
normal circumstances.
-- 
Make sure input cannot violate the limits of the program.
- The Elements of Programming Style (Kernighan & Plauger)


Re: ROA mirror to IRR?

2021-10-26 Thread Rubens Kuhl
TC(bgp.net.br) is using IRRd 4.2, which has an RPKI pseudo-source with
exactly that. ROAs are downloaded from NTT. You can see what they look
like at:
https://bgp.net.br/whois/?q=-s%20RPKI%20200.160.0.0/20

But this is not used to create route(6) objects in the TC source, only
to invalidate route(6) objects that users create at TC. Mirrored IRRs
like RADB are not subject to RPKI validation, only to scope filter
(private IP addresses, private ASNs).


Rubens

On Tue, Oct 26, 2021 at 5:29 PM Shawn wrote:
>
> Curious if any IRR databases are mirroring/importing ROA data - creating
> route|6 objects from ROA?
>
> LACNIC requires a route object to be created when creating a ROA.
> APNIC you create a route object, then may generate a ROA during that
> process.
> Other RIRs, curious if anything tries to bring the two together?
>
> Applicable for networks that only use IRR data (do not yet validate RPKI),
> they could benefit.
>
> IRR questions:
> How do most large networks maintain (automate) their IRR records?
> Is it standard practice to accept more specifics (append IPv4 "le /24" and
> IPv6 "le /48")?
>  Or is it expected to have one IRR route per BGP announcement?
>
>
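What "only to invalidate route(6) objects" amounts to in practice, as an added example (written for this page, not IRRd's implementation or TC's configuration): RFC 6811 origin validation applied to registered route objects instead of BGP announcements, with objects from mirrored sources left unchecked as Rubens describes. The ROAs, route objects and source names below are constructed sample data.

```python
"""Mark IRR route(6) objects valid / invalid / not-found against a ROA set.

Added example, not IRRd code. Each object is compared with the ROAs that
cover its prefix: a covering ROA with the same origin and a maxLength at or
beyond the object's prefix length makes it valid; covering ROAs with no such
match make it invalid; no covering ROA at all leaves it not-found. Objects in
mirrored (non-authoritative) sources are skipped rather than judged.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str
    max_length: int
    asn: int        # 0 is the AS0 ROA: nothing may originate this prefix


@dataclass(frozen=True)
class RouteObject:
    prefix: str
    origin: int
    source: str     # e.g. the local authoritative source vs a mirrored one


# Constructed sample ROAs (documentation prefixes, private-use ASNs).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/24", 25, 64497),
    ROA("2001:db8::/32", 48, 64496),
    ROA("203.0.113.0/24", 24, 0),      # AS0: invalidates every origin
]


def rov_state(roas, obj):
    """RFC 6811 state of one route object: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(obj.prefix, strict=True)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=True)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa.asn == obj.origin and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


def validate_objects(roas, objects, authoritative_sources):
    """Map each object to its state; mirrored sources get 'not-checked'."""
    result = {}
    for obj in objects:
        if obj.source not in authoritative_sources:
            result[obj] = "not-checked"
        else:
            result[obj] = rov_state(roas, obj)
    return result


if __name__ == "__main__":
    # Constructed sample objects: "LOCAL" stands for the authoritative source.
    objects = [
        RouteObject("192.0.2.0/24", 64496, "LOCAL"),       # valid
        RouteObject("192.0.2.0/25", 64496, "LOCAL"),       # exceeds maxLength
        RouteObject("198.51.100.128/25", 64497, "LOCAL"),  # valid under maxLength 25
        RouteObject("203.0.113.0/24", 64498, "LOCAL"),     # AS0 ROA
        RouteObject("192.0.2.0/25", 64496, "MIRROR"),      # mirrored: untouched
        RouteObject("10.0.0.0/8", 64496, "LOCAL"),         # no covering ROA
    ]
    for obj, state in validate_objects(SAMPLE_ROAS, objects, {"LOCAL"}).items():
        print(f"{obj.source:7} {obj.prefix:20} AS{obj.origin:<6} {state}")
```

Note that a route object with a prefix longer than the ROA's maxLength comes out invalid even when the origin matches, so an operator who registered "le /24" style more specifics without a matching maxLength would see those objects flagged.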


Re: ROA mirror to IRR?

2021-10-26 Thread George Michaelson
On Wed, Oct 27, 2021 at 6:31 AM Shawn wrote:
>
> Curious if any IRR databases are mirroring/importing ROA data - creating
> route|6 objects from ROA?
>
> LACNIC requires a route object to be created when creating a ROA.

> APNIC you create a route object, then may generate a ROA during that
> process.

This is a mis-characterisation of the situation. In APNIC, we have
implemented abstract routing management: you tell us the routes you
want to declare and have to elect to do ONLY route: object or ONLY ROA
- we make the ROA & route: objects aligned, to represent what you asked
for in the abstracted route. It's only if you specifically ask us to
make discrete, unaligned states in both worlds that we do that. By default,
they mirror each other (modulo the limits of maxlen over the prefix at
hand: we don't make the "forest" of routes which would be needed
beyond a small distance maxlen - prefixlen).

Separately, we kept the old whois object update path. You can elect to
make a route: object directly in the RPSL maintenance engine. If you
come into routes management, we flag the mis-alignment, such as it is,
and you can make the ROA.

cheers

-George

> Other RIRs, curious if anything tries to bring the two together?
>
> Applicable for networks that only use IRR data (do not yet validate RPKI),
> they could benefit.
>
> IRR questions:
> How do most large networks maintain (automate) their IRR records?
> Is it standard practice to accept more specifics (append IPv4 "le /24" and
> IPv6 "le /48")?
>  Or is it expected to have one IRR route per BGP announcement?
>
>
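The "forest" George refers to, made concrete as an added example (written for this page; this is not APNIC's routing management code): a ROA with maxLength d bits beyond its prefix length stands for 2^(d+1) - 1 distinct prefixes, and producing one route(6) object for each only stays sane for small d. The cap MAX_DISTANCE is an assumption for this example, since the thread does not state APNIC's actual threshold; the prefixes and ASNs are constructed sample data. The block also shows the misalignment check between what is registered and what the ROA implies, which generalises the flagging George describes.

```python
"""Expand a ROA into the aligned set of route(6) objects, with a size cap.

Added example, not APNIC's implementation. For distance d = maxLength -
prefixLength the ROA authorises 2**(d+1) - 1 prefixes (the full binary tree
from the covering prefix down to maxLength), so a /24 with maxLength 24 is one
object, a /24 with maxLength 28 is 31, and a /32 IPv6 with maxLength 48 would
be 131071. MAX_DISTANCE is an assumed threshold for this example only.
"""
import ipaddress

MAX_DISTANCE = 4   # assumption for this example; not APNIC's actual limit


def route_object_count(prefix_len, max_length):
    """Number of route objects needed to cover every prefix the ROA authorises."""
    d = max_length - prefix_len
    return 2 ** (d + 1) - 1


def expand_roa(prefix, max_length, asn, max_distance=MAX_DISTANCE):
    """Return (prefix, asn) pairs for every prefix the ROA authorises.

    Raises ValueError for an out-of-range maxLength or when the tree would be
    larger than the configured distance allows.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if max_length < net.prefixlen or max_length > net.max_prefixlen:
        raise ValueError("maxLength must lie between prefixLength and the address size")
    d = max_length - net.prefixlen
    if d > max_distance:
        raise ValueError(
            f"refusing to create {route_object_count(net.prefixlen, max_length)} "
            f"route objects: distance {d} exceeds {max_distance}")
    # One level of the tree per prefix length; subnets(new_prefix=...) yields
    # the network itself when new_prefix equals its own length.
    return [(str(sub), asn)
            for length in range(net.prefixlen, max_length + 1)
            for sub in net.subnets(new_prefix=length)]


def to_rpsl(prefix, asn):
    """Render one (prefix, asn) pair as a minimal RPSL route/route6 object."""
    net = ipaddress.ip_network(prefix, strict=True)
    attr = "route6" if net.version == 6 else "route"
    return f"{attr}: {prefix}\norigin: AS{asn}\n"


def misalignment(registered, prefix, max_length, asn):
    """Compare registered (prefix, asn) objects with what the ROA implies.

    Returns (missing, extra): objects the ROA calls for that are not registered,
    and registered objects the ROA does not authorise.
    """
    wanted = set(expand_roa(prefix, max_length, asn))
    have = set(registered)
    return sorted(wanted - have), sorted(have - wanted)


if __name__ == "__main__":
    for pair in expand_roa("192.0.2.0/24", 26, 64496):
        print(to_rpsl(*pair))
    # Constructed sample of what a maintainer might already have registered.
    registered = [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64497)]
    missing, extra = misalignment(registered, "192.0.2.0/24", 25, 64496)
    print("missing:", missing)
    print("extra:  ", extra)
    print("a /32 with maxLength 48 would need",
          route_object_count(32, 48), "route6 objects")
```

The `extra` list is the case George's second paragraph covers: a route: object made directly through the RPSL path whose origin no longer agrees with the ROA, flagged rather than silently overwritten.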


ROA mirror to IRR?

2021-10-26 Thread Shawn
Curious if any IRR databases are mirroring/importing ROA data - creating
route|6 objects from ROA?

LACNIC requires a route object to be created when creating a ROA.
APNIC you create a route object, then may generate a ROA during that
process.
Other RIRs, curious if anything tries to bring the two together?

Applicable for networks that only use IRR data (do not yet validate RPKI),
they could benefit.

IRR questions:
How do most large networks maintain (automate) their IRR records?
Is it standard practice to accept more specifics (append IPv4 "le /24" and
IPv6 "le /48")?
Or is it expected to have one IRR route per BGP announcement?