On 27 Mar, 2013, at 6:24 PM, Randy Bush <[email protected]> wrote:

>> Yes, I assume
>> http://tools.ietf.org/agenda/86/slides/slides-86-sidr-1.pdf slide 3.
>> Which I think is a good estimate.
>
> actually, i think the number of pub points will be closer to the number
> of entries in the rir's datamesses, as they will be issuing the certs
> based on their data messes.

Indeed. I disagree that the number of AS#s is a good estimator for the number of publication points.

As Oleg, and others, also mentioned the RIRs issue certificates based on the resources they know are held by organisations. Resources can be any combination of 0 or more AS#, 0 or more IPv4 prefixes and 0 or more IPv6 prefixes. So the number of distinct resource holders that the RIRs see is the estimator that is suitable here. There is a group of organisations that hold IP prefixes, but do not run their own AS. This group is missing from the slide.

Oleg made this estimate based on current stats:

> From the RIR stats files that RIRs publish daily we could get the numbers of
> distinct resource holders. They are:
>
> AFRINIC 1310
> APNIC 7957
> ARIN 35380
> LACNIC 4278
>
> For the RIPE NCC you could not get this data from stats files, and the exact
> number is difficult to get because of our model of provider-independent end
> users. But in our registry I could count that it is at least 28912.
> That brings the total to 77837.

After comments by Randy and John Curran it seems that the number for ARIN obtained here is too high. John suggested 50%. So then the total number would be roughly 60000. (no, not trying to be more exact than the error term here, it's the ball park that matters)

So that's roughly 60k certificates that are going to be published and, associated, 60k mfts + 60k crls.

Note, this is the boilerplate RPKI, just the 'publication points' and the objects necessary to support that. The, more useful, content is a different story.

I was looking for ballpark total numbers for ghostbusters, roas and router certs, but I don't believe that the number of publication points (~certified organisations) is the most important variable in each case. See below.

= ghostbusters

Okay, in this case I actually do believe that it will correlate most strongly with the number of publication points..
It seems a reasonable estimate that each publication point will publish one record for all their resources. But, there is room for error here.. maybe some organisations will publish many records for specific resources they have. Others may just have one with everything. Yet others may publish none…

My current best guess is 1 per publication point, on average. So roughly 60k in total. I am more than happy to change this number in the model with a better estimate. Another approach could be to look at the current RIR databases and model this after the number of equivalent contacts found there now.

= roas

I am not convinced by the 1 ROA per AS. Aggregating all possible routes for an AS on a single ROA is not feasible. As mentioned above it's the prefix holders that make these ROAs. They may or may not be the holder of the AS. In practice there is a sizeable group of organisations who do not run their own AS.

In our document we figured that looking at the number of announcements in the current routing table, and the maximum aggregation factor of prefixes per ROA that we see today gives a reasonable estimate for the amount of ROAs needed to make all intended announcements appear valid. But the aggregation factor is quite fuzzy.. in particular it's difficult to deal with max length this way...

I just thought of another much simpler approach that seems better to me...

Based on the RIPE NCC router collector dumps:
http://www.ris.ripe.net/dumps/

And validation we do on the current RIR datasets. We see:

= 479608 total announcements
= 10692 valid announcements
= 1197 ROA objects

So, average number of routes made valid by a ROA:
10692 / 1197 => 8.9 something.

So to get the number of ROAs needed to make all 479k announcements valid:
497608 / 8.9 => 53693

= router certificates

We explicitly mention this in our document:

> All in all it is not entirely clear to the authors how many certified keys
> may be, but on list numbers as high as 2,000,000 have been mentioned.

Router certificates are used by ASes. So the model proposed by Stephen and Sririam seems reasonable to me:

# non-stub ASes * avg certs per non-stub AS + # stub ASes * avg certs per stub AS.

Or with values:
36,120 non-stub AS * 10 + 6,880 stub AS * 2 = 374960.

Open to suggestions..

Tim

--
Back from long holidays..
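
The count of distinct resource holders quoted above from the RIR stats files can be reproduced with a short parser. This is an added example, not code from the thread; it assumes the files meant are the RIRs' "delegated-extended" statistics files, whose records are `registry|cc|type|start|value|date|status|opaque-id`, and it runs on a constructed sample (the registry name and holder ids are made up). It also reports the holders with prefixes but no AS number, the group the message says is missing from the slide.

```python
from collections import defaultdict

# Constructed sample in delegated-extended layout (not real registry data).
SAMPLE = """\
2|examplerir|20130327|6|19830101|20130326|+0000
examplerir|*|asn|*|2|summary
examplerir|*|ipv4|*|3|summary
examplerir|*|ipv6|*|1|summary
examplerir|ZZ|asn|64496|1|20100101|allocated|ORG-A
examplerir|ZZ|ipv4|192.0.2.0|256|20100101|allocated|ORG-A
examplerir|ZZ|ipv4|198.51.100.0|256|20110101|assigned|ORG-B
examplerir|ZZ|ipv6|2001:db8::|32|20120101|allocated|ORG-B
examplerir|ZZ|asn|64497|1|20120101|allocated|ORG-C
examplerir|ZZ|ipv4|203.0.113.0|256||available|
"""

def holders_by_type(lines):
    """Map each opaque holder id to the set of resource types it holds."""
    holders = defaultdict(set)
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        fields = line.split("|")
        if len(fields) < 8:
            continue  # version header (7 fields) or summary line (6 fields)
        rtype, status, holder = fields[2], fields[6], fields[7]
        # Only resources actually handed out have a holder; skip
        # "available" and "reserved" space.
        if status not in ("allocated", "assigned") or not holder:
            continue
        holders[holder].add(rtype)
    return holders

def summarise(lines):
    """Count distinct holders, and how many of them hold no AS number."""
    holders = holders_by_type(lines)
    prefix_only = sum(1 for types in holders.values() if "asn" not in types)
    return {
        "holders": len(holders),          # estimator for publication points
        "with_asn": len(holders) - prefix_only,
        "prefix_only": prefix_only,       # hold prefixes, run no AS
    }

if __name__ == "__main__":
    print(summarise(SAMPLE.splitlines()))
```
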
