maximum ipv4 bgp prefix length of /24 ?
Willy Manga
mangawilly at gmail.com
Wed Oct 11 05:44:46 UTC 2023
> On 11/10/2023 03:52, Delong.com wrote:
>
>> On Oct 10, 2023, at 13:36, Matthew Petach <mpetach at netflight.com> wrote:
>>[...]
>> Owen,
>>
>> RPKI only addresses accidental hijackings.
>> It does not help prevent intentional hijackings.
>
> OK, but at least they can help limit the extent of required desegregation in combat unless I misunderstand the whole MAXPREFIXLEN option.
Actually, RFC 9319 does recommend to "avoid using the maxLength attribute
in ROAs except in some specific cases". But I recognise that this RFC is
not yet implemented everywhere.
>>
>> RPKI only asserts that a specific ASN must originate a prefix. It does nothing to validate the authenticity of the origination.
>
> Nope… It ALSO asserts (or can assert) an attribute of “Maximum allowed prefix length”.
>
> E.g. if I have a ROA for AS65500 to originate 2001:db8::/32 with a “Maximum Length” attribute of /36, then any advertisement (even originated by 65500) that is longer than /36 should be considered invalid.
Yes, but in that scenario any advertisements between /32 and /36 from
that prefix originated by AS65500 are *valid*. That's why "ROAs should
be as precise as possible, meaning they should match prefixes as
announced in BGP" [1].
[1] https://rpki.readthedocs.io/en/latest/rpki/securing-bgp.html#maximum-prefix-length
--
Willy Manga
@ongolaboy
https://ongola.blogspot.com/
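The exchange above turns on how a ROA's maxLength changes route origin validation results. The following is an added example, not code from the thread or from any RPKI validator: a minimal RFC 6811 origin-validation routine run against the ROA Owen describes (AS65500, 2001:db8::/32, maxLength /36) and against a "precise" ROA with no maxLength. The sub-prefixes and the second origin AS (64496) are constructed sample input.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ROA:
    asn: int
    prefix: str
    max_length: Optional[int] = None  # None: maxLength equals the prefix length


def validate(route_prefix: str, origin_asn: int, roas) -> str:
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'.

    A ROA covers the route if the route is the ROA prefix or a subnet of it.
    The route is valid if any covering ROA matches the origin AS and the
    route is no longer than that ROA's maxLength; covered but unmatched
    routes are invalid; uncovered routes are not-found.
    """
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # subnet_of() raises on mixed address families, so check version first.
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        max_len = roa.max_length if roa.max_length is not None else roa_net.prefixlen
        if roa.asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"


# ROA with maxLength /36, as in the thread, versus one matching the BGP announcement exactly.
LOOSE_ROAS = [ROA(65500, "2001:db8::/32", 36)]
PRECISE_ROAS = [ROA(65500, "2001:db8::/32")]

# Constructed routes: the announced /32, sub-prefixes from the same AS, and another origin.
SAMPLE_ROUTES = [
    ("2001:db8::/32", 65500),
    ("2001:db8:8000::/33", 65500),
    ("2001:db8:1000::/36", 65500),
    ("2001:db8:1000::/37", 65500),
    ("2001:db8::/32", 64496),
]


def compare(roas_a, roas_b, routes=SAMPLE_ROUTES):
    """Return {(prefix, asn): (result under roas_a, result under roas_b)}."""
    return {(p, a): (validate(p, a, roas_a), validate(p, a, roas_b)) for p, a in routes}
```

With the loose ROA every sub-prefix down to /36 from AS65500 validates, which is what the RFC 9319 advice quoted above aims to avoid; the precise ROA leaves only the announced /32 valid.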