nanog mailing list archives

Re: maximum ipv4 bgp prefix length of /24 ?


From: Owen DeLong via NANOG <nanog () nanog org>
Date: Wed, 11 Oct 2023 23:00:01 -0700



On Oct 11, 2023, at 19:18, Willy Manga <mangawilly () gmail com> wrote:

> On 11/10/2023 03:52, Delong.com wrote:
> [...]
>>> RPKI only asserts that a specific ASN must originate a prefix.  It does nothing to validate the authenticity of the
>>> origination.
>> Nope… It ALSO asserts (or can assert) an attribute of “Maximum allowed prefix length”.
>> E.g. if I have a ROA for AS65500 to originate 2001:db8::/32 with a “Maximum Length” attribute of /36, then any
>> advertisement (even originated by 65500) that is longer than /36 should be considered invalid.
>>> If I am AS XX, and want to hijack a prefix from AS YY that has RPKI ROAs protecting it, and AS YY has allowed more
>>> specifics to be announced within the prefix range covered by the ROA, I'm in like Flynn, because I just need to
>>> configure my router with AS YY as the origin AS, then insert the expected ASN for the neighbor adjacency with my
>>> upstreams, and Bob's your uncle, the more specific prefix passes RPKI validation, and traffic comes flying my way.
>> Yes, IF YY has allowed longer prefixes. If YY doesn’t allow longer prefixes and/or doesn’t supply AS0 ROAs for more
>> specifics that should not be announced, then YY has indeed aimed a firearm squarely at their lower distal appendage
>> and fired.
>> However, IF YY is paying attention, and YY wants to advertise 2001:db8::/32 as well as allow 2001:db8:8000::/36 and
>> 2001:db8:f000::/36, I would expect AS YY would generate ROAs for
>>      2001:db8::/32 with ORIGIN-AS=YY MAXPREFIXLEN=36
>>      2001:db8:0::/33 with ORIGIN-AS=0 (no MAXPREFIXLEN needed)
>>      2001:db8:8000::/36 with ORIGIN-AS=YY MAXPREFIXLEN=36
>>      2001:db8:9000::/35 with ORIGIN-AS=0 (no MAXPREFIXLEN needed)
>>      2001:db8:a000::/34 with ORIGIN-AS=0 (no MAXPREFIXLEN needed)
>>      2001:db8:c000::/34 with ORIGIN-AS=0 (no MAXPREFIXLEN needed)
>>      2001:db8:e000::/36 with ORIGIN-AS=0 (no MAXPREFIXLEN needed)
>>      2001:db8:f000::/36 with ORIGIN-AS=YY MAXPREFIXLEN=36
>
> As Dale suggested in another email[1], it's better to just cover ROAs for what you are advertising. Why?

If that works, perhaps… OTOH, I’m not sure it does. I’m not sure the /32 MAXLEN 32 wouldn’t prevent effectiveness of
the /36 ROAs.

> 1. I can't confirm at this stage that all the implementations allow you to leave the maxLength field empty.

I can… It’s an Optional Field in the specification.

> 2. If you want to follow that logic, what you are trying to accomplish with AS0 is basically the *complement* of what
> you are not advertising. I believe that will be much more work and you might miss a lot of specifics. e.g.: under
> your 2001:db8::/32, do not forget you have 16x /36, 2x /33, 4x /34, ... You will have to insert a statement for every
> single one of them.

Yes, but if I issue a /34 AS0 with no MAXLEN, that _SHOULD_ mark ALL more specifics as invalid.

If that doesn’t work, then you’re right, the AS0 ROAs are essentially useless, but then one has to wonder what value
any RIR issued AS0 ROAs would have as well, since they would obviously be less specific.

Owen

