Look, you can never be certain that 100% of networks are going to accept your prefixes but for DDoS that shouldn't matter as others have pointed out. What I can say is please don't create 65536 route6 objects or otherwise I feel like we are going to have to start discussion about a policy to prevent people doing that. Also why do you need them to be advertised as /48s? If you just need them to be more specific than a /32 couldn't you just do /33s, /34s, /35s, /36s, or something like that? -Cynthia On Mon, Jul 10, 2023 at 2:13 PM Kaupo Ehtnurm via db-wg <db-wg@ripe.net> wrote:
Hello
Thank you very much for the explanation. But I think we have steered away a little bit from my original question.
As I can conclude from all the answers earlier, then still my only option if I want my ip transit provider to be able to advertise some /48 within my /32 at random times and for random durations is using /32 as route6 object and hope that everyone in the internet filters "2001:1234::/32 le 48 permit" or "2001:1234::/32 eq 48 permit" instead of "2001:1234::/32 permit"? Or actually make the 65536 route6 objects (for each of the /48 that fits into that /32)? Or is there a third possibility instead hoping that AS-s from all over the internet are familiar with this kind of issue and allow /48 prefixes into their routers instead of exact /32 prefix (although the route6 object states that our provider should advertise only /32) or making unnecessary amount(65536 objects for 1x/32) of route6 objects?
I ultimatelly want my ip transit provider to be able to advertise different /48 prefixes at random times for random durations. And want it to pass IRR filtering also, not just rpki filtering in different ASs across the globe.
Lugupidamisega / Best regards,
Kaupo Ehtnurm
Network & System administrator WaveCom AS ISO 9001 & 27001 Certified DC and verified VMware Cloud kaupo@wavecom.ee | +372 5685 0002 Endla 16, Tallinn 10142 Estonia | [ http://www.wavecom.ee/ | www.wavecom.ee ]
----- Original Message ----- From: "Job Snijders" <job@sobornost.net> To: "Kaupo Ehtnurm" <kaupo@wavecom.ee> Cc: "Nick Hilliard" <nick@foobar.org>, "Kaupo Ehtnurm via db-wg" <db-wg@ripe.net> Sent: Monday, July 10, 2023 2:18:57 PM Subject: Re: [db-wg] Route(6) objects
Dear Kaupo, others,
(Speaking as individual working group contributor.)
On Mon, Jul 10, 2023 at 10:06:30AM +0300, Kaupo Ehtnurm via db-wg wrote:
Since route6 object is a must and ROA is a should and they ultimately fill the same purpose, than why isn't there a "max length" in route6 object?
That's a good question!
The specification of IRR 'route6:' objects pre-dates the specification of RPKI ROAs by a number of years. One explanation might be that the designers of RPSL-NG simply didn't think of it.
Another aspect is that RPKI ROAs are used as an input into the RFC 6811 Origin Validation procedure (which yields invalid/valid/not-found as outcomes), but no such algorithm existed when RPSL-NG route/route6 objects were defined. I can see how RPKI ROAs and RPSL-NG route/route6 objects look kind of similar from a high level, but the devil is in the details: they do fulfill slightly different purposes.
It's important to note that in recent years new insights arose how to make the best use of RPKI ROAs: last year's BCP 185 / RFC 9319 recommends to avoid using the maxLength attribute in RPKI ROAs.
Porting 'maxLength' functionality to RPSL-NG route/route6 objects would represent a significant community effort: people would need to write an Internet-Draft to specify what the field really means, and lots of software toolchains would need updating. Given that maxLength in RPKI ROAs was not universially perceived as a good idea, I'm not very optimistic that porting such functionality to the 'legacy' IRR system is worth the effort.
Kind regards,
Job
--
To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/db-wg