SIDR Operations                                                   Z. Yan
Internet-Draft                                                     CNNIC
Intended status: Informational                                   R. Bush
Expires: 29 October 2022                       Internet Initiative Japan
                                                               G.G. Geng
                                                        Jinan University
                                                                  J. Yao
                                                                   CNNIC
                                                              April 2022

             Avoidance for ROA Containing Multiple IP Prefixes
                 draft-ietf-sidrops-roa-considerations-02

Abstract

   In RPKI, the address space holder needs to issue an ROA object when
   authorizing one or more ASes to originate routes to IP prefix(es).
   During the ROA issuance process, the address space holder may need
   to specify an origin AS for a list of IP prefixes.  Additionally,
   under the current specification the address space holder is free to
   put multiple prefixes into a single ROA or to issue a separate ROA
   for each prefix.  This memo analyzes some operational problems which
   may arise from ROAs containing multiple IP prefixes and recommends
   avoiding placing multiple IP prefixes in one ROA.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 3 October 2022.

Copyright Notice

   Copyright (c) 2022 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Problem Statement and Analysis
   4.  Suggestions
   5.  Security Considerations
   6.  IANA Considerations
   7.  Acknowledgements
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  ROA Analysis
   Authors' Addresses

1.  Introduction

   In the Resource Public Key Infrastructure (RPKI), a Route Origin
   Authorization (ROA) is a digitally signed object which identifies
   that a single AS has been authorized by the address space holder to
   originate routes to one or more prefixes within the address space
   [RFC6482].

   Each ROA contains an "asID" field and an "ipAddrBlocks" field.  The
   "asID" field contains one single AS number which is authorized to
   originate routes to the given IP address prefixes.  The
   "ipAddrBlocks" field contains one or more IP address prefixes to
   which the AS is authorized to originate routes.  If the address
   space holder needs to authorize more than one AS to advertise the
   same set of address prefixes, the holder must issue multiple ROAs,
   one for each AS number.  However, at present there is no mandatory
   requirement that the address space holder must issue either a
   separate ROA for each prefix or a single ROA containing multiple
   prefixes.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  Problem Statement and Analysis

   Currently, about 24% of ROAs contain two or more prefixes.  Among
   them, the average number of prefixes per ROA exceeds 10.

   For an ROA containing multiple prefixes, when one pair is added or
   deleted, the entire ROA must be withdrawn and reissued, or covered by
   a new ROA.  That is, although aggregating multiple IP prefixes can
   reduce the number of issued ROAs, updating an ROA containing
   multiple IP address prefixes will result in redundant transmission
   between the RP and BGP routers, because in reality only the changed
   IP prefix needs to be updated by the new ROA.  Updating these ROAs
   frequently will increase the convergence time of BGP routers and
   reduce the stability of the RPKI and BGP system.

   In addition, ROAs have a long validity period by default, during
   which the prefix ownership is more likely to change (of course,
   resource shrinkage may happen at any time), which will lead to the
   withdrawal or reissue of the whole set of prefixes aggregated within
   the same ROA.  This increases the possibility of misconfiguration
   and the operational complexity [RFC8211].  If one prefix is included
   in the list by mistake, the whole ROA will not be generated
   successfully.

4.  Suggestions

   The following suggestions should be considered during the process of
   ROA issuance:

   1) It is most important to guarantee the stability and security of
   the RPKI and BGP system, and it is recommended to include a single
   IP prefix in each ROA by default.

   2) In some special scenarios, where the resource is very stable or a
   CA has operational problems producing an increased number of
   individual ROAs, multiple IP prefixes may be aggregated in one ROA.

5.  Security Considerations

   This memo does not give rise to additional security risks.

6.  IANA Considerations

   This document does not request any IANA action.

7.  Acknowledgements

   The authors would like to thank the members of the sidrops WG for
   their valuable comments; the list will be updated later.

   This work was supported by the Beijing Nova Program of Science and
   Technology under grant Z191100001119113.

   This document was produced using the xml2rfc tool [RFC2629].

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC2629]  Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629,
              DOI 10.17487/RFC2629, June 1999.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

8.2.  Informative References

   [RFC6482]  Lepinski, M., Kent, S., and D. Kong, "A Profile for Route
              Origin Authorizations (ROAs)", RFC 6482,
              DOI 10.17487/RFC6482, February 2012.

   [RFC8211]  Kent, S. and D. Ma, "Adverse Actions by a Certification
              Authority (CA) or Repository Manager in the Resource
              Public Key Infrastructure (RPKI)", RFC 8211,
              DOI 10.17487/RFC8211, September 2017.

Appendix A.  ROA Analysis

   In order to illustrate the state of the current ROA database, the
   following analysis was made.

   +----------------+----------------------+-------------------------+
   | The total      | The number of ROAs   | The number of ROAs with |
   | number of ROAs | with a single prefix | multiple prefixes       |
   +----------------+----------------------+-------------------------+
   | 105542         | 81759                | 23783                   |
   +----------------+----------------------+-------------------------+

                Figure 1: Statistical results of global ROAs

   As shown in Figure 1, by April 24th 2022 the total number of ROA
   objects issued is about 105542.  Further analysis of these ROA
   objects shows that the number of ROAs containing only one prefix is
   about 81759 (77.47% of all ROA objects), and the number of ROAs
   containing two or more prefixes is about 23783 (22.53% of all ROA
   objects).

   For the 23783 ROA objects which each contain two or more prefixes,
   the number of IP address prefixes was calculated and analyzed.  The
   statistical results are shown in Figure 2.

   +----------------+----------------+--------------------------------+
   | The number of  | The number of  | The average number of prefixes |
   | prefixes       | ROAs           | in each ROA                    |
   +----------------+----------------+--------------------------------+
   | 248693         | 23783          | 10.46                          |
   +----------------+----------------+--------------------------------+

      Figure 2: Statistical results of the ROAs with multiple prefixes

   As described in Figure 2, there are 248693 IP address prefixes in
   the 23783 ROA objects, and the average number of prefixes in each
   ROA is 10.46 (248693/23783).  In addition, four types of ROAs were
   analyzed and counted within the 23783 ROAs: ROAs each containing
   2-10, 11-50, 51-100, or >100 IP address prefixes.  The statistical
   results are presented in Figure 3.

   +----------+----------+----------+----------+----------+-------+
   | ROA      | ROA with | ROA with | ROA with | ROA with | Total |
   | types    | 2-10     | 11-50    | 51-100   | >100     | number|
   |          | prefixes | prefixes | prefixes | prefixes |       |
   +----------+----------+----------+----------+----------+-------+
   | The      | 20286    | 2880     | 322      | 295      | 23783 |
   | number   |          |          |          |          |       |
   | of ROAs  |          |          |          |          |       |
   +----------+----------+----------+----------+----------+-------+
   | The      | 85.30%   | 12.11%   | 1.35%    | 1.24%    | 100%  |
   | ratio of |          |          |          |          |       |
   | ROAs     |          |          |          |          |       |
   +----------+----------+----------+----------+----------+-------+
   | The      | 74504    | 59015    | 22244    | 92930    |248693 |
   | number   |          |          |          |          |       |
   | of       |          |          |          |          |       |
   | prefixes |          |          |          |          |       |
   +----------+----------+----------+----------+----------+-------+
   | The      | 29.96%   | 23.73%   | 8.94%    | 37.37%   | 100%  |
   | ratio of |          |          |          |          |       |
   | prefixes |          |          |          |          |       |
   +----------+----------+----------+----------+----------+-------+

            Figure 3: Statistical results of four types of ROAs

   As shown in Figure 3, taking the first type of ROA as an example,
   there are 20286 ROAs (85.3% of the 23783 ROA objects) which each
   contain 2-10 IP address prefixes, and the total number of IP
   prefixes in these 20286 ROAs is 74504 (29.96% of the 248693
   prefixes).

   This shows that address space holders tend to issue each ROA object
   with fewer IP prefixes (more than 95% of ROAs contain fewer than 50
   prefixes), but they still tend to put multiple prefixes into one
   single ROA.

   The longest and shortest validity periods of a single ROA are 28854
   days and 2 days respectively.  In addition, the average validity
   period of each ROA is 707.83 days.

Authors' Addresses

   Zhiwei Yan
   CNNIC
   No.4 South 4th Street, Zhongguancun
   Beijing, 100190
   P.R. China
   Email: yanzhiwei@cnnic.cn

   Randy Bush
   Internet Initiative Japan
   Email: randy@psg.com

   Guanggang Geng
   Jinan University
   No.601, West Huangpu Avenue
   Guangzhou
   510632
   China
   Email: gggeng@jnu.edu.cn

   Jiankang Yao
   CNNIC
   No.4 South 4th Street, Zhongguancun
   Beijing, 100190
   P.R. China
   Email: yaojk@cnnic.cn
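The following is an added worked example; it is not part of the draft and not code from any RPKI CA or relying-party implementation. It models ROA objects as a simplified (asID, ipAddrBlocks) structure, with no ASN.1 encoding and no signatures, and uses it to make three points of the draft concrete: the Section 3 observation that changing one prefix in a multi-prefix ROA forces the whole object to be re-signed and re-fetched, the Section 3 observation that one mistaken prefix invalidates the whole ROA (RFC 6482 requires every prefix in ipAddrBlocks to be covered by the issuing certificate's IP resources), and the Appendix A bucket statistics (single vs. multiple prefixes; 2-10/11-50/51-100/>100). AS 64496 and the 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 and 2001:db8::/32 resources are constructed documentation values, not data from the draft's measurement.

```python
"""Simplified ROA model: per-prefix vs. aggregated issuance (added example)."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, Iterable, List, Sequence, Tuple


@dataclass(frozen=True)
class ROA:
    as_id: int
    ip_addr_blocks: Tuple[str, ...]   # each entry "prefix" or "prefix-maxLength"


def parse_block(block: str):
    """'10.0.0.0/16-24' -> (IPv4Network('10.0.0.0/16'), 24); maxLength defaults to prefix length."""
    if "-" in block:
        pfx, maxlen_s = block.split("-", 1)
        net, maxlen = ip_network(pfx, strict=True), int(maxlen_s)
    else:
        net = ip_network(block, strict=True)
        maxlen = net.prefixlen
    if not (net.prefixlen <= maxlen <= net.max_prefixlen):
        raise ValueError(f"bad maxLength in {block}")
    return net, maxlen


def vrps(roas: Iterable[ROA]):
    """Validated ROA Payloads an RP would derive: set of (asID, prefix, maxLength)."""
    return {(r.as_id, str(parse_block(b)[0]), parse_block(b)[1])
            for r in roas for b in r.ip_addr_blocks}


def validate_roa(roa: ROA, cert_resources: Sequence[str]) -> Tuple[bool, Tuple[str, ...]]:
    """RFC 6482 section 4: every prefix must be covered by the EE certificate's
    IP resources; one uncovered prefix makes the whole ROA invalid."""
    covered = [ip_network(c) for c in cert_resources]
    bad = tuple(b for b in roa.ip_addr_blocks
                if not any(parse_block(b)[0].version == c.version and
                           parse_block(b)[0].subnet_of(c) for c in covered))
    return (len(bad) == 0), bad


def valid_vrps(roas: Iterable[ROA], cert_resources: Sequence[str]):
    """VRPs that survive validation: invalid ROAs contribute nothing."""
    return vrps(r for r in roas if validate_roa(r, cert_resources)[0])


def issue_per_prefix(as_id: int, blocks: Sequence[str]) -> List[ROA]:
    return [ROA(as_id, (b,)) for b in blocks]          # draft's recommendation


def issue_aggregated(as_id: int, blocks: Sequence[str]) -> List[ROA]:
    return [ROA(as_id, tuple(blocks))]                 # one ROA, many prefixes


def reissue_cost(roas: Iterable[ROA], changed_block: str) -> Tuple[int, int]:
    """Cost of changing one prefix: (ROA objects that must be withdrawn and
    reissued, prefix entries re-signed by the CA and re-fetched by the RP).
    Only the changed entry actually carries new information."""
    affected = [r for r in roas if changed_block in r.ip_addr_blocks]
    return len(affected), sum(len(r.ip_addr_blocks) for r in affected)


def appendix_a_stats(roas: Sequence[ROA]) -> Dict:
    """Counts in the shape of the draft's Figures 1-3 (single vs. multi, size buckets)."""
    multi = [r for r in roas if len(r.ip_addr_blocks) >= 2]
    buckets = {"2-10": 0, "11-50": 0, "51-100": 0, ">100": 0}
    for r in multi:
        n = len(r.ip_addr_blocks)
        buckets["2-10" if n <= 10 else "11-50" if n <= 50 else "51-100" if n <= 100 else ">100"] += 1
    total_prefixes = sum(len(r.ip_addr_blocks) for r in multi)
    return {"total": len(roas), "single": len(roas) - len(multi), "multi": len(multi),
            "multi_prefixes": total_prefixes,
            "avg_prefixes_per_multi": total_prefixes / len(multi) if multi else 0.0,
            "buckets": buckets}


# Constructed sample data (documentation ASN and prefixes), not measurements.
SAMPLE_AS = 64496
SAMPLE_BLOCKS = ["192.0.2.0/25-26", "192.0.2.128/25", "198.51.100.0/24", "2001:db8:1::/48-64"]
SAMPLE_CERT = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32"]
MISTAKE = "10.0.0.0/8"   # not held by the CA: invalidates any ROA that lists it


def demo() -> Dict:
    per, agg = issue_per_prefix(SAMPLE_AS, SAMPLE_BLOCKS), issue_aggregated(SAMPLE_AS, SAMPLE_BLOCKS)
    assert vrps(per) == vrps(agg)    # both strategies authorize exactly the same routes
    return {
        "change_one_prefix": {"per_prefix": reissue_cost(per, "192.0.2.128/25"),
                              "aggregated": reissue_cost(agg, "192.0.2.128/25")},
        "vrps_after_mistake": {
            "per_prefix": len(valid_vrps(per + issue_per_prefix(SAMPLE_AS, [MISTAKE]), SAMPLE_CERT)),
            "aggregated": len(valid_vrps(issue_aggregated(SAMPLE_AS, SAMPLE_BLOCKS + [MISTAKE]), SAMPLE_CERT))},
    }


if __name__ == "__main__":
    print(demo())
```

With the constructed data, changing one prefix costs one object and one re-signed entry under per-prefix issuance but one object and all four entries under aggregation, and a single mistaken prefix removes every VRP of the aggregated ROA while the per-prefix set keeps the four correct ones. The `appendix_a_stats` bucketing is the same grouping the draft uses in Figure 3, so it can be run over a real exported ROA list to reproduce that table.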