According to RIPE's site, a BGP announcement is invalid if:

  • The prefix is announced from an unauthorized AS.
  • The announcement is more specific than is allowed by the maximum length set in a ROA that matches the prefix and AS.

Regarding the second condition, what does "more specific" mean?

Say I'm AS1, and I'm given the block 10.1.0.0/16, and I have a valid ROA for that prefix. Now, I'm giving one of my customers, AS11, the sub block 10.1.2.0/24. Assume AS11 doesn't produce a ROA for his prefix.

Now, if I announce the path [AS1, AS11, 10.1.1.0/24] to my peers/provider (assuming they support ROV), will the validation fail? Is 10.1.2.0/24 a sub prefix of 10.1.0.0/16? What's the rule for deciding if a prefix is a sub prefix of another prefix?

Ron Maupin
sel

1 Answer


Regarding the second condition, what does "more specific" mean?

It means that the mask is longer. A longer mask is more specific than a shorter mask. The longest IPv4 mask is /32, and it is the most specific IPv4 address because it identifies an address all the way down to the host.

Is 10.1.2.0/24 a sub prefix of 10.1.0.0/24?

No.

What's the rule for deciding if a prefix is sub prefix of another prefix?

If you mask both addresses with the shortest mask, you will find out if they share a common network. This is the very basis for IP addressing (both IPv4 and IPv6). Even hosts do this to determine if a destination address is in the same network as the host itself. A host needs to know if it can send traffic directly to the destination (same network), or if it must send it to its configured gateway (different network).

There is an excellent answer to this question that explains how to do IP math. There is also an answer on Server Fault that gives a demonstration of checking two addresses to determine if there is a common network.

In your case:

10.1.2.0      -> 00001010000000010000001000000000
255.255.255.0 -> 11111111111111111111111100000000
          AND -> ================================
      Network -> 00001010000000010000001000000000 = 10.1.2.0

10.1.0.0      -> 00001010000000010000000000000000
255.255.255.0 -> 11111111111111111111111100000000
          AND -> ================================
      Network -> 00001010000000010000000000000000 = 10.1.0.0

The resulting two network addresses do not match: 10.1.2.0 <> 10.1.0.0.


EDIT:

You changed the question, and you now have a different question with a different answer.

Is 10.1.2.0/24 a sub prefix of 10.1.0.0/16?

Yes.

In your case:

10.1.2.0    -> 00001010000000010000001000000000
255.255.0.0 -> 11111111111111110000000000000000
        AND -> ================================
    Network -> 00001010000000010000000000000000 = 10.1.0.0

10.1.0.0    -> 00001010000000010000000000000000
255.255.0.0 -> 11111111111111110000000000000000
        AND -> ================================
    Network -> 00001010000000010000000000000000 = 10.1.0.0

The resulting two network addresses match: 10.1.0.0 = 10.1.0.0.

Ron Maupin
  • Thanks Ron, I screwed up the masks in the second question, I meant to ask if "Is 10.1.2.0/24 a sub prefix of 10.1.0.0/16?". – sel Jul 16 '17 at 21:44
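
The masking rule from the answer combined with the two RIPE conditions quoted in the question, as an added example that is not part of the original posts. It uses the RFC 6811 outcomes (valid, invalid, not-found); the names `VRP`, `covers` and `validate` are hypothetical, and the ROA with maximum length 16 for AS1 is constructed from the question's scenario (the question does not state a maximum length).

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """One validated ROA entry: prefix, maximum length, authorized origin AS."""
    prefix: str
    max_length: int
    asn: int

def covers(roa_prefix, route_prefix):
    """True if route_prefix is the ROA prefix itself or a sub prefix of it."""
    roa = ipaddress.ip_network(roa_prefix)
    route = ipaddress.ip_network(route_prefix)
    # A shorter (less specific) route can never sit inside the ROA prefix.
    if roa.version != route.version or route.prefixlen < roa.prefixlen:
        return False
    # Mask the route's network address with the ROA's (shorter) mask.
    masked = int(route.network_address) & int(roa.netmask)
    return masked == int(roa.network_address)

def validate(route_prefix, origin_asn, vrps):
    """Origin validation of one announcement against a list of VRPs."""
    route_len = ipaddress.ip_network(route_prefix).prefixlen
    covered = False
    for vrp in vrps:
        if not covers(vrp.prefix, route_prefix):
            continue
        covered = True
        # Valid needs the authorized origin AND a length within max_length.
        # AS 0 in a ROA never matches any origin (RFC 6811).
        if vrp.asn != 0 and vrp.asn == origin_asn and route_len <= vrp.max_length:
            return "valid"
    # Covered by at least one ROA but matched by none: invalid.
    return "invalid" if covered else "not-found"

# Constructed sample: AS1 holds a ROA for 10.1.0.0/16 with maximum length 16.
VRPS = [VRP("10.1.0.0/16", 16, 1)]

if __name__ == "__main__":
    # The origin AS is the last AS in the path, AS11 in the question's example.
    for prefix, asn in [("10.1.0.0/16", 1), ("10.1.2.0/24", 11),
                        ("10.1.2.0/24", 1), ("10.2.0.0/24", 11)]:
        print(prefix, f"AS{asn}", validate(prefix, asn, VRPS))
```

Raising the ROA's maximum length to 24 makes AS1's own /24 announcements valid, but a /24 originated by AS11 stays invalid until a ROA authorizes AS11 for it.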