[162900] in North American Network Operators' Group


Re: Illegal usage of AS51888 (and PI 91.220.85.0/24) from AS42989

daemon@ATHENA.MIT.EDU (Nick Hilliard)
Mon May 6 16:42:11 2013

X-Envelope-To: nanog@nanog.org
Date: Mon, 06 May 2013 21:41:58 +0100
From: Nick Hilliard <nick@foobar.org>
To: Adam Vitkovsky <adam.vitkovsky@swan.sk>
In-Reply-To: <040901ce4a2b$c0692b10$413b8130$@swan.sk>
Cc: 'NANOG' <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On 06/05/2013 08:31, Adam Vitkovsky wrote:
> Well you can always just lower the preference for a particular prefix based
> on the roa state or roa missing.
> Then it is solely up to your customers whether they bother to register their
> prefixes to avoid hijacks or not, as you'll be ready on your part.

yep, you can depref stuff but it won't necessarily do what you want.  E.g.
if someone in Iran decides to announce a more-specific for some prefix in
Germany:

https://twitter.com/bgpmon/status/330777020395040768

then the roa validation process would return "invalid".  If you depref
this, the more-specific will still provide the best path, so it's pretty
useless.  The only way to handle this is to drop roa-invalid paths
completely, but it's not going to be possible to implement that as a
general routing policy until the rpki data is pretty good quality overall.

Nick
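
The depref-versus-drop point in the message above, as an added example that is not part of the original post: a small model of RFC 6811 origin validation followed by longest-prefix-match forwarding. The prefixes, AS numbers, the ROA and the local-pref values are constructed for illustration.

```python
import ipaddress

# Constructed sample data: documentation prefixes (RFC 5737) and ASNs (RFC 5398).
ROAS = [("203.0.113.0/24", 24, 64500)]          # (prefix, maxLength, origin AS)
ANNOUNCEMENTS = [("203.0.113.0/24", 64500),     # legitimate origin
                 ("203.0.113.0/25", 64511)]     # more-specific from another AS

def validate(prefix, origin, roas):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covering = [r for r in roas if net.subnet_of(ipaddress.ip_network(r[0]))]
    if not covering:
        return "not-found"
    for _, max_len, asn in covering:
        if asn == origin and net.prefixlen <= max_len:
            return "valid"
    return "invalid"

def build_fib(announcements, roas, policy):
    """policy 'depref' lowers local-pref on invalid routes; 'drop' rejects them."""
    fib = {}  # prefix -> (local_pref, origin AS) of the best path for that prefix
    for prefix, origin in announcements:
        state = validate(prefix, origin, roas)
        if state == "invalid" and policy == "drop":
            continue
        local_pref = 50 if state == "invalid" else 100  # assumed values
        net = ipaddress.ip_network(prefix)
        if net not in fib or local_pref > fib[net][0]:
            fib[net] = (local_pref, origin)
    return fib

def lookup(fib, address):
    """Forwarding decision: longest matching prefix wins, whatever its local-pref."""
    addr = ipaddress.ip_address(address)
    matches = [net for net in fib if addr in net]
    if not matches:
        return None
    return fib[max(matches, key=lambda net: net.prefixlen)][1]

if __name__ == "__main__":
    for policy in ("depref", "drop"):
        fib = build_fib(ANNOUNCEMENTS, ROAS, policy)
        print(policy, "-> traffic to 203.0.113.10 follows AS", lookup(fib, "203.0.113.10"))
```

Local-pref only breaks ties between paths to the same prefix, so depref does protect against an invalid announcement of the exact /24 but not against the /25.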



