RPKI unknown for superprefixes of existing ROA ?

Job Snijders job at fastly.com
Sun Oct 22 16:46:55 UTC 2023


On Sun, 22 Oct 2023 at 18:10, William Herrin <bill at herrin.us> wrote:

> Then someone comes along and advertises a portion of the RIR space
> larger than any allocation. Since your subnet is intentionally absent
> from the Internet, that larger route draws the packets allowing a
> hijack of your address space.
>
> In essence, this means that a ROA to AS0 doesn't work as intended.
>


Right, so in order to discard packets towards a network, it’s more robust
to actually advertise the IP space which you don’t intend to publicly use,
and use ACLs on that edge to discard the packets yourself (rather than
relying on all other ISPs having deployed ROV and less-specifics not
existing).

Given the frequency of ISPs accidentally announcing giant blocks, and this
apparently not causing much grief
https://www.ripe.net/ripe/mail/archives/routing-wg/2022-July/004588.html
I’m skeptical there is much need for change.

As to Ruben’s point - when an ISP is operating their network with a default
route & an incomplete routing table, indeed chances are packets will end up
on the wrong path … because the ISP is using an incomplete routing table.

Kind regards,

Job
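
The validation outcomes discussed in this message, as an added example that is not part of the original e-mail: RFC 6811 origin validation applied to an AS0 ROA, a covering less-specific, and the holder announcing the space itself. The prefixes (IPv6 documentation space), the ASNs 64496 and 64511, and the function names are constructed for illustration, and the holder's own-AS ROA is an assumption made so that its announcement validates.

```python
import ipaddress

# Constructed sample VRPs: (prefix, maxLength, origin ASN). AS0 = nobody may originate.
AS0_VRPS = [(ipaddress.ip_network("2001:db8:100::/48"), 48, 0)]
# Assumption: the holder (AS64496) also publishes a ROA for its own AS so it can announce.
HOLDER_VRPS = AS0_VRPS + [(ipaddress.ip_network("2001:db8:100::/48"), 48, 64496)]

def rov_state(route_prefix, origin_asn, vrps=AS0_VRPS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for vrp_prefix, max_len, vrp_asn in vrps:
        # A VRP covers a route only if the route equals the VRP prefix or is
        # more specific than it. A less-specific route is never covered.
        if route.version == vrp_prefix.version and route.subnet_of(vrp_prefix):
            covered = True
            # An AS0 VRP covers routes but can never match an origin.
            if vrp_asn != 0 and vrp_asn == origin_asn and route.prefixlen <= max_len:
                return "valid"
    return "invalid" if covered else "not-found"

def forwarding_origin(dst, announcements, vrps=AS0_VRPS):
    """Origin ASN that receives packets for dst at a router which drops
    ROV-invalid routes and does longest-prefix match on the rest (or None)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, asn in announcements:
        net = ipaddress.ip_network(prefix)
        if addr in net and rov_state(prefix, asn, vrps) != "invalid":
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, asn)
    return best[1] if best else None

if __name__ == "__main__":
    dst = "2001:db8:100::1"
    covering = ("2001:db8::/32", 64511)       # less-specific from another AS
    exact = ("2001:db8:100::/48", 64511)      # same prefix as the AS0 ROA
    own = ("2001:db8:100::/48", 64496)        # holder announces and filters at its edge
    print("exact /48 from AS64511:", rov_state(*exact))
    print("covering /32 from AS64511:", rov_state(*covering))
    print("AS0 ROA only, packets go to:", forwarding_origin(dst, [covering]))
    print("holder announces, packets go to:",
          forwarding_origin(dst, [covering, own], HOLDER_VRPS))
```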