Regarding smaller prefix for hijack protection

George Herbert george.herbert at gmail.com
Thu Aug 30 22:48:41 UTC 2012


On Thu, Aug 30, 2012 at 8:41 AM, William Herrin <bill at herrin.us> wrote:
> On Thu, Aug 30, 2012 at 7:54 AM, Anurag Bhatia <me at anuragbhatia.com> wrote:
>> Is using /24 a must to protect (a bit) against route hijacking?
>
> Hi Anurag,
>
> Not only is it _not_ a must, it doesn't work and it impairs your
> ability to detect the fault.
>
> In a route hijacking scenario, traffic for a particular prefix will
> flow to the site with the shortest AS path from the origin. Your /24
> competes with their /24. Half the Internet, maybe more maybe less
> depending on how well connected each of you are, will be inaccessible
> to you.

Preventively there seems to be no utility to this.

Reactively, after a hijacking starts, has anyone tried announcing both
(say) /24s for the block and (say) 2x /25s for it as well, to get
more-specific under the hijacker?  Yes, a lot of places will filter
and ignore, but those that don't ...

(Yes, sign your prefixes now, on general principles)


-- 
-george william herbert
george.herbert at gmail.com
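An added illustration, not from the thread, of the route-selection points above: longest prefix wins, then shortest AS path, many networks filter anything longer than /24, and once prefixes are signed a validating router drops RPKI-invalid origins. The ASNs (private range), the 192.0.2.0/24 documentation prefix, and the path lengths are constructed; the ROA maxLength handling follows RFC 6811 origin validation.

```python
import ipaddress

VICTIM, HIJACKER = 64500, 64666   # constructed ASNs from the private range

def rov_state(prefix, origin, roas):
    """RFC 6811-style origin validation: 'valid', 'invalid' or 'notfound'.
    Each ROA is (prefix, maxLength, origin AS)."""
    net = ipaddress.ip_network(prefix)
    covering = [r for r in roas if net.subnet_of(ipaddress.ip_network(r[0]))]
    if not covering:
        return "notfound"
    for _, max_len, roa_origin in covering:
        if roa_origin == origin and net.prefixlen <= max_len:
            return "valid"
    return "invalid"

def best_route(dest, routes, max_prefixlen=24, roas=None):
    """Origin a viewer forwards `dest` to: longest prefix, then shortest AS
    path. Prefixes longer than max_prefixlen are filtered; when `roas` is
    given, ROV-invalid announcements are dropped before selection."""
    addr = ipaddress.ip_address(dest)
    candidates = []
    for prefix, origin, path in routes:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen > max_prefixlen or addr not in net:
            continue
        if roas is not None and rov_state(prefix, origin, roas) == "invalid":
            continue
        candidates.append((-net.prefixlen, len(path), origin))
    return min(candidates)[2] if candidates else None

def announcements(victim_path_len, hijacker_path_len, split=False):
    """Constructed scenario: victim and hijacker both announce the /24 as seen
    from one viewer; with split=True the victim also announces the two /25s."""
    vpath = [0] * (victim_path_len - 1) + [VICTIM]      # 0 = transit AS placeholder
    hpath = [0] * (hijacker_path_len - 1) + [HIJACKER]
    routes = [("192.0.2.0/24", VICTIM, vpath), ("192.0.2.0/24", HIJACKER, hpath)]
    if split:
        routes += [("192.0.2.0/25", VICTIM, vpath), ("192.0.2.128/25", VICTIM, vpath)]
    return routes

if __name__ == "__main__":
    roa = [("192.0.2.0/24", 24, VICTIM)]
    print("no ROV, hijacker closer:", best_route("192.0.2.10", announcements(3, 2)))
    print("ROV, hijacker closer:   ", best_route("192.0.2.10", announcements(3, 2), roas=roa))
    print("victim /25 under maxLength 24:", rov_state("192.0.2.0/25", VICTIM, roa))
```

Note the last line: a ROA whose maxLength stops at /24 makes the victim's own /25s RPKI-invalid, so the more-specific counter-announcement only helps at validating networks if the ROA's maxLength already allows it.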