Regarding smaller prefix for hijack protection

Anurag Bhatia me at anuragbhatia.com
Tue Sep 4 00:19:23 CDT 2012


I didn't realize the routing table size problem with /24's. Stupid me.



Thanks everyone for updates. Appreciate good answers.

On Fri, Aug 31, 2012 at 4:18 AM, George Herbert <george.herbert at gmail.com> wrote:

> On Thu, Aug 30, 2012 at 8:41 AM, William Herrin <bill at herrin.us> wrote:
> > On Thu, Aug 30, 2012 at 7:54 AM, Anurag Bhatia <me at anuragbhatia.com>
> wrote:
> >> Is using /24 a must to protect (a bit) against route hijacking?
> >
> > Hi Anurag,
> >
> > Not only is it _not_ a must, it doesn't work and it impairs your
> > ability to detect the fault.
> >
> > In a route hijacking scenario, traffic for a particular prefix will
> > flow to the site with the shortest AS path from the origin. Your /24
> > competes with their /24. Half the Internet, maybe more maybe less
> > depending on how well connected each of you are, will be inaccessible
> > to you.
>
> Preventively there seems to be no utility to this.
>
> Reactively, after a hijacking starts, has anyone tried announcing both
> (say) /24s for the block and (say) 2x /25s for it as well, to get
> more-specific under the hijacker?  Yes, a lot of places will filter
> and ignore, but those that don't ...
>
> (Yes, sign your prefixes now, on general principles)
>
>
> --
> -george william herbert
> george.herbert at gmail.com
>
>


-- 

Anurag Bhatia
anuragbhatia.com

Linkedin <http://in.linkedin.com/in/anuragbhatia21> |
Twitter<https://twitter.com/anurag_bhatia>|
Google+ <https://plus.google.com/118280168625121532854>
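
The route selection described in the quoted replies, as an added example that is not part of the original thread: a simplified Python model (import filter on prefix length, then longest-prefix match, then shortest AS path; local preference and other BGP tie-breakers are ignored) showing that an equal-length /24 only splits traffic by AS-path distance, and that reactive /25s help only at routers that accept them. The prefix, AS numbers, paths and function names are constructed for illustration.

```python
import ipaddress

OWNER, HIJACKER = 64500, 64511      # documentation ASNs, constructed
BLOCK = "203.0.113.0/24"            # documentation prefix, constructed
HALVES = ["203.0.113.0/25", "203.0.113.128/25"]

# Constructed vantage points: (AS path to owner, AS path to hijacker).
# Each path ends at the origin AS.
NEAR_OWNER = ([64496, OWNER], [64497, 64498, HIJACKER])
NEAR_HIJACKER = ([64497, 64498, OWNER], [64499, HIJACKER])


def select_route(dest, rib, max_len=24):
    """Return (prefix, origin AS) this router forwards dest to, or None.

    rib is a list of (prefix, as_path). Prefixes longer than max_len are
    dropped by the import filter; then longest prefix wins, then the
    shortest AS path.
    """
    addr = ipaddress.ip_address(dest)
    candidates = []
    for prefix, as_path in rib:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen <= max_len and addr in net:
            candidates.append((net, as_path))
    if not candidates:
        return None
    net, as_path = min(candidates, key=lambda c: (-c[0].prefixlen, len(c[1])))
    return str(net), as_path[-1]


def origin_seen(vantage, owner_prefixes, hijacker_prefixes, max_len=24,
                dest="203.0.113.10"):
    """Origin AS that receives traffic for dest from this vantage point."""
    to_owner, to_hijacker = vantage
    rib = [(p, to_owner) for p in owner_prefixes]
    rib += [(p, to_hijacker) for p in hijacker_prefixes]
    route = select_route(dest, rib, max_len)
    return route[1] if route else None


if __name__ == "__main__":
    for name, vantage in (("near owner", NEAR_OWNER), ("near hijacker", NEAR_HIJACKER)):
        print(name, "/24 vs /24:", origin_seen(vantage, [BLOCK], [BLOCK]))
        for max_len in (24, 25):
            seen = origin_seen(vantage, [BLOCK] + HALVES, [BLOCK], max_len)
            print(name, f"owner adds /25s, filter at /{max_len}:", seen)
```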

