Illegal usage of AS51888 (and PI 91.220.85.0/24) from AS42989 and AS57954 (in ukraine)

Nick Hilliard nick at foobar.org
Mon May 6 20:41:58 UTC 2013


On 06/05/2013 08:31, Adam Vitkovsky wrote:
> Well you can always jus lower the preference for a particular prefix based
> on the roa state or roa missing. 
> Than it is solely up to your customers whether they bother to register their
> prefixes to avoid hijacks or not, as you'll be ready on your part. 

yep, you can depref stuff but it won't necessarily do what you want.  E.g.
if someone in Iran decides to announce a more-specific for some prefix in
germany:

https://twitter.com/bgpmon/status/330777020395040768

then the roa validation process would return "invalid".  If you depref
this, the more-specific will still provide the best path, so it's pretty
useless.  The only way to handle this is to drop roa-invalid paths
completely, but it's not going to be possible to implement that as a
general routing policy until the rpki data is pretty good quality overall.

Nick





More information about the NANOG mailing list