AT&T/as7018 now drops invalid prefixes from peers

Matthew Walster matthew at walster.org
Tue Feb 12 14:50:53 UTC 2019


On Tue, 12 Feb 2019, 01:52 Jay Borkenhagen <jayb at braeburn.org> wrote:

> ... but there is one place where I disagree with Niels.  He advised
> against lowering the local-pref of invalid routes.  I agree that this
> should not be anyone's target policy, but it is a useful step along
> the way.
>

For initial deployment, this can seem attractive, but remember that one of
the benefits an ROA gives is specifying the maximum prefix length. This
means that someone can't hijack a /23 with a /24.

Lowering local pref on invalid means you're no longer protected (just
generating alerts) because longer prefix length always beats local
preference.

Once you are confident that you're not dropping anything valuable, the
local preference rule should move to dropping the route (not the traffic!)
from being installed.

M

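An added illustration of the point above (example code, not part of the original post or of any operator's configuration): a small RFC 6811 origin-validation check against constructed ROAs, followed by a toy RIB-to-FIB step that shows why a lowered local-pref on an invalid /24 still captures traffic for the covered /23, while refusing to install the route does not. The ROA, prefixes and ASNs are constructed from documentation ranges.

```python
from ipaddress import ip_address, ip_network

# Constructed ROA set: (prefix, maxLength, authorized origin ASN).
# maxLength 23 means no more-specific than the /23 is authorized.
ROAS = [(ip_network("192.0.2.0/23"), 23, 64496)]

# Constructed announcements: (prefix, origin ASN, local-pref as received).
# The /24 from AS64511 is a constructed example of an unauthorized more-specific.
ROUTES = [("192.0.2.0/23", 64496, 100), ("192.0.2.0/24", 64511, 100)]


def rpki_state(prefix, origin_asn, roas=ROAS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'notfound'."""
    net = ip_network(prefix)
    covering = [r for r in roas if net.subnet_of(r[0])]
    if not covering:
        return "notfound"
    for roa_prefix, max_len, asn in covering:
        if asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid"  # covered by a ROA, but wrong origin or too long


def install(routes, policy):
    """Pick one best path per prefix by highest local-pref and install it.
    policy='lower_pref': invalid routes stay, at local-pref 50.
    policy='drop': invalid routes are never installed (traffic is not dropped)."""
    fib = {}
    for prefix, asn, lp in routes:
        if rpki_state(prefix, asn) == "invalid":
            if policy == "drop":
                continue
            lp = 50
        net = ip_network(prefix)
        if net not in fib or lp > fib[net][1]:
            fib[net] = (asn, lp)
    return fib


def lookup(fib, addr):
    """Forwarding is longest-prefix match; local-pref played no part here."""
    ip = ip_address(addr)
    matches = [n for n in fib if ip in n]
    if not matches:
        return None
    return fib[max(matches, key=lambda n: n.prefixlen)][0]


if __name__ == "__main__":
    for policy in ("lower_pref", "drop"):
        print(policy, "-> 192.0.2.10 forwarded toward AS", lookup(install(ROUTES, policy), "192.0.2.10"))
```

With `lower_pref` the host in the /23 is forwarded toward the unauthorized /24 origin despite its lower local-pref; with `drop` it follows the valid /23.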