<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hello.., you are totally right, the first reason that came to my
mind is traffic engineering but there are other reasons too.<br>
</p>
<div class="moz-cite-prefix">On 5/22/19 12:40 PM, Tom Beecher wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAL9Qcx73SZ-o=1V8htNywMSjrCKZVUNnAifA4XSMgHKxp_hLXA@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">There are sometimes legitimate reasons to have a
covering aggregate with some more specific announcements.
Certainly there's a lot of cleanup that many should do in this
area, but it might not be the best approach to this issue. </div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Tue, May 21, 2019 at 5:30
AM Alejandro Acosta <<a
href="mailto:alejandroacostaalamo@gmail.com"
moz-do-not-send="true">alejandroacostaalamo@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
On 5/20/19 7:26 PM, John Kristoff wrote:<br>
> On Mon, 20 May 2019 23:09:02 +0000<br>
> Seth Mattinen <<a href="mailto:sethm@rollernet.us"
target="_blank" moz-do-not-send="true">sethm@rollernet.us</a>>
wrote:<br>
><br>
>> A good start would be killing any /24 announcement
where a covering<br>
>> aggregate exists.<br>
> I wouldn't do this as a general rule. If an attacker
knows networks are<br>
> 1) not pointing default, 2) dropping /24's, 3) not
validating the<br>
> aggregates, and 4) no actual legitimate aggregate exists,
(all<br>
> reasonable assumptions so far for many /24's), then they
have a pretty<br>
> good opportunity to capture that traffic.<br>
<br>
<br>
+1 John<br>
<br>
Seth approach could be an option _only_ if prefix has an
aggregate <br>
exists && as origin are the same<br>
<br>
<br>
> John<br>
</blockquote>
</div>
</blockquote>
</body>
</html>