On Thu, Mar 28, 2019 at 02:59:43PM +0100, Niels Bakker wrote:
* christopher.morrell.nanog@gmail.com (Christopher Morrell) [Thu 28 Mar 2019, 14:35 CET]:
I've been bit by this in the past at two different exchanges. I too have a policy applied to deny IXP LANs from upstreams and peers. It would be nice if there was a list of all IXP LANs somewhere that we could generically add to all upstream and peers.
I like Nick Hilliard's posted solution much better than creating static bogon lists that people will eventually forget about.
IXPs can use RPKI ROAs to signal to the world what their intentions are!

IXPs could either create a ROA with an Origin ASN of '0' to suggest to the world that the peering lan prefix should never be visible in the DFZ, or they can specify their own services ASN and simply not announce the prefix. In either case IXPs should carefully specify the Max Length value to be the same as the Prefix Length value of the peering lan prefix.

Kind regards,

Job
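Added example, not part of the original message: a minimal RFC 6811 route origin validation check, showing how a validating network would classify announcements of an IXP peering LAN under the two ROA options described above, and what changes when Max Length is looser than the prefix length. The prefix 192.0.2.0/24 and the ASNs 64496 (IXP services ASN) and 64500 (some other network) are documentation values assumed for illustration.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: str       # prefix the ROA covers
    max_length: int   # longest prefix length the ROA authorises
    asn: int          # authorised origin ASN (0 = nobody may originate)

def validate(route_prefix, origin_asn, roas):
    """Classify a BGP announcement as 'valid', 'invalid' or 'not-found' (RFC 6811)."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue  # this ROA says nothing about the route
        covered = True
        # An AS0 ROA covers the route but can never match any origin.
        if roa.asn != 0 and roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"

# Constructed sample data (documentation prefix and ASNs, not a real IXP).
LAN = "192.0.2.0/24"
AS0_ROA = [ROA(LAN, 24, 0)]           # option 1: origin AS0
SERVICES_ROA = [ROA(LAN, 24, 64496)]  # option 2: services ASN, Max Length == prefix length
LOOSE_ROA = [ROA(LAN, 32, 64496)]     # Max Length left wider than the prefix length

def scenarios():
    """Return (description, validation state) for each case discussed."""
    return [
        ("AS0 ROA, LAN leaked by AS64500", validate(LAN, 64500, AS0_ROA)),
        ("AS0 ROA, /25 of LAN leaked by AS64500", validate("192.0.2.0/25", 64500, AS0_ROA)),
        ("services ROA, LAN leaked by AS64500", validate(LAN, 64500, SERVICES_ROA)),
        ("services ROA, /25 with origin AS64496", validate("192.0.2.0/25", 64496, SERVICES_ROA)),
        ("loose ROA, /25 with origin AS64496", validate("192.0.2.0/25", 64496, LOOSE_ROA)),
        ("unrelated prefix, no covering ROA", validate("198.51.100.0/24", 64500, AS0_ROA)),
    ]

if __name__ == "__main__":
    for description, state in scenarios():
        print(f"{state:10} {description}")
```

Networks that drop RPKI-invalid routes reject every leaked announcement of the LAN in the first four cases; only the loose Max Length case lets a more-specific through as valid.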