Some IX'es set communities telling which member announced that prefix; if SIX is one of those, that can be used to automate origin verification. Rubens On Mon, Oct 4, 2021 at 2:08 PM Randy Bush <randy@psg.com> wrote:
so i have an AS (3130) which peers at the SIX (RSs and some direct).
in the hope that leak detectors such as artemis would stop false positives when they see my prefixes announced customer cones of SIX peers, i want to add the SIX peers to my aut-num: policy.
export: to AS-SEATTLEIX-RS-CLIENTS announce AS-RG-SEA
seems clear and obvious. but
import: from AS-SEATTLEIX-RS-CLIENTS accept AS-SEATTLEIX-RS-CLIENTS
would seem to allow bill's bait and sushi to announce microsoft to me. and i am not sure that expansive `from` clause is actually allowed.
what are others in this space doing?
[ and let's not descend into the rat-hole of dissing the IRR. i have heard of this RPKI thing and might try it some day. ]
randy
--- randy@psg.com `gpg --locate-external-keys --auto-key-locate wkd randy@psg.com` signatures are back, thanks to dmarc header butchery