On Sun, 22 Oct 2023 at 18:10, William Herrin <bill@herrin.us> wrote:
> Then someone comes along and advertises a portion of the RIR space larger than any allocation. Since your subnet is intentionally absent from the Internet, that larger route draws the packets allowing a hijack of your address space.
> In essence, this means that a ROA to AS0 doesn't work as intended.
Right, so in order to discard packets towards a network, it’s more robust to actually advertise the IP space which you don’t intend to publicly use, and use ACLs on that edge to discard the packets yourself (rather than relying on all other ISPs having deployed ROV and less-specifics not existing).

Given the frequency of ISPs accidentally announcing giant blocks, and this apparently not causing much grief https://www.ripe.net/ripe/mail/archives/routing-wg/2022-July/004588.html I’m skeptical there is much need for change.

As to Ruben’s point - when an ISP is operating their network with a default route & an incomplete routing table, indeed chances are packets will end up on the wrong path … because the ISP is using an incomplete routing table.

Kind regards,

Job
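
The behaviour discussed in this thread, as an added example that is not part of the original messages: RFC 6811 origin validation followed by longest-prefix match, showing that an AS0 ROA only invalidates routes it covers, so a less-specific announcement still attracts the traffic, while originating the prefix yourself keeps it on your edge. All prefixes and ASNs are constructed from documentation ranges, and the function names are illustrative.

```python
import ipaddress

# Constructed sample data: documentation prefixes (RFC 5737) and ASNs (RFC 5398).
AS0_ROAS = [("192.0.2.128/25", 25, 0)]         # (prefix, maxLength, origin ASN)
HOLDER_ROAS = [("192.0.2.128/25", 25, 64496)]  # holder originates the space itself
COVERING = ("192.0.2.0/24", 64511)             # less-specific from another network
EXACT_OTHER = ("192.0.2.128/25", 64511)        # same prefix, origin not in any ROA

def rov_state(prefix, origin_asn, roas):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue  # this ROA does not cover the route at all
        covered = True
        # AS0 can never match a route's origin, so an AS0 ROA only invalidates.
        if roa_asn != 0 and roa_asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"

def build_rib(announcements, roas):
    """Routes a ROV-enforcing router keeps: everything that is not 'invalid'."""
    return [(p, asn) for p, asn in announcements
            if rov_state(p, asn, roas) != "invalid"]

def forward(dst, rib):
    """Longest-prefix match: (prefix, origin ASN), or None when unroutable."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), asn) for p, asn in rib
            if addr in ipaddress.ip_network(p)]
    if not hits:
        return None
    net, asn = max(hits, key=lambda h: h[0].prefixlen)
    return (str(net), asn)

def scenarios(dst="192.0.2.200"):
    """Where packets for dst go under each set of ROAs and announcements."""
    return {
        "as0_only": forward(dst, build_rib([EXACT_OTHER], AS0_ROAS)),
        "as0_plus_covering": forward(dst, build_rib([EXACT_OTHER, COVERING], AS0_ROAS)),
        "holder_announces": forward(dst, build_rib(
            [("192.0.2.128/25", 64496), COVERING], HOLDER_ROAS)),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

In the last scenario the packets arrive at the holder's own edge, which is where the ACL described above discards them.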