Thus spake Niels Bakker (niels=nanog@bakker.net) on Thu, Sep 26, 2024 at 07:09:06PM +0200:
* ssw@internet2.edu (Steven Wallace) [Thu 26 Sep 2024, 18:36 CEST]:
One of the DDoS mitigation providers we work with creates proxy route objects for its customers' prefixes. These route objects specify a common origin ASN rather than the actual origin ASN that would be seen in routing tables. Their rationale is to bind the prefixes to a single ASN, allowing the entire set of customer routes to be announced via an as-set.
Is this a common approach?
I don't think there really are enough DDoS mitigation providers to speak of anything being common in that industry.
Any IRRdb worth their salt will have such prefixes removed automatically if the protected entity is worth their salt and created RPKI ROAs for the prefixes in question, of course.
True enough...
Wouldn't route-set be the better way to create a collection of routes..? https://www.ripe.net/publications/docs/ripe-358/#1220
An issue I have seen here and there is that some folks have a sort of underlying expectation that their network should maintain one master IRR object representing their potential downstream cone. Given that one can't reference a route-set from an as-set, records like these potentially could have been created in that context.
Dale
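Added example, not part of the thread and not any IRR operator's code: a sketch of the RPKI check referred to above, applying RFC 6811 origin validation to IRR route objects to show why a proxy object carrying the mitigation provider's common origin ASN becomes invalid once the customer publishes a ROA. The prefixes, ASNs and the `filter_irr` helper are constructed for illustration, and it is an assumption that the IRR database drops RPKI-invalid objects.

```python
import ipaddress

# Constructed sample data: documentation prefixes (RFC 5737) and ASNs (RFC 5398).
# ROAs as the protected customers might publish them: (prefix, maxLength, origin ASN)
ROAS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/24", 24, 64497),
]

# Route objects as registered in an IRR database: (route, origin ASN).
# AS64511 stands in for the mitigation provider's common origin ASN.
ROUTE_OBJECTS = [
    ("192.0.2.0/24", 64496),     # customer's own object
    ("192.0.2.0/24", 64511),     # proxy object, customer has a ROA
    ("198.51.100.0/24", 64511),  # proxy object, customer has a ROA
    ("203.0.113.0/24", 64511),   # proxy object, customer has no ROA
]

def rov_state(route, origin, roas):
    """Return 'valid', 'invalid' or 'not-found' per RFC 6811."""
    net = ipaddress.ip_network(route)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue  # this ROA does not cover the route
        covered = True
        # An AS0 ROA never matches any origin.
        if roa_asn != 0 and roa_asn == origin and net.prefixlen <= max_len:
            return "valid"
    # Covered by at least one ROA but matched by none: invalid.
    return "invalid" if covered else "not-found"

def filter_irr(route_objects, roas):
    """Split route objects into (kept, dropped); only RPKI-invalid ones are dropped."""
    kept, dropped = [], []
    for obj in route_objects:
        target = dropped if rov_state(obj[0], obj[1], roas) == "invalid" else kept
        target.append(obj)
    return kept, dropped

if __name__ == "__main__":
    kept, dropped = filter_irr(ROUTE_OBJECTS, ROAS)
    for route, origin in ROUTE_OBJECTS:
        print(f"{route:18} AS{origin}  {rov_state(route, origin, ROAS)}")
    print("dropped:", dropped)
```

The proxy object for the prefix without a ROA is "not-found" and stays registered, so the filtering only takes effect for customers who have created ROAs.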