On Jan 10, 2020, at 13:18, Brandon Martin <lists.nanog@monmotha.net> wrote:
> On 1/10/20 2:49 PM, Baldur Norddahl wrote:
>> The only way for me to send out traffic to bogons is if one my peers announces a bogon prefix. Even if I did null route bogons, manually or through the use of the Cymru service, a peer could still announce a more specific and override that.
> The idea isn't necessarily that you explicitly null-route them but rather that you block/ignore announcements of them on the assumption that malfeasants may be attempting to squat on them or otherwise use them for some form of, well, malfeasance. As such, the filter you build isn't just e.g. "2a10::/12" (if indeed that range was to be considered a single bogon) but rather "2a10::/12 ge 12" which means you'd block more-specifics within that range, too.
>> Is there a way to use the RPKI system to ensure bogons are simply invalid? Seems much more effective to me.
> Someone like ICANN or IANA could publish an ROA to a reserved ASN (or to no ASN - is that possible?) for all unallocated space or something of the like, I suppose.
There is, in fact, an RFC for this which covers use of AS0 in ROAs to represent “Should Not Be Announced”. Policy has been proposed in RIPE, AfriNIC, and LACNIC. Policy has been adopted in APNIC and is in the process of implementation. Policy has not (yet) been proposed in ARIN. IIRC, IANA (via ICANN) has committed to start doing this for space not yet allocated to RIRs.

Owen
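The three mechanisms discussed in the thread (a null route that a more-specific overrides, a prefix-list import filter with a `ge` clause, and an AS0 ROA that makes every announcement of the covered space RPKI-invalid) can be compared side by side with a small model. The following is an added example, not code from any of the posters; the route-origin-validation logic follows RFC 6811 and the AS0 semantics of RFC 6483 section 4 and RFC 7607, and all prefixes, ROAs, next-hop labels and AS numbers are constructed for illustration (2a10::/12 is used only because Brandon used it as a hypothetical bogon range; 2001:db8::/32 and the 64496-64511 ASNs are documentation values).

```python
"""Model of the three bogon-handling options from the thread (added example).

- longest_match_nexthop: shows why a null route alone is overridden by a peer's
  more-specific announcement.
- bogon_filter_rejects: the "prefix ge N" import filter, which rejects the
  range and every more-specific inside it.
- rov_state: RFC 6811 route origin validation; an AS0 ROA covering a range
  makes every announcement inside it 'invalid' (it can never match, because
  no route legitimately originates from AS 0).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ROA:
    prefix: str       # ROA prefix, e.g. "2a10::/12"
    max_length: int   # maxLength attribute of the ROA
    origin_asn: int   # 0 = "should not be announced" (RFC 6483 s.4 / RFC 7607)


def _covers(container: str, announced: ipaddress._BaseNetwork) -> bool:
    """True if `announced` lies inside `container` (same address family)."""
    net = ipaddress.ip_network(container, strict=False)
    return net.version == announced.version and announced.subnet_of(net)


def longest_match_nexthop(dest_ip: str, rib: List[Tuple[str, str]]) -> str:
    """Forwarding lookup: the most specific matching prefix wins, which is
    exactly why a /12 null route does not stop traffic to a peer's /48."""
    ip = ipaddress.ip_address(dest_ip)
    best: Optional[Tuple[ipaddress._BaseNetwork, str]] = None
    for pfx, nexthop in rib:
        net = ipaddress.ip_network(pfx, strict=False)
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, nexthop)
    return best[1] if best else "no-route"


def bogon_filter_rejects(announced_prefix: str,
                         entries: List[Tuple[str, int]]) -> bool:
    """Prefix-list style import filter. An entry (prefix, ge) rejects any
    announcement inside `prefix` whose length is >= ge, so "2a10::/12 ge 12"
    drops the /12 itself and all more-specifics within it."""
    ann = ipaddress.ip_network(announced_prefix, strict=False)
    return any(_covers(pfx, ann) and ann.prefixlen >= ge for pfx, ge in entries)


def rov_state(announced_prefix: str, origin_asn: int, roas: List[ROA]) -> str:
    """Route Origin Validation (RFC 6811): 'valid', 'invalid' or 'not-found'."""
    ann = ipaddress.ip_network(announced_prefix, strict=False)
    covering = [r for r in roas if _covers(r.prefix, ann)]
    if not covering:
        return "not-found"
    for roa in covering:
        # An AS0 ROA never matches any origin, so it can only push the
        # result towards 'invalid'; a normal ROA matches on ASN and maxLength.
        if (roa.origin_asn != 0 and roa.origin_asn == origin_asn
                and ann.prefixlen <= roa.max_length):
            return "valid"
    return "invalid"


# Constructed sample data for the demonstration.
EXAMPLE_RIB = [("2a10::/12", "null0"),          # operator's own null route
               ("2a10:1::/48", "peer-A")]       # more-specific from a peer
EXAMPLE_FILTER = [("2a10::/12", 12)]            # Brandon's "2a10::/12 ge 12"
EXAMPLE_ROAS = [ROA("2a10::/12", 128, 0),       # hypothetical AS0 ROA for the range
                ROA("2001:db8::/32", 48, 64496)]  # ordinary ROA for comparison


if __name__ == "__main__":
    print("forwarding for 2a10:1::1 ->", longest_match_nexthop("2a10:1::1", EXAMPLE_RIB))
    print("filter rejects 2a10:1::/48 ->", bogon_filter_rejects("2a10:1::/48", EXAMPLE_FILTER))
    print("ROV 2a10:1::/48 from AS64500 ->", rov_state("2a10:1::/48", 64500, EXAMPLE_ROAS))
    print("ROV 2001:db8::/32 from AS64496 ->", rov_state("2001:db8::/32", 64496, EXAMPLE_ROAS))
```

Running the script shows the contrast Baldur and Brandon were drawing: with only the null route, traffic to 2a10:1::1 follows the peer's /48; the `ge 12` filter rejects that /48 at import; and with an AS0 ROA covering the range, the /48 is RPKI-invalid no matter which AS originates it, while an ordinary ROA still validates the legitimate origin and rejects over-long or wrong-origin announcements.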