I oppose wholesale filtering by allocation size policy as an acceptable metric for reducing your RIB.
There are legitimate reasons to announce only /24s within a /21 or /22 PI allocation, for example. Perhaps an org has diverse networks in multiple cities and doesn't want to be beholden to upstream PA space. One may argue, "build a proper network, noob," but there may not be a business case for sufficient interconnect between sites to have a consistent origin AS.
If one could filter in such a way that one only aggregated prefixes
back to their allocated size when the AS path (or even origin AS) is
the same, then you won't be breaking anyone, and will put the kibosh on
the noobs who deagg for no good reason (but no vendor is giving us a
'filter-stupid' knob yet).
Filtering/aggregating outside your local RIR seems like a better plan to me (for some networks, anyway). You're a whole lot less likely to have a bad/missing path, and you still have sufficient knobs to engineer most outbound flows.
-Kevin Blackham
(recently moved from provider to end network using non-XL PFC)
Thus spake "Kevin Loch" <kloch@kl.net>
> Stephen Sprunk wrote:
>> Sucks to be them. If they do not have enough PA space to meet
>> the RIR minima, the community has decided they're not "worthy"
>> of a slot in the DFZ by denying them PI space.
>
> Not true, there is an ARIN policy that allows you to get a /24 from
> one of your providers even if you only need 1 IP address:
>
> NRPM 4.2.3.6
>
> "This policy allows a downstream customer's multihoming
> requirement to serve as justification for a /24 reassignment from
> their upstream ISP, regardless of host requirements."
>
> http://www.arin.net/policy/nrpm.html
If the PA /24 is under 199/8 or 204-207/8, then the filters being discussed
would allow their advertisement through, because ARIN's minimum allocation
for those blocks is /24. In ARIN's 22 other /8s, the filters would not
because the minimum is /20 (or /22, for 208/8).
Let's also keep in mind that if other folks block a PA more-specific, the
site doesn't lose connectivity unless they lose their upstream connection to
the LIR that assigned them the block. I suspect that many of them already
see that behavior today, at least partially; we're really discussing making
it a near-complete outage versus a semi-outage. That's life if you don't
qualify for a real routing slot via PI.
S
Stephen Sprunk
CCIE #3723
K5SSS

"God does not play dice." --Albert Einstein
"God is an inveterate gambler, and He throws the dice at every possible opportunity." --Stephen Hawking
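The two filtering behaviours discussed in this thread, side by side, as an added example that is not part of either message. The per-/8 minimums are the ones quoted above; the sample routes and ASNs are constructed, the /20 default is applied to every /8 not named (an assumption), and the same-origin rule is approximated as dropping a too-long prefix only when a covering route with the same origin AS is present.

```python
import ipaddress

# Minimum allocation lengths per /8, as quoted in the thread.
MIN_ALLOC = {199: 24, 204: 24, 205: 24, 206: 24, 207: 24, 208: 22}
DEFAULT_MIN = 20  # assumption: used for every /8 the thread does not name

# Constructed sample table: (prefix, origin AS). ASNs are documentation-range.
ROUTES = [(ipaddress.ip_network(p), asn) for p, asn in [
    ("199.10.1.0/24", 64496),  # /24 inside a block whose minimum is /24
    ("208.64.0.0/22", 64497),  # exactly at the 208/8 minimum
    ("208.64.4.0/24", 64497),  # too long, no covering route in the table
    ("66.10.0.0/20", 64498),   # aggregate at the /20 minimum
    ("66.10.4.0/24", 64498),   # deaggregate, same origin as its aggregate
    ("66.10.8.0/24", 64499),   # PA more-specific, different origin AS
]]

def min_alloc_len(net):
    """Minimum allocation length for the /8 that contains net."""
    return MIN_ALLOC.get(int(net.network_address) >> 24, DEFAULT_MIN)

def strict_filter(routes):
    """Wholesale policy: drop anything longer than the block minimum."""
    return [(n, a) for n, a in routes if n.prefixlen <= min_alloc_len(n)]

def same_origin_filter(routes):
    """Drop a too-long prefix only if a covering route has the same origin."""
    kept = []
    for net, origin in routes:
        too_long = net.prefixlen > min_alloc_len(net)
        covered = any(o == origin and c != net and net.subnet_of(c)
                      for c, o in routes)
        if not (too_long and covered):
            kept.append((net, origin))
    return kept

def dropped(routes, kept):
    """Prefixes present in routes but absent from kept, as strings."""
    return [str(n) for n, a in routes if (n, a) not in kept]

if __name__ == "__main__":
    print("strict drops:     ", dropped(ROUTES, strict_filter(ROUTES)))
    print("same-origin drops:", dropped(ROUTES, same_origin_filter(ROUTES)))
```

The strict policy removes the different-origin more-specific along with the pointless deaggregate, while the same-origin rule removes only the prefix whose traffic would follow the same origin anyway.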