Hello.., you are totally right, the first reason that came to my mind is traffic engineering but there are other reasons too. On 5/22/19 12:40 PM, Tom Beecher wrote:
There are sometimes legitimate reasons to have a covering aggregate with some more specific announcements. Certainly there's a lot of cleanup that many should do in this area, but it might not be the best approach to this issue.
On Tue, May 21, 2019 at 5:30 AM Alejandro Acosta <alejandroacostaalamo@gmail.com <mailto:alejandroacostaalamo@gmail.com>> wrote:
On 5/20/19 7:26 PM, John Kristoff wrote: > On Mon, 20 May 2019 23:09:02 +0000 > Seth Mattinen <sethm@rollernet.us <mailto:sethm@rollernet.us>> wrote: > >> A good start would be killing any /24 announcement where a covering >> aggregate exists. > I wouldn't do this as a general rule. If an attacker knows networks are > 1) not pointing default, 2) dropping /24's, 3) not validating the > aggregates, and 4) no actual legitimate aggregate exists, (all > reasonable assumptions so far for many /24's), then they have a pretty > good opportunity to capture that traffic.
+1 John
Seth approach could be an option _only_ if prefix has an aggregate exists && as origin are the same
> John