On Wed, Jul 01, 2015 at 12:02:40AM +0200, Tore Anderson wrote:
I was thinking that when I posted yesterday.
These were announcements from a peer, not customer routes.
We are lowering our max prefix limits on many peers as a result of this.
We are also going towards more prefix filtering on peers beyond bogons and martians.
You're not mentioning RPKI here. Any particular reason why not?
If I understand correctly, in today's leak the origin AS was changed/reset, so RPKI ought to have saved the day. (At least Grzegorz' day, considering that 33 of AS43996's prefixes are covered by ROAs.)
This assessment is correct, however there might be some constraints in play with regard to RPKI, which are not really related to RPKI itself, which prohibit meaningful deployment.

I've seen a few obstacles myself:

- equipment might not support the RTR protocol to validate announcements against the cache validator
- Legal obstacles in obtaining the anchors from all RIRs
- when not using the RTR protocol but generating prefix-list filters based on RPKI data, the devices might not support sufficient entries.

Would be good if other people share obstacles, and possibly, the methods they used to overcome those. I'll count "not using brocade" as a valid method.

Kind regards,

Job
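
The origin check discussed in this thread, as an added example that is not from any poster: RFC 6811 route origin validation over constructed VRPs, plus a count of the filter entries a device without RTR would need. The prefixes and ASNs are documentation values, and `validate` and `entries_needed` are hypothetical names.

```python
import ipaddress

# Constructed VRPs (validated ROA payloads): (prefix, maxLength, origin ASN).
# Documentation prefixes and ASNs only, not real routing data.
VRPS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/24", 26, 64497),
    ("2001:db8::/32", 48, 64496),
]

def validate(prefix, origin_asn, vrps=VRPS):
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'notfound'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, asn in vrps:
        vrp = ipaddress.ip_network(vrp_prefix)
        if route.version != vrp.version or not route.subnet_of(vrp):
            continue  # this VRP does not cover the announced prefix
        covered = True
        # A match needs the same origin and a length within maxLength; AS0 never matches.
        if asn == origin_asn and asn != 0 and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "notfound"

def entries_needed(vrps=VRPS, length_ranges=True):
    """Filter entries for a device without RTR (assumption: one entry per VRP
    when it can match a length range, else one per permitted exact prefix)."""
    if length_ranges:
        return len(vrps)
    total = 0
    for vrp_prefix, max_len, _asn in vrps:
        base = ipaddress.ip_network(vrp_prefix).prefixlen
        total += sum(2 ** (length - base) for length in range(base, max_len + 1))
    return total

# Constructed announcements: (prefix, origin ASN seen in the AS path).
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),     # legitimate origin
    ("192.0.2.0/24", 64511),     # leak with the origin AS changed
    ("198.51.100.0/27", 64497),  # right origin, longer than maxLength
    ("203.0.113.0/24", 64511),   # no covering VRP
]

if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(f"{prefix:18} AS{asn}  {validate(prefix, asn)}")
    print("entries with ranges:", entries_needed())
    print("entries without ranges:", entries_needed(length_ranges=False))
```

A route with no covering VRP comes back as `notfound` rather than `invalid`, so a policy that only drops invalids does nothing for prefixes without ROAs.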