22 May 2019, 12:40 p.m.
There are sometimes legitimate reasons to have a covering aggregate with some more specific announcements. Certainly there's a lot of cleanup that many should do in this area, but it might not be the best approach to this issue.

On Tue, May 21, 2019 at 5:30 AM Alejandro Acosta <alejandroacostaalamo@gmail.com> wrote:
>
> On 5/20/19 7:26 PM, John Kristoff wrote:
> > On Mon, 20 May 2019 23:09:02 +0000
> > Seth Mattinen <sethm@rollernet.us> wrote:
> >
> >> A good start would be killing any /24 announcement where a covering
> >> aggregate exists.
> > I wouldn't do this as a general rule. If an attacker knows networks are
> > 1) not pointing default, 2) dropping /24's, 3) not validating the
> > aggregates, and 4) no actual legitimate aggregate exists, (all
> > reasonable assumptions so far for many /24's), then they have a pretty
> > good opportunity to capture that traffic.
>
> +1 John
>
> Seth's approach could be an option _only_ if the prefix has an existing aggregate && the origin AS is the same
>
> > John
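To make the rule Alejandro proposes concrete (drop a /24 only when a covering aggregate exists in the table AND its origin AS matches the /24's origin), here is an added example that is not code from anyone in the thread. The routing table, prefixes and ASNs are constructed; the check only compares origin ASNs as announced and, as John notes, does not validate that the aggregate itself is legitimate.

```python
import ipaddress

# Constructed sample table of (prefix, origin ASN); not real announcements.
SAMPLE_TABLE = [
    ("192.0.0.0/22", 64500),     # covering aggregate
    ("192.0.2.0/24", 64500),     # covered, same origin as the aggregate
    ("192.0.3.0/24", 64501),     # covered, but a different origin
    ("198.51.100.0/24", 64502),  # no covering aggregate in the table
]


def covering_aggregates(prefix, table):
    """Return (aggregate, origin) entries that are less specific than
    prefix and contain it (same address family only)."""
    net = ipaddress.ip_network(prefix)
    found = []
    for p, origin in table:
        agg = ipaddress.ip_network(p)
        if (agg.version == net.version and agg.prefixlen < net.prefixlen
                and net.subnet_of(agg)):
            found.append((p, origin))
    return found


def classify_slash24(prefix, origin, table):
    """Apply the thread's rule to one /24.
    'drop'               -> a covering aggregate with the same origin exists
    'keep-other-origin'  -> covered, but no aggregate shares the origin
    'keep-no-aggregate'  -> nothing in the table covers it"""
    aggs = covering_aggregates(prefix, table)
    if not aggs:
        return "keep-no-aggregate"
    if any(agg_origin == origin for _, agg_origin in aggs):
        return "drop"
    return "keep-other-origin"


def evaluate(table):
    """Classify every IPv4 /24 in the table; returns {prefix: verdict}."""
    verdicts = {}
    for p, origin in table:
        net = ipaddress.ip_network(p)
        if net.version == 4 and net.prefixlen == 24:
            verdicts[p] = classify_slash24(p, origin, table)
    return verdicts


if __name__ == "__main__":
    for p, verdict in evaluate(SAMPLE_TABLE).items():
        print(p, verdict)
```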