is it common to proxy register route objects for the purpose of grouping them for use in an as-set
Greeting,
One of the DDoS mitigation providers we work with creates proxy route objects for its customers’ prefixes. These route objects specify a common origin ASN rather than the actual origin ASN that would be seen in routing tables. Their rationale is to bind the prefixes to a single ASN, allowing the entire set of customer routes to be announced via an as-set.
Is this a common approach?
Just curious.
thanks,
steve
Steven Wallace Director - Routing Integrity Internet2 ssw@internet2.edu
* ssw@internet2.edu (Steven Wallace) [Thu 26 Sep 2024, 18:36 CEST]:
> One of the DDoS mitigation providers we work with creates proxy route objects for its customers’ prefixes. These route objects specify a common origin ASN rather than the actual origin ASN that would be seen in routing tables. Their rationale is to bind the prefixes to a single ASN, allowing the entire set of customer routes to be announced via an as-set.
> Is this a common approach?
I don't think there really are enough DDoS mitigation providers to speak of anything being common in that industry.
Any IRRdb worth their salt will have such prefixes removed automatically if the protected entity is worth their salt and created RPKI ROAs for the prefixes in question, of course.
Wouldn't route-set be the better way to create a collection of routes..? https://www.ripe.net/publications/docs/ripe-358/#1220
-- Niels.
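The filtering mentioned in the reply above, route objects being dropped when they conflict with RPKI ROAs, can be sketched with RFC 6811 origin validation. This is an added example, not part of the original thread or any IRR operator's code; the ROAs, prefixes and ASNs are constructed from documentation ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data: documentation prefixes (RFC 5737) and ASNs (RFC 5398).
ROAS = [("192.0.2.0/24", 24, 64496),     # (prefix, maxLength, authorised origin)
        ("198.51.100.0/24", 24, 64497)]
IRR_DUMP = """\
route:  192.0.2.0/24
origin: AS64496

route:  192.0.2.0/24
descr:  proxy object, common origin for an as-set
origin: AS64511

route:  198.51.100.0/25
origin: AS64497

route:  203.0.113.0/24
origin: AS64511
"""

def parse_route_objects(rpsl_text):
    """Return (network, origin ASN) for each route/route6 object."""
    found = []
    for block in rpsl_text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and not line[0].isspace():   # skip continuation lines
                attrs.setdefault(key.strip().lower(), value.strip())
        prefix = attrs.get("route") or attrs.get("route6")
        if prefix and attrs.get("origin", "").upper().startswith("AS"):
            found.append((ipaddress.ip_network(prefix), int(attrs["origin"][2:])))
    return found

def rov_state(prefix, origin, roas):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        net = ipaddress.ip_network(roa_prefix)
        if net.version != prefix.version or not prefix.subnet_of(net):
            continue
        covered = True                          # at least one ROA covers the prefix
        if roa_asn == origin and roa_asn != 0 and prefix.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"

def rpki_invalid_objects(rpsl_text, roas):
    """Route objects covered by a ROA that match none: candidates for removal."""
    return [(str(p), a) for p, a in parse_route_objects(rpsl_text)
            if rov_state(p, a, roas) == "invalid"]

if __name__ == "__main__":
    print(rpki_invalid_objects(IRR_DUMP, ROAS))
```

The 203.0.113.0/24 object has no covering ROA, so it is "not-found" and survives; the filtering only catches proxy objects for prefixes whose holder has published ROAs.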
Thus spake Niels Bakker (niels=nanog@bakker.net) on Thu, Sep 26, 2024 at 07:09:06PM +0200:
> * ssw@internet2.edu (Steven Wallace) [Thu 26 Sep 2024, 18:36 CEST]:
>> One of the DDoS mitigation providers we work with creates proxy route objects for its customers’ prefixes. These route objects specify a common origin ASN rather than the actual origin ASN that would be seen in routing tables. Their rationale is to bind the prefixes to a single ASN, allowing the entire set of customer routes to be announced via an as-set.
>> Is this a common approach?
> I don't think there really are enough DDoS mitigation providers to speak of anything being common in that industry.
> Any IRRdb worth their salt will have such prefixes removed automatically if the protected entity is worth their salt and created RPKI ROAs for the prefixes in question, of course.
True enough...
> Wouldn't route-set be the better way to create a collection of routes..? https://www.ripe.net/publications/docs/ripe-358/#1220
An issue I have seen here and there is that some folks have a sort of underlying expectation that their network should maintain one master IRR object representing their potential downstream cone. Given that one can't reference a route-set from an as-set, records like these potentially could have been created in that context.
Dale
What I can say as an operator of one IRR, is that any proxy object is killed on sight. So this DDoS mitigation provider will probably need to look elsewhere for pulling this off.
Rubens
On Thu, Sep 26, 2024 at 11:34 AM Steven Wallace <ssw@internet2.edu> wrote:
> Greeting,
> One of the DDoS mitigation providers we work with creates proxy route objects for its customers’ prefixes. These route objects specify a common origin ASN rather than the actual origin ASN that would be seen in routing tables. Their rationale is to bind the prefixes to a single ASN, allowing the entire set of customer routes to be announced via an as-set.
> Is this a common approach?
> Just curious.
> thanks,
> steve
> Steven Wallace Director - Routing Integrity Internet2 ssw@internet2.edu
participants (4)
- Dale W. Carder
- Niels Bakker
- Rubens Kuhl
- Steven Wallace