This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[db-wg] Route(6) objects
- Previous message (by thread): [db-wg] Route(6) objects
- Next message (by thread): [db-wg] Route(6) objects
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Ben Cartwright-Cox
ripencc at benjojo.co.uk
Fri Jul 7 15:54:59 CEST 2023
Hey Kaupo,

Typically there are two ways of handling route/route6 objects:

(1) A provider/peer will take them literally and won't allow smaller prefixes (for example, if I were to do a /22, then the provider who is building the filters may not allow a /24 from that /22). (However, this practice seems to be less common.)

(2) The provider/peer will implicitly allow from that /22 all the way to a /24 (or on IPv6, /32 to /48). In this case you just need to create a matching /32 route6 and almost all peers and providers will allow more specifics of that /32 to be originated from that ASN as well.

IRR does not really have a way to limit the "more specific" risk. However, with RPKI adoption increasingly being deployed, an RPKI Invalid (due to max-length) won't get that far anyway, at least in transit carriers.

tl;dr just make another route6 for your DDoS mitigation provider's ASN and you should be fine for almost all cases.

On Thu, Jul 6, 2023 at 8:14 AM Kaupo Ehtnurm via db-wg <db-wg at ripe.net> wrote:
>
> Hello
>
> For example, I have the 2001:1234::/32 IPv6 network.
> And I want to start using a DDoS protection service that one of my IP transit providers offers.
> But my edge routers are multihomed, and enabling DDoS protection on one transit provider lets half of the attack still come in from our other IP transit providers in case of a DDoS attack.
> But if our IP transit provider that also provides DDoS protection would hijack the routes from us with more specific routes, then instead of traffic flowing from my other IP transit providers to my AS it flows to my DDoS protection provider's AS.
> Route hijacking solves the problem where half of the attack still comes in to my AS from other transit providers.
> In order for the DDoS protection service provider to be able to hijack the routes correctly from us, we need to have more specific ROA and route(6) objects done.
> With ROA it is easy, I just create the following ROA: "2001:1234::/32 max length 48 ASN AS1234"
> But with route(6) objects this isn't so easy, because these objects don't have max length or any other operators that it accepts.
> And because of that I need to hope that the entire internet accepts all the /48s that fit into the 2001:1234::/32 prefix if I have the following route6 object: "2001:1234::/32 AS1234".
> But to be correct with my DB records I would need to make all the /48 route6 objects that fit into that /32, and instead of 1 object I need to create 65536 objects.
> First of all, I would hit the object creation limit per day in the RIPE DB. With this limit enabled, I would create the records over 2 months.
> And the manageability of those records would be a nightmare.
>
> If ROAs and route(6) objects go hand-in-hand anyway most of the time, then why can't route objects have "max length" or some kind of operator like ROAs have?
>
>
> Lugupidamisega / Best regards,
>
> Kaupo Ehtnurm
>
>
> Network & System administrator
> WaveCom AS
> ISO 9001 & 27001 Certified DC and verified VMware Cloud
> kaupo at wavecom.ee | +372 5685 0002
> Endla 16, Tallinn 10142 Estonia | www.wavecom.ee
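The two IRR filter-building behaviours Ben describes, and the RPKI max-length check he contrasts them with, can be modelled in a few lines. The following is an added example written for this archive page, not code from either poster or from the RIPE Database: it evaluates a /48 announcement against a single `2001:1234::/32` route6/ROA pair for AS1234 (the values from the thread) under the "exact match" policy (1) and the "allow more specifics up to /48" policy (2), then shows the effect of adding a second route6 and ROA for the DDoS mitigation provider. The mitigation provider's ASN (AS64496, a documentation ASN) and the announced /48 are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route6:
    """Minimal model of an IRR route6 object: the route6: and origin: attributes."""
    prefix: str
    origin: str


@dataclass(frozen=True)
class Roa:
    """Minimal model of an RPKI ROA: prefix, maxLength and authorised origin ASN."""
    prefix: str
    max_length: int
    asn: str


def irr_filter_allows(routes, announced, origin_asn, allow_more_specifics, max_len=48):
    """Return True if an IRR-built prefix filter would accept `announced` from `origin_asn`.

    allow_more_specifics=False models policy (1): only the exact registered prefix passes.
    allow_more_specifics=True  models policy (2): any more specific of a registered prefix
    passes, down to `max_len` (/48 for IPv6, as in the thread).
    """
    ann = ipaddress.ip_network(announced)
    for r in routes:
        if r.origin != origin_asn:
            continue
        reg = ipaddress.ip_network(r.prefix)
        if allow_more_specifics:
            if ann.subnet_of(reg) and ann.prefixlen <= max_len:
                return True
        elif ann == reg:
            return True
    return False


def rpki_state(roas, announced, origin_asn):
    """RFC 6811 style origin validation: 'valid', 'invalid' or 'notfound'.

    A covering ROA with a different ASN, or a prefix longer than maxLength, yields 'invalid';
    this is the max-length Invalid that transit carriers drop regardless of IRR data.
    """
    ann = ipaddress.ip_network(announced)
    covering = [r for r in roas if ann.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return "notfound"
    for r in covering:
        if r.asn == origin_asn and ann.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


# Values from the thread: one /32 route6 and one ROA with maxLength 48 for AS1234.
OWN_AS = "AS1234"
MITIGATION_AS = "AS64496"          # constructed: the DDoS mitigation provider's ASN
MORE_SPECIFIC = "2001:1234:abcd::/48"  # constructed: a /48 the provider would announce

ROUTES_BEFORE = [Route6("2001:1234::/32", OWN_AS)]
ROAS_BEFORE = [Roa("2001:1234::/32", 48, OWN_AS)]

# After following the tl;dr: a matching route6 and ROA for the mitigation provider's ASN.
ROUTES_AFTER = ROUTES_BEFORE + [Route6("2001:1234::/32", MITIGATION_AS)]
ROAS_AFTER = ROAS_BEFORE + [Roa("2001:1234::/32", 48, MITIGATION_AS)]


def evaluate(routes, roas, announced, origin_asn):
    """Collect the three verdicts a network operator would compare for one announcement."""
    return {
        "irr_exact": irr_filter_allows(routes, announced, origin_asn, allow_more_specifics=False),
        "irr_more_specific": irr_filter_allows(routes, announced, origin_asn, allow_more_specifics=True),
        "rpki": rpki_state(roas, announced, origin_asn),
    }


if __name__ == "__main__":
    print("own AS, /48, before:", evaluate(ROUTES_BEFORE, ROAS_BEFORE, MORE_SPECIFIC, OWN_AS))
    print("mitigation AS, /48, before:", evaluate(ROUTES_BEFORE, ROAS_BEFORE, MORE_SPECIFIC, MITIGATION_AS))
    print("mitigation AS, /48, after:", evaluate(ROUTES_AFTER, ROAS_AFTER, MORE_SPECIFIC, MITIGATION_AS))
```

Running it shows the point of the reply: under policy (1) the /48 fails even for AS1234, under policy (2) it passes, and the mitigation provider's /48 is rejected by both the IRR filter and RPKI (Invalid, because the only covering ROA names AS1234) until a route6 and ROA for its own ASN exist.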