[db-wg] Route(6) objects

Hello

Here the problem is "for longer defensive prefixes"
For example in normal situation I advertise /32 to my ip transit providers.
When DDoS happens then one of my providers will start advertisin 1x/48 of my /32 prefix to hi-jack the route from us and filter it.

But in order for that provider to be able to do that I need ROA records and route6 objects pointing that all of the /48s that fit into my /32 would be originated from that provider.
There is no issue with ROA records, because I can say that maximum prefix that this provider can advertise is /48 of my /32.
But as far as I know I cannot do the same with route6 objects, I need to create all the /48 route6 objects pointing to that provider(65535 objects).
But in ripe as far as I know there is 1000 objects per day limitation that I can create.
With this rate I will create more than 2 months these objects only for 1x/32.
What If I need to protect 5x/32? :)
In my opinion managing these is a nightmare and it also creates unnecessary amount of objects to IRR db.

Lugupidamisega / Best regards, 

Kaupo Ehtnurm 


Network & System administrator 
WaveCom AS 
ISO 9001 & 27001 Certified DC and verified VMware Cloud 
kaupo at wavecom.ee | +372 5685 0002 
Endla 16, Tallinn 10142 Estonia | [ http://www.wavecom.ee/ | www.wavecom.ee ]

----- Original Message -----
From: "Randy Bush" <randy at psg.com>
To: "Kaupo Ehtnurm" <kaupo at wavecom.ee>
Cc: "Kaupo Ehtnurm via db-wg" <db-wg at ripe.net>
Sent: Friday, July 7, 2023 5:36:19 PM
Subject: Re: [db-wg] Route(6) objects

> By doing this the internet will always (also under normal
> circumstances) prefer that one provider.

0 - register irr and rpki objects for aggregates and for longer
    defensive prefixes

1 - announce only aggregates to both providers

2 - when ddosed,
    - do not change announcement of aggregate to non-mediating
    - deaggregate announcement to mediating provider

3 - when ddos ends, return to state 1

randy