<html theme="default-light" iconset="color"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head><body style="font-family: Calibri; font-size: 14px;"
text="#485663"><div style="font-size: 14px;font-family: Calibri;">Did
your ddos provider say that their upstreams required exact route6
matches for your announcements? The bgp session between you and your
DDOS provider definitely won't require this, and the likelihood is that a
covering /32 route6: object will be sufficient in many cases for your
provider's providers. I.e. you won't have serious connectivity problems
if there aren't exact matches for your /48s.<br><br>In any event, this
isn't really catered for in RPSL. Some organisations implement strict
filtering on route objects; others loose. RPKI might be a better
option, as it allows you to specify a prefix length range. See RFC 9319
for some suggestions.<br><br>Nick<br><br><span>Kaupo Ehtnurm via db-wg
wrote on 07/07/2023 16:11:</span><br><blockquote type="cite"
cite="mid:346569673.46088.1688742671021.JavaMail.zimbra@wavecom.ee"><pre wrap="">Hello
Sorry, you didn't say.
But starting to manually advertise /48 to my DDoS protection provider beats the purpose of automatic DDoS protection.
Lugupidamisega / Best regards,
Kaupo Ehtnurm
Network & System administrator
WaveCom AS
ISO 9001 & 27001 Certified DC and verified VMware Cloud
<a class="moz-txt-link-abbreviated" href="mailto:kaupo@wavecom.ee">kaupo@wavecom.ee</a> | +372 5685 0002
Endla 16, Tallinn 10142 Estonia | [ <a class="moz-txt-link-freetext" href="http://www.wavecom.ee/">http://www.wavecom.ee/</a> | <a class="moz-txt-link-abbreviated" href="http://www.wavecom.ee">www.wavecom.ee</a> ]
----- Original Message -----
From: "Randy Bush via db-wg" <a class="moz-txt-link-rfc2396E" href="mailto:db-wg@ripe.net"><db-wg@ripe.net></a>
To: "Kaupo Ehtnurm via db-wg" <a class="moz-txt-link-rfc2396E" href="mailto:db-wg@ripe.net"><db-wg@ripe.net></a>
Sent: Friday, July 7, 2023 6:05:53 PM
Subject: Re: [db-wg] Route(6) objects
</pre><blockquote type="cite"><pre wrap="">Here the problem is "for longer defensive prefixes"
For example in normal situation I advertise /32 to my ip transit providers.
When DDoS happens then one of my providers will start advertisin 1x/48
of my /32 prefix to hi-jack the route from us and filter it.
</pre></blockquote><pre wrap="">i did not say that your provider advertised, did i?
</pre><blockquote type="cite"><blockquote type="cite"><pre wrap="">By doing this the internet will always (also under normal
circumstances) prefer that one provider.
0 - register irr and rpki objects for aggregates and for longer
defensive prefixes
1 - announce only aggregates to both providers
2 - when ddosed,
- do not change announcement of aggregate to non-mediating
- deaggregate announcement to mediating provider
3 - when ddos ends, return to state 1
</pre></blockquote></blockquote><pre wrap="">randy
</pre></blockquote><br></div></body></html>