On 01.10.2016 17:35, Gert Doering wrote:
> I think this is an awesome idea.
>
> The situation is similar here in DE - nobody could stand a 1 Tbit
> DDoS attack, and a large number of content offerings are targeted
> only to German-speaking customers, so if DE/A/CH work, 99% of the
> customers are still able to reach the site.

Maybe we should widen the approach and define a collaborative BGP community "do announce only in country X", where X is some ISO-3166 country number? A prefix can then contain multiple communities, i.e. to cover the whole DACH region.

https://de.wikipedia.org/wiki/ISO-3166-1-Kodierliste

> I'm not really sure how this would work in your example - what if
> you have two customers in a given BGP announcement, one of them
> *does* want to be reached world-wide (like, corporate VPNs) and the
> other one is attacked? Split the aggregate, or bite the bullet and
> have all of them with limited reach, for the time being?

I suppose the e-commerce sites using such a mechanism would be able to afford their own /24 and a decent block of IPv6 space (in other words: buy legacy PI or become LIR).

Another option is new business for managed hosting, "DDOS bullet proof Switzerland Hosting", where the hoster dedicates a /24 or bigger for permanent limited propagation.

--
Fredy Kuenzler

Fiber7. No Limits.
https://www.fiber7.ch

Init7 (Switzerland) Ltd.
AS13030
St.-Georgen-Strasse 70
CH-8400 Winterthur
Skype: flyingpotato
Phone: +41 44 315 4400
Fax: +41 44 315 4401
Twitter: @init7 / @kuenzler
http://www.init7.net/
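A sketch of the export decision the proposal above implies, added here as an illustration and not part of the original message. It assumes the community is encoded as `ASN:<ISO 3166-1 numeric code>` with the documentation ASN 64500 as a placeholder; the function names and the sample route table are hypothetical.

```python
# ISO 3166-1 numeric codes; DE/AT/CH are the DACH region named in the thread.
ISO_NUMERIC = {"DE": 276, "AT": 40, "CH": 756, "US": 840}

# Assumption: "announce only in country X" is encoded as GEO_ASN:<ISO numeric>.
# 64500 is a documentation ASN (RFC 5398) used here as a placeholder.
GEO_ASN = 64500


def parse_community(text):
    """Parse a standard community 'high:low' into two 16-bit integers."""
    high, sep, low = text.partition(":")
    if not sep or not (high.isdigit() and low.isdigit()):
        raise ValueError(f"malformed community: {text!r}")
    pair = (int(high), int(low))
    if max(pair) > 0xFFFF:
        raise ValueError(f"community field out of range: {text!r}")
    return pair


def allowed_countries(communities):
    """ISO numeric codes a route is restricted to; empty set means unrestricted."""
    return {low for high, low in map(parse_community, communities) if high == GEO_ASN}


def should_export(communities, peer_country):
    """Decide whether to announce a route to a peer located in peer_country."""
    allowed = allowed_countries(communities)
    if not allowed:
        return True  # no geo community: normal world-wide propagation
    # A peer whose country is unknown maps to None, which is never in the set,
    # so a restricted route fails closed.
    return ISO_NUMERIC.get(peer_country) in allowed


def export_table(routes, peer_country):
    """Prefixes from a {prefix: [communities]} table announced to one peer."""
    return [p for p, comms in routes.items() if should_export(comms, peer_country)]


# Constructed sample table (documentation prefixes, not real announcements).
ROUTES = {
    "192.0.2.0/24": ["64500:276", "64500:40", "64500:756"],  # DACH only
    "198.51.100.0/24": ["64500:756"],                         # CH only
    "203.0.113.0/24": ["64496:100"],                          # unrestricted
}

if __name__ == "__main__":
    for country in ("CH", "DE", "US"):
        print(country, export_table(ROUTES, country))
```

The restriction applies per announced prefix, which is why the reply above expects a protected customer to sit in its own /24 and not inside a shared aggregate.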