Hello

"you should be fine for almost all cases" - the "should" part is my problem. I cannot be certain that all the ASes in the global internet will accept all the /48 routes of that /32 route6 object.
Lugupidamisega / Best regards,

Kaupo Ehtnurm
Network & System administrator
WaveCom AS
ISO 9001 & 27001 Certified DC and verified VMware Cloud
[email protected] | +372 5685 0002
Endla 16, Tallinn 10142 Estonia | www.wavecom.ee

----- Original Message -----
From: "Ben Cartwright-Cox" <[email protected]>
To: "Kaupo Ehtnurm" <[email protected]>
Cc: "db-wg" <[email protected]>
Sent: Friday, July 7, 2023 4:54:59 PM
Subject: Re: [db-wg] Route(6) objects

Hey Kaupo,

Typically there are two ways of handling route/route6 objects:

(1) A provider/peer will take them literally and won't allow smaller prefixes (for example, if I were to do a /22, then the provider who is building the filters may not allow a /24 from that /22). (However, this practice seems to be less common.)

(2) The provider/peer will implicitly allow from that /22 all the way to a /24 (or on IPv6 /32 to /48). In this case you just need to create a matching /32 route6 and almost all peers and providers will allow more specifics of that /32 to be originated from that ASN as well.

IRR does not really have a way to limit the "more specific" risk. However, with RPKI adoption increasingly being deployed, an RPKI Invalid (due to max-length) won't get that far anyway, at least in transit carriers.

tl;dr just make another route6 for your DDoS mitigation provider's ASN and you should be fine for almost all cases.

On Thu, Jul 6, 2023 at 8:14 AM Kaupo Ehtnurm via db-wg <[email protected]> wrote:
>
> Hello
>
> For example I have 2001:1234::/32 ipv6 network.
> And I want to start using DDoS protection service that one of my ip transit
> providers offers.
> But my edge routers are multihomed and enabling ddos protection on one
> transit provider lets half of the attack still come in from our other ip
> transit providers in case of DDoS attack.
> But if our ip transit provider that provides also a ddos protection would
> hijack the routes from us with more specific routes, then instead of traffic
> flowing from my other ip transit providers to my AS it flows to my DDoS
> protection provider's AS.
> Route hijacking solves the problem where half of the attack still comes in to
> my AS from other transit providers.
> In order for the DDoS protection service provider to be able to hijack
> the routes correctly from us we need to have more specific ROA and route(6)
> objects done.
> With ROA it is easy, I just create the following ROA: "2001:1234::/32 max
> length 48 ASN AS1234"
> But with route(6) objects this isn't so easy, because these objects don't
> have max length or any other operators that it accepts.
> And because of that I need to hope the entire internet will accept all the /48s
> that fit into the 2001:1234::/32 prefix if I have the following route6 object:
> "2001:1234::/32 AS1234".
> But to be correct with my db records I would need to make all the /48 route6
> objects that fit into that /32 and instead of 1 object I need to create 65536
> objects.
> First of all I would hit the object creation limit per day in the RIPE DB. With
> this limit enabled, I would create the records over 2 months.
> And the manageability of those records would be a nightmare.
>
> If ROAs and route(6) objects go hand-in-hand anyway for most of the time,
> then why can't route objects have "max length" or some kind of operator like
> ROAs have?
>
>
> Lugupidamisega / Best regards,
>
> Kaupo Ehtnurm
>
>
> Network & System administrator
> WaveCom AS
> ISO 9001 & 27001 Certified DC and verified VMware Cloud
> [email protected] | +372 5685 0002
> Endla 16, Tallinn 10142 Estonia | www.wavecom.ee
> --
>
> To unsubscribe from this mailing list, get a password reminder, or change
> your subscription options, please visit:
> https://lists.ripe.net/mailman/listinfo/db-wg
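The two ways of building filters from route6 objects that Ben describes, next to the RPKI origin-validation check with its max-length, as an added Python example that is not part of the thread. The route6 objects and ROAs below are constructed, using documentation prefixes and private ASNs (AS64496 as the customer, AS64497 as the DDoS mitigation provider), to show why a /48 more-specific passes a relaxed IRR filter yet is caught by max-length once it goes past /48.

```python
import ipaddress

# Constructed IRR route6 objects: (prefix, origin ASN). Mirrors the thread's advice
# of registering the same /32 for the mitigation provider's ASN as well.
ROUTE6_OBJECTS = [
    ("2001:db8::/32", 64496),
    ("2001:db8::/32", 64497),
]

# Constructed ROAs: (prefix, max_length, ASN), like "2001:db8::/32 max length 48".
ROAS = [
    ("2001:db8::/32", 48, 64496),
    ("2001:db8::/32", 48, 64497),
]


def irr_allows(prefix: str, origin_asn: int, strict: bool) -> bool:
    """Would a filter built from the route6 objects accept this announcement?

    strict=True  -> case (1) in the thread: the object is taken literally,
                    only the exact registered prefix is permitted.
    strict=False -> case (2): more specifics of a registered object are
                    permitted, up to /48 for IPv6 (/24 for IPv4).
    """
    net = ipaddress.ip_network(prefix)
    cap = 48 if net.version == 6 else 24
    for reg_prefix, reg_asn in ROUTE6_OBJECTS:
        reg = ipaddress.ip_network(reg_prefix)
        if reg_asn != origin_asn or reg.version != net.version:
            continue
        if net == reg:
            return True
        if not strict and net.subnet_of(reg) and net.prefixlen <= cap:
            return True
    return False


def rpki_state(prefix: str, origin_asn: int) -> str:
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'notfound'.

    A covering ROA with the right ASN but a prefix longer than max_length
    still yields 'invalid'; that is the max-length case Ben refers to.
    """
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in ROAS:
        roa = ipaddress.ip_network(roa_prefix)
        if roa.version != net.version or not net.subnet_of(roa):
            continue
        covered = True
        if roa_asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "notfound"
```

Running `irr_allows("2001:db8:1::/48", 64497, strict=False)` together with `rpki_state` on the same announcement shows the /48 from the mitigation ASN passing both checks, while a /49 is rejected by the IRR cap and marked RPKI invalid.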
