> Imagine I own /19 of IPv4 and I am allocating /24s in many of my
> global DMZs. If I do not sign my /19 aggregate I have no problem as it
> will be globally not found. But the moment I sign it I must also sign
> all /24s I advertise as otherwise they will become INVALID - right ?

we have been here.  the alternative is that an attacker can hole punch
you.

to steal an analogy from geoff (crappy ipv6 peering and transit due to
tunnels), as more money rides on correct roa registration, distribution,
and use in routers, this will get cleaned up, both at the protocol and
ops levels.  at the moment, we're on the ugly part of the curve, with
half-assed ops, half-assed vendor code, etc.

things will get better; but keep measuring.

randy

_______________________________________________
GROW mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/grow
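
The case discussed in this thread, as an added example that is not part of either message: RFC 6811 route origin validation run over a /19 aggregate and one of its /24s, before and after ROAs are registered. The prefixes (benchmarking range), AS numbers (documentation range) and the helper names `vrp`, `validate` and `scenarios` are constructed for illustration.

```python
import ipaddress
from typing import List, NamedTuple, Optional

class VRP(NamedTuple):
    """Validated ROA payload: covered prefix, maxLength, authorized origin AS."""
    prefix: ipaddress.IPv4Network
    max_length: int
    asn: int

def vrp(prefix: str, asn: int, max_length: Optional[int] = None) -> VRP:
    # A ROA without an explicit maxLength authorizes only the exact prefix length.
    net = ipaddress.ip_network(prefix)
    return VRP(net, net.prefixlen if max_length is None else max_length, asn)

def validate(route: str, origin_asn: int, vrps: List[VRP]) -> str:
    """Return the RFC 6811 validation state for one announcement."""
    net = ipaddress.ip_network(route)
    covering = [v for v in vrps
                if v.prefix.version == net.version and net.subnet_of(v.prefix)]
    if not covering:
        return "NotFound"          # no ROA covers the route
    for v in covering:
        if v.asn == origin_asn and net.prefixlen <= v.max_length:
            return "Valid"         # one matching VRP is enough
    return "Invalid"               # covered, but nothing matches

# Constructed sample values: benchmarking-range prefixes, documentation ASNs.
HOLDER, OTHER = 64500, 64501
AGG, DMZ = "198.18.0.0/19", "198.18.5.0/24"

def scenarios() -> dict:
    agg_only = [vrp(AGG, HOLDER)]
    agg_and_dmz = agg_only + [vrp(DMZ, HOLDER)]
    return {
        "unsigned: holder /24": validate(DMZ, HOLDER, []),
        "unsigned: other-AS /24": validate(DMZ, OTHER, []),
        "/19 ROA: holder /19": validate(AGG, HOLDER, agg_only),
        "/19 ROA: holder /24": validate(DMZ, HOLDER, agg_only),
        "/19 ROA: other-AS /24": validate(DMZ, OTHER, agg_only),
        "/19+/24 ROAs: holder /24": validate(DMZ, HOLDER, agg_and_dmz),
        "/19+/24 ROAs: other-AS /24": validate(DMZ, OTHER, agg_and_dmz),
    }

if __name__ == "__main__":
    for case, state in scenarios().items():
        print(f"{case:28} {state}")
```

With only the /19 ROA in place, the holder's own /24 and another AS's /24 both come out Invalid; the per-/24 ROA restores the holder's announcement while the other origin stays Invalid.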
