If networks are going to make unconventional announcements, I'm not concerned if they suffer because of it.
----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ----- Original Message ----- From: "Sabri Berisha" <sa...@cluecentral.net> To: "Ross Tajvar" <r...@tajvar.io> Cc: "nanog" <nanog@nanog.org> Sent: Friday, May 24, 2019 12:03:52 PM Subject: Re: BGP prefix filter list Hi, They can, but they don't necessarily have to. In the example I mentioned, there was a private peering between them. Well, until very recently. My point being that it's not always black and white, and sometimes deaggregation is necessary for operational purposes. That's not to excuse lazy operators of course. Thanks, Sabri ----- On May 22, 2019, at 11:23 AM, Ross Tajvar <r...@tajvar.io> wrote: In that case shouldn't each company advertise a /21? On Wed, May 22, 2019, 1:11 PM Sabri Berisha < sa...@cluecentral.net > wrote: <blockquote> Hi, One legitimate reason is the split of companies. In some cases, IP space needs to be divided up. For example, company A splits up in AA and AB, and has a /20. Company AA may advertise the /20, while the new AB may advertise the top or bottom /21. I know of at least one worldwide e-commerce company that is in that situation. Thanks, Sabri ----- On May 22, 2019, at 9:40 AM, Tom Beecher <beec...@beecher.cc> wrote: <blockquote> There are sometimes legitimate reasons to have a covering aggregate with some more specific announcements. Certainly there's a lot of cleanup that many should do in this area, but it might not be the best approach to this issue. On Tue, May 21, 2019 at 5:30 AM Alejandro Acosta < alejandroacostaal...@gmail.com > wrote: <blockquote> On 5/20/19 7:26 PM, John Kristoff wrote: > On Mon, 20 May 2019 23:09:02 +0000 > Seth Mattinen < se...@rollernet.us > wrote: > >> A good start would be killing any /24 announcement where a covering >> aggregate exists. > I wouldn't do this as a general rule. If an attacker knows networks are > 1) not pointing default, 2) dropping /24's, 3) not validating the > aggregates, and 4) no actual legitimate aggregate exists, (all > reasonable assumptions so far for many /24's), then they have a pretty > good opportunity to capture that traffic. +1 John Seth approach could be an option _only_ if prefix has an aggregate exists && as origin are the same > John </blockquote> </blockquote> </blockquote>
