Thus spake Niels Bakker ([email protected]) on Thu, Sep 26, 2024 at 07:09:06PM +0200: > * [email protected] (Steven Wallace) [Thu 26 Sep 2024, 18:36 CEST]: > > One of the DDoS mitigation providers we work with creates proxy route > > objects for its customers´ prefixes. These route objects specify a > > common origin ASN rather than the actual origin ASN that would be seen > > in routing tables. Their rationale is to bind the prefixes to a single > > ASN, allowing the entire set of customer routes to be announced via an > > as-set. > > > > Is this a common approach? > > I don't think there really are enough DDoS mitigation providers to speak of > anything being common in that industry. > > Any IRRdb worth their salt will have such prefixes removed automatically if > the protected entity is worth their salt and created RPKI ROAs for the > prefixes in question, of course.
True enough... > Wouldn't route-set be the better way to create a collection of routes..? > https://www.ripe.net/publications/docs/ripe-358/#1220 An issue I have seen here and there is that some folks have a sort of underlying expectation that their network should maintain one master IRR object representing their potential downstream cone. Given that one can't reference a route-set from an as-set, records like these potentially could have been created in that context. Dale
