On Wed, 2 May 2018, Job Snijders wrote:
> > How would you recommend handling the case
> >
> > "normally I only announce a /16, but in case one of our customers is
> > DDoSed, I want to announce the affected IP address as part of their
> > /24 out of upstream-that-does-regional-blackholing"?
> >
> > If I create the /24 ROAs up front, I'm back in square one ("while I
> > am not announcing the /24, someone else could hijack with a faked
> > origin AS").
> >
> > If I do not create the /24 ROAs up front, I have propagation delays
> > (and might not be able to reach the RIPE RPKI tool at all while the
> > DDoS goes on).
> >
> > *scratch head*
>
> If your DDoS mitigator depends on BGP hijacking to deliver their
> scrubbing services to you ... indeed you'll have challenges. I have no
> good answer, this is an architectural flaw where one has to make a
> trade-off between wanting to protect against hijacks and having the
> ability to insert more-specifics for legitimate purposes.
>
RPKI origin validation does not protect against path manipulation.
Even if you are announcing the /24, someone else could hijack with a faked
origin AS. It just gets more difficult because there are competing
announcements.
Cheers
matthias
--
Matthias Waehlisch
. Freie Universitaet Berlin, Computer Science
.. http://www.cs.fu-berlin.de/~waehl
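The thread turns on how RPKI origin validation (RFC 6811) classifies a route given the ROAs on file: whether a /24 blackhole announcement is "Invalid" when only a /16 ROA exists, and why a ROA covering the /24 does not stop an announcement that forges the legitimate origin AS. The following is an added example, not code from the thread or from any RPKI validator; it implements the RFC 6811 decision procedure over constructed ROAs and uses a constructed prefix (10.10.0.0/16) and documentation ASNs (AS64496 as the customer, AS64511 as a rogue origin).

```python
"""
RFC 6811 route origin validation, written as an added illustration for the
discussion above. Prefixes and ASNs below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: prefix, maxLength, authorized origin AS."""
    prefix: str
    max_length: int
    origin_asn: int


def validate(announced_prefix: str, origin_asn: int, roas) -> str:
    """
    Return the RFC 6811 validation state of an announcement.

    NotFound: no ROA covers the announced prefix.
    Valid:    some covering ROA matches the origin AS and the announced
              prefix length does not exceed that ROA's maxLength.
    Invalid:  covered, but no ROA satisfies both conditions.
    """
    net = ipaddress.ip_network(announced_prefix, strict=True)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=True)
        # subnet_of() only compares networks of the same address family.
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "NotFound"
    for roa in covering:
        if roa.origin_asn == origin_asn and net.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


# Constructed scenario: the customer (AS64496) normally announces only
# 10.10.0.0/16. AS64511 plays the party forging announcements.
CUSTOMER_AS = 64496
ROGUE_AS = 64511

# Case 1: only the /16 ROA exists, maxLength 16 (no more-specifics authorized).
ROAS_SLASH16_ONLY = [ROA("10.10.0.0/16", 16, CUSTOMER_AS)]

# Case 2: the /24 ROA is registered up front for the DDoS blackhole prefix.
ROAS_WITH_SLASH24 = ROAS_SLASH16_ONLY + [ROA("10.10.5.0/24", 24, CUSTOMER_AS)]


def blackhole_scenarios() -> dict:
    """
    Evaluate the announcements the thread discusses under both ROA sets.
    Keys are (description, announced prefix, origin AS, roa set name).
    """
    return {
        # With only the /16 ROA, the customer's own /24 blackhole route is
        # Invalid (longer than maxLength), which is the propagation problem
        # raised in the question.
        "own /24, /16 ROA only": validate("10.10.5.0/24", CUSTOMER_AS, ROAS_SLASH16_ONLY),
        # A rogue /24 with a wrong origin is also Invalid under either ROA set.
        "rogue /24 wrong origin, /16 ROA only": validate("10.10.5.0/24", ROGUE_AS, ROAS_SLASH16_ONLY),
        # Registering the /24 ROA up front makes the customer's own /24 Valid ...
        "own /24, /24 ROA present": validate("10.10.5.0/24", CUSTOMER_AS, ROAS_WITH_SLASH24),
        "rogue /24 wrong origin, /24 ROA present": validate("10.10.5.0/24", ROGUE_AS, ROAS_WITH_SLASH24),
        # ... but a /24 carrying a forged origin AS of 64496 is indistinguishable
        # from the legitimate one: origin validation checks the origin AS in the
        # AS_PATH, not who actually injected the route (Matthias's point).
        "forged-origin /24, /24 ROA present": validate("10.10.5.0/24", CUSTOMER_AS, ROAS_WITH_SLASH24),
        # A prefix nobody has a ROA for is simply NotFound.
        "uncovered prefix": validate("203.0.113.0/24", CUSTOMER_AS, ROAS_WITH_SLASH24),
    }


if __name__ == "__main__":
    for label, state in blackhole_scenarios().items():
        print(f"{label:45s} -> {state}")
```

The forged-origin case and the legitimate case call `validate()` with identical arguments, which is exactly the limitation described in the reply: a ROA for the /24 lets the blackhole route through an upstream that drops Invalids, but an announcement that forges the authorized origin AS is still Valid, so the protection gained is against mis-originations and careless hijacks, not against an attacker who sets the origin AS deliberately.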