
netsec-sig - [Security-WG] Seeking advice on BCP for ROAs....

Subject: Internet2 Network Security SIG

  • From:
  • To:
  • Cc: Jon Worley <>
  • Subject: [Security-WG] Seeking advice on BCP for ROAs....
  • Date: Wed, 15 May 2019 09:58:26 -0400

Greetings hive mind:

I'm seeking input to develop a best practice for creating ROAs for IP
networks that are protected by a cloud-based scrubbing provider that
announces a scrubbed prefix as originating from their AS.

Here's an example of the dilemma:

129.79.0.0/16 has a normal origin AS of 87. Assume IU normally announces the
entire /16. During a DDoS attack, however, Zenedge might announce a more
specific, say 129.79.5.0/24, with an origin of AS393676.

Should IU's ROAs include one that associates 129.79.0.0/16 with AS87 and a
second ROA that includes 129.79.0.0/16 - 24 associated with AS393676?

Should IU consider putting in place a monitoring system that alerts if
there's a discrepancy between what Zenedge is scrubbing and what's being seen
in the global table?

And given that IU's RON may be prepending AS towards its transit providers,
is there something else that we should watch to detect a possible hijack
attempt where the hijacker is using IU's AS as the origin, but relying on a
shorter path?

Thanks,

Steve (member of the hive)

Attachment: smime.p7s
Description: S/MIME cryptographic signature
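
Added example, not part of the original message: a minimal RFC 6811 route origin validation check showing how the two ROAs proposed above classify announcements, together with the scrubbing-discrepancy check the message asks about. The observed routes, the `scrubbing_now` set and the function names are constructed for illustration.

```python
import ipaddress

SCRUB_AS = 393676  # scrubbing provider's origin AS, from the message

# The two ROAs proposed in the message: (prefix, maxLength, origin AS).
ROAS = [
    ("129.79.0.0/16", 16, 87),        # IU's normal origin, exact /16 only
    ("129.79.0.0/16", 24, SCRUB_AS),  # scrubbing provider, /16 through /24
]

def rov_state(prefix, origin_as, roas=ROAS):
    """Classify one announcement per RFC 6811: valid, invalid or not-found.

    Only the prefix and the origin AS are inputs. The rest of the AS path is
    not examined, so a route with origin AS87 is judged the same whatever
    path it arrived over.
    """
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A ROA covers a route that is equal to or more specific than it.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        if roa_as == origin_as and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"

def scrub_discrepancies(observed, scrubbing_now):
    """Routes from the scrubbing AS that pass ROV but are not in the set of
    prefixes the provider is currently scrubbing (worth an alert)."""
    return [(p, a) for p, a in observed
            if a == SCRUB_AS and rov_state(p, a) == "valid"
            and p not in scrubbing_now]

if __name__ == "__main__":
    # Constructed view of the global table during an attack on 129.79.5.0/24.
    observed = [("129.79.0.0/16", 87),
                ("129.79.5.0/24", SCRUB_AS),
                ("129.79.9.0/24", SCRUB_AS)]
    for p, a in observed:
        print(p, a, rov_state(p, a))
    print("alert:", scrub_discrepancies(observed, {"129.79.5.0/24"}))
```
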



