
netsec-sig - Re: [Security-WG] [External] Re: Seeking advice on BCP for ROAs....

Subject: Internet2 Network Security SIG

List archive

Re: [Security-WG] [External] Re: Seeking advice on BCP for ROAs....


  • From: Andrew Gallo <>
  • To: Steven Wallace <>
  • Cc:
  • Subject: Re: [Security-WG] [External] Re: Seeking advice on BCP for ROAs....
  • Date: Wed, 15 May 2019 11:42:12 -0400

Very true.  I knew I was missing something.

I think it was Brad from Kansas that had the suggestion of having a ROA allow prefixes of multiple specific masks, such as /16 OR all /24s, but not in between.  There isn't a standard to allow that, and it's only slightly better than the current mask length option, but it does prevent an attacker (or mistaker? if I can make up a word) from spoofing prefixes of intermediate length.



On Wed, May 15, 2019 at 11:24 AM <> wrote:
>
> What's the opinion of having the DDoS vendor advertise the prefix using the original networks ASN, in which case, the original ROA would cover?  Is that bad form in terms of routing?
>

I’m not sure that fixes anything. The DDoS vendor will need to advertise a more specific, so you’re now stuck with creating many ROAs, or selecting an optional prefix length to cover the more specifics. Either will allow a hijacker to spoof your origin and advertise a more specific to effectively divert traffic, all the while passing a validator test.
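The validation outcomes the two messages above argue about, worked through as an added example that is not part of this thread. The script implements the RFC 6811 route origin validation states (valid, invalid, not-found) over a small ROA set with constructed values (10.0.0.0/16 and the private-use AS64500) and runs three scenarios: a single /16 ROA with maxLength 24, one ROA per /24, and a hypothetical "only /16 or /24" ROA that models the non-standard idea Andrew attributes to Brad; `LengthSetRoa` and `validate_length_set` are assumptions for that idea, not any deployed RPKI object or validator behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Iterable


@dataclass(frozen=True)
class Roa:
    """A standard ROA: covering prefix, maxLength, authorised origin AS."""
    prefix: str
    max_length: int
    origin_as: int


@dataclass(frozen=True)
class LengthSetRoa:
    """Hypothetical ROA variant (the non-standard idea from the thread):
    only the listed prefix lengths are authorised, nothing in between."""
    prefix: str
    allowed_lengths: FrozenSet[int]
    origin_as: int


@dataclass(frozen=True)
class Route:
    prefix: str
    origin_as: int


def _covering(route_prefix: str, roa_prefix: str):
    """Return (route_net, True) when the ROA prefix covers the route, else (route_net, False)."""
    net = ipaddress.ip_network(route_prefix, strict=False)
    roa_net = ipaddress.ip_network(roa_prefix, strict=False)
    if net.version != roa_net.version:
        return net, False
    return net, net.subnet_of(roa_net)


def validate(route: Route, roas: Iterable[Roa]) -> str:
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'."""
    covered = False
    for roa in roas:
        net, covers = _covering(route.prefix, roa.prefix)
        if not covers:
            continue
        covered = True  # at least one ROA covers the prefix; now check length and origin
        if net.prefixlen <= roa.max_length and route.origin_as == roa.origin_as:
            return "valid"
    return "invalid" if covered else "not-found"


def validate_length_set(route: Route, roas: Iterable[LengthSetRoa]) -> str:
    """Same state machine, but the length must be one of the ROA's allowed lengths (assumed variant)."""
    covered = False
    for roa in roas:
        net, covers = _covering(route.prefix, roa.prefix)
        if not covers:
            continue
        covered = True
        if net.prefixlen in roa.allowed_lengths and route.origin_as == roa.origin_as:
            return "valid"
    return "invalid" if covered else "not-found"


def maxlength_scenario() -> dict:
    """One /16 ROA with maxLength 24, the shortcut for covering a scrubbing vendor's /24s."""
    customer_as = 64500  # constructed: private-use ASN
    roas = [Roa("10.0.0.0/16", 24, customer_as)]
    return {
        "aggregate": validate(Route("10.0.0.0/16", customer_as), roas),
        "vendor /24": validate(Route("10.0.1.0/24", customer_as), roas),
        # Same origin AS as the customer but announced by a third party: the validator cannot tell.
        "forged-origin /24": validate(Route("10.0.2.0/24", customer_as), roas),
        "wrong-origin /24": validate(Route("10.0.3.0/24", 64501), roas),
        "too-long /25": validate(Route("10.0.4.0/25", customer_as), roas),
    }


def many_roas_scenario() -> dict:
    """The other option from the thread: one ROA per /24 instead of maxLength."""
    customer_as = 64500
    roas = [Roa("10.0.0.0/16", 16, customer_as)] + [
        Roa(f"10.0.{i}.0/24", 24, customer_as) for i in range(256)
    ]
    return {
        "vendor /24": validate(Route("10.0.1.0/24", customer_as), roas),
        "forged-origin /24": validate(Route("10.0.2.0/24", customer_as), roas),
    }


def length_set_scenario() -> dict:
    """Hypothetical 'only /16 or /24' ROA: intermediate lengths become invalid, /24s do not."""
    customer_as = 64500
    roas = [LengthSetRoa("10.0.0.0/16", frozenset({16, 24}), customer_as)]
    return {
        "aggregate": validate_length_set(Route("10.0.0.0/16", customer_as), roas),
        "vendor /24": validate_length_set(Route("10.0.1.0/24", customer_as), roas),
        "intermediate /20": validate_length_set(Route("10.0.16.0/20", customer_as), roas),
        "forged-origin /24": validate_length_set(Route("10.0.2.0/24", customer_as), roas),
    }


if __name__ == "__main__":
    for name, fn in [("maxLength", maxlength_scenario),
                     ("one ROA per /24", many_roas_scenario),
                     ("length set", length_set_scenario)]:
        print(name, fn())
```

Both standard options leave the forged-origin /24 in the valid state, which is the point Steven makes: origin validation checks the origin AS in the announcement, not who actually announced it, so the only lever a ROA gives you is which lengths are authorised at all. The length-set variant rejects the intermediate /20 but still cannot distinguish a vendor /24 from a forged-origin /24, matching Andrew's "only slightly better" assessment.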
