nanog mailing list archives

Re: AT&T/as7018 now drops invalid prefixes from peers


From: Matthew Walster <matthew () walster org>
Date: Tue, 12 Feb 2019 15:50:53 +0100

On Tue, 12 Feb 2019, 01:52 Jay Borkenhagen <jayb () braeburn org> wrote:

> ... but there is one place where I disagree with Niels.  He advised
> against lowering the local-pref of invalid routes.  I agree that this
> should not be anyone's target policy, but it is a useful step along
> the way.


For initial deployment, this can seem attractive, but remember that one of
the benefits an ROA gives is specifying the maximum prefix length. This
means that someone can't hijack a /23 with a /24.

Lowering local pref on invalid means you're no longer protected (just
generating alerts) because longer prefix length always beats local
preference.

Once you are confident that you're not dropping anything valuable, the
local preference rule should move to dropping the route (not the traffic!)
from being installed.

M
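
The point above about maxLength and longest-prefix match, worked through as an added example that is not part of the original message. The ROA, prefixes, AS numbers and local-pref values are constructed sample data, and the two policy names are hypothetical labels for "lower local-pref on invalid" and "drop invalid".

```python
import ipaddress

# Constructed sample data, not real routing data.
ROAS = [("198.51.100.0/23", 23, 64500)]          # (prefix, maxLength, origin AS)
ANNOUNCEMENTS = [
    ("198.51.100.0/23", 64500),                  # origin authorised by the ROA
    ("198.51.100.0/24", 64666),                  # more-specific from another AS
]

def validate(prefix, origin, roas=ROAS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covered = True
            if net.prefixlen <= max_len and origin == roa_as:
                return "valid"
    return "invalid" if covered else "not-found"

def build_fib(policy, announcements=ANNOUNCEMENTS):
    """Apply an import policy ('lower-pref' or 'drop'); return installed routes."""
    fib = {}
    for prefix, origin in announcements:
        state = validate(prefix, origin)
        if state == "invalid" and policy == "drop":
            continue                              # route is never installed
        local_pref = 50 if state == "invalid" else 100
        net = ipaddress.ip_network(prefix)
        # Local preference only chooses between paths for the SAME prefix.
        if net not in fib or local_pref > fib[net][1]:
            fib[net] = (origin, local_pref)
    return fib

def next_hop_as(fib, address):
    """Forwarding lookup: longest matching prefix wins, whatever its local-pref."""
    addr = ipaddress.ip_address(address)
    matches = [n for n in fib if addr in n]
    return fib[max(matches, key=lambda n: n.prefixlen)][0] if matches else None

if __name__ == "__main__":
    for policy in ("lower-pref", "drop"):
        print(policy, "->", next_hop_as(build_fib(policy), "198.51.100.10"))
```

With the lower-pref policy the invalid /24 is still installed and attracts the traffic; with the drop policy only the valid /23 remains and forwarding follows the authorised origin.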


