Re: BGP prefix filter list

[Alejandro Acosta <alejandroacostaalamo () gmail com>]

Hello.., you are totally right, the first reason that came to my mind is 
traffic engineering but there are other reasons too.

On 5/22/19 12:40 PM, Tom Beecher wrote:
> There are sometimes legitimate reasons to have a covering aggregate 
> with some more specific announcements. Certainly there's a lot of 
> cleanup that many should do in this area, but it might not be the best 
> approach to this issue.
>
> On Tue, May 21, 2019 at 5:30 AM Alejandro Acosta 
> <alejandroacostaalamo () gmail com 
> <mailto:alejandroacostaalamo () gmail com>> wrote:
>
>
>     On 5/20/19 7:26 PM, John Kristoff wrote:
>     > On Mon, 20 May 2019 23:09:02 +0000
>     > Seth Mattinen <sethm () rollernet us <mailto:sethm () rollernet us>>
>     wrote:
>     >
>     >> A good start would be killing any /24 announcement where a covering
>     >> aggregate exists.
>     > I wouldn't do this as a general rule.  If an attacker knows
>     networks are
>     > 1) not pointing default, 2) dropping /24's, 3) not validating the
>     > aggregates, and 4) no actual legitimate aggregate exists, (all
>     > reasonable assumptions so far for many /24's), then they have a
>     pretty
>     > good opportunity to capture that traffic.
>
>
>     +1 John
>
>     Seth approach could be an option _only_ if prefix has an aggregate
>     exists && as origin are the same
>
>
>     > John