nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: AT&T/as7018 now drops invalid prefixes from peers

From: Denis Fondras <xxnog () ledeuns net>
Date: Tue, 12 Feb 2019 16:09:36 +0100
On Tue, Feb 12, 2019 at 03:05:28PM +0000, Nick Hilliard wrote:

Matthew Walster wrote on 12/02/2019 14:50:

For initial deployment, this can seem attractive, but remember that one
of the benefits an ROA gives is specifying the maximum prefix length.
This means that someone can't hijack a /23 with a /24.


they can if they forge the source ASN.  RPKI helps against misconfigs rather
than intentional hijackings.



Only if you specify a a minlen of /23 and a maxlen of /24 and you only
announce a /23. Which you should not.
Previous By Date Next
Previous By Thread Next

Current thread: