nanog mailing list archives

Re: "Tactical" /24 announcements


From: Rabbi Rob Thomas <robt () cymru com>
Date: Mon, 9 Aug 2021 13:45:56 -0400

Dear team,

I have resorted to more specific announcements during hijacks, though
with only one purpose in mind:  To buy us a bit of time while the
upstreams and peers put blocks in place to thwart the hijack as close to
the source as possible.  The more specifics are an imperfect solution,
since they don't always propagate as widely or as quickly as the
hijacks, but it buys us a bit of time.

The more important part of that solution is to network with fellow
network operators.  This is my go-to solution for everything from
hijacking to DDoS to "what the heck is that?!"  :)

Be well,
Rabbi Rob.


On 8/9/21 1:38 PM, Tom Beecher wrote:
Folks can announce longer than 24 masks all day. They're unlikely to
propagate very far though, since most won't accept longer than 24 from
the world at large.

To the OP, there are some valid reasons to strategically deaggregate
here and there, but a blanket "yolo my entire allocation into /24s"
seems to be a pretty ill considered request.

On Mon, Aug 9, 2021 at 1:34 PM Hank Nussbacher <hank () interall co il> wrote:

    On 09/08/2021 18:47, Billy Croan wrote:
    > How does the community feel about using /24 originations in BGP as a
    > tactical advantage against potential bgp hijackers?
    >
    > All of our allocations are larger and those prefixes we announce for
    > clients as well usually are.  But we had a request recently to
    > originate everything as distinct /24 prefixes, to reduce the effect of
    > a potential bgp hijack.  It seemed a little bit like a tragedy of the
    > commons situation.
    >
    > Is this seen as route table pollution, or a necessary evil in
    > today's world?
    > How many routers out there today would be affected if everyone did
    > this?
    > Are there any big networks that drop or penalize announcements
    > like this?
    >

    In addition to what everyone else said, announcing /24s will not help
    you one bit since ASNs announce /25s, /26s, /27s, etc. Attached is a
    7800+ line text file sorted by ASN with prefixes being announced that
    are more specific than /24 (only /25+/26+/27 listed).

    This is based on http://www.ris.ripe.net/dumps/riswhoisdump.IPv4.gz from
    about a month ago.

    That dump lists all the IPv4 prefixes seen in the collective of latest
    RIS table dumps, together with origin AS and number of peers that passed
    the routes to RIS.

    So good luck with announcing /24s.

    Regards,
    Hank


-- 
Rabbi Rob Thomas                                           Team Cymru
   "It is easy to believe in freedom of speech for those with whom we
    agree." - Leo McKern

Attachment: OpenPGP_signature
Description: OpenPGP digital signature
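The list Hank describes (every route in the RIS whois dump that is more specific than a /24, grouped by origin ASN) is easy to reproduce from the dump itself, and the same parse also answers the original poster's underlying question from the defender's side: which more-specifics of your own space are being originated by an ASN that is not yours, and how many RIS peers see them. The script below is an added example written for this thread; it is not code from Hank, Rob or RIPE. It assumes the dump layout is "% comment lines, then one route per line as origin ASN, prefix and RIS peer count separated by whitespace" (the constructed excerpt inline uses documentation prefixes and private ASNs); if the real file differs, only `parse_dump` needs adjusting.

```python
import ipaddress
from collections import defaultdict

# Constructed excerpt in the layout this example assumes for riswhoisdump.IPv4:
# '%' comment lines, then "<origin ASN>\t<prefix>\t<RIS peers that saw it>".
SAMPLE_DUMP = """\
% constructed excerpt, not real RIS data
% origin\tprefix\tseen_by
64496\t192.0.2.0/24\t120
64496\t192.0.2.0/25\t3
64497\t192.0.2.128/25\t2
64498\t198.51.100.0/22\t140
64498\t198.51.100.0/27\t1
64499\t203.0.113.0/24\t118
64500\t203.0.113.64/26\t5
64500\t203.0.113.0/26\t4
"""


def parse_dump(text):
    """Turn dump text into (origin_asn, network, seen_by) tuples.

    '%' lines are comments. Lines that do not parse (e.g. an origin written
    as an AS set like {64496,64497}, or a bad prefix) are skipped rather than
    aborting the whole run, since one odd line should not hide the rest.
    """
    routes = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("%"):
            continue
        fields = line.split()
        if len(fields) != 3:
            continue
        asn, prefix, seen_by = fields
        try:
            net = ipaddress.ip_network(prefix, strict=False)
            routes.append((int(asn), net, int(seen_by)))
        except ValueError:
            continue
    return routes


def more_specifics_by_asn(routes, longer_than=24):
    """Hank's list: IPv4 routes longer than /24, grouped and sorted by origin ASN."""
    by_asn = defaultdict(list)
    for asn, net, _seen_by in routes:
        if net.version == 4 and net.prefixlen > longer_than:
            by_asn[asn].append(net)
    return {asn: [str(n) for n in sorted(nets)]
            for asn, nets in sorted(by_asn.items())}


def unexpected_more_specifics(routes, my_prefixes, my_asns):
    """More-specifics of my_prefixes whose origin ASN is not one of my_asns.

    Returns (asn, prefix, seen_by) tuples; seen_by tells you how widely the
    route has propagated, which is the number to watch while upstreams and
    peers put filters in place.
    """
    mine = [ipaddress.ip_network(p) for p in my_prefixes]
    hits = []
    for asn, net, seen_by in routes:
        if asn in my_asns:
            continue
        for parent in mine:
            if (net.version == parent.version
                    and net.prefixlen > parent.prefixlen
                    and net.subnet_of(parent)):
                hits.append((asn, str(net), seen_by))
                break
    hits.sort(key=lambda h: (ipaddress.ip_network(h[1]), h[0]))
    return hits


if __name__ == "__main__":
    routes = parse_dump(SAMPLE_DUMP)
    for asn, prefixes in more_specifics_by_asn(routes).items():
        print(f"AS{asn}: {', '.join(prefixes)}")
    # Hypothetical operator holding 192.0.2.0/24 and 203.0.113.0/24 from
    # AS64496 and AS64499; anything else originating inside them is flagged.
    for asn, prefix, seen_by in unexpected_more_specifics(
            routes, ["192.0.2.0/24", "203.0.113.0/24"], {64496, 64499}):
        print(f"more-specific {prefix} from AS{asn}, seen by {seen_by} RIS peers")
```

Run against the real gzipped dump with `parse_dump(gzip.open(path, "rt").read())`. Note what the second function does not tell you: a more-specific from a foreign ASN may be a legitimate customer announcement, so the expected-ASN set should include every AS allowed to originate inside your space before treating a hit as a hijack.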
