Re: Regarding smaller prefix for hijack protection
From: George Herbert <george.herbert () gmail com>
Date: Thu, 30 Aug 2012 15:48:41 -0700
On Thu, Aug 30, 2012 at 8:41 AM, William Herrin <bill () herrin us> wrote:
> On Thu, Aug 30, 2012 at 7:54 AM, Anurag Bhatia <me () anuragbhatia com> wrote:
>> Is using /24 a must to protect (a bit) against route hijacking?
>
> Not only is it _not_ a must, it doesn't work and it impairs your
> ability to detect the fault.
>
> In a route hijacking scenario, traffic for a particular prefix will
> flow to the site with the shortest AS path from the origin. Your /24
> competes with their /24. Half the Internet, maybe more maybe less
> depending on how well connected each of you are, will be inaccessible

Preventively there seems to be no utility to this.
Reactively, after a hijacking starts, has anyone tried announcing both
(say) /24s for the block and (say) 2x /25s for it as well, to get
more-specific under the hijacker? Yes, a lot of places will filter
and ignore, but those that don't ...
(Yes, sign your prefixes now, on general principles)
-george william herbert
george.herbert () gmail com
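
The route selection discussed in this message, as an added example that is not part of the original post: a router picks the longest matching prefix first and only compares AS path length between routes of equal prefix length, and may filter anything longer than /24. The prefix (203.0.113.0/24), the AS numbers (documentation ranges) and the path lengths are constructed, and real BGP best-path selection has more steps than the two modelled here.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    origin_as: int
    as_path_len: int

def route(prefix, origin_as, as_path_len):
    return Route(ipaddress.ip_network(prefix), origin_as, as_path_len)

def best_route(announcements, dest, max_prefix_len=32):
    """Route one router would use for dest, or None if nothing matches.

    max_prefix_len models an inbound filter: 24 drops /25 and longer.
    """
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in announcements
                  if r.prefix.prefixlen <= max_prefix_len and addr in r.prefix]
    if not candidates:
        return None
    # Longest prefix wins; AS path length only breaks ties between equal lengths.
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.as_path_len))

def origin_seen(announcements, dest, max_prefix_len=32):
    chosen = best_route(announcements, dest, max_prefix_len)
    return chosen.origin_as if chosen else None

# Constructed sample: what one router hears. The hijacker is closer to it.
OWNER, HIJACKER = 64496, 64511
HIJACKED = [route("203.0.113.0/24", OWNER, 4),
            route("203.0.113.0/24", HIJACKER, 2)]
# The owner additionally announces both /25 halves of the block.
REACTIVE = HIJACKED + [route("203.0.113.0/25", OWNER, 4),
                       route("203.0.113.128/25", OWNER, 4)]

if __name__ == "__main__":
    for label, table in (("/24 vs /24", HIJACKED), ("plus 2x /25", REACTIVE)):
        for max_len in (24, 32):
            origin = origin_seen(table, "203.0.113.10", max_len)
            who = "owner" if origin == OWNER else "hijacker"
            print(f"{label:12} filter<=/{max_len}: AS{origin} ({who})")
```

Comparing `origin_seen()` against the expected origin AS per vantage point is also a simple way to check which networks still follow the hijacked route.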