nanog mailing list archives

RE: It can be challenging to advise DDoS mitigation subscribers on their RPKI-ROA needs

From: "Howard, Lee via NANOG" <nanog () nanog org>
Date: Fri, 18 Oct 2024 16:09:43 +0000

I'm very interested in this! 

I'd suggest talking with the smart folks at globalcyberalliance.org, who now operate MANRS. I'm sure Brad Gorman, the 
ARIN product owner for routing security, is also close by.

I was going to suggest an informal BoF at NANOG next week, but I see you aren't registered. 

One thought I haven't examined closely is creating a ROA during a DDoS attack, specific to the affected resources. But 
I suppose that's dependent on Validators downloading updated ROAs, which may be longer than the DDoS lasts.

Lee


-----Original Message-----
From: NANOG <nanog-bounces+leehoward=hilcostreambank.com () nanog org> On Behalf Of Steven Wallace
Sent: Friday, October 18, 2024 9:50 AM
To: nanog () nanog org
Subject: It can be challenging to advise DDoS mitigation subscribers on their RPKI-ROA needs

This message is from an EXTERNAL SENDER - be CAUTIOUS, particularly with links and attachments.



DDoS mitigation services, particularly those that dynamically announce more specific routes during an attack, add 
complexity when advising customers on creating their RPKI-ROAs. Smaller organizations, often served by networks that 
provide DDoS mitigation on their behalf, might be unaware of these services or lack an understanding of how traffic is 
rerouted.

In some cases, you can identify customers of DDoS mitigation services by looking at as-sets published by these 
providers or by investigating related IRR objects for the IP addresses. However, this approach isn’t reliable.

Currently, there’s no established best practice for helping organizations determine the correct ROAs to create. This 
can lead to confusion, especially when DDoS mitigation is involved.

ARIN plans to implement a check in their hosted RPKI interface that will help validate proposed ROAs against the 
current global routing table. While this feature will be useful, there is a risk that it could give DDoS mitigation 
customers a false sense of security. They might create ROAs that inadvertently block their DDoS scrubbing service from 
functioning properly.

I’d like to engage with stakeholders in this space to explore opportunities for improvement. Any suggestions or input 
on this topic would be greatly appreciated.

thanks,


steven


Steven Wallace
Director - Routing Integrity
Internet2
ssw () internet2 edu

Current thread:

It can be challenging to advise DDoS mitigation subscribers on their RPKI-ROA needs Steven Wallace (Oct 18)
- RE: It can be challenging to advise DDoS mitigation subscribers on their RPKI-ROA needs Howard, Lee via NANOG (Oct 18)
  - Re: It can be challenging to advise DDoS mitigation subscribers on their RPKI-ROA needs Steven Wallace (Oct 18)
- Re: It can be challenging to advise DDoS mitigation subscribers on their RPKI-ROA needs Compton, Rich via NANOG (Oct 18)
  - Re: It can be challenging to advise DDoS mitigation subscribers on their RPKI-ROA needs Steven Wallace (Oct 18)
  - Re: It can be challenging to advise DDoS mitigation subscribers on their RPKI-ROA needs Li, Weitong (Oct 18)
- Re: It can be challenging to advise DDoS mitigation subscribers on their RPKI-ROA needs Randy Bush (Oct 18)
  - Re: It can be challenging to advise DDoS mitigation subscribers on their RPKI-ROA needs Steven Wallace (Oct 18)
    - Re: It can be challenging to advise DDoS mitigation subscribers on their RPKI-ROA needs Randy Bush (Oct 18)