Re: It can be challenging to advise DDoS mitigation subscribers on their RPKI-ROA needs

[Steven Wallace <ssw () internet2 edu>]

Lee,

I’m attending an Internet Integrity meeting hosted by globalcyberalliance.org in a couple of weeks. I intend to discuss 
the topic there. I’ll also explore with MANRS if it makes sense to have recommended actions for DDoS scrubbing services.

It would be great to have the DDoS providers in the conversation.

steve


On 18 Oct 2024, at 12:09, Howard, Lee wrote:

> I'm very interested in this!
>
> I'd suggest talking with the smart folks at globalcyberalliance.org, who now operate MANRS. I'm sure Brad Gorman, the 
> ARIN product owner for routing security, is also close by.
>
> I was going to suggest an informal BoF at NANOG next week, but I see you aren't registered.
>
> One thought I haven't examined closely is creating a ROA during a DDoS attack, specific to the affected resources. 
> But I suppose that's dependent on Validators downloading updated ROAs, which may be longer than the DDoS lasts.
>
> Lee
>
>
> -----Original Message-----
> From: NANOG <nanog-bounces+leehoward=hilcostreambank.com () nanog org> On Behalf Of Steven Wallace
> Sent: Friday, October 18, 2024 9:50 AM
> To: nanog () nanog org
> Subject: It can be challenging to advise DDoS mitigation subscribers on their RPKI-ROA needs
>
> This message is from an EXTERNAL SENDER - be CAUTIOUS, particularly with links and attachments.
>
>
>
> DDoS mitigation services, particularly those that dynamically announce more specific routes during an attack, add 
> complexity when advising customers on creating their RPKI-ROAs. Smaller organizations, often served by networks that 
> provide DDoS mitigation on their behalf, might be unaware of these services or lack an understanding of how traffic 
> is rerouted.
>
> In some cases, you can identify customers of DDoS mitigation services by looking at as-sets published by these 
> providers or by investigating related IRR objects for the IP addresses. However, this approach isn’t reliable.
>
> Currently, there’s no established best practice for helping organizations determine the correct ROAs to create. This 
> can lead to confusion, especially when DDoS mitigation is involved.
>
> ARIN plans to implement a check in their hosted RPKI interface that will help validate proposed ROAs against the 
> current global routing table. While this feature will be useful, there is a risk that it could give DDoS mitigation 
> customers a false sense of security. They might create ROAs that inadvertently block their DDoS scrubbing service 
> from functioning properly.
>
> I’d like to engage with stakeholders in this space to explore opportunities for improvement. Any suggestions or input 
> on this topic would be greatly appreciated.
>
> thanks,
>
>
> steven
>
>
> Steven Wallace
> Director - Routing Integrity
> Internet2
> ssw () internet2 edu



Steven Wallace
Director - Routing Integrity
Internet2
ssw () internet2 edu