Kaupo Ehtnurm wrote on 12/07/2023 14:43:

I was hoping that somebody is experienced with this situation and could advise me, what the correct way by-the-book would be.

A /32 will work just fine. The IRRDB design is too simplistic to model even basic inter-domain routing policies properly, so there is no "by the book" option which will work without breaking something else, badly. 65k /48 entries will break things on the internet. If you have a /29, then that's 512k entries, which will cause even more trouble.

Transit providers and DDOS mitigation companies understand this, and take it into account. Your only concern in this situation should be whether your DDOS mitigation provider will accept more-specifics, and this will depend on the relationship they have with their upstreams. I.e. it's not RIPE DB-WG you need to check this out with, it's your DDOS provider.

Nick

But I will just accept creating /32 route6 object and hope that the /48s won't be filtered out only because of the inaccuracy of route6 object in different ASs across the globe.

Lugupidamisega / Best regards,
Kaupo Ehtnurm
Network & System administrator
WaveCom AS
ISO 9001 & 27001 Certified DC and verified VMware Cloud

Kaupo Ehtnurm wrote on 10/07/2023 08:06:

No, but I was wondering what do other AS-s do with my ipv6 prefix, if they are using IRR filtering in bgp.

I am not talking only about providers and providers' providers. I am talking about all the AS-s that participate in the global table and accept the full bgp table and filter it based on the IRR and/or ROA record. How can I be sure that they won't just drop my prefixes only because of the incorrect route6 object values? To eliminate the risk of my prefix getting blocked in some third party AS I would like to have correct route(6) objects, not almost correct (which technically are incorrect).

Most transit providers accept <= the route/route6 prefix length. Some IXPs filter strictly.

The best thing to do is to test this out and see if announcing an upstream /48 works. You can use e.g. RIPE Atlas or other measurement networks to test connectivity paths while upstream mitigation is in place, both with a /48 IRRDB entry for the announcement in question, and without. This should give you a clear idea about whether using individual /48s is worth the effort (I suspect the answer is probably not).

Nick
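
The two filtering behaviours discussed in this thread, as an added example that is not part of the original messages: it evaluates /48 announcements against a single /32 route6 object under an exact-match filter and under a filter that also accepts more-specifics, and computes how many /48 objects a /32 or /29 would need. The prefix 2001:db8::/32, AS64500, and the policy labels "strict" and "le" are assumptions chosen for illustration; ROA checks are not modelled.

```python
import ipaddress

# Constructed sample data: IPv6 documentation prefix and a documentation ASN.
ROUTE6_OBJECTS = [("2001:db8::/32", 64500)]


def irr_accepts(prefix, origin, objects, policy, max_len=48):
    """Return True if an announcement passes an IRR-derived prefix filter.

    policy "strict": prefix and origin must match a route6 object exactly.
    policy "le":     more-specifics of a route6 object are also accepted,
                     as long as they are no longer than max_len.
    (Both labels are hypothetical names for the behaviours in the thread.)
    """
    net = ipaddress.ip_network(prefix)
    for obj_prefix, obj_origin in objects:
        obj = ipaddress.ip_network(obj_prefix)
        if origin != obj_origin or net.version != obj.version:
            continue
        if net == obj:
            return True
        if policy == "le" and net.prefixlen <= max_len and net.subnet_of(obj):
            return True
    return False


def more_specific_count(prefix, new_len=48):
    """Number of new_len-sized objects needed to cover prefix exactly."""
    net = ipaddress.ip_network(prefix)
    return 2 ** (new_len - net.prefixlen)


def compare(announcements, objects):
    """Map each (prefix, origin) to its verdict under both policies."""
    return {
        (p, o): {pol: irr_accepts(p, o, objects, pol) for pol in ("strict", "le")}
        for p, o in announcements
    }


if __name__ == "__main__":
    sample = [("2001:db8::/32", 64500), ("2001:db8:12::/48", 64500),
              ("2001:db8:12::/48", 64501), ("2001:db8:12:3400::/56", 64500)]
    for key, verdict in compare(sample, ROUTE6_OBJECTS).items():
        print(key, verdict)
    print(more_specific_count("2001:db8::/32"), more_specific_count("2001:db8::/29"))
```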