Hello,

Here the problem is "for longer defensive prefixes".

For example, in a normal situation I advertise a /32 to my IP transit providers. When a DDoS happens, one of my providers will start advertising 1x/48 of my /32 prefix to hi-jack the route from us and filter it.

But in order for that provider to be able to do that, I need ROA records and route6 objects stating that all of the /48s that fit into my /32 would be originated from that provider. There is no issue with ROA records, because I can say that the maximum prefix that this provider can advertise is a /48 of my /32. But as far as I know I cannot do the same with route6 objects; I need to create all the /48 route6 objects pointing to that provider (65535 objects). But in RIPE, as far as I know, there is a limitation of 1000 objects per day that I can create. At this rate it will take me more than 2 months to create these objects for only 1x/32. What if I need to protect 5x/32? :)

In my opinion managing these is a nightmare, and it also adds an unnecessary number of objects to the IRR db.

Lugupidamisega / Best regards,

Kaupo Ehtnurm
Network & System administrator
WaveCom AS
ISO 9001 & 27001 Certified DC and verified VMware Cloud
kaupo@wavecom.ee | +372 5685 0002
Endla 16, Tallinn 10142 Estonia | http://www.wavecom.ee/

----- Original Message -----
From: "Randy Bush" <randy@psg.com>
To: "Kaupo Ehtnurm" <kaupo@wavecom.ee>
Cc: "Kaupo Ehtnurm via db-wg" <db-wg@ripe.net>
Sent: Friday, July 7, 2023 5:36:19 PM
Subject: Re: [db-wg] Route(6) objects
By doing this the internet will always (also under normal circumstances) prefer that one provider.
0 - register irr and rpki objects for aggregates and for longer
    defensive prefixes
1 - announce only aggregates to both providers
2 - when ddosed,
    - do not change announcement of aggregate to non-mediating
    - deaggregate announcement to mediating provider
3 - when ddos ends, return to state 1

randy
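
The ROA versus route6 difference discussed in this thread, as an added example that is not part of the original messages: one ROA with maxLength 48 validates any /48 from the mitigation provider under RFC 6811, while an exact-match IRR filter passes only /48s that have their own route6 object. The prefix 2001:db8::/32, the AS numbers and the exact-match filtering behaviour are assumptions made for illustration; the 1000 objects per day figure is the one quoted in the message.

```python
import ipaddress

# Constructed sample data: documentation prefix and documentation ASNs.
AGGREGATE = ipaddress.ip_network("2001:db8::/32")
OWN_AS, MITIGATION_AS = 64496, 64511

# ROAs as (prefix, maxLength, origin AS): one entry per origin covers everything.
ROAS = [(AGGREGATE, 32, OWN_AS), (AGGREGATE, 48, MITIGATION_AS)]

# route6 objects as (prefix, origin AS): the aggregate plus one registered /48.
ROUTE6 = {(AGGREGATE, OWN_AS),
          (ipaddress.ip_network("2001:db8:1::/48"), MITIGATION_AS)}


def rov_state(prefix, origin, roas=ROAS):
    """RFC 6811 origin validation: valid, invalid or not-found."""
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        if prefix.version == roa_prefix.version and prefix.subnet_of(roa_prefix):
            covered = True
            if prefix.prefixlen <= max_len and origin == roa_as:
                return "valid"
    return "invalid" if covered else "not-found"


def irr_exact_match(prefix, origin, route6=ROUTE6):
    """Exact-match IRR filter (assumed): passes only if that very object exists."""
    return (prefix, origin) in route6


def route6_objects_needed(aggregate=AGGREGATE, new_len=48):
    """Number of route6 objects needed to pre-register every more-specific."""
    return 2 ** (new_len - aggregate.prefixlen)


if __name__ == "__main__":
    for text in ("2001:db8:1::/48", "2001:db8:2::/48"):
        p = ipaddress.ip_network(text)
        print(text, rov_state(p, MITIGATION_AS), irr_exact_match(p, MITIGATION_AS))
    n = route6_objects_needed()
    print(n, "objects,", -(-n // 1000), "days at 1000 per day")
```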