On Wed, May 02, 2018 at 09:18:50PM +0200, Matthias Waehlisch wrote:
*scratch head*
If your DDoS mitigator depends on BGP hijacking to deliver their scrubbing services to you ... indeed you'll have challenges. I have no good answer, this is an architectural flaw where one has to make a trade-off between wanting to protect against hijacks and having the ability to insert more-specifics for legitimate purposes.
RPKI origin validation does not protect against path manipulation.
Even if you are announcing the /24, someone else could hijack with a faked origin A. It just gets more difficult because there are competing announcements.
For path validation there are other tricks! It is a bit of a poor man's solution, but so much better than nothing. It only protects a subset of all ASNs, but combined with RPKI Origin Validation this would be extremely effective.

https://www.nanog.org/sites/default/files/Snijders_Everyday_Practical_Bgp.pd...
https://www.youtube.com/watch?v=CSLpWBrHy10

Kind regards,

Job
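As an added illustration, not part of this thread and not code from anyone on the list: a minimal RFC 6811 route origin validation check over a constructed ROA table. It shows the point made above, that OV looks only at the origin ASN, so an announcement carrying the authorised origin validates no matter which AS actually injected it, while a more-specific beyond maxLength is rejected. The prefix and ASNs are documentation/private-range values constructed for the example.

```python
import ipaddress

# Constructed ROA table for this example (documentation prefix and private ASNs,
# not real routing data): (prefix, authorised origin ASN, maxLength).
ROAS = [
    ("192.0.2.0/24", 64496, 24),
]

def rov_state(prefix, as_path, roas=ROAS):
    """RFC 6811 route origin validation of one announcement.

    Only the rightmost ASN of the AS_PATH (the origin) is compared against the
    ROAs; the rest of the path is never examined. Returns "NotFound" when no
    ROA covers the prefix, "Valid" when a covering ROA matches the origin ASN
    and the prefix length is within maxLength, otherwise "Invalid".
    """
    pfx = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    covered = False
    for roa_prefix, roa_asn, max_len in roas:
        rp = ipaddress.ip_network(roa_prefix)
        if rp.version != pfx.version or not pfx.subnet_of(rp):
            continue
        covered = True
        if roa_asn == origin and pfx.prefixlen <= max_len:
            return "Valid"
    return "Invalid" if covered else "NotFound"

def demo():
    """Three announcements of the covered space, as seen by a neighbouring AS."""
    return {
        # Legitimate: AS64496 originates its own /24 via transit AS64500.
        "legit": rov_state("192.0.2.0/24", [64500, 64496]),
        # Path with a faked origin: the path ends in 64496 although 64511
        # injected it; OV alone still returns Valid, as the thread notes.
        "faked_origin": rov_state("192.0.2.0/24", [64511, 64496]),
        # A /25 with the same origin exceeds maxLength 24, so OV rejects it.
        "more_specific": rov_state("192.0.2.0/25", [64511, 64496]),
        # Space with no ROA at all is NotFound, not Invalid.
        "no_roa": rov_state("198.51.100.0/24", [64500, 64496]),
    }

if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name}: {state}")
```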