Add filter to protect known peering subnets

Question

Add filter to protect known peering subnets

Closed this issue 4 years ago · 2 comments

Every once in a while some network operator makes a mistake and starts announcing a peering subnet like 80.249.208.0/21 (Ams-ix) or 193.239.116.0/22 (Nl-ix). In some of these cases even more specifics. You don't want to accept these routes.

Answer 1 · 2020-10-15T01:36:16.000Z

So that means virtually taking all IPv4 and IPv6 pools from all IXP's and putting them into filters... That sounds like a lot...

Answer 2 · 2020-10-15T06:01:48.000Z

The easiest solution to that type of problem is for IXPs to create RPKI ROAs covering their IXP Peering LAN prefixes, and for network operators to honor those ROAs and apply 'invalid == reject' policies on all EBGP sessions.

I think we can close this issue as RPKI Origin Validation scales sufficiently to solve this issue