Hello

For example, I have the 2001:1234::/32 IPv6 network.
And I want to start using a DDoS protection service that one of my IP transit providers offers.
But my edge routers are multihomed, and enabling DDoS protection at one transit provider still lets half of the attack come in from our other IP transit providers in case of a DDoS attack.
But if our IP transit provider that also provides DDoS protection were to hijack the routes from us with more specific routes, then instead of traffic flowing from my other IP transit providers to my AS, it would flow to my DDoS protection provider's AS.
Route hijacking solves the problem where half of the attack still comes into my AS from the other transit providers.
In order for the DDoS protection service provider to be able to hijack the routes from us correctly, we need to have more specific ROAs and route(6) objects in place.
With ROAs it is easy; I just create the following ROA: "2001:1234::/32 max length 48 ASN AS1234"
But with route(6) objects this isn't so easy, because these objects don't have a max length or any other operator they accept.
And because of that I have to hope that the entire internet accepts all the /48s that fit into the 2001:1234::/32 prefix if I have the following route6 object: "2001:1234::/32 AS1234".
But to be correct with my DB records I would need to create all the /48 route6 objects that fit into that /32, and instead of 1 object I need to create 65536 objects.
First of all, I would hit the per-day object creation limit in the RIPE DB. With this limit in place, I would be creating the records for over 2 months.
And the manageability of those records would be a nightmare.

If ROAs and route(6) objects go hand in hand most of the time anyway, then why can't route objects have a "max length" or some kind of operator like ROAs have?


Lugupidamisega / Best regards,

Kaupo Ehtnurm


Network & System administrator
WaveCom AS 
ISO 9001 & 27001 Certified DC and verified VMware Cloud
kaupo@wavecom.ee | +372 5685 0002
Endla 16, Tallinn 10142 Estonia | www.wavecom.ee
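The gap the post describes, shown as an added illustration (not code from the poster or from the RIPE DB): a ROA with maxLength 48 makes every /48 inside the /32 "valid" under RFC 6811 origin validation, while an IRR route6 object matches on the exact prefix only, so each /48 the DDoS provider announces needs its own object. The 2001:1234::/32 prefix and AS1234 are taken from the post; the /48 and /49 test prefixes, AS64496 as an unrelated origin, and the trimmed two-attribute RPSL rendering are constructed for the example.

```python
"""ROA maxLength versus exact-match route6 objects (constructed illustration)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

IPv6Net = ipaddress.IPv6Network


def v6(s: str) -> IPv6Net:
    """Parse a prefix string into an IPv6Network (helper for the demo and tests)."""
    return ipaddress.IPv6Network(s)


@dataclass(frozen=True)
class ROA:
    """An RPKI ROA: prefix, maxLength and the authorised origin ASN."""
    prefix: IPv6Net
    max_length: int
    asn: int


@dataclass(frozen=True)
class Route6:
    """An IRR route6 object: one exact prefix and one origin ASN, no maxLength."""
    prefix: IPv6Net
    origin: int


def roa_validate(announced: IPv6Net, origin: int, roas: Iterable[ROA]) -> str:
    """RFC 6811 route origin validation outcome for one announcement.

    'valid'     : a covering ROA has the same ASN and prefixlen <= maxLength
    'invalid'   : covering ROAs exist but none of them matches
    'not-found' : no ROA covers the announced prefix at all
    """
    covering = [r for r in roas if announced.subnet_of(r.prefix)]
    if not covering:
        return "not-found"
    for r in covering:
        if r.asn == origin and announced.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def route6_registered(announced: IPv6Net, origin: int, objects: Iterable[Route6]) -> bool:
    """Prefix filters built from route6 objects match the exact prefix only:
    a route6 for the /32 says nothing about a /48 carved out of it."""
    return any(o.prefix == announced and o.origin == origin for o in objects)


def more_specific_count(aggregate: IPv6Net, length: int) -> int:
    """Number of prefixes of the given length that fit inside the aggregate."""
    if length < aggregate.prefixlen:
        raise ValueError("target length must not be shorter than the aggregate")
    return 2 ** (length - aggregate.prefixlen)


def rpsl_route6_objects(aggregate: IPv6Net, length: int, origin: int, limit: int) -> List[str]:
    """Render the first `limit` of the route6 objects needed to cover every
    more-specific of `length` inside `aggregate`. Only the two attributes that
    matter here are emitted; a real object also needs mnt-by, source, etc."""
    out: List[str] = []
    for i, net in enumerate(aggregate.subnets(new_prefix=length)):
        if i >= limit:
            break
        out.append(f"route6: {net}\norigin: AS{origin}")
    return out


if __name__ == "__main__":
    agg = v6("2001:1234::/32")                 # prefix from the post
    roas = [ROA(agg, 48, 1234)]                # the ROA the post proposes
    objs = [Route6(agg, 1234)]                 # the single route6 object the post has
    ms = v6("2001:1234:abcd::/48")             # constructed: one of the /48s
    print("ROA says   :", roa_validate(ms, 1234, roas))      # valid
    print("route6 says:", route6_registered(ms, 1234, objs)) # False
    print("route6 objects needed:", more_specific_count(agg, 48))  # 65536
    print("\n\n".join(rpsl_route6_objects(agg, 48, 1234, 2)))
```

Running the demo prints "valid" for the ROA check, False for the route6 check on the same /48, and 65536 as the number of route6 objects that would have to be registered for the /32 to be fully covered at /48 granularity.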