Hello.., you are totally right, the first reason that came to my mind is
traffic engineering but there are other reasons too.
On 5/22/19 12:40 PM, Tom Beecher wrote:
There are sometimes legitimate reasons to have a covering aggregate
with some more specific announcements. Certainly there's a lot of
cleanup that many should do in this area, but it might not be the best
approach to this issue.
On Tue, May 21, 2019 at 5:30 AM Alejandro Acosta
<alejandroacostaal...@gmail.com
<mailto:alejandroacostaal...@gmail.com>> wrote:
On 5/20/19 7:26 PM, John Kristoff wrote:
> On Mon, 20 May 2019 23:09:02 +0000
> Seth Mattinen <se...@rollernet.us <mailto:se...@rollernet.us>>
wrote:
>
>> A good start would be killing any /24 announcement where a covering
>> aggregate exists.
> I wouldn't do this as a general rule. If an attacker knows
networks are
> 1) not pointing default, 2) dropping /24's, 3) not validating the
> aggregates, and 4) no actual legitimate aggregate exists, (all
> reasonable assumptions so far for many /24's), then they have a
pretty
> good opportunity to capture that traffic.
+1 John
Seth approach could be an option _only_ if prefix has an aggregate
exists && as origin are the same
> John