Hi, One legitimate reason is the split of companies. In some cases, IP space needs to be divided up. For example, company A splits up in AA and AB, and has a /20. Company AA may advertise the /20, while the new AB may advertise the top or bottom /21. I know of at least one worldwide e-commerce company that is in that situation.
Thanks, Sabri ----- On May 22, 2019, at 9:40 AM, Tom Beecher <beec...@beecher.cc> wrote: > There are sometimes legitimate reasons to have a covering aggregate with some > more specific announcements. Certainly there's a lot of cleanup that many > should do in this area, but it might not be the best approach to this issue. > On Tue, May 21, 2019 at 5:30 AM Alejandro Acosta < [ > mailto:alejandroacostaal...@gmail.com | alejandroacostaal...@gmail.com ] > > wrote: >> On 5/20/19 7:26 PM, John Kristoff wrote: >> > On Mon, 20 May 2019 23:09:02 +0000 >> > Seth Mattinen < [ mailto:se...@rollernet.us | se...@rollernet.us ] > wrote: >> >> A good start would be killing any /24 announcement where a covering >> >> aggregate exists. >> > I wouldn't do this as a general rule. If an attacker knows networks are >> > 1) not pointing default, 2) dropping /24's, 3) not validating the >> > aggregates, and 4) no actual legitimate aggregate exists, (all >> > reasonable assumptions so far for many /24's), then they have a pretty >> > good opportunity to capture that traffic. >> +1 John >> Seth approach could be an option _only_ if prefix has an aggregate >> exists && as origin are the same >> > John
