Tom, thanks. I'm an academic researcher, not a network operator, sorry for the confusion, I should have been clearer.
The practice you described indeed shouldn't require ROA. I didn't even consider it, probably since I've been working so much on prefix hijacks, and this prefix would result in increased vulnerability to prefix hijacks. But if there's only a DDoS attack on the prefix and it's not being hijacked at the same time, then I think this practice may be fine - which would make such `emergency ROA' unnecessary.

So that's very very useful feedback, thanks a lot!!

Amir
--
Amir Herzberg
Comcast professor of Security Innovations, Computer Science and Engineering, University of Connecticut
Homepage: https://sites.google.com/site/amirherzberg/home
`Applied Introduction to Cryptography' textbook and lectures: https://sites.google.com/site/amirherzberg/cybersecurity

On Fri, Nov 17, 2023 at 12:09 AM Tom Krenn <tom.kr...@hennepin.us> wrote:

> It has been a few years, but I recall advertising my routes to the
> scrubbing center via a tunnel and just prepending to my other peers when in
> mitigation. This was pre-RPKI days, but my ASN was still originating the
> route. So, I would assume no change in ROA would be needed in that
> scenario. Are you allowing them to originate your routes or are they just
> another hop in your as-path?
>
> Tom Krenn
> Network Architect
> Enterprise Architecture - Information Technology
>
> *From:* NANOG <nanog-bounces+tom.krenn=hennepin...@nanog.org> *On Behalf Of *Amir Herzberg
> *Sent:* Thursday, November 16, 2023 19:58
> *To:* NANOG <nanog@nanog.org>
> *Subject:* [External] announcing IPs by scrubbing service to help with DDoS attacks and ROAs
>
> Hi, do people use scrubbing services, when under DDoS attack, by having
> the scrubbing service announce the attacked IP prefix(es)?
>
> If so, and you have a ROA for these prefixes, do you authorize the
> scrubbing AS (by issuing ROA or otherwise), and if so, do you do it in
> advance or only when you need the scrubbing service to announce your
> prefix?
>
> To clarify: we have a possible method to allow such `emergency ROAs' but
> I'm not convinced if we have a solution to a real problem - or if we just
> found a cute crypto solution and will end up writing it for a non-real
> problem. I prefer not to waste our time on presenting cute solutions to
> non-real problems :)
>
> So thanks for your help! Use your judgement if to respond on list or off
> list.
>
> Many thanks, Amir
> --
> Amir Herzberg
> Comcast professor of Security Innovations, Computer Science and
> Engineering, University of Connecticut
> Homepage: https://sites.google.com/site/amirherzberg/home
> `Applied Introduction to Cryptography' textbook and lectures:
> https://sites.google.com/site/amirherzberg/cybersecurity
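
Added example, not part of the original thread: RFC 6811 route origin validation applied to the two cases the thread distinguishes, the scrubbing AS as another hop in the AS path versus the scrubbing AS as origin. The prefixes, AS numbers and ROA set are constructed from documentation and reserved ranges.

```python
import ipaddress

# Constructed sample data (documentation prefixes, reserved ASNs).
CUSTOMER_AS, SCRUBBER_AS, PEER_AS = 64500, 64511, 64496
PREFIX = "192.0.2.0/24"
ROAS = [(PREFIX, 24, CUSTOMER_AS)]  # (prefix, maxLength, authorized origin AS)


def rov_state(prefix, as_path, roas):
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    origin = as_path[-1]  # the rightmost AS in the path is the origin
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue  # this ROA does not cover the announced prefix
        covered = True
        if route.prefixlen <= max_len and roa_as == origin:
            return "valid"
    # Covered by some ROA but matched by none: invalid. No covering ROA: not-found.
    return "invalid" if covered else "not-found"


def scenarios():
    """Validation state of each announcement a remote AS might receive."""
    roas_with_scrubber = ROAS + [(PREFIX, 24, SCRUBBER_AS)]
    return {
        # Routes reach the scrubber over a tunnel; the customer still originates.
        "scrubber_is_hop": rov_state(PREFIX, [SCRUBBER_AS, CUSTOMER_AS], ROAS),
        # Prepending toward other peers lengthens the path, origin unchanged.
        "prepended": rov_state(PREFIX, [PEER_AS] + [CUSTOMER_AS] * 3, ROAS),
        # Scrubber originates the prefix without a ROA naming it.
        "scrubber_originates": rov_state(PREFIX, [PEER_AS, SCRUBBER_AS], ROAS),
        # Same announcement once a ROA authorizes the scrubbing AS.
        "scrubber_authorized": rov_state(PREFIX, [PEER_AS, SCRUBBER_AS],
                                         roas_with_scrubber),
        # A prefix with no covering ROA at all.
        "no_roa": rov_state("198.51.100.0/24", [PEER_AS, SCRUBBER_AS], ROAS),
    }


if __name__ == "__main__":
    for name, state in scenarios().items():
        print(f"{name:22s} {state}")
```

Only the case where the scrubbing AS becomes the origin depends on a ROA naming it; origin validation does not look at intermediate hops or path length.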