I'm very interested in this! 

I'd suggest talking with the smart folks at globalcyberalliance.org, who now 
operate MANRS. I'm sure Brad Gorman, the ARIN product owner for routing 
security, is also close by.

I was going to suggest an informal BoF at NANOG next week, but I see you aren't 
registered. 

One thought I haven't examined closely is creating a ROA during a DDoS attack, 
specific to the affected resources. But I suppose that's dependent on 
Validators downloading updated ROAs, which may be longer than the DDoS lasts.

Lee


-----Original Message-----
From: NANOG <nanog-bounces+leehoward=hilcostreambank....@nanog.org> On Behalf 
Of Steven Wallace
Sent: Friday, October 18, 2024 9:50 AM
To: nanog@nanog.org
Subject: It can be challenging to advise DDoS mitigation subscribers on their 
RPKI-ROA needs


DDoS mitigation services, particularly those that dynamically announce more 
specific routes during an attack, add complexity when advising customers on 
creating their RPKI-ROAs. Smaller organizations, often served by networks that 
provide DDoS mitigation on their behalf, might be unaware of these services or 
lack an understanding of how traffic is rerouted.

In some cases, you can identify customers of DDoS mitigation services by 
looking at as-sets published by these providers or by investigating related IRR 
objects for the IP addresses. However, this approach isn’t reliable.

Currently, there’s no established best practice for helping organizations 
determine the correct ROAs to create. This can lead to confusion, especially 
when DDoS mitigation is involved.

ARIN plans to implement a check in their hosted RPKI interface that will help 
validate proposed ROAs against the current global routing table. While this 
feature will be useful, there is a risk that it could give DDoS mitigation 
customers a false sense of security. They might create ROAs that inadvertently 
block their DDoS scrubbing service from functioning properly.

I’d like to engage with stakeholders in this space to explore opportunities for 
improvement. Any suggestions or input on this topic would be greatly 
appreciated.

thanks,


steven


Steven Wallace
Director - Routing Integrity
Internet2
s...@internet2.edu
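
An added example, not part of the original thread: a minimal RFC 6811 route origin validation in Python, showing how a ROA set that matches the steady-state routing table can still make a scrubbing provider's more-specific announcement invalid. The prefixes (IPv6 documentation space), the AS numbers (documentation range) and both ROA plans are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: str
    max_length: int
    asn: int

def validate(route_prefix, origin_asn, roas):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA covers the route when the route is equal to or inside it.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # AS0 never matches; the route must also respect maxLength.
        if roa.asn != 0 and roa.asn == origin_asn \
                and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered by at least one ROA but matched by none: invalid.
    return "invalid" if covered else "not-found"

CUSTOMER_AS = 64496   # constructed: the organization's own origin AS
SCRUBBER_AS = 64511   # constructed: the DDoS mitigation provider's AS

# Constructed announcements: normal operation and during an attack.
STEADY_STATE = ("2001:db8::/32", CUSTOMER_AS)
MITIGATION = ("2001:db8:1::/48", SCRUBBER_AS)

# Plan A: what a check against the current routing table alone suggests.
PLAN_A = [ROA("2001:db8::/32", 32, CUSTOMER_AS)]
# Plan B: also authorizes the scrubber's more-specific in advance.
PLAN_B = PLAN_A + [ROA("2001:db8:1::/48", 48, SCRUBBER_AS)]

def assess(roas):
    """Validation state of both announcements under one ROA plan."""
    return {
        "steady_state": validate(*STEADY_STATE, roas),
        "mitigation": validate(*MITIGATION, roas),
    }

if __name__ == "__main__":
    for name, plan in (("plan A", PLAN_A), ("plan B", PLAN_B)):
        print(name, assess(plan))
```

Plan A passes a comparison against the steady-state table, yet the mitigation announcement is invalid under it because the covering ROA names a different origin AS and a shorter maxLength.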
