On Tue, 12 Feb 2019, 01:52 Jay Borkenhagen <j...@braeburn.org wrote: > ... but there is one place where I disagree with Niels. He advised > against lowering the local-pref of invalid routes. I agree that this > should not be anyone's target policy, but it is a useful step along > the way. >
For initial deployment, this can seem attractive, but remember that one of the benefits an ROA gives is specifying the maximum prefix length. This means that someone can't hijack a /23 with a /24. Lowering local pref on invalid means you're no longer protected (just generating alerts) because longer prefix length always beats local preference. Once you are confident that you're not dropping anything valuable, the local preference rule should move to dropping the route (not the traffic!) from being installed. M >
