is it common to proxy register route objects for the purpose of grouping them for use in an as-set

Greeting,

One of the DDoS mitigation providers we work with creates proxy route objects for its customers’ prefixes. These route objects specify a common origin ASN rather than the actual origin ASN that would be seen in routing tables. Their rationale is to bind the prefixes to a single ASN, allowing the entire set of customer routes to be announced via an as-set.

Is this a common approach?

Just curious.

thanks,

steve

Steven Wallace
Director - Routing Integrity
Internet2
ssw@internet2.edu

* ssw@internet2.edu (Steven Wallace) [Thu 26 Sep 2024, 18:36 CEST]:

One of the DDoS mitigation providers we work with creates proxy route objects for its customers’ prefixes. These route objects specify a common origin ASN rather than the actual origin ASN that would be seen in routing tables. Their rationale is to bind the prefixes to a single ASN, allowing the entire set of customer routes to be announced via an as-set.

Is this a common approach?

I don't think there really are enough DDoS mitigation providers to speak of anything being common in that industry.

Any IRRdb worth their salt will have such prefixes removed automatically if the protected entity is worth their salt and created RPKI ROAs for the prefixes in question, of course.

Wouldn't route-set be the better way to create a collection of routes..?

  -- Niels.

What I can say as an operator of one IRR, is that any proxy object is
killed on sight. So this DDoS mitigation provider will probably need
to look elsewhere for pulling this off.

Rubens

1 Like