job
commented
3 months ago Dear @NickBouwhuis
The "Filtering IXP Peering LANs" guide actually has largely been overtaken by the rise and deployment of RPKI-ROV. As the guide notes:
When the IXP has created ROA’s and has not configured the maxLength attribute, rejecting RPKI invalid routes offers sufficient protection. The examples below are meant for scenario’s where there is no ROA, or in case you have not implemented RPKI ROV.
The trouble with the blanket "deny everything more-specific to the aggregate IXP prefix"-approach is that it also causes IXPs that do want their Peering LAN prefix to appear in the global Internet Routing Table to be rejected.
By prefering RPKI each individual IXP operator can make a choice about what should happen with their Peering LAN prefix. The examples in this guide merely exist for the case where there are no ROAs and the IXP doesn't want their Peering LAN prefix in the DFZ - a bit of an unlikely scenario these days.
Use RIPE assigned IXP prefix 2001:7f8::/32+ instead of seperate lines per IXP.
https://www.ripe.net/publications/docs/ripe-504/