[74518] in North American Network Operators' Group


Re: Blackhole Routes

daemon@ATHENA.MIT.EDU (Christopher L. Morrow)
Thu Sep 30 12:51:41 2004

Date: Thu, 30 Sep 2004 16:50:55 +0000 (GMT)
From: "Christopher L. Morrow" <christopher.morrow@mci.com>
In-reply-to: <415C366B.7010900@ai.net>
To: Deepak Jain <deepak@ai.net>
Cc: Eric Germann <ekgermann@cctec.com>,
	'Abhishek Verma' <abhishekv.verma@gmail.com>, nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu

On Thu, 30 Sep 2004, Deepak Jain wrote:

>
>
> It sounds like you are confusing ideas here...
>
> If BGP is making a forwarding table entry, that's it. Ports are not
> really considered in forwarding decisions -- or if they are, the box is
> usually called a Firewall, not a router.
>

Just thinking out loud here... BUT, you could potentially (provided you
had the interfaces and time) re-next-hop certain traffic based on source
or destination address (dest would be easiest, which means catching
syn-ack and discarding it to drop the sessions as embryos) and filter out
'bad' stuff in a more centralized manner. There are risks with this, of
course, and complications which you'll probably want to avoid in any
decently large network. As Deepak points out though, this is leading down
some very dark paths of midnight-troubleshooting on complex configurations
:(

-Chris
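The point both posters are making, that a BGP-installed entry keys the forwarding decision on the destination prefix and never on ports, is easy to see in a toy forwarding table. The following is an added example, not code from the NANOG thread or from any router vendor: a longest-prefix-match FIB with a discard next-hop (named `Null0` here by assumption) and a "re-next-hop" entry that diverts one host's traffic to a central filtering box. The prefixes are RFC 5737 documentation space and the next-hop names are invented.

```python
import ipaddress

# Added example, not part of the NANOG thread: a destination-only FIB that
# shows why a blackhole or re-next-hop entry affects every packet to that
# destination, whatever the source or port.

DISCARD = "Null0"   # assumed name for the discard interface


class Fib:
    """Longest-prefix-match forwarding table keyed on destination address only."""

    def __init__(self):
        self.routes = []   # list of (ip_network, next_hop)

    def add(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        best = None
        for net, nh in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return None if best is None else best[1]


def forward(fib, packet):
    """Forwarding decision for a packet given as a dict.

    Only packet['dst'] is consulted; 'src' and 'dport' are carried along
    purely to show that a router's FIB ignores them.
    """
    nh = fib.lookup(packet["dst"])
    if nh is None:
        return "unroutable"
    if nh == DISCARD:
        return "dropped"
    return f"forward via {nh}"


def build_sample_fib():
    # Constructed routes; prefixes are RFC 5737 documentation space,
    # next-hop names are assumed.
    fib = Fib()
    fib.add("0.0.0.0/0", "upstream-1")            # default route
    fib.add("203.0.113.0/24", "customer-link")     # customer prefix
    fib.add("203.0.113.10/32", DISCARD)            # BGP-triggered blackhole for an attacked host
    fib.add("203.0.113.20/32", "scrubber-1")       # re-next-hop: divert to a central filtering box
    return fib


def demo():
    """Run a few constructed packets through the sample FIB."""
    fib = build_sample_fib()
    packets = [
        {"src": "198.51.100.7", "dst": "203.0.113.10", "dport": 80},
        {"src": "198.51.100.7", "dst": "203.0.113.10", "dport": 22},
        {"src": "198.51.100.7", "dst": "203.0.113.20", "dport": 443},
        {"src": "198.51.100.7", "dst": "203.0.113.30", "dport": 443},
        {"src": "198.51.100.7", "dst": "192.0.2.1", "dport": 53},
    ]
    return [forward(fib, p) for p in packets]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The two packets for `203.0.113.10` are dropped whether they are aimed at port 80 or port 22, and the `/32` for `203.0.113.20` wins over the customer `/24`, so all of that host's inbound traffic goes to the filtering box. The same destination-only lookup is the limitation Chris mentions: an entry keyed on a remote address as destination only matches packets heading back toward it, that is, the server's replies such as the SYN-ACK, which is why the approach drops sessions "as embryos" rather than stopping the inbound SYN.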
