[74531] in North American Network Operators' Group


Re: Blackhole Routes

daemon@ATHENA.MIT.EDU (Mark Kasten)
Thu Sep 30 16:49:00 2004

Date: Thu, 30 Sep 2004 16:47:30 -0400
From: Mark Kasten <mark.kasten@savvis.net>
To: Richard A Steenbergen <ras@e-gerbil.net>, nanog@merit.edu
In-Reply-To: <20040930200748.GC24690@overlord.e-gerbil.net>
Errors-To: owner-nanog-outgoing@merit.edu


Richard A Steenbergen wrote:


> That said, it is still absolutely silly that we can't standardize on a 
> globally accepted blackhole community. A provider with many transit 
> upstreams who wishes to pass on blackhole routes for their customers could 
> quickly find themselves with some very messy configs and announcements 
> trying to get everyone's specific blackhole community in place. I know 
> we've all been tossing this idea around for a number of years, but if it 
> hasn't been done already will someone please get this put into a draft 
> already.
> 

The problem with this is authentication.  I can authenticate prefixes my 
customers advertise me (as much as currently possible anyway).  I can't 
authenticate a prefix coming in from a peer that is not filtered.  If an 
ISP were to accept any prefix with 65535:666 as a triggered blackhole, 
how do you trust that?  As much as I agree that a global blackhole 
community would be nice, that's a big gotcha with potential liability 
attached.
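
An added illustration, not part of the original message: a minimal import-policy check that honors the blackhole community only where the announcing session has a per-prefix filter to authenticate against. The session names, prefix lists, the /24 length limit and the choice to reject tagged routes from peers are assumptions of this sketch; the prefixes are constructed from documentation address space.

```python
import ipaddress

BLACKHOLE = "65535:666"   # community value quoted in the message
MAX_NORMAL_LEN = 24       # assumed limit for ordinary (untagged) routes

# Constructed sample sessions: customers carry a prefix filter, peers do not.
SESSIONS = {
    "cust-a": {"type": "customer", "allowed": ["192.0.2.0/24", "198.51.100.0/24"]},
    "peer-x": {"type": "peer", "allowed": []},
}

def evaluate(session, prefix, communities):
    """Return 'blackhole', 'accept' or 'reject' for one received route."""
    sess = SESSIONS[session]
    net = ipaddress.ip_network(prefix)
    tagged = BLACKHOLE in communities

    if sess["type"] != "customer":
        # No prefix filter exists for this session, so the origin of a
        # blackhole request cannot be checked: never act on the tag.
        return "reject" if tagged else "accept"

    allowed = [ipaddress.ip_network(a) for a in sess["allowed"]]
    covered = any(a.version == net.version and net.subnet_of(a) for a in allowed)
    if not covered:
        return "reject"        # outside what this customer may announce
    if tagged:
        return "blackhole"     # authenticated by the customer prefix filter
    # Untagged host routes are not accepted as ordinary routes.
    return "accept" if net.prefixlen <= MAX_NORMAL_LEN else "reject"

if __name__ == "__main__":
    for s, p, c in [
        ("cust-a", "192.0.2.55/32", [BLACKHOLE]),
        ("cust-a", "203.0.113.9/32", [BLACKHOLE]),
        ("peer-x", "192.0.2.55/32", [BLACKHOLE]),
    ]:
        print(s, p, c, "->", evaluate(s, p, c))
```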

