[74559] in North American Network Operators' Group
Re: Blackhole Routes
daemon@ATHENA.MIT.EDU (Richard A Steenbergen)
Sat Oct 2 22:56:01 2004
Date: Sat, 2 Oct 2004 22:54:56 -0400
From: Richard A Steenbergen <ras@e-gerbil.net>
To: Ian Dickinson <ian.dickinson@pipex.net>
Cc: "Stephen J. Wilcox" <steve@telecomplete.co.uk>,
Deepak Jain <deepak@ai.net>, "Wayne E. Bouchard" <web@typo.org>,
Erik Haagsman <erik@we-dare.net>,
"Robert A. Hayden" <rhayden@geek.net>,
Abhishek Verma <abhishekv.verma@gmail.com>, nanog@merit.edu
In-Reply-To: <415F2667.9060408@pipex.net>
Errors-To: owner-nanog-outgoing@merit.edu
On Sat, Oct 02, 2004 at 11:06:31PM +0100, Ian Dickinson wrote:
> You'd need an additional community to flag this, e.g. 65001:666 means to
> blackhole, 65001:6666 means to propagate it as well. I can't speak for
> others but when we blackhole the destination (as opposed to blackholing
> the source or mitigating) we often only do it in the direction from
> which the attack is coming*. Why drop globally when you can drop
> traffic from a subset of the Internet? Your victim will thank you
> if 90% of their customer base can reach them, versus none. Similarly,
> if they're multi-homed, they may well rely on you NOT propagating.
> Maybe this looks different from the perspective of a global Tier-1.
No, 65001:666 (or whatever value is chosen for a well known community, for
the sake of argument) means to set the next-hop to something that discards
packets, and otherwise propagate the route as normal. If you don't want it
to be exported in a specific direction, you add no-export or no-advertise
or just don't advertise it to peer X just like you would do with any other
route. Don't complicate the protocol unnecessarily based on your specific
assumptions of how you might or might not use a feature.
There is nothing more or less complicated about this than adding a value
to the end of http://www.iana.org/assignments/bgp-well-known-communities
and declaring it a standard blackhole community. How you use it, how you
export it, and who you accept it from, are provider specific policy
decisions. However, based on the knowledge that a blackhole community
route is no different than a regular route in its ability to cause
unreachability if incorrectly announced, I would tend to suspect that most
people would choose to allow this to be propagated globally.
--
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
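As an added illustration, not taken from Richard's post or from any vendor's documentation: the scheme described above (a community that sets the next-hop to a discarding address and otherwise leaves the route alone, with export controlled by ordinary policy) written out as a Cisco IOS configuration. The discard address, the customer AS, peer address and prefixes are assumed values from the documentation ranges; 65001:666 is the community value used in the thread.

```cisco
! Discard next-hop: a static route to Null0, configured on every router
! in the AS so the blackhole works wherever the route is installed.
! 192.0.2.1 is an assumed documentation address, not a real discard host.
ip route 192.0.2.1 255.255.255.255 Null0
ip bgp-community new-format

! The blackhole community; the value is the one used in the thread.
ip community-list standard BLACKHOLE permit 65001:666

! Address space this customer is allowed to originate, and therefore
! the only space for which the community is honoured (assumed /24).
! "le 32" lets the customer blackhole individual hosts inside it.
ip prefix-list CUST-A-BLACKHOLE seq 5 permit 198.51.100.0/24 le 32
ip prefix-list CUST-A-ROUTES seq 5 permit 198.51.100.0/24

! Inbound policy on the customer session. Clause 10: tagged route inside
! the customer's own space -> rewrite next-hop to the discard address and
! propagate it as normal. Clause 20: ordinary customer routes. Anything
! else, including a blackhole request for someone else's space, is dropped.
route-map CUST-A-IN permit 10
 match community BLACKHOLE
 match ip address prefix-list CUST-A-BLACKHOLE
 set ip next-hop 192.0.2.1
 ! To keep the drop inside this AS instead of exporting it (the directional
 ! approach in the quoted mail), add the following line; no new community
 ! value is needed for that choice:
 ! set community no-export additive
route-map CUST-A-IN permit 20
 match ip address prefix-list CUST-A-ROUTES
route-map CUST-A-IN deny 30

router bgp 65001
 ! Assumed customer peer in AS 64496.
 neighbor 203.0.113.2 remote-as 64496
 neighbor 203.0.113.2 send-community
 neighbor 203.0.113.2 route-map CUST-A-IN in
 ! If next-hop-self is used towards iBGP peers, verify that the discard
 ! next-hop survives the rewrite; re-set it in the iBGP outbound policy
 ! if it does not, otherwise the /32 is routed normally inside the AS.
```

The prefix-list check in clause 10 is the "who you accept it from" part of the policy: it keeps a customer from blackholing prefixes that are not theirs, which is the same unreachability risk any mis-announced route carries.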