On 1/23/20 2:45 PM, Frank Bulk wrote:
> Has support for a blackhole community been added? We’d like to start
> doing that.
AFAIK, no. I think we'd need:
- A BGP community*
- which when set** causes the route servers to set a next hop of a
  specific IP address (and probably set no-export too)
- which the route servers (?) ARP for, returning a specific MAC
- which is blocked by a layer 2 ACL on the core switch and any remotes
  that are able to do so

* At least the well-known blackhole community 65535:666 from RFC 7999.
** The route servers would also have to allow smaller prefixes when the
blackhole community is set, so that you could blackhole as small as a
single address (in IPv4 at least).
See also: https://www.seattleix.net/blackholing
In practice, this is probably behind IRR filtering in implementation
priority, because we really should be using IRR filtering so that you
can only blackhole your own prefixes.
--
Richard
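The route-server side of the workflow Richard sketches (community match, next-hop rewrite, NO_EXPORT, relaxed prefix length, IRR gate first), as an added BIRD 2.x import-filter example that is not from the thread or the exchange's own configuration. The sink address 192.0.2.254 and the member prefix set 203.0.113.0/24 are placeholders; IPv4 only, and the MAC/layer-2 ACL part lives on the switch, not here.

```bird
# Constructed example: route-server import policy for one member session.
# Placeholders: the sink next hop and the member's IRR-derived prefix set.
define BLACKHOLE_NEXTHOP = 192.0.2.254;     # address the RS answers ARP for with the drop MAC
define NO_EXPORT = (65535, 65281);          # RFC 1997 well-known NO_EXPORT
define BLACKHOLE = (65535, 666);            # RFC 7999 well-known BLACKHOLE

# Placeholder for the set normally generated from the member's IRR objects.
# {24,32} admits the aggregate and anything more specific down to a host route,
# so the length decision is made explicitly in the functions below.
define MEMBER_PREFIXES_V4 = [ 203.0.113.0/24{24,32} ];

# Normal peering announcements: nothing longer than a /24.
function prefix_len_ok()
{
  return net.len >= 8 && net.len <= 24;
}

# Blackhole requests: allow down to a single address, since the goal is
# to drop traffic to exactly the victim host.
function blackhole_len_ok()
{
  return net.len >= 8 && net.len <= 32;
}

filter rs_member_import
{
  # IRR gate first: without it any member could blackhole anyone's address,
  # which is why the thread puts IRR filtering ahead of blackholing.
  if !(net ~ MEMBER_PREFIXES_V4) then reject "prefix not in member's IRR set";

  if defined(bgp_community) && (BLACKHOLE ~ bgp_community) then {
    if !blackhole_len_ok() then reject "blackhole prefix length out of range";
    bgp_next_hop = BLACKHOLE_NEXTHOP;       # steer the victim prefix to the sink
    bgp_community.add(NO_EXPORT);           # keep the sink route inside the IXP
    accept "blackhole route accepted";
  }

  if !prefix_len_ok() then reject "prefix length out of range";
  accept;
}
```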