On 1/23/20 2:45 PM, Frank Bulk wrote:
> Has support for a blackhole community been added?  We’d like to start
> doing that.

AFAIK, no. I think we'd need:

- A BGP community*
- which when set** causes the route servers to set a next hop of a
  specific IP address (and probably set no-export too)
- which the route servers (?) ARP for, returning a specific MAC
- which is blocked by a layer 2 ACL on the core switch and any remotes
  that are able to do so

*  At least the well-known blackhole community 65535:666 from RFC 7999.

** The route servers would also have to allow smaller prefixes when the
   blackhole community is set, so that you could blackhole as small as a
   single address (in IPv4 at least).

See also: https://www.seattleix.net/blackholing

In practice, this is probably behind IRR filtering in implementation
priority, because we really should be using IRR filtering so that you
can only blackhole your own prefixes.

-- 
Richard
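The route-server import policy sketched above (BLACKHOLE community 65535:666 rewrites the next hop to a dedicated address, adds NO_EXPORT, and relaxes the prefix-length limit, all gated on IRR-style origin checks so a peer can only blackhole its own space), modelled as a small Python simulation. This is an added example, not code from the thread or from any route-server software; the next-hop address, the per-AS allowed-prefix table, the /24 and /48 normal-route limits and the ipv6 handling are assumptions chosen for illustration.

```python
"""Toy model of a route-server import policy with RFC 7999 blackholing.

Constructed example: the addresses and the IRR-derived prefix table are
made up. Real route servers implement this in their daemon's filter
language; this only shows the decision logic."""
import ipaddress
from dataclasses import dataclass, field

BLACKHOLE = (65535, 666)       # RFC 7999 BLACKHOLE community
NO_EXPORT = (65535, 65281)     # RFC 1997 well-known NO_EXPORT
# Assumed blackhole next hop: the address whose MAC the core switch drops.
BLACKHOLE_NEXT_HOP = "203.0.113.66"
# Assumed longest prefix accepted for normal (non-blackhole) routes.
MAX_NORMAL_PREFIX_LEN = {4: 24, 6: 48}


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    communities: frozenset = field(default_factory=frozenset)
    peer_asn: int = 0


def covered_by_irr(prefix: str, allowed: tuple) -> bool:
    """True if prefix lies inside a block the peer is registered to originate."""
    net = ipaddress.ip_network(prefix)
    for block in allowed:
        parent = ipaddress.ip_network(block)
        if parent.version == net.version and net.subnet_of(parent):
            return True
    return False


def route_server_import(route: Route, irr_allowed: dict):
    """Return (decision, route_after_policy).

    decision is one of: 'reject:irr', 'reject:too-specific',
    'accept', 'accept:blackhole'. The route is only modified when
    the BLACKHOLE community is set and the origin check passed."""
    net = ipaddress.ip_network(route.prefix)

    # IRR filtering first: a peer may only announce (and thus blackhole)
    # prefixes inside the blocks registered to its ASN.
    if not covered_by_irr(route.prefix, irr_allowed.get(route.peer_asn, ())):
        return "reject:irr", None

    is_blackhole = BLACKHOLE in route.communities
    # Blackholes may be as specific as a single host; others hit the
    # normal limit for their address family.
    max_len = net.max_prefixlen if is_blackhole else MAX_NORMAL_PREFIX_LEN[net.version]
    if net.prefixlen > max_len:
        return "reject:too-specific", None

    if is_blackhole:
        rewritten = Route(
            prefix=route.prefix,
            next_hop=BLACKHOLE_NEXT_HOP,
            communities=route.communities | {NO_EXPORT},
            peer_asn=route.peer_asn,
        )
        return "accept:blackhole", rewritten
    return "accept", route


# Constructed IRR-derived table: ASN -> blocks it may originate.
IRR_ALLOWED = {64496: ("198.51.100.0/24", "2001:db8:1::/48")}

if __name__ == "__main__":
    for r in (
        Route("198.51.100.7/32", "10.0.0.1", frozenset({BLACKHOLE}), 64496),
        Route("198.51.100.7/32", "10.0.0.1", frozenset(), 64496),
        Route("192.0.2.9/32", "10.0.0.1", frozenset({BLACKHOLE}), 64496),
        Route("198.51.100.0/24", "10.0.0.1", frozenset(), 64496),
    ):
        print(route_server_import(r, IRR_ALLOWED))
```

The order of checks matters: the origin check runs before the prefix-length relaxation, so a peer cannot use the blackhole community to announce a /32 it does not hold. Dropping the blackholed next hop at layer 2 (the ACL on the core switch) is outside this model.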