This seems reasonable to me -- what is the timeline to IRR filter implementation?
Frank
-----Original Message-----
From: MICE Discuss <[log in to unmask]> On Behalf Of Richard Laager
Sent: Thursday, January 23, 2020 2:54 PM
To: [log in to unmask]
Subject: Re: [MICE-DISCUSS] Blackholing DoS traffic
On 1/23/20 2:45 PM, Frank Bulk wrote:
> Has support for a blackhole community been added? We’d like to start
> doing that.
AFAIK, no. I think we'd need:
- A BGP community*
- which when set** causes the route servers to set a next hop of a
specific IP address (and probably set no-export too)
- which the route servers (?) ARP for, returning a specific MAC
- which is blocked by a layer 2 ACL on the core switch and any remotes
that are able to do so
* At least the well-known blackhole community 65535:666 from RFC 7999.
** The route servers would also have to allow smaller prefixes when the
blackhole community is set, so that you could blackhole as small as a
single address (in IPv4 at least).
See also: https://www.seattleix.net/blackholing
In practice, this is probably behind IRR filtering in implementation
priority, because we really should be using IRR filtering so that you
can only blackhole your own prefixes.
--
Richard
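The policy sketched in the message above (a blackhole community that rewrites the next hop and adds NO_EXPORT, a relaxed prefix-length limit when that community is set, and IRR filtering so a member can only blackhole its own space), written out as an added example. This is not code from the thread or from any route-server software; it is a toy model of the decision logic on constructed sample routes, and the discard next-hop addresses, MAC, and the /24 and /48 length limits are assumptions chosen for illustration.

```python
"""Added example, not from the original thread: a toy model of the
route-server blackhole policy described above. Real IXP route servers
implement this in BIRD or OpenBGPD filters; here it is plain Python so the
decision logic can be run and checked on constructed sample routes."""
import ipaddress
from dataclasses import dataclass, field

BLACKHOLE = (65535, 666)        # RFC 7999 well-known BLACKHOLE community
NO_EXPORT = (65535, 65281)      # RFC 1997 well-known NO_EXPORT community

# Assumed, IXP-specific values (constructed for this example): the discard
# next hop per address family and the MAC the route servers answer ARP/ND
# with for it, which the core switch's layer-2 ACL would block.
BLACKHOLE_NEXT_HOP = {4: "192.0.2.66", 6: "2001:db8::66"}
BLACKHOLE_MAC = "de:ad:be:ef:06:66"

# Assumed normal maximum prefix length accepted without the community.
MAX_PREFIX_LEN = {4: 24, 6: 48}


@dataclass
class Route:
    prefix: str
    next_hop: str
    communities: set = field(default_factory=set)


def allowed_by_irr(prefix, irr_prefixes):
    """True if prefix is within one of the member's IRR-registered prefixes.

    This is what keeps a member from blackholing someone else's address."""
    net = ipaddress.ip_network(prefix)
    for registered in irr_prefixes:
        reg = ipaddress.ip_network(registered)
        if reg.version == net.version and net.subnet_of(reg):
            return True
    return False


def route_server_policy(route, irr_prefixes):
    """Apply the import policy to one route from one member.

    Returns (action, route): action is 'accept', 'blackhole', or a
    'reject: ...' reason; route is the (possibly rewritten) route or None."""
    net = ipaddress.ip_network(route.prefix)
    ver = net.version

    # IRR filtering comes first, so the community can only be used on
    # prefixes the member is registered for.
    if not allowed_by_irr(route.prefix, irr_prefixes):
        return "reject: not in IRR", None

    if BLACKHOLE in route.communities:
        # With the community set, allow prefixes down to a single host
        # address, rewrite the next hop to the discard address, and add
        # NO_EXPORT so the blackhole stays within the exchange.
        rewritten = Route(route.prefix, BLACKHOLE_NEXT_HOP[ver],
                          route.communities | {NO_EXPORT})
        return "blackhole", rewritten

    # Without the community the usual length limit applies.
    if net.prefixlen > MAX_PREFIX_LEN[ver]:
        return "reject: too specific", None
    return "accept", route


def l2_acl_drops(dst_mac):
    """Model of the core-switch layer-2 ACL: frames to the blackhole MAC
    are discarded, everything else is forwarded."""
    return dst_mac.lower() == BLACKHOLE_MAC


if __name__ == "__main__":
    # Constructed sample: a member registered for 203.0.113.0/24 asks to
    # blackhole one address inside it during a DoS.
    member_irr = ["203.0.113.0/24", "2001:db8:100::/48"]
    victim = Route("203.0.113.7/32", "203.0.113.1", {BLACKHOLE})
    print(route_server_policy(victim, member_irr))
    # The same /32 without the community is too specific...
    print(route_server_policy(Route("203.0.113.7/32", "203.0.113.1"), member_irr))
    # ...and a blackhole for space the member is not registered for is refused.
    print(route_server_policy(Route("198.51.100.9/32", "203.0.113.1", {BLACKHOLE}),
                              member_irr))
    print("dropped at L2:", l2_acl_drops(BLACKHOLE_MAC))
```

The ordering matters: the IRR check runs before the community is honoured, which is the point of the last paragraph in the message (blackholing should only be possible for your own prefixes). Traffic to the rewritten route is forwarded to a next hop that resolves to the blackhole MAC and is then discarded by the layer-2 ACL.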