[nanog at Overkill.EnterZone.Net: Extensions to RFC1998 - WAS: Re: DoS Attacks]
Haesu
haesu at towardex.com
Thu Oct 9 04:01:56 UTC 2003
Forwarding to NANOG on behalf of Mr. Fraizer.
Please don't shoot the messenger for any arguments/discussions.
-hc
--
Haesu C.
TowardEX Technologies, Inc.
Consulting, colocation, web hosting, network design and implementation
http://www.towardex.com | haesu at towardex.com
Cell: (978)394-2867 | Office: (978)263-3399 Ext. 170
Fax: (978)263-0033 | POC: HAESU-ARIN
----- Forwarded message from John Fraizer <nanog at Overkill.EnterZone.Net> -----
X-Original-To: haesu at mx01.bos.ma.towardex.com
Delivered-To: haesu at mx01.bos.ma.towardex.com
Date: Wed, 8 Oct 2003 21:58:26 -0400 (EDT)
From: John Fraizer <nanog at Overkill.EnterZone.Net>
To: Haesu <haesu at towardex.com>
Cc: nanog at merit.edu, a_spicer at bellsouth.net
Subject: Extensions to RFC1998 - WAS: Re: DoS Attacks
In-Reply-To: <20031009004646.GB88086 at scylla.towardex.com>
X-Spam-Status: No, hits=-2.0 required=5.0
tests=EMAIL_ATTRIBUTION,IN_REP_TO,QUOTED_EMAIL_TEXT,
REPLY_WITH_QUOTES,USER_AGENT_PINE
version=2.55
X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
On Wed, 8 Oct 2003, Haesu wrote:
> Hmmmm? What did I miss? When did RFC1998 get updated to include Null
> community? Feel free to let me know if they updated RFC on that
> lately... b/c I haven't checked it in a while.
>
> As far as I know, my upstreams are fully RFC1998 compliant and I use them well.
>
> -hc
>
Note: please echo this to the list. I don't have post
access. Ahem... Sue...Ahem...
The RFC itself hasn't been updated to include a Null community but if you
think about it, providing a NULL community is fully within the concept of
allowing customers to influence routing policy with the use of community
strings.
For example:
!
router bgp 65534
 neighbor a.a.a.a remote-as 65530
 neighbor a.a.a.a description Customer AS65530
 neighbor a.a.a.a prefix-list AS-65530 in
 neighbor a.a.a.a route-map CUSTOMERS in
!
ip prefix-list AS-65530 seq 5 permit x.x.x.x/y le 32
!
ip community-list standard POISON permit 65534:666
!
route-map CUSTOMERS permit 10
 match community POISON
 set local-preference 500
 set ip next-hop [ip address of your sink-hole]
!
Of course, the rest of the route-map CUSTOMERS is going to need to do some
sanity checks on the announcements you accept from the customers OTHER
than blackhole requests. In our case, we pass them through a prefix-list
match that includes:
ip prefix-list CUSTOMERS seq 10 deny 0.0.0.0/0 ge 25
As you can see, we're doing a prefix-list check against the announcements
that the customer sends us in the neighbor statement. Each customer gets
their own prefix-list that covers the networks that we have LOA to accept
from that customer. (Keeps boneheads from blackholing OTHER people!)
The first stanza in the CUSTOMERS route-map checks for the POISON
community. Any prefix that the customer sends us that includes this
community will be routed to our sink-hole.
The rest of the stanzas in the CUSTOMERS route-map look for other
communities from the customer. One stanza looks to see if the customer is
requesting us to pass their announcements of our address space on as
de-aggregated announcements. If we don't see that community, they're
aggregated. Other stanzas in the route-map are pretty cut and dried
RFC1998.
Our customers can do the following:
Community     Action
---------------------------------------------
13944:0       Don't announce to any peer
13944:1       Don't announce to PEERS
13944:2       Don't announce to TRANSIT
13944:3       Don't announce to CUSTOMERS
13944:20      Announce specific from EnterZone aggregate
              (for customers who are running on our IPs)
13944:90      Set preference to 90
13944:100     Set preference to 100
13944:110     Set preference to 110
13944:120     Set preference to 120
13944:666     Poison a route
13944:NNN0    Don't announce to peer NNN
13944:NNN1    Prepend once towards peer NNN
13944:NNN2    Prepend twice towards peer NNN
13944:NNN3    Prepend thrice towards peer NNN
Any time I do any consulting on another network, I recommend that they at
MINIMUM implement the Poisoned Route ability. It is not terribly
difficult to do as you can see above.
--
John Fraizer
EnterZone, Inc
(13944+$|13944+_14813+$|13944+_17266+$)
PGP Key = 6C5903C4
Fingerprint = 2AA6 6614 1B5E EDD2 38AD C417 3E61 F975 6C59 03C4
----- End forwarded message -----
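The following is an added example, not part of the forwarded message and not EnterZone's own configuration: a small Python model of the customer policy John describes, so the effect of a customer announcement can be checked before the equivalent route-map goes on a router. It walks the same steps in the same order: the per-neighbor LOA prefix-list (the post's "permit x.x.x.x/y le 32" style), the POISON stanza that sets local-preference 500 and the sink-hole next-hop, the "deny 0.0.0.0/0 ge 25" sanity check, and the 13944:* community table. Assumptions not in the post: the sink-hole address is a documentation-range placeholder, the sanity list is completed with an assumed "permit le 24" entry, and 13944:NNNx is decoded as peer id NNN plus a one-digit action, with the explicitly tabled values (0-3, 20, 90-120, 666) taking precedence.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

PROVIDER_AS = 13944                # provider ASN from the community table in the post
POISON = (PROVIDER_AS, 666)        # "Poison a route" community
SINKHOLE_NEXT_HOP = "192.0.2.1"    # ASSUMED sink-hole address (documentation range placeholder)
EXPORT_CLASSES = {0: {"PEERS", "TRANSIT", "CUSTOMERS"}, 1: {"PEERS"},
                  2: {"TRANSIT"}, 3: {"CUSTOMERS"}}


@dataclass
class PrefixListEntry:
    """One 'ip prefix-list ... permit|deny net [ge N] [le M]' line, Cisco semantics."""
    action: str
    network: ipaddress.IPv4Network
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, prefix: ipaddress.IPv4Network) -> bool:
        if not prefix.subnet_of(self.network):
            return False
        # No ge/le: exact length. ge only: ge..32. le only: net length..le. Both: ge..le.
        lo = self.network.prefixlen if self.ge is None else self.ge
        hi = self.le if self.le is not None else (32 if self.ge is not None else self.network.prefixlen)
        return lo <= prefix.prefixlen <= hi


def prefix_list_permits(entries: List[PrefixListEntry], prefix: ipaddress.IPv4Network) -> bool:
    """First matching entry wins; anything unmatched is implicitly denied."""
    for entry in entries:
        if entry.matches(prefix):
            return entry.action == "permit"
    return False


def loa_prefix_list(*cidrs: str) -> List[PrefixListEntry]:
    """Per-customer LOA list in the post's style: 'permit x.x.x.x/y le 32' per block."""
    return [PrefixListEntry("permit", ipaddress.ip_network(c), le=32) for c in cidrs]


# The global CUSTOMERS sanity list: 'deny 0.0.0.0/0 ge 25' from the post, then an ASSUMED permit.
CUSTOMERS_SANITY = [
    PrefixListEntry("deny", ipaddress.ip_network("0.0.0.0/0"), ge=25),
    PrefixListEntry("permit", ipaddress.ip_network("0.0.0.0/0"), le=24),
]


@dataclass
class Decision:
    accepted: bool
    reason: str
    local_pref: int = 100
    next_hop: Optional[str] = None
    no_export_to: Set = field(default_factory=set)        # export classes and/or peer ids
    prepend_to: Dict[int, int] = field(default_factory=dict)  # peer id -> prepend count
    deaggregate: bool = False


def evaluate(prefix: str, communities, customer_loa: List[PrefixListEntry]) -> Decision:
    """Apply the neighbor prefix-list, then the CUSTOMERS route-map stanzas in order."""
    net = ipaddress.ip_network(prefix)
    # Step 1: 'neighbor ... prefix-list AS-65530 in' keeps a customer from blackholing others.
    if not prefix_list_permits(customer_loa, net):
        return Decision(False, "outside customer LOA prefix-list")
    comms = set(communities)
    # Step 2: route-map stanza 10, 'match community POISON' -> sink-hole.
    if POISON in comms:
        return Decision(True, "poisoned: routed to sink-hole",
                        local_pref=500, next_hop=SINKHOLE_NEXT_HOP)
    # Step 3: every other stanza runs the announcement through the CUSTOMERS sanity list.
    if not prefix_list_permits(CUSTOMERS_SANITY, net):
        return Decision(False, "denied by CUSTOMERS prefix-list (longer than /24)")
    decision = Decision(True, "accepted")
    for asn, value in comms:
        if asn != PROVIDER_AS:
            continue                      # communities of other ASNs are not ours to act on
        if value in EXPORT_CLASSES:
            decision.no_export_to |= EXPORT_CLASSES[value]
        elif value == 20:
            decision.deaggregate = True
        elif value in (90, 100, 110, 120):
            decision.local_pref = value
        elif value >= 1000:
            # ASSUMED decoding of 13944:NNNx: leading digits = peer id, last digit = action.
            peer, action = divmod(value, 10)
            if action == 0:
                decision.no_export_to.add(peer)
            elif action in (1, 2, 3):
                decision.prepend_to[peer] = action
    return decision


if __name__ == "__main__":
    # Constructed sample: customer AS65530 holds an LOA for 198.51.100.0/24 only.
    loa = loa_prefix_list("198.51.100.0/24")
    print(evaluate("198.51.100.77/32", [POISON], loa))              # sink-holed, lp 500
    print(evaluate("203.0.113.5/32", [POISON], loa))                # rejected: not their space
    print(evaluate("198.51.100.0/24", [(13944, 1), (13944, 110), (13944, 4562)], loa))
```

The LOA check running before the POISON stanza is the point of the post's "boneheads" remark: a /32 blackhole request is honoured only inside address space the customer is authorised to announce, while the /25-and-longer deny still applies to ordinary announcements.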