Blackhole Routes

guy guy at 602.ORG
Mon Oct 4 05:35:54 UTC 2004


	I know that my current employer is set up to reject /32s from
peers as well as not to send them to peers. (Customers too for that
matter save for the ones that have a bgp session to our null router).
Having one's upstream propagate out /32s that they want null routed
because of an attack probably won't scale past the original upstream.
I guess all the tier1s could set up a whole network of special bgp sessions
to each other's blackhole routers (those that implement this method) set
up to implicitly trust each other's announcements, which in turn means
that said network would need to implicitly trust all their peers'
downstreams. Call me a realist, but I just don't see that happening
anytime soon.

Guy Tal

On Thu, 30 Sep 2004, Richard A Steenbergen wrote:

You can't authenticate a prefix coming in from a peer that says to
route a /24 to them any better or any worse. What difference does it make
if you route the traffic to them and they blackhole it, or if you
blackhole it locally based on their routing information? If it is a leak
or a malicious route, you track it down and plug it the same way you do
with an existing route that doesn't have the blackhole community set. I'm
not saying that those methods are perfect by any means, but adding a
global blackhole community at least changes nothing from the status quo.



