Blackhole Routes

Will Yardley william+nanog at hq.dreamhost.com
Thu Sep 30 18:51:13 UTC 2004


On Thu, Sep 30, 2004 at 02:15:49PM -0400, Deepak Jain wrote:
 
> > It goes a little further than that these days. Folks are openly
> > allowing customers to advertise routes with something like a 666
> > community which will then be blackholed within their network. So if
> > you're a service provider with your own blackhole system, you can
> > easily tie it into your upstream's system and dump the traffic many
> > hops away from you
 
> This is very dangerous however.....
 
> If providers start tying their customers' blackhole announcements to the 
> provider's upstreams' blackhole announcements in an AUTOMATIC process, 
> bad things <tm> are likely to happen. What happens when a customer of a 
> provider mistakenly advertises more routes than he should [let's say 
> specifics in case #1] you can flood your upstreams' routers with 
> specifics and potentially cause flapping or memory overflows...
> 
> In case #2, presumably the blackhole community takes precedence, so if a 
> customer is mistakenly readvertising their multihome provider's table 
> with a 666 tag, all of the upstream providers might be blackholing the 
> majority of their non-customer routes.

Well I think in most cases, there are some safeguards, in terms of the
number of blackhole prefixes that will be accepted, and the length of
the prefix (i.e., accept no more than 10 blackhole routes, only accept
blackhole routes that are within prefixes the customer is advertising,
only accept prefixes longer than /24).

GBLX's docs on this are at:
https://robin.gblx.net/api/docs/null_route.html
-- one example of a "real life" implementation of such a system.

-- 
"Since when is skepticism un-American?
Dissent's not treason but they talk like it's the same..."
(Sleater-Kinney - "Combat Rock")
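The safeguards listed in the reply above (a cap on the number of blackhole routes, only prefixes inside what the customer already advertises, only prefixes longer than /24) can be checked mechanically before a customer's 666-tagged announcement is propagated upstream. The filter below is an added illustration and is not code from the post, from NANOG, or from the GBLX null-route system; the cap of 10 routes and the /25 minimum length are assumptions taken from the figures quoted in the reply, and all addresses are constructed from documentation ranges.

```python
"""Validate customer blackhole (RTBH) announcements against per-customer safeguards.

Added example, not from the original post. Rules modelled on the reply above:
  1. accept no more than MAX_BLACKHOLE_ROUTES per customer,
  2. accept only prefixes inside what the customer is already allowed to advertise,
  3. accept only prefixes longer than /24 (so /25 .. /32; whole /24s and shorter
     covering routes are refused, which is what stops a readvertised full table
     from being blackholed upstream).
"""
import ipaddress
from dataclasses import dataclass, field

MAX_BLACKHOLE_ROUTES = 10     # assumed cap, from "no more than 10 blackhole routes"
MIN_BLACKHOLE_PREFIXLEN = 25  # assumed: "only accept prefixes longer than /24"


@dataclass
class Decision:
    accepted: list = field(default_factory=list)   # prefixes to pass on with the blackhole tag
    rejected: dict = field(default_factory=dict)   # prefix -> reason it was dropped


def filter_blackhole_routes(customer_prefixes, announced,
                            max_routes=MAX_BLACKHOLE_ROUTES,
                            min_prefixlen=MIN_BLACKHOLE_PREFIXLEN):
    """Return a Decision splitting `announced` into accepted and rejected prefixes.

    customer_prefixes: the aggregates the customer is authorised to announce.
    announced: prefix strings the customer tagged with the blackhole community.
    Rules are applied in order; the first failing rule is recorded as the reason.
    """
    allowed = [ipaddress.ip_network(p) for p in customer_prefixes]
    result = Decision()
    for p in announced:
        try:
            # strict=True refuses host bits set under the mask, e.g. "192.0.2.1/24"
            net = ipaddress.ip_network(p, strict=True)
        except ValueError:
            result.rejected[p] = "malformed prefix or host bits set"
            continue
        if net.prefixlen < min_prefixlen:
            result.rejected[p] = f"prefix shorter than /{min_prefixlen}"
            continue
        # subnet_of() only compares same address family, so check the version first
        if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
            result.rejected[p] = "not within the customer's own prefixes"
            continue
        if len(result.accepted) >= max_routes:
            result.rejected[p] = f"more than {max_routes} blackhole routes"
            continue
        result.accepted.append(str(net))
    return result


def demo():
    """Constructed sample: one customer with two /24s announcing a mixed bag of routes."""
    customer = ["192.0.2.0/24", "198.51.100.0/24"]
    announced = [
        "192.0.2.7/32",       # legitimate host blackhole -> accepted
        "198.51.100.64/26",   # sub-prefix of the customer's block -> accepted
        "192.0.2.0/24",       # whole /24, not longer than /24 -> rejected
        "203.0.113.5/32",     # someone else's space -> rejected
        "2001:db8::1/128",    # customer has no IPv6 aggregates here -> rejected
        "192.0.2.1/24",       # host bits set, malformed -> rejected
    ]
    return filter_blackhole_routes(customer, announced)


if __name__ == "__main__":
    d = demo()
    for p in d.accepted:
        print("ACCEPT", p)
    for p, why in d.rejected.items():
        print("REJECT", p, "-", why)
```

Applying the length rule before the "within customer prefixes" rule matters: a customer that accidentally re-tags a transit table would have every covering /8 through /24 dropped on rule 3 alone, and the count cap then bounds how many host routes a single misconfiguration can push upstream.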