RTBH no_export

Michel Py michel.py at tsisemi.com
Thu Jan 31 20:33:59 UTC 2019


> Roel Parijs wrote:
> To minimize the impact of DDoS, I have setup RTBH. For our own customers, we can set the RTBH community ourselves towards our transit suppliers and
> this works well. For our BGP customers the problem is more complex. Our BGP customers can send us the RTBH community, and we will drop the traffic
> at our borders. Since we're only running a small network, we don't have the capacity to deal with large attacks. If we would be able to forward (and maybe
> alter it) this RTBH community towards our upstream providers, the impact on our network would be limited. However, the RFC states that an announcement
> tagged with the blackhole community should get the no_advertise or no_export community.

I think the RFC is flexible enough; it's more about what you have agreed with your upstream(s) in terms of what they will accept as blackholes routes.
Many upstreams will accept a destination-based blackhole if the prefix belongs to you, but accepting blackholes for other prefixes or accepting source-based blackholes requires a lot of trust. It's more a political issue than a technical one, as I see it.

Michel.

TSI Disclaimer:  This message and any files or text attached to it are intended only for the recipients named above and contain information that may be confidential or privileged. If you are not the intended recipient, you must not forward, copy, use or otherwise disclose this communication or the information contained herein. In the event you have received this message in error, please notify the sender immediately by replying to this message, and then delete all copies of it from your system. Thank you!...


More information about the NANOG mailing list