Implementing RTBH filtering / BGP tagging
Kelly Cochran
kcochran at he.net
Tue Mar 20 19:42:05 CET 2012
On Mar 20, 2012, at 10:36 AM, Ondrej Zajicek wrote:
> I am not sure if i understad what you want. I suppose that for each
> route in blackhole table you want to export that prefix with 6939:666
> community through BGP.
I think you nailed it on the head, but then again, I do kind of have a better insight on the process he's trying to do, from the other side. ;-)
> Or much simpler solution - remove secondary tables, add blackhole routes
> to bird config as static routes (in static protocol) and have everything
> in the master table.
Which is exactly what I wound up doing when testing this sort of thing internally. Soft config reloads won't bounce the session when you change items in the static protocol. Good use for an include, generate the static protocol stub from scripts, and you now have a nice persistent state mechanism. Granted, I was also only using this for blackhole injections, and no other routes so the configuration can be really simple.
> BTW, in the filter bgp_out_he(), i guess you want accept all routes with
> proto = "blackhole", otherwise only your routes would be exported (and i
> suppose blackholed IPs are foreign).
Blackholed IPs would actually have to be local. This mechanism is common for dropping a DDoS at your upstream's borders, and not just your own border, as it's presumably not something you can effectively mitigate internally. Remote IPs would be S/RTBH, and that's not usually seen in transit networks due to the nature of what that would require to affect only the requestor of the blackhole, and not the network as a whole. (VRFs for everyone! Wait... that requires how much RAM? Nevermind...)
-- -H U R R I C A N E - E L E C T R I C-
Kelly Cochran Sr. Network Engineer
510-580-4100 http://www.he.net/ AS6939
More information about the Bird-users
mailing list