Implementing RTBH filtering / BGP tagging
Gregg Berkholtz
gregg at tocici.com
Tue Mar 20 00:59:59 CET 2012
In working to streamline our utilization of each upstream's RTBH filtering mechanisms (e.g. http://www.he.net/adm/blackhole.html ), I'm having a heck of a time configuring BIRD to "mirror" Cisco product behaviors.
Here's the Cisco Way (where X.X.X.X is the ip to blackhole):
conf t
ip route X.X.X.X 255.255.255.255 Null0
router bgp YourAS
network X.X.X.X mask 255.255.255.255 route-map blackhole
route-map blackhole permit 10
set community 6939:666
end
What I believe needs to happen w/ BIRD, and the Linux Kernel route tables:
1) Create and maintain a non-default Linux kernel route table, to accomplish blackholing at our gateways (working great). Also wanting BIRD to monitor this non-default route table, and :666 tag+announce upstream any /32 entries within our 199.127.224.0/22.
2) BIRD imports the non-default kernel route table (seems to be working ok).
3) For each "protocol bgp *Upstream*", use an export filter to identify and tag relevant "blackhole" route entries with a specific RTBH community (e.g. 6939:666)...this is what I'm struggling with.
While snippets are below, our entire bird.conf (minus comments) can be found at:
http://pastebin.com/xE1AxtGe
Here's my breakdown of what seems to be happening:
1) Create/edit/update the non-default kernel route table (works great, the Linux kernel/route config drops this traffic without issue):
"...
~$ sudo ip rule add from all table 10 priority 10; sudo ip route add blackhole 199.127.225.73/32 table 10; .....
~$ sudo ip route show table 10 |wc -l
456
~$ sudo ip rule
0: from all lookup local
10: from all lookup 10
..."
2) Read the non-default kernel route table (from bird.conf):
"...
table blackroutes;
protocol kernel blackhole {
    table blackroutes;
    kernel table 10;
    scan time 10;
    learn;
    import all;
    export all;
}
..."
BIRD seems to import the non-default kernel table without issue:
"...
~$ sudo birdc show protocols all |grep blackhole -C 10
blackhole Kernel blackroutes up Mar17
Preference: 10
Input filter: ACCEPT
Output filter: ACCEPT
Routes: 454 imported, 0 exported, 454 preferred
Route change stats: received rejected filtered ignored accepted
Import updates: 1363 0 0 0 1363
Import withdraws: 909 0 --- 0 909
Export updates: 1363 1363 0 --- 0
Export withdraws: 909 --- --- --- 0
~$ sudo ip route show table 10 |wc -l
456
..."
BTW: the bulk of our "blacklist" entries come from http://www.spamhaus.org/drop/drop.lasso, although we only want to tag+announce what we control (e.g. /32's within 199.127.224.0/22).
3) Can't seem to figure out correct tagging method/commands (from bird.conf):
"...
filter bgp_out_he {
    if (proto = "blackhole" ) then
    {
        bgp_community = -empty-; bgp_community.add((6939,666));
    }
    if net ~ [65.49.94.0/24] then accept;
    if net ~ [199.127.224.0/22] then accept;
    reject;
}
...
protocol bgp HE {
    local as 14613;
    source address 65.19.175.14;
    neighbor 65.19.175.13 as 6939;
    import all;
    ...
    export filter bgp_out_he;
}
..."
Am I missing something obvious? Going about this the wrong way?
Thanks greatly for any help,
Gregg Berkholtz
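As an added illustration (not part of the original post or of the pastebin config), here is one way the three pieces above can fit together in BIRD 1.x syntax: the kernel protocol reads table 10, a pipe carries those routes into the table the HE session exports from, and the export filter tags only /32s inside the operator's own /22. It assumes the HE session uses the default master table and that the pipe runs in its default transparent mode, so the originating protocol name survives for the `proto` check.

```bird
# Added example, not the poster's own config. Assumes BIRD 1.x, kernel
# table 10 learned into "blackroutes", and a BGP session on table master.
table blackroutes;

protocol kernel blackhole {
    table blackroutes;
    kernel table 10;
    scan time 10;
    learn;                 # pick up routes installed by "ip route add blackhole ..."
    import all;
    export none;           # BIRD only reads table 10, it never writes into it
}

# Carry the learned blackhole routes into master, where the HE session lives.
# (assumption: transparent pipe, the default, keeps proto = "blackhole")
protocol pipe blackroutes_to_master {
    table master;
    peer table blackroutes;
    import all;            # blackroutes -> master
    export none;           # nothing flows back
}

filter bgp_out_he {
    if (proto = "blackhole") then {
        # "[199.127.224.0/22]" matches only the exact /22; the {32,32}
        # qualifier matches the /32 more-specifics inside it instead.
        if (net ~ [199.127.224.0/22{32,32}]) then {
            bgp_community = -empty-;
            bgp_community.add((6939,666));   # upstream RTBH community
            accept;
        }
        # Blackholes for space we do not own (e.g. the DROP list) stay local.
        reject;
    }
    if net ~ [65.49.94.0/24, 199.127.224.0/22] then accept;
    reject;
}
```

After reloading, `birdc show route table master filter bgp_out_he` lists exactly what the HE session would announce, with the community visible under `show route ... all`.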