Implementing RTBH filtering / BGP tagging
Ondrej Zajicek
santiago at crfreenet.org
Tue Mar 20 18:36:08 CET 2012
On Mon, Mar 19, 2012 at 04:59:59PM -0700, Gregg Berkholtz wrote:
> In working to streamline our utilization of each upstream's RTBH filtering mechanisms (e.g. http://www.he.net/adm/blackhole.html ), I'm having a heck of a time configuring BIRD to "mirror" Cisco product behaviors.
>
> Here's the Cisco Way (where X.X.X.X is the ip to blackhole):
> conf t
> ip route X.X.X.X 255.255.255.255 Null0
> router bgp YourAS
> network X.X.X.X mask 255.255.255.255 route-map blackhole
> route-map blackhole permit 10
> set community 6939:666
> end
>
> What I believe needs to happen w/ BIRD, and the Linux Kernel route tables:
> 1) Create and maintain a non-default Linux kernel route table, to accomplish blackholing at our gateways (working great). Also wanting to have BIRD monitor this non-default route table, and :666 tag+announce upstream any /32 entries within our 199.127.224.0/22.
>
> 2) BIRD imports the non-default kernel route table (seems to be working ok).
>
> 3) For each "protocol bgp *Upstream*", use an export filter to identify and tag relevant "blackhole" route entries with a specific RTBH community (e.g. 6939:666)...this is what I'm struggling with.
I am not sure if I understand what you want. I suppose that for each
route in the blackhole table you want to export that prefix with the 6939:666
community through BGP. For that, your current config has a problem: the
BGP protocol is connected to the master table, so there is no way
blackhole routes could go from table blackroutes to the BGP protocol.
So you should connect the master and blackroutes tables through a pipe
(and add appropriate filtering to ensure that blackhole routes end up only in BGP).
Another solution is to add one more table for BGP, connect BGP to that table
and add two pipes (master-this_new and blackroutes-this_new); this would make
the filtering simpler.
Or a much simpler solution: remove the secondary tables, add the blackhole routes
to the bird config as static routes (in the static protocol) and have everything
in the master table.
BTW, in the filter bgp_out_he(), I guess you want to accept all routes with
proto = "blackhole", otherwise only your routes would be exported (and I
suppose the blackholed IPs are foreign).
--
Elen sila lumenn' omentielvo
Ondrej 'SanTiago' Zajicek (email: santiago at crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
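As an added configuration example (not from the thread or the BIRD project), here is the "much simpler" layout from the reply in BIRD 1.x syntax: blackholed /32s are static routes in a protocol named blackhole in the master table, the kernel protocol installs them locally, and the upstream export filter tags them with 6939:666 and only lets /32s inside the 199.127.224.0/22 from the question through. The protocol names, the local AS, the neighbor address and the sample /32 are assumptions; the /22 and the community are taken from the thread.

```bird
# Added example in BIRD 1.x syntax. Assumed names: static protocol "blackhole",
# BGP protocol "he"; local AS and neighbor address are placeholders.
# 199.127.224.0/22 and community 6939:666 come from the thread.

# Blackholed /32s are plain static routes in the master table, so no
# second table or pipe is needed. The address below is a constructed sample.
protocol static blackhole {
  route 199.127.224.17/32 blackhole;
}

# Push those blackholes into the Linux main table so the gateway itself
# drops the traffic; BIRD is then the single source of truth.
protocol kernel {
  scan time 20;
  export where proto = "blackhole";
}

protocol device {
  scan time 10;
}

# Upstream export filter: only /32s inside our own /22 that came from the
# blackhole protocol get the RTBH community. Anything else from that
# protocol is rejected, so a typo cannot announce a foreign /32 upstream.
filter bgp_out_he
{
  if proto = "blackhole" then {
    if net ~ [ 199.127.224.0/22{32,32} ] then {
      bgp_community.add((6939,666));
      accept;
    }
    reject;
  }
  # Assumption: your normal aggregate is a static route in another protocol.
  if net ~ [ 199.127.224.0/22 ] && source = RTS_STATIC then accept;
  reject;
}

protocol bgp he {
  local as 65000;                 # placeholder
  neighbor 192.0.2.1 as 6939;     # placeholder neighbor address
  import all;
  export filter bgp_out_he;
}
```

Adding or removing a blackhole is then a config edit plus `birdc configure`, and the same filter can be reused for each upstream with that upstream's own RTBH community.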