Implementing RTBH filtering / BGP tagging

Ondrej Zajicek santiago at crfreenet.org
Tue Mar 20 23:25:56 CET 2012


On Tue, Mar 20, 2012 at 11:42:05AM -0700, Kelly Cochran wrote:
> > Or much simpler solution - remove secondary tables, add blackhole routes
> > to bird config as static routes (in static protocol) and have everything
> > in the master table.
> 
> Which is exactly what I wound up doing when testing this sort of thing
> internally.  Soft config reloads won't bounce the session when you
> change items in the static protocol.  Good use for an include, generate

BTW, even 'hard' reconfiguration will not restart the session if there is
no change in the BGP session protocol (and its filters). The difference
between soft/hard reconfiguration in BIRD is just whether filter changes
are considered.

> > BTW, in the filter bgp_out_he(), i guess you want accept all routes with
> > proto = "blackhole", otherwise only your routes would be exported (and i
> > suppose blackholed IPs are foreign).
> 
> Blackholed IPs would actually have to be local.  This mechanism is
> common for dropping a DDoS at your upstream's borders, and not just your
> own border, as it's presumably not something you can effectively
> mitigate internally.  Remote IPs would be S/RTBH, and that's not usually
> seen in transit networks due to the nature of what that would require to
> affect only the requestor of the blackhole, and not the network as a
> whole.  (VRFs for everyone!  Wait... that requires how much RAM? 
> Nevermind...)

Yes, I thought more about S/RTBH.

BTW, to implement the other side of RTBH we would probably need to support
an explicit change of a received BGP route's destination to the
unreachable/blackhole/prohibit type. This currently could be done by
some tricks, so an explicit filter operator for that would be useful, I
suppose.

-- 
Elen sila lumenn' omentielvo

Ondrej 'SanTiago' Zajicek (email: santiago at crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
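The originator side discussed in this thread, written out as a complete BIRD 1.x configuration. This is an added example, not a configuration posted by anyone in the thread: all addresses, AS numbers, protocol names (static "blackhole", static "originate", bgp "upstream_he") and the RTBH community value are placeholders that a real deployment would replace with the values its upstream documents. It keeps the blackhole routes as static routes in the master table, so adding or removing a victim host and reconfiguring does not bounce the BGP session, and the export filter accepts routes from the blackhole protocol only when they are /32 host routes inside the operator's own prefix, so a typo in the static block cannot announce a blackhole for foreign address space.

```bird
# Constructed BIRD 1.x example for the RTBH originator side.
# 192.0.2.0/24 is the operator's own prefix, 65000 the local AS,
# 203.0.113.1 / 65001 the upstream, (65001,666) the upstream's RTBH
# community. All of these are placeholders.

router id 192.0.2.1;

protocol device {
}

# Optional: install the blackhole routes into the local FIB as well,
# so the hosts are also dropped on this box.
protocol kernel {
    export all;
}

# Own aggregate, originated here so the upstream learns it normally.
protocol static originate {
    route 192.0.2.0/24 reject;
}

# Blackhole routes as static routes in the master table. Editing this
# block and reconfiguring does not restart the BGP session.
protocol static blackhole {
    route 192.0.2.10/32 blackhole;   # victim host under attack (placeholder)
    route 192.0.2.11/32 blackhole;
}

# Export filter towards the upstream.
filter bgp_out_he {
    if proto = "blackhole" then {
        # Only host routes from our own prefix may be blackholed upstream.
        if net ~ [ 192.0.2.0/24{32,32} ] then {
            bgp_community.add((65001, 666));   # upstream's RTBH community
            accept;
        }
        reject;
    }
    # Our own aggregate, exported as usual.
    if proto = "originate" then accept;
    reject;
}

protocol bgp upstream_he {
    local as 65000;
    neighbor 203.0.113.1 as 65001;
    import none;
    export filter bgp_out_he;
}
```

After changing the blackhole block, `birdc configure` applies it; `birdc show route export upstream_he` shows exactly what the upstream would receive and is the quickest way to confirm that only the tagged /32s and the aggregate leave the box.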