Blackholing: security considerations
Ondrej Zajicek
santiago at crfreenet.org
Fri Mar 7 12:29:24 CET 2014
On Thu, Mar 06, 2014 at 10:25:20PM +0200, Alexander Shikov wrote:
> Now let's assume that 109.68.40.0/21 is reachable via another peer, and we get
> a new route, and it is better due to AS-path length, and the new peer does not
> want to blackhole 109.68.40.20. Then "109.68.40.0/21 via 193.25.180.17" will
> become inactive, but "109.68.40.20/32 via 193.25.181.253 from 193.25.180.17"
> will stay best, and the new peer will lose traffic to 109.68.40.20.
>
> Thus, it'd be reasonable to compare a received /32 against the routing table,
> and accept it only if there is an active less-specific route from the same
> peer. Personally I was not able to find a solution for BIRD. Now I'm wondering
> how other IXPs perform such filtering.
Hello
That is not currently possible, as BIRD processes routes independently.
Also note that you can filter against [ 109.68.40.0/21, 109.68.40.0/21{32,32} ],
which would allow both 109.68.40.0/21 and 109.68.4X.X/32, but not intermediate
prefixes, but this does not help w.r.t. your main concern - a route from
another peer.
--
Elen sila lumenn' omentielvo
Ondrej 'SanTiago' Zajicek (email: santiago at crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
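The following is an added example, not code from this thread or from the BIRD project. It models in Python the two points discussed above: the prefix-set semantics of `[ 109.68.40.0/21, 109.68.40.0/21{32,32} ]` (exact /21 or any /32 inside it, nothing in between), and the check Alexander asks for, which BIRD's per-route filters cannot express: a /32 blackhole is only honoured while the active less-specific route comes from the same peer. Best-path selection is reduced to "shorter AS path wins", the second peer's address 192.0.2.1 is constructed, and `scenario()` replays the failure case from the quoted message (the /32 is accepted before the competing /21 arrives and rejected afterwards). Such a check would have to run outside BIRD, for example in a script that regenerates per-peer filters from the collected routing table.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

# Covering aggregate and blackhole /32 from the quoted message.
COVER = ip_network("109.68.40.0/21")
BLACKHOLE = ip_network("109.68.40.20/32")
PEER_A = "193.25.180.17"  # peer that announced both the /21 and the /32 blackhole
PEER_B = "192.0.2.1"      # constructed address for the competing peer (assumption)


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    peer: str          # "from" peer, as BIRD shows it in the route display
    as_path_len: int   # simplified preference: shorter AS path wins


def matches_blackhole_set(prefix, covering=COVER):
    """Model of the BIRD prefix set [ covering, covering{32,32} ]:
    the exact aggregate, or any /32 inside it; intermediate prefixes fail."""
    net = ip_network(str(prefix))
    if net == covering:
        return True
    return net.prefixlen == 32 and net.subnet_of(covering)


def best_routes(routes):
    """One best route per prefix; ties keep the first announcement (simplified BGP)."""
    best = {}
    for r in routes:
        cur = best.get(r.prefix)
        if cur is None or r.as_path_len < cur.as_path_len:
            best[r.prefix] = r
    return best


def active_less_specific(route, best):
    """Longest-prefix covering route that is currently best, or None."""
    for plen in range(route.prefix.prefixlen - 1, 0, -1):
        cover = route.prefix.supernet(new_prefix=plen)
        if cover in best:
            return best[cover]
    return None


def accepted_blackholes(routes):
    """Map each best /32 to True only if its active covering route is from
    the same peer; this is the cross-route lookup BIRD filters cannot do."""
    best = best_routes(routes)
    verdict = {}
    for prefix, r in best.items():
        if prefix.prefixlen != 32:
            continue
        cover = active_less_specific(r, best)
        verdict[prefix] = cover is not None and cover.peer == r.peer
    return verdict


def scenario():
    """Replay the quoted case: (/32 accepted before peer B, /32 accepted after)."""
    before = [Route(COVER, PEER_A, 2), Route(BLACKHOLE, PEER_A, 2)]
    # Peer B announces the same /21 with a shorter AS path and no blackhole.
    after = before + [Route(COVER, PEER_B, 1)]
    return (accepted_blackholes(before)[BLACKHOLE],
            accepted_blackholes(after)[BLACKHOLE])


if __name__ == "__main__":
    print("prefix set accepts /21:", matches_blackhole_set("109.68.40.0/21"))
    print("prefix set accepts /24:", matches_blackhole_set("109.68.40.0/24"))
    print("blackhole honoured (before, after):", scenario())
```

Note that the prefix set alone still lets a /32 through once peer B's /21 has taken over, which is exactly why the reply says it does not address the main concern; only the lookup in `accepted_blackholes` catches that case.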