[c-nsp] Sinkhole Routing
Pete Templin
petelists at templin.org
Wed Sep 29 09:53:07 EDT 2004
Marko Milivojevic wrote:

> This is actually quite brilliant, if your upstream will: A) accept
> all the more-specific routes you decide to throw at him (this includes
> all those /32's loopbacks and /30 interconnections) B) will announce
> blackholed route to his peers (which may or may not be the case).

IANABI (I am not a big ISP), but I am a transit ISP, and I do accept it
from my customers. I clearly outline it in the handoff documentation we
give to customers, and clearly indicate that we set maximum-prefixes to
the higher of 10 or 250% of their normal prefix list. We'll increase
that limit by request.

At this point, I don't actually pass a blackhole request upstream; I
just dump it in my network, based on the communities used by my
customers. This "blackhole default" policy would actually cause unique
challenges. If the customer is announcing their aggregate as blackhole
and more specifics as normal packet forwarding, the more specifics don't
specifically say "unblackhole" me. If I pass their aggregate to an
upstream with blackhole and the more specifics are already tagged
no-export, the upstream never gets the "whitehole" entries, and no
traffic ever arrives for the customer. So it's definitely a tricky one
to handle.

> Unfortunately, I am not sure how much all of this helps our original
> poster, who seems to be in DoS trouble, but unable to realise that there
> is nothing he can do about it without his ISP :-(.

Very true.
pt
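
The "blackhole default" problem described in the message above, modelled as an added example that is not part of the original post. The community labels, the documentation prefixes and the helper names are constructed, and the model assumes the transit ISP passes the blackhole community upstream unchanged and the upstream honours it.

```python
import ipaddress

# Constructed community labels and documentation prefixes (not from the post).
BLACKHOLE, NO_EXPORT = "blackhole", "no-export"
CUSTOMER_ROUTES = [
    {"prefix": "198.51.100.0/24", "communities": {BLACKHOLE}},   # aggregate: drop
    {"prefix": "198.51.100.10/32", "communities": {NO_EXPORT}},  # host to keep reachable
]

def export_upstream(routes):
    """What the transit ISP re-announces: no-export routes stay inside its AS."""
    return [r for r in routes if NO_EXPORT not in r["communities"]]

def build_fib(routes):
    """Map each prefix to 'discard' (blackhole community) or 'forward'."""
    return {
        ipaddress.ip_network(r["prefix"]):
            "discard" if BLACKHOLE in r["communities"] else "forward"
        for r in routes
    }

def lookup(fib, addr):
    """Longest-prefix match; returns the action or 'no route'."""
    ip = ipaddress.ip_address(addr)
    matches = [net for net in fib if ip in net]
    if not matches:
        return "no route"
    return fib[max(matches, key=lambda net: net.prefixlen)]

def compare(addr, routes=CUSTOMER_ROUTES):
    """Action taken for addr inside the transit ISP and at its upstream."""
    isp_fib = build_fib(routes)
    upstream_fib = build_fib(export_upstream(routes))
    return lookup(isp_fib, addr), lookup(upstream_fib, addr)

if __name__ == "__main__":
    for addr in ("198.51.100.10", "198.51.100.77", "203.0.113.5"):
        print(addr, compare(addr))
```

Inside the transit ISP the /32 wins the longest-prefix match and is forwarded, but the upstream only ever sees the blackholed aggregate, so traffic for that host is discarded before it reaches the ISP.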