[c-nsp] DOS Mitigation on MPLS Networks
christian.macnevin at uk.bnpparibas.com
Tue Apr 12 12:18:05 EDT 2005
Hi all,
I'm looking at deploying a mechanism similar to those used on public IPv4
networks for killing off traffic destined for a given prefix.
The method I was thinking of was tagging a prefix at its ingress PE with a
BGP community. This community is then matched by all the PEs, which
redirect it to null0 or somesuch. This is on a homogenous Cisco IOS
network.
Unfortunately, IOS doesn't allow you to set the ip next hop to a 'martian'
address (e.g. 127.0.0.1) within a route map, and setting the next-hop
interface to null0 isn't allowed on a BGP import. So instead of being able
to use one route map and apply it to all VRFs equally, I'm looking at
possibly having to specify the route-map for every individual VRF
on every PE, which isn't desirable.
Has anyone tackled this before or know of any good resources for it?
Cheers,
Christian
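
For reference, the community-triggered blackhole the post describes looks like this on IOS in the global IPv4 table. This is an added example, not configuration from the original post: the AS number 65000, community 65000:666, tag 666, neighbor addresses, destination 203.0.113.10 and route-map names are all constructed, and it does not solve the per-VRF import case the post asks about.

```cisco
! ---- Trigger router: announces the prefix to be dropped ----
! A tagged static route is redistributed into BGP with the
! blackhole community attached (all values constructed).
ip bgp-community new-format
!
route-map RTBH-TRIGGER permit 10
 match tag 666
 set community 65000:666 no-export
 set origin igp
!
router bgp 65000
 redistribute static route-map RTBH-TRIGGER
 neighbor 10.255.0.2 remote-as 65000
 neighbor 10.255.0.2 send-community
!
! Adding this line starts the blackhole; removing it withdraws it.
ip route 203.0.113.10 255.255.255.255 Null0 tag 666
!
! ---- Every edge router: matches the community and drops ----
ip bgp-community new-format
ip community-list standard BLACKHOLE permit 65000:666
!
! A routable (non-martian) address whose only job is to resolve to Null0.
ip route 192.0.2.1 255.255.255.255 Null0
!
route-map RTBH-IN permit 10
 match community BLACKHOLE
 set ip next-hop 192.0.2.1
route-map RTBH-IN permit 20
!
router bgp 65000
 neighbor 10.255.0.1 remote-as 65000
 neighbor 10.255.0.1 route-map RTBH-IN in
!
interface Null0
 ! Avoid generating an ICMP unreachable for every dropped packet.
 no ip unreachables
```

The next hop is set to an ordinary address with a static route to Null0 rather than to a martian address or directly to the Null0 interface, which is how the global-table method avoids the two restrictions mentioned in the post.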