[c-nsp] Assistance configuring a router to trigger remote blackhole

Steve Bertrand steve at ibctech.ca
Fri Sep 18 20:04:22 EDT 2009


Naveen Nathan wrote:
>> If I understand you correctly, wouldn't one need an extra entry in the
>> OUTBOUND prefix-list that allows host routes to be advertised to the
>> transit?:
> 
> Steve, that was exactly the problem. I've been meaning to give an update.
> Kevin helped me off-list find the issue.
> 
> After adding host-routes to OUTBOUND prefix-list, it was advertising.
> Then a couple more hours later diddling with the config and skimming
> books I realized I needed to include:
> 
> ip community-list x:666 standard permit, and then the route-map
> began to match the host-routes and advertise to the eBGP peers.

Glad to hear that you got it working!

Out of curiosity, would you mind sharing the specific pref list entry
you ended up using?

Was it simply 'everything/32'?

Although I have a nice s/RTBH internally, I've never seen/experienced it
done in conjunction with an outside party before.

I'm paranoid about 'accidentally' advertising 'mistakes' to anyone. My
instinct would be to configure or append to a pref-list that
specifically has my_ip_blocks == 32, instead of a blanket allow 32 for all.

If I blackhole/sinkhole an external-to-my-ARIN-block IP that is
attacking my network, I'm deathly afraid that I may accidentally
advertise it to a peer. I *never* assume that my upstream is doing
proper filtering, so I *always* ensure that I can only allow out what I
should be sending out.

Is this paranoia too far fetched?

Steve

ps. Sorry to wane this thread away from it's original intent.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3233 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://puck.nether.net/pipermail/cisco-nsp/attachments/20090918/94048186/attachment.bin>


More information about the cisco-nsp mailing list