[c-nsp] Assistance configuring a router to trigger remote blackhole
Naveen Nathan
naveen at lastninja.net
Fri Sep 18 20:26:16 EDT 2009
> Glad to hear that you got it working!
Thanks.
> Out of curiosity, would you mind sharing the specific pref list entry
> you ended up using?
>
> Was it simply 'everything/32'?
Tinkering with the prefix-list at first, got the results I expected.
I was redistributing the static routes to BGP, matching on tag and
applying matched routes with a community string.
However since the newly injected routes weren't advertising to eBGP peers,
I explicitly added the host routes to OUTBOUND prefix-list, and everything
started to work. This lead me to believe that the OUTBOUND route-map that
matches on the community string was ineffective. Also, the administrative
hassle of adding the static route and including it in the prefix-list
I found is unacceptable.
I reverted the configuration and focused my efforts on debugging the
route-map that matched on community string. I realized I missed a crucial
statement, ip community-list ... x:666 permit. After tweaking around I
came up with the following changes to the original configuration that
appears to work properly, and doesn't require any modifications of
the OUTBOUND prefix-list (not shown):
ip community-list standard BLACKHOLE permit 27524:666
route-map OUTBOUND permit 100
description Deny Null Routes
match community BLACKHOLE
!
route-map OUTBOUND permit 110
description Allow internal routes
match ip address prefix-list OUTBOUND
!
route-map STATIC-TO-BGP permit 50
description Upstream Blackhole
match tag 666
set community [UPSTREAM_AS]:666
!
> Although I have a nice s/RTBH internally, I've never seen/experienced it
> done in conjunction with an outside party before.
I noticed a lot of the docs discuss using RTBH intra-AS, so that edge
routers discard the packets. I come from the opposite side since I've
only worked on smaller networks where there's only one edge that is
single/multi-homed. Large providers such as Level3 usually offer
a blackhole community where you can blackhole routes for blocks that
you advertise.
> I'm paranoid about 'accidentally' advertising 'mistakes' to anyone. My
> instinct would be to configure or append to a pref-list that
> specifically has my_ip_blocks == 32, instead of a blanket allow 32 for all.
I think maintaining the prefix-list and static routes will lead to errors,
so that's why I went w/ the former option of matching on community string.
> If I blackhole/sinkhole an external-to-my-ARIN-block IP that is
> attacking my network, I'm deathly afraid that I may accidentally
> advertise it to a peer. I *never* assume that my upstream is doing
> proper filtering, so I *always* ensure that I can only allow out what I
> should be sending out.
>
> Is this paranoia too far fetched?
I'm not too experienced with provider mishaps, but I think most providers
esp. in the case of RTBH only allow for routes that belong to your own
blocks. I take for granted that the provider does proper filtering,
especially for the case of RTBH.
Hope the above helps.
More information about the cisco-nsp
mailing list