[c-nsp] Assistance configuring a router to trigger remote blackhole

Kevin Graham kgraham at industrial-marshmallow.com
Fri Sep 18 23:58:10 EDT 2009


> If I blackhole/sinkhole an external-to-my-ARIN-block IP that is
> attacking my network, I'm deathly afraid that I may accidentally
> advertise it to a peer.

Hadn't thought about it, but yeah, requiring a very long prefix
length before appending RTBH prefixes would be a good safety 
measure.

> I *never* assume that my upstream is doing proper filtering, so
> I *always* ensure that I can only allow out what I should be
> sending out.
> 
> Is this paranoia too far fetched?

Nope. Even with 'good' route-maps in place, a 'prefix-list out'
directly on the neighbor still makes me feel good. (Similarly,
as a stub network, we always add no-exports for imports from
all eBGP sessions as well).
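Worked IOS configuration, added here as an editor's example (it is not from the post above or from anyone in the thread), showing the three controls discussed: a /32-only requirement before a static route is tagged as an RTBH trigger, a prefix-list applied directly on the upstream neighbor that only lets the operator's own block out, and no-export stamped on everything learned from eBGP. All addresses, AS numbers, the tag value 666 and the community 65000:666 are constructed placeholders, and it assumes the only prefixes ever advertised live inside the operator's own block (192.0.2.0/24 here).

```cisco
! Constructed values: 192.0.2.0/24 is "our" block, AS 64496 is "us",
! AS 64511 / 198.51.100.1 is the upstream, 65000:666 is the blackhole
! community the upstream honours. None of these are from the thread.

! Aggregate we originate; Null0 anchor keeps the network statement valid.
ip route 192.0.2.0 255.255.255.0 Null0

! 1. Outbound filter on the neighbor itself: only our block and its
!    more-specifics (e.g. RTBH /32s inside it) can ever leave. An
!    external /32 that slips into the RIB is dropped here regardless
!    of what the route-map does.
ip prefix-list OUR-BLOCK-OUT seq 5 permit 192.0.2.0/24 le 32
ip prefix-list OUR-BLOCK-OUT seq 10 deny 0.0.0.0/0 le 32

! 2. Only host routes qualify as RTBH triggers ("very long prefix
!    length"); a mistyped /24 static tagged 666 never gets the
!    blackhole community appended.
ip prefix-list RTBH-HOST-ROUTES seq 5 permit 0.0.0.0/0 ge 32

route-map RTBH-TRIGGER permit 10
 match ip address prefix-list RTBH-HOST-ROUTES
 match tag 666
 set community 65000:666 no-export additive

! 3. Stub network: everything imported from eBGP is marked no-export
!    so it cannot be re-advertised to another external session.
route-map FROM-UPSTREAM permit 10
 set community no-export additive

router bgp 64496
 network 192.0.2.0 mask 255.255.255.0
 redistribute static route-map RTBH-TRIGGER
 neighbor 198.51.100.1 remote-as 64511
 neighbor 198.51.100.1 send-community
 neighbor 198.51.100.1 prefix-list OUR-BLOCK-OUT out
 neighbor 198.51.100.1 route-map FROM-UPSTREAM in

! Example trigger: a host inside our block being attacked. Tag 666 is
! what RTBH-TRIGGER keys on; the /32 satisfies RTBH-HOST-ROUTES and
! OUR-BLOCK-OUT, so it is advertised with 65000:666 and no-export.
ip route 192.0.2.77 255.255.255.255 Null0 tag 666
```

The route-map and the neighbor prefix-list are evaluated independently and both must permit a prefix, which is the belt-and-braces point made above: even if someone later loosens RTBH-TRIGGER, OUR-BLOCK-OUT still stops a blackhole for an address outside 192.0.2.0/24 from reaching the upstream. Verify with `show ip bgp neighbors 198.51.100.1 advertised-routes` after adding a trigger route.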


