Re: Blackholes and IXs and Completing the Attack.

From: Rick Astley (no email)
Date: Sat Feb 02 2008 - 20:02:06 EST

  • Next message: Roland Dobbins: "Re: Blackholes and IXs and Completing the Attack."

    While I am not sure I fully understand your suggestion, I don't think it
    would be that hard to set up manually.

    Sure, it would require asking the individual peers for their black hole
    communities, but if they don't have one they are unlikely to honor the
    infrastructure you describe anyway.

    Assume your network is set up to discard packets marked with community
    13005:666.

    Get a list of your peers' blackhole communities. When you announce the route
    from a location on your network, tag it with community 13005:666 but also
    1111:777, 2222:888 etc. for the individual peers from the source. This
    prevents you from having to update multiple policies in multiple locations
    for each attack.

    As long as they accept the /32 announced to them with their black hole
    community, they should discard the traffic without sending it to you.

    Not all peers will have a blackhole community, but you need some way to know
    when the attack is over to know when to withdraw the route, and they are
    useful for this.

    If you are real lazy, on the router you announce the black hole from, add an
    export policy that says from community 13005:666, then community add
    1111:777, 2222:888 etc.

    This way you only need to:

    1. Update one policy in one place when peers change
    2. Announce the route from one location adding one community to it.
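As an added illustration of the export policy the message describes (this is not from the original post or its author), here is the equivalent in Junos policy-options syntax. The community values 13005:666, 1111:777 and 2222:888 are the ones from the post; the community and policy names, the BGP group name and the restriction to /32 host routes are assumptions added here.

```junos
policy-options {
    /* Community tagged at the source; your own routers discard traffic on it */
    community BLACKHOLE members 13005:666;
    /* Each peer's own blackhole community; values taken from the post */
    community PEER-BLACKHOLE-ALL members [ 1111:777 2222:888 ];

    policy-statement EXPORT-TO-PEERS {
        /* Only blackhole-tagged host routes (/32) get the peer communities added */
        term add-peer-blackhole-communities {
            from {
                route-filter 0.0.0.0/0 prefix-length-range /32-/32;
                community BLACKHOLE;
            }
            then {
                community add PEER-BLACKHOLE-ALL;
                accept;
            }
        }
        /* Guard: a blackhole-tagged route that is not a /32 never reaches a peer */
        term reject-other-blackholed {
            from community BLACKHOLE;
            then reject;
        }
        /* normal export terms for your aggregates follow here */
    }
}

protocols {
    bgp {
        group PEERS {
            /* hypothetical peer group; one policy applied to every peer session */
            export EXPORT-TO-PEERS;
        }
    }
}
```

With this in place the only per-attack action is announcing the /32 with 13005:666 from the trigger router; when a peer publishes or changes its blackhole community, only the PEER-BLACKHOLE-ALL list needs editing. The second term is a safety net so that a mistakenly tagged aggregate is dropped from the export rather than blackholed at every peer, and you should still confirm with each peer that they accept /32s carrying their community, since a peer that strips unknown communities or rejects host routes will simply ignore the announcement.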

