Re: Blackholes and IXs and Completing the Attack.

From: Rick Astley (no email)
Date: Sun Feb 03 2008 - 01:56:08 EST

  • Next message: Tomas L. Byrnes: "RE: Blackholes and IXs and Completing the Attack."

    I see your point, but I think maintaining the box for the control session
    would also require a decent amount of work.
    Presumably, since you must all adhere to some quasi-standard to communicate
    with the control peer, you could probably also agree on creating a standard
    BGP community (i.e. 64666:666 & no-export) to use and just skip the middle
    man.

    Granted, I am kind of new as well, and I assume if the solution were that
    simple more people would be using it.

    On Feb 2, 2008 9:07 PM, Ben Butler <> wrote:

    > Hi,
    >
    > Agreed, but when you have >100 peers that is still a fair bit of work. I
    > know technically how to do it and am doing this with transits but then there
    > are only seven of those. It is not a question of how or can, but should /
    > is it valuable / constructive?
    >
    > The starting point in the thought process having just done it for transits
    > was right ok, now how do we sensibly scale this to apply it at IXes without
    > everyone having to run round contacting everyone else and to see if there
    > was an easier way of doing things, hence the suggestion. Plus it keeps
    > things nice and separated, your IX peering sessions announce just the main
    > prefixes, the session to the "blackhole reflector" can be in a separate
    > peer-group and you only send the /32s to the reflector. You don't have to
    > worry about who uses which communities as each member that chooses to peer
    > with the reflector is able to apply inbound route-maps of their own
    > choosing to any prefixes they receive from this reflector at each individual
    > IX.
    >
    > Given that an ISP has elected to Complete the attack on a host that is
    > being DoSed, for whatever reason, and they have chosen to send blackhole
    > announcements to transit the logical extension seems to be to automate the
    > sending of them to IXs to try to further cut down on traffic. This seems
    > like an easy way, internally you just community tag on the trigger box for
    > where you want the announcement to go, transit, internal, customers, IX
    > all, 1 2 not 3 - whatever - and BGP sends it out. Easy, and a single system
    > to send out all updates when you choose to and easy to remove when you want
    > to take it out again.
    >
    > If you subscribe to completing the attack as a strategy, then the
    > suggestion seemed like an easy way of rolling it out to the next logical
    > point after transit.
    >
    > Kind Regards
    >
    > Ben
    >
    >
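As an added illustration of the mechanism Ben and Rick are discussing (this is not configuration from either of their messages, nor from any IX), below is one way the two halves are commonly written in Cisco IOS-style syntax: a trigger router that turns a tagged static route into a /32 BGP announcement carrying 64666:666 plus no-export, and an IX member that takes a session to the "blackhole reflector" in its own peer-group with an inbound route-map that accepts only /32s carrying that community and discards the traffic locally. AS 64666 and the community 64666:666 come from the thread; the member AS 64777, the reflector address 198.51.100.1, the discard next-hop 192.0.2.1, the victim address 203.0.113.10, the tag value 666 and all peer-group and route-map names are assumed values chosen for the example.

```ios
! ---- Trigger router in AS 64666 (assumed layout, example only) ----
! Discard next-hop: anything routed to 192.0.2.1 is dropped on every router
ip route 192.0.2.1 255.255.255.255 Null0
!
! Blackholing the DoSed host is a one-line change: a tagged static route.
! Removing the line withdraws the announcement everywhere it was sent.
ip route 203.0.113.10 255.255.255.255 Null0 tag 666
!
router bgp 64666
 ! Only tagged statics are redistributed, via the route-map below
 redistribute static route-map RTBH-TRIGGER
 ! Separate peer-group for the reflector session; it must carry communities
 neighbor RTBH-REFLECTOR peer-group
 neighbor RTBH-REFLECTOR remote-as 64666
 neighbor RTBH-REFLECTOR send-community
 neighbor RTBH-REFLECTOR route-map RTBH-ONLY out
 neighbor 198.51.100.1 peer-group RTBH-REFLECTOR
!
! Tag 666 -> /32 with the agreed community, local-pref high so it wins
route-map RTBH-TRIGGER permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community 64666:666 no-export
!
! Outbound towards the reflector: send nothing but blackhole routes
ip community-list standard RTBH permit 64666:666
route-map RTBH-ONLY permit 10
 match community RTBH
route-map RTBH-ONLY deny 20
!
! ---- IX member in AS 64777 (assumed) peering with the reflector ----
ip route 192.0.2.1 255.255.255.255 Null0
ip community-list standard RTBH permit 64666:666
! Accept host routes only; anything shorter than /32 is refused
ip prefix-list HOST-ROUTES permit 0.0.0.0/0 ge 32
!
route-map RTBH-IN permit 10
 match community RTBH
 match ip address prefix-list HOST-ROUTES
 set ip next-hop 192.0.2.1
route-map RTBH-IN deny 20
!
router bgp 64777
 neighbor 198.51.100.1 remote-as 64666
 neighbor 198.51.100.1 description RTBH reflector at IX
 neighbor 198.51.100.1 route-map RTBH-IN in
 ! Cap on accepted prefixes limits the damage if the reflector misbehaves
 neighbor 198.51.100.1 maximum-prefix 100
```

The inbound route-map on the member side is the point Ben makes about each member choosing its own policy: because the reflector session is separate from the normal IX peering, a member can tighten RTBH-IN further (for example, only honouring /32s that fall inside prefixes the originating member is known to announce) without touching its main peer-group, and the maximum-prefix limit bounds how many destinations a single misconfigured trigger can blackhole.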

