[RPKI] Accepting smaller routes than RPKI object allows (blackholing)
Klimek, Denis
DKlimek at Stadtwerke-Norderstedt.de
Thu Aug 29 12:34:34 UTC 2019
I think it would be much easier to ask the software router vendors (GoBGP, OpenBGP, etc.) to implement the feature to reply with different valid/invalid states for each route.
This saves the community a lot of work with external scripts that need to be triggered. But of course for the end customer it would mean setting up a 2nd BGP session only for blackholing :-/
Kind regards
Stadtwerke Norderstedt
Denis Klimek
Professional Network Engineer
IP-Systemtechnik
Tel: 040 / 521 04 - 1049
Mobile: 0151 / 652 219 06
dklimek at stadtwerke-norderstedt.de
www.stadtwerke-norderstedt.de
-----Original Message-----
From: Job Snijders [mailto:job at ntt.net]
Sent: Thursday, 29 August 2019 14:34
To: Stavros Konstantaras
Cc: Klimek, Denis; rpki at nlnetlabs.nl
Subject: Re: [RPKI] Accepting smaller routes than RPKI object allows (blackholing)
On Thu, Aug 29, 2019 at 02:21:21PM +0200, Stavros Konstantaras wrote:
> Based on the current standards and vendor implementations, I believe
> another potential solution to make this work is to use a separate
> routing instance (e.g a server running BIRD or other software), where
> customers can use it to send blackhole routes.
>
> With BIRD running on a simple box, you could easily implement an
> import filter where a customer is allowed to advertise a /32 route
> that carries the BLACKHOLE community as well (and only that, nothing
> else). Then, with a little bit of python scripting you could either
> program your basic Juniper or Cisco router accordingly or trigger your
> purchased anti-DDoS service.
What do you base the import filter on?
Kind regards,
Job
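
Added example, not part of the thread or of any participant's code: it shows why RFC 6811 origin validation marks a customer's /32 inside a /24 ROA as invalid, which is the problem behind the question of what a blackhole import filter can be based on. It also sketches one possible basis (an assumption, not something proposed in the thread): accept only host routes carrying the BLACKHOLE community whose origin AS is authorised by a covering VRP, ignoring maxLength. The VRPs, ASNs, prefixes and function names are constructed.

```python
from ipaddress import ip_network

BLACKHOLE = (65535, 666)  # well-known BLACKHOLE community (RFC 7999)

# Constructed VRPs: (prefix, maxLength, origin ASN), documentation ranges only.
VRPS = [
    (ip_network("192.0.2.0/24"), 24, 64500),
    (ip_network("2001:db8::/32"), 48, 64501),
]

def covering(prefix):
    """VRPs of the same address family whose prefix covers the announcement."""
    return [v for v in VRPS
            if v[0].version == prefix.version and prefix.subnet_of(v[0])]

def rov_state(prefix_str, origin_asn):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    prefix = ip_network(prefix_str)
    cover = covering(prefix)
    if not cover:
        return "not-found"
    for _, max_len, asn in cover:
        if asn == origin_asn and prefix.prefixlen <= max_len:
            return "valid"
    return "invalid"  # covered, but wrong origin or longer than maxLength

def blackhole_import(prefix_str, origin_asn, communities):
    """Hypothetical policy for a dedicated blackhole session.

    Accepts only host routes tagged BLACKHOLE whose origin AS appears in a
    covering VRP; maxLength is deliberately not checked. Returns (ok, reason).
    """
    prefix = ip_network(prefix_str)
    host_len = 32 if prefix.version == 4 else 128
    if BLACKHOLE not in communities:
        return False, "no BLACKHOLE community"
    if prefix.prefixlen != host_len:
        return False, "not a host route"
    if not any(asn == origin_asn for _, _, asn in covering(prefix)):
        return False, "origin AS not authorised by a covering VRP"
    return True, "origin authorised; maxLength ignored for blackhole"
```
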