North American Network Operators Group

[[email protected]: Extensions to RFC1998 - WAS: Re: DoS Attacks]

  • From: Haesu
  • Date: Thu Oct 09 00:07:30 2003

Forwarding to NANOG on behalf of Mr. Fraizer.
Please don't shoot the messenger for any arguable/discussions.

-hc

-- 
Haesu C.
TowardEX Technologies, Inc.
Consulting, colocation, web hosting, network design and implementation
http://www.towardex.com | [email protected]
Cell: (978)394-2867     | Office: (978)263-3399 Ext. 170
Fax: (978)263-0033      | POC: HAESU-ARIN

----- Forwarded message from John Fraizer <[email protected]> -----

X-Original-To: [email protected]
Delivered-To: [email protected]
Date: Wed, 8 Oct 2003 21:58:26 -0400 (EDT)
From: John Fraizer <[email protected]>
To: Haesu <[email protected]>
Cc: [email protected], [email protected]
Subject: Extensions to RFC1998 - WAS: Re: DoS Attacks
In-Reply-To: <[email protected]>

On Wed, 8 Oct 2003, Haesu wrote:

> Hmmmm? What did I miss? When did RFC1998 get updated to include Null
> community? Feel free to let me know if they updated RFC on that
> lately.. b/c I haven't checked it in a while.
> 
> As far as I know, my upstreams are fully RFC1998 compliant and I use them well.
> 
> -hc
> 

Note: please echo this to the list.  I don't have post
access.  Ahem... Sue...Ahem...


The RFC itself hasn't been updated to include a Null community but if you
think about it, providing a NULL community is fully within the concept of
allowing customers to influence routing policy with the use of community
strings.

For example:


!
! Customer session: the per-neighbor prefix-list (LOA) is applied before the route-map
router bgp 65534
 neighbor a.a.a.a remote-as 65530
 neighbor a.a.a.a description Customer AS65530
 neighbor a.a.a.a prefix-list AS-65530 in
 neighbor a.a.a.a route-map CUSTOMERS in
!
! Only address space we hold LOA for; "le 32" allows host routes within it
ip prefix-list AS-65530 seq 5 permit x.x.x.x/y le 32
!
! Blackhole request community (our ASN:666)
ip community-list standard POISON permit 65534:666
!
! Stanza 10: tagged prefixes get a high local-preference and a sink-hole next-hop
route-map CUSTOMERS permit 10
 match community POISON
 set local-preference 500
 set ip next-hop [ip address of your sink-hole]
!


Of course, the rest of the route-map CUSTOMERS is going to need to do some
sanity checks on the announcements you accept from the customers OTHER
than blackhole requests.  In our case, we pass them through a prefix-list
match that includes:

ip prefix-list CUSTOMERS seq 10 deny 0.0.0.0/0 ge 25

As you can see, we're doing a prefix-list check against the announcements
that the customer sends us in the neighbor statement.  Each customer gets
their own prefix-list that covers the networks that we have LOA to accept
from that customer. (Keeps boneheads from blackholing OTHER people!)

The first stanza in the CUSTOMERS route-map checks for the POISON
community.  Any prefix that the customer sends us that includes this
community will be routed to our sink-hole.

The rest of the stanzas in the CUSTOMERS route-map look for other
communities from the customer.  One stanza looks to see if the customer is
requesting us to pass their announcements of our address space on as
de-aggregated announcements.  If we don't see that community, they're
aggregated.  Other stanzas in the route-map are pretty cut and dry
RFC1998.

Our customers can do the following:

Community       Action
---------------------------------------------
13944:0         Don't announce to any peer
13944:1         Don't announce to PEERS
13944:2         Don't announce to TRANSIT
13944:3         Don't announce to CUSTOMERS

13944:20        Announce specific from EnterZone aggregate
                for customers who are running on our IPs.

13944:90        Set preference to 90
13944:100       Set preference to 100
13944:110       Set preference to 110
13944:120       Set preference to 120

13944:666       Poison a Route

13944:NNN0      don't announce to Peer NNN
13944:NNN1      prepend once towards Peer NNN
13944:NNN2      prepend twice towards Peer NNN
13944:NNN3      prepend thrice towards Peer NNN



Any time I do any consulting on another network, I recommend that they at
MINIMUM implement the Poisoned Route ability.  It is not terribly
difficult to do as you can see above.

--
John Fraizer
EnterZone, Inc
(13944+$|13944+_14813+$|13944+_17266+$)
PGP Key = 6C5903C4
Fingerprint = 2AA6 6614 1B5E EDD2 38AD C417 3E61 F975 6C59 03C4


----- End forwarded message -----
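The inbound CUSTOMERS policy described in the forwarded message, modelled in Python as an added example (not code from the post or from EnterZone): the per-customer LOA prefix-list runs first, then the POISON stanza, then the "deny 0.0.0.0/0 ge 25" sanity check and the 13944:90/100/110/120 local-preference communities. The sink-hole address 192.0.2.1 and the customer block 203.0.113.0/24 are constructed sample values.

```python
import ipaddress

# Community values are the ones listed in the post for AS 13944.
OUR_AS = 13944
POISON = f"{OUR_AS}:666"
SINKHOLE_NEXT_HOP = "192.0.2.1"  # constructed sample sink-hole address

# Constructed per-neighbor LOA: the address space we may accept from each customer.
# Equivalent of "ip prefix-list AS-65530 seq 5 permit x.x.x.x/y le 32".
CUSTOMER_LOA = {
    "AS65530": [ipaddress.ip_network("203.0.113.0/24")],
}

def permitted_by_loa(neighbor, prefix):
    """'neighbor ... prefix-list AS-NNN in': the prefix must fall inside one of
    the customer's permitted blocks ("le 32" allows any more-specific, incl. /32)."""
    return any(prefix.subnet_of(block) for block in CUSTOMER_LOA.get(neighbor, []))

def route_map_customers(neighbor, prefix_str, communities):
    """Evaluate one customer announcement against the inbound policy.
    Returns a dict describing the resulting action, or None if the route is dropped."""
    prefix = ipaddress.ip_network(prefix_str, strict=False)
    # 1. Per-neighbor prefix-list first: a customer can only blackhole (or announce)
    #    space we hold LOA for, which is what keeps them from poisoning other people's routes.
    if not permitted_by_loa(neighbor, prefix):
        return None
    # 2. route-map CUSTOMERS permit 10: POISON -> local-pref 500, next-hop sink-hole.
    if POISON in communities:
        return {"action": "blackhole", "local_pref": 500,
                "next_hop": SINKHOLE_NEXT_HOP, "prefix": str(prefix)}
    # 3. Sanity check for ordinary announcements:
    #    "ip prefix-list CUSTOMERS seq 10 deny 0.0.0.0/0 ge 25" drops /25 and longer.
    if prefix.prefixlen >= 25:
        return None
    # 4. RFC1998-style stanzas: 13944:90/100/110/120 set local-preference (default 100).
    local_pref = 100
    for community in communities:
        asn, _, value = community.partition(":")
        if asn == str(OUR_AS) and value in ("90", "100", "110", "120"):
            local_pref = int(value)
    return {"action": "accept", "local_pref": local_pref,
            "next_hop": None, "prefix": str(prefix)}
```

A /32 tagged 13944:666 inside the customer's LOA is sent to the sink-hole, the same /32 outside it is rejected before the route-map ever sees the community, and an untagged /26 is dropped by the ge 25 sanity check.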