North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: Blackhole Routes
On Thu, 30 Sep 2004 10:35:36 -0400, Eric Germann <[email protected]> wrote: > What I would to see (and have never researched in depth) is a way to apply > the blackhole routes on a community to port basis (i.e. we set up a specific > BGP community to filter mail, and that community goes to a route map that > kills only port 25, another community applies to a map that kills port 80, A not particularly scalable method of doing that, which should be ok for small data flows, is to set up routers port25killer.example.net, a port80killer.example.net, etc., with ACLs that block those ports regardless of address, use BGP or OSPF to advertise whichever IP address spaces should be routed there, and set up those machines in whatever sort of firewalling location makes sense. It's more of an enterprise solution than an ISP solution, but if you're a small ISP or dealing with a relatively specific set of problem sites you could probably do it. You may need to burn some CPE on GRE tunnels, depending on your topology, but if you're trying to solve a limited problem like letting your users access Korean web sites while blocking Korean email, it may work.