nanog mailing list archives

Re: Blackhole Routes


From: "Stephen J. Wilcox" <steve () telecomplete co uk>
Date: Thu, 30 Sep 2004 22:08:51 +0100 (BST)


On Thu, 30 Sep 2004, Richard A Steenbergen wrote:

> I'd have to disagree with you. While you and many other networks may be 
> able to handle most DoS attacks without involving your upstreams, there 
> are still plenty (the majority I would say) of networks who can't. In 
> fact, the entire CONCEPT of a blackhole customer community is to move the 
> filtering up one level higher on the Internet, where it should 

here is the key point - one level higher

one level higher than my customer is me and one level higher than me is my 
upstream. if my customer is able to propagate through to my upstream that would be 
two levels.

but you're absolutely right, it depends on individual networks to decide whether 
they should automatically or manually pass this up the chain; however I don't 
believe it should automatically be propagated without limits. one level yes; two 
levels maybe; three+ doubt it.

Steve



> theoretically be easier for the larger network to filter. It would be 
> silly to assume that there is no attack which the person implementing the 
> blackhole community cannot handle, or to assume that there will never be 
> tier 2/3 ISPs aggregating or reselling bandwidth.
> 
> Also, since the point of a blackhole community is to block all traffic to 
> a destination prefix anyways, it doesn't matter whether the blackhole 
> takes place 1 network upstream or 10. Any prefix which can be announced 
> and routed on the global routing table should be able to be blackholed by 
> every network on the global Internet, using a standard well-known 
> community. This changes nothing of the current practices of accountability 
> for your announcements, filtering by prefix length, etc. There would still 
> remain a clear role for no-export and more specifics up to /32 between 
> networks who have negotiated this relationship, but there is absolutely no 
> reason you couldn't and shouldn't have global blackholes available as 
> well.
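The two positions in this exchange (stop the blackhole one level up with NO_EXPORT, versus let a well-known community carry it as far as it will go, with each network still applying its own prefix-length and accountability checks) can be modelled as a small inbound policy run along a chain of providers. The following is an added example written for this archive page, not code from either poster or from any router vendor. The ASNs (64512 to 64515), the prefixes (RFC 5737 documentation ranges), the discard next-hop and the `max_levels` knob are all constructed for illustration; BGP carries no hop counter, so the AS_PATH length stands in for "levels from the originator". The community value 65535:666 is the BLACKHOLE value later standardised in RFC 7999, which post-dates this 2004 thread.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed values for this example (see lead-in); none come from the thread.
BLACKHOLE = "65535:666"         # RFC 7999 BLACKHOLE well-known community
NO_EXPORT = "no-export"         # well-known NO_EXPORT: route stops at the receiving AS boundary
DISCARD_NEXT_HOP = "192.0.2.1"  # assumed statically routed to a discard (Null0) interface
NORMAL_MAX_PREFIXLEN = 24       # ordinary IPv4 prefix-length filter applied to non-blackhole routes


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple          # ASes traversed so far, nearest neighbour first, originator last
    communities: frozenset
    next_hop: str = "peer"  # where traffic is forwarded once installed


@dataclass
class ASPolicy:
    asn: int
    customers: dict         # customer ASN -> blocks that customer may blackhole within
    max_levels: int         # how many ASes away from the originator a blackhole is still honoured
    export_mode: str        # "stop": keep local; "one-hop": pass up with NO_EXPORT; "open": pass up as-is


def evaluate(policy, route, from_asn):
    """Apply one AS's inbound policy to an update.

    Returns (verdict, installed route or None, route to export upstream or None).
    """
    net = ipaddress.ip_network(route.prefix, strict=True)
    if BLACKHOLE not in route.communities:
        # Ordinary update: only the usual prefix-length filter applies; best-path is out of scope.
        if net.prefixlen > NORMAL_MAX_PREFIXLEN:
            return "reject: more specific than /%d" % NORMAL_MAX_PREFIXLEN, None, None
        return "accept: ordinary route", route, None
    # Accountability check 1: only a direct customer may ask us to discard traffic.
    if from_asn not in policy.customers:
        return "reject: blackhole community from a non-customer", None, None
    # Accountability check 2: the /32 must sit inside space that customer is entitled to announce.
    if not any(net.subnet_of(ipaddress.ip_network(b)) for b in policy.customers[from_asn]):
        return "reject: prefix outside what AS%d may announce" % from_asn, None, None
    # Distance check: how many networks the request has already crossed.
    levels = len(route.as_path)
    if levels > policy.max_levels:
        return "reject: %d levels from originator, policy allows %d" % (levels, policy.max_levels), None, None
    installed = replace(route, next_hop=DISCARD_NEXT_HOP)  # traffic to the prefix is now discarded here
    if NO_EXPORT in route.communities or policy.export_mode == "stop":
        return "blackholed locally, not exported", installed, None
    added = {BLACKHOLE, NO_EXPORT} if policy.export_mode == "one-hop" else {BLACKHOLE}
    exported = Route(route.prefix, (policy.asn,) + route.as_path, route.communities | added)
    return "blackholed locally, exported upstream", installed, exported


def propagate(chain, route, origin_asn):
    """Walk an update up a list of providers; return [(asn, verdict)] until it stops or is rejected."""
    verdicts, from_asn = [], origin_asn
    for policy in chain:
        verdict, _installed, exported = evaluate(policy, route, from_asn)
        verdicts.append((policy.asn, verdict))
        if exported is None:
            break
        route, from_asn = exported, policy.asn
    return verdicts


CUSTOMER, PROVIDER, UPSTREAM, TIER1 = 64512, 64513, 64514, 64515
VICTIM = Route("203.0.113.9/32", (CUSTOMER,), frozenset({BLACKHOLE}))  # constructed attack target


def build_chain(provider_mode, upstream_mode, tier1_max_levels=2):
    """Customer -> provider -> upstream -> tier 1, each with its own customer list and limits."""
    return [
        ASPolicy(PROVIDER, {CUSTOMER: ["203.0.113.0/24"]}, 1, provider_mode),
        ASPolicy(UPSTREAM, {PROVIDER: ["203.0.113.0/24", "198.51.100.0/24"]}, 2, upstream_mode),
        ASPolicy(TIER1, {UPSTREAM: ["203.0.113.0/24", "198.51.100.0/24"]}, tier1_max_levels, "open"),
    ]


if __name__ == "__main__":
    for name, chain in (("one-hop", build_chain("one-hop", "open")), ("open", build_chain("open", "open"))):
        print(name)
        for asn, verdict in propagate(chain, VICTIM, CUSTOMER):
            print("  AS%d: %s" % (asn, verdict))
```

With the provider in "one-hop" mode the upstream installs the discard route but NO_EXPORT prevents it going any further, which is the "one level higher" outcome argued for above; in "open" mode the same /32 reaches the tier 1, which in this model refuses it because it is three ASes from the originator and that network's own policy only honours two. The accountability checks run at every hop regardless of mode, so a global well-known community does not by itself remove the need for per-customer prefix filtering.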



