On Thu, 30 Sep 2004, Richard A Steenbergen wrote:
> I'd have to disagree with you. While you and many other networks may be able to handle most DoS attacks without involving your upstreams, there are still plenty (the majority I would say) of networks who can't. In fact, the entire CONCEPT of a blackhole customer community is to move the filtering up one level higher on the Internet, where it should theoretically be easier for the larger network to filter. It would be silly to assume that there is no attack which the person implementing the blackhole community cannot handle, or to assume that there will never be tier 2/3 ISPs aggregating or reselling bandwidth.

Here is the key point: one level higher. One level higher than my customer is me, and one level higher than me is my upstream. If my customer is able to propagate through to my upstream, that would be two levels. But you're absolutely right, it depends on individual networks to decide whether they should automatically or manually pass this up the chain; however, I don't believe it should automatically be propagated without limits. One level yes; two levels maybe; three+ doubt it.

Steve

> Also, since the point of a blackhole community is to block all traffic to a destination prefix anyways, it doesn't matter whether the blackhole takes place 1 network upstream or 10. Any prefix which can be announced and routed on the global routing table should be able to be blackholed by every network on the global Internet, using a standard well-known community. This changes nothing of the current practices of accountability for your announcements, filtering by prefix length, etc. There would still remain a clear role for no-export and more specifics up to /32 between networks who have negotiated this relationship, but there is absolutely no reason you couldn't and shouldn't have global blackholes available as well.