On Thu, Sep 30, 2004 at 02:15:49PM -0400, Deepak Jain wrote:
It goes a little further than that these days. Folks are openly allowing customers to advertize routes with something lika a 666 community which will then be blackholed within their network. So if you're a service provider with your own blackhole system, you can easily tie it into your upstream's system and dump the traffic many hops away from you meaning that the traffic is getting dumped closer to the source than the destination in a fair number of cases.
This is very dangerous however.....
If providers start tying their customer's blackhole announcements to the provider's upstreams' blackhole announcements in an AUTOMATIC process, bad things <tm> are likely to happen. What happens when a customer of a provider mistakenly advertises more routes than he should [lets say specifics in case #1] you can flood your upstreams' routers with specifics and potentially cause flapping or memory overflows...
Yes, well, in my case, I go through a dedicated server with multi-hop sessions and set a prefix limit of 25 or so so I don't get bombarded with 5 billion /32 routes and don't send those routes upstream. (I try to play nice when possible.) I expect that the upstreams have various defense mechanisms of their own to protect them against me misconfiguring my boxes as well. (It only makes sense..)
In case #2, presumably the blackhole community takes precedence, so if a customer is mistakenly readvertising their multihome provider's table with a 666 tag, all of the upstream providers might be blackholing the majority of their non-customer routes.
If the customer does themselves in, thats not something I can really protect against.
Non-automatic tying of customer blackholes to upstream or peer blackholes is a powerful tool to improve the stability of the net as a whole.
Yes, but far too slow when you're getting DOSd off the face of several planets. --- Wayne Bouchard web@typo.org Network Dude http://www.typo.org/~web/