I know that my current employer is set up to reject /32s from peers as well as to not send them to peers. (Customers too, for that matter, save for the ones that have a BGP session to our null router.) Having one's upstream propagate out /32s that they want null routed because of an attack probably won't scale past the original upstream. I guess all the Tier 1s could set up a whole network of special BGP sessions to each other's blackhole routers (those that implement this method), set up to implicitly trust each other's announcements, which in turn means that said network would need to implicitly trust all their peers' downstreams. Call me a realist, but I just don't see that happening anytime soon.

Guy Tal

On Thu, 30 Sep 2004, Richard A Steenbergen wrote:

> You can't authenticate a prefix coming in from a peer that says to route a /24 to them any better or any worse. What difference does it make if you route the traffic to them and they blackhole it, or if you blackhole it locally based on their routing information? If it is a leak or a malicious route, you track it down and plug it the same way you do with an existing route that doesn't have the blackhole community set. I'm not saying that those methods are perfect by any means, but adding a global blackhole community at least changes nothing from the status quo.
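The policy Guy describes (host routes rejected from peers and ordinary customer sessions, accepted only over a dedicated blackhole session, and never re-advertised) is easy to model as an import/export filter. The following is an added example, not code from the thread or from either poster's network; it is a Python simulation of that policy rather than a router configuration. The community value 65535:666, the discard next hop 192.0.2.1, and the check that a customer may only blackhole addresses inside its own registered prefixes are all assumptions of the example, as are the constructed sample routes at the bottom.

```python
"""Simulated BGP import/export policy for /32 blackhole handling.

Added example, not from the original thread. Assumptions are marked below.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Assumed community and discard next hop; real deployments pick their own.
BLACKHOLE_COMMUNITY = "65535:666"   # assumption: community meaning "null route this"
DISCARD_NEXT_HOP = "192.0.2.1"      # assumption: address statically routed to Null0


@dataclass
class Route:
    prefix: str
    communities: Set[str] = field(default_factory=set)


@dataclass
class Session:
    kind: str                                   # "peer", "customer", "customer-blackhole"
    registered: List[str] = field(default_factory=list)  # customer's own prefixes (assumed check)


@dataclass
class Decision:
    accept: bool
    next_hop: Optional[str]
    reason: str


def _is_host_route(net: ipaddress._BaseNetwork) -> bool:
    return net.prefixlen == net.max_prefixlen


def import_policy(route: Route, session: Session) -> Decision:
    """Decide whether an announcement is installed, and where it points."""
    try:
        net = ipaddress.ip_network(route.prefix, strict=True)
    except ValueError as exc:
        return Decision(False, None, f"malformed prefix: {exc}")

    if session.kind == "peer":
        # Peers never get to inject host routes, tagged or not.
        if _is_host_route(net):
            return Decision(False, None, "host route from peer rejected")
        return Decision(True, "peer", "accepted from peer")

    # Customers (either session type) may only announce their registered space.
    registered = [ipaddress.ip_network(p) for p in session.registered]
    if not any(net.version == r.version and net.subnet_of(r) for r in registered):
        return Decision(False, None, "prefix outside customer's registered space")

    if session.kind == "customer-blackhole":
        # The special session to the null router accepts only tagged host routes.
        if _is_host_route(net) and BLACKHOLE_COMMUNITY in route.communities:
            return Decision(True, DISCARD_NEXT_HOP, "blackhole installed")
        return Decision(False, None, "blackhole session accepts only tagged host routes")

    # Ordinary customer session behaves like a peer for host routes.
    if _is_host_route(net):
        return Decision(False, None, "host route from customer rejected")
    return Decision(True, "customer", "accepted from customer")


def should_export(route: Route, decision: Decision, to_session: Session) -> bool:
    """Never propagate host routes or blackholes to anyone; the effect stays local."""
    if not decision.accept:
        return False
    net = ipaddress.ip_network(route.prefix)
    if _is_host_route(net) or decision.next_hop == DISCARD_NEXT_HOP:
        return False
    return True


def run_demo() -> dict:
    """Constructed sample announcements (documentation prefixes, not real routes)."""
    peer = Session("peer")
    cust = Session("customer", ["198.51.100.0/24"])
    cust_bh = Session("customer-blackhole", ["198.51.100.0/24"])
    cases = {
        "peer_host": import_policy(Route("203.0.113.7/32"), peer),
        "peer_net": import_policy(Route("203.0.113.0/24"), peer),
        "cust_host": import_policy(Route("198.51.100.9/32"), cust),
        "bh_tagged": import_policy(Route("198.51.100.9/32", {BLACKHOLE_COMMUNITY}), cust_bh),
        "bh_untagged": import_policy(Route("198.51.100.9/32"), cust_bh),
        "bh_foreign": import_policy(Route("203.0.113.7/32", {BLACKHOLE_COMMUNITY}), cust_bh),
    }
    return cases


if __name__ == "__main__":
    for name, d in run_demo().items():
        print(f"{name:12s} accept={d.accept!s:5s} next_hop={d.next_hop} ({d.reason})")
```

The blackhole route is installed with a discard next hop and is deliberately excluded from export, which is exactly the scaling limit Guy points at: the null route stops at the network that accepted it unless the next hop up runs the same kind of trusted session.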