>> Michel Py wrote:
>> I foresee that IXPs and other organizations who would adopt the BLACKHOLE community would put limits just the
>> same as UTRS does. At 25 routes per participant, the mitigation of a DDoS potentially coming from thousands
>> of IP addresses is limited. I totally understand the reasons to permit only 25 (or n) blackhole routes.

> Christopher Morrow wrote:
> this implies that src-route blackholing (discard route + uRPF or similar) is required or targeted for this use-case, which
> I don't think is a given. Surely, if you want to do that you'd have to accept very, very large prefix sets from your peer(s).

The number of prefixes and the use of uRPF are orthogonal. BCP38 would be nice, OTOH I understand why it's not widely deployed.

> this concern doesn't seem to be a blocker for this draft though...

That's the difference between a draft that will become a deployed standard and one that will eventually be deprecated. Acceptance / adoption in the real world.

> the state today is that there are 'many different communities' which is painful for an operator to manage.
> It means custom policy for each peer, which is going to (has many times already) bite someone.

It means custom policy for each peer-group, which is what operators do and want.

> 'compromised systems' meaning a router at the IX? if someone compromises a router on the IX fabric
> we've all got much larger problems than 'someone could blackhole something with a community'.

You should see what "IX fabric" means, in many places. I rest my case.

Michel.