On 6/26/16 10:06 AM, John Kristoff wrote:
> On Sun, 26 Jun 2016 16:31:17 +0000
> joel jaeggli <joelja@xxxxxxxxx> wrote:
>
>> It's not clear to me how that would even work. Assuming for the sake
>> of argument that the IXP by way of configured policy on the
>> route-server adds this community to a prefix.
>
> Here is some detail on how DE-CIX implements it:
>
> <https://www.de-cix.net/products-services/de-cix-frankfurt/blackholing/>

At the possible expense of belaboring my observation still further, I'm aware of how the community is implemented, I'm on those fabrics. What I wasn't and am not clear on is how that would lead to:

Nick
>> In the case of route servers, blackholing turns the IXP into
>> a legal target.

Job
> I feel that this is not the appropriate forum to define what IXPs can,
> can't, should and shouldn't in context of legal enforcement agencies.

Short of the IXP engaging in prefix hijacking, or unilaterally applying the community to an existing prefix, the IXP is in no position to black-hole traffic except on request of the sender of the destination prefix. Likewise if you withdraw the prefix from the routeserver, the blackhole goes away, unless the route-server is engaged in prefix hijacking.

I don't see either of those issues as serious threats. If you live under a regime that considers prefix hijacking acceptable, the community adds no capability that the exchange does not already have; they can after all change the nexthop today, announce whatever prefix you're willing to accept and so on; any of those activities in most places would be immediate grounds for depeering and departure.

> John
>