Re: [GROW] Last Call: <draft-ietf-grow-blackholing-00.txt> (BLACKHOLE BGP Community for Blackholing) to Proposed Standard

On Sun, Jun 26, 2016 at 11:54 PM, joel jaeggli <joelja@xxxxxxxxx> wrote:
On 6/26/16 10:06 AM, John Kristoff wrote:
> On Sun, 26 Jun 2016 16:31:17 +0000
> joel jaeggli <joelja@xxxxxxxxx> wrote:
>
>> It's not clear to me how that would even work. assuming for the sake
>> of argument that the IXP by way of configured policy on the
>> route-server adds this community to a prefix.
>
> Here is some detail on how DE-CIX implements it:
>
>   <https://www.de-cix.net/products-services/de-cix-frankfurt/blackholing/>


At the possible expense of belaboring my observation still further,
I'm aware of how the community is implemented, I'm on those fabrics.
What I wasn't and am not clear on is how that would lead to:

Nick

>>  In the case of route servers, blackholing turns the IXP into
>>  a legal target.

Job

> I feel that this is not the appropriate forum to define what IXPs can,
> can't, should and shouldn't in context of legal enforcement agencies.

Short of the IXP engaging in prefix hijacking, or unilaterally applying
the community to an existing prefix; the IXP is in no position to
black-hole traffic except on request of the sender of the destination
prefix. Likewise if you withdraw the prefix from the routeserver, the
blackhole goes away, unless the route-server is engaged in prefix hijacking.

I don't see either of those issues as serious threats. If you live under
a regime that considers prefix hijacking acceptable, the community adds
no capability that the exchange does not already have; they can after all
change the nexthop today, announce whatever prefix you're willing to
accept and so on; any of those activities in most places would be
immediate grounds for depeering and departure.


Perhaps Nick is reacting to language like:

"This well-known advisory transitive BGP
   community, namely BLACKHOLE, allows an origin AS to specify that a
   neighboring IP network or IXP should blackhole a specific IP prefix."

which could be cleaned up a bit like:

"This well-known advisory transitive BGP
   community, namely BLACKHOLE, allows an origin AS to specify that a
   neighboring IP network or IXP PARTICIPANT should blackhole a
   specific IP prefix."

This transform doesn't work throughout the document though.


