Sat, Jul 02, 2016 at 07:44:02PM +0900, Randy Bush:
> >> and you are kinda protected by the community not being well-known,
> >> i.e. different for each upstream. the attacker has to know the
> >> community for each upstream and be able to not only inject the prefix
> >> but also tag it with the correct community for each upstream.
> >
> > Your argument comes down to "security through obscurity"
>
> no. non-transitiveness through local naming, the reason this has not
> allowed serious damage in current practice.
>
> randy

a receiving operator could limit scope, if they chose. something like

route-map foo p 10
 match community blackhole
 match as-path ^([0-9]+_){1,2}$
 set ip next-hop null0
route-map foo d 20
 match community blackhole
route-map foo ...
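The two route-map sequences sketched above work as a pair: sequence 10 honours the blackhole community only when the AS path has one or two ASNs (a direct customer, or a customer of that customer), and sequence 20 then drops any other route carrying the community, so a blackhole tag that leaks or is guessed can only null-route prefixes announced from at most two AS hops away. The following is an added example, not code from the thread, that models that evaluation in Python over a few constructed BGP updates. Assumptions: the community value 65000:666 stands in for the operator's local "blackhole" community (the page gives no value); Cisco's as-path regex treats "_" as matching the separator between ASNs and the end of the path, which is emulated by rendering the path as "65001_65002_"; and the sequences elided by "route-map foo ..." are not modeled, so routes neither sequence matches are reported as falling through rather than given an invented verdict.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Assumption: a local, operator-chosen blackhole community value. The page does
# not give one, and the thread's point is that it differs per upstream.
BLACKHOLE = "65000:666"

# The as-path regex from the sketched route-map: one or two ASNs and nothing
# else, i.e. routes from a direct customer or a customer of a customer.
SHORT_PATH = re.compile(r"^([0-9]+_){1,2}$")


@dataclass
class Route:
    prefix: str
    as_path: list[int]            # leftmost = neighbour AS, rightmost = origin
    communities: set[str] = field(default_factory=set)


def as_path_string(as_path: list[int]) -> str:
    # Emulate the router's regex view of the path: Cisco's "_" matches the
    # separator between ASNs and the end of the path, so the path "65001 65002"
    # is rendered here as "65001_65002_" and matched with an ordinary regex.
    return "".join(f"{asn}_" for asn in as_path)


def route_map_foo(route: Route) -> tuple[str, str | None]:
    """Evaluate the two sequences shown on the page; first match wins.

    Returns ("permit", "null0") for seq 10, ("deny", None) for seq 20, and
    ("fallthrough", None) for routes neither sequence matches: the page
    truncates the remaining sequences ("route-map foo ...") and they are
    deliberately not modeled here.
    """
    tagged = BLACKHOLE in route.communities
    # route-map foo p 10: blackhole community AND short as-path -> null-route
    if tagged and SHORT_PATH.match(as_path_string(route.as_path)):
        return ("permit", "null0")
    # route-map foo d 20: any other blackhole-tagged route -> deny
    if tagged:
        return ("deny", None)
    return ("fallthrough", None)


# Constructed sample updates (not from the thread) covering the cases that
# matter: a direct-customer blackhole, a two-hop one, a far-away injection
# that somehow carries the right community, and an untagged route.
SAMPLE_ROUTES = [
    Route("192.0.2.1/32", [64501], {BLACKHOLE}),
    Route("198.51.100.7/32", [64501, 64502], {BLACKHOLE}),
    Route("203.0.113.9/32", [64501, 64502, 64503, 64504], {BLACKHOLE}),
    Route("203.0.113.0/24", [64501, 64502, 64503], set()),
]


def evaluate_all(routes: list[Route] = SAMPLE_ROUTES) -> dict[str, tuple[str, str | None]]:
    """Run every sample through the route-map and key the result by prefix."""
    return {r.prefix: route_map_foo(r) for r in routes}


if __name__ == "__main__":
    for prefix, (action, next_hop) in evaluate_all().items():
        print(f"{prefix:20} {action:11} {next_hop or ''}")
```

Run stand-alone it prints one verdict per sample: the one- and two-hop tagged /32s are null-routed, the four-hop tagged /32 is denied even though it carries the correct community, and the untagged /24 falls through to whatever the elided sequences do. That last case is the important caveat when copying this pattern: sequence 20 only catches tagged routes, so the remainder of the route-map still has to permit ordinary announcements.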