BGP - IP Blackhole

BGP - IP Blackhole

Tristan PILAT
Hi,

I am trying to set up OpenBGPD with blackhole support in order to be able
to receive /32 announcements from my neighbors with a specific community.

The man page didn't help me much, or maybe I missed something. Is this
the right rule?

match from any community 64514:888 set nexthop blackhole

And what about the client side? Which command should he enter if he wishes
to blackhole, for example, IP 1.2.3.4?

Is it something like this? bgpctl network add 1.2.3.4/32 community
64514:888

I hope I have been clear enough in my explanation.

Thanks in advance

--
Tristan


Re: BGP - IP Blackhole

Laurent Caron (Mobile)
On 14 April 2014 17:57:53 CEST, Tristan PILAT <[hidden email]> wrote:
>match from any community 64514:888 set nexthop blackhole
>

Hi,

Make sure you don't accept from any but e.g. from group customers; make sure the address *does* belong to your customer's space (to avoid a customer installing a blackhole route on a route you advertise).
Make sure you do strip 64514:888 from other peers.
...

>And what about the client side ? Which command should he enter if he
>wishes
>to blackhole ip 1.2.3.4 eg
>
>Is it something like that ? bgpctl network add 1.2.3.4/32 community
>64514:888

Exactly.


Re: BGP - IP Blackhole

Tristan PILAT
2014-04-15 18:42 GMT+02:00 Laurent Caron (Mobile) <[hidden email]>:

Thanks for your reply! I just tested this in my lab and it's working like
a charm, but only if I set "allow from any inet prefixlen 8 - 32", and this
is annoying.

Is there a way to make this work with "allow from any inet prefixlen 8 -
24" and accept /32s only for the blackhole?

--
Tristan


Re: BGP - IP Blackhole

Gregory Edigarov
On 04/17/2014 12:24 PM, Tristan PILAT wrote:

> Is there a way to make this work with "allow from any inet prefixlen 8 -
> 24" to accept /32 only for the blackhole ?
like this:

allow from any inet prefixlen 8 - 24
allow from any inet prefixlen 32 community 64514:888


Re: BGP - IP Blackhole

Tristan PILAT
2014-04-17 12:25 GMT+02:00 Gregory Edigarov <[hidden email]>:

> like this:
>
> allow from any inet prefixlen 8 - 24
> allow from any inet prefixlen 32 community 64514:888
>
That goes without saying after all :-) Thanks!

--
Tristan


Re: BGP - IP Blackhole

Tristan PILAT
2014-04-17 13:20 GMT+02:00 Tristan PILAT <[hidden email]>:

Another question... Does anyone know if there is a way to do Source-Based
Remotely-Triggered Black Hole with OpenBGPD? E.g. if I am attacked by a
single IP and I want to blackhole it.


Re: BGP - IP Blackhole

Tristan PILAT
2014-04-17 15:23 GMT+02:00 Tristan PILAT <[hidden email]>:

I found something to do Source-Based Remotely-Triggered Black Hole.

On the provider side, I can set labels like this:
In bgpd.conf --> match from any community 64514:999 set rtlabel dos
In pf.conf --> block drop from route dos

On the client side, if we want to blackhole the 4.3.2.1/32 source IP:
bgpctl network add 4.3.2.1/32 community 64514:999

Unfortunately this is not working; I certainly missed something! Please give
me hints :-)


Re: BGP - IP Blackhole

Laurent Caron (Mobile)
On 17/04/2014 11:24, Tristan PILAT wrote:
> Is there a way to make this work with "allow from any inet prefixlen 8 -
> 24" to accept /32 only for the blackhole ?

What about: allow from group customers prefixlen = 32  community 64514:888

Please pay attention to not allowing one of your customers to blackhole
addresses from YOUR nets ;)

Don't hesitate to read man bgpd.conf for syntax and options.


Re: BGP - IP Blackhole

Claudio Jeker
On Thu, Apr 17, 2014 at 05:17:15PM +0200, Tristan PILAT wrote:

> I found something to do Source-Based Remotely-Triggered Black Hole.
>
> On the provider side, I can set labels like this:
> In bgpd.conf --> match from any community 64514:999 set rtlabel dos
> In pf.conf --> block drop from route dos
>
> On the client side, if we want to blackhole the 4.3.2.1/32 source IP:
> bgpctl network add 4.3.2.1/32 community 64514:999
>
> Unfortunately this is not working; I certainly missed something! Please give
> me hints :-)

You can't use rtlabels for matching the source, at least I think it does
not work.  I would try to use the "set pftable dos" in bgpd and
"block quick drop from <dos>" in pf.

--
:wq Claudio


Re: BGP - IP Blackhole

Tristan PILAT
On 17 April 2014 19:02:14 CEST, Claudio Jeker <[hidden email]> wrote:

>You can't use rtlabels for matching the source, at least I think it does
>not work.  I would try to use the "set pftable dos" in bgpd and
>"block quick drop from <dos>" in pf.

OK, I will try this tomorrow, thanks. But if it does not work, how can I set up a blackhole based on source address as described in RFC 5635 with OpenBSD?
--
Tristan


Re: BGP - IP Blackhole

Tristan PILAT
2014-04-17 19:27 GMT+02:00 Tristan Pilat <[hidden email]>:

Me again.

This slide from a presentation by Henning Brauer is very interesting...
http://quigon.bsws.de/papers/2014/asiabsdcon/mgp00031.html

I'm still digging :-)
--
Tristan


Re: BGP - IP Blackhole

Tristan PILAT
2014-04-18 10:23 GMT+02:00 Tristan PILAT <[hidden email]>:

Thanks Claudio, I just tested it and it works with "set pftable dos" in
bgpd.conf and "block drop quick from <dos>" in pf.conf, but there is still a
small thing. In my lab I tried this, sending ICMP, and it works only if I
stop the ping command and relaunch it. I mean, if I'm pinging an IP
address and then run "bgpctl network add...", it doesn't interrupt the ping.

How can I stop the flow immediately with PF?

--
Tristan


Re: BGP - IP Blackhole

Marios Makassikis
On 18 April 2014 16:29, Tristan PILAT <[hidden email]> wrote:

> How can I stop the flow immediately with PF?
>
Sounds like your traffic is matching an existing state, which is why it's
still passing.
Look at the pfctl manpage, and more specifically the -k switch.

Marios



Re: BGP - IP Blackhole

Tristan PILAT
2014-04-18 16:34 GMT+02:00 Marios Makassikis <[hidden email]>:

> Sounds like your traffic is matching an existing state which is why it's
> still passing.
> Look at pfctl manpage, and more specifically the -k switch.
>
Yes, it works with pfctl -k. Now I need to find a way to use "flush" in
pf.conf to kill the states.
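Glue for what Tristan is after, as an added example for this thread (not code from the thread, from OpenBSD or from any poster): pf.conf has no directive that runs when a table entry appears, so this Python script polls the <dos> table that bgpd fills through "set pftable dos" and kills the states of every address that is new since the last poll with pfctl -k, the switch Marios pointed at. Assumptions: the table is called dos as in Claudio's reply, `pfctl -t dos -T show` lists its members, `pfctl -k host` kills states originating from host and `pfctl -k 0.0.0.0/0 -k host` kills states towards it (pfctl(8); the ::/0 form for IPv6 is this example's own assumption); the polling interval, the dry-run mode and the sample table dump are also this example's own.

```python
"""Kill pf states for addresses newly added by bgpd to the <dos> table.

Added example for this thread, not code from the thread, from OpenBSD or from
any poster. Table name, pfctl invocations (pfctl(8)) and the polling design are
stated assumptions; the sample table dump used in the tests is constructed.
"""
import ipaddress
import subprocess
import time
from typing import Iterable, List, Set, Tuple

TABLE = "dos"          # filled by bgpd via "set pftable dos"
POLL_SECONDS = 2


def parse_table(dump: str) -> Set[str]:
    """Parse `pfctl -t dos -T show` output (one address per line, indented,
    optionally with a /32 or /128 suffix) into a set of host address strings.
    Anything wider than a host route is ignored: with the "prefixlen = 32"
    filter from the thread, bgpd only ever puts host routes into the table."""
    hosts: Set[str] = set()
    for line in dump.splitlines():
        line = line.strip()
        if not line:
            continue
        net = ipaddress.ip_network(line, strict=False)
        if net.prefixlen == net.max_prefixlen:
            hosts.add(str(net.network_address))
    return hosts


def kill_commands(hosts: Iterable[str]) -> List[List[str]]:
    """pfctl invocations that remove existing states for the given hosts.

    `pfctl -k host` kills states originating from host and
    `pfctl -k 0.0.0.0/0 -k host` kills states towards it (both per pfctl(8);
    the ::/0 form for IPv6 is this example's assumption). Together they stop an
    attack already in progress instead of waiting for its state to expire.
    """
    def order(h: str):
        a = ipaddress.ip_address(h)
        return (a.version, a)          # v4 before v6; addresses never compare cross-family

    cmds: List[List[str]] = []
    for h in sorted(hosts, key=order):
        anywhere = "0.0.0.0/0" if ipaddress.ip_address(h).version == 4 else "::/0"
        cmds.append(["pfctl", "-k", h])
        cmds.append(["pfctl", "-k", anywhere, "-k", h])
    return cmds


def sync_once(previous: Set[str], dump: str,
              dry_run: bool = True) -> Tuple[Set[str], List[List[str]]]:
    """Diff a fresh table dump against the previously seen set and kill states for
    the newcomers. Returns the new seen-set and the commands that were (or, in
    dry-run mode, would have been) executed."""
    current = parse_table(dump)
    cmds = kill_commands(current - previous)
    if not dry_run:
        for c in cmds:
            subprocess.run(c, check=True)
    return current, cmds


def read_table() -> str:
    """Dump the live table; needs root (or /dev/pf access) on OpenBSD."""
    return subprocess.run(["pfctl", "-t", TABLE, "-T", "show"],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    seen: Set[str] = set()
    while True:       # bgpd maintains the table itself; this loop only flushes states
        seen, issued = sync_once(seen, read_table(), dry_run=False)
        for c in issued:
            print(" ".join(c))
        time.sleep(POLL_SECONDS)
```

Run it as root next to bgpd; on its first pass it also kills the states of every address already in the table, which is what you want after a restart. Addresses that bgpd withdraws from the table are simply forgotten, so a re-announced attacker gets its states killed again.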


Re: BGP - IP Blackhole

Tristan PILAT
2014-04-17 18:01 GMT+02:00 Laurent CARON <[hidden email]>:

> Please pay attention to not allowing one of your customers to blackhole
> addresses from YOUR nets ;)
>

Yes, but how to do that without hard-coding the network of the customer, like
in this rule:
allow from group "customers" community 64514:888 prefix 192.0.33.0/24 prefixlen = 32 set nexthop blackhole


Re: BGP - IP Blackhole

Laurent Caron (Mobile)
On 22/04/2014 17:41, Tristan PILAT wrote:
> Yes, but how to do that without hard-coding the network of the customer, like
> in this rule:
> allow from group "customers" community 64514:888 prefix 192.0.33.0/24 prefixlen = 32 set nexthop blackhole

Don't you already filter your customers' announcements?


Re: BGP - IP Blackhole

Tristan PILAT
2014-04-22 17:54 GMT+02:00 Laurent CARON <[hidden email]>:

> Don't you already filter your customers' announcements?

That's just a template to show how to use RTBH, so the configuration is very
simple.

#BGP1 (provider, AS 64514)

AS 64514
router-id 172.0.0.2
listen on 172.0.0.2
network 192.0.32.0/24

group "customers" {
        remote-as 64515
        neighbor 172.0.0.3 {
                descr   "AS 64515"
                announce all
        }
}

deny from any
# destination-based RTBH: a /32 inside the customer's own /24, tagged
# 64514:888, is installed as a blackhole route
allow from group "customers" community 64514:888 inet prefix 192.0.33.0/24 prefixlen = 32 set nexthop blackhole
# source-based RTBH: a /32 tagged 64514:999 goes into the pf table <dos>
#allow from group "customers" community 64514:999 prefixlen = 32 set pftable dos
allow from any inet prefixlen 8 - 24


#BGP2 (customer, AS 64515)

AS 64515
router-id 172.0.0.3
listen on 172.0.0.3
network 192.0.33.0/24

group "providers" {
        remote-as 64514
        neighbor 172.0.0.2 {
                descr   "AS 64514"
                announce all
        }
}

deny from any
allow from any inet prefixlen 8 - 24
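Taking the template above one step further, as an added example that is not code from the thread, from OpenBGPD or from any poster: a small Python generator that emits the customer side of bgpd.conf from a per-customer prefix map, so that Laurent's three checks (accept only from customers, only for addresses inside that customer's own space, strip the community from everyone else) and Gregory's /32-only rule come out of the same prefix list that already filters the customer's normal announcements, instead of being hand-written per customer as in the template. It also carries a blackhole_allowed() check that mirrors what the generated filter accepts, for testing a proposed announcement before a customer sends it. Assumptions: provider AS 64514 with the thread's communities 64514:888 (destination RTBH, set nexthop blackhole) and 64514:999 (source RTBH, set pftable dos), constructed neighbor addresses, customer prefixes and the group names "peers" and "upstreams", bgpd's last-matching-rule-wins filter evaluation (bgpd.conf(5)), and the rule syntax the thread itself uses (prefix X prefixlen = 32).

```python
"""Generate the customer section of an OpenBGPD bgpd.conf for RTBH.

Added example for this thread, not code from the thread, from OpenBGPD or
from any poster. Provider AS 64514, the two communities, the neighbor
addresses, prefixes and group names below are constructed/hypothetical.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

RTBH_DST = "64514:888"   # customer asks us to blackhole one of *its own* addresses
RTBH_SRC = "64514:999"   # customer asks us to drop packets *from* an attacker

# Constructed: neighbor address -> (remote AS, prefixes that customer may announce)
CUSTOMERS: Dict[str, Tuple[int, List[str]]] = {
    "172.0.0.3": (64515, ["192.0.33.0/24"]),
    "172.0.0.4": (64516, ["198.51.100.0/24", "2001:db8:1::/48"]),
}
OUR_PREFIXES = ["192.0.32.0/24", "2001:db8::/48"]  # our space: no customer may blackhole it
OTHER_GROUPS = ["peers", "upstreams"]              # everyone who is not a customer


def _nets(prefixes: Iterable[str]) -> list:
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def _af(net) -> str:
    return "inet" if net.version == 4 else "inet6"


def blackhole_allowed(neighbor: str, announced: str) -> bool:
    """Acceptance check mirroring the generated destination-RTBH rules: the
    route must come from a known customer, be a single host route, and lie
    inside one of that customer's registered prefixes."""
    if neighbor not in CUSTOMERS:
        return False
    net = ipaddress.ip_network(announced, strict=True)
    if net.prefixlen != net.max_prefixlen:
        return False
    return any(c.version == net.version and net.subnet_of(c)
               for c in _nets(CUSTOMERS[neighbor][1]))


def generate_rules() -> List[str]:
    """Return the customer-facing filter section of bgpd.conf, one rule per line."""
    ours = _nets(OUR_PREFIXES)
    rules: List[str] = []

    # 1. "strip 64514:888 from other peers": a non-customer must not be able to
    #    trigger either kind of blackhole by tagging its announcements.
    for g in OTHER_GROUPS:
        rules.append(f'match from group "{g}" set community delete {RTBH_DST}')
        rules.append(f'match from group "{g}" set community delete {RTBH_SRC}')

    rules.append("deny from any")

    protected = list(ours)
    for neighbor, (_asn, prefixes) in CUSTOMERS.items():
        for pfx in _nets(prefixes):
            if any(pfx.overlaps(o) for o in ours):
                raise ValueError(f"customer {neighbor}: {pfx} overlaps our own space")
            protected.append(pfx)
            host = pfx.max_prefixlen
            maxlen = 24 if pfx.version == 4 else 48
            rng = f"= {pfx.prefixlen}" if pfx.prefixlen >= maxlen else f"{pfx.prefixlen} - {maxlen}"
            # 2. ordinary announcements, bound to the neighbor and not to the whole
            #    group, so customer A cannot announce or blackhole customer B's space
            rules.append(f"allow from {neighbor} {_af(pfx)} prefix {pfx} prefixlen {rng}")
            # 3. destination RTBH: the /32-only rule, narrowed to the customer's prefix
            rules.append(f"allow from {neighbor} community {RTBH_DST} {_af(pfx)} "
                         f"prefix {pfx} prefixlen = {host} set nexthop blackhole")

    # 4. source RTBH: the attacker is by definition outside the customer's space, so
    #    this cannot be bound to its prefixes; accept any tagged host route ...
    rules.append(f'allow from group "customers" community {RTBH_SRC} inet prefixlen = 32 set pftable dos')
    rules.append(f'allow from group "customers" community {RTBH_SRC} inet6 prefixlen = 128 set pftable dos')
    # ... and, because the last matching rule wins, refuse host routes that cover our
    #    own or any customer's addresses, so nobody can make pf drop legitimate traffic.
    for p in protected:
        rules.append(f'deny from group "customers" community {RTBH_SRC} '
                     f'prefix {p} prefixlen = {p.max_prefixlen}')

    # 5. never re-export RTBH host routes to non-customers
    for g in OTHER_GROUPS:
        rules.append(f'deny to group "{g}" community {RTBH_DST}')
        rules.append(f'deny to group "{g}" community {RTBH_SRC}')
    return rules


if __name__ == "__main__":
    print("\n".join(generate_rules()))
```

Binding the rules to the neighbor address rather than to group "customers" is what stops customer A from blackholing customer B's addresses; the group-level rule in the template only protects the provider's own space, and only because the prefix is hard-coded. For the source-based community the attacker's address is by definition outside the customer's space, so the example instead denies host routes covering the provider's and every customer's prefixes after the allow, relying on bgpd's last-match-wins evaluation. Paste the output into bgpd.conf and let bgpd -n check the syntax before reloading.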