[GTER] #JumboFrameNoIX.BR #BlackHoleNoIX.BR
Rubens Kuhl
rubensk at gmail.com
Tue Aug 11 11:51:23 -03 2020
On Tue, Aug 11, 2020 at 9:44 AM Job Snijders <job at ntt.net> wrote:
>
> Dear group,
>
> On Tue, Aug 11, 2020 at 09:14:39AM -0300, Douglas Fischer wrote:
> > But now come the questions:
> >
> > 1 - And is the Black Hole at IX.BR going to happen?
> > 1.1 - At least in the mode of redistributing routes, in order to:
> > 1.1.1 - Allow each participant to apply the Blackhole action on its
> > own box.
> > 1.1.2 - Redistribute it with a destination IP on the ATM LAN that resolves to a
> > MAC DEAD.DEAD.DEAD, so that it can be filtered by an L2 ACL on the ingress ports
> > of each site's fabric.
> > (Is it ideal? NO! But it will already help A LOT!)
>
> The above method is not just 'not ideal', but actively dangerous. It
> requires all participants to adjust (set 'wide open') their filters,
> assume a risk about FIB exhaustion, and require changes on thousands of
> devices to be effective.
>
> The method of 'blackholing' by redistributing the to-be-blackholed IP
> address as a BGP NLRI to each participant, and asking each participant
> to accept the faux next-hop has proven to NOT BE EFFECTIVE.
>
> DE-CIX and other internet exchanges have tried this cheap shortcut and
> were never able to prove that the 'feature' actually helped. It turns
> out that participants generally are unwilling to make too many
> configuration changes, especially if it creates an insecure situation.
Job,
The L2 solution can be made not to be dependent on member
configuration. The IX can have an ARP responder for the blackholed IP
that answers with a specific MAC address, and the IX matrix can drop
all traffic destined to that MAC address. So if a member null routes
the blackhole IP address, great; the member saves bandwidth in its
connection to the IX. But if not, the ingress filter in the IX drops
it and the traffic doesn't traverse the IX matrix.
The same L2 filter can be suggested to CIX (remote IX accesses) so
this can be done as near to the traffic source as possible, but it also
does not depend on whether that is done or not.
Rubens
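The mechanism described in Rubens's reply (an IX-side ARP responder that answers ARP requests for the blackhole next-hop IP with a fixed sink MAC, plus an ingress L2 filter on the fabric that drops every frame addressed to that MAC) modelled in Python, as an added example that is not code from the original thread or from IX.BR. The blackhole IP (a TEST-NET-1 address), the sink MAC, the responder MAC and all frame contents are constructed values; a real fabric would implement the drop as a hardware ACL, so only the decision logic and the ARP frame handling are shown.

```python
"""Model of an IX-side ARP responder and L2 ingress filter for a blackhole next-hop."""
import struct

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
ARP_REQUEST = 1
ARP_REPLY = 2

# Constructed values for this example (not from the original message).
BLACKHOLE_IP = "192.0.2.66"           # blackhole next-hop on the IX LAN (TEST-NET-1)
SINK_MAC = "de:ad:de:ad:de:ad"        # MAC the responder hands out; fabric drops frames to it
RESPONDER_MAC = "02:00:00:00:00:01"   # locally administered MAC of the IX responder host


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def parse_arp_frame(frame):
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP; None if it is not one."""
    if len(frame) < 14 + 28:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if htype != 1 or ptype != ETHERTYPE_IPV4 or hlen != 6 or plen != 4:
        return None
    return {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "oper": oper,
            "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


def build_arp_frame(oper, sha, spa, tha, tpa, eth_src, eth_dst):
    """Build an Ethernet II + ARP frame (request or reply)."""
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(eth_src), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, oper,
                      mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def build_ipv4_frame(eth_dst, eth_src, payload=b""):
    """Minimal Ethernet II frame with the IPv4 ethertype; the IP header itself is not modelled."""
    return struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(eth_src), ETHERTYPE_IPV4) + payload


def arp_responder(frame):
    """IX-side responder: answer only ARP requests for BLACKHOLE_IP, advertising SINK_MAC.

    Requests for any other address are ignored so the responder never interferes
    with normal ARP resolution between participants.
    """
    arp = parse_arp_frame(frame)
    if arp is None or arp["oper"] != ARP_REQUEST or arp["tpa"] != BLACKHOLE_IP:
        return None
    return build_arp_frame(ARP_REPLY, sha=SINK_MAC, spa=BLACKHOLE_IP,
                           tha=arp["sha"], tpa=arp["spa"],
                           eth_src=RESPONDER_MAC, eth_dst=arp["sha"])


def ingress_filter(frame):
    """Fabric ingress ACL: drop any frame whose destination MAC is the sink MAC."""
    return "drop" if mac_str(frame[:6]) == SINK_MAC else "forward"
```

A participant that null-routes the blackhole IP itself never emits frames toward the sink MAC; one that does not still resolves the next-hop to the sink MAC and has its frames dropped at the ingress port, which is why the scheme does not depend on participant configuration.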