netsec-sig - Re: [Security-WG] New Well-Known BGP Community for Blackholing

Subject: Internet2 Network Security SIG

Re: [Security-WG] New Well-Known BGP Community for Blackholing

  • From: David Farmer <>
  • To: , Grover Browning <>, Paul Howell <>
  • Cc: "" <>, "" <>, "" <>
  • Subject: Re: [Security-WG] New Well-Known BGP Community for Blackholing
  • Date: Tue, 26 Jul 2016 14:37:56 -0500



On Tue, Jul 26, 2016 at 9:46 AM, John Kristoff <> wrote:
On Mon, 25 Jul 2016 23:55:31 +0000
David Farmer <> wrote:

> We (the Internet2 Community) should discuss if the Internet2 Backbone
> should transition to using this Well-Known BGP Community, either
> keeping or eliminating the Internet2 specific Blackhole communities
> below.
>
> Internet2-R&E: 11537:911
> Internet2-TR-CPS: 11164:53666

Is the usage of these being monitored?  Statistics and trends on usage
and possibly a survey who is actually utilizing (announcing to I2) the
current communities would be nice to see.

That's a really good question, Grover, Paul?  I was thinking about this last night too.  I'd like to know: how many routes/IPs are blackholed, how often, what duration, some idea of the amount of traffic dropped, maybe how much each router is dropping.  Just doing some brainstorming, please don't actually take that as a formal request, at least yet.

> Additionally, this new community is defined as a transitive BGP
> community, so we should discuss if we want to propagate routes with
> this community from the Internet2 Backbone to other members of the
> Internet2 community.  This may or may not be advantageous and is
> probably not appropriate in all cases, so we should only do this if
> there is a clear consensus for it.

I think this would be fine as long as these routes are originated from
within I2 and the announcements can be verified by connectors or the
backbone folks.  I may be wary of accepting those transitive
communities if they originated from outside of I2.  Perhaps add a tag
that indicates as much.

Like I said, I'm skeptical of this really being useful, mostly because I too would only really consider this for routes for this community, and while there is a component of some DOS attacks coming from within this community, it is a relatively small part of the overall issue most of the time.

A web-based interface for participants to use for managing black hole
routes would be really nice to have.  These should automatically expire
after some period.

This sounds interesting and maybe a more useful way to think about this; could you flesh this out a bit more?

Thanks


--
===============================================
David Farmer              
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota  
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================
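The usage statistics John asks about and the auto-expiry David and John discuss, worked through as an added example that is not part of this message or of any Internet2 tooling. It uses the two Internet2 blackhole communities quoted above; the member ASNs, the 24-hour expiry window and the sample routes are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_network

# Blackhole communities quoted in the thread
BLACKHOLE_COMMUNITIES = {"11537:911": "Internet2-R&E", "11164:53666": "Internet2-TR-CPS"}
BLACKHOLE = frozenset(BLACKHOLE_COMMUNITIES)
# Hypothetical member ASNs whose blackhole announcements count as "originated within I2"
MEMBER_ASNS = {64500, 64501}
MAX_AGE = timedelta(hours=24)       # hypothetical automatic-expiry window
NOW = datetime(2016, 7, 26, 14, 37)  # constructed reference time (the date of this mail)

@dataclass
class Route:
    prefix: str
    origin_as: int
    communities: set
    first_seen: datetime
    last_seen: datetime

# Constructed sample announcements (documentation prefixes, not real routes)
SAMPLE = [
    Route("192.0.2.7/32", 64500, {"11537:911"}, datetime(2016, 7, 25, 1), datetime(2016, 7, 25, 3)),
    Route("198.51.100.0/29", 64501, {"11164:53666"}, datetime(2016, 7, 25, 2), datetime(2016, 7, 27, 2)),
    Route("203.0.113.9/32", 64999, {"11537:911", "65000:1"}, datetime(2016, 7, 26, 0), datetime(2016, 7, 26, 0, 30)),
    Route("203.0.113.0/24", 64500, {"65000:1"}, datetime(2016, 7, 20), datetime(2016, 7, 26)),
]

def blackholed(routes):
    """Routes carrying at least one of the blackhole communities."""
    return [r for r in routes if r.communities & BLACKHOLE]

def usage_stats(routes):
    """Per community: number of routes, addresses covered, and total hours blackholed."""
    stats = {}
    for r in blackholed(routes):
        for c in r.communities & BLACKHOLE:
            s = stats.setdefault(c, {"routes": 0, "addresses": 0, "hours": 0.0})
            s["routes"] += 1
            s["addresses"] += ip_network(r.prefix).num_addresses
            s["hours"] += (r.last_seen - r.first_seen).total_seconds() / 3600
    return stats

def external_origin(routes):
    """Blackhole routes whose origin AS is outside the member set: hold for verification."""
    return [r.prefix for r in blackholed(routes) if r.origin_as not in MEMBER_ASNS]

def expired(routes, now=NOW):
    """Blackhole routes older than MAX_AGE: candidates for automatic withdrawal."""
    return [r.prefix for r in blackholed(routes) if now - r.first_seen > MAX_AGE]
```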