nanog mailing list archives
[nanog () Overkill EnterZone Net: Extensions to RFC1998 - WAS: Re: DoS Attacks]
From: Haesu <haesu () towardex com>
Date: Thu, 9 Oct 2003 00:01:56 -0400
Forwarding to NANOG on behalf of Mr. Fraizer. Please don't shoot the
messenger for any arguments/discussions.

-hc

--
Haesu C.
TowardEX Technologies, Inc.
Consulting, colocation, web hosting, network design and implementation
http://www.towardex.com | haesu () towardex com
Cell: (978)394-2867 | Office: (978)263-3399 Ext. 170
Fax: (978)263-0033 | POC: HAESU-ARIN

----- Forwarded message from John Fraizer <nanog () Overkill EnterZone Net> -----

Date: Wed, 8 Oct 2003 21:58:26 -0400 (EDT)
From: John Fraizer <nanog () Overkill EnterZone Net>
To: Haesu <haesu () towardex com>
Cc: nanog () merit edu, a_spicer () bellsouth net
Subject: Extensions to RFC1998 - WAS: Re: DoS Attacks
In-Reply-To: <20031009004646.GB88086 () scylla towardex com>

On Wed, 8 Oct 2003, Haesu wrote:
> Hmmmm? What did I miss? When did RFC1998 get updated to include Null
> community? Feel free to let me know if they updated the RFC on that
> lately, because I haven't checked it in a while. As far as I know, my
> upstreams are fully RFC1998 compliant and I use them well.
>
> -hc
Note: please echo this to the list. I don't have post
access. Ahem... Sue...Ahem...
The RFC itself hasn't been updated to include a Null community but if you
think about it, providing a NULL community is fully within the concept of
allowing customers to influence routing policy with the use of community
strings.
For example:
!
router bgp 65534
 neighbor a.a.a.a remote-as 65530
 neighbor a.a.a.a description Customer AS65530
 ! per-customer prefix-list: only the space we hold an LOA for
 neighbor a.a.a.a prefix-list AS-65530 in
 neighbor a.a.a.a route-map CUSTOMERS in
!
! "le 32" lets the customer send anything down to a host route inside
! their own block, which is exactly what a blackhole request needs
ip prefix-list AS-65530 seq 5 permit x.x.x.x/y le 32
!
ip community-list standard POISON permit 65534:666
!
route-map CUSTOMERS permit 10
 match community POISON
 set local-preference 500
 set ip next-hop [ip address of your sink-hole]
!
Of course, the rest of the route-map CUSTOMERS is going to need to do some
sanity checks on the announcements you accept from the customers OTHER
than blackhole requests. In our case, we pass them through a prefix-list
match that includes:
ip prefix-list CUSTOMERS seq 10 deny 0.0.0.0/0 ge 25
As you can see, we're doing a prefix-list check against the announcements
that the customer sends us in the neighbor statement. Each customer gets
their own prefix-list that covers the networks that we have LOA to accept
from that customer. (Keeps boneheads from blackholing OTHER people!)
The first stanza in the CUSTOMERS route-map checks for the POISON
community. Any prefix that the customer sends us that includes this
community will be routed to our sink-hole.
The rest of the stanzas in the CUSTOMERS route-map look for other
communities from the customer. One stanza looks to see if the customer is
requesting us to pass their announcements of our address space on as
de-aggregated announcements. If we don't see that community, they're
aggregated. Other stanzas in the route-map are pretty cut and dried
RFC1998.
Our customers can do the following:
Community      Action
---------------------------------------------------------
13944:0        Don't announce to any peer
13944:1        Don't announce to PEERS
13944:2        Don't announce to TRANSIT
13944:3        Don't announce to CUSTOMERS
13944:20       Announce specific from EnterZone aggregate
               (for customers who are running on our IPs)
13944:90       Set preference to 90
13944:100      Set preference to 100
13944:110      Set preference to 110
13944:120      Set preference to 120
13944:666      Poison a Route
13944:NNN0     Don't announce to Peer NNN
13944:NNN1     Prepend once towards Peer NNN
13944:NNN2     Prepend twice towards Peer NNN
13944:NNN3     Prepend thrice towards Peer NNN
Any time I do any consulting on another network, I recommend that they at
MINIMUM implement the Poisoned Route ability. It is not terribly
difficult to do as you can see above.
--
John Fraizer
EnterZone, Inc
(13944+$|13944+_14813+$|13944+_17266+$)
PGP Key = 6C5903C4
Fingerprint = 2AA6 6614 1B5E EDD2 38AD C417 3E61 F975 6C59 03C4
----- End forwarded message -----
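The policy Fraizer describes above (per-customer LOA prefix-list first, then a
route-map that turns the "poison" community into a high local-preference plus
a sink-hole next-hop, rejects ordinary announcements longer than /24, and
honours the customer-facing community table) is easy to get subtly wrong,
most often by letting the blackhole stanza run before the LOA check. The
Python below is an added example written for this archive page, not
EnterZone's configuration or any vendor code: it simulates the inbound
decision and the outbound export/prepend decision for a handful of
constructed announcements. The provider ASN 13944 and the community values
are taken from the table in the post; the customer ASN, the prefixes (RFC
5737 documentation space), the sink-hole address and the per-peer numbering
are assumptions for illustration.

```python
"""Simulate the RFC1998-style customer policy from the post.

Added example, not part of the original message. PROVIDER_ASN and the
community values come from the post's table; everything else (customer ASN,
prefixes, sink-hole address, peer numbers) is constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Optional

PROVIDER_ASN = 13944
BLACKHOLE = f"{PROVIDER_ASN}:666"       # "Poison a Route"
SINKHOLE_NEXT_HOP = "192.0.2.1"         # constructed; your sink-hole box goes here
BLACKHOLE_LOCAL_PREF = 500
LOCAL_PREF_VALUES = (90, 100, 110, 120)  # 13944:90 .. 13944:120

# Per-customer LOA prefix-lists, the equivalent of
#   ip prefix-list AS-65530 seq 5 permit 203.0.113.0/24 le 32
# Anything inside the block, down to a host route, is acceptable from AS65530.
CUSTOMER_LOA = {
    65530: [ip_network("203.0.113.0/24")],   # constructed customer block
}


@dataclass
class Announcement:
    asn: int
    prefix: str
    communities: set = field(default_factory=set)


@dataclass
class Decision:
    accepted: bool
    reason: str
    local_pref: int = 100
    next_hop: Optional[str] = None   # None = keep the customer's own next-hop


def provider_values(communities):
    """Numeric parts of the communities that belong to our ASN (others ignored)."""
    out = set()
    for c in communities:
        asn, _, value = c.partition(":")
        if asn.isdigit() and int(asn) == PROVIDER_ASN and value.isdigit():
            out.add(int(value))
    return out


def in_loa(asn, net):
    """The 'neighbor ... prefix-list AS-<asn> in' check: inside an LOA block?"""
    return any(net.subnet_of(block) for block in CUSTOMER_LOA.get(asn, []))


def inbound_policy(ann):
    """What the router does with one announcement from a customer session."""
    net = ip_network(ann.prefix, strict=True)
    # The per-customer prefix-list runs before the route-map, so a customer
    # can never blackhole (or announce) space that is not theirs.
    if not in_loa(ann.asn, net):
        return Decision(False, "prefix not covered by customer LOA")
    values = provider_values(ann.communities)
    # route-map CUSTOMERS permit 10: match community POISON
    if 666 in values:
        return Decision(True, "blackhole", BLACKHOLE_LOCAL_PREF, SINKHOLE_NEXT_HOP)
    # Later stanza: ip prefix-list CUSTOMERS seq 10 deny 0.0.0.0/0 ge 25
    if net.prefixlen >= 25:
        return Decision(False, "longer than /24 and not a blackhole request")
    lp = 100
    for v in values:
        if v in LOCAL_PREF_VALUES:
            lp = v
    return Decision(True, "accepted", lp)


def export_action(communities, neighbor_class, peer_id=None):
    """Outbound side: (announce?, prepend_count) for one neighbor.

    neighbor_class is 'peer', 'transit' or 'customer'. peer_id is the
    three-digit NNN the provider assigns to a specific peer (constructed
    numbering; three digits keeps NNN0 clear of the 90..120 preference values).
    """
    no_export = {"peer": 1, "transit": 2, "customer": 3}
    values = provider_values(communities)
    if 0 in values or no_export[neighbor_class] in values:
        return (False, 0)
    prepend = 0
    if peer_id is not None:
        if peer_id * 10 in values:            # NNN0: don't announce to peer NNN
            return (False, 0)
        for n in (1, 2, 3):                   # NNN1..NNN3: prepend n times
            if peer_id * 10 + n in values:
                prepend = n
    return (True, prepend)


# Constructed announcements from customer AS65530.
SAMPLE = [
    Announcement(65530, "203.0.113.7/32", {BLACKHOLE}),            # legitimate blackhole
    Announcement(65530, "198.51.100.9/32", {BLACKHOLE}),           # somebody else's space
    Announcement(65530, "203.0.113.0/25", set()),                  # too long, not a blackhole
    Announcement(65530, "203.0.113.0/24", {"13944:1", "13944:110"}),
]


def run(announcements=SAMPLE):
    return [inbound_policy(a) for a in announcements]


if __name__ == "__main__":
    for a, d in zip(SAMPLE, run()):
        print(a.prefix, sorted(a.communities), "->", d)
```

The order of the checks is the whole point: the LOA prefix-list is evaluated
before any community is looked at, so the second announcement (a /32 in
another organisation's block tagged 13944:666) is dropped rather than
sink-holed, while the /25 without the poison community is dropped by the
"ge 25" rule even though it is inside the customer's own space.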