Remote Triggered Blackhole
I've added rtbh [remote triggered blackhole] policies to all internet-facing peers. For many, the policy is rtbh-not-supported, which basically just blocks the advertisements.
@r-uwmadison-hub-re1# show policy-options policy-statement rtbh-not-supported
term block {
    from {
        prefix-list special_lists-rtbh-igp-prefixes;
    }
    then reject;
}
term block-by-com {
    from community [ uwsysnet_blackhole uwsysnet_blackhole_internet ];
    then reject;
}
For peers that do support rtbh, the policy applied instead translates to the remote network's rtbh community. Example follows.
@r-uwmadison-hub-re1# show policy-options policy-statement rtbh-internet2
term block {
    from {
        prefix-list special_lists-rtbh-igp-prefixes;
    }
    then {
        community add internet2-blackhole;
        accept;
    }
}
term block-by-com {
    from community [ uwsysnet_blackhole uwsysnet_blackhole_internet ];
    then {
        community add internet2-blackhole;
        accept;
    }
}
Notice I immediately accept, which may not be 100% correct behavior, but I also believe it is difficult for block-by-com to be abused, as I clear 3128:* communities on ingress from the internet.
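The ingress community scrub that the block-by-com term depends on is not shown on this page. What follows is an added example, not the author's configuration, of how that control is typically written in Junos: a regex community that matches every 3128:* value, deleted from each route learned from an internet peer before the route enters the table, so that only routes tagged from inside the network can ever match block-by-com on export. The policy name internet-import, the community name uwsysnet-all-3128, the peer group name internet and the accept-rest term are assumptions; the 3128:* pattern is the one the text mentions.

```junos
policy-options {
    /* Assumed name; the regex matches any community in the 3128:* range */
    community uwsysnet-all-3128 members "^3128:.*$";

    /* Assumed name; import policy applied to every internet-facing peer */
    policy-statement internet-import {
        /* Strip every locally significant community an outside peer may
           have attached, then continue with the remaining import terms */
        term scrub-local-communities {
            then {
                community delete uwsysnet-all-3128;
                next term;
            }
        }
        /* Assumed placeholder for the rest of the import policy */
        term accept-rest {
            then accept;
        }
    }
}

protocols {
    bgp {
        /* Assumed group name; the scrub must be applied on every
           external session, not only the ones in this group */
        group internet {
            type external;
            import internet-import;
        }
    }
}
```

With the policy applied, `show route receive-protocol bgp <peer-address> detail` on the router should show no 3128:* community on any route learned from that peer, regardless of what the peer sent. The scrub only protects sessions it is attached to, so any external session without it, including the rtbh-capable peers in the receive direction, remains a path by which an outside party could set a community that the export policies treat as an internal blackhole request.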