Remote Triggered Blackhole

I've added rtbh [remote triggered blackhole] policies to all internet-facing peers.  For many, the policy is rtbh-not-supported, which simply rejects the blackholed prefixes so they are never advertised to that peer.

m7h@r-uwmadison-hub-re1# show policy-options policy-statement rtbh-not-supported
term block {
    from {
        prefix-list special_lists-rtbh-igp-prefixes;
    }
    then reject;
}
term block-by-com {
    from community [ uwsysnet_blackhole uwsysnet_blackhole_internet ];
    then reject;
}

For peers that -do- support rtbh, the policy applied instead translates our local blackhole marking into the remote network's rtbh community.  Example follows.

m7h@r-uwmadison-hub-re1# show policy-options policy-statement rtbh-internet2
term block {
    from {
        prefix-list special_lists-rtbh-igp-prefixes;
    }
    then {
        community add internet2-blackhole;
        accept;
    }
}
term block-by-com {
    from community [ uwsysnet_blackhole uwsysnet_blackhole_internet ];
    then {
        community add internet2-blackhole;
        accept;
    }
}

Notice I immediately accept, which may not be 100% correct behavior, but I also believe it is difficult for block-by-com to be abused, as I clear 3128:* communities on ingress from the internet.
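As an added illustration (not the page's own code or config), a small Python model of the first-match evaluation of the two policies above, plus the ingress community scrub mentioned in the note; the prefix-list contents, the 3128:* community values and the sample external route are constructed placeholders, not the real ones.

```python
import ipaddress

# Constructed stand-ins for the page's named objects; the real members of
# special_lists-rtbh-igp-prefixes and the 3128:* community values are not on the page.
RTBH_IGP_PREFIXES = {"192.0.2.1/32", "198.51.100.7/32"}   # hypothetical host routes
BLACKHOLE_COMMS = {"3128:666", "3128:667"}  # stand-ins for uwsysnet_blackhole{,_internet}
INTERNET2_BLACKHOLE = "internet2-blackhole"  # symbolic name, as in the policy above


def normalize(prefix):
    """Canonical prefix text so 'from prefix-list' behaves as an exact match."""
    return str(ipaddress.ip_network(prefix, strict=False))


def rtbh_not_supported(prefix, communities):
    """First-match model of policy rtbh-not-supported: both terms reject."""
    if normalize(prefix) in RTBH_IGP_PREFIXES:          # term block
        return "reject", set(communities)
    if set(communities) & BLACKHOLE_COMMS:              # term block-by-com
        return "reject", set(communities)
    return "next-policy", set(communities)              # no term matched


def rtbh_internet2(prefix, communities):
    """First-match model of rtbh-internet2: add the peer's community, then accept."""
    if normalize(prefix) in RTBH_IGP_PREFIXES or set(communities) & BLACKHOLE_COMMS:
        return "accept", set(communities) | {INTERNET2_BLACKHOLE}
    return "next-policy", set(communities)


def scrub_ingress(communities):
    """Model of clearing every 3128:* community on routes learned from the internet."""
    return {c for c in communities if not c.startswith("3128:")}


def evaluate_external_route(prefix, communities, scrub=True):
    """Route learned from an internet peer, then re-advertised toward internet2.

    With scrub=False the block-by-com term fires on a community the remote side
    chose, which is exactly what the ingress scrub is there to prevent.
    """
    comms = scrub_ingress(communities) if scrub else set(communities)
    return rtbh_internet2(prefix, comms)


if __name__ == "__main__":
    ext = ("203.0.113.0/24", {"3128:666", "64496:100"})   # constructed external route
    print("scrubbed:  ", evaluate_external_route(*ext))
    print("unscrubbed:", evaluate_external_route(*ext, scrub=False))
```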

Keywords: Remote Triggered Blackhole
Doc ID: 50171
Owner: Michael H.
Group: University of Wisconsin System Network
Created: 2015-04-08 13:14 CDT
Updated: 2015-04-08 13:15 CDT
Sites: University of Wisconsin System Network