
RE: Last Call: <draft-ietf-grow-blackholing-00.txt> (BLACKHOLE BGP Community for Blackholing) to Proposed Standard

2016-06-20 22:39:42
I have to point out that, although it looks like a move in the right direction, 
the newly created BLACKHOLE community is likely to meet severe max-prefixes 
resistance. It is way too broad.

I did read the draft, and I do understand it is targeted at IXPs; the skeptical 
part in me is suggesting that the max-prefixes limit will limit the efficiency 
of this method. In order for this to be efficient to mitigate a DDOS attack, it 
would require the prefix limit for the very generic BLACKHOLE community to be 
in the tens of thousands. I just don't see this happening in the real world. A 
BGP community with global significance will face significant challenges. I 
don't see operators trusting this community.


Extreme caution should be used when purposefully propagating IP prefixes
tagged with the BLACKHOLE BGP community outside the local routing domain.

This is the part that I find out-of-touch with reality. Extreme caution should 
be used not to announce RFC1918 prefixes, and not to announce the entire 
Internet routing table. It happens all the time. 

This draft creates a DDOS vector of its own: an attacker with good BGP feeds 
to their upstreams could use the well-known community to craft a new DDOS 
attack by injecting the target prefix(es). Unlike the NO_ADVERTISE or NO_EXPORT 
communities, this is a global DDOS bait.

As the operator of a large BGP Blackhole feed (1), the first requests that came 
out of the beta-testers were asking for more granularity. My BGP blackhole feed 
is over 100K prefixes; it works for me and my beta-tester buddies, but it won't 
work for everyone.

I oppose this draft on the grounds that it creates more opportunities for DDOS 
attacks than it solves.

Michel.

(1) http://arneill-py.sacramento.ca.us/cbbc/
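As an added illustration, not code from this thread or from the draft, the following constructed Python check models the validation a receiving operator would want before honouring a BLACKHOLE-tagged route: the community value 65535:666 is assumed from the published RFC 7999, and the peer ASNs, authorized prefixes, per-peer blackhole budgets and sample updates are all constructed.

```python
import ipaddress

# Well-known BLACKHOLE community value; assumed from the published RFC 7999.
BLACKHOLE = "65535:666"

# Constructed per-peer policy: address space each peer is authorized to originate
# (as an operator would derive from IRR/ROA data) plus a separate budget for
# blackhole routes, so they are not counted against the ordinary max-prefix limit.
PEER_POLICY = {
    64500: {"allowed": ["198.51.100.0/24"], "blackhole_budget": 2},
    64501: {"allowed": ["203.0.113.0/24"], "blackhole_budget": 2},
}


def validate_blackhole(peer_asn, prefix, communities, accepted_so_far):
    """Return (accept, reason) for one announcement from peer_asn.

    accepted_so_far is the number of blackhole routes already taken from this
    peer. Untagged routes are reported as 'not-blackhole' and left to normal policy.
    """
    if BLACKHOLE not in communities:
        return False, "not-blackhole"
    policy = PEER_POLICY.get(peer_asn)
    if policy is None:
        return False, "unknown-peer"
    net = ipaddress.ip_network(prefix, strict=True)
    # Host routes only: a covering prefix tagged BLACKHOLE would sink far more than one victim.
    if net.prefixlen != net.max_prefixlen:
        return False, "not-host-route"
    # The peer may only blackhole addresses inside space it is authorized to originate;
    # this rejects a tagged announcement for some third party's address.
    allowed = (ipaddress.ip_network(a) for a in policy["allowed"])
    if not any(a.version == net.version and net.subnet_of(a) for a in allowed):
        return False, "outside-authorized-space"
    if accepted_so_far >= policy["blackhole_budget"]:
        return False, "blackhole-budget-exceeded"
    return True, "accept"


def process_updates(updates):
    """Apply validate_blackhole to (peer_asn, prefix, communities) tuples in order."""
    counts, results = {}, []
    for peer_asn, prefix, communities in updates:
        ok, reason = validate_blackhole(peer_asn, prefix, communities, counts.get(peer_asn, 0))
        if ok:
            counts[peer_asn] = counts.get(peer_asn, 0) + 1
        results.append((peer_asn, prefix, reason))
    return results


# Constructed sample updates exercising each outcome.
SAMPLE_UPDATES = [
    (64500, "198.51.100.7/32", ["65535:666"]),   # own space, host route
    (64500, "203.0.113.9/32", ["65535:666"]),    # address in another peer's space
    (64500, "198.51.100.0/24", ["65535:666"]),   # whole /24, not a host route
    (64501, "203.0.113.1/32", ["65535:666"]),
    (64501, "203.0.113.2/32", ["65535:666"]),
    (64501, "203.0.113.3/32", ["65535:666"]),    # exceeds the per-peer blackhole budget
    (64501, "203.0.113.4/32", ["64501:100"]),    # untagged; ordinary policy applies
]
```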