
RE: Last Call: <draft-ietf-grow-blackholing-00.txt> (BLACKHOLE BGP Community for Blackholing) to Proposed Standard

2016-06-24 22:10:50
Michel Py wrote:
I foresee that IXPs and other organizations who would adopt the BLACKHOLE 
community would put limits just the same as UTRS does. At 25 routes per 
participant, the mitigation of a DDOS potentially coming from thousands 
of IP addresses is limited. I totally understand the reasons to permit only 
25 (or n) blackhole routes.

Christopher Morrow wrote:
this implies that src-route blackholing (discard route + uRPF or similar) is 
required or targeted for this use-case, which I don't think is a given. 
Surely, if you want to do that you'd have to accept very, very large prefix 
sets from your peer(s).

The number of prefixes and the use of uRPF are orthogonal. BCP38 would be nice, 
OTOH I understand why it's not widely deployed.


this concern doesn't seem to be a blocker for this draft though...

That's the difference between a draft that will become a deployed standard and 
one that will eventually be deprecated. Acceptance / adoption in the real world.

the state today is that there are 'many different communities' which is 
painful for an operator to manage.
It means custom policy for each peer, which is going to (has many times 
already) bite someone.

It means custom policy for each peer-group, which is what operators do and want.


'compromised systems' meaning a router at the IX? if someone compromises a 
router on the IX fabric
we've all got much larger problems than 'someone could blackhole something 
with a community'.

You should see what "IX fabric" means, in many places. I rest my case.

Michel.
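The per-participant limit and per-peer policy discussed above, as an added example that is not part of the thread, the draft, or any vendor's policy language: a small simulation of a BGP import policy that accepts BLACKHOLE-tagged host routes only inside the aggregates a peer is permitted to announce, rewrites the next-hop to a discard address, and caps the number of installed blackholes per peer at n (25, the UTRS-style figure mentioned in the thread). The community value 65535:666, the discard next-hop 192.0.2.1, the peer aggregates and the attack addresses are all assumptions constructed for the example.

```python
"""Toy import policy for BLACKHOLE-tagged BGP routes with a per-peer cap.

Added example; not code from the thread, the draft, or any router vendor.
Assumptions are marked in comments.
"""
import ipaddress
import itertools
from dataclasses import dataclass, field

# Assumed value of the BLACKHOLE well-known community, in ASN:value form.
BLACKHOLE = (65535, 666)
# Assumed next-hop that the local router statically routes to discard (Null0).
DISCARD_NEXT_HOP = "192.0.2.1"


@dataclass
class Route:
    prefix: str            # e.g. "198.51.100.7/32"
    communities: set       # set of (asn, value) tuples
    next_hop: str


@dataclass
class PeerPolicy:
    """Per-peer(-group) policy: what a neighbour may blackhole, and how much."""
    name: str
    allowed_aggregates: list          # prefixes the peer legitimately originates (assumed IRR-derived)
    max_blackholes: int = 25          # the per-participant limit from the thread
    installed: dict = field(default_factory=dict)

    def _inside_allowed(self, net):
        for agg in map(ipaddress.ip_network, self.allowed_aggregates):
            if agg.version == net.version and net.subnet_of(agg):
                return True
        return False

    def evaluate(self, route):
        """Return ("accept", reason) or ("reject", reason) for one received route."""
        net = ipaddress.ip_network(route.prefix, strict=True)
        if BLACKHOLE not in route.communities:
            return "reject", "no BLACKHOLE community"
        host_len = 32 if net.version == 4 else 128
        if net.prefixlen != host_len:
            return "reject", "blackhole must be a host route"
        if not self._inside_allowed(net):
            return "reject", "outside the peer's permitted aggregates"
        if route.prefix in self.installed:
            return "accept", "already installed"
        if len(self.installed) >= self.max_blackholes:
            return "reject", f"per-peer limit of {self.max_blackholes} reached"
        # Accept: rewrite next-hop so traffic to that address is discarded locally.
        self.installed[route.prefix] = Route(route.prefix, set(route.communities), DISCARD_NEXT_HOP)
        return "accept", "installed with discard next-hop"

    def withdraw(self, prefix):
        """Peer withdrew the route: free its slot under the cap."""
        self.installed.pop(prefix, None)


def blackhole_many(peer, aggregate, count):
    """Send `count` consecutive /32 blackholes from `aggregate`; return (installed, refused)."""
    installed = refused = 0
    for host in itertools.islice(ipaddress.ip_network(aggregate).hosts(), count):
        verdict, _ = peer.evaluate(Route(f"{host}/32", {BLACKHOLE}, "0.0.0.0"))
        if verdict == "accept":
            installed += 1
        else:
            refused += 1
    return installed, refused


if __name__ == "__main__":
    # Constructed data: one IX participant allowed to blackhole inside 10.0.0.0/16.
    participant = PeerPolicy("participant-A", ["10.0.0.0/16"], max_blackholes=25)
    print(blackhole_many(participant, "10.0.0.0/16", 1000))  # (25, 975)
```

The cap is what makes the policy safe to apply to a peer-group rather than hand-tuned per peer: whatever a participant sends, at most n discard routes can land in the table, and a withdraw frees the slot. The same loop also shows the trade-off raised in the thread: with a thousand host routes offered, 25 are installed and the rest are refused.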