
Re: [GROW] Last Call: <draft-ietf-grow-blackholing-00.txt> (BLACKHOLE BGP Community for Blackholing) to Proposed Standard

2016-06-28 10:11:50
On Sun, Jun 26, 2016 at 11:54 PM, joel jaeggli <joelja(_at_)bogus(_dot_)com> wrote:

On 6/26/16 10:06 AM, John Kristoff wrote:
On Sun, 26 Jun 2016 16:31:17 +0000
joel jaeggli <joelja(_at_)gmail(_dot_)com> wrote:

It's not clear to me how that would even work. Assuming for the sake
of argument that the IXP by way of configured policy on the
route-server adds this community to a prefix.

Here is some detail on how DE-CIX implements it:

  <https://www.de-cix.net/products-services/de-cix-frankfurt/blackholing/>


At the possible expense of belaboring my observation still further,
I'm aware of how the community is implemented, I'm on those fabrics.
What I wasn't and am not clear on is how that would lead to:

Nick

 In the case of route servers, blackholing turns the IXP into
 a legal target.

Job

I feel that this is not the appropriate forum to define what IXPs can,
can't, should and shouldn't do in the context of legal enforcement agencies.

Short of the IXP engaging in prefix hijacking, or unilaterally applying
the community to an existing prefix, the IXP is in no position to
black-hole traffic except on request of the sender of the destination
prefix. Likewise, if you withdraw the prefix from the route-server, the
blackhole goes away, unless the route-server is engaged in prefix
hijacking.

I don't see either of those issues as serious threats. If you live under
a regime that considers prefix hijacking acceptable, the community adds
no capability that the exchange does not already have; they can after all
change the nexthop today, announce whatever prefix you're willing to
accept, and so on; any of those activities in most places would be
immediate grounds for depeering and departure.


Perhaps Nick is reacting to language like:

"This well-known advisory transitive BGP
   community, namely BLACKHOLE, allows an origin AS to specify that a
   neighboring IP network or IXP should blackhole a specific IP prefix."

which could be cleaned up a bit like:

"This well-known advisory transitive BGP
   community, namely BLACKHOLE, allows an origin AS to specify that a
   neighboring IP network or IXP PARTICIPANT should blackhole a
   specific IP prefix."

This transform doesn't work throughout the document though.
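As an added illustration of the point Joel makes above (this is example code, not from the thread, the draft, or any IXP), here is a participant-side model that honours the BLACKHOLE community only when the announcing peer holds a covering prefix, and that drops the discard route again when the prefix is withdrawn. The ASNs, the authorization table and the 65535:666 value used for BLACKHOLE are constructed for the example.

```python
import ipaddress

# Community value assumed for BLACKHOLE in this example (constructed here).
BLACKHOLE = (65535, 666)


class BlackholePolicy:
    """Import policy of one IXP participant receiving routes via a route server.

    A BLACKHOLE-tagged announcement is only turned into a discard route when the
    announcing peer is the legitimate holder of a prefix covering the destination,
    so the route server itself cannot blackhole anything short of hijacking a prefix.
    """

    def __init__(self, authorized):
        # peer ASN -> networks that peer is authorized to originate (constructed table)
        self.authorized = {
            asn: [ipaddress.ip_network(p) for p in nets] for asn, nets in authorized.items()
        }
        self.discard = set()  # destinations currently null-routed

    def _holds(self, asn, prefix):
        return any(
            n.version == prefix.version and prefix.subnet_of(n)
            for n in self.authorized.get(asn, [])
        )

    def announce(self, asn, prefix, communities):
        """Return the decision taken for one announcement from peer `asn`."""
        net = ipaddress.ip_network(prefix)
        if BLACKHOLE not in communities:
            return "accepted"  # ordinary route, normal policy applies
        if not self._holds(asn, net):
            return "rejected: BLACKHOLE from non-holder"
        self.discard.add(net)
        return "blackholed"

    def withdraw(self, asn, prefix):
        """Withdrawing the prefix removes the blackhole as well."""
        self.discard.discard(ipaddress.ip_network(prefix))

    def is_blackholed(self, prefix):
        return ipaddress.ip_network(prefix) in self.discard
```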