On Mon, Mar 19, 2012 at 04:59:59PM -0700, Gregg Berkholtz wrote:
In working to streamline our utilization of each upstream's RTBH filtering mechanisms (e.g. http://www.he.net/adm/blackhole.html ), I'm having a heck of a time configuring BIRD to "mirror" Cisco product behaviors.
Here's the Cisco Way (where X.X.X.X is the ip to blackhole):

  conf t
  ip route X.X.X.X 255.255.255.255 Null0
  router bgp YourAS
  network X.X.X.X mask 255.255.255.255 route-map blackhole
  route-map blackhole permit 10
  set community 6939:666
  end
What I believe needs to happen w/ BIRD, and the Linux Kernel route tables:

1) Create and maintain a non-default Linux kernel route table, to accomplish blackholing at our gateways (working great). Also wanting to have BIRD monitor this non-default route table, and :666 tag+announce upstream any /32 entries within our 199.127.224.0/22.
2) BIRD imports the non-default kernel route table (seems to be working ok).
3) For each "protocol bgp *Upstream*", use an export filter to identify and tag relevant "blackhole" route entries with a specific RTBH community (e.g. 6939:666)...this is what I'm struggling with.
I am not sure if I understand what you want. I suppose that for each route in the blackhole table you want to export that prefix with the 6939:666 community through BGP.

For that, your current config has a problem: the BGP protocol is connected to the master table, so there is no way for blackhole routes to go from table blackroutes to the BGP protocol. So you should connect the master and blackroutes tables through a pipe (and add appropriate filtering to ensure that blackhole routes end up only in BGP). Another solution is to add one more table for BGP, connect BGP to that table and add two pipes (master-this_new and blackroutes-this_new); this would make filtering simpler. Or a much simpler solution: remove the secondary tables, add the blackhole routes to the bird config as static routes (in the static protocol) and have everything in the master table.

BTW, in the filter bgp_out_he(), I guess you want to accept all routes with proto = "blackhole", otherwise only your routes would be exported (and I suppose blackholed IPs are foreign).

-- 
Elen sila lumenn' omentielvo

Ondrej 'SanTiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
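The first of the three layouts above (pipe from blackroutes into master, BGP stays on master), written out as a BIRD 1.x configuration. This is an added example, not a config posted in the thread or shipped by the BIRD project. The router id, the local AS 65000, the upstream neighbor 192.0.2.1, the kernel table number 100 and the protocol/filter names are assumptions; the 199.127.224.0/22 prefix and the 6939:666 community come from the original post. The pipe's import filter does the safety work: it only lets through routes whose kernel destination is a blackhole (the `dest` attribute, assumed to be RTD_BLACKHOLE for a Linux `blackhole` route) and whose prefix is a /32 inside the poster's own /22, and it tags them with the community there, so the BGP export filter matches on the community rather than on the name of the originating protocol.

```conf
# BIRD 1.x example (added here, not from the thread or the BIRD project).
# Assumed values: router id 192.0.2.2, local AS 65000, HE neighbor 192.0.2.1,
# blackhole routes kept in Linux kernel table 100, created for instance with
#   ip route add blackhole 199.127.224.77/32 table 100
router id 192.0.2.2;

# Secondary table fed from kernel table 100 (the poster's "blackroutes").
table blackroutes;

protocol kernel k_blackhole {
    table blackroutes;
    kernel table 100;
    learn;            # pick up routes installed by hand or by scripts
    scan time 10;
    import all;
    export none;      # never write anything back into table 100
}

# Pipe blackroutes -> master. Only genuine blackhole /32s inside our own
# /22 pass, and they are tagged with the upstream's RTBH community here.
protocol pipe p_blackhole {
    table master;
    peer table blackroutes;
    import filter {
        if (dest = RTD_BLACKHOLE) && (net ~ [ 199.127.224.0/22{32,32} ]) then {
            bgp_community.add((6939,666));
            accept;
        }
        reject;       # foreign IPs or non-/32 entries never reach BGP
    };
    export none;      # nothing flows from master into the blackhole table
}

# Kernel protocol for the main table; blackholing happens in table 100,
# so BIRD does not install the /32s into the main table either.
protocol kernel {
    learn;
    scan time 10;
    import none;
    export none;
}

protocol device {
    scan time 10;
}

# Our aggregate, originated as a static reject route.
protocol static s_aggregate {
    route 199.127.224.0/22 reject;
}

# Export towards HE: the aggregate plus the tagged blackhole /32s.
filter bgp_out_he {
    if (6939,666) ~ bgp_community then accept;   # tagged by the pipe
    if net ~ [ 199.127.224.0/22 ] then accept;   # exact /22 only
    reject;                                      # nothing else leaks out
}

protocol bgp he_upstream {
    local as 65000;
    neighbor 192.0.2.1 as 6939;
    import none;
    export filter bgp_out_he;
}
```

To check the result without touching the session, `birdc show route table blackroutes` should list the /32s learned from kernel table 100, `birdc show route table master` should show the same /32s arriving via p_blackhole, and `birdc show route export he_upstream` should show only the /22 plus the tagged /32s. Note that `[ 199.127.224.0/22 ]` in the export filter matches the /22 exactly and not its sub-prefixes, so the /32s are accepted solely because they carry the community added by the pipe.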