BLACKHOLE community RFC7999
Hi!

Just FYI: https://www.rfc-editor.org/rfc/rfc7999.txt I guess this feature deserves to be implemented.

--
Alexander Shikov
Technical Staff, Digital Telecom IX
http://dtel-ix.net/
On 20.10.2016 14:38, Alexander Shikov wrote:
> Hi!
> Just FYI: https://www.rfc-editor.org/rfc/rfc7999.txt I guess this feature deserves to be implemented.

Oh, sure. We plan to implement it.

Ondrej
> Just FYI: https://www.rfc-editor.org/rfc/rfc7999.txt I guess this feature deserves to be implemented.
> Oh, sure. We plan to implement it.

It would be nice if export filters for the Kernel protocol could set a route type, as in iproute(8):

TYPE := [ unicast | local | broadcast | multicast | throw | unreachable | prohibit | blackhole | nat ]

That would probably make it more versatile than a static RFC7999 hack, while making it easy to implement RFC7999 and others.

Greetings,
Clemens
On Thu, Oct 20, 2016 at 05:35:43PM +0200, Clemens Schrimpe wrote:
> > Just FYI: https://www.rfc-editor.org/rfc/rfc7999.txt I guess this feature deserves to be implemented.
> > Oh, sure. We plan to implement it.
>
> It would be nice if export filters for the Kernel protocol could set a route type, as in iproute(8):
>
> TYPE := [ unicast | local | broadcast | multicast | throw | unreachable | prohibit | blackhole | nat ]
>
> That would probably make it more versatile than a static RFC7999 hack, while making it easy to implement RFC7999 and others.

Be careful not to overshoot. RFC 7999 says:

   4. Vendor Implementation Recommendations

   Without an explicit configuration directive set by the operator, network elements SHOULD NOT discard traffic destined towards IP prefixes that are tagged with the BLACKHOLE community. The operator is expected to explicitly configure the network element to honor the BLACKHOLE community in a way that is compliant with the operator's routing policy.

   Vendors MAY provide a shorthand keyword in their configuration language to reference the well-known BLACKHOLE community attribute value. The suggested string to be used is "blackhole".
On 2016/10/20 10:51, Job Snijders wrote:
> On Thu, Oct 20, 2016 at 05:35:43PM +0200, Clemens Schrimpe wrote:
> > > Just FYI: https://www.rfc-editor.org/rfc/rfc7999.txt I guess this feature deserves to be implemented.
> > > Oh, sure. We plan to implement it.
> >
> > It would be nice if export filters for the Kernel protocol could set a route type, as in iproute(8):
> >
> > TYPE := [ unicast | local | broadcast | multicast | throw | unreachable | prohibit | blackhole | nat ]
> >
> > That would probably make it more versatile than a static RFC7999 hack, while making it easy to implement RFC7999 and others.
>
> Be careful not to overshoot. RFC 7999 says:
>
>    4. Vendor Implementation Recommendations
>
>    Without an explicit configuration directive set by the operator, network elements SHOULD NOT discard traffic destined towards IP prefixes that are tagged with the BLACKHOLE community. The operator is expected to explicitly configure the network element to honor the BLACKHOLE community in a way that is compliant with the operator's routing policy.
>
>    Vendors MAY provide a shorthand keyword in their configuration language to reference the well-known BLACKHOLE community attribute value. The suggested string to be used is "blackhole".
Exactly - it can't be a static config as requirements will differ between networks. But being able to set the type on routes exported to the kernel is definitely needed in order to implement many common policies.
On Thu, Oct 20, 2016 at 10:51:21AM -0500, Job Snijders wrote:
> On Thu, Oct 20, 2016 at 05:35:43PM +0200, Clemens Schrimpe wrote:
> > > Just FYI: https://www.rfc-editor.org/rfc/rfc7999.txt I guess this feature deserves to be implemented.
> > > Oh, sure. We plan to implement it.
>
> RFC 7999 says:
>
>    4. Vendor Implementation Recommendations
>
>    Without an explicit configuration directive set by the operator, network elements SHOULD NOT discard traffic destined towards IP prefixes that are tagged with the BLACKHOLE community. The operator is expected to explicitly configure the network element to honor the BLACKHOLE community in a way that is compliant with the operator's routing policy.
You are right. I already discussed this with Thomas King. In contrast to RFC 1997 well-known communities, which are processed by default, the BLACKHOLE community should be ignored by default. So it is a question what it really means to implement RFC 7999.

We could simply add a constant, say BC_BLACKHOLE, with value (65535, 666).

We already have the option 'interpret communities' (enabled by default), which can be used to disable processing of RFC 1997 well-known communities (e.g., NO_EXPORT). We could add an option 'interpret blackhole' (disabled by default), which could be used to enable RFC 7999 behavior. But it is a question whether that would be more useful than simply using:

if BC_BLACKHOLE ~ bgp_community then dest = RTD_BLACKHOLE;

--
Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
On Fri, Oct 21, 2016 at 10:24:25AM +0000, Thomas King wrote:
> Hi all,
>
> > We could add an option 'interpret blackhole' (disabled by default), which could be used to enable RFC 7999 behavior.
>
> I would prefer to have an 'interpret blackhole' switch because it makes it really easy to use.
How will the software know whether the BGP neighbor is authorised to advertise and blackhole a prefix? To me an important part of the RFC is that the operator is still obligated to do his/her work and create filters, policy, etc.

Kind regards,

Job
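The filter-based approach Ondrej sketches and the authorisation concern Job raises can be combined in one BIRD import filter. The following is an added example, not code from the thread or from the BIRD project, written in BIRD 1.x filter syntax: the BLACKHOLE community is honoured only on the session with a specific customer and only for host routes inside that customer's registered space; a tagged route that fails either check is rejected outright rather than being installed as an ordinary route. The AS numbers (64500, 64496) and the prefix 192.0.2.0/24 are constructed documentation values, and the snippet assumes the usual surrounding configuration (router id, kernel protocol) is already present.

```bird
# Added example (not from the thread or the BIRD project).
# RFC 7999 well-known BLACKHOLE community; the constant name is our own.
define BLACKHOLE_COMM = (65535, 666);

# Prefixes this customer is registered to originate (constructed placeholder).
# "/24+" matches 192.0.2.0/24 and every more-specific prefix inside it.
define CUSTOMER_64496_NETS = [ 192.0.2.0/24+ ];

filter import_customer_64496
{
    # Nothing outside the customer's own space is accepted, tagged or not.
    if ! (net ~ CUSTOMER_64496_NETS) then reject;

    if BLACKHOLE_COMM ~ bgp_community then {
        # Only a host route may be blackholed. A tagged aggregate is refused,
        # not silently installed as a forwarding route.
        if net.len != 32 then reject;
        # 'dest', not 'gw': the kernel protocol installs a blackhole route.
        dest = RTD_BLACKHOLE;
        accept;
    }

    # Untagged routes: ordinary forwarding, /24 or shorter only.
    if net.len > 24 then reject;
    accept;
}

# The filter is bound to the authorised customer session only. A session
# without it never acts on BLACKHOLE, which is the RFC 7999 section 4
# default of not discarding traffic without explicit operator configuration.
protocol bgp customer_64496 {
    local as 64500;
    neighbor 192.0.2.254 as 64496;
    import filter import_customer_64496;
    export none;
}
```

The same filter body can be reused per customer with its own prefix set, so the "who may blackhole what" decision lives in operator policy rather than in a global switch; whether to also strip or re-tag the community before re-exporting the route to other sessions is a further policy choice the example leaves to the operator.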
On 20 October 2016 at 16:35, Clemens Schrimpe <clemens.schrimpe@gmail.com> wrote:
> It would be nice if export filters for the Kernel protocol could set a route type, as in iproute(8):
>
> TYPE := [ unicast | local | broadcast | multicast | throw | unreachable | prohibit | *blackhole* | nat ]
So, we can already do stuff like this in BGP filters, like this one on a BGP import:

if (64511,11) ~ bgp_community then {
    gw = RTD_BLACKHOLE;
}

..with choices of: RTD_BLACKHOLE, RTD_UNREACHABLE or RTD_PROHIBIT

But I guess direct support would be good.

Cheers,
Just
On Thu, Oct 20, 2016 at 06:33:17PM +0100, Justin Cattle wrote:
> On 20 October 2016 at 16:35, Clemens Schrimpe <clemens.schrimpe@gmail.com> wrote:
> > It would be nice if export filters for the Kernel protocol could set a route type, as in iproute(8):
> >
> > TYPE := [ unicast | local | broadcast | multicast | throw | unreachable | prohibit | *blackhole* | nat ]
>
> So, we can already do stuff like this in BGP filters, like this one on a BGP import:
>
> if (64511,11) ~ bgp_community then {
>     gw = RTD_BLACKHOLE;
> }
>
> ..with choices of: RTD_BLACKHOLE, RTD_UNREACHABLE or RTD_PROHIBIT
You are almost right, but it is the 'dest' attribute, not the 'gw' attribute. To implement RFC 7999 in filters, you have to just add:

if (65535, 666) ~ bgp_community then dest = RTD_BLACKHOLE;

--
Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
On 20 October 2016 at 20:46, Ondrej Zajicek <santiago@crfreenet.org> wrote:
> You are almost right, but it is the 'dest' attribute, not the 'gw' attribute.

Sorry - yes, you're right of course :)

Cheers,
Just
participants (8)
- Alexander Shikov
- Clemens Schrimpe
- Job Snijders
- Justin Cattle
- Ondrej Filip
- Ondrej Zajicek
- Stuart Henderson
- Thomas King