Hi everyone,

I am stuck with bird, could you please give me a hint?

The setup: My router peers with Team Cymru to get fullbogons via BGP. I want to blackhole these routes using a filter. My filter looks like this:

filter blackhole {
	gw = 2001:db8::1;
	accept;
}

However, the kernel refuses to import my blackholed routes:

May 2 10:27:08 gw bird6: cymru1 > added [best] 2001:16a1::/32 via 2001:db8::1 on eth0
May 2 10:27:08 gw bird6: kernel1 < added 2001:16a1::/32 via 2001:db8::1 on eth0
May 2 10:27:08 gw bird6: cymru1 < rejected by protocol 2001:16a1::/32 via 2001:db8::1 on eth0

Any ideas how to accomplish blackholing? Other approaches maybe? Not that I like Cisco very much, but it is easier on their equipment :/

Here is the actual peering, just for the case it matters:

protocol bgp cymru1 {
	description "Cymru IPv6 fullbogons #1";
	local as 57821;
	neighbor 2620:0:6B0::26E5:4207 as 65332;
	source address 2001:67c:26f4::1;
	password "got lost during mail transfer somehow :)";
	multihop 20;
	import filter blackhole;
	export all;
}

Regards,

Dan

-- 
Dan Luedtke
http://www.danrl.de
On Wed, May 02, 2012 at 10:23:54AM +0200, Dan Luedtke wrote:
> Hi everyone,
> I am stuck with bird, could you please give me a hint?
> The setup: My router peers with Team Cymru to get fullbogons via BGP. I want to blackhole these routes using a filter. My filter looks like this:
> filter blackhole { gw = 2001:db8::1; accept; }
> ..
> Any ideas how to accomplish blackholing? Other approaches maybe?
It is not directly possible in the current version, but a patch is already in GIT (see attachment). With that, you could use 'dest = RTD_UNREACHABLE;' (or RTD_PROHIBIT or RTD_BLACKHOLE) to change the route destination type. Changing gw currently works only within one iface.

BTW, what is 2001:db8::1? Some well known blackhole address or just any address unreachable on the router?

Another idea is that if you use the 'gateway recursive' BGP option (default for iBGP), you could use 'bgp_next_hop = some_unreachable_ip;' in the BGP import filter to make the route unreachable.

-- 
Elen sila lumenn' omentielvo
Ondrej 'SanTiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
On Fri, 04 May 2012, Ondrej Zajicek wrote:
> It is not directly possible in current version, but patch is already in GIT (see attachment). With that, you could use 'dest = RTD_UNREACHABLE;' (or RTD_PROHIBIT or RTD_BLACKHOLE) to change route destination type. Changing gw currently works only within one iface.
Yay! This will be quite useful.
> BTW, what is 2001:db8::1? Some well known blackhole address or just any address unreachable on the router?
It is the documentation prefix for IPv6, same as 192.0.2.0/24 for IPv4 (which is a common prefix to abuse for discard gateways).
> Another idea is that if you use 'gateway recursive' BGP option (default for iBGP), you could use 'bgp_next_hop = some_unreachable_ip;' in BGP import filter to make the route unreachable.
That can cause problems if someone finds a way to make that route reachable...

-- 
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
On Fri, 04 May 2012, Ondrej Zajicek wrote:
> It is not directly possible in current version, but patch is already in GIT (see attachment). With that, you could use 'dest = RTD_UNREACHABLE;' (or RTD_PROHIBIT or RTD_BLACKHOLE) to change route destination type. Changing gw currently works only within one iface.

The whole RTD_BLACKHOLE thingy was read-only before, right? I remember that I tried this in the first place but something in the documentation stopped me at some point.

So, in the future, RTD_BLACKHOLE plus a high preference would prevent the bogon routes from being overwritten if someone announces them accidentally.

Nice feature, I'll give it a try as soon as it shows up in bird's debian repo.

-- 
Dan Luedtke
http://www.danrl.de
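The configuration the thread converges on, written out as an added example (not posted by anyone in the thread and not BIRD's own documentation): it assumes a BIRD release in which the 'dest' attribute is writable (1.3.8 or later, per Ondrej's patch), keeps the protocol names cymru1 and kernel1 from Dan's setup, and uses a preference of 200 and 'export none' on the bogon session as my own choices rather than values taken from the thread.

```bird
# Added example: blackholing a full-bogon feed with a writable 'dest'
# (BIRD 1.3.8+). Protocol names follow the thread; the preference value
# and the 'export none' on the bogon session are assumptions.
filter blackhole {
	# Discard matching packets in the kernel. No gateway address or
	# interface is attached, so the kernel protocol accepts the route
	# instead of rejecting a next hop it cannot resolve.
	dest = RTD_BLACKHOLE;
	# Outrank an ordinary BGP route (default preference 100) so that a
	# bogon prefix accidentally announced by a regular peer does not
	# replace the blackhole in the routing table.
	preference = 200;
	accept;
}

protocol bgp cymru1 {
	description "Cymru IPv6 fullbogons #1";
	local as 57821;
	neighbor 2620:0:6B0::26E5:4207 as 65332;
	source address 2001:67c:26f4::1;
	password "PLACEHOLDER-SET-YOUR-OWN";
	multihop 20;
	import filter blackhole;
	# The feed is consume-only; nothing from the local table is announced
	# back to it.
	export none;
}

protocol kernel kernel1 {
	# Push the blackhole routes into the kernel so packets are dropped
	# at the forwarding plane.
	export all;
}
```

After a reload, `birdc6 show route` lists the feed's prefixes with a `blackhole` destination, and on Linux `ip -6 route show` prints them as `blackhole <prefix>` rather than `via <gateway>`. Compared with the 'gateway recursive' / 'bgp_next_hop' alternative, this form has no next hop to resolve, so the route cannot later become reachable if someone manages to announce a path to the decoy gateway address, which is the failure mode Henrique points out.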
On Mon, May 07, 2012 at 08:13:53AM +0200, Dan Luedtke wrote:
> On Fri, 04 May 2012, Ondrej Zajicek wrote:
> > It is not directly possible in current version, but patch is already in GIT (see attachment). With that, you could use 'dest = RTD_UNREACHABLE;' (or RTD_PROHIBIT or RTD_BLACKHOLE) to change route destination type. Changing gw currently works only within one iface.
>
> THE hole RTD_BLACKHOLE-thingy was read-only before, right? I remember that I tried this in the first place but something in the documentation stopped me at some point.

Yes, the dest attribute is read-only in the current release.

-- 
Elen sila lumenn' omentielvo
Ondrej 'SanTiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
On Fri, May 04, 2012 at 10:38:12AM +0200, Ondrej Zajicek wrote:
> It is not directly possible in current version, but patch is already in GIT (see attachment). With that, you could use 'dest = RTD_UNREACHABLE;' (or RTD_PROHIBIT or RTD_BLACKHOLE) to change route destination type.

This is good news! Waiting for 1.3.8...
Participants (4):
- Dan Luedtke
- Henrique de Moraes Holschuh
- Oleg
- Ondrej Zajicek