On Mon, 2 Apr 2001, J S Russell wrote:
> The problem is, you'd have to go back upstream quite a ways. To a major NAP or two in the US, you'd _have_ to take it back out of NZ, we're the ass-end of the net at best. :)
>
> It's not something with an easy answer.
Maybe :)

An interesting idea which came up at a meeting here a while ago:

As people might be aware, adding routes to null0 isn't the most effective way sometimes of dropping flood traffic. Sending it to an IP address, and then statically associating a bogus MAC address to that IP is often better - the router simply forwards the packet out onto the LAN, and the ethernet swallows it. This puts less load on the router. [1]

Now a thought I had while thinking about this... could a BGP community be agreed upon between peers, such that (for example) any static routes to the bogus IP/MAC on my router are exported to my upstream with this community set. They see the community, set the next-hop address to their version of the blackhole IP, and possibly pass it on further upstream.

Pro: A reasonably easy way to blackhole a target IP at upstream or peer ISPs without having to get their NOC to implement changes on routers. If the trust relationship for these communities extended far enough upstream, the target IP effectively disappears off the net.

Con: You'd have to trust the downstreams who are injecting these blackhole routes. This could be done with careful use of prefix or access-lists, allowing people to propagate /32 blackhole routes for IPs under their control.

Thoughts?

[1] Ok, so some configuration might also be needed on the switch to stop the traffic being flooded all over the place.

David Robb
---
Senior Network Engineer
IHUG NZ
"The Earth is a single point of failure"
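The policy an upstream would need for the scheme above (the "Con" part) is the interesting security piece: accept a downstream's blackhole route only if it carries the agreed community, is a host route, and falls inside address space that downstream actually controls, then rewrite the next-hop to the local discard address before installing or propagating it. The following is an added illustration of that import policy as a small Python simulation; it is not code from the post or from IHUG, and the community value `64496:666`, the discard address `192.0.2.1`, the bogus MAC and the peer prefixes are all constructed placeholders (documentation ASN and RFC 5737 ranges). Real routers express the same checks with a community-list, a per-neighbour prefix-list and a route-map that sets the next-hop.

```python
"""Simulation of a community-triggered blackhole import policy.

Models what an upstream router would do with routes received from a
downstream that wants a target IP dropped, as described in the post.
All identifiers below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

# Agreed-upon community between peers (assumed value; 64496 is a documentation ASN).
BLACKHOLE_COMMUNITY = "64496:666"
# Our local "sink" address: statically routed on the router, with a bogus MAC in
# the ARP table so the LAN swallows the traffic instead of the router CPU.
LOCAL_BLACKHOLE_NEXT_HOP = "192.0.2.1"
BOGUS_MAC = "00:00:5e:00:53:ff"   # constructed, never assigned to a real host


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    communities: frozenset


@dataclass(frozen=True)
class Peer:
    name: str
    allowed_prefixes: tuple       # address space this downstream is authorised for
    propagate_upstream: bool      # do we pass their blackholes further up?


def _within_allowed(net, peer):
    """True if the host route lies inside one of the peer's authorised prefixes."""
    for allowed in peer.allowed_prefixes:
        allowed_net = ipaddress.ip_network(allowed)
        if allowed_net.version == net.version and net.subnet_of(allowed_net):
            return True
    return False


def accept_blackhole(route, peer):
    """Apply the import policy to one received route.

    Returns (installed_route, reason). installed_route is None when rejected;
    otherwise it is the route with the next-hop rewritten to our sink address.
    """
    if BLACKHOLE_COMMUNITY not in route.communities:
        return None, "no blackhole community attached"
    net = ipaddress.ip_network(route.prefix, strict=False)
    if net.prefixlen != net.max_prefixlen:
        return None, "only host routes (/32 or /128) may be blackholed"
    if not _within_allowed(net, peer):
        return None, f"{route.prefix} is outside {peer.name}'s authorised space"
    installed = Route(str(net), LOCAL_BLACKHOLE_NEXT_HOP, route.communities)
    return installed, "installed"


def process_updates(peer, routes):
    """Run the policy over a batch of updates from one peer.

    Returns a dict with the routes installed locally, the routes we would
    re-advertise upstream (community preserved so they can do the same),
    and the rejections with their reasons.
    """
    installed, exported, rejected = {}, [], []
    for route in routes:
        result, reason = accept_blackhole(route, peer)
        if result is None:
            rejected.append((route.prefix, reason))
            continue
        installed[result.prefix] = result.next_hop
        if peer.propagate_upstream:
            exported.append(result)
    return {"installed": installed, "exported": exported, "rejected": rejected}


def sink_arp_entry():
    """The static ARP binding that makes the sink address harmless to forward to."""
    return (LOCAL_BLACKHOLE_NEXT_HOP, BOGUS_MAC)


if __name__ == "__main__":
    downstream = Peer("downstream-a", ("198.51.100.0/24",), propagate_upstream=True)
    updates = [
        Route("198.51.100.7/32", "198.51.100.254", frozenset({BLACKHOLE_COMMUNITY})),
        Route("203.0.113.9/32", "198.51.100.254", frozenset({BLACKHOLE_COMMUNITY})),
        Route("198.51.100.0/24", "198.51.100.254", frozenset({BLACKHOLE_COMMUNITY})),
        Route("198.51.100.8/32", "198.51.100.254", frozenset()),
    ]
    outcome = process_updates(downstream, updates)
    print("installed:", outcome["installed"])
    for prefix, why in outcome["rejected"]:
        print("rejected", prefix, "->", why)
```

The prefix check is what stops a downstream from using the community to knock a third party's address off the net; without it, the trust problem the post raises is real, since every upstream that honours the community would faithfully propagate the bogus route.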