Selective blackholing
How to use & implement

Job Snijders
job@ntt.net

APRICOT 2015

Who am I?

Job Snijders
NTT Communications
Founder of NLNOG RING

Twitter: @JobSnijders
Email: job@instituut.net

Hobbies: IP Routing, LISP, MPLS, IPv6, RPSL
Shoe size: 45/EU

APRICOT 2015 - Job Snijders - Selective Blackholing 2

Agenda

•  What is “selective blackholing”?
•  Definition
•  Examples based on RIPE ATLAS
•  How to set up selective blackholing as a carrier
•  Defining scopes
•  Route-maps
•  Some python

What is selective blackholing?

Selective blackholing ~ selective discarding

1. Use BGP communities to instruct your Service Provider to discard packets when certain conditions are met.

2. A region of space-time from which gravity prevents anything, including light, from escaping, except the colour purple.

What does it matter?!

Content is most often the victim (webshop, gameserver, webserver)

Most prefixes/content have a geographical significance which decreases as distance between the sender and receiver increases.
(theorem stems from sFlow data gathered at global ISP).

In other words: Chances are a Japanese web-shop owner cares most about Japanese eyeballs.

Scope is relevant!

What’s wrong with normal blackholing?

Classic blackholing is an all or nothing proposition:

you throw away all revenue generated by the victim IP address, in order to avoid congesting your upstream links.

Damage control is not mitigation

Selective blackholing should be considered as yet another tool in the toolbox when under duress.

Assertion #1:
“it is better to remain partially reachable than not reachable at all during a DDoS attack”

Assertion #2:
“I can take a percentage of the DDoS traffic, but not all”

Effects: Discard outside 1000 KM radius

Customer connects in Amsterdam, Netherlands
White dot means traffic cannot reach destination
Colored dot implies reachability

Effects: Discard outside ‘this’ country

White dot means traffic cannot reach destination
Color dot implies reachability, Customer connected in Amsterdam, NL

White dot means traffic cannot reach destination
Color dot implies reachability
‘discard outside NL’ is perfect reachability inside NL

2914:664 - “only blackhole outside the country the announcement originated”

Part 2: How to set this up as carrier

Focus on four features:

Scope                       End-user BGP community
Outside ‘This’ country      15562:664
Outside ‘This’ continent    15562:660
Outside 1000 KM radius      15562:663
Outside 2500 KM radius      15562:662

‘This’ means ‘where the customer interconnection is located’

Distance is from Edge router to Edge router in the SP’s network “as the crow flies” (not actual optical fiber path length!). Can only be guaranteed for own backbone

Assign your routers some integers

name     Continent id   ISO 3166-1   City ID   Latitude, Longitude
tky.jp   3              392          46        35.65671, 139.80342
sjo.us   1              840          29        37.44569, -122.16111
dal.us   1              840          33        32.80096, -96.81962
nyc.us   1              840          26        40.71780, -74.00885
lon.uk   2              276          23        51.51173, -0.00197
ams.nl   2              528          20        52.35600, 4.95068
sto.se   2              752          22        59.36264, 17.95560

Router specific configuration – IOS’ish

nyc.us:
ip community-list THIS:METRO seq 5 permit 65123:10026
ip community-list THIS:COUNTRY seq 5 permit 65123:840
ip community-list THIS:CONTINENT seq 5 permit 65123:1000

lon.uk:
ip community-list THIS:METRO seq 5 permit 65123:20023
ip community-list THIS:COUNTRY seq 5 permit 65123:276
ip community-list THIS:CONTINENT seq 5 permit 65123:2000

ams.nl:
ip community-list THIS:METRO seq 5 permit 65123:20020
ip community-list THIS:COUNTRY seq 5 permit 65123:528
ip community-list THIS:CONTINENT seq 5 permit 65123:2000

…… etc!

What happens where?

iBGP inbound route-map

ip route 10.0.0.1 255.255.255.255 null0
route-map INBOUND-IBGP permit 100
match community 15562:666 ! classic blackhole community
set ip next-hop 10.0.0.1 ! discard
route-map INBOUND-IBGP permit 200
match community 15562:660 15562:662 15562:663 15562:664
continue 1100 ! Jump over regular ‘accept’ @ 1000
! towards scope checking
route-map INBOUND-IBGP permit 1000
! No match statement == accept anything
route-map INBOUND-IBGP permit 1100
match community THIS:METRO THIS:COUNTRY THIS:CONTINENT
! If match is found, accept prefix and stop
! evaluating the route-map
route-map INBOUND-IBGP permit 1101 ! Anything that arrives here: discard
set ip next-hop 10.0.0.1
Customer facing route-map

route-map IMPORT:FROM:CUSTOMER-A permit 200
match ip address prefix-list CUSTOMER-A-PREFIXES
match community 15562:666
set community no-export additive
set ip next-hop 10.0.0.1
route-map IMPORT:FROM:CUSTOMER-A permit 300
match ip address prefix-list CUSTOMER-A-PREFIXES
match community SCOPED:ACTION
continue 600 ! Remember this jump !
route-map IMPORT:FROM:CUSTOMER-A permit 400
match ip address prefix-list CUSTOMER-A-PREFIXES
set local-preference 650
route-map IMPORT:FROM:CUSTOMER-A deny 500
Customer facing (cont.)

Add/Rewrite scoping information when a ‘scoped action’ is used

route-map IMPORT:FROM:CUSTOMER-A permit 600 ! Here is 600 again
match community OUTSIDE:1000KM:RADIUS:DISCARD ! 15562:663
set community 65123:10029 additive
route-map IMPORT:FROM:CUSTOMER-A permit 700
match community OUTSIDE:2500KM:RADIUS:DISCARD ! 15562:662
set community 65123:10033 65123:10029 additive
route-map IMPORT:FROM:CUSTOMER-A permit 900
match community OUTSIDE:THIS:COUNTRY:DISCARD ! 15562:664
set community 65123:840 additive
route-map IMPORT:FROM:CUSTOMER-A permit 1100
match community OUTSIDE:THIS:CONTINENT:DISCARD ! 15562:660
set community 65123:1000 additive
What happens where?
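To answer “what happens where” in text rather than in a picture, here is a small simulator of the customer-facing route-map (slides 18-19) and the iBGP inbound route-map (slide 17); it is an added example, not code from the deck. It assumes the announcement enters at nyc.us and passes the prefix-list, that SCOPED:ACTION matches any of the four scoped communities, that the rewrite targets for nyc.us are the ones the calculator printed on slide 22 (country and continent targets as on slide 19), that every router’s THIS:* lists follow the slide 15 pattern, and that after a ‘continue’ the first matching clause wins while an earlier permit stands if none matches.

```python
"""Added example (not from the deck): customer-facing + iBGP inbound
route-map simulator for one selective-blackhole announcement."""

DISCARD_NEXT_HOP = "10.0.0.1"   # ip route 10.0.0.1 255.255.255.255 null0
CLASSIC_BLACKHOLE = "15562:666"
# Scoped communities in the order of clauses 600, 700, 900, 1100.
SCOPED_ACTION = ("15562:663", "15562:662", "15562:664", "15562:660")

# Assumed rewrite targets at the ingress router nyc.us (slide 22 output for
# the radius scopes, slide 19 values for country/continent).
REWRITE_AT_NYC = {
    "15562:663": {"65123:10026"},                 # outside 1000 km radius
    "15562:662": {"65123:10026", "65123:10033"},  # outside 2500 km radius
    "15562:664": {"65123:840"},                   # outside this country
    "15562:660": {"65123:1000"},                  # outside this continent
}

# THIS:METRO, THIS:COUNTRY, THIS:CONTINENT per router (slide 15 pattern,
# extended to the other routers of slide 14).
THIS = {
    "nyc.us": {"65123:10026", "65123:840", "65123:1000"},
    "dal.us": {"65123:10033", "65123:840", "65123:1000"},
    "sjo.us": {"65123:10029", "65123:840", "65123:1000"},
    "lon.uk": {"65123:20023", "65123:276", "65123:2000"},
    "ams.nl": {"65123:20020", "65123:528", "65123:2000"},
    "tky.jp": {"65123:30046", "65123:392", "65123:3000"},
}


def import_from_customer(communities, rewrite=REWRITE_AT_NYC):
    """route-map IMPORT:FROM:CUSTOMER-A. Returns (communities, next_hop,
    local_pref); next_hop is the discard address when blackholed at the edge."""
    comms = set(communities)
    if CLASSIC_BLACKHOLE in comms:               # seq 200: classic blackhole
        comms.add("no-export")                   # set community no-export additive
        return comms, DISCARD_NEXT_HOP, None     # set ip next-hop 10.0.0.1
    if any(c in comms for c in SCOPED_ACTION):  # seq 300: continue 600
        for scoped in SCOPED_ACTION:             # seq 600/700/900/1100 in order
            if scoped in comms:
                comms |= rewrite[scoped]         # set community ... additive
                break                            # first matching clause wins
        return comms, None, None                 # seq 400 was jumped over
    return comms, None, 650                      # seq 400: local-preference 650


def inbound_ibgp(router, communities):
    """route-map INBOUND-IBGP as evaluated on `router`: 'accept' or 'discard'."""
    comms = set(communities)
    if CLASSIC_BLACKHOLE in comms:               # seq 100: next-hop null0
        return "discard"
    if any(c in comms for c in SCOPED_ACTION):  # seq 200: continue 1100
        if comms & THIS[router]:                 # seq 1100: inside scope, keep
            return "accept"
        return "discard"                         # seq 1101: outside scope
    return "accept"                              # seq 1000: no match == accept


def what_happens_where(customer_communities, ingress="nyc.us"):
    """Per-router verdict for one announcement learned at `ingress`: the
    ingress router runs the customer-facing map, every other router runs the
    iBGP inbound map on the rewritten announcement."""
    comms, next_hop, _ = import_from_customer(customer_communities)
    verdict = {}
    for router in sorted(THIS):
        if router == ingress:
            verdict[router] = "discard" if next_hop == DISCARD_NEXT_HOP else "accept"
        else:
            verdict[router] = inbound_ibgp(router, comms)
    return verdict


if __name__ == "__main__":
    for tag in ([], ["15562:666"], ["15562:663"], ["15562:662"], ["15562:664"]):
        print(tag or "no community", what_happens_where(tag))
```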
  
But wait a second… how do you figure out what needs to be rewritten to… what?

Gratis download!
http://instituut.net/~job/example_community_calculator.py

Proof: Software is cool – SDN finally arrived!

derp:~ job$ wget -q http://instituut.net/~job/example_community_calculator.py
derp:~ job$ python example_community_calculator.py
r1.lon.uk - rewrite targets:
1000 km: 65123:20020 65123:276
2500 km: 65123:2000
r1.dal.us - rewrite targets:
1000 km: 65123:10033
2500 km: 65123:840
r1.sjo.us - rewrite targets:
1000 km: 65123:10029
2500 km: 65123:10033 65123:10029
r1.nyc.us - rewrite targets:
1000 km: 65123:10026
2500 km: 65123:10026 65123:10033
<snip>
The integers in essence provide groupings of routers, which the software/route-maps use

COMM/RTR   :276   :2000   :10033   :840   :10029   :10026   :30046   :20022   :20020
ams.nl     X   X
lon.uk     X   X
sto.se     X   X
nyc.us     X   X
dal.us     X   X
sjo.us     X   X
tky.jp     X

(incomplete table, but you get the gist… )
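As an added example (not the deck’s example_community_calculator.py), the following derives the 65123:* scoping communities from the integers of slide 14 and computes the per-router rewrite targets for the 1000 km and 2500 km scopes, which is what the calculator output on slide 22 lists. The assumptions are mine: metro = continent*10000 + city id, continent = continent*1000 and country = ISO 3166-1 numeric (these reproduce the community-lists on slide 15), haversine great-circle distance, and a collapsing rule that uses a continent or country community only when every router of that group in the table lies inside the radius; because the deck’s router table is incomplete, the output for these seven routers is not identical to slide 22.

```python
"""Added example (not from the deck): scoping communities and rewrite
targets from the router integers on slide 14."""
import math
from collections import namedtuple

Router = namedtuple("Router", "continent country city lat lon")

# Router integers exactly as on slide 14.
ROUTERS = {
    "tky.jp": Router(3, 392, 46, 35.65671, 139.80342),
    "sjo.us": Router(1, 840, 29, 37.44569, -122.16111),
    "dal.us": Router(1, 840, 33, 32.80096, -96.81962),
    "nyc.us": Router(1, 840, 26, 40.71780, -74.00885),
    "lon.uk": Router(2, 276, 23, 51.51173, -0.00197),
    "ams.nl": Router(2, 528, 20, 52.35600, 4.95068),
    "sto.se": Router(2, 752, 22, 59.36264, 17.95560),
}

SCOPE_ASN = 65123   # private ASN carrying the scoping communities (slide 15)


def haversine_km(a, b):
    """Great-circle distance between two routers, 'as the crow flies'."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dphi = p2 - p1
    dlmb = math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(h))


def metro_community(rtr):
    # Assumed encoding: continent id * 10000 + city id (matches slide 15).
    return f"{SCOPE_ASN}:{rtr.continent * 10000 + rtr.city}"


def country_community(rtr):
    return f"{SCOPE_ASN}:{rtr.country}"        # ISO 3166-1 numeric


def continent_community(rtr):
    return f"{SCOPE_ASN}:{rtr.continent * 1000}"


def this_lists(name):
    """THIS:METRO, THIS:COUNTRY, THIS:CONTINENT values for one router."""
    rtr = ROUTERS[name]
    return metro_community(rtr), country_community(rtr), continent_community(rtr)


def rewrite_targets(src, radius_km, table=ROUTERS):
    """Communities to add to a 'discard outside <radius>' announcement that
    enters the backbone at `src`, so that only routers inside the radius
    keep the prefix. Assumed rule: collapse to the coarsest group (continent,
    then country) whose every router is in range, else list metros."""
    within = {n for n, r in table.items() if haversine_km(table[src], r) <= radius_km}
    targets = set()
    for cont in {table[n].continent for n in within}:
        cont_members = {n for n, r in table.items() if r.continent == cont}
        if cont_members <= within:             # whole continent in range
            targets.add(f"{SCOPE_ASN}:{cont * 1000}")
            continue
        for country in {table[n].country for n in within if table[n].continent == cont}:
            members = {n for n, r in table.items() if r.country == country}
            if members <= within:              # whole country in range
                targets.add(f"{SCOPE_ASN}:{country}")
            else:                              # only some metros in range
                targets.update(metro_community(table[n]) for n in members & within)
    return sorted(targets)


if __name__ == "__main__":
    for name in ROUTERS:
        print(f"r1.{name} - rewrite targets:")
        for radius in (1000, 2500):
            print(f"{radius} km:", " ".join(rewrite_targets(name, radius)))
```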
  
Considerations

•  Automate all route-map deployments (actually, automate everything!)
•  Use or make a CMDB where you store integers
•  Selective Blackholing is a pretty advanced feature.. with very little router specific configuration :-)
•  Can be deployed on any vendor. Crappy vendors are not an excuse. This requires no extra CAPEX
•  Customers don’t ask for this feature because they don’t know it exists (yet)
•  Saves both the service provider and customer money: win/win

Selective blackholing at NTT / AS2914

available today!

BGP Community   Routing policy
2914:666        Global discard / classic blackhole
2914:660        Only blackhole outside the region
2914:664        Only blackhole outside the country
2914:661        Only blackhole inside the region
2914:663        Only blackhole inside the country

And you, as a customer?

Announce the selective blackhole prefix but don’t blackhole it yourself! To achieve “blackhole outside this region”:

This is probably bad:

set routing-options rib inet6.0 static route 2001:67c:208c::2/128 discard community 2914:660

Something like this is better:

set routing-options rib inet6.0 static route 2001:67c:208c::2/128 no-install community 2914:660

(With ‘discard’ your own router throws away the traffic the carrier still delivers from inside the region, which defeats the scoped blackhole; ‘no-install’ keeps the static route in the routing table so it is still announced with the community, but never installs it in the forwarding table.)

NANOG63 - Job Snijders - Selective Blackholing 26

Questions?

Ask now, or email job@ntt.net

Resources & Credits

Technical narrative in text form:
http://mailman.nanog.org/pipermail/nanog/2014-February/064381.html

I want to thank Saku Ytti, Torsten Blum and Peter van Dijk for contributing to this methodology.

More Related Content

Similar to Selective blackholing - how to use & implement

NPM10.5 Come See Whats New
NPM10.5 Come See Whats NewNPM10.5 Come See Whats New
NPM10.5 Come See Whats New
SolarWinds
 

Similar to Selective blackholing - how to use & implement (20)

apidays Paris 2022 - The Magic of Service Mesh, Charly Molter, Kong
apidays Paris 2022 - The Magic of Service Mesh, Charly Molter, Kongapidays Paris 2022 - The Magic of Service Mesh, Charly Molter, Kong
apidays Paris 2022 - The Magic of Service Mesh, Charly Molter, Kong
 
CCNA17 CloudStack and NFV
CCNA17 CloudStack and NFVCCNA17 CloudStack and NFV
CCNA17 CloudStack and NFV
 
An IPv6 Update
An IPv6 UpdateAn IPv6 Update
An IPv6 Update
 
SLT-IX Setting up an Internet Exchange : Sri Lankan experience
SLT-IX Setting up an Internet Exchange : Sri Lankan experienceSLT-IX Setting up an Internet Exchange : Sri Lankan experience
SLT-IX Setting up an Internet Exchange : Sri Lankan experience
 
Service Mesh @Lara Camp Myanmar - 02 Sep,2023
Service Mesh @Lara Camp Myanmar - 02 Sep,2023Service Mesh @Lara Camp Myanmar - 02 Sep,2023
Service Mesh @Lara Camp Myanmar - 02 Sep,2023
 
In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021
In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021
In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021
 
Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!
 
NPM10.5 Come See Whats New
NPM10.5 Come See Whats NewNPM10.5 Come See Whats New
NPM10.5 Come See Whats New
 
Automating Networks by using API
Automating Networks by using APIAutomating Networks by using API
Automating Networks by using API
 
DDoS Attacks - Scenery, Evolution and Mitigation
DDoS Attacks - Scenery, Evolution and MitigationDDoS Attacks - Scenery, Evolution and Mitigation
DDoS Attacks - Scenery, Evolution and Mitigation
 
Automating Networks by Converting into API/Webs
Automating Networks by Converting into API/WebsAutomating Networks by Converting into API/Webs
Automating Networks by Converting into API/Webs
 
CloudStack and NFV
CloudStack and NFVCloudStack and NFV
CloudStack and NFV
 
WiFi – Mobile BNG Offload Deployments
WiFi – Mobile BNG Offload DeploymentsWiFi – Mobile BNG Offload Deployments
WiFi – Mobile BNG Offload Deployments
 
Things I wish I had known about IPv6 before I started
Things I wish I had known about IPv6 before I startedThings I wish I had known about IPv6 before I started
Things I wish I had known about IPv6 before I started
 
Who's Watching, by Geoff Huston [APNIC 38 / Technical Keynote]
Who's Watching, by Geoff Huston [APNIC 38 / Technical Keynote]Who's Watching, by Geoff Huston [APNIC 38 / Technical Keynote]
Who's Watching, by Geoff Huston [APNIC 38 / Technical Keynote]
 
Successfully Interconnecting Data Centers
Successfully Interconnecting Data CentersSuccessfully Interconnecting Data Centers
Successfully Interconnecting Data Centers
 
Route Hijaking and the role of RPKI
Route Hijaking and the role of RPKIRoute Hijaking and the role of RPKI
Route Hijaking and the role of RPKI
 
IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...
IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...
IoT Field Area Network Solutions & Integration of IPv6 Standards by Patrick G...
 
CoAP Course for m2m and Internet of Things scenarios
CoAP Course for m2m and Internet of Things scenariosCoAP Course for m2m and Internet of Things scenarios
CoAP Course for m2m and Internet of Things scenarios
 
GATTacking Bluetooth Smart
GATTacking Bluetooth SmartGATTacking Bluetooth Smart
GATTacking Bluetooth Smart
 

More from APNIC

More from APNIC (20)

APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023
 

Recently uploaded

Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Monica Sydney
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理
F
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
ydyuyu
 
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
ydyuyu
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
F
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
ydyuyu
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Monica Sydney
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
JOHNBEBONYAP1
 

Recently uploaded (20)

Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency Dallas
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
 
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
 
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime BalliaBallia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
 

Selective blackholing - how to use & implement

  • 1. Selec%ve  blackholing   How  to  use  &  implement       Job  Snijders   job@n=.net     APRICOT  2015  
  • 2. Who  am  I?   Job  Snijders     NTT  Communica%ons     Founder  of  NLNOG  RING     Twi=er:  @JobSnijders   Email:  job@ins%tuut.net     Hobbies:  IP  Rou%ng,  LISP,  MPLS,  IPv6,  RPSL     Shoe  size:  45/EU     APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   2  
  • 3. Agenda   •  What  is  “selec&ve  blackholing”?   •  Defini%on   •  Examples  based  on  RIPE  ATLAS   •  How  to  set  up  selec%ve  blackholing  as  a  carrier   •  Defining  scopes   •  Route-­‐maps   •  Some  python   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   3  
  • 4. What  is  selec%ve  blackholing?   Selec%ve  blackholing  ~  selec%ve  discarding      1.  Use  BGP  communi%es  to  instruct  your  Service   Provider  to  discard  packets  when  certain  condi0ons   are  met.      2.  A  region  of  space-­‐%me  from  which  gravity   prevents  anything,  including  light,  from  escaping,   except  the  colour  purple.     APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   4  
  • 5. What  does  it  ma=er?!   Content  is  most  oben  the  vic%m  (webshop,   gameserver,  webserver)     Most  prefixes/content  have  a  geographical   significance  which  decreases  as  distance  between  the   sender  and  receiver  increases.      (theorem  stems  from  sFlow  data  gathered  at  global  ISP).   In  other  words:  Chances  are  a  Japanese  web-­‐shop   owner  cares  most  about  Japanese  eyeballs.   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   5  
  • 6. Scope  is  relevant!   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   6  
  • 7. What’s  wrong  with  normal   blackholing?   Classic  blackholing  is  an  all  or  nothing  proposi0on:     you  throw  away  all  revenue  generated  by  the  vic%m   IP  address,  in  order  to  avoid  conges%ng  your   upstream  links.   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   7  
  • 8. Damage  control  is  not  mi%ga%on   Selec%ve  blackholing  should  be  considered  as  yet   another  tool  in  the  toolbox  when  under  duress.     Asser%on  #1:    “it  is  be6er  to  remain  par&ally  reachable  than  not   reachable  at  all  during  a  DDoS  a6ack”     Asser%on  #2:    “I  can  take  a  percentage  of  the  DDoS  traffic,  but   not  all”       APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   8  
  • 9. Effects:   Discard  outside  1000  KM  radius   Customer  connects  in  Amsterdam,  Netherlands   White  dot  means  traffic  cannot  reach  des%na%on   Colored  dot  implies  reachability   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   9  
  • 10. Effects:   Discard  outside  ‘this’  country   White  dot  means  traffic  cannot  reach  des%na%on   Color  dot  implies  reachability,  Customer  connected  in  Amsterdam,  NL   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   10  
  • 11. White  dot  means  traffic  cannot  reach  des%na%on   Color  dot  implies  reachability   ‘discard  outside  NL’  is  perfect   reachability  inside  NL   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   11  
  • 12. 2914:664  -­‐  “only  blackhole  outside  the   country  the  announcement   originated”   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   12  
  • 13. Part  2:  How  to  set  this  up  as  carrier   Focus  on  four  features:   Scope   End-­‐user  BGP  community   Outside  ‘This’  country   15562:664   Outside  ‘This’  con%nent   15562:660   Outside  1000  KM  radius   15562:663   Outside  2500  KM  radius   15562:662   ‘This’  means  ‘where  the  customer  interconnec%on  is  located’     Distance  is  from  Edge  router  to  Edge  router  in  the  SP’s  network  “as  the   crow  flies”  (not  actual  op%cal  fiber  path  length!).  Can  only  be   guaranteed  for  own  backbone   APRICOT  2015    -­‐  Job  Snijders  -­‐  Selec%ve  Blackholing   13  
• 14. Assign your routers some integers

name     Continent id   ISO3166-1   City ID   Latitude, Longitude
tky.jp   3              392         46        35.65671, 139.80342
sjo.us   1              840         29        37.44569, -122.16111
dal.us   1              840         33        32.80096, -96.81962
nyc.us   1              840         26        40.71780, -74.00885
lon.uk   2              276         23        51.51173, -0.00197
ams.nl   2              528         20        52.35600, 4.95068
sto.se   2              752         22        59.36264, 17.95560
• 15. Router specific configuration – IOS'ish
nyc.us:
 ip community-list THIS:METRO seq 5 permit 65123:10026
 ip community-list THIS:COUNTRY seq 5 permit 65123:840
 ip community-list THIS:CONTINENT seq 5 permit 65123:1000
lon.uk:
 ip community-list THIS:METRO seq 5 permit 65123:20023
 ip community-list THIS:COUNTRY seq 5 permit 65123:276
 ip community-list THIS:CONTINENT seq 5 permit 65123:2000
ams.nl:
 ip community-list THIS:METRO seq 5 permit 65123:20020
 ip community-list THIS:COUNTRY seq 5 permit 65123:528
 ip community-list THIS:CONTINENT seq 5 permit 65123:2000
...... etc!
• 16. What happens where?
• 17. iBGP inbound route-map
 ip route 10.0.0.1 255.255.255.255 null0
 route-map INBOUND-IBGP permit 100
  match community 15562:666 ! classic blackhole community
  set ip next-hop 10.0.0.1 ! discard
 route-map INBOUND-IBGP permit 200
  match community 15562:660 15562:662 15562:663 15562:664
  continue 1100 ! Jump over regular 'accept' @ 1000
  ! towards scope checking
 route-map INBOUND-IBGP permit 1000
  ! No match statement == accept anything
 route-map INBOUND-IBGP permit 1100
  match community THIS:METRO THIS:COUNTRY THIS:CONTINENT
  ! If match is found, accept prefix and stop
  ! evaluating the route-map
 route-map INBOUND-IBGP permit 1101
  ! Anything that arrives here: discard
  set ip next-hop 10.0.0.1
(Pseudo-config: on real IOS the literal communities in the 'match community' statements at 100 and 200 would be referenced through named community-lists, as THIS:METRO etc. are.)
• 18. Customer facing route-map
 route-map IMPORT:FROM:CUSTOMER-A permit 200
  match ip address prefix-list CUSTOMER-A-PREFIXES
  match community 15562:666
  set community no-export additive
  set ip next-hop 10.0.0.1
 route-map IMPORT:FROM:CUSTOMER-A permit 300
  match ip address prefix-list CUSTOMER-A-PREFIXES
  match community SCOPED:ACTION
  continue 600 ! Remember this jump !
 route-map IMPORT:FROM:CUSTOMER-A permit 400
  match ip address prefix-list CUSTOMER-A-PREFIXES
  set local-preference 650
 route-map IMPORT:FROM:CUSTOMER-A deny 500
• 19. Customer facing (cont.)
Add/rewrite scoping information when a 'scoped action' is used
 route-map IMPORT:FROM:CUSTOMER-A permit 600 ! Here is 600 again
  match community OUTSIDE:1000KM:RADIUS:DISCARD ! 15562:663
  set community 65123:10029 additive
 route-map IMPORT:FROM:CUSTOMER-A permit 700
  match community OUTSIDE:2500KM:RADIUS:DISCARD ! 15562:662
  set community 65123:10033 65123:10029 additive
 route-map IMPORT:FROM:CUSTOMER-A permit 900
  match community OUTSIDE:THIS:COUNTRY:DISCARD ! 15562:664
  set community 65123:840 additive
 route-map IMPORT:FROM:CUSTOMER-A permit 1100
  match community OUTSIDE:THIS:CONTINENT:DISCARD ! 15562:660
  set community 65123:1000 additive
• 20. What happens where?
• 21. But wait a second... how do you figure out what needs to be rewritten to... what?
Gratis download! http://instituut.net/~job/example_community_calculator.py
• 22. Proof: Software is cool – SDN finally arrived!
 derp:~ job$ wget -q http://instituut.net/~job/example_community_calculator.py
 derp:~ job$ python example_community_calculator.py
 r1.lon.uk - rewrite targets:
   1000 km: 65123:20020 65123:276
   2500 km: 65123:2000
 r1.dal.us - rewrite targets:
   1000 km: 65123:10033
   2500 km: 65123:840
 r1.sjo.us - rewrite targets:
   1000 km: 65123:10029
   2500 km: 65123:10033 65123:10029
 r1.nyc.us - rewrite targets:
   1000 km: 65123:10026
   2500 km: 65123:10026 65123:10033
 <snip>
• 23. The integers in essence provide groupings of routers, which the software/route-maps use

COMM/RTR  :276    :2000   :10033  :840    :10029  :10026  :30046  :20022  :20020
ams.nl            X                                                       X
lon.uk    X       X
sto.se            X                                               X
nyc.us                            X               X
dal.us                    X       X
sjo.us                            X       X
tky.jp                                                    X

(incomplete table, but you get the gist...)
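The rewrite targets of slides 19 and 22 can be derived from the slide 14 table. This is an added Python example, not the author's example_community_calculator.py: it computes which 65123:* scoping communities each router's customer-facing route-map should attach for the 1000 km and 2500 km actions (great-circle distance, collapsing to a country or continent community whenever that whole group is in range) and then replays the slide 17 inbound iBGP decision on every router. It assumes only the seven routers from slide 14, so where the author's fuller data set gave 65123:840 for dal.us at 2500 km, this table, whose continent 1 holds only US routers, yields 65123:1000.

```python
import math
# Constructed from the slide 14 table: name -> (continent, ISO3166-1 numeric, city id, lat, lon)
ROUTERS = {
    "tky.jp": (3, 392, 46, 35.65671, 139.80342),
    "sjo.us": (1, 840, 29, 37.44569, -122.16111),
    "dal.us": (1, 840, 33, 32.80096, -96.81962),
    "nyc.us": (1, 840, 26, 40.71780, -74.00885),
    "lon.uk": (2, 276, 23, 51.51173, -0.00197),
    "ams.nl": (2, 528, 20, 52.35600, 4.95068),
    "sto.se": (2, 752, 22, 59.36264, 17.95560),
}
ASN = 65123                                              # private ASN of the internal scoping communities
RADIUS_ACTION = {1000: "15562:663", 2500: "15562:662"}   # end-user communities from slide 13

def distance_km(a, b):
    """Great-circle distance between two routers (haversine, 'as the crow flies')."""
    lat1, lon1, lat2, lon2 = map(math.radians, ROUTERS[a][3:] + ROUTERS[b][3:])
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def this_communities(name):
    """(THIS:CONTINENT, THIS:COUNTRY, THIS:METRO) of a router: the slide 15 community lists."""
    continent, country, city = ROUTERS[name][:3]
    return (f"{ASN}:{continent * 1000}", f"{ASN}:{country}", f"{ASN}:{continent * 10000 + city}")

def rewrite_targets(name, radius_km):
    """Scoping communities the customer-facing route-map on `name` adds for a radius action."""
    in_range = {r for r in ROUTERS if distance_km(name, r) <= radius_km}
    out, covered = set(), set()
    for level in (0, 1):                                 # whole continents first, then whole countries
        for value in {ROUTERS[r][level] for r in in_range - covered}:
            members = {r for r in ROUTERS if ROUTERS[r][level] == value}
            if members <= in_range:                      # entire group in range: one community suffices
                out.add(this_communities(next(iter(members)))[level])
                covered |= members
    out |= {this_communities(r)[2] for r in in_range - covered}   # the rest get their metro community
    return sorted(out)

def ibgp_accepts(router, communities):
    """Model of the INBOUND-IBGP route-map on slide 17: True = install, False = route to null0."""
    if "15562:666" in communities:                       # seq 100: classic blackhole, discard everywhere
        return False
    if communities & {"15562:660", "15562:662", "15562:663", "15562:664"}:   # seq 200 -> continue 1100
        return bool(communities & set(this_communities(router)))             # seq 1100 keeps, 1101 discards
    return True                                          # seq 1000: ordinary route, accept

def reachable_from(ingress, radius_km):
    """Routers that still forward to a prefix the customer announced at `ingress` with a radius action."""
    communities = {RADIUS_ACTION[radius_km], *rewrite_targets(ingress, radius_km)}
    return sorted(r for r in ROUTERS if ibgp_accepts(r, communities))
```

Calling rewrite_targets("sjo.us", 2500) gives the two metro communities the slide 19 route-map sets at sequence 700, and reachable_from("sjo.us", 1000) shows that only sjo.us keeps the route, which is the "what happens where" picture.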
• 24. Considerations
•  Automate all route-map deployments (actually, automate everything!)
•  Use or make a CMDB where you store the integers
•  Selective blackholing is a pretty advanced feature.. with very little router specific configuration :)
•  Can be deployed on any vendor. Crappy vendors are not an excuse. This requires no extra CAPEX
•  Customers don't ask for this feature because they don't know it exists (yet)
•  Saves both the service provider and the customer money: win/win
• 25. Selective blackholing at NTT / AS2914: available today!

BGP Community   Routing policy
2914:666        Global discard / classic blackhole
2914:660        Only blackhole outside the region
2914:664        Only blackhole outside the country
2914:661        Only blackhole inside the region
2914:663        Only blackhole inside the country
• 26. And you, as a customer?
Announce the selective blackhole prefix but don't blackhole it yourself! A local discard route would drop the traffic on your own router as well, defeating the "blackhole outside this region" effect. To achieve "blackhole outside this region":
This is probably bad:
 set routing-options rib inet6.0 static route 2001:67c:208c::2/128 discard community 2914:660
Something like this is better:
 set routing-options rib inet6.0 static route 2001:67c:208c::2/128 no-install community 2914:660
NANOG63 - Job Snijders - Selective Blackholing 26
• 27. Questions?
Ask now, or email job@ntt.net
• 28. Resources & Credits
Technical narrative in text form:
http://mailman.nanog.org/pipermail/nanog/2014-February/064381.html
I want to thank Saku Ytti, Torsten Blum and Peter van Dijk for contributing to this methodology.