On 1/23/20 2:45 PM, Frank Bulk wrote:
Has support for a blackhole community been added? We’d like to start doing that.
AFAIK, no. I think we'd need:

- A BGP community*
- which when set** causes the route servers to set a next hop of a specific IP address (and probably set no-export too)
- which the route servers (?) ARP for, returning a specific MAC
- which is blocked by a layer 2 ACL on the core switch and any remotes that are able to do so

* At least the well-known blackhole community 65535:666 from RFC 7999.

** The route servers would also have to allow smaller prefixes when the blackhole community is set, so that you could blackhole as small as a single address (in IPv4 at least).

See also: https://www.seattleix.net/blackholing

In practice, this is probably behind IRR filtering in implementation priority, because we really should be using IRR filtering so that you can only blackhole your own prefixes.

--
Richard
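
The route-server side of the policy described in this message, as an added example that is not part of the original email and not the exchange's actual configuration: a Python model of the import decision, with the IRR check applied before any blackhole handling. The blackhole next-hop address, the /24 normal limit, the ASNs and the IRR table are assumptions constructed for illustration; IPv4 only.

```python
import ipaddress

BLACKHOLE = (65535, 666)     # well-known BLACKHOLE community (RFC 7999)
NO_EXPORT = (65535, 65281)   # well-known NO_EXPORT community (RFC 1997)
BLACKHOLE_NEXT_HOP = "192.0.2.66"  # assumption: placeholder, documentation range
MAX_LEN_NORMAL = 24          # assumption: usual IPv4 length limit on the route servers
MAX_LEN_BLACKHOLE = 32       # blackhole as small as a single IPv4 address

# Constructed IRR data: peer ASN -> prefixes registered for that peer.
IRR = {
    64500: [ipaddress.ip_network("198.51.100.0/24")],
    64501: [ipaddress.ip_network("203.0.113.0/24")],
}

def import_route(peer_asn, prefix, next_hop, communities):
    """Return (accepted, route_or_reason) for one IPv4 announcement."""
    net = ipaddress.ip_network(prefix)
    comms = set(communities)
    blackhole = BLACKHOLE in comms

    # IRR filter first: the prefix must fall inside something this peer
    # registered, so a peer can only blackhole its own address space.
    if not any(net.subnet_of(reg) for reg in IRR.get(peer_asn, [])):
        return False, "not covered by peer's IRR objects"

    # Longer prefixes are allowed only when the blackhole community is set.
    limit = MAX_LEN_BLACKHOLE if blackhole else MAX_LEN_NORMAL
    if net.prefixlen > limit:
        return False, f"prefix longer than /{limit}"

    if blackhole:
        # Rewrite the next hop to the address whose MAC the layer 2 ACL
        # drops, and keep the route from being re-exported by peers.
        next_hop = BLACKHOLE_NEXT_HOP
        comms.add(NO_EXPORT)
    return True, {"prefix": str(net), "next_hop": next_hop, "communities": comms}

if __name__ == "__main__":
    # Constructed announcements: own /32 blackholed, then someone else's /32.
    print(import_route(64500, "198.51.100.7/32", "192.0.2.10", [BLACKHOLE]))
    print(import_route(64501, "198.51.100.7/32", "192.0.2.11", [BLACKHOLE]))
```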