Blackholing IPv6 traffic RTBH
William F. Maton Sotomayor
wmaton at ryouko.imsb.nrc.ca
Fri Feb 4 20:40:34 CET 2011
On Fri, 4 Feb 2011, Jon Harald Bøvre wrote:
> For blackholing undesired traffic, a common practice (according to Cisco) is to route
> the undesired traffic to test-net 192.0.2.1.
> ip route 192.0.2.1 255.255.255.255 Null0
>
> Working on implementing this in a dual-stacked network I could easily find a
> /64 (or perhaps /128), but standardization in the internet community makes
> this easier to document and understand.
> My idea was to map 192.0.2.1 to a 6to4 prefix to ensure this to be unique:
> ipv6 route 2002:C000:0201::/64 Null0
>
> I wonder if there is any RFC or best practice for how to do this in IPv6?
I thought I read one somewhere, but on my dual-stacked black-hole server I
do this:
!
route-map static-to-bgpv6 permit 5
 match tag 66
 set ipv6 next-hop 2001:DB8::1
 set local-preference 2500
 set origin igp
 set community no-export
!
!
ipv6 route 2001:DB8::/32 Null0 tag 66
!
(that's the IPv6 prefix for documentation purposes)
Which on my borders that peer with it, then I do this:
ipv6 route 2001:DB8::1/128 Null0
To get the following:
gate#sho ipv6 ro 2001:DB8::/32
Routing entry for 2001:DB8::/32
  Known via "bgp 25689", distance 200, metric 0, type internal
  Route count is 1/1, share count 0
  Routing paths:
    2001:DB8::1
      MPLS label: none
      Last updated 7w0d ago
gate#
>
>
> Jon Harald Bøvre
> Hafslund Telekom Nettjenester
> Norway
>
> My purpose is to do source and destination based remote triggered black hole
> routing (RTBH) for IPv4 and IPv6 equally. I believe there will be a lot of
> misconfigured IPv6 systems coming.
>
>
wfms
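
As an added example (not part of either post or of anyone's production setup), this Python helper renders the tagged Null0 static route a trigger router would carry for a victim prefix in either address family, using the tag 66 convention from the reply, and computes the 6to4 prefix proposed in the quoted post for 192.0.2.1. The function names, the minimum prefix lengths and the sample targets are assumptions constructed for illustration.

```python
import ipaddress

TRIGGER_TAG = 66  # tag matched by "route-map static-to-bgpv6" in the reply
# Assumption (not from the thread): shortest prefix a trigger may cover.
MIN_PREFIXLEN = {4: 24, 6: 48}


def sixtofour_prefix(v4_addr, length=64):
    """Return the 6to4 prefix 2002:<IPv4 in hex>::/length for an IPv4 address."""
    v4 = ipaddress.IPv4Address(v4_addr)
    base = (0x2002 << 112) | (int(v4) << 80)
    return ipaddress.IPv6Network((base, length))


def trigger_route(target, min_len=None):
    """Build the tagged Null0 static route for the trigger router.

    strict=True rejects input with host bits set, so a typo such as
    2001:db8::1/64 raises instead of silently blackholing the whole /64.
    """
    net = ipaddress.ip_network(target, strict=True)
    floor = MIN_PREFIXLEN[net.version] if min_len is None else min_len
    if net.prefixlen < floor:
        raise ValueError(f"{net} is shorter than the allowed /{floor}")
    if net.version == 4:
        return (f"ip route {net.network_address} {net.netmask} "
                f"Null0 tag {TRIGGER_TAG}")
    return f"ipv6 route {net} Null0 tag {TRIGGER_TAG}"


if __name__ == "__main__":
    print(sixtofour_prefix("192.0.2.1"))
    # Constructed sample targets from the documentation ranges.
    for victim in ("198.51.100.7", "2001:db8:beef::10/128"):
        print(trigger_route(victim))
```

Passing `min_len=32` reproduces the `2001:DB8::/32` test route shown in the reply; the default floor rejects it as too wide.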