Yes, it requires your upstream to support a blackhole BGP community. This allows you to advertise host routes (/32 or smaller) to them using a specific BGP community when you want your ISP to drop all traffic for the prefix before it reaches you. This is -very- useful for DDoS defense.
Josh On Sat, May 14, 2016 at 4:16 PM, That One Guy /sarcasm < thatoneguyst...@gmail.com> wrote: > That requires something specific? > On May 14, 2016 7:33 AM, "Erich Kaiser" <er...@northcentraltower.com> > wrote: > >> We have started requiring our upstreams to filter by ASN vs Netblock. We >> are moving away from upstreams that do not utilize IRR Entries and require >> intervention every time we want to make a change, but it is continuous for >> us, so for most guys the one time setup is not a big deal, plus the >> upstream has to be trusting enough that we will have the correct filtering >> on our end. >> >> Steve, I would add Blackhole BGP community or session to your list. >> >> Erich Kaiser >> The Fusion Network >> er...@gotfusion.net >> Office: 630-621-4804 >> Cell: 630-777-9291 >> >> On Sat, May 14, 2016 at 6:34 AM, Paul Stewart <p...@paulstewart.org> >> wrote: >> >>> Or, quite a number of carriers (especially in APAC, some carriers in >>> Canada, a few in the US, and definitely a large number in Europe) will say >>> “do you have an IRR entry at RADB?” and if you say yes then they will use >>> the route object information but if you say no then they will tell you to >>> open a ticket with their NOC each time you have a prefix to add/remove …. >>> >>> >>> >>> I’m actually surprised by the number of transit providers that don’t’ >>> support automation via IRR >>> >>> >>> >>> Paul >>> >>> >>> >>> >>> >>> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *Faisal Imtiaz >>> *Sent:* May 13, 2016 9:25 PM >>> *To:* af@afmug.com >>> *Subject:* Re: [AFMUG] Upstream BGP Questionairre >>> >>> >>> >>> Let me clarify this a bit more... >>> >>> >>> >>> You are recommending that one creates it's own AS Object in the >>> IRR..(aka learns and manages their own RR entries) (it really does not >>> matter which IRR it is, at the end of the day they are all sort of synced, >>> it is only a question of who is maintaining it, and who can provide help to >>> newbies). .. BTW, I agree with this.. however .... >>> >>> >>> >>> Cause at the end of the day, someone in the up-stream is very likely to >>> create the record for you, if it is needed by them... >>> >>> This is one of those things that most carriers find... "too much trouble >>> to teach vs just do it for that network !" >>> >>> >>> >>> :) >>> >>> >>> >>> Regards. >>> >>> >>> >>> Faisal Imtiaz >>> Snappy Internet & Telecom >>> 7266 SW 48 Street >>> Miami, FL 33155 >>> Tel: 305 663 5518 x 232 >>> >>> Help-desk: (305)663-5518 Option 2 or Email: supp...@snappytelecom.net >>> >>> >>> ------------------------------ >>> >>> *From: *"George Skorup" <geo...@cbcast.com> >>> *To: *af@afmug.com >>> *Sent: *Friday, May 13, 2016 7:15:26 PM >>> *Subject: *Re: [AFMUG] Upstream BGP Questionairre >>> >>> I recommend adding your route or AS objects in ARIN's IRR. Merit RADb is >>> not free. Most carriers use RADb, and RADb mirrors ARIN's IRR anyway. >>> >>> On 5/13/2016 3:49 PM, Faisal Imtiaz wrote: >>> >>> See answers in-line below:- >>> >>> >>> >>> Faisal Imtiaz >>> Snappy Internet & Telecom >>> 7266 SW 48 Street >>> Miami, FL 33155 >>> Tel: 305 663 5518 x 232 >>> >>> Help-desk: (305)663-5518 Option 2 or Email: supp...@snappytelecom.net >>> >>> >>> ------------------------------ >>> >>> *From: *"That One Guy /sarcasm" <thatoneguyst...@gmail.com> >>> <thatoneguyst...@gmail.com> >>> *To: *af@afmug.com >>> *Sent: *Friday, May 13, 2016 11:35:10 AM >>> *Subject: *[AFMUG] Upstream BGP Questionairre >>> >>> Im going to expose the breadth of my incompetence here, but there are >>> some questions in this document I want to make sure im answering accurately >>> >>> 1. Are you the owner of the AS Number with RIR- This im assuming is our >>> ARIN direct allocation? >>> >>> They are asking if you have a AS # assigned to you from ... (would be >>> ARIN for North America). >>> >>> 2. Are you registered with an Internet Routing Registry? - Im not sure >>> what this is, is this also ARIN or do I need to register something >>> elsewhere? >>> >>> Routing Registry.... it is a way to build authorized prefixes from a >>> DataBase... >>> >>> You can read up about it from here >>> https://www.arin.net/resources/routing/ >>> >>> >>> Justin Wilson did a blog about it too... http://www.mtin.net/blog/?p=245 >>> >>> >>> >>> and yes ARIN also provides a Routing Registry Service ... (along with a >>> few others) >>> >>> >>> >>> 3. Which type of routes do you want to receive? - Full routes is what >>> we want, but are there caveats in this answer I need to be prepared for? >>> >>> >>> >>> No Caveats, as long as your equipment is able to take full routes, then >>> do so. >>> >>> >>> >>> 4. Do you have downstream ASNs? - I assume this would be customers with >>> their own allocations? We currently do not, but do not want to close the >>> door on that in the future. Is this something easily updated in the future? >>> >>> Answer this question in the Present.. (you don't have any so say no)... >>> no future door is closed due to this... this is just info asked / collected >>> for the upstream to be able to build their ACL filters.... (This is also a >>> flag for them to collect your BGP LOA's as well as your Customers to you..) >>> >>> >>> >>> This becomes a mute topic, if you are versed in using the Routing >>> Registry and maintaining your own Route Objects etc. >>> >>> >>> >>> 5. List all prefixes to be announced so that we can confirm the BGP ACL >>> prior to activation: We only have a /22, but we do want the option down the >>> road to pull /24 from one provider if need be. Would we list the /24s >>> independently or the /22 as the aggregate? >>> >>> >>> >>> You want to ask them for the following:- >>> >>> >>> >>> xx.xx.xx.xx/22 please use the 'le 24' option with the filter. >>> >>> >>> >>> Note: this will have them build a filter that can accept larger prefixes >>> between 24 - 22, so it is not a 'specific' filter... >>> >>> >>> >>> >>> >>> 6. MD5 Password: On this is it standard practice to use the same >>> password with all providers or different ones? >>> >>> >>> >>> Your choice... either way.... no big deal, as long as you keep track of >>> them. >>> >>> >>> >>> -- >>> >>> If you only see yourself as part of the team but you don't see your team >>> as part of yourself you have already failed as part of the team. >>> >>> >>> >>> >>> >>> >>
