Hi Jeffrey et al.,

> On 15 Jun 2015, at 21:30, Jeffrey Haas <jh...@pfrc.org> wrote:

…

> I'm generally supportive of this draft.  The Security Considerations cover
> the majority of the issues this standardized blackhole community introduces.

Thanks for your feedback.

> I would suggest one additional consideration be added: Since the presence of
> this community may otherwise bypass prefix-limit checks, the presence of
> this community may allow for a resource exhaustion attack by shorter than
> usual prefixes.

I added the following text to the draft:

The presence of this BLACKHOLEIXP BGP community may introduce a resource
exhaustion attack to BGP speakers. If a BGP speaker receives many IP prefixes
containing the BLACKHOLE BGP community its internal resources such as CPU power
and/or memory might get consumed, especially if usual prefix sanity checks
(e.g. IP prefix length or number of prefixes) are disabled (see Section 3.2).

Does this cover your point?

> It would be good to see an example of integration of this feature with some
> IXP's filtering mechanism, e.g. IRR database.

Do you want to see the example in the document? If yes, how detailed do you 
want to see the example? Down to the configuration of BGP speakers and data 
records in the IRR database?


In the EURO-IX community we discussed renaming the community to BLACKHOLE. Is
this fine with everyone?

I am going to upload a new version of the document right before the cut-off 
deadline.

Best regards,
Thomas




_______________________________________________
GROW mailing list
GROW@ietf.org
https://www.ietf.org/mailman/listinfo/grow
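
An added illustration of the mitigation discussed in the message above (not part of the original e-mail or of the draft): an import policy that relaxes the prefix-length check for blackhole-tagged routes but still requires IRR coverage and counts those routes against a separate per-peer cap. The tag placeholder, the limits, the peer name and the IRR data are all assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict

BLACKHOLE = "BLACKHOLE"      # placeholder tag; the community value is not given on this page
MAX_NORMAL_LEN = 24          # assumed usual IPv4 prefix-length limit
MAX_BLACKHOLE_PER_PEER = 3   # assumed separate cap for blackhole-tagged routes


class ImportPolicy:
    def __init__(self, irr):
        # irr: peer name -> prefixes registered for that peer (constructed data)
        self.irr = {p: [ipaddress.ip_network(n) for n in nets]
                    for p, nets in irr.items()}
        self.blackholes = defaultdict(set)   # peer -> blackhole routes currently held

    def _registered(self, peer, net):
        # A route is acceptable only if a registered prefix of the peer covers it.
        return any(r.version == net.version and net.subnet_of(r)
                   for r in self.irr.get(peer, []))

    def evaluate(self, peer, prefix, communities):
        net = ipaddress.ip_network(prefix)
        if not self._registered(peer, net):
            return "reject: not covered by IRR data"
        if BLACKHOLE not in communities:
            if net.prefixlen > MAX_NORMAL_LEN:
                return "reject: too specific"
            return "accept"
        # The length check is relaxed for blackhole routes, so the resource
        # bound has to come from a dedicated counter instead.
        held = self.blackholes[peer]
        if net not in held and len(held) >= MAX_BLACKHOLE_PER_PEER:
            return "reject: blackhole limit reached"
        held.add(net)
        return "accept: blackhole"

    def withdraw(self, peer, prefix):
        # Free the slot when the peer withdraws the blackhole route.
        self.blackholes[peer].discard(ipaddress.ip_network(prefix))


def demo():
    policy = ImportPolicy({"peer-a": ["192.0.2.0/24"]})   # constructed IRR data
    return [policy.evaluate("peer-a", "192.0.2.%d/32" % i, {BLACKHOLE})
            for i in range(1, 6)]


if __name__ == "__main__":
    for line in demo():
        print(line)
```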
