[ixpmanager] Blackhole service on IXP manager route servers (RTBH)

Leon Meßner l.messner at physik.tu-berlin.de
Fri Oct 30 21:29:00 GMT 2020


Dear Shahab,

On Fri, 30 Oct 2020 21:56:33 +0330
Shahab Vahabzadeh <me at shahabv.com> wrote:

> Dear Leon,
> Thanks for your help, in
> $IXPROOT/resources/views/api/v4/router/server/bird2 inside which file we
> need to change next_hop for blackhole community or even specific community?

If you run separate routeservers for blackholing, what Behnam talked
about, there is no technical need for a BGP community to set a
blackhole next-hop. If you want to do it on your regular routeservers,
there are a lot of ways to do it, thanks to bird's configuration style.

Considering I'm not using the stock templates and not using bird2, my
approach would be to do

define mybhcommunity = (65535,666);

<?php if( $t->router->protocol() == 6 ): ?>
define mybhip = SOMEPEERINGLANIP6;
<?php else: ?>
define mybhip = SOMEPEERINGLANIP4;
<?php endif; ?>

and in neighbors.foil.php for your IXP's skin:

filter f_export_as<?= $int['autsys'] ?>
{
# ... stuff
if mybhcommunity ~ bgp_community then
    bgp_next_hop = mybhip;

# ... things
}

Perhaps others have already implemented it running bird2 and can give
more informed tips.

Regards,
Leon

> And how?
> Thanks
> 
> On Wed, Oct 28, 2020 at 7:00 PM Leon Meßner <l.messner at physik.tu-berlin.de>
> wrote:
> 
> > Dear Behnam,
> >
> > On Mon, 26 Oct 2020 11:27:31 +0330
> > Behnam Yazdani <behnamyazdani at gmail.com> wrote:  
> > > We want to implement RTBH service in our IX environment, currently we
> > > have activated IRRDB filtering. For this purpose we have deployed two
> > > servers used as blackhole next-hop, they inject an ARP response to members
> > > that populate IX switches with BH-MAC, this BH-MAC is dropped on all IX
> > > switches. In our current deployment members will have to establish a new
> > > BGP session with a dedicated Blackhole Router. We want to integrate BH
> > > service with IXP manager route servers, however, there are two issues that
> > > we need to resolve for this purpose:
> > > 1) We need to change BH next-hop to the IP address of BH servers that
> > > their MAC is later dropped in IX switches' CAM table, and I need to know
> > > how we can implement this in IXPmanager
> > > 2) We need to change IRRDB filter so that generated prefix filters
> > > accept /32 prefixes advertised by members, for example there's a route
> > > object for 192.0.2.0/24 with AS65535 as origin. By default generated
> > > prefix-list will have /24 mask for AS65535 member, but we need IXP
> > > manager to generate a prefix filter that accepts 192.0.2.0/24 le 32 from
> > > AS65535
> >
> > have you considered skinning your routeserver templates[1]? You can
> > find the stock templates for bird v1(v2) at
> > $IXPROOT/resources/views/api/v4/router/server/bird(2). In your skinned
> > version you can then change bgp_next_hop in the sessions export filter.
> > Newer IXP-Managers have a checkbox in the Webinterface to accept
> > more-specifics. You can find the relevant line in the
> > bird2/neighbors.foil.php template looking for prefixExactToLessSpecific.
> > If you want the BH RS behaviour to be independent of that checkbox
> > something like
> >
> > allnet = [ <?= implode( ', ', preg_filter('/$/', '+',
> > $int['irrdbfilter_prefixes']) ) ?> ];
> >
> > should also work.
> >
> > Regards,
> > Leon
> >
> > [1] https://docs.ixpmanager.org/features/skinning/  
> > >
> > > How should we configure IXP manager to resolve these two issues
> > > P.S. we’re using bird as our route server
> > >
> > > Thanks for your help
> > > _______________________________________________
> > > INEX IXP Manager mailing list
> > > ixpmanager at inex.ie
> > > Unsubscribe or change options here:  
> > https://www.inex.ie/mailman/listinfo/ixpmanager
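
A small offline model of the two changes discussed in this thread, added here as an illustration (it is not code from the messages or from IXP Manager): the `+` suffix appended to the IRRDB prefixes, and the next-hop rewrite for routes carrying (65535,666). The next-hop addresses, function names and sample routes are constructed assumptions.

```python
import ipaddress

# (65535,666) is mybhcommunity from the message; the next-hop addresses are
# constructed stand-ins for SOMEPEERINGLANIP4 / SOMEPEERINGLANIP6.
BLACKHOLE = (65535, 666)
BH_NEXT_HOP = {4: "198.51.100.66", 6: "2001:db8::66"}

def import_accepts(prefix, irrdb_prefixes, more_specifics=True):
    """BIRD prefix-set semantics: 'p' matches only p, 'p+' matches p and all its subnets."""
    net = ipaddress.ip_network(prefix)
    for entry in irrdb_prefixes:
        registered = ipaddress.ip_network(entry)
        if net.version != registered.version:
            continue  # never compare IPv4 against IPv6 entries
        if net == registered or (more_specifics and net.subnet_of(registered)):
            return True
    return False

def export_next_hop(route):
    """Export-filter step: point tagged routes at the blackhole next hop."""
    if BLACKHOLE in route["communities"]:
        return BH_NEXT_HOP[ipaddress.ip_network(route["prefix"]).version]
    return route["next_hop"]

def evaluate(route, irrdb_prefixes, more_specifics=True):
    """Return the next hop other members would see, or None if the route is filtered."""
    if not import_accepts(route["prefix"], irrdb_prefixes, more_specifics):
        return None
    return export_next_hop(route)

# Constructed sample data: AS65535 has a route object for 192.0.2.0/24.
IRRDB_AS65535 = ["192.0.2.0/24"]

def route(prefix, communities=(), next_hop="198.51.100.10"):
    return {"prefix": prefix, "communities": list(communities), "next_hop": next_hop}

if __name__ == "__main__":
    cases = [
        route("192.0.2.10/32", [BLACKHOLE]),   # tagged host route inside the /24
        route("192.0.2.0/24"),                 # ordinary announcement
        route("203.0.113.5/32", [BLACKHOLE]),  # tagged, but not registered
        route("192.0.2.10/32"),                # untagged host route inside the /24
    ]
    for r in cases:
        print(r["prefix"], r["communities"], "->", evaluate(r, IRRDB_AS65535))
```

The last case shows that the `+` pattern by itself does not look at communities: in this model an untagged /32 inside the registered /24 matches it as well and keeps its normal next hop.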