Cenic.org

BGP Blackhole Community

Blackhole Routing: The CENIC CalREN DC, ISP, and HPR networks support the use of specific BGP communities to trigger blackhole routing. When a route is tagged with one of these communities, the CENIC network drops all traffic destined to the tagged host or network. Specific communities will also be passed on to transit ISP providers that support blackhole routing.

Associate Network Connectivity Requirements: CENIC associates that wish to have this capability must establish an EBGP peering with the CENIC CalREN network. EBGP multihop with a TTL of 2 is required on the CENIC side of the peering and highly recommended on the campus side. This allows the null next-hop destination to be inserted into the routing table.

Communities: The following communities are currently supported for blackhole routing:

  • Accepted on DC peerings:
    • 2152:666 — Blackhole All
      Triggers null routing of packets on all DC, ISP, and HPR routers. Sends blackhole communities to supported transit ISP providers and Internet2. This community effectively drops ALL traffic going to the tagged route at any supporting router. ISP transit providers not supporting blackhole routing do not receive the route.
    • 2152:667 — Blackhole ISP
      Triggers null routing ONLY on ISP transit connections. Any traffic sourced from commodity peering, Internet2, or other CENIC CalREN associates is allowed to pass through.
  • Accepted on HPR peerings:
    • 2153:666 — Blackhole HPR — All
      Null routes packets within the HPR backbone and coming from Internet2. Acts on all HPR routers, so all traffic, regardless of the source, is dropped when entering the HPR network.
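
| Accepted | Community | DC | ISP | ISP-Transit | HPR | Internet2 |
|----------|-----------|----|-----|-------------|-----|-----------|
| DC       | 2152:666  | X  | X   | X           | X   | X         |
| DC       | 2152:667  |    | X   | X           |     |           |
| HPR      | 2153:666  |    |     |             | X   | X         |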

Additional Information: By default, CENIC will accept tagged routes with a prefix length from the standard advertised mask down to /32.

  • Prefixes that are to be advertised to Abilene must be /24 or longer.
  • If advertising a blackhole route with the same prefix length as the normally advertised network, it is highly recommended that the blackhole advertisement be split in half. For example, a normally advertised /20 will be blackhole tagged as two /21s.

Procedure to Activate Service:

  1. Open a ticket with the CENIC NOC by emailing noc@cenic.org requesting blackhole capability on DC, HPR, or ISP networks.
  2. CENIC will schedule a maintenance time to make configuration changes and reset the BGP session. EBGP — Multihop TTL 2 is required.

Sample Configuration: Below is a sample Cisco configuration that can be used to inject tagged routes into BGP to be advertised to CENIC. This is only one of several ways this can be done.

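    ! Redistribute tagged static routes into BGP through the route-map.
    ! Communities are only sent if send-community is enabled on the neighbor toward CENIC.
    router bgp 54321
     redistribute static route-map static-to-bgp
    !
    ! Attach the blackhole community to any static route carrying tag 666.
    route-map static-to-bgp permit 5
     match tag 666
     set community 2152:666 additive
    !
    ! Trigger: a Null0 static route for the host to blackhole, tagged 666.
    ip route 2.2.2.2 255.255.255.255 Null0 tag 666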
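
The prefix rules under Additional Information and the sample configuration can be combined in a small generator. This is an added example, not CENIC's own tooling: it rejects targets outside the normally advertised network, splits a same-length blackhole into two halves, and renders the route-map and Null0 statics for the chosen community. The function names, the scope keys, the `10.16.0.0/20` addresses, and the choice of a tag equal to the community's low half are assumptions made for illustration.

```python
import ipaddress

# Scope -> (peering the community is accepted on, community), from the page.
COMMUNITIES = {
    "all": ("DC", "2152:666"),
    "isp": ("DC", "2152:667"),
    "hpr": ("HPR", "2153:666"),
}

def blackhole_prefixes(advertised, target):
    """Prefixes to tag so that `target` is blackholed.

    Accepts the advertised mask down to /32, and splits a blackhole of the
    same length as the advertised network into two halves.
    """
    adv = ipaddress.ip_network(advertised)
    tgt = ipaddress.ip_network(target)
    if adv.version != 4 or tgt.version != 4:
        raise ValueError("this example handles IPv4 only")
    if not tgt.subnet_of(adv):
        raise ValueError(f"{tgt} is not inside advertised network {adv}")
    if tgt.prefixlen == adv.prefixlen and tgt.prefixlen < 32:
        return list(tgt.subnets(prefixlen_diff=1))
    return [tgt]

def ios_config(advertised, target, scope, tag=None, route_map="static-to-bgp"):
    """Render the route-map and Null0 statics in the style of the page's sample."""
    peering, community = COMMUNITIES[scope]
    if tag is None:
        tag = int(community.split(":")[1])  # assumption: tag mirrors the community's low half
    lines = [
        f"! accepted on {peering} peerings",
        f"route-map {route_map} permit 5",
        f" match tag {tag}",
        f" set community {community} additive",
        "!",
    ]
    for net in blackhole_prefixes(advertised, target):
        lines.append(f"ip route {net.network_address} {net.netmask} Null0 tag {tag}")
    return "\n".join(lines)

if __name__ == "__main__":
    # Constructed inputs: a /20 blackholed whole, then a single host, ISP-only.
    print(ios_config("10.16.0.0/20", "10.16.0.0/20", "all"))
    print(ios_config("10.16.0.0/20", "10.16.3.9/32", "isp"))
```
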