Remotely Triggered Black Hole filtering for IPv6

November 30, 2011

Black holes, from a network security perspective, are placed in the network where traffic is forwarded and dropped. When an attack has been detected, black-holing can be used to drop all attack traffic at the edge of an Internet service provider (ISP) network, based on either destination or source IP addresses. Remotely triggered black hole (RTBH) filtering is a technique that uses routing protocol updates to manipulate route tables at the network edge or anywhere else in the network to specifically drop undesirable traffic before it enters the service provider network.

RTBH filtering provides a method for quickly dropping undesirable traffic at the edge of the network, based on either source addresses or destination addresses, by forwarding it to a Null0 interface. Null0 is a pseudo-interface that is always up and can never forward or receive traffic. Forwarding packets to Null0 is a common way to filter packets to a specific destination.

A typical deployment scenario for RTBH filtering would require running Internal Border Gateway Protocol (IBGP) at the access and aggregation points and configuring a separate device in the network operations center (NOC) to act as a trigger. The triggering device sends IBGP updates to the edge that cause undesirable traffic to be forwarded to a Null0 interface.
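The trigger/edge split described above, sketched as an added IOS configuration (this is an illustrative example, not the configuration from the Cisco whitepaper): the NOC trigger router installs a tagged static route to Null0 and redistributes it into IBGP with the next hop rewritten to a discard address, and every edge router routes that discard address to Null0 so the prefix is dropped in hardware. The addresses, AS number and tag value are assumed; the discard next hop 100::1 comes from the 100::/64 discard-only prefix that RFC 6666 later reserved for exactly this purpose.

```cisco
! ---- Trigger router in the NOC (added example, not the whitepaper's config) ----
! AS 65000, tag 66 and all addresses are assumed; 2001:db8::/32 is documentation space.
ipv6 unicast-routing
!
! Any static route tagged 66 becomes a black-hole announcement: next hop is the
! discard address, local-preference wins over real paths, no-export keeps it in-AS.
route-map RTBH-TRIGGER permit 10
 match tag 66
 set ipv6 next-hop 100::1
 set local-preference 200
 set origin igp
 set community no-export
route-map RTBH-TRIGGER deny 20
!
router bgp 65000
 bgp log-neighbor-changes
 neighbor 2001:db8::2 remote-as 65000
 neighbor 2001:db8::2 update-source Loopback0
 address-family ipv6
  neighbor 2001:db8::2 activate
  neighbor 2001:db8::2 send-community
  redistribute static route-map RTBH-TRIGGER
 exit-address-family
!
! Operator action during an attack: one tagged host route per victim (destination-based)
! or per attacking source. Removing the route withdraws the black hole everywhere.
ipv6 route 2001:db8:1234::5/128 Null0 tag 66
!
! ---- Edge router (one of many) ----
ipv6 unicast-routing
!
! The discard prefix is routed to Null0, so every prefix learned with next hop 100::1
! resolves to Null0 and is dropped in the forwarding plane, not by an ACL.
ipv6 route 100::/64 Null0
!
router bgp 65000
 neighbor 2001:db8::1 remote-as 65000
 neighbor 2001:db8::1 update-source Loopback0
 address-family ipv6
  neighbor 2001:db8::1 activate
 exit-address-family
!
! Source-based dropping: loose-mode uRPF on the upstream interface fails the check for
! any source whose best route points to Null0, so those packets are dropped on ingress.
interface GigabitEthernet0/0
 description Upstream
 ipv6 verify unicast source reachable-via any
```

The Null0 route for the discard prefix must exist on every edge router; without it the announced next hop is unresolvable and the black-hole prefix is never installed.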

For more information, read this new whitepaper, which describes RTBH filtering in IPv6 and provides sample router configurations for IOS, IOS XE, and IOS XR.