[address-policy-wg] IPv6 access to K-root

On Wed, 2005-03-02 at 11:53 +0000, Jørgen Hovland wrote:
>From: "Iljitsch van Beijnum" <iljitsch at muada.com>
>> As for the DoS issue, your transit ISPs can create blackhole communities so you can have them blackhole the traffic for individual 
>> /32s (if desired) when those are under attack by announcing even more specific more specifics with this community on them.
>>
>>
>
>It would be interesting if this could be implemented in BGP5 as a standard so you can announce more specific prefixes that is not to 
>be routed instead of just announcing the ones that is supposed to be routed.

SSUD (Source Specific Unicast Deny), the reverse of SSM in Multicast?

The only issue with it is that if somebody has 200 prefixes and each
prefix has 100 SSUD entry's you have 200.000 extra prefixes in the
routing table...

Though you could say that one is allowed to have a max of 5 SSUD's per
prefix or some other limit and if the limit is hit the SSUD becomes an
exclude for ::/0 or 0.0.0.0 aka anything...

Unfortunately DDoS's come from botnets and botnets have more than 200
sources, read, more likely something like 200.000 or 500.000 sources,
depending on the person who likes you so very much...

Greets,
 Jeroen

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 240 bytes
Desc: This is a digitally signed message part
URL: </ripe/mail/archives/address-policy-wg/attachments/20050302/a77a34d0/attachment.sig>