I’d like to automatically drop traffic originating from bogons, martians and select prefixes via BGP. Does reverse path forwarding (RPF), when set to either loose or strict mode, drop packets when their source IP matches a route which recursively resolves to a blackhole destination?
Should the kernel subsequently drop traffic from either 169.254.0.0/16 or 192.0.2.0/24?
Configuration:
set protocols static route 192.0.2.0/24 blackhole distance 254
set protocols static route6 ‘fc00::/7’ blackhole distance 254
set policy route community-list standard blackhole rule 10 action ‘permit’
set policy route community-list standard blackhole rule 10 community ‘64500:666’
set policy prefix-list all rule 10 action ‘permit’
set policy prefix-list all rule 10 le 32
set policy prefix-list all rule 10 prefix 0.0.0.0/0
set policy prefix-list6 all rule 10 action ‘permit’
set policy prefix-list6 all rule 10 le 128
set policy prefix-list6 all rule 10 prefix ‘::/0’
set policy route-map peer-in rule 10 action ‘permit’
set policy route-map peer-in rule 10 match community community-list blackhole
set policy route-map peer-in rule 10 match ip address prefix-list all
set policy route-map peer-in rule 10 set ip-next-hop 192.0.2.1
set policy route-map peer-in rule 20 action ‘permit’
set policy route-map peer-in rule 20 match community community-list blackhole
set policy route-map peer-in rule 20 match ipv6 address prefix-list all
set policy route-map peer-in rule 20 set ipv6-next-hop local ‘fc00::192:0:2:1’
I’m researching feature parity and don’t have a VyOs instance to test with yet. My sample configuration declares a static route for the entire 192.0.2.0/24 subnet which covers 192.0.2.1.
My interest is whether or not anyone has confirmed if VyOS discards traffic originating from a route which recursively resolves to a blackhole, if the receiving interface has RPF enabled in either loose or strict mode.
It could also simply be the following:
set protocols static route 169.254.0.0/16 next-hop 192.0.2.1
set protocols static route 192.0.2.0/24 blackhole
PS: A BGP route-map can’t set a prefix to target a blackhole directly, one has to accept them and set the next hop as a destination which then routes to a network sink, ideally local to the router.
ie: Does the kernel have sufficient ‘foresight’ to lookup and cache that the ultimate destination for 169.254.0.0/16 is a blackhole and does RPF then subsequently drop any packets, on interfaces where RPF is set to ‘loose’ mode, when their source originates from 169.254.0.0/16?
The route to the YYY network is configured via a gateway in XXX.
rp_filter set to 1 on the ethX interface.
Then traffic from YYY received on the ethX interface will be dropped.
But, you are close to reinventing BGP FlowSpec which currently is not supported by VyOS at CLI level but could be tried to implement if someone will help us, at least with testing.