Internet2 Network Adds Support for IPv6 RTBH Signaling and Filtering
By Paul Howell, Internet2 Chief Cyberinfrastructure Security Officer
Remote Triggered Blackhole Filtering (RTBH) is one of several techniques offered to the Internet2 community for mitigating Denial of Service (DoS) threats. Recently, the Internet2 network added support for RTBH signaling and filtering over the IPv6 R&E network. Inter-domain RTBH signaling requires a consistent and standardized approach that also conforms to best practices adopted by network providers around the globe.
The Internet2 implementation of IPv6 RTBH employs two industry-standard RFCs: an IPv6 discard prefix (RFC 6666) and a blackhole community (RFC 7999). When a route carrying the RFC 7999 community (65535:666) is received at an Internet2 router from an IPv6 R&E member, its next hop is rewritten to the RFC 6666 discard prefix (100::/64). The discard prefix exists in the Internet2 routing table with a next hop to the discard (or null) interface. Before the route is installed into the Internet2 table, the prefix must be validated and then accepted by the requesting Internet2 member. For validation, an ingress prefix filter evaluates whether the received prefix belongs to the requesting member.
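The import logic described above, modeled in Python as an added example (not Internet2's router configuration). The member names, the member prefixes, and the 100::1 next-hop address are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, replace

BLACKHOLE = (65535, 666)                            # RFC 7999 BLACKHOLE community
DISCARD_PREFIX = ipaddress.ip_network("100::/64")   # RFC 6666 discard-only prefix
DISCARD_NEXT_HOP = ipaddress.ip_address("100::1")   # assumed address inside 100::/64

# Constructed per-member ingress prefix filters (RFC 3849 documentation space).
MEMBER_PREFIXES = {
    "member-a": [ipaddress.ip_network("2001:db8:a000::/36")],
    "member-b": [ipaddress.ip_network("2001:db8:b000::/36")],
}

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv6Network
    next_hop: ipaddress.IPv6Address
    communities: frozenset

def import_route(member, route):
    """Return (action, route); action is 'reject', 'accept' or 'blackhole'."""
    # Validation: the prefix must fall inside space registered to the
    # requesting member, so nobody can blackhole another member's addresses.
    allowed = MEMBER_PREFIXES.get(member, [])
    if not any(route.prefix.subnet_of(net) for net in allowed):
        return "reject", None
    # No blackhole community: an ordinary announcement, installed unchanged.
    if BLACKHOLE not in route.communities:
        return "accept", route
    # Blackhole request: rewrite the next hop into the discard prefix.
    return "blackhole", replace(route, next_hop=DISCARD_NEXT_HOP)

def forwards_to_discard(route):
    """True when the next hop resolves via 100::/64, i.e. the null interface."""
    return route.next_hop in DISCARD_PREFIX

if __name__ == "__main__":
    # Constructed announcement: member-a asks to discard traffic to one host.
    victim = Route(ipaddress.ip_network("2001:db8:a000::10/128"),
                   ipaddress.ip_address("2001:db8:ffff::1"),
                   frozenset({BLACKHOLE}))
    for member in ("member-a", "member-b"):
        action, installed = import_route(member, victim)
        print(member, action, installed.next_hop if installed else "-")
```

The same announcement sent by member-b is rejected before the community is ever examined, which is the property the ingress prefix filter exists to provide.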
Internet2 would like to acknowledge the Indiana Gigapop for assistance with testing the Internet2 R&E IPv6 deployment. The Indiana Gigapop assisted with testing by announcing an IPv6 address to be discarded, and revoking the announcement, using the new feature. This enabled us to confirm that it was working properly.