Can anybody help me find out whether Huawei routers support RTBH? If yes, which series supports it, and could you share the configuration details?
Hello @ManuM ! BGP Remote Triggered Black Hole is a security technique used to divert undesirable traffic from customers' routers to an appropriate point in the network (Internet border) where it can be black holed/dropped. This technique is accomplished by using a trigger router. The trigger router (in Huawei this can be an AntiDDoS solution, a kind of smart security device) will generate a BGP /32 advertisement towards all other routers and serves as a black hole for undesirable traffic. This concept may be used to create a black hole for traffic to mitigate DoS attacks at BGP AS borders.

In the first step a static route destined to the NULL0 interface must be created. The IP address used for the static route is 192.168.255.255 and for IPv6 it is 100::192.168.255.255. These IP addresses are not routable in the public Internet space. The route-policy will check if there is any prefix with mask /32 and community marked XXX:666. If this prefix exists then the route-policy will change the NEXT_HOP address to 192.168.255.255/32 or 100::192.168.255.255, which is destined to the NULL0 interface.
route-policy RP_FROM_RTBH permit node 10      // import policy from trigger router
 description BH_:666
 if-match ip-prefix GREATER24                 // prefix list should be defined
 if-match community-filter BH                 // community-filter should be defined
 apply ip-address next-hop 192.168.255.255
#
I would like to implement the RTBH method in a Huawei NE40E edge router, and my application is URL filtering. The firewall will be the RTBH trigger router, and I want to inject the null route from the firewall into the edge router based on blacklisted URLs, so the firewall can perform the URL filtering while in offline mode.
Usually, we have two choices on the edge to block the DDoS traffic that is targeting the client.
- The first one is the one described above: accepting the routes with the 666 community and redirecting them to the next-hop. Widely used.
- The second one is to create a BGP FlowSpec session, where we need to establish a new BGP SAFI (ipv4-family flow). It gives more granular filtering control on the edge, down to port level, but it is a more complicated approach and you need to cooperate with other vendors for their BGP FlowSpec details.
Please, see the links for the Huawei and other Vendors interoperability.
Appreciate your explanation of RTBH. Is there a restriction on the "trigger router"? Can an eBGP speaker with a direct connection trigger the RTBH?
I am triggering BH for 100.100.100.100/32 from an ASBR to another ASBR; the sink-hole address (NH) is 192.168.255.255.
From what I can see, the eBGP next_hop has changed to 192.168.255.255, but the prefix is "invalid for nexthop route unreachable". It looks like a recursive lookup issue on Huawei.
<SINCR0>disp ip routing-table 192.168.255.255
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table : _public_
Summary Count : 1
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
192.168.255.255/32  Static  1    0         DB    0.0.0.0         NULL0

<SINCR0>disp bgp routing-table 100.100.100.100
BGP local router ID : 172.25.4.67
Local AS number : 5511
Paths:   1 available, 0 best, 0 select, 0 best-external, 0 add-path
BGP routing table entry information of 100.100.100.100/32:
From: 10.251.87.29 (10.10.20.55)
Route Duration: 0d00h22m36s
Direct Out-interface:
Original nexthop: 192.168.255.255
Qos information : 0x0
Community: <5511:0>, no-export
AS-path 801, origin incomplete, MED 500, localpref 140, pref-val 0, external, pre 255, validation not-found, invalid for nexthop route unreachable
Not advertised to any peer yet
This is an NE40E running V800R010C10SPC500. Any comment?
An eBGP peer expects to have the direct inter-connection IP address as the next-hop. When we change it to anything else, it's not in the same subnet anymore and the router will see it as unreachable. (Cisco is different in that sense.)
I need to fool the eBGP peer session into thinking this is NOT a direct peer; ebgp multihop will do the trick. This is the same behavior on Huawei and on Juniper.
On Huawei, I need "ebgp-max-hop". On Juniper, I need "accept-remote-nexthop".
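Pulling the pieces of this thread together, here is an added configuration sketch for the NE40E side of the directly connected eBGP case discussed in the last replies; it is not from the original posts and not Huawei documentation. It adds the NULL0 sink route, the prefix list and community filter that the route-policy above refers to, and ebgp-max-hop so the rewritten next-hop is resolved recursively instead of being rejected as off-link. The peer address and AS numbers are taken from the output quoted above; the community value 65000:666 is a placeholder standing in for the thread's XXX:666.

```text
// Sink route: anything whose next-hop resolves to 192.168.255.255 is dropped
ip route-static 192.168.255.255 32 NULL0
#
// Only host routes may be black-holed; a shorter mask would take down a whole block
ip ip-prefix GREATER24 index 10 permit 0.0.0.0 0 greater-equal 32 less-equal 32
#
// Accept only routes tagged with the agreed black-hole community (placeholder value)
ip community-filter basic BH permit 65000:666
#
// Import policy from the trigger router (the route-policy from the thread, reflowed)
route-policy RP_FROM_RTBH permit node 10
 description BH_:666
 if-match ip-prefix GREATER24
 if-match community-filter BH
 apply ip-address next-hop 192.168.255.255
#
// No further node: routes that do not match node 10 are denied by the policy,
// so a trigger peer cannot black-hole anything but tagged /32s.
// If the same peer also carries normal routes, add a separate permit node for them.
#
bgp 5511
 peer 10.251.87.29 as-number 801
 // Directly connected eBGP peer: without this the rewritten next-hop is off-link
 // and the prefix shows "invalid for nexthop route unreachable"
 peer 10.251.87.29 ebgp-max-hop 2
 ipv4-family unicast
  peer 10.251.87.29 enable
  peer 10.251.87.29 route-policy RP_FROM_RTBH import
#
```

After applying it, the same two display commands quoted above should show the /32 selected with next-hop 192.168.255.255 resolving to NULL0, which is the check that the black hole is actually in the FIB.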