Refer to the topology diagram shown in the exhibit and the partial configurations shown
below.
Once the attack from 209.165.201.144/28 to 209.165.202.128/28 has been detected, which
additional configurations are required on the P1 IOS-XR router to implement source-based
remote-triggered black hole filtering?
!
router bgp 123
address-family ipv4 unicast
redistribute static route-policy test
!
A.
router static
address-family ipv4 unicast
209.165.202.128/28 null0 tag 666
192.0.2.1/32 null0 tag 667
!
route-policy test
if tag is 666 then
set next-hop 192.0.2.1
endif
if tag is 667 then
set community (no-export)
endif
end-policy
!
B.
router static
address-family ipv4 unicast
209.165.201.144/28 null0 tag 666
192.0.2.1/32 null0 tag 667
!
route-policy test
if tag is 666 then
set next-hop 192.0.2.1
endif
if tag is 667 then
set community (no-export)
endif
end-policy
!
C.
router static
address-family ipv4 unicast
209.165.201.144/28 null0 tag 666
192.0.2.1/32 null0
!
route-policy test
if tag is 666 then
set next-hop 192.0.2.1
set community (no-export)
endif
end-policy
D.
router static
address-family ipv4 unicast
209.165.202.128/28 null0 tag 666
192.0.2.1/32 null0
!
route-policy test
if tag is 666 then
set next-hop 192.0.2.1
set community (no-export)
endif
end-policy
!
Explanation:
Source-Based RTBH Filtering
With destination-based black holing, all traffic to a specific destination is dropped after the
black hole has been activated, regardless of where it is coming from. Obviously, this could
include legitimate traffic destined for the target. Source-based black holes provide the ability
to drop traffic at the network edge based on a specific source address or range of source
addresses.
If the source address (or range of addresses) of the attack can be identified (spoofed or not), it
would be better to drop all traffic at the edge based on the source address, regardless of the
destination address. This would permit legitimate traffic from other sources to reach the
target. Implementation of source-based black hole filtering depends on Unicast Reverse Path
Forwarding (uRPF), most often loose mode uRPF. Loose mode uRPF checks the packet and
forwards it if there is a route entry for the source IP of the incoming packet in the router
forwarding information base (FIB). If the router does not have an FIB entry for the source
IP address, or if the entry points to a null interface, the Reverse Path Forwarding (RPF) check
fails and the packet is dropped, as shown in Figure 2. Because uRPF validates a source IP
address against its FIB entry, dropping traffic from specific source addresses is accomplished
by configuring loose mode uRPF on the external interface and ensuring the RPF check fails
by inserting a route to the source with a next hop of Null0. This can be done by using a
trigger device to send IBGP updates. These updates set the next hop for the source IP to an
unused IP address that has a static entry at the edge, setting it to null as shown in Figure 2.
