cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1493
Views
22
Helpful
34
Replies
Beginner

Null 0

My question might sound too naive.

When would the Null0 interface act as a black hole and when for prevention of loops.

Eg:- I know in case of Enhanced Interior Gateway Routing Protocol (EIGRP), for instance, always creates a route to the Null0 interface when it summarizes a group of routes. This is basically for prevention of loop.

Similarly if I want to deny access to a particular IP or Network i can poing it to a null 0 to discard the packet.

-Sai.

34 REPLIES 34
Rising star

Re: Null 0

HI Sai, [Pls rate if Helps]

Refer the Attachment(.mht):

Use a Static Route to the Null0 Interface for Loop Prevention.

Hope i am Informative.

Do Rate if HELPS

Best Regards,

Guru Prasad R

Beginner

Re: Null 0

Hey Hi Guru,

I had already gone thru this document. My Q is still unanswered.

Thanks for the quick reply. Much appreciated.

-sai.

Hall of Fame Master

Re: Null 0

Sai

I think that I do not understand well your question. Let me explain a few things and if they do not address your question then perhaps you can clarify your question so that I understand it better.

Interface null 0 is a virtual interface, much like loopbacks are virtual interfaces. The usage of null 0 is that it is an interface to which you forward traffic when you want to not forward it outside the router. In practical terms we have 2 general usages: we may create summary routes with null 0 as the next hop or we may create routes for specific hosts or particular subnets with null 0 as the next hop.

When we create a summary route we are claiming that we can forward to some range of addresses. Within that range will be some addresses that we really can get to and there may be some addresses that we can not get to (most often because those addresses have not yet been assigned and essentially they do not exist in the network). If we create the summary with null 0 as the next hop this will work with the principle that routing is based on the longest match. So the routing table has an entry for a summary (perhaps 172.18.0.0/16) with null 0 as the next hop. And it will have some specific subnets in the routing table (perhaps 172.18.10.0/24, 172.18.33.0/24, and 172.18.55.0/24). If the router receives a packet to forward to one of these subnets (perhaps 172.18.55.26) then it finds the subnet match in the routing table and forwards toward that subnet. But if the router receives a packet for some other address (perhaps 172.18.66.22 - which really does not exist) then the entry that it finds in the routing table is the one pointing to null 0 and the router has made the correct routing decision (the real purpose of this is to not forward to the default route).

Or you may have some specific host or a particular subnet to which you do not want to forward traffic (perhaps a security concern or a matter of some corporate policy). So you can create a static route for that host or that subnet and specify null 0 as the next hop. Now when the router receives a packet for that host or that subnet it will forward to null 0 rather than forwarding toward the real destination.

HTH

Rick

Beginner

Re: Null 0

Hi Rick,

I was just waiting for your post ;)

I have always been a big fan of urs.

Thanxs for the super explaination.

From what I understand.

A null0 is used as a virtual interface if there is summarization on the local router.

A null0 acts as a black hole, if i have to block any DESTINATION FROM THE LOCAL ROUTER.

what will happen in this scenario?

I have an outside firewall machine (1.1.1.1) and the machine is compromised and the destination is 2.2.2.2.

I have a static entry as follows,

ip route 1.1.1.1 255.255.255.255 null0

will the attacker still get access to 1.1.1.1?

-Sai.

Hall of Fame Master

Re: Null 0

Sai

Thank you for the compliment. I am very glad that you enjoy and benefit from my posts.

I am not entirely clear about your follow up question. If you have an outside firewall at 1.1.1.1 I understand, but I am not so clear about destination 2.2.2.2.

But to answer the specific question: if you have

ip route 1.1.1.1 255.255.255.255 null0

then the attacker will not be able to come through this router and get to the firewall (and neither will anyone else). Any traffic coming through this router with destination 1.1.1.1 will be discarded and not forwarded.

HTH

Rick

Highlighted
Beginner

Re: Null 0

Rick,

Let me reframe. Imagine this.

I have a machine 1.1.1.1 and this is being attacked by another machine 2.2.2.2 from the internet

1.1.1.1 ---- router ---internet cloud--- 2.2.2.2

To stop 2.2.2.2 from attacking 1.1.1.1, on the router I enter a route

ip route 1.1.1.1 255.255.255.255 null 0

will the attack stop?

-Sai.

Hall of Fame Master

Re: Null 0

Sai

Thank you for reframing the question. It does help me to understand it better.

To answer your reframed question: yes if you enter that static route with null 0 then the attack will stop. Be aware that this affects not only the traffic from 2.2.2.2. With this static route in place no one will be able to access 1.1.1.1 through this router.

HTH

Rick

Hall of Fame Guru

Re: Null 0

Sai

Just to add to Rick's excellent post. The only other use for null0 routes is to allow the advertisement of a sumary route in BGP ie.

For BGP to be able to advertise a route to an EBGP peer that route must be in the IGP routing table. If you have the following summary route under your bgp config

router bgp 64521

network 10.228.1.0 mask 255.255.248.0

For this to be advertised out BGP needs to find the EXACT route in the IGP routing table. So you could make the following entry on the router

ip route 10.228.1.0 255.255.248.0 Null0

The above route is added to the IGP routing table and so BGP can advertise it out.

The other way to advertise summary addresses in BGP is to use the aggregate-address command.

HTH

Jon

Beginner

Re: Null 0

Hi Jon,

Thanxs for your time.

I am quite comfortable about the use of the Null0 as a virtual interface.

I wanted to know the use of Null0 as a black hole.

-Sai.

Hall of Fame Master

Re: Null 0

Sai

I hope that we have cleared up the use of null 0 as a black hole. This use of null 0 as a black hole is to discard traffic for some destination (could be a specific host or particular subnet) rather than forwarding toward the destination. In this case it is somewhat similar to using an access list to filter traffic. But the use of routing to null 0 does not have as much overhead as doing it with an access-list. And in essence with an access-list if you deny traffic you have created an error condition and the default behavior of the router is to send an ICMP error message indicating that the traffic is administratively prohibited. If you discard the traffic with a route to null 0 there is no error condition and no ICMP message.

HTH

Rick

Beginner

Re: Null 0

Hi Rick,

Now its clear. Here comes one more question.

Eg:- There is a EIGRP process running and I am going a per interface summarization on the router.

Upon doing a summarization, the router would automatically creates a null0 and point the summarized network towards the null0.

In this case the null0 acts as a virtual interface for loop avoidance.

why doesnt this null0 act as a BLACKHOLE then?

means why doesnt any traffic destined for the summarized network upon hitting the router gets discarded?

-Sai.

Hall of Fame Guru

Re: Null 0

Sai

Apologies if i have misunderstood but the reason the Null0 does not blackhole all traffic is because you are relying on a more specific route being present in the routing table.

Traffic coming into the router will be using the summarized route to get to the router but once at the router there should be a more specific route for it to use. If there isn't a more specific route then the traffic will be blackholed (assuming no default route is present) which is exactly the behaviour you want.

HTH

Jon

Hall of Fame Master

Re: Null 0

Sai

I had attempted to address this question in this paragraph of my previous post:

When we create a summary route we are claiming that we can forward to some range of addresses. Within that range will be some addresses that we really can get to and there may be some addresses that we can not get to (most often because those addresses have not yet been assigned and essentially they do not exist in the network). If we create the summary with null 0 as the next hop this will work with the principle that routing is based on the longest match. So the routing table has an entry for a summary (perhaps 172.18.0.0/16) with null 0 as the next hop. And it will have some specific subnets in the routing table (perhaps 172.18.10.0/24, 172.18.33.0/24, and 172.18.55.0/24). If the router receives a packet to forward to one of these subnets (perhaps 172.18.55.26) then it finds the subnet match in the routing table and forwards toward that subnet. But if the router receives a packet for some other address (perhaps 172.18.66.22 - which really does not exist) then the entry that it finds in the routing table is the one pointing to null 0 and the router has made the correct routing decision (the real purpose of this is to not forward to the default route).

Your question seems to be based on an assumption that the null 0 route will be EITHER loop avoidance OR it will be black hole (as if they are mutually exclusive functions - but they are not mutually exclusive, they are complementary functions). The null 0 route does black hole as part of doing loop avoidance.

Perhaps it may help clarify if we make the point that the summary address/loop avoidance is typically done for us automatically by the routing protocol and the black hole is typically manually configured to implement some policy.

HTH

Rick

Advocate

Re: Null 0

So your summarization routes should normally be less specific than the routes they summarize. That way, the real EIGRP routes take priority over the discard route (for those subnets they cover) because they are more specific. And anything that falls within the summary, but which is not covered by a real EIGRP route, will be blackholed down the Null0 to stop the packets from looping.

(So, in answer to the original question, the Null0 prevents loops by blackholing any traffic we don't know what to do with.)

Now, that leaves me wondering: what happens if you configure a summary route that is equal (in address and mask) to the prefix that is being received by the EIGRP? Does the Null0 route take precedence, or does the summary not happen at all? If the static Null0 route does get inserted, isn't that a disaster? Shouldn't the discard route get put into the routing table with a very high AD for this reason?

I don't have access to a lab at the moment to try this out.

Kevin Dorrell

Luxembourg

CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards