Null 0

Unanswered Question
Oct 29th, 2007

My question might sound too naive.

When would the Null0 interface act as a black hole and when for prevention of loops.

Eg:- I know that in the case of Enhanced Interior Gateway Routing Protocol (EIGRP), for instance, the router always creates a route to the Null0 interface when it summarizes a group of routes. This is basically for prevention of loops.

Similarly, if I want to deny access to a particular IP or network I can point it to Null0 to discard the packet.

-Sai.

saimbt Mon, 10/29/2007 - 04:59

Hey Hi Guru,

I had already gone through this document. My Q is still unanswered.

Thanks for the quick reply. Much appreciated.

-sai.

Richard Burts Mon, 10/29/2007 - 06:00

Sai

I think that I do not understand well your question. Let me explain a few things and if they do not address your question then perhaps you can clarify your question so that I understand it better.

Interface null 0 is a virtual interface, much like loopbacks are virtual interfaces. The usage of null 0 is that it is an interface to which you forward traffic when you want to not forward it outside the router. In practical terms we have 2 general usages: we may create summary routes with null 0 as the next hop or we may create routes for specific hosts or particular subnets with null 0 as the next hop.

When we create a summary route we are claiming that we can forward to some range of addresses. Within that range will be some addresses that we really can get to and there may be some addresses that we can not get to (most often because those addresses have not yet been assigned and essentially they do not exist in the network). If we create the summary with null 0 as the next hop this will work with the principle that routing is based on the longest match. So the routing table has an entry for a summary (perhaps 172.18.0.0/16) with null 0 as the next hop. And it will have some specific subnets in the routing table (perhaps 172.18.10.0/24, 172.18.33.0/24, and 172.18.55.0/24). If the router receives a packet to forward to one of these subnets (perhaps 172.18.55.26) then it finds the subnet match in the routing table and forwards toward that subnet. But if the router receives a packet for some other address (perhaps 172.18.66.22 - which really does not exist) then the entry that it finds in the routing table is the one pointing to null 0 and the router has made the correct routing decision (the real purpose of this is to not forward to the default route).

Or you may have some specific host or a particular subnet to which you do not want to forward traffic (perhaps a security concern or a matter of some corporate policy). So you can create a static route for that host or that subnet and specify null 0 as the next hop. Now when the router receives a packet for that host or that subnet it will forward to null 0 rather than forwarding toward the real destination.

HTH

Rick
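As an added illustration, not part of the original thread, of the longest-match behaviour Rick describes above: a small Python model of a routing table that holds the 172.18.0.0/16 summary pointing to Null0 beside the three real /24s, a default route, and the single-host black hole (1.1.1.1/32) that Sai asks about further down. The next-hop addresses, the default route and the table itself are constructed for the example and are not taken from any real router. One caveat the model does not capture: on Cisco IOS, packets dropped by a Null0 route still trigger rate-limited ICMP unreachables unless `no ip unreachables` is configured on interface Null0, so a "silent" black hole needs that extra line.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table modelled on Rick's example (not a real router dump).
# A next hop of "Null0" means the packet is discarded.
RIB = {
    "0.0.0.0/0": "203.0.113.1",      # default route to the upstream (assumed address)
    "172.18.0.0/16": "Null0",        # summary/discard route, as EIGRP would install it
    "172.18.10.0/24": "10.0.0.2",    # real subnets with assumed next hops
    "172.18.33.0/24": "10.0.0.3",
    "172.18.55.0/24": "10.0.0.4",
    "1.1.1.1/32": "Null0",           # manual black hole for one host
}


def lookup(rib, dst):
    """Longest-prefix match: the most specific route that contains dst wins."""
    dst = ip_address(dst)
    best = None
    for prefix, next_hop in rib.items():
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def forward(rib, dst):
    """Return ('forward', next_hop) or ('discard', matched_prefix) for dst."""
    route = lookup(rib, dst)
    if route is None:
        return ("discard", "no route")
    net, next_hop = route
    if next_hop == "Null0":
        return ("discard", str(net))
    return ("forward", next_hop)


if __name__ == "__main__":
    # 172.18.55.26 has a /24; 172.18.66.22 only matches the /16 discard route;
    # 192.0.2.10 falls through to the default; 1.1.1.1 hits the host black hole.
    for dst in ("172.18.55.26", "172.18.66.22", "192.0.2.10", "1.1.1.1"):
        print(dst, "->", forward(RIB, dst))
```

Removing the /16 entry from the table shows the point Rick makes about the default route: 172.18.66.22 then matches 0.0.0.0/0 and is forwarded upstream instead of being dropped locally.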

saimbt Mon, 10/29/2007 - 08:23

Hi Rick,

I was just waiting for your post ;)

I have always been a big fan of yours.

Thanks for the super explanation.

From what I understand.

A null0 is used as a virtual interface if there is summarization on the local router.

A null0 acts as a black hole, if i have to block any DESTINATION FROM THE LOCAL ROUTER.

what will happen in this scenario?

I have an outside firewall machine (1.1.1.1) and the machine is compromised and the destination is 2.2.2.2.

I have a static entry as follows,

ip route 1.1.1.1 255.255.255.255 null0

will the attacker still get access to 1.1.1.1?

-Sai.

Richard Burts Mon, 10/29/2007 - 08:28

Sai

Thank you for the compliment. I am very glad that you enjoy and benefit from my posts.

I am not entirely clear about your follow up question. If you have an outside firewall at 1.1.1.1 I understand, but I am not so clear about destination 2.2.2.2.

But to answer the specific question: if you have

ip route 1.1.1.1 255.255.255.255 null0

then the attacker will not be able to come through this router and get to the firewall (and neither will anyone else). Any traffic coming through this router with destination 1.1.1.1 will be discarded and not forwarded.

HTH

Rick

saimbt Mon, 10/29/2007 - 08:45

Rick,

Let me reframe. Imagine this.

I have a machine 1.1.1.1 and this is being attacked by another machine 2.2.2.2 from the internet

1.1.1.1 ---- router ---internet cloud--- 2.2.2.2

To stop 2.2.2.2 from attacking 1.1.1.1, on the router I enter a route

ip route 1.1.1.1 255.255.255.255 null 0

will the attack stop?

-Sai.

Richard Burts Mon, 10/29/2007 - 09:51

Sai

Thank you for reframing the question. It does help me to understand it better.

To answer your reframed question: yes if you enter that static route with null 0 then the attack will stop. Be aware that this affects not only the traffic from 2.2.2.2. With this static route in place no one will be able to access 1.1.1.1 through this router.

HTH

Rick

Jon Marshall Mon, 10/29/2007 - 06:54

Sai

Just to add to Rick's excellent post. The only other use for Null0 routes is to allow the advertisement of a summary route in BGP, i.e.

For BGP to be able to advertise a route to an EBGP peer that route must be in the IGP routing table. If you have the following summary route under your bgp config

router bgp 64521

network 10.228.1.0 mask 255.255.248.0

For this to be advertised out BGP needs to find the EXACT route in the IGP routing table. So you could make the following entry on the router

ip route 10.228.1.0 255.255.248.0 Null0

The above route is added to the IGP routing table and so BGP can advertise it out.

The other way to advertise summary addresses in BGP is to use the aggregate-address command.

HTH

Jon

saimbt Mon, 10/29/2007 - 08:28

Hi Jon,

Thanks for your time.

I am quite comfortable about the use of the Null0 as a virtual interface.

I wanted to know the use of Null0 as a black hole.

-Sai.

Richard Burts Mon, 10/29/2007 - 08:37

Sai

I hope that we have cleared up the use of null 0 as a black hole. This use of null 0 as a black hole is to discard traffic for some destination (could be a specific host or particular subnet) rather than forwarding toward the destination. In this case it is somewhat similar to using an access list to filter traffic. But the use of routing to null 0 does not have as much overhead as doing it with an access-list. And in essence with an access-list if you deny traffic you have created an error condition and the default behavior of the router is to send an ICMP error message indicating that the traffic is administratively prohibited. If you discard the traffic with a route to null 0 there is no error condition and no ICMP message.

HTH

Rick

saimbt Mon, 10/29/2007 - 21:28

Hi Rick,

Now its clear. Here comes one more question.

Eg:- There is an EIGRP process running and I am doing per-interface summarization on the router.

Upon doing a summarization, the router automatically creates a Null0 route and points the summarized network towards Null0.

In this case the Null0 acts as a virtual interface for loop avoidance.

Why doesn't this Null0 act as a BLACKHOLE then?

I mean, why doesn't any traffic destined for the summarized network get discarded upon hitting the router?

-Sai.

Jon Marshall Tue, 10/30/2007 - 01:50

Sai

Apologies if I have misunderstood, but the reason the Null0 does not blackhole all traffic is because you are relying on a more specific route being present in the routing table.

Traffic coming into the router will be using the summarized route to get to the router but once at the router there should be a more specific route for it to use. If there isn't a more specific route then the traffic will be blackholed (assuming no default route is present) which is exactly the behaviour you want.

HTH

Jon

Richard Burts Tue, 10/30/2007 - 03:43

Sai

I had attempted to address this question in this paragraph of my previous post:

When we create a summary route we are claiming that we can forward to some range of addresses. Within that range will be some addresses that we really can get to and there may be some addresses that we can not get to (most often because those addresses have not yet been assigned and essentially they do not exist in the network). If we create the summary with null 0 as the next hop this will work with the principle that routing is based on the longest match. So the routing table has an entry for a summary (perhaps 172.18.0.0/16) with null 0 as the next hop. And it will have some specific subnets in the routing table (perhaps 172.18.10.0/24, 172.18.33.0/24, and 172.18.55.0/24). If the router receives a packet to forward to one of these subnets (perhaps 172.18.55.26) then it finds the subnet match in the routing table and forwards toward that subnet. But if the router receives a packet for some other address (perhaps 172.18.66.22 - which really does not exist) then the entry that it finds in the routing table is the one pointing to null 0 and the router has made the correct routing decision (the real purpose of this is to not forward to the default route).

Your question seems to be based on an assumption that the null 0 route will be EITHER loop avoidance OR it will be black hole (as if they are mutually exclusive functions - but they are not mutually exclusive, they are complementary functions). The null 0 route does black hole as part of doing loop avoidance.

Perhaps it may help clarify if we make the point that the summary address/loop avoidance is typically done for us automatically by the routing protocol and the black hole is typically manually configured to implement some policy.

HTH

Rick

Kevin Dorrell Tue, 10/30/2007 - 04:23

So your summarization routes should normally be less specific than the routes they summarize. That way, the real EIGRP routes take priority over the discard route (for those subnets they cover) because they are more specific. And anything that falls within the summary, but which is not covered by a real EIGRP route, will be blackholed down the Null0 to stop the packets from looping.

(So, in answer to the original question, the Null0 prevents loops by blackholing any traffic we don't know what to do with.)

Now, that leaves me wondering: what happens if you configure a summary route that is equal (in address and mask) to the prefix that is being received by the EIGRP? Does the Null0 route take precedence, or does the summary not happen at all? If the static Null0 route does get inserted, isn't that a disaster? Shouldn't the discard route get put into the routing table with a very high AD for this reason?

I don't have access to a lab at the moment to try this out.

Kevin Dorrell

Luxembourg

Richard Burts Tue, 10/30/2007 - 04:39

Kevin

This is an interesting question that I have not previously investigated. I am not able to test it on routers right now (perhaps I can later) but have a couple of comments to offer.

- relative to your comment "Shouldn't the discard route get put into the routing table with a very high AD for this reason?"

the summary/discard route is put into the routing table with an AD of 5 (very low).

- so I suspect that if you did configure a summary that duplicated a learned prefix and mask that it would displace them in the route table with a route to null 0.

- if you do careless or stupid things in the configuration sometimes there are consequences. Cisco can do only so much to protect us from poor choices in doing configuration.

HTH

Rick

Jon Marshall Tue, 10/30/2007 - 04:42

Rick

You beat me to it!! I suspect the same as far as the AD goes, so as I have a bit of spare time on my hands and I have access to a lab I'll have a quick look and see what happens.

Jon

Kevin Dorrell Tue, 10/30/2007 - 05:14

Rick,

Doesn't it go into this routing table as a normal static route (AD=1), and into the neighbors' routing tables at AD=5?

Kevin

Richard Burts Tue, 10/30/2007 - 05:29

Kevin

When you configure a summary address in EIGRP it creates a route in the local routing table with AD = 5. The summary is advertised to the neighbor on the configured interface and in the routing table of the neighbor it has the normal AD = 90.

Or have I missed something in the context of the question? If we are talking about EIGRP summary there is no static route entry created. Are you asking about configuring a static route to null 0? If so the answer is quite clear that if you configure a static route to null 0 that duplicates a route learned via EIGRP the static route will certainly displace the EIGRP learned route.

HTH

Rick

Jon Marshall Tue, 10/30/2007 - 05:40

Rick

This is where I was getting confused myself because, as far as I know and I have just tested, you cannot use the "ip summary-address eigrp ..." command under the interface to direct traffic to Null0 because you can't specify the next hop with the above command.

Jon

Richard Burts Tue, 10/30/2007 - 06:14

Jon

I had overlooked this post - sorry. And I am puzzled about what you are saying. When you create the EIGRP summary you do not worry about null 0 because EIGRP will do that for us automatically.

If we create a manual static route then we must specify the next hop (in this discussion null 0). When we configure a summary-address in EIGRP then the null 0 is automatic.

From your description of the test I am assuming that you got this sorted out. Correct? Or does it need any more discussion?

HTH

Rick

Jon Marshall Tue, 10/30/2007 - 06:18

Rick

No problem, thanks for following up on this. I got my wires a bit crossed on this one but I think we have covered it all off with our other posts.

Jon

saimbt Wed, 10/31/2007 - 06:13

Hi Cisco Gurus,

I think I have puzzled you all, haven't I?

Please check it in your labs and please get back to me.

I don't have any labs and I have to rely on you guys.

-sai.

Jon Marshall Tue, 10/30/2007 - 05:30

Kevin / Rick

Bit of confusion here, maybe due to my understanding of what we are testing.

If we are talking about adding a summary route pointing to Null0, i.e.

ip route 172.16.0.0 255.255.248.0 Null0

then it goes into the routing table on that router as directly connected. Unless you have a redistribute static statement under your EIGRP config then it won't be distributed to any other router. If you did it would be distributed as EIGRP 170 (external EIGRP).

If you use the "ip summary-address eigrp..." under the interface then it gets entered as AD 5 into the local routing table. I'll have a look in lab what happens in other routers.

The test i ran

(172.16.1.1/21) R2 (192.168.10.57/24) -> (192.168.10.56/24) R1 (192.168.12.1/24) -> (192.168.12.2/24) R3 (192.168.22.1/24)

All networks were added under the EIGRP config on relevant routers and "no auto-summary" also configured.

From R3 I could ping 172.16.1.1.

Added route to R1

ip route 172.16.0.0 255.255.248.0 Null0

This replaced the existing route on R1 for 172.16.0.0/21 received from R2 and the ping failed.

If I have misunderstood the testing, is there anything else I could test while I have the lab set up?

Jon

Richard Burts Tue, 10/30/2007 - 05:44

Jon

I do not want to put words into Kevin's mouth, so if what I am saying is different from what he meant then he should clarify. I thought the question was what if you configured an EIGRP summary on an interface that happened to duplicate a route learned by EIGRP. So in your test I would be interested in what happens if R1 does not have the static to null 0 but were to configure an EIGRP summary for 172.16.0.0 255.255.248.0.

I thought it was clear - and your test confirms it - that if you configure a static route to null 0 that duplicates an existing EIGRP route it clearly will displace the EIGRP route. It is not as clear what happens if you configure an EIGRP summary, so that EIGRP creates the null 0 route. I am guessing that it will also displace the learned route. I would be interested in the results if you can test that.

HTH

Rick

Jon Marshall Tue, 10/30/2007 - 05:56

Rick

Yes, I think you interpreted the question correctly but, as you say, I don't want to put words in anybody's mouth either.

Interestingly, I added the following under the fa0/1 interface on R1

ip summary-address eigrp 172.16.0.0 255.255.248.0

It did not displace the route received from R2 and the AD for the route remained at 90.

Jon

Kevin Dorrell Tue, 10/30/2007 - 06:03

Jon,

So you are saying that the summary generates a discard route that goes into the table at AD=5. But if a real EIGRP route for the prefix comes along in the meantime, the summary discard route is no longer generated.

Is that right? That's cool: we have an AD=90 displacing an AD=5 route. So I guess it is done in the EIGRP process before it is even presented for arbitration by the AD arbitrator. A bit like the discussion we had the other day about arbitration between intra-area, inter-area, and external routes in OSPF.

Kevin Dorrell

Luxembourg

Jon Marshall Tue, 10/30/2007 - 06:21

Kevin

From the tests it does seem this way. It could be IOS dependent, I guess. What we need now is for one of the Cisco guys who has access to the code to confirm or deny that this is expected behaviour.

Where are they when you need them :)

Jon

Richard Burts Tue, 10/30/2007 - 06:09

Jon

Interesting result. I can not tell from your description of the test which interface is fa0/1 on R1. Does it face R2, R3, or does it point somewhere else?

In your test did the summary get into the routing table at all? (I am guessing from what you said that it did not).

HTH

Rick

Jon Marshall Tue, 10/30/2007 - 06:15

Rick

Apologies for that, I forgot to say which interface.

The fa0/1 interface on R1 faces R3, from where I did all the pings.

The summary route did get entered into the routing table but it was the route being advertised from R3 as it has an AD of 90. It's a bit confusing talking about summary routes here, I guess, i.e.

On R1 under fa0/1

"ip summary-address eigrp 172.16.0.0 255.255.248.0"

On R2

int fa0/1

ip address 172.16.1.1 255.255.248.0

router eigrp 1

network 172.16.0.0

no auto-summary

So I guess if we are being precise the route in the routing table on R1 for 172.16.0.0/21 is not a summary route as such.

Jon

Kevin Dorrell Tue, 10/30/2007 - 06:32

Jon,

On R2, rather than one interface on 172.16.1.1/21, can you make two loopbacks, one on 172.16.1.1/22 and the other on 172.16.5.1/22. Leave the ip summary-address eigrp 172.16.0.0 255.255.248.0 on R1 F0/1. I think R1 should have three routes:

172.16.0.0/22 via F0/1 with AD=90

172.16.4.0/22 via F0/1 with AD=90

172.16.0.0/21 via Null0 with AD=5, the discard route.

And you should be able to ping both the R2 loopbacks from R3.

Then remove the loopback on R2 with the 172.16.4.0/22, and change the mask on the 172.16.0.0/22 loopback to /21. Does the AD=5 discard route in R1 disappear and get replaced by 172.16.0.0/21 via F0/1 at AD=90?

Can you still ping the remaining loopback?

Kevin Dorrell

Luxembourg

Jon Marshall Tue, 10/30/2007 - 08:21

Kevin

Apologies for the delay, got sidetracked with work!!

It happens exactly as you suggested it would. Once you remove the 172.16.5.1/22 loopback and change the subnet mask on the 172.16.1.1/22 loopback to 255.255.248.0 then R1 removes

ip route 172.16.0.0 255.255.248.0 Null0 and replaces it with

ip route 172.16.0.0 255.255.248.0 192.168.10.57 ie. the route being received from R2.

Does seem to prove the case.

Jon
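The route-selection behaviour Jon observed in the lab (a static Null0 route at AD 1 displaces the EIGRP /21, while the AD 5 discard route generated by `ip summary-address eigrp` is not installed once an EIGRP route for exactly the same prefix exists) can be captured in a short model. This is an added example, not part of the thread and not IOS code; it only reproduces the outcomes reported above, with the thread's prefixes and R2's next hop 192.168.10.57. The three candidate lists are constructed to match the three lab states described by Jon and Kevin.

```python
from ipaddress import ip_address, ip_network

# Administrative distances as given in the thread.
AD = {"static": 1, "eigrp-summary": 5, "eigrp": 90}


def build_rib(candidates):
    """Select one route per prefix: lowest administrative distance wins.

    candidates: list of (prefix, source, next_hop).

    Models Jon's lab result: an EIGRP summary's Null0 discard route (AD 5) is
    only generated when no EIGRP route for exactly the same prefix has been
    learned, so the learned AD 90 route ends up in the table rather than the
    AD 5 discard. A static route is always a candidate and wins at AD 1.
    """
    learned = {prefix for prefix, source, _ in candidates if source == "eigrp"}
    rib = {}
    for prefix, source, next_hop in candidates:
        if source == "eigrp-summary" and prefix in learned:
            continue  # discard route suppressed by an exact-match EIGRP route
        ad = AD[source]
        if prefix not in rib or ad < rib[prefix][0]:
            rib[prefix] = (ad, source, next_hop)
    return rib


def next_hop_for(rib, dst):
    """Longest-prefix match over the selected RIB; 'Null0' means discarded."""
    dst = ip_address(dst)
    matches = [(ip_network(p), r) for p, r in rib.items() if dst in ip_network(p)]
    if not matches:
        return None
    _, (_, _, next_hop) = max(matches, key=lambda m: m[0].prefixlen)
    return next_hop


# Lab state 1: R1 has "ip route 172.16.0.0 255.255.248.0 Null0" while R2
# advertises 172.16.0.0/21 -> the static displaces the EIGRP route.
CASE_STATIC = [
    ("172.16.0.0/21", "eigrp", "192.168.10.57"),
    ("172.16.0.0/21", "static", "Null0"),
]

# Lab state 2: R2 advertises two /22 loopbacks, R1 summarises to /21 on fa0/1.
CASE_SUMMARY = [
    ("172.16.0.0/22", "eigrp", "192.168.10.57"),
    ("172.16.4.0/22", "eigrp", "192.168.10.57"),
    ("172.16.0.0/21", "eigrp-summary", "Null0"),
]

# Lab state 3: R2 merges the halves into one /21; the summary on R1 stays.
CASE_MERGED = [
    ("172.16.0.0/21", "eigrp", "192.168.10.57"),
    ("172.16.0.0/21", "eigrp-summary", "Null0"),
]

if __name__ == "__main__":
    for name, case in (("static", CASE_STATIC), ("summary", CASE_SUMMARY),
                       ("merged", CASE_MERGED)):
        rib = build_rib(case)
        print(name, rib, "172.16.1.1 ->", next_hop_for(rib, "172.16.1.1"))
```

In state 1 a ping from R3 to 172.16.1.1 dies at R1 (next hop Null0); in states 2 and 3 it is forwarded to R2, and in state 3 the /21 entry carries AD 90 from R2 rather than the AD 5 discard, which is the result Jon reported.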

Kevin Dorrell Tue, 10/30/2007 - 08:26

Jon,

Thank you very much for doing that lab experiment - I have learned something useful from it. I hope I shall be able to return the compliment some day.

For a moment there I was wondering whether you could get into trouble by summarising the same way in two different places. I'm talking about real summaries here, with a mask that is shorter than the routes it is summarising.

If you do summarize the same way in two different places, I guess router A has the discard route, and router B gets the propagated summary from router A, and therefore suppresses the discard route as we saw here. Effectively, router B does not need a discard route because it gets router A to discard the unknown subnets for it.

Kevin Dorrell

Luxembourg

Jon Marshall Wed, 10/31/2007 - 00:28

Kevin

No problem, I learned something today as well, which is what this forum is all about.

Appreciate the rating

Jon

Kevin Dorrell Tue, 10/30/2007 - 05:56

The AD=5 was a bit of a distraction, and I realise now I had misunderstood it. If I understand correctly now, the discard route goes into the local table at AD=5, and gets distributed to the other routers where it is picked up as a normal internal route and handled at AD=90.

Jon, what I was interested in knowing was what happens if you put a summary on R1 for the 172.16.0.0/21. Does it sink all the traffic on its way to R2?

I know that is a bit of an artificial test, but it could happen in the real world with a slightly different addressing scheme. Suppose, for example, R2 in your branch office had split 172.16.0.0/21 into two parts, 172.16.0.0/22 and 172.16.4.0/22, and you had summarised to 172.16.0.0/21 on R1 at HQ for administrative reasons. That would work. Then one day the local NetAdmin at the branch office decides to merge the two halves and gives you a route to 172.16.0.0/21 instead.

Kevin Dorrell

Luxembourg
