nanog mailing list archives
Re: Announcing Peering-LAN prefixes to customers
From: Andy Davidson <andy () nosignal org>
Date: Thu, 3 Jan 2019 20:08:46 +0000
Hi, Dominic --

On 20/12/2018, 17:49, Dominic Schallert <ds () schallert com> wrote:

> this might be a stupid question but today I was discussing with a colleague if Peering-LAN prefixes should be re-distributed/announced to direct customers/peers. My standpoint is that in any case, Peering-LAN prefixes should be filtered and not announced to peers/customers because a Peering-LAN represents some sort of DMZ and there is simply no need for them to be reachable by third-parties not being physically connected to an IXP themselves.

There are no stupid questions!

It is a good idea to not BGP announce and perhaps also to drop traffic toward peering LAN prefixes at customer-borders, this was already well discussed in the thread. But there wasn’t a discussion on how we got to this point.

Until the Cloudflare 2013 BGP speaker attack, that sought to flood Cloudflare’s transfer networks and exchange connectivity (and with it saturating IXP inter-switch links and IXP participant ports), it was common for IXP IPv4/6 peering LANs to be internet reachable and BGP transited. This facilitated troubleshooting (e.g. traceroutes showing peering LAN interfaces in traceroutes instead of ‘starring out’) and PMTUD (e.g. see recommendation in https://www.ripe.net/ripe/mail/archives/ipv6-wg/2011-July/001839.html which actually asked for IXP peering LANs to be announced).

There are good reasons to announce but there are better reasons to filter. The security benefits of filtering outweigh the upsides on today’s internet, but fashions and best practice may further evolve over time.

Andy

--
Andy Davidson
Director, Asteroid International BV www.asteroidhq.com
Director, Euro-IX - The European Internet Exchange Association www.euro-ix.net
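
The following is an added example, not part of the message above or of any poster's configuration. It sketches the two measures the message names, as an offline audit: rejecting peering LAN prefixes (and more-specifics of them) from a customer export list, and the matching data-plane drop at the customer border. The prefixes are constructed from documentation ranges and the function names are assumptions.

```python
import ipaddress

# Constructed sample data: documentation ranges stand in for real IXP peering LANs.
PEERING_LANS = ["192.0.2.0/24", "2001:db8:100::/64"]

# Constructed routes about to be exported on a customer BGP session.
EXPORT_CANDIDATES = [
    "198.51.100.0/24",
    "192.0.2.0/24",        # the peering LAN itself
    "192.0.2.128/25",      # more-specific carved out of the peering LAN
    "2001:db8:100::/64",   # IPv6 peering LAN
    "2001:db8:200::/48",
    "0.0.0.0/0",           # covering route: not a peering LAN announcement
]


def match_peering_lan(route, lans):
    """Return the peering LAN that `route` equals or sits inside, else None."""
    net = ipaddress.ip_network(route)
    for lan in lans:
        # subnet_of() raises TypeError across address families, so compare versions first.
        if net.version == lan.version and net.subnet_of(lan):
            return lan
    return None


def audit_export(routes, peering_lans):
    """Split export candidates into (permitted, rejected) lists of prefix strings."""
    lans = [ipaddress.ip_network(p) for p in peering_lans]
    permitted, rejected = [], []
    for route in routes:
        (rejected if match_peering_lan(route, lans) else permitted).append(route)
    return permitted, rejected


def drop_at_customer_border(dst, peering_lans):
    """Data-plane counterpart: True if a packet to `dst` would be dropped."""
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(p) for p in peering_lans)


if __name__ == "__main__":
    permitted, rejected = audit_export(EXPORT_CANDIDATES, PEERING_LANS)
    print("permit:", permitted)
    print("reject:", rejected)
    # A default route still covers the LAN, which is why the packet filter matters too.
    print("drop 192.0.2.10:", drop_at_customer_border("192.0.2.10", PEERING_LANS))
```

The default route stays in the permitted list because it is not a peering LAN announcement, yet it still gives customers a path toward the LAN; that case is covered only by the packet drop.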