nanog mailing list archives

Re: IXP


From: Chris Caputo <ccaputo () alt net>
Date: Sun, 19 Apr 2009 17:43:18 +0000 (UTC)

On Sun, 19 Apr 2009, Mikael Abrahamsson wrote:
> On Sat, 18 Apr 2009, Nick Hilliard wrote:
>> - ruthless and utterly fascist enforcement of one mac address per
>> port, using either L2 ACLs or else mac address counting, with no
>> exceptions for any reason, ever.  This is probably the single most
>> important stability / security enforcement mechanism for any IXP.
>
> Well, as long as it simply drops packets and doesn't shut the port or
> some other "fascist" enforcement. We've had AMSIX complain that our
> Cisco 12k with E5 linecard was spitting out a few tens of packets per
> day during two months with random source mac addresses. Started
> suddenly, stopped suddenly. It's ok for them to drop the packets, but
> not shut the port in a case like that.

From the IX operator perspective it is important to immediately shut down 
a port showing a packet from an extra MAC address, rather than just 
silently dropping them.  The "fascist" reason being that it is a quick and 
effective way of informing the participant that their recent maintenance 
has gone afoul.  At the SIX we have err-disable recovery set to 5 minutes 
so that the port will come back up automatically.  (sometimes only to be 
shutdown again two packets later, and usually before any BGP sessions have 
returned)

If the port is left up with the rogue packets simply being dropped, and 
the exchange sends the participant a followup email informing them of the 
problem, the participant's maintenance window may already have passed 
and so problem resolution tends to get extended.

In cases that are temporarily unfixable, such as a router bug, we have been 
known to change the port config such that the rogue packets are just 
dropped/logged rather than answered with a shutdown, but that is rare.

Chris
SIX Janitor
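The two enforcement modes described in this message (shut the port on the first extra MAC and let err-disable recovery bring it back after 5 minutes, versus drop-and-log for a port with a temporarily unfixable router bug), written out as an added example in Cisco IOS port-security syntax. This is not configuration from the SIX or from anyone in the thread; the interface names, VLAN number, pinned MAC addresses and the assumption that the exchange switch speaks IOS-style port security are mine.

```cisco
! Added example, not SIX configuration. Assumes a Cisco IOS-style switch;
! GigabitEthernet1/1 and 1/2 are hypothetical participant ports, VLAN 100
! is a hypothetical peering VLAN, and the MAC addresses are constructed.

! Global: a port err-disabled by a port-security violation clears itself
! after 300 seconds, the 5-minute recovery interval described in the thread.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
! Send a trap as well as a syslog message when a violation occurs, so the
! NOC sees the shutdown before the participant emails.
snmp-server enable traps port-security

! Default participant port: exactly one MAC, shut the port on any extra one.
interface GigabitEthernet1/1
 description IXP participant - strict one-MAC policy
 switchport mode access
 switchport access vlan 100
 switchport port-security
 switchport port-security maximum 1
 ! Pin the participant's router MAC so a learned address cannot drift.
 switchport port-security mac-address 0200.0000.0001
 ! shutdown = err-disable the port; with the recovery above it returns in 5 min.
 switchport port-security violation shutdown

! Rare exception for a port with a known router bug: frames from any other
! source MAC are dropped and counted/logged (restrict), but the port stays up
! so the BGP sessions survive. "protect" would also drop but silently.
interface GigabitEthernet1/2
 description IXP participant - temporary drop/log exception, see ticket
 switchport mode access
 switchport access vlan 100
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0200.0000.0002
 switchport port-security violation restrict
```

`show port-security interface GigabitEthernet1/2` shows the violation counter climbing on the restrict port, while on the shutdown port `show interfaces status err-disabled` lists it until the recovery timer fires.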

