Re: Announcing Peering-LAN prefixes to customers

[Ross Tajvar <ross () tajvar io>]

This brings to mind the following (old) blog post from CloudFlare:
https://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet/
Relevant excerpt here:

> Beyond attacking CloudFlare's direct peers, the attackers also attacked
> the core IX infrastructure on the London Internet Exchange (LINX), the
> Amsterdam Internet Exchange (AMS-IX), the Frankfurt Internet Exchange
> (DE-CIX), and the Hong Kong Internet Exchange (HKIX). From our perspective,
> the attacks had the largest effect on LINX which caused impact over the
> exchange and LINX's systems that monitor the exchange, as visible through
> the drop in traffic recorded by their monitoring systems. (Corrected: see
> below for original phrasing.)
> The congestion impacted many of the networks on the IXs, including
> CloudFlare's. As problems were detected on the IX, we would route traffic
> around them. However, several London-based CloudFlare users reported
> intermittent issues over the last several days. This is the root cause of
> those problems.
> The attacks also exposed some vulnerabilities in the architecture of some
> IXs. We, along with many other network security experts, worked with the
> team at LINX to better secure themselves. In doing so, we developed a list
> of best practices for any IX in order to make them less vulnerable to
> attacks.
> Two specific suggestions to limit attacks like this involve making it more
> difficult to attack the IP addresses that members of the IX use to
> interchange traffic between each other. We are working with IXs to ensure
> that: 1) these IP addresses should not be announced as routable across the
> public Internet; and 2) packets destined to these IP addresses should only
> be permitted from other IX IP addresses. We've been very impressed with the
> team at LINX and how quickly they've worked to implement these changes and
> add additional security to their IX and are hopeful other IXs will quickly
> follow their lead.


On Thu, Dec 20, 2018 at 12:51 PM Dominic Schallert <ds () schallert com> wrote:

> Hi all,
>
> this might be a stupid question but today I was discussing with a
> colleague if Peering-LAN prefixes should be re-distributed/announced to
> direct customers/peers. My standpoint is that in any case, Peering-LAN
> prefixes should be filtered and not announced to peers/customers because a
> Peering-LAN represents some sort of DMZ and there is simply no need for
> them to be reachable by third-parties not being physically connected to an
> IXP themselves. Also from a security point of view, a lot of new issues
> might occur in this situation.
>
> I’ve been seeing a few transit providers lately announcing (even
> reachable) Peering-LAN prefixes (for example DE-CIX Peering LAN) to their
> customers. I’m wondering if there is any document or RFC particularly
> describing this matter?
>
> Thanks
> Dominic