nanog mailing list archives

Re: Announcing Peering-LAN prefixes to customers


From: Steven Bakker <Steven.Bakker () ams-ix net>
Date: Fri, 21 Dec 2018 11:45:57 +0100

Hi Dominic,

On Thu, 2018-12-20 at 19:15 +0100, Dominic Schallert wrote:
Dear Job, Michael, Ross,
thank you very much for sharing your opinion, the detailed info and
references. That’s pretty much what I expected.
Just wondered because I couldn’t find any IXP Connection Agreement
stating this „issue“ explicitly yet.

Maybe MANRS IXP actions has some recommendations regarding this,
checking that now.

We don't have it in our connection agreement as such, but it is in
section 3.2 of our (admittedly aged) Configuration Guide:

https://ams-ix.net/technical/specifications-descriptions/config-guide#3.2

   3.2. Peering LAN Prefix

   The IPv4 prefix for the AMS-IX peering LAN (80.249.208.0/21) is part
   of AS1200, and is not supposed to be globally routable. This means
   the following:

     1.  Do not configure "network 80.249.208.0/21" in your router's
         BGP configuration (seriously, we have seen this happen!).
     2.  Do not redistribute the route, a supernet, or a more specific
         outside of your AS. We (AS1200) announce it with a no-export
         attribute, please honour it.

   In short, you can take the view that the Peering LAN is a link-local 
   address range and you may decide to not even redistribute it
   internally (but in that case you may want to set a static route for
   management access so you can troubleshoot peering, etc.).

AFAIK, pretty much all IXP operators take this view.

Cheers,
Steven


Best wishes and happy holidays

Cheers
Dominic


On 20.12.2018 at 19:06, Michael Still <stillwaxin () gmail com> wrote:

IXP LANs should not be announced via BGP (or your IGP either). See
section 3.1:
http://nabcop.org/index.php/BCOP-Exchange_Points_v2



On Thu, Dec 20, 2018 at 12:50 PM Dominic Schallert <
ds () schallert com> wrote:
Hi all,

this might be a stupid question but today I was discussing with a
colleague if Peering-LAN prefixes should be re-distributed/announced
to direct customers/peers. My standpoint is
that in any case, Peering-LAN prefixes should be filtered and not
announced to peers/customers because a Peering-LAN represents
some sort of DMZ and there is simply no need for them to be
reachable by third-parties not being physically connected to an
IXP themselves. Also from a security point of view, a lot of new
issues might occur in this situation.

I’ve been seeing a few transit providers lately announcing (even
reachable) Peering-LAN prefixes (for example DE-CIX Peering LAN)
to their customers. I’m wondering if there is any document or RFC
particularly describing this matter?

Thanks
Dominic


-- 
[stillwaxin () gmail com ~]$ cat .signature
cat: .signature: No such file or directory
[stillwaxin () gmail com ~]$
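
An added example, not part of the original message or of the AMS-IX guide: a pre-export audit that flags the peering LAN prefix quoted above, its more specifics and its covering supernets, plus any route carrying no-export. The route list is constructed sample data, and the `MIN_SUPERNET_LEN` cut-off (so that a default route is not treated as a peering LAN supernet) is an assumption of this example.

```python
import ipaddress

# Peering LAN prefix quoted from section 3.2 of the AMS-IX Configuration Guide.
PEERING_LAN = ipaddress.ip_network("80.249.208.0/21")
# Well-known NO_EXPORT community (RFC 1997, 0xFFFFFF01).
NO_EXPORT = "65535:65281"
# Assumption: covering routes shorter than this (e.g. 0.0.0.0/0) are ordinary
# aggregates, not "a supernet" of the peering LAN in the guide's sense.
MIN_SUPERNET_LEN = 8


def classify(prefix, lan=PEERING_LAN, min_supernet_len=MIN_SUPERNET_LEN):
    """Return 'exact', 'more-specific', 'supernet' or None for one route."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != lan.version:
        return None  # subnet_of/supernet_of raise TypeError across families
    if net == lan:
        return "exact"
    if net.subnet_of(lan):
        return "more-specific"
    if net.supernet_of(lan) and net.prefixlen >= min_supernet_len:
        return "supernet"
    return None


def audit_exports(routes):
    """routes: iterable of (prefix, communities) about to be sent over eBGP.
    Returns [(prefix, reason)] for every route that must stay inside the AS."""
    findings = []
    for prefix, communities in routes:
        kind = classify(prefix)
        if kind:
            findings.append((prefix, "peering-lan " + kind))
        elif NO_EXPORT in communities:
            findings.append((prefix, "no-export set"))
    return findings


# Constructed sample export candidates (not taken from any real router).
SAMPLE_ROUTES = [
    ("80.249.208.0/21", {NO_EXPORT}),   # the peering LAN itself
    ("80.249.210.0/24", set()),         # more specific, community stripped
    ("80.249.192.0/19", set()),         # covering supernet
    ("0.0.0.0/0", set()),               # default route: not flagged
    ("192.0.2.0/24", {NO_EXPORT}),      # unrelated route marked no-export
    ("198.51.100.0/24", set()),         # ordinary customer route
]

if __name__ == "__main__":
    for prefix, reason in audit_exports(SAMPLE_ROUTES):
        print(f"do not export {prefix}: {reason}")
```
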
