nanog mailing list archives
Re: Announcing Peering-LAN prefixes to customers
From: Steven Bakker <Steven.Bakker () ams-ix net>
Date: Fri, 21 Dec 2018 11:45:57 +0100
Hi Dominic,

On Thu, 2018-12-20 at 19:15 +0100, Dominic Schallert wrote:
> Dear Job, Michael, Ross,
>
> thank you very much for sharing your opinion, the detailed info and
> references. That’s pretty much what I expected. Just wondered because
> I couldn’t find any IXP Connection Agreement stating this „issue“
> explicitly yet. Maybe MANRS IXP actions has some recommendations
> regarding this, checking that now.

We don't have it in our connection agreement as such, but it is in section 3.2 of our (admittedly aged) Configuration Guide:

https://ams-ix.net/technical/specifications-descriptions/config-guide#3.2

3.2. Peering LAN Prefix

The IPv4 prefix for the AMS-IX peering LAN (80.249.208.0/21) is part of AS1200, and is not supposed to be globally routable. This means the following:

1. Do not configure "network 80.249.208.0/21" in your router's BGP configuration (seriously, we have seen this happen!).
2. Do not redistribute the route, a supernet, or a more specific outside of your AS. We (AS1200) announce it with a no-export attribute, please honour it.

In short, you can take the view that the Peering LAN is a link-local address range and you may decide to not even redistribute it internally (but in that case you may want to set a static route for management access so you can troubleshoot peering, etc.).

AFAIK, pretty much all IXP operators take this view.

Cheers,
Steven

> Best wishes and happy holidays
> Cheers
> Dominic
>
> On 20.12.2018 at 19:06, Michael Still <stillwaxin () gmail com> wrote:
> > IXP LANs should not be announced via BGP (or your IGP either). See
> > section 3.1:
> > http://nabcop.org/index.php/BCOP-Exchange_Points_v2
> >
> > On Thu, Dec 20, 2018 at 12:50 PM Dominic Schallert <ds () schallert com> wrote:
> > > Hi all,
> > >
> > > this might be a stupid question but today I was discussing with a
> > > colleague if Peering-LAN prefixes should be re-distributed/announced
> > > to direct customers/peers. My standpoint is that in any case,
> > > Peering-LAN prefixes should be filtered and not announced to
> > > peers/customers because a Peering-LAN represents some sort of DMZ
> > > and there is simply no need for them to be reachable by
> > > third-parties not being physically connected to an IXP themselves.
> > > Also from a security point of view, a lot of new issues might occur
> > > in this situation.
> > >
> > > I’ve been seeing a few transit providers lately announcing (even
> > > reachable) Peering-LAN prefixes (for example DE-CIX Peering LAN) to
> > > their customers. I’m wondering if there is any document or RFC
> > > particularly describing this matter?
> > >
> > > Thanks
> > > Dominic
> >
> > --
> > [stillwaxin () gmail com ~]$ cat .signature
> > cat: .signature: No such file or directory
> > [stillwaxin () gmail com ~]$
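
Added example, not part of the original message or of any AMS-IX tooling: a check that audits a list of prefixes a router would export to a customer or peer and flags anything that is the peering LAN quoted above, a more specific of it, or a supernet covering it. The sample export list is constructed, and skipping the default route when looking for supernets is an assumption of this example.

```python
import ipaddress

# From the message above: the AMS-IX IPv4 peering LAN.
# Extend with the LANs of every IXP you connect to.
PEERING_LANS = [ipaddress.ip_network("80.249.208.0/21")]

def classify(prefix, lan):
    """Relation of an announced prefix to a peering LAN, or None if unrelated."""
    if prefix.version != lan.version:
        return None                      # subnet_of() raises across IP versions
    if prefix == lan:
        return "exact"
    if prefix.subnet_of(lan):
        return "more-specific"
    if lan.subnet_of(prefix):
        return "supernet"
    return None

def audit_exports(prefixes, lans=PEERING_LANS, ignore_default=True):
    """Return (prefix, lan, relation) for every export that leaks a peering LAN.

    ignore_default is an assumption of this example: a default route covers
    every address, so it is not reported as a supernet of the LAN.
    """
    findings = []
    for text in prefixes:
        net = ipaddress.ip_network(text, strict=False)
        if ignore_default and net.prefixlen == 0:
            continue
        for lan in lans:
            relation = classify(net, lan)
            if relation:
                findings.append((str(net), str(lan), relation))
    return findings

# Constructed sample: prefixes selected for export on a customer session.
SAMPLE_EXPORTS = [
    "0.0.0.0/0",          # default route, skipped by default
    "192.0.2.0/24",       # unrelated documentation prefix
    "80.249.208.0/21",    # the peering LAN itself
    "80.249.210.0/24",    # more specific inside the LAN
    "80.249.208.0/20",    # supernet covering the LAN
    "80.249.216.0/21",    # adjacent /21, does not overlap
    "2001:db8::/32",      # IPv6, not compared against an IPv4 LAN
]

if __name__ == "__main__":
    for prefix, lan, relation in audit_exports(SAMPLE_EXPORTS):
        print(f"LEAK {prefix}: {relation} of peering LAN {lan}")
```
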