nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Announcing Peering-LAN prefixes to customers

From: Job Snijders <job () instituut net>
Date: Wed, 16 Jan 2019 11:06:06 +0300
On Wed, Jan 16, 2019 at 10:56 Mark Tinka <mark.tinka () seacom mu> wrote:


On 3/Jan/19 22:08, Andy Davidson wrote:


There are no stupid questions!  It is a good idea to not BGP announce

and perhaps also to drop traffic toward peering LAN prefixes at
customer-borders, this was already well discussed in the thread.  But there
wasn’t a discussion on how we got to this point. Until the Cloudflare 2013
BGP speaker attack, that sought to flood Cloudflare’s transfer networks and
exchange connectivity (and with it saturating IXP inter-switch links and
IXP participant ports), it was common for IXP IPv4/6 peering LANs to be
internet reachable and BGP transited.

That's interesting to learn.

Running a few exchange points in Africa since 2002, the news was that
the exchange point LAN should not be visible anywhere on the Internet.
It would be interesting to know that this wasn't the case in other parts
of the world.




Some IX’s use a globally reachable peering lan prefix as a convenience for
their participants as “poor man’s out-of-band”, or can’t designate a
separate /24 for the IXP’s website / public services.

I can see some use cases, but in today’s internet landscape the practice
just increases the attack surface, so it’s not the Best Current Practise.

Kind regards,

Job
Previous By Date Next
Previous By Thread Next

Current thread: