Tuesday, 3 December 2013, 13:04 +01:00 from Alessandro Brega 
<alessandro.bre...@gmail.com>:
>Hi guys,
>right now I have a quagga router, but I'm open to switch to bird if it makes 
>sense and helps me with my problem below.
>My router has two transit neighbors and announcing my own IP space. I recently 
>joined a public peering exchange (IXP) and so I'm part of their local network 
>(/24), together with all other participants. So far everything works fine.
>Now for security I wonder if other participants could not simply route all 
>their outgoing traffic through me? For example what happens if any other 
>participant would point a default route to my IXP ip. If I understand 
>correctly all outgoing traffic from that participant would then go to my 
>router which would route it to the internet using my transit uplink, right?
>So I wonder if I have to take any measures against it. My ideas are:
>* Setup firewall (iptables) rules so that only traffic with a destination of my 
>own IP space is accepted from other IXP participants. Drop any other traffic 
>from IXP participants.
>* Somehow make quagga use a different kernel routing table for each neighbor (or 
>peer-group). The routing table for the IXP neighbors would not contain any 
>entries except for my own IP space and so no routing using my ip transit 
>uplinks would occur. Looking at the output of ip rule show shows quagga is not 
>doing this automatically? Would bird do this automatically?

Not sure about quagga and multiple kernel routing tables (at least without an 
external patch), but BIRD supports multiple routing tables internally and each 
internal table could be attached to and synchronized with the kernel. By using 
Linux PBR (Policy-Based Routing) mechanisms (see ip-rule(8) for more 
information) you could accomplish the task in your second setup (different 
kernel routing tables).

A minimal PBR config might look like this:
-----------------------------------------------------

ip -4 rule add pref 10000 iif <iface2ixp> table ixp
ip -4 rule add pref 10000 iif lo from <ip_on_iface2ixp> table ixp

(do not forget to add mapping between symbolic name of the routing table "ixp" 
and routing table number to /etc/iproute2/rt_tables)

In the BIRD configuration you should create a routing table instance and attach 
a kernel syncer protocol to it (kernel protocol).
Populate the routing table with at least the following routes: the directly 
connected network on <iface2ixp> (needed to establish sessions with the IXP RSes, 
for example), routes to your IP space, and a blackhole default route (to match 
everything else not in the table and drop the traffic).

>Am I on the right track? How do other routers like bird or hardware routers 
>(cisco, juniper, ..) deal with this problem?

>Thank you for any help!
>Alessandro

--
SP5474-RIPE
Sergey Popovich
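A worked BIRD configuration for the table layout described in the reply above, as an added example (BIRD 1.x syntax; this is not Sergey's or the BIRD project's own config). It assumes eth1 faces the IXP LAN 203.0.113.0/24, own address space is 198.51.100.0/22, and /etc/iproute2/rt_tables maps "ixp" to table number 100; all of those values are placeholders.

```bird
# Added example, not from the original thread.
# Assumed: eth1 = IXP-facing interface, IXP LAN = 203.0.113.0/24,
# own space = 198.51.100.0/22, rt_tables contains "100 ixp".
router id 192.0.2.1;

# Internal table that the "ip rule ... table ixp" entries will hit
table ixp;

protocol device {
  scan time 10;
}

# Keep the internal table in sync with kernel table 100 (= "ixp")
protocol kernel kernel_ixp {
  table ixp;
  kernel table 100;
  import none;        # never learn kernel routes into this table
  export all;         # push everything in "ixp" to the kernel
  scan time 10;
}

# The only static entries the IXP-facing table should carry
protocol static static_ixp {
  table ixp;
  # Directly connected IXP LAN, needed to reach the route servers
  route 203.0.113.0/24 via "eth1";
  # Blackhole default: anything not matched above is dropped, so a
  # participant pointing a default route at us gets no transit
  route 0.0.0.0/0 blackhole;
}

# Copy only own prefixes from the master table into "ixp"
# (assumes master already holds them, e.g. via direct/static/BGP)
protocol pipe pipe_own {
  table ixp;
  peer table master;
  import where net ~ [ 198.51.100.0/22+ ];   # master -> ixp
  export none;                               # nothing from ixp back
}
```

After loading it, `birdc show route table ixp` should list only the IXP LAN, the own-space prefixes and the blackhole default; a destination outside own space looked up with `ip route get <dst> from <ip_on_iface2ixp> iif <iface2ixp>` should resolve to the blackhole.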