On Thu, 22 Apr 2004, James wrote:

> > 1. Backbone addresses: ISPs that hide interface addresses and/or primary
> > loopback addresses, and best practices for doing so? (e.g. traceroutes don't
> > break, but the router uses say Loopback1 address to respond to them, while iBGP
> > uses Loopback0. All Loopback0 address blocks can be filtered at borders.)
>
> since ibgp's should be peered w/ loopbacks, loopback protection is all
> needed as far as this bgp hysteria goes.

no! these are so easy to find!!!!

$ host 65.116.132.145
145.132.116.65.in-addr.arpa domain name pointer lo0.b1.box2.twdx.net.

>
> so loopback0 with "secret" addresses for ibgp peering, use a loopback1
> to publish router ip addrs to public via looking glass, etc.
>
> next thing to protect is customer ebgp sessions. some providers don't even
> route the p2p /30 links used between cust and their backbone (i.e. Sprint).
> so that's up to you.
>
> some backbones even filter all traffic destined to backbone prefixes at
> ingress points (border routers, cust edge routers)... for example.. att
> being one. for example, here comes random test:
>
> starbucks blahdy $ traceroute -M 8 12.123.205.65
> traceroute to 12.123.205.65 (12.123.205.65), 64 hops max, 44 byte packets
>  8  jfk-brdr-02.inet.qwest.net (205.171.230.21)  6.404 ms  6.138 ms  6.145 ms
>  9  * qwest-gw.n54ny.ip.att.net (192.205.32.169)  6.465 ms !X *
>
>
> all above options don't necessarily break traceroute as long as you implement
> it with care...
>
> -J
>
>
> > 2. Public IX addresses: ISPs that do not redistribute the IX prefix into their
> > iBGP or IGP and do not use external next-hops (except local to the connected
> > border router), but instead use the loopback of the border router when propagating
> > these routes within their iBGP mesh. This should not break traceroutes "through"
> > the exchange, but will break any traffic such as ping, spoofed packets, etc. to
> > the exchange from a non-connected router.
> >
> > Can anyone provide pro/con, better description of config templates for doing this,
> > and/or discussion of major networks that choose to do this, or not do this?
> >
> > Cheers,
> > -Lane
> >
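The practice James describes (drop everything destined to backbone prefixes at the ingress points, so a probe aimed at a router address gets an ICMP admin-prohibited `!X` while transit traceroutes still work) combined with the Loopback0/Loopback1 split from Lane's question, as an added example that is not part of the thread and not any provider's actual configuration. It models an ingress infrastructure ACL as a first-match rule list, evaluates constructed sample packets against it, and renders the same rules as IOS-style extended ACL lines. The address plan (RFC 5737 documentation ranges standing in for Loopback0, Loopback1, backbone links and customer /30s), the ACL name `INFRA-IN`, and every sample packet are constructed for the example. It only models the external-facing ingress direction: iBGP sessions between Loopback0 addresses arrive on backbone-facing interfaces where this filter is not applied.

```python
"""Model of an ingress infrastructure ACL of the kind the thread describes.

Added example, not code from the original NANOG thread. The address plan is
constructed from RFC 5737 documentation ranges and is hypothetical:
  Loopback0 block : iBGP peering addresses, never reachable from outside
  Loopback1 block : "public" router addresses (traceroute/ICMP, looking glass)
  backbone p2p    : router-to-router link addresses
  customer p2p    : /30s between customer CPE and the provider edge
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

ANY = ip_network("0.0.0.0/0")

# Constructed, hypothetical address plan (RFC 5737 ranges).
LOOPBACK0 = ip_network("192.0.2.0/26")
LOOPBACK1 = ip_network("192.0.2.64/26")
BACKBONE_P2P = ip_network("198.51.100.0/24")
CUSTOMER_P2P = ip_network("203.0.113.0/24")
INFRASTRUCTURE = [LOOPBACK0, LOOPBACK1, BACKBONE_P2P, CUSTOMER_P2P]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return ip_address(p.src) in self.src and ip_address(p.dst) in self.dst


def build_ingress_acl() -> List[Rule]:
    """ACL applied inbound on customer- and peer-facing interfaces.

    Ordering matters: the few exceptions come first, then a blanket deny of
    everything destined to infrastructure, then a permit for transit traffic.
    """
    acl: List[Rule] = [
        # Customer eBGP: the far end of a customer /30 may open BGP to our end.
        # (Coarse on purpose; a real deployment would list each /30 separately.)
        Rule("permit", "tcp", CUSTOMER_P2P, CUSTOMER_P2P, 179),
        # Loopback1 is the address routers answer traceroute/ping from, so it
        # stays pingable; nothing else on it is needed from outside.
        Rule("permit", "icmp", ANY, LOOPBACK1),
    ]
    # Everything else aimed at router addresses is dropped at the edge. This
    # covers Loopback0 (iBGP), link addresses and the customer /30s themselves.
    acl += [Rule("deny", "ip", ANY, net) for net in INFRASTRUCTURE]
    # Transit traffic to customer and downstream prefixes is unaffected.
    acl.append(Rule("permit", "ip", ANY, ANY))
    return acl


def evaluate(acl: List[Rule], p: Packet) -> str:
    """First-match semantics with an implicit deny at the end."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


def _ios_net(net: IPv4Network) -> str:
    # IOS extended ACLs take network + wildcard mask; 0.0.0.0/0 is "any".
    return "any" if net == ANY else f"{net.network_address} {net.hostmask}"


def render_ios(acl: List[Rule], name: str = "INFRA-IN") -> List[str]:
    """Render the rule list as IOS-style extended ACL lines."""
    lines = [f"ip access-list extended {name}"]
    for r in acl:
        line = f" {r.action} {r.proto} {_ios_net(r.src)} {_ios_net(r.dst)}"
        if r.dport is not None:
            line += f" eq {r.dport}"
        lines.append(line)
    return lines


if __name__ == "__main__":
    acl = build_ingress_acl()
    print("\n".join(render_ios(acl)))
    samples = [  # constructed packets arriving from a customer at 203.0.113.2
        Packet("203.0.113.2", "203.0.113.1", "tcp", 179),    # customer eBGP
        Packet("203.0.113.2", "192.0.2.5", "tcp", 179),      # BGP at a Loopback0
        Packet("203.0.113.2", "192.0.2.70", "icmp"),         # ping a Loopback1
        Packet("203.0.113.2", "192.0.2.70", "tcp", 22),      # ssh to a Loopback1
        Packet("203.0.113.2", "198.51.100.9", "udp", 33434), # probe at a backbone link
        Packet("203.0.113.2", "100.64.0.5", "udp", 33434),   # transit probe (downstream prefix)
    ]
    for p in samples:
        print(f"{evaluate(acl, p):6s} {p}")
```

The sample packets show the property the thread is after: a traceroute probe that transits the network is permitted (the router's TTL-exceeded reply is generated by the router itself and is not subject to this inbound filter, so the trace still works), while a probe or BGP SYN aimed directly at a backbone or Loopback0 address is dropped at the first border it reaches, which is what the `!X` at hop 9 in James's trace looks like from the outside. The Loopback1 exception is deliberately ICMP-only. Providers that do not route the customer /30s at all, as James notes some do, get the same effect for those addresses without needing the deny lines for them.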