First of all, I agree with Leo that not advertising IX prefixes permanently causes more problems than it solves.
> Even if the exchange does not advertise the exchange LAN, it's probably
> the case that it is in the IGP (or at least IBGP) of everyone connected
> to it

Well, if I peered with such an ISP at London and Frankfurt, I could create a GRE tunnel from London to Frankfurt via the other ISP and use it to transport packets that would otherwise have to traverse my backbone. Or if my peer has a router at the IX that happens to have a full routing view, I can just point a static default toward it and have free transit.

Check out: http://www.bcp38.info

adam

-----Original Message-----
From: Leo Bicknell [mailto:bickn...@ufp.org]
Sent: Thursday, April 04, 2013 9:29 PM
To: NANOG
Subject: Re: route for linx.net in Level3?

In a message written on Thu, Apr 04, 2013 at 02:57:11PM -0400, Jay Ashworth wrote:
> Yes. In the fallout from the Cloudflare attack of last week it was
> announced that several IXs were going to stop advertising the address
> space of their peering lan, which properly does not need to be
> advertised anyway.

Well, now that's a big maybe.

I was a big advocate for the peering exchanges each having their own ASN and announcing the peering block back in the day, and it seems people may have forgotten some of the issues with unadvertised peering exchange blocks.

It breaks traceroute for many people: The ICMP TTL Unreachable will come from a non-routed network (the exchange LAN). If it crosses another network boundary doing uRPF, even in loose mode, those unreachables will be dropped. It also reduces the utility of a tool like MTR. Without the ICMP responses it won't know where to ping, and even if it receives the ICMP it's likely packets towards the LAN IPs will be dropped with no route to host.

It has the potential to break PMTU discovery for many people: If a router is connected to the exchange and a lower MTU link, a packet coming in with DF set will get an ICMP would-fragment reply. Most vendors source from the input interface, e.g. the exchange IP. Like the traceroute case, if it crosses another network boundary doing uRPF, even in loose mode, those ICMP messages will be lost, resulting in a PMTU black hole. Some vendors have knobs to force the ICMP to be emitted from a loopback, but not all. People would have to turn it on.

But hey, this is a good thing because a DDOS caused issues, right? Well, not so much. Even if the exchange does not advertise the exchange LAN, it's probably the case that it is in the IGP (or at least IBGP) of everyone connected to it, and by extension all of their customers with a default route pointed at them. For the most popular exchanges (AMS-IX, for instance) I suspect the percentage of end users who can reach the exchange LAN without it being explicitly routed to be well over 80%, perhaps into the upper 90% range. So when those boxes DDOS, they are going to all DDOS the LAN anyway.

Security through obscurity does not work. This is going to annoy some people just trying to do their day job, and not make a statistical difference to the attackers trying to take out infrastructure.

How about we all properly implement BCP 38 instead?

-- 
Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
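The following is an added example, not code from either poster or from any IX: a toy model of the two unicast RPF modes from RFC 3704, used to show both of Leo's points at once. First, an ICMP TTL-exceeded (or would-fragment) message sourced from an unadvertised exchange LAN address has no FIB entry at the next network boundary, so even loose-mode uRPF drops it; advertising the IX block makes the same message pass. Second, BCP 38 done as strict-mode uRPF on a customer-facing port rejects packets whose source does not route back out that port, regardless of what the destination is. All prefixes (RFC 5737 documentation space), interface names, packets and the `Router`/`Packet` classes are constructed for this illustration; the FIB deliberately has no default route, as on a DFZ router.

```python
"""Toy uRPF model (added example, not from the NANOG thread)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str        # source address as it arrives on the wire
    dst: str
    in_iface: str   # interface the packet was received on
    kind: str       # e.g. "icmp-ttl-exceeded" or "tcp"


class Router:
    """Minimal FIB plus the loose and strict uRPF checks of RFC 3704."""

    def __init__(self) -> None:
        # prefix -> outgoing interface. No default route: on a DFZ router
        # there is none, and on most platforms a default would not satisfy
        # uRPF anyway unless explicitly allowed.
        self.fib: Dict[ipaddress.IPv4Network, str] = {}

    def add_route(self, prefix: str, iface: str) -> None:
        self.fib[ipaddress.ip_network(prefix)] = iface

    def lookup(self, ip: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
        """Longest-prefix match; None if the address is unrouted."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, iface in self.fib.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best

    def urpf_loose(self, pkt: Packet) -> bool:
        """Loose mode: accept if the FIB holds *any* route to the source."""
        return self.lookup(pkt.src) is not None

    def urpf_strict(self, pkt: Packet) -> bool:
        """Strict mode (BCP 38 on a customer port): the best route back to
        the source must leave via the interface the packet came in on."""
        route = self.lookup(pkt.src)
        return route is not None and route[1] == pkt.in_iface


# Constructed addressing (RFC 5737 documentation prefixes)
IX_LAN = "192.0.2.0/24"          # the exchange's peering LAN
REMOTE_NET = "198.51.100.0/24"   # some network learned from a peer
CUSTOMER_NET = "203.0.113.0/24"  # our downstream customer's assignment


def build_border_router(ix_lan_advertised: bool) -> Router:
    """Our border router: peer0 faces the rest of the world, cust0 a customer."""
    r = Router()
    r.add_route(REMOTE_NET, "peer0")
    r.add_route(CUSTOMER_NET, "cust0")
    if ix_lan_advertised:
        r.add_route(IX_LAN, "peer0")   # IX block learned via BGP
    return r


def icmp_from_ix_passes_loose_urpf(ix_lan_advertised: bool) -> bool:
    """Does a traceroute TTL-exceeded (or a PMTUD would-fragment) sourced
    from an IX LAN address survive loose uRPF on our peer-facing port?"""
    r = build_border_router(ix_lan_advertised)
    ttl_exceeded = Packet(src="192.0.2.10", dst="203.0.113.5",
                          in_iface="peer0", kind="icmp-ttl-exceeded")
    return r.urpf_loose(ttl_exceeded)


def customer_port_decisions() -> Dict[str, bool]:
    """BCP 38 on the customer-facing port: strict uRPF accepts only sources
    inside the customer's own prefix, so a forged source is dropped at the
    edge before it can reach anything, the IX LAN included."""
    r = build_border_router(ix_lan_advertised=True)
    legit = Packet("203.0.113.5", "198.51.100.1", "cust0", "tcp")
    spoofed = Packet("198.51.100.7", "192.0.2.10", "cust0", "udp")
    return {"legit": r.urpf_strict(legit), "spoofed": r.urpf_strict(spoofed)}


if __name__ == "__main__":
    for advertised in (False, True):
        print(f"IX LAN advertised={advertised}: ICMP from IX passes loose uRPF ->",
              icmp_from_ix_passes_loose_urpf(advertised))
    print("BCP 38 strict uRPF on cust0:", customer_port_decisions())
```

Run it as-is: with the IX LAN unadvertised the ICMP is dropped (`False`), with it advertised the same message passes (`True`), and on the customer port the legitimate packet is accepted while the forged source is rejected. The loopback-sourcing knob Leo mentions would change the `src` of the ICMP to a routed address and make the first case pass without the IX block being in the DFZ.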