best practice for advertising peering fabric routes

Dobbins, Roland rdobbins at arbor.net
Wed Jan 15 06:02:41 UTC 2014


On Jan 15, 2014, at 11:41 AM, Patrick W. Gilmore <patrick at ianai.net> wrote:

> I repeat: NEVER EVER EVER put an IX prefix into BGP, IGP, or even static route. An IXP LAN should not be reachable from any device except those directly attached to that LAN. Period.

+1

Again, folks, this isn't theoretical.  When the particular attacks cited in this thread were taking place, I was astonished that the IXP infrastructure routes were even being advertised outside of the IXP network, because of these very issues.

IXPs are not the problem when it comes to breaking PMTU-D.  The problem is largely with enterprise networks, and with 'security' vendors who've propagated the myth that simply blocking all ICMP somehow increases 'security'.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
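Two defender-side checks that follow from the points above, as an added example that is not part of this post or of any NANOG-provided code: the first flags any prefix a router is about to advertise that overlaps an IXP peering LAN (the LAN itself, a more-specific of it, or a covering aggregate that would make it reachable), and the second evaluates an ICMP filter policy to confirm that the messages PMTU discovery depends on (IPv4 Fragmentation Needed, ICMPv6 Packet Too Big) still pass. The IXP LAN and advertised prefixes are constructed from documentation ranges, not any real exchange, and the ACL model (a list of rules, first match wins, implicit deny at the end) is a simplifying assumption rather than any vendor's syntax.

```python
"""Peering-hygiene checks: IXP-prefix leaks and PMTUD-safe ICMP filtering."""
import ipaddress

# Constructed sample IXP peering LANs (RFC 5737 / RFC 3849 documentation ranges).
IXP_LANS = ["198.51.100.0/24", "2001:db8:ffff::/64"]

# Constructed sample of what a router is about to advertise to peers/upstreams.
ADVERTISED = [
    "203.0.113.0/24",       # legitimate customer aggregate
    "198.51.100.0/24",      # the IXP LAN itself: leak
    "198.51.100.0/25",      # more-specific of the IXP LAN: leak
    "198.51.0.0/16",        # covering aggregate that makes the LAN reachable: leak
    "2001:db8:1::/48",      # legitimate
    "2001:db8:ffff::/48",   # covers the v6 IXP LAN: leak
]


def ixp_prefix_leaks(advertised, ixp_lans):
    """Return (advertised_prefix, ixp_lan) pairs for every overlap, in advertised order.

    Overlap is checked in both directions: advertising a covering aggregate is as
    much a leak as advertising the LAN or a more-specific of it.
    """
    lans = [ipaddress.ip_network(l, strict=False) for l in ixp_lans]
    leaks = []
    for prefix in advertised:
        net = ipaddress.ip_network(prefix, strict=False)
        for lan in lans:
            if net.version == lan.version and net.overlaps(lan):
                leaks.append((prefix, str(lan)))
    return leaks


# ICMP messages that must survive any ICMP filter if PMTUD is to work.
PMTUD_REQUIRED = [
    ("icmp", 3, 4),    # IPv4 Destination Unreachable, code 4: Fragmentation Needed
    ("icmpv6", 2, 0),  # ICMPv6 type 2: Packet Too Big
]


def _matches(rule, proto, itype, code):
    # A rule with no "type"/"code" key matches any type/code of that protocol.
    return (rule["proto"] == proto
            and rule.get("type") in (None, itype)
            and rule.get("code") in (None, code))


def evaluate(policy, proto, itype, code):
    """First-match evaluation with implicit deny (assumed ACL model)."""
    for rule in policy:
        if _matches(rule, proto, itype, code):
            return rule["action"] == "permit"
    return False


def pmtud_blocked(policy):
    """Return the PMTUD-critical messages this policy would drop."""
    return [m for m in PMTUD_REQUIRED if not evaluate(policy, *m)]


# Constructed policies: the "block all ICMP" myth versus a PMTUD-safe equivalent.
BLOCK_ALL_ICMP = [
    {"action": "deny", "proto": "icmp"},
    {"action": "deny", "proto": "icmpv6"},
]

PMTUD_SAFE = [
    {"action": "permit", "proto": "icmp", "type": 3, "code": 4},
    {"action": "permit", "proto": "icmpv6", "type": 2},
    {"action": "deny", "proto": "icmp"},
    {"action": "deny", "proto": "icmpv6"},
]


if __name__ == "__main__":
    for prefix, lan in ixp_prefix_leaks(ADVERTISED, IXP_LANS):
        print(f"LEAK: {prefix} overlaps IXP LAN {lan}")
    print("block-all-ICMP drops:", pmtud_blocked(BLOCK_ALL_ICMP))
    print("PMTUD-safe policy drops:", pmtud_blocked(PMTUD_SAFE))
```

The prefix check is meant to run against a router's outbound advertisements (or equally against what is accepted from a peer), with the IXP's published LAN prefixes as input; anything it returns should be covered by an explicit deny in the corresponding prefix-list before the session comes up.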
