Announcing Peering-LAN prefixes to customers

Steven Bakker Steven.Bakker at ams-ix.net
Fri Dec 21 10:45:57 UTC 2018


Hi Dominic,

On Thu, 2018-12-20 at 19:15 +0100, Dominic Schallert wrote:
> Dear Job, Michael, Ross,
> thank you very much for sharing your opinion, the detailed info and
> references. That’s pretty much what I expected.
> Just wondered because I couldn’t find any IXP Connection Agreement
> stating this „issue“ explicitly yet.
> 
> Maybe MANRS IXP actions has some recommendations regarding this,
> checking that now.

We don't have it in our connection agreement as such, but it is in
section 3.2 of our (admittedly aged) Configuration Guide:

https://ams-ix.net/technical/specifications-descriptions/config-guide#3.2

   3.2. Peering LAN Prefix

   The IPv4 prefix for the AMS-IX peering LAN (80.249.208.0/21) is part
   of AS1200, and is not supposed to be globally routable. This means
   the following:

     1.  Do not configure "network 80.249.208.0/21" in your router's
         BGP configuration (seriously, we have seen this happen!).
     2.  Do not redistribute the route, a supernet, or a more specific
         outside of your AS. We (AS1200) announce it with a no-export
         attribute, please honour it.

   In short, you can take the view that the Peering LAN is a link-local 
   address range and you may decide to not even redistribute it
   internally (but in that case you may want to set a static route for
   management access so you can troubleshoot peering, etc.).

AFAIK, pretty much all IXP operators take this view.

Cheers,
Steven


> Best wishes and happy holidays
> 
> Cheers
> Dominic
> 
> 
> > On 20.12.2018 at 19:06, Michael Still <stillwaxin at gmail.com>
> > wrote:
> > 
> > IXP LANs should not be announced via BGP (or your IGP either). See
> > section 3.1:
> > http://nabcop.org/index.php/BCOP-Exchange_Points_v2
> > 
> > 
> > 
> > On Thu, Dec 20, 2018 at 12:50 PM Dominic Schallert <
> > ds at schallert.com> wrote:
> > > Hi all,
> > > 
> > > this might be a stupid question but today I was discussing with a
> > > colleague if Peering-LAN prefixes should be re-
> > > distributed/announced to direct customers/peers. My standpoint is
> > > that in any case, Peering-LAN prefixes should be filtered and not
> > > announced to peers/customers because a Peering-LAN represents
> > > some sort of DMZ and there is simply no need for them to be
> > > reachable by third-parties not being physically connected to an
> > > IXP themselves. Also from a security point of view, a lot of new
> > > issues might occur in this situation.
> > > 
> > > I’ve been seeing a few transit providers lately announcing (even
> > > reachable) Peering-LAN prefixes (for example DE-CIX Peering LAN)
> > > to their customers. I’m wondering if there is any document or RFC
> > > particularly describing this matter?
> > > 
> > > Thanks
> > > Dominic
> > 
> > 
> > -- 
> > [stillwaxin at gmail.com ~]$ cat .signature
> > cat: .signature: No such file or directory
> > [stillwaxin at gmail.com ~]$
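
An added example, not part of the original message or of AMS-IX's guide: one way to audit a list of exported prefixes against rule 2 of the Configuration Guide excerpt quoted above (the route itself, a supernet, or a more specific). The sample export list is constructed, and skipping the default route is an assumption of this sketch.

```python
import ipaddress

# Peering LAN prefix quoted in the AMS-IX Configuration Guide excerpt above.
PEERING_LAN = ipaddress.ip_network("80.249.208.0/21")


def classify(prefix, lan=PEERING_LAN):
    """Return how `prefix` relates to the peering LAN, or None if unrelated."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != lan.version:
        return None  # subnet_of/supernet_of raise TypeError across families
    if net == lan:
        return "exact"
    if net.subnet_of(lan):
        return "more-specific"
    if net.supernet_of(lan):
        return "supernet"
    return None


def audit_exports(prefixes, lan=PEERING_LAN, allow_default=True):
    """Return (prefix, relation) for every export that leaks the peering LAN.

    Assumption: a default route covers everything and is judged by a
    separate policy, so it is skipped unless allow_default is False.
    """
    findings = []
    for prefix in prefixes:
        net = ipaddress.ip_network(prefix, strict=False)
        if allow_default and net.prefixlen == 0:
            continue
        relation = classify(prefix, lan)
        if relation:
            findings.append((str(net), relation))
    return findings


# Constructed sample of routes a router would export to a customer session.
SAMPLE_EXPORTS = [
    "0.0.0.0/0",        # default route (skipped by assumption)
    "192.0.2.0/24",     # unrelated documentation prefix
    "80.249.208.0/21",  # the peering LAN itself
    "80.249.210.0/24",  # more specific inside the LAN
    "80.249.192.0/19",  # aggregate that covers the LAN
    "80.249.216.0/21",  # adjacent block, does not overlap
    "2001:db8::/32",    # IPv6, different address family
]

if __name__ == "__main__":
    for prefix, relation in audit_exports(SAMPLE_EXPORTS):
        print(f"LEAK {prefix} ({relation} of {PEERING_LAN})")
```

Feed it the prefixes from your own export policy or a looking-glass dump of what a customer session receives; any finding is a route that should be filtered on export.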