Advisory - tunneling of IP at exchange points.

Jeff Swinton jswinton at
Tue Nov 25 17:09:07 UTC 1997

As I said, this solution isn't for everyone.  Some people do set next-hop-self
somewhere within their network; I would bet the majority do.
If this is the case for you, you can at least prevent people you don't peer
with from doing it.  Blackhole the NAP LANs, and add valid statics for the
people you peer with.

Jeff Swinton

At 05:03 PM 11/25/97 +0000, Lyndon Levesley wrote:
>>>>>> On Tue, 25 Nov 1997 at around 11:44:17,
>>>>>> "JS" == Jeff Swinton penned:
> JS> Maybe I'm missing something, but couldn't you block this with routing
> JS> as well?  The attack seems to be based on the fact that your NAP routers have
> JS> routes to other NAP LANs.
> JS> Let's say you connect to just MAE-E and MAE-W.  At MAE-E, add a route
> JS> for the MAE-W network to null0.  Do the opposite at MAE-W.  While this may not
> JS> work for everyone, it should work for the majority.  It may also be more
> JS> pleasant than adding filters to a high speed interface.
>No - this would involve much more work than that.
>Take the case of
>(ME peers)---[ME router]======[MW router]------(MW peers)
>all sitting inside the same AS. (put as many routers as you like in 
>between them or in other parts of your network - it still holds)
> The next hop that "MW router" sees for a ME peer's route would be 
>the address of that peer *on the ME LAN*.
> In general, any router that speaks iBGP needs to know a route to 
>every exit point of every other iBGP router. You /could/ do this 
>differently I suppose but it would be a ridiculous amount of work and 
>it would make debugging problems somewhat harder.
> JS> Jeff Swinton
>Lyndon Levesley
>GX Networks
>Penis Envy is a total Phallusy.
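The two positions in this exchange can be checked with a small model of the MW router's forwarding table. This is an added example, not code from the thread or from either poster; the NAP LAN prefixes, loopback and peer addresses are constructed (RFC 5737 documentation space), and the egress labels are placeholders. It shows that a null0 route for the other exchange LAN drops transit aimed at arbitrary addresses there, while an iBGP route whose next hop is a peer's address on that LAN stays usable only with next-hop-self or a more-specific static for that peer, which is exactly the caveat Lyndon raises and the fix Jeff proposes.

```python
import ipaddress

# Constructed addresses (RFC 5737 documentation space, not the real NAP LANs).
MAE_E_LAN = ipaddress.ip_network("192.0.2.0/24")        # "ME" exchange LAN
MAE_W_LAN = ipaddress.ip_network("198.51.100.0/24")     # "MW" exchange LAN
ME_ROUTER_LOOPBACK = ipaddress.ip_address("10.0.0.1")   # our own router at ME
PEER_ON_ME_LAN = ipaddress.ip_address("192.0.2.7")      # someone we peer with at ME
STRANGER_ON_ME_LAN = ipaddress.ip_address("192.0.2.9")  # someone we do not peer with

def build_mw_fib(peer_statics):
    """FIB of the MW router after 'blackhole the other NAP LAN'.
    With peer_statics=True the /32 statics for real peers are added as well."""
    fib = [
        (MAE_E_LAN, "null0"),                                         # blackhole ME LAN
        (ipaddress.ip_network(f"{ME_ROUTER_LOOPBACK}/32"), "to-ME"),  # our own ME router
        (MAE_W_LAN, "fddi0"),                                         # local exchange LAN
    ]
    if peer_statics:
        fib.append((ipaddress.ip_network(f"{PEER_ON_ME_LAN}/32"), "to-ME"))
    return fib

def lookup(fib, dst):
    """Longest-prefix match; returns the egress label, or None if no route."""
    dst = ipaddress.ip_address(dst)
    matches = [(prefix, egress) for prefix, egress in fib if dst in prefix]
    if not matches:
        return None
    return max(matches, key=lambda pe: pe[0].prefixlen)[1]

def ibgp_route_usable(fib, next_hop_self):
    """The MW router holds a route learned via iBGP from the ME router for a
    prefix originated by PEER_ON_ME_LAN. Its BGP next hop is the ME router's
    loopback if next-hop-self is set, otherwise (the default) the peer's
    address on the ME LAN. The route is usable only if that next hop
    recursively resolves to something other than null0."""
    next_hop = ME_ROUTER_LOOPBACK if next_hop_self else PEER_ON_ME_LAN
    return lookup(fib, next_hop) not in (None, "null0")

def transit_to_other_nap_dropped(fib):
    """A packet arriving from an MW peer addressed to an arbitrary host on the
    ME LAN (the cross-exchange forwarding the advisory is about) must hit null0."""
    return lookup(fib, STRANGER_ON_ME_LAN) == "null0"

if __name__ == "__main__":
    for statics in (False, True):
        fib = build_mw_fib(statics)
        print(f"peer statics={statics}: transit dropped={transit_to_other_nap_dropped(fib)}, "
              f"route ok w/ next-hop-self={ibgp_route_usable(fib, True)}, "
              f"route ok w/o next-hop-self={ibgp_route_usable(fib, False)}")
```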
