Advisory - tunneling of IP at exchange points.

Lyndon Levesley lol at
Tue Nov 25 17:03:01 UTC 1997

>>>>> On Tue, 25 Nov 1997 at around 11:44:17,
>>>>> "JS" == Jeff Swinton penned:

 JS> Maybe I'm missing something, but couldn't you block this with routing
 JS> as well?  The attack seems to be based on the fact that your NAP routers have
 JS> routes to other NAP LANs.

 JS> Let's say you connect to just MAE-E and MAE-W.  At MAE-E, add a route
 JS> for the MAE-W network to null0.  Do the opposite at MAE-W.  While this may
 JS> not work for everyone, it should work for the majority.  It may also be more
 JS> pleasant than adding filters to a high speed interface.

No - this would involve much more work than that.

Take the case of

(ME peers)---[ME router]======[MW router]------(MW peers)

all sitting inside the same AS. (put as many routers as you like in 
between them or in other parts of your network - it still holds)

 The next hop that "MW router" sees for a ME peer's route would be 
the address of that peer *on the ME LAN*.

 In general, any router that speaks iBGP needs to know a route to 
every exit point of every other iBGP router. You /could/ do this 
differently, I suppose, but it would be a ridiculous amount of work and 
it would make debugging problems somewhat harder.

 JS> Jeff Swinton


Lyndon Levesley
GX Networks
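To make the next-hop argument in the reply concrete, here is an added Python model (not from the thread or from any router vendor) of how the ME router resolves a route learned over iBGP from the MW router, first with a normal RIB and then with the MW exchange LAN pointed at null0 as proposed. Addresses are constructed from RFC 5737 / RFC 1918 space and the interface names are assumed.

```python
import ipaddress
# Constructed addresses (RFC 5737 / RFC 1918 space), not the real MAE LANs.
ME_LAN = ipaddress.ip_network("192.0.2.0/24")      # exchange LAN the ME router sits on
MW_LAN = ipaddress.ip_network("198.51.100.0/24")   # exchange LAN the MW router sits on
BACKBONE = ipaddress.ip_network("10.0.0.0/30")     # ME<->MW backbone link
MW_ROUTER = ipaddress.ip_address("10.0.0.2")       # MW router's end of that link

# RIB: {prefix: (next_hop or None, egress interface)}; None = connected/discard.
def normal_rib():
    return {ME_LAN: (None, "eth0"), BACKBONE: (None, "pos1"), MW_LAN: (MW_ROUTER, "pos1")}

def null_routed_rib():
    # Jeff's proposal applied on the ME router: the MW LAN pointed at null0.
    rib = normal_rib()
    rib[MW_LAN] = (None, "null0")
    return rib

def lookup(rib, addr):
    """Longest-prefix match; returns (next_hop, iface) or None."""
    best = None
    for prefix, entry in rib.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, entry)
    return best[1] if best else None

def resolve_next_hop(rib, next_hop, max_depth=8):
    """Recursive lookup of a BGP next hop; returns the egress interface or None."""
    hop = ipaddress.ip_address(next_hop)
    for _ in range(max_depth):
        entry = lookup(rib, hop)
        if entry is None:
            return None
        nh, iface = entry
        if nh is None:
            return iface
        hop = nh
    return None

# Route the ME router learns over iBGP from the MW router. iBGP carries the eBGP
# next hop unchanged, so it is the MW peer's address *on the MW LAN*, as in the diagram.
IBGP_ROUTES = {ipaddress.ip_network("203.0.113.0/24"): "198.51.100.7"}
def forwarding_outcome(rib, dest, bgp_routes=IBGP_ROUTES):
    # What the ME router does with a packet to `dest` once the next hop is resolved.
    dest = ipaddress.ip_address(dest)
    for prefix, nh in bgp_routes.items():
        if dest in prefix:
            iface = resolve_next_hop(rib, nh)
            return "blackholed" if iface in (None, "null0") else f"forwarded via {iface}"
    return "no route"
```

With the normal RIB the MW-learned prefix resolves across the backbone; with the MW LAN null-routed, every prefix whose next hop lives on that LAN is discarded at the ME router, which is the operational cost the reply describes.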

