Advisory - tunneling of IP at exchange points.
lol at gxn.net
Tue Nov 25 17:03:01 UTC 1997
>>>>> On Tue, 25 Nov 1997 at around 11:44:17,
>>>>> "JS" == Jeff Swinton penned:
JS> Maybe I'm missing something, but couldn't you block this with routing
JS> as well? The attack seems to be based on the fact that your NAP routers have
JS> routes to other NAP LANs.
JS> Let's say you connect to just MAE-E and MAE-W. At MAE-E, add a route
JS> for the MAE-W network to null0. Do the opposite at MAE-W. While this may
JS> work for everyone, is should work for the majority. It may also be more
JS> pleasant then adding filters to a high speed interface.
No - this would involve much more work than that.
Take the case of
(ME peers)---[ME router]======[MW router]------(MW peers)
all sitting inside the same AS. (put as many routers as you like in
between them or in other parts of your network - it still holds)
The next hop that "MW router" sees for a ME peer's route would be
the address of that peer *on the ME LAN*.
In general, any router that speaks iBGP needs to know a route to
every exit point of every other iBGP router. You /could/ do this
differently I suppose but it would be a ridiculous amount of work and
it would make debugging problems somewhat harder.
JS> Jeff Swinton
Penis Envy is a total Phallusy.
More information about the NANOG