IX port security

Andy Davidson andy at nosignal.org
Sun Feb 24 15:58:07 UTC 2008
On 23 Feb 2008, at 11:19, Greg VILLAIN wrote:

> Thinking back about this thread we've had lately around IXes, I have  
> some extra questions.
> It is, I assume, the IX's responsibility to protect members from  
> harming each other through the peering LAN.

That depends what you mean by protect.  Any IX participant must  
remember that they're sharing an infrastructure with (by and large)  
competitors, and that there are particular miscreant activities that  
you as an IX participant must guard against, which your IX operators  
can't completely protect you from (I'm thinking pointing default, or  
attacks on port-facing router interfaces.)

All of your suggestions are very sane, with this comment

> - re 3/ should a certain number of allowed mac-addresses be  
> configured to the port (1 or 2) ? or should the customer's port mac  
> be explicitly configured on the port ?

This is largely down to local policy - one mac one port is sane, but  
depending on how your exchange has evolved and the services it offers,  
I can see the case for permitting different macs on different vlans  
too.  Port security violations are normally caused by participants  
plugging IXes into a switch which ends up running some kind of chatty  
protocol, and by participants changing l3 interfaces connected to the  
exchange without informing IX support, rather than loops - but loops  
do happen, so define a policy and apply it strictly.

> - more importantly, is there any other standard precaution that I'm  
> missing and that should be considered ?

Euro-IX are working on a bcp of exchange recommendations, including  
this point.  Perhaps we should have a conversation offlist about these  
topics, and perhaps I can introduce you to the euro-ix members working  
on the document.

Best wishes
Andy Davidson, www.lonap.net
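
A defender-side check that applies the policy sketched in the reply, added here as an example and not part of the original post or of any exchange's own tooling: it compares a switch's learned MAC table against the MACs registered per member port (and per VLAN, where the exchange permits that) and flags the cases named above, namely a participant who changed the router interface without telling IX support, a port leaking a chatty protocol (more MACs than policy allows) and a loop (one MAC learned on several ports). Port names, VLAN numbers and MAC addresses are constructed sample data.

```python
from collections import defaultdict

MAX_MACS_PER_PORT = 1  # policy: one MAC per member port per VLAN

# Constructed: MACs the IX recorded per (port, vlan) when members were provisioned.
REGISTERED = {
    ("Gi1/1", 10): {"00:11:22:33:44:01"},
    ("Gi1/2", 10): {"00:11:22:33:44:02"},
    ("Gi1/3", 10): {"00:11:22:33:44:03"},
    ("Gi1/3", 20): {"00:11:22:33:44:13"},  # distinct MAC on a second VLAN, permitted
    ("Gi1/5", 10): {"00:aa:bb:cc:dd:01"},
}

# Constructed: rows as a switch would learn them, (mac, vlan, port).
MAC_TABLE = [
    ("00:11:22:33:44:01", 10, "Gi1/1"),  # as registered
    ("00:11:22:33:44:99", 10, "Gi1/2"),  # router swapped, IX support not told
    ("00:11:22:33:44:03", 10, "Gi1/3"),
    ("00:11:22:33:44:13", 20, "Gi1/3"),
    ("00:11:22:33:44:01", 10, "Gi1/4"),  # Gi1/1's MAC also learned on Gi1/4
    ("00:aa:bb:cc:dd:01", 10, "Gi1/5"),
    ("00:aa:bb:cc:dd:02", 10, "Gi1/5"),  # second MAC: a switch behind the port
]

def audit(registered, mac_table, max_macs=MAX_MACS_PER_PORT):
    """Return sorted (port, kind, detail) findings for a learned MAC table."""
    findings = set()
    learned = defaultdict(set)        # (port, vlan) -> MACs learned there
    ports_for_mac = defaultdict(set)  # mac -> ports it was learned on
    for mac, vlan, port in mac_table:
        mac = mac.lower()
        learned[(port, vlan)].add(mac)
        ports_for_mac[mac].add(port)
        if mac not in registered.get((port, vlan), set()):
            findings.add((port, "unregistered-mac", f"{mac} on vlan {vlan}"))
    for (port, vlan), macs in learned.items():
        if len(macs) > max_macs:  # chatty protocol or unmanaged switch behind the port
            findings.add((port, "too-many-macs", f"{len(macs)} MACs on vlan {vlan}"))
    for mac, ports in ports_for_mac.items():
        if len(ports) > 1:  # same station learned on several ports: likely a loop
            findings.add((min(ports), "possible-loop", f"{mac} seen on {sorted(ports)}"))
    return sorted(findings)

if __name__ == "__main__":
    for port, kind, detail in audit(REGISTERED, MAC_TABLE):
        print(f"{port:8} {kind:17} {detail}")
```

Run against a real table, the registered map would come from the exchange's member database and the rows from the switch's MAC address table export; the checks themselves do not change.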