best practice for advertising peering fabric routes

Leo Bicknell bicknell at ufp.org
Wed Jan 15 04:03:07 UTC 2014


On Jan 14, 2014, at 9:35 PM, Patrick W. Gilmore <patrick at ianai.net> wrote:

> So Just Don't Do It. Setting next-hop-self is not just for "big guys", the crappiest, tiniest router that can do peering at an IXP has the same ability. Use it. Stop putting me and every one of your peers in danger because you are lazy.

I'm going to have to disagree here with Patrick, because this is security through obscurity, and that doesn't work well.

For some history about why people like Patrick take the position he did, read: http://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet

Exchange points got attacked, so people yanked them from the routing table hoping to prevent attacks.  If you're on this list it should take you all of about 3 seconds to realize the attackers could do a traceroute, and attack the IP one hop on the far side of the exchange for a few dozen providers and still cause all sorts of havoc, or do any of another half dozen things I won't mention to cause problems.  The effect would be nearly, if not perfectly identical, since that traffic still has to cross the exchange.

I'll point out the MTU step-down issue is real, and it's part of why we can't have 9K MTU exchanges be the default on the Internet, which would really make things better for a significant number of users.  I think Patrick is a bit quick to dismiss some of the potential issues.

Every link on every router is subject to attack.  Exchange point LANs really aren't special in that regard.  If anything the only thing that makes them slightly special is that they may in fact be more oversubscribed than most links.  Where a backbone might have a router with 20x10GE, so attackers could try and drive 190GE out a 10GE in theory; an exchange point may have 100 people with 20x10GE coming in.  An alternate view is that mega-exchange points are massively oversubscribed potential single points of failure, and perhaps network operators should consider that.  While a DDOS taking an exchange down for half a day is bad, imagine if there was a more sinister attack, taking out the physical infrastructure of an exchange.  That can't be "fixed" with a routing advertisement.

-- 
       Leo Bicknell - bicknell at ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
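An added example, not from this thread or its authors, showing how an operator can audit for the configuration the quoted next-hop-self advice addresses: iBGP-learned routes whose next-hop still points at an IXP peering LAN address mean the border router did not rewrite the next-hop, so the fabric prefix must be carried internally. The IXP LAN prefixes, the table format and the sample rows are all constructed for illustration.

```python
"""Audit an internal router's BGP table for iBGP routes whose next-hop lies in an
IXP peering LAN (a sign that next-hop-self is missing on a border router)."""
import ipaddress
from typing import List, Tuple

# Hypothetical IXP peering LAN prefixes (documentation ranges, constructed).
IXP_LANS = [ipaddress.ip_network("192.0.2.0/24"),
            ipaddress.ip_network("2001:db8:ff::/64")]

# Constructed sample table, one route per line: <prefix> <next-hop> <learned-from>
SAMPLE_TABLE = """\
203.0.113.0/24      192.0.2.10      ibgp:border1
198.51.100.0/24     10.255.0.1      ibgp:border1
203.0.113.0/25      10.255.0.2      ibgp:border2
2001:db8:100::/48   2001:db8:ff::5  ibgp:border2
10.9.0.0/16         10.255.0.3      igp
"""


def parse_table(text: str) -> List[Tuple[str, str, str]]:
    """Split the constructed table into (prefix, next_hop, source) rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        rows.append((parts[0], parts[1], parts[2]))
    return rows


def in_ixp_lan(next_hop: str, lans=IXP_LANS) -> bool:
    """True if next_hop is an address inside any configured IXP LAN."""
    addr = ipaddress.ip_address(next_hop)
    return any(addr.version == lan.version and addr in lan for lan in lans)


def audit_next_hops(rows, lans=IXP_LANS) -> List[Tuple[str, str, str]]:
    """Return iBGP-learned rows whose next-hop sits in an IXP LAN.

    Routes learned via the IGP or with an internal loopback next-hop are fine;
    only ibgp:* rows with a fabric address as next-hop are flagged."""
    return [(p, nh, src) for p, nh, src in rows
            if src.startswith("ibgp:") and in_ixp_lan(nh, lans)]


if __name__ == "__main__":
    for prefix, nh, src in audit_next_hops(parse_table(SAMPLE_TABLE)):
        print(f"{src}: {prefix} via IXP LAN next-hop {nh} (next-hop-self missing?)")
```

On the sample table this flags the two routes from border1 and border2 that still carry fabric addresses as next-hop; the others pass.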
