[14026] in North American Network Operators' Group
Re: Advisory - tunneling of IP at exchange points.
daemon@ATHENA.MIT.EDU (Lyndon Levesley)
Tue Nov 25 12:23:18 1997
To: Jeff Swinton <jswinton@mci.net>
cc: nanog@merit.edu
Reply-to: lol@gxn.net
From: Lyndon Levesley <lol@gxn.net>
In-reply-to: Your message of "Tue, 25 Nov 1997 11:44:17 EST." <3.0.3.32.19971125114417.007de100@mci.net>
Date: Tue, 25 Nov 1997 17:03:01 +0000
>>>>> On Tue, 25 Nov 1997 at around 11:44:17,
>>>>> "JS" == Jeff Swinton penned:
JS> Maybe I'm missing something, but couldn't you block this with routing
JS> as well? The attack seems to be based on the fact that your NAP routers have
JS> routes to other NAP LANs.
JS> Let's say you connect to just MAE-E and MAE-W. At MAE-E, add a route
JS> for the MAE-W network to null0. Do the opposite at MAE-W. While this may
JS> not work for everyone, it should work for the majority. It may also be more
JS> pleasant than adding filters to a high speed interface.
No - this would involve much more work than that.
Take the case of
(ME peers)---[ME router]======[MW router]------(MW peers)
all sitting inside the same AS. (put as many routers as you like in
between them or in other parts of your network - it still holds)
The next hop that "MW router" sees for a ME peer's route would be
the address of that peer *on the ME LAN*.
In general, any router that speaks iBGP needs to know a route to
every exit point of every other iBGP router. You /could/ do this
differently I suppose but it would be a ridiculous amount of work and
it would make debugging problems somewhat harder.
Cheers,
Lyndon Levesley
GX Networks
--
Penis Envy is a total Phallusy.
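An added illustration of the point in Lyndon's reply (this is not code from the thread): a toy recursive next-hop lookup for the ME router in his diagram. The addressing is constructed, and the "next_hop_self" switch stands in for the "do this differently" alternative he alludes to, i.e. the MW router rewriting the iBGP next hop to its own loopback, which the message does not name.

```python
import ipaddress
# Constructed addressing for the diagram in the message (none of these are real NAP addresses):
ME_LAN = "192.0.2.0/24"        # MAE-E exchange LAN, connected to "ME router"
MW_LAN = "198.51.100.0/24"     # MAE-W exchange LAN, connected to "MW router"
MW_PEER = "198.51.100.77"      # an MW peer's address on the MW LAN
MW_ROUTER_LO = "203.0.113.2"   # MW router's loopback, reachable via the IGP
CUSTOMER = "10.10.0.0/16"      # prefix learned from the MW peer, passed to ME router over iBGP

def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False

def longest_match(rib, dst):
    """Return (network, next_hop) of the most specific RIB entry covering dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in rib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def resolve(rib, dst, max_depth=8):
    """Recursive next-hop lookup: follow IP next hops until an interface name is reached (None if unresolvable)."""
    for _ in range(max_depth):
        hit = longest_match(rib, dst)
        if hit is None:
            return None
        nh = hit[1]
        if not _is_ip(nh):
            return nh
        dst = nh
    return None

def me_router_rib(null_mw_lan, next_hop_self):
    """ME router's RIB; null_mw_lan applies Jeff's 'MAE-W network to null0', next_hop_self rewrites the iBGP next hop."""
    return {
        ME_LAN: "fddi0",                                        # connected
        MW_ROUTER_LO + "/32": "serial0",                        # IGP route to MW router
        MW_LAN: "null0" if null_mw_lan else "serial0",          # IGP route to MW LAN, or discarded
        CUSTOMER: MW_ROUTER_LO if next_hop_self else MW_PEER,   # iBGP keeps the peer's LAN address as next hop by default
    }

def me_forwards_customer_traffic_via(null_mw_lan, next_hop_self=False):
    """Which interface ME router uses for a packet to the MW peer's customer prefix."""
    return resolve(me_router_rib(null_mw_lan, next_hop_self), "10.10.1.1")
```

With the null0 route the customer prefix resolves to null0 (a real router either blackholes it or declares the BGP route invalid, depending on implementation); only rewriting the next hop restores forwarding.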