[168181] in North American Network Operators' Group
Re: best practice for advertising peering fabric routes
daemon@ATHENA.MIT.EDU (Leo Bicknell)
Tue Jan 14 23:03:54 2014
From: Leo Bicknell <bicknell@ufp.org>
In-Reply-To: <5365528F-94F6-4782-99E8-E8C85810F4E6@ianai.net>
Date: Tue, 14 Jan 2014 22:03:07 -0600
To: "Patrick W. Gilmore" <patrick@ianai.net>
Cc: NANOG list <nanog@nanog.org>
On Jan 14, 2014, at 9:35 PM, Patrick W. Gilmore <patrick@ianai.net> wrote:

> So Just Don't Do It. Setting next-hop-self is not just for "big guys"; the crappiest, tiniest router that can do peering at an IXP has the same ability. Use it. Stop putting me and every one of your peers in danger because you are lazy.
I'm going to have to disagree here with Patrick, because this is security through obscurity, and that doesn't work well.
For some history about why people like Patrick take the position he did, read: http://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet
Exchange points got attacked, so people yanked them from the routing table hoping to prevent attacks. If you're on this list it should take you all of about 3 seconds to realize the attackers could do a traceroute, and attack the IP one hop on the far side of the exchange for a few dozen providers and still cause all sorts of havoc, or do any of another half dozen things I won't mention to cause problems. The effect would be nearly, if not perfectly, identical, since that traffic still has to cross the exchange.
I'll point out the MTU step-down issue is real, and it's part of why we can't have 9K MTU exchanges be the default on the Internet, which would really make things better for a significant number of users. I think Patrick is a bit quick to dismiss some of the potential issues.
Every link on every router is subject to attack. Exchange point LANs really aren't special in that regard. If anything, the only thing that makes them slightly special is that they may in fact be more oversubscribed than most links. Where a backbone might have a router with 20x10GE, so attackers could in theory try to drive 190GE out a 10GE, an exchange point may have 100 people with 20x10GE coming in.
An alternate view is that mega-exchange points are massively oversubscribed potential single points of failure, and perhaps network operators should consider that. While a DDOS taking an exchange down for half a day is bad, imagine if there was a more sinister attack, taking out the physical infrastructure of an exchange. That can't be "fixed" with a routing advertisement.
-- 
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
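An added configuration example, written for this archive page and not taken from Leo's or Patrick's posts, of what "setting next-hop-self" on an IXP-facing router looks like, in FRR syntax. Everything in it is assumed: our AS 64500, the IXP peering LAN 203.0.113.0/24 (our port at .10, a peer in AS 64510 at .20), our loopback 192.0.2.2, an iBGP core router at 192.0.2.1, and the customer prefix 198.51.100.0/24 we originate.

```text
! FRR bgpd configuration, added example. All ASNs and addresses are assumed
! documentation values; adjust to your own network.
router bgp 64500
 bgp router-id 192.0.2.2
 ! eBGP session across the exchange fabric to one IXP peer
 neighbor 203.0.113.20 remote-as 64510
 neighbor 203.0.113.20 description IXP-peer-AS64510
 ! iBGP session to the core, sourced from the loopback
 neighbor 192.0.2.1 remote-as 64500
 neighbor 192.0.2.1 update-source lo
 !
 address-family ipv4 unicast
  ! Originate only our own prefix.
  network 198.51.100.0/24
  !
  ! Weak setting (shown commented out): carrying the peering LAN into iBGP or
  ! the IGP so that the core can resolve next hops on 203.0.113.0/24.
  ! network 203.0.113.0/24
  ! redistribute connected
  !
  ! Corrected setting: rewrite the next hop of IXP-learned routes to our own
  ! loopback before passing them to the core. The core then never needs a
  ! route to the exchange LAN, so the LAN need not appear in the table at all.
  neighbor 192.0.2.1 next-hop-self
  neighbor 192.0.2.1 prefix-list NO-IXP-LAN out
  !
  ! Toward the peer, announce only what we originate; never our iBGP or
  ! other peers' routes, and never the exchange LAN.
  neighbor 203.0.113.20 prefix-list OUR-PREFIXES out
  neighbor 203.0.113.20 prefix-list NO-IXP-LAN in
 exit-address-family
!
! Belt-and-braces filter: even if someone later adds "redistribute connected",
! the peering LAN is dropped before it reaches the core or any peer.
ip prefix-list NO-IXP-LAN seq 5 deny 203.0.113.0/24 le 32
ip prefix-list NO-IXP-LAN seq 10 permit 0.0.0.0/0 le 24
!
ip prefix-list OUR-PREFIXES seq 5 permit 198.51.100.0/24
ip prefix-list OUR-PREFIXES seq 10 deny 0.0.0.0/0 le 32
```

After applying this, `show ip bgp neighbors 192.0.2.1 advertised-routes` on the edge should list IXP-learned prefixes with next hop 192.0.2.2 rather than a 203.0.113.x address, and the core's table should contain no 203.0.113.0/24 route. Whether hiding the LAN actually buys anything against an attacker who simply traceroutes to the next hop is exactly the question Leo raises above; the configuration only removes the reason to carry the prefix, it does not make the fabric itself less reachable.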