[168183] in North American Network Operators' Group
Re: best practice for advertising peering fabric routes
daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Wed Jan 15 01:03:16 2014
From: "Dobbins, Roland" <rdobbins@arbor.net>
To: NANOG list <nanog@nanog.org>
Date: Wed, 15 Jan 2014 06:02:41 +0000
In-Reply-To: <BF7738B6-3094-4F05-8959-8102753CB518@ianai.net>
On Jan 15, 2014, at 11:41 AM, Patrick W. Gilmore <patrick@ianai.net> wrote:

> I repeat: NEVER EVER EVER put an IX prefix into BGP, IGP, or even static route. An IXP LAN should not be reachable from any device except those directly attached to that LAN. Period.

+1

Again, folks, this isn't theoretical. When the particular attacks cited in this thread were taking place, I was astonished that the IXP infrastructure routes were even being advertised outside of the IXP network, because of these very issues.

IXPs are not the problem when it comes to breaking PMTU-D. The problem is largely with enterprise networks, and with 'security' vendors who've propagated the myth that simply blocking all ICMP somehow increases 'security'.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
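
The rule stated in this message can be checked mechanically against a router's route table. The following is an added example, not part of the original e-mail or of any tool its authors describe; the function name, the protocol labels, and the sample prefixes (documentation ranges standing in for a real IXP LAN) are assumptions.

```python
import ipaddress

# Assumption: protocol labels meaning "this router is attached to the LAN itself".
ALLOWED_PROTOCOLS = {"connected", "local"}

# Constructed sample data: documentation prefixes stand in for IXP peering LANs.
IXP_LANS = ["192.0.2.0/24", "2001:db8:1::/64"]

# Constructed route-table export as (prefix, protocol) pairs.
SAMPLE_RIB = [
    ("192.0.2.0/24", "connected"),   # directly attached: expected
    ("192.0.2.0/24", "bgp"),         # IXP LAN carried in BGP: violation
    ("192.0.2.128/25", "static"),    # more-specific of the LAN via static: violation
    ("198.51.100.0/24", "bgp"),      # unrelated prefix
    ("2001:db8:1::/64", "ospf"),     # IXP LAN carried in an IGP: violation
    ("0.0.0.0/0", "static"),         # default route: covers the LAN but is not an IX prefix
]


def find_ixp_leaks(rib, ixp_lans):
    """Return (prefix, protocol, ixp_lan) for each route that places an IXP LAN,
    or a more-specific of it, into BGP, an IGP or a static route.

    Covering aggregates and default routes are not flagged here.
    """
    lans = [ipaddress.ip_network(lan) for lan in ixp_lans]
    leaks = []
    for prefix, protocol in rib:
        if protocol.lower() in ALLOWED_PROTOCOLS:
            continue
        net = ipaddress.ip_network(prefix, strict=False)
        for lan in lans:
            # subnet_of() raises TypeError across address families, so compare versions first.
            if net.version == lan.version and net.subnet_of(lan):
                leaks.append((str(net), protocol, str(lan)))
                break
    return leaks


if __name__ == "__main__":
    for prefix, protocol, lan in find_ixp_leaks(SAMPLE_RIB, IXP_LANS):
        print(f"{prefix} learned via {protocol} falls inside IXP LAN {lan}")
```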