[183225] in North American Network Operators' Group


Re: [c-nsp] Peering + Transit Circuits

daemon@ATHENA.MIT.EDU (Nick Hilliard)
Wed Aug 19 04:59:40 2015

X-Original-To: nanog@nanog.org
X-Envelope-To: nanog@nanog.org
To: William Herrin <bill@herrin.us>
From: Nick Hilliard <nick@foobar.org>
Date: Wed, 19 Aug 2015 09:59:13 +0100
In-Reply-To: <CAP-guGU54m5e_bb2UgKnbgiJk314V3VfNkD44vF3L5g_LTJMgg@mail.gmail.com>
Cc: NANOG list <nanog@nanog.org>,
 "cisco-nsp@puck.nether.net" <cisco-nsp@puck.nether.net>
Errors-To: nanog-bounces@nanog.org

On 18/08/2015 22:10, William Herrin wrote:
> This technique described isn't URPF, it's simple destination routing.
> The routes I offer you via BGP are the only routes in my table, hence
> the only routes I'm capable of routing. If you send me a packet for a
> _destination_ I didn't offer to you, I can't route it.

Yep, I hit send too soon.  The point I intended to make was that IXP
peering in a VRF will only protect you from transit theft, not clandestine
peering.  If you want to stop third party organisations at an IXP from
getting peering by installing static routes, then L2 filters are what you need.

Nick


