[45684] in North American Network Operators' Group
RE: Ethernet EP - MAC Address Filtering
daemon@ATHENA.MIT.EDU (David Luyer)
Tue Feb 12 05:57:04 2002
From: "David Luyer" <david@luyer.net>
To: "'Lane Patterson'" <lane@laneandmimi.com>,
"'David McGaugh'" <david_mcgaugh@eli.net>
Cc: <nanog@merit.edu>
Date: Tue, 12 Feb 2002 22:01:57 +1100
Message-ID: <000801c1b3b4$b09ed910$46943ecb@pacific.net.au>
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <20020212021248.C11239F3F2@okeeffe.bestweb.net>
Errors-To: owner-nanog-outgoing@merit.edu
> My impression of "best practices" would be to:
>
> 1. implement mac-filter or mac-counters to prevent
> any illegally statically routed non-peer traffic.
See my response to David McGaugh's e-mail - ICMP redirects could
present some serious pain here. I've seen them present pain at
peering points where for some reason during a routing glitch an
incorrect ICMP redirect is sent and cached by a router or host
(in Australia we have news servers at some peering exchanges,
run by the peering exchange), and the router or host caching
the redirect then continues to route traffic via a router with
an access list dropping said traffic.
You could see the same if you were doing MAC-layer filtering
and seeing traffic pointed directly at you due to a non-peer
accepting an ICMP redirect from a peer.
> 2. implement traceroute scripts to check that peers are
> not defaulting any partial transit thru you.
Sounds like an application for a MPLS virtual network without
any default or upstream routes for peer traffic, or separate
routers at peering exchanges which don't have default routes
or routes from peers at other peering exchanges. Rather than
checking peers aren't abusing you, make sure they can't.
David.
--
David Luyer Phone: +61 3 9674 7525
Network Development Manager P A C I F I C Fax: +61 3 9699 8693
Pacific Internet (Australia) I N T E R N E T Mobile: +61 4 1111 BYTE
http://www.pacific.net.au/ NASDAQ: PCNTF
