[69971] in North American Network Operators' Group
Alternate and/or hidden infrastructure addresses (BGP/TCP RST/SYN vulnerability)
daemon@ATHENA.MIT.EDU (Lane Patterson)
Thu Apr 22 18:48:52 2004
Date: Thu, 22 Apr 2004 15:36:07 -0700
From: "Lane Patterson" <lpatterson@equinix.com>
To: <nanog@merit.edu>
Errors-To: owner-nanog-outgoing@merit.edu
Although someone mentioned using non-routable /30 or /31's on private eBGP peers, there hasn't been much broad-ranging discussion of keeping internal infrastructure addresses non-routable. I am thinking of a couple different things here:

1. Backbone addresses: ISPs that hide interface addresses and/or primary loopback addresses, and best practices for doing so? (e.g. traceroutes don't break, but the router uses say Loopback1 address to respond to them, while iBGP uses Loopback0. All Loopback0 address blocks can be filtered at borders.)

2. Public IX addresses: ISPs that do not redistribute the IX prefix into their iBGP or IGP and do not use external next-hops (except local to the connected border router), but instead use the loopback of the border router when propagating these routes within their iBGP mesh. This should not break traceroutes "through" the exchange, but will break any traffic such as ping, spoofed packets, etc. to the exchange from a non-connected router.

Can anyone provide pro/con, better description of config templates for doing this, and/or discussion of major networks that choose to do this, or not do this?
Cheers,
-Lane
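A Cisco IOS style config template for the second approach (IX LAN kept out of the IGP and iBGP, next-hop-self toward the iBGP mesh) combined with the border filtering of the Loopback0 block from the first, added here as an illustration and not part of Lane's post or any network's actual template. The AS numbers, the 192.0.2.0/24 Loopback0 block, the 198.51.100.0/24 IX LAN, the 203.0.113.0/24 customer aggregate and the peer/neighbor addresses are constructed placeholder values.

```text
! Border router facing a public IX (IOS style; constructed values:
! AS 64500, Loopback0 block 192.0.2.0/24, IX LAN 198.51.100.0/24,
! customer aggregate 203.0.113.0/24, IX peer 198.51.100.20 in AS 64501)
interface Loopback0
 description iBGP peering address; this block is never announced externally
 ip address 192.0.2.1 255.255.255.255
!
interface GigabitEthernet0/0
 description IX peering LAN; deliberately kept out of the IGP and iBGP
 ip address 198.51.100.10 255.255.255.0
 ip access-group INFRA-PROTECT in
!
router ospf 1
 ! only Loopback0 (and core links) enter the IGP: no network statement
 ! and no "redistribute connected" covering the IX LAN
 network 192.0.2.1 0.0.0.0 area 0
!
router bgp 64500
 ! eBGP to the IX peer, sourced from the IX LAN address
 neighbor 198.51.100.20 remote-as 64501
 neighbor 198.51.100.20 prefix-list OUT-TO-IX out
 ! iBGP to a core router over Loopback0; next-hop-self rewrites the IX
 ! next-hop to 192.0.2.1, so core routers never need a route to the IX LAN
 neighbor 192.0.2.2 remote-as 64500
 neighbor 192.0.2.2 update-source Loopback0
 neighbor 192.0.2.2 next-hop-self
!
ip prefix-list OUT-TO-IX seq 5 permit 203.0.113.0/24
!
ip access-list extended INFRA-PROTECT
 remark drop packets claiming to come from our own infrastructure block
 deny   ip 192.0.2.0 0.0.0.255 any
 remark IX members may still reach this router's own IX address (BGP, ping)
 permit ip 198.51.100.0 0.0.0.255 host 198.51.100.10
 remark nothing from outside reaches the Loopback0 block or transits the IX LAN
 deny   ip any 192.0.2.0 0.0.0.255
 deny   ip any 198.51.100.0 0.0.0.255
 permit ip any any
```

The same three pieces (loopback-sourced iBGP with next-hop-self, no IGP entry or redistribution for the IX LAN, and an ingress filter on the border interface) carry over to other vendors' syntax; the Loopback1 traceroute-response trick from item 1 is platform-specific and is not shown here.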