North American Network Operators Group

Re: Advisory - tunneling of IP at exchange points.
As I said, this solution isn't for everyone. Some people do set next-hop-self somewhere within their network, I would bet the majority. If this is the case for you, you can at least prevent people you don't peer with from doing it. Blackhole the NAP LANs, and add valid statics for the people you peer with.

Jeff Swinton

At 05:03 PM 11/25/97 +0000, Lyndon Levesley wrote:
>
>>>>>> On Tue, 25 Nov 1997 at around 11:44:17,
>>>>>> "JS" == Jeff Swinton penned:
>
> JS> Maybe I'm missing something, but couldn't you block this with routing
> JS> as well? The attack seems to be based on the fact that your NAP routers have
> JS> routes to other NAP LANs.
>
> JS> Let's say you connect to just MAE-E and MAE-W. At MAE-E, add a route
> JS> for the MAE-W network to null0. Do the opposite at MAE-W. While this may
> JS> not work for everyone, it should work for the majority. It may also be more
> JS> pleasant than adding filters to a high speed interface.
>
>No - this would involve much more work than that.
>
>Take the case of
>
>(ME peers)---[ME router]======[MW router]------(MW peers)
>
>all sitting inside the same AS. (put as many routers as you like in
>between them or in other parts of your network - it still holds)
>
> The next hop that "MW router" sees for a ME peer's route would be
>the address of that peer *on the ME LAN*.
>
> In general, any router that speaks iBGP needs to know a route to
>every exit point of every other iBGP router. You /could/ do this
>differently I suppose but it would be a ridiculous amount of work and
>it would make debugging problems somewhat harder.
>
> JS> Jeff Swinton
>
>Cheers,
>
>Lyndon Levesley
>GX Networks
>
>--
>Penis Envy is a total Phallusy.
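Jeff's suggestion above, worked through as an added example that is not part of the thread: the MAE-E router's static table with a Null0 route covering the whole MAE-W LAN and /32 statics only for the peers actually configured there, so that longest-prefix match keeps the iBGP next hops of real peers resolvable while packets to any other MAE-W LAN address are discarded. All addresses (documentation-space LAN, backbone and upstream next hops) are constructed placeholders, not the real exchange prefixes.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses from RFC 5737 documentation space, not the real exchange LANs.
MAE_W_LAN = ip_network("192.0.2.0/24")       # the remote NAP LAN that MAE-E must not forward into
MW_PEERS = ["192.0.2.10", "192.0.2.20"]      # peers we actually hold BGP sessions with at MAE-W
BACKBONE_TO_MW = "10.0.0.2"                  # assumed: our own MW router, reached over the backbone
UPSTREAM = "10.0.0.1"                        # assumed: default next hop for everything else


def build_rib():
    """Static routes on the MAE-E router: blackhole the whole MAE-W LAN,
    then add /32 statics only for the peers we really talk to there."""
    rib = {ip_network("0.0.0.0/0"): UPSTREAM}
    rib[MAE_W_LAN] = None                    # None stands for Null0: discard
    for peer in MW_PEERS:
        rib[ip_network(peer + "/32")] = BACKBONE_TO_MW
    return rib


def lookup(rib, dst):
    """Longest-prefix match. Returns the next hop, or None when the packet is discarded."""
    dst = ip_address(dst)
    best = max((net for net in rib if dst in net), key=lambda n: n.prefixlen)
    return rib[best]


def ibgp_route_usable(rib, bgp_next_hop):
    """An iBGP-learned route whose NEXT_HOP is a peer's MAE-W LAN address stays usable
    only because the /32 static wins over the Null0 /24 for that one address."""
    return lookup(rib, bgp_next_hop) is not None


if __name__ == "__main__":
    rib = build_rib()
    for dst in ["192.0.2.10", "192.0.2.99", "203.0.113.5"]:
        print(dst, "->", lookup(rib, dst) or "Null0 (dropped)")
```

A non-peer address on the MAE-W LAN (192.0.2.99 here) falls through to the Null0 /24 and is dropped, which is the case the advisory is about, while the peer addresses still resolve over the backbone.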