|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: de-peering and peering
On Wed, Apr 03, 2002 at 01:09:52AM +0530, Shashi Kumar wrote: > > Basically what I am trying to arrive at is: Suppose the peering > arrangement between A and B were to be for data originating from A and B > only(and not transited). Thats basically how peering agreements work. > Can A or B misuse the peering agreement by masquerading transit data as > if its originating from its own n/w? You can abuse a peer to make it carry traffic it normally wouldn't by doing things like: - Pointing default, or setting a default route to your peer. This implies that you are using the link in a transit capacity, but really any route that isn't being advertised to you qualifies. At older L2 exchange points with everyone in a single peering vlan, you can people people dump traffic on you without ever being a peer. - Resetting nexthop, or changing the nexthop on other existing routes, such as through a route-map. This accomplishes the same thing as above, but may be a little more stealthy, using routes that you know may not attract much attention, such as other peers of your peer. - Selling or giving next-hop to a third-party. This is basically just the act of selling your peering routes to someone else. It may or may not be that bad, but most people have rules against it anyways. If this is a peer with joe schmuck ISP down the street, there may not be any formal legal agreement preventing these activities, and the worst that would happen is they disconnect you and maybe spread the word about your activities to other people you might want to peer with. If this is a larger peer, they probably made you sign a peering agreement with specific legal language, and are probably also more then willing to take you to court for the services "stolen". I even recall Paul Vixie saying that if you were caught defaulting into a peer at a PAIX facility, they would seize your equipment and you would have to sue them to get it back (though you would probably win, and if you happened to have a recording of that NANOG you might even be able to prove that it was premeditated and/or malicious activity). I'm not a terribly big fan of people waving their lawyers around trying to scare others into believing they can do illegal things (like Exodus and the unilateral "by reading this email, you consent to our NDA" tagline nonsense), but lawyers do cost money and big providers probably have more of them then you do. That doesn't mean people don't abuse peers though. I don't know anyone offhand who does, but I do know quite a few large ISPs that either until very recently did nothing or continue to do nothing to prevent people from abusing them. But all it takes is one bored engineer or one traceroute from the wrong person, and you're busted. > What are the mechanisms in place in B's network to detect that Network A > is transiting the data( in this case network B looser) from Network X? Well for the kind of abuse we're talking about here (networks dumping traffic which doesn't belong into your peer), you can pretty much discourage them by not routing it. Some techniques that are used are: - For non-peers dumping traffic at shared-vlan peering points, MAC filters. - If you are big enough to have routers dedicated to just peering, don't carry anything other than customer routes on that router, and set a default route to null0. One peer can still route into another peer on that router, but it severely limits the scope of traffic they can dump into you. - If you are lucky smart to have Juniper routers, setup a seperate routing-instance for each peer, with a discard route as default. Cisco has this functionality too (VRF) but it is considered VPN and usually isn't available on the trains of code you want to be running on your routers. - If you have a Crisco, check out the BGP Policy Accounting feature. This will let you check counters and see if someone is dumping traffic they shouldn't be. Follow up with the clue bat. I don't really know of any good way to prevent another network from selling your nexthops. You can do something like RPF check your peers, but then you can run into asymetric routing issues. But just like anyone who is involved in selling "stolen" merchandise, they usually get busted when they piss off someone who knows about their activities and they get ratted out. -- Richard A Steenbergen <[email protected]> http://www.e-gerbil.net/ras PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
|