|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Alternate and/or hidden infrastructure addresses (BGP/TCP RST/SYN vulnerability)
Although someone mentioned using non-routable /30 or /31's on private eBGP peers, there hasn't been much broad-ranging discussion of keeping internal infrastructure addresses non-routable. I am thinking of a couple different things here: 1. Backbone addresses: ISPs that hide interface addresses and/or primary loopback addresses, and best practices for doing so? (e.g. traceroutes don't break, but the router uses say Loopback1 address to respond to them, while iBGP uses Loopback0. All Loopback0 address blocks can be filtered at borders.) 2. Public IX addresses: ISPs that do not redistribute the IX prefix into their iBGP or IGP and do not use external next-hops (except local to the connected border router), but instead use the loopback of the border router when propogating these routes within their iBGP mesh. This should not break traceroutes "through" the exchange, but will break any traffic such as ping, spoofed packets, etc. to the exchange from a non-connected router. Can anyone provide pro/con, better description of config templates for doing this, and/or discussion of major networks that choose to do this, or not do this? Cheers, -Lane
|