North American Network Operators Group
Re: IX port security
- From: Patrick W. Gilmore
- Date: Sun Feb 24 20:20:55 2008
On Feb 24, 2008, at 6:12 PM, Greg VILLAIN wrote:
> On Feb 24, 2008, at 4:58 PM, Andy Davidson wrote:
> > On 23 Feb 2008, at 11:19, Greg VILLAIN wrote:
> > > Thinking back about this thread we've had lately around IXes, I
> > > have some extra questions.
> > > It is I assume the IX's responsibility to protect members from
> > > harming each other through the peering LAN.
> >
> > That depends what you mean by protect. Any IX participant must
> > remember that they're sharing an infrastructure with (by and large)
> > competitors, and that there are particular miscreant activities
> > that you as an IX participant must guard against, which your IX
> > operators can't completely protect you from (I'm thinking pointing
> > default, or attacks on port-facing router interfaces.)
>
> I've been thinking a lot about pointing defaults, I admit I think of
> any solution to avoid that...
> Anyone any idea? (I was initially thinking making a route server
> mandatory would solve that, but it actually doesn't...)

There are many. At the last NANOG peering BoF, a solution was
presented by Cisco, others were discussed, and we compared /
contrasted other vendors' solutions as well.

But hey, who wants a peering BoF any more....

> Got this idea of a member portal feature, where the IX member can
> record one or more MACs via the web interfaces. Then a robot can
> easily clear those on the port, read the new ones, compare to those
> provided on the web portal, and ultimately lock them.

Some IXes already do this. Look at TorIX.

--
TTFN,
patrick
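
The comparison step of the member-portal idea quoted in this message, as an added example that is not part of the original thread and not any IX's actual tooling. The port names, MAC addresses and the `lock` / `reject` / `wait` outcomes are assumptions made for illustration, and reading or pinning addresses on a real switch is left out.

```python
import re

def normalize_mac(raw):
    """Return a MAC as lowercase colon-separated hex, whatever notation it arrived in."""
    digits = re.sub(r"[.:\- ]", "", raw)
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def reconcile_port(registered, learned):
    """Compare portal-registered MACs with the MACs learned on a member port.

    Returns (action, macs):
      'lock'   - every learned MAC is registered; macs is the set to pin
      'reject' - unregistered MACs were seen; macs is the offending set
      'wait'   - nothing learned yet, so there is nothing to verify
    """
    allowed = {normalize_mac(m) for m in registered}
    seen = {normalize_mac(m) for m in learned}
    if not seen:
        return "wait", set()
    unknown = seen - allowed
    if unknown:
        return "reject", unknown
    return "lock", seen

def reconcile_all(portal, learned):
    """Run the comparison for every port that has a portal registration."""
    return {port: reconcile_port(macs, learned.get(port, []))
            for port, macs in portal.items()}

# Constructed sample data (locally administered MACs, hypothetical port names).
# Portal entries and switch output deliberately use different notations.
PORTAL = {
    "port-1": ["02:00:00:00:0A:01"],
    "port-2": ["02-00-00-00-0a-02"],
    "port-3": ["02:00:00:00:0a:03"],
}
LEARNED = {
    "port-1": ["0200.0000.0a01"],
    "port-2": ["02:00:00:00:0a:02", "02:00:00:00:0b:99"],
}

if __name__ == "__main__":
    for port, (action, macs) in sorted(reconcile_all(PORTAL, LEARNED).items()):
        print(port, action, sorted(macs))
```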