
[af-ix-discuss] Your help please



> We want to add different services (root server, reverse DNS, looking glass, etc.) to our IXP.
> Can we use the /24 peering for these services? If so, why? If not, why?

You can split those into two categories.

One category are "things people bring to you," like the root servers and anything else that's administered by someone else, not you.  Each of those would typically be within its own IP address space (which it would bring with it) and sitting behind a BGP router, using only one IP address from your peering /24.

The other category is "things you manage yourself," like the in-addr DNS for the IXP, any route-server or looking-glass you may be running, the email list, web site, etc.  Those you need your own IP addresses for, as you're suggesting here:

> In addition to IP resources (IPv4, IPv6, and ASN) for peering, should all IXPs also have other IP resources (IPv4, IPv6, and ASN) for management?
> This management network is cut out for the management and services of the IXP. Is that the way it is?

Yes.

There's often a temptation to subnet the peering /24, and use the bottom half (which is typically already allocated) for the IXP, while splitting off the top half (which is typically not yet used) for services.  The problem with doing that is that the services need to be globally reachable (your web site and mailing list, for example) and most networks won't accept prefixes longer than /24, so you'd either need to provide transit for the whole /24, including the peering subnet, which you ABSOLUTELY SHOULD NOT DO because it enables a bunch of transit-stealing hacks, as well as the direct targeting of peering routers by external hackers; or you have to live with your services being only reachable from some locations.

So, yes, I'd strongly recommend that you get another /24 to use for your IXP's publicly-visible services in the "things you manage yourself" category.

One last caution: don't put the management interface of your peering switch on the publicly-routed subnet.  It should be firewalled and on a separate subnet that's only reachable through a tightly-controlled bastion host, or locally at the IXP facility.  You really, really don't want to expose that to hackers.

                                -Bill
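The reasoning in Bill's reply (services must be globally reachable, most networks accept nothing longer than a /24, and announcing a covering aggregate would hand transit to the peering LAN) can be turned into a quick plan checker. The script below is an added example written for this archive page, not code from the list or from any IXP; the /24 cut-off, the function names and the RFC 5737 documentation prefixes it uses as sample input are all assumptions made here. It compares the "split the peering /24" plan against the "separate /24 for services" plan and reports what each would require.

```python
import ipaddress

# Longest IPv4 prefix that most networks will accept into their routing
# table (the "/24 rule" the post refers to). Assumed value for this example.
MAX_ACCEPTED_IPV4_LEN = 24


def service_reachability(service_prefix, max_len=MAX_ACCEPTED_IPV4_LEN):
    """'global' if the prefix can be announced as-is and accepted widely,
    'partial' if it is longer than most networks will accept."""
    net = ipaddress.ip_network(service_prefix, strict=True)
    return "global" if net.prefixlen <= max_len else "partial"


def covering_announcement(service_prefix, max_len=MAX_ACCEPTED_IPV4_LEN):
    """Smallest aggregate covering the prefix that is short enough to be
    accepted globally; for an over-long prefix this is what you would have
    to announce instead of the prefix itself."""
    net = ipaddress.ip_network(service_prefix, strict=True)
    if net.prefixlen <= max_len:
        return net
    return net.supernet(new_prefix=max_len)


def check_plan(peering_lan, service_prefix, mgmt_prefix):
    """Evaluate an IXP addressing plan against the three points in the post:
    1. public services must be globally reachable,
    2. the peering LAN must never be given transit,
    3. the switch management interface must not sit on the peering LAN or
       on the publicly routed services subnet.
    Returns a dict of results plus human-readable findings."""
    peering = ipaddress.ip_network(peering_lan, strict=True)
    service = ipaddress.ip_network(service_prefix, strict=True)
    mgmt = ipaddress.ip_network(mgmt_prefix, strict=True)
    findings = []

    reach = service_reachability(str(service))
    aggregate = covering_announcement(str(service))
    # Announcing the aggregate hands transit to the peering LAN if it covers it.
    transit_for_peering = reach == "partial" and aggregate.overlaps(peering)
    mgmt_exposed = mgmt.overlaps(service) or mgmt.overlaps(peering)

    if service.overlaps(peering):
        findings.append(
            f"service block {service} is carved out of the peering LAN {peering}")
    if reach == "partial":
        findings.append(
            f"{service} is longer than /{MAX_ACCEPTED_IPV4_LEN}; "
            "only some networks will accept it")
        if transit_for_peering:
            findings.append(
                f"making it globally reachable means announcing {aggregate}, "
                "which provides transit for the peering LAN: do not do this")
    if mgmt_exposed:
        findings.append(
            f"management prefix {mgmt} sits on a publicly reachable subnet; "
            "move it to a separate firewalled subnet behind a bastion host")

    return {
        "service_reachability": reach,
        "covering_announcement": str(aggregate),
        "transit_for_peering_lan": transit_for_peering,
        "mgmt_exposed": mgmt_exposed,
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample plans using RFC 5737 documentation prefixes.
    plans = {
        "split the peering /24": check_plan("192.0.2.0/24", "192.0.2.128/25", "192.0.2.130/32"),
        "separate /24 for services": check_plan("192.0.2.0/24", "198.51.100.0/24", "10.10.0.0/24"),
    }
    for name, result in plans.items():
        print(f"{name}: reachability={result['service_reachability']}, "
              f"transit_for_peering_lan={result['transit_for_peering_lan']}, "
              f"mgmt_exposed={result['mgmt_exposed']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run as a script it prints four findings for the split plan and none for the separate-/24 plan; the same checks apply unchanged to IPv6 prefixes if you pass a different `max_len` matching your upstreams' filters.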

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <http://af-ix.net/pipermail/af-ix-discuss_af-ix.net/attachments/20180530/106c4273/attachment.sig>