
Announcing Peering-LAN prefixes to customers



On Wed, Jan 16, 2019 at 10:56 Mark Tinka <mark.tinka at seacom.mu> wrote:

> On 3/Jan/19 22:08, Andy Davidson wrote:
>
> > There are no stupid questions!  It is a good idea to not BGP announce
> > and perhaps also to drop traffic toward peering LAN prefixes at
> > customer-borders, this was already well discussed in the thread.  But there
> > wasn't a discussion on how we got to this point. Until the Cloudflare 2013
> > BGP speaker attack, that sought to flood Cloudflare's transfer networks and
> > exchange connectivity (and with it saturating IXP inter-switch links and
> > IXP participant ports), it was common for IXP IPv4/6 peering LANs to be
> > internet reachable and BGP transited.
>
> That's interesting to learn.
>
> Running a few exchange points in Africa since 2002, the news was that
> the exchange point LAN should not be visible anywhere on the Internet.
> It would be interesting to know that this wasn't the case in other parts
> of the world.



Some IX's use a globally reachable peering LAN prefix as a convenience for
their participants as "poor man's out-of-band", or can't designate a
separate /24 for the IXP's website / public services.

I can see some use cases, but in today's internet landscape the practice
just increases the attack surface, so it's not the Best Current Practice.

Kind regards,

Job