Hi Dominic,

On Thu, 2018-12-20 at 19:15 +0100, Dominic Schallert wrote:
> Dear Job, Michael, Ross,
> thank you very much for sharing your opinion, the detailed info and
> references. That’s pretty much what I expected.
> Just wondered because I couldn’t find any IXP Connection Agreement
> stating this „issue“ explicitly yet.
>
> Maybe MANRS IXP actions has some recommendations regarding this,
> checking that now.

We don't have it in our connection agreement as such, but it is in
section 3.2 of our (admittedly aged) Configuration Guide:

https://ams-ix.net/technical/specifications-descriptions/config-guide#3.2

3.2. Peering LAN Prefix

The IPv4 prefix for the AMS-IX peering LAN (80.249.208.0/21) is part of
AS1200, and is not supposed to be globally routable. This means the
following:

1. Do not configure "network 80.249.208.0/21" in your router's BGP
   configuration (seriously, we have seen this happen!).
2. Do not redistribute the route, a supernet, or a more specific
   outside of your AS. We (AS1200) announce it with a no-export
   attribute, please honour it.

In short, you can take the view that the Peering LAN is a link-local
address range and you may decide to not even redistribute it internally
(but in that case you may want to set a static route for management
access so you can troubleshoot peering, etc.).

AFAIK, pretty much all IXP operators take this view.

Cheers,
Steven

> Best wishes and happy holidays
>
> Cheers
> Dominic
>
> > On 20.12.2018 at 19:06, Michael Still <stillwa...@gmail.com> wrote:
> >
> > IXP LANs should not be announced via BGP (or your IGP either). See
> > section 3.1:
> > http://nabcop.org/index.php/BCOP-Exchange_Points_v2
> >
> > On Thu, Dec 20, 2018 at 12:50 PM Dominic Schallert <
> > d...@schallert.com> wrote:
> > > Hi all,
> > >
> > > this might be a stupid question but today I was discussing with a
> > > colleague if Peering-LAN prefixes should be
> > > re-distributed/announced to direct customers/peers. My standpoint
> > > is that in any case, Peering-LAN prefixes should be filtered and
> > > not announced to peers/customers because a Peering-LAN represents
> > > some sort of DMZ and there is simply no need for them to be
> > > reachable by third-parties not being physically connected to an
> > > IXP themselves. Also from a security point of view, a lot of new
> > > issues might occur in this situation.
> > >
> > > I’ve been seeing a few transit providers lately announcing (even
> > > reachable) Peering-LAN prefixes (for example DE-CIX Peering LAN)
> > > to their customers. I’m wondering if there is any document or RFC
> > > particularly describing this matter?
> > >
> > > Thanks
> > > Dominic
> >
> > --
> > [stillwa...@gmail.com ~]$ cat .signature
> > cat: .signature: No such file or directory
> > [stillwa...@gmail.com ~]$
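
An added example, not part of the original thread or of the AMS-IX guide: a Python audit of a router's outbound eBGP announcements against the two rules in section 3.2 quoted above (no peering LAN route, supernet or more specific; honour no-export). The route list is constructed sample data, and the tuple format, the function names and the exemption for the default route are assumptions.

```python
import ipaddress

# Peering LAN prefix taken from the configuration guide quoted in the thread.
PEERING_LAN = ipaddress.ip_network("80.249.208.0/21")
NO_EXPORT = "65535:65281"  # well-known NO_EXPORT community (RFC 1997)
DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


def classify(prefix, lan=PEERING_LAN):
    """Return how an announced prefix relates to the peering LAN, or None."""
    net = ipaddress.ip_network(prefix, strict=True)
    # Assumption: a default route covers everything and is not treated as a leak.
    if net.version != lan.version or net == DEFAULT_ROUTE:
        return None
    if net == lan:
        return "exact"
    if net.subnet_of(lan):
        return "more-specific"
    if net.supernet_of(lan):
        return "supernet"
    return None


def audit_export(routes, lan=PEERING_LAN):
    """routes: iterable of (prefix, set_of_communities) sent to eBGP neighbours."""
    findings = []
    for prefix, communities in routes:
        relation = classify(prefix, lan)
        if relation:
            findings.append((prefix, f"peering LAN {relation}"))
        elif NO_EXPORT in communities:
            # The route was tagged no-export upstream but is leaving the AS anyway.
            findings.append((prefix, "NO_EXPORT not honoured"))
    return findings


# Constructed sample of an outbound advertisement table (hypothetical data).
SAMPLE_EXPORT = [
    ("80.249.208.0/21", {NO_EXPORT}),   # the peering LAN itself
    ("80.249.210.0/24", set()),         # more specific of the peering LAN
    ("80.249.192.0/19", set()),         # covering supernet
    ("0.0.0.0/0", set()),               # default route to a customer
    ("192.0.2.0/24", set()),            # unrelated prefix
    ("198.51.100.0/24", {NO_EXPORT}),   # unrelated, but tagged no-export
    ("2001:db8::/32", set()),           # IPv6, different address family
]

if __name__ == "__main__":
    for prefix, reason in audit_export(SAMPLE_EXPORT):
        print(f"{prefix}: {reason}")
```
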