Hi, Dominic --

On 20/12/2018, 17:49, Dominic Schallert <d...@schallert.com> wrote:

> this might be a stupid question but today I was discussing with a colleague if
> Peering-LAN prefixes should be re-distributed/announced to direct
> customers/peers.
> My standpoint is that in any case, Peering-LAN prefixes should be filtered
> and not announced to peers/customers because a Peering-LAN represents some
> sort of DMZ and there is simply no need for them to be reachable by
> third-parties not being physically connected to an IXP themselves.

There are no stupid questions!  It is a good idea to not BGP announce and 
perhaps also to drop traffic toward peering LAN prefixes at customer borders; 
this was already well discussed in the thread.  But there wasn't a discussion 
on how we got to this point. Until the Cloudflare 2013 BGP speaker attack, which 
sought to flood Cloudflare's transfer networks and exchange connectivity (and 
with it saturate IXP inter-switch links and IXP participant ports), it was 
common for IXP IPv4/6 peering LANs to be internet reachable and BGP transited. 

This facilitated troubleshooting (e.g. peering LAN interfaces showing up in 
traceroutes instead of 'starring out') and PMTUD (e.g. see the recommendation in 
https://www.ripe.net/ripe/mail/archives/ipv6-wg/2011-July/001839.html, which 
actually asked for IXP peering LANs to be announced).

There are good reasons to announce but there are better reasons to filter.  The 
security benefits of filtering outweigh the upsides on today’s internet, but 
fashions and best practice may further evolve over time. 

Andy


-- 
Andy Davidson
Director, Asteroid International BV  www.asteroidhq.com
Director, Euro-IX - The European Internet Exchange Association  www.euro-ix.net


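As an added example (not part of the thread above), the following Python audit checks the prefixes a router exports to a customer against a list of peering-LAN prefixes, flagging exact matches and more-specifics while leaving covering less-specifics alone. The peering-LAN and exported prefixes are constructed placeholders from the documentation ranges, not any real IXP's.

```python
import ipaddress

# Constructed placeholder peering-LAN prefixes (documentation ranges, not a real IXP's).
PEERING_LANS = [
    ipaddress.ip_network("192.0.2.0/24"),        # IPv4 peering LAN
    ipaddress.ip_network("2001:db8:ff00::/64"),  # IPv6 peering LAN
]

# Constructed sample of what a customer-facing export might contain.
SAMPLE_EXPORT = [
    "203.0.113.0/24",       # customer prefix: fine
    "192.0.0.0/16",         # covering less-specific of the LAN: legitimate route, fine
    "192.0.2.0/24",         # the peering LAN itself: leak
    "192.0.2.128/25",       # more-specific of the peering LAN: leak
    "2001:db8:ff00::/64",   # IPv6 peering LAN: leak
    "2001:db8:1::/48",      # customer IPv6 prefix: fine
]


def leaks_peering_lan(prefix, peering_lans=PEERING_LANS):
    """True if `prefix` is a peering-LAN prefix or a more-specific of one.

    Only exact matches and more-specifics would make the peering LAN reachable
    via this network; a covering less-specific (e.g. the RIR block the LAN was
    carved from) is not flagged.  Address families are compared separately,
    since subnet_of() rejects mixed IPv4/IPv6 comparisons.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.version == lan.version and net.subnet_of(lan)
               for lan in peering_lans)


def audit_export(exported_prefixes, peering_lans=PEERING_LANS):
    """Return the exported prefixes the customer-facing policy should have dropped."""
    return [p for p in exported_prefixes if leaks_peering_lan(p, peering_lans)]


if __name__ == "__main__":
    for leaked in audit_export(SAMPLE_EXPORT):
        print("peering-LAN prefix leaked to customer export:", leaked)
```

The same check applies to an inbound filter: a customer or peer announcing a prefix inside a peering LAN should be dropped for the same reason.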