interesting peering activities at the exchange points
DESCRIPTION
Interesting Peering Activities at the Exchange Points. Naiming Shen Cisco Systems. 1. Peering Activities at NAPs. During the Summer of 1997 Pointing default Rewrite eBGP nexthop Passing third party nexthop Misconfiguration. Case#1: Rewrite eBGP Nexthop. ACLs. ISP 3. cpe2. Mae-East - PowerPoint PPT PresentationTRANSCRIPT
Nanog 14, Atlanta
Interesting Peering Activities at the Exchange
Points
1
Naiming ShenCisco Systems
11/9/98 Nanog 14, Atlanta 2
Peering Activities at NAPs
• During the Summer of 1997• Pointing default• Rewrite eBGP nexthop• Passing third party nexthop• Misconfiguration
11/9/98 Nanog 14, Atlanta 3
Case#1: Rewrite eBGP Nexthop
Private Peering
ISP 3
ISP 1
iMCI
ISP 2
cpe2
Mae-EastNAP
ACLs
11/9/98 Nanog 14, Atlanta 4
Case#1: Continue...• Netflow shown 15% extra traffic from a single subnet• traceroute -g shown the traffic coming to us• Install a static route of 212.x.x.x pointing to this router and
traceroute stopped at ISP1• Install the route in BGP, traceroute shown it coming back
to us• Thus this router of ISP3 had to rewrite the eBGP nexthop
base on the AS numbers• This could not be misconfiguration or a simple pointing
default. Also this was not just used towards iMCI.
11/9/98 Nanog 14, Atlanta 5
Case#1: Continue...
• Install a packet filter on one of the links• Install the packet filter on both links, which forced
the traffic going to ISP2• After the filter was removed, it came back• A New packet filter was applied
11/9/98 Nanog 14, Atlanta 6
Case #1: Continue...
• ACL 123access-list 123 permit icmp x.x.x.0 0.0.31.255 anyaccess-list 123 permit udp x.x.x.0 0.0.31.255 any gt 32000access-list 123 permit udp x.x.x.0 0.0.31.255 any eq 53access-list 123 deny ip x.x.x.0 0.0.31.255 anyaccess-list permit ip any any
• The new filter was there for four days
11/9/98 Nanog 14, Atlanta 7
ISP 4
iMCIISP 5
Case#2: Passing 3rd Party Nexthop
Peering
NAP LANtraffic
Peering/customer
11/9/98 Nanog 14, Atlanta 8
Case#2: Continue...
• Netflow did not find this case• Even you can rewrite the nexthop to your
peer’s address, you can’t stop your peer passing your nexthop to the 3rd party
• route-map commandset ip next-hop peer-address
• Use “next-hop-self”
11/9/98 Nanog 14, Atlanta 9
ISP 7
iMCI
ISP 6
internetMCI.net
Case#3: Pointing Default
11/9/98 Nanog 14, Atlanta 10
Case#3: Continue...
• It first pointing to ISP6, then to iMCI• reverse DNS lookup was xxx.internetmci.net• SNMP query had default route MIB value:
ip.ipRouteTable.ipRouteEntry.ipRouteNexthop.0.0.0.0 = IpAddress:192.41.177.180
• After we exchanged some email, they pointed to someone else
11/9/98 Nanog 14, Atlanta 11
ISP 9
Case#4: Tunneling
ISP 8
ISP 9
GRE
NAP1
NAP2
11/9/98 Nanog 14, Atlanta 12
ISP 11
ISP 10Upstream Provider
NAP3
Case#4: Continue...
E1E3
11/9/98 Nanog 14, Atlanta 13
Other Activities
• Run IGP at the NAPs• Run Native Multicast• Inconsistent route announcement at
different peering points
• Run CDP
11/9/98 Nanog 14, Atlanta 14
Detection
• Netflow stats for reverse route lookup and traffic matrix
• traceroute -g• If LSR is disabled, use Ping-Pong trace• MAC address accounting
11/9/98 Nanog 14, Atlanta 15
Filtering
• Packet level filtering• MAC address filtering/rate-limit, sometimes
combined with WRED• Null out offender’s routes within your
domain
11/9/98 Nanog 14, Atlanta 16
Preventive Measures
• NAP GIGAswitch L2 filtering• NAP ATM PVCs• Use “next-hop-self” and reset peer-address• Remove non-customer routes from NAP
routers• Do not carry NAP subnets in the backbone• Enforce consistent route announcements