Nanog 14, Atlanta

Interesting Peering Activities at the Exchange

Points

1

Naiming ShenCisco Systems

11/9/98 Nanog 14, Atlanta 2

Peering Activities at NAPs

• During the Summer of 1997• Pointing default• Rewrite eBGP nexthop• Passing third party nexthop• Misconfiguration

11/9/98 Nanog 14, Atlanta 3

Case#1: Rewrite eBGP Nexthop

Private Peering

ISP 3

ISP 1

iMCI

ISP 2

cpe2

Mae-EastNAP

ACLs

11/9/98 Nanog 14, Atlanta 4

Case#1: Continue...• Netflow shown 15% extra traffic from a single subnet• traceroute -g shown the traffic coming to us• Install a static route of 212.x.x.x pointing to this router and

traceroute stopped at ISP1• Install the route in BGP, traceroute shown it coming back

to us• Thus this router of ISP3 had to rewrite the eBGP nexthop

base on the AS numbers• This could not be misconfiguration or a simple pointing

default. Also this was not just used towards iMCI.

11/9/98 Nanog 14, Atlanta 5

Case#1: Continue...

• Install a packet filter on one of the links• Install the packet filter on both links, which forced

the traffic going to ISP2• After the filter was removed, it came back• A New packet filter was applied

11/9/98 Nanog 14, Atlanta 6

Case #1: Continue...

• ACL 123access-list 123 permit icmp x.x.x.0 0.0.31.255 anyaccess-list 123 permit udp x.x.x.0 0.0.31.255 any gt 32000access-list 123 permit udp x.x.x.0 0.0.31.255 any eq 53access-list 123 deny ip x.x.x.0 0.0.31.255 anyaccess-list permit ip any any

• The new filter was there for four days

11/9/98 Nanog 14, Atlanta 7

ISP 4

iMCIISP 5

Case#2: Passing 3rd Party Nexthop

Peering

NAP LANtraffic

Peering/customer

11/9/98 Nanog 14, Atlanta 8

Case#2: Continue...

• Netflow did not find this case• Even you can rewrite the nexthop to your

peer’s address, you can’t stop your peer passing your nexthop to the 3rd party

• route-map commandset ip next-hop peer-address

• Use “next-hop-self”

11/9/98 Nanog 14, Atlanta 9

ISP 7

iMCI

ISP 6

internetMCI.net

Case#3: Pointing Default

11/9/98 Nanog 14, Atlanta 10

Case#3: Continue...

• It first pointing to ISP6, then to iMCI• reverse DNS lookup was xxx.internetmci.net• SNMP query had default route MIB value:

ip.ipRouteTable.ipRouteEntry.ipRouteNexthop.0.0.0.0 = IpAddress:192.41.177.180

• After we exchanged some email, they pointed to someone else

11/9/98 Nanog 14, Atlanta 11

ISP 9

Case#4: Tunneling

ISP 8

ISP 9

GRE

NAP1

NAP2

11/9/98 Nanog 14, Atlanta 12

ISP 11

ISP 10Upstream Provider

NAP3

Case#4: Continue...

E1E3

11/9/98 Nanog 14, Atlanta 13

Other Activities

• Run IGP at the NAPs• Run Native Multicast• Inconsistent route announcement at

different peering points

• Run CDP

11/9/98 Nanog 14, Atlanta 14

Detection

• Netflow stats for reverse route lookup and traffic matrix

• traceroute -g• If LSR is disabled, use Ping-Pong trace• MAC address accounting

11/9/98 Nanog 14, Atlanta 15

Filtering

• Packet level filtering• MAC address filtering/rate-limit, sometimes

combined with WRED• Null out offender’s routes within your

domain

11/9/98 Nanog 14, Atlanta 16

Preventive Measures

• NAP GIGAswitch L2 filtering• NAP ATM PVCs• Use “next-hop-self” and reset peer-address• Remove non-customer routes from NAP

routers• Do not carry NAP subnets in the backbone• Enforce consistent route announcements