[c-nsp] Peer pointing default route to us
Nick Hilliard
nick at foobar.org
Mon Sep 29 09:43:13 EDT 2014
On 29/09/2014 14:11, redscorpion69 wrote:
> What is the best way to filter traffic coming in from one of our peers and
> going upstream. Basically we see the peer is sending traffic to IPs we're
> not announcing to them. They may very well have a default route pointing to
> us as well.
>
> Not going into the fact that this is breaking peering policy rules, is there a
> dynamic way to filter this on (Juniper/Cisco)?

Pointing a default route at a peer is theft of service.

In the shorter term (i.e. over no more than a couple of days) your best
option would be to collect evidence that they are abusing the peering
arrangement. Mid to longer term, this sort of behaviour is reasonable
cause for permanent de-peering.

If this is private peering, then you could create an access list and allow
srcip == their IP address ranges only.

If this is on an IXP, it's more complicated. If they are abusing your
peering relationship, then they could be abusing others' too, or if you
stop them from abusing your peering relationship by e.g. blackholing all
traffic from their mac address, then they will probably move to someone
else. Best to get the IXP operator involved and present them with hard
data about what's going on. IXP operators will take this seriously.

Dragging this into the legal arena is possible but probably not worthwhile.

Nick
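
The evidence-collection step described above, as an added example that is not part of the original post: it totals the bytes a peer sent to destinations outside the prefixes announced to that peer. The CSV layout (src,dst,bytes), the prefix list, the sample records and the name off_net_report are all assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample: prefixes announced to the peer (documentation ranges).
ANNOUNCED_TO_PEER = ["192.0.2.0/24", "198.51.100.0/25"]

# Constructed flow export from the peer-facing port: src,dst,bytes
SAMPLE_FLOWS = """\
203.0.113.10,192.0.2.55,1200
203.0.113.10,198.51.100.200,900000
203.0.113.77,198.51.100.20,4000
203.0.113.77,198.51.100.129,52000
not-an-ip,192.0.2.1,10
"""


def off_net_report(flow_csv, announced):
    """Sum bytes the peer sent to destinations outside the announced prefixes."""
    nets = [ipaddress.ip_network(p) for p in announced]
    by_dst = defaultdict(int)
    total = skipped = 0
    for row in csv.reader(io.StringIO(flow_csv)):
        try:
            src, dst, nbytes = (field.strip() for field in row)
            ipaddress.ip_address(src)          # reject malformed records
            dst_ip = ipaddress.ip_address(dst)
            nbytes = int(nbytes)
        except ValueError:
            skipped += 1                       # keep count; do not guess
            continue
        total += nbytes
        # A v4 address is never "in" a v6 network (and vice versa), so mixed
        # address families are handled by the membership test itself.
        if not any(dst_ip in net for net in nets):
            by_dst[str(dst_ip)] += nbytes
    off_net = sum(by_dst.values())
    return {
        "total_bytes": total,
        "off_net_bytes": off_net,
        "skipped_records": skipped,
        "top_off_net": sorted(by_dst.items(), key=lambda kv: -kv[1]),
    }


if __name__ == "__main__":
    report = off_net_report(SAMPLE_FLOWS, ANNOUNCED_TO_PEER)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The per-destination byte totals, together with the list of prefixes actually announced on the session, are the kind of hard data that can be handed to an IXP operator.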