[j-nsp] Am I carrying this route or not ?
joel jaeggli
joelja at bogus.com
Sun Mar 24 17:05:20 EDT 2013
On 3/24/13 1:24 PM, Zehef Poto wrote:
> Thank you Payam. I think I got what you mean.
>
> In this particular case however, the X/22 route is not a customer or
> anything. It is the IXP's peering LAN !
>
> So... It means that the person requested all the IXP's members to
> null-route the whole peering LAN ? How can you possibly ask for this ?
>
> I peer with several members within this LAN. If I null-route the X/22 LAN,
> we agree that my peering sessions will go down, right ?
What they're asking is for you to not carry the prefix in your
network... The devices directly attached have that route at a lower
admin distance (e.g. direct); your peering routers will therefore not have
their sessions go down. However, any BGP routes you learn over the
peering fabric need to have a nexthop that is in your routing table;
that could be the peering router (nexthop self), a more specific route
for the peer router, or something else.
> Thanks again,
>
> 2013/3/24 Payam Chychi <pchychi at gmail.com>
>
>> Carry a route is the same as accepting a route and having it become
>> active, allowing traffic to traverse your network to the destination. In
>> this case the user is asking you to drop the route (attack traffic) at your
>> edge if possible and not to carry it through your network and deliver it to
>> the end destination (his network) because it's probably saturating or causing
>> him performance issues.
>>
>> Normally networks will have a global community string that they can tag a
>> route with and it will send it to null0, dropping that traffic at the edge
>> vs. the user withdrawing its -/24 route from the advertise table. You can
>> also go on the peering router and set the next hop route for the attacked
>> destination ip to null0 (discard) and only traffic traversing that one
>> router will drop the traffic (global community will handle this if you
>> have a multi homed network)
>>
>> Local nullroute example:
>> "Set routing-options static route x.x.x.x/32 discard" ... Something like
>> this
>>
>> All you're doing is dropping traffic for x.x.x.x/x at your edge, most cases
>> it's a /32 nullroute.
>>
>> Google is your friend :)
>> Cheers,
>> --
>> Payam Chychi
>> Network Engineer / Security Specialist
>>
>> On Sunday, 24 March, 2013 at 6:47 AM, Zehef Poto wrote:
>>
>> Hey guys,
>>
>> Thank you all for the very valuable input. Actually yes, Tobias is right,
>> I'm having this question because of the (quoted by Tobias) e-mail we got
>> yesterday across several IXPs.
>>
>> I just don't understand what is to "carry a route in my backbone". Am I not
>> supposed to know all of (or most of) the Internet routes, since I work with
>> tier-1 upstream providers ? As a consequence, it means I'm carrying all
>> these routes right ?
>>
>> A "show route X/22" tells that it was advertised by an eBGP peer on one of
>> my edge routers, and the three other ones learnt this same route via OSPF.
>>
>> This is where I'm completely confused. What am I supposed to do to "carry"
>> a route or not ?
>>
>> Thanks again,
>>
>> 2013/3/24 Tobias Heister <lists at tobias-heister.de>
>>
>> Hi All,
>>
>> On 24.03.2013 00:26, Jeff Wheeler wrote:
>>
>> Whoever that person is that said something about "use next-hop-self"
>> in this context, either you misunderstood them, or you shouldn't
>> listen to them anymore. That has nothing to do with looking to see if
>> your router knows about a route.
>>
>>
>> This sounds like the OP wants to help the Cloudflare guys who sent the
>> following mail to DECIX/AMSIX (and probably other IX) yesterday.
>>
>> We're currently seeing a very large attack directed to our IP on AMS-IX
>> (X).
>>
>> We request that all peers:
>>
>> 1) Don't carry this route (X/22) in your backbone. (you can set
>> next-hop-self, etc). It'll save other security concerns and possible free
>> transit you're giving away to others.
>>
>> 2) Filter any traffic within to the AMS-IX exchange fabric (again,
>> X/22), except for your point to [multi]point BGP communications.
>>
>> --
>> Kind Regards
>> Tobias Heister
>>
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>>
>>
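The next-hop resolution behaviour described in the reply above, as an added example that is not part of the original thread: a small Python model of how an edge and a core router resolve the next hop of a BGP route learned over the peering fabric, with and without the peering LAN in the IGP and with next-hop-self. All addresses are constructed (10.0.0.0/22 stands in for X/22), and the function names are hypothetical.

```python
import ipaddress as ip

IXP_LAN = ip.ip_network("10.0.0.0/22")        # constructed stand-in for X/22
PEER_NH = ip.ip_address("10.0.1.7")           # constructed peer address on the fabric
EDGE_LOOPBACK = ip.ip_network("192.0.2.1/32") # constructed edge-router loopback


def resolve(next_hop, table):
    """Longest-prefix match of a BGP next hop against a list of known routes."""
    matches = [net for net in table if next_hop in net]
    return max(matches, key=lambda net: net.prefixlen, default=None)


def edge_view():
    """The edge router is directly attached to the fabric, so the peering LAN
    is a connected route there no matter what the rest of the network carries;
    the eBGP sessions to peers on the LAN stay resolvable."""
    connected = [IXP_LAN, EDGE_LOOPBACK]
    return resolve(PEER_NH, connected)


def core_view(carry_ixp_lan, next_hop_self):
    """Return (usable, resolving_route) for a fabric-learned BGP route as seen
    by a core router that only has IGP routes and iBGP from the edge."""
    igp = [EDGE_LOOPBACK]                 # loopbacks are always in the IGP
    if carry_ixp_lan:
        igp.append(IXP_LAN)               # peering LAN leaked into OSPF
    # With next-hop-self the edge rewrites the next hop to its own loopback
    # before advertising the route over iBGP.
    next_hop = EDGE_LOOPBACK.network_address if next_hop_self else PEER_NH
    via = resolve(next_hop, igp)
    # An unresolvable next hop means the route cannot be installed for
    # forwarding (Junos lists such routes as hidden).
    return via is not None, via


if __name__ == "__main__":
    print("edge resolves peer via:", edge_view())
    for carry in (True, False):
        for nhs in (False, True):
            usable, via = core_view(carry, nhs)
            print(f"carry X/22={carry!s:5} next-hop-self={nhs!s:5} "
                  f"usable={usable!s:5} via={via}")
```

The case to watch is `carry X/22=False, next-hop-self=False`: the core router has nothing to resolve the fabric next hop against, which is why dropping the peering LAN from the backbone has to be paired with next-hop-self or an equivalent more specific route.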