On Thu, 22 Apr 2004, James wrote:
1. Backbone addresses: ISPs that hide interface addresses and/or primary loopback addresses, and best practices for doing so? (e.g. traceroutes don't break, but the router uses say Loopback1 address to respond to them, while iBGP uses Loopback0. All Loopback0 address blocks can be filtered at borders.)
since ibgp's should be peered w/ loopbacks, loopback protection is all needed as as far as this bgp hysteria goes.
no! these are so easy to find!!!! $ host 65.116.132.145 145.132.116.65.in-addr.arpa domain name pointer lo0.b1.box2.twdx.net.
so loopback0 with "secret" addresses for ibgp peering, use a loopback1 to publish router ip addrs to public via looking glass, etc.
next thing to protect is customer ebgp sessions. some providers don't even route the p2p /30 links used between cust and their backbone (i.e. Sprint). so that's up to you.
some backbones even filter all traffic destined to backbone prefixes at ingress points (border routers, cust edge routers)... for example.. att being one. for example, here comes random test:
starbucks blahdy $ traceroute -M 8 12.123.205.65 traceroute to 12.123.205.65 (12.123.205.65), 64 hops max, 44 byte packets 8 jfk-brdr-02.inet.qwest.net (205.171.230.21) 6.404 ms 6.138 ms 6.145 ms 9 * qwest-gw.n54ny.ip.att.net (192.205.32.169) 6.465 ms !X *
all above options don't necessarily break traceroute as long as you implement it with care...
-J
2. Public IX addresses: ISPs that do not redistribute the IX prefix into their iBGP or IGP and do not use external next-hops (except local to the connected border router), but instead use the loopback of the border router when propogating these routes within their iBGP mesh. This should not break traceroutes "through" the exchange, but will break any traffic such as ping, spoofed packets, etc. to the exchange from a non-connected router.
Can anyone provide pro/con, better description of config templates for doing this, and/or discussion of major networks that choose to do this, or not do this?
Cheers, -Lane