As I said, this solution isn't for everyone. Some people do set next-hop-self somewhere within their network, I would bet the majority. If this is the case for you, you can at least prevent people you don't peer with from doing it. Blackhole the NAP LANs, and add valid statics for the people you peer with.

Jeff Swinton

At 05:03 PM 11/25/97 +0000, Lyndon Levesley wrote:
On Tue, 25 Nov 1997 at around 11:44:17, "JS" == Jeff Swinton penned:
JS> Maybe I'm missing something, but couldn't you block this with routing
JS> as well? The attack seems to be based on the fact that your NAP
JS> routes to other NAP LANs.
JS> Let's say you connect to just MAE-E and MAE-W. At MAE-E, add a route
JS> for the MAE-W network to null0. Do the opposite at MAE-W. While
JS> this may not work for everyone, it should work for the majority. It may also be more
JS> pleasant than adding filters to a high speed interface.
No - this would involve much more work than that.
Take the case of
(ME peers)---[ME router]======[MW router]------(MW peers)
all sitting inside the same AS. (put as many routers as you like in between them or in other parts of your network - it still holds)
The next hop that "MW router" sees for a ME peer's route would be the address of that peer *on the ME LAN*.
In general, any router that speaks iBGP needs to know a route to every exit point of every other iBGP router. You /could/ do this differently I suppose but it would be a ridiculous amount of work and it would make debugging problems somewhat harder.
JS> Jeff Swinton
Cheers,

Lyndon Levesley
GX Networks
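As an added illustration that is not from either poster, here is a Cisco IOS fragment for the "MW router" in Lyndon's diagram that combines Jeff's two suggestions: blackhole the other exchange LAN, but keep more-specific statics for the peers you actually talk to so their iBGP next hops still resolve. All values are constructed placeholders: 192.0.2.0/24 stands for the ME exchange LAN, 192.0.2.10 for one peer on it, 10.0.0.1 for the ME router's backbone address and 64496 for the local AS.

```cisco
! MW router. Constructed example addresses, not from the original thread:
!   192.0.2.0/24  = the ME exchange LAN
!   192.0.2.10    = a peer of ours on the ME LAN
!   10.0.0.1      = the ME router's backbone address
!   64496         = our AS
!
! Jeff's first point: blackhole the remote exchange LAN, so a third party
! who is not our peer cannot use this router as transit by steering
! traffic towards addresses on that LAN.
ip route 192.0.2.0 255.255.255.0 Null0
!
! Jeff's second point: a /32 static for each peer we do speak to on the
! ME LAN. This is the next hop that iBGP hands us for that peer's routes
! (Lyndon's objection); longest-prefix match lets it win over the Null0
! route above, while the rest of the LAN stays blackholed.
ip route 192.0.2.10 255.255.255.255 10.0.0.1
!
! Our iBGP session to the ME router.
router bgp 64496
 neighbor 10.0.0.1 remote-as 64496
!
! Alternative that avoids the per-peer statics entirely: if the ME router
! rewrites the next hop towards its iBGP neighbours, MW never needs a
! route into the ME LAN and the Null0 route alone suffices. On the ME
! router (10.0.0.1) that is:
!   router bgp 64496
!    neighbor 10.0.0.2 remote-as 64496
!    neighbor 10.0.0.2 next-hop-self
```

Verify with `show ip route 192.0.2.10` (should resolve via 10.0.0.1) and `show ip route 192.0.2.99` (should hit Null0) before trusting the change on a live exchange router.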