What is normally done is that we configure BGP so that we only advertise routes to our AS (and our customers' ASs) over a peering connection. This would prevent the peer from seeing any other networks through that connection. If it is a smaller peer we also put up filters that allow only their IP blocks as the source and only route to their IP blocks as the destination. For larger peers with lots of blocks, this is difficult but the honor system works pretty well and you would have to do quite a bit of hands-on work to fake out the BGP filter. To prevent you from coming in via a peering connection and out over my transit links we also filter the incoming connection from the transit provider to make sure the traffic is going to one of my IP blocks or one of my customer owned blocks. This sounds complex but most of our allocations are large so you are only talking about 10 or so blocks. Because it is a peering connection, it would be easy enough to dump a peer you caught cheating.

We have been known on occasion to help out an especially helpful peer. For example, if you were my peer and you had lost your main transit connection, I may have enough bandwidth to drop my filters and provide you transit for a reasonable time. This is kind of being a good citizen and usually you can count on having the favor returned. Another favor we have done is this. Say for example that Digex can't get to AboveNet (just an example), if I am peered with both, I might allow transit between them until they can get their routing sorted out. Abusing a peering session would be suicide from a business point of view because getting peering agreements at all means maintaining a good reputation. Regardless of all the studies that people claim to use to determine who to peer with, it all boils down to whether we like you or not and want to help out.

One good example is that we generally allow peering with almost anyone as long as they are operating a good-sized network and we will do a lot to help schools, non-profits, and community networks. We also go out of our way to help research organizations such as the Department of Energy labs and university projects. Overall peering helps the overall reliability of the Internet and decentralizes traffic. We try to peer unless we can find a good reason not to.

Unfortunately a lot of people do not adhere to bilateral peering agreements but we found them quite useful. Our policy was that we would look at private peering circuits on an individual basis and probably make you pay the line costs but if you are at one of the NAPs, we would peer with you there with no questions asked. The logic behind it is that if you have gone to the trouble of getting your own NAP connection, you are important enough to peer with and the expense of peering at the NAP is minimal anyway. It also limits my network isolation when my transit provider dies.

Steve
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Stephane Bortzmeyer
Sent: Tuesday, April 02, 2002 2:07 PM
To: Shashi Kumar
Cc: nanog; Venkatesh Seshasayee
Subject: Re: de-peering and peering
On Wednesday 3 April 2002, at 1 h 9, "Shashi Kumar" <shashi.kumar@wipro.com> wrote:
Let us say Network A has a peering Agreement with Network B. Now let us say Network X wants to reach Network B. X and B do not have a peering agreement. Can Network A use the peering Link between A and B to route the traffic of network X?
In the most common sense of the word "peering", no, it cannot.
What are the mechanisms in place in B's network to detect that Network A is transiting the data (in this case network B loser) from Network X?
Network monitoring, statistics, sometimes actual packet filters fed from RADB. Sometimes pure luck: one day, a traceroute will reveal the trick.
Basically what I am trying to arrive at is: Suppose the peering arrangement between A and B were to be for data originating from A and B only (and not transited). Can A or B misuse the peering agreement by masquerading transit data as if it's originating from its own n/w?
Technically yes (some technical measures can be used against that). But it is a violation of the typical peering agreement and it will raise trouble :-)
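
The per-peer filter described in the reply above (source must be one of the peer's blocks, destination one of our own or customer-owned blocks), written as an offline audit over flow records taken from the peering interface. This is an added example, not part of the original thread; the prefixes and flow records are constructed from documentation ranges and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data (documentation prefixes), not from the thread.
PEER_BLOCKS = ["198.51.100.0/25"]   # blocks registered to the peer
OUR_BLOCKS = ["192.0.2.0/24"]       # our own and customer-owned blocks

# (source, destination, bytes) as seen inbound on the peering link.
SAMPLE_FLOWS = [
    ("198.51.100.10", "192.0.2.5", 1200),   # peer block -> our block
    ("198.51.100.99", "192.0.2.9", 800),    # peer block -> our block
    ("203.0.113.7", "192.0.2.5", 5000),     # source is not a peer block
    ("198.51.100.10", "203.0.113.20", 300), # destination is not one of ours
]

def parse_blocks(blocks):
    """Turn prefix strings into network objects."""
    return [ipaddress.ip_network(b) for b in blocks]

def in_blocks(addr, nets):
    """True if addr falls inside any of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def classify_peering_flow(src, dst, peer_nets, our_nets):
    """Apply the peering rule to one flow received from the peer."""
    src_ok = in_blocks(src, peer_nets)
    dst_ok = in_blocks(dst, our_nets)
    if src_ok and dst_ok:
        return "ok"
    if dst_ok:
        return "foreign-source"      # peer is handing us third-party traffic
    if src_ok:
        return "transit-through-us"  # peer traffic headed out via our transit
    return "foreign-both"

def audit(flows, peer_blocks, our_blocks):
    """Sum bytes per verdict so violations show up as volume, not noise."""
    peer_nets, our_nets = parse_blocks(peer_blocks), parse_blocks(our_blocks)
    report = {}
    for src, dst, nbytes in flows:
        verdict = classify_peering_flow(src, dst, peer_nets, our_nets)
        report[verdict] = report.get(verdict, 0) + nbytes
    return report

if __name__ == "__main__":
    for verdict, nbytes in sorted(audit(SAMPLE_FLOWS, PEER_BLOCKS, OUR_BLOCKS).items()):
        print(f"{verdict:20s} {nbytes} bytes")
```
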