Re: de-peering and peering
Steve: Thanks for the reply. But when doing traffic engineering I have the following problem. Consider the scenario. Let us say Network A has a peering agreement with Network B. Now let us say Network X wants to reach Network B. X and B do not have a peering agreement. Can Network A use the peering link between A and B to route the traffic of Network X? What are the mechanisms in place in B's network to detect that Network A is transiting the data (in this case Network B is the loser) from Network X? Basically what I am trying to arrive at is: suppose the peering arrangement between A and B were to be for data originating from A and B only (and not transited). Can A or B misuse the peering agreement by masquerading transit data as if it's originating from its own n/w?
thx, shashi
Steve Naslund wrote:
Peering arrangements are when networks make connections between each other. Usually networks of equal size (traffic-wise) will try to peer with each other. Although this may not be technically correct, here are the basics.
Peering - connections between networks that are cooperative; there is no cost other than the physical connection itself. That cost might be shared, or the smaller network may pay for the physical connection. Carries traffic that terminates on one of the two networks, i.e. you can't go through the peering connection you have with my network to get to another network. Consider peering connections to be express routes between two networks. You generally can get this type of connection if you are a service provider or public institution. It is harder to get if you are a private entity unless you can show a benefit for me in peering with you. In other words, I would like the traffic flow to be as symmetric as possible or improve service for an important customer.
Transit - connections between networks that I pay for and that allow me to get to anything on the Internet. These are generally very expensive but allow you to reach anyone, anywhere. Consider transit connections to be the superhighway with exits to everywhere but with a lot of traffic. Anyone who buys service from an upstream provider has a transit connection, although they usually refer to full BGP sessions.
Now you can see that if I am paying for a transit connection through say UUnet and I have a ton of traffic going to say Exodus, it is in my best interest to try to establish a peering agreement with Exodus so that I don't have to use my expensive bandwidth from UUnet. I can also get a more direct route to where my customers want to go and avoid congestion.
Peering and de-peering have a huge impact on traffic engineering because lack of peering means that most traffic is being carried by the biggest transit providers like UUnet and Cable & Wireless. Peering makes the Internet more redundant and reliable and evens out the loads better. Traffic engineering is all about peering and which paths are preferred over others. If your only connections are transit then there are not many options for traffic engineering.
Steve
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Shashi Kumar
Sent: Tuesday, April 02, 2002 12:36 PM
To: nanog@merit.edu
Subject: de-peering and peering
Dear List:
Sorry for a naive question. Could someone on the list explain what peering and de-peering are, and how peering and de-peering influence traffic engineering? (data traffic or otherwise..)
thanks in advance, shashi
On Wednesday 3 April 2002, at 1 h 9, "Shashi Kumar" <shashi.kumar@wipro.com> wrote:
Let us say Network A has a peering agreement with Network B. Now let us say Network X wants to reach Network B. X and B do not have a peering agreement. Can Network A use the peering link between A and B to route the traffic of Network X?
In the most common sense of the word "peering", no, it cannot.
What are the mechanisms in place in B's network to detect that Network A is transiting the data (in this case Network B is the loser) from Network X?
Network monitoring, statistics, sometimes actual packet filters fed from RADB. Sometimes pure luck: one day, a traceroute will reveal the trick.
Basically what I am trying to arrive at is: suppose the peering arrangement between A and B were to be for data originating from A and B only (and not transited). Can A or B misuse the peering agreement by masquerading transit data as if it's originating from its own n/w?
Technically yes (some technical measures can be used against that). But it is a violation of the typical peering agreement and it will raise trouble :-)
What is normally done is that we configure BGP so that we only advertise routes to our AS (and our customers' ASes) over a peering connection. This would prevent the peer from seeing any other networks through that connection. If it is a smaller peer we also put up filters that allow only their IP blocks as the source and only route to their IP blocks as the destination. For larger peers with lots of blocks this is difficult, but the honor system works pretty well and you would have to do quite a bit of hands-on work to fake out the BGP filter. To prevent you from coming in via a peering connection and out over my transit links, we also filter the incoming connection from the transit provider to make sure the traffic is going to one of my IP blocks or one of my customer-owned blocks. This sounds complex, but most of our allocations are large so you are only talking about 10 or so blocks. Because it is a peering connection, it would be easy enough to dump a peer you caught cheating.

We have been known on occasion to help out an especially helpful peer. For example, if you were my peer and you had lost your main transit connection, I may have enough bandwidth to drop my filters and provide you transit for a reasonable time. This is kind of being a good citizen and usually you can count on having the favor returned. Another favor we have done is this. Say for example that Digex can't get to AboveNet (just an example); if I am peered with both, I might allow transit between them until they can get their routing sorted out. Abusing a peering session would be suicide from a business point of view because getting peering agreements at all means maintaining a good reputation. Regardless of all the studies that people claim to use to determine who to peer with, it all boils down to whether we like you or not and want to help out.

One good example is that we generally allow peering with almost anyone as long as they are operating a good-sized network, and we will do a lot to help schools, non-profits, and community networks. We also go out of our way to help research organizations such as the Department of Energy labs and university projects. Overall, peering helps the overall reliability of the Internet and decentralizes traffic. We try to peer unless we can find a good reason not to. Unfortunately a lot of people do not adhere to bilateral peering agreements, but we found them quite useful. Our policy was that we would look at private peering circuits on an individual basis and probably make you pay the line costs, but if you are at one of the NAPs, we would peer with you there with no questions asked. The logic behind it is that if you have gone to the trouble of getting your own NAP connection, you are important enough to peer with, and the expense of peering at the NAP is minimal anyway. It also limits my network isolation when my transit provider dies.
Steve
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Stephane Bortzmeyer
Sent: Tuesday, April 02, 2002 2:07 PM
To: Shashi Kumar
Cc: nanog; Venkatesh Seshasayee
Subject: Re: de-peering and peering
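The export and ingress policies Steve describes in his reply (advertise only own and customer routes over a peering session; on a small peer's link accept only the peer's source blocks and our destination blocks; on the transit link accept only traffic destined to blocks we announce), modelled in Python as an added example. This is illustrative code written for this page, not router configuration from any of the posters. The sample RIB, the address blocks (RFC 5737 documentation ranges plus private space) and the `learned_from` tag, which stands in for the community or AS-path marking a real network would use to distinguish customer routes, are all constructed.

```python
"""Model of peering-session policy: what gets exported to a peer, and what a
peer or transit link is allowed to hand us. Added example, not vendor config."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: str          # CIDR string
    learned_from: str    # "self", "customer", "peer" or "transit" (constructed tag)


# Constructed sample RIB for "Network A". Documentation / private address space.
RIB = [
    Route("198.51.100.0/24", "self"),       # our own allocation
    Route("203.0.113.0/24", "customer"),    # a customer who buys transit from us
    Route("192.0.2.0/24", "customer"),      # another customer block
    Route("10.200.0.0/16", "peer"),         # learned from some other peer
    Route("172.16.0.0/12", "transit"),      # "the rest of the Internet" via transit
    Route("0.0.0.0/0", "transit"),          # default from the transit provider
]


def export_to_peer(rib):
    """Export policy on a peering session: only routes that are ours or our
    customers' are announced. Routes learned from other peers or from transit
    never cross a peering link, so the peer cannot reach them through us."""
    return [r for r in rib if r.learned_from in ("self", "customer")]


def blocks_announced_to_peer(rib):
    """The destination blocks a peer is entitled to send traffic to."""
    return [r.prefix for r in export_to_peer(rib)]


def _within(addr, blocks):
    a = ip_address(addr)
    return any(a in ip_network(b) for b in blocks)


def peer_ingress_ok(src, dst, peer_blocks, our_blocks):
    """ACL on a small peer's link: the source must belong to the peer's own
    blocks and the destination must be a block we announced to them. A source
    outside peer_blocks suggests a third party riding the peer's link; a
    destination outside our_blocks suggests the peer is pointing default at us."""
    return _within(src, peer_blocks) and _within(dst, our_blocks)


def transit_ingress_ok(dst, our_blocks):
    """ACL on the transit-facing link: accept only packets destined to blocks we
    announce, so nobody can come in over peering and leave over our transit."""
    return _within(dst, our_blocks)


if __name__ == "__main__":
    ours = blocks_announced_to_peer(RIB)
    print("announced to peer:", ours)
    peer_b = ["10.10.0.0/16"]   # constructed: peer B's registered block
    for src, dst in [("10.10.1.1", "203.0.113.5"),   # legitimate peer traffic
                     ("10.99.1.1", "203.0.113.5"),   # source not peer B's
                     ("10.10.1.1", "172.16.5.5")]:   # destination not announced to B
        print(src, "->", dst, "accepted" if peer_ingress_ok(src, dst, peer_b, ours) else "dropped")
```

The three `peer_ingress_ok` checks in the usage section correspond to the three cases in the thread: a peer's own host reaching one of our blocks, a third party (Network X) sourcing traffic through the peer's link, and the peer using the link as transit to a destination we never advertised to it.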
On Wed, Apr 03, 2002 at 01:09:52AM +0530, Shashi Kumar wrote:
Basically what I am trying to arrive at is: Suppose the peering arrangement between A and B were to be for data originating from A and B only(and not transited).
That's basically how peering agreements work.
Can A or B misuse the peering agreement by masquerading transit data as if its originating from its own n/w?
You can abuse a peer to make it carry traffic it normally wouldn't by doing things like:
- Pointing default, or setting a default route to your peer. This implies that you are using the link in a transit capacity, but really any route that isn't being advertised to you qualifies. At older L2 exchange points with everyone in a single peering VLAN, you can have people dump traffic on you without ever being a peer.
- Resetting nexthop, or changing the nexthop on other existing routes, such as through a route-map. This accomplishes the same thing as above, but may be a little more stealthy, using routes that you know may not attract much attention, such as other peers of your peer.
- Selling or giving next-hop to a third party. This is basically just the act of selling your peering routes to someone else. It may or may not be that bad, but most people have rules against it anyways.
If this is a peer with joe schmuck ISP down the street, there may not be any formal legal agreement preventing these activities, and the worst that would happen is they disconnect you and maybe spread the word about your activities to other people you might want to peer with. If this is a larger peer, they probably made you sign a peering agreement with specific legal language, and are probably also more than willing to take you to court for the services "stolen". I even recall Paul Vixie saying that if you were caught defaulting into a peer at a PAIX facility, they would seize your equipment and you would have to sue them to get it back (though you would probably win, and if you happened to have a recording of that NANOG you might even be able to prove that it was premeditated and/or malicious activity).
I'm not a terribly big fan of people waving their lawyers around trying to scare others into believing they can do illegal things (like Exodus and the unilateral "by reading this email, you consent to our NDA" tagline nonsense), but lawyers do cost money and big providers probably have more of them than you do. That doesn't mean people don't abuse peers though. I don't know anyone offhand who does, but I do know quite a few large ISPs that either until very recently did nothing or continue to do nothing to prevent people from abusing them. But all it takes is one bored engineer or one traceroute from the wrong person, and you're busted.
What are the mechanisms in place in B's network to detect that Network A is transiting the data (in this case Network B is the loser) from Network X?
Well, for the kind of abuse we're talking about here (networks dumping traffic which doesn't belong into your peer), you can pretty much discourage them by not routing it. Some techniques that are used are:
- For non-peers dumping traffic at shared-VLAN peering points, MAC filters.
- If you are big enough to have routers dedicated to just peering, don't carry anything other than customer routes on that router, and set a default route to null0. One peer can still route into another peer on that router, but it severely limits the scope of traffic they can dump into you.
- If you are lucky/smart enough to have Juniper routers, set up a separate routing-instance for each peer, with a discard route as default. Cisco has this functionality too (VRF) but it is considered VPN and usually isn't available on the trains of code you want to be running on your routers.
- If you have a Crisco, check out the BGP Policy Accounting feature. This will let you check counters and see if someone is dumping traffic they shouldn't be. Follow up with the clue bat.
I don't really know of any good way to prevent another network from selling your nexthops. You can do something like RPF check your peers, but then you can run into asymmetric routing issues. But just like anyone who is involved in selling "stolen" merchandise, they usually get busted when they piss off someone who knows about their activities and they get ratted out.
--
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
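Richard's second and fourth points (a peering router that carries only customer routes with a discard default, plus policy accounting counters to see who is dumping traffic) combined into one Python model, as an added example that is not from the thread and not any vendor's implementation of BGP policy accounting. The FIB, the peers' registered blocks and the NetFlow-style records are constructed; the bucket names and the 10% threshold in `suspicious_peers` are choices made for this example.

```python
"""Peering-router accounting model: classify flows arriving from each peer by
whether they fit the peering relationship, and flag peers that do not.
Added example with constructed data; not real router code."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed FIB of a dedicated peering router: customer routes only, and a
# default that discards (the "default route to null0" design from the post).
PEERING_ROUTER_FIB = {
    "198.51.100.0/24": "customer",   # our own block
    "203.0.113.0/24": "customer",    # customer block
    "192.0.2.0/24": "customer",      # customer block
    "0.0.0.0/0": "discard",          # null0 default: anything else is dropped
}

# Constructed: each peer's registered address blocks (what they may source from).
PEER_BLOCKS = {"peer-B": ["10.10.0.0/16"], "peer-C": ["10.20.0.0/16"]}

# Constructed NetFlow-style records: (ingress peer, src, dst, bytes).
FLOWS = [
    ("peer-B", "10.10.1.1", "203.0.113.5", 120_000),    # fine
    ("peer-B", "10.10.2.2", "198.51.100.9", 80_000),    # fine
    ("peer-B", "10.10.3.3", "172.16.5.5", 5_000_000),   # dst never advertised to B
    ("peer-B", "10.99.1.1", "198.51.100.9", 2_000_000), # src is not B's space
    ("peer-C", "10.20.1.1", "192.0.2.7", 40_000),       # fine
]


def lookup(fib, addr):
    """Longest-prefix match; the /0 default guarantees a hit."""
    a = ip_address(addr)
    best = max((ip_network(p) for p in fib if a in ip_network(p)),
               key=lambda n: n.prefixlen)
    return fib[str(best)]


def account(flows, fib, peer_blocks):
    """Per-peer byte counters in the spirit of policy-accounting buckets.
    Counting only: the discard default already drops the bad destinations,
    the counters tell you which peer is sending them. Source checking is done
    here as accounting rather than a hard RPF drop, which the post warns can
    break under asymmetric routing."""
    counters = defaultdict(lambda: defaultdict(int))
    for peer, src, dst, nbytes in flows:
        if not any(ip_address(src) in ip_network(b) for b in peer_blocks.get(peer, [])):
            bucket = "src_not_peer"          # third party riding the peer's link
        elif lookup(fib, dst) == "discard":
            bucket = "dst_not_advertised"    # peer pointing default / resetting nexthop at us
        else:
            bucket = "ok"
        counters[peer][bucket] += nbytes
    return {peer: dict(c) for peer, c in counters.items()}


def suspicious_peers(counters, ratio=0.1):
    """Peers whose off-policy bytes exceed `ratio` of everything they sent.
    The threshold is a constructed choice for this example."""
    flagged = []
    for peer, c in counters.items():
        total = sum(c.values())
        bad = c.get("dst_not_advertised", 0) + c.get("src_not_peer", 0)
        if total and bad / total > ratio:
            flagged.append(peer)
    return sorted(flagged)


if __name__ == "__main__":
    counts = account(FLOWS, PEERING_ROUTER_FIB, PEER_BLOCKS)
    for peer, c in counts.items():
        print(peer, c)
    print("follow up with the clue bat:", suspicious_peers(counts))
```

Real policy accounting on a router classifies by BGP attributes of the matched route (community, AS path) rather than by a string tag, but the shape is the same: a counter per peer per traffic class, read periodically, with an alert when the "should not be here" class grows.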