p2p addresses for point-to-point connections with customers
I've been trying hard to come up with a solution regarding this, but I haven't decided yet which one is the best.
From the perspective of an ISP, how do you characterize the p2p addresses given for a point-to-point connection to a) customers with their own ASN b) customers without an ASN?
These are IP addresses configured on your router's border interface and on the customer's peer router interface (old WAN-style), so they actually are both infrastructure and customer addresses. So... Do you consider them infrastructure addresses or customer addresses? Do you put them in your IGP or in BGP? Do you filter them on your border routers (via iACLs) and if yes, how?
-- Tassos
On Nov 6, 2012, at 6:32 PM, Tassos Chatzithomaoglou wrote:
Do you consider them infrastructure addresses or customer addresses?
They're infrastructure addresses.
Do you put them in your IGP or in BGP?
You should treat them as you do your other infrastructure addresses (i.e., if you're null-routing them at the peering edge, or what-have-you).
Do you filter them on your border routers (via iACLs)
Yes.
and if yes, how?
The same way you filter any other interface addresses in your iACLs.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
Having an iACL format like below, that means that I would have to add at least one extra "permit" entry before the spoofing entries.
deny MARTIANS/BOGONS
deny SPOOFING
deny PROTOCOLS/PORTS
permit BGP-PEERINGS
permit TUNNELS
deny INFRASTRUCTURE
permit ANY
If that's indeed the case, what non-routing protocols do you allow from/to these types of addresses? Only specific types of icmp messages?
-- Tassos
Dobbins, Roland wrote on 06/11/2012 14:05:
On Nov 6, 2012, at 6:32 PM, Tassos Chatzithomaoglou wrote:
Do you filter them on your border routers (via iACLs)
Yes.
and if yes, how?
The same way you filter any other interface addresses in your iACLs.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
On Nov 6, 2012, at 7:31 PM, Tassos Chatzithomaoglou wrote:
Only specific types of icmp messages?
That, plus the routing session (if any) with your customer, plus anything else that's situationally-specific (GRE tunnel termination, etc.).
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
Roland, how do you handle customer requests regarding the remote management of their devices? i.e. if the customer wants to do any kind of management (ssh, snmp) from outside his router, he must use our infrastructure address (which is configured on his router) as a destination. Generally, the customer might want to use this wan address for many other things which you shouldn't actually care about, since it's his router.
-- Tassos
Dobbins, Roland wrote on 06/11/2012 14:34:
On Nov 6, 2012, at 7:31 PM, Tassos Chatzithomaoglou wrote:
Only specific types of icmp messages?
That, plus the routing session (if any) with your customer, plus anything else that's situationally-specific (GRE tunnel termination, etc.).
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
We generally perform all the management needed for our customers' circuits. If the customer is wanting to remotely manage their own router and etc then you should adjust your iACL to grant the customer access only on the IP on their router interface, not the whole /30 or etc. Or if you've routed an IP range to that customer they can use that and pick an IP for mgmt stuff from that range and let your infrastructure be at peace. ;)
Also, if you are going to adjust your iACL for them you will want that customer to have a static IP address or range (not a dynamic address) they are using to monitor/manage/access the infrastructure IP you've assigned on their router.
Otis
-----Original Message-----
From: Tassos Chatzithomaoglou [mailto:achatz@forthnetgroup.gr]
Sent: Tuesday, November 06, 2012 7:45 AM
To: Dobbins, Roland
Cc: NANOG list
Subject: Re: p2p addresses for point-to-point connections with customers
Roland, how do you handle customer requests regarding the remote management of their devices? i.e. if the customer wants to do any kind of management (ssh, snmp) from outside his router, he must use our infrastructure address (which is configured on his router) as a destination. Generally, the customer might want to use this wan address for many other things which you shouldn't actually care about, since it's his router.
On Nov 6, 2012, at 9:47 PM, Otis L. Surratt, Jr. wrote:
Also, if you are going to adjust your iACL for them you will want that customer to have a static IP address or range (not dynamic address) they are using to monitor/manage/access the infrastructure IP you've assigned on their router.
Yes, this is key. Management access to this router should not be possible from the public Internet at large.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
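The following is an added example, not code from any participant in this thread. It is a small first-match evaluator that models the iACL ordering Tassos listed (bogons, spoofing, protocols/ports, BGP peerings, tunnels, infrastructure, any) together with the two refinements discussed afterwards: Roland's point that only specific ICMP types, the routing session and tunnel termination should reach infrastructure addresses, and Otis's suggestion to permit management only from the customer's static address to the customer-side /32 of the link, not the whole /30. Every prefix, port and rule below is a constructed assumption using RFC 5737 documentation ranges; nothing here describes a real network.

```python
"""Toy first-match iACL evaluator for the p2p-link question in this thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing plan (RFC 5737 documentation ranges; assumptions for
# this example, not anyone's real network).
INFRA = "192.0.2.0/24"              # provider infrastructure aggregate
P2P_CUSTOMER_SIDE = "192.0.2.2/32"  # customer router's WAN address on the /30
CUSTOMER_MGMT = "198.51.100.10/32"  # customer's static management host
BGP_PEER = "203.0.113.1/32"         # an external BGP neighbour
BGP_LOCAL = "192.0.2.254/32"        # our end of that session
GRE_ENDPOINT = "192.0.2.200/32"     # our tunnel termination address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp", "icmp" or "gre"
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    name: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None
    icmp_types: Optional[frozenset] = None

    def matches(self, pkt: Packet) -> bool:
        """Every field that is set on the rule must match the packet."""
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.icmp_types is None or pkt.icmp_type in self.icmp_types))


BOGONS = ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
          "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")

# Inbound iACL on the Internet-facing interface; first match wins.
IACL = [Rule("deny", "MARTIANS/BOGONS", src=p) for p in BOGONS] + [
    Rule("deny", "SPOOFING", src=INFRA),          # our space never arrives from outside
    # The management exception: one static source, one /32 (the customer's side
    # of the link only), placed before the deny entries it would otherwise hit.
    Rule("permit", "CUSTOMER-MGMT", src=CUSTOMER_MGMT, dst=P2P_CUSTOMER_SIDE),
    Rule("deny", "PROTOCOLS/PORTS", dst=INFRA, proto="tcp", dport=23),
    Rule("deny", "PROTOCOLS/PORTS", dst=INFRA, proto="udp", dport=161),
    Rule("permit", "BGP-PEERINGS", src=BGP_PEER, dst=BGP_LOCAL, proto="tcp", dport=179),
    Rule("permit", "TUNNELS", dst=GRE_ENDPOINT, proto="gre"),
    # Only the ICMP types infrastructure needs: echo reply, unreachable, echo, time exceeded.
    Rule("permit", "ICMP-NEEDED", dst=INFRA, proto="icmp", icmp_types=frozenset({0, 3, 8, 11})),
    Rule("deny", "INFRASTRUCTURE", dst=INFRA),    # everything else aimed at us
    Rule("permit", "ANY"),                        # transit traffic towards customers
]


def decision(pkt: Packet, acl=IACL) -> tuple:
    """Return (action, rule name) of the first matching rule."""
    for rule in acl:
        if rule.matches(pkt):
            return (rule.action, rule.name)
    raise AssertionError("ACL lacks a terminal rule")


# Constructed sample traffic.
SAMPLES = {
    "mgmt_ssh_to_customer_side":      Packet("198.51.100.10", "192.0.2.2", "tcp", dport=22),
    "mgmt_snmp_to_customer_side":     Packet("198.51.100.10", "192.0.2.2", "udp", dport=161),
    "mgmt_ssh_to_provider_side":      Packet("198.51.100.10", "192.0.2.1", "tcp", dport=22),
    "internet_ssh_to_customer_side":  Packet("203.0.113.7", "192.0.2.2", "tcp", dport=22),
    "internet_snmp_to_customer_side": Packet("203.0.113.7", "192.0.2.2", "udp", dport=161),
    "internet_ping_customer_side":    Packet("203.0.113.7", "192.0.2.2", "icmp", icmp_type=8),
    "internet_icmp_timestamp":        Packet("203.0.113.7", "192.0.2.2", "icmp", icmp_type=13),
    "spoofed_infra_source":           Packet("192.0.2.9", "198.51.100.50", "tcp", dport=443),
    "transit_to_customer_lan":        Packet("203.0.113.7", "198.51.100.50", "tcp", dport=443),
    "ebgp_session":                   Packet("203.0.113.1", "192.0.2.254", "tcp", dport=179),
    "bogon_source":                   Packet("10.1.1.1", "192.0.2.2", "icmp", icmp_type=8),
}


def run_all() -> dict:
    return {name: decision(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (action, rule) in run_all().items():
        print(f"{name:32s} {action:6s} {rule}")
```

Two results are the ones worth checking against the discussion: the management host reaches the customer-side .2 but not the provider-side .1 (the permit is a /32, so the rest of the /30 stays under the infrastructure deny), and the same SSH or SNMP attempt from any other Internet host is dropped either by the protocol deny or by the infrastructure deny, which is what "not possible from the public Internet at large" amounts to in first-match terms. Moving the CUSTOMER-MGMT entry below the PROTOCOLS/PORTS entries would silently break the customer's SNMP, which is the ordering problem Tassos raised.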
Well, if you're null routing the /30 then you or they should have a /32 or larger for NAT or no RFC space behind it.
-----Original Message-----
From: Tassos Chatzithomaoglou [mailto:achatz@forthnetgroup.gr]
Sent: Wednesday, 7 November 2012 2:45 a.m.
To: Dobbins, Roland
Cc: NANOG list
Subject: Re: p2p addresses for point-to-point connections with customers
Roland, how do you handle customer requests regarding the remote management of their devices? i.e. if the customer wants to do any kind of management (ssh, snmp) from outside his router, he must use our infrastructure address (which is configured on his router) as a destination. Generally, the customer might want to use this wan address for many other things which you shouldn't actually care about, since it's his router.
-- Tassos
Dobbins, Roland wrote on 06/11/2012 14:34:
On Nov 6, 2012, at 7:31 PM, Tassos Chatzithomaoglou wrote:
Only specific types of icmp messages?
That, plus the routing session (if any) with your customer, plus anything else that's situationally-specific (GRE tunnel termination, etc.).
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
On 11/6/2012 5:44 AM, Tassos Chatzithomaoglou wrote:
Roland, how do you handle customer requests regarding the remote management of their devices? i.e. if the customer wants to do any kind of management (ssh, snmp) from outside his router, he must use our infrastructure address (which is configured on his router) as a destination. Generally, the customer might want to use this wan address for many other things which you shouldn't actually care about, since it's his router.
Why would the customer not have a loopback interface configured on his router with an accessible IP address? Relying on the WAN address is arguably a poor choice for a number of reasons including renumbering events and circuit outages.
participants (5)
- Alastair Johnson
- Dobbins, Roland
- James Baker
- Otis L. Surratt, Jr.
- Tassos Chatzithomaoglou