Perhaps to combat this, unless I'm missing something, one could justifiably deploy GRE filters with source & destination addresses of the exchange subnets.
What's the point of this? Wouldn't it make more sense to just run a sniffer on the exchange fabric looking for such GRE tunnels and then kick the offending parties out of the exchange? Seems to me this has happened at least once at LINX.
It is a bit tricky figuring out exactly who can do the sniffing. There are a lot of parties, and agreements, and handshakes floating around any exchange point. In the USA, a number of communications laws were written in the days of Ma Bell. There was only one system, one network, one operator. While the Ma Bell exception is huge (an operator can do almost, but not quite, anything to protect its rights or property), it is unclear exactly how it applies at an 'exchange-point' between multiple operators. I feel sorry for the first FBI agent who has to serve a court order at 1919 Gallows Road.

Interestingly enough, at other multi-carrier meet-points, e.g. border crossings and trans-oceanic cable headends, there is often a very oddly worded warning/no trespassing sign about Presidential war powers and national defense installations. But back to the current issue, Internet exchange points between network providers. Can only the exchange point operator use the Ma Bell exception? Can the exchange point operator do this only with the consent of one or more of the attached carriers? Can an individual carrier monitor traffic addressed to them? What about broadcast traffic? Some providers have gone so far as to prohibit any modification to the infrastructure, but it is unclear exactly what this means. Is it yet another one of the useless paragraphs in the agreements? Most providers don't seem to show the same concern when someone points 'default' at them, bringing the full arsenal of debugging and monitoring tools to bear on tracking the source. OC3-MON anyone?

I tend to view GRE tunnels like any other traffic. A tunnel to/from any of my customers is like any other traffic to/from those customers. However, a tunnel between two end-points, neither of which is on my network, is a form of third-party transit traffic and gets blocked when I figure out the new way they are doing it. I know, in theory you can encapsulate anything in anything. But even IP inside USENET still has the transitive property, which is what concerns folks. But like many problems on the Internet, it is often easier just to block it than try to track down the source. If it is an honest issue, the source will usually contact you in a while. And sometimes you can figure out a better way of doing it. More often, you hear about the source moving on to do the same thing to another provider until they block it.

--
Sean Donelan, Data Research Associates, Inc, St. Louis, MO
Affiliation given for identification not representation
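As an added example, not code from Sean Donelan's post or from any tool named in this thread, the following Python applies the two rules discussed above to raw IPv4 packets as a sniffer on the exchange port would see them: GRE (IP protocol 47) whose outer source and destination both sit in the exchange subnet matches the "GRE filter with source & destination addresses of the exchange subnets" idea, a tunnel with at least one outer endpoint in the provider's own prefixes is treated like any other customer traffic, and a tunnel between two off-net endpoints is flagged as third-party transit. It also decodes the GRE header (RFC 2784/2890 optional checksum, key and sequence fields) to recover the inner IPv4 endpoints for the sniffer log. The prefixes, packet contents and verdict labels are constructed for the example and are not real assignments.

```python
import ipaddress
import struct

GRE_PROTO = 47          # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800 # GRE protocol-type field for IPv4 payload

# Constructed sample addressing (documentation ranges, not real deployments).
MY_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]      # "my customers"
EXCHANGE_SUBNET = ipaddress.ip_network("203.0.113.0/24")  # the exchange fabric


def build_ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 header (no options, checksum left zero) for test packets."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload


def build_gre(inner, key=None):
    """Build a GRE header carrying IPv4; the key field is optional (K flag, RFC 2890)."""
    flags = 0x20 if key is not None else 0x00
    hdr = struct.pack("!BBH", flags, 0, ETHERTYPE_IPV4)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr + inner


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) from a raw IPv4 packet, or None if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    return (ipaddress.ip_address(pkt[12:16]), ipaddress.ip_address(pkt[16:20]),
            pkt[9], pkt[ihl:])


def gre_payload_offset(gre):
    """Length of the GRE header: 4 fixed bytes plus optional checksum/key/sequence words."""
    if len(gre) < 4:
        return None
    flags = gre[0]
    off = 4
    if flags & 0x80:  # C: checksum + reserved1
        off += 4
    if flags & 0x20:  # K: key
        off += 4
    if flags & 0x10:  # S: sequence number
        off += 4
    return off if len(gre) >= off else None


def classify(pkt):
    """Verdict for one packet seen on the exchange port, based on the OUTER endpoints.

    Outer endpoints decide the matter because the tunnel itself is the third-party
    transit; what is inside it does not change who is carrying it.
    """
    parsed = parse_ipv4(pkt)
    if parsed is None:
        return "malformed"
    src, dst, proto, _ = parsed
    if proto != GRE_PROTO:
        return "not-gre"
    if src in EXCHANGE_SUBNET and dst in EXCHANGE_SUBNET:
        return "block:exchange-fabric-tunnel"   # the GRE filter on exchange subnets
    if any(src in p or dst in p for p in MY_PREFIXES):
        return "allow:customer-tunnel"          # treated like any other customer traffic
    return "block:third-party-transit"          # neither end is on my network


def inner_endpoints(pkt):
    """For GRE-in-IPv4 carrying IPv4, return (inner_src, inner_dst) strings for the log."""
    parsed = parse_ipv4(pkt)
    if parsed is None or parsed[2] != GRE_PROTO:
        return None
    gre = parsed[3]
    off = gre_payload_offset(gre)
    if off is None or struct.unpack("!H", gre[2:4])[0] != ETHERTYPE_IPV4:
        return None
    inner = parse_ipv4(gre[off:])
    return None if inner is None else (str(inner[0]), str(inner[1]))


# Constructed sample packets: an inner 10/8 flow carried over three different outer pairs.
INNER = build_ipv4("10.1.1.1", "10.2.2.2", 6)
PKT_FABRIC = build_ipv4("203.0.113.10", "203.0.113.20", GRE_PROTO, build_gre(INNER))
PKT_CUSTOMER = build_ipv4("192.0.2.5", "198.51.100.7", GRE_PROTO, build_gre(INNER))
PKT_TRANSIT = build_ipv4("198.51.100.7", "198.51.100.9", GRE_PROTO, build_gre(INNER, key=1234))
PKT_PLAIN = build_ipv4("198.51.100.7", "192.0.2.5", 6)

if __name__ == "__main__":
    for name, pkt in [("fabric", PKT_FABRIC), ("customer", PKT_CUSTOMER),
                      ("transit", PKT_TRANSIT), ("plain", PKT_PLAIN)]:
        print(f"{name:9s} {classify(pkt):32s} inner={inner_endpoints(pkt)}")
```

The outer-header check is what the filter enforces; the inner decode is only there so the sniffer log names the real endpoints when you go looking for the offending party. As Perry notes in the reply below this thread, an IPsec-encapsulated tunnel would defeat the inner decode, though its outer endpoints would still be visible to the same classification.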
Sean Donelan writes:
> I tend to view GRE tunnels like any other traffic. A tunnel to/from any of my customers is like any other traffic to/from those customers. However, a tunnel between two end-points, neither of which is on my network, is a form of third-party transit traffic and gets blocked when I figure out the new way they are doing it. I know, in theory you can encapsulate anything in anything.

Moreover, if IPSEC is in use, you can't even sniff.

.pm
participants (2)
- Perry E. Metzger
- Sean Donelan