IXP peering lan reachability
Following up on Andrea's presentation earlier (for the record, ripe75, apwg session #1, tuesday morning), there aren't compelling reasons for the RIPE NCC to get involved in whether an IXP announces their peering LAN prefix into the DFZ. It's really a matter of local policy for the ixp as to whether they want this to happen, and if a prefix is announced into the dfz, this doesn't make any statement one way or another about what the prefix is used for. Lots of IXPs announce their peering lan netblocks and many others choose not to. The reasons for announcing relate mostly to debugging and problem diagnosis, e.g. ping / traceroute. We know of several IXP members at various INEX LANs who use external reachability checking services to monitor their service's uptime, which is a good thing to do and they see a benefit from this, and they particularly don't want to see this benefit going away. Regarding traceroute, the udp/icmp replies can be dropped if the network you're tracing from has uRPF enabled, which makes problem diagnosis troublesome. The reason most IXPs don't announce their peering LANs relates to protecting against DDoS attacks. Although we've had occasional DDoS attacks launched against our infrastructures in the past, we have not had service-affecting problems as a result. If a service affecting problem happens, we can announce the blocks with no-export or no-announce, which would reduce the blast radius - or we could completely drop the announcement, if that didn't work. We're aware that the experience at other IXPs - especially larger IXPs - can be different, but given that announcing the blocks provides useful telemetry and diagnosis capabilities, and we've not had problems in the last, we don't see any particular reason to stop announcing the range. The risk/return ratio doesn't justify it. The experiences of other IXPs may be different regarding ddos problems, but many (most?) organisations connected to IXPs use "redistribute connected" to inject the peering LAN prefix into their IGPs, and the largest IXPs have visibility to most of the Internet prefixes, so in practice, not announcing the blocks makes less difference to DDoS than it might appear. I'd politely suggest that this is an area that the RIPE NCC should not get involved in, especially from the point of view of implicitly issuing recommended practice by implying that there is a problem with doing this. The IXP associations are better placed to gather consensus for creating best practices, and there is no general consensus in the IXP community on this issue. As regards using this as a metric for determining whether an ixp address assignment is being used for legitimate purposes, I'd suggest that this is of only marginal use at best. By all means run a port scan to see if there is any obvious mis-use (e.g. services listening on www/smtp/etc), but the presence or absence of the route in the dfz doesn't mean anything one way or another. Nick CTO, INEX
I'd politely suggest that this is an area that the RIPE NCC should not get involved in, especially from the point of view of implicitly issuing recommended practice by implying that there is a problem with doing this. The IXP associations are better placed to gather consensus for creating best practices, and there is no general consensus in the IXP community on this issue.
Full agreement with Nick, the (controlled) announcement or otherwise of an IXP prefix is not a registry policy issue. Cheers, Rob
On 24 Oct 2017, at 14:18, Rob Evans <rhe@nosc.ja.net> wrote:
Full agreement with Nick, the (controlled) announcement or otherwise of an IXP prefix is not a registry policy issue.
Cheers, Rob
Another +1 here with Nick’s email. There are good reasons to not announce the peering LAN prefix, but there are also good reasons to announce it. In the AMS-IX case, we have so many networks connected that: 1. Customers announce it inadvertently anyhow 2. Since 1. is the operational reality (which is unrealistic to stop anytime soon, if ever), we prefer (also) announcing it ourselves, in the hopes that traffic at least goes through its “legitimate" originator. From my point of view, RIPE could offer reasons for both options, as to educate in the matter, contributing in a way so IXPs can make an informed decision. Kind regards, Aris AMS-IX
Hi, On Tue, Oct 24, 2017 at 10:41:49AM +0100, Nick Hilliard wrote:
As regards using this as a metric for determining whether an ixp address assignment is being used for legitimate purposes, I'd suggest that this is of only marginal use at best. By all means run a port scan to see if there is any obvious mis-use (e.g. services listening on www/smtp/etc), but the presence or absence of the route in the dfz doesn't mean anything one way or another.
The *absence* of the route is a very strong indicator that no other services than directly peering-related are sitting on that network, no? Gert -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
Gert Doering wrote:
The *absence* of the route is a very strong indicator that no other services than directly peering-related are sitting on that network, no?
or that the holder is squatting the space, or that it's being used for connectivity which is unrelated to the standard DFZ (e.g. l3vpn p2p addressing), or that it's just not being used at that time, or... By all means, the RIPE NCC should flag things as a problem if it sees server farms configured on an assigned ixp range, or sees traceroutes ending up in residential customer, or whatever, but the presence or absence of a prefix in the dfz, per se, does not mean anything. Nick
Hi, On Tue, 24 Oct 2017, Nick Hilliard wrote:
Gert Doering wrote:
The *absence* of the route is a very strong indicator that no other services than directly peering-related are sitting on that network, no?
or that the holder is squatting the space, or that it's being used for connectivity which is unrelated to the standard DFZ (e.g. l3vpn p2p addressing), or that it's just not being used at that time, or...
By all means, the RIPE NCC should flag things as a problem if it sees server farms configured on an assigned ixp range, or sees traceroutes ending up in residential customer, or whatever, but the presence or absence of a prefix in the dfz, per se, does not mean anything.
I understand it as a simple clue. Clues sometimes lead nowhere... Btw, is the NCC already monitoring this address space's usage somehow? (i may have missed this bit from Andrea's presentation, i didn't catch it from the beginning). Or we are simply relying on stat.ripe.net, atlas, and the like...? Cheers, Carlos
Nick
Hi Carlos, On 24/10/2017 13:12, Carlos Friaças wrote:
On Tue, 24 Oct 2017, Nick Hilliard wrote:
Gert Doering wrote:
The *absence* of the route is a very strong indicator that no other services than directly peering-related are sitting on that network, no?
or that the holder is squatting the space, or that it's being used for connectivity which is unrelated to the standard DFZ (e.g. l3vpn p2p addressing), or that it's just not being used at that time, or...
By all means, the RIPE NCC should flag things as a problem if it sees server farms configured on an assigned ixp range, or sees traceroutes ending up in residential customer, or whatever, but the presence or absence of a prefix in the dfz, per se, does not mean anything.
I understand it as a simple clue. Clues sometimes lead nowhere...
Btw, is the NCC already monitoring this address space's usage somehow? (i may have missed this bit from Andrea's presentation, i didn't catch it from the beginning).
Yes, we are monitoring the address space from the /16 reserved for IXPs peering LANs. When we see that one of the ranges is being announced, we contact the holder, reminding them the address space can only be used to run an IXP peering LAN, and that other uses are forbidden by policy. Usually the holder of the address space has indeed started using the IP range for other services, as they are often not aware of the policy in place. I hope this clarifies, Andrea Cima RIPE NCC
On Tue, 24 Oct 2017, Nick Hilliard wrote: (...)
I'd politely suggest that this is an area that the RIPE NCC should not get involved in, especially from the point of view of implicitly issuing recommended practice by implying that there is a problem with doing this. The IXP associations are better placed to gather consensus for creating best practices, and there is no general consensus in the IXP community on this issue.
As regards using this as a metric for determining whether an ixp address assignment is being used for legitimate purposes, I'd suggest that this is of only marginal use at best. By all means run a port scan to see if there is any obvious mis-use (e.g. services listening on www/smtp/etc), but the presence or absence of the route in the dfz doesn't mean anything one way or another.
Nick CTO, INEX
+1. I only have some doubts about running (regular) portscans. Cheers, Carlos
participants (6)
-
Andrea Cima
-
Aris Lambrianidis
-
Carlos Friaças
-
Gert Doering
-
Nick Hilliard
-
Rob Evans