[afnog] route in rib, not in fib - why? SOLVED
Mark Tinka
mtinka at globaltransit.net
Thu Jun 26 04:04:15 UTC 2008
On Wednesday 25 June 2008 05:31:08 pm Frank Habicht wrote:
> Hi all,
>
> Yes. Philip is spot on.
> All your assumptions (including about my stupidity) are
> right.
>
> But I have to admit thanks to earlier private mails from
> Nishal and Randy I got the right idea already. And it
> wasn't the first time....

Glad to hear this was sorted out!

As Philip has stressed, iBGP and the next-hop-self attribute
are highly recommended.

> Mark: they don't do BGP with upstream. They're $enduser
> with a /27 (and no IGP).

If I had to get very paranoid, I'd "suspect" the upstream of
trying to reach the exchange point members over their
customer's link - whether the traffic would have any hope
of getting back is another issue, but that's if I had to be
paranoid :-).

Seriously, though, at least have them put some anti-spoofing
filters in place - it's good practice for all edge/peering
routers.

> So more scary thing regarding stealing transit is that
> default route on their IXP-peering router....
> acl..... what acl????

Well, the default route is probably being used to provide
internal reachability between the box and their NOC,
perhaps (there's no real reason for it to be there, unless
they are selling transit at the exchange point).

Replacing that with an IGP (perhaps a more specific static
route, in case an IGP isn't feasible now) would help
minimize any potential risk.

That said, if they have a decent-enough upstream, bandwidth
theft should be thwarted with good anti-spoofing filters
installed on the transit side... but that's if they employ
any :-).

Cheers,
Mark.
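
Added example (not part of the original message): a small Python model of the two mitigations discussed above, showing how a default route on the IXP-peering router lets a peer's packet reach the upstream, and how either a more-specific static route or a source filter on the transit side stops it. All prefixes, addresses and interface names (`uplink`, `ixp`, `lan`) are constructed assumptions, not values from the thread.

```python
import ipaddress as ip

# Constructed values (documentation/benchmark ranges), not taken from the thread.
CUSTOMER_NET = ip.ip_network("192.0.2.0/27")    # stands in for the end user's /27
NOC_NET = ip.ip_network("192.0.2.64/29")        # hypothetical NOC subnet
IXP_LAN = ip.ip_network("198.51.100.0/24")      # hypothetical exchange LAN
PEER_SRC, INET_DST = "203.0.113.10", "198.18.0.1"  # IXP peer host, off-net destination

BASE = [(IXP_LAN, "ixp"), (CUSTOMER_NET, "lan")]
FIB_DEFAULT = BASE + [(ip.ip_network("0.0.0.0/0"), "uplink")]  # default route present
FIB_STATIC = BASE + [(NOC_NET, "uplink")]                      # more-specific static only

def lookup(fib, dst):
    """Longest-prefix match; returns the egress interface, or None (no route, drop)."""
    dst = ip.ip_address(dst)
    matches = [(net, ifc) for net, ifc in fib if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def upstream_accepts(src):
    """Anti-spoofing filter on the transit side: only the customer's own sources pass."""
    return ip.ip_address(src) in CUSTOMER_NET

def transit_leak(fib, src, dst, upstream_filters):
    """True if a packet received from an IXP peer ends up carried by the upstream."""
    if lookup(fib, dst) != "uplink":
        return False                      # peering router has no route: dropped here
    return not upstream_filters or upstream_accepts(src)

if __name__ == "__main__":
    for name, fib in (("default route", FIB_DEFAULT), ("NOC static", FIB_STATIC)):
        for filt in (False, True):
            leak = transit_leak(fib, PEER_SRC, INET_DST, filt)
            print(f"{name:13} upstream filter={filt!s:5} leak={leak}")
    # The static route still provides the NOC reachability the default was there for.
    print("NOC via:", lookup(FIB_STATIC, "192.0.2.66"))
```
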