Routing and security

Alessandro Brega alessandro.brega1 at gmail.com
Tue Dec 3 13:04:03 CET 2013


Hi guys,

right now I have a quagga router, but I'm open to switching to bird if it
makes sense and helps me with my problem below.

My router has two transit neighbors and announces my own IP space. I
recently joined a public peering exchange (IXP) and so I'm part of their
local network (/24), together with all other participants. So far
everything works fine.

Now for security I wonder if other participants could not simply route all
their outgoing traffic through me? For example what happens if any other
participant would point a default route to my IXP ip. If I understand
correctly all outgoing traffic from that participant would then go to my
router which would route it to the internet using my transit uplink, right?

So I wonder if I have to take any measures against it. My ideas are:

   1. Set up firewall (iptables) rules so that only traffic with a destination
      of my own IP space is accepted from other IXP participants. Drop any other
      traffic from IXP participants.

   2. Somehow make quagga use a different kernel routing table for each
      neighbor (or peer-group). The routing table for the IXP neighbors would not
      contain any entries except for my own IP space and so no routing using my
      ip transit uplinks would occur. Looking at the output of ip rule shows
      quagga is not doing this automatically? Would bird do this automatically?

Am I on the right track? How do other routers like bird or hardware routers
(cisco, juniper, ..) deal with this problem?

Thank you for any help!

Alessandro
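The two ideas in the post, written out as Linux commands, as an added example that is not part of the original message and not BIRD's or Quagga's own code. Interface names, the internal next hop and all prefixes are assumptions (RFC 5737 documentation ranges): eth1 faces the IXP LAN, 192.0.2.0/24 is the router's own announced space and 10.0.0.2 is the internal gateway towards it. The functions only print the commands; the real router would run them as root.

```shell
#!/bin/sh
# Constructed example: ingress policy for an IXP-facing interface on a Linux router.
# Assumed values (not from the post): IXP interface, own prefix, internal next hop.
IXP_IF=eth1
OWN_PREFIX=192.0.2.0/24
INTERNAL_NEXTHOP=10.0.0.2
IXP_TABLE=100

# Idea 1 (firewall): packets that arrive on the IXP interface may only be
# forwarded when their destination is one of our own prefixes. The final
# rule drops everything else, so a peer that points a default route at our
# IXP address cannot reach the transit uplinks through this box.
# BGP sessions, ARP and pings to the router itself are not affected: those
# packets are delivered locally (INPUT chain) and never traverse FORWARD.
# Usage: ixp_forward_rules <iface> <prefix> [<prefix> ...]
ixp_forward_rules() {
    ifc=$1; shift
    for p in "$@"; do
        printf 'iptables -A FORWARD -i %s -d %s -j ACCEPT\n' "$ifc" "$p"
    done
    printf 'iptables -A FORWARD -i %s -j DROP\n' "$ifc"
}

# Idea 2 (policy routing): packets entering via the IXP interface are looked
# up in a dedicated table that holds only our own prefixes plus an
# "unreachable" default, so the main table (which carries the transit default
# route) is never consulted for them. The kernel's "local" table is still
# checked first (rule priority 0), so traffic addressed to the router's own
# IXP address keeps working.
# Usage: ixp_policy_routing <iface> <table-id> <internal-nexthop> <prefix> [<prefix> ...]
ixp_policy_routing() {
    ifc=$1; table=$2; nexthop=$3; shift 3
    for p in "$@"; do
        printf 'ip route add %s via %s table %s\n' "$p" "$nexthop" "$table"
    done
    printf 'ip route add unreachable default table %s\n' "$table"
    printf 'ip rule add iif %s lookup %s priority 1000\n' "$ifc" "$table"
}

# Print the full plan; pass --apply to execute it instead (needs root).
ixp_plan() {
    ixp_forward_rules "$IXP_IF" "$OWN_PREFIX"
    ixp_policy_routing "$IXP_IF" "$IXP_TABLE" "$INTERNAL_NEXTHOP" "$OWN_PREFIX"
}

if [ "${1:-}" = "--apply" ]; then
    ixp_plan | sh -e
else
    ixp_plan
fi
```

Either measure alone closes the hole described in the post; running both gives defence in depth, since a mistake in one layer (a forgotten prefix in the iptables list, or a flushed rt_table) is still caught by the other. Whichever is used, the list of own prefixes has to be kept in step with what the router announces at the IXP.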