The dampening parameters have been adjusted to require four flaps before a prefix is
dampened, instead of the default of three flaps. A failed code upgrade can result in three
route flaps and a dampened prefix. The following sequence of events is an example of how
a failed code upgrade can result in dampened prefixes:
1. The router restarts to load new code.
2. The router crashes.
3. The router reloads on a previous version of code.
The maximum suppression time is 60 minutes for prefixes that are /24 or longer, 45 minutes
for /22 and /23, and 30 minutes for prefixes that are /21 or shorter.
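An added simulation (not code from the book) of why three flaps from a failed upgrade stay below the adjusted threshold while a fourth flap does not. It assumes the Cisco IOS penalty model of 1000 points per flap with exponential decay, the IOS default policy of 15 min half-life / 750 reuse / 2000 suppress / 60 min max-suppress, and a RIPE-229 style graded policy with a 3000 suppress limit; only the 60/45/30-minute max-suppress times come from the text.

```python
from math import log2

# Assumption: Cisco IOS adds 1000 penalty points per flap (IOS default).
PENALTY_PER_FLAP = 1000

# Policy tuples: (half_life_min, reuse_limit, suppress_limit, max_suppress_min).
# Assumption: IOS defaults are 15 min / 750 / 2000 / 60 min, which suppress on the third flap.
DEFAULT_POLICY = (15, 750, 2000, 60)


def graded_policy(prefix_len):
    """Policy keyed on prefix length. The 60/45/30-minute max-suppress times come from
    the text; the 3000 suppress limit (three 1000-point flaps stay below it) and the
    half-life/reuse values are assumed, following the RIPE-229 style recommendation."""
    if prefix_len >= 24:
        return (15, 750, 3000, 60)
    if prefix_len >= 22:
        return (15, 750, 3000, 45)
    return (10, 1500, 3000, 30)


def decay(penalty, minutes, half_life):
    """Exponential decay of the penalty: it halves every half_life minutes."""
    return penalty * 0.5 ** (minutes / half_life)


def simulate(flap_times_min, policy):
    """Apply flaps at the given minute offsets (ascending) under the policy.
    Returns (final_penalty, suppressed, suppress_minutes). A prefix is suppressed once
    its penalty exceeds the suppress limit and stays suppressed until the penalty decays
    below the reuse limit, capped at max_suppress_min."""
    half_life, reuse, suppress, max_suppress = policy
    penalty, last = 0.0, 0.0
    for t in flap_times_min:
        penalty = decay(penalty, t - last, half_life) + PENALTY_PER_FLAP
        last = t
    if penalty <= suppress:
        return penalty, False, 0.0
    minutes_to_reuse = half_life * log2(penalty / reuse)
    return penalty, True, min(minutes_to_reuse, max_suppress)


if __name__ == "__main__":
    upgrade = [0, 2, 4]  # constructed: restart, crash, reload two minutes apart
    for label, flaps in (("3 flaps", upgrade), ("4 flaps", upgrade + [6])):
        p, s, m = simulate(flaps, graded_policy(24))
        print(f"/24 {label}: penalty={p:.0f} suppressed={s} for {m:.1f} min")
    p, s, m = simulate(upgrade, DEFAULT_POLICY)
    print(f"default policy, 3 flaps: penalty={p:.0f} suppressed={s} for {m:.1f} min")
```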
Public Peering Security Concerns
Public peering points are a potential area of abuse by unethical network administrators. By
manipulating routing information, it is possible to redirect traffic over other providers'
networks. It is also possible to build tunnels over another provider's network, creating a
virtual backbone circuit that offloads traffic from the offending ISP's network onto the
unsuspecting peer.
This section describes the three most common abuses and the measures an ISP can take to
prevent the theft of network resources:
Pointing default
Third-party next hop
GRE tunneling
Pointing Default
The simplest method of peering point abuse is originating a default route into the ISP
network from the peering router at the NAP. The default route at the NAP is pointed to
another ISP. Traffic is then sent to the ISP's NAP router and to the unsuspecting ISP. This
is shown in Figure 9-6.
In Figure 9-6, ISP1 points its default route at ISP2 on the NAP router. Traffic sent to the
NAP router at ISP2 is unwittingly treated as transit traffic by ISP2. ISP1 can receive free
transit over Fast Ethernet. This scenario is most common when ISP1 is much smaller than
ISP2, because the link to the NAP is cheaper than a transit connection.
The solution is not to carry full BGP routes on the NAP router. If ISP2 carries only
customer routes on the NAP router, the traffic sent from ISP1 to ISP2 is black-holed,
because ISP2 has no route for those destinations. A default route on the NAP router to null0
should also be configured to prevent any routing loops. However, traffic destined for ISP2's
customers is still delivered.