Thread: Re: IX port security




2008-02-24 18:34:04
On Feb 24, 2008, at 6:12 PM, Greg VILLAIN wrote:
> On Feb 24, 2008, at 4:58 PM, Andy Davidson wrote:
>> On 23 Feb 2008, at 11:19, Greg VILLAIN wrote:
>>
>>> Thinking back about this thread we've had lately around IXes, I
>>> have some extra questions.
>>> It is I assume the IX's responsibility to protect members from
>>> harming each other through the peering LAN.
>>
>> That depends what you mean by protect.  Any IX participant must
>> remember that they're sharing an infrastructure with (by and large)
>> competitors, and that there are particular miscreant activities
>> that you as an IX participant must guard against, which your IX
>> operators can't completely protect you from (I'm thinking pointing
>> default, or attacks on port-facing router interfaces.)
>
> I've been thinking a lot about pointing defaults, I admit I think of
> any solution to avoid that...
> Anyone any idea ? (I was initially thinking making a route server
> mandatory would solve that, but it actually doesn't...)

There are many.  At the last NANOG peering BoF, a solution was
presented by Cisco, others were discussed, and we compared /
contrasted other vendors' solutions as well.

But hey, who wants a peering BoF any more....


> Got this idea of a member portal feature, where the IX member can
> record one or more MACs via the web interfaces. Then a robot can
> easily clear those on the port, read the new ones, compare to those
> provided on the web portal, and ultimately lock them.

Some IXes already do this.  Look at TorIX.

-- 
TTFN,
patrick
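
The compare step of the member-portal MAC check quoted above, as an added example that is not part of the original thread and is not any IX's own tooling. The port names, MAC addresses, the two-column "port mac" table format and the lock/alert/wait actions are all assumptions constructed for illustration.

```python
import re

def normalize_mac(text):
    """Reduce colon, hyphen or dotted MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[.:\-]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits

def parse_learned(table):
    """Parse constructed 'port mac' lines into {port: set of normalized MACs}."""
    learned = {}
    for line in table.splitlines():
        fields = line.split()
        if len(fields) == 2:
            learned.setdefault(fields[0], set()).add(normalize_mac(fields[1]))
    return learned

def audit_ports(registered, learned):
    """Compare portal registrations with learned MACs.

    Returns {port: (action, unexpected, missing)}. Hypothetical actions:
    'lock'  = every learned MAC is registered, safe to pin the port;
    'alert' = an unregistered MAC was learned, do not pin it;
    'wait'  = nothing learned yet, nothing to pin.
    """
    report = {}
    for port in sorted(set(registered) | set(learned)):
        allowed = {normalize_mac(m) for m in registered.get(port, [])}
        seen = learned.get(port, set())
        unexpected = sorted(seen - allowed)
        missing = sorted(allowed - seen)
        action = "alert" if unexpected else ("lock" if seen else "wait")
        report[port] = (action, unexpected, missing)
    return report

# Constructed sample data: what members typed into the portal ...
PORTAL = {
    "port1": ["02:00:00:00:00:01"],
    "port2": ["0200.0000.0002", "02-00-00-00-00-03"],
    "port3": ["02:00:00:00:00:04"],
}
# ... and what the switch learned after the ports were cleared.
LEARNED_TABLE = """
port1 0200.0000.0001
port2 0200.0000.0002
port2 02:00:00:aa:bb:cc
"""

if __name__ == "__main__":
    for port, result in audit_ports(PORTAL, parse_learned(LEARNED_TABLE)).items():
        print(port, *result)
```

Normalizing both sides before comparing matters because members and switches rarely use the same MAC notation; a port that has learned an unregistered address is flagged rather than locked, so the robot never pins an address the member did not record.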

