On 28 Jul 2015, at 10:21, Todd Dickason wrote:
> * Enforce router hygiene
>   * NZIX2 will block IGP, CDP, STP etc noise leaked by peers, by only allowing DIX Ethernet (Ethernet II) encapsulated frames and not LLC/SNAP frames
Great. I'm not sure we needed an SDN to enforce this, but each to their own.
>   * ARP, DHCP, PIM, ICMPv6 ND-RA etc broadcast and multicast messages will be blocked. We have an exception for ARP messages sourced from the exchange peering subnet and IPv6 ND (NB: IPv6 traffic is still not supported in this demo version)
"IPv6 traffic is still not supported"? It's 2015. Why is this even a thing?
> * Implement IETF BCP38
>   * Instead of relying on peers to implement BCP38, NZIX2 enforces it by only allowing traffic sourced from a prefix which has been registered on the NZIX2 portal to enter the exchange
> * Reflection attack mitigation
>   * switch ports are tied to prefixes and mac addresses so the exchange SDN switch will not accept traffic sourced from a prefix which is not supposed to be coming from this particular port, as registered on the NZIX2 portal
> * Prevent capacity stealing
>   * traffic is allowed on the exchange only if it's sourced/destined from/to a prefix that has been registered on the NZIX2 portal. This means that if a peer configures a static default route to an ISP that has the full internet routing table, his traffic destined to international prefixes will be dropped
The below is an extract from a message I sent to the IXAG list in April 2013:
Despite jumping up and down about the fact that there are plenty of networks on APE and/or WIX that are quite happy for their transit to be stolen, I must confess I'm a little bit on the fence as to whose problem this is to solve.
Certainly the exchange operator should protect the exchange itself. No ARP spoofing, one MAC per port, no proxy ARP, no non-IP packets, etc, etc. However, I tend to lean towards protection of member networks being up to each member.
This packet filtering based on advertised prefixes/prefixes in the portal thing is pretty new, and requires rather a different way of thinking compared to how other exchange points (and indeed "normal" switches) operate. We're already (in rev2!) at the point where we're disabling a lot of the network-network protection on bilateral sessions because we don't know the commercial relationships between member networks.
Recall recent discussion about trying to get Large International Content Providers into NZ. We want this to be easy as possible for them. These networks likely have defences that their operators deem sufficient to protect against badness. I wonder whether it could potentially discourage networks from participating on the exchange if it's deemed "too hard" compared to how they already operate at other exchanges.
Two years later, the only modification I'd make to the above text is to remove the ambiguity that responsibility for preventing abuse of member networks rests squarely with the member. Anything else is insanity, for a variety of reasons that have been done to death in various fora.

Cheers
-Mike
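The ingress rules Todd lists above (DIX-only frames, broadcast/multicast blocking with the ARP exception, port-to-prefix/MAC binding for BCP38 and reflection, and the "capacity stealing" destination check) modelled as a single filter function. This is an added illustration, not NZIX2's code; the port registry, MAC addresses and peering subnet are constructed assumptions.

```python
import ipaddress

# Constructed stand-in for the NZIX2 portal registry: port -> (bound MAC, registered prefixes).
REGISTRY = {
    1: ("aa:bb:cc:00:00:01", [ipaddress.ip_network("192.0.2.0/24")]),
    2: ("aa:bb:cc:00:00:02", [ipaddress.ip_network("198.51.100.0/24")]),
}
PEERING_SUBNET = ipaddress.ip_network("203.0.113.0/24")  # assumed exchange peering LAN
ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_mac(mac):
    """Broadcast or multicast: the I/G bit (low bit of the first octet) is set."""
    return int(mac.split(":")[0], 16) & 1 == 1


def registered_anywhere(addr):
    """True if addr falls inside any prefix registered on any exchange port."""
    return any(addr in p for _, prefixes in REGISTRY.values() for p in prefixes)


def filter_frame(port, src_mac, dst_mac, ethertype, src_ip, dst_ip=None):
    """Return 'accept' or 'drop: <reason>' for a frame entering the exchange on `port`.
    src_ip is the IP source address, or the sender protocol address for ARP."""
    # Router hygiene: 802.3 LLC/SNAP frames (IGP, CDP, STP noise) carry a length
    # field below 0x0600 where an Ethernet II frame carries its EtherType.
    if ethertype < 0x0600:
        return "drop: not Ethernet II"
    if port not in REGISTRY:
        return "drop: unregistered port"
    mac, prefixes = REGISTRY[port]
    if src_mac.lower() != mac:            # one bound MAC per port
        return "drop: MAC not bound to port"
    src = ipaddress.ip_address(src_ip)
    # Broadcast/multicast exception: ARP is allowed only from the peering subnet.
    if ethertype == ETHERTYPE_ARP:
        return "accept" if src in PEERING_SUBNET else "drop: ARP not from peering subnet"
    if is_group_mac(dst_mac):             # DHCP, PIM, ND-RA and friends
        return "drop: broadcast/multicast"
    if ethertype != ETHERTYPE_IPV4:       # the demo version carries IPv4 only
        return "drop: unsupported ethertype"
    # BCP38 / reflection mitigation: source must be registered on *this* port.
    if not any(src in p for p in prefixes):
        return "drop: source not registered on this port"
    # Capacity stealing: destination must be an exchange prefix, not a default route.
    if not registered_anywhere(ipaddress.ip_address(dst_ip)):
        return "drop: destination not an exchange prefix"
    return "accept"
```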