<div dir="ltr"><p style="margin:0px 0px 1em;padding:0px;border:0px;font-size:14px;vertical-align:baseline;clear:both;color:rgb(0,0,0);font-family:Arial,'Liberation Sans','DejaVu Sans',sans-serif;line-height:18px">
Hi guys,</p><p style="margin:0px 0px 1em;padding:0px;border:0px;font-size:14px;vertical-align:baseline;clear:both;color:rgb(0,0,0);font-family:Arial,'Liberation Sans','DejaVu Sans',sans-serif;line-height:18px">
Right now I have a quagga router, but I'm open to switching to bird if it makes sense and helps me with my problem below.<br></p><p style="margin:0px 0px 1em;padding:0px;border:0px;font-size:14px;vertical-align:baseline;clear:both;color:rgb(0,0,0);font-family:Arial,'Liberation Sans','DejaVu Sans',sans-serif;line-height:18px">
My router has two transit neighbors and is announcing my own IP space. I recently joined a public peering exchange (IXP), so I'm part of their local network (/24), together with all other participants. So far everything works fine.</p>
<p style="margin:0px 0px 1em;padding:0px;border:0px;font-size:14px;vertical-align:baseline;clear:both;color:rgb(0,0,0);font-family:Arial,'Liberation Sans','DejaVu Sans',sans-serif;line-height:18px">Now, for security, I wonder whether other participants could not simply route all their outgoing traffic through me. For example, what happens if another participant points a default route at my IXP IP? If I understand correctly, all outgoing traffic from that participant would then go to my router, which would route it to the internet using my transit uplink, right?</p>
<p style="margin:0px 0px 1em;padding:0px;border:0px;font-size:14px;vertical-align:baseline;clear:both;color:rgb(0,0,0);font-family:Arial,'Liberation Sans','DejaVu Sans',sans-serif;line-height:18px">So I wonder if I have to take any measures against it. My ideas are:</p>
<ol style="margin:0px 0px 1em 30px;padding:0px;border:0px;font-size:14px;vertical-align:baseline;list-style-position:initial;color:rgb(0,0,0);font-family:Arial,'Liberation Sans','DejaVu Sans',sans-serif;line-height:18px">
<li style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent"><p style="margin:0px 0px 1em;padding:0px;border:0px;vertical-align:baseline;background-color:transparent;clear:both">Set up firewall (iptables) rules so that only traffic with a destination in my own IP space is accepted from other IXP participants. Drop any other traffic from IXP participants.</p>
</li><li style="margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:transparent"><p style="margin:0px 0px 1em;padding:0px;border:0px;vertical-align:baseline;background-color:transparent;clear:both">
Somehow make quagga use a different kernel routing table for each neighbor (or peer-group). The routing table for the IXP neighbors would not contain any entries except for my own IP space, so no routing via my IP transit uplinks would occur. Looking at the output of <code style="margin:0px;padding:1px 5px;border:0px;vertical-align:baseline;background-color:rgb(238,238,238);font-family:Consolas,Menlo,Monaco,'Lucida Console','Liberation Mono','DejaVu Sans Mono','Bitstream Vera Sans Mono','Courier New',monospace,serif">ip rule show</code>, it seems quagga is not doing this automatically? Would bird do this automatically?</p>
</li></ol><p style="margin:0px 0px 1em;padding:0px;border:0px;font-size:14px;vertical-align:baseline;clear:both;color:rgb(0,0,0);font-family:Arial,'Liberation Sans','DejaVu Sans',sans-serif;line-height:18px">
Am I on the right track? How do other routers like bird or hardware routers (Cisco, Juniper, ...) deal with this problem?</p><p style="margin:0px 0px 1em;padding:0px;border:0px;font-size:14px;vertical-align:baseline;clear:both;color:rgb(0,0,0);font-family:Arial,'Liberation Sans','DejaVu Sans',sans-serif;line-height:18px">
Thank you for any help!</p><p style="margin:0px 0px 1em;padding:0px;border:0px;font-size:14px;vertical-align:baseline;clear:both;color:rgb(0,0,0);font-family:Arial,'Liberation Sans','DejaVu Sans',sans-serif;line-height:18px">
Alessandro</p></div>
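<p>Idea 1 from the message above, worked out as an added example that is not part of the original post or of quagga/bird: a small POSIX shell script that generates an nftables ruleset which forwards packets arriving on the IXP interface only when their destination is one of the prefixes you announce there, and counts, logs and drops everything else (such as a neighbour's traffic following a default route pointed at your IXP address). The interface name <code>ixp0</code> and the prefixes are assumed example values.</p>

```shell
#!/bin/sh
# Added example, not part of the original message: generate an nftables
# ruleset that implements idea 1 from the post. Packets arriving on the IXP
# interface are forwarded only when their destination lies in one of our own
# announced prefixes; anything else (e.g. a neighbour pointing a default
# route at our IXP address) is counted, logged and dropped.
# Interface name and prefixes are assumptions (RFC 5737/3849 example ranges).

# emit_set NAME ipv4_addr|ipv6_addr PREFIX...  -> one nft interval set
emit_set() {
    name=$1; type=$2; shift 2
    printf '    set %s {\n        type %s\n        flags interval\n' "$name" "$type"
    if [ $# -gt 0 ]; then
        list=$(printf '%s, ' "$@"); list=${list%, }   # "a, b, c"
        printf '        elements = { %s }\n' "$list"
    fi
    printf '    }\n'
}

# gen_ixp_filter IFACE "V4 PREFIXES" "V6 PREFIXES"  -> complete ruleset on stdout
# Every prefix you announce at the IXP (your own and your customers') must be
# listed here, otherwise legitimate peer traffic to it is dropped as well.
gen_ixp_filter() {
    iface=$1
    printf 'table inet ixp_ingress {\n'
    emit_set own4 ipv4_addr $2      # unquoted on purpose: split on spaces
    emit_set own6 ipv6_addr $3
    cat <<EOF
    chain forward {
        # forward hook only: BGP sessions and pings to the router itself
        # arrive via the input hook and are not touched by these rules
        type filter hook forward priority 0; policy accept;
        iifname "$iface" ip daddr @own4 accept
        iifname "$iface" ip6 daddr @own6 accept
        iifname "$iface" counter log prefix "ixp-transit-abuse: " drop
    }
}
EOF
}

# Run with arguments to emit a ruleset (nft -c only syntax-checks, nft -f loads):
#   sh ixp_filter.sh ixp0 "192.0.2.0/24 198.51.100.0/24" "2001:db8::/32" | nft -c -f -
if [ $# -ge 2 ]; then
    gen_ixp_filter "$1" "$2" "${3:-}"
fi
```

The counter on the drop rule doubles as a detection point: a rising count after loading the ruleset means some participant is already sending you traffic for destinations you never announced.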