[afnog] UIXP routing problem

Bill Woodcock woody at pch.net
Mon Mar 10 16:28:16 UTC 2014


On Mar 10, 2014, at 7:04 AM, Mark Tinka <mark.tinka at seacom.mu> wrote:

> On Monday, March 10, 2014 04:00:36 PM Kyle Spencer wrote:
> 
>> So, the best solution is to apply for a second /24? That
>> seems wasteful. Is there no other way? :)
> 
> Although preferred, you don't have to apply for a second 
> allocation. You can take hosted services from an existing 
> provider within Uganda, who has good connectivity to the 
> exchange point.
> 
> The reason you won't find LAN address space of exchange 
> points on the Internet is to, inter alia, reduce attack 
> surface area.

Just seconding Mark here…  It has always been the global best practice to use separate address blocks for IXP services and peering.  And while there was still debate about the second issue, whether peering subnets should be globally reachable, up until a year or so ago, some serious DDoS attacks against IXPs resolved that one, and as Mark says, the danger of doing so is now recognized.  You’ll find PCH’s discussion of this best practice at the end of the L3 section of the IXP policy template:

https://wiki.pch.net/pch:public:ixp-policy-document#layer_3_participant_technical_requirements

                                -Bill
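One way to audit the practice described in this thread, as an added example that is not part of the original message: given a dump of globally visible routes, flag any announcement that makes the IXP peering LAN reachable. The prefixes (documentation ranges), AS numbers, and function names are constructed for illustration and are not UIXP's or PCH's.

```python
import ipaddress

# Constructed sample values (documentation ranges), not any real IXP's prefixes.
PEERING_LAN = ipaddress.ip_network("192.0.2.0/24")  # assumed IXP peering subnet

# Constructed (prefix, AS path) pairs, as might be exported from a route collector.
SAMPLE_ROUTES = [
    ("198.51.100.0/24", [64500, 64496]),  # separate services block: fine to see globally
    ("192.0.2.0/24", [64501, 64499]),     # the peering LAN itself
    ("192.0.2.128/25", [64502]),          # more-specific inside the peering LAN
    ("192.0.0.0/22", [64503]),            # aggregate that covers the peering LAN
    ("203.0.113.0/24", [64504]),          # unrelated prefix
    ("2001:db8::/32", [64505]),           # other address family
    ("0.0.0.0/0", [64506]),               # default route, says nothing specific
]


def classify(prefix, lan=PEERING_LAN):
    """Return how a route relates to the peering LAN, or None if it does not expose it."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != lan.version or net.prefixlen == 0:
        return None  # different family, or a default route
    if net == lan:
        return "exact"
    if net.subnet_of(lan):
        return "more-specific"
    if net.supernet_of(lan):
        return "covering"
    return None


def find_leaks(routes, lan=PEERING_LAN):
    """List (prefix, relation, origin AS) for every route that reaches the peering LAN."""
    findings = []
    for prefix, as_path in routes:
        relation = classify(prefix, lan)
        if relation:
            origin = as_path[-1] if as_path else None  # origin AS is last in the path
            findings.append((prefix, relation, origin))
    return findings


if __name__ == "__main__":
    for prefix, relation, origin in find_leaks(SAMPLE_ROUTES):
        print(f"peering LAN exposed by {prefix} ({relation}), origin AS{origin}")
```
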



