Advisory - tunneling of IP at exchange points.

On Tue, 25 Nov 1997 at around 11:44:17,
"JS" == Jeff Swinton penned:

> Maybe I'm missing something, but couldn't you block this with routing
> as well? The attack seems to be based on the fact that your NAP routers have
> routes to other NAP LANs.

> Let's say you connect to just MAE-E and MAE-W. At MAE-E, add a route
> for the MAE-W network to null0. Do the opposite at MAE-W. While this may
> not work for everyone, it should work for the majority. It may also be more
> pleasant than adding filters to a high speed interface.

No - this would involve much more work than that.

Take the case of

(ME peers)---[ME router]======[MW router]------(MW peers)

all sitting inside the same AS. (put as many routers as you like in
between them or in other parts of your network - it still holds)

The next hop that "MW router" sees for a ME peer's route would be
the address of that peer *on the ME LAN*.

In general, any router that speaks iBGP needs to know a route to
every exit point of every other iBGP router. You /could/ do this
differently I suppose but it would be a ridiculous amount of work and
it would make debugging problems somewhat harder.

> Jeff Swinton

Cheers,

Lyndon Levesley
GX Networks

As I said, this solution isn't for everyone. Some people do set next-hop-self
somewhere within their network; I would bet the majority do.
If this is the case for you, you can at least prevent people you don't peer with
from doing it. Blackhole the NAP LANs, and add valid statics for the
people you peer with.

Jeff Swinton
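To make the two positions above concrete, here is an added example (written for this page, not by either poster) that models how the MW router resolves an iBGP route whose next hop sits on the ME LAN, first with the plain null0 route, then with next-hop-self plus a static for the peer. All addresses, prefixes and the "backbone" link name are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (placeholder addresses, not taken from the thread).
ME_LAN = ip_network("192.0.2.0/24")         # exchange LAN at "ME" (MAE-E in the thread)
ME_ROUTER = "10.0.0.1"                      # our ME router's loopback, reachable via IGP
ME_PEER = "192.0.2.50"                      # a peer we do exchange routes with on the ME LAN
ME_STRANGER = "192.0.2.77"                  # an ME LAN address of someone we do not peer with
PEER_PREFIX = ip_network("203.0.113.0/24")  # prefix the ME peer announces to us
BACKBONE = "backbone"                       # link from the MW router toward the ME router

def lookup(table, dest):
    """Longest-prefix match over a list of (prefix, next_hop_or_action)."""
    best = None
    for prefix, target in table:
        if ip_address(dest) in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, target)
    return best[1] if best else None

def mw_router(blackhole_me_lan, next_hop_self, static_for_peer):
    """Build the MW router's IGP/static table and its iBGP route under three knobs."""
    igp = [(ip_network(ME_ROUTER + "/32"), BACKBONE)]        # loopback learned via IGP
    igp.append((ME_LAN, "null0" if blackhole_me_lan else BACKBONE))
    if static_for_peer:
        igp.append((ip_network(ME_PEER + "/32"), BACKBONE))  # the "valid static" for a real peer
    # Without next-hop-self the iBGP next hop is the peer's address *on the ME LAN*.
    bgp = [(PEER_PREFIX, ME_ROUTER if next_hop_self else ME_PEER)]
    return igp, bgp

def forward(igp, bgp, dest):
    """Where the MW router sends a packet: IGP/static match first, else recursive BGP resolution."""
    direct = lookup(igp, dest)
    if direct is not None:
        return direct
    nh = lookup(bgp, dest)
    resolved = None if nh is None else lookup(igp, nh)
    return resolved if resolved is not None else "unreachable"

def outcomes(blackhole_me_lan, next_hop_self, static_for_peer):
    """Fate of three kinds of packets arriving at the MW router."""
    igp, bgp = mw_router(blackhole_me_lan, next_hop_self, static_for_peer)
    return {"to_peer_prefix": forward(igp, bgp, "203.0.113.9"),
            "to_stranger_on_me_lan": forward(igp, bgp, ME_STRANGER),
            "to_peer_on_me_lan": forward(igp, bgp, ME_PEER)}

if __name__ == "__main__":
    print("no filtering:             ", outcomes(False, False, False))
    print("null0 only (Lyndon's case):", outcomes(True, False, False))
    print("null0 + next-hop-self + static:", outcomes(True, True, True))
```

The middle case shows Lyndon's objection: the peer's prefix is blackholed because its next hop resolves to the null0 route; the last case shows Jeff's refinement, where only addresses on the ME LAN that belong to nobody you peer with are dropped.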
