Advisory - tunneling of IP at exchange points.


  As I said, this solution isn't for everyone. Some people do set a next-hop
self somewhere within their network, I would bet the majority.
If this is the case for you, you can at least prevent people you don't peer
from doing it. Blackhole the NAP LANs, and add valid statics for the
people you peer with.

This is possible but has other disadvantages. For instance, say you are
a non-peer of MCI, but reach MCI with an egress interface of your
IXP router (onto a 3rd party router). Let's say they reach MCI
through another IXP router (hardly unlikely). Then all traceroutes
from your IXP router will "*" out as MCI will have blackholed the
source address your traceroute has come from. Also it does not fix
the problem if it is a peer abusing your network (but very few
solutions do). What we tried to do was look at methods which only
hit the "illegal" traffic and had as little collateral damage as

However the most important thing probably isn't the suggested solutions,
just a heads up that it's out there, happening (or more accurately
was happening in at least one case). Once people know this, I'm
sure they'll all have their own imaginative and creative solutions
to fix this in a manner which best suits their network.
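
An added illustration, not part of the original message or anyone's router configuration: a small longest-prefix-match model of "blackhole the NAP LANs, and add valid statics for the people you peer with", which also shows the traceroute side effect raised in the reply. The addresses are constructed documentation prefixes, and the names `build_table`, `lookup` and `classify` are hypothetical.

```python
import ipaddress

# Constructed addressing (RFC 5737 documentation prefix), not from the thread.
NAP_LAN = ipaddress.ip_network("192.0.2.0/24")   # the exchange-point LAN
PEERS = ["192.0.2.10", "192.0.2.20"]             # exchange addresses of your peers


def build_table(nap_lan, peers, next_hop="exchange-interface"):
    """Null-route the whole NAP LAN, then add one host static per peer."""
    table = [(nap_lan, "discard")]
    for peer in peers:
        table.append((ipaddress.ip_network(peer + "/32"), next_hop))
    return table


def lookup(table, dst):
    """Longest-prefix match: return the action for dst, or None if no route."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, action) for net, action in table if addr in net]
    if not matches:
        return None
    # The most specific prefix wins, so a peer /32 overrides the /24 discard.
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def classify(table, destinations):
    """Map each destination address to the action the table gives it."""
    return {dst: lookup(table, dst) for dst in destinations}


if __name__ == "__main__":
    table = build_table(NAP_LAN, PEERS)
    samples = [
        "192.0.2.10",    # peer: host static wins, still reachable
        "192.0.2.77",    # non-peer on the same LAN: falls into the discard
        "198.51.100.1",  # off the NAP LAN: not covered by this table
    ]
    for dst, action in classify(table, samples).items():
        print(f"{dst:15} -> {action}")
    # Side effect from the reply: traceroute responses addressed to the
    # non-peer's exchange address (192.0.2.77) are discarded, so a traceroute
    # sourced from that address shows "*" for hops inside this network.
```
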