Hello NANOG,
Just curious if anyone is performing MAC Address Filtering at any of
the Ethernet Exchange Points. If so has it been found to be easy to
administer or difficult where by peers may be changing Layer 3 devices
or Interfaces without notice? Alternately is MAC Address Filtering
considered an unneeded security measure?
Thanks,
Dave
I'm aware that Juniper GigE interfaces support a mac-filter-list. I'm
not well versed on which versions of Cisco router products support this
well (and line rate), but I didn't think GSRs and 7xxx had any support for
this. Are the L2/L3 family (65xx, 76xx) able to handle mac-filters at
line rate w/o a slow path?
I too would be interested in knowing if folks perform mac-filtering.
Certainly there are other measures you can take as well, such as scripting
some default-pointing traceroute checks, to check both peers and non-peers
on an IXP fabric. These have been documented at various times, and Avi
at one point posted some form of this to Nanog (moons ago...search archives).
My impression of "best practices" would be to:
1. implement mac-filter or mac-counters to prevent
any illegally statically routed non-peer traffic.
2. implement traceroute scripts to check that peers are
not defaulting any partial transit thru you.
Feedback welcome 
Cheers,
-Lane
I would be planning deploy it on the Juniper Platforms and it appears
that at least the 4 port FE PICs support it as well. I would imagine
(without actually investigating it) you could do some sort of port
security on the 65xx/76xx platform though.
Primarily I am questioning whether it would be scalable in the long
term or whether it would become more trouble than what it would be
worth.
Also while Deepak pointed out that you could perform line rate packet
filtering only allowing packets to valid destinations on your network,
this would only stop someone defaulting you but would not stop someone
repointing next hop to valid destinations on your network.
-Dave
Lane Patterson wrote:
"Also while Deepak pointed out that you could perform line rate packet
filtering only allowing packets to valid destinations on your network,
this would only stop someone defaulting you but would not stop someone
repointing next hop to valid destinations on your network."
Besides politics, and QoS issues, is the latter scenario worth wasting
management time on?
I always thought that the biggest concern for most networks was a "peer"
defaulting to you such that your interface would then forward the packet to
its final destination [ostensibly a peer of yours at the same IX, but
potentially across your network first].
I would think that if you did mac address exclusion [mac addresses of those
you don't peer with] and ingress destination filtering a large percentage of
the problem would vanish.
Then again, if you are just doing mac address exclusion, it doesn't really
keep someone from changing their mac address in software as often as they
please.
If you did inclusion filtering [only those on the allow list] then anytime
someone swaps a card, you lose a peer.
Hmmm.
I guess that's the whole point of private cross connects.
Deepak Jain
AiNET