Perhaps to combat this, unless I'm missing something, one could justifiably
deploy GRE filters with source & destination addresses of the exchange
What's the point of this? Wouldn't it make more sense to just run a
sniffer on the exchange fabric looking for such GRE tunnels and then
kick the offending parties out of the exchange? Seems to me this has
happened at least once at LINX.
It is a bit tricky figuring out exactly who can do the sniffing. There
are a lot of parties, and agreements, and handshakes floating around any
In the USA, a number of communications laws were written in the days
of Ma Bell. There was only one system, one network, one operator.
While the Ma Bell exception is huge, an operator can do almost (but
not quite) anything to protect its rights or property, it is unclear
exactly how it applies at a 'exchange-point' between multiple operators.
I feel sorry for the first FBI agent who has to serve a court order
at 1919 Gallows Road. Interesting enough, at other multi-carrier
meet-points, e.g. border crossing and trans-oceanic cable headends,
there is often a very oddly worded warning/no trespassing sign about
Presidential war powers and national defense installations.
But back to the current issue, Internet exchange points between
network providers. Can only the exchange point operator use the Ma Bell
exception? Can the exchange point operator do this only with the consent
of one or more of the attached carriers? Can an individual carrier monitor
addressed to them? What about broadcast traffic? Some providers have gone
so far as prohibit any modification to the infrastructure, but it is unclear
exactly what this means. Is it yet another one of the useless paragraphs
in the agreements? Most providers don't seem to show the same concern
when someone points 'default' at them, bringing the full arsenal of
debugging and monitoring tools to bear on tracking the source. OC3-MON
I tend to view GRE tunnels like any other traffic. A tunnel to/from any
of my customers is like any other traffic to/from those customers. However,
a tunnel between two end-points, neither of which is on my network, is a
form of third-party transit traffic and gets blocked when I figure out the
new way they are doing it. I know, in theory you can encapsulate anything
in anything. But even IP inside USENET still has the transitive property,
which is what concerns folks.
But like many problems on the Internet, it is often easier just to block
it than try to track down the source. If it is an honest issue, the
source will usually contact you in a while. And sometimes you can figure
out a better way of doing it. More often, you hear about the source
moving on to do the same thing to another provider until they block it.