Programmatic way to answer, "Who is sending me this stuff?"
If I receive some traffic at an IX peering router interface, I might want to know how I got it. If it is a stream of bad traffic I might want to ask my upstream peer to help turn it off.
How do I find out who did send it to me? If I capture a sample packet I could see the source MAC address. Now I have to identify who owns the device with that MAC.
Is there any guidance from the IX operators on how to do this?
I'm sure phone calls / emails to Ops teams are not cost effective for anyone.
A common programmatic method across IXes would suit my use-case admirably.
I'd like to hear from anybody who either has a method in an IX, or who would like a method to exist.
Regards
Steve
Steve Nash CEng MIET | Consultant Engineer EMEA
Arbor Networks
+44 7720 291359 (m)
http://www.arbornetworks.com/
Hello,
On 09/09/2015 01:13 PM, snash wrote:
> If I receive some traffic at an IX peering router interface, I might want to know how I got it.
> How do I find out who did send it to me? If I capture a sample packet I could see the source MAC address. Now I have to identify who owns the device with that MAC.
There is no unified method for doing what you want apart from the above that would work on all IXPs.
Some IXPs enforce a policy that their members have to use certain pre-determined MAC addresses. Here's an example: (scroll to bottom)
http://www.trex.fi/service/unicast.html
There are also some IXPs that use an SDN core where they are able to filter L2 traffic based on either IRR registered peering relationships or actual BGP negotiated routes. I remember seeing nice presentations about these at Euro-IX Fora, but I couldn't quickly find information about them in the wild.
Both of the above examples are rare and both have problems which hinder their real world adoption.
-- Aleksi Suhonen
() ascii ribbon campaign /\ support plain text e-mail
Aleksi
Thank you for the TREX document. It would certainly help traceback if all parties adopted locally administered MAC addresses like this. I encourage all IX's to consider this as at least a recommendation to members.
Of course, the IX itself has visibility via its switches, but members do not see that information so easily. So this would be advice to members themselves for their own (mutual) benefit. It certainly has less overhead than creating additional databases.
Regards
Steve
------ Original Message ------
From: "Aleksi Suhonen" <ripe-ml-2015@ssd.axu.tm>
To: "snash" <snash@arbor.net>
Cc: connect-wg@ripe.net
Sent: 10/09/2015 11:20:18
Subject: Re: [connect-wg] Programmatic way to answer, "Who is sending me this stuff?"
Hello,
On 09/09/2015 01:13 PM, snash wrote:
> If I receive some traffic at an IX peering router interface, I might want to know how I got it.
> How do I find out who did send it to me? If I capture a sample packet I could see the source MAC address. Now I have to identify who owns the device with that MAC.
There is no unified method for doing what you want apart from the above that would work on all IXPs.
Some IXPs enforce a policy that their members have to use certain pre-determined MAC addresses. Here's an example: (scroll to bottom)
http://www.trex.fi/service/unicast.html
There are also some IXPs that use an SDN core where they are able to filter L2 traffic based on either IRR registered peering relationships or actual BGP negotiated routes. I remember seeing nice presentations about these at Euro-IX Fora, but I couldn't quickly find information about them in the wild.
Both of the above examples are rare and both have problems which hinder their real world adoption.
-- Aleksi Suhonen
() ascii ribbon campaign /\ support plain text e-mail
On 9 September 2015 at 11:13, snash <snash@arbor.net> wrote:
> If I receive some traffic at an IX peering router interface, I might want to know how I got it. If it is a stream of bad traffic I might want to ask my upstream peer to help turn it off.
> How do I find out who did send it to me? If I capture a sample packet I could see the source MAC address. Now I have to identify who owns the device with that MAC.
On my peering router I look at the “ARP table”, it's a magical thing that lists layer 2 MAC addresses and the corresponding layer 3 IP address. Whilst not many IX's provide real time lists of member MACs (as members change hardware or ports on hardware, move links between IX edge devices etc) the IPs are usually (always?) manually assigned by the IX so they are fully known to which member they are in use by, at any given time. [1]
> Is there any guidance from the IX operators on how to do this?
As above, I've not seen an IX that doesn't distribute the IPs manually so by giving them the IP they can tell me straight away (if it isn't listed in the members portal, which at LINX for example, it is!). Another option is looking through PeeringDB through the existing MySQL interface or new API in version 2 of the site.
> I'm sure phone calls / emails to Ops teams are not cost effective for anyone.
If I called an IXP I was present at and asked them to trace a MAC address through the MAC tables of their devices, and they couldn't, we have a much bigger problem than a bit of unwanted traffic. We have clowns running an IXP!
> A common programmatic method across IXes would suit my use-case admirably.
> I'd like to hear from anybody who either has a method in an IX, or who would like a method to exist.
I must be missing the point because this doesn't seem like a major issue, or am I spoilt in the UK and the IXPs here are just way better than everywhere else? [2]
Cheers,
James,
[1] Any IX not limiting the number of MAC addresses per port (and doing ARP inspection if possible) is asking for trouble.
[2] When I say “way better”, I mean being able to look at MAC tables and find a port that originates a MAC address, would be the minimum requirement to be better than "shit".
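The lookup described in the message above (source MAC, to ARP/neighbour entry, to IX-assigned IP, to member) as an added example that is not code from any poster in this thread. The neighbour table text, MAC addresses and member records are constructed, and the member record field names are assumptions standing in for whatever an IX member portal or PeeringDB export provides.

```python
import ipaddress
import re

# Constructed sample: neighbour table of a peering router in Linux `ip neigh show` format.
ARP_TABLE = """\
192.0.2.10 dev eth1 lladdr 02:00:5e:00:53:0a REACHABLE
192.0.2.20 dev eth1 lladdr 02:00:5e:00:53:14 STALE
2001:db8::20 dev eth1 lladdr 02:00:5e:00:53:14 REACHABLE
192.0.2.30 dev eth1 FAILED
"""

# Constructed member list keyed by the addresses the IX assigned (field names are assumptions).
MEMBERS = [
    {"asn": 64500, "member": "Example Net A", "ipaddr4": "192.0.2.10", "ipaddr6": "2001:db8::10"},
    {"asn": 64501, "member": "Example Net B", "ipaddr4": "192.0.2.20", "ipaddr6": "2001:db8::20"},
]

def norm_mac(mac):
    """Reduce aa:bb:.., aabb.ccdd.eeff or AA-BB-.. notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_neigh(text):
    """Map normalised MAC -> set of IP addresses the router has resolved to it."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" not in fields:
            continue  # FAILED/INCOMPLETE entries carry no MAC
        ip = ipaddress.ip_address(fields[0])
        mac = norm_mac(fields[fields.index("lladdr") + 1])
        table.setdefault(mac, set()).add(ip)
    return table

def who_sent(src_mac, neigh_text=ARP_TABLE, members=MEMBERS):
    """Return sorted (asn, member) pairs whose IX-assigned address resolves to src_mac.

    An empty list means the MAC is not tied to any assigned peering address in the
    router's table, which is the case to raise with the IX operator.
    """
    ips = parse_neigh(neigh_text).get(norm_mac(src_mac), set())
    by_ip = {}
    for m in members:
        for key in ("ipaddr4", "ipaddr6"):
            if m.get(key):
                by_ip[ipaddress.ip_address(m[key])] = (m["asn"], m["member"])
    return sorted({by_ip[ip] for ip in ips if ip in by_ip})
```

The source MAC can be passed in whatever notation the capture tool printed, for example `who_sent("0200.5E00.5314")`.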
participants (3)
- Aleksi Suhonen
- James Bensley
- snash