There was a problem loading the comments.

Is it safe to peer with the INX BGP route servers?

Support Portal  »  Knowledgebase  »  Viewing Article

  Print

Yes! We place high emphasis on filtering and security. INX-ZA maintains strict IRR filters for all route servers peers, as we well as performing checks against, and discarding RPKI invalid ROAs, and using sane max-prefix filters for all peers.

When we setup your port, we would have pulled in the max-prefix number that you would want entered into PeeringDB, and added 20% extra to that, to allow for growth. Once a week, we look through peers that are at an 80% threshold and advise them of this, and ask if we should increase our max-prefix for the peer.

If we do not find a valid IRR object for a prefix, we will filter that prefix from the set of routes, that we provide via our route server peering. Additionally, we flag this exception and publish a list of filtered routes for each peer to evaluate (and hopefully fix) on the INX portal. We rebuild our filter set automatically, every 4h starting at 0h40, so, if you do find yourself being filtered, it's really quite easy to have this rectified within the day.

Our route servers also filter out other common networks that should not be visible in the Internet routing table, like martians.

Here's the set of martian prefixes that we filter:
martians = [
0.0.0.0/32-, # rfc5735 Special Use IPv4 Addresses
0.0.0.0/0{25,32}, # Filter small prefixes
0.0.0.0/0{0,7}, # rfc1122 Requirements for Internet Hosts -- Communication Layers 3.2.1.3
10.0.0.0/8+, # rfc1918 Address Allocation for Private Internets
100.64.0.0/10+, # rfc6598 IANA-Reserved IPv4 Prefix for Shared Address Space
127.0.0.0/8+, # rfc1122 Requirements for Internet Hosts -- Communication Layers 3.2.1.3
169.254.0.0/16+, # rfc3927 Dynamic Configuration of IPv4 Link-Local Addresses
172.16.0.0/12+, # rfc1918 Address Allocation for Private Internets
192.0.0.0/24+, # rfc6890 Special-Purpose Address Registries
192.0.2.0/24+, # rfc5737 IPv4 Address Blocks Reserved for Documentation
192.168.0.0/16+, # rfc1918 Address Allocation for Private Internets
198.18.0.0/15+, # rfc2544 Benchmarking Methodology for Network Interconnect Devices
198.51.100.0/24+, # rfc5737 IPv4 Address Blocks Reserved for Documentation
203.0.113.0/24+, # rfc5737 IPv4 Address Blocks Reserved for Documentation
224.0.0.0/4+, # rfc1112 Host Extensions for IP Multicasting
240.0.0.0/4+ # rfc6890 Special-Purpose Address Registries
];

martians = [
::/0, # Default (can be advertised as a route in BGP to peers if desired)
::/96, # IPv4-compatible IPv6 address - deprecated by RFC4291
::/128, # Unspecified address
::1/128, # Local host loopback address
::ffff:0.0.0.0/96+, # IPv4-mapped addresses
::224.0.0.0/100+, # Compatible address (IPv4 format)
::127.0.0.0/104+, # Compatible address (IPv4 format)
::0.0.0.0/104+, # Compatible address (IPv4 format)
::255.0.0.0/104+, # Compatible address (IPv4 format)
0000::/8+, # Pool used for unspecified, loopback and embedded IPv4 addresses
0200::/7+, # OSI NSAP-mapped prefix set (RFC4548) - deprecated by RFC4048
3ffe::/16+, # Former 6bone, now decommissioned
2001:db8::/32+, # Reserved by IANA for special purposes and documentation
2002:e000::/20+, # Invalid 6to4 packets (IPv4 multicast)
2002:7f00::/24+, # Invalid 6to4 packets (IPv4 loopback)
2002:0000::/24+, # Invalid 6to4 packets (IPv4 default)
2002:ff00::/24+, # Invalid 6to4 packets
2002:0a00::/24+, # Invalid 6to4 packets (IPv4 private 10.0.0.0/8 network)
2002:ac10::/28+, # Invalid 6to4 packets (IPv4 private 172.16.0.0/12 network)
2002:c0a8::/32+, # Invalid 6to4 packets (IPv4 private 192.168.0.0/16 network)
fc00::/7+, # Unicast Unique Local Addresses (ULA) - RFC 4193
fe80::/10+, # Link-local Unicast
fec0::/10+, # Site-local Unicast - deprecated by RFC 3879 (replaced by ULA)
ff00::/8+, # Multicast
::/0{49,128} # Filter small prefixes
];


Finally, we also filter out prefixes from networks that are known to not peers with route servers, thus preventing accidental route leaks.

TRANSIT_ASNS = [ 174, # Cogent
209, # Qwest
701, # UUNET
702, # UUNET
1239, # Sprint
1299, # Telia
2914, # NTT Communications
3257, # GTT Backbone
3320, # Deutsche Telekom AG (DTAG)
3356, # Level3
3549, # Level3
3561, # Savvis / CenturyLink
5511, # Orange opentransit
6453, # Tata Communications
6762, # Seabone / Telecom Italia
7018 ]; # AT&T

Share via
Thank you for your feedback on this article.

Related Articles

© INX-ZA