Note: Bi-lateral peering is considered best practice!

While the BGP Route Server service is made available as a convenience, it is strongly recommended that, in addition to any sessions you plan to establish with the BGP Route Servers, you still maintain direct bi-lateral peering sessions with peers that you feel are important to your network! BGP Route Servers should be used to pick up quick/easy/additional peers only, and not as a replacement for your discrete peering policy!

In particular, there are many peers that advertise only a subset of their prefixes to the BGP Route Server. Always aim for a bilateral session!


There are two separate BGP route servers on each peering LAN. It is recommended to always peer with both BGP Route Servers at a location, as sessions to both servers ensure that there is no disruption to your routing should it be necessary to perform maintenance. The Route Servers do not peer with each other, so peering with only one server is an unnecessary risk.


Warning: BGP next-as

Ensure that if you do plan on peering with the BGP Route Servers, you understand that the BGP-RS does not attach its ASN to outbound BGP messages.

Please implement the IOS "no bgp enforce-next-as" (or IOS-XR "enforce-first-as disable"), or appropriate equivalent, for your platform.


| INX | ASN | Hostname | Type | IPv4 | IPv6 |
|---|---|---|---|---|---|
| JINX | 37700 | routeserver1.jinx.net.za | BIRD | 196.223.14.1 | 2001:43f8:1f0::1 |
| JINX | 37700 | routeserver2.jinx.net.za | BIRD | 196.223.14.2 | 2001:43f8:1f0::2 |
| CINX | 37701 | routeserver1.cinx.net.za | BIRD | 196.223.22.1 | 2001:43f8:1f1::1 |
| CINX | 37701 | routeserver2.cinx.net.za | BIRD | 196.223.22.2 | 2001:43f8:1f1::2 |
| DINX | 37699 | routeserver1.dinx.net.za | BIRD | 196.223.30.1 | 2001:43f8:1f2::1 |
| DINX | 37699 | routeserver2.dinx.net.za | BIRD | 196.223.30.2 | 2001:43f8:1f2::2 |


Tip: Max-prefix
We recommend that you set the BGP max-prefix to the BGP-RS to 100,000 prefixes for IPv4 and 50,000 prefixes for IPv6.

Filtering policy and process

INX has always believed in filtering and we filter all client sessions to the BGP-RS service.  We encourage peers to keep their IRR objects accurate to help us to autogenerate these filters.  

  • Filters are built based on IRRDB registered objects.  
  • Filter generation happens automatically at 04h00 SAST daily.
  • We search the AfriNIC, RADB and RIPE registries (in that order).  
  • We permit more specific (longer match) paths for IPv4, but not for IPv6.   (Note:  we will soon perform only exact match filtering!)
  • Some prefixes are automatically filtered by the route servers (e.g. bogons and martians).
  • We do not accept BGP announcements from private ASNs.

BGP Communities for policy control

A simple set of BGP communities is made available for rudimentary policy control. These will be expanded on as the BGP Route Server service is enhanced.

Info: Remember to use the correct ASN
Note: The communities example below applies to peers using the JINX route servers. The appropriate ASN for each INX should be substituted when using the BGP route servers at other INXes.


| Community | Action | Explanation |
|---|---|---|
| 0:peer-asn | deny to peer-asn | block announcement of prefix to peer-as |
| 0:37700 | block all | block announcement of prefix to all peers |
| 37700:peer-asn | allow to peer-asn | announce prefix to specific peer-as (in conjunction with block all) |
| 37700:37700 | allow all | announce prefix to all peers (implicit default) |


We honour the well-known no-export and no-advertise communities as if they were sent to us as a regular peer.  If you would specifically like us to propagate these, then please tag as below: 

| Community | Action | Explanation |
|---|---|---|
| 37700:65281 | add no-export | adds the well known no-export community to all routes sent to peers |
| 37700:65282 | add no-advertise | adds the well known no-advertise community to all routes sent to peers |

BGP Large Community Support for policy control

| Community | Action | Explanation |
|---|---|---|
| 37700:0:peer-asn | deny to peer-asn | block announcement of prefix to peer-asn |
| 37700:0:0 | block all | block announcement of prefix to all peers |
| 37700:1:peer-asn | allow to peer-as | announce prefix to specific peer-as (in conjunction with block all) |
| 37700:1:0 | allow all | announce prefix to all peers (implicit default) |
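
The export decision that the standard and large community tables describe can be modelled as below. This is an added example, not INX's route server configuration; the function names, the sample peer ASNs (documentation ranges) and the evaluation order (per-peer deny, then per-peer allow, then block all) are assumptions.

```python
RS_ASN = 37700  # JINX route server ASN from the table; substitute 37701 or 37699 at CINX or DINX

def parse(tags):
    """Split 'a:b' and 'a:b:c' strings into sets of standard and large community tuples."""
    std, large = set(), set()
    for tag in tags:
        parts = tuple(int(p) for p in tag.split(":"))
        if len(parts) == 2 and all(0 <= p <= 0xFFFF for p in parts):
            std.add(parts)      # standard community: two 16-bit fields
        elif len(parts) == 3 and all(0 <= p <= 0xFFFFFFFF for p in parts):
            large.add(parts)    # large community: three 32-bit fields
        else:
            raise ValueError(f"not a valid standard or large community: {tag}")
    return std, large

def rs_announces_to(peer_asn, tags, rs_asn=RS_ASN):
    """True if a route carrying these tags would be announced to peer_asn."""
    std, large = parse(tags)
    # Assumed order: a deny aimed at this peer is checked first.
    if (0, peer_asn) in std or (rs_asn, 0, peer_asn) in large:
        return False
    # An allow aimed at this peer overrides "block all".
    if (rs_asn, peer_asn) in std or (rs_asn, 1, peer_asn) in large:
        return True
    if (0, rs_asn) in std or (rs_asn, 0, 0) in large:
        return False
    return True                 # implicit default: allow all

def announce_only_to(peers, rs_asn=RS_ASN):
    """Tags for 'block all, then allow these peers', in large form so 32-bit peer ASNs fit."""
    return [f"{rs_asn}:0:0"] + [f"{rs_asn}:1:{p}" for p in peers]

if __name__ == "__main__":
    tags = ["0:37700", "37700:64496"]            # constructed: only AS64496 should receive the route
    print(rs_announces_to(64496, tags), rs_announces_to(64497, tags))
    print(announce_only_to([65536]))             # constructed 32-bit peer ASN
```

A peer with a 32-bit ASN cannot be named in a standard community, so `parse` rejects a tag such as `0:65536` and the large community form has to be used for that peer.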


Individual network filtering

Tip: AS-Path Stripping

The BGP route servers do not add their own ASN in the advertised path, so if you're planning on constructing a filter list to filter the BGP route servers, do not use the BGP route servers' ASN in the path!

We do not yet publish a route object for the route-servers.  We will add that in the future, so, for now, please reach out to the Ops team to see how to do this most efficiently.

Route server Filters

If your prefix is filtered by the BGP-RS, we'll return one of the BGP communities below, that should help aid in the debugging process. (These go into effect on June 5 2019)

```
PREFIX_LEN_TOO_LONG      = ( routeserverasn, 1101, 1  )
PREFIX_LEN_TOO_SHORT     = ( routeserverasn, 1101, 2  )
BOGON                    = ( routeserverasn, 1101, 3  )
BOGON_ASN                = ( routeserverasn, 1101, 4  )
AS_PATH_TOO_LONG         = ( routeserverasn, 1101, 5  )
AS_PATH_TOO_SHORT        = ( routeserverasn, 1101, 6  )
FIRST_AS_NOT_PEER_AS     = ( routeserverasn, 1101, 7  )
NEXT_HOP_NOT_PEER_IP     = ( routeserverasn, 1101, 8  )
IRRDB_PREFIX_FILTERED    = ( routeserverasn, 1101, 9  )
IRRDB_ORIGIN_AS_FILTERED = ( routeserverasn, 1101, 10 )
PREFIX_NOT_IN_ORIGIN_AS  = ( routeserverasn, 1101, 11 )
RPKI_UNKNOWN             = ( routeserverasn, 1101, 12 )
RPKI_INVALID             = ( routeserverasn, 1101, 13 )
TRANSIT_FREE_ASN         = ( routeserverasn, 1101, 14 )
TOO_MANY_COMMUNITIES     = ( routeserverasn, 1101, 15 )
```

Prefixes auto-filtered by the Route Servers

For the overall safety and security of our participants, we actively filter the following prefixes at the Route Servers.  That is, advertisements from peers, containing the following networks, will be dropped, and not onward announced.

IPv4 prefixes filtered by the BGP-RS (RFC6890)

IPv6 prefixes filtered by the BGP-RS

```
        martians = [
                ::/0,                   # Default (can be advertised as a route in BGP to peers if desired)
                ::/96,                  # IPv4-compatible IPv6 address - deprecated by RFC4291
                ::/128,                 # Unspecified address
                ::1/128,                # Local host loopback address
                ::ffff:0.0.0.0/96+,     # IPv4-mapped addresses
                ::224.0.0.0/100+,       # Compatible address (IPv4 format)
                ::127.0.0.0/104+,       # Compatible address (IPv4 format)
                ::0.0.0.0/104+,         # Compatible address (IPv4 format)
                ::255.0.0.0/104+,       # Compatible address (IPv4 format)
                0000::/8+,              # Pool used for unspecified, loopback and embedded IPv4 addresses
                0200::/7+,              # OSI NSAP-mapped prefix set (RFC4548) - deprecated by RFC4048
                3ffe::/16+,             # Former 6bone, now decommissioned
                2001:db8::/32+,         # Reserved by IANA for special purposes and documentation
                2002:e000::/20+,        # Invalid 6to4 packets (IPv4 multicast)
                2002:7f00::/24+,        # Invalid 6to4 packets (IPv4 loopback)
                2002:0000::/24+,        # Invalid 6to4 packets (IPv4 default)
                2002:ff00::/24+,        # Invalid 6to4 packets
                2002:0a00::/24+,        # Invalid 6to4 packets (IPv4 private 10.0.0.0/8 network)
                2002:ac10::/28+,        # Invalid 6to4 packets (IPv4 private 172.16.0.0/12 network)
                2002:c0a8::/32+,        # Invalid 6to4 packets (IPv4 private 192.168.0.0/16 network)
                fc00::/7+,              # Unicast Unique Local Addresses (ULA) - RFC 4193
                fe80::/10+,             # Link-local Unicast
                fec0::/10+,             # Site-local Unicast - deprecated by RFC 3879 (replaced by ULA)
                ff00::/8+,              # Multicast
                ::/0{49,128}            # Filter small prefixes
        ];
```
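
To check whether one of your own IPv6 announcements would hit an entry in the martians list above, the following added example (not INX's code) evaluates a prefix against entries in that notation. It assumes BIRD prefix-set semantics, since the route servers are listed as BIRD: a bare entry matches exactly, `+` matches the prefix and everything more specific, and `{low,high}` matches by length range. The list is a subset of the page's entries and the test prefixes are constructed.

```python
import ipaddress
import re

# Subset of the IPv6 martians list above, same notation
MARTIANS_V6 = ["::/0", "::1/128", "2001:db8::/32+", "fc00::/7+",
               "fe80::/10+", "ff00::/8+", "::/0{49,128}"]

ENTRY = re.compile(r"^(?P<net>[^+{]+?)(?P<plus>\+)?(?:\{(?P<lo>\d+),(?P<hi>\d+)\})?$")

def compile_entry(entry):
    """Turn one prefix-set entry into (network, min_len, max_len)."""
    m = ENTRY.match(entry.strip())
    if m is None:
        raise ValueError(f"unrecognised prefix-set entry: {entry}")
    net = ipaddress.ip_network(m["net"], strict=False)
    if m["plus"]:                       # prefix and all more specifics
        return net, net.prefixlen, net.max_prefixlen
    if m["lo"] is not None:             # explicit length range
        return net, int(m["lo"]), int(m["hi"])
    return net, net.prefixlen, net.prefixlen   # exact match only

def matches(prefix, entry):
    net, lo, hi = compile_entry(entry)
    p = ipaddress.ip_network(prefix)
    if p.version != net.version or not lo <= p.prefixlen <= hi:
        return False
    # Compare only the leading bits both the entry and the prefix define.
    bits = min(net.prefixlen, p.prefixlen)
    shift = net.max_prefixlen - bits
    return int(p.network_address) >> shift == int(net.network_address) >> shift

def filtered_by(prefix, entries=MARTIANS_V6):
    """Return every entry that would cause the prefix to be dropped."""
    return [e for e in entries if matches(prefix, e)]

if __name__ == "__main__":
    for pfx in ["3fff:0:1::/48", "3fff:0:1::/49", "2001:db8:0:1::/64", "fd00:1234::/32"]:
        print(pfx, filtered_by(pfx))    # constructed test prefixes
```

The `::/0{49,128}` entry is why a /49 or longer is dropped even when its address space is otherwise acceptable, while the same space announced as a /48 passes this list.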

