Versions Compared
Note: While the BGP Route Server service is made available as a convenience, it is strongly recommended that, in addition to any sessions you plan to establish with the BGP Route Servers, you still maintain direct bilateral peering sessions with peers that you feel are important to your network! BGP Route Servers should be used to pick up quick/easy/additional peers only, and not as a replacement for your discrete peering policy! In particular, there are many peers that advertise only a subset of their prefixes to the BGP Route Server. Always aim for a bilateral session!
There are two separate BGP route servers on each peering LAN. It is recommended to always peer with both BGP Route Servers at a location, as sessions to both servers ensure that there is no disruption to your routing should it be necessary to perform maintenance. The Route Servers do not peer with each other, so peering with only one server is an unnecessary risk.
Warning: Ensure that if you do plan on peering with the BGP Route Servers, you understand that the BGP-RS does not attach its ASN to outbound BGP messages. Please implement the IOS "no bgp enforce-next-as" (or IOS-XR "enforce-first-as disable"), or appropriate equivalent, for your platform.
INX | ASN | Hostname | Type | IPv4 | IPv6 |
---|---|---|---|---|---|
JINX | 37700 | routeserver1.jinx.net.za | BIRD | 196.223.14.1 | 2001:43f8:1f0::1 |
JINX | 37700 | routeserver2.jinx.net.za | BIRD | 196.223.14.2 | 2001:43f8:1f0::2 |
CINX | 37701 | routeserver1.cinx.net.za | BIRD | 196.223.22.1 | 2001:43f8:1f1::1 |
CINX | 37701 | routeserver2.cinx.net.za | BIRD | 196.223.22.2 | 2001:43f8:1f1::2 |
DINX | 37699 | routeserver1.dinx.net.za | BIRD | 196.223.30.1 | 2001:43f8:1f2::1 |
DINX | 37699 | routeserver2.dinx.net.za | BIRD | 196.223.30.2 | 2001:43f8:1f2::2 |
Tip: We recommend that you set the BGP max-prefix to the BGP-RS to 100,000 prefixes for IPv4 and 50,000 prefixes for IPv6.
Filtering policy and process
INX has always believed in filtering and we filter all client sessions to the BGP-RS service. We encourage peers to keep their IRR objects accurate to help us to autogenerate these filters.
- Filters are built based on IRRDB registered objects.
- Filter generation happens automatically at 04h00 SAST daily.
- We search the AfriNIC, RADB and RIPE registries (in that order).
- We permit more specific (longer match) paths for IPv4, but not for IPv6. (Note: we will soon perform only exact match filtering!)
- Some prefixes are automatically filtered by the route servers (e.g. bogons and martians).
- We do not accept BGP announcements from private ASNs.
BGP Communities for policy control
A simple set of BGP communities is made available for rudimentary policy control. These will be expanded as the BGP Route Server service is enhanced.
Note: The communities example below applies to peers using the JINX route servers. Substitute the appropriate ASN for each INX when using the BGP route servers at other INXes.
Community | Action | Explanation |
---|---|---|
0:peer-asn | deny to peer-asn | block announcement of prefix to peer-as |
0:37700 | block all | block announcement of prefix to all peers |
37700:peer-asn | allow to peer-asn | announce prefix to specific peer-as (in conjunction with block all) |
37700:37700 | allow all | announce prefix to all peers (implicit default) |
We honour the well-known no-export and no-advertise communities as if they were sent to us as a regular peer. If you would specifically like us to propagate these, then please tag as below:
Community | Action | Explanation |
---|---|---|
37700:65281 | add no-export | adds the well known no-export community to all routes sent to peers |
37700:65282 | add no-advertise | adds the well known no-advertise community to all routes sent to peers |
BGP Large Community Support for policy control
Community | Action | Explanation |
---|---|---|
37700:0:peer-asn | deny to peer-asn | block announcement of prefix to peer-asn |
37700:1:0 | block all | block announcement of prefix to all peers |
37700:0:peer-asn | allow to peer-as | announce prefix to specific peer-as (in conjunction with block all) |
37700:1:0 | allow all | announce prefix to all peers (implicit default) |
Individual network filtering
Tip: The BGP route servers do not add their own ASN in the advertised path, so if you're planning on constructing a filter list to filter the BGP route servers, do not use the BGP route servers' ASN in the path!
We do not yet publish a route object for the route-servers. We will add that in the future, so, for now, please reach out to the Ops team to see how to do this most efficiently.
Prefixes auto-filtered by the Route Servers
For the overall safety and security of our participants, we actively filter the following prefixes at the Route Servers. That is, advertisements from peers containing the following networks will be dropped and not announced onward.
```
martians = [
    10.0.0.0/8+,
    100.64.0.0/10+,
    127.0.0.0/8+,
    169.254.0.0/16+,
    172.16.0.0/12+,
    192.0.0.0/24,
    192.0.2.0/24,
    192.168.0.0/16+,
    198.18.0.0/24,
    198.51.100.0/24,
    203.0.113.0/24,
    224.0.0.0/4+,
    240.0.0.0/4+,
    0.0.0.0/32-,
    0.0.0.0/0{25,32},
    0.0.0.0/0{0,7}
];
```
Two versions of the IPv6 list appear in this comparison. The version written with explicit prefix-length ranges:

```
martians = [
    0000::/8{8,128},          # loopback, unspecified, v4-mapped
    0064:ff9b::/96{96,128},   # IPv4-IPv6 Translat. [RFC6052]
    0100::/8{8,128},          # reserved for Discard-Only Address Block [RFC6666]
    0200::/7{7,128},          # Reserved by IETF [RFC4048]
    0400::/6{6,128},          # Reserved by IETF [RFC4291]
    0800::/5{5,128},          # Reserved by IETF [RFC4291]
    1000::/4{4,128},          # Reserved by IETF [RFC4291]
    2001::/32{33,128},        # Teredo prefix [RFC4380]
    2001:0002::/48{48,128},   # Benchmarking [RFC5180]
    2001:0003::/32{32,128},   # Automatic Multicast Tunneling [RFC7450]
    2001:10::/28{28,128},     # Deprecated ORCHID [RFC4843]
    2001:20::/28{28,128},     # ORCHIDv2 [RFC7343]
    2001:db8::/32{32,128},    # documentation purpose [RFC3849]
    2002::/16{17,128},        # 6to4 prefix [RFC3068]
    3ffe::/16{16,128},        # used for the 6bone but was returned [RFC5156]
    4000::/3{3,128},          # Reserved by IETF [RFC4291]
    5f00::/8{8,128},          # used for the 6bone but was returned [RFC5156]
    6000::/3{3,128},          # Reserved by IETF [RFC4291]
    8000::/3{3,128},          # Reserved by IETF [RFC4291]
    a000::/3{3,128},          # Reserved by IETF [RFC4291]
    c000::/3{3,128},          # Reserved by IETF [RFC4291]
    e000::/4{4,128},          # Reserved by IETF [RFC4291]
    f000::/5{5,128},          # Reserved by IETF [RFC4291]
    f800::/6{6,128},          # Reserved by IETF [RFC4291]
    fc00::/7{7,128},          # Unique Local Unicast [RFC4193]
    fe80::/10{10,128},        # Link Local Unicast [RFC4291]
    fec0::/10{10,128},        # Reserved by IETF [RFC3879]
    ff00::/8{8,128}           # Multicast [RFC4291]
];
```

The version written with `+` notation:

```
martians = [
    ::/0,                 # Default (can be advertised as a route in BGP to peers if desired)
    ::/96,                # IPv4-compatible IPv6 address - deprecated by RFC4291
    ::/128,               # Unspecified address
    ::1/128,              # Local host loopback address
    ::ffff:0.0.0.0/96+,   # IPv4-mapped addresses
    ::224.0.0.0/100+,     # Compatible address (IPv4 format)
    ::127.0.0.0/104+,     # Compatible address (IPv4 format)
    ::0.0.0.0/104+,       # Compatible address (IPv4 format)
    ::255.0.0.0/104+,     # Compatible address (IPv4 format)
    0000::/8+,            # Pool used for unspecified, loopback and embedded IPv4 addresses
    0200::/7+,            # OSI NSAP-mapped prefix set (RFC4548) - deprecated by RFC4048
    3ffe::/16+,           # Former 6bone, now decommissioned
    2001:db8::/32+,       # Reserved by IANA for special purposes and documentation
    2002:e000::/20+,      # Invalid 6to4 packets (IPv4 multicast)
    2002:7f00::/24+,      # Invalid 6to4 packets (IPv4 loopback)
    2002:0000::/24+,      # Invalid 6to4 packets (IPv4 default)
    2002:ff00::/24+,      # Invalid 6to4 packets
    2002:0a00::/24+,      # Invalid 6to4 packets (IPv4 private 10.0.0.0/8 network)
    2002:ac10::/28+,      # Invalid 6to4 packets (IPv4 private 172.16.0.0/12 network)
    2002:c0a8::/32+,      # Invalid 6to4 packets (IPv4 private 192.168.0.0/16 network)
    fc00::/7+,            # Unicast Unique Local Addresses (ULA) - RFC 4193
    fe80::/10+,           # Link-local Unicast
    fec0::/10+,           # Site-local Unicast - deprecated by RFC 3879 (replaced by ULA)
    ff00::/8+,            # Multicast
    ::/0{49,128}          # Filter small prefixes
];
```