CHIX operates two route servers with the following configuration:
| Route server 1 | Route server 2 |
| --- | --- |
| ASN: 212100 | ASN: 212100 |
| IPv4: 184.108.40.206 | IPv4: 220.127.116.11 |
| IPv6: 2001:7f8:cc:333::254 | IPv6: 2001:7f8:cc:333::253 |
| System: FreeBSD + Bird 2.0.7 | System: OpenBSD + OpenBGPd |
The configuration is generated using Arouteserver and data taken from PeeringDB (https://www.peeringdb.com/ix/2365). If you are a member and would like to peer with the route servers, you need to check the "Route Server" box there.
BGP sessions default configuration
- Passive sessions are configured toward neighbors.
- GTSM (Generalized TTL Security Mechanism – RFC5082) is disabled on sessions toward the neighbors.
- ADD-PATH capability (RFC7911) is not negotiated by default.
Route server general behaviour
- Route server ASN is not prepended to the AS_PATH of routes announced to clients (RFC7947 section 18.104.22.168).
- Route server does not implement path-hiding mitigation techniques (RFC7947 section 2.3.1).
Default filtering policy
- The route server verifies that the NEXT_HOP attribute of routes received from a client matches the IP address of the client itself.
- Routes whose AS_PATH is longer than 32 ASNs are rejected.
- The left-most ASN in the AS_PATH of any route announced to the route server must be the ASN of the announcing client.
- Routes whose AS_PATH contains private or invalid ASNs are rejected.
- Routes with an AS_PATH containing one or more "never via route-servers" networks' ASNs are rejected. The list of "never via route-servers" networks' ASNs is generated from PeeringDB.
IRRDBs prefix/origin ASN enforcement
- Origin ASN validity is enforced. Routes whose origin ASN is not authorized by the client’s AS-SET are rejected.
- Announced prefixes validity is enforced. Routes whose prefix is not part of the client’s AS-SET are rejected.
- Route validity state is signalled to route server clients using the following BGP communities:
| Function | Standard | Extended | Large |
| --- | --- | --- | --- |
| Prefix is included in client's AS-SET | None | None | 212100:65530:1 |
| Prefix is NOT included in client's AS-SET | None | None | 212100:65530:2 |
| Origin ASN is included in client's AS-SET | None | None | 212100:65530:3 |
| Origin ASN is NOT included in client's AS-SET | None | None | 212100:65530:4 |
| Prefix matched by a RPKI ROA for the authorized origin ASN | None | None | 212100:65530:5 |
| Prefix matched by an entry of the ARIN Whois DB dump | None | None | 212100:65530:6 |
| Prefix matched by an entry of the NIC.BR Whois DB dump | None | None | 212100:65530:7 |
| Route authorized solely because of a client white list entry | None | None | 212100:65530:8 |
RPKI BGP Prefix Origin Validation
- RPKI BGP Prefix Origin Validation of routes received by the route server is enabled.
- When an INVALID route is received by the route server, it is rejected.
- RPKI ROAs are fetched from the RIPE RPKI Validator format cache files at https://rpki-validator.ripe.net/api/export.json and https://rpki.gin.ntt.net/api/export.json. The following Trust Anchors are used: APNIC RPKI Root, AfriNIC RPKI Root, ARIN RPKI Root, LACNIC RPKI Root, RIPE NCC RPKI Root, apnic, afrinic, arin, lacnic, ripe.
Min/max prefix length
- Only prefixes whose length is in the following range are accepted by the route server:
  - IPv4: 8-24
  - IPv6: 12-48
- Bogon prefixes are rejected.
- IPv6 prefixes are accepted only if part of the IPv6 Global Unicast space 2000::/3.
Announcement control via BGP communities
- Routes tagged with the NO_EXPORT or NO_ADVERTISE communities received by the route server are propagated to other clients with those communities unaltered.
| Function | Standard | Extended | Large |
| --- | --- | --- | --- |
| Do not announce to any client | None | None | 212100:0:212100 |
| Announce to peer, even if tagged with the previous community | None | None | 212100:1:peer_as |
| Do not announce to peer | 0:peer_as | None | 212100:0:peer_as |
| Prepend the announcing ASN once to peer | None | None | 212100:65511:peer_as |
| Prepend the announcing ASN twice to peer | None | None | 212100:65512:peer_as |
| Prepend the announcing ASN thrice to peer | None | None | 212100:65513:peer_as |
| Prepend the announcing ASN once to any | None | None | 212100:65501:212100 |
| Prepend the announcing ASN twice to any | None | None | 212100:65502:212100 |
| Prepend the announcing ASN thrice to any | None | None | 212100:65503:212100 |
- The following values are used to identify the reason for which routes are rejected. This is mostly used for troubleshooting, internal reporting purposes or in the route server log files.
| Code | Reason |
| --- | --- |
| 0 | Generic code: the route must be treated as rejected |
| 1 | Invalid AS_PATH length |
| 2 | Prefix is bogon |
| 3 | Prefix is in global blacklist |
| 6 | Invalid left-most ASN |
| 7 | Invalid ASN in AS_PATH |
| 8 | Transit-free ASN in AS_PATH |
| 9 | Origin ASN not in IRRDB AS-SETs |
| 10 | IPv6 prefix not in global unicast space |
| 11 | Prefix is in client blacklist |
| 12 | Prefix not in IRRDB AS-SETs |
| 13 | Invalid prefix length |
| 14 | RPKI INVALID route |
| 15 | Never via route-servers ASN in AS_PATH |
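A member can pre-check announcements against the static rules under "Default filtering policy" and "Min/max prefix length" and see which reject code from the table above would apply. This is an added example, not CHIX's or Arouteserver's code. The function name `precheck`, the check order, the invalid-ASN ranges and the sample routes are assumptions.

```python
import ipaddress

# Reject codes from the table on this page.
INVALID_AS_PATH_LEN, INVALID_LEFTMOST_ASN, INVALID_ASN = 1, 6, 7
NOT_GLOBAL_UNICAST, INVALID_PREFIX_LEN = 10, 13

# Assumption: the page does not define "private or invalid" ASNs; these are
# the IANA reserved, documentation and private-use ranges.
BAD_ASN_RANGES = [(0, 0), (23456, 23456), (64496, 131071),
                  (4200000000, 4294967295)]
PREFIX_LEN = {4: (8, 24), 6: (12, 48)}  # accepted ranges stated on the page
V6_GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")


def precheck(prefix, as_path, client_asn):
    """Return the reject code these static checks would give, or None.

    The order of checks is an assumption. Bogon, IRRDB, RPKI and NEXT_HOP
    checks need external data and are not modelled here.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if len(as_path) > 32:
        return INVALID_AS_PATH_LEN
    if not as_path or as_path[0] != client_asn:
        return INVALID_LEFTMOST_ASN
    if any(lo <= asn <= hi for asn in as_path for lo, hi in BAD_ASN_RANGES):
        return INVALID_ASN
    lo, hi = PREFIX_LEN[net.version]
    if not lo <= net.prefixlen <= hi:
        return INVALID_PREFIX_LEN
    if net.version == 6 and not net.subnet_of(V6_GLOBAL_UNICAST):
        return NOT_GLOBAL_UNICAST
    return None


# Constructed samples: client AS 1234 and AS 5678 are placeholders, and the
# documentation prefixes would be caught by the real bogon filter.
SAMPLES = [
    ("192.0.2.0/24", [1234], 1234),        # passes the static checks
    ("192.0.2.0/25", [1234], 1234),        # longer than /24
    ("192.0.2.0/24", [5678, 1234], 1234),  # left-most ASN is not the client
    ("192.0.2.0/24", [1234, 64512], 1234), # private ASN in the path
    ("fc00::/40", [1234], 1234),           # outside 2000::/3
    ("192.0.2.0/24", [1234] * 33, 1234),   # AS_PATH longer than 32
]

if __name__ == "__main__":
    for prefix, path, client in SAMPLES:
        print(prefix, len(path), precheck(prefix, path, client))
```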