Technical Requirements @DE-CIX India Internet Exchanges

I. GENERAL PROVISIONS

1. Overview, scope of application

This document contains the Technical Service Description (TSD) for the GlobePEER product. This TSD is part of the DE-CIX INTERWIRE contractual framework for domestic internet access.

This TSD shall apply only to the GlobePEER product. The GlobePEER product may, however, be a prerequisite for other DE-CIX INTERWIRE services. This document contains only technical specifications and documentation. Please consult the GlobePEER SLA for service levels.

2. Amendment

This document may be revised and amended at any time pursuant to the provisions of the DE-CIX INTERWIRE INTERNET SERVICES PVT LTD (in the following called the DE-CIX INTERWIRE) Agreement.

3. Product Prerequisites

The GlobePEER Product requires the following DE-CIX INTERWIRE products for its normal operation:

4. Applicable standards

Members' use of the DE-CIX INTERWIRE network shall at all times conform to the relevant standards as laid out in STD0001 and associated Internet STD documents.

II. DATA LINK-LAYER CONFIGURATION

1. Bandwidth

The bandwidth of the GlobePEER product must be explicitly configured if the agreed bandwidth for GlobePEER differs from the bandwidth of the access or bundle of aggregated accesses, on which the GlobePEER product is used.

2. Frame types

The following general policies shall apply:

| Frame type (ether types) | Policy | Enforcement |
|---|---|---|
| 0x0800 – IPv4, 0x0806 – ARP, 0x86dd – IPv6 | Allow | - |
| All other types | Allow | Strict – all frames other than allowed types are dropped |

3. MAC address configuration

All frames forwarded to the GlobePEER service shall have the same source MAC address.

4. Broadcast/Multicast Traffic

The following policies shall apply to broadcast/multicast traffic:

| Protocol | Policy | Enforcement |
|---|---|---|
| Broadcast ARP (excluding proxy ARP), multicast IPv6 Neighbor Discovery (ND) | Allowed, but rate limited to 1000 kbps | - |
| All other types, i.e. including, but not limited to: IRDP; ICMP redirects; IEEE 802 Spanning Tree; vendor proprietary discovery protocols (e.g. CDP); interior routing protocol broad/multicasts (e.g. OSPF, IS-IS, IGRP, EIGRP); BOOTP/DHCP; PIM-SM; PIM-DM; DVMRP | Discard | Discarded, unless specifically allowed |

III. IP LAYER CONFIGURATION (ISO/OSI LAYER 3)

1. Interface configuration

| Parameter | Policy | Remarks |
|---|---|---|
| IP addresses (IPv4, IPv6) including subnet mask for your interfaces | IPv4 required | At least the IPv4 address has to be configured |
| All other types | Allow | Strict – all frames other than allowed types are dropped |
| IPv6 addresses (link-local & global scope) | No auto-configuration | All IPv6 addresses must be explicitly configured |
| IPv6 address (site-local) | Not allowed | IPv6 site-local addresses must not be used |
| Standard MTU | Fixed size | Standard IP MTU size must be explicitly set to 1500 bytes, unless explicitly agreed in writing. |

2. Routing configuration

The customer system’s routing configuration shall include the following policies/settings:

| Parameter | Policy | Remarks |
|---|---|---|
| BGP Version | v. 4 only | - |
| AS numbers | Public only | No AS numbers allowed from ranges reserved for private use across the entire DE-CIX INTERWIRE network. |
| Multiple ASN | Allow | Members may use more than one ASN for their DE-CIX INTERWIRE peering provided that each ASN presented shares the same NOC and peering contact details. |
| Route advertising | Maximum aggregation | All routes advertised shall be aggregated as far as possible. |
| Route advertising – target IP | Advertising router only | All routes advertised across the DE-CIX India exchanges network must point to the router advertising them unless an agreement has been made in advance in writing by DE-CIX India and the members involved. |
| Route advertising – registration | Public registration required | All routes to be advertised in a peering session across DE-CIX India exchange must be registered in the RIPE database or another public routing registry. |
| IP-address space advertising | With permission only | IP address space assigned to DE-CIX India peering LAN shall not be advertised to other networks without explicit permission of DE-CIX India. |
| DE-CIX India advertised routes | Accept | You can safely accept any routes announced by us, as all incoming advertisements are filtered according to the configured policies. |

3. Route server feature

The DE-CIX India exchanges route server system consists of two servers running BGP. For normal operation, only one is needed.

3.1 Minimum configuration

In order for the DE-CIX India measurements of the route server feature to function, at least one connection to one route server must be set up with the following parameters:

| Parameter | Policy | Remarks |
|---|---|---|
| Connection mode | Active | DE-CIX India side is configured as passive |
| BGP enforce-first-as | Not allowed | Enabled by default, must be disabled manually |
| AS-Set | Required | DE-CIX India needs the customer AS-Set to build the filter rules |
| Martians/bogons | Will be discarded | |

3.2 BGP announcement validation

BGP announcements provided by the customer to the DE-CIX India route server are validated for security reasons. For the validation, route databases might be used (e.g. RADB).

3.3 Optional: communities

In addition to the one route server minimum configuration, the Customer may elect to control outgoing routing information directly on the DE-CIX India Internet Exchange's route server by joining communities. Communities are processed by the DE-CIX India Internet Exchange's route servers by the following set of filter rules:

  • 0:peer-as - Prevent announcement of a prefix to a specific peer
  • 59200:peer-as - Announce a prefix to a specific peer
  • 0:59200 - Prevent announcement of a prefix to all peers
  • 59200:59200 - Announce a prefix to all peers

BGP large communities are also supported (http://largebgpcommunities.net)

  • 59200:0:peer-as - Prevent announcement of a prefix to a specific peer
  • 59200:1:peer-as - Announce a prefix to a specific peer
  • 59200:0:0 - Prevent announcement of a prefix to all peers
  • 59200:1:0 - Announce a prefix to all peers

Customers are kindly asked to consult the location-specific documentation of existing communities, made available upon request.
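The community rules listed above can be evaluated per peer as in the following added example (not DE-CIX code). The page does not state a default or a precedence order, so the example assumes that a route with no control community is announced to everyone, that a peer-specific rule overrides an all-peers rule, and that "prevent" wins over "announce" at the same scope; the peer AS numbers in the usage are constructed.

```python
RS_ASN = 59200  # community prefix used in the rules listed on this page


def parse_community(text):
    """Parse 'a:b' (standard, 16-bit fields) or 'a:b:c' (large, 32-bit fields)."""
    parts = tuple(int(p) for p in text.split(":"))
    if len(parts) not in (2, 3):
        raise ValueError(f"not a BGP community: {text!r}")
    limit = 0xFFFF if len(parts) == 2 else 0xFFFFFFFF
    if any(not 0 <= p <= limit for p in parts):
        raise ValueError(f"field out of range in {text!r}")
    return parts


def classify(community):
    """Return (action, peer_as or None for all peers), or None if not a control community."""
    if len(community) == 2:
        first, second = community
        if community == (0, RS_ASN):
            return ("block", None)
        if community == (RS_ASN, RS_ASN):
            return ("announce", None)
        if first == 0:
            return ("block", second)
        if first == RS_ASN:
            return ("announce", second)
    else:
        asn, function, target = community
        if asn == RS_ASN and function in (0, 1):
            return ("block" if function == 0 else "announce", target or None)
    return None


def announce_to(communities, peer_as):
    """Decide whether a route carrying these communities is exported to peer_as."""
    rules = [r for r in (classify(parse_community(c)) for c in communities) if r]
    specific = {action for action, target in rules if target == peer_as}
    general = {action for action, target in rules if target is None}
    for scope in (specific, general):  # assumed precedence: specific first
        if "block" in scope:
            return False
        if "announce" in scope:
            return True
    return True  # assumed default when no control community is present


if __name__ == "__main__":
    # Constructed case: hide the prefix from everyone except AS64500.
    print(announce_to(["0:59200", "59200:64500"], 64500))  # selected peer
    print(announce_to(["0:59200", "59200:64500"], 64501))  # any other peer
```

Standard communities carry 16-bit fields, so a peer with a 4-byte AS number can only be addressed with the large-community form.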

4. Blackholing

Blackholing means diverting the flow of data to a different next hop (the “Blackhole”) where the traffic is discarded. The result is that no traffic reaches the original destination and hence hosts located within the "blackholed" prefix are protected from massive distributed denial of service (DDoS) attacks congesting the connection from the customer to DE-CIX India. Thus blackholing is an effective way of mitigating the effects of DDoS attacks, etc.

DE-CIX India provides the technical infrastructure to allow Blackholing to be set up and used by customers. DE-CIX India, however, has no control in cases where a customer is accepting these “Blackholed” prefixes.

4.1 Basic principle

BGP announcements provided by the customer to the DE-CIX India route server are validated for security reasons. For the validation, route databases might be used (e.g. RADB).

4.4.1 In standard conditions

Customers advertise their prefixes with a Next Hop IP address belonging to their AS:

  • IPv4: /8 <= prefix length <= /24

  • IPv6: /19 <= prefix length <= /48

4.4.2 In case of DDoS

Customers advertise their prefixes with a unique DE-CIX India provided Blackhole next hop IP address (BN):

  • IPv4: /8 <= prefix length <= /32 (if and only if the BN is set)

  • IPv6: /19 <= prefix length <= /128 (if and only if the BN is set)

Further, the standard announcement checks still apply.
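A member can pre-check its own announcements against the prefix-length bounds above before sending them. The following is an added example, not DE-CIX code; the BN addresses are constructed placeholders from documentation ranges because the page does not give the real ones, and the check covers only the length rule, not the other announcement checks.

```python
import ipaddress

# Constructed placeholder BN addresses from documentation ranges; the real
# Blackhole next hop is provided by the exchange and is not given on this page.
BLACKHOLE_NEXT_HOPS = {
    4: ipaddress.ip_address("192.0.2.66"),
    6: ipaddress.ip_address("2001:db8::66"),
}
# Per address family: (shortest, longest in standard conditions, longest with BN)
LIMITS = {4: (8, 24, 32), 6: (19, 48, 128)}


def check_announcement(prefix, next_hop):
    """Return (accepted, reason) for one announced prefix and its next hop."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)  # rejects set host bits
        hop = ipaddress.ip_address(next_hop)
    except ValueError as exc:
        return False, f"malformed input: {exc}"
    if net.version != hop.version:
        return False, "next hop and prefix are different address families"
    shortest, longest_std, longest_bn = LIMITS[net.version]
    # More-specifics are permitted if and only if the next hop is the BN.
    blackholed = hop == BLACKHOLE_NEXT_HOPS[net.version]
    longest = longest_bn if blackholed else longest_std
    if net.prefixlen < shortest:
        return False, f"/{net.prefixlen} is shorter than /{shortest}"
    if net.prefixlen > longest:
        # Only reachable without the BN: with it, the limit is the full address.
        return False, f"/{net.prefixlen} is longer than /{longest} without the BN"
    return True, "blackhole" if blackholed else "standard"


if __name__ == "__main__":
    # Constructed sample announcements (documentation prefixes).
    samples = [
        ("198.51.100.0/24", "192.0.2.1"),    # standard conditions
        ("198.51.100.7/32", "192.0.2.1"),    # host route without the BN
        ("198.51.100.7/32", "192.0.2.66"),   # host route with the BN
        ("2001:db8::1/128", "2001:db8::66"), # IPv6 host route with the BN
    ]
    for prefix, hop in samples:
        print(prefix, hop, check_announcement(prefix, hop))
```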

4.2 L2 filtering

  • The Blackhole next hop (BN) has a unique MAC address (determined by ARP for the BN IP address), e.g. de:ad:be:ef:66:95

  • ARP resolving for the Blackhole IP next hop is currently served by a host operated by DE-CIX India

  • All edge nodes have a static entry for the unique MAC address

  • Attack traffic is forwarded from the customer to the service with the static MAC address, where the traffic is denied.

4.3 Result

As a result, all traffic to the attacked and "blackholed" IP prefix is already discarded on the incoming switch, and hence the victim's resources (e.g. the connection from the customer to DE-CIX India) are protected.
