CHIX operates two route servers with the following configuration:
| RS1 | RS2 |
|---|---|
| ASN: 212100 | ASN: 212100 |
| IPv4: 185.1.59.254 | IPv4: 185.1.59.253 |
| IPv6: 2001:7f8:cc:333::254 | IPv6: 2001:7f8:cc:333::253 |
| System: FreeBSD + Bird 2.0.7 | System: OpenBSD + OpenBGPd |
The configuration is generated using ARouteServer from data taken from PeeringDB (https://www.peeringdb.com/ix/2365). If you are a member and would like to peer with the route servers, you need to check the “Route Server” box there.
BGP sessions default configuration
- Passive sessions are configured toward neighbors.
- GTSM (Generalized TTL Security Mechanism – RFC5082) is disabled on sessions toward the neighbors.
- ADD-PATH capability (RFC7911) is not negotiated by default.
Route server general behaviour
- Route server ASN is not prepended to the AS_PATH of routes announced to clients (RFC7947 section 2.2.2.1).
- Route server does not implement path-hiding mitigation techniques (RFC7947 section 2.3.1).
Default filtering policy
NEXT_HOP attribute
- The route server verifies that the NEXT_HOP attribute of routes received from a client matches the IP address of the client itself.
AS_PATH attribute
- Routes whose AS_PATH is longer than 32 ASNs are rejected.
- The left-most ASN in the AS_PATH of any route announced to the route server must be the ASN of the announcing client.
- Routes whose AS_PATH contains private or invalid ASNs are rejected.
- Routes whose AS_PATH contains the ASN of one or more “never via route-servers” networks are rejected. The list of “never via route-servers” ASNs is generated from PeeringDB.
IRRDBs prefix/origin ASN enforcement
- Origin ASN validity is enforced. Routes whose origin ASN is not authorized by the client’s AS-SET are rejected.
- Announced prefixes validity is enforced. Routes whose prefix is not part of the client’s AS-SET are rejected.
- Route validity state is signalled to route server clients using the following BGP communities:
| Validity State | Standard | Extended | Large |
|---|---|---|---|
| Prefix is included in client’s AS-SET | None | None | 212100:65530:1 |
| Prefix is NOT included in client’s AS-SET | None | None | 212100:65530:2 |
| Origin ASN is included in client’s AS-SET | None | None | 212100:65530:3 |
| Origin ASN is NOT included in client’s AS-SET | None | None | 212100:65530:4 |
| Prefix matched by a RPKI ROA for the authorized origin ASN | None | None | 212100:65530:5 |
| Prefix matched by an entry of the ARIN Whois DB dump | None | None | 212100:65530:6 |
| Prefix matched by an entry of the NIC.BR Whois DB dump | None | None | 212100:65530:7 |
| Route authorized solely because of a client white list entry | None | None | 212100:65530:8 |
RPKI BGP Prefix Origin Validation
- RPKI BGP Prefix Origin Validation of routes received by the route server is enabled.
- When an INVALID route is received by the route server, it is rejected.
RPKI ROAs
- RPKI ROAs are fetched from cache files in RIPE RPKI Validator format at https://rpki-validator.ripe.net/api/export.json and https://rpki.gin.ntt.net/api/export.json. The following Trust Anchors are used: APNIC RPKI Root, AfriNIC RPKI Root, ARIN RPKI Root, LACNIC RPKI Root, RIPE NCC RPKI Root, apnic, afrinic, arin, lacnic, ripe.
Min/max prefix length
- Only prefixes whose length is in the following range are accepted by the route server:
  - IPv4: 8-24
  - IPv6: 12-48
Rejected prefixes
- Bogon prefixes are rejected.
- IPv6 prefixes are accepted only if part of the IPv6 Global Unicast space 2000::/3.
Announcement control via BGP communities
- Routes tagged with the NO_EXPORT or NO_ADVERTISE communities received by the route server are propagated to other clients with those communities unaltered.
| Function | Standard | Extended | Large |
|---|---|---|---|
| Do not announce to any client | None | None | 212100:0:212100 |
| Announce to peer, even if tagged with the previous community | None | None | 212100:1:peer_as |
| Do not announce to peer | 0:peer_as | None | 212100:0:peer_as |
| Prepend the announcing ASN once to peer | None | None | 212100:65511:peer_as |
| Prepend the announcing ASN twice to peer | None | None | 212100:65512:peer_as |
| Prepend the announcing ASN thrice to peer | None | None | 212100:65513:peer_as |
| Prepend the announcing ASN once to any | None | None | 212100:65501:212100 |
| Prepend the announcing ASN twice to any | None | None | 212100:65502:212100 |
| Prepend the announcing ASN thrice to any | None | None | 212100:65503:212100 |
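How the announcement-control communities in the table combine for one route, as an added example (not CHIX's or ARouteServer's own code). The evaluation order and the precedence of peer-specific prepends are assumptions, and the function names and the sample route are constructed.

```python
RS_ASN = 212100  # CHIX route server ASN, from the page

def parse(communities):
    """Split 'a:b' and 'a:b:c' strings into (standard, large) tuple sets."""
    std, large = set(), set()
    for text in communities:
        parts = tuple(int(p) for p in text.split(":"))
        if len(parts) not in (2, 3):
            raise ValueError(f"not a standard or large community: {text!r}")
        (std if len(parts) == 2 else large).add(parts)
    return std, large

def export_decision(communities, peer_as):
    """Return (announce, prepend_count) for one route toward one client."""
    std, large = parse(communities)
    # Assumed order: peer-specific block, then peer-specific allow,
    # then the "do not announce to any client" block.
    # 0:peer_as can only name a 16-bit ASN; the large form covers all peers.
    if (RS_ASN, 0, peer_as) in large or (0, peer_as) in std:
        return (False, 0)
    allowed = (RS_ASN, 1, peer_as) in large
    if (RS_ASN, 0, RS_ASN) in large and not allowed:
        return (False, 0)
    # Assumed precedence: a prepend aimed at this peer (6551x) wins over
    # a prepend aimed at any client (6550x); the larger count wins a tie.
    for base, target in ((65510, peer_as), (65500, RS_ASN)):
        for count in (3, 2, 1):
            if (RS_ASN, base + count, target) in large:
                return (True, count)
    return (True, 0)

def export_plan(communities, clients):
    """Map each client ASN to its export decision for this route."""
    return {asn: export_decision(communities, asn) for asn in clients}

# Constructed sample: blocked everywhere except AS64500, which gets two
# prepends; the "any client" single prepend does not apply to AS64500.
SAMPLE_ROUTE = ["212100:0:212100", "212100:1:64500",
                "212100:65512:64500", "212100:65501:212100"]
SAMPLE_CLIENTS = [64500, 64501]  # documentation ASNs, constructed

if __name__ == "__main__":
    plan = export_plan(SAMPLE_ROUTE, SAMPLE_CLIENTS)
    for asn, (announce, prepends) in plan.items():
        print(f"AS{asn}: announce={announce} prepends={prepends}")
```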
Reject reasons
- The following values are used to identify the reason for which routes are rejected. This is mostly used for troubleshooting, internal reporting purposes or in the route server log files.
| ID | Reason |
|---|---|
| 0 | Generic code: the route must be treated as rejected |
| 1 | Invalid AS_PATH length |
| 2 | Prefix is bogon |
| 3 | Prefix is in global blacklist |
| 4 | Invalid AFI |
| 5 | Invalid NEXT_HOP |
| 6 | Invalid left-most ASN |
| 7 | Invalid ASN in AS_PATH |
| 8 | Transit-free ASN in AS_PATH |
| 9 | Origin ASN not in IRRDB AS-SETs |
| 10 | IPv6 prefix not in global unicast space |
| 11 | Prefix is in client blacklist |
| 12 | Prefix not in IRRDB AS-SETs |
| 13 | Invalid prefix length |
| 14 | RPKI INVALID route |
| 15 | Never via route-servers ASN in AS_PATH |
| 65535 | Unknown |
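A pre-announcement check a member could run against the locally verifiable parts of the filtering policy above, returning the matching reject-reason ID; this is an added example, not CHIX's or ARouteServer's code. The check order, the bogon sample, the invalid-ASN set (documentation ASNs are left valid so they can serve as sample values) and all names are assumptions; IRR, RPKI, blacklist and "never via route-servers" checks need external data and are not covered.

```python
import ipaddress

# Constructed sample; the page does not list its bogon prefixes.
SAMPLE_BOGONS = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "2001:db8::/32")]
GLOBAL_UNICAST_V6 = ipaddress.ip_network("2000::/3")
LENGTH_RANGE = {4: (8, 24), 6: (12, 48)}  # accepted lengths, from the page

def asn_invalid(asn):
    """Assumed set: reserved values plus the private-use ranges."""
    return (asn in (0, 23456, 65535, 4294967295)
            or 64512 <= asn <= 65534
            or 4200000000 <= asn <= 4294967294)

def reject_reason(prefix, as_path, next_hop, client_asn, client_ip):
    """Return the page's reject-reason ID, or None if these checks pass."""
    net = ipaddress.ip_network(prefix)
    if len(as_path) > 32:
        return 1   # Invalid AS_PATH length
    if any(net.subnet_of(b) for b in SAMPLE_BOGONS if b.version == net.version):
        return 2   # Prefix is bogon
    if ipaddress.ip_address(next_hop) != ipaddress.ip_address(client_ip):
        return 5   # Invalid NEXT_HOP
    if not as_path or as_path[0] != client_asn:
        return 6   # Invalid left-most ASN
    if any(asn_invalid(a) for a in as_path):
        return 7   # Invalid ASN in AS_PATH
    if net.version == 6 and not net.subnet_of(GLOBAL_UNICAST_V6):
        return 10  # IPv6 prefix not in global unicast space
    low, high = LENGTH_RANGE[net.version]
    if not low <= net.prefixlen <= high:
        return 13  # Invalid prefix length
    return None

# Constructed sample client and routes (ASNs are documentation values).
CLIENT = {"client_asn": 64500, "client_ip": "2001:7f8:cc:333::10"}
SAMPLE_ROUTES = [
    ("2a00:1234::/32", [64500, 64501], "2001:7f8:cc:333::10"),
    ("2a00:1234::/32", [64501, 64500], "2001:7f8:cc:333::10"),
    ("2a00:1234::/32", [64500, 65000], "2001:7f8:cc:333::10"),
    ("2a00:1234:5678:9a00::/56", [64500], "2001:7f8:cc:333::10"),
    ("2a00:1234::/32", [64500], "2001:7f8:cc:333::99"),
]

def check_all(routes=SAMPLE_ROUTES):
    """Reject-reason ID (or None) for each sample route, in order."""
    return [reject_reason(p, path, nh, **CLIENT) for p, path, nh in routes]
```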
