CHIX operates two route servers with the following configuration:
|System: FreeBSD + Bird 2.0.7
|System: OpenBSD + OpenBGPd
The configuration is generated using Arouteserver and data taken from PeeringDB (https://www.peeringdb.com/ix/2365). If you are a member and would like to peer with the Route Servers, you need to check the "Route Server" box there.
BGP sessions default configuration
- Passive sessions are configured toward neighbors.
- GTSM (Generalized TTL Security Mechanism – RFC5082) is disabled on sessions toward the neighbors.
- ADD-PATH capability (RFC7911) is not negotiated by default.
Route server general behaviour
- Route server ASN is not prepended to the AS_PATH of routes announced to clients (RFC7947 section 2.2.2.1).
- Route server does not implement path-hiding mitigation techniques (RFC7947 section 2.3.1).
Default filtering policy
- The route server verifies that the NEXT_HOP attribute of routes received from a client matches the IP address of the client itself.
- Routes whose AS_PATH is longer than 32 ASNs are rejected.
- The left-most ASN in the AS_PATH of any route announced to the route server must be the ASN of the announcing client.
- Routes whose AS_PATH contains private or invalid ASNs are rejected.
- Routes with an AS_PATH containing one or more "never via route-servers" networks' ASNs are rejected. The list of "never via route-servers" networks' ASNs is generated from PeeringDB.
IRRDBs prefix/origin ASN enforcement
- Origin ASN validity is enforced. Routes whose origin ASN is not authorized by the client’s AS-SET are rejected.
- Announced prefixes validity is enforced. Routes whose prefix is not part of the client’s AS-SET are rejected.
- Route validity state is signalled to route server clients using the following BGP communities:
|Prefix is included in client’s AS-SET
|Prefix is NOT included in client’s AS-SET
|Origin ASN is included in client’s AS-SET
|Origin ASN is NOT included in client’s AS-SET
|Prefix matched by a RPKI ROA for the authorized origin ASN
|Prefix matched by an entry of the ARIN Whois DB dump
|Prefix matched by an entry of the NIC.BR Whois DB dump
|Route authorized solely because of a client white list entry
RPKI BGP Prefix Origin Validation
- RPKI BGP Prefix Origin Validation of routes received by the route server is enabled.
- When an INVALID route is received by the route server, it is rejected.
- RPKI ROAs are fetched from the RIPE RPKI Validator format cache files at https://rpki-validator.ripe.net/api/export.json and https://rpki.gin.ntt.net/api/export.json. The following Trust Anchors are used: APNIC RPKI Root, AfriNIC RPKI Root, ARIN RPKI Root, LACNIC RPKI Root, RIPE NCC RPKI Root, apnic, afrinic, arin, lacnic, ripe.
Min/max prefix length
- Only prefixes whose length is in the following range are accepted by the route server:
  - IPv4: 8-24
  - IPv6: 12-48
- Bogon prefixes are rejected.
- IPv6 prefixes are accepted only if part of the IPv6 Global Unicast space 2000::/3.
Announcement control via BGP communities
- Routes tagged with the NO_EXPORT or NO_ADVERTISE communities received by the route server are propagated to other clients with those communities unaltered.
|Do not announce to any client
|Announce to peer, even if tagged with the previous community
|Do not announce to peer
|Prepend the announcing ASN once to peer
|Prepend the announcing ASN twice to peer
|Prepend the announcing ASN thrice to peer
|Prepend the announcing ASN once to any
|Prepend the announcing ASN twice to any
|Prepend the announcing ASN thrice to any
- The following values are used to identify the reason for which routes are rejected. This is mostly used for troubleshooting, internal reporting purposes or in the route server log files.
|Generic code: the route must be treated as rejected
|Invalid AS_PATH length
|Prefix is bogon
|Prefix is in global blacklist
|Invalid left-most ASN
|Invalid ASN in AS_PATH
|Transit-free ASN in AS_PATH
|Origin ASN not in IRRDB AS-SETs
|IPv6 prefix not in global unicast space
|Prefix is in client blacklist
|Prefix not in IRRDB AS-SETs
|Invalid prefix length
|RPKI INVALID route
|Never via route-servers ASN in AS_PATH
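
The checks from the default filtering policy and prefix-length rules that need no external data can be run by a member against their own announcements before turning up a session. The following is an added example, not CHIX's or Arouteserver's code; it does not cover the bogon, IRRDB or RPKI checks. Assumptions: the function names, the reserved-ASN ranges used for "private or invalid", the NEXT_HOP reason label, and all sample values, which are constructed.

```python
import ipaddress

# Limits taken from the policy text on this page.
MAX_AS_PATH_LEN = 32
PREFIX_LEN = {4: (8, 24), 6: (12, 48)}
V6_GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")

def asn_is_private_or_invalid(asn):
    # Assumption: "private or invalid" means the IANA special-purpose ASNs:
    # 0, AS_TRANS (23456), 64496-131071 (documentation, private, reserved)
    # and 4200000000-4294967295 (private, last ASN).
    return asn in (0, 23456) or 64496 <= asn <= 131071 or asn >= 4200000000

def check_route(prefix, as_path, next_hop, client_asn, client_ip):
    """Return the reject reasons for one announcement ([] if none apply)."""
    reasons = []
    net = ipaddress.ip_network(prefix)
    if ipaddress.ip_address(next_hop) != ipaddress.ip_address(client_ip):
        reasons.append("NEXT_HOP is not the client address")  # label is ours
    if len(as_path) > MAX_AS_PATH_LEN:
        reasons.append("Invalid AS_PATH length")
    if not as_path or as_path[0] != client_asn:
        reasons.append("Invalid left-most ASN")
    if any(asn_is_private_or_invalid(asn) for asn in as_path):
        reasons.append("Invalid ASN in AS_PATH")
    low, high = PREFIX_LEN[net.version]
    if not low <= net.prefixlen <= high:
        reasons.append("Invalid prefix length")
    if net.version == 6 and not net.subnet_of(V6_GLOBAL_UNICAST):
        reasons.append("IPv6 prefix not in global unicast space")
    return reasons

# Constructed sample announcements (prefixes, ASNs and addresses are made up).
SAMPLES = [
    ("45.10.0.0/22", [201000, 202000], "192.0.2.10", 201000, "192.0.2.10"),
    ("45.10.0.0/25", [202000, 64512], "192.0.2.99", 201000, "192.0.2.10"),
    ("fc00::/48", [201000], "2001:db8::10", 201000, "2001:db8::10"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], check_route(*sample) or "passes these checks")
```
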