GlobePeer Technical Service Description

I. GENERAL PROVISIONS

1. Overview, scope of application

This document contains the Technical Service Description (TSD) for the GlobePEER product. This TSD is part of the DE-CIX INTERWIRE contractual framework for domestic internet access.

This TSD shall apply only to the GlobePEER product. The GlobePEER product may, however, be a prerequisite for other DE-CIX INTERWIRE services. This document contains only technical specifications and documentation. Please consult the GlobePEER PSSLA for service levels.

2. Amendment

This document may be revised and amended at any time pursuant to the provisions of the DE-CIX INTERWIRE INTERNET SERVICES PVT LTD (in the following called the DE-CIX INTERWIRE) Agreement.

3. Product prerequisites

The GlobePEER Product requires the following DE-CIX INTERWIRE products for its normal operation:

4. Applicable standards

Members' use of the DE-CIX INTERWIRE network shall at all times conform to the relevant standards as laid out in STD0001 and associated Internet STD documents.

II. DATA LINK-LAYER CONFIGURATION

1. Bandwidth

The bandwidth of the GlobePEER product must be explicitly configured if the agreed bandwidth for GlobePEER differs from the bandwidth of the access, or bundle of aggregated accesses, on which the GlobePEER product is used.

2. Frametypes

The following general policies shall apply:

Frametype (ether types) | Policy | Enforcement
0x0800 – IPv4, 0x0806 – ARP, 0x86dd – IPv6 | Allow | -
All other types | Allow | Strict – all frames other than allowed types are dropped

3. MAC address configuration

All frames forwarded to the GlobePEER service shall have the same source MAC address.

4. Broadcast/Multicast Traffic

The following policies shall apply to broadcast/multicast traffic:

Protocol | Policy | Enforcement
Broadcast ARP (excluding proxy ARP), multicast IPv6 Neighbor Discovery (ND) | Allowed, but rate limited to 1000 kbps | -
All other types, i.e. including, but not limited to: IRDP; ICMP redirects; IEEE 802 Spanning Tree; vendor proprietary discovery protocols (e.g. CDP); interior routing protocol broad/multicasts (e.g. OSPF, IS-IS, IGRP, EIGRP); BOOTP/DHCP; PIM-SM; PIM-DM; DVMRP | Discard | Discarded, unless specifically allowed

III. IP LAYER CONFIGURATION (ISO/OSI LAYER 3)

1. Interface configuration

Parameter | Policy | Remarks
IP addresses (IPv4, IPv6) including subnet mask for your interfaces | IPv4 required | At least the IPv4 address has to be configured
IPv6 addresses (link-local & global scope) | No auto-configuration | All IPv6 addresses must be explicitly configured
IPv6 address (site-local) | Not allowed | IPv6 site-local addresses must not be used
Standard MTU | Fixed size | Standard IP MTU size must be explicitly set to 1500 Bytes, unless explicitly agreed in writing.

2. Routing configuration

The customer system’s routing configuration shall include the following policies/settings:

Parameter | Policy | Remarks
BGP Version | v. 4 only | -
AS numbers | Public only | No AS numbers allowed from ranges reserved for private use across the entire DE-CIX INTERWIRE network.
Multiple ASN | Allow | Members may use more than one ASN for their DE-CIX INTERWIRE peering, provided that each ASN presented shares the same NOC and peering contact details.
Route advertising | Maximum aggregation | All routes advertised shall be aggregated as far as possible.
Route advertising – target IP | Advertising router only | All routes advertised across the Mumbai-IX network must point to the router advertising it unless an agreement has been made in advance in writing by Mumbai-IX and the members involved.
Route advertising – registration | Public registration required | All routes to be advertised in a peering session across Mumbai-IX must be registered in the RIPE database or another public routing registry.
IP-address space advertising | With permission only | IP address space assigned to the Mumbai-IX peering LAN shall not be advertised to other networks without explicit permission of Mumbai-IX.
Mumbai-IX advertised routes | Accept | You can safely accept any routes announced by us, as all incoming advertisements are filtered according to the configured policies.

3. Route server feature

The Mumbai-IX route server system consists of two servers running BGP. For normal operation, only one is needed.

3.1 Minimum configuration

In order for the Mumbai-IX route server feature to function, at least one connection to one route server must be set up with the following parameters:

Parameter | Policy | Remarks
connection mode | Active | Mumbai-IX side is configured as passive
bgp enforce-first-as | Not allowed | Enabled by default, must be disabled manually
AS-Set | Required | Mumbai-IX needs the customer AS-Set to build the filter rules
martians/bogons | Will be discarded | -

3.2 BGP announcement validation

BGP announcements provided by the customer to the Mumbai-IX route server are validated for security reasons. Routing databases (e.g. RADB) may be used for this validation.

3.3 Optional: communities

In addition to the one-route-server minimum configuration, the Customer may elect to control outgoing routing information directly on the Mumbai-IX route server by attaching communities to its prefixes. Communities are processed by the Mumbai-IX route servers according to the following set of filter rules:


0:peer-as - Prevent announcement of a prefix to a specific peer
59200:peer-as - Announce a prefix to a specific peer
0:59200 - Prevent announcement of a prefix to all peers
59200:59200 - Announce a prefix to all peers

BGP large communities are also supported (http://largebgpcommunities.net).

59200:0:peer-as - Prevent announcement of a prefix to a specific peer
59200:1:peer-as - Announce a prefix to a specific peer
59200:0:0 - Prevent announcement of a prefix to all peers
59200:1:0 - Announce a prefix to all peers

Customers are kindly asked to consult the location specific documentation of existing communities, made available upon request.
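The following is an added example, not Mumbai-IX or DE-CIX route server code. It evaluates the standard and large community rules listed above for one prefix and one target peer, so a customer can preview which peers would receive a prefix before tagging it. The page does not state how conflicting communities are resolved, so the example assumes that a peer-specific community overrides an "all peers" community, that a prevent community wins over an announce community of the same scope, and that a route carrying no matching community is exported to every peer. The `Route` class, the helper names and the sample prefix and ASNs are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Added example, not Mumbai-IX/DE-CIX route server code. It evaluates the
# community-based export policy listed above for one prefix and one target peer.
# ASSUMPTIONS (not stated on the page): a peer-specific community overrides an
# "all peers" community; where prevent and announce communities of the same
# scope conflict, prevent wins; a route carrying no matching community is
# announced to every peer.

RS_ASN = 59200  # route server ASN used in the community definitions above


@dataclass
class Route:
    prefix: str
    # Standard communities as (high, low) 16-bit pairs, e.g. (0, 64500).
    communities: set[tuple[int, int]] = field(default_factory=set)
    # Large communities as (global admin, function, parameter), e.g. (59200, 1, 0).
    large_communities: set[tuple[int, int, int]] = field(default_factory=set)


def parse_community(text: str) -> tuple[int, ...]:
    """Parse 'a:b' (standard) or 'a:b:c' (large) into ints, checking field widths."""
    parts = tuple(int(p) for p in text.split(":"))
    if len(parts) == 2:
        width = 0xFFFF        # standard communities carry two 16-bit fields
    elif len(parts) == 3:
        width = 0xFFFFFFFF    # large communities carry three 32-bit fields
    else:
        raise ValueError(f"not a community: {text!r}")
    if not all(0 <= p <= width for p in parts):
        raise ValueError(f"community field out of range: {text!r}")
    return parts


def add_communities(route: Route, *texts: str) -> Route:
    """Attach communities written in the textual form used on this page."""
    for text in texts:
        parts = parse_community(text)
        if len(parts) == 2:
            route.communities.add(parts)
        else:
            route.large_communities.add(parts)
    return route


def should_announce(route: Route, peer_as: int) -> bool:
    """Return True if the route server exports `route` to `peer_as`."""
    std, large = route.communities, route.large_communities
    # 1. Peer-specific rules: most specific, evaluated first; prevent wins a tie.
    if (0, peer_as) in std or (RS_ASN, 0, peer_as) in large:
        return False
    if (RS_ASN, peer_as) in std or (RS_ASN, 1, peer_as) in large:
        return True
    # 2. All-peer rules.
    if (0, RS_ASN) in std or (RS_ASN, 0, 0) in large:
        return False
    if (RS_ASN, RS_ASN) in std or (RS_ASN, 1, 0) in large:
        return True
    # 3. No matching community: default export to all peers.
    return True


def export_table(route: Route, peer_asns: list[int]) -> dict[int, bool]:
    """Per-peer export decision for one route, e.g. to preview a community set."""
    return {asn: should_announce(route, asn) for asn in peer_asns}


if __name__ == "__main__":
    # Constructed sample: withhold the prefix from everyone except AS 64500 and,
    # via a large community because it does not fit in 16 bits, AS 4200000000.
    r = add_communities(Route("203.0.113.0/24"),
                        "0:59200", "59200:64500", "59200:1:4200000000")
    print(export_table(r, [64500, 64501, 4200000000]))
```

Note that a 4-byte peer ASN cannot be encoded in the 16-bit low field of a standard community, which is why the large community form `59200:1:peer-as` exists; `parse_community` rejects such a value in the standard form rather than silently truncating it.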

4. Blackholing

Blackholing means diverting the flow of data to a different next hop (the “Blackhole”) where the traffic is discarded. The result is that no traffic reaches the original destination and hence hosts located within the "blackholed" prefix are protected from massive distributed denial of service (DDoS) attacks congesting the connection from the customer to Mumbai-IX. Thus blackholing is an effective way of mitigating the effects of DDoS attacks, etc.

Mumbai-IX provides the technical infrastructure that allows Blackholing to be set up and used by customers. Mumbai-IX, however, has no control over whether a customer accepts these “Blackholed” prefixes.

4.1 Basic principle


4.1.1 In standard conditions

Customers advertise their prefixes with a Next Hop IP address belonging to their AS:

  • IPv4: prefix length from /8 to /24
  • IPv6: prefix length from /19 to /48

4.1.2 In case of DDoS

Customers advertise their prefixes with a unique Mumbai-IX-provided Blackhole next hop IP address (BN):

  • IPv4: prefix length from /8 up to /32 (if and only if the BN is set)
  • IPv6: prefix length from /19 up to /128 (if and only if the BN is set)

Further, the standard announcement checks still apply.
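The following is an added example, not Mumbai-IX or DE-CIX code, showing how the two announcement regimes above can be checked for a single customer announcement: prefix-length bounds that widen to host routes only when the blackhole next hop (BN) is set, and the requirement that a standard announcement use a next hop belonging to the customer. The BN addresses, the customer's next-hop addresses and the sample prefixes are constructed placeholders from documentation ranges; the real BN addresses are provided by Mumbai-IX. Modelling "a next hop belonging to their AS" as a set of the customer's own peering-LAN addresses is an assumption of this example.

```python
import ipaddress

# Added example, not Mumbai-IX/DE-CIX code. It applies the prefix-length and
# next-hop rules of 4.1.1/4.1.2 to one announcement.
# ASSUMPTION: the BN addresses below are constructed placeholders from
# documentation ranges; the real values are provided by Mumbai-IX.
BLACKHOLE_NEXT_HOPS = {
    ipaddress.ip_address("192.0.2.66"),    # placeholder IPv4 BN (TEST-NET-1)
    ipaddress.ip_address("2001:db8::66"),  # placeholder IPv6 BN
}

# Per address family: (shortest allowed, longest allowed normally,
# longest allowed when the BN is set), taken from the page.
PREFIX_LIMITS = {4: (8, 24, 32), 6: (19, 48, 128)}


def validate_announcement(prefix: str, next_hop: str,
                          customer_next_hops: set[str]) -> tuple[bool, str]:
    """Return (accepted, reason) for one customer announcement.

    customer_next_hops: the customer's own peering-LAN addresses, used here as
    the model of "a Next Hop IP address belonging to their AS" (assumption).
    """
    try:
        net = ipaddress.ip_network(prefix, strict=True)  # reject host bits set
        nh = ipaddress.ip_address(next_hop)
        owned = {ipaddress.ip_address(a) for a in customer_next_hops}
    except ValueError as exc:
        return False, f"malformed announcement: {exc}"
    if net.version != nh.version:
        return False, "next hop address family does not match prefix"
    shortest, longest_std, longest_bh = PREFIX_LIMITS[net.version]
    if net.prefixlen < shortest:
        return False, f"prefix shorter than /{shortest}"
    if nh in BLACKHOLE_NEXT_HOPS:
        # 4.1.2: with the BN set, announcements down to host routes are accepted.
        if net.prefixlen > longest_bh:
            return False, f"prefix longer than /{longest_bh}"
        return True, "blackhole"
    # 4.1.1: a standard announcement must carry one of the customer's own next hops.
    if nh not in owned:
        return False, "next hop does not belong to the customer"
    if net.prefixlen > longest_std:
        return False, f"prefix longer than /{longest_std} without blackhole next hop"
    return True, "standard"


def accepted_announcements(announcements: list[tuple[str, str]],
                           customer_next_hops: set[str]) -> list[tuple[str, str]]:
    """Filter a batch of (prefix, next_hop) pairs, keeping those that pass with their reason."""
    kept = []
    for prefix, next_hop in announcements:
        ok, reason = validate_announcement(prefix, next_hop, customer_next_hops)
        if ok:
            kept.append((prefix, reason))
    return kept


if __name__ == "__main__":
    # Constructed sample: the customer's peering-LAN addresses (placeholders).
    owned = {"203.0.113.10", "2001:db8:1::10"}
    batch = [
        ("198.51.100.0/24", "203.0.113.10"),   # normal aggregate: accepted
        ("198.51.100.7/32", "203.0.113.10"),   # host route without BN: rejected
        ("198.51.100.7/32", "192.0.2.66"),     # host route with BN: accepted
        ("2001:db8:1::1/128", "2001:db8::66"), # IPv6 host route with BN: accepted
    ]
    for prefix, next_hop in batch:
        print(prefix, next_hop, validate_announcement(prefix, next_hop, owned))
```

The check is deliberately ordered so that the BN is recognised before the ownership test: the BN is a Mumbai-IX address, not a customer address, and only its presence unlocks the longer prefix lengths of 4.1.2.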

4.2 L2 filtering

  • The Blackhole next hop (BN) has a unique MAC address (determined by ARP for the BN IP address), e.g. de:ad:be:ef:66:95
  • ARP resolution for the Blackhole next hop IP address is currently served by a host operated by Mumbai-IX
  • All edge nodes have a static entry for the unique MAC address
  • Attack traffic forwarded from the customer towards the static MAC address is denied

4.3 Result

As a result, all traffic to the attacked and "blackholed" IP prefix is already discarded on the incoming switch, and hence the victim's resources (e.g. the connection from the customer to Mumbai-IX) are protected.
