A Route Server is an essential simplification for peering sessions. Indeed, by configuring a single BGP session with the route server, each Namex member can see announcements and receive routes from all the other members.
Besides being faster than establishing multiple BGP sessions, it also enhances transparency and routing security, since the route server performs an initial filtering on routes received from its peers, thus guaranteeing greater reliability of announced routes.
Namex has been an active sponsor of MANRS since 2018, implementing the following security policies within its datacenters:
- IRRdb filtering: Filters are generated automatically from the information contained in the Internet Routing Registry. Each Namex member must provide an AS-SET macro containing all the ASes it advertises on the NAP. The route server and filter configuration is updated daily in the early morning.
- ROA RPKI filtering: Received prefixes are filtered according to their ROA RPKI status: prefixes with Invalid status are blocked and not propagated to the peers, while prefixes with Valid or Not Found status are exported.
- RTBH Filtering: The Remote-Triggered Black-Hole mechanism enables the Route Server to mitigate a DDoS attack. Blackholing means diverting the flow of malicious data towards a specific next-hop (Blackhole), where traffic is discarded, guaranteeing protection for networks and hosts located within the blackholed prefix. RTBH is also available on bilateral peering sessions.
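The ROA RPKI filtering rule in the list above, written out as an added example (not Namex's route server configuration): route origin validation following RFC 6811 over constructed ROA data, followed by the export decision. The prefixes, AS numbers and function names are illustrative assumptions.

```python
import ipaddress

# Constructed VRPs (validated ROA payloads): (prefix, maxLength, origin AS).
# Documentation prefixes and private-use ASNs, not real registry data.
VRPS = [
    (ipaddress.ip_network("192.0.2.0/24"), 25, 64500),
    (ipaddress.ip_network("2001:db8::/32"), 40, 64501),
]

def rov_state(prefix, origin_as, vrps=VRPS):
    """Return 'valid', 'invalid' or 'not-found' following RFC 6811."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_net, max_len, vrp_as in vrps:
        # A VRP covers the route when the route is equal to or more specific than it.
        if route.version != vrp_net.version or not route.subnet_of(vrp_net):
            continue
        covered = True
        # A match needs the same origin AS and a length within maxLength;
        # AS 0 in a VRP never matches any route.
        if vrp_as != 0 and vrp_as == origin_as and route.prefixlen <= max_len:
            return "valid"
    # Covered but never matched is invalid; no covering VRP at all is not-found.
    return "invalid" if covered else "not-found"

def export_to_peers(announcements, vrps=VRPS):
    """Policy from the list above: drop invalid, export valid and not-found."""
    exported, dropped = [], []
    for prefix, origin_as in announcements:
        state = rov_state(prefix, origin_as, vrps)
        target = dropped if state == "invalid" else exported
        target.append((prefix, origin_as, state))
    return exported, dropped

# Constructed announcements as a route server might receive them from members.
ANNOUNCEMENTS = [
    ("192.0.2.128/25", 64500),     # covered, right origin, within maxLength
    ("192.0.2.0/24", 64511),       # covered, wrong origin AS
    ("2001:db8:100::/48", 64501),  # covered, right origin, longer than maxLength
    ("203.0.113.0/24", 64502),     # no covering VRP
]

if __name__ == "__main__":
    exported, dropped = export_to_peers(ANNOUNCEMENTS)
    for row in exported:
        print("export", *row)
    for row in dropped:
        print("drop  ", *row)
```

The third announcement shows why maxLength matters: the origin AS is correct, yet the more-specific prefix is still Invalid and is not propagated.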
Prefix filtering and validation in a Route Server infrastructure
Route Servers (RSes) are a critical piece of infrastructure used by prominent IXPs worldwide, especially in environments where a huge number (often more than a hundred) of peers exist. This can make filtering challenging.