Internet Exchanges (IXes) are an important infrastructure for exchanging Internet traffic between network service providers. For this reason, they must be operated in a way that maintains their stability and security.
Over the past 10 years, the Japanese IX community, like many other IX communities around the world, has witnessed massive changes in IX technologies, as well as growth in the number and diversity of members connecting to IXes. Such changes have been great for raising the profile of IXes and their importance for exchanging and encouraging local traffic. However, they have also resulted in many issues, particularly the misconfiguration of routers by new members.
“Such misconfigurations can result in unwanted broadcasts, malicious misrepresentation of routes, unknown unicast flooding, and bandwidth theft attacks, which can ultimately impact all members connecting to an IX,” says Masataka Mawatari of Japan Internet Exchange Co. Ltd.
“For this reason, a group of other IX operators in Japan and I [BBIX, JPIX, JPNAP, and KDDI] worked together to update a best practices document originally developed by the JANOG community a decade ago for configuring routers to connect to an IX.”
The document, which is now available for download in English, describes the recommended configuration for a router that is used by an AS operator to connect to an IX, that is, the Peering LAN — a LAN that many individual ASes are connected to.
“We hope that this document will help ensure that AS operators have a common understanding and awareness of the technical requirements,” says Masataka.
5 top tips to consider when configuring your routers to connect to an IX
- Stop sending ICMP redirects — Disable the ICMP redirects function on the router you are using to connect to your IX. This will ensure you won’t contaminate the routing tables of other routers connecting to the same IX.
- Prohibit the forwarding of packets whose destination address is a directed broadcast address of an IX segment — Disable this function on your router, as it may facilitate Smurf attacks against the IX segment, which are harmful to all the routers on the IX.
- Disable the proxy ARP — Doing this will stop your router from potentially bringing down all BGP sessions and traffic over the IX.
- Maximum prefix limit — Configure the maximum prefix limit for all your peers as this is an effective defensive measure for route leakage or router misconfiguration of your peers.
- Do NOT advertise the prefixes of IX segments — If you do, the reachability of an IX segment by the wider portion of the Internet will facilitate more attacks on the IX segment, which should be dedicated just for peering traffic.
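As an added illustration (not part of the original post or the JANOG document), the following script audits a Cisco IOS-style router configuration against the five tips above. The sample configuration is constructed, the command syntax is assumed for illustration, 203.0.113.0/24 stands in for the IX peering LAN, and the interface and AS numbers are made up.

```python
import re
# Constructed sample in Cisco IOS style (assumed syntax): proxy ARP is still on and one peer has no prefix limit.
SAMPLE_CONFIG = """\
ip prefix-list TO-IX seq 5 deny 203.0.113.0/24
ip prefix-list TO-IX seq 10 permit 198.51.100.0/24
interface GigabitEthernet0/1
 ip address 203.0.113.10 255.255.255.0
 no ip redirects
 no ip directed-broadcast
 ip proxy-arp
router bgp 64500
 neighbor 203.0.113.1 remote-as 64501
 neighbor 203.0.113.1 maximum-prefix 100
 neighbor 203.0.113.1 prefix-list TO-IX out
 neighbor 203.0.113.2 remote-as 64502
 neighbor 203.0.113.2 prefix-list TO-IX out
"""

def parse_blocks(config):
    """Split an IOS-style config into top-level lines and their indented children."""
    top, blocks = [], {}
    for line in filter(str.strip, config.splitlines()):
        if line.startswith(" ") and top:
            blocks[top[-1]].append(line.strip())
        else:
            top.append(line.strip())
            blocks[top[-1]] = []
    return top, blocks

def audit_ix_config(config, ix_interface, ix_prefix):
    """Return a list of findings against the five tips; an empty list means all pass."""
    top, blocks = parse_blocks(config)
    findings = []
    iface = blocks.get(f"interface {ix_interface}", [])
    for cmd, problem in (("no ip redirects", "ICMP redirects still enabled"),  # tips 1-3
                         ("no ip directed-broadcast", "directed-broadcast forwarding still enabled"),
                         ("no ip proxy-arp", "proxy ARP still enabled")):
        if cmd not in iface:
            findings.append(f"{ix_interface}: {problem}")
    bgp = next((blocks[h] for h in top if h.startswith("router bgp ")), [])
    peers = sorted({m.group(1) for l in bgp for m in [re.match(r"neighbor (\S+) remote-as ", l)] if m})
    for peer in peers:
        if not any(l.startswith(f"neighbor {peer} maximum-prefix ") for l in bgp):  # tip 4
            findings.append(f"neighbor {peer}: no maximum-prefix limit")
        names = [m.group(1) for l in bgp for m in [re.match(rf"neighbor {re.escape(peer)} prefix-list (\S+) out$", l)] if m]
        denies = [h for n in names for h in top  # tip 5: outbound filter must explicitly deny the IX segment
                  if h.startswith(f"ip prefix-list {n} ") and f" deny {ix_prefix}" in h]
        if not denies:
            findings.append(f"neighbor {peer}: outbound filter does not deny IX prefix {ix_prefix}")
    return findings
```

Run against the sample, the audit reports the two remaining gaps (proxy ARP on the IX interface and the missing prefix limit on the second peer); once those two lines are corrected it returns an empty list.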