Maximize the benefits of Peering
The goal of NL-ix's Route Servers is to make peering on the NL-ix peering platform easy. Normally, you would need to maintain separate BGP sessions to each of your peers' routers. With a Route Server you can replace all or a subset of these sessions with one session towards each Route Server.
Connecting to the NL-ix Route Server facilitates the exchange of traffic with other NL-ix peers. Each peer that connects to the NL-ix Route Server receives BGP announcements of all other Route Server peers.
The standard (default) session when connecting to the Route Server will re-distribute all your announcements to other peers and advertise all announcements from other peers to you.
Route Server setup
NL-ix operates multiple Route Servers. Even though peering with only one Route Server is sufficient for exchanging routes, it is preferred to peer with all Route Servers available in your setup. Setting up redundant Route Server sessions allows occasional maintenance to be carried out without impacting your routing, and guards against failures.
Preferably, always set up 2 IPv4 sessions as well as 2 IPv6 sessions. This way the Route Servers help you get the majority of possible sessions and significantly relieve the burden of keeping track of newly arriving members.
RPKI filtering and RIPE administration
NL-ix secures "our part" of the Internet by protecting the peers connected to our Route Servers, actively clean-filtering all routing information using RPKI: a security framework that verifies the right to use an IP address or ASN. By default NL-ix declines routes where RPKI validation fails.
Signing your prefixes in the routing database of RIPE is the best way to start with RPKI as the RIPE database provides essential information to keep individual networks and the overall Internet running.
Please make sure that you cover all prefixes you use, matching the ASN which they originate from. Also have all active ASNs and AS-SETs listed in your main AS-SET and remove unused ones. Please send an email to firstname.lastname@example.org if you require changes to your AS-SET.
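How RPKI route origin validation classifies an announcement, shown as an added example (not NL-ix code or configuration): it follows the RFC 6811 procedure over constructed ROAs that use documentation prefixes and documentation ASNs. The names SAMPLE_ROAS, validate and audit are illustrative.

```python
import ipaddress

# Constructed sample ROAs: (prefix, maxLength, origin ASN).
# Documentation prefixes and ASNs only, not real routing data.
SAMPLE_ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("203.0.113.0/24", 24, 64500),
    ("2001:db8::/32", 48, 64501),
]


def validate(prefix, origin_asn, roas=SAMPLE_ROAS):
    """Return 'valid', 'invalid' or 'not-found' for one announcement (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A ROA covers the route only if it is the same address family
        # and the announced prefix lies inside the ROA prefix.
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # A match also needs the announced length to stay within maxLength
        # and the origin ASN to equal the ROA's ASN (AS0 never matches).
        if route.prefixlen <= max_len and roa_asn == origin_asn and roa_asn != 0:
            return "valid"
    # Covered by at least one ROA but matched by none: validation fails.
    return "invalid" if covered else "not-found"


def audit(announcements, roas=SAMPLE_ROAS):
    """Map each planned (prefix, origin ASN) announcement to its validation state."""
    return {(p, asn): validate(p, asn, roas) for p, asn in announcements}


if __name__ == "__main__":
    planned = [  # constructed announcements
        ("192.0.2.0/24", 64500),     # exact ROA match
        ("192.0.2.0/25", 64500),     # more specific than maxLength allows
        ("192.0.2.0/24", 64511),     # origin ASN differs from the ROA
        ("2001:db8:1::/48", 64501),  # within maxLength of the covering ROA
        ("198.51.100.0/24", 64500),  # no covering ROA
    ]
    for route, state in audit(planned).items():
        print(route, state)
```

Routes that come back "invalid" are the ones that fail validation: a more-specific announcement beyond the ROA's maxLength fails just as a wrong origin ASN does.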
You can check on the status of your AS in the routing databases.
Please also keep your PeeringDB record up to date or create a record if you don’t have one yet as PeeringDB is THE tool for all peering administrators.
DDoS (Distributed Denial-of-Service) attacks are growing in number and evolving annually, and can slow or cripple your network performance.
Clean IX is a cutting-edge collaborative anti-DDoS service offered by NL-ix and supported by NaWas, the anti-DDoS service provided by The Dutch National Internet Providers Management Organisation (Nationale Beheersorganisatie Internet Providers or NBIP).
If a customer is under attack, traffic is re-routed away from the server to the Clean IX service. The attacked traffic is scrubbed clean and then re-routed back over a separate VLAN. Clean IX is a powerful service for DDoS mitigation, and it is constantly improved to keep ahead of the latest attack techniques. Normally the problem is detected and solved in a matter of minutes, well before the customer even sees it.
Please contact NL-ix if you are interested in getting Clean IX.
Secure direct traffic paths
Secure traffic paths to all those who are important to you with direct sessions. Many large operators (Liberty Global/UPC, DTAG, Vodafone) or CDNs (Google, Microsoft) don’t like to peer with Route Servers in general. They send more prefixes via a direct peering session and/or give more priority and traffic engineering focus to direct sessions. The same is true for your individually important partner networks.
Specifically for Liberty Global/UPC, DTAG and Vodafone, NL-ix has a Premium Peering service that provides transparent and zero-hop full access to these otherwise unpeerable networks.
The customer story of Parknet provides more inspiration on how to maximize peering traffic.
Bogon and martian filtering
A bogon prefix is a route that should never appear in the Internet routing table. A packet routed over the public Internet (not including over VPNs or other tunnels) should never have an address in a bogon range. These are commonly found as the source addresses of DDoS attacks.
Bogon filtering filters bogus (fake) IP addresses of a computer network. Bogons can be filtered by using router access-control lists (ACLs), or by BGP blackholing. Full bogons filtering is recommended but not enabled by default. You can start bogon filtering here
NL-ix advises customers using Peering to follow the BGP Filter Guides.