Route Policy

The BGP Announcement Policy of Stacks Inc is as follows:

Route Announcement

Improper Route Announcement

If a Stacks Inc participant is reported to be announcing routes (whether RTBH, /24, etc.) that it does not own, Stacks Inc will coordinate with the related parties so that they can check with each other, and may suspend the Stacks Inc switch port if necessary. If you find an improper route announcement on Stacks Inc, please report it to the Stacks Inc NOC at noc[@]stacksinc.net.

1. Route Servers Filtering

a. IP address filtering

  • Applicable to general Stacks Inc members.
  • Filtering by IP addresses.

b. IRR filtering

  • Applicable to general Stacks Inc members.
  • Filtering by IP addresses.
  • Updated automatically from the Internet Routing Registry database.
  • Please register your AS-SET in an IRR database.

Stacks Inc members should check the integrity of their IP address filters and submit only the IP addresses that require an update. Stacks Inc may reject an application if the IP addresses are already included in the filter.

The minimum IP block accepted by the Stacks Inc route server is /24.

2. BGP Community Supported by Stacks Inc Route Servers

Route Prefix Advertisement Control by BGP Community

Stacks Inc route servers support route prefix advertisement control by standard BGP community. Stacks Inc participants can use the standard BGP communities below to control BGP prefix advertisement; the target ($Peer-AS) is a 2-byte AS number.

 

Action                            BGP community
Send prefix to all                398704:398704
Send prefix to $Peer-AS only      398704:$Peer-AS
Do not send prefix to all         0:398704
Do not send prefix to $Peer-AS    0:$Peer-AS

  • If none of the above BGP communities is set, a prefix will be sent to all by default.
  • Please set only one type of the above BGP communities; $Peer-AS can appear multiple times (for example 398704:65501 & 398704:65502 to announce a prefix only to AS65501 and AS65502, or 0:65501 & 0:65502 to announce a prefix to all but not to AS65501 and AS65502).

3. RPKI Supported by Stacks Inc Route Servers

Stacks Inc supports RPKI on Stacks Inc Route Servers starting from mid-June 2020 in order to enhance routing security.

What is RPKI?

Resource Public Key Infrastructure (RPKI) is a public key infrastructure framework designed to secure the Internet’s routing infrastructure. RPKI can be used to prevent route hijacking and misconfigurations.

 

How does RPKI help to prevent route hijacking?

An RPKI certificate proves the association between specific IP address blocks and their owner. Stacks Inc can validate the legitimacy of prefixes when Stacks Inc participants send them to Stacks Inc Route Servers.

 

What is a ROA?

A Route Origin Authorization (ROA) associates a prefix with an origin AS number. A ROA also specifies the most specific prefix (maximum length) that the AS may announce.

 

How do Stacks Inc Route Servers validate ROAs?

Stacks Inc Route Servers validate ROAs with an RPKI validator, which assigns each announcement one of the three RPKI validity states, and tag the prefix with a standard BGP community where appropriate:

  • VALID: There is a ROA that covers the BGP announcement in terms of origin AS number, prefix and prefix length. (398704:65021)
  • UNKNOWN: There is no ROA for the prefix. Stacks Inc Route Servers will further check the prefix with either Stacks Inc IP address filtering or IRR filtering. (398704:65022)
  • INVALID: There is a ROA for the prefix, but either the origin AS number or the prefix length does not match. Stacks Inc Route Servers will reject these prefixes.
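
The three validity states above, together with the RTBH exception from the FAQ on this page, as an added Python example (not Stacks Inc's route server code). Assumptions: the constructed sample ROAs, the names validate and decide, the blackhole flag standing in for however the route server recognises an RTBH announcement, and limiting the RTBH exception to announcements whose origin AS matches a covering ROA.

```python
import ipaddress

TAG_VALID = "398704:65021"      # communities as listed on this page
TAG_UNKNOWN = "398704:65022"
TAGS_RTBH = ("398704:666", "398704:65023")

# Constructed sample ROAs: (prefix, max_length, origin_as), documentation ranges only
SAMPLE_ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("2001:db8::/32", 48, 64501),
]

def covering_roas(prefix, roas):
    """ROAs whose prefix equals or contains the announced prefix."""
    net = ipaddress.ip_network(prefix)
    out = []
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            out.append((roa_net, max_len, asn))
    return out

def validate(prefix, origin_as, roas=SAMPLE_ROAS):
    """Return VALID, UNKNOWN or INVALID for one announcement."""
    net = ipaddress.ip_network(prefix)
    covering = covering_roas(prefix, roas)
    if not covering:
        return "UNKNOWN"                      # no ROA covers the prefix
    for _, max_len, asn in covering:
        if asn == origin_as and net.prefixlen <= max_len:
            return "VALID"                    # origin and length both match
    return "INVALID"                          # covered, but origin or length is wrong

def decide(prefix, origin_as, blackhole=False, roas=SAMPLE_ROAS):
    """Return (action, communities) following the page's three states."""
    state = validate(prefix, origin_as, roas)
    if state == "VALID":
        return ("accept", [TAG_VALID])
    if state == "UNKNOWN":
        # Not a final accept: the IP address or IRR filter still has to pass.
        return ("check-ip-or-irr-filter", [TAG_UNKNOWN])
    # INVALID. Assumption: the RTBH exception applies only when the origin AS
    # matches a covering ROA, i.e. only the prefix length exceeds max_length.
    origin_ok = any(asn == origin_as for _, _, asn in covering_roas(prefix, roas))
    if blackhole and origin_ok:
        return ("accept", list(TAGS_RTBH))
    return ("reject", [])
```

A more-specific announcement such as a /25 inside a /24 ROA with maximum length 24 comes out INVALID even from the correct origin AS, which is why the maximum length in a ROA should match what you actually announce.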

 


How can you create your ROA?

For APNIC, you can log in to your MyAPNIC account and follow the step-by-step guide.

For other Regional Internet Registries (RIRs), please refer to:

AFRINIC https://afrinic.net/resource-certification

ARIN https://www.arin.net/resources/rpki

LACNIC https://www.lacnic.net/640/2/lacnic/general-information-resource-certification-system-rpki

 

Stacks Inc RPKI Deployment FAQ:

      • Do I need to implement RPKI in order to peer with Stacks Inc Route Servers?

    No, but if you have RPKI ROAs configured, your announced BGP prefixes must be covered by the ROAs.

      • What happens if I do not have a ROA yet?

    If you don’t have any ROA, you won’t be affected. The RPKI validation status is UNKNOWN and the Stacks Inc route servers will further check the prefix with either Stacks Inc IP address filtering or IRR filtering.

      • Will Stacks Inc accept my blackholing (RTBH) prefix if it does not comply with the maximum prefix length (e.g. /32) in the ROA?

    Yes, Stacks Inc Route Servers will accept the /32 prefix for blackholing. It will be tagged with 398704:666 and 398704:65023 in the BGP announcement.

      • How can I verify my prefix after the Stacks Inc RPKI deployment?

    You can check your prefix and the validation status at

 
