Greetings, Thanks for the detailed update. It would be good if you can let us know when you can release aggregated traffic reporting on the exchange - standard for IXs in North America and Europe.
> - Enforce router hygiene - NZIX2 will block IGP, CDP, STP etc noise leaked by peers, by only allowing DIX Ethernet (Ethernet II) encapsulated frames and not LLC/SNAP frames - ARP, DHCP, PIM, ICMPv6 ND-RA etc broadcast and multicast messages will be blocked. We have an exception for ARP messages sourced from the exchange peering subnet and IPv6 ND (NB: IPv6 traffic is still not supported in this demo version)
> - Implement IETF BCP38 - Instead of relying on peers to implement BCP38, NZIX2 enforces it by only allowing traffic sourced from a prefix which has been registered on the NZIX2 portal to enter the exchange
So you are going to require peers to register on your portal, rather than using RADB which is the industry standard solution for exactly this problem? Why?
> - Reflection attack mitigation - switch ports are tied to prefixes and mac addresses so the exchange SDN switch will not accept traffic sourced from a prefix which is not supposed to be coming from this particular port, as registered on the NZIX2 portal
So you are effectively implementing uRPF strict mode? That's an *interesting* decision. There are many situations where a transit provider may be used by an ASN for outbound traffic only - or for outbound traffic for all prefixes, and inbound for only certain prefixes - for either load balancing or fault mitigation. By doing this you break the ability of NZ providers to allow this. You are effectively enforcing a standard which is not used on the major transit networks in NZ. Also if a user in NZ obtains a new prefix, and their transit provider has not yet updated you with this new prefix, but another transit provider they are dual homed to has, and they start using this, you may cause blackholing of this traffic.
> - Prevent capacity stealing - traffic is allowed on the exchange only if it's sourced/destined from/to a prefix that has been registered on the NZIX2 portal. This means that if a peer configures a static default route to an ISP that has the full internet routing table, his traffic destined to international prefixes will be dropped
As per my comments above on your last point.
Cheers, Tim
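As an added illustration (not part of this thread or of NZIX2's own code), here is a toy Python model of the per-port ingress policy the quoted announcement describes: Ethernet II only, ARP only from the peering subnet, source prefix bound to the ingress port, and destination restricted to registered prefixes. All ports, MAC addresses and prefixes are constructed; IPv6 is not modelled; the final check reproduces the dual-homed, outbound-only case raised in the reply.

```python
import ipaddress

# Constructed example registry: switch port -> (peer MAC, prefixes registered
# for that port on the portal). None of these values come from the message.
REGISTRY = {
    1: ("00:11:22:33:44:01", [ipaddress.ip_network("192.0.2.0/24")]),
    2: ("00:11:22:33:44:02", [ipaddress.ip_network("198.51.100.0/24")]),
}
ALL_PREFIXES = [p for _, prefixes in REGISTRY.values() for p in prefixes]
PEERING_SUBNET = ipaddress.ip_network("203.0.113.0/24")  # constructed exchange LAN
ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806


def is_ethernet_ii(type_or_length):
    """Ethernet II carries an EtherType (>= 0x0600); 802.3/LLC carries a length."""
    return type_or_length >= 0x0600


def ingress_decision(port, src_mac, ethertype, src_ip, dst_ip):
    """Return 'forward' or a 'drop: ...' reason for a frame arriving on `port`."""
    if not is_ethernet_ii(ethertype):
        return "drop: LLC/SNAP frame (router hygiene)"
    mac, port_prefixes = REGISTRY[port]
    if src_mac.lower() != mac:
        return "drop: source MAC not registered for this port"
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if ethertype == ETHERTYPE_ARP:
        # Broadcast is blocked except ARP sourced from the peering subnet.
        return "forward" if src in PEERING_SUBNET else "drop: ARP from outside peering subnet"
    if ethertype != ETHERTYPE_IPV4:
        return "drop: unsupported EtherType in this model"  # IPv6 not modelled
    if not any(src in p for p in port_prefixes):
        # BCP38 enforced per port (strict-uRPF-like): source must be bound to this port.
        return "drop: source prefix not registered on this port"
    if not any(dst in p for p in ALL_PREFIXES):
        # "Capacity stealing": destination must be a prefix registered on the exchange.
        return "drop: destination prefix not registered on the exchange"
    return "forward"


if __name__ == "__main__":
    # The asymmetric case raised in the reply: 192.0.2.0/24 is registered only on
    # port 1, but the dual-homed customer sends outbound via the provider on port 2.
    print(ingress_decision(2, "00:11:22:33:44:02", ETHERTYPE_IPV4, "192.0.2.10", "198.51.100.5"))
```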