
We are excited to announce that we’re currently exploring opportunities to expand our network. Based on the team’s strategic planning session earlier this month, we thought it best to ask our Corporate and Affiliate members directly – where should we expand?

The survey is designed to determine where you would like us to build the next IX and if you would like to see any new points of presence on existing IXes. We’re also thinking of expanding into regional areas and would appreciate your thoughts on the locations.

As a member-run association, this survey gives us clear input on the best upgrade and expansion paths for our network. If you are a Corporate or Affiliate member, please take the time to complete the survey by Friday 4th March 2022, 5:00pm AEDT. So, go on – tell us where to go!

 

Our engineers applied new firmware to WA-IX to resolve a software bug, on the switches located in QV1 (pe3.pe1) and NextDC P1 (pe2.pe5). The latest version has been tested in our lab and verified for deployment. This is the first of many firmware upgrades that will be progressively rolled out across all the IXes, as we prepare for automation and standardise the firmware across our hardware.

This year marks 25 years of WA-IX. As many of you know, our first Point of Presence (PoP) was located in the basement of QV1 and is still part of our network today. The action of creating the first PoP was described by Michael Malone – president of WAIA in 1997 – as “a laudable display of cooperation between competitors.”

The IX was first conceived in 1996, at a time when most people were using the wholesalers of the day (AARNet, connect.com.au or Access1) and traffic was very costly both internationally and locally ($1.46 per MB sent and received). Those who were part of WAIA at the time generally agreed that an IX was a great idea and that a neutral peering point made a lot of sense.

The first PoP comprised donated hardware from iiNet with engineers from iiNet, Wantree and Omen jointly managing it on a volunteer basis. Since then, our network has expanded significantly, and we now have more than 30 PoPs nationally.

A snippet from the original press release, “As of about half an hour ago, iiNet and Omen are the first two networks peering at the WA Internet Exchange. […] Wantree and Paradox digital expect to be connected to the peering point within a week, and PARNet (the four public universities and CSIRO) should be on by mid-July” – Michael Malone, 1997. Read the full version of the 1997 press release.

We would like to remind members that our network change embargo period is from 22nd December 2021 through to 10th January 2022 inclusive. During this time, we will not be provisioning any new services or changing any existing services. Rest assured, support staff will be on call to deal with urgent issues or network emergencies should they arise.

If you have any orders or change requests, please submit them by 10th December 2021.

It was with much sadness that our team farewelled Washif Ahmed, who joined Ausgrid as a Network Engineer. Washif joined us in 2019 and has been an asset to our technical team right from the outset. His caring and kind nature, fantastic work ethic, knowledge, skills and abilities and funny memes will be greatly missed. We wish him all the best with his future career.

Unfortunately, last month, New Zealand Internet Exchange’s plan to launch the much-anticipated WLG-IX was pushed back due to lockdown restrictions preventing important work needed to get it up and running. Thankfully, as Wellington lifted to level three restrictions, work resumed, and the new IX is now completed and in production, with the official launch date set for November 1 2021. WLG-IX is starting with a 12-month FREE period. Happy peering! 

All those eager to hear about the launch should keep an eye out on NZIX’s social media accounts.

 

We are excited to announce that Google has joined VIC-IX! With Google being only one hop away across VIC-IX, your customers can now access a wide range of their favourite content through our network.  

It’s always good to have quality content providers joining. If you have any content providers that you would like to see on our IXes, we would love to hear from you!

 

This year, our network change embargo period is from 22nd December 2021 through to 10th January 2022 inclusive. This means that we won’t be provisioning any new services or changing any existing services during this period. Support staff will, of course, be on call to deal with urgent issues or network emergencies should they arise. 

Please remember all orders and change requests need to be received by 10th December, 2021. Log in to the portal now if you need that upgraded or extra port!

We all know about Border Gateway Protocol (BGP). We also know that it’s permissive by nature and that serious problems can happen when routes are leaked or, worse still, hijacked. In previous years, even prominent organisations such as Google, Apple, Facebook, YouTube, and Microsoft have been victims of hijacking, which is a good reminder that we need to actively prevent it.

So, the question remains, how do we protect ourselves and reduce our networks’ vulnerability to leaking and hijacking? Think BGP security!

Although it’s a topic that has been widely discussed for many years, there are a few things you can do to instantly improve BGP security on your network by adopting some of our tips for good BGP hygiene.

 

Tip One: Block bogons

Plain and simple: by definition, bogon prefixes should not exist on the Internet. Bogon routes are bogus. They cover IP address ranges that are unassigned, or even reserved for something else altogether, and that have been advertised either mistakenly or on purpose. We should not be receiving packets from them or sending packets to them, and if we collectively block them, we can protect our networks.

What do people achieve by using this space? SPAM! You can use a prefix that no one owns and spam to your heart’s content. Team Cymru provides a BGP feed that you can use to drop these at your edges automatically.

 

Tip Two: Filter, filter, filter!

Filtering should be applied at every stage, starting with a ‘drop all’ and being specific about what to allow.

Transit Providers – Ingress:

  • Drop Bogons (including RFC1918 space) – DON’T RELY ON A DROP ALL RULE TO CATCH THESE
  • If you are expecting only a default route, DROP EVERYTHING ELSE
  • If you are expecting a full transit feed without default, DROP DEFAULT

Transit Providers – Egress:

  • Send your routes
  • Send your customer routes – send your customer tagged routes based on your internal community
  • Do not use prefix lists alone – you MUST use prefix lists and communities together

Customers – Ingress:

  • Drop Bogons (including RFC1918 space)
  • Validate prefixes with RIRs and get LOAs – if the customer does not own the prefix, do not accept it
  • Match BOTH prefix AND AS-Path
  • Drop RPKI invalids
  • Set max-prefixes – if a customer should only be sending you ten prefixes, set a limit of 15 on the session. That way, if they have a route leak, their session will be disabled and will stop you from propagating the leak (see tip three for more information on leaky routes)
  • Use communities – tag valid routes here with an internal community, and propagate to your providers based on the communities

Peering Providers (that’s us) – Ingress:

  • Drop Bogons (including RFC1918 space)
  • Do not trust routes from route servers – we validate, but you MUST validate them too
  • Set max prefix limits on sessions and shut down the route server session if it exceeds the max prefix limit (generally 10-20% of total routes)
  • Drop RPKI invalids
  • Set max-prefixes – our numbers are on PeeringDB

Peering Providers – Egress:

  • See Transit Provider Egress
  • Send your internal routes
  • Send your customer routes – send your customer tagged routes based on your internal community
  • Do not use prefix lists alone – you MUST use prefix lists and communities together.
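
The Customers – Ingress checklist above, sketched as a decision function. This is an added example, not IAA's configuration: the customer record, ASNs, community value and shortened bogon list are constructed, and RPKI validation is left out to keep the block short.

```python
import ipaddress

# Constructed, partial bogon list (RFC 1918 plus other reserved space). The
# documentation ranges are left out so they can act as "customer" space below.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# Hypothetical customer record: prefixes already validated (RIR records, LOA).
CUSTOMER = {
    "asn": 64500,
    "prefixes": {ipaddress.ip_network("203.0.113.0/24"),
                 ipaddress.ip_network("198.51.100.0/24")},
    "max_prefixes": 15,          # customer normally sends about ten
    "community": "64496:100",    # assumed internal "customer route" tag
}

def check_route(customer, prefix, as_path):
    """Return (accepted, detail) for one announcement on a customer session."""
    net = ipaddress.ip_network(prefix)
    # Explicit bogon drop first, rather than relying on the final deny.
    if any(net.version == b.version and net.subnet_of(b) for b in BOGONS):
        return False, "bogon"
    if net not in customer["prefixes"]:
        return False, "prefix not authorised"
    # Stub customer: every hop (including prepends) must be its own ASN.
    if not as_path or set(as_path) != {customer["asn"]}:
        return False, "as-path mismatch"
    return True, customer["community"]

def process_session(customer, announcements):
    """Apply max-prefix to the whole session, then filter each route."""
    if len({p for p, _ in announcements}) > customer["max_prefixes"]:
        # Likely route leak: disable the session and accept nothing.
        return {"state": "shutdown", "accepted": {}}
    accepted = {}
    for prefix, as_path in announcements:
        ok, detail = check_route(customer, prefix, as_path)
        if ok:
            accepted[prefix] = detail   # prefix -> community used for egress
    return {"state": "established", "accepted": accepted}
```

Egress policy would then match on both the community stored in `accepted` and the prefix list, never on the prefix list alone.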

 

Tip Three: Adopt good routing practices

You should always have a consistent route advertisement policy. Don’t send /24s to peering and /22s to transit providers. Unfortunately, this adds junk into the ever-expanding global routing table and is not beneficial in any shape or form.

Our Tech Team Leader predicts that if we *remove* all the redundant specific routes – that is /24s when the same path exists with a /22 or something larger – we can reduce the size of the routing table from 870,317 routes all the way down to 390,074 routes (please note that this is an internal finding and should be taken with a grain of salt).
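
One way to find the redundant specifics described above: a route is redundant when its nearest covering route carries the same AS path. This is an added example, not the method behind the figures quoted here; the table uses constructed prefixes from the 198.18.0.0/15 benchmarking range and documentation ASNs.

```python
import ipaddress

# Constructed routing table: (prefix, AS path).
TABLE = [
    ("198.18.0.0/22", (64496, 64500)),
    ("198.18.1.0/24", (64496, 64500)),  # same path as the /22: redundant
    ("198.18.2.0/24", (64497, 64500)),  # different path: changes routing, keep
    ("198.18.4.0/22", (64496, 64501)),
    ("198.18.4.0/23", (64497, 64501)),
    ("198.18.4.0/24", (64496, 64501)),  # nearest cover (/23) differs: keep
    ("198.18.8.0/24", (64496, 64502)),  # no covering route at all
]

def redundant_specifics(table):
    """Return the prefixes whose nearest covering route has the same AS path."""
    routes = {ipaddress.ip_network(p): tuple(path) for p, path in table}
    redundant = []
    for net, path in routes.items():
        # Walk up one bit at a time until a covering route is found.
        for plen in range(net.prefixlen - 1, -1, -1):
            parent = net.supernet(new_prefix=plen)
            if parent in routes:
                # Only the nearest cover matters: it is where traffic would
                # go if this more-specific route disappeared.
                if routes[parent] == path:
                    redundant.append(str(net))
                break
    return sorted(redundant)

def compact(table):
    """Return the table with redundant specifics removed."""
    drop = set(redundant_specifics(table))
    return [(p, path) for p, path in table if p not in drop]
```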

 

 

The best local preference orders are:

  • Preference customer routes – they pay you, so if you have a route from a customer, you should use that first.
  • Preference peering routes – peering is cheap, so offload as much as you can here to reduce your transit bill
  • Preference transits – the *last* resort path, as it’s generally expensive

With everyone following the model above, using /24s on peering and /22s on transits makes no sense, as peering will already be preferred – YOU CAN HELP TO SAVE THE ROUTE TABLES!

 

Tip Four: Use Resource Public Key Infrastructure (RPKI)

If you haven’t already, deploy RPKI. It uses Route Origin Authorisations (ROAs), signed records of which origin AS number is authorised to announce a prefix, so that routes can be verified against them. Simply put, it acts as a digital thumbprint.

Validate RPKI at every step. Validate routes from transit, peering, and customers.

  • If RPKI state is INVALID, then drop the route. Do not use it to route any packet – no matter what
  • If RPKI state is VALID, prefer this path over an unknown
  • If RPKI state is UNKNOWN, use this path at a lower preference
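
The three RPKI rules above, combined with the customer, peering, transit preference order from tip three. This is an added example, not IAA's policy: it follows the route origin validation procedure of RFC 6811, and the ROA data, ASNs and local-preference numbers are constructed.

```python
import ipaddress

# Constructed validated ROA payloads: (prefix, max length, authorised origin).
VRPS = [
    ("198.18.0.0/22", 23, 64500),
    ("198.18.8.0/24", 24, 64502),
]

# Assumed local-preference values: customer > peering > transit.
BASE_LOCAL_PREF = {"customer": 300, "peering": 200, "transit": 100}
VALID_BONUS = 10   # assumed: VALID beats UNKNOWN within one session type

def rpki_state(prefix, origin_asn, vrps=VRPS):
    """Classify a route as VALID, INVALID or UNKNOWN (RFC 6811 'NotFound')."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, asn in vrps:
        roa_net = ipaddress.ip_network(vrp_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True   # at least one ROA speaks for this address space
        # Origin must match and the route must not exceed the max length.
        # AS 0 never validates a route.
        if asn == origin_asn and asn != 0 and net.prefixlen <= max_len:
            return "VALID"
    return "INVALID" if covered else "UNKNOWN"

def import_decision(prefix, as_path, session_type):
    """Return the local preference to set, or None to drop the route."""
    state = rpki_state(prefix, as_path[-1])   # origin is the last AS in the path
    if state == "INVALID":
        return None                           # never used to route a packet
    bonus = VALID_BONUS if state == "VALID" else 0
    return BASE_LOCAL_PREF[session_type] + bonus
```

Note that a /24 inside a ROA with a maximum length of 23 is INVALID even when the origin AS is correct.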

The Internet continues to be a place of opportunity, both good and bad, and we need to do our best to reduce our networks’ susceptibility to leaking and hijacking. To instantly reduce some of the vulnerabilities of your network, try following our tips for good BGP hygiene or get in contact to speak with one of our network experts at the Internet Association of Australia Ltd, who are always happy to help.

 

Disclaimer: Before choosing to action any of the tips in this post, please be sure to consult with your organisation’s network and security experts.
