
Action 3: Protect the Peering Platform

The IXP has a published policy of traffic not allowed on the peering fabric and performs filtering of such traffic.

The main purpose of the peering platform is to allow IXP members to exchange Internet Protocol (IP) traffic between their Autonomous Systems and those of their customers. The only functions that routers connected to the IXP should perform on their peering interface are establishing BGP sessions and forwarding IP traffic. Features active on a member's peering interface that serve no BGP or forwarding purpose are not merely useless; they can be dangerous to the operation of the IXP.

As in any shared environment, there must be rules that all participants observe so that the IXP runs safely for the benefit of everyone. While not strictly a routing matter, Layer 2 hygiene keeps the platform running smoothly and contributes to the stability of the IXP infrastructure and of the routing that depends on it. Misconfigurations can happen to anybody, so the IXP should put protection mechanisms such as the following in place on the peering platform.

Each port of the peering platform should be filtered on the Ethertype field so that only frames carrying an expected payload are forwarded:

  • 0x0800 -- IPv4

  • 0x0806 -- ARP

  • 0x86dd -- IPv6

Commonly, filtering applies to:

  • Blocked Ethernet frame formats

  • Blocked Ethertypes

  • Various Link-local protocols, such as IRDP, ICMP redirects, Discovery protocols (CDP, EDP), VLAN/trunking protocols (VTP, DTP), BOOTP/DHCP, etc.

Where possible, the traffic listed above should be filtered in order to guarantee high levels of security and robustness for the whole peering platform and to avoid disrupting the flow of traffic between members. In general, every protocol that generates broadcast traffic toward the switching infrastructure of the exchange point should be disabled; the only exceptions are ARP and any other protocol that is necessary for the correct functioning of the exchange point.

Other recommendations:

  • MAC address locking: for each switch port used by a member, only one MAC address should be authorized; that MAC address is associated with the IP addresses the member uses for peering. For each peer connection, the MAC address of the member's router interface should be statically "locked" to the switch port it is connected to. All frames arriving from any other source MAC address should be dropped at the port;

  • Storm control: together with MAC locking, the IXP should enforce broadcast storm control on its switches, in order to prevent an accidentally generated broadcast storm from affecting the whole exchange. As a general rule, broadcast traffic on each port is limited to 10% of the available bandwidth;

  • Proxy ARP on the member router's peering interface must not be enabled. A router configured with proxy ARP answers ARP requests for addresses that are not its own, which on a shared peering LAN is dangerous: other members' routers would learn its MAC address for those IP addresses, and traffic destined for other members would be hijacked;

  • Disabling bridge control traffic (such as spanning-tree BPDUs) between the IXP fabric and member ports;

  • Quarantine VLAN: when a member joins the IXP, its port should first be assigned to a quarantine VLAN where a "dummy" peering is set up. All new ports are placed there for testing before the member's connection is moved into the production environment. A member is moved to the main peering VLAN only after every problem detected in the quarantine VLAN has been fixed.
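The checks above (Ethertype allow-list, MAC locking, no proxy ARP, IPv6 only to unicast or 33:33 group MACs, a broadcast storm threshold) can be expressed as an audit over frames captured on a member port, for instance from a port mirror during the quarantine phase. The following Python script is an added example and is not part of the MANRS document or of any vendor's code: the port table, the MAC and IP addresses and the sample frames are all constructed for illustration, and the "frame count" used for the storm threshold stands in for the bandwidth share the text refers to.

```python
import ipaddress
import struct

# EtherTypes the peering fabric accepts, per the Action 3 policy above.
ALLOWED_ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Hypothetical MAC-locking table (assumption, not real IXP data): one router
# MAC and one peering IPv4 address per member port.
PORT_TABLE = {
    "1/1/1": {"mac": "00:11:22:33:44:01", "ipv4": "192.0.2.1"},
    "1/1/2": {"mac": "00:11:22:33:44:02", "ipv4": "192.0.2.2"},
}


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def eth(dst, src, etype, payload=b""):
    """Build a raw frame; a value below 0x0600 is an 802.3 length field, not an EtherType."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", etype) + payload


def arp(op, sha, spa, tha, tpa):
    """Build an IPv4-over-Ethernet ARP payload (op 1 = request, 2 = reply)."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac_bytes(sha)
            + ipaddress.IPv4Address(spa).packed + mac_bytes(tha)
            + ipaddress.IPv4Address(tpa).packed)


def check_frame(port, frame):
    """Return the list of policy violations for one frame received on a member port."""
    violations = []
    if len(frame) < 14:
        return ["runt frame"]
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    etype = struct.unpack("!H", frame[12:14])[0]
    locked = PORT_TABLE[port]
    # MAC locking: only the one registered router MAC may send on this port.
    if src != locked["mac"]:
        violations.append(f"MAC locking: source {src} is not the locked MAC of port {port}")
    # Frame-format check: 802.3/LLC framing is what CDP, VTP, DTP and STP ride on.
    if etype < 0x0600:
        violations.append("blocked frame format: 802.3/LLC frame (not Ethernet II)")
        return violations
    if etype == 0x8100:
        violations.append("blocked ethertype: 802.1Q tagged frame on an untagged peering port")
        return violations
    if etype not in ALLOWED_ETHERTYPES:
        violations.append(f"blocked ethertype 0x{etype:04x}")
        return violations
    payload = frame[14:]
    if etype == 0x0806 and len(payload) >= 28:
        op = struct.unpack("!H", payload[6:8])[0]
        sha = mac_str(payload[8:14])
        spa = str(ipaddress.IPv4Address(payload[14:18]))
        if sha != locked["mac"]:
            violations.append(f"ARP sender MAC {sha} differs from the locked MAC")
        # A router answering (or asking) with an address that is not its own peering
        # address is what proxy ARP looks like on the wire: it attracts other members' traffic.
        if spa != locked["ipv4"]:
            kind = "reply" if op == 2 else "request"
            violations.append(f"ARP {kind} claims {spa}, not this port's peering address (proxy ARP or spoofing)")
    if etype == 0x86DD:
        # IPv6 may go to a unicast MAC or to a 33:33:xx:xx:xx:xx group MAC, never to broadcast.
        if frame[0] & 0x01 and not dst.startswith("33:33:"):
            violations.append(f"IPv6 frame to non-IPv6 group address {dst}")
    return violations


def broadcast_share(frames, limit=0.10):
    """Share of frames addressed to ff:ff:ff:ff:ff:ff, compared with the 10% storm-control
    threshold the text cites (frame count here stands in for link bandwidth)."""
    n = sum(1 for f in frames if mac_str(f[0:6]) == BROADCAST)
    share = n / len(frames) if frames else 0.0
    return share, share > limit


# Constructed sample frames, all received on port 1/1/1 (not a real capture).
M1, M2 = PORT_TABLE["1/1/1"]["mac"], PORT_TABLE["1/1/2"]["mac"]
M3 = "00:11:22:33:44:03"  # hypothetical third member acting as ARP requester
SAMPLE = [
    ("1/1/1", eth(BROADCAST, M1, 0x0806, arp(1, M1, "192.0.2.1", "00:00:00:00:00:00", "192.0.2.2"))),  # normal ARP request
    ("1/1/1", eth(M3, M1, 0x0806, arp(2, M1, "192.0.2.2", M3, "198.51.100.3"))),  # proxy-ARP style reply for another member's IP
    ("1/1/1", eth(M2, "de:ad:be:ef:00:01", 0x0800, b"\x45" + b"\x00" * 19)),  # IPv4 from an unregistered MAC
    ("1/1/1", eth("01:80:c2:00:00:0e", M1, 0x88CC, b"\x02\x07\x04" + b"\x00" * 10)),  # LLDP
    ("1/1/1", eth("01:00:0c:cc:cc:cc", M1, 0x0020, b"\xaa\xaa\x03\x00\x00\x0c\x20\x00")),  # CDP over 802.3/SNAP
    ("1/1/1", eth("33:33:00:00:00:01", M1, 0x86DD, b"\x60" + b"\x00" * 39)),  # IPv6 to all-nodes multicast
    ("1/1/1", eth(BROADCAST, M1, 0x86DD, b"\x60" + b"\x00" * 39)),  # IPv6 to Ethernet broadcast
    ("1/1/1", eth(M3, M1, 0x8100, b"\x00\x64\x08\x00")),  # 802.1Q tagged frame
]


def audit(sample=SAMPLE):
    """Run every sample frame through check_frame; returns [(index, violations), ...]."""
    return [(i, check_frame(port, f)) for i, (port, f) in enumerate(sample)]


if __name__ == "__main__":
    for i, v in audit():
        print(i, v or "ok")
    print("broadcast share:", broadcast_share([f for _, f in SAMPLE]))
```

The ordering of the checks matters: the MAC-locking test runs first because it applies to every frame, while the frame-format and Ethertype tests return early since nothing further can be said about a frame the fabric would drop anyway. The IPv6 destination rule is the same unicast/multicast split the vendor examples later in this section encode with the `00:00:00:00:00:00/01:00:00:00:00:00` and `33:33:00:00:00:00/ff:ff:00:00:00:00` destination-MAC matches.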

3-2 Examples: Layer 2 Hardening

Below is an example of Layer 2 hardening on Nokia devices. The filter accepts only ARP, IPv4 and IPv6 frames whose source MAC is the member's locked router MAC (replace XX:XX:XX:XX:XX:XX with that address), allows IPv6 only toward unicast or 33:33 group destinations, and drops everything else by default.

Nokia hardening techniques, product line: 7250 IXR (MD-CLI)

L2 protection configuration:

/configure filter mac-filter "CUSTOMER X" description "MANRS IXP Action 3: Protect the peering platform"
/configure filter mac-filter "CUSTOMER X" default-action drop
/configure filter mac-filter "CUSTOMER X" scope exclusive
/configure filter mac-filter "CUSTOMER X" filter-id 100
/configure filter mac-filter "CUSTOMER X" entry 10 { description "ARP" }
/configure filter mac-filter "CUSTOMER X" entry 10 { match etype 0x806 }
/configure filter mac-filter "CUSTOMER X" entry 10 { match src-mac address XX:XX:XX:XX:XX:XX }
/configure filter mac-filter "CUSTOMER X" entry 10 { match src-mac mask ff:ff:ff:ff:ff:ff }
/configure filter mac-filter "CUSTOMER X" entry 10 { action accept }
/configure filter mac-filter "CUSTOMER X" entry 20 { description "IPv4" }
/configure filter mac-filter "CUSTOMER X" entry 20 { match etype 0x800 }
/configure filter mac-filter "CUSTOMER X" entry 20 { match src-mac address XX:XX:XX:XX:XX:XX }
/configure filter mac-filter "CUSTOMER X" entry 20 { match src-mac mask ff:ff:ff:ff:ff:ff }
/configure filter mac-filter "CUSTOMER X" entry 20 { action accept }
/configure filter mac-filter "CUSTOMER X" entry 30 { description "IPv6 Unicast" }
/configure filter mac-filter "CUSTOMER X" entry 30 { match etype 0x86dd }
/configure filter mac-filter "CUSTOMER X" entry 30 { match src-mac address XX:XX:XX:XX:XX:XX }
/configure filter mac-filter "CUSTOMER X" entry 30 { match src-mac mask ff:ff:ff:ff:ff:ff }
/configure filter mac-filter "CUSTOMER X" entry 30 { match dst-mac address 00:00:00:00:00:00 }
/configure filter mac-filter "CUSTOMER X" entry 30 { match dst-mac mask 01:00:00:00:00:00 }
/configure filter mac-filter "CUSTOMER X" entry 30 { action accept }
/configure filter mac-filter "CUSTOMER X" entry 40 { description "IPv6 Multicast" }
/configure filter mac-filter "CUSTOMER X" entry 40 { match etype 0x86dd }
/configure filter mac-filter "CUSTOMER X" entry 40 { match src-mac address XX:XX:XX:XX:XX:XX }
/configure filter mac-filter "CUSTOMER X" entry 40 { match src-mac mask ff:ff:ff:ff:ff:ff }
/configure filter mac-filter "CUSTOMER X" entry 40 { match dst-mac address 33:33:00:00:00:00 }
/configure filter mac-filter "CUSTOMER X" entry 40 { match dst-mac mask ff:ff:00:00:00:00 }
/configure filter mac-filter "CUSTOMER X" entry 40 { action accept }

Product line: 7450 ESS, 7750 SR, and 7950 XRS (MD-CLI)

L2 protection configuration:

/configure filter mac-filter "CUSTOMER X" description "MANRS IXP Action 3: Protect the peering platform"
/configure filter mac-filter "CUSTOMER X" default-action drop
/configure filter mac-filter "CUSTOMER X" scope exclusive
/configure filter mac-filter "CUSTOMER X" filter-id 100
/configure filter mac-filter "CUSTOMER X" entry 10 { description "ARP" }
/configure filter mac-filter "CUSTOMER X" entry 10 { match frame-type ethernet-ii }
/configure filter mac-filter "CUSTOMER X" entry 10 { match etype 0x806 }
/configure filter mac-filter "CUSTOMER X" entry 10 { match src-mac address XX:XX:XX:XX:XX:XX }
/configure filter mac-filter "CUSTOMER X" entry 10 { match src-mac mask ff:ff:ff:ff:ff:ff }
/configure filter mac-filter "CUSTOMER X" entry 10 { action accept }
/configure filter mac-filter "CUSTOMER X" entry 20 { description "IPv4" }
/configure filter mac-filter "CUSTOMER X" entry 20 { match frame-type ethernet-ii }
/configure filter mac-filter "CUSTOMER X" entry 20 { match etype 0x800 }
/configure filter mac-filter "CUSTOMER X" entry 20 { match src-mac address XX:XX:XX:XX:XX:XX }
/configure filter mac-filter "CUSTOMER X" entry 20 { match src-mac mask ff:ff:ff:ff:ff:ff }
/configure filter mac-filter "CUSTOMER X" entry 20 { action accept }
/configure filter mac-filter "CUSTOMER X" entry 30 { description "IPv6 Unicast" }
/configure filter mac-filter "CUSTOMER X" entry 30 { match frame-type ethernet-ii }
/configure filter mac-filter "CUSTOMER X" entry 30 { match etype 0x86dd }
/configure filter mac-filter "CUSTOMER X" entry 30 { match src-mac address XX:XX:XX:XX:XX:XX }
/configure filter mac-filter "CUSTOMER X" entry 30 { match src-mac mask ff:ff:ff:ff:ff:ff }
/configure filter mac-filter "CUSTOMER X" entry 30 { match dst-mac address 00:00:00:00:00:00 }
/configure filter mac-filter "CUSTOMER X" entry 30 { match dst-mac mask 01:00:00:00:00:00 }
/configure filter mac-filter "CUSTOMER X" entry 30 { action accept }
/configure filter mac-filter "CUSTOMER X" entry 40 { description "IPv6 Multicast" }
/configure filter mac-filter "CUSTOMER X" entry 40 { match frame-type ethernet-ii }
/configure filter mac-filter "CUSTOMER X" entry 40 { match etype 0x86dd }
/configure filter mac-filter "CUSTOMER X" entry 40 { match src-mac address XX:XX:XX:XX:XX:XX }
/configure filter mac-filter "CUSTOMER X" entry 40 { match src-mac mask ff:ff:ff:ff:ff:ff }
/configure filter mac-filter "CUSTOMER X" entry 40 { match dst-mac address 33:33:00:00:00:00 }
/configure filter mac-filter "CUSTOMER X" entry 40 { match dst-mac mask ff:ff:00:00:00:00 }
/configure filter mac-filter "CUSTOMER X" entry 40 { action accept }