PIE Karachi operates so-called route server systems (see RFC7947 for a detailed description) to facilitate the exchange of BGP announcements between peers at PIE Karachi. Each peer needs only to set up a BGP connection to the route server in order to receive the BGP announcements of all other peers having a BGP connection with the route server.
BGP session parameters
This section provides a brief overview of the BGP session parameters to connect to the route servers:
This section describes the filtering mechanism that can be used to filter BGP announcements.
Your side
You can safely accept any BGP announcements received via all route servers as PIE Karachi filters all incoming BGP announcements from all peers. The filtering mechanism is described in the section PIE Karachi side.
If you additionally want to filter on your side based on AS-SETs, you can do so by using one or more of the following AS-SETs registered in the RIPE database:
RIR macro (AS-SET)
Purpose
AS140307:AS-PIE-KARACHI
AS-SETs of all PIE-KARACHI customers (IPv4)
AS140307:AS-PIE-KARACHI-V6
AS-SETs of all PIE-KARACHI customers (IPv6)
AS140307:AS-PIE-KARACHI-CONNECTED
ASNs of all PIE-KARACHI customers
PIE Karachi side
At PIE Karachi, the route servers filter based on AS-path as well as IP prefixes. The BGP announcements that a route server receives from a peer are checked against the AS-SET the peer has provided. The AS-SET can be changed by contacting the PIE Karachi customer service team.
How and what the route servers filters
The PIE Karachi filters are updated every 6 hours. Don't forget to register your IP prefixes in the IRR database well in advance (at least 24h before announcing the first time).
are marked as "never via route servers" in PeeringDB
We will drop these kinds of routes.
Check the status of your routes
You can check the status of your announced routes to us in our Looking Glass – the reason why a route is filtered is also shown, as is a hint on how to fix the issue.
You can find more info on how to use the PIE Karachi Looking Glass here.
IRR and RPKI validation
Any routes you announce will also be RPKI (RFC6811, RFC7115) validated and checked against Internet Routing Registry (IRR) data. The AS-SET you provide to us will be recursively resolved. Then filtering is executed as follows:
Origin ASN needs to be in customer cone (make sure that your AS-SET is well maintained and that all your downstreams are included)
If no, the route undergoes strict RPKI validation filtering (both origin and maxLength):
if the result is RPKI Valid, the route is accepted (a missing route object will have no implication in this case)
if the result is RPKI Invalid, the route is rejected
if the result is RPKI NotFound, we check if the route is resolvable for its origin ASN (this will be the case if a proper route object exists) and it might get accepted or rejected depending on the result**
If yes, the route undergoes loose RPKI validation filtering (origin only):
if the result is RPKI Valid, the route is accepted
if the result is RPKI Invalid, the route is rejected
if the result is RPKI NotFound, we check if the route is resolvable for its origin ASN (this will be the case if a proper route object exists) and it might get accepted or rejected depending on the result**
**Loose filtering on IRRDB route objects We perform loose filtering on IRRDB route objects. For example: If you have a route object for 46.31.120.0/21 we will also accept e.g. 46.31.120.0/22 and other more specifics (up to /24 and up to /32 for blackholes). If this is not a desired behavior, we strongly encourage you to create a ROA and set the maxLength attribute accordingly. As RPKI validation is performed before the IRRDB route object check, it will render all undesired more specifics as RPKI Invalid, which will result in rejection of these. Please note that this method only works for non-blackholes as we perform loose RPKI validation on blackholes (i.e. ignore maxLength).
Route server setup
The route server setup at PIE Karachi consists of two machines. The software utilized to provide the route server service is BIRD. Of the two route servers only one is required. However, in order to use the route server service, every peer is requested to connect to both machines for redundancy purposes, so that if one machine is out of order (e.g. maintenance), the route server service can still be used.
If the route servers system receive a BGP announcement marked as a Blackhole, the NO-EXPORT community and the BLACKHOLE Community are added if these communities are not already present. This makes sure each BGP announcement marked as Blackhole can be easily filtered and does not spread widely in the Internet routing system.
Route server control
Action BGP Communities can be used to control various functions of the route server. With this communities, you can:
control the redistribution of advertised prefixes (on an ASN or geo location basis)
prepend your own ASN up to three times
trigger the calculation of a new alternate path (if available) for your advertised prefixes before you start commencing a maintenance
Informational BGP Communities are used to signal various information about redistributed prefixes. The PIE Karachi route servers tag all prefixes with certain BGP Communities to indicate their origin. You can use this information to determine where a certain prefix has been injected into the DE-CIX switching platform. This gives you the possibility to filter routes learned from the route servers based on geographical location.