Technical Guide

Connection Information

The following port speeds are available for connectivity into our peering points:

  • Auckland
    • 10Gbit/s – 10GBase-LR
    • 100Gbit/s – 100GBase-LR4
  • Wellington
    • 10Gbit/s – 10GBase-LR
    • 100Gbit/s – 100GBase-LR4
  • Christchurch
    • 10Gbit/s – 10GBase-LR

We offer Link Aggregation (LAG) for gradual capacity increases, with costs calculated by the number of ports times the port price.

General Notes

Security

We would appreciate it if you practice good network hygiene on your side to protect both your network and the broader internet community. This includes:

  • Creating ROAs (Route Origin Authorisations) for your prefixes.
  • Using RPKI to sign your route announcements, ensuring their authenticity and preventing route hijacking.
  • Implementing BCP38 broadly across your network to prevent IP address spoofing.
  • Enabling URPF (Unicast Reverse Path Forwarding) on your ports into the IX to prevent spoofed traffic.

Route servers

There are two route servers per exchange. The configuration of our route servers is re-deployed daily.

This means changes to peer configuration, AS-Sets and/or RPKI are reflected according to the following deployment schedule (NZ local time):

  • Route Server 1 = 1:00 PM
  • Route Server 2 = 3:00 PM

We have communities which are universal across all exchanges. These communities allow peers to apply specific policies to their sessions.

MAC Limit

We request only one (1) layer 3 MAC per port on any of our Peering Points. This means frames forwarded to an individual IX port shall have the same MAC Address.
 
Additional MAC(s) for maintenance/migration purposes are allowed.

AS-Sets

Members are required to provide an AS-Set that defines the permitted ASNs your peering session is allowed to originate.

If you need assistance with creating an AS-Set, check out APNIC’s AS-Set page or contact us!

RPKI

In combination with AS-Sets for peer policies, we utilize Resource Public Key Infrastructure (RPKI) Route Origin Validation (ROV) to validate ROAs.

Currently, prefixes that are invalid are dropped and unknowns are tagged.

If you need assistance with RPKI, check out APNIC’s RPKI pages or contact us!

Limits

Advertisements

IX-assigned addresses shall not be advertised by its peers to other networks.

No Proxy ARP

Use of Proxy ARP on the router's interface to the IX is strictly prohibited.

No IP Directed Broadcasts

IP Directed Broadcasts are strictly prohibited.

Unicast Only

Frames forwarded shall be Unicast only. Forwarding traffic to a Multicast or Broadcast MAC destination address is prohibited, except for the following:

  • Broadcast ARP packets
  • Multicast ICMPv6 Neighbour Discovery packets (excludes Router Solicitation and Router Advertisement).

Allowed Ethertypes

Ethernet types:

  • 0x800 – IPv4
  • 0x806 – ARP
  • 0x86DD – IPv6
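A member-side audit of the Unicast Only and Allowed Ethertypes rules above, as an added example that is not NZIX's own tooling. It assumes untagged Ethernet II frames, an IPv6 header with no extension headers, and that the permitted Neighbour Discovery multicast is ICMPv6 types 135 and 136; the sample frames are constructed.

```python
import struct

ALLOWED_ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
BROADCAST = b"\xff" * 6
# Assumption: permitted ND multicast is Neighbour Solicitation (135) and
# Neighbour Advertisement (136); RS (133) and RA (134) are excluded by the page.
ND_MULTICAST_TYPES = {135, 136}


def check_frame(frame: bytes) -> str:
    """Classify one untagged Ethernet II frame against the IX port rules."""
    if len(frame) < 14:
        return "reject: truncated"
    dst = frame[:6]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype not in ALLOWED_ETHERTYPES:
        return f"reject: ethertype 0x{ethertype:04x}"
    if not dst[0] & 0x01:                  # I/G bit clear: unicast destination
        return "allow: unicast"
    if dst == BROADCAST:
        return "allow: broadcast ARP" if ethertype == 0x0806 else "reject: broadcast"
    # Remaining case is a multicast destination: only ICMPv6 ND is permitted.
    ip6 = frame[14:]
    if ethertype == 0x86DD and len(ip6) > 40 and ip6[6] == 58:  # next header 58 = ICMPv6
        if ip6[40] in ND_MULTICAST_TYPES:
            return "allow: multicast ND"
        return f"reject: multicast ICMPv6 type {ip6[40]}"
    return "reject: multicast"


def sample_frame(dst: str, ethertype: int, icmp6_type=None) -> bytes:
    """Build a constructed test frame (not captured traffic)."""
    payload = b"\x00" * 46
    if icmp6_type is not None:
        # Minimal IPv6 header: version 6, next header 58, hop limit 255.
        hdr = b"\x60" + b"\x00" * 5 + bytes([58, 255]) + b"\x00" * 32
        payload = hdr + bytes([icmp6_type]) + b"\x00" * 23
    src = bytes.fromhex("020000000001")
    mac = bytes.fromhex(dst.replace(":", ""))
    return mac + src + struct.pack("!H", ethertype) + payload
```
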

Prefix Limits

In accordance with RFC 7454 (section 6.1.3) guidelines and to align with the generally accepted prefix lengths by BGP providers on the internet, we impose the following limits:

  • IPv4 max length = /24
  • IPv6 max length = /48
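A pre-flight check a member could run on planned announcements, combining the AS-Set, RPKI and Prefix Limits rules above (added example, not NZIX's route-server code). The ROAs are constructed from documentation prefixes and ASNs, and the order of the checks and the result strings are assumptions.

```python
import ipaddress

MAX_LEN = {4: 24, 6: 48}  # prefix limits stated on this page

# Constructed sample ROAs (documentation prefixes and ASNs, not real data):
# (ROA prefix, maxLength, authorised origin ASN)
SAMPLE_ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("2001:db8::/32", 40, 64500),
]


def rov_state(net, origin_as, roas):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'unknown'."""
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue                       # this ROA does not cover the route
        covered = True
        if roa_as == origin_as and net.prefixlen <= max_len:
            return "valid"
    # Covered by at least one ROA but matched by none: invalid.
    return "invalid" if covered else "unknown"


def check_announcement(prefix, origin_as, as_set, roas=SAMPLE_ROAS):
    """Predict how one announcement fares against the rules on this page."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen > MAX_LEN[net.version]:
        return "fail: longer than /%d" % MAX_LEN[net.version]
    if origin_as not in as_set:
        return "fail: origin AS%d not in AS-Set" % origin_as
    state = rov_state(net, origin_as, roas)
    if state == "invalid":
        return "dropped: RPKI invalid"
    return "accepted: RPKI " + state + (" (tagged)" if state == "unknown" else "")
```

Note the IPv6 case: a /48 inside the sample /32 is within the prefix limit but exceeds the ROA's maxLength of 40, so it validates as invalid.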

Port Rate limits

We ingress rate limit Broadcast, Unknown Unicast and Multicast (BUM) traffic to 500 packets per second on all IX ports.

No Link Local Traffic

Link local traffic shall not be forwarded to the Peering VLAN(s). Link-Local protocols include but are not limited to:

  • ICMP redirects
  • IEEE 802 Spanning Tree
  • BOOTP/DHCP
  • ICMPv6 Router Advertisements
  • UDLD
  • BFD
  • PIM
  • Interior routing protocol broadcasts
    • OSPF/ISIS/IGRP/EIGRP etc.
  • L2 Keepalives
  • Vendor proprietary protocols:
    • Discovery protocols: CDP, EDP, FDP
    • VLAN/trunking protocols: VTP, DTP

The following link-local protocols are exceptions and are allowed:

  • ARP
  • ICMPv6 Neighbour Discovery

Policy Control

Policy control is achieved by the use of BGP Communities. Peers must tag their routes with the following communities in order to control policy via the route server. The default behaviour is to advertise all prefixes to peers (63830:63830). Please ensure use of the following model:

  • 0:PEER_AS – Do not advertise to specified peer
  • 63830:PEER_AS – Advertise to specified peer
  • 0:63830 – Do not advertise to any peer
  • 63830:63830 – Advertise to all peers (Default)
  • 1:PEER_AS – Prepend once to specified peer
  • 2:PEER_AS – Prepend twice to specified peer
  • 3:PEER_AS – Do not advertise to specified peer

For Extended Communities, prepend “rt:” to the community of choice, for example:

  • rt:0:PEER_AS – Do not advertise to specified peer

For Large Communities, prepend “63830:” to the community of choice, for example:

  • 63830:0:PEER_AS – Do not advertise to specified peer
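A small encoder and decoder for the community model above, as an added example that is not NZIX's own code. It shows why a peer with a 4-byte ASN has to be targeted with the large (or extended) form: a standard community carries only two 16-bit fields. The function names are hypothetical and the sample ASNs are from documentation and private-use ranges.

```python
IX_AS = 63830  # community namespace used on this page

# First field of the community -> meaning, as listed in the model above.
ACTIONS = {0: "do not advertise to", IX_AS: "advertise to",
           1: "prepend once to", 2: "prepend twice to"}


def encode(action_code, peer_as):
    """Return the tag for one action and peer, choosing an encoding that fits."""
    if action_code not in ACTIONS:
        raise ValueError("unknown action %r" % action_code)
    if not 0 < peer_as <= 0xFFFFFFFF:
        raise ValueError("ASN out of range")
    if peer_as <= 0xFFFF:
        return f"{action_code}:{peer_as}"           # standard community
    return f"{IX_AS}:{action_code}:{peer_as}"       # large community


def explain(tag):
    """Decode a tag in any of the three forms; None if it is not in the model."""
    parts = tag.split(":")
    if len(parts) == 3 and parts[0] == "rt":
        kind, fields = "extended", parts[1:]
    elif len(parts) == 3 and parts[0] == str(IX_AS):
        kind, fields = "large", parts[1:]
    elif len(parts) == 2:
        kind, fields = "standard", parts
    else:
        return None
    try:
        code, target = int(fields[0]), int(fields[1])
    except ValueError:
        return None
    if code not in ACTIONS or (kind == "standard" and target > 0xFFFF):
        return None
    if target == IX_AS:
        if code in (1, 2):
            return None                              # not defined on this page
        return f"{kind}: {ACTIONS[code]} all peers"
    return f"{kind}: {ACTIONS[code]} AS{target}"
```
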

3rd Party Communities

3rd Party Communities are provided by Members across NZIX for serving content. If you wish to opt-in to any available services, please tag your prefixes with the below BGP community string:

CHC-IX

  • Community String – 63830:40027
  • Content – Netflix
  • Supplied By – Vocus Group New Zealand (AS9790)
  • Purpose – Opt-in content cache for Netflix
