NLR PacketNet Technical Guide

NLR PacketNet Connection Information and Recommendations


Typical Member connection to NLR PacketNet

Connections Summary

1.)    Primary 10GE – Members get a 10GE interface on their 'local' NLR PacketNet CRS1.  For those members who are not local to a NLR PacketNet CRS node, NLR will provide a 10GE backhaul circuit over the NLR WaveNet to a pre-defined PacketNet node.

2.)    Secondary VLAN – In addition, members may request a 1GE port on their local NLR FrameNet 6509. This port, mapped to a VLAN, transports to a second NLR PacketNet CRS1 node. There is no bandwidth dedicated to this connection on the NLR FrameNet backbone.

Both these connections are included as part of NLR membership.

Physical

Cross-connect Responsibility – It is the responsibility of the member to provide any cross-connects or local loop connectivity to get to their assigned ports on the NLR device(s).  This includes providing and running fiber to the NLR device(s).  An option available is to arrange for NLR Implementation to perform this work via contracted hands-and-eyes support, and charge this back to the member at cost.

Optics – NLR will supply the optics for the members' connections on the PacketNet CRS1.  These are LR1310nm XENPAKs, with a power output of 0.5dBm to -8.2dBm and a receive sensitivity of 0.5dBm to -14.4dBm. NLR provides Attenuation if it is necessary, and Optics for the connection to the FrameNet 6509. Please see the document 'Connecting to the NLR Layer2 Network' for more information.

Fiber Connector Type – For the member's primary 10GE connection, the connector type will be SC.  For the member's secondary VLAN connection, the connector type will be LC.

MTU – By default, NLR will set the interfaces facing NLR members to a layer3 (IP) MTU of 9000 bytes.

IP numbering – By default, for IPv4 and IPv6, NLR will expect the member to provide IP addressing for their connections to the NLR PacketNet.  

 
Protocols
By Default, every member connection will be setup with the following protocols active:

1.)    BGP

2.)    MSDP

3.)    PIMv2

 
BGP
ASN - NLR AS is 19401

Peering Addresses – By default, BGP peering will be enabled between interface addresses.  This would mean one BGP session for each member's 10G primary connection and a second for the member's VLAN backup connection.

IPv6 – By default, NLR will plan to enable IPv4 and IPv6 for each member enabled using a separate BGP session for IPv4 and for IPv6. NLR will provide a /40 allocation to any member without their own IPv6 address space upon request.

Multicast – By default, NLR will plan to enable both unicast and multicast support for both IPv4 and IPv6 for each member.  Members who wish to use multicast must enable the multicast SAFI and advertise all multicast enabled networks in that SAFI.  If a member does not wish to configure multicast, communicate your preference to the NLR engineer bringing up the connection.

Prefix Lists – NLR will use a prefix-list for each member to protect against unintended route leakage. The member should submit a list of prefixes they intend to advertise to the NLR NOC. NLR will then add the advertised prefixes to their prefix database.

Route Type Limitations - There is no approval process for routes, but private addresses, bogons, and the routes from other 'upstream' providers are not allowed without further planning to ensure stability and proper route tagging.

Prefix Length Limitations – Members are encouraged to aggregate their routes wherever possible.   However, there is no limit to the maximum or minimum prefix length accepted by NLR, either for IPv4 or IPv6.

MEDs from NLR – NLR will set MEDs on route advertisements equal to the IGP metric.  It will be the member's responsibility to ensure that traffic flows, as they want.  For example, if the member wants to make sure all their NLR L3 traffic flows over their primary 10G connection, they will need to make sure they set local prefrences, since relying on MEDs will cause some traffic to prefer the backup connection.

Dampening – NLR disables BGP route dampening.

Authentication – By default, NLR will not use authentication. NLR will support MD5 authenticated peering sessions if requested.  NLR PacketNet supports GTSM.

BGP Communities – see the NLR BGP Communities page for details.  NLR will not strip BGP communities attached by members.

 
MSDP
Peering Addresses - MSDP peering will use interface addresses by default.

SA Limitations – Administratively scoped group addresses, and groups from the SSM block are blocked.  Private addresses and bogons do not show as source addresses.

MSDP SA Advertisement Limits – PacketNet is currently unable to limit the number of SAs.  This may be implemented in the future, with the type of limit (e.g. per source or per peer) depending on technical feasibility.

 
PIMv2
Versions - Only v2 PIM allowed.  NLR does not support Dense mode.

RP Election Limits – NLR will block all auto-rp and bsr packets from members.

 
Security
Blackhole Routing – Users of NLR PacketNet can tag a pre-specified BGP community to on of their routes (usually a /32) that is currently being attacked.  NLR will then blackhole traffic to that route rather than sending it on to the member.  Members will only be able to blackhole their own routes.

In addition, users can request (via a normal trouble ticket) that NLR investigates an incident or a more particular packet filter be put in place.

NLR PacketNet BGP Communities

NLR PacketNet BGP Communities

 

Communities with numbers less than 1000 are settable by NLR members and peers and advertised into NLR; communities 1000 and above are set by NLR.

---

Community ranges NLR sets on inbound routes:

peers and members connected to NLR can match on these. Typically the first number in each range is used by default, but other values are reserved for future use.

• NLR internal: 19401:1000-1999
  • default community 1000
• NLR members: 19401:2000-3999
  • default community 2000, set for members' 10G connections
  • community 2001 is set for members' 1G backup connections
  • default local-pref is 500 for members' 10G connections, 450 for 1G backup
• R&E peer networks: 19401:4000-4999
  • default community 4000
  • default local-pref 300
• International peer networks: 19401:5000-6999
  • default community 5000
  • default local-pref 300
• US Government and Federal Labs: 19401:7000-7999
  • default community 7000
  • default local-pref 300
• Commercial Labs/Partners: 19401:8000-8999
  • default community 8000
  • default local-pref 300
• Commodity Peers: 19401:9000-9999
  • default community 9000
  • default local-pref 100
• Special Events (e.g. SC, iGrid, meetings): 19401:10000-10999
  • default community 10000
  • default local-pref 1000

---

Communities NLR members may set to change default NLR behavior for their prefixes:

• Blackhole: 19401:911 – NLR will discard traffic toward this prefix. Only members who “own” this prefix may set the 911 community for it.
• Local-preference modification:
  • 19401:600 – set NLR local-pref to 600
  • 19401:500 – set NLR local-pref to 500 (may be useful for 1G backup)
  • 19401:400 – set NLR local-pref to 400
  • 19401:200 – set NLR local-pref to 200
• Export modification: default behavior is to send all learned NLR prefixes to all BGP peers. The following communities are available per-prefix to allow members and peers to modify the default behavior.
  • 19401:920 – do not send this prefix to NLR members.
  • 19401:921-923 – NLR should prepend one-three ASs to NLR members.
  • 19401:924 – NLR should send me only NLR-member prefixes (has the same effect as 940, 950, 970, 980, and 990 together) and NLR will send my prefixes only to NLR members (not to peer Federal or International networks).   This community does not affect EVENTs.
  • 19401:940 – do not send this prefix to R&E peer networks.
  • 19401:941-943 – NLR should prepend one-three ASs to R&E peer networks.
  • 19401:950 – do not send prefix to international peer networks.
  • 19401:951-953 – NLR should prepend one-three ASs to international peer networks.
  • 19401:960 – do not send prefix to special events.
  • 19401:961-963 – NLR should prepend one-three ASs to special-event peers.
  • 19401:970 – do not send prefix to US Government networks or labs.
  • 19401:971-973 – NLR should prepend one-three ASs to US FEDnets.
  • 19401:980 – do not send prefix to commercial labs/partners.
  • 19401:981-983 – NLR should prepend one-three ASs to commercial connections.
  • 19401:990 – do not send prefix to commodity peers.
  • 19401:991-993 – NLR should prepend one-three ASs to commodity peers.
  5 July 2007
  

Member Prefixes accepted by NLR

Member prefixes accepted by NLR are documented through the Routing Arbiter DataBase (RADB, http://www.radb.net, whois -h whois.radb.net) and NLR's general policy toward member and peer-network connections can be found summarized in an RADB "aut-num" object called 'AS19401', which refers to the specific "route-set" objects for each connection.  

For example, a user wants to find out what prefixes we accept from UCAR. She could first query the RADB for the aut-num object like this:

  % whois -h whois.radb.net as19401

looking for an import statement referring to UCAR (AS14041), and will find this:
  import:  from as14041 action pref = 500; accept rs-nlr-ucar
some peers have two terms after the 'accept', for ipv4 and ipv6 prefixes.

To see the list of prefixes, query the RADB again for the route-set named there:

  % whois -h whois.radb.net rs-nlr-ucar

which returns:

route-set: rs-NLR-UCAR
descr: prefixes accepted by NLR.net AS19401 from member UCAR
members: 128.116.0.0/16
members: 128.117.0.0/16
members: 128.138.0.0/16
members: 128.198.0.0/16
members: 129.19.0.0/16
members: 129.82.0.0/16^16-32 (a range of prefixes from /16 - /32)

etc.

 The date it was updated is given at the bottom, with the tag "changed".

The NLR NOC webpages also include a table, updated every 5 minutes, showing the numbers of ipv4, ipv6, unicast, and multicast prefixes received and accepted from each peer, along with links to historical graphs.  Find it under here.