AAPT Home > Support Information > Permanent Connections > Ingress Filtering
The following contains important information for customers who are multi-homed.
AAPT has deployed "ingress filtering" on all customer, peer and provider links. This means that filters will be installed to prevent traffic sourced from customer networks not registered for routing with AAPT from entering the AAPT network and will thus prevent this traffic from entering the networks of our peers and providers via AAPT.
This means that if you are multihoming but are not using BGP then the filters that AAPT will be putting in place will mean that we will not accept your route from one of our peers or providers because we will assume that it is someone "spoofing" your address. We will still route your traffic but should your link to us go down we will NOT see another route to you. This is an important component of AAPT's strategy against 'spamming'.
Note that if you are connected to someone else but they aren't providing you with transit, ie you can only reach them not the global Internet through that link, then you are not required to use BGP.
Initially it is planned to deploy filters on customer links where the customer is using BGP for route exchange but the system will be progressively expanded to include all customers.
All multi-homed customers are required to use BGP for route exchange. This will allow AAPT to deploy filters on our peering and provider links to ensure that no traffic enters the AAPT network that claims to be sourced by a single homed customer.
For most customers this change will have NO impact.
However AAPT recommends that all customers check that their networks are properly registered by the end of February by using the "Network Registration" script.
Once the ingress filters are deployed packets sourced from networks not registered with AAPT will be rejected.
Customers that are obtaining transit through other providers as well as being connected to the AAPT network should ensure that they are exchanging routing information via BGP (see the Routing section for more details on requesting BGP "peering" with AAPT). From the 6th of April any customer not doing this will be assumed to NOT be obtaining transit from another service provider, ie are single homed, and thus AAPT should not expect traffic sourced with their network addresses to be entering the AAPT network via any other source other than their links.
These filters will allow AAPT to ensure that customers are only able to inject traffic into the AAPT network which is identifiable back to the customer and thus allow us to readily identify the source of any "denial-of-service" attacks being initiated through a customer link and improving the overall network integrity. With AAPT's new settlement programs, this will also help to ensure fair and equitable traffic flows.
| Copyright © AAPT Limited |
|