Allowed Traffic Types on Unicast Peering LANs
Important: The AMS-IX NOC reserves the right to disable ports that violate the rules below.
To ensure smooth operation of the AMS-IX infrastructure we impose a set of restrictions on what kind of traffic is allowed on the peering fabric. This page gives a summary of those restrictions. For more info, including hints on how to configure equipment, please see the AMS-IX Configuration Guide.
1. Physical Connection
100base and 10base Ethernet interfaces attached to AMS-IX ports must be explicitly configured with speed, duplex and other configuration settings, i.e. they should not be auto-sensing.
2. MAC Layer
2.1 Ethernet framing
The AMS-IX infrastructure is based on the Ethernet II (or “DIX Ethernet”) standard. This means that LLC/SNAP encapsulation (802.2) is not permitted. For more information on the differences, see the Ethernet FAQ.
2.2 Ethernet types
Frames forwarded to AMS-IX ports must have one of the following ethertypes:
- 0x0800 – IPv4
- 0x0806 – ARP
- 0x86dd – IPv6
2.3 One MAC address per connection
Frames forwarded to an individual AMS-IX port shall all have the same source MAC address.
2.4 No proxy ARP
Use of proxy ARP on the router’s interface to the Exchange is not allowed.
2.5 Unicast only
Frames forwarded to AMS-IX ports shall not be addressed to a multicast or broadcast MAC destination address except as follows:
- broadcast ARP packets
- multicast ICMPv6 Neighbour Discovery, Neighbour Solicitation, and MLD packets. Please note that this does not include Router Solicitation or Advertisement packets.
2.6 No link-local traffic
Traffic related to link-local protocols shall not be forwarded to AMS-IX ports. Link-local protocols include, but are not limited to, the following list:
- ICMP redirects
- IEEE 802 Spanning Tree
- Vendor proprietary protocols. These include, but are not limited to:
  - Discovery protocols: CDP, EDP, LLDP etc.
  - VLAN/trunking protocols: VTP, DTP
- Interior routing protocol broadcasts (e.g. OSPF, ISIS, IGRP, EIGRP)
- ICMPv6 ND-RA
- L2 Keepalives
The following link-local protocols are exceptions and are allowed:
- IPv6 ND
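The framing, ethertype and unicast-only rules in 2.1, 2.2 and 2.5 can be checked per frame before a router is connected. The following is an added example, not AMS-IX code: the function names are hypothetical, frames are assumed to be untagged, and the mapping of the 2.5 exceptions to ICMPv6 type numbers is this example's reading of the rule.

```python
import struct

ALLOWED_ETHERTYPES = {0x0800, 0x0806, 0x86DD}   # IPv4, ARP, IPv6 (section 2.2)
BROADCAST = b"\xff" * 6
# Assumed reading of 2.5 as ICMPv6 types: MLD 130-132 and 143, NS 135, NA 136.
# Router Solicitation (133) and Router Advertisement (134) stay excluded.
ICMPV6_GROUP_OK = {130, 131, 132, 135, 136, 143}

def _group_dst_allowed(dst, etype, payload):
    """Section 2.5 exceptions for a multicast or broadcast destination MAC."""
    if etype == 0x0806:
        return dst == BROADCAST                    # broadcast ARP
    if etype == 0x86DD and len(payload) >= 40:
        nxt, off = payload[6], 40                  # Next Header, end of fixed header
        if nxt == 0 and len(payload) >= off + 2:   # hop-by-hop header, as MLD uses
            nxt, off = payload[off], off + 8 * (payload[off + 1] + 1)
        if nxt == 58 and len(payload) > off:       # ICMPv6: first byte is the type
            return payload[off] in ICMPV6_GROUP_OK
    return False

def check_frame(frame):
    """Return rule violations for one untagged Ethernet frame; [] means compliant."""
    if len(frame) < 14:
        return ["truncated frame"]
    dst, etype = frame[0:6], struct.unpack("!H", frame[12:14])[0]
    if etype < 0x0600:   # 802.3 length field, so LLC/SNAP rather than Ethernet II
        return ["2.1 LLC/SNAP framing"]
    problems = []
    if etype not in ALLOWED_ETHERTYPES:
        problems.append("2.2 ethertype 0x%04x" % etype)
    if dst[0] & 1 and not _group_dst_allowed(dst, etype, frame[14:]):
        problems.append("2.5 multicast/broadcast destination")
    return problems

def _eth(dst_hex, etype, payload=b""):   # constructed frame, made-up source MAC
    return bytes.fromhex(dst_hex + "02aabbccdd01") + struct.pack("!H", etype) + payload

def _ipv6(next_header, body):   # constructed packet: only Next Header is meaningful
    return b"\x60" + bytes(5) + bytes([next_header, 255]) + bytes(32) + body

# Constructed sample frames (not captured traffic)
SAMPLES = {
    "arp-broadcast": _eth("ffffffffffff", 0x0806, bytes(28)),
    "nd-solicit": _eth("3333ff000001", 0x86DD, _ipv6(58, b"\x87" + bytes(23))),
    "router-advert": _eth("333300000001", 0x86DD, _ipv6(58, b"\x86" + bytes(15))),
    "mldv2-report": _eth("333300000016", 0x86DD, _ipv6(0, bytes.fromhex("3a00050200000100") + b"\x8f" + bytes(7))),
    "lldp": _eth("0180c200000e", 0x88CC, bytes(46)),
    "stp-bpdu": _eth("0180c2000000", 0x0026, bytes.fromhex("424203") + bytes(35)),
}
```

Calling check_frame on each entry in SAMPLES passes the ARP, Neighbour Solicitation and MLD frames and flags the Router Advertisement, LLDP and Spanning Tree frames with the section they violate.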
3. IP Layer
3.1 No directed broadcast
IP packets addressed to the AMS-IX peering LAN’s directed broadcast address shall not be automatically forwarded to AMS-IX ports.
3.2 No-export of AMS-IX peering LAN
IP address space assigned to AMS-IX Peering LANs must not be advertised to other networks without explicit permission of AMS-IX.
4. Application layer (TCP/IP model)
Using Application layer protocols to unleash malicious actions against other AMS-IX customers over AMS-IX infrastructure is forbidden. AMS-IX reserves the right to disable a customer’s port in case of complaints of attacks/abuse originating from that customer. Such actions include, but are not limited to:
- BGP hijacking
- DNS amplification/flood
- HTTP flood
- NTP amplification
- UDP flood
- ICMP flood
- Simple Service Discovery Protocol (SSDP)
Did you experience or notice a customer abusing their AMS-IX connection for malicious actions?
Please get in touch to file a complaint providing information about:
- The timestamp of the event
- The type of the event
- The related prefixes/ASNs
- The parties involved
- Any other relevant information providing appropriate context.
Typically, this information can be found in (but is not limited to) router logs, syslog servers, packet captures and BGP monitoring services.
AMS-IX will investigate to confirm the complaint and take appropriate action.