Security and Restrictions

Basic Protection For the IX and You

The safest way to connect to an IX is with a router, and we prefer you connect to us with a router. However we do recognize many switches can perform most all of the routing functions that most enterprises need from a router these days.  We just ask if you are connecting with a switch that you make your switch’s port facing IX-Denver as router like as possible; for example 1 MAC address, L3 terminated p2p connection, no loops, no spanning-tree, no discovery protocols, but mostly a p2p broadcast domain between the IX fabric and your port. If you implement these basic best practices then our other basic protections listed below will likely be invisible to you and your network.

Current Implemented IX-Denver Fabric Protections:

  • BUM (Broadcast, Multicast, Unknown Unicast) traffic is rate limited to 5 mbits, for all interface speeds.
  • One MAC address is permitted per port.
  • MAC addresses are statically filtered.
  • No BPDUs are accepted on any port – If IX-Denver receives a BPDU from your router this will result in a link-down for 5 minutes.
  • BPDUs are sent out all edge ports of the switch fabric, hoping never to receive them back (see above).
  • The switch fabric forwards ARP, IPv4, IPv6
  • The route server(s) accept ARP, ICMP, ICMP6 and TCP/179
  • ARP/ND suppression is active in the switch fabric.
  • A small dedicated queue is available for bgp network control traffic, this traffic must be sourced from your IX /24 or /64 IP with a source or destination port of TCP/179.
  • We implement IETF BCP 214 “BGP Session Culling” during all maintenance activity.