Passive sessions are configured toward neighbors.

GTSM (Generalized TTL Security Mechanism - RFC5082) is disabled on sessions toward the neighbors.

ADD-PATH capability ( RFC7911) is not negotiated by default.

Route server ASN is not prepended to the AS_PATH of routes announced to clients ( RFC7947 section 2.2.2.1).

Route server does implement path-hiding mitigation techniques ( RFC7947 section 2.3.1).

The route server verifies that the NEXT_HOP attribute of routes received from a client matches the IP address of the client itself .

Routes whose AS_PATH is longer than 32 ASNs are rejected.

The left-most ASN in the AS_PATH of any route announced to the route server must be the ASN of the announcing client.

Routes whose AS_PATH contains invalid ASNs are rejected.

Routes with an AS_PATH containing one or more of the following "transit-free" networks' ASNs are rejected.

List of "transit-free" networks' ASNs: 174, 286, 701, 1239, 1299, 2828, 2914, 3257, 3320, 3356, 3549, 5511, 6453, 6461, 6762, 6830, 6939, 7018

Origin ASN validity is enforced. Routes whose origin ASN is not authorized by the client's AS-SET are rejected.

Announced prefixes validity is enforced. Routes whose prefix is not part of the client's AS-SET are rejected. Longer prefixes that are covered by one entry of the resulting route set are accepted.

Use RPKI ROAs to validate routes whose origin ASN is authorized by the client's AS-SET but whose prefix is not.

Route validity state is signalled to route server clients using the following BGP communities:

RPKI BGP Prefix Origin Validation of routes received by the route server is enabled.

When an INVALID route is received by the route server, it is rejected.

RPKI ROAs are fetched from the RIPE RPKI Validator cache file at ['https://rpki-validator.ripe.net/api/export.json', 'https://rpki.gin.ntt.net/api/export.json']. The following Trust Anchors are used: APNIC RPKI Root, AfriNIC RPKI Root, LACNIC RPKI Root, RIPE NCC RPKI Root, apnic, afrinic, lacnic, ripe

A max-prefix limit is enforced; when it triggers, the session with the announcing client is restarted after 30 minutes.

The limit, if not provided on a client-by-client basis, is learnt from the client's PeeringDB record.

If no more specific limits exist for the client, the general limit of 170000 IPv4 routes and 12000 IPv6 routes is enforced.

Only prefixes whose length is in the following range are accepted by the route server:

• IPv4: 8-24
• IPv6: 12-48

The following prefixes are unconditionally rejected:

Bogon prefixes are rejected too. Click to expand the list of these prefixes.

IPv6 prefixes are accepted only if part of the IPv6 Global Unicast space 2000::/3.

Routes tagged with the GRACEFUL_SHUTDOWN BGP community (65535:0) have their LOCAL_PREF attribute lowered to 0.

Routes tagged with the NO_EXPORT or NO_ADVERTISE communities received by the route server are propagated to other clients with those communities unaltered.