A new analysis explores whether networks can rely on Internet Exchange (IX) route servers as their main path to broad BGP reachability. Route servers simplify peering by letting members establish one session to learn routes from many participants, and they often apply stricter routing hygiene than bilateral peering—such as IRR and RPKI-based filtering, peerlock, and AS_PATH validation—while keeping traffic forwarding on the shared IX LAN. However, RS-only connectivity is constrained by optional participation, policy differences versus direct sessions, and the operational burden of massive aggregated filters that can rival or exceed global table size. Visibility data is used to quantify real-world reachability.
Cloudflare warns that BGP — the protocol that directs Internet traffic — remains insecure unless networks adopt RPKI route origin validation. The article lists a timeline of ISPs and major backbone operators that have implemented RPKI signing or begun rejecting or filtering RPKI-invalid prefixes, including Verizon, Comcast, Microsoft, AWS, Google, Netflix, Deutsche Telekom, Bell Canada, Sparkle and others. Cloudflare also offers a test to check whether an ISP enforces RPKI. Why it matters: BGP hijacks and misconfigurations can cause widespread outages and traffic interception; broader RPKI deployment reduces those risks but requires coordinated action by carriers and exchanges to be effective.
A new site, Is BGP Safe Yet? (isbgpsafeyet.com), maps ISP adoption of BGP security measures like RPKI and invalid-prefix filtering and shows many major networks still vulnerable. Hacker News commenters note mixed coverage: some big providers (Google, DigitalOcean) show partial or unclear status, while operators including BT, NTT Docomo, Vodafone España, Starlink and Rogers appear marked unsafe. Users suggest richer filtering by country and provider type and point out the site lists 254 operators as unsafe despite a smaller visible subset. The story matters because weak BGP routing security enables route hijacks and outages; public testing highlights gaps and pressures ISPs and cloud providers to deploy RPKI/ROA protections.
Cloudflare warns BGP remains insecure but progress toward fixing it is accelerating through RPKI adoption. The article explains BGP’s role in routing and highlights Resource Public Key Infrastructure (RPKI) as the certification system that enables origin validation and prevents accidental or malicious route hijacks. It lists recent carrier and cloud deployments—Verizon, Comcast, Lumen, AWS, Microsoft, Google, Bell Canada, Sparkle and others—that now validate or reject RPKI-invalid prefixes, showing industry momentum. The update timeline demonstrates why RPKI matters: broader filtering of invalid announcements reduces outages and routing abuse, but gaps in global deployment mean BGP is not yet fully safe. Readers are invited to test their ISP’s stance on RPKI.
The article investigates how far networks can rely solely on Internet Exchange (IX) route servers (RS) for interoperability and routing. Route servers act as BGP reflectors on the IX LAN, letting members peer once to receive routes from many peers, easing configuration and often enforcing stronger route-security practices (IRR, RPKI ROV, peerlock, AS_PATH checks) than many bilateral sessions. RSs don’t forward traffic themselves; they advertise next-hops on the shared layer-2 subnet, allowing terabit-scale exchanges limited only by port speeds. Challenges include incomplete adoption (peering with RSs is optional), varying import/export policies versus bilateral sessions, and huge aggregated route filters (e.g., DE-CIX RS IRR exports can exceed the global table). The piece uses bgp.tools visibility to analyze RS-only member reachability.
How far can you go with IX Route Servers only? (benjojo.co.uk), submitted to Hacker News by ingve