Embed Size (px)
Citation preview
HKIXUpdatesatAPIX#16
KennethCHANTeamLead,HKIX
www.hkix.net11Sep2017
WhatisHKIX?
• EstablishedinApr1995,HongKongInterneteXchange(HKIX) isthemainlayer-2InterneteXchangePoint(IXP)inHongKongwherevariousautonomoussystemsinterconnectwithoneanotherandexchangetraffic
• HKIXisnowownedandoperatedbytheHongKongInterneteXchangeLimited(awholly-ownedsubsidiaryofTheChineseUniversityofHongKongFoundationLimited)incollaborationwithInformationTechnologyServicesCentre ofTheChineseUniversityofHongKong
• HKIXservesbothcommercialnetworksandR&Enetworks• Theoriginalgoalistokeepintra-HongKongtrafficwithin
HongKong
ISP DISP A ISP B ISP C
Routes of ISP A
Routes of All ISPs in HKIX
Routes of ISP B
Routes of ISP C
Routes of ISP D
Routes of All ISPs in HKIX
Routes of All ISPs in HKIX
Routes of All ISPs in HKIX
MLPARoute
Servers
Routes of All ISPs in HKIX
Routes from All ISPs Switched Ethernet
HKIXModel—MLPAoverLayer2+BLPA
• MLPA traffic exchanged directly over layer 2 without going through MLPA Route Server
• BLPA over layer 2 without involvement of MLPA Route Server
• Supports both IPv4 and IPv6 over the same layer 2 infrastructure
HelpKeepIntra-AsiaTrafficwithinAsia
• WehavealmostalltheHongKongnetworks• So,wecanattractparticipantsfromMainlandChina,Taiwan,
Korea,Japan,Singapore,Malaysia,Thailand,Indonesia,Philippines,Vietnam,IndiaandotherAsiancountries
• Wenowhavemorenon-HKroutesthanHKroutes• Wedohelpkeepintra-AsiatrafficwithinAsia• Intermsofnetworklatency,HongKongisagoodcentral
locationinAsia• HKIXdoeshelpHKmaintainasoneoftheInternethubsin
Asia• HKIXsupportsbothdomesticandinternationaltraffic
NewHKIXDual-CoreTwo-TierSpine-and-LeafArchitecture
For2014andBeyondHKIX1CoreSite@CUHK HKIX1bCoreSite@CUHK
CoreSwitch@HKIX1
CoreSwitch
@HKIX1b
AccessSwitch(es)@HKIX2
AccessSwitches@HKIX1
AccessSwitches@HKIX1b
AccessSwitch
@HKIX-R&E
------(<2km)------
n x100GE/10GEInter-Switch
Links
n x100GE/10GEInter-Switch
Links
ISP1 ISP2 ISP3 ISP4 ISP5 ISP6 ISP7
CoreSwitch@HKIX1
CoreSwitch
@HKIX1b
AccessSwitch(es)@HKIXm
AccessSwitch(es)@HKIXn
100GE/10GE/GELinks
100GE/10GE/GELinks
HistoricalStatisticsforHKIX’sTraffic(1)Year2010
HistoricalStatisticsforHKIX’sTraffic(2)Year2013
HistoricalStatisticsforHKIX’sTraffic(3)Year2016
HKIXToday• SupportsbothMLPA(MultilateralPeering)andBLPA(BilateralPeering)overlayer2
• SupportsIPv4/IPv6dual-stack• Moreandmorenon-HKparticipants• 270+differentnetworks(autonomoussystems)connected
• 500+physicalconnectionsintotal– 15100GE,290+10GE &200+GE
• 850+Gbps(5-min)totaltrafficatpeak• AnnualTrafficGrowth~30%
CurrentHKIXTrafficDailyGraph(5-minaverage)
CurrentHKIXTrafficYearlyGraph(1-dayaverage)
The100GETrends
0
3
5
7 7 7
9 9
11
12
14
15
0
2
4
6
8
10
12
14
16
2016-OCT 2016-NOV 2016-DEC 2017-JAN 2017-FEB 2017-MAR 2017-APR 2017-MAY 2017-JUN 2017-JUL 2017-AUG 2017-SEP
TotalHKIX100GEPortsConnected(2016OCT- 2017SEP)
100GEConnections
HKIX100GEParticipants
• Akamai• Amazon• CloudFlare• Facebook• Google• HurricaneElectric• Tencent• Yahoo
SetupMultipleHKIXSatelliteSitesHongKong,08Feb2017HKIXannouncesthat3newsatellitesiteswillbeestablishedincollaborationwith3commercialdatacentreswhichprovidecolocationservicesaswellaseasyconnectionstoHKIX.
SatelliteSite
SatelliteSiteCollaborator District PortsSupported Status
HKIX2 CITICTelecomInternational Kwai Chung GE/10GE ReadyforService
HKIX3 SUNeVision /iAdvantage FoTan GE/10GE/100GE ReadyforService28Feb2017
HKIX4 NTTComAsia Tseung KwanO GE/10GE/100GE ReadyforService19Jun2017
HKIX5 KDDI /Telehouse/HKCOLO.net
Tseung KwanO GE/10GE/100GE ReadyforService24Mar2017
• ForconnectionstoHKIXatSatelliteSites,specialconnectionchargeswillbechargedbyrelevantoperators,inadditiontotheportchargeschargedbyHKIX.
• ForHKIXparticipantsnotco-locatedatHKIXsatellitesites,theycanstillconnecttoanyofthetwoHKIXcoresites,i.e.HKIX1andHKIX1bsitesbylocalloopsvialocalloopproviders.
SetupMultipleHKIXSatelliteSites
• AllowparticipantstoconnecttoHKIXmoreeasilyatlowercost fromthosesatellitesitesinHongKong
• OpentocommercialdatacentresinHKwhichfulfilminimumrequirementssoastomaintainneutralitywhichisthekeysuccessfactorofHKIX
• Createawin-winsituationwithsatellitesitecollaborators• TobenamedHKIX2/3/4/5/6/etc
Recentupdates:– HKIX2hasbeenmigratedfromoldmodeltoHKIXSatelliteSite– HKIX3/4/5arenewSatelliteSitesandtheyareReadyforService now
• HKIX1 andHKIX1b (thetwoHKIXcoresiteslocatedwithinCUHKCampus)willcontinuetoserveparticipantsdirectly
HKIX’sAdvantages• Location
– HongKongisagoodcentrallocationinAsia~50mstoTokyoand~30mstoSingapore
• Neutral– Treatallpartnersequal,bigorsmall– NeutralamongISPs/telcos /localloopproviders/datacenters/
contentproviders/cloudservicesproviders• Trustable
– Treatallpartnersfairandconsistent– Respectbusinesssecretsofeverypartner/participant
• HighPerformance– Nointernalperformancebottleneck,nointernalpacketloss
• NotforProfit– Chargingmainlyforequipmentupgradeandlong-term
sustainability,notforprofit-making
PlannedWorksin2017
• ImprovedStability– BetterControlofProxyARP– MoreL2ACLonHKIXpeeringLAN
• ImprovedServices– SetupSatelliteSitesinmultiplecommercialDataCentre– SetupportalforHKIXparticipants– True24x7NOC– Improveafter-hoursupport– IntroduceadvancedRouteServerfunctions
• ImprovedSecurity– ISO27001– BettersupportforDDoSMitigation
SupportofBlackholing forAnti-DDoSonHKIXRouteServers
HKIXrouteserverssupportRemoteTriggeredBlackHoleFiltering(RTBH)forannouncementofblack-holefiltering
No.ofASNsParticipated:33
Howitworks?• Thevictim’saddressmustbeincludedintheparticipantfilterontheHKIXroute
serversforBGPannouncement• Participanttagthe/32prefixwith4635:666 foritscustomer• HKIXrouteserverssettheprefixwithnexthop123.255.90.66• OtherHKIXparticipantsacceptthe/32prefixandsetthenexthopaddressfor
123.255.90.66tonull
ExpectedResults:• Onlythevictim(/32)willbeunreachableviaHKIXnetworkwhilesavingtheothers• TheDDoStrafficwillbeblack-holedatthesideoftheparticipatingrouterswhichare
closertotheDDoStrafficsources
SupportofHidingAS4635onHKIXRouteServers
• HidingAS4635(ASNofHKIXRS)ontheASPathintheBGPannouncement
• SupportbothIPv4and/orIPv6
Steps:1. DisableBGPEnforcetheFirstAutonomousSystemPathonyour HKIX
peeringrouter- configuration:
Router(config)#routerbgp <Your-ASN>Router(config-router)#nobgp enforce-first-as
2. NotifyHKIXforhidingAS4635intheBGPannouncement3. SoftresettheBGPsession4. HKIXwillhidetheAS4635ontheASPathfortheIPv4and/orIPv6routes
sendingfromHKIXrouteserverstoyourHKIXpeering
