Peering with Tele2 / AS1257

This page describes Tele2's policies on the technical aspects of peering with AS1257, as well as some general information on related matters. It is intended for existing peering partners of Tele2.

BGP MD5 authentication

Tele2 strongly prefer the use of MD5 authentication for BGP sessions.

BGP MD5 authentication (the TCP MD5 Signature Option, RFC 2385) is a technique that authenticates every TCP segment carrying a BGP session with a keyed MD5 hash computed over the segment and a key shared by both peers. It makes it significantly harder to reset a BGP TCP session or inject malicious packets into it, and it also prevents certain misconfigurations, since a session only comes up when both ends are configured with the same key.
While it is true that MD5 authentication can increase CPU usage, the overhead is minuscule on modern routers. See this excellent presentation by Tom Scholl of AT&T.
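To make concrete what the MD5 option actually covers, here is an added example (not code from this page or from Tele2's routers) that builds a BGP KEEPALIVE segment carrying the RFC 2385 option and verifies it on the receiving side; the peer addresses, ports and key are constructed placeholders.

```python
import hashlib
import hmac
import socket
import struct

TCP_MD5_OPT = 19  # option kind of the RFC 2385 TCP MD5 Signature Option

def tcp_md5_digest(src_ip, dst_ip, fixed_hdr, opt_len, payload, key):
    """RFC 2385 digest: pseudo-header, fixed TCP header (checksum zeroed, options excluded), data, key."""
    seg_len = len(fixed_hdr) + opt_len + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    hdr = fixed_hdr[:16] + b"\x00\x00" + fixed_hdr[18:]  # bytes 16-17 are the checksum
    return hashlib.md5(pseudo + hdr + payload + key).digest()

def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key):
    """Constructed sender: 20-byte header, MD5 option (18 bytes + 2 NOPs), data; checksum left at 0."""
    opt_len = 20
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                        (20 + opt_len) // 4 << 4, flags, 65535, 0, 0)
    digest = tcp_md5_digest(src_ip, dst_ip, fixed, opt_len, payload, key)
    options = bytes([TCP_MD5_OPT, 18]) + digest + b"\x01\x01"
    return fixed + options + payload

def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver check: locate option kind 19 and recompute the digest. A missing
    or mismatching option means the segment is dropped, as RFC 2385 requires."""
    data_off = (segment[12] >> 4) * 4 if len(segment) >= 20 else 0
    if data_off < 20 or data_off > len(segment):
        return False
    fixed, options, payload = segment[:20], segment[20:data_off], segment[data_off:]
    received, i = None, 0
    while i < len(options) and options[i] != 0:      # kind 0 ends the option list
        if options[i] == 1:                          # NOP, single byte
            i += 1
            continue
        if i + 1 >= len(options) or not 2 <= options[i + 1] <= len(options) - i:
            return False                             # malformed option list
        if options[i] == TCP_MD5_OPT and options[i + 1] == 18:
            received = options[i + 2:i + 18]
        i += options[i + 1]
    if received is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, fixed, len(options), payload, key)
    return hmac.compare_digest(received, expected)

# Constructed sample: a BGP KEEPALIVE (16-byte marker, length 19, type 4) between placeholder peers.
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)
PEER_A, PEER_B, KEY = "192.0.2.1", "192.0.2.2", b"example-md5-key"
SIGNED = build_segment(PEER_A, PEER_B, 179, 40001, 1000, 2000, 0x18, KEEPALIVE, KEY)
```

Because the source and destination addresses are part of the pseudo-header, a segment replayed from a different address fails the check just as a segment with a modified payload or a missing option does.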

BGP GTSM / BTSH

Tele2 currently deploy GTSM in a very limited fashion, due to poor platform support and a lack of support from most peering partners. While the Cisco CRS, the core platform currently deployed by Tele2, supports GTSM in hardware, both the Cisco 7600 and 12000 routers, which Tele2 uses mainly as peering platforms, perform GTSM in software, greatly limiting its effectiveness.

The BGP TTL Security Hack (BTSH) and the Generalised TTL Security Mechanism (GTSM, RFC 5082) are essentially a method of preventing spoofed packets from reaching a router's control plane. The latter is a generalisation applicable not only to BGP but to other protocols as well. Since the TTL of a packet cannot be set higher than 255 and is decremented by every router it passes, a sender more than one hop away cannot deliver a packet with a TTL of 255; verifying that the TTL of a packet has its expected value is therefore a simple and robust way of preventing attacks towards peering routers. The TTL (or hop limit in the case of IPv6) is typically set to 255 upon sending, and the receiving end verifies that it still has that same value (255). In the event that someone tries to spoof packets to either router, the TTL will have been decreased by intermediate routers and the packet will thus fail the check once it arrives at its destination. An attacker therefore needs to be directly connected to the router to circumvent GTSM. Modern router platforms support GTSM in hardware.

BFD

Tele2 support BFD in the majority of peering locations, with timers of 150 ms and a detect multiplier of 3.

BFD (Bidirectional Forwarding Detection) is a protocol for fast hellos. It allows hello packets to be sent at intervals measured in tens of milliseconds, rather than the tens of seconds that are common today with BGP keepalives. While its use is of limited value on media where a proper link-down event will be asserted, it is very useful over Internet exchanges, where a BGP peer may become unreachable with no link-down event.

ICMP / traffic limits

Tele2 limits the bandwidth available for traffic destined to Tele2 infrastructure addresses.

To protect the Tele2 network infrastructure, policers are implemented to limit the amount of traffic destined to addresses used for Tele2 network infrastructure. This can also affect ICMP-based monitoring such as ping or traceroute: packet loss or elevated latency seen towards Tele2 infrastructure addresses does not necessarily indicate a problem for traffic transiting the network. Please observe that no limits are imposed on customer prefixes.