TATA Communications Customer BGP Filter Update Policy for IP Transit

Basic Requirements

Mandatory Requirements

1. Customer must own an ASN (Autonomous System Number) and we validate the ownership by checking the proper registration of their ASN in the Routing Registries. Valid aut-num object is mandatory. See APNIC, RIPE or your RIR site for the syntax details.

aut-num: AS64511
as-name: ISP-C
descr: Company AS number
descr: Cityname
<-omitted->
mnt-by:     MAINT-COMPANY
changed:    ipadmin@example.com 20381228
source:     RIR

2. The customer must register "ROA" objects or "route" objects for all their IP blocks with a proper origin ASN. Multiple "route" objects per IP block are allowed. Multiple "ROA" objects per IP block are allowed. "ROA" objects have higher precedence than "route" objects.

route: 203.0.113.0/24
descr: Test
origin: AS64511
mnt-by: MAINT-COMPANY
changed: ipadmin@example.com 20381228
source: RIR

For the "route" object see APNIC, ARIN or your RIR site for the syntax details.

For the "ROA" object see RIPE, ARIN, APNIC, LACNIC or your RIR site for the syntax details.

Please note, 'route' and 'route6' must be created in the corresponding authoritative registry - AfriNIC, APNIC, ARIN, LACNIC, RIPE, NIC.br or IDNIC. Objects creation in non-authoritative registries is not supported.

Steps to be followed by the customer, if the customer is a transit AS

3. Register an AS-SET Object and add in the "members" field all the ASN/AS-SETs that will be transiting through the customer's network INCLUDING their ASN. Preferred AS-SET format is ASNNN:AS-YYYYY

as-set: AS64511:AS-ISPCUST
descr: Description of the as-set
descr: Country
members: AS64511, AS645113, AS64514:AS-CLIENT
members: AS64515:AS-CLIENT, AS64516:AS-CLIENT, ASAS64517
mnt-by: MAINT-COMPANY
changed: ipadmin@example.com 20381228
source: RIR

It is recommended to create an AS-SET in the corresponding to the ASN authoritative registry - AfriNIC, APNIC, ARIN, LACNIC, RIPE, RIPE, NIC.br or IDNIC. Objects creation in non-authoritative registries is discouraged and their functionality is not guaranteed.

4. Advise Tata Communications (IPServiceDesk@tatacommunications.com) about the new AS-SET creation (Only one AS-SET will be used).

Special note, deprecation of non-authoritative registries

Please note that 'route' and 'route6' objects created after 2023-Aug-15 in non-authoritative registries like RADB, NTTCOM, ALTDB won't be processed. It is recommended to create RPKI ROA objects instead. In rare cases if that's not possible, 'route' and 'route6' must be created in the authoritative registry - AfriNIC, APNIC, ARIN, LACNIC, RIPE, RIPE, NIC.br or IDNIC.

Update Process

Our route filtering engine gets updated regularly from all major routing registries and build the appropriate IP prefix-list and IP as-path access-list and forward it to the appropriate router within 24 hours.

Please note that all the as-set "members" must have their IP Blocks registered with the correct ASN as "origin" since Tata Communications only accepts announcement for the properly registered "route" or "ROA" objects that belong to their customer or their customers' customers. This feature provides our customers with full control on their Tata Communications BGP filters, once an update is done on the RIR database the routers BGP filters will be updated automatically within 24 hours. The customer can add or remove ASN from their as-set, can add or remove "route" or "ROA" objects with no manual intervention on Tata Communications side.

Verification Process

  1. Check "AS-SET" expansion to the ASN list

Install bgpq3

# apt install bgpq3

or visit bgpq3 site for the installation details

$ bgpq3 AS64511:AS-ISPCUST -t -j
{"NN": [
64511,64512,64513
64514,64515
]}

2. Check "route" object

$ whois 193.0.0.0
route:          193.0.0.0/21
descr:          RIPE-NCC
origin:         AS3333
mnt-by:         RIPE-NCC-MNT
created:        1970-01-01T00:00:00Z
last-modified:  2008-09-10T14:27:53Z
source:         RIPE

3. Check "ROA" object https://rpki-validator.ripe.net/roas