ISP and Hosting Network Operations
Service-provider networking adds operational and policy concerns that do not appear in a typical office network. An ISP or hosting provider must exchange routes with other autonomous systems, protect shared infrastructure, manage public address space, isolate customers, monitor capacity, and respond quickly when failures affect many services at once.
Autonomous Systems and BGP
An autonomous system is a network under one routing policy. Public BGP sessions use Autonomous System Numbers to identify networks and exchange reachable prefixes. Providers commonly maintain sessions with:
- Transit providers: Networks paid to provide global internet reachability.
- Peers: Networks that exchange customer traffic directly.
- Internet exchanges: Shared switching fabrics where many networks interconnect.
- Customers: Downstream networks receiving transit or routed connectivity.
Transit and Peering Strategy
Multiple transit providers improve resilience and create traffic-engineering options. Peering can reduce latency and transit cost, but every session adds route policy, monitoring, and maintenance work.
Before adding a provider or exchange, consider:
- Physical path diversity
- Commitment and burst pricing
- Route quality and geographic reach
- DDoS mitigation capability
- Support responsiveness
- Remote peering versus local presence
Route Filtering
Never treat a BGP neighbor as an unrestricted source of truth. Apply explicit inbound and outbound policy.
- Permit only authorized customer prefixes.
- Reject default routes unless intentionally accepted.
- Reject private, reserved, and otherwise invalid address space.
- Set maximum-prefix limits.
- Prevent internal infrastructure routes from being exported.
- Use route objects, RPKI data, and contractual information to build policy.
RPKI and Route-Origin Validation
Resource Public Key Infrastructure allows an address holder to publish a Route Origin Authorization, or ROA, identifying which autonomous systems may originate a prefix and the acceptable prefix length. Route-origin validation classifies announcements as valid, invalid, or not found.
RPKI does not replace all route filtering, but rejecting invalid route origins helps reduce accidental leaks and some forms of route hijacking.
IRR and Routing Records
Internet Routing Registry objects document routing policy and prefix authorization. Providers often use them to generate customer prefix filters. Registry data can be stale, so it should be combined with RPKI and direct customer authorization rather than trusted blindly.
Public Address Management
Public IPv4 space is scarce and operationally valuable. Accurate IP address management should track assignments, customers, route advertisements, reverse DNS, abuse contacts, and utilization. IPv6 plans should allocate enough space for clean customer delegation rather than repeating IPv4 scarcity habits.
Customer Edge Design
Customer connectivity may use static routes, BGP, VLAN handoffs, routed ports, tunnels, or virtual routing instances. The design should clearly define:
- Demarcation point
- Address ownership
- Accepted and advertised prefixes
- Maximum route count
- MTU
- Redundancy behavior
- Monitoring responsibility
Segmentation and Multi-Tenancy
Hosting networks must prevent one customer from affecting or reaching another. Common controls include VLANs, VRFs, routed access, private VLANs, hypervisor switching policy, firewalling, and anti-spoofing filters.
Anti-Spoofing
Customer-facing interfaces should normally permit only source addresses assigned or routed to that customer. Source validation reduces spoofed traffic leaving the network and helps prevent the provider from contributing to reflection attacks.
DDoS Operations
Prepare multiple mitigation paths:
- Provider blackhole communities
- Remotely Triggered Black Hole routing
- FlowSpec where supported and carefully controlled
- On-premises filtering for attacks below circuit capacity
- Cloud or carrier scrubbing for volumetric attacks
- Flow telemetry and automated detection
Network Operations
- Monitor BGP sessions, route counts, prefix changes, and path shifts.
- Track interface utilization at intervals short enough to reveal bursts.
- Collect flow records at internet and customer edges.
- Maintain configuration backups and change history.
- Test failover between routers, providers, and power systems.
- Maintain out-of-band console access.
- Document escalation paths for carriers, exchanges, and facilities.
Provider Maintenance Checklist
- Record baseline routes, traffic, errors, and adjacency state.
- Confirm console or out-of-band access.
- Review the rollback configuration.
- Drain or shift traffic when practical.
- Make the smallest controlled change.
- Validate both IPv4 and IPv6 routing.
- Verify customer reachability, flow, and monitoring.
- Document the final state and any deviations.