Transit manipulation across Indian IXPs
It’s a known secret across many ISPs in India that IP transit manipulation/stealing happens at IXPs. This practice has persisted for several years. In this post, I am going to analyse the number of ISPs who seem to be doing it intentionally or unintentionally.
Background
If you are from the BGP routing world and reading this for the first time, you would be wondering how is that even possible. Well, traditionally networks could steal IP transit in the outbound direction by randomly pointing the default route to a peer (who has not agreed to transit them) and this would give them “outbound bandwidth”. Unethical, and very likely illegal as well. But since it’s free outbound, most of the inbound heavy eyeball ISPs had nothing to gain from it. This blog post does not cover that well-known angle.
There’s an Indian-specific condition which allows eyeball ISPs to “steal” / “get free” IP transit bandwidth from some IXPs in some specific cases.
- Presence at IXPs: Large telco-run ISPs are at NIXI with limited capacity/routes but maintain a presence for mostly compliance reasons as many tenders/RFPs require them to be peering at NIXI. Some non-telco but reasonably large networks are also at some of the private IXPs as well.
- Overlapping Relationships: These same set of players sell IP transit to a similar set of eyeball-heavy ISPs some of which are present at these IXPs.
- Common Routing Tables: FIB for ISPs is mostly common for downstream as well as peering routes.
- Routing Behavior: In IP routing, a more specific route always wins.
So here’s how it works: an ISP connects at NIXI with a peering port, and they also take IP transit from one of the ISPs. Now, if the ISP announces a /22 on the IP transit port and 2 x /23s (or 4 x /24s) on the peering port, in many cases they will get almost all the traffic via IXP. ISP would learn /22, tag it as a customer route and announce it globally. They would usually tag /23 differently, keep announcements locally within India, and avoid announcing it to their peers as upstreams.
Now, /22 will “catch traffic” and bring it to India but /23 will take over as a more specific route and traffic will exit via a peering port. So, the ISP from whom bandwidth is being taken/stolen will appear to be sitting between its upstream (or a peer) on the international side and another peer on the Indian side. This is a classical case of peering with your customers while also selling them transit. It’s a tricky problem to solve. Furthermore, it’s a good practice to announce more specific at IX and less specific at transit and thus people doing that may not be all doing it with the intention of transit stealing.
Telcos know
When I originally found it (years ago), I shared it with friends in the larger networks. I showed them some of those interesting traceroutes and they agreed but not much happened. I had no personal stake in it and did not bother much beyond that point. Later, I was contacted by my good friend Mr Venkat from Worldphone. He lost a customer in Chennai and when he checked the local market to find out who the customer went to, he learnt “nowhere!” and that made him curious about what was happening. We had a long chat and discussed in detail how it works. He eventually reached out to senior management at one of the telcos to push them to drop their customer ASNs from peerings. Not technically the best (more on this later) but somewhat worked.
Analysing the impact
To find out who is doing it, I decided to trace to .1 of all possible unique /24s in India. That would give a clear FIB view instead of an RIB view. Selling of IP transit across IX fabric is not happening in India as far as I know. There could be some corner case but I don’t know of any larger networks doing it as of now. Now source of such a trace has to be outside of India for two specific reasons:
- By tracing from outside of India, there’s a very chance that entities outside of India will NOT be on the customer side of Indian ISPs. That way we can be sure that traces go either via upstream of Indian telcos or peering ports.
- Some hardware vendors like Mikrotik Router OS reply to TTL time exceeded with the SRC IP of the port which is returning packets. That creates confusing traceroutes during asymmetric routing. By tracing from outside of India source, there’s an extremely high chance that return packets will not be from a peering link and hence if we see IX IPs in the traces, those are indeed the cases of routing manipulation.
So with that - I put 10 Hetzner VMs to trace in a batch of 1000 IPs each to get me the result in few mins.
As I have said in past, to define the Indian routing table, I can pick routes behind a small set of ASNs which sell IP transit in India and connect to the outside world. Some of them connect to the outside world with the same ASN like Airtel AS9498 or Sify AS9583, some do so via different ASNs like AS4755-AS6453 in the case of Tata Communications or AS55836-AS64049 in the case of Jio. I can pick the domestic ones as they are the ones which connect at IXP (NIXI in the case of these telcos).
ASNs operating in India which connect to the outside world:
- Bharti Airtel AS9498
- Tata Comm AS4755
- Jio AS55836
- VI AS55410 / AS55644
- BSNL AS9829
- Sify AS9583
Notes:
- I picked routes from RIPE RIS RRC01 and RRC03. There isn’t a need to diversify much because the goal is not to get all routes and all possible peering but simply prefixes seen behind these ASNs to get the Indian table. This gives me 55621 routes.
- I skipped the own originated massive table by Airtel via AS24560, AS45609, BSNL AS9829 etc and looked only at their downstream routes. Technically AS24560 is a downstream but pointless for this analysis. Airtel would not steal bandwidth from itself via NIXI. This reduces the overall unique IPs to trace to just 37061 prefixes. When breaking to /24 levels, it gives me 94423 prefixes i.e. 94423 IPs to trace to.
- This check is only done for IPv4. It would take a while to map to each possible /48 in the Indian table due to the large bit size.
- There are many cases where a network is on both sides i.e. for some routes they are getting free transit via IX, while in some other cases, their customer is getting free transit out of them.
List of networks
Here is a list of networks which appear to be getting IP transit out of internet exchanges.
Note: It’s important to realise that this list is NOT reflecting people who are “stealing” bandwidth but effectively getting IP transit via an ISP out of IX. Some of them are purely following the good practice of announcing more specifics at IX to get more traffic.
| Beneficiary AS Number | Beneficiary AS Name | Impacted network ASN | Impacted Network Name | Name of Exchange | Trace links |
|---|---|---|---|---|---|
| AS133001 | Airnet Cable And Datacom | AS17665 | One OTT | AMS-IX Mumbai | Click here |
| AS141519 | Yuvaa Communications | AS134674 | Tata Play Broadband | Extreme IX Bangalore | Click here |
| AS17665 | One OTT | AS18229 | Ctrls | Extreme IX Bangalore | Click here |
| AS147279 | OPTO COMMUNICATIONS | AS17665 | One OTT | Extreme IX Bangalore | Click here |
| AS136956 | Assistive Networks and technologies | AS18229 | Ctrls | Extreme IX Bangalore | Click here |
| AS134911 | Sigaram Networks | AS58898 | Rainbow Communications India | Extreme IX Chennai | Click here |
| AS151732 | Onremote Telecom | AS45820 | Tata Tele (TTSL) | Extreme IX Delhi | Click here |
| AS135692 | Global Ra Net Services | AS17665 | One OTT | Extreme IX Delhi | Click here |
| AS24550 | Websurfer Nepal | AS9583 | Sify | Extreme IX Delhi | Click here |
| AS17665 | One OTT | AS133676 | PNPL-AS Precious netcom | Extreme IX Delhi | Click here |
| AS17665 | One OTT | AS136362 | Yes India Communications | Extreme IX Delhi | Click here |
| AS135716 | Sat International | AS135848 | Digitax India Communications | Extreme IX Delhi | Click here |
| AS18002 | Worldphone | AS17665 | One OTT | Extreme IX Delhi | Click here |
| AS134294 | R P World Telecom | AS45820 | Tata Tele (TTSL) | Extreme IX Delhi | Click here |
| AS142524 | Poem Techno | AS135848 | Digitax India Communications | Extreme IX Delhi | Click here |
| AS142488 | Nextia Broadband | AS9583 | Sify | Extreme IX Delhi | Click here |
| AS134922 | Renu Broadband | AS9583 | Sify | NIXI Delhi | Click here |
| AS134922 | Renu Broadband | AS133647 | ELXIRE DATA SERVICES | Extreme IX Delhi | Click here |
| AS141529 | VMPS Broadband | AS9583 | Sify | Extreme IX Delhi | Click here |
| AS137678 | Protoact Digital Network | AS9583 | Sify | Extreme IX Delhi | Click here |
| AS45117 | Ishan Netsol | AS55836 | Jio | NIXI Mumbai | Click here |
| AS134331 | Smartlink Solutions | AS9583 | Sify | NIXI Mumbai | Click here |
| AS58659 | Quest Consultancy | AS9583 | Sify | NIXI Mumbai | Click here |
| AS136334 | VORTEX NETSOL | AS55836 | Jio | NIXI Mumbai | Click here |
| AS133001 | Airnet Cable And Datacom | AS55352 | Microscan | NIXI Mumbai | Click here |
| AS55352 | Microscan | AS55836 | Jio | NIXI Mumbai | Click here |
| AS9885 | NKN - National Knowledge Network | AS55836 | Jio | NIXI Mumbai | Click here |
| AS24554 | Five Network | AS55352 | Microscan | NIXI Mumbai | Click here |
| AS132296 | Seven Star Digital Network | AS17762 | Tata Teleservices (Maharastra) | NIXI Mumbai | Click here |
Solution to the problem
To solve this problem, a not-so-good but easy way is to drop your customer’s ASNs from peers. However this is not efficient as many networks are multi-homed, they may announce some routes via one transit and some other routes via other transit. So it’s always possible that a given network may learn a few routes directly from customers and a few routes via its peers. So ultimately solution lies in the per-prefix action. It can be done with a basic script with certain logic:
- Run a BGP collector/software BGP speaker like FRR or BIRD etc on a server and feed it downstream and peer routes marked by clear BGP communities.
- Next, let a script read and compare peering routes with downstream routes to find cases where there is a more specific route on the peering table compared to the downstream table.
- Learnt routes can be sent back to the router in the form of a prefix list to drop those on peering for say next 4 hours.
- Reset after 4hrs and re-compute to ensure the filter stays dynamic.
Why only at IXP?
A similar issue is highly unlikely outside of IXPs between two large transit players. Imagine the case of Airtel and Tata Comm in the Indian context. If a network announces /22 on Airtel and /23 on Tata Comm, then Tata Comm will carry traffic and exit traffic from its customer port. Only if routing is influenced by the use of BGP communities in a way to keep /23 on Tata Comm local with India (i.e. AS4755 boundary) but /22 via Airtel goes through. In this case, Airtel will carry traffic from outside of India to India and will exit to Tata Comm who will deliver bit to the customer. Possible but unlikely. In the absence of such a limited announcement of more specific prefixes, this behaviour will not occur at large.
With hope that you are not sitting between two peers or your upstream & a peer, time to end this post!