By preventing unauthorized routing changes, route hijacking, and other malicious activities, we protect your network connectivity and safeguard your data transmission.
One of the key concerns in routing security is preventing unauthorized routing changes. Without adequate protection, attackers can inject false or malicious routing information, diverting network traffic to unauthorized destinations or causing disruptions. To mitigate this risk, routing security protocols and mechanisms are implemented.
Here at Arelion, we take our responsibility to secure Internet routing very seriously. Through a mix of industry best practices, our systems, and well-crafted policies, we minimize the chances of common routing threats, including BGP hijacks and route leaks.
Spanning 77,000 km and serving customers in 129 countries, our backbone extends across North America, Europe, and Asia. With fiber-up control, we deliver the scalability you need, whenever you need it – and a network experience so good, you won’t even know we’re here.
To improve Internet routing security, we have joined MANRS, a global initiative supported by the Internet Society that provides essential fixes to reduce the most common routing threats.
As part of our membership with MANRS, Arelion commits to adhere to four concrete actions to reduce routing threats:
We encourage customers to follow the standards defined in MANRS regarding routing security, including filtering and maintaining database and contact information. More information can be found at https://www.manrs.org/.
RPKI is a method to help prevent BGP hijacking and route leaks. It uses cryptographic signatures to validate that an ASN is allowed to announce a particular prefix. Arelion’s ASN, AS1299, has deployed RPKI route validation and filtering. We reject RPKI invalids on all BGP sessions, for both peers and customers. Read more about RPKI and what it is.
Please note: It is not our intention to do anything other than filter out invalids – we will not be rejecting unknowns.

| RPKI state | Description | Recommended action |
|---|---|---|
| Valid | Correct IP/masklength from the correct origin AS according to the ROA. | All good. No need to do anything. |
| Unknown | No ROA registered. | We recommend that customers register ROAs to protect their address space, but it's not required. |
| Invalid | Incorrect masklength and/or origin AS according to the registered ROA. | The address space owner should correct the ROA. |

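
The three states in the table and the reject-invalids-only policy can be reproduced with a short RFC 6811 route origin validation routine. This is an added example, not Arelion's code: the ROAs and announcements are constructed from documentation prefixes and ASNs, and the names `rov_state` and `accept` are hypothetical.

```python
import ipaddress

# Constructed sample ROAs (documentation prefixes and ASNs):
# (prefix, maxLength, origin AS)
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("203.0.113.0/24", 25, 64501),
    ("2001:db8::/32", 48, 64502),
]

def rov_state(prefix, origin_as, roas=ROAS):
    """Classify an announcement as 'valid', 'unknown' or 'invalid' (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A ROA only counts if it covers the announced prefix.
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Valid needs the right origin AS and a mask length within maxLength.
        # AS 0 in a ROA never matches any origin.
        if roa_as != 0 and roa_as == origin_as and route.prefixlen <= max_len:
            return "valid"
    # Covered by at least one ROA but matched none: invalid. No ROA: unknown.
    return "invalid" if covered else "unknown"

def accept(prefix, origin_as, roas=ROAS):
    """Filtering policy described on the page: reject invalids only."""
    return rov_state(prefix, origin_as, roas) != "invalid"

if __name__ == "__main__":
    # Constructed announcements: (prefix, origin AS)
    announcements = [
        ("192.0.2.0/24", 64500),      # matches its ROA
        ("192.0.2.0/25", 64500),      # more specific than maxLength allows
        ("192.0.2.0/24", 64511),      # wrong origin AS
        ("198.51.100.0/24", 64500),   # no ROA registered
        ("2001:db8:1::/48", 64502),   # within maxLength 48
    ]
    for prefix, asn in announcements:
        verdict = "accept" if accept(prefix, asn) else "reject"
        print(f"{prefix:20} AS{asn}  {rov_state(prefix, asn):8} {verdict}")
```

A more-specific announcement under a ROA whose maxLength equals the prefix length comes out invalid even from the correct origin AS, which is the usual reason an address space owner has to correct a ROA.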
We’ve been working hard on testing our validator infrastructure to ensure it is stable and scalable for a network of our size. In total, we have four validators deployed, two in North America and two in Europe, running two different versions of software. Each edge router has RTR sessions with each of the validators, giving us an extremely resilient deployment.
All BGP sessions have prefix filters based on a policy (AS or AS-set), with automated updates at 05:00 UTC and 19:00 UTC. Manual updates can be triggered through the My Arelion portal. The AS-set must include all AS numbers and/or nested AS-sets intended to be announced. The originating AS for every prefix must be included. Each announced prefix must have a matching route object and/or RPKI ROA that specifies the prefix, mask length, and the originating AS.
We recommend registering AS-sets and route objects in an authenticated IRR database, preferably one operated by the RIRs: RIPE, ARIN, APNIC, LACNIC, or AFRINIC. Our filters also consider matching objects from select legacy IRRs, e.g. RADB.