[AusNOG] Should we be a LIR for our customers and get them PI (Was: another ipv6 Q)

Robert Hudson hudrob at gmail.com
Sat Jul 5 11:49:05 EST 2014


Hi Jeroen,

Sorry for top-posting, I am on a mobile device.

I spoke before of SAGE-AU, but this post now comes from my other "persona"
- that of an employee of a multinational organisation.

We have recently put together an IPv6 strategy, and there are two options
we are investigating - either a single /32 PI allocation globally, or a /32
PI per region (aligned with the RIRs). The point is to have an internally
contiguous IP addressing scheme (or as close as possible), but then use the
same address space publicly as well (NAT is evil). The preference is for
the single global allocation, but I don't see regional /32 allocations as
a significant overhead.

Either way, the plan is to take /32 PI space and split it into a /48 per
site. Some of those sites are aggregated with a single point of Internet
connectivity, but even so, just in Asia Pacific, we are talking about 5
different countries in which we'd be advertising our various /48
allocations - and there is a different carrier per Internet connection.

If I am reading what you are saying correctly, we can't use either a single
global /32 of PI space or even a /32 of PI space per region and split it up
into multiple sites. Globally we're looking at several hundred sites (which
incidentally is probably more routes than SAGE-AU members are likely to
produce in the near future) - are you suggesting that carriers will
drop/filter our advertisements and cause us issues with IPv6 Internet
connectivity?

On 05/07/2014 12:18 AM, "Jeroen Massar" <jeroen at massar.ch> wrote:

> On 2014-07-04 08:47, James Andrewartha wrote:
> > Hi Jeroen,
> >
> > On Fri, 4 Jul 2014, Jeroen Massar wrote:
> >
> >> Do note that anybody who is going to announce that prefix in a useful
> >> manner also needs to have proper routing equipment to handle a full BGP
> >> feed. The cost of that kind of equipment, the transit payments and the
> >> engineers that do that will add up to a LOT more than $1200 PA :)
> >
> > Obviously you haven't seen what people do with cheap Mikrotiks :P
>
> I (un)fortunately have seen them and other such setups.
>
> They are great for starting out, but people also think they can have
> more than 2 full-transits on them and have a stable connection and/or
> that they can compare to the more 'professional' grade routers that are
> out there ;)
>
> I do think that it is great that such systems, or just a simple
> Supermicro with a Xeon E5 and Bird or Quagga on it, exists as it does
> enable a lot more people to connect to this amazing thing called the
> Internet and start new businesses.
>
> For more networks to stay on connecting though, that table size should
> not be too huge as otherwise starting out on the edge will not be
> possible at one point or another.
>
> Hence this whole thread that networks do filter and that one should be
> aware of not using portions of PA space as PI, as that will not work.
>
> > More seriously, is wanting a different routing policy an acceptable reason
> > for a second allocation? I can imagine ISPs might want to advertise
> > separate ranges in different states, do they then need multiple /32s?
>
> A real, full-on ISP, likely no, as they can backhaul that traffic; if
> they are unable to then they are not a full-on ISP IMHO.
>
> If you are located in two disparate locations though and do not want to
> backhaul one will have a teeny problem.
>
> It can be partially solved by having your transits announce the /32, but
> announcing more specifics to your PEERS. Note the word PEERS there,
> hence not transits. Having one transit leak the more specific will cause
> all traffic to go there. Hence do avoid that.
>
> More importantly: The other side of the world does not need to know
> where that traffic needs to be delivered locally.
>
> > Even I split my IPv4 /22 into two /23s so I can advertise them out
> > different links (broadly - school owned device to AARNet, non-school owned
> > to commodity transit).
>
> (You are part of the 44% of de-aggregated prefixes on the net)
>
> > Can I ask APNIC for another PI /48 to achieve this?
> > Their policies are unclear.
>
> You would have to justify why those locations are distinct and why they
> need separate routable blocks.
>
> IMHO, using the above trick of announcing more specifics to peers and
> the aggregate to transits is likely the better trick.
>
> The other variant would be to determine if you really need your own
> space (eg because of independence for whatever reason) or if you can
> live with a chunk of PA of somebody else.
>
> Note that quite a few universities/school networks in IPv6 simply use a
> /48 out of the /32 they get from their NREN. Though there is a school in
> Switzerland (Cantonsschule Zug) who have their own /32 that they use for
> connectivity for the multiple locations that they have and for
> connectivity of their students (yep, they do cable and dsl as a school).
>
> > https://www.apnic.net/publications/media-library/documents/resource-guidelines/ipv6-guidelines
> > seems to be the main one, and is somewhat contradictory. 6.2 says for
> > operational, geographic or regulatory reasons your network can be
> > considered as multiple discrete networks. So that covers the ISP case. My
> > site is multihomed, so I qualify under 9.1.1. However the end of section 2
> > says "Only one IPv6 address block is to be assigned to an organization
> > upon an initial request; subnets of this block may be assigned by the
> > organization to its different sites if needed."
> > But you claim (in contrast to Mark) that a /56 advertisement is verboten,
> > which conflicts with that.
>
> I have not claimed that a /56 advertisement is verboten, I did not even
> mention a /56 yet in this thread. But a /56 definitely will not go far
> in BGP, as that is not an allocation size that the RIRs give out.
>
> But yes, an end-site should get at minimum either a /56 or /48. Typically
> a /56 is "good enough" for home networks, while a /48 should be for any
> business type of situation.
>
> IMHO for ease of assignment one should just give everybody a /48.
>
> RIR policies allow fully for it and there are enough /48 in the global
> IPv6 space to do so for a long long time. (Note that German & France
> telecom both got /19s based on their /48 for every customer
> justification, for /56 they would have had enough with a lot less)
>
>
> Note also the differences between:
>
>  - allocation
>     RIR/NIR -> LIR
>     ~/16 - /32 PA or ~/40 - /48 PI
>
>  - assignment
>     LIR -> end-site
>     typically a /48, but up-to a /40 happens too
>
>  - advertisement/announcement
>     What you throw into BGP
>     depends on the allocation size as from the RIR, no more-specifics
>     See also http://www.space.net/~gert/RIPE/ipv6-filters.html
>
> > 9.2 then does say discrete networks qualify, so if I can demonstrate the
> > need APNIC should give me another /48 even though I could just as easily
> > split my original /48.
>
> Yes, you can "split" your network internally, but you should not be
> announcing it that way, possibly to peers, but definitely not to transits.
>
> > In the end there's no real difference to me, so is
> > the only gain that network operators have to fill out a bit more paperwork
> > to justify their operational reasons for extra prefixes to advertise for
> > traffic engineering?
>
> Indeed.
>
> > Seems a bit like overkill IMHO, and anyone who's
> > going to the effort of traffic engineering isn't going to be put off by a
> > little paperwork.
>
> Bingo.
>
> It is a bit overkill in a way, but in the long term it might be
> beneficial to the size of the routing tables, see above.
>
> Note that you can get a /32 PA with 65k /48s, but the RIRs will never
> give you 65k PI blocks for your distinct locations, you should be
> aggregating those. Unless you are an insanely popular and big LIR with a
> huge 200k businesses as distinct customers, but if you are then you
> would not be discussing these rules here asking questions and would have
> done so already ;)
>
> Greets,
>  Jeroen
>
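
Added example, not part of the original post or of either poster's configuration: a small Python model of the two points argued in the thread, namely that a strict inbound filter accepting only RIR allocation sizes drops per-site /48s carved from a /32, and that the suggested workaround is to export only the aggregate to transits and the more-specifics to peers. The documentation prefix 2001:db8::/32 stands in for a real allocation, and the function names and the filter rule are assumptions made for illustration, not any carrier's actual policy.

```python
import ipaddress

# Constructed sample data: 2001:db8::/32 is the IPv6 documentation prefix,
# standing in for an RIR allocation (assumption, not a real allocation).
ALLOCATION = ipaddress.ip_network("2001:db8::/32")


def site_prefixes(allocation, count, new_prefix=48):
    """Carve the first `count` per-site prefixes out of the allocation."""
    subnets = allocation.subnets(new_prefix=new_prefix)
    return [next(subnets) for _ in range(count)]


def strict_filter(announcement, allocations):
    """Hypothetical strict inbound filter: accept only a prefix that exactly
    matches an RIR allocation; reject any more-specific of one."""
    for alloc in allocations:
        if announcement == alloc:
            return "accept"
    for alloc in allocations:
        if announcement.subnet_of(alloc):
            return f"reject: more-specific of {alloc}"
    return "reject: not in any known allocation"


def export_policy(allocation, more_specifics, neighbour_type):
    """Aggregate only to transits; aggregate plus more-specifics to peers."""
    if neighbour_type == "transit":
        return [allocation]
    if neighbour_type == "peer":
        return [allocation] + list(more_specifics)
    raise ValueError(f"unknown neighbour type: {neighbour_type}")


def simulate(site_count=5):
    """Run the per-site /48s and the aggregate through the strict filter."""
    sites = site_prefixes(ALLOCATION, site_count)
    verdicts = {str(p): strict_filter(p, [ALLOCATION]) for p in sites}
    verdicts[str(ALLOCATION)] = strict_filter(ALLOCATION, [ALLOCATION])
    return sites, verdicts


if __name__ == "__main__":
    sites, verdicts = simulate()
    for prefix, verdict in verdicts.items():
        print(f"{prefix:22} {verdict}")
    print("to transit:", [str(p) for p in export_policy(ALLOCATION, sites, "transit")])
    print("to peer:   ", [str(p) for p in export_policy(ALLOCATION, sites, "peer")])
```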