asymmetric routing

Michel Py michel@arneill-py.sacramento.ca.us
Mon, 28 Jan 2002 13:06:42 -0800


I mostly agree with Pim's postings.

> Does anybody have info on situations where a customer would want
> more than one AS to uplink to.

Practically speaking, it is not possible today. Unless you are a transit
provider, there are no practical advantages today in peering with two
different ASNs except experimenting.


1. In the current situation (meaning, no IPv6 multihoming), I don't see
a reason NOT to filter customers (ACL) by denying everything except the
customer's PA prefixes. The only IPv6 addresses being assigned today are
PA (provider assigned), not PI (provider independent). Asymmetric
routing (meaning, across different providers connected to one customer)
should (eventually) occur only with PI addresses.

If a provider sees traffic from a customer originating from PA address
space that does not belong to that customer/provider pair, it means:
a) spoofing
b) the customer is multihomed and the multihoming source address
selection or policy routing (that currently does not exist) is broken.
c) the customer is being used as a transit provider. This means a
cluster f... in the routing and the customer should also filter to avoid
this.


2. In the future, and as both the acting editor for the IPv6 multihoming
requirements draft and the author of an IPv6 solution draft,
http://search.ietf.org/internet-drafts/draft-py-multi6-mhtp-01.txt
I think that IPv6 multihoming solutions to be developed will either:
a) be host-based multi-address solution with a PA address selection
mechanism combined with source-address based policy routing.
b) implement a PI (provider independent) address space.

In either case, filtering customer's PA traffic by restricting traffic
from and to the address space that the provider assigned to the customer
will NOT break the multihoming scheme.

The difference between IPv4 and IPv6 is that IPv6 is strongly
aggregated. As of today, no provider should accept routes from customers
that they do not own. There is no reason to accept traffic from prefixes
that they do not own either. ACL filtering should match BGP filtering.

In short: it is too early to assume anything about IPv6 PI addresses as
of today. For IPv6 PA addresses, DO filter. If you break something, that
something should not have happened in the first place.

Michel.
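
Added example, not part of the original post: a Python check of the rule described above, permitting on a customer link only sources inside that customer's assigned PA prefixes and reporting where the ACL and the BGP filter have drifted apart. The customer names, prefixes (documentation address space) and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data (documentation prefixes); not taken from the post.
PROVIDER_AGGREGATE = ipaddress.ip_network("2001:db8::/32")
CUSTOMERS = {
    "cust-a": {"assigned": ["2001:db8:a::/48"],
               "acl_permit": ["2001:db8:a::/48"],
               "bgp_accept": ["2001:db8:a::/48"]},
    "cust-b": {"assigned": ["2001:db8:b::/48"],
               "acl_permit": ["2001:db8:b::/48"],
               # Drift: BGP accepts a prefix the ACL and assignment do not cover.
               "bgp_accept": ["2001:db8:b::/48", "2001:db8:c::/48"]},
}

def _nets(prefixes):
    return {ipaddress.ip_network(p) for p in prefixes}

def filter_drift(name):
    """Return prefixes where the ACL or BGP filter differs from the assignment."""
    c = CUSTOMERS[name]
    assigned = _nets(c["assigned"])
    acl, bgp = _nets(c["acl_permit"]), _nets(c["bgp_accept"])
    return {
        "acl_not_assigned": sorted(map(str, acl - assigned)),
        "bgp_not_assigned": sorted(map(str, bgp - assigned)),
        "acl_bgp_mismatch": sorted(map(str, acl ^ bgp)),
    }

def classify_source(name, src):
    """Ingress decision for a packet arriving on the named customer's link."""
    addr = ipaddress.ip_address(src)
    if any(addr in n for n in _nets(CUSTOMERS[name]["assigned"])):
        return "permit"
    if addr in PROVIDER_AGGREGATE:
        return "deny: PA space of this provider, not assigned to this customer"
    return "deny: address space outside this provider's aggregate"

if __name__ == "__main__":
    for cust in CUSTOMERS:
        print(cust, filter_drift(cust))
    for cust, src in [("cust-a", "2001:db8:a::1"),   # own PA prefix
                      ("cust-a", "2001:db8:b::1"),   # another customer's PA
                      ("cust-a", "3fff:1::1")]:      # outside the aggregate
        print(cust, src, "->", classify_source(cust, src))
```

A denied source cannot by itself be attributed to one of the three causes listed in the post; the check only shows that the packet falls outside the customer/provider pair.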