[6bone] pTLA request NDSOFTWARE - review closes 23 October 2002

John Fraizer tvo@EnterZone.Net
Sun, 20 Oct 2002 10:24:50 -0400 (EDT)


On 20 Oct 2002, Nicolas DEFFAYET wrote:

> On Sun, 2002-10-20 at 10:42, John Fraizer wrote: 
> 
> > (1) Who are the following and what are their qualifications to be
> > technical contacts?  The last thing I want to hear on the other end of the
> 
> There is a common phone contact for best management. 
> 

OK.  So, _someone_ is going to answer that phone number when we call at
zero-dark:thirty with a peering issue, right?

> I'm NOT at school because I'm NOT a kid. 
> I work for NDSoftware all day. 

OK.  I'm still wondering what NDSoftware does.  Don't get me wrong.  The
ASPath Tree is slick, the ftp site is handy for some I'm sure, providing
6bone connectivity is definitely a service but, there has to be something
going on that actually generates income, otherwise, you're hemorrhaging
money on colocation and IP transit charges.  Generally, when someone forms
a company, as you state you have done, it is to generate income.  To do
that, you have to offer services that people will purchase.  You _can't_
sell 6bone access and thus far, every "service" you claim to provide is
6bone-centric.

I'm simply looking at the overall health of the 6bone here.  If you're
issued a pTLA and start providing "services" to folks with that address
space and suddenly, your "company" goes tits-up because you're not able to
pay your colocation/transit fees (because your "company" isn't actually
SELLING anything to generate revenue) then not only have you embarrassed
yourself but, you will have inconvenienced who knows how many other 
people.

> 
> All tech contacts in NDSoftware's whois have root access on each
> router. They understand v4/v6 routing, unix administration, ... 
> 

Wow.  You're a trusting soul there.  sudo is your friend, Dude.  You might
want to look at the man page for it.

> > (2) Do you have a network plan?  IE; How are your current /32's
> > dispersed?
> 
> Yes, we have a network plan. Our network plan is not clear for these 3
> /32s, but now I know my errors of IP management, and the NDSoftware pTLA
> address plan will be clear. 

OK so, you _plan_ to have a network plan then.  While not a requirement
for being issued a pTLA of v6 space, most every RIR I've looked at will
require you to show proper utilization of current upstream assigned
address space, along with appropriate SWIP or rwhois entries for your
subsequent assignment of that address space to your downstreams prior to
issuing Provider Independent v4 address space to you.

I'm simply looking for you to demonstrate that you or one of your
employees can properly maintain appropriate records for address
allocation.  Just because the 6bone is experimental does not relieve you,
the administrator of a network, from the burden of due diligence.  Suppose
one of your downstreams started a SPAM campaign to v6 connected
mailservers or started trying to hack into other v6 connected
systems?  How long does it take you to track down the appropriate contact
information for the source address?  Do you have appropriate records to
provide to law enforcement agencies in the event that you are subpoenaed
for this type of information?

> 
> We have 3 /32s, but 1 /32 is enough. We have 3 /32s to have a backup if
> one of our upstreams can't provide us a BGP peering anymore. 
> 

Ya, like if they were to say "your peering session is going to die in a
week because our routers are overloaded with BGP sessions.  We've decided
to drop all of our BGP peers who are using reserved ASNs." -- Something
like that?


> > (3) Do _you_ have a network or are you simply colocated someplace on
> > someone elses network?
> 
> Both currently, because our network is not finished. 
> 

OK.  What does your network consist of?  Keep in mind that I went to your
website looking for this information.  You don't have it listed.  If I
could find it, I wouldn't be asking these questions.

> > If you're colocated, do you #1 have 24hr _physical_ access to the
> > equipment?  Can you be onsite within a reasonable amount of time in the
> > event that physical access to equipment is required to remedy a
> > problem?  If not, do you have a "remote hands" contract in place?
> 
> Yes, we have 24x7 access. 
> 
> > (4) If you don't have your own network, how do you propose to provide
> > "production quality" 6bone backbone services?  
> 
> No need to have your own network to provide a production quality service...

Tell that to the KPNQwest folks.

> > I submit that without your own portable v4 address space for an endpoint
> > of tunnels, you're at the mercy of your upstreams.  If they require you to
> > renumber, every one of your peers will have to reconfigure their tunnels.
> 
> Yes, I know. 
> 

So, when you went after your ASN, did you try to brow-beat some v4 space
out of RIPE as well?

> > (5) I find this strange.  Can you explain it?
> > 
> > Nice routing loop there.  Have you considered: (1) Not having a v6 default on your border
> > router. (2) Having a connection between your two border routers and running an IGP between them?
> 
> Oops, fixed. 
> 
> I forgot to add "ifconfig lo add 3ffe:81f1:2:1::1/64" in the init
> scripts of parcr1.fr.ndsoftwarenet.net. 

Wow.  I can't imagine trying to explain that to one of my customers.  This
is all about attention to detail, Nicolas.  So, you get your own pTLA and
people start actually listening to and propagating your announcements and
you "forget" a little thing like applying an access-list or route-map to
a peering session.  Guess what?  Your lack of attention to detail does
more than embarrass you.  It can cause service-affecting outages for a
whole ton of OTHER people.

> 
>  2  eth1-0-parcr2.fr.ndsoftwarenet.net (3ffe:81f1:12:1::1)  1.023 ms  1.068 ms  0.961 ms 
>  3  lo0-0-parcr1.fr.ndsoftwarenet.net (3ffe:81f1:2:1::1)  189.781 ms  227.238 ms  212.632 ms 

Wow!  Just how much distance is between those two routers?  I'm just
wondering because that's a longer RTT than from here to London.

Oh, something for you to ponder since the previous routing loop certainly 
looked like you had a default route set up on that router:

From RFC2772:

3.7 Default routes

   6Bone core pTLA routers MUST be default-free.

   pTLAs MAY advertise a default route to any downstream peer (non-pTLA
   site). Transit pNLAs MAY advertise a default route to any of their
   downstreams (other transit pNLA or leaf site).

> 
> > (6) It can't be a good sign for a "production quality" network when your
> > route-server can't maintain a BGP peering session with your own routers:
> 
> Yes, I know, it's because I use a peer group. 
> This problem will be fixed when parcr1.fr.ndsoftwarenet.net has the
> new AS (I will do the migration of parcr1.fr.ndsoftwarenet.net after
> the 23rd of October). 

Hrm...  Guess what.  You can override nearly ANY "peer group" setting with
a per-peer setting.

> 
> > (7) "a. Fully maintained, up to date, 6Bone Registry entries for their
> >     ipv6-site inet6num, mntner, and person objects, including each
> >     tunnel that the Applicant has."
> > 
> > You've got parcr3.fr.ndsoftwarenet.net listed in your ipv6-site object but:
> 
> Removed from the whois while we update the DNS. 
> 
> parcr3.fr.ndsoftwarenet.net is the first pre-production router on our
> network and doesn't have IPv4 connectivity. 

OK.  If you say so.  Just wondering.  How long does it take to update a
zone file and type "kill -HUP [pid of named]"?

>  
> > (8) With regards to #7 above, I suggest that with your recent policy
> > change regarding BGP peers, you remove the following line from your
> > ipv6-site object:
> > 
> > remarks:      NDSoftware have an open peering policy.
> 
> We are open, why remove this? 
> 
> It's not because we have deleted 5-6 BGP sessions with private ASNs for
> new peers with pTLAs and sTLAs that we aren't open... 
> 

Well, if you're full, as in, you're having to remove current peers to
bring on NEW peers, I wouldn't consider you to be "open."


> > (9) What is your "potential user community" IE; What gap are you going to
> > be filling in the service delivery arena that is not already served by
> > other pTLAs?
> 
> NDSoftware operates an IPv6 network and provides a lot of IPv6 services
> to many projects. 
> 

Inquiring minds would like to see a network map for your network.  I'm
serious.  What geographic points does it connect?  What media?  Is it a
meshed network?  227ms from one NDSoftware router in France to another
NDSoftware router in France doesn't exactly scream "I've got a production
quality network!" if you know what I mean.

> We provide to: 
> 
> IPv6-FR (a non-profit organisation for the development of IPv6 in
> France) 
> tunnel broker:  200 users, each user has a /48. 
> 

Hrm...

role:         IPv6-FR NOC
address:      IPv6-FR
address:      57 rue du president Wilson
address:      92300 Levallois-Perret
address:      France
phone:        +33 671887502

role:         NDSoftware NOC
address:      NDSoftware
address:      57 rue du president Wilson
address:      92300 Levallois-Perret
address:      France
phone:        +33 671887502


I'm sorry Nicolas.  Providing address space to YOURSELF doesn't
count!  Sheesh! 


> 
> NextGenCollective (http://www.nextgencollective.net/)
> tunnel broker:  150 users, each user has a /48. 

ipv6-site:    NEXTGENCOLLECTIVE
origin:       AS65055
descr:        NextGenCollective IPv6 Research Organization
country:      US
prefix:       3FFE:8271:A020::/44
prefix:       3FFE:8271:A030::/44
prefix:       3FFE:8271:B000::/40
prefix:       3FFE:2C01:1000::/36
tunnel:       IPv6 in IPv4 wireless.cs.twsu.edu -> parcr1.fr.ndsoftwarenet.net NDSOFTWARE BGP4+
contact:      AB12-6BONE
contact:      BP6-6BONE
remarks:      Report abuses at abuse@nextgencollective.net
url:          http://www.nextgencollective.net
mnt-by:       MNT-NEXTGENCOLLECTIVE
changed:      basit@nextgencollective.net 20020819
source:       6BONE

person:       Bryce PORTER
address:      Peoria, IL
phone:        +1 555-555-5555
e-mail:       x86@nextgencollective.net
nic-hdl:      BP6-6BONE
mnt-by:       MNT-NEXTGENCOLLECTIVE
changed:      x86@nextgencollective.net 20020405
source:       6BONE

person:       Abdul Basit
address:      3116 E.18th Street
address:      Wichita , KS 67214 USA
phone:        +1 316 978-3729
e-mail:       basit@nextgencollective.net
e-mail:       basit@basit.cc
nic-hdl:      AB12-6BONE
url:          http://basit.cc
notify:       basit@basit.cc
mnt-by:       MNT-NEXTGENCOLLECTIVE
changed:      basit@basit.cc 20020220
source:       6BONE



Don't you think that a tunnel-broker housed in Wichita, KS, USA would be
better served by a 6bone pTLA *IN* the USA?  Also, with your current
peering policy change, isn't this site going to get NIXED?  I note their
use of a Reserved ASN.


> 
> ATI (A Tunisian ISP, http://www.ipv6net.tn/)
> 

$ traceroute6 3FFE:8271:A010::1
traceroute to 3FFE:8271:A010::1 (3ffe:8271:a010::1) from
3ffe:4010:ff09::1, 30 hops max, 16 byte packets
 1  enterzone-ndsoftware-gw.paris.ipv6.enterzone.net (3ffe:4010:ff09::2)  762.094 ms  797.236 ms  815.096 ms
 2  feth0-1-parcr1.fr.ndsoftwarenet.net (3ffe:81f1:0:1::1)  1286.27 ms 1567.95 ms  1651.54 ms
 3  3ffe:8270:0:1::64 (3ffe:8270:0:1::64)  1021.78 ms  1088.46 ms  1132.56 ms

I do believe that they would also be better served by someone
geographically closer to them.  Note: Our peering session with you is up
at YOUR request.  RTTs to you are over 6X longer than any other peer we
have. Also note: reverse for 3ffe:8270:0:1::64 is broken or non-existent.


> We do many actions in IPv6 research, we created FNIX6 (French 
> International Internet Exchange IPv6, http://www.fnix6.net/), we host


ipv6-site:    FNIX6
origin:       AS25358
descr:        French National Internet eXchange IPv6
country:      FR
contact:      NDS1-6BONE
url:          http://www.fnix6.net/
notify:       notify@ndsoftwarenet.com
mnt-by:       MNT-NDSOFTWARE
changed:      nicolas.deffayet@ndsoftware.net 20021018
source:       6BONE


Which is it?  French National Internet eXchange or the French
International Internet Exchange?

2002-10-08 NDSoftware launch FNIX6 - I get it.  You haven't decided.  It's
not even two weeks old!  I must say that you've got more information on
that website than you do on the NDSoftware site though.


> many mirrors available in IPv6, we created ftp://ftp.openipv6.com/ (an
> FTP with a lot of IPv6 stuff). 

ncftp ...patched/eggdrop/1.6.12 > ls
eggdrop1.6.12.ipv6.precomp.linux.tgz            info.txt

Now there's a serious service.  Robbie Pointer will be
proud.  (Sidenote:  I went to school with Robbie.  I hope he's changed
since then!)


> > (10) What purpose will having your OWN pTLA serve that your current 3
> > /32's don't already serve?  Keep in mind that _wanting_ your own pTLA !=
> > _NEEDING_ your own pTLA and _NEEDING_ to announce a pTLA into the DFZ
> > because it's a requirement for you to have your own ASN is _not_
> > sufficient justification for you to be issued a 
> 
> A lot of peers filter our /32 because it's not a pTLA. 
> We want a pTLA so we can announce our network without any problems, not
> break the IPv6 aggregation and be independent of an upstream (we don't
> want to be down because our upstream is down). 
> 

Well, that's a valid wish and I can understand your point.  Didn't you say
earlier though that you had 3 /32's for redundancy already?


> > (11) "d. A fully maintained, and reliable, IPv6-accessible system
> >       providing, at a minimum, one or more web pages, describing the
> >       Applicant's IPv6 services.  This server must be IPv6 pingable."
> > 
> > Looking at http://noc.ndsoftwarenet.com, information about what
> > NDSOFTWARE actually *does* is strangely absent.  Your peering-policy link
> > returns a 404 error. Your route-filtering link returns a 404 error. Your
> > usenet-policy link returns a 404 error.  Register, Login and Help all
> > point to your bgp-communities page, as do your "go" button and the
> > advanced-search link.  Home, Products & Services,  Support, Download, Buy
> > and Contact links at the top page simply link to whatever page you're
> > currently viewing.  There is no information about what your
> > "company?" actually does or offers to do even.
> 
> The NDSoftware website is not ready for the moment, but the NOC website
> is ready. 
> 
> We will fix these 404 errors. 
> 

That *was* the NOC website I was talking about.  Again, I'm simply
pointing out attention to detail flaws here Nicolas.  I'll take 10 seconds
of attention to detail over 10 hours of the best intentions EVERY TIME.


> > I don't know about in France but, in the US, 84 + 9 = 93 peering sessions,
> > not 101 peering sessions.
> > 
> > Can you perhaps explain your math to us?
> 
> "We have currently 101 BGP4+ sessions."
>          ^^^^^^^^^ 
> We have deleted many peerings that were down for many weeks after our pTLA
> request, to prepare the migration of parcr1.fr.ndsoftwarenet.net 

So, that should have read "when I wrote this, we had 101 BGP4+ peering
sessions but, I'm getting ready to axe a bunch of them."

> 
> > (13) Of those 84 peering sessions, have you verified that they have
> > appropriate entries in their ipv6-site objects for the tunnel/connection
> > or that they have ipv6-site objects AT-ALL?  Before you answer this, take
> > a look at this:
> 
> A lot don't want to create an ipv6-site. 
> 
> > Part of properly maintaining _YOUR_ ipv6-site object is making sure that
> > you don't reference an object that doesn't exist.  If someone is unable or
> > unwilling to create & maintain an ipv6-site object, do you really feel
> > that they are a good peering candidate?  I certainly don't.
> 
> They can be a good peering candidate! 
> 
> A whois updated or not doesn't make the quality of a peering. 


I SERIOUSLY BEG TO DIFFER!  If someone is too damned lazy to create and
maintain an ipv6-site object, how on earth can you expect them to maintain
appropriate BGP filters, allocation records, etc, etc, etc?  Man, it is
_OBVIOUS_ that this is a *toy* to you.

By virtue of your ipv6-site object referencing tunnel endpoints that have
no corresponding ipv6-site object, it is NOT accurate and you (and your
sites with nonexistent or invalid ipv6-site objects) are in violation of
RFC2772:

5. The 6Bone Registry

   The 6Bone registry is a RIPE-181 database with IPv6 extensions used
   to store information about the 6Bone, and its sites. The 6bone is
   accessible at:

         <http://www.6bone.net/whois.html>

   Each 6Bone site MUST maintain the relevant entries in the 6Bone
   registry. In particular, the following object MUST be present for all
   6Bone leaf sites, pNLAs and pTLAs:

   -  IPv6-site: site description

   -  Inet6num: prefix delegation (one record MUST exist for each
      delegation)

   -  Mntner: contact info for site maintenance/administration staff.

   Other objects MAY be maintained at the discretion of the sites such as
   routing policy descriptors, person, or role objects.  The Mntner
   object MUST make reference to a role or person object, but those MAY
   NOT necessarily reside in the 6Bone registry. They can be stored
   within any of the Internet registry databases (ARIN, APNIC, RIPE-NCC,
   etc.)

6. Guidelines for new sites joining the 6Bone

   New sites joining the 6Bone should seek to connect to a transit pNLA
   or a pTLA within their region, and preferably as close as possible to
   their existing IPv4 physical and routing path for Internet service.
   The 6Bone web site at <http://www.6bone.net> has various information
   and tools to help find candidate 6bone networks.

   Any site connected to the 6Bone MUST maintain a DNS server for
   forward name lookups and reverse address lookups.  The joining site
   MUST maintain the 6Bone objects relative to its site, as described in
   section 5.

   The upstream provider MUST delegate the reverse address translation
   zone in DNS to the joining site, or have an agreement in place to
   perform primary DNS for that downstream. The provider MUST also
   create the 6Bone registry inet6num object reflecting the delegated
   address space.






Now, from section 7 of RFC2772, a bit more for you to ponder:

      During the entire qualifying period the Applicant must be
      operational providing the following:

      a. Fully maintained, up to date, 6Bone Registry entries for their
         ipv6-site inet6num, mntner, and person objects, including each
         tunnel that the Applicant has.

<snip>


   4. The pTLA Applicant MUST commit to abide by the current 6Bone
      operational rules and policies as they exist at time of its
      application, and agree to abide by future 6Bone backbone
      operational rules and policies as they evolve by consensus of the
      6Bone backbone and user community.



Now, since you obviously don't care if your peers maintain their ipv6-site
objects or even HAVE them for that matter, how is it that you are abiding
by RFC2772, Section 5?



> 
> Why all these questions? 
> I didn't ask all these questions when you requested your
> pTLA.... 


Nicolas, NOBODY asked any questions when I requested a pTLA for EnterZone.  
We already held an sTLA, our website provided accurate, up-to-date
information about our service offerings as well as our company and we had,
at the time of the request, been in business for nearly 7 years providing
IP transit and datacenter services.  A large portion of the v6 community
is running the looking-glass code that I wrote, I wrote the first exchange
point route-server hack (which has become the "transparent" features) for
the Zebra code and am VERY active in the Zebra mailing list, NANOG, and am
one of the moderators for the Linux-ATM project.  Suffice it to say that
people knew who I was, who EnterZone, Inc was and they didn't have any
question about our ability to provide "production quality" services, or if
we had a potential "user community."

Had anyone had questions for us, I would have personally sat down and in
great detail answered any concern that they had.  Your defensive posture
is doing nothing to ease any anxieties people may have over your becoming
a pTLA holder and participating in the Default Free Zone.


This is _not_ anything personal Nicolas.  It's all about due
diligence.  Any BUSINESSMAN should understand that.


---
John Fraizer              | High-Security Datacenter Services |
President                 | Dedicated circuits 64k - 155M OC3 |
EnterZone, Inc            | Virtual, Dedicated, Colocation    |
http://www.enterzone.net/ | Network Consulting Services       |
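As an added example (not part of the message above, nor tooling from the 6bone or either party), here is a Python check that applies the RFC 2772 section 5 consistency rules this thread keeps returning to: every ipv6-site's contact and mnt-by attributes must resolve to existing objects, every mntner must reference a person or role that exists, and every tunnel line must name a remote site that actually has an ipv6-site object. It also flags private-range origin ASNs, the point raised about the NEXTGENCOLLECTIVE object. The registry dump is constructed: NEXTGENCOLLECTIVE, FNIX6 and the two person objects are trimmed copies of those quoted above; the NDSOFTWARE site, both mntner objects, the EXAMPLE-LEAF tunnel and the deliberately absent NDS1-6BONE person object are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample dump. NEXTGENCOLLECTIVE, FNIX6 and the two person objects
# are trimmed copies of the ones quoted in the thread; the NDSOFTWARE site,
# both mntner objects, the EXAMPLE-LEAF tunnel and the missing NDS1-6BONE
# person object are assumptions made for this example.
SAMPLE_REGISTRY = """\
ipv6-site:    NEXTGENCOLLECTIVE
origin:       AS65055
tunnel:       IPv6 in IPv4 wireless.cs.twsu.edu -> parcr1.fr.ndsoftwarenet.net NDSOFTWARE BGP4+
contact:      AB12-6BONE
contact:      BP6-6BONE
mnt-by:       MNT-NEXTGENCOLLECTIVE

person:       Bryce PORTER
nic-hdl:      BP6-6BONE

person:       Abdul Basit
nic-hdl:      AB12-6BONE

mntner:       MNT-NEXTGENCOLLECTIVE
admin-c:      AB12-6BONE

ipv6-site:    FNIX6
origin:       AS25358
contact:      NDS1-6BONE
mnt-by:       MNT-NDSOFTWARE

ipv6-site:    NDSOFTWARE
origin:       AS25358
tunnel:       IPv6 in IPv4 parcr1.fr.ndsoftwarenet.net -> tunnel.example.net EXAMPLE-LEAF BGP4+
contact:      NDS1-6BONE
mnt-by:       MNT-NDSOFTWARE

mntner:       MNT-NDSOFTWARE
admin-c:      NDS1-6BONE
"""

ATTR_RE = re.compile(r"^([a-z0-9-]+):\s*(.*)$")
# tunnel: "<encap> <local endpoint> -> <remote endpoint> <remote site> <protocol>"
TUNNEL_RE = re.compile(r"->\s*(\S+)\s+(\S+)")


def parse_rpsl(text):
    """Split a whois-style dump into (class, attributes) pairs. Objects are
    blank-line separated, the first key names the class, and repeated keys
    such as contact: and tunnel: are kept as lists."""
    objects = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs, cls = defaultdict(list), None
        for line in block.splitlines():
            m = ATTR_RE.match(line)
            if not m:
                continue  # continuation or junk line; ignore
            key, value = m.group(1), m.group(2).strip()
            cls = cls or key
            attrs[key].append(value)
        if cls:
            objects.append((cls, dict(attrs)))
    return objects


def is_private_asn(asn):
    """True for the 16-bit private range 64512-65535 (RFC 1930)."""
    m = re.fullmatch(r"AS(\d+)", asn.strip(), re.IGNORECASE)
    return bool(m) and 64512 <= int(m.group(1)) <= 65535


def check_registry(text):
    """Return a sorted list of findings for every dangling reference."""
    sites, mntners, handles = {}, {}, set()
    for cls, attrs in parse_rpsl(text):
        if cls == "ipv6-site":
            sites[attrs["ipv6-site"][0]] = attrs
        elif cls == "mntner":
            mntners[attrs["mntner"][0]] = attrs
        elif cls in ("person", "role"):
            handles.update(attrs.get("nic-hdl", []))
    findings = []
    for name, site in sites.items():
        findings += [f"{name}: contact {h} has no person/role object"
                     for h in site.get("contact", []) if h not in handles]
        findings += [f"{name}: mnt-by {m} has no mntner object"
                     for m in site.get("mnt-by", []) if m not in mntners]
        findings += [f"{name}: origin {a} is a private/reserved ASN"
                     for a in site.get("origin", []) if is_private_asn(a)]
        for tunnel in site.get("tunnel", []):
            m = TUNNEL_RE.search(tunnel)
            if m and m.group(2) not in sites:
                findings.append(f"{name}: tunnel to {m.group(1)} names site "
                                f"{m.group(2)}, which has no ipv6-site object")
    for name, mnt in mntners.items():
        findings += [f"{name}: admin-c/tech-c {h} has no person/role object"
                     for h in mnt.get("admin-c", []) + mnt.get("tech-c", [])
                     if h not in handles]
    return sorted(findings)


if __name__ == "__main__":
    for finding in check_registry(SAMPLE_REGISTRY):
        print(finding)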