[6bone] private ASNs and the Default-Free-Zone

John Fraizer tvo@EnterZone.Net
Fri, 25 Oct 2002 11:26:10 -0400 (EDT)



On 25 Oct 2002, Nicolas DEFFAYET wrote:

> On Fri, 2002-10-25 at 12:15, John Fraizer wrote:
> 
> > This is not a problem:
> > 
> > ipv6-site:    COMPENDIUM-AR
> > origin:       AS45328
> > descr:        Compendium, Buenos Aires, AR
> > country:      AR
> > prefix:       3FFE:8260::/28
> 
> Do you think that it's normal to allocate a pTLA with an unallocated ASN?

Considering the age of that allocation, yes, I _do_ think it is normal.


> 
> > Beyond that, if you peer with someone who uses a private ASN, use the
> > following command (or equiv for your router) on the peering session:
> > 
> >  neighbor 3ffe:xxxx::xxxx remove-private-AS
> > 
> > If your router code doesn't support that command or one like it, might I
> > suggest that you UPGRADE? 
> 
> remove-private-AS will remove the private ASN in ASpath, not the route
> with private ASN...
> 
> Example:
> 
> 3ffe:ffff::/32
> 
> 1 2 3 65000
> 
> If AS3 uses remove-private-AS, other networks will get this:
> 
> 3ffe:ffff::/32
> 
> 1 2 3
> 
> AS3 is not the source of 3ffe:ffff::/32, the source is 65000

As far as those of us who operate in the DFZ are concerned, AS3 is the
source.

> => private ASN _MUST_ send their routes with the community no-export
> (like I do before)

Nicolas, the no-export on your prefixes is to prevent you breaking
aggregation in the DFZ.  If you had been announcing a pTLA or sTLA, the
route DOES belong in the DFZ.  Otherwise, it would be unreachable to a
large percentage of the v6 community.

> 
> Using this to not announce routes with private ASNs is better:
> 
> ip as-path access-list private-asn-out deny _(6451[2-9]|645[2-9][0-9]|64[6-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5])_
> ip as-path access-list private-asn-out permit .*

While I agree that private ASNs should be stripped, we don't want to block
the PREFIX.  It just needs to show up as sourced from the upstream that
*HAS* a real ASN.

We don't want to break connectivity.  We want to police what SOURCE ASNs
show up in the DFZ.  Private and unallocated ASNs should NOT show up in
the DFZ.


---
John Fraizer              | High-Security Datacenter Services |
President                 | Dedicated circuits 64k - 155M OC3 |
EnterZone, Inc            | Virtual, Dedicated, Colocation    |
http://www.enterzone.net/ | Network Consulting Services       |
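
The two export policies argued over in this thread, modelled side by side as an added example (not code from either poster or from any router vendor): stripping private ASNs keeps the prefix reachable with the upstream as apparent origin, while the as-path filter drops the route. The function names, the simplified stripping model, the approximation of the router regex delimiter `_`, and the 2001:db8::/32 route with AS64500 are assumptions constructed for illustration.

```python
import re

# 16-bit private ASN range covered by the regex quoted in the thread.
PRIVATE_LO, PRIVATE_HI = 64512, 65535

# The as-path regex from the thread. The router "_" delimiter is
# approximated here as start-of-string, end-of-string or whitespace.
THREAD_REGEX = (r"_(6451[2-9]|645[2-9][0-9]|64[6-9][0-9][0-9]|"
                r"65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5])_")
PRIVATE_RE = re.compile(THREAD_REGEX.replace("_", r"(?:^|\s|$)"))


def is_private(asn):
    return PRIVATE_LO <= asn <= PRIVATE_HI


def export_strip(local_as, received_path):
    """Simplified remove-private-AS: drop private ASNs, keep the route."""
    return [local_as] + [a for a in received_path if not is_private(a)]


def export_filter(local_as, received_path):
    """as-path access-list: suppress any route whose path has a private ASN."""
    if PRIVATE_RE.search(" ".join(str(a) for a in received_path)):
        return None  # route is not announced at all
    return [local_as] + list(received_path)


def dfz_origin_ok(path):
    """Policing check: the rightmost (origin) ASN must not be private."""
    return bool(path) and not is_private(path[-1])


def compare(local_as, routes):
    """Return {prefix: (path after strip, path after filter)}."""
    return {p: (export_strip(local_as, r), export_filter(local_as, r))
            for p, r in routes.items()}


# Constructed sample: what AS3 receives from its customers.
ROUTES = {
    "3ffe:ffff::/32": [65000],  # the thread's example, private origin
    "2001:db8::/32": [64500],   # constructed route, non-private origin
}

if __name__ == "__main__":
    for prefix, (stripped, filtered) in compare(3, ROUTES).items():
        print(prefix, "strip:", stripped, "filter:", filtered,
              "origin ok after strip:", dfz_origin_ok(stripped))
```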