[6bone] non-global address space for IXs (was: 2001:478:: as /48)

Jeroen Massar jeroen@unfix.org
Sat, 6 Sep 2003 14:32:23 +0200


-----BEGIN PGP SIGNED MESSAGE-----

Chris Liljenstolpe [mailto:cds@io.com] wrote:

> Greetings,
> 
>         Thanks, Jeroen.  That's not what I was specifically
> referring to, btw.
> I was referring to a proposal to make IX addresses non-globally
> routed, which I think is a bad idea.

Effectively the current 3 IX prefixes are non-globally routable.
But because many people don't filter _at all_,
you will find them running around in the wild.

Also see: http://www.ripe.net/ripe/docs/ipv6-policy-ixp.html#4

Check the "strict" filters which should be applied IMHO:
http://www.space.net/~gert/RIPE/ipv6-filters.html

As the EP.NET space is not a RIR IX prefix, but a privately held
one, they are not included there and will never be either.
The EP.NET actually has an advantage as they are allowed to
announce the /32 making the networks reachable. For the IX
prefixes this will never happen.
Unless ARIN marks it as an IX prefix too, but then it will have
the same effect that they can't announce the /32 ;)

But as the IX prefixes are only intended for peering exchanges
and not for services this all should not be a problem unless you
are at that IX, in which case you have a static route, not in BGP.
People should set up loopback interfaces anyways and use that
address for their routers, so that the IX prefix never appears
on the wire to the outside world.

Greets,
 Jeroen

> --It is whispered that on 2003-09-05 09:54 +0200, jeroen@unfix.org mumbled
> this regarding RE: [6bone] non-global address space for IXs (was: 2001:478:: as /48)
> 
> > -----BEGIN PGP SIGNED MESSAGE-----
> >
> > Chris Liljenstolpe wrote:
> >
> >> I have to disagree here.  Having globally routable address
> >> space for each hop on a network path is really, really useful for
> >> troubleshooting.  We've run into issues where folks have used private
> >> address space in the v4 world for "private" portions of the public
> >> Internet, and it makes troubleshooting and operational support very
> >> painful.  Please do not go down this road in v6.
> >
> > 2001:478::/32 is *NOT* an IX prefix. It's a normal TLA allocated
> > from ARIN to a LIR. If the "IX's" in that prefix want to be reachable
> > they should announce the /32 and handle all the AS4555 IPv6 traffic
> > themselves. The /32 is not and has never been present in the GRT.
> >
> > Also note that the 3 IX prefixes from the RIR's nicely note that
> > they are quite probably not globally reachable because they are /48's.
> > Also note that for those 3 IX prefixes the /32 will not be announced
> > and those will quite probably not be reachable because of the /48's.
> >
> > Note that some ISP's drop no-export's and thus simply do reannounce
> > prefixes coming from IX's. See my RIPE46 presentation and GRH.
> >
> > Of course anyone could announce a more specific. It's up to their
> > peers to filter or not.
> >
> > IMHO currently, at least filter anything /48 - /128 and </16.
> > Aka at least use Gert's "relaxed" filter:
> > http://www.space.net/~gert/RIPE/ipv6-filters.html
> >
> > If you are thinking forward then use the "strict" filter.
> >
> > Greets,
> >  Jeroen
> >
> >> > Date: Fri, 05 Sep 2003 00:34:43 +0900 (JST)
> >> > To: bmanning@ISI.EDU
> >> > Cc: 6bone@ISI.EDU
> >> > Subject: Re: [6bone] 2001:478:: as /48
> >> > From: Akira Kato <kato@wide.ad.jp>
> >> >
> >> >
> >> >> this prefix has/is being carved up into /48 and /64 subnets for
> >> >> use at exchange points and other infrastructure support services.
> >> >
> >> >> Do not expect to see it aggregated.
> >> >
> >> > I have a question: do we need to make such a prefix assigned to
> >> > an exchange point reachable globally?
> >> >
> >> > Provided if every ISP uses "next-hop-self" to their I-BGP peering, the
> >> > addresses on an IX is used only for E-BGP peering. What we lose if
> >> > nobody advertises the IX prefix globally (or even locally)?
> >> >
> >> > If the address is not globally reachable, it is impossible to send
> >> > packets to the routers on the IX and this will be a measure for the
> >> > remote DoS attack if not perfect.
> >> >
> >> > In order to make traceroute happy we may need to establish a DNS zone
> >> > for reverse lookup. But such a DNS server does not have to be on the
> >> > IX.
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: Unfix PGP for Outlook Alpha 13 Int.
> > Comment: Jeroen Massar / jeroen@unfix.org / http://unfix.org/~jeroen/
> >
> > 
> iQA/AwUBP1hBFSmqKFIzPnwjEQJS3ACglwf0bDfxBaMw8qiQZtd0C7kfcNgAni4Z
> > rxCrAjWROrtAZ93vkZOp5cns
> > =51ex
> > -----END PGP SIGNATURE-----
> >
> >
> 
> 
> 
> -- 
> Chris Liljenstolpe
> GPG Keys: http://www.io.com/~cds/cdl-keys.asc
> 

-----BEGIN PGP SIGNATURE-----
Version: Unfix PGP for Outlook Alpha 13 Int.
Comment: Jeroen Massar / jeroen@unfix.org / http://unfix.org/~jeroen/

iQA+AwUBP1nT1ymqKFIzPnwjEQL99wCYgsr0WRG5R5P1K71rqz55iCgctwCdGdYT
DZCSyLrWVDQh3qL96yd7+/Q=
=Lsje
-----END PGP SIGNATURE-----
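
The prefix-length rule quoted in the thread ("filter anything /48 - /128 and </16"), applied to a small routing table, together with the check for whether a dropped more-specific is still covered by an accepted aggregate such as the /32. This is an added example, not part of the mailing-list message and not the contents of the linked filter page; the function names and the sample announcements are constructed for illustration.

```python
import ipaddress

# Length bounds from the rule quoted in the thread:
# "filter anything /48 - /128 and </16" -> accept only /16 .. /47.
MIN_LEN, MAX_LEN = 16, 47

def check(prefix):
    """Return (accepted, reason) for one announced IPv6 prefix."""
    try:
        net = ipaddress.IPv6Network(prefix, strict=True)
    except ValueError as exc:  # IPv4, host bits set, bad length, ...
        return False, f"malformed: {exc}"
    if net.prefixlen < MIN_LEN:
        return False, "shorter than /16"
    if net.prefixlen > MAX_LEN:
        return False, "/48 or longer"
    return True, "accepted"

def apply_filter(announcements):
    """Split announcements into accepted networks and (prefix, reason) rejects."""
    accepted, rejected = [], []
    for prefix in announcements:
        ok, reason = check(prefix)
        if ok:
            accepted.append(ipaddress.IPv6Network(prefix))
        else:
            rejected.append((prefix, reason))
    return accepted, rejected

def covered(prefix, accepted):
    """True if a filtered prefix still sits inside an aggregate that passed."""
    try:
        net = ipaddress.IPv6Network(prefix, strict=False)
    except ValueError:
        return False
    return any(net.subnet_of(agg) for agg in accepted)

# Constructed sample table (not real routing data).
SAMPLE = ["2001:478::/32", "2001:478:1::/48", "2001:db8:100::/48",
          "2000::/3", "2001:478::1/128", "192.0.2.0/24"]

if __name__ == "__main__":
    accepted, rejected = apply_filter(SAMPLE)
    for prefix, reason in rejected:
        state = "covered by aggregate" if covered(prefix, accepted) else "unreachable"
        print(f"{prefix:22} drop ({reason}); {state}")
```

With the /32 in the table, the dropped /48 under it stays reachable through the aggregate; a /48 with no covering announcement does not, which is the situation the thread describes for the RIR IX prefixes.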