Re: Point 2 point IPs between ASes

2017-06-27 Thread Job Snijders
On Tue, 27 Jun 2017 at 22:29, Krunal Shah  wrote:

> Hello,
>
> What subnet mask are you people using for point to point IPs between two
> ASes? Especially with IPv6, we have a transit provider who wants us to use
> /64 which does not make sense for this purpose. Isn’t it recommended to use
> /127 as per RFC 6164 like /30 and /31 are common for IPv4.



Yes, "longer than /64" subnets are fine for point2point. If the equipment
on both sides supports RFC 6164 I'd use a /127, otherwise a /126.


> I was thinking, if someone is using RFC7404 for point to point IP between
> two ASes and establish BGP over link local addresses. This way you have
> your own IP space on your router and transit provider does not have to
> allocate IP space for point to point interface between two ASes. In
> traceroutes you would see only loopback IP address with GUA assigned from
> your allocated routable address space. Remotely DDoS to this link isn’t
> possible this way. Thoughts?


I wouldn't use link-local in context of Inter-Domain Routing. Too hard to
troubleshoot, many networks expect globally unique IP addresses for their
BGP neighbors, you want to be able to call a NOC and have the IPs function
as semaphore for the circuit ID.

What you could do is set aside a block which you blackhole or tarpit
through ingress ACLs, and use linknets from that "globally unusable ip
space". Some providers can offer you a router2router linknet from such
unreachable IP space so you don't have to set it apart.

Kind regards,

Job



Re: Point 2 point IPs between ASes

2017-06-27 Thread Niels Bakker

* ks...@primustel.ca (Krunal Shah) [Tue 27 Jun 2017, 22:28 CEST]:
> What subnet mask are you people using for point to point IPs between
> two ASes? Especially with IPv6, we have a transit provider who wants
> us to use /64 which does not make sense for this purpose. Isn’t it
> recommended to use /127 as per RFC 6164 like /30 and /31 are common
> for IPv4.


Whatever you want.


> I was thinking, if someone is using RFC7404 for point to point IP
> between two ASes and establish BGP over link local addresses. This
> way you have your own IP space on your router and transit provider
> does not have to allocate IP space for point to point interface
> between two ASes. In traceroutes you would see only loopback IP
> address with GUA assigned from your allocated routable address
> space. Remotely DDoS to this link isn’t possible this way. Thoughts?


If you can protect the loopback IP from DDoS you can equally protect 
linknet IPs.



-- Niels.


Point 2 point IPs between ASes

2017-06-27 Thread Krunal Shah
Hello,

What subnet mask are you people using for point to point IPs between two ASes?
Especially with IPv6, we have a transit provider who wants us to use /64 which
does not make sense for this purpose. Isn’t it recommended to use /127 as per
RFC 6164 like /30 and /31 are common for IPv4.

I was thinking, if someone is using RFC7404 for point to point IP between two 
ASes and establish BGP over link local addresses. This way you have your own IP 
space on your router and transit provider does not have to allocate IP space 
for point to point interface between two ASes. In traceroutes you would see 
only loopback IP address with GUA assigned from your allocated routable address 
space. Remotely DDoS to this link isn’t possible this way. Thoughts?








Krunal Shah
Network Analyst, IP & Transport Network Engineering
O: 416-855-1805
ks...@primustel.ca







someone at chef.io ?

2017-06-27 Thread Jim Mercer
hi,

can someone from chef.io reach out to me?

seems we got blocked for downloads somehow.

--jim

-- 
Jim Mercer  Reptilian Research  j...@reptiles.org  +1 416 410-5633

Life should not be a journey to the grave with the intention of
arriving safely in a pretty and well preserved body, but rather
to skid in broadside in a cloud of smoke, thoroughly used up,
totally worn out, and loudly proclaiming "Wow! What a Ride!"
 -- Hunter S. Thompson


Re: Long AS Path

2017-06-27 Thread Jakob Heitz (jheitz)
The reason that a private ASN in the public routing table is an error is that 
the AS Path is used to prevent loops. You may have private AS 65000 in your 
organization and I may have another private AS 65000 in my organization. If my 
ASN 65000 is in the AS path of a route sent to you, then your AS 65000 will 
drop it, thinking it were looping back.

BTW, this is different from a confederation member AS.

Thanks,
Jakob.


> Date: Mon, 26 Jun 2017 16:27:39 +
> From: Mel Beckman 
> To: Michael Hare 
> Cc: Hunter Fuller, James Bensley, "nanog@nanog.org"
> Subject: Re: Long AS Path
> Message-ID: <5cc4ba8e-8fbf-4ad4-835d-2c06265ce...@beckman.org>
> Content-Type: text/plain; charset="us-ascii"
> 
> Michael,
> 
> Filtering private ASNs is actually part of the standard. It's intrinsic in 
> the term "private ASN". A private ASN in the public routing table is a clear 
> error, so filtering them is reasonable. Long AS paths are not a clear error.'
> 
> I'm surprised nobody here who complains about long paths is has followed my 
> suggestion: call the ASN operator and ask them why they do it, and report the 
> results here. 
> 
> Until somebody does that, I don't see long path filtering as morally 
> defensible :)
> 
> -mel beckman
> 
>> On Jun 26, 2017, at 8:09 AM, Michael Hare  wrote:
>> 
>> Couldn't one make the same argument with respect to filtering private ASNs 
>> from the global table?  Unlike filtering of RFC1918 and the like a private 
>> ASN in the path isn't likely to leak RFC1918 like traffic, yet I believe 
>> several major ISPs have done just that.  This topic was discussed ~1 year 
>> ago on NANOG.
>> 
>> I do filter private ASNs but have not yet filtered long AS paths.  Before I 
>> did it I had to contact a major CDN because I would have dropped their 
>> route, in the end costing me money (choosing transit vs peering).
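
The AS_PATH loop check Jakob Heitz describes at the top of this message, next to the private-ASN edge filter discussed in the quoted replies, as an added Python example that is not part of the thread. The routes, prefixes and public ASNs are constructed from documentation ranges, the private ranges are those of RFC 6996, and the function names are hypothetical.

```python
# Added illustration: how a leaked private ASN interacts with BGP loop detection.
# All routes and ASNs below are constructed sample data.

# Private-use ASN ranges (RFC 6996): 16-bit and 32-bit blocks.
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))


def is_private_asn(asn):
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def private_asns_in_path(as_path):
    """Private ASNs found in the path, in order of first appearance."""
    found = []
    for asn in as_path:
        if is_private_asn(asn) and asn not in found:
            found.append(asn)
    return found


def accept_route(local_asn, as_path, filter_private=False):
    """Return (accepted, reason) for a route received over eBGP."""
    # Loop prevention: a router drops any route whose AS_PATH already
    # contains its own ASN, whoever actually put that number there.
    if local_asn in as_path:
        return False, "loop: local AS %d already in AS_PATH" % local_asn
    # Optional edge policy: reject paths that carry any private ASN.
    if filter_private:
        leaked = private_asns_in_path(as_path)
        if leaked:
            return False, "private ASN in path: %s" % leaked
    return True, "accepted"


def reachable_prefixes(local_asn, routes, filter_private=False):
    """Prefixes that survive the checks for a router in local_asn."""
    return sorted(prefix for prefix, path in routes.items()
                  if accept_route(local_asn, path, filter_private)[0])


# Constructed routes: prefix -> AS_PATH as received (nearest AS first).
ROUTES = {
    "2001:db8:1::/48": [64496, 64497],         # clean path
    "2001:db8:2::/48": [64496, 65000, 64499],  # another org's AS 65000 leaked
    "2001:db8:3::/48": [64496, 64512],         # private origin AS leaked
}

if __name__ == "__main__":
    for asn in (65000, 64500):
        for prefix, path in ROUTES.items():
            print(asn, prefix, path, accept_route(asn, path, filter_private=True))
```

A router inside an organization that itself uses AS 65000 silently loses `2001:db8:2::/48` even with no filter configured, which is the failure mode that makes the leak an error rather than a cosmetic issue.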