-----BEGIN PGP SIGNED MESSAGE-----
Gert Doering [mailto:gert(_at_)space(_dot_)net] wrote:
On Mon, Dec 08, 2003 at 10:01:53PM +0100, Jeroen Massar wrote:
There are currently quite some ISP's who filter anything >/35.
Generally ISP's should be filtering on allocation boundaries.
Thus if a certain prefix is allocated as a /32, they should not
be accepting anything smaller (/33, /34 etc)
There is no commonly agreed-upon best practice for this yet.
Some ISP's do it, most don't.
Btw CH-SUNRISE-20031124 = 2001:1700::/27, so Libertel isn't the
biggest girl on the block anymore with their /31 :)
We do *not* suppress more-specifics from those address blocks, as we
think it's a legitimate wish for certain networks to be multihomed,
and currently there is no other solution than to go for the pragmatic
approach, and just announce a /40 or even /48.
I agree that things that are more specific than a /48 should not be
out there.
Indeed. And yes there are ISP's announcing /128's etc.
And private ASN's for that matter or even using them as transit.
<SNIP>
As you cite my page, you will also know that it does not make a specific
recommendation on the subject of "filtering things between /35 and /48"...
Yups and I fully support that argument.
If it was done we would currently see 413 prefixes, those are the
'allocated' prefixes that are getting announced.
In GRH each of the ~30 peers have an average of 459 prefixes.
Checking just know, the highest number of prefixes send to GRH
was 515 prefixes, which is far from the 20k or even 30k if all
the ASN's would announce 1 IPv6 prefix.
At the moment that is certainly no problem and it shouldn't be
for years to come, unless IPv6 really takes off. Google/Doom3 IPv6 anyone?
The biggest advantage that IPv6 already has is that a single
ISP already gets enough space, thus it doesn't need to
Iljitsch van Beijnum [mailto:iljitsch(_at_)muada(_dot_)com] wrote:
On 8-dec-03, at 22:01, Jeroen Massar wrote:
There are currently quite some ISP's who filter anything >/35.
Generally ISP's should be filtering on allocation boundaries.
Thus if a certain prefix is allocated as a /32, they should not
be accepting anything smaller (/33, /34 etc)
So how are ISPs supposed to know what the allocation size for a
particular prefix is? This type of filtering only works if the filter
list is relatively short and pretty much never changes. Anything else
and the cure is worse than the disease.
The proposed "Redistribution of Cooperative Filtering Information" draft
could help out there which allows one to redistribute 'good prefix' lists.
See https://www1.ietf.org/mail-archive/working-groups/idr/current/msg00201.html
for the draft or http://arneill-py.sacramento.ca.us/redisfilter.ppt for
the presentation given in Minneapolis.
Without that or a similar system, it would be a pain indeed.
That's why I pointed to Gert's page which has a better and
currently working solution.
<SNIP>
Currently the !3! IX blocks (2001:7f8::/32 + 2001:504::/32 +
2001:7fa::/32)
are seen being announced in pieces too. Maybe these IX blocks, which
are common already could be used for assigning 'critical infra' from?
Note that announcing the actual prefix for an internet exchange subnet
tickles an undesirable BGP feature in places where the prefix isn't
filtered, so these prefixes are best not announced.
As far as I can see with the GRH tools etc, all the prefixes
that are allocated as "IX Prefixes" and those that are in use
are currently visible worldwide.
The allocations seem to be /48s and not /64s though, so in
practice this shouldn't be a problem but still no reason why
these should be globally visible.
The only reason I heared so far is so that people in Tokio can
ping the IX interface in London or a similar kind of scenario.
They argue that it is handy for debugging. My take is that if
it isn't your network, you can't fix it either, so if a traceroute
ends on that box, contact them, they can really figure it out.
Root nameservers are a very different story of course...
A /32 contains 65k /48's, so these IX blocks could provide for
enough /48's for 65k IX's, thus unless that switch at the back
of my desk, which connects 'neighbours' too is to be called an
IX, because they have a linux router and me too and they speak
BGP is going to be called an IX it shouldn't be a problem if
the same block is used for 26? and maybe 3 tld servers per country.
At least everybody will know that that /32 will have more specifics.
Greets,
Jeroen
-----BEGIN PGP SIGNATURE-----
Version: Unfix PGP for Outlook Alpha 13 Int.
Comment: Jeroen Massar / jeroen(_at_)unfix(_dot_)org / http://unfix.org/~jeroen/
iQA/AwUBP9UHMymqKFIzPnwjEQLiLwCgta1mOkrixvXcZD8mTLheePv9ERYAn3GK
Rt2Hp+dk8HVBDuFaub0lf6Rt
=OqJO
-----END PGP SIGNATURE-----