- ipv6-wg - mailman.ripe.net

RE: Getting addresses
by Michel Py 12 May '02

12 May '02

> This is very I advocate separate, "earmarked" blocks for > dialup/DSL/whatever, if it is done in such a big scale that /48 > for organization or /32 for an ISP would not be enough. > If you just give out an /32 which should be used for everything, > I think the problem is more serious. One can not know beforehand > how big a block of that /32 must be reserved to dialup/DSL/whatever. > And after it is reserved, what if there is a need to expand? These > things do happen within a time span of 2-3 years. This is where HD > ratio is useful. I have not seen many universities growing their number of students that fast, but any there is a word to address this: PLANNING. If one evaluates that they would need more than a /32 in three years and don't have the 7,100 sites now, there is legitimate reason to ask why they think they need more a /32. I don't have a problem with that figure of 7,100 except that I would have placed the bar a little higher. As far as having multiple blocks, I personally prefer having only one. Michel.

1 0

RE: Getting addresses
by Michel Py 12 May '02

12 May '02

> Gert Doering wrote: As a side note: nothing prevents you from > making better usage of a /32 - 7100 users is the minimum value > you have to document to get a bigger block. > Depending on the way the internal network hierarchy works (if > it has few levels, and all entities at one level are similarily > sized) it is perfectly allowed to utilize 20.000 /48s or more :-) > - it all depends on your network structure. Pekka, I don't know how you came with these figures but Gert is absolutely right. The HD of a dial pool or tunnel pool depends on two things: 1. The HD of the hardware itself, as there are some strong operational incentives to allocate a block per device, such as allocating a block of 256 sites to an access server that has only 192 modems. 2. The network structure. For a dial pool that size, there is absolutely no need for more than one level of aggregation (that would be the pop level). The device with the worst HD I have used is Cisco AS5400, it has 648 modems and it is temping to allocate a block of 1,024 sites to it. That device itself has a HD of 0.934. Then you have the pop aggregate. In a single pop, the worst you can have is 33 of these boxes. This is 21384 sites on a /32, which is a HD of 0.899. On a 3-pop setup, the worst you would have 9 boxes per pop, which still is 17,496 sites and a HD of 0.881. This is the absolute worst case scenario. The bottom line is that a typically organized /32 dial pool has up to 40k sites. Michel.

2 1

Getting addresses
by Peter B . Juul 11 May '02

11 May '02

Hi! The danish research network is part of the native IPv6 project 6net. We've tried for some months to get some IPv6 addresses assigned for this, but the active guidelines - specifically the demand for three peers in the default-free zone, a demand that can't be met for political and economical reasons - made this impossible. I gathered that changes were a-coming and RIPE-42 might be a turning point in this. However, I was unable to attend, so I'd like to hear if any consensus was achieved in this? Peter B. Juul, Uniï¿½C (PBJ255-RIPE)

10 28

RE: Multi homed IPv6 (was: Re: Regarding IPv6 prefix filtering)
by Michel Py 11 May '02

11 May '02

> Arien Vijn wrote: > Sorry for the late reply. No need to apologize. > Layer 2/switch software issues kept my attention all week. You mean you had to _work_ ? That's terrible. > All right. But what about these VLANs then? Do you mean that VLANs have > to be defined on both sites of this router/firewall? That's the way I would do it. > Why do you think we need VLANs anyway? Why not just configure n > addresses in the same VLAN? For security issues. Having 90 different prefixes on the same VLAN does not sound good to me anyway. > - VLANs must be defined an must not conflict with those of other > members. Many members do have switches them selves in-between the > IX infrastructure and their border routers. This is not mandatory. In the study case, RIPE-NCC needs to connect to each AMS-IX participant. Let's say that RIPE-NCC has a router in front of the DNS server, that router connects to AMS-IX fabric via a trunk (Cisco's term would be routing on a stick). That router, on the RIPE side, connects to RIPE's switch fabric. - Vlan 277 on one side of the RIPE router can be vlan 377 on the other side. In that kind of setup, you have strict policy routing between the router subinterfaces anyway, so there can be a conversion matrix. - The connection between AMS-IX' fabric and a participant does not need to be a trunk. If the port is an ordinary one that belongs to only one vlan, there is nothing wrong in having two different VLAN numbers. > - VLANs must be configured correctly in multiple places by > multiple parties. You do use something like VTP domains, don't you? > - Administer all these subnets and then hoping peers will route > it correctly. The peers' issue, not AMS-IX. > Suppose we can deal with this. Then it *might* work for UDP but what > about TCP sessions? Failover is a MH requirement too. Failover is a requirement of _real_ multihoming, which is available next year not today. > Is this worth the manpower? > In other words it is too much of a hassle for a solution which, might > be working (but not all the time). Your decision, not mine. > Advertising /48 is unsatisfactory from an aggregation point of view. > But it is the only working MH "solution" at the moment. I actually have less of a problem with the new policy that basically gives an allocation to anyone that wants one. It is a collective hypocrisy that is nothing less than recreating the pre-CIDR swamp. Nevertheless from a design standpoint it is preferable than punching holes in PA. > Our neutrality at least makes us reluctant to use provider space anyway. Find a reason to allocate 200x /48s to foreign entities and get a /32 by the new policy. The only problem with that is that you would appear as the fireman that puts gas on the fire. > I would very much like to see a working and scalable solution. It > would solve one of the main IPv6 issues for neutral, in-depended > entities, which just do not fit the customer-ISP-upstream model. You are encouraged to comment on what we have in the pipe. Michel.

1 0

RE: Getting addresses
by Michel Py 11 May '02

11 May '02

David, >> Michel Py wrote: >> There is no such thing as a default-free zone for IPv6 anyway. Not in >> the v4 sense, and there is no definition for IPv6 DFZ. I presented this >> at the 6bone meeting in Minneapolis, might want to have a look at it. >> http://arneill-py.sacramento.ca.us/ipv6mh/ietf53.ppt > David Kessens Wrote: > You can present whatever you want, but I don't have a 'default > route' that points to any of my ipv6 peers. Me neither, but it does not make me nor you part of the DFZ. This is called a defaultless setup. Unless there is a document that gives a definition of "DFZ" specific to IPv6 (I am not aware of it, please point me to it) this is the way it works in v4: - The DFZ and the DFZ's routing table are two different things. The DFZ's routing table expands outside the DFZ itself. - There is no relation in running a defaultless setup and being part of the DFZ. A defaultless setup does get the DFZ's routing table, though. - There is no relation in having a global prefix and being part of the DFZ either. What is the DFZ: It is where tier-1s peer together. In other words, in order to be part of a DFZ, you need to be a tier-1, which means you do not get transit from anybody. If you are a multihomed tier-2, you might run defaultless but you can always dump the traffic on one of your tier-1 transit providers (after all that's why you are paying them); a floating static default route might be useful for tier-2s in case of routing snafus. One of the requirements of the DFZ is that all tier-1s must be fully meshed. Since they do not have transit, they need to know all the routes, and since they announce only their own routes to other tier-1 peers, they get only the connected peer's own routes as well, which means they need to be fully meshed. As of today, the situation we have in IPv6 is that everyone peers nicely together without much filtering, resulting in people actually providing transit to their peers, which exists very little in v4. In v4, the only routes you advertise to your peers are your own, not in v6 today. So, it can be one of three things: 1. There is a specification of "DFZ" specific to IPv6 (I am not aware of it, please send link). 2. The Big Eight have actually completed their full v6 mesh (I am not aware of this, did I miss something?). 3. There is not such thing as an IPv6 DFZ. Michel.

1 0

RE: Regarding IPv6 prefix filtering
by Michel Py 10 May '02

10 May '02

Arien, > Arien Vijn wrote: > This is how I understand your proposed setup: > - Connect this DNS server directly to the L2 IXP infrastructure > via an 802.1q NIC. > - Configure n VLANs on it - one for each peer. > - In each VLAN, the server answers DNS queries on a different > /64 address. > - Each of these /64 belongs to the aggregate of the respective peers. > Is this an accurate description? You got it. I think that behind a router or firewall instead of directly on the L2 fabric would be better, though. >> Where is your problem? > Well, *if* my understanding is correct. Then I do see a number of issues. A number of them, indeed. And half of them, to be resolved, might require major annoyances including but not limited to: extra hardware, tedious or dirty configuration, hacks, and longs evenings swearing at debugging the darn thing. But none that can't be solved, AFAIK; can you be more specific please? I am not saying this a good configuration as there is none today. I'm not even saying this is the best (or the less worst) that would solve your problem short term. The points I am trying to make are: 1. You want to do multihoming without a multihoming protocol. - It can't be a free lunch. - If you want to do it today anyway, what you have is described above and some other methods equally un-satisfactory. 2. Whatever you do over PA is unlikely to be mergeable with any future multihoming solution including short-term ones. Do not build a multihomed infrastructure on PA, it is not going anywhere. In other words: I'm afraid that whatever you can do today is quick and dirty. Try to make it easier on the community and yourself to clean up later. Local messes are easier to clean than global messes. There is no way nobody has found yet that you will get the multihoming solution both RIPE-NCC and AMS-IX need without an allocation. A PA allocation is not a long-term solution. Every multihoming solution that I have seen requires a clean PA space. Every shot someone takes at PA aggregation diminishes the viability of a good multihoming solution. Don't play with that too much or the only multihoming solution you might ever get is a PI swamp. I short: PA is not what you need in the long run. If you don't want to end up in the PI swamp, don't make my job impossible in delivering the local /48 allocation you need. Michel.

2 1

Re: Getting addresses
by Wilfried Woeber, UniVie/ACOnet 10 May '02

10 May '02

Dear Philip, thanks for circulating the URL! >The document containing the revised allocation and assignment policy: > > IPv6 Address Allocation and Assignment Global Policy > ftp://ftp.cs.duke.edu/pub/narten/ietf/global-ipv6-assign-2002-04-25.txt > >was discussed (in the LIR WG meeting) and consensus was achieved within the >RIPE community (joining consensus achieved in APNIC's and ARIN's >communities).... > >I suspect the doc will answer your question. > >philip >-- Dear Peter, may I suggest that we discuss your situation off-line? I definitely don't want to stop any discussion on a list, but I don't see a point in re-opening the discussion *right now* and *right here* for your situation. Unless my background is wrong (and you are actually trying to achieve something else) I'm pretty sure that we can find a *proper* way now with this new policy to supply you with IPv6 addresses (for 6NET). I would expect that either the Danish NREN and/or NORDUnet would be involved in one way or another. Regards, Wilfried.

1 0

RE: Getting addresses
by Michel Py 10 May '02

10 May '02

> Peter B. Juul wrote > but the active guidelines - specifically the demand for three peers > in the default-free zone, a demand that can't be met for political > and economical reasons - made this impossible. There is no such thing as a default-free zone for IPv6 anyway. Not in the v4 sense, and there is no definition for IPv6 DFZ. I presented this at the 6bone meeting in Minneapolis, might want to have a look at it. http://arneill-py.sacramento.ca.us/ipv6mh/ietf53.ppt > Francis Dupont wrote > => sub-TLAs are for ISPs, not for NRENs. The solution for a NREN > is either to disguise itself as an ISP, Which is really easy to do. When you look at the requirements, you can even meet the 200 /48s assigned to end-users quickly, just get all your local linux chapter buddies and some of your co-workers and students and voila, you have 200 users and now you are an ISP. As far as I know, there is no requirement for the links to be native v6, so tunnels would work fine. Gee, you don't have to be a NREN, you can even get that for your home. </sarcasm> > or to join the 6bone. Or both. There are some experiments that you could run over 6bone address space and don't want your "production" v6 network to be affected. Michel.

2 1

RE: Regarding IPv6 prefix filtering
by Michel Py 05 May '02

05 May '02

Sorry about the bad English; you should have read: I short: PA is not what you need in the long run. If you don't want to end up in the PI swamp, don't make my job impossible if you want me to deliver the local /48 allocation you need. Michel.

1 0

RE: Regarding IPv6 prefix filtering
by Michel Py 05 May '02

05 May '02

>>> neither are "use a /48 from each of the upstreams" >> Why not? All of the upstreams is probably overkill, but from three or >> four big ones? > For optimum routing, and neutrality, at least in the case of the > RIPE NCC (and maybe some of the IXes service networks), you want > all upstreams (90) to reach their network directly, not going over > other peers. So you either take 90 /48s, or take one, and announce > that to all the peers/ upstreams (which is mostly the same in these > situations). Note that we are not talking about 90 /48s here, but 90 /64s, one from each of the peers. So, you connect your DNS server with an 802.1Q compliant NIC, two-thirds of these 90 VLANS already exist in the exchange's L2 fabric. Where is your problem? > I can very well imagine a scenario where ISPs are willing to > accept more-specifics *in their own (RIR) region*, and filtering > out those from other regions. Except for global players (that > can't say "this is my region" because they're present everywhere) > this would result in near-perfect connectivity to all networks, > while not being forced to take all the crap. Gert, What you describe is a geographically based prefix filtering system. This does _not_ belong into PA space. It belongs to geographically aggregatable space, which like its name implies will be not only filtered based on geographical criteria but also aggregated. We have a project in ipv6mh called "geo for now" which is similar to what you describe and that we think is the short-term answer you and others are seeking. Aggregation of PA can _not_ be broke. Please allocate the resources of your brain into getting the solution out instead of futile attempts. Michel.

2 1