Re: [members-discuss] An ISP offers to announce our prefix. Is that normal?

Hi Matthias,
But that's the point, we can and would prefer to maintain our own gear. I just find it curious that the provider states that in this case we would get no L3 SLA.
And regarding "someone else announces our prefix": I just never heard of it that this is common. That's why I'm asking.
With this provider, or at this location we have not yet BGP in place.
To recap: Announcing "someone else" prefix is OK, and the ROA can be signed. As I have not seen this in the RPKI FAQ: can I also sign i.e. the aggregate ROA prefix, one time from our ASN and one time from the provider's ASN? And things are still valid?
In this case I would not see a reason not to do it that way.
Bernd
On 12.11.19 12:50, Matthias Brumm | tkrz Stadtwerke GmbH wrote:
Hi!
We have done similar things, if the customer does not want to maintain his own router or has no knowledge in this. Could you please explain, why there is such a problem? If you have an ASN and there are BGP sessions in place, announcing your prefix, you just change one session for the other.
Regards, Kind regards,
Hi,
I have a question about the validity of an option provided by our ISP.
Back story: We will move one of your office uplinks in Germany next year to another provider. They offered us various options for how it could be implemented. In my personal opinion one option sounds technically crazier than the other, even though it is "enterprise".
The management involved raised concern when the ISP noticed that if we wanna use "just BGP" we will lose any SLA for L3 services. Without doubt I see management's point, but now it comes:
Then the ISP offered us to announce _our_ prefix for us, from their ASN, and here I lost trust, and stopped the planning for now to get either confirmation or another red flag.
- Is this even "allowed" or recommended by RIPE policies or BCPs?
- Wouldn't that at least look like a BGP hijacking (attempt)? Because I have not seen / read about that implementation anywhere...
- Just in case this is ok-ish, how would I set up the ROA with RPKI so that it would become valid?
Another but related question: Regarding the "No SLA" thing: Could someone point me on how other ISPs handle this or what would be "industrial standard". I highly doubt the reasoning, that just because the customer is using his own gear that the ISP will get away with any disturbance of their service...
Naive me thought that it would be like in your data center installations: You get transit v4 and v6 networks from the provider, configure BGP and are done. Yes, this does not prevent a customer from misconfiguring things, but in this case we would just get a default route and announce one or more prefixes. I hardly see any pitfalls here.
Thanks in advance and for your time, Best, Bernd

Hi Bernd,
It can be done indeed, you need to create a proper route object for your prefix originated from their ASN, that is then signed for RPKI. To do so you need to have the proper auth from both the route maintainer and AS maintainer in the db.
As far as L3 SLA, I never heard of doing BGP causing an SLA problem, can you ask them why is that? If that would be true, nobody would do IP transit anymore ;)
Daniel
--
Daniel Ponticello
Technical Director and CEO
REDDER Telco
T: 0444 1783651 | F: 0444 1783652 | daniel.ponticello@redder.it
www.redder.it
On 12/11/2019 13:01, Bernd Naumann wrote:
Hi Matthias,
But that's the point, we can and would prefer to maintain our own gear. I just find it curious that the provider states that in this case we would get no L3 SLA.
And regarding "someone else announces our prefix": I just never heard of it that this is common. That's why I'm asking.
With this provider, or at this location we have not yet BGP in place.
To recap: Announcing "someone else" prefix is OK, and the ROA can be signed. As I have not seen this in the RPKI FAQ: can I also sign i.e. the aggregate ROA prefix, one time from our ASN and one time from the provider's ASN? And things are still valid?
In this case I would not see a reason not to do it that way.
Bernd
On 12.11.19 12:50, Matthias Brumm | tkrz Stadtwerke GmbH wrote:
Hi!
We have done similar things, if the customer does not want to maintain his own router or has no knowledge in this. Could you please explain, why there is such a problem? If you have an ASN and there are BGP sessions in place, announcing your prefix, you just change one session for the other.
Regards, Kind regards,
Hi,
I have a question about the validity of an option provided by our ISP.
Back story: We will move one of your office uplinks in Germany next year to another provider. They offered us various options for how it could be implemented. In my personal opinion one option sounds technically crazier than the other, even though it is "enterprise".
The management involved raised concern when the ISP noticed that if we wanna use "just BGP" we will lose any SLA for L3 services. Without doubt I see management's point, but now it comes:
Then the ISP offered us to announce _our_ prefix for us, from their ASN, and here I lost trust, and stopped the planning for now to get either confirmation or another red flag.
- Is this even "allowed" or recommended by RIPE policies or BCPs?
- Wouldn't that at least look like a BGP hijacking (attempt)? Because I have not seen / read about that implementation anywhere...
- Just in case this is ok-ish, how would I set up the ROA with RPKI so that it would become valid?
Another but related question: Regarding the "No SLA" thing: Could someone point me on how other ISPs handle this or what would be "industrial standard". I highly doubt the reasoning, that just because the customer is using his own gear that the ISP will get away with any disturbance of their service...
Naive me thought that it would be like in your data center installations: You get transit v4 and v6 networks from the provider, configure BGP and are done. Yes, this does not prevent a customer from misconfiguring things, but in this case we would just get a default route and announce one or more prefixes. I hardly see any pitfalls here.
Thanks in advance and for your time, Best, Bernd
_______________________________________________ members-discuss mailing list members-discuss@ripe.net https://lists.ripe.net/mailman/listinfo/members-discuss Unsubscribe: https://lists.ripe.net/mailman/options/members-discuss/daniel.ponticello%40r...
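Bernd's question about signing the same prefix once for his own ASN and once for the provider's ASN can be checked against the origin-validation rule of RFC 6811, where a route is valid as soon as one covering ROA matches its origin AS and prefix length. The following is an added example, not part of the original thread; the prefix and AS numbers are documentation values chosen for illustration.

```python
import ipaddress
from typing import List, NamedTuple, Optional

class VRP(NamedTuple):
    """One validated ROA payload: prefix, maxLength and authorised origin AS."""
    prefix: object      # ipaddress.IPv4Network or IPv6Network
    max_length: int
    asn: int

def vrp(prefix: str, asn: int, max_length: Optional[int] = None) -> VRP:
    net = ipaddress.ip_network(prefix)
    # Without an explicit maxLength, only the exact prefix length is authorised.
    return VRP(net, net.prefixlen if max_length is None else max_length, asn)

def validate(route: str, origin_asn: int, vrps: List[VRP]) -> str:
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(route)
    covering = [v for v in vrps
                if v.prefix.version == net.version and net.subnet_of(v.prefix)]
    if not covering:
        return "not-found"          # no ROA covers this route at all
    for v in covering:
        if v.asn == origin_asn and net.prefixlen <= v.max_length:
            return "valid"          # one matching ROA is enough
    return "invalid"                # covered, but no ROA authorises this origin

# Constructed sample data: documentation prefix and documentation AS numbers.
CUSTOMER_AS, PROVIDER_AS, OTHER_AS = 64496, 64500, 64511
PREFIX = "198.51.100.0/24"
ONLY_CUSTOMER = [vrp(PREFIX, CUSTOMER_AS)]
BOTH = ONLY_CUSTOMER + [vrp(PREFIX, PROVIDER_AS)]

def scenarios() -> dict:
    return {
        "customer origin, both ROAs": validate(PREFIX, CUSTOMER_AS, BOTH),
        "provider origin, both ROAs": validate(PREFIX, PROVIDER_AS, BOTH),
        "provider origin, customer ROA only": validate(PREFIX, PROVIDER_AS, ONLY_CUSTOMER),
        "third-party origin, both ROAs": validate(PREFIX, OTHER_AS, BOTH),
        "provider announces a /25": validate("198.51.100.0/25", PROVIDER_AS, BOTH),
        "prefix without any ROA": validate("192.0.2.0/24", CUSTOMER_AS, BOTH),
    }

if __name__ == "__main__":
    for name, state in scenarios().items():
        print(f"{state:10} {name}")
```

The "customer ROA only" case shows why the ROA for the provider's ASN has to be published before the provider starts announcing the prefix.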

Hi,
On Tue, Nov 12, 2019 at 01:19:05PM +0100, Daniel Ponticello wrote:
As far as L3 SLA, I never heard of doing BGP causing an SLA problem, can you ask them why is that? If that would be true, nobody would do IP transit anymore ;)
It depends a bit on the specific wording and the definition of "S"ervice that you have SLAs on.
If one of our customers runs their own BGP with their own BGP policies and a second BGP uplink, and then complains to us "we cannot reach someone else in the Internet?", and I *can* reach this prefix, debugging this is much harder than "it does not work from our AS" - because there's another ISP involved, some unknown-to-us BGP config, it might be route flap dampening triggered "somewhere".
So, of course we help our customer troubleshoot this, and usually we can get it fixed.
Can I give a SLA on something I do not fully control? No...
Now, if you give a L3 SLA on "can reach ISP network" and "ISP network can reach the world", this is easy, but not helping the end customer who expects "can reach the whole Internet"... but, given that they can easily mess up their own BGP setup ("set community $no-export-to-foo"), nobody can put hard guarantees on that.
Gert Doering -- NetMaster
--
have you enabled IPv6 on something today...?
SpaceNet AG, Joseph-Dollinger-Bogen 14, D-80807 Muenchen
Tel: +49 (0)89/32356-444
Management board: Sebastian v. Bomhard, Michael Emmer
Supervisory board chair: A. Grundner-Culemann
HRB: 136055 (AG Muenchen)
VAT ID: DE813185279

Hi,
I see your point and I agree. In the end it is just a matter of setting the boundaries of up to where the responsibility of the ISP is limited to, like with any other service.
WBR, Daniel
On 12/11/2019 17:24, Gert Doering wrote:
Hi,
On Tue, Nov 12, 2019 at 01:19:05PM +0100, Daniel Ponticello wrote:
As far as L3 SLA, I never heard of doing BGP causing an SLA problem, can you ask them why is that? If that would be true, nobody would do IP transit anymore ;)
It depends a bit on the specific wording and the definition of "S"ervice that you have SLAs on.
If one of our customers runs their own BGP with their own BGP policies and a second BGP uplink, and then complains to us "we cannot reach someone else in the Internet?", and I *can* reach this prefix, debugging this is much harder than "it does not work from our AS" - because there's another ISP involved, some unknown-to-us BGP config, it might be route flap dampening triggered "somewhere".
So, of course we help our customer troubleshoot this, and usually we can get it fixed.
Can I give a SLA on something I do not fully control? No...
Now, if you give a L3 SLA on "can reach ISP network" and "ISP network can reach the world", this is easy, but not helping the end customer who expects "can reach the whole Internet"... but, given that they can easily mess up their own BGP setup ("set community $no-export-to-foo"), nobody can put hard guarantees on that.
Gert Doering -- NetMaster
participants (3)
- Bernd Naumann
- Daniel Ponticello
- Gert Doering