Routing parts of another LIR's PA block
Hi, We have the usual case of a customer asking us to route a /24 out of somebody else's PA block, which I was about to send back to the customer (or at least have him ask for authorization from the "owner" of that range to have it routed as a more specific), but I wanted to give our support people the right RIPE document that says we're not allowed to do that, and I didn't find it... The docs I found (mainly ripe-185) talk about the assignment of the address space, but do not talk about the routing of such blocks. So, is there really a document saying so, or is a customer allowed to ask that as long as he keeps a contractual relationship with the other ISP that allows him to keep the address space? Any pointers welcome. Thanks, Jacques. --- Jacques Caron PSINetworks Europe Network Engineer PSINet Europe Regional Peering Coordinator Mail: Rue Friz-Courvoisier 103 - CH-2100 La Chaux-de-Fonds Phone: +41 32 967 5418
Jacques,
We have the usual case of a customer asking us to route a /24 out of somebody else's PA block, which I was about to send back to the customer (or at least have him ask for authorization from the "owner" of that range to have it routed as a more specific), but I wanted to give our support people the right RIPE document that says we're not allowed to do that, and I didn't find it...
We had that issue here several times and I discussed that with many people. We actually did exactly that thing several times in the past. The only thing that is definitely not allowed due to bgp4-specifications is to announce the same prefix from different origin-ASes. On Ciscos you would see them when doing "sh ip bgp incon".
So, is there really a document saying so, or is a customer allowed to ask that as long as he keeps a contractual relationship with the other ISP that allows him to keep the address space?
I don't think that there is some kind of document prohibiting that setup. We did that in the past and it's definitely working. The only problem is, that many ISPs don't want to set up this kind of custom configuration since it doesn't fit into their "standard procedures". Anyway, setting things up this way doesn't really differ from setting up customer's PI-Space or whatever.
Any pointers welcome.
Thanks,
Jacques.
Hope that helps! Regards, Sascha --- Sascha E. Pollok Internet Port Hamburg Technical Staff / Network Operations Grosse Reichenstrasse 27 D-20457 Hamburg Germany Tel.�� +49 (0)40 37 49 19-0 Fax��� +49 (0)40 37 49 19-29 Email: sp@iphh.de ICQ #38955239
Hi Sascha, I agree that it works, no problem with that (it even works with the same announcement in different ASes, though it is clearly not nice at all...). But the whole point of PA address space is to avoid having zillion of small blocks lying around. If a customer can use PA address space the same way as PI, what's the point of making a difference? Note also that in the case of a multi-homed customer not using BGP, the route would indeed appear in multiple ASes, and would require the other ISP to announce its whole PA block _and_ the more specific for load-sharing to occur... It looks to me like it should be prohibited to announce parts of a PA block. If the customer needs to announce addresses via multiple providers, he should switch to PI, shouldn't he? Jacques. --- Jacques Caron PSINetworks Europe Network Engineer PSINet Europe Regional Peering Coordinator Mail: Rue Friz-Courvoisier 103 - CH-2100 La Chaux-de-Fonds Phone: +41 32 967 5418
Jacques, The only addition I'd like to make to Sascha's comments is that we, as standard practice, allow the origination of more specifics for a probation/migration period of 3-6 months. If the prefix is larger than /24 the client is advised of it's possibilities of being blocked by tier 1 backbones. The migration period is for the client to either obtain PI space, become a registry (if the request is for a significant number of prefixes), or migrate into our PA block. There are no strict deadlines, it's reviewed at the end of agreed migration period .. this is simply encouraging the practice of drilling holes in PA aggregate blocks ... though deadlines have been imposed in some extreme cases :) Regards, Rush
Jacques,
We have the usual case of a customer asking us to route a /24 out of somebody else's PA block, which I was about to send back to the customer (or at least have him ask for authorization from the "owner" of that range to have it routed as a more specific), but I wanted to give our support people the right RIPE document that says we're not allowed to do that, and I didn't find it...
We had that issue here several times and I discussed that with many people. We actually did exactly that thing several times in the past.
The only thing that is definitely not allowed due to bgp4-specifications is to announce the same prefix from different origin-ASes. On Ciscos you would see them when doing "sh ip bgp incon".
So, is there really a document saying so, or is a customer allowed to ask that as long as he keeps a contractual relationship with the other ISP that allows him to keep the address space?
I don't think that there is some kind of document prohibiting that setup. We did that in the past and it's definitely working. The only problem is, that many ISPs don't want to set up this kind of custom configuration since it doesn't fit into their "standard procedures". Anyway, setting things up this way doesn't really differ from setting up customer's PI-Space or whatever.
Any pointers welcome.
Thanks,
Jacques.
Hope that helps!
Regards, Sascha
--- Sascha E. Pollok Internet Port Hamburg Technical Staff / Network Operations Grosse Reichenstrasse 27 D-20457 Hamburg Germany Tel.�� +49 (0)40 37 49 19-0 Fax��� +49 (0)40 37 49 19-29 Email: sp@iphh.de ICQ #38955239
The only thing that is definitely not allowed due to bgp4-specifications is to announce the same prefix from different origin-ASes.
this is not bgp spec. it is rfc 1930, see appended, and is not a MUST NOT. randy 7. One prefix, one origin AS Generally, a prefix can should belong to only one AS. This is a direct consequence of the fact that at each point in the Internet there can be exactly one routing policy for traffic destined to each prefix. In the case of an prefix which is used in neighbor peering between two ASes, a conscious decision should be made as to which AS this prefix actually resides in. With the introduction of aggregation it should be noted that a prefix may be represented as residing in more than one AS, however, this is very much the exception rather than the rule. This happens when aggregating using the AS_SET attribute in BGP, wherein the concept of origin is lost. In some cases the origin AS is lost altogether if there is a less specific aggregate announcement setting the ATOMIC_AGGREGATE attribute.
My interpretation of "generally should belong to one AS" does not equate to "MUST NOT be announced by more than one AS". Not commenting on the rights and wrong, but if this is really a "MUST NOT" it needs to be documented as such. philip -- At 02:59 01/09/00 +0900, Randy Bush wrote:
The only thing that is definitely not allowed due to bgp4-specifications is to announce the same prefix from different origin-ASes.
this is not bgp spec. it is rfc 1930, see appended, and is not a MUST NOT.
randy
7. One prefix, one origin AS
Generally, a prefix can should belong to only one AS. This is a direct consequence of the fact that at each point in the Internet there can be exactly one routing policy for traffic destined to each prefix. In the case of an prefix which is used in neighbor peering between two ASes, a conscious decision should be made as to which AS this prefix actually resides in.
With the introduction of aggregation it should be noted that a prefix may be represented as residing in more than one AS, however, this is very much the exception rather than the rule. This happens when aggregating using the AS_SET attribute in BGP, wherein the concept of origin is lost. In some cases the origin AS is lost altogether if there is a less specific aggregate announcement setting the ATOMIC_AGGREGATE attribute.
Philip,
My interpretation of "generally should belong to one AS" does not equate to "MUST NOT be announced by more than one AS".
Not commenting on the rights and wrong, but if this is really a "MUST NOT" it needs to be documented as such.
Somewhere in Basham Halabi's "Internet Routing Architectures" (Cisco Press) he mentions that two different origins for a prefix is an "illegal configuration". Unfortunately I just can't find the exact phrase in the book. Anyway, I am sure that announcing the same prefix under 2 different origins should work although I never did something like this.
philip
Let's further discuss this at ripe-37. Regards, Sascha
--
At 02:59 01/09/00 +0900, Randy Bush wrote:
The only thing that is definitely not allowed due to bgp4-specifications is to announce the same prefix from different origin-ASes.
this is not bgp spec. it is rfc 1930, see appended, and is not a MUST NOT.
randy
7. One prefix, one origin AS
Generally, a prefix can should belong to only one AS. This is a direct consequence of the fact that at each point in the Internet there can be exactly one routing policy for traffic destined to each prefix. In the case of an prefix which is used in neighbor peering between two ASes, a conscious decision should be made as to which AS this prefix actually resides in.
With the introduction of aggregation it should be noted that a prefix may be represented as residing in more than one AS, however, this is very much the exception rather than the rule. This happens when aggregating using the AS_SET attribute in BGP, wherein the concept of origin is lost. In some cases the origin AS is lost altogether if there is a less specific aggregate announcement setting the ATOMIC_AGGREGATE attribute.
--- Sascha E. Pollok Internet Port Hamburg Technical Staff / Network Operations Grosse Reichenstrasse 27 D-20457 Hamburg Germany Tel.�� +49 (0)40 37 49 19-0 Fax��� +49 (0)40 37 49 19-29 Email: sp@iphh.de ICQ #38955239
Somewhere in Basham Halabi's "Internet Routing Architectures" (Cisco Press) he mentions that two different origins for a prefix is an "illegal configuration". Unfortunately I just can't find the exact phrase in the book.
Anyway, I am sure that announcing the same prefix under 2 different origins should work although I never did something like this.
Indeed, it happens today, and my guess is that it works, or networks wouldn't do it (not necessarily a valid assumption, I know). :) Shane
Somewhere in Basham Halabi's "Internet Routing Architectures" (Cisco Press) he mentions that two different origins for a prefix is an "illegal configuration". Unfortunately I just can't find the exact phrase in the book.
Anyway, I am sure that announcing the same prefix under 2 different origins should work although I never did something like this.
Indeed, it happens today, and my guess is that it works, or networks wouldn't do it (not necessarily a valid assumption, I know). :)
Shane
This can probably be made to work, but it is quite easy to create a routing loop, as by default an external BGP learnt route is preferred (admin dist) over an iGP or iBGP: so provider 'A' would prefer to route via provider 'B', rather than via the direct customers interface. This can be got around by not carrying this route in IGP, but only in iBGP with local preference higher than any eBGP peerings. i.e. carry customer static routes in iBGP with your highest local-prefernce. Which is usually the best way anyhow. Both providers would need to implement it this way, or one provider would end up carrying all the traffic. Not that I have tried this, just thought it ought to work. It's getting a bit away from the original question ... -- ---- Steve Alvey Email: steve.alvey@ip-engineering.bt.com Global IP Design Specialist
At 09:53 01/09/00 +0200, Sascha E. Pollok wrote:
Somewhere in Basham Halabi's "Internet Routing Architectures" (Cisco Press) he mentions that two different origins for a prefix is an "illegal configuration". Unfortunately I just can't find the exact phrase in the book.
Yes, I remember seeing it in there. I'm kinda curious why a "generally should not" in an RFC becomes a "must not" in the real world though.
Anyway, I am sure that announcing the same prefix under 2 different origins should work although I never did something like this.
It obviously does - I counted around 600 today.
Let's further discuss this at ripe-37.
And like RIPE-210/route-flap dampening, maybe we can come up with some recommendation in writing which says "must not", if that is the right thing to do. Ofcourse, as to the original topic, it is perfectly possible to set up a net to multihome between two different ISPs, using a private AS, and not cause any issue with inconsistent origin ASes... Nor cause too much problem with routing a subprefix of another LIR's PA block. best wishes, philip --
participants (7)
-
Jacques Caron -
Philip Smith -
Randy Bush -
Rushdul Mannan -
Sascha E. Pollok -
Shane Kerr -
Steve Alvey