
Mailing List Archive: nsp: ipv6

How to choose IPv6 addresses for customer links?

 

 



maho at nic

Jan 30, 2009, 4:04 AM

Post #1 of 20 (4649 views)
Permalink
How to choose IPv6 addresses for customer links?

Hello,

I'd like to collect opinions from the experienced IPv6 network
engineers that meet here so nicely:

Consider a service provider that provides IPv6 services to leased line
customers.
In almost all cases the customer gets a /48 out of the aggregate of
the service provider.
In many cases and probably in most future-oriented cases the physical
interface is some kind of ethernet (10/100/100/10000 Mbit/s). Thus the
link to the customer needs its own addresses.
Some customers might want to operate their own routers and maintain
several subnets. But some customers might also be happy with having
just one subnet and probably some kind of (layer-2) switches.

My question is now: How should the addresses for the link network be
chosen?

My understanding would be that it might be best to select one /64 out
of the customer's /48. And to route the complete /48 to one address of
that /64.
Thus the customer can easily put their hosts in the simple /64 if they
only have layer-2 devices.
Or they can set up their own router. It would have to use the address
mentioned above from the link network and can use up to 65535 more /64
subnets. They lose one /64 for the link network, though.

Would that be a sensible addressing scheme? Or would a customer insist
to get a completely independent /64 for the link addresses?


Best regards, Martin

--
Dr. Martin Horneffer
Deutsche Telekom Netzproduktion GmbH
Technical Engineering Center

Deutsche Telekom Netzproduktion GmbH
Supervisory Board: Timotheus Hoettges (Chairman)
Managing Board: Friedrich Fuß (Chairman), Albert Matheis, Klaus Peren
Commercial register: Amtsgericht Bonn HRB 14190
Registered office: Bonn
VAT ident. no.: DE 814645262


md at Linux

Jan 30, 2009, 4:23 AM

Post #2 of 20 (4540 views)
Permalink
Re: How to choose IPv6 addresses for customer links? [In reply to]

On Jan 30, Martin Horneffer <maho [at] nic> wrote:

> My understanding would be that it might be best to select one /64 out
> of the customer's /48. And to route the complete /48 to one address of
> that /64.
This is what I do for colocation customers.
I especially like having a single prefix from which the customer can
originate traffic.

The only open issue is if I should use :FFFF::/64 or :0000::/64 for the
link, but so far I asked the customer for their preference. :-)

> subnets. They lose one /64 for the link network, though.
I do not think that this should be a concern...

--
ciao,
Marco
Attachments: signature.asc (0.19 KB)


martin at airwire

Jan 30, 2009, 4:50 AM

Post #3 of 20 (4541 views)
Permalink
Re: How to choose IPv6 addresses for customer links? [In reply to]

Martin Horneffer wrote:
[SNIP]
> Would that be a sensible addressing scheme? Or would a customer insist
> to get a completely independent /64 for the link addresses?

SixXS uses the approach commonly of assigning the link-addresses out of
a separate /48 in the PoP. One /40 per PoP.

For native customers, we'll assign one /64 on the lan-side interface of
the customer's CPE and route the remainder of their allocation to a fixed
address within that allocation.

Kind regards,
Martin List-Petersen
--
Airwire - Ag Nascadh Pobal an Iarthar
http://www.airwire.ie
Phone: 091-865 968


mohacsi at niif

Jan 30, 2009, 6:06 AM

Post #4 of 20 (4561 views)
Permalink
Re: How to choose IPv6 addresses for customer links? [In reply to]

On Fri, 30 Jan 2009, Martin Horneffer wrote:

> Hello,
>
> I'd like to collect opinions from the experienced IPv6 network
> engineers that meet here so nicely:
>
> Consider a service provider that provides IPv6 services to leased line
> customers.
> In almost all cases the customer gets a /48 out of the aggregate of
> the service provider.
> In many cases and probably in most future-oriented cases the physical
> interface is some kind of ethernet (10/100/100/10000 Mbit/s). Thus the
> link to the customer needs its own addresses.
> Some customers might want to operate their own routers and maintain
> several subnets. But some customers might also be happy with having
> just one subnet and probably some kind of (layer-2) switches.
>
> My question is now: How should the addresses for the link network be
> chosen?
>
> My understanding would be that it might be best to select one /64 out
> of the customer's /48. And to route the complete /48 to one address of
> that /64.
> Thus the customer can easily put their hosts in the simple /64 if they
> only have layer-2 devices.
> Or they can set up their own router. It would have to use the address
> mentioned above from the link network and can use up to 65535 more /64
> subnets. They lose one /64 for the link network, though.
>
> Would that be a sensible addressing scheme? Or would a customer insist
> to get a completely independent /64 for the link addresses?

I would ask you:

- Did you implement infrastructure protection with infrastructure ACL? -
protecting all your devices with edge filtering

If yes, then I would ask a customer to allocate /64 from their address
block, otherwise it would be more difficult to manage protection against the
potential malicious traffic coming from outside.


Selecting the address for the last 64 bits is also a kind of challenge, to
prevent scanning attacks on these links; see RFC 5157:
http://www.ietf.org/rfc/rfc5157.txt

Best Regards,


>
>
> Best regards, Martin
>
> --
> Dr. Martin Horneffer
> Deutsche Telekom Netzproduktion GmbH
> Technical Engineering Center
>
> Deutsche Telekom Netzproduktion GmbH
> Supervisory Board: Timotheus Hoettges (Chairman)
> Managing Board: Friedrich Fuß (Chairman), Albert Matheis, Klaus Peren
> Commercial register: Amtsgericht Bonn HRB 14190
> Registered office: Bonn
> VAT ident. no.: DE 814645262
>


jeroen at unfix

Jan 30, 2009, 6:38 AM

Post #5 of 20 (4542 views)
Permalink
Re: How to choose IPv6 addresses for customer links? [In reply to]

Martin List-Petersen wrote:
> Martin Horneffer wrote:
> [SNIP]
>> Would that be a sensible addressing scheme? Or would a customer insist
>> to get a completely independent /64 for the link addresses?
>
> SixXS uses the approach commonly of assigning the link-addresses out of
> a separate /48 in the PoP. One /40 per PoP.

To put a bit of background there for that decision: if you 'steal' a /64
out of the customer's /48 then the whole idea that the customer 'never
has to change their numberplan because they keep a /48 when changing
ISPs' goes away. Thus if they move from A to B, and A uses the first
/64 for the link, but B uses the last /64 or another for the
transfer-link, then they have to renumber their network again. Also, it
quite inconveniences the customer who can't nicely chunk the /48 into
/56's or something for eg per-building routes etc, as you stole a /64
out of one of those blocks. DHCP-PD also becomes easier as you say to it
"this /48" instead of "this /48 but not this /64 out of that".

Also if the complete /48 goes to the customer, then that is only one
route. If you steal a /64 from it, you have a /48 and a /64 from the
same block. Makes whois entries also clearer (you do register those
/48's nicely with an IRT object in whois do you?)


Thus IMHO and from my POV, use a /48 (or larger if you need >65k of
these links) for transfer links. This also makes it easy for you to
protect access links, eg just allow that /48 to do BGP with your routers
and exclude anything else. And route a full /48 to the customer.

Btw, you should have already done all of this when REQUESTING your
prefix from RIPE. Numberplans are important to them, they should also be
important to you.


Sidenote: In the SixXS case where we effectively fully control the
device that does the routing over the tunnels this addressingplan
simplifies routing a lot as we know that prefixes from <x>/48 are
'interfaces' (read: tunnels) to the users, while everything else has no
specifics, we were thus able to optimize routing a lot because of that
basically ignoring anything else ;)

Greets,
Jeroen
Attachments: signature.asc (0.18 KB)
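
[Added example, not part of any post in this thread.] The trade-offs raised so far (renumbering when the link /64 moves, the "this /48 but not this /64" delegation, /56 chunking, and the size of the filter that protects access links) can be worked through with Python's ipaddress module. All prefixes are constructed from the documentation range 2001:db8::/32, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample plan using the documentation prefix 2001:db8::/32;
# none of these prefixes come from the thread.
LINK_POOL = ipaddress.IPv6Network("2001:db8:ffff::/48")   # provider-owned link /48
CUSTOMERS = [ipaddress.IPv6Network(f"2001:db8:{i:x}::/48") for i in range(1, 6)]


def carve_link(customer, which="first"):
    """Scheme A: use the first or last /64 of the customer's own /48 as the link."""
    offset = 0 if which == "first" else 2 ** (64 - customer.prefixlen) - 1
    return ipaddress.IPv6Network((int(customer.network_address) + (offset << 64), 64))


def pool_link(pool, index):
    """Scheme B: use the index-th /64 of a dedicated link pool."""
    if not 0 <= index < 2 ** (64 - pool.prefixlen):
        raise ValueError("link pool exhausted")
    return ipaddress.IPv6Network((int(pool.network_address) + (index << 64), 64))


def delegable(customer, link):
    """What is left of the customer's prefix once the link /64 is taken out:
    the prefixes a 'this /48 but not this /64' delegation has to list."""
    if not link.subnet_of(customer):
        return [customer]                # scheme B: the whole /48, one prefix
    return sorted(customer.address_exclude(link))


def intact_blocks(customer, link, new_prefix=56):
    """Count the /56 (or other) blocks of the /48 that the link does not touch."""
    return sum(1 for block in customer.subnets(new_prefix=new_prefix)
               if not link.subnet_of(block))


def link_acl(links, pool=None):
    """Prefixes an infrastructure ACL or BGP-peer filter must list to match
    every access link: the pool itself if all links sit inside it, otherwise
    the collapsed list of individual link networks."""
    if pool is not None and all(l.subnet_of(pool) for l in links):
        return [pool]
    return list(ipaddress.collapse_addresses(links))


if __name__ == "__main__":
    cust = CUSTOMERS[0]
    a_first, a_last = carve_link(cust, "first"), carve_link(cust, "last")
    print("ISP A link:", a_first, " ISP B link:", a_last)
    print("left to delegate (scheme A):", len(delegable(cust, a_first)), "prefixes")
    print("untouched /56 blocks:", intact_blocks(cust, a_first), "of 256")
    print("ACL entries, scheme A:", len(link_acl([carve_link(c) for c in CUSTOMERS])))
    pooled = [pool_link(LINK_POOL, i) for i in range(len(CUSTOMERS))]
    print("ACL entries, scheme B:", link_acl(pooled, LINK_POOL))
```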


dwhite at olp

Jan 30, 2009, 7:54 AM

Post #6 of 20 (4535 views)
Permalink
Re: How to choose IPv6 addresses for customer links? [In reply to]

Martin Horneffer wrote:
> Hello,
>
> I'd like to collect opinions from the experienced IPv6 network
> engineers that meet here so nicely:
>
> Consider a service provider that provides IPv6 services to leased line
> customers.
> In almost all cases the customer gets a /48 out of the aggregate of
> the service provider.
> In many cases and probably in most future-oriented cases the physical
> interface is some kind of ethernet (10/100/100/10000 Mbit/s). Thus the
> link to the customer needs its own addresses.
> Some customers might want to operate their own routers and maintain
> several subnets. But some customers might also be happy with having
> just one subnet and probably some kind of (layer-2) switches.
>
> My question is now: How should the addresses for the link network be
> chosen?
>
> My understanding would be that it might be best to select one /64 out
> of the customer's /48. And to route the complete /48 to one address of
> that /64.
> Thus the customer can easily put their hosts in the simple /64 if they
> only have layer-2 devices.
> Or they can set up their own router. It would have to use the address
> mentioned above from the link network and can use up to 65535 more /64
> subnets. They lose one /64 for the link network, though.
>
> Would that be a sensible addressing scheme? Or would a customer insist
> to get a completely independent /64 for the link addresses?
>
>
> Best regards, Martin
>
>


I can't offer much experience on this situation, but I have a somewhat
similar network environment, except that we use the VLAN-per-subscriber
model.

It seems that splitting out a /64 and routing to a specific IP defeats
the purpose of having router advertisements.

The approach I'm trying to design for is this (pardon the ASCII diagram):

    ----------------        ----------------
    |   Router A   |        |   Router B   |
    ----------------        ----------------
               \                /
                \              /
               -----------------
               |   Transport   |
               -----------------
                    /     \
                   /       \
                --------------
                |    CPE     |
                --------------
                  |        |
      --------------      --------------
      |   cust.    |      |   cust.    |
      |  router 1  |      |  router 2  |
      --------------      --------------


With all four routers (2 customer routers, 2 provider routers)
participating in the same VLAN/Network. This should facilitate the
failure of any one router, without operator intervention, as long as the
two customer routers are allowed to advertise the same /48. Assignment
to customer may be a static assignment or DHCP prefix delegation, but
the IP block numbering will be based on some hash of the customer's VLAN
(as previously suggested on this list).

For the two routers on the provider side, Dibbler running on a Linux box
seems to look promising. I can configure a VLAN interface on each router
corresponding to each customer, which allows me to control DHCP/RA *to*
the customer. It also gives me the option of configuring a /64
advertisement to each customer that does not wish to use a router, but
connects clients directly to the (bridged) CPE.

An issue I'm struggling with is how to filter router advertisements
*from* the customer. I know which /48 advertisement I want to allow, on
the specific vlan interface, but IP tables does not seem to let me
filter on specific incoming RA routes. I'd be interested in any ideas
how to accomplish that.

- Dan
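
[Added example, not part of any post in this thread.] The prefixes a Router Advertisement carries sit in options inside the ICMPv6 message (Prefix Information, RFC 4861, and Route Information, RFC 4191), so checking them against the /48 allowed on a customer VLAN means parsing those options. The sketch below does that for a raw ICMPv6 payload; the sample RAs are constructed with documentation prefixes, the helper names are hypothetical, and how the bytes are captured from the interface is left out.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134      # ICMPv6 type, RFC 4861
OPT_PREFIX_INFO = 3         # Prefix Information option, RFC 4861
OPT_ROUTE_INFO = 24         # Route Information option, RFC 4191


def ra_prefixes(icmp6):
    """Parse an ICMPv6 Router Advertisement (starting at the ICMPv6 type byte)
    and return [(option_name, IPv6Network), ...] for every prefix it carries.
    Raises ValueError on anything malformed. The checksum is not verified."""
    if len(icmp6) < 16 or icmp6[0] != ND_ROUTER_ADVERT or icmp6[1] != 0:
        raise ValueError("not a Router Advertisement")
    found, off = [], 16                      # options start after the fixed header
    while off < len(icmp6):
        if off + 2 > len(icmp6):
            raise ValueError("truncated option header")
        opt_type, units = icmp6[off], icmp6[off + 1]   # length is in 8-byte units
        size = units * 8
        if units == 0 or off + size > len(icmp6):
            raise ValueError("bad option length")
        body = icmp6[off:off + size]
        off += size
        if opt_type == OPT_PREFIX_INFO:
            if units != 4:
                raise ValueError("bad Prefix Information length")
            name, plen, raw = "prefix-info", body[2], body[16:32]
        elif opt_type == OPT_ROUTE_INFO:
            if units > 3:
                raise ValueError("bad Route Information length")
            name, plen, raw = "route-info", body[2], body[8:].ljust(16, b"\x00")
            if plen > (units - 1) * 64:
                raise ValueError("route prefix longer than the option carries")
        else:
            continue                         # other options carry no prefixes
        if plen > 128:
            raise ValueError("prefix length out of range")
        found.append((name, ipaddress.IPv6Network((raw, plen), strict=False)))
    return found


def ra_violations(icmp6, allowed):
    """Prefixes in the RA that fall outside the customer's allowed block."""
    return [(n, p) for n, p in ra_prefixes(icmp6) if not p.subnet_of(allowed)]


# --- helpers that build constructed sample RAs (test data, not captures) ---
def _pio(prefix):
    net = ipaddress.IPv6Network(prefix)
    return struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                       86400, 14400, 0) + net.network_address.packed


def _rio(prefix, lifetime=1800):
    net = ipaddress.IPv6Network(prefix)
    units = 1 if net.prefixlen == 0 else 2 if net.prefixlen <= 64 else 3
    return struct.pack("!BBBBI", OPT_ROUTE_INFO, units, net.prefixlen, 0,
                       lifetime) + net.network_address.packed[:(units - 1) * 8]


def build_ra(*options):
    header = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    return header + b"".join(options)


ALLOWED = ipaddress.IPv6Network("2001:db8:1::/48")      # constructed customer /48
GOOD_RA = build_ra(_pio("2001:db8:1:10::/64"), _rio("2001:db8:1::/48"))
BAD_RA = build_ra(_pio("2001:db8:1:10::/64"), _rio("::/0"), _rio("2001:db8:2::/48"))

if __name__ == "__main__":
    print("good:", ra_violations(GOOD_RA, ALLOWED))
    print("bad: ", ra_violations(BAD_RA, ALLOWED))
```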


gert at space

Jan 30, 2009, 9:15 AM

Post #7 of 20 (4535 views)
Permalink
Re: How to choose IPv6 addresses for customer links? [In reply to]

Hi,

On Fri, Jan 30, 2009 at 09:54:18AM -0600, Dan White wrote:
> It seems that splitting out a /64 and routing to a specific IP defeats
> the purpose of having router advertisements.

Router-Advertisements are not actually there to exchange information
*among routers* - they convey information about things *on* this link,
and not behind the other box.

For your design, a routing protocol is what you want to use - preferably
BGP (= easy filtering).

Gert Doering
-- NetMaster
--
Total number of prefixes smaller than registry allocations: 128645

SpaceNet AG Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444 USt-IdNr.: DE813185279


sabt at sabt

Jan 30, 2009, 10:07 AM

Post #8 of 20 (4544 views)
Permalink
Re: How to choose IPv6 addresses for customer links? [In reply to]

* Martin Horneffer wrote:
> My understanding would be that it might be best to select one /64 out
> of the customer's /48. And to route the complete /48 to one address of
> that /64.
> Thus the customer can easily put their hosts in the simple /64 if they
> only have layer-2 devices.
> Or they can set up their own router. It would have to use the address
> mentioned above from the link network and can use up to 65535 more /64
> subnets. They lose one /64 for the link network, though.

This is exactly what we do with our DSL-based IPv6 offer. Worked for us
as well as for our customers so far. While I see the issues with this
addressing scheme Jeroen mentioned, personally I don't believe that
they're relevant in practice. Our motivation basically was to have a
/48 assigned to/reserved for a customer and to not have to think about
further addresses for this client.

regards,
sebastian

--
SABT-RIPE PGPKEY-D008DA9C


martin at airwire

Jan 30, 2009, 11:14 AM

Post #9 of 20 (4534 views)
Permalink
Re: How to choose IPv6 addresses for customer links? [In reply to]

Sebastian Abt wrote:
> * Martin Horneffer wrote:
>> My understanding would be that it might be best to select one /64 out
>> of the customer's /48. And to route the complete /48 to one address of
>> that /64.
>> Thus the customer can easily put their hosts in the simple /64 if they
>> only have layer-2 devices.
>> Or they can set up their own router. It would have to use the address
>> mentioned above from the link network and can use up to 65535 more /64
>> subnets. They lose one /64 for the link network, though.
>
> This is exactly what we do with our DSL-based IPv6 offer. Worked for us
> as well as for our customers so far. While I see the issues with this
> addressing scheme Jeroen mentioned, personally I don't believe that
> they're relevant in practice. Our motivation basically was to have a
> /48 assigned to/reserved for a customer and to not have to think about
> further addresses for this client.
>

With residential or consumer customers the need for a separate /64 (from the
/48) shouldn't really arise. (talking about BGP etc.)

Also from an allocation perspective it might be easier to just allocate
a /48 (or reserve it), because you can give the customer a /64, increase
it to /56 or /48 on demand.

Obviously the claim could be made, that the SixXS approach is more IP
conserving.

Kind regards,
Martin List-Petersen
--
Airwire - Ag Nascadh Pobal an Iarthar
http://www.airwire.ie
Phone: 091-865 968


pekkas at netcore

Jan 30, 2009, 11:27 AM

Post #10 of 20 (4544 views)
Permalink
Re: How to choose IPv6 addresses for customer links? [In reply to]

On Fri, 30 Jan 2009, Martin Horneffer wrote:
> Consider a service provider that provides IPv6 services to leased
> line customers. In almost all cases the customer gets a /48 out of
> the aggregate of the service provider. In many cases and probably in
> most future-oriented cases the physical interface is some kind of
> ethernet (10/100/100/10000 Mbit/s). Thus the link to the customer
> needs its own addresses.

Actually, the link already has link-local addresses. You could just
run it without any global address. But that has a caveat for another
reason. When you need to configure static routes towards the customer,
you're kinda stuck because you'd need to configure the nexthop to be a
link-local address and that would not be fun for many reasons,
including changes in CPE (MAC address change). Otherwise link-local
would be great.

FWIW, we're using an address out of customer's block; they can choose
but the customers are organisations so this is not a provisioning
problem.

We also advertise those p2p addresses to our core. This has some
tradeoffs. The good is that the link is pingable even if the address
aggregate would happen to change so that the p2p link is no longer
covered, and that if a customer is multihomed, pinging the p2p link
from different places would cause non-deterministic routing. The bad
is that for multihomed customers, strict uRPF requires a workaround.
(See S3.2 of draft-savola-bcp84-urpf-experiences-03 for more.)

--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings


dwhite at olp

Jan 30, 2009, 12:38 PM

Post #11 of 20 (4534 views)
Permalink
Re: How to choose IPv6 addresses for customer links? [In reply to]

Gert Doering wrote:
> Hi,
>
> On Fri, Jan 30, 2009 at 09:54:18AM -0600, Dan White wrote:
>
>> It seems that splitting out a /64 and routing to a specific IP defeats
>> the purpose of having router advertisements.
>>
>
> Router-Advertisements are not actually there to exchange information
> *among routers* - they convey information about things *on* this link,
> and not behind the other box.
>
> For your design, a routing protocol is what you want to use - preferably
> BGP (= easy filtering).
>
> Gert Doering
> -- NetMaster
>
Yeah, I'm definitely confused.

In the case where a customer router is performing DHCP prefix
delegation, is the provider router installing a route at the time of
assignment?

With BGP, I suppose I will need to know the customer's two router
addresses (or link layer addresses) at configuration time.

- Dan


gert at space

Jan 30, 2009, 1:49 PM

Post #12 of 20 (4554 views)
Permalink
Re: How to choose IPv6 addresses for customer links? [In reply to]

Hi,

On Fri, Jan 30, 2009 at 02:38:00PM -0600, Dan White wrote:
> In the case where a customer router is performing DHCP prefix
> delegation, is the provider router installing a route at the time of
> assignment?

It better should. (But this is not RA, this is DHCP PD :-) ).

Actually, I have no practical experience with DHCP PD yet - but I can't
really think of any useful way to have DHCP PD without installing a route
at delegation time.

> With BGP, I suppose I will need to know the customer's two router
> addresses (or link layer addresses) at configuration time.

Yep. Either "know" or just mandate ("we have :0:1 and :0:2, you have
:1:1 and :1:2, period").

Gert Doering
-- NetMaster
--
Total number of prefixes smaller than registry allocations: 128645

SpaceNet AG Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444 USt-IdNr.: DE813185279


steve at ibctech

Jan 30, 2009, 6:23 PM

Post #13 of 20 (4528 views)
Permalink
Re: How to choose IPv6 addresses for customer links? [In reply to]

Gert Doering wrote:
> Hi,
>
> On Fri, Jan 30, 2009 at 02:38:00PM -0600, Dan White wrote:
>> In the case where a customer router is performing DHCP prefix
>> delegation, is the provider router installing a route at the time of
>> assignment?
>
> It better should. (But this is not RA, this is DHCP PD :-) ).
>
> Actually, I have no practical experience with DHCP PD yet - but I can't
> really think of any useful way to have DHCP PD without installing a route
> at delegation time.
>
>> With BGP, I suppose I will need to know the customer's two router
>> addresses (or link layer addresses) at configuration time.
>
> Yep. Either "know" or just mandate ("we have :0:1 and :0:2, you have
> :1:1 and :1:2, period").

...and, if you assign a /64 global between eBGP peers (as opposed to
anything longer), BGP will automagically configure the next-hop to the
link-local:

B>* 2001:478:235::/48 [20/0] via fe80::d8ea:2f09, gif1, 06:07:43

...as opposed to this route, where a /128 global PtP is in place:

B>* 2001:478:178::/48 [20/0] via 2001:4978:1:600::1, gif0, 06:08:14

What I haven't tested, but plan on doing so, is whether my theory that
moving the IPv6 peering address from one source interface to another
will not disrupt this link-local next-hop.

You (Dan) are going to like BGP. I have had much fortune finding people
to help me out with it, particularly in the v6 context. If you ever need
any help testing a setup in the global context, email me off-list. So
long as it's low-bandwidth, I'll do anything I can to pass along
knowledge I've gained from others (including sessions (non-transit),
VMs, test routers etc). When I help others learn, I'm either reinforcing
knowledge, or having to research the unknown.

Another thing that I'd like to point out, is that if _anyone_ is to
consider toying with BGP, read, understand and ensure that you follow
BCP 38, at minimum. Ask for guidance if necessary. This should be a
prerequisite to turning-up your first test session.

I've recently found that when one sanely organizes a question relating
to proper network behaviour prior to implementation, and posts it to a
high-profile list, the feedback is astounding. The 'big' good-guys
really seem to like helping out the 'little' guys who are trying to do
the right thing.

As a matter of fact, (in my experience), they will go miles out of their
way to help you become a trusted, albeit small, network.

Sorry for swaying OT. I just felt that if BGP was mentioned, a
recommendation to ensure network cleanliness was in order.

Steve


spz at serpens

Feb 1, 2009, 4:33 AM

Post #14 of 20 (4504 views)
Permalink
Re: How to choose IPv6 addresses for customer links? [In reply to]

Thus wrote Jeroen Massar (jeroen [at] unfix):

> Martin List-Petersen wrote:
> > Martin Horneffer wrote:
> > [SNIP]
> >> Would that be a sensible addressing scheme? Or would a customer insist
> >> to get a completely independent /64 for the link addresses?
> >
> > SixXS uses the approach commonly of assigning the link-addresses out of
> > a separate /48 in the PoP. One /40 per PoP.

[some good technical points]

> Btw, you should have already done all of this when REQUESTING your
> prefix from RIPE. Numberplans are important to them, they should also be
> important to you.

I wouldn't exactly call it wrong to check one's plans against other
people's experience every once in a while. Best practise does change over
time.

That said: an address plan I was involved with in the past asked for
leased lines to be numbered with a /64 from the specific PoP's /48,
expecting a router on the other side, and throwing a full /48 to the
customer. That makes routing easier if the customer has site resilient
links, too.

For datacenter connections it also fed /64 from the datacenter /48
and only gave /48 if the customer had a router installed. It's expected
that the customer would rarely exhaust a /64 in a flat network ;-P
All in all, KISS is a very useful principle and one ought to step away
from it only if it's really necessary. :)

regards,
spz
--
spz [at] serpens (S.P.Zeidler)


dwhite at olp

Feb 1, 2009, 7:51 PM

Post #15 of 20 (4499 views)
Permalink
Re: How to choose IPv6 addresses for customer links? [In reply to]

Steve Bertrand wrote:
> ...and, if you assign a /64 global between eBGP peers (as opposed to
> anything longer), BGP will automagically configure the next-hop to the
> link-local:
>
> B>* 2001:478:235::/48 [20/0] via fe80::d8ea:2f09, gif1, 06:07:43
>
> ...as opposed to this route, where a /128 global PtP is in place:
>
> B>* 2001:478:178::/48 [20/0] via 2001:4978:1:600::1, gif0, 06:08:14
>
> What I haven't tested, but plan on doing so, is whether my theory that
> moving the IPv6 peering address from one source interface to another
> will not disrupt this link-local next-hop.
>
> You (Dan) are going to like BGP. I have had much fortune finding people
> to help me out with it, particularly in the v6 context. If you ever need
> any help testing a setup in the global context, email me off-list. So
> long as it's low-bandwidth, I'll do anything I can to pass along
> knowledge I've gained from others (including sessions (non-transit),
> VMs, test routers etc). When I help others learn, I'm either reinforcing
> knowledge, or having to research the unknown.
>
>

Thanks Steve, I appreciate all the pointers in the right direction.

What is the benefit of using BGP in a scenario like this (ethernet link
to customer)? Would OSPF6 or RIPNG make more sense since shouldn't need
to know their address?

- Dan


gert at space

Feb 4, 2009, 7:41 AM

Post #16 of 20 (4471 views)
Permalink
Re: How to choose IPv6 addresses for customer links? [In reply to]

Hi,

On Sun, Feb 01, 2009 at 09:51:11PM -0600, Dan White wrote:
> What is the benefit of using BGP in a scenario like this (ethernet link
> to customer)? Would OSPF6 or RIPNG make more sense since shouldn't need
> to know their address?

Control.

With BGP, you can easily filter which routes you are going to accept
from your customer - even if it's a bit more tedious to set up.

With OSPF, the customer can just inject you funny things like "hey,
give all packets to google's IPv6 address to me"...

Even if you know that your customers do not have any malicious intent,
mistakes and typos happen.

Gert Doering
-- NetMaster
--
Total number of prefixes smaller than registry allocations: 128645

SpaceNet AG Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444 USt-IdNr.: DE813185279
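
[Added example, not part of any post in this thread.] The "control" argument for BGP above, together with the BCP 38 reminder earlier in the thread, comes down to a per-customer policy derived from the address plan: which announcements to accept on the session and which source addresses to accept on the link. The sketch below models that policy check on constructed data; the CustomerSession structure and the max_len limit of /56 are assumptions, not anything the posters specified.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class CustomerSession:
    """Per-customer policy derived from the address plan (hypothetical structure)."""
    name: str
    assigned: ipaddress.IPv6Network      # the /48 routed to the customer
    link: ipaddress.IPv6Network          # the /64 on the access link
    max_len: int = 56                    # assumed longest more-specific accepted


def check_route(session, prefix):
    """Inbound route filter: return (accepted, reason) for one announcement."""
    try:
        net = ipaddress.IPv6Network(prefix)      # strict: host bits set is an error
    except ValueError:
        return False, "malformed prefix"
    if net.prefixlen == 0:
        return False, "default route"
    if not net.subnet_of(session.assigned):
        if session.assigned.subnet_of(net):
            return False, "covers more than the assignment"
        return False, "outside the assignment"
    if net.prefixlen > session.max_len:
        return False, "more specific than max_len"
    return True, "ok"


def check_source(session, src):
    """BCP 38 style ingress check: is this source address one the customer
    may legitimately send from on this link?"""
    addr = ipaddress.IPv6Address(src)
    return addr in session.assigned or addr in session.link


def audit(session, announcements):
    """Return {prefix: reason} for every announcement the filter rejects."""
    verdicts = ((p, check_route(session, p)) for p in announcements)
    return {p: reason for p, (ok, reason) in verdicts if not ok}


# Constructed sample data; documentation prefixes only.
CUSTOMER = CustomerSession("cust-12",
                           ipaddress.IPv6Network("2001:db8:12::/48"),
                           ipaddress.IPv6Network("2001:db8:ffff:12::/64"))
ANNOUNCED = [
    "2001:db8:12::/48",        # the assignment itself
    "2001:db8:12:100::/56",    # a more-specific inside it
    "2001:db8:21::/48",        # transposed digits: a typo, not an attack
    "2001:db8::/32",           # the provider's whole aggregate
    "::/0",                    # default route
    "2001:db8:12:1::/64",      # longer than max_len
    "2001:db8:12::1/48",       # host bits set
]

if __name__ == "__main__":
    for prefix, reason in audit(CUSTOMER, ANNOUNCED).items():
        print(f"reject {prefix:<22} {reason}")
    print("source 2001:db8:12:5::10 ok?", check_source(CUSTOMER, "2001:db8:12:5::10"))
    print("source 2001:db8:99::1 ok?   ", check_source(CUSTOMER, "2001:db8:99::1"))
```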


dwhite at olp

Feb 4, 2009, 8:07 AM

Post #17 of 20 (4473 views)
Permalink
Re: How to choose IPv6 addresses for customer links? [In reply to]

Gert Doering wrote:
> Hi,
>
> On Sun, Feb 01, 2009 at 09:51:11PM -0600, Dan White wrote:
>
>> What is the benefit of using BGP in a scenario like this (ethernet link
>> to customer)? Would OSPF6 or RIPNG make more sense since shouldn't need
>> to know their address?
>>
>
> Control.
>
> With BGP, you can easily filter which routes you are going to accept
> from your customer - even if it's a bit more tedious to set up.
>
> With OSPF, the customer can just inject you funny things like "hey,
> give all packets to google's IPv6 address to me"...
>
> Even if you know that your customers do not have any malicious intent,
> mistakes and typos happen.
>
> Gert Doering
> -- NetMaster
>

I would think that I could filter ospf6/ripng advertisements based on
which interface (customer) I'm receiving them from.

I just need to set this up in a lab and learn from experience.

Thanks,
- Dan


steve at ibctech

Feb 4, 2009, 8:49 AM

Post #18 of 20 (4469 views)
Permalink
Re: How to choose IPv6 addresses for customer links? [In reply to]

Dan White wrote:
> Gert Doering wrote:
>> Hi,
>>
>> On Sun, Feb 01, 2009 at 09:51:11PM -0600, Dan White wrote:
>>
>>> What is the benefit of using BGP in a scenario like this (ethernet
>>> link to customer)? Would OSPF6 or RIPNG make more sense since
>>> shouldn't need to know their address?
>>>
>>
>> Control.
>>
>> With BGP, you can easily filter which routes you are going to accept
>> from your customer - even if it's a bit more tedious to set up.
>>
>> With OSPF, the customer can just inject you funny things like "hey,
>> give all packets to google's IPv6 address to me"...
>>
>> Even if you know that your customers do not have any malicious intent,
>> mistakes and typos happen.
>>
>> Gert Doering
>> -- NetMaster
>>
>
> I would think that I could filter ospf6/ripng advertisements based on
> which interface (customer) I'm receiving them from.
>
> I just need to set this up in a lab and learn from experience.

I absolutely, totally agree with the 'lab-it-up' and learn from
experience statement.

RIP/OSPF are not scalable for containing all routes within even a small
size network. It is also not designed with security in mind. You could
do all sorts of ACL's and other trickery to prevent
malicious/accidentally mis-configured hosts from messing things up, but
BGP generally does this inherently.

As Gert stated, BGP is about control. You can do all manner of route
management/manipulation from within the protocol itself. You can go as
far as to allow your customers to manipulate their own routes on your
routers, without the fear of them causing you issues.

Definitely lab it up... but then do some research on BGP in general,
eBGP and how/what it is for, and then iBGP over OSPF-carried loopbacks
(vs. static routes) for within your own network.

Cheers,

Steve


tore at linpro

Feb 4, 2009, 8:54 AM

Post #19 of 20 (4471 views)
Permalink
Re: How to choose IPv6 addresses for customer links? [In reply to]

* Dan White

> I would think that I could filter ospf6/ripng advertisements based on
> which interface (customer) I'm receiving them from.

With OSPF you can't filter prefixes, since it's a link-state routing
protocol. At least most implementations I've dealt with do not allow it.

With RIPv2 you can, though, so I guess you can with RIPng as well. FWIW
I've used RIP to connect customers that don't want the complexity of
BGP, where I generally just send them a default route, and import
whatever they send me into OSPF - if it passes my RIP filters, that is.

Best regards,
--
Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com/


truman at suspicious

Feb 4, 2009, 2:08 PM

Post #20 of 20 (4466 views)
Permalink
Re: How to choose IPv6 addresses for customer links? [In reply to]

Hi,

As noted you can't filter prefixes if you run OSPF with the customer.
You can always do things like run a totally stubby area or not-so-
stubby-area with your customer, but it's just a pain and it doesn't
prevent the customer from sending you LSAs that can grow your LSDB.

If your customer's routes are contained within a specific routing
context (other than your default routing context, ie. VPN) you can
decide to run OSPFv3 on your customer links. These routes will not
affect other routing contexts.

Ideally you will want to run BGP, it scales better for inter-domain
routing.

Truman Boyes


On 5/02/2009, at 3:54 AM, Tore Anderson wrote:

> * Dan White
>
>> I would think that I could filter ospf6/ripng advertisements based on
>> which interface (customer) I'm receiving them from.
>
> With OSPF you can't filter prefixes, since it's a link-state routing
> protocol. At least most implementations I've dealt with do not
> allow it.
>
> With RIPv2 you can, though, so I guess you can with RIPng as well.
> FWIW
> I've used RIP to connect customers that don't want the complexity of
> BGP, where I generally just send them a default route, and import
> whatever they send me into OSPF - if it passes my RIP filters, that
> is.
>
> Best regards,
> --
> Tore Anderson
> Redpill Linpro AS - http://www.redpill-linpro.com/
>
