Advertising rented IPv4 prefix from a different ASN.
Hello List,
I work for a medium-sized ISP. We are entering an agreement to rent some IPv4 space from a local higher education institution. Being a multi-homed ISP we would like to advertise the rented prefix from our ASN. The prefix that will be advertised is a smaller subnet from the higher education's block; they will continue to advertise the larger prefix.
What is the best way to accomplish this? Is there any way of doing this without having to tunnel the traffic through the origin ASN?
I feel if we just advertise the prefix it will get put on a bogon list for prefix hijacking. This space is rented long term but they are not interested in reassigning the space to us. They also want to keep advertising their prefix as one contiguous block.
I appreciate any insight and information. Thank you for your time, Andrew.
If you are just announcing more specific address space that you've obtained legitimately off their assigned address space, it should be no problem, just obtain an LoA and register it on the different databases and you should be set to ask your upstreams to allow the announcements.
Regards, Neo Soon Keat
2016-08-05 3:39 GMT+08:00 Andrew <andrew@vianet.ca>:
Hello List,
I work for a medium-sized ISP. We are entering an agreement to rent some IPv4 space from a local higher education institution. Being a multi-homed ISP we would like to advertise the rented prefix from our ASN. The prefix that will be advertised is a smaller subnet from the higher education's block; they will continue to advertise the larger prefix.
What is the best way to accomplish this? Is there any way of doing this without having to tunnel the traffic through the origin ASN?
I feel if we just advertise the prefix it will get put on a bogon list for prefix hijacking. This space is rented long term but they are not interested in reassigning the space to us. They also want to keep advertising their prefix as one contiguous block.
I appreciate any insight and information. Thank you for your time, Andrew.
On 5/Aug/16 15:40, Soon Keat Neo wrote:
If you are just announcing more specific address space that you've obtained legitimately off their assigned address space, it should be no problem, just obtain an LoA and register it on the different databases and you should be set to ask your upstreams to allow the announcements.
Do people actually do this? A customer asked us to do this for them and we refused, because inconsistent AS has never been a thing.
I'm apprehensive about a subnet and its aggregate appearing from multiple AS's at the same time. But, I'm old school, so...
Mark.
On Aug 5, 2016, at 9:52 AM, Mark Tinka <mark.tinka@seacom.mu> wrote:
On 5/Aug/16 15:40, Soon Keat Neo wrote:
If you are just announcing more specific address space that you've obtained legitimately off their assigned address space, it should be no problem, just obtain an LoA and register it on the different databases and you should be set to ask your upstreams to allow the announcements.
Do people actually do this? A customer asked us to do this for them and we refused, because inconsistent AS has never been a thing.
I'm apprehensive about a subnet and its aggregate appearing from multiple AS's at the same time. But, I'm old school, so...
Mark.
I agree with you...not a great practice. Each AS should just announce the prefix that they actually use. The school could be used as a transit for the ISP, which may be undesirable.
* Mark Tinka
On 5/Aug/16 15:40, Soon Keat Neo wrote:
If you are just announcing more specific address space that you've obtained legitimately off their assigned address space, it should be no problem, just obtain an LoA and register it on the different databases and you should be set to ask your upstreams to allow the announcements.
Do people actually do this?
Just as an example: There are hundreds of more-specifics coming out of 8/8 that have a different origin AS than 8/8 itself, so yes, people do.
Tore
I'm not sure how bad of a practice it really is, however, I've seen it in use in multiple networks and ASes who sublet their IP space, and far as I've known, seem to work fine for most networks. Of course, this may also cause the University itself to be subject to unwanted traffic if for example the BGP session announcing the subletted space goes down. And, whether this violates the RIR regulations is another thing altogether.
SoonKeat
Regards, Neo Soon Keat
2016-08-05 22:38 GMT+08:00 Tore Anderson <tore@fud.no>:
* Mark Tinka
On 5/Aug/16 15:40, Soon Keat Neo wrote:
If you are just announcing more specific address space that you've obtained legitimately off their assigned address space, it should be no problem, just obtain an LoA and register it on the different databases and you should be set to ask your upstreams to allow the announcements.
Do people actually do this?
Just as an example: There are hundreds of more-specifics coming out of 8/8 that have a different origin AS than 8/8 itself, so yes, people do.
Tore
On Aug 5, 2016, at 8:52 AM, Mark Tinka <mark.tinka@seacom.mu> wrote:
On 5/Aug/16 15:40, Soon Keat Neo wrote:
If you are just announcing more specific address space that you've obtained legitimately off their assigned address space, it should be no problem, just obtain an LoA and register it on the different databases and you should be set to ask your upstreams to allow the announcements.
Do people actually do this? A customer asked us to do this for them and we refused, because inconsistent AS has never been a thing.
I'm apprehensive about a subnet and its aggregate appearing from multiple AS's at the same time. But, I'm old school, so...
Mark.
Yes, this is quite prevalent. For example a popular resolver within prefix 8.8.8.0/24 (and also 8.8.4.0/24) has 8.0.0.0/9 advertised by 3356.
Theodore Baschak - AS395089 - Hextet Systems
https://ciscodude.net/ - https://hextet.systems/
https://theodorebaschak.com/ - http://mbix.ca/
Just create a more specific route object (for the /nn you plan to announce) at your RIR, ask the institute to sign a LOA and inform your upstreams. Announcing the more specific is nothing unusual.
Jürgen Jaritsch
Head of Network & Infrastructure
ANEXIA Internetdienstleistungs GmbH
Phone: +43-5-0556-300
Fax: +43-5-0556-500
E-Mail: jjaritsch@anexia-it.com
Web: http://www.anexia.at
Address, Klagenfurt headquarters: Feldkirchnerstraße 140, 9020 Klagenfurt
Managing Director: Alexander Windbichler
Commercial register: FN 289918a | Place of jurisdiction: Klagenfurt | VAT ID: AT U63216601
-----Original Message-----
From: Andrew [andrew@vianet.ca]
Received: Freitag, 05 Aug. 2016, 15:33
To: nanog@nanog.org [nanog@nanog.org]
Subject: Advertising rented IPv4 prefix from a different ASN.
Hello List,
I work for a medium-sized ISP. We are entering an agreement to rent some IPv4 space from a local higher education institution. Being a multi-homed ISP we would like to advertise the rented prefix from our ASN. The prefix that will be advertised is a smaller subnet from the higher education's block; they will continue to advertise the larger prefix.
What is the best way to accomplish this? Is there any way of doing this without having to tunnel the traffic through the origin ASN?
I feel if we just advertise the prefix it will get put on a bogon list for prefix hijacking. This space is rented long term but they are not interested in reassigning the space to us. They also want to keep advertising their prefix as one contiguous block.
I appreciate any insight and information. Thank you for your time, Andrew.
On 04.08.2016 21:39, Andrew wrote:
Hello List,
I work for a medium-sized ISP. We are entering an agreement to rent some IPv4 space from a local higher education institution. Being a multi-homed ISP we would like to advertise the rented prefix from our ASN. The prefix that will be advertised is a smaller subnet from the higher education's block; they will continue to advertise the larger prefix.
What is the best way to accomplish this? Is there any way of doing this without having to tunnel the traffic through the origin ASN?
I feel if we just advertise the prefix it will get put on a bogon list for prefix hijacking. This space is rented long term but they are not interested in reassigning the space to us. They also want to keep advertising their prefix as one contiguous block.
Make sure proper route-objects exist. Should be no big deal then imho. Others do it as well - also advertising the larger block from one ASN and a smaller portion of it from another.
Kind regards, Stefan
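The route-object check that the replies above rely on, as an added example that is not part of the original thread: it parses RPSL route objects and classifies an announcement the way an IRR-derived prefix filter would. The prefixes (198.18.0.0/16 benchmarking space), the ASNs (AS64500, AS64501) and the object text are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed IRR data: benchmarking prefixes and documentation ASNs (assumptions).
AGGREGATE_ONLY = """\
route:  198.18.0.0/16
origin: AS64500
descr:  constructed: institution aggregate
"""
WITH_MORE_SPECIFIC = AGGREGATE_ONLY + """
route:  198.18.4.0/24
origin: AS64501
descr:  constructed: rented block, originated by the ISP
"""

def parse_route_objects(text):
    """Parse RPSL route objects into (network, origin) tuples."""
    objects = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                attrs.setdefault(key.strip().lower(), value.strip())
        if "route" in attrs and "origin" in attrs:
            net = ipaddress.ip_network(attrs["route"], strict=True)
            objects.append((net, attrs["origin"].upper()))
    return objects

def classify(prefix, origin, objects):
    """Classify a BGP announcement against registered route objects."""
    net = ipaddress.ip_network(prefix)
    origin = origin.upper()
    exact = {o for n, o in objects if n == net}
    if origin in exact:
        return "registered"                  # object matches prefix and origin
    if exact:
        return "origin-mismatch"             # prefix registered to another AS
    covering = {o for n, o in objects if net.subnet_of(n)}
    if origin in covering:
        return "unregistered-more-specific"  # own aggregate, no exact object
    if covering:
        return "foreign-more-specific"       # reads as a hijack of the aggregate
    return "unknown"
```

Before the more-specific route object exists, the ISP's /24 classifies as `foreign-more-specific`, which is the hijack-like state the original poster is worried about; once the object is registered it becomes `registered`.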
Hi Andrew,
It is possible, but I would do it... Here is how and why.
If they announce the larger CIDR you will need to keep them as one of your ISPs or you risk losing traffic due to others' inbound policy filtering. However, if they provide you a simple Letter of Authorization to announce the smaller rented CIDR you can use this letter to show other networks that you have the right to announce it and they can email/call to confirm. By announcing the smaller CIDR to others you should see the bulk of the traffic come in via the other backbones.
You can "not reliably" multi-home the IPs without keeping the institution as one of your backbone providers (reason I wouldn't do it). You will always need a peering session with them where you announce to them your CIDR or they static route that traffic to you.
Thank You
Bob Evans
CTO
Hello List,
I work for a medium-sized ISP. We are entering an agreement to rent some IPv4 space from a local higher education institution. Being a multi-homed ISP we would like to advertise the rented prefix from our ASN. The prefix that will be advertised is a smaller subnet from the higher education's block; they will continue to advertise the larger prefix.
What is the best way to accomplish this? Is there any way of doing this without having to tunnel the traffic through the origin ASN?
I feel if we just advertise the prefix it will get put on a bogon list for prefix hijacking. This space is rented long term but they are not interested in reassigning the space to us. They also want to keep advertising their prefix as one contiguous block.
I appreciate any insight and information. Thank you for your time, Andrew.
Andrew wrote on 8/4/2016 2:39 PM:
This space is rented long term but they are not interested in reassigning the space to us.
Isn't this a violation of their agreement with ARIN (https://www.arin.net/resources/request/reassignments.html)?
It's possible that it is a university that has legacy IPs. You have to check.
Thank You
Bob Evans
CTO
Andrew wrote on 8/4/2016 2:39 PM:
This space is rented long term but they are not interested in reassigning the space to us.
Isn't this a violation of their agreement with ARIN (https://www.arin.net/resources/request/reassignments.html)?
On Fri, Aug 5, 2016 at 10:01 AM, Blake Hudson <blake@ispn.net> wrote:
Andrew wrote on 8/4/2016 2:39 PM:
This space is rented long term but they are not interested in reassigning the space to us.
Isn't this a violation of their agreement with ARIN (https://www.arin.net/resources/request/reassignments.html)?
If the space in question is post-1997 then yes, either renting space as an "end user" or failing to SWIP reassigned space as an ISP violates their agreement with ARIN. It could be reported as fraud making everybody unhappy. If the edu's space is a legacy assignment then they have no agreement with ARIN to violate.
On a more practical level, you'll encounter three kinds of trouble:
1. Despite your best efforts, the school will receive some packets intended for you. Make sure you have a tunnel in place to catch them.
2. Reverse path filtering may trip you up if the school hasn't already addressed that with their ISPs.
3. Their own internal firewalls and access control mechanisms which have, over the years, been programmed to act on their entire address space.
Regards,
Bill Herrin
--
William Herrin herrin@dirtside.com bill@herrin.us
Owner, Dirtside Systems Web: <http://www.dirtside.com/>
I would not recommend doing that. If you really do this, please make sure that the owner of the supernet (in this case the university) also does transit for the subnet (which they should as they are supposed to accept and forward traffic for the whole aggregate that they are announcing). Otherwise, for networks that only do partial routing (basically defaults from transits + peering routes), this will create a blackhole in case they peer with the ISP that announces only the supernet, but not with the ISP that announces the subnet, because traffic will always be routed towards the announcement of the supernet only. Same applies if the subnet gets filtered by some people for policy reasons (like no more-specifics of PA space, or smaller than /24...).
Also, be careful that the owner of the supernet doesn't apply inbound anti-spoofing filters at their borders towards transits and peers for traffic from your subnet that is part of their supernet.
Chris
On 04/08/16 21:39, Andrew wrote:
Hello List,
I work for a medium-sized ISP. We are entering an agreement to rent some IPv4 space from a local higher education institution. Being a multi-homed ISP we would like to advertise the rented prefix from our ASN. The prefix that will be advertised is a smaller subnet from the higher education's block; they will continue to advertise the larger prefix.
What is the best way to accomplish this? Is there any way of doing this without having to tunnel the traffic through the origin ASN?
I feel if we just advertise the prefix it will get put on a bogon list for prefix hijacking. This space is rented long term but they are not interested in reassigning the space to us. They also want to keep advertising their prefix as one contiguous block.
I appreciate any insight and information. Thank you for your time, Andrew.
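The partial-routing blackhole described in the message above, as an added example that is not part of the original thread: a small longest-prefix-match model of a network that holds only a default route plus a peering route for the aggregate. The topology, prefixes (198.18.0.0/16 benchmarking space) and ASNs are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed topology; all prefixes and ASNs are assumptions.
UNI, ISP, REMOTE, TRANSIT = "AS64500", "AS64501", "AS64502", "AS64503"
AGGREGATE, RENTED = "198.18.0.0/16", "198.18.4.0/24"

def lookup(rib, dst):
    """Longest-prefix match; returns the next-hop AS, 'local', or None."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in rib.items()
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def trace(ribs, src_as, dst, owner, max_hops=8):
    """Follow best routes AS by AS; return (path, outcome) for dst."""
    path = [src_as]
    while len(path) <= max_hops:
        nh = lookup(ribs.get(path[-1], {}), dst)
        if nh is None:
            return path, "no-route"
        if nh == "local":
            # Traffic that terminates anywhere but the real user is lost.
            return path, "delivered" if path[-1] == owner else "blackholed"
        path.append(nh)
    return path, "loop"

def build_ribs(uni_carries_rented, remote_full_table):
    """RIBs for a remote network that peers with the aggregate's AS only."""
    ribs = {
        ISP: {RENTED: "local"},
        UNI: {AGGREGATE: "local"},
        TRANSIT: {AGGREGATE: UNI, RENTED: ISP},
        REMOTE: {"0.0.0.0/0": TRANSIT, AGGREGATE: UNI},  # default + peering
    }
    if uni_carries_rented:   # session or static route from the university to the ISP
        ribs[UNI][RENTED] = ISP
    if remote_full_table:    # more-specific learned from transit, not filtered
        ribs[REMOTE][RENTED] = TRANSIT
    return ribs
```

With partial routing the peering route for the /16 beats the default, so traffic for the rented /24 lands at the university and is only delivered if the university forwards it on to the ISP.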
On Thu, Aug 4, 2016 at 3:39 PM, Andrew <andrew@vianet.ca> wrote:
Hello List,
[ clip, plenty of advice on these points ]
I feel if we just advertise the prefix it will get put on a bogon list for prefix hijacking. This space is rented long term but they are not interested in reassigning the space to us. They also want to keep advertising their prefix as one contiguous block.
You will also likely need a letter of authorization from the network lending you their space for your upstreams or others. Here's a usable template that you can customize for your own purposes. Hope this helps: http://bit.ly/LOA-0805201601
Caveats, IPv6? Be sure to consult with lawyers, comply with your favorite RIR policy and compare the cost of "renting" to "leasing" or acquiring on the open market. There are a number of sources to acquire IPv4 address space easily found using your favorite search engine. You may also be eligible for a last /22 allocation from RIPE if you qualify under their current policy. See http://bit.ly/LASTCALL-22 for further information.
Best Regards,
-M<
participants (13)
- Andrew
- Blake Hudson
- Bob Evans
- Chris Welti
- David Bass
- Jürgen Jaritsch
- Mark Tinka
- Martin Hannigan
- Soon Keat Neo
- Stefan Neufeind
- Theodore Baschak
- Tore Anderson
- William Herrin