Is it best practice to have the internet facing BGP router's peering ip (or for that matter any key gateway or security appliance) use a statically configured address or use EUI-64 auto config? I have seen comments on both sides and am leaning to EUI-64 (except for the VIP's like the ASA's failover ip )
-Philip
On Jan 29, 2014, at 12:35 PM, Philip Lavine <source_route@yahoo.com> wrote:
Is it best practice to have the internet facing BGP router's peering ip (or for that matter any key gateway or security appliance) use a statically configured address or use EUI-64 auto config?
I have seen comments on both sides and am leaning to EUI-64 (except for the VIP's like the ASA's failover ip )
We configure customers with a statically assigned IP address for BGP peering. They get the IP assigned to them as part of the turn-up process. The same process happens for "IP Classic" aka v4 as v6.
- Jared
(If you are an AS2914 customer and aren't doing IPv6 with us, don't hesitate to ping me and I will get your information over to that team).
On 29/01/2014 17:35, Philip Lavine wrote:
Is it best practice to have the internet facing BGP router's peering ip (or for that matter any key gateway or security appliance) use a statically configured address or use EUI-64 auto config?
how are you going to set up the bgp session from the remote side to an eui-64 auto configured address on your side? best use static here. And make sure to disable RA (with fire, i.e. disable send + receive + answering solicited requests) and EUI64. If it's a point to point link, use a /126 or /127 netmask.
Nick
On Wed, 29 Jan 2014, Nick Hilliard wrote:
On 29/01/2014 17:35, Philip Lavine wrote:
Is it best practice to have the internet facing BGP router's peering ip (or for that matter any key gateway or security appliance) use a statically configured address or use EUI-64 auto config?
how are you going to set up the bgp session from the remote side to an eui-64 auto configured address on your side?
best use static here. And make sure to disable RA (with fire, i.e. disable send + receive + answering solicited requests) and EUI64. If it's a point to point link, use a /126 or /127 netmask.
+1. I've seen some providers do /64 on their point-to-point links. I don't have an issue with that, and the whole /64 vs /126 or /127 debate has been thoroughly beaten into the ground. No need to re-hash it. I have never seen a provider use a pseudo-dynamic address on an interface/BGP peer. Having to reconfigure a BGP session because a provider did a hardware upgrade or moved my link to a new interface would not make me happy.
jms
Agreed, we do a /64 allocation which is reserved for each point to point link, but then subnet it to a /126 for actual use. That way we've got a /64 available if it's ever needed, while keeping the broadcast domain small for now when we don't.
JJ Stonebraker
IP Network Engineering
Grande Communications
512.878.5627
-----Original Message-----
From: Justin M. Streiner [mailto:streiner@cluebyfour.org]
Sent: Wednesday, January 29, 2014 8:44 AM
To: NANOG list
Subject: Re: Fw: ipv6 newbie question
On Wed, 29 Jan 2014, Nick Hilliard wrote:
On 29/01/2014 17:35, Philip Lavine wrote:
Is it best practice to have the internet facing BGP router's peering ip (or for that matter any key gateway or security appliance) use a statically configured address or use EUI-64 auto config?
how are you going to set up the bgp session from the remote side to an eui-64 auto configured address on your side?
best use static here. And make sure to disable RA (with fire, i.e. disable send + receive + answering solicited requests) and EUI64. If it's a point to point link, use a /126 or /127 netmask.
+1. I've seen some providers do /64 on their point-to-point links. I don't have an issue with that, and the whole /64 vs /126 or /127 debate has been thoroughly beaten into the ground. No need to re-hash it. I have never seen a provider use a pseudo-dynamic address on an interface/BGP peer. Having to reconfigure a BGP session because a provider did a hardware upgrade or moved my link to a new interface would not make me happy.
jms
Hi,
Is it best practice to have the internet facing BGP router's peering ip (or for that matter any key gateway or security appliance) use a statically configured address or use EUI-64 auto config?
I have seen comments on both sides and am leaning to EUI-64 (except for the VIP's like the ASA's failover ip )
Static. You don't want to have to contact all of your peers when the EUI-64 address changes when you replace hardware.
Cheers
Sander
There are tradeoffs in both directions. Personally I think administrative simplicity wins over security through obscurity, so I recommend each organization pick a random pair of static addresses and use those two addresses for all of their point to point links. e.g. If your prefix for a given link is 2001:db8:xxxx:yyyy::/64, and you randomly choose the suffixes dead:beef:cafe:babe and dead:beef:cafe:feed as your end-point addresses, then the links would be numbered 2001:db8:xxxx:yyyy:dead:beef:cafe:{babe,feed}. YMMV and I don't recommend using my examples in practice.
Owen
On Jan 29, 2014, at 12:35 PM, Philip Lavine <source_route@yahoo.com> wrote:
Is it best practice to have the internet facing BGP router's peering ip (or for that matter any key gateway or security appliance) use a statically configured address or use EUI-64 auto config?
I have seen comments on both sides and am leaning to EUI-64 (except for the VIP's like the ASA's failover ip )
-Philip
If only there was a best practices doc to help here... Oh wait there is! http://bcop.nanog.org/index.php/IPv6_Subnetting It doesn't specifically mention BGP so as to be protocol agnostic but does recommend allocating a /64 and using a /126 or /127.
On Wed, Jan 29, 2014 at 12:35 PM, Philip Lavine <source_route@yahoo.com> wrote:
Is it best practice to have the internet facing BGP router's peering ip (or for that matter any key gateway or security appliance) use a statically configured address or use EUI-64 auto config?
I have seen comments on both sides and am leaning to EUI-64 (except for the VIP's like the ASA's failover ip )
-Philip
-- [stillwaxin@gmail.com ~]$ cat .signature cat: .signature: No such file or directory [stillwaxin@gmail.com ~]$
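An added example, not part of any poster's message: it derives the modified EUI-64 address a router would auto-configure from its MAC, shows that a hardware swap changes it (which forces every peer to reconfigure), and carves the /126 or /127 out of the /64 reserved for a point-to-point link. The link prefix and MAC addresses are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

def eui64_address(prefix, mac):
    """Address a router would auto-configure on a /64 from its MAC
    (modified EUI-64: insert ff:fe, flip the universal/local bit)."""
    net = ipaddress.IPv6Network(prefix)
    octets = bytearray(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if net.prefixlen != 64 or len(octets) != 6:
        raise ValueError("need a /64 prefix and a 48-bit MAC")
    octets[0] ^= 0x02
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return net[int.from_bytes(iid, "big")]

def p2p_plan(reserved, length=127):
    """Reserve the /64 for the link, number only its first /126 or /127.
    Returns (subnet, local_end, remote_end)."""
    net = ipaddress.IPv6Network(reserved)
    if net.prefixlen != 64 or length not in (126, 127):
        raise ValueError("reserve a /64 and use a /126 or /127 from it")
    subnet = next(net.subnets(new_prefix=length))
    # A /127 uses both addresses (RFC 6164); on a /126 skip the all-zeros
    # subnet-router anycast address and use ::1 and ::2.
    first = 0 if length == 127 else 1
    return subnet, subnet[first], subnet[first + 1]

def peer_address_changes(prefix, old_mac, new_mac):
    """True if a hardware swap would change the EUI-64 peering address."""
    return eui64_address(prefix, old_mac) != eui64_address(prefix, new_mac)

# Constructed sample values: documentation prefix and made-up MACs.
LINK = "2001:db8:0:1::/64"
OLD_MAC, NEW_MAC = "00:1b:21:3a:4c:5d", "00:1b:21:9f:00:11"

if __name__ == "__main__":
    print("EUI-64 before swap:", eui64_address(LINK, OLD_MAC))
    print("EUI-64 after swap: ", eui64_address(LINK, NEW_MAC))
    print("peers must reconfigure:", peer_address_changes(LINK, OLD_MAC, NEW_MAC))
    for length in (127, 126):
        subnet, local, remote = p2p_plan(LINK, length)
        print(f"static {subnet}: local {local}, remote {remote}")
```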
I guess as a follow up question. Do you use the EUI-64 address as the Default gateway or the link local?
On Wednesday, January 29, 2014 2:19 PM, Randy Bush <randy@psg.com> wrote:
rfc 6164
participants (9)
- Jack Stonebraker
- Jared Mauch
- Justin M. Streiner
- Michael Still
- Nick Hilliard
- Owen DeLong
- Philip Lavine
- Randy Bush
- Sander Steffann