Multi-homing without PI space
A "small company wanting to play big company" question: My employer is investigating options for network redundancy as having a functional internet connection is critical to our operation. We're not in any position to even try applying for PI IPv4 space from APNIC (only using a /28), and are in no way close to being ready to think about going to pure IPv6. Clients push to us, so we need to have functional DNS as well as link fail-over. We also have multiple public-facing servers offering the same services, so moving to *shudder* NAT or some kind of port proxying isn't an easy option (clients' internal bureaucracies to get firewall ports opened, client configuration, blah blah blah). So, my question, what are our operational course of action for multi-homing when becoming an AS on the global tubes isn't on the cards? Cheers -- Matthew Poole "The difference between theory and practice is that practice is easier in theory than theory is in practice"
How important is it that the addresses stay the same?
Your simplest option might be to put in some GSLB-type appliances (Both Citrix and F5 have Virtual Appliance versions of these). Stick these in front of your app servers, one on each internet connection, and let them handle failover/load balancing using DNS. As a bonus, you also get a load balancer :)
As far as the address space goes, IIRC needing to multihome alone is justification for a /24, as this is the smallest block acceptable for routing. However if you don't want to go directly down the APNIC route you might be able to work with an upstream to get them to lease you a /24 and AS you can re-announce.
Regards,
Chris
_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog
Further to Chris's comments: you can add A10 Networks and Riverbed to the list of vendors that offer VM-based GSLB services.
Disclaimer - I work for A10 Networks.
Well, it's a right nuisance trying to deal with things if the addresses need to change, but having two very-much-competitor ISPs providing different addresses over two different physical links would seem to make that a necessity. So it's then about how to handle triggering the change in DNS records and routing for multiple servers that have public IP addresses in as seamless a manner as possible with the shortest possible delay between link 1 failing and link 2 becoming the path for inbound and outbound traffic.

On 6/11/2013 11:35, Chris Jones wrote:
How important is it that the addresses stay the same?
-- Matthew Poole "The difference between theory and practice is that practice is easier in theory than theory is in practice"
We've just set up an account with dnsmadeeasy.com - cheap service, and it will monitor IPs using multiple protocols (HTTP/S, TCP, SNMP) and can do DNS failover with a 3-minute TTL.
You could do that with 1:1 NAT instead of having public IPs directly on the servers.

Then you simply need to update DNS records pointing to the other IP. You could have multiple failure layers there - default gateway redundancy through your ISP, external services monitoring the IPs and triggering a DNS update in the event of a certain failure.
-- Regards, Mark L. Tees
Two ISPs and GSLB for inbound services and LLB (link load balancing) for outbound will also do what you need.
On Nov 6, 2013, at 7:46 AM, Mark Tees
You could do that with 1:1 NAT instead of having public IPs directly on the servers.
And then watch the NAT fall over whenever some attacker breathes a few packets across it.
;>
https://app.box.com/s/a3oqqlgwe15j8svojvzl
Not a good idea.
-----------------------------------------------------------------------
Roland Dobbins
Not that I'm saying that NAT is the appropriate solution, but if you are having "NAT fall over whenever some attacker breathes a few packets across it" then you are doing it waaaay wrong.
You could do that with 1:1 NAT instead of having public IPs directly on the servers.
And then watch the NAT fall over whenever some attacker breathes a few packets across it. ;>
On Nov 8, 2013, at 3:33 AM, Tony Wicks
Not that I'm saying that NAT is the appropriate solution, if you are having "NAT fall over whenever some attacker breathes a few packets across it" then you are doing it waaaay wrong.
It's easy to cause NATs to tip over due to state-exhaustion. There's no way to do it 'right', heh.
-----------------------------------------------------------------------
Roland Dobbins
On Wed, Nov 06, 2013 at 11:30:49AM +1300, Matthew Poole wrote:
So, my question, what are our operational course of action for multi-homing when becoming an AS on the global tubes isn't on the cards?
Cheers
-- Matthew Poole
Expand your scope beyond APNIC. The goal is still reachable.

/bill
Hello,

How about using a third-party cloud load balancer? You could add multiple internet connections at your office but have the public IP in the cloud. This would have the benefit of no expensive equipment at your office. I am unsure of pricing, but some options also support DDoS/IPS/WAF. I believe Slashdot uses one.

Gareth Davies
Senior Systems Administrator
DD +64 9 574 0123 EXT 8465
www.fphcare.com
On 6/11/2013 11:30 a.m., Matthew Poole wrote:
A "small company wanting to play big company" question: My employer is investigating options for network redundancy as having a functional internet connection is critical to our operation. We're not in any position to even try applying for PI IPv4 space from APNIC (only using a /28), and are in no way close to being ready to think about going to pure IPv6. Clients push to us, so we need to have functional DNS as well as link fail-over. We also have multiple public-facing servers offering the same services, so moving to *shudder* NAT or some kind of port proxying isn't an easy option (clients' internal bureaucracies to get firewall ports opened, client configuration, blah blah blah).
So, my question, what are our operational course of action for multi-homing when becoming an AS on the global tubes isn't on the cards?
Cheers
"We're not in any position to even try applying for PI IPv4 space from APNIC (only using a /28)" Why not? From APNIC's website: /Criteria for small multihoming delegations// /// * /An organization is eligible if it is currently multihomed with provider-based addresses, or demonstrates a plan to multihome within one month./ * /Organizations requesting a delegation under these terms must demonstrate that they are able to use 25% of the requested addresses immediately and 50% within one year./ Very easy criteria to meet.. We had a /27 from our ISP and had no trouble getting a /24 from apnic. Matt.
Not sure if I am correct here, but if they are using a /28 now, to comply with the APNIC rules as per the below they would need to show use for 25% now (a /26) and within one year use of a /25 (50% of address space).
It may be that APNIC will let them be a bit fuzzy about the exact number “in use”, but the rules would seem to exclude them, as they would need to quadruple their use of IP addressing from a /28 to a /26 immediately.
Again - not an APNIC rules expert and I could be wrong here.
Regards
Alexander
Alexander Neilson
Neilson Productions Limited
alexander(a)neilson.net.nz
021 329 681
022 456 2326
"immediately" not "currently" :) perhaps you need the new space to host a bunch of HTTPS web sites, which don't currently exist? Finding a use for the new space is the easy part. We went from using about half a /27 to getting our second /24 within 2 years. Matt. On 6/11/2013 12:22 p.m., Alexander Neilson wrote:
Not sure if I am correct here but if they are using a /28 now to comply with the APNIC rules as per the below they would need to show use for 25% now (a /26) and within one year using a /25 (50% of address space).
It may be that APNIC may let them be a bit fuzzy about the exact number “in use” but the rules would seem to exclude them as they would need to quadruple their use of IP Addressing /28 to /26 immediately.
Again - not an APNIC rules expert and I could be wrong here.
Regards Alexander
Alexander Neilson Neilson Productions Limited
alexander(a)neilson.net.nz mailto:alexander(a)neilson.net.nz 021 329 681 022 456 2326
On 6/11/2013, at 12:15 pm, Matt Richards
mailto:matt(a)shakesbeare.com> wrote: On 6/11/2013 11:30 a.m., Matthew Poole wrote:
A "small company wanting to play big company" question: My employer is investigating options for network redundancy as having a functional internet connection is critical to our operation. We're not in any position to even try applying for PI IPv4 space from APNIC (only using a /28), and are in no way close to being ready to think about going to pure IPv6. Clients push to us, so we need to have functional DNS as well as link fail-over. We also have multiple public-facing servers offering the same services, so moving to *shudder* NAT or some kind of port proxying isn't an easy option (clients' internal bureaucracies to get firewall ports opened, client configuration, blah blah blah).
So, my question, what are our operational course of action for multi-homing when becoming an AS on the global tubes isn't on the cards?
Cheers
"We're not in any position to even try applying for PI IPv4 space from APNIC (only using a /28)"
Why not? From APNIC's website:
/Criteria for small multihoming delegations// ///
* /An organization is eligible if it is currently multihomed with provider-based addresses, or demonstrates a plan to multihome within one month./ * /Organizations requesting a delegation under these terms must demonstrate that they are able to use 25% of the requested addresses immediately and 50% within one year./
Very easy criteria to meet.. We had a /27 from our ISP and had no trouble getting a /24 from apnic.
Matt. _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz mailto:NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog
You probably need to consider the level of diversity you require and the costs of achieving it; another possibility would be to select an ISP who are able to deliver connectivity via multiple circuits (say, one via Vector, one via TelstraVodaWhatever) with common Layer 3. Then you could arrange private-AS BGP peering with your ISP for physical and carrier level diversity, but the usual rules would not apply regarding IP space as you'd continue to use a smaller block routed to you by your ISP.

Doing this would remove the need to be an APNIC member, and perhaps save you on your diverse connectivity option if your ISP does you a deal. Also depending on the way you pay for bandwidth it could work out to your advantage to do this if you don't want to become your own real-world AS with the overheads that apply to this.
Mark.
With a /whole/ hell of a lot of fudging we could just about make it to halfway between a /27 and a /26. Maybe. We're not that kind of service provider. Also, we're into the IPv4 end-times, which I would imagine has changed APNIC's attitude towards application vetting rather substantially.

Curious about the suggestion to look beyond APNIC. Google suggests to me that all the RIRs are applying very similar policies to PI allocation as APNIC, as all except ARIN are into their last /8.

For link diversity, our premises are not located on any existing fibre routes. The current ISP had to lay in fibre to get us connected and any future ISP will similarly have to do the same since the current one is unlikely to be willing to share (or be asked to share). On that basis, doing this at layer three is really the only feasible option if we do it at all.
-- Matthew Poole "The difference between theory and practice is that practice is easier in theory than theory is in practice"
If you don't have physical link diversity, why not simply choose an ISP with multiple backhauls and leave it at that? I.e. pay your ISP to provide the Layer 3 diversity for you.

Without layer 1/2 I don't see what advantage you're really getting out of the mucking around.

Mark.
Or use radio for the second link, assuming it's about not falling off the tubes as opposed to having reduced capacity for a short period. Having said that, radio is fairly amazing now - we have a 17km link that's easily as good as, if not better than, any of the low end copper based consumer products.

Gerard
-- Netspace Services Limited
http://www.netspace.net.nz
Phone +64 4 917 8098 Mobile +64 21 246 2266
Level 4, 191 Thorndon Quay, Thorndon
PO Box 12-082, Thorndon, Wellington 6004, New Zealand
I should point out that I'm quite happy to have one ISP delivering over one physical circuit, provided the ISP has demonstrated sufficient historic availability. But the man who pays my salary is interested in having a second link for redundancy purposes, which means I will ask the question and try to provide him some meaningful information.

I've already explained about the hurdle of being too small for PI so needing to engage in complicated internal trickery. Unless someone from APNIC wants to pop up and clarify that the rules for PI don't actually mean what they appear to mean, and you can get PI if the entire need is based on multi-homing regardless of how many addresses are actually going to be utilised? Which would seem to be an extraordinarily dangerous policy.
-- Matthew Poole "The difference between theory and practice is that practice is easier in theory than theory is in practice"
Just throwing another concept out there (the cloud solution someone posted earlier inspired it):

- Two ISP connections
- Two ISP /28's (non PI)
- Short DNS TTLs
- Failover means
--- Change to DNS
--- Change to default gateway / outbound router on your edge (or use some sort of appliance to manage this your end).

To move to the second carrier, update the DNS to point at your alternative ISP's addresses, and require your external sources to follow DNS and adhere to TTLs.

If you can't meet the APNIC requirements for delegation from them, this would seem an easy enough option...?
On 6/11/2013 10:26, Matt Richards wrote:
perhaps you need the new space to host a bunch of HTTPS web sites, which don't currently exist?
With Windows XP due to be EOL'ed in April 2014 (less than 6 months away), and market share at 31% and falling, [0] is HTTPS *still* a justifiable reason to be hoarding IPv4 space? (No.) -- [0] XP is falling faster than IPv6 is gaining, which is what counts.
On 2013-11-06, at 16:16, Jeremy Visser
On 6/11/2013 10:26, Matt Richards wrote:
perhaps you need the new space to host a bunch of HTTPS web sites, which don't currently exist?
With Windows XP due to be EOL'ed in April 2014 (less than 6 months away), and market share at 31% and falling, [0] is HTTPS *still* a justifiable reason to be hoarding IPv4 space?
(No.)
I think the useful advice for people on this list concerns the intersection between operations and existing policy. You seem to be talking about an opinion about what future policy should look like. It almost feels like you've confused nznog with an APNIC policy list. Full marks for the .name domain though! Yours is only the second I've ever actually seen used by someone (the other one is on the business card of a Canadian magician that I keep proudly displayed as a rare artefact on my desk). Joe
On Thu, 7 Nov 2013, Jeremy Visser wrote:
On 6/11/2013 10:26, Matt Richards wrote:
perhaps you need the new space to host a bunch of HTTPS web sites, which don't currently exist?
With Windows XP due to be EOL'ed in April 2014 (less than 6 months away), and market share at 31% and falling, [0] is HTTPS *still* a justifiable reason to be hoarding IPv4 space?
It is not just Windows XP that doesn't support SNI, more details here: http://en.wikipedia.org/wiki/Server_Name_Indication#Support and specifically RHEL/Centos 5.x doesn't support SNI: http://centoshelp.org/security/apache-httpd-with-ssl-https-secure-socket-lay...
-- Simon Lyall | Very Busy | Web: http://www.darkmere.gen.nz/ "To stay awake all night adds a day to your life" - Stilgar | eMT.
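Since the SNI question keeps coming up in this thread, here is an added illustration (my own example code, not posted by anyone in the thread) of what a server actually sees: a parser that pulls the server_name out of a TLS ClientHello, plus a builder that constructs two sample hellos, one with SNI and one with no extensions block at all, which is the shape an SNI-less client such as XP-era IE sends. The sni_coverage helper is the count an operator would take from real captures before deciding whether per-site IPv4 addresses are still justified. Function names and the sample cipher suites are my own choices.

```python
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def _take(buf, pos, n):
    """Return buf[pos:pos+n], raising if the buffer is shorter than its length fields claim."""
    if pos + n > len(buf):
        raise ValueError("truncated TLS data")
    return buf[pos:pos + n]


def build_client_hello(server_name=None):
    """Constructed sample input: a minimal TLS 1.0 ClientHello record.

    With server_name=None the hello carries no extensions block at all, which is
    what SNI-less clients (XP-era Internet Explorer, RHEL 5 httpd clients) send."""
    body = b"\x03\x01" + bytes(32)                        # client_version, random (zeros in the sample)
    body += b"\x00"                                       # empty session_id
    suites = b"\x00\x2f\x00\x35"                          # two RSA/AES-CBC suites, enough for a sample
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                   # one compression method: null
    if server_name is not None:
        host = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name carried in the ClientHello's SNI extension, or None if absent."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = _take(record, 5, rec_len)
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = _take(hs, 4, int.from_bytes(hs[1:4], "big"))
    pos = 2 + 32                                          # skip client_version and random
    pos += 1 + _take(body, pos, 1)[0]                     # session_id
    pos += 2 + struct.unpack("!H", _take(body, pos, 2))[0]  # cipher_suites
    pos += 1 + _take(body, pos, 1)[0]                     # compression_methods
    if pos == len(body):
        return None                                       # no extensions block: a pre-SNI client
    ext_len = struct.unpack("!H", _take(body, pos, 2))[0]
    pos += 2
    end = pos + ext_len
    _take(body, pos, ext_len)                             # bounds-check the whole extensions block
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = _take(body, pos, elen)
        pos += elen
        if etype == EXT_SERVER_NAME:
            return _parse_server_name(data)
    return None


def _parse_server_name(data):
    """Walk the ServerNameList and return the first host_name entry."""
    list_len = struct.unpack("!H", _take(data, 0, 2))[0]
    pos, end = 2, 2 + list_len
    while pos + 3 <= end:
        name_type = data[pos]
        name_len = struct.unpack("!H", _take(data, pos + 1, 2))[0]
        pos += 3
        name = _take(data, pos, name_len)
        pos += name_len
        if name_type == 0:
            return name.decode("idna")
    return None


def sni_coverage(records):
    """Count ClientHellos with and without SNI: the figure an operator wants from real
    captures before deciding whether per-site IPv4 addresses are still justified."""
    with_sni = sum(1 for r in records if extract_sni(r) is not None)
    return with_sni, len(records) - with_sni
```

A record that claims more bytes than it carries raises rather than returning a half-parsed name, which matters if this logic ever fronts a listener that picks a certificate based on the result.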
For a small customer why not just build redundancy with your ISP? Eg 2x circuits with two different access providers, BGP with a private ASN to two different routers at the ISP side. Outages tend to affect a particular router/BRAS/access handover so by making that redundant you're achieving "pretty good" redundancy.
-Scott
From: nznog-bounces(a)list.waikato.ac.nz
From APNIC's website:
Criteria for small multihoming delegations
* An organization is eligible if it is currently multihomed with provider-based addresses, or demonstrates a plan to multihome within one month.
* Organizations requesting a delegation under these terms must demonstrate that they are able to use 25% of the requested addresses immediately and 50% within one year.
Very easy criteria to meet.. We had a /27 from our ISP and had no trouble getting a /24 from apnic.
Matt.
We went the apnic/small multihoming route because our ISP had a entire-state (NSW) all-day outage :) Matt. On 6/11/2013 12:30 p.m., Scott Pettit wrote:
For a small customer why not just build redundancy with your ISP? Eg 2x circuits with two different access providers, BGP with a private ASN to two different routers at the ISP side. Outages tend to affect a particular router/BRAS/access handover so by making that redundant you're achieving "pretty good" redundancy.
-Scott
From: nznog-bounces(a)list.waikato.ac.nz on behalf of Alexander Neilson
Sent: Wednesday, 6 November 2013 12:22:04 p.m.
To: Matt Richards
Cc: NZNOG
Subject: Re: [nznog] Multi-homing without PI space
Not sure if I am correct here but if they are using a /28 now to comply with the APNIC rules as per the below they would need to show use for 25% now (a /26) and within one year using a /25 (50% of address space). It may be that APNIC may let them be a bit fuzzy about the exact number "in use" but the rules would seem to exclude them as they would need to quadruple their use of IP Addressing /28 to /26 immediately.
Again - not an APNIC rules expert and I could be wrong here.
Regards Alexander
Alexander Neilson Neilson Productions Limited
alexander(a)neilson.net.nz mailto:alexander(a)neilson.net.nz 021 329 681 022 456 2326
On 6/11/2013, at 12:15 pm, Matt Richards wrote:
On 6/11/2013 11:30 a.m., Matthew Poole wrote:
A "small company wanting to play big company" question: My employer is investigating options for network redundancy as having a functional internet connection is critical to our operation. We're not in any position to even try applying for PI IPv4 space from APNIC (only using a /28), and are in no way close to being ready to think about going to pure IPv6. Clients push to us, so we need to have functional DNS as well as link fail-over. We also have multiple public-facing servers offering the same services, so moving to *shudder* NAT or some kind of port proxying isn't an easy option (clients' internal bureaucracies to get firewall ports opened, client configuration, blah blah blah).
So, my question, what are our operational course of action for multi-homing when becoming an AS on the global tubes isn't on the cards?
Cheers
"We're not in any position to even try applying for PI IPv4 space from APNIC (only using a /28)"
Why not? From APNIC's website:
Criteria for small multihoming delegations
* An organization is eligible if it is currently multihomed with provider-based addresses, or demonstrates a plan to multihome within one month.
* Organizations requesting a delegation under these terms must demonstrate that they are able to use 25% of the requested addresses immediately and 50% within one year.
Very easy criteria to meet.. We had a /27 from our ISP and had no trouble getting a /24 from apnic.
Matt.
You can step outside your comfort zone and use LISP with two ISPs to build a fully redundant and multi-homed office environment over two commodity ISP connections…..
Something like…
http://vinciconsulting.com/blog/-/blogs/what-does-lisp-have-to-do-with-multi...
Macca
From: Matt Richards
From APNIC's website:
Criteria for small multihoming delegations
* An organization is eligible if it is currently multihomed with provider-based addresses, or demonstrates a plan to multihome within one month.
* Organizations requesting a delegation under these terms must demonstrate that they are able to use 25% of the requested addresses immediately and 50% within one year.
Very easy criteria to meet.. We had a /27 from our ISP and had no trouble getting a /24 from apnic.
Matt.
Arrr snap... beaten by 3 minutes...
From: nznog-bounces(a)list.waikato.ac.nz
[mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Scott Pettit
Sent: Wednesday, 6 November 2013 12:31 p.m.
To: Alexander Neilson; Matt Richards
Cc: NZNOG
Subject: Re: [nznog] Multi-homing without PI space
For a small customer why not just build redundancy with your ISP? Eg 2x
circuits with two different access providers, BGP with a private ASN to two
different routers at the ISP side. Outages tend to affect a particular
router/BRAS/access handover so by making that redundant you're achieving
"pretty good" redundancy.
-Scott
From: nznog-bounces(a)list.waikato.ac.nz
From APNIC's website:
Criteria for small multihoming delegations
* An organization is eligible if it is currently multihomed with provider-based addresses, or demonstrates a plan to multihome within one month.
* Organizations requesting a delegation under these terms must demonstrate that they are able to use 25% of the requested addresses immediately and 50% within one year.
Very easy criteria to meet.. We had a /27 from our ISP and had no trouble getting a /24 from apnic.
Matt.
On 2013-11-05, at 15:22, Alexander Neilson
Not sure if I am correct here but if they are using a /28 now to comply with the APNIC rules as per the below they would need to show use for 25% now (a /26) and within one year using a /25 (50% of address space).
Late to this party, but perhaps worth mentioning that there's no requirement to use RFC1918 space in your network plan. Add up your phones, printers, laptops, IP-enabled fridges, and bingo, you qualify.
Quite some time ago a few people wrote up a description of options relating to IPv4 multi-homing. It's old, and it doesn't really touch address assignment or AS number assignment. It's from before "GSLB" was a thing, too. Might still be worth a read, though.
http://www.ietf.org/rfc/rfc4116.txt
Joe
On 6/11/2013 14:21, Joe Abley wrote:
On 2013-11-05, at 15:22, Alexander Neilson wrote:
Not sure if I am correct here but if they are using a /28 now to comply with the APNIC rules as per the below they would need to show use for 25% now (a /26) and within one year using a /25 (50% of address space).
Late to this party, but perhaps worth mentioning that there's no requirement to use RFC1918 space in your network plan. Add up your phones, printers, laptops, IP-enabled fridges, and bingo, you qualify.
Quite some time ago a few people wrote up a description of options relating to IPv4 multi-homing. It's old, and it doesn't really touch address assignment or AS number assignment. It's from before "GSLB" was a thing, too. Might still be worth a read, though.
http://www.ietf.org/rfc/rfc4116.txt
Joe
Oh, now that really does change things! -- Matthew Poole "The difference between theory and practice is that practice is easier in theory than theory is in practice"
My understanding is multi-homing alone is enough to get a /24 from APNIC without justifying each address (after all you cant multi-home with less than a /24). Is this not the case? Presumably the same would be true for wanting a /24 to peer on APE/etc. Although what with APNIC fees it wouldn't be real cheap. PS: why do citylink require a /24 to peer? Joel van Velden On 6/11/2013 12:22 p.m., Alexander Neilson wrote:
Not sure if I am correct here but if they are using a /28 now to comply with the APNIC rules as per the below they would need to show use for 25% now (a /26) and within one year using a /25 (50% of address space).
It may be that APNIC may let them be a bit fuzzy about the exact number "in use" but the rules would seem to exclude them as they would need to quadruple their use of IP Addressing /28 to /26 immediately.
Again - not an APNIC rules expert and I could be wrong here.
Regards Alexander
Alexander Neilson Neilson Productions Limited
alexander(a)neilson.net.nz mailto:alexander(a)neilson.net.nz 021 329 681 022 456 2326
On 6/11/2013, at 12:15 pm, Matt Richards wrote:
On 6/11/2013 11:30 a.m., Matthew Poole wrote:
A "small company wanting to play big company" question: My employer is investigating options for network redundancy as having a functional internet connection is critical to our operation. We're not in any position to even try applying for PI IPv4 space from APNIC (only using a /28), and are in no way close to being ready to think about going to pure IPv6. Clients push to us, so we need to have functional DNS as well as link fail-over. We also have multiple public-facing servers offering the same services, so moving to *shudder* NAT or some kind of port proxying isn't an easy option (clients' internal bureaucracies to get firewall ports opened, client configuration, blah blah blah).
So, my question, what are our operational course of action for multi-homing when becoming an AS on the global tubes isn't on the cards?
Cheers
"We're not in any position to even try applying for PI IPv4 space from APNIC (only using a /28)"
Why not? From APNIC's website:
Criteria for small multihoming delegations
* An organization is eligible if it is currently multihomed with provider-based addresses, or demonstrates a plan to multihome within one month.
* Organizations requesting a delegation under these terms must demonstrate that they are able to use 25% of the requested addresses immediately and 50% within one year.
Very easy criteria to meet.. We had a /27 from our ISP and had no trouble getting a /24 from apnic.
Matt.
On 2013-11-06, at 16:59, Joel van Velden
My understanding is multi-homing alone is enough to get a /24 from APNIC without justifying each address (after all you cant multi-home with less than a /24). Is this not the case?
It's difficult to persuade anybody other than the person you're directly paying money to to accept a longer v4 prefix than a /24. When you multi-home, you're usually interested in the propagation of your prefixes being as global as possible. So in every practical sense, you're right, you need to advertise prefixes of length 24 bits or shorter if you want to multi-home.
Presumably the same would be true for wanting a /24 to peer on APE/etc.
Although what with APNIC fees it wouldn't be real cheap.
PS: why do citylink require a /24 to peer?
Consenting peers (in the BGP sense) can exchange whatever routes they want. There's no reason you can't exchange /32s with your direct peers, if you have an agreement to do so. Joe
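An added illustration of Joe's two points above (example code of my own, not from the thread): a transit-facing filter that only passes prefixes short enough to propagate globally (/24 for v4 and /48 for v6, assumed here as the usual operator limits), and a direct-peer filter that accepts any length, /32s included, as long as the prefix sits inside what that peer agreed to announce. The documentation prefixes and the agreed-range list are constructed.

```python
import ipaddress

# Longest prefix most transit networks will carry; anything longer is normally dropped.
# Assumed limits, matching the /24 figure discussed in this thread.
MAX_GLOBAL_PREFIXLEN = {4: 24, 6: 48}


def routable_globally(prefix):
    """True if a prefix is short enough to be propagated beyond the network you pay."""
    net = ipaddress.ip_network(prefix, strict=True)
    return net.prefixlen <= MAX_GLOBAL_PREFIXLEN[net.version]


def accept_from_peer(prefix, agreed):
    """Inbound filter for a direct BGP peer: any length is fine, but only prefixes that
    fall inside the blocks that peer agreed to announce (their assigned ranges)."""
    net = ipaddress.ip_network(prefix, strict=True)
    return any(net.version == a.version and net.subnet_of(a)
               for a in map(ipaddress.ip_network, agreed))


def classify_announcements(announcements, agreed):
    """Run each (prefix, source) through the matching policy and return
    (prefix, source, accepted, reason) tuples, as an edge router policy would."""
    decisions = []
    for prefix, source in announcements:
        if source == "transit":
            ok = routable_globally(prefix)
            reason = "length ok for global table" if ok else "longer than /24 or /48"
        elif source == "peer":
            ok = accept_from_peer(prefix, agreed)
            reason = "inside agreed range" if ok else "outside agreed range"
        else:
            ok, reason = False, "unknown source"
        decisions.append((prefix, source, ok, reason))
    return decisions


if __name__ == "__main__":
    # Constructed sample: the same /28 heard from transit and from a direct peer.
    agreed = ["203.0.113.0/24", "2001:db8::/32"]
    heard = [("203.0.113.0/28", "transit"), ("203.0.113.0/28", "peer"),
             ("198.51.100.7/32", "peer"), ("2001:db8:1::/48", "transit")]
    for row in classify_announcements(heard, agreed):
        print(row)
```

The same /28 is rejected when it arrives via transit and accepted when it arrives from the peer that owns the covering /24, which is the distinction between "what the world will carry" and "what two consenting routers exchange".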
Hmmmm I might need to do an "Applying for addresses from APNIC Mythbusters" session at the conference in January[1] Dean [1] NZNOG conference is in January, registrations are now open, you should all come. This has been a shameless plug for an awesome event. http://nznog.org !!!
This technique may help you for inbound services: http://www.don.nz.net/wordpress/poor-mans-anycast/ For outbound, if you can't do a redundant connection with your ISP (or if such an arrangement with one ISP is not acceptable), you'll need some kind of link fail-over on your border gateway, possibly based on a ping of an upstream gateway or known-good host (or hosts). You'll lose active NAT sessions as your external IP changes, but new connections will work. -- don On 06/11/13 11:30, Matthew Poole wrote:
A "small company wanting to play big company" question: My employer is investigating options for network redundancy as having a functional internet connection is critical to our operation. We're not in any position to even try applying for PI IPv4 space from APNIC (only using a /28), and are in no way close to being ready to think about going to pure IPv6. Clients push to us, so we need to have functional DNS as well as link fail-over. We also have multiple public-facing servers offering the same services, so moving to *shudder* NAT or some kind of port proxying isn't an easy option (clients' internal bureaucracies to get firewall ports opened, client configuration, blah blah blah).
So, my question, what are our operational course of action for multi-homing when becoming an AS on the global tubes isn't on the cards?
Cheers
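Both the "two ISP /28s plus short TTLs" concept posted earlier and Don's note on outbound fail-over describe the same controller, so here is one added worked example covering both (my own code, not posted by anyone in the thread): it probes known-good hosts out of each interface, applies failure and recovery thresholds so a flapping circuit does not bounce the edge back and forth, and on a switch emits the new default route plus A records inside the other ISP's /28 with a short TTL. The probe is injected as a callable; on a Linux edge it would wrap ping -I <iface>. Link names, documentation-range addresses, the service list and the thresholds are all constructed.

```python
import ipaddress
from dataclasses import dataclass, field

FAIL_THRESHOLD = 3   # consecutive failed probes before we abandon the active link
OK_THRESHOLD = 5     # consecutive good probes on the preferred link before failing back
DNS_TTL = 60         # seconds; the short TTL the thread proposes for external names


@dataclass
class Link:
    name: str
    iface: str
    gateway: str       # ISP-side gateway on this circuit (constructed, documentation ranges)
    public_net: str    # the /28 this ISP assigned us


@dataclass
class FailoverState:
    active: str
    fail_count: dict = field(default_factory=dict)
    ok_count: dict = field(default_factory=dict)


def probe(link, targets, ping):
    """A link is up if any known-good target answers when probed out of its interface.
    ping(iface, target) is injected; a real one would run `ping -c 1 -I <iface> <target>`."""
    return any(ping(link.iface, t) for t in targets)


def switch_to(state, link, services):
    """Produce the edge changes for moving to `link`: a new default route and A records
    pointing at the same host offsets inside that ISP's /28. Existing NAT sessions are
    lost when the external address changes; only new connections follow."""
    net = ipaddress.ip_network(link.public_net)
    state.active = link.name
    dns = [(name, str(net[offset]), DNS_TTL) for name, offset in services.items()]
    return {"route": f"ip route replace default via {link.gateway} dev {link.iface}",
            "dns": dns}


def step(state, links, targets, services, ping):
    """One monitoring tick: update counters, then decide whether to move. Returns the
    actions to apply, or None when nothing changes. links[0] is the preferred circuit."""
    for link in links:
        up = probe(link, targets, ping)
        state.fail_count[link.name] = 0 if up else state.fail_count.get(link.name, 0) + 1
        state.ok_count[link.name] = state.ok_count.get(link.name, 0) + 1 if up else 0
    active = next(l for l in links if l.name == state.active)
    if state.fail_count[active.name] >= FAIL_THRESHOLD:
        for standby in links:
            if standby.name != active.name and state.ok_count[standby.name] > 0:
                return switch_to(state, standby, services)
        return None   # nothing usable right now; stay put rather than flap
    preferred = links[0]
    if active.name != preferred.name and state.ok_count[preferred.name] >= OK_THRESHOLD:
        return switch_to(state, preferred, services)
    return None


def worst_case_failover_seconds(probe_interval):
    """Time from circuit loss until every well-behaved client follows DNS:
    detection (FAIL_THRESHOLD probes) plus one full TTL of cached answers."""
    return FAIL_THRESHOLD * probe_interval + DNS_TTL


if __name__ == "__main__":
    # Constructed simulation: ISP A dies for three ticks, then comes back.
    links = [Link("isp-a", "eth0", "203.0.113.1", "203.0.113.0/28"),
             Link("isp-b", "eth1", "198.51.100.1", "198.51.100.0/28")]
    services = {"push.example.com": 5}
    reach = {"eth0": True, "eth1": True}
    st = FailoverState(active="isp-a")
    for tick in range(10):
        reach["eth0"] = tick not in (1, 2, 3)
        act = step(st, links, ["192.0.2.10"], services, ping=lambda i, t: reach[i])
        print(tick, st.active, act)
```

Clients that ignore TTLs (the "require your external sources to adhere to TTLs" caveat in the earlier post) will keep hitting the old ISP's address for as long as they cache it, so worst_case_failover_seconds is a floor, not a guarantee.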
On Wed, Nov 6, 2013 at 11:30 AM, Matthew Poole
A "small company wanting to play big company" question: My employer is investigating options for network redundancy as having a functional internet connection is critical to our operation. We're not in any position to even try applying for PI IPv4 space from APNIC (only using a /28), and are in no way close to being ready to think about going to pure IPv6.
I don't understand "Not in any position to even try applying".... Any organisation joining can apply for up to a /22 of IPv4 and get up to a /32 of IPv6 for no additional cost. This is not a problem that needs a convoluted hardware solution.
On 6/11/2013 12:56, Andy Linton wrote:
I don't understand "Not in any position to even try applying"....
Any organisation joining can apply for up to a /22 of IPv4 and get up to a /32 of IPv6 for no additional cost.
This is not a problem that needs a convoluted hardware solution.
Oh, sure, we *could* absolutely apply, but we're so far away from meeting APNIC's criteria to be given a v4 allocation that it would be a wasted effort. Have to be using a /26 now (or within a month of allocation) and be able to use a /25 within a year. We would have to fudge and bluff and make crap up just to stretch things to a /26 after 12 months. Getting to a /25 would mean putting public addresses on all our desktops and all our internal servers. -- Matthew Poole "The difference between theory and practice is that practice is easier in theory than theory is in practice"
I simply don't have time to read this thread in the middle of an IETF meeting, but I do suggest reading the following draft, which is stuck in the RFC publication queue waiting for a reference to be published (i.e. it is fully approved). http://tools.ietf.org/html/draft-ietf-v6ops-ipv6-multihoming-without-ipv6nat... Regards Brian Carpenter On 06/11/2013 11:30, Matthew Poole wrote:
A "small company wanting to play big company" question: My employer is investigating options for network redundancy as having a functional internet connection is critical to our operation. We're not in any position to even try applying for PI IPv4 space from APNIC (only using a /28), and are in no way close to being ready to think about going to pure IPv6. Clients push to us, so we need to have functional DNS as well as link fail-over. We also have multiple public-facing servers offering the same services, so moving to *shudder* NAT or some kind of port proxying isn't an easy option (clients' internal bureaucracies to get firewall ports opened, client configuration, blah blah blah).
So, my question, what are our operational course of action for multi-homing when becoming an AS on the global tubes isn't on the cards?
Cheers
On Nov 6, 2013, at 5:30 AM, Matthew Poole
So, my question, what are our operational course of action for multi-homing when becoming an AS on the global tubes isn't on the cards?
Per the many other comments on this thread, multihoming can almost certainly be accomplished by your organization with IPv4 PI space.
But you're still single-threaded in terms of your IDC. Not to mention the possibility of converged fibre paths, et. al.
Other folks in this thread have mentioned moving your public-facing properties into a cloud-type deployment. This is by far the most sensible thing to do, IMHO.
And don't forget about any single-threaded issues in your middle and back-end tiers.
-----------------------------------------------------------------------
Roland Dobbins
There's a degree of fibre path convergence due to our premises location (only one practical approach, without spending six figures to trench through a very, very long parking lot or trying to get easement under the Parnell rail switching yards), but it will be separate conduits going to separate provider end-points. In terms of sticking stuff into "the cloud", going properly into the cloud is a no-go because the data some of our clients provide has significant data sovereignty concerns associated; Banks, health insurers, etc. Keeping it in NZ is easier but if we can't get the data into our processing systems it's useless to us, and putting *those* into someone else's DC carries significant cost, as well as making it even more vital to have full link redundancy because if our staff can't connect to those systems they can't do their work. If any of you who have looked me up on LinkedIn have then gone and looked up my employer, you will have seen that we're not a "service provider" in the normal sense. We need to have public-facing systems so clients can push data and we can place data for them to retrieve, but we don't provide services to the public at large. I've certainly seen some good ideas come out of this, but if I just need to come up with a numbering plan to put all our networked systems onto public space I'm nearly at a /25 without even accounting for the WiFI DHCP pool or some additional system/head count increases. On 7/11/2013 23:23, Dobbins, Roland wrote:
But you're still single-threaded in terms of your IDC. Not to mention the possibility of converged fibre paths, et. al.
Other folks in this thread have mentioned moving your public-facing properties into a cloud-type deployment. This is by far the most sensible thing to do, IMHO.
And don't forget about any single-threaded issues in your middle and back-end tiers.
-- Matthew Poole "The difference between theory and practice is that practice is easier in theory than theory is in practice"
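The /28 to /26 to /25 arithmetic from Alexander, Joe's "add up the phones and printers" suggestion and Matthew's numbering-plan remark above all point at the same exercise, so as an added example (my own code, not anyone's posted tool) here is a small planner: it sizes a subnet per segment with the usual three reserved addresses, totals the result, and checks it against the 25%/50% thresholds quoted from APNIC earlier in the thread. The segment counts are constructed; the three-address overhead per subnet and the /24 floor are my assumptions.

```python
import math

RESERVED_PER_SUBNET = 3   # network, broadcast and router addresses in each IPv4 subnet (assumed)
MIN_ROUTABLE_PLEN = 24    # longest prefix that propagates globally, per the thread


def prefix_len_for(hosts, reserved=RESERVED_PER_SUBNET):
    """Longest (smallest) IPv4 prefix whose address count covers `hosts` plus overhead."""
    need = max(hosts + reserved, 1)
    bits = max(2, math.ceil(math.log2(need)))     # never smaller than a /30
    return 32 - bits


def numbering_plan(segments):
    """segments: {segment_name: host_count}. Returns ({segment: prefixlen}, total addresses).
    Subnets are sized independently, so rounding overhead is counted the way a real
    plan would consume it, which is what APNIC's 'able to use' wording is about."""
    plan, total = {}, 0
    for name, hosts in segments.items():
        plen = prefix_len_for(hosts)
        plan[name] = plen
        total += 2 ** (32 - plen)
    return plan, total


def apnic_small_multihoming_ok(addresses_now, addresses_in_a_year, requested_plen=24):
    """Apply the two thresholds quoted in the thread (25% immediately, 50% within a year)
    to a requested block. Raises for blocks too long to be routed at all."""
    if requested_plen > MIN_ROUTABLE_PLEN:
        raise ValueError(f"/{requested_plen} is longer than /24 and would not propagate")
    block = 2 ** (32 - requested_plen)
    return addresses_now >= block // 4 and addresses_in_a_year >= block // 2


if __name__ == "__main__":
    # Constructed office: a few public servers plus the internal kit Joe suggests counting.
    segments = {"servers": 10, "staff": 40, "phones": 30, "printers": 5}
    plan, now = numbering_plan(segments)
    print(plan, now)                                   # per-segment prefix lengths, total
    print(apnic_small_multihoming_ok(now, now + 40))   # growth of 40 addresses in a year
```

For a /24 the thresholds come out at 64 addresses now and 128 within a year, the /26 and /25 Alexander and Matthew both mention; the sample office clears the first on internal kit alone.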
To be frank, with the limitations imposed around your physical access (no colo in a datacenter or use of "cloud") you are really not going to achieve much useful by complex PI routing of any sort. I would highly recommend you find a good business class ISP that can tailor a BGP failover solution (Fibre/VDSL?) to suit your physical access limitations. This will be the most reliable and effective solution. If your boss wants full PI, then colo in a datacenter with real diversity and get an APNIC block. Don't try and do a half pie hybrid that will make your service less reliable.
-----Original Message-----
From: Matthew Poole
Sent: Friday, November 08, 2013 9:11 AM
To: Dobbins, Roland
Cc: NZNOG
Subject: Re: [nznog] Multi-homing without PI space
There's a degree of fibre path convergence due to our premises location (only one practical approach, without spending six figures to trench through a very, very long parking lot or trying to get easement under the Parnell rail switching yards), but it will be separate conduits going to separate provider end-points.
Oh, and I didn't mention that we have no legacy copper (yes, really) to the building. Anything other than the existing provider's fibre is a new install. The suggestion of fail-over to some kind of radio link has been raised with the boss and he's not totally agin the idea, but I need to investigate that further. On 8/11/2013 09:43, Tony Wicks wrote:
To be frank, with the limitations imposed around your physical access (no colo in a datacenter or use of "cloud") you are really not going to achieve much useful by complex PI routing of any sort. I would highly recommend you find a good business class ISP that can tailor a BGP failover solution (Fibre/VDSL?) to suit your physical access limitations. This will be the most reliable and effective solution. If your boss wants full PI, then colo in a datacenter with real diversity and get an APNIC block. Don't try and do a half pie hybrid that will make your service less reliable.
-- Matthew Poole "The difference between theory and practice is that practice is easier in theory than theory is in practice"
On Nov 8, 2013, at 5:18 AM, Matthew Poole
The suggestion of fail-over to some kind of radio link has been raised with the boss and he's not totally agin the idea, but I need to investigate that further.
I've done a deal of microwave for WAN applications, and it can work quite well in that context, but no way would I ever consider it for a transit uplink in any kind of HA-type scenario.
It seems there's a certain reluctance to look at moving onto someone else's patch and onto someone else's hardware; it might be worth determining whether that reluctance is really warranted, in this day and age.
-----------------------------------------------------------------------
Roland Dobbins
Maybe from a practical implementation perspective in this one instance, but never the less the theoretical discussion on what is technically achievable and the way to do it is quite interesting to some readers. Believe it or not, I actually went and read both of Joe's earlier-referenced RFCs right through from start to end!
To throw something else into the mix with this discussion (apologies if I'm hijacking your thread here Matthew), here's a scenario:
A company is looking to host a VPS somewhere 'in the cloud'. They don't need any IPv4 address space, but they do need a couple of IPv6 addresses (maybe a prefix). I'll just repeat that bit to clarify - the VPS doesn't need any v4 connectivity at all, it will communicate via v6 only!
They would like their VPS to be connected via dual upstreams each with a physically diverse path into the datacenter. The DC would of course have all the usual power backup bells and whistles etc. For latency reasons, the VPS needs to be hosted on hardware that is housed within a DC physically located in New Zealand. As a side note, it will communicate solely with (v6) client IPs who are on NZ UFB links. Ie the clients are only ever on fibre, and are only to be connected to ISPs offering v6 over their UFB links (you know who you are, you sweeties ;-)
The question: what NZ 'cloud hosting'(*) providers would currently offer a service(**) suitable for this VPS?
Second question: if the server operator decided to 'do it themselves' instead, what kind of list of fake and 'possible' devices would they have to come up with for a minimum v6 allocation from APNIC? (or maybe that's better a topic for another talk from Dean at conference ;) (***)
Pete
(*) They don't have to actually use this term in their marketing to qualify! In fact, they may perhaps even score better if they don't.
(**) I'm happy to take replies off-list if it's not good etiquette to discuss such lists on-list or if you're shy
(***) I'm semi-serious here too though. It is plausible for small v6 operators to PI allocations and look to multi-home themselves like has been done with v4 in the past? Or is that undesirable with v6 from the perspective of the global routing tables? (yes I've already registered for the BGP training workshop pre-conference ;)
On 8/11/2013, at 3:26 PM, "Dobbins, Roland"
It seems there's a certain reluctance to look at moving onto someone else's patch and onto someone else's hardware; it might be worth determining whether that reluctance is really warranted, in this day and age.
On Nov 8, 2013, at 11:38 AM, Pete Mundy
It is plausible for small v6 operators to PI allocations and look to multi-home themselves like has been done with v4 in the past?
Sure.
Or is that undesirable with v6 from the perspective of the global routing tables? (yes I've already registered for the BGP training workshop pre-conference ;)
The global routing table issues are something for the vendors and the operational community to work on together:
http://lisp.cisco.com/lisp_tech.html
-----------------------------------------------------------------------
Roland Dobbins
On Nov 8, 2013, at 3:11 AM, Matthew Poole
putting *those* into someone else's DC carries significant cost,
It's generally less expensive than doing it yourself, in my experience. Not moving your gear - moving your apps and data onto someone else's gear. Right there in NZ.
as well as making it even more vital to have full link redundancy because if our staff can't connect to those systems they can't do their work.
Home DSL/3G/DOCSIS over VPN for each staff member makes for a *lot* of link redundancy, heh.
;>
-----------------------------------------------------------------------
Roland Dobbins
It's cheaper until your storage requirements are several dozens of terabytes (based on current disk utilisation) and you have to pay NZ hosting prices. We're only going to be growing that disk need, too, and in the last six months the rate of growth has been measured in TB-per-month
"Dobbins, Roland"
On Nov 8, 2013, at 3:11 AM, Matthew Poole
wrote: putting *those* into someone else's DC carries significant cost,
It's generally less expensive than doing it yourself, in my experience. Not moving your gear - moving your apps and data onto someone else's gear. Right there in NZ.
as well as making it even more vital to have full link redundancy because if our staff can't connect to those systems they can't do their work.
Home DSL/3G/DOCSIS over VPN for each staff member makes for a *lot* of link redundancy, heh.
;>
----------------------------------------------------------------------- Roland Dobbins
// http://www.arbornetworks.com Luck is the residue of opportunity and design.
-- John Milton
-- Matthew Poole "The difference between theory and practice is that practice is much easier in theory than theory is in practice."
Hi Matthew,
I figured everyone else has weighed in on this so I might as well too.
Doing it yourself is most certainly do-able. Give all your phones and laptops, a dhcp pool for visitors and so forth public v4 addresses, you'll meet the APNIC requirement easy enough.
My main suggestion is to consider your core business, is it building networks, or is it delivering a service over a network. It's easy for us geeks to get carried away with building awesome technical solutions, but what are the business benefits? Sometimes there aren't many. Just a good excuse to buy plenty of nice toys.
Perhaps there is an inter-tubes provider of some kind around you could approach to tailor a solution, you can provide your requirements to them (such as their core must be diverse physically and logically, their access to you must be physically diverse, their hand-overs to upstream must be equally as diverse). If they can't explain why their network is the best fit for your high availability requirements move to the next one.
It's very possible you would get a better solution, also cheaper, by working with an existing ISP.
Good luck.
Rob McDonald | Director
Level 2 Systems Ltd
M: +64 21 902 929
eFax: +64 9 974 4734
W: http://www.L2.co.nz
On 6 November 2013 11:30, Matthew Poole wrote:
A "small company wanting to play big company" question: My employer is investigating options for network redundancy as having a functional internet connection is critical to our operation. We're not in any position to even try applying for PI IPv4 space from APNIC (only using a /28), and are in no way close to being ready to think about going to pure IPv6. Clients push to us, so we need to have functional DNS as well as link fail-over. We also have multiple public-facing servers offering the same services, so moving to *shudder* NAT or some kind of port proxying isn't an easy option (clients' internal bureaucracies to get firewall ports opened, client configuration, blah blah blah).
So, my question, what are our operational course of action for multi-homing when becoming an AS on the global tubes isn't on the cards?
Cheers
-- Matthew Poole "The difference between theory and practice is that practice is easier in theory than theory is in practice"
participants (25): Alexander Neilson, Andrew McBeath, Andy Linton, bmanning@vacation.karoshi.com, Brian E Carpenter, Chris Jones, Dean Pemberton, Dobbins, Roland, Don Stokes, Gareth Davies, Gerard Creamer, Jeremy Visser, Joe Abley, Joel van Velden, Mark Foster, Mark Tees, Matt Richards, Matthew Poole, McDonald Richards, Michael Andreas Schipp, Pete Mundy, Rob McDonald, Scott Pettit, Simon Lyall, Tony Wicks