On 12 Sep 2002, James Tyson wrote:

form a "working group" (not the InternetNZ sense, the NZNOG sense, where we all go out for curry and beer) to discuss a standard for this sort of thing within NZ. I know this sounds yuck, but what about carefully So how many are showing up for Curry and beer tonight?

Tonight in Auckland: http://auckland.thursdaynightcurry.com/ And other cities info can be found at Wellington, Melbourne, Sydney, and San Francisco . Thought not quite sure if convo at other cities apart from auck and wgtn would be fruitful. grin Lin - To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog

On Wed, Sep 11, 2002 at 05:10:39PM -0400, Joe Abley said:

Just out of interest, what's the benefit in running yet another RPSL database?

WIX has 50+ private ASN peers, AFAIK you can't put info about private ASN into the public RPSL services, so if you want the value RPSL provides for private ASN (and I ohh so do), you run your own database.

...

efficient local mesh at WIX and APE. Perhaps I should consider moving to a provider who...."

... is willing to surrender control of her routing policy to a best-effort coordination service with no responsibility for the quality of the routing data sent to or from her network?

...

Ewen says:

One of the clients I have in mind has a /27 CIDR block. They're starting to run out of public address space (despite using RFC1918 everywhere it can be used, and lots of NAT), and will probably try asking for more space. But even that more space is likely to be only another /28, another /27, or maybe if they're very lucky one /26.

Tell your client that a requirement to multi-home (whether to multiple transit providers, or to a single transit providers and multiple peers) is adequate justification for being allocated a /24 netblock from their transit provider. Ask, and it will be given.

...

If the answer is "everyone use RPSL, and persuade people to accept all properly described RPSL lists" then I'm all for it. If the answer is "only providers get to do peering", then that's tantamount to "only people with public ASes get to do peering". And may well lead to a bunch of people chasing public ASes (and provider independant space for that matter) when they don't otherwise need them.

If you want to multi-home using BGP, and you don't want to violate RFC1930, you need a globally-unique ASN. ASNs are not just allocated to providers. So, only people with public ASNs get to do peering, but that doesn't mean that only providers get to do peering.

None of this is new. In fact, there was enough of this going on when I was still involved in AS4768 that I *documented* it:

http://www.clear.net.nz/documentation/dedicated/multi.html

Some of those documents are old enough that they have NZIX in their diagrams :)

Joe

- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog

Oh for crying out loud. Four years ago, we started agressively filtering incoming advertisments on WIX from new peers. Three years ago, we had filter lists in place for *every* *single* *peer*. New peers are independantly vetted (I check with their upstreams that what they want to advertise is plausible). We are no longer just "best efforts", and have not been for many years, conversely, we haven't had a routing catastrophe for years either. I've pointed this out several times on NZNOG, and yet you continue to assert that it's not the case. <sigh> Cheers Si - To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog

On Wed, Sep 11, 2002 at 06:48:08PM -0400, Joe Abley said:

On Thu, Sep 12, 2002 at 10:02:10AM +1200, Simon Blake wrote:

...

On Wed, Sep 11, 2002 at 05:10:39PM -0400, Joe Abley said:

...

Just out of interest, what's the benefit in running yet another RPSL database?

WIX has 50+ private ASN peers, AFAIK you can't put info about private ASN into the public RPSL services, so if you want the value RPSL provides for private ASN (and I ohh so do), you run your own database.

... or you use globally-unique ASNs. Using private ASNs for non-private applications is surely broken, especially when it's so trivial to obtain a globally-unique one.

From my perspective, it *is* private usage - I want RPSL to manage the peers of the route servers on APE and WIX. If it gets used in a wider sense by the NZ Internet, then that's well and good.

You might argue that it's inefficient use of a finite resource for enterprises (in the AS1918 sense) that are not transit providers to be allocated globally-unique ASNs, and I might agree with you. That's not a problem that's going to be solved in New Zealand, though; that's a problem that will be managed by IANA and the RIRs with allocation policies until someone comes up with a multi-homing and routing system that scales better than the one we have.

Surely. But we all work with the tools we have, and there is a perception that global ASN are hard to obtain. I don't know if that's true (I haven't asked for one for years), but the perception is still there.

I'm not talking about ingress filtering done by the WIX route servers. By "responsibility for the quality", I mean:

+ having a route propagation path which is different to the packet forwarding path, which is a general problem of route servers on non-trivial layer-2 exchange fabrics;

Sure, but that's an equally good arguement for fixing the exchange fabric, since if you're under some kind of partial reachability cloud, then you're not getting full value for your connection anyway. WIX has never had such problems (presumably because its L2 fabric is primarily under the control of a single administrator). I have seen it happen on APE a couple of times though, so I agree that it is an issue. Eitherway, I think it's a compelling argument to fix the fabric, rather than abandon route servers.

+ having no contract/support relationship/whatever between operators connected to the route server, which is a general problem of multi-lateral peering.

Sure. We have various contracts available if people want to look at them, but generally, people don't. Funny, that :-). We're not seeking to supplant bilateral peering with the route servers, and we never will. What I am seeking to achieve is "lowest common denominator" peering where every entity attached to WIX/APE can advertise routes that it regards as "free", and listen to the "free" routes from other peers. Every entity can define "free" in whatever way it likes, and "none of my routes", "all of my routes" and "local Wellington or Auckland routes" are all valid definitions.

Nope. I don't remember making any comments ever about what ingress policy you were using for the route servers. I do remember making comments about it being generally hard for *other* people to come up with a sensible ingress policy for their session to the route server, though, which is quite different.

Sure, and I believe the RPSL stuff we've got planned with Andy will go a long way to helping peers make sensible ingress policy for their route server sessions.

I was objecting to the idea that operators who don't use the route servers must be bad or stupid, or be otherwise unworthy of attracting customers, because I don't think that's reasonable; there are arguments for not using them, just as there are arguments *for* using them.

Undoubtedly. I just think the arguements for peering with the route servers are significantly stronger than the arguements for not peering with the route servers, but then I'm biased :-). Cheers Si - To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog

On Wed, Sep 11, 2002 at 09:16:38PM -0400, Joe Abley said:

On Wednesday, September 11, 2002, at 07:39 PM, Simon Blake wrote:

...

...

+ having a route propagation path which is different to the packet forwarding path, which is a general problem of route servers on non-trivial layer-2 exchange fabrics;

Sure, but that's an equally good arguement for fixing the exchange fabric, since if you're under some kind of partial reachability cloud, then you're not getting full value for your connection anyway.

Right.

The issue arises when there is a functional layer-2 path from the route-server to your router, but no functional layer-2 path from your router to the next-hop address for particular routes you learn from the route server.

In those circumstances you will black-hole traffic across the exchange instead of losing the route and sending the traffic by some other path (which is what would happen if you only learnt routes directly from the other operator's router, with no route server involved).

It's a failure mode thing, not a value for money thing.

Well, that's debatable - it's still broken, you're not getting value for money, and if the L2 connection over the exchange between the two ISP's is the only path between them, then you're still screwed. I think my observation still stands - if your L2 infrastructure is broken such that you don't have reachability between points A and B on that infrastructure, then that is the real problem, and that's what has to be fixed. What we're really discussing is whether the advantages the route servers bring in normal operation is outweighed by the disadvantages when the L2 exchange goes pear shaped. I think the advantages are greater (because experience tells me that the NZ L2 exchanges are reliable), you think the disadvantages are greater (presumably coz you've seen exchanges elsewhere go mental). I don't think you can broad brush the arguement either way.

There is no contract between ISP A and ISP B who receive each others' routes from the route server, though. That's what I was getting at. That's important to some people, and not just for lawyers-run-the-company, my-hair-is-pointy reasons.

Again, I'm interested in the local, specific cases, rather than in general contract theory :-). I fully agree that some peers may want to have contracts between each other, and the associated bilateral peering, and I've no problem with that whatsoever. That doesn't mean, however, that route servers are immediately removed from the discussion, it just means ISP's have different policies for routes learnt from the route server vs from bilateral peers. It is, as always, a value thing - you're getting a bunch of routes with little effort from the route servers - how much value do you get from that, vs the effort involved with initiating bilateral contractural arrangements with specific providers. How much do you trust the routes from each source? How important do you rank the need for legal comeback if stuff goes wonky? Each provider gets to make their own judgements on these things.

I ordered the ASNs for the APE and WIX route servers, back in the day.

Not strictly - I obtained the WIX ASN by mine own fair hand, it was the APE one you obtained (and for which we are eternally grateful, since it doesn't cost us anything :-).

I wouldn't have necessarily bothered if I thought they were a bad idea

Nor I :-). Cheers Si - To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog

The reason I mentioned this ... non-RFC compliant idea in the first place, was the number of comments I get from customers who state that the cost and ease of obtaining the AS number is not as Joe says "trivial". It costs a fair bit of money and takes a fair bit of time. I also wanted to say that even though NZ isn't going to fix the global AS number crisis, NZ is not excused from thinking about opportunities to help, if some minor bending of 1930 allows us to do that, then we can at least consider it. The hippocritical part of my proposal is actually the address space requirements, in which I see no easy option other than the allocation of /24's as suggested by Joe. These are easier to come by, and justify as it is often done through the ISP, removing that complexity from the end-user. Thanks for everyone's input, the question I am left with is ... if customer X designing their network with our Routers asks me how to multihome to 2 ISPs, do I say go and talk to APNIC first or forget it, or do I say, the ISPs have jointly agreed on a method of using Private AS numbers, go and talk to them about how it's done ? If we just want to make it happen I would be happy to offer a suitable forum to thrash it out (the three critical components being Beer/Pizza/Chairs). If not I rest my case ... thanks again Arron *********************************************************************** Arron Scott (CCIE #4099) Phone: +64-9-3551951 Systems Engineer Mobile: +64-27-4883163 Cisco New Zealand mailto:ascott(a)cisco.com http://www.cisco.com *********************************************************************** -----Original Message----- From: owner-nznog(a)list.waikato.ac.nz [mailto:owner-nznog(a)list.waikato.ac.nz]On Behalf Of Joe Abley Sent: Thursday, 12 September 2002 10:48 a.m. To: Simon Blake Cc: nznog(a)list.waikato.ac.nz Subject: Re: BGP Private ASes On Thu, Sep 12, 2002 at 10:02:10AM +1200, Simon Blake wrote:

On Wed, Sep 11, 2002 at 05:10:39PM -0400, Joe Abley said:

...

Just out of interest, what's the benefit in running yet another RPSL database?

WIX has 50+ private ASN peers, AFAIK you can't put info about private ASN into the public RPSL services, so if you want the value RPSL provides for private ASN (and I ohh so do), you run your own database.

... or you use globally-unique ASNs. Using private ASNs for non-private applications is surely broken, especially when it's so trivial to obtain a globally-unique one. You might argue that it's inefficient use of a finite resource for enterprises (in the AS1918 sense) that are not transit providers to be allocated globally-unique ASNs, and I might agree with you. That's not a problem that's going to be solved in New Zealand, though; that's a problem that will be managed by IANA and the RIRs with allocation policies until someone comes up with a multi-homing and routing system that scales better than the one we have.

...

...

efficient local mesh at WIX and APE. Perhaps I should consider moving to a provider who...."

... is willing to surrender control of her routing policy to a best-effort coordination service with no responsibility for the quality of the routing data sent to or from her network?

Oh for crying out loud.

I'm not talking about ingress filtering done by the WIX route servers. By "responsibility for the quality", I mean: + having a route propagation path which is different to the packet forwarding path, which is a general problem of route servers on non-trivial layer-2 exchange fabrics; + having no contract/support relationship/whatever between operators connected to the route server, which is a general problem of multi-lateral peering. As to the "best-effort" bit, I thought you were; sorry if that's not the case.

I've pointed this out several times on NZNOG, and yet you continue to assert that it's not the case.

Nope. I don't remember making any comments ever about what ingress policy you were using for the route servers. I do remember making comments about it being generally hard for *other* people to come up with a sensible ingress policy for their session to the route server, though, which is quite different. Lots of people find your route servers useful, and that's great. They *are* useful. I was objecting to the idea that operators who don't use the route servers must be bad or stupid, or be otherwise unworthy of attracting customers, because I don't think that's reasonable; there are arguments for not using them, just as there are arguments *for* using them. Joe - To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog - To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog

At 13:04 12/09/2002 +1200, Arron Scott wrote:

The reason I mentioned this ... non-RFC compliant idea in the first place, was the number of comments I get from customers who state that the cost and ease of obtaining the AS number is not as Joe says "trivial". It costs a fair bit of money and takes a fair bit of time.

Hmmm, throughout Asia, any organisation who has complained about it being difficult to get any resources from APNIC usually has not tried. Just want to reiterate Joe's experience - it really isn't that hard, and that's the feedback I get when people who said it was hard actually tried. There are two ways of getting an ASN from APNIC: from my multihoming tutorial at the last APNIC conference (www.apnic.net/meetings/14/programme/docs/bgp-tut-slides-pfs.pdf) these are: - existing APNIC member - fill up http://ftp.apnic.net/apnic/docs/asn-request - costs nothing more than you already pay - become an APNIC member (takes some time, and money), then do the above - apply as a non-member - http://www.apnic.net/member/non-member-application.html - cost US$500, annual US$50. Using a private ASN for multihoming of a customer between two ISPs works just fine so long as the two ISPs actually agree that the ASN can be used for that. In my past life I've done that, it's worked. But it definitely falls into the category of "unnecessary" - that's what public ASNs are for.

I also wanted to say that even though NZ isn't going to fix the global AS number crisis, NZ is not excused from thinking about opportunities to help, if some minor bending of 1930 allows us to do that, then we can at least consider it.

What global ASN crisis? http://www.ietf.org/internet-drafts/draft-ietf-idr-as4bytes-05.txt fixes that one, hopefully. :-)

Thanks for everyone's input, the question I am left with is ... if customer X designing their network with our Routers asks me how to multihome to 2 ISPs, do I say go and talk to APNIC first or forget it, or do I say, the ISPs have jointly agreed on a method of using Private AS numbers, go and talk to them about how it's done ? If we just want to make it happen I would be happy to offer a suitable forum to thrash it out (the three critical components being Beer/Pizza/Chairs). If not I rest my case ... thanks again

Go to upstreams - if either is an APNIC member, they get the ASN for them. As per Joe's example, it takes little time, costs nothing, or close to nothing (if the upstream chooses to charge). If upstreams refuse, or are not APNIC/ARIN/RIPE NCC members, the org has the two choices I highlighted above. If they still find they are having problems, let me know, and I will be more than happy to follow up. hth, philip -- - To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog