[Mispa-management-l] (Fwd) managing the resources for your IXP peering lan. [af-ix]

Dr P Nyirenda paulos at sdnp.org.mw
Tue Dec 18 16:55:19 CAT 2018


Fyi ...

------- Forwarded message follows -------
From:	"Nishal Goburdhan" <nishal at ispa.org.za>
To:	af-ix <af-ix at af-ix.net>
Date sent:	Tue, 18 Dec 2018 13:21:08 +0200
Subject:	[af-ix] managing the resources for your IXP peering lan.


folks,
when you first apply to afrinic for resources, they will allocate the
following to you:

for your peering lan (the main thing that your IXP does)
* a 16bit ASN for your BGP route server (if you ask for it)
* a /24 of IPv4
* a /48 of IPv6

afrinic is currently allocating IPv4 space out of 196.60.x.y.  a few
years ago, some community members got together, and decided that afrinic
needed to reserve IPv4 space for IXP, and this is the result:
inetnum:        196.60.0.0 - 196.60.255.255
netname:        IXP-RESERVATIONS
descr:          This block is reserved for IXPs as per policy AFPUB-2014-GEN-004
descr:          For IXP peering purposes

older allocations for IXP peering lans are from 196.223.x.y

regardless, this address space is intended for use for *peering*
purposes only.  please do not subnet this space.  there seems to be an
increasing trend for new IXPs to subnet that to something smaller.
please don't do this needlessly.  it's bad practice.  use the entire
/24 for your IXP.  it might seem wasteful now, but consider that you
don't really want to have to renumber  (this is not a trivial thing to
accomplish).

one core value of the IXP peering subnet, is that it should not be
visible on the globally routed internet.  to make sure that the IXP had
address space to use for "services" at the IX - like stats,
websites, etc., we convinced afrinic that they should allocate
additional address space to an IX - for management/transit.  so, if you
ask for it, they will also give you the following:
* an ASN for transit
* a /24 for transit/management and services your IXP will provide
* a /48 for transit/management and services your IXP will provide

you can subnet this second block, any which way you like to support your
transit purposes.  that's what it's there for.  please don't use
the first network (aka the peering subnet) for services!  there is a
well documented example of what happened when the london IX did this a
few years ago, and how this backfired during a denial of service attack.
  please, learn from this mistake - just don't do it ..



IPv6:
regarding IPv6, you'll have noted that your peering subnet allocation
is a /48.  it's widely accepted that a "lan" in IPv6, is a /64.
that means that you have 65,536 potential networks of length /64.

you only need _one_ network to start.  (so yes, the rest is wasted)

good practice, is to pick the first (aka shortest) /64 and assign that
to your peering lan.  it's the shortest, and the easiest for your
peers to type.  so, if you were allocated 2001:43f8:7f0::/48, you would
choose 2001:43f8:7f0:0000:0000:0000:0000:0000/64 to use for your peering
lan.
that is otherwise written as:  2001:43f8:7f0::/64.  it's normally
recommended to save the first few IP addresses for your own usage (i
generally reserve the first 1-F).  and start your peers after that, eg:

2001:43f8:7f0:0000:0000:0000:0000:0010/64 = 2001:43f8:7f0:10/64  = peer1
2001:43f8:7f0:0000:0000:0000:0000:0011/64 = 2001:43f8:7f0:11/64  = peer2
2001:43f8:7f0:0000:0000:0000:0000:0012/64 = 2001:43f8:7f0:12/64  = peer3

there are many systems that IXPs have used for v6.  some have tried to
convert the ASN of the peering network, to hexadecimal, and encode that,
into the earlier octets, eg:    2001:43f8:7f0::2A:1/64 would be the
first IP address for AS42.  personally, i think that this is unnecessary
confusion;  if you were trying to make a correlation, i would use the
same last octet for IPv4 and IPv6, to make it easier for operators to
read, and that's it.

there is *no* good reason to make your peering lan larger than a /64.
in fact, that's a bad idea, and you can more easily open up your network
to IPv6 NDP exhaustion attacks.  you _can_ make your v6 peering lan
_smaller_  than a /64  (eg.  /80 or /96).  the convention for /64 mostly
came from an earlier time, when routers were not able to do hardware
forwarding for netblocks that were not in /64.


if you're having trouble please post here for assistance;  there are
lots of folks that can help you, and even two helpful afrinic staff
sub'd to the list, who can discuss your issue directly with you, if
necessary.

-n.

------- End of forwarded message -------
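
The addressing rules in the forwarded message, as an added example (not part of the original post or of any afrinic tooling): it derives the peering /64 from the /48, checks the two sizing mistakes the message warns about, pairs IPv4 and IPv6 peer addresses, and lists announced prefixes that expose the peering lan. The IPv4 /24, the function names, the pairing rule and the sample routing table are assumptions made for this example.

```python
import ipaddress

# Constructed sample: the /48 is the one quoted in the message; the IPv4 /24 is
# a placeholder picked from the 196.60.0.0/16 IXP reservation.
V6_ALLOC = ipaddress.ip_network("2001:43f8:7f0::/48")
LAN_V4 = ipaddress.ip_network("196.60.0.0/24")


def first_slash64(alloc):
    """The first (lowest-numbered) /64 of the allocation: the peering lan."""
    return next(alloc.subnets(new_prefix=64))


def check_lan(lan_v4, lan_v6):
    """Flag the two sizing mistakes the message warns about."""
    problems = []
    if lan_v4.prefixlen > 24:
        problems.append(f"{lan_v4}: IPv4 peering lan subnetted below /24")
    if lan_v6.prefixlen < 64:
        problems.append(f"{lan_v6}: IPv6 peering lan larger than /64")
    return problems


def peer_pair(last_octet, lan_v4, lan_v6):
    """Assumed reading of 'same last octet': 196.60.0.10 pairs with ::10."""
    host_v6 = int(str(last_octet), 16)  # decimal digits reused as hex digits
    # v6 hosts 1-F stay reserved for the IXP, so v4 octets below 10 are refused.
    if not 1 <= last_octet <= 254 or host_v6 <= 0xF:
        raise ValueError("host part is reserved for the IXP or out of range")
    return lan_v4[last_octet], lan_v6[host_v6]


def visible_lan_routes(announced, lan_v4, lan_v6):
    """Return announced prefixes that overlap the peering lan (should be none)."""
    hits = []
    for text in announced:
        net = ipaddress.ip_network(text)
        lan = lan_v4 if net.version == 4 else lan_v6
        if net.overlaps(lan):
            hits.append(str(net))
    return hits


if __name__ == "__main__":
    lan_v6 = first_slash64(V6_ALLOC)
    print(lan_v6, check_lan(LAN_V4, lan_v6))
    for octet in (10, 11, 12):
        print(*peer_pair(octet, LAN_V4, lan_v6))
    # Constructed routing-table sample: the second entry exposes the lan.
    table = ["196.60.1.0/24", "196.60.0.0/25", "2001:43f8:7f1::/48"]
    print(visible_lan_routes(table, LAN_V4, lan_v6))
```

Feeding visible_lan_routes() the prefixes seen from an outside vantage point (a looking glass or a transit session) turns the "not visible on the globally routed internet" rule into a check that can be run on a schedule.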


