[146032] in North American Network Operators' Group
Re: using IPv6 address block across multiple locations
daemon@ATHENA.MIT.EDU (Steven Bellovin)
Mon Oct 31 13:09:48 2011
From: Steven Bellovin <smb@cs.columbia.edu>
In-Reply-To: <4EAECD39.2070507@bogus.com>
Date: Mon, 31 Oct 2011 13:08:35 -0400
To: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Oct 31, 2011, at 12:30 49PM, Joel jaeggli wrote:
> On 10/31/11 03:43 , Jeroen Massar wrote:
>> On 2011-10-31 08:56 , Dmitry Cherkasov wrote:
>>> Hello,
>>>=20
>>> Please advice what is the best practice to use IPv6 address block
>>> across distributed locations.
>>=20
>> You go to multiple RIRs and get multiple prefixes.
>>=20
>> Heck, you apparently can even get multiple disjunct prefixes from the
>> same RIR.
>>=20
>> There went the whole idea of aggregation....
>=20
> or you could just get an aggregateable block of the appropiate size =
from
> one RIR and deaggregate it as necessary which should be the normal
> course of action...
>=20
One important question: if data for one of your locations were to be =
sent
from somewhere that is closer (as the packets fly) to another, would you
prefer that it be sent over your VPN or over the open Internet? The =
latter
may be cheaper for you, since you don't have to pay for that bandwidth; =
the
former may be more secure if your VPN is encrypted.
To send stuff only over the open Internet in this situation, use a =
separate=20
/48 for each location. To send stuff only over your VPN, put everything =
in
a single /44 or so and advertise only it. Advertising the /44 and =
having
each location advertising its own /48 within that /44 will usually cause =
the
traffic to go over the open Internet, with your VPN as backup in case of
reachability problems if some ISPs won't carry the longer /48s because =
of their
own policies.
--Steve Bellovin, https://www.cs.columbia.edu/~smb
