[157901] in North American Network Operators' Group
Re: What is BCP re De-Aggregation: strict filtering /48s out of /32
daemon@ATHENA.MIT.EDU (Leo Bicknell)
Wed Nov 14 12:59:40 2012
Date: Wed, 14 Nov 2012 09:59:18 -0800
From: Leo Bicknell <bicknell@ufp.org>
To: "'NANOG'" <nanog@nanog.org>
Mail-Followup-To: 'NANOG' <nanog@nanog.org>
In-Reply-To: <416A23FC91E34449999D047BF540B46901689658E2EF@EXCHANGE.atlasbiz.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
In a message written on Wed, Nov 14, 2012 at 01:10:57PM +0000, Ben S. Butler wrote:
> I am hoping for a bit of advice. We are rolling out IPv6 en masse now to
> peers and I am finding that our "strict" IPv6 ingress prefix filter is
> meaning a lot of peers are sending me zero prefixes. Upon investigation I
> determine they have de-aggregated their /32 for routing reasons / non
> interconnected islands of address space and in consequence advertise no
> covering /32 route. The RIR block that the allocation is from is meant to
> have a minimum assignment of /32.
You are conflating two different issues, which are essentially
totally unrelated. There is the smallest size block an RIR will
allocate out of some chunk of address space, and then there is how
people announce it on the Internet. In the real world they have
almost nothing to do with each other, something folks understand today
in IPv4 but seem to think IPv6 magically fixes; it doesn't.
[Historically there were folks who maintained filters on IPv4 space, but
they gradually disappeared as the filters became so long they were
unmaintainable, and people discovered when your job is to connect people,
throwing away routes is a bad thing.]
For instance, there are folks who could use the "multiple discrete
networks" policy to get a /48 for each of their 5 sites. But instead
they get one /32, use a /48 at each site, and announce them
independently. Same prefixes in the table, but filtering on the
RIR /32 boundary means you won't hear them.
I'll point out it's not just longer, but shorter prefixes as well:
> ipv6 prefix-list ipv6-ebgp-strict permit 2001:500::/30 ge 48 le 48
F-Root announces 2001:4f8:500:2e::/47. You're going to miss it.
There are other servers in this block that are in /47's or /46's.
If connectivity is what you value, here's the right filter:
ipv6 prefix-list ipv6-ebgp-permissive permit 2001::/12 ge 13 le 48
Yes, the DOD has a /13, and yes, people expect to be able to announce
down to a /48.
--
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
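The effect of the two prefix-list entries in the message above can be checked offline. This is an added example, not part of the original message: it assumes the usual `ge`/`le` matching rule (the route must fall inside the entry's prefix and its length must lie between `ge` and `le`), the function names are hypothetical, and the sample routes are constructed.

```python
import ipaddress

# Entry tails copied from the message: "PREFIX/LEN ge N le N".
STRICT = "2001:500::/30 ge 48 le 48"
PERMISSIVE = "2001::/12 ge 13 le 48"

# Constructed sample announcements (not taken from a real routing table).
ROUTES = [
    "2001:500:10::/48",    # /48 inside the /30
    "2001:500:2e::/47",    # /47 inside the /30
    "2001:500:40::/46",    # /46 inside the /30
    "2001:db8::/32",       # /32 outside the /30
    "2001:500:10:1::/64",  # longer than /48
]

def parse_entry(entry):
    """Return (network, min_len, max_len) for a prefix-list entry tail."""
    tokens = entry.split()
    # strict=False masks bits beyond the prefix length instead of raising.
    net = ipaddress.ip_network(tokens[0], strict=False)
    opts = dict(zip(tokens[1::2], map(int, tokens[2::2])))
    if opts:
        lo = opts.get("ge", net.prefixlen)
        hi = opts.get("le", net.max_prefixlen)
    else:
        lo = hi = net.prefixlen  # no ge/le: exact length only
    return net, lo, hi

def permits(entry, route):
    """True if the announced route would match the permit entry."""
    net, lo, hi = parse_entry(entry)
    r = ipaddress.ip_network(route)
    return (r.version == net.version
            and lo <= r.prefixlen <= hi
            and r.subnet_of(net))

def compare(routes):
    """Return (route, strict_result, permissive_result) for each route."""
    return [(r, permits(STRICT, r), permits(PERMISSIVE, r)) for r in routes]

if __name__ == "__main__":
    for route, strict, permissive in compare(ROUTES):
        print(f"{route:22} strict={strict!s:5} permissive={permissive}")
```

Running the same comparison over a feed of a peer's announced prefixes before tightening an ingress filter shows which routes the change would drop.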