Advertising rented IPv4 prefix from a different ASN.

Hello List,

I work for a medium-sized ISP. We are entering an agreement to rent some IPv4 space from a local higher education institution. Being a multi-homed ISP we would like to advertise the rented prefix from our ASN. The prefix that will be advertised is a smaller subnet from the higher education institution's block; they will continue to advertise the larger prefix.

What is the best way to accomplish this? Is there any way of doing this without having to tunnel the traffic through the origin ASN?

I feel if we just advertise the prefix it will get put on a bogon list for prefix hijacking. This space is rented long term but they are not interested in reassigning the space to us. They also want to keep advertising their prefix as one contiguous block.

I appreciate any insight and information.
Thank you for your time,
Andrew.

If you are just announcing more specific address space that you've obtained
legitimately off their assigned address space, it should be no problem,
just obtain an LoA and register it on the different databases and you
should be set to ask your upstreams to allow the announcements.

Regards,
Neo Soon Keat

Just create a more specific route object (for the /nn you plan to announce) at your RIR, ask the institute to sign a LOA and inform your upstreams. Announcing the more specific is nothing unusual.

Jürgen Jaritsch
Head of Network & Infrastructure

ANEXIA Internetdienstleistungs GmbH


Make sure proper route-objects exist. Should be no big deal then imho.
Others do it as well - also advertising the larger block from one ASN
and a smaller portion of it from another.

Kind regards,
Stefan

Do people actually do this? A customer asked us to do this for them and
we refused, because inconsistent AS has never been a thing.

I'm apprehensive about a subnet and its aggregate appearing from
multiple AS's at the same time. But, I'm old school, so...

Mark.

Hi Andrew,

It is possible, but I would do it... Here is how and why.
If they announce the larger CIDR you will need to keep them as one of your
ISPs or you risk losing traffic due to others' inbound policy filtering.
However, if they provide you a simple Letter of Authorization to announce
the smaller rented CIDR you can use this letter to show other networks
that you have the right to announce it and they can email/call to confirm.
By announcing the smaller CIDR to others you should see the bulk of the
traffic come in via the other backbones. You can "not reliably" multi-home
the IPs without keeping the institution as one of your backbone providers
(reason I wouldn't do it). You will always need a peering session with
them where you announce to them your CIDR or they static route that
traffic to you.

Thank You
Bob Evans
CTO

Isn't this a violation of their agreement with ARIN (https://www.arin.net/resources/request/reassignments.html)?

It's possible that it is a university that has legacy IPs.
You have to check.

Thank You
Bob Evans
CTO

I agree with you...not a great practice. Each AS should just announce the prefix that they actually use. The school could be used as a transit for the ISP, which may be undesirable.

I would not recommend to do that.

If you really do this, please make sure that the owner of the supernet (in this case the university) also does transit for the subnet (which they should as they are supposed to accept and forward traffic for the whole aggregate that they are announcing).

Otherwise, for networks that only do partial routing (basically defaults from transits + peering routes), this will create a blackhole in case they peer with the ISP that announces only the supernet, but not with the ISP that announces the subnet, because traffic will always be routed towards the announcement of the supernet only.
Same applies if the subnet gets filtered by some people for policy reasons (like no more-specifics of PA space, or smaller than /24...).

Also, be careful that the owner of the supernet doesn't apply inbound anti-spoofing filters at their borders towards transits and peers for traffic from your subnet that is part of their supernet.

Chris
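The partial-routing case described in the message above can be traced with a small longest-prefix-match model. This is an added example, not part of any post in the thread; the prefixes (198.18.0.0/15 and 198.18.4.0/22), the AS numbers, the node names and the assumption that the university holds a discard route for its aggregate are all constructed for illustration.

```python
import ipaddress

# Constructed topology (documentation ASNs, benchmarking address space):
#   university AS64500 originates the aggregate 198.18.0.0/15
#   isp        AS64501 originates the rented more-specific 198.18.4.0/22
#   transit    carries a full table
#   remote     partial routing: default to transit + routes from its peers
AGG, SUB = "198.18.0.0/15", "198.18.4.0/22"

def rib(routes):
    """Turn {prefix string: next hop} into {ip_network: next hop}."""
    return {ipaddress.ip_network(p): nh for p, nh in routes.items()}

def build(university_carries_subnet):
    uni = {AGG: "discard"}      # assumed aggregate pull-up route, no host behind it
    if university_carries_subnet:
        uni[SUB] = "isp"        # BGP session or static route towards the renter
    return {
        "remote": rib({"0.0.0.0/0": "transit", AGG: "university"}),
        "transit": rib({AGG: "university", SUB: "isp"}),
        "university": rib(uni),
        "isp": rib({SUB: "local"}),
    }

def lookup(table, dst):
    """Longest-prefix match: return (prefix, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    hits = [(net, nh) for net, nh in table.items() if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)

def trace(ribs, start, dst, max_hops=8):
    """Follow next hops network by network until delivery or drop."""
    path, node = [start], start
    for _ in range(max_hops):
        hit = lookup(ribs[node], dst)
        if hit is None or hit[1] == "discard":
            return path, "blackholed"
        if hit[1] == "local":
            return path, "delivered"
        node = hit[1]
        path.append(node)
    return path, "loop"

if __name__ == "__main__":
    for carries in (False, True):
        for src in ("remote", "transit"):
            print(carries, src, *trace(build(carries), src, "198.18.4.10"))
```

The `remote` network never sees the /22, so its peering route for the aggregate beats its default and the packet only arrives if the university forwards it on; the full-table `transit` network is unaffected either way.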

* Mark Tinka

I'm not sure how bad of a practice it really is, however, I've seen it in
use in multiple networks and ASes who sublet their IP space, and as far as
I've known, it seems to work fine for most networks.

Of course, this may also cause the University itself to be subject to
unwanted traffic if for example the BGP session announcing the sublet
space goes down.

And, whether this violates the RIR regulations is another thing altogether.

SoonKeat

Regards,
Neo Soon Keat

If the space in question is post-1997 then yes, either renting space
as an "end user" or failing to swip reassigned space as an ISP
violates their agreement with ARIN. It could be reported as fraud
making everybody unhappy.

If the edu's space is a legacy assignment then they have no agreement
with ARIN to violate.

On a more practical level, you'll encounter three kinds of trouble:

1. Despite your best efforts, the school will receive some packets
intended for you. Make sure you have a tunnel in place to catch them.

2. Reverse path filtering may trip you up if the school hasn't already
addressed that with their ISPs.

3. Their own internal firewalls and access control mechanisms which
have, over the years, been programmed to act on their entire address
space.

Regards,
Bill Herrin

Yes, this is quite prevalent. For example a popular resolver within prefix 8.8.8.0/24 (and also 8.8.4.0/24) has 8.0.0.0/9 advertised by 3356.

Theodore Baschak - AS395089 - Hextet Systems
https://ciscodude.net/ - https://hextet.systems/
https://theodorebaschak.com/ - http://mbix.ca/

Hello List,

[ clip, plenty of advice on these points ]

I feel if we just advertise the prefix it will get put on a bogon list for prefix
hijacking. This space is rented long term but they are not interested in
reassigning the space to us. They also want to keep advertising their
prefix as one contiguous block.

You will also likely need a letter of authorization from the network
lending you their space for your upstreams or others.

Here's a usable template that you can customize for your own purposes.
Hope this helps:

           http://bit.ly/LOA-0805201601

Caveats, IPv6? Be sure to consult with lawyers, comply with your
favorite RIR policy and compare the cost of "renting" to "leasing" or
acquiring on the open market. There are a number of sources to acquire
IPv4 address space easily found using your favorite search engine.

You may also be eligible for a last /22 allocation from RIPE if you
qualify under their current policy. See http://bit.ly/LASTCALL-22 for
further information.

Best Regards,

-M<