IXP

Hello NANOG,

I would like to know what the best practices are for an internet exchange. I
have some concerns about the following:
Can the IXP members use RFC 1918 IP addresses for their peering?
Can the IXP members use private autonomous system numbers for their peering?

Maybe the answer is obvious, but I would like to hear from any IXP admins what
their setup/experiences have been.

15 years into the exchange trade has given me the following insights:

  RFC1918 space can be used - but virtually everyone who starts there
  migrates to globally unique space.

  Private ASNs - same deal. Private ASNs tend to have special treatment
  inside ISPs - so path matching gets you in the end.

--bill

me@sharloncarty.net (Sharlon R. Carty) wrote:

> I would like to know what the best practices are for an internet exchange. I
> have some concerns about the following:
> Can the IXP members use RFC 1918 IP addresses for their peering?

No. Those IP addresses will at least appear on traceroutes; also,
it might not be such a good idea to use the same RFC1918 space
(accidentally) on different IXPs. This will get your skin crawling
(think IGP, or at least config databases)... IXPs can usually get
a v4 and a v6 block for their peering grid easily.

> Can the IXP members use private autonomous system numbers for their peering?

They could, but what would you then do with them inside your IGP?
And apart from that - ISPs that want to peer tend to have their
ASNs ready...

I am not an IXP operator, but I know of no exchange (public or
private, big or closet-style) that uses private ASNs or RFC1918
space.

Elmar.

Theoretically it's doable.
But mostly no to your questions.

IXP means Internet eXchange Point.
So it is the public Internet. Why do you want to use private IP addresses?

Most RIRs allocate a /24 to an IXP.
For troubleshooting purposes, it is better to use public IP addresses, as
they are designed for that.
Unless you want to have MPLS/VPN-only connections, and use private IP
addresses/ASNs between them.

Sharlon R. Carty wrote:

> > I would like to know what the best practices are for an internet exchange.
> > I have some concerns about the following: Can the IXP members use RFC
> > 1918 IP addresses for their peering?
>
> No. Those IP addresses will at least appear on traceroutes;
> also, it might not be such a good idea to use the same RFC1918 space
> (accidentally) on different IXPs. This will get your skin
> crawling (think IGP, or at least config databases)... IXPs
> can usually get a v4 and a v6 block for their peering grid easily.

Anyone with a decently configured firewall would block IP packets with
source address from RFC1918 coming from the Internet. Your IXP would appear
as a black hole in traceroute printout because the ICMP replies sent from
the IXP IP addresses would be blocked.

A while ago I've described a few more caveats in an article (see
http://blog.ioshints.info/2008/08/private-ip-addresses-in-public-networks.html).

Ivan

http://www.ioshints.info/about
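An added example, not from any poster in this thread: a small Python lint over a constructed peer list that flags the three things the replies above warn about, RFC 1918 peering addresses, private ASNs, and session addresses that are not on the exchange's own peering block. The IX prefixes, member names and ASNs are constructed placeholders drawn from documentation ranges.

```python
import ipaddress

# Assumed IXP peering blocks: documentation prefixes stand in for the
# RIR-assigned v4 /24 and v6 block an exchange would normally hold.
IX_PEERING_LANS = [ipaddress.ip_network("203.0.113.0/24"),
                   ipaddress.ip_network("2001:db8:ff::/64")]
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Private ASN ranges, 16-bit and 32-bit (RFC 6996).
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))


def is_rfc1918(addr):
    """True for IPv4 addresses inside an RFC 1918 block; False for IPv6."""
    return any(addr in net for net in RFC1918)


def is_private_asn(asn):
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def check_peer(addr_str, asn):
    """Return the findings for one peer's session address and ASN."""
    addr = ipaddress.ip_address(addr_str)
    findings = []
    if is_rfc1918(addr):
        findings.append("rfc1918-address")  # visible in traceroutes, gets filtered
    if not any(addr in lan for lan in IX_PEERING_LANS):
        findings.append("outside-peering-lan")  # not on the exchange's own block
    if is_private_asn(asn):
        findings.append("private-asn")  # gets special treatment inside ISPs
    return findings


def audit(peers):
    """Map member name -> findings for (member, address, asn) tuples."""
    return {member: check_peer(addr, asn) for member, addr, asn in peers}


# Constructed sample; member ASNs come from the documentation range 64496-64511.
SAMPLE_PEERS = [
    ("member-a", "203.0.113.10", 64496),
    ("member-b", "192.168.1.2", 64497),        # RFC 1918 peering address
    ("member-c", "203.0.113.11", 65001),       # private 16-bit ASN
    ("member-d", "2001:db8:ff::d", 64498),     # v6 on the IX block, fine
    ("member-e", "198.51.100.5", 4201000000),  # off the IX LAN, 32-bit private ASN
]
```

Calling `audit(SAMPLE_PEERS)` returns an empty finding list for the two clean members and the specific problems for the other three.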

with the advent of vlan tags, the whole idea of CSMA for IXP networks is passe.
just put each pair of peers into their own private tagged vlan and let one of
them allocate a V4 /30 and a V6 /64 for it. as a bonus, this prevents third
party BGP (which nobody really liked which sometimes got turned on by mistake)
and prevents transit dumping and/or "pointing default at" someone. the IXP no
longer needs any address space, they're just a VPN provider. shared-switch
connections are just virtual crossconnects.

Uh, I'm not sure whether you're being sarcastic or not.

                                -Bill

Large IXP have >300 customers. You would need up to 45k vlan tags,
wouldn't you?

Arnold

QinQ could solve this

Kris

not really

Sorry, hit "send" a little early, by accident.

> with the advent of vlan tags, the whole idea of CSMA for IXP networks is passe.
> just put each pair of peers into their own private tagged vlan.

I'm not sure whether you're being sarcastic, and if I'm not sure, I bet people who don't know you really aren't sure. So: the only nominal IXP I know of where that's really been experimented with seriously is MYIX, in Kuala Lumpur, where it's been a notable failure. The other 300-and-some IXPs do things normally, with an IX subnet that people can peer across. So, the advent of standardized .1Q tags in 1998, preceded by ISL for many years before that, has not yet rendered the 99.6% majority best-practice passe.

Just a clarification.

                                 -Bill

... and exchanging multicast would be... err.. suboptimal.

painfully, with multiple circuits into the IX :-) I'm not advocating Paul's suggestion at all here

Kris

the vlan tagging idea is a virtualization of the PNI construct.
why use an IX when running 10's/100's/1000's of private network
interconnects will do?

granted, if out of the 120 ASN's at an IX, 100 are exchanging on
average - 80KBs - then it's likely safe to dump them all into a single
physical port and vlan tag the heck out of it.

it's those other 20 that demand some special care.

(welcome to "how to grow your presence at an IX and when to leave"-101 :-)

--bill

> Large IXP have >300 customers. You would need up to 45k vlan tags,
> wouldn't you?

the 300-peer IXP's i've been associated with weren't quite full mesh
in terms of who actually wanted to peer with whom, so, no.

Not only that, but when faced with the requirement of making the vlan
IDs match on both sides of the exchange, most members running layer 3
switches with global vlan significance are going to hit major layer 8
hurdles negotiating the available IDs very quickly.

A far better way to implement this is with a web portal brokered virtual
crossconnect system, which provisions MPLS martini pwe or vpls circuits
between members. This eliminates the vlan scaling and clash issues, as
it shifts you from a 12-bit identifier to a 32-bit identifier with vlan
tag handoffs to the clients being arbitrarily mapped as the client
wishes. Such a system has significant advantages over traditional flat
layer 2 switches, in things like security, reliability, flexibility,
scalability (in members, traffic, and number of locations within the
network), and multiservice use (since you can accurately bill with snmp
counters per vlan-ID instead of just guesstimating w/sflow).

Of course trying to deploy such a system in the current IX market space
(especially in the US) has its own unique challenges. :-)

The construct also doesn't scale well for multicast traffic exchange if there's a significant number of multicast peers even though the traffic might be low for individual source ASNs. On the other hand, if the IXP doesn't use IGMP/MLD snooping capable switches, then I suppose it doesn't matter.

Antonio Querubin
whois: AQ7-ARIN

> The construct also doesn't scale well for multicast traffic exchange if
> there's a significant number of multicast peers even though the traffic
> might be low for individual source ASNs. On the other hand, if the IXP
> doesn't use IGMP/MLD snooping capable switches, then I suppose it doesn't
> matter.

the people who do massive volumes of multicast in my experience have also
been the ones whose network policies, or unicast traffic volumes, or both,
prevented them from joining CSMA peering fabrics. CSMA assumes a large
number of small flows, which is not what i see in the multicast market, but
i admit that i'm not as involved as i used to be.

Much depends on your definition of "quite". Would 30% qualify?

Arnold

> > the 300-peer IXP's i've been associated with weren't quite full mesh
> > in terms of who actually wanted to peer with whom, so, no.
>
> Much depends on your definition of "quite". Would 30% qualify?

30% would be an over-the-top success. has anybody ever run out of 1Q tags
in an IXP context?