Are there any policies set by internet registries and/or transit
providers today that prohibits organizations from using a Partially
used IP Block allocated in one region say AP through APNIC to be
comissioned and Propagated in another region such as EMEA serviced by
RIPE?.
Obv, the best approach would be to acquire a new Block in the 2nd
region through its own registry, but sometimes due to strict
prvisioning timelines, legal delays in getting the necessary approvals
involved etc make this option less attractive. From an IPV4 space
depletion perspective as well, it might be feasible if organizations
having a large block in one region could split it amongst multiple
regions to prevent Wastage.
Any thoughts/expereinces and feedback would be appreciated.
IP space to let's say on the RIPE side (Im on the LACNIC side) for
reasons like greater visibility (some how). I believe that RIPE
requires me to have a company registered on the EMEA side or have my
provider place it for me. but i guess when i disengage with that
provider, I may need to give back the IP space they have provided me.
There is absolutely nothing wrong with an organization getting all of it's
IP resources world wide from a single registry if they prefer to do so.
There is no policy prohibiting this in any registry. The policies are
designed to prevent "registry shopping" by organizations with neither
infrastructure nor presence in a region. There is no need, whatsoever
to procure multiple address chunks from multiple registries in order
to have infrastructure in more than one region.
You state "Obv, the best approach...". I don't think so. I think the best
approach is whatever allows you to make most efficient use of your
address space. Usually this will be from a single RIR rather than a
multiple RIR approach.
The one drawback to that would be people who attempt to do geographical
based service provisioning. Say a company based in the US uses part of
their block in Europe or APAC. When they do a DNS request for a service
address from $GLOBAL_CONTENT_PROVIDER, they end up getting the US
service address because the content provider believes the request is
coming from the US resulting in poor performance. In other words, if a
service relies on connection to other services that try to do
geographical affinity, it could lead to a sub-optimal experience.
It could also cause problems where the content is different (or possibly
prohibited) depending on the geographical location of the requestor
which some folks try to determine by source address (but which is
actually quite idiotic, in my opinion, because as you see from this
thread, an IP address in no way relates to where the person really is,
it only relates to where the entity to whom it was issued is located).
Been there and experienced issues like that before. It can even be bad
when you are given an IP block that might have been used before by
someone in another region.
From: Owen DeLong [mailto:owen@delong.com]
Sent: Thursday, May 20, 2010 7:37 AM
To: Net
Cc: nanog@nanog.org
Subject: Re: Partial Use Of one Regions IP Block in another
You state "Obv, the best approach...". I don't think so. I think the
best
approach is whatever allows you to make most efficient use of your
address space. Usually this will be from a single RIR rather than a
multiple RIR approach.
Owen
The one drawback to that would be people who attempt to do geographical
based service provisioning. Say a company based in the US uses part of
their block in Europe or APAC. When they do a DNS request for a service
address from $GLOBAL_CONTENT_PROVIDER, they end up getting the US
service address because the content provider believes the request is
coming from the US resulting in poor performance. In other words, if a
service relies on connection to other services that try to do
geographical affinity, it could lead to a sub-optimal experience.
I have ZERO sympathy for people who attempt to do this getting wrong
answers. There is little correlation between geography and IP addresses.
In fact, I know lots of people who consider it a benefit to have ARIN addresses
in other parts of the world because it allows them to get to content that isn't
allowed to APNIC addresses on the belief that this somehow protects
copyright or other issues for content distribution. I find that pretty amusing.
It could also cause problems where the content is different (or possibly
prohibited) depending on the geographical location of the requestor
which some folks try to determine by source address (but which is
actually quite idiotic, in my opinion, because as you see from this
thread, an IP address in no way relates to where the person really is,
it only relates to where the entity to whom it was issued is located).
Again, ZERO sympathy here. Especially where someone is trying to
use source IP as a mechansim for determining who they are willing
to distribute their content to.
Been there and experienced issues like that before. It can even be bad
when you are given an IP block that might have been used before by
someone in another region.
Can be bad when given an IP block that might have been used before
by someone in the same region. That's not particularly different.
Can be bad if you get space from one of the more recent /8s that has
lots of cruft from having been used as pseudo-RFC-1918 space, too.
We're scraping the bottom of the barrel for IPv4 space these days.
It is what it is, and it's only going to get worse in IPv4. Time to go
to IPv6.
Exactly. So migrating to v6 has no bearing on the conversation. The
same "problem" (a problem which some people create themselves by relying
on the source IP to determine geographic location) exists with either
protocol. There is just no way to tell where the device initiating the
conversation is located by looking at the IP and the extent to which you
can tell by where the traffic enters your network depends on the
temperature of the potato as perceived by the network downstream from
you. Did they haul it across an ocean before handing it to you?
Geographical location by IP address is just plain nuts, but people will
find a way to sell anything, I suppose.
Some pseudo random thoughts and questions? (my BGP is rusty.)
1. Does it violate your AUP with APNIC?
2. If the larger routing prefix is from APNIC will your upstream in the EMEA region filter or black hole the sub prefix since it is from APNIC and not RIPE and would appear to be a hijacked block? (In my experience in some European countries "rules" are more strictly enforced than in other areas of the globe. I will spare you the American, Russian and French standards organization joke.)
3. It would appear that again since it is in an APNIC sub-prefix would you need to "carry" the packets from a PoP in APNIC region to your facility in the EMEA assuming the sub prefix is not large enough to be propagated in normal BPG updates?
4. And if the bits did get through for a period of time would the transit provider determine that they did not want to carry them any more and add filtering at any random point in time?
These questions assume that you do not have a single transit provider that covers both of your locations in the two different regions and can "custom route" the packets.
Some pseudo random thoughts and questions? (my BGP is rusty.)
1. Does it violate your AUP with APNIC?
Not if he has infrastructure in the remote location and infrastructure and/or HQ in APNIC region.
2. If the larger routing prefix is from APNIC will your upstream in the EMEA region filter or black hole the sub prefix since it is from APNIC and not RIPE and would appear to be a hijacked block? (In my experience in some European countries "rules" are more strictly enforced than in other areas of the globe. I will spare you the American, Russian and French standards organization joke.)
LoL... In my experience, the guys that are getting money from you will route what you want routed
unless they have reason to believe you are not legitimately entitled to route it.
3. It would appear that again since it is in an APNIC sub-prefix would you need to "carry" the packets from a PoP in APNIC region to your facility in the EMEA assuming the sub prefix is not large enough to be propagated in normal BPG updates?
If that is true, yes. i was assuming that he was using a sub-prefix length <=/24 for EMEA region. If he's trying to run a /25 or longer, then, life will indeed suck, but, not because of the RIR issues, because of the long-prefix problem.
4. And if the bits did get through for a period of time would the transit provider determine that they did not want to carry them any more and add filtering at any random point in time?
Unlikely if it's a legitimate route. It wouldn't appear any less legitimate than any other route and there are many inter-regional routes advertised just like this already that work just fine.
These questions assume that you do not have a single transit provider that covers both of your locations in the two different regions and can "custom route" the packets.
Like spammers buying IPs from RIPE region LIRs such as jump.ro, and then announcing those IPs only in the North American data centers where they're buying server hosting?
In some circumstances, deaggregation of your rir-assigned prefix might lead to partial reachability (some networks filter on rir minimum assignment sizes - not a problem in itself, but some unclever networks exist, that don't additionally take a default).
Whatever you announce, make sure it's irr registered too, for the networks who transit or peer with you, who automatically build pfx filters.