Dear Akamai, you got a /32 there not a bunch of /48s - how to break Facebook and annoy lots of users
Tore Anderson
tore.anderson at redpill-linpro.com
Tue Aug 21 08:50:01 CEST 2012
Hi again,
* Patrick W. Gilmore
> Assignments implies too much. We just need addresses. We prefer
> they are SWIP'ed to us, but it is not a requirement.
In RIPE land, if you get a block of addresses out of another LIR's PA
allocation for your node, it's by definition an assignment. The status
field in the RIPE db will be saying «ASSIGNED PA» - unless the LIR opted
not to register the assignment in the db at all, which is allowed for
assignment up to and including /48. It's still an assignment, though.
> Because we felt getting a /32 from each RIR and splitting as we
> please was quicker, easier, and cleaner. Plus it is completely
> within the rules.
>
> Why isn't that a second best option?
Well, obviously some people aren't too happy about it...
>> Seriously though, you *can* go to the RIPE NCC and say in one
>> single request «I've got 1000+ sites, please give me a /48 for each
>> of them». I can't see any reason why such a request would be
>> rejected. You'd probably get a nice contiguous /38 (shorter if you
>> document a growth expectation) from the PI range, from which
>> people that filter strictly allow /48s. Win-win.
>
> Perhaps we should consider it.
>
> I still don't think we've done anything wrong (other than mess up a
> few route6 objects).
As far as *I'm* concerned, you haven't. I'm happy to accept your /48s,
regardless of which range they come out of. But - it seems to me that by
using a PI range instead you can placate the more conservative folks
too, without any real downside.
NATO does it in this way, for example - see 2001:67c:1a00::/42.
> Never underestimate the power of human stupidity.
Very true! And that is perhaps the single best argument for doing strict
filtering. Under current RIPE policies, any back-yard LIR can get an
IPv6 /29. That's 524288 /48s. Next consider the possibility that someone
will fat finger and leak every single one of those into the DFZ. It will
be very difficult to automatically distinguish between such a leak and
your current use of /48s.
Best regards,
--
Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com
More information about the ipv6-ops
mailing list