Dear Akamai, you got a /32 there not a bunch of /48s - how to break Facebook and annoy lots of users

Tore Anderson tore.anderson at redpill-linpro.com
Tue Aug 21 08:50:01 CEST 2012 

Hi again,

* Patrick W. Gilmore

> Assignments implies too much.  We just need addresses.  We prefer 
> they are SWIP'ed to us, but it is not a requirement.

In RIPE land, if you get a block of addresses out of another LIR's PA
allocation for your node, it's by definition an assignment. The status
field in the RIPE db will be saying «ASSIGNED PA» - unless the LIR opted
not to register the assignment in the db at all, which is allowed for
assignment up to and including /48. It's still an assignment, though.

> Because we felt getting a /32 from each RIR and splitting as we 
> please was quicker, easier, and cleaner.  Plus it is completely 
> within the rules.
> 
> Why isn't that a second best option?

Well, obviously some people aren't too happy about it...

>> Seriously though, you *can* go to the RIPE NCC and say in one 
>> single request «I've got 1000+ sites, please give me a /48 for each
>> of them». I can't see any reason why such a request would be 
>> rejected. You'd probably get a nice contiguous /38 (shorter if you
>> document a growth expectation) from the PI range, from which
>> people that filter strictly allow /48s. Win-win.
> 
> Perhaps we should consider it.
> 
> I still don't think we've done anything wrong (other than mess up a 
> few route6 objects).

As far as *I'm* concerned, you haven't. I'm happy to accept your /48s,
regardless of which range they come out of. But - it seems to me that by
using a PI range instead you can placate the more conservative folks
too, without any real downside.

NATO does it in this way, for example - see 2001:67c:1a00::/42.

> Never underestimate the power of human stupidity.

Very true! And that is perhaps the single best argument for doing strict
filtering. Under current RIPE policies, any back-yard LIR can get an
IPv6 /29. That's 524288 /48s. Next consider the possibility that someone
will fat finger and leak every single one of those into the DFZ. It will
be very difficult to automatically distinguish between such a leak and
your current use of /48s.

Best regards,
-- 
Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com

More information about the ipv6-ops mailing list