Dear Akamai, you got a /32 there not a bunch of /48s - how to break Facebook and annoy lots of users
Patrick W. Gilmore
patrick at ianai.net
Fri Aug 24 20:11:12 CEST 2012
[Yeah, I'm a little slow responding.]
On Aug 21, 2012, at 02:50 , Tore Anderson <tore.anderson at redpill-linpro.com> wrote:
>> Because we felt getting a /32 from each RIR and splitting as we
>> please was quicker, easier, and cleaner. Plus it is completely
>> within the rules.
>> Why isn't that a second best option?
> Well, obviously some people aren't too happy about it...
Trust me, no matter what we do, or do not do, we will upset someone.
Call it one of the mysteries of life.
>>> Seriously though, you *can* go to the RIPE NCC and say in one
>>> single request «I've got 1000+ sites, please give me a /48 for each
>>> of them». I can't see any reason why such a request would be
>>> rejected. You'd probably get a nice contiguous /38 (shorter if you
>>> document a growth expectation) from the PI range, from which
>>> people that filter strictly allow /48s. Win-win.
>> Perhaps we should consider it.
>> I still don't think we've done anything wrong (other than mess up a
>> few route6 objects).
> As far as *I'm* concerned, you haven't. I'm happy to accept your /48s,
> regardless of which range they come out of. But - it seems to me that by
> using a PI range instead you can placate the more conservative folks
> too, without any real downside.
Despite implications to the contrary on this very list, Akamai -does- care about $50K. (We may be profitable, but we got there by being f*@#ing cheap!) So that is one downside.
Also, we discussed this with multiple RIPE employees before making the request and came to the group decision as to the best / most proper way to get the addresses we needed. After caucusing with my group internally, we have decided to stand by our decision.
>> Never underestimate the power of human stupidity.
> Very true! And that is perhaps the single best argument for doing strict
> filtering. Under current RIPE policies, any back-yard LIR can get an
> IPv6 /29. That's 524288 /48s. Next consider the possibility that someone
> will fat finger and leak every single one of those into the DFZ. It will
> be very difficult to automatically distinguish between such a leak and
> your current use of /48s.
I'm having trouble thinking that someone spewing half a million v6 prefixes will do more than get his own connectivity shut by every peer & upstream.
The Internet is a wild, dangerous place. You don't like it, get your pr0n at the corner magazine rack like your parents did. :)