[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ULA (was Re: ARIN Board Advises Internet Community on Migration to IPv6)

To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Subject: Re: ULA (was Re: ARIN Board Advises Internet Community on Migration to IPv6)
From: Fred Baker <fred@cisco.com>
Date: Thu, 24 May 2007 16:38:23 -0700
Cc: Jason Schiller <schiller@uu.net>, Jason Schiller <jason.schiller@verizonbusiness.com>, Shane Kerr <shane@time-travellers.org>, IETF V6OPS WG <v6ops@ops.ietf.org>
In-reply-to: <4653F88E.5070802@gmail.com>
References: <Pine.GSO.4.20.0705221744050.17821-100000@meno.corp.us.uu.net> <F68B4E54-A4C0-4408-9A0C-8EB553034984@cisco.com> <4653F88E.5070802@gmail.com>

On May 23, 2007, at 1:17 AM, Brian E Carpenter wrote:

With the difference that ULAs should be filtered by default inshipping products, IMHO.

there is a fundamental problem with that. Shipping products don'tgenerally *change* their customer's configurations. Since BGPfiltering is something that is set up a little differently every timea BGP peering relationship is established, I would be very hesitantto presume to add something that changed an existing filter designedby that administration.

As far as Cisco products go, Cisco route maps, like its ACLs, refusewhat they don't explicitly allow. "permit" means to include somethingin what one will send or believe on receipt, and deny is theopposite. So a typical configuration says something like


     route-map <map name> permit
	match <this set of prefixes>
	match <that set of prefixes>
	...
[default] deny <everything else>

That would preclude the ULA because it is not listed in the contractbetween two companies and is therefore not listed as something thatwould be permitted - not because it is a ULA, but because it is notin the [addendum to the] contract. This breaks down between twolarger networks, where such a list becomes impractical. In suchcases, it becomes a multistep procedure - multiple route maps withthe same name are supplied successively to a prefix until one of themmatches it, at which point we know whether to use it or not, or werun out, in which case we don't.


     route-map <map name> permit 1
	match <this specific thing>
	match <that specific thing>
	...
     route-map <map name> deny 2
	match <this more general thing>
	match <that more general thing>
	...
     route-map <map name> permit 3
        match <everything else>
[default] deny <everything else>

One never actually gets to the default case because it is explicitlyoverridden. Clearly, in such a case one wants to permit zero or moremutually agreed ULAs, and then deny ULAs as a class. One of thethings the "deny" route map wants to do is deny ULAs as a class,along with various bogon prefixes, prefixes longer than a certainlength, and so on.

In SoBGP there is a cute side-effect that could be brought into play.If SoBGP is used to preclude advertisements that aren't authorized bythe relevant registry, and ULAs aren't listed as authorized, ULAswill be precluded. So will global prefixes assigned by the RIR buttagged as "unroutable" if the registry chooses to list such in aseparate list that SoBGP doesn't look at.

At any rate, I don't think the products should be doing classfulthings on prefixes. IPv6 operates under CIDR rules, not classfulrules. The fact that it is a ULA is guidance to the guy setting upthe filters, not something the product should slip in sideways whenhe's not looking and screw up the filter he wrote.

References:
- Re: ULA (was Re: ARIN Board Advises Internet Community on Migration to IPv6)
  - From: Fred Baker <fred@cisco.com>
- Re: ULA (was Re: ARIN Board Advises Internet Community on Migration to IPv6)
  - From: Brian E Carpenter <brian.e.carpenter@gmail.com>

Prev by Date: Re: DNS and ULA
Next by Date: Call for Agenda Items
Previous by thread: Re: ULA (was Re: ARIN Board Advises Internet Community on Migration to IPv6)
Next by thread: Call for Agenda Items
Index(es):
- Date
- Thread