Re: [v6ops] [GROW] Deaggregation by large organizations

[Iljitsch van Beijnum <iljitsch@muada.com>]

On 25 Oct 2014, at 16:43, Ray Hunter <v6ops@globis.net> wrote:

> I'm not convinced your draft is in line with my own understanding of how multinationals I know either use, or want to use the Internet, and why the de-aggregation occurs in the first place.

> I'd thus like to see more data on where/why the de-aggregation is occurring.

Yes, that would be good to know. I guess when I have some time I'll take the Fortune 500 and see what they inject in the global routing table.

However, it's still early days for IPv6 so what we see today isn't necessarily a reflection of what's needed in the future.

> Internet "offload" is a common requirement for low value traffic, in conjunction with a private high quality internal Intranet for corporate apps like design tools, with both networks active simultaneously.

> My thinking is that SADR, and running multiple (PA) prefixes within an enterprise will address this requirement. So each sub unit would carry both the multinational/global PI space and one or more local PA space prefixes obtained from the local ISP. Only the local PA space would be advertised out of each break out. That would be and prevent the need for de-aggregate routes to be advertised back into the individual ISPs serving the sub unit satellite sites.

Do you have any examples of networks doing this? Using multiple addresses is not easy.

> Equally GRE tunnels or IPSEC tunnels over Internet are already common-practice to create virtual enterprise networks.

But that doesn't mean you want all your employees in Europe browsing the web through a tunnel to North America.

> > This way, deaggregates only have to be carried by ISPs providing the
>   aggregate of last resort service and the ISPs connecting subunits of
>   the organization.

> I don't think enterprises want to be tied to ISP's at all.

What do you mean? That they run their own network? Or that they can switch ISPs easily? No reason the latter couldn't be accomplished with the aggregate of last resort service.

> I don't know of any small set of ISPs that can economically provide service in 50+ countries in some sort of coordinated aggregate ISP manner.

Simple. Pay ISPs 1 and 2 to announce the aggregate. Then go look for ISPs 3 - 50 and tell them if they want your business, they have to interconnect with 1 and 2 (as customers or peers, you do't care). 1 and 2 need to be present globally or close to it but not necessarily locally, while 3+ need to be available locally but not necessarily globally.

> > In theory, a user in Tokyo could connect to the internet in Madrid. In practice, this is is exceedingly rare.

> I don't agree with this observation. I know of many cases e.g. where a break in/out for a 3rd party from China is made in Europe. Or where a US based company manages systems remotely in Europe, LATAM, Asia Pacific, and the US and has regional links to the customer (with a break in/out per region).

Can you provide IP addresses that can be tracerouted?

> My particular worry with aggregates of last resort would be that with longest prefix match matching, it's becoming increasingly easy for longer prefixes to hijack important enterprise aggregates. So advertising an aggregate of last resort, whilst allowing sub units to advertise longer prefixes to other ISPs, might not be such a great idea for security.

I guess the draft adds one issue here: an attacker could inject a longer prefix but add communities that cause it to be filtered before it reaches certain places so the hijacking is less obvious.

But unless you want the IPv4 table to be 14M /24s and the IPv6 table be some unholy number of /48s, the real solution to prefix hijacking needs to be found elsewhere.