Mailing List Archive

6to4 relay routers
We've had problems reported before now (e.g. from NetBSD developers,
trying to reach the NetBSD development cluster hosted at ISC) that 6to4
access from the wilds of the Internet to our network is patchy.

In the cases that I have debugged, it has turned out that the problem
was an unreachable (or apparently malfunctioning) RFC3608-numbered
relay router from the 6to4-numbered client, or a missing route to
2002::/16 from our network.

I am looking at providing a public relay router in AS 3557 in
California, and advertising both 2002::/16 and 192.88.99.0/24 for
global transit as a public service. This seems very much in keeping
with ISC's goals as a public-benefit corporation, and hopefully would
also have the side effect of reducing NOC calls about 6to4 reachability
of stuff hosted in our network :-)

If anybody has any comments about that idea, I'd like to hear them.

I see 2002::/16 is currently originated by a number of ASes, but (I
think) often only towards customers, and not towards peers. I see a
larger number of advertisements for 192.88.99.0/24. I don't see any
public signs of coordination between the various people originating
these prefixes.

Anybody know if the various 6to4 relay router operators are
coordinating their efforts in any way? We're happy to host a web page
and keep it up-to-date if that seems like it might be helpful.


Joe
6to4 relay routers [ In reply to ]
On Jul 27, Joe Abley <jabley@isc.org> wrote:

> We've had problems reported before now (e.g. from NetBSD developers,
> trying to reach the NetBSD development cluster hosted at ISC) that 6to4
> access from the wilds of the Internet to our network is patchy.
In the last few weeks I noticed that many users, usually from the US,
reported the same kind of problems.
I think that having more public 6to4 relays is a good thing, even if
announced only at the local IXes.

> Anybody know if the various 6to4 relay router operators are
> coordinating their efforts in any way? We're happy to host a web page
> and keep it up-to-date if that seems like it might be helpful.
In the RIPE region, we share access to the related IRR objects.
Having some documentation to help new sites setting up relays would
probably be useful too, many large backbones have IPv6 connectivity but
do not announce the IPv4 anycast prefix even to their customers
(possibly because of DoS concerns).

--
ciao,
Marco
6to4 relay routers [ In reply to ]
On Wed, 27 Jul 2005, Joe Abley wrote:
> I see 2002::/16 is currently originated by a number of ASes, but (I think)
> often only towards customers, and not towards peers. I see a larger number of
> advertisements for 192.88.99.0/24. I don't see any public signs of
> coordination between the various people originating these prefixes.
>
> Anybody know if the various 6to4 relay router operators are coordinating
> their efforts in any way? We're happy to host a web page and keep it
> up-to-date if that seems like it might be helpful.

In RIPE region, you can do 'whois 192.88.99.0/24@whois.ripe.net' or
RFC3068-MNT and you see a number of folks.

There's also a mailing list for 6to4 operators that are part of that
RIPE record (the address escapes me at the moment), but during the
last year or so, it has only been used for spamming.

More coordination etc. would be good, but this seems to be a more
urgent matter in the North America area.

--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
6to4 relay routers [ In reply to ]
We keep a list at:

http://www.ipv6tf.org/using/connectivity/6to4.php

I will check if someone registered at whois is not in our list and update it
tomorrow.

If anyone else is missing, please let me know!

Regards,
Jordi




> From: Pekka Savola <pekkas@netcore.fi>
> Reply-To: <ipv6-ops-bounces+jordi.palet=consulintel.es@lists.cluenet.de>
> Date: Wed, 27 Jul 2005 17:33:14 +0300 (EEST)
> To: Joe Abley <jabley@isc.org>
> CC: "ipv6-ops@lists.cluenet.de" <ipv6-ops@lists.cluenet.de>
> Subject: Re: 6to4 relay routers
>
> On Wed, 27 Jul 2005, Joe Abley wrote:
>> I see 2002::/16 is currently originated by a number of ASes, but (I think)
>> often only towards customers, and not towards peers. I see a larger number of
>> advertisements for 192.88.99.0/24. I don't see any public signs of
>> coordination between the various people originating these prefixes.
>>
>> Anybody know if the various 6to4 relay router operators are coordinating
>> their efforts in any way? We're happy to host a web page and keep it
>> up-to-date if that seems like it might be helpful.
>
> In RIPE region, you can do 'whois 192.88.99.0/24@whois.ripe.net' or
> RFC3068-MNT and you see a number of folks.
>
> There's also a mailing list for 6to4 operators that are part of that
> RIPE record (the address escapes me at the moment), but during the
> last year or so, it has only been used for spamming.
>
> More coordination etc. would be good, but this seems to be a more
> urgent matter in the North America area.
>
> --
> Pekka Savola "You each name yourselves king, yet the
> Netcore Oy kingdom bleeds."
> Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings




6to4 relay routers [ In reply to ]
On Wed, 27 Jul 2005, JORDI PALET MARTINEZ wrote:
> We keep a list at:
>
> http://www.ipv6tf.org/using/connectivity/6to4.php
>
> I will check if someone registered at whois is not in our list and update it
> tomorrow.

The "list" is about non-192.88.99.0/24 relays, which (IMHO) are close
to useless from a random user's perspective.

It might be more interesting to have a list of relays providing
service at 192.88.99.1, because that's what the implementations use by
default, and which is always the latest among anycast relays.

--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
6to4 relay routers [ In reply to ]
On 27 Jul 2005, at 14:04, Pekka Savola wrote:

> It might be more interesting to have a list of relays providing
> service at 192.88.99.1, because that's what the implementations use by
> default, and which is always the latest among anycast relays.

Yes, coordination of the anycast distribution of 192.88.99.0/24 was
what I meant in my original question.


Joe
6to4 relay routers [ In reply to ]
Btw, as it happens, David Malone has done some study on the amount and
placement of 6to4 relays (copied), if you have some data on 2002::/16
and/or 192.88.99.1 deployment in particular.

On Wed, 27 Jul 2005, Pekka Savola wrote:
> On Wed, 27 Jul 2005, JORDI PALET MARTINEZ wrote:
>> We keep a list at:
>>
>> http://www.ipv6tf.org/using/connectivity/6to4.php
>>
>> I will check if someone registered at whois is not in our list and
>> update it tomorrow.
>
> The "list" is about non-192.88.99.0/24 relays, which (IMHO) are close to
> useless from a random user's perspective.
>
> It might be more interesting to have a list of relays providing service at
> 192.88.99.1, because that's what the implementations use by default, and
> which is always the latest among anycast relays.
>
>

--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
6to4 relay routers [ In reply to ]
--On 27 July 2005 21:04:05 +0300 Pekka Savola <pekkas@netcore.fi> wrote:

> It might be more interesting to have a list of relays providing service
> at 192.88.99.1, because that's what the implementations use by default,
> and which is always the latest among anycast relays.

I would say this isn't quite right:

route-views.oregon-ix.net>show ip bgp 192.88.99.1
BGP routing table entry for 192.88.99.1/32, version 22599194
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Not advertised to any peer
16150
217.75.96.60 from 217.75.96.60 (217.75.96.60)
Origin incomplete, metric 0, localpref 100, valid, external, best


Michael

--
Michael H. Lambert, Network Engineer Phone: +1 412 268-4960
Pittsburgh Supercomputing Center FAX: +1 412 268-8200
4400 Fifth Avenue, Pittsburgh, PA 15213 USA lambert@psc.edu
6to4 relay routers [ In reply to ]
On Wed, 27 Jul 2005, Michael H Lambert wrote:
>> It might be more interesting to have a list of relays providing service
>> at 192.88.99.1, because that's what the implementations use by default,
>> and which is always the [closest] among anycast relays.
>
> I would say this isn't quite right:
>
> route-views.oregon-ix.net>show ip bgp 192.88.99.1
> BGP routing table entry for 192.88.99.1/32, version 22599194
> Paths: (1 available, best #1, table Default-IP-Routing-Table)
> Not advertised to any peer
> 16150
> 217.75.96.60 from 217.75.96.60 (217.75.96.60)
> Origin incomplete, metric 0, localpref 100, valid, external, best

I guess what route views sees has only minor bearing on what's out
there.

There are at least half a dozen or so publicly advertised relays that
just for some reason don't show on route-views. And if you look at
Abilene, you see at least four as well.

For example, if you look at http://stats.geant.net/lg/lgform.cgi, you
can see 4 relays, and that's even not the full list of them (at least
ours, from AS1741 through AS2603 [NORDUnet] doesn't show up there,
maybe GEANT doesn't allow it anymore for some reason).

--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
6to4 relay routers [ In reply to ]
--On 27 July 2005 21:29:34 +0300 Pekka Savola <pekkas@netcore.fi> wrote:

> I guess what route views sees has only minor bearing on what's out there.
>
> There are at least half a dozen or so publicly advertised relays that
> just for some reason don't show on route-views. And if you look at
> Abilene, you see at least four as well.

My point was that someone is announcing a /32 instead of the full /24
anycast block (lots of /24 announcements heard on route views). Even if
6to4 relays are working well in general, we still have to worry about
leakages like this.

Michael
6to4 relay routers [ In reply to ]
On Wed, 27 Jul 2005, Michael H Lambert wrote:
>> I guess what route views sees has only minor bearing on what's out there.
>>
>> There are at least half a dozen or so publicly advertised relays that
>> just for some reason don't show on route-views. And if you look at
>> Abilene, you see at least four as well.
>
> My point was that someone is announcing a /32 instead of the full /24 anycast
> block (lots of /24 announcements heard on route views). Even if 6to4 relays
> are working well in general, we still have to worry about leakages like this.

Oh sorry, I missed your point. This may not be a real worry though.
I know the AS number in question (it's used as a backup here when our
primary relay goes down), and they don't seem to actually advertise
the /32 anywhere (because otherwise it'd be used all the time), or
everyone is rejecting it (which folks should be doing anyway -- I know
of no one accepting /32's from eBGP peers).

I guess they're just dumping the contents of their iBGP to route-views
or something.

--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
6to4 relay routers [ In reply to ]
Pekka is correct, we announce the /32 to route-views, but we announce
the /24 to our peers.

/Peter Salanki
Port80 AB
AS16150
Stockholm, Sweden

On 27 Jul 2005, at 21:05, Pekka Savola wrote:

> On Wed, 27 Jul 2005, Michael H Lambert wrote:
>
>>> I guess what route views sees has only minor bearing on what's out
>>> there.
>>> There are at least half a dozen or so publicly advertised relays
>>> that just for some reason don't show on route-views. And if you
>>> look at Abilene, you see at least four as well.
>>>
>>
>> My point was that someone is announcing a /32 instead of the full
>> /24 anycast block (lots of /24 announcements heard on route
>> views). Even if 6to4 relays are working well in general, we still
>> have to worry about leakages like this.
>>
>
> Oh sorry, I missed your point. This may not be a real worry
> though. I know the AS number in question (it's used as a backup
> here when our primary relay goes down), and they don't seem to
> actually advertise the /32 anywhere (because otherwise it'd be used
> all the time), or everyone is rejecting it (which folks should be
> doing anyway -- I know of no one accepting /32's from eBGP peers).
>
> I guess they're just dumping the contents of their iBGP to
> route-views or something.
>
> --
> Pekka Savola "You each name yourselves king, yet the
> Netcore Oy kingdom bleeds."
> Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
>
6to4 relay routers [ In reply to ]
Joe Abley wrote:

Hi Joe,

> In the cases that I have debugged, it has turned out that the problem
> was an unreachable (or apparently malfunctioning) RFC3608-numbered relay
> router from the 6to4-numbered client, or a missing route to 2002::/16
> from our network.

In cases where the relay (either IPv4 or IPv6) is unreachable I've seen
(several times) well connected public relays advertised to peers with
the no-export community to limit propagation and thus the bandwidth
usage on the local relay. Unfortunately this can break visibility for
downstream neighbors which just don't get the routes from their upstreams.

> I am looking at providing a public relay router in AS 3557 in
> California, and advertising both 2002::/16 and 192.88.99.0/24 for global
> transit as a public service. This seems very much in keeping with ISC's
> goals as a public-benefit corporation, and hopefully would also have the
> side effect of reducing NOC calls about 6to4 reachability of stuff
> hosted in our network :-)

I fully encourage you to do that :-)

Maybe you want to do some fiddling with the communities for your
upstreams since advertising 192.88.99.0/24 to your intercontinental
upstream is less than optimal for latencies. Especially European users
might not be that happy to see their packets go to .us first.

> Anybody know if the various 6to4 relay router operators are coordinating
> their efforts in any way? We're happy to host a web page and keep it
> up-to-date if that seems like it might be helpful.

There is the mailing list 6to4-ops@bit.nl run by Pim van Pelt which
occasionally has some 6to4 related traffic (sorry, I don't know the
subscription address or webpage). But generally there is no real
coordination, whoever asks to be added to RFC3068-MNT to be able to
create a route object is added, but there are several operators
announcing the prefix without route object.

Unfortunately 6to4 is a mess to debug, as long as you don't have a node
in your network doing both directions through your relay you can't even
monitor it reliably.

For the parties interested I've written a config sample in the
#networker-wiki some time ago

http://wiki.denog.de/twiki/bin/view/NETWORKER/CiscoSixToFourRelay

Configuring a relay is quite straightforward, but to keep it running
(see monitoring) is not that easy. Basically you have to trust your
Cisco. For intrasite users we're now doing tests with ISATAP, since all
relays are in your own control it is easier to debug and has usually
better latency.

Bernhard
6to4 relay routers [ In reply to ]
On 27 Jul 2005, at 14:55, Michael H Lambert wrote:

> --On 27 July 2005 21:29:34 +0300 Pekka Savola <pekkas@netcore.fi>
> wrote:
>
>> I guess what route views sees has only minor bearing on what's out there.
>>
>> There are at least half a dozen or so publicly advertised relays that
>> just for some reason don't show on route-views. And if you look at
>> Abilene, you see at least four as well.
>
> My point was that someone is announcing a /32 instead of the full /24
> anycast block (lots of /24 announcements heard on route views).

There is little consistency in the views that people send route-views.
Some people treat route-views as a customer, some as a peer, and some
send them an internal view that would never normally be sent to an EBGP
peer.

Just because it shows up on route-views doesn't mean there's a problem.


Joe
6to4 relay routers [ In reply to ]
Hi,

On Wed, Jul 27, 2005 at 02:15:54PM -0400, Michael H Lambert wrote:
> route-views.oregon-ix.net>show ip bgp 192.88.99.1
> BGP routing table entry for 192.88.99.1/32, version 22599194

Someone is announcing a /32, which is not what people are supposed
to do (and not what other people are supposed to accept...).

That way you won't see the heap of announced /24s...

route-views.oregon-ix.net>sh ip b 192.88.99.0
BGP routing table entry for 192.88.99.0/24, version 22599193
Paths: (50 available, best #6, table Default-IP-Routing-Table)
...

Gert Doering
-- NetMaster
--
Total number of prefixes smaller than registry allocations: 71007 (66629)

SpaceNet AG Mail: netmaster@Space.Net
Joseph-Dollinger-Bogen 14 Tel : +49-89-32356-0
D- 80807 Muenchen Fax : +49-89-32356-234
6to4 relay routers [ In reply to ]
On Wed, Jul 27, 2005 at 09:12:51PM +0300, Pekka Savola wrote:
> Btw, as it happens, David Malone has done some study on the amount and
> placement of 6to4 relays (copied), if you have some data on 2002::/16
> and/or 192.88.99.1 deployment in particular.

I've a paper about trying to find both public and private relay
routers. If the techniques I'm using are to be trusted, then there
may be over 50 relay routers, but most of them are only advertised
internally.

David.
6to4 relay routers [ In reply to ]
On Wed, Jul 27, 2005 at 04:35:25PM -0400, Joe Abley wrote:
>
> On 27 Jul 2005, at 14:55, Michael H Lambert wrote:
>
> >--On 27 July 2005 21:29:34 +0300 Pekka Savola <pekkas@netcore.fi>
> >wrote:
> >
> >>I guess what route views sees has only minor bearing on what's out there.
> >>
> >>There are at least half a dozen or so publicly advertised relays that
> >>just for some reason don't show on route-views. And if you look at
> >>Abilene, you see at least four as well.
> >
> >My point was that someone is announcing a /32 instead of the full /24
> >anycast block (lots of /24 announcements heard on route views).
>
> There is little consistency in the views that people send route-views.
> Some people treat route-views as a customer, some as a peer, and some
> send them an internal view that would never normally be sent to an EBGP
> peer.

Brief update on this: We (routeviews) are in the process
of trying to regularize what routes we're
carrying. However, the difficulty we've run into is that
routeviews has quite a few (different) constituencies
which are asking for different route sets. Of course,
there are many ways to approach this problem, each with
its own cost/benefit.

In any event, I am interested in which route sets you
would like to see for (your) operational purposes.

Thanks,

Dave
6to4 relay routers [ In reply to ]
On 28 Jul 2005, at 07:28, David Malone wrote:

> On Wed, Jul 27, 2005 at 09:12:51PM +0300, Pekka Savola wrote:
>> Btw, as it happens, David Malone has done some study on the amount and
>> placement of 6to4 relays (copied), if you have some data on 2002::/16
>> and/or 192.88.99.1 deployment in particular.
>
> I've a paper about trying to find both public and private relay
> routers. If the techniques I'm using are to be trusted, then there
> may be over 50 relay routers, but most of them are only advertised
> internally.

Belated follow-up.

There's now a 6to4 relay router running in AS 3557, 6to4.sql1.isc.org
(192.5.4.242). That router is originating the RFC 3068 prefix
192.88.99.0/24 and the 6to4 covering prefix 2002::/16, but neither of
those routes are being advertised to peers or transit providers at
present.

If anybody feels like manually pointing stf0 at 192.5.4.242 to try
things out, I'd be interested to hear any feedback. This may be of
particular interest to people wanting to use 6to4 tunnels to reach
v6-hosted services which live at ISC (e.g. ftp.netbsd.org,
ftp.freebsd.org).


Joe
6to4 relay routers [ In reply to ]
On Sun, Jul 31, 2005 at 02:00:57AM -0700, David Meyer wrote:
> In any event, I am interested in which route sets you
> would like to see for (your) operational purposes.

Ideally exactly what $ISP would send to customers too. That usually
means a full table minus IBGP more-specifics.

Only on this data you can do meaningful leak analysis...

Ideally, a looking glass would receive a really full view BUT routes
tagged with three (locally) well-known communities declaring them as
either "part of the peering route set", "part of the full table route
set" and "part of the full IBGP route set". So one can filter on the
looking glass to answer questions like:

- does anybody have any routes (if only internal) to some IP?
- does XYZ handle route x/y as customer or peer/upstream route?


Best regards,
Daniel

--
CLUE-RIPE -- Jabber: dr@cluenet.de -- dr@IRCnet -- PGP: 0xA85C8AA0
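
Added example, not part of the post above or of any looking-glass software: a sketch of the three-community tagging scheme Daniel describes, answering his two questions and separating exported more-specifics of 192.88.99.0/24 from IBGP-only ones such as the /32 discussed earlier in the thread. The community values, the documentation AS numbers and every route entry are constructed, and the customer versus peer/upstream reading assumes peers are sent only own and customer routes.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical route-set communities (values constructed for this example).
PEERING = "64511:1"     # part of the peering route set
FULL_TABLE = "64511:2"  # part of the full-table route set
IBGP = "64511:3"        # part of the full IBGP route set
ANYCAST_6TO4 = ipaddress.ip_network("192.88.99.0/24")  # RFC 3068 prefix


@dataclass(frozen=True)
class Route:
    feeder_as: int          # AS feeding the looking glass
    prefix: str
    communities: frozenset  # route-set tags attached by the feeder

    @property
    def net(self):
        return ipaddress.ip_network(self.prefix)


# Constructed looking-glass table (documentation AS numbers and prefixes).
TABLE = [
    Route(64500, "192.88.99.0/24", frozenset({PEERING, FULL_TABLE, IBGP})),
    Route(64500, "192.88.99.1/32", frozenset({IBGP})),  # internal only
    Route(64501, "192.88.99.0/24", frozenset({FULL_TABLE, IBGP})),
    Route(64502, "192.88.99.1/32", frozenset({FULL_TABLE, IBGP})),  # exported
    Route(64501, "198.51.100.0/24", frozenset({IBGP})),
]


def routes_to(ip, table=TABLE):
    """Question 1: does anybody have any route (if only internal) to ip?"""
    addr = ipaddress.ip_address(ip)
    return [r for r in table if addr in r.net]


def handling(feeder_as, prefix, table=TABLE):
    """Question 2: does feeder_as treat prefix as a customer route or as a
    peer/upstream route? Assumes only own and customer routes are tagged
    as part of the peering set."""
    for r in table:
        if r.feeder_as == feeder_as and r.prefix == prefix:
            if PEERING in r.communities:
                return "customer"
            if FULL_TABLE in r.communities:
                return "peer/upstream"
            return "internal"
    return None  # feeder carries no such route


def leaked_more_specifics(covering=ANYCAST_6TO4, table=TABLE):
    """Leak analysis: more-specifics of covering that are tagged as
    exported. IBGP-only more-specifics are ignored, not reported."""
    exported = {PEERING, FULL_TABLE}
    return [r for r in table
            if r.net != covering and r.net.subnet_of(covering)
            and r.communities & exported]


if __name__ == "__main__":
    for r in routes_to("192.88.99.1"):
        print(r.feeder_as, r.prefix, handling(r.feeder_as, r.prefix))
    for r in leaked_more_specifics():
        print("exported more-specific:", r.feeder_as, r.prefix)
```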