topics: BGP / IPv6 / more · settings · b&w · my business: inet⁶ consult · Twitter · Mastodon · LinkedIn · email · 🇺🇸 🇳🇱

These are all posts about BGP. Archive for 2006.

IPv4-IPv6 Compatibility

Some people, such as D.J. Bernstein in his The IPv6 mess article and Todd Underwood in his Bashing IPv6 at TelecomNEXT blog post argue that the IETF made a critical mistake when creating IPv6 by not making the protocol "compatible" with IPv4. What they mean is that a system that only runs IPv6 can't communicate with a system that only runs IPv4. That indeed seems like a significant oversight: without this, it's necessary to run parallel networks for a long time, and there must be a significant amount of logic to determine which of the two protocols can and should be used for a particular communication session. The alternative seems so easy: just reserve some space for the 32-bit IPv4 address space somewhere in the enormous 128-bit IPv6 address space. For instance, IPv4 addresses could be expressed as IPv6 addresses where the first 96 bits are zero.

This way, an IPv6 host host with address 0:0:0:0:0:0:c000:201 (which we are allowed to write down as :: can communicate with an IPv4 host with address as long as somewhere along the way, there is a router or gateway that takes the IPv6 packet and transforms it into an IPv4 packet or the other way around, a fairly simple process. At the same time, our IPv6 host with address :: can communicate with another IPv6 host that has 3ffe:2500:310:4::1 (well, for the rest of today, at least...) as per IPv6 conventions.

But... The problems start when 3ffe:2500:310:4::1 wants to communicate with When the IPv6 packet arrives at the IPv6-to-IPv4 gateway, the 3ffe:2500:310:4::1 IPv6 address can't be translated into a 32-bit IPv4 address without loss of information. So hosts with "real" IPv6 addresses can't communicate with IPv4 hosts. Even worse, there is no way to determine whether a given IPv4-compatible address belongs to an IPv4 host or an IPv6 host. It gets really bad when a host can do IPv6, but it doesn't have IPv6 connectivity to the rest of the internet.

The solution is to forget IPv4 compatible addresses for IPv6 hosts. If an IPv6 hosts is going to get an IPv4 address in the first place, it's much simpler to let the IPv6 host generate IPv4 packets where appropriate. So such a host would simply have an IPv6 address to communicate over IPv6 and an IPv4 address to communicate over IPv4.

Communication between IPv6-only and IPv4-only hosts can be accomplished using a gateway as outlined above, with the addition of NAT functionality to allow multiple IPv6 hosts behind a gateway to share the gateway's IPv4 address. This is called NAT-PT (Network Address Translation - Protocol Translation) and it has the same downsides of regular NAT in that IPv6 hosts can connect to IPv4 servers, but not the other way around. So IPv6 is more compatible with IPv4 than many people think.

Todd Underwood concludes that "IPv6 is dead, and I think pretty much everyone already knows it" and "I guess that's just about enough time for the stubborn IPv6 camp to admit they're wrong and for all of us to come together and make something that we can easily migrate to." It continues to amaze me in what a hurry people are to declare defeat. I think Todd and others who think along the same lines massively underestimate the amount of time and effort a project like this takes. It's debatable at what point IPv6 was (or will be) mature enough to replace IPv4, but I don't think anyone can seriously maintain that it reached this point before 2002. So that's at least 7 years between publication of the first RFCs and barely adequate. By extension, any new effort won't be ready before 2013. I also fail to see what the critical difference between IPv6 and any new protocol could be: obviously, it has to stay fairly close to the IP we know to avoid unnecessary complications (which IPv6 does, for the most part at least) and even more obviously, it must support longer addresses (which IPv6 certainly does). So how would the new protocol be so much better to warrant the effort?

Permalink - posted 2006-06-06

Provider Independent IPv6 addresses

Last week, ARIN, the organization in charge of distributing IP addresses in North America, changed its IPv6 address policy so it's now possible to get Provider Independent (PI) IPv6 address space.

According to the ARIN Number Resource Policy Manual:

To qualify for a direct assignment, an organization must:

  1. not be an IPv6 LIR; and
  2. qualify for an IPv4 assignment or allocation from ARIN under the IPv4 policy currently in effect.

This is both good news, and bad news. The good news is that if (in the ARIN region) you are currently connected to two or more ISPs for IPv4, you can now do this in much the same way with IPv6. Since IPv6 routing is almost identical to IPv4 routing, all of this should be fairly easy.

However, since both the routing protocols (including BGP) and the rules for getting address space are now mostly the same, this means that in the future, IPv6 routing will suffer from the same problems that have been plaguing IPv4 inter-domain routing: a "global routing table" that is much larger than necessary, requiring network operators to invest in bigger routers and causing unnecessary instability. It also means that multihoming (the practice of connecting to two or more ISPs) will never be possible for truly large numbers of internet users.

The Internet Engineering Task Force has been working on alternative ways to gain multihoming benefits in the multi6 and shim6 working groups. But the ARIN constituents decided not to wait for the completion of this work, which will likely have the effect that the shim6 mechanisms won't be adopted widely or quickly when they become available. One reason cited for moving ahead with a known problematic solution for multihoming was the statement by some organizations that they wouldn't adopt IPv6 in the absence of a multihoming solution. Prediction: they won't implement IPv6 with multihoming anytime soon either.

And unfortunately ARIN (and the other RIRs) still claim that you can filter out any IPv6 prefixes longer than /32 even though they give out micro allocations and now PI blocks that are longer than that, mostly /48. See my article from nearly three years ago.

Permalink - posted 2006-09-05

Changing BGP TCP MD5 passwords

The BGP TCP MD5 password mechanism (RFC 2385) is very useful to protect BGP sessions from attempts at unpleasantness by third parties. However, it is rather simplistic. One of the flaws is that there are no provisions for changing the password. In the old days, setting a new password for a neighbor would cause Cisco routers to tear down and reestablish the BGP session. Today, the session survives if the password or key is changed at more or less the same time at both ends. This requires a good deal of coordination. I must say that I can't remember anyone asking me to change an existing BGP password. But the security people insist that it's important to do this regularly, for instance, when employees leave. I think they have a different appreciation of the sensitivity of this key than those of us working in operations.

Anyway, Steve Bellovin, a well-known member of the IETF, has written this "internet draft" and submitted it for publication as an RFC: (will be deleted after 6 months)

What he proposes is that a router can have more than one active key so it's possible for one end to change keys and the other end to go along with this without the need to coordinate the password change very closely. Unfortunately, it's still possible to configure the wrong key, or forget to change the key after agreeing to do so, and then the BGP session will go down at some point, probably conveniently in the middle of the night. See my posting to the IETF discussion list for details.

Well, progress isn't always progress, I guess. If you have any opinions on the matter, email me.

Permalink - posted 2006-09-30

32-bit AS numbers are here

If you want to use the BGP routing protocol, you need an Autonomous System number. These AS numbers were 16 bits in size until now, allowing for around 64000 ASes, and more than half of those have been given out already. To avoid problems when we run out of AS numbers, the IETF came up with modifications to BGP to allow for 32-bit AS numbers, as I explained in a posting about a year ago.

Obviously, at some point someone has to bite the bullet and start using one of these new AS numbers. This bullet biting may happen fairly soon, as the five Regional Internet Registries have all adopted, or are in the process of adopting, the following policy:

So what does this mean for people who run BGP today? Not all that much, really, because the changes to BGP to support the longer AS numbers are completely backward compatible. The only change is that you'll see the AS number 23456 appear in more and more places. In routers that don't yet support 32-bit ASes, the special 16-bit AS number 23456 shows up as a placeholder in places where a 32-bit AS is supposed to appear.

If you have scripts that perform AS-related operations on the Routing Registries (such as the RIPE database), you'll have to adjust your software to parse the new format for 32-bit AS numbers. They are written down as <16bits>.<16bits>, for instance, 3.1099 is a new 32-bit AS number and 0.23456 is the 32-bit version of AS 23456. However, this format isn't standardized so 32-bit AS numbers may show up differently in your router. Have a look at the RIPE announcement.

As soon as the first 32-bit AS number appears in the wild I'll report it here so you can check whether it shows up in its full 32-bit glory or as 23456. In the mean time, you may want to ask your router vendor for 32-bit AS support. At least one of the big vendors isn't implementing it in all of their lines just yet because they claim there is no customer demand for it.

Permalink - posted 2006-12-29

Search for:

Archives: 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2010, 2011, 2013, 2014, 2015, 2016, 2018, 2019, 2020, 2021, 2022, 2023, 2024