This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[members-discuss] An ISP offers to announce our prefix. Is that normal?
- Previous message (by thread): [members-discuss] An ISP offers to announce our prefix. Is that normal?
- Next message (by thread): [members-discuss] An ISP offers to announce our prefix. Is that normal?
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Job Snijders
job at ntt.net
Tue Nov 12 13:37:04 CET 2019
Dear Bernd,
Good questions, thanks for bringing them up, this topic indeed doesn't
receive much attention.
I can't comment on the specifics of your case in regard to SLA and what
the best choices are for your organisation, but I can share one small
data point.
On Tue, Nov 12, 2019 at 12:16:53PM +0100, Bernd Naumann wrote:
> Then the ISP offered us to announce _our_ prefix for us, from their
> ASN, and here I lost trust, and stopped the planning for now to get
> either confirmation or an other red flag.
This actually is a common practise!
Speaking from NTT's perspective we see that customer's used to run BGP
in the past, but no longer have interest in maintaining that
infrastructure and switch to a "Direct Internet Access" (DIA) product
which usually is statically routing the IP space and perhaps using a
first-hop redundancy protocol. In such cases the customers request NTT
to announce the space on their behalf - which we can do provided that a
RPKI ROA and IRR route object are created to demonstrate to the world
that we in fact are allowed to originate the prefix.
> - Is this even "allowed" or recommend by RIPE policies or BCPs?
yes, this is allowed; and if it adequately addresses the challenges you
are trying to solve for your organisation I'd say it is even
'recommended' ;-) - the real answer is "it depends".
> - Wouldn't that be at least looks like a/an BGP hijacking (attempt)?
it would not look like a BGP hijack if RPKI ROAs / IRR "route:/route6:"
objects are created in the appropriate places authorising the ASN that
originates the prefix.
> - Just in case this is ok-ish, how would I setup the ROA with RPKI so that
> it would be come valid?
You'd go to the RIPE web portal, and create a RPKI ROA like you'd
normally do, but instead of inputting your own ASN you input the ASN of
the provider that will announce the space on your behalf. You
create/have multiple ROAs covering the same prefix but with different
Origin ASNs co-exist - this allows you to make-before-break in
transitions such as you might be going through at this moment.
A variant of the scenario you describe is "BYOIP" in context of the
cloud providers. The analogy is that instead of routing your IP space to
your office, some cloud providers offer to announce your IP space and
route it to your virtual datacenter:
https://aws.amazon.com/vpc/faqs/#Bring_Your_Own_IP
https://developers.cloudflare.com/spectrum/getting-started/byoip/
https://cloud.ibm.com/docs/tutorials?topic=solution-tutorials-byoip
https://www.zdnet.com/article/google-cloud-now-lets-you-bring-your-own-ip-address-to-all-20-regions/
https://ideas.digitalocean.com/ideas/DO-I-566#:~:targetText=Support%20Bring%20Your%20Own%20IP%20Space,their%20AS%20to%20your%20server.
Your IP resources are yours*, and you are free to authorize anyone to
route them on your behalf on the public internet.
Kind regards,
Job
* not meaning to start debate about ownership, just wanted to emphasize
that whether you do your own BGP or have someone do it on your behalf
is the same.
- Previous message (by thread): [members-discuss] An ISP offers to announce our prefix. Is that normal?
- Next message (by thread): [members-discuss] An ISP offers to announce our prefix. Is that normal?
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]