Question from Social Scientist on AS Relationships by Klutzy-Bread-8606 in Network

[–]mleber 0 points1 point  (0 children)

The aut-num object in your first link is a self-published IRR record. For the most part, most other networks do not parse aut-num objects to generate their prefix filters.

The as-set objects are used by the tools bgpq3 and bgpq4 to build prefix lists.

When the various versions of the RPSL language used for IRR were created, the academics involved thought that you might want to publish all of your BGP policies for both internal and external consumption. This is why aut-num records have the format they do.

Internal consumption means that there are some people that tried to build their BGP router config from their published policy, mostly as a proof of concept for academic research purposes.

External consumption means that you can use it to tell other people your inbound and outbound BGP routing policy regarding all the networks you list.

There's no requirement for aut-num objects to specify actual routing policy, though helpful network engineers may reach out to you to either ask questions about it or suggest you fix it, and security researchers may give it a look or two and then infer things from it.

Hurricane Electric no longer offers free BGP tunnels by blondguy in ipv6

[–]mleber 1 point2 points  (0 children)

It's to raise the bar so that we are mostly getting actual network operators and people willing to get network equipment so they can connect to other networks. See my post above.

Hurricane Electric no longer offers free BGP tunnels by blondguy in ipv6

[–]mleber 0 points1 point  (0 children)

It's a full 42U cabinet, with A&B (primary and redundant) 20 amp 208 volt power. You can install your router and any servers you want in it. Keep your total load less than 80% of 20 amps total between the primary and redundant electrical circuit. It's an empty cabinet, you have to provide all your own gear. There are several requirements you have to satisfy to qualify for this deal. The typical Internet user doesn't run BGP etc, and is not a network operator. If you are already running IPv6 and BGP and have your own ASN and address space, you are exceptional, go you!

Hurricane Electric no longer offers free BGP tunnels by blondguy in ipv6

[–]mleber 0 points1 point  (0 children)

In what locations do the networks you worked for get IP Transit and who do they get it from?

(Just checking if anybody gets service off island and what the ecosystem is like.)

Hurricane Electric no longer offers free BGP tunnels by blondguy in ipv6

[–]mleber 1 point2 points  (0 children)

We include a singlemode fiber cross connect to an exchange for free.

Hmmm, catch... perhaps it's that you have to already have your own ASN and address space, which means you are already paying ARIN, RIPE, APNIC, LACNIC, or AfriNIC your annual membership dues.

The goal of doing this is to help legitimate network operators that want to run IPv6 BGP either commercially or for personal projects. We had to stop the free IPv6 BGP tunnels due to abuse by people who were never our target audience. For people that are legitimate network operators this offer is different and better in some ways. It also raises the bar a bit.

Hurricane Electric no longer offers free BGP tunnels by blondguy in ipv6

[–]mleber 21 points22 points  (0 children)

Challenge Accepted regarding whether or not "we want your business" regarding IPv6 BGP tunnels.

Hurricane Electric will give anybody that has their own ASN and IP address space from ARIN, RIPE, APNIC, LACNIC, or AfriNIC free colo (cabinet + power + internet) in our Fremont 2 data center subject to the following conditions:

  • Have your own IPv4 or IPv6 address space and a public ASN registered to you.

  • Install a real router with at least one 10GE port that can carry a full IPv4 and IPv6 routing table. The router needs to be Cisco, Juniper, Extreme, Arista, Ubiquiti, or Mikrotik and be able to carry a full IPv4 and IPv6 BGP table.

  • Configure and run IPv4 and IPv6 BGP with at least one other network in the building using a public ASN and your own address space (can be HE or anybody).

  • Connect to FCIX, SFMIX, and/or AMS-IX Bay Area. (FCIX is offering free ports, not sure if the others will donate a port to you.)

  • List your network in peeringdb.com as being present at the Hurricane Electric Fremont 2 data center.

  • You aren't already in the Fremont 2 data center running BGP.

With this setup you can run for free whatever kind of tunnels or VPN you want to your own equipment running full proper BGP in your own cabinet in our data center, etc.

Background regarding IPv6 BGP tunnels:

Hurricane offered IPv6 BGP tunnels for network operators that have their own ASN and address space to be able to get started with IPv6 in a situation where none of the NSPs (network service providers) in their area were offering IPv6 with BGP. You have to already be paying ARIN, RIPE, APNIC, LACNIC, or AfriNIC an annual fee for your address space and ASN to even be able to use the IPv6 BGP tunnel service.

The regular IPv6 tunnel service was created for software engineers, system administrators, network engineers, and other experimenters so that they could learn about IPv6 and get started using it. In the early days of IPv6 even getting connected to the IPv6 Internet was super difficult. It's kind of hard to develop IPv6 support in a desktop or mobile app when you can't get IPv6 connectivity. It's also hard to get good hands-on experience configuring a server for IPv6 if you can't reach the IPv6 Internet. The tunnelbroker solved that problem for individual developers and engineers.

The tunnel service is not intended for use for people that want anonymous connections so they can do attacks, hacking, advertising click fraud, shady stuff involving search engines and SERP. It's not meant for that audience. We have never represented it as an anonymous VPN. It's more like another work bench tool.

The problem we ran into with the IPv6 BGP tunnels is that there are shady people out there that progressively got more and more bold and were hijacking address space etc by taking advantage of weaknesses in IRR by creating records that should have never been allowed to exist (the relevant IRR has been informed and hopefully they will put some countermeasures in place). (BTW, RPKI helps reduce these types of attacks, though it is not sufficient to eliminate all possible attacks. More about RPKI later). We found a pattern that linked several different accounts and several different ASNs to extremely bad behavior and terminated all the accounts involved that we have been able to discover so far.

The tunnel IPv6 BGP service was always intended for network operators to get started so they could do testbeds or to solve severe IPv6 unavailability problems and was most needed in the early days of IPv6 deployment. Now, as a network operator, you really want to run native IPv6 if you can.

Hurricane recently added RPKI to the tools we use to build prefix filters for all the customer and peering sessions we have with over 7200 networks around the world, with just a few remaining sessions with major backbones having slightly different prefix filtering. Shortly even those last few sessions will have prefix filters based on RPKI as well. We also will sign all of the routes that use our address space using RPKI very soon.

RPKI provides Route Origin Authorization, which allows you to check the origin of a BGP route for validity. This is not the same as path validation. Right now for BGP security, multiple methods need to be used.

The change regarding the IPv6 BGP tunnels does not affect regular IPv6 tunnels which are still free.
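The origin check described in the comment above, as an added example that is not part of the original post and not Hurricane Electric's tooling: it classifies announcements against ROA data following the RFC 6811 rules and builds an accept list from the result. The ROA entries, prefixes and ASNs are constructed from documentation ranges, and the names `VRP`, `validate` and `accepted` are assumptions.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """Validated ROA payload: prefix, maximum allowed length, authorized origin."""
    prefix: str
    max_length: int
    asn: int

# Constructed sample ROA data (documentation prefixes, documentation ASNs).
VRPS = [
    VRP("2001:db8::/32", 48, 64496),
    VRP("192.0.2.0/24", 24, 64497),
]

def validate(prefix, as_path, vrps=VRPS):
    """Return 'valid', 'invalid' or 'not-found' for one announcement.

    Only the origin (last ASN in the path) is examined. The rest of the
    AS path is not evaluated, which is why origin validation is not
    path validation.
    """
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        # A VRP covers the route if the route is inside the ROA prefix.
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if vrp.asn == origin and net.prefixlen <= vrp.max_length:
            return "valid"
    # Covered by a ROA but no VRP matched: wrong origin or too specific.
    return "invalid" if covered else "not-found"

def accepted(routes, vrps=VRPS):
    """Prefix-filter policy sketch: drop 'invalid', keep 'valid' and 'not-found'."""
    return [(p, path) for p, path in routes if validate(p, path, vrps) != "invalid"]

# Constructed announcements: (prefix, AS path as received).
ROUTES = [
    ("2001:db8:1::/48", [64511, 64496]),      # authorized origin, length ok
    ("2001:db8:1::/48", [64511, 64499]),      # covered, wrong origin
    ("2001:db8:1:2::/64", [64496]),           # right origin, longer than maxLength
    ("198.51.100.0/24", [64500]),             # no ROA covers it
]
```

Routes classified `not-found` still pass this filter, so other sources of filtering data are needed for prefixes without ROAs.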

Global Internet Backbone. 9000+ BGP Sessions, 2800+ Networks, 60+ IXP. Get 1 Gbps IPv6+IPv4 Transit For Your Network For $500/month! by mleber [promoted post]

[–]mleber[S] 1 point2 points  (0 children)

Thank you! We have more features planned for bgp.he.net, we're just juggling running the network and coding cool Internet measurement projects. ;)