From d8ee09ac176e3fa59ea7f722a91da259ca3ca6b5 Mon Sep 17 00:00:00 2001 From: uvok cheetah Date: Fri, 18 Aug 2023 15:03:01 +0200 Subject: Add post about network stuff --- ...tworking-adventure-my-own-ipv6-prefix-and-as.md | 144 +++++++++++++++++++++ 1 file changed, 144 insertions(+) create mode 100644 _posts/2023-08-18-networking-adventure-my-own-ipv6-prefix-and-as.md (limited to '_posts') diff --git a/_posts/2023-08-18-networking-adventure-my-own-ipv6-prefix-and-as.md b/_posts/2023-08-18-networking-adventure-my-own-ipv6-prefix-and-as.md new file mode 100644 index 0000000..f22912a --- /dev/null +++ b/_posts/2023-08-18-networking-adventure-my-own-ipv6-prefix-and-as.md 
@@ -0,0 +1,144 @@ +--- +layout: post +title: 'Networking adventure: My own IPv6 prefix and AS' +date: 2023-08-18 13:18 +0200 +lang: "en" +categories: ["tech"] +--- + +*First off: I'm no expert in this topic. Most of that I know / +think I know is self-learnt. I also won't get into too much detail +in regards to networking theory.* + +*Links in this article to providers should be seen as +examples, not necessarily as recommendations. Your mileage +may vary, do your own research.* + +After I played around with [DN42]({% link dn42.md %}) a bit, I +got curious to try out some "real networking stuff". That is, +"how can I get my own IPv6 address? And what can I do with it?". + +Aside: Why IPv6, and no IPv4? Because IPv4 assignments are really hard +and expensive to get by, since the pool has run very low. Also, +I don't care about IPv4. (Sadly, my webhoster still doesn't +have IPv6 \*grumps\*). + +## IPv6 Prefixes + +The first option to get and IPv6 prefix are tunnel brokers. +Which are fine for simply providing some services, say a web server. +These are also used to get IPv6 access if your ISP only +offers IPv4. + +But what if I want my very own IPv6 prefix? + +For me in Europe, the responsible organization, a so-called +[RIR](https://en.wikipedia.org/wiki/Regional_Internet_registry), +is the [RIPE NCC](https://ripe.net/). +To get IPv6 prefixes *directly* from them, you have to become a +member, and, if I understood correctly, a +[LIR](https://en.wikipedia.org/wiki/Local_Internet_registry) +(which costs *lots* of money, at least for my budget as a +person / for private use). + +There's also the possibility to get address space +(or resources in general) from already-RIPE-NCC-members. +This is a so called LIR sponsoring. +There are basically two kinds of prefixes you can get, +[PI and PA address space](https://www.ripe.net/participate/member-support/faqs/isp-related-questions/pa-pi). 
+ +While with PI space, you "really own" the address space, it's +usually more expensive than PA space. With PA space, +if the provider you are getting the same from goes bankrupt +or changes its terms about the service, you may lose your +address space. + +In any case, you have to register for an RIPE NCC account first +(which is not the same as becoming a LIR) to be able to access +the [RIPE database](https://apps.db.ripe.net/). There, you have to +create several "objects". These describe… hm… basically +everything that happens on the internet on the "IP level" on a +regulatory level (?). Whom do +IP addresses belong to? Who is allowed to announce them via +[BGP](https://en.wikipedia.org/wiki/BGP). Who is to be contacted +in case someone does DoS attacks from a certain IP range? + +Aside: BGP runs on the internet and tells routers where they should +send packages to reach, say, Wikipedia or my blog. + +With several objects (1) created, you can contact a provider which offers +so-called "LIR services". I for myself went with the +[Securebit AGs Tunnelbroker](https://tunnelbroker.ch/) to request my +IPv6 prefix in the PA space. A /48 prefix is even free and completely sufficient +for my purposes. + +(1) Aside: Maintainer, Person, Organisation, and Abuse-C role. + +## AS - Autonomous Systems + +With the IPv6 prefix assigned, now what? The routers on the internet +won't know where to send the IP packages for that address space to. +For this, the prefix needs to be announced via BGP. + +Now, how do you do that? You can't simply shout out into the internet +that the other routers should send packages for your IPv6 prefixes to you. +They won't listen (2). +For this to succeed, you need an AS, an +[Autonomous System](https://en.wikipedia.org/wiki/Autonomous_system_(Internet)). +This is a single computer or group of computers which handle routing. + +(2) And for a good reason. Imagine everyone could tell the internet +to route all Google traffic to them. 
Though such things happened +in the past, with authoratorian states forcing their ISPs to +"blackhole" or reroute traffic to certain sites... + +An AS is registered in the RIPE NCC database with an AS number (and +within in, some contact info). This AS number will be the origin +of your announcements of your prefix. IP prefixes are registered there as +well. The database also states which AS is allowed to announce which +prefix(es). + +I got my AS number from the [iFog GmbH](https://ifog.ch/en/ip/lir-services). +This is the only provider I could find which only charges a one-time fee, +as opposed to an annual fee. + +Now that you have your AS number... Who do you shout your prefixes +at? + +## Peering + +When registering your AS, no matter if via RIPE NCC or via a +LIR service provider, you have to provide "peerings". These +are the other LIRs you will announce your prefixes to. + +RIPE NCC requires you to have +[at least two peerings](https://www.ripe.net/manage-ips-and-asns/resource-management/supporting-notes-for-internet-address-space-request-forms#ASN) +when you request an AS number. Also, the network must +be "multihomed". +The [RIPE NCC glossary](https://www.ripe.net/participate/member-support/lir-basics/ncc_glossary_print.pdf) +says that means you must be "connected to two or more networks" or +"have two or more network addresses". (I am not sure if this means the +same than the requirement that you have to have two peers. +I *assume* you can't have just a single VPS connected to +two peers, though - unless the VPS provider provides +two network interfaces to different ISPs on that VPS). + +Again, peering *usually* costs money, it seems, from +the offers I gathered. There are also hosting +providers which offer BGP sessions. That means, you announce your +prefixes to them. 
+ +At this point, thank you to +[@mark22k@layer8.space on Mastodon](https://layer8.space/@mark22k/) which +[linked me](https://layer8.space/@mark22k/110893290832697638) +to a [Google Doc](https://bgp.services/) with some providers +of peering services. + +Aside: Especially with this point I was initially +*very confused*, assuming that I could simply let the provider +announce my prefix, so I wouldn't need an own AS number. Apparently, +this is not the case. + +To visualize all that stuff, you may take a look at the +[Hurricane Electric BGP toolkit](https://bgp.he.net/) +to get a feeling how AS are connected with each other. -- cgit v1.2.3
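Review bot: the Peering section leaves the reader with an ASN and a /48 but no object tying the two together. The hunk says the database "also states which AS is allowed to announce which prefix(es)" without naming that object or listing its creation as a step; it is the `route6` object (prefix plus origin ASN under your maintainer), and upstreams and route servers build their prefix filters from it, increasingly together with an RPKI ROA for the prefix (which, since the /48 is cut from the LIR's PA allocation, the LIR has to create on request). Suggest adding it to the footnote "Maintainer, Person, Organisation, and Abuse-C role" or as a step before "Now that you have your AS number... Who do you shout your prefixes at?", otherwise the announcement is likely to be dropped even with two working sessions. On the open question "I am not sure if this means the same than the requirement that you have to have two peers": RIPE's ASN assignment policy defines multihomed as connected to more than one AS, so two BGP sessions to two different ASes from one VPS satisfy it; the two-interfaces scenario is not required. "With PI space, you 'really own' the address space" overstates it: PI is assigned to the end user through a sponsoring LIR contract and is portable between sponsors, but remains a RIPE NCC resource. Typos in the hunk: "get and IPv6 prefix" -> "get an IPv6 prefix", "packages" -> "packets" (three places), "authoratorian" -> "authoritarian", "the same than" -> "the same as", "within in" -> "within it".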