---
layout: post
title: 'Networking adventure: My own IPv6 prefix and AS'
date: 2023-08-18 13:18 +0200
lang: "en"
categories: ["tech"]
description: "How I run my own Autonomous System, with my own IPv6 prefix"
---

*Update: You can read the second part [here]({% post_url 2024-03-17-further-learnings-from-running-my-as %}).*

*First off: I'm no expert in this topic. Most of what I know / think I know is self-learnt. I also won't get into too much detail in regards to networking theory.*

*Links in this article to providers should be seen as examples, not necessarily as recommendations. Your mileage may vary, do your own research.*

After I played around with [DN42]({% link dn42.md %}) a bit, I got curious to try out some "real networking stuff". That is, "how can I get my own IPv6 address? And what can I do with it?".

Aside: Why IPv6, and no IPv4? Because IPv4 assignments are really hard and expensive to come by, since the pool has run very low. Also, I don't care about IPv4. (Sadly, my webhoster still doesn't have IPv6 \*grumps\*).

## IPv6 Prefixes

The first option to get an IPv6 prefix is a tunnel broker. These are fine for simply providing some services, say a web server. They are also used to get IPv6 access if your ISP only offers IPv4.

But what if I want my very own IPv6 prefix? For me in Europe, the responsible organization, a so-called [RIR](https://en.wikipedia.org/wiki/Regional_Internet_registry), is the [RIPE NCC](https://ripe.net/). To get IPv6 prefixes *directly* from them, you have to become a member, and, if I understood correctly, a [LIR](https://en.wikipedia.org/wiki/Local_Internet_registry) (which costs *lots* of money, at least for my budget as a person / for private use).

There's also the possibility to get address space (or resources in general) from organizations that are already RIPE NCC members. This is a so-called LIR sponsoring.

There are basically two kinds of prefixes you can get, [PI and PA address space](https://www.ripe.net/participate/member-support/faqs/isp-related-questions/pa-pi). While with PI space, you "really own" the address space, it's usually more expensive than PA space. With PA space, if the provider you are getting it from goes bankrupt or changes its terms about the service, you may lose your address space.

In any case, you have to register for a RIPE NCC account first (which is not the same as becoming a LIR) to be able to access the [RIPE database](https://apps.db.ripe.net/). There, you have to create several "objects". These describe… hm… basically everything that happens on the internet on the "IP level" on a regulatory level (?). Who do IP addresses belong to? Who is allowed to announce them via [BGP](https://en.wikipedia.org/wiki/BGP)? Who is to be contacted in case someone carries out DoS attacks from a certain IP range?

Aside: BGP runs on the internet and tells routers where they should send packets to reach, say, Wikipedia or my blog.

With several objects (1) created, you can contact a provider which offers so-called "LIR services". I myself went with the [Securebit AGs Tunnelbroker](https://tunnelbroker.ch/) to request my IPv6 prefix in the PA space. A /48 prefix is even free and completely sufficient for my purposes.

(1) Aside: Maintainer, Person, Organisation, and Abuse-C role.

## AS - Autonomous Systems

With the IPv6 prefix assigned, now what? The routers on the internet won't know where to send the IP packets for that address space. For this, the prefix needs to be announced via BGP.

Now, how do you do that? You can't simply shout out into the internet that the other routers should send packets for your IPv6 prefixes to you. They won't listen (2). For this to succeed, you need an AS, an [Autonomous System](https://en.wikipedia.org/wiki/Autonomous_system_(Internet)). This is a single computer or group of computers which handle routing.

(2) And for a good reason. Imagine everyone could tell the internet to route all Google traffic to them. Though such things happened in the past, with authoritarian states forcing their ISPs to "blackhole" or reroute traffic to certain sites...

An AS is registered in the RIPE NCC database with an AS number (and within it, some contact info). This AS number will be the origin of your announcements of your prefix. IP prefixes are registered there as well. The database also states which AS is allowed to announce which prefix(es).

I got my AS number from the [iFog GmbH](https://ifog.ch/en/ip/lir-services). This is the only provider I could find which only charges a one-time fee, as opposed to an annual fee.

Now that you have your AS number... Who do you shout your prefixes at?

## Peering

When registering your AS, no matter if via RIPE NCC or via a LIR service provider, you have to provide "peerings". These are the other LIRs you will announce your prefixes to. RIPE NCC requires you to have [at least two peerings](https://www.ripe.net/manage-ips-and-asns/resource-management/supporting-notes-for-internet-address-space-request-forms#ASN) when you request an AS number. Also, the network must be "multihomed". The [RIPE NCC glossary](https://www.ripe.net/participate/member-support/lir-basics/ncc_glossary_print.pdf) says that means you must be "connected to two or more networks" or "have two or more network addresses". (I am not sure if this means the same as the requirement that you have to have two peers. I *assume* you can't have just a single VPS connected to two peers, though - unless the VPS provider provides two network interfaces to different ISPs on that VPS).

Again, peering *usually* costs money, it seems, from the offers I gathered.

There are also hosting providers which offer BGP sessions. That means you announce your prefixes to them.

At this point, thank you to [@mark22k@layer8.space on Mastodon](https://layer8.space/@mark22k/) who [linked me](https://layer8.space/@mark22k/110893290832697638) to a [Google Doc](https://bgp.services/) with some providers of peering services. EDIT: Alternatively, try [this link](https://docs.google.com/spreadsheets/d/1abmV_mXWWCsVxHLfouSivyS7ch-PcUww8S6ksY66c5o/).

Aside: Especially with this point I was initially *very confused*, assuming that I could simply let the provider announce my prefix, so I wouldn't need my own AS number. Apparently, this is not the case.

To visualize all that stuff, you may take a look at the [Hurricane Electric BGP toolkit](https://bgp.he.net/) to get a feeling for how ASes are connected with each other.
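
The AS section above says the database states which AS is allowed to announce which prefix. As an added example (not part of the original post), the following parses `route6` objects in the database's RPSL text format and classifies a BGP announcement against them. The sample objects, maintainer names, documentation prefix and ASNs are constructed, and the /48 maximum prefix length is an assumed filter policy.

```python
import ipaddress

# Constructed sample: documentation prefix (RFC 3849) and ASNs (RFC 5398).
SAMPLE_RPSL = """\
route6:         2001:db8:1234::/48
descr:          Example personal network
origin:         AS64496
mnt-by:         EXAMPLE-MNT
source:         RIPE

route6:         2001:db8:ff00::/40
origin:         as64511
mnt-by:         OTHER-MNT
source:         RIPE
"""

def parse_route6(text):
    """Return [(IPv6Network, origin ASN)] for every route6 object in text."""
    routes = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if line.startswith(("#", "%")) or ":" not in line:
                continue  # skip comments and malformed lines
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), value.strip())
        if "route6" in attrs and "origin" in attrs:
            net = ipaddress.IPv6Network(attrs["route6"], strict=True)
            asn = int(attrs["origin"].upper().removeprefix("AS"))
            routes.append((net, asn))
    return routes

def check_announcement(routes, prefix, origin_asn, max_len=48):
    """Classify an announcement; max_len=48 is an assumed filter policy."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen > max_len:
        return "too-specific"
    covering = [(r, a) for r, a in routes if net.subnet_of(r)]
    if not covering:
        return "unregistered"
    if any(r == net and a == origin_asn for r, a in covering):
        return "authorized"
    if any(a == origin_asn for _, a in covering):
        return "more-specific"  # registered origin, but no exact object
    return "origin-mismatch"    # covered by an object with another origin
```

Anything other than `authorized` is a candidate for rejection in a prefix filter; `origin-mismatch` is the case footnote (2) describes.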