summaryrefslogtreecommitdiff
path: root/_posts/2023-08-18-networking-adventure-my-own-ipv6-prefix-and-as.md
blob: e13044d15bab1b79e6a6681ec4e6eec5c5fd30e4 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
---
layout: post
title: 'Networking adventure: My own IPv6 prefix and AS'
date: 2023-08-18 13:18 +0200
lang: "en"
categories: ["tech"]
description: "How I run my own Autonomous System, with my own IPv6 prefix"
---

*Update: You can read the second part [here]({% post_url 2024-03-17-further-learnings-from-running-my-as %}).*

*First off: I'm no expert in this topic. Most of that I know /
think I know is self-learnt. I also won't get into too much detail
in regards to networking theory.*

*Links in this article to providers should be seen as
examples, not necessarily as recommendations. Your mileage
may vary, do your own research.*

After I played around with [DN42]({% link dn42.md %}) a bit, I
got curious to try out some "real networking stuff". That is,
"how can I get my own IPv6 address? And what can I do with it?".

Aside: Why IPv6, and no IPv4? Because IPv4 assignments are really hard
and expensive to get by, since the pool has run very low. Also,
I don't care about IPv4. (Sadly, my webhoster still doesn't
have IPv6 \*grumps\*).

## IPv6 Prefixes

The first option to get and IPv6 prefix are tunnel brokers.
Which are fine for simply providing some services, say a web server.
These are also used to get IPv6 access if your ISP only
offers IPv4.

But what if I want my very own IPv6 prefix?

For me in Europe, the responsible organization, a so-called
[RIR](https://en.wikipedia.org/wiki/Regional_Internet_registry),
is the [RIPE NCC](https://ripe.net/).
To get IPv6 prefixes *directly* from them, you have to become a
member, and, if I understood correctly, a 
[LIR](https://en.wikipedia.org/wiki/Local_Internet_registry)
(which costs *lots* of money, at least for my budget as a
person / for private use).

There's also the possibility to get address space 
(or resources in general) from already-RIPE-NCC-members.
This is a so called LIR sponsoring.
There are basically two kinds of prefixes you can get,
[PI and PA address space](https://www.ripe.net/participate/member-support/faqs/isp-related-questions/pa-pi).

While with PI space, you "really own" the address space, it's
usually more expensive than PA space. With PA space,
if the provider you are getting the same from goes bankrupt
or changes its terms about the service, you may lose your
address space.

In any case, you have to register for an RIPE NCC account first
(which is not the same as becoming a LIR) to be able to access
the [RIPE database](https://apps.db.ripe.net/). There, you have to
create several "objects". These describe… hm… basically
everything that happens on the internet on the "IP level" on a
regulatory level (?). Whom do
IP addresses belong to? Who is allowed to announce them via
[BGP](https://en.wikipedia.org/wiki/BGP). Who is to be contacted
in case someone does DoS attacks from a certain IP range?

Aside: BGP runs on the internet and tells routers where they should
send packages to reach, say, Wikipedia or my blog.

With several objects (1) created, you can contact a provider which offers
so-called "LIR services". I for myself went with the
[Securebit AGs Tunnelbroker](https://tunnelbroker.ch/) to request my
IPv6 prefix in the PA space. A /48 prefix is even free and completely sufficient
for my purposes.

(1) Aside: Maintainer, Person, Organisation, and Abuse-C role.

## AS - Autonomous Systems

With the IPv6 prefix assigned, now what? The routers on the internet
won't know where to send the IP packages for that address space to.
For this, the prefix needs to be announced via BGP.

Now, how do you do that? You can't simply shout out into the internet
that the other routers should send packages for your IPv6 prefixes to you.
They won't listen (2).
For this to succeed, you need an AS, an
[Autonomous System](https://en.wikipedia.org/wiki/Autonomous_system_(Internet)).
This is a single computer or group of computers which handle routing.

(2) And for a good reason. Imagine everyone could tell the internet
to route all Google traffic to them. Though such things happened
in the past, with authoratorian states forcing their ISPs to
"blackhole" or reroute traffic to certain sites...

An AS is registered in the RIPE NCC database with an AS number (and
within in, some contact info). This AS number will be the origin
of your announcements of your prefix. IP prefixes are registered there as
well. The database also states which AS is allowed to announce which
prefix(es).

I got my AS number from the [iFog GmbH](https://ifog.ch/en/ip/lir-services).
This is the only provider I could find which only charges a one-time fee,
as opposed to an annual fee.

Now that you have your AS number... Who do you shout your prefixes
at?

## Peering

When registering your AS, no matter if via RIPE NCC or via a
LIR service provider, you have to provide "peerings". These
are the other LIRs you will announce your prefixes to.

RIPE NCC requires you to have
[at least two peerings](https://www.ripe.net/manage-ips-and-asns/resource-management/supporting-notes-for-internet-address-space-request-forms#ASN)
when you request an AS number. Also, the network must
be "multihomed".
The [RIPE NCC glossary](https://www.ripe.net/participate/member-support/lir-basics/ncc_glossary_print.pdf)
says that means you must be "connected to two or more networks" or
"have two or more network addresses". (I am not sure if this means the
same than the requirement that you have to have two peers.
I *assume* you can't have just a single VPS connected to
two peers, though - unless the VPS provider provides
two network interfaces to different ISPs on that VPS).

Again, peering *usually* costs money, it seems, from
the offers I gathered. There are also hosting
providers which offer BGP sessions. That means, you announce your
prefixes to them.

At this point, thank you to
[@mark22k@layer8.space on Mastodon](https://layer8.space/@mark22k/) which
[linked me](https://layer8.space/@mark22k/110893290832697638)
to a [Google Doc](https://bgp.services/) with some providers
of peering services.

EDIT: Alternatively, try
[this link](https://docs.google.com/spreadsheets/d/1abmV_mXWWCsVxHLfouSivyS7ch-PcUww8S6ksY66c5o/).

Aside: Especially with this point I was initially
*very confused*, assuming that I could simply let the provider
announce my prefix, so I wouldn't need an own AS number. Apparently,
this is not the case.

To visualize all that stuff, you may take a look at the
[Hurricane Electric BGP toolkit](https://bgp.he.net/)
to get a feeling how AS are connected with each other.