WISPs: IPv6 is the answer to some of your issues

Many Wireless Internet Service Providers (WISPs), especially newer startups, struggle with NAT issues and having enough public IP addresses to go around. Invariably, you start running into double NAT issues pretty quickly. Then you get the dreaded gamer call:

Many times they don’t even know why they are calling. They just know the magic box is saying this is bad. This is related to how many layers of NAT sit between your edge and them. Many times you are NATing at the edge, and then NATing again at the customer router. If you have multiple customers behind the same NAT at the edge, this compounds it even more.

So what is the fix? Give the customer public addresses. But IPv4 is hard to get! I didn’t say IPv4, I said public addresses. IPv6 is a public address. When given the choice between v4 and v6, most modern streaming and gaming platforms will prefer v6. Xbox has supported a protocol called Teredo for a long time. You can learn all about Teredo in this PDF. Basically, it is a tunnel over which the Xbox speaks IPv6. The ISP does not have to support v6, which does away with the above-mentioned NAT issues.

Great! I don’t have to worry about IPv6, Microsoft has it taken care of for me. There are two problems with this statement. First, there are more companies out there than Microsoft. Sony PlayStation Online, Apple gaming, and Steam are just a few. Second, you have the overhead of tunnels. In the world of who can pull the joystick quicker, milliseconds count. You don’t want them wasted in tunnel overhead. Plus, v6 is beneficial for other services such as Netflix.

Any other service that runs into port issues behind NAT can be solved with IPv6. This can be VoIP, cameras, and other types of services, provided the product or service supports v6 addresses.

So what is an ISP to do?
A while back I put together a resource guide for ISPs. You can find it at https://blog.j2sw.com/networking/ipv6/ipv6-planning-and-implementation-resources-for-the-xisp/

ARIN resources and the Service Provider

Internet Service Providers (ISPs) can be intimidated by all of the facets of working with the American Registry of Internet Numbers (ARIN). I have put together a guide that outlines common things you, as a service provider, need to do.

This guide is not an end-all how-to. Throughout, I am posting videos and links taken from the ARIN site to help. This article is more of an outline of what a service provider needs to do.

The majority of the steps below will be done through ARIN’s online ticketing system.

This is broken down into the following sections:
1. Create a Point of Contact (POC) record
2. Creating an Organization (ORG-ID)
3. Requesting an Autonomous System Number (ASN)
4. Requesting IPv6 space
5. Requesting IPv4 space
6. Source Validation
7. Reverse DNS
8. Routing Registry
9. RPKI
10. Notes and tips

Creating a Point of Contact (POC)
Point of Contact (POC) records are the foundation of your ARIN account. This record is the way you manage your resources. There are different types of POC accounts. https://www.arin.net/resources/guide/account/records/poc/ will tell you everything you need to know about POC records. Creating this record takes mere minutes.

Creating an Organization
Once you have a POC record created, you will create an Organization and associate your POC with that ORG-ID. ARIN will attach your resources to your ORG-ID. You will need your federal EIN and your registered business address for this stage. This stage takes a few days because ARIN needs to verify you are who you say you are.

Requesting an ASN
An Autonomous System Number (ASN) will be the first resource an ISP will request. The ASN allows you to participate in BGP by advertising your IP blocks to peers. The ASN request requires you to state your routing policy, usually BGP, and at least two peers with which you will be establishing BGP. If you don’t have two peers, state your plans in this section.

Once you have met the criteria, you will be asked to fill out an officer attest paper. This is a statement that the information you have submitted is correct and truthful. Once you fill out this form and submit it, you will receive an invoice. Once this invoice is paid, you will receive your ASN. This stage can take several days, depending on how much back and forth goes on asking to clarify information.

Request IPv6 space
I put this as the next stage for a few reasons. The first is you should be moving toward IPv6. At the very least, dual-stack your network. Second, requesting IPv6 space will get you familiar with how ARIN looks at requests.

You are required to state how your network is laid out, what type of network, and how you plan to deploy addresses. Be prepared to give a diagram of your system. You may have to go back and forth a few times, depending on how much detail you provided on your first request.

Just like your ASN, you will be required to sign another officer attest, pay the bill, and then the IP space will be allocated.

Requesting IPv4 space
Requesting IPv4 space is pretty close to requesting v6 space, but ARIN is more strict on their criteria these days due to the shortage of space. If you are looking to transition, you can get a /24 of v4 for your v6 transition.

If you choose to request IPv4 space, you will be put on a waiting list with others who have also requested space. Details on the waiting list can be found at https://www.arin.net/resources/guide/ipv4/waiting_list/ . ARIN is currently doing quarterly distributions to folks on the waitlist*. I put an asterisk on the previous statement because there are several variables listed at the waitlist site linked above. Some include:

  • Only organizations holding an aggregate of a /20 or less of IPv4 address space may apply and be approved.
  • The maximum-size aggregate that an organization may qualify for at any one time is a /22.

The site says they do quarterly distributions. I believe this gives ARIN time to reclaim IP space and do a cleanup on it. Depending on when you submit you may have to wait several months or longer for an allocation.

As with V6 space and ASN, you have to do another officer attest, pay your invoice, and then it is allocated.

Origin AS
Origin AS validation is a check and balance. From ARIN’s https://www.arin.net/resources/registry/originas/ :
The Origin Autonomous System (AS) field is an optional field collected by ARIN during all IPv4 and IPv6 block transactions (allocation and assignment requests, reallocation and reassignment actions, transfer and experimental requests). This additional field is used by IP address block holders (including legacy address holders) to record a list of the Autonomous System Numbers (ASNs), separated by commas or whitespace, from which the addresses in the address block(s) may originate.

This is simply a field you fill in on your ARIN account. When you get IP space from ARIN this is *usually* automatic.

Reverse DNS
You will need to point your IP blocks to your own or hosted DNS servers for the reverse entries. Many different entities pay attention to reverse DNS entries. If you have clients who run mail servers or similar services, you will need a reverse DNS entry. More information at https://www.arin.net/resources/manage/reverse/

Routing Registry
More and more companies, such as Hurricane Electric, are requiring routing registry entries. I did a pretty in-depth article on routing registries. https://blog.j2sw.com/networking/routing-registries-and-you/
ARIN now has a web-based system for setting up route objects. This web method takes some of the learning curve out of adding things into the ARIN registry. Many exchanges, including FD-IX, are moving toward routing registry support.

RPKI
RPKI is another validation method for verifying you are the proper owner of resources, especially IP blocks. https://www.arin.net/resources/manage/rpki/ . Hosted RPKI is the easiest way to get started with RPKI.

I did an article related to RPKI at https://blog.j2sw.com/networking/bgp/hurricane-electric-now-requires-irr-and-rpki/

Notes
Working with ARIN is pretty straightforward, but sometimes confusing for the newbie. I offer a package for $799 (plus ARIN fees) where I do all the above for you. I have done this so much over the years we have templates and other shortcuts for the various things done.

If you choose to do this on your own, here are some tips.
1. Don’t be afraid to provide more detail than asked.
2. The ARIN helpdesk is actually helpful. If you get stuck, call or e-mail them. They have probably answered your question before and are willing to help.
3. Be prepared to provide information about your network, especially with IPv4 requests. ARIN wants to know if you are/will be using resources efficiently.

If you get IPv4 space I would recommend adding the new IP block to your advertisements. Allow it to be learned by the various reverse Geolocation folks. After a week check your blocks using the links on this page: http://thebrotherswisp.com/index.php/geo-and-vpn/. This applies to space allocated from ARIN or purchased from a broker.

If you are looking to purchase blocks from a broker, you need to get pre-approval from ARIN. Learn more at https://www.arin.net/resources/registry/transfers/preapproval/

IPv6 Point-to-point addressing

Recently, there has been a discussion on what to use for point-to-point links under IPv6. Over the years I have seen providers use a wide variety of subnets across a point-to-point link: anything from a /64 to a /122, /124, or /127. There are arguments for each. But let’s look at some RFCs.

https://tools.ietf.org/html/rfc6164
This was the original RFC on point-to-point links advocating for a /127. It was moved to a “historical” status in 2012 after a /127 was found to be damaging.

https://tools.ietf.org/html/rfc3627
This RFC explains some of the issues with using a /127. In a nutshell:

 Using /127 can be especially harmful on a point-to-point link when
   Subnet-router anycast address is implemented.

All of this brings us to some current RFC drafts and further reading
https://tools.ietf.org/id/draft-palet-v6ops-p2p-links-00.html

Some notes on point-to-point addressing
1. Using a subnet smaller than a /64 breaks some IPv6 functionality. A point-to-point link does not use the “broken” features anyway.
2. The above 6164 RFC said vendors had to support /127s. Many wrote code to comply with the RFC, which has now been obsoleted.
3. A /64 could expose the link to security issues.

As of this writing, there are many approaches. One approach is to set aside a /64 for the point-to-point link but only use a /127 out of that /64. You don’t re-use anything else out of that /64. Other approaches, such as using a /126, /120, or /112, are being accepted until this is all figured out. So, why not a /122 or something? In short, it all has to do with the math of the subnet breakdown.
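The "reserve a /64, number the link from a /127 inside it" approach and the subnet arithmetic for the other lengths, as an added example (not from the original post). It uses Python's standard ipaddress module; the 2001:db8:ffff::/48 parent block is a documentation prefix chosen for illustration, and the function names are hypothetical.

```python
import ipaddress

def plan_p2p_links(parent, count):
    """Reserve one /64 per link from `parent`; number each link from its first /127."""
    parent = ipaddress.ip_network(parent)
    plan = []
    # range() goes first in zip() so the lazy subnet generator is never over-consumed.
    for _, reserved in zip(range(count), parent.subnets(new_prefix=64)):
        link = next(reserved.subnets(new_prefix=127))
        a_end, b_end = link[0], link[1]   # a /127 holds exactly two addresses
        plan.append({
            "reserved": str(reserved),    # nothing else is assigned from this /64
            "link": str(link),
            "a_end": str(a_end),
            "b_end": str(b_end),
            # The all-zero interface ID is the subnet-router anycast address,
            # which is the case the RFC quote above warns about for /127.
            "a_is_subnet_router_anycast": a_end == link.network_address,
        })
    return plan

def breakdown(base, new_prefix, show=4):
    """Show how consecutive subnets of a given length fall inside `base`."""
    base = ipaddress.ip_network(base)
    subnets = base.subnets(new_prefix=new_prefix)
    return {
        "addresses_per_link": 2 ** (128 - new_prefix),
        # A length divisible by 4 splits on a hex-digit boundary.
        "nibble_aligned": new_prefix % 4 == 0,
        "first_subnets": [str(s) for _, s in zip(range(show), subnets)],
    }

if __name__ == "__main__":
    for row in plan_p2p_links("2001:db8:ffff::/48", 3):
        print(row)
    for length in (126, 122, 120, 112):
        print(length, breakdown("2001:db8:ffff:1::/64", length))
```

Comparing the `first_subnets` output for /122 (steps of 0x40) with /120 and /112 shows how the boundary either falls inside a hex digit or lines up with one.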

Need an ASN, IP space? I have a package for you.

Are you intimidated by getting an ASN to participate in BGP? Do you not have the time to learn all the ins and outs of dealing with ARIN to get IP space or routing registries? Let me help you.

The ARIN starter package
-Organization ID and POC IDs setup
-Paperwork to get your own ASN
-Paperwork for your own IPv6 allocation
-Paperwork for an IPv4 /24
-ASN validation
-Documentation and maintenance documents
Cost $899 plus ARIN fees

Add Ons
-RPKI Setup $199
-Routing Registry setup $199

Add-ons are priced to add-on to the starter package.  Please let me know if you need just the add-ons for a proper quote.

Another BGP blunder, but not THAT one

Recently, there has been much talk about the Cloudflare BGP blunder and others. The Network Collective even did a video about such things. But did you know there was one involving the entire /12 of IPv6 space? Airtel AS9498 announced the entire IPv6 block 2400::/12 for a week and no one noticed. Someone typed a /12 instead of a /127.

So why did no one notice? I think part of it is due to the low usage of v6 space. Sure, all kinds of people claim stats on IPv6 usage. They talk about X amount of traffic being v6, etc. There is a difference between users and connections. A connection may not actually represent unique users.

Secondly, people are used to IPV6 being buggy.  I know many ISPs who disabled v6 as part of their troubleshooting steps.

I know there will be several folks who jump all over me about IPV6 being the wave of the future and we all should be using it.  Yes, we should, but there is no huge hurry when it comes to business cases.
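How RPKI origin validation (the RPKI section earlier on this page) and a simple prefix-length filter would each treat an announcement like the 2400::/12 one, as an added example (not from the original post or from ARIN). The ROAs are constructed from documentation prefixes and private-use ASNs, the function names are hypothetical, and the /16 minimum length is an assumed local policy.

```python
import ipaddress

# Constructed ROAs: (prefix, maxLength, origin ASN). Not real registry data.
ROAS = [
    ("2001:db8::/32", 48, 64500),
    ("2001:db8:a000::/36", 36, 64501),
]
MIN_V6_LEN = 16  # assumed local policy: refuse IPv6 routes shorter than this

def rov_state(prefix, origin, roas=ROAS):
    """Classify a route as valid / invalid / not-found against a ROA set."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, asn in roas:
        roa = ipaddress.ip_network(roa_prefix)
        # A ROA covers a route only if the route is equal to or more
        # specific than the ROA prefix.
        if route.version == roa.version and route.subnet_of(roa):
            covered = True
            if asn == origin and route.prefixlen <= max_len:
                return "valid"
    return "invalid" if covered else "not-found"

def import_decision(prefix, origin, roas=ROAS, min_len=MIN_V6_LEN):
    """Apply the length filter first, then origin validation."""
    route = ipaddress.ip_network(prefix)
    if route.prefixlen < min_len:
        return "reject: shorter than /%d" % min_len
    state = rov_state(prefix, origin, roas)
    if state == "invalid":
        return "reject: rpki invalid"
    return "accept: rpki " + state

if __name__ == "__main__":
    routes = [
        ("2001:db8:1::/48", 64500),     # matches the /32 ROA
        ("2001:db8:1::/48", 64501),     # covered, wrong origin
        ("2001:db8:a000::/40", 64501),  # covered, longer than maxLength
        ("2001:db0::/28", 64500),       # less specific than any ROA
        ("2400::/12", 9498),            # the announcement described above
    ]
    for prefix, origin in routes:
        print(prefix, origin, rov_state(prefix, origin),
              "|", import_decision(prefix, origin))
```

Origin validation alone returns not-found for the /12, because a ROA for a more specific block never covers a less specific route; in this sketch it is the length filter that rejects it.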

Flash Briefing: April 29. Spectrum, IoT, WPA compromises

Spectrum use Article
https://www.networkworld.com/article/3343040/wireless-spectrum-shortage-not-so-fast.html
The wireless industry has always had to deal with regular (and alarming) pronouncements that we’re somehow running out of radio spectrum. We’re not. But the misconception regardless gives many IT and network managers pause. 

It does not mention WISPs, but is a perspective nonetheless.

IoT Links
How many of you are focusing on Internet of Everything (IoT)? I have posted some links to how healthcare and others are using IoT to further their business.  As a service provider, you should be coming up with an IoT strategy.

https://www.entrepreneur.com/article/331792
https://www.worldbuild365.com/blog/internet-of-things-iot-the-future-of-smart-roads-skRTWO

WPA Compromises
https://www.theregister.co.uk/2019/04/11/bughunters_punch_holes_in_wpa3_wifi_security/

Microsoft and IPV6

I have written about IPv6 lately, and Microsoft has published a post about moving their internal network to an IPv6-only network.

Microsoft works toward IPv6-only single stack network

TeamArin at CanWISP
https://teamarin.net/2019/04/02/how-arin-can-help-wireless-internet-service-providers-wisps/