[c-nsp] IPv6 - Using link-local addresses for BGP Peering
Justin M. Streiner
streiner at cluebyfour.org
Thu Mar 15 14:18:05 EDT 2012
On Thu, 15 Mar 2012, Peter Subnovic wrote:
> we will be having our first BGP Peering over IPv6 in the near future and
> would like to know if there is a general consensus whether or not to use
> link-local addresses for the Peering.
On external connections we use global addresses for our v6 sessions. For
internal sessions, that would depend on how you number(ed) your v6
infrastructure.
> 1) What are the pros/cons of using link-local addresses for the BGP
> Peering?
If you need to set up a BGP session to a device that's not directly
connected to your router (over a tunnel, EBGP multihop, etc), you want
global addresses.
If you or your provider change hardware, the session would need to be
reconfigured because one or both neighbor addresses would change. Why
deal with that extra hassle if you don't have to?
> 2) What is the (from an operational and security pov) best way to set up
> the BGP Peering?
Some of that depends on your environment. Some of that comes from good
operational practices, and the syntax-specific stuff will depend on what
platform you're using for your BGP session. Beyond that, the configuration
of an IPv6 BGP session is really no different than an IPv4 BGP session -
just using IPv6 neighbor addresses, prefix lists, policies, etc.
General tips:
1. Have good contact info for the people at the other end of that link,
and make sure they have good contact for you/your technical people.
2. Don't bother with MD5 encryption unless you're on a public fabric, like
an exchange point (even then, somewhat iffy). For the most part, that has
been a solution in search of a problem.
3. Tell the other provider what prefixes you will announce and what you
need to accept (full routes? default-only? default+customer?, some other
mix?), and write your announce/accept policies accordingly.
4. Consider setting a sane outbound max-prefix filter, to act as a circuit
breaker to shut the session down if something goes horribly wrong and your
router tries to re-feed the whole IPv6 table to your neighbor. Remember to
adjust the max-prefix value as the number of prefixes you announce
changes.
5. Aggregate wherever possible. Be nice to your neighbors' routers :)
jms
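Putting tips 3 through 5 into one place: below is an added Cisco IOS configuration example for an eBGP IPv6 session over global addresses, written for this page and not taken from the post or from any real deployment. Everything in it is assumed for illustration: the addresses come from the documentation range 2001:db8::/32, the AS numbers from the documentation range 64496-64511, and the "default plus customer routes" inbound policy is one of the mixes the post mentions. One caveat on the "outbound circuit breaker": on IOS, `neighbor ... maximum-prefix` counts prefixes received from the neighbor, not sent to it, so the protection against accidentally re-feeding a full table outbound here is the explicit outbound prefix-list, which permits only the aggregates you intend to originate and implicitly denies everything else.

```cisco
! Added example (not from the original post). Documentation addresses and
! ASNs (RFC 3849 / RFC 5398) are assumed; replace with your own.
!
! Aggregates we originate. Pointing them at Null0 puts them in the RIB so the
! "network" statements below can originate them (tip 5: aggregate, do not
! leak your internal /48s to the neighbor).
ipv6 route 2001:db8:1000::/36 Null0
ipv6 route 2001:db8:2000::/36 Null0
!
! Outbound: exactly the prefixes we told the neighbor to expect (tip 3).
! Implicit "deny any" at the end acts as the outbound circuit breaker if the
! router ever tries to re-advertise a full table (tip 4).
ipv6 prefix-list OURPREFIXES-OUT seq 10 permit 2001:db8:1000::/36
ipv6 prefix-list OURPREFIXES-OUT seq 20 permit 2001:db8:2000::/36
!
! Inbound: here we asked for default + the neighbor's customer routes.
! Anything else (including our own space coming back at us) is dropped.
ipv6 prefix-list FROM-UPSTREAM-IN seq 10 permit ::/0
ipv6 prefix-list FROM-UPSTREAM-IN seq 20 permit 2001:db8:9000::/36 le 48
!
router bgp 64496
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 ! Global (not link-local) neighbor address, so a hardware swap on either
 ! side does not force a session reconfiguration.
 neighbor 2001:db8:ffff::1 remote-as 64497
 neighbor 2001:db8:ffff::1 description Upstream-A IPv6 (NOC: assumed contact)
 !
 address-family ipv6 unicast
  network 2001:db8:1000::/36
  network 2001:db8:2000::/36
  neighbor 2001:db8:ffff::1 activate
  neighbor 2001:db8:ffff::1 prefix-list OURPREFIXES-OUT out
  neighbor 2001:db8:ffff::1 prefix-list FROM-UPSTREAM-IN in
  ! Inbound circuit breaker: warn at 90% of 1000 prefixes, tear the session
  ! down above it, and retry after 15 minutes. Re-tune this number when the
  ! agreed set of routes changes.
  neighbor 2001:db8:ffff::1 maximum-prefix 1000 90 restart 15
  ! Keep a copy of received routes so policy changes can be applied without
  ! a hard reset of the session.
  neighbor 2001:db8:ffff::1 soft-reconfiguration inbound
 exit-address-family
```

After the session comes up, `show bgp ipv6 unicast neighbors 2001:db8:ffff::1 advertised-routes` should list only the two /36 aggregates; if it lists more, the outbound prefix-list is not attached to the right address-family. The same show command with `received-routes` (available because of the soft-reconfiguration line) shows what the neighbor sent before the inbound filter, which is the quickest way to see whether the 1000-prefix limit is still sized sensibly.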