Natural persons have been registering ASNs for a long time, and for many reasons, from running small businesses to keeping up a hobby. This isn't something wrong that needs to be fixed. ASNs should be assigned based on need. But 'need' should not be defined as “my friends have one so I need one too”.
Keeping track of registered unique numbers is the RIPE NCC’s primary role. Some are 32-bit (ASNs, old IPs), some are 128-bit (the newer IPs). As a Regional Internet Registry, the RIPE NCC assigns and allocates these numbers inside its service region and maintains a registry of them. Assignments are made to network operators based on availability or need, according to RIPE policies.
When it comes to ASNs - the numbers used to uniquely identify Autonomous Systems (or, loosely speaking, networks) - we might usually think of them as requested by ISPs or other large organisations. But natural persons have also been registering them for a long time, and the demand for "personal ASNs" is growing.
There are lots of reasons someone might want their own hobby network, but handing out ASNs to individuals has its issues. For example, to maintain the Registry, the RIPE NCC needs information about the network operators receiving ASNs (similar to banking Know Your Customer procedures). But natural persons might not want their personal details in the RIPE Database for privacy reasons. This is a problem when, for instance, law enforcement agencies need to find out who is responsible for a network. And if hiding this information is allowed or tolerated for natural persons, it opens a loophole for bad actors to register resources as natural persons.
For these and other reasons, I want to focus on personal ASNs, to think about why people request them, and to explore some of the consequences for the rest of the Internet. I want to show that while requesting these networks is fine in principle, the reasons for wanting them are not always sound, and the impact on the Internet is not always good.
Hobby networks, personal ASNs
In the RIPE NCC service region, there is no restriction on natural persons registering number resources. A need has to be shown by providing some documents, either directly to the RIPE NCC or through a sponsoring LIR. As a result, hobby networks existed for a long time before they recently came into the spotlight.
None of this is a bad thing in itself, and early on, many of these networks were operated by people who had prior knowledge of BGP and networking in general. One such example was provided in 2014 by Nat Morris at RIPE 69, where he showed how he deployed a small anycast network on a low budget as a proof of concept.
However, in a graph from a recent RIPE Labs article by James Kennedy, we see that there has been an increasing trend in natural persons registering ASNs, indicating a growing popularity for individuals to operate networks. And while there are surely still some experienced people requesting these ASNs, others are registering ASNs to "learn BGP", or "to help with IPv6 deployment", or even because there’s an impression that "having your name in the RIPE Database" is something cool.
There is no technical difference between an ISP/organisation and an individual operating an ASN
This is an important side note before we move on. Though there might be some differences in policies on how ASN assignments are handled - such as if the ASN is intended for LIR infrastructure or an End-User - from a technical point of view, once the number is assigned and put in use, there is no way of signalling that it is operated by a hobbyist or an ISP or other organisation.
In other words, the policy differences effectively disappear once the numbers are used in the Global Routing Table (GRT). From a router’s point of view, ASNs are just numbers that identify networks, hobby networks are just networks, therefore the same rules should apply to all network operators on the Internet.
Why hobby networks? Some myths and misconceptions
There are a number of reasons why people want personal ASNs, but some of the more commonly stated reasons I have heard are questionable. Let’s look at a few of these:
These networks are better run than “traditional” networks
Yes, some might be. However, as a general rule, could it be possible to compare a “network” that exists based only on VMs linked with (international) GRE tunnels as a “backbone” to the network of an ISP? Can we really say that one such hobby network that has deployed IPv6, has ROAs, does ROV, and uses BGP communities is better run than, say, AWS or Hurricane Electric?
There is also a difference when errors happen: large operators face different consequences for their mistakes. A whole ISP network being down because they hijacked Google prefixes could mean a lot of unhappy eyeballs, broken SLAs, and other contracts. But when the whole hobby network is down, the hobby would just take a short break, while Google prefixes are still hijacked and affecting other networks, because the hobby was not properly contained. Another significant difference is the number of people involved in operating the network.
Hobby networks help with IPv6 deployment
Does IPv6 deployment really increase, or is it just the number of routes in the GRT? By removing the pressure of calling your ISP and asking when IPv6 will be available on your home connection, the deployment might even be delayed as the ISP has less incentive to do so. Moreover, if the lack of IPv6 of an ISP is the main issue, an ASN is not required. Tunnel brokers offer IPv6 for free. Even using a VM provider to tunnel the VM’s IPv6 to the home does not require an ASN.
Virtual Internet Exchanges
The idea that peering at virtual Internet Exchanges provides the “best routes”, even over low MTU tunnels without direct connectivity, is also repeated by people misunderstanding what peering is, how it works, and under what circumstances it could provide “better” routes or performance. Joining these virtual Internet Exchanges is treated like joining a group of friends for a party. The more friends that are present, the better the party is.
It is not possible to get the same experience with a private ASN (or “reading books and documentation is not how I learn”)
If the purpose is to learn BGP, the protocol operates in the same way with both private and public ASNs. There is no such thing as a “limited trial version” of BGP. The “this is not how I learn” part sounds more like a learning style choice of the person stating this rather than an argument for obtaining an ASN assignment. However, it is not always possible or recommended to learn this way. Most people can’t just wake up and decide to become train drivers, order a train online, and start learning to drive it on the high-speed line immediately after it is delivered a couple of days later. Driving cars, trucks, or buses also starts with professional driving instructors, using learning vehicles, with the instructors responsible if a crash happens. It also includes a theory part before obtaining a licence (and the truck is not included).
Why not hobby networks? Some worries for the wider Internet
Having said something about why people want hobby networks, here are some of the downsides and bad behaviours that are associated with their overuse and misuse.
The big sponsoring-org business
A business model has appeared based on the increased demand for ASNs, with some LIRs dedicated to providing services to this market. The average number of sponsored ASNs by the top 50 such LIRs is 135. Doing some maths gives us at least 6750 ASNs.
Remember that ASNs are numbers that represent networks without any differentiating bits or tags that would make them personal, business, or ISP.
Networks cannot operate with only ASNs. In order to operate a (hobby) network, there is also a need for IP addresses that can be catered to by these LIRs, either by providing the cheaper 128-bit version or the more expensive vintage 32-bit one. The IPs, either IPv6 or IPv4, require connectivity – IP Transit, that can also be provided at a low, low fee, with invoices showing exactly what the RIPE NCC requires in order to approve the ASN request.
In the RIPE NCC service region, LIRs have a contractual relationship with their RIR, which, at least in theory, makes them responsible for respecting and enforcing current policies. However, in practice, some LIRs deliberately misinterpret or push the boundaries of the policies in order to be able to sell add-on services to their customers. Some examples of shady practices include pre-filled forms with partner ASNs (thus automatically fulfilling the multi-homing requirement), or offering ASNs and IPs to children (“Minors can still request resources!”). Out-of-region assignments require some proof of network presence in the service region, which is satisfied with even more cheap VMs.
Another selling point of such LIRs is “your name in the RIPE DB” as a “cool” benefit, along with the option to help more privacy-focused individuals provide less information than normally required, similar to privacy services offered for domain registration. Offers for reseller packages, including 5 or more new ASN registrations monthly, most likely do not follow the intent of current policies.
Instead of the LIR doing some due diligence and establishing there is an actual need for an ASN, automatically fulfilling the multi-homing requirement shows the LIR’s awareness of the policies and also the intent of bypassing them, either by providing two ASNs from the LIR itself or a partner LIR that shares the business. Is throwing customers in the water (DFZ) to teach them how to swim (operate a network) the best way? Since it is not affecting the LIR directly, it is something the rest of the Internet has to handle.
PA space as PI
One other issue to mention is how PA address space is used. If we look at the current IPv6 Address Allocation and Assignment Policy, we might notice phrasing such as “In IPv6 address policy, the goal of aggregation is considered to be the most important”. This most important goal is defeated by LIRs de-aggregating their allocations to provide service to small virtual networks.
Another interesting policy fact refers to the inet6num status ALLOCATED-BY-LIR, which is described as an assignment made by the LIR to an ISP. Since natural persons are usually not ISPs, this can be seen as another shady practice by the LIRs that achieves both de-aggregation and bypassing RIPE NCC checks that would otherwise be performed upon assigning PI space, where in most cases more than a /48 would not be assigned, while allowing the End-Users to use the space in the same way PI is used.
ISPs are usually registered with the national telecoms agency in their countries of operation, and, at least for Europe, this should be easy to check if more policy enforcement is desired.
The de-aggregation of PA space is also common practice in IPv4. It has generated conflicts with LIRs because End-Users did not properly understand the differences between PI and PA space and went for the cheaper option. This also generates issues when the LIR providing the PA space is closed. But since IPv4 has run out, there is no point in trying to fix that. We could at least learn from the past and not repeat the same mistakes.
Misuse and abuse of the policy, of public databases or protocols
Because obtaining globally unique numbers is so effortless, it may not be taken seriously enough by the potential customers of these LIRs. As multi-homing is not an issue because partnering ASNs are supplied by the LIR directly in the registration form, it skips an important part where the aspiring hobbyist would understand why multi-homing is a requirement or how it works.
This generates situations where the same natural person would request a second ASN to “learn how to provide transit”, a third one to “try anycast”, and a fourth “to learn how to manage an IXP”, with a fifth “for a Route Collector project”. Do these “learning purposes” really require globally unique ASNs for each and every slightly interested individual? Most such networks share the same upstream providers and “virtually peer” among themselves, thus lacking unique routing policies required for showing a need to register an ASN.
Another type of policy abuse is when the received ASN does not represent a number that is perceived as a nice, vanity ASN. Thus, it stays unused, and another one is requested, similar to a lottery. Will the next ASN assigned be 16-bit? The price of the request is low enough to allow abuse of the system in this way, generating a significant workload on Registration Services.
Gamification of virtual peering turns into peer pressure for registering even more ASNs since some websites provide rankings based on the number of peers or other metrics.
When some proudly say: “I am better than my colleagues at networking because I operate an ASN” the logical outcome would be that more colleagues would also register ASNs to be at least just as good at networking, even though registering an ASN has nothing to do with the ability to operate one.
While we’re on the topic, it’s worth adding that deliberately providing wrong information, such as geolocation, makes RFC 8805 useless. Justifying doing so because “others also do it” should not be the default; it is just normalising something wrong. Furthermore, adding non-operational information to the database, such as EICAR test signatures or XSS attempts, makes the data less useful for legitimate purposes.
The Internet is a global thing
An important thing we really need to keep in mind is that what a network operator does propagates globally and affects everybody, including but not limited to network operators from other regions, LIRs not involved in this type of business, and researchers. Again, everybody with an ASN is a network operator with the same responsibilities, without any differences based on the size or type of the network, geographical location, or juridical status.
Network operators trying to use databases such as PeeringDB might have a hard time differentiating between an ISP and a network run as a hobby. Inputting a large number of prefixes there does not make the hobby network larger than multinational ISPs. Instead, it just breaks the accuracy and usefulness of the whole database for everybody, where rules are not strictly enforced as the system works based on trust.
Researchers also use these public databases for various things, such as but not limited to classifying networks based on type, so self-declaring a wrong network type in PeeringDB goes into the research as-is. They might also try to establish network size based on the number of peers, and there is no way of signalling which peers are “virtual” or just fake. So you might end up comparing a national ISP with 200 peers to a hobby network with 900.
Some hobby networks suggest they are running experiments. However, running experiments on the public Internet is usually announced in advance with details of what the experiment will be, as this might affect other network operators.
Alternatives to everyone registering ASNs
Nobody can argue that using the real thing is different from simulations. However, it is not feasible for everyone interested to use the real thing without affecting others.
BGP messages have the same content/format even when used with private ASNs. All BGP features can be tested or learned with private ASNs within contained environments such as labs at school or university or virtual networks such as DN42 (that also uses tunnels to operate).
It is not that difficult to obtain a full BGP feed over to a private ASN, and instead of de-aggregating PA space it can still be aggregated by the LIR when announced to the DFZ, providing the learning experience of having the real GRT. All this without every person interested in learning increasing the costs for the rest of the networks with “experiments” with already well-known results such as prepending hundreds of times.
Operating with private ASNs in contained environments prevents mistakes made by inexperienced users without any training or supervision, who consider they learn better by doing, not by reading, from affecting other networks and being recorded in public databases.
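The containment described above can be enforced at the LIR's edge. The following is an added example, not code from the article or from the RIPE NCC: a Python check that keeps lab routes originated from private ASNs (RFC 6996 ranges) internal and announces only the covering aggregate to the DFZ. The LIR ASN, the allocation, the lab routes, the function names and the prepend limit of 3 are assumptions made for illustration, using documentation values.

```python
import ipaddress
from itertools import groupby

# Private-use ASN ranges from RFC 6996 (16-bit and 32-bit blocks).
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))

# Constructed sample input, not real networks: a documentation ASN (RFC 5398)
# stands in for the LIR's public ASN, and the documentation prefix (RFC 3849)
# stands in for its PA allocation.
LIR_ASN = 64496
LIR_ALLOCATION = ipaddress.ip_network("2001:db8::/32")
LAB_ROUTES = [
    ("2001:db8:100::/48", [4200000101]),
    ("2001:db8:200::/48", [4200000102, 4200000102]),
    ("2001:db8:300::/48", [65010] * 200),          # prepended hundreds of times
    ("2001:db8:400::/48", [4200000103, 64511]),    # non-private ASN in the path
    ("192.0.2.0/24", [4200000104]),                # prefix the LIR does not hold
]


def is_private_asn(asn):
    """True if the ASN falls in one of the RFC 6996 private-use ranges."""
    return any(low <= asn <= high for low, high in PRIVATE_ASN_RANGES)


def longest_prepend(as_path):
    """Length of the longest run of one ASN repeated back to back."""
    return max((len(list(run)) for _, run in groupby(as_path)), default=0)


def check_lab_route(prefix, as_path, allocation, max_prepend=3):
    """Return None if the lab route is acceptable, else the reason to drop it."""
    net = ipaddress.ip_network(prefix)
    # Compare address families first: subnet_of() raises on a v4/v6 mismatch.
    if net.version != allocation.version or not net.subnet_of(allocation):
        return "prefix outside the LIR allocation"
    if not as_path or not all(is_private_asn(asn) for asn in as_path):
        return "AS path must contain only private ASNs"
    if longest_prepend(as_path) > max_prepend:
        return "excessive prepending"
    return None


def build_export(lab_routes, lir_asn, allocation, max_prepend=3):
    """Decide what the LIR edge sends to the DFZ for a set of lab routes.

    Accepted lab routes stay internal. The only announcement is the covering
    allocation with the LIR's ASN as the whole path, so no private ASN and no
    more-specific prefix leaves the lab.
    """
    accepted, rejected = [], []
    for prefix, as_path in lab_routes:
        reason = check_lab_route(prefix, as_path, allocation, max_prepend)
        if reason is None:
            accepted.append(prefix)
        else:
            rejected.append((prefix, reason))
    announce = [(str(allocation), [lir_asn])] if accepted else []
    return {"announce": announce, "kept_internal": accepted, "rejected": rejected}


if __name__ == "__main__":
    result = build_export(LAB_ROUTES, LIR_ASN, LIR_ALLOCATION)
    for key, value in result.items():
        print(key, value)
```

Five lab routes produce one DFZ announcement here; the three rejected routes never reach the export stage.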
Similar to obtaining a driving licence, a lot of courses (generic or vendor-specific, free or paid, included in the educational plan at schools/universities), books or other materials are available either online or physically for those interested in learning.
Conclusions
Natural persons have been registering ASNs for a long time, and for various reasons, from running small businesses to hobbies. This is not something wrong that needs to be fixed. ASNs should continue being assigned based on need, however “need” should not be defined as “my friends have one so I need one too”.
Better education, starting with the basics of networking, such as how routing works, or what MTU is, would also help bring up the quality of the next generation of network engineers. It is also important to contain the education process so that it does not affect the operation of already "educated" networks.
The Internet currently self-regulates, which means abuse is handled inside the community, and policies are also developed by the community for the community. Among the possible consequences of not handling this type of abuse inside the community is external regulation that would add more restrictions, thus making it harder for legitimate use cases to operate. This is why it is essential that network operators understand the consequences of their actions that might seem "harmless" and respect the other network operators, public tools and databases.
However, the business practices of some LIRs encouraging this irresponsible behaviour add operational costs for the RIPE NCC, the rest of the LIRs, and decrease the quality of data available for research. Even though these LIRs advertise themselves as trying to help the community, they are, in fact, for profit entities, not NGOs, trying to help themselves.
More responsibility should be placed on LIRs in order to prevent this, either by better enforcing the existing policies or adjusting them as needed. The recently introduced maintenance fee for ASNs could take longer to show any visible results, but developments regarding this are interesting to follow. Will fewer ASNs be assigned? How many abandoned ASNs will be returned? The maintenance fee is not so large as to stop people from registering them, but it might make them reconsider registering 10 ASNs.
This article was modified by the author on 27 August, 2024.
Comments 12
Pavel Odintsov •
Hello! Thank you for your contribution. Unfortunately, I find language used in this article as pretty rude against people who run hobby networks. Hobby or not hobby networks are equally important parts of the Internet and no discrimination is accepted in professional conversations in reference to any members of the Internet community.
Richard •
While some aspects of this article are correct it is full of insinuations and judgement. This feels inappropriate for content published on a RIPE platform! It also indicates that apparently some want to gate-keep and redefine the "need" of others. How unbecoming for the RIPE community. I'd wish that instead of such articles they'd write a policy proposal and work on that in the usual process instead of publishing inflammatory posts that - directly and indirectly - attack significant portions of the community. Not just flaming in this comment took all the strength I have in this moment. I am really angered about this! I am shocked by the - by now obvious - disconnect between some people in the community and their audacity to make such statements.
Dan •
I do not read this as additional gate-keeping, if that were the case then RIPE is already gate-keeping by forcing resource registration. I read it as 'get your feet on the ground', operating networks is ok, if you operate a network please continue to do so, no matter how many digits your AS has. Without any oversight (gate-keeping) you could use any resource for any reason, any time you feel like it and RIPE doesn't even need to exist.
Alice Wyan Garcia Martin •
I've been following Radu's crusade against hobbynets since RIPE88, and all the "issues" he claims these networks are causing can be summarized in two:
* "I just don't like it"
* It causes additional work to RIPE
The second of these has already been addressed with the new yearly charge for ASNs, which will cause most of the "bogus" ASNs to be lapsed. As to the first objection, I see in it no technical merit whatsoever, and no technical issues have been yet pointed to, not in the RIPE talks, not in this article. The point of an AS is precisely to have full authority in regards to internal routing policy, and routing policy sometimes happening over tunnels (nowadays called SD-WAN) is in no way a disqualifier. I'm just confused as to the virulency of this article regarding a non-issue, and confused as to why RIPE is giving this topic such a massive importance and such a fearmongering attitude.
Peter Kowalsky •
The language that you choose to write this text is very disregarding for actual research. Many people that I know that run hobbynets are actually testing things that find their ways into a lot of Tier I and II providers. I don't run my network as a "silly smöl meow meow" network, but to test things that I might not deploy at day one in a 4-digit ASN. Or to give other hobbyists transit that are located in my rack. For many people this is also the first interaction with the greatest machine on this planet - the internet - and how it is run.
Alun Davies •
I'm sorry to see that the tone of the article has infuriated some of our readers. Speaking for RIPE Labs, our only goal is to give people in the community a space where they can express views on community-relevant topics. That's important to us - but we do understand that there will sometimes be disagreement and debate over the views expressed. We would of course be equally happy to publish an article making a positive case for the use of personal ASNs.
Gus Caplan •
Hi Alun, I appreciate that RIPE Labs is so actively invested in community discourse. I would like to address, however, the notion of debate you have expressed. While I don't see any reason to question that Radu is acting in good faith, he has repeatedly refused to substantiate any of his claims, including the claims in this article. He has also, to my knowledge, never proposed any concrete policy. I would hold that, lacking either of these, there is nothing to debate here. As a RIPE NCC member registered as a sole trader, it is frustrating to continually see this content, and it be suggested that the onus is on *me* to refute unsubstantiated claims, rather than on authors to substantiate them in the first place, or on RIPE Labs to ensure a consistent editorial direction to this effect.
Tobias Fiebig •
I have already been rather vocal about this topic during RIPE88; Hence, I decided to summarize my thoughts on the arguments (as an individual member not representing any affiliation) in a small blog post (esp. given that it is a bit longer than what fits into a comment ;)): https://doing-stupid-things.as59645.net/ripe/policy/personal/asn/2024/07/19/putting-the-mau-into-meowmeow.html
Andrew Asciutto •
My issue with this post is insistence that hobby run networks cause damage: "...while Google prefixes are still hijacked and affecting other networks, because the hobby was not properly contained." I genuinely have never seen a hobby network given unfiltered sessions nor cause damage like this. Every big leak/hijack is by some random tier 2 isp somewhere. Additionally, it is 2024, maybe everyone needs more motivation to implement RPKI and IRR filtering. Point is, the Internet is an open place, you can never get rid of people playing with the DFZ as a hobby, implement filters or cry when things break, up to you.
Manuel Gatterer •
I agree with Pavel, Alice, Peter, Richard, ... Thanks for sharing your thoughts. Seeing such content being published on a RIPE platform is concerning. Additionally, I want to note that most or all BGP sessions with small networks are filtered, so there is no harm at all.
Randy Bush •
i would be actually concerned if this was being done by unnatural persons. having a wide and diverse bgp ecology seems in the interest of the internet. but what do i know?
Wren Blue •
To weigh in from a student perspective who's new to all this - the phrasing of this just...kills my interest a bit. I do understand the underlying points (and there are some fair ones raised), but it's not sitting well. The whole point of having my own ASN is that no, this is not a "learning style choice". I genuinely can't learn this from a book. The additional complexity of having to setup a private ASN network is greater than connecting with the wider internet, and also has really helped my understanding of the physical side of the network. Esp. with being so isolated from the physical side during the pandemic, being given the opportunity to actually understand how the internet works, is really helpful.