Tobias Fiebig

Putting the MAU Into meowmeow: On Personal ASNs


Is the use of personal ASNs to gain hands-on operational experience really such a bad idea, or is this one of the ways we make sure the Internet remains a place of equitable participation, expression and learning? In this guest article, Tobias Fiebig shares his views.


Disclaimer: I am writing this article as an individual member of the RIPE community, and do not represent my employer. Furthermore, I am a person prone to ‘doing stupid things’, and a repeated offender when it comes to personal ASes: I have three. Furthermore, I am on friendly terms with several LIRs mentioned in the original article.

Last week, an article about personal ASNs was published on RIPE Labs that has been ‘critically acclaimed’ in the community. It follows two talks at RIPE88, during which there was already an ‘engaged’ discussion around the propositions in the corresponding talks.

As I had already been rather vocal during the talks at RIPE88, it is not overly surprising that I have ‘some thoughts’ regarding the article. Well, keeping thoughts to yourself may make you less non-friends, but it is also less fun, so here we go.

The article itself

The article titled “Driving the ASN Truck Without a Licence” essentially revisits the arguments of the presentations held at the last meeting given the increasing number of personal ASNs. To summarise them:

  • Personal ASes are not run ‘better’ than ‘traditional’ networks, but likely worse, causing issues. If they seem to be run better, it is because it is easier to do so at smaller scale, and also, a tunnel-based ASN is simply not relevant, even if it does RPKI correctly.
  • Hobby networks do not help with IPv6 deployment, but instead hinder it, as individuals no longer need to pressure their ISP into rolling out v6.
  • Virtual Internet Exchanges are useless and – along with all the tunnel ASes – degrade the MTU below 1500, leading to further issues.
  • You do not need a ‘real’ personal ASN to get experience. Read a book or join dn42.
  • LIRs misrepresent the policy to implement ‘shady business practices’ to push end-users to request resources
  • IPv6 PA is being abused as a PI-ish resource, especially by those ‘shady business practice’ LIRs
  • Personal ASNs are regularly leveraged for policy abuse, and to pollute public databases and protocols

In conclusion, the article calls for stronger restrictions on handing out personal ASNs, curbing “the business practices of some LIRs” promoting “irresponsible behaviour”, and making resources less accessible, ideally by making them more expensive.

The tone of the article

The article, in several points, tends to use authoritative language. The comments that already came in also suggest that the article creates an impression of trying to gate-keep the Internet from those, mostly defined by their nature as natural persons wanting to hold resources, possibly unworthy but certainly unqualified for actually doing so.

I personally know the author, and know that there are some good intentions (and partially even very sensible points) behind the article. Hence, while I personally agree with the statements on the phrasing, I will focus on engaging the underlying arguments in this post.

But first, a message from…

…the reason we are talking about this. Kind of: me. I personally hold three different ASes, all of them ‘personal ASes’. I do acknowledge that my little personal AS might be ‘a bit bigger’ than the usual personal AS, including a few more gbit of 9000MTU L2 connectivity between PoPs, and a couple more big-name-brand routers than usually seen in personal ASes. Also, following the article’s definition, these are not really personal ASes, as I am also an LIR. However, I also sponsor some end-users’ PI/ASN resources… so, I think I can confidently say that I am ‘part of the problem’.

Still… the question remains… why would I need three ASes?

Note: AS211286 and AS215250 are funded via the RIPE community fund and supported by contributions of various other RIPE community members, including LWLcom, OpenFactory, DE-CIX, VirtuaCloud, and WIIT AG, see measurement.network.

AS59645: Where it all begins

The ‘root cause’ of me being an LIR is a combination of ‘mild frustration’ with the state of the Internet, academia, and the general realisation that I kind of picked a day job that is more on the management and less on the ‘doing things with my hands’ side than is generally good for my well-being.

So, AS59645 is there to make it ping; learn and automate things, and get the practice necessary to, say, work on some documents about the Internet.

AS211286: Crisis, ethics, reliability and a measurement.network

The next issue I stumbled upon was the aforementioned academia thing. Researchers doing researcher things (speaking as a researcher myself…) can kind of be… difficult… So, I set out and started building something, in an attempt to get ahead of the bike-shed. And well… for reasons.

AS215250: V4LESS-AS

As we already went about me having a thing for doing stupid things, it should be no surprise that I can have very weird ideas. Like, why not build an AS that does not have IPv4 on any of its routers.

Obviously, this is a rather great idea, and RFC8950 is simply the future. Surprisingly, even some of the serious not-so-personal-ASes seem to think so.

Naturally, the only thing to do then is to make something that allows people to try out RFC8950; without actually having to break production infrastructure. Well, this is what V4LESS-AS does.

On the arguments for an ASN-Driving-License

So, with the reason for which I have some ASes out of the way, let’s delve into the arguments around personal ASes made in the original article.

Make the Internet worse by being badly run

This argument centres around an (implicit) idea that ‘companies know better’. They will, more likely, run a better service, and employees do have to answer to management, and the company to customers if something goes wrong.

For personal ASes, though, this is not the case. Instead, they can do whatever, and if the Internet breaks… well. They do not need to care.

Or, to put it into a nice quote from a related talk:

“OSPF is amazing, because it allows you to break your own network in ways you do not understand. BGP on the other hand allows you to break everyone’s network in ways nobody understands.”

Good thing that Facebook never had to deal with a global BGP outage due to a misconfiguration, and there is not a single actual company that does anything remotely shady with their AS.

I am skipping on examples for the latter to protect the guilty; but you know who you are.

Also, running your ISP from a couple of re-flashed 100G switches tends to be a thing as well… And the number of ISPs without any form of filtering I have seen…

Well, I guess the point is clear. And I did not even get into the point that all this tunnel stuff… Well, MPLS is not exactly not tunnelled, is it? (Keeps starring in BGP-free core…)

Does not help but hinder IPv6 Deployment

The argument around IPv6 adoption is a bit… weird. While, yes, you should not just get an AS because you need v6, you could use the same argument around HE’s tunnel broker service.

In turn, you could also argue that HE’s tunnel broker service is a better option anyway.

Ultimately, this creates an impression of a bit of straw burning…

Virtual Internet Exchanges are useless

Well, besides the whole ‘tunnels are bad’ issue–given that basically everything these days goes through a lasagna of tunnels–there is the point of these things being practically pointless. This is something I very much agree with (even though I do connect to some of these Toaster-IXes). Still, there is a lot of self-inflicted foot-shooting going on on these… and I mean… better shoot yourself in the foot with a toaster than with a truck. Or something like that.

Besides that, there is of course the MTU argument; however… to be frank… it is not like actual big players aren’t doing things that may er… restrict the MTU to say… 1492b, no?

Just go for DN42

Again, the recommendation to, instead, go learning in a very much enclosed environment pretty much holds true, and is one I gave out myself (and will happily give out again). However, here, there is not much of an argument left beyond you also could do similar stuff elsewhere. And honestly, part of the appeal of the personal AS is that you can make yourself eat your own dogfood, which usually works wonders on service quality and learning outcomes.

There are LIRs with ‘shady business practices’ pushing Personal ASes

This point is, in my opinion, ‘somewhat difficult and maybe not necessarily ideally phrased’, up to a point of ‘maybe attributing a bit too much malice to third parties’. Note, though, I am on rather friendly terms with mentioned entities, and they also support measurement.network.

The issue here is that a lot of things are going into the same bucket. To grab the reference to freetransit.ch as an example, the article suggests that freetransit.ch is “not respecting and enforcing current policies” of the RIPE region. Instead they execute “shady practices” like “offering ASNs and IPs to children (“Minors can still request resources!”)”, all in a bid to “help themselves”.

I would argue that the argumentation taken here is, at least, severely worrisome. First, the insinuation that ASNs and IPs are marketed to children is an arguable stretch for a checkbox in the contact form inquiring whether the sender is able to legally sign legal documents, i.e., not a minor:

The statement thereunder is also not something “not respecting and enforcing current policies”. In fact, it is pretty much exactly what RIPE-637 is saying about contractual relationships: There has to be one.

RIPE-812 also clarifies that a member can be “A natural person or a legal entity that has entered into the RIPE NCC Standard Service Agreement with the RIPE NCC.” There is no need for a member to be (at least depending on jurisdiction, but generally for the EU, IANAL) 18. A 17 year old can very much become a member, if they enter into a legal relationship with the RIPE NCC. Usually, this will require consent and signature from their legal guardian. At least that is my rather naive non-lawyer reading of the absence of any age restrictions in RIPE-812. (Also: How else would minors otherwise join the local football club of a small town in northern Friesland? It, after all, has the same legal structure as RIPE…). Hence, I see no reason why this could not be the case for an end user’s relationship to a sponsoring LIR.

This leaves the whole issue of framing a statement around minors to children out of the picture; I am not making a value statement regarding the contents, but do note that I find using the framing to be a discussion style I personally do not necessarily associate with content-directed argumentation.

Finally, there is the argument that this is being done for ‘own gains’ by these LIRs. (Note: I am not contesting that there also are some actors trying to leverage end-users to create a (quick) profit; In fact, I am pretty sure there are some; Just not necessarily the specific examples selected here.)

However, again going back to the explicitly chosen example, using an LIR invoicing customers a yearly re-occurring cost very close to the actual cost billed by the NCC (EUR145 YRC for ASN+PI, i.e., a ‘profit’ of EUR20… which still includes VAT and covering costs) is ‘somewhat a stretch’. Considering how much time usually goes into a registration process (KYC, contract, interaction with the NCC etc.), I would argue that this is, best case, covering the actual costs, even when considering the higher fee billed during the first year.

Hence, overall… this argument especially feels… difficult.

IPv6 PA is being abused for PI

Subsequently, the argument is made that, indeed, some LIRs are also offering end-users to use PA instead of applying for PI. In general, the argument vaguely alludes to this being misuse of resources.

My point here, first and foremost, would be that there are indeed some issues with the current IPv6 assignment policy that lead to not ideal effects.

However, I would also argue that it might make sense to, instead, participate in the policy-development-process in order to actually do something about the underlying operational issues.

Personal ASNs are used for Policy Abuse and to pollute databases/the GRT

The final argument revolves around an argument of PI/personal ASN resources being used for abusing the policy. It leads with the argument of a person requesting multiple ASNs for multiple projects, noting that it is rather unlikely that the person actually needs that many ASNs. I feel somewhat called-out. ;-)

However, argumentatively, this section feels a bit like a lot of straw burning again. After all, for any personal AS used for nefarious stuff, I can likely name an AS registered to a ‘real’ company or even LIR that is no less engaged in annoying or directly malicious activity.

Similarly, I think that the author of the initial article is insanely lucky that no Secret-WG does not even not not exist, that may or may not even have the audacity to pollute the database with limericks. Otherwise, rather black helicopters would already be circling overhead, given this straight out attack on such a non-existing organisation.

And knowing the (PI and personal ASN holding) person who put in the XSS referenced (and was the one thereby finding an issue with the web edits tooling in the process, reporting it, and getting it fixed)… I am not sure whether it makes it more of an argument for personal ASNs.

Conclusion

In conclusion, the arguments presented in the RIPE Labs post are not able to convince this revie^H^H^H^H^Hmember. Despite acknowledging that there are serious issues around some of these developments, and that we certainly do need more care in the operation of the Internet, we also need a wide availability of operational experience currently often far too lacking even for professional companies. Picking on some of the LIRs actually rather engaged in poking the end users they sponsor to do (and learn to do) the right thing may also be… ‘not necessarily the ideal approach’ toward improving the situation. And – based on my engagement with the arguments – I, indeed, find myself seeing how commenters reached the conclusion that the article creates an impression of ‘gate keeping’.

So, as a herder of cats, reading the conclusion, I kind of do not feel too bad about being the one to put the ‘Mau’ into (“silly smöl meow meow”[sic]) networks. And I think I will continue doing that; responsibly, for the good of the Internet. For it to become again the open distributed end-to-end infrastructure ultimately owned by no one, enabling equitable participation, expression and learning which it was once envisioned to be. Making sure that those I take responsibility for do not break the Internet. Well, at least I will keep trying that (as well as not breaking it myself).

(Final Note: Yes, I know, AS59645 also sometimes does stupid things, like leaking routes because of an algorithmic error in community handling for exported prefixes leading to an overloaded router, which collided with FRR’s non-atomic config application. But hey, at least that motivated me ultimately to take a shot at updating BCP194. Thee who is without any weird configuration body in their basement, throweth the first depeering; or something like that.)


This article was originally published over on Tobias's blog Doing stupid things (with packets and OpenBSD).


About the author

I am a system administrator turned network & security researcher, looking at digital infrastructures & society, and operators. Currently working at the Max-Planck Institut for Informatics as a senior researcher; Usually speaking for myself and not my affiliation.
