Using the IP unnumbered configuration FAQ

Content

  • What is APNIC's position on IP unnumbered?
  • What is IP unnumbered?
  • Can you see if the serial interface is up?
  • Can the "ping" utility still be used to determine whether the interface is up?
  • Can SNMP be used to remotely monitor interface status?
  • Can a runnable image be netbooted over an unnumbered serial interface?
  • Can IP security options be supported on an unnumbered interface?
  • Where can I find more information about the use of IP unnumbered configuration?

What is APNIC's position on IP unnumbered?

APNIC encourages the use of the IP unnumbered functionality as it helps conserve IPv4 address space. See section 7 of APNIC guidelines for IPv4 allocation and assignment requests.

What is IP unnumbered?

Depending on the router vendor, IP unnumbered allows you to do IP processing on a serial interface without assigning an explicit IP address for point-to-point links. This is applicable to statically routed, singly homed customers. It is not applicable to those doing BGP.

Can you see if the serial interface is up?

Yes. Please note that while the interface defined by the interface name must be enabled (listed as "up" in the show interfaces command display), the physical state of an interface (layer 1) does not relate to protocol activity (layer 3).

Can the "ping" utility still be used to determine whether the interface is up?

Yes. Although the interface has no address, you can still determine whether or not the interface is up by "pinging" the ethernet IP address. If the serial interface is up and the ethernet interface is down, the serial interface "adopts" the ethernet's IP address, so the router will still respond to pings received on the serial interface.

Can SNMP be used to remotely monitor interface status?

No, it cannot. But many ISPs produce their own software tools for interface monitoring.

Can a runnable image be netbooted over an unnumbered serial interface?

No. But as frequent upgrades interrupt stability, many operators choose to do this once or twice a year.

Can IP security options be supported on an unnumbered interface?

Yes, most security options do support unnumbered interfaces. This includes security options such as filtering, tunnels and IPsec. If you find any that do not work, APNIC would appreciate it if you could email the examples to helpdesk@apnic.net.

Where can I find more information about the use of IP unnumbered configuration?

See Cisco's Understanding and Configuring the ip unnumbered Command.

APNIC policy on Network Address Translation (NAT)

APNIC policies do not require any ISP or Internet user to employ Network Address Translation (NAT). The choice of whether to use NAT is left entirely to the discretion of address space users, namely ISPs and their customers.

APNIC policies do support the assignment of public address space by ISPs for use with any permanent or semi-permanent Internet connection, and address space is made readily available to ISPs for this purpose.

If you have any questions regarding the use of public address space or NAT, please send an email to helpdesk@apnic.net to discuss the matter further.

For further information on NAT and APNIC policies regarding its use, see section 12 of:

  • APNIC guidelines for IPv4 allocation and assignment requests

Deprecation of ip6.int reverse DNS service FAQs

Contents

  • What exactly does "deprecation of ip6.int reverse DNS service" mean, and why was it done?
  • How does this affect me?
  • How will a failed reverse DNS look-up affect me?
  • I am delegated under ip6.arpa - how can this change affect me?
  • What can I do about problems with services I use?
  • Can APNIC re-delegate under ip6.int?
  • I run services which use ip6.int and I don't see a problem. Why?

What exactly does "deprecation of ip6.int reverse DNS service" mean, and why was it done?

At 00:00 UTC, Thursday 1 June, 2006, all sub-domains under 1.0.0.2.ip6.int were withdrawn. This reflects a decision taken by the IAB in August 2005 to cease use of ip6.int for reverse DNS registration, and an agreement between the IETF and the RIR community to remove these entries on 1 June, 2006.

The decision to withdraw ip6.int is documented in RFC3152, which specifies that reverse DNS domains in IPv6 should be registered under ip6.arpa.

How does this affect me?

If your computer performs reverse address look-up, then it is vital that it is configured to use ip6.arpa, and not ip6.int. All modern operating systems which support IPv6 now use ip6.arpa, so you should have no difficulty upgrading to a version which supports this domain for reverse DNS resolution.

If any of your systems perform reverse address look-up using ip6.int, then when you receive IPv6 traffic, or need to do reverse DNS look-up on IPv6 for any other reason, your look-up will fail.

There was a brief disruption of some ip6.arpa services in Japan, due to an error which occurred at the time of the ip6.int withdrawal. This error has been rectified.
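To find systems that still perform reverse look-ups under ip6.int, a resolver query log can be scanned for PTR queries in the old domain and each one mapped to the ip6.arpa name it should use. The following is an added example, not part of the original FAQ or any APNIC tooling; the log line format and the sample lines are constructed assumptions.

```python
import ipaddress
import re

def ptr_name(addr, suffix="ip6.arpa"):
    """Nibble-reversed reverse-DNS name for an IPv6 address."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + "." + suffix

def parse_ptr_name(qname):
    """Return (IPv6Address, suffix) for a full 32-nibble name, else None."""
    m = re.fullmatch(r"((?:[0-9a-f]\.){32})(ip6\.(?:int|arpa))\.?",
                     qname.lower())
    if not m:
        return None  # partial (zone-level) name or not a reverse name
    nibbles = m.group(1).split(".")[:-1][::-1]  # undo the reversal
    return ipaddress.IPv6Address(int("".join(nibbles), 16)), m.group(2)

# Assumed log format: "client <ip>#<port>: query: <name> IN <type>"
QUERY_RE = re.compile(r"client (\S+?)#\d+: query: (\S+) IN PTR")

def find_legacy_queries(lines):
    """List (client, address, ip6.arpa name) for PTR queries under ip6.int."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        parsed = parse_ptr_name(m.group(2)) if m else None
        if parsed and parsed[1] == "ip6.int":
            addr = str(parsed[0])
            hits.append((m.group(1), addr, ptr_name(addr)))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    "client 192.0.2.10#3312: query: %s IN PTR"
    % ptr_name("2001:db8::1", "ip6.int"),
    "client 192.0.2.11#4021: query: %s IN PTR" % ptr_name("2001:db8::1"),
    "client 192.0.2.10#3313: query: www.example.net IN AAAA",
]

if __name__ == "__main__":
    for client, addr, fixed in find_legacy_queries(SAMPLE_LOG):
        print(f"{client} looked up {addr} under ip6.int; should query {fixed}")
```

Clients reported here are the ones whose look-ups will fail or time out after the withdrawal and need a resolver library or application upgrade.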

How will a failed reverse DNS look-up affect me?

When reverse DNS look-ups fail, there are typically two consequences:

1. Everything runs slower at connect time: it usually takes up to 30 seconds for the failing request to be logged as having 'timed out' - during this time, your connections are not being processed.

For example, if you run a web server that attempts to perform a reverse address look-up on every IPv6 request, there will be a 30 second delay for any IPv6 request before the server can continue. This may be a problem for you, or it may be a problem for clients accessing your web server.

2. Because reverse DNS fails, your services may refuse to continue.

Some higher security services regard reverse DNS failure as an indication of a security or other problem, and will not continue. This may apply to any services, including web, mail, or remote access.

It is possible that because the ip6.int listings have been withdrawn 'high' in the DNS tree, you will not see these problems. You may, in some circumstances, see faster connection, because there will be no apparent ip6.int delegation to check. Or, you may see rapid refusal to connect (for the same reason). You should therefore not assume that a 30 second delay is the only possible consequence.

I am delegated under ip6.arpa - how can this change affect me?

Unfortunately, even if you are correctly delegated under ip6.arpa you can still be affected by this problem if servers you connect to continue to look up addresses under ip6.int.

What can I do about problems with services I use?

You should contact the operators of these services and advise them to investigate the problem and, if necessary, upgrade their service to use ip6.arpa for reverse DNS resolution.

Can APNIC re-delegate under ip6.int?

Unfortunately this is not possible. The decision to make this change was taken globally, and APNIC is bound by that decision.

I run services which use ip6.int and I don't see a problem. Why?

If you host your own ip6.int server, it is possible that you will not see any problems after the global ip6.int services are withdrawn by APNIC and the other RIRs. In such cases, it would be possible for you to continue listing ip6.int delegations and for all internal services to find the DNS server, and satisfy these look-ups. However, it is likely that you will begin to have other problems, including difficulty with external access, offsite access, and with progressive upgrades to your services which change to ip6.arpa. If you depend on reverse DNS resolution, you need to maintain your ip6.arpa delegation.
