3

I’m trying to better my understanding of PI and PA addresses, and I want to know if ISPs generally assign PI or PA addresses to their customers, or if this distinction even matters at this scope.

Assuming no NAT, do ISPs assign customers IPs from a PI block or a PA block? Does it matter? Or, under what circumstances is there a difference?

Jeff Wheeler
teemaw

3 Answers

4

Customer address pools & re-assignments come from PA space.

You can use PI for your own network/business but it's not intended to be delegated to customers.

Jeff Wheeler
  • 2
    Where do you think PA space comes from? (hint: PI) – Ricky Jan 04 '21 at 02:05
  • 1
    No, @Ricky, PA space does not come from PI. They are distinct types of allocations made by RIPE. You cannot carve PA out of PI. – Jeff Wheeler Jan 04 '21 at 12:54
  • The LIR assigns a block of addresses. The holder of that block can do whatever they want with it. Including divide it up and let others announce it. "ADDRESS IN THIS BLOCK ARE NON-PORTABLE" is only words, they are not policy. (I've done it many times.) – Ricky Jan 04 '21 at 21:18
  • No, you cannot make PI addresses from PA space. PI addresses are a special thing in the RIPE region. This is completely distinct from how things operate in the ARIN region -- where your statements would be correct, if that was what the OP was asking about. He's not. – Jeff Wheeler Jan 04 '21 at 21:37
  • Again, it's just words on a page. [RIPE-738 for IPv6] I see it all the time (for v4.) The only thing RIPE can actually enforce is not allowing whois records for dividing PI space. They don't police the internet routing table. [PI is an assignment, not an allocation, so it's not supposed to be sub-assigned. If you report it to them, they might do something about it, but I doubt it.] – Ricky Jan 04 '21 at 22:45
  • The issue isn't if RIPE were to do something about it but that RIPE has different requirements for PA vs PI space. A typical small ISP or hosting co might start out with a /19 of PA for its users but a /24 of PI for its own network (if any PI at all -- it's not always needed.) An enterprise, on the other hand, often won't have its own PA, and will get its addresses from its ISPs; perhaps with a mix of PI for permitted uses. If you ignore all this and misuse your address space, it will be harder to get more when you need it. – Jeff Wheeler Jan 04 '21 at 22:54
4

Firstly, it's important to understand who allocates each address space. PI (Provider Independent) are assigned by a local RIR (RIPE, APNIC, AFRINIC, ARIN, etc) to a Provider/Business/Entity. Whereas PA (Provider Aggregates) are allocated by an ISP/Entity to a customer.

With PIs, as the name suggests, the PI address space allocated is independent of a single ISP. The entity that has been allocated this space by the RIR can freely advertise this space anywhere on the Global Internet from their allocated ASN. One thing to note is that a PI must be in length from a /1 up to a /24; nothing longer than a /24 will be allocated by an RIR.

PAs (Provider Aggregates), on the other hand, are allocations performed by ISPs to their downstream customers. These can be anywhere from a /25 up to a /32. These PAs will be allocated from a larger block that the ISP/Entity has received from its local RIR.

ditrapanij
  • 1
    In the current environment, you should probably also refer to IPv6 because the RIRs no longer have IPv4 addressing to assign (except that some have reserved a small amount to facilitate conversion to IPv6). – Ron Maupin Jan 04 '21 at 00:15
  • Does this mean there is no distinction between PI and PA blocks at the RIR level? And that an IP block assigned by an RIR becomes PA at the discretion of an ISP? – teemaw Jan 04 '21 at 00:20
  • 1
    @teemaw, the ISP is a company, just like any other company asking an RIR for address space, but an ISP can use its assigned addressing in any way it wants, including letting its customers use some of its space. The RIRs only look at the number of required addresses, and ISPs will have a need for more addresses than most companies, although there are companies (like the one I work for) that have networks larger than many ISPs. – Ron Maupin Jan 04 '21 at 00:24
  • @RonMaupin, is the distinction between PI and PA purely semantic? Is there no mechanical difference between routing for PI and PA addresses? If so, how does an ISP know that an advertised address is a PA address belonging to another AS instead of a PI address and denies its advertisement? – teemaw Jan 04 '21 at 00:40
  • 1
    @teemaw, not exactly. PI is provider-independent, meaning you can connect to any provider (ISP) (as long as it is willing to advertise your network, and not all will do that). PA is provider-assigned. To the ISP that has that addressing, it is PI (can be connected to any other ISPs by the ISP, which is how the Internet works), but to its customers, it is PA because it is assigned by the provider (ISP), and it can only be used with the assigning provider. – Ron Maupin Jan 04 '21 at 00:44
  • @RonMaupin, if I were to lease IPv6 PA for my AS from an LIR, who is the “provider” in that case? Does it mean that those IP addresses will only be able to advertise in my AS? – teemaw Jan 04 '21 at 02:33
  • 1
    If you get provider-independent addressing, you can have any ISP to which you are connected to advertise it for you. If you get provider-assigned addressing from an ISP, then only that ISP will advertise it for you because the ISP will object if other ISPs advertise it not through it. As I understand it, the LIR can sell you provider-independent addressing. – Ron Maupin Jan 04 '21 at 02:40
  • PA address space may be announced by others (/24 or larger) with a LOA (letter of authorization) from the ISP owning the block. Most will allow it as long as you are still a customer. I've been on both ends of that equation. (and had to call in the lawyers when a former customer insisted on keeping a chunk of our address space. The contract was very clear on this.) – Ricky Jan 04 '21 at 22:37
3

A business wanting provider-independent addressing gets that directly from its RIR. Any addressing a business gets from an ISP belongs to the ISP.

An ISP cannot assign addressing not assigned to it.

Ron Maupin
  • The terminology in this question indicates the user is probably asking about the RIPE region. LIRs can facilitate PI allocations; one reason for this option is language & currency barriers. I think your answer is meant to answer for the ARIN region, and it's correct there; but RIPE is quite different. – Jeff Wheeler Jan 04 '21 at 00:12
  • Actually, the OP is in the U.S., or at least asking from a host in the U.S. – Ron Maupin Jan 04 '21 at 00:18
  • I am located in the U.S., but I had been looking into getting an ASN from RIPE when these PI/PA distinctions started appearing in my research. I was unaware that such a difference in terminology existed between ARIN and RIPE when asking my question. – teemaw Jan 04 '21 at 00:25
  • @teemaw, the only provider-independent address space available from the RIRs now is IPv6 addressing. You could join a (very long) waiting list for any IPv4 addressing that may get returned to an RIR, but I doubt that will amount to much. You can try to purchase IPv4 addressing on the open market, but you still need to qualify to the RIR to have it assigned to you. – Ron Maupin Jan 04 '21 at 00:29
  • 1
    @teemaw, when IANA got down to five /8 networks (16,777,216 addresses in each network) left to assign to the RIRs, it gave each RIR one, and that addressing was reserved to facilitate conversion to IPv6. There is a live widget on this page that shows how many IPv4 addresses each RIR has left to assign. – Ron Maupin Jan 04 '21 at 00:51
  • "An ISP cannot assign addressing not assigned to it." - it can. What happens if it does? Blacklisting by well-behaved ISPs? Legal threats? – user253751 Jan 04 '21 at 11:02
  • 1
    @user253751, It doesn't really work that way in theory. The Internet is made up of a collection of neighbours, these neighbours speak using BGP. BGP is a routing protocol with a heavy reliance on trust. If a BGP speaker begins to advertise space that does not belong to them this is known as a "BGP Hijack" (You can find plenty of examples on Google). Usually, a BGP Speaker's neighbours will configure filters to only allow the BGP Speaker to advertise prefixes it's allowed to. – ditrapanij Jan 04 '21 at 11:45
  • @ditrapanij That sounds like "blacklisting by well-behaved ISPs" – user253751 Jan 04 '21 at 12:06
  • @user253751 There is no "blacklisting" per se. It's more of a "I'm not going to allow you to advertise this to me because you don't own it/have authority to". However, some ISPs won't do this and will trust anything their peers send them. This is how we end up having massive BGP Hijacks that take out crucial parts of the Internet. – ditrapanij Jan 04 '21 at 12:08
  • @ditrapanij "I'm not going to allow you to advertise this" literally sounds like the definition of blacklisting. – user253751 Jan 04 '21 at 13:58
  • 1
    Hijacking (active space) and squatting (abandoned space) are unfortunate modern realities. Reputable operators filter what they send and receive -- they don't blindly accept whatever you say you own. (sadly, there are a lot of ISPs -- many of whom know better -- that don't.) Filtering is not blacklisting -- that would be ignoring everything being claimed. (i.e. turning off the link) – Ricky Jan 04 '21 at 22:52
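
The per-neighbour prefix filtering described in the comments above, sketched as an added example that is not part of the original thread. The ASNs and prefixes are documentation values, the `AUTHORIZED` table stands in for data a provider would build from route objects or an LOA, and the /48 IPv6 length limit is an assumption (the thread only mentions /24 for IPv4).

```python
import ipaddress

# Constructed sample data: what each customer AS may announce, as it would be
# built from route objects or a letter of authorization (LOA).
# ASNs and prefixes are documentation values, not real assignments.
AUTHORIZED = {
    64500: ["198.51.100.0/24", "2001:db8:100::/40"],
    64501: ["203.0.113.0/24"],
}

# Longest prefix accepted per IP version. /24 is the IPv4 limit mentioned in
# the thread; /48 for IPv6 is an assumption (a common operator convention).
MAX_LEN = {4: 24, 6: 48}


def evaluate(peer_as, prefix):
    """Decide whether an announcement from peer_as passes the inbound filter."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False, "malformed prefix"
    if net.prefixlen > MAX_LEN[net.version]:
        return False, "too specific"
    for allowed in AUTHORIZED.get(peer_as, []):
        parent = ipaddress.ip_network(allowed)
        # subnet_of() raises TypeError across IP versions, so compare versions first.
        if parent.version == net.version and net.subnet_of(parent):
            return True, f"within {parent}"
    return False, "not authorized for this peer"


def filter_session(peer_as, announcements):
    """Return only the prefixes that would be installed from this session."""
    return [p for p in announcements if evaluate(peer_as, p)[0]]


if __name__ == "__main__":
    # Constructed session: AS64500 sends its own space, another customer's
    # space, and a more-specific that is too long to accept.
    sample = ["198.51.100.0/24", "203.0.113.0/24", "198.51.100.0/25",
              "2001:db8:100::/48", "2001:db8:200::/48"]
    for p in sample:
        print(64500, p, evaluate(64500, p))
```

The filter is default-deny per session: a prefix is dropped unless it falls inside something that neighbour is authorized for, while the session and the neighbour's legitimate prefixes stay up.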