Hurricane Electric no longer offers free BGP tunnels

This is the message I got trying to set up a BGP tunnel today:

Due to recent abuse activity, at this time we will no longer be offering the BGP tunnel option for free with tunnelbroker.net. You may inquire with [email protected] or call 1-510-580-4190 for a quote for this commercial service, which is $500/month. Regular non-BGP tunnels will continue to be offered freely through this service.

That’s why we can’t have nice things. People…

Sad, will the existing ones stay?
EDIT: They will

Wow, this has changed very recently. I set up a BGP tunnel with them 2 or 3 weeks ago and didn’t have any issues. Guess this must be very recent abuse. I know it’s not me…

My God, that’s more than a GigE link at an on net data center!

well, on the bright side, raise a ticket at freetransit.ch (shameless plug, I know)

We always offered a redundancy solution, just asked RIPE for a different ASN to separate these users a bit out due to the added strain on OPS.

ping me, we will do a tunnel. We already got another Tier1 (apart from HE in this case) agreeing to give us transit to pass on, as well as my employer offering tunnels.

Too bad. I’ve just bought an IPv6 prefix as well as a private ASN, and then heard of this…

My existing is still working, but they will probably phase it out eventually then.

Anyone without the requirements to colo at HE looking for space in HE Fremont, CA Datacenter? Maybe we can work out something.

Tunnelbroker.ch is a free tunnel broker service, which allows you to reach the IPv6 Internet by tunneling over existing IPv4 connections from your IPv6-enabled host or router to one of our IPv6 routers.

We provide free IPv6 Tunnels and Prefixes with RPKI (ROA):

IPv6 Prefix (from /48 to /44), $0.00/mo:

  • /44 to /48 IPv6 Prefixes
  • Assigned to your ORG Object
  • Authorization for your Maintainer Object
  • RPKI Support
  • RIPE Sub-Allocation
  • Set own Geolocation
  • Sub-Allocation from 2a0e:b107::/32

Tunnels (SIT or GRE), $0.00/mo:

  • IPv4 BGP Session (optional)
  • IPv6 BGP Session
  • Automatic Prefix Filtering
  • SIT (for IPv6) and GRE (DualStack)
  • /64 Allocation for every Tunnel
  • Locations: Zurich, Dusseldorf, London and Sandefjord

Securebit AG provides virtual servers, Colocation, Internet Resources (ASN, IPv4, IPv6) and other Solutions in data centers in Europe (Zurich, Frankfurt, Dusseldorf and London).

Our services are based on latest HPE and DELL servers, offering outstanding performance and reliability. We also operate our own fully redundant network across multiple data centers.

Securebit AG was founded in 2018 and has more than 14 years of experience in the field of networks, virtualization and internet services.

Securebit now provides Tunnels in Fremont (US):

https://www.securebit.ch/internet/tunnel

For private use we also provide free Tunnels:

https://www.tunnelbroker.ch

So how does this affect typical 6 in 4 HE tunnels? I have been working on adding this tunnel to my home study lab and BGP would be a part of that education. Is there any reason BGP routes/tables could not be trafficked via a 6 in 4 tunnel? A major purpose of 6 in 4 is to be able to travel from IPv4 TO IPv6 so you should be able to trade the BGP route files that way. YES / NO ???

There are already a few flavors of abusers attempting to take advantage of IPv6 while anti-abuse measures are still immature.

And while I don’t like regional content restrictions, Netflix had to block access from HE’s IPv6 tunnels because people were using those tunnels as a “free VPN”. At some point, when most resources are accessible over IPv6, that’s what it becomes.

Came here to say the same thing

Challenge Accepted regarding whether or not “we want your business” regarding IPv6 BGP tunnels.

Hurricane Electric will give anybody that has their own ASN and IP address space from ARIN, RIPE, APNIC, LACNIC, or AfriNIC free colo (cabinet + power + internet) in our Fremont 2 data center subject to the following conditions:

  • Have your own IPv4 or IPv6 address space and a public ASN registered to you.

  • Install a real router with at least one 10GE port that can carry a
    full IPv4 and IPv6 routing table. The router needs to be Cisco, Juniper,
    Extreme, Arista, Ubiquiti, or Mikrotik and be able to carry a full IPv4
    and IPv6 BGP table.

  • Configure and run IPv4 and IPv6 BGP with at least one other network in
    the building using a public ASN and your own address space (can be HE or
    anybody).

  • Connect to FCIX, SFMIX, and/or AMS-IX Bay Area. (FCIX is offering
    free ports, not sure if the others will donate a port to you.)

  • List your network in peeringdb.com as being present at the Hurricane
    Electric Fremont 2 data center.

  • You aren’t already in the Fremont 2 data center running BGP.

With this setup you can run for free whatever kind of tunnels or VPN you want to your own equipment running full proper BGP in your own cabinet in our data center, etc.

Background regarding IPv6 BGP tunnels:

Hurricane offered IPv6 BGP tunnels for network operators that have their own ASN and address space to be able to get started with IPv6 in a situation where none of the NSPs (network service providers) in their area were offering IPv6 with BGP. You have to already be paying ARIN, RIPE, APNIC, LACNIC, or AfriNIC an annual fee for your address space and ASN to even be able to use the IPv6 BGP tunnel service.

The regular IPv6 tunnel service was created for software engineers, system administrators, network engineers, and other experimenters so that they could learn about IPv6 and get started using it. In the early days of IPv6 even getting connected to the IPv6 Internet was super difficult. It’s kind of hard to develop IPv6 support in a desktop or mobile app when you can’t get IPv6 connectivity. It’s also hard to get good hands-on experience configuring a server for IPv6 if you can’t reach the IPv6 Internet. The tunnelbroker solved that problem for individual developers and engineers.

The tunnel service is not intended for use for people that want anonymous connections so they can do attacks, hacking, advertising click fraud, shady stuff involving search engines and SERP. It’s not meant for that audience. We have never represented it as an anonymous VPN. It’s more like another work bench tool.

The problem we ran into with the IPv6 BGP tunnels is that there are shady people out there that progressively got more and more bold and were hijacking address space etc by taking advantage of weaknesses in IRR by creating records that should have never been allowed to exist (the relevant IRR has been informed and hopefully they will put some countermeasures in place). (BTW, RPKI helps reduce these types of attacks, though it is not sufficient to eliminate all possible attacks. More about RPKI later). We found a pattern that linked several different accounts and several different ASNs to extremely bad behavior and terminated all the accounts involved that we have been able to discover so far.

The tunnel IPv6 BGP service was always intended for network operators to get started so they could do testbeds or to solve severe IPv6 unavailability problems and was most needed in the early days of IPv6 deployment. Now, as a network operator, you really want to run native IPv6 if you can.

Hurricane recently added RPKI to the tools we use to build prefix filters for all the customer and peering sessions we have with over 7200 networks around the world, with just a few remaining sessions with major backbones having slightly different prefix filtering. Shortly even those last few sessions will have prefix filters based on RPKI as well. We also will sign all of the routes that use our address space using RPKI very soon.

RPKI provides Route Origin Authorization, which allows you to check the origin of a BGP route for validity. This is not the same as path validation. Right now for BGP security, multiple methods need to be used.

The change regarding the IPv6 BGP tunnels does not affect regular IPv6 tunnels which are still free.
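
The origin check described in the post above, as an added example that is not part of the thread and not Hurricane Electric's code: RFC 6811 route origin validation over constructed VRPs (documentation prefixes and ASNs; the function names are hypothetical). Only the last AS in the path is examined, which is why this is origin validation and not path validation.

```python
import ipaddress

# Constructed VRPs (validated ROA payloads): (prefix, max_length, origin ASN).
# Uses the IPv6 documentation prefix and documentation ASNs; not real data.
VRPS = [
    ("2001:db8::/32", 48, 64496),
    ("2001:db8:ff00::/40", 40, 64497),
]

def origin_validate(prefix, as_path, vrps=VRPS):
    """Return 'valid', 'invalid' or 'not-found' per RFC 6811."""
    route = ipaddress.ip_network(prefix)
    origin = as_path[-1]  # only the rightmost (origin) AS is examined
    covered = False
    for vrp_prefix, max_len, vrp_asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        # subnet_of() raises on mixed address families, so check first.
        if route.version != vrp_net.version or not route.subnet_of(vrp_net):
            continue
        covered = True
        if vrp_asn == origin and route.prefixlen <= max_len:
            return "valid"
    # Covered by at least one VRP but matched by none: invalid.
    return "invalid" if covered else "not-found"

def build_accept_list(announcements, vrps=VRPS):
    """Hypothetical filter policy: drop 'invalid', keep the rest."""
    return [(p, path) for p, path in announcements
            if origin_validate(p, path, vrps) != "invalid"]

if __name__ == "__main__":
    sample = [  # constructed announcements: (prefix, AS path)
        ("2001:db8:1::/48", [64500, 64496]),         # matching origin
        ("2001:db8:1::/48", [64500, 64499]),         # wrong origin
        ("2001:db8:1:2::/64", [64496]),              # longer than maxLength
        ("2001:db8:1::/48", [64511, 64510, 64496]),  # different path, same origin
        ("192.0.2.0/24", [64496]),                   # no covering VRP
    ]
    for prefix, path in sample:
        print(prefix, path, origin_validate(prefix, path))
```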

It has always been a risky decision using HE free services for any professional application.

check https://bgp.services.

it ain’t free but it’s cheap.

I emailed them about it, and they replied that existing tunnels will continue to work.
So it seems we don’t have to worry about that for now.

Which was annoying, because I had to disable my HE IPv6 tunnel to watch Netflix.

Thanks for providing the service in the first place. I really appreciated it to get started with some IPv6 at a very low cost.