As you may know, I am currently writing a series on BGP and how the Internet works, from my perspective as the operator of a small autonomous system, AS200351. While we haven’t really exhausted the theoretical material, I think I’ve covered enough to enable readers to set up their own basic autonomous system. Rather than forcing you to do your own research based on outdated and potentially incorrect information on the Internet, or allowing you to fall victim to scams, I think it would be wise to talk about the process of getting your own ASN.
For readers who haven’t read the previous parts of the series and are unfamiliar with why one might want an ASN, here’s a brief explanation:
An autonomous system (AS) is a constituent part of the Internet that can define its own routing to the remainder of the Internet, and ASes exchange routes with each other over Border Gateway Protocol (BGP) to form the Internet itself. By receiving a globally unique identifier, an AS number (ASN), which in my case is 200351, I can exchange routes over BGP with other ASes, announce my own IP addresses to the Internet, and control how traffic flows in and out of my network, as opposed to simply exchanging traffic from a default gateway to reach the Internet with an IP address assigned by my ISP. This comes with several advantages, such as being able to switch upstream ISPs at will (or when such an ISP fails) without changing my IP addresses or breaking a single connection; or to advertise the same IP addresses from multiple locations (anycasting) to allow users to reach my services with lower latency than otherwise permissible by the speed of light with automatic failover.
I will now share what I wish I knew when I impulsively decided to apply for an ASN at 3 a.m. on a cold December night last year, now that I’ve been doing this for a while. I’ll walk through the process as objectively and thoroughly as possible, demystifying the role of any player in this space. I would like you to go into this with full knowledge of the risks and a full understanding of where your money is going. In the end, I will offer some subjective suggestions on providers, but those can be ignored if you would rather do your own research.
Choosing an RIR
As mentioned before in this series, ASNs and IP addresses are Internet numbers, which are resources ultimately managed by the IANA, whose assignment is delegated to the Regional Internet Registries (RIRs). There are five RIRs in the world, but since I only have experience with ARIN and RIPE NCC, I will mostly focus on these two.
Typically, RIRs allocate ASNs directly to end users, whereas RIRs may allocate IP addresses directly, but also to Local Internet Registries (LIRs) who allocate them to end users. In order for RIRs to issue an ASN, they typically require you to have your own IP addresses that you can announce with BGP, so you probably want to get IP addresses first—either from an RIR directly or from an LIR—or get them with the ASN if that’s an option. Note that it’s possible to use your own IP addresses without your own ASN by getting an ISP to announce them for you, a service typically called “bring your own IP” or BYOIP, but we aren’t doing that here.
Given the current state of IPv4 address exhaustion, you will almost certainly be getting IPv6 addresses, likely exclusively. As such, IPv6 will be the main focus.
No matter what, you need to choose an RIR for your ASN and IP addresses. Even if you choose to use an LIR for your IP addresses, they ultimately come from an RIR, and the choice of RIR affects how you manage your resources as well as how the resources can be used. The “conventional wisdom” here—espoused by the top search results from hobbynet bloggers—is that ARIN is focused on businesses and RIPE is more hobbynet-friendly, but that’s a rather distorted version of the truth. I’ve done my reading in the past and thought this way once, but I’ve come to realize that things are a lot more complicated than that.
At this point, it might be worth noting that each RIR has its own policies on how resources are allocated and how membership is managed, and these policies are mostly motivated by the situation in their service region.
Either way, let’s start with RIPE—or really, RIPE NCC, the Réseaux IP Européens Network Coordination Centre. This is the RIR responsible for “Europe and the Middle East”. Due to the relative difficulty of creating companies or getting a trade name for sole proprietors in Europe, RIPE allows “organisations”1 to be created directly with personal names without question.2 For this reason, RIPE is perceived to be a lot more friendly toward hobbyists.
RIPE will only serve users who live or have “network presence” in their service region. As far as RIPE is concerned, the latter means having at least a single VPS in the region, which should be announcing at least one route under your ASN, if you choose to get an ASN from them. If you aren’t a resident in the region, you will be asked to produce an invoice for it. As long as you fulfill this requirement, your RIPE resources may be used anywhere in the world.
IP resources in RIPE are broadly divided into two categories—Provider Aggregatable (PA) and Provider Independent (PI). PA addresses are large blocks (typically /29 or larger) allocated by RIPE to LIRs, who can in turn hand them to whoever they please—well, subject to RIPE policy. In practice, there aren’t many restrictions, and I’ve seen smaller blocks (especially /44 or smaller) regularly being given away for free. It is important to note that as far as RIPE is concerned, the PA block belongs to the LIR and not to the end users to whom the LIR has assigned subblocks. This means that should the LIR go under, RIPE will take back the entire IP block and end users will lose their allocations without much warning. Therefore, when using PA addresses, it is important to use an LIR that you can trust to continue existing.
You should also understand how LIRs operate. To become an LIR, RIPE will charge a one-time fee, currently €1000, along with an annual fee, currently €1550, to be paid in January of every year, which is prorated for new LIRs. RIPE subscribes to the “one LIR, one fee” policy, which means large and small LIRs pay the same. For details, see the RIPE payments page. By policy, each new LIR is entitled to a /24 of IPv4 (due to IPv4 exhaustion, any new LIR will wait a long time before receiving it) and no more. For IPv6, new LIRs are entitled to a /29 without justification.
If you choose to get PA addresses from an LIR, keep in mind they probably have at least a /29 (which is 512k /48s) and are paying €1550/year for it. This means that if they manage to fully sell their initial /29, they’ll break even selling each /40 for 76 cents, each /44 for 4.8 cents, or each /48 for 0.3 cents per year. Taking into account the sales and management overhead and the fact the LIR might not sell 99% of their space, an LIR should probably not charge more than $20/year for a PA block of /44 or smaller, or more than $40/year for a /40.
PI addresses are small blocks, typically no larger than /48, issued by RIPE directly to end users. Of course, RIPE doesn’t deal with end users directly—instead, users need to get an LIR to sponsor their request and act as the intermediary. For each PI request, RIPE currently charges €50/year. A single request may result in multiple /48s being allocated if the requester has multiple sites and requests a /48 for each, as that’s the minimum routable size on the Internet. It is very rare if not impossible for RIPE to allocate a /44 or larger block of PI addresses, whether contiguously or in aggregate, so any LIR purporting to sell that is unlikely to be able to deliver.
Typically, an LIR would charge a bit more than €50/year to handle the request, but they are probably ripping you off if they charge more than double that. Also, note that PI addresses are severely limited in use cases compared to PA. For the exact details, see the RIPE policy on this. Furthermore, if the sponsoring LIR for a PI block goes under, RIPE will ask the end user to find another LIR sponsor within 30 days or take back the resource.
ASNs function very similarly to PI resources and require the same sponsorship process, but they currently cost the LIRs nothing to get. This may change one day. There was a proposal this year at the RIPE NCC General Meeting to add a €50/year/ASN fee, but the motion has been defeated, though it may show up again. For this reason, I think LIRs that charge annual fees for ASNs are being unreasonable. In general, I don’t think an ASN should cost more than $100 one-time to issue.
Since IP addresses are required for an ASN to be issued, it’s also common for LIRs to sell ASN and IP bundles. In these cases, the one-time fee should cover the ASN and the recurring fee for the IP range.
On the other hand, the American Registry for Internet Numbers (ARIN) is the RIR responsible for the US, Canada, and some Caribbean islands. In this region, it is a lot easier to start a business, so ARIN requires you to be some form of business before they will deal with you. From this, people get the impression that ARIN hates hobbyists. This is not true, since ARIN will accept the simplest business structure—the sole proprietorship. Typically, they would like you to have a trade name, which you can typically request from your local government for a small sum of money. For example, in the province of Ontario, Canada, the government issued me a “Business Name” for “Dynamic Quantum Networks” for $60 CAD, which is valid for 5 years. This is not more expensive than a domain name. Alternatively, ARIN will let you use your personal name if you can prove you have been doing business under that name.
For IP addresses, ARIN has two styles of allocations—ISP/LIR and end user. ISP/LIR allocations are quite similar to RIPE’s concept of PA addresses. An ARIN LIR can allocate their IP range to their customers as they please, provided that records are kept to demonstrate that suballocations have been reasonable when requesting more addresses. End user allocations are similar to PI, but ARIN doesn’t have the concept of sponsorships. Instead, ARIN allocates resources directly to the end user. In general, it probably makes more sense to request resources as an ISP/LIR if possible, since the policies are a lot less restrictive. For details, see the Number Resource Policy Manual (NRPM), specifically sections 4.2, 4.3, and 6.5.
Note that, unlike RIPE which allows your resources to be used anywhere, ARIN has a more strict out-of-region use policy, requiring /22 of IPv4 to be used in-region before you can use any IPv4 out-of-region. For IPv6, this is a /44 used in-region. For ASNs, the ASN must be present on at least one peering session in-region. For details, see the policy.
ARIN has several one-time fees, such as for creating an organization, which is required to receive any allocation. This fee is currently $50. ARIN’s annual fees are based on the amount of resources that you have, currently starting at $250 for up to a /24 of IPv4 and a /403 of IPv6. Currently, ARIN charges $550 to allocate an ASN and $150/year/ASN for ASN-only organizations. If you have any IP addresses, you instead pay the annual fee and all ASNs are free once issued. For details, see the fee schedule.
In 2024, this fee schedule is changing to be more reasonable—ASNs will be free to allocate, and the smallest $250 annual fee covers up to 3 ASNs. For details, see the FAQ for this change.
The simplified summary of ARIN’s allocation policy is as follows:
- An LIR can request an initial IPv6 allocation of /32 without justification. An LIR may choose to receive a /36 or a /40 instead to save on fees, but ARIN reserves the full /32 and you can choose to upgrade at any time without justification;
- An LIR can request an IPv4 allocation of /22 by going on the waitlist, for a total of /20. An LIR may also request special reserved blocks with proper justification; and
- An LIR can request an ASN with two peering partners.
APNIC may be an option if you live in the Asia-Pacific region. I am not familiar with their policies, but I know they give a /23 of IPv4 addresses to each new LIR, which is also the maximum amount of IPv4 APNIC will ever allocate.
AfriNIC and LACNIC don’t have all the features you’d expect from APNIC, ARIN, and RIPE. For example, neither has an RPKI publication service for their members, requiring the user to maintain their own. AfriNIC in particular is also involved in many controversies and scandals.
I am not qualified to speak about APNIC, AfriNIC, or LACNIC, so I won’t. If you live in their service region, you are welcome to do your own research and compare them with RIPE, which remains a popular option for hobbyists in those regions.
This leaves us with ARIN and RIPE. At first glance, ARIN might seem a lot more expensive than RIPE, but keep in mind that:
- even paying the lowest possible annual fee, you are a full member of ARIN and can receive resources directly. This means you don’t need to worry about your LIR going under; and
- ARIN has reserved pools of IPv4 addresses that can be immediately allocated if you qualify for them. Given that the market rate of an IPv4 /24 is around $1000/year, and that you will need to pay the full LIR fee to even get on RIPE’s waitlist for a /24, ARIN’s $250/year fee for a /24 seems quite reasonable. ARIN also has an IPv4 waitlist, but at least you don’t pay for the resources until you receive them and you can request up to a /22 at once.
In conclusion, RIPE seems like a decent choice for a beginner on a budget trying to get the cheapest ASN and an IPv6 block possible, as long as the caveat with PA addresses is understood. For a more serious network operating in ARIN’s service region, especially one looking to run IPv4, ARIN is a strong contender.
Note that you can get IP space from one RIR and announce it with an ASN from another RIR without issue. I personally operate AS200351, an ASN from RIPE, with IP space from ARIN. If I were starting next year, given the knowledge that I have now, I would probably have just gone with ARIN for everything.
Getting an ASN
First, regardless of RIR, you need to have two peers to justify having an ASN. You can ask people in the IPv6 networking discord if they are willing to peer.
You are also strongly encouraged to familiarize yourself with the policies of your chosen RIR:
- For RIPE, these are RIPE-804 for IPv4, RIPE-738 for IPv6, and RIPE-679 for ASNs; and
- For ARIN, this is the NRPM.
If you choose to use RIPE, you will need to find an LIR with a good reputation that charges reasonable fees and get some PA addresses from them, which they should be able to allocate very quickly, then request an ASN. Many LIRs offer some IP+ASN bundle that does both together. If you are unsure which LIR to pick, feel free to ask in the IPv6 networking discord, and I’ll also post some recommendations below. Once you’ve done this, you will need to:
- Register an RIPE NCC Access account;
- Create a person and maintainer pair in the RIPE database (the form should be self-explanatory);
- Create an “organisation” object in the RIPE database. For
org-name, use your legal name or the name of a company that you control. For
mnt-ref, enter the
mntneryou created earlier. By the way, you will also need to add a second
mnt-refentry later for your LIR to be able to assign you an ASN or IP space, and they should tell you which one to add. Everything else should be self-explanatory;
- Give the chosen LIR information on all the objects you’ve created in the RIPE database and probably pay them as well;
- Sign an agreement with the LIR;
- Wait for the LIR to give you an identity verification link from RIPE4 and then complete the verification; and
- Wait for RIPE to issue your ASN.
If you are going with ARIN, they have video guides for setting up your Org ID and requesting IP addresses. You want to create an Org ID, sign the Registration Services Agreement, request an initial allocation for IPv6, then request an ASN.
What to do with an ASN
Once you have an ASN, there are a few things you should probably do:
- Create an AS-set for your AS-macro, which I talked about earlier.
You want to create this in the database of whichever RIR you used. You should
use the hierarchical form, naming it something like
xis your ASN, and add your own ASN as its sole member; and
- (Optional but recommended) Register on PeeringDB and create a profile for your ASN on it. You can use mine as a reference.
Then, you will need to find a BGP-capable server or colocation provider and pick
an IP range (/24 or larger for IPv4, /48 or larger for IPv6) to announce from
that server. You will most likely need to ask your provider to request a BGP
session, at which point you should tell them your ASN, AS-macro, and the IP
ranges you plan to announce. They may send a random string to the contact on
your organization object or the
aut-num object for your ASN in the RIR whois
database and ask you to produce it, or ask you to set up RPSL declaring that
your provider is allowed to act as your upstream. In the latter case, if you
received AS64500 and your upstream is AS64510, you will need to add the
following lines to your
import: from AS64510 accept ANY export: to AS64510 announce AS64500:as-all
You can set up a basic BGP session with any BGP daemon. I would recommend using
whatever your BGP-capable router uses, or bird if you are just using a
Linux server. If you are using
bird, you can build a configuration yourself
with the sample snippets from my
bird filter library, or use a
configuration generator like PathVector.
Now comes the hard part—building up your own network. There are many things you can do, such as joining Internet Exchanges and getting multiple upstreams. The possibilities are endless, and I can’t begin to explain everything that’s possible. You will likely need to learn through trial and error. Good luck! If you have any questions, feel free to ask them in the IPv6 networking discord, where there are many people happy to help you out.
If there is popular demand, I may write a more in-depth post on setting up your ASN. Otherwise, I’d probably just continue writing about the theory.
This is when things get subjective. The providers listed here are believed to have a good reputation by me or by people that I believe to be trustworthy and charge reasonable rates. However, please use your common sense in case things change. Also, if I use an affiliate link, I will offer an unaffiliated option as well.
Note that you can probably get a PA /48 from a reputable LIR for free if you ask around on Discord.
- Accuris (non-affiliate)
- BuyVM (non-affiliate)
- Cloudie Networks in Toronto (non-affiliate) and Fremont (non-affiliate)
- F4 Networks (non-affiliate)
- iFog (non-affiliate)
- Limewave (non-affiliate)
- Vultr (non-affiliate)
- Xenyth (non-affiliate)
These cover the ones with which I’ve had personal experience. There are more providers available on bgp.cheap and bgp.directory maintained by community members, but I can’t vouch for all of them personally.
Yes, RIPE, like APNIC, spells “organisation” in the British style, which is quite jarring every time I see it. ↩
Actually, it’s a bit more than that. RIPE considers sole proprietorships and partnerships to be purely fictional and requires the full legal name of the entity to be used. For example, even though I have the trade name “Dynamic Quantum Networks”, RIPE will insist that my “organisation” be called “Guanzhong Chen” or “Guanzhong Chen trading as Dynamic Quantum Networks”. This has led to disputes in the past with RIPE members over certain corporate entity types. Meanwhile, ARIN happily displays just “Dynamic Quantum Networks”. This may be a vanity thing, but it’s something to keep in mind if you don’t want your full legal name on display. ↩
ARIN currently has a fee waiver that allows you to hold up to a /36 at the $250/year tier, expiring at the end of 2026, after which you must pay $500/year for it. ↩
RIPE will directly verify your identity. Your LIR may also ask for identity verification themselves, because RIPE penalizes them if they apply for resources on behalf of customers that fail this verification. In these cases, be careful and make sure your LIR is storing your identity document securely. ↩