ARIN-PPML Message

[ppml] Fw: IRS goes IPv6!

Thus spake "Jeroen Massar" <jeroen at unfix.org>
>On Tue, 2006-02-14 at 14:33 -0600, Stephen Sprunk wrote:
>> How, exactly, did the IRS manage to get a direct allocation from
>> ARIN?  Did they somehow qualify as an LIR?  Did they snow the
>> staffers?  Did the US Govt put some sort of pressure on ARIN?
>
> There are two points I wanted to make with the email, though not
> many caught it I guess (could be because of the broken sentence ;) :
>  - a pun: 'how taxing the IRS would find IPv6'
>    * difficulty of getting the address space (alloc)
>    * difficulty of setting up and starting to use it (deploy)
>  - the fact that everybody can get address space.
>
> It is very simple: Current policy has 1 main entry:
>  - requirement for more than 200 'sites'

Not exactly.

    6.5.1.1. Initial allocation criteria

    To qualify for an initial allocation of IPv6 address space, an
    organization must:
    ...
    d) be an existing, known ISP in the ARIN region or have a plan for
    making at least 200 /48 assignments to other organizations within five
    years.

There are several different ways to read that, but one can't interpret that 
as merely requiring "200 sites".

> The word 'site' is very open.

No, it is not:

    6.2.9. End site

    An end site is defined as an end user (subscriber) who has a business
    relationship with a service provider that involves:

        1. that service provider assigning address space to the end user

        2. that service provider providing transit service for the end user
           to other sites

        3. that service provider carrying the end user's traffic.

        4. that service provider advertising an aggregate prefix route that
           contains the end user's assignment


> Every single office building of the IRS can be counted as a separate
> entity. They most likely don't have connectivity to the $world, but they
> do need address space.  Thus they request from ARIN their address
> space, specify that they have 200++ sites and simply get it (after
> having paid up etc).

They'd have to prove that either they were a known ISP (which I doubt) or 
that they planned to assign 200 /48s to other organizations (which I also 
doubt).  My reading of this is that ARIN allowed them to claim each physical 
location was a separate "organization" because there was no other way to 
fulfill their request, which was probably reasonable otherwise.

If this sort of game passes muster with ARIN, that means any company with at 
least 200 locations (or at least a plan to have that many) or that pays a 
few bucks to create 200 shell companies can get a LIR allocation.  This is a 
very slippery slope, and IMHO we need a true PI policy to put a stop to this 
nonsense.

I've gotten a few private emails that list dozens of companies and other 
govt orgs that have supposedly done exactly this; it's apparently the 
best-known hole in IPv6 address policy.  If end users are going to be 
getting space, though, we should provide a more appropriate policy for them 
(and assign from a dedicated block).

> Most likely it will never pop up on the internet, but that is not what
> the RIRs are for; they only provide address space and this
> organisation showed a requirement for address space.

No, we assume they did.  We're not privy to what the ARIN staff saw or did 
not see.  Nor do I see why you assume that the IRS's computers will never 
talk to the Internet; I agree it's irrelevant to the v6 
allocation/assignment process, but I see no basis for your claim.  Do IRS 
auditors not surf the web on their lunch break like everyone else?

> > If end sites like the IRS can get direct allocations today, perhaps
> > all this discussion about PI space is moot and we don't need
> > 2005-1 et al.
>
> The policy doesn't cover 1 case: SMBs who want their own
> address space for various reasons (mostly being independent). For
> these cases there should come a new policy which allows them to
> get a /48 or up to something like a /40 depending on how much
> they really need and if they consist of a lot of networks or just
> a few.

See my note above about shell companies and the slippery slope.  I don't 
know about your SMB, but mine could easily file some papers at the 
courthouse Monday morning and qualify for an LIR allocation by that 
afternoon.

> These 'small' blocks should be allocated from a single large block,
> per RIR or globally chunked into a portion each for a RIR. This would,
> in case of routing scalability issues to start some aggregation or
> other weird tricks in those blocks, assuming that they will become
> the gross of the table. Shim6 and future work could then use the
> /48 as an ID, while using the /48 they receive from their upstream
> as the IP which is routed. But that is just keeping in mind the
> future and that we can't envision what will happen, though the
> math is pretty easy (every business a /48, X million businesses/
> other-sites globally...)

There are some folks here who think every location within an end user org 
should get its own /48, so that is potentially off by several bits, but 
otherwise I agree with you.

S

Stephen Sprunk        "Stupid people surround themselves with smart
CCIE #3723           people.  Smart people surround themselves with
K5SSS         smart people who disagree with them."  --Aaron Sorkin