ARIN-PPML Message

[ppml] Fw: IRS goes IPv6!

On Sat, 2006-02-18 at 16:13 -0600, Stephen Sprunk wrote:
> Thus spake "Jeroen Massar" <jeroen at unfix.org>
> >On Tue, 2006-02-14 at 14:33 -0600, Stephen Sprunk wrote:
[..]
> > It is very simple: Current policy has 1 main entry:
> >  - requirement for more than 200 'sites'
> 
> Not exactly.
> 
>     6.5.1.1. Initial allocation criteria
> 
>     To qualify for an initial allocation of IPv6 address space, an 
> organization must:
>     ...
>     d) be an existing, known ISP in the ARIN region or have a plan for 
> making at least 200 /48 assignments to other organizations within five 
> years.
> 
> There are several different ways to read that, but one can't interpret that 
> as merely requiring "200 sites".

This is how I interpret it and many other folks too.

> > The word 'site' is very open.
> 
> No, it is not:
> 
>     6.2.9. End site
[..]
These points show exactly that it is very open; because what do you
define as an 'end user':

8<-----
2.6
An end-user is an organization receiving assignments of IP addresses
exclusively for use in its operational networks.
----->8

Any 'branch' of a company is already a (separate) organization, in most
cases legally and financially.

> > Every single office building of the IRS can be counted as a separate
> > entity. They most likely don't have connectivity to the $world, but they
> > do need address space.  Thus they request from ARIN their address
> > space, specify that they have 200++ sites and simply get it (after
> > having paid up etc).
> 
> They'd have to prove that either they were a known ISP (which I doubt)

Why? They are most likely a very known Internet Service Provider to
their own sub-organizations. The definition here is also very open.

> or 
> that they planned to assign 200 /48s to other organizations (which I also 
> doubt).

Depends on how one defines organization. The "Dallas Chapter" is already
a different organization (different director, accounting etc).

>   My reading of this is that ARIN allowed them to claim each physical 
> location was a separate "organization" because there was no other way to 
> fulfill their request, which was probably reasonable otherwise.

Indeed.

> If this sort of game passes muster with ARIN, that means any company with at 
> least 200 locations (or at least a plan to have that many) or that pays a 
> few bucks to create 200 shell companies can get a LIR allocation.  This is a 
> very slippery slope, and IMHO we need a true PI policy to put a stop to this 
> nonsense.

The nonsense part is that this big "loophole" exists and that
organisations that need address space are not using it.

> I've gotten a few private emails that list dozens of companies and other 
> govt orgs that have supposedly done exactly this; it's apparently the 
> best-known hole in IPv6 address policy.

There are indeed *loads* of allocations made to companies which will
never use the amount of address space they requested, but in most cases
them getting the address space is a reasonable thing.

It depends on the viewpoint though: do those organisations need address
space or do they need independent routing. If they only need the latter
they should fall under a new small-site policy, otherwise the /32 or so
is fine for them.

> If end users are going to be 
> getting space, though, we should provide a more appropriate policy for them 
> (and assign from a dedicated block).

Full-ack.

> > Most likely it will never pop up on the internet, but that is not what
> > the RIR's are for; they only provide address space and this
> > organisation showed a requirement for address space.
> 
> No, we assume they did.  We're not privy to what the ARIN staff saw or did 
> not see.  Nor do I see why you assume that the IRS's computers will never 
> talk to the Internet; I agree it's irrelevant to the v6 
> allocation/assignment process, but I see no basis for your claim.  Do IRS 
> auditors not surf the web on their lunch break like everyone else?

I dunno, they most likely do that like everybody else. But from a
'security through obscurity' point of view I would not make the
resources that use that address space available directly routed onto the
internet (of course there is a thing called a firewall but that is not
entirely safe in most misconfig cases either). Another reason would be the
distribution of traffic. Where do you announce the aggregate and how do
you get the packets from the branches to those places and back? They
could thus use the allocation for their internal resources while using a
local ISP for actually surfing the web and sending mail etc.
All theoretical assumptions of course.

> > > If end sites like the IRS can get direct allocations today, perhaps
> > > all this discussion about PI space is moot and we don't need
> > > 2005-1 et al.
> >
> > The policy doesn't cover 1 case: SMBs who want their own
> > address space for various reasons (mostly being independent). For
> > these cases there should come a new policy which allows them to
> > get a /48 or up to something like a /40 depending on how much
> > they really need and if they consist of a lot of networks or just
> > a few.
> 
> See my note above about shell companies and the slippery slope.  I don't 
> know about your SMB, but mine could easily file some papers at the 
> courthouse Monday morning and qualify for an LIR allocation by that 
> afternoon.

It's indeed quite slippery and that needs to be fixed. It does currently
already allow most organisations to get an allocation, even without a
court to come in between ;) I have not seen a landrush yet, but the
hole should be closed before the dam breaks.

> > These 'small' blocks should be allocated from a single large block,
> > per RIR or globally chunked into a portion each for a RIR. This would,
> > in case of routing scalability issues, allow some aggregation or
> > other weird tricks in those blocks, assuming that they will become
> > the bulk of the table. Shim6 and future work could then use the
> > /48 as an ID, while using the /48 they receive from their upstream
> > as the IP which is routed. But that is just keeping in mind the
> > future and that we can't envision what will happen, though the
> > math is pretty easy (every business a /48, X million businesses/
> > other-sites globally...)
> 
> There are some folks here who think every location within an end user org 
> should get its own /48, so that is potentially off by several bits, but 
> otherwise I agree with you.

The /48 is indeed very much up for debate. According to some calculations
I've seen and also my own usage, a /56 seems to be a better fit and
also allows more future growth. Eg an SMB could get a /48 and give /56's
or so to its sub-organisations.

I do think though that having global routing entries </48 should be
avoided. Though address space requirements != routing, which is
something that should be kept in mind too. The expected routing problem
should not limit anyone from getting the correct amount of address space
that they would need.

Greets,
 Jeroen
