ARIN-PPML Message

[ppml] Fw: IRS goes IPv6!

Thus spake "Jeroen Massar" <jeroen at unfix.org>
> On Sat, 2006-02-18 at 16:13 -0600, Stephen Sprunk wrote:
> >     d) be an existing, known ISP in the ARIN region or have a plan for
> > making at least 200 /48 assignments to other organizations within five
> > years.
> >
> > There are several different ways to read that, but one can't interpret
> > that as merely requiring "200 sites".
>
> This is how I interpret it and many other folks too.

If you do multiple (IMHO dubious) substitutions of terms, yes, but I think 
there's still room for debate on that (below).

> > > The word 'site' is very open.
> >
> > No, it is not:
> >
> >     6.2.9. End site
> [..]
> These points show exactly that it is very open; because what do you
> define as an 'end user':
>
> 8<-----
> 2.6
> An end-user is an organization receiving assignments of IP addresses
> exclusively for use in its operational networks.
> ----->8
>
> Any 'branch' of a company is already a (separate) organization, in most
> cases legally and financially.

I don't buy that.  In the case of a franchise, it's clear that the location 
is a separate legal entity (i.e. organization), but in the case of an IRS 
office (or other integral property of some parent org), I have trouble 
seeing any legal separation.  The separation is only logical or physical, 
which IMHO does not meet the standard.

> > > Every single office building of the IRS can be counted as a separate
> > > entity. They most likely don't have connectivity to the $world, but they
> > > do need address space.  Thus they request from ARIN their address
> > > space, specify that they have 200++ sites and simply get it (after
> > > having paid up etc).
> >
> > They'd have to prove that either they were a known ISP (which I doubt)
>
> Why? They are most likely a very known Internet Service Provider to
> their own sub-organizations. The definition here is also very open.

Absent a comment from the author, a reasonable reading of the text gives the 
original intent not as "some small closed group of people know the org is an 
ISP" but rather "is known to the public as an ISP".  IRS-IT fails the 
latter.

> > or that they planned to assign 200 /48s to other organizations (which I
> > also doubt).
>
> Depends on how one defines organization. The "Dallas Chapter" is
> already a different organization (different director, accounting etc).

A middle manager and his/her budget does not a distinct organization make.

> > If this sort of game passes muster with ARIN, that means any
> > company with at least 200 locations (or at least a plan to have that
> > many) or that pays a few bucks to create 200 shell companies can
> > get a LIR allocation.  This is a very slippery slope, and IMHO we
> > need a true PI policy to put a stop to this nonsense.
>
> The nonsense part is that this big "loophole" exists and that
> organisations that need address space are not using it.

I suppose that's one way to look at it.

Hey, ISP guys:  the big bad enterprises can already get all the precious 
routing slots they want today; how about you support 2005-1 or 2006-4 so 
that we can limit the potential for problems (and segregate them into a 
different block)?

Maybe that'll work better than the "Please Sir, may I have another?" we've 
been using to date.

> > I've gotten a few private emails that list dozens of companies and other
> > govt orgs that have supposedly done exactly this; it's apparently the
> > best-known hole in IPv6 address policy.
>
> There are indeed *loads* of allocations made to companies which will
> never use the amount of address space they requested, but in most
> cases them getting the address space is a reasonable thing.

I wasn't arguing that it was unreasonable for the various orgs with dubious 
IPv6 allocations to get them, merely that they had abused the ISP policy due 
to lack of an end-site one.

> It depends on the viewpoint though: do those organisations need
> address space or do they need independent routing. If they only
> need the latter they should fall under a new small-site policy,
> otherwise the /32 or so is fine for them.

> > If end users are going to be getting space, though, we should provide
> > a more appropriate policy for them (and assign from a dedicated block).
>
> Full-ack.

At least we agree on that much.

> > > Most likely it will never pop up on the internet, but that is not what
> > > the RIR's are for; they only provide address space and this
> > > organisation showed a requirement for address space.
> >
> > No, we assume they did.  We're not privy to what the ARIN staff
> > saw or did not see.  Nor do I see why you assume that the IRS's
> > computers will never talk to the Internet; I agree it's irrelevant to
> > the v6 allocation/assignment process, but I see no basis for your claim.
> > Do IRS auditors not surf the web on their lunch break like everyone
> > else?
>
> I dunno, they most likely like that like everybody else. But from a
> 'security through obscurity' point of view I would not make the
> resources that use that address space available directly routed onto the
> internet (of course there is a thing called a firewall but that is not
> entirely safe in most misconfig cases either).

If they didn't want to use globally-reachable addresses inside the firewall, 
they could use ULAs.  That, of course, opens the door for things like NAT, 
in which case they might as well just stick to IPv4.  The main driving 
factor for IPv6 is that you're able to give a unique global address to every 
host.

There's no challenge to putting all of their addresses behind a firewall 
minus one or two for the DMZ.  Plenty of folks with pre-CIDR assignments do 
that with IPv4, even.

> Another reason would be the distribution of traffic. Where do you
> announce the aggregate and how do you get the packets from the
> branches to those places and back. They could thus use the
> allocation for their internal resources while using a local ISP for
> actually surfing the web and sending mail etc.  All theoretical
> assumptions of course.

Based on my experience with similar large orgs, I find that unlikely, but if 
true they've got problems regardless of what type of addresses are where.

> > See my note above about shell companies and the slippery slope.
> > I don't know about your SMB, but mine could easily file some
> > papers at the courthouse Monday morning and qualify for an LIR
> > allocation by that afternoon.
>
> It's indeed quite slippery and that needs to be fixed. It does currently
> already allow most organisations to get an allocation, even without
> a court to come in between ;) I have not seen a landrush yet, but
> the hole should be closed before the dam breaks.

I don't agree with "most organizations", though if that were "most 
organizations that have the resources to multihome" I would.  There's 
millions of SMBs out there, most with under 50 employees and a single 
location.  BGP-capable sites are few and far between, relatively speaking, 
and the IPv4 table confirms that.

> > There are some folks here who think every location within an end
> > user org should get its own /48, so that is potentially off by several
> > bits, but otherwise I agree with you.
>
> The /48 is indeed very up for debate. According to some calculations
> I've seen and also my own usage, a /56 seems to be better covering
> and also allows more future growth. Eg a SMB could get a /48 and
> give /56's or so to its sub-organisations.

I think it'd be simpler to define an acceptable HD ratio based purely on 
subnet count.  There is little sense in delegating /48s (or /56s) to various 
sub-organizations which share the same network; let topology (not arbitrary 
org-charts) dictate where the addresses go, and give people more if they 
need them.

> I do think though that having global routing entries </48 should be
> avoided. Though address space requirements != routing, which is
> something that should be kept in mind too. The expected routing
> problem should not limit anyone to get the correct amount of
> address space that they would need.

I don't have a problem with shorter prefixes -- I just don't see a point in 
gratuitously wasting address space, no matter how much we have.  The 
standards for justification of more than the minimum can be fairly lax, but 
if a /48 meets 95% of applicants' needs, why make the minimum any larger?

S

Stephen Sprunk        "Stupid people surround themselves with smart
CCIE #3723           people.  Smart people surround themselves with
K5SSS         smart people who disagree with them."  --Aaron Sorkin
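The "HD ratio based purely on subnet count" idea from the message above, worked through as an added example (not part of the thread): the RFC 3194 HD ratio is log(subnets used) / log(subnets available), and the 0.8 threshold below is an assumed policy parameter, not a value the thread states.

```python
import math

# Assumed threshold (policy parameter); RFC 3194 discusses 0.8 for IPv6.
HD_THRESHOLD = 0.8


def hd_ratio(used, prefix_len, unit_len):
    """HD ratio of a prefix_len block carved into unit_len subnets.

    E.g. a /32 carved into /48s has 2**16 units available.
    """
    bits = unit_len - prefix_len
    available = 2 ** bits
    if not 1 <= used <= available:
        raise ValueError("used must be between 1 and the number available")
    if bits == 0:
        return 1.0  # a single unit fully used is 100% utilized
    return math.log2(used) / bits


def units_for_threshold(prefix_len, unit_len, threshold=HD_THRESHOLD):
    """Smallest number of unit_len subnets that brings the block to threshold."""
    bits = unit_len - prefix_len
    return math.ceil(2 ** (bits * threshold))


def shortest_justified_prefix(used, unit_len, threshold=HD_THRESHOLD):
    """Shortest (largest) prefix whose HD ratio with `used` subnets still
    meets the threshold, i.e. what a site count alone would justify."""
    bits = 0
    while bits < unit_len and math.log2(used) / (bits + 1) >= threshold:
        bits += 1
    return unit_len - bits


if __name__ == "__main__":
    # Constructed figures using the thread's "200 /48 assignments".
    print("HD ratio of 200 /48s in a /32:", round(hd_ratio(200, 32, 48), 3))
    print("/48s needed to reach 0.8 in a /32:", units_for_threshold(32, 48))
    print("/56s needed to reach 0.8 in a /48:", units_for_threshold(48, 56))
    print("Prefix 200 /48s justify at 0.8: /%d" % shortest_justified_prefix(200, 48))
```

At the assumed threshold, 200 /48 end sites justify a /39 rather than a /32, which is the kind of count-driven sizing the message argues for.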