From Keith at jcc.com Sat Sep 1 00:23:50 2007 From: Keith at jcc.com (Keith W. Hare) Date: Sat, 1 Sep 2007 00:23:50 -0400 Subject: [ppml] Policy Proposal 2007-15: Authentication of Legacy Resources - version 1.1 Message-ID: <933be923a2dcb358a88b584c6b12359f46d8e956@jcc.com> > -----Original Message----- > From: Scott Leibrand [mailto:sleibrand at internap.com] > > The policy states that the RSA should be ready on January 1, > 2008. If that doesn't happen until December, then the > following section of the policy proposal will apply: > > > If this policy is > > implemented after December 31, 2007, the trigger dates in > the policy > > should be adjusted appropriately. > > The intent of the policy proposal is to provide 1 year from > the date the RSA becomes available and the date that it > becomes required for all updates to legacy registrations. That's not what the policy says. It says "No changes shall be made to legacy resource records which are not covered by a registration services agreement after December 31, 2007." So, the RSA is ready on January 1, 2008, but legacy resource holders can't update stuff that is not covered by the RSA after December 31, 2007? There is not a year there. I would be happier if the year you claim is the intent were actually in the proposed policy. I would be even happier to leave the sentence out entirely. Why do we need a stick today for the legacy address holders who have not responded to the invitation that has not yet been issued? Keith From jr at jrw.org Sat Sep 1 07:54:49 2007 From: jr at jrw.org (J. R. Westmoreland) Date: Sat, 1 Sep 2007 05:54:49 -0600 Subject: [ppml] Legacy /24s References: <859D2283FD04CA44986CC058E06598F84B1D9AA7AC@exchange4.exchange.alphared.local> <46D8D83A.7020306@Dilkie.com> Message-ID: <000101c7ec8e$e9489df0$bbd9d9d0$@org> Let's try this again and send it to the whole list this time. Sorry, Lee, for causing you to get a double copy. ---------------------------------------- J. R. Westmoreland Custom Computers & Consulting Email: jr at jrw.org > -----Original Message----- > From: J. R. Westmoreland [mailto:jr at jrw.org] > Sent: Saturday, September 01, 2007 5:48 AM > To: 'Lee Dilkie' > Subject: RE: [ppml] Legacy /24s > > Mack, > > I, sinceI fall into your category, being a very small consulting > company, would support your proposal whole heartedly. > > Maybe I'll go find the form, and using some of your good wording, see > about making a proposal. I figure that it wouldn't start much more fuss > than there already is. > > J. R. > > ---------------------------------------- > J. R. Westmoreland > Email: jr at jrw.org > > > -----Original Message----- > > From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net] On Behalf > Of > > Lee Dilkie > > Sent: Friday, August 31, 2007 9:11 PM > > To: mack > > Cc: ppml at arin.net > > Subject: Re: [ppml] Legacy /24s > > > > What? > > > > no restrictive RSA? > > > > no outrageous $100/yr scalper fee? > > > > no justification of usage? > > > > You're daft man! > > > > A common sense proposal like this has no place on ppml. > > > > {pardon my sarcasm, been here too long I guess. But being a /24 > legacy > > holder in the same shoes as probably many, this would fit the bill > but > > I > > wouldn't hold my breath} > > > > -lee > > > > mack wrote: > > > I don't have the time to write it but I would support a > > > proposal that gives legacy /24 holders a permanent IPv4 fee waiver, > > > an efficient usage waiver so that they don't have to worry about > > reclamation, > > > and allows assignment of an appropriate sized block of IPv6 if they > > > start paying a fee after some specified date (ie. Jan 1, 2010) or > > whenever > > > the regular IPv6 waiver expires if it is extended beyond this date. > > > With the only contingency that the space be actively used in the > DFZ > > > or showing that the space is in use in a manner that cannot be > > readily > > > replaced by 1918 space. > > > > > > I personally feel that the /24 space needs to be handled > differently > > than > > > the /16 and /8 space. > > > > > > 1) Because there are more of these than the others numerically. > > > 2) Because there is no significant reclamation benefit if they are > > being used. > > > 3) Most of these are individuals or small companies that don't have > > significant resources. > > > > > > The use contingency allows for private use in organizations that > may > > find > > > it difficult to convert to 1918 space. > > > > > > This would be neutral in overall effect. It cost them nothing > unless > > they want IPv6 space. > > > It will encourage adoption of IPv6 by these users. It will move a > > significant number of > > > legacy blocks under a policy umbrella. > > > > > > This obviously would be for the 2008 timeframe. > > > > > > > > > LR Mack McBride > > > Network Administrator > > > Alpha Red, Inc. > > > _______________________________________________ > > > PPML > > > You are receiving this message because you are subscribed to the > ARIN > > Public Policy > > > Mailing List (PPML at arin.net). > > > Unsubscribe or manage your mailing list subscription at: > > > http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN > > Member Services > > > Help Desk at info at arin.net if you experience any issues. > > > > > _______________________________________________ > > PPML > > You are receiving this message because you are subscribed to the ARIN > > Public Policy > > Mailing List (PPML at arin.net). > > Unsubscribe or manage your mailing list subscription at: > > http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN > > Member Services > > Help Desk at info at arin.net if you experience any issues. From Lee at Dilkie.com Sat Sep 1 08:36:53 2007 From: Lee at Dilkie.com (Lee Dilkie) Date: Sat, 01 Sep 2007 08:36:53 -0400 Subject: [ppml] Legacy /24s In-Reply-To: <000101c7ec8e$e9489df0$bbd9d9d0$@org> References: <859D2283FD04CA44986CC058E06598F84B1D9AA7AC@exchange4.exchange.alphared.local> <46D8D83A.7020306@Dilkie.com> <000101c7ec8e$e9489df0$bbd9d9d0$@org> Message-ID: <46D95CE5.5020807@Dilkie.com> The list might as well see my reply back... Hey Mack, I agree with you. I think I even proposed a very minor fee as well ($5 is reasonable considering that all a legacy holder gets is an entry in a DB). I proposed something similar a few months ago, well, I "argued" that a number of the legacy holders are interested in ipv6 and perhaps should be given PI space to aid in general adoption. The argument being that these folks were early adopters of the original network and created the demand that we have today. We definitely need something like this for ipv6, something beyond just being a network infrastructure replacement or it'll be a very slow adoption rate. Anyway, your "proposal" is spot on, for me anyway. I'm currently playing with ipv6 (I am a s/w programmer) and I have two ipv6 networks via tunnel brokers but I would like to have a small bit (/48) of PI space. The tunnels are okay for connectivity but they have high latency (>200ms) and unsuitable for a number of things (I'm a VoIP programmer... having a chat with 200ms+ is not very pleasant). My ISP has no IPv6 yet but they've not seen any demand. I think if I, a current business customer they are routing for, asks to route my IPv6 PI block, it might make them think harder about their own deployment. (faced with losing existing business, if I should move my network to another ISP that offers v6). Are you going to write this up as a formal proposal? -lee J. R. Westmoreland wrote: > Let's try this again and send it to the whole list this time. > Sorry, Lee, for causing you to get a double copy. > > ---------------------------------------- > J. R. Westmoreland > Custom Computers & Consulting > Email: jr at jrw.org > > > >> -----Original Message----- >> From: J. R. Westmoreland [mailto:jr at jrw.org] >> Sent: Saturday, September 01, 2007 5:48 AM >> To: 'Lee Dilkie' >> Subject: RE: [ppml] Legacy /24s >> >> Mack, >> >> I, sinceI fall into your category, being a very small consulting >> company, would support your proposal whole heartedly. >> >> Maybe I'll go find the form, and using some of your good wording, see >> about making a proposal. I figure that it wouldn't start much more fuss >> than there already is. >> >> J. R. >> >> ---------------------------------------- >> J. R. Westmoreland >> Email: jr at jrw.org >> >> >>> -----Original Message----- >>> From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net] On Behalf >>> >> Of >> >>> Lee Dilkie >>> Sent: Friday, August 31, 2007 9:11 PM >>> To: mack >>> Cc: ppml at arin.net >>> Subject: Re: [ppml] Legacy /24s >>> >>> What? >>> >>> no restrictive RSA? >>> >>> no outrageous $100/yr scalper fee? >>> >>> no justification of usage? >>> >>> You're daft man! >>> >>> A common sense proposal like this has no place on ppml. >>> >>> {pardon my sarcasm, been here too long I guess. But being a /24 >>> >> legacy >> >>> holder in the same shoes as probably many, this would fit the bill >>> >> but >> >>> I >>> wouldn't hold my breath} >>> >>> -lee >>> >>> mack wrote: >>> >>>> I don't have the time to write it but I would support a >>>> proposal that gives legacy /24 holders a permanent IPv4 fee waiver, >>>> an efficient usage waiver so that they don't have to worry about >>>> >>> reclamation, >>> >>>> and allows assignment of an appropriate sized block of IPv6 if they >>>> start paying a fee after some specified date (ie. Jan 1, 2010) or >>>> >>> whenever >>> >>>> the regular IPv6 waiver expires if it is extended beyond this date. >>>> With the only contingency that the space be actively used in the >>>> >> DFZ >> >>>> or showing that the space is in use in a manner that cannot be >>>> >>> readily >>> >>>> replaced by 1918 space. >>>> >>>> I personally feel that the /24 space needs to be handled >>>> >> differently >> >>> than >>> >>>> the /16 and /8 space. >>>> >>>> 1) Because there are more of these than the others numerically. >>>> 2) Because there is no significant reclamation benefit if they are >>>> >>> being used. >>> >>>> 3) Most of these are individuals or small companies that don't have >>>> >>> significant resources. >>> >>>> The use contingency allows for private use in organizations that >>>> >> may >> >>> find >>> >>>> it difficult to convert to 1918 space. >>>> >>>> This would be neutral in overall effect. It cost them nothing >>>> >> unless >> >>> they want IPv6 space. >>> >>>> It will encourage adoption of IPv6 by these users. It will move a >>>> >>> significant number of >>> >>>> legacy blocks under a policy umbrella. >>>> >>>> This obviously would be for the 2008 timeframe. >>>> >>>> >>>> LR Mack McBride >>>> Network Administrator >>>> Alpha Red, Inc. >>>> _______________________________________________ >>>> PPML >>>> You are receiving this message because you are subscribed to the >>>> >> ARIN >> >>> Public Policy >>> >>>> Mailing List (PPML at arin.net). >>>> Unsubscribe or manage your mailing list subscription at: >>>> http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN >>>> >>> Member Services >>> >>>> Help Desk at info at arin.net if you experience any issues. >>>> >>>> >>> _______________________________________________ >>> PPML >>> You are receiving this message because you are subscribed to the ARIN >>> Public Policy >>> Mailing List (PPML at arin.net). >>> Unsubscribe or manage your mailing list subscription at: >>> http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN >>> Member Services >>> Help Desk at info at arin.net if you experience any issues. >>> > > > _______________________________________________ > PPML > You are receiving this message because you are subscribed to the ARIN Public Policy > Mailing List (PPML at arin.net). > Unsubscribe or manage your mailing list subscription at: > http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN Member Services > Help Desk at info at arin.net if you experience any issues. > From jr at jrw.org Sat Sep 1 08:48:28 2007 From: jr at jrw.org (J. R. Westmoreland) Date: Sat, 1 Sep 2007 06:48:28 -0600 Subject: [ppml] Legacy /24s In-Reply-To: <46D95CE5.5020807@Dilkie.com> References: <859D2283FD04CA44986CC058E06598F84B1D9AA7AC@exchange4.exchange.alphared.local> <46D8D83A.7020306@Dilkie.com> <000101c7ec8e$e9489df0$bbd9d9d0$@org> <46D95CE5.5020807@Dilkie.com> Message-ID: <000001c7ec96$67dfacb0$379f0610$@org> > -----Original Message----- > From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net] On Behalf Of > Lee Dilkie > Sent: Saturday, September 01, 2007 6:37 AM > To: 'ARIN Address Policy' > Subject: Re: [ppml] Legacy /24s > > The list might as well see my reply back... > > Hey Mack, > > I agree with you. I think I even proposed a very minor fee as well ($5 > is reasonable considering that all a legacy holder gets is an entry in > a > DB). > I'd even be willing to make that $10/year with the ability to purchase multiple years at one time. > I proposed something similar a few months ago, well, I "argued" that a > number of the legacy holders are interested in ipv6 and perhaps should > be given PI space to aid in general adoption. The argument being that > these folks were early adopters of the original network and created the > demand that we have today. We definitely need something like this for > ipv6, something beyond just being a network infrastructure replacement > or it'll be a very slow adoption rate. Agreed. > > Anyway, your "proposal" is spot on, for me anyway. I'm currently > playing > with ipv6 (I am a s/w programmer) and I have two ipv6 networks via > tunnel brokers but I would like to have a small bit (/48) of PI space. > The tunnels are okay for connectivity but they have high latency > (>200ms) and unsuitable for a number of things (I'm a VoIP > programmer... > having a chat with 200ms+ is not very pleasant). My ISP has no IPv6 yet > but they've not seen any demand. I think if I, a current business > customer they are routing for, asks to route my IPv6 PI block, it might > make them think harder about their own deployment. (faced with losing > existing business, if I should move my network to another ISP that > offers v6). > > Are you going to write this up as a formal proposal? I'm interested and would be willing to help or do the writing with some suggestions from both of you. > > -lee > > > > J. R. Westmoreland wrote: > > Let's try this again and send it to the whole list this time. > > Sorry, Lee, for causing you to get a double copy. > > > > ---------------------------------------- > > J. R. Westmoreland > > Custom Computers & Consulting > > Email: jr at jrw.org > > > > > > > >> -----Original Message----- > >> From: J. R. Westmoreland [mailto:jr at jrw.org] > >> Sent: Saturday, September 01, 2007 5:48 AM > >> To: 'Lee Dilkie' > >> Subject: RE: [ppml] Legacy /24s > >> > >> Mack, > >> > >> I, sinceI fall into your category, being a very small consulting > >> company, would support your proposal whole heartedly. > >> > >> Maybe I'll go find the form, and using some of your good wording, > see > >> about making a proposal. I figure that it wouldn't start much more > fuss > >> than there already is. > >> > >> J. R. > >> > >> ---------------------------------------- > >> J. R. Westmoreland > >> Email: jr at jrw.org > >> > >> > >>> -----Original Message----- > >>> From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net] On > Behalf > >>> > >> Of > >> > >>> Lee Dilkie > >>> Sent: Friday, August 31, 2007 9:11 PM > >>> To: mack > >>> Cc: ppml at arin.net > >>> Subject: Re: [ppml] Legacy /24s > >>> > >>> What? > >>> > >>> no restrictive RSA? > >>> > >>> no outrageous $100/yr scalper fee? > >>> > >>> no justification of usage? > >>> > >>> You're daft man! > >>> > >>> A common sense proposal like this has no place on ppml. > >>> > >>> {pardon my sarcasm, been here too long I guess. But being a /24 > >>> > >> legacy > >> > >>> holder in the same shoes as probably many, this would fit the bill > >>> > >> but > >> > >>> I > >>> wouldn't hold my breath} > >>> > >>> -lee > >>> > >>> mack wrote: > >>> > >>>> I don't have the time to write it but I would support a > >>>> proposal that gives legacy /24 holders a permanent IPv4 fee > waiver, > >>>> an efficient usage waiver so that they don't have to worry about > >>>> > >>> reclamation, > >>> > >>>> and allows assignment of an appropriate sized block of IPv6 if > they > >>>> start paying a fee after some specified date (ie. Jan 1, 2010) or > >>>> > >>> whenever > >>> > >>>> the regular IPv6 waiver expires if it is extended beyond this > date. > >>>> With the only contingency that the space be actively used in the > >>>> > >> DFZ > >> > >>>> or showing that the space is in use in a manner that cannot be > >>>> > >>> readily > >>> > >>>> replaced by 1918 space. > >>>> > >>>> I personally feel that the /24 space needs to be handled > >>>> > >> differently > >> > >>> than > >>> > >>>> the /16 and /8 space. > >>>> > >>>> 1) Because there are more of these than the others numerically. > >>>> 2) Because there is no significant reclamation benefit if they are > >>>> > >>> being used. > >>> > >>>> 3) Most of these are individuals or small companies that don't > have > >>>> > >>> significant resources. > >>> > >>>> The use contingency allows for private use in organizations that > >>>> > >> may > >> > >>> find > >>> > >>>> it difficult to convert to 1918 space. > >>>> > >>>> This would be neutral in overall effect. It cost them nothing > >>>> > >> unless > >> > >>> they want IPv6 space. > >>> > >>>> It will encourage adoption of IPv6 by these users. It will move a > >>>> > >>> significant number of > >>> > >>>> legacy blocks under a policy umbrella. > >>>> > >>>> This obviously would be for the 2008 timeframe. > >>>> > >>>> > >>>> LR Mack McBride > >>>> Network Administrator > >>>> Alpha Red, Inc. > >>>> _______________________________________________ > >>>> PPML > >>>> You are receiving this message because you are subscribed to the > >>>> > >> ARIN > >> > >>> Public Policy > >>> > >>>> Mailing List (PPML at arin.net). > >>>> Unsubscribe or manage your mailing list subscription at: > >>>> http://lists.arin.net/mailman/listinfo/ppml Please contact the > ARIN > >>>> > >>> Member Services > >>> > >>>> Help Desk at info at arin.net if you experience any issues. > >>>> > >>>> > >>> _______________________________________________ > >>> PPML > >>> You are receiving this message because you are subscribed to the > ARIN > >>> Public Policy > >>> Mailing List (PPML at arin.net). > >>> Unsubscribe or manage your mailing list subscription at: > >>> http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN > >>> Member Services > >>> Help Desk at info at arin.net if you experience any issues. > >>> > > > > > > _______________________________________________ > > PPML > > You are receiving this message because you are subscribed to the ARIN > Public Policy > > Mailing List (PPML at arin.net). > > Unsubscribe or manage your mailing list subscription at: > > http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN > Member Services > > Help Desk at info at arin.net if you experience any issues. > > > _______________________________________________ > PPML > You are receiving this message because you are subscribed to the ARIN > Public Policy > Mailing List (PPML at arin.net). > Unsubscribe or manage your mailing list subscription at: > http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN > Member Services > Help Desk at info at arin.net if you experience any issues. From paul at vix.com Sat Sep 1 10:36:46 2007 From: paul at vix.com (Paul Vixie) Date: Sat, 01 Sep 2007 14:36:46 +0000 Subject: [ppml] Legacy /24s In-Reply-To: Your message of "Sat, 01 Sep 2007 05:54:49 CST." <000101c7ec8e$e9489df0$bbd9d9d0$@org> References: <859D2283FD04CA44986CC058E06598F84B1D9AA7AC@exchange4.exchange.alphared.local> <46D8D83A.7020306@Dilkie.com> <000101c7ec8e$e9489df0$bbd9d9d0$@org> Message-ID: <8582.1188657406@sa.vix.com> > > I, since I fall into your category, being a very small consulting > > company, would support your proposal whole heartedly. > > ... > > J. R. 192.5.5.0/24 was once held by a small consulting company. if that were still the case, i would not feel that that consulting company's ability to multihome was worth a slot in every routing table on every router on the internet, given how globally expensive that has turned out to be. (the block was later used for a root name server, and then, later, given into the control of a 501(c)(3) nonprofit who operates that server, and for that, i think the community of router owners would say it's worth a routing slot... i'm just saying if that hadn't happened, i'd've stopped using the space by now, on a "think globally, act locally" basis.) From bicknell at ufp.org Sat Sep 1 10:45:53 2007 From: bicknell at ufp.org (Leo Bicknell) Date: Sat, 1 Sep 2007 10:45:53 -0400 Subject: [ppml] Legacy /24s In-Reply-To: <859D2283FD04CA44986CC058E06598F84B1D9AA7AC@exchange4.exchange.alphared.local> References: <859D2283FD04CA44986CC058E06598F84B1D9AA7AC@exchange4.exchange.alphared.local> Message-ID: <20070901144553.GA494@ussenterprise.ufp.org> In a message written on Fri, Aug 31, 2007 at 03:03:08PM -0500, mack wrote: > 3) Most of these are individuals or small companies that don't have significant resources. So individuals and small businesses should be allowed to eat up routing slots in tens of thousands of routers worldwide collectively costing ISP's millions of dollars in capital, if and only if they were smart enough to get an "early" IPv4 allocation? What about the billions of other individuals and millions of other businesses in the world? Why do they not qualify for such special treatment? -- Leo Bicknell - bicknell at ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - tmbg-list-request at tmbg.org, www.tmbg.org -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available URL: From andrew.dul at quark.net Sat Sep 1 12:32:46 2007 From: andrew.dul at quark.net (Andrew Dul) Date: Sat, 01 Sep 2007 09:32:46 -0700 Subject: [ppml] Policy Proposal 2007-15: Authentication ofLegacyResources - version 1.1 In-Reply-To: <59bca099a787ac5b0479b5655fda49b446d88cd4@jcc.com> Message-ID: <20070901163246.CB53B1446B8@smtp2.arin.net> At 05:47 PM 8/31/2007 -0400, Keith W. Hare wrote: > > >> -----Original Message----- >> From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net] On >> Behalf Of Scott Leibrand >> Sent: Friday, August 31, 2007 4:54 PM >> To: David Conrad >> Cc: Public Policy Mailing List >> Subject: Re: [ppml] Policy Proposal 2007-15: Authentication >> of Legacy Resources - version 1.1 >> >> David Conrad wrote: >> > On Aug 31, 2007, at 10:20 AM, Member Services wrote: >> > >> >> 1. Policy Proposal Name: Authentication of Legacy Resources >> >> No changes shall be made to legacy resource records which are not >> >> covered by a registration services agreement after >> December 31, 2007. >> >> >> > >> > I suspect that refusal to update registration information >> will likely >> > not be very popular with folks trying to fight spam, >> phishing, fraud, >> > etc. It could also have the effect of spurring the >> establishment of >> > alternative registries that maintain "accurate" information. >> >> Is requiring registrants to sign a contract that codifies >> their rights >> and responsibilities "refusal"? I don't see the requirements >> here as at >> all onerous, and wouldn't see alternate registries as viable. As an >> ISP, if a customer asked me to route space based on the >> information in >> some alternate registry because they were unwilling to sign >> an RSA and >> pay ARIN $100/year, I would consider that suspicious enough to have >> another abuse scrub run on the customer, and refuse to route >> the space. > >By the time the RSA for legacy resource holders is available, and ARIN >starts an outreach to legacy resoure holders, it is going to be >December, 2007. > >How about saying "No changes shall be made to legacy resource records >which are not covered by a registration services agreement after >December 31, 2008." If the date of implementation is a stumbling block, then it certainly can be changed to accomodate the consensus of the community. Andrew From jr at jrw.org Sat Sep 1 12:35:30 2007 From: jr at jrw.org (J. R. Westmoreland) Date: Sat, 1 Sep 2007 10:35:30 -0600 Subject: [ppml] FW: Legacy /24s Message-ID: <000d01c7ecb6$1f547460$5dfd5d20$@org> ---------------------------------------- J. R. Westmoreland Email: jr at jrw.org > -----Original Message----- > From: J. R. Westmoreland [mailto:jr at jrw.org] > Sent: Saturday, September 01, 2007 10:32 AM > To: 'Leo Bicknell' > Subject: RE: [ppml] Legacy /24s > > So, this is not for the users but only for the ISPs and their money > investments? > If we want to go back to it maybe small people should band together > with the BIG legacy holders and really have a good time. > > ---------------------------------------- > J. R. Westmoreland > Email: jr at jrw.org > > > > -----Original Message----- > > From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net] On Behalf > Of > > Leo Bicknell > > Sent: Saturday, September 01, 2007 8:46 AM > > To: ppml at arin.net > > Subject: Re: [ppml] Legacy /24s > > > > In a message written on Fri, Aug 31, 2007 at 03:03:08PM -0500, mack > > wrote: > > > 3) Most of these are individuals or small companies that don't have > > significant resources. > > > > So individuals and small businesses should be allowed to eat up > routing > > slots in tens of thousands of routers worldwide collectively costing > > ISP's millions of dollars in capital, if and only if they were smart > > enough to get an "early" IPv4 allocation? > > > > What about the billions of other individuals and millions of other > > businesses in the world? Why do they not qualify for such special > > treatment? > > > > -- > > Leo Bicknell - bicknell at ufp.org - CCIE 3440 > > PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - > > tmbg-list-request at tmbg.org, www.tmbg.org From jr at jrw.org Sat Sep 1 12:35:39 2007 From: jr at jrw.org (J. R. Westmoreland) Date: Sat, 1 Sep 2007 10:35:39 -0600 Subject: [ppml] FW: Legacy /24s Message-ID: <000e01c7ecb6$24d7e480$6e87ad80$@org> ---------------------------------------- J. R. Westmoreland Email: jr at jrw.org > -----Original Message----- > From: J. R. Westmoreland [mailto:jr at jrw.org] > Sent: Saturday, September 01, 2007 10:33 AM > To: 'Paul Vixie' > Subject: RE: [ppml] Legacy /24s > > That is silly. We are talking about ONE group and not MANY. The item is > not even close to being the same. > > ---------------------------------------- > J. R. Westmoreland > Email: jr at jrw.org > > > > -----Original Message----- > > From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net] On Behalf > Of > > Paul Vixie > > Sent: Saturday, September 01, 2007 8:37 AM > > To: 'ARIN Address Policy' > > Subject: Re: [ppml] Legacy /24s > > > > > > I, since I fall into your category, being a very small consulting > > > > company, would support your proposal whole heartedly. > > > > ... > > > > J. R. > > > > 192.5.5.0/24 was once held by a small consulting company. if that > were > > still the case, i would not feel that that consulting company's > ability > > to multihome was worth a slot in every routing table on every router > on > > the internet, given how globally expensive that has turned out to be. > > > > (the block was later used for a root name server, and then, later, > > given > > into the control of a 501(c)(3) nonprofit who operates that server, > and > > for that, i think the community of router owners would say it's worth > a > > routing slot... i'm just saying if that hadn't happened, i'd've > stopped > > using the space by now, on a "think globally, act locally" basis.) > > _______________________________________________ > > PPML > > You are receiving this message because you are subscribed to the ARIN > > Public Policy > > Mailing List (PPML at arin.net). > > Unsubscribe or manage your mailing list subscription at: > > http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN > > Member Services > > Help Desk at info at arin.net if you experience any issues. From briand at ca.afilias.info Sat Sep 1 13:26:42 2007 From: briand at ca.afilias.info (briand at ca.afilias.info) Date: Sat, 1 Sep 2007 13:26:42 -0400 (EDT) Subject: [ppml] Legacy /24s In-Reply-To: <859D2283FD04CA44986CC058E06598F84B1D9AA7AC@exchange4.exchange.alphare d.local> References: <859D2283FD04CA44986CC058E06598F84B1D9AA7AC@exchange4.exchange.alphared.local> Message-ID: <63408.74.122.168.81.1188667602.squirrel@look.libertyrms.com> > I don't have the time to write it but I would support a > proposal that gives legacy /24 holders a permanent IPv4 fee waiver, > an efficient usage waiver so that they don't have to worry about > reclamation, I agree that reclamation on IPv4 is truly orthogonal to the deployment of IPv6. IPv6 will be necessary to support new allocations beyond 2010, and we need to remove as many barriers to IPv6 deployment as we can. There is little or no benefit to reclamation of IPv4 swamp space. Much more benefit could be achieved by placing pressure on operators who deaggregate, to stop doing so - and I would encourage adoption of any such policy, e.g. requiring fees per globally announced prefix, regardless of whether it is covered by another prefix. > With the only contingency that the space be actively used in the DFZ > or showing that the space is in use in a manner that cannot be readily > replaced by 1918 space. The ideas being circulated relating to the DFZ, that have widespread support, are those that avoid polluting it with large numbers of prefixes, where the prefixes in question could/should be aggregated. To wit: if any current IPv4 prefix is single-homed, but not aggregateable, the most likely reason is that it was assigned pre-CIDR. Post-CIDR, the assignment would/should have been made from an LIR/ISP, from a PA block. We want to drain the swamp, not move it whole-hog (us who like the idea of an IPv6 DFZ that scales to global use and lasts more than a year.) So, if we change the wording to: "... cannot be readily replaced by PA space.". This would need to be emphasized by adding the additional requirement that the policy would apply only to prefixes, where the requester operates an active AS in IPv4 or IPv6, originating one or more prefixes registered to them (or assigned to them via legacy assignment(s)). This keeps the number of PI prefixes in par with the number of ASNs, while bringing legacy /24's into the RSA fold. > > I personally feel that the /24 space needs to be handled differently than > the /16 and /8 space. Agreed. > This obviously would be for the 2008 timeframe. I think that it would be suitable for immediate implementation, actually. Brian Dickson From arin-contact at dirtside.com Sat Sep 1 14:40:25 2007 From: arin-contact at dirtside.com (William Herrin) Date: Sat, 1 Sep 2007 14:40:25 -0400 Subject: [ppml] Legacy /24s In-Reply-To: <20070901144553.GA494@ussenterprise.ufp.org> References: <859D2283FD04CA44986CC058E06598F84B1D9AA7AC@exchange4.exchange.alphared.local> <20070901144553.GA494@ussenterprise.ufp.org> Message-ID: <3c3e3fca0709011140h3cf98b99teed4982f4d01be3b@mail.gmail.com> On 9/1/07, Leo Bicknell wrote: > So individuals and small businesses should be allowed to eat up > routing slots in tens of thousands of routers worldwide collectively > costing ISP's millions of dollars in capital, if and only if they > were smart enough to get an "early" IPv4 allocation? Leo, Lets put some numbers to this so that we're arguing facts rather than opinions. There are 233,000 IPv4 routes and a little under 1000 IPv6 routes in the default-free zone (DFZ) today. 10%-30% of the routers in the DFZ today have a hard limit between 244,000 and 260,000 IPv4 routes or half that number of IPv6 routes. When the limit is reached within the next few months, those routers will experience various degrees of falling over dead. Upgrading these routers to accomodate 1M IPv4 or 500k IPv6 routes will cost $30,000-$150,000 each. In the more general case, these routers have to be upgraded every 3-5 years. The number of routes and ASes in the DFZ implies that there are somewhere between 200,000 and 300,000 routers in the DFZ. Lets start with the low numbers. If its $30k to put 233k routes in the DFZ then each route in each router costs around 13 cents. Times 200k routers offers an aggregate worldwide cost of $26,000 to announce an IPv4 route. The IPv6 routes consume twice the capacity in the router, so that means the worldwide cost of announcing an IPv6 prefix is $52,000. On a 3-year upgrade cycle that's an annual attributable cost of $17,300 per prefix. Lets try the high numbers. $150k to handle 500,000 IPv6 routes = 30 cents per route. Times 300k routers = $90l. Divide by a 5 year upgrade cycle = an annual attributable cost of $18,000 per prefix. While this is not a thorough cost analysis, its reasonable for ballparking. I can say with an acceptable degree of confidence that the worldwide attributable cost of announcing one IPv6 prefix is between $17k and $18k per year. So, with any proposal to expand the availability of IPv6 PI, the question that should be asked is: "Does the proposed use in the expansion justify asking the rest of the world to pay $17k?" My opinion is that in the case of a multihomed content provider, the answer is yes. Why should he receive poor treatment in IPv6 merely because his mechanism for providing content was efficient enough to require only a few IP addresses? If you're willing to pay the prices that the network operators require to be mulithomed (whatever that happens to be) then you should be eligible for the necessary IPv6 PI assignment. That's just how the Internet functions and the $17k is a cost of doing business. In the case of single-homed folks who just want to avoid renumbering hassles, I think you'd need an awfully large number of computers before the renumbering hassle adds up to $17k/yr. Many many computers. As for the folks who want to weasel out of the $100/yr annual maintenance fee for an IPv6 PI assignment, I would ask why anyone should take your request seriously when you're simultaneously asking the rest of the world to spend $17,000/yr on your behalf. Regards, Bill Herrin -- William D. Herrin herrin at dirtside.com bill at herrin.us 3005 Crane Dr. Web: Falls Church, VA 22042-3004 From JOHN at egh.com Sat Sep 1 16:56:02 2007 From: JOHN at egh.com (John Santos) Date: Sat, 1 Sep 2007 16:56:02 -0400 Subject: [ppml] Legacy /24s In-Reply-To: <20070901144553.GA494@ussenterprise.ufp.org> Message-ID: <1070901165207.964D-100000@Ives.egh.com> I would like to point out for the millionth time that having PI space and taking up a routing slot are *NOT* the same thing. There are many legitimate uses of globally unique address space that don't require routing in the DFZ. (For example private internets either on leased circuits or via VPN tunnels over the public Internet.) -- John Santos Evans Griffiths & Hart, Inc. 781-861-0670 ext 539 From paul at vix.com Sat Sep 1 17:05:29 2007 From: paul at vix.com (Paul Vixie) Date: Sat, 01 Sep 2007 21:05:29 +0000 Subject: [ppml] Legacy /24s In-Reply-To: Your message of "Sat, 01 Sep 2007 13:26:42 -0400." <63408.74.122.168.81.1188667602.squirrel@look.libertyrms.com> References: <859D2283FD04CA44986CC058E06598F84B1D9AA7AC@exchange4.exchange.alphared.local> <63408.74.122.168.81.1188667602.squirrel@look.libertyrms.com> Message-ID: <93195.1188680729@sa.vix.com> > There is little or no benefit to reclamation of IPv4 swamp space. well, the space itself has no reassignment value, so this is mostly true. but every reclaimation that removes a swamp route from the DFZ has "some benefit". From paul at vix.com Sat Sep 1 17:10:03 2007 From: paul at vix.com (Paul Vixie) Date: Sat, 01 Sep 2007 21:10:03 +0000 Subject: [ppml] Legacy /24s In-Reply-To: Your message of "Sat, 01 Sep 2007 16:56:02 -0400." <1070901165207.964D-100000@Ives.egh.com> References: <1070901165207.964D-100000@Ives.egh.com> Message-ID: <93792.1188681003@sa.vix.com> > I would like to point out for the millionth time that having PI > space and taking up a routing slot are *NOT* the same thing. > > There are many legitimate uses of globally unique address space > that don't require routing in the DFZ. (For example private > internets either on leased circuits or via VPN tunnels over > the public Internet.) while i agree with this, the cause it represents is hopeless. the IETF intelligensia has killed, at least for now and probably forever, any hope of globally unrouteable unique address space. if ARIN or the RIR community want to add this feature, it'll have to be done regionally and bottomly-uply. if we get an RPKI then perhaps routability could be a routing object attribute, or something like that. "unroutable PI" could be a huge relief to a lot of people. but right now, with no way to enforce it, the policy development process has to assume that all PI will be routed, and so, the policies disfavour PI. i called this "the tyranny of the DFZ" in one particularly-harshly-worded missive on the topic. From Lee at Dilkie.com Sat Sep 1 17:34:58 2007 From: Lee at Dilkie.com (Lee Dilkie) Date: Sat, 01 Sep 2007 17:34:58 -0400 Subject: [ppml] Legacy /24s In-Reply-To: <3c3e3fca0709011140h3cf98b99teed4982f4d01be3b@mail.gmail.com> References: <859D2283FD04CA44986CC058E06598F84B1D9AA7AC@exchange4.exchange.alphared.local> <20070901144553.GA494@ussenterprise.ufp.org> <3c3e3fca0709011140h3cf98b99teed4982f4d01be3b@mail.gmail.com> Message-ID: <46D9DB02.7070509@Dilkie.com> William Herrin wrote: > ... > As for the folks who want to weasel out of the $100/yr annual > maintenance fee for an IPv6 PI assignment, I would ask why anyone > should take your request seriously when you're simultaneously asking > the rest of the world to spend $17,000/yr on your behalf. > Interesting argument. However, the cost isn't borne by the network operators, it's passed down to the end users (like me) and we all pay our share to cover that. But thank you Bill, for again for reinforcing the need for me to keep my mouth shut. I really did see this coming. From jcurran at istaff.org Sat Sep 1 18:58:07 2007 From: jcurran at istaff.org (John Curran) Date: Sat, 1 Sep 2007 18:58:07 -0400 Subject: [ppml] Legacy /24s In-Reply-To: <3c3e3fca0709011140h3cf98b99teed4982f4d01be3b@mail.gmail.com> References: <859D2283FD04CA44986CC058E06598F84B1D9AA7AC@exchange4.exchange.alphared.lo cal> <20070901144553.GA494@ussenterprise.ufp.org> <3c3e3fca0709011140h3cf98b99teed4982f4d01be3b@mail.gmail.com> Message-ID: At 2:40 PM -0400 9/1/07, William Herrin wrote: >Lets put some numbers to this so that we're arguing facts rather than opinions. Nice analysis, by the way... One comment, see below. >... >The number of routes and ASes in the DFZ implies that there are >somewhere between 200,000 and 300,000 routers in the DFZ. Hmm. Could you expand on this part of the calculation? I know lots of backbones operating in the default-free zone, and can take an estimate at number of routers each, but I'm not certain that the product gets us to 200000 routers. Also, there are often IGP routers which don't participate in global routing but have the entry purely for internal traffic engineering... Is it fair to reflect the cost of upgrading such routers onto the cost for a global routing entry? /John From sleibrand at internap.com Sat Sep 1 19:18:53 2007 From: sleibrand at internap.com (Scott Leibrand) Date: Sat, 01 Sep 2007 16:18:53 -0700 Subject: [ppml] Policy Proposal 2007-15: Authentication of Legacy Resources - version 1.1 In-Reply-To: <933be923a2dcb358a88b584c6b12359f46d8e956@jcc.com> References: <933be923a2dcb358a88b584c6b12359f46d8e956@jcc.com> Message-ID: <46D9F35D.6030802@internap.com> Keith W. Hare wrote: > > That's not what the policy says. It says "No changes shall be made to > legacy resource records which are not covered by a registration services > agreement after December 31, 2007." > > So, the RSA is ready on January 1, 2008, but legacy resource holders > can't update stuff that is not covered by the RSA after December 31, > 2007? There is not a year there. > My apologies, you're correct. I misread the policy to read the way I thought it should, not the way it's written. > I would be happier if the year you claim is the intent were actually in > the proposed policy. I would support a further revision to 2007-15 to provide a grace period (such as 1 year) between availability of a Legacy Resource Record Holder RSA and the requirement of being covered by such an RSA before making changes to records. > I would be even happier to leave the sentence out > entirely. > And I wouldn't oppose that. > Why do we need a stick today for the legacy address holders who have not > responded to the invitation that has not yet been issued? > I don't think we need to invoke the stick before putting out the formal invitation. I suspect we'll need the stick eventually. If we choose not to require the RSA initially, I think we need to get a report from ARIN staff after a certain amount of time (6 months or so maybe) on the adoption rate of the new RSA, and discuss requirements at that point. -Scott From arin-contact at dirtside.com Sat Sep 1 21:01:08 2007 From: arin-contact at dirtside.com (William Herrin) Date: Sat, 1 Sep 2007 21:01:08 -0400 Subject: [ppml] Legacy /24s In-Reply-To: References: <20070901144553.GA494@ussenterprise.ufp.org> <3c3e3fca0709011140h3cf98b99teed4982f4d01be3b@mail.gmail.com> Message-ID: <3c3e3fca0709011801oc9c7acbm5518e4f81cd89ead@mail.gmail.com> On 9/1/07, John Curran wrote: > At 2:40 PM -0400 9/1/07, William Herrin wrote: > >The number of routes and ASes in the DFZ implies that there are > >somewhere between 200,000 and 300,000 routers in the DFZ. > > Hmm. Could you expand on this part of the calculation? John, Its purely a SWAG. There are a little under 30k AS's announcing around 233k IPv4 routes. In the operations I've been involved in, the organization usually originated about as many DFZ routes as it had routers that took a full BGP feed. Sometimes a little more, sometimes a little less. If you have a more solid estimate, lets roll with it and re-run the numbers. I'd be very surprised if it got us below 100k routers or changed the point that its wildly expensive to announce a prefix into the DFZ. Regards, Bill Herrin -- William D. Herrin herrin at dirtside.com bill at herrin.us 3005 Crane Dr. Web: Falls Church, VA 22042-3004 From arin-contact at dirtside.com Sat Sep 1 21:20:37 2007 From: arin-contact at dirtside.com (William Herrin) Date: Sat, 1 Sep 2007 21:20:37 -0400 Subject: [ppml] Legacy /24s In-Reply-To: <1070901165207.964D-100000@Ives.egh.com> References: <20070901144553.GA494@ussenterprise.ufp.org> <1070901165207.964D-100000@Ives.egh.com> Message-ID: <3c3e3fca0709011820m736ab56ata444f2368294735d@mail.gmail.com> On 9/1/07, John Santos wrote: > I would like to point out for the millionth time that having PI > space and taking up a routing slot are *NOT* the same thing. > > There are many legitimate uses of globally unique address space > that don't require routing in the DFZ. (For example private > internets either on leased circuits or via VPN tunnels over > the public Internet.) John, The solution to this is staring you in the face. We have great gobs of unroutable / semi-routable IPv6 space within the 6to4 spec. If you already have unrouted IPv4 space, why not use the corresponding unrouted 6to4 space for your non-DFZ tasks? Each /24 of IPv4 space maps to a /40 of IPv6 space or 24M subnets. Regards, Bill Herrin -- William D. Herrin herrin at dirtside.com bill at herrin.us 3005 Crane Dr. Web: Falls Church, VA 22042-3004 From bicknell at ufp.org Sat Sep 1 21:23:34 2007 From: bicknell at ufp.org (Leo Bicknell) Date: Sat, 1 Sep 2007 21:23:34 -0400 Subject: [ppml] Legacy /24s In-Reply-To: <1070901165207.964D-100000@Ives.egh.com> References: <20070901144553.GA494@ussenterprise.ufp.org> <1070901165207.964D-100000@Ives.egh.com> Message-ID: <20070902012334.GA31369@ussenterprise.ufp.org> In a message written on Sat, Sep 01, 2007 at 04:56:02PM -0400, John Santos wrote: > I would like to point out for the millionth time that having PI > space and taking up a routing slot are *NOT* the same thing. > > There are many legitimate uses of globally unique address space > that don't require routing in the DFZ. (For example private > internets either on leased circuits or via VPN tunnels over > the public Internet.) I agree, however from the post that started this thread: > With the only contingency that the space be actively used in the DFZ > or showing that the space is in use in a manner that cannot be readily > replaced by 1918 space. So this proposal explicitly excluded the case you're referring to from the start. -- Leo Bicknell - bicknell at ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - tmbg-list-request at tmbg.org, www.tmbg.org -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available URL: From bicknell at ufp.org Sat Sep 1 21:40:03 2007 From: bicknell at ufp.org (Leo Bicknell) Date: Sat, 1 Sep 2007 21:40:03 -0400 Subject: [ppml] Legacy /24s In-Reply-To: <3c3e3fca0709011140h3cf98b99teed4982f4d01be3b@mail.gmail.com> References: <859D2283FD04CA44986CC058E06598F84B1D9AA7AC@exchange4.exchange.alphared.local> <20070901144553.GA494@ussenterprise.ufp.org> <3c3e3fca0709011140h3cf98b99teed4982f4d01be3b@mail.gmail.com> Message-ID: <20070902014003.GB31369@ussenterprise.ufp.org> In a message written on Sat, Sep 01, 2007 at 02:40:25PM -0400, William Herrin wrote: > 10%-30% of the routers in the DFZ today have a hard limit between > 244,000 and 260,000 IPv4 routes or half that number of IPv6 routes. > When the limit is reached within the next few months, those routers > will experience various degrees of falling over dead. Upgrading these > routers to accomodate 1M IPv4 or 500k IPv6 routes will cost > $30,000-$150,000 each. You've nicely bounded the problem of upgrading Sup2+MSFC boxes to Sup720 boxes. (I'm guessing, because I've seen you talking about the problem on the nanog mailing list and all the numbers fit.) On the flip side, there are a lot of M40, 7513, 12008 and the list goes on boxes that either have no direct upgrade path, or the upgrade path is so costly and painful that replacing the box in total is the only option. In many cases the replacement cost includes upgrades (some of which you want, some of which you don't), and can easily be in the range of $500,000-$2,000,000 per box. Your numbers also only account for the hardware cost. Particularly in the case of a forklift upgrade you're talking about a significant amount of engineer time, and on-site time at what may not be manned pops. You also do not account for customer credits and/or losses attributed to the down time of upgrading. In short, I'm afraid your estimate is WAY low on cost per device. > The number of routes and ASes in the DFZ implies that there are > somewhere between 200,000 and 300,000 routers in the DFZ. I can't come up with anyway to estimate, but my gut tells me this is a little high. > Lets try the high numbers. $150k to handle 500,000 IPv6 routes = 30 > cents per route. Times 300k routers = $90l. Divide by a 5 year upgrade > cycle = an annual attributable cost of $18,000 per prefix. Ok, so, we keep talking about a 50-100 year lifetime for IPv6. Using your numbers, assuming it's a one time cost, and there's no inflation means if ARIN makes an allocation it will cost $900,000 to $5,000,000. If there are 10,000 swamp routes that would qualify we're talking about $9,000,000,000 to $50,000,000,000. That's 9 billion to 50 billion dollars, over the lifetime of IPv6. So individuals and small businesses who jumped on IPv4 early can continue to reap the same benefits. IPv6 was supposed to be different. The concept is rooted in really good principals. Unfortunately the execution has been lacking. > As for the folks who want to weasel out of the $100/yr annual > maintenance fee for an IPv6 PI assignment, I would ask why anyone > should take your request seriously when you're simultaneously asking > the rest of the world to spend $17,000/yr on your behalf. Excellent point. I personally believe if $100 a year is an issue for you that's a sign you should not have your own block, for the economic reasons above. -- Leo Bicknell - bicknell at ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - tmbg-list-request at tmbg.org, www.tmbg.org -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available URL: From Keith at jcc.com Sat Sep 1 23:36:35 2007 From: Keith at jcc.com (Keith W. Hare) Date: Sat, 1 Sep 2007 23:36:35 -0400 Subject: [ppml] Legacy /24s Message-ID: <49acf4a61c88ad505f77404265e260e546da2fc6@jcc.com> > -----Original Message----- > From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net] On > Behalf Of William Herrin > Sent: Saturday, September 01, 2007 2:40 PM > To: ppml at arin.net > Subject: Re: [ppml] Legacy /24s > >... > In the case of single-homed folks who just want to avoid > renumbering hassles, I think you'd need an awfully large > number of computers before the renumbering hassle adds up to > $17k/yr. Many many computers. > Nope. All you really need is a small number of computers, several firewalls, and a requirement that you have to comply with a security and security auditing specification, such as the payment card industry (PCI) specification. Part of the cost would be renumbering, part would be revising the rules in the firewalls, intrusion detection system, etc. A big part would be in re-auditing the information security configuration. And the cost of making a mistake on the security configurations is about $10 per exposed credit card number for a year's subscription to a credit report watch service, not to mention the cost of making the front page of the newspapers and computer trade press. Keith ______________________________________________________________ Keith W. Hare JCC Consulting, Inc. keith at jcc.com 600 Newark Road Phone: 740-587-0157 P.O. Box 381 Fax: 740-587-0163 Granville, Ohio 43023 http://www.jcc.com USA ______________________________________________________________ From michel at arneill-py.sacramento.ca.us Sun Sep 2 00:08:29 2007 From: michel at arneill-py.sacramento.ca.us (Michel Py) Date: Sat, 1 Sep 2007 21:08:29 -0700 Subject: [ppml] IPv6 flawed? In-Reply-To: References: <200708311233.l7VCXYBj005107@cjbsys.bdb.com><82435.1188567258@sa.vix.com><6F089EC1-589B-4192-AE7E-9DAC2BE6ACC4@virtualized.org> Message-ID: > David Conrad wrote: > I'm beginning to believe that IPv6 as it exists is so flawed and > the business/economic/political factors are such that in the end, > [...] Please do not confuse IPv6 with the business/economic/political factors. The protocol suite itself, while certainly not perfect, is not what I call flawed. Yes, there are many things associated with it that are indeed flawed, but not IPv6 itself. There are several technical aspects that I do not agree with, or would not have designed the same way though. The main issues associated with IPv6 are: - It was designed as a protocol (with heavy input from protocol purity zealots), not as a product. Very large numbers within the IETF crowd is outright stupid about economic issues. They still live in an ivory tower where (for example) Unix and MacIntosh are the only acceptable ways, while the rest of the world is running windblows from the evil empire. - It never delivered initial promises, such as aggregation (the "8K DFZ"). In their great wisdom, the IETF pushed the protocol out with the promise that they will deliver the missing features (such as multihoming and effortless renumbering) later. Problem, nobody figured it out. - As it turned out down the road, the multiple-addresses-per-host are too much of an administrative overhead. So we're in a situation where the only remaining real reason to upgrade to IPv6 is IPv4 address space exhaustion, while IPv6 still does not have hugely popular features such as NAT and no equivalent either. Technically, I consider NAT more flawed than IPv6. Nevertheless, NAT has addressed market needs, while IPv6 is a solution without a market. Michel. From arin-contact at dirtside.com Sun Sep 2 00:29:31 2007 From: arin-contact at dirtside.com (William Herrin) Date: Sun, 2 Sep 2007 00:29:31 -0400 Subject: [ppml] Legacy /24s In-Reply-To: <20070902014003.GB31369@ussenterprise.ufp.org> References: <859D2283FD04CA44986CC058E06598F84B1D9AA7AC@exchange4.exchange.alphared.local> <20070901144553.GA494@ussenterprise.ufp.org> <3c3e3fca0709011140h3cf98b99teed4982f4d01be3b@mail.gmail.com> <20070902014003.GB31369@ussenterprise.ufp.org> Message-ID: <3c3e3fca0709012129j2488d83fv9895236f75284deb@mail.gmail.com> On 9/1/07, Leo Bicknell wrote: > In a message written on Sat, Sep 01, 2007 at 02:40:25PM -0400, William Herrin wrote: > > 10%-30% of the routers in the DFZ today have a hard limit between > > 244,000 and 260,000 IPv4 routes or half that number of IPv6 routes. > > You've nicely bounded the problem of upgrading Sup2+MSFC boxes to > Sup720 boxes. (I'm guessing, because I've seen you talking about > the problem on the nanog mailing list and all the numbers fit.) That includes most of the Sup720 boxes too; they're bounded at 260k. In the 6500/7600 product line, only the Sup720-3BXL and RSP720-3CXL accommodate more than 260k routes. And as you point out there are no in-place upgrades for the remaining 7200 and 7500 routers. > upgrades (some of which you want, some of which you don't), and can > easily be in the range of $500,000-$2,000,000 per box. Relatively speaking, there are few routers in the DFZ whose street price exceeds $150k. More, once you're past $150k the major cost driver is traffic capacity rather than route capacity. > Your numbers also only account for the hardware cost. [...] > In short, I'm afraid your estimate is WAY low on cost per device. They don't account for the electricity cost for running the power-hungry TCAMs and the required air conditioning capacity either. Nor do they exclude the cost attribution associated with the routers' traffic capacity and age-related upgrades rather than route capacity. Like I said, its not a thorough analysis. I selected only the most significant factors in order to produce a ballpark figure. > > The number of routes and ASes in the DFZ implies that there are > > somewhere between 200,000 and 300,000 routers in the DFZ. > > I can't come up with anyway to estimate, but my gut tells me this is a > little high. Could be. I'm open to better grounded numbers than the ones I offered. > Ok, so, we keep talking about a 50-100 year lifetime for IPv6. > Using your numbers, assuming it's a one time cost, and there's no > inflation means if ARIN makes an allocation it will cost $900,000 > to $5,000,000. You really can't project a lifetime cost that way. For one thing, the cost of one route in one router is falling faster than the number of routers in the DFZ is growing. For another, there are a variety of proposals on RRG which on a 5-year horizon would adjust routing technology in a way that radically alters the cost structure associated with PI space. The more PI space there is, the higher the probability of one of these technologies being adopted. You can only really project the annual cost for the next few years with any degree of accuracy. > IPv6 was supposed to be different. The concept is rooted in really > good principals. Unfortunately the execution has been lacking. I pulled out and leafed through my old "Internet Protocol Next Generation" book from 1997. Do you realize just how few of the design goals have panned out operationally? Its appalling. Regards, Bill Herrin -- William D. Herrin herrin at dirtside.com bill at herrin.us 3005 Crane Dr. Web: Falls Church, VA 22042-3004 From paul at vix.com Sun Sep 2 00:37:12 2007 From: paul at vix.com (Paul Vixie) Date: Sun, 02 Sep 2007 04:37:12 +0000 Subject: [ppml] IPv6 flawed? In-Reply-To: Your message of "Sat, 01 Sep 2007 21:08:29 MST." References: <200708311233.l7VCXYBj005107@cjbsys.bdb.com><82435.1188567258@sa.vix.com><6F089EC1-589B-4192-AE7E-9DAC2BE6ACC4@virtualized.org>

Message-ID: <1712.1188707832@sa.vix.com> > - It never delivered initial promises, such as aggregation (the "8K > DFZ"). In their great wisdom, the IETF pushed the protocol out with the > promise that they will deliver the missing features (such as multihoming > and effortless renumbering) later. agreed. > Problem, nobody figured it out. disagreed. see A6, DNAME, bitstring labels, and 8+8. i've learned a lot about the ietf intelligensia over the years, starting with those losses. we would actually be in a comparatively good position if only our tools could be made by the lowest bidders. what you said (not quoted here) about purity, could be said louder. > - As it turned out down the road, the multiple-addresses-per-host are > too much of an administrative overhead. the thing i keep asking is, where was the per-address default route for inbound, and where was the LCR hook for outbound? without those, simply adding multiple subnets to a LAN and hoping hosts would figure it out was just vaporware. (note well: A6/DNAME/bitstrings didn't have solutions to those problems, either.) > So we're in a situation where the only remaining real reason to upgrade > to IPv6 is IPv4 address space exhaustion, while IPv6 still does not have > hugely popular features such as NAT and no equivalent either. > > Technically, I consider NAT more flawed than IPv6. Nevertheless, NAT has > addressed market needs, while IPv6 is a solution without a market. with respect to the oft-quoted axiom that if pigs had wings they could fly, i remember telling a lot of people (who reported to me inside an ISP) in Y2K or so is that "the rocket boosters have been attached to the pig called IPv6". what i meant by this is anybody's guess, really, but i think i was trying to say that even though it was useless and solved the wrong problem, it was also inevitable. nothing's changed: ipv6 fails to solve the problems ipv4 had, and makes the problems ipv4 had even worse, but nevertheless it's what we'll have to use while awaiting real innovation, to come, presumably or hopefully, some time later. note: i'm not speaking as an arin trustee here. From arin-contact at dirtside.com Sun Sep 2 00:41:40 2007 From: arin-contact at dirtside.com (William Herrin) Date: Sun, 2 Sep 2007 00:41:40 -0400 Subject: [ppml] Legacy /24s In-Reply-To: <49acf4a61c88ad505f77404265e260e546da2fc5@jcc.com> References: <49acf4a61c88ad505f77404265e260e546da2fc5@jcc.com> Message-ID: <3c3e3fca0709012141h14012e77hb0ed9a85cad99477@mail.gmail.com> On 9/1/07, Keith W. Hare wrote: > requirement that you have to comply with a security and > security auditing specification, such as the payment card industry (PCI) > specification. Part of the cost would be renumbering, part would be > revising the rules in the firewalls, intrusion detection system, etc. A > big part would be in re-auditing the information security configuration. Keith, That's an interesting argument. Having been through the PCI auditing process I don't buy that it increases the renumbering cost enough to merit requiring everybody else to pay $17k per year but its an interesting argument. Here's another interesting argument: For better or for worse, spam filtering is heavily biased towards the IP address. Current software is extremely suspicious of IP addresses which suddenly begin emiting large amounts of mail. Getting the new IP address back on everybody's whitelist is very manpower-expensive. If you're a large non-profit organization who uses email to solicit donations from constituents, the lost opportunity cost while correcting those filtering problems very rapidly runs to hundreds of thousands of dollars. If you make PI addresses available on those criteria, how would you measure? How much credit card activity justifies PI addresses? How much email? Regards, Bill Herrin -- William D. Herrin herrin at dirtside.com bill at herrin.us 3005 Crane Dr. Web: Falls Church, VA 22042-3004 From paul at vix.com Sun Sep 2 00:43:07 2007 From: paul at vix.com (Paul Vixie) Date: Sun, 02 Sep 2007 04:43:07 +0000 Subject: [ppml] Legacy /24s In-Reply-To: Your message of "Sun, 02 Sep 2007 00:29:31 -0400." <3c3e3fca0709012129j2488d83fv9895236f75284deb@mail.gmail.com> References: <859D2283FD04CA44986CC058E06598F84B1D9AA7AC@exchange4.exchange.alphared.local> <20070901144553.GA494@ussenterprise.ufp.org> <3c3e3fca0709011140h3cf98b99teed4982f4d01be3b@mail.gmail.com> <20070902014003.GB31369@ussenterprise.ufp.org> <3c3e3fca0709012129j2488d83fv9895236f75284deb@mail.gmail.com> Message-ID: <2994.1188708187@sa.vix.com> > > Your numbers also only account for the hardware cost. [...] > > In short, I'm afraid your estimate is WAY low on cost per device. > > They don't account for the electricity cost for running the > power-hungry TCAMs and the required air conditioning capacity either. > Nor do they exclude the cost attribution associated with the routers' > traffic capacity and age-related upgrades rather than route capacity. i think that as with dotcomenomics, we're expected to grow our way outta this. > I pulled out and leafed through my old "Internet Protocol Next Generation" > book from 1997. Do you realize just how few of the design goals have panned > out operationally? Its appalling. yes, it is. but from a policy standpoint, that doesn't matter. we're going to run out of new ipv4 soon, and there are three ways to jump: 1. stop growing the network 2. dramatically increase NATism 3. use IPv6 of the three, i like #4. of the three we actually have, though, i pick #3. From arin-contact at dirtside.com Sun Sep 2 01:31:28 2007 From: arin-contact at dirtside.com (William Herrin) Date: Sun, 2 Sep 2007 01:31:28 -0400 Subject: [ppml] Legacy /24s In-Reply-To: <2994.1188708187@sa.vix.com> References: <859D2283FD04CA44986CC058E06598F84B1D9AA7AC@exchange4.exchange.alphared.local> <20070901144553.GA494@ussenterprise.ufp.org> <3c3e3fca0709011140h3cf98b99teed4982f4d01be3b@mail.gmail.com> <20070902014003.GB31369@ussenterprise.ufp.org> <3c3e3fca0709012129j2488d83fv9895236f75284deb@mail.gmail.com> <2994.1188708187@sa.vix.com> Message-ID: <3c3e3fca0709012231w69e35815y30612954bab767c2@mail.gmail.com> On 9/2/07, Paul Vixie wrote: > > I pulled out and leafed through my old "Internet Protocol Next Generation" > > book from 1997. Do you realize just how few of the design goals have panned > > out operationally? Its appalling. > > yes, it is. but from a policy standpoint, that doesn't matter. we're going > to run out of new ipv4 soon, and there are three ways to jump: > > 1. stop growing the network > 2. dramatically increase NATism > 3. use IPv6 > > of the three, i like #4. Paul, I like option #29: IP extra large. If IP option header #29 is present starting at the sixth word in the IPv4 header then the "source" part of the IP header actually contains the four high-order bytes of the 64-bit IP destination address while the seventh and eighth words contain the 64-bit source address. I guess it would have been too easy to let us grow incrementally with only changes on the software side of the house. > of the three we actually have, though, i pick #3. Yeah, I can live with that. But I will gripe about it now and then. Regards, Bill Herrin -- William D. Herrin herrin at dirtside.com bill at herrin.us 3005 Crane Dr. Web: Falls Church, VA 22042-3004 From stephen at sprunk.org Sun Sep 2 01:43:00 2007 From: stephen at sprunk.org (Stephen Sprunk) Date: Sun, 2 Sep 2007 00:43:00 -0500 Subject: [ppml] Legacy /24s References: <49acf4a61c88ad505f77404265e260e546da2fc6@jcc.com> Message-ID: <07fd01c7ed27$db607e30$5c3816ac@atlanta.polycom.com> Thus spake "Keith W. Hare" > And the cost of making a mistake on the security configurations is > about $10 per exposed credit card number for a year's subscription > to a credit report watch service, not to mention the cost of making > the front page of the newspapers and computer trade press. It was a PR cost when laws were first passed requiring notification. Now, security breach notices are so common that the media doesn't even bother reporting them anymore except for the most extreme cases. Until we get laws requiring companies to pay non-trivial fines and/or restitution for each record compromised, it'll remain a non-event. S Stephen Sprunk "God does not play dice." --Albert Einstein CCIE #3723 "God is an inveterate gambler, and He throws the K5SSS dice at every possible opportunity." --Stephen Hawking From woody at pch.net Sun Sep 2 02:16:59 2007 From: woody at pch.net (=?utf-8?B?QmlsbCBXb29kY29jaw==?=) Date: Sun, 2 Sep 2007 06:16:59 +0000 Subject: [ppml] Legacy /24s In-Reply-To: References: <859D2283FD04CA44986CC058E06598F84B1D9AA7AC@exchange4.exchange.alphared.local> <20070901144553.GA494@ussenterprise.ufp.org><3c3e3fca0709011140h3cf98b99teed4982f4d01be3b@mail.gmail.com> Message-ID: <1449649690-1188714008-cardhu_decombobulator_blackberry.rim.net-1144185577-@bxe102.bisx.prod.on.blackberry> If it's helpful, we (PCH) believed there to be about 8,400 ASNs in the world which were providing transit services, last I checked. From experience, I can tell you that the long tail of the curve of how-many-full-table-routers-per-ISP-of-that-type is between one and three. So, really roughly, the 8,300 smaller of those 8,400 might be contributing 20,000 routers to the total. It's still quite plausible, however, that the top hundred are contributing another 180,000, so I don't dispute 200,000 as a possible total. I think if I were to guess, I'd guess somewhere between 120,000 and 250,000. But that's just a guess, supported only by what you see above, and no more detailed analysis. And this is my first email of the morning, which should always be viwed with some additional degree of scepticism. :-) -Bill Please excuse the brevity of this message; I typed it on my pager. I could be more loquacious, but then I'd crash my car. -----Original Message----- From: John Curran Date: Sat, 1 Sep 2007 18:58:07 To:"William Herrin" Cc:"ppml at arin.net" Subject: Re: [ppml] Legacy /24s At 2:40 PM -0400 9/1/07, William Herrin wrote: >Lets put some numbers to this so that we're arguing facts rather than opinions. Nice analysis, by the way... One comment, see below. >... >The number of routes and ASes in the DFZ implies that there are >somewhere between 200,000 and 300,000 routers in the DFZ. Hmm. Could you expand on this part of the calculation? I know lots of backbones operating in the default-free zone, and can take an estimate at number of routers each, but I'm not certain that the product gets us to 200000 routers. Also, there are often IGP routers which don't participate in global routing but have the entry purely for internal traffic engineering... Is it fair to reflect the cost of upgrading such routers onto the cost for a global routing entry? /John _______________________________________________ PPML You are receiving this message because you are subscribed to the ARIN Public Policy Mailing List (PPML at arin.net). Unsubscribe or manage your mailing list subscription at: http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN Member Services Help Desk at info at arin.net if you experience any issues. From paul at vix.com Sun Sep 2 04:11:20 2007 From: paul at vix.com (Paul Vixie) Date: Sun, 02 Sep 2007 08:11:20 +0000 Subject: [ppml] FW: Legacy /24s In-Reply-To: Your message of "Sat, 01 Sep 2007 10:35:39 CST." <000e01c7ecb6$24d7e480$6e87ad80$@org> References: <000e01c7ecb6$24d7e480$6e87ad80$@org> Message-ID: <47015.1188720680@sa.vix.com> > > (the block was later used for a root name server, and then, later, given > > into the control of a 501(c)(3) nonprofit who operates that server, and > > for that, i think the community of router owners would say it's worth a > > routing slot... i'm just saying if that hadn't happened, i'd've stopped > > using the space by now, on a "think globally, act locally" basis.) > That is silly. We are talking about ONE group and not MANY. The item is not > even close to being the same. the aphorism "thing globally, act locally" means trying to deduce the impact of global behaviour that'd be reflective of local behaviour. for example, think of tossing a used styrofoam cup out of a car window. if you're the only one who acts this way, it would have no global impact. but if you consider what might happen to the world "if everybody behaved this way" -- all of us waist deep in used styrofoam cups, etc -- then it becomes possible to respond from principle: "somebody's got to be the first person to do the right thing, if i want doing the right thing ought to become common, so, it might as well be me." or think of it another way. right now about 30000 people have swamp /24's who would likely not qualify for them under current rules. from a policy development standpoint, we can do only one of exactly two things: 1. treat them as an exception, merely an early deployment necessity 2. treat them as the rule, something to emulate in new policy i choose #1. so if you have activity that can't operate in PA space, like an anycasted root name server, then you'd better make sure that it's an activity that the global community of "router operators" think is worth their expense in carrying a route for you. most of the time, these days, the "value proposition" is in terms of compelling content or massive numbers of eyeballs, and so RIR policy tends to favour large blocks occuping routing table slots vs. small blocks, unless the small block has compelling content that wouldn't be as economically viable in PA space as in PI space. so, we really are talking about many groups, not one. or at least i am. note: i'm not speaking as an ARIN trustee in this message. From paul at vix.com Sun Sep 2 04:26:37 2007 From: paul at vix.com (Paul Vixie) Date: Sun, 02 Sep 2007 08:26:37 +0000 Subject: [ppml] Legacy /24s In-Reply-To: Your message of "Sun, 02 Sep 2007 01:31:28 -0400." <3c3e3fca0709012231w69e35815y30612954bab767c2@mail.gmail.com> References: <859D2283FD04CA44986CC058E06598F84B1D9AA7AC@exchange4.exchange.alphared.local> <20070901144553.GA494@ussenterprise.ufp.org> <3c3e3fca0709011140h3cf98b99teed4982f4d01be3b@mail.gmail.com> <20070902014003.GB31369@ussenterprise.ufp.org> <3c3e3fca0709012129j2488d83fv9895236f75284deb@mail.gmail.com> <2994.1188708187@sa.vix.com> <3c3e3fca0709012231w69e35815y30612954bab767c2@mail.gmail.com> Message-ID: <51731.1188721597@sa.vix.com> > > of the three, i like #4. > > I like option #29: IP extra large. If IP option header #29 is present > starting at the sixth word in the IPv4 header then the "source" part of the > IP header actually contains the four high-order bytes of the 64-bit IP > destination address while the seventh and eighth words contain the 64-bit > source address. that wouldn't've been unambiguous. what several of us were hoping for was where the IP version number went to 6 and the addresses got larger and that was all. but because this would not have enabled all of the many things promised for IPng in the document you referenced earlier (most of which weren't delivered and are now undeliverable), the IETF intelligensia ruled against this approach. note that with either your option-29 approach or my described IPVx approach, the ethertype would still be 0800. that in itself explains that IPv6 is really a "new internet" not an "internet extension". (and it leads to IPv6's lack of backward compatibility with IPv4, which is one of the now-undeliverable promises made in the document you cited before.) > I guess it would have been too easy to let us grow incrementally with > only changes on the software side of the house. IPv6 has made more than a few careers. someone early on called it the "full employment act for programmers", and so it's been. but nobody i know has said that it was made difficult just to build careers or employ programmers. more like, it is the product of an extensive committee process. > > of the three we actually have, though, i pick #3. > > Yeah, I can live with that. But I will gripe about it now and then. and i don't mind griping, either, even though at the end of the day we're all going to have to deploy it, no matter how we feel, warts and all. perhaps DRC would choose "vastly increased NATism" now that IPv6's warts are really showing, but from an industry standpoint, that's just sooooo not an option. note: i am not speaking as an ARIN trustee in this message. From michael.dillon at bt.com Sun Sep 2 12:00:58 2007 From: michael.dillon at bt.com (michael.dillon at bt.com) Date: Sun, 2 Sep 2007 17:00:58 +0100 Subject: [ppml] Policy Proposal: Decreasing Exponential Rationingof IPv4 IP Addresses In-Reply-To: <8CC5B9B8-FB3D-4C7F-BD6B-089E31979FAD@muada.com> References: <85975A4A-0077-4B71-B303-FD9FE27615F6@muada.com> <8CC5B9B8-FB3D-4C7F-BD6B-089E31979FAD@muada.com> Message-ID: > A few = generally 2 or 3 years. Is that enough to call a trend? If your data is monthly or weekly, then yes. > > And the > > changes have been explained due to macro events (CIDR introduction, > > telecoms collapse) so even though the trends go through > step changes, > > they are still trends. > > If you can tell the trends from the macro events, please do > so because as far as I know, nobody else has been able to. I said changes were explained by macro events. In other words, pre-CIDR there was a trend, then CIDR was introduced and the trend changed. > > One could still do a worst-case scenario based on the pre telecoms > > collapse trend > > I guess that would be going from 86 million in 2001 to 69 > million in 2002. Pre telecoms collapse means *BEFORE* the telecoms collaps. Therefore I was referring to the trend which existed *BEFORE* the drop in 2001-2002. > > and then estimate the probability that macroeconomic events > will lead > > to that scenario. You then have an estimated runout date, and a > > probability that it will occur. > You can arrive at pretty much any outcome by just selecting > the right start date. But can you find macroeconomic explanations to reinforce your choice of a starting date, and your choice of a trend? Unless you can tie your numbers to macroeconomic triggers, they are just meaningless numbers. > But 1995 was the first year with growth > after the introduction of CIDR so we only have 12 years. > It's just not enough to come up with something better than 5 > - 25 % growth per year = running out between Q3 2011 and Q3 2013. Instead of playing amateur statistician, I suggest that you give the data to a professional and see what they say. > However, you can't predict a run on the bank, hoarding and > all kinds of other interesting end games by looking at the past. Of course not. You need to look at the macroeconomic factors. In the case of a run on real banks, you need to look at the contracts that banks have with their customers. They are not the same terms as contracts in the 1920's and 30's. Then you need to look are reserve bank systems and financial regulations in effect. All of these things allow you to predict that there cannot be a run on the bank. In the case of the RIRs, the fact that people must present technical justification for IPv4 address requests pretty well prevents a run on the RIR banks. > Let me put it this way: would either of them care to publish > an error margin to go along with their prediction? Or run the > numbers on historical data and see how well the predictions > fit what actually happened? While this may be interesting, it does not change the fact that both Tony and Geoff are using substantially the same data sources and substantially the same methodology. > I don't think there's another source of data. IPv4 is used to address hosts. Hosts are computers. Computers are purchased. Governments collect and publish statistics on purchases of various types of things. Companies consume IP addresses when they grow their network. It costs a lot of money to grow a network. You need to have income to justify any growth. Income is something that publicly traded companies must regularly report. And then there is RIR membership stats which might be used in conjunction with corporate income reporting. Router manufacturers tend to sell specialized routers for CPE. They might be convinced to give a researcher access to statistics on CPE devices sold. Statistics and forecasting are disciplines which are taught at the graduate level. Graduates are often given real-world problems to work on. Professors of any given discipline tend to be chronically short of ideas for such real-world statistical/forecasting problems. Etc. --Michael Dillon From jonathan at qx.net Sun Sep 2 12:17:55 2007 From: jonathan at qx.net (Jonathan Barker) Date: Sun, 02 Sep 2007 12:17:55 -0400 Subject: [ppml] Legacy /24s In-Reply-To: <3c3e3fca0709012129j2488d83fv9895236f75284deb@mail.gmail.com> References: <859D2283FD04CA44986CC058E06598F84B1D9AA7AC@exchange4.exchange.alphared.local> <20070901144553.GA494@ussenterprise.ufp.org> <3c3e3fca0709011140h3cf98b99teed4982f4d01be3b@mail.gmail.com> <20070902014003.GB31369@ussenterprise.ufp.org> <3c3e3fca0709012129j2488d83fv9895236f75284deb@mail.gmail.com> Message-ID: <46DAE233.9010004@qx.net> >> You've nicely bounded the problem of upgrading Sup2+MSFC boxes to >> Sup720 boxes. (I'm guessing, because I've seen you talking about >> the problem on the nanog mailing list and all the numbers fit.) >> > > That includes most of the Sup720 boxes too; they're bounded at 260k. > In the 6500/7600 product line, only the Sup720-3BXL and RSP720-3CXL > accommodate more than 260k routes. And as you point out there are no > in-place upgrades for the remaining 7200 and 7500 routers. > > We upgraded to the 7613, 3BXL a few years ago from a 7513, RSP8. It was one of the best upgrades we ever made for our network. The 7513's backplane is nowhere near as capable as the 7613, and quite a few of the backplane performance bottlenecks we saw before evaporated with the new hardware. Similarly the problem of DoS attacks evaporated for us, as we've been fortunate enough to not see one over 180,000 pps, and at that it just increased the router's CPU a couple percent. Despite the fact we have 2, 4000 watt power supplies, the chassis and cards only use 1537.62 Watts, with the requisite air conditioning requirements - so it's actually about the same as our old 7513 on power and cooling load. I just hope they come up with something better than the RSP720-3CXL for our next upgrade cycle. It really doesn't offer much more than we already have with the 3BXL, and we've had it for nearly 2 and a half years. If you are lucky enough to have a 7200VXR chassis - there is a NPE-G2 available (we just ordered a couple to serve as agg / VPN routers.) I know the G-2 comes default with 1 Gig RAM, and can be upgraded to 2 Gigs. Surely that router will be able to take more than 256k routes - and the upgrade for the VXR chassis is only 15k or so.... I can't find the statistic on Cisco's site - but having the capability of more ram than the 3BXL, I don't see why it would choke with the increased routes. The only thing the Cisco docs state is that the NPE-G2 "Supports more routes, and routing tables" Of course... I have to say I don't like running BGP on 7200s. With the way Cisco prioritizes the BGP scan process, it spikes the single CPU each time it runs, and it 'can' in some configurations with large route tables, cause a little lag for a second or two every minute. With the distributed processing on the 7600 series, that's not an issue. Jonathan From drc at virtualized.org Sun Sep 2 12:24:04 2007 From: drc at virtualized.org (David Conrad) Date: Sun, 2 Sep 2007 09:24:04 -0700 Subject: [ppml] Legacy /24s In-Reply-To: <51731.1188721597@sa.vix.com> References: <859D2283FD04CA44986CC058E06598F84B1D9AA7AC@exchange4.exchange.alphared.local> <20070901144553.GA494@ussenterprise.ufp.org> <3c3e3fca0709011140h3cf98b99teed4982f4d01be3b@mail.gmail.com> <20070902014003.GB31369@ussenterprise.ufp.org> <3c3e3fca0709012129j2488d83fv9895236f75284deb@mail.gmail.com> <2994.1188708187@sa.vix.com> <3c3e3fca0709012231w69e35815y30612954bab767c2@mail.gmail.com> <51731.1188721597@sa.vix.com> Message-ID: <36F46686-972E-4A99-B0C0-4D541895847E@virtualized.org> On Sep 2, 2007, at 1:26 AM, Paul Vixie wrote: > and i don't mind griping, either, even though at the end of the day > we're all > going to have to deploy it, no matter how we feel, warts and all. > perhaps > DRC would choose "vastly increased NATism" now that IPv6's warts > are really > showing, Not sure why you think these are either/or. I suspect the answer will be vastly increased NATism _and_ IPv6 deployment. ISPs will likely migrate their infrastructure to IPv6 without too much pain (reusing the IPv4 addresses for customer assignments and using IPv4 tunneling). The vast majority of end users will continue to use IPv4 + NAT. The real challenge I see is figuring out how to convince content providers that they need to spend the money to add IPv6 support along side their IPv4-based content. > but from an industry standpoint, that's just sooooo not an option. Sorry, which industry is that? Regards, -drc From Keith at jcc.com Sun Sep 2 15:48:59 2007 From: Keith at jcc.com (Keith W. Hare) Date: Sun, 2 Sep 2007 15:48:59 -0400 Subject: [ppml] Legacy /24s Message-ID: <9c74501455b027cd51685a2e6c1e864546db13ac@jcc.com> > -----Original Message----- > From: wherrin at gmail.com [mailto:wherrin at gmail.com] On Behalf > Of William Herrin > Sent: Sunday, September 02, 2007 12:42 AM > To: Keith W. Hare > Cc: ppml at arin.net > Subject: Re: [ppml] Legacy /24s > > On 9/1/07, Keith W. Hare wrote: > > requirement that you have to comply with a security and security > > auditing specification, such as the payment card industry (PCI) > > specification. Part of the cost would be renumbering, part > would be > > revising the rules in the firewalls, intrusion detection > system, etc. > > A big part would be in re-auditing the information security > configuration. > > Keith, > > That's an interesting argument. Having been through the PCI > auditing process I don't buy that it increases the > renumbering cost enough to merit requiring everybody else to > pay $17k per year but its an interesting argument. > I do not have anywhere close to enough knowledge about now all of this works to evaluate your $17k per year number. What I'm claiming is that the cost implementing IPv6 is significantly higher than the cost of the hardware, and it is the difficult to quantify costs, such as tying one's IP addresses to a single ISP, that are going to impede IPv6 adoption. You claim that letting too many organizations have Provider Independent address space adds cost to everyone. I claim that without PI space, there are a lot of small to medium size business that are going to be more reluctant to adopt IPv6. We could both be correct, in which case the ARIN policy question is what set of policies promote IPv6 sufficiently without overwhelming the infrastructure? Keith ______________________________________________________________ Keith W. Hare JCC Consulting, Inc. keith at jcc.com 600 Newark Road Phone: 740-587-0157 P.O. Box 381 Fax: 740-587-0163 Granville, Ohio 43023 http://www.jcc.com USA ______________________________________________________________ From iljitsch at muada.com Sun Sep 2 16:21:13 2007 From: iljitsch at muada.com (Iljitsch van Beijnum) Date: Sun, 2 Sep 2007 22:21:13 +0200 Subject: [ppml] IPv6 flawed? In-Reply-To: <1712.1188707832@sa.vix.com> References: <200708311233.l7VCXYBj005107@cjbsys.bdb.com><82435.1188567258@sa.vix.com><6F089EC1-589B-4192-AE7E-9DAC2BE6ACC4@virtualized.org>

<1712.1188707832@sa.vix.com> Message-ID: <11A63A70-EFD7-49CD-9DCB-78F81B1FB2BC@muada.com> On 2-sep-2007, at 6:37, Paul Vixie wrote: >> - It never delivered initial promises, such as aggregation (the "8K >> DFZ"). In their great wisdom, the IETF pushed the protocol out >> with the >> promise that they will deliver the missing features (such as >> multihoming >> and effortless renumbering) later. > agreed. IETF is still working... And it's not like adopting PI in the mean time helps. >> Problem, nobody figured it out. > disagreed. see A6, DNAME, bitstring labels, What's the deal here? This was removed very quickly from BIND. Wouldn't it have made more sense to keep it in there to allow further experimentation at least? Although I can understand the problems with A6, it's a shame that the IETF abandoned efforts to make renumbering easier. > and 8+8. That's only half a solution, the way it was written down 10 years ago doesn't do anything useful. If you fix the problems, you end up with something like shim6. >> - As it turned out down the road, the multiple-addresses-per-host are >> too much of an administrative overhead. > the thing i keep asking is, where was the per-address default route > for > inbound, and where was the LCR hook for outbound? without those, > simply > adding multiple subnets to a LAN and hoping hosts would figure it out > was just vaporware. (note well: A6/DNAME/bitstrings didn't have > solutions > to those problems, either.) I think it was Itojun who told me that they looked at tying the default route to the source address but there were problems with that. No answers to my questions about what those problems are. The implementers need to do something here. > nothing's changed: ipv6 fails to solve the problems ipv4 had, > and makes the problems ipv4 had even worse, but nevertheless it's > what we'll > have to use while awaiting real innovation, to come, presumably or > hopefully, > some time later. The problem isn't that we don't know how to fix the problems: we do, and often the protocols exist. It's living with the tradeoffs that we as a community have a problem with. We want small routing tables, but we also want PI. We want stable addresses for applications so the network must figure out reachability, but we also want to connect to a remote host without delay. We want security and encryption, but not a PKI. IPv6 has some innovation on the link, such as autoconfiguration, which many people don't like, by the way, but other than that, it's just IP that we know and love with larger addresses. So it has all the downsides of IPv4, only now we get to build a bigger network so the downsides are all the more troublesome. > note: i'm not speaking as an arin trustee here. Really? :-) From iljitsch at muada.com Sun Sep 2 16:22:46 2007 From: iljitsch at muada.com (Iljitsch van Beijnum) Date: Sun, 2 Sep 2007 22:22:46 +0200 Subject: [ppml] Legacy /24s In-Reply-To: <1070901165207.964D-100000@Ives.egh.com> References: <1070901165207.964D-100000@Ives.egh.com> Message-ID: <28888CC0-AAFC-44F5-99A7-AB3E7B52DF34@muada.com> On 1-sep-2007, at 22:56, John Santos wrote: > I would like to point out for the millionth time that having PI > space and taking up a routing slot are *NOT* the same thing. > There are many legitimate uses of globally unique address space > that don't require routing in the DFZ. (For example private > internets either on leased circuits or via VPN tunnels over > the public Internet.) So maybe we should set aside a specific block of PI prefixes for purposes that don't require them to be injected in the DFZ? From iljitsch at muada.com Sun Sep 2 16:36:35 2007 From: iljitsch at muada.com (Iljitsch van Beijnum) Date: Sun, 2 Sep 2007 22:36:35 +0200 Subject: [ppml] Policy Proposal: Decreasing Exponential Rationingof IPv4 IP Addresses In-Reply-To: References: <85975A4A-0077-4B71-B303-FD9FE27615F6@muada.com> <8CC5B9B8-FB3D-4C7F-BD6B-089E31979FAD@muada.com> Message-ID: On 2-sep-2007, at 18:00, wrote: >> A few = generally 2 or 3 years. Is that enough to call a trend? > If your data is monthly or weekly, then yes. Have a look at the monthly data since 2006 and tell me if you can spot a trend: 14.05 M 2006-01 15.46 M 2006-02 19.02 M 2006-03 11.68 M 2006-04 15.01 M 2006-05 9.54 M 2006-06 21.43 M 2006-07 10.61 M 2006-08 15.29 M 2006-09 10.27 M 2006-10 20.30 M 2006-11 10.14 M 2006-12 16.59 M 2007-01 16.92 M 2007-02 20.75 M 2007-03 8.52 M 2007-04 20.08 M 2007-05 19.03 M 2007-06 21.12 M 2007-07 16.92 M 2007-08 >> You can arrive at pretty much any outcome by just selecting >> the right start date. > But can you find macroeconomic explanations to reinforce your > choice of > a starting date, and your choice of a trend? Unless you can tie your > numbers to macroeconomic triggers, they are just meaningless numbers. Well, you wouldn't want to jump in at either the height of the boom or the depth of the bust, so you need to start in 2002 or so or before 1999... >> But 1995 was the first year with growth >> after the introduction of CIDR so we only have 12 years. >> It's just not enough to come up with something better than 5 >> - 25 % growth per year = running out between Q3 2011 and Q3 2013. > Instead of playing amateur statistician, I suggest that you give the > data to a professional and see what they say. The data is there for everyone to download, so professionals: have at it. But my "amateur" take is that the data is simply to volatile and there have been too many fundamental changes (CIDR, broadband, .com boom, telecom bust) in too short a time to arrive at a real prediction. But in another couple of years it doesn't matter anymore because we'll be so close that we know for sure we'll run out soon. From colin at thusa.co.za Sun Sep 2 17:55:59 2007 From: colin at thusa.co.za (Colin Alston) Date: Sun, 02 Sep 2007 23:55:59 +0200 Subject: [ppml] IPv6 flawed? In-Reply-To: References: <200708311233.l7VCXYBj005107@cjbsys.bdb.com><82435.1188567258@sa.vix.com><6F089EC1-589B-4192-AE7E-9DAC2BE6ACC4@virtualized.org>

Message-ID: <46DB316F.5050009@thusa.co.za> On 02/09/2007 06:08 Michel Py wrote: > - As it turned out down the road, the multiple-addresses-per-host are > too much of an administrative overhead. > > So we're in a situation where the only remaining real reason to upgrade > to IPv6 is IPv4 address space exhaustion, while IPv6 still does not have > hugely popular features such as NAT and no equivalent either. > > Technically, I consider NAT more flawed than IPv6. Nevertheless, NAT has > addressed market needs, while IPv6 is a solution without a market. While I agree with a number of areas lacking in IPv6 implementation (DHCPv6 for example which is a bit broken on every implementation I've touched), I don't quite grok how that is a flaw in the protocol itself or how it influences adoption (aside from the argument that it has no market yet). Mostly though, I don't understand the idea that peoples hardware hardware capabilities (router memory) and software implementations (NAT etc) are a fixed constraint that policy should work around. -- Colin Alston From bicknell at ufp.org Sun Sep 2 18:41:27 2007 From: bicknell at ufp.org (Leo Bicknell) Date: Sun, 2 Sep 2007 18:41:27 -0400 Subject: [ppml] Legacy /24s In-Reply-To: <3c3e3fca0709012129j2488d83fv9895236f75284deb@mail.gmail.com> References: <859D2283FD04CA44986CC058E06598F84B1D9AA7AC@exchange4.exchange.alphared.local> <20070901144553.GA494@ussenterprise.ufp.org> <3c3e3fca0709011140h3cf98b99teed4982f4d01be3b@mail.gmail.com> <20070902014003.GB31369@ussenterprise.ufp.org> <3c3e3fca0709012129j2488d83fv9895236f75284deb@mail.gmail.com> Message-ID: <20070902224127.GA93562@ussenterprise.ufp.org> In a message written on Sun, Sep 02, 2007 at 12:29:31AM -0400, William Herrin wrote: > Relatively speaking, there are few routers in the DFZ whose street > price exceeds $150k. More, once you're past $150k the major cost > driver is traffic capacity rather than route capacity. *blink* I have to say you're way off. Many routers in the DFZ don't have linecards that cost less than $150k. Priced out an OC-192 card for a T640 lately? I've helped bring up many routers that cost well over $2M when you consider the cost of all the cards in them. A T640, 12416, or CSR-1 are all well over 150k to get the empty chassis, and have linecards that run $100-$300k each. > I pulled out and leafed through my old "Internet Protocol Next > Generation" book from 1997. Do you realize just how few of the design > goals have panned out operationally? Its appalling. I believe the number that panned out would be zero so far, right? -- Leo Bicknell - bicknell at ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - tmbg-list-request at tmbg.org, www.tmbg.org -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available URL: From paul at vix.com Sun Sep 2 19:32:29 2007 From: paul at vix.com (Paul Vixie) Date: Sun, 02 Sep 2007 23:32:29 +0000 Subject: [ppml] Legacy /24s In-Reply-To: Your message of "Sun, 02 Sep 2007 18:41:27 -0400." <20070902224127.GA93562@ussenterprise.ufp.org> References: <859D2283FD04CA44986CC058E06598F84B1D9AA7AC@exchange4.exchange.alphared.local> <20070901144553.GA494@ussenterprise.ufp.org> <3c3e3fca0709011140h3cf98b99teed4982f4d01be3b@mail.gmail.com> <20070902014003.GB31369@ussenterprise.ufp.org> <3c3e3fca0709012129j2488d83fv9895236f75284deb@mail.gmail.com> <20070902224127.GA93562@ussenterprise.ufp.org> Message-ID: <17006.1188775949@sa.vix.com> > > I pulled out and leafed through my old "Internet Protocol Next > > Generation" book from 1997. Do you realize just how few of the design > > goals have panned out operationally? Its appalling. > > I believe the number that panned out would be zero so far, right? judge for yourself at . i especially like section 11, "IPng Transition Mechanisms", which gets funnier every year, even without considering RFC 4966. consider this gem: The IPng transition mechanisms ensures that IPv6 hosts can interoperate with IPv4 hosts anywhere in the Internet up until the time when IPv4 addresses run out, and allows IPv6 and IPv4 hosts within a limited scope to interoperate indefinitely after that. This feature protects the huge investment users have made in IPv4 and ensures that IPv6 does not render IPv4 obsolete. Hosts that need only a limited connectivity range (e.g., printers) need never be upgraded to IPv6. that was the face that launched a thousand ships, yes. From arin-contact at dirtside.com Sun Sep 2 19:33:21 2007 From: arin-contact at dirtside.com (William Herrin) Date: Sun, 2 Sep 2007 19:33:21 -0400 Subject: [ppml] Legacy /24s In-Reply-To: <20070902224127.GA93562@ussenterprise.ufp.org> References: <859D2283FD04CA44986CC058E06598F84B1D9AA7AC@exchange4.exchange.alphared.local> <20070901144553.GA494@ussenterprise.ufp.org> <3c3e3fca0709011140h3cf98b99teed4982f4d01be3b@mail.gmail.com> <20070902014003.GB31369@ussenterprise.ufp.org> <3c3e3fca0709012129j2488d83fv9895236f75284deb@mail.gmail.com> <20070902224127.GA93562@ussenterprise.ufp.org> Message-ID: <3c3e3fca0709021633g5a02d19u3b7ab8e27ce48f56@mail.gmail.com> On 9/2/07, Leo Bicknell wrote: > A T640, 12416, or CSR-1 are all well over 150k to get the empty > chassis, and have linecards that run $100-$300k each. Leo, Well, the 12416 fully loaded is running in the $10k to $80k range on the second hand market right now. The T640 is running moderately higher. I don't know about the CSR-1. Anyway how many of these have been sold? 10k? 20k? And of the number sold, how many have been deployed to Internet DFZ functions as opposed to interior functions or enterprise functions? And where they were deployed, was it because the prior router couldn't expand to meet the traffic demand or was it because the prior router couldn't handle the number of routes? If you're telling me that 50% of the DFZ routers are these biggest of the big iron and they face the same FIB issues as my poor Sup2 then my estimate of a PI route's cost needs some revision. If you're talking 10% and and traffic capacity as the main driver then the impact on the final numbers won't be enough to waste time on the analysis. > > I pulled out and leafed through my old "Internet Protocol Next > > Generation" book from 1997. Do you realize just how few of the design > > goals have panned out operationally? Its appalling. > > I believe the number that panned out would be zero so far, right? I didn't want to be the one to say it for fear that someone would point out some clever function I overlooked. Regards, Bill Herrin -- William D. Herrin herrin at dirtside.com bill at herrin.us 3005 Crane Dr. Web: Falls Church, VA 22042-3004 From randy at psg.com Sun Sep 2 20:51:04 2007 From: randy at psg.com (Randy Bush) Date: Mon, 03 Sep 2007 09:51:04 +0900 Subject: [ppml] Legacy /24s In-Reply-To: <3c3e3fca0709021633g5a02d19u3b7ab8e27ce48f56@mail.gmail.com> References: <859D2283FD04CA44986CC058E06598F84B1D9AA7AC@exchange4.exchange.alphared.local> <20070901144553.GA494@ussenterprise.ufp.org> <3c3e3fca0709011140h3cf98b99teed4982f4d01be3b@mail.gmail.com> <20070902014003.GB31369@ussenterprise.ufp.org> <3c3e3fca0709012129j2488d83fv9895236f75284deb@mail.gmail.com> <20070902224127.GA93562@ussenterprise.ufp.org> <3c3e3fca0709021633g5a02d19u3b7ab8e27ce48f56@mail.gmail.com> Message-ID: <46DB5A78.5010807@psg.com> William Herrin wrote: > On 9/2/07, Leo Bicknell wrote: >> A T640, 12416, or CSR-1 are all well over 150k to get the empty >> chassis, and have linecards that run $100-$300k each. > Well, the 12416 fully loaded is running in the $10k to $80k range on > the second hand market right now. The T640 is running moderately > higher. I don't know about the CSR-1. so, to be a multi-homed enterprise on tomorrow's internet i need to run one of these which i buy on the used market? > Anyway how many of these have been sold? 10k? 20k? hmmmmm randy From owen at delong.com Mon Sep 3 03:14:22 2007 From: owen at delong.com (Owen DeLong) Date: Mon, 3 Sep 2007 00:14:22 -0700 Subject: [ppml] IPv6 flawed? In-Reply-To: <11A63A70-EFD7-49CD-9DCB-78F81B1FB2BC@muada.com> References: <200708311233.l7VCXYBj005107@cjbsys.bdb.com><82435.1188567258@sa.vix.com><6F089EC1-589B-4192-AE7E-9DAC2BE6ACC4@virtualized.org>

<1712.1188707832@sa.vix.com> <11A63A70-EFD7-49CD-9DCB-78F81B1FB2BC@muada.com> Message-ID: <7EF0D548-D8E5-4DC2-A956-21657A8B96F3@delong.com> On Sep 2, 2007, at 1:21 PM, Iljitsch van Beijnum wrote: > On 2-sep-2007, at 6:37, Paul Vixie wrote: > >>> - It never delivered initial promises, such as aggregation (the "8K >>> DFZ"). In their great wisdom, the IETF pushed the protocol out >>> with the >>> promise that they will deliver the missing features (such as >>> multihoming >>> and effortless renumbering) later. > >> agreed. > > IETF is still working... And it's not like adopting PI in the mean > time helps. > I strongly disagree. Adopting PI in the mean time can serve as very useful input to express to IETF that they _MUST_ solve the routing problem in a scalable way. And ID-Locator split is long overdue. > > That's only half a solution, the way it was written down 10 years ago > doesn't do anything useful. If you fix the problems, you end up with > something like shim6. > Shim6 is far too complicated to actually see reliable implementation in the average enterprise and it does nothing to help with easy renumbering. > The problem isn't that we don't know how to fix the problems: we do, > and often the protocols exist. It's living with the tradeoffs that we > as a community have a problem with. We want small routing tables, but > we also want PI. We want stable addresses for applications so the > network must figure out reachability, but we also want to connect to > a remote host without delay. We want security and encryption, but not > a PKI. > We don't want small routing tables. We want routing tables that fit in existing hardware and a churn-rate which can be handled by the hardware. I don't think anyone actually cares if the routing table is 10,000, 150,000, or 230,000 routes. Sure, they worry if it's 500,000 routes or more, but, wanting to avoid an excruciatingly large routing table is different from wanting a small one. PI is a necessity. CIDR and PA were horrible hacks put in place as a band-aid until IPv6 could be engineered to truly solve the routing problem in a scalable fashion. I have no idea why an ID/Locator split was not made a built-in part of IPv6, but, I believe it can be added without reworking the protocol, so, there is still a way forward. > IPv6 has some innovation on the link, such as autoconfiguration, > which many people don't like, by the way, but other than that, it's > just IP that we know and love with larger addresses. So it has all > the downsides of IPv4, only now we get to build a bigger network so > the downsides are all the more troublesome. > IPv6 has worse downsides than IPv4. I can see a few rare instances where autoconfiguraiton could be considered a useful feature, but, even in those cases, I don't see where it is significantly better than DHCPv4. Hopefully, eventually, DHCPv6 will be full featured, too, and, stateless autoconf will take it's rightful place next to RARP as something which works but is rarely used any more. Owen From owen at delong.com Mon Sep 3 03:30:55 2007 From: owen at delong.com (Owen DeLong) Date: Mon, 3 Sep 2007 00:30:55 -0700 Subject: [ppml] Legacy /24s In-Reply-To: <3c3e3fca0709011140h3cf98b99teed4982f4d01be3b@mail.gmail.com> References: <859D2283FD04CA44986CC058E06598F84B1D9AA7AC@exchange4.exchange.alphared.local> <20070901144553.GA494@ussenterprise.ufp.org> <3c3e3fca0709011140h3cf98b99teed4982f4d01be3b@mail.gmail.com> Message-ID: > Leo, > > Lets put some numbers to this so that we're arguing facts rather > than opinions. > > There are 233,000 IPv4 routes and a little under 1000 IPv6 routes in > the default-free zone (DFZ) today. > Agreed... > 10%-30% of the routers in the DFZ today have a hard limit between > 244,000 and 260,000 IPv4 routes or half that number of IPv6 routes. > When the limit is reached within the next few months, those routers > will experience various degrees of falling over dead. Upgrading these > routers to accomodate 1M IPv4 or 500k IPv6 routes will cost > $30,000-$150,000 each. > I'm not so sure about your estimate of the number of routers in the DFZ that would need to be upgraded or where you came up with that number, but, for the moment, I can go with it. > In the more general case, these routers have to be upgraded every > 3-5 years. > Most internet-oriented technology needs to be refreshed on a 2-4 year life-cycle, actually. > The number of routes and ASes in the DFZ implies that there are > somewhere between 200,000 and 300,000 routers in the DFZ. > Here, I think you go off the rails with a big hand-wave. How, exactly do you think you can correlate the routes+ASs in the DFZ to the number of routers participating in the DFZ? > Lets start with the low numbers. If its $30k to put 233k routes in the > DFZ then each route in each router costs around 13 cents. Times 200k > routers offers an aggregate worldwide cost of $26,000 to announce an > IPv4 route. The IPv6 routes consume twice the capacity in the router, > so that means the worldwide cost of announcing an IPv6 prefix is > $52,000. On a 3-year upgrade cycle that's an annual attributable cost > of $17,300 per prefix. > Why is an IPv6 prefix 2x an IPv4 prefix? It's 4x the prefix size, but, given all the other path attributes and such, I still don't see that doubling the storage requirements. > Lets try the high numbers. $150k to handle 500,000 IPv6 routes = 30 > cents per route. Times 300k routers = $90l. Divide by a 5 year upgrade > cycle = an annual attributable cost of $18,000 per prefix. > While I can potentially accept your price per route per router, I am not sure I accept your computation of the number of routers it is multiplied by. This means that your $17-$18k per prefix per anum number is very suspect since the 200k routers is a much bigger component of the end number than the price per route. > While this is not a thorough cost analysis, its reasonable for > ballparking. I can say with an acceptable degree of confidence that > the worldwide attributable cost of announcing one IPv6 prefix is > between $17k and $18k per year. > I have less confidence in the number than you do. > > So, with any proposal to expand the availability of IPv6 PI, the > question that should be asked is: "Does the proposed use in the > expansion justify asking the rest of the world to pay $17k?" > Since that's 17k divided amongst 30k or so organizations, you're really asking each other org. to foot a $0.50 bill per prefix. > > My opinion is that in the case of a multihomed content provider, the > answer is yes. Why should he receive poor treatment in IPv6 merely > because his mechanism for providing content was efficient enough to > require only a few IP addresses? If you're willing to pay the prices > that the network operators require to be mulithomed (whatever that > happens to be) then you should be eligible for the necessary IPv6 PI > assignment. That's just how the Internet functions and the $17k is a > cost of doing business. > What about a multihomed content consumer? Why should they be treated any worse than a multihomed content provider? > In the case of single-homed folks who just want to avoid renumbering > hassles, I think you'd need an awfully large number of computers > before the renumbering hassle adds up to $17k/yr. Many many computers. > You are missing a fundamental factor here. The pain/cost of renumbering is only marginally proportional to the number of hosts you own. It is much more affected by the number of hosts with your IPs in their configuration files that you do not control. > As for the folks who want to weasel out of the $100/yr annual > maintenance fee for an IPv6 PI assignment, I would ask why anyone > should take your request seriously when you're simultaneously asking > the rest of the world to spend $17,000/yr on your behalf. > Nobody really cares about the $100/yr. Proposals to waive that have been targeted at providing what little incentive we can towards other behaviors for the common good. Owen From michael.dillon at bt.com Mon Sep 3 04:32:54 2007 From: michael.dillon at bt.com (michael.dillon at bt.com) Date: Mon, 3 Sep 2007 09:32:54 +0100 Subject: [ppml] Policy Proposal: Decreasing Exponential Rationingof IPv4 IP Addresses In-Reply-To: References: <85975A4A-0077-4B71-B303-FD9FE27615F6@muada.com> <8CC5B9B8-FB3D-4C7F-BD6B-089E31979FAD@muada.com>

Message-ID: > >> A few = generally 2 or 3 years. Is that enough to call a trend? > > > If your data is monthly or weekly, then yes. > > Have a look at the monthly data since 2006 and tell me if you > can spot a trend: Why? Geoff Huston has already done this at http://www.potaroo.net/presentations/2007-07-23-ietf69-intarea-v4.pdf If you look at slide 14, it seems pretty close to a linear trend. Of course, the early stages of an exponential trend, also look pretty much linear. In any case, that time period does not show any step changes in the trend. The steps in the chart are the result of pent up demand being satisfied, i.e. the short term trend appears to decrease but then sharply rises. Over the longer term shown in slide 14, those steps converge on a smooth trend that has show no inflection points, just a slight uplift. > But in another couple of years it doesn't matter anymore > because we'll be so close that we know for sure we'll run out soon. And there you have a compelling business case for IPv6 deployment. --Michael Dillon From iljitsch at muada.com Mon Sep 3 04:39:49 2007 From: iljitsch at muada.com (Iljitsch van Beijnum) Date: Mon, 3 Sep 2007 10:39:49 +0200 Subject: [ppml] The myth of IPv6-IPv4 interoperation, was: Re: Legacy /24s In-Reply-To: <17006.1188775949@sa.vix.com> References: <859D2283FD04CA44986CC058E06598F84B1D9AA7AC@exchange4.exchange.alphared.local> <20070901144553.GA494@ussenterprise.ufp.org> <3c3e3fca0709011140h3cf98b99teed4982f4d01be3b@mail.gmail.com> <20070902014003.GB31369@ussenterprise.ufp.org> <3c3e3fca0709012129j2488d83fv9895236f75284deb@mail.gmail.com> <20070902224127.GA93562@ussenterprise.ufp.org> <17006.1188775949@sa.vix.com> Message-ID: <4CBA7EA2-DF77-4587-8063-9B7E1270F0C2@muada.com> On 3-sep-2007, at 1:32, Paul Vixie wrote: > . > i especially like section 11, "IPng Transition Mechanisms", which gets > funnier every year, even without considering RFC 4966. consider > this gem: > The IPng transition mechanisms ensures that IPv6 hosts can > interoperate with IPv4 hosts anywhere in the Internet up until the > time when IPv4 addresses run out, and allows IPv6 and IPv4 hosts > within a limited scope to interoperate indefinitely after that. This > feature protects the huge investment users have made in IPv4 and > ensures that IPv6 does not render IPv4 obsolete. Hosts that need only > a limited connectivity range (e.g., printers) need never be upgraded > to IPv6. > that was the face that launched a thousand ships, yes. It looks like you suffer from the (fairly common) misconception that goes along these lines: "If only the IETF had made IPv6 interoperable with IPv4, we wouldn't have any transition issues." (See http://cr.yp.to/djbdns/ipv6mess.html ) The assumption here of course is that it would have been POSSIBLE to build IPv6 in such a way that an IPv6 host can talk to an IPv4 host. Unfortunately, it isn't. Or rather, the only way to do that is for the IPv6 host to stick to 32-bit addresses (by setting the other 96 bits to 0 or some such and having something in the middle do the IPv6- IPv4 translation), because that's the only thing an IPv4 host understands. This would work well as long as IPv6 hosts only use 32-bit addresses, but obviously, the idea behind IPv6 is that at some point, someone starts using an address that uses more than 32 bits. But this would be impossible, as there is no way to know whether a destination is a real IPv6 host that can handle the extra bits, or a fake IPv6 host that really does IPv4 behind the scenes which won't handle the longer addresses. Today, the situation is much cleaner: do IPv4 and be limited to all that that entails, do IPv6 and the IPv4 limits go away. The presence or absense of AAAA records in the DNS tell you if someone you want to talk to can do IPv6 or not. That is not to say that things couldn't have been better: rather than revisit all protocols that touch addresses and replace all the instances of 32-bit addresses with 128-bit ones, the IETF could have gone from 32-bit addresses to variable length, higher level identifiers, i.e., FQDNs, so the protocols became address length agnostic. From iljitsch at muada.com Mon Sep 3 04:57:21 2007 From: iljitsch at muada.com (Iljitsch van Beijnum) Date: Mon, 3 Sep 2007 10:57:21 +0200 Subject: [ppml] IPv6 flawed? In-Reply-To: <7EF0D548-D8E5-4DC2-A956-21657A8B96F3@delong.com> References: <200708311233.l7VCXYBj005107@cjbsys.bdb.com><82435.1188567258@sa.vix.com><6F089EC1-589B-4192-AE7E-9DAC2BE6ACC4@virtualized.org>

<1712.1188707832@sa.vix.com> <11A63A70-EFD7-49CD-9DCB-78F81B1FB2BC@muada.com> <7EF0D548-D8E5-4DC2-A956-21657A8B96F3@delong.com> Message-ID: <647B3B9C-575A-44EE-B266-3AD5A40D1496@muada.com> On 3-sep-2007, at 9:14, Owen DeLong wrote: >> IETF is still working... And it's not like adopting PI in the mean >> time helps. > I strongly disagree. Adopting PI in the mean time can serve as very > useful input to express to IETF that they _MUST_ solve the routing > problem in a scalable way. And ID-Locator split is long overdue. That's like everyone buying SUVs to signal that this global warming issue _MUST_ be solved. My interpretation of the adoption of IPv6 PI was "the operational community doesn't consider routing table size an important issue". > Shim6 is far too complicated to actually see reliable implementation > in the average enterprise Did you ever read the IPsec or SNMP RFCs? Those are at least an order of magnitude more complex, and enterprises managed to implement/ deploy them just fine. > and it does nothing to help with easy renumbering. My wireless keyboard doesn't help with easy renumbering either. I guess this means it's not a good keyboard. > PI is a necessity. CIDR and PA were horrible hacks Without aggregation, routing only works by coincidence. Even WITH PA 30k ASes results in a 230k routing table... > put in > place as a band-aid until IPv6 could be engineered to truly > solve the routing problem in a scalable fashion. Engineering scalable routing is not hard: create a big, fat hierarchy. It's getting scalable routing deployed and breaking pretty much all ISP business models in the process that is a challenge. > I have no > idea why an ID/Locator split was not made a built-in part > of IPv6, but, I believe it can be added without reworking the > protocol, so, there is still a way forward. An id/loc split is certainly interesting, but what it basically does is say "having stable FQDNs and renumbering IP addresses is too hard, so now we're going to have stable FQDNs that map to stable id addresses which map to loc addresses which we WILL be able to renumber". It would be helpful to see evidence of that last part before we go down this road. > IPv6 has worse downsides than IPv4. I can see a few rare instances > where autoconfiguraiton could be considered a useful feature, but, > even in those cases, I don't see where it is significantly better than > DHCPv4. At the last IETF meeting, the DHCP server flaked out several times. IPv6 stateless autoconfig was solid as a rock. Same thing at a RIPE meeting a few years ago, unless I misremember. DHCP is actually not that easy to get right in the presence of failing hard- and software. With stateless autoconfig you can boot up a new router and take the old one down a few minutes later with no real service interruption. From iljitsch at muada.com Mon Sep 3 05:28:41 2007 From: iljitsch at muada.com (Iljitsch van Beijnum) Date: Mon, 3 Sep 2007 11:28:41 +0200 Subject: [ppml] Policy Proposal: Decreasing Exponential Rationingof IPv4 IP Addresses In-Reply-To: References: <85975A4A-0077-4B71-B303-FD9FE27615F6@muada.com> <8CC5B9B8-FB3D-4C7F-BD6B-089E31979FAD@muada.com>

Message-ID: On 3-sep-2007, at 10:32, wrote: >> Have a look at the monthly data since 2006 and tell me if you >> can spot a trend: > Why? Geoff Huston has already done this at > http://www.potaroo.net/presentations/2007-07-23-ietf69-intarea-v4.pdf Ok. This looks fairly smooth: whether any given month sees 10 or 20 million new addresses doesn't mean much relative to the ~ 2.5 billion already given out. > If you look at slide 14, it seems pretty close to a linear trend. You have to remember that in 2005 and 2006, almost exactly the same number of addresses was given out, hence the linearity. However, 2007 so far is noticeably higher, which doesn't show up. If you go back to before 2005, things look very different. I'm not sure what the number on the Y axis are, by the way. Apparently, on january first this year, we were at about "163". However, the total amount of address space given out to end-users/ LIRs/ISPs at that time, excluding the IANA free space and the RIR space that wasn't further delegated, was 2407 million addresses, 143.5 /8s. There are 3707 million usable IPv4 addresses = 221 /8s, so the projection on this slide would indicate complete IPv4 depletion somewhere in 2013. > The steps in the chart are the result of pent up demand being > satisfied, How can you have pent-up demand for IP addresses?? From colin at thusa.co.za Mon Sep 3 06:01:57 2007 From: colin at thusa.co.za (Colin Alston) Date: Mon, 03 Sep 2007 12:01:57 +0200 Subject: [ppml] IPv6 flawed? In-Reply-To: <647B3B9C-575A-44EE-B266-3AD5A40D1496@muada.com> References: <200708311233.l7VCXYBj005107@cjbsys.bdb.com><82435.1188567258@sa.vix.com><6F089EC1-589B-4192-AE7E-9DAC2BE6ACC4@virtualized.org>

<1712.1188707832@sa.vix.com> <11A63A70-EFD7-49CD-9DCB-78F81B1FB2BC@muada.com> <7EF0D548-D8E5-4DC2-A956-21657A8B96F3@delong.com> <647B3B9C-575A-44EE-B266-3AD5A40D1496@muada.com> Message-ID: <46DBDB95.6010408@thusa.co.za> On 03/09/2007 10:57 Iljitsch van Beijnum wrote: > At the last IETF meeting, the DHCP server flaked out several times. > IPv6 stateless autoconfig was solid as a rock. Same thing at a RIPE > meeting a few years ago, unless I misremember. DHCP is actually not > that easy to get right in the presence of failing hard- and software. > With stateless autoconfig you can boot up a new router and take the > old one down a few minutes later with no real service interruption. Off-topic, but RADV can't provide autoconfiguration of DNS [1], WINS, TFTP, dynamic DNS updates and NTP servers etc - something critical to most operations especially in the VoIP world with PnP SIP phones. I think the volume of current DHCPv4 capabilities would be easiest to (and, well, already have been) implement in DHCPv6 rather than hacks to stateless autoconfiguration as part of the IPv6 standard. [1] - There is this draft RFC.. http://www-users.cs.umn.edu/~jjeong/publications/ietf-internet-draft/draft-jeong-ipv6-ra-dns-autoconf-00.txt -- Colin Alston ______ Linux & Internet Services /\_\_\_\ Thusa Business Support (Pty) Ltd /\/\_\_\_\ http://www.thusa.co.za/ /\/\/\_\_\_\ Tel: (+27) 031 277 1257 \/\/\/_/_/_/ Fax: (+27) 031 277 1269 \/\/_/_/_/ \/_/_/_/ "To the world you may be one person, to one person you may be the world" ~ Rachel Ann Nunes. From arin-contact at dirtside.com Mon Sep 3 10:27:14 2007 From: arin-contact at dirtside.com (William Herrin) Date: Mon, 3 Sep 2007 10:27:14 -0400 Subject: [ppml] Legacy /24s In-Reply-To: References: <859D2283FD04CA44986CC058E06598F84B1D9AA7AC@exchange4.exchange.alphared.local> <20070901144553.GA494@ussenterprise.ufp.org> <3c3e3fca0709011140h3cf98b99teed4982f4d01be3b@mail.gmail.com> Message-ID: <3c3e3fca0709030727v6caddbccsea573ddd3b288c76@mail.gmail.com> On 9/3/07, Owen DeLong wrote: > Most internet-oriented technology needs to be refreshed on a 2-4 year > life-cycle, actually. I generally get better results from my equipment buy YMMV. > > The number of routes and ASes in the DFZ implies that there are > > somewhere between 200,000 and 300,000 routers in the DFZ. > > > Here, I think you go off the rails with a big hand-wave. How, exactly > do you think you can correlate the routes+ASs in the DFZ to the > number of routers participating in the DFZ? As I said before, its a SWAG. Some of the better educated responders suggest that I'm around 50k too high here with the actual number in the 150k-250k range. > Why is an IPv6 prefix 2x an IPv4 prefix? That's what Cisco is claiming in their documentation. 1M IPv4 routes or 500k IPv6 routes. I assume this probably means they're stashing the first 64 bits into the TCAM and bouncing it up to the software if you need a route more specific than /64. Sounds sloppy to me but I'm not Cisco. > > So, with any proposal to expand the availability of IPv6 PI, the > > question that should be asked is: "Does the proposed use in the > > expansion justify asking the rest of the world to pay $17k?" > > Since that's 17k divided amongst 30k or so organizations, you're > really asking each other org. to foot a $0.50 bill per prefix. 26109 AS's according to the latest routing table report yielding closer to $0.65. But that's a false way of looking at problem. Some AS's have one DFZ router. Some have many. None interact with the problem in terms of individual routes; they have to deal with the whole route count. Looking at the cost of an individual route is useful in terms of the whole systemic cost accross the entire DFZ. > > My opinion is that in the case of a multihomed content provider, the > > answer is yes. Why should he receive poor treatment in IPv6 merely > > What about a multihomed content consumer? Why should they > be treated any worse than a multihomed content provider? Because non-PI multihoming solutions for the NATed content consumer are relatively trivial to build. > Nobody really cares about the $100/yr. Proposals to waive that > have been targeted at providing what little incentive we can towards > other behaviors for the common good. Yet the original posters in this thread brought it up as a complaint. Regards, Bill Herrin -- William D. Herrin herrin at dirtside.com bill at herrin.us 3005 Crane Dr. Web: Falls Church, VA 22042-3004 From paul at vix.com Mon Sep 3 11:11:43 2007 From: paul at vix.com (Paul Vixie) Date: Mon, 03 Sep 2007 15:11:43 +0000 Subject: [ppml] The myth of IPv6-IPv4 interoperation, was: Re: Legacy /24s In-Reply-To: Your message of "Mon, 03 Sep 2007 10:39:49 +0200." <4CBA7EA2-DF77-4587-8063-9B7E1270F0C2@muada.com> References: <859D2283FD04CA44986CC058E06598F84B1D9AA7AC@exchange4.exchange.alphared.local> <20070901144553.GA494@ussenterprise.ufp.org> <3c3e3fca0709011140h3cf98b99teed4982f4d01be3b@mail.gmail.com> <20070902014003.GB31369@ussenterprise.ufp.org> <3c3e3fca0709012129j2488d83fv9895236f75284deb@mail.gmail.com> <20070902224127.GA93562@ussenterprise.ufp.org> <17006.1188775949@sa.vix.com> <4CBA7EA2-DF77-4587-8063-9B7E1270F0C2@muada.com> Message-ID: <53709.1188832303@sa.vix.com> > It looks like you suffer from the (fairly common) misconception what an unnecessarily harsh way to phrase your difference of opinion. "ouch." > that goes along these lines: > > "If only the IETF had made IPv6 interoperable with IPv4, > we wouldn't have any transition issues." > > (See http://cr.yp.to/djbdns/ipv6mess.html ) no. we would still have transition issues. just not this one. > The assumption here of course is that it would have been POSSIBLE to > build IPv6 in such a way that an IPv6 host can talk to an IPv4 host. that was a design goal. of the IPng candidates being proferred, the one we've got now was chosen to become IPv6 on the basis of the features it offered. if it wasn't possible to deliver this, then it's possible a different choice might have been made. but more to the point, if the paragraph i quoted had been true then IPv6 would be in wide deployment today and the IPv4 runout would be a yawner. > The IPng transition mechanisms ensures that IPv6 hosts can > interoperate with IPv4 hosts anywhere in the Internet up until the > time when IPv4 addresses run out, and allows IPv6 and IPv4 hosts > within a limited scope to interoperate indefinitely after that. This > feature protects the huge investment users have made in IPv4 and > ensures that IPv6 does not render IPv4 obsolete. Hosts that need only > a limited connectivity range (e.g., printers) need never be upgraded > to IPv6. > > (From .) From arin-contact at dirtside.com Mon Sep 3 11:15:45 2007 From: arin-contact at dirtside.com (William Herrin) Date: Mon, 3 Sep 2007 11:15:45 -0400 Subject: [ppml] The myth of IPv6-IPv4 interoperation, was: Re: Legacy /24s In-Reply-To: <4CBA7EA2-DF77-4587-8063-9B7E1270F0C2@muada.com> References: <859D2283FD04CA44986CC058E06598F84B1D9AA7AC@exchange4.exchange.alphared.local> <20070901144553.GA494@ussenterprise.ufp.org> <3c3e3fca0709011140h3cf98b99teed4982f4d01be3b@mail.gmail.com> <20070902014003.GB31369@ussenterprise.ufp.org> <3c3e3fca0709012129j2488d83fv9895236f75284deb@mail.gmail.com> <20070902224127.GA93562@ussenterprise.ufp.org> <17006.1188775949@sa.vix.com> <4CBA7EA2-DF77-4587-8063-9B7E1270F0C2@muada.com> Message-ID: <3c3e3fca0709030815s35f15bb1m8bdcf4125057b4e8@mail.gmail.com> On 9/3/07, Iljitsch van Beijnum wrote: > It looks like you suffer from the (fairly common) misconception that > goes along these lines: > > "If only the IETF had made IPv6 interoperable with IPv4, > we wouldn't have any transition issues." > > The assumption here of course is that it would have been POSSIBLE to > build IPv6 in such a way that an IPv6 host can talk to an IPv4 host. Iljitsch, That's nonsense. Perhaps you misunderstand the character of backwards compatibility. Its not a deep technical concept. It has much more to do with technical and administrative policy decisions and it could have been implemented with the IPv6 protocol that we actually created. Consider the following theoretical ruleset: 1. IPv4 addresses map to the IPv6 address space by placing zeros at the front. 2. Any router which receives an IPv4 packet for a destination that is only served through an IPv6-only trunk must translate the IPv4 packet to a corresponding IPv6 packet. 3. Any router which receives an IPv6 packet for a destination that is only served through an IPv4-only trunk must translate the IPv6 packet to a corresponding IPv4 packet. 4. Any host which implements both IPv4 and IPv6 must consider a return packet of the other type than the originated packet to be a valid part of the same communication and should attempt to synchronize with the same IP version as the remote host. What are the compatibility consequences of such a ruleset? A. Once I upgrade the IOS on my Cisco and install the patch from Microsoft, all of my equipment automatically operates with the new protocol. There are no new IP addresses to obtain and no configuration changes to make. B. The old sockets API works until you want to initiate a connection to an address that's beyond the scope of the IPv4 addresses. It can even originate IPv6 packets and accept connections from high-order addresses, albeit with faulty logging. C. You can't accomplish most of the subsidiary goals that IPv6 was intended to accomplish. But then, none of them actually panned out opertionally anyway. That's a pretty high level of compatibility. And that's just with the IPv6 protocol we have. Even greater compatibility gains are possible with something like http://bill.herrin.us/network/ipxl.html Regards, Bill Herrin -- William D. Herrin herrin at dirtside.com bill at herrin.us 3005 Crane Dr. Web: Falls Church, VA 22042-3004 From iljitsch at muada.com Mon Sep 3 11:33:38 2007 From: iljitsch at muada.com (Iljitsch van Beijnum) Date: Mon, 3 Sep 2007 17:33:38 +0200 Subject: [ppml] The myth of IPv6-IPv4 interoperation, was: Re: Legacy /24s In-Reply-To: <53709.1188832303@sa.vix.com> References: <859D2283FD04CA44986CC058E06598F84B1D9AA7AC@exchange4.exchange.alphared.local> <20070901144553.GA494@ussenterprise.ufp.org> <3c3e3fca0709011140h3cf98b99teed4982f4d01be3b@mail.gmail.com> <20070902014003.GB31369@ussenterprise.ufp.org> <3c3e3fca0709012129j2488d83fv9895236f75284deb@mail.gmail.com> <20070902224127.GA93562@ussenterprise.ufp.org> <17006.1188775949@sa.vix.com> <4CBA7EA2-DF77-4587-8063-9B7E1270F0C2@muada.com> <53709.1188832303@sa.vix.com> Message-ID: <2DA9EA61-683C-437C-BE47-BA8FB44097AC@muada.com> On 3-sep-2007, at 17:11, Paul Vixie wrote: >> It looks like you suffer from the (fairly common) misconception > what an unnecessarily harsh way to phrase your difference of > opinion. "ouch." Sorry about that, but I figured you'd set me straight if you didn't. :-) >> The assumption here of course is that it would have been POSSIBLE to >> build IPv6 in such a way that an IPv6 host can talk to an IPv4 host. > that was a design goal. A few years in the multi6 trenches taught me a thing or two about design goals... > of the IPng candidates being proferred, the one we've > got now was chosen to become IPv6 on the basis of the features it > offered. if > it wasn't possible to deliver this, then it's possible a different > choice > might have been made. but more to the point, if the paragraph i > quoted had > been true then IPv6 would be in wide deployment today and the IPv4 > runout > would be a yawner. The point is that the transition to another address length inherently means that hosts only implementing the shorter length can't talk to ones only implementing the larger length if those actually get to use that length as opposed to the old length and a bunch of 0 bits. From michael.dillon at bt.com Mon Sep 3 12:38:17 2007 From: michael.dillon at bt.com (michael.dillon at bt.com) Date: Mon, 3 Sep 2007 17:38:17 +0100 Subject: [ppml] The myth of IPv6-IPv4 interoperation, was: Re: Legacy /24s In-Reply-To: <2DA9EA61-683C-437C-BE47-BA8FB44097AC@muada.com> References: <859D2283FD04CA44986CC058E06598F84B1D9AA7AC@exchange4.exchange.alphared.local><20070901144553.GA494@ussenterprise.ufp.org><3c3e3fca0709011140h3cf98b99teed4982f4d01be3b@mail.gmail.com><20070902014003.GB31369@ussenterprise.ufp.org><3c3e3fca0709012129j2488d83fv9895236f75284deb@mail.gmail.com><20070902224127.GA93562@ussenterprise.ufp.org><17006.1188775949@sa.vix.com><4CBA7EA2-DF77-4587-8063-9B7E1270F0C2@muada.com><53709.1188832303@sa.vix.com> <2DA9EA61-683C-437C-BE47-BA8FB44097AC@muada.com> Message-ID: > The point is that the transition to another address length > inherently means that hosts only implementing the shorter > length can't talk to ones only implementing the larger length > if those actually get to use that length as opposed to the > old length and a bunch of 0 bits. Hmmm... Hosts implementing globally unique IPv4 addresses can't talk to ones only implementing non-unique addresses. True on the surface of it, but in practice people use NAT proxies and a significant percentage of Internet traffic is between such incompatible IPv4 hosts. Given that IPv4-IPv6 proxying is as simple to implement as PNAT, one wonders why people are making such a fuss. --Michael Dillon From cliffb at cjbsys.bdb.com Mon Sep 3 13:09:47 2007 From: cliffb at cjbsys.bdb.com (Cliff Bedore) Date: Mon, 3 Sep 2007 13:09:47 -0400 (EDT) Subject: [ppml] Legacy /24s (fwd) Message-ID: <200709031709.l83H9lW9023907@cjbsys.bdb.com> I forgot to CC PPML for this Stuff deleted > > > > Nobody really cares about the $100/yr. Proposals to waive that > > have been targeted at providing what little incentive we can towards > > other behaviors for the common good. > > Yet the original posters in this thread brought it up as a complaint. I don't know if I was one of the original posters but I think I mentioned the fee as one more thing that takes away from enthusiasm to go to ipv6. No legacy user who is paying for a /24 connection has any right to complain about the $100.00. I assume most are far more concerned about having the /24 reclaimed or in some way restricted if they sign an RSA and become an "official" part of ARIN. I think many believe that since ARIN has taken no action to bring them into the fold for 10 years, they are "common law" grandfathered into the internet and any actions they take to acknowledge ARIN oversight would jeopardize that. I tend to be suspicious of anybody who says "We're from the government/ARIN/... and we're here to help you". :-) Put another way, "Just because I'm paranoid doesn't mean they're not out to get me" Policy Proposal 2007-15 to stop allowing changes to our resource records to force us to join ARIN does not give me a warm and fuzzy feeling about ARIN's intentions. Paranoid? maybe but see above. :-) Cliff > > Regards, > Bill Herrin > > > -- > William D. Herrin herrin at dirtside.com bill at herrin.us > 3005 Crane Dr. Web: > Falls Church, VA 22042-3004 > _______________________________________________ > PPML > You are receiving this message because you are subscribed to the ARIN Public Policy > Mailing List (PPML at arin.net). > Unsubscribe or manage your mailing list subscription at: > http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN Member Services > Help Desk at info at arin.net if you experience any issues. > -- Cliff Bedore 7403 Radcliffe Dr. College Park MD 20740 cliffb at cjbsys.bdb.com http://www.bdb.com Amateur Radio Call Sign W3CB For info on ham radio, http://www.arrl.org/ From colin at thusa.co.za Mon Sep 3 13:09:51 2007 From: colin at thusa.co.za (Colin Alston) Date: Mon, 03 Sep 2007 19:09:51 +0200 Subject: [ppml] The myth of IPv6-IPv4 interoperation, was: Re: Legacy /24s In-Reply-To: References: <859D2283FD04CA44986CC058E06598F84B1D9AA7AC@exchange4.exchange.alphared.local><20070901144553.GA494@ussenterprise.ufp.org><3c3e3fca0709011140h3cf98b99teed4982f4d01be3b@mail.gmail.com><20070902014003.GB31369@ussenterprise.ufp.org><3c3e3fca0709012129j2488d83fv9895236f75284deb@mail.gmail.com><20070902224127.GA93562@ussenterprise.ufp.org><17006.1188775949@sa.vix.com><4CBA7EA2-DF77-4587-8063-9B7E1270F0C2@muada.com><53709.1188832303@sa.vix.com> <2DA9EA61-683C-437C-BE47-BA8FB44097AC@muada.com> Message-ID: <46DC3FDF.80203@thusa.co.za> On 03/09/2007 18:38 michael.dillon at bt.com wrote: > Given that IPv4-IPv6 proxying is as simple to implement as PNAT, one > wonders why people are making such a fuss. I think you mean IPv6 to IPv4 proxying? Letting IPv4-only hosts talk to IPv6 is an impossibility. Unless CERN finish the LHC and find the "answers to the universe" soon or something that is ;-) -- Colin Alston ______ Linux & Internet Services /\_\_\_\ Thusa Business Support (Pty) Ltd /\/\_\_\_\ http://www.thusa.co.za/ /\/\/\_\_\_\ Tel: (+27) 031 277 1257 \/\/\/_/_/_/ Fax: (+27) 031 277 1269 \/\/_/_/_/ \/_/_/_/ "To the world you may be one person, to one person you may be the world" ~ Rachel Ann Nunes. From michael.dillon at bt.com Mon Sep 3 14:42:56 2007 From: michael.dillon at bt.com (michael.dillon at bt.com) Date: Mon, 3 Sep 2007 19:42:56 +0100 Subject: [ppml] The myth of IPv6-IPv4 interoperation, was: Re: Legacy /24s In-Reply-To: <46DC3FDF.80203@thusa.co.za> References: <859D2283FD04CA44986CC058E06598F84B1D9AA7AC@exchange4.exchange.alphared.local><20070901144553.GA494@ussenterprise.ufp.org><3c3e3fca0709011140h3cf98b99teed4982f4d01be3b@mail.gmail.com><20070902014003.GB31369@ussenterprise.ufp.org><3c3e3fca0709012129j2488d83fv9895236f75284deb@mail.gmail.com><20070902224127.GA93562@ussenterprise.ufp.org><17006.1188775949@sa.vix.com><4CBA7EA2-DF77-4587-8063-9B7E1270F0C2@muada.com><53709.1188832303@sa.vix.com> <2DA9EA61-683C-437C-BE47-BA8FB44097AC@muada.com> <46DC3FDF.80203@thusa.co.za> Message-ID: > > Given that IPv4-IPv6 proxying is as simple to implement as > PNAT, one > > wonders why people are making such a fuss. > > I think you mean IPv6 to IPv4 proxying? Letting IPv4-only > hosts talk to IPv6 is an impossibility. Unless CERN finish > the LHC and find the "answers to the universe" soon or > something that is ;-) Proxying is always possible. Sometimes it mixes layers, but it is always possible. Let's give a concrete example. Joe's ISP in Lower Podunk has 80% of the households on his dial-up IPv4 service. There is no broadband in Lower Podunk and likely never will be due to the limited population, lack of growth in the county, and generally rural spread of households. So Joe's ISP has no plans to switch to IPv6 for at least the next 5 - 10 years. Google acquires Facebook, launches the new GoogleBook service on the IPv6 Internet only, and the state department of education announces that all universities will be closed and higher education will only be available on GoogleBook. Does Joe have a problem? No, of course not. He puts A records for GoogleBook into his DNS servers pointing at his V6 proxy. The proxy is actually hosted in the state capital where IPv6 service is readly available. Joe's customers can now use GoogleBook's IPv6 services via Joe's proxy server. Since GoogleBook is implemented using the standard HTTP protocol, it doesn't much matter whether there is IPv6 or v4 underneath. In fact, Joe's proxy functions much like an IPv4 NAT box except that it uses unique IPv6 addresses for each customer session rather than an address/port pair as in IPv4 NAT. Operationally, you can expect people to just fix problems and make it work, not agonize over whether or not the IETF could have documented that solution 10 years ago. --Michael Dillon From bicknell at ufp.org Mon Sep 3 15:12:27 2007 From: bicknell at ufp.org (Leo Bicknell) Date: Mon, 3 Sep 2007 15:12:27 -0400 Subject: [ppml] Legacy /24s In-Reply-To: <3c3e3fca0709021633g5a02d19u3b7ab8e27ce48f56@mail.gmail.com> References: <859D2283FD04CA44986CC058E06598F84B1D9AA7AC@exchange4.exchange.alphared.local> <20070901144553.GA494@ussenterprise.ufp.org> <3c3e3fca0709011140h3cf98b99teed4982f4d01be3b@mail.gmail.com> <20070902014003.GB31369@ussenterprise.ufp.org> <3c3e3fca0709012129j2488d83fv9895236f75284deb@mail.gmail.com> <20070902224127.GA93562@ussenterprise.ufp.org> <3c3e3fca0709021633g5a02d19u3b7ab8e27ce48f56@mail.gmail.com> Message-ID: <20070903191227.GB61706@ussenterprise.ufp.org> In a message written on Sun, Sep 02, 2007 at 07:33:21PM -0400, William Herrin wrote: > Well, the 12416 fully loaded is running in the $10k to $80k range on > the second hand market right now. The T640 is running moderately > higher. I don't know about the CSR-1. And the second hand market generally provids them at around $0.10 on the dollar, so there's an idea of what the companies paid for them brand new. > If you're telling me that 50% of the DFZ routers are these biggest of > the big iron and they face the same FIB issues as my poor Sup2 then my > estimate of a PI route's cost needs some revision. If you're talking > 10% and and traffic capacity as the main driver then the impact on the > final numbers won't be enough to waste time on the analysis. No, that's not what I'm telling you. I'm telling you that if I'm a large ISP, and I have a POP with 20 Cisco 7513's still aggregating DS-3 customers that my upgrade is not going to be 20 new whatevers. It's going to be 5 new 12416's or T640's, perhaps not with DS-3 cards but with channelized OC-48 cards, which require upgrades to my telco infrastructure as well. Now, that's not all for IPv6. If you were trying to divide up cost, some is convenience, some is what is supported, some is where you think your business is going. Even if you can pull out a Sup720-3B and replace it with a Sup720-3BLX (which is a relatively cheap upgrade as box upgrades go) that still may not be a smart move. If you're running all older linecards and about to hit the traffic wall that requires all distributed linecards in less than a year you may look at swapping out the entire chassis anyway. At the end of the day, there's two costs to consider. The cost directly attributable to IPv6, and the additional cost of "if we're going to do these upgrades now, we might as well do these other things because it makes sense." However, I think we are running fairly far afield here, point is, adding routes to the global table is "expensive", which is why the community likes to avoid it, where possible. -- Leo Bicknell - bicknell at ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - tmbg-list-request at tmbg.org, www.tmbg.org -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available URL: From paul at vix.com Mon Sep 3 16:48:54 2007 From: paul at vix.com (Paul Vixie) Date: Mon, 03 Sep 2007 20:48:54 +0000 Subject: [ppml] Legacy /24s In-Reply-To: Your message of "Mon, 03 Sep 2007 15:12:27 -0400." <20070903191227.GB61706@ussenterprise.ufp.org> References: <859D2283FD04CA44986CC058E06598F84B1D9AA7AC@exchange4.exchange.alphared.local> <20070901144553.GA494@ussenterprise.ufp.org> <3c3e3fca0709011140h3cf98b99teed4982f4d01be3b@mail.gmail.com> <20070902014003.GB31369@ussenterprise.ufp.org> <3c3e3fca0709012129j2488d83fv9895236f75284deb@mail.gmail.com> <20070902224127.GA93562@ussenterprise.ufp.org> <3c3e3fca0709021633g5a02d19u3b7ab8e27ce48f56@mail.gmail.com> <20070903191227.GB61706@ussenterprise.ufp.org> Message-ID: <32810.1188852534@sa.vix.com> i was with you right up to this: > However, I think we are running fairly far afield here, point is, adding > routes to the global table is "expensive", which is why the community likes > to avoid it, where possible. all human actions, according to von mises and others, have costs and benefits. for the action of "add one more route to the global table" the cost is borne by the community and the principle benefit comes to the actor. what the community is looking for isn't growth avoidance per se, but rather, cost:benefit symmetry. if someone's bringing in compelling content or large populations of new eyeballs, then global table growth has a community benefit that offsets its community cost. if myspace wants to multihome a /24 for a web service that makes 3G cell phones sell like hotcakes, then the community would be ready to say "sure, take a slot for that." if vixie enterprises wants to multihome a /24 so as to avoid a renumbering penalty when we change providers, the community would be ready to say, "why don't you go pound sand?" again, table growth isn't by itself a leading indicator of goodness/badness. it's cost:benefit symmetry at the community level that gets people out of bed and has them flaming on PPML in their bathrobes in the middle of sunday night. From peter at boku.net Mon Sep 3 17:39:18 2007 From: peter at boku.net (Peter Eisch) Date: Mon, 03 Sep 2007 16:39:18 -0500 Subject: [ppml] Legacy /24s In-Reply-To: <32810.1188852534@sa.vix.com> Message-ID: On 9/3/07 3:48 PM, "Paul Vixie" wrote: >> However, I think we are running fairly far afield here, point is, adding >> routes to the global table is "expensive", which is why the community likes >> to avoid it, where possible. > > all human actions, according to von mises and others, have costs and benefits. > for the action of "add one more route to the global table" the cost is borne > by the community and the principle benefit comes to the actor. Let's roll back the clock, I want to run full routes on my c1750! I need all the "big ISPs" with their non-aggregated advertisements to renumber into a single network that they announce in their single AS (not multiple ASes, but SINGLE AS). One route per slot and slot per org, no more for all traffic they originate! Bless the multi-homed nets. If small-time vixienet is multi-homed, we have to pay for the slot regardless if it's a /24 or a /20 and nobody needs to be pounding sand. If vixienet or myspace isn't multi-homed, then, I agree, that it is an exception that needs to be eliminated for the purposes of "the community." Why is the elephant in the room, er this list, that while costs need to be managed on all sides that there is a specific cost of doing business. If you want to be a carrier, then be a carrier. If you can only afford to do aggregation to a carrier, then be an aggregator. As the requirements for the routing hardware increase, the number of organizations able to carry full routes will decrease. (Notably if they're not able to budget and plan for the growth.) Where's the problem? peter From michael.dillon at bt.com Tue Sep 4 08:15:34 2007 From: michael.dillon at bt.com (michael.dillon at bt.com) Date: Tue, 4 Sep 2007 13:15:34 +0100 Subject: [ppml] IPv6 addressing plans Message-ID: Does anyone have any reasoning why a network spanning two or more of the RIR regions, should or should not get separate ISP allocations from each region? I'm not just interested in opinions, but also the reasoning behind them, especially any technical pros and cons. In addition, are there any characteristics that define a good IPv6 addressing plan for a network operator? We've just received an IPv6 /22 from RIPE based solely on projections in our European network infrastructure. Fairly soon we will have to decide whether to internally assign chunks of that space to our North American network or to go to ARIN for a separate IPv6 allocation based on North American needs only. I imagine that a number of other companies are in this position and if there is actually a best practice for IPv6 addressing, it would be good to document it and follow it before deployment gets much further ahead. On the other hand, if it is a coin-toss scenario from a technical point of view, it would be nice to see general acknowledgement of that fact. --Michael Dillon From kkargel at polartel.com Tue Sep 4 10:13:31 2007 From: kkargel at polartel.com (Kevin Kargel) Date: Tue, 4 Sep 2007 09:13:31 -0500 Subject: [ppml] Legacy /24s In-Reply-To: <20070901144553.GA494@ussenterprise.ufp.org> References: <859D2283FD04CA44986CC058E06598F84B1D9AA7AC@exchange4.exchange.alphared.local> <20070901144553.GA494@ussenterprise.ufp.org> Message-ID: <70DE64CEFD6E9A4EB7FAF3A0631410667073CB@mail> As for the untold billions out there, "a day late or a dollar short" applies to everything else in business.. why should this be any different? > -----Original Message----- > From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net] On > Behalf Of Leo Bicknell > Sent: Saturday, September 01, 2007 9:46 AM > To: ppml at arin.net > Subject: Re: [ppml] Legacy /24s > > In a message written on Fri, Aug 31, 2007 at 03:03:08PM > -0500, mack wrote: > > 3) Most of these are individuals or small companies that > don't have significant resources. > > So individuals and small businesses should be allowed to eat > up routing slots in tens of thousands of routers worldwide > collectively costing ISP's millions of dollars in capital, if > and only if they were smart enough to get an "early" IPv4 allocation? > > What about the billions of other individuals and millions of > other businesses in the world? Why do they not qualify for > such special treatment? > > -- > Leo Bicknell - bicknell at ufp.org - CCIE 3440 > PGP keys at http://www.ufp.org/~bicknell/ Read TMBG > List - tmbg-list-request at tmbg.org, www.tmbg.org > From owen at delong.com Tue Sep 4 10:45:29 2007 From: owen at delong.com (Owen DeLong) Date: Tue, 4 Sep 2007 07:45:29 -0700 Subject: [ppml] IPv6 addressing plans In-Reply-To: References: Message-ID: I would tend to think that the correct answer would depend a lot on your internal topology and how those segments connect to the internet. If they are a single contiguous autonomous system with a consistent routing policy, then, it makes sense to advertise an aggregate and accept traffic wherever it is presented. OTOH, if you need to manage the arrival location of traffic on a continental or other topological basis, then, it probably makes more sense to get separate assignments accordingly. I don't think there is a good one-size-fits all BCP answer to your question. Owen On Sep 4, 2007, at 5:15 AM, wrote: > Does anyone have any reasoning why a network spanning two or more > of the > RIR regions, should or should not get separate ISP allocations from > each > region? > > I'm not just interested in opinions, but also the reasoning behind > them, > especially any technical pros and cons. > > In addition, are there any characteristics that define a good IPv6 > addressing plan for a network operator? > > We've just received an IPv6 /22 from RIPE based solely on > projections in > our European network infrastructure. Fairly soon we will have to > decide > whether to internally assign chunks of that space to our North > American > network or to go to ARIN for a separate IPv6 allocation based on North > American needs only. > > I imagine that a number of other companies are in this position and if > there is actually a best practice for IPv6 addressing, it would be > good > to document it and follow it before deployment gets much further > ahead. > On the other hand, if it is a coin-toss scenario from a technical > point > of view, it would be nice to see general acknowledgement of that fact. > > --Michael Dillon > _______________________________________________ > PPML > You are receiving this message because you are subscribed to the > ARIN Public Policy > Mailing List (PPML at arin.net). > Unsubscribe or manage your mailing list subscription at: > http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN > Member Services > Help Desk at info at arin.net if you experience any issues. From stephen at sprunk.org Tue Sep 4 12:00:37 2007 From: stephen at sprunk.org (Stephen Sprunk) Date: Tue, 4 Sep 2007 11:00:37 -0500 Subject: [ppml] IPv6 addressing plans References: Message-ID: <010501c7ef0f$2bdcb160$533816ac@atlanta.polycom.com> Thus spake > Does anyone have any reasoning why a network spanning two or > more of the RIR regions, should or should not get separate ISP > allocations from each region? > > I'm not just interested in opinions, but also the reasoning behind > them, especially any technical pros and cons. > > In addition, are there any characteristics that define a good IPv6 > addressing plan for a network operator? > > We've just received an IPv6 /22 from RIPE based solely on > projections in our European network infrastructure. Fairly soon > we will have to decide whether to internally assign chunks of that > space to our North American network or to go to ARIN for a > separate IPv6 allocation based on North American needs only. It is generally assumed, if not stated explicitly in policy, that addresses issued by an RIR are for use within that region only. If the use outside the region is a negligible part of address use, nobody's going to complain, but you shouldn't be assigning space _to customers_ in the US from a RIPE block, and vice versa. Also, if your network in the US is of non-negligible size, it's assumed that the topology is going to be mostly independent and will be a separate AS speaking BGP to your AS in Europe. In that case, your US network would be a separate "organization", and would be no different in the RIRs' eyes than if your networks were two independent companies. You probably have separate legal entities in such a case anyways, though that's not technically required for you to claim multi-organization status. Multiple organizations should not "share" blocks between them, because that makes paperwork -- and routing -- a mess. Another thought is that using the same block in multiple regions would defeat RIR-level aggregation; if RIPE-issued blocks are all exclusively used in the RIPE region, smaller (i.e. non-global) players in other regions can filter them from their routers and just point a static route for all of RIPE's address space "that way", i.e. towards Europe. If, in contrast, you use your RIPE block in the US, people can't do that and we're doomed to every DFZ player having to carry redundant routes for other regions (or implement difficult-to-maintain filter lists) just to handle the few exceptions. The main justification I see for using a block outside the region that issued it is if your use in the other region is not sufficient to get a block from the appropriate RIR. This might be the case for a European ISP that buys a pipe to show up at a US IXP, or vice versa; addressing a couple routers is not enough to get a block from the "correct" RIR, but it makes sense to use addresses from the "wrong" RIR in such a case. Likewise, if an end-user org has a PI assignment from a certain region, it makes sense that all their sites worldwide would use addresses from that block _if they did not have connectivity to the outside world except through the issuing region_. For instance, if a office in Moscow has to go through HQ in the US to reach the Internet (which is not unusual), they should be addressed from that company's ARIN block; if they got a second connection in Europe, the sites behind that connection should be renumbered to RIPE space. S Stephen Sprunk "God does not play dice." --Albert Einstein CCIE #3723 "God is an inveterate gambler, and He throws the K5SSS dice at every possible opportunity." --Stephen Hawking From packetgrrl at gmail.com Tue Sep 4 12:27:58 2007 From: packetgrrl at gmail.com (cja@daydream.com) Date: Tue, 4 Sep 2007 10:27:58 -0600 Subject: [ppml] IPv6 addressing plans In-Reply-To: References: Message-ID: Michael, I used to run a network that had allocations from the (at the time) 3 RIRs. I did that on purpose for a couple of reasons. - The networks were connected in a way that it made sense to have RIR based allocations - I wanted our networks and the people who ran them to be active in the appropriate communities. - The deployment schedules and address space utilization rates were significantly different from region to region. If we had it all from ARIN we probably would have had to have three separate allocations with different maintainer IDs anyway. I can tell you this. And I know you're not going to believe me but it was much much easier to deal with ARIN's policies than the policies of the other RIRs. We had a very small allocation window size from RIPE and so if we wanted to assign a subnet greater than a /29 to a customer we had to ask permission. Even when it was raised to a /24 it was a total pain. Further there were some really interesting requirements of cable providers in RIPE and APNIC that we had to work with the communities to fix. That actually went very smoothly. We were certainly told that we could have all of our allocations from ARIN because our company headquarters was in the US. There were days that I wished I had done just that. I think we did greatly benefit from being active in all the regions and knowing the regional ISP communities was also a great benefit. I hope this helps. ----Cathy On 9/4/07, michael.dillon at bt.com wrote: > > Does anyone have any reasoning why a network spanning two or more of the > RIR regions, should or should not get separate ISP allocations from each > region? > > I'm not just interested in opinions, but also the reasoning behind them, > especially any technical pros and cons. > > In addition, are there any characteristics that define a good IPv6 > addressing plan for a network operator? > > We've just received an IPv6 /22 from RIPE based solely on projections in > our European network infrastructure. Fairly soon we will have to decide > whether to internally assign chunks of that space to our North American > network or to go to ARIN for a separate IPv6 allocation based on North > American needs only. > > I imagine that a number of other companies are in this position and if > there is actually a best practice for IPv6 addressing, it would be good > to document it and follow it before deployment gets much further ahead. > On the other hand, if it is a coin-toss scenario from a technical point > of view, it would be nice to see general acknowledgement of that fact. > > --Michael Dillon > _______________________________________________ > PPML > You are receiving this message because you are subscribed to the ARIN > Public Policy > Mailing List (PPML at arin.net). > Unsubscribe or manage your mailing list subscription at: > http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN Member > Services > Help Desk at info at arin.net if you experience any issues. > -------------- next part -------------- An HTML attachment was scrubbed... URL: From marla.azinger at frontiercorp.com Tue Sep 4 12:57:07 2007 From: marla.azinger at frontiercorp.com (Azinger, Marla) Date: Tue, 4 Sep 2007 12:57:07 -0400 Subject: [ppml] IPv6 addressing plans Message-ID: <454810F09B5AA04E9D78D13A5C39028A0272FA02@nyrofcs2ke2k01.corp.pvt> You might find the following document that is working its way through IETF right now useful. http://www.ietf.org/internet-drafts/draft-ietf-v6ops-addcon-05.txt Also, I would stick to getting IPv6 Allocations from the respective RIR. All the same routing reasons still apply to IPv6 at this time as they do for IPv4. Maybe architectural changes could occur in the future...but we are not there yet. Another one to read: ftp://ftp.isi.edu/in-notes/rfc1519.txt and http://www.ietf.org/rfc/rfc3177.txt. I thought there was another document for guidance to ISP's...but I cant seem to find it. Cheers! Marla -----Original Message----- From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net]On Behalf Of cja at daydream.com Sent: Tuesday, September 04, 2007 9:28 AM To: michael.dillon at bt.com Cc: ppml at arin.net Subject: Re: [ppml] IPv6 addressing plans Michael, I used to run a network that had allocations from the (at the time) 3 RIRs. I did that on purpose for a couple of reasons. - The networks were connected in a way that it made sense to have RIR based allocations - I wanted our networks and the people who ran them to be active in the appropriate communities. - The deployment schedules and address space utilization rates were significantly different from region to region. If we had it all from ARIN we probably would have had to have three separate allocations with different maintainer IDs anyway. I can tell you this. And I know you're not going to believe me but it was much much easier to deal with ARIN's policies than the policies of the other RIRs. We had a very small allocation window size from RIPE and so if we wanted to assign a subnet greater than a /29 to a customer we had to ask permission. Even when it was raised to a /24 it was a total pain. Further there were some really interesting requirements of cable providers in RIPE and APNIC that we had to work with the communities to fix. That actually went very smoothly. We were certainly told that we could have all of our allocations from ARIN because our company headquarters was in the US. There were days that I wished I had done just that. I think we did greatly benefit from being active in all the regions and knowing the regional ISP communities was also a great benefit. I hope this helps. ----Cathy On 9/4/07, michael.dillon at bt.com < michael.dillon at bt.com> wrote: Does anyone have any reasoning why a network spanning two or more of the RIR regions, should or should not get separate ISP allocations from each region? I'm not just interested in opinions, but also the reasoning behind them, especially any technical pros and cons. In addition, are there any characteristics that define a good IPv6 addressing plan for a network operator? We've just received an IPv6 /22 from RIPE based solely on projections in our European network infrastructure. Fairly soon we will have to decide whether to internally assign chunks of that space to our North American network or to go to ARIN for a separate IPv6 allocation based on North American needs only. I imagine that a number of other companies are in this position and if there is actually a best practice for IPv6 addressing, it would be good to document it and follow it before deployment gets much further ahead. On the other hand, if it is a coin-toss scenario from a technical point of view, it would be nice to see general acknowledgement of that fact. --Michael Dillon _______________________________________________ PPML You are receiving this message because you are subscribed to the ARIN Public Policy Mailing List ( PPML at arin.net). Unsubscribe or manage your mailing list subscription at: http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN Member Services Help Desk at info at arin.net if you experience any issues. -------------- next part -------------- An HTML attachment was scrubbed... URL: From iljitsch at muada.com Tue Sep 4 14:09:21 2007 From: iljitsch at muada.com (Iljitsch van Beijnum) Date: Tue, 4 Sep 2007 20:09:21 +0200 Subject: [ppml] IPv6 addressing plans In-Reply-To: References: Message-ID: <689E3E7C-82E0-4470-ACD4-11A6FEB4F0B7@muada.com> On 4-sep-2007, at 14:15, wrote: > Does anyone have any reasoning why a network spanning two or more > of the > RIR regions, should or should not get separate ISP allocations from > each > region? Well obviously arbitrary administrativia trumps using up routing table slots. Although in your case it doesn't matter much because by the time all the IPv6 space is sliced in /22s (or /23s) we can route a million of them without any trouble. > We've just received an IPv6 /22 from RIPE Yeah, they should stop doing that. > based solely on projections in our European network infrastructure. Especially based on projections that may or may not pan out. From briand at ca.afilias.info Tue Sep 4 14:13:53 2007 From: briand at ca.afilias.info (briand at ca.afilias.info) Date: Tue, 4 Sep 2007 14:13:53 -0400 (EDT) Subject: [ppml] IPv6 flawed? In-Reply-To: <7EF0D548-D8E5-4DC2-A956-21657A8B96F3@delong.com> References: <200708311233.l7VCXYBj005107@cjbsys.bdb.com><82435.1188567258@sa.vix.com><6F089EC1-589B-4192-AE7E-9DAC2BE6ACC4@virtualized.org>

<1712.1188707832@sa.vix.com> <11A63A70-EFD7-49CD-9DCB-78F81B1FB2BC@muada.com> <7EF0D548-D8E5-4DC2-A956-21657A8B96F3@delong.com> Message-ID: <60037.74.122.168.81.1188929633.squirrel@look.libertyrms.com> Owen DeLong wrote: > On Sep 2, 2007, at 1:21 PM, Iljitsch van Beijnum wrote: >> >> IETF is still working... And it's not like adopting PI in the mean >> time helps. >> > I strongly disagree. Adopting PI in the mean time can serve as very > useful input to express to IETF that they _MUST_ solve the routing > problem in a scalable way. And ID-Locator split is long overdue. > We don't want small routing tables. We want routing tables that fit > in existing hardware and a churn-rate which can be handled by the > hardware. I don't think anyone actually cares if the routing table > is 10,000, 150,000, or 230,000 routes. Sure, they worry if it's > 500,000 routes or more, but, wanting to avoid an excruciatingly > large routing table is different from wanting a small one. There are a number of considerations we need, as a community, to address: - in the short-term, much/most of the DFZ will be dual-stack - the DFZ routers will carry both IPv4 and IPv6 - collectively, the short-term needs of DFZ networks cannot be ignored - this specifically includes hard limits on DFZ prefix counts - breaking the hard limit will most likely result in IPv6 getting tossed - IPv6 needs to not be tossed to avoid a "big crunch" around 2010 So, the short term need, to avoid a "tragedy of the commons" effect, where short term is likely 3-5 years, is that O(IPv6 PI) == O(ASNs). Meaning, we need to keep PI space down to about 1 per ASN. And after 3-5 years, with widespread adoption, there may not be any (compelling) reason to change that policy. So, as long as you mean "routing table" to be "IPv4 + IPv6" routing table aggregate, then yes, 10k vs 150k vs 250k is mostly unimportant. Which translates into "very few IPv6 routes". Brian Dickson From info at arin.net Wed Sep 5 08:44:04 2007 From: info at arin.net (Member Services) Date: Wed, 05 Sep 2007 08:44:04 -0400 Subject: [ppml] Policy Proposal 2007-24: IPv6 Assignment Guidelines Message-ID: <46DEA494.9040001@arin.net> On 30 August 2007, the ARIN Advisory Council (AC) concluded their initial review of "IPv6 Assignment Guidelines" and accepted it as a formal policy proposal for discussion by the community. The proposal is designated Policy Proposal 2007-24: IPv6 Assignment Guidelines. The proposal text is below and can be found at: http://www.arin.net/policy/proposals/2007_24.html All persons in the community are encouraged to discuss Policy Proposal 2007-24 prior to it being presented at the ARIN Public Policy Meeting in Albuquerque, New Mexico, 17-18 October 2007. Both the discussion on the Public Policy Mailing List and at the Public Policy Meeting will be used to determine the community consensus regarding this policy proposal. The ARIN Internet Resource Policy Evaluation Process can be found at: http://www.arin.net/policy/irpep.html ARIN's Policy Proposal Archive can be found at: http://www.arin.net/policy/proposals/proposal_archive.html Regards, Member Services American Registry for Internet Numbers (ARIN) ## * ## Proposal 2007-24 IPv6 Assignment Guidelines Author: Leo Bicknell and Ed Lewis Proposal type: new Policy term: permanent Policy statement: Delete the text in 6.5.4.2 and Replace the text in section 6.5.4.1 with the following text: Assignments by LIRs /48 or smaller will not be reviewed by ARIN. Assignments greater than /48 will be reviewed to see if the additional space is warranted according to the 0.94 HD ratio policy. If the space is not warranted, ARIN will consider the excess space to be available for a different assignment, lowering the overall utilization score of the LIR. Rationale: The existing section 6.5.4.1 does not provide clear guidance on how ARIN should treat prefixes allocated to a site should an ISP come back for additional space in the future. This makes it difficult for LIR's to know if they are allocating in accordance with the rules under which they will be judged in the future. The existing section also provides no guidence on what the LIR or ARIN should do in the case a larger prefix is necessary. Timetable for implementation: immediate From info at arin.net Wed Sep 5 08:45:06 2007 From: info at arin.net (Member Services) Date: Wed, 05 Sep 2007 08:45:06 -0400 Subject: [ppml] Policy Proposal 2007-25: IPv6 Policy Housekeeping Message-ID: <46DEA4D2.3070409@arin.net> On 30 August 2007, the ARIN Advisory Council (AC) concluded their initial review of "IPv6 Policy Housekeeping" and accepted it as a formal policy proposal for discussion by the community. The proposal is designated Policy Proposal 2007-25: IPv6 Policy Housekeeping. The proposal text is below and can be found at: http://www.arin.net/policy/proposals/2007_25.html All persons in the community are encouraged to discuss Policy Proposal 2007-25 prior to it being presented at the ARIN Public Policy Meeting in Albuquerque, New Mexico, 17-18 October 2007. Both the discussion on the Public Policy Mailing List and at the Public Policy Meeting will be used to determine the community consensus regarding this policy proposal. The ARIN Internet Resource Policy Evaluation Process can be found at: http://www.arin.net/policy/irpep.html ARIN's Policy Proposal Archive can be found at: http://www.arin.net/policy/proposals/proposal_archive.html Regards, Member Services American Registry for Internet Numbers (ARIN) ## * ## Policy Proposal 2007-25 IPv6 Policy Housekeeping Author: Leo Bicknell Proposal type: modify Policy term: permanent Policy statement: Change I: In section 6.5.1.1.d, replace the existing statement with the new statement: "be an existing, known ISP in the ARIN region or have a plan for making at least 200 end-site assignments to other organizations within 5 years." Change J: Remove section 6.5.3 entirely. Update all subsequent sections to have new section numbers (6.5.[n-1]). Replace part of the text as (new) section 6.5.4.4: "All /56 and larger assignments to end sites are required to be registered either by the LIR or its subordinate ISPs in such a way that the RIR/NIR can properly evaluate the HD-Ratio when a subsequent allocation becomes necessary." Change K: Section 6.5.8.2, add the following sentence to the end of the first paragraph: "An HD-Ratio of .94 must be met for all assignments larger than a /48." Add to the end of the second paragraph: "This reservation may be assigned to other organizations later, at ARIN's discretion." Change L: Section 6.5.8.3, add a sentence between the two existing sentences: "Justification will be determined based on the .94 HD-Ratio metric." Rationale: When the IPv6 policy was passed, it was considered to be an "interim" policy, and it was intended to be similar in all 5 RIR's. Since that time it has become clear the policy is no longer interim (and proposal 2007-4 was passed to change just that) and it has also been modified separately in the different RIR's. It was brought to the ARIN AC's attention that there were a number of problems with "Section 6" of the NRPM as a result of this legacy: * The policy contained a large number of items that were not policy. * The policy contained a few items that were self contradictory. * The added text was redundant in some cases with existing text. * The policy was overly vague in a few areas, leaving ARIN staff to have to make interpretations of what the policy intended. * Policy changes made since the initial IPv6 policy was adopted have not always updated all of the relevant sections due to the complexity of section 6. The intent of these changes is not to change any existing policy, but rather to remove all non-policy items, and update any ambiguous items with the way that ARIN staff is currently interprets the policy. Change I: Proposal 2005-8 amended section 6.5.4.1 to allow /56 and /64 allocations, but section 6.5.1.1.d was never updated to match the change. It is believed the intent of the policy, and ARIN staff's current interpretation of the policy match the updated text. Change J: The first part is not policy, and incorrectly states there is no policy as section 6.5.4 has the policy in it. Take the one useful part and make it part of the 6.5.4 criteria. Change K: No metric is currently listed to justify a larger initial assignment. It is believed ARIN staff is currently applying the HD-Ratio similar to the ISP policy, this puts that in writing. Make it clear that the reservation may not exist in perpetuity. Change L: No metric is given to justify additional assignments. It is believed that ARIN staff is currently applying the HD_Ratio similar to the ISP policy, this puts that in writing. Timetable for implementation: Immediate From briand at ca.afilias.info Wed Sep 5 10:36:02 2007 From: briand at ca.afilias.info (briand at ca.afilias.info) Date: Wed, 5 Sep 2007 10:36:02 -0400 (EDT) Subject: [ppml] Policy Proposal: Decreasing Exponential Rationingof IPv4 IP Addresses In-Reply-To: References: <85975A4A-0077-4B71-B303-FD9FE27615F6@muada.com> <8CC5B9B8-FB3D-4C7F-BD6B-089E31979FAD@muada.com>

Message-ID: <64004.74.122.168.81.1189002962.squirrel@look.libertyrms.com> Iljitch wrote: > Have a look at the monthly data since 2006 and tell me if you can > spot a trend: [monthly data snipped] Taking the monthly data, and doing sliding window averages, trends show up pretty quickly. There's annual cyclical variances, but year over year, each month should show the same trend. Sliding average data on 4-month window: 4 month sliding window average ending 2006-04 is 15.05 4 month sliding window average ending 2006-05 is 15.29 4 month sliding window average ending 2006-06 is 13.81 4 month sliding window average ending 2006-07 is 14.41 4 month sliding window average ending 2006-08 is 14.15 4 month sliding window average ending 2006-09 is 14.22 4 month sliding window average ending 2006-10 is 14.40 4 month sliding window average ending 2006-11 is 14.12 4 month sliding window average ending 2006-12 is 14.00 4 month sliding window average ending 2007-01 is 14.32 4 month sliding window average ending 2007-02 is 15.99 4 month sliding window average ending 2007-03 is 16.10 4 month sliding window average ending 2007-04 is 15.70 4 month sliding window average ending 2007-05 is 16.57 4 month sliding window average ending 2007-06 is 17.09 4 month sliding window average ending 2007-07 is 17.19 4 month sliding window average ending 2007-08 is 19.29 Two observations: - monthly averages > 14M/month - trending upwards (however slightly) > But in another couple of years it doesn't matter anymore because > we'll be so close that we know for sure we'll run out soon. Bingo. Monotonically increasing usage, and increasing rate of usage. We will run out, and reasonably soon. Even if the rate flattens, e.g at 20M/month, we will still exhaust the pool in << 5 years. Whether it is 3, 4, or 5 years, that's still a very short time to be fully IPv6+IPv4, for those who want to be around after IPv4 addresses are very hard to get. Brian From sleibrand at internap.com Wed Sep 5 14:08:15 2007 From: sleibrand at internap.com (Scott Leibrand) Date: Wed, 05 Sep 2007 11:08:15 -0700 Subject: [ppml] Policy Proposal 2007-24: IPv6 Assignment Guidelines In-Reply-To: <46DEA494.9040001@arin.net> References: <46DEA494.9040001@arin.net> Message-ID: <46DEF08F.8080209@internap.com> I support this policy, as it seems to be a reasonable clarification of ARIN policy on the subject, without any onerous restrictions on LIR decision making. I would hope that ARIN staff would interpret "Assignments greater than /48 will be reviewed" to mean that they would review the assignments only if/when the LIR asks for additional IPv6 address space. (That's my interpretation of the intent of the proposal. If the Author's intent differs, please speak up.) -Scott Member Services wrote: > On 30 August 2007, the ARIN Advisory Council (AC) concluded their > initial review of "IPv6 Assignment Guidelines" and accepted it as a > formal policy proposal for discussion by the community. > > The proposal is designated Policy Proposal 2007-24: IPv6 Assignment > Guidelines. The proposal text is below and can be found at: > http://www.arin.net/policy/proposals/2007_24.html > > All persons in the community are encouraged to discuss Policy Proposal > 2007-24 prior to it being presented at the ARIN Public Policy Meeting in > Albuquerque, New Mexico, 17-18 October 2007. Both the discussion on the > Public Policy Mailing List and at the Public Policy Meeting will be used > to determine the community consensus regarding this policy proposal. > > The ARIN Internet Resource Policy Evaluation Process can be found at: > http://www.arin.net/policy/irpep.html > > ARIN's Policy Proposal Archive can be found at: > http://www.arin.net/policy/proposals/proposal_archive.html > > Regards, > > Member Services > American Registry for Internet Numbers (ARIN) > > > ## * ## > > > Proposal 2007-24 > IPv6 Assignment Guidelines > > Author: Leo Bicknell and Ed Lewis > > Proposal type: new > > Policy term: permanent > > Policy statement: > > Delete the text in 6.5.4.2 and Replace the text in section 6.5.4.1 with > the following text: > > Assignments by LIRs /48 or smaller will not be reviewed by ARIN. > Assignments greater than /48 will be reviewed to see if the additional > space is warranted according to the 0.94 HD ratio policy. If the space > is not warranted, ARIN will consider the excess space to be available > for a different assignment, lowering the overall utilization score of > the LIR. > > Rationale: > > The existing section 6.5.4.1 does not provide clear guidance on how ARIN > should treat prefixes allocated to a site should an ISP come back for > additional space in the future. This makes it difficult for LIR's to > know if they are allocating in accordance with the rules under which > they will be judged in the future. The existing section also provides no > guidence on what the LIR or ARIN should do in the case a larger prefix > is necessary. > > Timetable for implementation: immediate > > > > > _______________________________________________ > PPML > You are receiving this message because you are subscribed to the ARIN Public Policy > Mailing List (PPML at arin.net). > Unsubscribe or manage your mailing list subscription at: > http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN Member Services > Help Desk at info at arin.net if you experience any issues. > From bicknell at ufp.org Wed Sep 5 20:18:26 2007 From: bicknell at ufp.org (Leo Bicknell) Date: Wed, 5 Sep 2007 20:18:26 -0400 Subject: [ppml] Policy Proposal 2007-24: IPv6 Assignment Guidelines In-Reply-To: <46DEF08F.8080209@internap.com> References: <46DEA494.9040001@arin.net> <46DEF08F.8080209@internap.com> Message-ID: <20070906001826.GA84006@ussenterprise.ufp.org> In a message written on Wed, Sep 05, 2007 at 11:08:15AM -0700, Scott Leibrand wrote: > I would hope that ARIN staff would interpret "Assignments greater than > /48 will be reviewed" to mean that they would review the assignments > only if/when the LIR asks for additional IPv6 address space. (That's my > interpretation of the intent of the proposal. If the Author's intent > differs, please speak up.) It's probably not wrong to think about it that way, but that's not exactly my intent. ARIN today does sometimes do reviews outside of a renewal request. I don't know when those occur today, but they would also be an appropriate time. I don't think this language would increase (or decrease) the number of times ARIN would ask for the information, it just clarifies what they will ask for when they do ask. I'm not interested in changing the frequency of review, just clarifing what happens when there is a review. -- Leo Bicknell - bicknell at ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - tmbg-list-request at tmbg.org, www.tmbg.org -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available URL: From sleibrand at internap.com Wed Sep 5 21:01:05 2007 From: sleibrand at internap.com (Scott Leibrand) Date: Wed, 05 Sep 2007 18:01:05 -0700 Subject: [ppml] Policy Proposal 2007-24: IPv6 Assignment Guidelines In-Reply-To: <20070906001826.GA84006@ussenterprise.ufp.org> References: <46DEA494.9040001@arin.net> <46DEF08F.8080209@internap.com> <20070906001826.GA84006@ussenterprise.ufp.org> Message-ID: <46DF5151.70906@internap.com> Leo Bicknell wrote: > > ARIN today does sometimes do reviews outside > of a renewal request. I don't know when those occur today, but > they would also be an appropriate time. > > I don't think this language would increase (or decrease) the number > of times ARIN would ask for the information, it just clarifies what > they will ask for when they do ask. I'm not interested in changing > the frequency of review, just clarifing what happens when there is > a review. > Fair enough: as long as it doesn't require ARIN to review more than they otherwise would that's fine with me. -Scott From drc at virtualized.org Wed Sep 5 21:30:22 2007 From: drc at virtualized.org (David Conrad) Date: Wed, 5 Sep 2007 18:30:22 -0700 Subject: [ppml] IPv6 flawed? In-Reply-To: <60037.74.122.168.81.1188929633.squirrel@look.libertyrms.com> References: <200708311233.l7VCXYBj005107@cjbsys.bdb.com><82435.1188567258@sa.vix.com><6F089EC1-589B-4192-AE7E-9DAC2BE6ACC4@virtualized.org>

<1712.1188707832@sa.vix.com> <11A63A70-EFD7-49CD-9DCB-78F81B1FB2BC@muada.com> <7EF0D548-D8E5-4DC2-A956-21657A8B96F3@delong.com> <60037.74.122.168.81.1188929633.squirrel@look.libertyrms.com> Message-ID: Brian, On Sep 4, 2007, at 11:13 AM, briand at ca.afilias.info wrote: > - breaking the hard limit will most likely result in IPv6 getting > tossed Very true. An interesting point I hadn't really considered. > So, the short term need, to avoid a "tragedy of the commons" effect, > where short term is likely 3-5 years, is that O(IPv6 PI) == O(ASNs). > Meaning, we need to keep PI space down to about 1 per ASN. According to , we're seeing the "deaggregation factor" increase "slowly and steadily since 'records began'", with the fastest growth occurring in the "new" Internet (the graph on page 15 is very interesting). Since IPv6 uses the same routing and traffic engineering technology as IPv4, I am curious what constraints could be put in place to keep PI space down to about 1 per ASN. Particularly given PI allocation policies either have been or are being liberalized in all the RIRs (for sound economic and business reasons, at least from the perspective of the Internet end users). Perhaps more distressingly, if you believe the post IPv4 run out world is going to be awash with long prefixes taken from holders of legacy space as IPv4 address space is used more efficiently after free pool run out, the deaggregation factor of the "old" Internet is likely going to ramp up quite quickly. This would seem to imply IPv6 could get strangled long before it could take off, regardless of RIR allocation policies. Regards, -drc From dlw+arin at tellme.com Thu Sep 6 12:30:42 2007 From: dlw+arin at tellme.com (David Williamson) Date: Thu, 6 Sep 2007 09:30:42 -0700 Subject: [ppml] IPv6 flawed? In-Reply-To: References:

<1712.1188707832@sa.vix.com> <11A63A70-EFD7-49CD-9DCB-78F81B1FB2BC@muada.com> <7EF0D548-D8E5-4DC2-A956-21657A8B96F3@delong.com> <60037.74.122.168.81.1188929633.squirrel@look.libertyrms.com> Message-ID: <20070906163042.GE23217@shell01.cell.sv2.tellme.com> On Wed, Sep 05, 2007 at 06:30:22PM -0700, David Conrad wrote: > Since IPv6 uses the same > routing and traffic engineering technology as IPv4, I am curious what > constraints could be put in place to keep PI space down to about 1 > per ASN. Particularly given PI allocation policies either have been > or are being liberalized in all the RIRs (for sound economic and > business reasons, at least from the perspective of the Internet end > users). I don't understand why you single out PI holders in this. I'm wondering how many ASNs now advertise more than 2 PI prefixes...I know that the six ASNs I have some control over have single PI chunks assigned to them. I have an association with another org that has two PI announcements from a single AS, primarily because one of them is from the class C swamp. I suspect that PA holders are just as guilty of deaggregation. Outside of TE or simple sloppiness, there's been a lot of business activity that leads to a lot of mergers and associated extra announcements. Finally, there's all of the PA space that's getting used for multi-homing. From a routing point of view, that's exactly the same as PI space - it's some smallish chunk in the middle of some other block that's still attached to a single ASN (and different from the parent chunk). I'm sorry, but I don't see how PI space (when used responsibly) is a culprit in the growth of the routing table any more than PA space. The real culprit is multi-homing and TE. Clearly, we should just forbid that. (Yeah, right.) As a network operator, I entirely agree that the problem is going to come to a head at some point, and things are going to break. What things break and how remains to be seen...but something has got to change. Personally, I suspect we're going to see more and more long IPv4 prefixes in the DFZ. I don't think it's up to ARIN or the other RIRs to figure out how that will work. I do think it's up to ARIN to hand out space in a sensible manner, possibly including longer prefix PI and PA space. The routing community is going to have to figure out how to either: a) scale the routing system appropriately, or b) figure out how to value a specific prefix. For the latter, consider if windowsupdate.microsoft.com was a single VIP or set of VIPs that resides in a /29. As an ISP, would you route that /29? You bet you would...or you'd lose customers to the guy that is. How do you differentiate the value of that /29 versus some random /29 that appears in the routing system for something of much lesser value? I haven't the faintest idea on that. If I did, I'd quit may day job and start consulting full-time. Anyway, now that I've ranted on this topic space a bit, I'm hoping someone can provide some numbers to show that PI space is more responsible than PA space for the deaggregation noted in the posts in this thread. I really don't see it as any different. -David From marla.azinger at frontiercorp.com Thu Sep 6 12:42:40 2007 From: marla.azinger at frontiercorp.com (Azinger, Marla) Date: Thu, 6 Sep 2007 12:42:40 -0400 Subject: [ppml] IPv6 flawed? Message-ID: <454810F09B5AA04E9D78D13A5C39028A0272FA07@nyrofcs2ke2k01.corp.pvt> ok. you got me wondering... Do you have any stats you can provide that show PA IPv6 being subnetted down more specific than a /32 and actually getting through routers that way? And if yes, how many? I would love to see the actual numbers. I dont mean to be snarky, I just really want to know if this is really happening with PA space on large, medium or small scale. And whether its perception or reality, I dont know. I would love to see the stats on PI space being routed and successfully making its way through filters in anything more specific than the original allocation from its RIR. I believe just based on the nature of how current policy is written in ARIN RIR for PI, it naturally lends itself to being used for multihoming and TE. And just for the record. Long live multihoming and TE! ;o) Cheers! Marla Azinger Frontier Communications -----Original Message----- From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net]On Behalf Of David Williamson Sent: Thursday, September 06, 2007 9:31 AM To: David Conrad Cc: Public Policy Mailing List Subject: Re: [ppml] IPv6 flawed? On Wed, Sep 05, 2007 at 06:30:22PM -0700, David Conrad wrote: > Since IPv6 uses the same > routing and traffic engineering technology as IPv4, I am curious what > constraints could be put in place to keep PI space down to about 1 > per ASN. Particularly given PI allocation policies either have been > or are being liberalized in all the RIRs (for sound economic and > business reasons, at least from the perspective of the Internet end > users). I don't understand why you single out PI holders in this. I'm wondering how many ASNs now advertise more than 2 PI prefixes...I know that the six ASNs I have some control over have single PI chunks assigned to them. I have an association with another org that has two PI announcements from a single AS, primarily because one of them is from the class C swamp. I suspect that PA holders are just as guilty of deaggregation. Outside of TE or simple sloppiness, there's been a lot of business activity that leads to a lot of mergers and associated extra announcements. Finally, there's all of the PA space that's getting used for multi-homing. From a routing point of view, that's exactly the same as PI space - it's some smallish chunk in the middle of some other block that's still attached to a single ASN (and different from the parent chunk). I'm sorry, but I don't see how PI space (when used responsibly) is a culprit in the growth of the routing table any more than PA space. The real culprit is multi-homing and TE. Clearly, we should just forbid that. (Yeah, right.) As a network operator, I entirely agree that the problem is going to come to a head at some point, and things are going to break. What things break and how remains to be seen...but something has got to change. Personally, I suspect we're going to see more and more long IPv4 prefixes in the DFZ. I don't think it's up to ARIN or the other RIRs to figure out how that will work. I do think it's up to ARIN to hand out space in a sensible manner, possibly including longer prefix PI and PA space. The routing community is going to have to figure out how to either: a) scale the routing system appropriately, or b) figure out how to value a specific prefix. For the latter, consider if windowsupdate.microsoft.com was a single VIP or set of VIPs that resides in a /29. As an ISP, would you route that /29? You bet you would...or you'd lose customers to the guy that is. How do you differentiate the value of that /29 versus some random /29 that appears in the routing system for something of much lesser value? I haven't the faintest idea on that. If I did, I'd quit may day job and start consulting full-time. Anyway, now that I've ranted on this topic space a bit, I'm hoping someone can provide some numbers to show that PI space is more responsible than PA space for the deaggregation noted in the posts in this thread. I really don't see it as any different. -David _______________________________________________ PPML You are receiving this message because you are subscribed to the ARIN Public Policy Mailing List (PPML at arin.net). Unsubscribe or manage your mailing list subscription at: http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN Member Services Help Desk at info at arin.net if you experience any issues. From sethm at rollernet.us Thu Sep 6 12:44:59 2007 From: sethm at rollernet.us (Seth Mattinen) Date: Thu, 06 Sep 2007 09:44:59 -0700 Subject: [ppml] IPv6 flawed? In-Reply-To: <20070906163042.GE23217@shell01.cell.sv2.tellme.com> References:

<1712.1188707832@sa.vix.com> <11A63A70-EFD7-49CD-9DCB-78F81B1FB2BC@muada.com> <7EF0D548-D8E5-4DC2-A956-21657A8B96F3@delong.com> <60037.74.122.168.81.1188929633.squirrel@look.libertyrms.com> <20070906163042.GE23217@shell01.cell.sv2.tellme.com> Message-ID: <46E02E8B.3080204@rollernet.us> David Williamson wrote: > On Wed, Sep 05, 2007 at 06:30:22PM -0700, David Conrad wrote: >> Since IPv6 uses the same >> routing and traffic engineering technology as IPv4, I am curious what >> constraints could be put in place to keep PI space down to about 1 >> per ASN. Particularly given PI allocation policies either have been >> or are being liberalized in all the RIRs (for sound economic and >> business reasons, at least from the perspective of the Internet end >> users). > > I don't understand why you single out PI holders in this. I'm > wondering how many ASNs now advertise more than 2 PI prefixes...I know > that the six ASNs I have some control over have single PI chunks > assigned to them. I have an association with another org that has two > PI announcements from a single AS, primarily because one of them is > from the class C swamp. > > I suspect that PA holders are just as guilty of deaggregation. Outside > of TE or simple sloppiness, there's been a lot of business activity > that leads to a lot of mergers and associated extra announcements. > When I was forced to use PA space (because I didn't qualify for PI space at the time) I didn't have any choice but to announce all my /24's individually. Now that I finally have PI space I have the ability to announce one prefix once I finish renumbering. It's not my fault, the rules made me announce extra cruft into the routing table even though I knew better. I'd say multihoming PA holders are more likely to deaggregate because they're forced to pick up and announce random /24's here and there until they can get PI space. ~Seth From iljitsch at muada.com Thu Sep 6 13:30:19 2007 From: iljitsch at muada.com (Iljitsch van Beijnum) Date: Thu, 6 Sep 2007 19:30:19 +0200 Subject: [ppml] IPv6 flawed? In-Reply-To: References: <200708311233.l7VCXYBj005107@cjbsys.bdb.com><82435.1188567258@sa.vix.com><6F089EC1-589B-4192-AE7E-9DAC2BE6ACC4@virtualized.org>

<1712.1188707832@sa.vix.com> <11A63A70-EFD7-49CD-9DCB-78F81B1FB2BC@muada.com> <7EF0D548-D8E5-4DC2-A956-21657A8B96F3@delong.com> <60037.74.122.168.81.1188929633.squirrel@look.libertyrms.com> <20070906163042.GE23217@shell01.cell.sv2.tellme.com> Message-ID: <20070909192527.GA11504@gweep.net> On Thu, Sep 06, 2007 at 09:30:42AM -0700, David Williamson wrote: [snip] > I'm sorry, but I don't see how PI space (when used responsibly) is a > culprit in the growth of the routing table any more than PA space. The > real culprit is multi-homing and TE. Clearly, we should just forbid > that. (Yeah, right.) Assuming global-scope 'TE' by abusing longest-match is the single most common instance I've run across when discussing fixing the announcements with the culprit deaggregators over the last decade. Out of the stack of offered solutions in many fora, providing a set of well-known communities to allow the standardization of provider- by-provider often-implemented redistribution communities was the best I had seen at addressing real operator desires (deaggregation based TE) and problems (easily limiting the scope of the announcements). ISTR more generalized approach being discussed in ptomaine/grow, but rfc3765 seems to be the only result. However, allowing customers to tell you how to manage your capacity or finances isn't the same as "this route doesn't need to be seen N ASNs away". Cheers, Joe -- RSUC / GweepNet / Spunk / FnB / Usenix / SAGE From dean at av8.com Mon Sep 10 18:15:36 2007 From: dean at av8.com (Dean Anderson) Date: Mon, 10 Sep 2007 18:15:36 -0400 (EDT) Subject: [ppml] IPv6 flawed? In-Reply-To: Message-ID: On Wed, 5 Sep 2007, David Conrad wrote: > On Sep 4, 2007, at 11:13 AM, briand at ca.afilias.info wrote: > > - breaking the hard limit will most likely result in IPv6 getting > > tossed > > Very true. An interesting point I hadn't really considered. Of course, one might use separate hardware for IPv4 and IPv6 as a solution to such problems. There seems to be way too much emphasis on trying to load IPv6 onto IPv4. While I can see that you might want to send IPv4 and IPv6 packets over the same WAN connections, and over the same LAN hardware, there is no reason to mix them further. Indeed, probably there are more good reasons not to mix them. Indeed, embedded systems builders have to replace some IPv4/IPv6-muddled programs when they turn off IPv6, or suffer build problems. > This would seem to imply IPv6 could get strangled long before it could > take off, regardless of RIR allocation policies. Its sort of ironic that the motivation for creating IPv6 was address depletion, when address depletion will kill IPv6. IPv6 was supposed to "take off" between 1995 and 2005. Seems we are behind schedule by a lot. Maybe IPv6 is already dead, suffocated by a variety of things, but most notably by market rejection and government refusal. The IPng book is a useful roadmap to what's wrong with IPv6: (just a few quotes) "It should be explicitly noted that the reasons which are compelling the Internet Community to create IPng [...] are not themselves adequate motivations for users to deploy IPng within their own private networks" "The IETF firmly believed that it must "own" the standards" pg 199 "Therefore, for a number of reasons, unfortunately including prejudice in a few cases..." pg 199 So, here it is: 'the users won't want it, and unsavory politics drives the process.' Hmm... Let me think... No, not something I want to buy into, I think. Unsavory politics has since turned into bad science. (e.g. Stateful Anycast fraud, Patent fraud, see http://www.av8.net/IETF-watch/) I bought the IPng book in 1996. I haven't looked at it in years. In retrospect, this book contains just exactly the things one hopes not to hear. So, I think it means more now than it did then. Its no wonder things are not working out... The important question is whether there is an alternative. Indeed, there might still be a viable alternative. I think if we have to pull together an alternative in the next few years, it has to be ISO/CLNP TUBA (TCP/UDP over CLNP, RFC1347, RFC1561, et al). This was an early contentious proposal for IPng. In retrospect, maybe that would be better. The reason it is still viable is that CLNP is already (still) supported by router vendors, and still used for IS-IS. To entirely replace IPv6 with CLNP/TUBA requires: CLNP stacks for host computers setting up a Nameservice Allocating global address space setting up IDRP (basically BGP for OSI) porting/deploying applications Basically, this is about the same as what remains to do with IPv6. [hmm. after 14+ years work on IPv6, we are still where we were in 1993...sigh] There are some advantages, though: An advantage is that CLNP interoperability between vendors is already guaranteed, and developers of host implmentations can test with existing working implementations, rather than trying to read unimplemented specifications and hoping they do what everyone else will do. No such problems plague CLNP, so, we have none of the interoperability problems that continue to plague IPv6. Large private networks could keep their IPv4 infrastructure, and connect via IPv4 gateways and proxies and upgrade to CLNP/TUBA as necessary. Doing 'gateway/proxy of IPv4' is probably same as they would otherwise do with IPv6, so this will be pretty transparent to most users. Private networks that need CLNS features directly could upgrade all or part of their network as necessary. The situation is even better for ISPs: Dual stack (IPv4/CLNP) network operation is _already_ implemented, so ISPs don't need to upgrade very much, or make very much change at all--basically just configure/upgrade for IDRP (the OSI BGP), perform address assignment to customers, configure ISIS for CLNP routing The big one: Customers continue to run IPv4 until they choose to upgrade. Bringing up CLNP stack on hosts is easier than IPv6 because the protocol is stable and well-defined, and already implemented by multiple vendors who solved interoperation problems long ago. Another advantage is that we all can completely bypass the IPv6 profiteers and their baggage, including Root DNS mismanagement. Cisco and other vendors support CLNP now. Here's a Cisco page on CLNP: http://www.cisco.com/warp/public/535/2.html Maybe we can still get IPv6 to work; the saying goes that one can't polish a t*rd; I think one can get just about anything to run, though maybe not well. --Dean -- Av8 Internet Prepared to pay a premium for better service? www.av8.net faster, more reliable, better service 617 344 9000 From drc at virtualized.org Mon Sep 10 21:12:09 2007 From: drc at virtualized.org (David Conrad) Date: Mon, 10 Sep 2007 18:12:09 -0700 Subject: [ppml] IPv6 flawed? In-Reply-To: <6724492E-7A08-4B58-827F-96CDB5A9D23F@muada.com> References: <200708311233.l7VCXYBj005107@cjbsys.bdb.com><82435.1188567258@sa.vix.com><6F089EC1-589B-4192-AE7E-9DAC2BE6ACC4@virtualized.org>

<1712.1188707832@sa.vix.com> <11A63A70-EFD7-49CD-9DCB-78F81B1FB2BC@muada.com> <7EF0D548-D8E5-4DC2-A956-21657A8B96F3@delong.com> <60037.74.122.168.81.1188929633.squirrel@look.libertyrms.com> <6724492E-7A08-4B58-827F-96CDB5A9D23F@muada.com> Message-ID: Iljitsch, On Sep 6, 2007, at 10:30 AM, Iljitsch van Beijnum wrote: >> According to > sanog10-pfs-deaggregation-report.pdf>, we're seeing the >> "deaggregation factor" increase "slowly and steadily since 'records >> began'", with the fastest growth occurring in the "new" Internet (the >> graph on page 15 is very interesting). > > Note that this is "prefixes with maximum achievable aggregation" vs > "currently seen prefixes". If you count the number of prefixes per > AS, you'll be getting the same number for a good number of years: 8. Well, yes. And if you truncate the deaggregation factor, you get 1 since data collection started. Looking at the historic data from the published routing analysis of prefixes per AS, you'll see a fairly rapid decent from 12.13 in Feb 1999 to 7.97 in Jan 2004 after which it has been increasing "slowly and steadily" ever since (we're at 8.81 now). Interestingly, if you look at the ratio of ASes that are announcing a single prefix to all ASes, it has consistently gone up (from 27% in 1999 to 42% today). I suspect both of these are causes for worry. The first is likely driven primarily by people breaking up aggregates for good or bad reasons. The second is likely due to multihoming. Fortunately, the growth isn't that great right now. The big question is how these trends will change in the future. >> Since IPv6 uses the same >> routing and traffic engineering technology as IPv4, I am curious what >> constraints could be put in place to keep PI space down to about 1 >> per ASN. > > Prefixes per AS aren't limited by routing technology (if only it > could...) so this is irrelevant. Yet you go ahead and address this irrelevancy: > in IPv6, you'll be either getting a /32 or a /48 as a PI block. So > unless you manage to get multiple PI blocks, any efforts to inject > more than a single prefix will easily be thwarted by prefix length > filters. Of course, this assumes people will implement and maintain prefix length filters. I'm told by some in the ISP business that the economic pressure to remove such filters is sufficiently high that they don't believe prefix length filters are viable in the long term (I'm paraphrasing a bit). Regards, -drc From john at quonix.net Mon Sep 10 22:14:19 2007 From: john at quonix.net (John Von Essen) Date: Mon, 10 Sep 2007 22:14:19 -0400 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy Message-ID: Disclaimer: This is my first post, so be kind! A run-in with a local ISP in my area was a cause for concern. That lead me to a closer understanding of ARINs reverse DNS policy, then an email to ARINs hostmaster, and now an email to this list. First, let me describe the scenario that spawned all of this. 1. I signup for DSL and receive an account with an IP address that does not resolve. 2. Upon review, its more then a missing PTR, the IP I was given belongs to an in-addr.arpa zone which is not mapped at all in the ISP's DNS servers - the servers indicated in their IP assignments from ARIN. It is not site-wide however, some in-addr.arpa's they map, others they do not. 3. Several functions on my PC incur long reverse DNS timeouts (up to 30 seconds) as a result. i.e. sending mail through smtp, telnet and ssh connections, and any other protocol which natively has built in reverse DNS checks. 4. Contact ISP to resolve, no luck. 5. Contacted ISPs ARIN Tech/Abuse/NOC POCs, still no luck. After contacting the ARIN hostmaster, it is my understanding that under the current policy the ISP in question is not violating anything. Since at least one in-addr.arpa prefix in their range is properly mapped, their reverse DNS servers are not considered Lame. I do not agree with this. I feel that every prefix advertised from an AS should have all of its in-addr.arpa zones mapped, that is 100% compliancy for reverse DNS. I feel that the scenario of these dns timeouts is significant and should be avoided. Theoretically, it is causing an environment that wastes UDP connections. Consider GoDaddy's public SMTP server for email customers. Every user that hits that smtp server causes a reverse dns check - so a UDP connection is needed, but quickly recycled because it finishes within a few milliseconds. But users who come from ISPs who do not map their in-addr.arpa cause GoDaddy's resolvers to open a UDP connection and wait for a timeout, then retry, wait, then try secondary, server, etc.,. Thereby wasting resources on GoDaddy's internal resolving DNS servers. What are other peoples thoughts on this? Could the policy be updated requiring full mapping of ALL in-addr.arpa zones that an AS advertises? ARIN wont have to police behavior of ISPs, just have the policy in place so the community can say to a rogue ISP, "Hey, you violate policy". Down the road automated systems would be nice to automatically find AS's who violate. Thanks, John Von Essen (800) 248-1736 ext 100 President, Quonix Networks, Inc. john at quonix.net -------------- next part -------------- An HTML attachment was scrubbed... URL: From HRyu at norlight.com Mon Sep 10 22:26:05 2007 From: HRyu at norlight.com (Hyunseog Ryu) Date: Mon, 10 Sep 2007 21:26:05 -0500 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy Message-ID: I don't think this should be considered as policy discussion. It's their way to manage reverse zone data. it seems to me that they have inverse dns setup for allocated ip block, but they don't maintain the data as up-to-dated. It should be dealt between you and your ISP, and there is not much ARIN can do. If your ISP doesn't update reverse DNS data for your IP, it's their customer case handling problem. You can escalate the case with your ISP, or find somebody else. This is my humble opinion. Hyun Sent from blackberry on the road ----- Original Message ----- From: John Von Essen [john at quonix.net] Sent: 09/10/2007 10:14 PM AST To: Public Policy Mailing List Subject: [ppml] Comments on ARIN's reverse DNS mapping policy Disclaimer: This is my first post, so be kind! A run-in with a local ISP in my area was a cause for concern. That lead me to a closer understanding of ARINs reverse DNS policy, then an email to ARINs hostmaster, and now an email to this list. First, let me describe the scenario that spawned all of this. 1. I signup for DSL and receive an account with an IP address that does not resolve. 2. Upon review, its more then a missing PTR, the IP I was given belongs to an in-addr.arpa zone which is not mapped at all in the ISP's DNS servers - the servers indicated in their IP assignments from ARIN. It is not site-wide however, some in-addr.arpa's they map, others they do not. 3. Several functions on my PC incur long reverse DNS timeouts (up to 30 seconds) as a result. i.e. sending mail through smtp, telnet and ssh connections, and any other protocol which natively has built in reverse DNS checks. 4. Contact ISP to resolve, no luck. 5. Contacted ISPs ARIN Tech/Abuse/NOC POCs, still no luck. After contacting the ARIN hostmaster, it is my understanding that under the current policy the ISP in question is not violating anything. Since at least one in-addr.arpa prefix in their range is properly mapped, their reverse DNS servers are not considered Lame. I do not agree with this. I feel that every prefix advertised from an AS should have all of its in-addr.arpa zones mapped, that is 100% compliancy for reverse DNS. I feel that the scenario of these dns timeouts is significant and should be avoided. Theoretically, it is causing an environment that wastes UDP connections. Consider GoDaddy's public SMTP server for email customers. Every user that hits that smtp server causes a reverse dns check - so a UDP connection is needed, but quickly recycled because it finishes within a few milliseconds. But users who come from ISPs who do not map their in-addr.arpa cause GoDaddy's resolvers to open a UDP connection and wait for a timeout, then retry, wait, then try secondary, server, etc.,. Thereby wasting resources on GoDaddy's internal resolving DNS servers. What are other peoples thoughts on this? Could the policy be updated requiring full mapping of ALL in-addr.arpa zones that an AS advertises? ARIN wont have to police behavior of ISPs, just have the policy in place so the community can say to a rogue ISP, "Hey, you violate policy". Down the road automated systems would be nice to automatically find AS's who violate. Thanks, John Von Essen (800) 248-1736 ext 100 President, Quonix Networks, Inc. john at quonix.net -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- _______________________________________________ PPML You are receiving this message because you are subscribed to the ARIN Public Policy Mailing List (PPML at arin.net). Unsubscribe or manage your mailing list subscription at: http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN Member Services Help Desk at info at arin.net if you experience any issues. From john at quonix.net Mon Sep 10 22:44:18 2007 From: john at quonix.net (John Von Essen) Date: Mon, 10 Sep 2007 22:44:18 -0400 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy In-Reply-To: References: Message-ID: <500EA4D6-1C28-46C9-89CE-103B4B6E3DF7@quonix.net> Couple of quick points. I have spent three weeks with the ISP, and they are either incompetent or unwilling to resolve, or both. And it is definitely not a case of them rolling out a new /24 and simply forgetting to add it to their DNS server. I have done some digging around, and they have massive amounts of IPs ranges that have no in-addr.arpa mappings. I understand some people think that this is an ISP-and-customer issue, but when an ISP who has a /16 or larger assignment and they engage in activity that literally slows down external resolvers throughout the internet by causing tons of excessive reverse DNS timeouts, I do feel it is ARIN's responsibility to have a policy that will official denounce this practice -John On Sep 10, 2007, at 10:26 PM, Hyunseog Ryu wrote: > > I don't think this should be considered as policy discussion. > It's their way to manage reverse zone data. > it seems to me that they have inverse dns setup for allocated ip > block, but they don't maintain the data as up-to-dated. > It should be dealt between you and your ISP, and there is not much > ARIN can do. > If your ISP doesn't update reverse DNS data for your IP, it's their > customer case handling problem. > You can escalate the case with your ISP, or find somebody else. > This is my humble opinion. > > Hyun > Sent from blackberry on the road > > ----- Original Message ----- > From: John Von Essen [john at quonix.net] > Sent: 09/10/2007 10:14 PM AST > To: Public Policy Mailing List > Subject: [ppml] Comments on ARIN's reverse DNS mapping policy > > > Disclaimer: This is my first post, so be kind! > > A run-in with a local ISP in my area was a cause for concern. That > lead me to a closer understanding of ARINs reverse DNS policy, then > an email to ARINs hostmaster, and now an email to this list. > > First, let me describe the scenario that spawned all of this. > > 1. I signup for DSL and receive an account with an IP address that > does not resolve. > 2. Upon review, its more then a missing PTR, the IP I was given > belongs to an in-addr.arpa zone which is not mapped at all in the > ISP's DNS servers - the servers indicated in their IP assignments > from ARIN. It is not site-wide however, some in-addr.arpa's they > map, others they do not. > 3. Several functions on my PC incur long reverse DNS timeouts (up > to 30 seconds) as a result. i.e. sending mail through smtp, telnet > and ssh connections, and any other protocol which natively has > built in reverse DNS checks. > 4. Contact ISP to resolve, no luck. > 5. Contacted ISPs ARIN Tech/Abuse/NOC POCs, still no luck. > > After contacting the ARIN hostmaster, it is my understanding that > under the current policy the ISP in question is not violating > anything. Since at least one in-addr.arpa prefix in their range is > properly mapped, their reverse DNS servers are not considered Lame. > > I do not agree with this. I feel that every prefix advertised from > an AS should have all of its in-addr.arpa zones mapped, that is > 100% compliancy for reverse DNS. > > I feel that the scenario of these dns timeouts is significant and > should be avoided. Theoretically, it is causing an environment that > wastes UDP connections. Consider GoDaddy's public SMTP server for > email customers. Every user that hits that smtp server causes a > reverse dns check - so a UDP connection is needed, but quickly > recycled because it finishes within a few milliseconds. But users > who come from ISPs who do not map their in-addr.arpa cause > GoDaddy's resolvers to open a UDP connection and wait for a > timeout, then retry, wait, then try secondary, server, etc.,. > Thereby wasting resources on GoDaddy's internal resolving DNS servers. > > What are other peoples thoughts on this? Could the policy be > updated requiring full mapping of ALL in-addr.arpa zones that an AS > advertises? > > ARIN wont have to police behavior of ISPs, just have the policy in > place so the community can say to a rogue ISP, "Hey, you violate > policy". Down the road automated systems would be nice to > automatically find AS's who violate. > > > > Thanks, > John Von Essen > (800) 248-1736 ext 100 > President, Quonix Networks, Inc. > john at quonix.net > > > _______________________________________________ > PPML > You are receiving this message because you are subscribed to the > ARIN Public Policy > Mailing List (PPML at arin.net). > Unsubscribe or manage your mailing list subscription at: > http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN > Member Services > Help Desk at info at arin.net if you experience any issues. Thanks, John Von Essen (800) 248-1736 ext 100 john at quonix.net -------------- next part -------------- An HTML attachment was scrubbed... URL: From BehmJL at bv.com Mon Sep 10 23:21:10 2007 From: BehmJL at bv.com (Behm, Jeffrey L.) Date: Mon, 10 Sep 2007 22:21:10 -0500 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy References: <500EA4D6-1C28-46C9-89CE-103B4B6E3DF7@quonix.net> Message-ID: <0C3670BC9169B244AA6E7B2E436180D1F9BC7D@TSMC-MAIL-04.na.bvcorp.net> I would say it's time to find a new ISP. On Mon 9/10/2007 9:44 PM, John Von Essen said: >I understand some people think that this is an ISP-and-customer issue, but when an ISP who >has a /16 or larger assignment and they engage in activity that literally slows down external >resolvers throughout the internet by causing tons of excessive reverse DNS timeouts, I do >feel it is ARIN's responsibility to have a policy that will official denounce this practice -------------- next part -------------- An HTML attachment was scrubbed... URL: From marla.azinger at frontiercorp.com Mon Sep 10 23:44:57 2007 From: marla.azinger at frontiercorp.com (Azinger, Marla) Date: Mon, 10 Sep 2007 23:44:57 -0400 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy Message-ID: <454810F09B5AA04E9D78D13A5C39028A0272FA0D@nyrofcs2ke2k01.corp.pvt> Hi John- Thank you for posting for the first time. I understand your desire to make this an ARIN policy. However, it has long been a position of the ARIN Community (for the most part) that ARIN policy is not to dictate or guarantee routing. Thus, the majority of the responses you will get here will have people telling you to go find a new ISP that has a clue. I hate to say it, but that is what I would suggest too. Hopefully you are in a location that provides you the opportunity to shop around for a clueful ISP. If you really think policy of some kind may help, your best bet is collecting up RFC and BCP's written within the IETF that address cluefull mapping of in-addr. Cheers! Marla Azinger Frontier Communications -----Original Message----- From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net]On Behalf Of John Von Essen Sent: Monday, September 10, 2007 7:14 PM To: Public Policy Mailing List Subject: [ppml] Comments on ARIN's reverse DNS mapping policy Disclaimer: This is my first post, so be kind! A run-in with a local ISP in my area was a cause for concern. That lead me to a closer understanding of ARINs reverse DNS policy, then an email to ARINs hostmaster, and now an email to this list. First, let me describe the scenario that spawned all of this. 1. I signup for DSL and receive an account with an IP address that does not resolve. 2. Upon review, its more then a missing PTR, the IP I was given belongs to an in-addr.arpa zone which is not mapped at all in the ISP's DNS servers - the servers indicated in their IP assignments from ARIN. It is not site-wide however, some in-addr.arpa's they map, others they do not. 3. Several functions on my PC incur long reverse DNS timeouts (up to 30 seconds) as a result. i.e. sending mail through smtp, telnet and ssh connections, and any other protocol which natively has built in reverse DNS checks. 4. Contact ISP to resolve, no luck. 5. Contacted ISPs ARIN Tech/Abuse/NOC POCs, still no luck. After contacting the ARIN hostmaster, it is my understanding that under the current policy the ISP in question is not violating anything. Since at least one in-addr.arpa prefix in their range is properly mapped, their reverse DNS servers are not considered Lame. I do not agree with this. I feel that every prefix advertised from an AS should have all of its in-addr.arpa zones mapped, that is 100% compliancy for reverse DNS. I feel that the scenario of these dns timeouts is significant and should be avoided. Theoretically, it is causing an environment that wastes UDP connections. Consider GoDaddy's public SMTP server for email customers. Every user that hits that smtp server causes a reverse dns check - so a UDP connection is needed, but quickly recycled because it finishes within a few milliseconds. But users who come from ISPs who do not map their in-addr.arpa cause GoDaddy's resolvers to open a UDP connection and wait for a timeout, then retry, wait, then try secondary, server, etc.,. Thereby wasting resources on GoDaddy's internal resolving DNS servers. What are other peoples thoughts on this? Could the policy be updated requiring full mapping of ALL in-addr.arpa zones that an AS advertises? ARIN wont have to police behavior of ISPs, just have the policy in place so the community can say to a rogue ISP, "Hey, you violate policy". Down the road automated systems would be nice to automatically find AS's who violate. Thanks, John Von Essen (800) 248-1736 ext 100 President, Quonix Networks, Inc. john at quonix.net -------------- next part -------------- An HTML attachment was scrubbed... URL: From randy at psg.com Tue Sep 11 00:05:28 2007 From: randy at psg.com (Randy Bush) Date: Mon, 10 Sep 2007 18:05:28 -1000 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy In-Reply-To: <454810F09B5AA04E9D78D13A5C39028A0272FA0D@nyrofcs2ke2k01.corp.pvt> References: <454810F09B5AA04E9D78D13A5C39028A0272FA0D@nyrofcs2ke2k01.corp.pvt> Message-ID: <46E61408.5000100@psg.com> > I understand your desire to make this an ARIN policy. However, it > has long been a position of the ARIN Community (for the most part) > that ARIN policy is not to dictate or guarantee routing. perhaps re-reading the OP's post would reveal that nothing about routing is mentioned. my guess is that you are making an inference from routing to reverse dns. but such a leap may not be completely defensible, as reverse dns is something about which arin does have policy, just not the policy which i think the OP wants. many fora have looked at reverse mapping policy and not made much progress. this is mostly due to a large and loud contingent of "who cares? it does not matter. those who check are s. etc." the problem is that it is the user (that silly person who pays all our salaries) who gets screwed, as you can see from the whining of this particular screwee. most do not know why they get long hangs when doing simple things, they think crap is normal. perhaps it should not be. randy From john at quonix.net Tue Sep 11 00:37:49 2007 From: john at quonix.net (John Von Essen) Date: Tue, 11 Sep 2007 00:37:49 -0400 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy In-Reply-To: <46E61408.5000100@psg.com> References: <454810F09B5AA04E9D78D13A5C39028A0272FA0D@nyrofcs2ke2k01.corp.pvt> <46E61408.5000100@psg.com> Message-ID: <091ECDC1-0112-4FCC-9F2B-E50E0D04158C@quonix.net> Randy - Thanks, you are the first person to not write this off as a "find another ISP" comment. Maria, I understand your comments, but consider this... The current policy on reverse dns mapping "almost" does the job - it just needs to go a tiny bit further. Current policy dictates that you have to map an in-addr.arpa zone for your prefix in order for your nameservers to not be considered lame. Problem is, an AS only has to properly map a single in-addr.arpa to satisfy that requirement. What I am saying is just go a bit further, and have policy dictate that the AS must properly map ALL in- addr.arpa's for advertised prefixes in order for their nameservers to not be considered lame. Seems simple enough. The problem goes beyond the ISP-to-customer scenario. Take Verizon DSL, what if they didn't map the in-addr.arpa's for all their DSL IP's - thats probably 10 or so /16's easily. That would cause tons of problems for various 3rd party organizations all throughout the internet; people like vonage (sip traffic), gmail, postini, or any large smtp environment or protocol dependent on reverse DNS. But the current policy would not consider Verizon's reverse DNS servers as being lame. Because even though there are 1000's of in- addr.arpa zones not mapped (thereby causing excessive timeout on resolvers throughout the world), they do have one mapped to meet the minimum ARIN requirement for non-lameness. That simply doesn't make sense. The threat of one's reverse DNS server being declared lame is the only way to ensure proper reverse DNS mapping. I dont see why 100% enforcement across all advertised prefixes for a given AS is a problem. Lets not forget that reverse DNS plays an important role in the proper operation of many protocols throughout the internet, and one of ARINs most important jobs is delegation of reverse dns authority. ARIN has a responsibility to make sure that the DNS server they are delegating reverse authority too is maintained to at least a minimum level of efficiency. -John On Sep 11, 2007, at 12:05 AM, Randy Bush wrote: >> I understand your desire to make this an ARIN policy. However, it >> has long been a position of the ARIN Community (for the most part) >> that ARIN policy is not to dictate or guarantee routing. > > perhaps re-reading the OP's post would reveal that nothing about > routing > is mentioned. > > my guess is that you are making an inference from routing to reverse > dns. but such a leap may not be completely defensible, as reverse dns > is something about which arin does have policy, just not the policy > which i think the OP wants. > > many fora have looked at reverse mapping policy and not made much > progress. this is mostly due to a large and loud contingent of "who > cares? it does not matter. those who check are s. etc." > > the problem is that it is the user (that silly person who pays all our > salaries) who gets screwed, as you can see from the whining of this > particular screwee. most do not know why they get long hangs when > doing > simple things, they think crap is normal. perhaps it should not be. > > randy Thanks, John Von Essen (800) 248-1736 ext 100 john at quonix.net -------------- next part -------------- An HTML attachment was scrubbed... URL: From marla.azinger at frontiercorp.com Tue Sep 11 01:12:35 2007 From: marla.azinger at frontiercorp.com (Azinger, Marla) Date: Tue, 11 Sep 2007 01:12:35 -0400 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy Message-ID: <454810F09B5AA04E9D78D13A5C39028A0272FA0E@nyrofcs2ke2k01.corp.pvt> Well, as Randy pointed out ...maybe I am leaping a bit. But I have had circular conversations where that wasnt viewed as such a leap. Be it strictly routing or dns success/failures, they both have fallen into the "it shouldnt be dictated by ARIN" conversations. And I guess pointing out in an obviouse way that they shouldnt be in the same conversation is needed. So...thanks Randy for getting me thinking straight again. So to your point John, I would say its worth writing up and submitting it. Clearly you have good rational and a need. I would be interested to see how many people would support it and what type of Con's would be pointed out. Cheers! Marla [Azinger, Marla] -----Original Message----- From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net]On Behalf Of John Von Essen Sent: Monday, September 10, 2007 9:38 PM To: Public Policy Mailing List Subject: Re: [ppml] Comments on ARIN's reverse DNS mapping policy Randy - Thanks, you are the first person to not write this off as a "find another ISP" comment. Maria, I understand your comments, but consider this... The current policy on reverse dns mapping "almost" does the job - it just needs to go a tiny bit further. Current policy dictates that you have to map an in-addr.arpa zone for your prefix in order for your nameservers to not be considered lame. Problem is, an AS only has to properly map a single in-addr.arpa to satisfy that requirement. What I am saying is just go a bit further, and have policy dictate that the AS must properly map ALL in-addr.arpa's for advertised prefixes in order for their nameservers to not be considered lame. Seems simple enough. The problem goes beyond the ISP-to-customer scenario. Take Verizon DSL, what if they didn't map the in-addr.arpa's for all their DSL IP's - thats probably 10 or so /16's easily. That would cause tons of problems for various 3rd party organizations all throughout the internet; people like vonage (sip traffic), gmail, postini, or any large smtp environment or protocol dependent on reverse DNS. But the current policy would not consider Verizon's reverse DNS servers as being lame. Because even though there are 1000's of in-addr.arpa zones not mapped (thereby causing excessive timeout on resolvers throughout the world), they do have one mapped to meet the minimum ARIN requirement for non-lameness. That simply doesn't make sense. The threat of one's reverse DNS server being declared lame is the only way to ensure proper reverse DNS mapping. I dont see why 100% enforcement across all advertised prefixes for a given AS is a problem. Lets not forget that reverse DNS plays an important role in the proper operation of many protocols throughout the internet, and one of ARINs most important jobs is delegation of reverse dns authority. ARIN has a responsibility to make sure that the DNS server they are delegating reverse authority too is maintained to at least a minimum level of efficiency. -John On Sep 11, 2007, at 12:05 AM, Randy Bush wrote: I understand your desire to make this an ARIN policy. However, it has long been a position of the ARIN Community (for the most part) that ARIN policy is not to dictate or guarantee routing. perhaps re-reading the OP's post would reveal that nothing about routing is mentioned. my guess is that you are making an inference from routing to reverse dns. but such a leap may not be completely defensible, as reverse dns is something about which arin does have policy, just not the policy which i think the OP wants. many fora have looked at reverse mapping policy and not made much progress. this is mostly due to a large and loud contingent of "who cares? it does not matter. those who check are s. etc." the problem is that it is the user (that silly person who pays all our salaries) who gets screwed, as you can see from the whining of this particular screwee. most do not know why they get long hangs when doing simple things, they think crap is normal. perhaps it should not be. randy Thanks, John Von Essen (800) 248-1736 ext 100 john at quonix.net -------------- next part -------------- An HTML attachment was scrubbed... URL: From randy at psg.com Tue Sep 11 01:14:00 2007 From: randy at psg.com (Randy Bush) Date: Mon, 10 Sep 2007 19:14:00 -1000 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy In-Reply-To: <091ECDC1-0112-4FCC-9F2B-E50E0D04158C@quonix.net> References: <454810F09B5AA04E9D78D13A5C39028A0272FA0D@nyrofcs2ke2k01.corp.pvt> <46E61408.5000100@psg.com> <091ECDC1-0112-4FCC-9F2B-E50E0D04158C@quonix.net> Message-ID: <46E62418.7030603@psg.com> > Problem is, an AS only has to properly map a single in-addr.arpa to > satisfy that requirement. What I am saying is just go a bit further, and > have policy dictate that the AS must properly map ALL in-addr.arpa's for > advertised prefixes in order for their nameservers to not be considered > lame. well, one technicality is that is not what 'lame' means. lame means that the servers are not authoritative for the named zone, i.e. do not return an SOA with the authoritative bit set. it says nothing about having reasonable content within the zone. but that is a technicality. we know what you mean. as i said, attempts to address the actual operational problem have foundered. the nay-sayers might be dealt with if there was not a problem of specifying what actually is 'correct' operation. remember, your particular case is one of a wide range of incorrect in-addr.arpa behavior. a memorable failure to fix silliness was an ivtf effort to label as broken dns servers which return 1918 A RRs for public look-ups. so it is rather a wide subject. but maybe, when all the arin policy experts wake up in the us mainland morning, someone can make a succinct prescription of how arin might help with your problem. and maybe cash will fall from the sky. fwiw, i buy dsl bearer from the local telcos because i am forced to, but use local isps (lavanet and infinity) for layer three so i can talk to someone with clue. randy From marla.azinger at frontiercorp.com Tue Sep 11 01:18:33 2007 From: marla.azinger at frontiercorp.com (Azinger, Marla) Date: Tue, 11 Sep 2007 01:18:33 -0400 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy Message-ID: <454810F09B5AA04E9D78D13A5C39028A02A4C9B1@nyrofcs2ke2k01.corp.pvt> >but maybe, when all the arin policy experts wake up in the us mainland morning, someone can make a succinct prescription of how arin might help with your problem. and maybe cash will fall from the sky.< Experts. LOL. We are legends in our own minds. I would like the cash to fall from the sky... ...but I would still help John if he wants to pursue this. ;o) Marla -----Original Message----- From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net]On Behalf Of Randy Bush Sent: Monday, September 10, 2007 10:14 PM To: John Von Essen Cc: Public Policy Mailing List Subject: Re: [ppml] Comments on ARIN's reverse DNS mapping policy > Problem is, an AS only has to properly map a single in-addr.arpa to > satisfy that requirement. What I am saying is just go a bit further, and > have policy dictate that the AS must properly map ALL in-addr.arpa's for > advertised prefixes in order for their nameservers to not be considered > lame. well, one technicality is that is not what 'lame' means. lame means that the servers are not authoritative for the named zone, i.e. do not return an SOA with the authoritative bit set. it says nothing about having reasonable content within the zone. but that is a technicality. we know what you mean. as i said, attempts to address the actual operational problem have foundered. the nay-sayers might be dealt with if there was not a problem of specifying what actually is 'correct' operation. remember, your particular case is one of a wide range of incorrect in-addr.arpa behavior. a memorable failure to fix silliness was an ivtf effort to label as broken dns servers which return 1918 A RRs for public look-ups. so it is rather a wide subject. but maybe, when all the arin policy experts wake up in the us mainland morning, someone can make a succinct prescription of how arin might help with your problem. and maybe cash will fall from the sky. fwiw, i buy dsl bearer from the local telcos because i am forced to, but use local isps (lavanet and infinity) for layer three so i can talk to someone with clue. randy _______________________________________________ PPML You are receiving this message because you are subscribed to the ARIN Public Policy Mailing List (PPML at arin.net). Unsubscribe or manage your mailing list subscription at: http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN Member Services Help Desk at info at arin.net if you experience any issues. From bmanning at vacation.karoshi.com Tue Sep 11 02:17:09 2007 From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com) Date: Tue, 11 Sep 2007 06:17:09 +0000 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy In-Reply-To: <091ECDC1-0112-4FCC-9F2B-E50E0D04158C@quonix.net> References: <454810F09B5AA04E9D78D13A5C39028A0272FA0D@nyrofcs2ke2k01.corp.pvt> <46E61408.5000100@psg.com> <091ECDC1-0112-4FCC-9F2B-E50E0D04158C@quonix.net> Message-ID: <20070911061709.GA8969@vacation.karoshi.com.> On Tue, Sep 11, 2007 at 12:37:49AM -0400, John Von Essen wrote: > > Problem is, an AS only has to properly map a single in-addr.arpa to > satisfy that requirement. What I am saying is just go a bit further, > and have policy dictate that the AS must properly map ALL in- > addr.arpa's for advertised prefixes in order for their nameservers to > not be considered lame. Seems simple enough. ... > > The threat of one's reverse DNS server being declared lame is the > only way to ensure proper reverse DNS mapping. I dont see why 100% > enforcement across all advertised prefixes for a given AS is a problem. > > Lets not forget that reverse DNS plays an important role in the > proper operation of many protocols throughout the internet, and one > of ARINs most important jobs is delegation of reverse dns authority. > ARIN has a responsibility to make sure that the DNS server they are > delegating reverse authority too is maintained to at least a minimum > level of efficiency. > > -John > John, you point out an interesting conundrum in the administration of DNS... your forward map is usually owned by you (via a registrar or in some cases a registry) while the reverse map is owned by your ISP (in most cases) ... the use of secure dynamic update allows you to maintain your DNS entries in a secure fashion, however your ISP is refusing to update the information (at all, let alone what you want it to be) one might observe that since address space is not "owned" - that a stewardship obligation be applied to delegations - and that ARIN *might* pre-populate the reverse maps before delegation. for some DNSSEC usage models, having teh forward and reverse maps converge is highly desirable... e.g. foo.bar. a 127.0.0.1 1.0.0.127.in-addr.arpa. ptr foo.bar. which will require the ISP to rethink who it will allow its clients to update the reverse maps themselves, in a secure fashion. thoughts for your consideration. --bill From weiler at tislabs.com Tue Sep 11 02:19:40 2007 From: weiler at tislabs.com (Sam Weiler) Date: Tue, 11 Sep 2007 02:19:40 -0400 (EDT) Subject: [ppml] Comments on ARIN's reverse DNS mapping policy Message-ID: > 3. Several functions on my PC incur long reverse DNS timeouts (up to > 30 seconds) as a result. i.e. sending mail through smtp, telnet and > ssh connections, and any other protocol which natively has built in > reverse DNS checks. 4. Contact ISP to resolve, no luck. 5. Contacted > ISPs ARIN Tech/Abuse/NOC POCs, still no luck. I'm wondering if it would be sufficient to have ARIN act _far_ more swiftly to remove the lame delegations. While that wouldn't get good PTR records published, it should cure the long timeout problem. We already require ARIN to do that removal, but, in my experience, it can take ARIN months to do so. Might it be more reasonable to ask ARIN to act faster, perhaps within a week or two? To be clear, I'm only talking about removing the DNS delegations (NS records) for the address blocks, not revoking the IP assignment/allocation. Section 7.2 of the NRPM (from policy proposal 2005-3) says: "ARIN will actively identify lame DNS name server(s) for reverse address delegations associated with address blocks allocated, assigned or administered by ARIN. Upon identification of a lame delegation, ARIN shall attempt to contact the POC for that resource and resolve the issue. If, following due diligence, ARIN is unable to resolve the lame delegation, ARIN will update the WHOIS database records resulting in the removal of lame servers." [Note that this just changed on August 22nd; before that, the NRPM had the text from policy proposal 2002-1, which required flagging of lame records. The replacement policy was adopted in June 2005 but just made it into the NRPM in the last month.] Perhaps the AC will work with you on a modification of this policy that requires a faster response time from ARIN. -- Sam From randy at psg.com Tue Sep 11 02:36:29 2007 From: randy at psg.com (Randy Bush) Date: Mon, 10 Sep 2007 20:36:29 -1000 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy In-Reply-To: <20070911061709.GA8969@vacation.karoshi.com.> References: <454810F09B5AA04E9D78D13A5C39028A0272FA0D@nyrofcs2ke2k01.corp.pvt> <46E61408.5000100@psg.com> <091ECDC1-0112-4FCC-9F2B-E50E0D04158C@quonix.net> <20070911061709.GA8969@vacation.karoshi.com.> Message-ID: <46E6376D.1030302@psg.com> > one might observe that since address space is not "owned" - that a > stewardship obligation be applied to delegations - and that ARIN > *might* pre-populate the reverse maps before delegation. a - this is orthogonal to the religious discussions of address space ownership. b - when arin *delegates* the pre-populated zone file, the population stays home at arin, and would not magically appear in the delegatee's zone. randy From bonomi at mail.r-bonomi.com Tue Sep 11 02:49:46 2007 From: bonomi at mail.r-bonomi.com (Robert Bonomi) Date: Tue, 11 Sep 2007 01:49:46 -0500 (CDT) Subject: [ppml] Comments on ARIN's reverse DNS mapping policy Message-ID: <200709110649.l8B6nkUp021038@mail.r-bonomi.com> > Date: Tue, 11 Sep 2007 02:19:40 -0400 (EDT) > From: Sam Weiler > Subject: Re: [ppml] Comments on ARIN's reverse DNS mapping policy > > I'm wondering if it would be sufficient to have ARIN act _far_ more > swiftly to remove the lame delegations. While that wouldn't get good > PTR records published, it should cure the long timeout problem. Does an inompletely populated zone constitute a 'lame' server? Does a zone with _no_ data other than a SOA constitute a 'lame' server? Is a server that fails to return NXDOMAIN in a _timely_ manner for something it doesn't know about a 'lame' server? It's not at all clear to me that requiring faser action for 7.2 addresses any of those situations. My understading of a lame server is one that is listed (elsewhere) as 'authoritative' for a zone, but does NOT report itself as athoritative when queried. Policy is that the zone has to 'be there'. I haven't found anything that says abot 'if' or 'what' has to be in the zone -- beyond the SOA that makes it 'authoritative', that is. From randy at psg.com Tue Sep 11 02:51:28 2007 From: randy at psg.com (Randy Bush) Date: Mon, 10 Sep 2007 20:51:28 -1000 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy In-Reply-To: <200709110649.l8B6nkUp021038@mail.r-bonomi.com> References: <200709110649.l8B6nkUp021038@mail.r-bonomi.com> Message-ID: <46E63AF0.60302@psg.com> > Does an inompletely populated zone constitute a 'lame' server? rat-hole. we know what the op meant. > Does a zone with _no_ data other than a SOA constitute a 'lame' server? no, a broken one. needs ns rrs. randy From bmanning at vacation.karoshi.com Tue Sep 11 04:08:30 2007 From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com) Date: Tue, 11 Sep 2007 08:08:30 +0000 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy In-Reply-To: <46E6376D.1030302@psg.com> References: <454810F09B5AA04E9D78D13A5C39028A0272FA0D@nyrofcs2ke2k01.corp.pvt> <46E61408.5000100@psg.com> <091ECDC1-0112-4FCC-9F2B-E50E0D04158C@quonix.net> <20070911061709.GA8969@vacation.karoshi.com.> <46E6376D.1030302@psg.com> Message-ID: <20070911080830.GA9719@vacation.karoshi.com.> On Mon, Sep 10, 2007 at 08:36:29PM -1000, Randy Bush wrote: > > one might observe that since address space is not "owned" - that a > > stewardship obligation be applied to delegations - and that ARIN > > *might* pre-populate the reverse maps before delegation. > > a - this is orthogonal to the religious discussions of address space > ownership. > > b - when arin *delegates* the pre-populated zone file, the population > stays home at arin, and would not magically appear in the delegatee's zone. > > randy a) the point was a "proper" steward might be expected to perform certain functions as a measure of their stewardship b) true enough... but it would set a useful example to the new steward as to the expected behaviour. --bill From michael.dillon at bt.com Tue Sep 11 05:16:50 2007 From: michael.dillon at bt.com (michael.dillon at bt.com) Date: Tue, 11 Sep 2007 10:16:50 +0100 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy In-Reply-To: <500EA4D6-1C28-46C9-89CE-103B4B6E3DF7@quonix.net> References: <500EA4D6-1C28-46C9-89CE-103B4B6E3DF7@quonix.net> Message-ID: I have spent three weeks with the ISP, and they are either incompetent or unwilling to resolve, or both. And it is definitely not a case of them rolling out a new /24 and simply forgetting to add it to their DNS server. I have done some digging around, and they have massive amounts of IPs ranges that have no in-addr.arpa mappings. I understand some people think that this is an ISP-and-customer issue, but when an ISP who has a /16 or larger assignment and they engage in activity that literally slows down external resolvers throughout the internet by causing tons of excessive reverse DNS timeouts, I do feel it is ARIN's responsibility to have a policy that will official denounce this practice Wrong! It is not ARIN's responsibility to police the Internet. And ARIN policy should not get involved in such things. And, in fact, it is not an error to have missing in-addr.arpa delegations. My company has several such missing delegations on purpose. And I know of at least one company whose multibillion dollar per year business depends on a lame delegation for a .com domain name. Reality is much stranger than you can imagine. If you want to make a formal suggestion to ARIN that it contact ISPs who have not registered in-addr.arpa nameservers to suggest that it is a good idea, if the address range is in use on the public Internet, then I would support that. The formal suggestion box is here: http://www.arin.net/acsp/index.html ARIN offers in-addr.arpa service to all holders of IP allocations. It seems reasonable to contact organization who are not using this service to inform them that the service is available and how to get their nameservers properly registered. Further, it wouldn't hurt to point them to some Internet DNS best practices documents so they have a guide that covers things like putting some zone files into the registered nameservers as well. --Michael Dillon -------------- next part -------------- An HTML attachment was scrubbed... URL: From michael.dillon at bt.com Tue Sep 11 05:22:40 2007 From: michael.dillon at bt.com (michael.dillon at bt.com) Date: Tue, 11 Sep 2007 10:22:40 +0100 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy In-Reply-To: <454810F09B5AA04E9D78D13A5C39028A0272FA0E@nyrofcs2ke2k01.corp.pvt> References: <454810F09B5AA04E9D78D13A5C39028A0272FA0E@nyrofcs2ke2k01.corp.pvt> Message-ID: > So to your point John, I would say its worth writing up and submitting it. > Clearly you have good rational and a need. I would be interested to see > how many people would support it and what type of Con's would be pointed out. I personally think that it is inappropriate for an ARIN AC member to be encouraging people to submit policy proposals that are clearly out of the scope of ARIN's charter. It is most UNhelpful to encourage such pollution of the policymaking process. We already have more than enough volume of proposals to deal with. --Michael Dillon -------------- next part -------------- An HTML attachment was scrubbed... URL: From michael.dillon at bt.com Tue Sep 11 05:30:05 2007 From: michael.dillon at bt.com (michael.dillon at bt.com) Date: Tue, 11 Sep 2007 10:30:05 +0100 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy In-Reply-To: <46E62418.7030603@psg.com> References: <454810F09B5AA04E9D78D13A5C39028A0272FA0D@nyrofcs2ke2k01.corp.pvt> <46E61408.5000100@psg.com><091ECDC1-0112-4FCC-9F2B-E50E0D04158C@quonix.net> <46E62418.7030603@psg.com> Message-ID: > but maybe, when all the arin policy experts wake up in the us > mainland morning, someone can make a succinct prescription of > how arin might help with your problem. and maybe cash will > fall from the sky. Education! No need to run around beating people with a stick when they don't even know what they are doing wrong. That's just plain sadism and is economically harmful to your enterprise. ARIN offers in-addr.arpa service for a reason; because it makes the Internet run better. ARIN knows who is not using this service. ARIN could have a program of identifying appropriate contacts within organizations who do not have non-lame servers registered for each block. ARIN could then contact these people with educational material to explain the benefits of ARIN's free service and what needs to be done to make use of it. Just sending email to POCs offering in-addr.arpa is not enough. An email message to POCs should ask for DNS server administrator contacts. Then these people, who can be expected to have a better understanding of the technical issues as well as the ability to act and put in-addr.arpa zones in nameservers, could be offered the service. It wouldn't be a bad idea to also send some material by postal mail to Domain Name Service Administrator c/o Network Operator, in cases where the POC request fails to elicit a viable response. This type of educational outreach *IS* within the scope of ARIN's charter, but still outside the scope of ARIN policy. --Michael Dillon From jcurran at istaff.org Tue Sep 11 06:59:27 2007 From: jcurran at istaff.org (John Curran) Date: Tue, 11 Sep 2007 06:59:27 -0400 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy In-Reply-To: References: <454810F09B5AA04E9D78D13A5C39028A0272FA0D@nyrofcs2ke2k01.corp.pvt> <46E61408.5000100@psg.com><091ECDC1-0112-4FCC-9F2B-E50E0D04158C@quonix.net > <46E62418.7030603@psg.com> Message-ID: At 10:30 AM +0100 9/11/07, wrote: > >Just sending email to POCs offering in-addr.arpa is not enough. An email >message to POCs should ask for DNS server administrator contacts. Then >these people, who can be expected to have a better understanding of the >technical issues as well as the ability to act and put in-addr.arpa >zones in nameservers, could be offered the service. It wouldn't be a bad >idea to also send some material by postal mail to Domain Name Service >Administrator c/o Network Operator, in cases where the POC request fails >to elicit a viable response. Does anyone know how this issue is handled in other regions? /John From dogwallah at gmail.com Tue Sep 11 07:18:29 2007 From: dogwallah at gmail.com (McTim) Date: Tue, 11 Sep 2007 14:18:29 +0300 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy In-Reply-To: References: <454810F09B5AA04E9D78D13A5C39028A0272FA0D@nyrofcs2ke2k01.corp.pvt> <46E61408.5000100@psg.com> <46E62418.7030603@psg.com> Message-ID: On 9/11/07, John Curran wrote: > At 10:30 AM +0100 9/11/07, wrote: > > > >Just sending email to POCs offering in-addr.arpa is not enough. An email > >message to POCs should ask for DNS server administrator contacts. Then > >these people, who can be expected to have a better understanding of the > >technical issues as well as the ability to act and put in-addr.arpa > >zones in nameservers, could be offered the service. It wouldn't be a bad > >idea to also send some material by postal mail to Domain Name Service > >Administrator c/o Network Operator, in cases where the POC request fails > >to elicit a viable response. > > Does anyone know how this issue is handled in other regions? In RIPEland there is a rev-srv: attribute whose value is meant to be the email address of the person handling reverse. This is being deprecated however, since it has only been used sparingly by only a very few folk. Mr. Van Essen has hinted that the block in question may be a /16, in which case it seems that perhaps his upstream might not know they can do reverse on the whole /16 in one go, and not need to reverse individual /24s. -- Cheers, McTim $ whois -h whois.afrinic.net mctim From arno at ripe.net Tue Sep 11 07:41:20 2007 From: arno at ripe.net (arno meulenkamp) Date: Tue, 11 Sep 2007 13:41:20 +0200 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy In-Reply-To: References: <454810F09B5AA04E9D78D13A5C39028A0272FA0D@nyrofcs2ke2k01.corp.pvt> <46E61408.5000100@psg.com> <46E62418.7030603@psg.com> Message-ID: On Sep 11, 2007, at 1:18 PM, McTim wrote: > On 9/11/07, John Curran wrote: >> At 10:30 AM +0100 9/11/07, wrote: >>> >>> Just sending email to POCs offering in-addr.arpa is not enough. >>> An email >>> message to POCs should ask for DNS server administrator contacts. >>> Then >>> these people, who can be expected to have a better understanding >>> of the >>> technical issues as well as the ability to act and put in-addr.arpa >>> zones in nameservers, could be offered the service. It wouldn't >>> be a bad >>> idea to also send some material by postal mail to Domain Name >>> Service >>> Administrator c/o Network Operator, in cases where the POC >>> request fails >>> to elicit a viable response. >> >> Does anyone know how this issue is handled in other regions? > > In RIPEland there is a rev-srv: attribute whose value is meant to > be the email > address of the person handling reverse. This is being deprecated > however, > since it has only been used sparingly by only a very few folk. > > Mr. Van Essen has hinted that the block in question may be a /16, in > which case it seems that perhaps his upstream might not know they can > do reverse on the whole /16 in one go, and not need to reverse > individual /24s. Actually, for address space obtained in the RIPE region, the reverse DNS is handled through domain objects in the RIPE database. The rev- srv attribute in the inetnum objects is legacy and pointed to the DNS servers that were supposed to handle reverse DNS for that address space. On another note.. I don't see an issue with the lack of PTR records for a given rDNS name. An NXDOMAIN answer is just as fast as an answer with a PTR record. I have no opinion on wether the RIRs should or should not police lameness in the reverse zones though. :) regards, Arno From Ed.Lewis at neustar.biz Tue Sep 11 08:47:34 2007 From: Ed.Lewis at neustar.biz (Edward Lewis) Date: Tue, 11 Sep 2007 08:47:34 -0400 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy In-Reply-To: References: Message-ID: As an "arin mainland policy expert" with a lot of experience in lameness and DNS... ARIN lame delegation proposals: 2002-1 and 2005-3. 2002-1 was ratified by the BoT on 17 November 2002 and 2005-3 was ratified on 16 June 2005 and has an implementation date of 22 August 2007. (From the ARIN web site. BTW, the link from 2002-1's archive to the ARIN IX minuted is broken [404].) In 2003 an update on this was presented to NANOG (http://www.nanog.org/mtg-0306/lewis.html). The term "lame" in the context of DNS is defined by the IETF in RFC 1612, 1713, 1912, and 3658. The word lame is defined more narrowly than is used in practice. Lameness is in the eye of the client and applies only when the client *receives a response* indicating that the server does not *know* the answer. In practice, situations when a response does not arrive at the client has been called lame, even if the reason for the failure is due to an underlying network layer event (like packets being filtered at a firewall). Why did ARIN pass 2002-1? Because a widely popular implementation of DNS (back in the day) would be sent into a loop when it received a DNS referral message pointing back "up" the tree. This made the presence of lame delegations an operational issue. This implementation has apparently faded from general use, the operational impact diminished, and the topic of correcting lame delegations has taken a back seat to other work. As far as general DNS reverse mapping policy, there has been an ongoing discussion within the IETF to produce a document on this. Here is the URL for a DNS Operations Working Group document in progress: http://tools.ietf.org/wg/dnsop/draft-ietf-dnsop-reverse-mapping-considerations/ To give an idea of how much trouble specifying operational requirements for reverse mapping is, the topic first appears in the IETF Meeting archives at http://www3.ietf.org/proceedings/00dec/I-D/draft-ietf-dnsop-inaddr-required-00.txt in the report of the December 2000 meeting of the DNSOP WG. (I have a personal recollection of the topic being raised at the meeting a few months earlier, in August 2000.) Given the date of the cited document, it's been over seven years for the IETF to generate any statement on the topic. What would happen if a policy were to be introduced into ARIN on this? First an argument over the nature of reverse mapping would happen. As you could imagine, if the IETF takes seven plus years to come to consensus on this, it'll take ARIN about as long. (Neither organization is smarter than the other.) Even is there is an IETF RFC, I would bet that there will still be at least a small debate held here. Second, the policy would really have to make a statement on what ARIN does regarding reverse mapping. ARIN already offers to make delegations. If the delegations are lame ARIN will cull them (per 2005-3). There has been talk of using the threat of culling delegations as a carrot/stick to make legacy holders sign agreements with ARIN - I say this only as an example of ARIN's action be to stop delegations, not because I agree with that. I could imagine a policy proposal that says "operate reverse mapping DNS or lose your allocation" as being the one way to force reverse mapping to happen. But I also imagine that any such proposal would "go down in flames." I'll conclude by saying that the anal-retentive DNS-wonk engineer in me really wants to see a fully populated reverse map zone. But observing the behavior of humans who make decisions, reverse mapping is something that isn't going to become mandatory. I would be willing to help any policy that encourages population of the reverse map, but given what I've witnessed I think the effort is Quixotic. ARIN could institute a service of offering free slave service to all allocations to encourage reverse map population. However there are problems with this. One, such an offering is not a topic for a policy proposal (see proposals 2007-1,2,3 for what I mean). Two, this would conflict with commercial efforts to provide slave service. (A unit of my employer is in that market.) I raise this because RIPE has historically provided slave service but requests have been made to cease the free service. (See: http://ripe.net/ripe/maillists/archives/dns-wg/2006/msg00173.html 51.3 Lars-Johan Liman -- NCC Secondary Service Policy Lars commented that the RIPE NCC has announced it will limit involvement in provision of slave servers for TLDs. Lars suggested this be closed for now and marked as overtaken by events. The working group agreed. [[Done, pending mailing list approval]] ) PS - In digging up references I came across these other links to related topics: These refer to 2003 discussions about lame delegations within RIPE: http://ripe.net/ripe/maillists/archives/dns-wg/2003/msg00069.html http://ripe.net/ripe/maillists/archives/dns-wg/2003/msg00088.html This is an APNIC meeting that covered lame delegations and a general reverse map tool, as well as a report of an operational failure incident: http://www.apnic.net/meetings/21/programme/sigs/dns.html -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis +1-571-434-5468 NeuStar Think glocally. Act confused. -------------- next part -------------- An HTML attachment was scrubbed... URL: From owen at delong.com Tue Sep 11 09:04:11 2007 From: owen at delong.com (Owen DeLong) Date: Tue, 11 Sep 2007 06:04:11 -0700 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy In-Reply-To: <454810F09B5AA04E9D78D13A5C39028A0272FA0E@nyrofcs2ke2k01.corp.pvt> References: <454810F09B5AA04E9D78D13A5C39028A0272FA0E@nyrofcs2ke2k01.corp.pvt> Message-ID: <13110A43-314E-44F4-855D-2C379CE1E96E@delong.com> On Sep 10, 2007, at 10:12 PM, Azinger, Marla wrote: > Well, as Randy pointed out ...maybe I am leaping a bit. But I have > had circular conversations where that wasnt viewed as such a leap. > Be it strictly routing or dns success/failures, they both have > fallen into the "it shouldnt be dictated by ARIN" conversations. > And I guess pointing out in an obviouse way that they shouldnt be > in the same conversation is needed. So...thanks Randy for getting > me thinking straight again. > > So to your point John, I would say its worth writing up and > submitting it. Clearly you have good rational and a need. I would > be interested to see how many people would support it and what type > of Con's would be pointed out. > 1. This is not about lame server delegations. It's about operationally incomplete DNS data. 2. DNS is not routing, but, DNS Operations, like routing, are outside of ARIN's scope. 3. It still doesn't have anything to do with stewardship over the address space or address assignment policy. 4. This is an operational issue. 5. ARIN is an address policy forum and not an operational forum. If you want a policy body, I'd say this belongs to IETF more than any other policy body I can think of. It is clearly out of scope for ARIN in my opinion. Owen -------------- next part -------------- An HTML attachment was scrubbed... URL: From arin-contact at dirtside.com Tue Sep 11 09:33:23 2007 From: arin-contact at dirtside.com (William Herrin) Date: Tue, 11 Sep 2007 09:33:23 -0400 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy In-Reply-To: References: Message-ID: <3c3e3fca0709110633x1b6e2a70w4cdcbc0d5ec988f6@mail.gmail.com> On 9/10/07, John Von Essen wrote: > What are other peoples thoughts on this? Could the policy be updated > requiring full mapping of ALL in-addr.arpa zones that an AS advertises? John, The posters so far are essentially correct: no policy has been broken here. Its entirely up to the ISP to decide how (or even if) they manage or delegate RDNS. If you can, you should fine another provider. If your provider is a monopoly like the Bells or cable companies, there may be a local venue in which you can file an actionable complaint. At the very least you can try a complaint at the better business bureau. Two additional thoughts: ARIN's preference to refer to the ISP as a "Local Internet Registry" is a problem here. It implies that the ISP has a duty to competently manage all of the delegated resources but at least for the RDNS that's simply not true. If we're not going to require reasonable management of the resources, we shouldn't be referring to them as LIRs. Who's the ISP? I'd like to call up their marketing manager and suggest that their customers have been hurt and reputation damaged by their mismanagement of the RDNS. A little ridicule placed in the right ear can go a long way towards correcting undesirable behavior. Regards, Bill Herrin -- William D. Herrin herrin at dirtside.com bill at herrin.us 3005 Crane Dr. Web: Falls Church, VA 22042-3004 From stephen at sprunk.org Tue Sep 11 09:31:05 2007 From: stephen at sprunk.org (Stephen Sprunk) Date: Tue, 11 Sep 2007 08:31:05 -0500 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy References: <454810F09B5AA04E9D78D13A5C39028A0272FA0D@nyrofcs2ke2k01.corp.pvt><46E61408.5000100@psg.com> <091ECDC1-0112-4FCC-9F2B-E50E0D04158C@quonix.net> Message-ID: <00ec01c7f47c$b407a370$393816ac@atlanta.polycom.com> Thus spake John Von Essen > Maria, I understand your comments, but consider this... The > current policy on reverse dns mapping "almost" does the job > - it just needs to go a tiny bit further. > > Current policy dictates that you have to map an in-addr.arpa > zone for your prefix in order for your nameservers to not be > considered lame. ... > Lets not forget that reverse DNS plays an important role in the > proper operation of many protocols throughout the internet, and > one of ARINs most important jobs is delegation of reverse dns > authority. ARIN has a responsibility to make sure that the DNS > server they are delegating reverse authority too is maintained > to at least a minimum level of efficiency. I'm tempted to say "your ISP should be free to sell you bad service if you're willing to buy it", but that's not terribly helpful to you. Instead, what I'll say is that you are welcome to submit a proposal to modify the policy "a tiny bit" in the way you wish. Unfortunately you've missed the cut-off for the current cycle, but that means you have about five months to get the details worked out for the next cycle. If you're looking for someone to help you with the wording or process for such a proposal, please make a more explicit request for that so we know how to help. I'm personally neutral on the topic until we have a proposal to debate (preferably after Albuquerque). S Stephen Sprunk "God does not play dice." --Albert Einstein CCIE #3723 "God is an inveterate gambler, and He throws the K5SSS dice at every possible opportunity." --Stephen Hawking From john at quonix.net Tue Sep 11 10:34:49 2007 From: john at quonix.net (John Von Essen) Date: Tue, 11 Sep 2007 10:34:49 -0400 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy In-Reply-To: <7989754C-C7A0-4E4B-8095-A4FE8E785F89@delong.com> References: <454810F09B5AA04E9D78D13A5C39028A0272FA0D@nyrofcs2ke2k01.corp.pvt> <46E61408.5000100@psg.com> <091ECDC1-0112-4FCC-9F2B-E50E0D04158C@quonix.net> <7989754C-C7A0-4E4B-8095-A4FE8E785F89@delong.com> Message-ID: <995886AB-001D-4C91-A787-4572BFB0ED1E@quonix.net> Wrong, wrong, wrong. I appreciate the comments, but I think some people still are misunderstanding the issues. Let me clarify, my post has nothing to do with Org's reversing IPs with valid PTRs. If an Org doesn't want to reverse an an IP thats fine, and like Owen said, with no PTR, and instantaneous NX Domain error comes back, no timeout. But that is not that scenario I am describing. Consider the following real-world example: # nslookup 208.72.239.200 Server: 4.2.2.2 Address: 4.2.2.2#53 ** server can't find 200.239.72.208.in-addr.arpa: NXDOMAIN Thats good. The AS who advertises 208.72.239.0/24 has the 239.72.208.in-addr.arpa zone configured in their name server, an SOA an NS record exists, but there is no PTR data. And that is perfectly fine. Now consider this... # nslookup 76.161.191.192 ;; connection timed out; no servers could be reached And the above took about 20 seconds to return. The AS who advertises 76.161.192.0/24 (and many other /24's) does not have the 192.161.76.in-addr.arpa zone configured at all on their DNS server. This is a problem for the user of that IP, and any person on the internet that has to talk to that IP since it will create a burdensome dns timeouts. I'm sorry, but that second example is simply unacceptable. This may sound rude, but the amount of money ARIN brings in for ASN registrations, membership, and IP range allocations - the buck has to stop with ARIN when it comes to AS's who completely misconfigure massive in-addr.arpa zones and potentially create the environment to slow down dns traffic throughout the internet. When ARIN delegates reverse authority to the DNS servers of an AS that does not have in-addr.arpa zone configured at all (for IP's in use), ARIN is openly supporting a practice that hurts the internet by allowing these dns timeouts to propagate. ARIN should take responsibility. All I am saying is simply state in policy, that if an AS advertises a prefix and uses an IP range, that in-addr.arpa zone for those IPs has to be at least be configured to return an SOA and avoid this problem of timeouts. If they dont, that AS is violating policy, and if they dont resolve it, the dns delegation would be removed all together - with a specified time table (say within 30 days). -John On Sep 11, 2007, at 8:34 AM, Owen DeLong wrote: > Also, such a server should _NOT_ cause delays. It should > instantaneously > return an NXDOMAIN result. > > Your issue isn't lame servers. Your issue is servers with > incomplete data, > which is an operational issue well outside of the scope of Address > Assignment > policy. Thanks, John Von Essen (800) 248-1736 ext 100 john at quonix.net -------------- next part -------------- An HTML attachment was scrubbed... URL: From marla.azinger at frontiercorp.com Tue Sep 11 11:02:44 2007 From: marla.azinger at frontiercorp.com (Azinger, Marla) Date: Tue, 11 Sep 2007 11:02:44 -0400 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy Message-ID: <454810F09B5AA04E9D78D13A5C39028A0272FA0F@nyrofcs2ke2k01.corp.pvt> Michael- One, If you look at my posting I posted as a member and an employee from Frontier. I may be on AC but I did not post as "AC". Two, I believe John has a valid point. I believe it should be discussed and I believe that draft proposals tend to help further discussion. And as someone else pointed out, this potential proposal would be inserted into the next conference cycle not this one. But yet, had it been brought up in time, it is no less valid than other topics. Three, as you point out in another email education is needed. Like it or not, the whole proposal discussion realm is a large classroom. You can debate the correctness of this reality, but its still reality. Cheers! Marla -----Original Message----- From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net]On Behalf Of michael.dillon at bt.com Sent: Tuesday, September 11, 2007 2:23 AM To: ppml at arin.net Subject: Re: [ppml] Comments on ARIN's reverse DNS mapping policy > So to your point John, I would say its worth writing up and submitting it. > Clearly you have good rational and a need. I would be interested to see > how many people would support it and what type of Con's would be pointed out. I personally think that it is inappropriate for an ARIN AC member to be encouraging people to submit policy proposals that are clearly out of the scope of ARIN's charter. It is most UNhelpful to encourage such pollution of the policymaking process. We already have more than enough volume of proposals to deal with. --Michael Dillon -------------- next part -------------- An HTML attachment was scrubbed... URL: From stephen at sprunk.org Tue Sep 11 11:28:47 2007 From: stephen at sprunk.org (Stephen Sprunk) Date: Tue, 11 Sep 2007 10:28:47 -0500 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy References: <454810F09B5AA04E9D78D13A5C39028A0272FA0E@nyrofcs2ke2k01.corp.pvt> Message-ID: <01ff01c7f489$b5b1be10$393816ac@atlanta.polycom.com> Thus spake michael.dillon at bt.com >> So to your point John, I would say its worth writing up and >> submitting it. Clearly you have good rational and a need. I >> would be interested to see how many people would support it >> and what type of Con's would be pointed out. > > I personally think that it is inappropriate for an ARIN AC member > to be encouraging people to ... We're supposed to be electing people to the AC because they have Clue(tm) on numbering resource matters, so it is counter-productive to attempt to muzzle them. I am happy with the recent trend by BoT members to indicate whether they're speaking with their BoT "hats" on or not; perhaps it would be appropriate for AC members to do so as well to avoid the appearance of them trying to unduly influence the process. Personally, I think it should not be necessary, since any official statements from the BoT or AC come in an easily-recognized form, but it's a friendly, voluntary process that helps remind people. > ... submit policy proposals that are clearly out of the scope of > ARIN's charter. I disagree that such a proposal is "clearly" out of scope. We have existing policy (7.2) against lame delegations. It is not much of a stretch to extend that policy to include lame subdelegations. At most, the point is debatable, which means it's not "clear". If such a proposal were accepted by the community, it would be up to counsel to determine whether it was within the charter. We have been told to make the policy we feel is best for the community without regard to legal complications until told otherwise. S Stephen Sprunk "God does not play dice." --Albert Einstein CCIE #3723 "God is an inveterate gambler, and He throws the K5SSS dice at every possible opportunity." --Stephen Hawking From weiler at tislabs.com Tue Sep 11 12:08:49 2007 From: weiler at tislabs.com (Sam Weiler) Date: Tue, 11 Sep 2007 12:08:49 -0400 (EDT) Subject: [ppml] Comments on ARIN's reverse DNS mapping policy Message-ID: On Tue, 11 Sep 2007, William Herrin wrote: > The posters so far are essentially correct: no policy has been > broken here. I disagree. Current policy requires ARIN to remove lame delegations from the reverse DNS zones it manages. I've seen evidence that ARIN isn't doing that, and I think ARIN is in violation of NRPM Section 7.2. In this case, I'm using a broad definition of "lame" that includes "all nameservers listed in the NS RRset are unreachable". Here's another example that was reported to ARIN on May 11th, four months ago to the day: 'dig +trace 79.114.208.in-addr.arpa.' Perhaps some guidance from the staff would be useful here. Is the current policy sufficient for you to clean these up? Are you reading "lame" broadly enough to cover the cases raised by Mr. Von Essen and myself? Absent instructions from the community specifying a timetable[1], how long will it take between these being reported and them being cleaned up? (FWIW, I'd prefer to see a short timetable, on the order of two weeks.) -- Sam [1] Not that I'm optimistic about the chances of ARIN listening to the community: 2005-3 included an implementation timetable of 90 days after adoption. It appears to have taken 797 days. From Ed.Lewis at neustar.biz Tue Sep 11 12:13:28 2007 From: Ed.Lewis at neustar.biz (Edward Lewis) Date: Tue, 11 Sep 2007 12:13:28 -0400 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy In-Reply-To: <995886AB-001D-4C91-A787-4572BFB0ED1E@quonix.net> References: <454810F09B5AA04E9D78D13A5C39028A0272FA0D@nyrofcs2ke2k01.corp.pvt> <46E61408.5000100@psg.com> <091ECDC1-0112-4FCC-9F2B-E50E0D04158C@quonix.net> <7989754C-C7A0-4E4B-8095-A4FE8E785F89@delong.com> <995886AB-001D-4C91-A787-4572BFB0ED1E@quonix.net> Message-ID: At 10:34 -0400 9/11/07, John Von Essen wrote: >All I am saying is simply state in policy, that if an AS advertises a >prefix and uses an IP range, that in-addr.arpa zone for those IPs has to >be at least be configured to return an SOA and avoid this problem of >timeouts. If they dont, that AS is violating policy, and if they dont >resolve it, the dns delegation would be removed all together - with a >specified time table (say within 30 days). 2005-3 kind of already answers this, but it does say "lame" delegations. If we expand the scope to include all name servers that fail to respond we have to define what fail to respond means. "Fail to respond over an X day window, tested a few times daily." "Fail to respond to queries issued from set point/s in the public Internet." (UDP is pain when it comes to specifying what constitutes a failure case because the protocol is inherently unreliable.) The irritation is where to draw the line between policy and specifics of the implementation. -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis +1-571-434-5468 NeuStar Think glocally. Act confused. From MOHLER at graceland.edu Tue Sep 11 12:26:27 2007 From: MOHLER at graceland.edu (Dave Mohler) Date: Tue, 11 Sep 2007 11:26:27 -0500 Subject: [ppml] AC Members' participation in ppml discussions -- was Comments on ARIN's reverse DNS mapping policy In-Reply-To: <01ff01c7f489$b5b1be10$393816ac@atlanta.polycom.com> Message-ID: I have also found AC (and BoT) members' contributions to the policy discussion here on this list helpful. I have _not_ felt that their contributions included a tone suggesting that their AC membership added any weight to the thoughts they expressed beyond that of any other contributors' thoughts. To the contrary, I would feel that it was a less open process if AC members withheld their views until the meeting at which a vote was to be taken. Having AC members' views shared on the list allows list participants with opposing (or even slightly varying) views more time to thoughtfully challenge those positions. Issues withheld until the meeting could leave those with opposing views with the feeling of having been blindsided. -- Just my "two cents"(tm) -- dave > -----Original Message----- > From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net] On Behalf Of > Stephen Sprunk > Sent: Tuesday, September 11, 2007 10:29 AM > To: michael.dillon at bt.com > Cc: ARIN PPML > Subject: Re: [ppml] Comments on ARIN's reverse DNS mapping policy > > Thus spake michael.dillon at bt.com > >> So to your point John, I would say its worth writing up and > >> submitting it. Clearly you have good rational and a need. I > >> would be interested to see how many people would support it > >> and what type of Con's would be pointed out. > > > > I personally think that it is inappropriate for an ARIN AC member > > to be encouraging people to ... > > We're supposed to be electing people to the AC because they have Clue(tm) > on > numbering resource matters, so it is counter-productive to attempt to > muzzle > them. > > I am happy with the recent trend by BoT members to indicate whether > they're > speaking with their BoT "hats" on or not; perhaps it would be appropriate > for AC members to do so as well to avoid the appearance of them trying to > unduly influence the process. Personally, I think it should not be > necessary, since any official statements from the BoT or AC come in an > easily-recognized form, but it's a friendly, voluntary process that helps > remind people. > ... From john at quonix.net Tue Sep 11 12:29:07 2007 From: john at quonix.net (John Von Essen) Date: Tue, 11 Sep 2007 12:29:07 -0400 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy In-Reply-To: References: Message-ID: <81245675-0736-467F-9EF2-A20A0FC0E904@quonix.net> Identical issues to what I am experiencing. If people look deeply enough, I am confident there are many Org's who operate AS's with no in-addr.arpa SOA on there DNS servers. If anything, can we agree on the fact the current policy is too vague. I had to email ARIN's hostmaster 2 or 3 times to understand it - it can be read many ways. And the explanation I got from hostmaster was if an AS properly configures at least one in-addr.arpa zone, then Arin will bless the entire delegation and not consider the dns server as lame. To be honest, I have no idea how one draws that conclusion from the wording on the policy. DNS is a standard protocol. The policy should specifically state the dns servers must return a valid SOA for each in-addr.arpa in their IP prefix that they advertise from their AS (i.e. they dont have to do it for IPs they dont use). If any in-addr.arpa does not return an SOA, then that AS is in violation, and their nameserver will be considered lame and suspect for removal from reverse delegation. I dont think it is a requirement that ARIN proactively seek and find AS's that are in violation, but it should be in the policy. Those 2 or 3 sentences are all that is needed. On Sep 11, 2007, at 12:08 PM, Sam Weiler wrote: > dig +trace 79.114.208.in-addr.arpa. Thanks, John Von Essen (800) 248-1736 ext 100 john at quonix.net -------------- next part -------------- An HTML attachment was scrubbed... URL: From packetgrrl at gmail.com Tue Sep 11 14:15:20 2007 From: packetgrrl at gmail.com (cja@daydream.com) Date: Tue, 11 Sep 2007 12:15:20 -0600 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy In-Reply-To: <81245675-0736-467F-9EF2-A20A0FC0E904@quonix.net> References: <81245675-0736-467F-9EF2-A20A0FC0E904@quonix.net> Message-ID: If the policy needs updating I really hope one of you will take on the project and submit suggested changes in the form of a policy proposal. There are a number of us on the AC who are more than willing to help and shepherd it through the process. The great thing about the policy process is that if you don't like a policy you can take action and fix/change it. Thanks! ----Cathy On 9/11/07, John Von Essen wrote: > > Identical issues to what I am experiencing. If people look deeply enough, > I am confident there are many Org's who operate AS's with no in-addr.arpaSOA on there DNS servers. > If anything, can we agree on the fact the current policy is too vague. I > had to email ARIN's hostmaster 2 or 3 times to understand it - it can be > read many ways. And the explanation I got from hostmaster was if an AS > properly configures at least one in-addr.arpa zone, then Arin will bless > the entire delegation and not consider the dns server as lame. To be honest, > I have no idea how one draws that conclusion from the wording on the policy. > > DNS is a standard protocol. The policy should specifically state the dns > servers must return a valid SOA for each in-addr.arpa in their IP prefix > that they advertise from their AS (i.e. they dont have to do it for IPs > they dont use). If any in-addr.arpa does not return an SOA, then that AS > is in violation, and their nameserver will be considered lame and suspect > for removal from reverse delegation. > > I dont think it is a requirement that ARIN proactively seek and find AS's > that are in violation, but it should be in the policy. > > Those 2 or 3 sentences are all that is needed. > > > On Sep 11, 2007, at 12:08 PM, Sam Weiler wrote: > > dig +trace 79.114.208.in-addr.arpa. > > > Thanks, > John Von Essen > (800) 248-1736 ext 100 > john at quonix.net > > > > _______________________________________________ > PPML > You are receiving this message because you are subscribed to the ARIN > Public Policy > Mailing List (PPML at arin.net). > Unsubscribe or manage your mailing list subscription at: > http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN Member > Services > Help Desk at info at arin.net if you experience any issues. > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From john at quonix.net Tue Sep 11 14:30:44 2007 From: john at quonix.net (John Von Essen) Date: Tue, 11 Sep 2007 14:30:44 -0400 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy In-Reply-To: References: <81245675-0736-467F-9EF2-A20A0FC0E904@quonix.net> Message-ID: <01422249-3F8A-466D-B309-DABA555D92F3@quonix.net> Well, I for one would like to take on this project. How does one begin to submit a policy proposal? -John On Sep 11, 2007, at 2:15 PM, cja at daydream.com wrote: > If the policy needs updating I really hope one of you will take on > the project and submit suggested changes in the form of a policy > proposal. There are a number of us on the AC who are more than > willing to help and shepherd it through the process. The great > thing about the policy process is that if you don't like a policy > you can take action and fix/change it. > > Thanks! > ----Cathy > > On 9/11/07, John Von Essen wrote: > Identical issues to what I am experiencing. If people look deeply > enough, I am confident there are many Org's who operate AS's with > no in-addr.arpa SOA on there DNS servers. > > If anything, can we agree on the fact the current policy is too > vague. I had to email ARIN's hostmaster 2 or 3 times to understand > it - it can be read many ways. And the explanation I got from > hostmaster was if an AS properly configures at least one in- > addr.arpa zone, then Arin will bless the entire delegation and not > consider the dns server as lame. To be honest, I have no idea how > one draws that conclusion from the wording on the policy. > > DNS is a standard protocol. The policy should specifically state > the dns servers must return a valid SOA for each in-addr.arpa in > their IP prefix that they advertise from their AS (i.e. they dont > have to do it for IPs they dont use). If any in-addr.arpa does not > return an SOA, then that AS is in violation, and their nameserver > will be considered lame and suspect for removal from reverse > delegation. > > I dont think it is a requirement that ARIN proactively seek and > find AS's that are in violation, but it should be in the policy. > > Those 2 or 3 sentences are all that is needed. > > > On Sep 11, 2007, at 12:08 PM, Sam Weiler wrote: > >> dig +trace 79.114.208.in-addr.arpa. > > Thanks, > John Von Essen > (800) 248-1736 ext 100 > john at quonix.net > > > > _______________________________________________ > PPML > You are receiving this message because you are subscribed to the > ARIN Public Policy > Mailing List ( PPML at arin.net). > Unsubscribe or manage your mailing list subscription at: > http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN > Member Services > Help Desk at info at arin.net if you experience any issues. > > Thanks, John Von Essen (800) 248-1736 ext 100 john at quonix.net -------------- next part -------------- An HTML attachment was scrubbed... URL: From packetgrrl at gmail.com Tue Sep 11 14:34:21 2007 From: packetgrrl at gmail.com (cja@daydream.com) Date: Tue, 11 Sep 2007 12:34:21 -0600 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy In-Reply-To: <01422249-3F8A-466D-B309-DABA555D92F3@quonix.net> References: <81245675-0736-467F-9EF2-A20A0FC0E904@quonix.net> <01422249-3F8A-466D-B309-DABA555D92F3@quonix.net> Message-ID: All the info you need is here http://www.arin.net/policy/irpep.html ----Cathy On 9/11/07, John Von Essen wrote: > > Well, I for one would like to take on this project. How does one begin to > submit a policy proposal? > -John > > On Sep 11, 2007, at 2:15 PM, cja at daydream.com wrote: > > If the policy needs updating I really hope one of you will take on the > project and submit suggested changes in the form of a policy proposal. > There are a number of us on the AC who are more than willing to help and > shepherd it through the process. The great thing about the policy process > is that if you don't like a policy you can take action and fix/change it. > > Thanks! > ----Cathy > > On 9/11/07, John Von Essen wrote: > > > > Identical issues to what I am experiencing. If people look deeply > > enough, I am confident there are many Org's who operate AS's with no > > in-addr.arpa SOA on there DNS servers. > > If anything, can we agree on the fact the current policy is too vague. I > > had to email ARIN's hostmaster 2 or 3 times to understand it - it can be > > read many ways. And the explanation I got from hostmaster was if an AS > > properly configures at least one in-addr.arpa zone, then Arin will bless > > the entire delegation and not consider the dns server as lame. To be honest, > > I have no idea how one draws that conclusion from the wording on the policy. > > > > DNS is a standard protocol. The policy should specifically state the dns > > servers must return a valid SOA for each in-addr.arpa in their IP prefix > > that they advertise from their AS (i.e. they dont have to do it for IPs > > they dont use). If any in-addr.arpa does not return an SOA, then that AS > > is in violation, and their nameserver will be considered lame and suspect > > for removal from reverse delegation. > > > > I dont think it is a requirement that ARIN proactively seek and find > > AS's that are in violation, but it should be in the policy. > > > > Those 2 or 3 sentences are all that is needed. > > > > > > On Sep 11, 2007, at 12:08 PM, Sam Weiler wrote: > > > > dig +trace 79.114.208.in-addr.arpa. > > > > > > Thanks, > > John Von Essen > > (800) 248-1736 ext 100 > > john at quonix.net > > > > > > > > _______________________________________________ > > PPML > > You are receiving this message because you are subscribed to the ARIN > > Public Policy > > Mailing List ( PPML at arin.net). > > Unsubscribe or manage your mailing list subscription at: > > http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN > > Member Services > > Help Desk at info at arin.net if you experience any issues. > > > > > > Thanks, > John Von Essen > (800) 248-1736 ext 100 > john at quonix.net > > > > _______________________________________________ > PPML > You are receiving this message because you are subscribed to the ARIN > Public Policy > Mailing List (PPML at arin.net). > Unsubscribe or manage your mailing list subscription at: > http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN Member > Services > Help Desk at info at arin.net if you experience any issues. > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From tme at multicasttech.com Tue Sep 11 14:48:08 2007 From: tme at multicasttech.com (Marshall Eubanks) Date: Tue, 11 Sep 2007 14:48:08 -0400 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy In-Reply-To: <01422249-3F8A-466D-B309-DABA555D92F3@quonix.net> References: <81245675-0736-467F-9EF2-A20A0FC0E904@quonix.net> <01422249-3F8A-466D-B309-DABA555D92F3@quonix.net> Message-ID: <87FE5159-7A05-4F50-B509-0748C715395F@multicasttech.com> On Sep 11, 2007, at 2:30 PM, John Von Essen wrote: > Well, I for one would like to take on this project. How does one > begin to submit a policy proposal? > Go to http://www.arin.net/policy/index.html read down, follow directions. Regards Marshall > -John > > On Sep 11, 2007, at 2:15 PM, cja at daydream.com wrote: > >> If the policy needs updating I really hope one of you will take on >> the project and submit suggested changes in the form of a policy >> proposal. There are a number of us on the AC who are more than >> willing to help and shepherd it through the process. The great >> thing about the policy process is that if you don't like a policy >> you can take action and fix/change it. >> >> Thanks! >> ----Cathy >> >> On 9/11/07, John Von Essen wrote: >> Identical issues to what I am experiencing. If people look deeply >> enough, I am confident there are many Org's who operate AS's with >> no in-addr.arpa SOA on there DNS servers. >> >> If anything, can we agree on the fact the current policy is too >> vague. I had to email ARIN's hostmaster 2 or 3 times to understand >> it - it can be read many ways. And the explanation I got from >> hostmaster was if an AS properly configures at least one in- >> addr.arpa zone, then Arin will bless the entire delegation and not >> consider the dns server as lame. To be honest, I have no idea how >> one draws that conclusion from the wording on the policy. >> >> DNS is a standard protocol. The policy should specifically state >> the dns servers must return a valid SOA for each in-addr.arpa in >> their IP prefix that they advertise from their AS (i.e. they dont >> have to do it for IPs they dont use). If any in-addr.arpa does not >> return an SOA, then that AS is in violation, and their nameserver >> will be considered lame and suspect for removal from reverse >> delegation. >> >> I dont think it is a requirement that ARIN proactively seek and >> find AS's that are in violation, but it should be in the policy. >> >> Those 2 or 3 sentences are all that is needed. >> >> >> On Sep 11, 2007, at 12:08 PM, Sam Weiler wrote: >> >>> dig +trace 79.114.208.in-addr.arpa. >> >> Thanks, >> John Von Essen >> (800) 248-1736 ext 100 >> john at quonix.net >> >> >> >> _______________________________________________ >> PPML >> You are receiving this message because you are subscribed to the >> ARIN Public Policy >> Mailing List ( PPML at arin.net). >> Unsubscribe or manage your mailing list subscription at: >> http://lists.arin.net/mailman/listinfo/ppml Please contact the >> ARIN Member Services >> Help Desk at info at arin.net if you experience any issues. >> >> > > Thanks, > John Von Essen > (800) 248-1736 ext 100 > john at quonix.net > > > _______________________________________________ > PPML > You are receiving this message because you are subscribed to the > ARIN Public Policy > Mailing List (PPML at arin.net). > Unsubscribe or manage your mailing list subscription at: > http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN > Member Services > Help Desk at info at arin.net if you experience any issues. From tedm at ipinc.net Tue Sep 11 17:07:14 2007 From: tedm at ipinc.net (Ted Mittelstaedt) Date: Tue, 11 Sep 2007 14:07:14 -0700 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy In-Reply-To: <01422249-3F8A-466D-B309-DABA555D92F3@quonix.net> Message-ID: John, Sorry for the top post but allow me to interject my $0.02 here. The purpose of this mailing list is to flesh out proposals. There have been enough postings on this topic for you to get an idea of what would happen to such a proposal - it would be voted down as it's not in the RIR's scope of responsibilities. I therefore think your wasting your time filing a proposal. Now I have read your ranting and some of the responses. But there is one response that I didn't see and that you obviously didn't consider. In my opinion, the network manager at your ISP is fully aware of the PTR issues and has chosen to DELIBERATELY not entered the in-addr.arpa zone for your numbers. "Why would those bozos do this" I hear you ask. Very simple. I am assuming from the background information you have posted that your DSL account is a simple retail DSL account. Well, the ISP that your buying it from may not want you running servers on that account. Nor may they not want you making direct SMTP connections to other people's mailservers from that IP address. They have their own mailserver - maybe they think if you want to relay outbound mail then relay it through their server. Most of the gloom-and-doom scenarios you describe about the lack of PTR records simply do not apply. We have NEVER had valid PTR's on our modem dialup IP pools for the simple reason that in any given time at least 20% of our modem customers are running systems that are infected with SMTP mailer viruses. If one of our infected customers transmits spam to a destination mailserver, it is very simple for that server to reject the SMTP handshake on a failure to have either a forward or a reverse record in the DNS without having to spend lots of CPU time scanning the message for spamliness. And sure, we could block outbound SMTP - which then is going to cause other complaints, plus there is the philosophical argument about blocking. A dialup user could have a perfectly legitimate need for outbound SMTP so why block. By contrast, chances a user would have a legitimate need for in-addr.arpa is far lower, and much easier to accomodate in any case. As for our DSL customers, we do not by default add in PTR records (although we do have the in-addr.arpa zones properly setup and referred to the nameserver) If you were our customer and you called complaining I would have a very serious and long discussion with you to figure out exactly what you were doing and whether you were violating any of our AUPs. Assuming you were in the category of "home user that wants to dink around with a personal mailserver" I'd set it up for you. We have a number of those. But, if your trying to scam us, that would be a different story. We have had, for example, people in the past who have purchased RESIDENTIAL dsl accounts from us then attempted to setup a mailserver using fetchmail or some such at a business site. Not all businesses use commercial buildings or have business telephone numbers and it's possible for some of them to slip in a residential order without the ISP knowing. Those customers then find a month into it that a large percentage of their outbound mail is spam-blocked by other ISPs for failure to have proper DNS setup - they then call us complaining and that flushes them out of the woodwork. To get the desired DNS mapping they have to pay more money for a business account, of course. (and usually most of them do, with a comment along the lines of "I guess ya caught me") Today with organizations like dydns.org who's sole purpose is to assist businesses to cheat ISP's, there are not a lot of tools an ISP has at it's disposal to catch cheaters that don't have a lot of side effects. Control of in-addr.arpa records is one of the few. I am not saying it is a great way. But dydns.org is a far, far more horrible hack. I have seen cheaters setting up DNS records with SOA timers set at under a minute, causing virtually EVERY SINGLE dns query for their domain to cause a root server query - costing the Internet hundreds of dollars of extra network load a month just so the cheater can save $20 a month on a business DSL line. If you want to start throwing around policy proposals to police the Internet well then how about a minimum DNS expiration requirement of 6 hours? Don't start with the stone throwing if your sitting in a glass house. As for your GoDaddy scenario, well the application controls UDP timeout. If GoDaddy is finding - like we have found with our own mailservers - that a 5 minute retry timeout is to long for a missing PTR check, then it is trivial to change the sendmail config to lower the timeout. So, people not loading in-addr.arpa isn't going to be a problem for them any more than it's a problem for us for other ISP's who also don't load in-addr.arpa As for Telnet and SSH yes well that is an annoyance if your setting a SSH or Telnet server up on your DSL line and you want to telnet into it. But the vast majority of users don't do this. Your story sounds like your just being given the usual brush-off by your ISP, they are pretending they are stupid about this issue, because they don't want to engage you in a discussion to explain their reasons for not setting up in-addr.arpa I noticed your mail is coming from 76.161.192.192 so you obviously figured out how to get a static IP that doesen't have this problem. I would submit that your real beef is that you want to pay residential rates on a dynamic IP not business rates on a static IP. I would also ask you if you would like it if one of your business customers on quonix.net were to setup a bunch of mailboxes ostensibly for users in their business, when in reality they were doing a fetchmail solution for a bunch of other companies and using you merely as a spam filter, and reselling your service (and making far more money doing that then your making from them) Take care! Ted -----Original Message----- From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net]On Behalf Of John Von Essen Sent: Tuesday, September 11, 2007 11:31 AM To: Public Policy Mailing List Subject: Re: [ppml] Comments on ARIN's reverse DNS mapping policy Well, I for one would like to take on this project. How does one begin to submit a policy proposal? -John On Sep 11, 2007, at 2:15 PM, cja at daydream.com wrote: If the policy needs updating I really hope one of you will take on the project and submit suggested changes in the form of a policy proposal. There are a number of us on the AC who are more than willing to help and shepherd it through the process. The great thing about the policy process is that if you don't like a policy you can take action and fix/change it. Thanks! ----Cathy On 9/11/07, John Von Essen wrote: Identical issues to what I am experiencing. If people look deeply enough, I am confident there are many Org's who operate AS's with no in-addr.arpa SOA on there DNS servers. If anything, can we agree on the fact the current policy is too vague. I had to email ARIN's hostmaster 2 or 3 times to understand it - it can be read many ways. And the explanation I got from hostmaster was if an AS properly configures at least one in-addr.arpa zone, then Arin will bless the entire delegation and not consider the dns server as lame. To be honest, I have no idea how one draws that conclusion from the wording on the policy. DNS is a standard protocol. The policy should specifically state the dns servers must return a valid SOA for each in-addr.arpa in their IP prefix that they advertise from their AS (i.e. they dont have to do it for IPs they dont use). If any in-addr.arpa does not return an SOA, then that AS is in violation, and their nameserver will be considered lame and suspect for removal from reverse delegation. I dont think it is a requirement that ARIN proactively seek and find AS's that are in violation, but it should be in the policy. Those 2 or 3 sentences are all that is needed. On Sep 11, 2007, at 12:08 PM, Sam Weiler wrote: dig +trace 79.114.208.in-addr.arpa. Thanks, John Von Essen (800) 248-1736 ext 100 john at quonix.net _______________________________________________ PPML You are receiving this message because you are subscribed to the ARIN Public Policy Mailing List ( PPML at arin.net). Unsubscribe or manage your mailing list subscription at: http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN Member Services Help Desk at info at arin.net if you experience any issues. Thanks, John Von Essen (800) 248-1736 ext 100 john at quonix.net From owen at delong.com Tue Sep 11 17:10:09 2007 From: owen at delong.com (Owen DeLong) Date: Tue, 11 Sep 2007 14:10:09 -0700 Subject: [ppml] Policy Proposal -- Eliminate Lame Server policy Message-ID: Template: ARIN-POLICY-PROPOSAL-TEMPLATE-1.0 1. Policy Proposal Name: Deprecate Lame Server Policy 2. Author a. name: Owen DeLong b. email: owen at delong.com c. telephone: 408-921-6984 d. organization: JITTR Networks 3. Proposal Version: 1.0 4. Submission Date: 11 September, 2007 5. Proposal type: delete new, modify, or delete. 6. Policy term: permanent temporary, permanent, or renewable. 7. Policy statement: Delete section 7 from the NRPM 8. Rationale: Recent PPML discussion has called attention to the fact that lame DNS delegations are more an operational issue than one of policy. As such, the existing lame delegation policy should be removed from the NRPM to remove the resultant confusion. This is not meant to prevent ARIN staff from taking reasonable action WRT DNS operational issues related to resources issued by ARIN, but, such action can be covered by staff operational guidelines and is not within the scope of Address Policy. 9. Timetable for implementation: 1 June, 2008 10. Meeting presenter: END OF TEMPLATE From john at quonix.net Tue Sep 11 17:32:34 2007 From: john at quonix.net (John Von Essen) Date: Tue, 11 Sep 2007 17:32:34 -0400 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy In-Reply-To: References: Message-ID: Ted, Your are making the same incorrect judgement over my original post. Let me repeat, the issue is NOT about ISP's and forcing them to have PTRs. I agree with you, the ISP doesn't need to have a PTR record for DSL IPs. It even helps curb spam. But that is not the issue. The issue is the ISP is operating a given IP range, say 5.5.5.0/24, and the DNS server that ARIN delegates reverse authority to does NOT have the 5.5.5.in-addr.arpa zone conigured at all, which means there is no SOA or NS record for in-addr.arpa zone. This is all way before we get to PTR records. The problem with this is when you try to reverse the 5.5.5.0/24 IP you get a long timeout. (See dig +trace 191.161.76.in-addr.arpa.) If they map the in-addr.arpa zone, and decide to NOT enter any PTR's (which is okay) a reverse query would immediately return NXDOMAIN error, thereby not causing a timeout. So why is this an issue? Creation of that timeout extends beyond the ISP's local customer base. It effects 3rd party's that the ISP customer talks to. So the ISP is purposely creating excessive dns query timeouts on 3rd party resolvers because they failed to do a simple, and what I believe to be a required task - which is... mapping all in-addr.arpa's with at least an SOA and NS record. Last time I checked, causing excessive resource utilization on somebody else's system is called a DoS attack. It is my opinion that if large scale abuse like this were to continue and grow, it could develop into a serious issue affecting global DNS resolver health. I feel ARIN policy has a responsibility to curb this potentional anomaly. So please, no more posts about... "ISP's dont have to have PTR's". If you are making that statement, you are completely missing the point of the initial argument. -John On Sep 11, 2007, at 5:07 PM, Ted Mittelstaedt wrote: > John, > > Sorry for the top post but allow me to interject my $0.02 here. > > The purpose of this mailing list is to flesh out proposals. > There have > been enough postings on > this topic for you to get an idea of what would happen to such a > proposal - > it would be voted > down as it's not in the RIR's scope of responsibilities. I > therefore think > your wasting your time > filing a proposal. > > Now I have read your ranting and some of the responses. But > there is one > response that I > didn't see and that you obviously didn't consider. In my opinion, the > network manager at > your ISP is fully aware of the PTR issues and has chosen to > DELIBERATELY not > entered > the in-addr.arpa zone for your numbers. > > "Why would those bozos do this" I hear you ask. Very simple. I am > assuming from the > background information you have posted that your DSL account is a > simple > retail DSL account. > Well, the ISP that your buying it from may not want you running > servers on > that account. > Nor may they not want you making direct SMTP connections to other > people's > mailservers from > that IP address. They have their own mailserver - maybe they think > if you > want to relay outbound > mail then relay it through their server. > > Most of the gloom-and-doom scenarios you describe about the lack > of PTR > records > simply do not apply. We have NEVER had valid PTR's on our modem > dialup IP > pools > for the simple reason that in any given time at least 20% of our modem > customers are > running systems that are infected with SMTP mailer viruses. If one > of our > infected > customers transmits spam to a destination mailserver, it is very > simple for > that server > to reject the SMTP handshake on a failure to have either a forward > or a > reverse record > in the DNS without having to spend lots of CPU time scanning the > message for > spamliness. > > And sure, we could block > outbound SMTP - which then is going to cause other complaints, plus > there is > the > philosophical argument about blocking. A dialup user could have a > perfectly > legitimate need for > outbound SMTP so why block. By contrast, chances a user would have a > legitimate > need for in-addr.arpa is far lower, and much easier to accomodate > in any > case. > > As for our DSL customers, we do not by default add in PTR records > (although we do > have the in-addr.arpa zones properly setup and referred to the > nameserver) > If you were our > customer and you called complaining I would have a very serious and > long > discussion with > you to figure out exactly what you were doing and whether you were > violating > any of our > AUPs. Assuming you were in the category of "home user that wants > to dink > around with > a personal mailserver" I'd set it up for you. We have a number of > those. > But, if your > trying to scam us, that would be a different story. > > We have had, for example, people in the past who have purchased > RESIDENTIAL > dsl accounts from us then attempted to setup a mailserver using > fetchmail or > some > such at a business site. Not all businesses use commercial > buildings or > have business > telephone numbers and it's possible for some of them to slip in a > residential order without > the ISP knowing. Those customers then find a month into it that a > large > percentage of their > outbound mail is spam-blocked by other ISPs for failure to have > proper DNS > setup - they > then call us complaining and that flushes them out of the > woodwork. To get > the desired > DNS mapping they have to pay more money for a business account, of > course. > (and > usually most of them do, with a comment along the lines of "I guess ya > caught me") > > Today with organizations like dydns.org who's sole purpose is to > assist > businesses to cheat ISP's, there are not a lot of tools an ISP has > at it's > disposal to > catch cheaters that don't have a lot of side effects. Control of > in-addr.arpa records > is one of the few. I am not saying it is a great way. But > dydns.org is a > far, far more horrible > hack. I have seen cheaters setting up DNS records with SOA timers > set at > under a minute, > causing virtually EVERY SINGLE dns query for their domain to cause > a root > server query - > costing the Internet hundreds of dollars of extra network load a > month just > so the cheater > can save $20 a month on a business DSL line. If you want to start > throwing > around > policy proposals to police the Internet well then how about a > minimum DNS > expiration > requirement of 6 hours? Don't start with the stone throwing if > your sitting > in a > glass house. > > As for your GoDaddy scenario, well the application controls UDP > timeout. If > GoDaddy > is finding - like we have found with our own mailservers - that a 5 > minute > retry timeout is > to long for a missing PTR check, then it is trivial to change the > sendmail > config to lower > the timeout. So, people not loading in-addr.arpa isn't going to be a > problem for them any > more than it's a problem for us for other ISP's who also don't load > in-addr.arpa > > As for Telnet and SSH yes well that is an annoyance if your setting > a SSH or > Telnet server > up on your DSL line and you want to telnet into it. But the vast > majority > of users don't > do this. > > Your story sounds like your just being given the usual brush-off by > your > ISP, they are pretending they are stupid about this issue, because > they > don't want > to engage you in a discussion to explain their reasons for not > setting up > in-addr.arpa > I noticed your mail is coming from 76.161.192.192 so you obviously > figured > out how > to get a static IP that doesen't have this problem. I would submit > that > your real beef > is that you want to pay residential rates on a dynamic IP not > business rates > on a > static IP. I would also ask you if you would like it if one of your > business customers on > quonix.net were to setup a bunch of mailboxes ostensibly for users > in their > business, > when in reality they were doing a fetchmail solution for a bunch of > other > companies > and using you merely as a spam filter, and reselling your service (and > making far more > money doing that then your making from them) > > Take care! > Ted > > -----Original Message----- > From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net]On Behalf > Of John > Von Essen > Sent: Tuesday, September 11, 2007 11:31 AM > To: Public Policy Mailing List > Subject: Re: [ppml] Comments on ARIN's reverse DNS mapping policy > > > Well, I for one would like to take on this project. How does one > begin to > submit a policy proposal? > > > -John > > > On Sep 11, 2007, at 2:15 PM, cja at daydream.com wrote: > > > If the policy needs updating I really hope one of you will take on the > project and submit suggested changes in the form of a policy > proposal. There > are a number of us on the AC who are more than willing to help and > shepherd > it through the process. The great thing about the policy process is > that if > you don't like a policy you can take action and fix/change it. > > Thanks! > ----Cathy > > > On 9/11/07, John Von Essen wrote: > Identical issues to what I am experiencing. If people look deeply > enough, I > am confident there are many Org's who operate AS's with no in- > addr.arpa SOA > on there DNS servers. > > > If anything, can we agree on the fact the current policy is too > vague. I had > to email ARIN's hostmaster 2 or 3 times to understand it - it can > be read > many ways. And the explanation I got from hostmaster was if an AS > properly > configures at least one in-addr.arpa zone, then Arin will bless the > entire > delegation and not consider the dns server as lame. To be honest, I > have no > idea how one draws that conclusion from the wording on the policy. > > > DNS is a standard protocol. The policy should specifically state > the dns > servers must return a valid SOA for each in-addr.arpa in their IP > prefix > that they advertise from their AS (i.e. they dont have to do it for > IPs they > dont use). If any in-addr.arpa does not return an SOA, then that AS > is in > violation, and their nameserver will be considered lame and suspect > for > removal from reverse delegation. > > > I dont think it is a requirement that ARIN proactively seek and > find AS's > that are in violation, but it should be in the policy. > > > Those 2 or 3 sentences are all that is needed. > > > > > On Sep 11, 2007, at 12:08 PM, Sam Weiler wrote: > > > dig +trace 79.114.208.in-addr.arpa. > > > Thanks, > John Von Essen > (800) 248-1736 ext 100 > john at quonix.net > > > > > > _______________________________________________ > PPML > You are receiving this message because you are subscribed to the > ARIN Public > Policy > Mailing List ( PPML at arin.net). > Unsubscribe or manage your mailing list subscription at: > http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN > Member > Services > Help Desk at info at arin.net if you experience any issues. > > > > > > > Thanks, > John Von Essen > (800) 248-1736 ext 100 > john at quonix.net > Thanks, John Von Essen (800) 248-1736 ext 100 john at quonix.net -------------- next part -------------- An HTML attachment was scrubbed... URL: From briand at ca.afilias.info Tue Sep 11 17:33:27 2007 From: briand at ca.afilias.info (Brian Dickson) Date: Tue, 11 Sep 2007 17:33:27 -0400 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy In-Reply-To: References: Message-ID: <46E709A7.9060105@ca.afilias.info> Ted Mittelstaedt wrote: > There have > been enough postings on > this topic for you to get an idea of what would happen to such a proposal - > There have been enough people commenting on their misinterpretation of John's observation (complaint), and the underlying technical issue, that the proposal would need to be very clearly written to avoid this. That said, the *actual* issue, if addressed, most certainly would be in-scope for RIR policies, and as such would be suitable for normal discussion, and likely would get support, enough to be adopted as policy. > Now I have read your ranting and some of the responses. But there is one > response that I > didn't see and that you obviously didn't consider. In my opinion, the > network manager at > your ISP is fully aware of the PTR issues and has chosen to DELIBERATELY not > entered > the in-addr.arpa zone for your numbers. > If that is what you think the issue is, then I think you misread the original message and several of the follow-ups. The issue isn't the *content* (present or absent) of the in-addr zone that has been delegated, it is that the server to which the delegation has been made, fails to answer queries for the *specific* in-addr zone. It is lame *for that zone*. [discussion relevant only to non-lame zones with no PTRs in them, omitted for brevity.] > As for your GoDaddy scenario, well the application controls UDP timeout. The problem is fundamentally tied to resolvers. Unless the application is doing a roll-your-own implementation of name resolution, it is likely sharing a common fate with all clients of resolution service on whatever box is acting as a recursive resolver. Tweaking timeouts on nameserver lookups is something, to paraphrase Randy Bush, I encourage anyone foolish enough to want to, to do so. > Take care! > Ted > If you were to "take care" yourself and read and understand what the original poster said, IMHO reasonably clearly and with all due emphasis, you would have been able to avoid making your misunderstanding so visible on a public mailing list. No offense intended. Brian > with no in-addr.arpa SOA > on there DNS servers. P.S. Aside from s/there/their/, the above quote summarizes the problem reported in 10 words or less. Less is more, IMHO. From tedm at ipinc.net Tue Sep 11 17:43:21 2007 From: tedm at ipinc.net (Ted Mittelstaedt) Date: Tue, 11 Sep 2007 14:43:21 -0700 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy In-Reply-To: Message-ID: Hi John, No, I understood perfectly that is why I took pains to explain that while we don't put in PTR records we do have the in-addr.arpa stuff setup for our in-use numbers in our block. What I was trying to make as a point is that your assuming your ISP forgot to put them in. I'm saying they may be deliberately not putting them in precisely to create those annoying long timeouts. Note this doesen't qualify as a DDoS attack because the delays don't happen if the recipeint TCP host doesen't do a PTR query. There's no requirement in the standard that requires a host like a mailserver or suchlike to do a reverse record lookup. I didn't say this was optimal. Ted -----Original Message----- From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net]On Behalf Of John Von Essen Sent: Tuesday, September 11, 2007 2:33 PM To: Public Policy Mailing List Subject: Re: [ppml] Comments on ARIN's reverse DNS mapping policy Ted, Your are making the same incorrect judgement over my original post. Let me repeat, the issue is NOT about ISP's and forcing them to have PTRs. I agree with you, the ISP doesn't need to have a PTR record for DSL IPs. It even helps curb spam. But that is not the issue. The issue is the ISP is operating a given IP range, say 5.5.5.0/24, and the DNS server that ARIN delegates reverse authority to does NOT have the 5.5.5.in-addr.arpa zone conigured at all, which means there is no SOA or NS record for in-addr.arpa zone. This is all way before we get to PTR records. The problem with this is when you try to reverse the 5.5.5.0/24 IP you get a long timeout. (See dig +trace 191.161.76.in-addr.arpa.) If they map the in-addr.arpa zone, and decide to NOT enter any PTR's (which is okay) a reverse query would immediately return NXDOMAIN error, thereby not causing a timeout. So why is this an issue? Creation of that timeout extends beyond the ISP's local customer base. It effects 3rd party's that the ISP customer talks to. So the ISP is purposely creating excessive dns query timeouts on 3rd party resolvers because they failed to do a simple, and what I believe to be a required task - which is... mapping all in-addr.arpa's with at least an SOA and NS record. Last time I checked, causing excessive resource utilization on somebody else's system is called a DoS attack. It is my opinion that if large scale abuse like this were to continue and grow, it could develop into a serious issue affecting global DNS resolver health. I feel ARIN policy has a responsibility to curb this potentional anomaly. So please, no more posts about... "ISP's dont have to have PTR's". If you are making that statement, you are completely missing the point of the initial argument. -John On Sep 11, 2007, at 5:07 PM, Ted Mittelstaedt wrote: John, Sorry for the top post but allow me to interject my $0.02 here. The purpose of this mailing list is to flesh out proposals. There have been enough postings on this topic for you to get an idea of what would happen to such a proposal - it would be voted down as it's not in the RIR's scope of responsibilities. I therefore think your wasting your time filing a proposal. Now I have read your ranting and some of the responses. But there is one response that I didn't see and that you obviously didn't consider. In my opinion, the network manager at your ISP is fully aware of the PTR issues and has chosen to DELIBERATELY not entered the in-addr.arpa zone for your numbers. "Why would those bozos do this" I hear you ask. Very simple. I am assuming from the background information you have posted that your DSL account is a simple retail DSL account. Well, the ISP that your buying it from may not want you running servers on that account. Nor may they not want you making direct SMTP connections to other people's mailservers from that IP address. They have their own mailserver - maybe they think if you want to relay outbound mail then relay it through their server. Most of the gloom-and-doom scenarios you describe about the lack of PTR records simply do not apply. We have NEVER had valid PTR's on our modem dialup IP pools for the simple reason that in any given time at least 20% of our modem customers are running systems that are infected with SMTP mailer viruses. If one of our infected customers transmits spam to a destination mailserver, it is very simple for that server to reject the SMTP handshake on a failure to have either a forward or a reverse record in the DNS without having to spend lots of CPU time scanning the message for spamliness. And sure, we could block outbound SMTP - which then is going to cause other complaints, plus there is the philosophical argument about blocking. A dialup user could have a perfectly legitimate need for outbound SMTP so why block. By contrast, chances a user would have a legitimate need for in-addr.arpa is far lower, and much easier to accomodate in any case. As for our DSL customers, we do not by default add in PTR records (although we do have the in-addr.arpa zones properly setup and referred to the nameserver) If you were our customer and you called complaining I would have a very serious and long discussion with you to figure out exactly what you were doing and whether you were violating any of our AUPs. Assuming you were in the category of "home user that wants to dink around with a personal mailserver" I'd set it up for you. We have a number of those. But, if your trying to scam us, that would be a different story. We have had, for example, people in the past who have purchased RESIDENTIAL dsl accounts from us then attempted to setup a mailserver using fetchmail or some such at a business site. Not all businesses use commercial buildings or have business telephone numbers and it's possible for some of them to slip in a residential order without the ISP knowing. Those customers then find a month into it that a large percentage of their outbound mail is spam-blocked by other ISPs for failure to have proper DNS setup - they then call us complaining and that flushes them out of the woodwork. To get the desired DNS mapping they have to pay more money for a business account, of course. (and usually most of them do, with a comment along the lines of "I guess ya caught me") Today with organizations like dydns.org who's sole purpose is to assist businesses to cheat ISP's, there are not a lot of tools an ISP has at it's disposal to catch cheaters that don't have a lot of side effects. Control of in-addr.arpa records is one of the few. I am not saying it is a great way. But dydns.org is a far, far more horrible hack. I have seen cheaters setting up DNS records with SOA timers set at under a minute, causing virtually EVERY SINGLE dns query for their domain to cause a root server query - costing the Internet hundreds of dollars of extra network load a month just so the cheater can save $20 a month on a business DSL line. If you want to start throwing around policy proposals to police the Internet well then how about a minimum DNS expiration requirement of 6 hours? Don't start with the stone throwing if your sitting in a glass house. As for your GoDaddy scenario, well the application controls UDP timeout. If GoDaddy is finding - like we have found with our own mailservers - that a 5 minute retry timeout is to long for a missing PTR check, then it is trivial to change the sendmail config to lower the timeout. So, people not loading in-addr.arpa isn't going to be a problem for them any more than it's a problem for us for other ISP's who also don't load in-addr.arpa As for Telnet and SSH yes well that is an annoyance if your setting a SSH or Telnet server up on your DSL line and you want to telnet into it. But the vast majority of users don't do this. Your story sounds like your just being given the usual brush-off by your ISP, they are pretending they are stupid about this issue, because they don't want to engage you in a discussion to explain their reasons for not setting up in-addr.arpa I noticed your mail is coming from 76.161.192.192 so you obviously figured out how to get a static IP that doesen't have this problem. I would submit that your real beef is that you want to pay residential rates on a dynamic IP not business rates on a static IP. I would also ask you if you would like it if one of your business customers on quonix.net were to setup a bunch of mailboxes ostensibly for users in their business, when in reality they were doing a fetchmail solution for a bunch of other companies and using you merely as a spam filter, and reselling your service (and making far more money doing that then your making from them) Take care! Ted -----Original Message----- From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net]On Behalf Of John Von Essen Sent: Tuesday, September 11, 2007 11:31 AM To: Public Policy Mailing List Subject: Re: [ppml] Comments on ARIN's reverse DNS mapping policy Well, I for one would like to take on this project. How does one begin to submit a policy proposal? -John On Sep 11, 2007, at 2:15 PM, cja at daydream.com wrote: If the policy needs updating I really hope one of you will take on the project and submit suggested changes in the form of a policy proposal. There are a number of us on the AC who are more than willing to help and shepherd it through the process. The great thing about the policy process is that if you don't like a policy you can take action and fix/change it. Thanks! ----Cathy On 9/11/07, John Von Essen wrote: Identical issues to what I am experiencing. If people look deeply enough, I am confident there are many Org's who operate AS's with no in-addr.arpa SOA on there DNS servers. If anything, can we agree on the fact the current policy is too vague. I had to email ARIN's hostmaster 2 or 3 times to understand it - it can be read many ways. And the explanation I got from hostmaster was if an AS properly configures at least one in-addr.arpa zone, then Arin will bless the entire delegation and not consider the dns server as lame. To be honest, I have no idea how one draws that conclusion from the wording on the policy. DNS is a standard protocol. The policy should specifically state the dns servers must return a valid SOA for each in-addr.arpa in their IP prefix that they advertise from their AS (i.e. they dont have to do it for IPs they dont use). If any in-addr.arpa does not return an SOA, then that AS is in violation, and their nameserver will be considered lame and suspect for removal from reverse delegation. I dont think it is a requirement that ARIN proactively seek and find AS's that are in violation, but it should be in the policy. Those 2 or 3 sentences are all that is needed. On Sep 11, 2007, at 12:08 PM, Sam Weiler wrote: dig +trace 79.114.208.in-addr.arpa. Thanks, John Von Essen (800) 248-1736 ext 100 john at quonix.net _______________________________________________ PPML You are receiving this message because you are subscribed to the ARIN Public Policy Mailing List ( PPML at arin.net). Unsubscribe or manage your mailing list subscription at: http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN Member Services Help Desk at info at arin.net if you experience any issues. Thanks, John Von Essen (800) 248-1736 ext 100 john at quonix.net Thanks, John Von Essen (800) 248-1736 ext 100 john at quonix.net -------------- next part -------------- An HTML attachment was scrubbed... URL: From Ed.Lewis at neustar.biz Tue Sep 11 18:22:55 2007 From: Ed.Lewis at neustar.biz (Edward Lewis) Date: Tue, 11 Sep 2007 18:22:55 -0400 Subject: [ppml] Policy Proposal -- Eliminate Lame Server policy In-Reply-To: References: Message-ID: At 14:10 -0700 9/11/07, Owen DeLong wrote: >8. Rationale: > Recent PPML discussion has called attention to the > fact that lame DNS delegations are more an operational > issue than one of policy. As such, the existing lame > delegation policy should be removed from the NRPM > to remove the resultant confusion. This is not meant > to prevent ARIN staff from taking reasonable action > WRT DNS operational issues related to resources issued > by ARIN, but, such action can be covered by staff > operational guidelines and is not within the scope > of Address Policy. Hmmmm. Mmmmmmmmm. First I want to ask for a definition of the "scope of Address Policy." I have a vague idea, I gather it refers to IPv4 address ranges, IPv6 address ranges, and Autonomous System number(s). (It's that I don't think of AS numbers as addresses; I usually refer to the triad of parameters as IP numbering resources. Okay, okay, splitting terminology hairs here, what I'm asking for is a pointer or statement about the scope.) I may or may not agree that the lame delegation "policy" should be excluded from the NRPM. I am unsure about that. What I would be against is dropping any membership requirement on the staff to enforce clean health (lexically stretching "lameness") on the DNS systems operated by ARIN. I think it is incumbent upon ARIN not to refer DNS traffic to servers which answer "incorrectly." I could argue that (all?) IP address allocation policy is an operational consideration. Poor address allocation policy would cause an undue burden on the routing system. E.g., what if we only gave a (IPv6) /48 to LIRs each time the asked regardless of need and wound up with highly fragmented allocations? I'm being silly here, to stress the point that I disagree that with the criteria of being an operational issue means removal from the NRPM. Still, I am not necessarily against what is proposed here. I'm just saying I have questions for now, but I don't want to see this lost. I don't want sloppy servers. -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis +1-571-434-5468 NeuStar Think glocally. Act confused. From michael at rancid.berkeley.edu Tue Sep 11 18:29:32 2007 From: michael at rancid.berkeley.edu (Michael Sinatra) Date: Tue, 11 Sep 2007 15:29:32 -0700 Subject: [ppml] Policy Proposal -- Eliminate Lame Server policy In-Reply-To: References: Message-ID: <46E716CC.6050900@rancid.berkeley.edu> Owen DeLong wrote: > 8. Rationale: > Recent PPML discussion has called attention to the > fact that lame DNS delegations are more an operational > issue than one of policy. As such, the existing lame > delegation policy should be removed from the NRPM > to remove the resultant confusion. This is not meant > to prevent ARIN staff from taking reasonable action > WRT DNS operational issues related to resources issued > by ARIN, but, such action can be covered by staff > operational guidelines and is not within the scope > of Address Policy. There are actually three issues in this discussion: 1. in-addr.arpa zones that are not populated with PTR records that match A records in forward zones. There seems to be consensus that this is not under ARIN's purview. As has already been pointed out is NOT the issue that the OP raised. 2. in-addr.arpa zones with lame delegations. I define "lame delegation" here as a server that returns SERVFAIL, upward referral, REFUSED, or simply times out for queries in a particular zone. The OP appeared to be concerned about the delays involved in the time-out issue, but as I mention below, there is a difference in my mind as to whether the lame delegation comes directly from ARIN or is the result of a further (re-)delegation within the ISP's DNS configuration. 2a. A subset of the lame delegation is what RFC 1912 states is "an even worse form of lame delegation," which is listing someone else's nameserver without their permission because a) that was the example in the book; b) you needed two nameservers and heck, this one seems to work for some other zone, and you really don't have time to contact the owner of that DNS server and set up the zone, but they won't mind; or c) some other reason too baroque for anyone clueful to even understand. I had a case of 2a that went on for years, where a major financial services company selected ns{1,2}.berkeley.edu as in-addr.arpa nameservers for the /16 it had. We had no relationship with this company and had never agreed to provide nameservice for their /16's in-addr.arpa. But it was our nameservers that received the traffic, our logs that had numerous entries in it for the lame zone, and in some cases, *we* had to answer complaints that our name server were lame for this zone. I contacted the POC for the /16. No answer. Contacted again. No answer. I contacted the ARIN hostmaster. They told me to contact the POC. I told them I had. Contacted the POC and the ARIN hostmaster. This actually went on for years until, after the lame server policy was passed, I escalated the issue to someone fairly high in the organization and our records were removed from the /16 that wasn't ours and for which we had not agreed to provide in-addr.arpa service. It occurred to me that before the lame delegation policy, there was really no way for the ARIN hostmaster to know what to do in a situation like 2a. I am not sure how they dealt with it in the past, but I certainly had a hard time getting anything to happen until such a time as there was a guideline to deal with it. In general, I do not think there is consensus in the PPML thread that 2 and 2a are not within ARIN's purview, where the delegations come directly from ARIN. As operators of the parent DNS zone in which this lame delegation was made, ARIN did have a role to play when the POC refused to respond to repeated requests over a period of years. I think the policy regarding lame delegations that are made directly from ARIN (in whois and in the zones served by the ARIN.NET nameservers) is appropriate. If people who receive delegations from ARIN either a) do not populate their zones with PTR records; or b) re-delegate within their zones (say a /16 with delegated zones representing /24-sized blocks) and some of those re-delegations are lame, then I agree that this is not under ARIN's purview. (It is not clear to me from the OP whether the lame delegation comes from ARIN or whether it is a lame re-delegation from the ISP's nameservers, but it sounds like the latter.) Since the policy only covers the former case, I do not believe it needs to be deprecated. Moreover, as my experience shows, I believe that the policy needs to be explicitly stated in order to convince POCs that they need to take action, and to provide a written rationale, procedure, and escalation path where situations like 2a exist. Staff operational guidelines would work, if they were appropriately publicized, but this did not appear to be the case before the lame delegation policy was in place. I also have a hard time thinking about how an expanded policy would actually be within ARIN's purview, but without seeing such a policy, I can't really comment much more on that. michael From arin-contact at dirtside.com Tue Sep 11 18:31:58 2007 From: arin-contact at dirtside.com (William Herrin) Date: Tue, 11 Sep 2007 18:31:58 -0400 Subject: [ppml] Policy Proposal -- Eliminate Lame Server policy In-Reply-To: References: Message-ID: <3c3e3fca0709111531u656b79fv8f9b1155b34a2402@mail.gmail.com> On 9/11/07, Owen DeLong wrote: > 1. Policy Proposal Name: Deprecate Lame Server Policy > 7. Policy statement: > Delete section 7 from the NRPM Owen, Are you sure this is the right way to move on this? If we're going to call ISPs "Local Internet Registries," shouldn't we expect them to behave as internet registries and do the things that internet registries do, including reallocation and assignment of the RDNS attached to every IP address? Regards, Bill Herrin -- William D. Herrin herrin at dirtside.com bill at herrin.us 3005 Crane Dr. Web: Falls Church, VA 22042-3004 From owen at delong.com Tue Sep 11 18:39:45 2007 From: owen at delong.com (Owen DeLong) Date: Tue, 11 Sep 2007 15:39:45 -0700 Subject: [ppml] Policy Proposal -- Eliminate Lame Server policy In-Reply-To: References: Message-ID: On Sep 11, 2007, at 3:22 PM, Edward Lewis wrote: > At 14:10 -0700 9/11/07, Owen DeLong wrote: > >> 8. Rationale: >> Recent PPML discussion has called attention to the >> fact that lame DNS delegations are more an operational >> issue than one of policy. As such, the existing lame >> delegation policy should be removed from the NRPM >> to remove the resultant confusion. This is not meant >> to prevent ARIN staff from taking reasonable action >> WRT DNS operational issues related to resources issued >> by ARIN, but, such action can be covered by staff >> operational guidelines and is not within the scope >> of Address Policy. > > Hmmmm. Mmmmmmmmm. > > First I want to ask for a definition of the "scope of Address > Policy." I have a vague idea, I gather it refers to IPv4 address > ranges, IPv6 address ranges, and Autonomous System number(s). > (It's that I don't think of AS numbers as addresses; I usually > refer to the triad of parameters as IP numbering resources. Okay, > okay, splitting terminology hairs here, what I'm asking for is a > pointer or statement about the scope.) > I suppose I should have said "Number Resource Policy". I suppose there isn't really much in the way of a pointer about scope that I can give you. However, it is my opinion that the responsibility and scope of ARIN policy should be limited to the assignment and delegation of number resources. Operational concerns about routing and DNS are, in my opinion outside of that scope and only serve to muddy the waters of good number resource policy. > I may or may not agree that the lame delegation "policy" should be > excluded from the NRPM. I am unsure about that. > Understood. > What I would be against is dropping any membership requirement on > the staff to enforce clean health (lexically stretching "lameness") > on the DNS systems operated by ARIN. I think it is incumbent upon > ARIN not to refer DNS traffic to servers which answer "incorrectly." > I have no problem with that as a general procedure, but, that's a procedural and operational question and not what I would consider to be number resource policy. Certainly such a consideration could go well through the ACSP and I would even support such a suggestion. > I could argue that (all?) IP address allocation policy is an > operational consideration. Poor address allocation policy would > cause an undue burden on the routing system. E.g., what if we only > gave a (IPv6) /48 to LIRs each time the asked regardless of need > and wound up with highly fragmented allocations? I'm being silly > here, to stress the point that I disagree that with the criteria of > being an operational issue means removal from the NRPM. > Sure, but, not all operational considerations are IP address allocation policy. Operational considerations are a superset of IP address allocation policy. Actual operations, operational tactics, and operational requirements and standards are not, however, number resource policy. As to fragmented allocations, I'm not 100% convinced that's a bad thing. While I agree that we should do what we can to reduce the degree to which we fragment things in order to accommodate limitations of today's routing system, I firmly believe that our rather high degree of success in doing so has been one of the factors in our failure to develop a workable and scalable routing system. So... I don't advocate going out and fragmenting for the sake of fragmenting, but, I do think that we should stop basing policy on concerns over routing table growth, and, instead manage policy based on rational allocation and assignment concerns. ISPs who run routers should take the responsibility for the operational concerns of routing table size. > Still, I am not necessarily against what is proposed here. I'm > just saying I have questions for now, but I don't want to see this > lost. > Yep... Understood. > I don't want sloppy servers. > Neither do I, but, I am not convinced that it is ARINs place to attempt to force or even pressure others to clean up their sloppy servers. Owen From randy at psg.com Tue Sep 11 18:58:43 2007 From: randy at psg.com (Randy Bush) Date: Tue, 11 Sep 2007 12:58:43 -1000 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy In-Reply-To: <46E709A7.9060105@ca.afilias.info> References: <46E709A7.9060105@ca.afilias.info> Message-ID: <46E71DA3.40005@psg.com> Brian Dickson wrote: > Ted Mittelstaedt wrote: procmail is your friend arin delegates 42.666.in-addr.arpa to the member isp. the servers properly respond for that delegation. this seems to be about as far as current policy goes; though there are reported gaps in implementation. the op wants us to say that, if the delegatee further delegates sub-zones, then the service for those sub-zones must not be lame. aside from issues of whether the community has the right to descend into the delegation, how would we text the sub-delegations? if they are on byte boundaries, we can probe for them. but goddesses help us if they use rfc 2317. and is it our prerogative to probe 256 sub-delegations of a /16? 64k of a /8? and how many of a /32 in ipv6 space? randy From michael at rancid.berkeley.edu Tue Sep 11 19:06:09 2007 From: michael at rancid.berkeley.edu (Michael Sinatra) Date: Tue, 11 Sep 2007 16:06:09 -0700 Subject: [ppml] Policy Proposal -- Eliminate Lame Server policy In-Reply-To: References:

Message-ID: <46E71F61.9080500@rancid.berkeley.edu> Owen DeLong wrote: > I suppose I should have said "Number Resource Policy". I suppose > there isn't really > much in the way of a pointer about scope that I can give you. > However, it is my > opinion that the responsibility and scope of ARIN policy should be > limited to > the assignment and delegation of number resources. Operational > concerns about > routing and DNS are, in my opinion outside of that scope and only > serve to muddy > the waters of good number resource policy. [snip] >> I don't want sloppy servers. >> > Neither do I, but, I am not convinced that it is ARINs place to > attempt to > force or even pressure others to clean up their sloppy servers. Okay, I see the point that it shouldn't be part of the NRPM, and I'd be willing to accept that if there were somehow able to be some explicit, public policy regarding lame delegations that come directly from ARIN. Basically, there should be some way for ARIN staff to deal with inappropriate delegations where the POC is unresponsive, and that method should be public. Thanks for the proposal. michael From marla.azinger at frontiercorp.com Tue Sep 11 19:21:05 2007 From: marla.azinger at frontiercorp.com (Azinger, Marla) Date: Tue, 11 Sep 2007 19:21:05 -0400 Subject: [ppml] Policy Proposal -- Eliminate Lame Server policy Message-ID: <454810F09B5AA04E9D78D13A5C39028A02A4C9D6@nyrofcs2ke2k01.corp.pvt> I would like to see a proposal that is along the lines of clarifying in addition to Owens proposal to just take it away. Hopefully we havnt scared John off and he will give a wack at it. Cheers! Marla -----Original Message----- From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net]On Behalf Of William Herrin Sent: Tuesday, September 11, 2007 3:32 PM To: Owen DeLong Cc: Public Policy Mailing List Subject: Re: [ppml] Policy Proposal -- Eliminate Lame Server policy On 9/11/07, Owen DeLong wrote: > 1. Policy Proposal Name: Deprecate Lame Server Policy > 7. Policy statement: > Delete section 7 from the NRPM Owen, Are you sure this is the right way to move on this? If we're going to call ISPs "Local Internet Registries," shouldn't we expect them to behave as internet registries and do the things that internet registries do, including reallocation and assignment of the RDNS attached to every IP address? Regards, Bill Herrin -- William D. Herrin herrin at dirtside.com bill at herrin.us 3005 Crane Dr. Web: Falls Church, VA 22042-3004 _______________________________________________ PPML You are receiving this message because you are subscribed to the ARIN Public Policy Mailing List (PPML at arin.net). Unsubscribe or manage your mailing list subscription at: http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN Member Services Help Desk at info at arin.net if you experience any issues. From tedm at ipinc.net Tue Sep 11 19:47:13 2007 From: tedm at ipinc.net (Ted Mittelstaedt) Date: Tue, 11 Sep 2007 16:47:13 -0700 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy In-Reply-To: <46E709A7.9060105@ca.afilias.info> Message-ID: >-----Original Message----- >From: Brian Dickson [mailto:briand at ca.afilias.info] >Sent: Tuesday, September 11, 2007 2:33 PM >To: Ted Mittelstaedt >Cc: John Von Essen; Public Policy Mailing List >Subject: Re: [ppml] Comments on ARIN's reverse DNS mapping policy > > >Ted Mittelstaedt wrote: >> There have >> been enough postings on >> this topic for you to get an idea of what would happen to such a >proposal - >> >There have been enough people commenting on their misinterpretation of >John's observation (complaint), >and the underlying technical issue, that the proposal would need to be >very clearly written to avoid this. > >That said, the *actual* issue, if addressed, most certainly would be >in-scope for RIR policies, and as such >would be suitable for normal discussion, and likely would get support, >enough to be adopted as policy. Go for it, man. I still don't think it will pass. I have seen many reasonable proposals get shot down already. Such as ones requiring legacy holders to return unused IPv4 addressing. >> Now I have read your ranting and some of the responses. But >there is one >> response that I >> didn't see and that you obviously didn't consider. In my opinion, the >> network manager at >> your ISP is fully aware of the PTR issues and has chosen to >DELIBERATELY not >> entered >> the in-addr.arpa zone for your numbers. >> >If that is what you think the issue is, then I think you misread the >original message and several of the follow-ups. > >The issue isn't the *content* (present or absent) of the in-addr zone >that has been delegated, it is that the server to which >the delegation has been made, fails to answer queries for the *specific* >in-addr zone. It is lame *for that zone*. > I understand that, no that wasn't the issue I was bringing up. What I was pointing out is John's original assumption insofar that he was taking the ISPs excuses at face value. >[discussion relevant only to non-lame zones with no PTRs in them, >omitted for brevity.] >> As for your GoDaddy scenario, well the application controls UDP timeout. >The problem is fundamentally tied to resolvers. Unless the application >is doing a roll-your-own implementation >of name resolution, it is likely sharing a common fate with all clients >of resolution service on whatever box is acting as a recursive resolver. > >Tweaking timeouts on nameserver lookups is something, to paraphrase >Randy Bush, I encourage anyone foolish enough to want to, to do so. I disagree the problem is tied to resolvers. The original Godaddy scenario is that if godaddy does a PTR query that fails that it ties up resources. This is true - but the resources it ties up are -not- resolver or network resources. They are server resources. If "everyone on the Internet did this" then assuming Godaddy's mailservers started a process for each incoming SMTP and waited around for 5 minutes for a response, you have 5 minutes that a very significant large memory consumptive SMTP process is sitting in core ram waiting. You get hundreds of these doing that and for sure your going to seriously impact your SMTP receiver. That is why I said to fix that they can adjust their application timeout timers for the SMTP application accepting the incoming mail. Not to adjust timeouts in the resolver. >From the resolvers POV it's going to get a PTR query for every incoming mail anyway no matter if a in-addr.arpa exists or not. Or perhaps there is some other aspect of the example I'm missing? >> Take care! >> Ted >> >If you were to "take care" yourself and read and understand what the >original poster said, IMHO reasonably clearly and with all due emphasis, >you would have been able to avoid making your misunderstanding so >visible on a public mailing list. No offense intended. > None taken since I don't think you got the point of my response. Since you like things simple I'll summarize: 1) His proposal won't pass. 2) His ISP knows what they are not doing, and is being a lying jerk to him. 3) Even if his proposal does pass unless it has teeth it won't have any value to compel a jerk ISP to stop being a jerk ISP. 4) If it has teeth it definitely won't pass since people don't support proposals that have teeth. 5) The problem the proposal purports to solve can be worked around so people will use that as yet another excuse to not support it. It would be nice to be proved wrong and see the policy process actually produce a policy that had some teeth and solved a problem. God knows it's failed miserably with the IPv4 pending runout problem. Ted From sleibrand at internap.com Tue Sep 11 19:48:48 2007 From: sleibrand at internap.com (Scott Leibrand) Date: Tue, 11 Sep 2007 16:48:48 -0700 Subject: [ppml] Is this Lame or what? In-Reply-To: <454810F09B5AA04E9D78D13A5C39028A02A4C9D6@nyrofcs2ke2k01.corp.pvt> References: <454810F09B5AA04E9D78D13A5C39028A02A4C9D6@nyrofcs2ke2k01.corp.pvt> Message-ID: <46E72960.4030805@internap.com> After doing some research (which I highly recommend everyone do before posting), I'm not sure any policy changes are needed to deal with the two specific cases raised so far. ARIN's Lame Delegations page at http://www.arin.net/reference/lame_delegations.html states that "ARIN tests a reverse zone by requesting the SOA (Start of Authority) record from the name servers registered in WHOIS. ... Any other answer (or an inability to reach the nameserver due to a forward lookup failure) results in the delegation being deemed lame. If all of zones for a given name server of a specific network registration are lame, the delegation registration is deemed lame." The way I read that, the fact that the authoritative servers for 160.76.in-addr.arpa., 161.76.in-addr.arpa., and 64.114.208.in-addr.arpa. through 95.114.208.in-addr.arpa. do not respond to queries qualifies them as lame. Under ARIN's own policy, that further means that "After 30 consecutive days of lameness, ARIN notifies the points-of-contact of record via e-mail." and then if they get no response and it's not fixed, "After 90 consecutive days of lameness, ARIN strips the lame delegations from the WHOIS registration record and notifies the points-of-contact of record of the actions taken." Can anyone from ARIN comment as to whether they share my interpretation that a non-responsive name server is deemed lame, and subject to removal under the procedure outlined above? Thanks, Scott Azinger, Marla wrote: > I would like to see a proposal that is along the lines of clarifying in addition to Owens proposal to just take it away. Hopefully we havnt scared John off and he will give a wack at it. > > Cheers! > Marla > > -----Original Message----- > From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net]On Behalf Of > William Herrin > Sent: Tuesday, September 11, 2007 3:32 PM > To: Owen DeLong > Cc: Public Policy Mailing List > Subject: Re: [ppml] Policy Proposal -- Eliminate Lame Server policy > > > On 9/11/07, Owen DeLong wrote: > >> 1. Policy Proposal Name: Deprecate Lame Server Policy >> 7. Policy statement: >> Delete section 7 from the NRPM >> > > Owen, > > Are you sure this is the right way to move on this? If we're going to > call ISPs "Local Internet Registries," shouldn't we expect them to > behave as internet registries and do the things that internet > registries do, including reallocation and assignment of the RDNS > attached to every IP address? > > Regards, > Bill Herrin > > From john at quonix.net Tue Sep 11 19:54:42 2007 From: john at quonix.net (John Von Essen) Date: Tue, 11 Sep 2007 19:54:42 -0400 Subject: [ppml] Policy Proposal -- Eliminate Lame Server policy In-Reply-To: <454810F09B5AA04E9D78D13A5C39028A02A4C9D6@nyrofcs2ke2k01.corp.pvt> References: <454810F09B5AA04E9D78D13A5C39028A02A4C9D6@nyrofcs2ke2k01.corp.pvt> Message-ID: <24EB9466-293D-409F-A3BD-2A9FDAFABC5D@quonix.net> I do plan to submit my proposal. My final comment on all of this is with regards to ARIN's stance on operational issues. I agree ARIN should be careful, but keep in mind ARIN does provide an operational function of reverse DNS authority delegation. Because ARIN engages in this very-real activity, policy must exist to cover its implementation, design, and overall operational health. If ARIN just did AS numbers and IP allocation, and another organization did reverse delegation, say Network Solutions, then YES - ARIN should not get involved with operational issues of reverse DNS. But that fact is ARIN does do reverse DNS delegation. When I do a dig on an IP, I see alot of ARIN servers in the output! -John On Sep 11, 2007, at 7:21 PM, Azinger, Marla wrote: > I would like to see a proposal that is along the lines of > clarifying in addition to Owens proposal to just take it away. > Hopefully we havnt scared John off and he will give a wack at it. > > Cheers! > Marla > > -----Original Message----- > From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net]On Behalf Of > William Herrin > Sent: Tuesday, September 11, 2007 3:32 PM > To: Owen DeLong > Cc: Public Policy Mailing List > Subject: Re: [ppml] Policy Proposal -- Eliminate Lame Server policy > > > On 9/11/07, Owen DeLong wrote: >> 1. Policy Proposal Name: Deprecate Lame Server Policy >> 7. Policy statement: >> Delete section 7 from the NRPM > > Owen, > > Are you sure this is the right way to move on this? If we're going to > call ISPs "Local Internet Registries," shouldn't we expect them to > behave as internet registries and do the things that internet > registries do, including reallocation and assignment of the RDNS > attached to every IP address? > > Regards, > Bill Herrin > > -- > William D. Herrin herrin at dirtside.com bill at herrin.us > 3005 Crane Dr. Web: > Falls Church, VA 22042-3004 > _______________________________________________ > PPML > You are receiving this message because you are subscribed to the > ARIN Public Policy > Mailing List (PPML at arin.net). > Unsubscribe or manage your mailing list subscription at: > http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN > Member Services > Help Desk at info at arin.net if you experience any issues. > _______________________________________________ > PPML > You are receiving this message because you are subscribed to the > ARIN Public Policy > Mailing List (PPML at arin.net). > Unsubscribe or manage your mailing list subscription at: > http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN > Member Services > Help Desk at info at arin.net if you experience any issues. Thanks, John Von Essen (800) 248-1736 ext 100 john at quonix.net -------------- next part -------------- An HTML attachment was scrubbed... URL: From marla.azinger at frontiercorp.com Tue Sep 11 20:05:43 2007 From: marla.azinger at frontiercorp.com (Azinger, Marla) Date: Tue, 11 Sep 2007 20:05:43 -0400 Subject: [ppml] Is this Lame or what? Message-ID: <454810F09B5AA04E9D78D13A5C39028A0272FA13@nyrofcs2ke2k01.corp.pvt> LOL. I understand your point about research...but there is value in the postings. Eventually it should progress toward clarification to all. And I do believe from all the confusion the current written text has caused, that some clarification is needed. Be it policy, definitions clarified or just staff process clarification publicly posted somewhere. There is clearly some work to be done here in order to minimize confusion and/or resolve something that seems to be not fully baked. And you might have also noticed how many different views surrounding the whole topic are out there...so the discussion in my view is good. Is daunting and does it add to more ppml to read? yes. But...that is how we keep the process open and able to change if the community realizes later on down the road that they do or dont like what currently is written as policy or process. Cheers! Marla -----Original Message----- From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net]On Behalf Of Scott Leibrand Sent: Tuesday, September 11, 2007 4:49 PM To: Member Services Cc: Public Policy Mailing List Subject: [ppml] Is this Lame or what? After doing some research (which I highly recommend everyone do before posting), I'm not sure any policy changes are needed to deal with the two specific cases raised so far. ARIN's Lame Delegations page at http://www.arin.net/reference/lame_delegations.html states that "ARIN tests a reverse zone by requesting the SOA (Start of Authority) record from the name servers registered in WHOIS. ... Any other answer (or an inability to reach the nameserver due to a forward lookup failure) results in the delegation being deemed lame. If all of zones for a given name server of a specific network registration are lame, the delegation registration is deemed lame." The way I read that, the fact that the authoritative servers for 160.76.in-addr.arpa., 161.76.in-addr.arpa., and 64.114.208.in-addr.arpa. through 95.114.208.in-addr.arpa. do not respond to queries qualifies them as lame. Under ARIN's own policy, that further means that "After 30 consecutive days of lameness, ARIN notifies the points-of-contact of record via e-mail." and then if they get no response and it's not fixed, "After 90 consecutive days of lameness, ARIN strips the lame delegations from the WHOIS registration record and notifies the points-of-contact of record of the actions taken." Can anyone from ARIN comment as to whether they share my interpretation that a non-responsive name server is deemed lame, and subject to removal under the procedure outlined above? Thanks, Scott Azinger, Marla wrote: > I would like to see a proposal that is along the lines of clarifying in addition to Owens proposal to just take it away. Hopefully we havnt scared John off and he will give a wack at it. > > Cheers! > Marla > > -----Original Message----- > From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net]On Behalf Of > William Herrin > Sent: Tuesday, September 11, 2007 3:32 PM > To: Owen DeLong > Cc: Public Policy Mailing List > Subject: Re: [ppml] Policy Proposal -- Eliminate Lame Server policy > > > On 9/11/07, Owen DeLong wrote: > >> 1. Policy Proposal Name: Deprecate Lame Server Policy >> 7. Policy statement: >> Delete section 7 from the NRPM >> > > Owen, > > Are you sure this is the right way to move on this? If we're going to > call ISPs "Local Internet Registries," shouldn't we expect them to > behave as internet registries and do the things that internet > registries do, including reallocation and assignment of the RDNS > attached to every IP address? > > Regards, > Bill Herrin > > _______________________________________________ PPML You are receiving this message because you are subscribed to the ARIN Public Policy Mailing List (PPML at arin.net). Unsubscribe or manage your mailing list subscription at: http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN Member Services Help Desk at info at arin.net if you experience any issues. From arin-contact at dirtside.com Tue Sep 11 20:11:53 2007 From: arin-contact at dirtside.com (William Herrin) Date: Tue, 11 Sep 2007 20:11:53 -0400 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy In-Reply-To: <46E71DA3.40005@psg.com> References: <46E709A7.9060105@ca.afilias.info> <46E71DA3.40005@psg.com> Message-ID: <3c3e3fca0709111711n3940aa58j5bec0584e1b13567@mail.gmail.com> On 9/11/07, Randy Bush wrote: > aside from issues of whether the community has the right to descend into > the delegation, how would we text the sub-delegations? if they are on > byte boundaries, we can probe for them. but goddesses help us if they > use rfc 2317. and is it our prerogative to probe 256 sub-delegations of > a /16? 64k of a /8? and how many of a /32 in ipv6 space? Randy, That's the easy part: kick off action only after receiving a complaint. Where no one minds, it doesn't matter and the complaint will tell us exactly where to look. Regards, Bill Herrin -- William D. Herrin herrin at dirtside.com bill at herrin.us 3005 Crane Dr. Web: Falls Church, VA 22042-3004 From john at quonix.net Tue Sep 11 20:15:30 2007 From: john at quonix.net (John Von Essen) Date: Tue, 11 Sep 2007 20:15:30 -0400 Subject: [ppml] Is this Lame or what? In-Reply-To: <46E72960.4030805@internap.com> References: <454810F09B5AA04E9D78D13A5C39028A02A4C9D6@nyrofcs2ke2k01.corp.pvt> <46E72960.4030805@internap.com> Message-ID: Scott, That is a good point, and I had the very same question before posting. So I emailed the ARIN hostmaster for a clarification. Hostmaster confirmed what you state below: "Only if all of zones for a given name server of a specific network registration are lame, is the delegation registration deemed lame" That is valid, correct, and should stay as-is. Here is the problem. There is an ISP with a /22 network registration (4 /24's). Everything is delegated to a set of DNS servers. Those DNS servers correctly answer SOA request for 3 out of 4 of the /24 in- addr.arpa's. However, that last /24 was left out, and the ISPs DNS server does not answer on the SOA request, even though the ISP uses that /24. So the question is, what do we do? Under current ARIN policy it sounds like the above scenario does not deem the ISP's /22 reverse dns delegation lame. Its only lame if all 4 /24's were lame, but in this case only one is lame. So nothing is done. Problem is, this is a problem! If any /24 in-addr.arpa is lame, even though other /24's in the ISP's network registration are not, the ISP should still be considered "partially" lame, and should still be contacted by ARIN to remedy the situation. And the overriding rationale for all of this is that the one lame /24 is causing issues (like timeouts) for other people on the internet. Its like sending 4 kids to school. 3 have their books and homework, and 1 has nothing. The 1 kid with nothing will cause issues for the teacher and the rest of the class. Now is it as bad as sending all 4 kids to school if all 4 had no books or homework... No. But its still bad, and the parents should be called in for a teachers meeting due to their irresponsibility! -John On Sep 11, 2007, at 7:48 PM, Scott Leibrand wrote: > After doing some research (which I highly recommend everyone do before > posting), I'm not sure any policy changes are needed to deal with the > two specific cases raised so far. > > ARIN's Lame Delegations page at > http://www.arin.net/reference/lame_delegations.html states that "ARIN > tests a reverse zone by requesting the SOA (Start of Authority) record > from the name servers registered in WHOIS. ... Any other answer (or an > inability to reach the nameserver due to a forward lookup failure) > results in the delegation being deemed lame. If all of zones for a > given > name server of a specific network registration are lame, the > delegation > registration is deemed lame." > > The way I read that, the fact that the authoritative servers for > 160.76.in-addr.arpa., 161.76.in-addr.arpa., and 64.114.208.in- > addr.arpa. > through 95.114.208.in-addr.arpa. do not respond to queries qualifies > them as lame. Under ARIN's own policy, that further means that "After > 30 consecutive days of lameness, ARIN notifies the points-of- > contact of > record via e-mail." and then if they get no response and it's not > fixed, > "After 90 consecutive days of lameness, ARIN strips the lame > delegations > from the WHOIS registration record and notifies the points-of- > contact of > record of the actions taken." > > Can anyone from ARIN comment as to whether they share my > interpretation > that a non-responsive name server is deemed lame, and subject to > removal > under the procedure outlined above? > > Thanks, > Scott > > Azinger, Marla wrote: >> I would like to see a proposal that is along the lines of >> clarifying in addition to Owens proposal to just take it away. >> Hopefully we havnt scared John off and he will give a wack at it. >> >> Cheers! >> Marla >> >> -----Original Message----- >> From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net]On >> Behalf Of >> William Herrin >> Sent: Tuesday, September 11, 2007 3:32 PM >> To: Owen DeLong >> Cc: Public Policy Mailing List >> Subject: Re: [ppml] Policy Proposal -- Eliminate Lame Server policy >> >> >> On 9/11/07, Owen DeLong wrote: >> >>> 1. Policy Proposal Name: Deprecate Lame Server Policy >>> 7. Policy statement: >>> Delete section 7 from the NRPM >>> >> >> Owen, >> >> Are you sure this is the right way to move on this? If we're going to >> call ISPs "Local Internet Registries," shouldn't we expect them to >> behave as internet registries and do the things that internet >> registries do, including reallocation and assignment of the RDNS >> attached to every IP address? >> >> Regards, >> Bill Herrin >> >> > _______________________________________________ > PPML > You are receiving this message because you are subscribed to the > ARIN Public Policy > Mailing List (PPML at arin.net). > Unsubscribe or manage your mailing list subscription at: > http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN > Member Services > Help Desk at info at arin.net if you experience any issues. Thanks, John Von Essen (800) 248-1736 ext 100 john at quonix.net From tedm at ipinc.net Tue Sep 11 20:26:18 2007 From: tedm at ipinc.net (Ted Mittelstaedt) Date: Tue, 11 Sep 2007 17:26:18 -0700 Subject: [ppml] Policy Proposal -- Eliminate Lame Server policy In-Reply-To: <24EB9466-293D-409F-A3BD-2A9FDAFABC5D@quonix.net> Message-ID: Yes John you are correct but the way things often work on this list is someone like Owen will submit a policy to remove something that shouldn't obviously be removed, the result of which will convert a bunch of fence sitters into proponents of keeping it. The list membership needs Owens "just kill it" proposal precisely to have something to vote down. A no vote commits the person voting no, to supporting the policy. If Owens proposal is voted down, that will destroy all of the "it's not the RIR's responsibility to enforce sanctions against bad nameserver operators" arguments, and we can move the discussion to something productive of how to actually fix the problem. Your proposal might be premature - you might find it better to campaign against Owens proposal first. Ted -----Original Message----- From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net]On Behalf Of John Von Essen Sent: Tuesday, September 11, 2007 4:55 PM To: Public Policy Mailing List Subject: Re: [ppml] Policy Proposal -- Eliminate Lame Server policy I do plan to submit my proposal. My final comment on all of this is with regards to ARIN's stance on operational issues. I agree ARIN should be careful, but keep in mind ARIN does provide an operational function of reverse DNS authority delegation. Because ARIN engages in this very-real activity, policy must exist to cover its implementation, design, and overall operational health. If ARIN just did AS numbers and IP allocation, and another organization did reverse delegation, say Network Solutions, then YES - ARIN should not get involved with operational issues of reverse DNS. But that fact is ARIN does do reverse DNS delegation. When I do a dig on an IP, I see alot of ARIN servers in the output! -John On Sep 11, 2007, at 7:21 PM, Azinger, Marla wrote: I would like to see a proposal that is along the lines of clarifying in addition to Owens proposal to just take it away. Hopefully we havnt scared John off and he will give a wack at it. Cheers! Marla -----Original Message----- From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net]On Behalf Of William Herrin Sent: Tuesday, September 11, 2007 3:32 PM To: Owen DeLong Cc: Public Policy Mailing List Subject: Re: [ppml] Policy Proposal -- Eliminate Lame Server policy On 9/11/07, Owen DeLong wrote: 1. Policy Proposal Name: Deprecate Lame Server Policy 7. Policy statement: Delete section 7 from the NRPM Owen, Are you sure this is the right way to move on this? If we're going to call ISPs "Local Internet Registries," shouldn't we expect them to behave as internet registries and do the things that internet registries do, including reallocation and assignment of the RDNS attached to every IP address? Regards, Bill Herrin -- William D. Herrin herrin at dirtside.com bill at herrin.us 3005 Crane Dr. Web: Falls Church, VA 22042-3004 _______________________________________________ PPML You are receiving this message because you are subscribed to the ARIN Public Policy Mailing List (PPML at arin.net). Unsubscribe or manage your mailing list subscription at: http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN Member Services Help Desk at info at arin.net if you experience any issues. _______________________________________________ PPML You are receiving this message because you are subscribed to the ARIN Public Policy Mailing List (PPML at arin.net). Unsubscribe or manage your mailing list subscription at: http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN Member Services Help Desk at info at arin.net if you experience any issues. Thanks, John Von Essen (800) 248-1736 ext 100 john at quonix.net -------------- next part -------------- An HTML attachment was scrubbed... URL: From info at arin.net Tue Sep 11 20:29:29 2007 From: info at arin.net (Member Services) Date: Tue, 11 Sep 2007 20:29:29 -0400 Subject: [ppml] Policy Proposal -- Eliminate Lame Server policy In-Reply-To: References: Message-ID: <46E732E9.5030108@arin.net> ARIN received the following policy proposal. In accordance with the ARIN Internet Resource Policy Evaluation Process, the proposal is being posted to the ARIN Public Policy Mailing List (PPML) and being placed on ARIN's website. The ARIN Advisory Council (AC) will review this proposal at their next regularly scheduled meeting. The AC may decide to: 1. Accept the proposal as a formal policy proposal as written. If the AC accepts the proposal, it will be posted as a formal policy proposal to PPML and it will be presented at a Public Policy Meeting. 2. Postpone their decision regarding the proposal until the next regularly scheduled AC meeting in order to work with the author. The AC will work with the author to clarify, combine or divide the proposal. At their following meeting the AC will accept or not accept the proposal. 3. Not accept the proposal. If the AC does not accept the proposal, the AC will explain their decision. If a proposal is not accepted, then the author may elect to use the petition process to advance their proposal. If the author elects not to petition or the petition fails, then the proposal will be closed. The AC will assign shepherds in the near future. ARIN will provide the names of the shepherds to the community via the PPML. In the meantime, the AC invites everyone to comment on this proposal on the PPML, particularly their support or non-support and the reasoning behind their opinion. Such participation contributes to a thorough vetting and provides important guidance to the AC in their deliberations. The ARIN Internet Resource Policy Evaluation Process can be found at: http://www.arin.net/policy/irpep.html Mailing list subscription information can be found at: http://www.arin.net/mailing_lists/ Regards, Member Services American Registry for Internet Numbers (ARIN) ## * ## Owen DeLong wrote: > Template: ARIN-POLICY-PROPOSAL-TEMPLATE-1.0 > > 1. Policy Proposal Name: Deprecate Lame Server Policy > 2. Author > a. name: Owen DeLong > b. email: owen at delong.com > c. telephone: 408-921-6984 > d. organization: JITTR Networks > > 3. Proposal Version: 1.0 > 4. Submission Date: 11 September, 2007 > 5. Proposal type: delete > new, modify, or delete. > 6. Policy term: permanent > temporary, permanent, or renewable. > 7. Policy statement: > Delete section 7 from the NRPM > > 8. Rationale: > Recent PPML discussion has called attention to the > fact that lame DNS delegations are more an operational > issue than one of policy. As such, the existing lame > delegation policy should be removed from the NRPM > to remove the resultant confusion. This is not meant > to prevent ARIN staff from taking reasonable action > WRT DNS operational issues related to resources issued > by ARIN, but, such action can be covered by staff > operational guidelines and is not within the scope > of Address Policy. > > 9. Timetable for implementation: > 1 June, 2008 > 10. Meeting presenter: > END OF TEMPLATE > _______________________________________________ > PPML > You are receiving this message because you are subscribed to the ARIN Public Policy > Mailing List (PPML at arin.net). > Unsubscribe or manage your mailing list subscription at: > http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN Member Services > Help Desk at info at arin.net if you experience any issues. > From randy at psg.com Tue Sep 11 20:38:17 2007 From: randy at psg.com (Randy Bush) Date: Tue, 11 Sep 2007 14:38:17 -1000 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy In-Reply-To: <3c3e3fca0709111711n3940aa58j5bec0584e1b13567@mail.gmail.com> References: <46E709A7.9060105@ca.afilias.info> <46E71DA3.40005@psg.com> <3c3e3fca0709111711n3940aa58j5bec0584e1b13567@mail.gmail.com> Message-ID: <46E734F9.6020809@psg.com> >> aside from issues of whether the community has the right to descend into >> the delegation, how would we text the sub-delegations? if they are on >> byte boundaries, we can probe for them. but goddesses help us if they >> use rfc 2317. and is it our prerogative to probe 256 sub-delegations of >> a /16? 64k of a /8? and how many of a /32 in ipv6 space? > That's the easy part: kick off action only after receiving a > complaint. Where no one minds, it doesn't matter and the complaint > will tell us exactly where to look. problem is that, of a thousand users who get screwed, how many will know they they are screwed, let alone how to diagnose? randy From randy at psg.com Tue Sep 11 20:41:14 2007 From: randy at psg.com (Randy Bush) Date: Tue, 11 Sep 2007 14:41:14 -1000 Subject: [ppml] Policy Proposal -- Eliminate Lame Server policy In-Reply-To: <46E732E9.5030108@arin.net> References: <46E732E9.5030108@arin.net> Message-ID: <46E735AA.901@psg.com> please reject this silliness. we're trying to improve the net, not show that we're s. randy From tedm at ipinc.net Tue Sep 11 20:51:31 2007 From: tedm at ipinc.net (Ted Mittelstaedt) Date: Tue, 11 Sep 2007 17:51:31 -0700 Subject: [ppml] Is this Lame or what? In-Reply-To: Message-ID: >-----Original Message----- >From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net]On Behalf Of >John Von Essen >Sent: Tuesday, September 11, 2007 5:16 PM >To: Public Policy Mailing List >Subject: Re: [ppml] Is this Lame or what? > > >Scott, > >That is a good point, and I had the very same question before >posting. So I emailed the ARIN hostmaster for a clarification. > >Hostmaster confirmed what you state below: > >"Only if all of zones for a given name server of a specific network >registration are lame, is the delegation registration deemed lame" > >That is valid, correct, and should stay as-is. > >Here is the problem. There is an ISP with a /22 network registration >(4 /24's). Everything is delegated to a set of DNS servers. Those DNS >servers correctly answer SOA request for 3 out of 4 of the /24 in- >addr.arpa's. However, that last /24 was left out, and the ISPs DNS >server does not answer on the SOA request, even though the ISP uses >that /24. > >So the question is, what do we do? Under current ARIN policy it >sounds like the above scenario does not deem the ISP's /22 reverse >dns delegation lame. Its only lame if all 4 /24's were lame, but in >this case only one is lame. So nothing is done. > >Problem is, this is a problem! If any /24 in-addr.arpa is lame, even >though other /24's in the ISP's network registration are not, the ISP >should still be considered "partially" lame, and should still be >contacted by ARIN to remedy the situation. > John I disagree - the ISP should only be contacted by ARIN after an attempt is made to contact the ISP by the complaintant and the ISP has proven nonresponsive. >And the overriding rationale for all of this is that the one lame /24 >is causing issues (like timeouts) for other people on the internet. > >Its like sending 4 kids to school. 3 have their books and homework, >and 1 has nothing. The 1 kid with nothing will cause issues for the >teacher and the rest of the class. Now is it as bad as sending all 4 >kids to school if all 4 had no books or homework... No. But its still >bad, and the parents should be called in for a teachers meeting due >to their irresponsibility! > No this isn't an exact analogy because the privacy laws basically prevent other parents from contacting the parent of the kid without his homework (since the teachers are prohibited from discussing the kid with other parents) so the school has to be the one to call the bad parent. Ted From tedm at ipinc.net Tue Sep 11 20:59:31 2007 From: tedm at ipinc.net (Ted Mittelstaedt) Date: Tue, 11 Sep 2007 17:59:31 -0700 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy In-Reply-To: <46E734F9.6020809@psg.com> Message-ID: >-----Original Message----- >From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net]On Behalf Of >Randy Bush >Sent: Tuesday, September 11, 2007 5:38 PM >To: William Herrin >Cc: Public Policy Mailing List >Subject: Re: [ppml] Comments on ARIN's reverse DNS mapping policy > > >>> aside from issues of whether the community has the right to descend into >>> the delegation, how would we text the sub-delegations? if they are on >>> byte boundaries, we can probe for them. but goddesses help us if they >>> use rfc 2317. and is it our prerogative to probe 256 sub-delegations of >>> a /16? 64k of a /8? and how many of a /32 in ipv6 space? >> That's the easy part: kick off action only after receiving a >> complaint. Where no one minds, it doesn't matter and the complaint >> will tell us exactly where to look. > >problem is that, of a thousand users who get screwed, how many will know >they they are screwed, let alone how to diagnose? > There was a big tide one day and on the beach a thousand starfish were washed up, and lay dying in the hot sun. A boy walked along the beach picking up starfish and throwing them back into the water one by one. A man told the boy: "Give up, there is no way you can save all these starfish, what you are doing does not matter" The boy answered: "It matters to the starfish I threw back" If even 1 of the thousand screwed users is clueful enough to use the policy to fix their problem, the policy has done it's work. Ted From kmedcalf at dessus.com Tue Sep 11 21:09:39 2007 From: kmedcalf at dessus.com (Keith Medcalf) Date: Tue, 11 Sep 2007 21:09:39 -0400 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy In-Reply-To: <81245675-0736-467F-9EF2-A20A0FC0E904@quonix.net> Message-ID: > Identical issues to what I am experiencing. If people look > deeply enough, I am confident there are many Org's who > operate AS's with no in-addr.arpa SOA on there DNS servers. You remember that once upon a time in a land far far away the lack of functioning in-addr.arpa. DNS would act to actually prohibit those addresses for being useful for anything other than crawling the dirtpath though CIX and accessing advertizing gophers and the "Commercial internet". As I recall when I signed the AUP for NSFNet access and transit, working DNS closure was a requirement for access to almost any resource subject those and similar AUP's in common use at that time. Then along came the clueless johhny-come-lately ISPs (mostly telco's and cableco's) and people stopped checking in-addr.arpa DNS because the sheer volume of the clueless created massive operational issues. For example, even merit's ftp servers (and uu's also) *required* not only non-lame in-addr.arpa delegations, but also closure of the forward and reverse mapping. After a while (measured in years) many of the telco/cableco's managed to *buy* a clue. Many even have proper closure of the forward and reverse zones. Despite this fact many more recent arrivals (some of them really really big software companies, like Microsoft) still haven't managed to either find or buy a clue. Perhaps because the clue-store is sold out or all clues are on back-order :) There is a reason why in-addr.arpa and forward DNS closure is a good thing: often the operators of each DNS zone are different (or at least those in control of the delegations are different) and therefore proper closure demonstrates that the end-ip is authorized to operate by both the "network" (in-addr.arpa) operator *and* the forward "domain" operator. If attempting resolution though both domains does not result in closure it is reasonable to assume that the ip/netblock in question is not "authentic" -- and thus any service requiring bare minimum of authenticity verification shoulod be denied to those unable to demonstrate such closure. From sleibrand at internap.com Tue Sep 11 21:23:30 2007 From: sleibrand at internap.com (Scott Leibrand) Date: Tue, 11 Sep 2007 18:23:30 -0700 Subject: [ppml] Policy Proposal -- Eliminate Lame Server policy In-Reply-To: <46E732E9.5030108@arin.net> References: <46E732E9.5030108@arin.net> Message-ID: <46E73F92.8080101@internap.com> I oppose this policy proposal. I believe that the current policy (section 7) defines reasonable policy guidelines for ARIN staff, and does not micro-manage operational details. The fact that ARIN took the single paragraph of section 7.2 and expanded it into an entire page of procedure for dealing with lame delegations gives me confidence that we're striking the right balance here. It may be worthwhile to use the ACSP to suggest improvements to ARIN's lame delegation procedure, and may even be appropriate to refine lame delegation policy to require delegated servers to answer authoritatively for all delegated subdomains covering an allocation. However, I don't think it's appropriate to remove section 7. -Scott Member Services wrote: > ARIN received the following policy proposal. In accordance with the ARIN > Internet Resource Policy Evaluation Process, the proposal is being > posted to the ARIN Public Policy Mailing List (PPML) and being placed on > ARIN's website. > > The ARIN Advisory Council (AC) will review this proposal at their next > regularly scheduled meeting. The AC may decide to: > > 1. Accept the proposal as a formal policy proposal as written. If the > AC accepts the proposal, it will be posted as a formal policy proposal > to PPML and it will be presented at a Public Policy Meeting. > > 2. Postpone their decision regarding the proposal until the next > regularly scheduled AC meeting in order to work with the author. The AC > will work with the author to clarify, combine or divide the proposal. At > their following meeting the AC will accept or not accept the proposal. > > 3. Not accept the proposal. If the AC does not accept the proposal, > the AC will explain their decision. If a proposal is not accepted, then > the author may elect to use the petition process to advance their > proposal. If the author elects not to petition or the petition fails, > then the proposal will be closed. > > The AC will assign shepherds in the near future. ARIN will provide the > names of the shepherds to the community via the PPML. > > In the meantime, the AC invites everyone to comment on this proposal on > the PPML, particularly their support or non-support and the reasoning > behind their opinion. Such participation contributes to a thorough > vetting and provides important guidance to the AC in their deliberations. > > The ARIN Internet Resource Policy Evaluation Process can be found at: > http://www.arin.net/policy/irpep.html > > Mailing list subscription information can be found at: > http://www.arin.net/mailing_lists/ > > Regards, > > Member Services > American Registry for Internet Numbers (ARIN) > > > ## * ## > > > Owen DeLong wrote: > >> Template: ARIN-POLICY-PROPOSAL-TEMPLATE-1.0 >> >> 1. Policy Proposal Name: Deprecate Lame Server Policy >> 2. Author >> a. name: Owen DeLong >> b. email: owen at delong.com >> c. telephone: 408-921-6984 >> d. organization: JITTR Networks >> >> 3. Proposal Version: 1.0 >> 4. Submission Date: 11 September, 2007 >> 5. Proposal type: delete >> new, modify, or delete. >> 6. Policy term: permanent >> temporary, permanent, or renewable. >> 7. Policy statement: >> Delete section 7 from the NRPM >> >> 8. Rationale: >> Recent PPML discussion has called attention to the >> fact that lame DNS delegations are more an operational >> issue than one of policy. As such, the existing lame >> delegation policy should be removed from the NRPM >> to remove the resultant confusion. This is not meant >> to prevent ARIN staff from taking reasonable action >> WRT DNS operational issues related to resources issued >> by ARIN, but, such action can be covered by staff >> operational guidelines and is not within the scope >> of Address Policy. >> >> 9. Timetable for implementation: >> 1 June, 2008 >> 10. Meeting presenter: >> END OF TEMPLATE >> _______________________________________________ >> PPML >> You are receiving this message because you are subscribed to the ARIN Public Policy >> Mailing List (PPML at arin.net). >> Unsubscribe or manage your mailing list subscription at: >> http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN Member Services >> Help Desk at info at arin.net if you experience any issues. >> >> > > _______________________________________________ > PPML > You are receiving this message because you are subscribed to the ARIN Public Policy > Mailing List (PPML at arin.net). > Unsubscribe or manage your mailing list subscription at: > http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN Member Services > Help Desk at info at arin.net if you experience any issues. > From jlewis at lewis.org Tue Sep 11 21:26:39 2007 From: jlewis at lewis.org (Jon Lewis) Date: Tue, 11 Sep 2007 21:26:39 -0400 (EDT) Subject: [ppml] Comments on ARIN's reverse DNS mapping policy In-Reply-To: <995886AB-001D-4C91-A787-4572BFB0ED1E@quonix.net> References: <454810F09B5AA04E9D78D13A5C39028A0272FA0D@nyrofcs2ke2k01.corp.pvt> <46E61408.5000100@psg.com> <091ECDC1-0112-4FCC-9F2B-E50E0D04158C@quonix.net> <7989754C-C7A0-4E4B-8095-A4FE8E785F89@delong.com> <995886AB-001D-4C91-A787-4572BFB0ED1E@quonix.net> Message-ID: On Tue, 11 Sep 2007, John Von Essen wrote: > Now consider this... > > # nslookup 76.161.191.192 > ;; connection timed out; no servers could be reached > > And the above took about 20 seconds to return. The AS who advertises > 76.161.192.0/24 (and many other /24's) does not have the > 192.161.76.in-addr.arpa zone configured at all on their DNS server. This is a > problem for the user of that IP, and any person on the internet that has to > talk to that IP since it will create a burdensome dns timeouts. > > I'm sorry, but that second example is simply unacceptable. This may sound > rude, but the amount of money ARIN brings in for ASN registrations, > membership, and IP range allocations - the buck has to stop with ARIN when it > comes to AS's who completely misconfigure massive in-addr.arpa zones and > potentially create the environment to slow down dns traffic throughout the > internet. ARIN hands out IP space and ASNs. Other than some general rules as to what ARIN members can do with their IP space, ARIN doesn't tell them how to run their networks. Annoying as it may be, if you don't like the way your ISP runs _their_ network, you have two choices. 1) Leave. 2) Buy them and run the network your way. If you want ARIN to start imposing rules on how members do things, make it something useful and have ARIN forbid BGP deaggregation of allocated / assigned CIDRs into subnets having the same as-path. ---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ From john at quonix.net Tue Sep 11 21:35:02 2007 From: john at quonix.net (John Von Essen) Date: Tue, 11 Sep 2007 21:35:02 -0400 Subject: [ppml] Policy Proposal -- Eliminate Lame Server policy In-Reply-To: References: Message-ID: <353F859A-78CA-4886-8B29-33D428224158@quonix.net> Its goes without saying, but I guess I should officially make my opinion known now that it is under review. I do not agree with this policy proposal. It would be a major step backwards. -John On Sep 11, 2007, at 5:10 PM, Owen DeLong wrote: > Template: ARIN-POLICY-PROPOSAL-TEMPLATE-1.0 > > 1. Policy Proposal Name: Deprecate Lame Server Policy > 2. Author > a. name: Owen DeLong > b. email: owen at delong.com > c. telephone: 408-921-6984 > d. organization: JITTR Networks > > 3. Proposal Version: 1.0 > 4. Submission Date: 11 September, 2007 > 5. Proposal type: delete > new, modify, or delete. > 6. Policy term: permanent > temporary, permanent, or renewable. > 7. Policy statement: > Delete section 7 from the NRPM > > 8. Rationale: > Recent PPML discussion has called attention to the > fact that lame DNS delegations are more an operational > issue than one of policy. As such, the existing lame > delegation policy should be removed from the NRPM > to remove the resultant confusion. This is not meant > to prevent ARIN staff from taking reasonable action > WRT DNS operational issues related to resources issued > by ARIN, but, such action can be covered by staff > operational guidelines and is not within the scope > of Address Policy. > > 9. Timetable for implementation: > 1 June, 2008 > 10. Meeting presenter: > END OF TEMPLATE > _______________________________________________ > PPML > You are receiving this message because you are subscribed to the > ARIN Public Policy > Mailing List (PPML at arin.net). > Unsubscribe or manage your mailing list subscription at: > http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN > Member Services > Help Desk at info at arin.net if you experience any issues. Thanks, John Von Essen (800) 248-1736 ext 100 john at quonix.net -------------- next part -------------- An HTML attachment was scrubbed... URL: From mac at pt.com Tue Sep 11 22:36:16 2007 From: mac at pt.com (Mark A Conrad) Date: Tue, 11 Sep 2007 22:36:16 -0400 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy In-Reply-To: Message-ID: >Annoying as it may be, if you don't like the way your ISP runs _their_ >network, you have two choices. > >1) Leave. >2) Buy them and run the network your way. But I don't like how someone else's ISP is running _their_ network, because it's affecting _my_ network by causing timeouts due to missing reverse DNS servers. That is exactly the kind of thing that ARIN policy should prevent. -------------- next part -------------- An HTML attachment was scrubbed... URL: From bicknell at ufp.org Tue Sep 11 22:52:32 2007 From: bicknell at ufp.org (Leo Bicknell) Date: Tue, 11 Sep 2007 22:52:32 -0400 Subject: [ppml] Policy Proposal -- Eliminate Lame Server policy In-Reply-To: References: Message-ID: <20070912025232.GA76366@ussenterprise.ufp.org> In a message written on Tue, Sep 11, 2007 at 02:10:09PM -0700, Owen DeLong wrote: > 8. Rationale: > Recent PPML discussion has called attention to the > fact that lame DNS delegations are more an operational > issue than one of policy. As such, the existing lame > delegation policy should be removed from the NRPM > to remove the resultant confusion. This is not meant > to prevent ARIN staff from taking reasonable action > WRT DNS operational issues related to resources issued > by ARIN, but, such action can be covered by staff > operational guidelines and is not within the scope > of Address Policy. With several recent issues staff has indicated a reluctance to take action if items were not spelled out in the NRPM. There is at least one proposal for the next meeting aimed at giving staff more clarity in the NRPM so they have backing to take action. As such I could not support this unless staff issued a strong statement that they would still feel empowered to take on lame servers if this policy were to pass, and section 7 were to be removed. I am afraid passing this proposal would leave them unwilling to take any action. I do think there's a deeper issue here, but for now I'm going to just look at the can of worms and not open it. -- Leo Bicknell - bicknell at ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - tmbg-list-request at tmbg.org, www.tmbg.org -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available URL: From owen at delong.com Tue Sep 11 23:51:43 2007 From: owen at delong.com (Owen DeLong) Date: Tue, 11 Sep 2007 20:51:43 -0700 Subject: [ppml] Policy Proposal -- Eliminate Lame Server policy In-Reply-To: References: Message-ID: <288AEB42-E021-4582-82F6-D4FD924EA551@delong.com> Ted, I believe you miss the point of my proposal. While I do believe that ARIN has a role to play in applying the clue bat to lame or partially lame ISPs and addressing John's issue, my point is that it belongs in operational guidelines to ARIN staff and not in the NRPM. My proposal talks about what I think belongs in the NRPM and is not a direct expression of how I feel about what ARIN staff should or should not be doing with respect to this particular issue. I would fully support an ACSP recommendation that ARIN address all IN-ADDR lameness whether complete or not on any direct assignment. This will potentially require ARIN to examine as many as 255 zones in IPv4 for a single assignment. I would oppose any suggestion requiring ARIN to drill down to lame delegations made by the ISPs relating to reassignment or reallocations made by the ISP because of dramatically increasing workload for dramatically decreasing return on investment and because there is a limit to the extent to which I believe ARIN should engage in telling operators how to run their network (let alone their customers' networks). I will also oppose any policy regarding the operational and/or implementation details of lame delegations because I firmly believe this is not the role of the NRPM and should be addressed with operational procedures and recommendations rather than with number resource policies. Owen On Sep 11, 2007, at 5:26 PM, Ted Mittelstaedt wrote: > Yes John you are correct but the way things often work on this list > is someone like Owen will > submit a policy to remove something that shouldn't obviously be > removed, the result of > which will convert a bunch of fence sitters into proponents of > keeping it. > > The list membership needs Owens "just kill it" proposal precisely > to have something to > vote down. A no vote commits the person voting no, to supporting > the policy. > > If Owens proposal is voted down, that will destroy all of the "it's > not the RIR's responsibility > to enforce sanctions against bad nameserver operators" arguments, > and we can move the discussion > to something productive of how to actually fix the problem. > > Your proposal might be premature - you might find it better to > campaign against Owens > proposal first. > > Ted > -----Original Message----- > From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net]On Behalf > Of John Von Essen > Sent: Tuesday, September 11, 2007 4:55 PM > To: Public Policy Mailing List > Subject: Re: [ppml] Policy Proposal -- Eliminate Lame Server policy > > I do plan to submit my proposal. My final comment on all of this is > with regards to ARIN's stance on operational issues. > > I agree ARIN should be careful, but keep in mind ARIN does provide > an operational function of reverse DNS authority delegation. > Because ARIN engages in this very-real activity, policy must exist > to cover its implementation, design, and overall operational health. > > If ARIN just did AS numbers and IP allocation, and another > organization did reverse delegation, say Network Solutions, then > YES - ARIN should not get involved with operational issues of > reverse DNS. But that fact is ARIN does do reverse DNS delegation. > When I do a dig on an IP, I see alot of ARIN servers in the output! > > -John > > On Sep 11, 2007, at 7:21 PM, Azinger, Marla wrote: > >> I would like to see a proposal that is along the lines of >> clarifying in addition to Owens proposal to just take it away. >> Hopefully we havnt scared John off and he will give a wack at it. >> >> Cheers! >> Marla >> >> -----Original Message----- >> From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net]On >> Behalf Of >> William Herrin >> Sent: Tuesday, September 11, 2007 3:32 PM >> To: Owen DeLong >> Cc: Public Policy Mailing List >> Subject: Re: [ppml] Policy Proposal -- Eliminate Lame Server policy >> >> >> On 9/11/07, Owen DeLong wrote: >>> 1. Policy Proposal Name: Deprecate Lame Server Policy >>> 7. Policy statement: >>> Delete section 7 from the NRPM >> >> Owen, >> >> Are you sure this is the right way to move on this? If we're going to >> call ISPs "Local Internet Registries," shouldn't we expect them to >> behave as internet registries and do the things that internet >> registries do, including reallocation and assignment of the RDNS >> attached to every IP address? >> >> Regards, >> Bill Herrin >> >> -- >> William D. Herrin herrin at dirtside.com bill at herrin.us >> 3005 Crane Dr. Web: >> Falls Church, VA 22042-3004 >> _______________________________________________ >> PPML >> You are receiving this message because you are subscribed to the >> ARIN Public Policy >> Mailing List (PPML at arin.net). >> Unsubscribe or manage your mailing list subscription at: >> http://lists.arin.net/mailman/listinfo/ppml Please contact the >> ARIN Member Services >> Help Desk at info at arin.net if you experience any issues. >> _______________________________________________ >> PPML >> You are receiving this message because you are subscribed to the >> ARIN Public Policy >> Mailing List (PPML at arin.net). >> Unsubscribe or manage your mailing list subscription at: >> http://lists.arin.net/mailman/listinfo/ppml Please contact the >> ARIN Member Services >> Help Desk at info at arin.net if you experience any issues. > > Thanks, > John Von Essen > (800) 248-1736 ext 100 > john at quonix.net > > > _______________________________________________ > PPML > You are receiving this message because you are subscribed to the > ARIN Public Policy > Mailing List (PPML at arin.net). > Unsubscribe or manage your mailing list subscription at: > http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN > Member Services > Help Desk at info at arin.net if you experience any issues. -------------- next part -------------- An HTML attachment was scrubbed... URL: From christopher.morrow at gmail.com Wed Sep 12 00:18:29 2007 From: christopher.morrow at gmail.com (Christopher Morrow) Date: Wed, 12 Sep 2007 00:18:29 -0400 Subject: [ppml] IPv6 flawed? In-Reply-To: References: <200708311233.l7VCXYBj005107@cjbsys.bdb.com>

Message-ID: At 15:39 -0700 9/11/07, Owen DeLong wrote: >Operational concerns about routing and DNS are, in my opinion outside >of that scope and only serve to muddy the waters of good number >resource policy. I've decided that I'm against the proposal because it is a bureaucratic step to fix a bureaucratic issue in response to a report of an operational issue. I think operational issues trump bureaucratic issues. The premise of the proposal is sound, there's no argument from me that, considered in a vacuum, the proposal cleans up a messy issue in the NRPM. In 2005 I used the existence of 2002-1 and 2003-5 as examples why there was a need to have a mechanism to provide operational input to ARIN. However I think trying to make sure we have a clean running process for policies is not as important as making sure the Internet benefits (operationally) by ARIN's presence. I'd support a movement of the lame delegation directions in to some formal, stable and binding ARIN document from where they now reside. But I won't support removing the home they have now until there is a new place for the lame delegation directions that membership achieved consensus on in response to the operational issue caused. -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis +1-571-434-5468 NeuStar Think glocally. Act confused. From bicknell at ufp.org Wed Sep 12 09:34:22 2007 From: bicknell at ufp.org (Leo Bicknell) Date: Wed, 12 Sep 2007 09:34:22 -0400 Subject: [ppml] Policy Proposal -- Eliminate Lame Server policy In-Reply-To: <20070912042907.GD2901@nsn.com> References: <20070912025232.GA76366@ussenterprise.ufp.org> <20070912042907.GD2901@nsn.com> Message-ID: <20070912133422.GA23451@ussenterprise.ufp.org> In a message written on Tue, Sep 11, 2007 at 09:29:07PM -0700, David Kessens wrote: > On Tue, Sep 11, 2007 at 10:52:32PM -0400, Leo Bicknell wrote: > > With several recent issues staff has indicated a reluctance to take > > action if items were not spelled out in the NRPM. There is at least > > one proposal for the next meeting aimed at giving staff more clarity > > in the NRPM so they have backing to take action. > > This is not something you can fix by means of spelling out more and > more operational details in policies. In fact, this would make the > problem worse. You misunderstood my statement. I don't want to add operational details to the NRPM, and I think the debate about what is a "lame" server only reenforces why that is a bad idea. If there are operational details in the NRPM they should be removed. However, my fear is that without section 7.2 ARIN staff will feel they have no authority to police DNS delegations. -- Leo Bicknell - bicknell at ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - tmbg-list-request at tmbg.org, www.tmbg.org -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available URL: From michael.dillon at bt.com Wed Sep 12 09:58:26 2007 From: michael.dillon at bt.com (michael.dillon at bt.com) Date: Wed, 12 Sep 2007 14:58:26 +0100 Subject: [ppml] Policy Proposal -- Eliminate Lame Server policy In-Reply-To: <20070912133422.GA23451@ussenterprise.ufp.org> References: <20070912025232.GA76366@ussenterprise.ufp.org><20070912042907.GD2901@nsn.com> <20070912133422.GA23451@ussenterprise.ufp.org> Message-ID: > However, my fear is that without section 7.2 ARIN staff will > feel they have no authority to police DNS delegations. With section 7.2, my fear is that ARIN staff will feel that they cannot take any action with regard to in-addr.arpa delegations unless it meets the letter of the policy. By removing this from policy, staff will be free to take any reasonable actions under the direction of management and the board without fear of contravening ARIN policy. This is an ops issue, not a policy issue. As for policing, I hope that ARIN staff never police DNS delegations. I would like to seem them audit such delegations, and maintain contact with DNS ops people inside the various organizations. I would like to see them offer free in-addr.arpa services to orgs with ARIN allocations/assignments and I would like to see them track which orgs actively refuse the free services so as not to pester them every 6 months or so. But I would not like to see any policing and especially not any policing which assumes that there is one right way for the Internet and therefore all IP network users must toe that line. --Michael Dillon From briand at ca.afilias.info Wed Sep 12 10:07:47 2007 From: briand at ca.afilias.info (Brian Dickson) Date: Wed, 12 Sep 2007 10:07:47 -0400 Subject: [ppml] Policy Proposal -- Eliminate Lame Server policy In-Reply-To: <46E732E9.5030108@arin.net> References: <46E732E9.5030108@arin.net> Message-ID: <46E7F2B3.1070205@ca.afilias.info> I oppose the proposal. Argument on why follows: >> Recent PPML discussion has called attention to the >> fact that lame DNS delegations are more an operational >> issue than one of policy. As such, the existing lame >> delegation policy should be removed from the NRPM >> to remove the resultant confusion. This is not meant >> to prevent ARIN staff from taking reasonable action >> WRT DNS operational issues related to resources issued >> by ARIN, but, such action can be covered by staff >> operational guidelines and is not within the scope >> of Address Policy. >> The point of having policy documents which are public, is not to inform ARIN staff what they're allowed to do, but to inform recipients of ARIN-provided services what *they're* allowed to do. It is important that Section 7 remain part of the policy document for this reason, more than anything else. Without explicit rules governing expected behaviour, the problem space can only be expected to mushroom. Why this would likely happen, includes scofflaws, lazy administrators, as well as "bad actors", the latter of which are dwarfed in volume by the first two. Anything which increases the potential workload for enforcement, regardless of intent, is a big step backwards. And *that* is why I oppose the proposal. Brian Dickson From HRyu at norlight.com Wed Sep 12 10:45:45 2007 From: HRyu at norlight.com (Hyunseog Ryu) Date: Wed, 12 Sep 2007 09:45:45 -0500 Subject: [ppml] Policy Proposal -- Eliminate Lame Server policy In-Reply-To: <46E7F2B3.1070205@ca.afilias.info> Message-ID: I'm against for this proposal with same reason. Hyun Hyunseog Ryu Senior Network Engineer Norlight Telecommunications, Inc./Cinergy Communications. Q-Comm Company Applications Engineering 13935 Bishops Drive Brookfield, WI 53005 Phone. +1-262-792-7965 Fax. +1-262-792-7733 Email. hryu at norlight.com Brian Dickson Sent by: ppml-bounces at arin.net 09/12/2007 09:07 AM To Member Services cc ppml at arin.net Fax to Subject Re: [ppml] Policy Proposal -- Eliminate Lame Server policy I oppose the proposal. Argument on why follows: >> Recent PPML discussion has called attention to the >> fact that lame DNS delegations are more an operational >> issue than one of policy. As such, the existing lame >> delegation policy should be removed from the NRPM >> to remove the resultant confusion. This is not meant >> to prevent ARIN staff from taking reasonable action >> WRT DNS operational issues related to resources issued >> by ARIN, but, such action can be covered by staff >> operational guidelines and is not within the scope >> of Address Policy. >> The point of having policy documents which are public, is not to inform ARIN staff what they're allowed to do, but to inform recipients of ARIN-provided services what *they're* allowed to do. It is important that Section 7 remain part of the policy document for this reason, more than anything else. Without explicit rules governing expected behaviour, the problem space can only be expected to mushroom. Why this would likely happen, includes scofflaws, lazy administrators, as well as "bad actors", the latter of which are dwarfed in volume by the first two. Anything which increases the potential workload for enforcement, regardless of intent, is a big step backwards. And *that* is why I oppose the proposal. Brian Dickson _______________________________________________ PPML You are receiving this message because you are subscribed to the ARIN Public Policy Mailing List (PPML at arin.net). Unsubscribe or manage your mailing list subscription at: http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN Member Services Help Desk at info at arin.net if you experience any issues. -------------- next part -------------- An HTML attachment was scrubbed... URL: From Tommy.Perniciaro at thomson.net Wed Sep 12 10:48:47 2007 From: Tommy.Perniciaro at thomson.net (Perniciaro Tommy) Date: Wed, 12 Sep 2007 07:48:47 -0700 Subject: [ppml] Policy Proposal -- Eliminate Lame Server policy Message-ID: <23480D326186CF49819F5EF363276C9002E755DC@BRBKSMAIL04.am.thmulti.com> I am also against this proposal. ----- Original Message ----- From: ppml-bounces at arin.net To: Brian Dickson Cc: ppml at arin.net ; ppml-bounces at arin.net Sent: Wed Sep 12 07:45:45 2007 Subject: Re: [ppml] Policy Proposal -- Eliminate Lame Server policy I'm against for this proposal with same reason. Hyun Hyunseog Ryu Senior Network Engineer Norlight Telecommunications, Inc./Cinergy Communications. Q-Comm Company Applications Engineering 13935 Bishops Drive Brookfield, WI 53005 Phone. +1-262-792-7965 Fax. +1-262-792-7733 Email. hryu at norlight.com Brian Dickson Sent by: ppml-bounces at arin.net 09/12/2007 09:07 AM To Member Services cc ppml at arin.net Fax to Subject Re: [ppml] Policy Proposal -- Eliminate Lame Server policy I oppose the proposal. Argument on why follows: >> Recent PPML discussion has called attention to the >> fact that lame DNS delegations are more an operational >> issue than one of policy. As such, the existing lame >> delegation policy should be removed from the NRPM >> to remove the resultant confusion. This is not meant >> to prevent ARIN staff from taking reasonable action >> WRT DNS operational issues related to resources issued >> by ARIN, but, such action can be covered by staff >> operational guidelines and is not within the scope >> of Address Policy. >> The point of having policy documents which are public, is not to inform ARIN staff what they're allowed to do, but to inform recipients of ARIN-provided services what *they're* allowed to do. It is important that Section 7 remain part of the policy document for this reason, more than anything else. Without explicit rules governing expected behaviour, the problem space can only be expected to mushroom. Why this would likely happen, includes scofflaws, lazy administrators, as well as "bad actors", the latter of which are dwarfed in volume by the first two. Anything which increases the potential workload for enforcement, regardless of intent, is a big step backwards. And *that* is why I oppose the proposal. Brian Dickson _______________________________________________ PPML You are receiving this message because you are subscribed to the ARIN Public Policy Mailing List (PPML at arin.net). Unsubscribe or manage your mailing list subscription at: http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN Member Services Help Desk at info at arin.net if you experience any issues. From briand at ca.afilias.info Wed Sep 12 10:51:12 2007 From: briand at ca.afilias.info (Brian Dickson) Date: Wed, 12 Sep 2007 10:51:12 -0400 Subject: [ppml] Is this Lame or what? In-Reply-To: References: <454810F09B5AA04E9D78D13A5C39028A02A4C9D6@nyrofcs2ke2k01.corp.pvt> <46E72960.4030805@internap.com> Message-ID: <46E7FCE0.2030300@ca.afilias.info> John Von Essen wrote: > Scott, > > > Hostmaster confirmed what you state below: > > "Only if all of zones for a given name server of a specific network > registration are lame, is the delegation registration deemed lame" > > That is valid, correct, and should stay as-is. > > > Actually, that is, IMHO, incorrect. It is backwards. It *should* read: "Only if all name servers for a zone of a specific network registration are lame, is the delegation deemed lame." Meaning: If 4 /24's are delegated, and all 4 have the same NS sets on their in-addr.arpa. delegations, but none of them in fact serve one of the /24 in-addr.arpa. zones, then the zone delegataion for *that* /24 should be deemed lame. This will fix the /24 problem. The /16 problem is another kettle of fish. How do we address this via Public Policy process? Since it directly affects the NRPM, should not the definition itself be part of it, e.g. in an Appendix? Brian Dickson > On Sep 11, 2007, at 7:48 PM, Scott Leibrand wrote: > > >> After doing some research (which I highly recommend everyone do before >> posting), I'm not sure any policy changes are needed to deal with the >> two specific cases raised so far. >> >> ARIN's Lame Delegations page at >> http://www.arin.net/reference/lame_delegations.html states that "ARIN >> tests a reverse zone by requesting the SOA (Start of Authority) record >> from the name servers registered in WHOIS. ... Any other answer (or an >> inability to reach the nameserver due to a forward lookup failure) >> results in the delegation being deemed lame. If all of zones for a >> given >> name server of a specific network registration are lame, the >> delegation >> registration is deemed lame." From info at arin.net Wed Sep 12 11:06:36 2007 From: info at arin.net (Member Services) Date: Wed, 12 Sep 2007 11:06:36 -0400 Subject: [ppml] Policy Proposal: Modification to Reverse Mapping Policy In-Reply-To: References: Message-ID: <46E8007C.6010507@arin.net> ARIN received the following policy proposal. In accordance with the ARIN Internet Resource Policy Evaluation Process, the proposal is being posted to the ARIN Public Policy Mailing List (PPML) and being placed on ARIN's website. The ARIN Advisory Council (AC) will review this proposal at their next regularly scheduled meeting. The AC may decide to: 1. Accept the proposal as a formal policy proposal as written. If the AC accepts the proposal, it will be posted as a formal policy proposal to PPML and it will be presented at a Public Policy Meeting. 2. Postpone their decision regarding the proposal until the next regularly scheduled AC meeting in order to work with the author. The AC will work with the author to clarify, combine or divide the proposal. At their following meeting the AC will accept or not accept the proposal. 3. Not accept the proposal. If the AC does not accept the proposal, the AC will explain their decision. If a proposal is not accepted, then the author may elect to use the petition process to advance their proposal. If the author elects not to petition or the petition fails, then the proposal will be closed. The AC will assign shepherds in the near future. ARIN will provide the names of the shepherds to the community via the PPML. In the meantime, the AC invites everyone to comment on this proposal on the PPML, particularly their support or non-support and the reasoning behind their opinion. Such participation contributes to a thorough vetting and provides important guidance to the AC in their deliberations. The ARIN Internet Resource Policy Evaluation Process can be found at: http://www.arin.net/policy/irpep.html Mailing list subscription information can be found at: http://www.arin.net/mailing_lists/ Regards, Member Services American Registry for Internet Numbers (ARIN) ## * ## Policy Proposal Name: Modification to Reverse Mapping Policy Author: John Von Essen Proposal Version: 1.0 Submission Date: September 11, 2007 Proposal type: modify Policy term: permanent Policy statement: I am proposing a modification to section 7 of the IPv4 policy such that a more precise definition and overview of lameness is described. Below is how I think section 7 should be re-written. START NEW Section 7. Reverse Mapping 7.1. Maintaining IN-ADDRs All ISPs receiving one or more distinct /16 CIDR blocks of IP addresses from ARIN will be responsible for maintaining all IN- ADDR.ARPA domain records for their respective customers. For blocks smaller than /16, and for the segment of larger blocks which start or end with a CIDR prefix longer than /16, ARIN can maintain IN-ADDRs through the use of the SWIP (Reallocate and Reassign) templates or the Netmod template for /24 and shorter prefixes. 7.2 Definitions 7.2.1 Lame Delegation A delegation is defined as being lame if all of the in-addr.arpa zones for a given name server of a specific network registration are lame. An in- addr.arpa zone is defined as lame when ARIN requests the SOA record from the name server registered in whois, but does not receive an answer. 7.2.2 Partially Lame Delegation A delegation is defined as being partially lame if at least one in- addr.arpa zone for a given name server of a specific network registration is lame. An in- addr.arpa zone is defined as lame when ARIN requests the SOA record from the name server registered in whois, but does not receive an answer. 7.3. Handling of Lame and Partially Lame Delegations in IN-ADDR.ARPA ARIN will actively identify lame and partially lame DNS name server (s) for reverse address delegations associated with address blocks allocated, assigned or administered by ARIN. Upon identification of a lame or partially lame delegation, ARIN shall attempt to contact the POC for that resource and resolve the issue. If, following due diligence, ARIN is unable to resolve the lame or partially lame delegation, ARIN will update the WHOIS database records resulting in the removal of lame or partially lame DNS servers. ARIN's actions in resolving lame and partially lame delegations is governed by the procedures set forth in (Lame-Ref). 7.4 References (Lame-Ref) "Lame Delegations In IN-ADDR.ARPA", http://www.arin.net/ reference/lame_delegations.html STOP NEW Section Rationale: Current policy only considers an Org's delegation being deemed lame if all of in-addr.arpa zones for a given name server of a specific network registration are lame. Lame is defined when ARIN tests an in-addr.arpa zone by requesting the SOA record from the name server registered in whois, but does not receive an answer. If deemed lame, ARIN has an appropriate procedure for contacting the Org and handling the issue as per "http://www.arin.net/ reference/lame_delegations.html". Unfortunately, the policy does not cover the situation of a so-called partially lame delegation. That is, some of the in-addr.arpa zones belonging to the network registration return a valid SOA upon testing, and some do not. Even if only one /24 in-addr.arpa reverse tests comes back as lame, it is my opinion that this still taints the reputation of entire network registration. IPs belonging to that lame in-addr.arpa zone will cause query timeouts to 3rd party dns resolvers, both public and private. These excessive timeouts in my opinion can harm the overall well-being of reverse dns functionality throughout the internet. The only way to prevent such harm is for ARIN to not delegate reverse authority to the so-called partially lame dns server as registered in whois. That is the purpose of this policy proposal, to consider partial lameness with the same prejudice as traditionally defined lameness. Org's who are partially lame should be contacted by ARIN and lame in-addr.arpa zones should be resolved as the procedures per "http://www.arin.net/reference/ lame_delegations.html" dictate. Timetable for implementation: June 1, 2008 From briand at ca.afilias.info Wed Sep 12 11:24:08 2007 From: briand at ca.afilias.info (Brian Dickson) Date: Wed, 12 Sep 2007 11:24:08 -0400 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy In-Reply-To: <46E71DA3.40005@psg.com> References: <46E709A7.9060105@ca.afilias.info> <46E71DA3.40005@psg.com> Message-ID: <46E80498.3010109@ca.afilias.info> Randy Bush wrote: > arin delegates 42.666.in-addr.arpa to the member isp. the servers > properly respond for that delegation. this seems to be about as far as > current policy goes; though there are reported gaps in implementation. > > the op wants us to say that, if the delegatee further delegates > sub-zones, then the service for those sub-zones must not be lame. > > aside from issues of whether the community has the right to descend into > the delegation, how would we text the sub-delegations? if they are on > byte boundaries, we can probe for them. but goddesses help us if they > use rfc 2317. and is it our prerogative to probe 256 sub-delegations of > a /16? 64k of a /8? and how many of a /32 in ipv6 space? > The "probing" is in fact, an exercise in tree-walking. Writing a script to handle this should be within the capabilities of ARIN, given the scope of other tools they no doubt need to handle administration of address assignments. The basic tree-walking should be limited to following delegations of expected form (numeric subzones within the expected ranges, either 0-1 or 0-255). Those are the only sub-delegations "of interest", i.e. which would otherwise have been directly delegated by ARIN. Optimizations can be done, since the expectation is one of positive responses to SOA queries. Low timeouts may generate false negatives, but no false positives. Re-testing false negatives with longer timeouts, produces the true negatives. The *main* question is, since in rfc 2317 the distance from ARIN in delegations can be >2, what should be done? I think the classic "him or you" answer scales best. Arin requests the delegatee to fix the subordinate, or have their delegation pulled, with the recommendation that they use the same tactic. At the leaf, the broken delegatee must either fix the problem or get pruned. If the delegator does not prune a still-broken leaf, then *his* delegator must do the same, or face being pruned him/herself. Etc. The responsibility with ARIN rests only in running test scripts, and contacting direct delegatees. All further communication is between third parties, within some set time frame. I *think* this would be able to be codified in the NRPM, as well as passing the scaling, sanity, and legitimacy/legality tests. Thoughts? Brian Dickson From linda at sat-tel.com Wed Sep 12 11:56:45 2007 From: linda at sat-tel.com (Linda) Date: Wed, 12 Sep 2007 11:56:45 -0400 Subject: [ppml] Policy Proposal: Modification to Reverse Mapping Policy Message-ID: <02cd01c7f555$8556c4f0$966600d0@accountsrec> Policy Proposal: Modification to Reverse Mapping Policy I oppose this proposal, this is an operational issue. Regards, Linda Werner Satellite Communication Systems, Inc. > ----- Original Message ----- > From: "Member Services" > To: > Sent: Wednesday, September 12, 2007 11:06 AM > Subject: [ppml] Policy Proposal: Modification to Reverse Mapping Policy > > >> ARIN received the following policy proposal. In accordance with the ARIN >> Internet Resource Policy Evaluation Process, the proposal is being >> posted to the ARIN Public Policy Mailing List (PPML) and being placed on >> ARIN's website. >> >> The ARIN Advisory Council (AC) will review this proposal at their next >> regularly scheduled meeting. The AC may decide to: >> >> 1. Accept the proposal as a formal policy proposal as written. If the >> AC accepts the proposal, it will be posted as a formal policy proposal >> to PPML and it will be presented at a Public Policy Meeting. >> >> 2. Postpone their decision regarding the proposal until the next >> regularly scheduled AC meeting in order to work with the author. The AC >> will work with the author to clarify, combine or divide the proposal. At >> their following meeting the AC will accept or not accept the proposal. >> >> 3. Not accept the proposal. If the AC does not accept the proposal, >> the AC will explain their decision. If a proposal is not accepted, then >> the author may elect to use the petition process to advance their >> proposal. If the author elects not to petition or the petition fails, >> then the proposal will be closed. >> >> The AC will assign shepherds in the near future. ARIN will provide the >> names of the shepherds to the community via the PPML. >> >> In the meantime, the AC invites everyone to comment on this proposal on >> the PPML, particularly their support or non-support and the reasoning >> behind their opinion. Such participation contributes to a thorough >> vetting and provides important guidance to the AC in their deliberations. >> >> The ARIN Internet Resource Policy Evaluation Process can be found at: >> http://www.arin.net/policy/irpep.html >> >> Mailing list subscription information can be found at: >> http://www.arin.net/mailing_lists/ >> >> Regards, >> >> Member Services >> American Registry for Internet Numbers (ARIN) >> >> >> ## * ## >> >> >> Policy Proposal Name: Modification to Reverse Mapping Policy >> >> Author: John Von Essen >> >> Proposal Version: 1.0 >> >> Submission Date: September 11, 2007 >> >> Proposal type: modify >> >> Policy term: permanent >> >> Policy statement: >> >> I am proposing a modification to section 7 of the IPv4 policy such that >> a more precise definition and overview of lameness is described. >> Below is how I think section 7 should be re-written. >> >> START NEW Section >> >> 7. Reverse Mapping >> >> 7.1. Maintaining IN-ADDRs >> >> All ISPs receiving one or more distinct /16 CIDR blocks of IP addresses >> from ARIN will be responsible for maintaining all IN- ADDR.ARPA domain >> records for their respective customers. For blocks smaller than /16, and >> for the segment of larger blocks which start or end with a CIDR prefix >> longer than /16, ARIN can maintain IN-ADDRs through the use of the SWIP >> (Reallocate and Reassign) templates or the Netmod template for /24 and >> shorter prefixes. >> >> 7.2 Definitions >> >> 7.2.1 Lame Delegation >> >> A delegation is defined as being lame if all of the in-addr.arpa zones >> for a given name server of a specific network registration are lame. An >> in- addr.arpa zone is defined as lame when ARIN requests the SOA record >> from the name server registered in whois, but does not receive an answer. >> >> 7.2.2 Partially Lame Delegation >> >> A delegation is defined as being partially lame if at least one in- >> addr.arpa zone for a given name server of a specific network >> registration is lame. An in- addr.arpa zone is defined as lame when ARIN >> requests the SOA record from the name server registered in whois, but >> does not receive an answer. >> >> 7.3. Handling of Lame and Partially Lame Delegations in IN-ADDR.ARPA >> >> ARIN will actively identify lame and partially lame DNS name server >> (s) for reverse address delegations associated with address blocks >> allocated, assigned or administered by ARIN. Upon identification of a >> lame or partially lame delegation, ARIN shall attempt to contact the POC >> for that resource and resolve the issue. If, following due diligence, >> ARIN is unable to resolve the lame or partially lame delegation, ARIN >> will update the WHOIS database records resulting in the removal of lame >> or partially lame DNS servers. ARIN's actions in resolving lame and >> partially lame delegations is governed by the procedures set forth in >> (Lame-Ref). >> >> 7.4 References >> >> (Lame-Ref) "Lame Delegations In IN-ADDR.ARPA", http://www.arin.net/ >> reference/lame_delegations.html >> >> >> STOP NEW Section >> >> >> Rationale: >> >> Current policy only considers an Org's delegation being deemed lame if >> all of in-addr.arpa zones for a given name server of a specific network >> registration are lame. Lame is defined when ARIN tests an in-addr.arpa >> zone by requesting the SOA record from the name server registered in >> whois, but does not receive an answer. If deemed lame, ARIN has an >> appropriate procedure for contacting the Org and handling the issue as >> per "http://www.arin.net/ reference/lame_delegations.html". >> >> Unfortunately, the policy does not cover the situation of a so-called >> partially lame delegation. That is, some of the in-addr.arpa zones >> belonging to the network registration return a valid SOA upon testing, >> and some do not. Even if only one /24 in-addr.arpa reverse tests comes >> back as lame, it is my opinion that this still taints the reputation of >> entire network registration. IPs belonging to that lame in-addr.arpa >> zone will cause query timeouts to 3rd party dns resolvers, both public >> and private. These excessive timeouts in my opinion can harm the overall >> well-being of reverse dns functionality throughout the internet. The >> only way to prevent such harm is for ARIN to not delegate reverse >> authority to the so-called partially lame dns server as registered in >> whois. That is the purpose of this policy proposal, to consider partial >> lameness with the same prejudice as traditionally defined lameness. >> Org's who are partially lame should be contacted by ARIN and lame >> in-addr.arpa zones should be resolved as the procedures per >> "http://www.arin.net/reference/ lame_delegations.html" dictate. >> >> Timetable for implementation: June 1, 2008 >> >> _______________________________________________ >> PPML >> You are receiving this message because you are subscribed to the ARIN >> Public Policy >> Mailing List (PPML at arin.net). >> Unsubscribe or manage your mailing list subscription at: >> http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN >> Member Services >> Help Desk at info at arin.net if you experience any issues. >> >> > From john at quonix.net Wed Sep 12 11:58:32 2007 From: john at quonix.net (John Von Essen) Date: Wed, 12 Sep 2007 11:58:32 -0400 Subject: [ppml] Comments on ARIN's reverse DNS mapping policy In-Reply-To: <46E80498.3010109@ca.afilias.info> References: <46E709A7.9060105@ca.afilias.info> <46E71DA3.40005@psg.com> <46E80498.3010109@ca.afilias.info> Message-ID: <057C2792-D000-4200-81BA-03BC74E97C40@quonix.net> I agree. I have no sympathy for the response of "testing all these in- addr.arpa zones is too much work". Granted, we are only talking about /24 prefixes. The entire process can be easily automated, and that includes the SOA query testing to delegated DNS servers for an Org's address block, updating an internal tracking database, and even the process of emailing the Org's POC for DNS. The Org's that get emailed the warning could even be given a link to click when they have resolved the issue. That link would automatically re-check, and if SOA response is valid, would automatically remove them from the database of "delinquents". So for the Org's that fix things in a timely fashion following the automatic email - ARIN staff will never even have to get involved. Staff would only get involved with those Org's that dont respond to the initial emails. -john On Sep 12, 2007, at 11:24 AM, Brian Dickson wrote: > Randy Bush wrote: >> arin delegates 42.666.in-addr.arpa to the member isp. the servers >> properly respond for that delegation. this seems to be about as >> far as >> current policy goes; though there are reported gaps in >> implementation. >> >> the op wants us to say that, if the delegatee further delegates >> sub-zones, then the service for those sub-zones must not be lame. >> >> aside from issues of whether the community has the right to >> descend into >> the delegation, how would we text the sub-delegations? if they >> are on >> byte boundaries, we can probe for them. but goddesses help us if >> they >> use rfc 2317. and is it our prerogative to probe 256 sub- >> delegations of >> a /16? 64k of a /8? and how many of a /32 in ipv6 space? >> > The "probing" is in fact, an exercise in tree-walking. > > Writing a script to handle this should be within the capabilities of > ARIN, given the scope of other > tools they no doubt need to handle administration of address > assignments. > > The basic tree-walking should be limited to following delegations of > expected form (numeric subzones > within the expected ranges, either 0-1 or 0-255). Those are the only > sub-delegations "of interest", > i.e. which would otherwise have been directly delegated by ARIN. > > Optimizations can be done, since the expectation is one of positive > responses to SOA queries. > Low timeouts may generate false negatives, but no false positives. > Re-testing false negatives with > longer timeouts, produces the true negatives. > > The *main* question is, since in rfc 2317 the distance from ARIN in > delegations can be >2, > what should be done? > > I think the classic "him or you" answer scales best. Arin requests the > delegatee to fix the subordinate, > or have their delegation pulled, with the recommendation that they use > the same tactic. > > At the leaf, the broken delegatee must either fix the problem or > get pruned. > If the delegator does not prune a still-broken leaf, then *his* > delegator must do the same, or face > being pruned him/herself. Etc. > > The responsibility with ARIN rests only in running test scripts, and > contacting direct delegatees. > All further communication is between third parties, within some set > time > frame. > > I *think* this would be able to be codified in the NRPM, as well as > passing the scaling, sanity, > and legitimacy/legality tests. > > Thoughts? > > Brian Dickson > _______________________________________________ > PPML > You are receiving this message because you are subscribed to the > ARIN Public Policy > Mailing List (PPML at arin.net). > Unsubscribe or manage your mailing list subscription at: > http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN > Member Services > Help Desk at info at arin.net if you experience any issues. Thanks, John Von Essen (800) 248-1736 ext 100 john at quonix.net -------------- next part -------------- An HTML attachment was scrubbed... URL: From briand at ca.afilias.info Wed Sep 12 12:13:51 2007 From: briand at ca.afilias.info (Brian Dickson) Date: Wed, 12 Sep 2007 12:13:51 -0400 Subject: [ppml] Policy Proposal: Modification to Reverse Mapping Policy In-Reply-To: <46E8007C.6010507@arin.net> References: <46E8007C.6010507@arin.net> Message-ID: <46E8103F.5050002@ca.afilias.info> I support the proposal, although I would like to see a modification of the language proposed, specifically: Member Services wrote: > 7.2.1 Lame Delegation > > A delegation is defined as being lame if all of the in-addr.arpa zones > for a given name server of a specific network registration are lame. An > in- addr.arpa zone is defined as lame when ARIN requests the SOA record > from the name server registered in whois, but does not receive an answer. > > This subsection should be about lame *servers*, not delegations. A delegation is the delegation of a zone, to *multiple* servers, and is only lame if *all* servers are lame for *that* zone. s/Delegation/Server/ s/delegation/server/ 7.2.1 Lame Server A server is defined as being lame if all of the in-addr.arpa zones for the specific name server of a specific network registration are lame. An in-addr.arpa zone is defined as lame when ARIN requests the SOA record from the name server registered in whois, but does not receive an answer (within 30s on 3 successive queries). > 7.2.2 Partially Lame Delegation > > A delegation is defined as being partially lame if at least one in- > addr.arpa zone for a given name server of a specific network > registration is lame. An in- addr.arpa zone is defined as lame when ARIN > requests the SOA record from the name server registered in whois, but > does not receive an answer. > s/Partially Lame Delegation/Lame Zone Delegation/ 7.2.2 Lame Zone Delegation A zone delegation is defined as being lame if the in-addr.arpa zone of a specific network registration is lame, for all listed name servers. An in-addr.arpa zone is defined as lame when ARIN requests the SOA record from the name server registered in whois, but does not receive an answer (within 30s on 3 successive queries). Brian Dickson From sleibrand at internap.com Wed Sep 12 12:36:32 2007 From: sleibrand at internap.com (Scott Leibrand) Date: Wed, 12 Sep 2007 09:36:32 -0700 Subject: [ppml] Policy Proposal: Modification to Reverse Mapping Policy In-Reply-To: <46E8007C.6010507@arin.net> References: <46E8007C.6010507@arin.net> Message-ID: <46E81590.9040304@internap.com> John, Do you have any examples of Partially Lame Delegations (or, to use Brian's slightly more precise terminology, Lame Zone Delegations to a non-Lame Server)? I'm not opposed to your policy rewrite, but I'm as yet unconvinced that we have a real life non-hypothetical problem that can't be fixed by application of current policies and procedures. Thanks, Scott Member Services wrote: > ARIN received the following policy proposal. In accordance with the ARIN > Internet Resource Policy Evaluation Process, the proposal is being > posted to the ARIN Public Policy Mailing List (PPML) and being placed on > ARIN's website. > > The ARIN Advisory Council (AC) will review this proposal at their next > regularly scheduled meeting. The AC may decide to: > > 1. Accept the proposal as a formal policy proposal as written. If the > AC accepts the proposal, it will be posted as a formal policy proposal > to PPML and it will be presented at a Public Policy Meeting. > > 2. Postpone their decision regarding the proposal until the next > regularly scheduled AC meeting in order to work with the author. The AC > will work with the author to clarify, combine or divide the proposal. At > their following meeting the AC will accept or not accept the proposal. > > 3. Not accept the proposal. If the AC does not accept the proposal, > the AC will explain their decision. If a proposal is not accepted, then > the author may elect to use the petition process to advance their > proposal. If the author elects not to petition or the petition fails, > then the proposal will be closed. > > The AC will assign shepherds in the near future. ARIN will provide the > names of the shepherds to the community via the PPML. > > In the meantime, the AC invites everyone to comment on this proposal on > the PPML, particularly their support or non-support and the reasoning > behind their opinion. Such participation contributes to a thorough > vetting and provides important guidance to the AC in their deliberations. > > The ARIN Internet Resource Policy Evaluation Process can be found at: > http://www.arin.net/policy/irpep.html > > Mailing list subscription information can be found at: > http://www.arin.net/mailing_lists/ > > Regards, > > Member Services > American Registry for Internet Numbers (ARIN) > > > ## * ## > > > Policy Proposal Name: Modification to Reverse Mapping Policy > > Author: John Von Essen > > Proposal Version: 1.0 > > Submission Date: September 11, 2007 > > Proposal type: modify > > Policy term: permanent > > Policy statement: > > I am proposing a modification to section 7 of the IPv4 policy such that > a more precise definition and overview of lameness is described. > Below is how I think section 7 should be re-written. > > START NEW Section > > 7. Reverse Mapping > > 7.1. Maintaining IN-ADDRs > > All ISPs receiving one or more distinct /16 CIDR blocks of IP addresses > from ARIN will be responsible for maintaining all IN- ADDR.ARPA domain > records for their respective customers. For blocks smaller than /16, and > for the segment of larger blocks which start or end with a CIDR prefix > longer than /16, ARIN can maintain IN-ADDRs through the use of the SWIP > (Reallocate and Reassign) templates or the Netmod template for /24 and > shorter prefixes. > > 7.2 Definitions > > 7.2.1 Lame Delegation > > A delegation is defined as being lame if all of the in-addr.arpa zones > for a given name server of a specific network registration are lame. An > in- addr.arpa zone is defined as lame when ARIN requests the SOA record > from the name server registered in whois, but does not receive an answer. > > 7.2.2 Partially Lame Delegation > > A delegation is defined as being partially lame if at least one in- > addr.arpa zone for a given name server of a specific network > registration is lame. An in- addr.arpa zone is defined as lame when ARIN > requests the SOA record from the name server registered in whois, but > does not receive an answer. > > 7.3. Handling of Lame and Partially Lame Delegations in IN-ADDR.ARPA > > ARIN will actively identify lame and partially lame DNS name server > (s) for reverse address delegations associated with address blocks > allocated, assigned or administered by ARIN. Upon identification of a > lame or partially lame delegation, ARIN shall attempt to contact the POC > for that resource and resolve the issue. If, following due diligence, > ARIN is unable to resolve the lame or partially lame delegation, ARIN > will update the WHOIS database records resulting in the removal of lame > or partially lame DNS servers. ARIN's actions in resolving lame and > partially lame delegations is governed by the procedures set forth in > (Lame-Ref). > > 7.4 References > > (Lame-Ref) "Lame Delegations In IN-ADDR.ARPA", http://www.arin.net/ > reference/lame_delegations.html > > > STOP NEW Section > > > Rationale: > > Current policy only considers an Org's delegation being deemed lame if > all of in-addr.arpa zones for a given name server of a specific network > registration are lame. Lame is defined when ARIN tests an in-addr.arpa > zone by requesting the SOA record from the name server registered in > whois, but does not receive an answer. If deemed lame, ARIN has an > appropriate procedure for contacting the Org and handling the issue as > per "http://www.arin.net/ reference/lame_delegations.html". > > Unfortunately, the policy does not cover the situation of a so-called > partially lame delegation. That is, some of the in-addr.arpa zones > belonging to the network registration return a valid SOA upon testing, > and some do not. Even if only one /24 in-addr.arpa reverse tests comes > back as lame, it is my opinion that this still taints the reputation of > entire network registration. IPs belonging to that lame in-addr.arpa > zone will cause query timeouts to 3rd party dns resolvers, both public > and private. These excessive timeouts in my opinion can harm the overall > well-being of reverse dns functionality throughout the internet. The > only way to prevent such harm is for ARIN to not delegate reverse > authority to the so-called partially lame dns server as registered in > whois. That is the purpose of this policy proposal, to consider partial > lameness with the same prejudice as traditionally defined lameness. > Org's who are partially lame should be contacted by ARIN and lame > in-addr.arpa zones should be resolved as the procedures per > "http://www.arin.net/reference/ lame_delegations.html" dictate. > > Timetable for implementation: June 1, 2008 > > _______________________________________________ > PPML > You are receiving this message because you are subscribed to the ARIN Public Policy > Mailing List (PPML at arin.net). > Unsubscribe or manage your mailing list subscription at: > http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN Member Services > Help Desk at info at arin.net if you experience any issues. > From john at quonix.net Wed Sep 12 13:24:41 2007 From: john at quonix.net (John Von Essen) Date: Wed, 12 Sep 2007 13:24:41 -0400 Subject: [ppml] Policy Proposal: Modification to Reverse Mapping Policy In-Reply-To: <46E81590.9040304@internap.com> References: <46E8007C.6010507@arin.net> <46E81590.9040304@internap.com> Message-ID: <01623EDD-5F06-408D-B5BA-32C293A5BD66@quonix.net> Yes, I have several examples of what I call partially lame dns servers. Let me put together a more in-depth list with prefixes from several different providers, and I'll email it to the list later today. -John On Sep 12, 2007, at 12:36 PM, Scott Leibrand wrote: > John, > > Do you have any examples of Partially Lame Delegations (or, to use > Brian's slightly more precise terminology, Lame Zone Delegations to a > non-Lame Server)? I'm not opposed to your policy rewrite, but I'm as > yet unconvinced that we have a real life non-hypothetical problem that > can't be fixed by application of current policies and procedures. > > Thanks, > Scott > > Member Services wrote: >> ARIN received the following policy proposal. In accordance with >> the ARIN >> Internet Resource Policy Evaluation Process, the proposal is being >> posted to the ARIN Public Policy Mailing List (PPML) and being >> placed on >> ARIN's website. >> >> The ARIN Advisory Council (AC) will review this proposal at their >> next >> regularly scheduled meeting. The AC may decide to: >> >> 1. Accept the proposal as a formal policy proposal as written. >> If the >> AC accepts the proposal, it will be posted as a formal policy >> proposal >> to PPML and it will be presented at a Public Policy Meeting. >> >> 2. Postpone their decision regarding the proposal until the next >> regularly scheduled AC meeting in order to work with the author. >> The AC >> will work with the author to clarify, combine or divide the >> proposal. At >> their following meeting the AC will accept or not accept the >> proposal. >> >> 3. Not accept the proposal. If the AC does not accept the >> proposal, >> the AC will explain their decision. If a proposal is not accepted, >> then >> the author may elect to use the petition process to advance their >> proposal. If the author elects not to petition or the petition >> fails, >> then the proposal will be closed. >> >> The AC will assign shepherds in the near future. ARIN will provide >> the >> names of the shepherds to the community via the PPML. >> >> In the meantime, the AC invites everyone to comment on this >> proposal on >> the PPML, particularly their support or non-support and the reasoning >> behind their opinion. Such participation contributes to a thorough >> vetting and provides important guidance to the AC in their >> deliberations. >> >> The ARIN Internet Resource Policy Evaluation Process can be found at: >> http://www.arin.net/policy/irpep.html >> >> Mailing list subscription information can be found at: >> http://www.arin.net/mailing_lists/ >> >> Regards, >> >> Member Services >> American Registry for Internet Numbers (ARIN) >> >> >> ## * ## >> >> >> Policy Proposal Name: Modification to Reverse Mapping Policy >> >> Author: John Von Essen >> >> Proposal Version: 1.0 >> >> Submission Date: September 11, 2007 >> >> Proposal type: modify >> >> Policy term: permanent >> >> Policy statement: >> >> I am proposing a modification to section 7 of the IPv4 policy such >> that >> a more precise definition and overview of lameness is described. >> Below is how I think section 7 should be re-written. >> >> START NEW Section >> >> 7. Reverse Mapping >> >> 7.1. Maintaining IN-ADDRs >> >> All ISPs receiving one or more distinct /16 CIDR blocks of IP >> addresses >> from ARIN will be responsible for maintaining all IN- ADDR.ARPA >> domain >> records for their respective customers. For blocks smaller than / >> 16, and >> for the segment of larger blocks which start or end with a CIDR >> prefix >> longer than /16, ARIN can maintain IN-ADDRs through the use of the >> SWIP >> (Reallocate and Reassign) templates or the Netmod template for /24 >> and >> shorter prefixes. >> >> 7.2 Definitions >> >> 7.2.1 Lame Delegation >> >> A delegation is defined as being lame if all of the in-addr.arpa >> zones >> for a given name server of a specific network registration are >> lame. An >> in- addr.arpa zone is defined as lame when ARIN requests the SOA >> record >> from the name server registered in whois, but does not receive an >> answer. >> >> 7.2.2 Partially Lame Delegation >> >> A delegation is defined as being partially lame if at least one in- >> addr.arpa zone for a given name server of a specific network >> registration is lame. An in- addr.arpa zone is defined as lame >> when ARIN >> requests the SOA record from the name server registered in whois, but >> does not receive an answer. >> >> 7.3. Handling of Lame and Partially Lame Delegations in IN-ADDR.ARPA >> >> ARIN will actively identify lame and partially lame DNS name server >> (s) for reverse address delegations associated with address blocks >> allocated, assigned or administered by ARIN. Upon identification of a >> lame or partially lame delegation, ARIN shall attempt to contact >> the POC >> for that resource and resolve the issue. If, following due diligence, >> ARIN is unable to resolve the lame or partially lame delegation, ARIN >> will update the WHOIS database records resulting in the removal of >> lame >> or partially lame DNS servers. ARIN's actions in resolving lame and >> partially lame delegations is governed by the procedures set forth in >> (Lame-Ref). >> >> 7.4 References >> >> (Lame-Ref) "Lame Delegations In IN-ADDR.ARPA", http://www.arin.net/ >> reference/lame_delegations.html >> >> >> STOP NEW Section >> >> >> Rationale: >> >> Current policy only considers an Org's delegation being deemed >> lame if >> all of in-addr.arpa zones for a given name server of a specific >> network >> registration are lame. Lame is defined when ARIN tests an in- >> addr.arpa >> zone by requesting the SOA record from the name server registered in >> whois, but does not receive an answer. If deemed lame, ARIN has an >> appropriate procedure for contacting the Org and handling the >> issue as >> per "http://www.arin.net/ reference/lame_delegations.html". >> >> Unfortunately, the policy does not cover the situation of a so-called >> partially lame delegation. That is, some of the in-addr.arpa zones >> belonging to the network registration return a valid SOA upon >> testing, >> and some do not. Even if only one /24 in-addr.arpa reverse tests >> comes >> back as lame, it is my opinion that this still taints the >> reputation of >> entire network registration. IPs belonging to that lame in-addr.arpa >> zone will cause query timeouts to 3rd party dns resolvers, both >> public >> and private. These excessive timeouts in my opinion can harm the >> overall >> well-being of reverse dns functionality throughout the internet. The >> only way to prevent such harm is for ARIN to not delegate reverse >> authority to the so-called partially lame dns server as registered in >> whois. That is the purpose of this policy proposal, to consider >> partial >> lameness with the same prejudice as traditionally defined lameness. >> Org's who are partially lame should be contacted by ARIN and lame >> in-addr.arpa zones should be resolved as the procedures per >> "http://www.arin.net/reference/ lame_delegations.html" dictate. >> >> Timetable for implementation: June 1, 2008 >> >> _______________________________________________ >> PPML >> You are receiving this message because you are subscribed to the >> ARIN Public Policy >> Mailing List (PPML at arin.net). >> Unsubscribe or manage your mailing list subscription at: >> http://lists.arin.net/mailman/listinfo/ppml Please contact the >> ARIN Member Services >> Help Desk at info at arin.net if you experience any issues. >> > _______________________________________________ > PPML > You are receiving this message because you are subscribed to the > ARIN Public Policy > Mailing List (PPML at arin.net). > Unsubscribe or manage your mailing list subscription at: > http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN > Member Services > Help Desk at info at arin.net if you experience any issues. Thanks, John Von Essen (800) 248-1736 ext 100 john at quonix.net -------------- next part -------------- An HTML attachment was scrubbed... URL: From tedm at ipinc.net Wed Sep 12 14:40:53 2007 From: tedm at ipinc.net (Ted Mittelstaedt) Date: Wed, 12 Sep 2007 11:40:53 -0700 Subject: [ppml] Policy Proposal -- Eliminate Lame Server policy In-Reply-To: <288AEB42-E021-4582-82F6-D4FD924EA551@delong.com> Message-ID: In cases where a policy must apply uniformly, it has to be official and not an internal staff guideline. The big problem with taking this out of the NRPM is that unless there's sanctions available to enforce correct DNS behavior, the staff can't do anything because all the non-compliant network operator has to do is say since it's not spelled out in the NRPM, you can't do anything to me if I don't do it. At this point I'm personally not sure any changes need to be made at all. But clearly the OP has a problem and the purpose of this list and the policy process is essentially to present problems to the community and see what the response is. Thus I think your proposal is as needed as Johns. If the membership really doesen't want the RIR to bother with this, they will vote your policy in. If not, they will vote John's policy in (whenever it's submitted) So let's see what they want to do. Ted -----Original Message----- From: Owen DeLong [mailto:owen at delong.com] Sent: Tuesday, September 11, 2007 8:52 PM To: Ted Mittelstaedt Cc: John Von Essen; Public Policy Mailing List Subject: Re: [ppml] Policy Proposal -- Eliminate Lame Server policy Ted, I believe you miss the point of my proposal. While I do believe that ARIN has a role to play in applying the clue bat to lame or partially lame ISPs and addressing John's issue, my point is that it belongs in operational guidelines to ARIN staff and not in the NRPM. My proposal talks about what I think belongs in the NRPM and is not a direct expression of how I feel about what ARIN staff should or should not be doing with respect to this particular issue. I would fully support an ACSP recommendation that ARIN address all IN-ADDR lameness whether complete or not on any direct assignment. This will potentially require ARIN to examine as many as 255 zones in IPv4 for a single assignment. I would oppose any suggestion requiring ARIN to drill down to lame delegations made by the ISPs relating to reassignment or reallocations made by the ISP because of dramatically increasing workload for dramatically decreasing return on investment and because there is a limit to the extent to which I believe ARIN should engage in telling operators how to run their network (let alone their customers' networks). I will also oppose any policy regarding the operational and/or implementation details of lame delegations because I firmly believe this is not the role of the NRPM and should be addressed with operational procedures and recommendations rather than with number resource policies. Owen On Sep 11, 2007, at 5:26 PM, Ted Mittelstaedt wrote: Yes John you are correct but the way things often work on this list is someone like Owen will submit a policy to remove something that shouldn't obviously be removed, the result of which will convert a bunch of fence sitters into proponents of keeping it. The list membership needs Owens "just kill it" proposal precisely to have something to vote down. A no vote commits the person voting no, to supporting the policy. If Owens proposal is voted down, that will destroy all of the "it's not the RIR's responsibility to enforce sanctions against bad nameserver operators" arguments, and we can move the discussion to something productive of how to actually fix the problem. Your proposal might be premature - you might find it better to campaign against Owens proposal first. Ted -----Original Message----- From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net]On Behalf Of John Von Essen Sent: Tuesday, September 11, 2007 4:55 PM To: Public Policy Mailing List Subject: Re: [ppml] Policy Proposal -- Eliminate Lame Server policy I do plan to submit my proposal. My final comment on all of this is with regards to ARIN's stance on operational issues. I agree ARIN should be careful, but keep in mind ARIN does provide an operational function of reverse DNS authority delegation. Because ARIN engages in this very-real activity, policy must exist to cover its implementation, design, and overall operational health. If ARIN just did AS numbers and IP allocation, and another organization did reverse delegation, say Network Solutions, then YES - ARIN should not get involved with operational issues of reverse DNS. But that fact is ARIN does do reverse DNS delegation. When I do a dig on an IP, I see alot of ARIN servers in the output! -John On Sep 11, 2007, at 7:21 PM, Azinger, Marla wrote: I would like to see a proposal that is along the lines of clarifying in addition to Owens proposal to just take it away. Hopefully we havnt scared John off and he will give a wack at it. Cheers! Marla -----Original Message----- From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net]On Behalf Of William Herrin Sent: Tuesday, September 11, 2007 3:32 PM To: Owen DeLong Cc: Public Policy Mailing List Subject: Re: [ppml] Policy Proposal -- Eliminate Lame Server policy On 9/11/07, Owen DeLong wrote: 1. Policy Proposal Name: Deprecate Lame Server Policy 7. Policy statement: Delete section 7 from the NRPM Owen, Are you sure this is the right way to move on this? If we're going to call ISPs "Local Internet Registries," shouldn't we expect them to behave as internet registries and do the things that internet registries do, including reallocation and assignment of the RDNS attached to every IP address? Regards, Bill Herrin -- William D. Herrin herrin at dirtside.com bill at herrin.us 3005 Crane Dr. Web: Falls Church, VA 22042-3004 _______________________________________________ PPML You are receiving this message because you are subscribed to the ARIN Public Policy Mailing List (PPML at arin.net). Unsubscribe or manage your mailing list subscription at: http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN Member Services Help Desk at info at arin.net if you experience any issues. _______________________________________________ PPML You are receiving this message because you are subscribed to the ARIN Public Policy Mailing List (PPML at arin.net). Unsubscribe or manage your mailing list subscription at: http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN Member Services Help Desk at info at arin.net if you experience any issues. Thanks, John Von Essen (800) 248-1736 ext 100 john at quonix.net _______________________________________________ PPML You are receiving this message because you are subscribed to the ARIN Public Policy Mailing List (PPML at arin.net). Unsubscribe or manage your mailing list subscription at: http://lists.arin.net/mailman/listinfo/ppml Please contact the ARIN Member Services Help Desk at info at arin.net if you experience any issues. -------------- next part -------------- An HTML attachment was scrubbed... URL: From tedm at ipinc.net Wed Sep 12 14:52:16 2007 From: tedm at ipinc.net (Ted Mittelstaedt) Date: Wed, 12 Sep 2007 11:52:16 -0700 Subject: [ppml] Policy Proposal -- Eliminate Lame Server policy In-Reply-To: Message-ID: >-----Original Message----- >From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net]On Behalf Of >michael.dillon at bt.com >Sent: Wednesday, September 12, 2007 6:58 AM >To: ppml at arin.net >Subject: Re: [ppml] Policy Proposal -- Eliminate Lame Server policy > >But I would not like to see any policing and especially >not any policing which assumes that there is one right way for the >Internet and therefore all IP network users must toe that line. > This is a rather silly statement. The entire DNS system depends on everyone doing things "one right way". The TCP/IP protocol itself won't work if everyone did their own version. I could point to numerous examples of everyone on the Internet having to do things "one right way" If you want to argue that in-addr.arpa handing is not a requirement for DNS and thus is optional, fine. But arguing to allow everyone to do their own thing merely for the sake of being able to do their own thing is preposterous on a shared network. One of ARINs jobs is policing. You may not like the police but they serve a required function in a community. Ted From Ed.Lewis at neustar.biz Wed Sep 12 14:52:49 2007 From: Ed.Lewis at neustar.biz (Edward Lewis) Date: Wed, 12 Sep 2007 14:52:49 -0400 Subject: [ppml] Policy Proposal: Modification to Reverse Mapping Policy In-Reply-To: <46E8007C.6010507@arin.net> References: <46E8007C.6010507@arin.net> Message-ID: Overall I like the idea, but to give an idea of how much of a pain it is to cover this in policy, here is my first pass for nits. (Keep in mind I've written lame delegation test code before and have seen all of the "weird" cases.) I would rather take what we (=community that came to consensus on proposals) have, request a review of the tools ARIN (=staff) is using to implement 2002-1 and 2003-5 and see where the tools are deemed to be insufficient by the community. >START NEW Section > >7. Reverse Mapping > >7.1. Maintaining IN-ADDRs > >All ISPs receiving one or more distinct /16 CIDR blocks of IP addresses >from ARIN will be responsible for maintaining all IN- ADDR.ARPA domain >records for their respective customers. For blocks smaller than /16, and >for the segment of larger blocks which start or end with a CIDR prefix >longer than /16, ARIN can maintain IN-ADDRs through the use of the SWIP >(Reallocate and Reassign) templates or the Netmod template for /24 and >shorter prefixes. Not all of the delegations from ARIN published zones are to "customers" of ARIN. Because of the Early Registration Transfers about 5 years ago, some of the delegations are for registrants of APNIC, RIPE, et.al. We will have to keep this in mind when it comes to trying to contact the registrant to report a detected problem. >7.2 Definitions > >7.2.1 Lame Delegation > >A delegation is defined as being lame if all of the in-addr.arpa zones >for a given name server of a specific network registration are lame. An >in- addr.arpa zone is defined as lame when ARIN requests the SOA record >from the name server registered in whois, but does not receive an answer. A delegation in DNS terminology is the subsetting of the name space and yielding it to another authority and is indicated by the set of name servers where the subsetted name space can be found. In the field of DNS, we have never grouped all of the NS records with common "RHS (right hand sides)" to make a set of zones delegated to the RHS, and from this declare the "delegation" to be lame. For a network with 4 zones, using one implementation of DNS, and only configuring 3 zones, if you ask the name server in the NS record for the SOA of the 3 working zones, you get good answers. For the fourth you will get no response, making it appear that there was a network error. It would not be proper to call the delegation to the name server "lame" (sic). The mapping is "network"->"zone"->"domain name"->"IP address". A network (e.g., a /19) will beget 32 /24 zones. Each of the 32 zones will inherit the, say, 3 name servers registered to the network. Those 3 name servers may each have multiple addresses - IPv4 and/or IPv6 - so there may be 4 IP addresses to try. Further, if there is anycast there could be many name servers to test for a given network. What if the only server for a network is one that is anycasting locally to the site from which testing is done? (I'm pointing this out to give a taste of how much you see from the trenches.) Requesting an SOA and failing to receive and answer is a very inaccurate characterization of lameness (sic). (Please, don't redefine terms, in the DNS context, lame already has a, ok a few, IETF documented definitions.) I'll lay aside the call to use a different term for "broken." The following would also be "broken" - non-recursive query for T=SOA and getting back anything other than the appropriate SOA alone in the Answer Section (ANCOUNT=1) with the Authoritative Answer (aa) bit set to 1. That covers the use of recursive servers to look like they slave the zone. >7.2.2 Partially Lame Delegation > >A delegation is defined as being partially lame if at least one in- >addr.arpa zone for a given name server of a specific network >registration is lame. An in- addr.arpa zone is defined as lame when ARIN >requests the SOA record from the name server registered in whois, but >does not receive an answer. There will be many cases where for a network, one server will be broken at any moment in time. But this is an inaccurate characterization of the problem. >7.3. Handling of Lame and Partially Lame Delegations in IN-ADDR.ARPA > >ARIN will actively identify lame and partially lame DNS name server >(s) for reverse address delegations associated with address blocks >allocated, assigned or administered by ARIN. Upon identification of a >lame or partially lame delegation, ARIN shall attempt to contact the POC >for that resource and resolve the issue. If, following due diligence, >ARIN is unable to resolve the lame or partially lame delegation, ARIN >will update the WHOIS database records resulting in the removal of lame >or partially lame DNS servers. ARIN's actions in resolving lame and >partially lame delegations is governed by the procedures set forth in >(Lame-Ref). I would rephrase this as something like this: ARIN will actively monitor DNS delegations from it's DNS servers to ARIN registrants and inform registrants of malfunctioning servers . (Insert time and retry parameters here). If a registered name server for a network object is found to be unsuitably operating, it will be removed from the network object's definition in the database. The important point is to make the policy specify an action ARIN can easily take - that is the removal of the name server. (Hey, it wasn't working anyway!) But note "suitably" because it could be the case that the name server answers to it's selected population of clients and the ARIN tester but to no one else in the Internet, thanks to ACLs. >7.4 References > >(Lame-Ref) "Lame Delegations In IN-ADDR.ARPA", http://www.arin.net/ >reference/lame_delegations.html >and some do not. Even if only one /24 in-addr.arpa reverse tests comes >back as lame, it is my opinion that this still taints the reputation of >entire network registration. IPs belonging to that lame in-addr.arpa I don't want ARIN to make judgements about "reputation." >zone will cause query timeouts to 3rd party dns resolvers, both public >and private. These excessive timeouts in my opinion can harm the overall >well-being of reverse dns functionality throughout the internet. The >only way to prevent such harm is for ARIN to not delegate reverse >authority to the so-called partially lame dns server as registered in >whois. That is the purpose of this policy proposal, to consider partial >lameness with the same prejudice as traditionally defined lameness. >Org's who are partially lame should be contacted by ARIN and lame >in-addr.arpa zones should be resolved as the procedures per >"http://www.arin.net/reference/ lame_delegations.html" dictate. I have a hard time following the rest of the rationale. What I can buy is asking ARIN to suspend/remove a name server if it's inclusion in the DNS causes sustained negative operational consequences. This is limited to the zone involved (not the network), as that is the extent of the DNS "damage." -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis +1-571-434-5468 NeuStar Think glocally. Act confused. From tedm at ipinc.net Wed Sep 12 14:58:10 2007 From: tedm at ipinc.net (Ted Mittelstaedt) Date: Wed, 12 Sep 2007 11:58:10 -0700 Subject: [ppml] Policy Proposal: Modification to Reverse Mapping Policy In-Reply-To: <46E81590.9040304@internap.com> Message-ID: