From fred at cisco.com Thu Apr 1 01:34:27 2010 From: fred at cisco.com (Fred Baker) Date: Wed, 31 Mar 2010 22:34:27 -0700 Subject: [arin-ppml] ULA-C In-Reply-To: References: <014501cacc77$5573fe00$005bfa00$@net> <4BB20FA7.1020100@gmail.com> <54827055-3AFB-4510-9592-4B2DD47F3086@delong.com> <4E376686-1540-433A-BC0B-26D1F5445D09@cisco.com> Message-ID: <76101A88-2A2E-4FB4-8264-E842F9B3D581@cisco.com> well, OK. If they don't re-up, and continue using it, they risk your wrath. When they were validly signed up, you didn't exchange that route with them. Now that they are not validly signed up, you adamantly refuse to exchange that route with them. And....? On Mar 31, 2010, at 8:51 PM, Chris Grundemann wrote: > On Wed, Mar 31, 2010 at 18:48, Fred Baker wrote: >> well, you didn't answer my question, so maybe I shouldn't have to answer yours :-) > > Fair enough - answer below. =) > >> I have no problem with your statement in principle. I'm just wondering how you enforce it. > > Annual renewal required of the registrant and annual > registrant-data-verification required of the registry (whois poc > verification or equivalent). Or, in the case of ULA-C, perhaps > pentennial renewal and verification would be adequate and appropriate. > > ...Or maybe annual for those blocks which the registry is providing > reverse DNS and pentennial for those with no service beyond basic > registration. > >>>> On Mar 31, 2010 6:17 PM, "Fred Baker" queried: >>>> If you give a prefix to your favorite admin and have them number their network with it, and then re-assign the prefix to someone else, what's the probability that you have a collision? > > Much greater than if you don't re-assign it. ;-) > >>>> I think you need to accept that once put into use, a ULA will be in use by that administration permanently. You obviously see otherwise. Fill me in? > > See my previous statements regarding the impermanence of organizations > and their networks. > > ~Chris > > > > -- > @ChrisGrundemann > weblog.chrisgrundemann.com > www.burningwiththebush.com > www.coisoc.org http://www.ipinc.net/IPv4.GIF From alain_durand at cable.comcast.com Thu Apr 1 09:17:30 2010 From: alain_durand at cable.comcast.com (Durand, Alain) Date: Thu, 01 Apr 2010 09:17:30 -0400 Subject: [arin-ppml] ULA-C In-Reply-To: <4BE237E0-147E-4F48-883E-052A2136898B@cisco.com> Message-ID: So here we are, re-hashing the discussion from a couple years ago... To answer Fred's point bellow, the issue is that nothing prevents those ULAs to be routed on the Internet. It is essentially a matter of how much an organization is willing to pay its service provider to announce the prefix. This is more likely to happen with centrally registered prefixes (guaranteed unique) rather than with self-originated, randomly generated ones. - Alain. On 3/31/10 8:46 PM, "Fred Baker" wrote: > well, question. Do you need whois and all that for a local address? We don't > use them for RFC 1918 addresses... > > If they were global addresses, I'd be right there with you. But a ULA is used > by your favorite IT department and is not normally shared with very many other > organizations. It seems like the response to "whois" should be "your IT > department". From mcr at sandelman.ca Thu Apr 1 09:41:19 2010 From: mcr at sandelman.ca (Michael Richardson) Date: Thu, 01 Apr 2010 09:41:19 -0400 Subject: [arin-ppml] ULA-C In-Reply-To: <4BE237E0-147E-4F48-883E-052A2136898B@cisco.com> References: <014501cacc77$5573fe00$005bfa00$@net> <4BB20FA7.1020100@gmail.com> <54827055-3AFB-4510-9592-4B2DD47F3086@delong.com> <4BB3E8F4.2010403@gmail.com> <4BE237E0-147E-4F48-883E-052A2136898B@cisco.com> Message-ID: <9575.1270129279@marajade.sandelman.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 >>>>> "Fred" == Fred Baker writes: Fred> well, question. Do you need whois and all that for a local Fred> address? We don't use them for RFC 1918 addresses... Whois and reverse DNS is the major reason, in my opinion, for ULA-C. If ULA-C hasn't got that, then it's just ULA-R with a much lower probability of non-collision. Why is whois and reverse DNS useful? Whois, because it lets you identify who is leaking. Reverse DNS because it means that organizations do not need to concern themselves so much with split-DNS. Without reverse DNS, IPv6 is really hard to cope with in my experience. Split-DNS was easy when enterprises were completely convex, but thanks to our success, IP is everywhere, and many devices are "inside" some of the time. Fred> On the other hand, I could imagine an allocation "policy" that Fred> consists of a web page (not my idea originally, it comes from Fred> Brian Carpenter). The web page has some variation on a Fred> counter, perhaps using a pseudo-random number generator or a Fred> cyclic feedback shift register to spread the numbers all Fred> over. When a site accesses the web page, they get a prefix, Fred> and the next person that accesses the web page gets the "next" Fred> prefix. Next question is who runs the web page; could be IANA, Fred> your favorite RIR, or anyone else the community deemed Fred> suitable. Along with that, I could imagine the person Fred> allocating the prefix having to provide some information, and Fred> some checks and balances to limit the probability of Fred> issues. The checks and balances would require discussion. They Fred> might include a name, address, and email address. Yes, we can do this. It has already been done for ULA-R by sixxs: http://www.sixxs.net/tools/grh/ula/ If IANA were to delegate the reverse to sixxs, well, we'd be pretty much done, as far as I'm concerned. - -- ] He who is tired of Weird Al is tired of life! | firewalls [ ] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[ ] mcr at sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[ Kyoto Plus: watch the video then sign the petition. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Finger me for keys iQEUAwUBS7SifoCLcPvd0N1lAQKFhQf4xTDdNMztRBUx9M9rDKx+jBk+YSXZgxoI +52SZ4c+83Rg+VwoBCWYQhhZu/3Apfpi84wg/QvR1kbh5CRBvv61G2zE5X6cvLHY g4RQxd5P7yIThAgXwUTyJLEj1tWWeHp+No1N3WeIdn0G/PIEj33pNkHD0GtvQYCE BoLugeBQ7Oz4qsbUmtgzlG1AF3BFp7ZCq2EhU+3+Ztp3Aibh3mKpBQq5K13Hp0mD sWpHmDvDUsvwFhwgXz1RKsM+5WY+AahnBMsNGzNgSgdIdYLVaVIcommAIQCoqYUf IFOKZn5fnqWMnNpcSJvCXlD+nvB5c05yqvPmRzVqdUNTlEbALhjd =05VX -----END PGP SIGNATURE----- From michael.dillon at bt.com Thu Apr 1 09:58:05 2010 From: michael.dillon at bt.com (michael.dillon at bt.com) Date: Thu, 1 Apr 2010 14:58:05 +0100 Subject: [arin-ppml] ULA-C In-Reply-To: Message-ID: <28E139F46D45AF49A31950F88C49745805AF0188@E03MVZ2-UKDY.domain1.systemhost.net> > To answer Fred's point bellow, the issue is that nothing > prevents those ULAs to be routed on the Internet. WRONG! Filters and ACLs prevent those ULA addresses from being routed to the Internet, but these are technical measures and they can be misconfigured, as they often are in the case of RFC 1918 addresses. ULA-C offers us the opportunity to record the registrant of each block in a central directory and when someone encounters packets with ULA-C addresses, they can find out where they are coming from and more easily get the problem fixed. > It is > essentially a matter of how much an organization is willing > to pay its service provider to announce the prefix. Show me some evidence. You can black out the supplier's name and the amount, but I want to see a copy of a signed contract from any ISP, anywhere, that has agreed to announce an RFC 1918 prefix. Without such evidence, I simply do not believe that what you say is possible. -- Michael Dillon From alain_durand at cable.comcast.com Thu Apr 1 11:09:47 2010 From: alain_durand at cable.comcast.com (Durand, Alain) Date: Thu, 01 Apr 2010 11:09:47 -0400 Subject: [arin-ppml] ULA-C In-Reply-To: <28E139F46D45AF49A31950F88C49745805AF0188@E03MVZ2-UKDY.domain1.systemhost.net> Message-ID: The IPv4 parallel to draw is not with RFC1918 (it is meaningless to advertize net10 because it is not unique), but with long prefixes in IPv4. How many /24s in your routing table? Or longer? - Alain. On 4/1/10 9:58 AM, "michael.dillon at bt.com" wrote: >> To answer Fred's point bellow, the issue is that nothing >> prevents those ULAs to be routed on the Internet. > > WRONG! > > Filters and ACLs prevent those ULA addresses from being routed > to the Internet, but these are technical measures and they > can be misconfigured, as they often are in the case of > RFC 1918 addresses. ULA-C offers us the opportunity to record > the registrant of each block in a central directory and when > someone encounters packets with ULA-C addresses, they can > find out where they are coming from and more easily get the > problem fixed. > >> It is >> essentially a matter of how much an organization is willing >> to pay its service provider to announce the prefix. > > Show me some evidence. You can black out the supplier's name > and the amount, but I want to see a copy of a signed contract > from any ISP, anywhere, that has agreed to announce an RFC 1918 > prefix. Without such evidence, I simply do not believe that > what you say is possible. > > -- Michael Dillon > _______________________________________________ > PPML > You are receiving this message because you are subscribed to > the ARIN Public Policy Mailing List (ARIN-PPML at arin.net). > Unsubscribe or manage your mailing list subscription at: > http://lists.arin.net/mailman/listinfo/arin-ppml > Please contact info at arin.net if you experience any issues. From kkargel at polartel.com Thu Apr 1 12:23:24 2010 From: kkargel at polartel.com (Kevin Kargel) Date: Thu, 1 Apr 2010 11:23:24 -0500 Subject: [arin-ppml] ULA-C In-Reply-To: <68D14357-C52A-4790-A14E-5026D37A495F@delong.com> References: <014501cacc77$5573fe00$005bfa00$@net> <4BB20FA7.1020100@gmail.com> <54827055-3AFB-4510-9592-4B2DD47F3086@delong.com> <4BB2BF86.8000000@ibctech.ca> <8695009A81378E48879980039EEDAD28876D43D1@MAIL1.polartel.local> <68D14357-C52A-4790-A14E-5026D37A495F@delong.com> Message-ID: <8695009A81378E48879980039EEDAD28876D43F0@MAIL1.polartel.local> > > I concur that renewal is necessary, though renewal requirements do not > necessarily need to include money, data refresh could be sufficient. > > > > Kevin > > I disagree. Without fees, data-refresh is often responded to out of rote > without thought or consideration. > > Owen In this instance I think rote would be sufficient. The main objective being a live person ping to test that the organization is live and present. To my understanding the thing we want to make sure of is that the network has not been abandoned. Kevin From farmer at umn.edu Thu Apr 1 12:41:36 2010 From: farmer at umn.edu (David Farmer) Date: Thu, 01 Apr 2010 11:41:36 -0500 Subject: [arin-ppml] ULA-C In-Reply-To: <8695009A81378E48879980039EEDAD28876D43F0@MAIL1.polartel.local> References: <014501cacc77$5573fe00$005bfa00$@net> <4BB20FA7.1020100@gmail.com> <54827055-3AFB-4510-9592-4B2DD47F3086@delong.com> <4BB2BF86.8000000@ibctech.ca> <8695009A81378E48879980039EEDAD28876D43D1@MAIL1.polartel.local> <68D14357-C52A-4790-A14E-5026D37A495F@delong.com> <8695009A81378E48879980039EEDAD28876D43F0@MAIL1.polartel.local> Message-ID: <4BB4CCC0.7050005@umn.edu> Kevin Kargel wrote: >>> I concur that renewal is necessary, though renewal requirements do not >> necessarily need to include money, data refresh could be sufficient. >>> Kevin >> I disagree. Without fees, data-refresh is often responded to out of rote >> without thought or consideration. >> >> Owen > In this instance I think rote would be sufficient. The main objective being a live person ping to test that the organization is live and present. To my understanding the thing we want to make sure of is that the network has not been abandoned. I believe what ever the policy is it should be the same as for PI assignments. A fundamental tenant of the consensus that I think is developing is if the policy for PI and ULA-C are essentially the same, then ULA-C can be implemented without much risk of abuse. If ULA-C is easier to get or maintain, or even if it is only perceived as such, there is a risk of abuse. -- =============================================== David Farmer Email:farmer at umn.edu Networking & Telecommunication Services Office of Information Technology University of Minnesota 2218 University Ave SE Phone: 612-626-0815 Minneapolis, MN 55414-3029 Cell: 612-812-9952 =============================================== From cgrundemann at gmail.com Thu Apr 1 13:00:13 2010 From: cgrundemann at gmail.com (Chris Grundemann) Date: Thu, 1 Apr 2010 11:00:13 -0600 Subject: [arin-ppml] ULA-C In-Reply-To: <76101A88-2A2E-4FB4-8264-E842F9B3D581@cisco.com> References: <014501cacc77$5573fe00$005bfa00$@net> <4BB20FA7.1020100@gmail.com> <54827055-3AFB-4510-9592-4B2DD47F3086@delong.com> <4E376686-1540-433A-BC0B-26D1F5445D09@cisco.com> <76101A88-2A2E-4FB4-8264-E842F9B3D581@cisco.com> Message-ID: On Wed, Mar 31, 2010 at 23:34, Fred Baker wrote: > well, OK. If they don't re-up, and continue using it, they risk your wrath. When they were validly signed up, you didn't exchange that route with them. Now that they are not validly signed up, you adamantly refuse to exchange that route with them. > > And....? > And... this is exactly why we have ARIN and why we pay them. If the Org doesn't renew (re-up) then it is the registries duty to determine if they have refused or if they have ceased to exist (or just don't need the IPs anymore). By not renewing, the Org runs the risk of no longer having a unique block of ULA-C and they lose reverse DNS (and any other) services on said block. This is likely reason enough to keep re-upping as long as they keep using the IPs (assuming that the process is not overly onerous). Another point to consider is that most organizations will likely have ULA-C AND IPv4 and/or GUA and/or an AS. Assuming that the ULA-C is not their only resource, the renewal (re-up) process should be a single touch for all resources - another reason that a functioning Org which is using the space assigned is unlikely to stop renewing. And finally, if the Org in question really has only one block of ULA-C and they stop renewing; then the registry (ARIN) is responsible to track the Org down and determine if the block can be reclaimed for some other Org to use. Plus they get my wrath. ~Chris > > http://www.ipinc.net/IPv4.GIF > > -- @ChrisGrundemann weblog.chrisgrundemann.com www.burningwiththebush.com www.coisoc.org From mcr at sandelman.ca Thu Apr 1 15:05:03 2010 From: mcr at sandelman.ca (Michael Richardson) Date: Thu, 01 Apr 2010 15:05:03 -0400 Subject: [arin-ppml] ULA-C In-Reply-To: References: Message-ID: <1443.1270148703@marajade.sandelman.ca> >>>>> "Alain" == Alain Durand writes: Alain> The IPv4 parallel to draw is not with RFC1918 (it is Alain> meaningless to advertize net10 because it is not unique), but Alain> with long prefixes in IPv4. How many /24s in your routing Alain> table? Or longer? So what? Show me the IETF or ARIN or RIPE or ... policy that says that they shouldn't be announced? (I'm irked when I see /24s without covering aggregate announcements, and I could, I'd filter them, and I have done so when I had such powers) -- ] He who is tired of Weird Al is tired of life! | firewalls [ ] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[ ] mcr at sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[ Kyoto Plus: watch the video then sign the petition. From joelja at bogus.com Thu Apr 1 15:19:38 2010 From: joelja at bogus.com (Joel Jaeggli) Date: Thu, 01 Apr 2010 12:19:38 -0700 Subject: [arin-ppml] ULA-C In-Reply-To: <1443.1270148703@marajade.sandelman.ca> References: <1443.1270148703@marajade.sandelman.ca> Message-ID: <4BB4F1CA.4030803@bogus.com> On 04/01/2010 12:05 PM, Michael Richardson wrote: > >>>>>> "Alain" == Alain Durand writes: > Alain> The IPv4 parallel to draw is not with RFC1918 (it is > Alain> meaningless to advertize net10 because it is not unique), but > Alain> with long prefixes in IPv4. How many /24s in your routingb > Alain> table? Or longer? > > So what? > Show me the IETF or ARIN or RIPE or ... policy that says that they > shouldn't be announced? More to the point there are direct analogies betwen the class-c swamp and the concerns expressed about the potential for unique assignments to be advertised at some point in the future. fwiw we do advertise our swamp space in an aggregated fashion because it's possible to do... The swamp almost broke the internet the last time around... > (I'm irked when I see /24s without covering aggregate announcements, and > I could, I'd filter them, and I have done so when I had such powers) > From farmer at umn.edu Thu Apr 1 15:51:53 2010 From: farmer at umn.edu (David Farmer) Date: Thu, 01 Apr 2010 14:51:53 -0500 Subject: [arin-ppml] ULA-C In-Reply-To: <4BB4F1CA.4030803@bogus.com> References: <1443.1270148703@marajade.sandelman.ca> <4BB4F1CA.4030803@bogus.com> Message-ID: <4BB4F959.4020701@umn.edu> Joel Jaeggli wrote: > > On 04/01/2010 12:05 PM, Michael Richardson wrote: >>>>>>> "Alain" == Alain Durand writes: >> Alain> The IPv4 parallel to draw is not with RFC1918 (it is >> Alain> meaningless to advertize net10 because it is not unique), but >> Alain> with long prefixes in IPv4. How many /24s in your routingb >> Alain> table? Or longer? >> >> So what? >> Show me the IETF or ARIN or RIPE or ... policy that says that they >> shouldn't be announced? > > More to the point there are direct analogies betwen the class-c swamp > and the concerns expressed about the potential for unique assignments to > be advertised at some point in the future. fwiw we do advertise our > swamp space in an aggregated fashion because it's possible to do... > > The swamp almost broke the internet the last time around... Is this an issue of ULA-C or PI, I see more of an analogy between the swamp and PI, and lest in the fact of lots of unaggregatable routes. For a majority of the ISPs ULA or ULA-C can be filtered with a single policy statement and have a covering aggregate point at null. One of the reasons that I believe the RIRs need to be involved in and control the policy under which ULA-C is given out is to impose good stewardship on the ULA-C resources. This should help avoid the other problem of the swamp, lots of stale or even rotted POC and assignment information. If you are going to have a registry it needs to be properly maintained, that cost at least some money and if you doing want to pay for that then use ULA-L. And, this is not just a one-time payment, it costs money to maintain the registry over time too. Further, the costs of maintaining a registry for PI or ULA-C are probably not going to be significantly different, you are doing most of the same things. -- =============================================== David Farmer Email:farmer at umn.edu Networking & Telecommunication Services Office of Information Technology University of Minnesota 2218 University Ave SE Phone: 612-626-0815 Minneapolis, MN 55414-3029 Cell: 612-812-9952 =============================================== From kkargel at polartel.com Thu Apr 1 16:12:48 2010 From: kkargel at polartel.com (Kevin Kargel) Date: Thu, 1 Apr 2010 15:12:48 -0500 Subject: [arin-ppml] ULA-C In-Reply-To: <4BB4CCC0.7050005@umn.edu> References: <014501cacc77$5573fe00$005bfa00$@net> <4BB20FA7.1020100@gmail.com> <54827055-3AFB-4510-9592-4B2DD47F3086@delong.com> <4BB2BF86.8000000@ibctech.ca> <8695009A81378E48879980039EEDAD28876D43D1@MAIL1.polartel.local> <68D14357-C52A-4790-A14E-5026D37A495F@delong.com> <8695009A81378E48879980039EEDAD28876D43F0@MAIL1.polartel.local> <4BB4CCC0.7050005@umn.edu> Message-ID: <8695009A81378E48879980039EEDAD28876D43F3@MAIL1.polartel.local> > I believe what ever the policy is it should be the same as for PI > assignments. > > A fundamental tenant of the consensus that I think is developing is if > the policy for PI and ULA-C are essentially the same, then ULA-C can be > implemented without much risk of abuse. If ULA-C is easier to get or > maintain, or even if it is only perceived as such, there is a risk of > abuse. > > I will buy in to that. On a global level I can see that if many people want ULA-C I guess it won't hurt anything so long as it doesn't start finding it's way to the global routing table. Even if it shows up in local peer routing tables it is pretty benign. The danger I see with ULA peer relationships is that if I advertise my ULA-* to a peer for private uses I have no control over my peers BGP policies and they may through design or neglect advertise my ULA to their peers, which would/could pollute the global table. This could get *me* in trouble through no fault of my own. On a local (personal)level I just don't see the need for dedicated ULA pools when anyone can roll their own ULA-* out of their GUA. My interpretation is that ULA-ish GUA consumption would count toward utilization requirements, so it would not handicap further allocation requests. Perhaps I am wrong on this one. Kevin From farmer at umn.edu Thu Apr 1 18:09:30 2010 From: farmer at umn.edu (David Farmer) Date: Thu, 01 Apr 2010 17:09:30 -0500 Subject: [arin-ppml] ULA-C In-Reply-To: <8695009A81378E48879980039EEDAD28876D43F3@MAIL1.polartel.local> References: <014501cacc77$5573fe00$005bfa00$@net> <4BB20FA7.1020100@gmail.com> <54827055-3AFB-4510-9592-4B2DD47F3086@delong.com> <4BB2BF86.8000000@ibctech.ca> <8695009A81378E48879980039EEDAD28876D43D1@MAIL1.polartel.local> <68D14357-C52A-4790-A14E-5026D37A495F@delong.com> <8695009A81378E48879980039EEDAD28876D43F0@MAIL1.polartel.local> <4BB4CCC0.7050005@umn.edu> <8695009A81378E48879980039EEDAD28876D43F3@MAIL1.polartel.local> Message-ID: <4BB5199A.5040506@umn.edu> Kevin Kargel wrote: > The danger I see with ULA peer relationships is that if I advertise my ULA-* to a peer for private uses I have no control over my peers BGP policies and they may through design or neglect advertise my ULA to their peers, which would/could pollute the global table. This could get *me* in trouble through no fault of my own. You are right you don't have ultimate control of this issue, your peer does, and their other peer has control over what they accept. This is not that much different the GUA though. Yes, since your peer's, peer's, peer is not seeing your ULA route in the global table it is more likely they will believe the route, if they are not filtering ULA. However, you can at least try to help you peer do the right thing and add the well-known community "no-export" when sending any routes you don't want your peer to announce to anyone else. They can alway strip the community off and do what ever they want but it would help prevent them from accidentally announcing it to someone else. Even with that there is no substitute for good peering practices. > On a local (personal)level I just don't see the need for dedicated ULA pools when anyone can roll their own ULA-* out of their GUA. As I said my local (personal) reasons for wanting this are not technical, they are political and to allow me to appease others, both within my large organization and at numerous business partners all over the world. > My interpretation is that ULA-ish GUA consumption would count toward utilization requirements, so it would not handicap further allocation requests. Perhaps I am wrong on this one. Good question, I do not thinking there should be such thing as PA ULA-C, in other words as a provider you don't get a ULA-C allocation and give some to your customer. If your customer wants ULA-C they get it from an RIR. You as a provider could get ULA-C for your internal use only, sized appropriately for your network infrastructure. For a end-user they could get ULA-C equivalent to what they would qualify for PI. An example, if an end-user qualified for a /46 of PI they could get a /46 of ULA-C. In fact I believe they should be able to have both at the same time. Further, it is entirely possible from a policy point of view for a end-user site to have a PI /46, a ULA /46, a PA /46 assigned from a provider, additional PA /46s from any number of providers, and be completely justified. And, each of those prefixes could have an RA on every one of the subnets within the end-users network. I'm not sure how the hosts are going to know how to select the right prefix to use, but that is not an number resource policy question, that is an operational one. From a policy point of view this should be valid. -- =============================================== David Farmer Email:farmer at umn.edu Networking & Telecommunication Services Office of Information Technology University of Minnesota 2218 University Ave SE Phone: 612-626-0815 Minneapolis, MN 55414-3029 Cell: 612-812-9952 =============================================== From mcr at sandelman.ca Thu Apr 1 21:04:45 2010 From: mcr at sandelman.ca (Michael Richardson) Date: Thu, 01 Apr 2010 21:04:45 -0400 Subject: [arin-ppml] ULA-C In-Reply-To: <8695009A81378E48879980039EEDAD28876D43F3@MAIL1.polartel.local> References: <014501cacc77$5573fe00$005bfa00$@net> <4BB20FA7.1020100@gmail.com> <54827055-3AFB-4510-9592-4B2DD47F3086@delong.com> <4BB2BF86.8000000@ibctech.ca> <8695009A81378E48879980039EEDAD28876D43D1@MAIL1.polartel.local> <68D14357-C52A-4790-A14E-5026D37A495F@delong.com> <8695009A81378E48879980039EEDAD28876D43F0@MAIL1.polartel.local> <4BB4CCC0.7050005@umn.edu> <8695009A81378E48879980039EEDAD28876D43F3@MAIL1.polartel.local> Message-ID: <16249.1270170285@marajade.sandelman.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 >>>>> "Kevin" == Kevin Kargel writes: >> I believe what ever the policy is it should be the same as for PI >> assignments. >> >> A fundamental tenant of the consensus that I think is developing >> is if the policy for PI and ULA-C are essentially the same, then >> ULA-C can be implemented without much risk of abuse. If ULA-C is >> easier to get or maintain, or even if it is only perceived as >> such, there is a risk of abuse. >> >> Kevin> I will buy in to that. Kevin> On a global level I can see that if many people want ULA-C I Kevin> guess it won't hurt anything so long as it doesn't start Kevin> finding it's way to the global routing table. Even if it Kevin> shows up in local peer routing tables it is pretty benign. Kevin> The danger I see with ULA peer relationships is that if I Kevin> advertise my ULA-* to a peer for private uses I have no Kevin> control over my peers BGP policies and they may through Kevin> design or neglect advertise my ULA to their peers, which Kevin> would/could pollute the global table. This could get *me* in Kevin> trouble through no fault of my own. So, that's why we need ULA-C, rather than "tainted GUA". The ULA-C will *not* leak into the global routing table, because there will be lots and lots of filters that reject it. Kevin> On a local (personal)level I just don't see the need for Kevin> dedicated ULA pools when anyone can roll their own ULA-* out Kevin> of their GUA. Sure. Show me again, where the 20-person operation that have a cable connection, and a DSL connection (and thus two sets of GUA-PA), get this GUA-PI that they need to have stable addresses internally? Said company has two different types of connections because neither is reliable enough. ULA-C is not about ISPs. It's about SME. - -- ] He who is tired of Weird Al is tired of life! | firewalls [ ] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[ ] mcr at sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[ Kyoto Plus: watch the video then sign the petition. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Finger me for keys iQEVAwUBS7VCqoCLcPvd0N1lAQKfMggAqPLdf9Xt1gPa2H+UrWZXReNkKCLzkE7X AFnJNub+TUhFTViHfYiF8CiHjM3I6+XP5o8vztkVmMfDi6h9oD8IFw8+wqTBfSb4 +6ewawDWlTlTV6Uxn3Hq0pg2p/WltJvkLGs5Fy9MXjKd8dfxZPhrTbFOY0+zSUYR kR/DmlupONzPHP522JNySRrxDPG3t9YRm5+B5FC32ljUX2gNbUDManaUHRHYQhdy /1WxqdcrhmS217OEgtUcqkisc0mER/HxTdksbCw8UltXbwtG2hLAo2eiAeb2L6aS I2QFkWT1jwaB+IU0FXgGzhgCYbqwE0Jqr371sHWssPbr4/aL5FZH5A== =dlfF -----END PGP SIGNATURE----- From owen at delong.com Thu Apr 1 17:38:10 2010 From: owen at delong.com (Owen DeLong) Date: Thu, 1 Apr 2010 14:38:10 -0700 Subject: [arin-ppml] ULA-C In-Reply-To: <8695009A81378E48879980039EEDAD28876D43F0@MAIL1.polartel.local> References: <014501cacc77$5573fe00$005bfa00$@net> <4BB20FA7.1020100@gmail.com> <54827055-3AFB-4510-9592-4B2DD47F3086@delong.com> <4BB2BF86.8000000@ibctech.ca> <8695009A81378E48879980039EEDAD28876D43D1@MAIL1.polartel.local> <68D14357-C52A-4790-A14E-5026D37A495F@delong.com> <8695009A81378E48879980039EEDAD28876D43F0@MAIL1.polartel.local> Message-ID: On Apr 1, 2010, at 9:23 AM, Kevin Kargel wrote: >>> I concur that renewal is necessary, though renewal requirements do not >> necessarily need to include money, data refresh could be sufficient. >>> >>> Kevin >> >> I disagree. Without fees, data-refresh is often responded to out of rote >> without thought or consideration. >> >> Owen > In this instance I think rote would be sufficient. The main objective being a live person ping to test that the organization is live and present. To my understanding the thing we want to make sure of is that the network has not been abandoned. > > Kevin I'd rather actually make sure the resources are still in active use for something someone considers a useful purpose. A fee which also helps defray the costs of those annual pings and records maintenance is not a bad idea. Otherwise, someone somewhere is subsidizing all that ULA registration. I don't see any reason ULA shouldn't pay its own way. Owen From info at arin.net Fri Apr 2 12:08:45 2010 From: info at arin.net (Member Services) Date: Fri, 02 Apr 2010 12:08:45 -0400 Subject: [arin-ppml] ARIN XXV Open Policy Hour Message-ID: <4BB6168D.8080007@arin.net> Sign up today to present your ideas at the ARIN XXV Open Policy Hour, Sunday, 18 April, from 5:00-6:00 PM (EDT). The Open Policy Hour (OPH) is a showcase for new policy ideas, and we want to hear from you. Sign up before Friday, 16 April to guarantee your chance at the microphone. Everyone is invited to attend the session and raise ideas and suggestions. You do not need to have a formal presentation in order to participate. Signing up in advance allows us to confirm your turn to present your policy idea, but is not required. Part One - Draft Policy Background Briefing: ARIN staff provides summary information regarding the draft policies up for discussion at the meeting. Advisory Council representatives answer general questions about the draft policies. The intent is to increase understanding of the nature of the proposals, not to discuss the pros or cons of the draft policies. Part Two - Policy Proposal BoF: If you have a policy suggestion for which you would like to receive feedback prior to formally submitting it to the community, here is your opportunity. You?ll be given a few minutes to present your idea before other attendees are invited to comment. To sign up to give a presentation, please send an e-mail to policy at arin.net by 16 April 2010 with your name, organization, and a brief description of your policy subject. More details are available at: https://www.arin.net/ARIN-XXV/. If you won?t be with us in Toronto, we are offering remote participation during the Open Policy Hour, and throughout the Public Policy and Members Meeting. Get all the details and register as a remote participant at https://www.arin.net/ARIN-XXV/remote.html. We look forward to your participation in ARIN XXV. Please contact Member Services at info at arin.net if you have any questions. Regards, Member Services American Registry for Internet Numbers (ARIN) From kkargel at polartel.com Fri Apr 2 14:03:14 2010 From: kkargel at polartel.com (Kevin Kargel) Date: Fri, 2 Apr 2010 13:03:14 -0500 Subject: [arin-ppml] ULA-C In-Reply-To: <16249.1270170285@marajade.sandelman.ca> References: <014501cacc77$5573fe00$005bfa00$@net> <4BB20FA7.1020100@gmail.com> <54827055-3AFB-4510-9592-4B2DD47F3086@delong.com> <4BB2BF86.8000000@ibctech.ca> <8695009A81378E48879980039EEDAD28876D43D1@MAIL1.polartel.local> <68D14357-C52A-4790-A14E-5026D37A495F@delong.com> <8695009A81378E48879980039EEDAD28876D43F0@MAIL1.polartel.local> <4BB4CCC0.7050005@umn.edu> <8695009A81378E48879980039EEDAD28876D43F3@MAIL1.polartel.local> <16249.1270170285@marajade.sandelman.ca> Message-ID: <8695009A81378E48879980039EEDAD28876D43FA@MAIL1.polartel.local> > Sure. Show me again, where the 20-person operation that have a cable > connection, and a DSL connection (and thus two sets of GUA-PA), get this > GUA-PI that they need to have stable addresses internally? > Said company has two different types of connections because neither is > reliable enough. > > ULA-C is not about ISPs. It's about SME. > So you are telling me that as an ISP I will need to make special routes for each and every DSL customer that has two xSL connections? Why doesn't that customer just get his own GUA if this is so important to his business? From bill at herrin.us Fri Apr 2 18:13:42 2010 From: bill at herrin.us (William Herrin) Date: Fri, 2 Apr 2010 18:13:42 -0400 Subject: [arin-ppml] ULA-C In-Reply-To: References: <4BE237E0-147E-4F48-883E-052A2136898B@cisco.com> Message-ID: On Thu, Apr 1, 2010 at 9:17 AM, Durand, Alain wrote: > To answer Fred's point bellow, the issue is that nothing prevents those ULAs > to be routed on the Internet. It is essentially a matter of how much an > organization is willing to pay its service provider to announce the prefix. That's essentially the same as saying that routing an IPv4 /32 in the Internet DFZ is "essentially a matter of how much an organization is willing to pay its service provider to announce the prefix." It's an intellectually dishonest statement. -Bill Herrin -- William D. Herrin ................ herrin at dirtside.com bill at herrin.us 3005 Crane Dr. ...................... Web: Falls Church, VA 22042-3004 From alain_durand at cable.comcast.com Fri Apr 2 19:08:21 2010 From: alain_durand at cable.comcast.com (Durand, Alain) Date: Fri, 02 Apr 2010 19:08:21 -0400 Subject: [arin-ppml] ULA-C In-Reply-To: Message-ID: On 4/2/10 6:13 PM, "William Herrin" wrote: > On Thu, Apr 1, 2010 at 9:17 AM, Durand, Alain > wrote: >> To answer Fred's point bellow, the issue is that nothing prevents those ULAs >> to be routed on the Internet. It is essentially a matter of how much an >> organization is willing to pay its service provider to announce the prefix. > > That's essentially the same as saying that routing an IPv4 /32 in the > Internet DFZ is "essentially a matter of how much an organization is > willing to pay its service provider to announce the prefix." It's an > intellectually dishonest statement. Do you remember the efforts from Randy Bush & others to limit the length of the prefixes advertized in the DMZ to /21s? Well, how many /24 (or longer) do you see now? - Alain. From bill at herrin.us Fri Apr 2 20:11:15 2010 From: bill at herrin.us (William Herrin) Date: Fri, 2 Apr 2010 20:11:15 -0400 Subject: [arin-ppml] ULA-C In-Reply-To: References: Message-ID: On Fri, Apr 2, 2010 at 7:08 PM, Durand, Alain wrote: >> That's essentially the same as saying that routing an IPv4 /32 in the >> Internet DFZ is "essentially a matter of how much an organization is >> willing to pay its service provider to announce the prefix." It's an >> intellectually dishonest statement. > > Do you remember the efforts from Randy Bush & others to limit the length of > the prefixes advertized in the DMZ to /21s? Well, how many /24 (or longer) > do you see now? /24? Lots. Longer? Zero that I see announced from more than one of my transits. And that's my point. Netops already know to exclude fc00::/7 from the DFZ. More precisely, netops know to include only 2000::/3 in the Internet DFZ (http://www.iana.org/assignments/ipv6-address-space/). Too many people at too many organizations would have to choose to exceptionally accept a given ULA prefix from within fc00::/8 for it to be usefully routed on the Internet. this would be -effectively- impossible. As for Randy's efforts, you never had a strong consensus to limit IPv4 announcements to /21. A weak consensus sure, but "weak consensus" is just a fancy way of saying "boisterous minority." The strong consensus to filter IPv4 at /24 is all but set in stone these days and the consensus that the IPv6 Internet consists of 2000:/3 until IETF says otherwise seems likely to stick. Likely enough to stick, at any rate, that you can tweak fc00::/8 with the reasonable expectation that there won't be any impact on the IPv6 Internet DFZ. As you are not an idiot, you already knew all this. That's why I called your claim that getting a ULA into the DFZ would just be a question of money intellectually dishonest. Regards, Bill Herrin -- William D. Herrin ................ herrin at dirtside.com bill at herrin.us 3005 Crane Dr. ...................... Web: Falls Church, VA 22042-3004 From alain_durand at cable.comcast.com Fri Apr 2 22:22:42 2010 From: alain_durand at cable.comcast.com (Durand, Alain) Date: Fri, 02 Apr 2010 22:22:42 -0400 Subject: [arin-ppml] ULA-C In-Reply-To: Message-ID: On 4/2/10 8:11 PM, "William Herrin" wrote: > The strong consensus > to filter IPv4 at /24 is all but set in stone these days Do you think this is going to stay that way very long after IANA exhaust? I personally don't. There is already provision in a policy adopted by ARIN to allocate /28s out of a reserved /10 to help IPv6 deployment after exhaustion. > As you are not an idiot, you already knew all this. That's why I > called your claim that getting a ULA into the DFZ would just be a > question of money intellectually dishonest. Words like these do not help much. We may agree to disagree, but the discussion should remain courteous. - Alain. From bill at herrin.us Sun Apr 4 00:00:53 2010 From: bill at herrin.us (William Herrin) Date: Sun, 4 Apr 2010 00:00:53 -0400 Subject: [arin-ppml] ULA-C In-Reply-To: References: Message-ID: On Fri, Apr 2, 2010 at 10:22 PM, Durand, Alain wrote: > On 4/2/10 8:11 PM, "William Herrin" wrote: >> The strong consensus >> to filter IPv4 at /24 is all but set in stone these days > > Do you think this is going to stay that way very long after IANA exhaust? Alain, I think the cost of an IPv4 address has a long way to rise and the cost of an IPv4 route has a long way to fall before the economics favor a general shift towards accepting longer prefixes in the DFZ. Converting allocation to a zero-sum game will certainly increase the cost of an IPv4 address. But that much? My magic 8-ball says: Very Doubtful. For that matter, if the /21 crew hadn't overstepped by also pushing the notion that folks couldn't multihome unless they had yay many computers, they'd have probably have managed to pull the bulk of the /8's back to a maximum prefix length of /21. They had a compelling case, but boxing small multihomers into a corner where they had to use PA cutouts proved self-destructive. >> As you are not an idiot, you already knew all this. That's why I >> called your claim that getting a ULA into the DFZ would just be a >> question of money intellectually dishonest. > > Words like these do not help much. We may agree to disagree, but the > discussion should remain courteous. You're right. I'm just frustrated with the direction this discussion has gone. The need here is real simple. ULA. From the already-defined ULA pool. But with registry-guaranteed uniqueness (instead of statistical uniqueness) and a DNS PTR delegation. It ain't supposed to be a global unicast address. It's useless if it we unify policies to the point where the registry function costs the same as it does for a global unicast address. The NAT boogieman isn't going to get us any faster with or without it. And for God's sake, we need an RFC to tell IANA to hand addresses off to a registry or registries, not micromanage every little detail. -Bill -- William D. Herrin ................ herrin at dirtside.com bill at herrin.us 3005 Crane Dr. ...................... Web: Falls Church, VA 22042-3004 From info at arin.net Mon Apr 5 14:44:58 2010 From: info at arin.net (Member Services) Date: Mon, 05 Apr 2010 14:44:58 -0400 Subject: [arin-ppml] Draft Policy 2010-8: Rework of IPv6 assignment criteria - revised Message-ID: <4BBA2FAA.9040000@arin.net> Draft Policy 2010-8 Rework of IPv6 assignment criteria 2010-8 has been revised. "The Change made since the last version that went to PPML are; 1. Section 6.5.8.4 was removed and the current Community Networks policy was moved as-is from 6.5.9 to 6.5.10. This move is necessary to make room for section 6.5.9 Subsequent assignments from this policy to immediately follow section 6.5.8. Initial assignments. 2. A number of small editorial changes and grammatical corrections." This draft policy is open for discussion on this mailing list and will be on the agenda at the upcoming ARIN Public Policy Meeting in Toronto. Draft Policy 2010-8 is below and can be found at: https://www.arin.net/policy/proposals/2010_8.html Regards, Member Services American Registry for Internet Numbers (ARIN) ## * ## Draft Policy 2010-8 Rework of IPv6 assignment criteria Version/Date: 5 April 2010 Policy statement: 6.5.8. Initial assignments 6.5.8.1. Initial assignment size Organizations that meet at least one of the following criteria are eligible to receive a minimum assignment of /48. Requests for larger initial assignments, reasonably justified with supporting documentation, will be evaluated based on the number of sites and the number of subnets needed to support a site. Organizations may request up to a /48 for each site in their network, with the overall allocation rounded up to the next whole prefix only as necessary. A subnet plan demonstrating a utilization of 33,689 or more subnets within a site is necessary to justify an additional /48 for any individual site, beyond this the 0.94 HD-Ratio metric of the number of subnets is used. All assignments shall be made from distinctly identified prefixes, with each assignment receiving a reservation for growth of at least a /44. Such reservations are not guaranteed and ARIN, at its discretion, may assign them to other organizations at any time. Note: Organizations with multiple sites are encouraged to consider the use of /56s for smaller satellite sites. 6.5.8.2. Criteria for initial assignment to Internet connected end-users Organizations may justify an initial assignment for connecting their own network to the IPv6 Internet, with an intent to provide global reachability for the assignment within 12 months, and for addressing devices directly attached to their network infrastructure, by meeting one of the following additional criteria: a. Having a previously justified IPv4 end-user assignment from ARIN or one of its predecessor registries, or; b. Currently being IPv6 Multihomed or immediately becoming IPv6 Multihomed and using an assigned valid global AS number, or; c. By providing a reasonable technical justification indicating why other IPv6 addresses from an ISP or other LIR are unsuitable and a plan detailing the utilization of sites and subnets for one, two and five year periods. Examples of justifications for why addresses from an ISP or other LIR may be unsuitable include, but are not limited to: * An organization that operates infrastructure critical to life safety or the functioning of society, has justification based on the fact that renumbering would have a broader than expected impact than simply the number of hosts involved. These would include; hospitals, fire fighting, police, emergency response, power or energy distribution, water or waste treatment, traffic management and control, etc? * Regardless of the number of hosts involved, an organization has justification if renumbering would affect 1000 or more individuals either internal or external to the organization. 6.5.8.3 Criteria for initial assignment to non-connected networks Organizations may justify an initial assignment for operating their own non-connected IPv6 network and for addressing devices directly attached to their network infrastructure, by meeting one of the following additional criteria: a. Having a previously justified IPv4 end-users assignment from ARIN or one of its predecessor registries, or; b. By providing a reasonable technical justification indicating why an assignment for a non-connected networks is necessary, including the intended purpose for the assignment, and describing the network infrastructure the assignment will be used to support. Justification must include why Unique Local IPv6 Unicast Addresses (ULA) is unsuitable and a plan detailing the utilization of sites and subnets for one, two and five year periods. Examples of justifications for why ULA may be unsuitable include, but are not limited to: * The need for authoritative delegation of reverse DNS, including documentation why this is necessary. * The need for documented uniqueness, beyond the statistical uniqueness provided by ULA, including documentation why this is necessary. * A documented need to connect with other networks connected to or not connected to the Internet NOTE: Organizations are encouraged to consider the use of ULA, for non-connected networks, see RFC 4193 for details. 6.5.9. Subsequent assignments Subsequent assignments may be made when the need for additional sites or subnets are justified with reasonable supporting documentation. When possible, subsequent assignments will be made from an adjacent address block. Organizations may request up to a /48 for each site in their network, with the overall allocation rounded up to the next whole prefix only as necessary. A subnet plan demonstrating a utilization of 33,689 or more subnets within a site is necessary to justify an additional /48 for any individual site, beyond this the 0.94 HD-Ratio metric of the number of subnets is used. Note: Organizations with multiple sites are encouraged to consider the use of /56s for smaller satellite sites. Move current 6.5.9 Community Network Assignments as-is to section 6.5.10. Rationale: This proposal provides a complete rework of the IPv6 end-user assignment criteria, removing the dependency on IPv4 policy, while maintaining many of the basic concepts contained in the current policies. The order of the subsections of 6.5.8 was rearranged moving the initial assignment size to 6.5.8.1 and subsequent assignments to 6.5.9. This will facilitate adding future criteria without additional renumbering of current policies. The initial assignment criteria include the following general concepts: * When Internet connectivity is use to justify resources it is implied the resources should be advertised to the Internet, within some reasonable time frame after they are received. * Previously justified IPv4 resources may be used to justify the need for IPv6 resources. * Internet multihoming is sufficient justification for an end-user assignment in and of itself. * Other Internet connected end-users must justify why an ISP or LIR assignment is not sufficient for their needs. * Non-connected networks must describe the purpose and network infrastructure the assignment will be supporting, including why ULA is not sufficient for their needs. * Organizations with multiple sites are allowed to request a /48 for each site, with a suggestion to use /56s for smaller sites. * While HD-Ratio is not completely eliminated it really only applies to situations that an individual site of an organization needs more that a /48. Timetable for implementation: Immediate From mcr at sandelman.ca Mon Apr 5 22:09:04 2010 From: mcr at sandelman.ca (Michael Richardson) Date: Mon, 05 Apr 2010 22:09:04 -0400 Subject: [arin-ppml] ULA-C In-Reply-To: <8695009A81378E48879980039EEDAD28876D43FA@MAIL1.polartel.local> References: <014501cacc77$5573fe00$005bfa00$@net> <4BB20FA7.1020100@gmail.com> <54827055-3AFB-4510-9592-4B2DD47F3086@delong.com> <4BB2BF86.8000000@ibctech.ca> <8695009A81378E48879980039EEDAD28876D43D1@MAIL1.polartel.local> <68D14357-C52A-4790-A14E-5026D37A495F@delong.com> <8695009A81378E48879980039EEDAD28876D43F0@MAIL1.polartel.local> <4BB4CCC0.7050005@umn.edu> <8695009A81378E48879980039EEDAD28876D43F3@MAIL1.polartel.local> <16249.1270170285@marajade.sandelman.ca> <8695009A81378E48879980039EEDAD28876D43FA@MAIL1.polartel.local> Message-ID: <10692.1270519744@marajade.sandelman.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 >>>>> "Kevin" == Kevin Kargel writes: >> Sure. Show me again, where the 20-person operation that have a >> cable connection, and a DSL connection (and thus two sets of >> GUA-PA), get this GUA-PI that they need to have stable addresses >> internally? Said company has two different types of connections >> because neither is reliable enough. >> >> ULA-C is not about ISPs. It's about SME. Kevin> So you are telling me that as an ISP I will need to make Kevin> special routes for each and every DSL customer that has two Kevin> xSL connections? Kevin> Why doesn't that customer just get his own GUA if this is so Kevin> important to his business? If you follow Owen's advice: yes. If ARIN can get it's head around giving out non-routable address space for intranet use, and having customers use multiple PA addresses on their desktops, then the answer is no. Either shim6 will get completed and deployed, or there will be NAT66. (As an ISP, btw, you won't be able to tell the difference. As someone who does support into the enterprise from remote, usually working with ISPs that can't spell ARIN, I sure know which I am rooting for) - -- ] He who is tired of Weird Al is tired of life! | firewalls [ ] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[ ] mcr at sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[ Kyoto Plus: watch the video then sign the petition. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Finger me for keys iQEVAwUBS7qXvYCLcPvd0N1lAQLkYQf7BUnk0R2C6ShUvq6M+FQ27dBZjqfAgfL9 k5nkOsKBYqtajXpRhF2n2rW1pIRonkN5a6hUXdIN2HDQyMSUkzgMPjwKoRrqPtZj KrPIkL7aZVGvbl+S9/iReMCndiqmigI4ujaq/hy0mT7iWu5WDgVKA/gCZ5l2P/JO pVxprx6UGkDt0xyw3B2ZNZICZ3Lcwp6JjLnzGEDJRKraidUHoI9NXxhSZDf297OH 8yGwawoYtvTJiuU8LG9S//RdyZ9wrqai7GwNxjOoTSMGv2kie5b5xe/8Wq1BK78g 04LGuTXrtPwWanPVpQGv2Xsgt9Yg7Os9gTlvouGroMsqLzOuBwvtPA== =5RgL -----END PGP SIGNATURE----- From mcr at sandelman.ca Mon Apr 5 22:09:45 2010 From: mcr at sandelman.ca (Michael Richardson) Date: Mon, 05 Apr 2010 22:09:45 -0400 Subject: [arin-ppml] ULA-C In-Reply-To: References: Message-ID: <10747.1270519785@marajade.sandelman.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 >>>>> "Alain" == Alain Durand writes: >> On Thu, Apr 1, 2010 at 9:17 AM, Durand, Alain >> wrote: >>> To answer Fred's point bellow, the issue is that nothing >>> prevents those ULAs to be routed on the Internet. It is >>> essentially a matter of how much an organization is willing to >>> pay its service provider to announce the prefix. >> That's essentially the same as saying that routing an IPv4 /32 in >> the Internet DFZ is "essentially a matter of how much an >> organization is willing to pay its service provider to announce >> the prefix." It's an intellectually dishonest statement. Alain> Do you remember the efforts from Randy Bush & others to limit Alain> the length of the prefixes advertized in the DMZ to /21s? Alain> Well, how many /24 (or longer) do you see now? Yes. And how many /26s do you see? - -- ] He who is tired of Weird Al is tired of life! | firewalls [ ] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[ ] mcr at sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[ Kyoto Plus: watch the video then sign the petition. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Finger me for keys iQEVAwUBS7qX6ICLcPvd0N1lAQIAqQf/bxnF6TvlQjX5V5cfQ2iiKA56fhIYwyHF MRcIhMEptghYFR+xHvjieBMtQmDFcKs0XbvyGhn/lE9ncgrb4gJzyK8sUPvTpitK A1YgErkilojkBmYNLKd7smAmtwT1G5UTUaJTfnWn58qsrBJy5k2JMpoPTbfLoBfS RAs7aB/PIRho0kxb9JY/n/Y6DTAiB5FuUHTlja9IySuwqjaXMfxeoQMDUaXzu0PI lrkzE8talOq7LsHzE9+EiRRKspmnr7UAUtzd1jYVHzsQwOSEgXs63sndg/KouWaC xTIK25b/rw9Q+5hacMGZ9PxRg13l3+2dG8/tC8CWbyPcxI7ERg3kTg== =QRa/ -----END PGP SIGNATURE----- From christopher.morrow at gmail.com Tue Apr 6 01:42:16 2010 From: christopher.morrow at gmail.com (Christopher Morrow) Date: Tue, 6 Apr 2010 01:42:16 -0400 Subject: [arin-ppml] ULA-C and reverse DNS In-Reply-To: <07B89580-34D1-4F02-BFD0-A7ADE6490B69@delong.com> References: <28E139F46D45AF49A31950F88C497458058E241E@E03MVZ2-UKDY.domain1.systemhost.net> <4BA76279.9060809@umn.edu> <07B89580-34D1-4F02-BFD0-A7ADE6490B69@delong.com> Message-ID: On Mon, Mar 22, 2010 at 8:51 AM, Owen DeLong wrote: > I agree. > > I think that it makes far more sense to make a liberal GUA policy that allows > people to get GUA if they need it regardless of whether they need it for for the record I'd vote +1 for essentially no ULA-* ... and just allowing folks to get GUA for their needs. -Chris From ggiesen at akn.ca Tue Apr 6 02:17:12 2010 From: ggiesen at akn.ca (Gary Giesen) Date: Tue, 6 Apr 2010 02:17:12 -0400 Subject: [arin-ppml] The role of NAT in IPv6 In-Reply-To: Message-ID: Because 65535 subnets isn't enough? GG On 10-04-06 2:14 AM, "Christopher Morrow" wrote: > On Fri, Mar 26, 2010 at 6:23 PM, Gary T. Giesen wrote: >> Just a clarification on my comments, that's PI GUA space... Few >> organizations will need more than a single /48, which would at least > > as a clarification, any end site organization with more than a single > office location is prone to want more than a single /48. > > -Chris > >> contain the number of prefixes being advertised. And with most ISP's >> (LIR's) only requiring a single prefix for their own PA space, we should >> a nice reset in table size, allowing hardware to catch up with routing >> table growth. >> >> GG >> >> On Fri, 2010-03-26 at 18:05 -0400, Gary T. Giesen wrote: >>> If that's a concern, then get GUA space out of the gate and you'll never >>> renumber again. I believe GUA should be made cheap and relatively easy >>> to get (instead of something using something like ULA and NATing it). >>> >>> While some will argue this will lead to an explosion in the v6 routing >>> table (and there is definitely merit to their argument), the aggregation >>> gains from people who don't need the capability (especially residential >>> customers) should more than offset it in the near term, buying time for >>> for the technology to progress and offer us more TCAM slots to deal with >>> it in the longer term. >>> >>> GG >>> >>> On Fri, 2010-03-26 at 17:54 -0400, Matthew Kaufman wrote: >>>> Gary T. Giesen wrote: >>>>> IMHO it's better to get people used to having no NAT at all (since >>>>> they're getting used to a new protocol anyways)... >>>> Please explain how you intend to eliminate manual renumbering for >>>> corporate internal networks every time they change ISPs. >>>> >>>> (And note that RA and even DHCP6 don't fix all the manual setup of >>>> things like "what is the address of the intranet web server".) >>>> >>>> There is a real cost to this, and the cost of a NAT device is pretty >>>> much paid off the first or second time you're forced to renumber. >>>> >>>> Matthew Kaufman >>> >>> _______________________________________________ >>> PPML >>> You are receiving this message because you are subscribed to >>> the ARIN Public Policy Mailing List (ARIN-PPML at arin.net). >>> Unsubscribe or manage your mailing list subscription at: >>> http://lists.arin.net/mailman/listinfo/arin-ppml >>> Please contact info at arin.net if you experience any issues. >> >> _______________________________________________ >> PPML >> You are receiving this message because you are subscribed to >> the ARIN Public Policy Mailing List (ARIN-PPML at arin.net). >> Unsubscribe or manage your mailing list subscription at: >> http://lists.arin.net/mailman/listinfo/arin-ppml >> Please contact info at arin.net if you experience any issues. >> From christopher.morrow at gmail.com Tue Apr 6 02:14:31 2010 From: christopher.morrow at gmail.com (Christopher Morrow) Date: Tue, 6 Apr 2010 02:14:31 -0400 Subject: [arin-ppml] The role of NAT in IPv6 In-Reply-To: <1269642185.5400.460.camel@ggiesen-workstation.netsurf.net> References: <3c3e3fca1003261246o56e7d92s3be1d576a1566ea2@mail.gmail.com> <1CD5FFB3-383F-4741-BABF-6F9AFBC1501A@delong.com> <3c3e3fca1003261318p2354576eye3ee2fa272c878@mail.gmail.com> <20100326205555.D66402B2126@mx5.roble.com> <4BAD250E.10805@gmail.com> <1269640096.5400.411.camel@ggiesen-workstation.netsurf.net> <4BAD2D10.4060107@matthew.at> <1269641156.5400.439.camel@ggiesen-workstation.netsurf.net> <1269642185.5400.460.camel@ggiesen-workstation.netsurf.net> Message-ID: On Fri, Mar 26, 2010 at 6:23 PM, Gary T. Giesen wrote: > Just a clarification on my comments, that's PI GUA space... Few > organizations will need more than a single /48, which would at least as a clarification, any end site organization with more than a single office location is prone to want more than a single /48. -Chris > contain the number of prefixes being advertised. And with most ISP's > (LIR's) only requiring a single prefix for their own PA space, we should > a nice reset in table size, allowing hardware to catch up with routing > table growth. > > GG > > On Fri, 2010-03-26 at 18:05 -0400, Gary T. Giesen wrote: >> If that's a concern, then get GUA space out of the gate and you'll never >> renumber again. I believe GUA should be made cheap and relatively easy >> to get (instead of something using something like ULA and NATing it). >> >> While some will argue this will lead to an explosion in the v6 routing >> table (and there is definitely merit to their argument), the aggregation >> gains from people who don't need the capability (especially residential >> customers) should more than offset it in the near term, buying time for >> for the technology to progress and offer us more TCAM slots to deal with >> it in the longer term. >> >> GG >> >> On Fri, 2010-03-26 at 17:54 -0400, Matthew Kaufman wrote: >> > Gary T. Giesen wrote: >> > > IMHO it's better to get people used to having no NAT at all (since >> > > they're getting used to a new protocol anyways)... >> > Please explain how you intend to eliminate manual renumbering for >> > corporate internal networks every time they change ISPs. >> > >> > (And note that RA and even DHCP6 don't fix all the manual setup of >> > things like "what is the address of the intranet web server".) >> > >> > There is a real cost to this, and the cost of a NAT device is pretty >> > much paid off the first or second time you're forced to renumber. >> > >> > Matthew Kaufman >> >> _______________________________________________ >> PPML >> You are receiving this message because you are subscribed to >> the ARIN Public Policy Mailing List (ARIN-PPML at arin.net). >> Unsubscribe or manage your mailing list subscription at: >> http://lists.arin.net/mailman/listinfo/arin-ppml >> Please contact info at arin.net if you experience any issues. > > _______________________________________________ > PPML > You are receiving this message because you are subscribed to > the ARIN Public Policy Mailing List (ARIN-PPML at arin.net). > Unsubscribe or manage your mailing list subscription at: > http://lists.arin.net/mailman/listinfo/arin-ppml > Please contact info at arin.net if you experience any issues. > From christopher.morrow at gmail.com Tue Apr 6 02:23:28 2010 From: christopher.morrow at gmail.com (Christopher Morrow) Date: Tue, 6 Apr 2010 02:23:28 -0400 Subject: [arin-ppml] The role of NAT in IPv6 In-Reply-To: <4BB0ED8C.1020607@matthew.at> References: <4BB0D390.2040502@gih.com> <8695009A81378E48879980039EEDAD28876D43A8@MAIL1.polartel.local> <4BB0ED8C.1020607@matthew.at> Message-ID: On Mon, Mar 29, 2010 at 2:12 PM, Matthew Kaufman wrote: > This is easy to do. Assign it from space for which there is an IETF standard > telling router vendors to never, ever, accept that route via external > routing protocols. > don't businesses use EGP's with their businss partners in today's network on private links on private networks? One of the complications with ULA* is address selection, another is arbitrary breakages like the above. Another is the inability to have an actually unique (not just semi-unique) address block. Using GUA everywhere just fits better, folks that want to drop it at their exit for 'security' or 'privacy' can certainly do that. -chris From christopher.morrow at gmail.com Tue Apr 6 02:27:45 2010 From: christopher.morrow at gmail.com (Christopher Morrow) Date: Tue, 6 Apr 2010 02:27:45 -0400 Subject: [arin-ppml] The role of NAT in IPv6 In-Reply-To: References: Message-ID: On Tue, Apr 6, 2010 at 2:17 AM, Gary Giesen wrote: > Because 65535 subnets isn't enough? because I have 2 locations, one in NYC one in SFO. Running a private network link between them is more expensive than 2 commodity internet links, I can't (today) expect longer than a /48 to pass through inter-AS boundaries... so I need (now) a /47. Now, look at a business like 'the Limited' who has (at last count) +1200 remote/disconnected sites... they could need a much larger block than a /48, if they wanted the benefits of easy multihoming/no-renumbering. Look at Allstate Insurance that had, at last count +10k remote sites... a /48 is a single SITE, not a single ORGANIZATION. Note that none of the above colors the discussion about NAT nor internal numbering schemes related to ULA*, I was simply pointing out that it's entirely inaccurate to believe that 'Few Organizations will need more than a single /48'. -Chris > GG > > > On 10-04-06 2:14 AM, "Christopher Morrow" > wrote: > >> On Fri, Mar 26, 2010 at 6:23 PM, Gary T. Giesen wrote: >>> Just a clarification on my comments, that's PI GUA space... Few >>> organizations will need more than a single /48, which would at least >> >> as a clarification, any end site organization with more than a single >> office location is prone to want more than a single /48. >> >> -Chris >> >>> contain the number of prefixes being advertised. And with most ISP's >>> (LIR's) only requiring a single prefix for their own PA space, we should >>> a nice reset in table size, allowing hardware to catch up with routing >>> table growth. >>> >>> GG >>> >>> On Fri, 2010-03-26 at 18:05 -0400, Gary T. Giesen wrote: >>>> If that's a concern, then get GUA space out of the gate and you'll never >>>> renumber again. I believe GUA should be made cheap and relatively easy >>>> to get (instead of something using something like ULA and NATing it). >>>> >>>> While some will argue this will lead to an explosion in the v6 routing >>>> table (and there is definitely merit to their argument), the aggregation >>>> gains from people who don't need the capability (especially residential >>>> customers) should more than offset it in the near term, buying time for >>>> for the technology to progress and offer us more TCAM slots to deal with >>>> it in the longer term. >>>> >>>> GG >>>> >>>> On Fri, 2010-03-26 at 17:54 -0400, Matthew Kaufman wrote: >>>>> Gary T. Giesen wrote: >>>>>> IMHO it's better to get people used to having no NAT at all (since >>>>>> they're getting used to a new protocol anyways)... >>>>> Please explain how you intend to eliminate manual renumbering for >>>>> corporate internal networks every time they change ISPs. >>>>> >>>>> (And note that RA and even DHCP6 don't fix all the manual setup of >>>>> things like "what is the address of the intranet web server".) >>>>> >>>>> There is a real cost to this, and the cost of a NAT device is pretty >>>>> much paid off the first or second time you're forced to renumber. >>>>> >>>>> Matthew Kaufman >>>> >>>> _______________________________________________ >>>> PPML >>>> You are receiving this message because you are subscribed to >>>> the ARIN Public Policy Mailing List (ARIN-PPML at arin.net). >>>> Unsubscribe or manage your mailing list subscription at: >>>> http://lists.arin.net/mailman/listinfo/arin-ppml >>>> Please contact info at arin.net if you experience any issues. >>> >>> _______________________________________________ >>> PPML >>> You are receiving this message because you are subscribed to >>> the ARIN Public Policy Mailing List (ARIN-PPML at arin.net). >>> Unsubscribe or manage your mailing list subscription at: >>> http://lists.arin.net/mailman/listinfo/arin-ppml >>> Please contact info at arin.net if you experience any issues. >>> > > From owen at delong.com Tue Apr 6 02:58:22 2010 From: owen at delong.com (Owen DeLong) Date: Mon, 5 Apr 2010 23:58:22 -0700 Subject: [arin-ppml] The role of NAT in IPv6 In-Reply-To: References: <3c3e3fca1003261246o56e7d92s3be1d576a1566ea2@mail.gmail.com> <1CD5FFB3-383F-4741-BABF-6F9AFBC1501A@delong.com> <3c3e3fca1003261318p2354576eye3ee2fa272c878@mail.gmail.com> <20100326205555.D66402B2126@mx5.roble.com> <4BAD250E.10805@gmail.com> <1269640096.5400.411.camel@ggiesen-workstation.netsurf.net> <4BAD2D10.4060107@matthew.at> <1269641156.5400.439.camel@ggiesen-workstation.netsurf.net> <1269642185.5400.460.camel@ggiesen-workstation.netsurf.net> Message-ID: Chris is right. You should have no problem getting a /48 per location. Owen On Apr 5, 2010, at 11:14 PM, Christopher Morrow wrote: > On Fri, Mar 26, 2010 at 6:23 PM, Gary T. Giesen wrote: >> Just a clarification on my comments, that's PI GUA space... Few >> organizations will need more than a single /48, which would at least > > as a clarification, any end site organization with more than a single > office location is prone to want more than a single /48. > > -Chris > >> contain the number of prefixes being advertised. And with most ISP's >> (LIR's) only requiring a single prefix for their own PA space, we should >> a nice reset in table size, allowing hardware to catch up with routing >> table growth. >> >> GG >> >> On Fri, 2010-03-26 at 18:05 -0400, Gary T. Giesen wrote: >>> If that's a concern, then get GUA space out of the gate and you'll never >>> renumber again. I believe GUA should be made cheap and relatively easy >>> to get (instead of something using something like ULA and NATing it). >>> >>> While some will argue this will lead to an explosion in the v6 routing >>> table (and there is definitely merit to their argument), the aggregation >>> gains from people who don't need the capability (especially residential >>> customers) should more than offset it in the near term, buying time for >>> for the technology to progress and offer us more TCAM slots to deal with >>> it in the longer term. >>> >>> GG >>> >>> On Fri, 2010-03-26 at 17:54 -0400, Matthew Kaufman wrote: >>>> Gary T. Giesen wrote: >>>>> IMHO it's better to get people used to having no NAT at all (since >>>>> they're getting used to a new protocol anyways)... >>>> Please explain how you intend to eliminate manual renumbering for >>>> corporate internal networks every time they change ISPs. >>>> >>>> (And note that RA and even DHCP6 don't fix all the manual setup of >>>> things like "what is the address of the intranet web server".) >>>> >>>> There is a real cost to this, and the cost of a NAT device is pretty >>>> much paid off the first or second time you're forced to renumber. >>>> >>>> Matthew Kaufman >>> >>> _______________________________________________ >>> PPML >>> You are receiving this message because you are subscribed to >>> the ARIN Public Policy Mailing List (ARIN-PPML at arin.net). >>> Unsubscribe or manage your mailing list subscription at: >>> http://lists.arin.net/mailman/listinfo/arin-ppml >>> Please contact info at arin.net if you experience any issues. >> >> _______________________________________________ >> PPML >> You are receiving this message because you are subscribed to >> the ARIN Public Policy Mailing List (ARIN-PPML at arin.net). >> Unsubscribe or manage your mailing list subscription at: >> http://lists.arin.net/mailman/listinfo/arin-ppml >> Please contact info at arin.net if you experience any issues. >> > _______________________________________________ > PPML > You are receiving this message because you are subscribed to > the ARIN Public Policy Mailing List (ARIN-PPML at arin.net). > Unsubscribe or manage your mailing list subscription at: > http://lists.arin.net/mailman/listinfo/arin-ppml > Please contact info at arin.net if you experience any issues. From michael.dillon at bt.com Tue Apr 6 04:49:47 2010 From: michael.dillon at bt.com (michael.dillon at bt.com) Date: Tue, 6 Apr 2010 09:49:47 +0100 Subject: [arin-ppml] The role of NAT in IPv6 In-Reply-To: Message-ID: <28E139F46D45AF49A31950F88C49745805AF0623@E03MVZ2-UKDY.domain1.systemhost.net> > because I have 2 locations, one in NYC one in SFO. Running a > private network link between them is more expensive than 2 > commodity internet links, I can't (today) expect longer than > a /48 to pass through inter-AS boundaries... so I need (now) > a /47. Why would you want to run a national network when you have only two locations? > Look at Allstate Insurance that had, at last count +10k > remote sites... a /48 is a single SITE, not a single ORGANIZATION. Why would an insurance company want to run a national network? > Note that none of the above colors the discussion about NAT > nor internal numbering schemes related to ULA*, I was simply > pointing out that it's entirely inaccurate to believe that > 'Few Organizations will need more than a single /48'. Those of us who believe that few organizations will need more than a single /48 expect that most organizations will stick to their knitting and buy network services from an ISP. In other words the ones that need more than a single /48 will not be interested in talking to ARIN. --Michael Dillon From farmer at umn.edu Tue Apr 6 07:48:48 2010 From: farmer at umn.edu (David Farmer) Date: Tue, 06 Apr 2010 06:48:48 -0500 Subject: [arin-ppml] /48 per Site In-Reply-To: References: Message-ID: <4BBB1FA0.8000605@umn.edu> Christopher Morrow wrote: > On Tue, Apr 6, 2010 at 2:17 AM, Gary Giesen wrote: >> Because 65535 subnets isn't enough? > > because I have 2 locations, one in NYC one in SFO. Running a private > network link between them is more expensive than 2 commodity internet > links, I can't (today) expect longer than a /48 to pass through > inter-AS boundaries... so I need (now) a /47. Now, look at a business > like 'the Limited' who has (at last count) +1200 remote/disconnected > sites... they could need a much larger block than a /48, if they > wanted the benefits of easy multihoming/no-renumbering. > > Look at Allstate Insurance that had, at last count +10k remote > sites... a /48 is a single SITE, not a single ORGANIZATION. > > Note that none of the above colors the discussion about NAT nor > internal numbering schemes related to ULA*, I was simply pointing out > that it's entirely inaccurate to believe that 'Few Organizations will > need more than a single /48'. Could I please direct you to Draft Policy 2010-8 up for discussion in Toronto in less than two weeks, and specifically the following section; 6.5.8.1. Initial assignment size Organizations that meet at least one of the following criteria are eligible to receive a minimum assignment of /48. Requests for larger initial assignments, reasonably justified with supporting documentation, will be evaluated based on the number of sites and the number of subnets needed to support a site. Organizations may request up to a /48 for each site in their network, with the overall allocation rounded up to the next whole prefix only as necessary. A subnet plan demonstrating a utilization of 33,689 or more subnets within a site is necessary to justify an additional /48 for any individual site, beyond this the 0.94 HD-Ratio metric of the number of subnets is used. All assignments shall be made from distinctly identified prefixes, with each assignment receiving a reservation for growth of at least a /44. Such reservations are not guaranteed and ARIN, at its discretion, may assign them to other organizations at any time. Note: Organizations with multiple sites are encouraged to consider the use of /56s for smaller satellite sites. Would this policy text provide what you are looking for? Do you support this text? Do you support DP 2010-8 in general? Thanks -- =============================================== David Farmer Email:farmer at umn.edu Networking & Telecommunication Services Office of Information Technology University of Minnesota 2218 University Ave SE Phone: 612-626-0815 Minneapolis, MN 55414-3029 Cell: 612-812-9952 =============================================== From trejrco at gmail.com Tue Apr 6 09:21:09 2010 From: trejrco at gmail.com (TJ) Date: Tue, 6 Apr 2010 09:21:09 -0400 Subject: [arin-ppml] /48 per Site In-Reply-To: <4BBB1FA0.8000605@umn.edu> References: <4BBB1FA0.8000605@umn.edu> Message-ID: > > (Christopher Morrow): because I have 2 locations, one in NYC one in SFO. >> Running a private >> network link between them is more expensive than 2 commodity internet >> links, I can't (today) expect longer than a /48 to pass through >> inter-AS boundaries... so I need (now) a /47. Now, look at a business >> like 'the Limited' who has (at last count) +1200 remote/disconnected >> sites... they could need a much larger block than a /48, if they >> wanted the benefits of easy multihoming/no-renumbering. >> > These remote sites probably don't host publicly reachable services, so a simple "use PA addresses (/48 or even /56) and tunnel to corporate" approach would work just fine, yes? They could even be multi-homed, but use something like GRE to have multiple concurrent tunnels over different providers' addresses to get back to the hub. > >> Look at Allstate Insurance that had, at last count +10k remote >> sites... a /48 is a single SITE, not a single ORGANIZATION. >> > And how many of those remote sites have, say, ~33k network segments? (I only ask because ... well, see below) > Note that none of the above colors the discussion about NAT nor >> internal numbering schemes related to ULA*, I was simply pointing out >> that it's entirely inaccurate to believe that 'Few Organizations will >> need more than a single /48'. >> > "Few" is subjective. Comparable to every company out there, yes - I think "few" is an accurate term. In absolute numbers, perhaps resembles a different descriptor? > (David Farmer): Could I please direct you to Draft Policy 2010-8 up for > discussion in Toronto in less than two weeks, and specifically the following > section; > > 6.5.8.1. Initial assignment size > > Organizations that meet at least one of the following criteria are > eligible to receive a minimum assignment of /48. Requests for larger > initial assignments, reasonably justified with supporting documentation, > will be evaluated based on the number of sites and the number of subnets > needed to support a site. > > Organizations may request up to a /48 for each site in their network, > with the overall allocation rounded up to the next whole prefix only as > necessary. A subnet plan demonstrating a utilization of 33,689 or more > subnets within a site is necessary to justify an additional /48 for any > individual site, beyond this the 0.94 HD-Ratio metric of the number of > subnets is used. > So an org with multiple "fairly large" sites (or that can draft an address plan making it appear so ... ) can get multiple, discrete, noncontiguous blocks. Don't most networks of that size have their own mechanism(s) for back-hauling traffic between sites? I guess I am trying to say that I don't see this solving a common problem ... happy to be wrong though! All assignments shall be made from distinctly identified prefixes, with > each assignment receiving a reservation for growth of at least a /44. > Such reservations are not guaranteed and ARIN, at its discretion, may > assign them to other organizations at any time. > > Note: Organizations with multiple sites are encouraged to consider the > use of /56s for smaller satellite sites. > /TJ -------------- next part -------------- An HTML attachment was scrubbed... URL: From cengel at sponsordirect.com Tue Apr 6 10:54:55 2010 From: cengel at sponsordirect.com (Chris Engel) Date: Tue, 6 Apr 2010 10:54:55 -0400 Subject: [arin-ppml] /48 per Site In-Reply-To: Message-ID: Not everyone's needs nor approach will be the same, which is kinda the whole point behind this discussion of allowing people different addressing options (PA, PI , ULA-R, ULA-C) to find the one that THEY feel works best for them. However my general approach for multiple branch offices would definately be some variation of below. Get a small PA assigment from whatever ISP makes the most sense for each branch office, setup tunnels back to corporate from thier branch office/soho firewalls and use private address space (ULA) for everything inside the firewalls. If it made sense for a branch office to advertise something public (probably wouldn't be very much) setup a DMZ off thier firewall with the couple of public addresses they need from thier local ISP and NAT them on the FW to whatever devices are running those. For my book, this gives the most bang for the buck in terms of flexibility, security and compliance. If your using ULA-C space in this scenerio, you don't even need to worry so much about merger issues from an addressing scheme. > These remote sites probably don't host publicly reachable > services, so a simple "use PA addresses (/48 or even /56) and > tunnel to corporate" approach would work just fine, yes? > They could even be multi-homed, but use something like GRE to > have multiple concurrent tunnels over different providers' > addresses to get back to the hub. Christopher Engel Network Infrastructure Manager SponsorDirect cengel at sponsordirect.com www.SponsorDirect.com p(914) 729-7218 f (914) 729-7201 From kkargel at polartel.com Tue Apr 6 11:13:38 2010 From: kkargel at polartel.com (Kevin Kargel) Date: Tue, 6 Apr 2010 10:13:38 -0500 Subject: [arin-ppml] ULA-C and reverse DNS In-Reply-To: References: <28E139F46D45AF49A31950F88C497458058E241E@E03MVZ2-UKDY.domain1.systemhost.net> <4BA76279.9060809@umn.edu> <07B89580-34D1-4F02-BFD0-A7ADE6490B69@delong.com> Message-ID: <8695009A81378E48879980039EEDAD28876D4435@MAIL1.polartel.local> > > for the record I'd vote +1 for essentially no ULA-* ... and just > allowing folks to get GUA for their needs. > > -Chris I have to agree. As long as it has a "U" in it then it depletes the pool the same. We have a big enough pool, let's just make GUA easy and cheap and not worry about ULA. If they have sufficient GUA then rolling your own ULA is trivial. From bill at herrin.us Tue Apr 6 11:23:40 2010 From: bill at herrin.us (William Herrin) Date: Tue, 6 Apr 2010 11:23:40 -0400 Subject: [arin-ppml] ULA-C and reverse DNS In-Reply-To: <8695009A81378E48879980039EEDAD28876D4435@MAIL1.polartel.local> References: <28E139F46D45AF49A31950F88C497458058E241E@E03MVZ2-UKDY.domain1.systemhost.net> <4BA76279.9060809@umn.edu> <07B89580-34D1-4F02-BFD0-A7ADE6490B69@delong.com> <8695009A81378E48879980039EEDAD28876D4435@MAIL1.polartel.local> Message-ID: On Tue, Apr 6, 2010 at 11:13 AM, Kevin Kargel wrote: >> for the record I'd vote +1 for essentially no ULA-* ... and just >> allowing folks to get GUA for their needs. > > I have to agree. ?As long as it has a "U" in it then it depletes >the pool the same. ?We have a big enough pool, let's just >make GUA easy and cheap and not worry about ULA. ?If >they have sufficient GUA then rolling your own ULA is trivial. Respectfully suggest you figure out how to make registered ULA work in the $20-$50 range and _then_ think about how to make GUA more like it. GUA costs $1250, based more or less on the costs of running a registry according to the policies we've created for GUA. ULA isn't workable at $1250 a pop and while you guys talk fantasies of shaving two orders of magnitude off GUA's registry cost the ULA need continues to go unserved. Regards, Bill Herrin -- William D. Herrin ................ herrin at dirtside.com bill at herrin.us 3005 Crane Dr. ...................... Web: Falls Church, VA 22042-3004 From mcr at sandelman.ca Tue Apr 6 11:52:16 2010 From: mcr at sandelman.ca (Michael Richardson) Date: Tue, 06 Apr 2010 11:52:16 -0400 Subject: [arin-ppml] ULA-C and reverse DNS In-Reply-To: References: <28E139F46D45AF49A31950F88C497458058E241E@E03MVZ2-UKDY.domain1.systemhost.net> <4BA76279.9060809@umn.edu> <07B89580-34D1-4F02-BFD0-A7ADE6490B69@delong.com> <8695009A81378E48879980039EEDAD28876D4435@MAIL1.polartel.local> Message-ID: <17207.1270569136@marajade.sandelman.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 >>>>> "William" == William Herrin writes: William> On Tue, Apr 6, 2010 at 11:13 AM, Kevin Kargel William> wrote: >>> for the record I'd vote +1 for essentially no ULA-* ... and just >>> allowing folks to get GUA for their needs. >> I have to agree. ?As long as it has a "U" in it then it depletes >> the pool the same. ?We have a big enough pool, let's just make >> GUA easy and cheap and not worry about ULA. ?If they have >> sufficient GUA then rolling your own ULA is trivial. William> Respectfully suggest you figure out how to make registered William> ULA work in the $20-$50 range and _then_ think about how to William> make GUA more like it. GUA costs $1250, based more or less William> on the costs of running a registry according to the William> policies we've created for GUA. ULA isn't workable at $1250 William> a pop and while you guys talk fantasies of shaving two William> orders of magnitude off GUA's registry cost the ULA need William> continues to go unserved. +1 RFC1918 is used in all sorts of places where it shouldn't, not because getting address space is so hard, but because it requires someone else to sign off. - -- ] He who is tired of Weird Al is tired of life! | firewalls [ ] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[ ] mcr at sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[ Kyoto Plus: watch the video then sign the petition. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Finger me for keys iQEVAwUBS7tYr4CLcPvd0N1lAQLUkAf+JhSiU4G3UZaaUZ9FrS11K00uNKIcAm2R hPfuw9yVmNZpvSD97qwYvyLVjVxH/R0clEZ0SAiCrL6qnVIUBc0Xu/c0zrCh7iN4 ZBMd2tA6Ec3eUkqxf2wHS3KO5n7rFusotO4oHD1bbIeIwqlMHnvHxImbv3Qa1Tlt xcqMPOvGYqMdJH/xvj99uKhUQWx4evZas6FaM47omso5CcPAtslkTvnh0yDjJJF5 Uh20KaKfYZT5rxgUjTdbmVXWg1SL6CtCpyUUkpyZTSCNFO4yAHK+GHKK8jvEcjmU BVH120Q+x0fd0VHfxHwa34XJ91WGfOtaewJXNjnDVEQNOS5UqPIERQ== =Smup -----END PGP SIGNATURE----- From kkargel at polartel.com Tue Apr 6 12:24:25 2010 From: kkargel at polartel.com (Kevin Kargel) Date: Tue, 6 Apr 2010 11:24:25 -0500 Subject: [arin-ppml] ULA-C and reverse DNS In-Reply-To: References: <28E139F46D45AF49A31950F88C497458058E241E@E03MVZ2-UKDY.domain1.systemhost.net> <4BA76279.9060809@umn.edu> <07B89580-34D1-4F02-BFD0-A7ADE6490B69@delong.com> <8695009A81378E48879980039EEDAD28876D4435@MAIL1.polartel.local> Message-ID: <8695009A81378E48879980039EEDAD28876D443A@MAIL1.polartel.local> > Respectfully suggest you figure out how to make registered ULA work in > the $20-$50 range and _then_ think about how to make GUA more like it. > GUA costs $1250, based more or less on the costs of running a registry > according to the policies we've created for GUA. ULA isn't workable at > $1250 a pop and while you guys talk fantasies of shaving two orders of > magnitude off GUA's registry cost the ULA need continues to go > unserved. > > Regards, > Bill Herrin > Hmmm.. what makes ULA cheaper to administer than GUA from an RIR perspective? One or the other is an artificial economy. From ggiesen at akn.ca Tue Apr 6 12:26:39 2010 From: ggiesen at akn.ca (Gary T. Giesen) Date: Tue, 6 Apr 2010 12:26:39 -0400 Subject: [arin-ppml] ULA-C and reverse DNS In-Reply-To: <8695009A81378E48879980039EEDAD28876D443A@MAIL1.polartel.local> References: <28E139F46D45AF49A31950F88C497458058E241E@E03MVZ2-UKDY.domain1.systemhost.net> <4BA76279.9060809@umn.edu> <07B89580-34D1-4F02-BFD0-A7ADE6490B69@delong.com> <8695009A81378E48879980039EEDAD28876D4435@MAIL1.polartel.local> <8695009A81378E48879980039EEDAD28876D443A@MAIL1.polartel.local> Message-ID: <1270571199.18403.11.camel@ggiesen-workstation.netsurf.net> Absolutely nothing (maybe a little less paperwork). That's why ULA-C is pointless and GUA should be assigned. GG On Tue, 2010-04-06 at 12:24 -0400, Kevin Kargel wrote: > > > > Respectfully suggest you figure out how to make registered ULA work in > > the $20-$50 range and _then_ think about how to make GUA more like it. > > GUA costs $1250, based more or less on the costs of running a registry > > according to the policies we've created for GUA. ULA isn't workable at > > $1250 a pop and while you guys talk fantasies of shaving two orders of > > magnitude off GUA's registry cost the ULA need continues to go > > unserved. > > > > Regards, > > Bill Herrin > > > Hmmm.. what makes ULA cheaper to administer than GUA from an RIR perspective? One or the other is an artificial economy. > _______________________________________________ > PPML > You are receiving this message because you are subscribed to > the ARIN Public Policy Mailing List (ARIN-PPML at arin.net). > Unsubscribe or manage your mailing list subscription at: > http://lists.arin.net/mailman/listinfo/arin-ppml > Please contact info at arin.net if you experience any issues. From mcr at sandelman.ca Tue Apr 6 12:40:13 2010 From: mcr at sandelman.ca (Michael Richardson) Date: Tue, 06 Apr 2010 12:40:13 -0400 Subject: [arin-ppml] ULA-C and reverse DNS In-Reply-To: <8695009A81378E48879980039EEDAD28876D443A@MAIL1.polartel.local> References: <28E139F46D45AF49A31950F88C497458058E241E@E03MVZ2-UKDY.domain1.systemhost.net> <4BA76279.9060809@umn.edu> <07B89580-34D1-4F02-BFD0-A7ADE6490B69@delong.com> <8695009A81378E48879980039EEDAD28876D4435@MAIL1.polartel.local> <8695009A81378E48879980039EEDAD28876D443A@MAIL1.polartel.local> Message-ID: <20342.1270572013@marajade.sandelman.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 >>>>> "Kevin" == Kevin Kargel writes: >> Respectfully suggest you figure out how to make registered ULA >> work in the $20-$50 range and _then_ think about how to make GUA >> more like it. GUA costs $1250, based more or less on the costs >> of running a registry according to the policies we've created for >> GUA. ULA isn't workable at $1250 a pop and while you guys talk >> fantasies of shaving two orders of magnitude off GUA's registry >> cost the ULA need continues to go unserved. Kevin> Hmmm.. what makes ULA cheaper to administer than GUA from an Kevin> RIR perspective? One or the other is an artificial economy. There is a needs test associated with GUA, and some human involvement in determining if you've asked for the correct size, and the preservation of the /44 (or whatever the bigger amount is), etc. - -- ] He who is tired of Weird Al is tired of life! | firewalls [ ] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[ ] mcr at sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[ Kyoto Plus: watch the video then sign the petition. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Finger me for keys iQEVAwUBS7tj7ICLcPvd0N1lAQLDuAf/SKpl1geNwRm6/bpoCBLEcA/3Xom8X0wp aZwUR/kxEp/XHKIO3PKG4AK1RX2mISy162hIGOeuEl4PBCdsizYosl7KrZmNAR3a kTDaggIl9jsLCMZOUWxGM1tGyyKctTasb1X3GcNN4pHSMaCNOrq3pPpHf8A+4Y10 R49fqnnLUxWNC8m6HJWFLXdLzw7vQiGg2OZS14keRTu29AvNDJfviPxDwGhf+lOU WgVpzhQzuZBbur0G1R1Tvl2OcgZmcnyYZfVlO8YTFZlH/TNmbSpOu6MFe4v7l07+ 4fu9ePoxwFALk1J9orv5zv+jUhgkLpxP5UwHCRpy4SY0D1js3UK/Kw== =cmcA -----END PGP SIGNATURE----- From kkargel at polartel.com Tue Apr 6 12:42:13 2010 From: kkargel at polartel.com (Kevin Kargel) Date: Tue, 6 Apr 2010 11:42:13 -0500 Subject: [arin-ppml] FW: ULA-C and reverse DNS Message-ID: <8695009A81378E48879980039EEDAD28876D443D@MAIL1.polartel.local> > ARIN PPML can not, I'm told, set prices, only policies. > So, we can't make GUA cheap directly. > > Further, since the AC acknowledges that they are using the allocation > policies as a proxy for limiting DFZ table size, anything that makes GUA > cheaper will cause the DFZ to grow. > > Thus the reason to have ULA is a seperate space that mostly can not be > used for global routing. > > - -- > ] He who is tired of Weird Al is tired of life! | > firewalls [ > ] Michael Richardson, Sandelman Software Works, Ottawa, ON |net > architect[ If any part - even one address - of ULA can be routed then it is not ULA, it is GUA. If it is GUA then current policy and pricing apply. Simple. From owen at delong.com Tue Apr 6 12:56:25 2010 From: owen at delong.com (Owen DeLong) Date: Tue, 6 Apr 2010 09:56:25 -0700 Subject: [arin-ppml] ULA-C and reverse DNS In-Reply-To: <20342.1270572013@marajade.sandelman.ca> References: <28E139F46D45AF49A31950F88C497458058E241E@E03MVZ2-UKDY.domain1.systemhost.net> <4BA76279.9060809@umn.edu> <07B89580-34D1-4F02-BFD0-A7ADE6490B69@delong.com> <8695009A81378E48879980039EEDAD28876D4435@MAIL1.polartel.local> <8695009A81378E48879980039EEDAD28876D443A@MAIL1.polartel.local> <20342.1270572013@marajade.sandelman.ca> Message-ID: <8F86B89C-78E8-4E18-8806-33753C107123@delong.com> > > Kevin> Hmmm.. what makes ULA cheaper to administer than GUA from an > Kevin> RIR perspective? One or the other is an artificial economy. > > There is a needs test associated with GUA, and some human involvement in > determining if you've asked for the correct size, and the preservation > of the /44 (or whatever the bigger amount is), etc. There are may more /48s in a /3 than there are in a /8. GUA can be expanded beyond the current /3. ULA is limited to a /8. I think that there should be a needs test and human involvement in the sizing policies in both cases. Owen -------------- next part -------------- An HTML attachment was scrubbed... URL: From jerry1upton at aol.com Tue Apr 6 13:43:00 2010 From: jerry1upton at aol.com (jerry1upton at aol.com) Date: Tue, 06 Apr 2010 13:43:00 -0400 Subject: [arin-ppml] MAAWG Comments on ARIN Draft Proposal 2010-3 Message-ID: <8CCA3C7BC2AEC69-FD8-E831@webmail-m099.sysops.aol.com> The attached are comments from the Messaging Anti-Abuse Working Group regarding ARIN's Draft Policy 2010-3. The MAAWG Board of Directors have approved these comments. Regards, Jerry Upton Executive Director -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: MAAWG Comments ARIN Draft Policy 2010-3.pdf Type: application/pdf Size: 121861 bytes Desc: not available URL: From michael.dillon at bt.com Tue Apr 6 13:52:28 2010 From: michael.dillon at bt.com (michael.dillon at bt.com) Date: Tue, 6 Apr 2010 18:52:28 +0100 Subject: [arin-ppml] ULA-C and reverse DNS In-Reply-To: <8695009A81378E48879980039EEDAD28876D443A@MAIL1.polartel.local> Message-ID: <28E139F46D45AF49A31950F88C49745805AF0C4D@E03MVZ2-UKDY.domain1.systemhost.net> > Hmmm.. what makes ULA cheaper to administer than GUA from an > RIR perspective? One or the other is an artificial economy. No analysis necessary. No rules to apply. No justifications needed. It can be done with a web page that the customer must fill in completely, with help instructions embedded on the page. When they click the final button with their credit card details, ARIN's system collects the money and queues up a request. All that a human has to do is a simple check for complete info as requested, and that the payment has cleared. Then they push another button that causes ARIN's server to do a "create" transaction with the IANA ULA-C registry server. The address block is allocated and added into IANA's registry. The ARIN server does a quick lookup check to be sure that it is properly recorded in the registry and then fires off an email to the registrant. Occasionally something will fail and need a few minutes of human attention to sort out. That is why ULA-C registration should be cheaper. I would expect that the IETF instructs ICANN/IANA/NRO to collect a fee of no more than USD 4.00 for each "create" transaction and no more than USD 1.00 for each modify transaction. Then I would expect that the RIRs would set their fees to the registrant to be compatible with their local fee structure, and a lot cheaper than global unicast addresses from 2000::/3 If you want to argue the IETF imposed fee structure then do it on the 6MAN WG mailing list. As for ARIN fees, if you are a member, ARIN operates a member mailing list where you could discuss this. Since it is not open to influence by the policy development process we shouldn't get into big discussions of it here. --Michael Dillon From michael.dillon at bt.com Tue Apr 6 13:57:08 2010 From: michael.dillon at bt.com (michael.dillon at bt.com) Date: Tue, 6 Apr 2010 18:57:08 +0100 Subject: [arin-ppml] FW: ULA-C and reverse DNS In-Reply-To: <8695009A81378E48879980039EEDAD28876D443D@MAIL1.polartel.local> Message-ID: <28E139F46D45AF49A31950F88C49745805AF0C4F@E03MVZ2-UKDY.domain1.systemhost.net> > If any part - even one address - of ULA can be routed then it > is not ULA, it is GUA. If it is GUA then current policy and > pricing apply. Simple. GUA (Global Unicast Address) is defined by the IETF as an address from the 2000::/3 block. ULA is defined by the IETF as an address from the FC00::/7 block. Clearly ULA is not GUA. Also quite clearly, ULA addresses can be routed. There is not restriction on how ULA addresses are to be used, unlike, for instance, multicast addresses. On a policy level, routability is determined by network operators not by ARIN. And as far as fees are concerned, this mailing list cannot influence ARIN's fee structure, nor can it influence how the IETF sets up the fee structure, nor can it influence the fees that ICANN might set in the future for one reason or another. --Michael Dillon From kkargel at polartel.com Tue Apr 6 14:34:07 2010 From: kkargel at polartel.com (Kevin Kargel) Date: Tue, 6 Apr 2010 13:34:07 -0500 Subject: [arin-ppml] FW: ULA-C and reverse DNS In-Reply-To: <28E139F46D45AF49A31950F88C49745805AF0C4F@E03MVZ2-UKDY.domain1.systemhost.net> References: <8695009A81378E48879980039EEDAD28876D443D@MAIL1.polartel.local> <28E139F46D45AF49A31950F88C49745805AF0C4F@E03MVZ2-UKDY.domain1.systemhost.net> Message-ID: <8695009A81378E48879980039EEDAD28876D4442@MAIL1.polartel.local> > > > If any part - even one address - of ULA can be routed then it > > is not ULA, it is GUA. If it is GUA then current policy and > > pricing apply. Simple. > > GUA (Global Unicast Address) is defined by the IETF as an > address from the 2000::/3 block. ULA is defined by the IETF > as an address from the FC00::/7 block. Clearly ULA is not GUA. > > Also quite clearly, ULA addresses can be routed. There is not > restriction on how ULA addresses are to be used, unlike, for > instance, multicast addresses. > > On a policy level, routability is determined by network operators > not by ARIN. > > And as far as fees are concerned, this mailing list cannot influence > ARIN's fee structure, nor can it influence how the IETF sets up > the fee structure, nor can it influence the fees that ICANN might > set in the future for one reason or another. > > --Michael Dillon > _______________________________________________ Thank you for explaining plainly and in detail exactly how ULA is designed as an end run around GUA policies. From wes at ren-isac.net Tue Apr 6 14:34:43 2010 From: wes at ren-isac.net (Wes Young) Date: Tue, 6 Apr 2010 14:34:43 -0400 Subject: [arin-ppml] Comments on Draft Policy 2010-3: Customer Confidentiality Message-ID: <474FEA3C-42FE-401D-A6CB-130973053094@ren-isac.net> On behalf of the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC), we submit these comments on ARIN Draft Policy 2010-3: Customer Confidentiality, herein referred to as "the Policy". The mission of the REN-ISAC is to aid and promote cyber security operational protection and response within the higher education and research (R&E) communities. The mission is conducted within the context of a private community of trusted representatives at member institutions, and in service to the R&E community at-large. REN-ISAC serves as the R&E trusted partner for served networks, the formal U.S. ISAC community, and in other commercial, governmental, and private security information sharing relationships. Among the activities conducted, REN-ISAC sends notifications to EDU abuse contacts regarding compromised or otherwise maliciously behaving machines. Hundreds of notifications are sent daily. Numerous commercial, non-commercial, and governmental organizations rely on REN- ISAC's performance in this role, in addition to the EDUs receiving the notifications. Although the REN-ISAC develops and maintains its own contact database, unfettered access to contact information in the ARIN registry permits us to: + Identify new or existing institutions that have obtained or returned allocated IP space within our scope of concern. + Identify a technical contact at an institution. Should the Policy be implemented and adopted, it would hamper our ability to execute the mission. Implications would include: + Significantly increase lead-times and human interrupts required to perform notifications regarding compromised and misbehaving machines. + Increase the difficulty of identifying a technical contact at the organization that is in the best position to deal with a cyber security incident. + Add a layer of process that would either prevent or inhibit timely event notification. + Add to the costs of performing notifications. While we appreciate the need for a balance of privacy on the Internet, we don't believe that the Internet or its users would be well-served by confidential registrations at above a /x. The policy would prove to be a detriment to global cyber security. Ultimately it would equate to a reduced ability to deal with active criminal threat. on behalf of the REN-ISAC, -- Wes Young Principal Security Engineer -------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 195 bytes Desc: This is a digitally signed message part URL: From aaron at wholesaleinternet.net Tue Apr 6 15:01:36 2010 From: aaron at wholesaleinternet.net (Aaron Wendel) Date: Tue, 6 Apr 2010 14:01:36 -0500 Subject: [arin-ppml] Comments on Draft Policy 2010-3: Customer Confidentiality In-Reply-To: <474FEA3C-42FE-401D-A6CB-130973053094@ren-isac.net> References: <474FEA3C-42FE-401D-A6CB-130973053094@ren-isac.net> Message-ID: <018901cad5bb$95108950$bf319bf0$@net> Hi Wes, Thank you for contributing to the discussion on Draft Policy 2010-3. I've been contacted recently by several people who have expressed concerns such as yours over this policy. In all cases these people, such as yourself, seem to be unaware of the ARIN whois structure or how this policy changes it. There are broad assumptions being made that this would do away with the whois information or somehow "obscure" it and make life tough for people like yourself. Most respondents I've talked to have said that they need to know who ARIN has allocated IP space to. This proposal does nothing to change the information that ARIN provides in a public format on who IPs are allocated to. It does not obscure any data currently available on who has IPs from ARIN. Since I will be presenting the proposal at the upcoming ARIN meeting I'd like to get a better idea of what is perpetuating these misunderstandings so I can present in a way that is understandable to all. As it stands, the policy is 2 sentences and does nothing to obscure any information that ARIN currently reports on the allocations it makes. If you could help me understand what makes you think otherwise it would be a great help to me. There is still time for me to change the wording of the policy before the meeting in a week. Any help is appreciated. Thanks for your time. Aaron -----Original Message----- From: arin-ppml-bounces at arin.net [mailto:arin-ppml-bounces at arin.net] On Behalf Of Wes Young Sent: Tuesday, April 06, 2010 1:35 PM To: arin-ppml at arin.net Subject: [arin-ppml] Comments on Draft Policy 2010-3: Customer Confidentiality On behalf of the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC), we submit these comments on ARIN Draft Policy 2010-3: Customer Confidentiality, herein referred to as "the Policy". The mission of the REN-ISAC is to aid and promote cyber security operational protection and response within the higher education and research (R&E) communities. The mission is conducted within the context of a private community of trusted representatives at member institutions, and in service to the R&E community at-large. REN-ISAC serves as the R&E trusted partner for served networks, the formal U.S. ISAC community, and in other commercial, governmental, and private security information sharing relationships. Among the activities conducted, REN-ISAC sends notifications to EDU abuse contacts regarding compromised or otherwise maliciously behaving machines. Hundreds of notifications are sent daily. Numerous commercial, non-commercial, and governmental organizations rely on REN- ISAC's performance in this role, in addition to the EDUs receiving the notifications. Although the REN-ISAC develops and maintains its own contact database, unfettered access to contact information in the ARIN registry permits us to: + Identify new or existing institutions that have obtained or returned allocated IP space within our scope of concern. + Identify a technical contact at an institution. Should the Policy be implemented and adopted, it would hamper our ability to execute the mission. Implications would include: + Significantly increase lead-times and human interrupts required to perform notifications regarding compromised and misbehaving machines. + Increase the difficulty of identifying a technical contact at the organization that is in the best position to deal with a cyber security incident. + Add a layer of process that would either prevent or inhibit timely event notification. + Add to the costs of performing notifications. While we appreciate the need for a balance of privacy on the Internet, we don't believe that the Internet or its users would be well-served by confidential registrations at above a /x. The policy would prove to be a detriment to global cyber security. Ultimately it would equate to a reduced ability to deal with active criminal threat. on behalf of the REN-ISAC, -- Wes Young Principal Security Engineer No virus found in this incoming message. Checked by AVG - www.avg.com Version: 9.0.800 / Virus Database: 271.1.1/2792 - Release Date: 04/06/10 01:32:00 From wes at ren-isac.net Tue Apr 6 15:51:41 2010 From: wes at ren-isac.net (Wes Young) Date: Tue, 6 Apr 2010 15:51:41 -0400 Subject: [arin-ppml] Comments on Draft Policy 2010-3: Customer Confidentiality In-Reply-To: <018901cad5bb$95108950$bf319bf0$@net> References: <474FEA3C-42FE-401D-A6CB-130973053094@ren-isac.net> <018901cad5bb$95108950$bf319bf0$@net> Message-ID: <6D251AF0-1FE5-4184-9032-014EBCB9E6CB@ren-isac.net> On Apr 6, 2010, at 3:01 PM, Aaron Wendel wrote: > Hi Wes, > > Thank you for contributing to the discussion on Draft Policy 2010-3. > > I've been contacted recently by several people who have expressed > concerns > such as yours over this policy. In all cases these people, such as > yourself, seem to be unaware of the ARIN whois structure or how this > policy > changes it. There are broad assumptions being made that this would > do away > with the whois information or somehow "obscure" it and make life > tough for > people like yourself. Most respondents I've talked to have said > that they > need to know who ARIN has allocated IP space to. This proposal does > nothing > to change the information that ARIN provides in a public format on > who IPs > are allocated to. It does not obscure any data currently available > on who > has IPs from ARIN. "ISPs may choose to enter the customer's name along with the ISP's address and phone number in reassignments and reallocations in lieu of the customer's address and phone number. The customer's actual information must be provided to ARIN on request and will be held in the strictest confidence." Those "two lines" (at-least to me), represent sort of the "domains by proxy feature". When dealing with security incidents, if the contact information is virtually proxy'd, then thats more time/money spent trying to get a- hold of someone close enough to the problem to do away with it. A single domain can't wipe out half of the internet, a single address (or set of addresses, or /29--) could. When we can't keep track of those closest to the situation (who care about the situation), the threat potential increases. I understand what you say about the change in allocations, maybe that shouldn't have been listed as a primary reason (more so than the obfuscation of "last mile" contact information). However, the very thing you're trying to protect against (eg: customer lists), is one of the very things security ops handlers are trying to build up and keep current. The public information in an unstructured and federated environment helps us do that. It is only two sentences, and that's dangerous when you're setting a standard for the backbone of the federated environment that is the internet. We are enumerating those customer lists on a daily basis to help make the internet a safer place. By design, this policy appears to be aimed at taking that functionality away. What appears to do (if executed by the isp), is force us to call upstream' ISP's first, and assuming we get a response, try to enumerate to them that we aren't looking to cherry-pick their customers, but have legit security concerns we need to discuss with them (assuming they're even willing to share that information with us anymore, in an effort to protect their customer lists). Not to mention if "address" is interpreted as "e-mail address" too, meaning "now we must go through abuse at upstream to get at abuse at downstream" ? In many cases we need those addresses and phone numbers to reach out to the down-streams. If the upstream IPS's do make it easy to get in touch with the downstream, then it's easy to enumerate those contact lists anyway, so then what's the point? I don't want to rat-hole this (since it is policy after all). Just voicing an opinion that there are some ramifications for implementing a two-sentence policy that shifts accountability of a resource virtually "upstream". Although there are somewhat legitimate business drivers behind it, the costs of re-routing notifications will ultimately be placed on the security handlers and whoever's phone/"address" is listed on that allocations page. The question is, are those costs worth it or not. My opinion is that they aren't ("to us", generally speaking as an incident handler). > Since I will be presenting the proposal at the upcoming ARIN meeting > I'd > like to get a better idea of what is perpetuating these > misunderstandings so > I can present in a way that is understandable to all. As it stands, > the > policy is 2 sentences and does nothing to obscure any information > that ARIN > currently reports on the allocations it makes. If you could help me > understand what makes you think otherwise it would be a great help > to me. > There is still time for me to change the wording of the policy > before the > meeting in a week. on behalf of my own opinions, =) -- Wes http://claimid.com/wesyoung -------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 195 bytes Desc: This is a digitally signed message part URL: From bill at herrin.us Tue Apr 6 16:02:49 2010 From: bill at herrin.us (William Herrin) Date: Tue, 6 Apr 2010 16:02:49 -0400 Subject: [arin-ppml] ULA-C and reverse DNS In-Reply-To: <8695009A81378E48879980039EEDAD28876D443A@MAIL1.polartel.local> References: <28E139F46D45AF49A31950F88C497458058E241E@E03MVZ2-UKDY.domain1.systemhost.net> <4BA76279.9060809@umn.edu> <07B89580-34D1-4F02-BFD0-A7ADE6490B69@delong.com> <8695009A81378E48879980039EEDAD28876D4435@MAIL1.polartel.local> <8695009A81378E48879980039EEDAD28876D443A@MAIL1.polartel.local> Message-ID: On Tue, Apr 6, 2010 at 12:24 PM, Kevin Kargel wrote: > Hmmm.. ?what makes ULA cheaper to administer than GUA from > an RIR perspective? ?One or the other is an artificial economy. There are no public-interest requirements to be analyzed with ULA save that you pay the bill. Thus it can be fully automated and even farmed out to the likes of Godaddy. We're not likely to get the same economy of scale, so it's going to still be more expensive than than a $10 dot-com, but sub-$100 is entirely achievable. That isn't true of GUA. Who qualifies for how much GUA has major public policy compliance concerns tied to it. Artificial or not, managing that compliance process costs money. Perhaps GUA can be reformatted so that the remaining public interest requirements lend themselves to automation but while we're arguing about how to do that it would be irresponsible to ask the folks who need ULA space to suffer. > If any part - even one address - of ULA can be routed [on the > public Internet] then it is not ULA, it is GUA. If it is GUA then > current policy and pricing apply. Simple. IFYP. ULA can be routed between private systems. That's the whole point of making them unique instead of repeating RFC 1918. The restriction is that ULA space isn't to be introduced into the public Internet's DFZ and if introduced, it should fail to propagate. That's the IETF's direction for ULA and no one appears to be challenging it. I note that subroutes of 2002::/16 are also successfully blocked from the IPv6 DFZ even though the address space is registered. For example, 2002:c721:e000::/39 is registered to me: {lily:herrin:/home/herrin:!} whois 2002:c721:e000::/39 Querying for the IPv4 endpoint 199.33.224.0 of a 6to4 IPv6 address. OrgName: Why? InterNetworking OrgID: WHYINT Address: 3005 Crane Drive City: Falls Church StateProv: VA PostalCode: 22042 Country: US NetRange: 199.33.224.0 - 199.33.225.255 CIDR: 199.33.224.0/23 NetName: WHY NetHandle: NET-199-33-224-0-1 Parent: NET-199-0-0-0-0 NetType: Direct Assignment NameServer: MINOC.DIRTSIDE.NET NameServer: LILY.DIRTSIDE.COM Comment: RegDate: 1994-01-20 Updated: 2005-05-02 RTechHandle: WH23-ARIN RTechName: Herrin, William Dennis RTechPhone: +1-703-534-2652 RTechEmail: arin-contact at herrin.us OrgTechHandle: WH23-ARIN OrgTechName: Herrin, William Dennis OrgTechPhone: +1-703-534-2652 OrgTechEmail: arin-contact at herrin.us # ARIN WHOIS database, last updated 2010-04-05 20:00 # Enter ? for additional hints on searching ARIN's WHOIS database. # # ARIN WHOIS data and services are subject to the Terms of Use # available at https://www.arin.net/whois_tou.html But any route I announce for 2002:c721:e000::/39 dies hard. I fail to see what compelling reason would cause the DFZ operators to open routing to fc00::/7 when they haven't opened it to 2002::/16. This fear is not well grounded. Regards, Bill Herrin -- William D. Herrin ................ herrin at dirtside.com bill at herrin.us 3005 Crane Dr. ...................... Web: Falls Church, VA 22042-3004 From wes at ren-isac.net Tue Apr 6 16:10:53 2010 From: wes at ren-isac.net (Wes Young) Date: Tue, 6 Apr 2010 16:10:53 -0400 Subject: [arin-ppml] Comments on Draft Policy 2010-3: Customer Confidentiality In-Reply-To: References: <474FEA3C-42FE-401D-A6CB-130973053094@ren-isac.net> Message-ID: Yes. But if it's all obfuscated by the upstream isp, we still have to go through the upstream to get to the downstream (unfettered access to "last mile" contact information is how we meant it). example: i have an address, I whois it and it comes back the ISP name, but Verizon's contact phone number (as an example) and address. I have to now jump through hoops with verizon to "get access" to their customer. I may be able to share that information with verizon, I may not. Either way, it add's a significant cost. Or at-least that was my interpretation. It is my understanding that the "database can be obtained" is valid, my question is "will that data contain the last-mile information, or whatever the up-stream throws in there"? My perception was "no, it will not" given the clause: "The customer's actual information must be provided to ARIN on request and will be held in the strictest confidence." given that ARIN will no longer warehouse this data (again, this is how *I* read it anyway). Please correct me if i'm missing something obvious though... On Apr 6, 2010, at 3:58 PM, Davey, George wrote: > I am concerned about this policy and would like further information: > > "unfettered access to contact information in the ARIN registry" > > It is my understanding the ARIN database can be obtained on a > periodic basis in its entirety so long as the reason can be > justified, the user can be verified and the usage does not allow > bulk queries of the data. > Has this policy changed? > > I was able to obtain a copy a few years back for my spam reporting > software by signing several documents and proving my identity. > > > > > > > > > George Davey, B.S. MCSE > Network Administrator > 3200 Grand Avenue > Des Moines, IA 50312 > DESK 515.271.1544 > FAX 515.271.7063 > CELL 515.221.2500 > George.Davey at dmu.edu > www.dmu.edu > > > > -----Original Message----- > From: arin-ppml-bounces at arin.net [mailto:arin-ppml-bounces at arin.net] > On Behalf Of Wes Young > Sent: Tuesday, April 06, 2010 1:35 PM > To: arin-ppml at arin.net > Subject: [arin-ppml] Comments on Draft Policy 2010-3: Customer > Confidentiality > > On behalf of the Research and Education Networking Information > Sharing and Analysis Center (REN-ISAC), we submit these comments on > ARIN Draft Policy 2010-3: Customer Confidentiality, herein referred > to as "the Policy". > > The mission of the REN-ISAC is to aid and promote cyber security > operational protection and response within the higher education and > research (R&E) communities. The mission is conducted within the > context of a private community of trusted representatives at member > institutions, and in service to the R&E community at-large. REN-ISAC > serves as the R&E trusted partner for served networks, the formal U.S. > ISAC community, and in other commercial, governmental, and private > security information sharing relationships. > > Among the activities conducted, REN-ISAC sends notifications to EDU > abuse contacts regarding compromised or otherwise maliciously > behaving machines. Hundreds of notifications are sent daily. > Numerous commercial, non-commercial, and governmental organizations > rely on REN- ISAC's performance in this role, in addition to the > EDUs receiving the notifications. > > Although the REN-ISAC develops and maintains its own contact > database, unfettered access to contact information in the ARIN > registry permits us to: > > + Identify new or existing institutions that have obtained or returned > allocated IP space within our scope of concern. > > + Identify a technical contact at an institution. > > Should the Policy be implemented and adopted, it would hamper our > ability to execute the mission. Implications would include: > > + Significantly increase lead-times and human interrupts required to > perform notifications regarding compromised and misbehaving machines. > > + Increase the difficulty of identifying a technical contact at the > organization that is in the best position to deal with a cyber > security incident. > > + Add a layer of process that would either prevent or inhibit timely > event notification. > > + Add to the costs of performing notifications. > > While we appreciate the need for a balance of privacy on the > Internet, we don't believe that the Internet or its users would be > well-served by confidential registrations at above a /x. The policy > would prove to be a detriment to global cyber security. Ultimately > it would equate to a reduced ability to deal with active criminal > threat. > > on behalf of the REN-ISAC, > -- > Wes Young > Principal Security Engineer > -- Wes http://claimid.com/wesyoung -------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 195 bytes Desc: This is a digitally signed message part URL: From george at dmu.edu Tue Apr 6 15:58:07 2010 From: george at dmu.edu (Davey, George) Date: Tue, 6 Apr 2010 14:58:07 -0500 Subject: [arin-ppml] Comments on Draft Policy 2010-3: Customer Confidentiality In-Reply-To: <474FEA3C-42FE-401D-A6CB-130973053094@ren-isac.net> References: <474FEA3C-42FE-401D-A6CB-130973053094@ren-isac.net> Message-ID: I am concerned about this policy and would like further information: "unfettered access to contact information in the ARIN registry" It is my understanding the ARIN database can be obtained on a periodic basis in its entirety so long as the reason can be justified, the user can be verified and the usage does not allow bulk queries of the data. Has this policy changed? I was able to obtain a copy a few years back for my spam reporting software by signing several documents and proving my identity. ? George Davey, B.S. MCSE Network Administrator 3200 Grand Avenue Des Moines, IA? 50312 DESK 515.271.1544 FAX 515.271.7063 CELL 515.221.2500 George.Davey at dmu.edu www.dmu.edu -----Original Message----- From: arin-ppml-bounces at arin.net [mailto:arin-ppml-bounces at arin.net] On Behalf Of Wes Young Sent: Tuesday, April 06, 2010 1:35 PM To: arin-ppml at arin.net Subject: [arin-ppml] Comments on Draft Policy 2010-3: Customer Confidentiality On behalf of the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC), we submit these comments on ARIN Draft Policy 2010-3: Customer Confidentiality, herein referred to as "the Policy". The mission of the REN-ISAC is to aid and promote cyber security operational protection and response within the higher education and research (R&E) communities. The mission is conducted within the context of a private community of trusted representatives at member institutions, and in service to the R&E community at-large. REN-ISAC serves as the R&E trusted partner for served networks, the formal U.S. ISAC community, and in other commercial, governmental, and private security information sharing relationships. Among the activities conducted, REN-ISAC sends notifications to EDU abuse contacts regarding compromised or otherwise maliciously behaving machines. Hundreds of notifications are sent daily. Numerous commercial, non-commercial, and governmental organizations rely on REN- ISAC's performance in this role, in addition to the EDUs receiving the notifications. Although the REN-ISAC develops and maintains its own contact database, unfettered access to contact information in the ARIN registry permits us to: + Identify new or existing institutions that have obtained or returned allocated IP space within our scope of concern. + Identify a technical contact at an institution. Should the Policy be implemented and adopted, it would hamper our ability to execute the mission. Implications would include: + Significantly increase lead-times and human interrupts required to perform notifications regarding compromised and misbehaving machines. + Increase the difficulty of identifying a technical contact at the organization that is in the best position to deal with a cyber security incident. + Add a layer of process that would either prevent or inhibit timely event notification. + Add to the costs of performing notifications. While we appreciate the need for a balance of privacy on the Internet, we don't believe that the Internet or its users would be well-served by confidential registrations at above a /x. The policy would prove to be a detriment to global cyber security. Ultimately it would equate to a reduced ability to deal with active criminal threat. on behalf of the REN-ISAC, -- Wes Young Principal Security Engineer From Bill.Smith at paypal.com Tue Apr 6 16:10:41 2010 From: Bill.Smith at paypal.com (Smith, Bill) Date: Tue, 6 Apr 2010 14:10:41 -0600 Subject: [arin-ppml] Comments on Draft Policy 2010-3: Customer Confidentiality In-Reply-To: <018901cad5bb$95108950$bf319bf0$@net> References: <474FEA3C-42FE-401D-A6CB-130973053094@ren-isac.net> <018901cad5bb$95108950$bf319bf0$@net> Message-ID: <39BF0C2785E4044E81A4D55B333D5106611D2ADB14@DEN-MEXMS-001.corp.ebay.com> > -----Original Message----- > From: arin-ppml-bounces at arin.net [mailto:arin-ppml-bounces at arin.net] On > Behalf Of Aaron Wendel > Sent: Tuesday, April 06, 2010 12:02 PM > To: 'Wes Young' > Cc: ppml at arin.net > Subject: Re: [arin-ppml] Comments on Draft Policy 2010-3: Customer > Confidentiality > > Hi Wes, > > Thank you for contributing to the discussion on Draft Policy 2010-3. > > I've been contacted recently by several people who have expressed > concerns > such as yours over this policy. In all cases these people, such as > yourself, seem to be unaware of the ARIN whois structure or how this > policy > changes it. There are broad assumptions being made that this would do > away > with the whois information or somehow "obscure" it and make life tough > for > people like yourself. Most respondents I've talked to have said that > they > need to know who ARIN has allocated IP space to. This proposal does > nothing > to change the information that ARIN provides in a public format on who > IPs > are allocated to. It does not obscure any data currently available on > who > has IPs from ARIN. If I understand this argument correctly, Policy Proposal 2010-3 is a request for a policy change that will result in no actual, operational change. If that's the case, why do we need the policy change? > > Since I will be presenting the proposal at the upcoming ARIN meeting > I'd > like to get a better idea of what is perpetuating these > misunderstandings so > I can present in a way that is understandable to all. As it stands, > the > policy is 2 sentences and does nothing to obscure any information that > ARIN > currently reports on the allocations it makes. If you could help me > understand what makes you think otherwise it would be a great help to > me. > There is still time for me to change the wording of the policy before > the > meeting in a week. > > Any help is appreciated. Thanks for your time. > > Aaron > > > > -----Original Message----- > From: arin-ppml-bounces at arin.net [mailto:arin-ppml-bounces at arin.net] On > Behalf Of Wes Young > Sent: Tuesday, April 06, 2010 1:35 PM > To: arin-ppml at arin.net > Subject: [arin-ppml] Comments on Draft Policy 2010-3: Customer > Confidentiality > > On behalf of the Research and Education Networking Information Sharing > and > Analysis Center (REN-ISAC), we submit these comments on ARIN Draft > Policy > 2010-3: Customer Confidentiality, herein referred to as "the Policy". > > The mission of the REN-ISAC is to aid and promote cyber security > operational > protection and response within the higher education and research (R&E) > communities. The mission is conducted within the context of a private > community of trusted representatives at member institutions, and in > service > to the R&E community at-large. REN-ISAC serves as the R&E trusted > partner > for served networks, the formal U.S. > ISAC community, and in other commercial, governmental, and private > security > information sharing relationships. > > Among the activities conducted, REN-ISAC sends notifications to EDU > abuse > contacts regarding compromised or otherwise maliciously behaving > machines. > Hundreds of notifications are sent daily. Numerous commercial, > non-commercial, and governmental organizations rely on REN- ISAC's > performance in this role, in addition to the EDUs receiving the > notifications. > > Although the REN-ISAC develops and maintains its own contact database, > unfettered access to contact information in the ARIN registry permits > us to: > > + Identify new or existing institutions that have obtained or returned > allocated IP space within our scope of concern. > > + Identify a technical contact at an institution. > > Should the Policy be implemented and adopted, it would hamper our > ability to > execute the mission. Implications would include: > > + Significantly increase lead-times and human interrupts required to > perform notifications regarding compromised and misbehaving machines. > > + Increase the difficulty of identifying a technical contact at the > organization that is in the best position to deal with a cyber security > incident. > > + Add a layer of process that would either prevent or inhibit timely > event notification. > > + Add to the costs of performing notifications. > > While we appreciate the need for a balance of privacy on the Internet, > we > don't believe that the Internet or its users would be well-served by > confidential registrations at above a /x. The policy would prove to be > a > detriment to global cyber security. Ultimately it would equate to a > reduced > ability to deal with active criminal threat. > > on behalf of the REN-ISAC, > -- > Wes Young > Principal Security Engineer > > > No virus found in this incoming message. > Checked by AVG - www.avg.com > Version: 9.0.800 / Virus Database: 271.1.1/2792 - Release Date: > 04/06/10 > 01:32:00 > > _______________________________________________ > PPML > You are receiving this message because you are subscribed to > the ARIN Public Policy Mailing List (ARIN-PPML at arin.net). > Unsubscribe or manage your mailing list subscription at: > http://lists.arin.net/mailman/listinfo/arin-ppml > Please contact info at arin.net if you experience any issues. From cgrundemann at gmail.com Tue Apr 6 16:36:33 2010 From: cgrundemann at gmail.com (Chris Grundemann) Date: Tue, 6 Apr 2010 14:36:33 -0600 Subject: [arin-ppml] Comments on Draft Policy 2010-3: Customer Confidentiality In-Reply-To: References: <474FEA3C-42FE-401D-A6CB-130973053094@ren-isac.net>

Message-ID: On Tue, Apr 6, 2010 at 14:10, Wes Young wrote: > Yes. But if it's all obfuscated by the upstream isp, we still have to go > through the upstream to get to the downstream (unfettered access to "last > mile" contact information is how we meant it). > > example: i have an address, I whois it and it comes back the ISP name, but > Verizon's contact phone number (as an example) and address. I have to now > jump through hoops with verizon to "get access" to their customer. I may be > able to share that information with verizon, I may not. Either way, it add's > a significant cost. > > Or at-least that was my interpretation. > > It is my understanding that the "database can be obtained" is valid, my > question is "will that data contain the last-mile information, or whatever > the up-stream throws in there"? > > My perception was "no, it will not" given the clause: > > "The customer's actual information must be provided to ARIN on request and > will be held in the strictest confidence." > > given that ARIN will no longer warehouse this data (again, this is how *I* > read it anyway). Please correct me if i'm missing something obvious > though... You are not wrong Wes. If this policy were to pass, every ISP with an ARIN allocation could obfuscate the SWIPs for all space allocated to them. This would cause exactly the disaster you have described. ~Chris > -- > Wes > http://claimid.com/wesyoung > > > _______________________________________________ > PPML > You are receiving this message because you are subscribed to > the ARIN Public Policy Mailing List (ARIN-PPML at arin.net). > Unsubscribe or manage your mailing list subscription at: > http://lists.arin.net/mailman/listinfo/arin-ppml > Please contact info at arin.net if you experience any issues. > -- @ChrisGrundemann weblog.chrisgrundemann.com www.burningwiththebush.com www.coisoc.org From owen at delong.com Tue Apr 6 16:40:05 2010 From: owen at delong.com (Owen DeLong) Date: Tue, 6 Apr 2010 13:40:05 -0700 Subject: [arin-ppml] Comments on Draft Policy 2010-3: Customer Confidentiality In-Reply-To: <018901cad5bb$95108950$bf319bf0$@net> References: <474FEA3C-42FE-401D-A6CB-130973053094@ren-isac.net> <018901cad5bb$95108950$bf319bf0$@net> Message-ID: On Apr 6, 2010, at 12:01 PM, Aaron Wendel wrote: > Hi Wes, > > Thank you for contributing to the discussion on Draft Policy 2010-3. > > I've been contacted recently by several people who have expressed concerns > such as yours over this policy. In all cases these people, such as > yourself, seem to be unaware of the ARIN whois structure or how this policy > changes it. There are broad assumptions being made that this would do away > with the whois information or somehow "obscure" it and make life tough for > people like yourself. Most respondents I've talked to have said that they > need to know who ARIN has allocated IP space to. This proposal does nothing > to change the information that ARIN provides in a public format on who IPs > are allocated to. It does not obscure any data currently available on who > has IPs from ARIN. > While this is technically true, I do not believe it is an accurate reflection of the net effects of the policy proposal. The proposal would allow ISPs to anonymize and/or remove significant information from records currently published in whois as well as allowing them to not submit much of that information to publication in the future. I think that the issue is you are making a distinction between who has IP addresses DIRECTLY from ARIN vs. who has IP addresses from an upstream which received them either directly or indirectly from ARIN. I believe that Wes and others who have commented actually care about who the end-user of an IP address block is rather than merely who it was issued to by ARIN. Wes, could you please clarify your intent here? Thanks, Owen -------------- next part -------------- An HTML attachment was scrubbed... URL: From cgrundemann at gmail.com Tue Apr 6 17:07:00 2010 From: cgrundemann at gmail.com (Chris Grundemann) Date: Tue, 6 Apr 2010 15:07:00 -0600 Subject: [arin-ppml] Policy Proposal 109: Standardize IP Reassignment Registration Requirements - Revised In-Reply-To: <4B8FAD94.2040509@arin.net> References: <4B8FAD94.2040509@arin.net> Message-ID: With the renewed conversations regarding draft policy 2010-3 I thought it may be appropriate to remind everyone of the proposal that I wrote in response to earlier debate surrounding this issue: policy proposal 109. Unfortunately my proposal will not be up for adoption in Toronto, however I will be presenting it along side the open policy hour on Sunday afternoon (come throw tomatoes). The reason I bring it up now is that I believe it strikes a fair balance between the need for complete whois data, residential customer privacy, and protecting corporate customer lists. Specific to the third point: Under pp109, the legal name, city, state, zip code equivalent and one POC is required for every SWIP'd block (/29 or larger IPv4, /56 or larger IPv6). Street name and number are optional as is POC telephone number (email address is required). This means that the specific contact information most valuable to competing sales teams (street address and phone number) is optional, allowing you to protect your customer list if needed while still allowing security and abuse personnel to understand who is (whois) actually using any particular block of IPs. There are other factors at play in this policy of course (as it is a complete re-write of both IPv4 and IPv6 registration policy) and the full text and rational is included below. ~Chris On Thu, Mar 4, 2010 at 06:54, Member Services wrote: > The proposal originator submitted a revised version of the proposal. > > The AC will review this proposal at their next regularly scheduled > meeting and decide how to utilize the proposal. Their decision will be > announced to the PPML. > > Regards, > > Member Services > American Registry for Internet Numbers (ARIN) > > ## * ## > > Policy Proposal Name: Standardize IP Reassignment Registration Requirements > > Proposal Originator: Chris Grundemann > > Proposal Version: 3.0 > > Date: 03-MAR-2010 > > Proposal type: New > > Policy term: Permanent > > Policy statement: > > ## Definitions ## > > - Add: > > 2.3. Organizational Information > > When required, organization Information must include at a minimum: Legal > name, city, state, zip code equivalent and at least one valid technical or > abuse POC; inclusion of street address is highly encouraged. The POC shall > be designated by the organization and must include at least one verifiable > email address, inclusion of a phone number is highly encouraged. > > 2.12. Residential Customer > > End-users who are individual persons and not organizations and who recieve > service at a place of residence are considered residential customers. > > ## IPv4 ## > > - Rename 4.2.3.7. "Reassignment information" to "Registration" and add text: > > ISPs are required to demonstrate efficient use of IP address space > allocations by providing appropriate documentation, including assignment > histories, showing their efficient use. > > - Rename 4.2.3.7.1. "Customer organization information" to "Reassignment > Information" and replace text with: > > Each IPv4 assignment containing a /29 or more addresses shall be registered > in the WHOIS directory via SWIP or a distributed service which meets the > standards set forth in section 3.2. Reassignment registrations shall include > each client's organizational information, except where specifically exempted > by this policy. > > - Strike sections 4.2.3.7.2., 4.2.3.7.4. and 4.2.3.7.5. > > - Renumber section 4.2.3.7.3. to 4.2.3.7.2., rename to "Assignments visible > within 7 days" and replace text with: > > All assignments shall be made visible as required in section 4.2.3.7.1 > within seven calendar days of assignment. > > - Renumber and replace 4.2.3.7.6. Residential Customer Privacy with: > > 4.2.3.7.3. Residential Subscribers > > 4.2.3.7.3.1. Residential Market Area > > ISPs that assign address space to the infrastructure to which their > customers connect rather than to individual subscribers must register > assignment information regarding each market area holding such an address > block. Market area reassignments shall be registered with the network name > used to identify each market area. Any assignment to specific end-users > holding /29 and larger blocks still requires registration. A >50% > utilization rate shall be considered efficient for market area reassignments > from the ISPs most recent allocation. > > 4.2.3.7.3.2. Residential Customer Privacy > > To maintain the privacy of their residential customers, an organization with > downstream residential customers holding /29 and larger blocks may > > substitute that organization's name for the customer's name, e.g. 'Private > Customer - XYZ Network', and the customer's street address may read 'Private > Residence'. Each private downstream residential reassignment must have > accurate upstream Abuse and Technical POCs visible on the WHOIS directory > record for that block. > > - Strike section 4.2.6. "Cable Address Space Policy" > > ## IPv6 ## > > - Replace Section 6.5.5. with: > > 6.5.5. Registration > > ISPs are required to demonstrate efficient use of IP address space > allocations by providing appropriate documentation, including assignment > histories, showing their efficient use. > > 6.5.5.1. Reassignment information > > Each IPv6 assignment containing a /56 or more addresses shall be registered > in the WHOIS directory via SWIP or a distributed service which meets the > standards set forth in section 3.2. Reassignment registrations shall include > each client's organizational information, except where specifically exempted > by this policy. > > 6.5.5.2. Assignments visible within 7 days > > All assignments shall be made visible as required in section 4.2.3.7.1 > within seven calendar days of assignment. > > 6.5.5.3. Residential Subscribers > > 6.5.5.3.1. Residential Market Area > > ISPs that assign address space to the infrastructure to which their > customers connect rather than to individual subscribers must register > assignment information regarding each market area holding such an address > block. Market area reassignments shall be registered with the network name > used to identify each market area. Any assignment to specific end-users > holding /56 and larger blocks still requires registration. A >50% > utilization rate shall be considered efficient for market area reassignments > from the ISPs most recent allocation. > > > 6.5.5.3.2. Residential Customer Privacy > > To maintain the privacy of their residential customers, an organization with > downstream residential customers holding /56 and larger blocks may > substitute that organization's name for the customer's name, e.g. 'Private > Customer - XYZ Network', and the customer's street address may read 'Private > Residence'. Each private downstream residential reassignment must have > accurate upstream Abuse and Technical POCs visible on the WHOIS record for > that block. > > > Rationale: > > #New and Improved! Specific changes in this version (based on Staff and PPML > comments): > 1) Added section 2.12. to define residential customers. There is no current > definition of residential customers and this has reportedly been an on-going > problem for ARIN and it?s customers. > 2) 4.2.3.7. and 6.5.5. were re-written to include current text in order to > aid ARIN staff when requesting detailed utilization information as part of > the normal request process. > 3) 4.2.3.7.1. and 6.5.5.1. were re-written to simplify policy by combining > the /29 and /56 rules as well as the WHOIS directory visibility requirements > directly in a single statement (thanks to Owen DeLong for the suggestion). > 3) Several sections were struck do to the clarity and detail gained in > revision 3, above. > 4) The "7-day" provision was renamed and rewritten for clarity (thanks again > to Owen DeLong for the wording). > 5) 4.2.3.7.3.1 & 6.5.5.3.1 were re-written for clarity based on many > comments on and off list. > > #Short Rational: > This proposal intends to do several things: > 1) Bring IPv4 and IPv6 policy more in line with each other to make the NRPM > easier to understand and comply with - at least as it relates to > reassignment information. > 2) Specifically define what organizational information is required to be > added to WHOIS when reassignments are made to client organizations. > 3) To specifically state that a client organization may designate the POC of > their choice for any/all WHOIS entries in policy. This includes designating > an upstream POC as their own prefered POC (which allows for simple > reassignments). > 4) Expands the priviledges previously reserved solely for IPv4 cable ISPs to > all ISPs/LIRs with residential/dhcp-type subscribers. > 5) Specifically define the term "residential customer." > > #Expanded Rational: > 1) This policy restructures the reassignment and registration sections > of the IPv4 and IPv6 policies. > a) The IPv4 section is renamed "registration." > b) The IPv4 policy is shortened and rewritten for clarity. > c) The IPv6 policy is totally rewritten in a format that matches the IPv4 > policy. > * These structural changes are meant to make it easier to compare the two > sections. I believe that having the IPv6 and IPv4 policies written in > completely different formats and structures (as they are in many cases now) > confuses the issues and makes it very hard to understand what is different > and what is the same across the two sections. Bringing them into a similar > format should help ease the migration to IPv6 as folks can quickly and > easily understand the differences and the similarities. > > 2) This policy adds a definition of "organizational information" which is > used in the existing policy but not currently defined anywhere in the NRPM. > a) The definition states that specific addresses are not required for client > organizations but asks that they be included when possible. > b) The definition states that a POC is required but can be designated by the > client organization - it spells out that the client org can choose to use > their upstream as a POC. > c) The definition requires that the POC have a valid email address but only > suggests that it include a phone number. > * This definition is meant to address the customer confidentiality concerns > that have been brought up recently (by specifically removing the requirement > to publish client addresses and telephone numbers), with the smallest > negative impact to whois usefulness (retains a valid POC w/ email contact). > > 3) This policy takes the privileges granted specifically to IPv4 cable > operators in section 4.2.6. "Cable Address Space Policy" and grants them to > all ISPs who serve residential areas. > a) It allows all ISPs with residential coverage to register/swip/rwhois an > entire market area. > b) It retains the existing residential customer privacy policy for all > customers with larger IP blocks. > * This change removes the need for any ISP to enter residential customers > into whois at all. > > 4) This policy also extends the >50% utilization rate, currently granted > only to IPv4 cable operators, to all ISPs with a residential footprint. > * This change will make it easier for ISPs serving residential areas to get > the addresses they need - this is key for FTTH operators as well as > fixed-wireless and other residential ISPs. > *The 50% mark on the most recent allocation is because you can quickly > distribute most of your address space across your provisioning footprint, > leaving nothing left for growth while the lease count of the provisioned > customers catches up to the blocks allocated. (Dan Alexander's words) > > 5) Current policy references "residential customers" but there is no current > definition of residential customers in the NRPM. This has reportedly been an > on-going problem for ARIN and it?s customers. > > > Timetable for implementation: Immediate > _______________________________________________ > PPML > You are receiving this message because you are subscribed to > the ARIN Public Policy Mailing List (ARIN-PPML at arin.net). > Unsubscribe or manage your mailing list subscription at: > http://lists.arin.net/mailman/listinfo/arin-ppml > Please contact info at arin.net if you experience any issues. > -- @ChrisGrundemann weblog.chrisgrundemann.com www.burningwiththebush.com www.coisoc.org From jay at impulse.net Tue Apr 6 17:27:51 2010 From: jay at impulse.net (Jay Hennigan) Date: Tue, 06 Apr 2010 14:27:51 -0700 Subject: [arin-ppml] Comments on Draft Policy 2010-3: Customer Confidentiality In-Reply-To: <6D251AF0-1FE5-4184-9032-014EBCB9E6CB@ren-isac.net> References: <474FEA3C-42FE-401D-A6CB-130973053094@ren-isac.net> <018901cad5bb$95108950$bf319bf0$@net> <6D251AF0-1FE5-4184-9032-014EBCB9E6CB@ren-isac.net> Message-ID: <4BBBA757.2020500@impulse.net> On 4/6/10 12:51 PM, Wes Young wrote: > "ISPs may choose to enter the customer's name along with the ISP's > address and phone number in reassignments and reallocations in lieu of > the customer's address and phone number. The customer's actual > information must be provided to ARIN on request and will be held in the > strictest confidence." > > Those "two lines" (at-least to me), represent sort of the "domains by > proxy feature". > > When dealing with security incidents, if the contact information is > virtually proxy'd, then thats more time/money spent trying to get a-hold > of someone close enough to the problem to do away with it. A single > domain can't wipe out half of the internet, a single address (or set of > addresses, or /29--) could. When we can't keep track of those closest to > the situation (who care about the situation), the threat potential > increases. I have to respectfully disagree. The vast majority of our customers are small to medium sized businesses who have very little operational clue. Law firms, insurance agents, warehouse firms, etc. The contacts at the phone number or physical address of these operations can barely spell BGP, let alone describe it. As their ISP, we are much more likely to able to do away with any problems that they may create than their on-premise staff. Listing their phone number and address instead of ours results in total confusion as their receptionist is likely to want to have someone call you back. And that someone is likely to be "Geek Squad" or equivalent LAN vendor after a lengthy delay if at all. Good luck reaching anything other than voice mail evenings and weekends. Considering the number of scams going on, that receptionist is likely to be highly suspicious of a phone call from some stranger speaking what will seem to be gibberish about some computer security issue and asking them to disconnect themselves from the Internet or shut off an offending host. Calling a clueful ISP and being able to reach a NOC person with the ability to deal with the problem when a customer gets pwn3d at 02:00 local time on a Sunday morning is going to be much more useful than leaving a voice mail for the receptionist at the wholesale carpet distributor whose server got hacked. > I understand what you say about the change in allocations, maybe that > shouldn't have been listed as a primary reason (more so than the > obfuscation of "last mile" contact information). However, the very thing > you're trying to protect against (eg: customer lists), is one of the > very things security ops handlers are trying to build up and keep > current. The public information in an unstructured and federated > environment helps us do that. It is only two sentences, and that's > dangerous when you're setting a standard for the backbone of the > federated environment that is the internet. The change is the *ability* to list the ISP's contact number and address, not a *requirement* to do so. For cases where the end user customer has a security and technical staff that is willing able to deal with these issues when they come up, said staff will probably want to have their own contact number listed in WHOIS. Indeed it should be. If anything, I view this proposal as facilitating, not hindering, rapid response to security incidents by those with the knowledge and ability to deal with them. Note that this proposal in my opinion is better for *technical* reasons, without regard to any business and privacy concerns driving it. -- Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV From marty at akamai.com Tue Apr 6 17:46:35 2010 From: marty at akamai.com (Hannigan, Martin) Date: Tue, 06 Apr 2010 17:46:35 -0400 Subject: [arin-ppml] Policy Proposal 109: Standardize IP Reassignment Registration Requirements - Revised In-Reply-To: Message-ID: > From: Chris Grundemann > Date: Tue, 6 Apr 2010 15:07:00 -0600 > To: arin ppml > Subject: Re: [arin-ppml] Policy Proposal 109: Standardize IP Reassignment > Registration Requirements - Revised > > With the renewed conversations regarding draft policy 2010-3 I thought > it may be appropriate to remind everyone of the proposal that I wrote > in response to earlier debate surrounding this issue: policy proposal > 109. > Honestly? I don't think that it's helpful at all and I mean that in a "helpful" way. :-) We lose focus _a lot_ on the proposals at hand, both on the list and through other "mechanisms". That has happened with this proposal. I think that the spate of recent comments has helped to regain that focus; this proposal is not truly addressing what it was intended to. For that matter, I think that the ARIN should not get dragged into this scrum and let competition be competition. Whois is inaccurate, you can accomplish exactly the same thing using other, similarly easy, cheap and perhaps even more accurate, means Also, who will reach ARIN in an exigent circumstance, at 0500, on Sunday morning to ask them to ask someone else for something that we should be able to ask for related to internet security, personal safety or other valid reason? I don't think that we should have to pay for that or any other "service" to provide competition protection. To be clear; not in favor. Best Regards, -M< From cgrundemann at gmail.com Tue Apr 6 18:26:48 2010 From: cgrundemann at gmail.com (Chris Grundemann) Date: Tue, 6 Apr 2010 16:26:48 -0600 Subject: [arin-ppml] Policy Proposal 109: Standardize IP Reassignment Registration Requirements - Revised In-Reply-To: References: Message-ID: On Tue, Apr 6, 2010 at 15:46, Hannigan, Martin wrote: > > >> From: Chris Grundemann >> Date: Tue, 6 Apr 2010 15:07:00 -0600 >> To: arin ppml >> Subject: Re: [arin-ppml] Policy Proposal 109: Standardize IP Reassignment >> Registration Requirements - Revised >> >> With the renewed conversations regarding draft policy 2010-3 I thought >> it may be appropriate to remind everyone of the proposal that I wrote >> in response to earlier debate surrounding this issue: policy proposal >> 109. >> > > Honestly? I don't think that it's helpful at all and I mean that in a > "helpful" way. :-) We lose focus _a lot_ on the proposals at hand, both on > the list and through other "mechanisms". That has happened with this > proposal. I think that the spate of recent comments has helped to regain > that focus; this proposal is not truly addressing what it was intended to. Point taken. I do not wish to muddy the water. I still think that understanding the currently offered policy options and seeing another take on the issue may be helpful to some. > For that matter, I think that the ARIN should not get dragged into this > scrum and let competition be competition. Whois is inaccurate, you can > accomplish exactly the same thing using other, similarly easy, cheap and > perhaps even more accurate, means To dissect this a bit: 1) "Whois is inaccurate" - Agreed but with hopes that we can (even if slowly) fix that. 2) "you can accomplish the same thing..." - Do you mean gathering customer lists or gathering abuse and technical POCs? I agree with the former but not as much the latter. Whois with all it's flaws is still the best first choice for making those contacts. > Also, who will reach ARIN in an exigent circumstance, at 0500, on Sunday > morning to ask them to ask someone else for something that we should be able > to ask for related to internet security, personal safety or other valid > reason? I don't think that we should have to pay for that or any other > "service" to provide competition protection. My policy intends to avoid this. I agree that 2010-3 could very well cause this problem. > To be clear; not in favor. Fair enough, but based on your last paragraph I have a suspicion that you may misunderstand this proposal (or I may just misunderstand you ;)). Cheers, ~Chris > Best Regards, > > -M< > > -- @ChrisGrundemann weblog.chrisgrundemann.com www.burningwiththebush.com www.coisoc.org From steve at ibctech.ca Tue Apr 6 19:17:10 2010 From: steve at ibctech.ca (Steve Bertrand) Date: Tue, 06 Apr 2010 19:17:10 -0400 Subject: [arin-ppml] Comments on Draft Policy 2010-3: Customer Confidentiality In-Reply-To: <4BBBA757.2020500@impulse.net> References: <474FEA3C-42FE-401D-A6CB-130973053094@ren-isac.net> <018901cad5bb$95108950$bf319bf0$@net> <6D251AF0-1FE5-4184-9032-014EBCB9E6CB@ren-isac.net> <4BBBA757.2020500@impulse.net> Message-ID: <4BBBC0F6.8050007@ibctech.ca> On 2010.04.06 17:27, Jay Hennigan wrote: > On 4/6/10 12:51 PM, Wes Young wrote: > >> "ISPs may choose to enter the customer's name along with the ISP's >> address and phone number in reassignments and reallocations in lieu of >> the customer's address and phone number. The customer's actual >> information must be provided to ARIN on request and will be held in the >> strictest confidence." >> >> Those "two lines" (at-least to me), represent sort of the "domains by >> proxy feature". >> >> When dealing with security incidents, if the contact information is >> virtually proxy'd, then thats more time/money spent trying to get a-hold >> of someone close enough to the problem to do away with it. A single >> domain can't wipe out half of the internet, a single address (or set of >> addresses, or /29--) could. When we can't keep track of those closest to >> the situation (who care about the situation), the threat potential >> increases. > > I have to respectfully disagree. The vast majority of our customers are > small to medium sized businesses who have very little operational clue. > Law firms, insurance agents, warehouse firms, etc. The contacts at the > phone number or physical address of these operations can barely spell > BGP, let alone describe it. The vast majority of my customers are exactly the same. > As their ISP, we are much more likely to able to do away with any > problems that they may create than their on-premise staff. Agreed. > Listing their phone number and address instead of ours results in total > confusion as their receptionist is likely to want to have someone call > you back. Even if an operator is half-baked, they still should know that it's trivial to look up the POCs for the encompassing block in the event that a receptionist responds with "no" when one asks "do you have a computer technician that looks after your stuff?". Better yet, I throw it right into the SWIP 'Comments' section, just to be safe: Comment: For other issues, or if the above contacts Comment: are non-responsive, contact the ARIN POC registered Comment: to the encompassing IP block. Any person who values WHOIS for operational purposes will be able to glean the info they need, and will be able to identify whether the person on the other end of the phone is 'unresponsive' (such as a receptionist). What happens if a scrupulous LIR was getting paid for a client that was abusing my network, but had their personal information hidden? I couldn't create a baseline or filtering strategy based on IP, because they could just move them to another block. I can't monitor based on customer name, because it's 'protected'. Hence, I may be dealing with a moving target, with absolutely no classification ability to provide my upstreams with for aid. Personally, I don't care about the privacy of my clients. They are on the global Internet, and with that goes your privacy (as far as IP addressing is concerned). I can't cross the Canada/US border anymore without identifying exactly who I am and what my address is, and I see no difference in this. I just like to know that if someone calls my client or myself, they'd be able to inform me immediately who is originating an issue so I can fix it. > Calling a clueful ISP and being able to reach a NOC person with the > ability to deal with the problem when a customer gets pwn3d at 02:00 > local time on a Sunday morning is going to be much more useful than > leaving a voice mail for the receptionist at the wholesale carpet > distributor whose server got hacked. Fixed in the 'comments' section, or by gleaning the POCs of the parent block. >> I understand what you say about the change in allocations, maybe that >> shouldn't have been listed as a primary reason (more so than the >> obfuscation of "last mile" contact information). However, the very thing >> you're trying to protect against (eg: customer lists), is one of the >> very things security ops handlers are trying to build up and keep >> current. The public information in an unstructured and federated >> environment helps us do that. It is only two sentences, and that's >> dangerous when you're setting a standard for the backbone of the >> federated environment that is the internet. > > The change is the *ability* to list the ISP's contact number and > address, not a *requirement* to do so. For cases where the end user > customer has a security and technical staff that is willing able to deal > with these issues when they come up, said staff will probably want to > have their own contact number listed in WHOIS. Indeed it should be. > > If anything, I view this proposal as facilitating, not hindering, rapid > response to security incidents by those with the knowledge and ability > to deal with them. How do we know that you are not going to 'fix' the problem by rendering the client a new block? When they attack next week, and we call you again, how can we identify whether it is another one of your clients, or the same one? > Note that this proposal in my opinion is better for *technical* reasons, > without regard to any business and privacy concerns driving it. I completely understand what your stance is on this and why you feel this way, as seemingly we have a similar type of client base. However, you, like I, are the ones who *will* properly fix a problem when required. I'm concerned about the ones who will use this as a loophole to avoid that. Respectfully, Steve From jay at impulse.net Tue Apr 6 20:11:02 2010 From: jay at impulse.net (Jay Hennigan) Date: Tue, 06 Apr 2010 17:11:02 -0700 Subject: [arin-ppml] Comments on Draft Policy 2010-3: Customer Confidentiality In-Reply-To: <4BBBC0F6.8050007@ibctech.ca> References: <474FEA3C-42FE-401D-A6CB-130973053094@ren-isac.net> <018901cad5bb$95108950$bf319bf0$@net> <6D251AF0-1FE5-4184-9032-014EBCB9E6CB@ren-isac.net> <4BBBA757.2020500@impulse.net> <4BBBC0F6.8050007@ibctech.ca> Message-ID: <4BBBCD96.9090801@impulse.net> On 4/6/10 4:17 PM, Steve Bertrand wrote: > Even if an operator is half-baked, they still should know that it's > trivial to look up the POCs for the encompassing block in the event that > a receptionist responds with "no" when one asks "do you have a computer > technician that looks after your stuff?". The receptionist is likely to respond with a LAN vendor that may or may not be in a position to fix the issue. It may be trivial to look up the POC for the encompassing block but it is another step, another phone call or conversation, more delay, etc. The ISP of a non-technical customer is likely to be more knowledgeable regarding his customer's network than the receptionist and probably in a better position to work directly with any other local vendors and consultants. Also the ISP is in a position to down an interface or add an ACL *right now* in serious cases. The end customer isn't going to want to spend money on a consultant to fix something that isn't a problem (to them), and hasn't heard of some remote network operator calling with a complaint. And if the customer's phone number is published in WHOIS, they'll likely dismiss any such calls as just another telemarketer. (Telemarketers are the only ones that ever call that number we were forced to publish, that's why we never check that voice mail...) > Better yet, I throw it right into the SWIP 'Comments' section, just to > be safe: > > Comment: For other issues, or if the above contacts > Comment: are non-responsive, contact the ARIN POC registered > Comment: to the encompassing IP block. > > Any person who values WHOIS for operational purposes will be able to > glean the info they need, and will be able to identify whether the > person on the other end of the phone is 'unresponsive' (such as a > receptionist). More work, more clutter, and more steps. > What happens if a scrupulous LIR was getting paid for a client that was > abusing my network, but had their personal information hidden? I > couldn't create a baseline or filtering strategy based on IP, because > they could just move them to another block. I can't monitor based on > customer name, because it's 'protected'. Hence, I may be dealing with a > moving target, with absolutely no classification ability to provide my > upstreams with for aid. I think you mean UNscrupulous LIR. The customer name is not "protected" from what I read in the proposal. The phone number and street address are. If the customer is a deliberate abuser, the phone number and contact information of said abuser are going to be worthless. Usually it's a virus/bot/smurf amplifier type of issue where the customer is either unaware of the problem or just notices that things are slow. If the LIR is unscrupulous and deliberately supporting abusers, they wouldn't have a problem with entering completely bogus SWIPs anyway. This change isn't going to change the behavior of dishonest and unscrupulous LIRs. It is going to result in valid POCs of those in a position to fix problems without having to deal with non-technical people. Dishonest and abusive people will continue to be dishonest and abusive regardless of the rules. > Personally, I don't care about the privacy of my clients. They are on > the global Internet, and with that goes your privacy (as far as IP > addressing is concerned). I can't cross the Canada/US border anymore > without identifying exactly who I am and what my address is, and I see > no difference in this. I just like to know that if someone calls my > client or myself, they'd be able to inform me immediately who is > originating an issue so I can fix it. Agreed, but in the majority of cases when they call your client they are going to get little in the way of fixing. They will wind up calling you eventually anyway. Why not have that be the first call they make? > How do we know that you are not going to 'fix' the problem by rendering > the client a new block? When they attack next week, and we call you > again, how can we identify whether it is another one of your clients, or > the same one? See above. And does it matter? If you're an unscrupulous ISP that deliberately harbors abusers, does the rest of the Internet care which particular IP maps to which particular abuser today or next week or are they likely to just refuse all of your packets? >> Note that this proposal in my opinion is better for *technical* reasons, >> without regard to any business and privacy concerns driving it. > > I completely understand what your stance is on this and why you feel > this way, as seemingly we have a similar type of client base. However, > you, like I, are the ones who *will* properly fix a problem when > required. I'm concerned about the ones who will use this as a loophole > to avoid that. I don't think this proposal will make a difference one way or another to criminals and deliberate abusers. It will result in faster resolution of those cases where the actual user of the IP space is non-technical or not staffed 24/7 by providing an immediate lookup of a contact more likely to have the ability to resolve problems quickly and competently. -- Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV From aaron at wholesaleinternet.net Tue Apr 6 21:39:15 2010 From: aaron at wholesaleinternet.net (Aaron Wendel) Date: Tue, 6 Apr 2010 20:39:15 -0500 Subject: [arin-ppml] Comments on Draft Policy 2010-3: Customer Confidentiality In-Reply-To: <4BBBC0F6.8050007@ibctech.ca> References: <474FEA3C-42FE-401D-A6CB-130973053094@ren-isac.net> <018901cad5bb$95108950$bf319bf0$@net> <6D251AF0-1FE5-4184-9032-014EBCB9E6CB@ren-isac.net> <4BBBA757.2020500@impulse.net> <4BBBC0F6.8050007@ibctech.ca> Message-ID: <029401cad5f3$21ef4aa0$65cddfe0$@net> What would people think if the policy was altered to distinguish between an "end user" class and a "reseller" class of customer where the requirements would be to disclose full information on the reseller, which would be someone reselling network services such as web hosting, VPS' or even another ISP, and someone hosting their corporate e-mail and web site? The former should have a clue and be able to deal with network abuse issues while the latter is more likely to just be confused and ignore complaints. It would also protect those customers who are more likely to be "poached" as, at least in my case, the resellers have more interaction with me or my staff and therefore have a stronger relationship. Right now my count has the yays and nays running just about dead even. This suggestion was offered as a possible compromise by one of the nays. Aaron From steve at ibctech.ca Tue Apr 6 21:40:13 2010 From: steve at ibctech.ca (Steve Bertrand) Date: Tue, 06 Apr 2010 21:40:13 -0400 Subject: [arin-ppml] Comments on Draft Policy 2010-3: Customer Confidentiality In-Reply-To: <4BBBCD96.9090801@impulse.net> References: <474FEA3C-42FE-401D-A6CB-130973053094@ren-isac.net> <018901cad5bb$95108950$bf319bf0$@net> <6D251AF0-1FE5-4184-9032-014EBCB9E6CB@ren-isac.net> <4BBBA757.2020500@impulse.net> <4BBBC0F6.8050007@ibctech.ca> <4BBBCD96.9090801@impulse.net> Message-ID: <4BBBE27D.1010601@ibctech.ca> On 2010.04.06 20:11, Jay Hennigan wrote: > On 4/6/10 4:17 PM, Steve Bertrand wrote: > >> Even if an operator is half-baked, they still should know that it's >> trivial to look up the POCs for the encompassing block in the event that >> a receptionist responds with "no" when one asks "do you have a computer >> technician that looks after your stuff?". > > The receptionist is likely to respond with a LAN vendor that may or may > not be in a position to fix the issue. It may be trivial to look up the > POC for the encompassing block but it is another step, another phone > call or conversation, more delay, etc. Understood. However, I would rather have to take one extra one-minute step to validate via a phone call that the person I'm calling is who they are reported to be before I need to do a one second lookup to find out who you are and how to contact you. At least I'll know they are who you say they are, and will know for the future that they have clueless monkeys on call for 'network maintenance'. In the long run, I believe a potential extra step is worth it. > The ISP of a non-technical customer is likely to be more knowledgeable > regarding his customer's network than the receptionist and probably in a > better position to work directly with any other local vendors and > consultants. Also the ISP is in a position to down an interface or add > an ACL *right now* in serious cases. > > The end customer isn't going to want to spend money on a consultant to > fix something that isn't a problem (to them), and hasn't heard of some > remote network operator calling with a complaint. Even if I'm more knowledgeable in an emergency and I have to shut a client interface, then it is clear that the client is in need of spending money to fix a problem anyways. This potentially results in wasted time for you up front, or extra time for me later when we're questioned about why they are down without any prior engagement. Someone will always lose something in a situation like this... I'm just trying to look at it from the perspective of what can be gained. > And if the customer's > phone number is published in WHOIS, they'll likely dismiss any such > calls as just another telemarketer. (Telemarketers are the only ones > that ever call that number we were forced to publish, that's why we > never check that voice mail...) Fair enough. However, that is attempting to evade anyways, so it doesn't matter. Every company has a published number for business. You, having them as a client surely know it somehow. > I think you mean UNscrupulous LIR. Thanks ;) > The customer name is not "protected" from what I read in the proposal. > The phone number and street address are. If the customer is a > deliberate abuser, the phone number and contact information of said > abuser are going to be worthless. I don't believe that. Even though I'm afraid of retribution for saying this, I feel that re-assignment information of a client is the responsibility of the re-assigning party. If people want ARIN to validate the POCs of it's re-alloc/assignments, then we, as peers, should have the ability to randomly call each other up and say "hey, does this client still `own' this block?". I'm likely way off-base here, and perhaps I'm completely missing something, but: "If the customer is a deliberate abuser, the phone number and contact information of said abuser are going to be worthless. " ...then the re-assigning party should be flamed and noted for not doing its due diligence in the first place. > Usually it's a virus/bot/smurf > amplifier type of issue where the customer is either unaware of the > problem or just notices that things are slow. Usually, yes. However, ignorance is in no way allowed as an excuse. > If the LIR is unscrupulous and deliberately supporting abusers, they > wouldn't have a problem with entering completely bogus SWIPs anyway. > This change isn't going to change the behavior of dishonest and > unscrupulous LIRs. It is going to result in valid POCs of those in a > position to fix problems without having to deal with non-technical people. A rogue LIR is always going to try to circumvent the legal/policy anyways. For those LIRs who aren't unscrupulous, it allows for finer grain monitoring, better statistical gathering, easier documentation, better peer-to-peer communication. iow, I believe that having the client info in the db (even if your phone number is beside the clients) will serve the entire community better in the long run. > Dishonest and abusive people will continue to be dishonest and abusive > regardless of the rules. Yup, but they'd be easier to filter out. >> Personally, I don't care about the privacy of my clients. They are on >> the global Internet, and with that goes your privacy (as far as IP >> addressing is concerned). I can't cross the Canada/US border anymore >> without identifying exactly who I am and what my address is, and I see >> no difference in this. I just like to know that if someone calls my >> client or myself, they'd be able to inform me immediately who is >> originating an issue so I can fix it. > > Agreed, but in the majority of cases when they call your client they are > going to get little in the way of fixing. They will wind up calling you > eventually anyway. Why not have that be the first call they make? Well, one reason, I'd like my client know that the situation is being initiated externally. A serious person is calling to investigate a potentially serious problem. To further, it allows the caller to identify that they are speaking directly to the people who are listed in WHOIS. It provides confidence to them to know that they are headed in the proper direction. $receptionist at the counter could say via phone at 1400 that "yes, this is X company". Even if (s)he couldn't identify her ISP or her tech, the caller would (imho) merrily take that extra step to see who the next contact in the hierarchy is given the confidence (s)he has gained. >> How do we know that you are not going to 'fix' the problem by rendering >> the client a new block? When they attack next week, and we call you >> again, how can we identify whether it is another one of your clients, or >> the same one? > > See above. And does it matter? If you're an unscrupulous ISP that > deliberately harbors abusers, does the rest of the Internet care which > particular IP maps to which particular abuser today or next week or are > they likely to just refuse all of your packets? I'm not the rest of the Internet, but if I know that you have an abuser that you admit to having intermittent problems with, I'd rather throw a /28 into my infrastructure than have my users calling because I've had to blackhole your /16. ...and yes. I do believe that there are some who still care which block maps to which user. I personally believe that this research is important for historical purposes. >>> Note that this proposal in my opinion is better for *technical* reasons, >>> without regard to any business and privacy concerns driving it. >> >> I completely understand what your stance is on this and why you feel >> this way, as seemingly we have a similar type of client base. However, >> you, like I, are the ones who *will* properly fix a problem when >> required. I'm concerned about the ones who will use this as a loophole >> to avoid that. > > I don't think this proposal will make a difference one way or another to > criminals and deliberate abusers. It will result in faster resolution > of those cases where the actual user of the IP space is non-technical or > not staffed 24/7 by providing an immediate lookup of a contact more > likely to have the ability to resolve problems quickly and competently. Again, I understand why you feel this way, but I'm torn from it. I think, and I *feel*, that by ensuring proper block-holder information in each re-assignment, it will be easier to weed out the 'unscrupulous'. Perhaps client churn is a concerning factor here, but I see more importance on being able to know who has what, than someone trying to steal clients. Also, I don't imagine there are many here who don't utilize the security community for some services. Providing policy allowances such as this may hinder them in what they can potentially provide... and at the same time load more responsibility upon ARIN to collect information when necessary, slowing the investigative process down exponentially (due to following any new policy that would have to be created for them to acquire the info). Respectfully, and very inquisitive, Steve From farmer at umn.edu Wed Apr 7 00:43:09 2010 From: farmer at umn.edu (David Farmer) Date: Tue, 06 Apr 2010 23:43:09 -0500 Subject: [arin-ppml] ULA-C In-Reply-To: References: <28E139F46D45AF49A31950F88C497458058E241E@E03MVZ2-UKDY.domain1.systemhost.net> <4BA76279.9060809@umn.edu> <07B89580-34D1-4F02-BFD0-A7ADE6490B69@delong.com> <8695009A81378E48879980039EEDAD28876D4435@MAIL1.polartel.local> <8695009A81378E48879980039EEDAD28876D443A@MAIL1.polartel.local> Message-ID: <4BBC0D5D.2060903@umn.edu> First, I want to apologies to everyone, I'm starting to believe I've been wasting all of your time on this. I thought we could find a consensus allowing the implementation of ULA-C while providing assurance to those worried about ULA-C becoming a policy abuse path. Somehow I even convinced myself there was the start of a consensus developing in the past couple weeks. Today it has become clear to me that I was deluding myself, and I'm starting to think the whole thing was a futile effort. There seems to be two diametrically opposed camps, neither of which are willing to budge out of their entrenched positions. So, I will make one final appeal for both sides to find a way to compromise. Without both groups being willing to compromises, I fear all that is going to happen is a continued shouting match. I believe a globally defined prefix for non-routed addressing, that has both registered uniqueness and reverse DNS, A.K.A ULA-C, would be of value to both the enterprise and services provider worlds. 1. With a single global well-known prefix, Service providers and other globally reachable Internet (DFZ) network operators could easily filter this prefix and the associated packets, without an excessive burden on their operations. 2. If packets or routes leak inappropriately, then tracking down the source, if necessary, becomes much easier. As the assignment is registered to an organization with contact information. This is not currently possible with RFC 1918 or RFC 4193. 3. Providing these assignments from a single global well-known prefix helps ensure these assignments are not misappropriated or hijacked, this helps protect both service providers and enterprise that received the assignment. This is not possible with an unannounced PI assignment, maybe with RPKI in the future, but not as things stand today. 4. The availability of ULA-C for internal addressing will likely make PA addressing facing the Internet more palatable at least for some classes of enterprise users. This might be implemented with NAT66, multiple RAs, or any number of possible future solutions. Like maybe some variation of LISP, or some other GSE type solutions. But, the details are irrelevant that is an operational issue not a policy one. 5. ULA-C with at least an option for authoritative reverse DNS, provides other options than just split DNS for enterprise internal naming. Also, Internet based VPNs can create many DNS challenges. Leaking forward and reverse DNS lookups for RFC 1918 and RFC 4193 addresses are a nuisance for both service providers and enterprises alike. 6. ULA-C, currently proposed as FC00::/8, is a much more limited resource than GUA 2000::/3, and since resource are being globally dedicated to individual organizations, some mechanism to ensure the long-term stewardship of those resource is necessary. The RIRs seem well suited to provide the necessary stewardship, as they already do this at a global scale for many other number resources, why build something new. 7. ULA-C, even with a global well-known prefix, is just another 128bit integer, there is nothing fundamentally different about it, than PA or PI. In fact, with registered uniqueness, reverse DNS, and maybe even RPKI in the future, the only practical difference between ULA-C and PI is the non-routed property, applied realistically only by convention. There is one possible other difference, random prefix selection. While this could help prevent some kinds of abuse, I'm not sure this would provide much practical deterrence in using ULA-C as a substitute for PI. Which I believe is the primary abuse path of concern. Therefore, I believe the concerns about ULA-C becoming a path for policy abuse cannot be completely discounted. However, in reality the risk is no where near as large as some are claiming. Further, I believe this risk can be easily managed via the RIRs' number resource policy processes, if the RIRs were to be given full policy control of ULA-C registrations. I believe the crux of the issues are these last two points (#6 & #7). Some members of the community seem to want ULA-C to bypass the stewardship and policy control of the RIRs, to justify a low cost for an assignment of ULA-C. And, some others seem to be over blowing the risk of abuse that ULA-C represents and seem to claim there is no way to manage that risk. I believe, the stewardship the RIRs provide is necessary, and the RIRs' policy processes can properly manage the risk. As for cost, while not a policy matter, in the shorter-term ULA-C is not going to be as cost effective as some would hope. However, if in the longer-term the risks can be managed, then I have to believe that the RIRs will do the right thing. So, is some kind of compromise between the opposing camps possible? Otherwise, I fear this is going to continue to be a pointless shouting match. Finally, I want to be clear the opinions I have expressed in this whole set of threads have been my personal opinion. The AC has not reached any consensus on these issues. And, without compromise from both camps as noted, I honestly don't see the AC coming to any consensus either. -- =============================================== David Farmer Email:farmer at umn.edu Networking & Telecommunication Services Office of Information Technology University of Minnesota 2218 University Ave SE Phone: 612-626-0815 Minneapolis, MN 55414-3029 Cell: 612-812-9952 =============================================== From michael.dillon at bt.com Wed Apr 7 05:05:22 2010 From: michael.dillon at bt.com (michael.dillon at bt.com) Date: Wed, 7 Apr 2010 10:05:22 +0100 Subject: [arin-ppml] Comments on Draft Policy 2010-3:Customer Confidentiality In-Reply-To: <6D251AF0-1FE5-4184-9032-014EBCB9E6CB@ren-isac.net> Message-ID: <28E139F46D45AF49A31950F88C49745805AF0DFD@E03MVZ2-UKDY.domain1.systemhost.net> > "ISPs may choose to enter the customer's name along with the > ISP's address and phone number in reassignments and > reallocations in lieu of the customer's address and phone > number. The customer's actual information must be provided to > ARIN on request and will be held in the strictest confidence." > > Those "two lines" (at-least to me), represent sort of the > "domains by proxy feature". This is much stricter than today where an ISP can just leave out customer information, and not give ARIN anything. > When dealing with security incidents, if the contact > information is virtually proxy'd, then thats more time/money > spent trying to get a- hold of someone close enough to the > problem to do away with it. You clearly do not have front-line experience with this kind of contact scenario. If you contact the ISP, they can disconnect the customer, then contact them and help them sort out the problem. If you contact the customer, they will say something like, "I don't know what you are talking about, I was cooking supper and I'm not using my computer at all, just reading the recipe off the screen". Filling the whois directory with contact info for people who have little understanding of technology and networks *WILL* cost you more money and wasted time trying to get a hold of someone who can understand your issue and act upon it. > However, the very thing you're trying to > protect against (eg: customer lists), is one of the very > things security ops handlers are trying to build up and keep > current. The public information in an unstructured and > federated environment helps us do that. It is only two > sentences, and that's dangerous when you're setting a > standard for the backbone of the federated environment that > is the internet. Yes, it is true that in the Wild West, private police forces and armies were free to form and to take action. But the Wild West has ended, and it is time for the Internet to also become more civilized. If this bothers you, then join the police force or the FBI, and you will be a real cop, not just a pretend one. > We are enumerating those customer lists on a daily basis to > help make the internet a safer place. On second thought, maybe you should go into politics. That way you could pass a law mandating ISPs to share their databases of customer identity and IP address with the legal authorities. The fact is that by removing junk info from the whois directory ARIN would be helping to make the Internet a safer place. > By design, this policy > appears to be aimed at taking that functionality away. Yes, and in my opinion it should be simplified to remove this sentence: The customer's actual information must be provided to ARIN on request and will be held in the strictest confidence. That doesn't belong in policy and is already part of ARIN's current operational practice. When ARIN needs the info, they ask for it, and they will sign an NDA with the registrant. --Michael Dillon From michael.dillon at bt.com Wed Apr 7 05:14:14 2010 From: michael.dillon at bt.com (michael.dillon at bt.com) Date: Wed, 7 Apr 2010 10:14:14 +0100 Subject: [arin-ppml] Comments onDraft Policy 2010-3: Customer Confidentiality In-Reply-To: <029401cad5f3$21ef4aa0$65cddfe0$@net> Message-ID: <28E139F46D45AF49A31950F88C49745805AF0E16@E03MVZ2-UKDY.domain1.systemhost.net> > What would people think if the policy was altered to > distinguish between an "end user" class and a "reseller" > class of customer where the requirements would be to disclose > full information on the reseller, which would be someone > reselling network services such as web hosting, VPS' or even > another ISP, and someone hosting their corporate e-mail and web site? What makes you think that the average reseller has more technical clue than the average citizen? --Michael Dillon From cengel at sponsordirect.com Wed Apr 7 11:29:10 2010 From: cengel at sponsordirect.com (Chris Engel) Date: Wed, 7 Apr 2010 11:29:10 -0400 Subject: [arin-ppml] Comments on Draft Policy 2010-3: Customer Confidentiality In-Reply-To: Message-ID: Jay Hennigan wrote: > The change is the *ability* to list the ISP's contact number > and address, not a *requirement* to do so. For cases where > the end user customer has a security and technical staff that > is willing able to deal with these issues when they come up, > said staff will probably want to have their own contact > number listed in WHOIS. Indeed it should be. > > If anything, I view this proposal as facilitating, not > hindering, rapid response to security incidents by those with > the knowledge and ability to deal with them. > > Note that this proposal in my opinion is better for > *technical* reasons, without regard to any business and > privacy concerns driving it. > I agree with Jay 100% here. For people that WANT to anonymize thier information (whether for fair reasons or foul) thier going to be able to put in bogus information here regardless of policy. Unless you want to start investing about $10,000 per registration to actualy investigate whether the information that they provide is accurate, then anything you write as policy isn't going to help here. For anyone else, it really should be between the ISP and the customer as to who gets listed. Totaly ignoring the privacy issue...a policy like this would actualy allow for faster response to problems in many cases. As Jay pointed out, many companies may not even have some-one technical on staff that can deal with these issues. If you call up a receptionist on the phone, they aren't likely to be able to help you....and if they are even mildly tech saavy they aren't going to be able to tell the difference between you and some-one making a social engineering attempt on them. Even for organizations that DO have technical people on staff....very few maintain 24/7 NOC's like ISP's do. I know for our organization if you try to contact any of our publicaly listed numbers outside of regular business hours, you won't get a response. However, our hosting providers and customers do have call sheets with after hours emergency contact numbers on them.... and I'd certainly be willing to provide something similar to an ISP's NOC or other trusted agent that can act as a gateway function between some-one with a legitimate issue...and some-one trying to sell me hosting space in Hong Kong. Tell me, which would yeild a faster response? Respectfully to the security research organizations, why should you not have to justify your legitimate need for such information? Aside from technical considerations and on to ethical/public policy issues. Information access should be a 2 way street. If you want access to some-one elses information then you should be prepared to surrender your own in order to get it. You should be able to justify your access to that information and there should be some method of transparency/tracking/accountability as to what you do with that information. Right now, WHOIS is about as far away from a 2-way street as you can get. The information contained in WHOIS may not be particularly sensitive... but the principle remains the same. Christopher Engel From stephen at sprunk.org Wed Apr 7 11:31:14 2010 From: stephen at sprunk.org (Stephen Sprunk) Date: Wed, 07 Apr 2010 10:31:14 -0500 Subject: [arin-ppml] Comments on Draft Policy 2010-3: Customer Confidentiality In-Reply-To: <4BBBC0F6.8050007@ibctech.ca> References: <474FEA3C-42FE-401D-A6CB-130973053094@ren-isac.net> <018901cad5bb$95108950$bf319bf0$@net> <6D251AF0-1FE5-4184-9032-014EBCB9E6CB@ren-isac.net> <4BBBA757.2020500@impulse.net> <4BBBC0F6.8050007@ibctech.ca> Message-ID: <4BBCA542.8020103@sprunk.org> On 06 Apr 2010 18:17, Steve Bertrand wrote: > On 2010.04.06 17:27, Jay Hennigan wrote: > >> I have to respectfully disagree. The vast majority of our customers >> are small to medium sized businesses who have very little operational >> clue. Law firms, insurance agents, warehouse firms, etc. The >> contacts at the phone number or physical address of these operations >> can barely spell BGP, let alone describe it. > The vast majority of my customers are exactly the same. > I suspect that the vast majority of _everyone's_ customers are the same. Heck, most of the folks _working for ISPs_ I've dealt with can't describe BGP. The average customer can't even spell _IP_. >> As their ISP, we are much more likely to able to do away with any problems that they may create than their on-premise staff. >> > Agreed. > True. >> Listing their phone number and address instead of ours results in total confusion as their receptionist is likely to want to have someone call you back. >> > Even if an operator is half-baked, they still should know that it's trivial to look up the POCs for the encompassing block in the event that a receptionist responds with "no" when one asks "do you have a computer technician that looks after your stuff?". > True. It's trivially easy to format your WHOIS request to get the parent block(s) of the address you're looking up. I normally bypass the end user altogether when I have a need to contact someone because the odds of them having anyone technical enough to be useful are so small. > Better yet, I throw it right into the SWIP 'Comments' section, just to > be safe: > > Comment: For other issues, or if the above contacts > Comment: are non-responsive, contact the ARIN POC registered > Comment: to the encompassing IP block. > This is a decent idea, but IMHO it would be better to set a "technical" and/or "abuse" POC on the SWIP itself (available with the "detailed" template). > Note that this proposal in my opinion is better for *technical* reasons, without regard to any business and privacy concerns driving it. > > I completely understand what your stance is on this and why you feel > this way, as seemingly we have a similar type of client base. However, > you, like I, are the ones who *will* properly fix a problem when > required. I'm concerned about the ones who will use this as a loophole > to avoid that. > Indeed. IMHO, most of those who will take advantage of this policy will do so for business reasons (e.g. hiding their customer lists from competitors) rather than technical ones. S -- Stephen Sprunk "God does not play dice." --Albert Einstein CCIE #3723 "God is an inveterate gambler, and He throws the K5SSS dice at every possible opportunity." --Stephen Hawking -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 3646 bytes Desc: S/MIME Cryptographic Signature URL: From kkargel at polartel.com Wed Apr 7 11:47:21 2010 From: kkargel at polartel.com (Kevin Kargel) Date: Wed, 7 Apr 2010 10:47:21 -0500 Subject: [arin-ppml] Comments on Draft Policy 2010-3:Customer Confidentiality In-Reply-To: <28E139F46D45AF49A31950F88C49745805AF0DFD@E03MVZ2-UKDY.domain1.systemhost.net> References: <6D251AF0-1FE5-4184-9032-014EBCB9E6CB@ren-isac.net> <28E139F46D45AF49A31950F88C49745805AF0DFD@E03MVZ2-UKDY.domain1.systemhost.net> Message-ID: <8695009A81378E48879980039EEDAD28876D4457@MAIL1.polartel.local> > "ISPs may choose to enter the customer's name along with the ISP's > address and phone number in reassignments and reallocations in lieu of > the customer's address and phone number. The customer's actual > information must be provided to ARIN on request and will be held in > the strictest confidence." I still think a better wording would be : > "^The customer^ may choose to enter the customer's name along with the ISP's > address and phone number in reassignments and reallocations in lieu of > the customer's address and phone number. The customer's actual > information must be provided to ARIN ^^ and will be held in > the strictest confidence." This decision should be the asignee's decision, not the ISP's decision. I believe in many if not most cases the customer's decision will be to tell the ISP "Do whatever is right.", but it is still the customers prerogative. From kkargel at polartel.com Wed Apr 7 11:56:33 2010 From: kkargel at polartel.com (Kevin Kargel) Date: Wed, 7 Apr 2010 10:56:33 -0500 Subject: [arin-ppml] Comments on Draft Policy 2010-3: Customer Confidentiality In-Reply-To: <4BBCA542.8020103@sprunk.org> References: <474FEA3C-42FE-401D-A6CB-130973053094@ren-isac.net> <018901cad5bb$95108950$bf319bf0$@net> <6D251AF0-1FE5-4184-9032-014EBCB9E6CB@ren-isac.net> <4BBBA757.2020500@impulse.net> <4BBBC0F6.8050007@ibctech.ca> <4BBCA542.8020103@sprunk.org> Message-ID: <8695009A81378E48879980039EEDAD28876D4458@MAIL1.polartel.local> Can't the customer *already* list whoever their agent is as technical or abuse PoC? I have always suggested to non-technical customers that they list either their ISP (me) or their contracted network maintainer as the technical and abuse PoC as appropriate. That just makes common sense. Whoever is contracted to provide and maintain network services for the customer *is* an agent of the customer and IMHO qualifies for inclusion in PoC contacts according to current policy. I do strongly feel though that this is the prerogative of the customer, not the ISP. The ISP can obviously advise the customer, and in most cases a non-technical customers response to the ISP will be "Whatever you say.", but in the end it is the customers decision. Kevin Kargel From kkargel at polartel.com Wed Apr 7 12:05:51 2010 From: kkargel at polartel.com (Kevin Kargel) Date: Wed, 7 Apr 2010 11:05:51 -0500 Subject: [arin-ppml] Comments on Draft Policy 2010-3: Customer Confidentiality In-Reply-To: <20100407160235.GB28901@vacation.karoshi.com.> References: <474FEA3C-42FE-401D-A6CB-130973053094@ren-isac.net> <018901cad5bb$95108950$bf319bf0$@net> <6D251AF0-1FE5-4184-9032-014EBCB9E6CB@ren-isac.net> <4BBBA757.2020500@impulse.net> <4BBBC0F6.8050007@ibctech.ca> <4BBCA542.8020103@sprunk.org> <8695009A81378E48879980039EEDAD28876D4458@MAIL1.polartel.local> <20100407160235.GB28901@vacation.karoshi.com.> Message-ID: <8695009A81378E48879980039EEDAD28876D4459@MAIL1.polartel.local> > > kind of begs the question, who is the "customer" here doesn't it? > if I am getting numbering resources from my RIR, then I am their > customer and I should have final say in what is entered into their > DB. If, on the other hand, I am the customer of, say CSnet (using > a long-dead company for reference) then CSnet is the customer of > the RIR, not me and I have zero say in what CSnet, as the RIR > customer, places in its registration entries/database. > > SWIPS and LEOs (CALEA) sort of want to insist that someone, in this > case the RIR, maintain accurate, public records of folks who are > not the RIR customers/clients. > > --bill So maybe "end user" would be a better descriptor than customer? From cgrundemann at gmail.com Wed Apr 7 12:13:05 2010 From: cgrundemann at gmail.com (Chris Grundemann) Date: Wed, 7 Apr 2010 10:13:05 -0600 Subject: [arin-ppml] Comments on Draft Policy 2010-3: Customer Confidentiality In-Reply-To: References: Message-ID: On Wed, Apr 7, 2010 at 09:29, Chris Engel wrote: > I agree with Jay 100% here. For people that WANT to anonymize thier information (whether for fair reasons or foul) thier going to be able to put in bogus information here regardless of policy. Unless you want to start investing about $10,000 per registration to actualy investigate whether the information that they provide is accurate, then anything you write as policy isn't going to help here. > You are right, this policy will not help. What might is an opt-in type email once a year to all (technical and abuse) POCs. See the adopted-but-not-yet-implemented policy 2008-7 for an idea of what this looks like. > For anyone else, it really should be between the ISP and the customer as to who gets listed. Totaly ignoring the privacy issue...a policy like this would actualy allow for faster response to problems in many cases. As Jay pointed out, many companies may not even have some-one technical on staff that can deal with these issues. If you call up a receptionist on the phone, they aren't likely to be able to help you....and if they are even mildly tech saavy they aren't going to be able to tell the difference between you and some-one making a social engineering attempt on them. > Even if you are right, this policy (2010-3) is _not_ needed to accomplish this. ARIN already allows simple reassignments which use the upstream POC information. Quoting from https://www.arin.net/resources/request/reassignments.html: " * IPv4 Reassign-Simple Used to sub-delegate IP addresses to a customer that does not need to: * sub-delegate the addresses to their own customers * maintain their own in-addr.arpa delegation * display their own point of contact (POC) information. Can also be used to change the customer name and address information (but not the range) on an existing simple reassignment and to remove simple reassignments. It is submitted by the parent organization's Administrative or Technical POC, or the Technical POC for the resource. POCs are not associated with simple reassignments. The customer receiving the reassignment will have the assigning ISP's POCs and name servers. " > Even for organizations that DO have technical people on staff....very few maintain 24/7 NOC's like ISP's do. I know for our organization if you try to contact any of our publicaly listed numbers outside of regular business hours, you won't get a response. However, our hosting providers and customers do have call sheets with after hours emergency contact numbers on them.... and I'd certainly be willing to provide something similar to an ISP's NOC or other trusted agent that can act as a gateway function between some-one with a legitimate issue...and some-one trying to sell me hosting space in Hong Kong. Tell me, which would yeild a faster response? > The question here should not be "what happens in this one corner case" or "what happens in my one example" but rather "what does the best good for the entire community - in all cases?" The answer is that the most complete, comprehensive and valid whois directory possible provides the best possible resource for *all*. > > Respectfully to the security research organizations, why should you not have to justify your legitimate need for such information? Aside from technical considerations and on to ethical/public policy issues. Information access should be a 2 way street. If you want access to some-one elses information then you should be prepared to surrender your own in order to get it. You should be able to justify your access to that information and there should be some method of transparency/tracking/accountability as to what you do with that information. Right now, WHOIS is about as far away from a 2-way street as you can get. The information contained in WHOIS may not be particularly sensitive... but the principle remains the same. > I believe in an Open Internet. Walling off whois data is not conducive to openness. OTOH, fully available whois data has very little downside, quite a lot of upside and _is_ conducive to keeping the Internet ecosystem Open. To restate: I am opposed to dp 2010-3. I again invite those in favor of this policy to review pp 109 which just might meet your needs without creating the problems that this policy will. Respectfully, ~Chris > > Christopher Engel > > _______________________________________________ > PPML > You are receiving this message because you are subscribed to > the ARIN Public Policy Mailing List (ARIN-PPML at arin.net). > Unsubscribe or manage your mailing list subscription at: > http://lists.arin.net/mailman/listinfo/arin-ppml > Please contact info at arin.net if you experience any issues. > -- @ChrisGrundemann weblog.chrisgrundemann.com www.burningwiththebush.com www.coisoc.org From cengel at sponsordirect.com Wed Apr 7 12:23:57 2010 From: cengel at sponsordirect.com (Chris Engel) Date: Wed, 7 Apr 2010 12:23:57 -0400 Subject: [arin-ppml] ULA-C In-Reply-To: Message-ID: David Farmer wrote: > I believe, the stewardship the RIRs provide is necessary, and > the RIRs' > policy processes can properly manage the risk. As for cost, > while not a > policy matter, in the shorter-term ULA-C is not going to be as cost > effective as some would hope. However, if in the longer-term > the risks > can be managed, then I have to believe that the RIRs will do > the right > thing. David, Speaking only for myself, I don't think the fee's I've heard thrown around (I think it was something like $1200 per year?) would present much of a stumbling block for most of those on the Enterprise who's addressing needs would actually justify ULA-C. Realistically, that's less then the coffee budget. No significant Enterprise should even blink at that. As long as there is no fee or justification for ULA-R (which I'm assuming because there is no registration) then everything should be fine. If you can't justify $1200 per year, then the burden imposed by using something which is not guarantied unique but still statistically alot bigger then RFC1918 is not that significant. Frankly I would think that most smaller Enterprises/startups will probably opt for ULA-R anyway. That would be our plan right now (assuming we can find NAT support in IPv6). However, I can see the value in ULA-C for some Enterprises...and you'll definitely get some buy in there..even with significant fee's. I wouldn't have any problem fee/justification wise if ULA-C was treated identically to PI. The only caveat should be that justification for ULA-C shouldn't count against justification for PA/PI... you should be able to get both types of addresses for the same device. The real value of ULA-C (IMO) is the understanding that it's not supposed to be globally routed. Yes, that's enforced by convention only...but that's no different then pretty much anything else on the internet. Christopher Engel From cengel at sponsordirect.com Wed Apr 7 12:43:47 2010 From: cengel at sponsordirect.com (Chris Engel) Date: Wed, 7 Apr 2010 12:43:47 -0400 Subject: [arin-ppml] Comments on Draft Policy 2010-3: Customer Confidentiality In-Reply-To: Message-ID: Chris Grundemann wrote: > You are right, this policy will not help. What might is an > opt-in type email once a year to all (technical and abuse) > POCs. See the adopted-but-not-yet-implemented policy 2008-7 > for an idea of what this looks like. Chris, I don't see how sending out an e-mail to slipperysam at gmail.com which has an auto-responder setup on it to reply to such ARIN e-mails is going to help much to provide information on who that address holder really is. If some-one really wants to hide thier identity....pretty much the only way you are going to find it is tracing the form of payment they use when paying thier ISP's bills. Doing that probably means going to the courts. The place a policy like that may help is when a block holder isn't purposefully trying to hide who they are....but may have had some internal changes (moved offices, new e-mail address, new network admin, etc) and forgotten to update thier contact info accordingly. I don't neccesarly object to the policy...I just don't think it's going to achieve all that much outside of issues like that. Christopher Engel From owen at delong.com Wed Apr 7 12:51:33 2010 From: owen at delong.com (Owen DeLong) Date: Wed, 7 Apr 2010 09:51:33 -0700 Subject: [arin-ppml] ULA-C In-Reply-To: References: Message-ID: On Apr 7, 2010, at 9:23 AM, Chris Engel wrote: > David Farmer wrote: > >> I believe, the stewardship the RIRs provide is necessary, and >> the RIRs' >> policy processes can properly manage the risk. As for cost, >> while not a >> policy matter, in the shorter-term ULA-C is not going to be as cost >> effective as some would hope. However, if in the longer-term >> the risks >> can be managed, then I have to believe that the RIRs will do >> the right >> thing. > > David, > > Speaking only for myself, I don't think the fee's I've heard thrown around (I think it was something like $1200 per year?) would present much of a stumbling block for most of those on the Enterprise who's addressing needs would actually justify ULA-C. Realistically, that's less then the coffee budget. No significant Enterprise should even blink at that. As long as there is no fee or justification for ULA-R (which I'm assuming because there is no registration) then everything should be fine. If you can't justify $1200 per year, then the burden imposed by using something which is not guarantied unique but still statistically alot bigger then RFC1918 is not that significant. Frankly I would think that most smaller Enterprises/startups will probably opt for ULA-R anyway. That would be our plan right now (assuming we can find NAT support in IPv6). > The fee most likely (the current GUA fees) would be $1250 ONE TIME initial and it would then be part of your end-user $100/year fee. If you were an ISP, it would likely be zero cost all around as it is unlikely to change your usage tier. > However, I can see the value in ULA-C for some Enterprises...and you'll definitely get some buy in there..even with significant fee's. I wouldn't have any problem fee/justification wise if ULA-C was treated identically to PI. The only caveat should be that justification for ULA-C shouldn't count against justification for PA/PI... you should be able to get both types of addresses for the same device. The real value of ULA-C (IMO) is the understanding that it's not supposed to be globally routed. Yes, that's enforced by convention only...but that's no different then pretty much anything else on the internet. > I completely agree. Owen From owen at delong.com Wed Apr 7 14:04:26 2010 From: owen at delong.com (Owen DeLong) Date: Wed, 7 Apr 2010 11:04:26 -0700 Subject: [arin-ppml] ULA-C In-Reply-To: <20100407173104.GA30448@vacation.karoshi.com.> References:

<20100407173104.GA30448@vacation.karoshi.com.> Message-ID: <9F343107-619F-4C8E-9A5E-581CCBB2754D@delong.com> On Apr 7, 2010, at 10:31 AM, bmanning at vacation.karoshi.com wrote: > On Wed, Apr 07, 2010 at 09:51:33AM -0700, Owen DeLong wrote: >> >> The fee most likely (the current GUA fees) would be $1250 ONE TIME initial and it would then be part of >> your end-user $100/year fee. If you were an ISP, it would likely be zero cost all around as it is unlikely to >> change your usage tier. > > > Nope ... its 1250/year. and likely to rise once the fee waiver expires. > the 100/year fee remains for the resources covered under the LRSA. > > --bill I'm not seeing where you get that impression... From https://www.arin.net/fees/fee_schedule.html END USERS / ASSIGNMENTS End users receive IP addresses for use only in their internal networks, and not for distribution to users of their Internet services. End users are assessed an initial fee for each new IPv4 and IPv6 address assignment, AS number registration, resource transfer, and experimental resource registration. IPv4 and IPv6 address assignments, ASN's and transfers are subject to a $100 USD annual maintenance fee. This fee is per Organization ID (OrgID). After a resource request has been approved, ARIN will invoice for payment. Payment must be received and a Registration Services Agreement (RSA) must be executed before resources are released. ARIN will send an invoice for the maintenance fee approximately 60 days before it is due. -------------- next part -------------- An HTML attachment was scrubbed... URL: From cgrundemann at gmail.com Wed Apr 7 14:47:11 2010 From: cgrundemann at gmail.com (Chris Grundemann) Date: Wed, 7 Apr 2010 12:47:11 -0600 Subject: [arin-ppml] Comments on Draft Policy 2010-3: Customer Confidentiality In-Reply-To: References: Message-ID: On Wed, Apr 7, 2010 at 10:43, Chris Engel wrote: > > Chris, > > I don't see how sending out an e-mail to slipperysam at gmail.com which has an auto-responder setup on it to reply to such ARIN e-mails is going to help much to provide information on who that address holder really is. If some-one really wants to hide thier identity....pretty much the only way you are going to find it is tracing the form of payment they use when paying thier ISP's bills. Doing that probably means going to the courts. > True, it won't tell you *who* they are but the hope is to determine *that* they are. While the implementation of the policy is completely up to ARIN staff, my vision was for something a bit better at rooting out fake or bad addresses. Like including a URL that must be visited, or a certain phrase that must be included in the reply. Something very lightweight for a real person but hard (if not impossible) for an auto-responder. Then you at least know that someone is receiving mail at that address, which is quite a bit better than what we have now - but not perfect. > The place a policy like that may help is when a block holder isn't purposefully trying to hide who they are....but may have had some internal changes (moved offices, new e-mail address, new network admin, etc) and forgotten to update thier contact info accordingly. I don't neccesarly object to the policy...I just don't think it's going to achieve all that much outside of issues like that. > I agree that the biggest win will be keeping honest folks honest, but I think it will provide some help combating the bad guys too. Again, specific implementation is up to ARIN staff but the idea is that after the emails go out they will end up with a list of unresponsive POCs and that will give them somewhere to start. Most of the unresponsive POCs will be sorted out through a phone call or physical letter. The others will likely often point to abandoned and abused resources. That is the hope anyway. ~Chris > > Christopher Engel > -- @ChrisGrundemann weblog.chrisgrundemann.com www.burningwiththebush.com www.coisoc.org From marty at akamai.com Wed Apr 7 15:07:54 2010 From: marty at akamai.com (Hannigan, Martin) Date: Wed, 07 Apr 2010 15:07:54 -0400 Subject: [arin-ppml] Comments on Draft Policy 2010-3: Customer Confidentiality In-Reply-To: <4BBCA542.8020103@sprunk.org> Message-ID: [ clip ] >> >> I completely understand what your stance is on this and why you feel >> this way, as seemingly we have a similar type of client base. However, >> you, like I, are the ones who *will* properly fix a problem when >> required. I'm concerned about the ones who will use this as a loophole >> to avoid that. >> > > Indeed. IMHO, most of those who will take advantage of this policy will > do so for business reasons (e.g. hiding their customer lists from > competitors) rather than technical ones. > Which technically isn't exactly going to work. It is 2010 after all. http://ws.arin.net/whois/?queryinput=!%3EWHOLE-125 This output is enough for geoLoc, something more reliable than WHOIS, to provide an ip->domain name->contact information mapping at a cost that is similar. There are a variety of companies involved in providing these services and they are designed around electronic advertising, fraud prevention, fraud detection and correlating consumer demographics. Fortune 500's and small business all have access to the tools necessary to do this for short change. IMHO, the only domain names that would _not_ be easily translated into a reachable human being by geoLoc databases are the ones who deliberately leave no trace and do not want to be reached. As others have noted, it is likely that the majority are nefarious in nature. Not in favor of 2010-3. Competition is supposed to be about improvement. This is self-destructive as noted by many. The ROI is negative as a result, the rationale isn't about privacy and the proposal doesn't take us even a small step towards accomplishing any goal related to privacy. Best Regards, -M< [cj, thanks for pointing out that I blurred [109 <<>>> 2010-3]. I didn't realize it as I was trying to figure out what was up with this issue and the large volume of postings ] From bill at herrin.us Wed Apr 7 17:17:31 2010 From: bill at herrin.us (William Herrin) Date: Wed, 7 Apr 2010 17:17:31 -0400 Subject: [arin-ppml] ULA-C In-Reply-To: References: Message-ID: On Wed, Apr 7, 2010 at 12:23 PM, Chris Engel wrote: > Speaking only for myself, I don't think the fee's I've heard thrown > around (I think it was something like $1200 per year?) would > present much of a stumbling block for most of those on the > Enterprise who's addressing needs would actually justify ULA-C. Needs? Justify? $1200? For ULA? Buddy, I don't think you quite get what ULA is or what it's for. All three of those are huge stumbling blocks to a ULA-C, and I do work for a large enterprise which would have a use for registered ULA. ULA is for everything from the coordinated enterprise WAN to the independent 20-phone LAN installed by a particular office's vendor and the VPNed "inside lan" for customer 4468's 3 servers. Like random ULA, it's gotta be damn near grab and go... and $1200 is a non-starter. -Bill -- William D. Herrin ................ herrin at dirtside.com bill at herrin.us 3005 Crane Dr. ...................... Web: Falls Church, VA 22042-3004 From gtb at slac.stanford.edu Wed Apr 7 18:24:06 2010 From: gtb at slac.stanford.edu (Buhrmaster, Gary) Date: Wed, 7 Apr 2010 15:24:06 -0700 Subject: [arin-ppml] ULA-C In-Reply-To: References: Message-ID: <6F51B50ECF32084788B9B3A8469A71B5CFFC6F7177@EXCHCLUSTER1-02.win.slac.stanford.edu> > From: arin-ppml-bounces at arin.net [mailto:arin-ppml-bounces at arin.net] On Behalf Of Chris Engel ... > > David Farmer wrote: > > > I believe, the stewardship the RIRs provide is necessary, and > > the RIRs' > > policy processes can properly manage the risk. As for cost, > > while not a > > policy matter, in the shorter-term ULA-C is not going to be as cost > > effective as some would hope. However, if in the longer-term > > the risks > > can be managed, then I have to believe that the RIRs will do > > the right > > thing. > .... > However, I can see the value in ULA-C for some Enterprises... > and you'll definitely get some buy in there..even with > significant fee's. I wouldn't have any problem fee/justification > wise if ULA-C was treated identically to PI. The only caveat > should be that justification for ULA-C shouldn't count > against justification for PA/PI... you should be able to get > both types of addresses for the same device. The real value of > ULA-C (IMO) is the understanding that it's not supposed to be globally > routed. Yes, that's enforced by convention only...but that's no > different then pretty much anything else on the internet. I agree. I can see an argument that if the price for ULA-C *is* the same as PI there would be little advantage for an organization to try to get ULA-C as an end-run for "cheap" GUA. Only those that understand ULA-C and want the current and future restrictions (not globally routed) are likely to choose it. There will be such organizations. I would like to see ARIN be able to serve them. Gary From michael.dillon at bt.com Thu Apr 8 06:26:11 2010 From: michael.dillon at bt.com (michael.dillon at bt.com) Date: Thu, 8 Apr 2010 11:26:11 +0100 Subject: [arin-ppml] ULA-C In-Reply-To: Message-ID: <28E139F46D45AF49A31950F88C49745805B60BBA@E03MVZ2-UKDY.domain1.systemhost.net> > The real value of ULA-C (IMO) > is the understanding that it's not supposed to be globally > routed. Yes, that's enforced by convention only...but that's > no different then pretty much anything else on the internet. Actually, ULA-C *IS* designed to be globally routed. But only on private internetworks, not on the public Internet. Remember that the Internet Protocol suite and the IETF are not there to service the public Internet. They are there to allow everyone to internetwork computers and other devices in any way that is useful to them. This includes private internetworks and it includes semi-connected regions of the public Internet, as well as the so-called "global Public Internet". I think that everyone understands what private internetworks are whether they are COINs or just a company that connects to a couple of key trading partners over some kind of VPN service. But consider this possibility. A country like China might choose to offer certain government services using a few registered ULA-C ranges, and require all ISPs in China to route those addresses, i.e. punch some /48 holes in their FC00::/7 filters. The end result would be that within China, those government sites are fully connected to the public Internet but outside of China, those sites do not exist. You might never want to do such a thing, but I can't think of a good reason why you would want to prevent everybody on the planet from doing such a thing. The IETF is there to create possibilities, not to prescribe everything about how you must operate your networks. Within ARIN we must remember that we are part of a larger picture, and sometimes, public Internet operators need to step aside and say, "this doesn't affect us because we filter FC00::/7" and let other people do their thing. Other people includes enterprise network operators, Community Of Interest Network (COIN) operators, and innovative thinkers who want to do something new. This is a situation where even if the majority of PPML voices are opposed to ULA-C addressing, the AC and Board of Trustees should do the right thing and make it happen, in a reasonable and orderly way. Remember that ULA-C addresses do exist today; they just don't have any orderly processes surrounding them. This is a vacuum that must be filled, before someone creates a fait accompli type of solution. --Michael Dillon From cengel at sponsordirect.com Thu Apr 8 10:43:16 2010 From: cengel at sponsordirect.com (Chris Engel) Date: Thu, 8 Apr 2010 10:43:16 -0400 Subject: [arin-ppml] ULA-C In-Reply-To: Message-ID: Bill Herrin wrote: > Needs? Justify? $1200? For ULA? Buddy, I don't think you > quite get what ULA is or what it's for. > > All three of those are huge stumbling blocks to a ULA-C, and > I do work for a large enterprise which would have a use for > registered ULA. ULA is for everything from the coordinated > enterprise WAN to the independent 20-phone LAN installed by a > particular office's vendor and the VPNed "inside lan" for > customer 4468's 3 servers. Like random ULA, it's gotta be > damn near grab and go... and $1200 is a non-starter. > > -Bill If I'm not mistaken the prime difference between ULA-C versus ULA-R is that of guarantied uniqueness as opposed to statistically probable uniqueness, correct? The discussion of fee's and justification and all that jazz is, I believe, contained to ULA-C. I don't believe anyone is proposing anything like that for ULA-R....wouldn't be enforceable even if they did, since there is no registration necessary for ULA-R. I agree that $1200 and justification for private address space for 3 servers is a pretty bad deal. However, the difference between using ULA-C and ULA-R for that use case is that with ULA-R, IF you go through a merger or something of that nature there is a somewhat less then 1 percent chance that you will have to renumber - 3 SERVERS. That doesn't strike me as a particularly daunting burden to risk. Where ULA-C really makes a difference over ULA-R (IMO) is for the folks who need address space for thousands of devices. For those guys even though the chance of running into a conflict with ULA-R is small, if it does hit...it's a huge burden. However, for those guys a $1200 fee isn't even worth blinking over. For everyone else, there is ULA-R. I've got no pony in this race. I'm neither the big multi-national Enterprise or the guy with 3 servers in his closet. IF/WHEN we support IPv6 (still an open question) our plans would be to use ULA-R regardless, even if ULA-C was free. The big objection to ULA-C that seems to be getting raised by people here.... as David pointed out.... was that ULA-C could be abused as an end-run around PI/PA policy/fees. If you make the policy/fees for ULA-C identical to those, you remove any incentive for that and still retain what makes ULA-C valuable. Seems like a reasonable compromise to me.... and really the guys who most need ULA-C (as opposed to ULA-R) should easily be able to afford that kind of money. Just my 2 cents. Christopher Engel From info at arin.net Fri Apr 9 10:04:59 2010 From: info at arin.net (Member Services) Date: Fri, 09 Apr 2010 10:04:59 -0400 Subject: [arin-ppml] ARIN XXV Policy Discussions Message-ID: <4BBF340B.9040600@arin.net> The ARIN XXV Public Policy and Members Meeting will be held very soon in Toronto. Whether you?re attending in person or participating remotely, be sure to review the agenda so you don?t miss your chance to share your thoughts during the policy discussions: Monday, 19 April 2010-3: Customer Confidentiality 2010-6: Simplified M&A transfer policy 2010-2: /24 End User Minimum Assignment Unit 2010-5: Reduce and Simplify IPv4 Initial Allocations Tuesday, 20 April 2010-7: Simplified IPv6 policy 2010-8: Rework of IPv6 assignment criteria 2010-4: Rework of IPv6 allocation criteria 2010-1: Waiting List for Unmet IPv4 Requests View the agenda for specific times at https://www.arin.net/ARIN-XXV/agenda.html. The agenda is subject to change, but we will make every effort not to change the times for policy discussions. We will be sending daily agenda updates to all attendees and registered remote participants. You can also follow us on Twitter @TeamARIN for schedule updates. Be sure to use the #arin25 tag for your own tweets about the meeting. Complete information on the text of the draft policies being discussed is available at https://www.arin.net/policy/proposals/. If you?re not able to be there in person, you can still take advantage of remote participation features that will allow your voice to be heard during critical policy discussions. In addition to following the video or audio webcast, you can read along with the live transcript, submit questions and comments, and vote in straw polls via Jabber chat. To register as a remote participant, learn more about the remote participation services, or access the meeting materials please go to https://www.arin.net/ARIN-XXV/remote.html. We look forward to your participation. Regards, Member Services American Registry for Internet Numbers (ARIN) From gbonser at seven.com Sun Apr 11 20:04:41 2010 From: gbonser at seven.com (George Bonser) Date: Sun, 11 Apr 2010 17:04:41 -0700 Subject: [arin-ppml] ULA-C References: <28E139F46D45AF49A31950F88C49745805B60BBA@E03MVZ2-UKDY.domain1.systemhost.net> Message-ID: <5A6D953473350C4B9995546AFE9939EE08FE6E54@RWC-EX1.corp.seven.com> > -----Original Message----- > From: arin-ppml-bounces at arin.net [mailto:arin-ppml-bounces at arin.net] On > Behalf Of michael.dillon at bt.com > Sent: Thursday, April 08, 2010 3:26 AM > To: arin-ppml at arin.net > Subject: Re: [arin-ppml] ULA-C > > > > The real value of ULA-C (IMO) > > is the understanding that it's not supposed to be globally > > routed. Yes, that's enforced by convention only...but that's > > no different then pretty much anything else on the internet. > > Actually, ULA-C *IS* designed to be globally routed. But only > on private internetworks, not on the public Internet. We are an operation that has a lot of private interconnectivity with other networks that does not go over the Internet. RFC-1918 collision has been a major issue and forces the use of GUA when connecting with partner networks. This causes a "burn" of address space that is not even publically reachable. The notion of having ULA that are allocated from some central registry is appealing for purposes of private interconnections where one would not have to worry about collisions in address space and would probably be worth the expense for us provided it was for our partners as well. George From mcr at sandelman.ca Sun Apr 11 20:47:55 2010 From: mcr at sandelman.ca (Michael Richardson) Date: Sun, 11 Apr 2010 20:47:55 -0400 Subject: [arin-ppml] ULA-C In-Reply-To: <5A6D953473350C4B9995546AFE9939EE08FE6E54@RWC-EX1.corp.seven.com> References: <28E139F46D45AF49A31950F88C49745805B60BBA@E03MVZ2-UKDY.domain1.systemhost.net> <5A6D953473350C4B9995546AFE9939EE08FE6E54@RWC-EX1.corp.seven.com> Message-ID: <8889.1271033275@marajade.sandelman.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 >>>>> "George" == George Bonser writes: >> -----Original Message----- >> From: arin-ppml-bounces at arin.net [mailto:arin-ppml-bounces at arin.net] George> On >> Behalf Of michael.dillon at bt.com >> Sent: Thursday, April 08, 2010 3:26 AM >> To: arin-ppml at arin.net >> Subject: Re: [arin-ppml] ULA-C >> >> >> > The real value of ULA-C (IMO) >> > is the understanding that it's not supposed to be globally >> > routed. Yes, that's enforced by convention only...but that's >> > no different then pretty much anything else on the internet. >> >> Actually, ULA-C *IS* designed to be globally routed. But only >> on private internetworks, not on the public Internet. George> We are an operation that has a lot of private George> interconnectivity with other networks that does not go over George> the Internet. RFC-1918 collision has been a major issue and George> forces the use of GUA when connecting with partner networks. George> This causes a "burn" of address space that is not even George> publically reachable. A question: how many of your connections are with organizations that did not, when they first numbered their network, even know that they were going to connect with you? I ask because, while you say: George> not have to worry about collisions in address space and George> would probably be worth the expense for us provided it was George> for our partners as well. that it's worth the money, that's only with the knowledge that you'd be connecting. What if you did not know, a-priori, that you were going to connect? How cheap would ULA-C have to be to just "get some" regardless, vs how much expense do you think renumbering is? - -- ] He who is tired of Weird Al is tired of life! | firewalls [ ] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[ ] mcr at sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[ Kyoto Plus: watch the video then sign the petition. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Finger me for keys iQEVAwUBS8JtuoCLcPvd0N1lAQK2tggAh/HQsoaeB3HkxFPaNK3BKIVMFqDArrga BPiCZgWNO2BdxtrRm0iHf93skgGBxspNJfnr8jF7++NmwNKG173HvrUU4OrNnma8 twot4at0EkTwhxf1eqIuhWlP7GZUXq6yUx9pREizqL35JWIOIeJW7TeR2vMrIhK+ gREb4OlVQqfrj12ge7MI3m8grM816MYGzXLsp0zGm7SDxCO0HSA5B4yUMWTl1puZ wzCRiHdl6tybLFrmCC6kT4InQJzK4ZUy7CYNcxVVrPh5H9OMrp0ktRYIVWTil3x6 fuz7P2q3nhMNzKXh2DX9S+bZcbRmqT2sG2Q4xhq9wE1hmmGqiYgN1A== =lWCJ -----END PGP SIGNATURE----- From gbonser at seven.com Sun Apr 11 21:01:57 2010 From: gbonser at seven.com (George Bonser) Date: Sun, 11 Apr 2010 18:01:57 -0700 Subject: [arin-ppml] ULA-C References: <28E139F46D45AF49A31950F88C49745805B60BBA@E03MVZ2-UKDY.domain1.systemhost.net> <5A6D953473350C4B9995546AFE9939EE08FE6E54@RWC-EX1.corp.seven.com> <8889.1271033275@marajade.sandelman.ca> Message-ID: <5A6D953473350C4B9995546AFE9939EE08FE6E55@RWC-EX1.corp.seven.com> > -----Original Message----- > From: mcr at sandelman.ca [mailto:mcr at sandelman.ca] > Sent: Sunday, April 11, 2010 5:48 PM > To: George Bonser > Cc: michael.dillon at bt.com; arin-ppml at arin.net > Subject: Re: [arin-ppml] ULA-C > > A question: how many of your connections are with organizations that > did > not, when they first numbered their network, even know that they were > going to connect with you? I don't think it is a matter of knowing if they are going to connect to *us* specifically or our knowing if we will connect to them specifically. It is a matter of considering if you are going to make connections and exchange traffic in general with partners that might be between systems not generally available to the Internet and are in private network space. If you decide that the probability of such a connection is high, then it would be prudent to obtain address space that is not likely to collide with your potential partner. Having space allocated from some central registry would give reasonable assurance of that. > I ask because, while you say: > > George> not have to worry about collisions in address space and > George> would probably be worth the expense for us provided it was > George> for our partners as well. > > that it's worth the money, that's only with the knowledge that you'd be > connecting. Sometimes "peace of mind" is worth a bit of money. If the network can be rolled out with the reasonable expectation that there will not be a collision, ever, with a potential partner, then it is well worth $1200. How much time would be spent in engineering an alternative if there is a collision? Will it take more than 3 hours to figure out and implement? If it does, then the money was well spent. $1200 is practically free. > What if you did not know, a-priori, that you were going to connect? > How cheap would ULA-C have to be to just "get some" regardless, vs how > much expense do you think renumbering is? Again it is a matter of knowing that you are going to have connections with people. You don't know in advance what their address space is, you don't know in advance even who exactly you are going to connect to. To absolutely ensure that you will never have that problem is a good architectural decision. Not doing so is probably fine for a "garage" operation that lives by the notion that "it isn't a problem until it is a problem" but that isn't the best way to do things, in my opinion. I would rather do it so the problem will never occur in the first place. From gbonser at seven.com Sun Apr 11 21:15:31 2010 From: gbonser at seven.com (George Bonser) Date: Sun, 11 Apr 2010 18:15:31 -0700 Subject: [arin-ppml] ULA-C References: <28E139F46D45AF49A31950F88C49745805B60BBA@E03MVZ2-UKDY.domain1.systemhost.net> <5A6D953473350C4B9995546AFE9939EE08FE6E54@RWC-EX1.corp.seven.com> <8889.1271033275@marajade.sandelman.ca> Message-ID: <5A6D953473350C4B9995546AFE9939EE08FE6E56@RWC-EX1.corp.seven.com> > -----Original Message----- > From: mcr at sandelman.ca [mailto:mcr at sandelman.ca] > Sent: Sunday, April 11, 2010 5:48 PM > To: George Bonser > Cc: michael.dillon at bt.com; arin-ppml at arin.net > Subject: Re: [arin-ppml] ULA-C > > A question: how many of your connections are with organizations that > did > not, when they first numbered their network, even know that they were > going to connect with you? > Let me provide something of a plausible example. You have Mondo Megacorp who provides some service worldwide. One aspect of their service is actually provided by a third party (Littlefish, Inc.) but branded as a service of Mondo Megacorp. There is some integration of the billing that needs to happen because Littlefish, Inc. needs to be able to turn on and off service to Modo Megacorp's customers and to bill Mondo for services rendered. Neither company has their financial backend systems in publically routed network space but they need to talk to each other. Littlefish provides service to a lot of bigger fish and has a lot of private connectivity to specific systems it needs communications with at these partners that are on private networks. If they are all in "private" space that is also unique, they never have to worry about address space collisions when they interface with each other on the backend. G From joelja at bogus.com Sun Apr 11 21:36:41 2010 From: joelja at bogus.com (joel jaeggli) Date: Sun, 11 Apr 2010 18:36:41 -0700 Subject: [arin-ppml] ULA-C Message-ID: <5A6D953473350C4B9995546AFE9939EE08FE6E56@RWC-EX1.corp.seven.com> Mondo-megacorp will trivially have enough gua space to address it's extranet and the cost of aquiring space is negible compared to cost of deploying anything inside mondo-megacorp. Joel George Bonser wrote: > > >> -----Original Message----- >> From: mcr at sandelman.ca [mailto:mcr at sandelman.ca] >> Sent: Sunday, April 11, 2010 5:48 PM >> To: George Bonser >> Cc: michael.dillon at bt.com; arin-ppml at arin.net >> Subject: Re: [arin-ppml] ULA-C >> >> A question: how many of your connections are with organizations that >> did >> not, when they first numbered their network, even know that they were >> going to connect with you? >> > >Let me provide something of a plausible example. You have Mondo >Megacorp who provides some service worldwide. One aspect of their >service is actually provided by a third party (Littlefish, Inc.) but >branded as a service of Mondo Megacorp. There is some integration of >the billing that needs to happen because Littlefish, Inc. needs to be >able to turn on and off service to Modo Megacorp's customers and to bill >Mondo for services rendered. > >Neither company has their financial backend systems in publically routed >network space but they need to talk to each other. Littlefish provides >service to a lot of bigger fish and has a lot of private connectivity to >specific systems it needs communications with at these partners that are >on private networks. > >If they are all in "private" space that is also unique, they never have >to worry about address space collisions when they interface with each >other on the backend. > >G >_______________________________________________ >PPML >You are receiving this message because you are subscribed to >the ARIN Public Policy Mailing List (ARIN-PPML at arin.net). >Unsubscribe or manage your mailing list subscription at: >http://lists.arin.net/mailman/listinfo/arin-ppml >Please contact info at arin.net if you experience any issues. > From gbonser at seven.com Sun Apr 11 21:40:53 2010 From: gbonser at seven.com (George Bonser) Date: Sun, 11 Apr 2010 18:40:53 -0700 Subject: [arin-ppml] ULA-C References: <5A6D953473350C4B9995546AFE9939EE08FE6E56@RWC-EX1.corp.seven.com> Message-ID: <5A6D953473350C4B9995546AFE9939EE08FE6E58@RWC-EX1.corp.seven.com> > -----Original Message----- > From: joel jaeggli [mailto:joelja at bogus.com] > Sent: Sunday, April 11, 2010 6:37 PM > To: George Bonser; mcr at sandelman.ca > Cc: arin-ppml at arin.net > Subject: Re: [arin-ppml] ULA-C > > Mondo-megacorp will trivially have enough gua space to address it's > extranet and the cost of aquiring space is negible compared to cost of > deploying anything inside mondo-megacorp. > > Joel > Joel, you missed the point. The do not want their financial backend systems on globally routable address space. They do not want it to even be POSSIBLE that by some kind of misconfiguration, their systems could be reachable from the Internet. So they put it in address space that is impossible to be reached across the public Internet. From joelja at bogus.com Sun Apr 11 22:14:23 2010 From: joelja at bogus.com (joel jaeggli) Date: Sun, 11 Apr 2010 19:14:23 -0700 Subject: [arin-ppml] ULA-C Message-ID: <5A6D953473350C4B9995546AFE9939EE08FE6E58@RWC-EX1.corp.seven.com> Oddly, I work for mondo-megacorp and I find it interesting that you're speaking for all entities that fit that category collectively. From my vantage point ,the security posture associated with a particular prefix, service or network internal to our administrative domain is defined by requirements not by some intrinsic nature of the prefix. George Bonser wrote: > > >> -----Original Message----- >> From: joel jaeggli [mailto:joelja at bogus.com] >> Sent: Sunday, April 11, 2010 6:37 PM >> To: George Bonser; mcr at sandelman.ca >> Cc: arin-ppml at arin.net >> Subject: Re: [arin-ppml] ULA-C >> >> Mondo-megacorp will trivially have enough gua space to address it's >> extranet and the cost of aquiring space is negible compared to cost of >> deploying anything inside mondo-megacorp. >> >> Joel >> > >Joel, you missed the point. The do not want their financial backend systems on globally routable address space. > >They do not want it to even be POSSIBLE that by some kind of misconfiguration, their systems could be reachable from the Internet. So they put it in address space that is impossible to be reached across the public Internet. > > > > > From owen at delong.com Mon Apr 12 01:18:07 2010 From: owen at delong.com (Owen DeLong) Date: Sun, 11 Apr 2010 22:18:07 -0700 Subject: [arin-ppml] ULA-C In-Reply-To: <5A6D953473350C4B9995546AFE9939EE08FE6E58@RWC-EX1.corp.seven.com> References: <5A6D953473350C4B9995546AFE9939EE08FE6E58@RWC-EX1.corp.seven.com> Message-ID: Well said. Even RFC-1918 space can be routed across the global internet due to misconfiguration, so, I fail to see how that can possibly provide the protection described. Admittedly, the number of misconfigurations increases in inverse proportion to topological proximity, but, nonetheless, lots of routing tables see RFC-1918 space on the global internet due to misconfiguration. Why would ULA-C or any other "special" prefix be any different? Owen On Apr 11, 2010, at 7:14 PM, joel jaeggli wrote: > Oddly, I work for mondo-megacorp and I find it interesting that you're speaking for all entities that fit that category collectively. > > From my vantage point ,the security posture associated with a particular prefix, service or network internal to our administrative domain is defined by requirements not by some intrinsic nature of the prefix. > > George Bonser wrote: > >> >> >>> -----Original Message----- >>> From: joel jaeggli [mailto:joelja at bogus.com] >>> Sent: Sunday, April 11, 2010 6:37 PM >>> To: George Bonser; mcr at sandelman.ca >>> Cc: arin-ppml at arin.net >>> Subject: Re: [arin-ppml] ULA-C >>> >>> Mondo-megacorp will trivially have enough gua space to address it's >>> extranet and the cost of aquiring space is negible compared to cost of >>> deploying anything inside mondo-megacorp. >>> >>> Joel >>> >> >> Joel, you missed the point. The do not want their financial backend systems on globally routable address space. >> >> They do not want it to even be POSSIBLE that by some kind of misconfiguration, their systems could be reachable from the Internet. So they put it in address space that is impossible to be reached across the public Internet. >> >> >> >> >> > _______________________________________________ > PPML > You are receiving this message because you are subscribed to > the ARIN Public Policy Mailing List (ARIN-PPML at arin.net). > Unsubscribe or manage your mailing list subscription at: > http://lists.arin.net/mailman/listinfo/arin-ppml > Please contact info at arin.net if you experience any issues. From gbonser at seven.com Mon Apr 12 01:24:02 2010 From: gbonser at seven.com (George Bonser) Date: Sun, 11 Apr 2010 22:24:02 -0700 Subject: [arin-ppml] ULA-C References: <5A6D953473350C4B9995546AFE9939EE08FE6E58@RWC-EX1.corp.seven.com> Message-ID: <5A6D953473350C4B9995546AFE9939EE08FE6E63@RWC-EX1.corp.seven.com> Can you tell me how RFC1918 space can be routed across the global internet? No transit provider in the world accepts those routes and assuming that such traffic would have to traverse at least three networks (originating, at least one transit and the destination), having all three misconfigured is quite unlikely. But I have never seen a transit network that will pass RFC1918 traffic. Who would they send it to? There must be a few hundred networks attempting to announce that space to them. > -----Original Message----- > From: Owen DeLong [mailto:owen at delong.com] > Sent: Sunday, April 11, 2010 10:18 PM > To: joel jaeggli > Cc: George Bonser; mcr at sandelman.ca; arin-ppml at arin.net > Subject: Re: [arin-ppml] ULA-C > > Well said. Even RFC-1918 space can be routed across the global > internet due to misconfiguration, so, I fail to see how that can > possibly provide the protection described. > > Admittedly, the number of misconfigurations increases in inverse > proportion to topological proximity, but, nonetheless, lots of routing > tables see RFC-1918 space on the global internet due to > misconfiguration. > > Why would ULA-C or any other "special" prefix be any different? > > Owen > > On Apr 11, 2010, at 7:14 PM, joel jaeggli wrote: > > > Oddly, I work for mondo-megacorp and I find it interesting that > you're speaking for all entities that fit that category collectively. > > > > From my vantage point ,the security posture associated with a > particular prefix, service or network internal to our administrative > domain is defined by requirements not by some intrinsic nature of the > prefix. > > > > George Bonser wrote: > > > >> > >> > >>> -----Original Message----- > >>> From: joel jaeggli [mailto:joelja at bogus.com] > >>> Sent: Sunday, April 11, 2010 6:37 PM > >>> To: George Bonser; mcr at sandelman.ca > >>> Cc: arin-ppml at arin.net > >>> Subject: Re: [arin-ppml] ULA-C > >>> > >>> Mondo-megacorp will trivially have enough gua space to address it's > >>> extranet and the cost of aquiring space is negible compared to cost > of > >>> deploying anything inside mondo-megacorp. > >>> > >>> Joel > >>> > >> > >> Joel, you missed the point. The do not want their financial backend > systems on globally routable address space. > >> > >> They do not want it to even be POSSIBLE that by some kind of > misconfiguration, their systems could be reachable from the Internet. > So they put it in address space that is impossible to be reached across > the public Internet. > >> > >> > >> > >> > >> > > _______________________________________________ > > PPML > > You are receiving this message because you are subscribed to > > the ARIN Public Policy Mailing List (ARIN-PPML at arin.net). > > Unsubscribe or manage your mailing list subscription at: > > http://lists.arin.net/mailman/listinfo/arin-ppml > > Please contact info at arin.net if you experience any issues. From lear at cisco.com Mon Apr 12 01:28:29 2010 From: lear at cisco.com (Eliot Lear) Date: Mon, 12 Apr 2010 07:28:29 +0200 Subject: [arin-ppml] ULA-C In-Reply-To: References: <5A6D953473350C4B9995546AFE9939EE08FE6E58@RWC-EX1.corp.seven.com> Message-ID: <4BC2AF7D.4020702@cisco.com> As one of the authors of that document, much as I am no great fan, I have to say that no matter how hard we try, we have great difficulty convincing people that the prefix doesn't matter. And there is some reason to believe that a well know prefix does matter, because it is easy for administrators (either side of the demarc) to install filters on well known prefixes, and at least some do. My big issue with all of this is that by the time you're done with a registration service that might offer reverse DNS (is that what we're saying?), those filters are really the only difference between ULA-C and PI; and the actually necessity for them, as far as the SPs other customers are concerned, is considerably lessened since the spaces don't overlap. Eliot On 4/12/10 7:18 AM, Owen DeLong wrote: > Well said. Even RFC-1918 space can be routed across the global internet due to misconfiguration, so, I fail to see how that can possibly provide the protection described. > > Admittedly, the number of misconfigurations increases in inverse proportion to topological proximity, but, nonetheless, lots of routing tables see RFC-1918 space on the global internet due to misconfiguration. > > Why would ULA-C or any other "special" prefix be any different? > > Owen > > On Apr 11, 2010, at 7:14 PM, joel jaeggli wrote: > >> Oddly, I work for mondo-megacorp and I find it interesting that you're speaking for all entities that fit that category collectively. >> >> From my vantage point ,the security posture associated with a particular prefix, service or network internal to our administrative domain is defined by requirements not by some intrinsic nature of the prefix. >> >> George Bonser wrote: >> >>> >>>> -----Original Message----- >>>> From: joel jaeggli [mailto:joelja at bogus.com] >>>> Sent: Sunday, April 11, 2010 6:37 PM >>>> To: George Bonser; mcr at sandelman.ca >>>> Cc: arin-ppml at arin.net >>>> Subject: Re: [arin-ppml] ULA-C >>>> >>>> Mondo-megacorp will trivially have enough gua space to address it's >>>> extranet and the cost of aquiring space is negible compared to cost of >>>> deploying anything inside mondo-megacorp. >>>> >>>> Joel >>>> >>> Joel, you missed the point. The do not want their financial backend systems on globally routable address space. >>> >>> They do not want it to even be POSSIBLE that by some kind of misconfiguration, their systems could be reachable from the Internet. So they put it in address space that is impossible to be reached across the public Internet. >>> >>> >>> >>> >>> >> _______________________________________________ >> PPML >> You are receiving this message because you are subscribed to >> the ARIN Public Policy Mailing List (ARIN-PPML at arin.net). >> Unsubscribe or manage your mailing list subscription at: >> http://lists.arin.net/mailman/listinfo/arin-ppml >> Please contact info at arin.net if you experience any issues. > _______________________________________________ > PPML > You are receiving this message because you are subscribed to > the ARIN Public Policy Mailing List (ARIN-PPML at arin.net). > Unsubscribe or manage your mailing list subscription at: > http://lists.arin.net/mailman/listinfo/arin-ppml > Please contact info at arin.net if you experience any issues. > -------------- next part -------------- An HTML attachment was scrubbed... URL: From gbonser at seven.com Mon Apr 12 02:13:33 2010 From: gbonser at seven.com (George Bonser) Date: Sun, 11 Apr 2010 23:13:33 -0700 Subject: [arin-ppml] ULA-C References: <5A6D953473350C4B9995546AFE9939EE08FE6E58@RWC-EX1.corp.seven.com> Message-ID: <5A6D953473350C4B9995546AFE9939EE08FE6E67@RWC-EX1.corp.seven.com> To clarify, if you attempt to route RFC1918 across the internet, how do you ensure it gets to the desired destination if thousands of potential destinations are using that space and possibly hundreds of them are announcing it (and being ignored) by their upstream. Yes, it is "possible" to route rc1918 traffic across the internet but there is no assurance that the rfc1918 network it is going to is your desired "target". It would require an incredible fluke of circumstances for that to happen: 1. Source network announcing their RFC1918 space 2. Transit network accepting their RFC1918 space and nobody else's except destination network. 3. Transit network announcing source network's RFC1918 space to destination network. 4. Destination network accepting RFC1918 address space. 5. Destination network announcing RFC1918 address space and transit provider accepting the announcement. 6. If multiple transit networks involved, they all accept both source and destination RFC1918 space and no others becsuse that would "muddy the water". 7. Not likely to happen on this planet but possible. > -----Original Message----- > From: Owen DeLong [mailto:owen at delong.com] > Sent: Sunday, April 11, 2010 10:18 PM > To: joel jaeggli > Cc: George Bonser; mcr at sandelman.ca; arin-ppml at arin.net > Subject: Re: [arin-ppml] ULA-C > > Well said. Even RFC-1918 space can be routed across the global > internet due to misconfiguration, so, I fail to see how that can > possibly provide the protection described. > > Admittedly, the number of misconfigurations increases in inverse > proportion to topological proximity, but, nonetheless, lots of routing > tables see RFC-1918 space on the global internet due to > misconfiguration. > > Why would ULA-C or any other "special" prefix be any different? > > Owen > > On Apr 11, 2010, at 7:14 PM, joel jaeggli wrote: > > > Oddly, I work for mondo-megacorp and I find it interesting that > you're speaking for all entities that fit that category collectively. > > > > From my vantage point ,the security posture associated with a > particular prefix, service or network internal to our administrative > domain is defined by requirements not by some intrinsic nature of the > prefix. > > > > George Bonser wrote: > > > >> > >> > >>> -----Original Message----- > >>> From: joel jaeggli [mailto:joelja at bogus.com] > >>> Sent: Sunday, April 11, 2010 6:37 PM > >>> To: George Bonser; mcr at sandelman.ca > >>> Cc: arin-ppml at arin.net > >>> Subject: Re: [arin-ppml] ULA-C > >>> > >>> Mondo-megacorp will trivially have enough gua space to address it's > >>> extranet and the cost of aquiring space is negible compared to cost > of > >>> deploying anything inside mondo-megacorp. > >>> > >>> Joel > >>> > >> > >> Joel, you missed the point. The do not want their financial backend > systems on globally routable address space. > >> > >> They do not want it to even be POSSIBLE that by some kind of > misconfiguration, their systems could be reachable from the Internet. > So they put it in address space that is impossible to be reached across > the public Internet. > >> > >> > >> > >> > >> > > _______________________________________________ > > PPML > > You are receiving this message because you are subscribed to > > the ARIN Public Policy Mailing List (ARIN-PPML at arin.net). > > Unsubscribe or manage your mailing list subscription at: > > http://lists.arin.net/mailman/listinfo/arin-ppml > > Please contact info at arin.net if you experience any issues. From gbonser at seven.com Mon Apr 12 02:28:01 2010 From: gbonser at seven.com (George Bonser) Date: Sun, 11 Apr 2010 23:28:01 -0700 Subject: [arin-ppml] ULA-C References: <5A6D953473350C4B9995546AFE9939EE08FE6E58@RWC-EX1.corp.seven.com> <4BC2AF7D.4020702@cisco.com> Message-ID: <5A6D953473350C4B9995546AFE9939EE08FE6E6B@RWC-EX1.corp.seven.com> I agree at a fundamental level that prefix doesn?t matter. And I will always add block for that space at my edge. But it is just another tool in the box. I wan?t meaning that anyone should ?rely? on the prefix for security, I meant that it was another added layer to help protect you. From: arin-ppml-bounces at arin.net [mailto:arin-ppml-bounces at arin.net] On Behalf Of Eliot Lear Sent: Sunday, April 11, 2010 10:28 PM To: Owen DeLong Cc: arin-ppml at arin.net Subject: Re: [arin-ppml] ULA-C As one of the authors of that document, much as I am no great fan, I have to say that no matter how hard we try, we have great difficulty convincing people that the prefix doesn't matter. And there is some reason to believe that a well know prefix does matter, because it is easy for administrators (either side of the demarc) to install filters on well known prefixes, and at least some do. My big issue with all of this is that by the time you're done with a registration service that might offer reverse DNS (is that what we're saying?), those filters are really the only difference between ULA-C and PI; and the actually necessity for them, as far as the SPs other customers are concerned, is considerably lessened since the spaces don't overlap. Eliot On 4/12/10 7:18 AM, Owen DeLong wrote: Well said. Even RFC-1918 space can be routed across the global internet due to misconfiguration, so, I fail to see how that can possibly provide the protection described. Admittedly, the number of misconfigurations increases in inverse proportion to topological proximity, but, nonetheless, lots of routing tables see RFC-1918 space on the global internet due to misconfiguration. Why would ULA-C or any other "special" prefix be any different? Owen On Apr 11, 2010, at 7:14 PM, joel jaeggli wrote: Oddly, I work for mondo-megacorp and I find it interesting that you're speaking for all entities that fit that category collectively. >From my vantage point ,the security posture associated with a particular prefix, service or network internal to our administrative domain is defined by requirements not by some intrinsic nature of the prefix. George Bonser wrote: -----Original Message----- From: joel jaeggli [mailto:joelja at bogus.com] Sent: Sunday, April 11, 2010 6:37 PM To: George Bonser; mcr at sandelman.ca Cc: arin-ppml at arin.net Subject: Re: [arin-ppml] ULA-C Mondo-megacorp will trivially have enough gua space to address it's extranet and the cost of aquiring space is negible compared to cost of deploying anything inside mondo-megacorp. Joel Joel, you missed the point. The do not want their financial backend systems on globally routable address space. They do not want it to even be POSSIBLE that by some kind of misconfiguration, their systems could be reachable from the Internet. So they put it in address space that is impossible to be reached across the public Internet. _______________________________________________ PPML You are receiving this message because you are subscribed to the ARIN Public Policy Mailing List (ARIN-PPML at arin.net). Unsubscribe or manage your mailing list subscription at: http://lists.arin.net/mailman/listinfo/arin-ppml Please contact info at arin.net if you experience any issues. _______________________________________________ PPML You are receiving this message because you are subscribed to the ARIN Public Policy Mailing List (ARIN-PPML at arin.net). Unsubscribe or manage your mailing list subscription at: http://lists.arin.net/mailman/listinfo/arin-ppml Please contact info at arin.net if you experience any issues. -------------- next part -------------- An HTML attachment was scrubbed... URL: From owen at delong.com Mon Apr 12 02:30:23 2010 From: owen at delong.com (Owen DeLong) Date: Sun, 11 Apr 2010 23:30:23 -0700 Subject: [arin-ppml] ULA-C In-Reply-To: <5A6D953473350C4B9995546AFE9939EE08FE6E63@RWC-EX1.corp.seven.com> References: <5A6D953473350C4B9995546AFE9939EE08FE6E58@RWC-EX1.corp.seven.com> <5A6D953473350C4B9995546AFE9939EE08FE6E63@RWC-EX1.corp.seven.com> Message-ID: On Apr 11, 2010, at 10:24 PM, George Bonser wrote: > Can you tell me how RFC1918 space can be routed across the global > internet? > I didn't say it could be done without misconfiguration. I said that it doesn't protect you as much as you think in the case of misconfiguration. > No transit provider in the world accepts those routes and assuming that > such traffic would have to traverse at least three networks > (originating, at least one transit and the destination), having all > three misconfigured is quite unlikely. > And yet, time and time again, they show up in the routing tables. > But I have never seen a transit network that will pass RFC1918 traffic. Look harder, it has definitely happened. > Who would they send it to? There must be a few hundred networks > attempting to announce that space to them. > Presumably the person who they accepted the advertisement from. IOW, the person who has obviously misconfigured things in the way you say it will protect you. Owen > > >> -----Original Message----- >> From: Owen DeLong [mailto:owen at delong.com] >> Sent: Sunday, April 11, 2010 10:18 PM >> To: joel jaeggli >> Cc: George Bonser; mcr at sandelman.ca; arin-ppml at arin.net >> Subject: Re: [arin-ppml] ULA-C >> >> Well said. Even RFC-1918 space can be routed across the global >> internet due to misconfiguration, so, I fail to see how that can >> possibly provide the protection described. >> >> Admittedly, the number of misconfigurations increases in inverse >> proportion to topological proximity, but, nonetheless, lots of routing >> tables see RFC-1918 space on the global internet due to >> misconfiguration. >> >> Why would ULA-C or any other "special" prefix be any different? >> >> Owen >> >> On Apr 11, 2010, at 7:14 PM, joel jaeggli wrote: >> >>> Oddly, I work for mondo-megacorp and I find it interesting that >> you're speaking for all entities that fit that category collectively. >>> >>> From my vantage point ,the security posture associated with a >> particular prefix, service or network internal to our administrative >> domain is defined by requirements not by some intrinsic nature of the >> prefix. >>> >>> George Bonser wrote: >>> >>>> >>>> >>>>> -----Original Message----- >>>>> From: joel jaeggli [mailto:joelja at bogus.com] >>>>> Sent: Sunday, April 11, 2010 6:37 PM >>>>> To: George Bonser; mcr at sandelman.ca >>>>> Cc: arin-ppml at arin.net >>>>> Subject: Re: [arin-ppml] ULA-C >>>>> >>>>> Mondo-megacorp will trivially have enough gua space to address > it's >>>>> extranet and the cost of aquiring space is negible compared to > cost >> of >>>>> deploying anything inside mondo-megacorp. >>>>> >>>>> Joel >>>>> >>>> >>>> Joel, you missed the point. The do not want their financial > backend >> systems on globally routable address space. >>>> >>>> They do not want it to even be POSSIBLE that by some kind of >> misconfiguration, their systems could be reachable from the Internet. >> So they put it in address space that is impossible to be reached > across >> the public Internet. >>>> >>>> >>>> >>>> >>>> >>> _______________________________________________ >>> PPML >>> You are receiving this message because you are subscribed to >>> the ARIN Public Policy Mailing List (ARIN-PPML at arin.net). >>> Unsubscribe or manage your mailing list subscription at: >>> http://lists.arin.net/mailman/listinfo/arin-ppml >>> Please contact info at arin.net if you experience any issues. From gbonser at seven.com Mon Apr 12 02:45:38 2010 From: gbonser at seven.com (George Bonser) Date: Sun, 11 Apr 2010 23:45:38 -0700 Subject: [arin-ppml] ULA-C References: <5A6D953473350C4B9995546AFE9939EE08FE6E58@RWC-EX1.corp.seven.com> <5A6D953473350C4B9995546AFE9939EE08FE6E63@RWC-EX1.corp.seven.com> Message-ID: <5A6D953473350C4B9995546AFE9939EE08FE6E6E@RWC-EX1.corp.seven.com> Inline > -----Original Message----- > From: Owen DeLong [mailto:owen at delong.com] > Sent: Sunday, April 11, 2010 11:30 PM > To: George Bonser > Cc: joel jaeggli; mcr at sandelman.ca; arin-ppml at arin.net > Subject: Re: [arin-ppml] ULA-C > > > On Apr 11, 2010, at 10:24 PM, George Bonser wrote: > > > Can you tell me how RFC1918 space can be routed across the global > > internet? > > > I didn't say it could be done without misconfiguration. I said that it > doesn't > protect you as much as you think in the case of misconfiguration. > > > No transit provider in the world accepts those routes and assuming > that > > such traffic would have to traverse at least three networks > > (originating, at least one transit and the destination), having all > > three misconfigured is quite unlikely. > > > And yet, time and time again, they show up in the routing tables. Yes, but probably not to the destination network you are trying to get to. You are missing my point. RFC1918 being in the routing table does not equate to that being the RFC1918 address of the network you would be targeting. In fact, they might have eleventy zillion paths to 10/8 for all I know. I suppose email is too difficult a forum for me to express myself on this subject. Just because RFC1918 addresses might be present in the routing table doesn't mean you can access foo.com's RFC1918 space from bar.com. It just means that SOMEONE is announcing the same space from someplace and that you are believing it. For a purposeful end to end connection to be made from foo.com to bar.com's RFC1918 space there would need to be an incredible number of mistakes to be made along the path. So imagine you are connecting from 192.168.1.1 to 192.168.2.2 ...whose 192.168.2.2 are you connecting to? In the case if unique private space, that problem goes away. Anyone with unique private space would potentially be reachable IF A: they announced it B: their transit provider believed it C: their peers believed it D: destination network believes it. I think the case of all four of those cases being true is less than if one is using global space. If one is using global space then everyone will believe it as a matter of course. > > > But I have never seen a transit network that will pass RFC1918 > traffic. > > Look harder, it has definitely happened. Granted, it possibly has. I haven't noticed, basically because I block such announcements at the front door. From mcr at sandelman.ca Mon Apr 12 08:42:51 2010 From: mcr at sandelman.ca (Michael Richardson) Date: Mon, 12 Apr 2010 08:42:51 -0400 Subject: [arin-ppml] ULA-C In-Reply-To: <4BBC0D5D.2060903@umn.edu> References: <28E139F46D45AF49A31950F88C497458058E241E@E03MVZ2-UKDY.domain1.systemhost.net> <4BA76279.9060809@umn.edu> <07B89580-34D1-4F02-BFD0-A7ADE6490B69@delong.com> <8695009A81378E48879980039EEDAD28876D4435@MAIL1.polartel.local> <8695009A81378E48879980039EEDAD28876D443A@MAIL1.polartel.local> <4BBC0D5D.2060903@umn.edu> Message-ID: <7357.1271076171@marajade.sandelman.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David, I want to thank you for the summary. I have waited a few days to see the responses, before contributing. You make 7 points. It seems that the thread has gone astray again. Your first 4 points address the issue of leakage, and why a unique prefix is better than having NCN randomly in the PI space, yet there is a long thread that misses those points completely. I believe that point #4 is very important, so I repeat it: > 4. The availability of ULA-C for internal addressing will likely > make PA addressing facing the Internet more palatable at least for > some classes of enterprise users. This might be implemented with > NAT66, multiple RAs, or any number of possible future solutions. > Like maybe some variation of LISP, or some other GSE type solutions. > But, the details are irrelevant that is an operational issue not a > policy one. I think it's important to remember how IPv4 came to occur. FIRST, Enterprises deployed it. They did it because having IP services were useful. They did so without any expectation that they would "connect" to the Internet --- they were already connected to themselves. (Who remembers when Apple had to renumber?) Responders to your email have not clearly said, "I disagree with point 1", yet they continue to argue it. I am glad that you understand point #5 -- about DNS and VPNs. (Those who know what IETF work I've done, realize that most of my work in the 2000s has been at intersection of DNS and IPsec...) Contraversal points you list are #6 and #7. David> 6. ULA-C, currently proposed as FC00::/8, is a much more David> limited resource than GUA 2000::/3, and since resource are David> being globally dedicated to individual organizations, some David> mechanism to ensure the long-term stewardship of those David> resource is necessary. The RIRs seem well suited to provide David> the necessary stewardship, as they already do this at a David> global scale for many other number resources, why build David> something new. I completely agree. I want the RIRs to do this. David> 7. ULA-C, even with a global well-known prefix, is just David> another 128bit integer, there is nothing fundamentally David> different about it, than PA or PI. In fact, with registered David> uniqueness, reverse DNS, and maybe even RPKI in the future, David> the only practical difference between ULA-C and PI is the David> non-routed property, applied realistically only by David> convention. There is one possible other difference, random David> prefix selection. While this could help prevent some kinds David> of abuse, I'm not sure this would provide much practical David> deterrence in using ULA-C as a substitute for PI. Which I David> believe is the primary abuse path of concern. I put no value on the randomness, but I do not object to it, but that's not the crux of your point. (Scanning the lower /64 bits is sufficient randomness for me) RPKI) I don't see why RPKI certificates would be issued for ULA-C space. If they were, it would be for completeness, and would specify a non-existant/reserved/invalid ASN. This itself would provide an additional hurdle against leakage. If RPKI was legitimately issued, it would be issued, in my opinion, from a different CA. Most likely anyone that needed RPKI for their ULA-C would be running their own CA. My opinion (as a security geek), is that running your own CA exceeds the cost of getting PI space!! David> Therefore, I believe the concerns about ULA-C becoming a path David> for policy abuse cannot be completely discounted. However, David> in reality the risk is no where near as large as some are David> claiming. Further, I believe this risk can be easily managed David> via the RIRs' number resource policy processes, if the RIRs David> were to be given full policy control of ULA-C registrations. I agree --- there could be abuse. Rather than overconstrain ourselves in advance, is there nothing we can do on a complaint basis? David> I believe, the stewardship the RIRs provide is necessary, and David> the RIRs' policy processes can properly manage the risk. As David> for cost, while not a policy matter, in the shorter-term David> ULA-C is not going to be as cost effective as some would David> hope. However, if in the longer-term the risks can be David> managed, then I have to believe that the RIRs will do the David> right thing. David> So, is some kind of compromise between the opposing camps David> possible? Otherwise, I fear this is going to continue to be a David> pointless shouting match. I can deal with these statements. They *do* represent a compromise to me. Michael Dillon? Bill Herrin? - -- ] He who is tired of Weird Al is tired of life! | firewalls [ ] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[ ] mcr at sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[ Kyoto Plus: watch the video then sign the petition. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Finger me for keys iQEVAwUBS8MVMoCLcPvd0N1lAQIjrwgAkUXbUxipqkSeKumCoRmF0tM94La4RJfB Qdjj8nnuIaSxeAU9CHQBUobX6HB6nHTzpXjqrgPIuT9vd6LUbF2MEHn8ZfJDlceu 5+Cv89FEn9khtAKpQKnPrwA67nhAM/ukY/3XWTwlCJ052vK74dtTTsMk5RhT/5G2 oE1Zgvi6PG7snL2aAWlMZ5dgP2zcG7WEbqy+F2toVlRwIRxbid8eIj02VXKWNwZw GVew5t3rPfbqdUM2Othf3XDdfik8z/2GajnQnSoz+WCwFzENvSPiT0HIpoVq4Kmo UHwn1WG04n22ur4NVRBinRQv9PBQorrIN5nWdR1SXnImYPVQ6Psntw== =fsXT -----END PGP SIGNATURE----- From kkargel at polartel.com Mon Apr 12 10:50:17 2010 From: kkargel at polartel.com (Kevin Kargel) Date: Mon, 12 Apr 2010 09:50:17 -0500 Subject: [arin-ppml] ULA-C In-Reply-To: <5A6D953473350C4B9995546AFE9939EE08FE6E63@RWC-EX1.corp.seven.com> References: <5A6D953473350C4B9995546AFE9939EE08FE6E58@RWC-EX1.corp.seven.com> <5A6D953473350C4B9995546AFE9939EE08FE6E63@RWC-EX1.corp.seven.com> Message-ID: <8695009A81378E48879980039EEDAD28876D4499@MAIL1.polartel.local> > > Can you tell me how RFC1918 space can be routed across the global > internet? > For an experiment have your edge router log traffic to/from RFC1918 addresses. I think you will be surprised to see that some *is* being routed over the internet but hopefully being stopped at your global edge. A quick look at an incoming filter on one of my edges shows: deny ip 10.0.0.0 0.255.255.255 any (262873 matches) deny ip 172.16.0.0 0.0.255.255 any (18474 matches) deny ip 192.168.0.0 0.0.255.255 any (127131 matches) I realize it is not a overpowering amount of traffic but it does exist. Kevin From cgrundemann at gmail.com Mon Apr 12 11:13:29 2010 From: cgrundemann at gmail.com (Chris Grundemann) Date: Mon, 12 Apr 2010 09:13:29 -0600 Subject: [arin-ppml] ULA-C In-Reply-To: <5A6D953473350C4B9995546AFE9939EE08FE6E6E@RWC-EX1.corp.seven.com> References: <5A6D953473350C4B9995546AFE9939EE08FE6E58@RWC-EX1.corp.seven.com> <5A6D953473350C4B9995546AFE9939EE08FE6E63@RWC-EX1.corp.seven.com> <5A6D953473350C4B9995546AFE9939EE08FE6E6E@RWC-EX1.corp.seven.com> Message-ID: Perhaps mostly for my own sanity I would like to summarize what I believe has been said a number of times in these threads as simply as possible so that we might move forward a bit: 1) "Private" address space (with or without NAT) is not a very good security measure (if a measure at all). 2) Regardless of the validity of point number one (which I happen to agree with) there are a large number of Orgs and folks who believe that they *need* "private" address space. And my own take on what this means: 1) ARIN is responsible to the entire community. 2) The community contains people who want/need "private" address space. 3) Therefor, ARIN should work to provide "private" address space to the community. We should probably focus on the draft policies on the plate for Toronto and put the whole ULA-C conversation on hold until after the meeting, but at that more appropriate time someone should draft a policy proposal that addresses the assigning of ULA-C to those who believe they need it. Then we can discuss the policy details and stop debating the operational (read: not policy related) issues surrounding "private" address space and NAT (maybe). $0.02 ~Chris > > _______________________________________________ > PPML > You are receiving this message because you are subscribed to > the ARIN Public Policy Mailing List (ARIN-PPML at arin.net). > Unsubscribe or manage your mailing list subscription at: > http://lists.arin.net/mailman/listinfo/arin-ppml > Please contact info at arin.net if you experience any issues. > -- @ChrisGrundemann weblog.chrisgrundemann.com www.burningwiththebush.com www.coisoc.org From cengel at sponsordirect.com Mon Apr 12 11:42:33 2010 From: cengel at sponsordirect.com (Chris Engel) Date: Mon, 12 Apr 2010 11:42:33 -0400 Subject: [arin-ppml] ULA-C In-Reply-To: Message-ID: Owen DeLong wrote: > Well said. Even RFC-1918 space can be routed across the > global internet due to misconfiguration, so, I fail to see > how that can possibly provide the protection described. > > Admittedly, the number of misconfigurations increases in > inverse proportion to topological proximity, but, > nonetheless, lots of routing tables see RFC-1918 space on the > global internet due to misconfiguration. > > Why would ULA-C or any other "special" prefix be any different? > > Owen > > On Apr 11, 2010, at 7:14 PM, joel jaeggli wrote: > > > Oddly, I work for mondo-megacorp and I find it interesting > that you're > > speaking for all entities that fit that category collectively. > > > > From my vantage point ,the security posture associated with a > > particular prefix, service or network internal to our > administrative > > domain is defined by requirements not by some intrinsic > nature of the > > prefix. With RFC-1918 there are two things that HELP prevent it from being routed to you. Firstly it's understood by convention that it's not supposed to be routed across the global internet... meaning that a non-negligible number of admins are going to decline to route it. Secondly it's not unique, so even if an admin accepted routes for it, the chance that it would be YOUR particular route and nobody elses is also fairly small. Granted, the chances that it would be routed to you are still some number higher then 0 percent.... but we all know that in security there is no such thing as a 0 percent chance of exploit (perfect defense). Any measure that reduces the chance of exploit by ANY degree has some value as a protection. With ULA-C, you do take away the non-unique factor but you still have the understood not to be globaly routed factor which does help. It's the same reason why people stop at red lights. There is nothing magical about the color red that makes car's apply thier breaks. It's simply well understood by most drivers that the color red means STOP. The color chosen doesn't really matter (just like the pre-fix), it could have been blue, orange or violet.... what matters is that it's a color easly distinguishable from the one which indicates GO (green) and that the convention of what you are SUPPOSED to do has been widely published and is well understood by most drivers who use the road. That's why ULA-C has value. The actual pre-fix chosen doesn't matter... what matters is that it's WIDELY published and understood what the INTENT of an address within that range is... so that when people see it, they can at least easily recognize what they are SUPPOSED to do with it. No one can force them to follow that convention, but at least the information is available for them to do so, if they choose. By contrast, it's not particularly easy for an admin to know that some guy half-way across the world is using this particular portion of his GUA for his private network and doesn't want it routed and this other particular portion of his GUA should be routed, if you happen to get announcements for both. Furthermore, I fail to see what the big hang-up is here. I don't think anyone is trying to speak for all domains and tell them that they MUST use ULA space for their private networks. By all means, if anyone that want's to use a portion of their GUA space for that... there is nothing in ULA that would hinder them from doing so. However, a certain percentage of the community clearly feels that there would be value in having ULA-C space. If there is no particular shortage of address space in IPv6, and the people who want it are willing to pay the costs to support ULA-C and we minimize the potential for abuse by treating it fee/policy wise identical to PI... where is the objection? Do we really need to micro-manage everyone else's networks & addressing choices for them.... or can we accept that different people have different views/approaches/values and provide for a wide range of options so that as many folks as possible can pursue the approach that THEY feel works best for them? Christopher Engel From lear at cisco.com Mon Apr 12 11:30:15 2010 From: lear at cisco.com (Eliot Lear) Date: Mon, 12 Apr 2010 17:30:15 +0200 Subject: [arin-ppml] ULA-C In-Reply-To: <4BBC0D5D.2060903@umn.edu> References: <28E139F46D45AF49A31950F88C497458058E241E@E03MVZ2-UKDY.domain1.systemhost.net> <4BA76279.9060809@umn.edu> <07B89580-34D1-4F02-BFD0-A7ADE6490B69@delong.com> <8695009A81378E48879980039EEDAD28876D4435@MAIL1.polartel.local> <8695009A81378E48879980039EEDAD28876D443A@MAIL1.polartel.local> <4BBC0D5D.2060903@umn.edu> Message-ID: <4BC33C87.8010304@cisco.com> David, Thank you for that summary. This has been an interesting discussion. My own reading of the "room" is that people have come to understand that if you assign a price of 0 to something that has value without any bounds on acquisition of that resource, someone somewhere will arbitrage the difference. The way the community has attempted to prevent that is through restrictions on "ownership", including a needs assessment and a limitation on transfers. It would seem prudent to maintain the same sorts of restrictions for ULA-C that we have for any other IP address as you wrote, particularly if reverse DNS is offered. At that point, even more so than you wrote, the difference between PI and ULA-C is strictly a matter of service provider policy, and nothing more, with even fewer externalities than that of RFC 1918 addresses . Indeed under those circumstances, a single service provider could offer VPN services using ULA-C without MPLS, although let us agree that the edge configuration might be a bit more "interesting". This leads to my own ultimate question: why doesn't Section 6.5.8 cover interior needs sufficiently? And this goes to your point (4), which I quote: > 4. The availability of ULA-C for internal addressing will likely make > PA addressing facing the Internet more palatable at least for some > classes of enterprise users. This might be implemented with NAT66, > multiple RAs, or any number of possible future solutions. Like maybe > some variation of LISP, or some other GSE type solutions. But, the > details are irrelevant that is an operational issue not a policy one. Of the arguments in your message, it would seem to me that this one, combined with whatever security argument one would be the ones that should be further developed. In addition, given that ARIN and the RIRs have demonstrated reasonable flexibility in terms of making changes to policies, one could reasonably ask the question as to whether this proposal is well timed. The introduction of NAT66 into the discussion is one that would need to be carefully considered, and LISP and ILNP (GSE's successor) are still nascent technologies. Regards, Eliot -------------- next part -------------- An HTML attachment was scrubbed... URL: From kkargel at polartel.com Mon Apr 12 12:03:07 2010 From: kkargel at polartel.com (Kevin Kargel) Date: Mon, 12 Apr 2010 11:03:07 -0500 Subject: [arin-ppml] ULA-C In-Reply-To: References: Message-ID: <8695009A81378E48879980039EEDAD28876D44A3@MAIL1.polartel.local> > > Well said. Even RFC-1918 space can be routed across the > > global internet due to misconfiguration, so, I fail to see > > how that can possibly provide the protection described. > > > > Admittedly, the number of misconfigurations increases in > > inverse proportion to topological proximity, but, > > nonetheless, lots of routing tables see RFC-1918 space on the > > global internet due to misconfiguration. > > > > Why would ULA-C or any other "special" prefix be any different? > > > > Owen > > > > On Apr 11, 2010, at 7:14 PM, joel jaeggli wrote: > > > > > Oddly, I work for mondo-megacorp and I find it interesting > > that you're > > > speaking for all entities that fit that category collectively. > > > > > > From my vantage point ,the security posture associated with a > > > particular prefix, service or network internal to our > > administrative > > > domain is defined by requirements not by some intrinsic > > nature of the > > > prefix. > > I am in the camp where I do not see any real added value to ULA, but at the same time it won't hurt to provide ULA so if people want it why not. If we really wanted to swing to the other side of the pendulum, and there is plenty of good space, then perhaps what we should do is to just automatically include a corresponding ULA allocation with each and every GUA allocation.. It would simplify recordkeeping if the ULA pool were the same size as the GUA pool, so a mirror allocation could be made. Then there would only need be one registration and database entry for each GUA/ULA pair assigned. An alternate idea would be to shift the GUA address right eight bits. For example if I were allocated GUA of 2610:188::0/32 then I could be allocated ULA at fc00:2610:188::0/48 automatically. Again it would be such a simple repeatable pattern there would only need be one registration and could be done at no additional cost. Kevin From kkargel at polartel.com Mon Apr 12 12:49:01 2010 From: kkargel at polartel.com (Kevin Kargel) Date: Mon, 12 Apr 2010 11:49:01 -0500 Subject: [arin-ppml] FW: ULA-C Message-ID: <8695009A81378E48879980039EEDAD28876D44A6@MAIL1.polartel.local> ERK! Monday morning math correction.. Sorry all.. I meant sixteen bits but typed eight. I am in the camp where I do not see any real added value to ULA, but at the same time it won't hurt to provide ULA so if people want it why not. If we really wanted to swing to the other side of the pendulum, and there is plenty of good space, then perhaps what we should do is to just automatically include a corresponding ULA allocation with each and every GUA allocation.. It would simplify recordkeeping if the ULA pool were the same size as the GUA pool, so a mirror allocation could be made. Then there would only need be one registration and database entry for each GUA/ULA pair assigned. An alternate idea would be to shift the GUA address right SIXTEEN (not eight) bits. For example if I were allocated GUA of 2610:188::0/32 then I could be allocated ULA at fc00:2610:188::0/48 automatically. Again it would be such a simple repeatable pattern there would only need be one registration and could be done at no additional cost. Kevin From kkargel at polartel.com Mon Apr 12 15:42:13 2010 From: kkargel at polartel.com (Kevin Kargel) Date: Mon, 12 Apr 2010 14:42:13 -0500 Subject: [arin-ppml] FW: ULA-C In-Reply-To: <20100412191814.GB15291@vacation.karoshi.com.> References: <8695009A81378E48879980039EEDAD28876D44A6@MAIL1.polartel.local> <20100412191814.GB15291@vacation.karoshi.com.> Message-ID: <8695009A81378E48879980039EEDAD28876D44B1@MAIL1.polartel.local> > > An alternate idea would be to shift the GUA address right SIXTEEN (not > eight) bits. For example if I were allocated GUA of 2610:188::0/32 then I > could be allocated ULA at fc00:2610:188::0/48 automatically. Again it > would be such a simple repeatable pattern there would only need be one > registration and could be done at no additional cost. > > > > Kevin > > do you think that all five (and maybe six) RIRs would buy into this > as a global > addressing policy? > > --bill I have no idea, I was just throwing something out that might make ULA more facile.. but if people thought it was a good idea here it should be just as good an idea elsewhere. Kevin From farmer at umn.edu Mon Apr 12 19:44:43 2010 From: farmer at umn.edu (David Farmer) Date: Mon, 12 Apr 2010 18:44:43 -0500 Subject: [arin-ppml] ULA-C In-Reply-To: References: <5A6D953473350C4B9995546AFE9939EE08FE6E58@RWC-EX1.corp.seven.com> <5A6D953473350C4B9995546AFE9939EE08FE6E63@RWC-EX1.corp.seven.com> <5A6D953473350C4B9995546AFE9939EE08FE6E6E@RWC-EX1.corp.seven.com> Message-ID: <4BC3B06B.5050603@umn.edu> Chris Grundemann wrote: > Perhaps mostly for my own sanity I would like to summarize what I > believe has been said a number of times in these threads as simply as > possible so that we might move forward a bit: > > 1) "Private" address space (with or without NAT) is not a very good > security measure (if a measure at all). > 2) Regardless of the validity of point number one (which I happen to > agree with) there are a large number of Orgs and folks who believe > that they *need* "private" address space. > > And my own take on what this means: > 1) ARIN is responsible to the entire community. > 2) The community contains people who want/need "private" address space. > 3) Therefor, ARIN should work to provide "private" address space to > the community. I agree with all of those points. > We should probably focus on the draft policies on the plate for > Toronto and put the whole ULA-C conversation on hold until after the > meeting, but at that more appropriate time someone should draft a > policy proposal that addresses the assigning of ULA-C to those who > believe they need it. I mostly agree except for one point, currently DP2010-8 includes assignments of PI address space for non-connected networks (NCN). This basically comes from the concept of NCN as it is in current IPv4 policy. Personally, I believe there is a place for both NCN PI and for ULA-C. Further, I believe PI, NCN PI, and ULA-C, should have similar if not identical policies, but that is for a later discussion. Also, I believe NCN PI and ULA-C can be treated as separate policy questions. However, I'm not sure everyone agrees with this. So, the ULA-C question may inject itself into DP2010-8's discussion. Additionally, for DP2010-7 a non-routed prefix is likely to be a point of discussion too. Therefore, at least some understanding of where to go with ULA-C may become necessary to move 2010-8 or 2010-7 forward, which ever direction we decide to go. As you suggest if possible, it might be helpful if we could discuss these policies in isolation of the ULA-C question and then come back to the ULA-C question for the next round of policy discussions. But, this will take everyones cooperation, I don't think it would be proper to dictate this from the podium. Another possible tactic would be to eliminate both NCN PI or a non-routed prefix from these policies and include that as part of a ULA-C policy discussion. Other ideas? How would people prefer to proceed on this? A little thought ahead of time on this might help focus the discussion and make for a more effective floor discussion in Toronto. Thanks > Then we can discuss the policy details and stop > debating the operational (read: not policy related) issues surrounding > "private" address space and NAT (maybe). Yes, please. > $0.02 > ~Chris In my opinion it is worth way more than $0.02. :) -- =============================================== David Farmer Email:farmer at umn.edu Networking & Telecommunication Services Office of Information Technology University of Minnesota 2218 University Ave SE Phone: 612-626-0815 Minneapolis, MN 55414-3029 Cell: 612-812-9952 =============================================== From farmer at umn.edu Mon Apr 12 20:08:17 2010 From: farmer at umn.edu (David Farmer) Date: Mon, 12 Apr 2010 19:08:17 -0500 Subject: [arin-ppml] ULA-C In-Reply-To: <7357.1271076171@marajade.sandelman.ca> References: <28E139F46D45AF49A31950F88C497458058E241E@E03MVZ2-UKDY.domain1.systemhost.net> <4BA76279.9060809@umn.edu> <07B89580-34D1-4F02-BFD0-A7ADE6490B69@delong.com> <8695009A81378E48879980039EEDAD28876D4435@MAIL1.polartel.local> <8695009A81378E48879980039EEDAD28876D443A@MAIL1.polartel.local> <4BBC0D5D.2060903@umn.edu> <7357.1271076171@marajade.sandelman.ca> Message-ID: <4BC3B5F1.4040204@umn.edu> Michael Richardson wrote: > David> 7. ULA-C, even with a global well-known prefix, is just > David> another 128bit integer, there is nothing fundamentally > David> different about it, than PA or PI. In fact, with registered > David> uniqueness, reverse DNS, and maybe even RPKI in the future, > David> the only practical difference between ULA-C and PI is the > David> non-routed property, applied realistically only by > David> convention. There is one possible other difference, random > David> prefix selection. While this could help prevent some kinds > David> of abuse, I'm not sure this would provide much practical > David> deterrence in using ULA-C as a substitute for PI. Which I > David> believe is the primary abuse path of concern. > > I put no value on the randomness, but I do not object to it, but that's > not the crux of your point. (Scanning the lower /64 bits is sufficient > randomness for me) Yep, I don't care either way too. But there is one thing random assignment from the full ULA-C prefix would accomplish; it would prevent someone from easily accepting ARIN's ULA-C assignments and not the other RIR's ULA-C assignments. And preventing it from becoming a regional PI substitute. Is this worth the hassle? I don't know. > RPKI) I don't see why RPKI certificates would be issued for ULA-C space. > If they were, it would be for completeness, and would specify a > non-existant/reserved/invalid ASN. This itself would provide an > additional hurdle against leakage. > > If RPKI was legitimately issued, it would be issued, in my > opinion, from a different CA. Most likely anyone that needed RPKI > for their ULA-C would be running their own CA. My opinion (as a > security geek), is that running your own CA exceeds the cost of > getting PI space!! I don't want to derail things with a discussion of RPKI for ULA-C, there are many different ways to deal with it I'm not sure what the right answers are. But just like I think those that want Authoritative Reverse DNS for ULA-C should be able to get it, if someone wants an RPKI certificate from ARIN for their ULA-C assignment, why not? And it is yet another reason to have the RIR's do ULA-C assignment. ULA-C is just more of the same of what the RIRs do now. > David> Therefore, I believe the concerns about ULA-C becoming a path > David> for policy abuse cannot be completely discounted. However, > David> in reality the risk is no where near as large as some are > David> claiming. Further, I believe this risk can be easily managed > David> via the RIRs' number resource policy processes, if the RIRs > David> were to be given full policy control of ULA-C registrations. > > I agree --- there could be abuse. > Rather than overconstrain ourselves in advance, is there nothing we can > do on a complaint basis? Where do those complaints go? How do we resolve disputes? For PA and PI essentially that is dealt within the policy development processes for the RIRs. That is how we hash things out as a community, it seems logical to use the same processes for ULA-C. But, I'm open to other ideas. > David> I believe, the stewardship the RIRs provide is necessary, and > David> the RIRs' policy processes can properly manage the risk. As > David> for cost, while not a policy matter, in the shorter-term > David> ULA-C is not going to be as cost effective as some would > David> hope. However, if in the longer-term the risks can be > David> managed, then I have to believe that the RIRs will do the > David> right thing. > > David> So, is some kind of compromise between the opposing camps > David> possible? Otherwise, I fear this is going to continue to be a > David> pointless shouting match. > > I can deal with these statements. They *do* represent a compromise to > me. > > Michael Dillon? > Bill Herrin? I'm interested in what others think, is this a compromise we can all live with? -- =============================================== David Farmer Email:farmer at umn.edu Networking & Telecommunication Services Office of Information Technology University of Minnesota 2218 University Ave SE Phone: 612-626-0815 Minneapolis, MN 55414-3029 Cell: 612-812-9952 =============================================== From bill at herrin.us Mon Apr 12 20:41:56 2010 From: bill at herrin.us (William Herrin) Date: Mon, 12 Apr 2010 20:41:56 -0400 Subject: [arin-ppml] ULA-C In-Reply-To: References: <5A6D953473350C4B9995546AFE9939EE08FE6E58@RWC-EX1.corp.seven.com> <5A6D953473350C4B9995546AFE9939EE08FE6E63@RWC-EX1.corp.seven.com> Message-ID: On Mon, Apr 12, 2010 at 2:30 AM, Owen DeLong wrote: >> No transit provider in the world accepts those routes and assuming that >> such traffic would have to traverse at least three networks >> (originating, at least one transit and the destination), having all >> three misconfigured is quite unlikely. >> > And yet, time and time again, they show up in the routing tables. Owen, So what? You can kill them with three lines in your filter if they bother you. As can I. As can anyone who cares. And a ULA-C will be even easier: just one line to suppress the whole mess. Are you so insecure about ARIN's ability to satisfy IPv6 GUA users that you think those users will do what it takes to pressure the network operators into reliably carrying ULA as if it was GUA? You shouldn't be. ARIN does fine. Hell, if it's a concern, why not offer ULA based on the registrant's agreement not to announce it into the public Internet routing tables and give ARIN the right to fine registrants and if necessary revoke the registration for any uncorrected leak that someone complains about? Regards, Bill Herrin -- William D. Herrin ................ herrin at dirtside.com bill at herrin.us 3005 Crane Dr. ...................... Web: Falls Church, VA 22042-3004 From mcr at sandelman.ca Mon Apr 12 20:46:14 2010 From: mcr at sandelman.ca (Michael Richardson) Date: Mon, 12 Apr 2010 20:46:14 -0400 Subject: [arin-ppml] ULA-C and RPKI In-Reply-To: <4BC3B5F1.4040204@umn.edu> References: <28E139F46D45AF49A31950F88C497458058E241E@E03MVZ2-UKDY.domain1.systemhost.net> <4BA76279.9060809@umn.edu> <07B89580-34D1-4F02-BFD0-A7ADE6490B69@delong.com> <8695009A81378E48879980039EEDAD28876D4435@MAIL1.polartel.local> <8695009A81378E48879980039EEDAD28876D443A@MAIL1.polartel.local> <4BBC0D5D.2060903@umn.edu> <7357.1271076171@marajade.sandelman.ca> <4BC3B5F1.4040204@umn.edu> Message-ID: <17252.1271119574@marajade.sandelman.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 >>>>> "David" == David Farmer writes: >> RPKI) I don't see why RPKI certificates would be issued for ULA-C space. >> If they were, it would be for completeness, and would specify a >> non-existant/reserved/invalid ASN. This itself would provide an >> additional hurdle against leakage. >> If RPKI was legitimately issued, it would be issued, in my >> opinion, from a different CA. Most likely anyone that needed RPKI >> for their ULA-C would be running their own CA. My opinion (as a >> security geek), is that running your own CA exceeds the cost of >> getting PI space!! David> I don't want to derail things with a discussion of RPKI for David> ULA-C, there are many different ways to deal with it I'm not David> sure what the right answers are. But just like I think those David> that want Authoritative Reverse DNS for ULA-C should be able David> to get it, if someone wants an RPKI certificate from ARIN for David> their ULA-C assignment, why not? And it is yet another David> reason to have the RIR's do ULA-C assignment. ULA-C is just David> more of the same of what the RIRs do now. Why not? Well because a full-validity, primary AA binding of ULA-C to an ASN makes no operational sense. If we agree that the only routing of ULA-C is private small-i internets (COINs), then those organizations that want to do this need to run their own RPKI AA's. (AA = Authorization Authority) - -- ] He who is tired of Weird Al is tired of life! | firewalls [ ] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[ ] mcr at sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[ Kyoto Plus: watch the video then sign the petition. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Finger me for keys iQEVAwUBS8O+1YCLcPvd0N1lAQJwigf/au+zdCNs3/nIvtkYpwXuGKHr+amiMt6B HeiITnhKfwkvyGMEj5CF9cqUseNUiYs8GM28PMhZt58MNoGl7WQLkBGgaUPDcJek mbvS31+3uWjUpzrtqVC5LqmrDjN6EriRPt3zmgY5tMIdsIBpoN1yrejP8gXTvYUz NOSBeN3GXKp0Sdv+I4DqAjTIBMlYWCMbByFAnLkXy5b6BKpN9qdbievb9PYX0g6w CarcqElhyApN4nE7+VDuYafDM9SqcX0ershN7sn+E8APX52rj0hsBH7yNsviWQJi jvYRvdSKmdC3+bqDBJir6Gw4Q2RZaLyhrq/QfTqNgJjnbQ+kBPFcHA== =OAbF -----END PGP SIGNATURE----- From mcr at sandelman.ca Mon Apr 12 21:00:04 2010 From: mcr at sandelman.ca (Michael Richardson) Date: Mon, 12 Apr 2010 21:00:04 -0400 Subject: [arin-ppml] ULA-C In-Reply-To: <4BC3B5F1.4040204@umn.edu> References: <28E139F46D45AF49A31950F88C497458058E241E@E03MVZ2-UKDY.domain1.systemhost.net> <4BA76279.9060809@umn.edu> <07B89580-34D1-4F02-BFD0-A7ADE6490B69@delong.com> <8695009A81378E48879980039EEDAD28876D4435@MAIL1.polartel.local> <8695009A81378E48879980039EEDAD28876D443A@MAIL1.polartel.local> <4BBC0D5D.2060903@umn.edu> <7357.1271076171@marajade.sandelman.ca> <4BC3B5F1.4040204@umn.edu> Message-ID: <18253.1271120404@marajade.sandelman.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 >>>>> "David" == David Farmer writes: David> Therefore, I believe the concerns about ULA-C becoming a path David> for policy abuse cannot be completely discounted. However, David> in reality the risk is no where near as large as some are David> claiming. Further, I believe this risk can be easily managed David> via the RIRs' number resource policy processes, if the RIRs David> were to be given full policy control of ULA-C registrations. mcr> I agree --- there could be abuse. mcr> Rather than overconstrain ourselves in advance, is there mcr> nothing we can do on a complaint basis? David> Where do those complaints go? How do we resolve disputes? For David> PA and PI essentially that is dealt within the policy David> development processes for the RIRs. That is how we hash David> things out as a community, it seems logical to use the same David> processes for ULA-C. Let's say that I start announcing 134.84.123.0/24 from my ASN. What would you do? Who would you complain to? (yes, RPKI is a tool to prevent that, as is the RPDB, assume it happens) But, assuming it gets through, how is that different than announcing IANA's FC00::/7 on the public Internet? What I'm asking is: why do we have to think through all possible actions in advance, and write intricate policies... why do we have no mechanisms to permit judgement? There is a pathology where organizations try to write policies for everything, as opposed to routine things+clear exceptions, only I don't know what the word is. - -- ] He who is tired of Weird Al is tired of life! | firewalls [ ] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[ ] mcr at sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[ Kyoto Plus: watch the video then sign the petition. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Finger me for keys iQEVAwUBS8PCEYCLcPvd0N1lAQIxEwf/egQXX+DlSIA70YyuG+gTg7OL8eF8ya/f y9PJj085yuwL9jSyfglDJxdDIKAXDz5Nmq/8qIcNW8Xqy++Kkn4BSlOk0+BGmGfs IYX6RoZB6X0E6b5Baf0zwQ43zBmKoDy0W4aBnFBx4rTr4HTyt8aaoYspgFFr1Nuj RQCBBqdeRb+V3Oa+tZFTRk9eh+gmrKKjzaVmweCm9HzVOgYUZOCVjAv2vMr00uk8 INLtf045IQKOqmkG1LWoCfibkpprgVTga2HC06Mfh617/ptc4blmkSnl+ibaJ8gT sQP6PjDgtGICGW2lrTDOJWXOGEih6AI/SlAzbCLdHXIoYR8GeMcFGw== =s/MA -----END PGP SIGNATURE----- From bill at herrin.us Mon Apr 12 21:08:28 2010 From: bill at herrin.us (William Herrin) Date: Mon, 12 Apr 2010 21:08:28 -0400 Subject: [arin-ppml] ULA-C and RPKI In-Reply-To: <17252.1271119574@marajade.sandelman.ca> References: <28E139F46D45AF49A31950F88C497458058E241E@E03MVZ2-UKDY.domain1.systemhost.net> <8695009A81378E48879980039EEDAD28876D4435@MAIL1.polartel.local> <8695009A81378E48879980039EEDAD28876D443A@MAIL1.polartel.local> <4BBC0D5D.2060903@umn.edu> <7357.1271076171@marajade.sandelman.ca> <4BC3B5F1.4040204@umn.edu> <17252.1271119574@marajade.sandelman.ca> Message-ID: On Mon, Apr 12, 2010 at 8:46 PM, Michael Richardson wrote: >>>>>> "David" == David Farmer writes: > ? ?David> I don't want to derail things with a discussion of RPKI for > ? ?David> ULA-C, there are many different ways to deal with it I'm not > ? ?David> sure what the right answers are. But just like I think those > ? ?David> that want Authoritative Reverse DNS for ULA-C should be able > ? ?David> to get it, if someone wants an RPKI certificate from ARIN for > ? ?David> their ULA-C assignment, why not? ?And it is yet another > ? ?David> reason to have the RIR's do ULA-C assignment. ?ULA-C is just > ? ?David> more of the same of what the RIRs do now. > > Why not? ?Well because a full-validity, primary AA binding of ULA-C to > an ASN makes no operational sense. > > If we agree that the only routing of ULA-C is private small-i internets > (COINs), then those organizations that want to do this need to run their > own RPKI AA's. (AA = Authorization Authority) Last I read anything about it, there wasn't enough information about RPKI's final form to make a determination whether or not ULA could be usefully signed. At least one form I read is nothing more than an expression from the space's registrant that, "this is the scope of what I announce; anything else is false." ARIN is expected to sign any record the legitimate registrant places before it, even if it claims disaggregation down to /128. There's no reason ULA in this scenario couldn't be signed by ARIN. On the other hand, you could also use signing / refusing to sign records as a disaggregation and entry control to try to suppress route count in the Internet's routing tables. With justification criteria for the record you want signed just like there was justification criteria for getting the GUA space in the first place. Signing ULA records in that scenario would obviously be problematic... Regards, Bill Herrin -- William D. Herrin ................ herrin at dirtside.com bill at herrin.us 3005 Crane Dr. ...................... Web: Falls Church, VA 22042-3004 From mcr at sandelman.ca Mon Apr 12 21:14:36 2010 From: mcr at sandelman.ca (Michael Richardson) Date: Mon, 12 Apr 2010 21:14:36 -0400 Subject: [arin-ppml] ULA-C In-Reply-To: References: <5A6D953473350C4B9995546AFE9939EE08FE6E58@RWC-EX1.corp.seven.com> <5A6D953473350C4B9995546AFE9939EE08FE6E63@RWC-EX1.corp.seven.com> Message-ID: <19412.1271121276@marajade.sandelman.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 >>>>> "William" == William Herrin writes: William> So what? You can kill them with three lines in your filter if they William> bother you. As can I. As can anyone who cares. And a ULA-C will be William> even easier: just one line to suppress the whole mess. So, if ULA is going leak, why hasn't ULA-R leaked already? William> Hell, if it's a concern, why not offer ULA based on the William> registrant's agreement not to announce it into the public William> Internet routing tables and give ARIN the right to fine William> registrants and if necessary revoke the registration for William> any uncorrected leak that someone complains about? Of course, one can get around all of this by leaking ULA-R (at the cost of whois and reverse DNS). If anything, offering ULA-C, and demanding this kind of agreement seems to give ARIN more power over ULA space, rather than less. If you give out whois and rDNS, then ARIN also winds up with the power to insert shaming statements into those databases. - -- ] He who is tired of Weird Al is tired of life! | firewalls [ ] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[ ] mcr at sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[ Kyoto Plus: watch the video then sign the petition. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Finger me for keys iQEVAwUBS8PFe4CLcPvd0N1lAQIXDwf7Bq2r++ZQnGHmXeJaOjexhMIBfoETF+iv JTPp7X9g/svh5P82lIiiKIKAu73D+7zM+oOFAS3cZUY+ynKgvGwK+8o2wjVuSXqy 20VF8alzP9MsygwxFYSQLnf3d/g0UieT3BMOCr53EBZfVXLVIyPql+A/j8UIyvXa WDHZeo16zQM8VhD1b8kLaiIMKztKSnNAokIZkAckN+5A4awHFzLsaZfQQv0Nh3Vb QuMQ9t/40l6V9v+LUKqVkQ90Yos8gqS4m/hcaGEaNqtI9SUwNAG2SnnB1SFI0YsN hbpWP/nNIWuy3NBBcK4o4i3s2OEwe3CPq5OuJiBjV4VVSI7NacM8AA== =bxU1 -----END PGP SIGNATURE----- From owen at delong.com Mon Apr 12 22:02:59 2010 From: owen at delong.com (Owen DeLong) Date: Mon, 12 Apr 2010 19:02:59 -0700 Subject: [arin-ppml] ULA-C In-Reply-To: References: <5A6D953473350C4B9995546AFE9939EE08FE6E58@RWC-EX1.corp.seven.com> <5A6D953473350C4B9995546AFE9939EE08FE6E63@RWC-EX1.corp.seven.com> Message-ID: <3B16CEDE-291F-4AB6-AEF1-B36B92757A1B@delong.com> On Apr 12, 2010, at 5:41 PM, William Herrin wrote: > On Mon, Apr 12, 2010 at 2:30 AM, Owen DeLong wrote: >>> No transit provider in the world accepts those routes and assuming that >>> such traffic would have to traverse at least three networks >>> (originating, at least one transit and the destination), having all >>> three misconfigured is quite unlikely. >>> >> And yet, time and time again, they show up in the routing tables. > > Owen, > > So what? You can kill them with three lines in your filter if they > bother you. As can I. As can anyone who cares. And a ULA-C will be > even easier: just one line to suppress the whole mess. > The discussion was about whether RFC-1918/ULA provide a security benefit or could be accidentally advertised. My point is that they can and are. > Are you so insecure about ARIN's ability to satisfy IPv6 GUA users > that you think those users will do what it takes to pressure the > network operators into reliably carrying ULA as if it was GUA? You > shouldn't be. ARIN does fine. > Not at all. I'm not opposed to ULA implemented in a non-harmful way. I am opposed to perpetuating the myth that it somehow enhances security. Owen From bill at herrin.us Mon Apr 12 22:33:07 2010 From: bill at herrin.us (William Herrin) Date: Mon, 12 Apr 2010 22:33:07 -0400 Subject: [arin-ppml] ULA-C In-Reply-To: <3B16CEDE-291F-4AB6-AEF1-B36B92757A1B@delong.com> References: <5A6D953473350C4B9995546AFE9939EE08FE6E58@RWC-EX1.corp.seven.com> <5A6D953473350C4B9995546AFE9939EE08FE6E63@RWC-EX1.corp.seven.com> <3B16CEDE-291F-4AB6-AEF1-B36B92757A1B@delong.com> Message-ID: On Mon, Apr 12, 2010 at 10:02 PM, Owen DeLong wrote: > The discussion was about whether RFC-1918/ULA provide a security > benefit or could be accidentally advertised. My mistake. I thought the discussion was about whether or not accidental advertisements could pose a policy-level threat to Internet operations, not whether readily cleaned negligible-impact accidents were possible. >?I'm not opposed to ULA implemented in a non-harmful way. > > I am opposed to perpetuating the myth that it somehow enhances > security. Then it's fortunate that no one has proposed an ARIN declaration that ULA is good for Internet security. Fortunate indeed that the proposal on the table is merely to allow folks to register the ULA space they use so that no one accidentally uses the same space, without the onerous hoops and costs justifiably needed for the assignment and allocation of GUA space. Regards, Bill Herrin -- William D. Herrin ................ herrin at dirtside.com bill at herrin.us 3005 Crane Dr. ...................... Web: Falls Church, VA 22042-3004 From owen at delong.com Mon Apr 12 22:36:41 2010 From: owen at delong.com (Owen DeLong) Date: Mon, 12 Apr 2010 19:36:41 -0700 Subject: [arin-ppml] ULA-C In-Reply-To: References: <5A6D953473350C4B9995546AFE9939EE08FE6E58@RWC-EX1.corp.seven.com> <5A6D953473350C4B9995546AFE9939EE08FE6E63@RWC-EX1.corp.seven.com> <3B16CEDE-291F-4AB6-AEF1-B36B92757A1B@delong.com> Message-ID: > > Then it's fortunate that no one has proposed an ARIN declaration that > ULA is good for Internet security. Fortunate indeed that the proposal > on the table is merely to allow folks to register the ULA space they > use so that no one accidentally uses the same space, without the > onerous hoops and costs justifiably needed for the assignment and > allocation of GUA space. > The latter part, the without the hops and justifiable need issue is a policy problem, indeed. If ARIN is to issue ULA, it should be on substantially the same terms as GUA so that there is no incentive to (mis)use ULA where GUA is required. I am all for reducing the GUA barrier to non-onerous. Owen -------------- next part -------------- An HTML attachment was scrubbed... URL: From bill at herrin.us Mon Apr 12 23:08:48 2010 From: bill at herrin.us (William Herrin) Date: Mon, 12 Apr 2010 23:08:48 -0400 Subject: [arin-ppml] ULA-C In-Reply-To: References: <5A6D953473350C4B9995546AFE9939EE08FE6E58@RWC-EX1.corp.seven.com> <5A6D953473350C4B9995546AFE9939EE08FE6E63@RWC-EX1.corp.seven.com> <3B16CEDE-291F-4AB6-AEF1-B36B92757A1B@delong.com>

Message-ID: On Mon, Apr 12, 2010 at 10:36 PM, Owen DeLong wrote: > The latter part, the without the hops and justifiable need issue is a > policy problem, indeed. ?If ARIN is to issue ULA, it should be on > substantially the same terms as GUA so that there is no incentive > to (mis)use ULA where GUA is required. > I am all for reducing the GUA barrier to non-onerous. And so we're back full circle to the beginning where you're not opposed to ULA as long as it's actually GUA and you're not opposed to making GUA non-onerous as long as we retain all the barriers and costs that make it onerous. -- William D. Herrin ................ herrin at dirtside.com bill at herrin.us 3005 Crane Dr. ...................... Web: Falls Church, VA 22042-3004 From michel at arneill-py.sacramento.ca.us Mon Apr 12 23:48:29 2010 From: michel at arneill-py.sacramento.ca.us (Michel Py) Date: Mon, 12 Apr 2010 20:48:29 -0700 Subject: [arin-ppml] ULA-C In-Reply-To: <3B16CEDE-291F-4AB6-AEF1-B36B92757A1B@delong.com> References: <5A6D953473350C4B9995546AFE9939EE08FE6E58@RWC-EX1.corp.seven.com><5A6D953473350C4B9995546AFE9939EE08FE6E63@RWC-EX1.corp.seven.com> <3B16CEDE-291F-4AB6-AEF1-B36B92757A1B@delong.com> Message-ID: <471D76419F9EF642962323D13DF1DF690118BA@newserver.arneill-py.local> > Owen DeLong > I am opposed to perpetuating the myth that it somehow enhances security. The reason RFC1918 addresses "enhance" security is because they are ambiguous. The odds of your ISP announcing your RFC1918 prefix on the GRT are small: it requires a screw-up both on your side and on your ISP's side. Furthermore, even though this occasionally happens, chances are that even if this happens, you won't be at much risk. My router's IP address is 192.168.1.1. Come and attack it. Oh, you successfully DDOSed a Linksys in Waikiki beach. Congratulations. Now, that being said, the IPv6 game is different. As long as the size of any IPv6 pool is "large-enough-to-be-almost-unique", there will be temptations to announce it and therefore make it vulnerable. The so-called "security" does not come from the address being labeled as "private". Michel. From owen at delong.com Tue Apr 13 00:03:52 2010 From: owen at delong.com (Owen DeLong) Date: Mon, 12 Apr 2010 21:03:52 -0700 Subject: [arin-ppml] ULA-C In-Reply-To: References: <5A6D953473350C4B9995546AFE9939EE08FE6E58@RWC-EX1.corp.seven.com> <5A6D953473350C4B9995546AFE9939EE08FE6E63@RWC-EX1.corp.seven.com> <3B16CEDE-291F-4AB6-AEF1-B36B92757A1B@delong.com>

Message-ID: <83193A72-D442-4312-B579-02BBD39DA065@delong.com> On Apr 12, 2010, at 8:08 PM, William Herrin wrote: > On Mon, Apr 12, 2010 at 10:36 PM, Owen DeLong wrote: >> The latter part, the without the hops and justifiable need issue is a >> policy problem, indeed. If ARIN is to issue ULA, it should be on >> substantially the same terms as GUA so that there is no incentive >> to (mis)use ULA where GUA is required. >> I am all for reducing the GUA barrier to non-onerous. > > And so we're back full circle to the beginning where you're not > opposed to ULA as long as it's actually GUA and you're not opposed to > making GUA non-onerous as long as we retain all the barriers and costs > that make it onerous. > Not at all... ULA as strictly address space that's theoretically unroutable is fine with me. I'm all for making GUA available for significantly lower fees than the current pricing if it can be done practically. I am not for any elimination of justified need, but, I'm actually willing to go pretty far on lowering the level required for justified need. Probably much further than many other people. Owen From farmer at umn.edu Tue Apr 13 00:12:53 2010 From: farmer at umn.edu (David Farmer) Date: Mon, 12 Apr 2010 23:12:53 -0500 Subject: [arin-ppml] ULA-C In-Reply-To: <4BC33C87.8010304@cisco.com> References: <28E139F46D45AF49A31950F88C497458058E241E@E03MVZ2-UKDY.domain1.systemhost.net> <4BA76279.9060809@umn.edu> <07B89580-34D1-4F02-BFD0-A7ADE6490B69@delong.com> <8695009A81378E48879980039EEDAD28876D4435@MAIL1.polartel.local> <8695009A81378E48879980039EEDAD28876D443A@MAIL1.polartel.local> <4BBC0D5D.2060903@umn.edu> <4BC33C87.8010304@cisco.com> Message-ID: <4BC3EF45.7050903@umn.edu> Eliot Lear wrote: > This leads to my own ultimate question: why doesn't Section 6.5.8 cover > interior needs sufficiently? At least right now, in the end for ARIN, I believe a common policy for PI, NCN PI, and ULA-C makes sense to me. Or, if for some reason one policy isn't doable, then three different policies that are essentially identical. However, I've been trying not to jump strait to a final conclusion, but to help facilitate the process of finding a consensus that allows ULA-C to move forward. And I have to admit, I've waffled on and rethought the exact details a number of times in the past few months regarding ULA-C. Further, until we can develop a consensus for how ULA-C should work, who should provide the registry services for it, and under what kind of terms, coming up with an ARIN policy for making ULA-C assignments, through 6.5.8 or what ever final process seems premature. > And this goes to your point (4), which I > quote: > >> 4. The availability of ULA-C for internal addressing will likely make >> PA addressing facing the Internet more palatable at least for some >> classes of enterprise users. This might be implemented with NAT66, >> multiple RAs, or any number of possible future solutions. Like maybe >> some variation of LISP, or some other GSE type solutions. But, the >> details are irrelevant that is an operational issue not a policy one. > > Of the arguments in your message, it would seem to me that this one, > combined with whatever security argument one would be the ones that > should be further developed. Do you have suggestion how to further develop this argument? > In addition, given that ARIN and the RIRs > have demonstrated reasonable flexibility in terms of making changes to > policies, one could reasonably ask the question as to whether this > proposal is well timed. Could you clarify what you mean here, are you suggesting this should wait? If so, to an extent I agree, we realistically can't take this up until the Fall ARIN meeting, is that still to soon? However, as I discuss in my response to Chris, this issue is at least partially entwined in a couple policies that will be discussed next week in Toronto. > The introduction of NAT66 into the discussion > is one that would need to be carefully considered, and LISP and ILNP > (GSE's successor) are still nascent technologies. Are the considerations with regard to NAT66 and ILNP different for ULA-C than for ULA-L (RFC 4193)? > Regards, > > Eliot -- =============================================== David Farmer Email:farmer at umn.edu Networking & Telecommunication Services Office of Information Technology University of Minnesota 2218 University Ave SE Phone: 612-626-0815 Minneapolis, MN 55414-3029 Cell: 612-812-9952 =============================================== From bill at herrin.us Tue Apr 13 00:50:17 2010 From: bill at herrin.us (William Herrin) Date: Tue, 13 Apr 2010 00:50:17 -0400 Subject: [arin-ppml] ULA-C In-Reply-To: <83193A72-D442-4312-B579-02BBD39DA065@delong.com> References: <5A6D953473350C4B9995546AFE9939EE08FE6E58@RWC-EX1.corp.seven.com> <5A6D953473350C4B9995546AFE9939EE08FE6E63@RWC-EX1.corp.seven.com> <3B16CEDE-291F-4AB6-AEF1-B36B92757A1B@delong.com>

<83193A72-D442-4312-B579-02BBD39DA065@delong.com> Message-ID: On Tue, Apr 13, 2010 at 12:03 AM, Owen DeLong wrote: > > On Apr 12, 2010, at 8:08 PM, William Herrin wrote: > >> On Mon, Apr 12, 2010 at 10:36 PM, Owen DeLong wrote: >>> The latter part, the without the hops and justifiable need issue is a >>> policy problem, indeed. ?If ARIN is to issue ULA, it should be on >>> substantially the same terms as GUA so that there is no incentive >>> to (mis)use ULA where GUA is required. >>> I am all for reducing the GUA barrier to non-onerous. >> >> And so we're back full circle to the beginning where you're not >> opposed to ULA as long as it's actually GUA and you're not opposed to >> making GUA non-onerous as long as we retain all the barriers and costs >> that make it onerous. >> > Not at all... ULA as strictly address space that's theoretically unroutable > is fine with me. ?I'm all for making GUA available for significantly lower > fees than the current pricing if it can be done practically. I am not for > any elimination of justified need, but, I'm actually willing to go pretty far > on lowering the level required for justified need. ?Probably much further > than many other people. Well, I will work with you tirelessly to identify practical ways to improve the process for getting GUA space, but that doesn't help the folks who intend to use ULA space. They have a need poorly served by any GUA or GUA-pinned regime you've suggested: negligible cost grab and go addresses for use with the barest hint of planning, consuming only the most trivial of the registry services: entries in two databases. I don't think we want that for GUA. I think we *want* people to carefully consider how they intend to use GUA addresses before requesting them from the registry and throwing route announcements. Don't you? Of course if you'd rather, we can simply build up the ULA registry at http://www.sixxs.net/tools/grh/ula/list/ It'll be done poorly versus what a strong operation like ARIN is capable of but it'll meet the actual registered ULA need. Regards, Bill Herrin -- William D. Herrin ................ herrin at dirtside.com bill at herrin.us 3005 Crane Dr. ...................... Web: Falls Church, VA 22042-3004 From owen at delong.com Tue Apr 13 01:14:57 2010 From: owen at delong.com (Owen DeLong) Date: Mon, 12 Apr 2010 22:14:57 -0700 Subject: [arin-ppml] ULA-C In-Reply-To: References: <5A6D953473350C4B9995546AFE9939EE08FE6E58@RWC-EX1.corp.seven.com> <5A6D953473350C4B9995546AFE9939EE08FE6E63@RWC-EX1.corp.seven.com> <3B16CEDE-291F-4AB6-AEF1-B36B92757A1B@delong.com>

<83193A72-D442-4312-B579-02BBD39DA065@delong.com> Message-ID: On Apr 12, 2010, at 9:50 PM, William Herrin wrote: > On Tue, Apr 13, 2010 at 12:03 AM, Owen DeLong wrote: >> >> On Apr 12, 2010, at 8:08 PM, William Herrin wrote: >> >>> On Mon, Apr 12, 2010 at 10:36 PM, Owen DeLong wrote: >>>> The latter part, the without the hops and justifiable need issue is a >>>> policy problem, indeed. If ARIN is to issue ULA, it should be on >>>> substantially the same terms as GUA so that there is no incentive >>>> to (mis)use ULA where GUA is required. >>>> I am all for reducing the GUA barrier to non-onerous. >>> >>> And so we're back full circle to the beginning where you're not >>> opposed to ULA as long as it's actually GUA and you're not opposed to >>> making GUA non-onerous as long as we retain all the barriers and costs >>> that make it onerous. >>> >> Not at all... ULA as strictly address space that's theoretically unroutable >> is fine with me. I'm all for making GUA available for significantly lower >> fees than the current pricing if it can be done practically. I am not for >> any elimination of justified need, but, I'm actually willing to go pretty far >> on lowering the level required for justified need. Probably much further >> than many other people. > > Well, I will work with you tirelessly to identify practical ways to > improve the process for getting GUA space, but that doesn't help the > folks who intend to use ULA space. They have a need poorly served by > any GUA or GUA-pinned regime you've suggested: negligible cost grab > and go addresses for use with the barest hint of planning, consuming > only the most trivial of the registry services: entries in two > databases. > > I don't think we want that for GUA. I think we *want* people to > carefully consider how they intend to use GUA addresses before > requesting them from the registry and throwing route announcements. > Don't you? > This is where we differ most strongly. I'm really tired of the that GUA == Route Announcement or that route announcements are somehow evil or should be avoided by the RIR. 1. Not all uses for GUA will end up in the DFZ. 2. It's not ARIN's place to judge who is worthy or set the criteria by which others decide who is worthy of entries in the DFZ. That is best left for people who run actual routers. So, having said that, I think that ULA should have a little bit stronger criteria than grab-and-go without planning anything. I think that GUA should also have a little bit stronger criteria than that. I do not think either should be much stronger than that. > > Of course if you'd rather, we can simply build up the ULA registry at > http://www.sixxs.net/tools/grh/ula/list/ > Have fun with that. Personally, I think that project is short-sighted and harmful, but, as I've said, there's nothing ARIN can do about people who want to run competing registries... Even if they chose to issue from 2000::/3. > It'll be done poorly versus what a strong operation like ARIN is > capable of but it'll meet the actual registered ULA need. > Maybe it will, maybe it won't. I'm not particularly concerned with it one way or another because I don't think it will gain as much traction as something done by the RIR system. I choose to try and work in the ARIN framework to make the best policies possible for the community in that framework. I participate to much lesser extents in APNIC, RIPE, LACNIC, and AfriNIC. I simply do not have the time to put significant effort into policies in other registries. If I did, I'd probably be more focused on domain name registry/ registrar messes before I'd spend time on the sixxs ULA registry. Owen From lear at cisco.com Tue Apr 13 04:34:05 2010 From: lear at cisco.com (Eliot Lear) Date: Tue, 13 Apr 2010 10:34:05 +0200 Subject: [arin-ppml] ULA-C In-Reply-To: <4BC3EF45.7050903@umn.edu> References: <28E139F46D45AF49A31950F88C497458058E241E@E03MVZ2-UKDY.domain1.systemhost.net> <4BA76279.9060809@umn.edu> <07B89580-34D1-4F02-BFD0-A7ADE6490B69@delong.com> <8695009A81378E48879980039EEDAD28876D4435@MAIL1.polartel.local> <8695009A81378E48879980039EEDAD28876D443A@MAIL1.polartel.local> <4BBC0D5D.2060903@umn.edu> <4BC33C87.8010304@cisco.com> <4BC3EF45.7050903@umn.edu> Message-ID: <4BC42C7D.3050004@cisco.com> David, > Further, until we can develop a consensus for how ULA-C should work, > who should provide the registry services for it, and under what kind > of terms, coming up with an ARIN policy for making ULA-C assignments, > through 6.5.8 or what ever final process seems premature. My point was that absent additional information (see below), ARIN is already there for PI. > >> And this goes to your point (4), which I quote: >> >>> 4. The availability of ULA-C for internal addressing will likely >>> make PA addressing facing the Internet more palatable at least for >>> some classes of enterprise users. This might be implemented with >>> NAT66, multiple RAs, or any number of possible future solutions. >>> Like maybe some variation of LISP, or some other GSE type >>> solutions. But, the details are irrelevant that is an operational >>> issue not a policy one. >> >> Of the arguments in your message, it would seem to me that this one, >> combined with whatever security argument one would be the ones that >> should be further developed. > > Do you have suggestion how to further develop this argument? I wrote the above because I don't understand how (4) is a driver, and so I presume others don't either. > >> In addition, given that ARIN and the RIRs have demonstrated >> reasonable flexibility in terms of making changes to policies, one >> could reasonably ask the question as to whether this proposal is well >> timed. > > Could you clarify what you mean here, are you suggesting this should > wait? If so, to an extent I agree, we realistically can't take this > up until the Fall ARIN meeting, is that still to soon? However, as I > discuss in my response to Chris, this issue is at least partially > entwined in a couple policies that will be discussed next week in > Toronto. I'll put it another way: is there substantial customer demand for a service such as ULA-C? I don't see it. Until such time as others see it, why would we execute so soon? With regard to NCNs, I can see them being related; but again, the policy process is pretty flexible. In as much as demand is there, I would let that be the determining factor for timing, so long as we don't make decisions that would foreclose options or do not properly steward the space. Do you see that happening here? > >> The introduction of NAT66 into the discussion is one that would need >> to be carefully considered, and LISP and ILNP (GSE's successor) are >> still nascent technologies. > > Are the considerations with regard to NAT66 and ILNP different for > ULA-C than for ULA-L (RFC 4193)? Only modestly so. Were I an SP, I probably would probably be more reticent to route RFC 4193 addresses, given the eventuality that a collision will occur in those cases. That means that NAT66 is actually more of an interest for ULA-L. If I'm an enterprise, once I'm spending money for addresses, I might as well get something that offers me the most flexibility from a routing perspective. That might as well be PI. The same argument applies to ILNP/LISP. Eliot From owen at delong.com Tue Apr 13 09:02:31 2010 From: owen at delong.com (Owen DeLong) Date: Tue, 13 Apr 2010 06:02:31 -0700 Subject: [arin-ppml] ULA-C In-Reply-To: <4BC42C7D.3050004@cisco.com> References: <28E139F46D45AF49A31950F88C497458058E241E@E03MVZ2-UKDY.domain1.systemhost.net> <4BA76279.9060809@umn.edu> <07B89580-34D1-4F02-BFD0-A7ADE6490B69@delong.com> <8695009A81378E48879980039EEDAD28876D4435@MAIL1.polartel.local> <8695009A81378E48879980039EEDAD28876D443A@MAIL1.polartel.local> <4BBC0D5D.2060903@umn.edu> <4BC33C87.8010304@cisco.com> <4BC3EF45.7050903@umn.edu> <4BC42C7D.3050004@cisco.com> Message-ID: <7F219DCC-B4C3-4089-8387-40C1EE916AF1@delong.com> >> >>> And this goes to your point (4), which I quote: >>> >>>> 4. The availability of ULA-C for internal addressing will likely make PA addressing facing the Internet more palatable at least for some classes of enterprise users. This might be implemented with NAT66, multiple RAs, or any number of possible future solutions. Like maybe some variation of LISP, or some other GSE type solutions. But, the details are irrelevant that is an operational issue not a policy one. >>> >>> Of the arguments in your message, it would seem to me that this one, combined with whatever security argument one would be the ones that should be further developed. >> >> Do you have suggestion how to further develop this argument? > > I wrote the above because I don't understand how (4) is a driver, and so I presume others don't either. > Regardless of your opinion on the subject (and mine is well known), there is a fraction of the community who believe that having ULA addresses for your interior and mapping those through NAT66 to provider assigned addresses is a good solution to the difficulty of renumbering and necessary to make IPv6 deployment palatable in their enterprise. This is the rationale behind point 4 being a driver. >> >>> In addition, given that ARIN and the RIRs have demonstrated reasonable flexibility in terms of making changes to policies, one could reasonably ask the question as to whether this proposal is well timed. >> >> Could you clarify what you mean here, are you suggesting this should wait? If so, to an extent I agree, we realistically can't take this up until the Fall ARIN meeting, is that still to soon? However, as I discuss in my response to Chris, this issue is at least partially entwined in a couple policies that will be discussed next week in Toronto. > > I'll put it another way: is there substantial customer demand for a service such as ULA-C? I don't see it. Until such time as others see it, why would we execute so soon? With regard to NCNs, I can see them being related; but again, the policy process is pretty flexible. In as much as demand is there, I would let that be the determining factor for timing, so long as we don't make decisions that would foreclose options or do not properly steward the space. Do you see that happening here? I do not know the size of the demand, but, there are at least a few vocal proponents of the idea. In fairness, they seem to be about the same in number as the vocal opponents of NAT66. It is almost impossible to determine the size of the constituencies lined up on either side, and, I suspect the vast majority of the community doesn't really care as long as they can get to their preferred content. Owen -------------- next part -------------- An HTML attachment was scrubbed... URL: From bill at herrin.us Tue Apr 13 09:26:03 2010 From: bill at herrin.us (William Herrin) Date: Tue, 13 Apr 2010 09:26:03 -0400 Subject: [arin-ppml] ULA-C In-Reply-To: References: <5A6D953473350C4B9995546AFE9939EE08FE6E58@RWC-EX1.corp.seven.com> <3B16CEDE-291F-4AB6-AEF1-B36B92757A1B@delong.com>

<83193A72-D442-4312-B579-02BBD39DA065@delong.com>

Message-ID: On Tue, Apr 13, 2010 at 1:14 AM, Owen DeLong wrote: > This is where we differ most strongly. ?I'm really tired of the noun> that GUA == Route Announcement or that route announcements are > somehow evil or should be avoided by the RIR. > > 1. ? ? ?Not all uses for GUA will end up in the DFZ. > 2. ? ? ?It's not ARIN's place to judge who is worthy or set the criteria by > ? ? ? ?which others decide who is worthy of entries in the DFZ. That is > ? ? ? ?best left for people who run actual routers. Owen, If you can get the netops to sign off on eliminating things like the multihomed criteria and the the minimum host count criteria which for IPv6 /48's serve solely to suppress the public route count, I'll stand in support. I think that's a fantasy but more power to you. > So, having said that, I think that ULA should have a little bit stronger > criteria than grab-and-go without planning anything. I think that GUA > should also have a little bit stronger criteria than that. This is where your position is unreasonable and self-serving. ULA is private IP addresses, the successor in spirit to the no-rules RFC1918. Of course it has to be grab and go. Self-serving because the real reason you don't want it to be grab and go is that would mess with your idea of unifying it with the GUA policy which would be difficult to responsibly architect as grab and go. Make your case for making RFC1918 more difficult to get than it is if you want, but please get on the same page as the rest of us in understanding that ULA is IPv6's RFC1918 with a nearly identical use profile regardless of whether a registry is involved. >> Of course if you'd rather, we can simply build up the ULA registry at >> http://www.sixxs.net/tools/grh/ula/list/ >> > Have fun with that. ?Personally, I think that project is short-sighted and > harmful, but, as I've said, there's nothing ARIN can do about people who > want to run competing registries. It has 25% as many ULA registrations as IPv6 GUA announcements on the public Internet and is growing as fast or faster than IPv6 is. Barring someone else stepping forward to do a proper job (i.e. the RIRs) it's on track to hit critical mass around the same time as IPv6 over all. It doesn't do a great job meeting the need we're discussing, but it does meet that need, something at which the notions you've suggested still fall short. Regards, Bill Herrin -- William D. Herrin ................ herrin at dirtside.com bill at herrin.us 3005 Crane Dr. ...................... Web: Falls Church, VA 22042-3004 From bill at herrin.us Tue Apr 13 09:32:10 2010 From: bill at herrin.us (William Herrin) Date: Tue, 13 Apr 2010 09:32:10 -0400 Subject: [arin-ppml] ULA-C In-Reply-To: <4BC42C7D.3050004@cisco.com> References: <28E139F46D45AF49A31950F88C497458058E241E@E03MVZ2-UKDY.domain1.systemhost.net> <8695009A81378E48879980039EEDAD28876D4435@MAIL1.polartel.local> <8695009A81378E48879980039EEDAD28876D443A@MAIL1.polartel.local> <4BBC0D5D.2060903@umn.edu> <4BC33C87.8010304@cisco.com> <4BC3EF45.7050903@umn.edu> <4BC42C7D.3050004@cisco.com> Message-ID: On Tue, Apr 13, 2010 at 4:34 AM, Eliot Lear wrote: > I'll put it another way: is there substantial customer demand for a service > such as ULA-C? ?I don't see it. Eliot, 2900 routes in the public table. 700 ULA "registrations" at http://www.sixxs.net/tools/grh/ula/list/ . What do the numbers tell you about the relative demand? Regards, Bill Herrin -- William D. Herrin ................ herrin at dirtside.com bill at herrin.us 3005 Crane Dr. ...................... Web: Falls Church, VA 22042-3004 From marty at akamai.com Tue Apr 13 10:05:26 2010 From: marty at akamai.com (Hannigan, Martin) Date: Tue, 13 Apr 2010 10:05:26 -0400 Subject: [arin-ppml] ULA-C In-Reply-To: Message-ID: > From: William Herrin > Date: Tue, 13 Apr 2010 09:32:10 -0400 > To: Eliot Lear > Cc: "arin-ppml at arin.net" > Subject: Re: [arin-ppml] ULA-C > > On Tue, Apr 13, 2010 at 4:34 AM, Eliot Lear wrote: >> I'll put it another way: is there substantial customer demand for a service >> such as ULA-C? ?I don't see it. > > Eliot, > > 2900 routes in the public table. 700 ULA "registrations" at > http://www.sixxs.net/tools/grh/ula/list/ . What do the numbers tell > you about the relative demand? > Not a lot. If you clean up the data and make it unique to Name it's quite a bit less. I'd say noise in the grand scheme of things. Best, -M< From owen at delong.com Tue Apr 13 10:11:29 2010 From: owen at delong.com (Owen DeLong) Date: Tue, 13 Apr 2010 07:11:29 -0700 Subject: [arin-ppml] ULA-C In-Reply-To: References: <5A6D953473350C4B9995546AFE9939EE08FE6E58@RWC-EX1.corp.seven.com> <3B16CEDE-291F-4AB6-AEF1-B36B92757A1B@delong.com>

<83193A72-D442-4312-B579-02BBD39DA065@delong.com>

Message-ID: On Apr 13, 2010, at 6:26 AM, William Herrin wrote: > On Tue, Apr 13, 2010 at 1:14 AM, Owen DeLong wrote: >> This is where we differ most strongly. I'm really tired of the > noun> that GUA == Route Announcement or that route announcements are >> somehow evil or should be avoided by the RIR. >> >> 1. Not all uses for GUA will end up in the DFZ. >> 2. It's not ARIN's place to judge who is worthy or set the criteria by >> which others decide who is worthy of entries in the DFZ. That is >> best left for people who run actual routers. > > Owen, > > If you can get the netops to sign off on eliminating things like the > multihomed criteria and the the minimum host count criteria which for > IPv6 /48's serve solely to suppress the public route count, I'll > stand in support. I think that's a fantasy but more power to you. > I think we'll eventually get [back] there. It's definitely worth the effort. > >> So, having said that, I think that ULA should have a little bit stronger >> criteria than grab-and-go without planning anything. I think that GUA >> should also have a little bit stronger criteria than that. > > This is where your position is unreasonable and self-serving. ULA is > private IP addresses, the successor in spirit to the no-rules RFC1918. > Of course it has to be grab and go. Self-serving because the real > reason you don't want it to be grab and go is that would mess with > your idea of unifying it with the GUA policy which would be difficult > to responsibly architect as grab and go. > I'm not sure how you see this as self-serving. The reason I think it must be unified is because if it is not unified, ULA-C will NOT be a successor to RFC-1918, it will become de facto GUA without the community's GUA policies. This isn't because it's what is best for me, it's because I believe it is necessary for the benefit of the community as a whole. ULA-R is the successor to RFC-1918, and, even it does not have as much protection from "GUA-Creep" for lack of a better term as RFC-1918 did. This is the advantage and the curse of the much larger address space. Collisions are so much less likely that there is enough uniqueness to represent a risk that these addresses may be used as a substitute for GUA. That would negatively impact the community in two ways: 1. It would make ULA meaningless to those that want it as an address space regarded by the community as un-routable on the "global internet". 2. It would make GUA policies far less effective or meaningful as ULA becomes an end-run for those policies. > Make your case for making RFC1918 more difficult to get than it is if > you want, but please get on the same page as the rest of us in > understanding that ULA is IPv6's RFC1918 with a nearly identical use > profile regardless of whether a registry is involved. > I agree with you about the community's intended use of RFC-1918 and ULA. If I did not, I would probably be opposed to ULA in general rather than specifically opposed to a ULA policy that invites abuse. However, intended use and unintended consequences both need to be evaluated. A non-unified policy for ULA/GUA will lead to abuse of ULA as an end-run for GUA which is, in my opinion, an unacceptable risk. > > >>> Of course if you'd rather, we can simply build up the ULA registry at >>> http://www.sixxs.net/tools/grh/ula/list/ >>> >> Have fun with that. Personally, I think that project is short-sighted and >> harmful, but, as I've said, there's nothing ARIN can do about people who >> want to run competing registries. > > It has 25% as many ULA registrations as IPv6 GUA announcements on the > public Internet and is growing as fast or faster than IPv6 is. Barring > someone else stepping forward to do a proper job (i.e. the RIRs) it's > on track to hit critical mass around the same time as IPv6 over all. > Your statement here is mathematically inconsistent with itself. Be that as it may, even if this registry hits critical mass, it's much less likely that ISPs might consider advertising routes based on this registry than based on data in an RIR. In any case, there's not much ARIN can do about it. Would I rather the SIXXS registry didn't exist? Probably. Do I think that it has the potential to become a disservice to the community for the exact reasons I have mentioned above? Yes. Nonetheless, I agree that it is out of scope for ARIN policy and I do believe that anyone has the right to build any list of integers they want. Integers are not property, you can't own numbers. > It doesn't do a great job meeting the need we're discussing, but it > does meet that need, something at which the notions you've suggested > still fall short. > As I said, enjoy. I have no problem with you registering whatever you want in other registries. I do not want to see ARIN create opportunities to evade ARIN policies inside other ARIN policies. ULA as you want to see ARIN register it would do exactly that. Owen From bill at herrin.us Tue Apr 13 11:15:30 2010 From: bill at herrin.us (William Herrin) Date: Tue, 13 Apr 2010 11:15:30 -0400 Subject: [arin-ppml] ULA-C In-Reply-To: References: <5A6D953473350C4B9995546AFE9939EE08FE6E58@RWC-EX1.corp.seven.com> <3B16CEDE-291F-4AB6-AEF1-B36B92757A1B@delong.com>

<83193A72-D442-4312-B579-02BBD39DA065@delong.com>

Message-ID: On Tue, Apr 13, 2010 at 10:11 AM, Owen DeLong wrote: > On Apr 13, 2010, at 6:26 AM, William Herrin wrote: >> If you can get the netops to sign off on eliminating things like the >> multihomed criteria and the the minimum host count criteria which for >> IPv6 /48's serve solely to ?suppress the public route count, I'll >> stand in support. >> > I think we'll eventually get [back] there. It's definitely worth the effort. More power to you. > The reason I think it must > be unified is because if it is not unified, ULA-C will NOT be a successor > to RFC-1918, it will become de facto GUA without the community's > GUA policies. Given the trivially available controls (both technical and legal) to prevent such an occurrence, this means you anticipate dissatisfaction with ARIN's GUA policies to a degree that results in system collapse unless artificially propped up. If that's a more than a paranoid fear, perhaps you should work on solving the problems that make GUA so unsatisfactory and let ULA do the job ULA is supposed to do. > A non-unified policy for ULA/GUA will lead to abuse of > ULA as an end-run for GUA which is, in my opinion, an unacceptable > risk. I asked in a previous message and I'll ask again: why wouldn't the combination of ISP route filtering and policy language that directs ARIN to revoke ULA registrations in response to misuse as GUA space fully resolve this alleged problem? I think you're throwing up a smoke screen here. There are perfectly reasonable solutions to this problem that don't require a unified policy. You seem want a unified policy and seem intent on bending the facts of the situation to get it, regardless of whether that serves users' needs. That's what I call self-serving... not because you personally profit but because it serves your unjustified sense of righteousness. Prove me wrong. Make an honest attempt identify solutions to the perceived route-leak problem that don't unify the policies, and compromise. Regards, Bill Herrin -- William D. Herrin ................ herrin at dirtside.com bill at herrin.us 3005 Crane Dr. ...................... Web: Falls Church, VA 22042-3004 From info at arin.net Tue Apr 13 12:06:25 2010 From: info at arin.net (Member Services) Date: Tue, 13 Apr 2010 12:06:25 -0400 Subject: [arin-ppml] Attend ARIN XXV Remote Participation Message-ID: <4BC49681.3050200@arin.net> The ARIN XXV Public Policy and Members Meeting will be held next week in Toronto, and will feature a wide variety of presentations and important policy discussion. Can?t attend the meeting in person? No problem! ARIN XXV also offers many remote participation features. The entire ARIN XXV Meeting, including the premeeting activities, will be webcast. ARIN offers additional remote participation options, including a live transcript and chat rooms. The live transcript will record all presentations and discussions from the meeting floor, so you can read along to enhance your meeting viewing. There will also be a variety of chat room options available to registered remote participants. Remote registration is free and all remote registrants will be listed on the ARIN website as online attendees. To learn more about the ARIN meeting remote participation services please go to: https://www.arin.net/ARIN-XXV/remote.html Remote participants who pre-register their Jabber Identifiers (JIDs) will have access to the restricted chat rooms from the start of the meeting. You can register a JID at any time, but new participants will only be added during scheduled meeting breaks. Be sure to review the agenda at: https://www.arin.net/ARIN-XXV/agenda.html To ensure your access to these services, register now by going to ?Register for ARIN XXV? at https://www.arin.net/ARIN-XXV/ and choose "ARIN XXV Remote Participant" from the drop-down. The form must be completed in order to access the meeting Jabber chat rooms. Registration is not required for the webcast and live transcript. We look forward to your participation. Regards, Member Services American Registry for Internet Numbers (ARIN) From marquis at roble.com Tue Apr 13 12:33:55 2010 From: marquis at roble.com (Roger Marquis) Date: Tue, 13 Apr 2010 09:33:55 -0700 (PDT) Subject: [arin-ppml] ULA-C In-Reply-To: References: Message-ID: <20100413163355.37BF02B2128@mx5.roble.com> William Herrin wrote: > Owen DeLong wrote: >> A non-unified policy for ULA/GUA will lead to abuse of >> ULA as an end-run for GUA which is, in my opinion, an unacceptable >> risk. > > I asked in a previous message and I'll ask again: why wouldn't the > combination of ISP route filtering and policy language that directs > ARIN to revoke ULA registrations in response to misuse as GUA space > fully resolve this alleged problem? I would also like to know why Owen believes filtering would be a suitable replacement for NAT's security (such as it is), whereas similar filters would not work for route announcements and ULA/GUA traffic. Roger Marquis From rsm at fast-serv.com Tue Apr 13 13:31:49 2010 From: rsm at fast-serv.com (Randy McAnally) Date: Tue, 13 Apr 2010 13:31:49 -0400 Subject: [arin-ppml] IPv6 /32 minimum for extra-small ISP Message-ID: <20100413172714.M35473@fast-serv.com> Why are extra-small ISP's with a /21 or /22 of v4 space forced to buy so much v6 IP space and essentially double our fees? I know there's a rebate in effect (for now) but regardless, I'm extremely displeased with this policy. -- Randy From tedm at ipinc.net Tue Apr 13 14:02:30 2010 From: tedm at ipinc.net (Ted Mittelstaedt) Date: Tue, 13 Apr 2010 11:02:30 -0700 Subject: [arin-ppml] IPv6 /32 minimum for extra-small ISP In-Reply-To: <20100413172714.M35473@fast-serv.com> References: <20100413172714.M35473@fast-serv.com> Message-ID: <4BC4B1B6.7060804@ipinc.net> Randy, The assumption has always been that if your an extra-small ISP that you obtain IP addressing from your LIR (ie: upstream ISP) It isn't the amount of numbers that your planning to use that is the problem. The problem is that even if you got an extremely small allocation that as soon as you advertise it, you consume the same amount of routing resources on everyone else's BGP router on the Internet, that someone with a larger allocation has who is advertising theirs. Thus it is not fair to base pricing solely on the amount of numbering. Current IPv4 pricing is based both on the amount of numbering and the principle that we want to make the cost-per-number more expensive for the smaller ISPs to discourage them from obtaining portable numbers, and encourage them to use numbers from their upstream, this reduces growth of the DFZ. That is why pricing on a per-IP basis gets higher the smaller the allocations that you have. Of course, ARIN continually claims that larger allocations require less maintainence and smaller allocations require more maintainence and has ginned-up reports purporting to prove this, which is why the smaller allocations are more expensive on a per-IP basis, but we all know that this is baloney. ARIN claims it's charter prevents them from using pricing as a tool to effect policy which is why the official line from them on pricing is what it is, so they have to resort to some creativity to arrive at a fair pricing. But, setting that aside, if you consider the pricing from ALL angles, not just your own parochial one, you will understand why pricing MUST be more of a burden for the smaller orgs. I personally feel that IP pricing could stand to have some tweaks in it, as the price-per-IP difference between the very largest allocations and the smallest allocations is to rediculously large, but I certainly do not think it should be flat across all sizes of allocations, and I suspect if you think about this and realize that your own router expenditures for your own router/routers are driven by what everyone else on the Internet gets, you will realize the wisdom of the current approach. Ted Mittelstaedt Internet Partners, Inc. On 4/13/2010 10:31 AM, Randy McAnally wrote: > Why are extra-small ISP's with a /21 or /22 of v4 space forced to buy so much v6 > IP space and essentially double our fees? I know there's a rebate in effect > (for now) but regardless, I'm extremely displeased with this policy. > > -- > Randy > > > _______________________________________________ > PPML > You are receiving this message because you are subscribed to > the ARIN Public Policy Mailing List (ARIN-PPML at arin.net). > Unsubscribe or manage your mailing list subscription at: > http://lists.arin.net/mailman/listinfo/arin-ppml > Please contact info at arin.net if you experience any issues. From tedm at ipinc.net Tue Apr 13 14:02:30 2010 From: tedm at ipinc.net (Ted Mittelstaedt) Date: Tue, 13 Apr 2010 11:02:30 -0700 Subject: [arin-ppml] IPv6 /32 minimum for extra-small ISP In-Reply-To: <20100413172714.M35473@fast-serv.com> References: <20100413172714.M35473@fast-serv.com> Message-ID: <4BC4B1B6.7060804@ipinc.net> Randy, The assumption has always been that if your an extra-small ISP that you obtain IP addressing from your LIR (ie: upstream ISP) It isn't the amount of numbers that your planning to use that is the problem. The problem is that even if you got an extremely small allocation that as soon as you advertise it, you consume the same amount of routing resources on everyone else's BGP router on the Internet, that someone with a larger allocation has who is advertising theirs. Thus it is not fair to base pricing solely on the amount of numbering. Current IPv4 pricing is based both on the amount of numbering and the principle that we want to make the cost-per-number more expensive for the smaller ISPs to discourage them from obtaining portable numbers, and encourage them to use numbers from their upstream, this reduces growth of the DFZ. That is why pricing on a per-IP basis gets higher the smaller the allocations that you have. Of course, ARIN continually claims that larger allocations require less maintainence and smaller allocations require more maintainence and has ginned-up reports purporting to prove this, which is why the smaller allocations are more expensive on a per-IP basis, but we all know that this is baloney. ARIN claims it's charter prevents them from using pricing as a tool to effect policy which is why the official line from them on pricing is what it is, so they have to resort to some creativity to arrive at a fair pricing. But, setting that aside, if you consider the pricing from ALL angles, not just your own parochial one, you will understand why pricing MUST be more of a burden for the smaller orgs. I personally feel that IP pricing could stand to have some tweaks in it, as the price-per-IP difference between the very largest allocations and the smallest allocations is to rediculously large, but I certainly do not think it should be flat across all sizes of allocations, and I suspect if you think about this and realize that your own router expenditures for your own router/routers are driven by what everyone else on the Internet gets, you will realize the wisdom of the current approach. Ted Mittelstaedt Internet Partners, Inc. On 4/13/2010 10:31 AM, Randy McAnally wrote: > Why are extra-small ISP's with a /21 or /22 of v4 space forced to buy so much v6 > IP space and essentially double our fees? I know there's a rebate in effect > (for now) but regardless, I'm extremely displeased with this policy. > > -- > Randy > > > _______________________________________________ > PPML > You are receiving this message because you are subscribed to > the ARIN Public Policy Mailing List (ARIN-PPML at arin.net). > Unsubscribe or manage your mailing list subscription at: > http://lists.arin.net/mailman/listinfo/arin-ppml > Please contact info at arin.net if you experience any issues. From rsm at fast-serv.com Tue Apr 13 14:25:53 2010 From: rsm at fast-serv.com (Randy McAnally) Date: Tue, 13 Apr 2010 14:25:53 -0400 Subject: [arin-ppml] IPv6 /32 minimum for extra-small ISP In-Reply-To: <4BC4B1B6.7060804@ipinc.net> References: <20100413172714.M35473@fast-serv.com> <4BC4B1B6.7060804@ipinc.net> Message-ID: <20100413181739.M43100@fast-serv.com> ---------- Original Message ----------- From: Ted Mittelstaedt To: arin-ppml at arin.net Sent: Tue, 13 Apr 2010 11:02:30 -0700 Subject: Re: [arin-ppml] IPv6 /32 minimum for extra-small ISP > The assumption has always been that if your an extra-small ISP that > you obtain IP addressing from your LIR (ie: upstream ISP) ARIN made us give back that IP space to qualify for multihoming policy. So now when we need IP space we have to go direct to ARIN, thus we have a /22 and a /21 and still qualify for extra-small pricing. Try asking your upstream for IPs when you already have direct assignments... it's not going to happen. Furthermore, my gripe IS NOT WITH PRICING PER IP. It is the fact that big multi-homed ISP can request a v6 allocation and see no increase in fees (they pay only the bigger of the two, obviously their v4 space), yet a smaller multi-homed ISP requests v6 and doubles their yearly fees because a /32 is the minimum. I thought ARIN was encouraging the adoption of v6 for everyone, not just big ISPs. -- Randy www.FastServ.com From rsm at fast-serv.com Tue Apr 13 14:33:28 2010 From: rsm at fast-serv.com (Randy McAnally) Date: Tue, 13 Apr 2010 14:33:28 -0400 Subject: [arin-ppml] IPv6 /32 minimum for extra-small ISP In-Reply-To: <20100413181739.M43100@fast-serv.com> References: <20100413172714.M35473@fast-serv.com> <4BC4B1B6.7060804@ipinc.net> <20100413181739.M43100@fast-serv.com> Message-ID: <20100413183106.M55521@fast-serv.com> I guess I'm just surprised that it costs twice as much to obtain IPv6 as IPv4 for _us_. Obviously this isn't the case for everyone (big ISP with a ton of v4) but for us it's a ridiculous policy. -- Randy From NOC at ChangeIP.com Tue Apr 13 15:16:00 2010 From: NOC at ChangeIP.com (NOC at ChangeIP.com) Date: Tue, 13 Apr 2010 12:16:00 -0700 Subject: [arin-ppml] IPv6 /32 minimum for extra-small ISP References: <20100413172714.M35473@fast-serv.com> <4BC4B1B6.7060804@ipinc.net> Message-ID: > From: "Ted Mittelstaedt" > > The problem is that even if you got an extremely small allocation that > as soon as you advertise it, you consume the same amount of routing > resources on everyone else's BGP router on the Internet, that someone > with a larger allocation has who is advertising theirs. Thus it is not > fair to base pricing solely on the amount of numbering. ARIN sets the pricing based on routing slots? I thought ARIN was disentangled from the routing aspect of it. Also, why do they even bother listing x-small fees for ISP allocations if you can't even get it. Sam From rsm at fast-serv.com Tue Apr 13 15:30:21 2010 From: rsm at fast-serv.com (Randy McAnally) Date: Tue, 13 Apr 2010 15:30:21 -0400 Subject: [arin-ppml] IPv6 /32 minimum for extra-small ISP In-Reply-To: References: <20100413172714.M35473@fast-serv.com> <4BC4B1B6.7060804@ipinc.net> Message-ID: <20100413192513.M42419@fast-serv.com> Not to mention that certain large ISP's announce large blocks as contiguous /24's. -- Randy ---------- Original Message ----------- From: