route filtering policies (from "split b" thread)

Mike Lieberman Mike at netwright.net
Tue Jun 6 10:01:06 EDT 2000


Stephen Griffin said:
>
> In the referenced message, Mike Lieberman said:
> >
> > > Mike,
> > >
> <snip>
> > > How would you define exactly how to identify one of these
> > > organizations?
> >
> > Look I understand the frustration you are all having with this... but
> > let's say ARIN sells /24's for $2.500/yr. You really need it for your
> > home now?
>
> Selling address space would be a _bad_ thing. Charging money to cover
> allocation record-keeping is fine, since it doesn't convey
> "ownership".
> We've already seen the perils with turning things into commodities
> (cf the domain naming system).
>
Well, we disagree. ARIN is already charging a yearly fee for space, and to
make this argument now is goofy. As I said in an earlier email, all the
current policy does is encourage some companies to lie about their needs.

> > You need a router and bandwidth capable of full BGP. Vendors who will take
> > your BGP. You're not going to use ISDN, cable modems, xDSL or an inexpensive
> > router. The cost alone, if structured correctly, can provide a reasonable
> > self-selective system by which most networks won't want the costs or the
> > hassles.
>
> The costs of a cisco 25XX (which could handle 2 scaled-down bgp sessions
> quite happily), 2 modems, and 2 phone lines is hardly prohibitive.
>
Once again you're arguing a non-issue. Set the requirement at two full T1's
with a Cisco 3640 and 128MB if you like.

> > I actually attended a meeting as a consultant to a company that will go
> > unnamed. They have a /21 and there was a discussion about putting everything
> > behind a firewall and using private IP. The head of their IT group pointed
> > out that they would lose their ability to route their network as they were
> > doing via BGP and would put the company at risk. That was the end of the
> > discussion. Like I said early on in this discussion, you have two competing
> > needs: address space and routing tables. By not making a rational choice,
> > you simply produce decisions that have adverse impacts.
>
> The problem is that this entity runs the risk of forfeiture of _all_ of
> their address space. I saw somewhere in this thread someone mentioning
> a buy-back program for address space. That isn't necessary, since address
> space is delegated, not sold. Theoretically ICANN, the RIR's and the
> other registries (such as myself on behalf of my employer) have the right
> to rescind any allocation we have jurisdiction over. Hopefully, this
> is utilized extremely sparingly.
>
Yes, but the risk is forfeiture later or shutting down businesses today. Ever
drive faster than the speed limit? How about when the limit was 55 on the
interstates? Create unreasonable rules and you get rule breakers. Your hopes
are forlorn and wrong. Not everyone, or even most, has a need to break the
rules, but those who do have a need will.

> > I think you need to say OK, if you have multiple paths, the right router,
> > and you are willing to pay, then you get X address space and that WILL
> > route, whether you need that much space or not. Set it low enough so that
> > you can live with the waste and high enough so that tables don't break for
> > the few who will pay for it (I think a /24 fits if the cost to get it is
> > high enough). And then don't make the user justify the network need for
> > the size of the block. The only justification comes if the request is for
> > more numbers.
>
> If you persist on BGP == redundancy, but that is hardly the only solution.
>
Oh yes it is in some situations. You are arguing from an urban model, not a
rural one.

> > > One of the issues being dealt with by ARIN and the other registries
> > > is how to determine who has a legitimate need and who doesn't. Further,
> > > when we can determine who has a legitimate need, then we could actually
> > > determine how many there might be and what the impact on the routing
> > > table would be.  For example, ARIN would start seeing requests for
> > > people like me who have a sizable network in their home and want
> > > redundancy.  Should I get a globally routable /24?  My home network
> > > is important.  (at least I think it is)  What if I need a /28?  Should
> > > that be routed as well?
> > >
> > >     These are not necessarily small companies by annual revenues. They
> > >     just don't have a need for more than a /24. The policies of the large
> > >     vendors who insist on filtering do more to serve the business
> > >     objectives of those vendors than they do to protect the scalability
> > >     of the Internet.
> > >
> > > Most of the folks I know who filter do it to keep their networks
> > > working and for no other reason.
> > >
> > > Thanks for your input.
> > > ---CJ
>
> If someone has a need to have their allocation globally routed, and can
> justify a /24, they should request that it come from class C space to
> have the highest likelihood of the route being heard. However, a /24 from
> class A space (not counting like 24/8 64/8 etc) has a high likelihood of
> being dropped. If the entity _can't_ justify a /24, then they need to
> do something like colocate diverse machines with providers across the mesh,
> with something like a dns trick to direct people to the various colocations.
>
Once again you are not looking at the rural model. If you had ever worked in a
region where a single fiber cut took ALL LD services away from 70% of the
state's subscribers for four hours, you'd start to appreciate how and why we
use BGP to assure a measure of robustness. And you are assuming businesses
which can, by their business model, colocate. This is not always the case.

I agree with the concept of having just one region such as class C space
where /24 is assured. It isn't now.

> 5 Providers
> 3 having service machines (web/mx/whatever)
> 2 having dns machines which check reachability of machines and services
> (dns boxes are supposed to be on different subnets anyways).
>
> If you _need_ redundancy, then you do the above, and pay the associated
> costs. It is highly unlikely that anyone is going to allow me to
> deaggregate 0/1 just so I can have redundancy at my house because
> I "need" it, or at the bar down the street, or the law-firm down the block.
> The size of the entity doesn't really matter much, whether it is just
> me, or Shodan Heavy Industries. You either can justify the address space,
> or you can not. If you can not, you still have options (number machines
> out of allocations provided by each of your upstreams and dns-twiddle),
> colocate around the mesh as noted above, where you even get geographical
> diversity to avoid things like a backhoe or terrorist taking out both
> of your redundant links by cutting close to your building or blowing it
> up. There are options which preserve engineering principles, conserve
> address space, and provide redundancy. These are the things which
> registries (whether RIRs or registries underneath them) should offer
> up to entities which require redundancy.

This is a non-starter. A name will only resolve to one IP at a time, and
until that rule changes, those companies that require true always-on
technologies are going to get the IP space they need to assure routing.
RIR's simply can't act fast enough and don't have a crisis emergency system
for single networks. And even if they did, take a look at how long it takes
cache to expire. There are very good reasons why the Rube Goldberg
solutions you offer are not helpful and don't solve the fundamental problem.

/* Mike Lieberman                            Mike at NetWright.Net */
/*                         President                            */
/*                       Net Wright LLC                         */
/*                   http://www.netwright.net                   */
/*                 Voice and Fax: 307-857-1053                  */
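As an added example (not code from this thread, from ARIN, or from any of the posters), a small Python model of the classful prefix filter Stephen describes above: a /24 is heard when it comes from traditional class C space or from an exempt /8 such as 24/8 or 64/8, while a /24 elsewhere in class A space is dropped. The /16 limit for class B, the exact exemption list and the sample announcements are assumptions constructed for the example.

```python
"""Model of the classful route-filter behaviour discussed in the thread.

Assumptions (not facts from the thread): class B is capped at /16, the
exempt-/8 list is only the two examples named (24/8, 64/8), and the sample
announcements below are constructed, not real routing-table data.
"""
from ipaddress import IPv4Network, ip_network

# /8s inside class A space where /24 announcements are still heard.
CLASS_A_EXEMPT = [ip_network("24.0.0.0/8"), ip_network("64.0.0.0/8")]

# Classful region and the longest prefix this policy accepts from it.
CLASSFUL_MAX_LEN = [
    (ip_network("0.0.0.0/1"), 8),     # class A: 0.0.0.0 - 127.255.255.255
    (ip_network("128.0.0.0/2"), 16),  # class B: 128.0.0.0 - 191.255.255.255 (assumed)
    (ip_network("192.0.0.0/3"), 24),  # class C: 192.0.0.0 - 223.255.255.255
]


def evaluate(prefix_str: str):
    """Return (accepted, reason) for one announced prefix string."""
    try:
        prefix: IPv4Network = ip_network(prefix_str, strict=True)
    except ValueError:
        # Host bits set or unparsable text: a filter should never let this through.
        return False, "malformed prefix"
    for region, max_len in CLASSFUL_MAX_LEN:
        if prefix.subnet_of(region):
            break
    else:
        return False, "outside classful unicast space (class D/E)"
    if prefix.prefixlen <= max_len:
        return True, f"within the /{max_len} limit for its classful region"
    if prefix.prefixlen <= 24 and any(prefix.subnet_of(ex) for ex in CLASS_A_EXEMPT):
        return True, "exempt /8: announcements down to /24 are heard"
    return False, f"more specific than /{max_len} for its classful region"


def accepted_prefixes(prefixes):
    """Return the sorted subset of announcements the filter would accept."""
    return sorted(p for p in prefixes if evaluate(p)[0])


# Constructed sample announcements exercising each branch of the policy.
SAMPLE_ANNOUNCEMENTS = [
    "198.51.100.0/24",  # class C /24: heard
    "11.22.33.0/24",    # class A /24, not exempt: dropped
    "64.12.0.0/24",     # exempt /8, /24: heard
    "64.12.0.128/25",   # exempt /8 but longer than /24: dropped
    "5.0.0.0/8",        # class A /8: heard
    "130.10.0.0/17",    # class B more specific than /16 (assumed limit): dropped
    "224.0.0.0/24",     # class D: dropped
    "10.0.0.1/24",      # host bits set: malformed, dropped
]
```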

More information about the ARIN-discuss mailing list