[ppml] article about IPv6 vs firewalls vs NAT in arstechnica (seen on slashdot)

JORDI PALET MARTINEZ jordi.palet at consulintel.es
Fri May 11 17:23:26 EDT 2007


I've talked with Leo from IANA about this details a few days ago.

Basically there are two choices to make this happen (even both in parallel):

1) The ID becomes an RFC and possibly has further details, as for example a
possible split of the FC00 in between several registries, or just a mention
of the IANA as to designate the central registry (a single one or
distributed across several), with an explicit mention of the RIRs as being
that authority.

2) A global policy doing the same job. The risk here is that it is not
accepted by any of the RIRs, and then we become stuck.

I will say that the RFC path may be faster and actually is what I'm trying
to follow with the ID authors.

Regards,
Jordi




> De: Jason Schiller <schiller at uu.net>
> Responder a: <ppml-bounces at arin.net>
> Fecha: Fri, 11 May 2007 09:05:10 -0400 (EDT)
> Para: Owen DeLong <owen at delong.com>
> CC: <vixie at vix.com>, <ppml at arin.net>, "address-policy-wg at ripe.net"
> <address-policy-wg at ripe.net>
> Asunto: Re: [ppml] article about IPv6 vs firewalls vs NAT in arstechnica (seen
> on slashdot)
> 
> Owen,
> 
> I just want to be clear about somehting you said.  You view ULA central as
> "an end-run on the RIR process."  Is this because the expired ULC-central
> draft suggests that some new "central allocation authority" be established
> to assign these addresses?
> 
> If the draft RFC was resurrected and all references to "cental allocation
> authority" and "cental authority" were removed and replaced with clear
> text explaining the following:
> 
> - IANA should divide FC00::/8 into eight /11s
> - Each RIR would be given one /11 to make ULA-Central assignments
> - Three /11s would be held in reserve for new RIRs in the future.
> 
> Would you still think this was an end-run on the RIR process?
> 
> Would you be in support of the draft moving forward?
> 
> Do you think this should not be decided by an RFC, but rather as a global
> policy through each of the RIRs?
> 
> If you prefer the RIR process, would you be in favor of a global policy
> submitted to ARIN that had the provisions of the expired ULA-central
> draft, with the modification of removing "cental authority" and clearly
> designating how IANA should divide the space among the existing RIRs?
> 
> ULA-central text snippets below.
> 
> ___Jason
> 
> 
> 
> draft-ietf-ipv6-ula-central-01.txt -- section 3.2.1
>   "Global IDs should be assigned under the authority of a single
>    allocation organization because they are pseudo-random and without
>    any structure.  This is easiest to accomplish if there is a single
>    authority for the assignments."
> 
> draft-ietf-ipv6-ula-central-01.txt -- section 7.0
> 
>   "The IANA is instructed to designate an allocation authority, based on
>    instructions from the IAB, for centrally assigned Unique Local IPv6
>    unicast addresses.  This allocation authority shall comply with the
>    requirements described in Section 3.2 of this document, including in
>    particular allocation on a permanent basis and with sufficient
>    provisions to avoid hoarding of numbers.  If deemed appropriate, the
>    authority may also consist of multiple organizations performing the
>    allocation authority duties.
> 
>    The designated allocation authority is required to document how they
>    will meet the requirements described in Section 3.2 of this document
>    in an RFC.  This RFC will be shepherd through the IETF by the IAB."
> 
> 
> 
> 
> 
> ==========================================================================
> Jason Schiller                                               (703)886.6648
> Senior Internet Network Engineer                         fax:(703)886.0512
> Public IP Global Network Engineering                       schiller at uu.net
> UUNET / Verizon                         jason.schiller at verizonbusiness.com
> 
> The good news about having an email address that is twice as long is that
> it increases traffic on the Internet.
> 
> On Thu, 10 May 2007, Owen DeLong wrote:
> 
>> Date: Thu, 10 May 2007 23:12:21 -0700
>> From: Owen DeLong <owen at delong.com>
>> To: "william(at)elan.net" <william at elan.net>
>> Cc: vixie at vix.com, ppml at arin.net, address-policy-wg at ripe.net
>> Subject: Re: [ppml] article about IPv6 vs firewalls vs NAT in arstechnica
>>     (seen on slashdot)
>> 
>> ULA Central is intended so that some subset of the internet can reliably
>> use it to interconnect while not being "globally" routed.
>> 
>> The problem I have with this theory is that the delta between a
>> collection
>> of networks routing by mutual agreement and the internet is:
>> 
>> A. Fuzzy
>> B. Non-Existant
>> C. There is no difference
>> D. Meaningless
>> E. Any and/or All of the above
>> 
>> Pick your favorite answer from the above and you've pretty much got it.
>> If ULA central were limited to not exiting the local AS (in some
>> meaningful
>> way, like routers won't forward routes or traffic to ULA addresses to
>> external
>> adjacencies), then, I might see it as something other than an end-run on
>> the RIR process.  However, in it's current state of "license for
>> anyone who
>> wants to run a competing RIR for networks that choose to interoperate
>> on this basis" I think it's a pretty bad idea.
>> 
>> Owen
>> 
>> 
>> On May 11, 2007, at 12:03 AM, william(at)elan.net wrote:
>> 
>>> 
>>> I don't understand your point about why ULA need to be registered if
>>> its not going to be globally routed. Also PI is not the same as ULA -
>>> PI do come from RIRs and in IPv6 there was no way to get PI (except
>>> in a few special cases) until recent ARIN's micro-allocation policy.
>>> 
>>> On Fri, 11 May 2007, Tony Hain wrote:
>>> 
>>>> I agree that this will help inform the debate, and while Iljitsch
>>>> did a good
>>>> job of outlining the issue, he left out a significant point:::
>>>> People explicitly chose to be in the state of "as there is
>>>> currently no
>>>> obvious way to make services only available locally" by insisting
>>>> that the
>>>> local-scope addressing range have a global-scope as far as
>>>> application
>>>> developers were concerned. Now the application developers are
>>>> complaining
>>>> about the consequences of their choice, because the alternative to
>>>> 'no
>>>> routing path for an attack' is to insert a device that has to make
>>>> policy
>>>> decisions with limited information.
>>>> 
>>>> The current ULA-central discussions will be directly involved in
>>>> this issue.
>>>> It is critical that all of the RIR's have policies establishing a
>>>> mechanism
>>>> for registering ULA-central prefixes & PI. For those who don't
>>>> recall, the
>>>> reason ULA-central was tabled was that it was seen as a potential
>>>> end-run to
>>>> acquire PI space in the absence of appropriate policy to do so out
>>>> of a
>>>> range recognized for global routing.
>>>> 
>>>> The need for keeping some things local while others are global is
>>>> real, and
>>>> the lack of appropriate mechanisms to accomplish that through the
>>>> routing
>>>> system that is designed to deal with path selection leads to entire
>>>> industries for fragile work-arounds along with their increased
>>>> complexity.
>>>> 
>>>> Tony
>>>> 
>>>> 
>>>>> -----Original Message-----
>>>>> From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net] On
>>>>> Behalf Of
>>>>> vixie at vix.com
>>>>> Sent: Thursday, May 10, 2007 9:59 PM
>>>>> To: ppml at arin.net
>>>>> Subject: [ppml] article about IPv6 vs firewalls vs NAT in
>>>>> arstechnica
>>>>> (seen on slashdot)
>>>>> 
>>>>> i think that this article will help inform the debate around the
>>>>> ipv6
>>>>> transition:
>>>>> 
>>>>> http://arstechnica.com/articles/paedia/ipv6-firewall-mixed-
>>>>> blessing.ars
>>>>> _______________________________________________
>>>>> This message sent to you through the ARIN Public Policy Mailing List
>>>>> (PPML at arin.net).
>>>>> Manage your mailing list subscription at:
>>>>> http://lists.arin.net/mailman/listinfo/ppml
>>>> 
>>>> _______________________________________________
>>>> This message sent to you through the ARIN Public Policy Mailing List
>>>> (PPML at arin.net).
>>>> Manage your mailing list subscription at:
>>>> http://lists.arin.net/mailman/listinfo/ppml
>>> _______________________________________________
>>> This message sent to you through the ARIN Public Policy Mailing List
>>> (PPML at arin.net).
>>> Manage your mailing list subscription at:
>>> http://lists.arin.net/mailman/listinfo/ppml
>> 
>> 
> 
> 
> _______________________________________________
> This message sent to you through the ARIN Public Policy Mailing List
> (PPML at arin.net).
> Manage your mailing list subscription at:
> http://lists.arin.net/mailman/listinfo/ppml




**********************************************
The IPv6 Portal: http://www.ipv6tf.org

Bye 6Bone. Hi, IPv6 !
http://www.ipv6day.org

This electronic message contains information which may be privileged or confidential. The information is intended to be for the use of the individual(s) named above. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, including attached files, is prohibited.






More information about the ARIN-PPML mailing list