[ppml] Suggestion for ARIN to delegate smaller IP blocks

Ted Mittelstaedt tedm at ipinc.net
Thu May 31 17:53:56 EDT 2007


> -----Original Message-----
> From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net] On Behalf Of Leroy Ladyzhensky
> Sent: Thursday, May 31, 2007 1:12 PM
> To: ppml at arin.net
> Subject: [ppml] Suggestion for ARIN to delegate smaller IP blocks

> In this suggestion I am not talking about ISPs but this is directed to
> policy IPv4 assignment for "end-users".

> The current policy is as follows...

[deleted]

> Imagine this situation:

> An internet based company provides a specialized service. In order for the
> company's clients to utilize this service they need to open ports in their
> firewall. As we know this option in a firewall is based on the IPs of the
> internet based company.

Leroy,

  I'm very sorry but this is based on flawed reasoning.  Let me demonstrate:

ip-port-rtr0# sh ver | include IOS
IOS (tm) 7200 Software (C7200-IK8S-M), Version 12.2(46), RELEASE SOFTWARE
(fc1)
ip-port-rtr0#config t
Enter configuration commands, one per line.  End with CNTL/Z.
ip-port-rtr0(config)#access-list 100 permit ip host mail.ipinc.net any
ip-port-rtr0(config)#exit
ip-port-rtr0#sh access-list 100
Extended IP access list 100
    permit ip host 65.75.192.11 any

Now I'm not going to belabor the point with a long drawn out example of how
to set up remote management of access lists on routers - just be aware that
when Cisco IOS boots it will interpret an access list that uses DNS names -
the stored config may contain a DNS name, not an IP address.  Obviously you
have to put the config into the router's nvram through other means than
"write mem", but that is trivial.

Other enterprise level firewalls have the same capability.  And Cisco has
tools that allow a single console to manage 2000 routers if need be -
assuming the admin isn't educated enough to do it with free open source
scripting tools that have been around for the last 20 years.  (I assume you
know that Cisco routers can be made into firewalls with the IOS Firewall
Feature set.)

> Let's say they have 2000 clients, so that's 2000 firewalls that have
> entries for their IPs.

Then you see, they have a choice.  They can specify El-Cheapo dlink or
otherwise crummy "firewalls" (which will not be IPv6 compliant and thus have
to be switched out in a few years anyway) that have ZERO capability for
remote management, and cannot use DNS in access list configurations, or they
can specify REAL enterprise-level firewalls that they can remotely manage on
their customers' behalf with configurations that are not full of static IP
addresses.

The rest of your reasoning was all stacked on the idea you have to use
static IPs at the customer site, so in disproving that, it makes the rest
of the argument moot.

I am sure you're capable of contriving more un-real world examples to argue
the point; the fact is, anyone with 2000 clients had better have given this
matter serious thought and had a much longer and more thorough ISP selection
process than just calling the Yellow Pages and getting the cheapest hosting
in town.  Before getting yourself into this kind of corner you had better
have allocated sufficient IP addresses in advance for future growth and be
pretty sure your provider isn't some fly-by-night operator who is going to
take away your IP numbers for no good reason.

Fundamentally this is an argument that boils down to "my lack of planning
is the rest of the world's problem" or more accurately, "I figured out a
way to make a buck that involves causing the rest of the world to spend
more money".

As was said, allowing smaller advertisements causes everyone else on the
Internet to spend more money.  It helps a few companies and individuals so
that they can get away with half-assed El Cheapo deployments with Dlink
routers, at the cost of the rest of the individuals and companies on the
Internet paying for it.  It is better for everyone to not provide an
environment that would encourage a company to contemplate having 2000 Dlink
routers out there with statically assigned IP addresses, but instead force
them to contemplate 2000 IOS firewalls with a much more expensive, yet
remotely manageable, setup.

Ted
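As an added example that is not part of the original post, the script below shows the operational consequence of the IOS session Ted pasted: the router stores the address it resolved at configuration time, so a hostname-based access policy needs a re-resolve-and-compare step to catch entries that have gone stale when the service provider's addresses change. The hostnames, addresses and DNS answers are constructed for the example.

```python
import ipaddress
import re

# Constructed sample of what "show access-list" prints after IOS resolved the
# hostnames at configuration time (documentation-range IPs, made up here).
STORED_ACL = """Extended IP access list 100
    permit ip host 192.0.2.11 any
    permit tcp host 192.0.2.25 any eq 443
"""

# Hostname-based source of truth the operator intends (hypothetical names);
# the order matches the order the entries were configured on the router.
INTENDED = [
    ("mail.example.net", "permit ip host {ip} any"),
    ("svc.example.net", "permit tcp host {ip} any eq 443"),
]

# Constructed DNS answers standing in for a live resolver so the example runs
# offline; the second host has moved since the ACL was stored.
def fake_resolve(name):
    return {"mail.example.net": "192.0.2.11", "svc.example.net": "198.51.100.7"}[name]

ENTRY = re.compile(r"^\s*(permit|deny)\s+\S+\s+host\s+\S+\s+.*$")

def parse_stored(text):
    """Return the permit/deny host entries of a stored ACL, whitespace-normalised."""
    return [" ".join(l.split()) for l in text.splitlines() if ENTRY.match(l)]

def reconcile(stored_text, intended, resolve):
    """Regenerate the ACL from hostnames and list the entries that no longer
    match what the router has stored, i.e. where the DNS answer has moved."""
    stored = parse_stored(stored_text)
    generated, drift = [], []
    for i, (name, template) in enumerate(intended):
        ip = str(ipaddress.ip_address(resolve(name)))  # reject junk answers early
        line = template.format(ip=ip)
        generated.append(line)
        old = stored[i] if i < len(stored) else None
        if old != line:
            drift.append((name, old, line))
    return generated, drift

if __name__ == "__main__":
    lines, drift = reconcile(STORED_ACL, INTENDED, fake_resolve)
    print("\n".join(lines))
    for name, old, new in drift:
        print(f"DRIFT {name}: stored '{old}' but DNS now gives '{new}'")
```

In a real deployment the regenerated lines are what gets pushed to the router, and a non-empty drift list is the signal that the stored ACL is already blocking the provider's new address.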
