[ppml] Suggestion for ARIN to delegate smaller IP blocks
John Santos
JOHN at egh.com
Thu May 31 19:39:15 EDT 2007
This is completely wrong. In Leroy's scenario, his company does not
own and does not manage the 2000 firewalls. Those belong to his
customers. He is not providing a soup-to-nuts internet service to
those customers. He is providing one specific service on one (or a
small) number of specific ports, from one (or a small number of specific)
servers. The *CUSTOMER* has to open the *CUSTOMER'S* firewall to
those specific ports and services in order to utilize Leroy's service.
It is the 2000 customers who would have to pay the cost. It may be
small for each, but it's cumulative, and will certainly generate lots
of support calls back to Leroy's company.
My company is in a similar situation to Leroy's customers. We have an
external mail filtering service. Our published MX records point to
the service, and they then forward the (filtered for spam, viruses,
RBL, etc.) mail to us, so we have had to open up our firewall to SMTP
from their specific IP addresses. We are certainly *not* going to let
them manage our firewalls for us, nor are we going to willy-nilly change
our firewall rules on their request without minimally verifying the
origin of the request (a support call to them.) Multiply by several
thousand customers.
If they were to start changing IP addresses frequently, we would start
looking for a new service provider.
This is an *extremely* unlevel playing field, since ACME GIANT ASP,
INC. (which is many times the size of Leroy's company) could easily
justify an allocation, and thus could promise their customers that
their IP addresses and firewall rules would never change.
Of course, Leroy could game the system and provide each of his customers
with a single, unique IP address (thus requiring 8 class C's) and
then forward them all to the same handful of servers at his firewalls.
So is it better for the overburdened routers to route to one Class C
(what Leroy actually requires), or to 8 of them? (Especially given
there is no guarantee the 8 would be contiguous and thus could be
treated as a single /21 for routing purposes.)
On Thu, 31 May 2007, Ted Mittelstaedt wrote:
>
> > -----Original Message-----
> > From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net]On Behalf Of
> > Leroy Ladyzhensky
> > Sent: Thursday, May 31, 2007 1:12 PM
> > To: ppml at arin.net
> > Subject: [ppml] Suggestion for ARIN to delegate smaller IP blocks
>
> > In this suggestion I am not talking about ISP's but this is directed to
> > policy IPv4 assignment for "end-users".
>
> > The current policy is as follows...
>
> [deleted]
>
> > Imagine this situation:
>
> > An internet based company provides a specialized service. In order for the
> > company's clients to utilize this service they need to open ports in their
> > firewall. As we know this option in a firewall is based on the IP's of the
> > internet based company.
>
> Leroy,
>
> I'm very sorry but this is based on flawed reasoning. Let me demonstrate:
>
> ip-port-rtr0# sh ver | include IOS
> IOS (tm) 7200 Software (C7200-IK8S-M), Version 12.2(46), RELEASE SOFTWARE
> (fc1)
> ip-port-rtr0#config t
> Enter configuration commands, one per line. End with CNTL/Z.
> ip-port-rtr0(config)#access-list 100 permit ip host mail.ipinc.net any
> ip-port-rtr0(config)#exit
> ip-port-rtr0#sh access-list 100
> Extended IP access list 100
> permit ip host 65.75.192.11 any
>
> Now I'm not going to belabor the point with a long drawn out example of how
> to set up remote management of access lists on routers - just be aware that
> with Cisco IOS when it boots it will interpret an access list that uses DNS
> names - the stored config may contain a DNS name not an IP address.
> Obviously you have to put the config into the router's nvram through other
> means than "write mem" but that is trivial.
>
> Other enterprise level firewalls have the same capability. And Cisco has
> tools that allow a single console to manage 2000 routers if need be -
> assuming the admin isn't educated enough to do it with free open source
> scripting tools that have been around for the last 20 years. (I assume you
> know that Cisco routers can be made into firewalls with IOS Firewall Feature
> set)
>
> > Let's say they have 2000 clients. So that's 2000 firewalls that have
> > entries for their IP's.
>
> Then you see, they have a choice. They can specify El-Cheapo dlink or
> otherwise crummy "firewalls" (which will not be IPv6 compliant and thus have
> to be switched out in a few years anyway) that have ZERO capability for
> remote management, and cannot use DNS in access list configurations, or they
> can specify REAL enterprise-level firewalls that they can remotely manage on
> their customers' behalf with configurations that are not full of static IP
> addresses.
>
What makes you think Leroy is specifying anything at the customer's
premises? The customer is choosing (one hopes!) their own firewall,
router, ISP, etc.
> The rest of your reasoning was all stacked on the idea you have to use
> static IPs at the customer site, so in disproving that, it makes the rest
> of the argument moot.
>
The customers don't (necessarily) have static IPs. Leroy's company is
the one that needs the static IPs.
> I am sure you're capable of contriving more un-real world examples to argue
> the point; the fact is, anyone with 2000 clients better have given this
> matter serious thought and had a much longer and more thorough ISP selection
> process than just calling the Yellow Pages and getting the cheapest hosting
> in town. Before getting yourself into this kind of corner you had better
> have allocated sufficient IP addresses in advance for future growth and be
> pretty sure your provider isn't some fly-by-night operator who is going to
> take away your IP numbers for no good reason.
>
Or never quadruple their rates or go into direct competition with him
or otherwise make their ongoing business relationship untenable?
> Fundamentally this is an argument that boils down to "my lack of planning
> is the rest of the world's problem" or more accurately, "I figured out a way
> to make a buck that involves causing the rest of the world to spend more
> money"
>
> As was said, allowing smaller advertisements causes everyone else on the
> Internet to spend more money. It helps a few companies and individuals so
> that they can get away with half-assed El Cheapo deployments with Dlink
> routers, at the cost of the rest of the individuals and companies on the
> Internet paying for it. It is better for everyone to not provide an
> environment that would encourage a company to contemplate having 2000 Dlink
> routers out there with statically assigned IP addresses, but instead force
> them to contemplate 2000 IOS firewalls with a much more expensive, yet
> remotely manageable, setup.
>
> Ted
--
John Santos
Evans Griffiths & Hart, Inc.
781-861-0670 ext 539
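The thread's practical problem is a customer firewall that allows SMTP only from a provider's static addresses, which silently breaks when those addresses change. The following added example (not from either poster) checks a stored IOS-style access list against what the provider's published hostnames currently resolve to and renders the rules that the current addresses would require; the hostnames, addresses, ACL number and the resolver map standing in for DNS are all constructed.

```python
import ipaddress
import re

# Constructed stand-in for DNS: provider hostnames -> current addresses.
CONSTRUCTED_DNS = {
    "mx1.filter.example": ["192.0.2.10"],
    "mx2.filter.example": ["192.0.2.11", "192.0.2.12"],
}

# Constructed snapshot of the customer's current IOS access list.
CURRENT_ACL = """
Extended IP access list 120
permit tcp host 192.0.2.10 any eq smtp
permit tcp host 198.51.100.7 any eq smtp
""".strip()

RULE_RE = re.compile(r"^permit tcp host (\S+) any eq smtp$")


def stored_sources(acl_text):
    """Return the set of source addresses currently allowed for SMTP."""
    found = set()
    for line in acl_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            found.add(ipaddress.ip_address(m.group(1)))
    return found


def resolve_all(hostnames, resolver):
    """Resolve every provider hostname; a name that fails to resolve is an
    error rather than a silent gap, so a stale rule is never removed blindly."""
    addrs = set()
    for name in hostnames:
        if name not in resolver:
            raise LookupError(f"{name} did not resolve; refusing to guess")
        addrs.update(ipaddress.ip_address(a) for a in resolver[name])
    return addrs


def drift(acl_text, hostnames, resolver=CONSTRUCTED_DNS):
    """Return (stale, missing): stale = allowed but no longer published by the
    provider, missing = published by the provider but not yet allowed."""
    stored = stored_sources(acl_text)
    live = resolve_all(hostnames, resolver)
    return stored - live, live - stored


def acl_lines(acl_number, hostnames, resolver=CONSTRUCTED_DNS):
    """Render the IOS rules the provider's current addresses would require."""
    return [f"access-list {acl_number} permit tcp host {a} any eq smtp"
            for a in sorted(resolve_all(hostnames, resolver))]
```

Run against a real provider, the drift report is what an operator would confirm with the provider (the support call John mentions) before changing the rule set.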