[arin-ppml] IPv6 Non-connected networks

Owen DeLong owen at delong.com
Mon Mar 22 13:37:09 EDT 2010


On Mar 22, 2010, at 7:12 AM, Michael Richardson wrote:

>
>> The ISP _will_ listen because the customer has money,
>> collectively if not enough individually.
>
> I'm also lost by this statement.
> It seems to be lost in IPv4 scarcity ideas to me.
>
> It's not one ISP that customer with $$$$ has to convince, but *all* of
> them.   A customer with that much money can certainly afford to buy
> globally routable /48, or a /32 or something.
>
If there were enough reliably good filtering, sure. There isn't, and, as
long as one ISP somewhere accepts it, it'll get to a surprisingly large
fraction of the internet and eventually, it'll end up getting accepted.

> End systems with that much money do not appear overnight, so it's not
> like they are going to number a billion mobile phones with ULA-C
> addresses and then want to route it.

Given the source of some of the tactics like this which I have seen
in IPv4, I wouldn't count on that being the case.

I do know of one case, of which I can't disclose details due to NDA, where
it was exactly a very large mobile phone provider forcing another company
to route an IANA-Reserved /8 to their network. I keep hoping that said /8
ends up at least partially allocated to one of said company's other
customers.

> Such an organization will have money to get the address space they need.
>
Doesn't mean they'll choose to do it, especially if ULA-C appears otherwise
easier or cheaper to get.

> If there are customers with $$$$ money, how come they haven't convinced
> ISPs to route 10/8 for them already?
>
10/8 suffers from a lack of global uniqueness. This means that none of the
multiple users is more entitled to use it than any of the others and routing
it is guaranteed to be a mess.  (Still, it's not like it never appears in tables
in the DFZ).

ULA-C would not suffer from this issue, so, I can see the thought process
going along the lines of "Heh.. $$$ for doing something harmless.. Why not."

> Listen to Michael Dillon, my emphasis:
>
>> Enterprise users, who are SORELY UNDERREPRESENTED in the RIRs, rather
>> like to have internal networks addressed with blocks which DON'T WORK
>> on the Internet. It adds an ADDITIONAL LAYER OF SECURITY in case
>> various people make mistakes in configuring things like routers and
>> firewalls.
>
> AND, a reason why having whois-type information available, and for using
>     globally unique address is so that when this mistake is discovered, it
>     is possible to actually find out whose address space is leaking!
>
ULA-C isn't going to be blocks which don't work on the internet. It's going
to be blocks which people expect not to work on the internet, but, really
they do under some circumstances.  End result, a false sense of security
which is worse than no security.

NAT != Security
Address Obfuscation != Security
Misconfiguration == Insecurity

Belief otherwise merely increases risk.

Owen
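As an added illustration of the point Owen makes above (this is example code, not part of the thread): a small check that walks route-table output and flags any prefix that falls inside a block which is not supposed to be globally routable, such as ULA (fc00::/7) or 10/8. The bogon list is an illustrative subset, not a complete one, and the route-table sample is constructed for the example.

```python
import ipaddress
import re

# Illustrative subset of prefixes that should never appear in a globally
# routed (DFZ) table: ULA (RFC 4193), RFC 1918 space and two IANA-reserved
# IPv4 ranges. Not a complete bogon list.
NOT_GLOBALLY_ROUTABLE = {
    "fc00::/7": "ULA (RFC 4193) - expected not to route, but leaks happen",
    "10.0.0.0/8": "RFC 1918 private space",
    "172.16.0.0/12": "RFC 1918 private space",
    "192.168.0.0/16": "RFC 1918 private space",
    "0.0.0.0/8": "IANA reserved (this network)",
    "240.0.0.0/4": "IANA reserved (future use)",
}

_PREFIX_RE = re.compile(r"^\s*(\S+/\d+)")

def leaked_prefixes(route_lines):
    """Return (prefix, reason) for every route whose prefix falls inside a
    block that is not supposed to be globally routable."""
    bogons = [(ipaddress.ip_network(p), why)
              for p, why in NOT_GLOBALLY_ROUTABLE.items()]
    findings = []
    for line in route_lines:
        m = _PREFIX_RE.match(line)
        if not m:
            continue  # header, comment or blank line
        try:
            net = ipaddress.ip_network(m.group(1), strict=False)
        except ValueError:
            continue  # first token was not a prefix at all
        for bogon, why in bogons:
            # subnet_of() only compares networks of the same IP version
            if net.version == bogon.version and net.subnet_of(bogon):
                findings.append((str(net), why))
                break
    return findings

# Constructed sample of "show route"-style output, not real data.
SAMPLE_TABLE = """
2001:db8:1234::/48   via 2001:db8::1
fd12:3456:789a::/48  via 2001:db8::2
203.0.113.0/24       via 192.0.2.1
10.0.0.0/8           via 192.0.2.1
10.20.0.0/16         via 192.0.2.3
240.1.0.0/16         via 192.0.2.4
""".strip().splitlines()

if __name__ == "__main__":
    for prefix, why in leaked_prefixes(SAMPLE_TABLE):
        print(f"{prefix}: {why}")
```

Run against real router output, the same check makes a leaked ULA-C or 10/8 announcement visible instead of silently relying on it "not working".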
