[arin-ppml] 2600::/12 LOA

[Andrew Fried]

Hi Joe,

The problem with announcing overlapping space like this is that MERIT
becomes a sinkhole for legitimate traffic should an organization using
address space in 2600::/12 have some kind of network problem.  While
many organizations with IPv6 space are dual homed, many rely on a single
router.  If that router goes down for a firmware update or a power cable
gets inadvertently unplugged, all of their inbound connections will
suddenly start getting intercepted by MERIT.  I'm not comfortable with that.

I use the term sinkhole in hopes that MERIT isn't more aggressive with
their data capturing and running honeypots.

This is not a "service" that ARIN should have allowed without the
express consent of each netblock owner that could be potentially
affected.  And I don't agree with your position that this in any way
promotes IPv6 implementation.

Regardless of the justifications for having done this in the past, ARIN
should not allow this to continue.

Andrew


On 3/29/14, 1:29 PM, Joe St Sauver wrote:
> Hi,
>
> John Curran commented:
>
> #We were asked to cooperate with Merit on darknet research on ARIN's IPv6
> #2600::/12 space and I authorized the effort.  Apparently, the effort also
> #included the routing an overall covering prefix and I missed that aspect 
> #of the project.  Aside from the technical concerns outlined here, there 
> #is also a very valid question of whether ARIN should ever be involved in 
> #routing authorization covering already issued space, since presumably the 
> #same dialogue and consensus in the operator community (that should be a 
> #prerequisite for such an experiment) should also suffice as the approval 
> #with ISPs when it comes to researchers actually inserting the necessary 
> #routes.
> #
> #Going forward, ARIN will not issue routing authorization that covers any
> #address space issued to others without community-developed policy that
> #specifically directs us to do so.   
>
> In mid-December 2013 I highlighted this very Merit darknet project in 
> a keynote I did for Merit Networks Networking Summit in Ann Arbor, see
> "Networking in These Crazy Days: Stay Calm, Get Secure, and Get Involved,"
> http://pages.uoregon.edu/joe/merit-networking/merit-networking.pdf
> at slide 28. 
>
> I think that the Merit IPv6 darknet project was *very* important in helping
> to promote uptake of IPv6 in that it provides empirical evidence that the 
> level of "background radiation" in IPv6 space isn't very high right now 
> (roughly ~1Mbps), and what is there is typically the result of 
> misconfiguration rather than malicious scanning (or at least that's what 
> was reported in the Merit technical paper summarizing that experience,
> as cited in my slides).
>
> Moreover, given BGP route selection rules, I'm not particularly disturbed
> by the presence of that covering announcement: any more specific route should
> immediately be preferred to a broad covering route of the sort employed by
> the IPv6 darknet research effort.
>
> I believe that ARIN acted properly in supporting this network research, and 
> I'd be quite disappointed if ARIN (and other RIRs) discontinued support for 
> research of this sort, particularly when carefully done by leading academic 
> networking research organizations.
>
> Regards,
>
> Joe St Sauver, Ph.D. (joe at oregon.uoregon.edu)
>
> Disclaimer: I am not affiliated with the Merit Darknet effort, and all 
> opinions expressed in this note are purely my own.
> _______________________________________________
> PPML
> You are receiving this message because you are subscribed to
> the ARIN Public Policy Mailing List (ARIN-PPML at arin.net).
> Unsubscribe or manage your mailing list subscription at:
> http://lists.arin.net/mailman/listinfo/arin-ppml
> Please contact info at arin.net if you experience any issues.

-- 
Andrew Fried
afried at deteque.com

+1.703.667.4050   Office
+1.703.362.0067   Mobile
deteque           Skype