On 02/08/2012 21:30, Steven Bellovin wrote:
> On Aug 2, 2012, at 1:24 PM, David Conrad wrote:
>
>> On Aug 2, 2012, at 11:44 AM, j...@mercury.lcs.mit.edu (Noel Chiappa) wrote:
>>>> we should instead focus on the ways that the technical architecture of
>>>> the Internet creates control points that are vulnerable to capture and
>>>> consider ways in which those control points can be made capture-proof.
>>> Agreed.
>> The challenge of course is that one of the simple/efficient mechanisms to
>> implement desirable features (e.g., security, scalability, manageability) is
>> to create hierarchies, but those very hierarchies provide control points
>> that can (at least in theory) be captured. The DNS root is one such, the
>> proposed RPKI root is another. Perhaps a variation of the Software
>> Engineering Dilemma ("fast, good, cheap: pick two") applies to Internet
>> architecture: secure, scalable, manageable: pick two?
>>
>>>> If the ITU-T wants to also be in the business of handing out IPv6
>>>> address names then give them a /21 or a /16 and tell them to go
>>>> party.
>> I don't think this is what the ITU is after. My impression is that the ITU
>> is arguing that member states should get the /<whatever> directly.
>>
>>> I basically agree. It could have negative impacts on the routing, by
>>> impacting route aggregatability, but it can hardly be worse than those
>>> bletcherous PI addresses, so if it makes them happy to be in charge of a
>>> large /N, why not?
>> I believe the routing scalability risk lies not in the allocation body, but
>> rather the policies imposed around the allocations. That is, imagine a
>> world of 200+ National Internet Registries instead of 5 Regional Internet
>> Registries. If the government behind an NIR then decides that to use the
>> Internet in their country, you must use addresses allocated by the NIR of
>> that country, you then run the risk of having 200+ prefixes for each entity
>> that operates globally. This risk could be addressed if it didn't matter
>> where you get your addresses; however, that isn't true with the existing
>> model, and there are political pressures that would likely ensure that it
>> would not be true in the NIR model.
>
>
> It also implies entry into a country through a few official gateways/exchange
> points -- that way, there are only ~200 entries plus your own country's that
> you need in your RIB... (Telecom used to be that way -- PTTs and other
> monopolies (e.g., AT&T) loved it.)

Exactly. It is intended to defeat the Internet's historical growth model of independence from national administrations and monopolies, by imposing a geographical addressing scheme. Since the Internet actually works with a topological addressing scheme, the effect is to force the topology to be congruent with the geography. If you want central control, that's a desirable result. It isn't a harmless concession. We've been playing whack-a-mole against this for a number of years now.

Brian Carpenter