On 02/08/2012 21:30, Steven Bellovin wrote:
> On Aug 2, 2012, at 1:24 PM, David Conrad wrote:
> 
>> On Aug 2, 2012, at 11:44 AM, j...@mercury.lcs.mit.edu (Noel Chiappa) wrote:
>>>> we should instead focus on the ways that the technical architecture of
>>>> the Internet creates control points that are vulnerable to capture and
>>>> consider ways in which those control points can be made capture-proof.
>>> Agreed.
>> The challenge of course is that one of the simple/efficient mechanisms to 
>> implement desirable features (e.g., security, scalability, manageability) is 
>> to create hierarchies, but those very hierarchies provide control points 
>> that can (at least in theory) be captured.  The DNS root is one such, the 
>> proposed RPKI root is another.  Perhaps a variation of the Software 
>> Engineering Dilemma ("fast, good, cheap: pick two") applies to Internet 
>> architecture: secure, scalable, manageable: pick two?
>>
>>>> If the ITU-T wants to also be in the business of handing out IPv6
>>>> address names then give then a /21 or a /16 and tell them to go
>>>> party.
>> I don't think this is what the ITU is after.  My impression is that the ITU 
>> is arguing that member states should get the /<whatever> directly.
>>
>>> I basically agree. It could have negative impacts on the routing, by impacting
>>> route aggregatability, but it can hardly be worse than those bletcherous PI
>>> addresses, so if it makes them happy to be in charge of a large /N, why not?
>> I believe the routing scalability risk lies not in the allocation body, but 
>> rather the policies imposed around the allocations.  That is, imagine a 
>> world of 200+ National Internet Registries instead of 5 Regional Internet 
>> registries.  If the government behind an NIR then decides that to use the 
>> Internet in their country, you must use addresses allocated by the NIR of 
>> that country, you then run the risk of having 200+ prefixes for each entity 
>> that operates globally.  This risk could be addressed if it didn't matter 
>> where you get your addresses, however that isn't true with the existing 
>> model and there are political pressures that would likely ensure that it 
>> would not be true in the NIR model.
> 
> 
> It also implies entry into a country through a few official gateways/exchange 
> points -- that way, there are only ~200 entries plus your own country's that 
> you need in your RIB...  (Telecom used to be that way -- PTTs and other 
> monopolies (e.g., AT&T) loved it.)

Exactly. It is intended to defeat the Internet's historical growth model
of independence from national administrations and monopolies, by imposing
a geographical addressing scheme. Since the Internet actually works with
a topological addressing scheme, the effect is to force the topology
to be congruent with the geography. If you want central control, that's
a desirable result.

It isn't a harmless concession. We've been playing whack-a-mole against
this for a number of years now.

   Brian Carpenter
