RE: [ipv6-wg@ripe.net] RE: /48 micro allocations for v6 root servers, was: national security

2003-12-13 Thread Jeroen Massar 
-BEGIN PGP SIGNED MESSAGE-

Joao Damas [mailto:[EMAIL PROTECTED] wrote:

BIG SNIP

 No, no and definitely no!!!
 
 It is one thing to put all IXP prefixes in the same block, 
 after all it 
 does not matter if they are not seen in the global Internet as, in 
 fact, they should not be visible.

My idea exactly, though some others think differently and
they have their valid reasons to do so.

 However, putting public infrastructure all in the same prefix 
 is about the worst idea I have heard in some time. One hiccup
 would kill them all at the same time.

All the 'public infrastructure' is under 2000::/3 at the moment.
Do hiccup's over there cause any problems? I mean, come on, even
Cisco (AS109 FYI) is passing prefixes through their routers that
have private ASN's as transits.

If they are all in the same prefix (/32 for instance) at least
people could safeguard and put monitoring on those prefixes as
they are easily identified as being 'critical infra', which is
the reason why it is currently seperately specified in the RIR
allocation policies.

Next to that if DNS's are given a micro-allocation from that
/32, ISP's will know that it is normal and default behaviour
for that prefix, unlike the current set of a number of 'special'
prefixes that simply look like normal prefixes.

I really don't see any difference between:
 - 2001:db8::/32 = 1 NS
or:
 - 2001:db8::/32 = contains all NS's
2001:db8:1:/48 - A.root
2001:db8:2:/48 - B.root
2001:db8:3:/48 - C.root
2001:db8:2000:/48 - nl.tld
2001:db8:3000:/48 - de.tld


The last one are more specifics anyways, if anybody is able
to announce a /32 or a /48, it doesn't matter it will always
be a BGP and trust problem. Same if I would announce say,
198.41.0.0/22 on the AMS-IX to the peers over there, it will
have the shortest path and any ISP not filtering correctly
will start sending the traffic to me. That is a BGP security
and peering-trust problem and has nothing to do with the above.

Greets,
 Jeroen

-BEGIN PGP SIGNATURE-
Version: Unfix PGP for Outlook Alpha 13 Int.
Comment: Jeroen Massar / [EMAIL PROTECTED] / http://unfix.org/~jeroen/

iQA/AwUBP9tLICmqKFIzPnwjEQJaAgCeKFRi6JIAr9YW6o8Q0R89WNzUTQ8AoKxY
v0pH3CxlzoSBmcioQfkGbfzV
=7CTX
-END PGP SIGNATURE-

Re: [ipv6-wg@ripe.net] RE: /48 micro allocations for v6 root servers, was: national security

2003-12-12 Thread Sascha Lenz 
Hay,

On Mon, Dec 08, 2003 at 10:16:03PM +0100, Gert Doering wrote:
 Hi,
 
 On Mon, Dec 08, 2003 at 10:01:53PM +0100, Jeroen Massar wrote:
  There are currently quite some ISP's who filter anything /35.
  Generally ISP's should be filtering on allocation boundaries.
  Thus if a certain prefix is allocated as a /32, they should not
  be accepting anything smaller (/33, /34 etc)
 
 There is no commonly agreed-upon best practice for this yet.
 
 We do *not* suppress more-specifics from those address blocks, as we
 think it's a legitimate wish for certain networks to be multihomed,
 and currently there is no other solution than to go for the pragmatic
 approach, and just announce a /40 or even /48.
 
 I agree that things that are more specific than a /48 should not be
 out there.

Well I think everyone agrees, that Prefixes longer than /48 should
definately not show up in the global routing table, simlar to prefixes
longer than /24 in the IPv4 world.

I even could somehow understand, that we might not want /48s, i.e.
end-sites to be in the global BGP table.

But what i really oppose is, that there should or must be filters
on RIR Allocation boundaries, i.e. /32's and shorter.

_At_least_ NLA space (yes, i know, NLA-acronym is depreciated) must
be routable and accepted everywhere,
for example Sub-Allocations to smaller ISPs or non-commarcial organisations
who do not want to get a RIR membership or simply can't afford it
(there is no low-cost membership for non-commercial organisations
available at any RIR AFAICS).

Otherwise this would be a huge discrimination in my eyes, which cannot
be even in today's totally commercialized Internet.

Consider the other options:

- People with money would start making things up to get a RIR allocation
  just like they do nowerdays some times to get portable address
  space (PI Assignments or a PA Block of a /20 or something)

  Everyone can get a RIR member, even end-users. 
  They now get an IPv4 Allocation as soon as they are member (an can
  show some need for IP-space).
  Current IPv6 policy forbids end-sites to get an Allocation,
  but why the difference? 
  Even if this part stays in the policy, people will start to make up
  things, we have 100 employees and 100 contractors which we connect
  in their home-office and assign them /48s .. and they most likely 
  will have their /32 to announce globally.
  
  On the other hand, organisations who don't have the money will be
  completely discriminated.

  
- Rather focus on the one (or few) Prefixes per AS part

  As already stated within this thread, IPv6 fixes the biggest
  problem by design - many many many Prefixes per AS will be no issue.

  Now if we also consider that many many many customers (end-sites)
  who have PI space, ASNs, BGP Multihoming just because there was
  no other solution in the IPv4 world back some years at all...
  Most _are_ happy with whatever IPv6 Multihoming solution other than
  BGP-Multihoming is out there, for example multiple lines to the
  same ISPs, Fallback-Tunnels or whatever the other IPv6 multihoming draft
  was about...
  Not everyone who does full BGP multihoming today does really need it.
 
  BUT - noone who really wants real Multihoming like it is done
  today by announcing a unique prefix, should be denied that.
  This just won't work in the real world, because some customers need
  this, and some non-commercial organisations rather want to invest
  in their infrastructure than in a RIR membership when they only
  have whatever, 200 members and are happy with a /40.
 
  The routers do not care if a prefix is a /32 or a /40 or even a /48.
  No much difference, the amount of Prefixes is the problem.
 
So, probably we should rethink the global IPv6 Policy anyways.
As Gert said - this lack of IPv6 Multihoming possibility with the current
Policy and filters just hinders IPv6 deployment at the moment.
I can't do this in IPv6? On sorry, then i don't see why i need it when
my connectivity gets worse than with IPv4

BTW: I announce several /40s and don't really see routing problems up to 
 now. I really thought, all those folks who fought the holy war for
 strict filters were long gone? Am I wrong?

-- 
==
= Sascha 'master' Lenz  SL277-RIPE  [EMAIL PROTECTED] =
==
= You can rent this space for $$$  * PGP public Key on demand *  =
==

Re: [ipv6-wg@ripe.net] RE: /48 micro allocations for v6 root servers, was: national security

2003-12-11 Thread Joao Damas 
On 9 Dec, 2003, at 2:20, Jeroen Massar wrote:

-BEGIN PGP SIGNED MESSAGE-

[2 mails into one again]

Bill Manning [mailto:[EMAIL PROTECTED] wrote:

% Expect to see routers being optimized that will only route
% the upper 64bits of the address, so you might not want to do
% anything smaller than that.
This, if it happens, will be exactly opposed to
the IPv6 design goal, which was to discourage/prohibit
hardware/software designers from making presumptions or
assumptions about the size of prefixes and HARDCODING them
into products.
Good point. With current allocation schemes it should work but
maybe in the future, for anything outside 2000::/3 it could
indeed change and then the above could indeed break.
Hope the implementators of routing engines did notice that
unlike what I did :)
%  Root nameservers are a very different story of course...
%
% A /32 contains 65k /48's, so these IX blocks could provide for
% enough /48's for 65k IX's, thus unless that switch at the back
% of my desk, which connects 'neighbours' too is to be called an
% IX, because they have a linux router and me too and they speak
% BGP is going to be called an IX it shouldn't be a problem if
% the same block is used for 26? and maybe 3 tld servers per country.
%
% At least everybody will know that that /32 will have more specifics.
%
% Greets,
%  Jeroen
	2001:0478:: was delegated expressly for IX and core infrastructure.
- - is this documented somewhere?
  (google on the prefix only returns discussions about it's use ;)
- - is it available to the world(tm) as it looks like this is only
  available for exchanges managed by EP as per 
http://www.ep.net/wtgipa.html
  Thus also to the RIPE/APNIC/LACNIC region ?
  Regionalizing a root-server shouldn't be the case anyways as it
  shouldn't be bound to a certain spot.

I, personally, see absolutely no problem into making it the 'critical 
infra'
or 'root server' prefix, when it is documented correctly. EP.NET acts 
as
a neutral body, with this way kinda of a sub-RIR though. All 
root-servers
should be using the space then btw, not a few, but all of them.


No, no and definitely no!!!

It is one thing to put all IXP prefixes in the same block, after all it 
does not matter if they are not seen in the global Internet as, in 
fact, they should not be visible.

However, putting public infrastructure all in the same prefix is about 
the worst idea I have heard in some time. One hiccup would kill them 
all at the same time.

Joao Damas
ISC

Re: [ipv6-wg@ripe.net] RE: /48 micro allocations for v6 root servers, was: national security

2003-12-08 Thread Gert Doering 
Hi,

On Mon, Dec 08, 2003 at 10:01:53PM +0100, Jeroen Massar wrote:
 There are currently quite some ISP's who filter anything /35.
 Generally ISP's should be filtering on allocation boundaries.
 Thus if a certain prefix is allocated as a /32, they should not
 be accepting anything smaller (/33, /34 etc)

There is no commonly agreed-upon best practice for this yet.

We do *not* suppress more-specifics from those address blocks, as we
think it's a legitimate wish for certain networks to be multihomed,
and currently there is no other solution than to go for the pragmatic
approach, and just announce a /40 or even /48.

I agree that things that are more specific than a /48 should not be
out there.

[..]
 the ipv6 global routing table is quite small, but it could grow
 quite large and when ISP's still don't filter correctly, or better
 if ISP's don't aggregate it will explode and we will be needing
 the follow up to BGP soon, which is more work for the IETF :)

If every holder of an AS will announce one prefix at maximum (which
should be doable by proper aggregation), the v6 BGP table would grow
to about 20.000 entries.  This is still manageable, although it would
kill my good old Cisco 2500 that still has a full v6 BGP table...

 As for which smoked filled room, this should be a task of the
 RIRs, thus RIPE's IPv6 WG etc. but it usually takes place when
 communicating between ISP's. Notice that many ISP's use Gerts list:
 http://www.space.net/~gert/RIPE/ipv6-filters.html
 
 I would applaud a generic /32 that is 'allowed' to being cut up
 into multiple /48's for the purpose of critical infrastructure.
 But please, keep it to 1 *documented* /32. That way people will
 know that they will see more specifics from that prefix and that
 they should be accepting it too.

As you cite my page, you will also know that it does not make a specific
recommendation on the subject of filtering things between /35 and /48...

Gert Doering
-- NetMaster
-- 
Total number of prefixes smaller than registry allocations:  57386  (57785)

SpaceNet AG Mail: [EMAIL PROTECTED]
Joseph-Dollinger-Bogen 14   Tel : +49-89-32356-0
80807 Muenchen  Fax : +49-89-32356-299

RE: [ipv6-wg@ripe.net] RE: /48 micro allocations for v6 root servers, was: national security

2003-12-08 Thread Jeroen Massar 
-BEGIN PGP SIGNED MESSAGE-

Gert Doering [mailto:[EMAIL PROTECTED] wrote:

 On Mon, Dec 08, 2003 at 10:01:53PM +0100, Jeroen Massar wrote:
  There are currently quite some ISP's who filter anything /35.
  Generally ISP's should be filtering on allocation boundaries.
  Thus if a certain prefix is allocated as a /32, they should not
  be accepting anything smaller (/33, /34 etc)
 
 There is no commonly agreed-upon best practice for this yet.

Some ISP's do it, most don't.

Btw CH-SUNRISE-20031124 = 2001:1700::/27, so Libertel isn't the
biggest girl on the block anymore with their /31 :)

 We do *not* suppress more-specifics from those address blocks, as we
 think it's a legitimate wish for certain networks to be multihomed,
 and currently there is no other solution than to go for the pragmatic
 approach, and just announce a /40 or even /48.
 
 I agree that things that are more specific than a /48 should not be
 out there.

Indeed. And yes there are ISP's announcing /128's etc.
And private ASN's for that matter or even using them as transit.

SNIP

 As you cite my page, you will also know that it does not make a specific
 recommendation on the subject of filtering things between /35 and /48...

Yups and I fully support that argument.

If it was done we would currently see 413 prefixes, those are the
'allocated' prefixes that are getting announced.
In GRH each of the ~30 peers have an average of 459 prefixes.
Checking just know, the highest number of prefixes send to GRH
was 515 prefixes, which is far from the 20k or even 30k if all
the ASN's would announce 1 IPv6 prefix.

At the moment that is certainly no problem and it shouldn't be
for years to come, unless IPv6 really takes off. Google/Doom3 IPv6 anyone?

The biggest advantage that IPv6 already has is that a single
ISP already gets enough space, thus it doesn't need to 

Iljitsch van Beijnum [mailto:[EMAIL PROTECTED] wrote:

 On 8-dec-03, at 22:01, Jeroen Massar wrote:
 
  There are currently quite some ISP's who filter anything /35.
  Generally ISP's should be filtering on allocation boundaries.
  Thus if a certain prefix is allocated as a /32, they should not
  be accepting anything smaller (/33, /34 etc)
 
 So how are ISPs supposed to know what the allocation size for a 
 particular prefix is? This type of filtering only works if the filter 
 list is relatively short and pretty much never changes. Anything else 
 and the cure is worse than the disease.

The proposed Redistribution of Cooperative Filtering Information draft
could help out there which allows one to redistribute 'good prefix' lists.
See https://www1.ietf.org/mail-archive/working-groups/idr/current/msg00201.html
for the draft or http://arneill-py.sacramento.ca.us/redisfilter.ppt for
the presentation given in Minneapolis.

Without that or a similar system, it would be a pain indeed.
That's why I pointed to Gert's page which has a better and
currently working solution.

SNIP

  Currently the !3! IX blocks (2001:7f8::/32 + 2001:504::/32 + 
  2001:7fa::/32)
  are seen being announced in pieces too. Maybe these IX blocks, which
  are common already could be used for assigning 'critical infra' from?

 Note that announcing the actual prefix for an internet exchange subnet 
 tickles an undesirable BGP feature in places where the prefix isn't 
 filtered, so these prefixes are best not announced.

As far as I can see with the GRH tools etc, all the prefixes
that are allocated as IX Prefixes and those that are in use
are currently visible worldwide.

 The allocations seem to be /48s and not /64s though, so in
 practice this shouldn't be a problem but still no reason why
 these should be globally visible.

The only reason I heared so far is so that people in Tokio can
ping the IX interface in London or a similar kind of scenario.
They argue that it is handy for debugging. My take is that if
it isn't your network, you can't fix it either, so if a traceroute
ends on that box, contact them, they can really figure it out.

 Root nameservers are a very different story of course...

A /32 contains 65k /48's, so these IX blocks could provide for
enough /48's for 65k IX's, thus unless that switch at the back
of my desk, which connects 'neighbours' too is to be called an
IX, because they have a linux router and me too and they speak
BGP is going to be called an IX it shouldn't be a problem if
the same block is used for 26? and maybe 3 tld servers per country.

At least everybody will know that that /32 will have more specifics.

Greets,
 Jeroen

-BEGIN PGP SIGNATURE-
Version: Unfix PGP for Outlook Alpha 13 Int.
Comment: Jeroen Massar / [EMAIL PROTECTED] / http://unfix.org/~jeroen/

iQA/AwUBP9UHMymqKFIzPnwjEQLiLwCgta1mOkrixvXcZD8mTLheePv9ERYAn3GK
Rt2Hp+dk8HVBDuFaub0lf6Rt
=OqJO
-END PGP SIGNATURE-

Re: [ipv6-wg@ripe.net] RE: /48 micro allocations for v6 root servers, was: national security

2003-12-08 Thread Bill Manning 
%  Root nameservers are a very different story of course...
% 
% A /32 contains 65k /48's, so these IX blocks could provide for
% enough /48's for 65k IX's, thus unless that switch at the back
% of my desk, which connects 'neighbours' too is to be called an
% IX, because they have a linux router and me too and they speak
% BGP is going to be called an IX it shouldn't be a problem if
% the same block is used for 26? and maybe 3 tld servers per country.
% 
% At least everybody will know that that /32 will have more specifics.
% 
% Greets,
%  Jeroen


2001:0478:: was delegated expressly for IX and core infrastructure.
Thats where at least one of the IPv6 prefixes for root-servers
exists.  Two are from ARIN micro-allocations and there is a
/32 for another server.


--bill
Opinions expressed may not even be mine by the time you read them, and
certainly don't reflect those of any other entity (legal or otherwise).