[NANOG] US DoD receives chunked IPv6 /13 (14x /22 but not totally consecutive)
Hi folks, As everybody is a big fan of securing their networks against foreign attacks, be aware that the US DoD has been assigned 14 /22's, IPv6 that is, not IPv4, they all come from a single IPv6 /13 though, which is what they apparently asked for in the beginning, at least that was the rumor, well they got what they wanted. I've recorded it into GRH as a single /13 though, as that is what it is, and I am not going to bother whois'ing and entering the 14 separate entries there, as that is useless, especially as they will most likely never appear in the global routing tables anyway. Depending on your love for the US, you might want to add special rules in your network to be able to easily detect Cyber Attacks and other such things towards that address space, to be able to better serve your country, may that be the US or any other country for that matter. I am of course wondering why ARIN gave 1 organization 14 separate /22's, even though they are recorded exactly the same, just different prefixes and netnames and it is effectively one huge /13. They could easily have been recorded as that one /13, it is not like eg Canada (no other countries that fall under ARIN now is there) will get a couple of the chunks of remaining space in between there. By assigning them separate /22's, they effectively are stating that it is good to fragment the address space and by having them recorded in whois, also that announcing more specifics from that /13 is just fine. The other fun question is of course what a single organization has to do with (2^(48-13)=) 34.359.738.368, yes indeed, 34 billion /48's which cover 2.251.799.813.685.248 /64's which is a number that I can't even pronounce. According to Wikipedia the US only has a mere population of 304,080,000, that means that every US citizen can get a 1000+ /48's from their DoD, thus maybe every nuclear warhead and every bullet is getting their own /48 or something to be able to justify for that amount of address space. At least this gives the opportunity to hardcode that block out of hardware if you want to avoid it being ever used by the publicly known part of the US DoD. I wouldn't mind seeing the request form that can justify this amount of address space though, must be a lot of fun. Now back to your regular NANOG schedule Greets, Jeroen (who will hide himself in a nice Swiss nuclear bunker till the flames are all gone ;) 1) http://en.wikipedia.org/wiki/United_States which points to: http://www.census.gov/population/www/popclockus.html ___ NANOG mailing list NANOG@nanog.org http://mailman.nanog.org/mailman/listinfo/nanog
Re: [NANOG] US DoD receives chunked IPv6 /13 (14x /22 but not totally consecutive)
Perhaps it is an attempt to make their address space so sparsely populated that it's close to impossible to find a host without knowing it's address in the first place? On Fri, May 16, 2008 at 1:09 PM, Jeroen Massar <[EMAIL PROTECTED]> wrote: > Hi folks, > > As everybody is a big fan of securing their networks against foreign > attacks, be aware that the US DoD has been assigned 14 /22's, IPv6 that > is, not IPv4, they all come from a single IPv6 /13 though, which is what > they apparently asked for in the beginning, at least that was the rumor, > well they got what they wanted. > > I've recorded it into GRH as a single /13 though, as that is what it is, > and I am not going to bother whois'ing and entering the 14 separate > entries there, as that is useless, especially as they will most likely > never appear in the global routing tables anyway. > > Depending on your love for the US, you might want to add special rules > in your network to be able to easily detect Cyber Attacks and other such > things towards that address space, to be able to better serve your > country, may that be the US or any other country for that matter. > > I am of course wondering why ARIN gave 1 organization 14 separate /22's, > even though they are recorded exactly the same, just different prefixes > and netnames and it is effectively one huge /13. They could easily have > been recorded as that one /13, it is not like eg Canada (no other > countries that fall under ARIN now is there) will get a couple of the > chunks of remaining space in between there. By assigning them separate > /22's, they effectively are stating that it is good to fragment the > address space and by having them recorded in whois, also that announcing > more specifics from that /13 is just fine. > > The other fun question is of course what a single organization has to do > with (2^(48-13)=) 34.359.738.368, yes indeed, 34 billion /48's which > cover 2.251.799.813.685.248 /64's which is a number that I can't even > pronounce. According to Wikipedia the US only has a mere population of > 304,080,000, that means that every US citizen can get a 1000+ /48's from > their DoD, thus maybe every nuclear warhead and every bullet is getting > their own /48 or something to be able to justify for that amount of > address space. At least this gives the opportunity to hardcode that > block out of hardware if you want to avoid it being ever used by the > publicly known part of the US DoD. I wouldn't mind seeing the request > form that can justify this amount of address space though, must be a lot > of fun. > > Now back to your regular NANOG schedule > > Greets, > Jeroen > > (who will hide himself in a nice Swiss nuclear bunker till the flames > are all gone ;) > > 1) http://en.wikipedia.org/wiki/United_States >which points to: http://www.census.gov/population/www/popclockus.html > > > ___ > NANOG mailing list > NANOG@nanog.org > http://mailman.nanog.org/mailman/listinfo/nanog > ___ NANOG mailing list NANOG@nanog.org http://mailman.nanog.org/mailman/listinfo/nanog
Re: [NANOG] US DoD receives chunked IPv6 /13 (14x /22 but not totally consecutive)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Greetings, Not to address the political issues here (which are deep, wide, and WAY too much of a black-hole), remember, that the DoD is not a single organization from a networking perspective. There are a number of different organizations within that structure, all of which may, or may not, want to announce separately, maintain their own external links, etc. Those boundaries can be on a service level (USAF vs USN), geographical level (Southern Command vs. Northern Command), etc. My guess is that they don't want to be tied to only announcing a single /13. Each of those organizations is bigger than a lot of service providers out there... As for why so many addresses - consider a networked ship (where everything has an address), soldier (each soldier having one or more addresses), battlefield sensors, etc. With stateless autoconf, that can add up fairly quickly (depending on network topology). Lastly, If you honestly think that any entity (government or non- government) would launch an offensive cyber-attack from their own address space... never mind Chris On 16 May 2008, at 10.58, Dorn Hetzel wrote: > Perhaps it is an attempt to make their address space so sparsely > populated > that it's close to impossible to find a host without knowing it's > address in > the first place? > > On Fri, May 16, 2008 at 1:09 PM, Jeroen Massar <[EMAIL PROTECTED]> > wrote: > >> Hi folks, >> >> As everybody is a big fan of securing their networks against foreign >> attacks, be aware that the US DoD has been assigned 14 /22's, IPv6 >> that >> is, not IPv4, they all come from a single IPv6 /13 though, which is >> what >> they apparently asked for in the beginning, at least that was the >> rumor, >> well they got what they wanted. >> >> I've recorded it into GRH as a single /13 though, as that is what >> it is, >> and I am not going to bother whois'ing and entering the 14 separate >> entries there, as that is useless, especially as they will most >> likely >> never appear in the global routing tables anyway. >> >> Depending on your love for the US, you might want to add special >> rules >> in your network to be able to easily detect Cyber Attacks and other >> such >> things towards that address space, to be able to better serve your >> country, may that be the US or any other country for that matter. >> >> I am of course wondering why ARIN gave 1 organization 14 separate / >> 22's, >> even though they are recorded exactly the same, just different >> prefixes >> and netnames and it is effectively one huge /13. They could easily >> have >> been recorded as that one /13, it is not like eg Canada (no other >> countries that fall under ARIN now is there) will get a couple of the >> chunks of remaining space in between there. By assigning them >> separate >> /22's, they effectively are stating that it is good to fragment the >> address space and by having them recorded in whois, also that >> announcing >> more specifics from that /13 is just fine. >> >> The other fun question is of course what a single organization has >> to do >> with (2^(48-13)=) 34.359.738.368, yes indeed, 34 billion /48's which >> cover 2.251.799.813.685.248 /64's which is a number that I can't even >> pronounce. According to Wikipedia the US only has a mere population >> of >> 304,080,000, that means that every US citizen can get a 1000+ /48's >> from >> their DoD, thus maybe every nuclear warhead and every bullet is >> getting >> their own /48 or something to be able to justify for that amount of >> address space. At least this gives the opportunity to hardcode that >> block out of hardware if you want to avoid it being ever used by the >> publicly known part of the US DoD. I wouldn't mind seeing the request >> form that can justify this amount of address space though, must be >> a lot >> of fun. >> >> Now back to your regular NANOG schedule >> >> Greets, >>Jeroen >> >> (who will hide himself in a nice Swiss nuclear bunker till the flames >> are all gone ;) >> >> 1) http://en.wikipedia.org/wiki/United_States >> which points to: http://www.census.gov/population/www/popclockus.html >> >> >> ___ >> NANOG mailing list >> NANOG@nanog.org >> http://mailman.nanog.org/mailman/listinfo/nanog >> > ___ > NANOG mailing list > NANOG@nanog.org > http://mailman.nanog.org/mailman/listinfo/nanog > - --- 李柯睿 Check my PGP key here: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xCB67593B -BEGIN PGP SIGNATURE- iQEcBAEBAgAGBQJILc81AAoJEGmx2Mt/+Iw/0HEH/1HZmv1nsNRpz1sqjMJwy0kr O68VCagg7tNfRLq/ErY8lOkxcVsAp0R6urZN8kJwt59MBcd1Yat8BxqayfXcbrx4 m/y361FKjEt8HpBBcS5EiHftjojD2aWczlinJuGL97koDw390ozuZhXLvui27JsE Zh2LHdLrya2ZKMkfL2/mLc7J1C0CiuMvflDVCURG8c+aG17O+aH8csTbxHzStoH4 U0lbxH6hvOHVtQdaHa4JKtZD6zdUIn4quZ
Re: [NANOG] US DoD receives chunked IPv6 /13 (14x /22 but not totally consecutive)
Please keep the political rhetoric off-list, thanks. On Fri, May 16, 2008 at 1:09 PM, Jeroen Massar <[EMAIL PROTECTED]> wrote: > Hi folks, > > As everybody is a big fan of securing their networks against foreign > attacks, be aware that the US DoD has been assigned 14 /22's, IPv6 that > is, not IPv4, they all come from a single IPv6 /13 though, which is what > they apparently asked for in the beginning, at least that was the rumor, > well they got what they wanted. > So, someone else pointed out that the DoD isn't one org, really. There are several groups/orgs under DoD, there are several groups nested under each of those groups, and depending upon the network architecture/topology used it's fully possible that one route announcement isn't practical for this Org. What I think we should worry about is a larger portion of that Org with a large enough part of one of the /22's doing something silly like: "redistribute connected" ... (which they could, of course, have done with any/all of their /8's -> /16's in ipv4 as well...) -Chris ___ NANOG mailing list NANOG@nanog.org http://mailman.nanog.org/mailman/listinfo/nanog
Re: [NANOG] US DoD receives chunked IPv6 /13 (14x /22 but not totally consecutive)
On 16/05/2008 20:15 Christopher LILJENSTOLPE wrote: > My guess is that they don't want to be tied to only announcing a > single /13. Each of those organizations is bigger than a lot of > service providers out there... Since when do you have to announce only the same size prefix as your allocation? -- Colin Alston ~ http://www.karnaugh.za.net/ "To the world you may be one person, to one person you may be the world" ~ Rachel Ann Nunes. ___ NANOG mailing list NANOG@nanog.org http://mailman.nanog.org/mailman/listinfo/nanog
Re: [NANOG] US DoD receives chunked IPv6 /13 (14x /22 but not totally consecutive)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 You certainly don't have to. However, as other folks have indicated here, that is the way that some folks read it. My guess is that this was purely for network topology and administrative reasons. Chris On 16 May 2008, at 12.51, Colin Alston wrote: > On 16/05/2008 20:15 Christopher LILJENSTOLPE wrote: >> My guess is that they don't want to be tied to only announcing a >> single /13. Each of those organizations is bigger than a lot of >> service providers out there... > > Since when do you have to announce only the same size prefix as your > allocation? > > -- > Colin Alston ~ http://www.karnaugh.za.net/ > "To the world you may be one person, to one person you may be the > world" ~ Rachel Ann Nunes. > > ___ > NANOG mailing list > NANOG@nanog.org > http://mailman.nanog.org/mailman/listinfo/nanog > - --- 李柯睿 Check my PGP key here: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xCB67593B -BEGIN PGP SIGNATURE- iQEcBAEBAgAGBQJILqXzAAoJEGmx2Mt/+Iw/UxkH/25h7CPcpr50ontu5y/sYFav dXron7uvLtCEFPyT/mEemYn31hekjsd37xy6bLMeAaqwo6/Eh66nZxKLhKLgtR+q f+PBAUj5znQ58/NITvJzIq3fFN3A1ll3x96cqOVSmiqa1DZo6ChquX1CW2sIRBWw aVQaFatrVnvlGx7cDR6IFiwertrEftcK/7POm9wgljYUCfS9pZhv3hy66yNUdEe9 4MWIB6K9lK36WBHz+ZnKLRbmw3QALFAbTWwzVC9qc0EFY7Yr3b3BZuba0UGyin0d HcL0cupzJ3UutINwVjUlmujbwaYot8pyVcr3FrQ9YbZ2mGLDvvMTVjipuWtqmOU= =wh07 -END PGP SIGNATURE- ___ NANOG mailing list NANOG@nanog.org http://mailman.nanog.org/mailman/listinfo/nanog
Re: [NANOG] US DoD receives chunked IPv6 /13 (14x /22 but not totally consecutive)
On Fri, 16 May 2008, Colin Alston wrote: > On 16/05/2008 20:15 Christopher LILJENSTOLPE wrote: >> My guess is that they don't want to be tied to only announcing a >> single /13. Each of those organizations is bigger than a lot of >> service providers out there... > > Since when do you have to announce only the same size prefix as your > allocation? http://www.arin.net/policy/nrpm.html#six511 reads: "c. plan to provide IPv6 connectivity to organizations to which it will assign IPv6 address space, by advertising that connectivity through its single aggregated address allocation;" Other regions have, or have had, similar requirements. I'm not a native speaker, but I guess "single aggregated address allocation" could be read to imply either 1) "one superblock [and nothing else]", or 2) "at least one superblock that covers everything" (with no implied statement on the more specifics). Even if the interpretation is the second, the "benefit" of multiple allocations is that they wouldn't need to route between all the suballocations at least in one location in case someone is building route filters so that it would reject more specifics. -- Pekka Savola "You each name yourselves king, yet the Netcore Oykingdom bleeds." Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings ___ NANOG mailing list NANOG@nanog.org http://mailman.nanog.org/mailman/listinfo/nanog
