Naiming Shen [mailto:[EMAIL PROTECTED] wrote:

> my original comment was to "rfc1918 is a disaster", and your below
> reasoning is completely v6 related. i agree with you that all those
> problems can be solved with different mechanisms (particularly in v6
> domain), but they are not necessarily easier or better than using
> private addresses. more inline.

<SNIP>

>  ] >  - someone does not want the addresses to be global dns 
>  ] >    reachable. some ISPs assign private addresses on all
>  ] >    their backbone links just for that.
>  ] >    the names showing up when they do internal troubleshooting,
>  ] >    but not in external domain traceroute.
>  ] 
>  ] Use a /48 out of the ISP's /32 and use that for those backbone
>  ] links.
>  ] Then even people who are outside of the network still can find out
>  ] that this address space is owned by that ISP.
>  ] 
>  ] As for names showing up, those can only be handy to identify them.
>  ] Otherwise either use separate DNS's or use BIND's 'view'
>  ] capability.
>  ] Of course other DNS implementations might have other facilities.
>  ] 
> 
> yes, you can do it those ways, but is that easier than using the
> private addresses?

There is a difference between randomly picking a /48 from fec0::
or picking a globally unique /48 out of space you 'own'.

And yes, dns requires configuration, but leaking private space into
the global DNS isn't what one would like to see either. Example:
A host with IPv4 10.0.0.1 and a public IPv6 address. Locally one
can reach it over IPv4 and IPv6, but when trying to get to it over
the public internet, where only the IPv6 address gets published
there are no problems either, except that you can't reach it over
IPv4 because it doesn't exist globally. Note that this is common
practice today for sites having NATed IPv4 space but global
connectivity using IPv6.

If one did publish the RFC1918 IPv4 address in DNS one is bound
to come across a local box one day, which might be a big surprise.
Eg "telnet secure.example.net 'connected to secure' password"
That is what uniqueness is all about. (yeah I know use SSH :)
And of course somebody could also route your unique prefix to an
odd box if they really want to. Point in this part: never ever
publish private addresses in the global DNS.

>  ] >  - in router/etc documentation, its nice to have diagrams 
>  ] >    showing routers having 10.x.x.x addresses in their
>  ] >    configuration examples, its not good to put legal
>  ] >    addresses over there.
>  ] 
>  ] That's where 2001:db8::/32 is for.
>  ] 
>  ] >  - of course in v4, addresses are not free.
>  ] 
>  ] In IPv6 they won't be free either. If you want 'free' space just
>  ] pick some random addresses and use them. But then don't complain
>  ] that you can't route it over the internet etc.
> 
> again, is picking up random addresses better than using private
> addresses? isn't it creating more confusion for the users?

Addresses are addresses and you do want them to be globally unique.
Or are you expecting to never ever grow and by that merge networks
with another, which might have the same space?
 
>  ] >  - its safer to use private addresses during testing, e.g. routing
>  ] >    protocol testing in lab. even if you leak out those addresses by
>  ] >    mistake, the chances are your peer, or upstream is filtering them,
>  ] >    so the damage is minimized.
>  ] 
>  ] Then don't route it to the outside. Use firewalls etc.
>  ] One could also 'forget' to filter 2001:db8::/32 or any other space.
>  ] How many IPv4 smurfamp gateways were there still on the internet?
>  ] and how many ISP's do actually filter on egress from their
>  ] customers?
> 
> i didn't mean packet filtering, rather route filtering with bgp.
> as far as the ISPs i know, they all filter private addresses from
> the routing level. it would be nuts to accept your peer's private
> address announcements. yes, people can 'forget' to do certain things,
> but it does not make it better to use random addresses.

I know a couple of badly behaved ISP's which simply do not filter
because the CPU of make R and F would not be able to handle the load.
Not everyone knows what RPF does unfortunately. Spoofed (D)DOSses also
show that quite well, because how could they spoof if the ISP filtered?
Ever did a log of RFC1918 space coming into your network, not even
talking about DNS's publishing RFC1918 space.

>  ] > i think my point on this related to SL is that, the SL space 
>  ] > is already carved and well known already to everyone, what is
>  ] > the point to reclaim it for "normal" use? though i'm absolutely
>  ] > against to have routing/dns support to SL.
>  ] 
>  ] I don't see any relation whatsoever to the above points.
>  ] Also IPv6 is currently still not heavily deployed and still
>  ] be carved so that problems related to SL will be gone.
>  ] 
>  ] Also if you don't need routing then use fe80::/10.
>  ] And what do you mean for not having SL support in DNS?
>  ] How are you going to let an application get to that host then?
>  ] Are you letting the user remember and type in a 128bits address?
> 
> what i meant is no "special" treatment in routing and dns for those
> addresses. of course they are still routable, otherwise it would be
> a "special" treatment. sure they can be put in your local dns record,
> but it can not be searched from the root domain servers.

With 'globally routable' I mean that everyone on the internet would
be able to reach them. All address space is routable of course.

Greets,
 Jeroen
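
The two checks the thread keeps coming back to, not publishing private space in the global DNS and not accepting private prefixes from a peer, can be automated. The following is an added example and not code from the thread or from any of its participants. It assumes a constructed zone file and a constructed list of received BGP prefixes, and it uses the documentation prefixes 2001:db8::/32 and 198.51.100.0/24 as stand-ins for the ISP's real allocations (passed as `own`, since real assigned space cannot be shown here). It goes slightly beyond the thread by also listing the IPv4 documentation and link-local blocks.

```python
import ipaddress

# Non-globally-reachable blocks the thread argues about (assumed list, extended
# with the IPv4 documentation and link-local nets): RFC 1918, IPv6 site-local,
# link-local, and the documentation prefixes that belong in diagrams only.
NON_GLOBAL = {
    "rfc1918": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
    "ipv6-site-local": ("fec0::/10",),
    "link-local": ("169.254.0.0/16", "fe80::/10"),
    "documentation": ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",
                      "2001:db8::/32"),
}
_TABLE = [(label, ipaddress.ip_network(p))
          for label, ps in NON_GLOBAL.items() for p in ps]


def classify(target, own=()):
    """Label an address or prefix string.

    'own'     -> inside one of the organisation's own allocations (the thread's
                 'a /48 out of the ISP's /32'); checked first so that a
                 documentation prefix used as a stand-in is not flagged
    <label>   -> overlaps one of the NON_GLOBAL blocks
    'global'  -> nothing matched
    """
    net = ipaddress.ip_network(target, strict=False)   # host -> /32 or /128
    for o in own:
        o_net = ipaddress.ip_network(o)
        if o_net.version == net.version and net.subnet_of(o_net):
            return "own"
    for label, block in _TABLE:
        if block.version == net.version and net.overlaps(block):
            return label
    return "global"


def audit_zone(records, own=()):
    """records: (owner, rrtype, rdata) tuples of a zone that will be served to
    the public internet. Returns the A/AAAA records that would leak non-global
    space, each tagged with the block it falls into."""
    findings = []
    for owner, rrtype, rdata in records:
        if rrtype not in ("A", "AAAA"):
            continue
        label = classify(rdata, own)
        if label not in ("global", "own"):
            findings.append((owner, rrtype, rdata, label))
    return findings


def filter_announcements(prefixes, own=()):
    """Route-filter view: split prefixes received from a peer into (accept,
    reject); anything overlapping non-global space is rejected."""
    accept, reject = [], []
    for p in prefixes:
        label = classify(p, own)
        (accept if label in ("global", "own") else reject).append((p, label))
    return accept, reject


# Constructed sample data (not from any real network). The documentation
# prefixes below stand in for the ISP's real allocations, hence `OWN`.
OWN = ("2001:db8::/32", "198.51.100.0/24")

SAMPLE_ZONE = [
    ("secure.example.net.", "A", "10.0.0.1"),            # the thread's RFC1918 leak
    ("secure.example.net.", "AAAA", "2001:db8:1::1"),    # its public IPv6 address
    ("www.example.net.", "A", "198.51.100.7"),
    ("lab-rtr1.example.net.", "AAAA", "fec0:0:0:1::1"),  # site-local lab box
    ("rtr1.example.net.", "AAAA", "fe80::1"),            # link-local
    ("example.net.", "MX", "10 mail.example.net."),      # not an address record
]

SAMPLE_ANNOUNCEMENTS = [
    "2001:db8:1::/48", "10.0.0.0/8", "172.16.5.0/24", "fec0::/10",
    "2001:db8:ffff::/48",
]

if __name__ == "__main__":
    for owner, rrtype, rdata, label in audit_zone(SAMPLE_ZONE, OWN):
        print(f"LEAK  {owner:24} {rrtype:5} {rdata:18} ({label})")
    accept, reject = filter_announcements(SAMPLE_ANNOUNCEMENTS, OWN)
    for p, label in reject:
        print(f"DENY  {p:20} ({label})")
    for p, label in accept:
        print(f"PERMIT {p:20} ({label})")
```

The same `classify` function can be pointed at a log of source addresses arriving on a border router to answer Jeroen's "ever did a log of RFC1918 space coming into your network" question; `own` is only needed because the sample has to use documentation space where real assigned space would be.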


--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------