Re: ITU-T Dubai Meeting and IPv15

2012-08-11 Thread Donald Eastlake
One problem with excessively large fields, including variable length
addresses with a high maximum length, is that the next time someone
wants to encode some additional information, they just tuck it inside
that field in some quasi-proprietary way, instead of going to the
trouble of actually adding a field. Witness X.509 Certificate serial
numbers, which are arbitrary precision integers, but which frequently
are used for a variety of information, all BER encoded...

Thanks,
Donald
=
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e...@gmail.com


On Fri, Aug 10, 2012 at 1:35 PM, David Conrad d...@virtualized.org wrote:
 On Aug 10, 2012, at 10:22 AM, Andrew G. Malis agma...@gmail.com wrote:
 Another alternative is self-describing variable-length addresses,
 again do it once and we'll never have to worry about it again.

 Heretic!  That's OSI speak!  Why do you hate the Internet you ISO/ITU 
 lackey?!?

 /flashback

 Yeah, variable-length addresses would have been nice. There was even working 
 code. Maybe next IPng.

 Regards,
 -drc



Re: ITU-T Dubai Meeting and IPv15

2012-08-11 Thread joel jaeggli

On 8/11/12 10:13 AM, Donald Eastlake wrote:

One problem with excessively large fields, including variable length
addresses with a high maximum length, is that the next time someone
wants to encode some additional information, they just tuck it inside
that field in some quasi-proprietary way, instead of going to the
trouble of actually adding a field. Witness X.509 Certificate serial
numbers, which are arbitrary precision integers, but which frequently
are used for a variety of information, all BER encoded...
given various semantic uses of bits within ipv6 addresses that have been 
proposed or which are used informally even with only 128 bits it's 
important to make this distinction. a freely extensible bit field will 
end up with all sorts of garbage in it, that at best is only significant 
in one context, and at worst is significant in different fashions in 
different contexts.


instead of having a locator-id you have a 
locator-qos-mpls-subscriberid-streetaddress-latlong-id


Thanks,
Donald
=
  Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
  155 Beaver Street, Milford, MA 01757 USA
  d3e...@gmail.com


On Fri, Aug 10, 2012 at 1:35 PM, David Conrad d...@virtualized.org wrote:

On Aug 10, 2012, at 10:22 AM, Andrew G. Malis agma...@gmail.com wrote:

Another alternative is self-describing variable-length addresses,
again do it once and we'll never have to worry about it again.

Heretic!  That's OSI speak!  Why do you hate the Internet you ISO/ITU lackey?!?

/flashback

Yeah, variable-length addresses would have been nice. There was even working 
code. Maybe next IPng.

Regards,
-drc





Re: ITU-T Dubai Meeting

2012-08-10 Thread Phillip Hallam-Baker
On Thu, Aug 9, 2012 at 11:12 PM, Randy Bush ra...@psg.com wrote:
 Hubris? it has already lasted 40.

 and it's such a short way from 40 to hundreds or thousands.  i get it.

40 is not very short of 100 at all.

And creating a legacy that other people have to work round is rather
too easy in this industry. The place is littered with them. COBOL will
probably last another century. QWERTY will. Lasting has little to do
with being good.


 I can understand why people might not want to worry about long term
 issues but not why you would want to insult people who do think about
 them.

 first, i did not insult anyone.  if you took it as an insult, take it up
 with your shaman, rabbi, priest, or shrink.

You pulled the 'I don't understand this so nobody else can' move. That
is pretty insulting.


 You botched DNSSEC deployment because you were incapable of
 considering such issues

 damn!  and i missed where i had anything to do with dnssec deployment.
 but i am glad we all now understand why it has fared so badly.

You are the reason that DNSSEC did not deploy in 2002. There was a
clear WG consensus to change the spec to make it deployable and you
used your position as WG chair to block it.

The code was written and would have deployed with the ATLAS upgrade.
You are the only reason it did not.

You thought that changing the specification to meet a deployment issue
was unreasonable. I told you repeatedly that there would be no
deployment unless the change was made. The result was that you 'won'
and DNSSEC was on hold for six years while the WG undid the mess you
made. Congratulations.

And now deployment of DNSSEC is much harder because the Internet is
now a cabinet level concern and there is an actual Russia-China treaty
that requires them to block it (amongst other things).


 if we accept your argument now we will get another botch job.

 and i am guilty of ad hominem?

Ad hominem is actually a valid argument against an unsubstantiated
personal opinion. 'Randy Bush made a botch of DNSSEC' is a perfectly
valid argument for rejecting Randy Bush's opinion on the value of long
term planning.


 The fact that outcomes cannot be predicted with 100% certainty does
 not mean that all outcomes are equally likely or that we have
 absolutely no control over them or that there is no point in
 discussing them.

 my point was predicting technology outcomes hundreds if not thousands
 of years in the future is beyond hyperbolic.

The point related to the institutions, not the technology.

Predicting that institutions will become corrupt over long periods of
time is hardly hyperbolic.


-- 
Website: http://hallambaker.com/


Re: ITU-T Dubai Meeting

2012-08-10 Thread Randy Bush
hundreds or thousands is perceptually much larger than 100.

 Predicting that institutions will become corrupt over long periods of
 time is hardly hyperbolic.

the institutions are corrupt now.

as to dnssec, opinions seem to vary widely, and yours is a few sigma
out.  some think you/verisign stalled it for five years because you
could not commercialize it.  but i really do not care.

randy


Re: ITU-T Dubai Meeting

2012-08-10 Thread Phillip Hallam-Baker
On Fri, Aug 10, 2012 at 9:41 AM, Randy Bush ra...@psg.com wrote:
 hundreds or thousands is perceptually much larger than 100.

 Predicting that institutions will become corrupt over long periods of
 time is hardly hyperbolic.

 the institutions are corrupt now.

Pointing that out right now hardly helps the cause of stopping the
ITU-T getting control of their function.


 as to dnssec, opinions seem to vary widely, and yours is a few sigma
 out.  some think you/verisign stalled it for five years becuase you
 could not commercialize it.  but i really do not care.

I stated the conditions under which deployment would take place in
.net and .com. Had you genuinely believed that I did not intend to
deploy in any case and was merely stalling you should have given me
what I had asked for and put me on the spot.

The reason you pulled the procedural manipulations with the bogus DNS
Directorate review etc. was that you were convinced that VeriSign had
no choice but to deploy.

If it had been my product I would have brought the lawyers in at that
point. A working group chair is not entitled to re-litigate arguments
that they have already lost by referring them to a directorate and
directorates are not permitted to re-litigate working group
discussions.


The fact that you made such a personal intervention on an issue that
you really don't care about speaks volumes.

I find it amazing how often the members of the elder generation pull
the following soliloquy:

1) I do not understand the issues here, therefore nobody can understand them
2) We must be careful not to make mistakes by making decisions we do
not understand
3) Therefore everyone must do it my way as it makes no difference


Difference between you and me is that when I know I don't know
something I either go talk to people who do and find out or I don't
get involved with that issue. You pronounce that nobody understands it
and then demand to be the decision maker.




Website: http://hallambaker.com/


Re: ITU-T Dubai Meeting

2012-08-10 Thread Michael Richardson

 Phillip == Phillip Hallam-Baker hal...@gmail.com writes:
Phillip Allocating a /16 for national RIRs independent of IANA and
Phillip the US

Can we give them ULA-C space? ;-)


Re: ITU-T Dubai Meeting and IPv15

2012-08-10 Thread Andrew G. Malis
A 260-bit address should be sufficient to address every atom in the
universe, according to current estimates (10^78 atoms). We go there
next (plus some extra to add hierarchy), and we'll never have to worry
about addressing again.

Another alternative is self-describing variable-length addresses,
again do it once and we'll never have to worry about it again.

Cheers,
Andy

On Thu, Aug 9, 2012 at 12:45 PM, Worley, Dale R (Dale)
dwor...@avaya.com wrote:
 From: Phillip Hallam-Baker [hal...@gmail.com]

 As Tom Knight pointed out when the IPv4 address size was chosen, there
 aren't enough for one for each person living on the planet.

 Remember that we are trying to build a network that is going to last
 for hundreds if not thousands of years.

 Technology changes over time, and so the optimal design tradeoffs
 change over time.  When IPv4 was designed, memory, processing power,
 and transmission capacity were far more expensive than now.  Moore's
 Law suggests a factor of 2^15 between 1982 and 2012.  Before that was
 the ARPAnet, with 8 bit addresses, which lasted for around 15 years.
 Presumably IPv6 will suffice for at least another 30 years.

 The real issue regarding longevity is that total network overhauls
 should be infrequent enough that their amortized costs are well less
 than ongoing operational costs.  Once that has been achieved, the cost
 savings of designing a protocol with a longer usable lifetime is
 probably not worth the effort of trying to predict the future well
 enough to achieve longer lifetime.

 Extrapolating a 30-year lifetime for each IP version suggests that in
 300 years we will reach the end of the usable life of IPv15 and will have
 to allocate more bits to the version field at the beginning of
 packets.  That'll be a mess...

 Dale


Re: ITU-T Dubai Meeting and IPv15

2012-08-10 Thread Noel Chiappa
 From: Andrew G. Malis agma...@gmail.com

 260-bit address should be sufficient to [s]address[/s] _name_ every
 atom in the universe

YPIF.

Noel


Re: ITU-T Dubai Meeting and IPv15

2012-08-10 Thread David Conrad
On Aug 10, 2012, at 10:22 AM, Andrew G. Malis agma...@gmail.com wrote:
 Another alternative is self-describing variable-length addresses,
 again do it once and we'll never have to worry about it again.

Heretic!  That's OSI speak!  Why do you hate the Internet you ISO/ITU lackey?!?

/flashback

Yeah, variable-length addresses would have been nice. There was even working 
code. Maybe next IPng.

Regards,
-drc



Re: ITU-T Dubai Meeting

2012-08-09 Thread Phillip Hallam-Baker
The fact that people plan badly does not mean that all planning must fail.

As Tom Knight pointed out when the IPv4 address size was chosen, there
aren't enough for one for each person living on the planet.

IPv6 has enough addresses to assign a subnet to every grain of sand on
the planet.


Allocating a /16 for national RIRs independent of IANA and the US
government gives other countries the ability to protect their national
interests. The specific concern is that the US government can pass a
law that prevents

Remember that we are trying to build a network that is going to last
for hundreds if not thousands of years. I don't think it likely that
the RIRs or ICANN or even the IETF lasts that long. If it does it will
be in a very different form. What we might think about Steve Crocker
or Vint Cerf or whoever is irrelevant, we do not know who their
successors will be let alone whether we can trust whoever is in charge
in 2040.

I do not believe the national allocations are ever likely to be used
unless the RIRs screw up or get above their post but their existence
provides an exit option in case they ever do.

What I am proposing here is the network equivalent of a crumple zone
on a car body. Cars are designed to break in very specific ways so as
to avoid damage. There is quite a large potential for collateral
damage if an event occurs and people start inventing solutions on the
fly and there are multiple competing solutions fighting it out.


There are privacy implications to this approach but only for battles
that have already been lost. Packets are not routed by the IP address
in any case, they are aggregated by the ASN number and all that is
needed to map those to identify national origin in practice is a
lookup table. [Yes there are networks that span national borders but
not in countries with ugly types of government where this capability
is a concern].




On Fri, Aug 3, 2012 at 2:46 PM, Dmitry Burkov db...@burkov.aha.ru wrote:
 Mark,
 I really enjoyed your professional remarks for the years and your deep and 
 intrinsic mind,
 but it seems that now it is not a time to discuss the issue that ipv4 is 
 scarce resource :)


 My opinion that IPv6 was done in the worst manner and we should simply 
 recognize that we have no other way to satisfy industry needs in such short 
 time.

 Nothing personal - as a lot of my friends spent significant part of their 
 life on it.

 Dima

 On Aug 3, 2012, at 10:25 PM, Mark Andrews wrote:


 In message fb949bea-5bdb-401a-8a75-e9a9bdaa7...@ripe.net, Daniel Karrenberg writes:

 On 02.08.2012, at 22:41, Phillip Hallam-Baker wrote:

 ... That depends on whether the registry in question is dealing with a
 scarce resource or a plentiful one. Having two registries handing out
 IPv4 addresses at this point would be very very bad. Having more than
 one place you can get an IPv6 from would not worry me at all. ...

 IPv4 addresses used to be regarded as non-scarce not so long ago.

 I don't know what planet you have been living on but it was clear
 IPv4 addresses were a scarce resource 2+ decades ago, longer than
 some IETF attendees have been alive.  IPv6 was started because they
 were a scarce resource that would run out in the foreseeable future.

 Mark
 --
 Mark Andrews, ISC
 1 Seymour St., Dundas Valley, NSW 2117, Australia
 PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org




-- 
Website: http://hallambaker.com/


Re: ITU-T Dubai Meeting

2012-08-09 Thread Randy Bush
 Remember that we are trying to build a network that is going to last
 for hundreds if not thousands of years.

some of us do not have such hubris.  

 I don't think it likely that the RIRs or ICANN or even the IETF lasts
 that long. If it does it will be in a very different form.

i suspect the same is true for the internet.  i bet it will be quite
different in much less than a hundred years.

so can we please stick to engineering, not omnipotence.

randy


Re: ITU-T Dubai Meeting

2012-08-09 Thread Phillip Hallam-Baker
Hubris? it has already lasted 40.

Hubris was proposing that the Clinton-Gore campaign deploy a Web
server in the White House when we had 100 people using it.


I can understand why people might not want to worry about long term
issues but not why you would want to insult people who do think about
them. Particularly in your particular case. You botched DNSSEC
deployment because you were incapable of considering such issues and
if we accept your argument now we will get another botch job.

The fact that outcomes cannot be predicted with 100% certainty does
not mean that all outcomes are equally likely or that we have
absolutely no control over them or that there is no point in
discussing them.


In context the statement was that we should not design infrastructure
on the basis that we can trust the individuals we put in charge of
them now. One of the fundamental reasons ICANN governance is a
disaster is that people who could and should have known better had
assumed we could trust Jon Postel.

More importantly for this issue, the fact that we might trust them
does not mean we should expect others to do so.



On Thu, Aug 9, 2012 at 11:06 AM, Randy Bush ra...@psg.com wrote:
 Remember that we are trying to build a network that is going to last
 for hundreds if not thousands of years.

 some of us do not have such hubris.

 I don't think it likely that the RIRs or ICANN or even the IETF lasts
 that long. If it does it will be in a very different form.

 i suspect the same is true for the internet.  i bet it will be quite
 different in much less than a hundred years.

 so can we please stick to engineering, not omnipotence.

 randy



-- 
Website: http://hallambaker.com/


RE: ITU-T Dubai Meeting and IPv15

2012-08-09 Thread Worley, Dale R (Dale)
 From: Phillip Hallam-Baker [hal...@gmail.com]
 
 As Tom Knight pointed out when the IPv4 address size was chosen, there
 aren't enough for one for each person living on the planet.
 
 Remember that we are trying to build a network that is going to last
 for hundreds if not thousands of years.

Technology changes over time, and so the optimal design tradeoffs
change over time.  When IPv4 was designed, memory, processing power,
and transmission capacity were far more expensive than now.  Moore's
Law suggests a factor of 2^15 between 1982 and 2012.  Before that was
the ARPAnet, with 8 bit addresses, which lasted for around 15 years.
Presumably IPv6 will suffice for at least another 30 years.

The real issue regarding longevity is that total network overhauls
should be infrequent enough that their amortized costs are well less
than ongoing operational costs.  Once that has been achieved, the cost
savings of designing a protocol with a longer usable lifetime is
probably not worth the effort of trying to predict the future well
enough to achieve longer lifetime.

Extrapolating a 30-year lifetime for each IP version suggests that in
300 years we will reach the end of the usable life of IPv15 and will have
to allocate more bits to the version field at the beginning of
packets.  That'll be a mess...

Dale


Re: ITU-T Dubai Meeting

2012-08-09 Thread Randy Bush
 Hubris? it has already lasted 40.

and it's such a short way from 40 to hundreds or thousands.  i get it.

 I can understand why people might not want to worry about long term
 issues but not why you would want to insult people who do think about
 them.

first, i did not insult anyone.  if you took it as an insult, take it up
with your shaman, rabbi, priest, or shrink.

secondly, 

 You botched DNSSEC deployment because you were incapable of
 considering such issues

damn!  and i missed where i had anything to do with dnssec deployment.
but i am glad we all now understand why it has fared so badly.

 if we accept your argument now we will get another botch job.

and i am guilty of ad hominem?

 The fact that outcomes cannot be predicted with 100% certainty does
 not mean that all outcomes are equally likely or that we have
 absolutely no control over them or that there is no point in
 discussing them.

my point was predicting technology outcomes hundreds if not thousands
of years in the future is beyond hyperbolic.

randy


Re: ITU-T Dubai Meeting

2012-08-08 Thread Martin Rex
Noel Chiappa wrote:

  you want some level of privacy protection and therefore a fully dynamic
  temporary DHCP-assigned IPv6 address
 
 This turns out to be a chimera. Such addresses don't really provide any real
 privacy - it turns out to be easy to track people through their access
 patterns, etc.

It _can_ be used in a privacy-protecting fashion,
when used properly (potentially with other than a web browser).

If one is using one single web browser for *everything*; with
cookies, active content, flash and all other crap enabled,
then an occasional change in the outside address of your
DSL router is not going to make much of a difference, of course.

The map that tools/plugins like these draw after a few mouseclicks
in a fully-featured Firefox are impressive (or depressing, depending
on how you feel about privacy):

   http://www.mozilla.org/en-US/collusion/
   http://www.ghostery.com/


-Martin


Re: ITU-T Dubai Meeting

2012-08-08 Thread Brian E Carpenter
On 08/08/2012 06:30, Doug Barton wrote:
 On 08/07/2012 10:19 PM, Martin Rex wrote:
 Mark Andrews wrote:
 In message 5021742a.70...@dougbarton.us, Doug Barton writes:
 On 08/07/2012 00:46, Martin Rex wrote:
 IPv6 PA prefixes result in that awkward renumbering.
 Avoiding the renumbering implies provider independent
 network prefix.
 ULA on the inside + https://tools.ietf.org/html/rfc6296
 If you are changing your external connection you may as well just use
 ULA + PA.  The DNS needs to be updated in either case, the firewall needs
 to be updated in either case.
 And what about running apps and network connections in the connected state?
 
 If they are connected external to your network then obviously they would
 have to be restarted ... but then you know that already. :)

And any mission-critical application that can't survive a disconnect and
reconnect is badly broken anyway. I've never understood why session survival
was so highly rated; this has vastly complicated every discussion of
multihoming for many years.

Brian

 
 If PI everywhere were a feasible strategy at this time, I'd be first
 in line. But it isn't, so I think it's worthwhile discussing how we can
 do what we _can_ do, best.
 
 

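An added example, not code from anyone in the thread: a Python model of the /48-to-/48 checksum-neutral mapping that RFC 6296 (NPTv6) specifies and that the "ULA on the inside + RFC 6296" suggestion above relies on. It shows why a TCP/UDP checksum survives translation (the adjustment added to the subnet word cancels the change in the prefix words, so the one's complement sum of the address is unchanged), verifies the round trip, and encodes the caveat a practitioner should keep in mind: the mapping is stateless and 1:1, so it hides nothing and an outside host that knows the mapping can address inside hosts directly; RFC 6296's security considerations make the same point and expect a firewall in front. The ULA and documentation prefixes, the peer address and the UDP datagram are constructed for the example.

```python
"""Checksum-neutral prefix translation modelled on RFC 6296 section 3.1 (NPTv6).

Constructed example: inside prefix fd00:1234:5678::/48 (ULA), outside prefix
2001:db8:abcd::/48 (documentation space). Only the /48 <-> /48 case is modelled.
"""
import ipaddress


def ones_complement_sum(words):
    """16-bit one's complement sum with end-around carry (the Internet checksum sum)."""
    total = 0
    for w in words:
        total += w
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ones_complement_add(a, b):
    return ones_complement_sum((a, b))


def ones_complement_neg(a):
    return 0xFFFF ^ a  # ~a within 16 bits; 0x0000 and 0xFFFF both represent zero


def to_words(addr):
    packed = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def from_words(words):
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))


class NPTv6:
    """Stateless 1:1 translator between two /48 prefixes; not a firewall."""

    def __init__(self, inside_prefix, outside_prefix):
        inside = ipaddress.IPv6Network(inside_prefix)
        outside = ipaddress.IPv6Network(outside_prefix)
        if inside.prefixlen != 48 or outside.prefixlen != 48:
            raise ValueError("this model only handles /48 <-> /48 mappings")
        self.inside = to_words(inside.network_address)[:3]
        self.outside = to_words(outside.network_address)[:3]
        # adjustment = sum(inside prefix words) - sum(outside prefix words), one's complement.
        # Adding it to the subnet word (bits 48-63) keeps the 16-bit sum of the whole
        # address constant, so every pseudo-header checksum is unchanged by translation.
        self.adjust = ones_complement_add(
            ones_complement_sum(self.inside),
            ones_complement_neg(ones_complement_sum(self.outside)))

    def _translate(self, addr, src, dst, adjust):
        words = to_words(addr)
        if words[:3] != src:
            raise ValueError(f"{addr} is not within {from_words(src + [0] * 5)}/48")
        if words[3] == 0xFFFF:
            raise ValueError("subnet 0xffff is ambiguous in one's complement; not mapped here")
        words[:3] = dst
        w = ones_complement_add(words[3], adjust)
        words[3] = 0 if w == 0xFFFF else w  # write the zero value as 0x0000, never 0xFFFF
        return from_words(words)

    def outbound(self, addr):
        return self._translate(addr, self.inside, self.outside, self.adjust)

    def inbound(self, addr):
        # Same arithmetic with the adjustment negated: any outside address in the
        # prefix maps back to exactly one inside host, whether or not it ever spoke first.
        return self._translate(addr, self.outside, self.inside, ones_complement_neg(self.adjust))


def ipv6_transport_checksum(src, dst, next_header, payload):
    """Internet checksum over the IPv6 pseudo-header (RFC 8200 section 8.1) plus payload."""
    data = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
            + len(payload).to_bytes(4, "big") + b"\x00\x00\x00" + bytes([next_header]) + payload)
    if len(data) % 2:
        data += b"\x00"
    total = ones_complement_sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    return 0xFFFF ^ total


# Constructed UDP datagram: ports 49152 -> 53, length 12, checksum field zeroed, payload "ping".
SAMPLE_UDP = bytes.fromhex("c0000035000c0000") + b"ping"
SAMPLE_PEER = "2001:db8:ffff::53"


def translation_is_checksum_neutral(translator, inside_addr, peer=SAMPLE_PEER, payload=SAMPLE_UDP):
    """True if the UDP checksum is identical before and after outbound translation."""
    outside_addr = translator.outbound(inside_addr)
    before = ipv6_transport_checksum(inside_addr, peer, 17, payload)
    after = ipv6_transport_checksum(str(outside_addr), peer, 17, payload)
    return before == after


if __name__ == "__main__":
    t = NPTv6("fd00:1234:5678::/48", "2001:db8:abcd::/48")
    for host in ("fd00:1234:5678:1::10", "fd00:1234:5678:73d9::10"):
        out = t.outbound(host)
        print(f"{host} -> {out} -> {t.inbound(out)}  checksum-neutral: "
              f"{translation_is_checksum_neutral(t, host)}")
```

The second sample host is chosen so that the adjusted subnet word comes out as 0xFFFF and is written as zero, the one place where the arithmetic needs a rule rather than a plain addition; the round trip still recovers the original address because the inbound direction applies the same rule.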

Re: ITU-T Dubai Meeting

2012-08-08 Thread Daniel Karrenberg

On 07.08.2012, at 00:02, Martin Rex wrote:

 Steven Bellovin wrote:
 
 Randy Bush wrote:
 
 whatever the number of address bits, if it is fixed, we always run out.
 memory addressing has been a cliff many times.  ip addressing.  ...
 
 Yup.  To quote Fred Brooks on memory address space: Every successful
 computer architecture eventually runs out of address space -- and I heard
 him say that in 1973.
 
 I'm wondering what resource shortage would have happened if IPv6
 had been massively adopted 10 years earlier, and whether we would have
 seen the internet backbone routers suffer severely from the size
 of the routing tables, if every single home customer (DSL subscriber)
 would have required a provider-independent IPv6 network prefix rather
 than a single, provider-dependent IPv4 IP Address.


... add to that: what would have happened if the IETF had not underestimated
the life expectancy of IPv4 address space so drastically and consequently had 
taken the time to design a better IPv6 with things like wire compatibility 
with IPv4, better routing and other features that make ISPs want to deploy it. 
Ah - what if ... . Amusing musings but not more than that.

Daniel

Re: ITU-T Dubai Meeting

2012-08-08 Thread David Conrad
Brian,

On Aug 8, 2012, at 12:52 AM, Brian E Carpenter brian.e.carpen...@gmail.com 
wrote:
 If they are connected external to your network then obviously they would
 have to be restarted ... but then you know that already. :)
 And any mission-critical application that can't survive a disconnect and
 reconnect is badly broken anyway. I've never understood why session survival
 was so highly rated; this has vastly complicated every discussion of
 multihoming for many years.

The Law of Conservation of Complexity[1]?  Forcing applications to deal with 
disconnect/reconnect means they're much more complicated than if they can 
assume the session is always there and there are many more applications (and 
application developers, particular those that do it poorly) than networks.

Regards,
-drc

[1] I thought I was being snarky. Imagine my surprise when I just discovered 
this actually exists: 
http://en.wikipedia.org/wiki/Law_of_conservation_of_complexity

Re: ITU-T Dubai Meeting

2012-08-08 Thread Arturo Servin

If I refuse to use NAT (or NPTv6 for the sensible)?

Any other option besides PI?

/as

On 7 Aug 2012, at 17:01, Doug Barton wrote:

 On 08/07/2012 00:46, Martin Rex wrote:
 IPv6 PA prefixes result in that awkward renumbering.
 Avoiding the renumbering implies provider independent
 network prefix.
 
 ULA on the inside + https://tools.ietf.org/html/rfc6296
 
 -- 
 
I am only one, but I am one.  I cannot do everything, but I can do
something.  And I will not let what I cannot do interfere with what
I can do.
   -- Edward Everett Hale, (1822 - 1909)



Re: ITU-T Dubai Meeting

2012-08-08 Thread Doug Barton
On 8/8/2012 6:40 AM, David Conrad wrote:
 Imagine my surprise when I just discovered this actually exists

To the extent that anything on wikipedia actually exists ... :)

-- 

I am only one, but I am one.  I cannot do everything, but I can do
something.  And I will not let what I cannot do interfere with what
I can do.
-- Edward Everett Hale, (1822 - 1909)


Re: ITU-T Dubai Meeting

2012-08-07 Thread Brian E Carpenter
On 06/08/2012 23:02, Martin Rex wrote:
 Steven Bellovin wrote:
 Randy Bush wrote:
 whatever the number of address bits, if it is fixed, we always run out.
 memory addressing has been a cliff many times.  ip addressing.  ...
 Yup.  To quote Fred Brooks on memory address space: Every successful
 computer architecture eventually runs out of address space -- and I heard
 him say that in 1973.
 
 I'm wondering what resource shortage would have happened if IPv6
 had been massively adopted 10 years earlier, and whether we would have
 seen the internet backbone routers suffer severely from the size
 of the routing tables, if every single home customer (DSL subscriber)
 would have required a provider-independent IPv6 network prefix rather
 than a single, provider-dependent IPv4 IP Address.

That was never a likely scenario (and still isn't). PA prefixes are still
the norm for mass-market IP, regardless of version number.

 Brian


Re: ITU-T Dubai Meeting

2012-08-07 Thread Martin Rex
Brian E Carpenter wrote:
 On 06/08/2012 23:02, Martin Rex wrote:
  Steven Bellovin wrote:
  Randy Bush wrote:
  whatever the number of address bits, if it is fixed, we always run out.
  memory addressing has been a cliff many times.  ip addressing.  ...
  Yup.  To quote Fred Brooks on memory address space: Every successful
  computer architecture eventually runs out of address space -- and I heard
  him say that in 1973.
  
  I'm wondering what resource shortage would have happened if IPv6
  had been massively adopted 10 years earlier, and whether we would have
  seen the internet backbone routers suffer severely from the size
  of the routing tables, if every single home customer (DSL subscriber)
  would have required a provider-independent IPv6 network prefix rather
  than a single, provider-dependent IPv4 IP Address.
 
 That was never a likely scenario (and still isn't). PA prefixes are still
 the norm for mass-market IP, regardless of version number.


IPv6 PA prefixes result in that awkward renumbering.
Avoiding the renumbering implies provider independent
network prefix.

With IPv4, you would have typically kept your IPv4 network address
(the old class A, B & C from early 199x) even when changing network
providers.


To me, IPv6 PA prefixes look like a pretty useless feature
(from the customer perspective).  Either you want a provider-independent
prefix to avoid the renumbering when changing providers,
or you want some level of privacy protection and therefore
a fully dynamic temporary DHCP-assigned IPv6 address
(same network prefix for 1+ customers of the ISP)
and for use with NAT (again to avoid the renumbering).

IPv6 renumbering creates huge complexity without value (for the customer).

-Martin


Re: ITU-T Dubai Meeting

2012-08-07 Thread Brian E Carpenter
Martin,

As far as the mass market goes, multiple prefixes and renumbering are a fact of 
life.
See the MIF and HOMENET WGs for more.

As far as enterprise networks go, renumbering is rather undesirable but 
sometimes
inevitable, see 6RENUM.

Regards
   Brian

On 07/08/2012 08:46, Martin Rex wrote:
 Brian E Carpenter wrote:
 On 06/08/2012 23:02, Martin Rex wrote:
 Steven Bellovin wrote:
 Randy Bush wrote:
 whatever the number of address bits, if it is fixed, we always run out.
 memory addressing has been a cliff many times.  ip addressing.  ...
 Yup.  To quote Fred Brooks on memory address space: Every successful
 computer architecture eventually runs out of address space -- and I heard
 him say that in 1973.
 I'm wondering what resource shortage would have happened if IPv6
 had been massively adopted 10 years earlier, and whether we would have
 seen the internet backbone routers suffer severely from the size
 of the routing tables, if every single home customer (DSL subscriber)
 would have required a provider-independent IPv6 network prefix rather
 than a single, provider-dependent IPv4 IP Address.
 That was never a likely scenario (and still isn't). PA prefixes are still
 the norm for mass-market IP, regardless of version number.
 
 
 IPv6 PA prefixes result in that awkward renumbering.
 Avoiding the renumbering implies provider independent
 network prefix.
 
 With IPv4, you would have typically kept your IPv4 network address
 (the old class A, B & C from early 199x) even when changing network
 providers.
 
 
 To me, IPv6 PA prefixes look like a pretty useless feature
 (from the customer perspective).  Either you want a provider-independent
 prefix to avoid the renumbering when changing providers,
 or you want some level of privacy protection and therefore
 a fully dynamic temporary DHCP-assigned IPv6 address
 (same network prefix for 1+ customers of the ISP)
 and for use with NAT (again to avoid the renumbering).
 
 IPv6 renumbering creates huge complexity without value (for the customer).
 
 -Martin
 


Re: ITU-T Dubai Meeting

2012-08-07 Thread Arturo Servin
Brian,

Yes, that is true, renumbering is a fact and we may be doing it 
eventually but hopefully not frequently.

Needing to renumber every time a large enterprise changes 
internet provider (frequently, every 2 or 3 years perhaps) is simply not 
practical today and possibly it never will be.

Regards,
as

On 7 Aug 2012, at 05:20, Brian E Carpenter wrote:

 Martin,
 
 As far as the mass market goes, multiple prefixes and renumbering are a fact 
 of life.
 See the MIF and HOMENET WGs for more.
 
 As far as enterprise networks go, renumbering is rather undesirable but 
 sometimes
 inevitable, see 6RENUM.
 
 Regards
   Brian
 
 On 07/08/2012 08:46, Martin Rex wrote:
 Brian E Carpenter wrote:
 On 06/08/2012 23:02, Martin Rex wrote:
 Steven Bellovin wrote:
 Randy Bush wrote:
 whatever the number of address bits, if it is fixed, we always run out.
 memory addressing has been a cliff many times.  ip addressing.  ...
 Yup.  To quote Fred Brooks on memory address space: Every successful
 computer architecture eventually runs out of address space -- and I heard
 him say that in 1973.
 I'm wondering what resource shortage would have happened if IPv6
 had been massively adopted 10 years earlier, and whether we would have
 seen the internet backbone routers suffer severely from the size
 of the routing tables, if every single home customer (DSL subscriber)
 would have required a provider-independent IPv6 network prefix rather
 than a single, provider-dependent IPv4 IP Address.
 That was never a likely scenario (and still isn't). PA prefixes are still
 the norm for mass-market IP, regardless of version number.
 
 
 IPv6 PA prefixes result in that awkward renumbering.
 Avoiding the renumbering implies provider independent
 network prefix.
 
 With IPv4, you would have typically kept your IPv4 network address
 (the old class A, B & C from early 199x) even when changing network
 providers.
 
 
 To me, IPv6 PA prefixes look like a pretty useless feature
 (from the customer perspective).  Either you want a provider-independent
 prefix to avoid the renumbering when changing providers,
 or you want some level of privacy protection and therefore
 a fully dynamic temporary DHCP-assigned IPv6 address
 (same network prefix for 1+ customers of the ISP)
 and for use with NAT (again to avoid the renumbering).
 
 IPv6 renumbering creates huge complexity without value (for the customer).
 
 -Martin
 



Re: ITU-T Dubai Meeting

2012-08-07 Thread Noel Chiappa
 From: m...@sap.com (Martin Rex)

 To me, IPv6 PA prefixes look like a pretty useless feature (from the
 customer perspective). 

Far be it from me to defend IPv6, but... I don't see the case here.

Our house is pretty typical of the _average_ consumer - we have a provider
supplied PA address (IPv4, but the principles are the same), which they seem
to change on a fairly regular basis as they renumber/reorganize their
network. However, as we don't run any servers/services, we don't care. Thanks
to the magic of DHCP, etc, everything 'just works'. So for the _average_
customer (who are 99.9...% of their customers), PA is just fine.

 you want some level of privacy protection and therefore a fully dynamic
 temporary DHCP-assigned IPv6 address

This turns out to be a chimera. Such addresses don't really provide any real
privacy - it turns out to be easy to track people through their access
patterns, etc.

Noel


RE: ITU-T Dubai Meeting

2012-08-07 Thread Worley, Dale R (Dale)
 From: Martin Rex [m...@sap.com]
 
 IPv6 PA prefixes result in that awkward renumbering.  Avoiding the
 renumbering implies provider independent network prefix.
 
 With IPv4, you would have typically kept your IPv4 network address
 (the old class A, B  C from early 199x) even when changing network
 providers.

I've been told that ISPs don't like routing to their customers using
routing-independent prefixes (in IPv4), and that the result is that
small organizations (in practice) use provider address space.
Certainly there would be a problem with routing table size if all
organizations used provider-independent prefixes.

Dale


Re: ITU-T Dubai Meeting

2012-08-07 Thread Yoav Nir

On Aug 7, 2012, at 5:32 PM, Noel Chiappa wrote:

 From: m...@sap.com (Martin Rex)
 
 To me, IPv6 PA prefixes look like a pretty useless feature (from the
 customer perspective). 
 
 Far be it from me to defend IPv6, but... I don't see the case here.
 
 Our house is pretty typical of the _average_ consumer - we have a provider
 supplied PA address (IPv4, but the principles are the same), which they seem
 to change on a fairly regular basis as they renumber/reorganize their
 network. However, as we don't run any servers/services, we don't care. Thanks
 to the magic of DHCP, etc, everything 'just works'. So for the _average_
 customer (who are 99.9...% of their customers), PA is just fine.

If home automation systems become more commonplace, having a server at home 
may also become more commonplace. What's the point of having an IPv6-enabled 
lightbulb if you can't turn it off from half-way around the world?  

But as long as DNS updates dynamically, this shouldn't be a problem. 

For organizations renumbering is more painful, but as long as there's plenty of 
time to prepare - it should be manageable. If it's too painful, there are 
provider independent addresses, but how many really need them?

Yoav

Re: ITU-T Dubai Meeting

2012-08-07 Thread Noel Chiappa
 From: Yoav Nir y...@checkpoint.com

 For organizations renumbering is more painful, but as long as there's
 plenty of time to prepare - it should be manageable. If it's too
 painful, there are provider independent addresses, but how many really
 need them?

Or we could separate location and identity. Just a thought. Oh, wait...

(Just channeling my inner Randy... :-)

Noel


Re: ITU-T Dubai Meeting

2012-08-07 Thread Yoav Nir

On Aug 7, 2012, at 6:19 PM, Noel Chiappa wrote:

 From: Yoav Nir y...@checkpoint.com
 
 For organizations renumbering is more painful, but as long as there's
 plenty of time to prepare - it should be manageable. If it's too
 painful, there are provider independent addresses, but how many really
 need them?
 
 Or we could separate location and identity. Just a thought. Oh, wait...

I'm the same person, I live in the same house. My computer is connected to the 
same socket in the wall. All I changed was the ISP. Why do we call the thing 
that's changed location?

Re: ITU-T Dubai Meeting

2012-08-07 Thread Noel Chiappa
 From: Yoav Nir y...@checkpoint.com

 I live in the same house. My computer is connected to the same socket
 in the wall.

That's your physical location. Irrelevant (basically) to the network.

 All I changed was the ISP. Why do we call the thing that's changed
 location?

'Location' in the network-centric sense (i.e. 'where in the overall network's
connectivity map you are').

Is there a better term? (Not that we're likely to be able to switch to it
now, 'location' is too engrained, going back to RFC-1498, if not before.)

Noel


Re: ITU-T Dubai Meeting

2012-08-07 Thread Yoav Nir

On Aug 7, 2012, at 6:35 PM, Noel Chiappa wrote:

 All I changed was the ISP. Why do we call the thing that's changed
 location?
 
 'Location' in the network-centric sense (i.e. 'where in the overall network's
 connectivity map you are').

Right.

The location is pretty much irrelevant to the user. Too bad changing it 
involves pain for the user rather than just pain for the core (ISPs and such)

Re: ITU-T Dubai Meeting

2012-08-07 Thread Doug Barton
On 08/07/2012 00:46, Martin Rex wrote:
 IPv6 PA prefixes result in that awkward renumbering.
 Avoiding the renumbering implies provider independent
 network prefix.

ULA on the inside + https://tools.ietf.org/html/rfc6296

-- 

I am only one, but I am one.  I cannot do everything, but I can do
something.  And I will not let what I cannot do interfere with what
I can do.
-- Edward Everett Hale, (1822 - 1909)

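The ULA-inside plus RFC 6296 (NPTv6) arrangement Doug points at, as an added example that is not code from this list or from any NPTv6 implementation: a stateless, checksum-neutral mapping between a stable internal ULA /48 and the provider-assigned /48, so that a change of provider only alters the translator's external prefix while the internal hosts (and anything written against their addresses) keep theirs. All prefixes and host addresses are constructed sample values (a made-up ULA and documentation-range 2001:db8::/32 sub-prefixes), and the code handles the /48-or-shorter case of the RFC only.

```python
"""RFC 6296 (NPTv6) prefix translation: stable ULA inside, PA outside.

Constructed sample values: fd12:3456:789a::/48 stands in for a site's ULA,
and 2001:db8:1::/48 / 2001:db8:2::/48 (documentation range) stand in for
the old and new provider-assigned prefixes.
"""
import ipaddress


def ones_complement_sum(words):
    """16-bit one's complement sum with end-around carry."""
    total = 0
    for w in words:
        total += w
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ones_complement_sub(a, b):
    """a - b in 16-bit one's complement arithmetic (add the complement of b)."""
    return ones_complement_sum([a, (~b) & 0xFFFF])


def address_words(addr):
    """Split an IPv6 address into its eight 16-bit words."""
    packed = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def words_to_address(words):
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))


def address_checksum(addr):
    """One's complement sum over the whole address; 0xFFFF is folded to 0 so
    the two one's complement zeros compare equal."""
    total = ones_complement_sum(address_words(addr))
    return 0 if total == 0xFFFF else total


class NPTv6Translator:
    """Stateless two-way mapping between an internal and an external prefix.

    For prefixes of /48 or shorter the prefix bits are replaced and a fixed
    adjustment is added to word 3 (the subnet field) so the one's complement
    sum of the address is unchanged; TCP/UDP checksums therefore stay valid
    without the translator touching transport headers.
    """

    def __init__(self, internal_prefix, external_prefix):
        self.internal = ipaddress.IPv6Network(internal_prefix)
        self.external = ipaddress.IPv6Network(external_prefix)
        if self.internal.prefixlen != self.external.prefixlen:
            raise ValueError("internal and external prefix lengths must match")
        if self.internal.prefixlen > 48:
            raise ValueError("this example implements the /48-or-shorter case only")
        # Words 0..2 carry the prefix; any host bits in them are zero in the
        # network address and are copied through, so only they shape the delta.
        isum = ones_complement_sum(address_words(self.internal.network_address)[:3])
        esum = ones_complement_sum(address_words(self.external.network_address)[:3])
        self._to_external_adj = ones_complement_sub(isum, esum)
        self._to_internal_adj = ones_complement_sub(esum, isum)

    def _translate(self, addr, src_net, dst_net, adjustment):
        address = ipaddress.IPv6Address(addr)
        if address not in src_net:
            raise ValueError(f"{address} is not within {src_net}")
        host_mask = (1 << (128 - src_net.prefixlen)) - 1
        mapped = int(dst_net.network_address) | (int(address) & host_mask)
        words = address_words(ipaddress.IPv6Address(mapped))
        words[3] = ones_complement_sum([words[3], adjustment])
        if words[3] == 0xFFFF:
            # one's complement "negative zero": written as 0x0000, which is
            # why subnet 0xFFFF is not usable behind a translator like this
            words[3] = 0x0000
        return words_to_address(words)

    def to_external(self, addr):
        """Internal (ULA) address -> address as seen on the provider side."""
        return self._translate(addr, self.internal, self.external, self._to_external_adj)

    def to_internal(self, addr):
        """Provider-side address -> internal (ULA) address."""
        return self._translate(addr, self.external, self.internal, self._to_internal_adj)


def renumber_demo(internal_prefix, old_external, new_external, internal_hosts):
    """What a provider change touches: internal addresses (and rules written
    against them) stay put; only the externally visible addresses move, which
    is exactly the part that external DNS and the border firewall still see."""
    before = NPTv6Translator(internal_prefix, old_external)
    after = NPTv6Translator(internal_prefix, new_external)
    rows = []
    for host in internal_hosts:
        old_ext, new_ext = before.to_external(host), after.to_external(host)
        # round trip and checksum neutrality must hold for every host
        assert str(after.to_internal(new_ext)) == str(ipaddress.IPv6Address(host))
        assert address_checksum(host) == address_checksum(new_ext)
        rows.append((str(ipaddress.IPv6Address(host)), str(old_ext), str(new_ext)))
    return rows


if __name__ == "__main__":
    for internal, old, new in renumber_demo(
        "fd12:3456:789a::/48", "2001:db8:1::/48", "2001:db8:2::/48",
        ["fd12:3456:789a:1::10", "fd12:3456:789a:2::53"],
    ):
        print(f"{internal:24} old provider {old:24} new provider {new}")
```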

Re: ITU-T Dubai Meeting

2012-08-07 Thread Mark Andrews

In message 5021742a.70...@dougbarton.us, Doug Barton writes:
 On 08/07/2012 00:46, Martin Rex wrote:
  IPv6 PA prefixes result in that awkward renumbering.
  Avoiding the renumbering implies provider independent
  network prefix.
 
 ULA on the inside + https://tools.ietf.org/html/rfc6296

If you are changing your external connection you may as well just use
ULA + PA.  The DNS needs to be updated in either case, the firewall needs
to be updated in either case.
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: ITU-T Dubai Meeting

2012-08-07 Thread Martin Rex
Mark Andrews wrote:
 
 In message 5021742a.70...@dougbarton.us, Doug Barton writes:
  On 08/07/2012 00:46, Martin Rex wrote:
   IPv6 PA prefixes result in that awkward renumbering.
   Avoiding the renumbering implies provider independent
   network prefix.
  
  ULA on the inside + https://tools.ietf.org/html/rfc6296
 
 If you are changing your external connection you may as well just use
 ULA + PA.  The DNS needs to be updated in either case, the firewall needs
 to be updated in either case.

And what about running apps and network connections in the connected state?

I'm also wondering about sockets in listen() on less-than-any
interface(s), bind() seems to work on IP-Addresses, not interfaces.

I have a copy of Stevens' Unix Network Programming
(a Volume 1 second edition that I purchased while at the
 Pittsburgh IETF in Aug 2000)

I don't see (IPv6) renumbering in the Index or Table of Contents,
is it described somewhere for apps programmers how to deal with
renumbering events?  Or is it a Reboot for changes to take effect
type of activity?

-Martin


Re: ITU-T Dubai Meeting

2012-08-07 Thread Doug Barton
On 08/07/2012 09:51 PM, Mark Andrews wrote:
 In message 5021742a.70...@dougbarton.us, Doug Barton writes:
 On 08/07/2012 00:46, Martin Rex wrote:
 IPv6 PA prefixes result in that awkward renumbering.
 Avoiding the renumbering implies provider independent
 network prefix.

 ULA on the inside + https://tools.ietf.org/html/rfc6296
 
 If you are changing your external connection you may as well just use
 ULA + PA.

That was what Martin was discussing, unless I missed something.



Re: ITU-T Dubai Meeting

2012-08-07 Thread Doug Barton
On 08/07/2012 10:19 PM, Martin Rex wrote:
 Mark Andrews wrote:

 In message 5021742a.70...@dougbarton.us, Doug Barton writes:
 On 08/07/2012 00:46, Martin Rex wrote:
 IPv6 PA prefixes result in that awkward renumbering.
 Avoiding the renumbering implies provider independent
 network prefix.

 ULA on the inside + https://tools.ietf.org/html/rfc6296

 If you are changing your external connection you may as well just use
 ULA + PA.  The DNS needs to be updated in either case, the firewall needs
 to be updated in either case.
 
 And what about running apps and network connections in the connected state?

If they are connected external to your network then obviously they would
have to be restarted ... but then you know that already. :)

If PI everywhere were a feasible strategy at this time, I'd be first
in line. But it isn't, so I think it's worthwhile discussing how we can
do what we _can_ do, best.



Re: ITU-T Dubai Meeting

2012-08-06 Thread Martin Rex
Steven Bellovin wrote:
 
 Randy Bush wrote:
 
 whatever the number of address bits, if it is fixed, we always run out.
 memory addressing has been a cliff many times.  ip addressing.  ...
 
 Yup.  To quote Fred Brooks on memory address space: Every successful
 computer architecture eventually runs out of address space -- and I heard
 him say that in 1973.

I'm wondering what resource shortage would have happened if IPv6
had been massively adopted 10 years earlier, and whether we would have
seen the internet backbone routers suffer severely from the size
of the routing tables, if every single home customer (DSL subscriber)
would have required a provider-independent IPv6 network prefix rather
than a single, provider-dependent IPv4 IP Address.

-Martin


Re: ITU-T Dubai Meeting

2012-08-05 Thread Daniel Karrenberg

On 03.08.2012, at 20:25, Mark Andrews wrote:

 
 IPv4 addresses used to be regarded as non-scarce not so long ago.
 
 I don't know what planet you have been living on but it was clear
 IPv4 addresses were a scarce resource 2+ decades ago longer than
 some IETF attendees have been alive.  IPv6 was started because they
 were a scarce resource that would run out in the foreseeable future.

I may have been too terse for some readers.  What I intended to point out is 
that the life time of address spaces has been underestimated more often than 
not, especially early on in their deployment. This is particularly true for 
network level addressing.  Arguments that addresses are not scarce in any 
finite address space should be judged in the light of this historic experience.

In other words: I expect that it will be not more than 20 years from now that 
we will hear cries of Why were we so wasteful with IPv6 addresses in the 
beginning? This is why I disagree with Phillip Hallam-Baker's opinion.

Daniel

PS: I have been living on Earth, the densest and fifth-largest of the eight 
planets in the Solar System. Personally I have been aware of the general state 
of the IPv4 address space since the 1980s and I have contributed towards making 
it last as long as it did; refer to RFC1597 (now RFC1918) of the year 1994 as 
an example.

Re: ITU-T Dubai Meeting

2012-08-05 Thread Randy Bush
 In other words: I expect that it will be not more than 20 years from
 now that we will hear cries of Why were we so wasteful with IPv6
 addresses in the beginning? This is why I disagree with Phillip
 Hallam-Baker's opinion.

aol

whatever the number of address bits, if it is fixed, we always run out.
memory addressing has been a cliff many times.  ip addressing.  ...

randy


Re: ITU-T Dubai Meeting

2012-08-05 Thread Steven Bellovin

On Aug 5, 2012, at 7:34 AM, Randy Bush wrote:

 In other words: I expect that it will be not more than 20 years from
 now that we will hear cries of Why were we so wasteful with IPv6
 addresses in the beginning? This is why I disagree with Phillip
 Hallam-Baker's opinion.
 
 aol
 
 whatever the number of address bits, if it is fixed, we always run out.
 memory addressing has been a cliff many times.  ip addressing.  ...
 
Yup.  To quote Fred Brooks on memory address space: Every successful
computer architecture eventually runs out of address space -- and I heard
him say that in 1973.


--Steve Bellovin, https://www.cs.columbia.edu/~smb


Re: ITU-T Dubai Meeting

2012-08-03 Thread Brian E Carpenter

On 02/08/2012 21:30, Steven Bellovin wrote:
 On Aug 2, 2012, at 1:24 PM, David Conrad wrote:
 
 On Aug 2, 2012, at 11:44 AM, j...@mercury.lcs.mit.edu (Noel Chiappa) wrote:
 we should instead focus on the ways that the technical architecture of
 the Internet creates control points that are vulnerable to capture and
 consider ways in which those control points can be made capture-proof.
 Agreed.
 The challenge of course is that one of the simple/efficient mechanisms to 
 implement desirable features (e.g., security, scalability, manageability) is 
 to create hierarchies, but those very hierarchies provide control points 
 that can (at least in theory) be captured.  The DNS root is one such, the 
 proposed RPKI root is another.  Perhaps a variation of the Software 
 Engineering Dilemma (fast, good, cheap: pick two) applies to Internet 
 architecture: secure, scalable, manageable: pick two?

 If the ITU-T wants to also be in the business of handing out IPv6
 address names then give them a /21 or a /16 and tell them to go
 party.
 I don't think this is what the ITU is after.  My impression is that the ITU 
 is arguing that member states should get the /whatever directly.

 I basically agree. It could have negative impacts on the routing, by 
 impacting
 route aggregatability, but it can hardly be worse than those bletcherous PI
 addresses, so if it makes them happy to be in charge of a large /N, why not?
 I believe the routing scalability risk lies not in the allocation body, but 
 rather the policies imposed around the allocations.  That is, imagine a 
 world of 200+ National Internet Registries instead of 5 Regional Internet 
 registries.  If the government behind an NIR then decides that to use the 
 Internet in their country, you must use addresses allocated by the NIR of 
 that country, you then run the risk of having 200+ prefixes for each entity 
 that operates globally.  This risk could be addressed if it didn't matter 
 where you get your addresses, however that isn't true with the existing 
 model and there are political pressures that would likely ensure that it 
 would not be true in the NIR model.
 
 
 It also implies entry into a country through a few official gateways/exchange 
 points -- that way, there are only ~200 entries plus your own country's that 
 you need in your RIB...  (Telecom used to be that way -- PTTs and other 
 monopolies (e.g., ATT) loved it.)

Exactly. It is intended to defeat the Internet's historical growth model
of independence from national administrations and monopolies, by imposing
a geographical addressing scheme. Since the Internet actually works with
a topological addressing scheme, the effect is to force the topology
to be congruent with the geography. If you want central control, that's
a desirable result.

It isn't a harmless concession. We've been playing whack-a-mole against
this for a number of years now.

   Brian Carpenter


Re: ITU-T Dubai Meeting

2012-08-03 Thread Patrik Fältström

3 aug 2012 kl. 09:18 skrev Brian E Carpenter brian.e.carpen...@gmail.com:

 Exactly. It is intended to defeat the Internet's historical growth model
 of independence from national administrations and monopolies, by imposing
 a geographical addressing scheme. Since the Internet actually works with
 a topological addressing scheme, the effect is to force the topology
 to be congruent with the geography. If you want central control, that's
 a desirable result.

The key here is control.

Innovation in the core, or at the edge.

License/politically based or need based allocation.

The rest is implementation.

   Patrik



Re: ITU-T Dubai Meeting

2012-08-03 Thread Ole Jacobsen

Plug:

http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_15-2/ipj_15-2.pdf

Read the article December in Dubai, I think you will find it 
interesting.

Ole


Ole J. Jacobsen
Editor and Publisher,  The Internet Protocol Journal
Cisco Systems
Tel: +1 408-527-8972   Mobile: +1 415-370-4628
E-mail: o...@cisco.com  URL: http://www.cisco.com/ipj
Skype: organdemo




Re: ITU-T Dubai Meeting

2012-08-03 Thread David Conrad
On Aug 2, 2012, at 12:55 PM, SM s...@resistor.net wrote:
 If the ITU-T wants a /16 it is simply a matter of asking the IETF for it.

And, unless the reason the ITU-T was requesting the /16 was for some protocol 
that came up with that has global applicability that needed a /16 of IPv6 
space, they'd be redirected to an RIR.

Regards,
-drc



Re: ITU-T Dubai Meeting

2012-08-03 Thread Dmitry Burkov
I hope too as they still ignore the procedures

Sent from my iPhone

On 03.08.2012, at 19:37, David Conrad d...@virtualized.org wrote:

 On Aug 2, 2012, at 12:55 PM, SM s...@resistor.net wrote:
 If the ITU-T wants a /16 it is simply a matter of asking the IETF for it.
 
 And, unless the reason the ITU-T was requesting the /16 was for some protocol 
 that came up with that has global applicability that needed a /16 of IPv6 
 space, they'd be redirected to an RIR.
 
 Regards,
 -drc
 


Re: ITU-T Dubai Meeting

2012-08-03 Thread Mark Andrews

In message fb949bea-5bdb-401a-8a75-e9a9bdaa7...@ripe.net, Daniel Karrenberg writes:
 
 On 02.08.2012, at 22:41, Phillip Hallam-Baker wrote:
 
  ... That depends on whether the registry in question is dealing with a
  scarce resource or a plentiful one. Having two registries handing out
  IPv4 addresses at this point would be very very bad. Having more than
  one place you can get an IPv6 from would not worry me at all. ...
 
 IPv4 addresses used to be regarded as non-scarce not so long ago.

I don't know what planet you have been living on but it was clear
IPv4 addresses were a scarce resource 2+ decades ago longer than
some IETF attendees have been alive.  IPv6 was started because they
were a scarce resource that would run out in the foreseeable future.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: ITU-T Dubai Meeting

2012-08-03 Thread Dmitry Burkov
Mark,
I really enjoyed your professional remarks for the years and your deep and 
intrinsic mind,
but it seems that now it is not a time to discuss the issue that IPv4 is a scarce 
resource :)


My opinion is that IPv6 was done in the worst manner and we should simply 
recognize that we have no other way to satisfy industry needs in such short 
time. 

Nothing personal - as a lot of my friends spent significant part of their life 
on it.

Dima

On Aug 3, 2012, at 10:25 PM, Mark Andrews wrote:

 
 In message fb949bea-5bdb-401a-8a75-e9a9bdaa7...@ripe.net, Daniel Karrenberg writes:
 
 On 02.08.2012, at 22:41, Phillip Hallam-Baker wrote:
 
 ... That depends on whether the registry in question is dealing with a
 scarce resource or a plentiful one. Having two registries handing out
 IPv4 addresses at this point would be very very bad. Having more than
 one place you can get an IPv6 from would not worry me at all. ...
 
 IPv4 addresses used to be regarded as non-scarce not so long ago.
 
 I don't know what planet you have been living on but it was clear
 IPv4 addresses were a scarce resource 2+ decades ago longer than
 some IETF attendees have been alive.  IPv6 was started because they
 were a scarce resource that would run out in the foreseeable future.
 
 Mark
 -- 
 Mark Andrews, ISC
 1 Seymour St., Dundas Valley, NSW 2117, Australia
 PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org



Re: ITU-T Dubai Meeting

2012-08-03 Thread SM

At 12:18 AM 8/3/2012, Brian E Carpenter wrote:

Exactly. It is intended to defeat the Internet's historical growth model
of independence from national administrations and monopolies, by imposing
a geographical addressing scheme. Since the Internet actually works with
a topological addressing scheme, the effect is to force the topology
to be congruent with the geography. If you want central control, that's


Yes.  However that message is not reaching the 
people who are part of national administrations.


At 12:25 AM 8/3/2012, Patrik Fältström wrote:

The key here is control.


SAAG [1] might consider working on that Worst 
Common Practice document to explain to countries 
how they should cut off the Internet ( 
http://www.ietf.org/proceedings/84/slides/slides-84-irtfopen-1.pdf ). :-)


If I am not mistaken the control points are 
already in place in one or more countries.  The 
key may be control.  It may also be a desire to 
address a problem which people consider as important.


Regards,
-sm

1. There is generally one or more interesting 
presentations at SAAG.  I don't know how the Security ADs make that happen. 



Re: ITU-T Dubai Meeting

2012-08-02 Thread Noel Chiappa
 From: Phillip Hallam-Baker hal...@gmail.com

 to stop such things as 'Information terrorism' which is their term for
 freedom of speech.

:-)

 The current governance structure of the Internet does more than merely
 prevent other governments from gaining control of the Internet, it
 grants the US an extraordinary degree of control. Or at least they give
 the appearance of doing so on paper if the checks and balances on that
 control are not sufficiently understood.

Correct; and so it might be worth changing the structure to lessen that
_appearance_ of USG control. But if such changes increase the Internet's
vulnerability to hostile, authoritarian governments, maybe that would not (in
the end) be such a good idea.

 as with the crypto-wars the grand bargain will almost certainly mean
 absolutely nothing.

Not necessarily - see below.

 If the WCIT process results in an over-reach, governments can and will
 leave the ITU.

The latter is unlikely, IMO.

 we should instead focus on the ways that the technical architecture of
 the Internet creates control points that are vulnerable to capture and
 consider ways in which those control points can be made capture-proof.

Agreed.

 The Internet has three separate potential control points: The IP Address
 registry, the DNS name registry and the various registries for protocol
 features.

And it is these that in my perception are really what is at risk in Dubai,
which is why I disagreed (above) that the output of Dubai will necessarily be
a NOOP.

 We need to protect the openness of the Internet. We do not need to
 perpetuate the existence of ICANN, IANA or the RIRs as
 institutions. Maintaining the institutions may be a means of protecting
 the open internet but we should be prepared to walk away from them if
 necessary

I concur that they may be expendable, but others may differ. In particular,
will not whatever replaces them be equally targets? Yes, a shell game may
produce temporary relief, but in the end won't the replacements be equally
targeted for takeover/control?

 If the ITU-T wants to also be in the business of handing out IPv6
 address names then give them a /21 or a /16 and tell them to go
 party. No really, choose your battles.

I basically agree. It could have negative impacts on the routing, by impacting
route aggregatability, but it can hardly be worse than those bletcherous PI
addresses, so if it makes them happy to be in charge of a large /N, why not?

 What I am certain of is that we do not need to rely on the counsels of
 those who tell us that the situation is so complex that we need not
 worry our little heads about it.

Indeed.

Noel


Re: ITU-T Dubai Meeting

2012-08-02 Thread SM

Hi Phillip,
At 11:16 AM 8/2/2012, Phillip Hallam-Baker wrote:

But there is also another side to the complaints made by Russia, China
and others, a complaint that US dominated organizations like ICANN and
the IETF do not allow sufficient credit for in my view. The current


Is the above about the US having a prominent say in organizations 
such as ICANN and the IETF?



governance structure of the Internet does more than merely prevent
other governments from gaining control of the Internet, it grants the
US an extraordinary degree of control. Or at least they give the
appearance of doing so on paper if the checks and balances on that
control are not sufficiently understood.


Is there even a governance structure (see draft-bollow-ectf-02)?


Contrary to the view expressed to me by one IESG member, there is no
outcome here that is 'unthinkable'. Diplomats will almost invariably


What is unthinkable today may be possible tomorrow.


The Internet has three separate potential control points: The IP
Address registry, the DNS name registry and the various registries for
protocol features. All three are an example of a Tinkerbell ontology:
They exist for no other reason than that people believe in their
existence. ICANN DNS names have relevance because there is a consensus
that they are so, new.net DNS names are irrelevant because there is
consensus that they are so.


Yes.


Rather than attempting to maintain the status quo, we should instead
identify what are the necessary concerns. We need to protect the
openness of the Internet. We do not need to perpetuate the existence
of ICANN, IANA or the RIRs as institutions. Maintaining the


The IETF took money from ICANN for some hors d'oeuvres and nobody objected.


institutions may be a means of protecting the open internet but we
should be prepared to walk away from them if necessary and in
particular we should not defend their monopoly status at all costs.


During the last plenary it was mentioned that the IETF should not be 
self-perpetuating.


For some people the open internet is the web.  Other people see it as 
Google, Facebook and Twitter.  Would anyone on this mailing list walk 
away from these free services to protect the open internet?



Consider for example the maintenance of IPv6 address space. Why does
this have to be an IANA monopoly? The only necessary requirements for
IPv6 address space is that the same space is not assigned to two
different parties and we do not run out. If the ITU-T wants to also be
in the business of handing out IPv6 address names then give them a /21
or a /16 and tell them to go party. No really, choose your battles.


If the ITU-T wants a /16 it is simply a matter of asking the IETF for it.


In conclusion, there is an issue here but not a cause for the panic
that many seem to suggest. The situation is certainly complex, but not
one that is too complex for mortal understanding. What I am certain of
is that we do not need to rely on the counsels of those who tell us
that the situation is so complex that we need not worry our little
heads about it. In fact I believe the exact opposite: The openness of


Yes.

Regards,
-sm 



Re: ITU-T Dubai Meeting

2012-08-02 Thread David Conrad
On Aug 2, 2012, at 11:44 AM, j...@mercury.lcs.mit.edu (Noel Chiappa) wrote:
 we should instead focus on the ways that the technical architecture of
 the Internet creates control points that are vulnerable to capture and
 consider ways in which those control points can be made capture-proof.
 
 Agreed.

The challenge of course is that one of the simple/efficient mechanisms to 
implement desirable features (e.g., security, scalability, manageability) is to 
create hierarchies, but those very hierarchies provide control points that can 
(at least in theory) be captured.  The DNS root is one such, the proposed RPKI 
root is another.  Perhaps a variation of the Software Engineering Dilemma 
(fast, good, cheap: pick two) applies to Internet architecture: secure, 
scalable, manageable: pick two?

 If the ITU-T wants to also be in the business of handing out IPv6
 address names then give them a /21 or a /16 and tell them to go
 party.

I don't think this is what the ITU is after.  My impression is that the ITU is 
arguing that member states should get the /whatever directly.

 I basically agree. It could have negative impacts on the routing, by impacting
 route aggregatability, but it can hardly be worse than those bletcherous PI
 addresses, so if it makes them happy to be in charge of a large /N, why not?

I believe the routing scalability risk lies not in the allocation body, but 
rather the policies imposed around the allocations.  That is, imagine a world 
of 200+ National Internet Registries instead of 5 Regional Internet registries. 
 If the government behind an NIR then decides that to use the Internet in their 
country, you must use addresses allocated by the NIR of that country, you then 
run the risk of having 200+ prefixes for each entity that operates globally.  
This risk could be addressed if it didn't matter where you get your addresses, 
however that isn't true with the existing model and there are political 
pressures that would likely ensure that it would not be true in the NIR model.

There are also risks associated with upkeep of registration data, which is 
already a challenge with the existing limited set of registries.  I imagine 
this would get worse with more registries.

Regards,
-drc





Re: ITU-T Dubai Meeting

2012-08-02 Thread Steven Bellovin

On Aug 2, 2012, at 1:24 PM, David Conrad wrote:

 On Aug 2, 2012, at 11:44 AM, j...@mercury.lcs.mit.edu (Noel Chiappa) wrote:
 we should instead focus on the ways that the technical architecture of
 the Internet creates control points that are vulnerable to capture and
 consider ways in which those control points can be made capture-proof.
 
 Agreed.
 
 The challenge of course is that one of the simple/efficient mechanisms to 
 implement desirable features (e.g., security, scalability, manageability) is 
 to create hierarchies, but those very hierarchies provide control points that 
 can (at least in theory) be captured.  The DNS root is one such, the proposed 
 RPKI root is another.  Perhaps a variation of the Software Engineering 
 Dilemma (fast, good, cheap: pick two) applies to Internet architecture: 
 secure, scalable, manageable: pick two?
 
 If the ITU-T wants to also be in the business of handing out IPv6
 address names then give them a /21 or a /16 and tell them to go
 party.
 
 I don't think this is what the ITU is after.  My impression is that the ITU 
 is arguing that member states should get the /whatever directly.
 
 I basically agree. It could have negative impacts on the routing, by 
 impacting
 route aggregatability, but it can hardly be worse than those bletcherous PI
 addresses, so if it makes them happy to be in charge of a large /N, why not?
 
 I believe the routing scalability risk lies not in the allocation body, but 
 rather the policies imposed around the allocations.  That is, imagine a world 
 of 200+ National Internet Registries instead of 5 Regional Internet 
 registries.  If the government behind an NIR then decides that to use the 
 Internet in their country, you must use addresses allocated by the NIR of 
 that country, you then run the risk of having 200+ prefixes for each entity 
 that operates globally.  This risk could be addressed if it didn't matter 
 where you get your addresses, however that isn't true with the existing model 
 and there are political pressures that would likely ensure that it would not 
 be true in the NIR model.


It also implies entry into a country through a few official gateways/exchange 
points -- that way, there are only ~200 entries plus your own country's that 
you need in your RIB...  (Telecom used to be that way -- PTTs and other 
monopolies (e.g., ATT) loved it.)

--Steve Bellovin, https://www.cs.columbia.edu/~smb



Re: ITU-T Dubai Meeting

2012-08-02 Thread Phillip Hallam-Baker
On Thu, Aug 2, 2012 at 11:44 AM, Noel Chiappa j...@mercury.lcs.mit.edu wrote:
  From: Phillip Hallam-Baker hal...@gmail.com

  to stop such things as 'Information terrorism' which is their term for
  freedom of speech.

 :-)

The term comes up in their treaty.

  If the WCIT process results in an over-reach, governments can and will
  leave the ITU.

 The latter is unlikely, IMO.

If the ITU were to over-reach and get away with it then it will not
have over-reached by definition.

One of the factors here is that a lot of the diplomats working on
'cyber' (aka information engagement, cyber security, etc. etc.) began
by working on arms limitation treaties. This turns out to be
self-reinforcing, as once the US has a person from that world in their
delegation the Russians will add someone who was part of earlier
negotiations with her, and vice versa.

Nuclear deterrence is a viable strategy because nuclear weapons are
difficult to make, which makes the attribution problem tractable and
thus enables a credible threat of consequences. Techies know that
cyber deterrence is obviously unworkable because attribution is not
possible. We can track an IP packet to Iran but we cannot state with
certainty who controlled the computer that sent it. The diplomats know
that this is the case but really can't accept that it is the case
because they are trying to cram cyber into their 'deterrence'
framework.

Cyber-attacks should be considered a form of terrorism. The barrier to
entry is low, the consequences are disproportionate to the effort but
fall far short of a conventional attack. At this point we are at the
same stage of understanding of cyber as the diplomatic community was
with terrorism in the mid 1960s when the terrorist movements began to
become active in Europe. The US government is doing damn stupid things
like attacking civil nuclear facilities and the Russians are doing
stuff that is equally stupid.

The challenge we face is how to define the border between a cyber
attack (i.e. an act of war) and cyber-espionage (which is not
considered warfare in law). I do not take offense at the Chinese
government enacting a DIY reparations program for the 'open door'
policy and the opium wars. I am going to do my best to help my
customers stop them, but they are acting within their rights.


  The Internet has three separate potential control points: The IP Address
  registry, the DNS name registry and the various registries for protocol
  features.

 And it is these that in my perception are really what is at risk in Dubai,
 which is why I disagreed (above) that the output of Dubai will necessarily be
 a NOOP.

Yes, it is all about the registries.

  We need to protect the openness of the Internet. We do not need to
  perpetuate the existence of ICANN, IANA or the RIRs as
  institutions. Maintaining the institutions may be a means of protecting
  the open internet but we should be prepared to walk away from them if
  necessary

 I concur that they may be expendable, but others may differ. In particular,
 will not whatever replaces them be equally targets? Yes, a shell game may
 produce temporary relief, but in the end won't the replacements be equally
 targeted for takeover/control?

That depends on whether the registry in question is dealing with a
scarce resource or a plentiful one. Having two registries handing out
IPv4 addresses at this point would be very very bad. Having more than
one place you can get an IPv6 from would not worry me at all.


  If the ITU-T wants to also be in the business of handing out IPv6
  address names then give them a /21 or a /16 and tell them to go
  party. No really, choose your battles.

 I basically agree. It could have negative impacts on the routing, by impacting
 route aggregatability, but it can hardly be worse than those bletcherous PI
 addresses, so if it makes them happy to be in charge of a large /N, why not?

SM also commented on this:

 If the ITU-T wants a /16 it is simply a matter of asking the IETF for it.

No, if the ITU-T really wants to do this it is just a matter of them
taking it. This happens repeatedly in registry schemes. They could ask
the IETF for a /16 or they could simply send a message informing us
that they will be allocating out of (say) 2F00::/16 from now on and
that it would be 'inadvisable' for IANA, ICANN, IETF or whoever to
grant competing allocations.

If people choose to route packets for the corresponding BGP adverts
then they get away with it. If they can't do that then we don't need
to worry about them anyway.


-- 
Website: http://hallambaker.com/
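
Two operational questions sit underneath the exchange above: what an operator
actually does with a BGP advert for a block such as 2F00::/16 that no
registry has delegated, and how the "200+ NIRs" policy model discussed
earlier in the thread shows up as routes that cannot be aggregated. The
Python below is an added example and is not code from anyone in this thread.
It assumes a hard-coded snapshot of the IANA IPv6 unicast registry (which
may be incomplete; a real filter would fetch the live registry), a /48
maximum accepted prefix length (a common operator policy, taken here as an
assumption), and a constructed set of announcements using RFC 5398
documentation ASNs.

```python
"""Origin sanity check and aggregation count for IPv6 BGP announcements.

Added example, not from the thread: decides whether a received IPv6 route
falls inside address space the IANA registry has actually delegated, and
counts how many routes remain after aggregation.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed snapshot of the IANA "IPv6 Global Unicast Address Assignments"
# registry. Assumption: illustrative and possibly incomplete; a real filter
# would download the current registry (and carve out 2001:db8::/32, which is
# documentation-only space) instead of hard-coding it.
IANA_IPV6_UNICAST: List[Tuple[str, str]] = [
    ("2001::/16", "IANA (sub-allocated to the RIRs)"),
    ("2002::/16", "6to4"),
    ("2003::/16", "RIPE NCC"),
    ("2400::/12", "APNIC"),
    ("2600::/12", "ARIN"),
    ("2610::/23", "ARIN"),
    ("2620::/23", "ARIN"),
    ("2800::/12", "LACNIC"),
    ("2a00::/12", "RIPE NCC"),
    ("2c00::/12", "AFRINIC"),
]
ALLOCATED = [ipaddress.IPv6Network(p) for p, _ in IANA_IPV6_UNICAST]
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
# Assumption: refuse routes more specific than /48 (common operator policy).
MAX_PREFIXLEN = 48

Announcement = Tuple[str, int]  # (prefix, origin AS)

# Constructed sample of received announcements. ASNs are from the RFC 5398
# documentation range; prefixes are chosen to exercise every decision branch.
SAMPLE_ANNOUNCEMENTS: List[Announcement] = [
    ("2a00:1450::/32", 64496),       # inside RIPE NCC space
    ("2400:cb00::/32", 64496),       # same origin, APNIC space: cannot aggregate
    ("2001:db8::/48", 64497),        # one operator, two adjacent /48s ...
    ("2001:db8:1::/48", 64497),      # ... which collapse to 2001:db8::/47
    ("2f00:1::/32", 64498),          # inside 2000::/3 but delegated by nobody
    ("2a00:1450:4001::/64", 64496),  # more specific than the /48 policy limit
    ("fd00::/8", 64499),             # ULA, never valid in the global table
]


def classify(prefix: str) -> str:
    """Return the filter decision for one announced prefix."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 6:
        return "not-ipv6"
    if not net.subnet_of(GLOBAL_UNICAST):
        return "outside-global-unicast"
    if not any(net.subnet_of(block) for block in ALLOCATED):
        # The 2F00::/16 case: inside 2000::/3, but no registry delegated it.
        return "unallocated"
    if net.prefixlen > MAX_PREFIXLEN:
        return "too-specific"
    return "accept"


def filter_announcements(announcements: Iterable[Announcement]) -> Dict[str, str]:
    """Map each announced prefix to its decision."""
    return {prefix: classify(prefix) for prefix, _asn in announcements}


def accepted_prefixes(announcements: Iterable[Announcement]) -> List[str]:
    """Prefixes that survive the filter, in announcement order."""
    return [p for p, d in filter_announcements(announcements).items() if d == "accept"]


def routes_after_aggregation(prefixes: Iterable[str]) -> int:
    """Number of routes left once adjacent, aligned prefixes are merged.

    Prefixes from different registries never merge, which is the RIB growth
    the thread worries about: one entity, one route per country-level registry.
    """
    nets = [ipaddress.IPv6Network(p) for p in prefixes]
    return len(list(ipaddress.collapse_addresses(nets)))


if __name__ == "__main__":
    for prefix, decision in filter_announcements(SAMPLE_ANNOUNCEMENTS).items():
        print(f"{prefix:24} {decision}")
    accepted = accepted_prefixes(SAMPLE_ANNOUNCEMENTS)
    print(f"{len(accepted)} accepted, {routes_after_aggregation(accepted)} after aggregation")
```

The point of `routes_after_aggregation` is the second half of the thread's
argument: the two RIPE/APNIC /32s from the same origin stay as two routes
because they come from different allocation blocks, whereas the two adjacent
/48s from one allocation collapse to a single /47. Multiply the first case by
200 registries and the RIB cost of per-country allocation policy is visible.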


Re: ITU-T Dubai Meeting

2012-08-02 Thread Doug Barton
On 8/2/2012 1:24 PM, David Conrad wrote:
 On Aug 2, 2012, at 11:44 AM, j...@mercury.lcs.mit.edu (Noel Chiappa) wrote:
 we should instead focus on the ways that the technical architecture of
 the Internet creates control points that are vulnerable to capture and
 consider ways in which those control points can be made capture-proof.

 Agreed.
 
 The challenge of course is that one of the simple/efficient mechanisms to 
 implement desirable features (e.g., security, scalability, manageability) is 
 to create hierarchies, but those very hierarchies provide control points that 
 can (at least in theory) be captured.  The DNS root is one such, the proposed 
 RPKI root is another.  Perhaps a variation of the Software Engineering 
 Dilemma (fast, good, cheap: pick two) applies to Internet architecture: 
 secure, scalable, manageable: pick two?
 
 If the ITU-T wants to also be in the business of handing out IPv6
 address names then give them a /21 or a /16 and tell them to go
 party.
 
 I don't think this is what the ITU is after.  My impression is that the ITU 
 is arguing that member states should get the /whatever directly.
 
 I basically agree. It could have negative impacts on the routing, by
 impacting route aggregatability, but it can hardly be worse than those
 bletcherous PI addresses, so if it makes them happy to be in charge of a
 large /N, why not?
 
 I believe the routing scalability risk lies not in the allocation body, but 
 rather the policies imposed around the allocations.  That is, imagine a world 
 of 200+ National Internet Registries instead of 5 Regional Internet 
 registries.  If the government behind an NIR then decides that to use the 
 Internet in their country, you must use addresses allocated by the NIR of 
 that country, you then run the risk of having 200+ prefixes for each entity 
 that operates globally.  This risk could be addressed if it didn't matter 
 where you get your addresses, however that isn't true with the existing model 
 and there are political pressures that would likely ensure that it would not 
 be true in the NIR model.
 
 There are also risks associated with upkeep of registration data, which is 
 already a challenge with the existing limited set of registries.  I imagine 
 this would get worse with more registries.

In addition to the very valid points that David made, there are also
other risks. Such as, if the national government is the only source of
IP addresses then they have much greater control over who can get on the
network in-country. And if all of the traffic from a given country is
coming into my country via the same prefix it makes it that much easier
to apply censorship, tariffs, etc.

The whole concept of a global network, with no centralized control, that
permits (nay, encourages) the free flow of information is anathema to
many national governments. They are desperate to choke that off, by any
means necessary.

Doug

-- 

I am only one, but I am one.  I cannot do everything, but I can do
something.  And I will not let what I cannot do interfere with what
I can do.
-- Edward Everett Hale, (1822 - 1909)


Re: ITU-T Dubai Meeting

2012-08-02 Thread Steven Bellovin
On Aug 2, 2012, at 2:30 PM, Doug Barton wrote:
 
 The whole concept of a global network, with no centralized control, that
 permits (nay, encourages) the free flow of information is anathema to
 many national governments. They are desperate to choke that off, by any
 means necessary.


From 
http://www.nextgov.com/cybersecurity/2012/07/nsa-head-calls-more-visibility-over-computer-networks/57073/
 :

The decentralized nature of the Internet and the confusing thicket of 
independent public and private networks are limiting efforts to protect against 
attacks, Alexander signaled Friday at the Def Con hacker conference in Las 
Vegas.

This is Gen. Alexander, head of the NSA...

--Steve Bellovin, https://www.cs.columbia.edu/~smb


Re: ITU-T Dubai Meeting

2012-08-02 Thread Doug Barton
On 8/2/2012 2:53 PM, Steven Bellovin wrote:
 On Aug 2, 2012, at 2:30 PM, Doug Barton wrote:

 The whole concept of a global network, with no centralized control, that
 permits (nay, encourages) the free flow of information is anathema to
 many national governments. They are desperate to choke that off, by any
 means necessary.
 
 
 From 
 http://www.nextgov.com/cybersecurity/2012/07/nsa-head-calls-more-visibility-over-computer-networks/57073/
  :
 
 The decentralized nature of the Internet and the confusing thicket of 
 independent public and private networks are limiting efforts to protect 
 against attacks, Alexander signaled Friday at the Def Con hacker conference 
 in Las Vegas.
 
 This is Gen. Alexander, head of the NSA...

I'm not discounting the fact that some elements of the USG want to clamp
down on this troublesome freedom thing. :)  But look at the next
sentence below what you quoted:

Alexander used the speech to lobby for laws to make it easier for
companies under attack to share information with the government and each
other ...

There are currently many DIS-incentives in place regarding companies
sharing information about attacks, hacks, etc.


-- 

I am only one, but I am one.  I cannot do everything, but I can do
something.  And I will not let what I cannot do interfere with what
I can do.
-- Edward Everett Hale, (1822 - 1909)


Re: ITU-T Dubai Meeting

2012-08-02 Thread Daniel Karrenberg

On 02.08.2012, at 22:41, Phillip Hallam-Baker wrote:

 ... That depends on whether the registry in question is dealing with a
 scarce resource or a plentiful one. Having two registries handing out
 IPv4 addresses at this point would be very very bad. Having more than
 one place you can get an IPv6 from would not worry me at all. ...

IPv4 addresses used to be regarded as non-scarce not so long ago.

It is not about distributing the address space but about keeping a 
correct, comprehensive and current registry of address space users.

As others have pointed out the ITU argument is about choice only in name.
It is quite likely that nation states will quickly restrict that choice 
once they control one of the 'choices'.

Full disclosure: I helped invent and implement the RIR system. I am employed by 
the RIPE NCC.

Daniel