Re: Addressing plan exercise for our IPv6 course
On Tue, 27 Jul 2010 12:34:40 -0700 Owen DeLong o...@delong.com wrote:

> On Jul 27, 2010, at 12:05 PM, Akyol, Bora A wrote:
>
>> Please see comments inline.
>>
>> On 7/22/10 10:13 PM, Owen DeLong o...@delong.com wrote:
>>
>>> In all reality:
>>>
>>> 1. NAT has nothing to do with security. Stateful inspection provides security, NAT just mangles addresses.
>>
>> Of course, the problem is that there are millions of customers that believe that NAT == security.
>
> This needs to change.
>
>>> 2. In the places where NAT works, it does so at a terrible cost. It breaks a number of things, and applications like Skype are incredibly more complex pieces of code in order to solve NAT traversal.
>>
>> I look at this as water under the bridge. Yep, it was complicated code and now it works. I can run bittorrent just fine beyond an Apple wireless router and I did nothing to make that work. Micro-torrent just communicates with the router to make the port available.
>
> It's only water under the bridge for IPv4. If we start putting NAT66 into play, it will be the same thing all over again.
>
> Additionally, it's only water under the bridge for existing applications. Each new application seems to go through the same exercise because, for some reason, no two NAT gateways seem to have exactly the same traversal requirements and no two applications seem to implement the same set of traversal code.

What is worse about that is that we networking people have ended up shifting the cost of fixing our problem onto the application developers and onto the application users. Because we don't provide end-to-end visibility between peers on the Internet (Internet transparency - see RFC4924), application developers have to try to develop methods of doing that themselves. As you've said, this creates additional application complexity, additional bugs, and duplicate functionality between different applications, all at the application layer.

(HTTP has become the de facto substrate protocol of the Internet because firewalls permit it, and client-server communication has become the de facto communications method for applications that would truly benefit from peer-to-peer communication (i.e. more scalable, more available), because client-server overcomes the lack of global reachability NAT creates.)

Who pays this additional application development cost? Everybody, including us networking people, because we also use applications too. We get code that is possibly more buggy because it is more complex, written by people who are usually not networking code experts. We might miss out on better user interfaces or less buggy code that's there to do what the application's purpose is, because that time was instead spent on developing network layer workarounds.

It seems to me that the best place to solve problems is where they exist or where they're caused. Those solutions usually solve the problem properly, and commonly are also the cheapest way to solve it. The network layer is where these problems exist, and that's where they should be solved. We should use IPv6 to restore Internet transparency, so that application developers don't have to do it for us - again. We'll end up with a better and simpler Internet to operate, and better and/or cheaper applications.

Regards,
Mark.

>>> The elimination of NAT is one of the greatest features of IPv6.
>>
>> Most customers don't know or care what NAT is and wouldn't know the difference between a NAT firewall and a stateful inspection firewall. I do think that people will get rid of the NAT box by and large, or, at least in IPv6, the box won't be NATing.
>
>>> Whether or not they NAT it, it's still better to give the customer enough addresses that they don't HAVE to NAT.
>>>
>>> Owen
>>
>> Of course, no disagreement there.
>>
>> The real challenge is going to be education of customers so that they can actually configure a firewall policy to protect their now-suddenly-addressable-on-the-Internet home network. I would love to see how SOHO vendors are going to address this.
>
> Not so much... SOHO gateways should implement stateful inspection with the same default policy a NAT box provides today...
>
> 1. Outbound packets create a state table entry.
> 2. Inbound packets are only forwarded if they match an existing state table entry.
>
> Pretty simple, actually.
>
> Owen
Re: Addressing plan exercise for our IPv6 course
> I look at this as water under the bridge. Yep, it was complicated code and now it works. I can run bittorrent just fine beyond an Apple wireless router and I did nothing to make that work. Micro-torrent just communicates with the router to make the port available.

So, the security model here is that arbitrary untrusted applications, running on an arbitrary untrusted OS, selected by people who have no understanding of computer or network security, are allowed to update the security policy on the perimeter device.

I can see why those secure NAT boxes have *totally* stopped the Windows botnet problem in its tracks...

> Of course, no disagreement there.
>
> The real challenge is going to be education of customers so that they can actually configure a firewall policy to protect their now-suddenly-addressable-on-the-Internet home network. I would love to see how SOHO vendors are going to address this.

Permit any outbound
Permit any inbound established
Deny any inbound

Achieves essentially the same functionality as a NAT device without the annoying mangling of addresses. Vendors could then continue to offer the UPnP "request a hole" functionality that they do today, or tweak the labels on their "forward this port" web GUI to say "permit the port" instead.

For end-users who want to carry on doing exactly what they do today, the changes required for both them and their CPE vendor are trivial. For end-users who are currently frustrated by NAT, they have their real, honest-to-goodness end-to-end Internet restored.

Everybody wins, apart from those with a vested interest in upselling to business connectivity plans, or those who would prefer that the Internet is TV on new technology, and that end-users remain good little eyeballs, dutifully paying for their Big Business Content.

Regards,
Tim.
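The default policy Owen and Tim describe in the two messages above (outbound creates state, inbound is forwarded only on a state match, everything else inbound is dropped, with a "permit the port" pinhole standing in for UPnP or the port-forward GUI) as an added simulation. This is not code from either post nor any vendor's CPE firmware; the prefixes, hosts and ports are constructed, and it models only the forwarding decision, not packet parsing, TCP flags or state timeouts.

```python
"""Toy model of the default SOHO policy discussed in the thread:
outbound traffic creates a state-table entry, inbound traffic is
forwarded only if it matches one, all other inbound is dropped, and
a "permit this port" pinhole stands in for UPnP / a port-forward GUI.
Added example with constructed addresses; no real packet handling."""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

FlowKey = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def key(self) -> FlowKey:
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reply_key(self) -> FlowKey:
        # The 5-tuple a reply to this packet will carry (endpoints swapped).
        return (self.proto, self.dst, self.dport, self.src, self.sport)


class StatefulGateway:
    def __init__(self, inside_prefix: str):
        self.inside = ipaddress.ip_network(inside_prefix)
        self.state: Set[FlowKey] = set()                   # flows opened from inside
        self.pinholes: Set[Tuple[str, str, int]] = set()   # (proto, inside addr, port)

    def _inside(self, addr: str) -> bool:
        return ipaddress.ip_address(addr) in self.inside

    def open_pinhole(self, proto: str, inside_addr: str, port: int) -> None:
        """What a UPnP 'request a hole' or a 'permit the port' GUI does."""
        if not self._inside(inside_addr):
            raise ValueError("pinholes may only point at inside hosts")
        self.pinholes.add((proto, inside_addr, port))

    def handle(self, pkt: Packet) -> str:
        src_in, dst_in = self._inside(pkt.src), self._inside(pkt.dst)
        if src_in and not dst_in:
            # Rule 1: permit any outbound; remember the flow so the reply matches.
            self.state.add(pkt.reply_key())
            return "forward"
        if dst_in and not src_in:
            # Rule 2: permit inbound that belongs to an established flow.
            if pkt.key() in self.state:
                return "forward"
            # Explicit pinhole for a service the user chose to expose.
            if (pkt.proto, pkt.dst, pkt.dport) in self.pinholes:
                return "forward"
            # Rule 3: deny all other inbound.
            return "drop"
        return "drop"   # inside<->inside or outside<->outside never transits this box


def demo() -> List[str]:
    """Scripted exchange: unsolicited SSH probe, a web fetch and its reply,
    a reply from the wrong peer, then a BitTorrent pinhole.  Constructed."""
    gw = StatefulGateway("2001:db8:1::/48")
    host, web, other = "2001:db8:1::10", "2001:db8:ffff::80", "2001:db8:ffff::81"
    decisions = [
        gw.handle(Packet(other, 40000, host, 22)),     # drop: no state, no pinhole
        gw.handle(Packet(host, 51000, web, 443)),      # forward: outbound creates state
        gw.handle(Packet(web, 443, host, 51000)),      # forward: matches that state
        gw.handle(Packet(other, 443, host, 51000)),    # drop: wrong peer for the flow
    ]
    gw.open_pinhole("tcp", host, 6881)
    decisions.append(gw.handle(Packet(other, 40001, host, 6881)))              # forward
    decisions.append(gw.handle(Packet(other, 40001, "2001:db8:1::11", 6881)))  # drop
    return decisions


if __name__ == "__main__":
    print(demo())
```

Tim's objection is visible in the model: `open_pinhole` is the only call that widens the policy, so whatever on the LAN is allowed to make it, a UPnP client on a compromised host included, is in effect an administrator of the perimeter. The state match is on the full 5-tuple, which is why the reply from the wrong peer is dropped even though the inside port is "open".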
Re: Addressing plan exercise for our IPv6 course
On Sun, 25 Jul 2010 03:56:52 +1000 Karl Auer ka...@biplane.com.au wrote:

> On Sat, 2010-07-24 at 10:42 -0700, Owen DeLong wrote:
>
>> You do have to properly set up the rules for which addresses to use for what communication properly. It breaks less if you forego the ULA brokenness, but, some people insist for whatever reason.
>
> What is the ULA brokenness?

If it is address selection policy distribution, then this Internet Draft is aiming to solve that:

"Distributing Address Selection Policy using DHCPv6"
http://tools.ietf.org/html/draft-fujisaki-6man-addr-select-opt-00.html

> Regards, K.
>
> -- 
> ~~~
> Karl Auer (ka...@biplane.com.au)       +61-2-64957160 (h)
> http://www.biplane.com.au/~kauer/      +61-428-957160 (mob)
>
> GPG fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
> Old fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF
Re: Addressing plan exercise for our IPv6 course
On 23 July 2010 01:45, Karl Auer ka...@biplane.com.au wrote:

> Unless I've misunderstood Matthew, and he was suggesting that the /64 be the link network. That would indeed effectively give the customer a single address, unless it was being bridged rather than routed at the CPE. Not sure bridging it is such a good idea - most people will probably want their home networks to keep working even if the ISP has an outage.

Sorry for the week's delay - I meant delegating a /64 using DHCPv6 PD. I had assumed the link net would be based on provider preference - /64 would obviously make the most sense for the vast majority of scenarios.

In my experience, I would have thought well over 99% of residential users just require one subnet; if they require additional subnets they'll ask for them, and if it's standardised, a /56 could easily be quickly assigned and added to either the DHCPv6 PD or static routed if required. That would usually be a service the customer would pay extra for.

I'm purely looking at residential use here, not SOHO nor SME.

M
Re: Addressing plan exercise for our IPv6 course
On Jul 29, 2010, at 3:51 AM, Mark Smith wrote:

> On Sun, 25 Jul 2010 03:56:52 +1000 Karl Auer ka...@biplane.com.au wrote:
>
>> On Sat, 2010-07-24 at 10:42 -0700, Owen DeLong wrote:
>>
>>> You do have to properly set up the rules for which addresses to use for what communication properly. It breaks less if you forego the ULA brokenness, but, some people insist for whatever reason.
>>
>> What is the ULA brokenness?
>
> If it is address selection policy distribution, then this Internet Draft is aiming to solve that:
>
> "Distributing Address Selection Policy using DHCPv6"
> http://tools.ietf.org/html/draft-fujisaki-6man-addr-select-opt-00.html

Source address selection is one of the problems. Distribution of source address selection policy is part of that problem.

Owen
Re: Addressing plan exercise for our IPv6 course
On Jul 29, 2010, at 4:08 AM, Matthew Walster wrote:

> On 23 July 2010 01:45, Karl Auer ka...@biplane.com.au wrote:
>
>> Unless I've misunderstood Matthew, and he was suggesting that the /64 be the link network. That would indeed effectively give the customer a single address, unless it was being bridged rather than routed at the CPE. Not sure bridging it is such a good idea - most people will probably want their home networks to keep working even if the ISP has an outage.
>
> Sorry for the week's delay - I meant delegating a /64 using DHCPv6 PD. I had assumed the link net would be based on provider preference - /64 would obviously make the most sense for the vast majority of scenarios.
>
> In my experience, I would have thought well over 99% of residential users just require one subnet; if they require additional subnets they'll ask for them, and if it's standardised, a /56 could easily be quickly assigned and added to either the DHCPv6 PD or static routed if required. That would usually be a service the customer would pay extra for.
>
> I'm purely looking at residential use here, not SOHO nor SME.
>
> M

Why not just give them a /48 and not worry about who needs what? Why add the cost and complexity of all these different sized assignments based on requests and such?

If we give every household on the planet a /48 (approximately 3 billion /48s), we consume less than 1/8192 of 2000::/3. Even if it turns out this is a bad idea and we can't sustain this level of IP consumption, we still have 7/8ths of the address space available to use more conservative addressing plans.

Owen
Re: Addressing plan exercise for our IPv6 course
The policies available in all the 5 RIR regions allow you to request not the default /32, but whatever is appropriate for the size of your network, even if you provide a /48 to your end-users. Not an issue.

Regards,
Jordi

-----Original Message-----
From: Matthew Walster matt...@walster.org
To: Owen DeLong o...@delong.com
Cc: nanog@nanog.org
Date: Thu, 29 Jul 2010 16:00:40 +0100
Subject: Re: Addressing plan exercise for our IPv6 course

On 29 July 2010 15:49, Owen DeLong o...@delong.com wrote:

> If we give every household on the planet a /48 (approximately 3 billion /48s), we consume less than 1/8192 of 2000::/3.

There are 65,536 /48s in a /32. It's not about how available 2000::/3 is, it's hassle to keep requesting additional PA space. Some ISPs literally have millions of customers.

All I'm saying is, why waste the space when they're only going to need 1 subnet? If they want more than one subnet, give them a /48, /56, /60 or whatever, as requested.

M

**********************************************
The IPv6 Portal: http://www.ipv6tf.org
Re: Addressing plan exercise for our IPv6 course
On 29 Jul 2010, at 8:00, Matthew Walster wrote:

> On 29 July 2010 15:49, Owen DeLong o...@delong.com wrote:
>
>> If we give every household on the planet a /48 (approximately 3 billion /48s), we consume less than 1/8192 of 2000::/3.
>
> There are 65,536 /48s in a /32. It's not about how available 2000::/3 is, it's hassle to keep requesting additional PA space. Some ISPs literally have millions of customers.

Why would you initially request and receive a /32 if you know that you'll need far more space to assign subnets to all your customers?

> All I'm saying is, why waste the space when they're only going to need 1 subnet? If they want more than one subnet, give them a /48, /56, /60 or whatever, as requested.

There's a good chance that you want to keep your customers for the long haul. There's a good chance that in the long run multi-subnet home networks will become the norm.

Leo
Re: Addressing plan exercise for our IPv6 course
On Jul 29, 2010, at 8:00 AM, Matthew Walster wrote:

> On 29 July 2010 15:49, Owen DeLong o...@delong.com wrote:
>
>> If we give every household on the planet a /48 (approximately 3 billion /48s), we consume less than 1/8192 of 2000::/3.
>
> There are 65,536 /48s in a /32. It's not about how available 2000::/3 is, it's hassle to keep requesting additional PA space. Some ISPs literally have millions of customers.

If you have millions of customers, why get a /32? Why not take that fact and ask for the right amount of space? 1,000,000 customers should easily qualify you for a /24 or thereabouts. If you have 8,000,000 customers, you should probably be asking for a /20 or thereabouts.

It's not rocket science to ask for enough address space, and, if you have the number of customers to justify it based on a /48 per customer, the RIRs will happily allocate it to you.

> All I'm saying is, why waste the space when they're only going to need 1 subnet? If they want more than one subnet, give them a /48, /56, /60 or whatever, as requested.

For at least the following reasons:

1. A single subnet may be the norm today because residential users and their vendors have been in a scarcity-of-addresses mentality for so long that applications to take full advantage of the internet as it should be haven't been possible. That will change.
2. A single subnet may be enough for many (definitely not all and possibly not even most) today, but certainly won't be the norm for long once IPv6 is more ubiquitous.
3. It places unnecessary limitations on the user and makes it unnecessarily more difficult to deploy additional capabilities.
4. You're increasing the workload on your own staff as your customers realize that one subnet is no longer enough and come back to you for larger assignments.
5. It's short sighted and assumes that the current IPv4 model will permanently apply to IPv6.

Why waste valuable people's time to conserve nearly valueless renewable resources?

Owen
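The arithmetic traded in the last few messages (65,536 /48s per /32, three billion /48s as a share of 2000::/3, and what size block millions of customers would justify) as an added worked example. It is not code from anyone on the thread. The customer counts are constructed; the 0.94 HD ratio is the utilisation figure RIR IPv6 policy uses, and applying it to size a block for N end sites is an approximation of how the policy is actually administered, which is why it lands near, not exactly on, Owen's "/24 or thereabouts".

```python
"""Added example: IPv6 address-plan arithmetic from the thread.
Counts end-site prefixes inside a block, the share of 2000::/3 a
/48-per-household plan consumes, and the allocation an ISP could
justify for N end sites under an HD-ratio utilisation test."""
import math
import ipaddress
from typing import List

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")
END_SITE = 48        # one /48 per end site, as proposed in the thread
HD_RATIO = 0.94      # utilisation threshold used in RIR IPv6 policy (assumed here)


def subnets_in(prefix_len: int, subnet_len: int = END_SITE) -> int:
    """Number of /subnet_len blocks that fit inside one /prefix_len."""
    if subnet_len < prefix_len:
        raise ValueError("subnet must be no larger than the containing prefix")
    return 1 << (subnet_len - prefix_len)


def share_of_global_unicast(end_sites: int, site_len: int = END_SITE) -> float:
    """Fraction of 2000::/3 consumed by `end_sites` assignments of /site_len."""
    return end_sites / subnets_in(GLOBAL_UNICAST.prefixlen, site_len)


def utilisation_threshold(prefix_len: int, site_len: int = END_SITE,
                          hd_ratio: float = HD_RATIO) -> int:
    """End sites a /prefix_len must have assigned to count as 'utilised'
    under the HD-ratio rule: (total possible sites) ** hd_ratio."""
    return math.floor(subnets_in(prefix_len, site_len) ** hd_ratio)


def allocation_for(end_sites: int, site_len: int = END_SITE,
                   hd_ratio: float = HD_RATIO) -> int:
    """Shortest prefix length whose HD-ratio threshold covers `end_sites`,
    i.e. the block that many /site_len assignments would justify.
    Solves (2 ** (site_len - p)) ** hd_ratio >= end_sites for p."""
    if end_sites < 1:
        raise ValueError("need at least one end site")
    bits = math.ceil(math.log2(end_sites) / hd_ratio)
    return site_len - bits


def first_assignments(block: str, count: int, site_len: int = END_SITE) -> List[str]:
    """The first `count` end-site prefixes carved from `block`, in order,
    as a provisioning system would hand them out."""
    net = ipaddress.ip_network(block)
    out: List[str] = []
    for i, sub in enumerate(net.subnets(new_prefix=site_len)):
        if i == count:
            break
        out.append(str(sub))
    return out


if __name__ == "__main__":
    print("/48s per /32:", subnets_in(32))
    print("3e9 households as share of 2000::/3: 1/%.0f" % (1 / share_of_global_unicast(3_000_000_000)))
    for n in (65_536, 1_000_000, 8_000_000):        # constructed customer counts
        print(f"{n:>9} end sites -> /{allocation_for(n)}")
    print(first_assignments("2001:db8::/32", 3))
```

Note what the HD ratio does to Matthew's "65,536 /48s in a /32": under a 0.94 ratio a /32 counts as utilised at roughly 33,700 assigned /48s, so an ISP handing out a /48 per customer returns to the RIR for more space well before the block is full, which is the repeat-request hassle he describes.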
Re: Addressing plan exercise for our IPv6 course
> Why waste valuable people's time to conserve nearly valueless renewable resources?

See my earlier comments on upsell and control. While you have some ISPs starting from the mentality that gives us "accepting incoming connections is a chargeable extra", they're also going to be convinced that there's a revenue opportunity in segmenting customers who want N of some resource from those who want 2N, 4N, ... That the resource in question is, for all practical purposes, both free and infinite (cue someone with a 'tragedy of the commons' analysis) does not factor - if they want more, they must pay more!

Regards,
Tim.
Re: Addressing plan exercise for our IPv6 course
On 2010-07-29 19:32, Tim Franklin wrote:

>> Why waste valuable people's time to conserve nearly valueless renewable resources?
>
> See my earlier comments on upsell and control. While you have some ISPs starting from the mentality that gives us "accepting incoming connections is a chargeable extra", they're also going to be convinced that there's a revenue opportunity in segmenting customers who want N of some resource from those who want 2N, 4N, ... That the resource in question is, for all practical purposes, both free and infinite (cue someone with a 'tragedy of the commons' analysis) does not factor - if they want more, they must pay more!

Ever thought about this tiny thing called BANDWIDTH USAGE? It is what ISPs are charged by their transit providers / peers, thus why not do that to users? Oh yeah.. something with overselling capacity, but that is not a big issue either; you can probably figure out what the average is, the lowest and the highest, and come up with a good competitive pricing strategy from there.

And there is another advantage there: the people who use a lot of bandwidth are actually paying for it then, thus you don't have to ratelimit these folks, as heck, they pay for it! Need more capacity in an area? Well, no problem, they paid for it already, thus do calculate that into your pricing too of course ;)

Thus don't charge folks for the amount of IP addresses they have, that is not what you get charged for by your transit/peers either.

Greets,
Jeroen
Re: Addressing plan exercise for our IPv6 course
On 29 Jul 2010 12:19, Owen DeLong wrote:

> On Jul 29, 2010, at 8:00 AM, Matthew Walster wrote:
>
>> On 29 July 2010 15:49, Owen DeLong o...@delong.com wrote:
>>
>>> If we give every household on the planet a /48 (approximately 3 billion /48s), we consume less than 1/8192 of 2000::/3.
>>
>> There are 65,536 /48s in a /32. It's not about how available 2000::/3 is, it's hassle to keep requesting additional PA space. Some ISPs literally have millions of customers.
>
> If you have millions of customers, why get a /32? Why not take that fact and ask for the right amount of space? 1,000,000 customers should easily qualify you for a /24 or thereabouts. If you have 8,000,000 customers, you should probably be asking for a /20 or thereabouts.

... and paying sixteen times as much in assignment and maintenance fees. See the problem there?

> It's not rocket science to ask for enough address space, and, if you have the number of customers to justify it based on a /48 per customer, the RIRs will happily allocate it to you.

Yes. However, I don't think the RIRs are as willing to give out address space for _potential_ customers, e.g. if a telco or cableco wanted to assign a single block to each CO/head end to account for future growth. OTOH, you can get address space based on a /48 per actual customer, then actually assign a /64 per potential customer and have enough for massive growth.

> Why waste valuable people's time to conserve nearly valueless renewable resources?

By creating artificial scarcity, one can increase profits per unit of nearly-valueless, renewable resources. See also: De Beers and the demonizing of artificial diamonds.

S

-- 
Stephen Sprunk      "God does not play dice."  --Albert Einstein
CCIE #3723          "God is an inveterate gambler, and He throws the
K5SSS               dice at every possible opportunity." --Stephen Hawking
Re: Addressing plan exercise for our IPv6 course
On Jul 29, 2010, at 10:32 AM, Tim Franklin wrote:

>> Why waste valuable people's time to conserve nearly valueless renewable resources?
>
> See my earlier comments on upsell and control. While you have some ISPs starting from the mentality that gives us "accepting incoming connections is a chargeable extra", they're also going to be convinced that there's a revenue opportunity in segmenting customers who want N of some resource from those who want 2N, 4N, ... That the resource in question is, for all practical purposes, both free and infinite (cue someone with a 'tragedy of the commons' analysis) does not factor - if they want more, they must pay more!

If you want to build a business based on upsell and control by trying to convince users that they should give you extra money to provision a resource that costs you virtually nothing, then more power to you. However, I think this will, in the end, be as popular as american restaurants that charge for ice water.

Consumers are moderately ignorant, but, not completely stupid. Address scarcity has allowed this model to succeed to some extent in IPv4, largely due to lack of alternatives and the fact that all consumer ISPs operate on this model. In IPv6, there is no scarcity, some ISPs will offer alternatives, and, consumers will rapidly learn about this disparity and I'm guessing that a model that says:

Network Numbers    Our Cost    You Pay
1                  $0.1        $0.00
2                  $0.2        $1.00
4                  $0.4        $2.00
etc.

is probably going to be at a significant competitive disadvantage vs. a model that says "You can have whatever address space you can justify. We'll start you with 65,536 networks, which we believe is way more than enough for virtually any residential user. We don't charge you anything for address space. We think charging people for integers is illogical."

However, if you think there is a competitive or revenue advantage, more power to you.

Owen
Re: Addressing plan exercise for our IPv6 course
On Jul 29, 2010, at 10:41 AM, Stephen Sprunk wrote:

> On 29 Jul 2010 12:19, Owen DeLong wrote:
>
>> On Jul 29, 2010, at 8:00 AM, Matthew Walster wrote:
>>
>>> On 29 July 2010 15:49, Owen DeLong o...@delong.com wrote:
>>>
>>>> If we give every household on the planet a /48 (approximately 3 billion /48s), we consume less than 1/8192 of 2000::/3.
>>>
>>> There are 65,536 /48s in a /32. It's not about how available 2000::/3 is, it's hassle to keep requesting additional PA space. Some ISPs literally have millions of customers.
>>
>> If you have millions of customers, why get a /32? Why not take that fact and ask for the right amount of space? 1,000,000 customers should easily qualify you for a /24 or thereabouts. If you have 8,000,000 customers, you should probably be asking for a /20 or thereabouts.
>
> ... and paying sixteen times as much in assignment and maintenance fees. See the problem there?

If you have millions of IPv4 customers, then, you're already paying that for your IPv4 space. Since you pay the greater of your IPv4 or IPv6 utilization, I think the larger you are, the less likely it is that you will be paying more for IPv6 than IPv4, even if you give your customers all /48s of IPv6 instead of /32s of IPv4.

>> It's not rocket science to ask for enough address space, and, if you have the number of customers to justify it based on a /48 per customer, the RIRs will happily allocate it to you.
>
> Yes. However, I don't think the RIRs are as willing to give out address space for _potential_ customers, e.g. if a telco or cableco wanted to assign a single block to each CO/head end to account for future growth. OTOH, you can get address space based on a /48 per actual customer, then actually assign a /64 per potential customer and have enough for massive growth.

I believe you can actually do this to a pretty large extent within policy. The tricky part comes when you need more space and haven't met the HD Ratio requirements across the board. I agree there's room for improvement in the policy here.

>> Why waste valuable people's time to conserve nearly valueless renewable resources?
>
> By creating artificial scarcity, one can increase profits per unit of nearly-valueless, renewable resources. See also: De Beers and the demonizing of artificial diamonds.

There are lots of opportunities to exploit people. I was limiting my comments to the layer 0-7 issues for the most part. I think optimizing the exploitation of customers is probably out of charter for this list.

Owen
Re: Web expert on his 'catastrophe' key for the internet
The story keeps growing out of proportion and in the wrong direction...

This one claims that six guys hold the keys to bring back porn:
http://indyposted.com/34983/six-guys-have-the-keys-to-the-internet/comment-page-1/#comment-15785

And ABC is talking about the brotherhood:
http://abcnews.go.com/Technology/brotherhood-internet-keys-chosen/story?id=11271450page=2

On the next ICANN meeting we should shave their heads and give them a monk outfit.

Is ICANN doing such a poor PR job that mainstream media are getting this non-event not quite right?

Sigh
Re: Addressing plan exercise for our IPv6 course
Owen DeLong wrote:

> If you want to build a business based on upsell and control by trying to convince users that they should give you extra money to provision a resource that costs you virtually nothing, then more power to you. However, I think this will, in the end, be as popular as american restaurants that charge for ice water.

Sorry, I need to dial back on the cynicism / sarcasm a bit, it doesn't travel so well through the tubes - that's a rant about the attitudes I encounter, not my views!

I *utterly* agree with you that trying to micro-manage the allocation size on a per-customer basis for high-volume residential / SOHO connections is a complete waste of resources. I equally believe that a number of ISPs operating in that market are going to try, not just one or two crazy outliers, based on the attitudes I touched on in my rant (which, again, *aren't* mine).

Coming from an IPv4 business model that goes:

Extra for a static IP
Extra for more than one IP
Extra for a contract that doesn't forbid incoming connections
Extra for non-generic reverse DNS
Extra for not blocking IPSec
Extra for...

I fully expect some ISPs to extend that into whatever parts of IPv6 they can measure and charge for.

> Is probably going to be at a significant competitive disadvantage vs. a model that says "You can have whatever address space you can justify. We'll start you with 65,536 networks which we believe is way more than enough for virtually any residential user. We don't charge you anything for address space. We think charging people for integers is illogical."

I really hope you're right. I'd love to see the Internet opened back up again, for everyone.

Regards,
Tim.
Re: Addressing plan exercise for our IPv6 course
Jeroen Massar wrote:

>> See my earlier comments on upsell and control. While you have some ISPs starting from the mentality that gives us "accepting incoming connections is a chargeable extra", they're also going to be convinced that there's a revenue opportunity in segmenting customers who want N of some resource from those who want 2N, 4N, ... That the resource in question is, for all practical purposes, both free and infinite (cue someone with a 'tragedy of the commons' analysis) does not factor - if they want more, they must pay more!
>
> Ever thought about this tiny thing called BANDWIDTH USAGE?
>
> [snip]
>
> Thus don't charge folks for the amount of IP addresses they have, that is not what you get charged for by your transit/peers either.

Apologies - again, my sarcasm doesn't travel well. I don't think selling IP addresses is a good idea - it's an idea I hit against and get annoyed by in the IPv4 world that I expect at least some ISPs to try and perpetuate into the IPv6 world.

Regards,
Tim.
Re: Web expert on his 'catastrophe' key for the internet
On 2010-07-28, at 18:24, andrew.wallace wrote:

> I think there is a social vulnerability in a group of people who need to travel, a lot of the time, by plane, to exactly the same location to make new keys to reset DNSSEC.

Let's try to forget this "reset DNSSEC" meme. This is a technical list. Let's concentrate on what we can describe accurately.

> What I think is, this is leaving them wide open to attack. If an attack was state-sponsored, it's likely they would be able to stop those selected people reaching the location in the United States by way of operational officers intercepting them by kidnap or murder, and indeed, a cyber attack without the need for human intervention to stop the select people getting to their destination could be done by knocking out the air traffic system. Which would hamper the resetting and creation of new keys for DNSSEC.

The crypto officers who have generously volunteered to travel to the key management facility where they were enrolled from time to time will carry with them safety deposit box keys. As part of the process, they will unlock the safety deposit boxes contained within one of the safes in the key management facility tier 5, and extract a tamper-evident bag containing smart cards. The smart cards, under supervision of the crypto officer, are used to carry out the HSM operations that are planned for execution during that ceremony.

In the event that insufficient crypto officers are able to attend (for whatever reason) ICANN retains the ability to drill the safety deposit boxes and extract the smart cards in order to preserve the security and stability of the DNS. ICANN would never do this unless the security and stability of the DNS was under threat, and would exercise this last-resort option with a great deal of public visibility. That full disclosure would unavoidably include details of people who were not able to attend.

By publicising the list of crypto officers ICANN aims to increase transparency in the normal process (no drills required). We have no reason to think that our last-resort options will ever be exercised, but we have planned for them nonetheless because this is an important system and all bases need to be covered.

All these details (and more) can be found in the DNSSEC Policy Statement (DPS) published at http://www.iana.org/dnssec/. I encourage anybody with the time and interest to dissect that document and challenge it wherever possible. Our aim is for maximum transparency and the greatest reason for the public to trust that the KSK is secure and worth trusting.

One observation from a non-crypto operations guy that was drawn into this project and has learnt a lot from having to implement the infrastructure designed by real crypto people: security is not always obvious. What seems like a flaw is often not, and what seems safe is often risky. There is a great deal to learn about security engineering, and what seems obvious is frequently not.

Joe
Re: Web expert on his 'catastrophe' key for the internet
> By publicising the list of crypto officers ICANN aims to increase transparency in the normal process (no drills required). We have no reason to think that our last-resort options will ever be exercised, but we have planned for them nonetheless because this is an important system and all bases need to be covered.

I thought that was the original idea, to have a system that is based on community trust. I believe that the DNSSEC deployment team did a very good job; perhaps the extra PR and hype from ICANN generated some confusion, but I don't think that it was the actual source of such a rainfall of misinformation.

I suggest that it should be seriously considered to revoke the role of RKSH from the person that used that role to obtain publicity and self promotion, and request the immediate return of all cryptographic material. This is not something to get the guy in a limo and parade him on the streets of his local town, or have now every one included on the public list interviewed by news outfits.

So much buzz around his role and comments about being part of the "circle of trust" or "brotherhood" or anything similar discredits the entire process.

My .02
Jorge
Re: 33-Bit Addressing via ONE bit or TWO bits ? does NANOG care?
On Sat, Jul 24, 2010 at 4:17 PM, William Pitcock neno...@systeminplace.net wrote:

> On Sat, 2010-07-24 at 15:50 -0400, Steven King wrote:
>
>> I am very curious to see how this would play with networks that wouldn't support such a technology. How would you ensure communication between a network that supported 33-Bit addressing and one that doesn't?
>
> 33-bit is a fucking retarded choice for any addressing scheme as it's neither byte nor nibble-aligned. In fact, the 33rd bit would ensure that an IPv4 header had to have 5 byte addresses.

33 bits is nearly as useful as my proposal to extend the life of IPv4 by simply using the unused addresses. What unused addresses do I speak of? Currently the highest IP address is 255.255.255.255. Well, why not use the addresses from 256 to 999? IP addresses could go all the way to 999.999.999.999 and still be 3 digits per octet. We wouldn't even have to modify much code. How many times have you seen a perl script that uses \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} as the regular expression for matching IP addresses? Tons of code assumes 3 digits per octet. None of that would have to change.

We can get a few more bits another way. Why not steal bits from the port number? We used to think we needed 64k different ports. However, now we really only need port 80. Instant Message tunnels over port 80, so does nearly every important new protocol. Why not just reclaim those bits and use them for addresses? Instant address extension!

Tom

:-) --- indicates humor or sarcasm (in case you weren't sure)

-- 
http://EverythingSysadmin.com -- my blog
http://www.TomOnTime.com -- my advice
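Tom's joke rests on a real input-validation defect: the `\d{1,3}` pattern he quotes checks the shape of a dotted quad, not the range of its octets, so an allowlist, log parser or ACL built on it accepts 999.999.999.999 and 256.1.1.1 as addresses. The added example below (not from the post) puts that regex beside a strict parser and shows what each accepts; the test strings are constructed, and two further gotchas of the regex as written in Python (`\d` matching non-ASCII digits, `$` matching before a trailing newline) are included because they bite the same code.

```python
"""Added example: the naive 'three digits per octet' regex from the
thread next to a strict IPv4 parser, so the difference in what each
accepts is visible.  All inputs below are constructed test strings."""
import re
from typing import Dict, List, Optional

# The pattern quoted in the thread.  It checks shape, not range.
NAIVE_IPV4 = re.compile(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$")


def matches_naive(text: str) -> bool:
    """What the regex-only check in a typical script decides."""
    return NAIVE_IPV4.match(text) is not None


def parse_ipv4_strict(text: str) -> Optional[List[int]]:
    """Return the four octets if `text` is exactly one dotted quad with
    each octet a plain ASCII decimal 0..255 (no leading zeros, no
    shorthand, no octal/hex forms, no surrounding whitespace); else None."""
    parts = text.split(".")
    if len(parts) != 4:
        return None
    octets: List[int] = []
    for part in parts:
        # isdigit() alone accepts non-ASCII digits (and int() parses them),
        # so insist on ASCII; this also rejects "", signs and whitespace.
        if not part.isdigit() or not part.isascii():
            return None
        if len(part) > 1 and part[0] == "0":
            return None        # "010" is octal to inet_aton(); refuse the ambiguity
        value = int(part)
        if value > 255:
            return None        # the 999.999.999.999 case
        octets.append(value)
    return octets


def classify(candidates: List[str]) -> Dict[str, Dict[str, bool]]:
    """Side-by-side verdicts, the shape of a quick audit of existing rules."""
    return {
        c: {"naive": matches_naive(c), "strict": parse_ipv4_strict(c) is not None}
        for c in candidates
    }


if __name__ == "__main__":
    samples = ["192.0.2.1", "999.999.999.999", "256.1.1.1", "010.0.0.1",
               "1.2.3.4\n", "127.1", "1.2.3.4.5"]       # constructed
    for text, verdict in classify(samples).items():
        print(repr(text), verdict)
```

The practical point for anyone with such a regex in an ACL or log pipeline: validate by parsing into octets and range-checking, and compare addresses in that parsed form, never as the raw string the regex happened to match.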
Re: Web expert on his 'catastrophe' key for the internet
On Thu, 29 Jul 2010 20:19:45 CDT, Jorge Amodio said: I suggest that it should be seriously considered to revoke the role of RKSH from the person that used that role to obtain publicity and self promotion, and request the immediate return of all cryptographic material. This is not something to get the guy on a limo and parade him on the streets of his local town or have now everyone included on the public list interviewed by news outfits.

Well, there's a bit of a problem - you have to make the list of key holders known, so that all and sundry can verify for themselves that ICANN (or any other single organization, for that matter) doesn't have all the marbles. A second point is that if you have 7 keyholders who are not well known, they're actually *easier* targets than if they're well known public figures. Think about that for a bit - who's easier to coerce without being detected, the guy who lives in the apartment downstairs from me, or somebody who's out in the open and identified as important? A pretty good article that puts a lot of the rest of it back into perspective: http://www.digitalsociety.org/2010/07/fantasy-role-playing-has-no-place-in-dnssec
Re: Web expert on his 'catastrophe' key for the internet
Hmmm, from the interview of the British guy, the smart card seems to be in the UK (he did a lapsus on it), which differs from what you describe. If all the smart cards are in the US in an individual safe deposit box in the same location, this raises the concern that there is only one place the smartcard can be stolen or destroyed. Also, is it part of the process that each smart card holder must routinely check that his smartcard is still there? I would have also thought that there would be redundancy in these smartcards, like you need 3 out of 5 to rebuild the key, or something like this. I should read the spec. Usually IETF people are well versed in security, so I believe the process to be quite sound.

- Original Message - From: Joe Abley jab...@hopcount.ca To: andrew.wallace andrew.wall...@rocketmail.com Cc: nanog@nanog.org Sent: Friday, 30 July, 2010 10:48:40 AM Subject: Re: Web expert on his 'catastrophe' key for the internet On 2010-07-28, at 18:24, andrew.wallace wrote: I think there is a social vulnerability in a group of people who need to travel, a lot of the time, by plane, to exactly the same location to make new keys to reset DNSSEC. Let's try to forget this reset DNSSEC meme. This is a technical list. Let's concentrate on what we can describe accurately. What I think is, this is leaving them wide open to attack. If an attack was state-sponsored, it's likely they would be able to stop those selected people reaching the location in the United States by way of operational officers intercepting them by kidnap or murder, and indeed, a cyber attack without the need for human intervention to stop the select people getting to their destination could be done by knocking out the air traffic system. Which would hamper the resetting and creation of new keys for DNSSEC. The crypto officers who have generously volunteered to travel to the key management facility where they were enrolled from time to time will carry with them safety deposit box keys.
As part of the process, they will unlock the safety deposit boxes contained within one of the safes in the key management facility tier 5, and extract a tamper-evident bag containing smart cards. The smart cards, under supervision of the crypto officer, are used to carry out the HSM operations that are planned for execution during that ceremony. In the event that insufficient crypto officers are able to attend (for whatever reason) ICANN retains the ability to drill the safety deposit boxes and extract the smart cards in order to preserve the security and stability of the DNS. ICANN would never do this unless the security and stability of the DNS was under threat, and would exercise this last-resort option with a great deal of public visibility. That full disclosure would unavoidably include details of people who were not able to attend. By publicising the list of crypto officers ICANN aims to increase transparency in the normal process (no drills required). We have no reason to think that our last-resort options will ever be exercised, but we have planned for them nonetheless because this is an important system and all bases need to be covered. All these details (and more) can be found in the DNSSEC Policy Statement (DPS) published at http://www.iana.org/dnssec/. I encourage anybody with the time and interest to dissect that document and challenge it wherever possible. Our aim is for maximum transparency and the greatest reason for the public to trust that the KSK is secure and worth trusting. One observation from a non-crypto operations guy that was drawn into this project and has learnt a lot from having to implement the infrastructure designed by real crypto people: security is not always obvious. What seems like a flaw is often not, and what seems safe is often risky. There is a great deal to learn about security engineering, and what seems obvious is frequently not. Joe
Re: 33-Bit Addressing via ONE bit or TWO bits ? does NANOG care?
What world do you live in? Yes, we extend the life of IPv4 by increasing the numeric range. As for only needing port 80, I'm not really sure where you've been for the last decade or so. There are hundreds of services using different ports, and tunneling them all makes absolutely no sense. Yes, we don't really need 65k ports, but stealing bits in the header from them is the most ridiculous thing I've heard yet. List of registered ports: http://www.iana.org/assignments/port-numbers Also take into account public access *nix servers, with people running their own services on whatever port they've taken or been assigned. How do you intend to implement a solution for that? Give public access servers the middle finger and keep on going?

On Thu, Jul 29, 2010 at 10:31 PM, Tom Limoncelli t...@whatexit.org wrote: On Sat, Jul 24, 2010 at 4:17 PM, William Pitcock neno...@systeminplace.net wrote: On Sat, 2010-07-24 at 15:50 -0400, Steven King wrote: I am very curious to see how this would play with networks that wouldn't support such a technology. How would you ensure communication between a network that supported 33-Bit addressing and one that doesn't? 33-bit is a fucking retarded choice for any addressing scheme as it's neither byte nor nibble-aligned. In fact, the 33rd bit would ensure that an IPv4 header had to have 5 byte addresses. 33 bits is nearly as useful as my proposal to extend the life of IPv4 by simply using the unused addresses. What unused addresses do I speak of? Currently the highest IP address is 255.255.255.255. Well, why not use the addresses from 256 to 999? IP addresses could go all the way to 999.999.999.999 and still be 3 digits per octet. We wouldn't even have to modify much code. How many times have you seen a perl script that uses \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} as the regular expression for matching IP addresses? Tons of code assumes 3 digits per octet. None of that would have to change.
We can get a few more bits another way. Why not steal bits from the port number? We used to think we needed 64k different ports. However, now we really only need port 80. Instant Message tunnels over port 80, so does nearly every important new protocol. Why not just reclaim those bits and use them for addresses? Instant address extension! Tom :-) --- indicates humor or sarcasm (in case you weren't sure) -- http://EverythingSysadmin.com -- my blog http://www.TomOnTime.com -- my advice -- Byron Grobe
Re: Web expert on his 'catastrophe' key for the internet
A pretty good article that puts a lot of the rest of it back into perspective: http://www.digitalsociety.org/2010/07/fantasy-role-playing-has-no-place-in-dnssec

Good article indeed. It is highly unlikely that we will ever need the service of the RKSH. I agree that a well-known public figure from the community could constitute a more difficult target, but as with anything in information security, everything is relative. What I find unacceptable is to take advantage of the community trust by using the RKSH role for personal self promotion and publicity. Regards Jorge
Re: Web expert on his 'catastrophe' key for the internet
On 07/29/10 20:23, Franck Martin wrote: I should read the spec Yes, preferably before commenting on it publicly ... Doug (... oops) -- Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/ Computers are useless. They can only give you answers. -- Pablo Picasso
Re: 33-Bit Addressing via ONE bit or TWO bits ? does NANOG care?
On Thu, 29 Jul 2010 23:45:03 EDT, Atticus said: What world do you live in? Yes, we extend the life of IPv4 by increasing the numeric range. As for only needing port 80, I'm not really sure where you've been for the last decade or so.

I hate to say this, but all of you who are actually thinking about stealing bits from IPv4 headers when IPv6 is already here: Look who started the ONE bit or TWO bits thread. YHBT. HAND. ;)
Re: Web expert on his 'catastrophe' key for the internet
On 07/29/10 20:09, valdis.kletni...@vt.edu wrote: On Thu, 29 Jul 2010 20:19:45 CDT, Jorge Amodio said: I suggest that it should be seriously considered to revoke the role of RKSH from the person that used that role to obtain publicity and self promotion, and request the immediate return of all cryptographic material. This is not something to get the guy on a limo and parade him on the streets of his local town or have now everyone included on the public list interviewed by news outfits. Well, there's a bit of a problem - you have to make the list of key holders known, so that all and sundry can verify for themselves that ICANN (or any other single organization, for that matter) doesn't have all the marbles. A second point is that if you have 7 keyholders who are not well known, they're actually *easier* targets than if they're well known public figures. Think about that for a bit - who's easier to coerce without being detected, the guy who lives in the apartment downstairs from me, or somebody who's out in the open and identified as important? A pretty good article that puts a lot of the rest of it back into perspective: http://www.digitalsociety.org/2010/07/fantasy-role-playing-has-no-place-in-dnssec

That article has numerous errors in it as well, and in some ways is even worse because the guy is claiming to be a security expert who actually understands how it all works. Doug -- Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/ Computers are useless. They can only give you answers. -- Pablo Picasso
Re: 33-Bit Addressing via ONE bit or TWO bits ? does NANOG care?
I (unfortunately) cannot get native IPv6 from my ISP at this time, but do have several tunnels set up using Hurricane Electric's excellent tunnel brokerage service. All my local systems are dual-stack; my public access server has a routed /48 that I use to broker my own tunnels for devices (like my Motorola Droid cell phone). IPv6 is the future, and it is coming. As Valdis said, why try to extend the life of an effectively dead technology, and an inferior one at that? With IPSec compliance integrated into the protocol itself, and the hundreds of other benefits, why try to morph an old technology? In with the new, out with the old. IPv4 is very soon to be a completely dead beast, and we'll be all the better for it. This is the age of the internet, everything is interconnected. There is no possible way for v4 to keep up with the growth of this era.

On Thu, Jul 29, 2010 at 11:55 PM, valdis.kletni...@vt.edu wrote: On Thu, 29 Jul 2010 23:45:03 EDT, Atticus said: What world do you live in? Yes, we extend the life of IPv4 by increasing the numeric range. As for only needing port 80, I'm not really sure where you've been for the last decade or so. I hate to say this, but all of you who are actually thinking about stealing bits from IPv4 headers when IPv6 is already here: Look who started the ONE bit or TWO bits thread. YHBT. HAND. ;) -- Byron Grobe
Re: 33-Bit Addressing via ONE bit or TWO bits ? does NANOG care?
On Fri, 30 Jul 2010 00:14:46 EDT, Atticus said: technology, and an inferior one at that. With IPSec compliance integrated into the protocol itself, and the hundreds of other benefits, why try to morph an old technology?

You *do* realize that IPv6 IPSec is the *exact same stuff* that's in IPv4, the only difference is that a compliant IPv6 stack has to include it, as opposed to the optional-but-all-major-OS-do-it status in IPv4, right? Does anybody know of *any* products that support dual-stack and include the IPv6 IPSec stuff but left the IPv4 IPSec stuff out? I've never actually seen one...
Re: Web expert on his 'catastrophe' key for the internet
- Original Message - From: Doug Barton do...@dougbarton.us To: Franck Martin fra...@genius.com Cc: Joe Abley jab...@hopcount.ca, nanog@nanog.org Sent: Friday, 30 July, 2010 3:49:04 PM Subject: Re: Web expert on his 'catastrophe' key for the internet On 07/29/10 20:23, Franck Martin wrote: I should read the spec Yes, preferably before commenting on it publicly ... Do I look like someone that reads manuals? ;)
Re: Web expert on his 'catastrophe' key for the internet
On Thu, Jul 29, 2010 at 10:23 PM, Franck Martin fra...@genius.com wrote: Hmmm, from the interview of the British guy, the smart card seems to be in the UK (he did a lapsus on it), which differs from what you describe.

You gotta read up on the whole ceremony and their statement of practices: https://www.iana.org/dnssec/icann-dps.txt ... Crypto Officers are different from Recovery Key Share Holders. Crypto officers hold a key to a safe deposit box in the safe room (Safe 2, Tier 5), containing the operator cards. Each vault contains a tamper-evident bag (TEB) with a smart card required to authenticate with the HSM to perform crypto operations. Those cards don't leave the facility. The operator cards are only authentication tokens; the key is stored on the hardware security modules. Hardware security modules, and the laptop+DVD+USB flash stick required to operate them, are stored in tamper-evident bags in Safe 1. There are 7 crypto officers per site, but only 3 are required to authenticate to the HSM to enable it to perform operations. The recovery key share holders have a key to a bank safety deposit box under _their own_ control, containing a smartcard in a tamper-evident bag, holding part of the HSM's internal encryption key. Each RKSH has to provide and maintain records of where they are storing their smartcard. 7 RKSH per site, but only 5 are required for recovery operations. -- -J
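To show why "7 share holders, 5 required" is more than a head count, here is an added example (not from the thread or from ICANN's DPS) of a 5-of-7 threshold split: any five shares rebuild the secret, any four learn nothing useful. Shamir's scheme over a prime field and the placeholder key are assumptions for illustration; the DPS specifies the actual HSM mechanism.

```python
import secrets

# Field for the arithmetic; must exceed the secret. 2**127 - 1 is prime.
PRIME = 2**127 - 1


def split_secret(secret, threshold, shares):
    """Split `secret` into `shares` points on a random polynomial of
    degree threshold-1 whose constant term is the secret. Any `threshold`
    points determine the polynomial; fewer leave every value possible."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must lie in the field")
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):  # share index 0 would leak the secret
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        points.append((x, y))
    return points


def recover_secret(points):
    """Lagrange interpolation at x = 0 over the field. With fewer than
    `threshold` points this still returns a value, just the wrong one."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def demo():
    """5-of-7 split of a constructed placeholder key (not a real HSM key).
    Returns (quorum_recovers, four_shares_recover)."""
    key = int.from_bytes(b"placeholder-key", "big")  # constructed value
    shares = split_secret(key, 5, 7)
    quorum = [shares[i] for i in (0, 2, 3, 5, 6)]  # any five holders
    short = shares[:4]                             # one holder short
    return recover_secret(quorum) == key, recover_secret(short) == key


if __name__ == "__main__":
    print(demo())  # (True, False)
```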
Re: Web expert on his 'catastrophe' key for the internet
On Fri, 30 Jul 2010, Joe Abley wrote: One observation from a non-crypto operations guy that was drawn into this project and has learnt a lot from having to implement the infrastructure designed by real crypto people: security is not always obvious. What seems like a flaw is often not, and what seems safe is often risky. There is a great deal to learn about security engineering, and what seems obvious is frequently not. Trust is also based on perception, whether justified or not. The participants in the community wanted this kind of key ceremony and many ceremonial key holders for a variety of reasons. If the community changes its mind in the future, and wants a different kind of key ceremony and ceremonial key holders, then submit comments and propose changes. Whether Recovery Key Share Holders serve any useful role after the HSMs are initialized is one of those questions that lots of beer may help.