Re: The Reg does 240/4

2024-02-16 Thread Christian de Larrinaga via NANOG
inline

Christopher Hawker  writes:

> Hi Christian,
>
> The idea to this is to allow new networks to emerge onto the internet, 
> without potentially having to fork out
> substantial amounts of money.

That would then be using IPv6 with IPv4 transition translation etc at the
ingress/egress to your new shiny ISP. 

>
> I am of the view that networks large enough to require more than a /8 v4 for
> a private network, would be in the position to move towards IPv6-only. Meta
> has already achieved this
> (https://engineering.fb.com/2017/01/17/production-engineering/legacy-support-on-ipv6-only-infra/)
> by rolling out dual-stack on their existing nodes and enabling new nodes as
> IPv6-only.

Any network of any size can justify using IPv6.

You will though face some old telco monopolistic / Tier 1 incumbencies
who find their benefit in networking is to be as anti social to fellow
networks as their lack of imagination on the value of connectivity can
facilitate and regret they can't charge time and distance but very happy
to charge on ingress and egress. 

> I cannot think of a bigger waste of resources that have the possibility of
> being publicly used, than to allocate an additional 16 x /8 to RFC1918
> space.
>

I expect it would take many years for 240/4 to have universal
routing as a public resource. That may be the first challenge to get it
through IETF.

The other challenge is that the block is currently marked experimental
and really, if you want to make a plan to use all or part of that
block, then that should be for experimental purposes.

Just saying it is now public isn't really an innovation. 

Also once reallocated it's lost to future experimental uses.

> The same argument could be had about using larger than a /8 for private 
> networking. Why not use IPv6?
>

well now you are speaking hexadecimal! 

> Regards,
> Christopher Hawker


best

Christian 
> -
> From: Christian de Larrinaga 
> Sent: Wednesday, February 14, 2024 11:51 PM
> To: Christopher Hawker 
> Cc: Denis Fondras ; nanog@nanog.org 
> Subject: Re: The Reg does 240/4 
>  
> excuse top posting -
>
> I don't see a case for shifting 240/4 into public IP space if it is just
> going to sustain the rentier sinecures of the existing IPv4
> incumbencies. In other words if RIRs don't use it to boost new entrants it
> will just add another knot to the stranglehold we are in vis IPv4. 
>
> I can see a potential case for shifting it from experimental to private
> space given the fact that "the rest of us" without public IP space and
> natted behind CGNATs have taken to use IPv4 for wireguard, containers,
> zero configs and so on, to tie our various locations, services and
> applications together within our own private distributed nets and expose
> our services for public consumption over IPv6.
>
> C
>
> Christian de Larrinaga
>
> Christian Christopher Hawker  writes
>
>> Hi Denis,
>>
>> It will only be burned through if RIR communities change policies to allow 
>> for larger delegations than what is
>> currently in place. I believe that some level of change is possible whilst 
>> limiting the exhaustion rate, e.g. allowing
>> for delegations up to a maximum holding of a /22, however we shouldn't go 
>> crazy (for want of a better phrase)
>> and allow for delegations of a /20, /19 etc.
>>
>> If this was only going to give us a potential 1-3 years' worth of space,
>> then I would agree in saying that it is a waste of time, would take far too
>> long to make the space usable and wouldn't be worth it. However, as long as
>> we don't get greedy, change the maximum allowed delegation to large
>> delegations, and every Tom/Dick/Harry applying for a /16 allocation then
>> 240/4 will last us a lengthy amount of time, at least a few decades.
>>
>> Regards,
>> Christopher Hawker
>> -
>> From: NANOG  on behalf of 
>> Denis Fondras via NANOG
>> 
>> Sent: Wednesday, February 14, 2024 11:10 PM
>> To: nanog@nanog.org 
>> Subject: Re: The Reg does 240/4 
>>  
>> On Tue, Feb 13, 2024 at 03:24:21PM -0800, David Conrad wrote:
>>> This doesn’t seem all that positive to me, particularly because it’s 
>>> temporary
>>> since the underlying problem (limited resource, unlimited demand) cannot be
>>> addressed.
>>> 
>>
>> I agree with this.
>> Yet I am in favor of changing the status of 240/4, just so it can get burned
>> fast, we stop this endless discussion and can start to deploy IPv6 again.
>>
>> Denis


-- 
Christian de Larrinaga 


Re: The Reg does 240/4

2024-02-15 Thread Christian de Larrinaga via NANOG
excuse top posting -

I don't see a case for shifting 240/4 into public IP space if it is just
going to sustain the rentier sinecures of the existing IPv4
incumbencies. In other words if RIRs don't use it to boost new entrants it
will just add another knot to the stranglehold we are in vis IPv4. 

I can see a potential case for shifting it from experimental to private
space given the fact that "the rest of us" without public IP space and
natted behind CGNATs have taken to use IPv4 for wireguard, containers,
zero configs and so on, to tie our various locations, services and
applications together within our own private distributed nets and expose
our services for public consumption over IPv6.


C

Christian de Larrinaga


Christian Christopher Hawker  writes

> Hi Denis,
>
> It will only be burned through if RIR communities change policies to allow 
> for larger delegations than what is
> currently in place. I believe that some level of change is possible whilst 
> limiting the exhaustion rate, e.g. allowing
> for delegations up to a maximum holding of a /22, however we shouldn't go 
> crazy (for want of a better phrase)
> and allow for delegations of a /20, /19 etc.
>
> If this was only going to give us a potential 1-3 years' worth of space, then 
> I would agree in saying that it is a waste
> of time, would take far too long to make the space usable and wouldn't be 
> worth it. However, as long as we don't
> get greedy, change the maximum allowed delegation to large delegations, and 
> every Tom/Dick/Harry applying
> for a /16 allocation then 240/4 will last us a lengthy amount of time, at 
> least a few decades.
>
> Regards,
> Christopher Hawker
> -
> From: NANOG  on behalf of Denis 
> Fondras via NANOG
> 
> Sent: Wednesday, February 14, 2024 11:10 PM
> To: nanog@nanog.org 
> Subject: Re: The Reg does 240/4 
>  
> On Tue, Feb 13, 2024 at 03:24:21PM -0800, David Conrad wrote:
>> This doesn’t seem all that positive to me, particularly because it’s 
>> temporary
>> since the underlying problem (limited resource, unlimited demand) cannot be
>> addressed.
>> 
>
> I agree with this.
> Yet I am in favor of changing the status of 240/4, just so it can get burned
> fast, we stop this endless discussion and can start to deploy IPv6 again.
>
> Denis


-- 
Christian de Larrinaga 


Re: Let's Focus on Moving Forward Re: V6 still not supported

2022-04-02 Thread christian de larrinaga via NANOG


Your take on English history is a delightful fantasy but it is
just that a delightful fantasy. Norman barons were not typically
concerned with the health of their anglo saxon/british serfs / yeomen
other than providing the required tithes.

But taking you at what seems to be your intention. Speaking as a digital 
peasant I am not assured that my interests are protected
from anybody by being told I have no direct access to people I want to
communicate with but have to go through a third party. Any addressing
model that  terminates address space between me and someone I
communicate with also terminates my communications and security and by
so doing introduces a number of uncertainties potentially rather
arbitrary to what would otherwise be under my direct policy domain.

C


"Abraham Y. Chen"  writes:

> Hi, Christian:
>
> 0)    Allow me following your "towers of babel world" metaphor to tell
> a short story.
>
> 1)    In the ancient days, peasants labored under the shadow of the
> Tower, following the rules of and paid tax to the Lord living in the
> Tower. In return, they expected protection from the Lord against
> harms. (Sometime ago, I read an archaeological article reporting
> certain evidence that the Lord somewhere in England during medieval
> time might have been expected to protect his peasants from any harm,
> including even paid his life for famine.)
>
> 2)    In the modern world, the peasants still live around the Tower
> following the rules, paying taxes and expecting protection from the
> Lord, now represented by the government agencies such as local police,
> FCC, FTC, DoD, DHS, etc.
>
> 3)    In the Internet era, the peasants roam everywhere around the
> cyberspace freely enjoying the Internet way. However, their wealth is
> now being siphoned out to the invisible Lords (the multi-national
> businesses with virtual presence in each and every Tower). However,
> little can be expected in return when perpetrators attack, because no
> Lord assumes the responsibility, nor any can be held responsible.
>
> 4)    EzIP proposes an overlay cyberspace with geographic flavor to
> restore the society infrastructure back to Pt. 2) above, while
> providing the daily services of Pt. 3). It essentially offers a
> parallel Internet for the peasants who can again expect protection
> from their local government who collects taxes, while without losing
> the benefits of the digital revolution.
>
> 5)    The two cyberspaces are expected to coexist and non-interfering
> to each other. Peasants have the freedom of choice by living in either
> or try both then decide.
>
> The above is just a quick rough thought, far from polished. It is
> intended to be a preliminary framework so that we can hang some meat
> on it for starting meaningful discussions.
>
> Regards,
>
>
> Abe (2022-04-01 14:17)
>
>
>
>
>
>
> On 2022-03-27 11:03, Christian de Larrinaga wrote:
>>
>>
>> On 27 March 2022 15:53:25 Brandon Butterworth 
>> wrote:
>>
>>> On Sun Mar 27, 2022 at 12:31:48AM -0400, Abraham Y. Chen wrote:
>>>> EzIP proposes to deploy 240/4 address based RANs, each tethering off
>>>> the current Internet via one IPv4 public address.
>>>
>>> So each RAN has no possibility of redundant connections? Nobody
>>> of scale would accept such a limitation. It also looks like an
>>> opportunity for telcos/governments to partition their part
>>> of the internet and impose whatever censorship they wish.
>>>
>>>> As such, the collection of RANs forms an overlay network
>>>> layer wrapping around the current Internet core. Consequently, only the
>>>> SPRs in the RAN need to be able to transport 240/4 addressed packets.
>>>
>>> You previously described this as like connecting CG-NATs together via a
>>> VPN. I don't see why we'd want to add maintaining a global VPN to
>>> already difficult peering relationships. It could be used to exclude non
>>> EzIP club members.
>>>
>>>> This is why we talk about enabling new (but based on existing design)
>>>> routers to use 240/4 netblock for serving as SPRs, but not perturbing
>>>> any routers in the current Internet.
>>>
>>> As it's a CG-NAT variant why are you delaying yourself by requiring
>>> new address space that will take a long time to become available? Why
>>> not use the already allocated space for CG-NAT? Sure it's only a /10
>>> but that's an already (probably too) large RAN.
>>>
>>> It also seems unfeasibly optimistic that if the work was done globally
>>> to make 240/4 useable that they'd want to dedicate it to the as yet
>>> undeployed EzIP. You might stand more chance if you gained some
>>> critical mass using the existing available 100.64/10 & rfc1918 space,
>>> and then those that find they need more in one RAN will make the case
>>> for 240/4 when it becomes necessary for them. Is 240/4 special to
>>> EzIP such that alternative numbers may not be used?
>>>
>>>> I would like to share one intriguing graphics (see URL below) that
>>>> is almost perfect for depicting the EzIP

Re: Let's Focus on Moving Forward Re: V6 still not supported

2022-03-27 Thread Christian de Larrinaga via NANOG



On 27 March 2022 15:53:25 Brandon Butterworth  wrote:


On Sun Mar 27, 2022 at 12:31:48AM -0400, Abraham Y. Chen wrote:

EzIP proposes to deploy 240/4
address based RANs, each tethering off the current Internet via one IPv4
public address.


So each RAN has no possibility of redundant connections? Nobody
of scale would accept such a limitation. It also looks like an
opportunity for telcos/governments to partition their part
of the internet and impose whatever censorship they wish.


As such, the collection of RANs forms an overlay network
layer wrapping around the current Internet core. Consequently, only the
SPRs in the RAN need to be able to transport 240/4 addressed packets.


You previously described this as like connecting CG-NATs together via a
VPN. I don't see why we'd want to add maintaining a global VPN to
already difficult peering relationships. It could be used to exclude non
EzIP club members.


This is why we talk about enabling new (but based on existing design)
routers to use 240/4 netblock for serving as SPRs, but not perturbing
any routers in the current Internet.


As it's a CG-NAT variant why are you delaying yourself by requiring
new address space that will take a long time to become available? Why
not use the already allocated space for CG-NAT? Sure it's only a /10
but that's an already (probably too) large RAN.

It also seems unfeasibly optimistic that if the work was done globally
to make 240/4 useable that they'd want to dedicate it to the as yet
undeployed EzIP. You might stand more chance if you gained some
critical mass using the existing available 100.64/10 & rfc1918 space,
and then those that find they need more in one RAN will make the case
for 240/4 when it becomes necessary for them. Is 240/4 special to
EzIP such that alternative numbers may not be used?


I would like to share one intriguing graphics (see URL below) that
is almost perfect for depicting the EzIP deployment configuration.
Consider the blue sphere as the earth or the current Internet core and
the golden colored land as the RANs. By connecting each continent,
country or all the way down to a Region to the earth via one IPv4
address, we have the EzIP configuration. With this architecture, each
RAN looks like a private network.


That sounds an entirely undesirable goal for the internet.

brandon


It isn't the Internet. It's at best a very poorly connected spur gateway.

Too many today don't remember the towers of Babel world prior to the 
Internet. If they did they'd understand that building on this type of idea 
is like burying yourself and any customers so unwise to get involved.


C



Re: VPN recommendations?

2022-02-12 Thread Christian de Larrinaga via NANOG



Intriguing. This week I started to look around for new wireguard 
implementation tools and appliances. I've used openvpn and ipsec 
in the main although last month put together a 10x and IPv6 
wireguard net in my home and out to two vps hosts which is 
handy. For my own use this is ok -ish, but I am not so sure about 
keeping track of the configs, managing users and adding configs as 
a network grows. In other words I want help when scaling wg and 
handling change particularly if I am managing nets for other 
projects or delegating. 

Tailscale, ZeroTier and some others are doing a great job I feel 
and no doubt have a handle on that. I've not tried them as yet. 

Because I do like to have options that are not mediated I have 
kept looking as much for my own curiosity and education as for 
deploying a service in anger. But having a toolset that can 
support the latter capability has to be the aim to work towards.


I've found a few potentially interesting more recent projects and 
am intending to start to test deploy some of these in sequence to 
see how I get on. I think I'll start with
https://github.com/gravitl/netmaker Please note I've only reviewed 
the documentation. I've not yet played with it.  

This seems to  offer at an early stage in its development a 
webappliance (optionally) with CoreDNS if you want  naming support 
and IPv6 and at least some client management features. It claims 
to be fast but that can be tested. It also is deployable as a 
docker/kubernetes k8 which is intriguing when deploying and 
managing containers between multiple hosts across data centres. 
It uses a mongodb licence which may or may not be a problem.


If one plays with IPSEC then I guess one could run wg through 
IPSEC but is there any point unless you already have an IPSEC 
branch and don't want to take it down whilst adding wg for a new 
class of devices/userbase?   

I'd be interested in sharing experiences and advice (offlist) and 
delighted to learn from  wireguard and vpn's clueful folk. 

thank you for an interesting discussion. 



Christian

William Herrin  writes:

On Fri, Feb 11, 2022 at 10:35 AM Dan Sneddon wrote:
1) IPSEC does not lend itself to dynamic routing or dynamic
configuration. It is very much a static set-it-and-forget-it
technology, but that doesn’t work in a dynamically changing
environment.


Hi Dan,

Depending on how you configure it, IPSEC can work fine with dynamic
routing. The thing to understand is that IPSec has two modes:
transport and tunnel. Transport is between exactly two IP addresses
while tunnel expects a broader network to exist on at least one end.
"Tunnel" mode is what everyone actually uses but you can deconstruct
it: it's built up from transport mode + a tunnel protocol (gre or ipip
I don't remember which) + implicit routing and firewalling which
wreaks havoc on dynamic routing. Now, it turns out that you can
instead configure IPSec in transport mode, configure the tunnel
separately and leave out the implicit firewalling.

This may not apply to William Herrin’s (OP) use case of a VPN
appliance


It's not relevant to my situation, no. I need the VPN to establish a
statically addressed clean layer 3 on top of dynamically addressed and
natted endpoints to support the next appliance in the chain where
dynamic addressing is not possible. I don't actually care if it adds
security; it just needs to establish that statically addressed layer.
Oh yeah, and it has to be listed under "virtual private network" on
the government NIAP list.
https://www.niap-ccevs.org/product/PCL.cfm?ID624=34

Regards,
Bill Herrin



--
Christian de Larrinaga 
https://firsthand.net


Re: New minimum speed for US broadband connections

2021-05-31 Thread Christian de Larrinaga via NANOG
Nobody needs more than 64k of RAM. 

On Sun 30 May 2021 at 14:28, Mike Hammett wrote:

That doesn't really serve any value and 99.99% of people would not pay
any more than $50 for the ability, so your ability to execute such a
system is limited.



-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com

━━━
From: "Lady Benjamin Cannon of Glencoe" 
To: "Laura Smith" 
Cc: "NANOG Operators' Group" 
Sent: Saturday, May 29, 2021 4:43:50 PM
Subject: Re: New minimum speed for US broadband connections

I’m right there with you.  I can download an entire Mac OS update in
6 minutes. It’s astonishing.  I’d pay a grand a month for this.  I’d
pay five.


-LB

Ms. Lady Benjamin PD Cannon of Glencoe, ASCE
6x7 Networks & 6x7 Telecom, LLC 
CEO 
b...@6by7.net
"The only fully end-to-end encrypted global telecommunications company
in the world."
ANNOUNCING: 6x7 GLOBAL MARITIME

FCC License KJ6FJJ




On May 29, 2021, at 1:57 AM, Laura Smith via NANOG wrote:


I agree with Dan.

In Switzerland you can get 10Gb symmetric to the home for 49.95 per
month (or 39.95 if you have a mobile with the same ISP) .

As with Dan, average utilisation is measured in Mb.

But then the ability to go from that to download 10GB of the latest
patches from Microsoft or Apple, or the ability to upload large files
for off-site backups or for friends/customers  I don't know what I'd
do without it !

And of course, the days of the buffering wheel of death when streaming
4K TV is long gone ...  I can have multiple people in multiple rooms
in my house streaming 4K and nobody notices.

I would never, ever, go back to DSL.  Even if they hiked the price 5x,
I'd still pay it.

Coming back to the original question on this thread, my answer would
be the minimum for 2021 should be 1/1.  Anything less than that is a
bit silly and will soon be obsolete.

‐‐‐ Original Message ‐‐‐
On Saturday, 29 May 2021 04:50, Dan Stralka wrote:


But it is reality, it's just not your reality, Mike. Brandon's ISP can
provide that service.

So should there be a more granular definition of speeds mandated based
on population density, last mile tech, etc?

I was in the camp that you didn't need higher bandwidth than you'd
normally find - I was happy on my 50/10 plan. Then my ISP upgraded me
to a 300/50 or thereabouts and it was a night and day difference in
getting things done.

Just like your example of average utilization being in the single
megabits per second, my average utilization is near zero. But when I
need to move files I can burst to speeds that aren't embarrassing in
2021.

Higher bandwidth is both welcome and necessary. It doesn't have to be
sustained throughout the contract to be required. The only question is
how feasible it is, and I suspect it's quite feasible for larger
players.


Dan

(end)

On Fri, May 28, 2021, 22:33 Mike Hammett wrote:



That's not based in any kind of reality.

-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com

From: "Brandon Price"
To: "Sean Donelan", "NANOG Operators' Group"
Sent: Friday, May 28, 2021 5:21:53 PM
Subject: RE: New minimum speed for US broadband connections


100/100 minimum for sure.

In our small neck of the woods, we are currently doing 250/250 for $45
and 1000/1000 for $60 no data caps.

We have lost some grants on rural builds because "someone" in the
census block claims they provide broadband.. Not hard to put an AP up
on a tower and hit the current definition's upload speed.


I get a chuckle when the providers tell the customer what they
"need"...


Brandon Price
Senior Network Engineer
City of Sherwood, Sherwood Broadband

-Original Message-
From: NANOG On Behalf Of Sean Donelan
Sent: Thursday, May 27, 2021 5:33 PM
To: NANOG Operators' Group
Subject: Re: New minimum speed for US broadband connections



Re: DoD IP Space

2021-04-25 Thread Christian de Larrinaga via NANOG

Is the DoD still the owner?

On Sun 25 Apr 2021 at 10:24, Bill Woodcock  wrote:


On Apr 25, 2021, at 9:40 AM, Mel Beckman wrote:

It’s a direct militarization of a civilian utility.


I think I’d characterize it, rather, as a possible privatization 
of public property.


If someone builds a house in the middle of a public park, it’s 
not _what they’re doing in the house_ that concerns me.


-Bill



--
Christian de Larrinaga 
https://firsthand.net