Re: IPv6 uptake (was: The Reg does 240/4)

[William Herrin]

On Mon, Feb 19, 2024 at 6:02 AM Howard, Lee
 wrote:
> Most NATs I've seen in the last 10-15 years are "full cone" NATs: they are 
> configured so that once there is an
> outbound flow, and inbound datagram to that address+port will be forwarded to 
> the inside address, regardless
> of source.

Hi Lee,

Yes, they do that to help with NAT traversal. This allows two hosts
behind separate NATs to establish direct communication with the help
of an external server in the establishment phase. The flip side is
that your internal hosts are limited to 65k established connections
between them or the firewall exhausts its available ports. Without
full cone, the number of translations that NAT can do is bounded only
by its available RAM.


> NAPT just increases the size of the space to scan: just dump your crafted 
> packets to every address
> + every port at your target.

Not quite. Full cone slightly reduces NAT's positive security impact.
But only slightly. An external source can poke at an internal host on
the specific port where the internal host has established an outbound
connection, but it can't poke the internal host on any other ports
where services might actually be running and waiting for connections.


> FWIW, the other enterprise IT security hole I often see: if your VPN is 
> IPv6-unaware, but your users have IPv6
> at home (like most in the U.S.), your VPN is now split-tunnel, regardless of 
> policy. You may think all your
> packets are going through the VPN to be inspected by the corporate firewall, 
> but any web site with IPv6
> (about half) will use the local residential route, not the VPN.

Yep. Folks who built their security for remote users around the idea
of preventing split-tunnels have done the job so very wrong. Another
fun thing you can do in Linux is run the VPN software inside a network
namespace. The VPN happily takes over the namespace and any software
you run inside the namespace, but the rest of the host remains on the
public Internet. You can also run the VPN in a VM that shares mounts
and clipboard with the host.

Regards,
Bill Herrin




>
> Lee
>


-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/

Re: IPv6 uptake (was: The Reg does 240/4)

[William Herrin]

On Mon, Feb 19, 2024 at 5:29 AM Howard, Lee via NANOG  wrote:
> In the U.S., the largest operators without IPv6 are (in order by size):
> Lumen (CenturyLink)

CenturyLink has IPv6 using 6rd. It works fine.

Regards,
Bill Herrin


-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/

RE: IPv6 uptake (was: The Reg does 240/4)

[Howard, Lee via NANOG]

Bottom-posted with old school formatting by hand.

-Original Message-
From: NANOG  On Behalf 
Of William Herrin
Sent: Friday, February 16, 2024 8:05 PM
To: Michael Thomas 
Cc: nanog@nanog.org
Subject: Re: IPv6 uptake (was: The Reg does 240/4)

> On the firewall, I program it to do NAT translation from
> 192.168.55.0/24 to 199.33.225.1 when sending packets outbound, which also has 
> the effect of disallowing 
> inbound packets to 192.168.55.0/24 which are not part of an established 
> connection.
> 
> Someone tries to telnet to 192.168.55.4. What happens? The packet never even 
> reaches my firewall because 
> that IP address doesn't go anywhere on the Internet.

Most NATs I've seen in the last 10-15 years are "full cone" NATs: they are 
configured so that once there is an 
outbound flow, and inbound datagram to that address+port will be forwarded to 
the inside address, regardless
of source.

Most devices now have a more or less constant flow of heartbeats or updates to 
somewhere on the Internet.
In practice, NAPT just increases the size of the space to scan: just dump your 
crafted packets to every address
+ every port at your target.

If that increased scanning target is your security, you're better off with the 
increased target of IPv6.

IT administrators don't usually know what kind of NAT they have deployed.

FWIW, the other enterprise IT security hole I often see: if your VPN is 
IPv6-unaware, but your users have IPv6
at home (like most in the U.S.), your VPN is now split-tunnel, regardless of 
policy. You may think all your
packets are going through the VPN to be inspected by the corporate firewall, 
but any web site with IPv6
(about half) will use the local residential route, not the VPN.

Lee

RE: IPv6 uptake (was: The Reg does 240/4)

[Howard, Lee via NANOG]

If you ever want to know which providers in a country are lagging, Geoff Huston 
is here to help:

https://stats.labs.apnic.net/ipv6/US

In the U.S., the largest operators without IPv6 are (in order by size):
Verizon FiOS (they deployed to 50%, discovered a bug, and rolled back)
Frontier
Lumen (CenturyLink)
CableVision
CableOne
Suddenlink
Windstream
US Cellular
Brightspeed

Comcast, Charter, and Cox each have fully deployed IPv6, along with AT and 
all of the mobile carriers.

Lee

-Original Message-
From: NANOG  On Behalf 
Of Michael Thomas
Sent: Sunday, February 18, 2024 3:29 PM
To: nanog@nanog.org
Subject: Re: IPv6 uptake (was: The Reg does 240/4)

[You don't often get email from m...@mtcc.com. Learn why this is important at 
https://aka.ms/LearnAboutSenderIdentification ]

This message is from an EXTERNAL SENDER - be CAUTIOUS, particularly with links 
and attachments.



On 2/18/24 8:47 AM, Greg Skinner via NANOG wrote:
> On Feb 17, 2024, at 11:27 AM, William Herrin  wrote:
>> On Sat, Feb 17, 2024 at 10:34?AM Michael Thomas  wrote:
>>
>>> Funny, I don't recall Bellovin and Cheswick's Firewall book 
>>> discussing NAT.
>> And mine too, since I hadn't heard of "Firewalls and Internet
>> Security: Repelling the Wily Hacker" and have not read it.
> For what it's worth, both editions of Bellovin and Cheswick's 
> Firewalls book are online. [1]  Also, there are discussions about NAT 
> and how it influenced IPng (eventually IPv6) on the big-internet list. 
> [2]

FWIW, while at Cisco I started to get wind of some NAT-like proposal being 
floated by 3COM at Packetcable back in the late 90's, early 2000's (sorry, I 
have no memory of the specifics now). That was pretty horrifying to me and 
others as the implication was that we'd have to implement it in our routers, 
which I'm sure 3COM viewed as a feature, not a bug. We pushed back that 
implementing IPv6 was a far better option if it came down to that. That sent me 
and Steve Deering off on an adventure to figure out how we might actually make 
good on that alternative in the various service provider BU's. Unsurprisingly 
the BU's were not very receptive not just because of the problems with v6 vs 
hardware forwarding, but mostly because providers weren't asking for it.
They weren't asking for CGNAT like things either though so it was mostly the 
status quo. IOS on the other hand was taking IPv6 much more seriously so that 
providers could at least deploy it in the small for testing, pilots, etc even 
if it was a patchwork in the various platforms.

The problem with v6 uptake has always been on the provider side. BU's wouldn't 
have wanted to respin silicon but if providers were asking for it and it gave 
them a competitive advantage, they'd have done it in a heartbeat. It's 
heartening to hear that a lot of big providers and orgs are using IPv6 
internally to simplify management along with LTE's use of v6. I don't know 
what's happening in MSO land these days, but it would be good to hear if they 
too are pushing a LTE-like solution. I do know that Cablelabs pretty early on 
-- around the time I mentioned above -- has been pushing for v6. Maybe Jason 
Livingood can clue us in. Getting cable operators onboard too would certainly 
be a good thing, though LTE doesn't have to deal with things like brain dead 
v4-only wireless routers on their network.

Mike

Re: IPv6 uptake (was: The Reg does 240/4)

[Matthew Walster via NANOG]

On Sun, 18 Feb 2024, 05:29 Owen DeLong via NANOG,  wrote:

> Most firewalls are default deny. Routers are default allow unless you put
> a filter on the interface.
>

This is not relevant though. NAT when doing port overloading, as is the
case for most CPE, is not default-deny or default-allow. The OS processes
the packet just like normal and sends an ICMP back unless there is another
firewall that says drop. NAPT adds temporary rewrite rules for each flow
that goes outbound.

NAT adds nothing to security (Bill and I agree to disagree on this), but at
> best, it complicates the audit trail.
>

It absolutely does add something. Whether that something is valuable or not
depends on your vantage point, and I'd say it's better than nothing, but
there are better solutions available.

M

>

Re: IPv6 uptake (was: The Reg does 240/4)

[Michael Thomas]

On 2/18/24 8:47 AM, Greg Skinner via NANOG wrote:

On Feb 17, 2024, at 11:27 AM, William Herrin  wrote:

On Sat, Feb 17, 2024 at 10:34?AM Michael Thomas  wrote:


Funny, I don't recall Bellovin and Cheswick's Firewall book discussing
NAT.

And mine too, since I hadn't heard of "Firewalls and Internet
Security: Repelling the Wily Hacker" and have not read it.

For what it's worth, both editions of Bellovin and Cheswick's Firewalls book 
are online. [1]  Also, there are discussions about NAT and how it influenced 
IPng (eventually IPv6) on the big-internet list. [2]


FWIW, while at Cisco I started to get wind of some NAT-like proposal 
being floated by 3COM at Packetcable back in the late 90's, early 2000's 
(sorry, I have no memory of the specifics now). That was pretty 
horrifying to me and others as the implication was that we'd have to 
implement it in our routers, which I'm sure 3COM viewed as a feature, 
not a bug. We pushed back that implementing IPv6 was a far better option 
if it came down to that. That sent me and Steve Deering off on an 
adventure to figure out how we might actually make good on that 
alternative in the various service provider BU's. Unsurprisingly the 
BU's were not very receptive not just because of the problems with v6 vs 
hardware forwarding, but mostly because providers weren't asking for it. 
They weren't asking for CGNAT like things either though so it was mostly 
the status quo. IOS on the other hand was taking IPv6 much more 
seriously so that providers could at least deploy it in the small for 
testing, pilots, etc even if it was a patchwork in the various platforms.


The problem with v6 uptake has always been on the provider side. BU's 
wouldn't have wanted to respin silicon but if providers were asking for 
it and it gave them a competitive advantage, they'd have done it in a 
heartbeat. It's heartening to hear that a lot of big providers and orgs 
are using IPv6 internally to simplify management along with LTE's use of 
v6. I don't know what's happening in MSO land these days, but it would 
be good to hear if they too are pushing a LTE-like solution. I do know 
that Cablelabs pretty early on -- around the time I mentioned above -- 
has been pushing for v6. Maybe Jason Livingood can clue us in. Getting 
cable operators onboard too would certainly be a good thing, though LTE 
doesn't have to deal with things like brain dead v4-only wireless 
routers on their network.


Mike

Re: IPv6 uptake (was: The Reg does 240/4)

[Michael Thomas]

On 2/17/24 11:27 AM, William Herrin wrote:

On Sat, Feb 17, 2024 at 10:34 AM Michael Thomas  wrote:

I didn't hear about NAT until the
late 90's, iirc. I've definitely not heard of Gauntlet.

Then there are gaps in your knowledge.


Funny, I don't recall Bellovin and Cheswick's Firewall book discussing
NAT.

And mine too, since I hadn't heard of "Firewalls and Internet
Security: Repelling the Wily Hacker" and have not read it.

I see that the book was published in 1994. In 1994 Gauntlet was
calling their process "transparent application layer gateways," not
NAT.

What was called NAT in 1994 was stateless 1:1 NAT, where one IP mapped
to exactly one IP in both directions. Stateless 1:1 NAT had no impact
on security. But that's not the technology we're talking about in
2024. Stateless 1:1 NAT is so obsolete that support was dropped from
the Linux kernel a long time ago. That actually caused a problem for
me in 2017. I had a use where I wanted 1:1 NAT and wanted to turn off
connection tracking so that I could do asymmetric routing through the
stateless translators. No go.

So it does not surprise me that a 1994 book on network security would
not have discussed NAT. They'd have referred to the comparable
contemporary technology, which was "transparent application layer
gateways." Those behaved like what we now call NAT but did the job a
different way: instead of modifying packets, they terminated the
connection and proxied it.


I don't recall the book talking about proxies, but it's been a long 
time. It was mostly about (stateful) firewalls, iirc. The rapid 
expansion of the internet caused a huge need for a big band-aid, 
especially with shitty windows boxes emerging on the net shortly after. 
A stateful firewall walled off for incoming on client subnets was 
perfectly sufficient though, and need to provision clients with proxies 
and the necessary software. The book is not very long and honestly 
that's a feature as it seemed to mostly be trying to get the word out 
that we should be protecting ourselves at the borders until better 
security could get deployed. If NAT's supposed belt and suspenders 
security was such a big feature, I don't recall anybody talking about it 
that way back then. That's why it's always seemed like a post-hoc 
rationalization. When I was at Cisco, all of the internal networks were 
numbered in public address space and I never once heard any clamor for 
the client space to be renumbered into RFC 1918 space for security 
reasons. Admittedly anybody doing so would have faced fierce resistance, 
but if there were any debate at all it was that adding state to network 
flows was a Bad Thing.


NAT has always been about overloading public IP addresses first and 
foremost. The supposed security gains are vastly dwarfed by the decrease 
in functionality that NAT brings with it. One only has to look at the 
mental gymnastics that goes into filling out SDP announcements for VoIP 
to know that any supposed security benefits are not worth the trouble 
that it brings. If it were only security, nobody would have done it. It 
was always about address conservation first and foremost.


Mike

Re: IPv6 uptake (was: The Reg does 240/4)

[Greg Skinner via NANOG]

On Feb 17, 2024, at 11:27 AM, William Herrin  wrote:
> 
> On Sat, Feb 17, 2024 at 10:34?AM Michael Thomas  wrote:
> 
>> Funny, I don't recall Bellovin and Cheswick's Firewall book discussing
>> NAT.
> 
> And mine too, since I hadn't heard of "Firewalls and Internet
> Security: Repelling the Wily Hacker" and have not read it.

For what it's worth, both editions of Bellovin and Cheswick's Firewalls book 
are online. [1]  Also, there are discussions about NAT and how it influenced 
IPng (eventually IPv6) on the big-internet list. [2]

—gregbo

[1] https://www.wilyhacker.com
[2] https://mailarchive.ietf.org/arch/browse/big-internet/

Re: IPv6 uptake (was: The Reg does 240/4)

[Steven Sommars]

Concerning the firewall book.

Firewalls and Internet Security, Second Edition
PDF online at
https://www.wilyhacker.com/fw2e.pdf
"Some people think that NAT boxes are a form of
firewall. In some sense, they are, but they're low-end ones."

Re: IPv6 mail The Reg does 240/4

[Michael Thomas]

On 2/17/24 2:21 PM, John Levine wrote:

But what happens under the hood at

major mailbox providers is maddeningly opaque so who really knows? It
would be nice if MAAWG published a best practices or something like that
to outline what is actually happening in live deployments.

Unfortunately, spammers can read just as well as we can so it's not
going to happen.


They already have the recon so they don't need any help. The rest of us 
could be helped by what the current art is.


Mike

Re: IPv6 mail The Reg does 240/4

[John Levine]

It appears that Michael Thomas  said:
>I kind of get the impression that once you get to aggregates at the 
>domain level like DKIM or SPF, addresses as a reputation vehicle don't 
>much figure into decision making.

It definitely does, since there are plenty of IPs that send only
malicious mail, or that shouldn't be sending mail at all. Every large
mail system uses Spamhaus' IP lists as part of their filtering
process. 

I hear that SPF is largely useless these days because most SPF records
include IP ranges for many mail providers, and a lot of those
providers do a poor job of keeping one customer from spoofing mail
from another. DKIM is still quite useful.

K. But what happens under the hood at 
>major mailbox providers is maddeningly opaque so who really knows? It 
>would be nice if MAAWG published a best practices or something like that 
>to outline what is actually happening in live deployments.

Unfortunately, spammers can read just as well as we can so it's not
going to happen.

R's,
John

Re: IPv6 uptake (was: The Reg does 240/4)

[Brandon Butterworth]

On 17/02/2024, 19:27:20, "William Herrin"  wrote:

So it does not surprise me that a 1994 book on network security would
not have discussed NAT. They'd have referred to the comparable
contemporary technology, which was "transparent application layer
gateways." Those behaved like what we now call NAT but did the job a
different way: instead of modifying packets, they terminated the
connection and proxied it.


And that was a very desired feature plus the address isolation,
then and for decades since. The clients IP stack was not trusted
to interact directly with external hosts.

See socks proxy too (and later Squid). It is still in use today
in some places.

There were stateful firewalls but trust was reduced when the
Firewall 1 undocumented and not unconfigurable default DNS UDP
inbound rule was discovered, it let anyone on the Internets "DNS"
packets reach any host on the inside they could guess the address
of. The "what if the product does allow packets in it is expected
not to" consideration drove having unreachable internal addressing.

Clicking on rules and assuming it is all good forever more through
product revisions was not sufficient. Every version would need a
significant re audit and probably miss any real problem.

How are people validating their firewall does what they think it
does?

brandon

Re: IPv6 uptake (was: The Reg does 240/4)

[William Herrin]

On Sat, Feb 17, 2024 at 10:34 AM Michael Thomas  wrote:
> I didn't hear about NAT until the
> late 90's, iirc. I've definitely not heard of Gauntlet.

Then there are gaps in your knowledge.

> Funny, I don't recall Bellovin and Cheswick's Firewall book discussing
> NAT.

And mine too, since I hadn't heard of "Firewalls and Internet
Security: Repelling the Wily Hacker" and have not read it.

I see that the book was published in 1994. In 1994 Gauntlet was
calling their process "transparent application layer gateways," not
NAT.

What was called NAT in 1994 was stateless 1:1 NAT, where one IP mapped
to exactly one IP in both directions. Stateless 1:1 NAT had no impact
on security. But that's not the technology we're talking about in
2024. Stateless 1:1 NAT is so obsolete that support was dropped from
the Linux kernel a long time ago. That actually caused a problem for
me in 2017. I had a use where I wanted 1:1 NAT and wanted to turn off
connection tracking so that I could do asymmetric routing through the
stateless translators. No go.

So it does not surprise me that a 1994 book on network security would
not have discussed NAT. They'd have referred to the comparable
contemporary technology, which was "transparent application layer
gateways." Those behaved like what we now call NAT but did the job a
different way: instead of modifying packets, they terminated the
connection and proxied it.

Regards,
Bill Herrin


-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/

Re: The Reg does 240/4

[Michael Thomas]

On 2/17/24 10:19 AM, Owen DeLong via NANOG wrote:
Mike, it’s true that Google used to be a lot less strict on IPv4 email 
than IPv6, but they want SPF and /or DKIM on everything now, so it’s 
mostly the same. There is less reputation data available for IPv6 and 
server reputation is a harder problem in IPv6, but reputation systems 
are becoming less relevant.


I kind of get the impression that once you get to aggregates at the 
domain level like DKIM or SPF, addresses as a reputation vehicle don't 
much figure into decision making. But what happens under the hood at 
major mailbox providers is maddeningly opaque so who really knows? It 
would be nice if MAAWG published a best practices or something like that 
to outline what is actually happening in live deployments.


Mike

Re: IPv6 uptake (was: The Reg does 240/4)

[William Herrin]

On Sat, Feb 17, 2024 at 10:22 AM Justin Streiner  wrote:
> Getting back to the recently revised topic of this thread - IPv6
> uptake - what have peoples' experiences been related to
> crafting sane v6 firewall rulesets in recent products from the
> major firewall players (Palo Alto, Cisco, Fortinet, etc)?

Hi Justin,

It's been years since I used anything other than Linux to build
someone a firewall. It has such a superior toolset, not just for
setting rules but for diagnosing things that don't work as expected.
The COTS products aren't just painful for IPv6, they're painful for
IPv4.

I especially despised the Cisco PIX/ASA line. I did use Fortinet's WAF
product for a while and it was okay. I only used it as a reverse proxy
to a web server, and then only because it was a security compliance
requirement for that project.

Regards,
Bill Herrin



-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/

Re: IPv6 uptake (was: The Reg does 240/4)

[Owen DeLong via NANOG]

I can’t speak to Cisco as I don’t have recent experience there. Juniper, Linux, Palo Alto, and most others I’ve dealt with in the last 5 years pose no significant difference in writing policy for IPv6 vs. the process for IPv4. OwenOn Feb 17, 2024, at 10:23, Justin Streiner  wrote:We went pretty deep into the weeds on NAT in this thread - far deeper than I expected ;)Getting back to the recently revised topic of this thread - IPv6 uptake - what have peoples' experiences been related to crafting sane v6 firewall rulesets in recent products from the major firewall players (Palo Alto, Cisco, Fortinet, etc)?  On the last major v6 deployment I did, working with the firewalls was definitely one of the major pain points because the support / stability was really lacking, or there wasn't full feature parity between their v4 and v6 capabilities.Thank youjmsOn Fri, Feb 16, 2024 at 11:04 PM William Herrin  wrote:On Fri, Feb 16, 2024 at 7:41 PM John R. Levine  wrote:
> > That it's possible to implement network security well without using
> > NAT does not contradict the claim that NAT enhances network security.
>
> I think we're each overgeneralizing from our individual expeience.
>
> You can configure a V6 firewall to be default closed as easily as you can
> configure a NAT.

Hi John,

We're probably not speaking the same language. You're talking about
configuring the function of one layer in a security stack. I'm talking
about adding or removing a layer in a security stack. Address
overloaded NAT in conjunction with private internal addresses is an
additional layer in a security stack. It has security-relevant
properties that the other layers don't duplicate. Regardless of how
you configure it.

Also, you can't "configure" a layer to be default closed. That's a
property of the security layer. It either is or it is not.

You can configure a layer to be "default deny," which I assume is what
you meant. The issue is that anything that can be configured can be
accidentally unconfigured. When default-deny is accidentally
unconfigured, the network becomes wide open. When NAT is accidentally
unconfigured, the network stops functioning entirely. The gate is
closed.

Regards,
Bill Herrin


-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/

Re: IPv6 uptake (was: The Reg does 240/4)

[Owen DeLong via NANOG]

> Think of it like this: you have a guard, you have a fence and you have
> barbed wire on top of the fence. Can you secure the place without the
> barbed wire? Of course. Can an intruder defeat the barbed wire? Of
> course. Is it more secure -with- the barbed wire? Obviously.
> 
NAT is like the barbed wire. Anyone with a pair of wire cutters doesn’t need to 
defeat the barbed wire, they just cut the fence instead. 

But I understand how the barbed wire makes you and management feel warm and 
fuzzy. 

The problem here is that NAT is also like a big blind spot in the video cameras 
that should be helping you spot the guy cutting the fence. 

Owen

Re: IPv6 uptake (was: The Reg does 240/4)

[Owen DeLong via NANOG]

Bill, same scenario, but instead of fat fingering an outbound rule, you fat 
finger a port map for inbound connections to a different host and get the 
destination address wrong. 

Still hacked. 

NAT doesn’t prevent fat fingers from getting you hacked, it just changes the 
nature of the required fat fingering. 

Care to talk about trying to track down a compromised host through the audit 
trail given an abuse report that doesn’t include the source port number? 
(Oracle even one that happens to include it)?

Owen


> On Feb 16, 2024, at 17:05, William Herrin  wrote:
> 
> On Fri, Feb 16, 2024 at 3:13 PM Michael Thomas  wrote:
>> If you know which subnets need to be NAT'd don't you also know which
>> ones shouldn't exposed to incoming connections (or conversely, which
>> should be permitted)? It seems to me that all you're doing is moving
>> around where that knowledge is stored? Ie, DHCP so it can give it
>> private address rather than at the firewall knowing which subnets not to
>> allow access? Yes, DHCP can be easily configured to make everything
>> private, but DHCP for static reachable addresses is pretty handy too.
> 
> Hi Mike,
> 
> Suppose I have a firewall at 2602:815:6000::1 with an internal network
> of 2602:815:6001::/64. Inside the network on 2602:815:6001::4 I have a
> switch that accepts telnet connections with a user/password of
> admin/admin. On the firewall, I program it to disallow all Internet
> packets to 2602:815:6001::/64 that are not part of an established
> connection.
> 
> Someone tries to telnet to 2602:815:6001::4. What happens? Blocked.
> 
> Now, I make a mistake on my firewall. I insert a rule intended to
> allow packets outbound from 2602:815:6001::4 but I fat-finger it and
> so it allows them inbound to that address instead. Someone tries to
> telnet to 2602:815:6001::4. What happens? Hacked.
> 
> Now suppose I have a firewall at 199.33.225.1 with an internal network
> of 192.168.55.0/24. Inside the network on 192.168.55.4 I have a switch
> that accepts telnet connections with a user/password of admin/admin.
> On the firewall, I program it to do NAT translation from
> 192.168.55.0/24 to 199.33.225.1 when sending packets outbound, which
> also has the effect of disallowing inbound packets to 192.168.55.0/24
> which are not part of an established connection.
> 
> Someone tries to telnet to 192.168.55.4. What happens? The packet
> never even reaches my firewall because that IP address doesn't go
> anywhere on the Internet.
> 
> Now I make a mistake on my firewall. I insert a rule intended to allow
> packets outbound from 192.168.55.4 but I fat-finger it and so it
> allows them inbound to that address instead. Someone tries to telnet
> to 192.168.55.4. What happens? The packet STILL doesn't reach my
> firewall because that IP address doesn't go anywhere on the Internet.
> 
> See the difference? Accessible versus accessible and addressable. Not
> addressable enhances security.
> 
> Regards,
> Bill Herrin
> 
> 
> --
> William Herrin
> b...@herrin.us
> https://bill.herrin.us/

Re: IPv6 uptake (was: The Reg does 240/4)

[Michael Thomas]

On 2/16/24 6:33 PM, William Herrin wrote:

On Fri, Feb 16, 2024 at 6:10 PM Ryan Hamel  wrote:

Depending on where that rule is placed within your ACL, yes that can happen 
with *ANY* address family.

Hi Ryan,

Correct. The examples illustrated a difference between a firewall
implementing address-overloaded NAT and a firewall implementing
everything except the address translation. Either example could be
converted to the other address family and it would work the same way.


All things aside, I agree with Dan that NAT was never
ever designed to be a security tool. It is used because
of the scarcity of public address space, and it provides
a "defense" depending on how it is implemented, with
minimal effort. This video tells the story of NAT and the
Cisco PIX, straight from the creators
https://youtu.be/GLrfqtf4txw

NAT's story, the modern version of NAT when we talk about IPv4
firewalls, started in the early '90s with the Gauntlet firewall. It
was described as a transparent application layer gateway. Gauntlet
focused on solving enterprise security issues. Gauntlet's technology
converged with what was then 1:1 NAT to produce the address-overloaded
NAT like what later appeared in the Cisco PIX (also first and foremost
a security product) and is present in all our DSL and cable modems
today.

Security came first, then someone noticed it'd be useful for address
conservation too. Gauntlet's customers generally had or could readily
get a supply of public IP addresses. Indeed, when Gauntlet was
released, IP addresses were still available from
hostmas...@internic.net at zero cost and without any significant
documentation. And Gauntlet was expensive: folks who couldn't easily
obtain public IP addresses also couldn't afford it.


Funny, I don't recall Bellovin and Cheswick's Firewall book discussing 
NAT. That was sort of the go-to book for hard-on-the-outside 
soft-on-the-inside defense. Maybe they were unaware of this, or maybe 
they didn't agree with the premise. I didn't hear about NAT until the 
late 90's, iirc. I've definitely not heard of Gauntlet.


As I recall, it was very much an afterthought with cable/DOCSIS to use 
NAT to conserve addresses. The headend DHCP server just gave public 
addresses to whoever asked. DOCSIS CPE at that time was just an L2 
modem. NAT traversal absolutely was not on the table with Packetcable 
back in the late 90's, and believe me we were very concerned about the 
security of MGCP since it was UDP based.


Which is to say that NAT came around to preserve address space. Any 
security properties were sort of a post-hoc rationalization and hotly 
debated given all the things NAT broke.


Mike

Re: IPv6 uptake (was: The Reg does 240/4)

[Owen DeLong via NANOG]

Most firewalls are default deny. Routers are default allow unless you put a 
filter on the interface.

NAT adds nothing to security (Bill and I agree to disagree on this), but at 
best, it complicates the audit trail. 

Owen


> On Feb 16, 2024, at 15:19, Jay R. Ashworth  wrote:
> 
> - Original Message -
>> From: "William Herrin" 
> 
>> On Fri, Feb 16, 2024 at 2:19 PM Jay R. Ashworth  wrote:
 From: "Justin Streiner" 
 4. Getting people to unlearn the "NAT=Security" mindset that we were forced
 to accept in the v4 world.
>>> 
>>> NAT doesn't "equal" security.
>>> 
>>> But it is certainly a *component* of security, placing control of what 
>>> internal
>>> nodes are accessible from the outside in the hands of the people inside.
>> 
>> Every firewall does that. What NAT does above and beyond is place
>> control of what internal nodes are -addressable- from the outside in
>> the hands of the people inside -- so that most of the common mistakes
>> with firewall configuration don't cause the internal hosts to -become-
>> accessible.
>> 
>> The distinction doesn't seem that subtle to me, but a lot of folks
>> making statements about network security on this list don't appear to
>> grasp it.
> 
> You bet.  I knew someone would chime in, but whether they'd be agreeing
> with me -- as you are -- or yelling at me, wasn't clear.
> 
> It's a default deny (NAT) vs default allow (firewall) question, and
> I prefer default deny -- at least inbound.  You *can* run NAT as default
> deny outbound, too, but it's much less tolerable for general internet
> connectivity -- in some dedicated circumstances, it can be workable.
> 
> Cheers,
> -- jra
> --
> Jay R. Ashworth  Baylink   
> j...@baylink.com
> Designer The Things I Think   RFC 2100
> Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
> St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274

Re: IPv6 uptake (was: The Reg does 240/4)

[Owen DeLong via NANOG]

> On Feb 16, 2024, at 14:20, Jay R. Ashworth  wrote:
> 
> - Original Message -
>> From: "Justin Streiner" 
> 
>> 4. Getting people to unlearn the "NAT=Security" mindset that we were forced
>> to accept in the v4 world.
> 
> NAT doesn't "equal" security.
> 
> But it is certainly a *component* of security, placing control of what 
> internal
> nodes are accessible from the outside in the hands of the people inside.

Uh, no… no it is not. Stateful inspection (which the kind of NAT (actually 
NAPT) you are assuming here depends on) is a component of security. You can do 
stateful inspection without mutilating the header and have all the same 
security benefits without losing or complicating the audit trail. 

Owen

Re: IPv6 uptake (was: The Reg does 240/4)

[William Herrin]

On Sat, Feb 17, 2024 at 10:03 AM Michael Thomas  wrote:
> On 2/16/24 5:37 PM, William Herrin wrote:
> > What is there to address? I already said that NAT's security
> > enhancement comes into play when a -mistake- is made with the network
> > configuration. You want me to say it again? Okay, I've said it again.
>
> The implication being that we should keep NAT'ing ipv6 for... a thin
> veil of security. That all of the other things that NAT breaks is worth
> the trouble because we can't trust our fat fingers on firewall configs.

Hi Mike,

There's no "we" here, no one-size-fits-all answer. Some folks
evaluating their scenario with their details will conclude that NAT's
security benefit outweighs its performance and functionality
implications. Others evaluating other scenarios will reach different
answers.

For enterprise customers, you're talking about folks who've been doing
NAT for two decades and have more recently implemented HTTPS capture
and re-encryption in order to scan for malware in transit. Will many
of them insist on NAT and its security enhancement when they get
around to deploying IPv6? Bet on it.

So, what happens when you try to tell such folks that they don't need
NAT for security in IPv6? It contradicts their -correct- intuition
that NAT has a security benefit, but because they can't quite nail
down what's wrong with your claim, it leaves them unsure. And what do
people who are unsure about an IPv6 deployment do? Nothing! They put
it back on the shelf and return to it in a couple of years.

Regards,
Bill Herrin


-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/

Re: IPv6 uptake (was: The Reg does 240/4)

[Justin Streiner]

We went pretty deep into the weeds on NAT in this thread - far deeper than
I expected ;)

Getting back to the recently revised topic of this thread - IPv6 uptake -
what have peoples' experiences been related to crafting sane v6 firewall
rulesets in recent products from the major firewall players (Palo Alto,
Cisco, Fortinet, etc)?  On the last major v6 deployment I did, working with
the firewalls was definitely one of the major pain points because the
support / stability was really lacking, or there wasn't full feature parity
between their v4 and v6 capabilities.

Thank you
jms

On Fri, Feb 16, 2024 at 11:04 PM William Herrin  wrote:

> On Fri, Feb 16, 2024 at 7:41 PM John R. Levine  wrote:
> > > That it's possible to implement network security well without using
> > > NAT does not contradict the claim that NAT enhances network security.
> >
> > I think we're each overgeneralizing from our individual expeience.
> >
> > You can configure a V6 firewall to be default closed as easily as you can
> > configure a NAT.
>
> Hi John,
>
> We're probably not speaking the same language. You're talking about
> configuring the function of one layer in a security stack. I'm talking
> about adding or removing a layer in a security stack. Address
> overloaded NAT in conjunction with private internal addresses is an
> additional layer in a security stack. It has security-relevant
> properties that the other layers don't duplicate. Regardless of how
> you configure it.
>
> Also, you can't "configure" a layer to be default closed. That's a
> property of the security layer. It either is or it is not.
>
> You can configure a layer to be "default deny," which I assume is what
> you meant. The issue is that anything that can be configured can be
> accidentally unconfigured. When default-deny is accidentally
> unconfigured, the network becomes wide open. When NAT is accidentally
> unconfigured, the network stops functioning entirely. The gate is
> closed.
>
> Regards,
> Bill Herrin
>
>
> --
> William Herrin
> b...@herrin.us
> https://bill.herrin.us/
>

Re: The Reg does 240/4

[Owen DeLong via NANOG]

Mike, it’s true that Google used to be a lot less strict on IPv4 email than 
IPv6, but they want SPF and /or DKIM on everything now, so it’s mostly the 
same. There is less reputation data available for IPv6 and server reputation is 
a harder problem in IPv6, but reputation systems are becoming less relevant. 

YMMV, but if your mail server is properly configured for SPF and DKIM, you 
shouldn’t have any difference in SMTP experience with Google for either 
protocol. 

Owen


> On Feb 16, 2024, at 07:20, Mike Hammett  wrote:
> 
> 
> "Does any IPv6 enabled ISP provide PTR records for mail servers?"
> 
> I think people will conflate doing so at ISP-scale and doing so at 
> residential hobbiyst scale (and everything in between). One would expect 
> differences in outcomes of attempting PTR records in DIA vs. broadband.
> 
> "How does Google handle mail from an IPv6 server?"
> 
> A few people have posted that it works for them, but unless it has changed 
> recently, per conversations on the mailop mailing list, Google does not treat 
> IPv6 and IPv4 mail the same and that causes non-null issues.
> 
> 
> 
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
> 
> Midwest-IX
> http://www.midwest-ix.com
> 
> From: "Stephen Satchell" 
> To: nanog@nanog.org
> Sent: Wednesday, February 14, 2024 8:25:03 PM
> Subject: Re: The Reg does 240/4
> 
> On 2/14/24 4:23 PM, Tom Samplonius wrote:
> > The best option is what is happening right now:  you can’t get new IPv4
> > addresses, so you have to either buy them, or use IPv6.  The free market
> >   is solving the problem right now.  Another solution isn’t needed.
> 
> Really?  How many mail servers are up on IPv6?  How many legacy mail
> clients can handle IPv6?  How many MTA software packages can handle IPv6
> today "right out of the box" without specific configuration?
> 
> Does any IPv6 enabled ISP provide PTR records for mail servers?
> 
> How does Google handle mail from an IPv6 server?
> 
> The Internet is not just the Web.
> 

Re: IPv6 uptake (was: The Reg does 240/4)

[Michael Thomas]

On 2/16/24 5:37 PM, William Herrin wrote:

On Fri, Feb 16, 2024 at 5:33 PM Michael Thomas  wrote:

So you're not going to address that this is a management plain problem.

Hi Mike,

What is there to address? I already said that NAT's security
enhancement comes into play when a -mistake- is made with the network
configuration. You want me to say it again? Okay, I've said it again.


The implication being that we should keep NAT'ing ipv6 for... a thin 
veil of security. That all of the other things that NAT breaks is worth 
the trouble because we can't trust our fat fingers on firewall configs.


Mike

Re: IPv6 uptake (was: The Reg does 240/4)

[Tom Beecher]

>
> Any given layer of security can be breached with expense and effort.
> Breaching every layer of security at the same time is more challenging
> than breaching any particular one of them. The use of NAT adds a layer
> of security to the system that is not otherwise there.
>
>
> Think of it like this: you have a guard, you have a fence and you have
> barbed wire on top of the fence. Can you secure the place without the
> barbed wire? Of course. Can an intruder defeat the barbed wire? Of
> course. Is it more secure -with- the barbed wire? Obviously.
>

Bill-

In a security context, NAT/PAT only provides *obfuscation* of the internal
numbering and source ports of the networks on the inside of the NAT/PAT
device. "Security by obscurity" is a well debunked maxim by now. Any
perceived benefits that obscurity provides are gone as soon as the
information attempting to be hidden can be discovered, or the methods by
which it functions are known. It may slightly deter the lazy, but
techniques to discover the otherwise 'hidden' numbering and port usage have
existed for decades.


On Fri, Feb 16, 2024 at 10:28 PM William Herrin  wrote:

> On Fri, Feb 16, 2024 at 7:10 PM John Levine  wrote:
> > If you configure your firewall wrong, bad things will happen.  I have
> both
> > IPv6 and NAT IPv4 on my network here and I haven't found it particularly
> > hard to get the config correct for IPv6.
>
> Hi John,
>
> That it's possible to implement network security well without using
> NAT does not contradict the claim that NAT enhances network security.
>
> That it's possible to breach the layer of security added by NAT does
> not contradict the claim that NAT enhances network security.
>
> Any given layer of security can be breached with expense and effort.
> Breaching every layer of security at the same time is more challenging
> than breaching any particular one of them. The use of NAT adds a layer
> of security to the system that is not otherwise there.
>
>
> Think of it like this: you have a guard, you have a fence and you have
> barbed wire on top of the fence. Can you secure the place without the
> barbed wire? Of course. Can an intruder defeat the barbed wire? Of
> course. Is it more secure -with- the barbed wire? Obviously.
>
> Regards,
> Bill Herrin
>
> --
> William Herrin
> b...@herrin.us
> https://bill.herrin.us/
>

Re: IPv6 uptake (was: The Reg does 240/4)

[Ryan Hamel]

Again Bill, the NAT process layer is not involved in dropping unwanted traffic 
until the packet is at least four/five levels deep. On ingress, a firewall will 
check if there is any flow/stream associated to it, ensure the packet follows 
the applicable protocol state machine, process it against the inbound interface 
rules, do any DPI rule processing, THEN NAT lookup, and egress routing + ACLs 
on the outbound ACL. 
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113396-asa-packet-flow-00.html

On a standard LAN -> WAN firewall configured with a single public IPv4 IP; your 
protection comes from the connect state/flow tables primarily. No one would be 
touching NAT configurations at the same rate as zone and policy configurations, 
unless it's for complex VPN setups. Using NAT as a defense in depth strategy 
against deploying v6 is only hurting yourself. I have yet to come across an 
enterprise that uses it between internal VLANs or policies/zones, where the 
same threat potential can be, especially in a DMZ.

Ryan Hamel


From: NANOG  on behalf of William 
Herrin 
Sent: Friday, February 16, 2024 8:03 PM
To: John R. Levine 
Cc: nanog@nanog.org 
Subject: Re: IPv6 uptake (was: The Reg does 240/4)

Caution: This is an external email and may be malicious. Please take care when 
clicking links or opening attachments.


On Fri, Feb 16, 2024 at 7:41 PM John R. Levine  wrote:
> > That it's possible to implement network security well without using
> > NAT does not contradict the claim that NAT enhances network security.
>
> I think we're each overgeneralizing from our individual expeience.
>
> You can configure a V6 firewall to be default closed as easily as you can
> configure a NAT.

Hi John,

We're probably not speaking the same language. You're talking about
configuring the function of one layer in a security stack. I'm talking
about adding or removing a layer in a security stack. Address
overloaded NAT in conjunction with private internal addresses is an
additional layer in a security stack. It has security-relevant
properties that the other layers don't duplicate. Regardless of how
you configure it.

Also, you can't "configure" a layer to be default closed. That's a
property of the security layer. It either is or it is not.

You can configure a layer to be "default deny," which I assume is what
you meant. The issue is that anything that can be configured can be
accidentally unconfigured. When default-deny is accidentally
unconfigured, the network becomes wide open. When NAT is accidentally
unconfigured, the network stops functioning entirely. The gate is
closed.

Regards,
Bill Herrin


--
William Herrin
b...@herrin.us
https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbill.herrin.us%2F=05%7C02%7Cryan%40rkhtech.org%7C0de6c54d274c4b231dc608dc2f6dc319%7C81c24bb4f9ec4739ba4d25c42594d996%7C0%7C0%7C638437395698409506%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C=k19sefOjlCNOBGbiAmhzcFszrOEhf8SQQfs0MQThyaU%3D=0<https://bill.herrin.us/>

Re: IPv6 uptake (was: The Reg does 240/4)

[William Herrin]

On Fri, Feb 16, 2024 at 7:41 PM John R. Levine  wrote:
> > That it's possible to implement network security well without using
> > NAT does not contradict the claim that NAT enhances network security.
>
> I think we're each overgeneralizing from our individual expeience.
>
> You can configure a V6 firewall to be default closed as easily as you can
> configure a NAT.

Hi John,

We're probably not speaking the same language. You're talking about
configuring the function of one layer in a security stack. I'm talking
about adding or removing a layer in a security stack. Address
overloaded NAT in conjunction with private internal addresses is an
additional layer in a security stack. It has security-relevant
properties that the other layers don't duplicate. Regardless of how
you configure it.

Also, you can't "configure" a layer to be default closed. That's a
property of the security layer. It either is or it is not.

You can configure a layer to be "default deny," which I assume is what
you meant. The issue is that anything that can be configured can be
accidentally unconfigured. When default-deny is accidentally
unconfigured, the network becomes wide open. When NAT is accidentally
unconfigured, the network stops functioning entirely. The gate is
closed.

Regards,
Bill Herrin


-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/

Re: IPv6 uptake (was: The Reg does 240/4)

[John R. Levine]

That it's possible to implement network security well without using
NAT does not contradict the claim that NAT enhances network security.


I think we're each overgeneralizing from our individual expeience.

You can configure a V6 firewall to be default closed as easily as you can 
configure a NAT.  Once you start making exceptions, it depends on the 
nature of the exceptions, the way you tell the router about them (CLI, web 
crudware, whatever) and doubtless other stuff too.


Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly

Re: IPv6 uptake (was: The Reg does 240/4)

[William Herrin]

On Fri, Feb 16, 2024 at 7:10 PM John Levine  wrote:
> If you configure your firewall wrong, bad things will happen.  I have both
> IPv6 and NAT IPv4 on my network here and I haven't found it particularly
> hard to get the config correct for IPv6.

Hi John,

That it's possible to implement network security well without using
NAT does not contradict the claim that NAT enhances network security.

That it's possible to breach the layer of security added by NAT does
not contradict the claim that NAT enhances network security.

Any given layer of security can be breached with expense and effort.
Breaching every layer of security at the same time is more challenging
than breaching any particular one of them. The use of NAT adds a layer
of security to the system that is not otherwise there.


Think of it like this: you have a guard, you have a fence and you have
barbed wire on top of the fence. Can you secure the place without the
barbed wire? Of course. Can an intruder defeat the barbed wire? Of
course. Is it more secure -with- the barbed wire? Obviously.

Regards,
Bill Herrin

-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/

Re: IPv6 uptake (was: The Reg does 240/4)

[John Levine]

It appears that William Herrin  said:
>Now suppose I have a firewall at 199.33.225.1 with an internal network
>of 192.168.55.0/24. Inside the network on 192.168.55.4 I have a switch
>that accepts telnet connections with a user/password of admin/admin.
>On the firewall, I program it to do NAT translation from
>192.168.55.0/24 to 199.33.225.1 when sending packets outbound, which
>also has the effect of disallowing inbound packets to 192.168.55.0/24
>which are not part of an established connection.

Or you set up port forwarding for some other device but you mistype the
internal address an forward it to the switch.  Or the switch helpfully
uses UPNP to do its own port forwarding and you forget to turn it off.

If you configure your firewall wrong, bad things will happen.  I have both
IPv6 and NAT IPv4 on my network here and I haven't found it particularly
hard to get the config correct for IPv6.

Normally the ISP will give you an IPv6 /56 or larger so you can have
multiple segments behind the router each with a /64 and different
policies for each segment.

Re: IPv6 uptake (was: The Reg does 240/4)

[William Herrin]

On Fri, Feb 16, 2024 at 6:10 PM Ryan Hamel  wrote:
> Depending on where that rule is placed within your ACL, yes that can happen 
> with *ANY* address family.

Hi Ryan,

Correct. The examples illustrated a difference between a firewall
implementing address-overloaded NAT and a firewall implementing
everything except the address translation. Either example could be
converted to the other address family and it would work the same way.

> All things aside, I agree with Dan that NAT was never
> ever designed to be a security tool. It is used because
> of the scarcity of public address space, and it provides
> a "defense" depending on how it is implemented, with
> minimal effort. This video tells the story of NAT and the
> Cisco PIX, straight from the creators
> https://youtu.be/GLrfqtf4txw

NAT's story, the modern version of NAT when we talk about IPv4
firewalls, started in the early '90s with the Gauntlet firewall. It
was described as a transparent application layer gateway. Gauntlet
focused on solving enterprise security issues. Gauntlet's technology
converged with what was then 1:1 NAT to produce the address-overloaded
NAT like what later appeared in the Cisco PIX (also first and foremost
a security product) and is present in all our DSL and cable modems
today.

Security came first, then someone noticed it'd be useful for address
conservation too. Gauntlet's customers generally had or could readily
get a supply of public IP addresses. Indeed, when Gauntlet was
released, IP addresses were still available from
hostmas...@internic.net at zero cost and without any significant
documentation. And Gauntlet was expensive: folks who couldn't easily
obtain public IP addresses also couldn't afford it.

Regards,
Bill Herrin

-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/

Re: IPv6 uptake (was: The Reg does 240/4)

[Ryan Hamel]

sronan,

A subnet can come from the ISP (residential/small business), or business is 
utilizing BGP with their upstream. When V6 is in use, a firewall does not need 
to perform NAT, just stateful flow inspection and applying the applicable rules 
based on the zone and/or interface.

Bill,

Depending on where that rule is placed within your ACL, yes that can happen 
with *ANY* address family.

---

All things aside, I agree with Dan that NAT was never ever designed to be a 
security tool. It is used because of the scarcity of public address space, and 
it provides a "defense" depending on how it is implemented, with minimal 
effort. This video tells the story of NAT and the Cisco PIX, straight from the 
creators https://youtu.be/GLrfqtf4txw

Ryan Hamel


From: NANOG  on behalf of 
sro...@ronan-online.com 
Sent: Friday, February 16, 2024 5:44 PM
To: William Herrin 
Cc: nanog@nanog.org 
Subject: Re: IPv6 uptake (was: The Reg does 240/4)

Caution: This is an external email and may be malicious. Please take care when 
clicking links or opening attachments.


Why is your Internal v6 subnet advertised to the Internet?

> On Feb 16, 2024, at 8:08 PM, William Herrin  wrote:
>
> On Fri, Feb 16, 2024 at 3:13 PM Michael Thomas  wrote:
>> If you know which subnets need to be NAT'd don't you also know which
>> ones shouldn't exposed to incoming connections (or conversely, which
>> should be permitted)? It seems to me that all you're doing is moving
>> around where that knowledge is stored? Ie, DHCP so it can give it
>> private address rather than at the firewall knowing which subnets not to
>> allow access? Yes, DHCP can be easily configured to make everything
>> private, but DHCP for static reachable addresses is pretty handy too.
>
> Hi Mike,
>
> Suppose I have a firewall at 2602:815:6000::1 with an internal network
> of 2602:815:6001::/64. Inside the network on 2602:815:6001::4 I have a
> switch that accepts telnet connections with a user/password of
> admin/admin. On the firewall, I program it to disallow all Internet
> packets to 2602:815:6001::/64 that are not part of an established
> connection.
>
> Someone tries to telnet to 2602:815:6001::4. What happens? Blocked.
>
> Now, I make a mistake on my firewall. I insert a rule intended to
> allow packets outbound from 2602:815:6001::4 but I fat-finger it and
> so it allows them inbound to that address instead. Someone tries to
> telnet to 2602:815:6001::4. What happens? Hacked.
>
> Now suppose I have a firewall at 199.33.225.1 with an internal network
> of 192.168.55.0/24. Inside the network on 192.168.55.4 I have a switch
> that accepts telnet connections with a user/password of admin/admin.
> On the firewall, I program it to do NAT translation from
> 192.168.55.0/24 to 199.33.225.1 when sending packets outbound, which
> also has the effect of disallowing inbound packets to 192.168.55.0/24
> which are not part of an established connection.
>
> Someone tries to telnet to 192.168.55.4. What happens? The packet
> never even reaches my firewall because that IP address doesn't go
> anywhere on the Internet.
>
> Now I make a mistake on my firewall. I insert a rule intended to allow
> packets outbound from 192.168.55.4 but I fat-finger it and so it
> allows them inbound to that address instead. Someone tries to telnet
> to 192.168.55.4. What happens? The packet STILL doesn't reach my
> firewall because that IP address doesn't go anywhere on the Internet.
>
> See the difference? Accessible versus accessible and addressable. Not
> addressable enhances security.
>
> Regards,
> Bill Herrin
>
>
> --
> William Herrin
> b...@herrin.us
> https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbill.herrin.us%2F=05%7C02%7Cryan%40rkhtech.org%7C5672986956c34e345fd208dc2f5a571c%7C81c24bb4f9ec4739ba4d25c42594d996%7C0%7C0%7C638437312255883842%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C=iuKWxWts%2B9buTCz318C7hz6DbuWSST%2FKPZAWbbhSj8Q%3D=0<https://bill.herrin.us/>

Re: IPv6 uptake (was: The Reg does 240/4)

[William Herrin]

On Fri, Feb 16, 2024 at 5:45 PM  wrote:
> Why is your Internal v6 subnet advertised to the Internet?

Because that was the example network -without- NAT. If I made two
networks -with- NAT, there would be no difference to show.

I make 2602:815:6000::/44 be 199.33.224.0/23, make 2602:815:6001::/64
be 199.33.224.0/24, make 2602:815:600::1 be 199.33.225.1 and make
2602:815:6001::4 be 199.33.224.4, it would be the exact same example
with the exact same network security impact.

Regards,
Bill Herrin


-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/

Re: IPv6 uptake (was: The Reg does 240/4)

[sronan]

Why is your Internal v6 subnet advertised to the Internet?

> On Feb 16, 2024, at 8:08 PM, William Herrin  wrote:
> 
> On Fri, Feb 16, 2024 at 3:13 PM Michael Thomas  wrote:
>> If you know which subnets need to be NAT'd don't you also know which
>> ones shouldn't exposed to incoming connections (or conversely, which
>> should be permitted)? It seems to me that all you're doing is moving
>> around where that knowledge is stored? Ie, DHCP so it can give it
>> private address rather than at the firewall knowing which subnets not to
>> allow access? Yes, DHCP can be easily configured to make everything
>> private, but DHCP for static reachable addresses is pretty handy too.
> 
> Hi Mike,
> 
> Suppose I have a firewall at 2602:815:6000::1 with an internal network
> of 2602:815:6001::/64. Inside the network on 2602:815:6001::4 I have a
> switch that accepts telnet connections with a user/password of
> admin/admin. On the firewall, I program it to disallow all Internet
> packets to 2602:815:6001::/64 that are not part of an established
> connection.
> 
> Someone tries to telnet to 2602:815:6001::4. What happens? Blocked.
> 
> Now, I make a mistake on my firewall. I insert a rule intended to
> allow packets outbound from 2602:815:6001::4 but I fat-finger it and
> so it allows them inbound to that address instead. Someone tries to
> telnet to 2602:815:6001::4. What happens? Hacked.
> 
> Now suppose I have a firewall at 199.33.225.1 with an internal network
> of 192.168.55.0/24. Inside the network on 192.168.55.4 I have a switch
> that accepts telnet connections with a user/password of admin/admin.
> On the firewall, I program it to do NAT translation from
> 192.168.55.0/24 to 199.33.225.1 when sending packets outbound, which
> also has the effect of disallowing inbound packets to 192.168.55.0/24
> which are not part of an established connection.
> 
> Someone tries to telnet to 192.168.55.4. What happens? The packet
> never even reaches my firewall because that IP address doesn't go
> anywhere on the Internet.
> 
> Now I make a mistake on my firewall. I insert a rule intended to allow
> packets outbound from 192.168.55.4 but I fat-finger it and so it
> allows them inbound to that address instead. Someone tries to telnet
> to 192.168.55.4. What happens? The packet STILL doesn't reach my
> firewall because that IP address doesn't go anywhere on the Internet.
> 
> See the difference? Accessible versus accessible and addressable. Not
> addressable enhances security.
> 
> Regards,
> Bill Herrin
> 
> 
> --
> William Herrin
> b...@herrin.us
> https://bill.herrin.us/

Re: IPv6 uptake (was: The Reg does 240/4)

[William Herrin]

On Fri, Feb 16, 2024 at 5:33 PM Michael Thomas  wrote:
> So you're not going to address that this is a management plain problem.

Hi Mike,

What is there to address? I already said that NAT's security
enhancement comes into play when a -mistake- is made with the network
configuration. You want me to say it again? Okay, I've said it again.

Regards,
Bill Herrin

-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/

Re: IPv6 uptake (was: The Reg does 240/4)

[Michael Thomas]

On 2/16/24 5:30 PM, William Herrin wrote:

On Fri, Feb 16, 2024 at 5:22 PM Michael Thomas  wrote:

On 2/16/24 5:05 PM, William Herrin wrote:

Now, I make a mistake on my firewall. I insert a rule intended to
allow packets outbound from 2602:815:6001::4 but I fat-finger it and
so it allows them inbound to that address instead. Someone tries to
telnet to 2602:815:6001::4. What happens? Hacked.

Yes, but if the DHCP database has a mistake it's pretty much the same
situation since it could be numbered with a public address.

Um. No. You'd have to make multiple mistakes cross-contaminating your
public and private ethernet segments yet somehow without completely
breaking your network rendering it inoperable.


So you're not going to address that this is a management plain problem. ok.

Mike

Re: IPv6 uptake (was: The Reg does 240/4)

[William Herrin]

On Fri, Feb 16, 2024 at 5:22 PM Michael Thomas  wrote:
> On 2/16/24 5:05 PM, William Herrin wrote:
> > Now, I make a mistake on my firewall. I insert a rule intended to
> > allow packets outbound from 2602:815:6001::4 but I fat-finger it and
> > so it allows them inbound to that address instead. Someone tries to
> > telnet to 2602:815:6001::4. What happens? Hacked.
>
> Yes, but if the DHCP database has a mistake it's pretty much the same
> situation since it could be numbered with a public address.

Um. No. You'd have to make multiple mistakes cross-contaminating your
public and private ethernet segments yet somehow without completely
breaking your network rendering it inoperable.


> NAT is not without its own set of problems,

NAT's problems are legion. But the question was whether and how NAT
improves the security of a network employing it.

Regards,
Bill Herrin


-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/

Re: IPv6 uptake (was: The Reg does 240/4)

[Michael Thomas]

On 2/16/24 5:05 PM, William Herrin wrote:

On Fri, Feb 16, 2024 at 3:13 PM Michael Thomas  wrote:

If you know which subnets need to be NAT'd don't you also know which
ones shouldn't exposed to incoming connections (or conversely, which
should be permitted)? It seems to me that all you're doing is moving
around where that knowledge is stored? Ie, DHCP so it can give it
private address rather than at the firewall knowing which subnets not to
allow access? Yes, DHCP can be easily configured to make everything
private, but DHCP for static reachable addresses is pretty handy too.

Hi Mike,

Suppose I have a firewall at 2602:815:6000::1 with an internal network
of 2602:815:6001::/64. Inside the network on 2602:815:6001::4 I have a
switch that accepts telnet connections with a user/password of
admin/admin. On the firewall, I program it to disallow all Internet
packets to 2602:815:6001::/64 that are not part of an established
connection.

Someone tries to telnet to 2602:815:6001::4. What happens? Blocked.

Now, I make a mistake on my firewall. I insert a rule intended to
allow packets outbound from 2602:815:6001::4 but I fat-finger it and
so it allows them inbound to that address instead. Someone tries to
telnet to 2602:815:6001::4. What happens? Hacked.


Yes, but if the DHCP database has a mistake it's pretty much the same 
situation since it could be numbered with a public address. For both you 
can have the default as "reject" or "accept" -- that's just a default 
and depends on how you want to manage your network.


NAT is not without its own set of problems, so if this boils down to a 
subnet management issue there are obviously ways to deal with that to 
avoid NAT's problems. Both DHCP and firewall configs don't have to be 
the ultimate source of truth about any of this. And that's likely a Good 
Thing since you want them to be pretty much as fungible and replaceable 
as possible. If you're exposed to fat fingers for either, you're 
probably already in trouble. Something in the management plain is far 
more likely to care about this kind of thing than hardware vendors who 
see that as a cost center with predictably shitty implementations.


Mike

Re: IPv6 uptake (was: The Reg does 240/4)

[William Herrin]

On Fri, Feb 16, 2024 at 3:13 PM Michael Thomas  wrote:
> If you know which subnets need to be NAT'd don't you also know which
> ones shouldn't exposed to incoming connections (or conversely, which
> should be permitted)? It seems to me that all you're doing is moving
> around where that knowledge is stored? Ie, DHCP so it can give it
> private address rather than at the firewall knowing which subnets not to
> allow access? Yes, DHCP can be easily configured to make everything
> private, but DHCP for static reachable addresses is pretty handy too.

Hi Mike,

Suppose I have a firewall at 2602:815:6000::1 with an internal network
of 2602:815:6001::/64. Inside the network on 2602:815:6001::4 I have a
switch that accepts telnet connections with a user/password of
admin/admin. On the firewall, I program it to disallow all Internet
packets to 2602:815:6001::/64 that are not part of an established
connection.

Someone tries to telnet to 2602:815:6001::4. What happens? Blocked.

Now, I make a mistake on my firewall. I insert a rule intended to
allow packets outbound from 2602:815:6001::4 but I fat-finger it and
so it allows them inbound to that address instead. Someone tries to
telnet to 2602:815:6001::4. What happens? Hacked.

Now suppose I have a firewall at 199.33.225.1 with an internal network
of 192.168.55.0/24. Inside the network on 192.168.55.4 I have a switch
that accepts telnet connections with a user/password of admin/admin.
On the firewall, I program it to do NAT translation from
192.168.55.0/24 to 199.33.225.1 when sending packets outbound, which
also has the effect of disallowing inbound packets to 192.168.55.0/24
which are not part of an established connection.

Someone tries to telnet to 192.168.55.4. What happens? The packet
never even reaches my firewall because that IP address doesn't go
anywhere on the Internet.

Now I make a mistake on my firewall. I insert a rule intended to allow
packets outbound from 192.168.55.4 but I fat-finger it and so it
allows them inbound to that address instead. Someone tries to telnet
to 192.168.55.4. What happens? The packet STILL doesn't reach my
firewall because that IP address doesn't go anywhere on the Internet.

See the difference? Accessible versus accessible and addressable. Not
addressable enhances security.

Regards,
Bill Herrin


-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/

Re: IPv6 uptake (was: The Reg does 240/4)

[Daniel Marks via NANOG]

> a lot of folks
> making statements about network security on this list don't appear to
> grasp it.

If your network is secure, it isn’t even possible to “accidentally” open 
inbound ports in the first place. You either allow it to happen or you don’t 
via security policy, anything else means your “security” relies on humans not 
making a mistake, and that’s not security.

Using NAT as a “line of defense” means you implicitly don’t trust your 
authorization system, which means you don't actually have a security posture to 
begin with.

Using the same logic, you might as well go buy another firewall to put in front 
of your actual Firewall just in case you accidentally misconfigure it. Notice 
how you’re not actually securing anything, you’re putting a band aid on your 
insecure process.

-Dan

> On Feb 16, 2024, at 18:04, William Herrin  wrote:
> 
> On Fri, Feb 16, 2024 at 2:19 PM Jay R. Ashworth  wrote:
>>> From: "Justin Streiner" 
>>> 4. Getting people to unlearn the "NAT=Security" mindset that we were forced
>>> to accept in the v4 world.
>> 
>> NAT doesn't "equal" security.
>> 
>> But it is certainly a *component* of security, placing control of what 
>> internal
>> nodes are accessible from the outside in the hands of the people inside.
> 
> Hi Jay,
> 
> Every firewall does that. What NAT does above and beyond is place
> control of what internal nodes are -addressable- from the outside in
> the hands of the people inside -- so that most of the common mistakes
> with firewall configuration don't cause the internal hosts to -become-
> accessible.
> 
> The distinction doesn't seem that subtle to me, but a lot of folks
> making statements about network security on this list don't appear to
> grasp it.
> 
> Regards,
> Bill Herrin
> 
> 
> --
> William Herrin
> b...@herrin.us
> https://bill.herrin.us/

Re: IPv6 uptake (was: The Reg does 240/4)

[Jay R. Ashworth]

- Original Message -
> From: "William Herrin" 

> On Fri, Feb 16, 2024 at 2:19 PM Jay R. Ashworth  wrote:
>> > From: "Justin Streiner" 
>> > 4. Getting people to unlearn the "NAT=Security" mindset that we were forced
>> > to accept in the v4 world.
>>
>> NAT doesn't "equal" security.
>>
>> But it is certainly a *component* of security, placing control of what 
>> internal
>> nodes are accessible from the outside in the hands of the people inside.
> 
> Every firewall does that. What NAT does above and beyond is place
> control of what internal nodes are -addressable- from the outside in
> the hands of the people inside -- so that most of the common mistakes
> with firewall configuration don't cause the internal hosts to -become-
> accessible.
> 
> The distinction doesn't seem that subtle to me, but a lot of folks
> making statements about network security on this list don't appear to
> grasp it.

You bet.  I knew someone would chime in, but whether they'd be agreeing
with me -- as you are -- or yelling at me, wasn't clear.

It's a default deny (NAT) vs default allow (firewall) question, and
I prefer default deny -- at least inbound.  You *can* run NAT as default
deny outbound, too, but it's much less tolerable for general internet
connectivity -- in some dedicated circumstances, it can be workable.

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274

Re: IPv6 uptake (was: The Reg does 240/4)

[Michael Thomas]

On 2/16/24 3:01 PM, William Herrin wrote:

On Fri, Feb 16, 2024 at 2:19 PM Jay R. Ashworth  wrote:

From: "Justin Streiner" 
4. Getting people to unlearn the "NAT=Security" mindset that we were forced
to accept in the v4 world.

NAT doesn't "equal" security.

But it is certainly a *component* of security, placing control of what internal
nodes are accessible from the outside in the hands of the people inside.

Hi Jay,

Every firewall does that. What NAT does above and beyond is place
control of what internal nodes are -addressable- from the outside in
the hands of the people inside -- so that most of the common mistakes
with firewall configuration don't cause the internal hosts to -become-
accessible.


If you know which subnets need to be NAT'd don't you also know which 
ones shouldn't exposed to incoming connections (or conversely, which 
should be permitted)? It seems to me that all you're doing is moving 
around where that knowledge is stored? Ie, DHCP so it can give it 
private address rather than at the firewall knowing which subnets not to 
allow access? Yes, DHCP can be easily configured to make everything 
private, but DHCP for static reachable addresses is pretty handy too.


Mike

Re: IPv6 uptake (was: The Reg does 240/4)

[William Herrin]

On Fri, Feb 16, 2024 at 2:19 PM Jay R. Ashworth  wrote:
> > From: "Justin Streiner" 
> > 4. Getting people to unlearn the "NAT=Security" mindset that we were forced
> > to accept in the v4 world.
>
> NAT doesn't "equal" security.
>
> But it is certainly a *component* of security, placing control of what 
> internal
> nodes are accessible from the outside in the hands of the people inside.

Hi Jay,

Every firewall does that. What NAT does above and beyond is place
control of what internal nodes are -addressable- from the outside in
the hands of the people inside -- so that most of the common mistakes
with firewall configuration don't cause the internal hosts to -become-
accessible.

The distinction doesn't seem that subtle to me, but a lot of folks
making statements about network security on this list don't appear to
grasp it.

Regards,
Bill Herrin


-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/

Re: IPv6 uptake (was: The Reg does 240/4)

[Jay R. Ashworth]

- Original Message -
> From: "Justin Streiner" 

> 4. Getting people to unlearn the "NAT=Security" mindset that we were forced
> to accept in the v4 world.

NAT doesn't "equal" security. 

But it is certainly a *component* of security, placing control of what internal
nodes are accessible from the outside in the hands of the people inside.

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274

Re: The Reg does 240/4

[John Levine]

It appears that Mike Hammett  said:
>-=-=-=-=-=-
>
>" Does any IPv6 enabled ISP provide PTR records for mail servers?" 
>
>
>I think people will conflate doing so at ISP-scale and doing so at residential 
>hobbiyst scale (and everything in between). One would
>expect differences in outcomes of attempting PTR records in DIA vs. broadband. 

Most consumer ISPs block port 25 so rDNS would be the least of your problems 
trying to run a home mail server.

>"How does Google handle mail from an IPv6 server?" 
>
>A few people have posted that it works for them, but unless it has changed 
>recently, per conversations on the mailop mailing list,
>Google does not treat IPv6 and IPv4 mail the same and that causes non-null 
>issues. 

As has been widely reported, Google has recently tightened up authentication 
requirements so
v4 and v6 are now pretty similar.

They won't accept v6 mail that isn't authenticated with SPF or DKIM
but honestly, if you can't figure out how to publish an SPF record you
shouldn't try to run a mail server.

R's,
John

RE: The Reg does 240/4

[Howard, Lee via NANOG]

It seems we’re the marketplace of record.

We do have some private transactions, that is, sales that take place outside of 
our marketplace and therefore don’t appear on the prior-sales page. That’s 
generally for /16 or larger, where one or both parties want custom terms that 
differ from our standard Terms of Use.

It’s true that prices for /16 and larger have held steadier than smaller 
blocks. My guess is that there has been a lot more supply of smaller blocks 
than /16+, driving prices down for the smaller blocks. Supply for /16s and 
larger is fine, but not enormous. I don’t assume that prices will remain the 
same.

So, what about 240/4?  The IPv4 market moves about 40 million addresses per 
year. A /4 is 268 million addresses, so if that supply became available (IETF 
telling IANA to distribute it to the RIRs, I assume) it would definitely affect 
the market for a long time. The RIRs would have to look at their 
post-exhaustion policies and figure out whether they still applied, or if 
pre-exhaustion policies should be used. I don’t have a strong opinion on this, 
and give credit to the authors of the proposal for working to identify any 
places where 240/4 would not work.

I still think the Internet works better when everyone uses the same protocol, 
so everyone should deploy IPv6. At this point, the consumer electronics and 
corporate IT sectors are the major holdouts. There are still ISPs and web sites 
that don’t have IPv6, but it’s no longer reasonable to assert that those are 
failures as a group, IMHO.


Lee Howard | Senior Vice President, IPv4.Global
[Inline image]

t: 646.651.1950
email: leehow...@hilcostreambank.com<mailto:leehow...@hilcostreambank.com>
web: www.ipv4.global<http://www.ipv4.global/>
twitter: twitter.com/ipv4g<https://twitter.com/ipv4g/>





From: NANOG  On Behalf 
Of Mike Hammett
Sent: Friday, February 16, 2024 10:28 AM
To: Tom Beecher 
Cc: nanog@nanog.org
Subject: Re: The Reg does 240/4

This message is from an EXTERNAL SENDER - be CAUTIOUS, particularly with links 
and attachments.


Evidence to support Tom's statement:

https://auctions.ipv4.global/prior-sales


-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com


From: "Tom Beecher" mailto:beec...@beecher.cc>>
To: "Brian Knight" mailto:m...@knight-networks.com>>
Cc: nanog@nanog.org<mailto:nanog@nanog.org>
Sent: Thursday, February 15, 2024 5:31:42 PM
Subject: Re: The Reg does 240/4
$/IPv4 address peaked in 2021, and has been declining since.

On Thu, Feb 15, 2024 at 16:05 Brian Knight via NANOG 
mailto:nanog@nanog.org>> wrote:
On 2024-02-15 13:10, Lyndon Nerenberg (VE7TFX/VE6BBM) wrote:
> I've said it before, and I'll say it again:
>
>   The only thing stopping global IPv6 deployment is
>   Netflix continuing to offer services over IPv4.
>
> If Netflix dropped IPv4, you would see IPv6 available *everywhere*
> within a month.

As others have noted, and to paraphrase a long-ago quote from this
mailing list, I'm sure all of Netflix's competitors hope Netflix does
that.

I remain hopeful that the climbing price of unique, available IPv4
addresses eventually forces migration to v6. From my armchair, only
through economics will this situation will be resolved.

> --lyndon

-Brian

RE: The Reg does 240/4

[Brotman, Alex via NANOG]

We (comcast.net) have been sending/receiving via IPv6 since 2012 or so.  We do 
have PTR records for our outbound IPv6 addresses, and expect them for inbound 
IPv6 as well.Keeping in mind that a huge portion of inbound mail is 
bulk/commercial and they have thus far largely avoided IPv6, Inbound IPv6 is 
about 5% of traffic.  Outbound IPv6 is about 40% of traffic.  I’m not sharing 
mail submissions from users as many (nearly all?) of our users have IPv6 and 
that would skew the numbers, and may not be relevant to this discussion.

--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast

From: NANOG  On Behalf Of 
Mike Hammett
Sent: Friday, February 16, 2024 10:20 AM
To: l...@satchell.net
Cc: nanog@nanog.org
Subject: Re: The Reg does 240/4

"Does any IPv6 enabled ISP provide PTR records for mail servers?"

I think people will conflate doing so at ISP-scale and doing so at residential 
hobbiyst scale (and everything in between). One would expect differences in 
outcomes of attempting PTR records in DIA vs. broadband.

"How does Google handle mail from an IPv6 server?"

A few people have posted that it works for them, but unless it has changed 
recently, per conversations on the mailop mailing list, Google does not treat 
IPv6 and IPv4 mail the same and that causes non-null issues.



-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com<https://urldefense.com/v3/__http:/www.ics-il.com__;!!CQl3mcHX2A!Adj7UyXOfg2bkj9fl_CbY2Z7kBhqQzqvduQFbfMITlcG2Om1zcWSj6zljATvnM2kFdxDQer3FJBfv7AFbA$>

Midwest-IX
http://www.midwest-ix.com<https://urldefense.com/v3/__http:/www.midwest-ix.com__;!!CQl3mcHX2A!Adj7UyXOfg2bkj9fl_CbY2Z7kBhqQzqvduQFbfMITlcG2Om1zcWSj6zljATvnM2kFdxDQer3FJCDd4cxfw$>


From: "Stephen Satchell" mailto:l...@satchell.net>>
To: nanog@nanog.org<mailto:nanog@nanog.org>
Sent: Wednesday, February 14, 2024 8:25:03 PM
Subject: Re: The Reg does 240/4

On 2/14/24 4:23 PM, Tom Samplonius wrote:
> The best option is what is happening right now:  you can’t get new IPv4
> addresses, so you have to either buy them, or use IPv6.  The free market
>   is solving the problem right now.  Another solution isn’t needed.

Really?  How many mail servers are up on IPv6?  How many legacy mail
clients can handle IPv6?  How many MTA software packages can handle IPv6
today "right out of the box" without specific configuration?

Does any IPv6 enabled ISP provide PTR records for mail servers?

How does Google handle mail from an IPv6 server?

The Internet is not just the Web.

Re: The Reg does 240/4

[Mike Hammett]

Evidence to support Tom's statement: 

https://auctions.ipv4.global/prior-sales 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Tom Beecher"  
To: "Brian Knight"  
Cc: nanog@nanog.org 
Sent: Thursday, February 15, 2024 5:31:42 PM 
Subject: Re: The Reg does 240/4 




$/IPv4 address peaked in 2021, and has been declining since. 





On Thu, Feb 15, 2024 at 16:05 Brian Knight via NANOG < nanog@nanog.org > wrote: 


On 2024-02-15 13:10, Lyndon Nerenberg (VE7TFX/VE6BBM) wrote: 
> I've said it before, and I'll say it again: 
> 
> The only thing stopping global IPv6 deployment is 
> Netflix continuing to offer services over IPv4. 
> 
> If Netflix dropped IPv4, you would see IPv6 available *everywhere* 
> within a month. 

As others have noted, and to paraphrase a long-ago quote from this 
mailing list, I'm sure all of Netflix's competitors hope Netflix does 
that. 

I remain hopeful that the climbing price of unique, available IPv4 
addresses eventually forces migration to v6. From my armchair, only 
through economics will this situation will be resolved. 

> --lyndon 

-Brian 

Re: The Reg does 240/4

[Christian de Larrinaga via NANOG]

inline

Christopher Hawker  writes:

> Hi Christian,
>
> The idea to this is to allow new networks to emerge onto the internet, 
> without potentially having to fork out
> substantial amounts of money.

That would then be using IPv6 with IPv4 transition translation etc at the
ingress/egress to your new shiny ISP. 

>
> I am of the view that networks large enough to require more than a /8 v4 for 
> a private network, would be in the
> position to move towards IPv6-only. Meta has already achieved this
> (https://engineering.fb.com/2017/01/17/production-engineering/legacy-support-on-ipv6-only-infra/)
>  by rolling
> out dual-stack on their existing nodes and enabling new nodes as
> IPv6-only.

Any network of any size can justify using IPv6.

You will though face some old telco monopolistic / Tier 1 incumbencies
who find their benefit in networking is to be as anti social to fellow
networks as their lack of imagination on the value of connectivity can
facilitate and regret they can't charge time and distance but very happy
to charge on ingress and egress. 

>I cannot think of a bigger waste of
> resources that have the possibility of being publicly used, than to allocate 
> an additional 16 x /8 to RFC1918
> space.
>

I expect it would take many years for 240/4 to have universal
routing  as a public resource. That maybe the first challenge to get it through 
IETF

The other challenge is that the block is currently marked experimental
and really if you want to make a plan to use all or part of that
block. Then that should be for experimental purposes.

Just saying it is now public isn't really an innovation. 

Also once reallocated its lost to future experimental uses. 

> The same argument could be had about using larger than a /8 for private 
> networking. Why not use IPv6?
>

well now you are speaking hexadecimal! 

> Regards,
> Christopher Hawker


best

Christian 
> -
> From: Christian de Larrinaga 
> Sent: Wednesday, February 14, 2024 11:51 PM
> To: Christopher Hawker 
> Cc: Denis Fondras ; nanog@nanog.org 
> Subject: Re: The Reg does 240/4 
>  
> excuse top posting -
>
> I don't see a case for shifting 240/4 into public IP space if it is just
> going to sustain the rentier sinecures of the existing IPv4
> incumbencies. In other words if RIRs don't use it boost new entrants it
> will just add another knot to the stranglehold we are in vis IPv4. 
>
> I can see a potential case for shifting it from experimental to private
> space given the fact that "the rest of us" without public IP space and
> natted behind CGNATs have taken to use IPv4 for wireguard, containers,
> zero configs and so on, to tie our various locations, services and
> applications together within our own private distributed nets and expose
> our services for public consumption over IPv6.
>
> C
>
> Christian de Larrinaga
>
> Christian Christopher Hawker  writes
>
>> Hi Denis,
>>
>> It will only be burned through if RIR communities change policies to allow 
>> for larger delegations than what is
>> currently in place. I believe that some level of change is possible whilst 
>> limiting the exhaustion rate, e.g. allowing
>> for delegations up to a maximum holding of a /22, however we shouldn't go 
>> crazy (for want of a better phrase)
>> and allow for delegations of a /20, /19 etc.
>>
>> If this was only going to give us a potential 1-3 years' worth of space, 
>> then I would agree in saying that it is a
> waste
>> of time, would take far too long to make the space usable and wouldn't be 
>> worth it. However, as long as we
> don't
>> get greedy, change the maximum allowed delegation to large delegations, and 
>> every Tom/Dick/Harry applying
>> for a /16 allocation then 240/4 will last us a lengthy amount of time, at 
>> least a few decades.
>>
>> Regards,
>> Christopher Hawker
>> -
>> From: NANOG  on behalf of 
>> Denis Fondras via NANOG
>> 
>> Sent: Wednesday, February 14, 2024 11:10 PM
>> To: nanog@nanog.org 
>> Subject: Re: The Reg does 240/4 
>>  
>> Le Tue, Feb 13, 2024 at 03:24:21PM -0800, David Conrad a écrit :
>>> This doesn’t seem all that positive to me, particularly because it’s 
>>> temporary
>>> since the underlying problem (limited resource, unlimited demand) cannot be
>>> addressed.
>>> 
>>
>> I agree with this.
>> Yet I am in favor of changing the status of 240/4, just so it can get burned
>> fast, we stop this endless discussion and can start to deploy IPv6 again.
>>
>> Denis


-- 
Christian de Larrinaga 

Re: The Reg does 240/4

[Mike Hammett]

" Does any IPv6 enabled ISP provide PTR records for mail servers?" 


I think people will conflate doing so at ISP-scale and doing so at residential 
hobbiyst scale (and everything in between). One would expect differences in 
outcomes of attempting PTR records in DIA vs. broadband. 



"How does Google handle mail from an IPv6 server?" 


A few people have posted that it works for them, but unless it has changed 
recently, per conversations on the mailop mailing list, Google does not treat 
IPv6 and IPv4 mail the same and that causes non-null issues. 



- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Stephen Satchell"  
To: nanog@nanog.org 
Sent: Wednesday, February 14, 2024 8:25:03 PM 
Subject: Re: The Reg does 240/4 

On 2/14/24 4:23 PM, Tom Samplonius wrote: 
> The best option is what is happening right now: you can’t get new IPv4 
> addresses, so you have to either buy them, or use IPv6. The free market 
> is solving the problem right now. Another solution isn’t needed. 

Really? How many mail servers are up on IPv6? How many legacy mail 
clients can handle IPv6? How many MTA software packages can handle IPv6 
today "right out of the box" without specific configuration? 

Does any IPv6 enabled ISP provide PTR records for mail servers? 

How does Google handle mail from an IPv6 server? 

The Internet is not just the Web. 

Re: The Reg does 240/4

[Mike Hammett]

" Think how many more sites could have IPv6 capability already if this wasted 
effort had been put into that, instead. " 


My assumption is not many because the people talking about this likely either 
already have or will not deploy IPv6. Those that are willing to deploy IPv6, 
but have not are too busy to be engaging in the conversation. Well, mostly. 





- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Owen DeLong via NANOG"  
To: "Christopher Hawker"  
Cc: "North American Operators' Group"  
Sent: Wednesday, February 14, 2024 11:23:35 AM 
Subject: Re: The Reg does 240/4 



This gift from the bad idea fairy just keeps on giving. You’ve presented your 
case numerous times. The IETF has repeatedly found no consensus for it and yet 
you persist. 


Think how many more sites could have IPv6 capability already if this wasted 
effort had been put into that, instead. 


Owen 





On Feb 13, 2024, at 14:16, Christopher Hawker  wrote: 







Hi Tom, 


We aren't trying to have a debate on this. All we can do is present our case, 
explain our reasons and hope that we can gain a consensus from the community. 


I understand that some peers don't like the idea of this happening and yes we 
understand the technical work behind getting this across the line. It's easy 
enough for us to say "this will never happen" or to put it into the "too hard" 
basket, however, the one thing I can guarantee is that will never happen, if 
nothing is done. 


Let's not think about ourselves for a moment, and think about the potential 
positive impact that this could bring. 


Regards, 
Christopher Hawker 


From: Tom Beecher  
Sent: Wednesday, February 14, 2024 1:23 AM 
To: Christopher Hawker  
Cc: North American Operators' Group ; aus...@lists.ausnog.net 
; Christopher Hawker via sanog ; 
apnic-t...@lists.apnic.net  
Subject: Re: The Reg does 240/4 




Now, we know there's definitely going to be some pushback on this. This won't 
be easy to accomplish and it will take some time. 




It won't ever be 'accomplished' by trying to debate this in the media. 


On Tue, Feb 13, 2024 at 5:05 AM Christopher Hawker < ch...@thesysadmin.au > 
wrote: 





Hello all, 


[Note: I have cross-posted this reply to a thread from NANOG on AusNOG, SANOG 
and APNIC-Talk in order to invite more peers to engage in the discussion on 
their respective forums.] 


Just to shed some light on the article and our involvement... 


Since September 1981, 240/4 has been reserved for future use, see 
https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml . 
This space has always been reserved for future use and given the global 
shortage of available space for new network operators we feel it is appropriate 
for this space to be reclassified as Unicast space available for delegation by 
IANA/PTI to RIRs on behalf of ICANN. 


At present, the IP space currently available for RIRs to delegate to new 
members is minimal, if any at all. The primary goal of our call for change is 
to afford smaller players who are wanting to enter the industry the opportunity 
to do so without having to shell out the big dollars for space. Although I do 
not agree with IP space being treated as a commodity (as this was not what it 
was intended to be), those who can afford to purchase space may do so and those 
who cannot should be able to obtain space from their respective RIR without 
having to wait over a year in some cases just to obtain space. It's not 
intended to flood the market with resources that can be sold off to the highest 
bidder, and this can very well be a way for network operators to plan to 
properly roll out IPv6. At this point in time, the uptake and implementation of 
IPv6 is far too low (only 37% according to https://stats.labs.apnic.net/ipv6 ) 
for new networks to deploy IPv6 single-stack, meaning that we need to continue 
supporting IPv4 deployments. 


The reallocation of IPv4 space marked as Future Use would not restrict or 
inhibit the deployment of IPv6, if anything, in our view it will help the 
deployment through allowing these networks to service a greater number of 
customers than what a single /24 v4 prefix will allow. Entire regions of an 
economy have the potential to be serviced by a single /23 IPv4 prefix when used 
in conjunction with IPv6 space. 


Now, some have argued that we should not do anything with IPv4 and simply let 
it die out. IPv4 will be around for the foreseeable future and while it is, we 
need to allow new operators to continue deploying networks. It is unfair of us 
to say "Let's all move towards IPv6 and just let IPv4 die" however the reality 
of the situation is that while we continue to treat it as a commodity and allow 
v6 uptake to progress as slowly as it is, we need to continue supporting it v4. 
Some have also

Re: The Reg does 240/4

[Brian Knight via NANOG]

Depends what size block is being traded. Prices for /16 and larger have been flat since 2021.One thing is for sure: the cost for any size block has not dropped back to 2013 levels.Consider also that providers are starting to pass the charges onto their customers, like $DAYJOB-1 (an NSP) and now AWS this year. Those who may not be trading address blocks are starting to feel the bite.-BrianOn Feb 15, 2024, at 5:31 PM, Tom Beecher  wrote:$/IPv4 address peaked in 2021, and has been declining since. On Thu, Feb 15, 2024 at 16:05 Brian Knight via NANOG  wrote:On 2024-02-15 13:10, Lyndon Nerenberg (VE7TFX/VE6BBM) wrote:
> I've said it before, and I'll say it again:
> 
>   The only thing stopping global IPv6 deployment is
>   Netflix continuing to offer services over IPv4.
> 
> If Netflix dropped IPv4, you would see IPv6 available *everywhere*
> within a month.

As others have noted, and to paraphrase a long-ago quote from this 
mailing list, I'm sure all of Netflix's competitors hope Netflix does 
that.

I remain hopeful that the climbing price of unique, available IPv4 
addresses eventually forces migration to v6. From my armchair, only 
through economics will this situation will be resolved.

> --lyndon

-Brian

Re: IPv6 uptake (was: The Reg does 240/4)

[Stephen Satchell]

On 2/15/24 9:40 PM, Justin Streiner wrote:

The Internet edge and core portion of deploying IPv6 - dual-stack or
otherwise - is fairly easy. I led efforts to do this at a large .edu
starting in 2010/11.  The biggest hurdles are/were/might still be:
1. Coming up with a good address plan that will do what you want and scale
as needed.  It should also be flexible enough to accommodate re-writes if
you think of something that needs to be added/changed down the road 


Several of the resources and books I picked up over the past five years 
discuss this.  At the leaf level, coming up with a address plan is easy. 
 For example, I define two subnets:  one for public access, one for LAN 
use.  Each subnet has 64K addresses, far more than I need.  The firewall 
protects the LANnet



2. For providers who run older kit, v6 support might still be a bit dodgy.
You might also run into things like TCAM exhaustion, neighbor table
exhaustion, etc.  The point at which box X tips over is often not well
defined and depends on your use case and configuration.


Above my use level as a leaf node.  It may explain part of the situation 
I have with my upstream ISP...but I think the problem is more related to 
account management and not a technical one.



3. The last time I checked, v6 support in firewalls and other middle-mile
devices was still poor.  Hopefully that has gotten better in the last 6-7
years.  My current day job doesn't have me touching firewalls, so I haven't
kept up on developments here.  I recall coming up with a base firewall
ruleset for Cisco ASAs to balance security with the functionality v6 needs
to work correctly.  Hopefully firewall vendors have gotten better about
building templates to handle some of the heavy lifting.


In Linux, there have been significant advances in firewall support. 
Part of that support was in the kernel, part was in the tools.  The 
advent of NFT (NFTABLES) further improves things.  My replacement 
firewall design is to use YAML to define the rules; a Python driver 
converts the data into rules to implement the policy.


Can't speak for others.  By the way, instead of improving IPTABLES to 
handle IPv6, the community build IP6TABLES to support IPv6.  I was told 
that all I needed to do with my BASH-implemented firewall driver was to 
add IP6TABLE commands to the existing IPTABLES rules.  I would have done 
that if my upstream provider wasn't so IPv6-hostile.  I think that would 
have been a mistake.



4. Getting people to unlearn the "NAT=Security" mindset that we were forced
to accept in the v4 world.


That was EASY for me to unlearn.  With IPv4, I never had the luxury of 
subnetting large swaths of addresses.  With IPv6, that's easy, even in 
home networks.




That said, I'm thinking about giving up completely on IPv6 -- too many 
hurdles put in the way by my 800-pound-gorilla ISP.  I'm too old to 
fight the battle any more; the ROI isn't worth the effort.  I'll be dead 
before the lack of IPv6 connectivity becomes a personal problem.

Re: IPv6 uptake (was: The Reg does 240/4)

[Justin Streiner]

The Internet edge and core portion of deploying IPv6 - dual-stack or
otherwise - is fairly easy. I led efforts to do this at a large .edu
starting in 2010/11.  The biggest hurdles are/were/might still be:
1. Coming up with a good address plan that will do what you want and scale
as needed.  It should also be flexible enough to accommodate re-writes if
you think of something that needs to be added/changed down the road :)
2. For providers who run older kit, v6 support might still be a bit dodgy.
You might also run into things like TCAM exhaustion, neighbor table
exhaustion, etc.  The point at which box X tips over is often not well
defined and depends on your use case and configuration.
3. The last time I checked, v6 support in firewalls and other middle-mile
devices was still poor.  Hopefully that has gotten better in the last 6-7
years.  My current day job doesn't have me touching firewalls, so I haven't
kept up on developments here.  I recall coming up with a base firewall
ruleset for Cisco ASAs to balance security with the functionality v6 needs
to work correctly.  Hopefully firewall vendors have gotten better about
building templates to handle some of the heavy lifting.
4. Getting people to unlearn the "NAT=Security" mindset that we were forced
to accept in the v4 world.

Thank you
jms

On Thu, Feb 15, 2024 at 8:43 PM John Levine  wrote:

> It appears that Stephen Satchell  said:
> >Several people in NANOG have opined that there are a number of mail
> >servers on the Internet operating with IPv6 addresses.  OK.  I have a
> >mail server, which has been on the Internet for decades.  On IPv4.
> >
> >For the last four years, every attempt to get a PTR record in ip6.arpa
> >from my ISP has been rejected, usually with a nasty dismissive.
>
> I don't think you'll get much disagreement that AT is not a great ISP.
>
> One straightforward workaround is to get an IPv6 tunnel from
> Hurricane. It's free, it works, and they will delegate the rDNS
> anywhere you want. My local ISP doesn't do IPv6 at all (they're a
> rural phone company who of course say you are the only person who's
> ever asked) so until they do, HE is a quite adequate option.
>
> R's,
> John
>

Re: IPv6 uptake (was: The Reg does 240/4)

[John Levine]

It appears that Stephen Satchell  said:
>Several people in NANOG have opined that there are a number of mail 
>servers on the Internet operating with IPv6 addresses.  OK.  I have a 
>mail server, which has been on the Internet for decades.  On IPv4.
>
>For the last four years, every attempt to get a PTR record in ip6.arpa 
>from my ISP has been rejected, usually with a nasty dismissive.

I don't think you'll get much disagreement that AT is not a great ISP.

One straightforward workaround is to get an IPv6 tunnel from
Hurricane. It's free, it works, and they will delegate the rDNS
anywhere you want. My local ISP doesn't do IPv6 at all (they're a
rural phone company who of course say you are the only person who's
ever asked) so until they do, HE is a quite adequate option.

R's,
John

Re: The Reg does 240/4

[Tom Beecher]

$/IPv4 address peaked in 2021, and has been declining since.

On Thu, Feb 15, 2024 at 16:05 Brian Knight via NANOG 
wrote:

> On 2024-02-15 13:10, Lyndon Nerenberg (VE7TFX/VE6BBM) wrote:
> > I've said it before, and I'll say it again:
> >
> >   The only thing stopping global IPv6 deployment is
> >   Netflix continuing to offer services over IPv4.
> >
> > If Netflix dropped IPv4, you would see IPv6 available *everywhere*
> > within a month.
>
> As others have noted, and to paraphrase a long-ago quote from this
> mailing list, I'm sure all of Netflix's competitors hope Netflix does
> that.
>
> I remain hopeful that the climbing price of unique, available IPv4
> addresses eventually forces migration to v6. From my armchair, only
> through economics will this situation will be resolved.
>
> > --lyndon
>
> -Brian
>

Re: The Reg does 240/4

[Brian Knight via NANOG]

On 2024-02-15 13:10, Lyndon Nerenberg (VE7TFX/VE6BBM) wrote:

I've said it before, and I'll say it again:

  The only thing stopping global IPv6 deployment is
  Netflix continuing to offer services over IPv4.

If Netflix dropped IPv4, you would see IPv6 available *everywhere*
within a month.


As others have noted, and to paraphrase a long-ago quote from this 
mailing list, I'm sure all of Netflix's competitors hope Netflix does 
that.


I remain hopeful that the climbing price of unique, available IPv4 
addresses eventually forces migration to v6. From my armchair, only 
through economics will this situation will be resolved.



--lyndon


-Brian

Re: IPv6 uptake (was: The Reg does 240/4)

[Mark Andrews]

Well all that shows is that your ISP  is obstructionist. If they can can enter 
a PTR record or delegate the reverse range to you for your IPv4 server they can 
do it for your IPv6 addresses. In most cases it is actually easier as address 
space is assigned on nibble boundaries (/48, /52, /56, /60, :64) so there isn’t 
a need to do multiple delegations and RFC2317 style “delegations” aren’t needed 
in IPv6. If there is a non nibble assignment just do multiple sequential 
delegations (2, 4 or 8). 

It isn’t hard to type the reverse prefix into a zone then ns then the name of a 
server, bump the serial and reload it.

e.g.

e.b.c.2.6.0.7.d.0.2.2.2.ip6.arpa. ns ns1.example.com.

Good luck.

-- 
Mark Andrews

> On 16 Feb 2024, at 04:48, Stephen Satchell  wrote:
> 
> Several people in NANOG have opined that there are a number of mail servers 
> on the Internet operating with IPv6 addresses.  OK.  I have a mail server, 
> which has been on the Internet for decades.  On IPv4.
> 
> For the last four years, every attempt to get a PTR record in ip6.arpa from 
> my ISP has been rejected, usually with a nasty dismissive.
> 
> Today, I'm trying again to get that all-important PTR record.  If I'm 
> successful, then I expect to have my mail server fully up and running in the 
> IPv6 space within 72 hours, or when the DNS changes propagate, whichever is 
> longer.

Re: mail and IPv6, not The Reg does 240/4

[Tim Howe]

On Wed, 14 Feb 2024 18:25:03 -0800
Stephen Satchell  wrote:

> On 2/14/24 4:23 PM, Tom Samplonius wrote:
> > The best option is what is happening right now:  you can’t get new IPv4
> > addresses, so you have to either buy them, or use IPv6.  The free market
> >   is solving the problem right now.  Another solution isn’t needed.  
> 
> Really?  How many mail servers are up on IPv6?  How many legacy mail 
> clients can handle IPv6?  How many MTA software packages can handle IPv6 
> today "right out of the box" without specific configuration?

Mine have been dual stack for a while (6 years?  8 years? don't
exactly recall).  However, I remember being enough of an early v6
adopter that it was a bit of a challenge to get IPv6 glue records set
up for our DNS servers (that was long before I was brave enough to have
my email servers on v6, though).

> Does any IPv6 enabled ISP provide PTR records for mail servers?

We do, of course, I can't speak for others.  We also
sub-delegate on request.  However, we are small/local and cater to small
businesses.

> How does Google handle mail from an IPv6 server?

I remember Google being where some of my first v6 email was
coming from and going to.

I would advise that if you allow your MTA to attach to all IPv6
addresses that you make sure all of them have REV PTR.  Google, at
least last time I looked, would deny email via IPv6 based solely on REV
PTR errors.  They are more forgiving over v4, but I suspect that
has/had to do with more mature spam filtering considerations on v4 than
v6.
I once made the mistake of not having one of my secondary
addresses set up with a REV PTR and Google rejected any email that came
from that IP.

--TimH

Re: The Reg does 240/4

[Owen DeLong via NANOG]

For everyone’s amusement:
[root@owen log]# grep 'IPv6' maillog | wc -l
2648
[root@owen log]# grep 'IPv4' maillog | wc -l
0


Now admittedly, this isn’t really a fair report because sendmail doesn’t tag 
IPv4 address as “IPv4” like it does IPv6 addresses.

e.g.: Feb 15 19:22:59 owen sendmail[1545111]: STARTTLS=server, relay=localhost 
[IPv6:0:0:0:0:0:0:0:1], version=TLSv1.3, verify=NOT, 
cipher=TLS_AES_256_GCM_SHA384, bits=256/256

A slightly more fair version:
[root@owen log]# grep 'connect from' maillog | wc -l
14547
[root@owen log]# grep 'connect from' maillog | grep IPv6 | wc -l
431


Which shows that 431 of 14547 total connections came via IPv6 during the log 
period (which begins 00:00:39 UTC Feb. 11) and continues to the time of this 
writing.

However, that is overly generous to IPv4 because a much higher percentage of 
the connections on IPv6 result in actual mail transfer while many of the IPv4 
connections are various failed authentication attempts, attempts to deliver 
rejected (SPAM, other) messages, and other various failures to complete the 
delivery process (disconnects after EHLO, etc.).

As stated earlier, approximately 40% of all mail received by my MTA arrives 
over IPv6.

FWIW, most of my netflix viewing is done via IPv6 as well.

turning off IPv4 is a tall order and a huge risk for Netflix to take, so I 
don’t see that happening. You’re not wrong about the likely impact, but it 
would be a rough contest between ISPs telling their customers “Netflix turned 
us off, blame them” and Netflix telling its customers “We’re no longer 
supporting the legacy internet protocol and your ISP needs to modernize.”. In 
the end it likely turns into a pox on both their houses and the ISPs in 
question and Netflix both lose a bunch of customers in the process.

OTOH, as new products come out that are unable to get IPv4 and are delivered 
over IPv6 only, this will eventually have roughly the same effect without the 
avoidable business risk involved in Netflix leading the way. this is my primary 
argument against the proposal, it will further delay this inevitability which, 
in turn, prolongs the pain period of this transition. While a handful of new 
entrants might benefit in some way in the short term from such a thing, in the 
long term, it’s actually harmful to everyone overall.

Owen


> On Feb 15, 2024, at 11:10, Lyndon Nerenberg (VE7TFX/VE6BBM) 
>  wrote:
> 
> I've said it before, and I'll say it again:
> 
>  The only thing stopping global IPv6 deployment is
>  Netflix continuing to offer services over IPv4.
> 
> If Netflix dropped IPv4, you would see IPv6 available *everywhere*
> within a month.
> 
> --lyndon

Re: The Reg does 240/4

[William Herrin]

On Thu, Feb 15, 2024 at 11:10 AM Lyndon Nerenberg (VE7TFX/VE6BBM)
 wrote:
> I've said it before, and I'll say it again:
>
>   The only thing stopping global IPv6 deployment is
>   Netflix continuing to offer services over IPv4.
>
> If Netflix dropped IPv4, you would see IPv6 available *everywhere*
> within a month.

If only a couple of large businesses would slit their throats by
refusing to service a large swath of their paying customers, IPv6
deployment would surely accelerate.


-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/

Re: mail and IPv6, not The Reg does 240/4

[Matthew McGehrin]

Tom,

The solution is easy, just have a dual-stack MX record.

$ host gmail-smtp-in.l.google.com.
gmail-smtp-in.l.google.com has address 172.253.115.26
gmail-smtp-in.l.google.com has IPv6 address 2607:f8b0:4004:c06::1a

Servers using IPv6 connect to IPv6 as needed.

Matthew

On 2/14/2024 9:26 PM, John Levine wrote:
> It appears that Stephen Satchell  said:
>> On 2/14/24 4:23 PM, Tom Samplonius wrote:
>>> The best option is what is happening right now:  you can’t get new IPv4
>>> addresses, so you have to either buy them, or use IPv6.  The free market
>>>is solving the problem right now.  Another solution isn’t needed.
>> Really?  How many mail servers are up on IPv6?  How many legacy mail
>> clients can handle IPv6?  How many MTA software packages can handle IPv6
>> tod

Re: The Reg does 240/4

[Lyndon Nerenberg (VE7TFX/VE6BBM)]

I've said it before, and I'll say it again:

  The only thing stopping global IPv6 deployment is
  Netflix continuing to offer services over IPv4.

If Netflix dropped IPv4, you would see IPv6 available *everywhere*
within a month.

--lyndon

Re: The Reg does 240/4

[Lyndon Nerenberg (VE7TFX/VE6BBM)]

> >  How many legacy mail clients can handle IPv6?

I would suspect all of them, since MUAs, by definition, are not
involved in any mail transport operations.  But if you're thinking
of MUAs that use Submission, they are unlikely to care one whit
what the underlying transport is.  You configure a submission
hostname, and the client just hands that off to the underlying OS
to deal with.  It doesn't care what parameters are passed to the
connect() call under the hood.

As for mail servers handling v6 out of the box, I am not familiar
with *any* currently shipping MTA that does NOT do v6 with no
configuration required.

--lyndon

IPv6 uptake (was: The Reg does 240/4)

[Stephen Satchell]

Several people in NANOG have opined that there are a number of mail 
servers on the Internet operating with IPv6 addresses.  OK.  I have a 
mail server, which has been on the Internet for decades.  On IPv4.


For the last four years, every attempt to get a PTR record in ip6.arpa 
from my ISP has been rejected, usually with a nasty dismissive.


Today, I'm trying again to get that all-important PTR record.  If I'm 
successful, then I expect to have my mail server fully up and running in 
the IPv6 space within 72 hours, or when the DNS changes propagate, 
whichever is longer.

Re: The Reg does 240/4

[Tom Beecher]

>
> This is the first time we've presented this case so I'm uncertain as to
> how you've come to the conclusion that I've "presented [my] case numerous
> times" and that we "continue to persist".


This may be the first time your group has presented your opinions on 240/4,
but you are not the first. It's been brought up at IETF multiple times,
multiple drafts submitted, multiple debates / convos / arguments had.

At the end of the day, the following is still true.

1. Per RFC2860, IANA maintains the registry of IPv4 allocations to RIRs,
and the IPv4 Special Address Space Registry.
2. The IPv4 Special Address Space Registry records 240.0.0.0/4 as Reserved
, per RFC1112, Section 4.
3. Any changes to the IPv4 Special Address Space Registry require IETF
Review , RFC7249, Section 2.2.
4. IETF Review is defined in RFC5226.

In summation, the status of 240/4 CAN ONLY be changed IF the IETF process
results in an RFC that DIRECTS IANA to update the IPv4 Special Address
Space Registry. To date, the IETF process has not done so.

Making the case on mailing lists , forums, or media outlets may try to win
hearts and minds, but unless the IETF process is engaged with, nothing will
change. Of course, some will want to reply that 'the IETF are meanies and
don't want to do what we want'. All I'd say to that is , welcome to the
process of making / changing internet standards.  :)



On Thu, Feb 15, 2024 at 6:29 AM Christopher Hawker 
wrote:

> Owen,
>
> This is the first time we've presented this case so I'm uncertain as to
> how you've come to the conclusion that I've "presented [my] case numerous
> times" and that we "continue to persist".
>
> I also don't know how us diverting energy from 240/4 towards IPv6
> deployment in privately-owned networks will help. People cannot be made to
> adopt IPv6 (although IMO they should) and until they are ready to do so we
> must continue to support IPv4, for new and existing networks. While we can
> encourage and help people move towards IPv6 we can't force adoption through
> prevention of access to IPv4.
>
> Regards,
> Christopher Hawker
> --
> *From:* Owen DeLong 
> *Sent:* Thursday, February 15, 2024 4:23 AM
> *To:* Christopher Hawker 
> *Cc:* Tom Beecher ; North American Operators' Group <
> nanog@nanog.org>
> *Subject:* Re: The Reg does 240/4
>
> This gift from the bad idea fairy just keeps on giving. You’ve presented
> your case numerous times. The IETF has repeatedly found no consensus for it
> and yet you persist.
>
> Think how many more sites could have IPv6 capability already if this
> wasted effort had been put into that, instead.
>
> Owen
>
>
> On Feb 13, 2024, at 14:16, Christopher Hawker 
> wrote:
>
> 
> Hi Tom,
>
> We aren't trying to have a debate on this. All we can do is present our
> case, explain our reasons and hope that we can gain a consensus from the
> community.
>
> I understand that some peers don't like the idea of this happening and yes
> we understand the technical work behind getting this across the line. It's
> easy enough for us to say "this will never happen" or to put it into the
> "too hard" basket, however, the one thing I can guarantee is that will
> never happen, if nothing is done.
>
> Let's not think about ourselves for a moment, and think about the
> potential positive impact that this could bring.
>
> Regards,
> Christopher Hawker
> --
> *From:* Tom Beecher 
> *Sent:* Wednesday, February 14, 2024 1:23 AM
> *To:* Christopher Hawker 
> *Cc:* North American Operators' Group ;
> aus...@lists.ausnog.net ; Christopher Hawker via
> sanog ; apnic-t...@lists.apnic.net <
> apnic-t...@lists.apnic.net>
> *Subject:* Re: The Reg does 240/4
>
>
> Now, we know there's definitely going to be some pushback on this. This
> won't be easy to accomplish and it will take some time.
>
>
>  It won't ever be 'accomplished' by trying to debate this in the media.
>
> On Tue, Feb 13, 2024 at 5:05 AM Christopher Hawker 
> wrote:
>
> Hello all,
>
> [Note: I have cross-posted this reply to a thread from NANOG on AusNOG,
> SANOG and APNIC-Talk in order to invite more peers to engage in the
> discussion on their respective forums.]
>
> Just to shed some light on the article and our involvement...
>
> Since September 1981, 240/4 has been reserved for future use, see
> https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml.
> This space has always been reserved for future use and given the global
> shortage of available space for new network operators we feel it is
> appropriate for this space to be reclassified as Unicast space available
> for delega

Re: The Reg does 240/4

[Owen DeLong via NANOG]

> On Feb 15, 2024, at 03:29, Christopher Hawker  wrote:
> 
> 
> Owen,
> 
> This is the first time we've presented this case so I'm uncertain as to how 
> you've come to the conclusion that I've "presented [my] case numerous times" 
> and that we "continue to persist".
> 
It may be your first time at bat, but this proposal has been rejected in the 
IETF many times before over at least 2 decades. 

> I also don't know how us diverting energy from 240/4 towards IPv6 deployment 
> in privately-owned networks will help. People cannot be made to adopt IPv6 
> (although IMO they should) and until they are ready to do so we must continue 
> to support IPv4, for new and existing networks. While we can encourage and 
> help people move towards IPv6 we can't force adoption through prevention of 
> access to IPv4.

Actually, no,  no we should not continue to support IPv4. The sooner there are 
real world consequences to those networks that have failed to implement IPv6, 
the sooner they will finally do so. 

Unfortunately, yes, this will be temporarily painful to new entrants that are 
IPv6 only until there is a sufficient critical mass of them to drive the 
remaining (and ever decreasing) IPv4 only networks to finally act. 

Delaying that inevitability only prolongs this pain and does not improve or 
promote any common good. 

Owen

Re: The Reg does 240/4

[Owen DeLong via NANOG]

> On Feb 14, 2024, at 18:25, Stephen Satchell  wrote:
> 
> On 2/14/24 4:23 PM, Tom Samplonius wrote:
>> The best option is what is happening right now:  you can’t get new IPv4
>> addresses, so you have to either buy them, or use IPv6.  The free market
>>  is solving the problem right now.  Another solution isn’t needed.
> 
> Really?  How many mail servers are up on IPv6?  How many legacy mail clients 
> can handle IPv6?  How many MTA software packages can handle IPv6 today "right 
> out of the box" without specific configuration?

Quite a few, actually. About 40% of my email comes and goes via IPv6. 

Sendai, postfix, outlook, and several others all handle IPv6 without need for 
any more IPv6 specific configuration than is required for IPv4. 

> 
> Does any IPv6 enabled ISP provide PTR records for mail servers?

Yes. Most of the transit providers I deal with offer ip6.arpa delegation at 
least. You can either stand up your own NS or use any of a variety of free DNS 
providers to host that delegation. 

> 
> How does Google handle mail from an IPv6 server?

So far I’ve had no issues exchanging mail with Google, Yahoo, or MSN (former 
Hotmail) on IPv6. 

> 
> The Internet is not just the Web.

True. Guess what… SSH, VNC, SMTP, IMAP, and many other things are working just 
fine on IPv6. 

IPv6 isn’t just the web either. IPv6 is the modern internet. 

Owen

Re: The Reg does 240/4

[Owen DeLong via NANOG]

There is one other mechanism available that has not yet come into play. One 
which this proposal seeks to further delay. In fact IMHO, the one that is most 
likely to ultimately succeed…

At some point new entrants will be unable to obtain IPv4. When there is a 
sufficient critical mass of those that IPv4 only sites cannot reach, those 
sites will be faced with an ROI on IPv6 deployment they can no longer ignore. 

Hence, not only is this bad idea a waste of effort, but it’s actually harmful 
in the short, medium, and long terms. 

Owen


> On Feb 14, 2024, at 15:35, Christopher Hawker  wrote:
> 
> 
> John,
> 
> If you feel that it is wasted time, you are welcome to not partake in the 
> discussion. Your remarks have been noted.
> 
> It's all well and good to say that "more sites could have IPv6 if time wasn't 
> being wasted on 240/4" however we can only do so much regarding the 
> deployment of v6 within networks we manage. All we can do is educate people 
> on the importance of IPv6 uptake, we can not force people to adopt it. The 
> only way to rapidly accelerate the uptake of IPv6 is for networks is to 
> either offer better rates for v6 transit, or disable v4 connectivity 
> completely.
> 
> Otherwise v6 connectivity is going to dawdle at the current rate it is.
> 
> Regards,
> Christopher Hawker
> From: NANOG  on behalf of John 
> Levine 
> Sent: Thursday, February 15, 2024 10:11 AM
> To: nanog@nanog.org 
> Subject: Re: The Reg does 240/4
>  
> It appears that William Herrin  said:
> >On Wed, Feb 14, 2024 at 9:23 AM Owen DeLong via NANOG  
> >wrote:
> >> Think how many more sites could have IPv6 capability already if this 
> >> wasted effort had been put into that, instead.
> >
> >"Zero-sum bias is a cognitive bias towards zero-sum thinking;
> 
> Well, OK, think how many more sites could hav IPv6 if people weren't
> wasting time arguing about this nonsense.
> 
> R's,
> John
> 
> 

Re: The Reg does 240/4

[William Herrin]

On Thu, Feb 15, 2024 at 3:08 AM Christopher Hawker  wrote:
> The idea to this is to allow new networks to emerge
> onto the internet, without potentially having to fork
> out substantial amounts of money.

Hi Chris,

I think that would be the worst possible use for 240/4. The last thing
new entrants need is IP address space with complex and quirky legacy
issues.

No-sale on the money issue too. I did a cost analysis years ago on the
money involved in "the rest of us" accepting a route announcement into
the DFZ. The short version is that if you can't afford IPv4 addresses
at the current market prices, you don't belong here. Your presence
with a /24 will collectively cost us more than you spent, just in the
first year.

Regards,
Bill Herrin


-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/

Re: The Reg does 240/4

[Chris Adams]

Once upon a time, Christopher Hawker  said:
> The idea to this is to allow new networks to emerge onto the internet, 
> without potentially having to fork out substantial amounts of money.

There is a substatial amount of money involved in trying to make 240/4
usable on the Internet.  Network equipment vendors, software vendors,
and companies and users currently operating on the Internet will have to
spend time and money to make that happen.

So basically, you are looking for everyone currently involved in the
Internet operations to subsidize these theoretical new companies, which
may be competitors, may or may not succeed (lots of new companies fail
for reasons unrelated to IPv4 address space cost), etc.

Are you also looking for new rules to impose additional limits on
transfers of 240/4 space?  Because since you want this space to go to
new companies, a bunch of them will fail (as a lot of companies do not
succeed) and be bought out by existing larger companies, just shifting
that 240/4 space right back into the same hands.  In fact, it would be
an obvious incentive to start a venture that can qualify for 240/4
space, only to turn around and sell the business to a pre-existing
company that wants more IPv4 space.

If you want 240/4 to be reserved for these new companies, you haven't
identified ANY reason for ANY existing company or user to exert any
resources, other than "but I want it".
-- 
Chris Adams 

Re: The Reg does 240/4

[Christopher Hawker]

Owen,

This is the first time we've presented this case so I'm uncertain as to how 
you've come to the conclusion that I've "presented [my] case numerous times" 
and that we "continue to persist".

I also don't know how us diverting energy from 240/4 towards IPv6 deployment in 
privately-owned networks will help. People cannot be made to adopt IPv6 
(although IMO they should) and until they are ready to do so we must continue 
to support IPv4, for new and existing networks. While we can encourage and help 
people move towards IPv6 we can't force adoption through prevention of access 
to IPv4.

Regards,
Christopher Hawker

From: Owen DeLong 
Sent: Thursday, February 15, 2024 4:23 AM
To: Christopher Hawker 
Cc: Tom Beecher ; North American Operators' Group 

Subject: Re: The Reg does 240/4

This gift from the bad idea fairy just keeps on giving. You’ve presented your 
case numerous times. The IETF has repeatedly found no consensus for it and yet 
you persist.

Think how many more sites could have IPv6 capability already if this wasted 
effort had been put into that, instead.

Owen


On Feb 13, 2024, at 14:16, Christopher Hawker  wrote:


Hi Tom,

We aren't trying to have a debate on this. All we can do is present our case, 
explain our reasons and hope that we can gain a consensus from the community.

I understand that some peers don't like the idea of this happening and yes we 
understand the technical work behind getting this across the line. It's easy 
enough for us to say "this will never happen" or to put it into the "too hard" 
basket, however, the one thing I can guarantee is that will never happen, if 
nothing is done.

Let's not think about ourselves for a moment, and think about the potential 
positive impact that this could bring.

Regards,
Christopher Hawker

From: Tom Beecher 
Sent: Wednesday, February 14, 2024 1:23 AM
To: Christopher Hawker 
Cc: North American Operators' Group ; aus...@lists.ausnog.net 
; Christopher Hawker via sanog ; 
apnic-t...@lists.apnic.net 
Subject: Re: The Reg does 240/4

Now, we know there's definitely going to be some pushback on this. This won't 
be easy to accomplish and it will take some time.

 It won't ever be 'accomplished' by trying to debate this in the media.

On Tue, Feb 13, 2024 at 5:05 AM Christopher Hawker 
mailto:ch...@thesysadmin.au>> wrote:
Hello all,

[Note: I have cross-posted this reply to a thread from NANOG on AusNOG, SANOG 
and APNIC-Talk in order to invite more peers to engage in the discussion on 
their respective forums.]

Just to shed some light on the article and our involvement...

Since September 1981, 240/4 has been reserved for future use, see 
https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml. 
This space has always been reserved for future use and given the global 
shortage of available space for new network operators we feel it is appropriate 
for this space to be reclassified as Unicast space available for delegation by 
IANA/PTI to RIRs on behalf of ICANN.

At present, the IP space currently available for RIRs to delegate to new 
members is minimal, if any at all. The primary goal of our call for change is 
to afford smaller players who are wanting to enter the industry the opportunity 
to do so without having to shell out the big dollars for space. Although I do 
not agree with IP space being treated as a commodity (as this was not what it 
was intended to be), those who can afford to purchase space may do so and those 
who cannot should be able to obtain space from their respective RIR without 
having to wait over a year in some cases just to obtain space. It's not 
intended to flood the market with resources that can be sold off to the highest 
bidder, and this can very well be a way for network operators to plan to 
properly roll out IPv6. At this point in time, the uptake and implementation of 
IPv6 is far too low (only 37% according to https://stats.labs.apnic.net/ipv6) 
for new networks to deploy IPv6 single-stack, meaning that we need to continue 
supporting IPv4 deployments.

The reallocation of IPv4 space marked as Future Use would not restrict or 
inhibit the deployment of IPv6, if anything, in our view it will help the 
deployment through allowing these networks to service a greater number of 
customers than what a single /24 v4 prefix will allow. Entire regions of an 
economy have the potential to be serviced by a single /23 IPv4 prefix when used 
in conjunction with IPv6 space.

Now, some have argued that we should not do anything with IPv4 and simply let 
it die out. IPv4 will be around for the foreseeable future and while it is, we 
need to allow new operators to continue deploying networks. It is unfair of us 
to say "Let's all move towards IPv6 and just let IPv4 die" however the reality 
of the situation is that while we continue to treat it as a commodity and 

Re: The Reg does 240/4

[Dave Taht]

I attempted with as much nuance and humor as I could muster, to
explain and summarize the ipv4 exhaustion problem, and CGNAT, the
240/4 controversy as well as the need to continue making the IPv6
transition, on this podcast yesterday.

https://hackaday.com/2024/02/14/floss-weekly-episode-769-10-more-internet/

Enjoy.

Re: The Reg does 240/4

[Christopher Hawker]

Hi Christian,

The idea to this is to allow new networks to emerge onto the internet, without 
potentially having to fork out substantial amounts of money.

I am of the view that networks large enough to require more than a /8 v4 for a 
private network, would be in the position to move towards IPv6-only. Meta has 
already achieved this 
(https://engineering.fb.com/2017/01/17/production-engineering/legacy-support-on-ipv6-only-infra/)
 by rolling out dual-stack on their existing nodes and enabling new nodes as 
IPv6-only. I cannot think of a bigger waste of resources that have the 
possibility of being publicly used, than to allocate an additional 16 x /8 to 
RFC1918 space.

The same argument could be had about using larger than a /8 for private 
networking. Why not use IPv6?

Regards,
Christopher Hawker

From: Christian de Larrinaga 
Sent: Wednesday, February 14, 2024 11:51 PM
To: Christopher Hawker 
Cc: Denis Fondras ; nanog@nanog.org 
Subject: Re: The Reg does 240/4

excuse top posting -

I don't see a case for shifting 240/4 into public IP space if it is just
going to sustain the rentier sinecures of the existing IPv4
incumbencies. In other words if RIRs don't use it boost new entrants it
will just add another knot to the stranglehold we are in vis IPv4.

I can see a potential case for shifting it from experimental to private
space given the fact that "the rest of us" without public IP space and
natted behind CGNATs have taken to use IPv4 for wireguard, containers,
zero configs and so on, to tie our various locations, services and
applications together within our own private distributed nets and expose
our services for public consumption over IPv6.


C

Christian de Larrinaga


Christian Christopher Hawker  writes

> Hi Denis,
>
> It will only be burned through if RIR communities change policies to allow 
> for larger delegations than what is
> currently in place. I believe that some level of change is possible whilst 
> limiting the exhaustion rate, e.g. allowing
> for delegations up to a maximum holding of a /22, however we shouldn't go 
> crazy (for want of a better phrase)
> and allow for delegations of a /20, /19 etc.
>
> If this was only going to give us a potential 1-3 years' worth of space, then 
> I would agree in saying that it is a waste
> of time, would take far too long to make the space usable and wouldn't be 
> worth it. However, as long as we don't
> get greedy, change the maximum allowed delegation to large delegations, and 
> every Tom/Dick/Harry applying
> for a /16 allocation then 240/4 will last us a lengthy amount of time, at 
> least a few decades.
>
> Regards,
> Christopher Hawker
> -
> From: NANOG  on behalf of Denis 
> Fondras via NANOG
> 
> Sent: Wednesday, February 14, 2024 11:10 PM
> To: nanog@nanog.org 
> Subject: Re: The Reg does 240/4
>
> Le Tue, Feb 13, 2024 at 03:24:21PM -0800, David Conrad a écrit :
>> This doesn’t seem all that positive to me, particularly because it’s 
>> temporary
>> since the underlying problem (limited resource, unlimited demand) cannot be
>> addressed.
>>
>
> I agree with this.
> Yet I am in favor of changing the status of 240/4, just so it can get burned
> fast, we stop this endless discussion and can start to deploy IPv6 again.
>
> Denis


--
Christian de Larrinaga

Re: The Reg does 240/4

[Christian de Larrinaga via NANOG]

excuse top posting -

I don't see a case for shifting 240/4 into public IP space if it is just
going to sustain the rentier sinecures of the existing IPv4
incumbencies. In other words if RIRs don't use it boost new entrants it
will just add another knot to the stranglehold we are in vis IPv4. 

I can see a potential case for shifting it from experimental to private
space given the fact that "the rest of us" without public IP space and
natted behind CGNATs have taken to use IPv4 for wireguard, containers,
zero configs and so on, to tie our various locations, services and
applications together within our own private distributed nets and expose
our services for public consumption over IPv6.


C

Christian de Larrinaga


Christian Christopher Hawker  writes

> Hi Denis,
>
> It will only be burned through if RIR communities change policies to allow 
> for larger delegations than what is
> currently in place. I believe that some level of change is possible whilst 
> limiting the exhaustion rate, e.g. allowing
> for delegations up to a maximum holding of a /22, however we shouldn't go 
> crazy (for want of a better phrase)
> and allow for delegations of a /20, /19 etc.
>
> If this was only going to give us a potential 1-3 years' worth of space, then 
> I would agree in saying that it is a waste
> of time, would take far too long to make the space usable and wouldn't be 
> worth it. However, as long as we don't
> get greedy, change the maximum allowed delegation to large delegations, and 
> every Tom/Dick/Harry applying
> for a /16 allocation then 240/4 will last us a lengthy amount of time, at 
> least a few decades.
>
> Regards,
> Christopher Hawker
> -
> From: NANOG  on behalf of Denis 
> Fondras via NANOG
> 
> Sent: Wednesday, February 14, 2024 11:10 PM
> To: nanog@nanog.org 
> Subject: Re: The Reg does 240/4 
>  
> Le Tue, Feb 13, 2024 at 03:24:21PM -0800, David Conrad a écrit :
>> This doesn’t seem all that positive to me, particularly because it’s 
>> temporary
>> since the underlying problem (limited resource, unlimited demand) cannot be
>> addressed.
>> 
>
> I agree with this.
> Yet I am in favor of changing the status of 240/4, just so it can get burned
> fast, we stop this endless discussion and can start to deploy IPv6 again.
>
> Denis


-- 
Christian de Larrinaga 

Re: The Reg does 240/4

[Mark Andrews]

> On 15 Feb 2024, at 13:25, Stephen Satchell  wrote:
> 
> On 2/14/24 4:23 PM, Tom Samplonius wrote:
>> The best option is what is happening right now:  you can’t get new IPv4
>> addresses, so you have to either buy them, or use IPv6.  The free market
>>  is solving the problem right now.  Another solution isn’t needed.
> 
> Really?  How many mail servers are up on IPv6?

Lots.

>  How many legacy mail clients can handle IPv6?

Most.  If you are using mbox format there is no change.  The only ones that
don’t handle it are ones that don’t have support for creating IPv6 connections.

>  How many MTA software packages can handle IPv6 today "right out of the box" 
> without specific configuration?

Most.  Really its been 20+ years since IPv6 was added to most of the mail
products that actually use TCP to connect to a mail store or to send email.

Just about the only thing that was needed to be done was to look for 
records in addition to A records after looking up the MX records or to
replace gethostbyname with getnodebyname and then getaddrinfo.  This was a
10 minute job for most developers.

If you publish  records for a service they will be used.

> Does any IPv6 enabled ISP provide PTR records for mail servers?

If they want to send email from those addresses they do.  

> How does Google handle mail from an IPv6 server?

Mostly the same as from IPv4.

> The Internet is not just the Web.

It isn’t.  But you could answer most of these by just looking at the email 
headers in
your own incoming mail.  Email has been delivered over IPv6 for over 2 decades 
now.


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org

Re: mail and IPv6, not The Reg does 240/4

[John Levine]

It appears that Stephen Satchell  said:
>On 2/14/24 4:23 PM, Tom Samplonius wrote:
>> The best option is what is happening right now:  you can’t get new IPv4
>> addresses, so you have to either buy them, or use IPv6.  The free market
>>   is solving the problem right now.  Another solution isn’t needed.
>
>Really?  How many mail servers are up on IPv6?  How many legacy mail 
>clients can handle IPv6?  How many MTA software packages can handle IPv6 
>today "right out of the box" without specific configuration?

These days most of them.  The popular open source sendmail, postfix,
and exim all do.  The mail programs on my Android phone and iPad do.
Thunderbird does.

>Does any IPv6 enabled ISP provide PTR records for mail servers?

I'm not sure what you're asking. Every IPv6 mail server has rDNS since
otherwise nobody would accept its mail, same as IPv4.

>How does Google handle mail from an IPv6 server?

Assuming it's authenticated with SPF or DKIM, better than IPv4. All
the mail between Gmail and my system runs over IPv6.

A fair amount of mail from Hotmail/Outlook arrives over IPv6 as well
which is surprising since they don't publish  records for their
inbound mail.

R's,
John

Re: The Reg does 240/4

[Stephen Satchell]

On 2/14/24 4:23 PM, Tom Samplonius wrote:

The best option is what is happening right now:  you can’t get new IPv4
addresses, so you have to either buy them, or use IPv6.  The free market
  is solving the problem right now.  Another solution isn’t needed.


Really?  How many mail servers are up on IPv6?  How many legacy mail 
clients can handle IPv6?  How many MTA software packages can handle IPv6 
today "right out of the box" without specific configuration?


Does any IPv6 enabled ISP provide PTR records for mail servers?

How does Google handle mail from an IPv6 server?

The Internet is not just the Web.

Re: The Reg does 240/4

[Tom Beecher]

>
> All we can do is educate people on the importance of IPv6 uptake, we can
> not force people to adopt it.
>

At this stage of the game, networks and products that don't support V6
aren't likely to do so unless there is a forcing function to make them do
it. Meaning money.



On Wed, Feb 14, 2024 at 6:35 PM Christopher Hawker 
wrote:

> John,
>
> If you feel that it is wasted time, you are welcome to not partake in the
> discussion. Your remarks have been noted.
>
> It's all well and good to say that "more sites could have IPv6 if time
> wasn't being wasted on 240/4" however we can only do so much regarding the
> deployment of v6 within networks we manage. All we can do is educate people
> on the importance of IPv6 uptake, we can not force people to adopt it. The
> only way to rapidly accelerate the uptake of IPv6 is for networks is to
> either offer better rates for v6 transit, or disable v4 connectivity
> completely.
>
> Otherwise v6 connectivity is going to dawdle at the current rate it is.
>
> Regards,
> Christopher Hawker
> --
> *From:* NANOG  on behalf of
> John Levine 
> *Sent:* Thursday, February 15, 2024 10:11 AM
> *To:* nanog@nanog.org 
> *Subject:* Re: The Reg does 240/4
>
> It appears that William Herrin  said:
> >On Wed, Feb 14, 2024 at 9:23 AM Owen DeLong via NANOG 
> wrote:
> >> Think how many more sites could have IPv6 capability already if this
> wasted effort had been put into that, instead.
> >
> >"Zero-sum bias is a cognitive bias towards zero-sum thinking;
>
> Well, OK, think how many more sites could hav IPv6 if people weren't
> wasting time arguing about this nonsense.
>
> R's,
> John
>
>
>

Re: The Reg does 240/4

[Tom Samplonius]

… The only way to rapidly accelerate the uptake of IPv6 is for networks is to 
either offer better rates for v6 transit, or disable v4 connectivity completely.


This is a false dichotomy:  those aren’t the only two options, nor the best two 
options.

The best option is what is happening right now:  you can’t get new IPv4 
addresses, so you have to either buy them, or use IPv6.  The free market is 
solving the problem right now.  Another solution isn’t needed.

For example, Amazon is charging $0.005 per IPv4 per hour, which is a perfect.  
AWS users can either choose to use IPv4 at that rate, or choose to use IPv6 at 
$0.000 per hour.  And Azure is basically doing the same thing.  See  
https://azure.microsoft.com/en-us/pricing/details/ip-addresses/ and 
https://azure.microsoft.com/en-ca/updates/azure-public-ipv6-offerings-are-free-as-of-july-31/

So just sit back and watch the world re-address to IPv6.  It’s not a race.  


Tom

Re: The Reg does 240/4

[Christopher Hawker]

John,

If you feel that it is wasted time, you are welcome to not partake in the 
discussion. Your remarks have been noted.

It's all well and good to say that "more sites could have IPv6 if time wasn't 
being wasted on 240/4" however we can only do so much regarding the deployment 
of v6 within networks we manage. All we can do is educate people on the 
importance of IPv6 uptake, we can not force people to adopt it. The only way to 
rapidly accelerate the uptake of IPv6 is for networks is to either offer better 
rates for v6 transit, or disable v4 connectivity completely.

Otherwise v6 connectivity is going to dawdle at the current rate it is.

Regards,
Christopher Hawker

From: NANOG  on behalf of John 
Levine 
Sent: Thursday, February 15, 2024 10:11 AM
To: nanog@nanog.org 
Subject: Re: The Reg does 240/4

It appears that William Herrin  said:
>On Wed, Feb 14, 2024 at 9:23 AM Owen DeLong via NANOG  wrote:
>> Think how many more sites could have IPv6 capability already if this wasted 
>> effort had been put into that, instead.
>
>"Zero-sum bias is a cognitive bias towards zero-sum thinking;

Well, OK, think how many more sites could hav IPv6 if people weren't
wasting time arguing about this nonsense.

R's,
John

Re: The Reg does 240/4

[John Levine]

It appears that William Herrin  said:
>On Wed, Feb 14, 2024 at 9:23 AM Owen DeLong via NANOG  wrote:
>> Think how many more sites could have IPv6 capability already if this wasted 
>> effort had been put into that, instead.
>
>"Zero-sum bias is a cognitive bias towards zero-sum thinking; 

Well, OK, think how many more sites could hav IPv6 if people weren't
wasting time arguing about this nonsense.

R's,
John

Re: The Reg does 240/4

[David Conrad]

Christopher,

On Feb 14, 2024, at 4:49 AM, Christopher Hawker  wrote:
> I agree with the fact that introducing this space has the very real risk of 
> it being obtained by the highest bidder. Perhaps I may be naive in believing 
> that we have a possible chance to delegate this space wisely and prevent it 
> from being exhausted at a rather rapid rate, however I can only hope that 
> people will see the potential benefit that this could bring, and policy not 
> being changed to benefit the larger players in the space.
> 
> IP resources were never intended to become a commodity, rather a tool that 
> allowed people to globally connect.

You’re mixing agendas. In earlier messages, you had argued the address space 
should be provided to "new entrants.” However, if IP resource were intended to 
be a tool that allows people to globally connect, then the age/size/previous 
holdings of the organization obtaining the address space shouldn’t matter: what 
matters is whether it is used for connectivity.  Indeed, if you want to 
facilitate the greatest amount of connectivity, it can be (and has been) argued 
the allocations should be made to the larger players since they have more 
resources to put the address space into use, greater reach, larger marketing 
departments, etc. 

(These are the same arguments made at various RIR policy meetings prior to 
runout any time anyone suggested limitations on IPv4 address allocations. The 
nice thing about history repeating itself is that you know when to go out and 
get popcorn.)

> It should never have become a commodity, and it's a shame that it is being 
> treated as such with a price tag put on it.

I suspect any limited resource with unlimited demand is going to end up here. 
You’re arguing against markets. Good luck with that.

Regards,
-drc

Re: The Reg does 240/4

[William Herrin]

On Wed, Feb 14, 2024 at 9:23 AM Owen DeLong via NANOG  wrote:
> Think how many more sites could have IPv6 capability already if this wasted 
> effort had been put into that, instead.

"Zero-sum bias is a cognitive bias towards zero-sum thinking; it is
people's tendency to intuitively judge that a situation is zero-sum,
even when this is not the case. This bias promotes zero-sum fallacies,
false beliefs that situations are zero-sum. Such fallacies can cause
other false judgements and poor decisions."

https://en.wikipedia.org/wiki/Zero-sum_thinking

Regards,
Bill Herrin


-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/

Re: The Reg does 240/4

[Stephen Satchell]

On 2/14/24 9:30 AM, Owen DeLong via NANOG wrote:

That experiment already failed with the original v6 adoption process.
It’s been more than 20 years and all we have proven is that as long as
people can have an excuse to avoid v6 deployment, they will continue to
do so.

Giving them another 20 years of excuses is a step against the collective
  good IMHO.


I agree with you, based on my experience with several Internet 
providers.  One of the biggest issues I have seen is a lack of a case to 
adopt IPv6 widely and completely.  The management of the upper level 
providers ask this question: what is the return on the investment? 
Until that is convincingly answered, the foot-dragging of IPv6 adoption 
will continue.


In my particular case, it's the complete lack of support by my upstream 
provider.  Yes, they offer IPv6 connectivity.  No, they don't offer 
guaranteed public IPv6 address space.  No, they don't provide the same 
support for IPv6 that they do for IPv4.  I had to pull toenails to get 
enough information to bring up a Web server in IPv6.  It took getting a 
business fiber account to even get the bare minimum -- and I had to get 
a little creative to get the rest of the details that my ISP didn't provide.


What is the big thing missing, beside public IPv6 space?


$ dig -x 2600:1700:79b0:ddc0::3

; <<>> DiG 9.16.1-Ubuntu <<>> -x 2600:1700:79b0:ddc0::3
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44020
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.c.d.d.0.b.9.7.0.0.7.1.0.0.6.2.ip6.arpa. IN 
PTR


Now, this is my web server's address.  My mail server's proposed IPv6 
address, is only one digit away.  Can I get a PTR record for it?  No. 
Can I get a delegation for my IPv6 address range?  No.  "We don't 
support IPv6."  That has been the refrain since 2018.  It's 2024 -- you 
do the math.


We are talking about a fairly large many-customer three-letter company, 
not some hole in the wall back-room operation.


Could I handle a delegation?  Yes.  Putting up a DNS server is child's 
play.  On a box with a public IP address.  That is not the barrier.


Now, I can't speak for all companies.  For example, I have no clue what 
support and services Hurricane Electric provides to its customers with 
regard to IPv6, even though I've seen many mentions of HE over the decades.


When the community wants to get serious about advancing the deployment 
of IPv6, the community itself needs to buy into IPv6.  At least one big 
player isn't interested.

Re: The Reg does 240/4

[Owen DeLong via NANOG]

> 
> 1. RIRs, following 
> https://www.icann.org/resources/pages/allocation-ipv4-rirs-2012-02-25-en, 
> would request new /8s, and receive those allocations.

I don’t think this applies any more. I could be wrong, but I think based on 
current practice, IANA would simply distribute 3 of the 16 /8s to each of the 
RIRs. 

That’s been the process for recovered blocks since the last 5 /8s from the free 
pool were distributed. 

> 2. Entities[*] with pent up demand would submit requests and have those 
> requests filled by the RIRs

Which would rapidly deplete that space in most RIRs and leave an abundance of 
wasted space sitting on the shelf in a couple of RIRs with policies that 
prolong the shortage on the pretense that it enhances the useful life of IPv4. 

> 3. While more /8s in 240/4 remain, go to step 1

Or not. (See my comment on step 1)

> 4. Return to status quo ante.

Which happens almost immediately for IANA and soon thereafter in most RIRs. 

> 
> In other words, while the IANA free pool is not (again) empty, network 
> operators would be able to get IPv4 address space at a fraction of the market 
> price, and then we’d go back to the way things are now.
> 
> This suggests the length of time the primary benefit (cheap IPv4 addresses) 
> would be enjoyed depends on RIR allocation policies.  ISTR a comment from you 
> earlier suggesting that based on current consumption rates, 240/4 would 
> fulfill needs for 50 years.  However, this appears to assume that current 
> “soft landing” (etc) policies would remain in place.  Why would you assume 
> that?  I would imagine there would be non-trivial pressure from the RIR 
> memberships to return to the pre-runout policy regime which was burning 
> through multiple /8s in months. In particular, I’d think the large scale 
> buyers of address space (as well as IP market speculators) who tend to be the 
> most active in RIR policy forums would jump at the opportunity to get “huge 
> tracts of land” at bargain basement prices again.
> 
> This doesn’t seem all that positive to me, particularly because it’s 
> temporary since the underlying problem (limited resource, unlimited demand) 
> cannot be addressed.  What positive impact do you predict?

Here, I 100% agree with David. (Which is quite rare)

Owen

Re: The Reg does 240/4

[Owen DeLong via NANOG]

That experiment already failed with the original v6 adoption process. It’s been 
more than 20 years and all we have proven is that as long as people can have an 
excuse to avoid v6 deployment, they will continue to do so. 

Giving them another 20 years of excuses is a step against the collective good 
IMHO. 

Owen


> On Feb 13, 2024, at 14:43, Christopher Hawker  wrote:
> 
> 
> Per my original email, looking at current exhaustion rates in the APNIC 
> service region, if we stuck to allocating space to new entities and 
> maintained allocating a maximum of a /22 to networks, just 3 x /8 would last 
> over 20 years. This should be a more than sufficient timeframe for a much 
> wider v6 adoption and deployment.
> 
> Regards,
> Christopher Hawker
> From: NANOG  on behalf of 
> Lyndon Nerenberg (VE7TFX/VE6BBM) 
> Sent: Wednesday, February 14, 2024 7:42 AM
> To: North American Operators' Group 
> Subject: Re: The Reg does 240/4
>  
> And what are they going to do when 240/4 runs out?

Re: The Reg does 240/4

[Owen DeLong via NANOG]

This gift from the bad idea fairy just keeps on giving. You’ve presented your case numerous times. The IETF has repeatedly found no consensus for it and yet you persist. Think how many more sites could have IPv6 capability already if this wasted effort had been put into that, instead. OwenOn Feb 13, 2024, at 14:16, Christopher Hawker  wrote:






Hi Tom,




We aren't trying to have a debate on this. All we can do is present our case, explain our reasons and hope that we can gain a consensus from the community.




I understand that some peers don't like the idea of this happening and yes we understand the technical work behind getting this across the line. It's easy enough for us to say "this will never happen" or to put it into the "too hard" basket, however, the one
 thing I can guarantee is that will never happen, if nothing is done.




Let's not think about ourselves for a moment, and think about the potential positive impact that this could bring.




Regards,

Christopher Hawker


From: Tom Beecher 
Sent: Wednesday, February 14, 2024 1:23 AM
To: Christopher Hawker 
Cc: North American Operators' Group ; aus...@lists.ausnog.net ; Christopher Hawker via sanog ; apnic-t...@lists.apnic.net 
Subject: Re: The Reg does 240/4
 




Now, we know there's definitely going to be some pushback on this. This won't be easy to accomplish and it will take some time. 


 It won't ever be 'accomplished' by trying to debate this in the media.



On Tue, Feb 13, 2024 at 5:05 AM Christopher Hawker <ch...@thesysadmin.au> wrote:





Hello all,




[Note: I have cross-posted this reply to a thread from NANOG on AusNOG, SANOG and APNIC-Talk in order to invite more peers to engage in the discussion on their respective forums.]




Just to shed some light on the article and our involvement...



Since September 1981, 240/4 has been reserved for future use, see

https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml. This space has always been reserved for future use and given the global shortage of available space for new network operators we feel it is appropriate for this space to be reclassified
 as Unicast space available for delegation by IANA/PTI to RIRs on behalf of ICANN.



At present, the IP space currently available for RIRs to delegate to new members is minimal, if any at all. The primary
 goal of our call for change is to afford smaller players who are wanting to enter the industry the opportunity to do so without having to shell out the big dollars for space. Although I do not agree with IP space being treated as a commodity (as this was not
 what it was intended to be), those who can afford to purchase space may do so and those who cannot should be able to obtain space from their respective RIR without having to wait over a year in some cases just to obtain space. It's not intended to flood the
 market with resources that can be sold off to the highest bidder, and this can very well be a way for network operators to plan to properly roll out IPv6. At this point in time, the uptake and implementation of IPv6 is far too low (only 37% according to

https://stats.labs.apnic.net/ipv6) for new networks to deploy IPv6 single-stack, meaning that we need to continue supporting IPv4 deployments.


The reallocation of IPv4 space marked as Future Use would not restrict or inhibit the deployment of IPv6, if anything,
 in our view it will help the deployment through allowing these networks to service a greater number of customers than what a single /24 v4 prefix will allow. Entire regions of an economy have the potential to be serviced by a single /23 IPv4 prefix when used
 in conjunction with IPv6 space.


Now, some have argued that we should not do anything with IPv4 and simply let it die out. IPv4 will be around for the
 foreseeable future and while it is, we need to allow new operators to continue deploying networks. It is unfair of us to say "Let's all move towards IPv6 and just let IPv4 die" however the reality of the situation is that while we continue to treat it as a
 commodity and allow v6 uptake to progress as slowly as it is, we need to continue supporting it v4. Some have also argued that networks use this space internally within their infrastructure. 240/4 was always marked as Reserved for Future Use and if network
 operators elect to squat on reserved space instead of electing to deploy v6 across their internal networks then that is an issue they need to resolve, and it should not affect how it is reallocated. It goes against the bottom-up approach of policy development
 by allowing larger network operators to state that this space cannot be made unicast because they are using it internally (even though it's not listed in RFC1918), and its reallocation would affect their networks.


In the APNIC region, there is a policy which only allows for a maximum of a /23 IPv4 prefix to be allocated/assigned to
 new members and any more space required 

Re: The Reg does 240/4

[Ryan Hamel]

Allocating 240/4 only temporarily drives down pricing until it's all assigned, 
then we're all back at square one. Ya know what does not put us back square 
one, nor waste our time? Implementing IPv6.

Ryan Hamel


From: NANOG  on behalf of Christopher 
Hawker 
Sent: Wednesday, February 14, 2024 4:49 AM
To: David Conrad 
Cc: North American Operators' Group 
Subject: Re: The Reg does 240/4

Caution: This is an external email and may be malicious. Please take care when 
clicking links or opening attachments.

Hi David,

I agree with the fact that introducing this space has the very real risk of it 
being obtained by the highest bidder. Perhaps I may be naive in believing that 
we have a possible chance to delegate this space wisely and prevent it from 
being exhausted at a rather rapid rate, however I can only hope that people 
will see the potential benefit that this could bring, and policy not being 
changed to benefit the larger players in the space.

IP resources were never intended to become a commodity, rather a tool that 
allowed people to globally connect. It should never have become a commodity, 
and it's a shame that it is being treated as such with a price tag put on it.

Regards,
Christopher Hawker

From: David Conrad 
Sent: Wednesday, February 14, 2024 1:03 PM
To: Christopher Hawker 
Cc: North American Operators' Group 
Subject: Re: The Reg does 240/4

Christopher,

On Feb 13, 2024, at 4:14 PM, Christopher Hawker  wrote:
This is a second chance to purposefully ration out a finite resource.

Perhaps I’m overly cynical, but other than more players and _way_ more money, 
the dynamics of [limited resource, unlimited demand] don’t appear to have 
changed significantly from the first time around. However, I suspect the real 
roadblock you’ll face in policy discussions (aside from the folks who make 
their money leasing IPv4 addresses) is the argument that efforts to ration and 
thereby extend the life of IPv4 will continue to distort the market and impede 
the only useful signal to network operators regarding the costs of remaining 
with IPv4 compared to supporting IPv6.  Good luck!

Regards,
-drc

Re: The Reg does 240/4

[Christopher Hawker]

Hi David,

I agree with the fact that introducing this space has the very real risk of it 
being obtained by the highest bidder. Perhaps I may be naive in believing that 
we have a possible chance to delegate this space wisely and prevent it from 
being exhausted at a rather rapid rate, however I can only hope that people 
will see the potential benefit that this could bring, and policy not being 
changed to benefit the larger players in the space.

IP resources were never intended to become a commodity, rather a tool that 
allowed people to globally connect. It should never have become a commodity, 
and it's a shame that it is being treated as such with a price tag put on it.

Regards,
Christopher Hawker

From: David Conrad 
Sent: Wednesday, February 14, 2024 1:03 PM
To: Christopher Hawker 
Cc: North American Operators' Group 
Subject: Re: The Reg does 240/4

Christopher,

On Feb 13, 2024, at 4:14 PM, Christopher Hawker  wrote:
This is a second chance to purposefully ration out a finite resource.

Perhaps I’m overly cynical, but other than more players and _way_ more money, 
the dynamics of [limited resource, unlimited demand] don’t appear to have 
changed significantly from the first time around. However, I suspect the real 
roadblock you’ll face in policy discussions (aside from the folks who make 
their money leasing IPv4 addresses) is the argument that efforts to ration and 
thereby extend the life of IPv4 will continue to distort the market and impede 
the only useful signal to network operators regarding the costs of remaining 
with IPv4 compared to supporting IPv6.  Good luck!

Regards,
-drc

Re: The Reg does 240/4

[Christopher Hawker]

Hi Denis,

It will only be burned through if RIR communities change policies to allow for 
larger delegations than what is currently in place. I believe that some level 
of change is possible whilst limiting the exhaustion rate, e.g. allowing for 
delegations up to a maximum holding of a /22, however we shouldn't go crazy 
(for want of a better phrase) and allow for delegations of a /20, /19 etc.

If this was only going to give us a potential 1-3 years' worth of space, then I 
would agree in saying that it is a waste of time, would take far too long to 
make the space usable and wouldn't be worth it. However, as long as we don't 
get greedy, change the maximum allowed delegation to large delegations, and 
every Tom/Dick/Harry applying for a /16 allocation then 240/4 will last us a 
lengthy amount of time, at least a few decades.

Regards,
Christopher Hawker

From: NANOG  on behalf of Denis 
Fondras via NANOG 
Sent: Wednesday, February 14, 2024 11:10 PM
To: nanog@nanog.org 
Subject: Re: The Reg does 240/4

Le Tue, Feb 13, 2024 at 03:24:21PM -0800, David Conrad a écrit :
> This doesn’t seem all that positive to me, particularly because it’s temporary
> since the underlying problem (limited resource, unlimited demand) cannot be
> addressed.
>

I agree with this.
Yet I am in favor of changing the status of 240/4, just so it can get burned
fast, we stop this endless discussion and can start to deploy IPv6 again.

Denis

Re: The Reg does 240/4

[Denis Fondras via NANOG]

Le Tue, Feb 13, 2024 at 03:24:21PM -0800, David Conrad a écrit :
> This doesn’t seem all that positive to me, particularly because it’s temporary
> since the underlying problem (limited resource, unlimited demand) cannot be
> addressed.
> 

I agree with this.
Yet I am in favor of changing the status of 240/4, just so it can get burned
fast, we stop this endless discussion and can start to deploy IPv6 again.

Denis

Re: The Reg does 240/4

[David Conrad]

Christopher,

On Feb 13, 2024, at 4:14 PM, Christopher Hawker  wrote:
> This is a second chance to purposefully ration out a finite resource.

Perhaps I’m overly cynical, but other than more players and _way_ more money, 
the dynamics of [limited resource, unlimited demand] don’t appear to have 
changed significantly from the first time around. However, I suspect the real 
roadblock you’ll face in policy discussions (aside from the folks who make 
their money leasing IPv4 addresses) is the argument that efforts to ration and 
thereby extend the life of IPv4 will continue to distort the market and impede 
the only useful signal to network operators regarding the costs of remaining 
with IPv4 compared to supporting IPv6.  Good luck!

Regards,
-drc

Re: Enough of The Reg does 240/4

[John Levine]

It appears that Tom Beecher  said:
>> We aren't trying to have a debate on this. All we can do is present our
>> case, explain our reasons and hope that we can gain a consensus from the
>> community.
>
>Respectfully, if you're just putting your case out there and hoping that
>people come around to your position, it's never going to happen.

I think we have once again established that repeating a bad idea over
and over and over does not make it any less bad.

Let's argue about something else, OK?

R's,
John

Re: The Reg does 240/4

[Tom Beecher]

>
> We aren't trying to have a debate on this. All we can do is present our
> case, explain our reasons and hope that we can gain a consensus from the
> community.


Respectfully, if you're just putting your case out there and hoping that
people come around to your position, it's never going to happen.

On Tue, Feb 13, 2024 at 5:15 PM Christopher Hawker 
wrote:

> Hi Tom,
>
> We aren't trying to have a debate on this. All we can do is present our
> case, explain our reasons and hope that we can gain a consensus from the
> community.
>
> I understand that some peers don't like the idea of this happening and yes
> we understand the technical work behind getting this across the line. It's
> easy enough for us to say "this will never happen" or to put it into the
> "too hard" basket, however, the one thing I can guarantee is that will
> never happen, if nothing is done.
>
> Let's not think about ourselves for a moment, and think about the
> potential positive impact that this could bring.
>
> Regards,
> Christopher Hawker
> --
> *From:* Tom Beecher 
> *Sent:* Wednesday, February 14, 2024 1:23 AM
> *To:* Christopher Hawker 
> *Cc:* North American Operators' Group ;
> aus...@lists.ausnog.net ; Christopher Hawker via
> sanog ; apnic-t...@lists.apnic.net <
> apnic-t...@lists.apnic.net>
> *Subject:* Re: The Reg does 240/4
>
>
> Now, we know there's definitely going to be some pushback on this. This
> won't be easy to accomplish and it will take some time.
>
>
>  It won't ever be 'accomplished' by trying to debate this in the media.
>
> On Tue, Feb 13, 2024 at 5:05 AM Christopher Hawker 
> wrote:
>
> Hello all,
>
> [Note: I have cross-posted this reply to a thread from NANOG on AusNOG,
> SANOG and APNIC-Talk in order to invite more peers to engage in the
> discussion on their respective forums.]
>
> Just to shed some light on the article and our involvement...
>
> Since September 1981, 240/4 has been reserved for future use, see
> https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml.
> This space has always been reserved for future use and given the global
> shortage of available space for new network operators we feel it is
> appropriate for this space to be reclassified as Unicast space available
> for delegation by IANA/PTI to RIRs on behalf of ICANN.
>
> At present, the IP space currently available for RIRs to delegate to new
> members is minimal, if any at all. The primary goal of our call for change
> is to afford smaller players who are wanting to enter the industry the
> opportunity to do so without having to shell out the big dollars for space.
> Although I do not agree with IP space being treated as a commodity (as this
> was not what it was intended to be), those who can afford to purchase space
> may do so and those who cannot should be able to obtain space from their
> respective RIR without having to wait over a year in some cases just to
> obtain space. It's not intended to flood the market with resources that can
> be sold off to the highest bidder, and this can very well be a way for
> network operators to plan to properly roll out IPv6. At this point in time,
> the uptake and implementation of IPv6 is far too low (only 37% according to
> https://stats.labs.apnic.net/ipv6) for new networks to deploy IPv6
> single-stack, meaning that we need to continue supporting IPv4 deployments.
>
> The reallocation of IPv4 space marked as Future Use would not restrict or
> inhibit the deployment of IPv6, if anything, in our view it will help the
> deployment through allowing these networks to service a greater number of
> customers than what a single /24 v4 prefix will allow. Entire regions of an
> economy have the potential to be serviced by a single /23 IPv4 prefix when
> used in conjunction with IPv6 space.
>
> Now, some have argued that we should not do anything with IPv4 and simply
> let it die out. IPv4 will be around for the foreseeable future and while it
> is, we need to allow new operators to continue deploying networks. It is
> unfair of us to say "Let's all move towards IPv6 and just let IPv4 die"
> however the reality of the situation is that while we continue to treat it
> as a commodity and allow v6 uptake to progress as slowly as it is, we need
> to continue supporting it v4. Some have also argued that networks use this
> space internally within their infrastructure. 240/4 was always marked as
> Reserved for Future Use and if network operators elect to squat on reserved
> space instead of electing to deploy v6 across their internal networks then
> that is an issue they need to resolve, and it should not affect how it is
> reallocated

Re: The Reg does 240/4

[Christopher Hawker]

Hi Bill,

I agree, that a more viable path may be to look at moving it from reserved to 
unicast (which in itself would be relatively easy to accomplish). Once this has 
been done we could then look at possible use-cases for it instead of trying to 
trying to jump 4 steps ahead.

The idea to this discussion is to get feedback/input and talk about this. If 
there is such a strong push away from this from all stakeholders (and not just 
the top 1% of network operators) then it may not be the way to go. Everyone 
needs to be afforded a say.

Regards,
Christopher Hawker

From: William Herrin 
Sent: Wednesday, February 14, 2024 10:06 AM
To: Christopher Hawker 
Cc: North American Operators' Group 
Subject: Re: The Reg does 240/4

On Tue, Feb 13, 2024 at 2:34 PM Christopher Hawker  wrote:
> Having [240/4] reclassified as unicast space is indeed much easier.

Hi Chris,

If I were spending my time on the effort, that's what I'd pursue. It's
a low-impact change with no reasonable counter-argument I've seen. As
you noted, half the vendors already treat it as unicast space anyway.


> With that, comes the argument - what about legacy hardware
> that vendors no longer support, or are out of warranty and no
> longer receive software updates?

What about legacy hardware that doesn't support CIDR? What about the
1990s Sparc Stations that don't have enough ram to run anything
vaguely like a modern web browser? You make the key standards change
(from reserved undefined use to reserved unicast use) and over time
varying potential uses for those unicast addresses become practical
despite the receding legacy equipment.

None of us has a crystal ball saying when IPv4 use will start to fall
off. It's entirely possible It'll still be going strong in 20 more
years. If so, and if 240/4 was defined as unicast now, it'll surely be
practical to use it by then.

Making the simple standards change also lets us debate the "best" use
of the addresses while the needed software change happens in parallel,
instead of holding up the software changes while we debate. Allocating
them to the RIRs isn't the only practical use of a new set of unicast
IP addresses. Other plausible uses include:

* More RFC1918 for large organizations.

* IXP addresses which only host routers, not the myriad servers and
end-user client software.

* ICMP unreachable source address block, for use by routers which need
to emit a destination unreachable message but do not have a global IP
address with which to do so.

* A block of designated private-interconnect addresses intended to be
used by off-internet networks using overlapping RFC1918 which
nevertheless need to interconnect.

Indeed, the only use for which we definitely -don't- need more IPv4
addresses is Multicast.

So, a rush to deploy 240/4 to RIRs is not really warranted.

Regards,
Bill Herrin


--
William Herrin
b...@herrin.us
https://bill.herrin.us/

Re: The Reg does 240/4

[Christopher Hawker]

Hi David,

In order to forecast exhaustion rates, we needed something to measure against. 
It would be rather naive of us to assume that allocation policy would remain 
the same tomorrow as it was yesterday, if APNIC received a /8 from IANA. This 
is where we looked at pre-prop127 delegation sizes of up to a /22. If we were 
to allow applicants who have received either a /23 or /24 post-prop127 to apply 
for resources up to a maximum holding of /22 this would last (again, under 
current policy) 20+ years. These of course as mentioned are dependent on 3 x /8 
prefixes.

The intent of this isn't just to drop more space into the wild to be snatched 
up by the highest bidder, it's supposed to afford new players an opportunity to 
connect without having to fork out a small fortune to do so. I can only hope 
that people understand and see this, and instead of selfishly saying no, see 
what it's trying to do, who it can impact and at least understand. I definitely 
understand that RIR policy can change in as little as 12 months and it very 
well could happen that policies will change that see the exhaustion policies 
implemented over the last 15 years all undone for the sake of being able to get 
a quick /20 and for space to disappear in a few years (again) which I don't 
really think is the right way to go. This is a second chance to purposefully 
ration out a finite resource.

Regards,
Christopher Hawker

From: David Conrad 
Sent: Wednesday, February 14, 2024 10:24 AM
To: Christopher Hawker 
Cc: North American Operators' Group 
Subject: Re: The Reg does 240/4

Christopher,

On Feb 13, 2024, at 2:15 PM, Christopher Hawker  wrote:
Let's not think about ourselves for a moment, and think about the potential 
positive impact that this could bring.

Let’s assume that the class E checks in all IP stacks and application code that 
do or can connect to the Internet are magically removed (not going to argue 
feasibility of this) and control of 240/4 is put into the hands of IANA to 
allocate to the RIRs. Subsequent steps would be:

1. RIRs, following 
https://www.icann.org/resources/pages/allocation-ipv4-rirs-2012-02-25-en, would 
request new /8s, and receive those allocations.
2. Entities[*] with pent up demand would submit requests and have those 
requests filled by the RIRs
3. While more /8s in 240/4 remain, go to step 1
4. Return to status quo ante.

In other words, while the IANA free pool is not (again) empty, network 
operators would be able to get IPv4 address space at a fraction of the market 
price, and then we’d go back to the way things are now.

This suggests the length of time the primary benefit (cheap IPv4 addresses) 
would be enjoyed depends on RIR allocation policies.  ISTR a comment from you 
earlier suggesting that based on current consumption rates, 240/4 would fulfill 
needs for 50 years.  However, this appears to assume that current “soft 
landing” (etc) policies would remain in place.  Why would you assume that?  I 
would imagine there would be non-trivial pressure from the RIR memberships to 
return to the pre-runout policy regime which was burning through multiple /8s 
in months. In particular, I’d think the large scale buyers of address space (as 
well as IP market speculators) who tend to be the most active in RIR policy 
forums would jump at the opportunity to get “huge tracts of land” at bargain 
basement prices again.

This doesn’t seem all that positive to me, particularly because it’s temporary 
since the underlying problem (limited resource, unlimited demand) cannot be 
addressed.  What positive impact do you predict?

Thanks,
-drc
* I’ve purposefully ignored the geopolitical aspect of this here. In reality, I 
suspect there would be pressure for ‘entities’ to include countries, etc.

Re: The Reg does 240/4

[David Conrad]

Christopher,

On Feb 13, 2024, at 2:15 PM, Christopher Hawker  wrote:
> Let's not think about ourselves for a moment, and think about the potential 
> positive impact that this could bring.


Let’s assume that the class E checks in all IP stacks and application code that 
do or can connect to the Internet are magically removed (not going to argue 
feasibility of this) and control of 240/4 is put into the hands of IANA to 
allocate to the RIRs. Subsequent steps would be:

1. RIRs, following 
https://www.icann.org/resources/pages/allocation-ipv4-rirs-2012-02-25-en, would 
request new /8s, and receive those allocations.
2. Entities[*] with pent up demand would submit requests and have those 
requests filled by the RIRs
3. While more /8s in 240/4 remain, go to step 1
4. Return to status quo ante.

In other words, while the IANA free pool is not (again) empty, network 
operators would be able to get IPv4 address space at a fraction of the market 
price, and then we’d go back to the way things are now.

This suggests the length of time the primary benefit (cheap IPv4 addresses) 
would be enjoyed depends on RIR allocation policies.  ISTR a comment from you 
earlier suggesting that based on current consumption rates, 240/4 would fulfill 
needs for 50 years.  However, this appears to assume that current “soft 
landing” (etc) policies would remain in place.  Why would you assume that?  I 
would imagine there would be non-trivial pressure from the RIR memberships to 
return to the pre-runout policy regime which was burning through multiple /8s 
in months. In particular, I’d think the large scale buyers of address space (as 
well as IP market speculators) who tend to be the most active in RIR policy 
forums would jump at the opportunity to get “huge tracts of land” at bargain 
basement prices again.

This doesn’t seem all that positive to me, particularly because it’s temporary 
since the underlying problem (limited resource, unlimited demand) cannot be 
addressed.  What positive impact do you predict?

Thanks,
-drc
* I’ve purposefully ignored the geopolitical aspect of this here. In reality, I 
suspect there would be pressure for ‘entities’ to include countries, etc.

Re: The Reg does 240/4

[William Herrin]

On Tue, Feb 13, 2024 at 2:34 PM Christopher Hawker  wrote:
> Having [240/4] reclassified as unicast space is indeed much easier.

Hi Chris,

If I were spending my time on the effort, that's what I'd pursue. It's
a low-impact change with no reasonable counter-argument I've seen. As
you noted, half the vendors already treat it as unicast space anyway.


> With that, comes the argument - what about legacy hardware
> that vendors no longer support, or are out of warranty and no
> longer receive software updates?

What about legacy hardware that doesn't support CIDR? What about the
1990s Sparc Stations that don't have enough ram to run anything
vaguely like a modern web browser? You make the key standards change
(from reserved undefined use to reserved unicast use) and over time
varying potential uses for those unicast addresses become practical
despite the receding legacy equipment.

None of us has a crystal ball saying when IPv4 use will start to fall
off. It's entirely possible It'll still be going strong in 20 more
years. If so, and if 240/4 was defined as unicast now, it'll surely be
practical to use it by then.

Making the simple standards change also lets us debate the "best" use
of the addresses while the needed software change happens in parallel,
instead of holding up the software changes while we debate. Allocating
them to the RIRs isn't the only practical use of a new set of unicast
IP addresses. Other plausible uses include:

* More RFC1918 for large organizations.

* IXP addresses which only host routers, not the myriad servers and
end-user client software.

* ICMP unreachable source address block, for use by routers which need
to emit a destination unreachable message but do not have a global IP
address with which to do so.

* A block of designated private-interconnect addresses intended to be
used by off-internet networks using overlapping RFC1918 which
nevertheless need to interconnect.

Indeed, the only use for which we definitely -don't- need more IPv4
addresses is Multicast.

So, a rush to deploy 240/4 to RIRs is not really warranted.

Regards,
Bill Herrin


-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/