RE: was bogon filters, now Brief Segue on 1918
Michael - good points all, and saved me typing out a reply.

Additionally, using up the RFC1918 space isn't the only problem ... the previously mentioned collision problems between so-called private networks become more and more likely (until almost guaranteed).

Only nit:

> In any case, IPv4 is yesterday's news. Nowadays everyone is scrambling
> to integrate IPv6 into their networks and shift services onto IPv6.

... I would say they should be doing so; I wish more were!!

/TJ

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2008 1:06 PM
To: nanog@nanog.org
Subject: RE: was bogon filters, now Brief Segue on 1918

> > Your point seemed to be that it is not a large enough allocation of
> > IPs for an international enterprise of 80K souls. My rebuttal is:
> > 16.5 million IPs isn't enough?
>
> You don't seem to understand how IPv4 networks are designed and how
> that interacts with scale, i.e. the large sprawling networks that
> international enterprises have. You don't simply count out x addresses
> per employee. Instead, you design a subnet architecture that a) can
> grow at all levels, and b) can be cut off the network when you sell
> off a branch operation or two. This leads to large amounts of IP
> addresses used up in padding at all levels, which then leads to these
> organizations running out of RFC 1918 space, a more and more common
> occurrence. This, in itself, is a good incentive to move to IPv6,
> since the seemingly wasteful subnet architecture is considered best
> practice with IPv6, and a ULA prefix or two gives you lots of space to
> keep growing.
>
> > What are we talking about then? 100 IPs per person--say each person
> > has 10 PCs, 10 printers, 10 automated factory machines, 10 lab
> > instruments, 49 servers and the soda machine on their network?
>
> Nope. We are not talking about people, but about network architecture
> and topology. Two people in one office need two addresses. Put them in
> separate offices and they need two subnets. Topology dominates the
> design.
>
> > I don't think you have that many soda machines. Even on 5
> > continents. Even with your growing Asian market, your suppliers, and
> > the whole marketing team. I believe the first two companies to run
> > out of RFC 1918 space (or to project that it would happen) are
> > Comcast, an American cable provider in one continent, and a Japanese
> > cable provider on a small Pacific island next to China.
> >
> > //Err. Doing it wrong does not justify doing it wrong.
>
> Cute sound bites does not make you an expert in anything.
>
> In any case, IPv4 is yesterday's news. Nowadays everyone is scrambling
> to integrate IPv6 into their networks and shift services onto IPv6.
>
> --Michael Dillon
RE: was bogon filters, now Brief Segue on 1918
> Your point seemed to be that it is not a large enough allocation of IPs
> for an international enterprise of 80K souls. My rebuttal is: 16.5
> million IPs isn't enough?

You don't seem to understand how IPv4 networks are designed and how that interacts with scale, i.e. the large sprawling networks that international enterprises have. You don't simply count out x addresses per employee. Instead, you design a subnet architecture that a) can grow at all levels, and b) can be cut off the network when you sell off a branch operation or two. This leads to large amounts of IP addresses used up in padding at all levels, which then leads to these organizations running out of RFC 1918 space, a more and more common occurrence. This, in itself, is a good incentive to move to IPv6, since the seemingly wasteful subnet architecture is considered best practice with IPv6, and a ULA prefix or two gives you lots of space to keep growing.

> What are we talking about then? 100 IPs per person--say each person has
> 10 PCs, 10 printers, 10 automated factory machines, 10 lab instruments,
> 49 servers and the soda machine on their network?

Nope. We are not talking about people, but about network architecture and topology. Two people in one office need two addresses. Put them in separate offices and they need two subnets. Topology dominates the design.

> I don't think you have that many soda machines. Even on 5 continents.
> Even with your growing Asian market, your suppliers, and the whole
> marketing team. I believe the first two companies to run out of RFC
> 1918 space (or to project that it would happen) are Comcast, an
> American cable provider in one continent, and a Japanese cable provider
> on a small Pacific island next to China.
>
> //Err. Doing it wrong does not justify doing it wrong.

Cute sound bites does not make you an expert in anything.

In any case, IPv4 is yesterday's news. Nowadays everyone is scrambling to integrate IPv6 into their networks and shift services onto IPv6.

--Michael Dillon
Re: was bogon filters, now Brief Segue on 1918
I've always enjoyed your posts Michael. You are obviously an expert, with no patience for idiocy, and you always go for the throat and try to hurt the other person as much as you can. Your messages are always very entertaining.

In this case, however, you are responding to a conversation that is pretty much over and done. I've already received umpty emails telling me how right I am, and another umpty emails telling me I am an idiot and I should go back to knitting. Most of the latter were privately sent, and I appreciate both their candor and discretion.

The reasonable voices seem to feel that it doesn't matter if I am right, as the real world just doesn't care. I have to agree with that. That's kinda the whole point, I think. The forward thinkers feel as you do that IPV6 is the real answer. I believe I was the first to say that in this thread.

As far as the individual points that you satirize below--well ok then.

> We are not talking about people.

I was not the person who raised people as a metric. Jump his case if you feel the need. I was actually jumping his case about it myself, albeit tongue in cheek, and hopefully with no hard feelings. However, the original conversation centered on the best way to design private networks so that internetworking between companies who did not confer on each other's network design does not cause problems, and how very few companies follow RFC1918 very well in my experience. Whether they fail at RFC1918 for real reasons or not, they still fail.

As far as companies that design their own networks so they have trouble interoperating with themselves--well, bummer for them. I bet they wish they had done their design more efficiently instead of making large sprawling networks with plenty of room for growth for soda machines. Because you just can't assign enough IP address space for your soda machines.

> Cute sound bites does (sic) not make you an expert in anything.

I agree with this too. But just because it's cute, doesn't mean it's wrong.

--Patrick Darden

[EMAIL PROTECTED] wrote:

> > Your point seemed to be that it is not a large enough allocation of
> > IPs for an international enterprise of 80K souls. My rebuttal is:
> > 16.5 million IPs isn't enough?
>
> You don't seem to understand how IPv4 networks are designed and how
> that interacts with scale, i.e. the large sprawling networks that
> international enterprises have. You don't simply count out x addresses
> per employee. Instead, you design a subnet architecture that a) can
> grow at all levels, and b) can be cut off the network when you sell
> off a branch operation or two. This leads to large amounts of IP
> addresses used up in padding at all levels, which then leads to these
> organizations running out of RFC 1918 space, a more and more common
> occurrence. This, in itself, is a good incentive to move to IPv6,
> since the seemingly wasteful subnet architecture is considered best
> practice with IPv6, and a ULA prefix or two gives you lots of space to
> keep growing.
>
> > What are we talking about then? 100 IPs per person--say each person
> > has 10 PCs, 10 printers, 10 automated factory machines, 10 lab
> > instruments, 49 servers and the soda machine on their network?
>
> Nope. We are not talking about people, but about network architecture
> and topology. Two people in one office need two addresses. Put them in
> separate offices and they need two subnets. Topology dominates the
> design.
>
> > I don't think you have that many soda machines. Even on 5
> > continents. Even with your growing Asian market, your suppliers, and
> > the whole marketing team. I believe the first two companies to run
> > out of RFC 1918 space (or to project that it would happen) are
> > Comcast, an American cable provider in one continent, and a Japanese
> > cable provider on a small Pacific island next to China.
> >
> > //Err. Doing it wrong does not justify doing it wrong.
>
> Cute sound bites does not make you an expert in anything.
>
> In any case, IPv4 is yesterday's news. Nowadays everyone is scrambling
> to integrate IPv6 into their networks and shift services onto IPv6.
>
> --Michael Dillon
Re: was bogon filters, now Brief Segue on 1918
On Thu, Aug 07, 2008 at 01:47:02PM -0400, Patrick Darden wrote:
> I've always enjoyed your posts Michael. You are obviously an expert,
> with no patience for idiocy, and you always go for the throat and try
> to hurt the other person as much as you can. Your messages are always
> very entertaining.

You really think Michael is malicious in his intent? You've spent a whole lot of time paying no attention around here, haven't you?

> As far as companies that design their own networks so they have trouble
> interoperating with themselves--well, bummer for them. I bet they wish
> they had done their design more efficiently instead of making large
> sprawling networks with plenty of room for growth for soda machines.
> Because you just can't assign enough IP address space for your soda
> machines.
>
> > Cute sound bites does (sic) not make you an expert in anything.
>
> I agree with this too. But just because it's cute, doesn't mean it's
> wrong.

No, cute soundbites don't make you an expert. But in this case, Dillon's right, and you're wrong: your attempt to trivialize the specific issue on point (allocation within the 1918 space internal to a company network) by implying that the only reasons to do it the way he suggests amount to leaving space for soda machines only proves in public that you don't know what you're talking about.

As randy would put it, I encourage my competitors to hire you to architect their WANs.

Cheers,
-- jra

-- 
Jay R. Ashworth                   Baylink                      [EMAIL PROTECTED]
Designer                     The Things I Think                       RFC 2100
Ashworth Associates       http://baylink.pitas.com                 '87 e24
St Petersburg FL USA      http://photo.imageinc.us          +1 727 647 1274

      Those who cast the vote decide nothing.
      Those who count the vote decide everything.
        -- (Josef Stalin)
Re: was bogon filters, now Brief Segue on 1918
Hi Jay,

Jay R. Ashworth wrote:
> You really think Michael is malicious in his intent? You've spent a
> whole lot of time paying no attention around here, haven't you?

I think Michael tends to get confrontational. As, apparently, do you. I'm on a lot of the same lists Michael is on. Have been since 1997. I have a lot of respect for him, with reservations gathered from experience. He is sharp, and he has a sharp tongue.

> No, cute soundbites don't make you an expert. But in this case,
> Dillon's right, and you're wrong: your attempt to trivialize the
> specific issue on point (allocation within the 1918 space internal to a
> company network) by implying that the only reasons to do it the way he
> suggests amount to leaving space for soda machines only proves in
> public that you don't know what you're talking about.

No, you are wrong. Your attempt to trivialize what I have to say by calling it cute only proves that you don't know what you are talking about. Bad logic, isn't it? Statement that you are wrong, then proving it with nonsense addressing someone's character without addressing the point.

Your mislabelling my tongue-in-cheek ongoing obsession with soda machines as trivializing only proves you have no sense of humor. I remember when some kids at MIT first put their dorm's soda machine on the internet. Man that was cool. You could ping it and find out how many cokes were left, and their temperature.

> As randy would put it, I encourage my competitors to hire you to
> architect their WANs.

Thank you. Your bile does you credit.

--Patrick Darden
Re: was bogon filters, now Brief Segue on 1918
On Thu, Aug 07, 2008 at 03:55:13PM -0400, Patrick Darden wrote:
> Jay R. Ashworth wrote:
> > You really think Michael is malicious in his intent? You've spent a
> > whole lot of time paying no attention around here, haven't you?
>
> I think Michael tends to get confrontational. As, apparently, do you.

Sure. And he's not always right either; none of us are. But he gave cogent arguments to support his point, and you gave us coke machines -- worse, *accused him*, backhandedly, of leaving space for coke machines. See below.

> I'm on a lot of the same lists Michael is on. Have been since 1997. I
> have a lot of respect for him, with reservations gathered from
> experience. He is sharp, and he has a sharp tongue.

None of which amounts to "wants to hurt people", which is what you accused him of.

> > No, cute soundbites don't make you an expert. But in this case,
> > Dillon's right, and you're wrong: your attempt to trivialize the
> > specific issue on point (allocation within the 1918 space internal to
> > a company network) by implying that the only reasons to do it the way
> > he suggests amount to leaving space for soda machines only proves in
> > public that you don't know what you're talking about.
>
> No, you are wrong. Your attempt to trivialize what I have to say by
> calling it cute only proves that you don't know what you are talking
> about. Bad logic, isn't it? Statement that you are wrong, then proving
> it with nonsense addressing someone's character without addressing the
> point.

And yet I see that you don't yourself bother to try to prove your argument; you merely continue to go after Michael and I on peripheral points. No pun intended.

> Your mislabelling my tongue-in-cheek ongoing obsession with soda
> machines as trivializing only proves you have no sense of humor. I
> remember when some kids at MIT first put their dorm's soda machine on
> the internet. Man that was cool. You could ping it and find out how
> many cokes were left, and their temperature.

Sure. Online coke machines are just about as cool as coffee-pot webcams. But they're orthogonal to the discussion that was at hand, and your returning to that well in the middle of a serious discussion suggests that you, yourself, are not all that serious. Once is tongue in cheek. Twice or three times is dilettante.

> > As randy would put it, I encourage my competitors to hire you to
> > architect their WANs.
>
> Thank you. Your bile does you credit.

I don't know, Patrick; you seem to be the one emotionalizing the argument.

I'm out of this one though; we are certainly out of AUP.

Cheers,
-- jra

-- 
Jay R. Ashworth                   Baylink                      [EMAIL PROTECTED]
Designer                     The Things I Think                       RFC 2100
Ashworth Associates       http://baylink.pitas.com                 '87 e24
St Petersburg FL USA      http://photo.imageinc.us          +1 727 647 1274

      Those who cast the vote decide nothing.
      Those who count the vote decide everything.
        -- (Josef Stalin)
RE: was bogon filters, now Brief Segue on 1918
Hi Jay,

Jay Ashworth:
> Sure. And he's not always right either; none of us are. But he gave
> cogent arguments to support his point, and you gave us

He gave good arguments. You, however, did not.

> None of which amounts to "wants to hurt people", which is what you
> accused him of.

I was out of line here. I apologize to Michael. I don't think he took offense, but if he did I genuinely regret it.

> And yet I see that you don't yourself bother to try to prove your
> argument; you merely continue to go after Michael and I on peripheral
> points. No pun intended.

Didn't have to: you didn't address anything other than personal or peripheral stuff.

> Sure. Online coke machines are just about as cool as coffee-pot
> webcams.

They were in 1995. Back when the first one went online. That was too cool for me to express.

> But they're orthogonal to the discussion that was at hand, and your
> returning to that well in the middle of a serious discussion suggests
> that you, yourself, are not all that serious.

Or perhaps that I was trying to cool the discussion down a bit. I had already tried to bring it to a close once. It was an extended hyperbole of ridiculousness. Soda machines. Mm.

> Once is tongue in cheek. Twice or three times is dilettante.

No, I think it just proves that saying the same stupid joke three times doesn't make it funny. Doesn't mean I am a dilettante network operator. Just means I'm not funny. ;-)

> I don't know, Patrick; you seem to be the one emotionalizing the
> argument.

Yeah, I have a sharp tongue too. And I am a dilettante. And everything I say is just so cute and precious. And I am Wrong.

> I'm out of this one though; we are certainly out of AUP.

I'm with you on this, for sure. If you want to address me off-list please feel free.

--Patrick Darden
RE: was bogon filters, now Brief Segue on 1918
Where I work we are more aimed towards the SMB market, and we do run into that issue a lot. Of course a lot of the problem we run into is that the engineers who set up these SMB clients, even getting into some of the larger businesses, just use what they always do. I can think of one specific engineer for whom everything he does is 192.168.1.0/24, .254 gateway, .1 server, which has caused issues.

We have one particular client who has nearly 40 VPNs between partners and they have actually had to do a lot of NATting at the VPN endpoint, as they have 3 clients they connect to that are 10.0.1.0/24 and several that are 192.168.0.0/24. However, a lot of the newer VPN firewalls that we work with actually do a pretty slick job. SonicWall NSA series devices have a NAT VPN range checkbox when you build the VPN and you just give it the range to use, as do the Fortinet devices.

-----Original Message-----
From: Darden, Patrick S. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2008 7:26 AM
To: nanog@nanog.org
Subject: was bogon filters, now Brief Segue on 1918

Was looking over 1918 again, and for the record I have only run into one network that follows:

   If two (or more) organizations follow the address allocation specified
   in this document and then later wish to establish IP connectivity with
   each other, then there is a risk that address uniqueness would be
   violated. To minimize the risk it is strongly recommended that an
   organization using private IP addresses choose *randomly* from the
   reserved pool of private addresses, when allocating sub-blocks for its
   internal allocation.

I added the asterisks. Most private networks start at the bottom and work up: 192.168.0.X++, 10.0.0.X++, etc. This makes any internetworking (ptp, vpn, etc.) ridiculously difficult. I've seen a lot of hack jobs using NAT to get around this. Ugly.

--Patrick Darden

-----Original Message-----
From: Darden, Patrick S.
Sent: Wednesday, August 06, 2008 9:19 AM
To: 'Leo Bicknell'; nanog@nanog.org
Subject: RE: Is it time to abandon bogon prefix filters?

Yes. 1918 (10/8, 172.16/12, 192.168/16), D, E, reflective (outgoing mirroring), and as always individual discretion.

--Patrick Darden

-----Original Message-----
From: Leo Bicknell [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2008 9:10 AM
To: nanog@nanog.org
Subject: Is it time to abandon bogon prefix filters?

Bogon filters made a lot of sense when most of the Internet was bogons. Back when 5% of the IP space was allocated, blocking the other 95% was an extremely useful endeavour. However, by the same logic, as we get to 80-90% used, blocking the 20-10% unused is reaching diminishing returns; and at the same time the rate at which new blocks are allocated continues to increase, causing more and more frequent updates.

Have bogon filters outlived their use? Is it time to recommend people go to a simpler bogon filter (e.g. no 1918, Class D, Class E) that doesn't need to be updated as frequently?

-- 
Leo Bicknell - [EMAIL PROTECTED] - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
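The two problems in the messages above, bottom-up RFC 1918 plans colliding when a VPN is built and RFC 1918's recommendation to choose sub-blocks randomly, as an added Python example. It is not code from the thread or from any vendor named in it. The partner ranges are constructed for the demonstration, and `find_overlaps`, `pick_random_block` and the other names are chosen here.

```python
"""Added example, not from the thread: check two RFC 1918 plans for overlap
before a VPN is built, and pick new sub-blocks *randomly* from the private
pools as RFC 1918 section 3 recommends, skipping anything already in use.
The partner ranges below are constructed for the demonstration."""
import ipaddress
import random

# The three private pools defined by RFC 1918.
RFC1918_POOLS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def find_overlaps(ours, theirs):
    """Every (our_prefix, their_prefix) pair that overlaps.

    A non-empty result means the two sides cannot simply route to each other
    across the tunnel; one of them has to NAT at the VPN endpoint."""
    ours = [ipaddress.ip_network(p) for p in ours]
    theirs = [ipaddress.ip_network(p) for p in theirs]
    return [(a, b) for a in ours for b in theirs if a.overlaps(b)]


def pick_random_block(prefixlen, in_use, rng=random, attempts=10000):
    """Choose a random /prefixlen from the RFC 1918 pools that overlaps nothing
    in `in_use` (our own allocations plus every partner range we know about).

    Pools are weighted by how many blocks of this size they contain, so a
    random /16 lands in 10/8 256 times as often as in 192.168/16."""
    in_use = [ipaddress.ip_network(p) for p in in_use]
    pools = [p for p in RFC1918_POOLS if p.prefixlen <= prefixlen]
    if not pools:
        raise ValueError("no RFC 1918 pool is large enough for a /%d" % prefixlen)
    weights = [2 ** (prefixlen - p.prefixlen) for p in pools]
    block_size = 2 ** (32 - prefixlen)
    for _ in range(attempts):
        pool = rng.choices(pools, weights=weights)[0]
        index = rng.randrange(2 ** (prefixlen - pool.prefixlen))
        candidate = ipaddress.ip_network(
            (int(pool.network_address) + index * block_size, prefixlen))
        if not any(candidate.overlaps(u) for u in in_use):
            return candidate
    raise RuntimeError("could not find a free /%d after %d tries" % (prefixlen, attempts))


# Constructed scenario: our plan started "at the bottom and worked up", and so
# did three partners we now need VPNs to.
OUR_BOTTOM_UP = ["10.0.0.0/16", "192.168.0.0/24"]
PARTNERS = {
    "partner-a": ["10.0.1.0/24"],
    "partner-b": ["10.0.1.0/24", "172.16.0.0/24"],
    "partner-c": ["192.168.0.0/24"],
}


def collisions_by_partner(ours=OUR_BOTTOM_UP, partners=PARTNERS):
    """Map partner name -> list of overlapping prefix pairs."""
    return {name: find_overlaps(ours, ranges) for name, ranges in partners.items()}


def demo_random_pick(seed=2008):
    """Pick a /16 that collides with neither our plan nor any partner range.
    Seeded so the demonstration repeats; use the default `random` in practice."""
    known = OUR_BOTTOM_UP + [p for ranges in PARTNERS.values() for p in ranges]
    return pick_random_block(16, known, rng=random.Random(seed))


if __name__ == "__main__":
    for name, hits in collisions_by_partner().items():
        print(name, "COLLIDES" if hits else "clean", [(str(a), str(b)) for a, b in hits])
    print("random /16 clear of everything known:", demo_random_pick())
```

Run `find_overlaps` against every partner's ranges before the tunnel is configured; any hit is where the NAT checkbox described above becomes necessary. Feeding every partner range you already know into `pick_random_block` keeps new allocations clear of them, which is the part of RFC 1918 the thread says almost nobody follows.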
Re: was bogon filters, now Brief Segue on 1918
Darden, Patrick S. wrote:
> Most private networks start at the bottom and work up: 192.168.0.X++,
> 10.0.0.X++, etc. This makes any internetworking (ptp, vpn, etc.)
> ridiculously difficult. I've seen a lot of hack jobs using NAT to get
> around this. Ugly.

Well, you can always do what one of the companies I work with does: allocate from 42.0.0.0/8 for networks that might need to interoperate with 1918 space and hope that it is forever before we run so low on IPv4 space that 42.0.0.0/8 needs to be taken out of reserved status.

How many more weeks is forever now?

Matthew Kaufman
[EMAIL PROTECTED]
http://www.matthew.at
Re: was bogon filters, now Brief Segue on 1918
Matthew Kaufman wrote:
> do what one of the companies I work with does: allocate from 42.0.0.0/8

some italian isps use blocked american military /8s. i find that highly amusing, especially when i think of the long-term implication for the folk who blocked access to that they wanted to 'own'.

randy
Re: was bogon filters, now Brief Segue on 1918
Darden, Patrick S. wrote:
> Was looking over 1918 again, and for the record I have only run into
> one network that follows:
>
>    If two (or more) organizations follow the address allocation
>    specified in this document and then later wish to establish IP
>    connectivity with each other, then there is a risk that address
>    uniqueness would be violated. To minimize the risk it is strongly
>    recommended that an organization using private IP addresses choose
>    *randomly* from the reserved pool of private addresses, when
>    allocating sub-blocks for its internal allocation.
>
> I added the asterisks.

You're supposed to choose ula-v6 /48 prefixes randomly as well... Any bets on whether that routinely happens?

While your home can probably randomly allocate subnets out of a /8 or /12 for a while without collisions, nobody that's actually building a subnetting plan for a large private network is going to be able to get away with that in v4.

> --Patrick Darden
>
> -----Original Message-----
> From: Darden, Patrick S.
> Sent: Wednesday, August 06, 2008 9:19 AM
> To: 'Leo Bicknell'; nanog@nanog.org
> Subject: RE: Is it time to abandon bogon prefix filters?
>
> Yes. 1918 (10/8, 172.16/12, 192.168/16), D, E, reflective (outgoing
> mirroring), and as always individual discretion.
>
> --Patrick Darden
>
> -----Original Message-----
> From: Leo Bicknell [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 06, 2008 9:10 AM
> To: nanog@nanog.org
> Subject: Is it time to abandon bogon prefix filters?
>
> Bogon filters made a lot of sense when most of the Internet was bogons.
> Back when 5% of the IP space was allocated, blocking the other 95% was
> an extremely useful endeavour. However, by the same logic, as we get to
> 80-90% used, blocking the 20-10% unused is reaching diminishing
> returns; and at the same time the rate at which new blocks are
> allocated continues to increase, causing more and more frequent
> updates.
>
> Have bogon filters outlived their use? Is it time to recommend people
> go to a simpler bogon filter (e.g. no 1918, Class D, Class E) that
> doesn't need to be updated as frequently?
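Joel's point that ULA /48s are also supposed to be chosen randomly, as an added Python example that is not part of the thread: the RFC 4193 section 3.2.2 procedure for a Locally Assigned Global ID (SHA-1 over a 64-bit NTP timestamp and an EUI-64, low 40 bits under fd00::/8), plus the birthday-bound arithmetic that shows why random choice is safe with 40 bits of Global ID and a coin toss with the 8 bits that distinguish /16s inside 10/8. The MAC address and timestamp are constructed; the function names are chosen here.

```python
"""Added example, not from the thread: generate a ULA /48 the way RFC 4193
section 3.2.2 says to (SHA-1 over NTP time + EUI-64, low 40 bits as the
Global ID under fd00::/8), and the birthday-bound collision odds that make
random choice sensible with 40 bits and a coin toss with 8.
The MAC address and timestamp used in the demo are constructed."""
import hashlib
import ipaddress
import math
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01


def mac_to_eui64(mac):
    """Modified EUI-64 from a 48-bit MAC: flip the U/L bit, insert ff:fe."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]


def ntp_timestamp(unix_seconds):
    """64-bit NTP timestamp: 32-bit seconds since 1900, 32-bit fraction."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * 2 ** 32) & 0xFFFFFFFF
    return struct.pack("!II", (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF, frac)


def ula_prefix(mac, unix_seconds=None):
    """RFC 4193 Locally Assigned (L=1) prefix: fd00::/8 + 40-bit Global ID, a /48."""
    if unix_seconds is None:
        unix_seconds = time.time()
    key = ntp_timestamp(unix_seconds) + mac_to_eui64(mac)
    digest = hashlib.sha1(key).digest()
    global_id = int.from_bytes(digest[-5:], "big")  # least significant 40 bits
    # 0xfd in the top 8 bits (fc00::/7 with the L bit set), Global ID in the next 40.
    return ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80), 48))


def is_ula(network):
    """True if the network lies inside the fc00::/7 block RFC 4193 reserves."""
    return ipaddress.ip_network(str(network)).subnet_of(ipaddress.ip_network("fc00::/7"))


def collision_probability(n, slots):
    """Birthday bound: chance that n independent uniform picks from `slots`
    are not all distinct, 1 - exp(-n(n-1)/(2*slots))."""
    return -math.expm1(-n * (n - 1) / (2.0 * slots))


if __name__ == "__main__":
    prefix = ula_prefix("00:11:22:33:44:55", 1218049860.0)  # constructed inputs
    print("ULA prefix:", prefix, "valid:", is_ula(prefix))
    print("1000 orgs choosing ULA /48s, P(any collision): %.2e"
          % collision_probability(1000, 2 ** 40))
    print("20 orgs each choosing a /16 from 10/8, P(any collision): %.2f"
          % collision_probability(20, 256))
```

The same birthday arithmetic applies to Patrick's observation about bottom-up RFC 1918 plans: twenty organisations each choosing a random /16 from 10/8 already have better than even odds that two of them collide, while a thousand organisations choosing ULA /48s are around one in a million, which is why the RFC 4193 procedure can afford to be random and an RFC 1918 plan cannot rely on randomness alone.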
Re: was bogon filters, now Brief Segue on 1918
On Aug 6, 2008, at 7:44 AM, Matthew Kaufman wrote:
> Darden, Patrick S. wrote:
> > Most private networks start at the bottom and work up: 192.168.0.X++,
> > 10.0.0.X++, etc. This makes any internetworking (ptp, vpn, etc.)
> > ridiculously difficult. I've seen a lot of hack jobs using NAT to get
> > around this. Ugly.
>
> Well, you can always do what one of the companies I work with does:
> allocate from 42.0.0.0/8 for networks that might need to interoperate
> with 1918 space and hope that it is forever before we run so low on
> IPv4 space that 42.0.0.0/8 needs to be taken out of reserved status.
>
> How many more weeks is forever now?

Personally, I'd like to see such numbers put on a list for ICANN to give priority to in their next RIR distribution.

Owen
RE: was bogon filters, now Brief Segue on 1918
Most organizations that would be doing this would not randomly pick out subnets, if I understand you. They would randomly pick out a subnet, then they would sub-subnet that based on a scheme. I believe this is the intent of RFC 1918. Not to apply a random IP scheme, but to randomly pick a network from the appropriate sized Private Networking ranges, then apply a well thought out scheme to the section of IP addresses you chose.

E.g. 10.150.x.y/16 as their network. X could be physical positioning, and Y could be purposive in nature. 10.150.0.0 as basement, 10.150.1.0 as first floor, 10.150.2.0 as second floor, etc. 1-20 as switches/routers, 21-50 as servers and static workstations, 51-100 as printers, 101-200 as DHCP scope for PCs, and 201-254 for remote login DHCP scope (vpn, dialup, etc.)

Yes, I think a large private network would work this way. RFC 1918 wants it to work this way (imho).

--p

-----Original Message-----
From: Joel Jaeggli [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2008 11:21 AM
To: Darden, Patrick S.
Cc: nanog@nanog.org
Subject: Re: was bogon filters, now Brief Segue on 1918

Darden, Patrick S. wrote:
> *randomly* from the reserved pool of private addresses, when

You're supposed to choose ula-v6 /48 prefixes randomly as well... Any bets on whether that routinely happens?

While your home can probably randomly allocate subnets out of a /8 or /12 for a while without collisions, nobody that's actually building a subnetting plan for a large private network is going to be able to get away with that in v4.
Re: was bogon filters, now Brief Segue on 1918
On 06/08/2008 4:44, Matthew Kaufman [EMAIL PROTECTED] wrote:
[...]
> Well, you can always do what one of the companies I work with does:
> allocate from 42.0.0.0/8 for networks that might need to interoperate
> with 1918 space and hope that it is forever before we run so low on
> IPv4 space that 42.0.0.0/8 needs to be taken out of reserved status.

I'm very confident that 42.0.0.0/8 will be allocated within the next three years.

Leo
Re: was bogon filters, now Brief Segue on 1918
Darden, Patrick S. wrote:
> Most organizations that would be doing this would not randomly pick out
> subnets, if I understand you. They would randomly pick out a subnet,
> then they would sub-subnet that based on a scheme. I believe this is
> the intent of RFC 1918. Not to apply a random IP scheme, but to
> randomly pick a network from the appropriate sized Private Networking
> ranges, then apply a well thought out scheme to the section of IP
> addresses you chose.
>
> E.g. 10.150.x.y/16 as their network. X could be physical positioning,
> and Y could be purposive in nature. 10.150.0.0 as basement, 10.150.1.0
> as first floor, 10.150.2.0 as second floor, etc. 1-20 as
> switches/routers, 21-50 as servers and static workstations, 51-100 as
> printers, 101-200 as DHCP scope for PCs, and 201-254 for remote login
> DHCP scope (vpn, dialup, etc.)
>
> Yes, I think a large private network would work this way. RFC 1918
> wants it to work this way (imho).

How much of 10/8 and 172.16/12 does an organization with ~80k employees, on 5 continents, with hundreds of extranet connections to partners and suppliers in addition to numerous acquisitions and the occasional subsidiary who also use 10/8 and 172.16/12 use?

> --p
>
> -----Original Message-----
> From: Joel Jaeggli [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 06, 2008 11:21 AM
> To: Darden, Patrick S.
> Cc: nanog@nanog.org
> Subject: Re: was bogon filters, now Brief Segue on 1918
>
> Darden, Patrick S. wrote:
> > *randomly* from the reserved pool of private addresses, when
>
> You're supposed to choose ula-v6 /48 prefixes randomly as well... Any
> bets on whether that routinely happens?
>
> While your home can probably randomly allocate subnets out of a /8 or
> /12 for a while without collisions, nobody that's actually building a
> subnetting plan for a large private network is going to be able to get
> away with that in v4.
Re: was bogon filters, now Brief Segue on 1918
On Aug 6, 2008, at 12:36 PM, Joel Jaeggli wrote:
> Darden, Patrick S. wrote:
> > Most organizations that would be doing this would not randomly pick
> > out subnets, if I understand you. They would randomly pick out a
> > subnet, then they would sub-subnet that based on a scheme. I believe
> > this is the intent of RFC 1918. Not to apply a random IP scheme, but
> > to randomly pick a network from the appropriate sized Private
> > Networking ranges, then apply a well thought out scheme to the
> > section of IP addresses you chose.
> >
> > E.g. 10.150.x.y/16 as their network. X could be physical positioning,
> > and Y could be purposive in nature. 10.150.0.0 as basement,
> > 10.150.1.0 as first floor, 10.150.2.0 as second floor, etc. 1-20 as
> > switches/routers, 21-50 as servers and static workstations, 51-100
> > as printers, 101-200 as DHCP scope for PCs, and 201-254 for remote
> > login DHCP scope (vpn, dialup, etc.)
> >
> > Yes, I think a large private network would work this way. RFC 1918
> > wants it to work this way (imho).
>
> How much of 10/8 and 172.16/12 does an organization with ~80k
> employees, on 5 continents, with hundreds of extranet connections to
> partners and suppliers in addition to numerous acquisitions and the
> occasional subsidiary who also use 10/8 and 172.16/12 use?

In my experience, effectively all of it.

Marshall

> > --p
> >
> > -----Original Message-----
> > From: Joel Jaeggli [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, August 06, 2008 11:21 AM
> > To: Darden, Patrick S.
> > Cc: nanog@nanog.org
> > Subject: Re: was bogon filters, now Brief Segue on 1918
> >
> > Darden, Patrick S. wrote:
> > > *randomly* from the reserved pool of private addresses, when
> >
> > You're supposed to choose ula-v6 /48 prefixes randomly as well...
> > Any bets on whether that routinely happens?
> >
> > While your home can probably randomly allocate subnets out of a /8
> > or /12 for a while without collisions, nobody that's actually
> > building a subnetting plan for a large private network is going to
> > be able to get away with that in v4.
RE: was bogon filters, now Brief Segue on 1918
Well, how about this then:

10.Z.X.Y with Z being continent, X being country name with letters beginning with A assigned 1-10, B 11-20, with any unused letters having their numbers appended as needed, and Y being of course the host/int itself with maybe still 1-20 as switches/routers, 21-50 as servers and static workstations, 51-100 as printers, 101-200 as DHCP scope for PCs, and 201-254 for remote login DHCP scope (vpn, dialup, etc.)

continent 1: 10.100.x.y/16 provides ~65,000 IP addresses
continent 2: 10.101.x.y/16 provides the same
continent 3: whoa, asian market is big, better allocate for enterprise growth. 10.102.x.y and 10.103.x.y
cont 4: 10.104/16
cont 5: 10.105/16

We have provided for ~400,000 employees here, fairly spread out equally amongst your 5 continents. With lots of room for growth by just adding another 10.Z/16 or two to each continent.

Country algeria gets 10.100.1 and 10.100.2, country aguonia (?) gets 10.100.3 and 10.100.4, country bwabistan gets 10.100.11-15 (~1270 usable IPs, room for 150 servers, 250 printers, 500 PCs, 250 simultaneous telecommuters, and 100 switches and routers) because the company is big there. Etc. etc.

My off the cuff network scheme isn't very good, but you get the drift. RFC1918 works. Details just have to be worked out on a case by case basis.

IPV6 where are you?!

--p

-----Original Message-----
From: Joel Jaeggli [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2008 12:36 PM
To: Darden, Patrick S.
Cc: nanog@nanog.org
Subject: Re: was bogon filters, now Brief Segue on 1918

Darden, Patrick S. wrote:
> Most organizations that would be doing this would not randomly pick out
> subnets, if I understand you. They would randomly pick out a subnet,
> then they would sub-subnet that based on a scheme. I believe this is
> the intent of RFC 1918. Not to apply a random IP scheme, but to
> randomly pick a network from the appropriate sized Private Networking
> ranges, then apply a well thought out scheme to the section of IP
> addresses you chose.
>
> E.g. 10.150.x.y/16 as their network. X could be physical positioning,
> and Y could be purposive in nature. 10.150.0.0 as basement, 10.150.1.0
> as first floor, 10.150.2.0 as second floor, etc. 1-20 as
> switches/routers, 21-50 as servers and static workstations, 51-100 as
> printers, 101-200 as DHCP scope for PCs, and 201-254 for remote login
> DHCP scope (vpn, dialup, etc.)
>
> Yes, I think a large private network would work this way. RFC 1918
> wants it to work this way (imho).

How much of 10/8 and 172.16/12 does an organization with ~80k employees, on 5 continents, with hundreds of extranet connections to partners and suppliers in addition to numerous acquisitions and the occasional subsidiary who also use 10/8 and 172.16/12 use?
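The 10.Z.X.Y scheme above, and Michael Dillon's point earlier in the thread that padding at every level of a hierarchy is what exhausts RFC 1918 space, as an added Python example that is not part of the thread: each level (continent, country, site, subnet) is rounded up to a power of two so it can grow and be cut off cleanly, the bits are summed, and the result is compared with a flat numbering of the same subnets and with the 24 bits 10/8 offers. The continent/country/site/subnet counts are constructed, not figures from the thread, and `Level`, `hierarchical_bits` and the other names are chosen here.

```python
"""Added example, not from the thread: how much of 10/8 a hierarchical plan
consumes once every level is padded to a power of two. The level sizes are
constructed for an 80k-person, five-continent company; they are not figures
anyone in the thread gave."""
import ipaddress
import math
from dataclasses import dataclass


@dataclass
class Level:
    name: str
    count: int           # how many of these exist today
    growth: float = 1.0  # headroom to reserve (2.0 = room to double)


def bits_for(level):
    """Address bits this level consumes: ceil(log2(count * growth))."""
    slots_needed = max(1, math.ceil(level.count * level.growth))
    return (slots_needed - 1).bit_length()


def hierarchical_bits(levels, host_bits):
    """Bits used when each level is padded independently: sum of per-level bits."""
    return sum(bits_for(lvl) for lvl in levels) + host_bits


def flat_bits(levels, host_bits):
    """Bits used if the same subnets were numbered flat, with no per-level padding."""
    subnets = 1
    for lvl in levels:
        subnets *= max(1, math.ceil(lvl.count * lvl.growth))
    return (subnets - 1).bit_length() + host_bits


def fits(total_bits, pool):
    """Does a plan needing `total_bits` fit inside `pool` (e.g. "10.0.0.0/8")?"""
    return total_bits <= 32 - ipaddress.ip_network(pool).prefixlen


def padding_report(levels):
    """Per level: (name, slots used today, slots reserved)."""
    return [(lvl.name, lvl.count, 2 ** bits_for(lvl)) for lvl in levels]


# Constructed plan: continent / country / site / subnet, with a /24 per subnet.
PLAN = [
    Level("continent", 5),
    Level("country", 40),
    Level("site", 30),
    Level("subnet", 8),
]
HOST_BITS = 8  # one /24 per subnet


if __name__ == "__main__":
    for name, used, reserved in padding_report(PLAN):
        print("%-10s %4d used, %4d reserved" % (name, used, reserved))
    h = hierarchical_bits(PLAN, HOST_BITS)
    f = flat_bits(PLAN, HOST_BITS)
    print("hierarchical: %d bits, fits 10/8: %s, would need a /%d" % (h, fits(h, "10.0.0.0/8"), 32 - h))
    print("flat:         %d bits, fits 10/8: %s" % (f, fits(f, "10.0.0.0/8")))
    grown = [Level(l.name, l.count, 2.0) if l.name in ("country", "site") else l for l in PLAN]
    print("with room to double countries and sites: %d bits" % hierarchical_bits(grown, HOST_BITS))
```

With these constructed counts the same 48,000 subnets fit in 10/8 exactly when numbered flat (24 bits) but need 25 bits, a /7, once each level is padded, and 27 bits once countries and sites are given room to double. That one-bit-per-level tax is the mechanism behind "effectively all of it", independent of how many soda machines anyone owns.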
RE: was bogon filters, now Brief Segue on 1918
Actually, rereading this, I agree. My experience is large companies take it all, using huge swathes inefficiently, instead of doing it right. In my previous post I was answering the question I thought you were asking, not your real question.

I agree with you both. I think that RFC1918 could work, if companies used it correctly. Again, though, I have only run into one company that used it correctly.

IPV6, you are our only hope! (obiwan kenobi, you are our only hope!)

--p

Joel said
How much of 10/8 and 172.16/12 does an organization with ~80k employees, on 5 continents, with hundreds of extranet connections to partners and suppliers in addition to numerous acquisitions and the occasional subsidiary who also use 10/8 and 172.16/12 use?

Marshall said
In my experience, effectively all of it.
Re: was bogon filters, now Brief Segue on 1918
Darden, Patrick S. wrote:
I'll reply below with //s. My point is still: most companies do not use RFC1918 correctly.

As with say v4 prefix distribution as a whole where you observe that the number of very large prefix holders is rather small, it's really easy to say most casually, trivially in fact, that most rfc1918 uses are single devices with a single subnet behind them. There are a small number (low tens of thousands instead of low hundreds of millions) of applications where rfc1918 space feels rather tight, because in fact it's all going to get used.

you don't have to look very far for operators (what we traditionally think of as operators represent a chunk of those applications) chafing under their 1918 limitations, see for example this draft which is undoubtedly met with opposition since the idea has come around before.

http://tools.ietf.org/html/draft-shirasaki-isp-shared-addr-00

Your point seemed to be that it is not a large enough allocation of IPs for an international enterprise of 80K souls. My rebuttal is: 16.5 million IPs isn't enough?

That is my point, 24 bits is rather tight. The least specific 32 of 96 bits looks like it will continue to work ok for some time...

--p

-Original Message-
From: Joel Jaeggli [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2008 1:31 PM
To: Darden, Patrick S.
Cc: nanog@nanog.org
Subject: Re: was bogon filters, now Brief Segue on 1918

That's comical thanks. come back when you've done it.
//Ok.

Marshall is correct.
//Ok.

If you'd like to avoid constant renumbering you need a sparser allocation model. You're still going to have collisions with your suppliers and acquisitions and some applications (eg labs, factory automation systems etc) have orders of magnitude larger address space requirements than the number of humans using them implies.
//You used the metric of 80K people. Now you say it is a bad metric when I reply using it. Your fault, you compound it--you don't provide a better one.

What are we talking about then? 100 IPs per person--say each person has 10 PCs, 10 printers, 10 automated factory machines, 10 lab instruments, 49 servers and the soda machine on their network? 80,000*100==8 million IP addresses. That leaves you with 8.5 million. And that includes 80,000 networked soda machines. I don't think you have that many soda machines. Even on 5 continents. Even with your growing Asian market, your suppliers, and the whole marketing team.

In practice individual sites might be assigned between a 22 and a 16 with sites with exotic requirements having multiple assignments potentially from different non-interconnected networks (but still with internal uniqueness requirements).
//Err. Doing it wrong does not justify doing it wrong.
RE: was bogon filters, now Brief Segue on 1918
--- [EMAIL PROTECTED] wrote:
Most organizations that would be doing this would not randomly pick out subnets, if I understand you. They would randomly pick out a subnet, then they would sub-subnet that based on a scheme.
---

One way to do it...

In picking out 1918 space for a network, I happened to notice it was 2:45pm. I randomly picked 20 minutes less and came up with 10.245.225. Then I started going lower as everyone seems to start lower and then goes higher. 10.245.225.0/24, 10.245.224.0/24, etc. Within those (and the larger subnets) I chose to fill out the blocks based on a scheme.

So far, no network has used these ranges and we've connected to many.

scott
RE: was bogon filters, now Brief Segue on 1918
But ... that's part of why RFC1918 is used, so they have this fairly large address range to play with. And remember, what one person calls inefficiency, another calls flexibility. Either (or neither) may be right!

Oh, and I don't think we can say RFC1918 doesn't work today - obviously it does, just possibly inducing lots of headaches.

And yes, same ideas occur - just with larger numbers :) - in v6. To keep the analogy complete, reference ULAs ... with a (more stringent?) random component. (I put a question mark on that just because you can break the spec and configure non-random ones grumble)

/TJ

-Original Message-
From: Darden, Patrick S. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2008 1:19 PM
To: Marshall Eubanks; Joel Jaeggli
Cc: nanog@nanog.org
Subject: RE: was bogon filters, now Brief Segue on 1918

Actually, rereading this, I agree. My experience is large companies take it all, using huge swathes inefficiently, instead of doing it right. In my previous post I was answering the question I thought you were asking, not your real question.

I agree with you both. I think that RFC1918 could work, if companies used it correctly. Again, though, I have only run into one company that used it correctly.

IPV6, you are our only hope! (obiwan kenobi, you are our only hope!)

--p

Joel said
How much of 10/8 and 172.16/12 does an organization with ~80k employees, on 5 continents, with hundreds of extranet connections to partners and suppliers in addition to numerous acquisitions and the occasional subsidiary who also use 10/8 and 172.16/12 use?

Marshall said
In my experience, effectively all of it.
RE: was bogon filters, now Brief Segue on 1918
I think the problem is that operational reality (ease of use, visual clarity, etc.) has long since won the war against the numerical capabilities. Things like assigning /24's per vlan make the routing table easy to read, subnets easy to assign, etc. Starting from the bottom up, the next easy segregation point is /16s per site. Yielding just over 250 sites, each with just over 250 network segments, each supporting up to 250 or so users. Easy aggregation summarization, easy to own and operate ... grossly inefficient. But common.

So, right or wrong is largely irrelevant - it just is. Now go into that environment and push for a strictly-speaking efficient allocation mechanism and let me know what kind of traction you get.

Moving forward, we can try to do things right in our IPv6 networks ... assuming we don't inherit too much of the cruft from above. Use the bits to do flexible allocation while also maintaining aggregation / summarization - it can be done.

... now let's get some work done.

/TJ

-Original Message-
From: Darden, Patrick S. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2008 1:48 PM
To: Joel Jaeggli
Cc: nanog@nanog.org
Subject: RE: was bogon filters, now Brief Segue on 1918

I'll reply below with //s. My point is still: most companies do not use RFC1918 correctly.

Your point seemed to be that it is not a large enough allocation of IPs for an international enterprise of 80K souls. My rebuttal is: 16.5 million IPs isn't enough?

--p

-Original Message-
From: Joel Jaeggli [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2008 1:31 PM
To: Darden, Patrick S.
Cc: nanog@nanog.org
Subject: Re: was bogon filters, now Brief Segue on 1918

That's comical thanks. come back when you've done it.
//Ok.

Marshall is correct.
//Ok.

If you'd like to avoid constant renumbering you need a sparser allocation model. You're still going to have collisions with your suppliers and acquisitions and some applications (eg labs, factory automation systems etc) have orders of magnitude larger address space requirements than the number of humans using them implies.
//You used the metric of 80K people. Now you say it is a bad metric when I reply using it. Your fault, you compound it--you don't provide a better one.

What are we talking about then? 100 IPs per person--say each person has 10 PCs, 10 printers, 10 automated factory machines, 10 lab instruments, 49 servers and the soda machine on their network? 80,000*100==8 million IP addresses. That leaves you with 8.5 million. And that includes 80,000 networked soda machines. I don't think you have that many soda machines. Even on 5 continents. Even with your growing Asian market, your suppliers, and the whole marketing team.

In practice individual sites might be assigned between a 22 and a 16 with sites with exotic requirements having multiple assignments potentially from different non-interconnected networks (but still with internal uniqueness requirements).
//Err. Doing it wrong does not justify doing it wrong.
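TJ's two posts above point at the random component of ULAs and at carrying the /16-per-site, /24-per-segment habit into IPv6 without losing aggregation. As an added example (not code from the thread), the Python below implements the RFC 4193 section 3.2.2 Global ID derivation (SHA-1 over an NTP timestamp and an EUI-64, low 40 bits under fd00::/8), a birthday-bound estimate of how likely independently generated ULA /48s are to collide when organisations interconnect, and the nibble-aligned /56-per-site, /64-per-segment carve-out of the resulting /48. The MAC address and timestamp in the demo are constructed sample values, not anything from a real network.

```python
# Added example, not from the thread: RFC 4193 section 3.2.2 ULA generation,
# a birthday-bound collision estimate, and a /56-per-site, /64-per-segment
# plan carved from the /48. The MAC and timestamp in __main__ are constructed.
import hashlib
import ipaddress
import itertools
import math
import struct
from typing import List

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)


def ntp_timestamp(unix_time: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900 followed by a 32-bit fraction."""
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32))
    return struct.pack("!II", secs & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def eui64_from_mac(mac48: int) -> bytes:
    """Modified EUI-64 from a 48-bit MAC (RFC 4291 app. A): insert FFFE, flip the U/L bit."""
    oui = (mac48 >> 24) & 0xFFFFFF
    ext = mac48 & 0xFFFFFF
    eui = (oui << 40) | (0xFFFE << 24) | ext
    eui ^= 1 << 57  # the universal/local bit is 0x02 of the first octet
    return eui.to_bytes(8, "big")


def ula_prefix(ntp_ts: bytes, eui64: bytes) -> ipaddress.IPv6Network:
    """RFC 4193 3.2.2: Global ID = low 40 bits of SHA-1(time || EUI-64), under fd00::/8."""
    digest = hashlib.sha1(ntp_ts + eui64).digest()
    global_id = int.from_bytes(digest[-5:], "big")   # least significant 40 bits
    # fc00::/7 with L=1 gives 0xfd, then the 40-bit Global ID, then 80 zero bits
    prefix_int = (0xFD << 120) | (global_id << 80)
    return ipaddress.IPv6Network((prefix_int, 48))


def is_ula(net: ipaddress.IPv6Network) -> bool:
    """True when the prefix lies inside the ULA block fc00::/7."""
    return net.subnet_of(ipaddress.IPv6Network("fc00::/7"))


def collision_probability(num_prefixes: int) -> float:
    """Birthday bound on two of `num_prefixes` random 40-bit Global IDs coinciding."""
    pairs = num_prefixes * (num_prefixes - 1) / 2
    return 1.0 - math.exp(-pairs / float(1 << 40))


def site_plan(org48: ipaddress.IPv6Network, sites: int,
              segments_per_site: int) -> List[List[ipaddress.IPv6Network]]:
    """/56 per site (256 per /48) and /64 per segment (256 per /56), all summarising to the /48."""
    site_prefixes = itertools.islice(org48.subnets(new_prefix=56), sites)
    return [list(itertools.islice(s.subnets(new_prefix=64), segments_per_site))
            for s in site_prefixes]


if __name__ == "__main__":
    sample_mac = 0x001A2B3C4D5E      # constructed; a real run would use the host's own MAC
    sample_time = 1218040380.0       # constructed timestamp (August 2008)
    prefix = ula_prefix(ntp_timestamp(sample_time), eui64_from_mac(sample_mac))
    print("ULA /48:", prefix, "is ULA:", is_ula(prefix))
    print("collision risk across 10,000 independent ULAs: %.2e" % collision_probability(10000))
    for site in site_plan(prefix, sites=2, segments_per_site=3):
        print("  site:", [str(seg) for seg in site])
```

The derivation is deterministic for a given timestamp and interface identifier, which is what makes the test below repeatable; in operation the timestamp is taken at generation time, so two organisations that each follow the procedure end up with Global IDs that are, to the birthday bound printed above, vanishingly unlikely to coincide. A hand-picked Global ID such as fd00:0:0::/48 has none of that protection, which is the "non-random ones" complaint in the post.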