just a brief note about anycast

2003-12-08 Thread Eliot Lear
I realize that the anycast discussion was meant by Karl as an example. 
But there was precisely one technical concern I had when discussion got 
going.  And that was that if something went wrong- meaning that someone 
was returning bad data- the IP address wouldn't necessarily provide a 
clear answer as to who the source of the bad data is.

I expressed this concern privately to Paul Vixie who provided me a very 
satisfactory answer: you can query the name server for a record that 
will provide you uniquely identifying information.  I'll let Paul 
describe this, but it amounts to the borrowing of an unused class for 
management purposes.

While there is always room for improvement of course,  Paul's answers 
make it clear to me that the root folk have given this some fairly 
careful thought.  I also agree with Paul on another point- different 
methods used by different servers ARE a good thing, so that no one 
logical attack could take them all out.

Good documentation is also really important.  It turns out there is some 
for F, at least.  See http://www.isc.org/tn/isc-tn-2003-1.html by Joe Abley.

Eliot
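The identification trick Eliot mentions, as an added illustration that is not code from the thread or from ISC: ask the instance that answered to name itself via a management record in a borrowed class. The block assumes that record is the hostname.bind TXT record in class CH (the BIND convention; an assumption, since the note above does not name it), builds the query by hand and parses a constructed reply, so it runs offline.

```python
"""Build a class-CH TXT query for hostname.bind and read the instance name
out of the reply. Added example; the reply used here is constructed, not
captured from any root server, and hostname.bind/CH is an assumed convention."""
import struct
from typing import Optional, Tuple

CLASS_CH = 3     # the "unused" class borrowed for management queries
TYPE_TXT = 16
IDENT_NAME = "hostname.bind"   # assumption: the BIND identity record


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid: int, name: str = IDENT_NAME) -> bytes:
    # RD=0: we want the answer of the instance we reached, not a recursion.
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_CH)


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), end


def parse_identity(msg: bytes, expected_id: int) -> Optional[str]:
    """Return the TXT string identifying the answering instance, or None
    when the reply is not ours, is not a response, or carries an error
    (an instance may simply refuse to expose the record)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_id or not flags & 0x8000 or flags & 0x000F:
        return None
    off = 12
    for _ in range(qd):                     # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_TXT and rclass == CLASS_CH and name.lower() == IDENT_NAME:
            parts, p = [], 0                # TXT rdata: <len><chars> strings
            while p < len(rdata):
                n = rdata[p]
                parts.append(rdata[p + 1:p + 1 + n].decode("ascii", "replace"))
                p += 1 + n
            return "".join(parts)
    return None


def build_response(query: bytes, identity: str, rcode: int = 0) -> bytes:
    """Constructed reply as an instance would send it (test fixture only)."""
    txid = struct.unpack("!H", query[:2])[0]
    txt = bytes([len(identity)]) + identity.encode("ascii")
    header = struct.pack("!HHHHHH", txid, 0x8400 | rcode, 1, 0 if rcode else 1, 0, 0)
    answer = b"" if rcode else (
        b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, len(txt)) + txt)
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_query(0x1234)
    print(parse_identity(build_response(q, "example-instance-1"), 0x1234))
```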



Re: national security

2003-12-08 Thread Joe Abley
On 8 Dec 2003, at 10:14, Dean Anderson wrote:

> Also, anycasting doesn't work for TCP.

Would you care to elaborate on "doesn't work"?

> I agree.  It is easy to create a blackhole, or even a DDOS on an anycast
> address.  It is much harder to DDOS 600 IP addresses spread through some
> 200 countries.

It's arguably easier for a distributed attack to degrade the 
availability of a service bound to a unicast-reachable address than an 
anycast-reachable address. The former will tend to collect traffic 
along a progressively narrow funnel until congestion occurs; with an 
anycast target the pain is distributed over a set of funnels, and in 
general not all will experience the same degree (or any) pain, 
depending on the distribution and behaviour of the attacking nodes.

In a non-distributed attack anycast victims fare substantially better 
(since non-selected anycast targets are unaffected, and only suffer 
topological fallout from the node sinking the attack traffic).

Joe






Re: national security

2003-12-08 Thread Joe Abley
On 7 Dec 2003, at 07:21, Iljitsch van Beijnum wrote:

> I don't think this is an oversight, I'm pretty sure this was 
> intentional. However, since in practice the BGP best path selection 
> algorithm boils down to looking at the AS path length and this has the 
> tendency to be the same length for many paths, BGP is fairly useless 
> for deciding the best path for even low ambition definitions of the 
> word.
For the service aspects of F we're more concerned with reliability than 
performance. Recursive resolvers ask questions to the root relatively 
infrequently, and the important thing is that they have *a* path to use 
to talk to a root server, not necessarily that they are able to 
automagically select the instance with the lowest instantaneous RTT 
(and continue to find a root regardless of what damage might exist in 
the network elsewhere).

For example, local routing policies might lead a resolver in South 
Africa to select a path to 192.5.5.0/24 in California over the node in 
Johannesburg under normal operation. We hope, though, that in the event 
that the resolver becomes isolated from California, a path exists to 
Johannesburg which will allow F-root service to continue reliably (and, 
for example, to allow names under ZA corresponding to local, reachable, 
services to continue to resolve).

The selection of anycast node has more importance when you consider the 
other, non-service role of F, which is to sink attack traffic: we'd 
like to sink attack traffic as close to its source as possible. 
Fortunately the rough-hewn and clumsy hammer of BGP path selection 
seems good enough to attempt to attain that goal right now, since our 
routing policy generally leads people to favour a local node (peer) 
over a global node (transit) through application of pre-existing 
routing policy. This is a natural result of the common truth that 
peering paths are cheaper than transit ones.



Joe
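The path selection Joe describes in this and his previous message (peering preferred over transit, AS path length otherwise, and attack traffic sinking at whichever instance each source selects), as an added simulation that is not code from the thread, ISC or F-root. The node names, the resolvers' views of the table and the AS numbers (taken from the documentation range 64496-64511) are constructed; LOCAL_PREF 200 for peer paths and 100 for transit paths is the assumed local policy.

```python
"""Simplified BGP best-path selection for one anycast prefix, with failover
when an instance becomes unreachable and a per-instance view of where each
source's traffic lands. Added example with constructed data."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

PREFIX = "192.5.5.0/24"                       # the anycast prefix discussed above
LOCAL_PREF = {"peer": 200, "transit": 100}   # assumed policy: peering is cheaper


@dataclass(frozen=True)
class Route:
    instance: str        # anycast node that originated this copy of PREFIX
    learned_via: str     # "peer" or "transit"
    as_path: tuple       # constructed documentation ASNs, nearest first


def best_route(routes: List[Route]) -> Optional[Route]:
    """Decision process reduced to the two steps the thread discusses:
    highest LOCAL_PREF wins, then shortest AS_PATH; a full tie keeps the
    first route seen (standing in for the remaining tie-breakers)."""
    best = None
    for r in routes:
        if best is None:
            best = r
            continue
        if (LOCAL_PREF[r.learned_via], -len(r.as_path)) > \
           (LOCAL_PREF[best.learned_via], -len(best.as_path)):
            best = r
    return best


def withdraw(routes: List[Route], instance: str) -> List[Route]:
    """Everything learned from one instance is gone, e.g. the region is
    cut off from California."""
    return [r for r in routes if r.instance != instance]


def isolate(views: Dict[str, List[Route]], instance: str) -> Dict[str, List[Route]]:
    return {src: withdraw(rs, instance) for src, rs in views.items()}


def sink_distribution(views: Dict[str, List[Route]]) -> Dict[str, List[str]]:
    """Which instance each source ends up talking to. For attack traffic
    this is where the load lands: unicast has one funnel, anycast one per
    selected instance, ideally close to the source."""
    out = defaultdict(list)
    for source, routes in views.items():
        r = best_route(routes)
        out[r.instance if r else "unreachable"].append(source)
    return dict(out)


# Constructed views of PREFIX from a few networks.
ZA_RESOLVER = [       # transit only: AS_PATH length decides, i.e. California
    Route("california", "transit", (64496, 64497)),
    Route("johannesburg", "transit", (64498, 64499, 64500)),
]
ZA_PEERING_NET = [    # sees Johannesburg over a peering session: LOCAL_PREF decides
    Route("johannesburg", "peer", (64501,)),
    Route("california", "transit", (64496, 64497)),
]
VIEWS = {
    "za-resolver": ZA_RESOLVER,
    "za-peering-net": ZA_PEERING_NET,
    "us-net": [Route("california", "peer", (64502,))],
    "us-isp-customer": [Route("california", "transit", (64503, 64502))],
}

if __name__ == "__main__":
    print("normal:  ", sink_distribution(VIEWS))
    print("no calif:", sink_distribution(isolate(VIEWS, "california")))
```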






Re: /48 micro allocations for v6 root servers, was: national security

2003-12-08 Thread Bill Manning
%  (i personally don't think a /35 route with just one host in it makes
%  much sense,
% 
% Agree.

/35 routes are being discouraged in favor of /32 entries...
4,064,000,000 addresses to ensure that just one host
-might- have global reachability.  IMHO, a /48 is even 
overkill...  :)

--bill
Opinions expressed may not even be mine by the time you read them, and
certainly don't reflect those of any other entity (legal or otherwise).



Re: just a brief note about anycast

2003-12-08 Thread jfcm
At 17:05 08/12/03, Eliot Lear wrote:

> Good documentation is also really important.  It turns out there is some 
> for F, at least.  See http://www.isc.org/tn/isc-tn-2003-1.html by Joe Abley.

No one denies the dedication of the root people. But this is the crux: 
some documentation ... for one machine.

Where are the published, approved and certified procedures, agreements, 
insurance contracts, statistics, logger, budget, authorized people, 
clearances, oaths, for every person, company, organization sharing in 
root management? Where is the law concerning root management issues and 
impact? For example, is a root failure legally considered an act of God? 
Is tampering with the root a special crime? Due to the possible impact on the 
lives of people all over the planet, will it be judged by the UN? Who is to 
investigate? Root means life and death nowadays.

Either we need the root system and it must match the basic surety rules for 
a critical infrastructure, or we just want to keep the fossil concept the 
way it was designed 20 years ago. Then UN/ITU or private industry or a new 
NGO or a new Gov technically and security certified type of operator is to 
find, propose, test, and deploy another solution. I suggest they read 
carefully the very well crafted ICP-3 document. It correctly considers the 
end of the single authoritative root file concept, and documents the way to 
test new venues.

I am sorry to come again and again on this. I will do it until a special WG 
is created or IETF transfers the concern to ITU.

Because we must realize that - even brilliant and resilient - a 20 year 
old solution for an inter-university project designed for a single 
authority to keep control, and to provide a centralized (hierarchical) 
service, just cannot match today's technical, legal and security 
requirements. The way business is transacted, government operates, and 
national defense is conducted have changed. These activities rely on a 
complex interdependent network of information technology infrastructures we 
may call cyberspace, which includes the Internet and various other 
technologies. We must accept that if the IAB/IETF do not take it the same 
way as Govs, it will be removed from them. The world wants a new network 
approach, more equal, more secure, more stable, safer, more innovation 
oriented, respectful of national digital independence and sovereignty, and 
IS actually switching.
http://www.nytimes.com/2003/12/08/technology/08divide.html?th=pagewanted=printposition

Today, every nation needs and must be permitted a strategy towards a 
national and global secure cyberspace, which IAB and IETF are to design and 
help implement. It will provide a framework for protecting this 
infrastructure that is essential to their economy, security, and way of 
life. In the past few years, threats in cyberspace have risen dramatically. 
The policy of governments is to protect against the debilitating 
disruption of the operation of information systems for critical 
infrastructures and, thereby, help to protect the people, economy, national 
security and societal relations of their nations. We all must act to reduce 
the vulnerabilities to these threats before they can be exploited - as is 
so easy today with the DNS, cf. the recent threads - to damage the cyber 
systems or pollute other portions of the DNS which support national 
critical infrastructures, and ensure that such disruptions of cyberspace are 
infrequent, of minimal duration, manageable, and cause the least damage 
possible.

Securing cyberspace is a difficult strategic challenge that requires a 
coordinated and focused effort from the entire society—the government, 
regional and local governments, the private sector, and the people. The 
cornerstone of a nation's cyberspace security strategy should be 
public-private partnership such as proclaimed by the WSIS. Only by acting 
together from every nation can we build a more secure future in DNS and 
cyberspace, our world of today. Also, the nations not sharing in the root 
management must find sovereign alternatives to protect themselves, their 
citizens and their economy from bad root management by the nation dominating 
it, whatever the reason, and from their practical inability to quickly 
adapt in full and equal independence the portion of the root which may 
concern their immediate local situation after such actions as war, 
catastrophe, revolution, etc. and societal, cultural and legal rights. This 
is certainly a technical challenge since the DNS was not designed that way.

In the world critical root system area, Govs' actions should include: 
forensics and attack attribution, protection of installations, indications 
and warnings, and protection against organized attacks or against the 
consequences of their international policy (political tensions, wars) and 
the acts of God. They should also support research and technology 
development that will enable the private sector to better secure the 

Re: /48 micro allocations for v6 root servers, was: national security

2003-12-08 Thread Paul Vixie
   /35 routes are being discouraged in favor of /32 entries...
   4,064,000,000 addresses to ensure that just one host -might-
   have global reachability.  IMHO, a /48 is even overkill...  :)

i think the important points for ietf@ to know about are (a) that this
is an open issue, (b) that it's generally agreed that all the RIR's ought
to have the same rules regarding microallocations, and (c) exactly where
(as in what working group or mailing list or smoke filled room) the
discussion is being held.  for example, bill says above that /35 routes
are being discouraged and that's probably true but by whom? and where?



Re: national security

2003-12-08 Thread Masataka Ohta
Joe Abley;

> > I don't think this is an oversight, I'm pretty sure this was 
> > intentional. However, since in practice the BGP best path selection 
> > algorithm boils down to looking at the AS path length and this has the 
> > tendency to be the same length for many paths, BGP is fairly useless 
> > for deciding the best path for even low ambition definitions of the word.
>
> For the service aspects of F we're more concerned with reliability than 
> performance. Recursive resolvers ask questions to the root relatively 
> infrequently, and the important thing is that they have *a* path to use 
> to talk to a root server, not necessarily that they are able to 
> automagically select the instance with the lowest instantaneous RTT (and 
> continue to find a root regardless of what damage might exist in the 
> network elsewhere).

I'm afraid F servers do not follow the intention of my original
proposal of anycast root servers.
The intention is to allow millions or trillions of root servers.

While you can rely on someone else's root server with the BGP
best path selection, it is a lot better to have your own
root server.
In addition, it is not necessary to have any hierarchy between
anycast servers at all, as long as there is a single source of
information. Hierarchy may be useful if a single entity manages
all the anycast root servers. However, you can manage your own.
Finally, using only a single address, F, does not provide any
real robustness.
		Masataka Ohta





Re: just a brief note about anycast

2003-12-08 Thread Bill Manning
% Either we need the root system and it must match the basic surety rules for 
% a critical infrastructure, or we just want to keep the fossil concept the 
% way it was designed 20 years ago. 

Why do you think this is an either/or proposition?

% Then UN/ITU or private industry or a new 
% NGO or a new Gov technically and security certified type of operator is to 
% find, propose, test, and deploy another solution. I suggest them to read 
% carefully the very well crafted ICP-3 document. It correctly considers the 
% end of the single authoritative root file concept. And documents the way to 
% test new venues.

Please provide a pointer to this ICP-3 document.
UN/ITU, Private Industry, and NGO/Governments are -ALREADY- 
engaged in this process.

% I am sorry to come again and again on this. I will do it until a special WG 
% is created or IETF transfers the concern to ITU.

special WG - chartered in/under what jurisdiction?

% The world wants a new network 
% approach, more equal, more secure, more stable, safer, more innovation 
% oriented, respectful of national digital independence and sovereignty, and 
% IS actually switching.
% 
http://www.nytimes.com/2003/12/08/technology/08divide.html?th=pagewanted=printposition

Then the world is getting what it wants.  Is there a requirement
to force the dismantling of an existing system first?  If so, where
is that requirement documented?  Nothing is preventing -anyone-
or -any group- from formulating, and promulgating their own
naming constructs.

% Today, every nation needs and must be permitted a strategy towards a 
% national and global secure cyberspace 

Nothing is preventing nations from proceeding with their strategies
towards a national and globally secure cyberspace.


% IAB and IETF are to design and help 
% the implementation. 

Under what charter and funding model?

% Or more simply, may be kill the real time root servers concept and review 
% the DNS as a non God centralized system? If there was nothing to protect 
% because there would be nothing, we would risk far less from there.

Been there, done that. The TBDS project (circa 1999/2000) 
eliminated the requirement for an always on, fully connected
mesh, with access to any external authoritative servers, be
they root, tld, or anywhere else in the hierarchy.

The upshot was that the DNS is -fully- placed in the hands of
the endusers.  We did not replace one centralized service with
another or even a collection of centralized services, e.g. 
no ICANN, no IANA, no nation state, no private industry, no
NGO or multinational treaty organization.  It was -COMPLETELY-
up to the endusers.

% Then?

We wait for the adoption by vendors/users of the new world
order while we maintain, augment, and evolve the existing,
working system so as to facilitate a near-zero impact on the
people, organizations, and nations that have come to depend
on the system we have built.

% jfc

--bill
Opinions expressed may not even be mine by the time you read them, and
certainly don't reflect those of any other entity (legal or otherwise).



Re: /48 micro allocations for v6 root servers, was: national security

2003-12-08 Thread Bill Manning
%  /35 routes are being discouraged in favor of /32 entries...
%  4,064,000,000 addresses to ensure that just one host -might-
%  have global reachability.  IMHO, a /48 is even overkill...  :)
% 
% i think the important points for ietf@ to know about are (a) that this
% is an open issue, (b) that it's generally agreed that all the RIR's ought
% to have the same rules regarding microallocations, and (c) exactly where
% (as in what working group or mailing list or smoke filled room) the
% discussion is being held.  for example, bill says above that /35 routes
% are being discouraged and that's probably true but by whom? and where?

By ISPs, in conjunction w/ IETF and RIRs. Check the allocation
policies.  I'll agree that (a) is valid,  there is little that
is cast in stone.  (b) on the other hand, has any number of 
legal implications... collusion, monopolies, etc. As for (c),
check the RIR working groups and mailing lists, the V6OPS wg of the
IETF and the IPv6 protocol wg.

-- 
--bill

Opinions expressed may not even be mine by the time you read them, and
certainly don't reflect those of any other entity (legal or otherwise).




Re: national security

2003-12-08 Thread Masataka Ohta
Joe Abley;

> > I'm afraid F servers do not follow the intention of my original
> > proposal of anycast root servers.
>
> This may well be the case (I haven't read your original proposal).

The IDs have expired. I'm working on a revised one.

> Apologies if I gave the impression that I thought to the contrary.

No, no need of apologies.

> > Finally, using only a single address, F, does not provide any
> > real robustness.
>
> Fortunately there are twelve other root nameservers.

But, one should have one's own three root servers with different addresses.

		Masataka Ohta





RE: /48 micro allocations for v6 root servers, was: national security

2003-12-08 Thread Jeroen Massar

Paul Vixie wrote:

  /35 routes are being discouraged in favor of /32 entries...
  4,064,000,000 addresses to ensure that just one host -might-
  have global reachability.  IMHO, a /48 is even overkill...  :)
 
 i think the important points for ietf@ to know about are (a) that this
 is an open issue, (b) that it's generally agreed that all the 
 RIR's ought to have the same rules regarding microallocations, and (c) 
 exactly where (as in what working group or mailing list or smoke filled room) the
 discussion is being held.  for example, bill says above that 
 /35 routes are being discouraged and that's probably true but by 
 whom? and where?

There are currently quite some ISPs who filter anything /35.
Generally ISPs should be filtering on allocation boundaries.
Thus if a certain prefix is allocated as a /32, they should not
be accepting anything smaller (/33, /34 etc).

Checking http://www.sixxs.net/tools/grh/tla/all/

8<
The database currently holds 630 IPv6 TLA's.
Of which 18 (2.86%) are returned to the pool, 202 (32.06%) IPv6
TLA's didn't have a routing entry.
Thus 410 (65.08%) networks are currently announced.
0 (0.00%) only announced a /35 while they have been assigned a /32.
13 (2.06%) announce both their /32 and their /35.
- >8

I have to add that there is an error here as 2001:dc0::/35 is in
the tables, but doesn't get picked up by the software; will be
fixing that soonish. Generally if you announce a /35 it will get
through to most ISPs. But we should be avoiding that. Currently
the ipv6 global routing table is quite small, but it could grow
quite large and when ISPs still don't filter correctly, or worse,
if ISPs don't aggregate, it will explode and we will be needing
the follow-up to BGP soon, which is more work for the IETF :)

As for which smoke-filled room, this should be a task of the
RIRs, thus RIPE's IPv6 WG etc., but it usually takes place when
communicating between ISPs. Notice that many ISPs use Gert's list:
http://www.space.net/~gert/RIPE/ipv6-filters.html

I would applaud a generic /32 that is 'allowed' to be cut up
into multiple /48's for the purpose of critical infrastructure.
But please, keep it to 1 *documented* /32. That way people will
know that they will see more specifics from that prefix and that
they should be accepting it too.

Currently the !3! IX blocks (2001:7f8::/32 + 2001:504::/32 + 2001:7fa::/32)
are seen being announced in pieces too. Maybe these IX blocks, which
are common already could be used for assigning 'critical infra' from?

This is a RIR thing and should be discussed there (ipv6-wg cc'd).
The IETF though should of course advise in all matters.

Greets,
 Jeroen





Re: /48 micro allocations for v6 root servers, was: national security

2003-12-08 Thread John Stracke
Bill Manning wrote:

% b) that it's generally agreed that all the RIR's ought
% to have the same rules regarding microallocations, 

	(b) on the other hand, has any number of 
	legal implications... collusion, monopolies, etc.
 

But this is an example where uniformity is desirable on technical grounds 
(i.e., if the policies aren't uniform, nobody will know how small they 
can afford to filter).  That's got to be legal, or no standards body 
would be safe.  Or do you think the participants in, say, the ipp WG are 
vulnerable to charges of colluding to drive competing printing protocols 
from the market?

--
/=\
|John Stracke  |[EMAIL PROTECTED]  |
|Principal Engineer|http://www.centive.com|
|Centive   |My opinions are my own.   |
|=|
|The Reality Check's in the mail. --L. Peter Deutsch|
\=/




Re: /48 micro allocations for v6 root servers, was: national security

2003-12-08 Thread Zefram
Bill Manning wrote:
   /35 routes are being discouraged in favor of /32 entries...
   4,064,000,000 addresses to ensure that just one host
   -might- have global reachability.  IMHO, a /48 is even 
   overkill...  :)

Just wondering, as I have about IPv4 anycast allocations: why can't we
designate a block for microallocations, within which prefix length filters
aren't applied?  The number of routes in the DFZ is the same either way;
is there any technical reason why /64 or /128 prefixes, or /32 in IPv4,
can't be used?  I'm not a routing person, so apologies if this is somehow
unspeakably dumb.

-zefram



Re: [ipv6-wg@ripe.net] RE: /48 micro allocations for v6 root servers, was: national security

2003-12-08 Thread Gert Doering
Hi,

On Mon, Dec 08, 2003 at 10:01:53PM +0100, Jeroen Massar wrote:
 There are currently quite some ISPs who filter anything /35.
 Generally ISPs should be filtering on allocation boundaries.
 Thus if a certain prefix is allocated as a /32, they should not
 be accepting anything smaller (/33, /34 etc).

There is no commonly agreed-upon best practice for this yet.

We do *not* suppress more-specifics from those address blocks, as we
think it's a legitimate wish for certain networks to be multihomed,
and currently there is no other solution than to go for the pragmatic
approach, and just announce a /40 or even /48.

I agree that things that are more specific than a /48 should not be
out there.

[..]
 the ipv6 global routing table is quite small, but it could grow
 quite large and when ISPs still don't filter correctly, or worse,
 if ISPs don't aggregate, it will explode and we will be needing
 the follow-up to BGP soon, which is more work for the IETF :)

If every holder of an AS will announce one prefix at maximum (which
should be doable by proper aggregation), the v6 BGP table would grow
to about 20.000 entries.  This is still manageable, although it would
kill my good old Cisco 2500 that still has a full v6 BGP table...

 As for which smoke-filled room, this should be a task of the
 RIRs, thus RIPE's IPv6 WG etc., but it usually takes place when
 communicating between ISPs. Notice that many ISPs use Gert's list:
 http://www.space.net/~gert/RIPE/ipv6-filters.html
 
 I would applaud a generic /32 that is 'allowed' to be cut up
 into multiple /48's for the purpose of critical infrastructure.
 But please, keep it to 1 *documented* /32. That way people will
 know that they will see more specifics from that prefix and that
 they should be accepting it too.

As you cite my page, you will also know that it does not make a specific
recommendation on the subject of filtering things between /35 and /48...

Gert Doering
-- NetMaster
-- 
Total number of prefixes smaller than registry allocations:  57386  (57785)

SpaceNet AG Mail: [EMAIL PROTECTED]
Joseph-Dollinger-Bogen 14   Tel : +49-89-32356-0
80807 Muenchen  Fax : +49-89-32356-299






ITU takes over?

2003-12-08 Thread Noel Chiappa
Just saw this online, and it seem apropos to recent traffic:

  A controversial plan to grant governments broad controls over the Internet
  has stolen the spotlight of a United Nations conference on IT next week,
  where China and Cuba will be among its strongest supporters. 
  Leaders from nearly 200 countries will convene in Geneva for the World
  Summit on the Information Society (WSIS) Dec. 10-12, an inaugural
  conference with lofty goals to discuss bridging the digital divide and
  fostering press freedoms. 
  But a contentious political move to grant an international governing body
  such as the U.N.'s International Telecommunication Union (ITU) control over
  Internet governance issues -- from distributing Web site domains to the
  public to fighting spam -- has all but obscured the more virtuous aspects
  of the event. 
  ...
  .. many in the developing world believe a new approach is needed as the
  [Internet] enters its teen years, one that will see poorer countries
  harness new technologies to improve their competitive stance. 
  ...
  [ICANN] has been criticized roundly for adopting a pro-business approach
  that neglects the developing world. 
  The ITU .. has been put forth by the developing world as the governing body
  that will best address its needs. 
  What we are looking at is the future management of the Internet. It's not
  about who owns it or who will be regulating the laws, but what is best way
  to manage what has become a natural resource for all of humanity,'' a
  summit official said.

http://money.cnn.com/2003/12/08/technology/internet.reut/index.htm

Anyone know more about this?

Noel





Re: national security

2003-12-08 Thread Joe Abley
On 8 Dec 2003, at 15:25, Masataka Ohta wrote:

> I'm afraid F servers do not follow the intention of my original
> proposal of anycast root servers.

This may well be the case (I haven't read your original proposal). 
Apologies if I gave the impression that I thought to the contrary.

> Finally, using only a single address, F, does not provide any
> real robustness.

Fortunately there are twelve other root nameservers.

Joe






Re: /48 micro allocations for v6 root servers, was: national security

2003-12-08 Thread Bill Manning
% Bill Manning wrote:
%  /35 routes are being discouraged in favor of /32 entries...
%  4,064,000,000 addresses to ensure that just one host
%  -might- have global reachability.  IMHO, a /48 is even 
%  overkill...  :)
% 
% Just wondering, as I have about IPv4 anycast allocations: why can't we
% designate a block for microallocations, within which prefix length filters
% aren't applied?  The number of routes in the DFZ is the same either way;
% is there any technical reason why /64 or /128 prefixes, or /32 in IPv4,
% can't be used?  I'm not a routing person, so apologies if this is somehow
% unspeakably dumb.
% 
% -zefram

we can.  There is no reason why... routing table slots are
routing table slots.  It does place the onus on the ISPs to
be more vigorous in tracking what they will and will not accept
or propagate. Now, they tend to depend on RIRs to set their 
routing policies for them... :)

--bill
Opinions expressed may not even be mine by the time you read them, and
certainly don't reflect those of any other entity (legal or otherwise).



Re: just a brief note about anycast

2003-12-08 Thread Randy Presuhn
Hi -

 From: jfcm [EMAIL PROTECTED]
 To: Eliot Lear [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Sent: Monday, December 08, 2003 10:27 AM
 Subject: Re: just a brief note about anycast
...
  The world wants a new network
 approach, more equal, more secure, more stable, safer, more innovation
 oriented, respectful of national digital independence and sovereignty, and
 IS actually switching.
...

Phrases like "national digital independence and sovereignty" make
it sound as though the real motivation for all this is to make it
easier for the repressive regimes of the world to selectively disconnect
themselves from the global net.  Things are bad enough already.
Let's not help the chauvinists of nationalism make things worse,
even though the technology is already in place to allow them to do it.

Admirable goals like improving network security and stability do
not require increased government involvement, nor do they in
any way require abandoning the existing cooperative relationship
between the ITU and the IETF.  The very notion of national
digital independence and sovereignty is contrary to network
security and stability.

Randy





Re: /48 micro allocations for v6 root servers, was: national security

2003-12-08 Thread Valdis . Kletnieks
On Mon, 08 Dec 2003 21:17:00 GMT, Zefram [EMAIL PROTECTED]  said:

 Just wondering, as I have about IPv4 anycast allocations: why can't we
 designate a block for microallocations, within which prefix length filters
 aren't applied?  The number of routes in the DFZ is the same either way;
 is there any technical reason why /64 or /128 prefixes, or /32 in IPv4,
 can't be used?  I'm not a routing person, so apologies if this is somehow
 unspeakably dumb.

No technical reason - except if you say I'll filter IPv4 announcements at
/28, then you're open to routing table burps if somebody accidentally
or intentionally de-aggregates to a very long prefix.  Imagine if somebody
flubs and withdraws a /12 and announces a /12 worth of /28 (Yes,
this sort of stuff DOES happen.)
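Jeroen's proposal above (filter on allocation boundaries, but accept /48 more-specifics from one documented critical-infrastructure /32) and Valdis's de-aggregation "burp" in this message, as one added example that is not code from the thread, any RIR or any router vendor. The allocation table is constructed from documentation prefixes: 2001:db8::/32 stands for an ordinary RIR /32 and 3fff::/32 (documentation range 3fff::/20) for the single documented block; 198.18.0.0/15 stands in for Valdis's /12 since a de-aggregation to /28 is the same mechanism at a smaller scale. The per-session prefix limit is an assumed safeguard, not something the thread describes; Gert's caveat applies, this is one possible policy rather than an agreed practice.

```python
"""Prefix-length filter on allocation boundaries plus a documented
micro-allocation block, and a per-session prefix limit that catches a
de-aggregation burst. Added example with constructed data."""
import ipaddress
from typing import Iterable, Iterator, List, Tuple

ALLOCATIONS_V6 = [ipaddress.ip_network("2001:db8::/32")]   # constructed: ordinary /32 allocation
CRITICAL_V6 = ipaddress.ip_network("3fff::/32")            # constructed: the one documented block
CRITICAL_MAX_LEN = 48   # /48 micro-allocations are expected only from that block
V4_MAX_LEN = 28         # the loose IPv4 policy in Valdis's example


def filter_announcement(prefix: str) -> Tuple[bool, str]:
    """Return (accept?, reason) for one received announcement."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False, "not a valid prefix"
    if net.version == 4:
        if net.prefixlen > V4_MAX_LEN:
            return False, f"longer than /{V4_MAX_LEN}"
        return True, "accepted by length only"
    if net.prefixlen > CRITICAL_MAX_LEN:
        return False, f"longer than /{CRITICAL_MAX_LEN}"
    if net.subnet_of(CRITICAL_V6):
        return True, "more-specific of the documented critical-infrastructure block"
    for alloc in ALLOCATIONS_V6:
        if net.subnet_of(alloc):
            if net.prefixlen == alloc.prefixlen:
                return True, "matches allocation boundary"
            return False, f"more-specific of {alloc}, allocated as /{alloc.prefixlen}"
    return False, "not inside any known allocation"


def deaggregate(prefix: str, new_len: int) -> Iterator[str]:
    """What a router that 'flubs' emits: the block withdrawn and re-announced
    as every /new_len inside it, 2 ** (new_len - old_len) routes in all."""
    for sub in ipaddress.ip_network(prefix).subnets(new_prefix=new_len):
        yield str(sub)


def receive_update(announcements: Iterable[str], max_prefix: int) -> Tuple[List[str], bool]:
    """Apply the filter, then the per-session prefix limit. Returns the routes
    accepted up to the point the limit tripped, and whether it tripped (a real
    router would tear the session down rather than keep installing routes)."""
    accepted: List[str] = []
    for p in announcements:
        ok, _reason = filter_announcement(p)
        if not ok:
            continue
        accepted.append(p)
        if len(accepted) > max_prefix:
            return accepted, True
    return accepted, False


if __name__ == "__main__":
    for p in ["2001:db8::/32", "2001:db8::/35", "3fff:0:1::/48", "3fff::1/128"]:
        print(p, filter_announcement(p))
    routes, tripped = receive_update(deaggregate("198.18.0.0/15", 28), max_prefix=1000)
    print(len(routes), "routes accepted before limit tripped:", tripped)
```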




RE: just a brief note about anycast

2003-12-08 Thread Steve Schieberl

 Phrases like "national digital independence and sovereignty"
 make it sound as though the real motivation for all this is to
 make it easier for the repressive regimes of the world to
 selectively disconnect themselves from the global net.
 Things are bad enough already. Let's not help the
 chauvinists of nationalism make things worse, even though
 the technology is already in place to allow them to do it.

Long time lurker, first time writer.  I wholeheartedly agree.  'Tis all.
 




RE: /48 micro allocations for v6 root servers, was: national security

2003-12-08 Thread Jeroen Massar

[This should go to v6ops@ or [EMAIL PROTECTED] :) ]

Zefram wrote:

 Bill Manning wrote:
  /35 routes are being discouraged in favor of /32 entries...
  4,064,000,000 addresses to ensure that just one host
  -might- have global reachability.  IMHO, a /48 is even 
  overkill...  :)
 
 Just wondering, as I have about IPv4 anycast allocations: why can't we
 designate a block for microallocations, within which prefix 
 length filters aren't applied?

That would be the best solution; make it documented and publicly known.

  The number of routes in the DFZ is the same 
 either way; is there any technical reason why /64 or /128 prefixes, or 
 /32 in IPv4, can't be used?  I'm not a routing person, so apologies if 
 this is somehow unspeakably dumb.

Expect to see routers being optimized that will only route
the upper 64bits of the address, so you might not want to do
anything smaller than that.

Of course one can use /128 routes, and /64's etc.
But because of anycast you don't want to use /127's though.

Greets,
 Jeroen





Worst case question I guess

2003-12-08 Thread Dan Kolis
As a (not too) humble regular DNS user as opposed to an insider... What is
the worst case scenario on this, anyway?

It seems to me our buddies at the North American power reliability board
(whatever) would say they can't POSSIBLY fail such that power is out for
days. Yet it happened. I think it killed some folks here and there too.

It seems to me, I'm speaking from a skeptical approach, which is always the
best when the downside's big. 

If all the root operators had an offline copy of their DNS entries and
rolled back 24 hours in a crisis, so what? 99.99% of DNS UDP's would
resolve, a few new ones would be troubled. No Anycast, no BGP, just roll back
a day and reassess the systemic failure for a next plan. Turn all that off
and think for a day or so.

It seems to me a smaller chance but a non-trivial one is for the whole thing
to become unreliable because the (maybe) millions of subdomains get
clobbered. For instance, I think I'm right that the subdomain www.
{anything} is incredibly distributed. Never a SOA at a TLD ccTLD... You know
what I mean.

If a WWW snagger rewriter virus existed that left 100% of the root servers
perfect (either due to a brilliant management plan, disinterest, or dumb
luck, etc.) but www.{any} didn't work, the loss of functionality would be
close to having the roots lost, wouldn't it?

Harder to fix, because the people involved haven't been to a fancy workshop
of what if's. And they're hard to contact because suddenly internet is
unreliable. There was an outage in the switched telephone system much like
this about 12 years ago. None of the technocrats who could fix it could find
each other, so the outage persisted for a long time until an unnamed vendor!
bicycled new binaries to 400 phone switches.

regards
Dan
 

Dan Kolis - Lindsay Electronics Ltd [EMAIL PROTECTED]
50 Mary Street West, Lindsay Ontario Canada K9V 2S7
(705) 324-2196  X272 (705) 324-5474 Fax
An ISO 9001 Company; 
/Document end




Re: /48 micro allocations for v6 root servers, was: national security

2003-12-08 Thread Iljitsch van Beijnum
On 8-dec-03, at 22:01, Jeroen Massar wrote:

There are currently quite some ISP's who filter anything /35.
Generally ISP's should be filtering on allocation boundaries.
Thus if a certain prefix is allocated as a /32, they should not
be accepting anything smaller (/33, /34 etc)
So how are ISPs supposed to know what the allocation size for a 
particular prefix is? This type of filtering only works if the filter 
list is relatively short and pretty much never changes. Anything else 
and the cure is worse than the disease.

I would applaud a generic /32 that is 'allowed' to being cut up
into multiple /48's for the purpose of critical infrastructure.
But please, keep it to 1 *documented* /32. That way people will
know that they will see more specifics from that prefix and that
they should be accepting it too.
I'm not sure if it needs to be a /32 or if it needs to be just a single 
one, but I fully agree this should be documented very well and in a 
central place. Buried somewhere on a RIR website isn't good enough. 
(Try finding the micro allocation list on the ARIN site without 
help from Google.)

I think this means it must be an RFC. RIR documents just don't have the 
same standing in the community, and, apparently, quality control.

Currently the !3! IX blocks (2001:7f8::/32 + 2001:504::/32 + 
2001:7fa::/32)
are seen being announced in pieces too. Maybe these IX blocks, which
are common already could be used for assigning 'critical infra' from?
Note that announcing the actual prefix for an internet exchange subnet 
tickles an undesirable BGP feature in places where the prefix isn't 
filtered, so these prefixes are best not announced. The allocations 
seem to be /48s and not /64s though, so in practice this shouldn't be a 
problem but still no reason why these should be globally visible.

Root nameservers are a very different story of course...




Re: ITU takes over?

2003-12-08 Thread Anthony G. Atkielski
Noel Chiappa writes:

 Anyone know more about this?

Since it is being discussed in secret (with even ICANN excluded,
apparently), it's hard to know more.




Re: /48 micro allocations for v6 root servers, was: national security

2003-12-08 Thread Iljitsch van Beijnum
[my apologies for burning so much bandwidth]

On 8-dec-03, at 22:17, Zefram wrote:

Just wondering, as I have about IPv4 anycast allocations: why can't we
designate a block for microallocations, within which prefix length 
filters
aren't applied?  The number of routes in the DFZ is the same either 
way;
is there any technical reason why /64 or /128 prefixes, or /32 in IPv4,
can't be used?  I'm not a routing person, so apologies if this is 
somehow
unspeakably dumb.
In RFC 3513 (section 2.6) it more or less says that anycast addresses 
must be host addresses and they must be propagated throughout the 
region where there are interfaces configured for the anycast address. 
So if there are root servers sharing an anycast address all over the 
globe, there must be a globally visible /128 for that root server.

So no, this isn't dumb. Also, if anycast addresses are going to come 
from micro allocations there is no particular reason to stop at 48 
bits. A prefix size that is different from what millions of end users 
will be getting might in fact be a plus.





Re: /48 micro allocations for v6 root servers, was: national security

2003-12-08 Thread Zefram
[EMAIL PROTECTED] wrote:
   Imagine if somebody
flubs and withdraws a /12 and announces a /12 worth of /28

That's why I suggested relaxing the filters only within a designated
block.  So (for IPv4) the /12 worth of /28s gets ignored, but the /32s
in the micro-allocation block are accepted.  It always seemed odd to me
that we allocate a /24 per anycast service, and worry about the address
space wastage, when all the anycast services we can expect to find useful
in IPv4 will comfortably fit into less than a single /24.

If there's a problem due to the need for 100% implementation of
the relaxation of prefix length filters, we should allocate a
micro-allocation block for IPv6 *now*, while the number of routers
requiring reconfiguration is relatively small.  I propose 0:1::/32,
which is distinctive, causes no fragmentation, and is in a region of
the address space already recognised as being for weird stuff.

-zefram



Re: /48 micro allocations for v6 root servers, was: national security

2003-12-08 Thread Franck Martin




Just some perspectives on the IPv6 addressing scheme, that I have highlighted to APNIC.

A country like Tuvalu with about 10,000 people, which is an island with many possibilities of connectivity to the Internet would be attributed what range if they request IPv6?

Don't tell me they do not need IPv6 or they can get it from their upstream provider. It is a country, they should be able to change their upstream provider every 6 months without having to change the IP space of the country...

BTW: I know about 10 countries in this case in the Pacific Islands, unfortunately few are APNIC members or attend APNIC.

Cheers




Franck Martin
[EMAIL PROTECTED]
SOPAC, Fiji
GPG Key fingerprint = 44A4 8AE4 392A 3B92 FDF9 D9C6 BE79 9E60 81D9 1320
All knowledge is an answer to a question. G. Bachelard








RE: [ipv6-wg@ripe.net] RE: /48 micro allocations for v6 root servers, was: national security

2003-12-08 Thread Jeroen Massar
-----BEGIN PGP SIGNED MESSAGE-----

Gert Doering [mailto:[EMAIL PROTECTED] wrote:

 On Mon, Dec 08, 2003 at 10:01:53PM +0100, Jeroen Massar wrote:
  There are currently quite some ISP's who filter anything /35.
  Generally ISP's should be filtering on allocation boundaries.
  Thus if a certain prefix is allocated as a /32, they should not
  be accepting anything smaller (/33, /34 etc)
 
 There is no commonly agreed-upon best practice for this yet.

Some ISP's do it, most don't.

Btw CH-SUNRISE-20031124 = 2001:1700::/27, so Libertel isn't the
biggest girl on the block anymore with their /31 :)

 We do *not* suppress more-specifics from those address blocks, as we
 think it's a legitimate wish for certain networks to be multihomed,
 and currently there is no other solution than to go for the pragmatic
 approach, and just announce a /40 or even /48.
 
 I agree that things that are more specific than a /48 should not be
 out there.

Indeed. And yes there are ISP's announcing /128's etc.
And private ASN's for that matter or even using them as transit.

SNIP

 As you cite my page, you will also know that it does not make a specific
 recommendation on the subject of filtering things between /35 and /48...

Yups and I fully support that argument.

If it was done we would currently see 413 prefixes, those are the
'allocated' prefixes that are getting announced.
In GRH each of the ~30 peers have an average of 459 prefixes.
Checking just now, the highest number of prefixes sent to GRH
was 515 prefixes, which is far from the 20k or even 30k if all
the ASN's would announce 1 IPv6 prefix.

At the moment that is certainly no problem and it shouldn't be
for years to come, unless IPv6 really takes off. Google/Doom3 IPv6 anyone?

The biggest advantage that IPv6 already has is that a single
ISP already gets enough space, thus it doesn't need to 

Iljitsch van Beijnum [mailto:[EMAIL PROTECTED] wrote:

 On 8-dec-03, at 22:01, Jeroen Massar wrote:
 
  There are currently quite some ISP's who filter anything /35.
  Generally ISP's should be filtering on allocation boundaries.
  Thus if a certain prefix is allocated as a /32, they should not
  be accepting anything smaller (/33, /34 etc)
 
 So how are ISPs supposed to know what the allocation size for a 
 particular prefix is? This type of filtering only works if the filter 
 list is relatively short and pretty much never changes. Anything else 
 and the cure is worse than the disease.

The proposed Redistribution of Cooperative Filtering Information draft
could help out there which allows one to redistribute 'good prefix' lists.
See https://www1.ietf.org/mail-archive/working-groups/idr/current/msg00201.html
for the draft or http://arneill-py.sacramento.ca.us/redisfilter.ppt for
the presentation given in Minneapolis.

Without that or a similar system, it would be a pain indeed.
That's why I pointed to Gert's page which has a better and
currently working solution.

SNIP

  Currently the !3! IX blocks (2001:7f8::/32 + 2001:504::/32 + 
  2001:7fa::/32)
  are seen being announced in pieces too. Maybe these IX blocks, which
  are common already could be used for assigning 'critical infra' from?

 Note that announcing the actual prefix for an internet exchange subnet 
 tickles an undesirable BGP feature in places where the prefix isn't 
 filtered, so these prefixes are best not announced.

As far as I can see with the GRH tools etc, all the prefixes
that are allocated as IX Prefixes and those that are in use
are currently visible worldwide.

 The allocations seem to be /48s and not /64s though, so in
 practice this shouldn't be a problem but still no reason why
 these should be globally visible.

The only reason I heard so far is so that people in Tokyo can
ping the IX interface in London or a similar kind of scenario.
They argue that it is handy for debugging. My take is that if
it isn't your network, you can't fix it either, so if a traceroute
ends on that box, contact them, they can really figure it out.

 Root nameservers are a very different story of course...

A /32 contains 65k /48's, so these IX blocks could provide for
enough /48's for 65k IX's, thus unless that switch at the back
of my desk, which connects 'neighbours' too is to be called an
IX, because they have a linux router and me too and they speak
BGP is going to be called an IX it shouldn't be a problem if
the same block is used for 26? and maybe 3 tld servers per country.

At least everybody will know that that /32 will have more specifics.

Greets,
 Jeroen

-----BEGIN PGP SIGNATURE-----
Version: Unfix PGP for Outlook Alpha 13 Int.
Comment: Jeroen Massar / [EMAIL PROTECTED] / http://unfix.org/~jeroen/

iQA/AwUBP9UHMymqKFIzPnwjEQLiLwCgta1mOkrixvXcZD8mTLheePv9ERYAn3GK
Rt2Hp+dk8HVBDuFaub0lf6Rt
=OqJO
-----END PGP SIGNATURE-----




Re: ITU takes over?

2003-12-08 Thread vinton g. cerf
There have been fairly intense discussions in a series of meetings called PrepComs 
as in preparatory committees leading up to the World Summit on the Information 
Society (WSIS) taking place December 10-12 in Geneva. In the most recent meetings, a 
government only rule was invoked that excluded interested parties such as ICANN, 
among others, but the texts have been made visible. Of course, it remains to be seen 
whether these texts will be adopted by the summit meeting representatives.

The texts cover principles and action plans, respectively, for realization of the 
Information Society. 

The subject of Internet Governance has been a large focus of attention, as has been 
a proposal for creating an international fund to promote the creation of information 
infrastructure in the developing world. Internet Governance is a very broad topic 
including law enforcement, intellectual property protection, consumer protection, tax 
policies, and so on. It also happens to include some of the things that ICANN is 
responsible for. Unfortunately, the discussion has tended to center on ICANN as the 
only really visible example of an organization attempting to develop policy (which is 
being treated as synonymous with governance). ICANN's mandate is very limited and it 
would be helpful if the broad governance issues mentioned above could find other 
organizational homes. ICANN's work could be fitted into a larger framework but some 
people seem to think that if ICANN doesn't do all the things that might fall into 
Internet governance then ICANN should be replaced with, eg, an ITU or UN body. 

This is, of course, a controversial matter with sovereignty of states mixed into a 
variety of political attitudes about the US, the Department of Commerce role with 
ICANN and so on. It should come as no surprise to anyone that I would prefer to see a 
solution to the broad governance problem that continues to limit the ICANN mandate and 
creates organizational homes for that which ICANN cannot or should not undertake. Just 
as plainly, I don't favor replacing ICANN with a UN-agency.

You may make a search on key words, like internet governance at that site 
www.wsis-online.net and will see all relevant meetings.

Hope this is helpful.

Vint Cerf

At 11:51 PM 12/8/2003 +0100, Anthony G. Atkielski wrote:
Noel Chiappa writes:

 Anyone know more about this?

Since it is being discussed in secret (with even ICANN excluded,
apparently), it's hard to know more.

Vint Cerf
SVP Technology Strategy
MCI
22001 Loudoun County Parkway, F2-4115
Ashburn, VA 20147
703 886 1690 (v806 1690)
703 886 0047 fax
[EMAIL PROTECTED]
www.mci.com/cerfsup 




Re: Worst case question I guess

2003-12-08 Thread John C Klensin
Dan,

One small addition to your discussion/scenario...

As has been pointed out on this list, the actual rate of changes 
in the root zone is on the order of a few per week. 
Statistically, that means your 24 hour rollback might, often, 
have zero effect.   Now compare this to the change rate in some 
very large ccTLD or gTLD, which is, I would assume, measured in 
the thousands per day range.

Now a short quiz:

(i) Which part of the potential outage problem should we
be spending a lot of energy worrying about, based on the
impact of a simple halt to effective updating for a
while or, in your scenario, a rollback?

(ii) Why does all the energy go into worrying about the
root instead?

(iii) While (as has also been pointed out) the software
and systems run by the root operators are fairly
diverse, protecting them from easy, one-size-fits-all
versions of certain types of attacks, would you care to
guess at the diversity level among the servers for the
typical large ccTLD or gTLD?
(iv) I can be reached, via various forwarding aliases
(and, in some cases, almost by accident), using domain
names that are subdomains of five different TLDs
(although I use most of them sufficiently infrequently
that, in the case of a COM outage, you'd probably have
to phone me to find out which to use).  How about you?
Guess what the count is for the typical Internet user.
sigh
john


--On Monday, 08 December, 2003 17:21 -0500 Dan Kolis 
[EMAIL PROTECTED] wrote:

As a (not too) humble regular DNS user as opposed to an
insider... What is the worst case scenario on this, anyway?
It seems to me our buddies and the North American power
reliability board; (whatever) would say they can't POSSIBLY
fail such that power is out for days. Yet it happened. I think
killed some folks here and there too.
It seems to me, I'm speaking from a skeptical approach which
is always the best when the downside's big.
If all the root operators had an offline copy of their DNS
entries and rolled back 24 hours in a crisis, so what? 99.99%
of DNS UDP's would resolve, a few new ones would be troubled.
No Anycast, no BGP, just rollback a day and reassess the
systemic failure for a next plan. Turn all that off and think
for a day or so.
It seems to me a smaller chance but a non-trivial one is for
the whole thing to become unreliable because the (maybe)
millions of subdomains get clobbered. For instance, I think
I'm right that the subdomain www. {anything} is incredibly
distributed. Never a SOA at a TLD ccTLD... You know what I
mean.
If a WWW snagger rewriter virus existed that left 100% of
the root servers perfect (either due to a brilliant management
plan, disinterest, or dumb luck, etc.) but www.{any} didn't
work, the loss of functionality would be close to having the
roots lost, wouldn't it?
Harder to fix, because the people involved haven't been to a
fancy workshop of what if's. And they're hard to contact because
suddenly internet is unreliable. There was an outage in the
switched telephone system much like this about 12 years ago.
None of the technocrats who could fix it could find each
other, so the outage persisted for a long time until an
unnamed vendor! bicycled new binaries to 400 phone switches.
regards
Dan
Dan Kolis - Lindsay Electronics Ltd [EMAIL PROTECTED]
50 Mary Street West, Lindsay Ontario Canada K9V 2S7
(705) 324-2196  X272 (705) 324-5474 Fax
An ISO 9001 Company;
/Document end








Re: /48 micro allocations for v6 root servers, was: national security

2003-12-08 Thread Ted Hardie
At 11:21 AM +1200 12/09/2003, Franck Martin wrote:
Just some perspectives on the IPv6 addressing scheme, that I have highlighted to 
APNIC.

A country like Tuvalu with about 10,000 people, which is an island with many 
possibilities of connectivity to the Internet would be attributed what range if they 
request IPv6?

The key question I would ask is whether Tuvalu is planning to provide services to
its 10,000 people.  If it plans a state monopoly ISP with eventual service to
some fraction (possibly 100%) of its citizens, then it is a service provider
with that base.

If, on the other hand, it is not planning to provide services itself, but will allow
competition among service providers so that some folk get IP connectivity
through Vendor A and some through Vendor B, then it is appropriate to say
those folks getting service from A have space allocated from Vendor A and
those from Vendor B from Vendor B.


Don't tell me they do not need IPv6 or they can get it from their upstream provider. 
It is a country, they should be able to change their upstream provider every 6 months 
without having to change the IP space of the country...

Their being a country isn't nearly so important as whether or not they are a network. 
Provider independent address space for a network can make sense (whether justified
through multi-homing, sovereignty, or correct form-filling skills).  Provider 
independent
address space for something that is not a network is just bits.

BTW: I know about 10 countries in this case in the Pacific Islands, unfortunately few 
are APNIC members or attend APNIC.

Cheers


regards,
Ted Hardie



Re: /48 micro allocations for v6 root servers, was: national security

2003-12-08 Thread Mark Prior
Franck Martin wrote:

Just some perspectives on the IPv6 addressing scheme, that I have
highlighted to APNIC.
A country like Tuvalu with about 10,000 people, which is an island with
many possibilities of connectivity to the Internet would be attributed
what range if they request IPv6?
Don't tell me they do not need IPv6 or they can get it from their
upstream provider. It is a country, they should be able to change their
upstream provider every 6 months without having to change the IP space
of the country...
BTW: I know about 10 countries in this case in the Pacific Islands,
unfortunately few are APNIC members or attend APNIC.
I know it's a bit bigger but see Papua New Guinea (2001:0C60::/32). I'm 
not sure if they are using it yet as I stopped providing support for PNG 
before I could roll out new router OS versions necessary to support 
IPv6. I doubt that APNIC would have a problem with Tuvalu making a case 
for a prefix.

Mark.




Re: ITU takes over?

2003-12-08 Thread vinton g. cerf
Noel:


1.  The Salt Lake Tribune:  U.S. Net dominance questioned
http://www.sltrib.com/2003/Dec/12082003/business/118003.asp

2.  The Register: Internet showdown side-stepped in Geneva
http://www.theregister.co.uk/content/6/34394.html

3.  CNN Money: A potentially tangled Web?
http://money.cnn.com/2003/12/08/technology/internet.reut/

4.  The Washington Times: U.N. control of Web rejected
http://washingtontimes.com/world/20031208-125717-6682r.htm

5.  SeattlePi.com: Talks seek global Internet ground rules
http://seattlepi.nwsource.com/business/aptech_story.asp?category=1700slug=UN%20Tech%20Summit

6.  The New York Times: Digital Divide to Be Big Issue at U.N. Summit on
Internet
http://www.nytimes.com/2003/12/07/international/07CND-DIVI.html?ex=1071464400en=1f0ead87b5fce559ei=5062partner=GOOGLE

7.  Telecom.paper: ITU nominated to monitor Internet governance
http://www.telecom.paper.nl/index.asp?location=http%3A//www.telecom.paper.nl/site/news_ta.asp%3Ftype%3Dabstract%26id%3D37965%26NR%3D122

8.  TechWorld: Battle for control of Internet postponed
http://www.techworld.com/news/index.cfm?fuseaction=displaynewsnewsid=750

9.  ARS Technica: U.N. battle brewing over control of the Internet
http://arstechnica.com/news/posts/1070735373.html

10.  BBC News: Go ahead for UN internet summit
http://news.bbc.co.uk/2/hi/technology/3300071.stm

At 02:42 PM 12/8/2003 -0500, Noel Chiappa wrote:
Just saw this online, and it seem apropos to recent traffic:

 snip

http://money.cnn.com/2003/12/08/technology/internet.reut/index.htm

Anyone know more about this?

Noel

Vint Cerf
SVP Technology Strategy
MCI
22001 Loudoun County Parkway, F2-4115
Ashburn, VA 20147
703 886 1690 (v806 1690)
703 886 0047 fax
[EMAIL PROTECTED]
www.mci.com/cerfsup 




Re: [ipv6-wg@ripe.net] RE: /48 micro allocations for v6 root servers, was: national security

2003-12-08 Thread Bill Manning
%  Root nameservers are a very different story of course...
% 
% A /32 contains 65k /48's, so these IX blocks could provide for
% enough /48's for 65k IX's, thus unless that switch at the back
% of my desk, which connects 'neighbours' too is to be called an
% IX, because they have a linux router and me too and they speak
% BGP is going to be called an IX it shouldn't be a problem if
% the same block is used for 26? and maybe 3 tld servers per country.
% 
% At least everybody will know that that /32 will have more specifics.
% 
% Greets,
%  Jeroen


2001:0478:: was delegated expressly for IX and core infrastructure.
That's where at least one of the IPv6 prefixes for root-servers
exists.  Two are from ARIN micro-allocations and there is a
/32 for another server.


--bill
Opinions expressed may not even be mine by the time you read them, and
certainly don't reflect those of any other entity (legal or otherwise).



Re: ITU takes over?

2003-12-08 Thread Eric A. Hall

On 12/8/2003 5:36 PM, vinton g. cerf wrote:

 The subject of Internet Governance has been a large focus of
 attention, as has been a proposal for creating an international fund to
 promote the creation of information infrastructure in the developing
 world. Internet Governance is a very broad topic including law
 enforcement, intellectual property protection, consumer protection, tax
 policies, and so on.

Yay, another proposal to give control of $resource to $tyrant while having
the west pay for it.

What's the track record on those? Not gonna happen. Move along.

-- 
Eric A. Hall                              http://www.ehsco.com/
Internet Core Protocols  http://www.oreilly.com/catalog/coreprot/




Re: ITU takes over?

2003-12-08 Thread Ole J. Jacobsen
See http://www.isoc.org/



Ole J. Jacobsen
Editor and Publisher,  The Internet Protocol Journal
Tel: +1 408-527-8972   GSM: +1 415-370-4628
E-mail: [EMAIL PROTECTED]  URL: http://www.cisco.com/ipj



On Mon, 8 Dec 2003, Anthony G. Atkielski wrote:

 Noel Chiappa writes:

  Anyone know more about this?

 Since it is being discussed in secret (with even ICANN excluded,
 apparently), it's hard to know more.





Re: just a brief note about anycast

2003-12-08 Thread Dean Anderson
On Mon, 8 Dec 2003, Randy Presuhn wrote:

 Phrases like national digital independence and sovereignty make
 it sound as though the real motivation for all this is to make it
 easier for the repressive regimes of the world to selectively disconnect
 themselves from the global net.  Things are bad enough already.
 Let's not help the chauvinists of nationalism make things worse,
 even though the technology is already in place to allow them to do it.

Well, they think we are the chauvinists of unilateralism.  If we had
played more fairly and honestly, they might not be so suspicious of our
motives.  And it's not just about disconnection.  One can already
disconnect if one chooses. So I think the developing world views it as
about freedom from the undue control and influence of a unilateral power.

 Admirable goals like improving network security and stability do
 not require increased government involvement, nor do they in
 any way require abandoning the existing cooperative relationship
 between the ITU and the IETF.  The very notion of national
 digital independence and sovereignty is contrary to network
 security and stability.

Actually, these admirable goals do require government involvement. Without
laws to punish the crackers and the DDOS'rs, there is no network security
or stability.  One cannot fight international crime without Interpol, and
organizations like Interpol cannot exist without respect for national
sovereignty.


--Dean




Re: ITU takes over?

2003-12-08 Thread Franck Martin




Hmmm,

What is wrong with ISOC?

Cannot it be this body, we are looking for?


Cheers

On Tue, 2003-12-09 at 11:36, vinton g. cerf wrote:

There have been fairly intense discussions in a series of meetings called PrepComs as in preparatory committees leading up to the World Summit on the Information Society (WSIS) taking place December 10-12 in Geneva. In the most recent meetings, a government only rule was invoked that excluded interested parties such as ICANN, among others, but the texts have been made visible. Of course, it remains to be seen whether these texts will be adopted by the summit meeting representatives.

The texts cover principles and action plans, respectively, for realization of the Information Society. 

The subject of Internet Governance has been a large focus of attention, as has been a proposal for creating an international fund to promote the creation of information infrastructure in the developing world. Internet Governance is a very broad topic including law enforcement, intellectual property protection, consumer protection, tax policies, and so on. It also happens to include some of the things that ICANN is responsible for. Unfortunately, the discussion has tended to center on ICANN as the only really visible example of an organization attempting to develop policy (which is being treated as synonymous with governance). ICANN's mandate is very limited and it would be helpful if the broad governance issues mentioned above could find other organizational homes. ICANN's work could be fitted into a larger framework but some people seem to think that if ICANN doesn't do all the things that might fall into Internet governance then ICANN should be replaced with, eg, an ITU or UN body. 








Franck Martin
[EMAIL PROTECTED]
SOPAC, Fiji
GPG Key fingerprint = 44A4 8AE4 392A 3B92 FDF9 D9C6 BE79 9E60 81D9 1320
All knowledge is an answer to a question. G. Bachelard








RE: /48 micro allocations for v6 root servers, was: national security

2003-12-08 Thread Jeroen Massar
-----BEGIN PGP SIGNED MESSAGE-----

[2 mails into one again]

Bill Manning [mailto:[EMAIL PROTECTED] wrote:

 % Expect to see routers being optimized that will only route
 % the upper 64bits of the address, so you might not want to do
 % anything smaller than that.
 
   This, if it happens, will be exactly opposed to 
   the IPv6 design goal, which was to discourage/prohibit
   hardware/software designers from making presumptions or
   assumptions about the size of prefixes and HARDCODING them
   into products.

Good point. With current allocation schemes it should work but
maybe in the future, for anything outside 2000::/3 it could
indeed change and then the above could indeed break.

Hope the implementers of routing engines did notice that
unlike what I did :)

 %  Root nameservers are a very different story of course...
 % 
 % A /32 contains 65k /48's, so these IX blocks could provide for
 % enough /48's for 65k IX's, thus unless that switch at the back
 % of my desk, which connects 'neighbours' too is to be called an
 % IX, because they have a linux router and me too and they speak
 % BGP is going to be called an IX it shouldn't be a problem if
 % the same block is used for 26? and maybe 3 tld servers per country.
 % 
 % At least everybody will know that that /32 will have more specifics.
 % 
 % Greets,
 %  Jeroen
 
 
   2001:0478:: was delegated expressly for IX and core infrastructure.

- - is this documented somewhere?
  (google on the prefix only returns discussions about it's use ;)

- - is it available to the world(tm) as it looks like this is only
  available for exchanges managed by EP as per http://www.ep.net/wtgipa.html
  Thus also to the RIPE/APNIC/LACNIC region ?
  Regionalizing a root-server shouldn't be the case anyways as it
  shouldn't be bound to a certain spot.

I, personally, see absolutely no problem into making it the 'critical infra'
or 'root server' prefix, when it is documented correctly. EP.NET acts as
a neutral body, with this way kinda of a sub-RIR though. All root-servers
should be using the space then btw, not a few, but all of them.
Exceptions to the rule will only cause that the exceptions are forgotten
or that the rule is bent too badly that the rule isn't in place anymore.

   Thats where at least one of the IPv6 prefixes for root-servers
   exists.  Two are from ARIN micro-allocations and there is a
   /32 for another server.

Grepping on root+dns in http://www.sixxs.net/tools/grh/tla/all/

2001:7fd::/32  K-rootserver-net-20030829 (not seen)
2001:7fe::/32  I-rootserver-net-20030916 (seen per 2003-09-17)
2001:dc0::/32  APNIC-AP-V6-20030124  *
2001:dc3::/32  M-ROOT-DNS-IPv6-20030619  (seen per 2003-08-31)
2001:dc4::/32  jp-dns-JPNIC-JP-20031117  (seen per 2003-12-03)

* = 2001:dc0::/35 + 2001:dc0:2000::/35 are announced, not the /32

The ARIN microallocs are not in there as they are not TLA's.
Should I start tracking those too with GRH?

Btw currently seen in the routing table (as per GRH)
2001:478::/32 (from SPRINT / AS6175)
2001:478::/45  (from EP.NET / AS4555)
2001:478:65::/48 (from EP.NET / AS4555)

Greets,
 Jeroen

-----BEGIN PGP SIGNATURE-----
Version: Unfix PGP for Outlook Alpha 13 Int.
Comment: Jeroen Massar / [EMAIL PROTECTED] / http://unfix.org/~jeroen/

iQA/AwUBP9UjUymqKFIzPnwjEQJ/1wCcCdLq3LSE+0DZBr6TvRh/APRR7K4AoIyg
Kh9IVDhzyle40AT6c4s0xH0b
=ybSi
-----END PGP SIGNATURE-----
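The filter policy argued over in this thread (accept a prefix only at its allocation boundary, but relax that rule inside a small, documented set of blocks where more-specifics down to /48 are expected, as Zefram, Iljitsch and Jeroen each put it) and the "announced in pieces / not seen" check Jeroen reads off GRH, as one added example. This is not code from any poster or from GRH. The allocation and announcement lists are constructed from the prefixes quoted in the messages above; treating the three IX blocks and 2001:478::/32 as the documented more-specific blocks, and /48 as the longest prefix accepted inside them, is this example's own assumption, not a published policy.

```python
# Added example: an IPv6 prefix filter that accepts routes on allocation
# boundaries except inside documented blocks where more-specifics are
# expected, plus a visibility check for each allocation. Not a poster's code;
# the block list and the /48 limit are assumptions made for illustration.
import ipaddress

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")

# Assumption: blocks inside which more-specifics are accepted, down to /48.
# These are the IX / core-infrastructure blocks named in the thread.
MORE_SPECIFIC_BLOCKS = {
    ipaddress.ip_network("2001:7f8::/32"): 48,
    ipaddress.ip_network("2001:504::/32"): 48,
    ipaddress.ip_network("2001:7fa::/32"): 48,
    ipaddress.ip_network("2001:478::/32"): 48,
}

# Constructed allocation list: the root-server /32s quoted from GRH.
SAMPLE_ALLOCATIONS = [ipaddress.ip_network(p) for p in (
    "2001:7fd::/32", "2001:7fe::/32", "2001:dc0::/32",
    "2001:dc3::/32", "2001:dc4::/32",
)]

# Constructed routing-table snapshot: exact allocations, the two /35 pieces
# seen instead of 2001:dc0::/32, the EP.NET more-specifics, and some junk.
SAMPLE_ANNOUNCED = [ipaddress.ip_network(p) for p in (
    "2001:7fe::/32", "2001:dc0::/35", "2001:dc0:2000::/35", "2001:dc3::/32",
    "2001:dc4::/32", "2001:478::/32", "2001:478::/45", "2001:478:65::/48",
    "2001:478:65::/64", "2001:db8::/32", "fe80::/10",
)]


def classify(prefix, allocations, blocks=MORE_SPECIFIC_BLOCKS):
    """Return (accept, reason) for one announced prefix.

    The documented blocks are checked before the allocation-boundary rule,
    because that is exactly where the boundary rule is meant to be relaxed.
    """
    net = ipaddress.ip_network(str(prefix), strict=False)
    if net.version != 6 or not net.subnet_of(GLOBAL_UNICAST):
        return False, "outside 2000::/3"
    for block, max_len in blocks.items():
        if net.subnet_of(block):
            if net.prefixlen <= max_len:
                return True, "inside documented block %s (up to /%d)" % (block, max_len)
            return False, "longer than /%d inside %s" % (max_len, block)
    for alloc in allocations:
        if net == alloc:
            return True, "exact allocation"
        if net.subnet_of(alloc):
            return False, "more-specific of allocation %s" % alloc
    return False, "no known allocation covers it"


def accepted(announced, allocations):
    """Prefixes that survive the filter, as strings, in table order."""
    return [str(n) for n in announced if classify(n, allocations)[0]]


def coverage(allocations, announced):
    """How each allocation shows up in the table: 'exact' if the aggregate is
    announced, 'pieces' if only more-specifics are, 'not seen' otherwise."""
    result = {}
    for alloc in allocations:
        if any(a == alloc for a in announced):
            result[str(alloc)] = "exact"
        elif any(a.subnet_of(alloc) for a in announced):
            result[str(alloc)] = "pieces"
        else:
            result[str(alloc)] = "not seen"
    return result


if __name__ == "__main__":
    for n in SAMPLE_ANNOUNCED:
        ok, why = classify(n, SAMPLE_ALLOCATIONS)
        print("%-20s %s  %s" % (n, "accept" if ok else "reject", why))
    for alloc, how in coverage(SAMPLE_ALLOCATIONS, SAMPLE_ANNOUNCED).items():
        print("%-16s %s" % (alloc, how))
```

Run as a script it prints one verdict per announced prefix and then the visibility of each allocation; the /35 pieces of 2001:dc0::/32 are rejected by the boundary rule while the same allocation is reported as "pieces", and the EP.NET /45 and /48 pass only because their block is on the documented list. Swapping the constructed lists for a real RIR allocation file and a route-table dump is the only change needed to run it against live data; the open question from the thread, who publishes and maintains that documented list, is not something the code can answer.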




Re: ITU takes over?

2003-12-08 Thread vinton g. cerf
at the moment it is not well constituted to develop policy.

v

At 01:01 PM 12/9/2003 +1200, Franck Martin wrote:
Hmmm,

What is wrong with ISOC?

Cannot it be this body, we are looking for?

Vint Cerf
SVP Technology Strategy
MCI
22001 Loudoun County Parkway, F2-4115
Ashburn, VA 20147
703 886 1690 (v806 1690)
703 886 0047 fax
[EMAIL PROTECTED]
www.mci.com/cerfsup 




Re: ITU takes over?

2003-12-08 Thread Mark Atwood
vinton g. cerf [EMAIL PROTECTED] writes:
 At 01:01 PM 12/9/2003 +1200, Franck Martin wrote:
 What is wrong with ISOC?
 at the moment it is not well constituted to develop policy.

This is a feature, not a bug.

-- 
Mark Atwood   | When you do things right,
[EMAIL PROTECTED] | people won't be sure you've done anything at all.
http://www.pobox.com/~mra



FWD: ICANN GNSO Request for public comment on Registry Services

2003-12-08 Thread John C Klensin
Hi.

This seems worth forwarding to the IETF list in case people have 
comments they would like to submit as individuals.  I'm also 
forwarding it to the IAB in the event that they think a formal 
comment is appropriate.

Reading hint: while the proposed procedure seems, from the 
description, to be oriented toward requests such as

   "we have been registering only names from organizations
   of type X, we would now like to register type Y as well"
or
   "we would like to charge EUR 5 per year rather than USD 6"

it would presumably also apply to requests such as:

   "we would like to start registering arbitrary binary
   strings in the TLD"
   "we would like to auction off a wildcard record in the
   TLD"
or
   "we would like to start putting, e.g., NAPTR and SRV
   records in the TLD zone, not just NS records."
I suspect some members of this community might have opinions on 
such issues.  If we do, it seems reasonable to make comments on 
the procedures that would ensure the availability of adequate 
and early consideration.  Or maybe we don't care after all.

Note that discussion here is pointless: if you have a position 
and want to express it, tell the GNSO according to the 
instructions given on the cited web pages.

regards,
   john
-- Forwarded Message --
Date: Monday, 08 December, 2003 23:41 +0100
From: GNSO SECRETARIAT [EMAIL PROTECTED]
To: announce [EMAIL PROTECTED]
Subject: [announce] Request for public comment on Registry 
Services

Please see the request for Public comment on:
Procedure for use by ICANN in considering requests for consent
and related contractual amendments to allow changes in the
architecture or operation of a gTLD registry
at:
http://gnso.icann.org
http://gnso.icann.org/comments-request/
http://gnso.icann.org/issues/registry-services/tor-revised.shtml
Draft Terms of reference
Procedure for use by ICANN in considering requests for consent
and related contractual amendments to allow changes in the
architecture or operation of a gTLD registry
COMMENT PERIOD is open for 20 days and ENDS 28 DECEMBER 2003,
23:00 GMT
Thank you in anticipation for the time taken to comment.

GNSO Secretariat



-- End Forwarded Message --


Re: just a brief note about anycast

2003-12-08 Thread Randy Presuhn
Hi -

 From: Dean Anderson [EMAIL PROTECTED]
 To: Randy Presuhn [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Sent: Monday, December 08, 2003 4:50 PM
 Subject: Re: just a brief note about anycast
...
 Well, they think we are the chauvinists of unilateralism.  If we had
 played more fairly and honestly, they might not be so suspicious of our

How has the IETF been playing unfairly or dishonestly?
Or is the argument that ICANN has been unfair and dishonest?

 motives.  And it's not just about disconnection.  One can already
 disconnect if one chooses. So I think the developing world views it as
 about freedom from the undue control and influence of a unilateral power.
...

How would replacing ICANN (or the IETF) with the ITU
make things any less unilateral?  As I see it, all that it would
accomplish is that it would give governments and corporations
a more direct voice in matters, at the expense of individual
technical contributors.

Randy





Re[2]: ITU takes over?

2003-12-08 Thread Anthony G. Atkielski
Franck Martin writes:

 What is wrong with ISOC?

 Cannot it be this body, we are looking for?

ISOC membership is open to anyone.  Very few governments are going to
support an organization that does not restrict its membership to elite
government representatives.




Re[2]: just a brief note about anycast

2003-12-08 Thread Anthony G. Atkielski
Dean Anderson writes:

 Well, they think we are the chauvinists of unilateralism.  If we had
 played more fairly and honestly, they might not be so suspicious of our
 motives.

What has been unfair and dishonest thus far?  Dominance by the U.S. does
not automatically equate to unfairness and dishonesty.

The only reason there is an Internet at all is that the United States
built one.  If it had been up to the developing countries, the only
communication available today would be paper cups and taut string, and
it would be available only to a few dictators.

 So I think the developing world views it as about freedom
 from the undue control and influence of a unilateral power.

These developing countries are still trying to grapple with the
challenge of clean running water for their populations; why do they care
about the Internet?

The real concerns of the Third World are three: (1) they want more
money from the West for their corrupt governments; (2) they want to
suppress any form of free speech that might undermine their corrupt
governments; and (3) they want more money from the West for their
corrupt governments.

 Actually, these admirable goals do require government
 involvement.

Digital independence and sovereignty scarcely seem like admirable goals;
they are just synonyms for censorship and restricted access.

 Without laws to punish the crackers and the DDOS'rs, there
 is no network security or stability.

It is not necessary to intervene in the technical implementation of the
network to punish crackers and others; it is only necessary to find
them.

 One cannot fight international crime without Interpol, and
 organizations like Interpol cannot exist without respect for
 national sovereignty.

By definition, an organization like Interpol requires the partial
sacrifice of national sovereignty.  If all states were entirely
sovereign, no interstate police organization could exist.

The same is true for the Internet (and the telephone network, and postal
services, and so on).




Re: just a brief note about anycast

2003-12-08 Thread Franck Martin

On Tue, 2003-12-09 at 15:15, Randy Presuhn wrote:

Hi -

How would replacing ICANN (or the IETF) with the ITU
make things any less unilateral?  As I see it, all that it would
accomplish is that it would give governments and corporations
a more direct voice in matters, at the expense of individual
technical contributors.

Randy

And one important fact is that the IETF issues standards which do not contain patents... but the ITU does!

Cheers




Franck Martin
[EMAIL PROTECTED]
SOPAC, Fiji
GPG Key fingerprint = 44A4 8AE4 392A 3B92 FDF9 D9C6 BE79 9E60 81D9 1320
All knowledge is an answer to a question (G. Bachelard)


Re: /48 micro allocations for v6 root servers, was: national security

2003-12-08 Thread Bill Manning
%  I, personally, see absolutely no problem into making it the 'critical infra'
%  or 'root server' prefix, when it is documented correctly. EP.NET acts as
%  a neutral body, with this way kinda of a sub-RIR though. All root-servers
%  should be using the space then btw, not a few, but all of them.
% 
% i, both personally and professionally, think that this would not be desirable.
% -- 
% Paul Vixie

EP.NET has been doing micro-allocations for longer than all but
one RIR has been in existence. That said, I am grateful that RIRs
themselves are doing micro-allocations. This for two reasons:

) customers should have -choice-
) using multiple prefixes reduces the impact of route flap
  taking out everyone.


--bill
Opinions expressed may not even be mine by the time you read them, and
certainly don't reflect those of any other entity (legal or otherwise).



Re: just a brief note about anycast

2003-12-08 Thread Paul Hoffman / IMC
At 3:30 PM +1200 12/9/03, Franck Martin wrote:
And one important fact, is that IETF issues standards which do not 
contain patents... but ITU does!
It depends on what you mean by "do not contain patents". If you mean 
"that are not covered by any patents", then tropical living has 
really affected your view of IETF reality. Reading 
http://www.ietf.org/ipr.html will possibly drag you back to where 
the rest of the folks on this mailing list reside.

--Paul Hoffman, Director
--Internet Mail Consortium



Re: Re[2]: just a brief note about anycast

2003-12-08 Thread Franck Martin

On Tue, 2003-12-09 at 15:30, Anthony G. Atkielski wrote:

The real concerns of the Third World are three: (1) they want more
money from the West for their corrupt governments; (2) they want to
suppress any form of free speech that might undermine their corrupt
governments; and (3) they want more money from the West for their
corrupt governments.


We could talk about AID here, but it is not the IETF subject.

I would summarise like this:

more than half of the AID from the US government goes to Israel only (you know what Israel does with this money)
USAID policy is for each nickel given, there should be 2 nickels back...

Yes I know I summarise...

and yes there are corrupt governments out there

Sorry, I could not let it go...

Please do not reply to this e-mail on the list, this has nothing to do with IETF.




Franck Martin
[EMAIL PROTECTED]
SOPAC, Fiji
GPG Key fingerprint = 44A4 8AE4 392A 3B92 FDF9 D9C6 BE79 9E60 81D9 1320
All knowledge is an answer to a question (G. Bachelard)


Re: ITU takes over?

2003-12-08 Thread shogunx
On Mon, 8 Dec 2003, vinton g. cerf wrote:

 at the moment it is not well constituted to develop policy.

No, but it is well constituted to be.  It is only necessary that it be
reconstituted.

Scott

 v

 At 01:01 PM 12/9/2003 +1200, Franck Martin wrote:
 Hmmm,
 
 What is wrong with ISOC?
 
 Cannot it be this body, we are looking for?

 Vint Cerf
 SVP Technology Strategy
 MCI
 22001 Loudoun County Parkway, F2-4115
 Ashburn, VA 20147
 703 886 1690 (v806 1690)
 703 886 0047 fax
 [EMAIL PROTECTED]
 www.mci.com/cerfsup




sleekfreak pirate broadcast
world tour 2002-3
live from the pirate hideout
http://sleekfreak.ath.cx:81/




Re: ITU takes over?

2003-12-08 Thread Valdis . Kletnieks
On Tue, 09 Dec 2003 05:37:18 EST, shogunx said:
 On Mon, 8 Dec 2003, vinton g. cerf wrote:
 
  at the moment it is not well constituted to develop policy.
 
 No, but it is well constituted to be.  It is only necessary that it be
 reconstituted.

The fact that cats could swim for long periods underwater if only they were
fish is not by itself sufficient reason to attempt the conversion.



