just a brief note about anycast
I realize that the anycast discussion was meant by Karl as an example. But there was precisely one technical concern I had when discussion got going. And that was that if something went wrong - meaning that someone was returning bad data - the IP address wouldn't necessarily provide a clear answer as to who the source of the bad data is.

I expressed this concern privately to Paul Vixie who provided me a very satisfactory answer: you can query the name server for a record that will provide you uniquely identifying information. I'll let Paul describe this, but it amounts to the borrowing of an unused class for management purposes.

While there is always room for improvement of course, Paul's answers make it clear to me that the root folk have given this some fairly careful thought. I also agree with Paul on another point - different methods used by different servers ARE a good thing, so that no one logical attack could take them all out.

Good documentation is also really important. It turns out there is some for F, at least. See http://www.isc.org/tn/isc-tn-2003-1.html by Joe Abley.

Eliot
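The identity query described in the message above, as an added example that is not part of the original message and not ISC's code: it builds a TXT query in the CHAOS class and parses the reply to see which anycast node answered. The query name `hostname.bind` is the BIND convention and is an assumption here, since the message does not name the record; the node names in the sample replies are constructed.

```python
import socket
import struct

QTYPE_TXT = 16
QCLASS_CH = 3  # CHAOS: a class unused for ordinary Internet (IN = 1) data


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(msg_id, qname="hostname.bind"):
    """One-question query: <qname> CH TXT, recursion not requested."""
    header = struct.pack("!HHHHHH", msg_id, 0x0000, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)


def skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        if length & 0xC0:
            raise ValueError("unsupported label type")
        off += 1 + length


def parse_identity(pkt, expected_id):
    """Return the TXT strings of all CH-class answers in a reply."""
    if len(pkt) < 12:
        raise ValueError("short packet")
    msg_id, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if msg_id != expected_id:
        raise ValueError("reply ID does not match query")
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError("server returned rcode %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4  # skip QTYPE and QCLASS
    identities = []
    for _ in range(an):
        off = skip_name(pkt, off)
        if off + 10 > len(pkt):
            raise ValueError("truncated record")
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated rdata")
        off += rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CH:
            # TXT RDATA is a sequence of <length><bytes> strings
            pos, parts = 0, []
            while pos < len(rdata):
                n = rdata[pos]
                parts.append(rdata[pos + 1:pos + 1 + n])
                pos += 1 + n
            identities.append(b"".join(parts).decode("ascii", "replace"))
    return identities


def ask(server_ip, msg_id=0x1234, timeout=3.0):
    """Send the query over UDP/IPv4 (needs network; not used by the demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(msg_id), (server_ip, 53))
        reply, peer = s.recvfrom(4096)
        if peer[0] != server_ip:
            raise ValueError("reply from unexpected address")
        return parse_identity(reply, msg_id)


def sample_reply(query, node_name):
    """Constructed reply, shaped as one anycast node might send it."""
    msg_id = struct.unpack("!H", query[:2])[0]
    txt = node_name.encode("ascii")
    rdata = bytes([len(txt)]) + txt
    answer = (b"\xc0\x0c"  # pointer back to the question name
              + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, len(rdata)) + rdata)
    return struct.pack("!HHHHHH", msg_id, 0x8400, 1, 1, 0, 0) + query[12:] + answer


if __name__ == "__main__":
    q = build_query(0x1234)
    # Two vantage points reach the same service address but different nodes.
    for node in ("node-a.example", "node-b.example"):
        print(parse_identity(sample_reply(q, node), 0x1234))
```

Run from several vantage points against the same anycast address, differing answers show which node served each one, which is the information the service address alone does not give.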
Re: national security
On 8 Dec 2003, at 10:14, Dean Anderson wrote:

> Also, anycasting doesn't work for TCP.

Would you care to elaborate on "doesn't work"?

> I agree. It is easy to create a blackhole, or even a DDOS on an anycast address. It is much harder to DDOS 600 IP addresses spread through some 200 countries.

It's arguably easier for a distributed attack to degrade the availability of a service bound to a unicast-reachable address than an anycast-reachable address. The former will tend to collect traffic along a progressively narrow funnel until congestion occurs; with an anycast target the pain is distributed over a set of funnels, and in general not all will experience the same degree (or any) pain, depending on the distribution and behaviour of the attacking nodes.

In a non-distributed attack anycast victims fare substantially better (since non-select anycast targets are unaffected, and only suffer topological fallout from the node sinking the attack traffic).

Joe
Re: national security
On 7 Dec 2003, at 07:21, Iljitsch van Beijnum wrote:

> I don't think this is an oversight, I'm pretty sure this was intentional. However, since in practice the BGP best path selection algorithm boils down to looking at the AS path length and this has the tendency to be the same length for many paths, BGP is fairly useless for deciding the best path for even low ambition definitions of the word.

For the service aspects of F we're more concerned with reliability than performance. Recursive resolvers ask questions to the root relatively infrequently, and the important thing is that they have *a* path to use to talk to a root server, not necessarily that they are able to automagically select the instance with the lowest instantaneous RTT (and continue to find a root regardless of what damage might exist in the network elsewhere).

For example, local routing policies might lead a resolver in South Africa to select a path to 192.5.5.0/24 in California over the node in Johannesburg under normal operation. We hope, though, that in the event that the resolver becomes isolated from California, a path exists to Johannesburg which will allow F-root service to continue reliably (and, for example, to allow names under ZA corresponding to local, reachable, services to continue to resolve).

The selection of anycast node has more importance when you consider the other, non-service role of F, which is to sink attack traffic: we'd like to sink attack traffic as close to its source as possible. Fortunately the rough-hewn and clumsy hammer of BGP path selection seems good enough to attempt to attain that goal right now, since our routing policy generally leads people to favour a local node (peer) over a global node (transit) through application of pre-existing routing policy. This is a natural result of the common truth that peering paths are cheaper than transit ones.

Joe
Re: /48 micro allocations for v6 root servers, was: national security
% (i personally don't think a /35 route with just one host in it makes
% much sense,
%
% Agree.

/35 routes are being discouraged in favor of /32 entries... 4,064,000,000 addresses to ensure that just one host -might- have global reachability. IMHO, a /48 is even overkill... :)

--bill
Opinions expressed may not even be mine by the time you read them, and certainly don't reflect those of any other entity (legal or otherwise).
Re: just a brief note about anycast
At 17:05 08/12/03, Eliot Lear wrote:

> Good documentation is also really important. It turns out there is some for F, at least. See http://www.isc.org/tn/isc-tn-2003-1.html by Joe Abley.

No one denies the dedication of the root people. But this is the crux. some documentation ... for one machine. Where are the published approved and certified procedures, agreements, insurance contracts, statistics, logger, budget, authorized people, clearances, oaths, for every people, company, organization sharing into root management. Where is the law concerning the root management issues and impact. For example is a root failure legally considered as an act of God? Is tampering the root a special crime? Due to the possible impact on the life of people all over the planet, will it be judged by UN? Who is to investigate? Root means life and death nowadays.

Either we need the root system and it must match the basic surety rules for a critical infrastructure, or we just want to keep the fossil concept the way it was designed 20 years ago. Then UN/ITU or private industry or a new NGO or a new Gov technically and security certified type of operator is to find, propose, test, and deploy another solution. I suggest them to read carefully the very well crafted ICP-3 document. It correctly considers the end of the single authoritative root file concept. And documents the way to test new venues.

I am sorry to come again and again on this. I will do it until a special WG is created or IETF transfers the concern to ITU. Because we must realize that - even brilliant and resilient - a 20 years old solution for an inter-university project designed for a single authority to keep control, and to provide a centralized (hierarchical) service, just cannot match today technical, legal and security requirements.

The way business is transacted, government operates, and national defense is conducted have changed. These activities rely on a complex interdependent network of information technology infrastructures we may call cyberspace which includes Internet and different other technologies. We must accept that if the IAB/IETF do not take it the same way as Govs, it will be removed from them. The world wants a new network approach, more equal, more secure, more stable, safer, more innovation oriented, respectful of national digital independence and sovereignty and IS actually switching. http://www.nytimes.com/2003/12/08/technology/08divide.html?th=pagewanted=printposition

Today, every nations need and must be permitted a strategy towards a national and global secure cyberspace IAB and IETF are to design and help the implementation. It will provide a framework for protecting this infrastructure that is essential to their economy, security, and way of life. In the past few years, threats in cyberspace have risen dramatically. The policy of governments is to protect against the debilitating disruption of the operation of information systems for critical infrastructures and, thereby, help to protect the people, economy, national security and societal relations of their nations. We all must act to reduce the vulnerabilities to these threats before they can be exploited - as it is so easy today with the DNS cf. the recent threads - to damage the cyber systems or polluting other portions of the DNS which support national critical infrastructures and ensure that such disruptions of cyberspace are infrequent, of minimal duration, manageable, and cause the least damage possible.

Securing cyberspace is a difficult strategic challenge that requires a coordinated and focused effort from the entire society - the government, regional and local governments, the private sector, and the people. The cornerstone of a nation's cyberspace security strategy should be public-private partnership such as proclaimed by the WSIS. Only by acting together from every nation can we build a more secure future in DNS and cyberspace, our world of today.

Also, the nations not sharing into the root management must find sovereign alternatives to protect themselves, their citizen and their economy from bad root management by the nation dominating it, whatever the reason, and from their practical inability to quickly adapt in full and equal independence the portion of the root which may concern their immediate local situation after such actions as war, catastrophe, revolution, etc. and societal, cultural and legal rights. This is certainly a technical challenge since the DNS was not designed that way.

In the world critical root system area, Govs actions should include: forensics and attack attribution, protection of installations, indications and warnings, and protection against organized attacks or against the consequences of their international policy (political tensions, wars) and the acts of God. They should also support research and technology development that will enable the private sector to better secure the
Re: /48 micro allocations for v6 root servers, was: national security
> /35 routes are being discouraged in favor of /32 entries... 4,064,000,000 addresses to ensure that just one host -might- have global reachability. IMHO, a /48 is even overkill... :)

i think the important points for ietf@ to know about are (a) that this is an open issue, (b) that it's generally agreed that all the RIR's ought to have the same rules regarding microallocations, and (c) exactly where (as in what working group or mailing list or smoke filled room) the discussion is being held. for example, bill says above that /35 routes are being discouraged and that's probably true but by whom? and where?
Re: national security
Joe Abley;

>> I don't think this is an oversight, I'm pretty sure this was intentional. However, since in practice the BGP best path selection algorithm boils down to looking at the AS path length and this has the tendency to be the same length for many paths, BGP is fairly useless for deciding the best path for even low ambition definitions of the word.
>
> For the service aspects of F we're more concerned with reliability than performance. Recursive resolvers ask questions to the root relatively infrequently, and the important thing is that they have *a* path to use to talk to a root server, not necessarily that they are able to automagically select the instance with the lowest instantaneous RTT (and continue to find a root regardless of what damage might exist in the network elsewhere).

I'm afraid F servers does not follow the intention of my original proposal of anycast root servers.

The intention is to allow millions or trillions of root servers. While you can rely on someone else's root server with the BGP best path selection, it is a lot better to have your own root server.

In addition, it is not necessary to have any hierarchy between anycast servers at all, as long as there is a single source of information. Hierarchy may be useful if a single entity manages all the anycast root servers. However, you can manage your own.

Finally, using only a single address, F, does not provide any real robustness.

Masataka Ohta
Re: just a brief note about anycast
% Either we need the root system and it must match the basic surety rules for
% a critical infrastructure, or we just want to keep the fossil concept the
% way it was designed 20 years ago.

Why do you think this is an either/or proposition?

% Then UN/ITU or private industry or a new
% NGO or a new Gov technically and security certified type of operator is to
% find, propose, test, and deploy another solution. I suggest them to read
% carefully the very well crafted ICP-3 document. It correctly considers the
% end of the single authoritative root file concept. And documents the way to
% test new venues.

Please provide a pointer to this ICP-3 document. UN/ITU, Private Industry, and NGO/Governments are -ALREADY- engaged in this process.

% I am sorry to come again and again on this. I will do it until a special WG
% is created or IETF transfers the concern to ITU.

special WG - chartered in/under what jurisdiction?

% The world wants a new network
% approach, more equal, more secure, more stable, safer, more innovation
% oriented, respectful of national digital independence and sovereignty and
% IS actually switching.
% http://www.nytimes.com/2003/12/08/technology/08divide.html?th=pagewanted=printposition

Then the world is getting what it wants. Is there a requirement to force the dismantling of an existing system first? If so, where is that requirement documented? Nothing is preventing -anyone- or -any group- from formulating, and promulgating their own naming constructs.

% Today, every nations need and must be permitted a strategy towards a
% national and global secure cyberspace

Nothing is preventing nations from proceeding with their strategies towards a national and globally secure cyberspace.

% IAB and IETF are to design and help
% the implementation.

Under what charter and funding model?

% Or more simply, may be kill the real time root servers concept and review
% the DNS as a non God centralized system? If there was nothing to protect
% because there would be nothing, we would risk far less from there.

Been there, done that. The TBDS project (circa 1999/2000) eliminated the requirement for an always on, fully connected mesh, with access to any external authoritative servers, be they root, tld, or anywhere else in the hierarchy. The upshot was that the DNS is -fully- placed in the hands of the endusers. We did not replace one centralized service with another or even a collection of centralized services, e.g. no ICANN, no IANA, no nation state, no private industry, no NGO or multinational treaty organization. It was -COMPLETELY- up to the endusers.

% Then?

We wait for the adoption by vendors/users of the new world order while we maintain, augment, and evolve the existing, working system so as to facilitate a near-zero impact on the people, organizations, and nations that have come to depend on the system we have built.

% jfc

--bill
Opinions expressed may not even be mine by the time you read them, and certainly don't reflect those of any other entity (legal or otherwise).
Re: /48 micro allocations for v6 root servers, was: national security
% /35 routes are being discouraged in favor of /32 entries...
% 4,064,000,000 addresses to ensure that just one host -might-
% have global reachability. IMHO, a /48 is even overkill... :)
%
% i think the important points for ietf@ to know about are (a) that this
% is an open issue, (b) that it's generally agreed that all the RIR's ought
% to have the same rules regarding microallocations, and (c) exactly where
% (as in what working group or mailing list or smoke filled room) the
% discussion is being held. for example, bill says above that /35 routes
% are being discouraged and that's probably true but by whom? and where?

By ISPs, in conjunction w/ IETF and RIRs. Check the allocation policies.

I'll agree that (a) is valid, there is little that is cast in stone. (b) on the other hand, has any number of legal implications... collusion, monopolies, etc. As for (c), check the RIR working groups and mailing lists, the V6OPS wg of the IETF and the IPv6 protocol wg.

--
--bill
Opinions expressed may not even be mine by the time you read them, and certainly don't reflect those of any other entity (legal or otherwise).
Re: national security
Joe Abley;

>> I'm afraid F servers does not follow the intention of my original proposal of anycast root servers.
>
> This may well be the case (I haven't read your original proposal).

The IDs have expired. I'm working on a revised one.

> Apologies if I gave the impression that I thought to the contrary.

No, no need of apologies.

>> Finally, using only a single address, F, does not provide any real robustness.
>
> Fortunately there are twelve other root nameservers.

But, one should have one's own three root servers with different addresses.

Masataka Ohta
RE: /48 micro allocations for v6 root servers, was: national security
Paul Vixie wrote:

>> /35 routes are being discouraged in favor of /32 entries... 4,064,000,000 addresses to ensure that just one host -might- have global reachability. IMHO, a /48 is even overkill... :)
>
> i think the important points for ietf@ to know about are (a) that this is an open issue, (b) that it's generally agreed that all the RIR's ought to have the same rules regarding microallocations, and (c) exactly where (as in what working group or mailing list or smoke filled room) the discussion is being held. for example, bill says above that /35 routes are being discouraged and that's probably true but by whom? and where?

There are currently quite some ISP's who filter anything /35. Generally ISP's should be filtering on allocation boundaries. Thus if a certain prefix is allocated as a /32, they should not be accepting anything smaller (/33, /34 etc)

Checking http://www.sixxs.net/tools/grh/tla/all/

The database currently holds 630 IPv6 TLA's. Of which 18 (2.86%) are returned to the pool, 202 (32.06%) IPv6 TLA's didn't have a routing entry. Thus 410 (65.08%) networks are currently announced. 0 (0.00%) only announced a /35 while they have been assigned a /32. 13 (2.06%) announce both their /32 and their /35.

I have to add that there is an error here as 2001:dc0::/35 is in the tables, but doesn't get picked up by the software, will be fixing that soonish.

Generally if you announce a /35 it will get through to most ISP's. But we should be avoiding that. Currently the ipv6 global routing table is quite small, but it could grow quite large and when ISP's still don't filter correctly, or better if ISP's don't aggregate it will explode and we will be needing the follow up to BGP soon, which is more work for the IETF :)

As for which smoked filled room, this should be a task of the RIRs, thus RIPE's IPv6 WG etc. but it usually takes place when communicating between ISP's. Notice that many ISP's use Gerts list: http://www.space.net/~gert/RIPE/ipv6-filters.html

I would applaud a generic /32 that is 'allowed' to being cut up into multiple /48's for the purpose of critical infrastructure. But please, keep it to 1 *documented* /32. That way people will know that they will see more specifics from that prefix and that they should be accepting it too.

Currently the !3! IX blocks (2001:7f8::/32 + 2001:504::/32 + 2001:7fa::/32) are seen being announced in pieces too. Maybe these IX blocks, which are common already could be used for assigning 'critical infra' from?

This is a RIR thing and should be discussed there (ipv6-wg cc'd). The IETF though should of course advise in all matters.

Greets, Jeroen
Re: /48 micro allocations for v6 root servers, was: national security
Bill Manning wrote:

> % b) that it's generally agreed that all the RIR's ought
> % to have the same rules regarding microallocations,
>
> (b) on the other hand, has any number of legal implications... collusion, monopolies, etc.

But this is an example where uniformity is desirable on technical grounds (i.e., if the policies aren't uniform, nobody will know how small they can afford to filter). That's got to be legal, or no standards body would be safe. Or do you think the participants in, say, the ipp WG are vulnerable to charges of colluding to drive competing printing protocols from the market?

--
John Stracke | [EMAIL PROTECTED]
Principal Engineer | http://www.centive.com
Centive | My opinions are my own.
The Reality Check's in the mail. --L. Peter Deutsch
Re: /48 micro allocations for v6 root servers, was: national security
Bill Manning wrote:

> /35 routes are being discouraged in favor of /32 entries... 4,064,000,000 addresses to ensure that just one host -might- have global reachability. IMHO, a /48 is even overkill... :)

Just wondering, as I have about IPv4 anycast allocations: why can't we designate a block for microallocations, within which prefix length filters aren't applied? The number of routes in the DFZ is the same either way; is there any technical reason why /64 or /128 prefixes, or /32 in IPv4, can't be used? I'm not a routing person, so apologies if this is somehow unspeakably dumb.

-zefram
Re: [ipv6-wg@ripe.net] RE: /48 micro allocations for v6 root servers, was: national security
Hi,

On Mon, Dec 08, 2003 at 10:01:53PM +0100, Jeroen Massar wrote:

> There are currently quite some ISP's who filter anything /35. Generally ISP's should be filtering on allocation boundaries. Thus if a certain prefix is allocated as a /32, they should not be accepting anything smaller (/33, /34 etc)

There is no commonly agreed-upon best practice for this yet.

We do *not* suppress more-specifics from those address blocks, as we think it's a legitimate wish for certain networks to be multihomed, and currently there is no other solution than to go for the pragmatic approach, and just announce a /40 or even /48.

I agree that things that are more specific than a /48 should not be out there.

[..]

> the ipv6 global routing table is quite small, but it could grow quite large and when ISP's still don't filter correctly, or better if ISP's don't aggregate it will explode and we will be needing the follow up to BGP soon, which is more work for the IETF :)

If every holder of an AS will announce one prefix at maximum (which should be doable by proper aggregation), the v6 BGP table would grow to about 20.000 entries. This is still manageable, although it would kill my good old Cisco 2500 that still has a full v6 BGP table...

> As for which smoked filled room, this should be a task of the RIRs, thus RIPE's IPv6 WG etc. but it usually takes place when communicating between ISP's. Notice that many ISP's use Gerts list: http://www.space.net/~gert/RIPE/ipv6-filters.html
>
> I would applaud a generic /32 that is 'allowed' to being cut up into multiple /48's for the purpose of critical infrastructure. But please, keep it to 1 *documented* /32. That way people will know that they will see more specifics from that prefix and that they should be accepting it too.

As you cite my page, you will also know that it does not make a specific recommendation on the subject of filtering things between /35 and /48...

Gert Doering -- NetMaster
--
Total number of prefixes smaller than registry allocations: 57386 (57785)

SpaceNet AG, Mail: [EMAIL PROTECTED]
Joseph-Dollinger-Bogen 14, Tel : +49-89-32356-0
80807 Muenchen, Fax : +49-89-32356-299
ITU takes over?
Just saw this online, and it seems apropos to recent traffic:

A controversial plan to grant governments broad controls over the Internet has stolen the spotlight of a United Nations conference on IT next week, where China and Cuba will be among its strongest supporters. Leaders from nearly 200 countries will convene in Geneva for the World Summit on the Information Society (WSIS) Dec. 10-12, an inaugural conference with lofty goals to discuss bridging the digital divide and fostering press freedoms. But a contentious political move to grant an international governing body such as the U.N.'s International Telecommunication Union (ITU) control over Internet governance issues -- from distributing Web site domains to the public to fighting spam -- has all but obscured the more virtuous aspects of the event. ... .. many in the developing world believe a new approach is needed as the [Internet] enters its teen years, one that will see poorer countries harness new technologies to improve their competitive stance. ... [ICANN] has been criticized roundly for adopting a pro-business approach that neglects the developing world. The ITU .. has been put forth by the developing world as the governing body that will best address its needs. "What we are looking at is the future management of the Internet. It's not about who owns it or who will be regulating the laws, but what is best way to manage what has become a natural resource for all of humanity," a summit official said.

http://money.cnn.com/2003/12/08/technology/internet.reut/index.htm

Anyone know more about this?

Noel
Re: national security
On 8 Dec 2003, at 15:25, Masataka Ohta wrote:

> I'm afraid F servers does not follow the intention of my original proposal of anycast root servers.

This may well be the case (I haven't read your original proposal). Apologies if I gave the impression that I thought to the contrary.

> Finally, using only a single address, F, does not provide any real robustness.

Fortunately there are twelve other root nameservers.

Joe
Re: /48 micro allocations for v6 root servers, was: national security
% Bill Manning wrote:
% /35 routes are being discouraged in favor of /32 entries...
% 4,064,000,000 addresses to ensure that just one host
% -might- have global reachability. IMHO, a /48 is even
% overkill... :)
%
% Just wondering, as I have about IPv4 anycast allocations: why can't we
% designate a block for microallocations, within which prefix length filters
% aren't applied? The number of routes in the DFZ is the same either way;
% is there any technical reason why /64 or /128 prefixes, or /32 in IPv4,
% can't be used? I'm not a routing person, so apologies if this is somehow
% unspeakably dumb.
%
% -zefram

we can. There is no reason why... routing table slots are routing table slots. It does place the onus on the ISPs to be more vigorous in tracking what they will and will not accept or propagate. Now, they tend to depend on RIRs to set their routing policies for them... :)

--bill
Opinions expressed may not even be mine by the time you read them, and certainly don't reflect those of any other entity (legal or otherwise).
Re: just a brief note about anycast
Hi -

From: jfcm [EMAIL PROTECTED]
To: Eliot Lear [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Monday, December 08, 2003 10:27 AM
Subject: Re: just a brief note about anycast

...
> The world wants a new network approach, more equal, more secure, more stable, safer, more innovation oriented, respectful of national digital independence and sovereignty and IS actually switching.
...

Phrases like "national digital independence and sovereignty" make it sound as though the real motivation for all this is to make it easier for the repressive regimes of the world to selectively disconnect themselves from the global net. Things are bad enough already. Let's not help the chauvinists of nationalism make things worse, even though the technology is already in place to allow them to do it.

Admirable goals like improving network security and stability do not require increased government involvement, nor do they in any way require abandoning the existing cooperative relationship between the ITU and the IETF. The very notion of "national digital independence and sovereignty" is contrary to network security and stability.

Randy
Re: /48 micro allocations for v6 root servers, was: national security
On Mon, 08 Dec 2003 21:17:00 GMT, Zefram [EMAIL PROTECTED] said:

> Just wondering, as I have about IPv4 anycast allocations: why can't we designate a block for microallocations, within which prefix length filters aren't applied? The number of routes in the DFZ is the same either way; is there any technical reason why /64 or /128 prefixes, or /32 in IPv4, can't be used? I'm not a routing person, so apologies if this is somehow unspeakably dumb.

No technical reason - except if you say "I'll filter IPv4 announcements at /28", then you're open to routing table burps if somebody accidentally or intentionally de-aggregates to a very long prefix. Imagine if somebody flubs and withdraws a /12 and announces a /12 worth of /28 (Yes, this sort of stuff DOES happen.)
RE: just a brief note about anycast
> Phrases like "national digital independence and sovereignty" make it sound as though the real motivation for all this is to make it easier for the repressive regimes of the world to selectively disconnect themselves from the global net. Things are bad enough already. Let's not help the chauvinists of nationalism make things worse, even though the technology is already in place to allow them to do it.

Long time lurker, first time writer. I wholeheartedly agree. 'Tis all.
RE: /48 micro allocations for v6 root servers, was: national security
[This should go to v6ops@ or [EMAIL PROTECTED] :) ]

Zefram wrote:

> Bill Manning wrote:
>> /35 routes are being discouraged in favor of /32 entries... 4,064,000,000 addresses to ensure that just one host -might- have global reachability. IMHO, a /48 is even overkill... :)
>
> Just wondering, as I have about IPv4 anycast allocations: why can't we designate a block for microallocations, within which prefix length filters aren't applied?

That would be the best solution, make it documented and publicly known.

> The number of routes in the DFZ is the same either way; is there any technical reason why /64 or /128 prefixes, or /32 in IPv4, can't be used? I'm not a routing person, so apologies if this is somehow unspeakably dumb.

Expect to see routers being optimized that will only route the upper 64bits of the address, so you might not want to do anything smaller than that. Of course one can use /128 routes, and /64's etc. But because of anycast you don't want to use /127's though.

Greets, Jeroen
Worst case question I guess
As a (not too) humble regular DNS user as opposed to an insider... What is the worst case scenario on this, anyway?

It seems to me our buddies and the North American power reliability board; (whatever) would say they can't POSSIBLY fail such that power is out for days. Yet it happened. I think killed some folks here and there too.

It seems to me, I'm speaking from a skeptical approach which is always the best when the downside's big. If all the root operators had an offline copy of their DNS entries and rolled back 24 hours in a crisis, so what? 99.99% of DNS UDP's would resolve, a few new ones would be troubled. No Anycast, no BGP, just rollback a day and reassess the systemic failure for a next plan. Turn all that off and think for a day or so.

It seems to me a smaller chance but a non-trivial one is for the whole thing to become unreliable because the (maybe) millions of subdomains get clobbered. For instance, I think I'm right that the subdomain www. {anything} is incredibly distributed. Never a SOA at a TLD ccTLD... You know what I mean.

If a WWW snagger rewriter virus existed that left 100% of the root servers perfect (either due to a brilliant management plan, disinterest, or dumb luck, etc.) but www.{any} didn't work, the loss of functionality would be close to having the roots lost, wouldn't it? Harder to fix, because the people involved haven't been to a fancy workshop of what if's. And they're hard to contact because suddenly internet is unreliable.

There was an outage in the switched telephone system much like this about 12 years ago. None of the technocrats who could fix it could find each other, so the outage persisted for a long time until an unnamed vendor! bicycled new binaries to 400 phone switches.

regards Dan

Dan Kolis - Lindsay Electronics Ltd [EMAIL PROTECTED]
50 Mary Street West, Lindsay Ontario Canada K9V 2S7
(705) 324-2196 X272 (705) 324-5474 Fax
An ISO 9001 Company; /Document end
Re: /48 micro allocations for v6 root servers, was: national security
On 8-dec-03, at 22:01, Jeroen Massar wrote: There are currently quite some ISP's who filter anything /35. Generally ISP's should be filtering on allocation boundaries. Thus if a certain prefix is allocated as a /32, they should not be accepting anything smaller (/33, /34 etc) So how are ISPs supposed to know what the allocation size for a particular prefix is? This type of filtering only works if the filter list is relatively short and pretty much never changes. Anything else and the cure is worse than the disease. I would applaud a generic /32 that is 'allowed' to being cut up into multiple /48's for the purpose of critical infrastructure. But please, keep it to 1 *documented* /32. That way people will know that they will see more specifics from that prefix and that they should be accepting it too. I'm not sure if it needs to be a /32 or if it needs to be just a single one, but I fully agree this should be documented very well and in a central place. Buried somewhere on a RIR website isn't good enough. (Try finding the micro allocation list on the ARIN site without help from Google.) I think this means it must be an RFC. RIR documents just don't have the same standing in the community, and, apparently, quality control. Currently the !3! IX blocks (2001:7f8::/32 + 2001:504::/32 + 2001:7fa::/32) are seen being announced in pieces too. Maybe these IX blocks, which are common already could be used for assigning 'critical infra' from? Note that announcing the actual prefix for an internet exchange subnet tickles an undesirable BGP feature in places where the prefix isn't filtered, so these prefixes are best not announced. The allocations seem to be /48s and not /64s though, so in practice this shouldn't be a problem but still no reason why these should be globally visible. Root nameservers are a very different story of course...
Re: ITU takes over?
Noel Chiappa writes: Anyone know more about this? Since it is being discussed in secret (with even ICANN excluded, apparently), it's hard to know more.
Re: /48 micro allocations for v6 root servers, was: national security
[my apologies for burning so much bandwidth] On 8-dec-03, at 22:17, Zefram wrote: Just wondering, as I have about IPv4 anycast allocations: why can't we designate a block for microallocations, within which prefix length filters aren't applied? The number of routes in the DFZ is the same either way; is there any technical reason why /64 or /128 prefixes, or /32 in IPv4, can't be used? I'm not a routing person, so apologies if this is somehow unspeakably dumb. In RFC 3513 (section 2.6) it more or less says that anycast addresses must be host addresses and they must be propagated throughout the region where there are interfaces configured for the anycast address. So if there are root servers sharing an anycast address all over the globe, there must be a globally visible /128 for that root server. So no, this isn't dumb. Also, if anycast addresses are going to come from micro allocations there is no particular reason to stop at 48 bits. A prefix size that is different from what millions of end users will be getting might in fact be a plus.
Re: /48 micro allocations for v6 root servers, was: national security
[EMAIL PROTECTED] wrote: Imagine if somebody flubs and withdraws a /12 and announces a /12 worth of /28 That's why I suggested relaxing the filters only within a designated block. So (for IPv4) the /12 worth of /28s gets ignored, but the /32s in the micro-allocation block are accepted. It always seemed odd to me that we allocate a /24 per anycast service, and worry about the address space wastage, when all the anycast services we can expect to find useful in IPv4 will comfortably fit into less than a single /24. If there's a problem due to the need for 100% implementation of the relaxation of prefix length filters, we should allocate a micro-allocation block for IPv6 *now*, while the number of routers requiring reconfiguration is relatively small. I propose 0:1::/32, which is distinctive, causes no fragmentation, and is in a region of the address space already recognised as being for weird stuff. -zefram
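The policy argued over in this thread (filter on allocation boundaries, but accept more-specifics up to /48 inside one documented block), as an added Python example that is not code from any poster. The allocation table is a constructed sample built from prefixes quoted in the thread, and 0:1::/32 is only the block proposed in the message above; keeping a complete allocation table is the cost Iljitsch van Beijnum raises.

```python
import ipaddress

# Constructed allocation table. The prefixes are ones quoted in this thread;
# treating this short list as the complete table is an assumption.
ALLOCATIONS = ["2001:7fe::/32", "2001:dc0::/32", "2001:1700::/27"]

# Designated micro-allocation block: the 0:1::/32 proposed in the message
# above. It is a proposal only; using it here is an assumption.
MICRO_BLOCKS = ["0:1::/32"]
MICRO_MAX_LEN = 48  # longest prefix accepted inside a designated block


def build_policy(allocations=ALLOCATIONS, micro_blocks=MICRO_BLOCKS):
    """Parse the two prefix lists into network objects."""
    return ([ipaddress.ip_network(p) for p in allocations],
            [ipaddress.ip_network(p) for p in micro_blocks])


def _within(net, block):
    # subnet_of() raises TypeError on mixed IPv4/IPv6, so check the version.
    return net.version == block.version and net.subnet_of(block)


def decide(announcement, policy=None, micro_max_len=MICRO_MAX_LEN):
    """Return (accept, reason) for one announced prefix."""
    allocations, micro_blocks = policy or build_policy()
    net = ipaddress.ip_network(announcement, strict=True)

    # Relaxed rule: inside a designated block, more-specifics are expected.
    for block in micro_blocks:
        if _within(net, block):
            if net.prefixlen <= micro_max_len:
                return True, f"inside designated block {block}"
            return False, f"longer than /{micro_max_len} inside {block}"

    # Strict rule everywhere else: only the allocation itself is accepted.
    for alloc in allocations:
        if net == alloc:
            return True, f"matches allocation {alloc}"
        if _within(net, alloc):
            return False, f"more specific than allocation {alloc}"
    return False, "no matching allocation"


def capacity(block, length):
    """Number of prefixes of the given length that fit inside block."""
    block = ipaddress.ip_network(block)
    if length < block.prefixlen:
        raise ValueError("length is shorter than the block itself")
    return 2 ** (length - block.prefixlen)


# Constructed sample announcements (the 2001:dc0 /35s are quoted in the thread).
SAMPLE = [
    "2001:7fe::/32",       # announced exactly as allocated
    "2001:dc0::/35",       # piece of a /32 allocation
    "2001:dc0:2000::/35",  # second piece of the same /32
    "2001:1700::/32",      # piece of a /27 allocation
    "0:1:5::/48",          # micro-allocation inside the designated block
    "0:1:5:1::/64",        # too long even for the designated block
]


def run(sample=SAMPLE):
    return {prefix: decide(prefix) for prefix in sample}


if __name__ == "__main__":
    for prefix, (ok, why) in run().items():
        print(f"{'ACCEPT' if ok else 'REJECT':6} {prefix:20} {why}")
    print("/48s in a /32:", capacity("0:1::/32", 48))
```

Passing a different policy covers the IPv4 case from the same message: with a /24 as the designated block and `micro_max_len=32`, host routes inside it are accepted while /28s cut from an ordinary /12 are rejected.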
Re: /48 micro allocations for v6 root servers, was: national security
Just some perspectives on the IPv6 addressing scheme, that I have highlighted to APNIC. A country like Tuvalu with about 10,000 people, which is an island with many possibilities of connectivity to the Internet would be attributed what range if they request IPv6? Don't tell me they do not need IPv6 or they can get it from their upstream provider. It is a country, they should be able to change their upstream provider every 6 months without having to change the IP space of the country... BTW: I know about 10 countries in this case in the Pacific Islands, unfortunately few are APNIC members or attend APNIC. Cheers Franck Martin [EMAIL PROTECTED] SOPAC, Fiji GPG Key fingerprint = 44A4 8AE4 392A 3B92 FDF9 D9C6 BE79 9E60 81D9 1320 All knowledge is an answer to a question. G. Bachelard
RE: [ipv6-wg@ripe.net] RE: /48 micro allocations for v6 root servers, was: national security
Gert Doering [mailto:[EMAIL PROTECTED] wrote: On Mon, Dec 08, 2003 at 10:01:53PM +0100, Jeroen Massar wrote: There are currently quite some ISP's who filter anything /35. Generally ISP's should be filtering on allocation boundaries. Thus if a certain prefix is allocated as a /32, they should not be accepting anything smaller (/33, /34 etc) There is no commonly agreed-upon best practice for this yet. Some ISP's do it, most don't. Btw CH-SUNRISE-20031124 = 2001:1700::/27, so Libertel isn't the biggest girl on the block anymore with their /31 :) We do *not* suppress more-specifics from those address blocks, as we think it's a legitimate wish for certain networks to be multihomed, and currently there is no other solution than to go for the pragmatic approach, and just announce a /40 or even /48. I agree that things that are more specific than a /48 should not be out there. Indeed. And yes there are ISP's announcing /128's etc. And private ASN's for that matter or even using them as transit. SNIP As you cite my page, you will also know that it does not make a specific recommendation on the subject of filtering things between /35 and /48... Yups and I fully support that argument. If it was done we would currently see 413 prefixes, those are the 'allocated' prefixes that are getting announced. In GRH each of the ~30 peers have an average of 459 prefixes. Checking just now, the highest number of prefixes sent to GRH was 515 prefixes, which is far from the 20k or even 30k if all the ASN's would announce 1 IPv6 prefix. At the moment that is certainly no problem and it shouldn't be for years to come, unless IPv6 really takes off. Google/Doom3 IPv6 anyone? The biggest advantage that IPv6 already has is that a single ISP already gets enough space, thus it doesn't need to Iljitsch van Beijnum [mailto:[EMAIL PROTECTED] wrote: On 8-dec-03, at 22:01, Jeroen Massar wrote: There are currently quite some ISP's who filter anything /35. 
Generally ISP's should be filtering on allocation boundaries. Thus if a certain prefix is allocated as a /32, they should not be accepting anything smaller (/33, /34 etc) So how are ISPs supposed to know what the allocation size for a particular prefix is? This type of filtering only works if the filter list is relatively short and pretty much never changes. Anything else and the cure is worse than the disease. The proposed Redistribution of Cooperative Filtering Information draft could help out there which allows one to redistribute 'good prefix' lists. See https://www1.ietf.org/mail-archive/working-groups/idr/current/msg00201.html for the draft or http://arneill-py.sacramento.ca.us/redisfilter.ppt for the presentation given in Minneapolis. Without that or a similar system, it would be a pain indeed. That's why I pointed to Gert's page which has a better and currently working solution. SNIP Currently the !3! IX blocks (2001:7f8::/32 + 2001:504::/32 + 2001:7fa::/32) are seen being announced in pieces too. Maybe these IX blocks, which are common already could be used for assigning 'critical infra' from? Note that announcing the actual prefix for an internet exchange subnet tickles an undesirable BGP feature in places where the prefix isn't filtered, so these prefixes are best not announced. As far as I can see with the GRH tools etc, all the prefixes that are allocated as IX Prefixes and those that are in use are currently visible worldwide. The allocations seem to be /48s and not /64s though, so in practice this shouldn't be a problem but still no reason why these should be globally visible. The only reason I heard so far is so that people in Tokyo can ping the IX interface in London or a similar kind of scenario. They argue that it is handy for debugging. My take is that if it isn't your network, you can't fix it either, so if a traceroute ends on that box, contact them, they can really figure it out. Root nameservers are a very different story of course... 
A /32 contains 65k /48's, so these IX blocks could provide for enough /48's for 65k IX's, thus unless that switch at the back of my desk, which connects 'neighbours' too is to be called an IX, because they have a linux router and me too and they speak BGP is going to be called an IX it shouldn't be a problem if the same block is used for 26? and maybe 3 tld servers per country. At least everybody will know that that /32 will have more specifics. Greets, Jeroen -- Jeroen Massar / [EMAIL PROTECTED] / http://unfix.org/~jeroen/
Re: ITU takes over?
There have been fairly intense discussions in a series of meetings called PrepComs as in preparatory committees leading up to the World Summit on the Information Society (WSIS) taking place December 10-12 in Geneva. In the most recent meetings, a government only rule was invoked that excluded interested parties such as ICANN, among others, but the texts have been made visible. Of course, it remains to be seen whether these texts will be adopted by the summit meeting representatives. The texts cover principles and action plans, respectively, for realization of the Information Society. The subject of Internet Governance has been a large focus of attention, as has been a proposal for creating an international fund to promote the creation of information infrastructure in the developing world. Internet Governance is a very broad topic including law enforcement, intellectual property protection, consumer protection, tax policies, and so on. It also happens to include some of the things that ICANN is responsible for. Unfortunately, the discussion has tended to center on ICANN as the only really visible example of an organization attempting to develop policy (which is being treated as synonymous with governance). ICANN's mandate is very limited and it would be helpful if the broad governance issues mentioned above could find other organizational homes. ICANN's work could be fitted into a larger framework but some people seem to think that if ICANN doesn't do all the things that might fall into Internet governance then ICANN should be replaced with, eg, an ITU or UN body. This is, of course, a controversial matter with sovereignty of states mixed into a variety of political attitudes about the US, the Department of Commerce role with ICANN and so on. 
It should come as no surprise to anyone that I would prefer to see a solution to the broad governance problem that continues to limit the ICANN mandate and creates organizational homes for that which ICANN cannot or should not undertake. Just as plainly, I don't favor replacing ICANN with a UN-agency. You may make a search on key words, like internet governance at that site www.wsis-online.net and will see all relevant meetings. Hope this is helpful. Vint Cerf At 11:51 PM 12/8/2003 +0100, Anthony G. Atkielski wrote: Noel Chiappa writes: Anyone know more about this? Since it is being discussed in secret (with even ICANN excluded, apparently), it's hard to know more. Vint Cerf SVP Technology Strategy MCI 22001 Loudoun County Parkway, F2-4115 Ashburn, VA 20147 703 886 1690 (v806 1690) 703 886 0047 fax [EMAIL PROTECTED] www.mci.com/cerfsup
Re: Worst case question I guess
Dan, One small addition to your discussion/scenario... As has been pointed out on this list, the actual rate of changes in the root zone is on the order of a few per week. Statistically, that means your 24 hour rollback might, often, have zero effect. Now compare this to the change rate in some very large ccTLD or gTLD, which is, I would assume, measured in the thousands per day range. Now a short quiz: (i) Which part of the potential outage problem should we be spending a lot of energy worrying about, based on the impact of a simple halt to effective updating for a while or, in your scenario, a rollback? (ii) Why does all the energy go into worrying about the root instead? (iii) While (as has also been pointed out) the software and systems run by the root operators are fairly diverse, protecting them from easy, one-size-fits-all versions of certain types of attacks, would you care to guess at the diversity level among the servers for the typical large ccTLD or gTLD? (iv) I can be reached, via various forwarding aliases (and, in some cases, almost by accident), using domain names that are subdomains of five different TLDs (although I use most of them sufficiently infrequently that, in the case of a COM outage, you'd probably have to phone me to find out which to use). How about you? Guess what the count is for the typical Internet user. sigh john --On Monday, 08 December, 2003 17:21 -0500 Dan Kolis [EMAIL PROTECTED] wrote: As a (not too) humble regular DNS user as opposed to an insider... What is the worst case scenario on this, anyway? It seems to me our buddies and the North American power reliability board; (whatever) would say they can't POSSIBLY fail such that power is out for days. Yet it happened. I think killed some folks here and there too. It seems to me, I'm speaking from a skeptical approach which is always the best when the downside's big. If all the root operators had an offline copy of their DNS entries and rolled back 24 hours in a crisis, so what? 
99.99% of DNS UDP's would resolve, a few new ones would be troubled. No Anycast, no BGP, just rollback a day and reassess the systemic failure for a next plan. Turn all that off and think for a day or so. It seems to me a smaller chance but a non-trivial one is for the whole thing to become unreliable because the (maybe) millions of subdomains get clobbered. For instance, I think I'm right that the subdomain www.{anything} is incredibly distributed. Never a SOA at a TLD ccTLD... You know what I mean. If a WWW snagger rewriter virus existed that left 100% of the root servers perfect (either due to a brilliant management plan, disinterest, or dumb luck, etc.) but www.{any} didn't work, the loss of functionality would be close to having the roots lost, wouldn't it? Harder to fix, because the people involved haven't been to a fancy workshop of what if's. And they're hard to contact because suddenly internet is unreliable. There was an outage in the switched telephone system much like this about 12 years ago. None of the technocrats who could fix it could find each other, so the outage persisted for a long time until an unnamed vendor bicycled new binaries to 400 phone switches. regards Dan Dan Kolis - Lindsay Electronics Ltd [EMAIL PROTECTED] 50 Mary Street West, Lindsay Ontario Canada K9V 2S7 (705) 324-2196 X272 (705) 324-5474 Fax An ISO 9001 Company
Re: /48 micro allocations for v6 root servers, was: national security
At 11:21 AM +1200 12/09/2003, Franck Martin wrote: Just some perspectives on the IPv6 addressing scheme, that I have highlighted to APNIC. A country like Tuvalu with about 10,000 people, which is an island with many possibility of connectivity to the Internet would be attributed what range if they request IPv6? The key question I would ask is whether Tuvalu is planning to provide services to its 10,000 people. If it plans a state monopoly ISP with eventual service to some fraction (possible 100%) of its citizens, then it is a service provider with that base. If, on the other hand, it is not planning to provide services itself, but will allow competition among service providers so that some folk get IP connectivity through Vendor A and some through Vendor B, then it is appropriate to say those folks getting service from A have space allocated from Vendor and those from Vendor B from Vendor B. Don't tell me they do not need IPv6 or they can get it from their upstream provider. It is a country, they should be able to change their upstream provider every 6 months without having to change the IP space of the country... Their being a country isn't nearly so important as whether or not they are a network. Provider independent address space for a network can make sense (whether justified through multi-homing, sovereignty, or correct form-filling skills). Provider independent address space for something that is not a network is just bits. BTW: I know about 10 countries in this case in the Pacific Islands, unfortunately few are APNIC members or attend APNIC. Cheers regards, Ted Hardie
Re: /48 micro allocations for v6 root servers, was: national security
Franck Martin wrote: Just some perspectives on the IPv6 addressing scheme, that I have highlighted to APNIC. A country like Tuvalu with about 10,000 people, which is an island with many possibility of connectivity to the Internet would be attributed what range if they request IPv6? Don't tell me they do not need IPv6 or they can get it from their upstream provider. It is a country, they should be able to change their upstream provider every 6 months without having to change the IP space of the country... BTW: I know about 10 countries in this case in the Pacific Islands, unfortunately few are APNIC members or attend APNIC. I know it's a bit bigger but see Papua New Guinea (2001:0C60::/32). I'm not sure if they are using it yet as I stopped providing support for PNG before I could roll out new router OS versions necessary to support IPv6. I doubt that APNIC would have a problem with Tuvalu making a case for a prefix. Mark.
Re: ITU takes over?
Noel:
1. The Salt Lake Tribune: U.S. Net dominance questioned http://www.sltrib.com/2003/Dec/12082003/business/118003.asp
2. The Register: Internet showdown side-stepped in Geneva http://www.theregister.co.uk/content/6/34394.html
3. CNN Money: A potentially tangled Web? http://money.cnn.com/2003/12/08/technology/internet.reut/
4. The Washington Times: U.N. control of Web rejected http://washingtontimes.com/world/20031208-125717-6682r.htm
5. SeattlePi.com: Talks seek global Internet ground rules http://seattlepi.nwsource.com/business/aptech_story.asp?category=1700slug=UN%20Tech%20Summit
6. The New York Times: Digital Divide to Be Big Issue at U.N. Summit on Internet http://www.nytimes.com/2003/12/07/international/07CND-DIVI.html?ex=1071464400en=1f0ead87b5fce559ei=5062partner=GOOGLE
7. Telecom.paper: ITU nominated to monitor Internet governance http://www.telecom.paper.nl/index.asp?location=http%3A//www.telecom.paper.nl/site/news_ta.asp%3Ftype%3Dabstract%26id%3D37965%26NR%3D122
8. TechWorld: Battle for control of Internet postponed http://www.techworld.com/news/index.cfm?fuseaction=displaynewsnewsid=750
9. ARS Technica: U.N. battle brewing over control of the Internet http://arstechnica.com/news/posts/1070735373.html
10. BBC News: Go ahead for UN internet summit http://news.bbc.co.uk/2/hi/technology/3300071.stm
At 02:42 PM 12/8/2003 -0500, Noel Chiappa wrote: Just saw this online, and it seems apropos to recent traffic: snip http://money.cnn.com/2003/12/08/technology/internet.reut/index.htm Anyone know more about this? Noel Vint Cerf SVP Technology Strategy MCI 22001 Loudoun County Parkway, F2-4115 Ashburn, VA 20147 703 886 1690 (v806 1690) 703 886 0047 fax [EMAIL PROTECTED] www.mci.com/cerfsup
Re: [ipv6-wg@ripe.net] RE: /48 micro allocations for v6 root servers, was: national security
% Root nameservers are a very different story of course... % % A /32 contains 65k /48's, so these IX blocks could provide for % enough /48's for 65k IX's, thus unless that switch at the back % of my desk, which connects 'neighbours' too is to be called an % IX, because they have a linux router and me too and they speak % BGP is going to be called an IX it shouldn't be a problem if % the same block is used for 26? and maybe 3 tld servers per country. % % At least everybody will know that that /32 will have more specifics. % % Greets, % Jeroen 2001:0478:: was delegated expressly for IX and core infrastructure. That's where at least one of the IPv6 prefixes for root-servers exists. Two are from ARIN micro-allocations and there is a /32 for another server. --bill Opinions expressed may not even be mine by the time you read them, and certainly don't reflect those of any other entity (legal or otherwise).
Re: ITU takes over?
On 12/8/2003 5:36 PM, vinton g. cerf wrote: The subject of Internet Governance has been a large focus of attention, as has been a proposal for creating an international fund to promote the creation of information infrastructure in the developing world. Internet Governance is a very broad topic including law enforcement, intellectual property protection, consumer protection, tax policies, and so on. Yay, another proposal to give control of $resource to $tyrant while having the west pay for it. What's the track record on those? Not gonna happen. Move along. -- Eric A. Hall http://www.ehsco.com/ Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
Re: ITU takes over?
See http://www.isoc.org/ Ole J. Jacobsen Editor and Publisher, The Internet Protocol Journal Tel: +1 408-527-8972 GSM: +1 415-370-4628 E-mail: [EMAIL PROTECTED] URL: http://www.cisco.com/ipj On Mon, 8 Dec 2003, Anthony G. Atkielski wrote: Noel Chiappa writes: Anyone know more about this? Since it is being discussed in secret (with even ICANN excluded, apparently), it's hard to know more.
Re: just a brief note about anycast
On Mon, 8 Dec 2003, Randy Presuhn wrote: Phrases like national digital independence and sovereignty make it sound as though the real motivation for all this is to make it easier for the repressive regimes of the world to selectively disconnect themselves from the global net. Things are bad enough already. Let's not help the chauvinists of nationalism make things worse, even though the technology is already in place to allow them to do it. Well, they think we are the chauvinists of unilateralism. If we had played more fairly and honestly, they might not be so suspicious of our motives. And it's not just about disconnection. One can already disconnect if one chooses. So I think the developing world views it as about freedom from the undue control and influence of a unilateral power. Admirable goals like improving network security and stability do not require increased government involvement, nor do they in any way require abandoning the existing cooperative relationship between the ITU and the IETF. The very notion of national digital independence and sovereignty is contrary to network security and stability. Actually, these admirable goals do require government involvement. Without laws to punish the crackers and the DDOS'rs, there is no network security or stability. One cannot fight international crime without Interpol, and organizations like Interpol cannot exist without respect for national sovereignty. --Dean
Re: ITU takes over?
Hmmm, What is wrong with ISOC? Cannot it be this body, we are looking for? Cheers On Tue, 2003-12-09 at 11:36, vinton g. cerf wrote: There have been fairly intense discussions in a series of meetings called PrepComs as in preparatory committees leading up to the World Summit on the Information Society (WSIS) taking place December 10-12 in Geneva. In the most recent meetings, a government only rule was invoked that excluded interested parties such as ICANN, among others, but the texts have been made visible. Of course, it remains to be seen whether these texts will be adopted by the summit meeting representatives. The texts cover principles and action plans, respectively, for realization of the Information Society. The subject of Internet Governance has been a large focus of attention, as has been a proposal for creating an international fund to promote the creation of information infrastructure in the developing world. Internet Governance is a very broad topic including law enforcement, intellectual property protection, consumer protection, tax policies, and so on. It also happens to include some of the things that ICANN is responsible for. Unfortunately, the discussion has tended to center on ICANN as the only really visible example of an organization attempting to develop policy (which is being treated as synonymous with governance). ICANN's mandate is very limited and it would be helpful if the broad governance issues mentioned above could find other organizational homes. ICANN's work could be fitted into a larger framework but some people seem to think that if ICANN doesn't do all the things that might fall into Internet governance then ICANN should be replaced with, eg, an ITU or UN body. Franck Martin [EMAIL PROTECTED] SOPAC, Fiji GPG Key fingerprint = 44A4 8AE4 392A 3B92 FDF9 D9C6 BE79 9E60 81D9 1320 All knowledge is an answer to a question. G. Bachelard
RE: /48 micro allocations for v6 root servers, was: national security
[2 mails into one again] Bill Manning [mailto:[EMAIL PROTECTED] wrote: % Expect to see routers being optimized that will only route % the upper 64bits of the address, so you might not want to do % anything smaller than that. This, if it happens, will be exactly opposed to the IPv6 design goal, which was to discourage/prohibit hardware/software designers from making presumptions or assumptions about the size of prefixes and HARDCODING them into products. Good point. With current allocation schemes it should work but maybe in the future, for anything outside 2000::/3 it could indeed change and then the above could indeed break. Hope the implementers of routing engines did notice that unlike what I did :) % Root nameservers are a very different story of course... % % A /32 contains 65k /48's, so these IX blocks could provide for % enough /48's for 65k IX's, thus unless that switch at the back % of my desk, which connects 'neighbours' too is to be called an % IX, because they have a linux router and me too and they speak % BGP is going to be called an IX it shouldn't be a problem if % the same block is used for 26? and maybe 3 tld servers per country. % % At least everybody will know that that /32 will have more specifics. % % Greets, % Jeroen 2001:0478:: was delegated expressly for IX and core infrastructure. - is this documented somewhere? (google on the prefix only returns discussions about its use ;) - is it available to the world(tm) as it looks like this is only available for exchanges managed by EP as per http://www.ep.net/wtgipa.html Thus also to the RIPE/APNIC/LACNIC region ? Regionalizing a root-server shouldn't be the case anyways as it shouldn't be bound to a certain spot. I, personally, see absolutely no problem into making it the 'critical infra' or 'root server' prefix, when it is documented correctly. EP.NET acts as a neutral body, with this way kinda of a sub-RIR though. 
All root-servers should be using the space then btw, not a few, but all of them. Exceptions to the rule will only cause that the exceptions are forgotten or that the rule is bent so badly that the rule isn't in place anymore. That's where at least one of the IPv6 prefixes for root-servers exists. Two are from ARIN micro-allocations and there is a /32 for another server. Grepping on root+dns in http://www.sixxs.net/tools/grh/tla/all/
2001:7fd::/32 K-rootserver-net-20030829 (not seen)
2001:7fe::/32 I-rootserver-net-20030916 (seen per 2003-09-17)
2001:dc0::/32 APNIC-AP-V6-20030124 *
2001:dc3::/32 M-ROOT-DNS-IPv6-20030619 (seen per 2003-08-31)
2001:dc4::/32 jp-dns-JPNIC-JP-20031117 (seen per 2003-12-03)
* = 2001:dc0::/35 + 2001:dc0:2000::/35 are announced, not the /32
The ARIN microallocs are not in there as they are not TLA's. Should I start tracking those too with GRH? Btw currently seen in the routing table (as per GRH)
2001:478::/32 (from SPRINT / AS6175)
2001:478::/45 (from EP.NET / AS4555)
2001:478:65::/48 (from EP.NET / AS4555)
Greets, Jeroen -- Jeroen Massar / [EMAIL PROTECTED] / http://unfix.org/~jeroen/
Re: ITU takes over?
at the moment it is not well constituted to develop policy. v At 01:01 PM 12/9/2003 +1200, Franck Martin wrote: Hmmm, What is wrong with ISOC? Cannot it be this body, we are looking for? Vint Cerf SVP Technology Strategy MCI 22001 Loudoun County Parkway, F2-4115 Ashburn, VA 20147 703 886 1690 (v806 1690) 703 886 0047 fax [EMAIL PROTECTED] www.mci.com/cerfsup
Re: ITU takes over?
vinton g. cerf [EMAIL PROTECTED] writes: At 01:01 PM 12/9/2003 +1200, Franck Martin wrote: What is wrong with ISOC? at the moment it is not well constituted to develop policy. This is a feature, not a bug. -- Mark Atwood | When you do things right, [EMAIL PROTECTED] | people won't be sure you've done anything at all. http://www.pobox.com/~mra
FWD: ICANN GNSO Request for public comment on Registry Services
Hi. This seems worth forwarding to the IETF list in case people have comments they would like to submit as individuals. I'm also forwarding it to the IAB in the event that they think a formal comment is appropriate. Reading hint: while the proposed procedure seems, from the description, to be oriented toward requests such as we have been registering only names from organizations of type X, we would now like to register type Y as well or we would like to charge EUR 5 per year rather than USD 6 it would presumably also apply to requests such as: we would like to start registering arbitrary binary strings in the TLD we would like to auction off a wildcard record in the TLD or we would like to start putting, e.g., NAPTR and SRV records in the TLD zone, not just NS records. I suspect some members of this community might have opinions on such issues. If we do, it seems reasonable to make comments on the procedures that would ensure the availability of adequate and early consideration. Or maybe we don't care after all. Note that discussion here is pointless: if you have a position and want to express it, tell the GNSO according to the instructions given on the cited web pages. 
regards, john -- Forwarded Message -- Date: Monday, 08 December, 2003 23:41 +0100 From: GNSO SECRETARIAT [EMAIL PROTECTED] To: announce [EMAIL PROTECTED] Subject: [announce] Request for public comment on Registry Services [To: [EMAIL PROTECTED]; [EMAIL PROTECTED] [To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Please see the request for Public comment on: Procedure for use by ICANN in considering requests for consent and related contractual amendments to allow changes in the architecture or operation of a gTLD registry at: http://gnso.icann.org http://gnso.icann.org/comments-request/ http://gnso.icann.org/issues/registry-services/tor-revised.shtml Draft Terms of reference Procedure for use by ICANN in considering requests for consent and related contractual amendments to allow changes in the architecture or operation of a gTLD registry COMMENT PERIOD is open for 20 days and ENDS 28 DECEMBER 2003, 23:00 GMT Thank you in anticipation for the time taken to comment. GNSO Secretariat -- End Forwarded Message --
Re: just a brief note about anycast
Hi -

From: Dean Anderson [EMAIL PROTECTED]
To: Randy Presuhn [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Monday, December 08, 2003 4:50 PM
Subject: Re: just a brief note about anycast
...

Well, they think we are the chauvinists of unilateralism. If we had played more fairly and honestly, they might not be so suspicious of our

How has the IETF been playing unfairly or dishonestly? Or is the argument that ICANN has been unfair and dishonest?

motives. And it's not just about disconnection. One can already disconnect if one chooses. So I think the developing world views it as about freedom from the undue control and influence of a unilateral power.
...

How would replacing ICANN (or the IETF) with the ITU make things any less unilateral? As I see it, all that it would accomplish is that it would give governments and corporations a more direct voice in matters, at the expense of individual technical contributors.

Randy
Re[2]: ITU takes over?
Franck Martin writes:

What is wrong with ISOC? Cannot it be this body, we are looking for?

ISOC membership is open to anyone. Very few governments are going to support an organization that does not restrict its membership to elite government representatives.
Re[2]: just a brief note about anycast
Dean Anderson writes:

Well, they think we are the chauvinists of unilateralism. If we had played more fairly and honestly, they might not be so suspicious of our motives.

What has been unfair and dishonest thus far? Dominance by the U.S. does not automatically equate to unfairness and dishonesty. The only reason there is an Internet at all is that the United States built one. If it had been up to the developing countries, the only communication available today would be paper cups and taut string, and it would be available only to a few dictators.

So I think the developing world views it as about freedom from the undue control and influence of a unilateral power.

These developing countries are still trying to grapple with the challenge of clean running water for their populations; why do they care about the Internet? The real concerns of the Third World are three: (1) they want more money from the West for their corrupt governments; (2) they want to suppress any form of free speech that might undermine their corrupt governments; and (3) they want more money from the West for their corrupt governments.

Actually, these admirable goals do require government involvement.

Digital independence and sovereignty scarcely seem like admirable goals; they are just synonyms for censorship and restricted access.

Without laws to punish the crackers and the DDOS'rs, there is no network security or stability.

It is not necessary to intervene in the technical implementation of the network to punish crackers and others; it is only necessary to find them.

One cannot fight international crime without Interpol, and organizations like Interpol cannot exist without respect for national sovereignty.

By definition, an organization like Interpol requires the partial sacrifice of national sovereignty. If all states were entirely sovereign, no interstate police organization could exist. The same is true for the Internet (and the telephone network, and postal services, and so on).
Re: just a brief note about anycast
On Tue, 2003-12-09 at 15:15, Randy Presuhn wrote:

Hi -

How would replacing ICANN (or the IETF) with the ITU make things any less unilateral? As I see it, all that it would accomplish is that it would give governments and corporations a more direct voice in matters, at the expense of individual technical contributors.

Randy

And one important fact, is that IETF issues standards which do not contain patents... but ITU does!

Cheers

Franck Martin
[EMAIL PROTECTED]
SOPAC, Fiji
GPG Key fingerprint = 44A4 8AE4 392A 3B92 FDF9 D9C6 BE79 9E60 81D9 1320
All knowledge is an answer to a question. G. Bachelard
Re: /48 micro allocations for v6 root servers, was: national security
% I, personally, see absolutely no problem into making it the 'critical infra'
% or 'root server' prefix, when it is documented correctly. EP.NET acts as
% a neutral body, with this way kinda of a sub-RIR though. All root-servers
% should be using the space then btw, not a few, but all of them.
%
% i, both personally and professionally, think that this would not be desirable.
% --
% Paul Vixie

EP.NET has been doing micro-allocations for longer than all but one RIR has been in existence. That said, I am grateful that RIRs themselves are doing micro-allocations. This for two reasons:

1) customers should have -choice-
2) using multiple prefixes reduces the impact of route flap taking out everyone.

--bill

Opinions expressed may not even be mine by the time you read them, and certainly don't reflect those of any other entity (legal or otherwise).
Re: just a brief note about anycast
At 3:30 PM +1200 12/9/03, Franck Martin wrote:

And one important fact, is that IETF issues standards which do not contain patents... but ITU does!

It depends on what you mean by "do not contain patents". If you mean that are not covered by any patents, then tropical living has really affected your view of IETF reality. Reading http://www.ietf.org/ipr.html will possibly drag you back to where the rest of the folks on this mailing list reside.

--Paul Hoffman, Director
--Internet Mail Consortium
Re: Re[2]: just a brief note about anycast
On Tue, 2003-12-09 at 15:30, Anthony G. Atkielski wrote:

The real concerns of the Third World are three: (1) they want more money from the West for their corrupt governments; (2) they want to suppress any form of free speech that might undermine their corrupt governments; and (3) they want more money from the West for their corrupt governments.

We could talk about AID here, but it is not the IETF subject. I would summarise like this:

more than half of the AID from the US government goes to Israel only (you know what Israel does with this money)

USAID policy is for each nickel given, there should be 2 nickels back...

Yes I know I summarise... and yes there are corrupt governments out there

Sorry, I could not let it go... Please do not reply to this e-mail on the list, this has nothing to do with IETF.

Franck Martin
[EMAIL PROTECTED]
SOPAC, Fiji
GPG Key fingerprint = 44A4 8AE4 392A 3B92 FDF9 D9C6 BE79 9E60 81D9 1320
All knowledge is an answer to a question. G. Bachelard
Re: ITU takes over?
On Mon, 8 Dec 2003, vinton g. cerf wrote:

at the moment it is not well constituted to develop policy.

No, but it well constituented to be. Is it only necessary that it be reconstituted.

Scott

v

At 01:01 PM 12/9/2003 +1200, Franck Martin wrote:

Hmmm, What is wrong with ISOC? Cannot it be this body, we are looking for?

Vint Cerf
SVP Technology Strategy
MCI
22001 Loudoun County Parkway, F2-4115
Ashburn, VA 20147
703 886 1690 (v806 1690)
703 886 0047 fax
[EMAIL PROTECTED]
www.mci.com/cerfsup

sleekfreak pirate broadcast world tour 2002-3
live from the pirate hideout
http://sleekfreak.ath.cx:81/
Re: ITU takes over?
On Tue, 09 Dec 2003 05:37:18 EST, shogunx said:

On Mon, 8 Dec 2003, vinton g. cerf wrote:

at the moment it is not well constituted to develop policy.

No, but it well constituented to be. Is it only necessary that it be reconstituted.

The fact that cats could swim for long periods underwater if only they were fish is not by itself sufficient reason to attempt the conversion.