Re: The Reg does 240/4
inline

Christopher Hawker writes:

> Hi Christian,
>
> The idea to this is to allow new networks to emerge onto the internet,
> without potentially having to fork out substantial amounts of money.

That would then be using IPv6 with IPv4 transition translation etc at the ingress/egress to your new shiny ISP.

> I am of the view that networks large enough to require more than a /8 v4 for
> a private network, would be in the position to move towards IPv6-only. Meta
> has already achieved this
> (https://engineering.fb.com/2017/01/17/production-engineering/legacy-support-on-ipv6-only-infra/)
> by rolling out dual-stack on their existing nodes and enabling new nodes as
> IPv6-only.

Any network of any size can justify using IPv6. You will though face some old telco monopolistic / Tier 1 incumbencies who find their benefit in networking is to be as anti-social to fellow networks as their lack of imagination on the value of connectivity can facilitate, and who regret they can't charge time and distance but are very happy to charge on ingress and egress.

> I cannot think of a bigger waste of resources that have the possibility of
> being publicly used, than to allocate an additional 16 x /8 to RFC1918
> space.

I expect it would take many years for 240/4 to have universal routing as a public resource. That may be the first challenge to get it through the IETF. The other challenge is that the block is currently marked experimental, and really if you want to make a plan to use all or part of that block, then that should be for experimental purposes. Just saying it is now public isn't really an innovation. Also, once reallocated it's lost to future experimental uses.

> The same argument could be had about using larger than a /8 for private
> networking. Why not use IPv6?

well now you are speaking hexadecimal!

> Regards,
> Christopher Hawker

best

Christian

> ---------
> From: Christian de Larrinaga
> Sent: Wednesday, February 14, 2024 11:51 PM
> To: Christopher Hawker
> Cc: Denis Fondras ; nanog@nanog.org
> Subject: Re: The Reg does 240/4
>
> excuse top posting -
>
> I don't see a case for shifting 240/4 into public IP space if it is just
> going to sustain the rentier sinecures of the existing IPv4
> incumbencies. In other words if RIRs don't use it to boost new entrants it
> will just add another knot to the stranglehold we are in vis IPv4.
>
> I can see a potential case for shifting it from experimental to private
> space given the fact that "the rest of us" without public IP space and
> natted behind CGNATs have taken to use IPv4 for wireguard, containers,
> zero configs and so on, to tie our various locations, services and
> applications together within our own private distributed nets and expose
> our services for public consumption over IPv6.
>
> C
>
> Christian de Larrinaga
>
> Christopher Hawker writes
>
>> Hi Denis,
>>
>> It will only be burned through if RIR communities change policies to allow
>> for larger delegations than what is currently in place. I believe that some
>> level of change is possible whilst limiting the exhaustion rate, e.g.
>> allowing for delegations up to a maximum holding of a /22, however we
>> shouldn't go crazy (for want of a better phrase) and allow for delegations
>> of a /20, /19 etc.
>>
>> If this was only going to give us a potential 1-3 years' worth of space,
>> then I would agree in saying that it is a waste of time, would take far too
>> long to make the space usable and wouldn't be worth it. However, as long as
>> we don't get greedy, change the maximum allowed delegation to large
>> delegations, and every Tom/Dick/Harry applying for a /16 allocation then
>> 240/4 will last us a lengthy amount of time, at least a few decades.
>>
>> Regards,
>> Christopher Hawker
>> -
>> From: NANOG on behalf of Denis Fondras via NANOG
>> Sent: Wednesday, February 14, 2024 11:10 PM
>> To: nanog@nanog.org
>> Subject: Re: The Reg does 240/4
>>
>> On Tue, Feb 13, 2024 at 03:24:21PM -0800, David Conrad wrote:
>>> This doesn't seem all that positive to me, particularly because it's
>>> temporary since the underlying problem (limited resource, unlimited
>>> demand) cannot be addressed.
>>>
>>
>> I agree with this.
>> Yet I am in favor of changing the status of 240/4, just so it can get burned
>> fast, we stop this endless discussion and can start to deploy IPv6 again.
>>
>> Denis

--
Christian de Larrinaga
Re: The Reg does 240/4
excuse top posting -

I don't see a case for shifting 240/4 into public IP space if it is just going to sustain the rentier sinecures of the existing IPv4 incumbencies. In other words if RIRs don't use it to boost new entrants it will just add another knot to the stranglehold we are in vis IPv4.

I can see a potential case for shifting it from experimental to private space given the fact that "the rest of us" without public IP space and natted behind CGNATs have taken to use IPv4 for wireguard, containers, zero configs and so on, to tie our various locations, services and applications together within our own private distributed nets and expose our services for public consumption over IPv6.

C

Christian de Larrinaga

Christopher Hawker writes
> Hi Denis,
>
> It will only be burned through if RIR communities change policies to allow
> for larger delegations than what is currently in place. I believe that some
> level of change is possible whilst limiting the exhaustion rate, e.g.
> allowing for delegations up to a maximum holding of a /22, however we
> shouldn't go crazy (for want of a better phrase) and allow for delegations
> of a /20, /19 etc.
>
> If this was only going to give us a potential 1-3 years' worth of space, then
> I would agree in saying that it is a waste of time, would take far too long
> to make the space usable and wouldn't be worth it. However, as long as we
> don't get greedy, change the maximum allowed delegation to large
> delegations, and every Tom/Dick/Harry applying for a /16 allocation then
> 240/4 will last us a lengthy amount of time, at least a few decades.
>
> Regards,
> Christopher Hawker
> -
> From: NANOG on behalf of Denis Fondras via NANOG
> Sent: Wednesday, February 14, 2024 11:10 PM
> To: nanog@nanog.org
> Subject: Re: The Reg does 240/4
>
> On Tue, Feb 13, 2024 at 03:24:21PM -0800, David Conrad wrote:
>> This doesn't seem all that positive to me, particularly because it's
>> temporary since the underlying problem (limited resource, unlimited
>> demand) cannot be addressed.
>>
>
> I agree with this.
> Yet I am in favor of changing the status of 240/4, just so it can get burned
> fast, we stop this endless discussion and can start to deploy IPv6 again.
>
> Denis

--
Christian de Larrinaga
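The thread above turns on what 240/4, 100.64/10 and the RFC 1918 blocks currently are, and on the point that "just saying it is now public" does not make it so. The following is an added example, not code from any of the posters: a small Python classifier for the special-purpose IPv4 blocks under discussion, which also reports how the host's own `ipaddress` library treats each address. The `treat_240_as_public` switch is a hypothetical policy flag, used here to show that reclassifying the block on paper does not change what deployed stacks and libraries believe about it. The `is_rfc1918_client` helper is the kind of client-source check the O2 anecdote further down this page describes.

```python
"""Classify an IPv4 address against the special-purpose blocks discussed above
(added example; not code from the thread)."""
import ipaddress

# Blocks and their current status per the IANA IPv4 Special-Purpose Address
# Registry. 240/4 is "Reserved" (the old Class E / experimental space), which is
# why operating systems, routers and libraries refuse to treat it as unicast.
# Order matters: the /32 broadcast entry must be tested before 240/4.
SPECIAL_BLOCKS = [
    ("255.255.255.255/32", "limited broadcast"),
    ("10.0.0.0/8",         "RFC 1918 private"),
    ("172.16.0.0/12",      "RFC 1918 private"),
    ("192.168.0.0/16",     "RFC 1918 private"),
    ("100.64.0.0/10",      "RFC 6598 shared address space (CGNAT)"),
    ("240.0.0.0/4",        "RFC 1112 reserved (240/4, former Class E)"),
    ("127.0.0.0/8",        "loopback"),
    ("169.254.0.0/16",     "link-local"),
    ("224.0.0.0/4",        "multicast"),
    ("192.0.2.0/24",       "documentation (RFC 5737)"),
    ("198.51.100.0/24",    "documentation (RFC 5737)"),
    ("203.0.113.0/24",     "documentation (RFC 5737)"),
]
SPECIAL_BLOCKS = [(ipaddress.ip_network(n), label) for n, label in SPECIAL_BLOCKS]

RFC1918 = [net for net, label in SPECIAL_BLOCKS if label == "RFC 1918 private"]
CLASS_E = ipaddress.ip_network("240.0.0.0/4")


def classify(addr, treat_240_as_public=False):
    """Return the policy class of an address plus what the stdlib thinks of it.

    treat_240_as_public is a hypothetical switch modelling the proposal to
    declare 240/4 public. It changes the policy label only: the stack_* fields
    come from the platform's ipaddress module and do not follow the flag.
    """
    ip = ipaddress.IPv4Address(addr)
    label = "global unicast"
    for net, name in SPECIAL_BLOCKS:
        if ip in net:
            if treat_240_as_public and net == CLASS_E:
                continue  # policy says public; keep looking for other matches
            label = name
            break
    return {
        "address": str(ip),
        "policy_class": label,
        "stack_is_global": ip.is_global,      # what the library believes
        "stack_is_reserved": ip.is_reserved,  # True for all of 240/4
    }


def is_rfc1918_client(addr):
    """Client-side test of the kind some services apply: is the source in RFC 1918 space?"""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in RFC1918)


if __name__ == "__main__":
    for a in ("10.1.2.3", "100.64.0.1", "240.0.0.1", "203.0.113.5"):
        print(classify(a))
        print(classify(a, treat_240_as_public=True))
```

Run it and compare the two lines printed for 240.0.0.1: the policy label flips to "global unicast" under the flag, but `stack_is_global` stays False and `stack_is_reserved` stays True, which is the practical form of the "many years for universal routing" objection.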
Re: Let's Focus on Moving Forward Re: V6 still not supported
Your take on English history is a delightful fantasy, but it is just that, a delightful fantasy. Norman barons were not typically concerned with the health of their Anglo-Saxon/British serfs / yeomen other than providing the required tithes.

But taking you at what seems to be your intention. Speaking as a digital peasant I am not assured that my interests are protected from anybody by being told I have no direct access to people I want to communicate with but have to go through a third party. Any addressing model that terminates address space between me and someone I communicate with also terminates my communications and security, and by so doing introduces a number of uncertainties potentially rather arbitrary to what would otherwise be under my direct policy domain.

C

"Abraham Y. Chen" writes:

> Hi, Christian:
>
> 0) Allow me following your "towers of babel world" metaphor to tell
> a short story.
>
> 1) In the ancient days, peasants labored under the shadow of the
> Tower, following the rules of and paid tax to the Lord living in the
> Tower. In return, they expected protection from the Lord against
> harms. (Sometime ago, I read an archaeological article reporting
> certain evidence that the Lord somewhere in England during medieval
> time might have been expected to protect his peasants from any harm,
> including even paid his life for famine.)
>
> 2) In the modern world, the peasants still live around the Tower
> following the rules, paying taxes and expecting protection from the
> Lord, now represented by the government agencies such as local police,
> FCC, FTC, DoD, DHS, etc.
>
> 3) In the Internet era, the peasants roam everywhere around the
> cyberspace freely enjoying the Internet way. However, their wealth is
> now being siphoned out to the invisible Lords (the multi-national
> businesses with virtual presence in each and every Tower). However,
> little can be expected in return when perpetrators attack, because no
> Lord assumes the responsibility, nor any can be held responsible.
>
> 4) EzIP proposes an overlay cyberspace with geographic flavor to
> restore the society infrastructure back to Pt. 2) above, while
> providing the daily services of Pt. 3). It essentially offers a
> parallel Internet for the peasants who can again expect protection
> from their local government who collects taxes, while without losing
> the benefits of the digital revolution.
>
> 5) The two cyberspaces are expected to coexist and be non-interfering
> to each other. Peasants have the freedom of choice by living in either
> or try both then decide.
>
> The above is just a quick rough thought, far from polished. It is
> intended to be a preliminary framework so that we can hang some meat
> on it for starting meaningful discussions.
>
> Regards,
>
> Abe (2022-04-01 14:17)
>
> On 2022-03-27 11:03, Christian de Larrinaga wrote:
>>
>> On 27 March 2022 15:53:25 Brandon Butterworth wrote:
>>
>>> On Sun Mar 27, 2022 at 12:31:48AM -0400, Abraham Y. Chen wrote:
>>>> EzIP proposes to deploy 240/4 address based RANs, each tethering off
>>>> the current Internet via one IPv4 public address.
>>>
>>> So each RAN has no possibility of redundant connections? Nobody
>>> of scale would accept such a limitation. It also looks like an
>>> opportunity for telcos/governments to partition their part
>>> of the internet and impose whatever censorship they wish.
>>>
>>>> As such, the collection of RANs forms an overlay network
>>>> layer wrapping around the current Internet core. Consequently, only the
>>>> SPRs in the RAN need to be able to transport 240/4 addressed packets.
>>>
>>> You previously described this as like connecting CG-NATs together via a
>>> VPN. I don't see why we'd want to add maintaining a global VPN to
>>> already difficult peering relationships. It could be used to exclude non
>>> EzIP club members.
>>>
>>>> This is why we talk about enabling new (but based on existing design)
>>>> routers to use 240/4 netblock for serving as SPRs, but not perturbing
>>>> any routers in the current Internet.
>>>
>>> As it's a CG-NAT variant why are you delaying yourself by requiring
>>> new address space that will take a long time to become available? Why
>>> not use the already allocated space for CG-NAT? Sure it's only a /10
>>> but that's an already (probably too) large RAN.
>>>
>>> It also seems unfeasibly optimistic that if the work was done globally
>>> to make 240/4 useab
Re: Let's Focus on Moving Forward Re: V6 still not supported
On 27 March 2022 15:53:25 Brandon Butterworth wrote:

> On Sun Mar 27, 2022 at 12:31:48AM -0400, Abraham Y. Chen wrote:
>> EzIP proposes to deploy 240/4 address based RANs, each tethering off the
>> current Internet via one IPv4 public address.
>
> So each RAN has no possibility of redundant connections? Nobody of scale
> would accept such a limitation. It also looks like an opportunity for
> telcos/governments to partition their part of the internet and impose
> whatever censorship they wish.
>
>> As such, the collection of RANs forms an overlay network layer wrapping
>> around the current Internet core. Consequently, only the SPRs in the RAN
>> need to be able to transport 240/4 addressed packets.
>
> You previously described this as like connecting CG-NATs together via a
> VPN. I don't see why we'd want to add maintaining a global VPN to already
> difficult peering relationships. It could be used to exclude non EzIP club
> members.
>
>> This is why we talk about enabling new (but based on existing design)
>> routers to use 240/4 netblock for serving as SPRs, but not perturbing any
>> routers in the current Internet.
>
> As it's a CG-NAT variant why are you delaying yourself by requiring new
> address space that will take a long time to become available? Why not use
> the already allocated space for CG-NAT? Sure it's only a /10 but that's an
> already (probably too) large RAN.
>
> It also seems unfeasibly optimistic that if the work was done globally to
> make 240/4 usable that they'd want to dedicate it to the as yet undeployed
> EzIP. You might stand more chance if you gained some critical mass using
> the existing available 100.64/10 & rfc1918 space, and then those that find
> they need more in one RAN will make the case for 240/4 when it becomes
> necessary for them.
>
> Is 240/4 special to EzIP such that alternative numbers may not be used?
>
>> I would like to share one intriguing graphic (see URL below) that is
>> almost perfect for depicting the EzIP deployment configuration.
>> Consider the blue sphere as the earth or the current Internet core and
>> the golden colored land as the RANs. By connecting each continent,
>> country or all the way down to a Region to the earth via one IPv4
>> address, we have the EzIP configuration. With this architecture, each
>> RAN looks like a private network.
>
> That sounds an entirely undesirable goal for the internet.
>
> brandon

It isn't the Internet. It's at best a very poorly connected spur gateway.

Too many today don't remember the towers of Babel world prior to the Internet. If they did they'd understand that building on this type of idea is like burying yourself, and any customers so unwise as to get involved.

C
Re: VPN recommendations?
Intriguing. This week I started to look around for new wireguard implementation tools and appliances.

I've used openvpn and ipsec in the main, although last month I put together a 10x and IPv6 wireguard net in my home and out to two vps hosts which is handy. For my own use this is ok-ish, but I am not so sure about keeping track of the configs, managing users and adding configs as a network grows. In other words I want help when scaling wg and handling change, particularly if I am managing nets for other projects or delegating.

Tailscale, ZeroTier and some others are doing a great job I feel and no doubt have a handle on that. I've not tried them as yet. Because I do like to have options that are not mediated I have kept looking, as much for my own curiosity and education as for deploying a service in anger. But having a toolset that can support the latter capability has to be the aim to work towards.

I've found a few potentially interesting more recent projects and am intending to start to test deploy some of these in sequence to see how I get on. I think I'll start with https://github.com/gravitl/netmaker

Please note I've only reviewed the documentation. I've not yet played with it. This seems to offer, at an early stage in its development, a web appliance (optionally) with CoreDNS if you want naming support, and IPv6, and at least some client management features. It claims to be fast but that can be tested. It also is deployable on docker/kubernetes (k8s) which is intriguing when deploying and managing containers between multiple hosts across data centres. It uses a mongodb licence which may or may not be a problem.

If one plays with IPSEC then I guess one could run wg through IPSEC, but is there any point unless you already have an IPSEC branch and don't want to take it down whilst adding wg for a new class of devices/userbase?

I'd be interested in sharing experiences and advice (offlist) and delighted to learn from wireguard and vpn's clueful folk.

thank you for an interesting discussion.

Christian

William Herrin writes:

> On Fri, Feb 11, 2022 at 10:35 AM Dan Sneddon wrote:
>> 1) IPSEC does not lend itself to dynamic routing or dynamic configuration.
>> It is very much a static set-it-and-forget-it technology, but that doesn't
>> work in a dynamically changing environment.
>
> Hi Dan,
>
> Depending on how you configure it, IPSEC can work fine with dynamic
> routing. The thing to understand is that IPSec has two modes: transport and
> tunnel. Transport is between exactly two IP addresses while tunnel expects
> a broader network to exist on at least one end. "Tunnel" mode is what
> everyone actually uses but you can deconstruct it: it's built up from
> transport mode + a tunnel protocol (gre or ipip I don't remember which) +
> implicit routing and firewalling which wreaks havoc on dynamic routing.
>
> Now, it turns out that you can instead configure IPSec in transport mode,
> configure the tunnel separately and leave out the implicit firewalling.
>
>> This may not apply to William Herrin's (OP) use case of a VPN appliance
>
> It's not relevant to my situation, no. I need the VPN to establish a
> statically addressed clean layer 3 on top of dynamically addressed and
> natted endpoints to support the next appliance in the chain where dynamic
> addressing is not possible. I don't actually care if it adds security; it
> just needs to establish that statically addressed layer.
>
> Oh yeah, and it has to be listed under "virtual private network" on the
> government NIAP list.
> https://www.niap-ccevs.org/product/PCL.cfm?ID624=34
>
> Regards,
> Bill Herrin

--
Christian de Larrinaga
https://firsthand.net
Re: New minimum speed for US broadband connections
On Thu, 27 May 2021, Lady Benjamin Cannon of Glencoe, ASCE wrote:

> At least 100/100. We don't like selling slower than 10g anymore, that's
> what I'd start everyone at if I could.

At $50/month or less? Maximize number of households of all demographic groups.

--
Christian de Larrinaga
https://firsthand.net
Re: DoD IP Space
Is the DoD still the owner?

On Sun 25 Apr 2021 at 10:24, Bill Woodcock wrote:

>> On Apr 25, 2021, at 9:40 AM, Mel Beckman wrote:
>> It's a direct militarization of a civilian utility.
>
> I think I'd characterize it, rather, as a possible privatization of public
> property. If someone builds a house in the middle of a public park, it's
> not _what they're doing in the house_ that concerns me.
>
> -Bill

--
Christian de Larrinaga
https://firsthand.net
Re: Hulu / ESPN: Commercial IP Address
Brandon,

That is odd. Might this be an artefact of cellular carriers being fixated on revenue protection of their inter-carrier rates? Are they (wrongly) assuming a public IP might be a grey market termination risk onto their networks?

best

Christian

Brandon Butterworth wrote:
>
> On Sat Oct 13, 2018 at 02:39:37PM -0400, Daniel Corbe wrote:
>>
>> I had a customer with a similar issue. I statically assigned them a
>> different IP and it didn't resolve it. The problem turned out to be
>> tied to their Hulu account.
>
> I had a similar issue with wifi calling on O2 in the UK. It
> worked on some wifi but not others. After pressing O2 support
> for quite some time they admitted "you're on commercial IP space
> which we don't support" but would say no more.
>
> After a little puzzling I realised the working wifis were
> NATed to 1918 so I added NAT to one that wasn't working and the
> phone registered OK for wifi calling. The address it was NATed
> to was the same range so it appears their test is for 1918 space
> on the client.
>
> I'm not saying HULU is the same, I've never had access to it,
> but companies cook up some weird ideas of what is acceptable for
> client access. I've still got no idea why having a public IP makes
> it unacceptable to make phone calls where their coverage is poor.
>
> brandon
Re: Is WHOIS going to go away?
Tei wrote:
>
> Maybe a good balance for whois is to include organization information
> so I know where a website is hosted, but not personal information, so
> I can't show up at their house and steal their dog.
>
> I feel uneasy about having my phone available to literally everyone on
> the internet.
>

Technical contact information is supposed to be available for technical purposes. Not that that purpose has been reliable as time has gone by. Has that (required) purpose just flown past the policy makers?

Christian
Re: Conference Videos
Has there been some assessment of how justified those seeking the "right to be forgotten" have been in becoming forgotten? By doing so does it risk changing the record in a way that is not beneficial to the community and historical record?

I warmly second the plaudit and thanks to Brandon for his support of UKNOF. He has played a very substantial part in making UKNOF what it is today.

Christian

> Chris Russell
> 14 March 2017 at 08:23
>
> We've had this within UKNOF ... sometimes people do not wish to be
> recorded, mainly due to confidentiality reasons (ie: advance heads up,
> or personal thoughts delivered to a specific audience). Occasionally
> we have been asked to remove recordings at a later date due to
> changing circumstances etc.
>
> We explicitly mention the webcast/records on abstract submissions
> from memory, and also recently introduced shepherding to help
> presentations be more relevant (both to the speakers to help them in
> pushing a $clue or message, to our audience to ensure relevance and to
> us in terms of protection from litigation, etc). This applies to both
> submitted AND sponsor talks (the latter being incredibly useful and
> has shown a major increase in sponsor talk relevance and feedback
> ratings).
>
> People will always mention a lack of recording/webcast for this type
> of content ... but then arguably that is a driver to attend in person.
>
> Thanks
>
> Chris
> (UKNOF PC Chair)
>
>
> Patrick W. Gilmore
> 13 March 2017 at 22:10
>
> Speakers are informed they are going to be recorded. If they have
> sensitive information, they can choose a track and ask it not be
> recorded. NANOG has done this in the past, but you should talk to the
> Program Committee if you are interested in this.
>
>
> Steve Feldman
> 13 March 2017 at 22:06
>
> Many attendees also find value in the parts of the conference that
> aren't recorded, like hallway conversations, informal meetings, and
> even social events.
>
> Keeping and maintaining the archive of slides and video recordings is
> an essential part of NANOG's educational mission, which was key to
> obtaining and maintaining the IRS 401(c)(3) nonprofit status.
>
> So at least for the time I was on the Board, not only were there no
> regrets, but we worked hard to maintain and enhance the video experience.
> Steve
>
>
> Mike Hammett
> 13 March 2017 at 21:52
>
> Another organization I'm in has a hard policy of no recordings of any
> sessions at their conferences. They think that recordings of content
> (even vendor-sponsored, vendor-specific sessions with vendor consent)
> would have a catastrophic effect on conference attendance.
>
> NANOG doesn't seem to have that issue. Any background on the process
> to get there? Any regrets?
>
> -
> Mike Hammett
> Intelligent Computing Solutions
>
> Midwest Internet Exchange
>
> The Brothers WISP

--
Christian de Larrinaga FBCS, CITP - @ FirstHand - +44 7989 386778 - c...@firsthand.net
Re: gagging *IX directors re snoop/block orders
It's a pretty shocking development. It's one thing to nobble a single network under the IP Act to interfere with equipment, but to use a neutral exchange to nobble shared infrastructure used across US and UK and ... is a completely different can of worms.

I don't exercise a vote anymore at LINX but I do hope members will pause and consider this very carefully indeed.

Christian

> Brandon Butterworth
> 17 February 2017 at 17:38
>
> On Fri Feb 17, 2017 at 05:19:32PM +, William Waites wrote:
>> So instead of saying, "we have this new spying law in the UK and we need
>> to rejigg the decision-making at LINX so we will be ready in case we are
>> required to do something that must be kept secret"
>
> Yes but "hey government, swivel on this" isn't going to be an
> effective secret weapon, they'll neutralise it before you use it
>
>> what was proposed to
>> the membership was, "we have embarked on this long governance journey
>> and this is what we have come up with as the best way to run LINX". Those
>> are two very different propositions
>
> A big winking eye emoji was needed
>
> brandon
>
>
> William Waites
> 17 February 2017 at 17:19
>
>> On Feb 17, 2017, at 16:46, Patrick W. Gilmore <patr...@ianai.net> wrote:
>>
>> There is one problem: The article is factually incorrect on multiple points.
>
> It would be interesting to know what points those are, it reads mostly
> accurately to me.
>
>> The proposed constitutional changes are in the public domain.
>
> The main problem, though this point may have gotten lost in the very long
> discussion on the LINX members list, is that the reasoning and motivation for
> the changes was not made clear. Even when explanatory materials were
> belatedly provided, they weren't especially clear.
>
> So instead of saying, "we have this new spying law in the UK and we need
> to rejigg the decision-making at LINX so we will be ready in case we are
> required to do something that must be kept secret" what was proposed to
> the membership was, "we have embarked on this long governance journey
> and this is what we have come up with as the best way to run LINX". Those
> are two very different propositions, especially for busy people who don't have
> time to read in detail and understand all the implications.
>
> All that I suggested is that the members be properly informed so that they
> can make this choice with their eyes open. It is important to have this
> discussion in the open, and explicitly mark the transition where Internet
> Exchange Points re-organise themselves to accommodate spying laws and
> gag orders.
>
> William Waites
> Laboratory for Foundations of Computer Science
> School of Informatics, University of Edinburgh
> Informatics Forum 5.38, 10 Crichton St.
> Edinburgh, EH8 9AB, Scotland
>
> The University of Edinburgh is a charitable body, registered in
> Scotland, with registration number SC005336.

--
Christian de Larrinaga FBCS, CITP - @ FirstHand - +44 7989 386778 - c...@firsthand.net
Re: GeoIP database issues and the real world consequences
Really? - You want RIRs to now perpetuate an application of IPs they are not designed for?

The activities of MaxMind and similar need to be exposed so people understand the problem. No matter how Geo IP businesses might back-pedal and say they never intended their services to be considered as authoritative etc, the fact is people including law enforcement and presumably General Hayden and friends are buying into the fallacy that IP addresses are fit for the purpose of geolocation.

Let's put this another way. How many LIRs' accounting systems use IPs as billing / account identifiers? No? I wonder why not.

C

> Todd Crane
> 13 April 2016 at 06:57
>
> I like (sarcasm) how everybody here either wants to point fingers at
> MaxMind or offer up coordinates to random places knowing that it will
> never happen. What ever happened to holding people responsible for
> being stupid. When did it start becoming ((fill in the blank)) coffee
> shop's fault for you burning your tongue on your coffee, etc. I've seen/used
> all sorts of geolocation solutions and never once thought to myself
> that when a map pin was in the middle of a political boundary, that
> the software was telling me anything other than the place was
> somewhere within the boundary. Furthermore, most geolocation services
> will also show a zoomed-out/in map based on certainty. So if you can
> see more than a few hundred miles in the map that only measures
> 200x200 pixels, then it probably isn't that accurate.
>
> As to a solution, why don't we just register the locations (more or
> less) with ARIN? Hell, with the amount of money we all pay them in
> annual fees, I can't imagine it would be too hard for them to
> maintain. They could offer it as part of their public whois service or
> even just make raw data files public.
>
> Just a thought
>
> —Todd
>
>
> Jean-Francois Mezei
> 13 April 2016 at 01:17
>
> All GeoIP services would be forced to document their default lat/long
> values so that users know that when they see these values, it is a
> generic one for that country. (or supply +181. +91.0 which is an
> invalid value indicating that there is no lat/long, look at country code
> given).

--
Christian de Larrinaga FBCS, CITP - @ FirstHand - +44 7989 386778 - c...@firsthand.net
Re: /27 the new /24
Around 2004 I noted that the fear was that without v4 something in the network would break. (It was considered crazy then to consider v6 only.) Now I'm seeing concern that something in the applications will break. The difference is that networks can't guarantee to push static IPv4 to those problems like they could. New networks can't establish, let alone grow, unless they are essentially v6 only with v4 translation.

But I'm seeing concern that some of these newer IETF transition mechanisms are too complex or expensive - i.e., off-putting enough so a smaller ISP is forced to consider CGNAT. I'm not sure if this is just an isolated case or if there is something missing needed by smaller and growing ISPs.

Christian

Matthew Kaufman wrote:
>
> On 10/7/15 7:00 AM, Mark Andrews wrote:
>> I don't see anyone wishing it went differently. I see someone
>> pointing out the reality that lots of ISP's are way too late to
>> delivering IPv6. *Every* ISP should have been planning to deliver
>> IPv6 by the time the first RIR ran out of IPv4 addresses.
>
> Look, I'm as much a supporter of delivering IPv6 as anyone. I've had
> IPv6 enabled on my home network (and the small data center I run in my
> garage) for over a decade now. In 2004, I made sure that IPv6 was
> fully supported in the peer-to-peer stack I developed and that
> eventually became RFC 7016. And for the last 5 years I've been pushing
> for IPv6 support in the product I work on for my employer.
>
> But the reality is that there's a whole lot of small and medium-sized
> ISPs run by fine, upstanding individuals serving their communities --
> even in and around the San Francisco Bay Area -- that have either no
> or very limited (tunnels only) support for IPv6. That's the reality of
> the transition. And threatening these folks with the attorney general
> isn't the way to get them to adopt IPv6, nor is shaming them. They
> will add IPv6 support when it is easy to do, when their staff has the
> time, and when the economics make sense.
>
> Meanwhile we have app developers trying to use cloud platforms that
> don't support IPv6 well (or at all), writing code while sitting in
> offices that don't have IPv6 service due either to their ISP or their
> internal IT department... and so there's another reason ISPs need to
> keep concentrating on IPv4 as their first priority.
>
> And so, in the current actual Internet, not some hypothetical one, if
> you want your website to be seen, you get it an IPv4 address. And with
> IPv4 going for $6-$8 each and it being possible to support hundreds or
> thousands of websites on a single IPv4 address, there's really no excuse.
>
> Will this be different in the future? I sure hope so. But we're not
> there yet.
>
> Matthew Kaufman

--
Christian de Larrinaga FBCS, CITP - @ FirstHand - +44 7989 386778 - c...@firsthand.net
Re: Friday Fun: UK Government (Dept of Work Pensions) selling off an entire /8
unrouted addresses I expect

What with their CTO declaring no need for IPv6 last June, I do wonder if the Government is in the driving seat of its network policy. It'll be a-rolling in the aisles when HMG wakes up to find they've flogged their v4 and can't deploy v6 and are to be stuck behind a nice vendor's CGNAT policies for the duration. But they love silos.

Christian

Randy Carpenter wrote:
> Top Quality ? Are they aged longer in special barrels? Polished extra nicely?
>
> (Ouch, I think I injured my eyes from the rolling)
>
> thanks,
> -Randy
>
> - On Mar 13, 2015, at 2:46 PM, Alec Muffett alec.muff...@gmail.com wrote:
>
>> Perhaps I'm odd, but I find the novelty of this to be amusing:
>>
>> IPv4 Market Group Announces the Availability of a Significant Portfolio of
>> IPv4 Addresses for Purchase in the RIPE Region:
>>
>> IPv4 Market Group, a global leader in IPv4 sales, has just announced the
>> availability of up to 2.6 million top quality IPv4 addresses for purchase
>> in the RIPE region. The firm's Executive Vice President for Business
>> Development, Jeff Mehlenbacher, said that the IPv4 blocks are being offered
>> in multiples of /16, with up to 7 contiguous /16's and 40 /16's in total IPs.
>>
>> ...deletia...
>>
>> http://ipv4marketgroup.com/ipv4-addresses-ripe-region/
>>
>> It's related to this blogpost:
>> https://governmenttechnology.blog.gov.uk/2015/02/19/freeing-up-unused-ip-addresses/
>>
>> ...and I gather that perhaps - although it's currently being marketed as a
>> bunch of /16s - they might also entertain the possibility of selling it as
>> an entire /8 for a reasonable price.
>>
>> I'm wondering: have we passed the point of peak IPv4 scarcity? Is selling
>> an entire /8 still a viable proposition? Apparently UK Gov may have more
>> than one...
>>
>> - alec
>> --
>> http://dropsafe.crypticide.com/aboutalecm

--
Christian de Larrinaga FBCS, CITP, MCMA - @ FirstHand - +44 7989 386778 - c...@firsthand.net
Re: gTLDs opened up
hilarious! Now we know that open really means ... closed.

C

Alex Buie wrote:
> They apparently have different zones (ie, they run 5 different, separate roots), and you pay a different price depending on how many zones you want your TLD to be active in. (cf http://www.open-root.eu/our-rates/list-of-zones-and-pricing/)
>
> On Thu, Jul 11, 2013 at 1:26 PM, Michael Brown mich...@supermathie.net wrote:
>> On 13-07-11 04:08 PM, Alex Buie wrote:
>>> Am I missing something, or is that purporting to be an IPv4 address beginning with 478?
>>
>> Heh… it seems as though they mistyped '*78.47.115.194*' there.
>>
>>> 7 - How to distinguish between identical TLDs?
>>>
>>> Within the Icann framework, names such as: tube.com, tube.net, tube.org, etc. allow in principle to differentiate different domains under the same name. Within the open root framework, if there are several .tube, one will distinguish them according to the root being activated.
>>
>> Wait… so 'open root' isn't a single alternative root namespace? It's different depending on… near as I can tell which part of the planet you're in? Or is the product multiple independent roots… are you buying your own '.' tree or a 'tld.' tree?
>>
>> Clearly, this will work‽ Is this the future?
>>
>> Visit my site at http://fluttershy.turgid.wonka.^78.47.115.194/index.go;
>>
>> --
>> Michael Brown           | The true sysadmin does not adjust his behaviour
>> Systems Administrator   | to fit the machine. He adjusts the machine
>> mich...@supermathie.net | until it behaves properly. With a hammer,
>>                         | if necessary. - Brian
Re: Level3 IPv6 peering with HE only in London?
v6 traffic picking up through L3/HE?

/C

On 12 Apr 2012, at 16:35, Dave Sotnick wrote:
> Yep, looks much better now. This is what Level3 had to say:
>
> David,
>
> You should see this repaired at this time, looks like the peering between L3 and HE crashed in stateside when the ipv6 max prefix limits exceeded the router configurations. Please let us know if any further questions.
>
> Regards,
> Level 3 Communications
>
> Thanks all,
> -Dave
>
> On Wed, Apr 11, 2012 at 11:37 PM, Mike Leber mle...@he.net wrote:
>> Was fixed a short while ago, please retest.
>>
>> Mike.
>>
>> On 4/11/12 9:08 PM, Dave Sotnick wrote:
>>> Hello Nanog,
>>>
>>> Looks like Level3's only IPv6 route to HE is via London right now:
>>>
>>> Show Level 3 (Las Vegas, NV) Traceroute to www.he.net
>>>  1 vl-5.bar1.LasVegas1.Level3.net (2001:1900:2F::1) 0 msec 0 msec 0 msec
>>>  2 vl-11.bar2.LasVegas1.Level3.net (2001:1900:4:1::3C6) 0 msec 0 msec 0 msec
>>>  3 vl-4045.car1.Denver1.Level3.net (2001:1900:4:1::276) 84 msec 228 msec 224 msec
>>>  4 vl-4081.car2.Denver1.Level3.net (2001:1900:4:1::32) 20 msec 20 msec 20 msec
>>>  5 vl-4042.edge1.Chicago2.Level3.net (2001:1900:4:1::36) 44 msec 44 msec 44 msec
>>>  6 vl-4067.car1.Chicago1.Level3.net (2001:1900:4:1::1D) 48 msec 212 msec 224 msec
>>>  7 vl-4061.car2.NewYork2.Level3.net (2001:1900:4:1::22) 184 msec 216 msec 232 msec
>>>  8 vl-4080.car1.NewYork2.Level3.net (2001:1900:4:1::F1) 80 msec 80 msec 80 msec
>>>  9 vl-4041.car1.NewYork1.Level3.net (2001:1900:4:1::101) 80 msec 80 msec 80 msec
>>> 10 vl-4086.edge3.London1.Level3.net (2001:1900:6:1::11) 176 msec 144 msec 164 msec
>>> 11 vl-4081.edge3.London1.Level3.net (2001:1900:5:1::102) 136 msec 132 msec vl-4081.edge4.London1.Level3.net (2001:1900:5:1::106) 148 msec
>>> 12 2001:1900:5:3::11E 160 msec 156 msec 160 msec
>>> 13 10gigabitethernet7-4.core1.nyc4.he.net (2001:470:0:128::1) 344 msec 208 msec 200 msec
>>> 14 10gigabitethernet5-3.core1.lax1.he.net (2001:470:0:10E::1) 276 msec 260 msec 268 msec
>>> 15 10gigabitethernet7-4.core1.fmt2.he.net (2001:470:0:18D::1) 272 msec 272 msec 324 msec
>>> 16 10gigabitethernet2-1.core1.fmt1.he.net (2001:470:0:2D::1) 288 msec 272 msec 276 msec
>>> 17 * * *
>>> 18 * * *
>>>
>>> Confirmed by L3's looking glasses ( http://lg.level3.net/traceroute/traceroute.cgi?site=lvg1target=www.he.netipv6=true ) and my own corporate IPv6 connection from Level 3.
>>>
>>> I opened a ticket with Level 3. Anyone else seen this?
>>>
>>> -Dave
Re: shared address space... a reality!
;-)

So that is what very rough consensus looks like operationally!

IESG Note http://www.ietf.org/mail-archive/web/ietf-announce/current/msg09959.html

Christian

On 15 Mar 2012, at 06:59, Randy Bush wrote:
>> NetRange: 100.64.0.0 - 100.127.255.255
>> CIDR: 100.64.0.0/10
>
> Already updated my martians acl and deployed it internally... and i have configured two home LANs to use it
>
> randy
Re: do not filter your customers
not just the .au govt

C

On 23 Feb 2012, at 07:54, Jay Mitchell wrote:
> I'm laughing now, but it wasn't funny a couple of hours ago. Seems a lot of the .au govt needs to learn some carrier diversity...
>
> On 23/02/2012, at 4:41 PM, Randy Bush ra...@psg.com wrote:
>> don't filter your customers. when they leak the world to you, it will get you a lot of free press and your marketing department will love you. just ask telstra.
>>
>> randy
Re: Dear RIPE: Please don't encourage phishing
The DNS industry is putting us a long way from when RFC 2826 was written.

Christian

On 12 Feb 2012, at 01:31, John Levine wrote:
>> Nice. Basically, unless the TLD registrar has a public policy that basically says We don't allow names with cyrillic C to collide with MICROSOFT, their hostnames all get displayed as xn--gobbledygook.
>
> More or less. ICANN has been wrestling with the lookalike character issue in domain names for about a decade. I think it's fair to say that everyone agrees that all solutions are less than totally satisfactory.
>
> R's,
> John
Re: what if...?
You tell that to http://www.charset.org/punycode.php?encoded=xn--m_omaaamk.comdecode=Punycode+to+normal+text

Normal text FMQQSQQT.com to Punycode xn--m_omaaamk.com ?

On 20 Dec 2011, at 17:00, Jared Mauch wrote:
> On Dec 20, 2011, at 11:37 AM, Eduardo A. Suárez wrote:
>> Hi,
>>
>> what if evil guys hack my mom ISP DNS servers and use RPZ to redirect traffic from mom_bank.com to evil.com? How can she detect this?
>
> Thankfully mom_bank.com is not valid, as underscores aren't valid in dns names :)
>
> Additionally, SSL certificates combined with DNSSEC/DANE can provide some protection. Some of this technology may not be available today, but is worth tracking if you are interested in this topic.
>
> - Jared
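As an added illustration of the lookalike-character problem John Levine describes in the RIPE thread and the punycode (xn--) form Christian points at here (example code written for this page, not from the thread, any browser or any registrar): the check below decodes a hostname with Python's stdlib IDNA codec, flags labels that mix Latin and Cyrillic letters or that fold to a protected name, and shows those as their xn-- form instead of the decoded lookalike. The CONFUSABLES table and the PROTECTED set are constructed for the example.

```python
# Added example (not code from the thread): decide when an IDN hostname
# should be displayed as its xn-- form rather than as decoded Unicode.
import unicodedata

# Constructed table: Cyrillic letters that render like Latin ones.
CONFUSABLES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}
# Constructed sample of names whose lookalikes a registrar might refuse.
PROTECTED = {"microsoft", "cocoa"}


def to_ascii(name: str) -> str:
    """Unicode hostname -> punycode form (stdlib IDNA codec, applies nameprep)."""
    return name.encode("idna").decode("ascii")


def to_unicode(name: str) -> str:
    """Punycode hostname -> Unicode; labels without xn-- pass through unchanged."""
    return name.encode("ascii").decode("idna")


def scripts_of(label: str) -> set:
    """Scripts used by the letters of one label; digits and hyphens are ignored."""
    found = set()
    for ch in label:
        uname = unicodedata.name(ch, "")
        if uname.startswith("LATIN "):
            found.add("Latin")
        elif uname.startswith("CYRILLIC "):
            found.add("Cyrillic")
        elif uname.startswith(("DIGIT ", "HYPHEN")):
            continue  # common to every script
        else:
            found.add("Other")
    return found


def skeleton(label: str) -> str:
    """Fold confusable Cyrillic letters to the Latin letters they resemble."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def confusable_with(label: str):
    """Protected name this label imitates, or None if it is not a lookalike."""
    folded = skeleton(label)
    if folded != label and folded in PROTECTED:
        return folded
    return None


def display_form(name: str) -> str:
    """Return the decoded name when every label is single-script and not a
    lookalike; otherwise return the xn-- form, so the user sees
    'xn--gobbledygook' instead of a spoofed name."""
    decoded = to_unicode(name)
    for label in decoded.split("."):
        if len(scripts_of(label)) > 1 or confusable_with(label):
            return to_ascii(decoded)
    return decoded
```

A single-script Cyrillic label that folds to nothing protected is still shown decoded, which is the behaviour most browsers settle on; the tradeoff John describes is that every such rule leaves some lookalike through.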
Re: ARIN-2011-1: ARIN Inter-RIR Transfers - Last Call (expires in one week)
Lucky rich you to have such capacious v4 connectivity to be worrying about such downstream stuff. The rest of the world is staring at the abyss of zero connectivity unless it deploys v6. Solve that one.

Christian

On 11 Nov 2011, at 07:15, Brett Watson wrote:
> On Nov 10, 2011, at 6:56 AM, Leo Bicknell wrote:
>> The tide is coming. The tide is wet. The tide is full of IPv6 water. Get over it.
>
> Awesome, so you've solved the multi-homing issues with v6? The RA/DHCPv6 issues? (I'll just leave it at those three).
>
> -b
Re: OT: Social Networking, Privacy and Control
You know I don't need Facebook to introduce (broker) me to anyone! I am more than happy managing my own relationships (gradations of trust included!) Oh and my friends are distributed in the real world as well!

This works pretty well even without a social network or a system. When the Diginotar certification authority was badly compromised I got a bunch of information from many sources using those protocols which span the standards sphere of the Internet, each bringing information that I value at varying levels of trust and applicability. Between and in combination of all this input I was able to take action and remove Diginotar from my keychain. I could have waited for Apple to stir its stumps but didn't need to.

All those independent distributed trust brokers did a fine job! thanks folks!

Christian

On 4 Oct 2011, at 16:38, Jay Ashworth wrote:
> As usual, the underlying issue is one of trust. Alas, I see no theoretical way that distributed systems like Diaspora *can* provide some of the functions that are core to systems like Facebook, *exactly by virtue* (vice?) of the fact that they are distributed; there is no central Trust Broker.
Re: CGN and CDN (was Re: what about the users re: NAT444 or ?)
I can predict the response from the teen dens of the world! What does CGN mean .. Can't Get Nothing!

Christian

On 9 Sep 2011, at 17:06, Alexander Harrowell wrote:
> On Friday 09 Sep 2011 16:25:35 valdis.kletni...@vt.edu wrote:
>> On Fri, 09 Sep 2011 11:09:38 EDT, Jean-francois.tremblay...@videotron.com said:
>>> A very interesting point. In order to save precious CGN resources, it would not be surprising to see some ISPs asking CDNs to provide a private/non-routed behind-CGN leg for local CDN nodes.
>
> The actual problem here is that everyone assumes it'll be donkey's years before every last web server in the world is on IPv6. If you're a CDN, though, you can solve this problem for your own network right now by deploying IPv6! Akamai says that you need 650 AS to cover 90% of Internet traffic. I propose that effort getting content networks to go dual stack is better used than effort used to work around NAT444. Further, if making your hosting network IPv6 is hard, the answer is surely to give the job to a CDN operator with v6 clue.
>
> I actually rather think CDNs are an important way of getting content onto the IPv6 Internet. In my view CDNing (and its sister, application acceleration) is so important to delivering the heavy video and complex web apps that dominate the modern Internet that this should be a killer.
>
>> Still, breaking the BBC, Hulu, Level(3), Akamai, Limelight, and Google's video services will probably reduce your transit and backhaul bills significantly. Can't say it'll help with customer retention.
>>
>>> For this to work, the CGN users would probably have a different set of DNS servers (arguably also with a private/non-routed leg) or some other way to differentiate these CGN clients. Lots of fun in the future debugging that.
>>
>> Especially once you have 10 or 15 CDNs doing this, all of which have different rules of engagement. Akamai requires us to do X, Hulu wants Y, Foobar wants Y and specifically NOT-X...
>
> ;) And then Cogent will get into another peering spat and :)
>
> --
> The only thing worse than e-mail disclaimers...is people who send e-mail to lists complaining about them
Re: what about the users re: NAT444 or ?
exactly. don't plan to deploy what breaks things for the user edge.

there are two issues here

1/ what ISPs do that might break things at the edge
2/ what edge stuff is doing that will break things at the other end edge of a connection

It seems a bit odd that ISPs would actively plot to do 1/ whilst they could be making hard cash helping people at the edge avoid 2/

Odd because it adds a 3/ element which is stuff at the edge which will break stuff in the network.

Do (some) operators see more money in a 1/2/3/ world?

Christian

On 8 Sep 2011, at 17:52, Dan Wing wrote:
>> Is there not a bit of CPE needed here? What should the CPE do? and not do? should it deprecate NAT/PAT when it receives 1918 allocation from a CGN?
>
> Careful with that idea -- people like their in-home network to continue functioning even when their ISP is down or having an outage.
what about the users re: NAT444 or ?
I wonder if the discussion as useful as it is isn't forgetting that the edge of Internet has a stake in getting this right too! This is not just an ISP problem but one where content providers and services, that is the users, need to get from here to there in good order.

So

What can users do to encourage ISPs to deploy v6 to them?

What can users do to ease the pain in reaching IPv4 only sites once they are on IPv6 tails?

Is there not a bit of CPE needed here? What should the CPE do? and not do? should it deprecate NAT/PAT when it receives 1918 allocation from a CGN?

and less technically but relevant I think is to ask about cost? who pays?

Christian

On 8 Sep 2011, at 15:02, Cameron Byrne wrote:
> On Sep 8, 2011 1:47 AM, Leigh Porter leigh.por...@ukbroadband.com wrote:
>> -Original Message-
>> From: Owen DeLong [mailto:o...@delong.com]
>> Sent: 08 September 2011 01:22
>> To: Leigh Porter
>> Cc: Seth Mos; NANOG
>> Subject: Re: NAT444 or ?
>>
>>>> Considering that offices, schools etc regularly have far more than 10 users per IP, I think this limit is a little low. I've happily had around 300 per public IP address on a large WiFi network, granted these are all different kinds of users, it is just something that operational experience will have to demonstrate.
>>>
>>> Yes, but, you are counting individual users whereas at the NAT444 level, what's really being counted is end-customer sites not individual users, so the term users is a bit misleading in the context. A given end-customer site may be from 1 to 50 or more individual users.
>>
>> Indeed, my users are using LTE dongles mostly so I expect they will be single users. At the moment on the WiMAX network I see around 35 sessions from a WiMAX modem on average rising to about 50 at peak times. These are a combination of individual users and home modems. We had some older modems that had integrated NAT that was broken and locked up the modem at 200 sessions. Then some old base station software died at about 10K sessions. So we monitor these things now..
>>
>> I would love to avoid NAT444, I do not see a viable way around it at the moment. Unless the Department of Work and Pensions release their /8 that is ;-)
>>
>>> The best mitigation really is to get IPv6 deployed as rapidly and widely as possible. The more stuff can go native IPv6, the less depends on fragile NAT444.
>>
>> Absolutely. Even things like google maps, if that can be dumped on v6, it'll save a load of sessions from people. The sooner services such as Microsoft Update turn on v6 the better as well. I would also like the CDNs to be able to deliver content in v6 (even if the main page is v4) which again will reduce the traffic that has to traverse any NAT.
>>
>> Soon, I think content providers (and providers of other services on the 'net) will roll v6 because of the performance increase as v6 will not have to traverse all this NAT and be subject to session limits, timeouts and such.
>
> What do you mean by performance increase? If performance equals latency, v4 will win for a long while still. Cgn does not add measurable latency.
>
> Cb
>
>> --
>> Leigh
Re: IPv6 version of www.qwest.com/www.centurylink.com has been down for 10 days
via gogo6 tunnel box (http://gogo6.com/) from my UK location (not tested other tunnels nor native)

$ telnet -6 www.savvis.com 80
Trying 2001:460:100:1000::37...
Connected to www.savvis.net.

$ ping6 www.savvis.com
PING6(56=40+8+8 bytes) 2001:5c0:1110:8000:217:f2ff:fee6:ab79 -- 2001:460:100:1000::37
16 bytes from 2001:460xx, icmp_seq=0 hlim=243 time=149.971 ms

Christian

On 6 Sep 2011, at 06:25, Mikael Abrahamsson wrote:
> On Mon, 5 Sep 2011, Jima wrote:
>> I'm with Frank on this one: ICMP yes, HTTP/HTTPS no, via native IPv6 (multiple locations). No, wait -- it shows as open from a couple tunnels (both HE SixXS). So it's not consistent. Lovely.
>
> $ telnet -6 www.savvis.com 80
> Trying 2001:460:100:1000::37...
> telnet: Unable to connect to remote host: Connection refused
>
> I checked, it's a TCP RST packet, not ICMP unreachable. This is from native IPv6.
>
> --
> Mikael Abrahamsson    email: swm...@swm.pp.se
Re: IPv4 Address Exhaustion Effects on the Earth
The audio I found at http://ietf80streaming.dnsalias.net/ietf80/ietf80-ch4-wed-am.mp3

Christian

On 3 Apr 2011, at 20:53, Jim Gettys wrote:
> On 04/01/2011 11:44 AM, George Bonser wrote:
>>> From: Joao C. Mendes Ogawa
>>> Sent: Thursday, March 31, 2011 6:14 PM
>>> Subject: Fwd: IPv4 Address Exhaustion Effects on the Earth
>>>
>>> FYI
>>>
>>> --Jonny Ogawa
>>>
>>> - Forwarded message from Stephen H. Inden -
>>
>> Dang, I was hoping to see an RFC on Bufferbloat in Avian Carriers and how tail-drop is a messy solution that is to be avoided. Sigh... A major opportunity missed.
>
> Unfortunately the bufferbloat problem isn't a laughing matter, though I do wish I had thought of this idea in time for my talk. I will include this joke as some levity about the mess we're in as I repeat the talk going forward, and would tie in very nicely with one of the amusing reasons that RED in a different light has never been published. I really hate giving such bad news without some levity as it can be a real downer both for me and the audience.
>
> For those of you who missed my IETF talk, you can find the latest version (tweaked since IETF) at: http://mirrors.bufferbloat.net/Talks/PragueIETF/
>
> I suspect audio is some place on the net as well; I presented at the transport area meeting. The questions after my talk are also very worth listening to. Time was precious in that venue, so I did feel rushed and hope to get a better opportunity in a month or two for that.
>
> It's a shorter version of my first talk given at Murray Hill http://mirrors.bufferbloat.net/Talks/BellLabs01192011/ which does have additional information impossible to fit in that short a time slot.
>
> - Jim
Re: IPv6 mistakes, was: Re: Looking for an IPv6 naysayer...
Now that is what Baldrick* would call a cunning plan! And interesting examples.

Christian

*Apologies to Tony Robinson and Blackadder

On 12 Mar 2011, at 18:52, Tom Limoncelli wrote:
> On Fri, Feb 11, 2011 at 8:29 PM, Tom Limoncelli t...@whatexit.org wrote:
>> On Fri, Feb 11, 2011 at 2:56 PM, Owen DeLong o...@delong.com wrote:
>>> I think you'll be in for a surprise here, too. The 4G transition is already underway. For the vendors where 4G means LTE, IPv6 is the native protocol and IPv4 requires a certain amount of hackery to operate.
>>
>> I'm writing an article where I want to say that but I can't find an article I can reference to back it up. I don't want to accidentally encourage an urban legend or rumor. (For example, I can't find verification to the rumor that ARIN rejected a request from LTE providers for IPv4 space and instead told them to go straight to IPv6. I do see others in this thread saying that native IPv4 on LTE is common, so unless someone can give me evidence, I'll have to update that part of the article. OMG i'd love to make that point; anyone have proof?).
>>
>> I could, instead, write, "most carriers will probably roll IPv6 out as part of their 4G upgrade" but that sounds wishy-washy.
>>
>> Thanks in advance,
>> Tom
>>
>> --
>> http://EverythingSysadmin.com -- my blog (new posts Mon and Wed)
>> http://www.TomOnTime.com -- my advice (more videos coming soon)
>
> The article I mentioned I was writing has been published and is now available on-line here: http://queue.acm.org/detail.cfm?id=1959015
>
> Thanks for all the assistance both on this mailing list and the private email I received!
>
> Tom Limoncelli
> http://www.EverythingSysadmin.com
Re: IPv6? Why, you are the first one to ask for it!
Do please let me know which major global network provider this is. Off-list if you prefer.

Christian

On 1 Mar 2011, at 18:39, George Bonser wrote:
> Fairly major global network provider likes to call themselves a Tier 1. Asking about native IPv6 in one of their colo facilities in the UK. They say their US facilities won't be v6 capable until Q4 2011. The UK rep acted like it was the first he'd ever heard of it and implied we were the very first to ask for it.
>
> Note to providers: That might have worked a couple of years ago but when we hear that today, we know it is false. Please be honest in your responses to that question. If you aren't going to deploy it for another year or two, just say so. The notion that we are the very first ones to ever ask for it from a global provider in a major country is just lame.
>
> George
Re: SmartNet Alternatives
Can anybody point to dependable analysis of the performance credentials on green (CO2/carbon neutral, recycling, etc) and financial cost recovery of the Internet vendors such as Juniper and Cisco et al? The story emerging here is not looking very encouraging.

Christian

On 13 Feb 2011, at 21:54, Randy Carpenter wrote:
>> How does Juniper feel about used hardware?
>>
>> ~Seth
>
> I love Juniper's hardware and software, and support. However, the way they deal with used or second hand hardware is terrible. It is not possible to transfer ownership at all. You can not resell anything, and hope to get any software updates or support.
>
> The challenge is that Cisco refurb with SmartNet is generally considerably cheaper than new Juniper. It makes it tough to sell Juniper in many situations.
>
> We have the same problem with NetApp.
>
> It seems that these companies would rather see their equipment end up in a landfill, and have the secondary market turn to a different vendor, rather than being responsible, and making it possible for equipment to be reused instead of trashed. It really annoys me.
>
> Disclaimer: I am a Juniper and NetApp partner/reseller, and love their stuff. I just hate their policies.
>
> -Randy