Re: DoD IP Space

2021-04-27 Thread Randy Bush
>> what i hope is that they publish the results of their experiment.  a
>> bit more depth in discussion in ripe community.
> 
> https://bgp.he.net/AS8003#_prefixes

those are not results of an experiment. those are some visible artifacts
of (possibly part of) an experimental setup.

what i meant was the *results* of their measurements and the insights
gained.

< snark >

( and when i wanted to know what prefixes were being announced, i looked
  at my own router(s).  neither cisco, juniper, nor arcos seemed to have
  the equivalent of
  `show ip bgp regexp _8003$ insight`
  though i have been asking for years
  :)

randy

---
ra...@psg.com
`gpg --locate-external-keys --auto-key-locate wkd ra...@psg.com`
signatures are back, thanks to dmarc header butchery


Re: DoD IP Space

2021-04-27 Thread Randy Bush
>> anyone seeing roas in 11/8?  i am not.
> am not either, I would be curious to know if the RPKI discussion came up
> for the prefixes in the run up to turning up this new service.

what i hope is that they publish the results of their experiment.  a bit
more depth in discussion in ripe community.

---

From: Randy Bush 
Subject: Re: [anti-abuse-wg] AS8003 and U.S. Department of Defense routing
To: Brian Nisbet 
Cc: Anti Abuse WG 
Date: Tue, 27 Apr 2021 08:22:16 -0700

interesting wg to do routing security analysis.

as i do really not know the dod's or their proxy's motive(s), i can not
say much about their tactics let alone strategy.

i do know, and have actually seen and experienced, part of 11/8 being
used as if it was 1918 space; ripe bologna was the first time.  and the
food in that town was fantastic!

a /8 telescope would pick up leakage patterns as well as the current
shotgun blast of announcements (i presume folk have looked at the actual
announcements).  i would naïvely think that the /8 might be slightly
more easily analyzed than the pieces.

maybe, as the telescope analysis shows focused leaks, they are trying to
disrupt those focused uses with these focused announcements.

but, if an op is using 11.12.666.0/23 internally, would they be careless
enough to accept an exogenous announcement of that space?  i guess i
should not underestimate carelessness.

is some random (small, i hope) isp using my address space internally as
1918 equivalent abusive, beyond their customers maybe not being able to
reach my network?  if so, maybe the vigilantes are looking in the wrong
direction.

randy

---
ra...@psg.com
`gpg --locate-external-keys --auto-key-locate wkd ra...@psg.com`
signatures are back, thanks to dmarc header butchery



Re: DoD IP Space

2021-04-27 Thread Christopher Morrow
On Mon, Apr 26, 2021 at 10:18 PM Randy Bush  wrote:

> anyone seeing roas in 11/8?  i am not.
>
>
am not either, I would be curious to know if the RPKI discussion came up
for the prefixes in the run up to turning up this new service.
I'd also love to know if they are planning to publish ROA :) it'd be handy
in telling the rest of the world: "Hey, the owners of the space
authorize ASNFOO/BAR/BAZ that the announcement(s) you see are ok by them"

it might also have closed down some of the initial 'WUT?' conversation
about these prefixes.
-chris
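
What a published ROA would let other networks check, as an added example that is not part of any post in this thread: RFC 6811 route origin validation in Python. The ROA for 11.0.0.0/8 with AS8003 and its maxLength are constructed for illustration (the thread reports none published), the announced prefixes are sample values, and AS64500 is a documentation ASN.

```python
"""RFC 6811 route origin validation against a set of ROA payloads."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # prefix the address holder signed
    max_length: int  # longest announcement the holder authorizes
    asn: int         # origin AS the holder authorizes (AS 0 authorizes nobody)


def validate(route: str, origin_asn: int, roas) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one BGP announcement."""
    net = ipaddress.ip_network(route)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA "covers" the route when the route lies inside the ROA prefix.
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        # It "matches" when the origin AS agrees and the route is not more
        # specific than maxLength allows. AS 0 never matches any origin.
        if roa.asn != 0 and roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    # Covered by at least one ROA but matched by none: invalid.
    # Covered by no ROA at all: nothing can be said either way.
    return "invalid" if covered else "not-found"


def classify(announcements, roas):
    """Validate a list of (prefix, origin_asn) pairs."""
    return {(p, a): validate(p, a, roas) for p, a in announcements}


# Constructed sample announcements (not taken from a real routing table).
ANNOUNCEMENTS = [
    ("11.0.0.0/8", 8003),
    ("11.0.0.0/13", 8003),
    ("11.0.0.0/24", 8003),   # more specific than the constructed maxLength
    ("11.0.0.0/13", 64500),  # same prefix, different (documentation) origin
]

# The situation described in the thread: no ROAs seen in 11/8.
NO_ROAS = []

# Hypothetical ROA, constructed for this example only.
CONSTRUCTED_ROAS = [ROA(prefix="11.0.0.0/8", max_length=16, asn=8003)]


if __name__ == "__main__":
    for label, roas in (("no ROAs", NO_ROAS), ("constructed ROA", CONSTRUCTED_ROAS)):
        print(label)
        for (prefix, asn), state in classify(ANNOUNCEMENTS, roas).items():
            print(f"  {prefix:<16} AS{asn:<6} {state}")
```

With no ROA every announcement is "not-found", so a validating router cannot tell an authorized origin from any other; with a ROA in place the same announcements split into valid and invalid.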


Re: DoD IP Space

2021-04-26 Thread Randy Bush
anyone seeing roas in 11/8?  i am not.

randy

---
ra...@psg.com
`gpg --locate-external-keys --auto-key-locate wkd ra...@psg.com`
signatures are back, thanks to dmarc header butchery


Re: DoD IP Space

2021-04-26 Thread Michael Thomas



On 4/24/21 3:45 PM, William Herrin wrote:
> On Sat, Apr 24, 2021 at 8:26 AM Mel Beckman  wrote:
>> This doesn’t sound good, no matter how you slice it. The lack of
>> transparency with a civilian resource is troubling at a minimum.
>
> You do understand that the addresses in question are not and have
> never been "civilian." They came into DoD's possession when this was
> all still a military project funded by what's now DARPA.
>
> Personally, I think we may have an all time record for the largest
> honeypot ever constructed. I'd love to be a fly on that wall.

Is this to say that the prefixes are now being announced? Sorry for this
dumb question, but how would this honeypot work?


Mike



Re: DoD IP Space

2021-04-26 Thread Mel Beckman
Carlos,

It’s true even though the Internet is comprised of more than American providers 
and customers. A subsidy is a subsidy. It doesn’t have to go to everyone to “be 
true”. :)

 -mel

> On Apr 26, 2021, at 12:44 PM, Carlos M. Martinez  
> wrote:
> 
> That would be true if “the Internet” was still fully comprised of American 
> providers and customers. That hasn’t been the case for a long, long time.
> 
> On 26 Apr 2021, at 16:27, Mel Beckman wrote:
> 
>> Owen,
>> 
>> Well, no. The Internet — meaning the ISPs and customers that comprise it — 
>> get substantial subsidies to this day. But that’s no call for the government 
>> to be obtuse with the purposes of its IP space.
>> 
>> https://www.nasdaq.com/articles/more-than-300-companies-participate-in-internet-subsidy-program-u.s.-agency-2021-04-01
>> 
>> -mel
>> 
>> 
>>> On Apr 26, 2021, at 11:05 AM, Owen DeLong  wrote:
>>> 
>>> 
>>> 
>>>> On Apr 24, 2021, at 16:34 , Jason Biel  wrote:
>>>>
>>>> The internet that is subsidized by that same Government….
>>> 
>>> Uh, s/is/was/
>>> 
>>> There’s really no subsidy any more.
>>> 
>>> Owen
>>> 



RE: DoD IP Space

2021-04-26 Thread Jean St-Laurent via NANOG
I’d be interested in an objective recap of this thread.

It seems like we could do a Netflix series for networkers about it.

Would anyone like to give it a try and summarize the story from the 80’s
till today and explain what is at stake here?

Thanks
Jean

 

From: NANOG  On Behalf Of Tom Beecher
Sent: April 26, 2021 9:32 AM
To: Mel Beckman 
Cc: nanog@nanog.org
Subject: Re: DoD IP Space

 

> As long as that IP space was isolated to the .mil network, it was private
> space, as far as the Internet was concerned.

The DoD allocation of 11/8 predates the concept of 'private network space'.

11/8 was first assigned to the DoD in RFC 943 in April of 1985. The concept of
IPv4 space for private networks was first defined in RFC 1597, March 1994.
(Which eventually would become RFC1918. )

The fact that certain parties decided on their own that space not present in
the global routing table was 'fair game' or 'private' doesn't make them
correct, it simply makes them ill informed.

On Sat, Apr 24, 2021 at 7:18 PM Mel Beckman <m...@beckman.org> wrote:

Bill,

It’s the INTERNET that is civilian, not the IP space. As long as that IP space 
was isolated to the .mil network, it was private space, as far as the Internet 
was concerned. Now DoD has moved it into the civilian Internet, and I treat 
them as potentially malicious as I do any other organization that lies, cheats, 
and steals the public trust.

 -mel

> On Apr 24, 2021, at 3:45 PM, William Herrin <b...@herrin.us> wrote:
>
> On Sat, Apr 24, 2021 at 8:26 AM Mel Beckman <m...@beckman.org> wrote:
>> This doesn’t sound good, no matter how you slice it. The lack of
>> transparency with a civilian resource is troubling at a minimum.
> 
> You do understand that the addresses in question are not and have
> never been "civilian." They came into DoD's possession when this was
> all still a military project funded by what's now DARPA.
> 
> Personally, I think we may have an all time record for the largest
> honeypot ever constructed. I'd love to be a fly on that wall.
> 
> Regards,
> Bill Herrin
> 
> 
> 
> -- 
> William Herrin
> b...@herrin.us
> https://bill.herrin.us/



Re: DoD IP Space

2021-04-26 Thread Carlos M. Martinez
That would be true if “the Internet” was still fully comprised of 
American providers and customers. That hasn’t been the case for a 
long, long time.


On 26 Apr 2021, at 16:27, Mel Beckman wrote:

> Owen,
>
> Well, no. The Internet — meaning the ISPs and customers that
> comprise it — get substantial subsidies to this day. But that’s no
> call for the government to be obtuse with the purposes of its IP
> space.
>
> https://www.nasdaq.com/articles/more-than-300-companies-participate-in-internet-subsidy-program-u.s.-agency-2021-04-01
>
>  -mel
>
>> On Apr 26, 2021, at 11:05 AM, Owen DeLong  wrote:
>>
>>> On Apr 24, 2021, at 16:34 , Jason Biel  wrote:
>>>
>>> The internet that is subsidized by that same Government….
>>
>> Uh, s/is/was/
>>
>> There’s really no subsidy any more.
>>
>> Owen



Re: DoD IP Space

2021-04-26 Thread Mel Beckman
Owen,

Well, no. The Internet — meaning the ISPs and customers that comprise it — get 
substantial subsidies to this day. But that’s no call for the government to be 
obtuse with the purposes of its IP space.

https://www.nasdaq.com/articles/more-than-300-companies-participate-in-internet-subsidy-program-u.s.-agency-2021-04-01

 -mel


> On Apr 26, 2021, at 11:05 AM, Owen DeLong  wrote:
> 
> 
> 
>> On Apr 24, 2021, at 16:34 , Jason Biel  wrote:
>> 
>> The internet that is subsidized by that same Government….
> 
> Uh, s/is/was/
> 
> There’s really no subsidy any more.
> 
> Owen
> 



Re: DoD IP Space

2021-04-26 Thread Owen DeLong via NANOG



> On Apr 24, 2021, at 16:34 , Jason Biel  wrote:
> 
> The internet that is subsidized by that same Government….

Uh, s/is/was/

There’s really no subsidy any more.

Owen



Re: DoD IP Space

2021-04-26 Thread John Curran
On 26 Apr 2021, at 9:59 AM, Ca By  wrote:
> 
> ...
> The fact that certain parties decided on their own that space not present in 
> the global routing table was 'fair game' or 'private' doesn't make them 
> correct, it simply makes them ill informed. 
> 
> My reading of this thread is that the space is now permanently bogon’d for 
> some honeypot. so yeah, it is fair game. Enjoy the public goods all ! 

 

While each network operator is free to make their own decisions on how they 
configure their routers, I’d personally suggest that folks think twice before 
considering another party's IP address blocks to be available for private use.  
Just as no one expected to ever see many of these networks be publicly 
announced, it would not surprise me in the least to see production applications 
on these blocks at some point in the near future…   

/John



Re: DoD IP Space

2021-04-26 Thread Ca By
On Mon, Apr 26, 2021 at 6:36 AM Tom Beecher  wrote:

> As long as that IP space was isolated to the .mil network, it was private
>> space, as far as the Internet was concerned.
>>
>
> The DoD allocation of 11/8 predates the concept of 'private network space'.
>
> 11/8 was first assigned to the DoD in RFC 943 in April of 1985. The
> concept of IPv4 space for private networks was first defined in RFC 1597,
> March 1994. (Which eventually would become RFC1918. )
>
> The fact that certain parties decided on their own that space not present
> in the global routing table was 'fair game' or 'private' doesn't make them
> correct, it simply makes them ill informed.
>

My reading of this thread is that the space is now permanently bogon’d for
some honeypot. so yeah, it is fair game. Enjoy the public goods all !


> On Sat, Apr 24, 2021 at 7:18 PM Mel Beckman  wrote:
>
>> Bill,
>>
>> It’s the INTERNET that is civilian, not the IP space. As long as that IP
>> space was isolated to the .mil network, it was private space, as far as the
>> Internet was concerned. Now DoD has moved it into the civilian Internet,
>> and I treat them as potentially malicious as I do any other organization
>> that lies, cheats, and steals the public trust.
>>
>>  -mel
>>
>> > On Apr 24, 2021, at 3:45 PM, William Herrin  wrote:
>> >
>> > On Sat, Apr 24, 2021 at 8:26 AM Mel Beckman  wrote:
>> >> This doesn’t sound good, no matter how you slice it. The lack of
>> >> transparency with a civilian resource is troubling at a minimum.
>> >
>> > You do understand that the addresses in question are not and have
>> > never been "civilian." They came into DoD's possession when this was
>> > all still a military project funded by what's now DARPA.
>> >
>> > Personally, I think we may have an all time record for the largest
>> > honeypot ever constructed. I'd love to be a fly on that wall.
>> >
>> > Regards,
>> > Bill Herrin
>> >
>> >
>> >
>> > --
>> > William Herrin
>> > b...@herrin.us
>> > https://bill.herrin.us/
>>
>>


Re: DoD IP Space

2021-04-26 Thread Tom Beecher
>
> Wish i was in the room when they turned it on. I hope they make a tiktok
> of the expressions of everyone looking at the first data. [ joke ]
>

That would have been fascinating to see. (The technical bits, maybe not so
much the Tik Tok.)

Some chat threads with industry friends over the years in the last few
months on this topic have been frustrating but enlightening. Many
conversations about 'someone hijacking space' which eventually lead to
finding out they were using this DoD space in ways that the presence of
these announcements in the DFZ breaks things. I'm running out of "just
because you can doesn't mean you should" memes to reply with.

On Sun, Apr 25, 2021 at 12:21 PM Martin Hannigan  wrote:

>
> On Sat, Apr 24, 2021 at 11:27 AM Mel Beckman  wrote:
>
>> This doesn’t sound good, no matter how you slice it. The lack of
>> transparency with a civilian resource is troubling at a minimum. I’m going
>> to bogon this space as a defensive measure, until its real — and detailed —
>> purpose can be known. The secret places of our government have proven
>> themselves untrustworthy in the protection of citizens’ data and networks.
>> They tend to think they know “what’s good for” us.
>>
>>  -mel
>>
>>
>
> If you apply that ideology to 0/0 you're not going to have much of an
> Internet beyond cat pics.
>
> Wish i was in the room when they turned it on. I hope they make a tiktok
> of the expressions of everyone looking at the first data. [ joke ]
>
> Warm regards,
>
> -M<
>
>
>> On Apr 24, 2021, at 8:05 AM, John Curran  wrote:
>>
>> 
>> As noted -
>> https://www.washingtonpost.com/technology/2021/04/24/pentagon-internet-address-mystery/#click=https://t.co/mVh26yBq9G
>>
>> FYI,
>> /John
>>
>> John Curran
>> President and CEO
>> American Registry for Internet Numbers
>>
>> On Jan 20, 2021, at 8:35 AM, John Curran  wrote:
>>
>> 
>> Tom –
>>
>> Most definitely: lack of routing history is not at all a reliable
>> indicator of the potential for valid routing of a given IPv4 block in the
>> future, so best practice suggests that allocated address space should not be
>> blocked by others without specific cause.
>>
>> Doing otherwise opens one up to unexpected surprises when issued space
>> suddenly becomes more active in routing and yet is inexplicably
>> unreachable for some destinations.
>>
>> /John
>>
>> On Nov 5, 2019, at 10:38 AM, Tom Beecher  wrote:
>>
>>
>> Using the generally accepted definition of a bogon ( RFC 1918 / 5735 /
>> 6598 + netblock not allocated by an RiR ), 22/8 is not a bogon and
>> shouldn't be treated as one.
>>
>> The DoD does not announce it to the DFZ, as is their choice, but nothing
>> says they may not change that position tomorrow. There are plenty of
>> subnets out there that are properly allocated by an RiR, but the assignees
>> do not send them to the DFZ because of $reasons.
>>
>> In my opinion, creating bogon lists that include allocated but not
>> advertised prefixes is poor practice that is likely to end up biting an
>> operator at one point or another.
>>
>> On Tue, Nov 5, 2019 at 9:45 AM Töma Gavrichenkov 
>> wrote:
>>
>>> Peace,
>>>
>>> On Tue, Nov 5, 2019, 4:55 PM David Conrad  wrote:
>>> > On Nov 4, 2019, at 10:56 PM, Grant Taylor via NANOG 
>>> wrote:
>>> >> This thread got me to wondering, is there any
>>> >> legitimate reason to see 22/8 on the public
>>> >> Internet?  Or would it be okay to treat 22/8
>>> >> like a Bogon and drop it at the network edge?
>>> >
>>> > Given the transfer market for IPv4 addresses,
>>> > the spot price for IPv4 addresses, and the need
>>> > of even governments to find “free” (as in
>>> > unconstrained) money, I’d think treating any
>>> > legacy /8 as a bogon would not be prudent.
>>>
>>> It has been said before in this thread that the DoD actively uses this
>>> network internally.  I believe if the DoD were to cut costs, they
>>> would be able to do it much more effectively in many other areas, and
>>> their IPv4 networks would be about the last thing they would think of
>>> (along with switching off ACs Bernard Ebbers-style).  With that in
>>> mind, treating the DoD networks as bogons now makes total sense to me.
>>>
>>> --
>>> Töma
>>>
>>


Re: DoD IP Space

2021-04-26 Thread Tom Beecher
>
> As long as that IP space was isolated to the .mil network, it was private
> space, as far as the Internet was concerned.
>

The DoD allocation of 11/8 predates the concept of 'private network space'.

11/8 was first assigned to the DoD in RFC 943 in April of 1985. The concept
of IPv4 space for private networks was first defined in RFC 1597, March
1994. (Which eventually would become RFC1918. )

The fact that certain parties decided on their own that space not present
in the global routing table was 'fair game' or 'private' doesn't make them
correct, it simply makes them ill informed.

On Sat, Apr 24, 2021 at 7:18 PM Mel Beckman  wrote:

> Bill,
>
> It’s the INTERNET that is civilian, not the IP space. As long as that IP
> space was isolated to the .mil network, it was private space, as far as the
> Internet was concerned. Now DoD has moved it into the civilian Internet,
> and I treat them as potentially malicious as I do any other organization
> that lies, cheats, and steals the public trust.
>
>  -mel
>
> > On Apr 24, 2021, at 3:45 PM, William Herrin  wrote:
> >
> > On Sat, Apr 24, 2021 at 8:26 AM Mel Beckman  wrote:
> >> This doesn’t sound good, no matter how you slice it. The lack of
> >> transparency with a civilian resource is troubling at a minimum.
> >
> > You do understand that the addresses in question are not and have
> > never been "civilian." They came into DoD's possession when this was
> > all still a military project funded by what's now DARPA.
> >
> > Personally, I think we may have an all time record for the largest
> > honeypot ever constructed. I'd love to be a fly on that wall.
> >
> > Regards,
> > Bill Herrin
> >
> >
> >
> > --
> > William Herrin
> > b...@herrin.us
> > https://bill.herrin.us/
>
>


Re: DoD IP Space

2021-04-26 Thread Stephane Bortzmeyer
On Sun, Apr 25, 2021 at 08:29:51AM -0400,
 Jean St-Laurent via NANOG  wrote 
 a message of 38 lines which said:

> Let's see what will slowly appear in shodan.io and shadowserver.org

My favorite (but remember it can be a gigantic honeypot) is the
Ubiquiti router with the name
"HACKED-ROUTER-HELP-SOS-HAD-DUPE-PASSWORD" :-)





Re: DoD IP Space

2021-04-25 Thread John Curran
On 25 Apr 2021, at 4:59 PM, Sabri Berisha <sa...@cluecentral.net> wrote:

> - On Apr 25, 2021, at 2:24 AM, Bill Woodcock wo...@pch.net wrote:
>
> Hi,
>
>> I think I’d characterize it, rather, as a possible privatization of public
>> property.
>
> This comment sparked my curiosity. Does ARIN consider IP space to be property?
>
> One could argue both ways:
>
> 1. Whomever "owns" a netblock simply owns the right to use and advertise it as
> long as it's being used for the purposes under which it was assigned by a number
> registry. This would be similar to "apartment rights" in a condominium complex.
>
> OR;
>
> 2. IP space comes with property rights such as selling and leasing as one
> wishes. But, that would also imply that IP space can be stolen.
>
> I'd be curious to hear what ARIN's position is on this.

Sabri -

ARIN’s position can be clearly found in section 2 of the Registration Services 
Agreement  -

– When parties are issued IP address blocks, they are given a limited bundle of 
contractual rights to an entry in the registry database.
– These rights include the exclusive right to be associated with a specific 
entry, the exclusive right to administer that entry in the ARIN registry 
database, and exclusive right of transfer this bundle of rights in accordance 
with adopted policy.

Two things:  a) None of this pertains to a right to announce or route an IP 
address block – ISPs each control their own routing and often care about who 
holds rights to a block in the registry, but that does not equate to issuing a 
“right to route.”   b) You’ll probably want to discuss with legal counsel for 
more specifics of the nuances between contractual rights versus property 
rights, particularly when it comes to intangible rights, enforceability against 
specific parties versus the world, etc.

Thanks!
/John

John Curran
President and CEO
American Registry for Internet Numbers





Re: DoD IP Space

2021-04-25 Thread j k
In the positive side of things, guess we will see IPv6 usage.

Joe Klein

On Sun, Apr 25, 2021, 6:11 PM John Curran  wrote:

> Sronan -
>
> I made no claims other than pointing out that IP address blocks in the
> ARIN registry are subject to ARIN policies.
>
> ARIN was formed specifically so that the Internet community could engage
> in self-regulation for IP number resources; to wit: "Creation of ARIN will
> give the users of IP numbers (mostly Internet service providers,
> corporations and other large institutions) a voice in the policies by which
> they are managed and allocated within the North American region” [1] – thus
> ARIN's policies for management of the registry apply to all resources in
> the registry because that was inherent to the purpose to which ARIN was
> formed.
>
> This includes having ARIN "assume full responsibility for Internet
> Protocol (IP) number assignments and related administrative tasks
> previously handled by NSI.”, whereby ARIN formally became the successor
> registry operator for organizational assignments in a long chain that
> includes USC/ISI, SRI, GSI, and NSI.
>
> The community wanted self-governance, and that’s exactly what it got…  the
> result is a fairly important reason to participate in ARIN policy
> development and/or governance if you feel strongly about these matters.
>
> Thanks!
> /John
>
> John Curran
> President and CEO
> American Registry for Internet Numbers
>
> [1] https://www.nsf.gov/news/news_summ.jsp?cntn_id=102819 - "Internet
> Moves Toward Privatization / IP numbers handled by non-profit”
>
>
> On Apr 25, 2021, at 11:38 AM, sro...@ronan-online.com wrote:
>
>  So you are claiming that ARIN has jurisdiction over DoD IP space?
>
> Sent from my iPhone
>
> On Apr 25, 2021, at 9:13 AM, John Curran  wrote:
>
>  Sronan -
>
> I’d suggest asking rather than making assertions when it comes to ARIN, as
> this will avoid propagating existing misinformation in the community.
>
> Many US government agencies, including the US Department of Defense, have
> signed registration services agreements with ARIN.
>
> From https://account.arin.net/public/member-list -
>
> United States Department of Defense (DoD)
>
> USDDD 
>
>
> Thanks!
> /John
>
> John Curran
> President and CEO
> American Registry for Internet Numbers
>
> On 25 Apr 2021, at 8:54 AM, sro...@ronan-online.com wrote:
>
> Except these DoD blocks don’t fall under ARIN justification, as they
> predate ARIN. It is very likely that the DoD has never and will never sign
> any sort of ARIN agreement.
>
> Sent from my iPhone
>
> On Apr 25, 2021, at 3:40 AM, Mel Beckman  wrote:
>
> Mark,
>
> ARIN rules require every IP space holder to publish accurate — and
> effective —  Admin, Tech, and Abuse POCs. The DOD hasn’t done this, as I
> pointed out, and as you can test for yourself. Your expectation that the
> DOD will “generally comply with all of the expected norms” is sorely naive,
> and already disproven.
>
> As far as “why does anyone on the Internet need to publish to your
> arbitrary standards”, you seem to forget that in the U.S., the government
> is accountable to the People. Where a private company may not have to
> explain its purposes, the government most certainly does in the private
> sector. With these IP spaces being thrust into the civilian realm, yes,
> they owe the citizenry an explanation of their actions, just as they would
> if they had started mounting missile launchers on highway overpasses. It’s
> a direct militarization of a civilian utility.
>
> Keep in mind that the U.S. Government — under all administrations — has
> shown that it will abuse every technical advantage it can, as long as it
> can do so in secret. Perhaps you’ve forgotten James Clapper, the former
> director of national intelligence, who falsely testified to Congress that
> the government does “not wittingly” collect the telephone records of
> millions of Americans. And he was just the tip of the iceberg. Before
> Clapper under Obama there was the Bush administration’s “Stellar Wind”
> warrantless surveillance program. The list of government abuse of civilian
> resources is colossal.
>
> Fighting against that isn’t political. It’s patriotic.
>
> -mel
>
> On Apr 25, 2021, at 12:02 AM, Mark Foster  wrote:
>
> 
>
> On 25/04/2021 3:24 am, Mel Beckman wrote:
>
> This doesn’t sound good, no matter how you slice it. The lack of
> transparency with a civilian resource is troubling at a minimum. I’m going
> to bogon this space as a defensive measure, until its real — and detailed —
> purpose can be known. The secret places of our government have proven
> themselves untrustworthy in the protection of citizens’ data and networks.
> They tend to think they know “what’s good for” us.
>
> -mel
>
>
> Why does anyone on the Internet need to publish to your arbitrary
> standards, what they intend to do with their IP address ranges?
>
> Failure to advertise the IP address space to the 

Re: DoD IP Space

2021-04-25 Thread John Curran
Sronan -

I made no claims other than pointing out that IP address blocks in the ARIN 
registry are subject to ARIN policies.

ARIN was formed specifically so that the Internet community could engage in 
self-regulation for IP number resources; to wit: "Creation of ARIN will give 
the users of IP numbers (mostly Internet service providers, corporations and 
other large institutions) a voice in the policies by which they are managed and 
allocated within the North American region” [1] – thus ARIN's policies for 
management of the registry apply to all resources in the registry because that 
was inherent to the purpose to which ARIN was formed.

This includes having ARIN "assume full responsibility for Internet Protocol 
(IP) number assignments and related administrative tasks previously handled by 
NSI.”, whereby ARIN formally became the successor registry operator for 
organizational assignments in a long chain that includes USC/ISI, SRI, GSI, and 
NSI.

The community wanted self-governance, and that’s exactly what it got…  the 
result is a fairly important reason to participate in ARIN policy development 
and/or governance if you feel strongly about these matters.

Thanks!
/John

John Curran
President and CEO
American Registry for Internet Numbers

[1] https://www.nsf.gov/news/news_summ.jsp?cntn_id=102819 - "Internet Moves 
Toward Privatization / IP numbers handled by non-profit”


On Apr 25, 2021, at 11:38 AM, 
sro...@ronan-online.com wrote:

 So you are claiming that ARIN has jurisdiction over DoD IP space?

Sent from my iPhone

On Apr 25, 2021, at 9:13 AM, John Curran <jcur...@arin.net> wrote:

 Sronan -

I’d suggest asking rather than making assertions when it comes to ARIN, as this 
will avoid propagating existing misinformation in the community.

Many US government agencies, including the US Department of Defense, have 
signed registration services agreements with ARIN.

From https://account.arin.net/public/member-list -

United States Department of Defense (DoD)

USDDD

Thanks!
/John

John Curran
President and CEO
American Registry for Internet Numbers

On 25 Apr 2021, at 8:54 AM, 
sro...@ronan-online.com wrote:

Except these DoD blocks don’t fall under ARIN justification, as they predate 
ARIN. It is very likely that the DoD has never and will never sign any sort of 
ARIN agreement.

Sent from my iPhone

On Apr 25, 2021, at 3:40 AM, Mel Beckman <m...@beckman.org> wrote:

Mark,

ARIN rules require every IP space holder to publish accurate — and effective —  
Admin, Tech, and Abuse POCs. The DOD hasn’t done this, as I pointed out, and as 
you can test for yourself. Your expectation that the DOD will “generally comply 
with all of the expected norms” is sorely naive, and already disproven.

As far as “why does anyone on the Internet need to publish to your arbitrary 
standards”, you seem to forget that in the U.S., the government is accountable 
to the People. Where a private company may not have to explain its purposes, 
the government most certainly does in the private sector. With these IP spaces 
being thrust into the civilian realm, yes, they owe the citizenry an 
explanation of their actions, just as they would if they had started mounting 
missile launchers on highway overpasses. It’s a direct militarization of a 
civilian utility.

Keep in mind that the U.S. Government — under all administrations — has shown 
that it will abuse every technical advantage it can, as long as it can do so in 
secret. Perhaps you’ve forgotten James Clapper, the former director of national 
intelligence, who falsely testified to Congress that the government does “not 
wittingly” collect the telephone records of millions of Americans. And he was 
just the tip of the iceberg. Before Clapper under Obama there was the Bush 
administration’s “Stellar Wind” warrantless surveillance program. The list of 
government abuse of civilian resources is colossal.

Fighting against that isn’t political. It’s patriotic.

-mel

On Apr 25, 2021, at 12:02 AM, Mark Foster <blak...@blakjak.net> wrote:


On 25/04/2021 3:24 am, Mel Beckman wrote:
This doesn’t sound good, no matter how you slice it. The lack of transparency 
with a civilian resource is troubling at a minimum. I’m going to bogon this 
space as a defensive measure, until its real — and detailed — purpose can be 
known. The secret places of our government have proven themselves untrustworthy 
in the protection of citizens’ data and networks. They tend to think they know 
“what’s good for” us.

-mel


Why does anyone on the Internet need to publish to your arbitrary standards, 
what they intend to do with their IP address ranges?

Failure to advertise the IP address space to the Internet (until now, perhaps) 
doesn't make the address space any less legitimate, and though I'd expect the 
DoD to generally comply with all of the expected 

Re: DoD IP Space

2021-04-25 Thread Sabri Berisha
- On Apr 25, 2021, at 2:24 AM, Bill Woodcock wo...@pch.net wrote:

Hi,

> I think I’d characterize it, rather, as a possible privatization of public
> property.

This comment sparked my curiosity. Does ARIN consider IP space to be property?

One could argue both ways:

1. Whomever "owns" a netblock simply owns the right to use and advertise it as
long as it's being used for the purposes under which it was assigned by a number
registry. This would be similar to "apartment rights" in a condominium complex.

OR;

2. IP space comes with property rights such as selling and leasing as one
wishes. But, that would also imply that IP space can be stolen.

I'd be curious to hear what ARIN's position is on this. 

Thanks,

Sabri


Re: DoD IP Space

2021-04-25 Thread John Curran
Randy -

We don’t generally speak about specific customers – but I do acknowledge this 
is a bit of an unusual case...

There was no exchange at all, but rather the US DoD wanted to make sure that
(if at some point in the future) they had excess IPv4 resources that the DoD
retained the ability to reutilize such elsewhere within the US Government
rather than returning them to ARIN.

(You have to remember this was a point in time when many organizations were
returning unused IPv4 blocks in order to help with IPv4 longevity...)

ARIN provided them clarity in that regard (as requiring return when other 
departments had need for IPv4 number resources was never the intent), and that 
has since been completely preempted by the adoption of transfer policies by the 
ARIN community.

Thanks,
/John

John Curran
President and CEO
American Registry for Internet Numbers

> On Apr 25, 2021, at 12:32 PM, Randy Bush  wrote:
> 
> john,
> 
> my alzheimer's device tells me that some years back there was a
> documented written agreement between arin and the dod along the lines of
> dod getting a large swath of ipv6 space[0] in exchange for agreeing to
> return[1] or otherwise put into public use a half dozen ipv4 /8s.
> 
> could you refresh my memory, e.g. with the document, please?  thanks.
> 
> randy
> 
> --
> 
> [0] which they are still trying to figure out how to use; but isn't half
>the internet in a similar pinch. :)
> 
> [1] since the dod probably did not get the space from arin, 'return' is
>probably not a good term.
> 
> 
> ---
> ra...@psg.com
> `gpg --locate-external-keys --auto-key-locate wkd ra...@psg.com`
> signatures are back, thanks to dmarc header butchery
> 


Re: DoD IP Space

2021-04-25 Thread Michael Butler via NANOG

On 4/25/21 12:32 PM, Randy Bush wrote:

john,

my alzheimer's device tells me that some years back there was a
documented written agreement between arin and the dod along the lines of
dod getting a large swath of ipv6 space[0] in exchange for agreeing to
return[1] or otherwise put into public use a half dozen ipv4 /8s.

could you refresh my memory, e.g. with the document, please?  thanks.

randy

--

[0] which they are still trying to figure out how to use; but isn't half
 the internet in a similar pinch. :)

[1] since the dod probably did not get the space from arin, 'return' is
 probably not a good term.


The footnote (11) on page 7 of https://www.gao.gov/assets/gao-20-402.pdf 
seems to be most relevant ..


"We are not aware of any statutory requirements that directly address 
the ability of a government agency to transfer or sell IP addresses to a 
third party, but DOD would face legal and policy constraints to any 
potential sale or transfer of the addresses to a third party outside of 
the government. Among other things, this is because DOD entered into an 
agreement with the American Registry for Internet Numbers. Specifically, 
this agreement states the department must return unused addresses to the 
registry."


imb




Re: DoD IP Space

2021-04-25 Thread Randy Bush
john,

my alzheimer's device tells me that some years back there was a
documented written agreement between arin and the dod along the lines of
dod getting a large swath of ipv6 space[0] in exchange for agreeing to
return[1] or otherwise put into public use a half dozen ipv4 /8s.

could you refresh my memory, e.g. with the document, please?  thanks.

randy

--

[0] which they are still trying to figure out how to use; but isn't half
the internet in a similar pinch. :)

[1] since the dod probably did not get the space from arin, 'return' is
probably not a good term.


---
ra...@psg.com
`gpg --locate-external-keys --auto-key-locate wkd ra...@psg.com`
signatures are back, thanks to dmarc header butchery



Re: DoD IP Space

2021-04-25 Thread Martin Hannigan
On Sat, Apr 24, 2021 at 11:27 AM Mel Beckman  wrote:

> This doesn’t sound good, no matter how you slice it. The lack of
> transparency with a civilian resource is troubling at a minimum. I’m going
> to bogon this space as a defensive measure, until its real — and detailed —
> purpose can be known. The secret places of our government have proven
> themselves untrustworthy in the protection of citizens’ data and networks.
> They tend to think they know “what’s good for” us.
>
>  -mel
>
>

If you apply that ideology to 0/0 you're not going to have much of an
Internet beyond cat pics.

Wish i was in the room when they turned it on. I hope they make a tiktok of
the expressions of everyone looking at the first data. [ joke ]

Warm regards,

-M<


> On Apr 24, 2021, at 8:05 AM, John Curran  wrote:
>
> 
> As noted -
> https://www.washingtonpost.com/technology/2021/04/24/pentagon-internet-address-mystery/#click=https://t.co/mVh26yBq9G
>
> FYI,
> /John
>
> John Curran
> President and CEO
> American Registry for Internet Numbers
>
> On Jan 20, 2021, at 8:35 AM, John Curran  wrote:
>
> 
> Tom –
>
> Most definitely: lack of routing history is not at all a reliable
> indicator of the potential for valid routing of a given IPv4 block in the
> future, so best practice suggests that allocated address space should not be
> blocked by others without specific cause.
>
> Doing otherwise opens one up to unexpected surprises when issued space
> suddenly becomes more active in routing and yet is inexplicably
> unreachable for some destinations.
>
> /John
>
> On Nov 5, 2019, at 10:38 AM, Tom Beecher  wrote:
>
>
> Using the generally accepted definition of a bogon ( RFC 1918 / 5735 /
> 6598 + netblock not allocated by an RiR ), 22/8 is not a bogon and
> shouldn't be treated as one.
>
> The DoD does not announce it to the DFZ, as is their choice, but nothing
> says they may not change that position tomorrow. There are plenty of
> subnets out there that are properly allocated by an RiR, but the assignees
> do not send them to the DFZ because of $reasons.
>
> In my opinion, creating bogon lists that include allocated but not
> advertised prefixes is poor practice that is likely to end up biting an
> operator at one point or another.
>
> On Tue, Nov 5, 2019 at 9:45 AM Töma Gavrichenkov 
> wrote:
>
>> Peace,
>>
>> On Tue, Nov 5, 2019, 4:55 PM David Conrad  wrote:
>> > On Nov 4, 2019, at 10:56 PM, Grant Taylor via NANOG 
>> wrote:
>> >> This thread got me to wondering, is there any
>> >> legitimate reason to see 22/8 on the public
>> >> Internet?  Or would it be okay to treat 22/8
>> >> like a Bogon and drop it at the network edge?
>> >
>> > Given the transfer market for IPv4 addresses,
>> > the spot price for IPv4 addresses, and the need
>> > of even governments to find “free” (as in
>> > unconstrained) money, I’d think treating any
>> > legacy /8 as a bogon would not be prudent.
>>
>> It has been said before in this thread that the DoD actively uses this
>> network internally.  I believe if the DoD were to cut costs, they
>> would be able to do it much more effectively in many other areas, and
>> their IPv4 networks would be about the last thing they would think of
>> (along with switching off ACs Bernard Ebbers-style).  With that in
>> mind, treating the DoD networks as bogons now makes total sense to me.
>>
>> --
>> Töma
>>
>


Re: DoD IP Space

2021-04-25 Thread sronan
So you are claiming that ARIN has jurisdiction over DoD IP space?

Sent from my iPhone

> On Apr 25, 2021, at 9:13 AM, John Curran  wrote:
> 
>  Sronan - 
> 
> I’d suggest asking rather than making assertions when it comes to ARIN, as 
> this will avoid propagating existing misinformation in the community. 
> 
> Many US government agencies, including the US Department of Defense, have 
> signed registration services agreements with ARIN.
> 
> From https://account.arin.net/public/member-list - 
> 
> United States Department of Defense (DoD)   USDDD
> 
> Thanks! 
> /John
> 
> John Curran
> President and CEO
> American Registry for Internet Numbers
> 
>>> On 25 Apr 2021, at 8:54 AM, sro...@ronan-online.com wrote:
>>> 
>>> Except these DoD blocks don’t fall under ARIN justification, as they 
>>> predate ARIN. It is very likely that the DoD has never and will never sign 
>>> any sort of ARIN agreement.
>>> 
>>> Sent from my iPhone
>>> 
>>> On Apr 25, 2021, at 3:40 AM, Mel Beckman  wrote:
>>> 
>>> Mark,
>>> 
>>> ARIN rules require every IP space holder to publish accurate — and 
>>> effective —  Admin, Tech, and Abuse POCs. The DOD hasn’t done this, as I 
>>> pointed out, and as you can test for yourself. Your expectation that the 
>>> DOD will “generally comply with all of the expected norms” is sorely naive, 
>>> and already disproven.
>>> 
>>> As far as “why does anyone on the Internet need to publish to your 
>>> arbitrary standards”, you seem to forget that in the U.S., the government 
>>> is accountable to the People. Where a private company may not have to 
>>> explain its purposes, the government most certainly does in the private 
>>> sector. With these IP spaces being thrust into the civilian realm, yes, 
>>> they owe the citizenry an explanation of their actions, just as they would 
>>> if they had started mounting missile launchers on highway overpasses. It’s 
>>> a direct militarization of a civilian utility. 
>>> 
>>> Keep in mind that the U.S. Government — under all administrations — has 
>>> shown that it will abuse every technical advantage it can, as long as it 
>>> can do so in secret. Perhaps you’ve forgotten James Clapper, the former 
>>> director of national intelligence, who falsely testified to Congress that 
>>> the government does “not wittingly” collect the telephone records of 
>>> millions of Americans. And he was just the tip of the iceberg. Before 
>>> Clapper under Obama there was the Bush administration’s “Stellar Wind” 
>>> warrantless surveillance program. The list of government abuse of civilian 
>>> resources is colossal. 
>>> 
>>> Fighting against that isn’t political. It’s patriotic.
>>> 
>>> -mel 
>>> 
 On Apr 25, 2021, at 12:02 AM, Mark Foster  wrote:
 
 
>> On 25/04/2021 3:24 am, Mel Beckman wrote:
> This doesn’t sound good, no matter how you slice it. The lack of 
> transparency with a civilian resource is troubling at a minimum. I’m 
> going to bogon this space as a defensive measure, until its real — and 
> detailed — purpose can be known. The secret places of our government have 
> proven themselves untrustworthy in the protection of citizens’ data and 
> networks. They tend to think they know “what’s good for” us.
> 
> -mel
> 
 
 Why does anyone on the Internet need to publish to your arbitrary 
 standards, what they intend to do with their IP address ranges?
 
 Failure to advertise the IP address space to the Internet (until now, 
 perhaps) doesn't make the address space any less legitimate, and though 
 I'd expect the DoD to generally comply with all of the expected norms 
 around BGP arrangements and published whois details, at the end of the 
 day, they can nominate who should originate it from their AS and as long 
 as we can see who owns it it's just not our business.
 
 Any organisation who's used DoD space in a way that's likely to conflict 
 with, well, the DoD, gambled and lost.
 
 Mark.
 
> 


Re: DoD IP Space

2021-04-25 Thread John Curran
Sronan -

For avoidance of doubt (and to save folks some digging), I will observe that 
the number resources associated with the U.S. DoD handle I referenced do not 
include DoD’s legacy IPv4 number resource holdings. However, there 
indeed are registration agreements with the US DoD that pertain to the DoD’s 
legacy IPv4 number resource holdings, and this may be readily confirmed by 
reviewing the CBO assessment report for the “NATIONAL DEFENSE AUTHORIZATION ACT 
FOR FISCAL YEAR 2020” (which in its early form envisioned potential 
monetization of select DoD IPv4 number resources) -

From the CBO assessment  


To estimate the potential receipts from the sale of IP
addresses, CBO examined the security risks and market factors
that would affect the number of addresses and the price for
those addresses that could be sold within the ten-year budget
window. CBO expects that DoD would not be prepared to sell any
addresses before 2022 for several reasons. First, over the next
two years DoD plans to study the cybersecurity requirements and
procedures that will support the department's transition of
IPv4 addresses to the next generation of IPv6 addresses.
Second, the agency would then have to update its internal
network operations in order to mitigate the security risks of
transferring DoD IP addresses to nonfederal entities.\5\ Third,
DoD would have to amend its existing agreement with the
American Registry for Internet Numbers (ARIN), which requires
DoD to release unneeded IP addresses to ARIN for
redistribution.

ARIN has no particular view on the merits/issues of US DoD disposition of its 
rights to IPv4 blocks (and this provision was omitted from the NDAA in its 
final form), but we did indicate to the DoD that ARIN policies for IPv4 address 
blocks have indeed changed, and that their agreement with ARIN does not 
preclude disposition of rights to IPv4 address blocks now that the ARIN 
community has established transfer policies allowing same.

(ARIN applies the community-developed policies to all number resources in the 
ARIN registry, and this includes blocks issued by predecessor operators of the 
registry.)

FYI,
/John

John Curran
President and CEO
American Registry for Internet Numbers


On 25 Apr 2021, at 9:13 AM, John Curran <jcur...@arin.net> wrote:

Sronan -

I’d suggest asking rather than making assertions when it comes to ARIN, as this 
will avoid propagating existing misinformation in the community.

Many US government agencies, including the US Department of Defense, have 
signed registration services agreements with ARIN.

From https://account.arin.net/public/member-list -

United States Department of Defense (DoD)

USDDD

Thanks!
/John

John Curran
President and CEO
American Registry for Internet Numbers

On 25 Apr 2021, at 8:54 AM, sro...@ronan-online.com wrote:

Except these DoD blocks don’t fall under ARIN justification, as they predate 
ARIN. It is very likely that the DoD has never and will never sign any sort of 
ARIN agreement.

Sent from my iPhone

On Apr 25, 2021, at 3:40 AM, Mel Beckman <m...@beckman.org> wrote:

Mark,

ARIN rules require every IP space holder to publish accurate — and effective —  
Admin, Tech, and Abuse POCs. The DOD hasn’t done this, as I pointed out, and as 
you can test for yourself. Your expectation that the DOD will “generally comply 
with all of the expected norms” is sorely naive, and already disproven.

As far as “why does anyone on the Internet need to publish to your arbitrary 
standards”, you seem to forget that in the U.S., the government is accountable 
to the People. Where a private company may not have to explain its purposes, 
the government most certainly does in the private sector. With these IP spaces 
being thrust into the civilian realm, yes, they owe the citizenry an 
explanation of their actions, just as they would if they had started mounting 
missile launchers on highway overpasses. It’s a direct militarization of a 
civilian utility.

Keep in mind that the U.S. Government — under all administrations — has shown 
that it will abuse every technical advantage it can, as long as it can do so in 
secret. Perhaps you’ve forgotten James Clapper, the former director of national 
intelligence, who falsely testified to Congress that the government does “not 
wittingly” collect the telephone records of millions of Americans. And he was 
just the tip of the iceberg. Before Clapper under Obama there was the Bush 
administration’s “Stellar Wind” warrantless surveillance program. The list of 
government abuse of civilian resources is colossal.

Fighting against that isn’t political. It’s patriotic.

-mel

On Apr 25, 2021, at 12:02 AM, Mark Foster <blak...@blakjak.net> wrote:


On 25/04/2021 3:24 am, Mel Beckman wrote:
This doesn’t sound good, no matter how you 

Re: DoD IP Space

2021-04-25 Thread John Curran
Sronan -

I’d suggest asking rather than making assertions when it comes to ARIN, as this 
will avoid propagating existing misinformation in the community.

Many US government agencies, including the US Department of Defense, have 
signed registration services agreements with ARIN.

From https://account.arin.net/public/member-list -

United States Department of Defense (DoD)

USDDD

Thanks!
/John

John Curran
President and CEO
American Registry for Internet Numbers

On 25 Apr 2021, at 8:54 AM, sro...@ronan-online.com wrote:

Except these DoD blocks don’t fall under ARIN justification, as they predate 
ARIN. It is very likely that the DoD has never and will never sign any sort of 
ARIN agreement.

Sent from my iPhone

On Apr 25, 2021, at 3:40 AM, Mel Beckman <m...@beckman.org> wrote:

Mark,

ARIN rules require every IP space holder to publish accurate — and effective —  
Admin, Tech, and Abuse POCs. The DOD hasn’t done this, as I pointed out, and as 
you can test for yourself. Your expectation that the DOD will “generally comply 
with all of the expected norms” is sorely naive, and already disproven.

As far as “why does anyone on the Internet need to publish to your arbitrary 
standards”, you seem to forget that in the U.S., the government is accountable 
to the People. Where a private company may not have to explain its purposes, 
the government most certainly does in the private sector. With these IP spaces 
being thrust into the civilian realm, yes, they owe the citizenry an 
explanation of their actions, just as they would if they had started mounting 
missile launchers on highway overpasses. It’s a direct militarization of a 
civilian utility.

Keep in mind that the U.S. Government — under all administrations — has shown 
that it will abuse every technical advantage it can, as long as it can do so in 
secret. Perhaps you’ve forgotten James Clapper, the former director of national 
intelligence, who falsely testified to Congress that the government does “not 
wittingly” collect the telephone records of millions of Americans. And he was 
just the tip of the iceberg. Before Clapper under Obama there was the Bush 
administration’s “Stellar Wind” warrantless surveillance program. The list of 
government abuse of civilian resources is colossal.

Fighting against that isn’t political. It’s patriotic.

-mel

On Apr 25, 2021, at 12:02 AM, Mark Foster <blak...@blakjak.net> wrote:


On 25/04/2021 3:24 am, Mel Beckman wrote:
This doesn’t sound good, no matter how you slice it. The lack of transparency 
with a civilian resource is troubling at a minimum. I’m going to bogon this 
space as a defensive measure, until its real — and detailed — purpose can be 
known. The secret places of our government have proven themselves untrustworthy 
in the protection of citizens’ data and networks. They tend to think they know 
“what’s good for” us.

-mel


Why does anyone on the Internet need to publish to your arbitrary standards, 
what they intend to do with their IP address ranges?

Failure to advertise the IP address space to the Internet (until now, perhaps) 
doesn't make the address space any less legitimate, and though I'd expect the 
DoD to generally comply with all of the expected norms around BGP arrangements 
and published whois details, at the end of the day, they can nominate who 
should originate it from their AS and as long as we can see who owns it 
it's just not our business.

Any organisation who's used DoD space in a way that's likely to conflict with, 
well, the DoD, gambled and lost.

Mark.




Re: DoD IP Space

2021-04-25 Thread John Curran
On 24 Apr 2021, at 6:45 PM, William Herrin <b...@herrin.us> wrote:

On Sat, Apr 24, 2021 at 8:26 AM Mel Beckman <m...@beckman.org> wrote:
This doesn’t sound good, no matter how you slice it. The lack of
transparency with a civilian resource is troubling at a minimum.

You do understand that the addresses in question are not and have
never been "civilian." They came into DoD's possession when this was
all still a military project funded by what's now DARPA.

Personally, I think we may have an all time record for the largest
honeypot ever constructed. I'd love to be a fly on that wall.

Bill -

That’s actually a possibility - just join DDS…  
https://apnews.com/article/technology-business-government-and-politics-b26ab809d1e9fdb53314f56299399949

‘ "The big Pentagon internet mystery now partially solved”
….
After weeks of wonder by the networking community, the Pentagon has now 
provided a very terse explanation for what it’s doing. But it has not answered 
many basic questions, beginning with why it chose to entrust management of the 
address space to a company that seems not to have existed until September.

The military hopes to “assess, evaluate and prevent unauthorized use of DoD IP 
address space,” said a statement issued Friday by Brett Goldstein, chief of the 
Pentagon’s Defense Digital Service, which is running the project. It also 
hopes to “identify potential 
vulnerabilities” as part of efforts to defend against cyber-intrusions by 
global adversaries, who are consistently infiltrating U.S. networks, sometimes 
operating from unused internet address blocks. '

FYI,
/John

John Curran
President and CEO
American Registry for Internet Numbers



Re: DoD IP Space

2021-04-25 Thread sronan
Except these DoD blocks don’t fall under ARIN justification, as they predate 
ARIN. It is very likely that the DoD has never and will never sign any sort of 
ARIN agreement.

Sent from my iPhone

> On Apr 25, 2021, at 3:40 AM, Mel Beckman  wrote:
> 
> Mark,
> 
> ARIN rules require every IP space holder to publish accurate — and effective 
> —  Admin, Tech, and Abuse POCs. The DOD hasn’t done this, as I pointed out, 
> and as you can test for yourself. Your expectation that the DOD will 
> “generally comply with all of the expected norms” is sorely naive, and 
> already disproven.
> 
> As far as “why does anyone on the Internet need to publish to your arbitrary 
> standards”, you seem to forget that in the U.S., the government is 
> accountable to the People. Where a private company may not have to explain 
> its purposes, the government most certainly does in the private sector. With 
> these IP spaces being thrust into the civilian realm, yes, they owe the 
> citizenry an explanation of their actions, just as they would if they had 
> started mounting missile launchers on highway overpasses. It’s a direct 
> militarization of a civilian utility. 
> 
> Keep in mind that the U.S. Government — under all administrations — has shown 
> that it will abuse every technical advantage it can, as long as it can do so 
> in secret. Perhaps you’ve forgotten James Clapper, the former director of 
> national intelligence, who falsely testified to Congress that the government 
> does “not wittingly” collect the telephone records of millions of Americans. 
> And he was just the tip of the iceberg. Before Clapper under Obama there was 
> the Bush administration’s “Stellar Wind” warrantless surveillance program. The 
> list of government abuse of civilian resources is colossal. 
> 
> Fighting against that isn’t political. It’s patriotic.
> 
> -mel 
> 
>> On Apr 25, 2021, at 12:02 AM, Mark Foster  wrote:
>> 
>> 
 On 25/04/2021 3:24 am, Mel Beckman wrote:
>>> This doesn’t sound good, no matter how you slice it. The lack of 
>>> transparency with a civilian resource is troubling at a minimum. I’m going 
>>> to bogon this space as a defensive measure, until its real — and detailed — 
>>> purpose can be known. The secret places of our government have proven 
>>> themselves untrustworthy in the protection of citizens’ data and networks. 
>>> They tend to think they know “what’s good for” us.
>>> 
>>> -mel
>>> 
>> 
>> Why does anyone on the Internet need to publish to your arbitrary standards, 
>> what they intend to do with their IP address ranges?
>> 
>> Failure to advertise the IP address space to the Internet (until now, 
>> perhaps) doesn't make the address space any less legitimate, and though I'd 
>> expect the DoD to generally comply with all of the expected norms around BGP 
>> arrangements and published whois details, at the end of the day, they can 
>> nominate who should originate it from their AS and as long as we can see who 
>> owns it it's just not our business.
>> 
>> Any organisation who's used DoD space in a way that's likely to conflict 
>> with, well, the DoD, gambled and lost.
>> 
>> Mark.
>> 


RE: DoD IP Space

2021-04-25 Thread Jean St-Laurent via NANOG
This is true and very interesting, but the opposite is also true. 

They are now reachable from probably nearly anywhere and therefore open for 
business.  

Let's see what will slowly appear in shodan.io and shadowserver.org

Jean

-Original Message-
From: NANOG  On Behalf Of William 
Herrin
Sent: April 24, 2021 6:46 PM
To: Mel Beckman 
Cc: nanog@nanog.org
Subject: Re: DoD IP Space

On Sat, Apr 24, 2021 at 8:26 AM Mel Beckman  wrote:
> This doesn’t sound good, no matter how you slice it. The lack of 
> transparency with a civilian resource is troubling at a minimum.

You do understand that the addresses in question are not and have never been 
"civilian." They came into DoD's possession when this was all still a military 
project funded by what's now DARPA.

Personally, I think we may have an all time record for the largest honeypot 
ever constructed. I'd love to be a fly on that wall.

Regards,
Bill Herrin



--
William Herrin
b...@herrin.us
https://bill.herrin.us/



Re: DoD IP Space

2021-04-25 Thread John Curran
Mr. Beckman  - 

As noted by Mark Foster below, the listed contact information for the DoD 
address blocks is indeed correct, and (as you yourself confirmed) may be used 
to successfully contact the organization.  ARIN does not have the mandate to 
force any organization “to deal” with any other, but I can assure you that the 
contacts listed for the resources in the ARIN registry have been used to 
resolve actual technical problems without any difficulty. 

Best wishes,
/John

John Curran
President and CEO
American Registry for Internet Numbers


> On 25 Apr 2021, at 6:11 AM, Mark Foster  wrote:
> 
> Hi Mel,
> 
> I'd expect ARIN to hold them to account for complying with ARIN rules, if 
> they are subject.  In years gone by, I have been able to contact US DoD 
> organisations using published contact methods to address technical issues. So 
> even if there's technical non-compliance (which i'd agree should be 
> addressed), it could be a lot worse.
> 
> As for the DoD's accountability via your system of government, my view would 
> be that instead of bogon-filtering addresses legitimately appearing in your 
> BGP, with the justification being "they haven't before!", you could consider 
> asking them via channels. Like 
> https://open.defense.gov/transparency/foia.aspx for example.  But i'm not a 
> citizen of the United States, so will happily plead ignorance as to whether 
> this is likely to lead you to what you want to know or not.
> 
> In my country the government is also accountable to the people. But that 
> doesn't mean I would expect an Internet Service Provider to deliberately 
> sabotage the network access of their customers, either. Starts to feel like a 
> net neutrality argument again.
> 
> Mark.
> 
> PS: If DoD make use of IP address space that they legitimately hold, i'm not 
> sure you can call it a civilian resource, despite it interacting with 
> civilian counterparts.  Any consumable held by a military organisation is a 
> military resource and they'll make use of it based on their operational 
> requirements. The best comparison I could think of, would be fuel 
> (gasoline/petroleum/diesel/Jet-A1), all of which has both military and 
> civilian application.
> 
> On 25/04/2021 7:40 pm, Mel Beckman wrote:
>> Mark,
>> 
>> ARIN rules require every IP space holder to publish accurate — and effective 
>> —  Admin, Tech, and Abuse POCs. The DOD hasn’t done this, as I pointed out, 
>> and as you can test for yourself. Your expectation that the DOD will 
>> “generally comply with all of the expected norms” is sorely naive, and 
>> already disproven.
>> 
>> As far as “why does anyone on the Internet need to publish to your arbitrary 
>> standards”, you seem to forget that in the U.S., the government is 
>> accountable to the People. Where a private company may not have to explain 
>> its purposes, the government most certainly does in the private sector. With 
>> these IP spaces being thrust into the civilian realm, yes, they owe the 
>> citizenry an explanation of their actions, just as they would if they had 
>> started mounting missile launchers on highway overpasses. It’s a direct 
>> militarization of a civilian utility.
>> 
>> Keep in mind that the U.S. Government — under all administrations — has 
>> shown that it will abuse every technical advantage it can, as long as it can 
>> do so in secret. Perhaps you’ve forgotten James Clapper, the former director 
>> of national intelligence, who falsely testified to Congress that the 
>> government does “not wittingly” collect the telephone records of millions of 
>> Americans. And he was just the tip of the iceberg. Before Clapper under 
>> Obama there was the Bush administration’s “Stellar Wind” warrantless 
>> surveillance program. The list of government abuse of civilian resources is 
>> colossal.
>> 
>> Fighting against that isn’t political. It’s patriotic.
>> 
>>  -mel
>> 
>>> On Apr 25, 2021, at 12:02 AM, Mark Foster  wrote:
>>> 
>>> 
 On 25/04/2021 3:24 am, Mel Beckman wrote:
 This doesn’t sound good, no matter how you slice it. The lack of 
 transparency with a civilian resource is troubling at a minimum. I’m going 
 to bogon this space as a defensive measure, until its real — and detailed 
 — purpose can be known. The secret places of our government have proven 
 themselves untrustworthy in the protection of citizens’ data and networks. 
 They tend to think they know “what’s good for” us.
 
  -mel
 
>>> Why does anyone on the Internet need to publish to your arbitrary 
>>> standards, what they intend to do with their IP address ranges?
>>> 
>>> Failure to advertise the IP address space to the Internet (until now, 
>>> perhaps) doesn't make the address space any less legitimate, and though I'd 
>>> expect the DoD to generally comply with all of the expected norms around 
>>> BGP arrangements and published whois details, at the end of the day, they 
>>> can nominate who should originate it from 

Re: DoD IP Space

2021-04-25 Thread Mark Foster

Hi Mel,

I'd expect ARIN to hold them to account for complying with ARIN rules, 
if they are subject.  In years gone by, I have been able to contact US 
DoD organisations using published contact methods to address technical 
issues. So even if there's technical non-compliance (which i'd agree 
should be addressed), it could be a lot worse.


As for the DoD's accountability via your system of government, my view 
would be that instead of bogon-filtering addresses legitimately 
appearing in your BGP, with the justification being "they haven't 
before!", you could consider asking them via channels. Like 
https://open.defense.gov/transparency/foia.aspx for example.  But i'm 
not a citizen of the United States, so will happily plead ignorance as 
to whether this is likely to lead you to what you want to know or not.


In my country the government is also accountable to the people. But that 
doesn't mean I would expect an Internet Service Provider to deliberately 
sabotage the network access of their customers, either. Starts to feel 
like a net neutrality argument again.


Mark.

PS: If DoD make use of IP address space that they legitimately hold, i'm 
not sure you can call it a civilian resource, despite it interacting 
with civilian counterparts.  Any consumable held by a military 
organisation is a military resource and they'll make use of it based on 
their operational requirements. The best comparison I could think of, 
would be fuel (gasoline/petroleum/diesel/Jet-A1), all of which has both 
military and civilian application.


On 25/04/2021 7:40 pm, Mel Beckman wrote:

Mark,

ARIN rules require every IP space holder to publish accurate — and effective —  
Admin, Tech, and Abuse POCs. The DOD hasn’t done this, as I pointed out, and as 
you can test for yourself. Your expectation that the DOD will “generally comply 
with all of the expected norms” is sorely naive, and already disproven.

As far as “why does anyone on the Internet need to publish to your arbitrary 
standards”, you seem to forget that in the U.S., the government is accountable 
to the People. Where a private company may not have to explain its purposes, 
the government most certainly does in the private sector. With these IP spaces 
being thrust into the civilian realm, yes, they owe the citizenry an 
explanation of their actions, just as they would if they had started mounting 
missile launchers on highway overpasses. It’s a direct militarization of a 
civilian utility.

Keep in mind that the U.S. Government — under all administrations — has shown that 
it will abuse every technical advantage it can, as long as it can do so in secret. 
Perhaps you’ve forgotten James Clapper, the former director of national 
intelligence, who falsely testified to Congress that the government does “not 
wittingly” collect the telephone records of millions of Americans. And he was just 
the tip of the iceberg. Before Clapper under Obama there was the Bush 
administration’s "Stellar Wind" warrantless surveillance program. The list of 
government abuse of civilian resources is colossal.

Fighting against that isn’t political. It’s patriotic.

  -mel


On Apr 25, 2021, at 12:02 AM, Mark Foster  wrote:



On 25/04/2021 3:24 am, Mel Beckman wrote:
This doesn’t sound good, no matter how you slice it. The lack of transparency 
with a civilian resource is troubling at a minimum. I’m going to bogon this 
space as a defensive measure, until its real — and detailed — purpose can be 
known. The secret places of our government have proven themselves untrustworthy 
in the protection of citizens’ data and networks. They tend to think they know 
“what’s good for” us.

  -mel


Why does anyone on the Internet need to publish to your arbitrary standards, 
what they intend to do with their IP address ranges?

Failure to advertise the IP address space to the Internet (until now, perhaps) 
doesn't make the address space any less legitimate, and though I'd expect the 
DoD to generally comply with all of the expected norms around BGP arrangements 
and published whois details, at the end of the day, they can nominate who 
should originate it from their AS and as long as we can see who owns it 
it's just not our business.

Any organisation who's used DoD space in a way that's likely to conflict with, 
well, the DoD, gambled and lost.

Mark.



Re: DoD IP Space

2021-04-25 Thread Christian de Larrinaga via NANOG

Is the DoD still the owner?

On Sun 25 Apr 2021 at 10:24, Bill Woodcock  wrote:


On Apr 25, 2021, at 9:40 AM, Mel Beckman  
wrote:

It’s a direct militarization of a civilian utility.


I think I’d characterize it, rather, as a possible privatization 
of public property.


If someone builds a house in the middle of a public park, it’s 
not _what they’re doing in the house_ that concerns me.


-Bill



--
Christian de Larrinaga 
https://firsthand.net


Re: DoD IP Space

2021-04-25 Thread Bill Woodcock


> On Apr 25, 2021, at 9:40 AM, Mel Beckman  wrote:
> It’s a direct militarization of a civilian utility.

I think I’d characterize it, rather, as a possible privatization of public 
property.

If someone builds a house in the middle of a public park, it’s not _what 
they’re doing in the house_ that concerns me.

-Bill





Re: DoD IP Space

2021-04-25 Thread Mel Beckman
Mark,

ARIN rules require every IP space holder to publish accurate — and effective —  
Admin, Tech, and Abuse POCs. The DOD hasn’t done this, as I pointed out, and as 
you can test for yourself. Your expectation that the DOD will “generally comply 
with all of the expected norms” is sorely naive, and already disproven.

As far as “why does anyone on the Internet need to publish to your arbitrary 
standards”, you seem to forget that in the U.S., the government is accountable 
to the People. Where a private company may not have to explain its purposes, 
the government most certainly does in the private sector. With these IP spaces 
being thrust into the civilian realm, yes, they owe the citizenry an 
explanation of their actions, just as they would if they had started mounting 
missile launchers on highway overpasses. It’s a direct militarization of a 
civilian utility. 

Keep in mind that the U.S. Government — under all administrations — has shown 
that it will abuse every technical advantage it can, as long as it can do so in 
secret. Perhaps you’ve forgotten James Clapper, the former director of national 
intelligence, who falsely testified to Congress that the government does “not 
wittingly” collect the telephone records of millions of Americans. And he was 
just the tip of the iceberg. Before Clapper under Obama there was the Bush 
administration’s "Stellar Wind" warrantless surveillance program. The list of 
government abuse of civilian resources is colossal.

Fighting against that isn’t political. It’s patriotic.

 -mel 

> On Apr 25, 2021, at 12:02 AM, Mark Foster  wrote:
> 
> 
>> On 25/04/2021 3:24 am, Mel Beckman wrote:
>> This doesn’t sound good, no matter how you slice it. The lack of 
>> transparency with a civilian resource is troubling at a minimum. I’m going 
>> to bogon this space as a defensive measure, until its real — and detailed — 
>> purpose can be known. The secret places of our government have proven 
>> themselves untrustworthy in the protection of citizens’ data and networks. 
>> They tend to think they know “what’s good for” us.
>> 
>>  -mel
>> 
> 
> Why does anyone on the Internet need to publish to your arbitrary standards, 
> what they intend to do with their IP address ranges?
> 
> Failure to advertise the IP address space to the Internet (until now, 
> perhaps) doesn't make the address space any less legitimate, and though I'd 
> expect the DoD to generally comply with all of the expected norms around BGP 
> arrangements and published whois details, at the end of the day, they can 
> nominate who should originate it from their AS and as long as we can see who 
> owns it it's just not our business.
> 
> Any organisation who's used DoD space in a way that's likely to conflict 
> with, well, the DoD, gambled and lost.
> 
> Mark.
> 


Re: DoD IP Space

2021-04-25 Thread Mark Foster



On 25/04/2021 3:24 am, Mel Beckman wrote:
This doesn’t sound good, no matter how you slice it. The lack of 
transparency with a civilian resource is troubling at a minimum. I’m 
going to bogon this space as a defensive measure, until its real — and 
detailed — purpose can be known. The secret places of our government 
have proven themselves untrustworthy in the protection of citizens’ 
data and networks. They tend to think they know “what’s good for” us.


 -mel



Why does anyone on the Internet need to publish to your arbitrary 
standards, what they intend to do with their IP address ranges?


Failure to advertise the IP address space to the Internet (until now, 
perhaps) doesn't make the address space any less legitimate, and though 
I'd expect the DoD to generally comply with all of the expected norms 
around BGP arrangements and published whois details, at the end of the 
day, they can nominate who should originate it from their AS and as long 
as we can see who owns it it's just not our business.


Any organisation who's used DoD space in a way that's likely to conflict 
with, well, the DoD, gambled and lost.


Mark.



Re: DoD IP Space

2021-04-24 Thread Mel Beckman
Jason,

The government subsidizes farms, too. That doesn’t mean we let them be 
militarized.

Logic. :)

 -mel

On Apr 24, 2021, at 4:35 PM, Jason Biel  wrote:


The internet that is subsidized by that same Government

Logic.

On Sat, Apr 24, 2021 at 18:19 Mel Beckman <m...@beckman.org> wrote:
Bill,

It’s the INTERNET that is civilian, not the IP space. As long as that IP space 
was isolated to the .mil network, it was private space, as far as the Internet 
was concerned. Now DoD has moved it into the civilian Internet, and I treat 
them as potentially malicious as I do any other organization that lies, cheats, 
and steals the public trust.

 -mel

> On Apr 24, 2021, at 3:45 PM, William Herrin <b...@herrin.us> wrote:
>
> On Sat, Apr 24, 2021 at 8:26 AM Mel Beckman <m...@beckman.org> wrote:
>> This doesn’t sound good, no matter how you slice it. The lack of
>> transparency with a civilian resource is troubling at a minimum.
>
> You do understand that the addresses in question are not and have
> never been "civilian." They came into DoD's possession when this was
> all still a military project funded by what's now DARPA.
>
> Personally, I think we may have an all time record for the largest
> honeypot ever constructed. I'd love to be a fly on that wall.
>
> Regards,
> Bill Herrin
>
>
>
> --
> William Herrin
> b...@herrin.us
> https://bill.herrin.us/

--
Jason


Re: DoD IP Space

2021-04-24 Thread Mel Beckman
Ryan,

My motives are not political. It doesn’t matter which party is behind this (and 
it looks like both would have to be, based on the timeline).

I’m treating this sudden advertisement of IP space as I would any other hostile 
actor, which NANOGers filter all the time. If the DOD comes clean and provides 
the required registered contact information, I might reconsider. But I’ve 
already called the published abuse contact number, and they say they don’t deal 
with “the public”. Until the DoD makes clear their intentions, blocking this IP 
space is the only sensible decision.

 -mel 

> On Apr 24, 2021, at 9:11 PM, Ryan Hamel  wrote:
> 
> Mel,
> 
> I hope you're not implementing this in an ISP network, it's not net neutral 
> if a carrier is making a (political) route/filtering decision. (Points to The 
> Great Firewall of China)
> 
> Ryan
> 
> -Original Message-
> From: NANOG  On Behalf Of Mel 
> Beckman
> Sent: Saturday, April 24, 2021 4:17 PM
> To: William Herrin 
> Cc: nanog@nanog.org
> Subject: Re: DoD IP Space
> 
> Bill,
> 
> It’s the INTERNET that is civilian, not the IP space. As long as that IP 
> space was isolated to the .mil network, it was private space, as far as the 
> Internet was concerned. Now DoD has moved it into the civilian Internet, and 
> I treat them as potentially malicious as I do any other organization that 
> lies, cheats, and steals the public trust.
> 
> -mel
> 
>> On Apr 24, 2021, at 3:45 PM, William Herrin  wrote:
>> 
>>> On Sat, Apr 24, 2021 at 8:26 AM Mel Beckman  wrote:
>>> This doesn’t sound good, no matter how you slice it. The lack of 
>>> transparency with a civilian resource is troubling at a minimum.
>> 
>> You do understand that the addresses in question are not and have 
>> never been "civilian." They came into DoD's possession when this was 
>> all still a military project funded by what's now DARPA.
>> 
>> Personally, I think we may have an all time record for the largest 
>> honeypot ever constructed. I'd love to be a fly on that wall.
>> 
>> Regards,
>> Bill Herrin
>> 
>> 
>> 
>> --
>> William Herrin
>> b...@herrin.us
>> https://bill.herrin.us/
> 
> 


RE: DoD IP Space

2021-04-24 Thread Ryan Hamel
Mel,

I hope you're not implementing this in an ISP network, it's not net neutral if 
a carrier is making a (political) route/filtering decision. (Points to The 
Great Firewall of China)

Ryan

-Original Message-
From: NANOG  On Behalf Of Mel Beckman
Sent: Saturday, April 24, 2021 4:17 PM
To: William Herrin 
Cc: nanog@nanog.org
Subject: Re: DoD IP Space

Bill,

It’s the INTERNET that is civilian, not the IP space. As long as that IP space 
was isolated to the .mil network, it was private space, as far as the Internet 
was concerned. Now DoD has moved it into the civilian Internet, and I treat 
them as potentially malicious as I do any other organization that lies, cheats, 
and steals the public trust.

 -mel

> On Apr 24, 2021, at 3:45 PM, William Herrin  wrote:
> 
> On Sat, Apr 24, 2021 at 8:26 AM Mel Beckman  wrote:
>> This doesn’t sound good, no matter how you slice it. The lack of 
>> transparency with a civilian resource is troubling at a minimum.
> 
> You do understand that the addresses in question are not and have 
> never been "civilian." They came into DoD's possession when this was 
> all still a military project funded by what's now DARPA.
> 
> Personally, I think we may have an all time record for the largest 
> honeypot ever constructed. I'd love to be a fly on that wall.
> 
> Regards,
> Bill Herrin
> 
> 
> 
> --
> William Herrin
> b...@herrin.us
> https://bill.herrin.us/




Re: DoD IP Space

2021-04-24 Thread Jason Biel
The internet that is subsidized by that same Government

Logic.

On Sat, Apr 24, 2021 at 18:19 Mel Beckman  wrote:

> Bill,
>
> It’s the INTERNET that is civilian, not the IP space. As long as that IP
> space was isolated to the .mil network, it was private space, as far as the
> Internet was concerned. Now DoD has moved it into the civilian Internet,
> and I treat them as potentially malicious as I do any other organization
> that lies, cheats, and steals the public trust.
>
>  -mel
>
> > On Apr 24, 2021, at 3:45 PM, William Herrin  wrote:
> >
> > On Sat, Apr 24, 2021 at 8:26 AM Mel Beckman  wrote:
> >> This doesn’t sound good, no matter how you slice it. The lack of
> >> transparency with a civilian resource is troubling at a minimum.
> >
> > You do understand that the addresses in question are not and have
> > never been "civilian." They came into DoD's possession when this was
> > all still a military project funded by what's now DARPA.
> >
> > Personally, I think we may have an all time record for the largest
> > honeypot ever constructed. I'd love to be a fly on that wall.
> >
> > Regards,
> > Bill Herrin
> >
> >
> >
> > --
> > William Herrin
> > b...@herrin.us
> > https://bill.herrin.us/
>
> --
Jason


Re: DoD IP Space

2021-04-24 Thread Mel Beckman
Bill,

It’s the INTERNET that is civilian, not the IP space. As long as that IP space 
was isolated to the .mil network, it was private space, as far as the Internet 
was concerned. Now DoD has moved it into the civilian Internet, and I treat 
them as potentially malicious as I do any other organization that lies, cheats, 
and steals the public trust.

 -mel

> On Apr 24, 2021, at 3:45 PM, William Herrin  wrote:
> 
> On Sat, Apr 24, 2021 at 8:26 AM Mel Beckman  wrote:
>> This doesn’t sound good, no matter how you slice it. The lack of
>> transparency with a civilian resource is troubling at a minimum.
> 
> You do understand that the addresses in question are not and have
> never been "civilian." They came into DoD's possession when this was
> all still a military project funded by what's now DARPA.
> 
> Personally, I think we may have an all time record for the largest
> honeypot ever constructed. I'd love to be a fly on that wall.
> 
> Regards,
> Bill Herrin
> 
> 
> 
> -- 
> William Herrin
> b...@herrin.us
> https://bill.herrin.us/



Re: DoD IP Space

2021-04-24 Thread William Herrin
On Sat, Apr 24, 2021 at 8:26 AM Mel Beckman  wrote:
> This doesn’t sound good, no matter how you slice it. The lack of
> transparency with a civilian resource is troubling at a minimum.

You do understand that the addresses in question are not and have
never been "civilian." They came into DoD's possession when this was
all still a military project funded by what's now DARPA.

Personally, I think we may have an all time record for the largest
honeypot ever constructed. I'd love to be a fly on that wall.

Regards,
Bill Herrin



-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/


Re: DoD IP Space

2021-04-24 Thread Mike Hammett
I encourage my competition to make equally arbitrary routing decisions. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 

- Original Message -

From: "Mel Beckman"  
To: "Mike Hammett"  
Cc: nanog@nanog.org, "John Curran"  
Sent: Saturday, April 24, 2021 10:53:26 AM 
Subject: Re: DoD IP Space 


In this specific case the group of self-described DOD network cowboys who, due 
to lack of transparency and public oversight, could be doing all manner of 
nefarious things with this IP space. It can’t help to let it in, and it can 
definitely hurt. 


But you know that. So why are you playing dumb? 


-mel 



On Apr 24, 2021, at 8:44 AM, Mike Hammett  wrote: 







"proven-malicious IP space owner" 


The DoD? 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 

- Original Message -

From: "Mel Beckman"  
To: "Mike Hammett"  
Cc: nanog@nanog.org, "John Curran"  
Sent: Saturday, April 24, 2021 10:37:42 AM 
Subject: Re: DoD IP Space 

I will not permit traffic into my network whose proven-malicious IP space owner 
is devious about its purpose. You can, if you want. 


-mel 



On Apr 24, 2021, at 8:28 AM, Mike Hammett  wrote: 







Huh? 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 

- Original Message -

From: "Mel Beckman"  
To: "John Curran"  
Cc: nanog@nanog.org 
Sent: Saturday, April 24, 2021 10:24:45 AM 
Subject: Re: DoD IP Space 

This doesn’t sound good, no matter how you slice it. The lack of transparency 
with a civilian resource is troubling at a minimum. I’m going to bogon this 
space as a defensive measure, until its real — and detailed — purpose can be 
known. The secret places of our government have proven themselves untrustworthy 
in the protection of citizens’ data and networks. They tend to think they know 
“what’s good for” us. 


-mel 



On Apr 24, 2021, at 8:05 AM, John Curran  wrote: 







As noted - 
https://www.washingtonpost.com/technology/2021/04/24/pentagon-internet-address-mystery/#click=https://t.co/mVh26yBq9G
 


FYI, 
/John 


John Curran 
President and CEO 
American Registry for Internet Numbers 



On Jan 20, 2021, at 8:35 AM, John Curran  wrote: 







Tom – 


Most definitely: lack of routing history is not at all a reliable indicator of 
the potential for valid routing of a given IPv4 block in the future, so best 
practice suggests that allocated address space should not be blocked by others 
without specific cause. 

Doing otherwise opens one up to unexpected surprises when issued space suddenly 
becomes more active in routing and yet is inexplicably unreachable for some 
destinations. 


/John 



On Nov 5, 2019, at 10:38 AM, Tom Beecher  wrote: 









Using the generally accepted definition of a bogon ( RFC 1918 / 5735 / 6598 + 
netblock not allocated by an RiR ), 22/8 is not a bogon and shouldn't be 
treated as one. 



The DoD does not announce it to the DFZ, as is their choice, but nothing says 
they may not change that position tomorrow. There are plenty of subnets out 
there that are properly allocated by an RiR, but the assignees do not send them 
to the DFZ because of $reasons. 


In my opinion, creating bogon lists that include allocated but not advertised 
prefixes is poor practice that is likely to end up biting an operator at one 
point or another. 


On Tue, Nov 5, 2019 at 9:45 AM Töma Gavrichenkov < xima...@gmail.com > wrote: 


Peace, 

On Tue, Nov 5, 2019, 4:55 PM David Conrad < d...@virtualized.org > wrote: 
> On Nov 4, 2019, at 10:56 PM, Grant Taylor via NANOG < nanog@nanog.org > 
> wrote: 
>> This thread got me to wondering, is there any 
>> legitimate reason to see 22/8 on the public 
>> Internet? Or would it be okay to treat 22/8 
>> like a Bogon and drop it at the network edge? 
> 
> Given the transfer market for IPv4 addresses, 
> the spot price for IPv4 addresses, and the need 
> of even governments to find “free” (as in 
> unconstrained) money, I’d think treating any 
> legacy /8 as a bogon would not be prudent. 

It has been said before in this thread that the DoD actively uses this 
network internally. I believe if the DoD were to cut costs, they 
would be able to do it much more effectively in many other areas, and 
their IPv4 networks would be about the last thing they would think of 
(along with switching off ACs Bernard Ebbers-style). With that in 
mind, treating the DoD networks as bogons now makes total sense to me. 

-- 
Töma

Re: DoD IP Space

2021-04-24 Thread Mel Beckman
In this specific case the group of self-described DOD network cowboys who, due 
to lack of transparency and public oversight, could be doing all manner of 
nefarious things with this IP space. It can’t help to let it in, and it can 
definitely hurt.

But you know that. So why are you playing dumb?

 -mel

On Apr 24, 2021, at 8:44 AM, Mike Hammett  wrote:


"proven-malicious IP space owner"

The DoD?



-
Mike Hammett
Intelligent Computing Solutions<http://www.ics-il.com/>
Midwest Internet Exchange<http://www.midwest-ix.com/>
The Brothers WISP<http://www.thebrotherswisp.com/>

From: "Mel Beckman" 
To: "Mike Hammett" 
Cc: nanog@nanog.org, "John Curran" 
Sent: Saturday, April 24, 2021 10:37:42 AM
Subject: Re: DoD IP Space

I will not permit traffic into my network whose proven-malicious IP space owner 
is devious about its purpose. You can, if you want.

 -mel

On Apr 24, 2021, at 8:28 AM, Mike Hammett  wrote:


Huh?



-
Mike Hammett
Intelligent Computing Solutions<http://www.ics-il.com/>
Midwest Internet Exchange<http://www.midwest-ix.com/>
The Brothers WISP<http://www.thebrotherswisp.com/>

From: "Mel Beckman" 
To: "John Curran" 
Cc: nanog@nanog.org
Sent: Saturday, April 24, 2021 10:24:45 AM
Subject: Re: DoD IP Space

This doesn’t sound good, no matter how you slice it. The lack of transparency 
with a civilian resource is troubling at a minimum. I’m going to bogon this 
space as a defensive measure, until its real — and detailed — purpose can be 
known. The secret places of our government have proven themselves untrustworthy 
in the protection of citizens’ data and networks. They tend to think they know 
“what’s good for” us.

 -mel

On Apr 24, 2021, at 8:05 AM, John Curran  wrote:


As noted - 
https://www.washingtonpost.com/technology/2021/04/24/pentagon-internet-address-mystery/#click=https://t.co/mVh26yBq9G

FYI,
/John

John Curran
President and CEO
American Registry for Internet Numbers

On Jan 20, 2021, at 8:35 AM, John Curran  wrote:


Tom –

Most definitely: lack of routing history is not at all a reliable indicator of 
the potential for valid routing of a given IPv4 block in the future, so best 
practice suggests that allocated address space should not be blocked by others 
without specific cause.

Doing otherwise opens one up to unexpected surprises when issued space suddenly 
becomes more active in routing and yet is inexplicably unreachable for some 
destinations.

/John

On Nov 5, 2019, at 10:38 AM, Tom Beecher  wrote:


Using the generally accepted definition of a bogon ( RFC 1918 / 5735 / 6598 + 
netblock not allocated by an RiR ), 22/8 is not a bogon and shouldn't be 
treated as one.

The DoD does not announce it to the DFZ, as is their choice, but nothing says 
they may not change that position tomorrow. There are plenty of subnets out 
there that are properly allocated by an RiR, but the assignees do not send them 
to the DFZ because of $reasons.

In my opinion, creating bogon lists that include allocated but not advertised 
prefixes is poor practice that is likely to end up biting an operator at one 
point or a

Re: DoD IP Space

2021-04-24 Thread Mike Hammett
"proven-malicious IP space owner" 


The DoD? 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 

- Original Message -

From: "Mel Beckman"  
To: "Mike Hammett"  
Cc: nanog@nanog.org, "John Curran"  
Sent: Saturday, April 24, 2021 10:37:42 AM 
Subject: Re: DoD IP Space 

I will not permit traffic into my network whose proven-malicious IP space owner 
is devious about its purpose. You can, if you want. 


-mel 



On Apr 24, 2021, at 8:28 AM, Mike Hammett  wrote: 







Huh? 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 

- Original Message -

From: "Mel Beckman"  
To: "John Curran"  
Cc: nanog@nanog.org 
Sent: Saturday, April 24, 2021 10:24:45 AM 
Subject: Re: DoD IP Space 

This doesn’t sound good, no matter how you slice it. The lack of transparency 
with a civilian resource is troubling at a minimum. I’m going to bogon this 
space as a defensive measure, until its real — and detailed — purpose can be 
known. The secret places of our government have proven themselves untrustworthy 
in the protection of citizens’ data and networks. They tend to think they know 
“what’s good for” us. 


-mel 



On Apr 24, 2021, at 8:05 AM, John Curran  wrote: 







As noted - 
https://www.washingtonpost.com/technology/2021/04/24/pentagon-internet-address-mystery/#click=https://t.co/mVh26yBq9G
 


FYI, 
/John 


John Curran 
President and CEO 
American Registry for Internet Numbers 



On Jan 20, 2021, at 8:35 AM, John Curran  wrote: 







Tom – 


Most definitely: lack of routing history is not at all a reliable indicator of 
the potential for valid routing of a given IPv4 block in the future, so best 
practice suggests that allocated address space should not be blocked by others 
without specific cause. 

Doing otherwise opens one up to unexpected surprises when issued space suddenly 
becomes more active in routing and yet is inexplicably unreachable for some 
destinations. 


/John 



On Nov 5, 2019, at 10:38 AM, Tom Beecher  wrote: 









Using the generally accepted definition of a bogon ( RFC 1918 / 5735 / 6598 + 
netblock not allocated by an RiR ), 22/8 is not a bogon and shouldn't be 
treated as one. 



The DoD does not announce it to the DFZ, as is their choice, but nothing says 
they may not change that position tomorrow. There are plenty of subnets out 
there that are properly allocated by an RiR, but the assignees do not send them 
to the DFZ because of $reasons. 


In my opinion, creating bogon lists that include allocated but not advertised 
prefixes is poor practice that is likely to end up biting an operator at one 
point or another. 


On Tue, Nov 5, 2019 at 9:45 AM Töma Gavrichenkov < xima...@gmail.com > wrote: 


Peace, 

On Tue, Nov 5, 2019, 4:55 PM David Conrad < d...@virtualized.org > wrote: 
> On Nov 4, 2019, at 10:56 PM, Grant Taylor via NANOG < nanog@nanog.org > 
> wrote: 
>> This thread got me to wondering, is there any 
>> legitimate reason to see 22/8 on the public 
>> Internet? Or would it be okay to treat 22/8 
>> like a Bogon and drop it at the network edge? 
> 
> Given the transfer market for IPv4 addresses, 
> the spot price for IPv4 addresses, and the need 
> of even governments to find “free” (as in 
> unconstrained) money, I’d think treating any 
> legacy /8 as a bogon would not be prudent. 

It has been said before in this thread that the DoD actively uses this 
network internally. I believe if the DoD were to cut costs, they 
would be able to do it much more effectively in many other areas, and 
their IPv4 networks would be about the last thing they would think of 
(along with switching off ACs Bernard Ebbers-style). With that in 
mind, treating the DoD networks as bogons now makes total sense to me. 

-- 
Töma

Re: DoD IP Space

2021-04-24 Thread Mel Beckman
I will not permit traffic into my network whose proven-malicious IP space owner 
is devious about its purpose. You can, if you want.

 -mel

On Apr 24, 2021, at 8:28 AM, Mike Hammett  wrote:


Huh?



-
Mike Hammett
Intelligent Computing Solutions<http://www.ics-il.com/>
Midwest Internet Exchange<http://www.midwest-ix.com/>
The Brothers WISP<http://www.thebrotherswisp.com/>

From: "Mel Beckman" 
To: "John Curran" 
Cc: nanog@nanog.org
Sent: Saturday, April 24, 2021 10:24:45 AM
Subject: Re: DoD IP Space

This doesn’t sound good, no matter how you slice it. The lack of transparency 
with a civilian resource is troubling at a minimum. I’m going to bogon this 
space as a defensive measure, until its real — and detailed — purpose can be 
known. The secret places of our government have proven themselves untrustworthy 
in the protection of citizens’ data and networks. They tend to think they know 
“what’s good for” us.

 -mel

On Apr 24, 2021, at 8:05 AM, John Curran  wrote:


As noted - 
https://www.washingtonpost.com/technology/2021/04/24/pentagon-internet-address-mystery/#click=https://t.co/mVh26yBq9G

FYI,
/John

John Curran
President and CEO
American Registry for Internet Numbers

On Jan 20, 2021, at 8:35 AM, John Curran  wrote:


Tom –

Most definitely: lack of routing history is not at all a reliable indicator of 
the potential for valid routing of a given IPv4 block in the future, so best 
practice suggests that allocated address space should not be blocked by others 
without specific cause.

Doing otherwise opens one up to unexpected surprises when issued space suddenly 
becomes more active in routing and yet is inexplicably unreachable for some 
destinations.

/John

On Nov 5, 2019, at 10:38 AM, Tom Beecher  wrote:


Using the generally accepted definition of a bogon ( RFC 1918 / 5735 / 6598 + 
netblock not allocated by an RiR ), 22/8 is not a bogon and shouldn't be 
treated as one.

The DoD does not announce it to the DFZ, as is their choice, but nothing says 
they may not change that position tomorrow. There are plenty of subnets out 
there that are properly allocated by an RiR, but the assignees do not send them 
to the DFZ because of $reasons.

In my opinion, creating bogon lists that include allocated but not advertised 
prefixes is poor practice that is likely to end up biting an operator at one 
point or another.

On Tue, Nov 5, 2019 at 9:45 AM Töma Gavrichenkov <xima...@gmail.com> wrote:
Peace,

On Tue, Nov 5, 2019, 4:55 PM David Conrad <d...@virtualized.org> wrote:
> On Nov 4, 2019, at 10:56 PM, Grant Taylor via NANOG <nanog@nanog.org> wrote:
>> This thread got me to wondering, is there any
>> legitimate reason to see 22/8 on the public
>> Internet?  Or would it be okay to treat 22/8
>> like a Bogon and drop it at the network edge?
>
> Given the transfer market for IPv4 addresses,
> the spot price for IPv4 addresses, and the need
> of even governments to find “free” (as in
> unconstrained) money, I’d think treating any
> legacy /8 as a bogon would not be prudent.

It has been said before in this thread that the DoD actively uses this
network internally.  I believe if the DoD were to cut costs, they
would be able to do it much more effectively in many other areas, and
their IPv4 networks would be about the last thing they would think of
(along with switching off ACs Bernard Ebbers-style).  With that in
mind, treating the DoD networks as bogons now makes total sense to me.

--
Töma



Re: DoD IP Space

2021-04-24 Thread Mike Hammett
Huh?

-
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP

- Original Message -

From: "Mel Beckman"  
To: "John Curran"  
Cc: nanog@nanog.org 
Sent: Saturday, April 24, 2021 10:24:45 AM 
Subject: Re: DoD IP Space 

This doesn’t sound good, no matter how you slice it. The lack of transparency 
with a civilian resource is troubling at a minimum. I’m going to bogon this 
space as a defensive measure, until its real — and detailed — purpose can be 
known. The secret places of our government have proven themselves untrustworthy 
in the protection of citizens’ data and networks. They tend to think they know 
“what’s good for” us. 


-mel 



On Apr 24, 2021, at 8:05 AM, John Curran  wrote:

As noted -
https://www.washingtonpost.com/technology/2021/04/24/pentagon-internet-address-mystery/#click=https://t.co/mVh26yBq9G
 


FYI, 
/John 


John Curran 
President and CEO 
American Registry for Internet Numbers 



On Jan 20, 2021, at 8:35 AM, John Curran  wrote:

Tom –


Most definitely: lack of routing history is not at all a reliable indicator of 
the potential for valid routing of a given IPv4 block in the future, so best 
practice suggests that allocated address space should not be blocked by others 
without specific cause. 

Doing otherwise opens one up to unexpected surprises when issued space suddenly 
becomes more active in routing and yet is inexplicably unreachable for some 
destinations. 


/John 



On Nov 5, 2019, at 10:38 AM, Tom Beecher  wrote:

Using the generally accepted definition of a bogon ( RFC 1918 / 5735 / 6598 + 
netblock not allocated by an RiR ), 22/8 is not a bogon and shouldn't be 
treated as one. 



The DoD does not announce it to the DFZ, as is their choice, but nothing says 
they may not change that position tomorrow. There are plenty of subnets out 
there that are properly allocated by an RiR, but the assignees do not send them 
to the DFZ because of $reasons. 


In my opinion, creating bogon lists that include allocated but not advertised 
prefixes is poor practice that is likely to end up biting an operator at one 
point or another. 


On Tue, Nov 5, 2019 at 9:45 AM Töma Gavrichenkov < xima...@gmail.com > wrote: 


Peace, 

On Tue, Nov 5, 2019, 4:55 PM David Conrad < d...@virtualized.org > wrote: 
> On Nov 4, 2019, at 10:56 PM, Grant Taylor via NANOG < nanog@nanog.org > 
> wrote: 
>> This thread got me to wondering, is there any 
>> legitimate reason to see 22/8 on the public 
>> Internet? Or would it be okay to treat 22/8 
>> like a Bogon and drop it at the network edge? 
> 
> Given the transfer market for IPv4 addresses, 
> the spot price for IPv4 addresses, and the need 
> of even governments to find “free” (as in 
> unconstrained) money, I’d think treating any 
> legacy /8 as a bogon would not be prudent. 

It has been said before in this thread that the DoD actively uses this 
network internally. I believe if the DoD were to cut costs, they 
would be able to do it much more effectively in many other areas, and 
their IPv4 networks would be about the last thing they would think of 
(along with switching off ACs Bernard Ebbers-style). With that in 
mind, treating the DoD networks as bogons now makes total sense to me. 

-- 
Töma

Re: DoD IP Space

2021-04-24 Thread Mel Beckman
This doesn’t sound good, no matter how you slice it. The lack of transparency 
with a civilian resource is troubling at a minimum. I’m going to bogon this 
space as a defensive measure, until its real — and detailed — purpose can be 
known. The secret places of our government have proven themselves untrustworthy 
in the protection of citizens’ data and networks. They tend to think they know 
“what’s good for” us.

 -mel

On Apr 24, 2021, at 8:05 AM, John Curran  wrote:


As noted - 
https://www.washingtonpost.com/technology/2021/04/24/pentagon-internet-address-mystery/#click=https://t.co/mVh26yBq9G

FYI,
/John

John Curran
President and CEO
American Registry for Internet Numbers

On Jan 20, 2021, at 8:35 AM, John Curran  wrote:


Tom –

Most definitely: lack of routing history is not at all a reliable indicator of 
the potential for valid routing of a given IPv4 block in the future, so best 
practice suggests that allocated address space should not be blocked by others 
without specific cause.

Doing otherwise opens one up to unexpected surprises when issued space suddenly 
becomes more active in routing and yet is inexplicably unreachable for some 
destinations.

/John

On Nov 5, 2019, at 10:38 AM, Tom Beecher  wrote:


Using the generally accepted definition of a bogon ( RFC 1918 / 5735 / 6598 + 
netblock not allocated by an RiR ), 22/8 is not a bogon and shouldn't be 
treated as one.

The DoD does not announce it to the DFZ, as is their choice, but nothing says 
they may not change that position tomorrow. There are plenty of subnets out 
there that are properly allocated by an RiR, but the assignees do not send them 
to the DFZ because of $reasons.

In my opinion, creating bogon lists that include allocated but not advertised 
prefixes is poor practice that is likely to end up biting an operator at one 
point or another.

On Tue, Nov 5, 2019 at 9:45 AM Töma Gavrichenkov < xima...@gmail.com > wrote:
Peace,

On Tue, Nov 5, 2019, 4:55 PM David Conrad < d...@virtualized.org > wrote:
> On Nov 4, 2019, at 10:56 PM, Grant Taylor via NANOG < nanog@nanog.org > wrote:
>> This thread got me to wondering, is there any
>> legitimate reason to see 22/8 on the public
>> Internet?  Or would it be okay to treat 22/8
>> like a Bogon and drop it at the network edge?
>
> Given the transfer market for IPv4 addresses,
> the spot price for IPv4 addresses, and the need
> of even governments to find “free” (as in
> unconstrained) money, I’d think treating any
> legacy /8 as a bogon would not be prudent.

It has been said before in this thread that the DoD actively uses this
network internally.  I believe if the DoD were to cut costs, they
would be able to do it much more effectively in many other areas, and
their IPv4 networks would be about the last thing they would think of
(along with switching off ACs Bernard Ebbers-style).  With that in
mind, treating the DoD networks as bogons now makes total sense to me.

--
Töma


Re: DoD IP Space

2021-04-24 Thread John Curran
As noted - 
https://www.washingtonpost.com/technology/2021/04/24/pentagon-internet-address-mystery/#click=https://t.co/mVh26yBq9G

FYI,
/John

John Curran
President and CEO
American Registry for Internet Numbers

On Jan 20, 2021, at 8:35 AM, John Curran  wrote:


Tom –

Most definitely: lack of routing history is not at all a reliable indicator of 
the potential for valid routing of a given IPv4 block in the future, so best 
practice suggests that allocated address space should not be blocked by others 
without specific cause.

Doing otherwise opens one up to unexpected surprises when issued space suddenly 
becomes more active in routing and yet is inexplicably unreachable for some 
destinations.

/John

On Nov 5, 2019, at 10:38 AM, Tom Beecher  wrote:


Using the generally accepted definition of a bogon ( RFC 1918 / 5735 / 6598 + 
netblock not allocated by an RiR ), 22/8 is not a bogon and shouldn't be 
treated as one.

The DoD does not announce it to the DFZ, as is their choice, but nothing says 
they may not change that position tomorrow. There are plenty of subnets out 
there that are properly allocated by an RiR, but the assignees do not send them 
to the DFZ because of $reasons.

In my opinion, creating bogon lists that include allocated but not advertised 
prefixes is poor practice that is likely to end up biting an operator at one 
point or another.

On Tue, Nov 5, 2019 at 9:45 AM Töma Gavrichenkov < xima...@gmail.com > wrote:
Peace,

On Tue, Nov 5, 2019, 4:55 PM David Conrad < d...@virtualized.org > wrote:
> On Nov 4, 2019, at 10:56 PM, Grant Taylor via NANOG < nanog@nanog.org > wrote:
>> This thread got me to wondering, is there any
>> legitimate reason to see 22/8 on the public
>> Internet?  Or would it be okay to treat 22/8
>> like a Bogon and drop it at the network edge?
>
> Given the transfer market for IPv4 addresses,
> the spot price for IPv4 addresses, and the need
> of even governments to find “free” (as in
> unconstrained) money, I’d think treating any
> legacy /8 as a bogon would not be prudent.

It has been said before in this thread that the DoD actively uses this
network internally.  I believe if the DoD were to cut costs, they
would be able to do it much more effectively in many other areas, and
their IPv4 networks would be about the last thing they would think of
(along with switching off ACs Bernard Ebbers-style).  With that in
mind, treating the DoD networks as bogons now makes total sense to me.

--
Töma
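
The bogon definition quoted in this message (special-use ranges plus space no RIR has allocated) can be checked mechanically against a local drop list. The following is an added example, not code from any poster: the allocation snapshot, routing snapshot and drop list are constructed sample data, and the function names are hypothetical.

```python
import ipaddress

# Special-use IPv4 blocks listed in the RFCs the quoted definition names.
SPECIAL_USE = {
    "0.0.0.0/8": "RFC 5735 'this' network",
    "10.0.0.0/8": "RFC 1918 private use",
    "100.64.0.0/10": "RFC 6598 shared address space",
    "127.0.0.0/8": "RFC 5735 loopback",
    "169.254.0.0/16": "RFC 5735 link local",
    "172.16.0.0/12": "RFC 1918 private use",
    "192.0.0.0/24": "RFC 5735 IETF protocol assignments",
    "192.0.2.0/24": "RFC 5735 TEST-NET-1",
    "192.88.99.0/24": "RFC 5735 6to4 relay anycast",
    "192.168.0.0/16": "RFC 1918 private use",
    "198.18.0.0/15": "RFC 5735 benchmarking",
    "198.51.100.0/24": "RFC 5735 TEST-NET-2",
    "203.0.113.0/24": "RFC 5735 TEST-NET-3",
    "224.0.0.0/4": "RFC 5735 multicast",
    "240.0.0.0/4": "RFC 5735 reserved for future use",
}

# Constructed snapshots, not live data. In practice the first would be built
# from the RIR delegation files and the second from your own BGP tables.
ALLOCATED_SAMPLE = ["11.0.0.0/8", "22.0.0.0/8"]  # the two /8s this thread discusses
ROUTED_SAMPLE = ["11.0.0.0/8"]                   # constructed: 11/8 seen, 22/8 not

# Constructed local drop list of the kind the thread argues about.
DROP_LIST_SAMPLE = ["10.0.0.0/8", "100.64.0.0/10", "198.51.100.0/24",
                    "22.0.0.0/8", "11.0.0.0/8"]


def to_nets(prefixes):
    """Parse CIDR strings into IPv4Network objects."""
    return [ipaddress.IPv4Network(p) for p in prefixes]


def classify(prefix, allocated, routed):
    """Classify one prefix under the quoted definition of a bogon."""
    net = ipaddress.IPv4Network(prefix)
    # Wholly inside a special-use block: a bogon by RFC.
    for block, reason in SPECIAL_USE.items():
        if net.subnet_of(ipaddress.IPv4Network(block)):
            return "bogon: " + reason
    # Touches no allocation in the supplied snapshot: a bogon by registry.
    if not any(net.overlaps(a) for a in to_nets(allocated)):
        return "bogon: not allocated by an RIR"
    # Allocated space is never a bogon here, whether or not it is announced.
    if any(net.overlaps(r) for r in to_nets(routed)):
        return "allocated, announced"
    return "allocated, not announced"


def audit_drop_list(drop_list, allocated, routed):
    """Return the drop-list entries that are not bogons under the definition."""
    findings = []
    for prefix in drop_list:
        verdict = classify(prefix, allocated, routed)
        if not verdict.startswith("bogon"):
            findings.append((prefix, verdict))
    return findings


if __name__ == "__main__":
    for prefix, verdict in audit_drop_list(
            DROP_LIST_SAMPLE, ALLOCATED_SAMPLE, ROUTED_SAMPLE):
        print(f"{prefix:18} {verdict}: review, this entry drops allocated space")
```

Re-running the audit whenever the routing snapshot changes shows when an "allocated, not announced" entry has become "allocated, announced", which is the point at which the filter starts dropping reachable destinations.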


Re: DoD IP Space

2021-03-11 Thread Christopher Morrow
On Thu, Mar 11, 2021 at 10:54 AM j k  wrote:
>
> Two questions...
>
> 1. How many on this list already have dual-stack or IPv6 only in operation?

we're coming up on the 10yr anniversary of 'world ipv6 day'.. so I
would HOPE 'lots' :)
probably that's not entirely a good 'hope' :(

> 2. If you are running IPv4 only, and a major service was to switch to IPv6 
> only,..
>  a. How fast would you move to a dual-stack or IPv6 only?
>  b. How would it impact your customers?
>  c. How would it impact your business?
>

This is REALLY nowadays: "people will learn when they get bit"
much like 'gosh, password is not a great password, who knew?'
 or: "well, who needs windows updates anyway?"

evangelizing ipv6 is... not worth the effort :( because if you didn't
get the memo over the last 10yrs
you are verizon and you are not changing stance until something
significant enough bites you.
(yearly email about verizon residential service and lack of ipv6 support.. )


Re: DoD IP Space

2021-03-11 Thread j k
Two questions...

1. How many on this list already have dual-stack or IPv6 only in operation?

2. If you are running IPv4 only, and a major service was to switch to IPv6
only,..
 a. How fast would you move to a dual-stack or IPv6 only?
 b. How would it impact your customers?
 c. How would it impact your business?

Joe Klein

"inveniet viam, aut faciet" --- Seneca's Hercules Furens (Act II, Scene 1)
"I skate to where the puck is going to be, not to where it has been." -- Wayne Gretzky
"I never lose. I either win or learn" - Nelson Mandela


On Thu, Feb 11, 2021 at 12:56 PM William Herrin  wrote:

> On Thu, Feb 11, 2021 at 6:13 AM Izaac  wrote:
> > On Wed, Feb 10, 2021 at 10:38:00AM -0800, William Herrin wrote:
> > > None whatsoever. You just have to be really big.
> >
> > Hi Beel,
>
> That was unnecessary. Sorry I used an S instead of a Z.
>
> > Thanks for backing me up with an example of an organization with
> > competent network engineering.  Their ability to almost infinitely
> > leverage the existing rfc1918 address space to serve an appreciable
> > fraction of all Internet attached hosts is a real demonstration of the
> > possible.
>
> Except they don't. One of the reasons you can't put vms in multiple
> regions into the same VPC is they don't have enough IP addresses to
> uniquely address the backend hosts in every region. They end up with a
> squirrelly VPC peering thing that relies on multiple gateway hosts to
> overcome the address partitioning from overlapping RFC1918.
>
> In other words, it proves the exact opposite of your assertion.
>
> Regards,
> Bill Herrin
>
>
>
> --
> William Herrin
> b...@herrin.us
> https://bill.herrin.us/
>


Re: DoD IP Space

2021-02-27 Thread Daniel Seagraves


> On Feb 26, 2021, at 7:50 PM, Mel Beckman  wrote:
> 
> IPv6. The protocol of the future, and always will be :)

“Why be part of the solution when there’s good money to be made in prolonging 
the problem?”



Re: DoD IP Space

2021-02-26 Thread Mel Beckman
I remember. And I have the HE.net Guru Badge to prove it :)

And don’t forget the World IPv6 Launch in 2012. 

IPv6. The protocol of the future, and always will be :)


-mel via cell

> On Feb 26, 2021, at 3:49 PM, Jay Hennigan  wrote:
> 
> On 2/13/21 18:24, Mark Foster wrote:
> 
>> So the business case will be the 'killer app' or perhaps 'killer service' 
>> that's IPv6-only and that'll provide a business reason.
>> But chicken and egg.. who wants to run a service that's IPv6-only and miss 
>> out on such a big userbase?
> 
> Am I the only one who remembers "The Great IPv6 Experiment" from way back in 
> 2007?
> 
> -- 
> Jay Hennigan - j...@west.net
> Network Engineering - CCIE #7880
> 503 897-8550 - WB6RDV


Re: DoD IP Space

2021-02-26 Thread Jay Hennigan

On 2/13/21 18:24, Mark Foster wrote:


So the business case will be the 'killer app' or perhaps 'killer service' 
that's IPv6-only and that'll provide a business reason.

But chicken and egg.. who wants to run a service that's IPv6-only and miss out 
on such a big userbase?


Am I the only one who remembers "The Great IPv6 Experiment" from way 
back in 2007?


--
Jay Hennigan - j...@west.net
Network Engineering - CCIE #7880
503 897-8550 - WB6RDV


Re: DoD IP Space

2021-02-15 Thread bzs


In my humble but correct opinion one of the things which sabotages
these efforts is an aversion to any solution which doesn't feel like
it would work quickly and decisively (ask Bezos to offer a discount to
anyone using IPv6 to order on Amazon???)

I remember back in ~2003 on the Anti-Spam Research Group some
interesting ideas* being shot down because that would take ten years
to deploy! 2003.

And here we are about 25 years into IPv6 still looking for that silver
bullet.

What might be more useful would be forming some sort of group with the
understanding that they might produce a ten year or longer timeline of
steps which might more fully deploy IPv6.

* In all honesty they weren't all that interesting. But for example
"we need to respecify SMTP to stop spam!" had a half-life of about 60
minutes dying on the rebuttal that even if you did that it would take
TEN YEARS to get wide adoption of an SMTP replacement. I never saw how
such proposals would help with spam but ok perhaps they were
discouraged by the rebuts.

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


Re: DoD IP Space

2021-02-15 Thread Randy Bush
> it’s unclear if there’s been any systematic look-back or institutional
> learning coming out of the entire experience.

i am always impressed by optimism in the face of cold reality


Re: DoD IP Space

2021-02-15 Thread Mark Andrews
1993 matches my recollections as well.

Network Working Group                                       S. Bradner
Internet draft                                      Harvard University
                                                             A. Mankin
                                                                   NRL
                                                        September 1994


        The Recommendation for the IP Next Generation Protocol


  



> On 16 Feb 2021, at 04:28, Mel Beckman  wrote:
> 
> LOL! Well, Mike says “definitely at least 1993”, whereas Wikipedia itself 
> says that Wikipedia cannot be trusted. Mike, to my knowledge, has never 
> admitted being wrong. So I’m going with Mike :)
> 
> I think it was Al Gore who first proposed IPv6, right Mike? :)
> 
>  -mel beckman
> 
>> On Feb 15, 2021, at 6:36 AM, Kenneth J. Dupuis  wrote:
>> 
>> 
>> 1995? https://en.m.wikipedia.org/wiki/IPv6
>> 
>> On Feb 11, 2021 8:51 PM, Michael Thomas  wrote:
>> 
>> On 2/11/21 5:41 PM, Izaac wrote: 
>> > 
>> >> IPv6 restores that ability and RFC-1918 is a bandaid for an obsolete 
>> >> protocol. 
>> > So, in your mind, IPv4 was "obsolete" in 1996 -- almost three years 
>> > before IPv6 was even specified?  Fascinating.  I could be in no way 
>> > mistaken for an IPv4/NAT apologist, but that one's new on me. 
>> 
>> ipv6 was on my radar in the early 90's. it was definitely at least 1993, 
>> maybe earlier. 
>> 
>> Mike 
>> 
>> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



Re: DoD IP Space

2021-02-15 Thread Gary Buhrmaster
On Mon, Feb 15, 2021 at 9:36 PM Joe Loiacono  wrote:

> V8!  heh ... wow hadn't thought of that for a while ...

... Slaps forehead and says:  "Wow, I could've had a V8!"


Re: DoD IP Space

2021-02-15 Thread Joe Loiacono

V8!  heh ... wow hadn't thought of that for a while ...

On 2/15/2021 3:39 PM, Valdis Klētnieks wrote:

On Mon, 15 Feb 2021 10:51:51 -0800, Sabri Berisha said:


Well, considering this RIPE article that talked about IPv7 already..

https://lists.ripe.net/pipermail/ripe-org-closed/1993/msg00024.html

Bonus points for those who remember/know where v5 and v8 were from :)


Re: DoD IP Space

2021-02-15 Thread Fred Baker


Streams Transport and PIP.

Good grief. V7 was Robert Ullman’s CATNIP. He wanted to sell hardware to 
everyone, and V7 was the interchange protocol between IPv4, IPX, and CLNS.

Sent using a machine that autocorrects in interesting ways...

> On Feb 15, 2021, at 12:41 PM, Valdis Klētnieks wrote:
> 
> On Mon, 15 Feb 2021 10:51:51 -0800, Sabri Berisha said:
> 
>> Well, considering this RIPE article that talked about IPv7 already..
>> 
>> https://lists.ripe.net/pipermail/ripe-org-closed/1993/msg00024.html
> 
> Bonus points for those who remember/know where v5 and v8 were from :)

V5 was 

Re: DoD IP Space

2021-02-15 Thread james.cut...@consultant.com
It’s Dead, Jim — Speaking of V8.  I’m glad Outlook had a Delete button.

> On Feb 15, 2021, at 3:39 PM, Valdis Klētnieks  wrote:
> 
> On Mon, 15 Feb 2021 10:51:51 -0800, Sabri Berisha said:
> 
>> Well, considering this RIPE article that talked about IPv7 already..
>> 
>> https://lists.ripe.net/pipermail/ripe-org-closed/1993/msg00024.html
> 
> Bonus points for those who remember/know where v5 and v8 were from :)



Re: DoD IP Space

2021-02-15 Thread Valdis Klētnieks
On Mon, 15 Feb 2021 10:51:51 -0800, Sabri Berisha said:

> Well, considering this RIPE article that talked about IPv7 already..
>
> https://lists.ripe.net/pipermail/ripe-org-closed/1993/msg00024.html

Bonus points for those who remember/know where v5 and v8 were from :)




Re: DoD IP Space

2021-02-15 Thread Geoff Mulligan
Actually John - IPng started out being called IPv7, but we caught the 
mistake and renamed it IPv6.  Whew :-)


Geoff


On 2/15/21 8:33 AM, John Curran wrote:
On 15 Feb 2021, at 2:01 AM, Mark Andrews wrote:

...
Complain to your vendors about not implementing RFC 8305, RFC 6724, and
RFC 7078.  RFC 8305 or RFC6724 + RFC 7078 would fix your issue.

That's Happy Eyeballs and tuneable address selection rules.


Mark -

You’ve properly pointed out IPv6 can indeed be readily & safely 
deployed today using modern equipment that supports a reasonable 
transition approach… full agreement there.


Interestingly enough, you’ve also pointed out the not-so-secret reason 
why it's taken so long to get sizable deployment of IPv6 – that is, 
despite us knowing that we needed "a straightforward transition plan” 
on day one that documented how to move from IPv4 to IPng (aka IPv6), 
we opted in 1995 to select a next generation protocol which lacked any 
meaningful transition plan and instead left that nasty transition 
topic as an exercise for the reader and/or addressed by postulated 
outputs from newly-defined working groups…  thus the underlying reason 
for the lost decades of creative engineering efforts in gap-filling by 
those who came after and had to actually build working networks and 
applications using IPv6.


For what it’s worth, I do think we’re finally 98 or 99% of the way 
there, but it has resulted in some very real costs - rampant industry 
confusion, loss of standards credibility, etc.  There’s some real 
lessons to be had here – as one who was in the IP Directorate at the 
time (and thus sharing in the blame), I know I would have done quite a 
bit differently, but it’s unclear if there’s been any systematic 
look-back or institutional learning coming out of the entire experience.


FYI,
/John






Re: DoD IP Space

2021-02-15 Thread Sabri Berisha
- On Feb 15, 2021, at 9:28 AM, mel  wrote: 

Hi,

> LOL! Well, Mike says “definitely at least 1993”, whereas Wikipedia itself says
> that Wikipedia cannot be trusted. Mike, to my knowledge, has never admitted
> being wrong. So I’m going with Mike :)

Well, considering this RIPE article that talked about IPv7 already..

https://lists.ripe.net/pipermail/ripe-org-closed/1993/msg00024.html

I'd say: myth plausible.

> I think it was Al Gore who first proposed IPv6, right Mike? :)

Myth busted. He invented the internet. IPv6 was invented by his intern.

Thanks,

Sabri


Re: DoD IP Space

2021-02-15 Thread Mel Beckman
LOL! Well, Mike says “definitely at least 1993”, whereas Wikipedia itself says 
that Wikipedia cannot be trusted. Mike, to my knowledge, has never admitted 
being wrong. So I’m going with Mike :)

I think it was Al Gore who first proposed IPv6, right Mike? :)

 -mel beckman

On Feb 15, 2021, at 6:36 AM, Kenneth J. Dupuis  wrote:


1995? https://en.m.wikipedia.org/wiki/IPv6

On Feb 11, 2021 8:51 PM, Michael Thomas  wrote:

On 2/11/21 5:41 PM, Izaac wrote:
>
>> IPv6 restores that ability and RFC-1918 is a bandaid for an obsolete 
>> protocol.
> So, in your mind, IPv4 was "obsolete" in 1996 -- almost three years
> before IPv6 was even specified?  Fascinating.  I could be in no way
> mistaken for an IPv4/NAT apologist, but that one's new on me.

ipv6 was on my radar in the early 90's. it was definitely at least 1993,
maybe earlier.

Mike




Re: DoD IP Space

2021-02-15 Thread William Herrin
On Mon, Feb 15, 2021 at 7:49 AM Valdis Klētnieks wrote:
> On Sun, 14 Feb 2021 22:25:56 -0800, William Herrin said:
> > This particular problem could be quickly resolved if the OSes still
> > getting updates were updated to default name resolution to prioritize
> > the IPv4 addresses instead. That would allow broken IPv6
> > configurations to exist without breaking the user's entire Internet
> > experience. Which would allow them to leave it turned on so that it
> > resumes working when the error is eventually found and fixed.
>
> Oh, come on Bill.  This ain't your first rodeo.  You know damned well
> that if we do that, the errors are in fact *not* eventually found and fixed.

I don't know that and neither do you. That remains an untested theory.
What I do know, with the perfection of 20/20 hindsight, is that
v6-first has impeded deployment for two decades by routinely giving
folks a reason to turn IPv6 back off.

Hard headed.

Regards,
Bill Herrin




-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/


Re: DoD IP Space

2021-02-15 Thread Valdis Klētnieks
On Sun, 14 Feb 2021 22:25:56 -0800, William Herrin said:

> This particular problem could be quickly resolved if the OSes still
> getting updates were updated to default name resolution to prioritize
> the IPv4 addresses instead. That would allow broken IPv6
> configurations to exist without breaking the user's entire Internet
> experience. Which would allow them to leave it turned on so that it
> resumes working when the error is eventually found and fixed.

Oh, come on Bill.  This ain't your first rodeo.  You know damned well
that if we do that, the errors are in fact *not* eventually found and fixed.

In addition, if you do that, even once the error is fixed, the box will
not know about that and will continue to use the IPv4 addresses.


Re: DoD IP Space

2021-02-15 Thread John Curran
On 15 Feb 2021, at 2:01 AM, Mark Andrews  wrote:
> ...
> Complain to your vendors about not implementing RFC 8305, RFC 6724, and
> RFC 7078.  RFC 8305 or RFC6724 + RFC 7078 would fix your issue.
> 
> That's Happy Eyeballs and tuneable address selection rules.

Mark - 

You’ve properly pointed out IPv6 can indeed be readily & safely 
deployed today using modern equipment that supports a reasonable transition 
approach… full agreement there. 

Interestingly enough, you’ve also pointed out the not-so-secret reason 
why it's taken so long to get sizable deployment of IPv6 – that is, despite us 
knowing that we needed "a straightforward transition plan” on day one that 
documented how to move from IPv4 to IPng (aka IPv6), we opted in 1995 to select 
a next generation protocol which lacked any meaningful transition plan and 
instead left that nasty transition topic as an exercise for the reader and/or 
addressed by postulated outputs from newly-defined working groups…  thus the 
underlying reason for the lost decades of creative engineering efforts in 
gap-filling by those who came after and had to actually build working networks 
and applications using IPv6.

For what it’s worth, I do think we’re finally 98 or 99% of the way 
there, but it has resulted in some very real costs - rampant industry confusion, 
loss of standards credibility, etc.  There’s some real lessons to be had here – 
as one who was in the IP Directorate at the time (and thus sharing in the 
blame), I know I would have done quite a bit differently, but it’s unclear if 
there’s been any systematic look-back or institutional learning coming out of 
the entire experience.

FYI,
/John 




Re: DoD IP Space

2021-02-15 Thread james.cut...@consultant.com
On Feb 11, 2021, at 9:01 PM, Kenneth J. Dupuis  wrote:
> 
> 1995? https://en.m.wikipedia.org/wiki/IPv6
> 
> On Feb 11, 2021 8:51 PM, Michael Thomas  wrote:
> 
> On 2/11/21 5:41 PM, Izaac wrote:
> >
> >> IPv6 restores that ability and RFC-1918 is a bandaid for an obsolete 
> >> protocol.
> > So, in your mind, IPv4 was "obsolete" in 1996 -- almost three years
> > before IPv6 was even specified?  Fascinating.  I could be in no way
> > mistaken for an IPv4/NAT apologist, but that one's new on me.
> 
> ipv6 was on my radar in the early 90's. it was definitely at least 1993, 
> maybe earlier.
> 
> Mike
> 
Back then some thought it would be more like DECnet Phase V.



Re: DoD IP Space

2021-02-15 Thread Kenneth J. Dupuis
1995? https://en.m.wikipedia.org/wiki/IPv6

On Feb 11, 2021 8:51 PM, Michael Thomas  wrote:
On 2/11/21 5:41 PM, Izaac wrote:
>
>> IPv6 restores that ability and RFC-1918 is a bandaid for an obsolete protocol.
> So, in your mind, IPv4 was "obsolete" in 1996 -- almost three years
> before IPv6 was even specified?  Fascinating.  I could be in no way
> mistaken for an IPv4/NAT apologist, but that one's new on me.

ipv6 was on my radar in the early 90's. it was definitely at least 1993, 
maybe earlier.

Mike




Re: DoD IP Space

2021-02-15 Thread Mark Tinka




On 2/15/21 09:59, na...@jack.fr.eu.org wrote:


Yet both ps5 and xbox series x have ipv6 support

A console released in 2013 does not, but its successor released in 2020 
has it


How wild is this, I wonder why ?


IPv6 also runs on hardware that was shipped as far back as 2003, if not 
earlier.


Mark.


Re: DoD IP Space

2021-02-15 Thread William Herrin
On Sun, Feb 14, 2021 at 11:01 PM Mark Andrews  wrote:
> Complain to your vendors about not implementing RFC 8305, RFC 6724, and
> RFC 7078.  RFC 8305 or RFC6724 + RFC 7078 would fix your issue.
>
> That's Happy Eyeballs and tuneable address selection rules.
>
> You don’t have to perform the naive connection from getaddrinfo() man page.

Hi Mark,

When I said bull-headed, this is exactly what I had in mind. Happy
eyeballs and things like
https://bill.herrin.us/freebies/libeasyv6-0.1/ aren't first-class
citizens in the APIs. Their code has to be independently added to each
application individually. Getaddrinfo() is core standard. Fix the
problem in the place that fixes it in every place or else it's never
really fixed.

Regards,
Bill Herrin


-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/
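
What an application has to add on top of getaddrinfo() to get Happy Eyeballs behaviour is an ordering step and a pacing step. The following added example (not code from any poster or from libeasyv6) models both offline for the case reported in this thread, a host with 8 unusable IPv6 addresses and working IPv4; the addresses, timings and function names are constructed assumptions, and the pacing is a simplification of RFC 8305 section 5.

```python
import ipaddress

CONNECTION_ATTEMPT_DELAY_MS = 250  # RFC 8305 recommended default

# Constructed resolver answer: 8 IPv6 addresses followed by 2 IPv4 addresses,
# using documentation prefixes (2001:db8::/32 and 192.0.2.0/24).
SAMPLE_V6 = [f"2001:db8::{i}" for i in range(1, 9)]
SAMPLE_V4 = ["192.0.2.10", "192.0.2.11"]


def family(addr):
    """Return 4 or 6 for a textual IP address."""
    return ipaddress.ip_address(addr).version


def interleave(addrs, first_family_count=1):
    """Alternate address families, in the manner of RFC 8305 section 4.

    The family of the first address in the resolver's list is treated as
    preferred; first_family_count of its addresses go first, then the two
    families alternate until both lists are exhausted.
    """
    if not addrs:
        return []
    first = family(addrs[0])
    preferred = [a for a in addrs if family(a) == first]
    other = [a for a in addrs if family(a) != first]
    ordered = preferred[:first_family_count]
    preferred = preferred[first_family_count:]
    while preferred or other:
        if other:
            ordered.append(other.pop(0))
        if preferred:
            ordered.append(preferred.pop(0))
    return ordered


def serial_connect_ms(order, reachable, rtt_ms, fail_ms):
    """Model the man-page loop: one blocking connect() at a time.

    fail_ms is the assumed time a connect() to a dead address takes to give
    up. Returns (address that connected or None, elapsed milliseconds).
    """
    elapsed = 0
    for addr in order:
        if addr in reachable:
            return addr, elapsed + rtt_ms
        elapsed += fail_ms
    return None, elapsed


def staggered_connect_ms(order, reachable, rtt_ms, fail_ms,
                         delay_ms=CONNECTION_ATTEMPT_DELAY_MS):
    """Model staggered attempts: the next attempt starts after delay_ms or
    as soon as the previous one fails, whichever is first, while earlier
    attempts keep running. Returns (winning address or None, elapsed ms).
    """
    step = min(delay_ms, fail_ms)
    start = 0
    best = None
    for addr in order:
        if best is not None and best[1] <= start:
            break  # an earlier attempt completed before this one would start
        if addr in reachable:
            done = start + rtt_ms
            if best is None or done < best[1]:
                best = (addr, done)
        start += step
    if best is not None:
        return best
    return (None, start - step + fail_ms) if order else (None, 0)


if __name__ == "__main__":
    answers = SAMPLE_V6 + SAMPLE_V4
    only_v4_works = set(SAMPLE_V4)
    # rtt_ms and fail_ms are constructed values for the model.
    print("serial   :", serial_connect_ms(answers, only_v4_works, 40, 3000))
    print("staggered:", staggered_connect_ms(interleave(answers),
                                             only_v4_works, 40, 3000))
    print("v6 healthy:", staggered_connect_ms(interleave(answers),
                                              set(answers), 40, 3000))
```

With IPv6 broken the model connects over IPv4 after one attempt delay instead of after eight failures, and with IPv6 healthy the first IPv6 address still wins, so the preference for IPv6 is kept.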


Re: DoD IP Space

2021-02-15 Thread nanog

Yet both ps5 and xbox series x have ipv6 support

A console released in 2013 does not, but its successor released in 2020 
has it


How wild is this, I wonder why ?

On 2/15/21 5:25 AM, Mark Tinka wrote:
I mean, there's a reason that 
in 2021, PS4 still does not support IPv6.


Mark.




Re: DoD IP Space

2021-02-14 Thread Mark Andrews


> On 15 Feb 2021, at 17:25, William Herrin  wrote:
> 
> On Sun, Feb 14, 2021 at 8:27 PM Mark Tinka  wrote:
>> Dropping a few feet from cloud nine, there, really, is no other thing
>> that will facilitate or hold back the adoption of IPv6, like money.
> 
> Well actually, that's not entirely true. One thing holding back IPv6
> is the unfortunately routine need to turn it off in order to get one
> or another IPv4 thing back working again. Like the disney thing
> earlier in this thread. Or like my experience yesterday where I had to
> disable IPv6 to fetch files on a particular server because SLAAC was
> serving up invalid addresses but the app insisted on trying all 8 IPv6
> addresses before it would attempt any of the IPv4 addresses. And of
> course I can't call my ISP and say: you're causing my Linux box to
> pick up bad IPv6 addresses. Front line support can barely handle IPv4
> and Windows.
> 
> I stuck with it for a couple hours and figured out how to disable
> SLAAC without disabling DHCP-PD so that I could turn IPv6 back on with
> addresses which worked. But really, how many people are going to do
> that? Most tick the IPv6 checkbox to off and are done with it.
> 
> This particular problem could be quickly resolved if the OSes still
> getting updates were updated to default name resolution to prioritize
> the IPv4 addresses instead. That would allow broken IPv6
> configurations to exist without breaking the user's entire Internet
> experience. Which would allow them to leave it turned on so that it
> resumes working when the error is eventually found and fixed.
> 
> Prioritizing IPv6 over IPv4 for newly initiated connections is one of
> the trifecta of critical design errors that have been killing IPv6 for
> two decades. One of the two that if key folks weren't being so
> bull-headed about it, it would be trivial to fix.

Complain to your vendors about not implementing RFC 8305, RFC 6724, and
RFC 7078.  RFC 8305 or RFC6724 + RFC 7078 would fix your issue.

That's Happy Eyeballs and tuneable address selection rules.

You don’t have to perform the naive connection from getaddrinfo() man page.

   /* needs <sys/types.h>, <sys/socket.h>, <netdb.h>, <string.h>,
      <unistd.h> and <err.h> */
   struct addrinfo hints, *res, *res0;
   int error;
   int s;
   const char *cause = NULL;

   memset(&hints, 0, sizeof(hints));
   hints.ai_family = PF_UNSPEC;
   hints.ai_socktype = SOCK_STREAM;
   error = getaddrinfo("www.kame.net", "http", &hints, &res0);
   if (error) {
       errx(1, "%s", gai_strerror(error));
       /*NOTREACHED*/
   }
   s = -1;
   /* try each returned address in order, one blocking connect() at a time */
   for (res = res0; res; res = res->ai_next) {
       s = socket(res->ai_family, res->ai_socktype,
           res->ai_protocol);
       if (s < 0) {
           cause = "socket";
           continue;
       }

       if (connect(s, res->ai_addr, res->ai_addrlen) < 0) {
           cause = "connect";
           close(s);
           s = -1;
           continue;
       }

       break;  /* okay we got one */
   }
   if (s < 0) {
       err(1, "%s", cause);
       /*NOTREACHED*/
   }
   freeaddrinfo(res0);

You could actually use something a little more sophisticated like

int
connect_to_host(struct addrinfo *res0) {
    struct addrinfo *res;
    int fd = -1, n, i, j, flags, count;
    struct pollfd *fds;
    int timeout = TIMEOUT;

    /*
     * Work out how many possible descriptors we could use.
     */
    for (res = res0, count = 0; res; res = res->ai_next)
        count++;
    fds = calloc(count, sizeof(*fds));
    if (fds == NULL) {
        perror("calloc");
        goto cleanup;
    }

    for (res = res0, i = 0, count = 0; res; res = res->ai_next) {
        fd = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
        if (fd == -1) {
            /*
             * If AI_ADDRCONFIG is not supported we will get
             * EAFNOSUPPORT returned.  Behave as if the address
             * was not there.
             */
            if (errno != EAFNOSUPPORT)
                perror("socket");
            else if (res->ai_next != NULL)
                continue;
        } else if ((flags = fcntl(fd, F_GETFL)) == -1) {
            perror("fcntl");
            close(fd);
        } else if (fcntl(fd, F_SETFL, flags | O_NONBLOCK) == -1) {
            perror("fcntl");
            close(fd);
        } else if (connect(fd, res->ai_addr, res->ai_addrlen) == -1) {
            if (errno != EINPROGRESS) {

Re: DoD IP Space

2021-02-14 Thread Mark Tinka




On 2/15/21 08:25, William Herrin wrote:


Well actually, that's not entirely true. One thing holding back IPv6
is the unfortunately routine need to turn it off in order to get one
or another IPv4 thing back working again. Like the disney thing
earlier in this thread. Or like my experience yesterday where I had to
disable IPv6 to fetch files on a particular server because SLAAC was
serving up invalid addresses but the app insisted on trying all 8 IPv6
addresses before it would attempt any of the IPv4 addresses. And of
course I can't call my ISP and say: you're causing my Linux box to
pick up bad IPv6 addresses. Front line support can barely handle IPv4
and Windows.

I stuck with it for a couple hours and figured out how to disable
SLAAC without disabling DHCP-PD so that I could turn IPv6 back on with
addresses which worked. But really, how many people are going to do
that? Most tick the IPv6 checkbox to off and are done with it.

This particular problem could be quickly resolved if the OSes still
getting updates were updated to default name resolution to prioritize
the IPv4 addresses instead. That would allow broken IPv6
configurations to exist without breaking the user's entire Internet
experience. Which would allow them to leave it turned on so that it
resumes working when the error is eventually found and fixed.

Prioritizing IPv6 over IPv4 for newly initiated connections is one of
the trifecta of critical design errors that have been killing IPv6 for
two decades. One of the two that if key folks weren't being so
bull-headed about it, it would be trivial to fix.


This is not unique to IPv6. Almost every protocol (including IPv4) has 
some inherent design problem that keeps lists like this alive with 
swaths of advice and solutions.


But at its core, if money is going to stand in the way of IPv6 gaining 
global interest, the issues you, me and others face with SLAAC and other 
technical IPv6 annoyances will never receive the attention they need to 
get resolved.


Why fix something nobody wants to use in the first place?

Mark.


Re: DoD IP Space

2021-02-14 Thread William Herrin
On Sun, Feb 14, 2021 at 8:27 PM Mark Tinka  wrote:
> Dropping a few feet from cloud nine, there, really, is no other thing
> that will facilitate or hold back the adoption of IPv6, like money.

Well actually, that's not entirely true. One thing holding back IPv6
is the unfortunately routine need to turn it off in order to get one
or another IPv4 thing back working again. Like the disney thing
earlier in this thread. Or like my experience yesterday where I had to
disable IPv6 to fetch files on a particular server because SLAAC was
serving up invalid addresses but the app insisted on trying all 8 IPv6
addresses before it would attempt any of the IPv4 addresses. And of
course I can't call my ISP and say: you're causing my Linux box to
pick up bad IPv6 addresses. Front line support can barely handle IPv4
and Windows.

I stuck with it for a couple hours and figured out how to disable
SLAAC without disabling DHCP-PD so that I could turn IPv6 back on with
addresses which worked. But really, how many people are going to do
that? Most tick the IPv6 checkbox to off and are done with it.

This particular problem could be quickly resolved if the OSes still
getting updates were updated to default name resolution to prioritize
the IPv4 addresses instead. That would allow broken IPv6
configurations to exist without breaking the user's entire Internet
experience. Which would allow them to leave it turned on so that it
resumes working when the error is eventually found and fixed.

Prioritizing IPv6 over IPv4 for newly initiated connections is one of
the trifecta of critical design errors that have been killing IPv6 for
two decades. One of the two that if key folks weren't being so
bull-headed about it, it would be trivial to fix.

Regards,
Bill Herrin

--
William Herrin
b...@herrin.us
https://bill.herrin.us/


Re: DoD IP Space

2021-02-14 Thread Mark Tinka




On 2/14/21 22:34, Sabri Berisha wrote:


You are 100% Correct. Perhaps we can get Jeff Bezos to give 25% extra off
at the next Cyber Monday event to those accessing amazon.com via IPv6.

That will not only drive IPv6 deployment at eyeball networks, it's a
feasible plan as well. IF good ol' Jeff wants to cooperate :)


Dropping a few feet from cloud nine, there, really, is no other thing 
that will facilitate or hold back the adoption of IPv6, like money.


It will distill down into who is willing to spend it, make it or lose it.

All (other) discussions about IPv6's adoption (or lack thereof) are just 
recycled revolutions around this reality. I mean, there's a reason that 
in 2021, PS4 still does not support IPv6.


Mark.


Re: DoD IP Space

2021-02-14 Thread Sabri Berisha
- On Feb 14, 2021, at 11:56 AM, Randy Bush ra...@psg.com wrote:

Hi,

> hint: that idea is from the late '90s.  the next bright idea for what
> would help ipv6 take over the internet was 3gpp.  it's been a long line
> of things which would make ipv6 take off. 

You are 100% Correct. Perhaps we can get Jeff Bezos to give 25% extra off
at the next Cyber Monday event to those accessing amazon.com via IPv6.

That will not only drive IPv6 deployment at eyeball networks, it's a
feasible plan as well. IF good ol' Jeff wants to cooperate :)

Thanks,

Sabri



Re: DoD IP Space

2021-02-14 Thread Mark Tinka




On 2/14/21 21:56, Randy Bush wrote:


hint: that idea is from the late '90s.  the next bright idea for what
would help ipv6 take over the internet was 3gpp.  it's been a long line
of things which would make ipv6 take off.  and at least ten million
messages on mailing lists such as this.  and the adoption rate has
crawled up slowly; the first derivative remaining fairly flat.

of course, if you measure it at the right place, it can have steep
points.  when goog turned it up for youtube, the proportion of their v6
traffic went up nicely; no surprise.  but when i want to measure a real
rate of change, i like a mid-stream sample at some isps' borders or ixp,
away from eyeballs or eye candy.

if we all spent as much time deploying, or helping others deploy as
opposed to screaming at them that they must do it asap, we might get
that first derivative up a wee bit.  but i fear that, at this point,
patience is what is most useful.


Like I was saying to someone privately, by pr0n I really meant whatever 
app or service makes the most sense at the time. It could be gaming, it 
could be Clubhouse, it could be a crossword puzzle. Something, anything. We 
know how to build online services that ordinary people see value in. 
Extending that to have it delivered mostly over IPv6 is not a huge leap, 
if all sides understood that the impetus was to promote IPv6 adoption.


But yes, short of that, patience is the only hope.

Mark.


Re: DoD IP Space

2021-02-14 Thread Randy Bush
> Perhaps it's time that we made good friends with the folk accelerating
> pr0n, and did a deal with them where someone's fetish was only
> available over IPv6.

hint: that idea is from the late '90s.  the next bright idea for what
would help ipv6 take over the internet was 3gpp.  it's been a long line
of things which would make ipv6 take off.  and at least ten million
messages on mailing lists such as this.  and the adoption rate has
crawled up slowly; the first derivative remaining fairly flat.

of course, if you measure it at the right place, it can have steep
points.  when goog turned it up for youtube, the proportion of their v6
traffic went up nicely; no surprise.  but when i want to measure a real
rate of change, i like a mid-stream sample at some isps' borders or ixp,
away from eyeballs or eye candy.

if we all spent as much time deploying, or helping others deploy as
opposed to screaming at them that they must do it asap, we might get
that first derivative up a wee bit.  but i fear that, at this point,
patience is what is most useful.

randy


Re: DoD IP Space

2021-02-14 Thread Mark Tinka




On 2/14/21 04:24, Mark Foster wrote:


So the business case will be the 'killer app' or perhaps 'killer service' 
that's IPv6-only and that'll provide a business reason.

But chicken and egg.. who wants to run a service that's IPv6-only and miss out 
on such a big userbase?


Perhaps it's time that we made good friends with the folk accelerating 
pr0n, and did a deal with them where someone's fetish was only available 
over IPv6. Small enough that it does not bother their existing cash cow, 
but large enough that it starts to get some notice, where eyeballs can 
put pressure on their service providers to get them access.


I'm not kidding. Because sitting back and hoping "things just happen" is 
kind of like throwing a switch into a building and putting the words 
"IXP" outside, and hoping the right people will come knocking. We know 
IXP's are obvious, but a lot of their growth comes from their operators 
running around and actually getting patronage going.


IPv6 is obvious. But I think it requires a lot more non-technical agency 
to get it adopted.


Mark.


Re: DoD IP Space

2021-02-14 Thread Mark Tinka




On 2/14/21 02:00, scott wrote:



I would be looking for a new job and it is a much larger network than 
2 routers is a big city.  :)    Sabri Berisha was correct: "The true 
enemy here is mid-level management that refuses to prioritize 
deployment of IPv6.   What we should be discussing is how best to 
approach that problem. It's where ops and corporate politics 
overlap."   What I always heard when I bring it up and they don't want 
to talk about it was "What's the business case?" They know there isn't 
one.


You've just answered yourself, which is the sad (but true) reality.

It will always come down to numbers, especially if you need to expend 
money on kit or use limited human resources that are already tied up 
with money-making projects.


If you can show that further delaying IPv6 deployment will have a direct 
impact on loss of revenue (particularly in the immediate), then you'll 
have a better chance of getting the deployment approved. The problem is 
any relationship between IPv6 and the going concern of the business is 
most likely to be indirect, which will make your task even that much harder.


Perhaps appealing to your management's sense of "something else", that 
when combined with (loss of) revenue, gives them a minute to pause and 
think. I wouldn't know what that "something else" as it pertains to your 
specific business, but maybe you do.


Mark.


RE: DoD IP Space

2021-02-13 Thread Mark Foster
Apologies for the top-post to a bottom-thread; I blame Outlook.

I was going to comment that in a couple of corporate network engineering roles 
I've had, the lack of the business case has always been to highlight that all 
the things we want to reach on the Internet can be accessed by IPv4.

So the business case will be the 'killer app' or perhaps 'killer service' 
that's IPv6-only and that'll provide a business reason.

But chicken and egg.. who wants to run a service that's IPv6-only and miss out 
on such a big userbase?

What remains is sliding IPv6 in as a minimal-cost service upgrade when you 
lifecycle your equipment.  And when it's not minimal-cost (due to perhaps, 
complex firewall/nat arrangements), it's still a hard ask.

I don't have the answer to this yet, but occasionally a tech-savvy executive 
buys-in on the need to future-proof things.

Mark.

-Original Message-
From: NANOG  On Behalf Of scott
Sent: Sunday, 14 February 2021 1:01 pm
To: nanog@nanog.org
Subject: Re: DoD IP Space


On 2/12/2021 8:39 PM, Mark Tinka wrote:
> On 2/12/21 21:56, scott wrote:
>>
>> 100% agreed!  Been whining about that here many times.  I have been 
>> trying to get IPv6 going for a long time, but the above stopped my 
>> plans.  One thing I mentioned recently, though, is we just got a 
>> $BIGCUSTOMER and their requirement was we do IPv6. So keep your IPv6 
>> deployment plans ready.  In my case they said a 'we need it right 
>> now' kind of thing.  That could happen to anyone here.
>
> How about just doing it and then asking for forgiveness later :-)?
>
> That's what I did in 2005, but fair point, the network was only 2 
> routers big and in just one city :-).
> --
> --


I would be looking for a new job and it is a much larger network than 2 routers 
is a big city.  :)  Sabri Berisha was correct: "The true enemy here is 
mid-level management that refuses to prioritize deployment of IPv6.   What we 
should be discussing is how best to approach that problem. It's where ops and 
corporate politics overlap."   What I always heard when I bring it up and they 
don't want to talk about it was "What's the business case?" They know there 
isn't one.

scott




Re: DoD IP Space

2021-02-13 Thread scott



On 2/12/2021 8:39 PM, Mark Tinka wrote:

On 2/12/21 21:56, scott wrote:


100% agreed!  Been whining about that here many times.  I have been 
trying to get IPv6 going for a long time, but the above stopped my 
plans.  One thing I mentioned recently, though, is we just got a 
$BIGCUSTOMER and their requirement was we do IPv6. So keep your IPv6 
deployment plans ready.  In my case they said a 'we need it right 
now' kind of thing.  That could happen to anyone here.


How about just doing it and then asking for forgiveness later :-)?

That's what I did in 2005, but fair point, the network was only 2 
routers big and in just one city :-).





I would be looking for a new job and it is a much larger network than 2 
routers is a big city.  :)    Sabri Berisha was correct: "The true enemy 
here is mid-level management that refuses to prioritize deployment of 
IPv6.   What we should be discussing is how best to approach that 
problem. It's where ops and corporate politics overlap."   What I always 
heard when I bring it up and they don't want to talk about it was 
"What's the business case?" They know there isn't one.


scott



Re: DoD IP Space

2021-02-12 Thread Mark Tinka




On 2/12/21 21:56, scott wrote:




100% agreed!  Been whining about that here many times.  I have been 
trying to get IPv6 going for a long time, but the above stopped my 
plans.  One thing I mentioned recently, though, is we just got a 
$BIGCUSTOMER and their requirement was we do IPv6.  So keep your IPv6 
deployment plans ready.  In my case they said a 'we need it right now' 
kind of thing.  That could happen to anyone here.


How about just doing it and then asking for forgiveness later :-)?

That's what I did in 2005, but fair point, the network was only 2 
routers big and in just one city :-).


Mark.


Re: DoD IP Space

2021-02-12 Thread scott




--- sa...@cluecentral.net wrote:
From: Sabri Berisha 

The true enemy here is mid-level management that refuses to prioritize 
deployment of IPv6.


What we should be discussing is how best to approach that problem. It's 
where ops and corporate politics overlap.

--


100% agreed!  Been whining about that here many times.  I have been 
trying to get IPv6 going for a long time, but the above stopped my 
plans.  One thing I mentioned recently, though, is we just got a 
$BIGCUSTOMER and their requirement was we do IPv6.  So keep your IPv6 
deployment plans ready.  In my case they said a 'we need it right now' 
kind of thing.  That could happen to anyone here.


scott


Re: DoD IP Space

2021-02-12 Thread Christopher Morrow
On Fri, Feb 12, 2021 at 11:30 AM Tom Beecher  wrote:
>>
>> For most networks there is almost no pain in enabling IPv6.
>
>
> A startup vendor, formed by long time industry veterans, released brand new 
> products inside of the last 8 years that did not yet have IPv6 support 
> because their software, also created by them from scratch, did not yet 
> support it. It does now, but one could argue that it's mind boggling this 
> happened in the first place.
>

this happens, a lot :(

> When experienced industry individuals decide that V6 is second class enough 
> to chop the feature just to get the product out the door, and bolt it on to 
> code later (because THAT always works out well :) ), it really makes you 
> wonder how many more generations of engineers will be having these same 
> conversations.
>
> The money always talks. As long as solutions exist to massage V4 scarcity , 
> and those solutions remain cheaper, they will generally win.
>

the problem (one problem?) in the networking space is that:
  "Today's network works, why should I add risk / config-pain /
customer-problems / uncertainty when there's no driving reason to do
same?"

This is almost certainly why some residential providers still don't
offer v6 (verizon) on their residential link service.
-chris


Re: DoD IP Space

2021-02-12 Thread Tom Beecher
>
> For most networks there is almost no pain in enabling IPv6.
>

A startup vendor, formed by long time industry veterans, released brand new
products inside of the last 8 years that did not yet have IPv6 support
because their software, also created by them from scratch, did not yet
support it. It does now, but one could argue that it's mind boggling this
happened in the first place.

When experienced industry individuals decide that V6 is second class enough
to chop the feature just to get the product out the door, and bolt it on to
code later (because THAT always works out well :) ), it really makes you
wonder how many more generations of engineers will be having these same
conversations.

The money always talks. As long as solutions exist to massage V4 scarcity ,
and those solutions remain cheaper, they will generally win.

On Thu, Feb 11, 2021 at 5:07 PM Mark Andrews  wrote:

>
>
> > On 12 Feb 2021, at 08:11, Jim Shankland  wrote:
> >
> > On 2/11/21 6:29 AM, Owen DeLong wrote:
> >>
> >>> On Feb 11, 2021, at 05:55 , Izaac  wrote:
> >>>
> >>> On Wed, Feb 10, 2021 at 04:04:43AM -0800, Owen DeLong wrote:
>  without creating partitioned networks.
> >>> Ridiculous.  Why would you establish such a criteria?  The defining
> >>> characteristic of rfc1918 networks is that they are partitioned.
> >>>
> >>> The ability to recognize and exploit partitions within a network,
> >>> natural or otherwise, is the measure of competence in a network
> >>> engineer.
> >>>
> >>> Stop making excuses.
> >> Ridiculous… TCP/IP was designed to be a peer to peer system where each
> endpoint was uniquely
> >> addressable whether reachable by policy or not.
> >>
> >> IPv6 restores that ability and RFC-1918 is a bandaid for an obsolete
> protocol.
> >>
> >> Stop making excuses and let’s fix the network.
> >>
> >> Owen
> >
> > TCP/IP wasn't designed; it evolved (OK, a slight exaggeration). The
> ISO-OSI protocol stack was designed. Many years ago, I taught a course on
> TCP/IP networking. The course was written by someone else, I was just being
> paid to present/teach it. Anyway, I vividly remember a slide with bullet
> points explaining why TCP/IP was a transitional technology, and would be
> rapidly phased out, replaced by the "standard", intelligently designed
> ISO-OSI stack. By the time I taught the course, I had to tell the class
> that every single statement on that slide was incorrect. In the end,
> evolution beat out intelligent design, by a country mile.
> >
> > It was probably a couple of years later -- the year definitely started
> with a 1 -- that I first heard that IPv4 was being phased out, to be
> replaced over the next couple of years by IPv6. We've been hearing it ever
> since.
> >
> > That doesn't mean that we'll be living with IPv4 forever. A peer to peer
> system where each endpoint is uniquely addressable is desirable. But in a
> world of virtual machines, load balancers, etc., the binding of an IP
> address to a particular, physical piece of hardware has long since become
> tenuous. IPv4 is evolving into a 48-bit address space for endpoints (32-bit
> host + 16-bit port). That development has extended IPv4's useful life by
> many years.
> >
> > There is pain associated with continuing to make IPv4 work. And there is
> pain associated with transitioning to IPv6. IPv6 will be adopted when the
> pain of the former path is much larger than the pain of the latter path.
> Saying "RFC-1918 is a bandaid for an obsolete protocol" is using a
> normative, rather than empirical, definition of "obsolete". In the
> empirical sense, things are obsolete when people stop using them. Time will
> tell when that happens.
> >
> > Jim Shankland
>
> For most networks there is almost no pain in enabling IPv6. It's
> reconfigure the routers to announce IPv6 prefixes and you are done.  We are
> 20+ years into IPv6 deployment.  Almost everything you buy today works with
> IPv6.  Even the crappy $50 home router does IPv6.  100s of millions of
> household networks have had IPv6 enabled without the owners of those
> networks needing to do anything other than perhaps swap out an IPv4-only router
> to one that supports IPv6.  Hell lots of those home networks are behind
> IPv6-only uplinks with the CPE router translating the legacy IPv4 to IPv6
> for transport over the IPv6-only uplink.  The same happens with mobile
> phones these days.  If you have a phone that was purchased in the last 10
> years, give or take, you will most probably be talking to the world over a
> IPv6-only link.  Even Telstra here in Australia is transitioning their network
> to IPv6-only, the network in South Australia is IPv6-only with the other
> states to come.  Optus here has been shipping IPv6 capable routers for the
> last several years with every new install / replacement.  Optus haven’t yet
> enabled IPv6 to the home but the installed base is becoming IPv6 capable.
>
> The harder part is making sure every piece of kit works with IPv6 when you
> want to turn off IPv4 

Re: DoD IP Space

2021-02-12 Thread Owen DeLong
Eric, I’d argue that does fall within the definition of incompetence called out 
by Izaac.

I’m talking about how you run out of RFC-1918 space (if you choose to use it in 
the first place) without incompetence.

Owen


> On Feb 11, 2021, at 09:15 , Eric Kuhnke  wrote:
> 
> You don't, you wastefully assign a /24 to every unique thing that you think 
> needs an internal management IP block (even if there's 5 things that answer 
> pings there), and decide it's too much work to renumber things. Easy for a 
> big ISP that's also acquired many small/mid-sized ISPs to run out of v4 
> private IP space that way.
> 
> 
> 
> On Wed, Feb 10, 2021 at 4:05 AM Owen DeLong wrote:
> Please explain to me how you uniquely number 40M endpoints with RFC-1918 
> without running out of
> addresses and without creating partitioned networks.
> 
> If you can’t, then I’m not the one making excuses.
> 
> Owen
> 
> 
> > On Feb 9, 2021, at 15:44 , Izaac <iz...@setec.org> wrote:
> > 
> > On Fri, Feb 05, 2021 at 02:36:57PM -0800, Owen DeLong wrote:
> >> it is definitely possible to run out of RFC-1918 space with scale and no 
> >> incompetence.
> > 
> > No, it isn't.  It's the year 2021.  Stop making excuses.
> > 
> > -- 
> > . ___ ___  .   .  ___
> > .  \/  |\  |\ \
> > .  _\_ /__ |-\ |-\ \__
> 



Re: DoD IP Space

2021-02-11 Thread Mark Tinka




On 2/12/21 06:41, Randy Bush wrote:


iij joined in '97.  and helped others who asked.  but i'm from the rainy
pacific northwest (of the states).  we don't try to push water uphill.


As my Gambian friend would say, "Lead a horse to water, and teach it how 
to fish".


My first join was in 2005. We, like you, also helped those who asked. 
The momentum is now at a point where the incentive to turn on IPv6 has 
to come from within.


Mark.


Re: DoD IP Space

2021-02-11 Thread Randy Bush
>> i must say i am impressed that the ipv6 must be deployed now and it
>> solves it all religion is still being shouted from the street corner
>> 25 years on.  it is as if the shouters think they will convince any
>> body or change anything.  folk will deploy X when they perceive that
>> the cost:benefit is in X's favor.  and 25 years on, we are not
>> changing people's perceptions.  it's only been a quarter of a
>> century; have some patience.
> 
> We'll carry on.
> 
> Those who want to join will join, when they join.

iij joined in '97.  and helped others who asked.  but i'm from the rainy
pacific northwest (of the states).  we don't try to push water uphill.

randy


Re: DoD IP Space

2021-02-11 Thread Mark Tinka




On 2/12/21 02:51, Randy Bush wrote:

i must say i am impressed that the ipv6 must be deployed now and it
solves it all religion is still being shouted from the street corner 25
years on.  it is as if the shouters think they will convince any body or
change anything.  folk will deploy X when they perceive that the
cost:benefit is in X's favor.  and 25 years on, we are not changing
people's perceptions.  it's only been a quarter of a century; have some
patience.


We'll carry on.

Those who want to join will join, when they join.

Mark.


Re: DoD IP Space

2021-02-11 Thread Willy Manga
Hi,

On 11/02/2021 13:00, nanog-requ...@nanog.org wrote:
> Date: Wed, 10 Feb 2021 09:50:56 -0800
> From: Doug Barton 
>[...] On 2/10/21 5:56 AM, Ca By wrote>
>> The 3 cellular networks in the usa, 100m subs each, use ipv6 to uniquely 
>> address customers. And in the case of ims (telephony on a cellular), it 
>> is ipv6-only, afaik.
> So that answers the question of how to scale networks past what can be 
> done with 1918 space. Although why the phones would need to talk 
> directly to each other, I can't imagine.

- P2P applications?

- (because I'm tethering,) enable customers to share a service to other
people without relying to (many) external parties? (actually, that was
the purpose of the Internet since the beginning if I'm right)

- ...

> I also reject the premise that any org, no matter how large, needs to 
> uniquely number every endpoint. When I was doing IPAM for a living, not 
> allowing the workstations in Tucson to talk to the printers in Singapore 
> was considered a feature. I even had one customer who wanted the 
> printers to all have the same (1918) IP address in every office because 
> they had a lot of sales people who traveled between offices who couldn't 
> handle reconfiguring every time they visited a new location. I thought 
> it was a little too precious personally, but the customer is always 
> right.  :)

Here comes the DNS imho if it was accepted by the customer. Same result,
better management and flexibility...

> Sure, it's easier to give every endpoint a unique address, but it is not 
> a requirement, and probably isn't even a good idea. Spend a little time 
> designing your network so that the things that need to talk to each 
> other can, and the things that don't have to, can't. I did a lot of 
> large multinational corporations using this type of design and never 
> even came close to exhausting 1918 space.


Here comes your firewall rules and all your ACL ... easier with IPv6 imho


-- 
Willy Manga
@ongolaboy
https://ongola.blogspot.com/





Re: DoD IP Space

2021-02-11 Thread Fred Baker
On Jan 23, 2021, at 11:32 AM, Sabri Berisha  wrote:
> 
> Personally, I would 
> argue that a full implementation of IPv6 means that v4 could be phased out 
> without
> adverse effect on the production network.

I like that definition.

Re: DoD IP Space

2021-02-11 Thread William Herrin
On Thu, Feb 11, 2021 at 5:52 PM Izaac  wrote:
> On Thu, Feb 11, 2021 at 09:53:56AM -0800, William Herrin wrote:
> > In other words, it proves the exact opposite of your assertion.
>
> Golly.  Do you want to tell the 1M+ AWS customers that the services they
> paid ~$280B for last year don't work, or should I?

You moved the goal post there, Izaac with a z. Your original claim:

On Tue, Feb 9, 2021 at 3:46 PM Izaac  wrote:
> On Fri, Feb 05, 2021 at 02:36:57PM -0800, Owen DeLong wrote:
> > it is definitely possible to run out of RFC-1918 space with scale and no 
> > incompetence.
>
> No, it isn't.

Yes, it is. Amazon did. And you seem to agree they're competent.

Regards,
Bill Herrin


-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/


Re: DoD IP Space

2021-02-11 Thread Mark Andrews



> On 12 Feb 2021, at 12:41, Izaac  wrote:
> 
> On Thu, Feb 11, 2021 at 06:29:42AM -0800, Owen DeLong wrote:
>> Ridiculous… TCP/IP was designed to be a peer to peer system where each 
>> endpoint was uniquely
>> addressable whether reachable by policy or not.
> 
> I think that is a dramatic over-simplification of the IP design criteria
> -- as it was already met by NCP or even a single ethernet segment.  But
> that's an aside.  I recommend that you read rfc1918, with a particular
> focus on Section 2, because I'm about to employ its language:
> 
> When dealing at large scale, an incompetent network engineer sees a
> network under their control as a single enterprise.  Whereas a competent
> network engineer recognizes that they are actually operating a
> federation of enterprises.  They identify the seams, design an
> architecture which exploits them, and allocate their scarce resources
> appropriately.
> 
>> IPv6 restores that ability and RFC-1918 is a bandaid for an obsolete 
>> protocol.
> 
> So, in your mind, IPv4 was "obsolete" in 1996 -- almost three years
> before IPv6 was even specified?  Fascinating.  I could be in no way
> mistaken for an IPv4/NAT apologist, but that one's new on me.

IPv4’s address space was known to be too small well before RFC1918.

September 1994 https://tools.ietf.org/html/draft-ipng-recommendation-00 -> RFC 
1752
July 1995 https://tools.ietf.org/html/draft-ietf-cidrd-private-addr-00 -> RFC 
1918

RFC 1918 was deployed as a mechanism to extend the usefulness of IPv4 until
IPNG, which became IPv6, was available by reducing the address space pressure on
the registries.

I knew IPv4 didn’t have enough addresses in 1988 when I got my first IPv4 
address
allocation.  Anyone with a bit of common sense could see that 4B addresses was
not enough for the Earth.  It was just a matter of time before it would need to
be replaced.

>> Stop making excuses and let's fix the network
> 
> If you want to "fix the network," tolerate neither incompetence or sloth
> from its operators.  Educate the former.  Encourage the latter.
> 
> -- 
> . ___ ___  .   .  ___
> .  \/  |\  |\ \
> .  _\_ /__ |-\ |-\ \__

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



Re: DoD IP Space

2021-02-11 Thread Michael Thomas



On 2/11/21 5:41 PM, Izaac wrote:



IPv6 restores that ability and RFC-1918 is a bandaid for an obsolete protocol.

So, in your mind, IPv4 was "obsolete" in 1996 -- almost three years
before IPv6 was even specified?  Fascinating.  I could be in no way
mistaken for an IPv4/NAT apologist, but that one's new on me.


ipv6 was on my radar in the early 90's. it was definitely at least 1993, 
maybe earlier.


Mike



Re: DoD IP Space

2021-02-11 Thread Izaac
On Thu, Feb 11, 2021 at 09:53:56AM -0800, William Herrin wrote:
> In other words, it proves the exact opposite of your assertion.

Golly.  Do you want to tell the 1M+ AWS customers that the services they
paid ~$280B for last year don't work, or should I?

-- 
. ___ ___  .   .  ___
.  \    /  |\  |\ \
.  _\_ /__ |-\ |-\ \__


Re: DoD IP Space

2021-02-11 Thread Izaac
On Thu, Feb 11, 2021 at 06:29:42AM -0800, Owen DeLong wrote:
> Ridiculous… TCP/IP was designed to be a peer to peer system where each
> endpoint was uniquely addressable whether reachable by policy or not.

I think that is a dramatic over-simplification of the IP design criteria
-- as it was already met by NCP or even a single ethernet segment.  But
that's an aside.  I recommend that you read rfc1918, with a particular
focus on Section 2, because I'm about to employ its language:

When dealing at large scale, an incompetent network engineer sees a
network under their control as a single enterprise.  Whereas a competent
network engineer recognizes that they are actually operating a
federation of enterprises.  They identify the seams, design an
architecture which exploits them, and allocate their scarce resources
appropriately.

> IPv6 restores that ability and RFC-1918 is a bandaid for an obsolete protocol.

So, in your mind, IPv4 was "obsolete" in 1996 -- almost three years
before IPv6 was even specified?  Fascinating.  I could be in no way
mistaken for an IPv4/NAT apologist, but that one's new on me.

> Stop making excuses and let's fix the network

If you want to "fix the network," tolerate neither incompetence nor sloth
from its operators.  Educate the former.  Encourage the latter.

-- 
. ___ ___  .   .  ___
.  \    /  |\  |\ \
.  _\_ /__ |-\ |-\ \__


Re: DoD IP Space

2021-02-11 Thread Randy Bush
i must say i am impressed that the ipv6 must be deployed now and it
solves it all religion is still being shouted from the street corner 25
years on.  it is as if the shouters think they will convince any body or
change anything.  folk will deploy X when they perceive that the
cost:benefit is in X's favor.  and 25 years on, we are not changing
people's perceptions.  it's only been a quarter of a century; have some
patience.

randy


Re: DoD IP Space

2021-02-11 Thread Mark Andrews



> On 12 Feb 2021, at 10:25, Tim Howe wrote:
> 
> On Fri, 12 Feb 2021 09:05:51 +1100
> Mark Andrews wrote:
> 
>> Almost everything you buy today works with IPv6.  Even the crappy $50 home
>> router does IPv6.
> 
>   You're testing very different gear than I am.  I have not found
> this to be true, and I look harder than most.
> 
>   I put every new CPE I come across, high-end and low-end,
> against our auto-config dual-stack setup to see how well they work with
> v6.  Our setup is fairly simple: dhcp v4, dhcp v6 with /56 PD
> I also test with static IP configs (/30 or /31 v4, /127 v6 with routed /56 or /48)
> 
> devices seem to fall into many different categories:
> 
>  * Just works.  I think I have fewer than 5 tested devices that land here.
>    Some of them only after I reported bugs and managed to get fixes
>    (these are my favorite vendors).
>  * almost just works; minor bugs that can be worked around if you research how
>  * works if configured a very specific way, but not without ISP cooperation
>  * can be made to work if you are an expert who will go past the normal
>    interface.
>  * works when static, but requires extra help and knowledge to get working
>    with dynamic config or just doesn't
>  * allows you to configure it as if it would work, but doesn't;
>    sometimes works at first but fails over time (I do long-term stability
>    testing).
>  * doesn't even pretend to work (even if the packaging claims support)
>  * doesn't work.  Doesn't claim to.  No plans to make it work.  Stop asking
>    us.
> 
>   More surprising is that having a big name or being a no-name is
> no indication of what category you will fall into.  Juniper SRX needs
> a little help due to known bug, for example.  Another nice, big-name
> device starts by sending a malformed packet to my dhcpv6 server and
> just fails before getting out of the gate.  Ubiquiti ERx was a nice
> surprise as far as functionality and configurability, but no support in
> the GUI.
> 
>   Support is non-existent in SMX solutions even from the biggest
> names.  This is often a surprise to them when I point it out.
> 
>   I'm convinced most people claiming IPv6 support is common
> haven't actually tried it with many devices.  We support v6 one way or
> another on all our Internet services, but it has been a chore, to put it
> mildly.  CPE hasn't even been the biggest problem.
> 
> —TimH

Well I’m glad you are testing so you don’t distribute garbage to your customers.
I wish more ISPs would do more of it.

There is also plenty of garbage on the IPv4 side as well.  

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org


