69/8...this sucks

According to ARIN's whois server, there are 95 subdelegations for
NET-69-0-0-0-0...we're the 95th.

Clearly this problem is going to get a lot worse before it gets better.
And since most network operators are not on NANOG or USENET or any other
mailing list, there are really only two means of contact. Either every
affected party probes the net, identifies misconfigured networks and
contacts them one by one using email, phone and letters. Or we use the
press to make the problem and solution widely visible.

In either case, I think it would be a mistake to just fix the immediate
problem of a few ISPs needing full reachability from 69/8 space. Since we
have to put the effort into this problem, let's try to fix the general
problem, not just a small part of it.

The general problem is that ever larger numbers of devices are getting IPv4
address ranges hard-coded into their configurations with no process in
place for reviewing and changing those configurations. These devices are
not just routers but also firewalls and application servers.

In order to solve the general problem we need to make it easy for people
to review and change their configurations. This is not a lot different
from the problems that DNS solved. When you configure a device with a
domain name, the device will dynamically review and update the IP address
that it uses for communication. No human intervention is necessary.

Essentially, what we need is something that provides a capability similar
to DNS except that it works for IP address ranges, not for individual IP
addresses. This is where ARIN comes in. Because ARIN has the top-level
authority for IP address ranges in North America, they are the *ONLY*
organization that can authoritatively identify who an IP address range is
delegated to.

I have suggested that ARIN should set up an LDAP server to publish the
delegation of all their IP address space updated on a daily basis. And
that organizations which sub-delegate space, i.e. ISPs, should also run
LDAP servers as part of a delegation hierarchy similar to DNS. This type
of referral LDAP is part of the IETF standard and has been implemented by
most LDAP software vendors. Because LDAP is a widespread technology that
is used in the enterprise for identification and authentication, there is
a high likelihood that the suppliers of firewalls and application servers
will build in support for querying the ARIN delegation hierarchy.

I realize ARIN can't guarantee global routability of IP space, but should
they continue to give out IP blocks they absolutely know are not fully
routable on the internet today?

ISPs make addresses routable. ARIN is not an ISP. ARIN members are ISPs.
ARIN does not compete with its members.

Therefore, ARIN should focus on the problem of how to publish
authoritative data about which IP addresses should be routable. The
appropriate technology combined with the appropriate publicity will create
demand from enterprise network admins which will drive all ISPs and device
vendors to fix the problem.

If anyone wants to discuss this further, then I suggest that the upcoming
ARIN meeting in Memphis is the ideal venue to do so.

--Michael Dillon
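The review step Michael's proposal would automate, as an added example that is not part of the original thread: an audit of a hard-coded bogon filter against a delegation feed. The delegation data and the filter below are constructed samples standing in for the ARIN-published hierarchy and for a device's stale configuration; they are not real registry data.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed stand-in for the authoritative delegation data the proposal
# would have ARIN publish (via LDAP); not real registry records.
DELEGATIONS: Dict[str, str] = {
    "69.0.0.0/8": "ARIN delegation (constructed sample)",
    "69.1.0.0/16": "sub-delegated to an ISP (constructed sample)",
}

# Constructed example of a filter hard-coded years ago and never reviewed:
# it still treats 69/8 as unallocated ("bogon") space.
HARDCODED_BOGON_FILTER: List[str] = [
    "0.0.0.0/8",
    "10.0.0.0/8",
    "69.0.0.0/8",
    "70.0.0.0/8",  # assumed still unallocated in this constructed sample
]


def stale_entries(filter_prefixes: List[str],
                  delegations: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (filter_entry, delegated_prefix, holder) for every filter entry
    that overlaps space the delegation feed now lists as delegated."""
    delegated = [(ipaddress.ip_network(p), who) for p, who in delegations.items()]
    stale = []
    for entry in filter_prefixes:
        net = ipaddress.ip_network(entry)
        for dnet, who in delegated:
            if net.overlaps(dnet):
                stale.append((entry, str(dnet), who))
    return stale


def refreshed_filter(filter_prefixes: List[str],
                     delegations: Dict[str, str]) -> List[str]:
    """The filter with every now-delegated entry removed: what a daily
    automatic review against the delegation feed would leave in place."""
    bad = {entry for entry, _, _ in stale_entries(filter_prefixes, delegations)}
    return [p for p in filter_prefixes if p not in bad]


if __name__ == "__main__":
    for entry, dnet, who in stale_entries(HARDCODED_BOGON_FILTER, DELEGATIONS):
        print(f"filter entry {entry} blocks delegated space {dnet} ({who})")
    print("refreshed filter:", refreshed_filter(HARDCODED_BOGON_FILTER, DELEGATIONS))
```

Note that "delegated" is not the same as "routable": the audit only says which filter entries contradict the registry, which is exactly the authoritative data the post argues ARIN is positioned to publish.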

Date: Mon, 10 Mar 2003 09:46:33 +0000
From: Michael.Dillon

I have suggested that ARIN should set up an LDAP server to
publish the delegation of all their IP address space updated

Not bad, but will the lazy ISPs set up an LDAP server to track
changes they aren't tracking now? Will those with erroneous
filters magically change simply because of LDAP? I still contend
the answer is a boot to the head that screams to them, "Update
your freaking filters!"

Eddy