Incompetence abounds at the InterNIC

John Fraizer wrote:

> 1) You should have domain servers for ANY domain you register that live in
> NON-RFC1918 space. Otherwise, Why register the domain at all? If it's for
> use behind the firewall, why not use internic.net or whitehouse.gov? You
> say "Because they want to receive email at the domain!" Well, to receive
> email, the rest of the world has to be able to find the mx records and to
> do that, your domain servers have to live in NON-RFC space and we have now
> completely and totally blown your first point out of the water and made it,
> in your own words, "moot."

You have totally missed the concept that businesses can connect to other
businesses which connect other businesses and so on, and conduct network
protocols using the TCP/IP suite, just as if it were an Internet, but in
fact is highly isolated and segmented. Any ONE company in it may only be
able to reach those companies they connected directly to, but the other
companies reach many more companies.

Using RFC1918 space for this won't work because there has to be some kind
of administration of the space to ensure enough uniqueness that no two
companies that are visible to any one company have the same addressing.
There can be only one such administration of any practicality even though
this "closed Internet" is chopped into isolated segments.

Further, many companies with these networks also allow direct access to
the real open Internet. That means for sure that addresses in use on the
open Internet cannot be duplicated anywhere else. So the allocation of
space within the closed network has to be unique even compared to the
open Internet.

So it makes sense that every company connecting this way must obtain their
own unique address space.

> 2) DNS servers that are behind a firewall are useless in the context you
> describe above.

Not true. The DNS servers exist and are used by many of these companies.
Only those companies that need to use them can reach them.

> 3) You should NEVER pick random addresses. Please refer to RFC1918.

Agreed. And this does not happen (it once did, but some of the larger
companies that many of the other companies connect to laid down the rules
that said all addresses must be unique).

> 4) If you don't intend to be routed on the global internet, you SHOULD be
> required to use RFC1918 space. NOBODY should be allocated routable address
> space for internal, off-net use.

This is neither practical nor possible. Wave your hands all you want, but
it won't happen because RFC1918 space cannot ever hope to allow every one
of these companies to have address space that they can communicate with
each other uniquely, entirely within the RFC1918 space. There are two
reasons for this and based on mail I've received from a few people, it is
clear to me that a lot of people need these spelled out.

1. There is not enough space in RFC1918 to assign UNIQUE addresses to each
    company that interconnects with many other companies, that further
    interconnect with many others, and on and on.

2. Even if there was enough space, there is no one doing any administration
    of such space to ensure that all such assignments are sufficiently unique
    to ensure that every company connecting to many others will never see
    two or more such companies using the space part of RFC1918 space.

It seems many people still have their heads stuck in ivory towers and lack
the concepts of the real world. I once did, so I know it happens.

Think of these "closed Internets" as businesses conducting business with
each other over the Internet, but then deciding to get guaranteed bandwidth
by directly connecting to each peer, not routing to the real open Internet,
and basically becoming isolated except for the fact that in many of these
companies their computers (servers and desktops) can not only reach many
other companies this way, but also the real open Internet.

Addresses must be unique unless they are entirely internal (links themselves
often can be, too, but this does get messy sometimes) within one company,
which is not the bulk of what this is.

Likewise, name spaces also have to be unique, and the NS servers that are
authority for them may not be reachable by you or perhaps even anyone else
on the open Internet. But that doesn't mean they aren't real and being
used by many different businesses.

>been included with the request. Other ideas include limiting the number
>of outstanding requests per contact. If you have more than N unpaid
>domains, you can't register any more on that contact until you either
>pay up on some or delete some.

This would be a moot effort. What is going to stop the speculators from
just generating random email addresses for admin, technical and contact
addresses. It is very simple to route *@domain.com to a single email box.

They probably can and probably will do this. It's not an ultimate solution
but it might quiet things down for a little while until a better solution can
finally be agreed on.

> Using RFC1918 space for this won't work because there has to be some kind
> of administration of the space to ensure enough uniqueness that no two
> companies that are visible to any one company have the same addressing.
> There can be only one such administration of any practicality even though
> this "closed Internet" is chopped into isolated segments.

Sure it will. It requires (gasp) some COMMUNICATION between the companies
involved. I don't know of many companies who between them will completely
fill 10.0.0.0/8 with all the machines that need to interconnect. I mean
that's a pissload of machines. SIXTEEN MILLION machines.

> Further, many companies with these networks also allow direct access to
> the real open Internet. That means for sure that addresses in use on the
> open Internet cannot be duplicated anywhere else. So the allocation of
> space within the closed network has to be unique even compared to the
> open Internet.

The best way to do this is with a firewall (companies doing this probably
already have one, otherwise their "private" network ain't so private), and
just about every firewall worth putting on a box will do NAT. You map
individual machines that need their own IP address directly through on a
one-to-one relationship, and the rest you let the firewall masquerade
through. Conserves "real" IP space.

> So it makes sense that every company connecting this way must obtain their
> own unique address space.

No, it doesn't.

> 1. There is not enough space in RFC1918 to assign UNIQUE addresses to each
>    company that interconnects with many other companies, that further
>    interconnect with many others, and on and on.

There's 16,000,000 addresses in 10/8... not to mention the rest of the
space. Seems like VERY poor space management if the people involved can't
fit in there.

> 2. Even if there was enough space, there is no one doing any administration
>    of such space to ensure that all such assignments are sufficiently unique
>    to ensure that every company connecting to many others will never see
>    two or more such companies using the space part of RFC1918 space.

So the companies come together - once - and allocate space for each other.
If the companies have such a good relationship that they are allowing
people in behind their firewalls and such, then communication amongst them
shouldn't be a foreign concept.

> Likewise, name spaces also have to be unique, and the NS servers that are
> authority for them may not be reachable by you or perhaps even anyone else
> on the open Internet. But that doesn't mean they aren't real and being
> used by many different businesses.

This is an interesting concept... perhaps there ought to be an RFC1918-like
TLD "prv" or something, which is reserved for resolving addresses that will
only ever sit on RFC1918 space. Set aside certain addresses in RFC1918
space that the root servers could ostensibly "point" to as being the
"official" nameservers for that TLD, ...

Hmmmm.. just a thought.

D

John Fraizer wrote:
> 1) You should have domain servers for ANY domain you register that live in
> NON-RFC1918 space. Otherwise, Why register the domain at all? If it's for
> use behind the firewall, why not use internic.net or whitehouse.gov? You
> say "Because they want to receive email at the domain!" Well, to receive
> email, the rest of the world has to be able to find the mx records and to
> do that, your domain servers have to live in NON-RFC space and we have now
> completely and totally blown your first point out of the water and made it,
> in your own words, "moot."

> You have totally missed the concept that businesses can connect to other
> businesses which connect other businesses and so on, and conduct network
> protocols using the TCP/IP suite, just as if it were an Internet, but in
> fact is highly isolated and segmented. Any ONE company in it may only be
> able to reach those companies they connected directly to, but the other
> companies reach many more companies.

And Phil has, I think possibly unintentionally, put this thread on
topic for NANOG.

> Using RFC1918 space for this won't work because there has to be some kind
> of administration of the space to ensure enough uniqueness that no two
> companies that are visible to any one company have the same addressing.
> There can be only one such administration of any practicality even though
> this "closed Internet" is chopped into isolated segments.

The question is: are these disconnected nets part of "The Internet",
and if they aren't, how should their addressing and DNS be handled?

> Further, many companies with these networks also allow direct access to
> the real open Internet. That means for sure that addresses in use on the
> open Internet cannot be duplicated anywhere else. So the allocation of
> space within the closed network has to be unique even compared to the
> open Internet.

> So it makes sense that every company connecting this way must obtain their
> own unique address space.

Yes, it does. _I_ think. Even if these nets aren't routable to the
Internet, they may be populated by machines that are dual-homed, but
are _not_ routers, and address collisions would be A Bad Thing.

Now, in these class-less days, I have _no_ idea who you'd get such an
address block from...

> 2) DNS servers that are behind a firewall are useless in the context you
> describe above.

> Not true. The DNS servers exist and are used by many of these companies.
> Only those companies that need to use them can reach them.

This raises the companion question: should such networks have
'Internet' DNS, as well, even though they're not visible to the net at
large; that is, must they have root nameservers visible to the
InterNIC.

Phil asserts that no, they need not, and having done the exposition, I
find I must agree with him... but that does raise some interesting
questions...

> 4) If you don't intend to be routed on the global internet, you SHOULD be
> required to use RFC1918 space. NOBODY should be allocated routable address
> space for internal, off-net use.

> This is neither practical nor possible. Wave your hands all you want, but
> it won't happen because RFC1918 space cannot ever hope to allow every one
> of these companies to have address space that they can communicate with
> each other uniquely, entirely within the RFC1918 space. There are two
> reasons for this and based on mail I've received from a few people, it is
> clear to me that a lot of people need these spelled out.

I disagree; we'll hit the points.

> 1. There is not enough space in RFC1918 to assign UNIQUE addresses to each
>    company that interconnects with many other companies, that further
>    interconnect with many others, and on and on.

Counted the number of /24's in a class A lately, Po

Ok, there are only 64k. But that's a lot of industry. Just how many
people want to do this?

> 2. Even if there was enough space, there is no one doing any administration
>    of such space to ensure that all such assignments are sufficiently unique
>    to ensure that every company connecting to many others will never see
>    two or more such companies using the space part of RFC1918 space.

True.

So start one. :-) You'd have to do it under the auspices of one of
the 800-pound gorillas you mentioned...

Or move them all to IPv6 space.

> Think of these "closed Internets" as businesses conducting business with
> each other over the Internet, but then deciding to get guaranteed bandwidth
> by directly connecting to each peer, not routing to the real open Internet,
> and basically becoming isolated except for the fact that in many of these
> companies their computers (servers and desktops) can not only reach many
> other companies this way, but also the real open Internet.

A private backbone which only accepts packets from peers. Nothing
unusual about that...

> Likewise, name spaces also have to be unique, and the NS servers that are
> authority for them may not be reachable by you or perhaps even anyone else
> on the open Internet. But that doesn't mean they aren't real and being
> used by many different businesses.

Yeah... but this raises the question of whether the charter of the
InterNIC is to maintain (protection for) domain names that are
_intentionally_ never visible to their customers (the net at large),
simply to make life easier for a much smaller crowd...

And, AFAICS, that's the _real_ crux of the issue, right there.

Cheers,
-- jra
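Both D's and jra's replies turn on two practical points: how much room RFC1918 actually offers (the 16 million addresses and 64k /24s in 10/8 they cite), and whether a group of interconnected partners can keep their assignments unique without a central registry. The script below is an added illustration, not code from any poster on this thread. It uses the standard-library ipaddress module to compute those counts and to audit a constructed partner registry (the company names and prefixes are made up) for the two failure modes the thread argues about: assignments that collide between partners, and assignments that reach outside RFC1918 space.

```python
import ipaddress
from itertools import combinations

# The three private blocks defined by RFC1918.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(net):
    """True if the whole prefix lies inside one of the RFC1918 blocks."""
    net = ipaddress.ip_network(net, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def address_count(block):
    """Number of addresses in a prefix, e.g. 16,777,216 for 10.0.0.0/8."""
    return ipaddress.ip_network(block).num_addresses


def subnet_count(block, prefixlen):
    """Number of /prefixlen subnets that fit in block, e.g. /24s in 10/8."""
    block = ipaddress.ip_network(block)
    if prefixlen < block.prefixlen:
        raise ValueError("requested subnets are larger than the block")
    return 2 ** (prefixlen - block.prefixlen)


def audit(allocations):
    """Check a registry of partner allocations ({company: [cidr, ...]}).

    Returns (outside, collisions):
      outside    - (company, prefix) entries not contained in RFC1918 space
      collisions - (company_a, prefix_a, company_b, prefix_b) for every pair
                   of distinct entries whose prefixes overlap
    Sorting the collision report makes the output stable regardless of
    how the registry was entered.
    """
    entries = [
        (company, ipaddress.ip_network(cidr, strict=False))
        for company, cidrs in allocations.items()
        for cidr in cidrs
    ]
    outside = [(c, str(n)) for c, n in entries if not is_rfc1918(n)]
    collisions = []
    for (c1, n1), (c2, n2) in combinations(entries, 2):
        if n1.overlaps(n2):
            collisions.append((c1, str(n1), c2, str(n2)))
    return outside, sorted(collisions)


# Constructed sample registry (hypothetical companies): two partners picked
# the same /16, and one partner numbered an internal segment out of public
# space, which is exactly what a shared registry is meant to catch.
SAMPLE_REGISTRY = {
    "acme": ["10.1.0.0/16", "10.2.0.0/16"],
    "globex": ["10.2.0.0/16", "172.20.0.0/16"],
    "initech": ["192.168.0.0/16", "198.51.100.0/24"],
}

if __name__ == "__main__":
    print("addresses in 10/8:", address_count("10.0.0.0/8"))
    print("/24s in 10/8:", subnet_count("10.0.0.0/8", 24))
    outside, collisions = audit(SAMPLE_REGISTRY)
    for company, prefix in outside:
        print(f"outside RFC1918: {company} {prefix}")
    for c1, n1, c2, n2 in collisions:
        print(f"collision: {c1} {n1} overlaps {c2} {n2}")
```

Run against the sample registry it reports the acme/globex overlap on 10.2.0.0/16 and flags initech's 198.51.100.0/24 as public space. The overlap check is the operational core of the "administration" D and jra describe: a single shared list that every partner's prefixes are checked against before they are put into use.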