[NANOG] US DoD receives chunked IPv6 /13 (14x /22 but not totally consecutive)

Jeroen_Massar1 · May 16, 2008, 5:09pm

Hi folks,

As everybody is a big fan of securing their networks against foreign
attacks, be aware that the US DoD has been assigned 14 /22's, IPv6 that
is, not IPv4, they all come from a single IPv6 /13 though, which is what
they apparently asked for in the beginning, at least that was the rumor,
well they got what they wanted.

I've recorded it into GRH as a single /13 though, as that is what it is,
and I am not going to bother whois'ing and entering the 14 separate
entries there, as that is useless, especially as they will most likely
never appear in the global routing tables anyway.

Depending on your love for the US, you might want to add special rules
in your network to be able to easily detect Cyber Attacks and other such
things towards that address space, to be able to better serve your
country, may that be the US or any other country for that matter.

I am of course wondering why ARIN gave 1 organization 14 separate /22's,
even though they are recorded exactly the same, just different prefixes
and netnames and it is effectively one huge /13. They could easily have
been recorded as that one /13, it is not like eg Canada (no other
countries that fall under ARIN now is there) will get a couple of the
chunks of remaining space in between there. By assigning them separate
/22's, they effectively are stating that it is good to fragment the
address space and by having them recorded in whois, also that announcing
more specifics from that /13 is just fine.

The other fun question is of course what a single organization has to do
with (2^(48-13)=) 34.359.738.368, yes indeed, 34 billion /48's which
cover 2.251.799.813.685.248 /64's which is a number that I can't even
pronounce. According to Wikipedia the US only has a mere population of
304,080,000, that means that every US citizen can get a 1000+ /48's from
their DoD, thus maybe every nuclear warhead and every bullet is getting
their own /48 or something to be able to justify for that amount of
address space. At least this gives the opportunity to hardcode that
block out of hardware if you want to avoid it being ever used by the
publicly known part of the US DoD. I wouldn't mind seeing the request
form that can justify this amount of address space though, must be a lot
of fun.

Now back to your regular NANOG schedule....

Greets,
Jeroen

(who will hide himself in a nice Swiss nuclear bunker till the flames
are all gone

1) http://en.wikipedia.org/wiki/United_States
which points to: http://www.census.gov/population/www/popclockus.html

Alan_Hetzel · May 16, 2008, 5:58pm

Perhaps it is an attempt to make their address space so sparsely populated
that it's close to impossible to find a host without knowing it's address in
the first place?

Christopher_LILJENST · May 16, 2008, 6:15pm

Greetings,

Not to address the political issues here (which are deep, wide, and WAY too much of a black-hole), remember, that the DoD is not a single organization from a networking perspective. There are a number of different organizations within that structure, all of which may, or may not, want to announce separately, maintain their own external links, etc. Those boundaries can be on a service level (USAF vs USN), geographical level (Southern Command vs. Northern Command), etc.

My guess is that they don't want to be tied to only announcing a single /13. Each of those organizations is bigger than a lot of service providers out there...

As for why so many addresses - consider a networked ship (where everything has an address), soldier (each soldier having one or more addresses), battlefield sensors, etc. With stateless autoconf, that can add up fairly quickly (depending on network topology).

Lastly, If you honestly think that any entity (government or non-government) would launch an offensive cyber-attack from their own address space... never mind....

Chris

Robert_D_Scott · May 16, 2008, 6:15pm

OH, You mean like putting a sniper in a bunch of trees. They know that
tactic well.

Robert D. Scott Robert@ufl.edu
Senior Network Engineer 352-273-0113 Phone
CNS - Network Services 352-392-2061 CNS Receptionist
University of Florida 352-392-9440 FAX
Florida Lambda Rail 352-294-3571 FLR NOC
Gainesville, FL 32611

Warren_Kumari · May 16, 2008, 6:41pm

OH, You mean like putting a sniper in a bunch of trees. They know that
tactic well.

Yup -- http://www.youtube.com/watch?v=ltmMJntSfQI

W

Christopher_Morrow · May 16, 2008, 7:22pm

<apply hip waders>
Please keep the political rhetoric off-list, thanks.
</apply hip waders>

Hi folks,

As everybody is a big fan of securing their networks against foreign
attacks, be aware that the US DoD has been assigned 14 /22's, IPv6 that
is, not IPv4, they all come from a single IPv6 /13 though, which is what
they apparently asked for in the beginning, at least that was the rumor,
well they got what they wanted.

So, someone else pointed out that the DoD isn't one org, really. There
are several groups/orgs under DoD, there are several groups nested
under each of those groups, and depending upon the network
architecture/topology used it's fully possible that one route
announcement isn't practical for this Org.

What I think we should worry about is a larger portion of that Org
with a large enough part of one of the /22's doing something silly
like: "redistribute connected" ... (which they could, of course, have
done with any/all of their /8's -> /16's in ipv4 as well...)

-Chris

Colin · May 16, 2008, 7:51pm

Since when do you have to announce only the same size prefix as your allocation?

Deepak_Jain · May 16, 2008, 10:01pm

:_)

Another concept that might be useful with *that* much address space is the concept of modeling your ENEMIES' networks inside of unique space (persistently, forever). I'm sure we aren't far from the days where boxen will be set up to emulate the interaction between hundreds of other nodes, latency, jitter and packet loss included. It might be a fun project to be asked to pursue.

There really isn't a platform in current address space to do that (once you add persistently and multiple enemies) to the equation.

Deepak

Dorn Hetzel wrote:

Christopher_LILJENST · May 17, 2008, 9:31am

You certainly don't have to. However, as other folks have indicated here, that is the way that some folks read it. My guess is that this was purely for network topology and administrative reasons.

Chris

Pekka_Savola · May 18, 2008, 2:25pm

http://www.arin.net/policy/nrpm.html#six511 reads:

"c. plan to provide IPv6 connectivity to organizations to which it will assign IPv6 address space, by advertising that connectivity through its single aggregated address allocation;"

Other regions have, or have had, similar requirements.

I'm not a native speaker, but I guess "single aggregated address allocation" could be read to imply either 1) "one superblock [and nothing else]", or 2) "at least one superblock that covers everything" (with no implied statement on the more specifics).

Even if the interpretation is the second, the "benefit" of multiple allocations is that they wouldn't need to route between all the suballocations at least in one location in case someone is building route filters so that it would reject more specifics.