RE: Get as much IP space as you ever dreamed of, was: Re: Looking to buy IPv4 addresses from class C swamp

And something else a lot of people tend to forget - just because space isn't
in the tables doesn't mean it's not in use.

There are companies that connect to thousands of other companies (see the
financial markets) that require unique addressing between companies with
non-colliding address ranges. 10.x.x.x doesn't quite cut it.

-DT

Temkin, David wrote:

> And something else a lot of people tend to forget - just because space isn't
> in the tables doesn't mean it's not in use.

   True.

> There are companies that connect to thousands of other companies (see the
> financial markets) that require unique addressing between companies with
> non-colliding address ranges. 10.x.x.x doesn't quite cut it.

    This is not an acceptable excuse to burn PI space.

There are plenty of other Iana-L available... try using an obscure one.

[Should non-routed addresses be revoked?]

No, but they should be watched to see if they remain unrouted and then
try to contact the owner..

> And something else a lot of people tend to forget - just because space isn't
> in the tables doesn't mean it's not in use.

Something of a waste?

> There are companies that connect to thousands of other companies (see the
> financial markets) that require unique addressing between companies with
> non-colliding address ranges. 10.x.x.x doesn't quite cut it.

Why not? 16 million addresses aren't enough? (and that's only 10/8)

RFC1918 does suggest non-public intra-company networks use private space.

Steve

Thus spake "Stephen J. Wilcox" <steve@telecomplete.co.uk>

> [Should non-routed addresses be revoked?]
>
> No, but they should be watched to see if they remain unrouted and then
> try to contact the owner..

There's already a project underway to reclaim unrouted allocations.

> There are companies that connect to thousands of other companies
> (see the financial markets) that require unique addressing between
> companies with non-colliding address ranges. 10.x.x.x doesn't quite
> cut it.

> Why not? 16 million addresses aren't enough? (and that's only 10/8)
>
> RFC1918 does suggest non-public intra-company networks use
> private space.

N companies can have up to N(N-1) interconnections, which requires either:
a) double NAT, with a single address range for all interconnects
b) no NAT, with a unique address range for each interconnect
c) very careful management of the RFC1918 space such that no two companies
talking have a collision
d) globally unique addresses for each participant using RIRs

(c) simply doesn't work in reality, (b) is no better than (d), and (a) is
beyond ugly not to mention incompatible with many apps.

Furthermore, ARIN emphatically claims they make no guarantees their
allocations are routable, nor do any of their policies or RFC2050 require
allocations be announced. Finally, ARIN has no policy authorizing
revocation of an allocation other than for nonpayment of fees; even failure
to meet efficiency requirements doesn't justify that. You're talking major
policy changes.

S

Stephen Sprunk, CCIE #3723, K5SSS
"God does not play dice." --Albert Einstein
"God is an inveterate gambler, and He throws the dice at every possible opportunity." --Stephen Hawking

Thus spake "Stephen J. Wilcox" <steve@telecomplete.co.uk>
> [Should non-routed addresses be revoked?]
>
> No, but they should be watched to see if they remain unrouted and then
> try to contact the owner..

> There's already a project underway to reclaim unrouted allocations.

> > There are companies that connect to thousands of other companies
> > (see the financial markets) that require unique addressing between
> > companies with non-colliding address ranges. 10.x.x.x doesn't quite
> > cut it.
>
> Why not? 16 million addresses aren't enough? (and that's only 10/8)
>
> RFC1918 does suggest non-public intra-company networks use
> private space.

> N companies can have up to N(N-1) interconnections, which requires either:
> a) double NAT, with a single address range for all interconnects
> b) no NAT, with a unique address range for each interconnect
> c) very careful management of the RFC1918 space such that no two companies
> talking have a collision
> d) globally unique addresses for each participant using RIRs
>
> (c) simply doesn't work in reality, (b) is no better than (d), and (a) is
> beyond ugly not to mention incompatible with many apps.

Only because everyone seems to use 10.0.0.x ... of course if you only followed
the guidelines, rtfm!

"If two (or more) organizations follow the address allocation specified in this
document and then later wish to establish IP connectivity with each other, then
there is a risk that address uniqueness would be violated. To minimize the risk
it is strongly recommended that an organization using private IP addresses
choose randomly from the reserved pool of private addresses, when allocating
sub-blocks for its internal allocation."

> Furthermore, ARIN emphatically claims they make no guarantees their
> allocations are routable, nor do any of their policies or RFC2050 require
> allocations be announced. Finally, ARIN has no policy authorizing
> revocation of an allocation other than for nonpayment of fees; even failure
> to meet efficiency requirements doesn't justify that. You're talking major
> policy changes.

I don't know the policies very well but are you sure they can't revoke dead
allocations? For RIR-assigned space I thought this was covered, so your issue
was with the legacy pre-RIR swamp? And it can't be that big a deal to make legacy
blocks fall into the new rules...

Steve

* stephen@sprunk.org (Stephen Sprunk) [Tue 29 Apr 2003, 00:50 CEST]:

> N companies can have up to N(N-1) interconnections, which requires either:
> a) double NAT, with a single address range for all interconnects
> b) no NAT, with a unique address range for each interconnect
> c) very careful management of the RFC1918 space such that no two companies
> talking have a collision
> d) globally unique addresses for each participant using RIRs
>
> (c) simply doesn't work in reality, (b) is no better than (d), and (a) is
> beyond ugly not to mention incompatible with many apps.

d) is basically having the Internet community pay - both in real money
for staffing at RIRs and in scarce IP address space - for no benefit in
return at all for a function that those N companies should have an
institution perform for them via c).

Regards,

  -- Niels.

Niels Bakker wrote:

> d) is basically having the Internet community pay - both in real money
> for staffing at RIRs and in scarce IP address space - for no benefit in
> return at all for a function that those N companies should have an
> institution perform for them via c).

Actually, the company pays just the same as everyone else concerning staffing at RIRs. As for scarce IP address space, the last report I heard was that surge slowed down in time to keep it from being a serious problem at this time.

If a company has a habit of making interconnections with other companies and said company has several /16's worth of network, I can understand their desire not to use 10/8, as a conflict on a new interconnect could require massive renumbering. However, I do think there should be methods in place to recognize that those routes should not be routed by others.

For example, 9/8 shouldn't ever be routed by anyone unless IBM changes their mind and decides to route it.

-Jack

Thus spake "Stephen J. Wilcox" <steve@telecomplete.co.uk>

> N companies can have up to N(N-1) interconnections, which requires
> either:
> a) double NAT, with a single address range for all interconnects
> b) no NAT, with a unique address range for each interconnect
> c) very careful management of the RFC1918 space such that no two
> companies talking have a collision
> d) globally unique addresses for each participant using RIRs
>
> (c) simply doesn't work in reality, (b) is no better than (d), and (a)
> is beyond ugly not to mention incompatible with many apps.

> Only because everyone seems to use 10.0.0.x ... of course if you
> only followed the guidelines, rtfm!

If I need several thousand subnets, and my business partners need several
thousand subnets each, then odds are we're going to collide if there's no
entity coordinating things -- and that doesn't consider all of my business
partners' partners.

Gosh, what you need is an Internet Assigned Numbers Authority to make sure
no two organizations used the same part of the address space. I bet you
could devise a system where organizations applied for the amount of space
they need, which would be verified by an impartial authority, and the
results would be published in a whois server. Of course, this sounds like a
lot of work, so you'd probably establish regional registries to do this...

Either you use globally unique addresses, or you use NAT. It's that simple.
No other solution scales.

> I don't know the policies very well but are you sure they can't revoke
> dead allocations? For RIR-assigned space I thought this was covered,
> so your issue was with the legacy pre-RIR swamp?

Under current reclamation programs, an unannounced legacy allocation is only
reclaimed if the tenant organization fails to respond. There is no process
for revoking a legacy allocation that is in use, whether announced or not,
whether efficiently used or not. Likewise, I am not aware of ARIN revoking
any non-legacy allocations for any reason other than failure to pay
rent^Wfees.

> And it can't be that big a deal to make legacy blocks fall into the
> new rules...

You might as well revoke all pre-RIR allocations, it'd be a lot simpler than
doing the research to find 99% of them don't meet RFC2050 requirements.
Now, you can debate the ethics of requiring new organizations to meet a
different standard, but that's another thread.

S

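As an added example (not from the thread), here is a small Python check for the collision problem Wilcox and Sprunk are arguing about above: given each partner's RFC1918 address plan, it finds every pair of organisations whose prefixes overlap, and it also shows the RFC1918 advice Wilcox quotes of drawing sub-blocks at random from the pool rather than starting at 10.0.0.0. The organisation names and prefixes are constructed sample data.

```python
"""Collision check for partner RFC1918 address plans (added example)."""
import random
from ipaddress import ip_network
from itertools import combinations

# Constructed sample plans. Two organisations both started numbering at the
# bottom of 10/8, the habit the thread complains about; the third picked a
# block further up the pool.
SAMPLE_PLANS = {
    "bank-a": ["10.0.0.0/16", "10.1.0.0/16"],
    "bank-b": ["10.0.10.0/24", "10.200.0.0/16"],
    "broker-c": ["10.137.0.0/16"],
}


def find_collisions(plans):
    """Return (org_a, org_b, prefix_a, prefix_b) for every overlapping pair.

    Any overlap between two partners means a NAT-free interconnect between
    them is impossible: the same address would exist on both sides.
    """
    nets = {org: [ip_network(p) for p in prefixes]
            for org, prefixes in plans.items()}
    hits = []
    for org_a, org_b in combinations(sorted(nets), 2):
        for a in nets[org_a]:
            for b in nets[org_b]:
                if a.overlaps(b):
                    hits.append((org_a, org_b, str(a), str(b)))
    return hits


def can_all_interconnect(plans):
    """True when every pair of organisations could peer without NAT."""
    return not find_collisions(plans)


def random_plan(count, prefixlen=16, seed=0, pool="10.0.0.0/8"):
    """Follow the RFC1918 advice quoted in the thread: draw `count` distinct
    sub-blocks of `prefixlen` bits at random from the private pool instead
    of handing out 10.0.0.0, 10.1.0.0, ... in order."""
    rng = random.Random(seed)
    blocks = list(ip_network(pool).subnets(new_prefix=prefixlen))
    return [str(b) for b in rng.sample(blocks, count)]


if __name__ == "__main__":
    for hit in find_collisions(SAMPLE_PLANS):
        print("collision: %s %s overlaps %s %s" % hit)
    print("random plan:", random_plan(4))
```

Random selection only lowers the odds; once each partner holds thousands of subnets the check above still has to be run before every new interconnect.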

An example covering this exact case: 9.0.0.0/8 is such a space, owned by IBM.

Some illicit use documented at www.ris.ripe.net :

9.184.112.0/20
9.186.144.0/20, both from AS 3786 (dacom.co.kr, bora.net), since at
least 2002/12/26.

IBM confirmed the bogosity of these announcements on 04/07, the routes
got withdrawn on 04/14.

Kai Schlichting wrote:

> An example covering this exact case: 9.0.0.0/8 is such a space, owned by IBM.
>
> Some illicit use documented at www.ris.ripe.net :
>
> 9.184.112.0/20
> 9.186.144.0/20, both from AS 3786 (dacom.co.kr, bora.net), since at
> least 2002/12/26.
>
> IBM confirmed the bogosity of these announcements on 04/07, the routes
> got withdrawn on 04/14.

Actually, IBM confirmed that any announcements from 9/8 were guaranteed to be bogus. IBM uses 9/8 internally. They use NAT to convert 9/8 addresses back to routed addresses. One can imagine that IBM has a large internal network globally with interconnects to various partners. Yet many companies have found that utilization of NAT when communicating with the public networks is a sound addition to security.

Private peering follows different rulesets than public. Many respectable organizations still don't understand that you can peer privately without exporting each other's advertisements in order to save expenditures to third parties when transiting traffic between the two networks. Security precautions are also treated differently. What you would offer a partner sometimes exceeds the access you'd allow the public.

While there are benefits to registering space that isn't routed on the public network, such space needs to be declared as such. Until that time, people will continue to hijack those networks and use them for their own ends.

-Jack
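As an added example (not from the thread, and not any route collector's real output format), here is a Python detector for the case Kai and Jack describe: announcements that fall inside space whose holder has declared it must never appear in the public table. 9.0.0.0/8 is the one declared block, taken from the thread; the announcement feed is constructed and modelled on the two prefixes reported above, and the RFC1918 blocks are checked as well since they can never be legitimate public announcements either.

```python
"""Flag announcements of declared-unrouted or private space (added example)."""
from ipaddress import ip_network

# Blocks whose holder has stated they must never be announced publicly.
# Constructed list; 9.0.0.0/8 is the case discussed in the thread.
DECLARED_UNROUTED = [ip_network("9.0.0.0/8")]

# RFC1918 space can never be a legitimate public announcement either.
RFC1918 = [ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample feed, "<prefix> <origin AS>" per line. The first two
# lines mirror the prefixes reported in the thread; the others use the
# documentation prefixes and ASNs and stand in for ordinary announcements.
SAMPLE_ANNOUNCEMENTS = """\
# prefix          origin
9.184.112.0/20    3786
9.186.144.0/20    3786
192.0.2.0/24      64496
10.0.0.0/8        64497
198.51.100.0/24   64496
"""


def parse_announcements(text):
    """Parse the simplified feed into (IPv4Network, origin_as) tuples,
    skipping blank lines and '#' comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, origin = line.split()
        rows.append((ip_network(prefix), int(origin)))
    return rows


def flag_bogus(rows, unrouted=None):
    """Return (prefix, origin_as, covering_block) for each announcement that
    sits inside a declared-unrouted block or inside RFC1918 space. A hit is
    something to verify with the block's holder, as happened with 9/8."""
    blocks = list(DECLARED_UNROUTED if unrouted is None else unrouted) + RFC1918
    hits = []
    for prefix, origin in rows:
        for block in blocks:
            if prefix.subnet_of(block):
                hits.append((str(prefix), origin, str(block)))
                break
    return hits


if __name__ == "__main__":
    for prefix, origin, block in flag_bogus(parse_announcements(SAMPLE_ANNOUNCEMENTS)):
        print("bogus: %s from AS%d lies inside non-routed %s" % (prefix, origin, block))
```

The declared-unrouted list is the part Jack says is missing today: the check only works once holders publish which of their registered blocks should never be routed.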

Kai Schlichting wrote:
> An example covering this exact case: 9.0.0.0/8 is such a space, owned by IBM.
>
> Some illicit use documented at www.ris.ripe.net :
>
> 9.184.112.0/20
> 9.186.144.0/20, both from AS 3786 (dacom.co.kr, bora.net), since at
> least 2002/12/26.
>
> IBM confirmed the bogosity of these announcements on 04/07, the routes
> got withdrawn on 04/14.

> Actually, IBM confirmed that any announcements from 9/8 were guaranteed
> to be bogus. IBM uses 9/8 internally. They use NAT to convert 9/8
> addresses back to routed addresses. One can imagine that IBM has a large
> internal network globally with interconnects to various partners. Yet
> many companies have found that utilization of NAT when communicating
> with the public networks is a sound addition to security.

Further to my earlier post.. a large global private network requiring unique
space at many sites, they use 9/8 .. why not use 10/8 ??? (renumbering reasons
aside that is!)

Recall the counter argument from Stephen Sprunk was that it needed a per site
allocation from a registry, and yet these guys are managing just fine without
it!

Steve

Stephen J. Wilcox wrote:

> Further to my earlier post.. a large global private network requiring unique
> space at many sites, they use 9/8 .. why not use 10/8 ??? (renumbering reasons
> aside that is!)
>
> Recall the counter argument from Stephen Sprunk was that it needed a per site allocation from a registry, and yet these guys are managing just fine without it!

IBM uses the registry. They are allotted a 9/8, even if it is legacy. I do not know what addressing peers to the IBM networks use. I presume that some of them are not 9/8 addressing.

-Jack

Stephen

And in the event the owner can't be contacted? And if contact is
successful, and the owner says "I'm just holding on to it because I like
have 10 /24s" or, worse, he gets the clue and just starts advertising the
space, without using it? Then we have both address space waste and routing
table bloat...

- dan

> And in the event the owner can't be contacted? And if contact is

Figure out a plan B..

> successful, and the owner says "I'm just holding on to it because I like

Request they conform to the new administration

> have 10 /24s" or, worse, he gets the clue and just starts advertising the
> space, without using it? Then we have both address space waste and routing

Again, work out a plan and request they conform..

These are actions you can develop plans for, and whatever happens you increase
your knowledge and remove a little more of the unknown swamp..

Steve

> Further to my earlier post.. a large global private network requiring
> unique space at many sites, they use 9/8 .. why not use 10/8 ???
> (renumbering reasons aside that is!)

One reason apart from renumbering: before VPNs were a popular phrase, IBM had a large multinational secure private IP network that many IBM customers used to connect their various sites, and interconnect to vendors and such. Unsurprisingly, IBM also used this network to connect sites together (before they built a separate Intranet network) - and so global uniqueness was needed.

> Recall the counter argument from Stephen Sprunk was that it needed a per
> site allocation from a registry, and yet these guys are managing just
> fine without it!

There is a per-site allocation from a registry, just an IBM internal one.
There is a vast difference between managing uniqueness within an organisation (however large and unwieldy), and managing uniqueness between organisations.

(Yes, NAT, ipsec tunnels, ipv6 blah blah blah would be better, but why isn't everyone here completely switched over to ipv6?)

Thus spake "Richard Irving" <rirving@onecall.net>

> There are companies that connect to thousands of other companies
> (see the financial markets) that require unique addressing between
> companies with non-colliding address ranges. 10.x.x.x doesn't
> quite cut it.

> This is not an acceptable excuse to burn PI space.

> There are plenty of other Iana-L available... try using an obscure one.

If RIRs want to claim their allocations aren't guaranteed to be routable,
that must mean they are willing to make allocations for non-routed use.
Furthermore, there is nothing in the ARIN allocation policies requiring a
member to actually announce all of his allocations on the public Internet.

You're welcome to propose new RIR policies, but the reality today is that
globally unique addresses can be and are allocated for private use.

S


No, I am not proposing a new ARIN addressing scheme...

   This was a standard I am quoting from memory, way back...

  I too had asked for unique space that wasn't going to be
routed, and received a "Sorry, ARIN only allocates addresses
that are going to be used on the -=Internet=-." response....

   I didn't invent the perspective, just "parroted" it.

Stephen Sprunk wrote:

Thus spake "Stephen J. Wilcox" <steve@telecomplete.co.uk>

> Actually, IBM confirmed that any announcements from 9/8 were
> guaranteed to be bogus. IBM uses 9/8 internally. They use NAT to
> convert 9/8 addresses back to routed addresses. One can imagine
> that IBM has a large internal network globally with interconnects to
> various partners. Yet many companies have found that utilization of
> NAT when communicating with the public networks is a sound
> addition to security.

> Further to my earlier post.. a large global private network requiring
> unique space at many sites, they use 9/8 .. why not use 10/8 ???
> (renumbering reasons aside that is!)

Because they expose subnets of 9/8 to customers of their data-processing
services and assign 9/8 addresses to customers as well if needed. Those
customers are likely to be using 10/8 themselves, so a different block is
the only scalable solution not involving double NAT.

> Recall the counter argument from Stephen Sprunk was that it needed
> a per site allocation from a registry, and yet these guys are managing
> just fine without it!

Read my post again; IBM is a perfect example of using public addresses for
private purposes, which I found to be the preferred option (vs NAT).

S


Thus spake "Richard Irving" <rirving@onecall.net>
> > There are companies that connect to thousands of other companies
> > (see the financial markets) that require unique addressing between
> > companies with non-colliding address ranges. 10.x.x.x doesn't
> > quite cut it.
>
> This is not an acceptable excuse to burn PI space.
>
> There are plenty of other Iana-L available... try using an obscure one.

> If RIRs want to claim their allocations aren't guaranteed to be routable,
> that must mean they are willing to make allocations for non-routed use.

Hmm, I don't believe the inverse is true, not guaranteed to be routable refers to
them making no guarantees on the policies of ISPs with regards to prefix length
filtering etc and not guaranteeing that to possess IPs means you can connect to
the Internet without doing everything else an ISP should do.

Making allocations for non-routed use is not the same and a separate question.

Steve

Thus spake "Daniel Golding" <dgold@FDFNet.Net>

> And in the event the owner can't be contacted? And if contact is
> successful, and the owner says "I'm just holding on to it because I like
> have 10 /24s" or, worse, he gets the clue and just starts advertising the
> space, without using it? Then we have both address space waste and
> routing table bloat...

While that is certainly problematic, it's just not worth dealing with until
all of the truly unused space is reclaimed or voluntarily returned AND we
have run out of new space to assign.

Most people will Do The Right Thing when given the chance. Case in point:
about 6 years ago, I emailed the contacts for every unrouted block within a
particular swamp /16. The overwhelming majority offered to give (not sell)
the block to me, a few didn't respond, and a couple dozen indicated they
were using or planning to use the block in the near future. I dropped the
project, having more important things to do, but I figure I could have
snatched up a sizeable portion of the swamp just by asking. Too bad ISI got
into the game before I thought of it again :wink:

S
