[Re: http://tools.ietf.org/search/draft-hain-ipv6-ulac-01]

and a very pleasant evening.

a few questions.

IPv6 on your radar?
Looking at options for addressing your future v6 needs?

Have you looked at the IETF/ID in the subject line?

if you think something like this is a good idea, worth
pursuing, I'd like to hear from you.

--bill

While I think this is an improvement, unless the distribution of ULA-C is no cheaper
and no easier to get than GUA, I still think there is reason to believe that it is likely
ULA-C will become de facto GUA over the long term.

As such, I still think the current draft is a bad idea absent appropriate protections in
RIR policy.

Owen

I see a need for stable, permanent blocks of addresses within an organization. For example, a branch office connecting to a central office over VPN: firewall rules need to be predictable. If the branch office's IPv6 block changes, much access will break. This is directly analogous to how RFC1918 space is used today in such environments.

There is a need to have organizations be able to either self-assign or RIR-assign space that they own and can use without trouble within their network. That address space need not be routable on the public networks.

In general I think this draft has merit.

Unique Local Addresses, of which the linked draft is specifying a subset,
were specified in RFC4193, published in October 2005. They meet all the
requirements you've stated. You might also want to have a look at
RFC3879, "Deprecating Site Local Addresses" for the reasons why IPv6
Site Local addresses, the direct IPv6 equivalent of RFC1918 addresses,
were deprecated. Many of the reasons provided also apply to using IPv4
RFC1918 addresses.

This draft is about a centralised registry for one half of the ULA
space. It is debatable whether it is necessary, as ULAs shouldn't leak
out of a site using them. The major concern is that if they are
globally registered, then some people will start believing that
they can use them as global addresses, and start demanding other
parties such as their ISP or IXes route them, instead of getting
proper global addresses for that purpose. As an example of the risks, an
informal registry for non-central ULAs has been created at sixxs.net.
As a single ULA /48 should be enough for most organisations, looking at
the list, it seems that some people are already attempting an addressing
'land grab'. I can't even reach the website of one of the people who has
registered 7 /48s. It's a bit hard to believe he has a large enough
network to need 458 752 subnets ...

http://www.sixxs.net/tools/grh/ula/list/

I think the fact that people have listed them there also means that
they now think they globally 'own' those addresses, and should
there be a (very unlikely) collision, would argue that the address
space was theirs first and point to that list. While duplicated ULAs
shouldn't happen, it shouldn't matter if it does, unless those two
organisations want to interconnect directly.

ULAs are meant to be stable addressing for inside of your network.
They are not meant to be leaked outside your network under most
circumstances. The only time routes for your ULA address space
may appear outside of your network is if you have a direct link to
another organisation (i.e. a backdoor link), and you want to avoid
using your Internet transit to reach them and vice-versa. In BGP terms,
when you announce some of your ULA address space to the other
organisation, you'd attach a NO_EXPORT community.

Regards,
Mark.

I agree with owen, mostly... except I think we should just push RIRs
to make GUA accessible to folks that need ipv6 address space,
regardless of connectivity to the greater 'internet' (for some
definition of that thing).

ULA of all types causes headaches on hosts, routers, etc. There is no
reason to go down that road, just use GUA (Globally Unique Addresses).

-Chris

Failure to provide a ULA mechanism will result in self assignment from the spaces not yet made available for allocation. Down that road we will find history repeating itself.

The reason I see a use in ULA-C is to ensure there is a way for cooperating organizations (whether within or between enterprises) to have addressing that will not overlap for private interconnects. If the RIRs will give out the space to end users and not charge a fortune for it, there may be a chance of that working. It is less clear whether this is within the business model or mission of the RIRs, though, to hand out very small chunks of address space to a very large number of organizations for address space that will not be routed.

Of course if the ULA approach does gain acceptance, you'll have a LOT easier time deciding which blocks of addresses to permit and deny in your BGP sessions and packet filters on your borders.

See RFC 1814. Fun how history repeats itself.

Regards,
-drc

>>> While I think this is an improvement, unless the distribution of ULA-C is no cheaper
>>> and no easier to get than GUA, I still think there is reason to believe that it is likely
>>> ULA-C will become de facto GUA over the long term.
>>>
>>> As such, I still think the current draft is a bad idea absent appropriate protections in
>>> RIR policy.
>>
>> I agree with owen, mostly... except I think we should just push RIRs
>> to make GUA accessible to folks that need ipv6 address space,
>> regardless of connectivity to the greater 'internet' (for some
>> definition of that thing).
>>
>> ULA of all types causes headaches on hosts, routers, etc. There is no
>> reason to go down that road, just use GUA (Globally Unique Addresses).
>>
>> -Chris
>
> Failure to provide a ULA mechanism will result in self assignment from the spaces not yet made available for allocation. Down that road we will find history repeating itself.
>
> The reason I see a use in ULA-C is to ensure there is a way for cooperating organizations
> (whether within or between enterprises) to have addressing that will not overlap for private
> interconnects. If the RIRs will give out the space to end users and not charge a fortune for
> it, there may be a chance of that working. It is less clear whether this is within the

define 'fortune' ? I think currently for a PI /48 it's 1250/yr right?
So... the cost (less really) of a laptop for your newest employee per
year, basically.

That seems quite reasonable (to me). Is that in the range you feel is
acceptable?

> business model or mission of the RIRs, though, to hand out very small chunks of address
> space to a very large number of organizations for address space that will not be routed.

'not be routed' .... I think the RIRs should assign ip space, they
have no idea (and no control) over where/what gets routed. They are a
uniqueness registry really, for ipv6.

> Of course if the ULA approach does gain acceptance, you'll have a LOT easier time
> deciding which blocks of addresses to permit and deny in your BGP sessions and packet
> filters on your borders.

PI for v6 comes from a set block in each RIR, eh?

-Chris

yes... for those less willing to search: "Unique Addresses are Good"

The abstract:
   The IAB suggests that while RFC 1597 establishes reserved IP address
   space for the use of private networks which are isolated and will
   remain isolated from the Internet, any enterprise which anticipates
   external connectivity to the Internet should apply for a globally
   unique address from an Internet registry or service provider.

This does seem to be pretty much exactly my point (their point I suppose)

Thx (as always drc)
-chris

@Chris, I agree with you. Perhaps its time for us to throw a proposal
into the hopper to do just that.

Owen

Yup. Back in the day, the folks who ran the RIRs (at the time) were a bit distressed at that IAB statement as we had seen the writing on the wall and were telling customers that due to the limited nature of IPv4, if you didn't want to connect to the Internet, you should use private addressing. It was a bit of a "War of RFCs" (1597, 1627, 1814, 1918).

My impression, which may be wrong, is that the primary driver for ULA-C is to avoid the administrative/cost overhead with entering into a relationship with the RIRs, particularly if there is no interest in connecting (directly) to the Internet. I guess I don't really see the harm...

Regards,
-drc
Speaking personally. Not representing anyone but myself. Really. No, REALLY.
(although this disclaimer doesn't appear to work for some folks who really should know better)

this is my take as well. The RIR system works quite well, esp for
  networks/networking based on the previous century's interconnection
  models. Its the best method for managing constrained resources, such
  as IPv4.

  something like ULA, esp the -C variant might be worthwhile as an alternative
  distribution channel, a way for folks who want to do novel things with
  networking/addressing that are not comprehended in the normal bottom-up
  processes of the RIR system. In your words, "avoid the administrative/cost
  overhead with entering(maintaining) a relationship with the RIRs"

  I see this proposal as a vector for innovative change.

--bill

> if you think something like this is a good idea, worth
> pursuing, I'd like to hear from you.

and for those of us who think this whack-a-mole is still a stupid idea,
where do we write?

randy

> I see a need for stable, permanent blocks of addresses within an
> organization.

yep. unicast ipv6 address space will do just fine.

randy

apparently the same place! thanks Randy.

--bill

>> While I think this is an improvement, unless the distribution of ULA-C is no cheaper
>> and no easier to get than GUA, I still think there is reason to believe that it is likely
>> ULA-C will become de facto GUA over the long term.
>>
>> As such, I still think the current draft is a bad idea absent appropriate protections in
>> RIR policy.
>
> I agree with owen, mostly... except I think we should just push RIRs
> to make GUA accessible to folks that need ipv6 address space,
> regardless of connectivity to the greater 'internet' (for some
> definition of that thing).
>
> ULA of all types causes headaches on hosts, routers, etc. There is no
> reason to go down that road, just use GUA (Globally Unique Addresses).

So what happens when you change providers? How are you going to keep
using globals that now aren't yours?

I'm also curious about these headaches. What are they?

That's not what I recollect when the site-local/ULA discussions were
going on in 2002. Specifically, ULA-Cs were to address the concern of
some people that the statistical possibility of collisions was too
high, and therefore they wanted to be assured of global ULA uniqueness
via central registry. The chance of collision is quite low - from
RFC4193, section 3.2.3,

" The following table shows the probability of a collision for a range
   of connections using a 40-bit Global ID field.

      Connections      Probability of Collision

             2           1.81*10^-12
            10           4.54*10^-11
           100           4.54*10^-09
          1000           4.54*10^-07
         10000           4.54*10^-05

   Based on this analysis, the uniqueness of locally generated Global
   IDs is adequate for sites planning a small to moderate amount of
   inter-site communication using locally generated Global IDs."

with 'connections' meaning backdoor links.

Traditional, non-ULA-Cs would do the job you're talking about fine.

Regards,
Mark.
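To make Mark's two points concrete (how a locally assigned ULA /48 is derived, how the fd00::/8 half differs from the fc00::/8 half the draft would register, why a border should drop fc00::/7 from transit, and where the RFC 4193 collision figures come from), here is an added Python example. It is not code from the thread, the draft or RFC 4193 itself; it implements the RFC 4193 section 3.2.2 algorithm and the section 3.2.3 birthday bound directly. The MAC address, the timestamp, the label strings and the `accept_at_border` policy are constructed for illustration, not taken from the page.

```python
"""
RFC 4193 ULA helpers (added example): generate a locally assigned /48,
classify a prefix (fd00::/8 locally assigned vs. fc00::/8 centrally
assigned vs. 2000::/3 global unicast), apply a border filter decision,
and reproduce the RFC 4193 section 3.2.3 collision probability table.
"""
import hashlib
import ipaddress
import math
import struct

ULA_LOCAL = ipaddress.IPv6Network("fd00::/8")    # fc00::/7 with L=1: locally assigned (RFC 4193)
ULA_CENTRAL = ipaddress.IPv6Network("fc00::/8")  # fc00::/7 with L=0: the half a central registry would hand out
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01


def ntp_timestamp(unix_time: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900, 32-bit fraction."""
    whole = int(unix_time)
    frac = int((unix_time - whole) * 2**32)
    return struct.pack("!II", (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def eui64_from_mac(mac: bytes) -> bytes:
    """Modified EUI-64 from a 48-bit MAC: insert ff:fe in the middle and flip the U/L bit."""
    if len(mac) != 6:
        raise ValueError("MAC must be 6 bytes")
    return bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:6]


def generate_ula_prefix(mac: bytes, unix_time: float) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: Global ID = least significant 40 bits of SHA-1(NTP time || EUI-64)."""
    digest = hashlib.sha1(ntp_timestamp(unix_time) + eui64_from_mac(mac)).digest()
    global_id = int.from_bytes(digest[-5:], "big")   # low 40 bits of the 160-bit digest
    prefix = (0xFD << 120) | (global_id << 80)        # fd (L=1) + 40-bit Global ID, Subnet ID left zero
    return ipaddress.IPv6Network((prefix, 48))


def classify(prefix: str) -> str:
    """Labels are this example's own, not RFC terminology."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.subnet_of(ULA_LOCAL):
        return "ula-local"
    if net.subnet_of(ULA_CENTRAL):
        return "ula-central"
    if net.subnet_of(GLOBAL_UNICAST):
        return "gua"
    return "other"


def accept_at_border(prefix: str, backdoor_peer: bool = False) -> bool:
    """Illustrative border policy: never accept fc00::/7 from transit; a directly
    connected backdoor peer is the one case where a ULA route may be accepted."""
    kind = classify(prefix)
    if kind == "gua":
        return True
    if kind in ("ula-local", "ula-central"):
        return backdoor_peer
    return False


def collision_probability(connections: int, global_id_bits: int = 40) -> float:
    """Birthday bound behind the RFC 4193 table: P = 1 - exp(-N^2 / (2 * 2^bits))."""
    n = connections
    return -math.expm1(-(n * n) / (2.0 * 2**global_id_bits))


def rfc4193_table() -> list:
    return [(n, collision_probability(n)) for n in (2, 10, 100, 1000, 10000)]


if __name__ == "__main__":
    # Constructed inputs: a made-up MAC and a fixed timestamp so the run is reproducible.
    sample = generate_ula_prefix(bytes.fromhex("001122334455"), 1234567890.5)
    print("generated ULA /48:", sample, classify(str(sample)))
    for n, p in rfc4193_table():
        print(f"{n:>6} backdoor links -> P(collision) = {p:.2e}")
    for pfx in ("fd12:3456:789a::/48", "fc00:1234::/48", "2001:db8::/32", "::1/128"):
        print(pfx, classify(pfx), "accept from transit:", accept_at_border(pfx))
```

Running it reproduces the five table rows to the precision RFC 4193 prints them, and shows that a generated prefix always lands in fd00::/8, so anything arriving from a transit session inside fc00::/7 (either half) can be rejected outright by the same filter.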

I'm so not creative enough to compose this whole missive in TLAs... perhaps some day.

Some bright bulb got tired of typing out "Globally Unique Addresses" and so started
using the TLA/GUA.

Which eventually got me to thinking. Technically, all IP addresses are globally unique.
There is only one of them. 172.14.3.42/32 is a GUA. There are however, two other
vectors which the community seems to want and we talk around them a whole bunch.
Perhaps we should explicitly make them part of the conversation.

) A GUA has a single authoritative chain of custody... e.g. the community recognizes
        that only Bill Manning's Bait and Sushi shoppe (AS 66,666) is authorized to
        inject routes for and sink traffic to 172.14.3.0/24
        The whole rPKI construct is built to support this idea. Now some prefixes are
        defined to -NOT- have a single authoritative chain of custody, witness RFC 1918.
        And NAT makes matters "fuzzier" ... bringing scoping into the mix - but I'll
        stick by the postulate that this single authoritative chain of custody is
        a key point in understanding how folk think of IP stewardship ... and
  (THIS IS IMPORTANT) ... there is this strong idea that a short custody chain
  is preferred over a long one.

) A GUA is temporally bound**... e.g. the community recognizes that for any given GUA, there
        is a temporal bounding on the chain of custody. DHCP is a canonical example for
        end/leaf sites, where GUAs are leased out for (comparatively) brief time periods.
        ISPs lease space to their clients for longer periods, and RIRs are (mostly) binding
        a chain of custody to annual cycles. For some legacy space, the temporal binding
        is of -much- longer duration.

so... I might argue that the IANA/RIR/LIR/Enterprise chain has the renumbering concern
that you raise, while an IPR/Enterprise chain is much shorter and has a smaller renumbering
concern.

and -IF- the premise and details of the draft are to be believed, then a delegation
from that space is just as much assured of global uniqueness as space from an RIR.

** The Temporally Unique Address/TUA !!!

There is a measured rate by RIRs and the like on the order of 10^-6 for
accidentally issuing duplicate integers (roughly approximated by 2 cases of
duplicate ASNs out of 300K routes + 30K ASNs). In other words, unless you
have over 1,000 or so backdoor links, you're more likely to get screwed over by
an administrative drone fscking up your paperwork than you are of a statistical
collision.

>>> While I think this is an improvement, unless the distribution of ULA-C is no cheaper
>>> and no easier to get than GUA, I still think there is reason to believe that it is likely
>>> ULA-C will become de facto GUA over the long term.
>>>
>>> As such, I still think the current draft is a bad idea absent appropriate protections in
>>> RIR policy.
>>
>> I agree with owen, mostly... except I think we should just push RIRs
>> to make GUA accessible to folks that need ipv6 address space,
>> regardless of connectivity to the greater 'internet' (for some
>> definition of that thing).
>>
>> ULA of all types causes headaches on hosts, routers, etc. There is no
>> reason to go down that road, just use GUA (Globally Unique Addresses).
>
> So what happens when you change providers? How are you going to keep
> using globals that now aren't yours?

use pi space, request it from your local friendly RIR.

> I'm also curious about these headaches. What are they?

do I use that ula-* address to talk to someone or another GUA address?
how do I decide? what about to business partners?

one address... much simpler, much less to screw up.

-chris