who gets a /32 [Re: IPV6 renumbering painless?]

Thus spake "Iljitsch van Beijnum" <iljitsch@muada.com>

Don't have "real connectivity"?

That's right. If you need internet access, you need it to be faster than 16 kbps.

Who said the only purpose of IP was to connect to the Internet?

Not me. But if you don't connect to the internet you don't contribute to the global routing table so there is no issue. :slight_smile:

The point is, that these days applications such as mail and web are sufficiently heavy that you can't even run them cost effectively over dial up (wasting your employee's time costs more than the fatter line) let alone less.

That assumes the company wants their employees using web or email, or that there are even humans at a site to begin with. Pipeline control systems, weather stations, cash registers, credit card machines and ATMs, warehouse inventory scanners, stock exchanges, etc. have no need to _directly_ talk to the outside world. People in customer-facing roles, like those at banks or airports, are not supposed to be surfing the web or even doing email at work. Many companies are still using green-screen apps or graphical applications that have a measured per-terminal average of under 1kbps; I ran into one company tunneling 9600bps serial over X.25 over IP -- ugly, but it worked for thousands of terminals.

However, all of these low-bandwidth hosts in far-off lands talk to a corporate datacenter somewhere, perhaps their own or a vendor's or customer's, and those hosts often talk to several other hosts who might also need (or at least have) access to the Internet. The options are NAT, ULAs, or PI space; total cost of implementation seems lowest for ULAs.

In my experience, they will announce the aggregate from all hub sites plus more-specifics for that hub and the sites directly connected to it. Traffic that comes into the wrong hub due to prefix length filters (or Internet outages) is back-hauled inside the corporate backbone.

It would be interesting to see some good statistics on this stuff. However many enterprises any of us has seen from the inside, it's still unlikely to be a statistically relevant sample.

An unfiltered BGP feed should give you stats on what's quoted immediately above. If you want numbers of publicly-invisible hosts, even if you knew who to ask most would refuse to answer for "security reasons" or require an NDA. My best guess, having been on the inside at a few dozen enterprises, is that they number in the high millions to low tens of millions today. In five years, it'll be in the mid tens of millions as more and more new hardware comes with IP connectivity built-in and legacy apps are gradually updated.

S

Stephen Sprunk "God does not play dice." --Albert Einstein
CCIE #3723 "God is an inveterate gambler, and He throws the
K5SSS dice at every possible opportunity." --Stephen Hawking
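As an added illustration of the announcement pattern described in the post above (aggregate from every hub, more-specifics only for the sites behind each hub, back-haul when an upstream's prefix-length filter hides the more-specifics); this is example code, not from the thread or any participant, and the /32 aggregate, hub names and the upstream's filter length are constructed assumptions:

```python
import ipaddress

# Constructed topology (assumed, not from the thread): one enterprise
# aggregate, two hub sites, each announcing the aggregate plus the /48s
# of the sites directly connected to that hub.
AGGREGATE = ipaddress.ip_network("2001:db8::/32")
HUB_ANNOUNCEMENTS = {
    "hub-east": [AGGREGATE, ipaddress.ip_network("2001:db8:10::/48"),
                 ipaddress.ip_network("2001:db8:11::/48")],
    "hub-west": [AGGREGATE, ipaddress.ip_network("2001:db8:20::/48"),
                 ipaddress.ip_network("2001:db8:21::/48")],
}

def build_table(announcements, max_prefixlen=128, nearest_hub=None):
    """Prefix -> hub table as an upstream sees it after a prefix-length
    filter: anything longer than max_prefixlen is dropped. When several
    hubs announce the same prefix, nearest_hub stands in for the
    upstream's closest-exit choice (otherwise the first announcer wins)."""
    table = {}
    for hub, prefixes in announcements.items():
        for p in prefixes:
            if p.prefixlen > max_prefixlen:
                continue
            if p not in table or hub == nearest_hub:
                table[p] = hub
    return table

def lookup(table, addr):
    """Longest-prefix match: the most specific covering entry wins."""
    addr = ipaddress.ip_address(addr)
    best = None
    for p, hub in table.items():
        if addr in p and (best is None or p.prefixlen > best[0].prefixlen):
            best = (p, hub)
    return best

def deliver(dst, max_prefixlen, nearest_hub):
    """Path of a packet arriving from the Internet: the hub the upstream
    hands it to, the hub that finally serves it, and whether the
    corporate backbone had to back-haul it between the two."""
    external = build_table(HUB_ANNOUNCEMENTS, max_prefixlen, nearest_hub)
    entry_hub = lookup(external, dst)[1]
    internal = build_table(HUB_ANNOUNCEMENTS)  # backbone sees every /48
    final_hub = lookup(internal, dst)[1]
    return (entry_hub, final_hub, entry_hub != final_hub)

if __name__ == "__main__":
    # Upstream accepts /48s: the more-specific wins, no back-haul needed.
    print(deliver("2001:db8:20::1", 48, "hub-east"))  # ('hub-west', 'hub-west', False)
    # Upstream filters longer than /32: only the aggregate is visible, the
    # packet enters at the nearest hub and is back-hauled to hub-west.
    print(deliver("2001:db8:20::1", 32, "hub-east"))  # ('hub-east', 'hub-west', True)
```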

>So a single large address block is of little use to such an organization,
>unless they get to announce more specifics all over the place.

This seems to imply several things:
- when having lots of sites, you typically want to obtain local
   Internet connectivity, because transporting all the traffic over
   links or VPNs is a pretty heavy business

  this is an assertion which many have claimed is false,
  based on empirical evidence.

- you don't want to backhaul all the traffic in the internal network
   / VPNs, so you'll either need to announce a lot of more specifics
   or use IP addresses from local internet providers

  this is also an assertion based on a false premise.

The point is, that these days applications such as mail and web are sufficiently heavy that you can't even run them cost effectively over dial up (wasting your employee's time costs more than the fatter line) let alone less.

That assumes the company wants their employees using web or email, or that there are even humans at a site to begin with.

No it doesn't, but if this is not the case, then this clause kicks in:

if you don't connect to the internet you don't contribute to the global routing table so there is no issue. :slight_smile:

It would be interesting to see some good statistics on this stuff. However many enterprises any of us has seen from the inside, it's still unlikely to be a statistically relevant sample.

An unfiltered BGP feed should give you stats on what's quoted immediately above. If you want numbers of publicly-invisible hosts, even if you knew who to ask most would refuse to answer for "security reasons" or require an NDA.

No, that's not what I'm interested in. What I'd like to know is how many big organizations backhaul their internet traffic to one or a few central sites, and how many connect to one or more ISPs locally at different sites.

Not necessarily true. I live in California. However, 703-842-5527 is a
valid phone number for me. It even worked for me while I was in Puerto
Vallarta, Mexico. I can take that number pretty much any where in the
world, whether temporarily, or, even if I move there.

This isn't just a US phenomenon. Companies like
http://www.telphin.com/numbers.php
are selling this kind of number portability in other countries.
And I remember some Australians were routing US phone numbers
to their mobiles back in 1997.

Clearly, telephone numbers are now being treated as
names rather than addresses. The technical issues
we should be concerned with are down at the address
level. Could continental aggregation be a way of
reducing the size of the so-called global routing
table so that the table can accommodate a larger number
of specifics within the continent?

Alex Bligh raised the spectre of GRE tunnels to
redirect traffic to the right location. Could this
be done by simply readdressing the packets? Is this
even relevant in a world that runs IPv4 and IPv6
over MPLS? After all MPLS is designed to swap and
pop destination labels to route and reroute packets
through the network.

In a real-world network perhaps we should accept
that some problems will be solved outside of
IPv6.

--Michael Dillon

No, that's not what I'm interested in. What I'd like to know is how many
big organizations backhaul their internet traffic to one or a few central
sites, and how many connect to one or more ISPs locally at different
sites.

I believe there are enough examples of each that neither can be ignored.
I also believe that the former is growing vs. the latter.

Owen

Care to offer a couple of examples of this empirical evidence ?

>> Internet connectivity, because transporting all the traffic over
>> links or VPNs is a pretty heavy business
>
> this is an assertion which many have claimed is false.
> based on empirical evidence.
>
Care to offer a couple of examples of this empirical evidence ?

  attached. care to provide counter examples?

--
Pekka Savola "You each name yourselves king, yet the

  well... postings to the list indicate cisco only has
  four egress points, from my experience, Texas Instruments,
  Dupont, EDS, and several others for which the NDA holds.
  all these enterprises have substantial corporate networks
  and few egress points into the commodity Internet.

  you might look at Apple, HP, Sony, LG, Brown&Root, Citi,
  Microsoft, BAE, Airbus, ING, etc...
  and consider why these folks would use the commodity
  internet to move around their corporate data.

  or perhaps you are modeling a different enterprise?

--bill

While I would never argue there are companies who do not push internal data over the Internet, I am surprised you think that proves no company pushes internal data over the Internet.

As for counter examples, I know of a few, but confidentiality does not allow me to discuss corporate network topology on a public mailing list. Does this mean it never happens (i.e. I am lying)? If you believe that, so be it. However, the facts are still the facts, no matter what your belief is.

Well you'll have to get some kind of link unless you don't want to
move packets. Leave it up to the business case to dictate your
connection type. At least on the topic of backhauling traffic over the
vpn, it's really no worse than having all your offices connect back to
the central site in plaintext. Crypto is cheap these days.

When my 133MHz home firewall can push 50Mbps down the vpn with a $70
crypto board, there's no way a simple VPN can be considered "pretty
heavy business". Look at all the CPU vendors squawking about on-die
crypto (to say nothing of the vendors of crypto cards). There are a
number of decent vendors of VIA C3 based systems without any need for
moving parts that'll give you full duplex crypto on 3 100mbit links
with processor time and bus cycles to spare.

/me waits for Henning to say something about openbsd and C3's...

I have worked for multiple enterprises where both of the statements below
were false. There are many enterprises which run their own backbones,
have internet access at some subset of their sites, and, backhaul all
traffic on their own backbone to enforce policy at the internet borders.
Some of them use internet based VPNs as part of their backbone, but, in
those cases, most have forced ALL traffic leaving the site through the VPN,
so, users at the site have no direct or independent internet access. The
VPN terminators are, in those cases, usually on PA space. The office network
is usually either RFC-1918 or PI space depending on the enterprise.
All of the enterprises with which I am familiar would prefer PI space to
RFC-1918, but, because of IPv4 limitations, some accepted 1918. Most will
not accept a 1918-like solution in v6.

I cannot name the enterprises because of NDA issues, but, there are at least
10 that I know of that expect to go to PI space in v6.

Owen

While I would never argue there are companies who do not push internal
data over the Internet, I am surprised you think that proves no company
pushes internal data over the Internet.

  i don't. my assertion is that there are significant networks
  that don't ever touch what we think of as the "internet" but
  still use IP to push datagrams around... and attempting to
  marginalize them as "fringe" networks that must use non-global
  addresses is, imho, arrogant at best.

As for counter examples, I know of a few, but confidentiality does not
allow me to discuss corporate network topology on a public mailing
list. Does this mean it never happens (i.e. I am lying)? If you
believe that, so be it. However, the facts are still the facts, no
matter what your belief is.

  i know quite a few as well, the NDA still holds.

Ahhhh, my apologies. We are in agreement, and I thought otherwise.

I'll try to read more carefully next time. :slight_smile:

I'm not sure anyone is marginalizing them.

The point is just whether those very big, international networks are advertising the same aggregate in all the places they (publicly) connect to the net, and no more specifics anywhere.

I.e., what I'd like to see is a couple of examples of international big enterprises which would not need to advertise the more specifics to the Internet anywhere. How rare is this?

Pekka,
All of the examples I referenced (which I unfortunately cannot name
due to NDA) fit exactly the model you are referring to. They advertise a small
number of prefixes from a small number of sites to cover a very large and
diverse number of sites. They advertise the same set of prefixes from the
same ASN in each of those sites. In cases where they are using VPN for
backbone, they use PA space for the VPN terminators and do not advertise
more specifics to accommodate this.

Hope that helps.

Owen

And don't forget that you still have to change your phone number when you move a great enough distance. In IP we somehow feel it's important that there are no geographical constraints on address use at all. That's a shame, because even if we aggregate by continent that would save up to four times in the number of entries in the routing table of any router.

Then why were geographic-based aggregated IPv6 addresses disposed of? Geographic-based addresses can solve the aggregation quite nicely.

The general objection (apart from incorrect assumptions based on old incomplete work) is that network topology and geography don't correlate. My counter-objection is that the correlation doesn't have to be 1 to be able to take advantage of it when it's present.

Unfortunately the uniqueness can be problematic....

How do you mean?

On the other hand, unless you have some way to *enforce* a higher correlation
than we already have, how do you propose to get a better result than we
currently (mostly accidentally) get via CIDR aggregation?

For instance, 212.x.y.z is "known" to be on one continent, and so on - but
how do you leverage that into a 212/8 routing entry?

> That's right. If you need internet access, you need it to be faster than
> 16 kbps.

Who said the only purpose of IP was to connect to the Internet? 16kbps is
the lowest I've seen only because that's the smallest you can buy in the FR
world (Sprint's 0kbps PVCs aside). Many businesses were fine (and still

4k and 8k PVCs are available (and in use) in some regions. I have seen
them in Africa and southern Asia mainly.

> As far as I can tell, it's pretty rare for an organization of this size to
> have
> their own IP network that they use to connect all their sites to the
> global
> internet, for the simple reason that leased lines, framerelay or ATM

It is quite possible to use these links to connect sites
to the internet. Not for surfing mp3-sites maybe, but having a
terminal session to some other business partners
machine. The corporate mainframe world allows for many things on small
bandwidth, even if some providers don't like it. :wink:

> capacity is generally more expensive than IP connectivity.

At higher bw levels, that might be true, but at sub-T1 rates FR/ATM are
often cheaper to build your own network and certainly offer lower latency
and higher reliability; ditto for outside major cities, where FR/ATM
typically offers a zero-mile loop whereas IP connections may need to be
backhauled a hundred miles or more. If T1 Internet pipes are cheaper at a

Service levels on the Internet suck. That's the main reason not to use
it for anything important. If my frame-connection fails I open my hand and
my provider pays a lot until it works again. If "the Internet fails", I
have no one I can squeeze the money out of.

That massively increases an FR provider's motivation to have their network
running. Penalties can never make up for a lost connection (no
provider has enough cash at hand) but it is a nice PART (P=Provider).

particular location, some people may choose to tunnel their corporate
network over it, but that is typically _all_ traffic, not just internal
traffic.

Centralized Internet gateways are common practice. Everything has to go
through these (and their filters, Virus Scanners, whatnot).

There's also a security motivation as well: it's much simpler to maintain a
couple firewalls at central sites (with technical staff present) than to
manage thousands out at every site with a handful or even zero human users
which may not even be allowed Internet access in the first place.

Especially with users having physical access to the firewalls.
Security-wise you do not want that, but if you have Internet access in
each location users can just bypass the firewall too easily.

With a framerelay network they can plug in something else to the
wall but won't get anywhere else than with their normal equipment, so they
do not do it due to the lack of advantage.

Nils

The forklift driver in some random warehouse does not need email. All
he needs is his barcode scanner to send an 8-digit number over the
line every one or two minutes and get an equal
length reply telling him where to haul the box whose barcode he just
scanned.

Nils

Yeah right. That's why Worldcom's frame-relay network was "unusable" for
about 10 days and took out part of the Chicago Board of Trade electronic
trading system.

What's interesting is most major providers' Internet service SLA is
often better than their SLA for other services, including TDM. If
your Internet service has problems (not just down) you may get from 0%
to 100% or more credit. But if your circuit is down, it doesn't really
matter. Of course, your SLA probably depends a lot on how much you
normally pay the provider. If you are buying an oc48c, you'll probably
pay for a different SLA than the modem dialup account.

and to be fair it might have actually been MCI's network at that time,
with name changes though I'm losing track... not EVERYTHING is worldcom's
fault :slight_smile: