
RE: [ipv6-wg(_at_)ripe(_dot_)net] RE: /48 micro allocations for v6 root servers, was: national security

2003-12-13 10:41:34
-----BEGIN PGP SIGNED MESSAGE-----

Joao Damas [mailto:joao(_at_)isc(_dot_)org] wrote:

<BIG SNIP>

> No, no and definitely no!!!
>
> It is one thing to put all IXP prefixes in the same block, after all it
> does not matter if they are not seen in the global Internet as, in
> fact, they should not be visible.

My idea exactly, though some others think differently and
they have their valid reasons to do so.

> However, putting public infrastructure all in the same prefix
> is about the worst idea I have heard in some time. One hiccup
> would kill them all at the same time.

All the 'public infrastructure' is under 2000::/3 at the moment.
Do hiccups over there cause any problems? I mean, come on, even
Cisco (AS109 FYI) is passing prefixes through their routers that
have private ASNs as transits.

If they are all in the same prefix (/32 for instance) at least
people could safeguard and put monitoring on those prefixes as
they are easily identified as being 'critical infra', which is
the reason why it is currently separately specified in the RIR
allocation policies.

Next to that, if DNS servers are given a micro-allocation from that
/32, ISPs will know that it is normal and default behaviour
for that prefix, unlike the current set of a number of 'special'
prefixes that simply look like normal prefixes.

I really don't see any difference between:
 - 2001:db8::/32 = 1 NS
or:
 - 2001:db8::/32 = contains all NSs
    2001:db8:1::/48 - A.root
    2001:db8:2::/48 - B.root
    2001:db8:3::/48 - C.root
    2001:db8:2000::/48 - nl.tld
    2001:db8:3000::/48 - de.tld
    ....

The last ones are more specifics anyway; if anybody is able
to announce a /32 or a /48, it doesn't matter, it will always
be a BGP and trust problem. Same if I would announce, say,
198.41.0.0/22 on the AMS-IX to the peers over there: it will
have the shortest path and any ISP not filtering correctly
will start sending the traffic to me. That is a BGP security
and peering-trust problem and has nothing to do with the above.

Greets,
 Jeroen

-----BEGIN PGP SIGNATURE-----
Version: Unfix PGP for Outlook Alpha 13 Int.
Comment: Jeroen Massar / jeroen(_at_)unfix(_dot_)org / http://unfix.org/~jeroen/

iQA/AwUBP9tLICmqKFIzPnwjEQJaAgCeKFRi6JIAr9YW6o8Q0R89WNzUTQ8AoKxY
v0pH3CxlzoSBmcioQfkGbfzV
=7CTX
-----END PGP SIGNATURE-----
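
The monitoring the message says a single 'critical infra' /32 would make possible can be sketched as follows. This is an added example, not part of the original message: the registry contents, the origin ASNs (documentation ASNs from RFC 5398) and the verdict names are assumptions, and it assumes the /32 itself is never announced as an aggregate.

```python
import ipaddress

# Constructed registry: the /32 from the message and some of its /48
# micro-allocations, each mapped to an assumed expected origin ASN.
CRITICAL_BLOCK = ipaddress.ip_network("2001:db8::/32")
MICRO_ALLOCATIONS = {
    ipaddress.ip_network("2001:db8:1::/48"): 64496,     # A.root
    ipaddress.ip_network("2001:db8:2::/48"): 64497,     # B.root
    ipaddress.ip_network("2001:db8:2000::/48"): 64500,  # nl.tld
}


def classify(prefix, origin_asn):
    """Return a verdict for one received announcement (prefix, origin AS)."""
    net = ipaddress.ip_network(prefix)
    if net.version != 6 or not net.subnet_of(CRITICAL_BLOCK):
        return "out-of-scope"
    if net.prefixlen < 48:
        # Covers several micro-allocations at once; not expected in this scheme.
        return "unexpected-aggregate"
    if net.prefixlen > 48:
        # Longest-prefix match would prefer this over the legitimate /48.
        return "more-specific"
    expected = MICRO_ALLOCATIONS.get(net)
    if expected is None:
        return "unregistered"
    return "ok" if origin_asn == expected else "origin-mismatch"


def audit(updates):
    """Return (prefix, origin_asn, verdict) for every in-scope anomaly."""
    findings = []
    for prefix, asn in updates:
        verdict = classify(prefix, asn)
        if verdict not in ("ok", "out-of-scope"):
            findings.append((prefix, asn, verdict))
    return findings


# Constructed sample of received announcements.
SAMPLE_UPDATES = [
    ("2001:db8:1::/48", 64496),       # matches the registry
    ("2001:db8:2::/48", 64511),       # right prefix, wrong origin
    ("2001:db8:2000:8000::/49", 64500),  # longer than the allocation
    ("2001:db8::/32", 64499),         # whole block announced
    ("198.41.0.0/22", 64499),         # outside the monitored block
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_UPDATES):
        print(finding)
```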



