
Re: What to improve? BCP-38/SAC-004 anyone?

2015-12-31 08:29:07
On 31 Dec 2015, at 12:31, tom p. wrote:

IP addresses are only meaningful to geeks like us.  Users at large see
and use e-mail addresses and phone numbers and, when they have yet to
learn that these can be faked, are susceptible to fraud.  This brings
real pain to real people and could provide a lever to get things done.

You are correct on the difference between what is an issue to "normal people" 
and what is an issue "to us".

And yes, the issues with untrust in SS7, similar to the breakdown I see in the 
X.509 CA environment, are hurting users. It makes it quite hard to set up 
2-factor authentication with recovery mechanisms being secure and trusted (i.e. 
hint: do not use the same telephone number for your 2-factor authentication as 
your fallback mechanism).

But not at all hurting the Internet as much as source IP address validation.

Given the depletion of IPv4 address space, we now see an increased amount of real 
use of allocated but not announced IPv4 address space. Simply because trust in 
routing makes it easier to just use some space that no one else is using than to 
pay $12/address or whatever it is.

This reuse of already allocated (by others) IPv4 address space has grown faster 
than I expected.

In the next phase, unless people use IPv6, people will just use whatever IPv4 
addresses they can find. And that will hurt the ones having IPv4 addresses in 
the outskirts of the net. In developing countries. What does an organization in 
Sweden care if they just reuse whatever some organization in Rwanda uses? If 
announced from Sweden, the addresses will probably work quite well for the 
Swedish organisation, but so much less for the one in Rwanda which is the real 
holder of the address space. Creation of local caches from Akamai, Google, 
Apple, Microsoft, Cloudflare and DNS operators such as us at Netnod that move 
content closer to Rwanda will for this scenario make the impact smaller. When 
it hurts. Not if.

Without proper source address validation, it will be worse than a cold on New 
Year's Eve (which I understand many have), and we can never recuperate the 
situation we sort of have today -- that we can trust the uniqueness and correct 
(well) route announcement of IPv4.

And THIS is for me the largest driver for IPv6.

That we cannot guarantee for how long IPv4 will actually work. For some 
definition of "we" and some definition of "work".

I am scared.

Really scared.

And if we lose this, then our fight against spam and other things visible to 
the consumer does not matter.

At all.

   Patrik
