North American Network Operators Group
Re: IAB and "private" numbering
- From: Edward Lewis
- Date: Thu Nov 17 12:34:03 2005
At 13:59 -0800 11/11/05, Tony Tauber wrote:
There are some resources, like IP addresses and AS numbers, the proper
operation of which hinges on their uniqueness.
(Yeah, I did read the rest of the thread, but am replying to the
Does this concern make sense?
Does this course of action make sense?
Is there a(nother) better venue than the IAB?
What do people think?
I think there are a few dilemmas in this topic.
One stems from the RIR's duty to provide stewardship of the number
resources they administer. The other is the dividing line between
protocol design (IAB) and operations (RIRs).
One concern from this is number resources depletion, which is why, in
my estimation, there are people measuring things like announced space
and time to network with AS numbers. (I'm referring to work Geoff
Huston, Tony Hain, and Henk U of RIPE have presented in numerous
locations in the past few months.)
When a resource is becoming scarce, there's a push to try and be
certain that it is being used efficiently, with efficiency measured
in terms of time to depletion. With this in mind, if a resource is
used privately, why can't it be used publicly too by some deserving?
(I ask this rhetorically as an example.)
Stewardship also means uniqueness, or at least uniqueness in some
scope. (A 48 bit number could be a "hardware address" or a
combination IPv4 and port number, as an example of stretching.) To
achieve this, the RIRs would naturally assign a number to anyone
deserving, regardless of how the network is connected.
Combine that with a third dimension, that the RIRs are run in the
context of some sort of public trust, there are folks that will want
to check up on them. That's where we get folks probing the exposed
data (via whois, say) and seeing what they can get to. I think this
is where the assumption of a "public internet" comes from.
This is a three-way conflict centered on the RIRs. There's the whole
matter of the benefit vs. pain of scoped (as in site local, link
local, RFC 1918) addressing. That's a matter for the protocol
engineers to figure out; I think that is something the IAB would be
concerned about - if not so already.
I don't think that you want to have the directory services of the
RIRs (whois today) flag addresses as public use or private use, but
you do want the defined protocol scope clearly indicated. The reason
for not labelling public or private is that there are multiple
private (if there is indeed one true public). If you see two private
addresses, can they see each other?
In as much as we don't want the RIRs in the routers, we shouldn't
put the routers into the RIRs. The outcome of this is that folks
probing and prodding the data in the RIRs ought to not expect to see
all the resources registered therein on the public Internet.
It would be tempting to say not to worry about unseen resources, to
assume they are in the private areas of the world. However, there
are probably resources that are "lost" - allocated in the days when
IANA was a small part of ISI and things were done on paper. In the
effort to stop depletion, these should be reclaimed, but deciding
what is lost versus what is in private use is ... a dilemma.
My experience in this is tied to DNS and lame delegations. Just like
the routing table issue, we have delegations into places that are not
reachable. A name server may be situated in a way in which "it can
see out" but "we cannot see in." The problem with these seems to be
some past implementations of DNS that looped as a result of lame
delegations (in this case situations in which the desired name
server[s] are not reachable).
Maybe this is where the IAB steps in, and looks for documents showing
how members of a network, whether the public or a private network,
can either protect themselves from trying to reach unreachable areas,
or to set up stub or proxy services to absorb ill-fated traffic
destined to an unreachable address. I'm not sure this is feasible -
the DNSOP WG seems to have killed, or is about to kill, a document on
"don't publish unreachable things in the DNS." As much as that
sounds useful, there was no energy in the group to finish the
document. A lack of energy tells me something.
Scoped addresses do run afoul of the theory that a network is a
collection of mutually reachable endpoints. Once you scope an
address, you've lost the theory of the network layer. Still, it does
work to do this, so it's not that it's impossible, it's that the
theory needs to be, umm, scoped. I've thought far less about this,
but that's the kind of thing that the IAB might weigh in on, if there
is the energy to do so.
Edward Lewis +1-571-434-5468
3 months to the next trip. I guess it's finally time to settle down and
find a grocery store.
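The lame-delegation problem described in the message above (a delegated name server that "can see out" but that "we cannot see in", or that answers but is not authoritative) can be checked from a given vantage point. The following is an added example, not code from the original post or from any RIR or DNSOP tool: it takes a parent's NS set for a zone and a probe function standing in for an SOA query, and sorts each server into authoritative, lame, or unreachable. The server names, the probe interface, and the responses are constructed assumptions; in practice the probe would be a real DNS query returning the rcode and the AA flag.

```python
"""Classify a zone's delegated name servers as authoritative, lame, or unreachable.

Probe interface (assumed): probe(server, zone) returns a dict with 'rcode'
(e.g. 'NOERROR', 'REFUSED') and 'aa' (authoritative-answer flag), or raises
TimeoutError when the server cannot be reached from where the check runs.
"""
from typing import Callable, Dict, List

Probe = Callable[[str, str], Dict[str, object]]


def classify_server(probe: Probe, server: str, zone: str) -> str:
    """Return 'authoritative', 'lame', or 'unreachable' for one NS."""
    try:
        resp = probe(server, zone)
    except TimeoutError:
        # "It can see out but we cannot see in": the host may be live in a
        # private scope, but from this vantage point it is indistinguishable
        # from a lost or abandoned resource.
        return "unreachable"
    if resp["rcode"] == "NOERROR" and resp["aa"]:
        return "authoritative"
    # Reachable, but REFUSED / SERVFAIL / a non-authoritative answer: the
    # classic lame delegation that older resolvers chased in a loop.
    return "lame"


def check_delegation(probe: Probe, zone: str, ns_set: List[str]) -> Dict[str, List[str]]:
    """Group the parent's NS set for `zone` by classification."""
    groups: Dict[str, List[str]] = {"authoritative": [], "lame": [], "unreachable": []}
    for ns in ns_set:
        groups[classify_server(probe, ns, zone)].append(ns)
    return groups


# Constructed responses standing in for real SOA queries; the hosts and
# behaviours are illustrative assumptions, not real servers.
CONSTRUCTED = {
    ("ns1.example.test", "example.test"): {"rcode": "NOERROR", "aa": True},
    ("ns2.example.test", "example.test"): {"rcode": "REFUSED", "aa": False},
    ("ns3.example.test", "example.test"): {"rcode": "NOERROR", "aa": False},
}


def constructed_probe(server: str, zone: str) -> Dict[str, object]:
    """Look up a constructed response; anything not listed times out."""
    if (server, zone) not in CONSTRUCTED:
        raise TimeoutError(f"{server} not reachable from this vantage point")
    return CONSTRUCTED[(server, zone)]


if __name__ == "__main__":
    report = check_delegation(constructed_probe, "example.test",
                              ["ns1.example.test", "ns2.example.test",
                               "ns3.example.test", "ns4.example.test"])
    for kind, servers in report.items():
        print(f"{kind}: {', '.join(servers) or '-'}")
```

A delegation with no server in the authoritative group is broken for everyone; one with servers only in the unreachable group may be the private-scope case the message describes, which is exactly the ambiguity the check cannot resolve on its own.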