North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Should Extranets be congruent with the Internet? (was Re: Incompetance abounds at the InterNIC)

  • From: Jay R. Ashworth
  • Date: Thu Jan 21 00:39:32 1999

On Wed, Jan 20, 1999 at 09:51:56AM -0600, Phil Howard wrote:
> John Fraizer wrote:
> > 1) You should have domain servers for ANY domain you register that live in
> > NON-RFC1918 space.  Otherwise, Why register the domain at all?  If it's for
> > use behind the firewall, why not use or  You
> > say "Because they want to receive email at the domain!"  Well, to receive
> > email, the rest of the world has to be able to find the mx records and to
> > do that, your domain servers have to live in NON-RFC space and we have now
> > completely and totally blown your first point out of the water and made it,
> > in your own words, "moot."
> You have totally missed the concept that businesses can connect to other
> businesses which connect other businesses and so on, and conduct network
> protocols using the TCP/IP suite, just as if it were an Internet, but in
> fact is highly isolated and segmented.  Any ONE company in it may only be
> able to reach those companies they connected directly to, but the other
> companies reach many more companies.

And Phil has, I think possibly unintentionally, put this thread on
topic for NANOG.

> Using RFC1918 space for this won't work because there has to be some kind
> of administration of the space to ensure enough uniqueness that no two
> companies that are visible to any one company have the same addressing.
> There can be only one such administration of any practicality even though
> this "closed Internet" is chopped into isolated segments.

The question is: are these disconnected nets part of "The Internet",
and if they aren't, how should their addressing and DNS be handled?

> Further, many companies with these networks also allow direct access to
> the real open Internet.  That means for sure that addresses in use on the
> open Internet cannot be duplicated anywhere else.  So the allocation of
> space within the closed network has to be unique even compared to the
> open Internet.
> So it makes sense that every company connecting this way must obtain their
> own unique address space.

Yes, it does.  _I_ think.  Even if these nets aren't routable to the
Internet, they may be populated by machines that are dual-homed, but
are _not_ routers, and address collisions would be A Bad Thing.

Now, in these class-less days, I have _no_ idea who you'd get such an
address block from...

> > 2) DNS servers that are behind a firewall are useless in the context you
> > describe above.
> Not true.  The DNS servers exist and are used by many of these companies.
> Only those companies that need to use them can reach them.

This raises the companion question: should such networks have
'Internet' DNS, as well, even though they're not visible to the net at
large; that is, must they have root nameservers visible to the

Phil asserts that no, they need not, and having done the exposition, I
find I must agree with him... but that does raise some interesting

> > 4) If you don't intend to be routed on the global internet, you SHOULD be
> > required to use RFC1918 space.  NOBODY should be allocate routable address
> > space for internal, off-net use.
> This is neither practical nor possible.  wave your hands all you want, but
> it won't happen because RFC1918 space cannot ever hope to allow every one
> of these companies to have address space that they can communicate with
> each other uniquely, entirely within the RFC1918 space.  There are two
> reasons for this and based on mail I've received from a few people, it is
> clear to me that a lot of people need these spelled out.

I disagree; we'll hit the points.

> 1.  There is not enough space in RFC1918 to assign UNIQUE addresses to each
>     company that interconnects with many other companies, that further
>     interconnect with many others, and on and on.

Counted the number of /24's in a class A lately, Po

Ok, there are only 64k.  But that's a lot of industry.  Just how many
people want to do this?

> 2.  Even if there was enough space, there is no one doing any administration
>     of such space to ensure that all such assignments are sufficiently unique
>     to ensure that every company connecting to many others will never see
>     two or more such companies using the space part of RFC1918 space.


So start one.  :-)  You'd have to do it under the auspices of one of
the 800-pound gorillas you mentioned...

Or move them all to IPv6 space.

> Think of these "closed Internets" as businesses conducting business with
> each other over the Internet, but then deciding to get guaranteed bandwidth
> by directly connecting to each peer, not routing to the real open Internet,
> and basically becoming isolated except for the fact that in many of these
> companies their computers (servers and desktops) can not only reach many
> other companies this way, but also the real open Internet.

A private backbone which only accepts packets from peers.  Nothing
unusual about that...

> Likewise, name spaces also have to be unique, and the NS servers that are
> authority for them may not be reachable by you or perhaps even anyone else
> on the open Internet.  But that doesn't mean they aren't real and being
> used by many different businesses.

Yeah... but this raises the question of whether the charter of the
InterNIC is to maintain (protection for) domain names that are
_intentionally_ never visible to their customers (the net at large),
simply to make life easier for a much smaller crowd...

And, AFAICS, that's the _real_ crux of the issue, right there.

-- jra
Jay R. Ashworth                                                [email protected]
Member of the Technical Staff     Buy copies of The New Hackers Dictionary.
The Suncoast Freenet            Give them to all your friends.
Tampa Bay, Florida             +1 813 790 7592