|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: large multi-site enterprises and PI prefix [Re: who gets a /32 [Re: IPV6 renumbering painless?]]
On 23-nov-04, at 6:49, Patrick W Gilmore wrote: If all active ASes did this we'd have a 400k routing table. So please no PI in IPv6, not even for large enterprises. Why is an ISP more "worthy" or PI space than a large enterprise. In fact, ISPs are responsible for far, far more table pollution than enterprises. Pot-Kettle-Black? Besides that, please remember the Internet is a business, not a research tool or a toy for those with enable. Business have business needs. If the Internet cannot satisfy them, then the Internet will not be paid for its services. This ain't 1999 no more, you need your customers.I'm going to try to make this my last message on this subject... It's very simple. If the routing tables get too big too fast, very bad things start to happen. The Apple example (along with some ISPs who announce dozens or hundreds of aggregatable blocks unaggregated) shows that we can't rely on good internet citizenship to manage the problem. Just to make sure everyone understands: according to the latest CIDR report there are 149080 prefixes in the global routing table, sourced by 18398 ASes. That's 8.1 prefixes per AS. If we subtract the 7506 one-prefix ASes from both figures we're at 13 prefixes per AS. Apple sources 22 prefixes from their AS. That's 70% more than the average, with the average including the largest ISPs in the world. So why is it reasonable to give even quite small ISPs a portable block but not the largest enterprises? Two reasons. First of all, the number of ISPs world wide is low enough that with the allocation policies in IPv6 ISPs alone aren't going to blow up the global routing table. The second is, that if an ISP needs to renumber, all their customers have to renumber as well. This makes renumbering much harder for ISPs than for end-user organizations. In addition to portable address space being harmful, I also believe it's not really necessary. Renumbering client-only systems is NOT a problem with DHCP or IPv6 stateless autoconfiguration. (With the latter, it's even completely transparent to the user. I've tried it.) With some tools managing the DNS during renumbering also isn't a real issue. Reconfiguring routers and other network infrastructure isn't entirely trivial at this point, but this is being worked on. I don't see why this shouldn't be solved to a satisfactory degree in the future. This leaves address-based access restrictions. There are two aspects to this: internal addresses and external addresses. Trusting packets that come from some address X on the internet makes no sense, as it's fairly trivial to hijack address space on the internet. Trusting packets because they come from an internal address is doable to a certain degree, because you get to reject packets that falsely claim to be from the inside on the borders. However, unique local addresses are just fine for this. (This means hosts that need both internal and external connectivity must have different addresses for both, but this isn't a problem in IPv6. Default address selection rules specify that when connecting to ULAs a host should use its own ULA address and when connecting to the rest of the world it should use its regular address, but this isn't fully implemented in OSes yet.) With all the above in effect, renumbering would only really impact VPN tunnels. Even if this must be done by hand I don't think it's reasonable to give out PI space just to avoid this. And I'm sure the VPN vendors can come up with mechanisms that allow the secure creation/renumbering of those tunnels, if they feel their customers need it. If organizations with PA space want to peer, this shouldn't be a problem: they just announce their /48 to their peers. Obviously if people are interested in peering, they'll be willing to carry the more specifics in their routing tables. The difference with PI is that if they filter the route out, there is no loss of connectivity. Remember that IPv4 still has a few good years in it so there is time to fix problems with IPv6 so we get to do it right from the start rather than have the same mess we have now with larger addresses.
|