Should Extranets be congruent with the Internet? (was Re: Incompetance abounds at the InterNIC)
Jay R. Ashworth
jra at scfn.thpl.lib.fl.us
Thu Jan 21 00:47:58 UTC 1999
On Wed, Jan 20, 1999 at 09:51:56AM -0600, Phil Howard wrote:
> John Fraizer wrote:
> > 1) You should have domain servers for ANY domain you register that live in
> > NON-RFC1918 space. Otherwise, Why register the domain at all? If it's for
> > use behind the firewall, why not use internic.net or whitehouse.gov? You
> > say "Because they want to receive email at the domain!" Well, to receive
> > email, the rest of the world has to be able to find the mx records and to
> > do that, your domain servers have to live in NON-RFC space and we have now
> > completely and totally blown your first point out of the water and made it,
> > in your own words, "moot."
> You have totally missed the concept that businesses can connect to other
> businesses which connect other businesses and so on, and conduct network
> protocols using the TCP/IP suite, just as if it were an Internet, but in
> fact is highly isolated and segmented. Any ONE company in it may only be
> able to reach those companies they connected directly to, but the other
> companies reach many more companies.
And Phil has, I think possibly unintentionally, put this thread on
topic for NANOG.
> Using RFC1918 space for this won't work because there has to be some kind
> of administration of the space to ensure enough uniqueness that no two
> companies that are visible to any one company have the same addressing.
> There can be only one such administration of any practicality even though
> this "closed Internet" is chopped into isolated segments.
The question is: are these disconnected nets part of "The Internet",
and if they aren't, how should their addressing and DNS be handled?
> Further, many companies with these networks also allow direct access to
> the real open Internet. That means for sure that addresses in use on the
> open Internet cannot be duplicated anywhere else. So the allocation of
> space within the closed network has to be unique even compared to the
> open Internet.
> So it makes sense that every company connecting this way must obtain their
> own unique address space.
Yes, it does. _I_ think. Even if these nets aren't routable to the
Internet, they may be populated by machines that are dual-homed, but
are _not_ routers, and address collisions would be A Bad Thing.
Now, in these class-less days, I have _no_ idea who you'd get such an
address block from...
> > 2) DNS servers that are behind a firewall are useless in the context you
> > describe above.
> Not true. The DNS servers exist and are used by many of these companies.
> Only those companies that need to use them can reach them.
This raises the companion question: should such networks have
'Internet' DNS, as well, even though they're not visible to the net at
large; that is, must they have root nameservers visible to the
Phil asserts that no, they need not, and having done the exposition, I
find I must agree with him... but that does raise some interesting
> > 4) If you don't intend to be routed on the global internet, you SHOULD be
> > required to use RFC1918 space. NOBODY should be allocated routable address
> > space for internal, off-net use.
> This is neither practical nor possible. Wave your hands all you want, but
> it won't happen because RFC1918 space cannot ever hope to allow every one
> of these companies to have address space that they can communicate with
> each other uniquely, entirely within the RFC1918 space. There are two
> reasons for this and based on mail I've received from a few people, it is
> clear to me that a lot of people need these spelled out.
I disagree; we'll hit the points.
> 1. There is not enough space in RFC1918 to assign UNIQUE addresses to each
> company that interconnects with many other companies, that further
> interconnect with many others, and on and on.
Counted the number of /24's in a class A lately, Po
Ok, there are only 64k. But that's a lot of industry. Just how many
people want to do this?
> 2. Even if there was enough space, there is no one doing any administration
> of such space to ensure that all such assignments are sufficiently unique
> to ensure that every company connecting to many others will never see
> two or more such companies using the space part of RFC1918 space.
So start one. :-) You'd have to do it under the auspices of one of
the 800-pound gorillas you mentioned...
Or move them all to IPv6 space.
> Think of these "closed Internets" as businesses conducting business with
> each other over the Internet, but then deciding to get guaranteed bandwidth
> by directly connecting to each peer, not routing to the real open Internet,
> and basically becoming isolated except for the fact that in many of these
> companies their computers (servers and desktops) can not only reach many
> other companies this way, but also the real open Internet.
A private backbone which only accepts packets from peers. Nothing
unusual about that...
> Likewise, name spaces also have to be unique, and the NS servers that are
> authority for them may not be reachable by you or perhaps even anyone else
> on the open Internet. But that doesn't mean they aren't real and being
> used by many different businesses.
Yeah... but this raises the question of whether the charter of the
InterNIC is to maintain (protection for) domain names that are
_intentionally_ never visible to their customers (the net at large),
simply to make life easier for a much smaller crowd...
And, AFAICS, that's the _real_ crux of the issue, right there.
Jay R. Ashworth jra at baylink.com
Member of the Technical Staff Buy copies of The New Hackers Dictionary.
The Suncoast Freenet Give them to all your friends.
Tampa Bay, Florida http://www.ccil.org/jargon/ +1 813 790 7592
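As an added illustration (not part of the thread), a small Python check of the two points argued above: how many /24s RFC 1918 actually holds, and whether the address plans of the companies a given member can reach transitively over the extranet overlap. The company names, peerings and prefixes are constructed sample data.

```python
"""Address-plan collision check for an extranet of directly peered companies."""
import ipaddress
from collections import deque
from typing import Dict, List, Set, Tuple

# The three RFC 1918 private ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def rfc1918_slash24_count() -> int:
    """Number of /24 blocks available across all of RFC 1918 space."""
    return sum(net.num_addresses // 256 for net in RFC1918)

def is_rfc1918(prefix: str) -> bool:
    """True if the prefix lies entirely inside one of the RFC 1918 ranges."""
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(r) for r in RFC1918)

def reachable(start: str, peers: Dict[str, List[str]]) -> Set[str]:
    """Companies transitively reachable from `start` over direct peerings."""
    seen, todo = {start}, deque([start])
    while todo:
        cur = todo.popleft()
        for nxt in peers.get(cur, []):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen

def collisions_visible_to(start: str, peers: Dict[str, List[str]],
                          allocations: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Overlapping prefixes among every company `start` can reach (itself included)."""
    flat = [(c, ipaddress.ip_network(p))
            for c in sorted(reachable(start, peers)) for p in allocations.get(c, [])]
    hits = []
    for i, (ca, na) in enumerate(flat):
        for cb, nb in flat[i + 1:]:
            if ca != cb and na.overlaps(nb):
                hits.append((ca, str(na), cb, str(nb)))
    return hits

# Constructed sample: AcmeCo peers only with BetaInc, which also peers with GammaLLC.
# DeltaCo peers with nobody, so its reuse of AcmeCo's space is harmless to everyone.
PEERS = {"AcmeCo": ["BetaInc"], "BetaInc": ["AcmeCo", "GammaLLC"], "GammaLLC": ["BetaInc"]}
ALLOCATIONS = {
    "AcmeCo": ["10.1.0.0/16"],
    "BetaInc": ["10.2.0.0/16", "172.20.0.0/16"],
    "GammaLLC": ["10.1.128.0/17", "192.168.5.0/24"],  # 10.1.128.0/17 clashes with AcmeCo
    "DeltaCo": ["10.1.0.0/24"],
}

if __name__ == "__main__":
    print(rfc1918_slash24_count(), "/24s in all of RFC 1918 space")
    for hit in collisions_visible_to("AcmeCo", PEERS, ALLOCATIONS):
        print("collision:", hit)
```

AcmeCo never peers with GammaLLC directly, yet the overlap still surfaces because BetaInc reaches both; the isolated DeltaCo reports nothing.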