large multi-site enterprises and PI prefix [Re: who gets a /32 [Re: IPV6 renumbering painless?]]

Tue Nov 23 10:32:49 UTC 2004

On 23-nov-04, at 6:49, Patrick W Gilmore wrote:

>> If all active ASes did this we'd have a 400k routing table. So please 
>> no PI in IPv6, not even for large enterprises.

> Why is an ISP more "worthy" or PI space than a large enterprise.  In 
> fact, ISPs are responsible for far, far more table pollution than 
> enterprises.  Pot-Kettle-Black?

> Besides that, please remember the Internet is a business, not a 
> research tool or a toy for those with enable.  Business have business 
> needs.  If the Internet cannot satisfy them, then the Internet will 
> not be paid for its services.  This ain't 1999 no more, you need your 
> customers.

I'm going to try to make this my last message on this subject...

It's very simple. If the routing tables get too big too fast, very bad 
things start to happen. The Apple example (along with some ISPs who 
announce dozens or hundreds of aggregatable blocks unaggregated) shows 
that we can't rely on good internet citizenship to manage the problem. 
Just to make sure everyone understands: according to the latest CIDR 
report there are 149080 prefixes in the global routing table, sourced 
by 18398 ASes. That's 8.1 prefixes per AS. If we subtract the 7506 
one-prefix ASes from both figures we're at 13 prefixes per AS. Apple 
sources 22 prefixes from their AS. That's 70% more than the average, 
with the average including the largest ISPs in the world.

So why is it reasonable to give even quite small ISPs a portable block 
but not the largest enterprises? Two reasons. First of all, the number 
of ISPs world wide is low enough that with the allocation policies in 
IPv6 ISPs alone aren't going to blow up the global routing table. The 
second is, that if an ISP needs to renumber, all their customers have 
to renumber as well. This makes renumbering much harder for ISPs than 
for end-user organizations.

In addition to portable address space being harmful, I also believe 
it's not really necessary. Renumbering client-only systems is NOT a 
problem with DHCP or IPv6 stateless autoconfiguration. (With the 
latter, it's even completely transparent to the user. I've tried it.) 
With some tools managing the DNS during renumbering also isn't a real 
issue. Reconfiguring routers and other network infrastructure isn't 
entirely trivial at this point, but this is being worked on. I don't 
see why this shouldn't be solved to a satisfactory degree in the 
future.

This leaves address-based access restrictions. There are two aspects to 
this: internal addresses and external addresses. Trusting packets that 
come from some address X on the internet makes no sense, as it's fairly 
trivial to hijack address space on the internet. Trusting packets 
because they come from an internal address is doable to a certain 
degree, because you get to reject packets that falsely claim to be from 
the inside on the borders. However, unique local addresses are just 
fine for this. (This means hosts that need both internal and external 
connectivity must have different addresses for both, but this isn't a 
problem in IPv6. Default address selection rules specify that when 
connecting to ULAs a host should use its own ULA address and when 
connecting to the rest of the world it should use its regular address, 
but this isn't fully implemented in OSes yet.)

With all the above in effect, renumbering would only really impact VPN 
tunnels. Even if this must be done by hand I don't think it's 
reasonable to give out PI space just to avoid this. And I'm sure the 
VPN vendors can come up with mechanisms that allow the secure 
creation/renumbering of those tunnels, if they feel their customers 
need it.

If organizations with PA space want to peer, this shouldn't be a 
problem: they just announce their /48 to their peers. Obviously if 
people are interested in peering, they'll be willing to carry the more 
specifics in their routing tables. The difference with PI is that if 
they filter the route out, there is no loss of connectivity.

Remember that IPv4 still has a few good years in it so there is time to 
fix problems with IPv6 so we get to do it right from the start rather 
than have the same mess we have now with larger addresses.