large multi-site enterprises and PI prefix [Re: who gets a /32 [Re: IPV6 renumbering painless?]]
Iljitsch van Beijnum
iljitsch at muada.com
Tue Nov 23 10:32:49 UTC 2004
On 23-nov-04, at 6:49, Patrick W Gilmore wrote:
>> If all active ASes did this we'd have a 400k routing table. So please
>> no PI in IPv6, not even for large enterprises.
> Why is an ISP more "worthy" or PI space than a large enterprise. In
> fact, ISPs are responsible for far, far more table pollution than
> enterprises. Pot-Kettle-Black?
> Besides that, please remember the Internet is a business, not a
> research tool or a toy for those with enable. Business have business
> needs. If the Internet cannot satisfy them, then the Internet will
> not be paid for its services. This ain't 1999 no more, you need your
> customers.
I'm going to try to make this my last message on this subject...
It's very simple. If the routing tables get too big too fast, very bad
things start to happen. The Apple example (along with some ISPs who
announce dozens or hundreds of aggregatable blocks unaggregated) shows
that we can't rely on good internet citizenship to manage the problem.
Just to make sure everyone understands: according to the latest CIDR
report there are 149080 prefixes in the global routing table, sourced
by 18398 ASes. That's 8.1 prefixes per AS. If we subtract the 7506
one-prefix ASes from both figures we're at 13 prefixes per AS. Apple
sources 22 prefixes from their AS. That's 70% more than the average,
with the average including the largest ISPs in the world.
So why is it reasonable to give even quite small ISPs a portable block
but not the largest enterprises? Two reasons. First of all, the number
of ISPs world wide is low enough that with the allocation policies in
IPv6 ISPs alone aren't going to blow up the global routing table. The
second is, that if an ISP needs to renumber, all their customers have
to renumber as well. This makes renumbering much harder for ISPs than
for end-user organizations.
In addition to portable address space being harmful, I also believe
it's not really necessary. Renumbering client-only systems is NOT a
problem with DHCP or IPv6 stateless autoconfiguration. (With the
latter, it's even completely transparent to the user. I've tried it.)
With some tools managing the DNS during renumbering also isn't a real
issue. Reconfiguring routers and other network infrastructure isn't
entirely trivial at this point, but this is being worked on. I don't
see why this shouldn't be solved to a satisfactory degree in the
future.
This leaves address-based access restrictions. There are two aspects to
this: internal addresses and external addresses. Trusting packets that
come from some address X on the internet makes no sense, as it's fairly
trivial to hijack address space on the internet. Trusting packets
because they come from an internal address is doable to a certain
degree, because you get to reject packets that falsely claim to be from
the inside on the borders. However, unique local addresses are just
fine for this. (This means hosts that need both internal and external
connectivity must have different addresses for both, but this isn't a
problem in IPv6. Default address selection rules specify that when
connecting to ULAs a host should use its own ULA address and when
connecting to the rest of the world it should use its regular address,
but this isn't fully implemented in OSes yet.)
With all the above in effect, renumbering would only really impact VPN
tunnels. Even if this must be done by hand I don't think it's
reasonable to give out PI space just to avoid this. And I'm sure the
VPN vendors can come up with mechanisms that allow the secure
creation/renumbering of those tunnels, if they feel their customers
need it.
If organizations with PA space want to peer, this shouldn't be a
problem: they just announce their /48 to their peers. Obviously if
people are interested in peering, they'll be willing to carry the more
specifics in their routing tables. The difference with PI is that if
they filter the route out, there is no loss of connectivity.
Remember that IPv4 still has a few good years in it so there is time to
fix problems with IPv6 so we get to do it right from the start rather
than have the same mess we have now with larger addresses.
More information about the NANOG
mailing list