Why do some providers require IPv6 /64 PA space to have public whois?

Constantine A. Murenin mureninc at gmail.com
Thu Dec 13 08:34:43 UTC 2012


On 10 December 2012 13:27, Schiller, Heather A
<heather.schiller at verizon.com> wrote:
>
> Actually, requiring a public whois record is the way it always has been, that's only recently changed.   I think most folks would agree that IPv4 /32 :: IPv6 /128 as IPv4 /29 :: IPv6 /64.  So, while you are right that swip'ing a v4 /32 has never been required, I think your analogy of a v6 /64 to a v4 /32 is off.  The minimum assignment requiring a swip is also ensconced in RIR policy.  If you don't like it, may I suggest you propose policy to change it?


I think your comparison of IPv4 /32 being equivalent to IPv6 /128 is
only true in specific and narrow contexts outside of this discussion,
and I strongly disagree with such generalisations being applied here.

Just from the practical side and by means of an example, take a look
at 6rd and the way other national internet providers have been
implementing it.  I had a routed /27 with AT&T FTTU; every IPv4
address on AT&T automatically gets a /60 IPv6 allocation; by
extension, my IPv4 /27 was equivalent to IPv6 /55 (plus I also must
have had one extra /60 for the IPv4 address in the shared subnet to
which my /27 IPv4 subnet was routed).

And Linode:  upon request, they offer a free /56 to any of their
customers, to complement a /32 IPv4 allocation.

Many other hosting providers likewise provide a free /48 (some do this
by default, some upon request) to anyone who only requires a single
IPv4 address otherwise.

Likewise, HE's tunnelbroker.net gives out a total of five /48's (per a
single account) to anyone who asks; and if you look at it, they're
still doing this out of the smallest v6 allocation compared to any
other carrier: 2001:470::/32; yes, just a /32, when even Linode has a
/30.  http://bgp.he.net/AS6939#_prefixes6

And the same example is even true of hetzner.de:  they assign a /32
IPv4 for free to every server, and the only IPv6 that they give is a
/64, offering no other option at all whatsoever (they do offer the
option of another, routed IPv6 /64, but that's it).  Yet,
unfortunately, hetzner.de is one of the few that doesn't offer any
IPv6 at all unless you agree for your private data to go to a public
database maintained by RIPE when you request any kind of IPv6
connectivity.  It presents an obvious barrier to entry, and limits
native IPv6 adoption when huge providers like hetzner.de may require
you to give up your privacy for native IPv6, but not for IPv4.

So, as per above, in my humble view, a /64 IPv6 allocation is
equivalent to a NAT in IPv4 terms. :-)  Any provider who insists
otherwise (especially when it comes down to actually giving out such
addresses), simply tries to be creative about their revenue streams in
regards to something that's supposed to be a public resource and
that's not even that scarce to begin with.


> RIPE's policy:
> " When an End User has a network using public address space this must be registered separately with the contact details of the End User. Where the End User is an individual rather than an organisation, the contact information of the service provider may be substituted for the End Users."


You have conveniently omitted the prior part of the same paragraph
about PtP links.

https://www.ripe.net/ripe/docs/ripe-553
IPv4 Address Allocation and Assignment Policies for the RIPE NCC Service Region
21 May 2012 — address policy, ipv4

«
6.2 Network Infrastructure and End User Networks

IP addresses used solely for the connection of an End User to a
service provider (e.g. point-to-point links) are considered part of
the service provider's infrastructure. These addresses do not have to
be registered with the End User's contact details but can be
registered as part of the service provider's internal infrastructure.
When an End User has a network using public address space this must be
registered separately with the contact details of the End User. Where
the End User is an individual rather than an organisation, the contact
information of the service provider may be substituted for the End
Users.
»

Although written with IPv4 in mind, if you take this paragraph and try
to interpret it within IPv6, then the first, non-routed, /64 with
hetzner.de can easily be considered a point-to-point link, and due to
the plethora of free alternatives people would hardly attempt to use
such an allocation in any other way than as indeed a point-to-point
link, especially when a second free /64, now routed, is also
available.

(And even if someone would in fact use their first PtP /64 to create
some kind of a VPN and a small home network, then at the internet
who-to-blame level how would that be any different whatsoever from
them doing a NAT with a /32 IPv4?  On the other hand, I do agree that
standardised aggregate whois entries detailing the size of individual
allocations within a given address space would be very-very useful
with IPv6, indeed (else, how do you ban a user by an IP-address?).)

Also, consider why so much private information has to be published in
whois in the first place:  usually, it's for the issues related to
network architecture, security, attacks and spam.  Why would other
network operators benefit from getting information about individual
one-person customers of hetzner.de, instead of contact information of
hetzner.de themselves?  (Or am I really supposed to be getting a phone
call at 03:00 in the middle of the night from a random network
engineer in another part of the world who decided to visit my private
website, and found my individual server misconfigured or
inaccessible?)  So, in my opinion, in the end, this information about
individuals with /64 allocations may only end up being useful for
data-miners and potentially copyright trolls.

It should not be just optional to not publish such information; it
should be specifically prohibited for such information to be published
about individual non-company customers (unless the individual
explicitly requests for any such information to be published).

Many ccTLDs have already stopped providing any kind of information
about their Private Person customers (not even a name, nor an email,
as a matter of TLD policy).


>
>   Note the *may* -- ISP's aren't required to support it.
>
> More RIPE policy..
> "When an organisation holding an IPv6 address allocation makes IPv6 address assignments, it must register these assignments in the appropriate RIR database.
>
> These registrations can either be made as individual assignments or by inserting an object with a status value of 'AGGREGATED-BY-LIR' where the assignment-size attribute contains the size of the individual assignments made to End Users. When more than a /48 is assigned to an organisation, it must be registered in the database as a separate object with status 'ASSIGNED'."
>
>     So they have to register it, and they get a choice about how they do it.. Your provider has chosen a way you don't like.  Talk to them about it, rather than complaining on NANOG?


Thank you for actually looking up the policies; I'll keep this in mind.


>
>
>  It's pretty similar in the ARIN region.  In 2004, the ARIN community passed the residential customer privacy policy - specifically allowing ISP's to designate a record private.  Again, it's optional.
>
> https://www.arin.net/policy/nrpm.html
>
>
> Min assignment swip
> 6.5.5.1. Reassignment information
>
> Each static IPv6 assignment containing a /64 or more addresses shall be registered in the WHOIS directory via SWIP or a distributed service which meets the standards set forth in section 3.2. Reassignment registrations shall include each client's organizational information, except where specifically exempted by this policy.
>
>
> IPv4
> 4.2.3.7.3.2. Residential Customer Privacy
>
> To maintain the privacy of their residential customers, an organization with downstream residential customers holding /29 and larger blocks may substitute that organization's name for the customer's name, e.g. 'Private Customer - XYZ Network', and the customer's street address may read 'Private Residence'. Each private downstream residential reassignment must have accurate upstream Abuse and Technical POCs visible on the WHOIS directory record for that block.
>
> IPv6
> 6.5.5.3. Residential Subscribers
> 6.5.5.3.1. Residential Customer Privacy
>
> To maintain the privacy of their residential customers, an organization with downstream residential customers holding /64 and larger blocks may substitute that organization's name for the customer's name, e.g. 'Private Customer - XYZ Network', and the customer's street address may read 'Private Residence'. Each private downstream residential reassignment must have accurate upstream Abuse and Technical POCs visible on the WHOIS record for that block.


What are the exceptions to 6.5.5.1?

In other news, Linode has a /30 IPv6 in the US with ARIN, using a /32
for each of their 4 sites within the US (thus already exhausting their
original allocation), and it seems like they have absolutely no whois
records anywhere (neither for their customers, nor even for their own
distinct sites); the only whois you get is for their actual original
/30 allocation from ARIN!

http://bgp.he.net/net/2600:3c01::/32 -- no individual whois for their
Fremont location.

For IPv4, they likewise didn't seem to have bothered creating any
individual SWIP entries even for each of their own sites (which are
all run as separate networks); all their allocations only show their
New Jersey address, and, basically, the following comment:

Comment:        This block is used for static customer allocations.

Are they somehow exempt, or are they blatantly violating every ARIN
policy imaginable?

I also know of at least one other provider who gave me a /48 from
their ARIN-issued space without doing any kind of a whois record
within their /32, but they have only a single physical site, so it's
not such a big deal, IMHO.

Also, I notice that your policies at ARIN have exceptions explicitly
for Residential Customers, but what about individuals renting network
resources in the cloud?  Are such individuals suddenly not officially
exempt?

C.


>
>
> --Heather
>
>
> -----Original Message-----
> From: Constantine A. Murenin [mailto:mureninc at gmail.com]
> Sent: Saturday, December 08, 2012 12:46 AM
> To: nanog at nanog.org
> Subject: Why do some providers require IPv6 /64 PA space to have public whois?
>
> Hello,
>
> I personally don't understand this policy.  I've signed up with hetzner.de, and I'm trying to get IPv6; however, on the supplementary page where the complementary IPv6 /64 subnet can be requested (notice that it's not even a /48, and not even the second, routed, /64), after I change the selection from requesting one additional IPv4 address to requesting the IPv6 /64 subnet (they offer no other IPv6 options in that menu), they use DOM to remove the IP address justification field ("Purpose of use"), and instead statically show my name, physical street address (including the apartment number), email address and phone number, and ask to confirm that all of this information can be submitted to RIPE.
>
> They offer no option of modifying any of this; they also offer no option of hiding the street address and showing it as "Private Address" instead; they also offer no option of providing contact information different from the contact details for the main profile or keeping a separate set of contact details in the main profile specifically for RIPE; they also offer no option of providing a RIPE handle instead (dunno if one can be registered with a "Private Address" address, showing only city/state/country and postal code; I do know that with ARIN and PA IPv4 subnets you can do "Private Address" in the Address field); they also don't let you submit the form unless you agree for the information shown to be passed along to RIPE for getting IPv6 connectivity (again, no IPv6 is provided by default or otherwise).
>
> Is this what we're going towards?  No probable cause and no court orders for obtaining individually identifying information about internet customers with IPv6 addresses?  In the future, will the copyright trolls be getting this information directly from public whois, bypassing the internet provider abuse teams and even the most minimal court supervision?  Is this really the disadvantage of IPv4 that IPv6 proudly fixes?  I certainly have never heard of whois entries for /32 IPv4 address allocations!
>
> Anyhow, just one more provider where it's easier to use HE's tunnelbroker.net instead of obtaining IPv6 natively; due to the data-mining and privacy concerns now.  What's the point of native IPv6 connectivity again?  In hetzner.de terms, tunnelbroker.net even provides you with the failover IPv6 address(es), something that they themselves only offer for IPv4!
>
> Is it just me, or are there a lot of other folks who use tunnelbroker.net even when their ISP offers native IPv6 support?
> Might be interesting for HE.net to make some kind of a study. :-)
>
> Cheers,
> Constantine.
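As an added illustration, not part of this thread, of the AGGREGATED-BY-LIR registration the quoted RIPE policy describes and of the "how do you ban a user by an IP address" point above: given a constructed set of inet6num objects (hypothetical, using documentation prefixes), the script picks the most specific object covering an address and, for an aggregated object, derives the individual End User block from assignment-size, which is the granularity an abuse desk would block or report at without needing the End User's personal details.

```python
import ipaddress
# Constructed sample inet6num objects in RPSL style (documentation prefixes, not
# real allocations): one AGGREGATED-BY-LIR aggregate and one ASSIGNED block.
SAMPLE_OBJECTS = """\
inet6num:        2001:db8:1000::/40
netname:         EXAMPLE-AGG-CUSTOMERS
status:          AGGREGATED-BY-LIR
assignment-size: 64

inet6num:        2001:db8:2000::/48
netname:         EXAMPLE-SINGLE-ORG
status:          ASSIGNED
"""

def parse_objects(text):
    """Split blank-line separated RPSL objects into dicts of attribute -> value."""
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
            current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        objects.append(current)
    return objects

def assignment_for(address, objects):
    """Return the individual End User prefix (string) holding `address`, or None.
    Most specific covering inet6num wins. AGGREGATED-BY-LIR: the enclosing
    prefix of length assignment-size; ASSIGNED: the object itself.
    """
    addr = ipaddress.IPv6Address(address)
    match = None
    for obj in objects:
        net = ipaddress.IPv6Network(obj["inet6num"])
        if addr in net and (match is None or net.prefixlen > match[0].prefixlen):
            match = (net, obj)
    if match is None:
        return None
    net, obj = match
    if obj.get("status") != "AGGREGATED-BY-LIR":
        return str(net)
    size = int(obj["assignment-size"])
    if size < net.prefixlen:  # an assignment cannot be larger than its aggregate
        raise ValueError(f"assignment-size /{size} larger than aggregate {net}")
    return str(ipaddress.IPv6Interface(f"{addr}/{size}").network)
```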