202203081821.AYC Re: 202203071610.AYC Re: Making Use of 240/4 NetBlock

Abraham Y. Chen aychen at avinta.com
Wed Mar 9 04:29:04 UTC 2022


Hi, Stephen:

1)    First, logistics: Since I have been waiting for the moderation of 
my first posting on NANOG, could I assume that you are sending me this 
personal eMail as a Moderator?

2)    Perhaps the material provided in my writing was not sufficient, 
you seem to be expressing concerns from other perspectives. As concisely 
characterized by one of the "Internet fathers", the EzIP is an overlay 
network relative to the current Internet. As such, the EzIP deployment 
is pretty much independent of the hurdles that the current Internet 
equipment or convention may impose on it. That is, we can start the EzIP 
deployment leaving everything in the current Internet alone. This is 
because each EzIP deployment module, called RAN (Regional Area Network) 
is tethered via one IPv4 public address onto the Internet core. Since 
each RAN appears to be a private network, it can be set up according to 
its own requirements. That is, each RAN can make use of any desired IPv4 
technology, while leaving others aside. As long as the packets on that 
single access path between the RAN and the Internet conform to the 
Internet conventions, the deployment of the EzIP proposal should work.

3)    " ... if you plan on endpoint computers (such as those in homes) 
to use the 240/4 netblock. ...   ":    No, we do not. As presented by 
the RAN demonstration cited by the whitepaper, one of the primary 
criteria of the EzIP proposal is not to affect the current private 
network setups. Although, other than Windows OS based products, there 
are more and more IoTs that do support the 240/4 netblock. Even some 
Internet routers appear to do so, as well.

4)    " ... DD-WRT project? ...    ":     EzIP does not have any 
ambition to alter or replace the existing Internet equipment in any 
sense. Fortunately, we can deploy our solution without such complication 
due to the overlay characteristics. Our main goal is to demonstrate that 
"*/there exists/*" one feasible configuration that can operate EzIP in 
parallel to the existing Internet for providing equivalent services. 
From such a skeletal reference, one can expand to larger deployments, 
as well as put on desired features and capabilities. For example, we 
have utilized OpenWrt 19.07.3 to demonstrate the feasibility of the EzIP 
scheme. Since the enabling technique is "disabling the program code that 
has been disabling the use of the 240/4 netblock",  any other projects 
such as DD-WRT can replicate it just as well, if so inclined.

5)    "... Firewalls ...  NIST ...   ":    Since EzIP is only 
identifying the additional address resources from the "Reserve" and 
suggesting how to use it, I am not clear why high level functionalities 
such as security related firewall tasks get involved here. Do NIST 
Guidelines specify blocking any packet with the 240/4 netblock address? 
I failed to spot such.  Since there is no natural division between the 
240/4 netblock from the rest of IPv4 address pool, I can't see any 
reason to single this netblock out in the firewall related tasks anyway. 
Do you know the reason why? I would very much appreciate it if you could 
elaborate on your concerns.

6)    By the way, the EzIP's RAN is actually very much the same as 
CG-NAT or CDN, architecturally.  The only difference is that EzIP 
Project managed to identify a larger usable address pool enabling the 
practice of static addressing to simplify operation logistics, mitigate 
cyber insecurity, etc.


I look forward to your thoughts.


Regards,


Abe (2022-03-09 23:28 EST)



On 2022-03-08 13:08, Stephen Satchell wrote:
> On 3/7/22 2:14 PM, Abraham Y. Chen wrote:
>>      In a nutshell, EzIP proposes to disable the program codes in 
>> current routers that have been disabling the use of the 240/4 
>> NetBlock. The cost of this software engineering should be minimal. 
>> The EzIP deployment architecture is the same as that of the existing 
>> CG-NAT (Carrier Grade Network Address Translation). Consequently, 
>> there is no need to modify any hardware equipment. There is an online 
>> setup description (Reference II), called RAN (Regional Area Network), 
>> that demonstrates the feasibility of this approach.
>
> You have another surface that will need to be dealt with if you plan on 
> endpoint computers (such as those in homes) to use the 240/4 netblock. 
> You will need to talk to the authors of firewall books and web sites 
> to update the examples to remove all-traffic blocks on 240/4.  Then 
> individual administrations, not just ISP/Service-Provider, will need 
> to know to modify any home-brew firewalls to open all addresses except 
> 255.255.255.255 (and perhaps 240.0.0.0).
>
> That includes my publications about firewall configurations.
>
> If you haven't already, you will need to include makers of access 
> points and companies such as SonicWALL.  Have you talked to pfSense?  
> DD-WRT project?  UFW project?  firewalld project?  The Berkeley Packet 
> Filter project?  How about authors of the NIST _Guidelines on 
> Firewalls and Firewall Policy_ publication 
> (https://www.govinfo.gov/content/pkg/GOVPUB-C13-f52fdee3827e2f5d903fa8b4b66d4855/pdf/GOVPUB-C13-f52fdee3827e2f5d903fa8b4b66d4855.pdf) 
>
> I wish you luck.  And that's only the things I found in English.
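The firewall concern raised above (existing bogon rules that drop all of 240/4, versus keeping only 255.255.255.255 and perhaps 240.0.0.0 blocked) as an added example that is not part of this thread: a small audit of an `iptables -S` style rule dump. The rule text and the rule grammar it recognises are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in "iptables -S" style, modelled on the blanket
# 240/4 bogon filters the thread talks about (not from any real firewall).
SAMPLE_RULES = """\
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 240.0.0.0/4 -j DROP
-A INPUT -s 203.0.113.0/24 -j ACCEPT
-A FORWARD -d 240.0.0.0/4 -j DROP
-A INPUT -s 255.255.255.255/32 -j DROP
"""

CLASS_E = ipaddress.ip_network("240.0.0.0/4")
# Addresses suggested in the thread to keep blocked even if 240/4 is opened.
KEEP_BLOCKED = [ipaddress.ip_network("255.255.255.255/32"),
                ipaddress.ip_network("240.0.0.0/32")]

# Only the simple "-A CHAIN -s|-d CIDR -j TARGET" shape is recognised here.
RULE_RE = re.compile(r"^-A (\S+) (-s|-d) (\S+) -j (\S+)$")


def parse_rule(line):
    """Return (chain, direction, network, target), or None if unrecognised."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    chain, direction, cidr, target = m.groups()
    return chain, direction, ipaddress.ip_network(cidr, strict=False), target


def blocks_240_4(rule):
    """True when a DROP/REJECT rule covers the whole 240/4 range."""
    _chain, _direction, net, target = rule
    return target in ("DROP", "REJECT") and CLASS_E.subnet_of(net)


def find_240_4_blocks(rules_text):
    """Collect every rule in the dump that drops all of 240/4."""
    return [r for r in map(parse_rule, rules_text.splitlines())
            if r and blocks_240_4(r)]


def narrowed_rules(rule):
    """Rewrite a whole-240/4 block as rules for just the addresses kept blocked."""
    chain, direction, _net, target = rule
    return [f"-A {chain} {direction} {n.with_prefixlen} -j {target}"
            for n in KEEP_BLOCKED]
```

Running `find_240_4_blocks(SAMPLE_RULES)` flags the INPUT and FORWARD rules, and `narrowed_rules` shows the replacement pair for each; the 255.255.255.255/32 rule is left alone because it does not cover the range.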


