Assignments for Critical Infrastructure

Hello everybody,

I would like to post an informal proposal before writing an official policy modification proposal (and/or having a discussion tomorrow on Open Hour).

We would like to see the policy for IPv4 and IPv6 modified to allow a /24 *minimum* for IPv4 and a /48 *minimum* for IPv6 to gTLD/ccTLD.

The first reason behind this is that one PI is not really enough and it's blocking us from deploying more DNS servers and making our TLD service more reliable.

The second reason is that if we deploy more anycasted DNS servers we could keep (or drop down) the number of NS records for the TLD, so we could manage to keep the DNS reply size low even with DNSSEC.

And last, but not least, it would be good to keep this synchronized with other regions (see [1],[2]). Note: we may also extend the list of requestors to: Root DNS, ccTLD, gTLD, IANA, RIRs. Which I think is a reasonable list.

1. http://www.nro.net/documents/comp-pol.html#2-4-2
2. http://www.nro.net/documents/comp-pol.html#3-4-1

If there is at least some consensus, I am willing to write an official policy change proposal.

Ondrej
--
Ondřej Surý
technický ředitel/Chief Technical Officer
-----------------------------------------
CZ.NIC, z.s.p.o. -- .cz domain registry
Americká 23, 120 00 Praha 2, Czech Republic
mailto:ondrej.sury@nic.cz http://nic.cz/
sip:ondrej.sury@nic.cz tel:+420.222745110
mob:+420.739013699 fax:+420.222745112
-----------------------------------------
On Tue, Oct 28, 2008 at 11:48:06AM +0100, Ondřej Surý <ondrej.sury@nic.cz> wrote a message of 9 lines which said:
We would like to see policy for IPv4 and IPv6 modified to allow /24 *minimum* for IPv4 and /48 *minimum* to gTLD/ccTLD. First reason behind this is that one PI is not really enough and it's blocking us to deploy more DNS servers and make our TLD service more reliable.
As a TLD, I agree. ".fr" has currently two anycast nodes (managed outside, so they do not use "our" addresses) and plan to add more and to manage them ourselves. We will therefore need more than one PI prefix.
And last, but not least, it would be good to keep this synchronized with other regions (see [1],[2]). Note: we may also extend the list of requestors to: Root DNS, ccTLD, gTLD, IANA, RIRs. Which I think is reasonable list.
ENUM "TLD" too, as discussed on Monday :-)
On Oct 29, 2008, at 9:10 AM, Stephane Bortzmeyer wrote:
On Tue, Oct 28, 2008 at 11:48:06AM +0100, Ondřej Surý <ondrej.sury@nic.cz> wrote a message of 9 lines which said:
We would like to see policy for IPv4 and IPv6 modified to allow /24 *minimum* for IPv4 and /48 *minimum* to gTLD/ccTLD. First reason behind this is that one PI is not really enough and it's blocking us to deploy more DNS servers and make our TLD service more reliable.
As a TLD, I agree. ".fr" has currently two anycast nodes (managed outside, so they do not use "our" addresses) and plan to add more and to manage them ourselves. We will therefore need more than one PI prefix.
Maybe I understand, maybe I don't... but isn't the whole idea of anycast that you create redundancy by adding more machines/locations in the same address space? So what exactly are you trying to gain by adding multiple anycast blocks? That's not exactly clear to me.

Marco
2008/10/29 Marco Hogewoning <marcoh@marcoh.net>:
On Oct 29, 2008, at 9:10 AM, Stephane Bortzmeyer wrote:
On Tue, Oct 28, 2008 at 11:48:06AM +0100, Ondřej Surý <ondrej.sury@nic.cz> wrote a message of 9 lines which said:
We would like to see policy for IPv4 and IPv6 modified to allow /24 *minimum* for IPv4 and /48 *minimum* to gTLD/ccTLD. First reason behind this is that one PI is not really enough and it's blocking us to deploy more DNS servers and make our TLD service more reliable.
As a TLD, I agree. ".fr" has currently two anycast nodes (managed outside, so they do not use "our" addresses) and plan to add more and to manage them ourselves. We will therefore need more than one PI prefix.
Maybe I understand, maybe I don't... but isn't the whole idea of anycast that you create redundancy by adding more machines/locations in the same address space? So what exactly are you trying to gain by adding multiple anycast blocks? That's not exactly clear to me.
We discussed this face to face, but just for the record. The idea of having multiple PI anycast clouds is to have:

M servers in N anycast clouds and L locations, and each anycast cloud includes K servers, where L >= N, M >= L and K << M

A picture would be better here :(. Very simple example in plain words: each anycast cloud will have 3 servers placed in 3 different locations, and any two anycast clouds can share no more than 2 locations with each other. Each location cannot hold more than two anycast clouds.

Anycast clouds: A1 A2 A3 A4
Locations: L1 L2 L3 L4 L5 L6

A1(L1 L2 L3)
A2(L1 L4 L5)
A3(L2 L4 L6)
A4(L3 L5 L6)

That way any two locations can fail without failure of any anycast node.

Ondrej.
--
Ondřej Surý
technický ředitel/Chief Technical Officer
-----------------------------------------
CZ.NIC, z.s.p.o. -- .cz domain registry
Americká 23, 120 00 Praha 2, Czech Republic
mailto:ondrej.sury@nic.cz http://nic.cz/
sip:ondrej.sury@nic.cz tel:+420.222745110
mob:+420.739013699 fax:+420.222745112
-----------------------------------------
On Wed, Oct 29, 2008 at 10:40:37AM +0400, Marco Hogewoning <marcoh@marcoh.net> wrote a message of 23 lines which said:
isn't the whole idea of anycast that you create redundancy by adding more machines/locations in the same address space ?
Having one anycast cloud does provide redundancy and then protection against *some* problems, typically physical problems (power failures, fire) or DDoS.
So what exactly are you trying to gain by adding multiple anycast blocks, that's not exactly clear with me.
But anycast by itself does not protect you against problems with BGP/routing. If Pakistan Telecom announces one of your prefixes, or if a wrong/outdated bogon filter blocks it, anycast by itself won't help. Here, a second anycast cloud with a second prefix may help.
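The two failure modes discussed in this thread (lost locations, which Marco's question is about, and lost prefixes through a hijack or a stale bogon filter, which Stephane's answer is about) can be checked mechanically against Ondrej's four-cloud layout. The following is an added example and not code from the thread; the cloud/location table is copied from Ondrej's mail, while the single-cloud deployment used for comparison and all function names are constructed here.

```python
from itertools import combinations

# Layout from Ondrej's mail: four anycast clouds, each announced from its
# own PI prefix, spread over six locations, three locations per cloud.
FOUR_CLOUDS = {
    "A1": {"L1", "L2", "L3"},
    "A2": {"L1", "L4", "L5"},
    "A3": {"L2", "L4", "L6"},
    "A4": {"L3", "L5", "L6"},
}

# Constructed contrast case: what the current one-prefix policy allows,
# a single anycast cloud present at all six locations.
ONE_CLOUD = {"A1": {"L1", "L2", "L3", "L4", "L5", "L6"}}


def locations(clouds):
    """All locations used by any cloud."""
    return set().union(*clouds.values())


def live_clouds(clouds, failed_locations=(), failed_prefixes=()):
    """Clouds that are still reachable: their prefix is still routed and at
    least one of their locations is still up."""
    down = set(failed_locations)
    return {name for name, locs in clouds.items()
            if name not in failed_prefixes and locs - down}


def every_cloud_survives_k_location_failures(clouds, k):
    """True if no combination of k failed locations takes down any cloud."""
    return all(len(live_clouds(clouds, failed)) == len(clouds)
               for failed in combinations(sorted(locations(clouds)), k))


def max_location_failures_all_clouds_survive(clouds):
    """Largest k such that every cloud survives any k simultaneous
    location failures (the property Ondrej claims for k = 2)."""
    k = 0
    while (k < len(locations(clouds))
           and every_cloud_survives_k_location_failures(clouds, k + 1)):
        k += 1
    return k


def service_survives(clouds, failed_locations=(), failed_prefixes=()):
    """The TLD stays resolvable as long as at least one cloud is live."""
    return bool(live_clouds(clouds, failed_locations, failed_prefixes))


def max_prefix_failures_service_survives(clouds):
    """Largest number of prefixes that can be lost at once (hijacked,
    filtered, withdrawn) while the service stays reachable, with all
    locations up. A single-prefix deployment scores zero here."""
    names = sorted(clouds)
    k = 0
    while (k < len(names)
           and all(service_survives(clouds, failed_prefixes=f)
                   for f in combinations(names, k + 1))):
        k += 1
    return k


def max_shared_locations(clouds):
    """Largest number of locations any two clouds have in common
    (Ondrej's layout rule: at most 2)."""
    if len(clouds) < 2:
        return 0
    return max(len(a & b) for a, b in combinations(clouds.values(), 2))


def max_clouds_per_location(clouds):
    """Most clouds hosted at a single location (Ondrej's layout rule: at most 2)."""
    return max(sum(1 for locs in clouds.values() if loc in locs)
               for loc in locations(clouds))


if __name__ == "__main__":
    for label, clouds in (("four clouds", FOUR_CLOUDS), ("one cloud", ONE_CLOUD)):
        print(label,
              "location failures tolerated:", max_location_failures_all_clouds_survive(clouds),
              "prefix failures tolerated:", max_prefix_failures_service_survives(clouds))
```

Running it shows the trade-off both sides of the thread are describing: the single cloud at six sites survives five lost locations but not one lost prefix, while the four-cloud layout survives any two lost locations (every cloud stays up, as Ondrej states) and keeps the TLD resolvable with up to three of its four prefixes gone. The layout also respects Ondrej's own constraints, with no two clouds sharing more than one location and no location hosting more than two clouds.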
* Stephane Bortzmeyer:
But anycast by itself does not protect you against problems with BGP/routing. If Pakistan Telecom announces one of your prefixes, or if a wrong/outdated bogon filter blocks it, anycast by itself won't help. Here, a second anycast cloud with a second prefix may help.
And BGP does not optimize for RTT, like some resolvers do, so too much anycast will slow things down a bit.

--
Florian Weimer <fweimer@bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
On Thu, Oct 30, 2008 at 07:36:48PM +0100, Florian Weimer <fweimer@bfk.de> wrote a message of 16 lines which said:
And BGP does not optimize for RTT, like some resolvers do, so too much anycast will slow things down a bit.
Isn't it a classical case of security/performance trade-off? After the attack on the root name servers in February 2007, most name server operators are ready to worsen the latency a bit in order to get more resilience.

And, anyway, we are drifting. The issue is not whether name server operators MUST use anycast-with-several-prefixes but whether they CAN do it with the current policy (answer: no, because it is limited to one prefix).
bortzmeyer@nic.fr (Stephane Bortzmeyer) wrote:
As a TLD, I agree. ".fr" has currently two anycast nodes (managed outside, so they do not use "our" addresses) and plan to add more and to manage them ourselves. We will therefore need more than one PI prefix.
The same goes for ".de" (and +49 enum as well). But everyone already knew that ;-)

Elmar.
--
--[ bins@denic.de ]-----------------------------[ http://www.denic.de/ ]--
DENIC eG | Elmar K. Bins | Networking, Security
Kaiserstr. 75-77 | AS8763, AS31529 | Tel +49 69 27235 0
D-60329 Frankfurt am Main | EKB2 @ RIPE | Fax +49 69 27235 239
--------------------------------------------------------------------------
Eingetr. Nr. 770 im Genossenschaftsregister Amtsgericht Frankfurt am Main
Vorstand: Sabine Dolderer, Dr. Jörg Schweiger, Marcus Schäfer, Carsten Schiefner.
Vorsitzender des Aufsichtsrats: Elmar Knipp
Ondrej,

in the light of the comments on my proposal for ENUM anycast assignments discussed in Dubai, I was planning to write a revised policy proposal to go through the PDP. I will be taking action on this as soon as the minutes/webcast from Dubai are available. I think it's safe to say we are working towards the same/similar goal and I think it's important that we don't both do the same work. I will have a first draft of my proposal here in the next couple of weeks.

Regards

Brett Carr
Nominet UK

On Tue, Oct 28, 2008 at 10:48 AM, Ondřej Surý <ondrej.sury@nic.cz> wrote:
Hello everybody,
I would like to post an informal proposal before writing an official policy modification proposal (and/or having a discussion tomorrow on Open Hour).
We would like to see policy for IPv4 and IPv6 modified to allow /24 *minimum* for IPv4 and /48 *minimum* to gTLD/ccTLD.
First reason behind this is that one PI is not really enough and it's blocking us to deploy more DNS servers and make our TLD service more reliable.
Second reason is that if we deploy more Anycasted DNS servers we could keep (or drop down) number of NS records for TLD, so we could manage to keep DNS reply size low even with DNSSEC.
And last, but not least, it would be good to keep this synchronized with other regions (see [1],[2]). Note: we may also extend the list of requestors to: Root DNS, ccTLD, gTLD, IANA, RIRs. Which I think is reasonable list.
1. http://www.nro.net/documents/comp-pol.html#2-4-2
2. http://www.nro.net/documents/comp-pol.html#3-4-1
If there is at least some consensus, I am willing to write official policy change proposal.
Ondrej
--
Ondřej Surý
technický ředitel/Chief Technical Officer
-----------------------------------------
CZ.NIC, z.s.p.o. -- .cz domain registry
Americká 23, 120 00 Praha 2, Czech Republic
mailto:ondrej.sury@nic.cz http://nic.cz/
sip:ondrej.sury@nic.cz tel:+420.222745110
mob:+420.739013699 fax:+420.222745112
-----------------------------------------
Brett,

I already sent my proposals to modify the IPv4 and IPv6 policies to the WG chairs while in Dubai. But incorporating ENUM should be as easy as adding the ENUM Tier-1 registry to the list of what is 'Critical Infrastructure'.

Ondrej.

2008/11/17 B C <brettlists@gmail.com>:
Ondrej, in the light of the comments on my proposal for ENUM anycast assignments discussed in Dubai, I was planning to write a revised policy proposal to go through the PDP. I will be taking action on this as soon as the minutes/webcast from Dubai are available. I think it's safe to say we are working towards the same/similar goal and I think it's important that we don't both do the same work. I will have a first draft of my proposal here in the next couple of weeks.
Regards
Brett Carr
Nominet UK
On Tue, Oct 28, 2008 at 10:48 AM, Ondřej Surý <ondrej.sury@nic.cz> wrote:
Hello everybody,
I would like to post an informal proposal before writing an official policy modification proposal (and/or having a discussion tomorrow on Open Hour).
We would like to see policy for IPv4 and IPv6 modified to allow /24 *minimum* for IPv4 and /48 *minimum* to gTLD/ccTLD.
First reason behind this is that one PI is not really enough and it's blocking us to deploy more DNS servers and make our TLD service more reliable.
Second reason is that if we deploy more Anycasted DNS servers we could keep (or drop down) number of NS records for TLD, so we could manage to keep DNS reply size low even with DNSSEC.
And last, but not least, it would be good to keep this synchronized with other regions (see [1],[2]). Note: we may also extend the list of requestors to: Root DNS, ccTLD, gTLD, IANA, RIRs. Which I think is reasonable list.
1. http://www.nro.net/documents/comp-pol.html#2-4-2
2. http://www.nro.net/documents/comp-pol.html#3-4-1
If there is at least some consensus, I am willing to write official policy change proposal.
Ondrej
--
Ondřej Surý
technický ředitel/Chief Technical Officer
-----------------------------------------
CZ.NIC, z.s.p.o. -- .cz domain registry
Americká 23, 120 00 Praha 2, Czech Republic
mailto:ondrej.sury@nic.cz http://nic.cz/
sip:ondrej.sury@nic.cz tel:+420.222745110
mob:+420.739013699 fax:+420.222745112
-----------------------------------------

--
Ondřej Surý
technický ředitel/Chief Technical Officer
-----------------------------------------
CZ.NIC, z.s.p.o. -- .cz domain registry
Americká 23, 120 00 Praha 2, Czech Republic
mailto:ondrej.sury@nic.cz http://nic.cz/
sip:ondrej.sury@nic.cz tel:+420.222745110
mob:+420.739013699 fax:+420.222745112
-----------------------------------------