RE: [address-policy-wg] RE: Private address space in IPv4 and IPv6 [was something irrelevantly titled]
> -----Original Message-----
> From: Andy Davidson [mailto:andy@nosignal.org]
> Sent: Sunday, May 31, 2009 10:55 AM
> To: Potapov Vladislav
> Cc: address-policy-wg@ripe.net
> Subject: Re: [address-policy-wg] RE: Private address space in IPv4 and
> IPv6 [was something irrelevantly titled]
>
>
> On 29 May 2009, at 11:16, <poty@iiat.ru> wrote:
>
> > Then Radianz could easily create its own rules without bothering the
> > World, couldn't it? And so - use ANY IP addresses. Why should I see
> > the internal networks (I use corrected "private" meanings) of Radianz or
> > other such companies? If it NEVER interacts with mine or most of the
> > other networks in the Internet?
>
> Hi, Vladislav
>
> As others have tried to point out, private networks often still
> connect to the Internet, so in order to prevent connectivity problems
> between -- in this case, Radianz -- and another, unspecified network
> on the Internet, then the addressing that Radianz need to use for
> their private networks must be globally unique.

Here we have several possibilities:

1. We have a tunnel between the internal networks - then the Radianz network does not need to be GLOBALLY unique, it should be unique only between interconnected networks.

2. The same network should have access to the Internet. Then it should use NAT (not possible in IPv6) or just be partially connected to the Internet. The second case - is announcing the block (or part of the block) to the Internet. The first case - internal network may have RFC 1918 or other IP addresses.

> Kind regards,
> Andy Davidson

Vladislav Potapov
Ru.iiat
On Mon, Jun 01, 2009 at 02:36:33PM +0400, poty@iiat.ru wrote:
>
> > -----Original Message-----
> > From: Andy Davidson [mailto:andy@nosignal.org]
> > Sent: Sunday, May 31, 2009 10:55 AM
> > To: Potapov Vladislav
> > Cc: address-policy-wg@ripe.net
> > Subject: Re: [address-policy-wg] RE: Private address space in IPv4 and
> > IPv6 [was something irrelevantly titled]
> >
> >
> > On 29 May 2009, at 11:16, <poty@iiat.ru> wrote:
> >
> > > Then Radianz could easily create its own rules without bothering the
> > > World, couldn't it? And so - use ANY IP addresses. Why should I see
> > > the internal networks (I use corrected "private" meanings) of Radianz or
> > > other such companies? If it NEVER interacts with mine or most of the
> > > other networks in the Internet?
> >
> > Hi, Vladislav
> >
> > As others have tried to point out, private networks often still
> > connect to the Internet, so in order to prevent connectivity problems
> > between -- in this case, Radianz -- and another, unspecified network
> > on the Internet, then the addressing that Radianz need to use for
> > their private networks must be globally unique.
>
> Here we have several possibilities:
> 1. We have a tunnel between the internal networks - then the Radianz network
> does not need to be GLOBALLY unique, it should be unique only between
> interconnected networks.
> 2. The same network should have access to the Internet. Then it should
> use NAT (not possible in IPv6) or just be partially connected to the

You should update your reading list. I have been using IVI (an IPv6 NAT) for a little over 18 months ... works just fine. And you should look into the IETF BEHAVE work... all about IPv6 and NAT.

> Internet. The second case - is announcing the block (or part of the
> block) to the Internet. The first case - internal network may have RFC
> 1918 or other IP addresses.
>
> > Kind regards,
> > Andy Davidson
>
> Vladislav Potapov
> Ru.iiat
>
> 2. The same network should have access to the Internet. Then it should
> use NAT (not possible in IPv6) or just be partially connected to the
> Internet. The second case - is announcing the block (or part of the
> block) to the Internet. The first case - internal network may have RFC
> 1918 or other IP addresses.
Radianz is only one of several internetworks which connect many organizations together with circuits that are completely separate from the Internet. All of these organizations also have connections to the Internet. Internally, sometimes there is separate LAN cabling for the Radianz-connected workstations, and sometimes everything is on one LAN. If everything is on one LAN, then the only reason that Radianz is not connected to the Internet is because of many ACLs and firewall rules that control where traffic goes.

People who make addressing policy don't often think about ACLs and firewall rules, but they are at least as important as routing. If the Radianz network operates with globally unique IP addresses, then the subscribers can be confident that any ACLs blocking Radianz traffic from the Internet will never cause a problem for real Internet traffic. Globally unique addresses are required to have reliable ACLs in enterprise LANs.

Technically speaking, you could claim that Radianz is actually connected to the Internet, even though they do not announce their address prefixes, and there are many ACLs and firewall rules blocking traffic from leaking out.

Note that these types of traffic controls (ACLs) can be used in other scenarios. Network X could announce their addresses to some neighbour ASes in country A, and those ASes might not announce the routes to international peers. They might also implement ACLs so that no traffic can flow to international peers. Network X would still be on the Internet and their customers in country A would be happy that they can browse all kinds of sites on the Internet in country A. They could even send email internationally because it would be relayed by the ASes with international peering agreements. Is Network X on the Internet? Is the Radianz network on the Internet?

Addressing policy would be just as complex as today if RIPE agreed that the scope for RIPE-NCC allocations should be restricted to "the Internet".
There is no point in making such a change, and people who are ignorant of history need to take the time and learn about the history of the Internet, of IANA and of RIPE.

Vlad, don't be a screw-up! Read the history and stop your stupid letters.

--Michael Dillon

P.S. Radianz is merely an example of many other internetworks that carry IP traffic from many organizations, but which do not openly peer with the Internet.

P.P.S. We are going through a time with lots of change: IPv4 runout, AS runout, RFC 1918 runout, AS32 introduction, IPv6 deployment. In addition, the landscape is not as uniform as it was back in the early days. LIR is no longer the same thing as ISP since there are now many more business models, and more diversity in how IP networks are built and operated. We need to keep a balanced view as we make changes to policy because RIPE policy has to be workable for everybody.
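The ACL-reliability point made above, as an added example that is not part of the thread: a small Python simulation of a border ACL that drops extranet-bound traffic, run once with an extranet that reuses address space it does not hold and once with globally unique prefixes. All prefixes and destinations are constructed from documentation and RFC 1918 ranges, not Radianz's real addressing.

```python
"""Why 'deny extranet' ACLs need globally unique addresses.

Constructed example: every prefix and destination below is made up
(documentation ranges and RFC 1918 space), not from the mailing-list thread.
"""
from ipaddress import ip_address, ip_network

# Case A: the partner extranet reuses address space it does not hold
# (a public range belonging to someone else, plus a chunk of 10/8).
SQUATTED_EXTRANET = [ip_network("203.0.113.0/24"), ip_network("10.7.0.0/16")]
# Case B: the extranet uses prefixes actually allocated to it.
UNIQUE_EXTRANET = [ip_network("198.51.100.0/24")]

# Constructed legitimate destinations: public sites reached over the Internet
# uplink, and branch hosts reached over the enterprise's own site-to-site VPN.
INTERNET_DESTS = ["203.0.113.45", "192.0.2.10"]
VPN_DESTS = ["10.7.12.1", "10.9.0.5"]
ENTERPRISE_VPN_PREFIXES = [ip_network("10.0.0.0/8")]


def extranet_acl(dst, extranet_prefixes):
    """Border ACL: drop anything addressed to an extranet prefix so partner
    traffic cannot leak out of the Internet uplink. Returns 'deny'/'permit'."""
    addr = ip_address(dst)
    return "deny" if any(addr in p for p in extranet_prefixes) else "permit"


def collateral_damage(extranet_prefixes, legit_dests):
    """Legitimate destinations the 'deny extranet' ACL would also block.
    An empty list means the ACL is reliable for this traffic."""
    return [d for d in legit_dests if extranet_acl(d, extranet_prefixes) == "deny"]


def overlaps(a_prefixes, b_prefixes):
    """Prefix pairs that overlap; any hit means one ACL line cannot tell
    the extranet apart from the enterprise's own address space."""
    return [(str(a), str(b)) for a in a_prefixes for b in b_prefixes if a.overlaps(b)]


if __name__ == "__main__":
    for name, prefixes in (("squatted", SQUATTED_EXTRANET), ("unique", UNIQUE_EXTRANET)):
        hit = collateral_damage(prefixes, INTERNET_DESTS + VPN_DESTS)
        print(f"{name:8s} extranet: ACL also blocks {hit or 'nothing'}")
        print(f"{name:8s} extranet: overlaps with VPN space "
              f"{overlaps(prefixes, ENTERPRISE_VPN_PREFIXES) or 'none'}")
```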