Hijacking unused address space for a private infrastructure - any legal consequences?
Hi all, Could somebody speak on the legal consequences of hijacking unused address space? Imagine the situation that some vendor would push many Carriers to use FC/8 by cutting a rather big block out of it (/28 for each Carrier). This address space should have a registry. It is an IANA property till then. But: 1. Nobody is using it - nobody would be hurt. 2. This prefix would be excluded from the Internet (by routing and filtering) 3. FC/8 is assumed to be used for the closed domain (the purpose of usage is very similar). Just nobody decided how exactly. Maybe /28 is not how IANA and IETF would want to split it in the future. People could ask "why not GUA"? The answer is: it is difficult to get yet another /28 GUA from RIR just for the infrastructure. /28 goal has the technical roots by itself. It is the sort of technical solution. Could such LIR/Carrier have any pressure from any RIR or IANA itself? Is any restriction in the LIR agreement? Any legal consequences? (that would push for renumbering). Of course, I am aware what may happen if Carrier would need to connect infrastructure with different Carrier or Cloud Provider Without proper random prefix generation and registry to guarantee uniqueness. The technical side is very clear for me. I am just very ignorant on the legal side. Disclaimer: This question is not related to Huawei, not at all. Eduard
On 20220224, at 15:00, Vasilenko Eduard via ipv6-wg <ipv6-wg@ripe.net> wrote:
Hi all, Could somebody speak on the legal consequences of hijacking unused address space?
While there might be lawyer related folks, or even actual lawyers, I don't think you will get any legal advice here, for that ask a lawyer, and likely a technical lawyer who is involved in Internet policy and related questions. As a non-lawyer, thus not legal advice but purely personal technical comments:
Imagine the situation that some vendor would push many Carriers to use FC/8 by cutting a rather big block out of it (/28 for each Carrier). This address space should have a registry. It is an IANA property till then.
Anybody can create their own "Internet" with their own address space in their own routers in their own network, all while using IP related technologies. IANA has little to do with it, as well, it is your own private network. What can happen though, is that the IETF, and then IANA, reassigns address space for a different purpose. At which point everybody using that space clashes with it. See also usage of IPv4 from various /8's that are "not globally routed but used internally". Same goes for IPv6 or any other address space. The Internet, and IETF/IANA/RIRs etc only work as the community decided that that is the way to run it. As an example https://dn42.dev/ already uses fd00::/8. I personally "have" fd42:2a2b:acf1::/48 out of that range (see also https://dn42.ch) Yes, DN42 is "just using that", and mostly it will be fine. The related IPv4 space they use already had quite a few clashes, as RFC1918 space is rare, but if one connects to DN42 you obey their registry and all is fine.
But: 1. Nobody is using it - nobody would be hurt. 2. This prefix would be excluded from the Internet (by routing and filtering) 3. FC/8 is assumed to be used for the closed domain (the purpose of usage is very similar). Just nobody decided how exactly. Maybe /28 is not how IANA and IETF would want to split it in the future.
People could ask "why not GUA"? The answer is: it is difficult to get yet another /28 GUA from RIR just for the infrastructure. /28 goal has the technical roots by itself. It is the sort of technical solution.
RIR typically give out the space that one really needs. If you can justify it, you will get it. If you cannot justify it, you likely do not need it. As a LIR can get a IPv6 /29 per default (and then likely never have to ask again).... I would be very surprised if one is a large entity that one cannot receive an extra /28. If there is a special protocol that you need this for, define the protocol, send the draft to the IETF, convince people, and they can assign a great chunk out of that if really justified.
Could such LIR/Carrier have any pressure from any RIR or IANA itself?
Likely no. But they will likely get community backlash if it causes issue on the Internet.
Is any restriction in the LIR agreement? Any legal consequences? (that would push for renumbering).
That is really a legal question to ask a lawyer.... but from my POV no. Greets, Jeroen
Hi, On Thu, Feb 24, 2022 at 04:08:45PM +0100, Jeroen Massar via ipv6-wg wrote:
People could ask "why not GUA"? The answer is: it is difficult to get yet another /28 GUA from RIR just for the infrastructure. /28 goal has the technical roots by itself. It is the sort of technical solution.
RIR typically give out the space that one really needs.
If you can justify it, you will get it.
If you cannot justify it, you likely do not need it.
As a LIR can get a IPv6 /29 per default (and then likely never have to ask again).... I would be very surprised if one is a large entity that one cannot receive an extra /28.
If I hear "/28 just for the infrastructure" I'd claim "they are doing something wrong, in significant ways". No network is so big that a /32 wouldn't be enough *for the infrastructure* (4 billion /64 subnets), unless you start encoding stuff into network prefixes that should not be there. And no, people should not get /28s for (pure) "network numbers are hard" reasons. Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
On 20220224, at 16:26, Gert Doering <gert@Space.Net> wrote:
Hi,
On Thu, Feb 24, 2022 at 04:08:45PM +0100, Jeroen Massar via ipv6-wg wrote:
People could ask "why not GUA"? The answer is: it is difficult to get yet another /28 GUA from RIR just for the infrastructure. /28 goal has the technical roots by itself. It is the sort of technical solution.
RIR typically give out the space that one really needs.
If you can justify it, you will get it.
If you cannot justify it, you likely do not need it.
As a LIR can get a IPv6 /29 per default (and then likely never have to ask again).... I would be very surprised if one is a large entity that one cannot receive an extra /28.
If I hear "/28 just for the infrastructure" I'd claim "they are doing something wrong, in significant ways".
No network is so big that a /32 wouldn't be enough *for the infrastructure* (4 billion /64 subnets), unless you start encoding stuff into network prefixes that should not be there.
And no, people should not get /28s for (pure) "network numbers are hard" reasons.
Full ack on that. Hence why I mentioned "if you can justify it" :) Greets, Jeroen
Hi Jordi, Jeroen, Gert, Thanks for the answers. OK, It looks like not a legal problem. Is it any problem for RIRs if this behavior would proliferate? (many Carriers would cut something from FC/8) It is exactly what is going on now. A few HUGE Carriers already accepted this approach and one big vendor continues the push of other Carriers. APNIC has refused in yet additional /28 specifically for this technical solution to these HUGE Carriers. I am not enough proficient to say: did they request properly? I have been told that /28 just for infrastructure is to-o-o much. Of course, these carriers have bigger blocks for real subscribers. And what is worse, these Carriers have smaller blocks for infrastructure that has been given by APNIC before. It is like "the second block for the same purpose" from APNIC's point of view. I am not so sure that it is easy to get. I did expect that some would ask why. I did try to address these. You are still surprised. OK. Let me say more. It is uSID SRv6 solution. It needs a short prefix for the infrastructure because the prefix is replicated in every entry of the SRH list. Or else it would cost a few percentages of the whole network bandwidth. i.e., it may burn a few percentages of overall network investments of the big carrier. FYI, uSID is the 1st solution (section 4.1) in the https://datatracker.ietf.org/doc/html/draft-ietf-spring-srv6-srh-compression... Eduard -----Original Message----- From: ipv6-wg [mailto:ipv6-wg-bounces@ripe.net] On Behalf Of Jeroen Massar via ipv6-wg Sent: Thursday, February 24, 2022 6:48 PM To: Gert Doering <gert@Space.Net> Cc: ipv6-wg@ripe.net Subject: Re: [ipv6-wg] Hijacking unused address space for a private infrastructure - any legal consequences?
On 20220224, at 16:26, Gert Doering <gert@Space.Net> wrote:
Hi,
On Thu, Feb 24, 2022 at 04:08:45PM +0100, Jeroen Massar via ipv6-wg wrote:
People could ask "why not GUA"? The answer is: it is difficult to get yet another /28 GUA from RIR just for the infrastructure. /28 goal has the technical roots by itself. It is the sort of technical solution.
RIR typically give out the space that one really needs.
If you can justify it, you will get it.
If you cannot justify it, you likely do not need it.
As a LIR can get a IPv6 /29 per default (and then likely never have to ask again).... I would be very surprised if one is a large entity that one cannot receive an extra /28.
If I hear "/28 just for the infrastructure" I'd claim "they are doing something wrong, in significant ways".
No network is so big that a /32 wouldn't be enough *for the infrastructure* (4 billion /64 subnets), unless you start encoding stuff into network prefixes that should not be there.
And no, people should not get /28s for (pure) "network numbers are hard" reasons.
Full ack on that. Hence why I mentioned "if you can justify it" :) Greets, Jeroen -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/ipv6-wg
On 20220224, at 18:05, Vasilenko Eduard <vasilenko.eduard@huawei.com> wrote:
Hi Jordi, Jeroen, Gert, Thanks for the answers. OK, It looks like not a legal problem. Is it any problem for RIRs if this behavior would proliferate? (many Carriers would cut something from FC/8)
Not the internet, not their problem IMHO. If you start using address space that might clash, the problem becomes that when you eventually get bought out by each-other that you cannot actually merge your networks as you will have clashing space... But, when you have millions, that should not be a problem right, or you could do what they do with IPv4: NAT NAT NAT NAT NAT.... [..]
It is uSID SRv6 solution. It needs a short prefix for the infrastructure because the prefix is replicated in every entry of the SRH list. [..]
Eh. So, you might want to consider not deploying insecure technology (SRv6) that has very obvious security problems, as has been pointed out on the various IETF lists, or misusing address space for something it is not meant for. Greets, Jeroen
Eh. So, you might want to consider not deploying insecure technology (SRv6) that has very obvious security problems, as has been pointed out on the various IETF lists, or misusing address space for something it is not meant for.
The next solution in the same draft https://datatracker.ietf.org/doc/html/draft-ietf-spring-srv6-srh-compression... does not have the same problem. It has just one copy of the prefix in the destination address. Hence, it could be any length (even bigger the /64). Ed/ -----Original Message----- From: Jeroen Massar [mailto:jeroen@massar.ch] Sent: Thursday, February 24, 2022 9:05 PM To: Vasilenko Eduard <vasilenko.eduard@huawei.com> Cc: Gert Doering <gert@Space.Net>; JORDI PALET MARTINEZ via ipv6-wg <ipv6-wg@ripe.net> Subject: Re: [ipv6-wg] Hijacking unused address space for a private infrastructure - any legal consequences?
On 20220224, at 18:05, Vasilenko Eduard <vasilenko.eduard@huawei.com> wrote:
Hi Jordi, Jeroen, Gert, Thanks for the answers. OK, It looks like not a legal problem. Is it any problem for RIRs if this behavior would proliferate? (many Carriers would cut something from FC/8)
Not the internet, not their problem IMHO. If you start using address space that might clash, the problem becomes that when you eventually get bought out by each-other that you cannot actually merge your networks as you will have clashing space... But, when you have millions, that should not be a problem right, or you could do what they do with IPv4: NAT NAT NAT NAT NAT.... [..]
It is uSID SRv6 solution. It needs a short prefix for the infrastructure because the prefix is replicated in every entry of the SRH list. [..]
Eh. So, you might want to consider not deploying insecure technology (SRv6) that has very obvious security problems, as has been pointed out on the various IETF lists, or misusing address space for something it is not meant for. Greets, Jeroen
Hi, On Thu, Feb 24, 2022 at 06:11:59PM +0000, Vasilenko Eduard via ipv6-wg wrote:
Eh. So, you might want to consider not deploying insecure technology (SRv6) that has very obvious security problems, as has been pointed out on the various IETF lists, or misusing address space for something it is not meant for.
The next solution in the same draft https://datatracker.ietf.org/doc/html/draft-ietf-spring-srv6-srh-compression... does not have the same problem. It has just one copy of the prefix in the destination address. Hence, it could be any length (even bigger the /64).
Much better wrt address consumption, but still SR6 has unsolved security problems. As a consequence, SR6 can only be deployed if your network is fully disconnected from everyone else (including possibly untrusted customers) - and if you have that, it does not really matter what addresses you use. Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
Domain isolation is good up to the point that "Option C style" is needed (for E2E services, without any GW in the middle) Then domain isolation would become not so isolated. It is the rear case now, but Cloud/DC is a good example of when it is better not to have an additional gateway for service stitching. Ed/ -----Original Message----- From: Gert Doering [mailto:gert@space.net] Sent: Thursday, February 24, 2022 9:20 PM To: Vasilenko Eduard <vasilenko.eduard@huawei.com> Cc: Jeroen Massar <jeroen@massar.ch>; Gert Doering <gert@space.net>; JORDI PALET MARTINEZ via ipv6-wg <ipv6-wg@ripe.net> Subject: Re: [ipv6-wg] Hijacking unused address space for a private infrastructure - any legal consequences? Hi, On Thu, Feb 24, 2022 at 06:11:59PM +0000, Vasilenko Eduard via ipv6-wg wrote:
Eh. So, you might want to consider not deploying insecure technology (SRv6) that has very obvious security problems, as has been pointed out on the various IETF lists, or misusing address space for something it is not meant for.
The next solution in the same draft https://datatracker.ietf.org/doc/html/draft-ietf-spring-srv6-srh-compr ession-00 does not have the same problem. It has just one copy of the prefix in the destination address. Hence, it could be any length (even bigger the /64).
Much better wrt address consumption, but still SR6 has unsolved security problems. As a consequence, SR6 can only be deployed if your network is fully disconnected from everyone else (including possibly untrusted customers) - and if you have that, it does not really matter what addresses you use. Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
participants (3)
-
Gert Doering -
Jeroen Massar -
Vasilenko Eduard