[ipv6-wg@ripe.net] Update on IPv6 filter recommendation
Hi,

I have just added an update to the "strict" filter list of my IPv6 filter list recommendations on http://www.space.net/~gert/RIPE/ipv6-filters.html

The new thing is that inside 2001:500::/29, the "strict" list is now permitting /48s. This is because 2001:500:: is used for ARIN microallocations, and /48s are the "normal" allocation boundary in there.

Two networks are already announced from within that block, 2001:500::/48 and 2001:500:1::/48, and some ISPs promptly can't reach them due to too tight filtering.

So if you filter very strictly, please adapt your filters for that block.

(Thanks to Carlos Friacas for pointing that out to me).

Gert Doering -- NetMaster
--
Total number of prefixes smaller than registry allocations: 54495 (54267)
SpaceNet AG Mail: netmaster@Space.Net
Joseph-Dollinger-Bogen 14 Tel : +49-89-32356-0
80807 Muenchen Fax : +49-89-32356-299
On Mon, 12 May 2003, Gert Doering wrote:
I have just added an update to the "strict" filter list of my IPv6 filter list recommendations on http://www.space.net/~gert/RIPE/ipv6-filters.html
The new thing is that inside 2001:500::/29, the "strict" list is now permitting /48s. This is because 2001:500:: is used for ARIN microallocations, and /48s are the "normal" allocation boundary in there.
Two networks are already announced from within that block, 2001:500::/48 and 2001:500:1::/48, and some ISPs promptly can't reach them due to too tight filtering.
So if you filter very strictly, please adapt your filters for that block.
There is a danger that this uncoordinated madness will spread. There has been a proposal to extend the microallocation policy, but luckily enough it has been shot down. IMO, you should only let in 2001:500::/32 up to /48 if you really have to, and not the other blocks in the /29 (especially, don't let through exchange point addresses, under 2001:504::/32). Please refer to: http://www.arin.net/registration/ipv6/micro_alloc.html -- Pekka Savola "You each name yourselves king, yet the Netcore Oy kingdom bleeds." Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
Hi, On Mon, May 12, 2003 at 11:40:30AM +0300, Pekka Savola wrote:
The new thing is that inside 2001:500::/29, the "strict" list is now permitting /48s. This is because 2001:500:: is used for ARIN microallocations, and /48s are the "normal" allocation boundary in there. [..] There is a danger that this uncoordinated madness will spread.
I didn't imply that I *like* this microallocation policy - I think it's the wrong way to go. We have a root name server policy, and the individual regions should not do "other" microallocations, especially not for the root. Nevertheless it is happening, and I am just documenting things (right now).
There has been a proposal to extend the microallocation policy, but luckily enough it has been shot down.
Could you give me some more background on that? What was the proposal, and why was it shot down?
IMO, you should only let in 2001:500::/32 up to /48 if you really have to, and not the other blocks in the /29 (especially, don't let through exchange point addresses, under 2001:504::/32). Please refer to: http://www.arin.net/registration/ipv6/micro_alloc.html
Thanks for pointing that out to me. I will update my documentation accordingly. (*done*) Gert Doering -- NetMaster -- Total number of prefixes smaller than registry allocations: 54495 (54267) SpaceNet AG Mail: netmaster@Space.Net Joseph-Dollinger-Bogen 14 Tel : +49-89-32356-0 80807 Muenchen Fax : +49-89-32356-299
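The two filter variants discussed above for 2001:500::/29, as an added example that is not part of the thread or of the filter list it links to. It evaluates the announced prefixes against "permit /48s anywhere in the /29" and against the narrower "only 2001:500::/32 up to /48" suggestion. The rule layout, the first-match semantics and the accepted length range are assumptions, and the last three test routes are constructed.

```python
import ipaddress

# Rule = (covering prefix, longest accepted length, action); first match wins.
# Assumption: any length from the covering prefix's own up to the limit matches.
# Variant 1: the update as announced, /48s accepted anywhere in the /29.
AS_ANNOUNCED = [
    ("2001:500::/29", 48, "permit"),
    ("2001:500::/29", 128, "deny"),   # anything longer than /48
]
# Variant 2: the narrower suggestion from the reply.
NARROWED = [
    ("2001:504::/32", 128, "deny"),   # exchange point addresses
    ("2001:500::/32", 48, "permit"),  # microallocations, up to /48
    ("2001:500::/29", 128, "deny"),   # the other blocks in the /29
]

def evaluate(route, rules):
    """Return 'permit', 'deny', or 'no-match' (left to the rest of the filter)."""
    net = ipaddress.ip_network(route, strict=True)
    for covering, max_len, action in rules:
        cov = ipaddress.ip_network(covering)
        if net.version != cov.version:
            continue
        if net.subnet_of(cov) and net.prefixlen <= max_len:
            return action
    return "no-match"

# The first two prefixes are the announcements named in the thread;
# the others are constructed test inputs.
ROUTES = [
    "2001:500::/48",
    "2001:500:1::/48",
    "2001:504::/48",   # constructed: a /48 under the exchange point block
    "2001:500::/64",   # constructed: longer than /48
    "2001:db8::/32",   # constructed: outside the /29
]

def compare(routes=ROUTES):
    """Map each route to (decision as announced, decision when narrowed)."""
    return {r: (evaluate(r, AS_ANNOUNCED), evaluate(r, NARROWED)) for r in routes}

if __name__ == "__main__":
    for route, (wide, narrow) in compare().items():
        print(f"{route:18} announced={wide:8} narrowed={narrow}")
```

Only the /48 under 2001:504::/32 is treated differently by the two variants; a "no-match" result means the route is decided by whatever the rest of the filter list says, which is not modelled here.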
On Mon, 12 May 2003, Gert Doering wrote:
There has been a proposal to extend the microallocation policy, but luckily enough it has been shot down.
Could you give me some more background on that? What was the proposal, and why was it shot down?
Proposal: http://www.arin.net/policy/2003_4.html

There are numerous problems with the proposal, even though it may have been well-intentioned:

1) waiving 200 /48 assignments could enable any 1-person consulting business with 1 customer to get a /32

2) micro-allocations are useless unless they're routed, and there is no community consensus that they're the right thing to do at the moment.

3) these kinds of policy changes should occur on a different level, like global-v6 mailing list and/or the IETF, not just one RIR.

-- Pekka Savola "You each name yourselves king, yet the Netcore Oy kingdom bleeds." Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
Hi, On Mon, May 12, 2003 at 01:35:25PM +0300, Pekka Savola wrote:
Proposal:
Ah, that one. Actually like the first two proposals. Micro-Allocations are genuinely evil, though.
There are numerous problems with the proposal, even though it may have been well-intentioned:
1) waiving 200 /48 assignments could enable any 1-person consulting business with 1 customer to get a /32
This has come up in the RIPE region a while ago already (1.5 years?) and my response at that time was "so what?". In the RIPE region (which is different from ARIN), being sufficiently determined to wade through the paperwork, sign all the RIPE member contracts and pay the LIR fees could be considered enough prerequisite to get a /32. People didn't like that, though - as far as I remember, the loudest criticism came from the ARIN land.
2) micro-allocations are useless unless they're routed, and there is no community consensus that they're the right thing to do at the moment.
Micro-Allocations are *bad*. I can see two exceptions that can be clearly defined and are really "exceptionable enough" (and not "just convenient") - that's IXPs, and root name servers. We have policies for those. All other Micro-Allocations boil down to inventing PI in one region only.
3) these kinds of policy changes should occur on a different level, like global-v6 mailing list and/or the IETF, not just one RIR.
Yep. But still I think that something needs to be done... Gert Doering -- NetMaster -- Total number of prefixes smaller than registry allocations: 54495 (54267) SpaceNet AG Mail: netmaster@Space.Net Joseph-Dollinger-Bogen 14 Tel : +49-89-32356-0 80807 Muenchen Fax : +49-89-32356-299
% 1) waiving 200 /48 assignments could enable any 1-person consulting
% business with 1 customer to get a /32

that might be an issue.

% 2) micro-allocations are useless unless they're routed, and there is no
% community consensus that they're the right thing to do at the moment.

routed to whom? I may have no desire to have you hear my routes

% 3) these kinds of policy changes should occur on a different level, like
% global-v6 mailing list and/or the IETF, not just one RIR.

there is this fundamental logic flaw that there is a single global routing system. there is not and never has been.

--bill

Opinions expressed may not even be mine by the time you read them, and certainly don't reflect those of any other entity (legal or otherwise).
On Mon, May 12, 2003 at 11:40:30AM +0300, Pekka Savola wrote:
There is a danger that this uncoordinated madness will spread. There has been a proposal to extend the microallocation policy, but luckily enough it has been shot down.
Indeed. There is a danger that once some exceptions are made, others will follow... Tim
On Mon, 12 May 2003, Tim Chown wrote:
On Mon, May 12, 2003 at 11:40:30AM +0300, Pekka Savola wrote:
There is a danger that this uncoordinated madness will spread. There has been a proposal to extend the microallocation policy, but luckily enough it has been shot down.
Indeed. There is a danger that once some exceptions are made, others will follow...
Tim
I don't think that an exception should be made for microallocations at all. To paraphrase what ARIN says, there is no guarantee that address space that they assign will be globally routable. --- John Fraizer | High-Security Datacenter Services | President | Dedicated circuits 64k - 155M OC3 | EnterZone, Inc | Virtual, Dedicated, Colocation | http://www.enterzone.net/ | Network Consulting Services |
John Fraizer wrote:
I don't think that an exception should be made for microallocations at all. To paraphrase what ARIN says, there is no guarantee that address space that they assign will be globally routable.
You should note that that also goes for the rest of the allocations. 69/8 in IPv4 anyone ? :) If an ISP decides to filter it's their choice, it is also their network and their money (and isn't that what it is all about?) That's why it's also good that Gert notified us of this change. Let's hope rpslng will come soon and that everybody in IPv6 uses it correctly, that will be a big step forward for changes like these. Greets, Jeroen
On Tue, 13 May 2003, Jeroen Massar wrote:
John Fraizer wrote:
I don't think that an exception should be made for microallocations at all. To paraphrase what ARIN says, there is no guarantee that address space that they assign will be globally routable.
You should note that that also goes for the rest of the allocations. 69/8 in IPv4 anyone ? :)
The allocations I have seen have problems out of 69/8 were not micro-allocations. They were /19's and /18's. I'm sure that there are a few /20's in there with a token /24 perhaps but, the ones I have knowledge of were _real_ allocations and not micro-allocations. The issue of reachability of those allocations was brought on NOT by people being filtered based on prefix length but because so many people were using outdated BOGON filters - filters that would have even blocked 69.0.0.0/8 had it been announced.
If an ISP decides to filter it's their choice, it is also their network and their money (and isn't that what it is all about?)
How about this: If an ISP sees what a pile of crap the IPv4 tables have become and filters responsibly in v6, despite non-responsible allocations made by ARIN, I would tend to look at it as a responsible community member telling an irresponsible community member that we don't want IPv6 SWAMP space and the routing table bloat that it will lead to.
That's why it's also good that Gert notified us of this change. Let's hope rpslng will come soon and that everybody in IPv6 uses it correctly, that will be a big step forward for changes like these.
And I agree. It was nice that Gert notified us of the change. I am still not opening up my filters for those prefixes though. --- John Fraizer | High-Security Datacenter Services | President | Dedicated circuits 64k - 155M OC3 | EnterZone, Inc | Virtual, Dedicated, Colocation | http://www.enterzone.net/ | Network Consulting Services |
On tisdag, maj 13, 2003, at 17:42 Europe/Stockholm, Jeroen Massar wrote:
Let's hope rpslng will come soon and that everybody in IPv6 uses it correctly, that will be a big step forward for changes like these.
Maybe we could start with RPSL for IPv4 first.... - kurtis -
participants (7): Bill Manning, Gert Doering, Jeroen Massar, John Fraizer, Kurt Erik Lindqvist, Pekka Savola, Tim Chown