IETF Logo Mail Archive

Re: [GROW] WGLC: draft-ietf-grow-private-ip-sp-cores

Anthony Kirkham <tkirkham@anthony-kirkham.com> Sun, 17 June 2012 04:39 UTC

Return-Path: <tkirkham@anthony-kirkham.com>
X-Original-To: grow@ietfa.amsl.com
Delivered-To: grow@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D15211E808A for <grow@ietfa.amsl.com>; Sat, 16 Jun 2012 21:39:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_15=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tvyTOVi9yGOY for <grow@ietfa.amsl.com>; Sat, 16 Jun 2012 21:39:13 -0700 (PDT)
Received: from nskntmtas03p.mx.bigpond.com (nskntmtas03p.mx.bigpond.com [61.9.168.143]) by ietfa.amsl.com (Postfix) with ESMTP id 30B0211E8088 for <grow@ietf.org>; Sat, 16 Jun 2012 21:39:12 -0700 (PDT)
Received: from nskntcmgw06p ([61.9.169.166]) by nskntmtas03p.mx.bigpond.com with ESMTP id <20120617043911.YOJN10464.nskntmtas03p.mx.bigpond.com@nskntcmgw06p>; Sun, 17 Jun 2012 04:39:11 +0000
Received: from Anthonys-MacBook-Pro.local ([124.185.157.18]) by nskntcmgw06p with BigPond Outbound id PGf61j00A0Q5xN401Gf7YH; Sun, 17 Jun 2012 04:39:11 +0000
X-Authority-Analysis: v=2.0 cv=MaHuSuDf c=1 sm=1 a=0VFf0P/YIxcxI/RgN+hXcA==:17 a=_1pLAPWVdgkA:10 a=5guEdk2PV24A:10 a=Ib5BsLsVyy8A:10 a=bVeADsv9IVkA:10 a=xR3Tfk4wAAAA:8 a=J_N6KFswAAAA:8 a=48vgC7mUAAAA:8 a=pGLkceISAAAA:8 a=W0TSPLbk8_8ecOe9HjYA:9 a=wPNLvfGTeEIA:10 a=XXhtLnmuZa8A:10 a=Pwbduc0PQ3sA:10 a=lZB815dzVvQA:10 a=MSl-tDqOz04A:10 a=DOA9UqtVIb8eiSIH:21 a=h2kJ-wAunyB7OuFJ:21 a=DRcdMcqMgZ9gEA3QyN8A:9 a=_W_S_7VecoQA:10 a=tXsnliwV7b4A:10 a=PKL3fjCvJOY_0fiD:21 a=sLg3YFiUJi1NeDKj:21 a=0VFf0P/YIxcxI/RgN+hXcA==:117
Message-ID: <4FDD5F69.3000009@anthony-kirkham.com>
Date: Sun, 17 Jun 2012 14:39:05 +1000
From: Anthony Kirkham <tkirkham@anthony-kirkham.com>
Organization: Anthony-Kirkham.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:12.0) Gecko/20120428 Thunderbird/12.0.1
MIME-Version: 1.0
To: Tony Tauber <ttauber@1-4-5.net>, "Smith, Donald" <Donald.Smith@centurylink.com>
References: <CAL9jLabADdWCwDhBdaBJ4fVdk9a=OeJQYFQM4Z_+-P56cVWftw@mail.gmail.com> <01e301cd4580$208f3900$4001a8c0@gateway.2wire.net> <B01905DA0C7CDC478F42870679DF0F101105C4C714@qtdenexmbm24.AD.QINTRA.COM> <4FD8726A.6040509@anthony-kirkham.com> <CAGQUKceQo3neZB7TTvCHK9hkM41ftNJaHx4dRXsVuYjhJa+5eQ@mail.gmail.com>
In-Reply-To: <CAGQUKceQo3neZB7TTvCHK9hkM41ftNJaHx4dRXsVuYjhJa+5eQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------090301080804040007090404"
Cc: "grow@ietf.org" <grow@ietf.org>, "grow-chairs@tools.ietf.org" <grow-chairs@tools.ietf.org>
Subject: Re: [GROW] WGLC: draft-ietf-grow-private-ip-sp-cores
X-BeenThere: grow@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: tkirkham@anthony-kirkham.com
List-Id: Grow Working Group Mailing List <grow.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/grow>, <mailto:grow-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/grow>
List-Post: <mailto:grow@ietf.org>
List-Help: <mailto:grow-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/grow>, <mailto:grow-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Jun 2012 04:39:16 -0000

Tony and Donald,

What say If I change the wording on squat space from:

"The practice of ISPs using 'stolen' address space (also known as 
'squat' space) has many of the same issues (or effects) as that of using 
private IP address space within core networks.", plus some additional

  to:

"The practice of ISPs using 'stolen' address space (also known as 
'squat' space) has many of the same, plus some additional issues (or 
effects) as that of using private IP address space within core networks."

Regards
Tony K



On 13/06/12 10:27 PM, Tony Tauber wrote:
> Using squat/stolen space will mean ICMP messages from the SP core 
> wouldn't be able to reach the legitimate address holder's network but 
> neither would traffic of the customers of that SP.  I don't believe 
> that the same is true of "private" space; so there are actually _more_ 
> problems with the "squat" approach.
>
> In general, big fan, support publication.
>
> Thanks,
>
> Tony T.
>
> On Wed, Jun 13, 2012 at 6:58 AM, Anthony Kirkham 
> <tkirkham@anthony-kirkham.com <mailto:tkirkham@anthony-kirkham.com>> 
> wrote:
>
>     Donald,
>
>     Thanks for the review, I plan to do another update in the next few
>     days, I'm just waiting to see if any further feedback arrives.
>
>     A couple of specific comments:
>
>     re - squat space. The intent was not to make recommendations on
>     the practice, just to document the effects.
>
>     re - 5. Unexpected interactions with some NAT implementations:
>     What you say is exactly what I intended to illustrate. I will
>     update the wording so its clear I'm not talking about a routing loop.
>
>     Regards
>     Tony K
>
>
>     On 9/06/12 7:17 AM, Smith, Donald wrote:
>
>         There is a mention of "squat" space that doesn't make any
>         recommendations as to use or not.
>
>         I can understand not expressing an opinion on the
>         rfc1918/private space shouldn't this state that squating is bad?
>         "This effect in itself is often not a problem.  However, if anti-
>            spoofing controls are applied at network perimeters, then
>         responses
>            returned from hops with private IP addresses will be dropped."
>
>         Any rfc1918 filtering mechinisim will cause this issue not
>         just bcp38 type anti-spoofing.
>         Firewalls, junipers and many platforms drop rfc1918 space but
>         not as part of bcp38 .
>         BTW BCP84 ala rfc3704 is an update/addition to bcp38 you
>         should probably add them to this reference.
>
>
>         And for consistecy I recommend using an expression such as
>         "any rfc1918 or bogon filtering..."
>
>         Under section 4 the author says urpf or ingress filtering.
>         "If the router's interface address is a
>            private IP address, then this ICMP reply packet may be
>         discarded due
>            to uRPF or ingress filtering, thereby causing the PMTUD
>         mechanism to
>            fail."
>
>         Under
>         5. Unexpected interactions with some NAT implementations
>         The first section works. As stated it might confuse someone
>         but honestly unless the 4th hop also matches the 2 hop it
>         doesn't look like a routing loop to me. It looks like rfc1918
>         reuse.
>
>
>         Type escape sequence to abort.
>            Tracing the route to 198.51.100.100
>
>              1 10.1.1.2 0 msec 0 msec 0 msec
>              2 198.51.100.13 0 msec 4 msec 0 msec
>         3 10.1.1.2 0 <tel:3%2010.1.1.2%200> msec 4 msec 0 msec<<<<
>         4 198.51.100.5 <tel:4%20198.51.100.5> 4 msec 0 msec 4 msec
>         5 198.51.100.1 <tel:5%20198.51.100.1> 0 msec 0 msec 0 msec
>
>         Section 6 references rfc2827 should probably include bcp84 and
>         rfc3704.
>
>         Your first example of a security gap is really a no worse if
>         you use private or public addresss but you call that out so I
>         am ok with it.
>
>         NIT
>         This:
>         Some applications discover the outside address of
>            their local CPE to determine if that address is reserver
>         for special
>            use.
>         Should be this:
>         Some applications discover the outside address of
>            their local CPE to determine if that address is reserved
>         for special
>            use.
>
>
>         When packets collide the controllers cease transmission AND
>         wait a random time before retransmission (mostly)!
>         Donald.Smith@CenturyLink.com
>
>
>             -----Original Message-----
>             From: grow-bounces@ietf.org <mailto:grow-bounces@ietf.org>
>             [mailto:grow-bounces@ietf.org
>             <mailto:grow-bounces@ietf.org>] On Behalf Of
>             t.petch
>             Sent: Friday, June 08, 2012 8:06 AM
>             To: Christopher Morrow; grow-chairs@tools.ietf.org
>             <mailto:grow-chairs@tools.ietf.org>; grow@ietf.org
>             <mailto:grow@ietf.org>
>             Subject: Re: [GROW] WGLC: draft-ietf-grow-private-ip-sp-cores
>
>             I would like to see this published as an RFC.
>
>             The only discussion I see whether or not the title of 12.2
>             should have
>             an initial capital - I think that it should.
>
>             Tom Petch
>
>             ----- Original Message -----
>             From: "Christopher Morrow"<christopher.morrow@gmail.com
>             <mailto:christopher.morrow@gmail.com>>
>             To:<grow-chairs@tools.ietf.org
>             <mailto:grow-chairs@tools.ietf.org>>;<grow@ietf.org
>             <mailto:grow@ietf.org>>
>             Sent: Tuesday, June 05, 2012 7:41 PM
>
>                 Folks,
>                 There's been work on the draft:
>                 <http://tools.ietf.org/html/draft-ietf-grow-private-ip-sp-cores>
>
>                 I think the commenters' comments were addressed by the
>                 authors.
>                 Can we move this to WGLC now and clear that 6/19/2012
>                 (June 19,
>
>             2012).
>
>                 Abstract of the draft:
>                   "The purpose of this document is to provide a
>                 discussion of the
>                    potential problems of using private, RFC1918, or
>                 non-globally-
>                    routable addressing within the core of an SP
>                 network.  The
>
>             discussion
>
>                    focuses on link addresses and to a small extent
>                 loopback
>
>             addresses.
>
>                    While many of the issues are well recognised within
>                 the ISP
>                    community, there appears to be no document that
>                 collectively
>                    describes the issues."
>
>                 Could there be some discussion on WGLC and  we'll see
>                 about  moving
>                 this along to the IESG?
>
>                 -chris
>                 _______________________________________________
>                 GROW mailing list
>                 GROW@ietf.org <mailto:GROW@ietf.org>
>                 https://www.ietf.org/mailman/listinfo/grow
>
>
>             _______________________________________________
>             GROW mailing list
>             GROW@ietf.org <mailto:GROW@ietf.org>
>             https://www.ietf.org/mailman/listinfo/grow
>
>         This communication is the property of CenturyLink and may
>         contain confidential or privileged information. Unauthorized
>         use of this communication is strictly
>         prohibited and may be unlawful.  If you have received this
>         communication
>         in error, please immediately notify the sender by reply e-mail
>         and destroy
>         all copies of the communication and any attachments.
>         _______________________________________________
>         GROW mailing list
>         GROW@ietf.org <mailto:GROW@ietf.org>
>         https://www.ietf.org/mailman/listinfo/grow
>
>
>
>
>     -- 
>
>
>     _______________________________________________
>     GROW mailing list
>     GROW@ietf.org <mailto:GROW@ietf.org>
>     https://www.ietf.org/mailman/listinfo/grow
>
>


--

v2.23.0 | Report a Bug | By Email