Re: Non routable IPv6 registry proposal

[Phillip Hallam-Baker <phill@hallambaker.com>]

On Thu, Jan 21, 2021 at 5:14 AM Nick Hilliard <nick@foobar.org> wrote:

> Phillip Hallam-Baker wrote on 21/01/2021 01:57:
> > People make waaaay too much out of the risks of running registries
>
> Yep they certainly do, until there's a registry failure, or even the
> threat of one. At that point, people often execute dramatic u-turns in
> their opinion, depending on how important the registry's function was to
> them.
>
> Nick
>

Has there ever been a proper consideration of the abstract security
concerns for a registry?

I rather suspect the closest we get is Warwick Ford et. al. writing the
Certificate Policy Statement RFC in PKIX which was largely based on Michael
Baum's practice statement for VRSN class 3. That is rather heavily PKI
focused and it is all based on a Kohnfelder PKI architecture and 1980s PKI
technology.

Perhaps we should ask how registries can go wrong. Or maybe we should ask
the IAB to consider this.I can think of a few problems:

Integrity
* Duplicate registrations
* Unauthorized registration modification
* Unpublished registrations
* Inappropriate semantic mapping

Availability
* Rent seeking
* Denial of service
* Coercion by government

What gets wrapped round the axle in DNS space is of course the semantic
mapping issues. DNS names have an obvious interpretation. There is the
natural assumption microsoft.com arrives at Microsoft Inc. Failure to
achieve that mapping correctly is actually a serious safety and security
issue as they provide the most popular desktop operating system. That is a
very complex issue and I am not in the least impressed by the way ICANN has
approached it.

ULAs are free of semantic binding, or at least the ones I propose to issue
will be.

OK so there is one 'risk' that perhaps should be mentioned openly because
it is likely the one of most concern to people, 'what are the unexpected
uses of these addresses' or 'what else is PHB planning he is not telling us
about'.

Well I really wished I knew myself because I can see several possibilities
but they are still a bit on the fuzzy side. I think I am going to have to
build a prototype before I can start to get a handle on those. But it is my
experience that getting the addressing right is the key to solving any
network protocol issue. URIs made the Web.

The registry concern that is rarely considered in IETF is what happens if
there is no registry? There are two possibilities:

1) Innovation is put on hold until the registry is created.
2) People just create their own code points

The second has occurred on countless occasions and sometimes between really
big companies. Every hard drive has a unique identifier which is actually
in the MAC address space. After asking nicely and getting the run-around,
the drive makers just allocated themselves 1/16th of the total MAC address
space.