Re: Why Scopes? (was: Re: [saad] About saad)

Brian E Carpenter <brc@zurich.ibm.com> Mon, 20 October 2003 19:04 UTC

Message-ID: <3F9430AA.275235C5@zurich.ibm.com>
Date: Mon, 20 Oct 2003 20:59:54 +0200
From: Brian E Carpenter <brc@zurich.ibm.com>
Organization: IBM
X-Mailer: Mozilla 4.79 [en] (Windows NT 5.0; U)
X-Accept-Language: en,fr,de
MIME-Version: 1.0
To: Michel Py <michel@arneill-py.sacramento.ca.us>
CC: James Kempf <kempf@docomolabs-usa.com>, saad@ietf.org
Subject: Re: Why Scopes? (was: Re: [saad] About saad)
References: <DD7FE473A8C3C245ADA2A2FE1709D90B06C66A@server2003.arneill-py.sacramento.ca.us>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: saad-admin@ietf.org
Errors-To: saad-admin@ietf.org
X-BeenThere: saad@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/saad>, <mailto:saad-request@ietf.org?subject=unsubscribe>
List-Id: Scope Addressing Architecture Discussion <saad.ietf.org>
List-Post: <mailto:saad@ietf.org>
List-Help: <mailto:saad-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/saad>, <mailto:saad-request@ietf.org?subject=subscribe>

I think Michel is basically correct here. And I think that
draft-hain-templin-ipv6-limitedrange-02.txt should be
read at this point.

   Brian

Michel Py wrote:
> 
> James,
> 
> > James Kempf wrote:
> > One of the things I'd like to see is a list of why people
> > use scoped addresses (RFC 1918) in IPv4.
> 
> I have some text about this, see below.
> 
> Note: in the text below, the reason I state that some reasons are
> actually non-reasons is because the motive behind the use of scoped
> addresses (RFC1918) is _not_ their scoping but some other property of
> RFC1918 addresses or because the motive is a by-product of some other
> thing that results in RFC1918 addresses being used.
> 
> Non-reason #1: "lots of addresses for free".
> --------------------------------------------
> This is why people have moved to NAT, not why people have moved to
> RFC1918; the multiplication of addresses is a feature of NAT, and the
> use of RFC1918 in this situation is only a by-product of the use of NAT
> because it just happens that RFC1918 addresses are the best choice to
> put behind NAT (compared to hijacking a random prefix).
> 
> It is generally believed that if we do see IPv6 NAT, it will not be
> because of address scarcity nor because ISPs would charge for a /48.
> Similar to the reason "lots of addresses for free" is not why people use
> RFC1918 (NAT is the reason), price, scarcity or unavailability of IPv6
> PA addresses is likely not why people would want to use IPv6 scoped
> addresses.
> 
> Non-reason #2: Cheap alternative to PI/portable addresses.
> ----------------------------------------------------------
> I have _tons_ of customers that have no problem whatsoever obtaining
> enough PA addresses for their needs. They won't get extra ones, but they
> will get enough. Although it is true that for the home market obtaining
> more than one static address is some extra money that could be spent on
> something else, it is a non-existent issue for businesses; PA addresses
> are typically good enough for home use.
> 
> For small businesses that get low grade connectivity such as DSL, $20/mo
> or $50/mo to get a /27 or a /26 is insignificant. For larger business
> that get T1 and above connectivity, enough PA IPv4 addresses are
> typically part of the deal with the ISP.
> 
> So for businesses there are enough addresses, but these addresses are
> not PI. In this situation, people use RFC1918 addresses because they are
> portable, not because they are scoped. Here again the real reason is
> NAT. The main driving force behind this is that the cost of renumbering is
> so high that it offsets by far the annoyances of NAT; besides, most
> enterprises use a combination of public and private addresses.
> Conservation of address space is here nothing more than an added bonus
> of NAT, because businesses might not request as many public addresses as
> they would have if they were not using NAT.
> 
> Security/isolation/defense-in-depth.
> ------------------------------------
> This is a non-reason for the home market and a valid one for the
> business/enterprise.
> 
> For the home market: besides having more addresses (described above)
> what the home user likes is the security provided by RFC1918 addresses.
> Why do RFC1918 addresses provide security? Because they are not publicly
> routable, so using those mandates NAT, which does provide a basic
> firewall.
> 
> In this case, scoping == not-publicly-routable. So, the home market uses
> RFC1918 not because of their scope but because of the property they have
> being not-publicly-routable, which means NAT, which means basic
> firewall. Security could be provided with a non-NAT firewall, but since
> NAT is already there because the home user wants multiple addresses and
> the cheapest available firewall is a NAT box anyway, NAT it is.
> 
> The business/enterprise is where scoping comes into use. In this
> case, scoping != not-publicly-routable. There are perfectly valid uses
> for publicly routable but nevertheless scoped addresses. In this
> environment, the use of RFC1918 addresses provides both a fail-safe
> against firewall/access-list SNAFUs, and a supplemental annoyance for
> hackers. None of these are miracles, but are part of defense-in-depth
> strategies and are palatable to the taste of experienced enterprise
> operators who do not like to have all their eggs in the same basket.
> Also, network administrators like the comfort of this big 10/8 block.
> 
> In short: why do people use scoped (RFC1918) addresses?
> -------------------------------------------------------
> Home users:
> It has nothing to do with scoping and everything to do with NAT. The
> home user wants a) more addresses for free and b) a basic firewall, both
> of which are features of NAT, not scoping. Usage of RFC1918 addresses is
> only a by-product of NAT.
> 
> Business/enterprise:
> Part of it has nothing to do with scoping either. The #1 reason behind
> using RFC1918 in a business environment is independence from the ISP /
> easy renumbering.
> The other part of it is where scoping takes place: automatic/fail-safe
> access control (to be used in combination with manually configured
> security) and an extra annoyance for the hacker (needs to tunnel out on
> top of hacking).
> 
> How does this apply to IPv6?
> 
> Home users:
> The number of addresses is solved. What is left to provide is a basic
> firewall.
> This brings the question whether or not this basic firewall should be a
> feature of scoping or not. IMHO, these are two different topics, and
> home usage does not care about scoping.
> 
> Business/enterprise:
> There is a need for scoping that is currently not fulfilled. This is the
> same concept as IPv4 RFC1918 addresses, except that the reason for
> non-global-routability should be the scoping mechanism, as opposed to
> ambiguity for IPv4.
> 
> Note that there also is a need for a PI equivalent that is not fulfilled
> either, and the lack of it leads us directly to NATv6.
> 
> > Clearly, NATs are popular in IPv4 for reasons other than lack
> > of address space, and simply condemning them as evil or even
> > arguing against them without understanding why people want
> > them isn't likely to result in a usable technical solution,
> > and probably won't persuade people to stop using them anyway.
> 
> Indeed; I hope the analysis above helps to clarify this.
> 
> Michel.
> 
> _______________________________________________
> Saad mailing list
> Saad@ietf.org
> https://www1.ietf.org/mailman/listinfo/saad

-- 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Brian E Carpenter 
Distinguished Engineer, Internet Standards & Technology, IBM 

NEW ADDRESS <brc@zurich.ibm.com> PLEASE UPDATE ADDRESS BOOK

_______________________________________________
Saad mailing list
Saad@ietf.org
https://www1.ietf.org/mailman/listinfo/saad
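The defense-in-depth argument in Michel's quoted text (RFC1918 addresses as a fail-safe behind a broken firewall/access-list, and the attacker having to "tunnel out" through NAT rather than connect in) can be shown with a small forwarding model. The code below is an added example and is not part of this thread or of any IETF document. The topology, documentation prefixes, ACLs and NAT port allocation are constructed for illustration; the IPv6 scoped ranges (link-local and ULA, RFC 4193) are an assumed analogue, since this 2003 thread predates ULA.

```python
"""Added example (not from the SAAD thread): why a non-globally-routable
destination is unreachable from the Internet even when the enterprise
edge ACL is misconfigured, and why an attacker must tunnel out via NAT.
Standard library only; all prefixes and names are constructed."""
import ipaddress

N = ipaddress.ip_network

# Scoped ranges: RFC 1918 for IPv4; link-local plus ULA assumed as the IPv6 analogue.
RFC1918 = [N(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV6_SCOPED = [N(p) for p in ("fe80::/10", "fc00::/7")]


def is_scoped(addr: str) -> bool:
    """True if addr lies in a prefix that is never carried in the global routing table."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in (RFC1918 if ip.version == 4 else IPV6_SCOPED))


def lpm(fib, dst: str):
    """Longest-prefix match over [(network, nexthop)]; None when no route exists."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net, nexthop in fib:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def acl_permits(acl, dst: str) -> bool:
    """First-match ACL with the implicit deny most routers apply at the end."""
    ip = ipaddress.ip_address(dst)
    for net, action in acl:
        if ip in net:
            return action == "permit"
    return False


# Constructed topology. The ISP's default-free table has no default route and,
# like the real DFZ, no entry for 10/8. The enterprise edge does have a default.
ISP_FIB = [(N("203.0.113.0/24"), "enterprise-edge"), (N("198.51.100.0/24"), "other-isp")]
EDGE_FIB = [
    (N("10.0.0.0/8"), "lan"),                 # RFC1918 hosts
    (N("203.0.113.0/25"), "dmz"),             # public-addressed DMZ
    (N("203.0.113.128/25"), "servers-public"),  # internal servers with public addresses
    (N("0.0.0.0/0"), "isp"),
]
CORRECT_ACL = [(N("203.0.113.0/25"), "permit")]   # only the DMZ is reachable from outside
BROKEN_ACL = [(N("0.0.0.0/0"), "permit")]         # the SNAFU: "permit ip any any"


def inbound(dst: str, acl) -> str:
    """Trace an Internet-originated packet: ISP forwarding, edge ACL, edge forwarding."""
    if lpm(ISP_FIB, dst) is None:
        return "dropped@isp:no-route"   # scoping bites before the ACL is ever consulted
    if not acl_permits(acl, dst):
        return "dropped@edge:acl"
    return "delivered:" + lpm(EDGE_FIB, dst)


# Outbound through NAT: the only way to reach an RFC1918 host is to be let out first.
NAT_PUBLIC = "203.0.113.1"


def outbound(nat_table: dict, src: str, sport: int, dst: str) -> str:
    """Inside host opens a flow; the edge rewrites the source and records the mapping."""
    if lpm(EDGE_FIB, dst) != "isp":
        return "local"
    public_port = 40000 + len(nat_table)   # constructed allocation, not a real NAT algorithm
    nat_table[(NAT_PUBLIC, public_port)] = (src, sport)
    nexthop = lpm(ISP_FIB, dst)
    return "delivered:" + nexthop if nexthop else "dropped@isp:no-route"


def reply(nat_table: dict, dst: str, dport: int) -> str:
    """Return traffic is admitted only if an inside host created the NAT state."""
    inside = nat_table.get((dst, dport))
    return "delivered:" + inside[0] if inside else "dropped@edge:no-nat-state"


if __name__ == "__main__":
    for host in ("10.1.2.3", "203.0.113.5", "203.0.113.200"):
        print(host, "scoped" if is_scoped(host) else "global",
              "broken-acl:", inbound(host, BROKEN_ACL),
              "correct-acl:", inbound(host, CORRECT_ACL))
    nat = {}
    print(outbound(nat, "10.1.2.3", 51234, "198.51.100.7"))
    print(reply(nat, NAT_PUBLIC, 40000), reply(nat, NAT_PUBLIC, 40001))
```

With the broken ACL, the public-addressed internal server is exposed while the 10/8 host is still dropped at the ISP, which is the "fail-safe" Michel refers to; the NAT table shows the corresponding cost for an attacker, who can only reach the inside host through state that the inside host itself created.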