Re: Why Scopes? (was: Re: [saad] About saad)
Brian E Carpenter <brc@zurich.ibm.com> Mon, 20 October 2003 19:04 UTC
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA09595 for <saad-archive@odin.ietf.org>; Mon, 20 Oct 2003 15:04:23 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1ABfJz-0004uv-5L for saad-archive@odin.ietf.org; Mon, 20 Oct 2003 15:04:03 -0400
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id h9KJ43Lm018900 for saad-archive@odin.ietf.org; Mon, 20 Oct 2003 15:04:03 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1ABfJy-0004ul-VA for saad-web-archive@optimus.ietf.org; Mon, 20 Oct 2003 15:04:03 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA09426 for <saad-web-archive@ietf.org>; Mon, 20 Oct 2003 15:03:52 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1ABfJv-0003ga-00 for saad-web-archive@ietf.org; Mon, 20 Oct 2003 15:03:59 -0400
Received: from ietf.org ([132.151.1.19] helo=optimus.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 1ABfJv-0003gV-00 for saad-web-archive@ietf.org; Mon, 20 Oct 2003 15:03:59 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1ABfJx-0004sU-35; Mon, 20 Oct 2003 15:04:01 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1ABfJ6-0004Xd-Mv for saad@optimus.ietf.org; Mon, 20 Oct 2003 15:03:08 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA09219 for <saad@ietf.org>; Mon, 20 Oct 2003 15:02:58 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1ABfJ3-0003eR-00 for saad@ietf.org; Mon, 20 Oct 2003 15:03:05 -0400
Received: from d12lmsgate-5.de.ibm.com ([194.196.100.238] helo=d12lmsgate.de.ibm.com) by ietf-mx with esmtp (Exim 4.12) id 1ABfJ2-0003cl-00 for saad@ietf.org; Mon, 20 Oct 2003 15:03:04 -0400
Received: from d12relay01.megacenter.de.ibm.com (d12relay01.megacenter.de.ibm.com [9.149.165.180]) by d12lmsgate.de.ibm.com (8.12.10/8.12.8) with ESMTP id h9KJ0oNb047534; Mon, 20 Oct 2003 21:00:50 +0200
Received: from ochsehorn.zurich.ibm.com (ochsehorn.zurich.ibm.com [9.4.16.140]) by d12relay01.megacenter.de.ibm.com (8.12.9/NCO/VER6.6) with ESMTP id h9KJ0naA215434; Mon, 20 Oct 2003 21:00:49 +0200
Received: from zurich.ibm.com (sig-9-145-243-139.de.ibm.com [9.145.243.139]) by ochsehorn.zurich.ibm.com (AIX4.3/8.9.3p2/8.9.3) with ESMTP id VAA59880; Mon, 20 Oct 2003 21:00:34 +0200
Message-ID: <3F9430AA.275235C5@zurich.ibm.com>
Date: Mon, 20 Oct 2003 20:59:54 +0200
From: Brian E Carpenter <brc@zurich.ibm.com>
Organization: IBM
X-Mailer: Mozilla 4.79 [en] (Windows NT 5.0; U)
X-Accept-Language: en,fr,de
MIME-Version: 1.0
To: Michel Py <michel@arneill-py.sacramento.ca.us>
CC: James Kempf <kempf@docomolabs-usa.com>, saad@ietf.org
Subject: Re: Why Scopes? (was: Re: [saad] About saad)
References: <DD7FE473A8C3C245ADA2A2FE1709D90B06C66A@server2003.arneill-py.sacramento.ca.us>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
Sender: saad-admin@ietf.org
Errors-To: saad-admin@ietf.org
X-BeenThere: saad@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/saad>, <mailto:saad-request@ietf.org?subject=unsubscribe>
List-Id: Scope Addressing Architecture Discussion <saad.ietf.org>
List-Post: <mailto:saad@ietf.org>
List-Help: <mailto:saad-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/saad>, <mailto:saad-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
I think Michel is basically correct here. And I think that draft-hain-templin-ipv6-limitedrange-02.txt should be read at this point. Brian Michel Py wrote: > > James, > > > James Kempf wrote: > > One of the things I'd like to see is a list of why people > > use scoped addresses (RFC 1918) in IPv4. > > I have some text about this, see below. > > Note: in the text below, the reason I state that some reasons are > actually non-reasons is because the motive behind the use of scoped > addresses (RFC1918) is _not_ their scoping but some other property of > RFC1918 addresses or because the motive is a by-product of some other > thing that results in RFC1918 addresses being used. > > Non-reason #1: "lots of addresses for free". > -------------------------------------------- > This is why people have moved to NAT, not why people have moved to > RFC1918; the multiplication of addresses is a feature of NAT, and the > use of RFC1918 in this situation is only a by-product of the use of NAT > because it just happens that RFC1918 addresses are the best choice to > put behind NAT (compared to hijacking a random prefix). > > It is generally believed that if we do see IPv6 NAT, it will not be > because of address scarcity nor because ISPs would charge for a /48. > Similar to the reason "lots of addresses for free" is not why people use > RFC1918 (NAT is the reason), price, scarcity or unavailability of IPv6 > PA addresses is likely not why people would want to use IPv6 scoped > addresses. > > Non-reason #2: Cheap alternative to PI/portable addresses. > ---------------------------------------------------------- > I have _tons_ of customers that have no problem whatsoever obtaining > enough PA addresses for their needs. They won't get extra ones, but they > will get enough. Although it is true that for the home market obtaining > more than one static address is some extra money that could be spent on > something else, it is a non-existent issue for businesses; PA addresses > are typically good enough for home use. > > For small businesses that get low grade connectivity such as DSL, $20/mo > or $50/mo to get a /27 or a /26 is insignificant. For larger business > that get T1 and above connectivity, enough PA IPv4 addresses are > typically part of the deal with the ISP. > > So for businesses there are enough addresses, but these addresses are > not PI. In this situation, people use RFC1918 addresses because they are > portable, not because they are scoped. Here again the real reason is > NAT. The main driving force behind this is cost of renumbering is so > high that it offsets by far the annoyances of NAT; besides most > enterprises use a combination of public and private addresses. > Conservation of address space is here nothing more than an added bonus > of NAT, because businesses might not request as many public addresses as > they would have if they were not using NAT. > > Security/isolation/defense-in-depth. > ------------------------------------ > This is a non-reason for the home market and a valid one for the > business/enterprise. > > For the home market: besides having more addresses (described above) > what the home user likes is the security provided by RFC1918 addresses. > Why do RFC1918 addresses provide security? Because they are not publicly > routable, so using those mandates NAT, which does provide a basic > firewall. > > In this case, scoping == not-publicly-routable. So, the home market uses > RFC1918 not because of their scope but because of the property they have > being not-publicly-routable, which means NAT, which means basic > firewall. Security could be provided with a non-NAT firewall, but since > NAT is already there because the home user wants multiple addresses and > the cheapest available firewall is a NAT box anyway, NAT it is. > > For the business/enterprise is where scoping comes to a use. In this > case, scoping != not-publicly-routable. There are perfectly valid uses > for publicly routable but nevertheless scoped addresses. In this > environment, the use of RFC1918 addresses provides both a fail-safe > against firewall/access-list SNAFUs, and a supplemental annoyance for > hackers. None of these are miracles, but are part of defense-in-depth > strategies and are palatable to the taste of the experienced enterprise > operators that do not like to have all the eggs in the same basket. > Also, network administrators like the comfort of this big 10/8 block. > > In short: why do people use scoped (RFC1918) addresses? > ------------------------------------------------------- > Home users: > It has nothing to do with scoping and everything to do with NAT. The > home user wants a) more addresses for free and b) a basic firewall, both > of which are features of NAT not scoping. Usage of RFC1918 address is > only a by-product of NAT. > > Business/enterprise: > Part of it has nothing to do with scoping either. The #1 reason behind > using RFC1918 in a business environment is independence from the ISP / > easy renumbering. > The other part of it is where scoping takes place: automatic/fail-safe > access control (to be used in combination with manually configured > security) and an extra annoyance for the hacker (needs to tunnel out on > top of hacking). > > How does this apply to IPv6? > > Home users: > The number of address is solved. What is left to provide is a basic > firewall. > This brings the question whether or not this basic firewall should be a > feature of scoping or not. IMHO, these are two different topics, and > home usage does not care about scoping. > > Business/enterprise: > There is a need for scoping that is currently not fulfilled. This is the > same concept as IPv4 RFC1918 address, except that the reason for > non-global-routability should be the scoping mechanism opposed to > ambiguity for IPv4. > > Note that there also is a need for a PI equivalent that is not fulfilled > either and the lack of it leads us directly to NATv6. > > > Clearly, NATs are popular in IPv4 for reasons other than lack > > of address space, and simply condemning them as evil or even > > arguing against them without understanding why people want > > them isn't likely to result in a usable technical solution, > > and probably won't persuade people to stop using them anyway. > > Indeed; I hope the analysis above helps to clarify this. > > Michel. > > _______________________________________________ > Saad mailing list > Saad@ietf.org > https://www1.ietf.org/mailman/listinfo/saad -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Brian E Carpenter Distinguished Engineer, Internet Standards & Technology, IBM NEW ADDRESS <brc@zurich.ibm.com> PLEASE UPDATE ADDRESS BOOK _______________________________________________ Saad mailing list Saad@ietf.org https://www1.ietf.org/mailman/listinfo/saad
- RE: Why Scopes? (was: Re: [saad] About saad) Michel Py
- RE: Why Scopes? (was: Re: [saad] About saad) Michel Py
- Re: Why Scopes? (was: Re: [saad] About saad) J. Noel Chiappa
- Re: Why Scopes? (was: Re: [saad] About saad) Brian E Carpenter
- Re: Why Scopes? (was: Re: [saad] About saad) Ralph Droms
- RE: Why Scopes? (was: Re: [saad] About saad) Erik Nordmark
- RE: Why Scopes? (was: Re: [saad] About saad) Michel Py
- RE: Why Scopes? (was: Re: [saad] About saad) Erik Nordmark
- RE: Why Scopes? (was: Re: [saad] About saad) Michel Py