RE: Why Scopes? (was: Re: [saad] About saad)
"Michel Py" <michel@arneill-py.sacramento.ca.us> Fri, 17 October 2003 21:35 UTC
Subject: RE: Why Scopes? (was: Re: [saad] About saad)
Date: Fri, 17 Oct 2003 14:33:39 -0700
From: Michel Py <michel@arneill-py.sacramento.ca.us>
To: James Kempf <kempf@docomolabs-usa.com>
Cc: saad@ietf.org
James,

> James Kempf wrote:
> One of the things I'd like to see is a list of why people
> use scoped addresses (RFC 1918) in IPv4.

I have some text about this, see below. Note: in the text below, the reason I state that some reasons are actually non-reasons is because the motive behind the use of scoped addresses (RFC1918) is _not_ their scoping but some other property of RFC1918 addresses, or because the motive is a by-product of some other thing that results in RFC1918 addresses being used.

Non-reason #1: "lots of addresses for free".
--------------------------------------------

This is why people have moved to NAT, not why people have moved to RFC1918; the multiplication of addresses is a feature of NAT, and the use of RFC1918 in this situation is only a by-product of the use of NAT, because it just happens that RFC1918 addresses are the best choice to put behind NAT (compared to hijacking a random prefix).

It is generally believed that if we do see IPv6 NAT, it will not be because of address scarcity nor because ISPs would charge for a /48. Similar to the way "lots of addresses for free" is not why people use RFC1918 (NAT is the reason), price, scarcity or unavailability of IPv6 PA addresses is likely not why people would want to use IPv6 scoped addresses.

Non-reason #2: Cheap alternative to PI/portable addresses.
----------------------------------------------------------

I have _tons_ of customers that have no problem whatsoever obtaining enough PA addresses for their needs. They won't get extra ones, but they will get enough. Although it is true that for the home market obtaining more than one static address is some extra money that could be spent on something else, it is a non-existent issue for businesses; PA addresses are typically good enough for home use. For small businesses that get low-grade connectivity such as DSL, $20/mo or $50/mo to get a /27 or a /26 is insignificant.
For larger businesses that get T1 and above connectivity, enough PA IPv4 addresses are typically part of the deal with the ISP. So for businesses there are enough addresses, but these addresses are not PI. In this situation, people use RFC1918 addresses because they are portable, not because they are scoped. Here again the real reason is NAT. The main driving force behind this is that the cost of renumbering is so high that it offsets by far the annoyances of NAT; besides, most enterprises use a combination of public and private addresses. Conservation of address space is here nothing more than an added bonus of NAT, because businesses might not request as many public addresses as they would have if they were not using NAT.

Security/isolation/defense-in-depth.
------------------------------------

This is a non-reason for the home market and a valid one for the business/enterprise.

For the home market: besides having more addresses (described above), what the home user likes is the security provided by RFC1918 addresses. Why do RFC1918 addresses provide security? Because they are not publicly routable, so using those mandates NAT, which does provide a basic firewall. In this case, scoping == not-publicly-routable. So, the home market uses RFC1918 not because of their scope but because of the property they have of being not-publicly-routable, which means NAT, which means basic firewall. Security could be provided with a non-NAT firewall, but since NAT is already there because the home user wants multiple addresses, and the cheapest available firewall is a NAT box anyway, NAT it is.

The business/enterprise is where scoping comes into use. In this case, scoping != not-publicly-routable. There are perfectly valid uses for publicly routable but nevertheless scoped addresses. In this environment, the use of RFC1918 addresses provides both a fail-safe against firewall/access-list SNAFUs, and a supplemental annoyance for hackers.
None of these are miracles, but they are part of defense-in-depth strategies and are palatable to the taste of the experienced enterprise operators that do not like to have all the eggs in the same basket. Also, network administrators like the comfort of this big 10/8 block.

In short: why do people use scoped (RFC1918) addresses?
-------------------------------------------------------

Home users: It has nothing to do with scoping and everything to do with NAT. The home user wants a) more addresses for free and b) a basic firewall, both of which are features of NAT, not scoping. Usage of RFC1918 addresses is only a by-product of NAT.

Business/enterprise: Part of it has nothing to do with scoping either. The #1 reason behind using RFC1918 in a business environment is independence from the ISP / easy renumbering. The other part of it is where scoping takes place: automatic/fail-safe access control (to be used in combination with manually configured security) and an extra annoyance for the hacker (needs to tunnel out on top of hacking).

How does this apply to IPv6?

Home users: The number of addresses is solved. What is left to provide is a basic firewall. This brings the question of whether or not this basic firewall should be a feature of scoping. IMHO, these are two different topics, and home usage does not care about scoping.

Business/enterprise: There is a need for scoping that is currently not fulfilled. This is the same concept as IPv4 RFC1918 addresses, except that the reason for non-global-routability should be the scoping mechanism, as opposed to ambiguity for IPv4. Note that there also is a need for a PI equivalent that is not fulfilled either, and the lack of it leads us directly to NATv6.
> Clearly, NATs are popular in IPv4 for reasons other than lack
> of address space, and simply condemning them as evil or even
> arguing against them without understanding why people want
> them isn't likely to result in a usable technical solution,
> and probably won't persuade people to stop using them anyway.

Indeed; I hope the analysis above helps to clarify this.

Michel.
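The "fail-safe against firewall/access-list SNAFUs" argument in the message above can be made concrete with a small model. The following is an added example, not part of Michel Py's message or of any IETF document: it treats reachability of an enterprise host from the Internet as two independent gates, the configured access list and the fact that RFC1918 prefixes are not carried on the public Internet, and audits a constructed border ACL whose final line was mistyped as "permit any any". The ACL format, the hosts and the prefixes used are all constructed for the example; the documentation ranges 192.0.2.0/24 and 198.51.100.0/24 stand in for real global addresses.

```python
# Added example (not from the mailing-list message): a toy model of the
# "fail-safe against firewall/access-list SNAFUs" argument. A host behind the
# enterprise border is reachable from the Internet only if BOTH gates pass:
# the configured access list permits the flow, AND the destination prefix is
# one the public Internet actually carries. RFC1918 space fails the second
# gate no matter what the access list says.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# RFC 1918 private address space.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Other IPv4 space that is never carried on the public Internet (not an
# exhaustive list of special-purpose prefixes; enough for this example).
OTHER_NON_GLOBAL = [
    ip_network(n) for n in ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")
]


def scope(addr: str) -> str:
    """Classify an IPv4 address as 'rfc1918', 'non-global' or 'global'.

    The documentation ranges used as sample data below are treated as
    'global' here, since they stand in for real public addresses.
    """
    ip = ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if any(ip in net for net in OTHER_NON_GLOBAL):
        return "non-global"
    return "global"


@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network


def acl_permits(acl: list[AclEntry], src: IPv4Address, dst: IPv4Address) -> bool:
    """First-match access-list evaluation with an implicit deny at the end."""
    for entry in acl:
        if src in entry.src and dst in entry.dst:
            return entry.action == "permit"
    return False


def reachable_from_internet(acl: list[AclEntry], src: str, dst: str) -> bool:
    """True only if the ACL permits the flow AND the destination is globally routed."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    return acl_permits(acl, src_ip, dst_ip) and scope(dst) == "global"


# Constructed sample: a border access list whose last line was meant to be
# "deny any any" but was mistyped as "permit any any" (the SNAFU) ...
SNAFU_ACL = [
    AclEntry("permit", ip_network("0.0.0.0/0"), ip_network("192.0.2.0/24")),  # public DMZ
    AclEntry("permit", ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0")),     # the mistake
]
# ... and the same list as the operator intended it.
CORRECTED_ACL = [
    AclEntry("permit", ip_network("0.0.0.0/0"), ip_network("192.0.2.0/24")),
    AclEntry("deny", ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0")),
]


def audit(acl: list[AclEntry]) -> dict[str, tuple[bool, bool]]:
    """For each constructed destination, return (ACL permits?, actually reachable?).

    Constructed hosts: 198.51.100.7 plays an arbitrary Internet host,
    192.0.2.10 a public DMZ server, and 10.1.2.3 / 192.168.50.9 internal
    servers on RFC1918 space.
    """
    internet_host = "198.51.100.7"
    results = {}
    for dst in ("192.0.2.10", "10.1.2.3", "192.168.50.9"):
        permits = acl_permits(acl, ip_address(internet_host), ip_address(dst))
        results[dst] = (permits, reachable_from_internet(acl, internet_host, dst))
    return results


if __name__ == "__main__":
    for name, acl in (("SNAFU_ACL", SNAFU_ACL), ("CORRECTED_ACL", CORRECTED_ACL)):
        print(name)
        for dst, (permits, reachable) in audit(acl).items():
            print(f"  {dst:14} scope={scope(dst):10} acl_permits={permits!s:5} reachable={reachable}")
```

With the mistyped list, the audit shows the ACL permitting traffic to the internal 10.1.2.3 and 192.168.50.9 hosts, yet `reachable_from_internet` still returns False for them because the second gate (non-global-routability) holds; only the DMZ server on public space is exposed by the mistake. With the corrected list both gates agree. That is the "two independent gates" point of the message: the scoping property backs up the manually configured access control rather than replacing it.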