RE: Why Scopes? (was: Re: [saad] About saad)

"Michel Py" <michel@arneill-py.sacramento.ca.us> Fri, 17 October 2003 21:35 UTC

Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA25514 for <saad-archive@odin.ietf.org>; Fri, 17 Oct 2003 17:35:23 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AAcFT-0004GX-Ue for saad-archive@odin.ietf.org; Fri, 17 Oct 2003 17:35:04 -0400
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id h9HLZ3O2016397 for saad-archive@odin.ietf.org; Fri, 17 Oct 2003 17:35:03 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AAcFT-0004GO-JT for saad-web-archive@optimus.ietf.org; Fri, 17 Oct 2003 17:35:03 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA25496 for <saad-web-archive@ietf.org>; Fri, 17 Oct 2003 17:34:52 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1AAcFR-0001tQ-00 for saad-web-archive@ietf.org; Fri, 17 Oct 2003 17:35:01 -0400
Received: from ietf.org ([132.151.1.19] helo=optimus.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 1AAcFQ-0001tN-00 for saad-web-archive@ietf.org; Fri, 17 Oct 2003 17:35:00 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AAcFR-0004Fy-UV; Fri, 17 Oct 2003 17:35:01 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AAcEg-0004Ey-RT for saad@optimus.ietf.org; Fri, 17 Oct 2003 17:34:14 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA25464 for <saad@ietf.org>; Fri, 17 Oct 2003 17:34:03 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1AAcEe-0001sW-00 for saad@ietf.org; Fri, 17 Oct 2003 17:34:12 -0400
Received: from adsl-209-233-126-65.dsl.scrm01.pacbell.net ([209.233.126.65] helo=arneill-py.sacramento.ca.us) by ietf-mx with esmtp (Exim 4.12) id 1AAcEc-0001rp-00 for saad@ietf.org; Fri, 17 Oct 2003 17:34:10 -0400
Content-class: urn:content-classes:message
Subject: RE: Why Scopes? (was: Re: [saad] About saad)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Date: Fri, 17 Oct 2003 14:33:39 -0700
Content-Transfer-Encoding: quoted-printable
Message-ID: <DD7FE473A8C3C245ADA2A2FE1709D90B06C66A@server2003.arneill-py.sacramento.ca.us>
X-MimeOLE: Produced By Microsoft Exchange V6.5.6944.0
Thread-Topic: Why Scopes? (was: Re: [saad] About saad)
thread-index: AcOU0e+VBggjjp1nT2y8ylRc4UCEwgAAragg
From: "Michel Py" <michel@arneill-py.sacramento.ca.us>
To: "James Kempf" <kempf@docomolabs-usa.com>
Cc: <saad@ietf.org>
Content-Transfer-Encoding: quoted-printable
Sender: saad-admin@ietf.org
Errors-To: saad-admin@ietf.org
X-BeenThere: saad@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/saad>, <mailto:saad-request@ietf.org?subject=unsubscribe>
List-Id: Scope Addressing Architecture Discussion <saad.ietf.org>
List-Post: <mailto:saad@ietf.org>
List-Help: <mailto:saad-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/saad>, <mailto:saad-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: quoted-printable
Content-Transfer-Encoding: quoted-printable

James,

> James Kempf wrote:
> One of the things I'd like to see is a list of why people
> use scoped addresses (RFC 1918) in IPv4.

I have some text about this, see below.

Note: in the text below, the reason I state that some reasons are
actually non-reasons is because the motive behind the use of scoped
addresses (RFC1918) is _not_ their scoping but some other property of
RFC1918 addresses or because the motive is a by-product of some other
thing that results in RFC1918 addresses being used.



Non-reason #1: "lots of addresses for free".
--------------------------------------------
This is why people have moved to NAT, not why people have moved to
RFC1918; the multiplication of addresses is a feature of NAT, and the
use of RFC1918 in this situation is only a by-product of the use of NAT
because it just happens that RFC1918 addresses are the best choice to
put behind NAT (compared to hijacking a random prefix).

It is generally believed that if we do see IPv6 NAT, it will not be
because of address scarcity nor because ISPs would charge for a /48.
Similar to the reason "lots of addresses for free" is not why people use
RFC1918 (NAT is the reason), price, scarcity or unavailability of IPv6
PA addresses is likely not why people would want to use IPv6 scoped
addresses.



Non-reason #2: Cheap alternative to PI/portable addresses.
----------------------------------------------------------
I have _tons_ of customers that have no problem whatsoever obtaining
enough PA addresses for their needs. They won't get extra ones, but they
will get enough. Although it is true that for the home market obtaining
more than one static address is some extra money that could be spent on
something else, it is a non-existent issue for businesses; PA addresses
are typically good enough for home use.

For small businesses that get low grade connectivity such as DSL, $20/mo
or $50/mo to get a /27 or a /26 is insignificant. For larger business
that get T1 and above connectivity, enough PA IPv4 addresses are
typically part of the deal with the ISP.

So for businesses there are enough addresses, but these addresses are
not PI. In this situation, people use RFC1918 addresses because they are
portable, not because they are scoped. Here again the real reason is
NAT. The main driving force behind this is cost of renumbering is so
high that it offsets by far the annoyances of NAT; besides most
enterprises use a combination of public and private addresses.
Conservation of address space is here nothing more than an added bonus
of NAT, because businesses might not request as many public addresses as
they would have if they were not using NAT.



Security/isolation/defense-in-depth.
------------------------------------
This is a non-reason for the home market and a valid one for the
business/enterprise.

For the home market: besides having more addresses (described above)
what the home user likes is the security provided by RFC1918 addresses.
Why do RFC1918 addresses provide security? Because they are not publicly
routable, so using those mandates NAT, which does provide a basic
firewall.

In this case, scoping == not-publicly-routable. So, the home market uses
RFC1918 not because of their scope but because of the property they have
being not-publicly-routable, which means NAT, which means basic
firewall. Security could be provided with a non-NAT firewall, but since
NAT is already there because the home user wants multiple addresses and
the cheapest available firewall is a NAT box anyway, NAT it is.

For the business/enterprise is where scoping comes to a use. In this
case, scoping != not-publicly-routable. There are perfectly valid uses
for publicly routable but nevertheless scoped addresses. In this
environment, the use of RFC1918 addresses provides both a fail-safe
against firewall/access-list SNAFUs, and a supplemental annoyance for
hackers. None of these are miracles, but are part of defense-in-depth
strategies and are palatable to the taste of the experienced enterprise
operators that do not like to have all the eggs in the same basket.
Also, network administrators like the comfort of this big 10/8 block.


In short: why do people use scoped (RFC1918) addresses?
-------------------------------------------------------
Home users:
It has nothing to do with scoping and everything to do with NAT. The
home user wants a) more addresses for free and b) a basic firewall, both
of which are features of NAT not scoping. Usage of RFC1918 address is
only a by-product of NAT.

Business/enterprise:
Part of it has nothing to do with scoping either. The #1 reason behind
using RFC1918 in a business environment is independence from the ISP /
easy renumbering.
The other part of it is where scoping takes place: automatic/fail-safe
access control (to be used in combination with manually configured
security) and an extra annoyance for the hacker (needs to tunnel out on
top of hacking).


How does this apply to IPv6?

Home users:
The number of address is solved. What is left to provide is a basic
firewall.
This brings the question whether or not this basic firewall should be a
feature of scoping or not. IMHO, these are two different topics, and
home usage does not care about scoping.

Business/enterprise:
There is a need for scoping that is currently not fulfilled. This is the
same concept as IPv4 RFC1918 address, except that the reason for
non-global-routability should be the scoping mechanism opposed to
ambiguity for IPv4. 

Note that there also is a need for a PI equivalent that is not fulfilled
either and the lack of it leads us directly to NATv6.



> Clearly, NATs are popular in IPv4 for reasons other than lack
> of address space, and simply condemning them as evil or even
> arguing against them without understanding why people want
> them isn't likely to result in a usable technical solution,
> and probably won't persuade people to stop using them anyway.

Indeed; I hope the analysis above helps to clarify this.

Michel.


_______________________________________________
Saad mailing list
Saad@ietf.org
https://www1.ietf.org/mailman/listinfo/saad