Re: [GLOBAL-V6]The list of current Issues in IPv6 Policy
On Fri, 5 Sep 2003, Darrell Root wrote:
> > I think that it would be very interesting for the IETF discussion if
> > you could give a short explanation of this need (in a form that can
> > be discussed in public). One of the issues in the IETF debate is that
> > not everybody agrees that there is a real need for local addresses.
>
> I had a large lab request some v6 space this week. Their
> current v4 usage is about 1000 RFC1918 subnets, so I planned
> to allocate a /52 in v6.
>
> They specifically requested non-internet-routable space. This lab
> does (among other things) high bandwidth testing. Filling up
> gig links and such. If the lab accidentally gets connected to
> the production network, and they generate a 1gig stream
> with an internet-routable source address, the stream could
> follow the default route and possibly get passed to our ISP
> (I call this a "not-so-smartbits incident" ;-)
[...]
I'm not sure whether in the scenario you describe the labs should have no
general Internet connectivity at all ("truly isolated network"), or only
partial connectivity (hosts would also have global addresses).
In the first case, I don't think it should be possible to have the stream
pass to Internet anyway, as the part of the network is supposed to be
isolated. In the second case, I don't understand how you could prevent
the labs from hosing up by selecting the wrong addresses to be used for
the test traffic, and the traffic going out anyway.
But still, I think for this scenario to be realized, this would require that:
1) there were no filters at the lab's borders for these source addresses,
2) there were no filters at the lab's borders to preclude them connecting to any
other destination address than the ones the lab uses,
3) the destination address of the test is typoed or otherwise incorrect,
so that the traffic in fact uses the default route to get out, not one of
the local, more specific routes.
This seems like an extensive number of "buts". It's just not a single
protection you're getting around now, a single mistake to avoid. In
particular 1)-2) and 3) seem to be very independent of each other.
So, it seems to me that while perhaps useful, this case is not really a
requirement.
(I don't oppose addressing, but global addressing, which is just never
advertised in the Internet -- for "truly isolated" networks, but I'm quite
skeptical that there exists a large number of such networks these days.)
--
Pekka Savola
Netcore Oy
Systems. Networks. Security.
"You each name yourselves king, yet the kingdom bleeds."
-- George R.R. Martin: A Clash of Kings
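The three conditions Pekka lists (no source filter at the site's uplink, no destination filter at the lab's border, and a mistyped destination that falls through to the default route) can be modelled as independent controls. The following is an added example written for this page, not code from either poster; the prefixes (documentation space, a constructed /52 for the lab inside a constructed site /48), the route table and the hop names are all assumptions. It traces one test stream through both filters and a longest-prefix-match lookup, and enumerates which combinations of filter failures let the stream reach the ISP.

```python
"""Model of the lab-egress scenario from the thread (constructed example)."""
import ipaddress
from dataclasses import dataclass
from itertools import product

# Constructed addresses: the lab's /52 and the site /48 are assumptions,
# using documentation space, not values from the original message.
LAB_PREFIX = ipaddress.ip_network("2001:db8:1234:f000::/52")
SITE_PREFIX = ipaddress.ip_network("2001:db8:1234::/48")

# Constructed site routing table as (prefix, next hop); ::/0 is the default route.
ROUTES = [
    (ipaddress.ip_network("2001:db8:1234:f000::/52"), "lab-core"),
    (ipaddress.ip_network("2001:db8:1234::/48"), "site-core"),
    (ipaddress.ip_network("::/0"), "isp-uplink"),
]


def next_hop(dst, routes=ROUTES):
    """Longest-prefix match. A destination with no more specific route
    (e.g. a typoed address) falls through to the default route."""
    best_prefix, best_hop = None, None
    for prefix, hop in routes:
        if dst in prefix and (best_prefix is None or prefix.prefixlen > best_prefix.prefixlen):
            best_prefix, best_hop = prefix, hop
    return best_hop


@dataclass
class SiteControls:
    # Condition 2): the lab border only forwards to destinations inside the site.
    lab_dest_filter: bool = True
    # Condition 1): the uplink drops anything sourced from the lab prefix.
    upstream_src_filter: bool = True


def trace(src, dst, controls):
    """Follow one test stream; return (reaches_isp, reason)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if controls.lab_dest_filter and d not in SITE_PREFIX:
        return False, "dropped at lab border: destination outside site"
    hop = next_hop(d)
    if hop != "isp-uplink":
        return False, f"delivered internally via {hop}"
    # Condition 3) holds here: no internal route matched, so the stream is on
    # the default route towards the ISP. Only the source filter remains.
    if controls.upstream_src_filter and s in LAB_PREFIX:
        return False, "dropped at uplink: lab source address"
    return True, "forwarded to ISP"


def escaping_filter_states(src, dst):
    """Enumerate every combination of the two filters being on or off and
    return the (lab_dest_filter, upstream_src_filter) states under which the
    stream actually reaches the ISP."""
    escaped = []
    for dest_f, src_f in product((True, False), repeat=2):
        reached, _ = trace(src, dst, SiteControls(dest_f, src_f))
        if reached:
            escaped.append((dest_f, src_f))
    return escaped


if __name__ == "__main__":
    src = "2001:db8:1234:f000::10"          # a lab host (constructed)
    good_dst = "2001:db8:1234:f001::20"     # another lab host (constructed)
    typo_dst = "2001:db8:4321:f001::20"     # one nibble wrong: outside the site
    for dst in (good_dst, typo_dst):
        print(dst, trace(src, dst, SiteControls()), escaping_filter_states(src, dst))
```

Run as a script, the correctly addressed stream is delivered internally no matter how the filters are set, while the mistyped one reaches the ISP only when both filters are absent: each filter on its own is sufficient, which is the sense in which the conditions are independent.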