Hi, Stephen:
1) First, logistics:
Since I have been waiting for the moderation of my first posting on NANOG, could I assume that you are sending me this personal e-mail as a Moderator?
2) Perhaps the material provided in my writing was not sufficient; you seem to be expressing concerns from other perspectives. As concisely characterized by one of the "Internet fathers", EzIP is an overlay network relative to the current Internet. As such, the EzIP deployment is pretty much independent of the hurdles that the current Internet equipment or conventions may impose on it. That is, we can start the EzIP deployment leaving everything in the current Internet alone. This is because each EzIP deployment module, called a RAN (Regional Area Network), is tethered via one IPv4 public address onto the Internet core. Since each RAN appears to be a private network, it can be set up according to its own requirements. That is, each RAN can make use of any desired IPv4 technology, while leaving others aside. As long as the packets on that single access path between the RAN and the Internet conform to the Internet conventions, the deployment of the EzIP proposal should work.
3) " ... if you plan on endpoint computers (such as those in homes) to use the 240/4 netblock. ... ": No, we do not. As presented by the RAN demonstration cited by the whitepaper, one of the primary criteria of the EzIP proposal is not to affect the current private network setups. Although, other than Windows OS based products, more and more IoT devices do support the 240/4 netblock. Even some Internet routers appear to do so, as well.
4) " ... DD-WRT project? ... ": EzIP does not have any ambition to alter or replace the existing Internet equipment in any sense. Fortunately, we can deploy our solution without such complication due to the overlay characteristics. Our main goal is to demonstrate that "there exists" one feasible configuration that can operate EzIP in parallel to the existing Internet for providing equivalent services. From such a skeletal reference, one can expand to larger deployments, as well as put on desired features and capabilities. For example, we have utilized OpenWrt 19.07.3 to demonstrate the feasibility of the EzIP scheme. Since the enabling technique is "disabling the program code that has been disabling the use of the 240/4 netblock", any other project, such as DD-WRT, can replicate it just as well, if so inclined.
5) "... Firewalls ... NIST ... ": Since EzIP is only identifying the additional address resources from the "Reserve" and suggesting how to use them, it is not clear to me why high level functionalities such as security related firewall tasks get involved here. Do the NIST Guidelines specify blocking any packet with a 240/4 netblock address? I failed to spot such. Since there is no natural division between the 240/4 netblock and the rest of the IPv4 address pool, I can't see any reason to single this netblock out in the firewall related tasks anyway. Do you know the reason why? I would very much appreciate it if you could elaborate your concerns.
6) By the way, EzIP's RAN is actually very much the same as CG-NAT or CDN, architecturally. The only difference is that the EzIP Project managed to identify a larger usable address pool, enabling the practice of static addressing to simplify operation logistics, mitigate cyber insecurity, etc.
I look forward to your thoughts.

Regards,

Abe (2022-03-09 23:28 EST)
On 2022-03-08 13:08, Stephen Satchell wrote:

On 3/7/22 2:14 PM, Abraham Y. Chen wrote:
In a nutshell, EzIP proposes to disable the program code in current routers that has been disabling the use of the 240/4 NetBlock. The cost of this software engineering should be minimal. The EzIP deployment architecture is the same as that of the existing CG-NAT (Carrier Grade Network Address Translation). Consequently, there is no need to modify any hardware equipment. There is an online setup description (Reference II), called RAN (Regional Area Network), that demonstrates the feasibility of this approach.
You have another surface that will need to be dealt with if you plan on endpoint computers (such as those in homes) to use the 240/4 netblock. You will need to talk to the authors of firewall books and web sites to update the examples to remove all-traffic blocks on 240/4. Then individual administrations, not just ISP/Service-Provider, will need to know to modify any home-brew firewalls to open all addresses except 255.255.255.255 (and perhaps 240.0.0.0).
That includes my publications about firewall configurations.
If you haven't already, you will need to include makers of access points and companies such as SonicWALL. Have you talked to pfSense? DD-WRT project? UFW project? firewalld project? The Berkeley Packet Filter project? How about authors of the NIST _Guidelines on Firewalls and Firewall Policy_ publication (https://www.govinfo.gov/content/pkg/GOVPUB-C13-f52fdee3827e2f5d903fa8b4b66d4855/pdf/GOVPUB-C13-f52fdee3827e2f5d903fa8b4b66d4855.pdf)?
I wish you luck. And that's only the things I found in English.
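The disagreement in the thread above is whether 240/4 is "singled out" in practice. The following is an added example, not part of either message and not EzIP project code: it runs a few addresses through a constructed bogon (martian) list of the kind that appears in firewall books, which drops all of 240.0.0.0/4, and through the same list narrowed to the two addresses Stephen says must stay blocked (255.255.255.255 and perhaps 240.0.0.0). It also shows that Python's own `ipaddress` module marks every 240/4 address as reserved, an instance of the software-level special-casing being discussed. The bogon list and sample addresses are constructed for this illustration and are not copied from any named product's defaults.

```python
"""Compare how a conventional bogon filter and a 240/4-tolerant one treat
IPv4 addresses, and how the Python standard library classifies them."""
import ipaddress

# Constructed for this example: a bogon/martian list of the kind found in
# firewall books and default rulesets. Check your own ruleset; this is an
# illustration, not a copy of any named product's defaults.
CONVENTIONAL_BOGONS = [
    "0.0.0.0/8",          # "this" network
    "10.0.0.0/8",         # RFC 1918
    "100.64.0.0/10",      # shared address space (CG-NAT)
    "127.0.0.0/8",        # loopback
    "169.254.0.0/16",     # link-local
    "172.16.0.0/12",      # RFC 1918
    "192.0.0.0/24",       # IETF protocol assignments
    "192.0.2.0/24",       # TEST-NET-1
    "192.168.0.0/16",     # RFC 1918
    "198.18.0.0/15",      # benchmarking
    "198.51.100.0/24",    # TEST-NET-2
    "203.0.113.0/24",     # TEST-NET-3
    "224.0.0.0/4",        # multicast
    "240.0.0.0/4",        # "reserved for future use": the entry at issue
]

# Same list with the 240/4 entry narrowed to what the thread says must
# remain blocked: limited broadcast and, "perhaps", 240.0.0.0 itself.
RELAXED_BOGONS = CONVENTIONAL_BOGONS[:-1] + [
    "255.255.255.255/32",  # limited broadcast
    "240.0.0.0/32",        # first address of 240/4 (optional per the thread)
]


def first_matching_rule(addr, cidrs):
    """Return the first CIDR in *cidrs* containing *addr*, or None.

    Mirrors a first-match packet filter deciding whether to drop a packet
    carrying that address."""
    ip = ipaddress.ip_address(addr)
    for cidr in cidrs:
        if ip in ipaddress.ip_network(cidr):
            return cidr
    return None


def is_dropped(addr, cidrs):
    return first_matching_rule(addr, cidrs) is not None


def classify(addr):
    """Report stdlib classification and the outcome under each filter.

    ipaddress.IPv4Address.is_reserved is True for all of 240.0.0.0/4, so
    even application code, not just firewalls, treats the block specially."""
    ip = ipaddress.ip_address(addr)
    return {
        "address": str(ip),
        "in_240_4": ip in ipaddress.ip_network("240.0.0.0/4"),
        "stdlib_is_reserved": ip.is_reserved,
        "conventional_rule": first_matching_rule(addr, CONVENTIONAL_BOGONS),
        "relaxed_rule": first_matching_rule(addr, RELAXED_BOGONS),
    }


def diff_filters(addrs):
    """Addresses dropped by the conventional filter but passed by the relaxed one."""
    return [a for a in addrs
            if is_dropped(a, CONVENTIONAL_BOGONS)
            and not is_dropped(a, RELAXED_BOGONS)]


if __name__ == "__main__":
    # Constructed sample addresses.
    samples = ["8.8.8.8", "192.168.1.1", "240.0.0.0", "240.0.0.1",
               "250.1.2.3", "255.255.255.255"]
    for a in samples:
        print(classify(a))
    print("passed only by the relaxed filter:", diff_filters(samples))
```

The practical point for anyone auditing a ruleset: a single `240.0.0.0/4` drop entry, whether in a firewall example or in library logic like `is_reserved`, is what has to change, and the relaxed list shows the minimal replacement the thread describes.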