At 06:11 PM 12/23/97 +0000, some abusive halfwit wrote:
> GE is heavily firewalled; i'm not surprised you didn't get any answers.
> stupid experiment, really.
And a stupid comment, really. No wonder GE no longer wants his services.

Look, gang, the reason to do a public ping is that in the last analysis, GE only needs public IP addresses for those infrastructure machines that need public exposure and contact with the public internet. Granted, there are some exceptions. However, a ping -a should bring up at least every valid router on their network that sits in front of a firewalled virtual private network element, plus the firewall host itself. Most everything else sits behind a firewall. By definition, then, those machines can and should be proxied for external public internet connections and can use private network numbers. Those that are not behind the proxy and firewall can keep their public numbers. Despite transit across segments of the public internet, as Mr. Bono of GE so rightly pointed out, only the machines exposed to the public internet need public numbers. The goal here is only to find publicly pingable IPs in use, not to count all hosts behind firewalls.

So much for the ex-GE contractor. It is apparent that GE had no more use for his comments than I do, since he is proud to still be able to at least call himself an ex-GE contractor. Mr. Bono, on the other hand, did state useful facts. He is a part of GE, and thus is limited to only pointing out facts that serve GE interests. What he did not point out is that number of employees <> number of needed public static IP addresses. First, the majority of GE employees are blue-collar clock-punchers in factories both in the US and especially overseas. They are not allowed time by the assembly line supervisors for internet access even if they did have the knowledge and desire to establish a permanent presence on the public internet. Second, assume for the moment that leaves maybe 300,000 of those 1.7 million workers eligible for having a white collar AND an office AND a desk with a static address PC on it.

How many of these pee cees really have direct exposure to the public internet and are NOT behind a firewall? The one useful comment Mr. Ex-GE Contractor came up with is that GE is heavily firewalled. That means less than 5 percent or so actually see the internet without the blockage of a firewall. Those 5 percent or less are predominantly small offices with small one-segment LANs that do not need a firewall and do not justify a full period private leased line. Of course, back when there *was* a GEIS doing a viable public dial-in ISP business, all that was different. But no more. So let's say less than 60,000 static public IPs are needed for the entire 1.7 million employee GE. That is being generous, BTW. How then can you justify needing more than a single Class-B, or at most two or three worldwide? Only if you admit you use it inefficiently. You cannot convincingly argue that a heavily-firewalled corp needs 100 percent public IPs behind that proxy firewall. Equally, there is no defensible position from which to argue that those users cannot be proxied for virtually all external access from behind that firewall. Sure, if done all at once this would be a time-intensive renumbering process, but other major corps have completed renumbering plans within their normal pee cee workstation refresh cycles and have done so at minimal additional marginal cost over a 12 to 18 month period. GE should not be so bloated and ineffective that their IT staff cannot follow the lead of other corps and do this for the public good. I challenge GE to say that this is not so, and provide pertinent and defensible facts and figures to back it up. I believe that if the truth were known, Jack Kelly and gang are guilty of definitely warehousing hundreds of thousands and almost certainly millions of unneeded public IP addresses because they think they can get away with it and for no other reason.

We through ARIN and others should be reallocated this address space for the public use of our subscribers. OK, even though the horse ran away long ago, that's a good tilt at a windmill anyway for ya........

Happy Holidays to ALL

Randall
At 9:02 PM -0500 12/23/97, Randall Pigott wrote:
> Look, gang, the reason to do a public ping is that in the last analysis, GE only needs public IP addresses for those infrastructure machines that need
Some people block ICMP, but have a lot of other direct internet access. This sort of test only gives one an initial set of questions to ask. It does not answer those questions.

Don't kill the investigator yet.

And of course, this is a moot issue when one is paying for address space.

--Dean
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Plain Aviation, Inc                              dean@av8.com
LAN/WAN/UNIX/NT/TCPIP                            http://www.av8.com
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> At 9:02 PM -0500 12/23/97, Randall Pigott wrote:
>> Look, gang, the reason to do a public ping is that in the last analysis, GE only needs public IP addresses for those infrastructure machines that need
>
> Some people block ICMP, but have a lot of other direct internet access. This sort of test only gives one an initial set of questions to ask. It does not answer those questions.
>
> Don't kill the investigator yet.
>
> And of course, this is a moot issue when one is paying for address space.
>
> --Dean
Careful- if you start saying "you can have whatever you pay for", Microsoft may hear you........:)

eric (only half-kidding)
>> At 9:02 PM -0500 12/23/97, Randall Pigott wrote:
>>> Look, gang, the reason to do a public ping is that in the last analysis, GE only needs public IP addresses for those infrastructure machines that need
>>
>> Some people block ICMP, but have a lot of other direct internet access. This sort of test only gives one an initial set of questions to ask. It does not answer those questions.
>>
>> Don't kill the investigator yet.
>>
>> And of course, this is a moot issue when one is paying for address space.
>>
>> --Dean
>
> Careful- if you start saying "you can have whatever you pay for", Microsoft may hear you........:)
Hmm. Perhaps we could make a killing by cornering the IP Address market... I wonder how long before IP Addresses are traded on the commodities market...

--Dean
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Plain Aviation, Inc                              dean@av8.com
LAN/WAN/UNIX/NT/TCPIP                            http://www.av8.com
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> How then can you justify needing more than a single Class-B, or at most two or three worldwide?
I recall seeing a comment about using the public Internet as private data transfer. Since the smallest prefix you can advertise on the Internet is /24, that breaks up the aforementioned Class B into 256 blocks. Given that GTE (or any large corporation) is likely to divide its remote offices up in headcounts of 254, there's room for inefficiency there. I could easily see a use for _at least_ 4 Class B's, if not more.

eric
>> How then can you justify needing more than a single Class-B, or at most two or three worldwide?
>
> I recall seeing a comment about using the public Internet as private data transfer. Since the smallest prefix you can advertise on the Internet is /24, that breaks up the aforementioned Class B into 256 blocks. Given that GTE (or any large corporation) is likely to divide its remote offices up in headcounts of 254, there's room for inefficiency there. I could easily see a use for _at least_ 4 Class B's, if not more.
Okay...

    RFC1918 host
         |
         |
    border router <----+
         |             |
         |             |
    public internet    |
         |             |
         |             |  IP tunnel between corporate offices
    border router      |  preserving RFC1918 addressing.
         |             |
         |             |
    RFC1918 host  <----+

With careful use of NAT at appropriate points, it is technically possible to limit the amount of publicly visible addresses you use to (quite conceivably) 2 or 3 traditional class C blocks. Obviously this is not necessarily a real world model but you get the picture. I don't personally believe that an "enterprise" network should ever require more than one (PERHAPS two) /16 networks. When you get to ISPs and similar, the need for addresses will rise dramatically but it can still be kept under control if you're careful about maintaining hierarchical addressing structures.

----------------------------------------------------------------------
Wayne Bouchard                                  GlobalCenter
web@primenet.com                                Primenet Network Operations
Internet Solutions for                          (602) 416-6422  800-373-2499 x6422
Growing Businesses                              FAX: (602) 416-9422
http://www.primenet.com                         http://www.globalcenter.net
----------------------------------------------------------------------
Right, but since each border router off of the public Internet can't advertise anything smaller than /24 (would *your* router accept an advertisement for 3.0.0.0/27?), each separate office needs at least a /24. Yeah, NAT can take care of the internal addressing, but you're still stuck with the fact that you "only" can have 256 separate border routers.

I was never arguing that GE needs and/or deserves the full 3.0.0.0, as I have little or no experience with their network needs. (I do note, however, that I can't find *any* of 3.0.0.0/8 in Mae-East via Digex right now).

I believe it was Lee Ving who said "Let's have a war/We need the space".

Fini.

eric
>> Okay...
>>
>>     RFC1918 host
>>          |
>>          |
>>     border router <----+
>>          |             |
>>          |             |
>>     public internet    |
>>          |             |
>>          |             |  IP tunnel between corporate offices
>>     border router      |  preserving RFC1918 addressing.
>>          |             |
>>          |             |
>>     RFC1918 host  <----+
>>
>> With careful use of NAT at appropriate points, it is technically possible to limit the amount of publicly visible addresses you use to (quite conceivably) 2 or 3 traditional class C blocks. Obviously this is not necessarily a real world model but you get the picture. I don't personally believe that an "enterprise" network should ever require more than one (PERHAPS two) /16 networks. When you get to ISPs and similar, the need for addresses will rise dramatically but it can still be kept under control if you're careful about maintaining hierarchical addressing structures.
>>
>> ----------------------------------------------------------------------
>> Wayne Bouchard                                  GlobalCenter
>> web@primenet.com                                Primenet Network Operations
>> Internet Solutions for                          (602) 416-6422  800-373-2499 x6422
>> Growing Businesses                              FAX: (602) 416-9422
>> http://www.primenet.com                         http://www.globalcenter.net
>> ----------------------------------------------------------------------
>
> Right, but since each border router off of the public Internet can't advertise anything smaller than /24 (would *your* router accept an advertisement for 3.0.0.0/27?), each separate office needs at least a /24. Yeah, NAT can take care of the internal addressing, but you're still stuck with the fact that you "only" can have 256 separate border routers.
Well, figure that there is going to be some level of proxy service going on for those who do access web pages and whatnot so it's unlikely that there would be less than a class C used at each location in actuality. Plus figure that the only thing that needs to be visible is the /30 allocated from the upstream for the link, technically, there doesn't need to be *any* public addresses in an office.

Not to discount valid use of addresses, simply pointing out that if one wanted to restrict themselves, it's quite possible. I doubt anyone would want to put themselves through this in the real game, but...

----------------------------------------------------------------------
Wayne Bouchard                                  GlobalCenter
web@primenet.com                                Primenet Network Operations
Internet Solutions for                          (602) 416-6422  800-373-2499 x6422
Growing Businesses                              FAX: (602) 416-9422
http://www.primenet.com                         http://www.globalcenter.net
----------------------------------------------------------------------
>> Right, but since each border router off of the public Internet can't advertise anything smaller than /24 (would *your* router accept an advertisement for 3.0.0.0/27?), each separate office needs at least a /24. Yeah, NAT can take care of the internal addressing, but you're still stuck with the fact that you "only" can have 256 separate border routers.
>
> Well, figure that there is going to be some level of proxy service going on for those who do access web pages and whatnot so it's unlikely that there would be less than a class C used at each location in actuality. Plus figure that the only thing that needs to be visible is the /30 allocated from the upstream for the link, technically, there doesn't need to be *any* public addresses in an office.
>
> Not to discount valid use of addresses, simply pointing out that if one wanted to restrict themselves, it's quite possible. I doubt anyone would want to put themselves through this in the real game, but...
I think this still has operational content, because justifying address space is a reasonably day-to-day real-world requirement. Perhaps PAGAN might be more appropriate, but it seems to have gone into intergalactic space. We have been making an assumption about being able to hold address space behind address-translating gateways, be they full firewalls or NAT boxes. At the IETF NAT meeting this month, Bob Moskowitz, among others, pointed out this assumption runs counter to trends in large enterprises to use end-to-end encrypted tunnels. If the firewall, etc., is not trusted with the cryptosystem, then it can't do address translation involving such things as TCP checksums. Widespread deployment of IPsec, as I understand it, is likely to increase greatly the need for public address space.
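The point Howard raises above (a NAT box that is not trusted with the cryptosystem cannot rewrite addresses, because the TCP checksum it would have to patch is bound to both IP addresses) is worth seeing in bytes. The following is an added illustration written for this archive page, not code from any poster: it builds a TCP segment, shows that a NAT rewriting the source address must recompute the checksum over the pseudo-header, and then models an end-to-end integrity check (a plain HMAC standing in for an IPsec AH ICV; the key is a constructed value and the addresses are documentation ranges) that the NAT cannot repair because it has no key. Everything after the `def` lines is my own construction.

```python
"""NAT versus end-to-end integrity: why the checksum fix-up stops working."""
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO = 6


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when `data` already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src: str, dst: str, seg_len: int) -> bytes:
    """TCP pseudo-header (RFC 793): both IPv4 addresses, zero byte, protocol, TCP length."""
    return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
            + struct.pack("!BBH", 0, TCP_PROTO, seg_len))


def build_segment(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal 20-byte TCP header (SYN, no options) plus payload, with the checksum filled in."""
    header = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    segment = header + payload
    csum = internet_checksum(pseudo_header(src, dst, len(segment)) + segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """Receiver-side check: the sum over pseudo-header plus segment must come out to zero."""
    return internet_checksum(pseudo_header(src, dst, len(segment)) + segment) == 0


def nat_rewrite(segment: bytes, new_src: str, dst: str, fix_checksum: bool) -> bytes:
    """Model of a NAT mapping an RFC 1918 source to a public one.

    The IP header change is implicit (the caller passes `new_src` to the receiver);
    with fix_checksum=False the transport checksum is left alone, which is all a NAT
    can do when it cannot read or alter the transport header.
    """
    if not fix_checksum:
        return segment
    cleared = segment[:16] + b"\x00\x00" + segment[18:]
    csum = internet_checksum(pseudo_header(new_src, dst, len(segment)) + cleared)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def ah_icv(key: bytes, src: str, dst: str, segment: bytes) -> bytes:
    """Simplified stand-in for an AH integrity check value: keyed MAC over addresses and segment."""
    msg = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed + segment
    return hmac.new(key, msg, hashlib.sha256).digest()


def demo() -> dict:
    """Run the three scenarios and return the receiver-side verdicts."""
    inside, public, server = "10.1.2.3", "192.0.2.10", "198.51.100.7"  # constructed addresses
    seg = build_segment(inside, server, 40000, 80, b"GET / HTTP/1.0\r\n\r\n")
    untouched = nat_rewrite(seg, public, server, fix_checksum=False)
    fixed = nat_rewrite(seg, public, server, fix_checksum=True)
    key = b"constructed-demo-key"  # known only to the two endpoints, never to the NAT
    icv = ah_icv(key, inside, server, seg)
    return {
        "plain_before_nat": checksum_ok(inside, server, seg),
        "plain_after_nat_no_fix": checksum_ok(public, server, untouched),
        "plain_after_nat_fixed": checksum_ok(public, server, fixed),
        "ah_after_nat": hmac.compare_digest(icv, ah_icv(key, public, server, fixed)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The first two verdicts are the ordinary NAT case: the checksum fails after the rewrite and passes once the NAT recomputes it. The last verdict is the IPsec case Howard describes: the endpoints' keyed check covers the addresses, so the rewritten packet is rejected, and the NAT has no key with which to produce a valid replacement. With ESP the situation is the same from the NAT's side for a different reason, since the transport header and its checksum are inside the encrypted payload and cannot be patched at all.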
A bit behind on mail owing to the pressure of not shopping early enough but (while I'm waiting for the turkey to cook), having read through the whole thread to date, I couldn't resist a comment on the statement below... At 10:13 PM 12/23/97 -0500, you allegedly wrote:
> Right, but since each border router off of the public Internet can't advertise anything smaller than /24 (would *your* router accept an advertisement for 3.0.0.0/27?), each separate office needs at least a /24. Yeah, NAT can take care of the internal addressing, but you're still stuck with the fact that you "only" can have 256 separate border routers.
[snip for brevity]
Just where are the "border routers" connecting to? Thanks to smd and others (in reaction to the table growth and flap frequency) a couple of years ago many places on/in the net will not advertise/accept anything less than a Classful C /19 (in certain ranges, granted) and will not accept anything longer than a /16 or /8 from "classful" B or A networks. This eventually matched the RIPE rules for address allocation - nothing longer than a /19 from RIPE. Sprint published their rules (here on NANOG and elsewhere) and others worked on roughly the same set. The rules haven't changed much!!

Ergo - if your prefix is long you won't be routed! e.g. 3.0.0.0 /8 (or even a bit longer maybe) should be reachable but 3.1.2.128 /25 will probably not! However 3.1.2.129 should be reachable internally via wherever 3.0.0.0 /8 is advertised.

If you have a small site connected only via the public net (i.e. to an ISP) you need to get a routeable address space from YOUR UPSTREAM PROVIDER from their address block!! (note:- if you _are_ the provider you will obviously be aggregating to avoid the flaps/entries issue so this doesn't affect you - you reach your internal hosts via your IGP tables!!). If you want the flexibility to change providers when they scr*w up [they will :-) ] then you need a private address space behind a NAT-type device and then get a /32 from "NE1-the-ISP.com". Renumbering a single host is NOT A PROBLEM!

How GE deal with things is their headache for now, but with the filtering rules above and the renumbering necessary to get small sites routed in public it strikes me that it would be more sense for them to renumber ONCE into the 10.0.0.0 space and use NAT or something similar to fake-out the IPV4 routing. It doesn't take a rocket-scientist to work out that unused IPV4 space (i.e. space not populating public routing tables) will at some future time become reclaimed either by default or, as elsewhere suggested, by being traded as a commodity.

Of course, IPV6 becomes the lazy way out - "there'll be plenty of addresses for everybody" (deja vu?) - if/when it arrives!

Something to ponder over dinner.....

Have a good (insert relevant reason for celebration here) holiday.

-H-
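Two claims in this thread are easy to check mechanically: Eric's point that a /16 carved at the /24 limit yields only 256 separately advertisable blocks, and Henry's point that under the Sprint-style classful filters a long prefix such as 3.1.2.128/25 is dropped while 3.1.2.129 is still reached through the covering 3.0.0.0/8. The following is an added example written for this page, not code anyone in the thread posted. The filter limits are assumptions drawn from Henry's description (nothing longer than /8 from classful A space, /16 from B space, /19 from C space) alongside a flat "nothing longer than /24" policy for Eric's argument; the announcement table is constructed from the thread's own example prefixes.

```python
"""Prefix-length filtering and longest-match lookup, modelling the thread's two filter policies."""
import ipaddress
from typing import Dict, Iterable, Optional

# Longest prefix accepted per classful range. Values are assumptions taken from the thread's description.
CLASSFUL_POLICY: Dict[str, int] = {"A": 8, "B": 16, "C": 19}   # Sprint-style filter as Henry describes it
FLAT24_POLICY: Dict[str, int] = {"A": 24, "B": 24, "C": 24}    # "nothing smaller than /24" as Eric assumes


def classful_range(net: ipaddress.IPv4Network) -> str:
    """Return 'A', 'B' or 'C' from the first octet; class D/E space returns 'other'."""
    first_octet = int(net.network_address) >> 24
    if first_octet < 128:
        return "A"
    if first_octet < 192:
        return "B"
    if first_octet < 224:
        return "C"
    return "other"


def accepted(prefix: str, policy: Dict[str, int]) -> bool:
    """True if a border router running `policy` would install this announcement."""
    net = ipaddress.ip_network(prefix, strict=False)
    limit = policy.get(classful_range(net))
    return limit is not None and net.prefixlen <= limit


def routable_blocks(aggregate: str, longest_accepted: int = 24) -> int:
    """How many separately announceable blocks an aggregate yields under a /N limit (256 /24s per /16)."""
    net = ipaddress.ip_network(aggregate, strict=False)
    if net.prefixlen > longest_accepted:
        return 0  # the aggregate itself would not be carried
    return 2 ** (longest_accepted - net.prefixlen)


def route_lookup(address: str, announcements: Iterable[str], policy: Dict[str, int]) -> Optional[str]:
    """Longest-match lookup over the announcements that survive the filter; None if nothing covers the address."""
    addr = ipaddress.ip_address(address)
    best: Optional[ipaddress.IPv4Network] = None
    for prefix in announcements:
        net = ipaddress.ip_network(prefix, strict=False)
        if accepted(prefix, policy) and addr in net:
            if best is None or net.prefixlen > best.prefixlen:
                best = net
    return str(best) if best is not None else None


if __name__ == "__main__":
    # Constructed announcement table using the prefixes the thread itself mentions.
    table = ["3.0.0.0/8", "3.1.2.0/24", "3.1.2.128/25", "3.0.0.0/27"]
    for name, policy in (("flat /24", FLAT24_POLICY), ("classful", CLASSFUL_POLICY)):
        print(name, {p: accepted(p, policy) for p in table})
        print("  3.1.2.129 reached via", route_lookup("3.1.2.129", table, policy))
    print("/24 blocks available inside a /16:", routable_blocks("3.0.0.0/16"))
```

Under the flat policy the /24 is carried and 3.1.2.129 resolves through it; under the classful policy every announcement longer than /8 from 3.0.0.0 is discarded and the address is reached only through the aggregate, which is exactly why a small site cannot simply announce a slice of someone else's classful block and must take provider-assigned space or sit behind NAT.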
in the spirit of the holiday season, i apologize for my "stupid experiment" comment.
> At 06:11 PM 12/23/97 +0000, some abusive halfwit wrote:
>> GE is heavily firewalled; i'm not surprised you didn't get any answers.
>> stupid experiment, really.
>
> And a stupid comment, really. No wonder GE no longer wants his services.
detailed technical discussion that i don't dispute, and probably agree with, omitted.
> I challenge GE to say that this is not so, and provide pertinent and defensible facts and figures to back it up. I believe that if the truth were know, Jack Kelly and gang are guilty of definitely warehousing
i think that you mean "Jack Welch".
> hundreds of thousands and almost certainly millions of unneeded public IP addresses because they think they can get away with it and for no other reason.
i think you have no comprehension of how GE works. GE has, over a period of years, consolidated their address space into 3 as they become better integrated with the public internet. at one time, this space was exposed to the public. having been badly burned by hackers once or twice, GE has moved most, if not all, of this space behind firewalls; based on conversations i had with some of the GE R&D systems staff a year or so back, i believe that their intent is that little, if any, of 3.0.0.0/8 is to be exposed to the open net; the gateways that i've used in the past use addresses in 192.something as their public face.

so there are probably no technical reasons why GE couldn't just hand 3.0.0.0/8 back -- because of the firewalling; they probably don't really even need to renumber into 10.0.0.0/8 (and based on my experience, any effort to renumber the corporation from 3 to 10 would be doomed to failure). the reasons why the addresses won't be returned are part of corporate culture, and have to do with the fact that there is little motivation for GE to hand the old Class A back -- they aren't paying for it, and aren't going to in the near future, and if ARIN tried to charge them for it, it'd just result in a court case -- GE has very good lawyers on retainer, and lots of them.
> We through ARIN and others should be reallocated this address space for the public use of our subscribers.
greater good arguments don't cut it with GE management, unless it's for the greater good of the shareholders.

richard
--
Richard Welty                                    welty@inet-solutions.net
Chief Internet Engineer, INet Solutions   http://www.inet-solutions.net/~welty/
888-311-INET
On Wed, Dec 24, 1997 at 11:11:39AM +0000, Richard Welty wrote:
> i think you have no comprehension of how GE works.
Oh, I think a number of people do, and it's why some of us have stated, multiple times, that the current policies are discriminatory and ARE going to lead to court cases, lawyers, and trouble for ARIN and others who have and continue to control this process.
> GE has, over a period of years, consolidated their address space into 3 as they become better integrated with the public internet. at one time, this space was exposed to the public. having been badly burned by hackers once or twice, GE has moved most, if not all, of this space behind firewalls; based on conversations i had with some of the GE R&D systems staff a year or so back, i believe that their intent is that little, if any, of 3.0.0.0/8 is to be exposed to the open net; the gateways that i've used in the past use addresses in 192.something as their public face.
>
> so there are probably no technical reasons why GE couldn't just hand 3.0.0.0/8 back -- because of the firewalling; they probably don't really even need to renumber into 10.0.0.0/8 (and based on my experience, any effort to renumber the corporation from 3 to 10 would be doomed to failure). the reasons why the addresses won't be returned are part of corporate culture, and have to do with the fact that there is little motivation for GE to hand the old Class A back -- they aren't paying for it, and aren't going to in the near future, and if ARIN tried to charge them for it, it'd just result in a court case -- GE has very good lawyers on retainer, and lots of them.
>
>> We through ARIN and others should be reallocated this address space for the public use of our subscribers.
>
> greater good arguments don't cut it with GE management, unless it's for the greater good of the shareholders.
>
> richard
> --
> Richard Welty                                    welty@inet-solutions.net
> Chief Internet Engineer, INet Solutions   http://www.inet-solutions.net/~welty/
> 888-311-INET
And THERE lies the problem.

See, ARIN wants to claim that others can't have what GE has. Further, ARIN, along with the IANA, wants to claim that people should "give back" space that they are not efficiently using to connect to the Internet - unless, of course, you're someone like MIT, GE, or PSI.

Hiding 95% of your hosts behind firewalls is fine. But if you're doing that, you only need 5% of the space you would otherwise need to be "exposed", and thus on public routable space.

Until ARIN and the IANA come to grips with the FACT that the current and past policy in fact discriminatorily disadvantages some organizations and providers while allowing others free run with either new or previous allocations, the risk of serious legal and social challenges remains high.

ARIN doesn't like this one bit; I'm on the AC, and even with my being on the "inside" it is difficult to impossible to get the ARIN people to recognize the problem, say much less do anything about it. The reason, of course, is political - guess what happens if they DO address it? Lots of people get upset, and some of them have a lot of money and lawyers.

What's not being paid attention to is that the number of parties who are being screwed is growing. Sooner or later they will reach critical mass and form a class looking for redress, and when that happens there will be trouble.

IANA, with the people there believing they are insulated from any real risk due to their being technically employees of a publicly-funded university, has an even-more-discriminatory worldview on this.

ARIN and/or the IANA are eventually going to tangle with someone who has both lawyers and money, and comes to the conclusion that both they *AND THE CORPORATIONS WHO HAVE BENEFITTED FROM THE DISCRIMINATORY BEHAVIOR* make nice, fat, juicy targets for some legal action. IMHO, that organization will be proven correct.

It is critically important to the operational stability of the Internet that this problem is addressed BEFORE someone files a $100M lawsuit and names some of the world's largest backbone providers and corporations, along with ARIN and the IANA, as defendants over this issue. Both ARIN and the IANA would have to fold in the face of such a challenge. Now we have *NO* delegation path available, and the likely result would be chaos.

--
--
Karl Denninger (karl@MCS.Net)| MCSNet - Serving Chicagoland and Wisconsin
http://www.mcs.net/          | T1's from $600 monthly to FULL DS-3 Service
                             | NEW! K56Flex support on ALL modems
Voice: [+1 312 803-MCS1 x219]| EXCLUSIVE NEW FEATURE ON ALL PERSONAL ACCOUNTS
Fax:   [+1 312 803-4929]     | *SPAMBLOCK* Technology now included at no cost
On Wed, Dec 24, 1997 at 11:31:12AM -0600, Karl Denninger wrote:
> It is critically important to the operational stability of the Internet that this problem is addressed BEFORE someone files a $100M lawsuit and names some of the world's largest backbone providers and corporations, along with ARIN and the IANA, as defendants over this issue.
And gets an order from some clueless judge to pick up all of their equipment for inspection.

<sigh>

Cheers,
-- jr 'adolescence is hell...' a
--
Jay R. Ashworth                                              jra@baylink.com
Member of the Technical Staff            Unsolicited Commercial Emailers Sued
The Suncoast Freenet     "Two words: Darth Doogie."  -- Jason Colby,
Tampa Bay, Florida            on alt.fan.heinlein            +1 813 790 7592
"Jay R. Ashworth" <jra@scfn.thpl.lib.fl.us> wrote:
> On Wed, Dec 24, 1997 at 11:31:12AM -0600, Karl Denninger wrote:
>> It is critically important to the operational stability of the Internet that this problem is addressed BEFORE someone files a $100M lawsuit and names some of the world's largest backbone providers and corporations, along with ARIN and the IANA, as defendants over this issue.
>
> And gets an order from some clueless judge to pick up all of their equipment for inspection.
Or the military decides we've all gone too far with their toy and nukes us!

randy
participants (10)
- Dean Anderson
- Eric Osborne
- Henry Steuart
- Howard C. Berkowitz
- Jay R. Ashworth
- Karl Denninger
- Randall Pigott
- Randy Bush
- Richard Welty
- Wayne Bouchard