At 11:57 07/11/2005, Michael.Dillon@btradianz.com wrote:
What about those that are assigned and used but not [currently] visible on the public Internet [i.e., are on other internets]?
Indeed!
On Henk's slide number 5 he states:
"Each AS wants to be able to send traffic to any other AS"
This is NOT true. Many ASes explicitly do *NOT* want to send traffic to any other AS. They only want to send traffic to customers, vendors or business partners of some sort.
You are right, but this was not the point I was trying to make on this slide. The point I was trying to make is: A site is assigned an AS if it has a network that is connected to the global Internet and wants to send traffic somewhere. (If not, why bother to get an AS?) One of the rules in the policies is that the AS is returned when the need disappears. So, very naively, I'd think that for each assigned AS there is at least one path announcing the address space in that AS to somebody else. I immediately agree that there are cases where an AS does not want to send traffic to another AS, or prefers not to use a path even though it is available. I also agree that there are cases where a network is not visible at all on the Internet and a private AS cannot be used. However, I do not believe that these cases account for 1/3 of the AS out there. Henk
In other words, there are many so-called extranets which are basically internets built using exactly the same technology as the Internet however with more restrictive interconnect policies.
One way to visualize this is to imagine the Internet as a cloud. At the core of the cloud are the core providers and at the edge of the cloud are the end user organizations, many of which appear to be singly homed. However, hidden behind this edge is a thin layer which represents a private internet. It also connects many networks but it does *NOT* exchange traffic with the public Internet. All the networks connected to these private internets are also connected to the public Internet but they implement strict traffic separation policies internally. In some cases, this is an air gap but these days it is often a bunch of firewalls.
In the 24/7 connected world of the 21st century there is a lot of growth in these internets that wrap around the Internet but don't exchange vital fluids with it.
--Michael Dillon
------------------------------------------------------------------------------
Henk Uijterwaal                           Email: henk.uijterwaal(at)ripe.net
RIPE Network Coordination Centre          http://www.amsterdamned.org/~henk
P.O.Box 10096          Singel 258         Phone:  +31.20.5354414
1001 EB Amsterdam      1016 AB Amsterdam  Fax:    +31.20.5354445
The Netherlands        The Netherlands    Mobile: +31.6.55861746
------------------------------------------------------------------------------

Look here junior, don't you be so happy.
And for Heaven's sake, don't you be so sad.                    (Tom Verlaine)
On Mon, Nov 07, 2005 at 09:33:30PM +0100, Henk Uijterwaal wrote:
At 11:57 07/11/2005, Michael.Dillon@btradianz.com wrote:
What about those that are assigned and used but not [currently] visible on the public Internet [i.e., are on other internets]?
Indeed!
On Henk's slide number 5 he states:
"Each AS wants to be able to send traffic to any other AS"
This is NOT true. Many ASes explicitly do *NOT* want to send traffic to any other AS. They only want to send traffic to customers, vendors or business partners of some sort.
You are right, but this was not the point I was trying to make on this slide.
The point I was trying to make is: A site is assigned an AS if it has a network that is connected to the global Internet and wants to send traffic somewhere. (If not, why bother to get an AS?) ... ...
Because it is connected to a DIFFERENT internet and wants to send traffic somewhere. My point was that the slide makes it sound like it covers ALL ASNs [as does your text, above], and there is AT LEAST one other possibility. -- Joe Yao ----------------------------------------------------------------------- This message is not an official statement of OSIS Center policies.
This is NOT true. Many ASes explicitly do *NOT* want to send traffic to any other AS. They only want to send traffic to customers, vendors or business partners of some sort.
The point I was trying to make is: A site is assigned an AS if it has a network that is connected to the global Internet and wants to send traffic somewhere. (If not, why bother to get an AS?)
Many companies get an AS in order to exchange traffic with other companies across an internetwork that IS NOT THE GLOBAL INTERNET!!! There are many internetworks separate from the global Internet. These internetworks carry traffic between many companies using globally unique IP addresses and globally unique AS numbers. But these companies do not want any of this traffic to transit any part of the global Internet and they don't want any form of peering with the global Internet.

Some people seem to think that IP addresses were created in order to allow people to run networks connected to the global Internet and that ASes were invented in order for such networks to exchange routing policy details on the global Internet. THIS IS *NOT* TRUE!

IP (Internetwork Protocol) addresses were created to allow devices to communicate using IP regardless of whether they are all connected to a single global Internet or not. And AS numbers were created to allow IP networks to exchange routing policy details across any IP network, not just the global Internet.

RFC1918 IP addresses were set aside for the special case in which someone is building a *PRIVATE* network. Once two organizations interconnect their networks, the two networks are no longer private and must use globally unique addresses to avoid conflicts. Similarly private AS numbers were created for people to build private internetworks such as in a lab environment or at the edge of the global Internet where the private ASes would disappear when routes are aggregated towards the core. But if many companies wish to connect their networks in an internetwork, separate from the global Internet then private AS numbers are required to avoid conflicts.

So, to answer your question, "Why bother to get an AS?". In order to exchange routing policy details with other organizations on one of the many internetworks that are NOT PART OF THE GLOBAL INTERNET!
It is important for RIR policymakers to understand that the RIRs are not managing Internet resources. They are managing IP (Internetwork Protocol) resources that are absolutely essential for ALL users of IP and related protocols. These users may not be part of the Internet but they still have a right to use these resources in order to build their networks.
One of the rules in the policies is that the AS is returned when the need disappears.
Excellent rule and it should be more widely enforced.
I also agree that there are cases where a network is not visible at all on the Internet and a private AS cannot be used. However, I do not believe that these cases account for 1/3 of the AS out there.
I agree. I would guess that there are no more than a few hundred ASes in use on private internetworks. So that still leaves almost 10,000 ASes that could be recovered and reused. On the other hand, it may be cheaper in the long run to just go to a 4-byte AS number and forget about lost AS numbers entirely. Is "waste" really a relevant word when we have IPv6 and 4-byte ASNs on the horizon? --Michael Dillon
On Tue, 2005-11-08 at 10:46 +0000, Michael.Dillon@btradianz.com wrote:
This is NOT true. Many ASes explicitly do *NOT* want to send traffic to any other AS. They only want to send traffic to customers, vendors or business partners of some sort.
The point I was trying to make is: A site is assigned an AS if it has a network that is connected to the global Internet and wants to send traffic somewhere. (If not, why bother to get an AS?)
Many companies get an AS in order to exchange traffic with other companies across an internetwork that IS NOT THE GLOBAL INTERNET!!! There are many internetworks separate from the global Internet. These internetworks carry traffic between many companies using globally unique IP addresses and globally unique AS numbers. But these companies do not want any of this traffic to transit any part of the global Internet and they don't want any form of peering with the global Internet.
Some people seem to think that IP addresses were created in order to allow people to run networks connected to the global Internet and that ASes were invented in order for such networks to exchange routing policy details on the global Internet. THIS IS *NOT* TRUE!
IP (Internetwork Protocol) addresses were created to allow devices to communicate using IP regardless of whether they are all connected to a single global Internet or not. And AS numbers were created to allow IP networks to exchange routing policy details across any IP network, not just the global Internet.
You need to separate technology from implementation. Anybody is free to use IP technology to build their own network for which they define their own policies. What you refer to as the "global internet" is just one particular implementation with resource-allocation policies decided by its users. With no shortage of resources (in this case AS numbers and IP addresses) we wouldn't have this discussion. Then nobody would care how an organisation is using the resources that are allocated to them. Resource allocation across separate administrative domains doesn't work when there's a shortage. *If* that happens, private networks may need to establish their own registry for "private ipv4 resources overlapping with the global internet", so that those resources can be re-used.
RFC1918 IP addresses were set aside for the special case in which someone is building a *PRIVATE* network. Once two organizations interconnect their networks, the two networks are no longer private and must use globally unique addresses to avoid conflicts. Similarly private AS numbers were created for people to build private internetworks such as in a lab environment or at the edge of the global Internet where the private ASes would disappear when routes are aggregated towards the core. But if many companies wish to connect their networks in an internetwork, separate from the global Internet then private AS numbers are required to avoid conflicts.
So, to answer your question, "Why bother to get an AS?". In order to exchange routing policy details with other organizations on one of the many internetworks that are NOT PART OF THE GLOBAL INTERNET!
Nobody is questioning the advantages of globally unique identifiers. However, administrative resources for the internet are primarily meant to serve the public. If or when there's a shortage of resources, private networks may have to accept administering their resources separately. There is technically no need for these networks to share resources with the global internet if they have no intention to ever connect to, or communicate with nodes on, the global network.
It is important for RIR policymakers to understand that the RIRs are not managing Internet resources. They are managing IP (Internetwork Protocol) resources that are absolutely essential for ALL users of IP and related protocols. These users may not be part of the Internet but they still have a right to use these resources in order to build their networks.
Wrong. RIRs have no authority outside the resources they've been assigned from the global pool, and certainly not over networks not connected to the global internet. RIRs are (as anybody else) free to take part in the process of developing global policies. Anybody is free to build their own separate networks and use IP technology as they want, but internet registries have no obligation to administer their resources. //Per
With no shortage of resources (in this case AS-numbers and IP-addresses) we wouldn't have this discussion. Then nobody would care how an organisation is using the resources that are allocated to them.
Thankfully there is no shortage of IP addresses and there will be no shortage of AS numbers. The factory has already ramped up production of IPv6 addresses and warehouses are full. Designs for the new version AS numbers are just about past engineering review and the factory is ready to begin production.
Nobody is questioning the advantages of globally unique identifiers. However, administrative resources for the internet are primarily meant to serve the public.
And the public *IS* being served by the diversity of applications and networks which use the Internet Protocol. The public is served regardless of whether the device is on a private network, the global Internet or some other internet.
There is technically no need for these networks to share resources with the global internet if they have no intention to ever connect to, or communicate with nodes on, the global network.
This is where you are wrong. Primarily this is because firewalls make it possible for organizations to run a network which connects to BOTH the global Internet and one or more private Internets without allowing any traffic to transit between these networks or any routing information to leak between these networks. Nevertheless, the network in the middle needs to use globally unique addresses and both RFC 1918 and RFC 2050 explicitly account for such networks. If a network interconnects with other networks it is *NOT* a private network and therefore it requires globally unique identifiers.
Wrong. RIRs have no authority outside the resources they've been assigned from the global pool, and certainly not over networks not connected to the global internet. RIR's are (as anybody else) free to take part in the process of developing global policies.
RIRs have no authority over networks connected to the global Internet either. RIRs are part of a system of self-regulation, not government regulation, and therefore have no authority other than the consent of their members.
Anybody is free to build their own separate networks and use IP-technology as they want, but internet registries have no obligation to administer their resources.
You seem to think that the Internet was created before there were nascent RIRs managing internet numbering. It was the other way around. Right from the beginning when IP, the internetwork protocol, was designed, there was an understanding of the need to COORDINATE numbering resources. After a while, so many of the young internetworks connected together that people started to think and speak of one single global Internet. This is a nice result but IP does not belong to *ONLY* those organizations who connect to the global Internet. It is more general than that. Even though the Internet is the major revenue source for most of the companies in which NANOG members work, these companies also operate important IP networks which are *NOT* the Internet. It is important to remember this, especially when talking about ARIN and other RIRs, ICANN, the IETF, etc. None of these organizations serve the global Internet exclusively. They serve the body of protocols which make the Internet, and other internets, possible. --Michael Dillon
On Tue, 2005-11-08 at 14:48 +0000, Michael.Dillon@btradianz.com wrote:
With no shortage of resources (in this case AS-numbers and IP-addresses) we wouldn't have this discussion. Then nobody would care how an organisation is using the resources that are allocated to them.
Thankfully there is no shortage of IP addresses and there will be no shortage of AS numbers. The factory has already ramped up production of IPv6 addresses and warehouses are full. Designs for the new version AS numbers are just about past engineering review and the factory is ready to begin production.
Nobody is questioning the advantages of globally unique identifiers. However, administrative resources for the internet are primarily meant to serve the public.
And the public *IS* being served by the diversity of applications and networks which use the Internet Protocol. The public is served regardless of whether the device is on a private network, the global Internet or some other internet.
There is technically no need for these networks to share resources with the global internet if they have no intention to ever connect to, or communicate with nodes on, the global network.
This is where you are wrong. Primarily this is because firewalls make it possible for organizations to run a network which connects to BOTH the global Internet and one or more private Internets without allowing any traffic to transit between these networks or any routing information to leak between these networks. Nevertheless, the network in the middle needs to use globally unique addresses and both RFC 1918 and RFC 2050 explicitly account for such networks. If a network interconnects with other networks it is *NOT* a private network and therefore it requires globally unique identifiers.
... which is why I specifically said "no intention to ever connect to, or communicate with nodes on, the global network". In which case overlaps in address blocks are irrelevant, as is any mention of NAT and firewalls, as there is no connection (direct or indirect) between the networks.
Wrong. RIRs have no authority outside the resources they've been assigned from the global pool, and certainly not over networks not connected to the global internet. RIR's are (as anybody else) free to take part in the process of developing global policies.
RIRs have no authority over networks connected to the global Internet either. RIRs are part of a system of self-regulation, not government regulation, and therefore have no authority other than the consent of their members.
Authority wasn't the right word perhaps ;) "Operating context" may be a better term.
Anybody is free to build their own separate networks and use IP-technology as they want, but internet registries have no obligation to administer their resources.
You seem to think that the Internet was created before there were nascent RIRs managing internet numbering.
Nope, when I started networking there was no global network worth connecting to, and SNA, DECnet or IPX nodes worldwide outnumbered IP by 1000 to one or more. RFC1918 wasn't even on the horizon and there were lots of ad-hoc built IP networks using randomly selected addresses. Internet governance was handled by a handful of people in IANA.
It was the other way around. Right from the beginning when IP, the internetwork protocol, was designed, there was an understanding of the need to COORDINATE numbering resources. After a while, so many of the young internetworks connected together that people started to think and speak of one single global Internet. This is a nice result but IP does not belong to *ONLY* those organizations who connect to the global Internet. It is more general than that.
Sure, and that's why you need to separate the technology administered through the IETF from *one* particular implementation of it which happens to be coordinated by a hierarchy of organisations under the "ICANN umbrella". Those who don't want to take part in this hierarchy or communicate with its network are free to organise their own in whatever way they please.
Even though the Internet is the major revenue source for most of the companies in which NANOG members work, these companies also operate important IP networks which are *NOT* the Internet. It is important to remember this, especially when talking about ARIN and other RIRs, ICANN, the IETF, etc. None of these organizations serve the global Internet exclusively. They serve the body of protocols which make the Internet, and other internets, possible.
technology != implementation //Per
... which is why I specifically said "no intention to ever connect to, or communicate with nodes on, the global network". In which case overlaps in address blocks are irrelevant, as is any mention of NAT and firewalls, as there is no connection (direct or indirect) between the networks.
The only case that I am aware of where there is truly *NO* intention to ever connect to the global Internet is military networks. When I was referring to other internets I did not have military networks in mind. In every other case that I am aware of, the participants in the internet also maintain connectivity to the Internet via alternate paths. --Michael Dillon
Thus spake <Michael.Dillon@btradianz.com>
... which is why I specifically said "no intention to ever connect to, or communicate with nodes on, the global network". In which case overlaps in address blocks are irrelevant, as is any mention of NAT and firewalls, as there is no connection (direct or indirect) between the networks.
The only case that I am aware of where there is truly *NO* intention to ever connect to the global Internet is military networks. When I was referring to other internets I did not have military networks in mind.
In every other case that I am aware of, the partcipants in the internet also maintain connectivity to the Internet via alternate paths.
I've personally dealt with private networks that had no intent of ever connecting to the Internet, though they were connected to other internal networks that did have such connectivity and to business partners (over private links) that probably did as well. One I still have nightmares about was a mess of eight (yes, eight) instances of 10/8 which were dynamically NATed to class B addresses to reach common servers and for communication to various partners, with a few tens of thousands of static NAT entries for devices that needed to be polled. I suppose if those private networks had had a default route (they didn't) and there were no firewalls in the way (there were) they could have reached the Internet, but at the time it was designed there was no intent to ever allow such. Too bad the equipment we had to support didn't understand IPv6, or we could have gotten away with using the site-local prefix (or, later, ULAs) and no NAT at all.

S

Stephen Sprunk        "Stupid people surround themselves with smart
CCIE #3723            people. Smart people surround themselves with
K5SSS                 smart people who disagree with them." --Aaron Sorkin
On Tue, Nov 08, 2005 at 04:29:18PM +0100, Per Heldal wrote: ...
... which is why I specifically said "no intention to ever connect to, or communicate with nodes on, the global network". In which case overlaps in address blocks are irrelevant, as is any mention of NAT and firewalls, as there is no connection (direct or indirect) between the networks. ...
(1) Intentions change. As does ownership and therefore required connectivity. (2) Unique name spaces (from IP address or ASN spaces) are also used to verify that there is no leakage between two internets which one desires to keep separate. From a technical point of view, that may be considered a waste of the name spaces that could be used redundantly on both networks; from a security point of view ... it's one way to get the job done. I do think that hundreds of ASNs fall in these categories, I can't guess whether thousands do. -- Joe Yao ----------------------------------------------------------------------- This message is not an official statement of OSIS Center policies.
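The two points above lend themselves to a concrete check. What follows is an added example, not code from anyone in this thread: a Python script that (for point 1) lists every prefix overlap between the route tables of two internets that might one day be joined, and (for point 2) treats the address blocks and ASNs declared for a private extranet as a name space that must never show up on the public side, so any entry that does is evidence of a leak through a filter or firewall. The route tables, the prefixes (all from documentation ranges) and the ASNs are constructed for illustration and are not taken from the thread.

```python
"""Check two IP internets for route leakage and address-plan overlap.

Added example; the route tables, prefixes and ASNs below are constructed
for illustration and are not from the thread or from any real network.
"""
import ipaddress

# Private-use ASN ranges (RFC 1930 for 16-bit; RFC 6996 adds the 32-bit range).
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))

# Constructed route tables: (prefix, origin ASN) as seen on a router with a
# view of the public Internet, and on a router inside a private extranet.
PUBLIC_TABLE = [
    ("203.0.113.0/24", 64496),
    ("198.51.100.0/24", 64497),
    ("192.0.2.128/25", 65002),     # extranet prefix and ASN on the public side: leak
    ("198.51.100.128/25", 65001),  # public block originated by an extranet ASN: leak
]
PRIVATE_TABLE = [
    ("10.0.0.0/8", 65001),
    ("192.0.2.0/24", 65002),
    ("198.51.100.0/24", 64497),    # dual-connected member's own block: legitimate on both
]

# Name space declared for the extranet only. Keeping it disjoint from the
# public side is what makes leak detection possible at all (point 2 above).
EXTRANET_SPACE = {
    "prefixes": ["10.0.0.0/8", "192.0.2.0/24"],
    "asns": {65001, 65002},
}


def _covers(outer, inner):
    """True if `inner` lies inside (or equals) `outer`; mixed families never match."""
    return outer.version == inner.version and inner.subnet_of(outer)


def find_overlaps(table_a, table_b):
    """Pairs of prefixes, one from each table, where one covers the other.

    Non-empty output is not automatically a leak: a member connected to both
    internets legitimately appears in both tables. It is the list to review
    before the two internets are ever joined (point 1 above).
    """
    hits = []
    for prefix_a, _ in table_a:
        net_a = ipaddress.ip_network(prefix_a)
        for prefix_b, _ in table_b:
            net_b = ipaddress.ip_network(prefix_b)
            if _covers(net_a, net_b) or _covers(net_b, net_a):
                hits.append((prefix_a, prefix_b))
    return hits


def is_private_asn(asn):
    """True for ASNs in the private-use ranges, which should never reach the public side."""
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def find_leaks(public_table, reserved):
    """Entries in `public_table` that use identifiers reserved for the extranet.

    A prefix inside a reserved block, or a route originated by a reserved or
    private-use ASN, should never be visible on the public side; each such
    entry is evidence that a filter between the two internets failed.
    """
    reserved_nets = [ipaddress.ip_network(p) for p in reserved["prefixes"]]
    leaks = []
    for prefix, asn in public_table:
        net = ipaddress.ip_network(prefix)
        in_reserved_block = any(_covers(r, net) for r in reserved_nets)
        if in_reserved_block or asn in reserved["asns"] or is_private_asn(asn):
            leaks.append((prefix, asn))
    return leaks


if __name__ == "__main__":
    for pair in find_overlaps(PUBLIC_TABLE, PRIVATE_TABLE):
        print("overlap:", pair)
    for prefix, asn in find_leaks(PUBLIC_TABLE, EXTRANET_SPACE):
        print(f"leak: {prefix} originated by AS{asn} is visible on the public side")
```

On the sample data the overlap check reports three pairs, one of which is the dual-connected member's own block appearing on both sides, which is exactly the case the thread describes as legitimate; the leak check reports only the two entries that use identifiers reserved for the extranet. That difference is the practical content of point (2): an overlap list cannot tell a leak from deliberate dual connectivity, whereas a declared, disjoint name space can.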
participants (5): Henk Uijterwaal, Joseph S D Yao, Michael.Dillon@btradianz.com, Per Heldal, Stephen Sprunk