Removal of multihomed requirement for IPv6
Hi All,

I support this proposal. To have 2 ISPs is not a cheap solution. What if you have 2 ISPs, you are not satisfied with the services offered by one of them, and you decide to have only 1 ISP? You cannot use IPv6 PI space. What if you want to change to another ISP? You have to renumber a lot of IP addresses and update firewalls and more. I think that keeping the multihoming requirement for IPv6 PI space prevents deployment of IPv6, especially for small end users (customers).

Mikael Abrahamsson,
Why do you think: "50 EUR PI with no technical requirements for multihoming or other is a recipe for longterm disaster in my book." ? 50 Eur works today for IPv4 PI space as well.

Thank you
Best regards
Pavol Kovac

-----Original Message-----
From: address-policy-wg-admin@ripe.net [mailto:address-policy-wg-admin@ripe.net] On Behalf Of address-policy-wg-request@ripe.net
Sent: Friday, May 06, 2011 12:00 PM
To: address-policy-wg@ripe.net
Subject: address-policy-wg digest, Vol 1 #1313 - 14 msgs

Today's Topics:

1. On the agenda for tomorrow: 2008-08 (Initial Certification Policy in the RIPE NCC Service Region) (Sander Steffann)
2. Re: 2011-02 New Policy Proposal (Removal of multihomed requirement for IPv6) (Mikael Abrahamsson)
3. Legal counsel on 2008-08 (Initial Certification Policy in the RIPE NCC Service Region) (Sander Steffann)
4. RE: 2011-02 New Policy Proposal (Removal of multihomed requirement for IPv6) (poty@iiat.ru)
5. Re: Legal counsel on 2008-08 (Initial Certification Policy in the RIPE NCC Service Region) (Mikael Abrahamsson)
6. Re: 2011-02 New Policy Proposal (Removal of multihomed requirement for IPv6) (Vegar Løvås)
7. Re: Legal counsel on 2008-08 (Initial Certification Policy in the RIPE NCC Service Region) (Malcolm Hutty)
8. pointer to ietf sidr wg (Randy Bush)
9. Re: Legal counsel on 2008-08 (Initial Certification Policy in the RIPE NCC Service Region) (boggits)

--__--__--

Message: 1
From: Sander Steffann <sander@steffann.nl>
Date: Thu, 5 May 2011 16:44:41 +0200
To: "address-policy-wg@ripe.net Working Group" <address-policy-wg@ripe.net>
Subject: [address-policy-wg] On the agenda for tomorrow: 2008-08 (Initial Certification Policy in the RIPE NCC Service Region)

Hello WG,

We will have a discussion about 2008-08 (Initial Certification Policy in the RIPE NCC Service Region) on the agenda for tomorrow's address policy session at RIPE 62. We also will have a short presentation there about the issues that have been discussed on this mailing list over the last couple of days. The session is from 9:00 to 10:30 and remote participation is possible at http://ripe62.ripe.net/live/main.

Thank you,
Sander Steffann
APWG co-chair

--__--__--

Message: 2
Date: Thu, 5 May 2011 19:30:27 +0200 (CEST)
From: Mikael Abrahamsson <swmike@swm.pp.se>
To: address-policy-wg@ripe.net
cc: policy-announce@ripe.net
Subject: Re: [address-policy-wg] 2011-02 New Policy Proposal (Removal of multihomed requirement for IPv6)
Organization: People's Front Against WWW

On Fri, 15 Apr 2011, Emilio Madaio wrote:
We encourage you to review this proposal and send your comments to <address-policy-wg@ripe.net> before 13 May 2011.
As has been stated by me before, 50 EUR PI with no technical requirements for multihoming or other is a recipe for longterm disaster in my book.

I strongly oppose.

--
Mikael Abrahamsson email: swmike@swm.pp.se

--__--__--

Message: 3
From: Sander Steffann <sander@steffann.nl>
Date: Fri, 6 May 2011 08:43:56 +0200
To: "address-policy-wg@ripe.net Working Group" <address-policy-wg@ripe.net>
Subject: [address-policy-wg] Legal counsel on 2008-08 (Initial Certification Policy in the RIPE NCC Service Region)

Hello WG,

I asked the RIPE NCC to get legal counsel on the possibilities of a court ordering the RIPE NCC to revoke or confiscate RPKI certificates. Here is the full answer we received:

==========

The RIPE NCC is an association under Dutch law and therefore subject to the Dutch legislation. RIPE NCC has consulted several external lawyers, and has obtained an analysis of the legal situation based on current, existing Dutch legislation. This analysis takes into account Dutch Criminal, Civil and Administrative law.

Certificates are directly linked to the registration of the Internet number resources.

There is no specific Dutch legislation that can be used to order the deregistration of Internet number resources or change the registration details of Internet number resources. Nor is there any legislation that applies to the revocation of certificates over Internet number resources.

In the absence of such legislation, a court cannot order the revocation of certificates.

It is the RIPE NCC's view, based on this analysis, that the RIPE NCC cannot be ordered to revoke resource certificates.

==========

Of course laws can change, but the advice above may address some of the concerns raised about the RPKI infrastructure.

Sander Steffann
APWG co-chair

--__--__--

Message: 4
Subject: RE: [address-policy-wg] 2011-02 New Policy Proposal (Removal of multihomed requirement for IPv6)
Date: Fri, 6 May 2011 10:59:44 +0400
From: <poty@iiat.ru>
To: <swmike@swm.pp.se>, <address-policy-wg@ripe.net>
Cc: <policy-announce@ripe.net>

According to my messages to the WG earlier and taking into good consideration of the point of view of Mikael Abrahamsson I oppose the policy too.

Vladislav Potapov
IIAT, Ltd.

-----Original Message-----
From: address-policy-wg-admin@ripe.net [mailto:address-policy-wg-admin@ripe.net] On Behalf Of Mikael Abrahamsson
Sent: Thursday, May 05, 2011 9:30 PM
To: address-policy-wg@ripe.net
Cc: policy-announce@ripe.net
Subject: Re: [address-policy-wg] 2011-02 New Policy Proposal (Removal of multihomed requirement for IPv6)

On Fri, 15 Apr 2011, Emilio Madaio wrote:
We encourage you to review this proposal and send your comments to <address-policy-wg@ripe.net> before 13 May 2011.

As has been stated by me before, 50 EUR PI with no technical requirements for multihoming or other is a recipe for longterm disaster in my book.

I strongly oppose.

--
Mikael Abrahamsson email: swmike@swm.pp.se

--__--__--

Message: 5
Date: Fri, 6 May 2011 09:01:27 +0200 (CEST)
From: Mikael Abrahamsson <swmike@swm.pp.se>
To: Sander Steffann <sander@steffann.nl>
cc: "address-policy-wg@ripe.net Working Group" <address-policy-wg@ripe.net>
Subject: Re: [address-policy-wg] Legal counsel on 2008-08 (Initial Certification Policy in the RIPE NCC Service Region)
Organization: People's Front Against WWW

On Fri, 6 May 2011, Sander Steffann wrote:
In the absence of such legislation, a court cannot order the revocation of certificates.
In several countries, we've seen courts ordering ISPs to block accessibility to certain sites involving not using DNS names (Denmark and thepiratebay.org for instance, or the domain names transferred to US authorities just a few months ago) or block access IP-wise (Black Internet in Sweden). I am sure there was no specific law handling this, but the laws at least in these countries are flexible enough that other laws can be used to order things around.
Of course laws can change, but the advice above may address some of the concerns raised about the RPKI infrastructure.
It's good that it has been answered for Dutch law, I wonder what equivalent question would have been answered in Sweden and Denmark or the US 5 years ago.

--
Mikael Abrahamsson email: swmike@swm.pp.se

--__--__--

Message: 6
Date: Fri, 06 May 2011 09:13:49 +0200
From: Vegar Løvås <vegar@rentarack.no>
To: address-policy-wg@ripe.net
Subject: Re: [address-policy-wg] 2011-02 New Policy Proposal (Removal of multihomed requirement for IPv6)

I agree with this proposal.

--
Best regards
Vegar Løvås
Rent a Rack AS

On 15.04.2011 11:22, Emilio Madaio wrote:
Dear Colleagues,
A proposed change to the RIPE Document ripe-512, "IPv6 Address Allocation and Assignment Policy", is now available for discussion.
You can find the full proposal at:
http://www.ripe.net/ripe/policies/proposals/2011-02
We encourage you to review this proposal and send your comments to <address-policy-wg@ripe.net> before 13 May 2011.
Regards
Emilio Madaio Policy Development Officer RIPE NCC
--__--__--

Message: 7
Date: Fri, 06 May 2011 08:28:44 +0100
From: Malcolm Hutty <malcolm@linx.net>
To: address-policy-wg@ripe.net
Subject: Re: [address-policy-wg] Legal counsel on 2008-08 (Initial Certification Policy in the RIPE NCC Service Region)

On 06/05/2011 07:43, Sander Steffann wrote:
There is no specific Dutch legislation that can be used to order the deregistration of Internet number resources or change the registration details of Internet number resources. Nor is there any legislation that applies to the revocation of certificates over Internet number resources.

In the absence of such legislation, a court cannot order the revocation of certificates.

It is the RIPE NCC's view, based on this analysis, that the RIPE NCC cannot be ordered to revoke resource certificates.
There are a couple of other possible current vectors, as well as the question of future legislation.

1. Legal counsel referred to the lack of legislation that specifically mentioned revocation of certificates. Most of the existing and draft legislation I know of (not Dutch, but some EU) refers instead to "preventing access to Internet [locations/sites/content]". As a generalisation, courts will not normally order someone to do something utterly outside their power, but may order someone to take such steps as they are able to achieve an end if they are seen as being able to make a significant contribution, even if that contribution won't be wholly successful. For example, courts sometimes order newspapers and broadcasters not to publish information, even though they know the information may end up being published online.

Right now it is commonly said that RIPE NCC does not have control over routing, so a court would be unlikely to order the RIPE NCC to prevent access to an Internet location. If, as a result of this policy, RIPE NCC is seen to have the capability to significantly reduce the reachability of an Internet location, a court might be willing to order it to "prevent access to the location" to the extent that it is able. No explicit mention need be made of certificate revocation.

2. Within some jurisdictions LEAs argue that Internet intermediaries are themselves criminally liable if they "facilitate" criminal activity by refusing to prevent access to an Internet location where criminal activity is ongoing, once they have been informed of the criminal activity. Intermediaries are thus induced to block access without a court order being necessary. Within the EU, network operators have special protection against this threat from the E-Commerce Directive as "mere conduits", but unfortunately registries like the RIPE NCC probably do not fit the definition of "mere conduit".

In the UK, Nominet (the .uk ccTLD registry) has been induced to suspend domain registrations using this argument. RIPE NCC might in future be exposed to the same pressure.

3. Finally, new legislation not only /could/ be created, but most certainly will. The Netherlands is subject to EU law. Whether such new law would affect the RIPE NCC we cannot be certain, but I am certain that the only thing restraining lobbyists is a lack of awareness of the existence of RIPE NCC (and awareness is increasing), and a belief that the RIPE NCC has no relevant technical capability, which this policy would change.

--
Malcolm Hutty | tel: +44 20 7645 3523
Head of Public Affairs | Read the LINX Public Affairs blog
London Internet Exchange | http://publicaffairs.linx.net/

London Internet Exchange Ltd
Maya House, 134-138 Borough High Street, London SE1 1LB

Company Registered in England No. 3137929
Trinity Court, Trinity Street, Peterborough PE1 1DA

--__--__--

Message: 8
Date: Fri, 06 May 2011 10:23:36 +0200
From: Randy Bush <randy@psg.com>
To: RIPE address policy WG <address-policy-wg@ripe.net>
Subject: [address-policy-wg] pointer to ietf sidr wg

as requested by gert, here are pointers to the work of the sidr wg of the ietf

main page of wg == documents
http://datatracker.ietf.org/wg/sidr/

charter of sidr wg
http://datatracker.ietf.org/wg/sidr/charter/

mailing list
http://www.ietf.org/mail-archive/web/sidr/current/maillist.html

if i can be of help in navigation or interpretation, feel free to write to me

randy, just another bozo on the routing security bus

--__--__--

Message: 9
Date: Fri, 6 May 2011 11:06:44 +0200
Subject: Re: [address-policy-wg] Legal counsel on 2008-08 (Initial Certification Policy in the RIPE NCC Service Region)
From: boggits <boggits@gmail.com>
Cc: "address-policy-wg@ripe.net Working Group" <address-policy-wg@ripe.net>

On 6 May 2011 08:43, Sander Steffann <sander@steffann.nl> wrote:
Of course laws can change, but the advice above may address some of the concerns raised about the RPKI infrastructure.
This is indeed true but misses the point that laws tend to exist either when there is an actual 'thing' to make laws about or are framed in such a way to allow the courts the latitude to include 'new things' in the same piece of legislation. Since RPKI is not currently a 'thing' but rather a 'new thing' I would be wary of relying on legal opinion that says:

"There is no specific Dutch legislation that can be used to order the deregistration of Internet number resources or change the registration details of Internet number resources. Nor is there any legislation that applies to the revocation of certificates over Internet number resources."

What you are looking for is legislation (as pointed out by Malcolm) that can be used to restrict/control access to the internet which appears to exist at least at a European level

J
--
James Blessing
07989 039 476

End of address-policy-wg Digest
On Fri, 6 May 2011, ABS EMEA NIC - IPA Support AT&T wrote:
Why do you think: "50 EUR PI with no technical requirements for multihoming or other is a recipe for longterm disaster in my book." ? 50 Eur works today for IPv4 PI space as well.
As far as I know there is still multihoming requirement for IPv4 PI.

And if you have read my other email, I am extremely sceptical about the global routing system being able to handle the hundreds of thousands of PI blocks I believe we're going to see if this policy changes.

We need other means for people to easily change addresses and multihome, shoving this into the global routing system is not the right longterm solution.

--
Mikael Abrahamsson email: swmike@swm.pp.se
Hi, On Fri, May 06, 2011 at 03:24:55PM +0200, Mikael Abrahamsson wrote:
On Fri, 6 May 2011, ABS EMEA NIC - IPA Support AT&T wrote:
Why do you think: "50 EUR PI with no technical requirements for multihoming or other is a recipe for longterm disaster in my book." ? 50 Eur works today for IPv4 PI space as well.
As far as I know there is still multihoming requirement for IPv4 PI.
No. Never was.

http://www.ripe.net/ripe/docs/ripe-509#----pa-vs--pi-address-space

The IPv6 PI policy that we currently have is significantly more restrictive than the IPv4 PI policy, specifically because the working group at that time decided that we don't know whether the routing table will explode.

We still don't know, but given that IPv4 PI is much less restrictive, IPv4 PI is only contributing 21% of the BGP routes in the RIPE region, and the restrictive IPv6 PI policy is holding up deployment plans, people are asking to get this changed.

Gert Doering -- APWG chair
--
did you enable IPv6 on something today...?

SpaceNet AG, Joseph-Dollinger-Bogen 14, D-80807 Muenchen, Tel: +49 (89) 32356-444
Management Board: Sebastian v. Bomhard
Supervisory Board Chair: A. Grundner-Culemann
HRB: 136055 (AG Muenchen)
VAT ID: DE813185279
On Fri, 6 May 2011, Gert Doering wrote:
We still don't know, but given that IPv4 PI is much less restrictive, IPv4 PI is only contributing 21% of the BGP routes in the RIPE region, and the restrictive IPv6 PI policy is holding up deployment plans, people are asking to get this changed.
<meetings.ripe.net/ripe-53/presentations/address_space.pdf> seems to indicate that it's 59% ?

Is there newer data available that shows what's happened since 2011 that could be had?

--
Mikael Abrahamsson email: swmike@swm.pp.se
On May 7, 2011, at 05:31, Mikael Abrahamsson wrote:
On Fri, 6 May 2011, Gert Doering wrote:
We still don't know, but given that IPv4 PI is much less restrictive, IPv4 PI is only contributing 21% of the BGP routes in the RIPE region, and the restrictive IPv6 PI policy is holding up deployment plans, people are asking to get this changed.
<meetings.ripe.net/ripe-53/presentations/address_space.pdf> seems to indicate that it's 59% ? Is there newer data available that shows what's happened since 2011 that could be had?
Dear Mikael,

The 59% is the number of IPv4 PI assignments that the RIPE NCC made at the time. Looking at the IPv4 numbers today, we find:

- Using 1996 as a start date for counting, the RIPE NCC has allocated 15k prefixes to LIRs and assigned 16k prefixes as PI
- In 2011 so far, 57% of all prefixes given out were PI

In the BGP routing table the de-aggregation levels are much higher for PA allocations than for PI assignments though, 1:3.8 for PA allocations and 1:1.1 for PI assignments. This is the 21% number that Gert quotes.

Best regards,
Alex Le Heux
RIPE NCC
On Sat, 7 May 2011, Alex Le Heux wrote:
In the BGP routing table the de-aggregation levels are much higher for PA allocations than for PI assignments though, 1:3.8 for PA allocations and 1:1.1 for PI assignments. This is the 21% number that Gert quotes.
Ok.

So the expectation from these numbers is that since v4 PI doesn't require multihoming, removing this from the v6 PI requirement wouldn't really mean that more people getting v6 PI than are currently doing v4 PI?

Is there anything else that might be different with v6 PI without multihoming compared to v4 PI that means current and historic v4 PI numbers might not be indicative of future v6 PI behaviour?

--
Mikael Abrahamsson email: swmike@swm.pp.se
Hay, On 07.05.2011 at 08:18, Mikael Abrahamsson wrote:
On Sat, 7 May 2011, Alex Le Heux wrote:
In the BGP routing table the de-aggregation levels are much higher for PA allocations than for PI assignments though, 1:3.8 for PA allocations and 1:1.1 for PI assignments. This is the 21% number that Gert quotes.
Ok.
So the expectation from these numbers is that since v4 PI doesn't require multihoming, removing this from the v6 PI requirement wouldn't really mean that more people getting v6 PI than are currently doing v4 PI?
Is there anything else that might be different with v6 PI without multihoming compared to v4 PI that means current and historic v4 PI numbers might not be indicative of future v6 PI behaviour?
maybe the fact that IPv4 PI (+ASNs) were for free until very recently and now actually cost money AND - much worse - you have to hassle with a stupid contract? (i still hate the NCC for the latter :-) but - that's another story).

So i expect actually LESS IPv6 PI deployment overall anyways for the foreseeable future.

...and then i hope we get rid of the PI vs. PA distinction as per Gert's presented suggestion during RIPE62.

--
Kind Regards

Sascha Lenz [SLZ-RIPE]
Senior System- & Network Architect
* Mikael Abrahamsson
Is there anything else that might be different with v6 PI without multihoming compared to v4 PI that means current and historic v4 PI numbers might not be indicative of future v6 PI behaviour?
Well, anyone can easily justify the need for an IPv6 /48 as that's the minimum assignment size. The minimum IPv4 assignment size, on the other hand, is smaller than a /24, which means that an applicant would require 100s of devices on his network in order to qualify for an IPv4 PI assignment that can be actually routed on the internet.

--
Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com/
Tel: +47 21 54 41 27
On Sat, 7 May 2011, Tore Anderson wrote:
Well, anyone can easily justify the need for an IPv6 /48 as that's the minimum assignment size. The minimum IPv4 assignment size, on the other hand, is smaller than a /24, which means that an applicant would require 100s of devices on his network in order to qualify for an IPv4 PI assignment that can be actually routed on the internet.
Wow, I thought <http://www.ripe.net/ripe/policies/proposals/2006-05> was already passed to take care of that. Seems I was wrong again.

--
Mikael Abrahamsson email: swmike@swm.pp.se
Hi, On Sat, May 07, 2011 at 09:39:46AM +0200, Mikael Abrahamsson wrote:
Wow, I thought <http://www.ripe.net/ripe/policies/proposals/2006-05> was already passed to take care of that. Seems I was wrong again.
Got stuck in the apparatus. Sorry for that, we're working on it again.

It doesn't really keep people from getting a /24 if they really want it, and do not shy away from making up numbers - which is basically what the proposal is about: discourage lying to the NCC to work around policy restrictions.

Gert Doering -- NetMaster
--
did you enable IPv6 on something today...?

SpaceNet AG, Joseph-Dollinger-Bogen 14, D-80807 Muenchen, Tel: +49 (89) 32356-444
Management Board: Sebastian v. Bomhard
Supervisory Board Chair: A. Grundner-Culemann
HRB: 136055 (AG Muenchen)
VAT ID: DE813185279
Why do you think: "50 EUR PI with no technical requirements for multihoming or other is a recipe for longterm disaster in my book." ? 50 Eur works today for IPv4 PI space as well.
As far as I know there is still multihoming requirement for IPv4 PI.
And if you have read my other email, I am extremely sceptical about the global routing system being able to handle the hundreds of thousands of PI blocks I believe we're going to see if this policy changes.
We need other means for people to easily change addresses and multihome, shoving this into the global routing system is not the right longterm solution.
i am extremely wary of people changing addresses and multi-homing. what if, while they were changing addresses, a gang of hooligans stole the addresses just as they were changing them? or, if while they were multi-homing, a dutch court repossessed one of the homes? while this would not be a traditional home, being a new kind of home, the courts would have great latitude in its action.

randy
participants (7)
- ABS EMEA NIC - IPA Support AT&T
- Alex Le Heux
- Gert Doering
- Mikael Abrahamsson
- Randy Bush
- Sascha Lenz
- Tore Anderson