On Sun, Jan 24, 2021 at 4:22 AM JORDI PALET MARTINEZ via NANOG <
nanog@nanog.org> wrote:
[...]
> So, you end up with 2-3 RIRs allocations, not 5. And the real situation is
> that 3 out of 5 RIRs communities, decided to be more relaxed on that
> requirement, so you don’t need actually more than 1 or may be 2
> allocations. Of course, we are talking “in the past” because if we are
> referring to IPv4 addresses, you actually have a different problem trying
> to get them from the RIRs.
>
Hi Jordi,
I've adjusted the subject line to reflect the real thrust of this
discussion.
You're right--if we're trying to get "new" allocations of IPv4 addresses,
we've got bigger problems to solve.
But when it comes to IPv6 address blocks and ASNs, these questions are
still very relevant.
And, going back to the original article that spawned the parent thread, the
problem wasn't about companies requesting *new* blocks, it was about the
usage of old, already granted blocks that were now being reclaimed.
Historically, ISPs have focused on ensuring their usage of IP space
reflected the then-current requirements at the time the blocks were
requested. This action by Ron, well-intentioned as it is, raises a new
challenge for ISPs: network numbering decisions that were made in the
past, which may have been done perfectly according to the guidelines in
place at the time the blocks were assigned, may later on violate *newly
added* requirements put in place by RIRs. How many global networks
allocate manpower and time cycles to potentially renumbering portions of
their network each time a new policy is put in place at an RIR that makes
previously-conforming addressing topologies no longer conforming?
Historically, once addresses were granted by an RIR, and the exercise of
ensuring all the requirements were met, and the addresses were in place,
that was it; nobody went back every time a new policy was put in place and
re-audited the network to ensure it was still in compliance, and did the
work to bring it back into compliance if the new policy created violations,
because the RIRs generally didn't go back to see if new policies had been
retroactively applied to all member networks.
Ron's actions have now put every network on notice; it wasn't good enough
to be in compliance at the time you obtained your address space, you MUST
re-audit your network any time new policies are put into force by the RIR
in a region in which you do business, or your address space may be revoked
due to retroactive application of the new policy against addresses you have
already put into use.
This is a bigger deal that I think many people on the list are first
grasping.
We grow up accustomed to the notion that laws can't be applied
retroactively. If you smoked pot last year, before it was criminalized,
they can't arrest you this year after a new law was passed for smoking it
before the law was passed.
In the DDoS-guard case, the address blocks in question seem to have been
granted by LACNIC nearly a decade ago back in 2013, under whatever policies
were in force at the time. But they're being revoked and reclaimed based
on the policies that are in place *now*, nearly a decade later.
It sends a very clear message--it's not enough to be in compliance with
policies at the time the addresses are granted. New policies can and will
be applied retroactively, so decisions you made in the past that were valid
and legal, may now be invalid, and subject you to revocation. It's bad
enough when it's your own infrastructure that you have some control over
that you may need to re-number; woe to you if you assign address blocks to
*customers* in a manner that was valid under previous policy, but is no
longer valid under new policies--you get to go back to your customers, and
explain that *they* now have to redo their network addressing so that it is
in compliance, in order for *you* to be in compliance with the new
policies. Otherwise, you can *all* end up losing your IP address blocks.
So--while I think Ron's actions were done with the best of intentions, I
think the fallout from those actions should be sending a chill down the
spine of every network operator who obtained address blocks under policies
in place a decade ago that hasn't gone back and re-audited their network
for compliance after ever subsequent policy decision.
What if one of *your* customers falls into Ron's spotlight; is the rest of
your network still in compliance with every RIR policy passed in the years
or decades since the addresses were allocated? Are you at risk of having
chunks of your IP space revoked?
I know this sets a precedent *I* find frightening. If it isn't scaring
you, either you don't run a network, or I suspect you haven't thought all
the way through how it could impact your business at some unforeseen point
in the future, when a future policy is passed. :/
Thanks!
Matt
nanog@nanog.org> wrote:
[...]
> So, you end up with 2-3 RIRs allocations, not 5. And the real situation is
> that 3 out of 5 RIRs communities, decided to be more relaxed on that
> requirement, so you don’t need actually more than 1 or may be 2
> allocations. Of course, we are talking “in the past” because if we are
> referring to IPv4 addresses, you actually have a different problem trying
> to get them from the RIRs.
>
Hi Jordi,
I've adjusted the subject line to reflect the real thrust of this
discussion.
You're right--if we're trying to get "new" allocations of IPv4 addresses,
we've got bigger problems to solve.
But when it comes to IPv6 address blocks and ASNs, these questions are
still very relevant.
And, going back to the original article that spawned the parent thread, the
problem wasn't about companies requesting *new* blocks, it was about the
usage of old, already granted blocks that were now being reclaimed.
Historically, ISPs have focused on ensuring their usage of IP space
reflected the then-current requirements at the time the blocks were
requested. This action by Ron, well-intentioned as it is, raises a new
challenge for ISPs: network numbering decisions that were made in the
past, which may have been done perfectly according to the guidelines in
place at the time the blocks were assigned, may later on violate *newly
added* requirements put in place by RIRs. How many global networks
allocate manpower and time cycles to potentially renumbering portions of
their network each time a new policy is put in place at an RIR that makes
previously-conforming addressing topologies no longer conforming?
Historically, once addresses were granted by an RIR, and the exercise of
ensuring all the requirements were met, and the addresses were in place,
that was it; nobody went back every time a new policy was put in place and
re-audited the network to ensure it was still in compliance, and did the
work to bring it back into compliance if the new policy created violations,
because the RIRs generally didn't go back to see if new policies had been
retroactively applied to all member networks.
Ron's actions have now put every network on notice; it wasn't good enough
to be in compliance at the time you obtained your address space, you MUST
re-audit your network any time new policies are put into force by the RIR
in a region in which you do business, or your address space may be revoked
due to retroactive application of the new policy against addresses you have
already put into use.
This is a bigger deal that I think many people on the list are first
grasping.
We grow up accustomed to the notion that laws can't be applied
retroactively. If you smoked pot last year, before it was criminalized,
they can't arrest you this year after a new law was passed for smoking it
before the law was passed.
In the DDoS-guard case, the address blocks in question seem to have been
granted by LACNIC nearly a decade ago back in 2013, under whatever policies
were in force at the time. But they're being revoked and reclaimed based
on the policies that are in place *now*, nearly a decade later.
It sends a very clear message--it's not enough to be in compliance with
policies at the time the addresses are granted. New policies can and will
be applied retroactively, so decisions you made in the past that were valid
and legal, may now be invalid, and subject you to revocation. It's bad
enough when it's your own infrastructure that you have some control over
that you may need to re-number; woe to you if you assign address blocks to
*customers* in a manner that was valid under previous policy, but is no
longer valid under new policies--you get to go back to your customers, and
explain that *they* now have to redo their network addressing so that it is
in compliance, in order for *you* to be in compliance with the new
policies. Otherwise, you can *all* end up losing your IP address blocks.
So--while I think Ron's actions were done with the best of intentions, I
think the fallout from those actions should be sending a chill down the
spine of every network operator who obtained address blocks under policies
in place a decade ago that hasn't gone back and re-audited their network
for compliance after ever subsequent policy decision.
What if one of *your* customers falls into Ron's spotlight; is the rest of
your network still in compliance with every RIR policy passed in the years
or decades since the addresses were allocated? Are you at risk of having
chunks of your IP space revoked?
I know this sets a precedent *I* find frightening. If it isn't scaring
you, either you don't run a network, or I suspect you haven't thought all
the way through how it could impact your business at some unforeseen point
in the future, when a future policy is passed. :/
Thanks!
Matt