Mailing List Archive

Static IP addresses for Dial-up
Demon Internet Services provide an IP address for every dial-up
customer. Most other ISPs have taken the view that this is a waste of
valuable IP space and allocate IP addresses dynamically.

How should our industry respond to ISPs who behave selfishly and do
not take into account the good of the network?


Peter Dawe
Unipalm PIPEX
Re: Static IP addresses for Dial-up
Peter,

>--------- Text sent by Peter Dawe follows:
>
> Demon Internet Services provide an IP address for every dial-up
> customer. Most other ISPs have taken the view that this is a waste of
> valuable IP space and allocate IP addresses dynamically.
>
> How should our industry respond to ISPs who behave selfishly and do
> not take into account the good of the network?
>
>
> Peter Dawe
> Unipalm PIPEX
>

1. Speaking as IAB chair, I must state that the IAB has absolutely
no role to play in answering your question. Operational/commercial
issues are outside our mandate, whatever we might feel.

2. However, even without an IAB discussion, I can tell you that
we are in favour of technology that conserves address space and
facilitates renumbering.

Regards,
Brian Carpenter (IAB Chair) (brian@dxcoms.cern.ch)
voice +41 22 767 4967, fax +41 22 767 7155
Re: Static IP addresses for Dial-up
Date: Mon, 29 Jan 1996 11:15:32 +0100 (MET)
From: "Brian Carpenter CERN-CN" <brian@dxcoms.cern.ch>
Message-ID: <9601291015.AA08851@dxcoms.cern.ch>


> 1. [..] I must state that the IAB has absolutely no role [..]

Absolutely.

> 2. [..] I can tell you that we are in favour of technology
> that conserves address space and facilitates renumbering.

Again, absolutely.

I should say here though that that technology doesn't exist
yet. My brother happens to be a customer of Demon's. He
has one of those statically assigned IP addresses for a dial
up customer (he's just a PC at home and typically a few minutes
a day).

That sounds like a perfect place for a dynamic address, however,
if he had that, it would make life harder for me. With his
static address I can instal filters to give him more access to
my system at home (which is basically permanently connected, and
not a PC) than I allow all the rest of you. (For Tony's
benefit - no, this is not relying on source address filtering,
I actually filter the packets that my system sends out, I will
let it send packets to him that I won't let it send elsewhere,
which has basically the same effect).

While I have no doubt that not all of Demon's customers have
requirements or uses anything like this, simply outlawing
static addresses for dial up uses seems to me to be going a
little too far. At least until we have the mechanisms that
would make this need redundant (like dynamic DNS updates, and
IP security widely deployed), plus good renumbering.

Incidentally, absolutely no-one seems to doubt that if I have
two systems at home, on a baby-lan, I can have a /29 or /30
statically assigned to me (at 50% or less address efficiency),
but that if I have just one it seems I'm not supposed to have
a /32 (100% address efficiency). Weird...

kre
Re: Static IP addresses for Dial-up
> Demon Internet Services provide an IP address for every dial-up
> customer. Most other ISPs have taken the view that this is a waste
> of valuable IP space and allocate IP addresses dynamically.
> How should our industry respond to ISPs who behave selfishly and
> do not take into account the good of the network?
Is it just selfish or do they have good reasons?
Dynamic address assignment and (static!) access
control don't go very well together, which could
be a reason for static address assignment.


Piet
Re: Static IP addresses for Dial-up
At 9:36 PM 29/1/96, Robert Elz <kre@munnari.OZ.AU> wrote:

>Incidentally, absolutely no-one seems to doubt that if I have
>two systems at home, on a baby-lan, I can have a /29 or /30
>statically assigned to me (at 50% or less address efficiency),
>but that if I have just one it seems I'm not supposed to have
>a /32 (100% address efficiency). Weird...

Yes. Combine this with IP over Direct-TV, where the PC address must be
synchronized between the out-bound telephone channel (semi-permanent) and
the in-bound satellite channel (permanent). Also combine with IP mobility,
which assumes that the mobile is keeping its IP address while roaming.
Also combine with IP over CATv, where a PC at home has essentially the same
requirement as a PC at work.

All in all, at least one address per computer is a very reasonable goal,
one which we have zero reason to legislate away.

Christian Huitema
Re: Static IP addresses for Dial-up
On Mon, 29 Jan 1996, Piet Beertema wrote:

> Demon Internet Services provide an IP address for every dial-up
> customer. Most other ISPs have taken the view that this is a waste
> of valuable IP space and allocate IP addresses dynamically.
> How should our industry respond to ISPs who behave selfishly and
> do not take into account the good of the network?
> Is it just selfish or do they have good reasons?
> Dynamic address assignment and (static!) access
> control don't go very well together, which could
> be a reason for static address assignment.

Demon have spent a great deal of time and energy developing a
system which allows customers (who have individual IP addresses)
to dial in to any one of a number of PoPs and have their mail etc
automatically routed to them; the IP number is dynamically bound
to the particular modem they are coming in on at run time. They
are justifiably proud of this system. I believe that someone
from Demon has also pointed out that it is much more efficient
than the usual "class C per customer" approach, which assigns
256 addresses to half a dozen machines.

We strongly encourage our customers, most of whom are providers,
to use dynamic routing for dial up, but we can understand Demon's
situation ... and find it hard to condemn them when there are
so many more glaring examples of waste of IP address space.
--
Jim Dixon VBCnet GB Ltd +44 117 929 1316 fax +44 117 927 2015
VBCnet West +1 408 971 2682 fax +1 408 971 2684
Re: Static IP addresses for Dial-up
At 09:36 PM 1/29/96 +1100, Robert Elz wrote:

>
>That sounds like a perfect place for a dynamic address, however,
>if he had that, it would make life harder for me. With his
>static address I can instal filters to give him more access to
>my system at home (which is basically permanently connected, and
>not a PC) than I allow all the rest of you. (For Tony's
>benefit - no, this is not relying on source address filtering,
>I actually filter the packets that my system sends out, I will
>let it send packets to him that I won't let it send elsewhere,
>which has basically the same effect).
>

I can certainly understand the need for access control & security, but
with the use of a smart-card one-time password system, this is a moot
point.

- paul
Re: Static IP addresses for Dial-up
> Yes. Combine this with IP over Direct-TV, where the PC address must be
> synchronized between the out-bound telephone channel (semi-permanent) and
> the in-bound satellite channel (permanent). Also combine with IP mobility,
> which assumes that the mobile is keeping its IP address while roaming.
> Also combine with IP over CATv, where a PC at home has essentially the same
> requirement as a PC at work.
>
> All in all, at least one address per computer is a very reasonable goal,
> one which we have zero reason to legislate away.

I agree with Christian completely

Lixia
Re: Static IP addresses for Dial-up
Date: Mon, 29 Jan 1996 08:12:37 -0500
From: Paul Ferguson <pferguso@cisco.com>
Message-ID: <199601291311.FAA04274@lint.cisco.com>

> I can certainly understand the need for access control & security, but
> with the use of a smart-card one-time password system, this is a moot
> point.

You're expecting me to obtain one of those things for my system
at home? And assuming that password type capable access
protection is the only kind of protection I care about.

Let's be a little reasonable please - access filters aren't
dead yet (I would like to see them vanish, and I would hope that
one day that might happen, today isn't that day).

I will believe this has happened when cisco no longer support
packet filtering in their routers.

kre
Re: Static IP addresses for Dial-up
> I can certainly understand the need for access control & security,
> but with the use of a smart-card one-time password system, this is
> a moot point.
Huh? How are you going to stop a system from "illegally"
(in the sense of the provider, contracts, or whatever)
acting as -say- www, ftp, or whatever server with such
a one-time password system? You'll need access control
*based on IP addresses* to reach that goal!


Piet
Re: Static IP addresses for Dial-up
Peter Dawe,

If you want to forbid statically-assigned (yet aggregatable)
addresses for dialup customers, then someday you'll have to
choose where to draw the line between kre's brother with one IP
address and my site with 7164, if I start reaching the internet
through some sort of switched virtual circuits. The difference
will be only one of scale.
_________________________________________________________
Matt Crawford crawdad@fnal.gov Fermilab
PGP: D5 27 83 7A 25 25 7D FB 09 3C BA 33 71 C4 DA 6A
Re: Static IP addresses for Dial-up
>Peter,
>
>>--------- Text sent by Peter Dawe follows:
>>
>> Demon Internet Services provide an IP address for every dial-up
>> customer. Most other ISPs have taken the view that this is a waste of
>> valuable IP space and allocate IP addresses dynamically.
>>
>> How should our industry respond to ISPs who behave selfishly and do
>> not take into account the good of the network?
>>
>>
>> Peter Dawe
>> Unipalm PIPEX
>>
>
>1. Speaking as IAB chair, I must state that the IAB has absolutely
>no role to play in answering your question. Operational/commercial
>issues are outside our mandate, whatever we might feel.
>
>2. However, even without an IAB discussion, I can tell you that
>we are in favour of technology that conserves address space and
>facilitates renumbering.
>
>Regards,
> Brian Carpenter (IAB Chair) (brian@dxcoms.cern.ch)
> voice +41 22 767 4967, fax +41 22 767 7155

I would like to raise concerns regarding the guidelines used
by the InterNIC for allocating addresses. Some of the current
guidelines seem oblivious of emerging market realities
and often times highly non-objective.

I wish to see this issue addressed by someone, the iab
or iana, or anyone else that sets forth, mandates or influences
the policies used by the InterNIC.

As a "small" web service provider that wants to continue
to be multi-homed, I find the attitude that the use
of static dialup addresses or in our perception of the
InterNIC that the use of a single IP address to virtual
host a .com domain is somehow wasteful to be questionable.
I believe that such uses are in fact highly efficient.
I have no grounds, and it makes no business sense, to tell
a customer they cannot have a dedicated web server for
their domain or get SMTP feed to their dialup client.

The same registries, I have reasons to believe, tend to
overlook allocations of several /16s to major corporations
that are completely firewalled from the Internet and could
very well use non-public addresses for thousands of internal
machines. I used to work in one such corporation and have
observed their historical use of IP addresses and new allocations.

It is quite possible that the registries are on the forefront
dealing with these issues with stretched resources and no body
to turn to evolve the policies for the rapidly changing marketplace.
I can then understand, and now it is my hope ;-), that being part
of these aliases will automatically qualify me as a "caring" Internet
citizen.

The end result is we have to either learn to play the game
so we will survive and continue to be independent. In
the meanwhile, we continue to live on the edge fearing the day
when a big chunk of the Internet drops our 206/19.

Oh yes, we have already renumbered twice and the support
costs are enormous.

Thanks for listening this far,
Sanjay.
Re: Static IP addresses for Dial-up
At 02:19 AM 1/30/96 +1100, Robert Elz wrote:

>
>You're expecting me to obtain one of those things for my system
>at home? And assuming that password type capable access
>protection is the only kind of protection I care about.
>

Well, not exactly. I was thinking along the lines of something a little
larger than 'home' access. :-)

>Let's be a little reasonable please - access filters aren't
>dead yet (I would like to see them vanish, and I would hope that
>one day that might happen, today isn't that day).
>
>I will believe this has happened when cisco no longer support
>packet filtering in their routers.
>
>kre
>
>

My point was that filtering on source addresses is not exactly the
most secure method of access control.

- paul
Re: Static IP addresses for Dial-up
At 05:18 PM 1/29/96 +0100, Piet Beertema wrote:

> I can certainly understand the need for access control & security,
> but with the use of a smart-card one-time password system, this is
> a moot point.

>Huh? How are you going to stop a system from "illegally"
>(in the sense of the provider, contracts, or whatever)
>acting as -say- www, ftp, or whatever server with such
>a one-time password system? You'll need access control
>*based on IP addresses* to reach that goal!
>
>

No, no, no. The concept of access-filtering based on source address is
easily spoofed, where the OTP password systems that I'm referring to
are based on a concept of authentication-based access, which is much more
reliable than a [possibly fake] source address.

This is not a new concept.

- paul
Re: Static IP addresses for Dial-up
Original message <MAPI.Id.0016.00657465726420204333343130303138@MAPI.to.RFC822>
From: Peter Dawe <peterd@dial.pipex.com>
Date: Jan 28, 18:46
Subject: Static IP addresses for Dial-up
>
> Demon Internet Services provide an IP address for every dial-up
> customer. Most other ISPs have taken the view that this is a waste of
> valuable IP space and allocate IP addresses dynamically.
>
> How should our industry respond to ISPs who behave selfishly and do
> not take into account the good of the network?

The access-control argument has been beaten to death already. We offer our
customers static IP addresses for some additional reasons:
- ability to receive mail by SMTP instead of POP
- ability to run a part time WWW or BBS service at a fixed address
- support for systems that don't easily support dynamic addresses
(some Unix machines with hand-coded dialup scripts)
and most importantly
- ability to do disconnect-and-redial without breaking connections, which
is particularly useful with ISDN. You can telnet somewhere, get idled out
of the ISDN server, hit return and your ISDN adapter auto-redials and
connects and your packet goes through, and you're still on the same
address so everything works.
Customers on flakey dialup lines (28.8k from up in the mountains during
bad weather) appreciate this too.

-matthew kaufman
matthew@scruz.net
Re: Static IP addresses for Dial-up
At 13:46 1/28/96, Peter Dawe wrote:

>Demon Internet Services provide an IP address for every dial-up
>customer. Most other ISPs have taken the view that this is a waste of
>valuable IP space and allocate IP addresses dynamically.
>
>How should our industry respond to ISPs who behave selfishly and do
>not take into account the good of the network?


Demon (as it appears to the Internet [due to their dynamic modem
binding/routing code]) is all permanently wired (but randomly
powered-up/connected) hosts. The fact that the connections are via dial-up
not leased lines is not relevant to how they appear to the Net. If every
one of their users had their own leased line OR dial up port phone number
would you say that they are wasting space? There is no significant difference
between these latter connection methods and Demon's actual "Dial any of our
POPs to make your connection" method. All they are doing is sharing the
modem ports instead of assigning a separate one to each customer. As they
have noted, dynamic addressing does not fit the model of what they are
selling (ie: CONNECTION not ACCESS). What types of Daemons/Agents are being
run by the user while they are connected is not important due to the STATIC
IPN (Something that would NOT be possible with a dynamic/random IPN
number). Until Dynamic DNS is out in the field, Dynamic IPN supports ONLY
Access not Connection (and as I noted, Demon sells Connection not just
Access).
Re: Static IP addresses for Dial-up
Date: Mon, 29 Jan 1996 12:48:00 -0500
From: Paul Ferguson <pferguso@cisco.com>
Message-ID: <199601291747.JAA15611@lint.cisco.com>

You clearly didn't read the message I sent that you replied to...

> Well, not exactly. I was thinking along the lines of something a little
> larger than 'home' access. :-)

The issue I mentioned was my brother, with a static IP address
from Demon for his one system at home, which connects via
dial up, connecting to my one system at home, which is also
dial up (right now), though basically a permanent connection.

> My point was that filtering on source addresses is not exactly the
> most secure method of access control.

Again, you didn't read my message - I know that source address
filtering is even less secure than other filtering. However
the source address in one packet is the destination address in
another - and I can filter on that destination address...

I also know that there are attacks that can be made without
requiring return packets at all - those I have to deal with
in other ways (smart card password schemes most certainly
aren't it) regardless of what kind of address (statically
assigned, or dynamically assigned) my brother gets.

kre
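
Added example, not part of the archived messages: a Python model of the outbound destination filter described in the message above, extended to show why a dynamically assigned peer address forces the rule to cover a whole pool. All addresses (RFC 5737 documentation ranges), the port number and the function names are constructed for illustration.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple

# Constructed sample values (RFC 5737 documentation ranges), not from the thread.
HOME = "192.0.2.1"                            # permanently connected home system
STATIC_PEER = ip_network("198.51.100.7/32")   # peer with a static dial-up address
DIALUP_POOL = ip_network("198.51.100.0/24")   # rule scope needed if the peer's address is dynamic
RESTRICTED_PORT = 23                          # service meant for the peer only


class Packet(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int


class Outcome(NamedTuple):
    request_delivered: bool   # inbound packet reached the service
    reply_left_host: bool     # egress filter let the reply out
    sender_sees_reply: bool   # reply arrived at the machine that really sent the request


def egress_allowed(pkt, allowed):
    """Outbound filter: packets from the restricted service may only go to `allowed`."""
    if pkt.sport == RESTRICTED_PORT:
        return ip_address(pkt.dst) in allowed
    return True


def exchange(real_sender, claimed_src, allowed):
    """One request/reply round trip. There is deliberately no inbound filter."""
    request = Packet(claimed_src, HOME, 40000, RESTRICTED_PORT)
    reply = Packet(request.dst, request.src, request.dport, request.sport)
    left = egress_allowed(reply, allowed)
    # The network routes the reply to the claimed source, not to whoever forged it.
    seen = left and reply.dst == real_sender
    return Outcome(True, left, seen)


def scenarios():
    peer, stranger, neighbour = "198.51.100.7", "203.0.113.9", "198.51.100.200"
    return {
        "peer, static rule": exchange(peer, peer, STATIC_PEER),
        "stranger, honest source": exchange(stranger, stranger, STATIC_PEER),
        "stranger, forged peer source": exchange(stranger, peer, STATIC_PEER),
        "pool neighbour, pool-wide rule": exchange(neighbour, neighbour, DIALUP_POOL),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:32} {outcome}")
```

In the forged-source case the request is still delivered even though the sender never sees a reply, which is the class of attack the message says must be handled by other means.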
Re: Static IP addresses for Dial-up
[cc: trimmed to nanog]

At 07:50 PM 1/30/96 +1100, Robert Elz wrote:

>
>I also know that there are attacks that can be made without
>requiring return packets at all - those I have to deal with
>in other ways (smart card password schemes most certainly
>aren't it) regardless of what kind of address (statically
>assigned, or dynamically assigned) my brother gets.
>

Yes, I understand completely.

Actually, we could go back and forth like this forever, punching
holes in secure access control methods.

Let's just agree that without strong end-to-end encryption, it's
all swiss cheese. :-)

- paul
Re: Static IP addresses for Dial-up
Date: Tue, 30 Jan 1996 08:02:46 -0500
From: Paul Ferguson <pferguso@cisco.com>
Message-ID: <199601301302.FAA06195@lint.cisco.com>

> [cc: trimmed to nanog]

Which I'm not on... (not that that matters here, this
is about ended).

> Let's just agree that without strong end-to-end encryption, it's
> all swiss cheese. :-)

Yes, though with the caveat that without static addresses
the cheese is rather rank, and suitable for nothing at all,
with static addresses (really stable known addresses) so
filtering is possible at least a little first level protection
is possible.

kre
Re: Static IP addresses for Dial-up
>
> I can certainly understand the need for access control & security,
> but with the use of a smart-card one-time password system, this is
> a moot point.
> Huh? How are you going to stop a system from "illegally"
> (in the sense of the provider, contracts, or whatever)
> acting as -say- www, ftp, or whatever server with such
> a one-time password system? You'll need access control
> *based on IP addresses* to reach that goal!
>

Perhaps you would like to flesh out these requirements
with Dave O'Leary for the PIER WG. This was an area
that was of particular concern, in an environment where
renumbering is a fact of life.

--bill
Re: Static IP addresses for Dial-up
> At 09:36 PM 1/29/96 +1100, Robert Elz wrote:
>
> >
> >That sounds like a perfect place for a dynamic address, however,
> >if he had that, it would make life harder for me. With his
> >static address I can instal filters to give him more access to
> >my system at home (which is basically permanently connected, and
> >not a PC) than I allow all the rest of you. (For Tony's
> >benefit - no, this is not relying on source address filtering,
> >I actually filter the packets that my system sends out, I will
> >let it send packets to him that I won't let it send elsewhere,
> >which has basically the same effect).
> >
>
> I can certainly understand the need for access control & security, but
> with the use of a smart-card one-time password system, this is a moot
> point.
>
> - paul

You are ignoring the risks of the session being stolen after the
password is given. Outbound filters will help this, strong end-to-end
encryption will prevent it.

Martha Greenberg
marthag@mit.edu