Re: [sig-policy] New version of prop-110: Designate 1.2.3.0/24 as Anycas
On 14/02/2014, at 11:44, Dean Pemberton <dean at internetnz dot net dot nz> wrote:
> I like David's way of handling the issue that you raise.
> By saying that "... it is acceptable to filter this prefix at an
> administrative boundary, if an operator desires. Further, it should
> be made clear it is not acceptable to advertise this prefix to the
> Global Internet."
Indeed, I saw David’s post after I’d sent mine!
> I'm interested in your comment here regarding the IXP situation.
> Would 1.2.3.4 being advertised onto an IXP by a willing participant be
> something that you'd see a problem with?
There are plenty of open resolvers on the Internet, some of which are even there intentionally ;) The difference here is when a customer uses Google Public DNS, OpenDNS, etc, they are always sending their queries to the same organisation. Their experience should therefore be mostly consistent.
Were use of 1.2.3.4 to become widespread, and in the absence of appropriate filtering, that same customer’s queries end up at a different organisation’s servers depending on what the best path to 1.2.3.0/24 is at any given time.
Were I so maliciously inclined, I might even deliberately *want* to be the instance of 1.2.3.4 reached by as many networks as possible, in order to give me insight into what my competitors’ customers are doing, or just because I’m nosey. There’s nothing stopping me lying in the responses to my competitors’ customers either. DNSSEC, etc, but that requires that customers (or their CPE) are doing the right thing.
From my perspective, unless there is a business requirement to do otherwise, 1.2.3.0/24 would end up in the same bucket as any other martian: I don’t want to hear about it from anyone, I don’t want packets destined to it to leave my network, and I don’t want packets from it to enter my network. So no, from the perspective of networks I have the appropriate control over, it is no more of a problem than an IXP participant advertising some addresses out of an RFC1918 network.
That is not to say I would never run a name server answering queries to 1.2.3.4. Times change, and if “enough” other networks are doing it, fielding support calls because “I always use 1.2.3.4, it works everywhere except here, you are broken” is something that I am sure businesses would probably want to Go Away. I don’t think I’d be rushing into setting it up initially, though.
> It would certainly be possible to place wording into the policy which
> places an expectation that operators should filter this at their AS
> boundary. I'm interested in whether people think this would
> unreasonably restrict the benefit of some of the use cases of this
> prefix.
It might restrict the benefit to some. No doubt there are reasons for operating a 1.2.3.4 instance in ways I haven’t thought of. Like David, I don’t think I’d ever want to see prop-110’s use of 1.2.3.0/24 resulting in it being in the “DFZ,” though.
Cheers
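
The boundary policy described in the message above (treat 1.2.3.0/24 like any other martian: accept no routes for it, let no packets to it leave, let no packets from it enter), sketched as an added example that is not part of the original post. The function names, the RFC 1918 entries in the list and the sample prefixes and addresses are assumptions made for illustration.

```python
import ipaddress

# Martian list for the administrative boundary (constructed for this example).
# 1.2.3.0/24 sits in the same bucket as the RFC 1918 networks.
MARTIANS = [ipaddress.ip_network(n) for n in (
    "1.2.3.0/24",                                     # prop-110 prefix
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
)]


def route_action(prefix: str) -> str:
    """Decide on a BGP route heard from, or offered to, a neighbour AS.

    Rejects a martian and any more-specific of it (what a prefix-list
    "le 32" match does). A covering aggregate is not a martian route and
    is accepted, which is why the packet check below is still needed.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version == 4 and any(net.subnet_of(m) for m in MARTIANS):
        return "reject"
    return "accept"


def packet_action(src: str, dst: str, direction: str) -> str:
    """Decide on a packet crossing the boundary.

    egress:  drop if the destination is a martian (queries to 1.2.3.4
             must be answered inside the network or not at all).
    ingress: drop if the source is a martian (answers from someone
             else's 1.2.3.4 instance).
    """
    if direction not in ("egress", "ingress"):
        raise ValueError("direction must be 'egress' or 'ingress'")
    addr = ipaddress.ip_address(dst if direction == "egress" else src)
    return "drop" if any(addr in m for m in MARTIANS) else "forward"


if __name__ == "__main__":
    # Constructed sample routes: exact match, more-specific, covering, unrelated.
    for p in ("1.2.3.0/24", "1.2.3.128/25", "1.2.0.0/16", "192.0.2.0/24"):
        print(p, route_action(p))
    print(packet_action("203.0.113.7", "1.2.3.4", "egress"))
    print(packet_action("1.2.3.4", "203.0.113.7", "ingress"))
```

The covering-aggregate case shows why the route filter alone is not enough: a /16 that contains 1.2.3.0/24 passes the route check, and only the egress packet check keeps a customer's query to 1.2.3.4 from following it to another organisation's servers.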