nanog mailing list archives

202203081821.AYC Re: 202203071610.AYC Re: Making Use of 240/4 NetBlock


From: "Abraham Y. Chen" <aychen () avinta com>
Date: Tue, 8 Mar 2022 23:29:04 -0500

Hi, Stephen:

1)    First, logistics: Since I have been waiting for the moderation of my first posting on NANOG, could I assume that you are sending me this personal e-mail as a Moderator?

2)    Perhaps the material provided in my writing was not sufficient; you seem to be expressing concerns from other perspectives. As concisely characterized by one of the "Internet fathers", the EzIP is an overlay network relative to the current Internet. As such, the EzIP deployment is pretty much independent of the hurdles that the current Internet equipment or convention may impose on it. That is, we can start the EzIP deployment leaving everything in the current Internet alone. This is because each EzIP deployment module, called RAN (Regional Area Network), is tethered via one IPv4 public address onto the Internet core. Since each RAN appears to be a private network, it can be set up according to its own requirements. That is, each RAN can make use of any desired IPv4 technology, while leaving others aside. As long as the packets on that single access path between the RAN and the Internet conform to the Internet conventions, the deployment of the EzIP proposal should work.

3)    " ... if you plan on endpoint computers (such as those in homes) to use the 240/4 netblock. ...   ":    No, we do not. As presented by the RAN demonstration cited by the whitepaper, one of the primary criteria of the EzIP proposal is not to affect the current private network setups. Although, other than Windows OS based products, more and more IoTs do support the 240/4 netblock. Even some Internet routers appear to do so, as well.

4)    " ... DD-WRT project? ...    ":     EzIP does not have any ambition to alter or replace the existing Internet equipment in any sense. Fortunately, we can deploy our solution without such complication due to the overlay characteristics. Our main goal is to demonstrate that "there exists" one feasible configuration that can operate EzIP in parallel to the existing Internet for providing equivalent services. From such a skeletal reference, one can expand to larger deployments, as well as put on desired features and capabilities. For example, we have utilized OpenWrt 19.07.3 to demonstrate the feasibility of the EzIP scheme. Since the enabling technique is "disabling the program code that has been disabling the use of the 240/4 netblock", any other projects such as DD-WRT can replicate it just as well, if so inclined.

5)    "... Firewalls ...  NIST ...   ":    Since EzIP is only identifying the additional address resources from the "Reserve" and suggesting how to use it, I am not clear why high level functionalities such as security related firewall tasks get involved here. Do NIST Guidelines specify blocking any packet with the 240/4 netblock address? I failed to spot such.  Since there is no natural division between the 240/4 netblock from the rest of IPv4 address pool, I can't see any reason to single this netblock out in the firewall related tasks anyway. Do you know the reason why? I would appreciate very much if you could elaborate your concerns.

6)    By the way, the EzIP's RAN is actually very much the same as CG-NAT or CDN, architecturally. The only difference is that the EzIP Project managed to identify a larger usable address pool enabling the practice of static addressing to simplify operation logistics, mitigate cyber insecurity, etc.


I look forward to your thoughts.


Regards,


Abe (2022-03-09 23:28 EST)



On 2022-03-08 13:08, Stephen Satchell wrote:
On 3/7/22 2:14 PM, Abraham Y. Chen wrote:
     In a nutshell, EzIP proposes to disable the program codes in current routers that have been disabling the use of the 240/4 NetBlock. The cost of this software engineering should be minimal. The EzIP deployment architecture is the same as that of the existing CG-NAT (Carrier Grade Network Address Translation). Consequently, there is no need to modify any hardware equipment. There is an online setup description (Reference II), called RAN (Regional Area Network), that demonstrates the feasibility of this approach.

You have another surface that will need to be dealt with if you plan on endpoint computers (such as those in homes) to use the 240/4 netblock. You will need to talk to the authors of firewall books and web sites to update the examples to remove all-traffic blocks on 240/4.  Then individual administrations, not just ISP/Service-Provider, will need to know to modify any home-brew firewalls to open all addresses except 255.255.255.255 (and perhaps 240.0.0.0).

That includes my publications about firewall configurations.

If you haven't already, you will need to include makers of access points and companies such as SonicWALL.  Have you talked to pfSense?  DD-WRT project?  UFW project?  firewalld project?  The Berkeley Packet Filter project?  How about authors of the NIST _Guidelines on Firewalls and Firewall Policy_ publication (https://www.govinfo.gov/content/pkg/GOVPUB-C13-f52fdee3827e2f5d903fa8b4b66d4855/pdf/GOVPUB-C13-f52fdee3827e2f5d903fa8b4b66d4855.pdf)?
I wish you luck.  And that's only the things I found in English.
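Worked illustration of the firewall point raised in the quoted message above. This is an added example from the archive editor, not code from either correspondent or from the EzIP project. It models a typical "bogon" drop list of the kind found in firewall examples (the list below is a constructed sample, not taken from any named publication), shows that a widely used standard library also encodes the 240/4 reservation in its own address classes, and then rewrites the drop list the way the quoted message describes: 240/4 is passed, while 255.255.255.255 (and, optionally, 240.0.0.0) stays blocked. Function names are hypothetical.

```python
import ipaddress

# Constructed sample of a bogon drop list as it appears in many firewall
# how-tos. The 240.0.0.0/4 entry is the one under discussion in the thread.
SAMPLE_BOGON_DROPS = [
    "0.0.0.0/8",
    "10.0.0.0/8",
    "100.64.0.0/10",
    "127.0.0.0/8",
    "169.254.0.0/16",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "224.0.0.0/4",
    "240.0.0.0/4",
]

CLASS_E = ipaddress.ip_network("240.0.0.0/4")
LIMITED_BROADCAST = ipaddress.ip_network("255.255.255.255/32")
CLASS_E_ZERO = ipaddress.ip_network("240.0.0.0/32")


def parse_drop_list(entries):
    """Parse CIDR strings into IPv4 networks; refuse non-IPv4 and sloppy prefixes."""
    nets = []
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=True)
        if net.version != 4:
            raise ValueError(f"IPv4 only: {entry}")
        nets.append(net)
    return nets


def matching_rule(addr, drops):
    """Return the first drop prefix covering addr, or None if it would be accepted."""
    ip = ipaddress.ip_address(addr)
    for net in drops:
        if ip in net:
            return str(net)
    return None


def stack_treats_as_unusable(addr):
    """Python's own ipaddress module carries the 240/4 reservation:
    is_reserved is True and is_global is False for every Class E address.
    This is the 'program code that disables 240/4' in software-stack form."""
    ip = ipaddress.ip_address(addr)
    return ip.is_reserved and not ip.is_global


def relax_240_4(drops, keep_zero=True):
    """Rewrite a drop list so that 240/4 is no longer blocked wholesale.

    Every entry that lies inside 240.0.0.0/4 (including 240/4 itself) is
    removed, then the narrow exceptions named in the thread are re-added:
    255.255.255.255/32 always, and 240.0.0.0/32 when keep_zero is set.
    An entry wider than /4 that also covers Class E (e.g. 224.0.0.0/3) is
    deliberately left alone, because dropping it would also open multicast.
    """
    kept = [net for net in drops if not net.subnet_of(CLASS_E)]
    kept.append(LIMITED_BROADCAST)
    if keep_zero:
        kept.append(CLASS_E_ZERO)
    return kept


if __name__ == "__main__":
    before = parse_drop_list(SAMPLE_BOGON_DROPS)
    after = relax_240_4(before)
    for probe in ("240.1.2.3", "240.0.0.0", "255.255.255.255", "10.1.1.1"):
        print(f"{probe:16} before={matching_rule(probe, before)!s:18} "
              f"after={matching_rule(probe, after)!s:18} "
              f"stdlib_reserved={stack_treats_as_unusable(probe)}")
```

The ordering of the rewritten list matters for a first-match engine: the two narrow /32 entries are appended after the surviving prefixes, so they cannot shadow anything, and the broad 240/4 entry is gone rather than reordered. The stdlib check is there to make the quoted message's point concrete: even after every firewall is edited, host software that consults such address classes will still refuse Class E.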



