Re: Stealthy Overlay Network Re: 202401100645.AYC Re: IPv4 address block

[Christopher Hawker <chris () thesysadmin au>]

Hang on... So EzIP is now about using 240/4 as CGNAT space? Wait, I'm
lost...

With CGNAT, there is either public IP space in front of the gateway, or
private space behind it. There is no such thing as "semi-private" space in
the world of CGNAT, as devices with public IPs can't directly access
devices behind a CGNAT gateway with a 100.64/10 address. It's either a
public address, or a private address (not to be confused with an RFC1918
private address).

Let's talk hypothetically for a minute and assume that 240/4 is used as
CGNAT space. Your "solution" to residential gateways not supporting the use
of 240/4 space being upgraded to OpenWRT won't work, because not all CPE
supports OpenWRT.

Instead of attempting to use a larger prefix for CGNAT, IPv6 is definitely
the easier solution to implement as the vast majority of vendors already
support v6.

Regards,
Christopher Hawker

On Mon, 15 Jan 2024 at 15:06, Abraham Y. Chen <aychen () avinta com> wrote:

> Hi, Mike:
>
> 1)   "... only private use. ...":
>
>     The EzIP deployment plan is to use 240/4 netblock as "Semi-Public"
> addresses for the existing CG-NAT facility. With many RG-NATs (Routing /
> Residential Gateway -NATs) already capable of being 240/4 clients thru the
> upgrade to OpenWrt, no IoT on any private premises will sense any change.
>
> Regards,
>
>
> Abe (2024-01-14 23:04)
>
>
> On 2024-01-12 15:16, Mike Hammett wrote:
>
> I'm not talking about global, public use, only private use.
>
>
>
> -----
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> <https://www.facebook.com/ICSIL>
> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
> <https://www.linkedin.com/company/intelligent-computing-solutions>
> <https://twitter.com/ICSIL>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> <https://www.facebook.com/mdwestix>
> <https://www.linkedin.com/company/midwest-internet-exchange>
> <https://twitter.com/mdwestix>
> The Brothers WISP <http://www.thebrotherswisp.com/>
> <https://www.facebook.com/thebrotherswisp>
> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
> ------------------------------
> *From: *"Tom Beecher" <beecher () beecher cc> <beecher () beecher cc>
> *To: *"Mike Hammett" <nanog () ics-il net> <nanog () ics-il net>
> *Cc: *"Ryan Hamel" <ryan () rkhtech org> <ryan () rkhtech org>, "Abraham Y.
> Chen" <AYChen () alum mit edu> <AYChen () alum mit edu>, nanog () nanog org
> *Sent: *Friday, January 12, 2024 2:06:32 PM
> *Subject: *Re: Stealthy Overlay Network Re: 202401100645.AYC Re: IPv4
> address block
>
> You don't need everything in the world to support it, just the things
> > "you" use.
>
>
> You run an ISP, let me posit something.
>
> Stipulate your entire network infra, services, and applications support
> 240/4, and that it's approved for global , public use tomorrow. Some
> company gets a block in there, stands up some website. Here are some
> absolutely plausible scenarios that you might have to deal with.
>
> - Some of your customers are running operating systems / network gear that
> doesn't support 240/4.
> - Some of your customers may be using 3rd party DNS resolvers that don't
> support 240/4.
> - Some network in between you and the dest missed a few bogon ACLs ,
> dropping your customer's traffic.
>
> All of this becomes support issues you have to deal with.
>
> On Fri, Jan 12, 2024 at 2:21 PM Mike Hammett <nanog () ics-il net> wrote:
>
> > I wouldn't say it's unknowable, just that no one with a sufficient enough
> > interest in the cause has been loud enough with the research they've done,
> > assuming some research has been done..
> >
> > You don't need everything in the world to support it, just the things
> > "you" use.
> >
> >
> >
> > -----
> > Mike Hammett
> > Intelligent Computing Solutions <http://www.ics-il.com/>
> > <https://www.facebook.com/ICSIL>
> > <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
> > <https://www.linkedin.com/company/intelligent-computing-solutions>
> > <https://twitter.com/ICSIL>
> > Midwest Internet Exchange <http://www.midwest-ix.com/>
> > <https://www.facebook.com/mdwestix>
> > <https://www.linkedin.com/company/midwest-internet-exchange>
> > <https://twitter.com/mdwestix>
> > The Brothers WISP <http://www.thebrotherswisp.com/>
> > <https://www.facebook.com/thebrotherswisp>
> > <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
> > ------------------------------
> > *From: *"Tom Beecher" <beecher () beecher cc>
> > *To: *"Mike Hammett" <nanog () ics-il net>
> > *Cc: *"Ryan Hamel" <ryan () rkhtech org>, "Abraham Y. Chen" <
> > AYChen () alum mit edu>, nanog () nanog org
> > *Sent: *Friday, January 12, 2024 1:16:53 PM
> > *Subject: *Re: Stealthy Overlay Network Re: 202401100645.AYC Re: IPv4
> > address block
> >
> > How far are we from that, in reality? I don't have any intention on using
> > > the space, but I would like to put some definition to this boogey man.
> >
> >
> > It's unknowable really.
> >
> > Lots of network software works just fine today with it. Some don't. To my
> > knowledge some NOS vendors have outright refused to support 240/4 unless
> > it's reclassified. Beyond network equipment, there is an unknowable number
> > of software packages , drivers, etc out in the world which 240/4 is still
> > hardcoded not to work. It's been unfortunate to see this fact handwaved
> > away in many discussions on the subject.
> >
> > The Mirai worm surfaced in 2016. The software vulnerabilities used in its
> > attack vectors are still unpatched and present in massive numbers
> > across the internet; there are countless variants that still use the same
> > methods, 8 years later. Other vulnerabilities still exist after
> > multiple decades. But we somehow think devices will be patched to support
> > 240/4 quickly?
> >
> > It's just unrealistic.
> >
> > On Fri, Jan 12, 2024 at 1:03 PM Mike Hammett <nanog () ics-il net> wrote:
> >
> > > " every networking vendor, hardware vendor, and OS vendor"
> > >
> > > How far are we from that, in reality? I don't have any intention on
> > > using the space, but I would like to put some definition to this boogey man.
> > >
> > >
> > >
> > > -----
> > > Mike Hammett
> > > Intelligent Computing Solutions <http://www.ics-il.com/>
> > > <https://www.facebook.com/ICSIL>
> > > <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
> > > <https://www.linkedin.com/company/intelligent-computing-solutions>
> > > <https://twitter.com/ICSIL>
> > > Midwest Internet Exchange <http://www.midwest-ix.com/>
> > > <https://www.facebook.com/mdwestix>
> > > <https://www.linkedin.com/company/midwest-internet-exchange>
> > > <https://twitter.com/mdwestix>
> > > The Brothers WISP <http://www.thebrotherswisp.com/>
> > > <https://www.facebook.com/thebrotherswisp>
> > > <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
> > > ------------------------------
> > > *From: *"Ryan Hamel" <ryan () rkhtech org>
> > > *To: *"Abraham Y. Chen" <aychen () avinta com>, "Vasilenko Eduard" <
> > > vasilenko.eduard () huawei com>
> > > *Cc: *"Abraham Y. Chen" <AYChen () alum MIT edu>, nanog () nanog org
> > > *Sent: *Thursday, January 11, 2024 11:04:31 PM
> > > *Subject: *Re: Stealthy Overlay Network Re: 202401100645.AYC Re: IPv4
> > > address block
> > >
> > > Abraham,
> > >
> > > You may not need permission from the IETF, but you effectively need it
> > > from every networking vendor, hardware vendor, and OS vendor. If you do not
> > > have buy in from key stakeholders, it's dead-on arrival.
> > >
> > > Ryan
> > > ------------------------------
> > > *From:* NANOG <nanog-bounces+ryan=rkhtech.org () nanog org> on behalf of
> > > Abraham Y. Chen <aychen () avinta com>
> > > *Sent:* Thursday, January 11, 2024 6:38:52 PM
> > > *To:* Vasilenko Eduard <vasilenko.eduard () huawei com>
> > > *Cc:* Chen, Abraham Y. <AYChen () alum MIT edu>; nanog () nanog org <
> > > nanog () nanog org>
> > > *Subject:* Stealthy Overlay Network Re: 202401100645.AYC Re: IPv4
> > > address block
> > >
> > >
> > > Caution: This is an external email and may be malicious. Please take
> > > care when clicking links or opening attachments.
> > >
> > > Hi, Vasilenko:
> > >
> > > 1)    ... These “multi-national conglo” has enough influence on the
> > > IETF to not permit it.":
> > >
> > >     As classified by Vint Cerf, 240/4 enabled EzIP is an overlay network
> > > that may be deployed stealthily (just like the events reported by the
> > > RIPE-LAB). So, EzIP deployment does not need permission from the IETF.
> > >
> > > Regards,
> > >
> > >
> > > Abe (2024-01-11 21:38 EST)
> > >
> > >
> > >
> > >
> > > On 2024-01-11 01:17, Vasilenko Eduard wrote:
> > >
> > > > It has been known that multi-national conglomerates have been using
> > > it without announcement.
> > >
> > > This is an assurance that 240/4 would never be permitted for Public
> > > Internet. These “multi-national conglo” has enough influence on the
> > > IETF to not permit it.
> > >
> > > Ed/
> > >
> > > *From:* NANOG [
> > > mailto:nanog-bounces+vasilenko.eduard=huawei.com () nanog org
> > > <nanog-bounces+vasilenko.eduard=huawei.com () nanog org>] *On Behalf Of *Abraham
> > > Y. Chen
> > > *Sent:* Wednesday, January 10, 2024 3:35 PM
> > > *To:* KARIM MEKKAOUI <amekkaoui () mektel ca> <amekkaoui () mektel ca>
> > > *Cc:* nanog () nanog org; Chen, Abraham Y. <AYChen () alum MIT edu>
> > > <AYChen () alum MIT edu>
> > > *Subject:* 202401100645.AYC Re: IPv4 address block
> > > *Importance:* High
> > >
> > >
> > >
> > > Hi, Karim:
> > >
> > >
> > >
> > > 1)    If you have control of your own equipment (I presume that your
> > > business includes IAP - Internet Access Provider, since you are asking to
> > > buy IPv4 blocks.), you can get a large block of reserved IPv4 address *for
> > > free* by *disabling* the program codes in your current facility that
> > > has been *disabling* the use of 240/4 netblock. Please have a look at
> > > the below whitepaper. Utilized according to the outlined disciplines, this
> > > is a practically unlimited resources. It has been known that multi-national
> > > conglomerates have been using it without announcement. So, you can do so
> > > stealthily according to the proposed mechanism which establishes uniform
> > > practices, just as well.
> > >
> > >
> > >
> > >     https://www.avinta.com/phoenix-1/home/RevampTheInternet.pdf
> > >
> > >
> > >
> > > 2)    Being an unorthodox solution, if not controversial, please follow
> > > up with me offline. Unless, other NANOGers express their interests.
> > >
> > >
> > >
> > >
> > >
> > > Regards,
> > >
> > >
> > >
> > >
> > >
> > > Abe (2024-01-10 07:34 EST)
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > On 2024-01-07 22:46, KARIM MEKKAOUI wrote:
> > >
> > > Hi Nanog Community
> > >
> > >
> > >
> > > Any idea please on the best way to buy IPv4 blocs and what is the price?
> > >
> > >
> > >
> > > Thank you
> > >
> > >
> > >
> > > KARIM
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient>
> > >
> > > Virus-free.www.avast.com
> > > <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient>