On 31 Dec 2015, at 12:31, tom p. wrote: > IP addresses are only meaningful to geeks like us. Users at large see > and use e-mail addresses and phone numbers and, when they have yet to > learn that these can be faked, are susceptible to fraud. This brings > real pain to real people and could provide a lever to get things done. You are correct on the difference between what is an issue to "normal people" and what is an issue "to us". And yes, the issues with untrust in SS7, similar to the breakdown I see in X.509 CA environment, is hurting users. Makes it quite hard to set up a 2-factor authentication with recovery mechanisms being secure and trusted (i.e. hint: do not use the same telephone number for your 2-factor authentication as your fallback mechanism). But not at all hurting the Internet as much as source IP address validation. Given the depletion of IPv4 address space, we now see increased number of real use of allocated but not announced IPv4 address space. Simply because trust in routing make it easier to just use some space that no one else is using than pay $12/address or whatever it is. This reuse of already allocated (by others) IPv4 address space has grown faster than I expected. In the next phase, unless people use IPv6, people will just use whatever IPv4 addresses they can find. And that will hurt the ones having IPv4 addresses in the outskirts of the net. In developing countries. What do an organization in Sweden care if they just reuse whatever some organization in Rwanda use? If announced from Sweden, the addresses will probably work quite well for the Swedish organisation, but so much less for the one in Rwanda which is the real holder of the address space. Creation of local caches from Akamai, Google, Apple, Microsoft, Cloudflare and DNS operators as us as Netnod that moves content closer to Rwanda will for this scenario make the impact smaller. When it hurts. Not if. Without proper source address validation, it will be worse than a cold on New Years Eve (which I understand many have), and we can never recuperate the situation we sort of have today -- that we can trust the uniqueness and correct (well) route announcement of IPv4. And THIS is for me the largest driver for IPv6. That we can not guarantee for how long IPv4 will actually work. For some definition of "we" and some definition of "work". I am scared. Really scared. And if we loose this, then our fight against spam and other for the consumer visible things does not matter. At all. Patrik
Attachment:
signature.asc
Description: OpenPGP digital signature