[address-policy-wg] 2005-08 New Policy Proposal

-----Original Message-----
From: address-policy-wg-admin at ripe.net
[mailto:address-policy-wg-admin at ripe.net] On Behalf Of Gert Doering

[Ger Doering]
Why should anyone want to give a customer 10 IPv6 addresses, and *not*
a full /64?

[Jørgen Hovland] 
I can think of a few reasons that would directly affect us now:

* Internal marketing and/or policy reasons.
* Limit the amount of abuse.
* It isn’t possible with todays ethernet technology to use an entire /64 on
the same LAN, MAC addresses are 48bits wide. Private customers only have one
LAN link to us.  Even if the MAC addresses were to be expanded into 96bit,
the probability of MAC address collision most likely still is far too high.
* Limitations in the contract making it reasonable to limit the amount of IP
addresses you get, like "you are only allowed to connect 10 cameras to the
internet".
* We might want to sell a "cheaper" version of a better product.
* It would result in a DoS if we didn’t limit the DHCP pool per link to
something that our hardware is capable of doing. So the full /64 will never
be used. 
* The product isn't capable of more than N links (machines).

A thought: 
Security is about giving access to what you need, not what you can get. 

[Ger Doering]
This would be very much against the spirit of IPv6 - "have enough addresses,
and no questions asked".

[Jørgen Hovland] 
I don't quite see the similarity between "having enough addresses" and
"allocating the proper amount of addresses for the product you are buying",
so I believe the spirit is still there.
There will be less technical limitations in the future, but the other
reasons will still remain.


Cheers,

Joergen Hovland