<br><font size=2 face="Courier New">Beeing the first on this list in 2004
I can't resist to express</font>
<br><font size=2 face="Courier New">my best wishes to everyone :-)</font>
<br>
<br><font size=2 face="Courier New">During the last year, when we made
plans for our further</font>
<br><font size=2 face="Courier New">operations of our nameservice (i.e.
anycast and introduction</font>
<br><font size=2 face="Courier New">of IPv6), we discovered that we are
getting into conflict</font>
<br><font size=2 face="Courier New">with some of the RIPE allocation policies.
I have been encouraged</font>
<br><font size=2 face="Courier New">to start a discussion about making
a policy change request.</font>
<br>
<br><font size=2 face="Courier New">So here it comes:</font>
<br>
<br><font size=2 face="Courier New">Request For An IPv4/IPv6 Policy Allowing
Assignments </font>
<br><font size=2 face="Courier New">For Network Critical Infrastructure</font>
<br>
<br><font size=2 face="Courier New">Abstract</font>
<br>
<br><font size=2 face="Courier New">At the moment, DENIC has eleven nameservers
serving the de zone. At the moment they are </font>
<br><font size=2 face="Courier New">all IPv4 only. DENIC wants to change
the DNS setup with a higher total number of </font>
<br><font size=2 face="Courier New">nameservers which not only have IPv4
but also IPv6 connectivity. However DENIC cannot </font>
<br><font size=2 face="Courier New">simply increase the number of NS records
and add AAAA records as this would quickly </font>
<br><font size=2 face="Courier New">occasion truncation in the authority
section of the UDP answer. Ignoring this limitation would </font>
<br><font size=2 face="Courier New">cause negative effects that are described
in http://www.ietf.org/internet-drafts/draft-ietf-</font>
<br><font size=2 face="Courier New">dnsop-respsize-00.txt</font>
<br>
<br><font size=2 face="Courier New">In order to keep at least the current
quality of service, improve the resilience against </font>
<br><font size=2 face="Courier New">distributed denial of service attacks
(DDoS) and easier future scalability, the deployment of </font>
<br><font size=2 face="Courier New">anycast technology (RFC3258) has been
chosen for the future DENIC DNS operation.</font>
<br>
<br><font size=2 face="Courier New">DENIC can not simply use addresses
out of their current assignment because it is current </font>
<br><font size=2 face="Courier New">practice to filter announcements on
allocation boundaries.</font>
<br>
<br><font size=2 face="Courier New">Therefore DENIC requests to establish
a policy for ccTLD and gTLD nameservers that allows </font>
<br><font size=2 face="Courier New">RIPE NCC to assign IPv4, IPv6 addresses
that are not likely to be filtered by common </font>
<br><font size=2 face="Courier New">practise for anycast-operation of their
DNS services.</font>
<br>
<br>
<br><font size=2 face="Courier New">Technical justification for this policy</font>
<br>
<br><font size=2 face="Courier New">Pros:</font>
<br>
<br><font size=2 face="Courier New">1. Acceptance
of DNS to be network critical </font>
<br>
<br><font size=2 face="Courier New">Studies like http://www.ripe.net/ripe/meetings/ripe-45/presentations/ripe45-eof-</font>
<br><font size=2 face="Courier New">rickard.pdf shows clearly that ccTLD
and gTLD nameservers are a critical network </font>
<br><font size=2 face="Courier New">infrastructure that justify special
policies to guarantee operability of Internet applications. </font>
<br>
<br><font size=2 face="Courier New">Three out of four RIRs (APNIC, ARIN
and LACNIC) have policies allowing assignments to </font>
<br><font size=2 face="Courier New">network critical infrastructure. All
three policies classify ccTLDs as critical infrastructure. </font>
<br><font size=2 face="Courier New">Extracts from these policies can be
found in Appendices I through III. </font>
<br>
<br><font size=2 face="Courier New">2. Usage
of DNS </font>
<br>
<br><font size=2 face="Courier New">By size </font>
<br><font size=2 face="Courier New"> </font>
<br><font size=2 face="Courier New">DENIC has 7 million registered domains
with a monthly increase of 1%. The introduction of </font>
<br><font size=2 face="Courier New">IDN in 2004 will increase the number
of de-domains by roughly 500,000 to 1,000,000 </font>
<br><font size=2 face="Courier New">domains in addition to the normal growth
rate. </font>
<br>
<br><font size=2 face="Courier New">Query load on nameservers </font>
<br>
<br><font size=2 face="Courier New">DENIC currently serves 10,000 queries
per second (all nameservers combined). The load is </font>
<br><font size=2 face="Courier New">expected to increase exponentially
as the acceptance of the Internet as a communication </font>
<br><font size=2 face="Courier New">infrastructure is rising. </font>
<br>
<br><font size=2 face="Courier New">New usage for DNS </font>
<br>
<br><font size=2 face="Courier New">New integrating services like ENUM
rely on DNS as their distributed information database. </font>
<br><font size=2 face="Courier New">The adoption of ENUM will contribute
to the importance of DNS for normal life of industry </font>
<br><font size=2 face="Courier New">operations.</font>
<br><font size=2 face="Courier New">3. Resilience
</font>
<br>
<br><font size=2 face="Courier New">As availability expectation for Internet
applications grow, nameservers are part of the critical </font>
<br><font size=2 face="Courier New">Internet infrastructures to make these
applications work. Anycasting is currently the state-of-</font>
<br><font size=2 face="Courier New">the-art solution to lower the impact
of DDoS attacks.</font>
<br><font size=2 face="Courier New">4. Allow
smooth IPv6 transition </font>
<br>
<br><font size=2 face="Courier New">As the world starts exploiting IPv6,
the critical infrastructures should support them natively. </font>
<br><font size=2 face="Courier New">However the limit of 512 bytes UDP
responses put a limit on the total number of names and </font>
<br><font size=2 face="Courier New">addresses (IPv4 and IPv6) that can
be supplied using DNS protocol. Extension mechanisms </font>
<br><font size=2 face="Courier New">for DNS (EDNS0) has removed this limitation
but is not widely deployed yet. This dilemma, </font>
<br><font size=2 face="Courier New">needing more space in the packets than
DNS protocol provides, can be overcome by using </font>
<br><font size=2 face="Courier New">anycast technology. </font>
<br>
<br>
<br>
<br><font size=2 face="Courier New">Cons:</font>
<br>
<br><font size=2 face="Courier New">1. Accepting
a number of IPv4/24 and IPv6/32 allocations for critical network </font>
<br><font size=2 face="Courier New">infrastructures does not align with
the traditional address conservation efforts. With </font>
<br><font size=2 face="Courier New">anycasting it is very likely that only
a few addresses from the entire assignment would </font>
<br><font size=2 face="Courier New">be used.</font>
<br>
<br><font size=2 face="Courier New">2. RIPE
document 233 dated from 24th May 2002 says: "Although it is
undesirable to </font>
<br><font size=2 face="Courier New">give special status to any IP (IPv4
or IPv6) address block, it was agreed by the </font>
<br><font size=2 face="Courier New">community that the particular need
defined in this document is the only justifiable </font>
<br><font size=2 face="Courier New">exception to that general principle."
</font>
<br>
<br><font size=2 face="Courier New">Consequences of a policy change</font>
<br>
<br><font size=2 face="Courier New">After allowing special assignments
for anycast ccTLD/gTLD nameservers, there is a need to </font>
<br><font size=2 face="Courier New">establish consensus in the RIPE region
about which criteria will qualify a service to be </font>
<br><font size=2 face="Courier New">considered Internet critical infrastructure.
There might be other services beside TLD DNS </font>
<br><font size=2 face="Courier New">falling into this category.</font>
<br>
<br>
<br>
<br>
<br><font size=2 face="Courier New">Appendix I</font>
<br>
<br><font size=2 face="Courier New">APNIC Policy</font>
<br><font size=2 face="Courier New">(Following section is taken from http://www.apnic.net/docs/policy/add-manage-policy.html
- </font>
<br><font size=2 face="Courier New">11.3)</font>
<br>
<br><font size=2 face="Courier New">11.3 Critical infrastructure</font>
<br>
<br><font size=2 face="Courier New">The following critical infrastructure
networks, if operating in the</font>
<br><font size=2 face="Courier New">Asia Pacific region, are eligible to
receive a portable assignment:</font>
<br>
<br><font size=2 face="Courier New">* root domain name system (DNS) server;</font>
<br><font size=2 face="Courier New">* global top level domain (gTLD) nameservers;</font>
<br><font size=2 face="Courier New">* country code TLD (ccTLDs) nameservers;</font>
<br><font size=2 face="Courier New">* IANA;</font>
<br><font size=2 face="Courier New">* Regional Internet Registry (RIRs);
and</font>
<br><font size=2 face="Courier New">* National Internet Registry (NIRs).</font>
<br>
<br><font size=2 face="Courier New">Assignments to critical infrastructure
are available only to the actual operators of the network </font>
<br><font size=2 face="Courier New">infrastructure performing such functions.
Registrar organisations which do not actually host </font>
<br><font size=2 face="Courier New">the network housing the registry infrastructure,
will not be eligible for an assignment under </font>
<br><font size=2 face="Courier New">this policy.</font>
<br>
<br><font size=2 face="Courier New">The minimum assignment made under these
terms is /24.</font>
<br>
<br>
<br>
<br><font size=2 face="Courier New">Appendix II</font>
<br>
<br><font size=2 face="Courier New">ARIN Policy</font>
<br>
<br><font size=2 face="Courier New">(Following section taken from http://www.arin.net/policy/ipv4.html#microalloc)</font>
<br>
<br><font size=2 face="Courier New">Micro-allocations (Policy 2001-3)</font>
<br>
<br><font size=2 face="Courier New">Note: This policy makes obsolete the
former micro-allocation policy.</font>
<br>
<br><font size=2 face="Courier New">ARIN will make micro-allocations to
critical infrastructure providers of the Internet, </font>
<br><font size=2 face="Courier New">including public exchange points, core
DNS service providers (e.g. ICANN-sanctioned root, </font>
<br><font size=2 face="Courier New">gTLD, and ccTLD operators) as well
as the RIRs and IANA. These allocations will be</font>
<br><font size=2 face="Courier New">no longer than a /24 using IPv4 or
a /48 using IPv6. Multiple allocations may be</font>
<br><font size=2 face="Courier New">granted in certain situations.</font>
<br>
<br><font size=2 face="Courier New">Exchange point allocations MUST be
allocated from specific blocks reserved only for this </font>
<br><font size=2 face="Courier New">purpose. All other micro-allocations
WILL be allocated out of other blocks reserved for </font>
<br><font size=2 face="Courier New">micro-allocation purposes. ARIN will
make a list of these blocks publicly available.</font>
<br>
<br>
<br><font size=2 face="Courier New">Appendix III</font>
<br>
<br><font size=2 face="Courier New">LACNIC</font>
<br>
<br><font size=2 face="Courier New">(Following section is taken from http://lacnic.net/policy-en.pdf)</font>
<br>
<br><font size=2 face="Courier New">3.3.3 Micro Allocations</font>
<br>
<br><font size=2 face="Courier New">Micro allocation is the name given
to those allocations that imply blocks smaller than /20 but </font>
<br><font size=2 face="Courier New">always larger than or equal to /24.</font>
<br>
<br><font size=2 face="Courier New">LACNIC can grant this type of allocation
in case of projects and infrastructure for networks </font>
<br><font size=2 face="Courier New">that are key or critical for the region,
such as IXPs (Internet Exchange Points), NAPs </font>
<br><font size=2 face="Courier New">(Network Access Points), RIRs, ccTLDs,
among others.</font>
<br>
<br><font size=2 face="Courier New">In the case of IXPs or NAPs, in order
to be able to apply for this type of allocation, </font>
<br><font size=2 face="Courier New">organizations shall meet the following
requirements:</font>
<br>
<br><font size=2 face="Courier New">1. Duly document the following aspects:</font>
<br><font size=2 face="Courier New">1. 1Prove by means of their bylaws
their capacity of IXP or NAP. The organization shall have </font>
<br><font size=2 face="Courier New">at least three members and an open
policy in relation to the association of new members.</font>
<br><font size=2 face="Courier New">1. 2Submit a company structure organizational
diagram.</font>
<br><font size=2 face="Courier New">1. 3Document the numbering plan to
be implemented.</font>
<br><font size=2 face="Courier New">2. Provide a usage plan for the following
three and six months.</font>
<br>
<br><font size=2 face="Courier New">The rest of the applications shall
be studied based on the analysis of the documentation </font>
<br><font size=2 face="Courier New">justifying the critical and/or key
aspects of the project.</font>
<br><font size=2 face="Courier New">Organizations receiving micro allocations
are not authorized to suballocate these addresses.</font>
<br>
<br>
<br><font size=2 face="Courier New">-- </font>
<br><font size=2 face="Courier New">Andreas Baess</font>
<br><font size=2 face="Courier New">DENIC eG<br>
Wiesenh�ttenplatz 26<br>
D-60329 Frankfurt</font>
<br>