[NNagain] Artificial scarcity and virtual numbers, like IP addresses and certs
Dave Taht
dave.taht at gmail.com
Tue Nov 7 10:44:48 EST 2023
Last week a discussion started that is one of the sadder arguments in
favor of some forms of artificial scarcity across the internet I have
yet read, and a seemingly complete misunderstanding of the role of
the software that runs it - and it took a lot for me to recover enough
to try and counter it. To start off with a sideways example:
Everyone talks about planting more trees to cope with global warming.
Nobody talks about planting more fruit trees to feed more people
(while also helping with carbon capture). Why is that?
We had an apple tree next door when I was growing up, and our
neighbors made canned jam. During the season it was no trouble to jump
the fence and pick up a healthy snack.
Back when I had a house I had a plum tree that shed so much fruit it
kept me in jelly all year, and also fed a profusion of friends, deer
and other animals. I also had blackberries and raspberries on and
around the property and could usually pick breakfast or dessert in
under 15 minutes for many months out of the year.
The principal downsides are: the dang deer would eat my roses, too,
and raccoons would also turn over the garbage pail and scare my cat.
Blackberries are a pretty invasive species, you have to cut them back
yearly - and you can prick yourself picking them, but rather than
resent that I dreamed of having a more automated means of picking
them, perhaps via a daily drone.
Nowadays, my gf and I hunt mushrooms in multiple parks nearby. It is a
nice way to spend a morning. You can only do it a few days after rain
in the late fall, and it rains rarely here. Some of these are
poisonous, many, such as boletas - are utterly delicious. Their growth
process is so mysterious still, that there seems to be no way to
produce them in a factory farm.
You see a lot of FUD spread around, about the dangers of mushrooms,
but with a good guidebook, and experience,
it seems to work out ok for many. Still... it is rare to see an
American in the forest hunting mushrooms, we mostly see Japanese,
Mexicans, Chinese and Russians doing it.
A day where you can find 3 Boletas - is a VERY good day! That is
enough to flavor quite a few meals!
You walk a typical city street however, seeing no fruit trees, and
hear very few birds.
...
Not too many years ago, especially after the Snowden revelations,
encrypting all web traffic became a thing, and a bunch of wanna
monopolists attempted to make the processes for acquiring a cert
onerous and expensive. I am talking 1000s of dollars here, with fancy
procedures like locked physical vaults filled with these numbers. (for
those that do not know, a web certificate is just a string of numbers
and an authentication chain that ensures that the DNS name of a
website matches the website itself. The process of validating one, or
not, you have all seen. There are many other uses for certs in
general, and one of the most useful - and problematic - ones, is you
can setup a cert to expire after a given period of time)
A couple internet founders got kind of PO'd at all that monopolistic
behavior over the "open web", and started up LetsEncrypt,
which by evolution and rigorous automation made acquiring a "good"
cert child's play, (a minute, once), and thus everyone that wanted
good crypto and authentication on their website, personal, or
otherwise, got it. This is far too long a story to tell here, if I can
find a reference on it, I will post it. I think I am mixing up the
timelines some.
Much hewing and gnashing of teeth later the wanna-be monopolists
vanished, and anyone can get a cert for their application
so long as they have a public IP address and an entry in the global
DNS, from the letsencrypt system.
The process of democratizing good cryptography started long before
that with the openssl project, which was the baseline library that
many applications used to manage cryptography and certificates. Being
free software, and not horrible to deal with, and up to date, it ended
up being used by nearly everything on the web...
A downside to that was it wasn't until a major security hole was found
that the starving developers got a little long term support from the
now millions of users like banks and so on, and there is now enough
variety in the ecosystem of other codebases to make another bug that
big less terrifying. But trillions of dollars flow, still, through
older openssl versions, bugs are still being found, and fixed.
https://www.openssl.org/news/vulnerabilities.html
and the internet is currently going through contortions to cope with
far less complicated vulns such as:
https://www.darkreading.com/vulnerabilities-threats/critical-unpatched-cisco-zero-day-bug-active-exploit
...
More recently efforts to create artificial scarcity like NFTs were big
and ugly fads. The bubble on NFTs finally crashed a few years ago, as
did most (but not all) of the ones around web3. An image is just a
string of numbers. You have to accept somehow, mentally, that
someone's blockchain is authoritative, and thus! that image has value.
They didn't.
I am very happy to see some of the biggest grifters behind
"cryptocurrency" scams creating and then evaporating billions of
dollars of value via bad practices, hype, pump and dump and "rug
pulls" going to jail.
PT Barnum was right -
"there IS a sucker born every minute" - as was Mark Twain - "You can
fool some of the people some of the time".
Given the enormity of these levels of virtual theft I sometimes wish
the penalties for it still included time in the public stocks, and
severing of the hands, in the hope that it might deter more folk from
this course of action.
For all that, some forms of electronic currency strike me as pretty
good and useful. Coping with IBAN and swift is a PITA, but works for
many. Zelle is straightforward but not good internationally.
I think the transaction fees charged by most of the common ones rather
high and a real drain on the economy when compared to physical cash
but it seems cheaper than the cost of printing and distributing
physical money in the first place. India has rolled out a remarkably
cheap, transaction fee-less, version of ecurrency, as has China. I do
not know much about those, and wish I knew more.
I know plenty of businesses still, that prefer cash, and many more
that pass a 4% surcharge onto the customer when
credit is used.
I was a too-early adopter of eCash, (late 1990s) and being burned by
that I avoided bitcoin.
I still gawk at the idea that these strings of numbers got converted
from a unit of exchange and into being a store of
(pumped up) value. I guess I am unusual in disrespecting these forms
of commerce given how widely accepted other forms
of financial derivatives are and the commonness today of non-voting stock -
but with my savings account earning .01% and my credit cards costing
29%, perhaps I should have figured out a way to play in this or the
stock market long before now!
I know multiple people that did well "investing" into bitcoin. One
bought a house.
But in the end these are just strings of numbers scribbled into a ledger.
...
In 2016 John Gilmore convinced me that IPv4, and its 4 billion
addresses, needed to connect through it - still had life in it - and
was going to be needed for 50+ years more, for the Internet to
continue to interoperate, from a paper entitled "The Hidden Standards
War - Economic factors Affecting IPv6 deployment". It is in this
presentation here - which I certainly wish more people would read and
think about:
https://github.com/schoen/unicast-extensions/blob/master/docs/IPv4%20Unicast%20Extensions3.pdf
As part of the unicast extensions project...
We went and scanned *All* the open source code in the world, only to
find that certain "policy" restrictions
placed on IPv4 in the early 80s were not enforced in IoT, in zero
applications, and only a few mainline operating systems.
Notably the 240/4 (1/16th of the internet address space reserved in
1983 for "future use" - 240 million addresses!) - actually worked on
most devices already due to an effort dating back to 2008. I finished
the job with a very small set of patches with the only public
application left that did not work, we know of, being the bird routing
daemon, and the Windows OS. While my fingers were in there, I also
made 0/8 work (16 million addresses), and we crafted proposals also to
divvy up 127/8 more as to its original meaning of "local host
networking".
Back then I was more naive than I am today. I had thought that various
powers that be (the RIRs, ICANN, the IETF) would look at this vast
unused space with huge demand for it, as an opportunity, and that as
it did need an OS upgrade in many cases, that some adoption would
force more OS upgrades which also gave workable IPv6 support. I am
pretty sure that if a financial model emerged for supporting open
source software development with at least some of this space emerged,
that we could indeed roll out 240/4 in 3-7 years and it would be
immediately and incrementally useful to those limping on along on
limited or conflicting rfc1918 applications.
Instead... oh, I don't want to talk about it any more. I merely
justify to myself that eliminating the 0/8 check from Linux saves a
few nanoseconds on every packet. Our few weeks of effort saved money
and time for all the billions of users of containers and linux a few
hours after it deployed more widely as part of ubuntu, redhat, centos,
etc, etc.
But that is not the most hilarious thing. A goodly percentage of the
internet's IPv4 address space remains dark - and not online - given
the willy nilly allocations in the beginning and confused ownership
that has been hard to sort out since 1983. I have a /23 that I have
been sitting on for 30 years. I am happy ARIN is making it vastly
easier to get a BGP AS number at the beginning of next year. I kind
of view the dark areas on the ipv4 map as much like the FCC's wireless
spectrum maps.
Current market sales price for ipv4 is about $35/ip. Amazon looks to
be renting their 120 million allocations to the tune of $44B/year
starting in 2024.
Other address spaces belong to people that have died, or orgs that
have forgotten they had it in the first place, and some of the biggest
unused chunks are held by corps that haven't tried to realize their
market value yet - Apple has a /8 for example.
The biggest chunks of that dark space are actually held today by the
US government! Last I looked there were 11 /8s - 180m IPv4 addresses
held fallow, and a giant mystery around AS8003 - which started
announcing those, but not routing them:
https://www.kentik.com/blog/the-mystery-of-as8003/ - I do not know
what was going on here!? (anyone know?) I imagine at these prices that
these spaces hold great value for those attempting to cross the
digital divide and provide digital equity, as despite the successes of
carrier grade nat, real IPv4 addresses are needed along the edge to
provide good services through that, and real IPv4 addresses required
to interoperate with many vpns, at least.
Once upon a time someone with an IPv6 axe to grind, picked our second
weakest proposal (reducing the native "localhost" 127/8 address block
to a /16 and my use case, (others in the project differed) using up
the remaining to make kubernetes less of a hairball and more efficient
than rfc1918 host nat) For the record, our weakest proposal was trying
to find ways to reduce the multicast space (224/4) sanely to reflect
modern multicast IP addressing applications only using up about 8
dedicated ports total. Fixing this involves adding about 6 lines of
code to multiple OSes, not subtracting it. IPv6 involves adding and
testing 100s of thousands of lines of code to everything, the "adding"
part being mostly done, the testing part problematic, and the long
tail as per "The Hidden Standards War - Economic factors Affecting
IPv6 deployment" incredibly long.
I took so much flak from that 127/8 brigade, (tho we did get some
grudging approval of making 240/4 usable enough as at least rfc1918
space once we pointed it out) - and being busy with fixing
bufferbloat, which was far less controversial by that point, dropped
out of the unicast extensions project.
I like to think the IETF internet drafts we produced [3,4,5] are now
highly entertaining pieces of the historical record and who knows!? as
it has been 6+ years after the lines of code were deleted, the code
deployed in linux and BSD, and the world didn't melt, perhaps it will
gain traction. Since... Google used up 240/4 as a ipv6->ipv4 NAT
translator for a while, and amazon is also using up at least 240/8 and
242/8 for their own internal uses. [2] Perhaps their use cases can be
made official and shared with the rest of the internet denizens
someday, or my original dream of aiming for the 240/4 space to become
publicly available and operated succeed.
I keep hoping to get a project launched to just announce 255/8 onto
the global internet and see what, if anything, breaks. That is kind of
symbolically like 2.4ghz spectrum was "junk spectrum" originally.
There are a lot of other IPv4 things that could be made to work better
- udp-lite could be made to just work (already does) more globally,
thus doubling the
available port space for all udp-like traffic, as one example.
As for 0/8, I had fantasies of making that "just work" for a "space
RIR" nat translator and individual terminal address-ability, 0.0.0.1
being starfleet headquarters. It helps to have read the paper I
started with to realize we are going to be stuck with IPv4 for a lot
longer than most think. But the day I deleted this code, with perhaps
a someday value to someone of billions, was a good day.[5]
As Lessig once wrote - "code is law."
... sometimes it is bad law. Or just bugs.
...
This finally gets me to trying to talk about the string of flawed
analogies made in one of the posts - comparing a three tier passenger
railroad system with how the internet works. Physical goods and
infrastructure are vastly different from virtual goods, and the real
costs of development, deployment, and especially maintenance, of the
code on the internet, not well understood.
But that is all I intend to write for today. I would merely like more
folk to be aware that some numbers are only more valuable than others
due to arbitrary constraints and shared hallucinations.
[1] https://news.ycombinator.com/item?id=29246420
[2] https://news.ycombinator.com/item?id=32566730
[3] https://www.ietf.org/archive/id/draft-schoen-intarea-unicast-127-00.html
[4] https://www.ietf.org/archive/id/draft-schoen-intarea-unicast-240-00.html
[5] https://news.ycombinator.com/item?id=20430096
--
Oct 30: https://netdevconf.info/0x17/news/the-maestro-and-the-music-bof.html
Dave Täht CSO, LibreQos
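
Added example, not part of the original post and not code from Linux, BSD or the unicast extensions project: a small C model of the point above that reserving 0/8 and 240/4 is a policy expressed in a few lines of address checking, and that hosts on either side of the change give different verdicts for the same address. The function names and the two policies as written are assumptions made for illustration; the sample addresses are constructed.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Illustrative names, not any OS's API. Addresses are in host byte order. */
static bool in_block(uint32_t a, uint32_t net, int len)
{
    uint32_t mask = len ? ~(uint32_t)0 << (32 - len) : 0;
    return (a & mask) == net;
}

/* Blocks both policies keep out of ordinary unicast use. */
static bool loopback_or_multicast(uint32_t a)
{
    return in_block(a, 0x7f000000u, 8)      /* 127/8 */
        || in_block(a, 0xe0000000u, 4);     /* 224/4 */
}

/* Strict policy (assumed model): all of 0/8 and 240/4 refused. */
static bool unicast_ok_strict(uint32_t a)
{
    return !loopback_or_multicast(a)
        && !in_block(a, 0x00000000u, 8)     /* 0/8 */
        && !in_block(a, 0xf0000000u, 4);    /* 240/4 */
}

/* Relaxed policy: only 0.0.0.0 and 255.255.255.255 stay special. */
static bool unicast_ok_relaxed(uint32_t a)
{
    return !loopback_or_multicast(a)
        && a != 0x00000000u && a != 0xffffffffu;
}

/* -1 on parse error; else bit 0 = strict accepts, bit 1 = relaxed accepts. */
int classify(const char *dotted)
{
    struct in_addr ia;
    if (inet_pton(AF_INET, dotted, &ia) != 1)
        return -1;
    uint32_t a = ntohl(ia.s_addr);
    return (unicast_ok_strict(a) ? 1 : 0) | (unicast_ok_relaxed(a) ? 2 : 0);
}

int main(void)
{
    const char *s[] = { "0.0.0.1", "10.1.2.3", "240.0.0.1", "255.255.255.255" };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-16s strict/relaxed bits = %d\n", s[i], classify(s[i]));
}
```

A result of 2 marks an address that only the relaxed policy accepts, which is where filters and bogon lists written against the strict policy will disagree with hosts that have dropped the checks.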