Re: Standalone Stratum 1 NTP Server

2002-08-27 Thread Mike Lyon


http://www.truetime.com/index.html

Not exactly "stand alone" because you have to place the antenna somewhere
where it can see the GPS satellites as is the case with any Stratum 1
NTP device. Then you have to program the IP into it and plug the ethernet
into it. They are really simple to install and configure. They give you a
certain amount of Coax (you can order more if need be) and you put the
antenna on the roof and run it down to the receiver. Quite simple.

They have a couple different models to choose from.

-Mike



On Mon, 26 Aug 2002, Mike Leber wrote:

>
>
> I was wondering if anybody has any suggestions for a low priced, off the
> shelf, complete (includes any necessary receivers), standalone (as in you
> just plug it in and connect ethernet), stratum 1 NTP server?
>
> Please also mention where to buy it.
>
> Mike.
>
> +- H U R R I C A N E - E L E C T R I C -+
> | Mike Leber   Direct Internet Connections   Voice 510 580 4100 |
> | Hurricane Electric Web Hosting  Colocation   Fax 510 580 4151 |
> | [EMAIL PROTECTED]   http://www.he.net |
> +---+
>





Re: Paul's Mailfrom (Was: IETF SMTP Working Group Proposal at

2002-08-27 Thread Paul Vixie


> > ...and, occasionally, your ISP's "abuse desk."  If this function of
> > your ISP costs less than 1 FTE per 10,000 dialups or 1,000 T1's or 100
> > T3's, then your ISP is a slacker and probably a magnet for professional
> > spammers as well.

> Not to try to undercut the general point, but that would imply that
> Earthlink, AOL, and MSN (for examples) should have a combined abuse
> department of roughly 1500 employees.  Well, perhaps those were poor
> examples then.

as i told patrick, the numbers are round, and a survey is needed.  it's
definitely going to be the case that scale will lead to economy, and AOL
could most likely get by with only 100 full time "abuse desk" staffers
as long as the rest of their service model were optimized to make abuse
difficult to propagate.  i doubt they will comment in detail here, since
the actual numbers are likely to be some kind of internal secret.  i know
i get far less spam from AOL than i used to, and i've assumed that this
is because they decided to address the costs at the front end (in their
service model) rather than the back end (in endless cleanup.)

>  It would be wonderful if it were the case, and while it seems like
> laziness when we talk about the big guys, most middle sized providers
> just don't have the operating budgets to not slack at least a little bit.

whenever you get spammed, it's because some isp somewhere is a slacker,
and is letting you pay the price for their lack of investment in this
critical area.  (spam is not unlike route flaps in this way, i suppose.)

> But this debate (I'm not debating with *you*) keeps coming around full
> circle.  Perhaps the real social problem is convincing whatever standards
> bodies and vendors necessary that it is a technical problem.

i think it's clear that everybody wants it to be somebody else's problem.

> There seems to be far too much apathy (FUD?) rather than just designing a
> partial solution, however imperfect, and implementing it.

as the designer of several partial solutions which have been implemented, i
agree from experience.

spam's asymmetric cost:benefit ratio (between a spammer and a victim)
really institutionalizes apathy.  the benefit to one spammer in being able
to outwit a defense is a measurable success in that day's events.  the
benefit to one victim in being able to erect a defense which stops one kind
of spam or spam from one source or what have you is immeasurably small
compared to the deluge of other crap that'll come over the gunwales in the
same diurnal period.

no solution which does not progressively leverage the combined small
efforts of millions of spam victims will ever be measurably effective other
than in some small locality and/or for some brief instant.  see the DCC
for an example (http://dcc.rhyolite.com/) of how to build and apply that
leverage.  (i'm not giving the reference to vipul's razor because i said
"millions.")
-- 
Paul Vixie



Re: Paul's Mailfrom (Was: IETF SMTP Working Group Proposal atsmtpng.org)

2002-08-27 Thread Iljitsch van Beijnum


On Mon, 26 Aug 2002, Greg A. Woods wrote:

> > > Well, you might be able to pay your ISP for that kind of service, but
> > > not all ISPs need supply such service and certainly not many users
> > > really _need_ such a level of service.

> > So now I have to justify the kind of services I want to use? What's next,
> > me having to register the words I'd like to say over the phone with my
> > phone company?

> Your analogy is pretty stupid.

Thank you for your kind words, but I have to disagree. It is not an ISP's
business what's in the packets I send, just like it's not the phone
company's business what I say over the phone. Whatever happened to
innocent until proven guilty? If they get a complaint that holds up to
some scrutiny, they can start looking at what I'm doing. But filtering
beforehand just because I _may_ do something bad sets a big, fat, ugly
precedent.

> Some lame luser with a set-top box (the majority of all users, lame and
> otherwise) never ever needs to send arbitrary IP packets to arbitrary IP
> addresses.

And East Germans have no reason to visit West Germany, so that wall was a
good thing after all.

> Are you trying to say that the Internet should be restricted to only
> those who can responsibly send arbitrary IP packets to arbitrary IP addresses?

People should be able to handle arbitrary incoming IP packets (although
not necessarily arbitrary numbers of them). If you don't like receiving
something, what is the smart thing to do: ask several hundred million
people not to send it, or filter it out yourself?

Don't try teaching pigs to sing. It wastes your time, and annoys the pig.




Re: Paul's Mailfrom (Was: IETF SMTP Working Group Proposal atsmtpng.org)

2002-08-27 Thread Bruce Campbell


On Mon, 26 Aug 2002, Brad Knowles wrote:

>   I still think that it causes problems for mailing lists.

I understand the proposal to be based on the envelope sender, not the
sender in the body.  Hence, mailing lists work, because they are the
envelope sender, not the person who submitted the mail to the mailing
list.

If that is not the case, then Paul needs to be hassled until the wording
is clear that mailing lists will continue to work.

>   Moreover, you need to know the complete outbound path for all
> e-mail, from soup to nuts, so that you can add all those machines to
> the list of known mail-from MX entries for your domain.
>
>   I'm sorry, complete information like this just doesn't exist
> anymore.  Knowledge like this did exist twenty or more years ago,

Pardon?  Are you saying that for a given entity (say, example.com), your
administrative procedures are such that you do not know all the machines
that can send email directly to that part of the Internet outside that
entity?

Even for an entity like aol.com, their outbound mail servers appear to be
a small(ish) set of circa 20 machines which can be listed appropriately by
AOL.

> back when there were only a few UUCP nodes.  But even then, things
> quickly got to a point where people couldn't possibly know all
> possible paths between any two points, and people just listed their
> address from a small set of "well known" nodes.

Yes, entirely correct.  However, the bulk of the Internet mail today is
from one host to another host.  Knowledge of the path the mail takes, on
the SMTP level, is not needed by the mailer, unlike UUCP which required
the mailer to be aware of various routing topologies.

The rest of your mail is an invitation to clean up the little bit of
forward and reverse domain space that is under your immediate control,
which is a Good Thing IMO.

--==--
Bruce.





Re: Paul's Mailfrom (Was: IETF SMTP Working Group Proposal at smtpng.org)

2002-08-27 Thread michael . dillon


Filters are static things, that have to be updated, and can't see every
case that comes through.

It might be possible to make filters that don't need to be updated that
often if you apply AI techniques to recognizing spam. For instance, check
out this new approach:
 http://www.paulgraham.com/paulgraham/spam.html


--Michael Dillon



Re: Standalone Stratum 1 NTP Server

2002-08-27 Thread CARL . P . HIRSCH



If GPS visibility is not an option (GPS can be very finicky about being
able to see an open percentage of the sky), then CDMA signals are also an
option in the states. Handy if the installation is going to be in a
highrise. Prices seem to vary greatly between manufacturers, I've gotten
quotes on both of these in the past but I'm not finding the post-it I'd
written that info upon.

http://www.endruntechnologies.com/ntp-server.htm
http://www.datum.com/tt/pages/tymserve/2100.html

HTH,
-carl


Mike Lyon wrote on 08/27/02 02:43 AM (Subject: Re: Standalone Stratum 1 NTP Server):

http://www.truetime.com/index.html

Not exactly "stand alone" because you have to place the antenna somewhere
where it can see the GPS satellites as is the case with any Stratum 1
NTP device. Then you have to program the IP into it and plug the ethernet
into it. They are really simple to install and configure. They give you a
certain amount of Coax (you can order more if need be) and you put the
antenna on the roof and run it down to the receiver. Quite simple.

They have a couple different models to choose from.

-Mike



On Mon, 26 Aug 2002, Mike Leber wrote:

>
>
> I was wondering if anybody has any suggestions for a low priced, off the
> shelf, complete (includes any necessary receivers), standalone (as in you
> just plug it in and connect ethernet), stratum 1 NTP server?
>
> Please also mention where to buy it.
>
> Mike.
>
> +- H U R R I C A N E - E L E C T R I C -+
> | Mike Leber   Direct Internet Connections   Voice 510 580 4100 |
> | Hurricane Electric Web Hosting  Colocation   Fax 510 580 4151 |
> | [EMAIL PROTECTED]   http://www.he.net |
> +---+
>










SWIP weirdness

2002-08-27 Thread matthew zeier



The new ARIN SWIP template confuses me.  The reassign-simple I sent in
last night came back with:

> Fail to Pass Validation. Error Message:
> *PUBLIC COMMENTS can not be removed

I had:

> 9. Customer Country Code: US
> 10. Public Comments: NONE
>
> END OF TEMPLATE


And the docs say:


PUBLIC COMMENTS SECTION (Optional)

10. If there are any comments that you would like publicly displayed in
WHOIS regarding this registration, detail them here. If you wish to
remove the publicly displayed comments from WHOIS, enter NONE.


Where's the misunderstanding?

--
matthew zeier - "Curiosity is a willing, a proud, an eager confession
of ignorance." - Leonard Rubenstein




198.41.0.0/22 ? whois-servers.net

2002-08-27 Thread Mike Tancsa


Anyone know what's up with 198.41.0.0/22 ?  I am seeing all sorts of whois
lookup failures as a result.
route-views.oregon-ix.net>show ip bgp 198.41.0.0/22
% Network not in table
route-views.oregon-ix.net>

net.whois-servers.net

---Mike

Mike Tancsa,  tel +1 519 651 3400
Sentex Communications,[EMAIL PROTECTED]
Providing Internet since 1994www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike




IPv6 Interview Questions and critic

2002-08-27 Thread Joe Baptista



Hi:

I'm doing an article on IPv6 and am looking for comments - here is a
portion on IPv6 which relates to the privacy issue ... any comments,
critics or interviews welcomed.

-- snip
As you know IPv6 is a suite of protocols for the network layer of the
Internet which uses IPv4 gateways.  Its purpose is to expand address
space.  At this time IPv6 comes prepackaged with all popular operating
systems. This includes all flavours of Unix, Windows and Mac OS.

IPv6 is designed to solve many of the problems of the current version of
IPv4 with regard to address depletion. The goal is to use IPv6 to expand
the capabilities of the Internet to enable a variety of valuable
peer-to-peer and mobile applications.  According to many industry pundits
it is the future of networking.

However IPv6 has many privacy issues. IPv6 address space uses an ID
(identifier) derived from your hardware or phone.  "That allows your
packets to be traced back to your PC or cell-phone" said .
 fears abuse as a hardware ID wired into the IPv6 protocol can
be used to determine the manufacturer, make and model number, and value
of the hardware equipment being used by the end user.

IPv6 empowers the business community by providing a means of identifying
and tracking users.  Under IPv6 users can be tracked and income
demographics determined through hardware identification.

Many members of the networking community have addressed concerns that the
technology could result in potential abuse and  warns users to
think twice before they buy themselves a used laptop computer and inherit
all the prior surfing history of the previous user.

IPv6 uses 128 bits to provide addressing, routing and identification
information on a computer. The 128 bits are divided into the left 64 and
the right 64.  IPv6 uses the right 64 bits to store an IEEE defined global
identifier (EUI64). This identifier is composed of a company id value
assigned to a manufacturer by the IEEE Registration Authority. The 64-bit
identifier is a concatenation of the 24-bit company_id value and a 40-bit
extension identifier assigned by the organization with that company_id
assignment. The 48-bit MAC address of your network interface card is also
used to make up the EUI64.
-- snip

Cheers Joe Baptista

--
Planet Communications & Computing Facility
a division of The dot.GOD Registry, Limited




Re: IPv6 Interview Questions and critic

2002-08-27 Thread Stephen J. Wilcox



ooh how exciting, you can tell who uses 3Com network cards :)


Most networks eg P2P will use /127 and not use MAC anyway so I can't see this
being a privacy issue on anything but end devices and you can override if you
feel the need...

On end devices by default yes it uses MAC, I can't see why this would be a real
security hole.. vulnerabilities exist in the OS/Apps not the hardware. For the
paranoid there's no reason why you can't manually assign the full IPv6 address
anyhow, the use of MACs is only there to provide convenience so users don't need
to configure their networks.

NMAP fingerprinting is of far more interest than what NIC vendor whitehouse.gov
uses (unless you're doing market research on NIC cards I guess ;)

Steve


On Tue, 27 Aug 2002, Joe Baptista wrote:

> 
> 
> Hi:
> 
> I'm doing an article on IPv6 and am looking for comments - here is a
> portion on IPv6 which relates to the privacy issue ... any comments,
> critics or interviews welcomed.
>
> -- snip
> As you know IPv6 is a suite of protocols for the network layer of the
> Internet which uses IPv4 gateways.  Its purpose is to expand address
> space.  At this time IPv6 comes prepackaged with all popular operating
> systems. This includes all flavours of Unix, Windows and Mac OS.
>
> IPv6 is designed to solve many of the problems of the current version of
> IPv4 with regard to address depletion. The goal is to use IPv6 to expand
> the capabilities of the Internet to enable a variety of valuable
> peer-to-peer and mobile applications.  According to many industry pundits
> it is the future of networking.
>
> However IPv6 has many privacy issues. IPv6 address space uses an ID
> (identifier) derived from your hardware or phone.  "That allows your
> packets to be traced back to your PC or cell-phone" said .
>  fears abuse as a hardware ID wired into the IPv6 protocol can
> be used to determine the manufacturer, make and model number, and value
> of the hardware equipment being used by the end user.
>
> IPv6 empowers the business community by providing a means of identifying
> and tracking users.  Under IPv6 users can be tracked and income
> demographics determined through hardware identification.
>
> Many members of the networking community have addressed concerns that the
> technology could result in potential abuse and  warns users to
> think twice before they buy themselves a used laptop computer and inherit
> all the prior surfing history of the previous user.
>
> IPv6 uses 128 bits to provide addressing, routing and identification
> information on a computer. The 128 bits are divided into the left 64 and
> the right 64.  IPv6 uses the right 64 bits to store an IEEE defined global
> identifier (EUI64). This identifier is composed of a company id value
> assigned to a manufacturer by the IEEE Registration Authority. The 64-bit
> identifier is a concatenation of the 24-bit company_id value and a 40-bit
> extension identifier assigned by the organization with that company_id
> assignment. The 48-bit MAC address of your network interface card is also
> used to make up the EUI64.
> -- snip
> 
> Cheers Joe Baptista
> 
> --
> Planet Communications & Computing Facility
> a division of The dot.GOD Registry, Limited
> 
> 




Re: IPv6 Interview Questions and critic

2002-08-27 Thread John Palmer



- Original Message -
From: "Joe Baptista" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, August 27, 2002 09:41
Subject: IPv6 Interview Questions and critic


>
>
> Hi:
>
> I'm doing an article on IPv6 and am looking for comments - here is a
> portion on IPv6 which relates to the privacy issue ... any comments,
> critics or interviews welcomed.
>
> -- snip
> As you know IPv6 is a suite of protocols for the network layer of the
> Internet which uses IPv4 gateways.  Its purpose is to expand address
> space.  At this time IPv6 comes prepackaged with all popular operating
> systems. This includes all flavours of Unix, Windows and Mac OS.

Windows? I don't think so, not yet anyways

>
> IPv6 is designed to solve many of the problems of the current version of
> IPv4 with regard to address depletion. The goal is to use IPv6 to expand
> the capabilities of the Internet to enable a variety of valuable
> peer-to-peer and mobile applications.  According to many industry pundits
> it is the future of networking.
>
> However IPv6 has many privacy issues. IPv6 address space uses an ID
> (identifier) derived from your hardware or phone.

Hmm - if you mean that there will now be enough addresses to assign each
device its own IP6 Address - then yah. Other than that, how is it "derived"
from the hardware.

> IPv6 empowers the business community by providing a means of identifying
> and tracking users.  Under IPv6 users can be tracked and income
> demographics determined through hardware identification.
>
> Many members of the networking community have addressed concerns that the
> technology could result in potential abuse and  warns users to
> think twice before they buy themselves a used laptop computer and inherit
> all the prior surfing history of the previous user.
>

Hmm - again, I would be upset if I wasn't able to CHANGE the IP6 addy
because this would be true.






Re: SWIP weirdness

2002-08-27 Thread ginny listman


Mr. Zeier,

I have just reviewed the template you submitted. The error listed below was
generated because the template you submitted was a NEW. The NONE feature
is used to remove existing public comments. We will modify our software to
be more forgiving in the future. BTW, Registration Services has
successfully processed your template, and you should have a confirmation
in your inbox.

Ginny Listman
Director of Engineering
ARIN

On Tue, 27 Aug 2002, matthew zeier wrote:

>
>
> The new ARIN SWIP template confuses me.  The reassign-simple I sent in
> last night came back with:
>
> > Fail to Pass Validation. Error Message:
> > *PUBLIC COMMENTS can not be removed
>
> I had:
>
> > 9. Customer Country Code: US
> > 10. Public Comments: NONE
> >
> > END OF TEMPLATE
>
>
> And the docs say:
>
>
> PUBLIC COMMENTS SECTION (Optional)
>
> 10. If there are any comments that you would like publicly displayed in
> WHOIS regarding this registration, detail them here. If you wish to
> remove the publicly displayed comments from WHOIS, enter NONE.
>
>
> Where's the misunderstanding?
>
> --
> matthew zeier - "Curiosity is a willing, a proud, an eager confession
> of ignorance." - Leonard Rubenstein
>




Re: IPv6 Interview Questions and critic

2002-08-27 Thread Eric Gauthier


Joe,

> Ipv6 uses 128 bits to provide addressing, routing and identification
> information on a computer. The 128-bits are divided into the left-64 and
> the right-64.  Ipv6 uses the right 64 bits to store an IEEE defined global
> identifier (EUI64). This identifier is composed of company id value
> assigned to a manufacturer by the IEEE Registration Authority. The 64-bit
> identifier is a concatenation of the 24-bit company_id value and a 40-bit
> extension identifier assigned by the organization with that company_id
> assignment. The 48-bit MAC address of your network interface card is also
> used to make up the EUI64.

I'm definitely not an expert, but my understanding is that the left 64
bits are structured as an EUI64 "address" but are not REQUIRED to be
your system's MAC address.  By default, your system may choose to populate
the bits with your MAC, but your system could also choose to populate
it with something else.  This gets around privacy issues (i.e. CNN
being able to track my travel habits by watching their web server access
logs) but it does pose some interesting issues for filtering at an Enterprise
which wants to give certain levels of access to certain people.

You might want to pose your question to one of the IPv6 mailing lists -
either [EMAIL PROTECTED] or [EMAIL PROTECTED]

Eric :)
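Joe's EUI64 description and Eric's point that those bits need not be the MAC, worked through as an added example (not code from any post in the thread): the prefix 2001:db8:1:2::/64 is a constructed sample, the MAC 34:56:78:9a:bc:de is the worked example from RFC 4291 appendix A, whose modified-EUI-64 rules the code follows with the identifier in the low-order 64 bits, and the random identifiers are in the style of the RFC 3041 privacy extensions.

```python
import ipaddress
import secrets

# Constructed sample values (the MAC is the RFC 4291 appendix A example).
SAMPLE_PREFIX = "2001:db8:1:2::/64"
SAMPLE_MAC = "34:56:78:9a:bc:de"


def mac_to_modified_eui64(mac: str) -> bytes:
    """Build the 64-bit interface identifier that stateless autoconfiguration
    derives from a 48-bit MAC: 24-bit company_id (OUI) + 0xFFFE + 24-bit
    extension, with the universal/local bit (0x02 in octet 0) inverted."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (high 64 bits) with the MAC-derived identifier
    (low 64 bits), which is what a host does when it "just plugs in"."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + mac_to_modified_eui64(mac))


def looks_mac_derived(addr: str) -> bool:
    """Auditor's heuristic: 0xFFFE in octets 11-12 plus the universal bit set
    almost always means the low 64 bits were built from a MAC address."""
    packed = ipaddress.IPv6Address(addr).packed
    return packed[11:13] == b"\xff\xfe" and bool(packed[8] & 0x02)


def recover_mac(addr: str):
    """Reverse the derivation: (oui, mac) when the address looks MAC-derived,
    else None. The OUI is what lets an observer look up the NIC vendor, which
    is the exposure the thread is arguing about."""
    if not looks_mac_derived(addr):
        return None
    iid = ipaddress.IPv6Address(addr).packed[8:]
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    mac = ":".join(f"{b:02x}" for b in octets)
    return mac[:8], mac


def random_iid() -> bytes:
    """Privacy-extension style identifier: 64 random bits with the
    universal/local bit cleared, so nothing about the hardware is encoded."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD
    return bytes(iid)


def privacy_address(prefix: str) -> ipaddress.IPv6Address:
    """Same prefix as slaac_address, but a temporary identifier that a host
    can rotate at will; it never passes looks_mac_derived."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return ipaddress.IPv6Address(net.network_address.packed[:8] + random_iid())


def audit(addresses):
    """Map each address (from a web log or neighbour table) to the MAC it
    exposes, or None when the identifier is not MAC-derived."""
    return {a: (recover_mac(a) or (None, None))[1] for a in addresses}


if __name__ == "__main__":
    auto = slaac_address(SAMPLE_PREFIX, SAMPLE_MAC)
    temp = privacy_address(SAMPLE_PREFIX)
    for label, a in (("autoconfigured", auto), ("privacy extension", temp)):
        print(f"{label:18} {a}  exposes MAC: {recover_mac(str(a))}")
```

The audit helper is the defender's view of the thread: run over a server log it shows which client addresses are advertising their NIC vendor, i.e. which hosts would benefit from the random identifiers Eric describes.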



Re: Paul's Mailfrom (Was: IETF SMTP Working Group Proposal at

2002-08-27 Thread Paul Vixie


> > I still think that it causes problems for mailing lists.
> 
> I understand the proposal to be based on the envelope sender, not the
> sender in the body.  Hence, mailing lists work, because they are the
> envelope sender, not the person who submitted the mail to the mailing
> list.

numerically speaking, most mailing lists are simple exploding forwarders
on par with a sendmail "aliases" entry.  in this case the envelope sender
won't change at forwarding time, and this would cause a problem if it were
possible to repudiate mail sources.  such mailing lists would have to 
change from

list: person1, person2, ...

to

list: "|sendmail -flist-request person1 person2 ..."
list-request: postmaster

and that's what http://www.vix.com/~vixie/mailfrom.txt means when it says

   This could scale poorly and may add pressure toward transport remailing
   (with a new envelope) rather than transport forwarding (reusing the old
   envelope.)

> If that is not the case, then Paul needs to be hassled until the wording
> is clear that mailing lists will continue to work.

i don't think sendmail.cf code fragments are equivalent to IOS command line
fragments.  in other words nothing from this thread can be cut and pasted
into mr. bush's router (or anybody else's router).  there are other lists
which are way more appropriate than nanog@ for discussion of spam, and even
the mailfrom proposal.  i mentioned it not because it needed a hearing --
it had already been heard on those very other lists i mentioned -- but to
demonstrate that the most powerful force on the internet is someone who
says something won't work.  thank y'all for your help in the demonstration.
-- 
Paul Vixie



Re: Paul's Mailfrom (Was: IETF SMTP Working Group Proposal at

2002-08-27 Thread Paul Vixie


[EMAIL PROTECTED] (Paul Vixie) writes:

> whenever you get spammed, it's because some isp somewhere is a slacker,

what i meant to say was "whenever you're getting repeat spam from the same
place, day after week after month, it's because some isp somewhere is a
slacker."  any given isp can be attacked and used to send outbound spam.
but not every isp can be used in this way over and over by the same bunch
of people.  to the second group, i say: "please shift the cost of dealing
with spam from your network, back inside your network."
-- 
Paul Vixie



Re: IPv6 Interview Questions and critic

2002-08-27 Thread Kevin Oberman


> From: "John Palmer" <[EMAIL PROTECTED]>
> Date: Tue, 27 Aug 2002 09:52:01 -0500
> Sender: [EMAIL PROTECTED]
> 
> 
> 
> - Original Message -
> From: "Joe Baptista" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, August 27, 2002 09:41
> Subject: IPv6 Interview Questions and critic
> 
> 
> >
> >
> > Hi:
> >
> > I'm doing an article on IPv6 and am looking for comments - here is a
> > portion on IPv6 which relates to the privacy issue ... any comments,
> > critics or interviews welcomed.
> >
> > -- snip
> > As you know IPv6 is a suite of protocols for the network layer of the
> > Internet which uses IPv4 gateways.  Its purpose is to expand address
> > space.  At this time IPv6 comes prepackaged with all popular operating
> > systems. This includes all flavours of Unix, Windows and Mac OS.
> 
> Windows? I don't think so, not yet anyways

Yes, Windows. Today. Now. But you must explicitly enable it at this
time.

I have been told that it will come enabled with Windows XP SP2. I
don't know exactly when SP2 is scheduled for release.

R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: [EMAIL PROTECTED]  Phone: +1 510 486-8634



Re: IPv6 Interview Questions and critic

2002-08-27 Thread Kevin Oberman


> Date: Tue, 27 Aug 2002 10:41:08 -0400 (EDT)
> From: Joe Baptista <[EMAIL PROTECTED]>
> Sender: [EMAIL PROTECTED]
> 
> 
> 
> Hi:
> 
> I'm doing an article on IPv6 and am looking for comments - here is a
> portion on IPv6 which relates to the privacy issue ... any comments,
> critics or interviews welcomed.
> 
> -- snip
> As you know IPv6 is a suite of protocols for the network layer of the
> Internet which uses IPv4 gateways.  Its purpose is to expand address
> space.  At this time IPv6 comes prepackaged with all popular operating
> systems. This includes all flavours of Unix, Windows and Mac OS.
> 
> IPv6 is designed to solve many of the problems of the current version of
> IPv4 with regard to address depletion. The goal is to use IPv6 to expand
> the capabilities of the Internet to enable a variety of valuable
> peer-to-peer and mobile applications.  According to many industry pundits
> it is the future of networking.
> 
> However IPv6 has many privacy issues. IPv6 address space uses an ID
> (identifier) derived from your hardware or phone.  "That allows your
> packets to be traced back to your PC or cell-phone" said .
>  fears abuse as a hardware ID wired into the IPv6 protocol can
> be used to determine the manufacturer, make and model number, and value
> of the hardware equipment being used by the end user.
> 
> IPv6 empowers the business community by providing a means of identifying
> and tracking users.  Under IPv6 users can be tracked and income
> demographics determined through hardware identification.
> 
> Many members of the networking community have addressed concerns that the
> technology could result in potential abuse and  warns users to
> think twice before they buy themselves a used laptop computer and inherit
> all the prior surfing history of the previous user.
> 
> IPv6 uses 128 bits to provide addressing, routing and identification
> information on a computer. The 128 bits are divided into the left 64 and
> the right 64.  IPv6 uses the right 64 bits to store an IEEE defined global
> identifier (EUI64). This identifier is composed of a company id value
> assigned to a manufacturer by the IEEE Registration Authority. The 64-bit
> identifier is a concatenation of the 24-bit company_id value and a 40-bit
> extension identifier assigned by the organization with that company_id
> assignment. The 48-bit MAC address of your network interface card is also
> used to make up the EUI64.
> -- snip

This is really pretty silly.

Only end nodes will auto-configure with the MAC address used for 48
bits of the IPv6 address. Exactly how this is a serious privacy issue
continues to elude me, but I suppose that the paranoid may want to
change it to something else. (And change it on an hourly basis, if
they are REALLY paranoid.)

Nothing mandates the contents of the lower 64 bits of the IPv6
address. The use of the MAC address is a simple convenience so that
you can just plug in an IPv6 system and run without need for a DHCP
server or any manual configuration. If you want to over-ride the MAC
address portion, it's your business.

God help us all if someone discovers that I use both Intel and 3Com
cards! (Not to mention Agere on occasion.)

R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: [EMAIL PROTECTED]  Phone: +1 510 486-8634



60 Hudson peering

2002-08-27 Thread Ralph Doncaster


I have a POP in 60 Hudson, 19th floor.  The only peering exchange I'm
aware of in the building is Stealth's IPV6 exchange in Tel-X (23rd
floor).  If there's any interest in IPV4 peering from any networks with a
presence on the 19th, I'd be willing to provide free 100baseTx ports on a
peering switch in 1904.

I'm aware of MetroIX, but that's on the 15th floor and it's unreasonably
expensive to get fiber cross-connects between floors in 60 Hudson, and
cat5 cross-connects aren't even available between the 19th and 15th
floors.

Ralph Doncaster
principal, IStop.com




Re: Standalone Stratum 1 NTP Server

2002-08-27 Thread Mike Lyon


Here is your base pricing from Truetime:

NTS-150 $2395
NTS-200 $3595

-Mike



On Tue, 27 Aug 2002, John Todd wrote:

> Happen to know what the base price is for these?   "Low price" is a
> relative term when dealing with clock makers.  :)
>
> JT
>
>
> >http://www.truetime.com/index.html
> >
> >Not exactly "stand alone" because you have to place the antenna somewhere
> >where it can see the GPS satellites as is the case with any Stratum 1
> >NTP device. Then you have to program the IP into it and plug the ethernet
> >into it. They are really simple to install and configure. They give you a
> >certain amount of Coax (you can order more if need be) and you put the
> >antenna on the roof and run it down to the receiver. Quite simple.
> >
> >They have a couple different models to choose from.
> >
> >-Mike
> >
> >
> >
> >On Mon, 26 Aug 2002, Mike Leber wrote:
> >
> >>
> >>
> >>  I was wondering if anybody has any suggestions for a low priced, off the
> >>  shelf, complete (includes any necessary receivers), standalone (as in you
> >>  just plug it in and connect ethernet), stratum 1 NTP server?
> >>
> >>  Please also mention where to buy it.
> >>
> >>  Mike.
> >>
> >>  +- H U R R I C A N E - E L E C T R I C -+
> >>  | Mike Leber   Direct Internet Connections   Voice 510 580 4100 |
> >>  | Hurricane Electric Web Hosting  Colocation   Fax 510 580 4151 |
> >>  | [EMAIL PROTECTED]   http://www.he.net |
> >>  +---+
> >>
>

-- 
/
-  Mike Lyon-
-   Studio Engineer -
-   KKUP Public Radio, Cupertino, Ca-
-Cell:  408-621-4826-
- www.fitzharris.com/~mlyon -
/




[OT] Re: IPv6 Interview Questions and critic

2002-08-27 Thread William Waites


>>> "Kevin" == Kevin Oberman <[EMAIL PROTECTED]> writes:

Kevin> This is really pretty silly.

Not really, Joe may actually have  a point here.  

Kevin> Only  end nodes  will auto-configure  with the  MAC address
Kevin> used for 48 bits of the IPv6 address. Exactly how this is a
Kevin> serious privacy issue continues  to elude me, but I suppose
Kevin> that  the paranoid  may want  to change  it to  some things
Kevin> else. (And change it on an hourly basis, if they are REALLY
Kevin> paranoid.)

The reason  for EUI64  is to  provide a sensible  default for  the end
system  address.  Yes  it  is  possible  for  anyone  with  sufficient
motivation to use something else,  but the vast majority of users will
just plug in their laptops and get an address.

What information  can be reconstructed  from this? For a  mobile user,
you could construct a list of the providers and POPs that they tend to
use. This  means that when I use  google, they can easily  tell that I
live in  abc neighborhood and  work at xyz  company and tend  to spend
time surfing the  web at my friend's place across  town.  That is, you
can infer patterns of physical movement of the device and the user.

The worry is not so much  about the people with the technical savvy to
randomize their addresses,  but about everybody else that  is not even
aware that they're making  themselves and their movements conveniently
identifiable.

Don't credit cards  and cell phones do the same  thing? Yes, it is the
same problem. But in those cases, at least there are more barriers
to getting at and using the information... In theory...

Kevin> God help us all if someone discovers that I use both Intel and
Kevin> 3Com cards! (Not to mention Agere on occasion.)

Just wait  until you start getting targeted  advertising from Realtek!

;)

-w



Re: Paul's Mailfrom (Was: IETF SMTP Working Group Proposal at smtpng.org)

2002-08-27 Thread Lyndon Nerenberg


> So what's so bad about forwarding all tcp/25 traffic over that relay and
> letting that relay decide if the MAIL FROM: is allowed to be relayed?

Because I want to send mail through my own SMTP server that speaks
STARTTLS and uses certificates that are under my control.

Maybe I don't want my email sitting around in your MTA queue for
your sysadmins to read.

Or maybe you just don't have a clue about how to configure and run
an MTA, therefore any mail I send through your enforced gateway
gets silently black-holed.

> And if a client wants to mail from another domain which isn't relayed by
> its upstream ISP, he/she could ask its ISP to do so.
> Yes this will add an administrative hassle, but doesn't spam imply that
> also?

Do you *honestly* believe what you wrote above? Do you have any experience
trying to actually get these sort of changes made? Can you provide
statistically valid numbers showing this is a realistic solution in
the real world? (Frankly, this proposal is so absurd I have to wonder
if you've even dealt with *an* ISP ...)

The Internet is a peer-to-peer network, whether you like it or not.

--lyndon

Lizzie Borden took an axe,
And plunged it deep into the VAX;
Don't you envy people who
Do all the things YOU want to do?



Re: wcom issues in SF Bay area?

2002-08-27 Thread Mark Kent


>> So, is there a significant Worldcom operational issue that
>> has not yet been reported to nanog?  

To answer my own question: Yes, there was a problem on the MFS
ring between S63 and S77 (a "BZ ring" problem).   Fixed  with 
a card swap yesterday near mid-day.

-mark



Re: 60 Hudson peering

2002-08-27 Thread Jeffrey Meltzer


$750 is not unreasonable for 2 strand dark fiber in 60 Hudson.  And if you
work hard, you can get this down to $500.  Check 111 8th Ave, it costs well
into the $3,000/mo range generally.

In addition, we're already working on (in progress) cat5 xcon's between TelX and
suite 1505 in 60 Hudson.  However, how much do you think that would cost?
Not all that much less, figure in the $300/mo range.

Furthermore, anyone peering inside of TelX is probably doing it privately
and because of the cost of xcon's there, probably would keep doing it
privately.

BTW, if anyone is interested in speaking about MetroIX, contact myself or
Avi off-list.  It's been moving along slowly as people re-evaluate peering
arrangements, companies that we talk to disappear, etc ;)  People like to
see things done instantly in this market, but that's not always the best way
to get things done right...

Jeff

On Tue, Aug 27, 2002 at 12:38:43PM -0400, Ralph Doncaster wrote:
> 
> I have a POP in 60 Hudson, 19th floor.  The only peering exchange I'm
> aware of in the building is Stealth's IPV6 exchange in Tel-X (23rd
> floor).  If there's any interest in IPV4 peering from any networks with a
> presence on the 19th, I'd be willing to provide free 100baseTx ports on a
> peering switch in 1904.
> 
> I'm aware of MetroIX, but that's on the 15th floor and its unreasonably
> expensive to get fiber cross-connects between floors in 60 Hudson, and
> cat5 cross-connects aren't even available between the 19th and 15th
> floors.
> 
> Ralph Doncaster
> principal, IStop.com
> 



Re: IPv6 Interview Questions and critic

2002-08-27 Thread Petri Helenius


Kevin Oberman wrote:

> Yes, Windows. Today. Now. But you must explicitly enable it at this
> time.
> 
The one that ships with Win XP is quite seriously broken in its 
resolver behaviour (you'll not be able to reach many IPv4 WWW
sites after enabling it) and additionally none of the Windows
services, which would make it useful within a corporate network,
are IPv6 enabled.

> I have been told that it will come enabled with Windows XP SP2. I
> don't know exactly when SP2 is scheduled for release.

It would be nice if at that point one could get away with IPv6-only 
intranet with IPv4 proxy/NAT to the outside. But I don't see that
happening with the rate of progress Windows has got anytime soon.

Pete

> 
> R. Kevin Oberman, Network Engineer
> Energy Sciences Network (ESnet)
> Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
> E-mail: [EMAIL PROTECTED]  Phone: +1 510 486-8634



Re: IPv6 Interview Questions and critic

2002-08-27 Thread Peter John Hill



On Tuesday, August 27, 2002, at 10:41  AM, Joe Baptista wrote:

> Ipv6 uses 128 bits to provide addressing, routing and identification
> information on a computer. The 128-bits are divided into the left-64 
> and
> the right-64.  Ipv6 uses the right 64 bits to store an IEEE defined 
> global
> identifier (EUI64). This identifier is composed of company id value
> assigned to a manufacturer by the IEEE Registration Authority. The 
> 64-bit
> identifier is a concatenation of the 24-bit company_id value and a 
> 40-bit
> extension identifier assigned by the organization with that company_id
> assignment. The 48-bit MAC address of your network interface card is 
> also
> used to make up the EUI64.

Since it is so easy for a host (relative to ipv4) to have multiple ip 
addresses, I like what Microsoft has done. If told by a router, a Win 
XP box will assign itself a global unicast address using EUI-64. It 
will also create a global unicast anonymous address. This will not be 
tied to the hardware, and the OS will also limit how long it uses that 
address before deprecating that address and creating a new preferred 
anonymous address. I can see servers using the EUI-64 address, while 
clients use the anonymous address. It will allow servers to narrow down 
who is accessing their servers to a 64 bit subnet. That will be good 
enough for most statistics, but will make it more difficult to do the 
scarier tracking of users.

I have noticed that the Linux and Mac OS X ipv6 implementations do not 
create the private addresses automatically.
Peter Hill
Network Engineer
Carnegie Mellon University




Re: Standalone Stratum 1 NTP Server

2002-08-27 Thread Karsten W. Rohrbach

Mike Leber([EMAIL PROTECTED])@2002.08.26 23:52:08 +:
> I was wondering if anybody has any suggestions for a low priced, off the
> shelf, complete (includes any necessary receivers), standalone (as in you
> just plug it in and connect ethernet), stratum 1 NTP server?

some years ago, i migrated all of my server infrastructure from NTP to
clockspeed and the taiclock protocol, which works a bit differently from
NTP. every server keeps its own correction/drift values in a running
software PLL. my current update interval is to poll the main server(s)
every two weeks. after experiencing several problems with xntpd (like
folks sending random udp packets with spoofed ip addresses causing
several machines to drift up to two(!) hours (yes, the default
configurations are without any auth on most OS distributions), the
problem was solved by not depending on a steady feed of fresh clock
information. adjustment is based solely on a single correction value, which
runs in a tolerance window of about 25 to 30 attoseconds per week on
most intel based boards i got here. 

http://cr.yp.to/clockspeed.html

i know that some folks will start to bash on dan, again, but his
approach to tackle the time synchronization problem appeared to solve
most/all of our operational problems of our time servers and clients. in
daily operations, clockspeed/taiclock clearly proved to be superior to
NTP, timed, et al. furthermore, the software is very simple to install
and maintain, with less security/stability risks due to less complexity
in code.

regards,
/k

-- 
> CS Students do it in the pool.
WebMonster Community Project -- Reliable and quick since 1998 -- All on BSD
http://www.webmonster.de/ - ftp://ftp.webmonster.de/ - http://www.rohrbach.de/
GnuPG:   0xDEC948A6 D/E BF11 83E8 84A1 F996 68B4  A113 B393 6BF4 DEC9 48A6
REVOKED: 0x2964BF46 D/E 42F9 9FFF 50D4 2F38 DBEE  DF22 3340 4F4E 2964 BF46
REVOKED: 0x4C44DA59 RSA F9 A0 DF 91 74 07 6A 1C  5F 0B E0 6B 4D CD 8C 44
My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/
Please do not remove my address from To: and Cc: fields in mailing lists. 10x



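The spoofed-UDP drift Karsten describes above is exactly what ntpd's symmetric-key authentication is meant to stop: the packet carries a 32-bit key identifier and an MD5 digest computed over the shared key followed by the 48-byte header (the MD5 form is written up in RFC 5905 Appendix A; xntpd/ntpd implemented it long before that, but only when the association is configured with a key). The Python below is an added example, not code from the post, from clockspeed or from ntpd: it builds a genuine authenticated server reply, then the three kinds of forgery an attacker with a spoofed source address can attempt, and shows which the verifier accepts. The key, key ID, reference ID and timestamps are constructed sample values, and shift_transmit_time is an assumed helper standing in for the attacker rewriting the transmit timestamp.

```python
"""Added example: NTP symmetric-key MAC (RFC 5905 Appendix A) rejecting spoofed replies."""
import hashlib
import hmac
import struct

NTP_UNIX_OFFSET = 2208988800   # seconds from the NTP epoch (1900-01-01) to the Unix epoch
HEADER_LEN = 48                # RFC 5905 header without extension fields
MAC_LEN = 4 + 16               # 32-bit key identifier + 128-bit MD5 digest
HEADER_FMT = "!BBbbII4sQQQQ"   # LI/VN/mode, stratum, poll, precision, root delay,
                               # root dispersion, reference ID, ref/orig/rx/tx timestamps


def to_ntp_ts(unix_seconds):
    """Unix time -> 64-bit NTP timestamp (32-bit seconds since 1900, 32-bit fraction)."""
    whole = int(unix_seconds)
    frac = int(round((unix_seconds - whole) * 2 ** 32)) & 0xFFFFFFFF
    return (((whole + NTP_UNIX_OFFSET) & 0xFFFFFFFF) << 32) | frac


def from_ntp_ts(ts):
    return (ts >> 32) - NTP_UNIX_OFFSET + (ts & 0xFFFFFFFF) / 2 ** 32


def build_server_reply(stratum, refid, orig_ts, rx_unix, tx_unix):
    """A minimal mode-4 (server) reply header; the reference timestamp is set to rx."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4   # leap 0, version 4, mode 4
    return struct.pack(HEADER_FMT, li_vn_mode, stratum, 6, -20, 0, 0, refid,
                       to_ntp_ts(rx_unix), orig_ts, to_ntp_ts(rx_unix), to_ntp_ts(tx_unix))


def ntp_mac(key, header):
    """RFC 5905 Appendix A: MD5 over key || header. A keyed prefix, not HMAC."""
    return hashlib.md5(key + header).digest()


def sign_packet(header, key_id, key):
    return header + struct.pack("!I", key_id) + ntp_mac(key, header)


def verify_packet(packet, trusted_keys):
    """Accept only a packet whose MAC verifies under a key we hold (what ntpd does for an
    association configured with 'key N' where N is listed in 'trustedkey')."""
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False   # bare 48-byte packet (no MAC at all) or malformed length
    header, trailer = packet[:HEADER_LEN], packet[HEADER_LEN:]
    key_id = struct.unpack("!I", trailer[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False   # unknown or untrusted key identifier
    return hmac.compare_digest(ntp_mac(key, header), trailer[4:])


def shift_transmit_time(packet, delta_seconds):
    """Assumed attacker helper: rewrite the transmit timestamp (header bytes 40..47) and
    leave whatever trailer was there untouched."""
    tx = struct.unpack("!Q", packet[40:48])[0]
    new_tx = to_ntp_ts(from_ntp_ts(tx) + delta_seconds)
    return packet[:40] + struct.pack("!Q", new_tx) + packet[48:]


def transmit_time(packet):
    return from_ntp_ts(struct.unpack("!Q", packet[40:48])[0])


# Constructed sample values: key 1 as it would be listed in ntp.keys ("1 M ExampleKey123"),
# and a stratum-1 GPS-disciplined server answering at an arbitrary moment in 2002.
TRUSTED_KEYS = {1: b"ExampleKey123"}
T0 = 1030406400.0
GENUINE = sign_packet(build_server_reply(1, b"GPS\0", to_ntp_ts(T0), T0 + 0.5, T0 + 0.501),
                      1, TRUSTED_KEYS[1])
# Spoofed source IP, no key: an unauthenticated reply two hours in the future.
SPOOFED_PLAIN = shift_transmit_time(GENUINE[:HEADER_LEN], 7200)
# Guessed the key identifier, not the key.
SPOOFED_BADKEY = sign_packet(SPOOFED_PLAIN, 1, b"wrong")
# Replayed the genuine packet and edited the timestamp in flight, MAC left as it was.
TAMPERED = shift_transmit_time(GENUINE, 7200)

if __name__ == "__main__":
    for name, pkt in [("genuine", GENUINE), ("spoofed, no MAC", SPOOFED_PLAIN),
                      ("spoofed, wrong key", SPOOFED_BADKEY), ("tampered", TAMPERED)]:
        print("%-20s tx=%.3f accepted=%s" % (name, transmit_time(pkt),
                                             verify_packet(pkt, TRUSTED_KEYS)))
```

Two caveats a practitioner would want. First, this only helps if the client side requires it: an association without a `key` statement accepts bare 48-byte packets, which is the "without any auth" default the post complains about, and the keys have to be distributed out of band (ntp.keys plus `trustedkey`). Second, MD5 over key||message is a keyed prefix rather than an HMAC and MD5 itself is deprecated; later ntpd versions take SHA-1 and AES-CMAC keys (RFC 8573), and NTS (RFC 8915) replaces shared keys with TLS-negotiated ones, but all of them keep the same shape shown here: a verifier that drops any packet whose MAC does not check out.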


RE: Paul's Mailfrom (Was: IETF SMTP Working Group Proposal at smtpng.org)

2002-08-27 Thread Barry Shein



From: JC Dill <[EMAIL PROTECTED]>
>I guess you haven't read RFC 3098 yet then.
>
>http://www.geektools.com/rfc/rfc3098.txt

Wow, I missed that. It's really quite good. So good, in fact, that I
just sent copies of it out to the 300 MILLION ADDRESSES I have on this
CD here...

No, seriously, it's good stuff, thank you for pointing it out. Now how
do we get legislators, judges, etc. and their staff to read it? (said
somewhat rhetorically / thinking out loud, I'll print it nicely and
send it to my reps with a cover letter.)

-- 
-Barry Shein

Software Tool & Die| [EMAIL PROTECTED]   | http://www.TheWorld.com
Purveyors to the Trade | Voice: 617-739-0202| Login: 617-739-WRLD
The World  | Public Access Internet | Since 1989 *oo*



OC-48 failure last night

2002-08-27 Thread Roy


There was a major OC-48 failure somewhere near Salinas, California about
2AM PDT today which resulted in loss of connectivity to a lot of the
ISPS in that LATA.

Anyone have any details?




Re: Paul's Mailfrom (Was: IETF SMTP Working GroupProposal at smtpng.org)

2002-08-27 Thread Brad Knowles


At 7:02 PM -0400 2002/08/26, Scott Gifford wrote:

>  The proposal suggests that you get all of the A records for all of the
>  accepted names, then make sure that one of the A records matches the
>  address that the connection came from.  See sec. 2.3.

Right.  And when they add a new mail gateway and don't tell you 
about it?  What if they have forty-five of the damn things, each with 
its own unique name?

>  Even if it did require good reverse DNS, that would only be needed for
>  domains that chose to implement this, and only for addresses that
>  are allowed to send mail from that domain.

So, if you can't send mail out directly, you pass it on up to 
your ISP.  And if they can't send the stuff directly, they pass it up 
another level.  And so on.  And you have to know all the possible IP 
addresses that could be used as exit points for your mail.

Yeesh.  Ya know, even X.400 wasn't this silly.

-- 
Brad Knowles, <[EMAIL PROTECTED]>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
 -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI$ P+>++ L+ !E W+++(--) N+ !w---
O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+() DI+() D+(++) G+() e++> h--- r---(+++)* z(+++)



Re: IPv6 Interview Questions and critic

2002-08-27 Thread Marshall Eubanks


On Tue, 27 Aug 2002 14:43:38 -0400
 Peter John Hill <[EMAIL PROTECTED]> wrote:
> 
> 
> On Tuesday, August 27, 2002, at 10:41  AM, Joe Baptista wrote:
> 
> > Ipv6 uses 128 bits to provide addressing, routing and identification
> > information on a computer. The 128-bits are divided into the left-64 
> > and
> > the right-64.  Ipv6 uses the right 64 bits to store an IEEE defined 
> > global
> > identifier (EUI64). This identifier is composed of company id value
> > assigned to a manufacturer by the IEEE Registration Authority. The 
> > 64-bit
> > identifier is a concatenation of the 24-bit company_id value and a 
> > 40-bit
> > extension identifier assigned by the organization with that company_id
> > assignment. The 48-bit MAC address of your network interface card is 
> > also
> > used to make up the EUI64.
> 
> Since it is so easy for a host (relative to ipv4) to have multiple ip 
> addresses, I like what Microsoft has done. If told by a router, a Win 
> XP box will assign itself a global unicast address using EUI-64. It 
> will also create a global unicast anonymous address. This will not be 
> tied to the hardware, and the OS will also limit how long it uses that

Wasn't this described in an Internet draft ? Do you know what the status is -
I cannot seem to find it.

Marshall
 
> address before deprecating that address and creating a new preferred 
> anonymous address. I can see servers using the EUI-64 address, while 
> clients use the anonymous address. It will allow servers to narrow down 
> who is accessing their servers to a 64 bit subnet. That will be good 
> enough for most statistics, but will make it more difficult to do the 
> scarier tracking of users.
> 
> I have noticed that the Linux and Mac OS X ipv6 implementations do not 
> create the private addresses automatically.
> Peter Hill
> Network Engineer
> Carnegie Mellon University
> 




Re: IPv6 Interview Questions and critic

2002-08-27 Thread Kurtis Lindqvist




> However IPv6 has many privacy issues. IPv6 address space uses an ID
> (indentifier) derived from your hardware or phone.  "That allows your
> packets to be traced back to your PC or cell-phone" said .
>  fears abuse as a hardware ID wired into the ipv6 protocol can
> be used to determine the manufacturer, make and model number, and value
> of the hardware equipment being used by the end user.


...uhm, and? What is the real difference with an IPv4 address and privacy?
You can tell as much (more or less) with a port scan to an IPv4
address...and someone will always track the "ID" (I guess that is what I
call IP address).

If we are talking about the EUI64, that will disclose the vendor but
hardly the make and model number.

- kurtis -






Re: IPv6 Interview Questions and critic

2002-08-27 Thread Iljitsch van Beijnum


On Tue, 27 Aug 2002, Marshall Eubanks wrote:

> > Since it so easy for a host (relative to ipv4) to have multiple ip
> > addresses, I like what Microsoft has done. If told by a router, a Win
> > XP box will assign itself a global unicast address using EUI-64. It
> > will also create a global unicast anonymous address. This will not be
> > tied to the hardware, and the OS will also limit how long it uses that
>
> Wasn't this described in an Internet draft ? Do you know what the status is -
> I cannot seem to find it.

RFC 3041. There's also
http://playground.sun.com/pub/ipng/html/specs/ipv6-address-privacy.html




Re: IPv6 Interview Questions and critic

2002-08-27 Thread Iljitsch van Beijnum


On Tue, 27 Aug 2002, Kurtis Lindqvist wrote:

> >  fears abuse as a hardware ID wired into the ipv6 protocol can
> > be used to determine the manufacturer, make and model number, and value
> > of the hardware equipment being used by the end user.

> ...uhm, and? What is the real difference with an IPv4 address and privacy?

The difference is that someone using a dynamic IP address is still
recognizable by the lower 64 bits of their dynamic address because this
part is always the same. (But cookies do the same thing.)

> You can tell as much (more or less) with a port scan to an IPv4
> address...

How can I recognize someone by doing a portscan?




Re: IPv6 Interview Questions and critic

2002-08-27 Thread Peter John Hill



On Tuesday, August 27, 2002, at 05:07  PM, Marshall Eubanks wrote:

> On Tue, 27 Aug 2002 14:43:38 -0400
>  Peter John Hill <[EMAIL PROTECTED]> wrote:
>>
>>
>> On Tuesday, August 27, 2002, at 10:41  AM, Joe Baptista wrote:
>>
>> Since it is so easy for a host (relative to ipv4) to have multiple ip
>> addresses, I like what Microsoft has done. If told by a router, a Win
>> XP box will assign itself a global unicast address using EUI-64. It
>> will also create a global unicast anonymous address. This will not be
>> tied to the hardware, and the OS will also limit how long it uses that
>
> Wasn't this described in an Internet draft ? Do you know what the 
> status is -
> I cannot seem to find it.


http://www.ietf.org/rfc/rfc3041.txt
Abstract

Nodes use IPv6 stateless address autoconfiguration to generate
addresses without the necessity of a Dynamic Host Configuration
Protocol (DHCP) server.  Addresses are formed by combining network
prefixes with an interface identifier.  On interfaces that contain
embedded IEEE Identifiers, the interface identifier is typically
derived from it.  On other interface types, the interface identifier
is generated through other means, for example, via random number
generation.  This document describes an extension to IPv6 stateless
address autoconfiguration for interfaces whose interface identifier
is derived from an IEEE identifier.  Use of the extension causes
nodes to generate global-scope addresses from interface identifiers
that change over time, even in cases where the interface contains an
embedded IEEE identifier.  Changing the interface identifier (and the
global-scope addresses generated from it) over time makes it more
difficult for eavesdroppers and other information collectors to
identify when different addresses used in different transactions
actually correspond to the same node.


> Marshall
>
>> address before deprecating that address and creating a new preferred
>> anonymous address. I can see servers using the EUI-64 address, while
>> clients use the anonymous address. It will allow servers to narrow 
>> down
>> who is accessing their servers to a 64 bit subnet. That will be good
>> enough for most statistics, but will make it more difficult to do the
>> scarier tracking of users.
>>
>> I have noticed that the Linux and Mac OS X ipv6 implementations do not
>> create the private addresses automatically.
>> Peter Hill
>> Network Engineer
>> Carnegie Mellon University
>>
>
>
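The construction Joe Baptista's quoted text describes (the MAC-48 padded with 0xFFFE into the right 64 bits), the tracking Iljitsch van Beijnum points at earlier in the thread (the lower 64 bits stay the same under every dynamic prefix) and the RFC 3041 temporary identifiers Peter Hill describes Windows XP generating, carried through as an added Python example. This is not code from any poster or from any operating system's IPv6 stack. The laptop MAC, the 2001:db8: prefixes standing in for home and office, and the fixed initial history value are constructed sample inputs (RFC 3041 says to seed the history randomly), and no OUI-to-vendor lookup is attempted because the page names no vendor table.

```python
"""Added example: EUI-64 derived IPv6 interface identifiers, what they leak, and RFC 3041
temporary identifiers that avoid the leak."""
import hashlib
import ipaddress

UL_BIT = 1 << 57          # universal/local bit: bit 6 (counting from the left) of the 64-bit IID
IID_MASK = (1 << 64) - 1


def mac_to_eui64_iid(mac):
    """RFC 2464 / RFC 4291 Appendix A: MAC-48 -> modified EUI-64 interface identifier.
    0xFFFE is inserted between the 24-bit OUI and the 24-bit device part, and the U/L bit
    is inverted, so a burned-in (globally unique) MAC yields an IID with that bit set."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    return int.from_bytes(octets[:3] + b"\xff\xfe" + octets[3:], "big") ^ UL_BIT


def iid_to_mac(iid):
    """Inverse: recover the MAC (and with it the OUI, hence the NIC vendor) from an
    EUI-64 derived IID, or None when the 0xFFFE marker is absent."""
    raw = (iid ^ UL_BIT).to_bytes(8, "big")
    if raw[3:5] != b"\xff\xfe":
        return None
    return ":".join("%02x" % b for b in raw[:3] + raw[5:])


def make_address(prefix, iid):
    """Join the 'left 64' (a /64 prefix) with the 'right 64' (the interface identifier)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | (iid & IID_MASK)))


def iid_of(address):
    return int(ipaddress.IPv6Address(address)) & IID_MASK


def rfc3041_temporary_iid(eui64_iid, history):
    """RFC 3041 section 3.2.1: MD5(history || EUI-64 IID). The left 64 bits, with the U/L bit
    cleared, become the temporary IID; the right 64 bits are stored as the next history value."""
    digest = hashlib.md5(history + eui64_iid.to_bytes(8, "big")).digest()
    return int.from_bytes(digest[:8], "big") & ~UL_BIT, digest[8:]


def group_by_iid(addresses):
    """What a web server's log can be mined for: visits from different prefixes that share an
    interface identifier, i.e. the same NIC seen from home, from work, from a friend's place."""
    groups = {}
    for a in addresses:
        groups.setdefault(iid_of(a), []).append(a)
    return groups


# Constructed sample inputs: a laptop MAC (no OUI lookup is attempted), two documentation
# prefixes standing in for the home and office networks, and a fixed initial history value
# (RFC 3041 says to seed it randomly; fixed here so the run is repeatable).
LAPTOP_MAC = "00:04:23:ab:cd:ef"
PREFIXES = ["2001:db8:1::/64", "2001:db8:2::/64"]
INITIAL_HISTORY = bytes(8)


def simulate_visits():
    """Return (stable, temporary) address lists for the laptop on each prefix."""
    eui = mac_to_eui64_iid(LAPTOP_MAC)
    stable = [make_address(p, eui) for p in PREFIXES]
    temporary, history = [], INITIAL_HISTORY
    for p in PREFIXES:
        iid, history = rfc3041_temporary_iid(eui, history)
        temporary.append(make_address(p, iid))
    return stable, temporary


if __name__ == "__main__":
    stable, temporary = simulate_visits()
    for iid, seen in group_by_iid(stable + temporary).items():
        print("IID %016x seen at %d prefix(es), MAC %s: %s"
              % (iid, len(seen), iid_to_mac(iid), ", ".join(seen)))
```

The run shows both halves of the thread's argument: the two EUI-64 addresses land in one group and iid_to_mac hands back the burned-in MAC, OUI included, while each temporary address stands alone, carries no 0xFFFE marker and has the U/L bit cleared so it cannot be mistaken for a globally unique identifier. Note that the correlation works purely on the address; it tells the observer "same NIC as last time", not who owns it, which is the distinction Valdis draws further down. The RFC 3041 mechanism was later revised as RFC 4941 and RFC 8981 with the same structure.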




Re: Paul's Mailfrom (Was: IETF SMTP Working Group Proposal at

2002-08-27 Thread Barry Shein



On August 27, 2002 at 03:15 [EMAIL PROTECTED] (Paul Vixie) wrote:
 > 
 > >   Every single purely technical approach to stopping spam has been a
 > >   complete loser.
 > 
 > In the fullness of time, the universe itself will die of heat.  So what?

How come this makes me want to raise the issue of our immortal souls?

 > What matters more is what use is made of time before it gets so "full."  A
 > number of purely technical approaches to stopping spam have been quite
 > successful... in the short term... which not the same as being a complete
 > loser in the long term.  (Everything's a complete loser if you measure it
 > right.)

I guess my assertion has been that it really hasn't been measured and
the sense is that spam has always been rising either linearly or
super-linearly.

Putting bomb-sniffing dogs at the security gates only to see them take
the planes with box-cutters is not my idea of "successful" even in the
short term.

So for example saying this or that filter appears to have repelled 1M
spam msgs per day doesn't really prove much unless one can say with
some (preferably mathematical) confidence that it's actually reduced
spam not just caused it to flow around the filter.

Put another way it'd be nice to know that a technical approach was
statistically superior to just shutting off SMTP for an hour per day
which would also block some amount of spam. Look! Not one single piece
of spam from 1AM-2AM (while we had our machinery all turned off.)


Maybe there is no technical solution, of any value, possible (at the
system / DoS level, not talking about individual approaches like
whitelisting.)

I'm quite serious.

I think it's sad to watch all this effort go into chasing technical
solution after technical solution for all these years by so many
bright people only to feel like it was all pretty much for naught.

About the only real value I've seen is that we can at least sort of
point at these efforts when some nihilist says "who is to say spam is
bad?" and respond, well, these people are going to all this trouble
(possibly futile) to stop it so I guess that's one bit of evidence
that it's not universally loved.

My point is that I think we really need to start focusing on solutions
which aren't primarily or solely technical.

One that keeps coming to mind is charging for all bulk commercial
e-mail as a regular custom for reasons I've outlined here previously.

But I don't claim that to be the only or even best solution.

It's just one that makes some sense to me.

And, more importantly, is an example of the kind of thing I'm thinking
so people don't always finish reading my notes by shaking their heads
and saying ``gosh he writes pretty well but WTF is he talking
about???''


-- 
-Barry Shein

Software Tool & Die| [EMAIL PROTECTED]   | http://www.TheWorld.com
Purveyors to the Trade | Voice: 617-739-0202| Login: 617-739-WRLD
The World  | Public Access Internet | Since 1989 *oo*



Re: IPv6 Interview Questions and critic

2002-08-27 Thread Valdis . Kletnieks

On Tue, 27 Aug 2002 23:33:40 +0200, Iljitsch van Beijnum said:
> How can I recognize someone by doing a portscan?

http://www.insecure.org/nmap

It slices, it dices, it makes julienne fries.

(I'm assuming you mean in the same sense as "you can identify a machine's
vendor based on the EUI-64..." - neither a portscan nor a MAC address will
tell you whose machine it is, as far as I know (although doing an nmap to find
ports that will tell you who it is... hmm... ;)

-- 
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech






Re: IPv6 Interview Questions and critic

2002-08-27 Thread Valdis . Kletnieks

On Tue, 27 Aug 2002 17:48:24 EDT, [EMAIL PROTECTED] said:

> (I'm assuming you mean in the same sense as "you can identify a machine's
> vendor based on the EUI-64..." - neither a portscan nor a MAC address will
> tell you whose machine it is, as far as I know (although doing an nmap to find
> ports that will tell you who it is... hmm... ;)

And yes, I realized after I hit send that a MAC address can be correlated
to "the same guy as last time" or "different guy", although other means still
need to be used to identify *who* "the same guy" is ;)





Re: Paul's Mailfrom (Was: IETF SMTP Working Group Proposal at

2002-08-27 Thread Paul Vixie


> > In the fullness of time, the universe itself will die of heat.  So what?
> 
> How come this makes me want to raise the issue of our immortal souls?

spammers have souls?

> So for example saying this or that filter appears to have repelled 1M
> spam msgs per day doesn't really prove much unless one can say with
> some (preferably mathematical) confidence that it's actually reduced
> spam not just caused it to flow around the filter.
> 
> Put another way it'd be nice to know that a technical approach was
> statistically superior to just shutting off SMTP for an hour per day
> which would also block some amount of spam. Look! Not one single piece
> of spam from 1AM-2AM (while we had our machinery all turned off.)

i measure success by the fraction:

rejected_spam / total_spam

thus if i can reject 6000/1 that may not seem better than rejecting
1000/4000 since i ended up dealing with 4000 received spams rather than
3000, but it actually does mean that my situation got better
_compared_to_having_done_nothing_.

(those are weekly figures for my own personal server; hotmail sees the
same numbers in less than one second, which helps understand the importance
of total rational impact rather than simple absolute unrejected volume.)

(once postfix supports dcc i expect to see it change to 8000/1, btw.)

> Maybe there is no technical solution, of any value, possible (at the
> system / DoS level, not talking about individual approaches like
> whitelisting.)
> 
> I'm quite serious.

i know you are, but i think the better statement would be "there is not
going to be a single long term solution, either technical or nontechnical."
we're going to see a lot of point solutions, as each participant seeks to
shift the costs of handling unwanted e-mail away from themselves.

> My point is that I think we really need to start focusing on solutions
> which aren't primarily or solely technical.

the folks at http://spam.abuse.net/ and http://www.cauce.org/ and even
http://www.spamcon.org/ would be alarmed to hear you say that they've
been focused on purely technical solutions all these years.



Re: Paul's Mailfrom (Was: IETF SMTP Working Group Proposal at

2002-08-27 Thread Barry Shein



Oh to some extent even the first time it's because they're slackers.

If instead of a brainless rush to sign up dial-up accts and check
credentials later they demanded a credit card or other verifiable
information (a phone number we can call you back at to activate) then
they'd burn up about 99.9% of the opportunities for spammers to get
throw-away, anonymous accounts.


I say this from absolutely first-hand experience.



On August 27, 2002 at 15:22 [EMAIL PROTECTED] (Paul Vixie) wrote:
 > 
 > [EMAIL PROTECTED] (Paul Vixie) writes:
 > 
 > > whenever you get spammed, it's because some isp somewhere is a slacker,
 > 
 > what i meant to say was "whenever you're getting repeat spam from the same
 > place, day after week after month, it's because some isp somewhere is a
 > slacker."  any given isp can be attacked and used to send outbound spam.
 > but not every isp can be used in this way over and over by the same bunch
 > of people.  to the second group, i say: "please shift the cost of dealing
 > with spam from your network, back inside your network."
 > -- 
 > Paul Vixie

-- 
-Barry Shein

Software Tool & Die| [EMAIL PROTECTED]   | http://www.TheWorld.com
Purveyors to the Trade | Voice: 617-739-0202| Login: 617-739-WRLD
The World  | Public Access Internet | Since 1989 *oo*



Re: 60 Hudson peering

2002-08-27 Thread Ralph Doncaster


$750/mth is once you get to MetCom.  For the cx on the 19th to their FDP
is another $300/mth.  Now you're at $1050/mth.  For $1K/mth I can get 100M
from the 19th floor to 25 Broadway, + $100/mth for the cat5 cx.  So if I
were going to spend a grand a month to connect to an exchange point, it
would be NYIIX and not MetroIX.

Ralph Doncaster
principal, IStop.com 

On Tue, 27 Aug 2002, Jeffrey Meltzer wrote:

> 
> $750 is not unreasonable for 2 strand dark fiber in 60 Hudson.  And if you
> work hard, you can get this down to $500.  Check 111 8th Ave, it costs well
> into the $3,000/mo range generally.
> 
> In addition, we're already working on (in progress) cat5 xcon's between TelX and
> suite 1505 in 60 Hudson.  However, how much do you think that would cost?
> Not all that much less, figure in the $300/mo range.
> 
> Furthermore, anyone peering inside of TelX is probably doing it privately
> and because of the cost of xcon's there, probably would keep doing it
> privately.
> 
> BTW, if anyone is interested in speaking about MetroIX, contact myself or
> Avi off-list.  It's been moving along slowly as people re-evaluate peering
> arrangements, companies that we talk to disappear, etc ;)  People like to
> see things done instantly in this market, but that's not always the best way
> to get things done right...
> 
> Jeff
> 
> On Tue, Aug 27, 2002 at 12:38:43PM -0400, Ralph Doncaster wrote:
> > 
> > I have a POP in 60 Hudson, 19th floor.  The only peering exchange I'm
> > aware of in the building is Stealth's IPV6 exchange in Tel-X (23rd
> > floor).  If there's any interest in IPV4 peering from any networks with a
> > presence on the 19th, I'd be willing to provide free 100baseTx ports on a
> > peering switch in 1904.
> > 
> > I'm aware of MetroIX, but that's on the 15th floor and its unreasonably
> > expensive to get fiber cross-connects between floors in 60 Hudson, and
> > cat5 cross-connects aren't even available between the 19th and 15th
> > floors.
> > 
> > Ralph Doncaster
> > principal, IStop.com
> > 
> 
> 




Re: Paul's Mailfrom (Was: IETF SMTP Working GroupProposal at smtpng.org)

2002-08-27 Thread Brad Knowles


At 12:14 PM +1000 2002/08/27, Martin wrote:

>  but surely an MTA derives its usefulness by running on port 25. i don't
>  remember reading about where in the DNS MX RR you could specify what port
>  the MTA would be listening on...

Proper support of SRV records would allow you to put the service 
on any machine or set of machines, and on any port.

-- 
Brad Knowles, <[EMAIL PROTECTED]>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
 -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI$ P+>++ L+ !E W+++(--) N+ !w---
O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+() DI+() D+(++) G+() e++> h--- r---(+++)* z(+++)



Re: Paul's Mailfrom (Was: IETF SMTP Working GroupProposal at smtpng.org)

2002-08-27 Thread Brad Knowles


At 7:19 PM -0700 2002/08/26, David Schwartz wrote:

>   Every ISP I have ever worked for and every ISP I have ever used has
>  eventually been convinced by me to come around to this policy. Do whatever
>  you want by default, but let trusted/clueful people opt out of it and just
>  get their IP datagrams from point A to point B.

As someone who has worked at AOL and the largest ISP in Belgium, 
and advocated policies like this myself, I would agree.  But I 
wouldn't advertise anywhere that people can pay to opt out of the 
transparent proxy.  I would instead require that they contact me on 
their own initiative.

Once they've done that and I've got their signature on a contract 
that allows me to wield terrible punishment upon them if they violate 
it, then I'd be willing to move them to another network where they 
would be allowed unfettered access.

Of course, they'd pay for that access, and it would be a 
different type of account.

-- 
Brad Knowles, <[EMAIL PROTECTED]>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
 -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI$ P+>++ L+ !E W+++(--) N+ !w---
O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+() DI+() D+(++) G+() e++> h--- r---(+++)* z(+++)



Re: Paul's Mailfrom (Was: IETF SMTP Working GroupProposal at

2002-08-27 Thread Brad Knowles


At 9:45 PM -0600 2002/08/26, David Van Duzer wrote:

>  Not to try to undercut the general point, but that would imply that
>  Earthlink, AOL, and MSN (for examples) should have a combined abuse
>  department of roughly 1500 employees.

Last I checked, AOL itself had over 6000 employees, of which 5000 
were the help desk.  The other 1000 were the rest of the company, and 
the Operations group had something over 100 (many of the rest were in 
Development).  The Abuse department was an entire division of 
something like a couple dozen people, and was divided into multiple 
groups -- one handled USENET abuse, one handled e-mail abuse, etc. 
This was back when AOL still had only about eight or nine million 
users.

Ghu only knows what the numbers are like today.

>  Perhaps the real social problem is
>  convincing whatever standards bodies and vendors necessary that it is a
>  technical problem.

No, this is wrong.  It is not a technical problem.  Any technical 
"solution" you apply will have any of several technical work-arounds 
that can be relatively easily discovered, and probably within the 
span of just a few hours early on Saturday morning -- so that they've 
got the rest of the weekend to generate spam using their "new and 
improved" tools, and then a few months to make a killing on selling 
their new versions to the even more clueless.

>  There seems to be far too much apathy (FUD?) rather
>  than just designing a partial solution, however imperfect, and
>  implementing it.

The problem is a social one, and the only real solutions will be 
socio-legal in nature.  They may have technical implementations, but 
that is the only respect in which technology is employed.


Fundamentally, you can't implement a policy until you actually 
have a policy.  The setting of the policy is a socio-legal problem, 
the implementation of the policy may have technical aspects.

-- 
Brad Knowles, <[EMAIL PROTECTED]>




Re: Paul's Mailfrom (Was: IETF SMTP Working Group Proposal at

2002-08-27 Thread Brad Knowles


At 7:43 AM + 2002/08/27, Paul Vixie wrote:

>   i doubt they will comment in detail here, since
>  the actual numbers are likely to be some kind of internal secret.  i know
>  i get far less spam from AOL than i used to, and i've assumed that this
>  is because they decided to address the costs at the front end (in their
>  service model) rather than the back end (in endless cleanup.)

They have implemented a lot of internal controls for users of the 
AOL client.  For dial-up users trying to directly transmit mail, they 
have to pass through the transparent SMTP proxy which the AOL 
personnel set up and explicitly requested that it be added to the 
MAPS RBL.

So, one way they have to deal with the AOL internal controls, and 
the other way they are already blacklisted.

>  no solution which does not progressively leverage the combined small
>  efforts of millions of spam victims will ever be measurably effective other
>  than in some small locality and/or for some brief instant.  see the DCC
>  for an example (http://dcc.rhyolite.com/) of how to build and apply that
>  leverage.  (i'm not giving the reference to vipul's razor because i said
>  "millions.")

Indeed, that is a cool idea.  I definitely want to look into that 
a lot more closely.  Perhaps we can combine this with deep blacklist 
checking (beyond just the first hop), tagging, and Bayesian content 
filtering.  Perhaps then we will have a temporary pass at a 
semi-decent anti-spam filter.

-- 
Brad Knowles, <[EMAIL PROTECTED]>




Re: Paul's Mailfrom (Was: IETF SMTP Working Group Proposal at smtpng.org)

2002-08-27 Thread Brad Knowles


At 12:58 PM +0100 2002/08/27, [EMAIL PROTECTED] wrote:

>  It might be possible to make filters that don't need to be updated that
>  often if
>  you apply AI techniques to recognizing SPAM. For instance, check out this
>  new approach:
>   http://www.paulgraham.com/paulgraham/spam.html

Bayesian techniques are neither AI nor new.  See 
 and 
, among 
others.

Moreover, while there may be client-side programs which implement 
these techniques, and there may be prototype server-side programs 
which implement these techniques, I am not aware of any more 
production-oriented tools which are available to implement these 
kinds of techniques.

-- 
Brad Knowles, <[EMAIL PROTECTED]>




Re: Paul's Mailfrom (Was: IETF SMTP Working Group Proposal at smtpng.org)

2002-08-27 Thread Brad Knowles


At 11:19 AM -0600 2002/08/27, Lyndon Nerenberg wrote:

>  Because I want to send mail through my own SMTP server that speaks
>  STARTTLS and uses certificates that are under my control.

That's a valid concern.  Indeed, that's exactly the sort of thing 
I will want to be doing in the near future.

>  Maybe I don't want my email sitting around in your MTA queue for
>  your sysadmins to read.

Given the volumes of mail that pass through these kinds of 
things, that's not likely to be a problem.  More likely to be a 
problem would be the fact that the mail might sit there for a week 
before it gets retried a second time.  That takes careful system 
engineering for load, making sure to retry old messages often enough, 
etc.

>  Or maybe you just don't have a clue about how to configure and run
>  an MTA, therefore any mail I send through your enforced gateway
>  gets silently black-holed.

I have a clue how to configure and run an MTA.  This is my 
specialty.  I still recommend setting up a transparent proxy for port 
25, but if I set up a separate machine (or set of machines) for that 
function, I will probably do the same as AOL and explicitly request 
that this machine be on the MAPS RBL (and certain other blacklists).

So, yes.  Most anything you send through that machine would 
definitely be black-holed, at least if I set up a separate system to 
handle that traffic.

>  The Internet is a peer-to-peer network, whether you like it or not.

That's changing, whether you like it or not.  For that matter, 
whether I like it or not.

-- 
Brad Knowles, <[EMAIL PROTECTED]>




Re: Paul's Mailfrom (Was: IETF SMTP Working Group Proposal at smtpng.org)

2002-08-27 Thread Brad Knowles


At 12:16 PM +0200 2002/08/27, Bruce Campbell wrote:

>  I understand the proposal to be based on the envelope sender, not the
>  sender in the body.  Hence, mailing lists work, because they are the
>  envelope sender, not the person who submitted the mail to the mailing
>  list.

Read my previous comment about mailing lists that do not change 
the envelope sender (e.g., mailing lists that are instead run as 
simple aliases).

>  Pardon?  Are you saying that for a given entity (say, example.com), your
>  administrative procedures are such that you do not know all the machines
>  that can send email directly to that part of the Internet outside that
>  entity?

Not if example.com is a vanity domain and is not allowed to 
transmit mail directly to the outside world, or actively chooses to 
use the relay services provided by their ISP.  You may know the entry 
point, but it can be difficult to determine all the possible exit 
points.

>  Even for an entity like aol.com, their outbound mail servers appear to be
>  a small(ish) set of circa 20 machines which can be listed appropriately by
>  AOL.

I know.  I set those machines up.  They haven't really changed 
much since I left in '97.  But try listing 20 different names as MXes 
for a mail-from label.  Have you heard of this thing called "DNS 
response truncation"?  Do you know the kinds of problems it causes 
for many MTAs, even today?

>  Yes, entirely correct.  However, the bulk of the Internet mail today is
>  from one host to another host.  Knowledge of the path the mail takes, on
>  the SMTP level, is not needed by the mailer, unlike UUCP which required
>  the mailer to be aware of various routing topologies.

It is if you have to know all the possible exit points for e-mail 
that you may transmit.

>  The rest of your mail is an invitation to clean up the little bit of
>  forward and reverse domain space that is under your immediate control,
>  which is a Good Thing IMO.

Indeed, it would be good to get this cleaned up.  But let's be 
realistic.  When you have 256 total gTLDs and ccTLDs (plus the root 
zone), served by 762 unique machines, and 413 of those machines are 
open public/recursive nameservers in addition to their authoritative 
duties, leaving everyone underneath 204 TLDs susceptible to attack 
via cache poisoning at one or more servers for their TLD, you realize 
that there are much more serious problems that have to be solved.

-- 
Brad Knowles, <[EMAIL PROTECTED]>




Re: Paul's Mailfrom (Was: IETF SMTP Working Group Proposal at

2002-08-27 Thread Paul Vixie


> >  ... (http://dcc.rhyolite.com/) ...
> 
>   Indeed, that is a cool idea.  I definitely want to look into
> that a lot more closely.  Perhaps we can combine this with deep
> blacklist checking (beyond just the first hop), tagging, and Bayesian
> content filtering.  Perhaps then we will have a temporary pass at a
> semi-decent anti-spam filter.

be careful when you gang things together.  spamassassin seems to be a
considered approach, but that doesn't mean more is always better.  as
has oft been said of PRNG's, adding complexity usually subtracts from
the quality.  if you combine too many kinds of spam filtering together
then you'll have that much more trouble figuring out what to tune when
you get a false positive.



Re: Paul's Mailfrom (Was: IETF SMTP Working Group Proposal at

2002-08-27 Thread Brad Knowles


At 9:59 PM + 2002/08/27, Paul Vixie wrote:

>>  My point is that I think we really need to start focusing on solutions
>>  which aren't primarily or solely technical.
>
>  the folks at http://spam.abuse.net/ and http://www.cauce.org/ and even
>  http://www.spamcon.org/ would be alarmed to hear you say that they've
>  been focused on purely technical solutions all these years.

Yup.  Ever since these organizations were created, I've been 
saying that they're focusing on the wrong aspect of the wrong 
problem.  I've known Ray Everett-Church for years, and he and I have 
had this discussion multiple times before.  Sadly, it doesn't seem to 
have had any impact.

-- 
Brad Knowles, <[EMAIL PROTECTED]>




Re: Paul's Mailfrom (Was: IETF SMTP Working Group Proposal at smtpng.org)

2002-08-27 Thread Brad Knowles


At 7:37 PM -0400 2002/08/27, Dean Anderson wrote:

>  You worked at AOL?  This happens quite often. I've known of several admins
>  who started reading email, checking terminal servers, and "disrupting"
>  users who complained about the admins performance.  One admin wrote a
>  script that reset the session of a "PITA" user every half hour.

I've heard of cases like this.  I also know that the people I 
heard about were terminated with extreme prejudice, as soon as 
management got even a single whiff as to what they were doing.  They 
took a really, really hard line against this kind of administrative 
abuse.

Before I left, they had started seriously cracking down on 
removing any additional access or permissions that someone may have 
had, if they couldn't prove that they needed it during the course of 
their job.  I basically lost all access to the Stratus mainframes, 
because I didn't need it in order to perform my duties as the Sr. 
Internet Mail System Administrator.


No, I have a lot of my own bitches about AOL, mostly due to 
extremely questionable business practices that I saw while I was 
there.  But this is an area where I don't think that much criticism 
can be rightly levelled at them.

>  That is the number one problem, and it's why consumer groups think they
>  need tougher privacy laws.

I definitely support tougher privacy laws.  But I don't think AOL 
would be likely to have many problems meeting or exceeding most 
enhanced privacy laws that I can think of.

-- 
Brad Knowles, <[EMAIL PROTECTED]>




[apops] The Cidr Report

2002-08-27 Thread CIDR Report



This is an auto-generated mail on Fri Aug 23 23:00:00 PDT 2002
It is not checked before it leaves my workstation.  However, hopefully 
you will find this report interesting and will take the time to look 
through this to see if you can improve the amount of aggregation you 
perform.

Check http://www.employees.org/~tbates/cidr-report.html for a daily
update of this report.

NEW: Check http://www.employees.org/~tbates/cidr-report-region.html for
the regional version of this report.

NEW: Check http://www.employees.org/~tbates/autnums.html for a complete
list of autonomous system number to name mappings as used by the CIDR-Report.

The report is split into sections:

   0) General Status
   
  List the route table history for the last week, list any possibly
  bogus routes seen and give some status on ASes.

   1) Gains by aggregating at the origin AS level

  This lists the "Top 30" players who, if they decided to aggregate
  their announced classful prefixes at the origin AS level, could 
  make a significant difference in the reduction of the current 
  size of the Internet routing table. This calculation does not 
  take into account the inclusion of holes when forming an aggregate,
  so an even larger reduction may be possible.

   2) Weekly Delta

  A summary of the last week's changes in terms of withdrawn and
  added routes. Please note that this is only a snapshot but does 
  give some indication of ASes participating in CIDR. Clearly,
  it is generally a good thing to see a large amount of withdrawals.

   3) Interesting aggregates

  Interesting here means not an aggregate made as a set of 
  classful routes.  

Thanks to GX Networks for giving me access to their routing tables once a
day. 

Please send any comments about this report directly to CIDR Report 
<[EMAIL PROTECTED]>.



--

CIDR REPORT for 23Aug02


0) General Status

Table History
-------------

Date      Prefixes
160802      112263
170802      112395
180802      112126
190802      112372
200802      112331
210802      112026
220802      112220
230802      112433

Check http://www.employees.org/~tbates/cidr.plot.html for a plot
of the table history.


Possible Bogus Routes
-


AS Summary
--

Number of ASes in routing system:  13481

Number of ASes announcing only one prefix:  8184 (4604 cidr, 3580 classful)

Largest number of  cidr routes:  736 announced by AS3908
Largest number of classful routes:  1196 announced by  AS701



1) Gains by aggregating at the origin AS level

 --- 23Aug02 ---
ASnum     NetsNow  NetsCIDR  NetGain  % Gain   Description

AS701        1196       967      229   19.1%   UUNET Technologies, Inc.
AS1221       1039       822      217   20.9%   Telstra Pty Ltd
AS17557       268        94      174   64.9%   Pakistan Telecom
AS6595        224        60      164   73.2%   DoD Education Activity Network As
AS852         522       379      143   27.4%   Telus Advanced Communications
AS16473       196        75      121   61.7%   Bell South
AS7018        774       662      112   14.5%   AT&T
AS4151        253       156       97   38.3%   USDA
AS19632        99         5       94   94.9%   Metropolis Intercom S.A.
AS12302       122        29       93   76.2%   MobiFon S.A.
AS16814       105        20       85   81.0%   NSS, S.A.
AS1239        501       419       82   16.4%   Sprint
AS226         170        89       81   47.6%   Los Nettos
AS4755        202       126       76   37.6%   Videsh Sanchar Nigam Ltd. Autonom
AS2048        178       103       75   42.1%   State of Louisiana
AS577         266       193       73   27.4%   Bell Advanced Communications Inc.
AS7046        291       221       70   24.1%   UUNET Technologies, Inc.
AS3464        163       103       60   36.8%   Alabama SuperComputer Network
AS19834        64         4       60   93.8%   NetForce, Inc.
AS10620        85        25       60   70.6%   TVCABLE BOGOTA
AS724         207       148       59   28.5%   DLA Systems Automation Center
AS6535         70        13       57   81.4%   Chilesat Servicios  Empresariales
AS5515        243       186       57   23.5%   Sonera Finland Autonomous System
AS16758        63         6       57   90.5%   IKON Office Solutions
AS3908        285       230       55   19.3%   Supernet, Inc.
AS209         289       234       55   19.0%   Qwest
AS9051         82        28       54   65.9%   INCONET Autonomous System
AS9498         84        31       53   63.1%   BHARTI BT INTERNET LTD.
AS3233        105        53       52   49.5%   RNC - Romanian Natioanal R&D Netw
AS703         273       223       50   18.3%   UUNET Technologies, Inc.

Total       54880     42313    12567   22.9%


For the rest of the previous weeks gain information please see
http://www.employees.org:80/~tbates/cidr-report.html

2) Weekly Delta

Please see
http://www.employees.org:80/~t
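How the "gains by aggregating at the origin AS level" columns in the report above can be computed from a set of announcements, as an added Python example that is not part of the CIDR Report or its scripts. The routes, AS numbers and descriptions below are constructed for illustration (documentation ASNs and test/documentation prefixes), and, like the report, the aggregation never fills holes.

```python
"""Added example, not part of the CIDR Report mail: computing the
"gains by aggregating at the origin AS level" columns for a constructed
set of announcements.  The routes and AS numbers are made up for
illustration (documentation ASNs and test/documentation prefixes), not
taken from any routing table."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample announcements: (prefix, origin AS).
SAMPLE_ROUTES: List[Tuple[str, int]] = (
    # AS64496: eight adjacent /24s (one /21), two adjacent /24s (one /23)
    # and one lone /24 -> 11 announcements that 3 aggregates would cover.
    [("198.18.%d.0/24" % i, 64496) for i in range(8)]
    + [("198.18.10.0/24", 64496), ("198.18.11.0/24", 64496),
       ("203.0.113.0/24", 64496)]
    # AS64497: a simple pair that folds into a /23.
    + [("198.51.100.0/24", 64497), ("198.51.101.0/24", 64497)]
    # AS64498: two /24s with a hole between them.  As the report notes,
    # holes are not filled, so these cannot be aggregated and gain nothing.
    + [("198.18.16.0/24", 64498), ("198.18.18.0/24", 64498)]
)

Row = Tuple[int, int, int, float]   # NetsNow, NetsCIDR, NetGain, % Gain


def aggregation_gain(routes) -> Dict[int, Row]:
    """Per origin AS, the four numeric columns of the report's section 1.
    NetsCIDR is the number of prefixes left after merging exactly adjacent
    announcements (and dropping ones already covered by a larger one)."""
    by_as = defaultdict(list)
    for prefix, asn in routes:
        by_as[asn].append(ipaddress.ip_network(prefix, strict=True))
    rows = {}
    for asn, nets in by_as.items():
        nets_now = len(set(nets))
        nets_cidr = sum(1 for _ in ipaddress.collapse_addresses(nets))
        gain = nets_now - nets_cidr
        pct = round(100.0 * gain / nets_now, 1) if nets_now else 0.0
        rows[asn] = (nets_now, nets_cidr, gain, pct)
    return rows


def totals(routes) -> Row:
    """The report's Total line: column sums and the overall % gain."""
    rows = list(aggregation_gain(routes).values())
    now = sum(r[0] for r in rows)
    cidr = sum(r[1] for r in rows)
    gain = now - cidr
    pct = round(100.0 * gain / now, 1) if now else 0.0
    return now, cidr, gain, pct


def top_gainers(routes, limit=30) -> List[Tuple[int, Row]]:
    """ASes ranked by NetGain, the way the report picks its "Top 30"."""
    rows = aggregation_gain(routes)
    return sorted(rows.items(), key=lambda kv: kv[1][2], reverse=True)[:limit]


def format_report(routes, names: Dict[int, str]) -> str:
    """Render the rows in the layout of the report's section 1 table."""
    lines = ["%-9s%8s%9s%8s%8s   %s" % ("ASnum", "NetsNow", "NetsCIDR",
                                          "NetGain", "% Gain", "Description")]
    for asn, (now, cidr, gain, pct) in top_gainers(routes):
        lines.append("AS%-7d%8d%9d%8d%7.1f%%   %s"
                     % (asn, now, cidr, gain, pct, names.get(asn, "")))
    now, cidr, gain, pct = totals(routes)
    lines.append("%-9s%8d%9d%8d%7.1f%%" % ("Total", now, cidr, gain, pct))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed descriptions for the sample ASes.
    print(format_report(SAMPLE_ROUTES, {64496: "Example Net A",
                                        64497: "Example Net B",
                                        64498: "Example Net C"}))
```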

Re: Paul's Mailfrom (Was: IETF SMTP Working Group Proposal at smtpng.org)

2002-08-27 Thread David Schwartz



>>Maybe I don't want my email sitting around in your MTA queue for
>>your sysadmins to read.

>Given the volumes of mail that pass through these kinds of
>things, that's not likely to be a problem.  More likely to be a
>problem would be the fact that the mail might sit there for a week
>before it gets retried a second time.  That takes careful system
>engineering for load, making sure to retry old messages often enough,
>etc

I'm afraid the technology to rapidly sift through large volumes of
information to search for specific areas of interest is widely available. It
is totally reasonable to not want to send mail through your ISP's mail
servers and perhaps directly to a trusted mail distributor over an encrypted
link. Of course, you can easily use a port other than 25 for this purpose.
The problem comes when the recipient tries to validate your origin address
against your secure mail server.

DS





Re: Paul's Mailfrom (Was: IETF SMTP Working Group Proposal at smtpng.org)

2002-08-27 Thread Jim Hickstein


--On Monday, August 26, 2002 10:34 PM +0200 Iljitsch van Beijnum 
<[EMAIL PROTECTED]> wrote:

> As a user, I pay my ISP to forward IP packets. If there happen to be TCP
> segments in those packets, that's something between me and the person the
> packet is addressed to, whether the destination port of those TCP segments
> is 25 or something else.

Hear, hear!  I run an email-only service provider (www.imap-partners.net), 
and we have to help certain users over the threshold at e.g. Earthlink by 
permitting them to reach us on another port.  This is logically ridiculous, 
and bound to change.

Earthlink's behavior here may have some positive social benefit, but there 
is a downside.  If it becomes impossible for my customers to reach me and 
do SMTP AUTH, I will be out of business.  The network is not the 
application, and should not be.



Re: Paul's Mailfrom (Was: IETF SMTP Working Group Proposal at smtpng.org)

2002-08-27 Thread Jim Hickstein


--On Tuesday, August 27, 2002 6:13 PM -0700 David Schwartz 
<[EMAIL PROTECTED]> wrote:

>   I'm afraid the technology to rapidly sift through large volumes of
> information to search for specific areas of interest is widely available.
> It  is totally reasonable to not want to send mail through your ISP's
> mail  servers and perhaps directly to a trusted mail distributor over an
> encrypted  link. Of course, you can easily use a port other than 25 for
> this purpose.  The problem comes when the recipient tries to validate
> your origin address  against your secure mail server.

Your secure mail server (i.e. me) just has to be named in a MAIL-FROM MX 
record.  We do DNS for some of our customers, and can add this trivially; 
the others control their own zones.  Works for me.
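The check Jim describes (a domain naming its permitted sending hosts in DNS, the recipient comparing the connecting host against that list) and the response-size objection Brad raised earlier about listing 20 names, as an added Python example that is not from the thread or any of its participants. The record layout (a per-domain list modelled as MX-style RRs), the zone data and the host names are constructed assumptions; the size arithmetic follows the RFC 1035 wire format and its 512-byte UDP limit.

```python
"""Added example (not from the NANOG thread): a toy model of the
"mail-from" check discussed above.  A domain publishes the hosts allowed
to originate mail for it; the receiving MTA looks that list up by the
envelope sender's domain and compares the connecting host against it.
The record layout, zone data and host names are constructed assumptions.
The size estimate follows RFC 1035 wire format, so the truncation problem
raised in the thread when 20 hosts are listed can be seen in numbers.
"""
from typing import Dict, List, Optional, Tuple

UDP_LIMIT = 512   # RFC 1035 4.2.1: largest UDP DNS message without EDNS0
HEADER = 12       # fixed-size DNS message header
RR_FIXED = 2 + 2 + 2 + 4 + 2   # NAME as 2-byte pointer, TYPE, CLASS, TTL, RDLENGTH
MX_PREF = 2       # MX RDATA starts with a 16-bit preference

# Constructed zone data: domain -> hosts permitted to send mail for it.
PERMITTED_SENDERS: Dict[str, List[str]] = {
    "example.com": ["mx1.example.com", "mx2.example.com"],
    # An ISP of the size the thread describes, with about 20 outbound relays.
    "bigisp.example": ["smtp-out%02d.bigisp.example" % n for n in range(1, 21)],
}


def envelope_domain(mail_from: str) -> Optional[str]:
    """Domain part of a MAIL FROM argument; None for the null sender '<>'."""
    addr = mail_from.strip().strip("<>")
    if not addr or "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def check_mail_from(mail_from: str, connecting_host: str,
                    records: Dict[str, List[str]] = PERMITTED_SENDERS) -> Tuple[str, str]:
    """Return (verdict, reason).  'none' means the domain publishes no list,
    so the check is inconclusive rather than a failure; only 'fail' is a
    mismatch between the published list and the actual sending host."""
    domain = envelope_domain(mail_from)
    if domain is None:
        return "none", "null or malformed sender; nothing to check"
    hosts = records.get(domain)
    if hosts is None:
        return "none", "%s publishes no sender list" % domain
    host = connecting_host.lower().rstrip(".")
    if host in {h.lower().rstrip(".") for h in hosts}:
        return "pass", "%s is a listed sender for %s" % (host, domain)
    return "fail", "%s is not a listed sender for %s" % (host, domain)


def wire_name_len(name: str) -> int:
    """Uncompressed RFC 1035 name: a length byte per label plus the root byte."""
    return sum(1 + len(label) for label in name.rstrip(".").split(".")) + 1


def mx_response_size(qname: str, hosts: List[str]) -> int:
    """Estimated size of a reply carrying one MX-style RR per host.
    Best case for the publisher: every exchange name that ends in the
    queried domain compresses that suffix to a 2-byte pointer."""
    size = HEADER + wire_name_len(qname) + 4        # question: QNAME, QTYPE, QCLASS
    suffix = "." + qname.rstrip(".")
    for host in hosts:
        host = host.rstrip(".")
        if host.endswith(suffix):
            # leading labels (no root byte) followed by a compression pointer
            exchange = wire_name_len(host[:-len(suffix)]) - 1 + 2
        else:
            exchange = wire_name_len(host)
        size += RR_FIXED + MX_PREF + exchange
    return size


def fits_in_udp(qname: str, hosts: List[str]) -> bool:
    """False means a plain UDP query gets a truncated reply (TC bit set) and
    the resolver must retry over TCP, the failure mode the thread warns about."""
    return mx_response_size(qname, hosts) <= UDP_LIMIT


if __name__ == "__main__":
    for sender, host in [("<alice@example.com>", "mx1.example.com"),
                         ("<alice@example.com>", "dialup-42.bigisp.example"),
                         ("<>", "mx1.example.com")]:
        print(sender, host, check_mail_from(sender, host))
    for domain, hosts in PERMITTED_SENDERS.items():
        print(domain, len(hosts), "hosts ->", mx_response_size(domain, hosts),
              "bytes, fits in UDP:", fits_in_udp(domain, hosts))
```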



Will Canada's Internet providers become spies?

2002-08-27 Thread Joe Baptista



enjoy ... and i'm curious if there are any small or large system admins in
canada here that this affects and their opinions.

regards
joe baptista

- Original Message -
From: "Declan McCullagh" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, August 27, 2002 6:43 PM
Subject: FC: Will Canada's Internet providers become spies?




http://news.com.com/2100-1023-955595.html?tag=politech

Will Canada's ISPs become spies?
By Declan McCullagh
August 27, 2002, 12:56 PM PT

WASHINGTON--The Canadian government is considering a proposal that
would force Internet providers to rewire their networks for easy
surveillance by police and spy agencies.

A discussion draft released Sunday also contemplates creating a
national database of every Canadian with an Internet account, a plan
that could sharply curtail the right to be anonymous online.

[...]

---


From: David Akin <[EMAIL PROTECTED]>
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Subject: Canada to review electronic surveillance laws

Hey Declan --
May be a bit too 'Canadian' for Politech but here you are . ...

David Akin
CTV News
The Globe and Mail

Office: 416.313.2503
Mobile: 416.528.3819


 > -Original Message-
 > From:
 > [EMAIL PROTECTED]
 > [mailto:[EMAIL PROTECTED]]
 > Sent: Monday, August 26, 2002 7:13 AM
 > Subject: Government of Canada to Review Lawful Access Laws
 >
 >
 > Date: 2002/08/25
 >
 > QUEBEC, August 25, 2002 --  The Honourable Martin Cauchon,
 > Minister of Justice and Attorney General of Canada, the
 > Honourable Lawrence MacAulay, Solicitor General of Canada,
 > and the Honourable Allan Rock, Minister of Industry, today
 > announced that the Government of Canada will consult with
 > Canadians concerning lawful access to information and
 > communications.  The consultation was launched by Minister
 > MacAulay, on behalf of his colleagues, at the annual meeting
 > of the Canadian Association of Chiefs of Police (CACP).
 >
 > "Lawful access legislation must protect the privacy of
 > Canadians and reflect their values. The Government of Canada
 > will be examining current laws to ensure crimes and other
 > threats to public safety can continue to be investigated
 > effectively," said Minister Cauchon.
 >
 > "Legislation governing lawful access was originally designed
 > for rotary telephones -- not e-mail or the Internet," said
 > Minister MacAulay.  "Dated laws allow criminals and
 > terrorists to use technology to hide their illicit
 > activities. This initiative is about keeping our laws current
 > so that the police can do their job and keep Canadians safe."
 >
 > "Technology is a great enabler for Canadians, but also
 > presents challenges for law enforcement," said Minister Rock.
 > "Through this process, we are seeking ideas from law
 > enforcement, industry and all Canadians to find a solution
 > that supports public safety and privacy, and how to achieve
 > this without inhibiting industry's ability to innovate and compete."
 >
 > Lawful access is the lawful interception of communications,
 > and the search and seizure of information by law enforcement
 > and national security agencies.  Updating lawful access
 > legislation is essential to a broad range of investigative
 > bodies, in their continued efforts to fight crimes such as
 > terrorism, child pornography, drug trafficking, smuggling,
 > Internet and telemarketing fraud, price fixing and money
 > laundering. Lawful access can only be exercised with a lawful
 > authority, and is well entrenched in laws such as the
 > Criminal Code, the Canadian Security Intelligence Act, the
 > Competition Act and other Acts of Parliament. Lawful access
 > legislation also recognizes the privacy rights of all people
 > in Canada and their rights under the Canadian Charter of
 > Rights and Freedoms.
 >
 > This consultation process will involve key stakeholders
 > including law enforcement, telecommunications companies,
 > civil liberties and privacy organizations. The public will
 > also be given the opportunity to consider lawful access
 > issues and options for change by obtaining a consultation
 > paper, which is available at
 > www.canada.justice.gc.ca/en/cons/la_al. Those wishing to
 > respond may send their submissions to [EMAIL PROTECTED]
 > before November 15, 2002.
 >
 > In the January 2001 Speech from the Throne, the Government of
 > Canada pledged to provide modern tools to safeguard Canadians
 > from emerging threats such as cyber-crime.  The lawful access
 > consultation will contribute to the Government's ongoing
 > commitments, both nationally and internationally, to ensure a
 > balanced and effective approach to addressing threats to
 > public safety and national security.
 >
 > References:
 >
 > Media Relations Office
 > Department of Justice
 > (613) 957-4207
 >
 > Suzanne Thébarge
 > Director of Communications
 > Minister's Office
 > (613) 992-4621
 > Communications
 > Solicitor General Canada
 > (613) 991-280

RE: Will Canada's Internet providers become spies?

2002-08-27 Thread Phil Rosenthal


Is news.com.com run by news.com ?
http://news.com/2100-1023-955595.html?tag=politech == 404

--Phil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Joe Baptista
Sent: Tuesday, August 27, 2002 10:44 PM
To: [EMAIL PROTECTED]
Subject: Will Canada's Internet providers become spies?





Re: Standalone Stratum 1 NTP Server

2002-08-27 Thread John Todd



Hmm... $2400 is still in the "pricey" range to be throwing out 
bunches of these across a network in wide distribution.  (Pardon me 
if some of you on the list snicker at my reluctance at the $2400 
price - for some of us the "new, new Economy" is making things like 
NTP Stratum 1 clocks a luxury that The Budgeters don't see as 
necessary, since it's an invisible engineering issue.)

One would think that a vendor could come up with a 1u rackmount box 
with a GPS and single-board computer (BSD or Linux-based) for ~$500 
total cost.   Add 150% for profit and distribution costs, you're 
still in the $1300 range, which is more reasonable.  I suppose my 
oversimplification is the reason I'm not in the hardware business. 
I'd be even happier with a PCI-bus card that I could put into an old 
(reasonably fast) PC and a CD-ROM with an OpenBSD distribution that 
automatically did the Right Thing.   There is a case to be made about 
off-the-shelf PC hardware not being accurate enough to handle a true 
Stratum-1 clock, and that is a valid point.  However, if I can get 
within .5ms, I'm happy since most of my applications don't require 
anything more accurate than that.  (Those of you timing T1's should 
use the more expensive systems.)

I will go out on a limb and say that a reduction in the cost of 
stratum-1 servers will increase their use across the Internet.  The 
results of such an increase would be arguably visible, as the current 
multi-layer timekeeping system seems to be more-or-less keeping 
clocks correct to the point of usefulness, at least from a 
layer-4-and-up standpoint.  However, accuracy and self-determination 
for timing are probably things that most organizations would consider 
"good" by self-evidence, and the lower the price the more possible 
things become to implement.  Perhaps there are reasons that putting 
stratum-1 clocks in many, many places is sub-optimal; I leave that 
for others to illuminate.

I know that I would like to not rely on POP-external network 
connections to keep my clock sources accurate, but these prices 
(while very inexpensive, compared to other stratum-1 sources I have 
seen) are still outside the "put-one-in-every-POP" price.

JT



At 9:48 AM -0700 8/27/02, Mike Lyon wrote:
>
>Here is your base pricing from Truetime:
>
>NTS-150 $2395
>NTS-200 $3595
>
>-Mike
>
>On Tue, 27 Aug 2002, John Todd wrote:
>
>>  Happen to know what the base price is for these?   "Low price" is a
>>  relative term when dealing with clock makers.  :)
>>
>>  JT
>>
>>
>>  >http://www.truetime.com/index.html
>>  >
>>  >Not exactly "stand alone" because you have to place the antenna somewhere
>>  >where it can see the GPS satellites as is the case with any Stratum 1
>>  >NTP device. Then you have to program the IP into it and plug the ethernet
>>  >into it. They are really simple to install and configure. They give you a
>>  >certain amount of Coax (you can order more if need be) and you put the
>>  >antenna on the roof and run it down to the receiver. Quite simple.
>>  >
>>  >They have a couple different models to choose from.
>>  >
>>  >-Mike
>>  >
>>  >
>>  >
>>  >On Mon, 26 Aug 2002, Mike Leber wrote:
>>  >
>>  >>
>>  >>
>>  >>  I was wondering if anybody has any suggestions for a low priced, off the
>>  >>  shelf, complete (includes any necessary receivers), standalone (as in you
>>  >>  just plug it in and connect ethernet), stratum 1 NTP server?
>>  >>
>>  >>  Please also mention where to buy it.
>>  >>
>>  >>  Mike.
>>  >>
>>  >>  +- H U R R I C A N E - E L E C T R I C -+
>>  >>  | Mike Leber   Direct Internet Connections   Voice 510 580 4100 |
>>  >>  | Hurricane Electric Web Hosting  Colocation   Fax 510 580 4151 |
>>  >>  | [EMAIL PROTECTED]   http://www.he.net |
>>  >>  +---+
>>  >  >
>>
>
>--
>/
>-  Mike Lyon-
>-   Studio Engineer -
>-   KKUP Public Radio, Cupertino, Ca-
>-Cell:  408-621-4826-
>- www.fitzharris.com/~mlyon -
>/




Re: Paul's Mailfrom (Was: IETF SMTP Working Group Proposal at smtpng.org)

2002-08-27 Thread David Schwartz




On Tue, 27 Aug 2002 19:40:16 -0700, Jim Hickstein wrote:
>--On Tuesday, August 27, 2002 6:13 PM -0700 David Schwartz
><[EMAIL PROTECTED]> wrote:

>>I'm afraid the technology to rapidly sift through large volumes of
>>information to search for specific areas of interest is widely available.
>>It  is totally reasonable to not want to send mail through your ISP's
>>mail  servers and perhaps directly to a trusted mail distributor over an
>>encrypted  link. Of course, you can easily use a port other than 25 for
>>this purpose.  The problem comes when the recipient tries to validate
>>your origin address  against your secure mail server.

>Your secure mail server (i.e. me) just has to be named in a MAIL-FROM MX
>record.  We do DNS for some of our customers, and can add this trivially;
>the others control their own zones.  Works for me.

How would this stop the destination mailservers from rejecting the mail
forwarded by the secure server? Remember, the situation is that I don't trust
my ISP to see my outbound mail (because that's where warrants are likely to
be served or interception hardware would likely be surreptitiously inserted).
So I don't want my outbound mail passing through my ISP unencrypted.

And I can't just use an email address that is hosted by the secure mail
server, because then that's where the warrant will be served or the interest
will be focused, and my mail is decrypted there. Nobody inspecting the secure
link could necessarily even tell that it was mail that was going over it or
where it was actually decrypted -- the next hop could just be a forwarder
outputting encrypted data to the ultimate decrypter.

I don't think it's unreasonable to simply say that email can't provide this
kind of feature unless the recipient and sender are part of the system. And
in that case, all the problems go away because the recipient will do the
right thing and no intermediate mail servers that don't know what to do are
needed.

DS





Re: Standalone Stratum 1 NTP Server

2002-08-27 Thread bmanning


> I will go out on a limb and say that a reduction in the cost of 
> stratum-1 servers will increase their use across the Internet.  The 
> results of such an increase would be arguably visible, as the current 
> multi-layer timekeeping system seems to be more-or-less keeping 
> clocks correct to the point of usefulness, at least from a 
> layer-4-and-up standpoint.  

The point ought to be made that a dense mesh of stratum-2
sources is likely more robust/accurate than a single 
stratum-1 source...  

--bill



Re: Standalone Stratum 1 NTP Server

2002-08-27 Thread Majdi S. Abbas


On Tue, Aug 27, 2002 at 11:57:39PM -0400, John Todd wrote:
> Hmm... $2400 is still in the "pricey" range to be throwing out 
> bunches of these across a network in wide distribution.  (Pardon me 
> if some of you on the list snicker at my reluctance at the $2400 
> price - for some of us the "new, new Economy" is making things like 
> NTP Stratum 1 clocks a luxury that The Budgeters don't see as 
> necessary, since it's an invisible engineering issue.)

Is it invisible?  Proper timing is essential.  It's not too
hard to pick a suitable GPS and plug it into a host somewhere if
cost is an issue.

But, more to the point, you don't need a "wide distribution"
of these boxes.  2 or 3 is more than enough.  I tend to use
my top level routers, or some distributed hosts (dns, authentication,
logging, you name it) to form a stratum 2 mesh, and then have the rest
of your network talk to them.

A large number of stratum 2 servers talking to each other as 
well as a few stratum 1 clocks will result in a very stable distributed
timesource that can support a whole lot of clients.

You've already paid for the network, might as well use it.

--msa



Re: Standalone Stratum 1 NTP Server

2002-08-27 Thread David G. Andersen


On Tue, Aug 27, 2002 at 11:57:39PM -0400, John Todd mooed:
> 
> Hmm... $2400 is still in the "pricey" range to be throwing out 
> bunches of these across a network in wide distribution.  (Pardon me 
> [...]
> 
> One would think that a vendor could come up with a 1u rackmount box 
> with a GPS and single-board computer (BSD or Linux-based) for ~$500 
> total cost.   Add 150% for profit and distribution costs, you're 
> still in the $1300 range, which is more reasonable.  I suppose my 
> oversimplification is the reason I'm not in the hardware business. 

   You might be imagining a somewhat larger market for standalone
stratum-1 timeservers than you might imagine.  For real accuracy, 
you don't want standalone -- you want a locally connected source that 
you can use to tightly discipline the local clock.  (When I say "real," I
mean sub-millisecond).  The difference is .. substantial.  Taken
from two of my machines on the same subnet:

 remote             st  poll  reach  delay    offset    disp

 Local CDMA          0    32   377   0.0      -0.11     0.00047
 100Mbps Ethernet    1  1024   377   0.00035  0.001103  0.01866

And if you want paranoia, go by ntp's estimate of its accuracy:

Local  maximum error 5449 us, estimated error 3 us, TAI offset 0
Ether  maximum error 584994 us, estimated error 1241 us, TAI offset 0

With that on the board... why do you need, or even want,
a standalone NTP server if you're on a budget?  Almost certainly
you have a local computer in your POP -- you can even get
Cisco routers to talk with a local time receiver, if all you
want to do is discipline your routers.  If you've got a caching
nameserver or something else in your POP, that will do just as
well.

> I'd be even happier with a PCI-bus card that I could put into an old 
> (reasonably fast) PC and a CD-ROM with an OpenBSD distribution that 
> automatically did the Right Thing.   There is a case to be made about 

  Grab a serial CDMA/GPS unit (I use the EndRun Praecis Ct because it's
CDMA;  I mention some GPS units below), plug it into your serial port, and
stick:

server 127.127.29.0 prefer
fudge 127.127.29.0 refid CDMA

   in ntp.conf.  It's about as simple as you can get.  But remember --
regardless of how nifty your local clock is, you still need to
have a good server mesh with NTP.  Clocks go bad.  CDMA base stations
screw up (we've found one so far) or change protocols unexpectedly
(three).  GPS has serious visibility issues unless you can get an actual
roof antenna (two).  Configuring this mesh in an intelligent way takes work.
Would make a great research project. :)

  The Ct costs something like $1100.  endruntechnologies.com.
synergy-gps.com sells a really nice GPS timing unit based on the
Motorola UT+ chipset (designed for timing), including all the parts
you need, for .. eh, 600?  I forget.  Maybe a bit less.  Plug into
serial port, go.  Requires a recompiled kernel under FreeBSD and
Linux, but it's fairly easy to set up.  If you want something for
a bit less work, look at the Trimble units.

  (For reference:  I've got two of the UT+ GPS units, and 20
EndRun Praecis Ct's.  Like them both.  The Ct is a heck of a lot
easier to deploy in a datacenter, as would be the CDMA TrueTime model)

  If you're really broke, and want a stratum 1 server, host one of
our network measurement boxes.  We'll ship it to you, you provide
the network.  In return, you get a local stratum-1 timeserver, 
managed by yours truly.  (I'm serious about this offer, btw.)

  As a second option:  If you manage the connections between
your POPs, you can get really decent remote NTP performance.
The places in which NTP dies are where latencies are asymmetric.
With priority assigned to inter-POP NTP traffic and known
symmetric links, life could be quite happy.

   -Dave (time is very cool)

-- 
work: [EMAIL PROTECTED]  me:  [EMAIL PROTECTED]
  MIT Laboratory for Computer Science   http://www.angio.net/
  I do not accept unsolicited commercial email.  Do not spam me.
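The asymmetric-latency failure mode Dave describes, worked through as an added example that is not part of the thread: the standard NTP client offset/delay formulas applied to a constructed exchange, showing that the error is (fwd - rev)/2 and that the measured delay can only bound it. The path delays, the 2 ms clock error and the 0.5 ms target are assumptions; the 0.35 ms same-subnet delay is taken from the ntpq line above.

```python
"""Added example, not code from the thread: how NTP's on-wire exchange
turns four timestamps into a clock offset and a round-trip delay, and why
asymmetric path latency silently corrupts the offset while the measured
delay can only bound the damage.  All delays and offsets are constructed."""

from dataclasses import dataclass


@dataclass
class Exchange:
    """Four timestamps of one client/server exchange, in seconds."""
    t1: float  # client transmit, read from the client clock
    t2: float  # server receive, read from the server clock
    t3: float  # server transmit, read from the server clock
    t4: float  # client receive, read from the client clock


def simulate(true_offset, fwd_delay, rev_delay, t1=1000.0, proc=0.001):
    """Build the exchange a client sees when the server clock reads
    `true_offset` seconds ahead of the client clock and the two path
    directions take `fwd_delay` and `rev_delay` seconds (constructed)."""
    t2 = t1 + fwd_delay + true_offset        # stamped on the server clock
    t3 = t2 + proc                           # server processing time
    t4 = t1 + fwd_delay + proc + rev_delay   # back on the client clock
    return Exchange(t1, t2, t3, t4)


def offset_and_delay(x):
    """The RFC 1305 / RFC 5905 client calculation:
    theta = ((t2 - t1) + (t3 - t4)) / 2 is the correction the client
    should apply; delta = (t4 - t1) - (t3 - t2) is the round-trip delay."""
    theta = ((x.t2 - x.t1) + (x.t3 - x.t4)) / 2
    delta = (x.t4 - x.t1) - (x.t3 - x.t2)
    return theta, delta


def offset_error(true_offset, fwd_delay, rev_delay):
    """Offset error caused purely by path asymmetry.  Algebraically this
    is (fwd_delay - rev_delay) / 2, so a symmetric path gives zero."""
    theta, _ = offset_and_delay(simulate(true_offset, fwd_delay, rev_delay))
    return theta - true_offset


def fit_for(delay, target):
    """One exchange cannot reveal asymmetry; the client only knows the
    offset error is at most delta / 2.  Accept a source for a target
    accuracy only when that worst case stays inside the target."""
    return delay / 2 <= target


if __name__ == "__main__":
    # Cross-POP path: 1 ms out, 10 ms back, client clock 2 ms behind.
    theta, delta = offset_and_delay(simulate(0.002, 0.001, 0.010))
    print(f"measured offset {theta * 1e3:+.2f} ms (true +2.00 ms), "
          f"round-trip delay {delta * 1e3:.1f} ms")
    print("0.35 ms same-subnet path fit for 0.5 ms:", fit_for(0.00035, 0.0005))
    print("11 ms cross-POP path fit for 0.5 ms:   ", fit_for(delta, 0.0005))
```

The 1 ms / 10 ms path yields a measured offset of -2.5 ms against a true +2.0 ms, a 4.5 ms error that no number of samples over the same path will average away.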



Re: Paul's Mailfrom (Was: IETF SMTP Working Group Proposal at smtpng.org)

2002-08-27 Thread Jim Hickstein


--On Tuesday, August 27, 2002 9:01 PM -0700 David Schwartz 
<[EMAIL PROTECTED]> wrote:

>> Your secure mail server (i.e. me) just has to be named in a MAIL-FROM MX
>> record.  We do DNS for some of our customers, and can add this trivially;
>> the others control their own zones.  Works for me.
>
>   How would this stop the destination mailservers from rejecting the mail
> forwarded by the secure server? Remember, the situation is that I don't
> trust  my ISP to see my outbound mail (because that's where warrants are
> likely to  be served or interception hardware would likely be
> surreptitiously inserted).  So I don't want my outbound mail passing
> through my ISP unencrypted.

Given this extraordinary requirement, either you wouldn't be my customer, 
or you'd better encrypt at the endpoint (though pipes leak best out the 
ends).  Or you can pony up the money for your own host on a dedicated 
circuit so _it_ can be in the MAIL-FROM MX for your domain (of course 
you'll need your own domain), and then you and your ISP can argue about 
traffic analysis and acceptable use.

Still doesn't fundamentally break the proposal in hand, it seems to me. 
You always get to not publish the repudiating information if you don't want 
people to use it.




Re: Standalone Stratum 1 NTP Server

2002-08-27 Thread Mike Lyon


As I am sure you have noticed from other replies on the list here, the
idea for NTP is not to have a Stratum one device at every single POP. That
would be pricey not only in equipment costs but in roof-rights cost. What
many do for NTP is to have one or two Stratum 1 devices amongst your
network and then distribute it to a box that would then in turn distribute
down to the next layer of equipment and so on. So if you are only spending
$2400 and maybe even $4800 to support NTP across your whole network, I would think
that would be worth it.

-Mike



On Tue, 27 Aug 2002, John Todd wrote:

>
> Hmm... $2400 is still in the "pricey" range to be throwing out
> bunches of these across a network in wide distribution.  (Pardon me
> if some of you on the list snicker at my reluctance at the $2400
> price - for some of us the "new, new Economy" is making things like
> NTP Stratum 1 clocks a luxury that The Budgeters don't see as
> necessary, since it's an invisible engineering issue.)
>
> One would think that a vendor could come up with a 1u rackmount box
> with a GPS and single-board computer (BSD or Linux-based) for ~$500
> total cost.   Add 150% for profit and distribution costs, you're
> still in the $1300 range, which is more reasonable.  I suppose my
> oversimplification is the reason I'm not in the hardware business.
> I'd be even happier with a PCI-bus card that I could put into an old
> (reasonably fast) PC and a CD-ROM with an OpenBSD distribution that
> automatically did the Right Thing.   There is a case to be made about
> off-the-shelf PC hardware not being accurate enough to handle a true
> Stratum-1 clock, and that is a valid point.  However, if I can get
> within .5ms, I'm happy since most of my applications don't require
> anything more accurate than that.  (Those of you timing T1's should
> use the more expensive systems.)
>
> I will go out on a limb and say that a reduction in the cost of
> stratum-1 servers will increase their use across the Internet.  The
> results of such an increase would be arguably visible, as the current
> multi-layer timekeeping system seems to be more-or-less keeping
> clocks correct to the point of usefulness, at least from a
> layer-4-and-up standpoint.  However, accuracy and self-determination
> for timing are probably things that most organizations would consider
> "good" by self-evidence, and the lower the price the more possible
> things become to implement.  Perhaps there are reasons that putting
> stratum-1 clocks in many, many places is sub-optimal; I leave that
> for others to illuminate.
>
> I know that I would like to not rely on POP-external network
> connections to keep my clock sources accurate, but these prices
> (while very inexpensive, compared to other stratum-1 sources I have
> seen) are still outside the "put-one-in-every-POP" price.
>
> JT
>
>
>
> At 9:48 AM -0700 8/27/02, Mike Lyon wrote:
> >
> >Here is your base pricing from Truetime:
> >
> >NTS-150 $2395
> >NTS-200 $3595
> >
> >-Mike
> >
> >On Tue, 27 Aug 2002, John Todd wrote:
> >
> >>  Happen to know what the base price is for these?   "Low price" is a
> >>  relative term when dealing with clock makers.  :)
> >>
> >>  JT
> >>
> >>
> >>  >http://www.truetime.com/index.html
> >>  >
> >>  >Not exactly "stand alone" because you have to place the antenna somewhere
> >>  >where it can see the GPS satellites as is the case with any Stratum 1
> >>  >NTP device. Then you have to program the IP into it and plug the ethernet
> >>  >into it. They are really simple to install and configure. They give you a
> >>  >certain amount of Coax (you can order more if need be) and you put the
> >>  >antenna on the roof and run it down to the receiver. Quite simple.
> >>  >
> >>  >They have a couple different models to choose from.
> >>  >
> >>  >-Mike
> >>  >
> >>  >
> >>  >
> >>  >On Mon, 26 Aug 2002, Mike Leber wrote:
> >>  >
> >>  >>
> >>  >>
> >>  >>  I was wondering if anybody has any suggestions for a low priced, off the
> >>  >>  shelf, complete (includes any necessary receivers), standalone (as in you
> >>  >>  just plug it in and connect ethernet), stratum 1 NTP server?
> >>  >>
> >>  >>  Please also mention where to buy it.
> >>  >>
> >>  >>  Mike.
> >>  >>
> >>  >>  +- H U R R I C A N E - E L E C T R I C -+
> >>  >>  | Mike Leber   Direct Internet Connections   Voice 510 580 4100 |
> >>  >>  | Hurricane Electric Web Hosting  Colocation   Fax 510 580 4151 |
> >>  >>  | [EMAIL PROTECTED]   http://www.he.net |
> >>  >>  +---+
> >>  >  >
> >>
> >
> >--
> >/
> >-  Mike Lyon-
> >-   Studio Engineer -
> >-   KKUP Public Radio, Cupertino, Ca-
> >-Cell:  408-621-4826-
> >- www.fitzharris.com/~mlyon -
> >/
>

--

Re: Standalone Stratum 1 NTP Server

2002-08-27 Thread David G. Andersen


On Tue, Aug 27, 2002 at 11:07:10PM -0700, Jim Hickstein mooed:
> --On Wednesday, August 28, 2002 12:51 AM -0400 "David G. Andersen" 
> <[EMAIL PROTECTED]> wrote:
> 
> At work, it's all steel studs and foil-backed wallboard, and the windows 
> (for a patch GPS antenna) are _way over there_.  *sigh*   I'd love it if 
> someone would pay for my roof penetration there.

  Does your cell phone work in the room?  The CDMA time receivers
work in the strangest places.  The only places I've had no luck:

  - In the bowels of a big building along the mass tech corridor
  - when moved to a bad spot inside a fairly steel and concrete-heavy
lab at the university of utah (works in other spots in the lab).

But aside from that, I've got them working in network closets
and labs all over the place.  Worth giving a shot if you're really
desperate to play.  They're not quite as accurate as GPS (~10 microseconds
vs. ~2-5 microseconds), but what's a few microseconds compared to 
sticking an antenna on the roof?

(As a frequency standard, they're quite good.  But you can't autocorrect
for the CDMA propagation delay).

  -Dave

-- 
work: [EMAIL PROTECTED]  me:  [EMAIL PROTECTED]
  MIT Laboratory for Computer Science   http://www.angio.net/
  I do not accept unsolicited commercial email.  Do not spam me.