Re: Mobile code security (was Re: rr style scanning of non-customers)

2003-06-15 Thread Christopher L. Morrow

On Mon, 16 Jun 2003, Paul Vixie wrote:

>
> > Should ISPs control what applications their customers can run?
>
> frankly and truly, i would be satisfied if isp's wouldn't run outlook/exchange
> in their noc/abuse departments, so that they could safely accept mime-mail
> rather than bouncing it as their only means of keeping themselves virus-free.

yea, if my sister in-law (who barely knows what 'computer' means most
times) can come to the conclusion that:
1) all email viruses of note are outlook targeted
2) everyone with outlook gets viruses

therefore

3) why would anyone ever run outlook

why can't multibillion dollar companies figure that out? it does mystify
me :)

>
> i love it when mime shows up here.  mh-e just has no idea what to do with a
> "pif" or "exe" file.  the whole concept of having to run "mime defang" at the
> gateway because an abuse desk worker or backbone engineer has a fragile user
> agent is completely ridiculous and there is no possible explanation for it.
> (if this is your situation then quit, or fire somebody, as appropriate.)
>

go pine! (or mh or elm or... mailx!)


Re: from Dave Farber's list: Ireland to regulate peering

2003-06-15 Thread Peter Galbavy

Sean Donelan wrote:
> If I'm willing to pay list price, I can get "peering" or an
> interconnection with almost any ISP in the world.  I can call the
> sales offices of any provider, and on request most of them will sell
> me a connection to their network.

That isn't peering. That's transit or 'paid peering'.

To me peering has always been an equitable exchange of traffic on a shared
cost basis. UUNET and others have exploited their SMP over the last ten
years to force foreign ISPs to pay them both ways to get to their content
and access customers. That should be regulated (IMHO) - globally. I think we
all know how much fun NDA based peering agreements have been and continue to
be.

"You are a net content provider - pay to get to our access customers."

"You are a net content consumer - pay to get to our content providers."

"Our customers all pay us."

Hmm. Never liked the abuse/misuse of a 'captive' customer base.

> Ireland appears to be saying, if I don't like the price I can ask the
> Irish government to order ISPs in Ireland to charge less.  If I think
> a grocery store in Ireland is charging too much for potatoes, can I
> ask the Irish government to order the grocery store to change its
> price
> on potatoes?

Actually, yes. At least AFAIK. In the UK you certainly can, but Eire has
similar regulations as a result of the EU. From recent UK experience, the
supermarkets were recently investigated if any had SMP on a regional basis,
and if so should controls be imposed on both pricing (under as well as over)
and also costs - what they pay to suppliers. Sadly, lobbying killed this
issue - this time.

Peter



Re: Mobile code security (was Re: rr style scanning of non-customers)

2003-06-15 Thread Paul Vixie

> Should ISPs control what applications their customers can run?

frankly and truly, i would be satisfied if isp's wouldn't run outlook/exchange
in their noc/abuse departments, so that they could safely accept mime-mail
rather than bouncing it as their only means of keeping themselves virus-free.

i love it when mime shows up here.  mh-e just has no idea what to do with a
"pif" or "exe" file.  the whole concept of having to run "mime defang" at the
gateway because an abuse desk worker or backbone engineer has a fragile user
agent is completely ridiculous and there is no possible explanation for it.
(if this is your situation then quit, or fire somebody, as appropriate.)



Re: Spammers use Trojans

2003-06-15 Thread E.B. Dreger

RT> Date: Mon, 16 Jun 2003 00:27:23 -0500 (CDT)
RT> From: Rob Thomas


RT> ] I don't know what proof MessageLabs has, but they report
RT> ] that spammers are breaking into home PCs of unsuspecting

s/home/home, business, colo, and most any other/


RT> ] users to send junk mail.
RT>
RT> What proof?  Old proof.  :)  There are numerous bots,
RT> including the now venerable SDbot, that have this capability.
RT> This doesn't count the plethora of other malware that can
RT> also forward spam.

...and not only spam, but Joe job spam.  Those of us at the edge
have heard "why am I getting bounces for mail I didn't send?" a
time or two. :-(

MessageLabs just now realized this?  AFAIK, this and open proxies
are pretty much _the_ standard vectors nowadays for spamming.
Has ML also "discovered" it's pretty much up to service providers
to combat this, and that it is far from the most pressing issue
law enforcement has on their proverbial plates?


Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita
_
  DO NOT send mail to the following addresses :
  [EMAIL PROTECTED] -or- [EMAIL PROTECTED] -or- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.



Re: Spammers use Trojans

2003-06-15 Thread Rob Thomas

Hi, Sean.

] I don't know what proof MessageLabs has, but they report that spammers
] are breaking into home PCs of unsuspecting users to send junk mail.

What proof?  Old proof.  :)  There are numerous bots, including the
now venerable SDbot, that have this capability.  This doesn't count
the plethora of other malware that can also forward spam.

Thanks,
Rob.
-- 
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);




Spammers use Trojans

2003-06-15 Thread Sean Donelan


I don't know what proof MessageLabs has, but they report that spammers
are breaking into home PCs of unsuspecting users to send junk mail.


http://www.vnunet.com/News/1141610
Spammers are increasingly hijacking home PCs to send junk mail, according
to MessageLabs. The managed email service provider claims to have proof
of spammers using viruses to plant Trojan malware on PCs to provide
remote access.




Re: IPv6

2003-06-15 Thread Joseph T. Klein


On Thursday, June 12, 2003, at 02:29  PM, Jared Mauch wrote:

> 2) Cable providers need to provide IPv6

Get Cablelabs to specify it in DOCSIS, only then will the cable guys do it.

--
Joseph T. Klein

PSTN: +1 414 961 1690 VoIP: +1 415 462 1534 Mobile: +1 414 628 3380


Re: from Dave Farber's list: Ireland to regulate peering

2003-06-15 Thread Sean Donelan

On Sun, 15 Jun 2003, Steve Bellovin wrote:
>ComReg is planning to apply the principles of voice interconnect to all
>network types; this means that "operators of public communications
>networks shall have a right, and when requested by other [operators], an
>obligation to negotiate interconnection with each other for the purpose of
>providing publicly available electronic communications services." In
>effect, IP networks will have to peer with each other on request.
>
>Even worse, the "interconnect" (i.e. peering) prices will be subject to
>review by the Irish regulator if either party feels that they're not being
>offered a fair deal.

This doesn't look like Ireland is regulating peering.  They are regulating
the price of Internet service.

If I'm willing to pay list price, I can get "peering" or an interconnection
with almost any ISP in the world.  I can call the sales offices of any
provider, and on request most of them will sell me a connection to their
network.

Ireland appears to be saying, if I don't like the price I can ask the
Irish government to order ISPs in Ireland to charge less.  If I think
a grocery store in Ireland is charging too much for potatoes, can I
ask the Irish government to order the grocery store to change its price
on potatoes?




Re: IPv6

2003-06-15 Thread Nick Hilliard
Vadim Antonov wrote:
> Now I'm officially a crank because i fail to see why IPv6 is any better
> than slightly perked up IPv4 - except for the bottom line of box vendors
> who'll get to sell more of the new boxes doing essentially the same thing.

Then, let's draw a distinction between the generally positive to 
can't-really-see-the-point attitude range which most people have towards 
ipv6 and the unparalleled derision and invective which the OSI camp was 
subjected to by large sections of the community before the final nails 
were hammered into its coffin.  Most people do not feel that ipv6 is a 
bad thing which should be put out of its misery with unseemly haste, 
even if the same people may tend to feel apathetic about it.

Nick



RE: IPv6

2003-06-15 Thread Vadim Antonov



Well, since adding a simple option to IPv4 header would solve all address
space problems w/o any need to change core routing infrastructure (unlike
introducing v6) - I see little need to go for an entirely new L3 protocol.

--vadim

On Sun, 15 Jun 2003, Deepak Jain wrote:

>   1) Is IPV4 approaching an addressing limitation?
>   2) Does IPV6 provide a significant buffer of new addresses (given current
> allocation policies) the way
>   IPV4 did when it was new?
> 
> If (1 & 2) => IPV6 is good
> If (1 | 2) => undefined
> If !(1 & 2) => who cares?



Re: from Dave Farber's list: Ireland to regulate peering

2003-06-15 Thread Nick Hilliard
Roland Perry wrote:
> In practice, regulators will only intervene at all, if one of the ISPs
> has SMP. This is now almost impossible to achieve (tests of "dominance"
> apply) especially with the diversity of transit providers. An SMP ISP
> would have to dominate the *entire* market for wholesale transit in a
> country.

Ireland differs significantly from the UK and many other european 
countries in that the number of ISPs and wholesale transit providers 
operating on the island is much smaller.  While none of the ISPs has SMP 
designation, it is conceivable that it could happen, given the relative 
sizes of some of them.

That said, though, it is extremely unlikely that the regulation engine 
is going to jump in and start dictating to the ISP's what they should or 
shouldn't do wrt IP peering.  There has been an industry-run IX (INEX - 
http://www.inex.ie/) running for several years, and there have been 
remarkably few squabbles about peering during its lifetime.  For this 
reason, if for no other, it is unlikely that SMP designation would serve 
any useful purpose in this instance.

The ComReg directive is simply an implementation of directive 
2002/19/EC, which will be applied in one form or another across all EU 
member states.

These are personal opinions only.  I do various work for the INEX, but 
do not speak for them.

Nick



Re: Looking for transit

2003-06-15 Thread Rob Thomas

Hi, NANOGers!

] It worked out very quickly. I even have backup volunteers. Thank you all, a
] whole lot, from me, and from Rob, too. Oh, and for those that wondered, I
] should have specified, it's a lot (router and other fun things).

My hearty thanks as well!  I really appreciate it.  :)  For those who
offered to assist I'll let you sneak out before I begin my next NANOG
Security BoF presentation.  :)

Thanks,
Rob.
-- 
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);




Re: IPv6

2003-06-15 Thread Joe St Sauver

Hi,

The real question when it comes to IPv6 is "What happens if I ignore it?"

At one level, the obvious answer is "Nothing, the planets all continue to 
spin." It is clearly still a unicast IPv4 world out there. At another level:

-- There are numerous free tunnel brokers out there; random users can and 
   will get tunnelled v6 connectivity if native v6 connectivity isn't 
   available. Some *might* assert that transcontinental/intercontinental
   tunnels aren't the best thing for the network (from a global perspective) 
   for a variety of reasons...

-- There are various 6to4 gateways out there, and they, too, are getting used.
   If you enable IPv6 on XP, for example, by default 6to4 gets turned up. 
   Some might assert that 6to4 gateways provided by  might
   not be the best thing for the network (from a global perspective) for a 
   variety of reasons...

-- While you ignore v6, some of your competitors aren't. They're getting
   address space, they're getting their router issues worked through, they're
   getting their DNS servers squared away, they're working out local 
   addressing plans and figuring out application support strategies. They're
   getting experience before they need it for production requirements, and
   while it is still non-embarrassing to be "just coming up to speed." 

-- Or consider IPv6 in higher education as an indication that IPv6 may be 
   becoming ripe for easy deployment/may be beginning to become "real". At 
   least for most of the ten or so measurement peers shown at 

   http://amp.nlanr.net/active/cgi-bin/v6_sitesummary.cgi?amplet=amp-uoregon&date=103.6.15

   you'll see v6 performance that's roughly comparable to v4 performance. Yes,
   this is across Internet2/Abilene, but at least for IPv6, Abilene has been 
   peering with commercial v6 entities when everyone's in the right spot(s) 
   and it makes sense to do so. 

I understand that in some cases hardware choices make v6 deployment hard (if 
not impossible), and that more v6-incompatible-hardware is unquestionably
getting purchased out there as I write this. I understand that lots of 
applications still aren't ready. And I understand that customers aren't 
beating down your door saying, "Hey, when can I get IPv6?" (just as they 
probably haven't beaten down your door asking about IP multicast in a 
commercially meaningful way). 

On the other hand, I do believe that IPv6 is one of those technologies that
will creep up on folks (if they aren't careful) simply because it does NOT
require "top down" deployment to get a toehold, and the fact that ISPs
AREN'T paying attention to it.

For example, even if many folks carefully track/shape/police IPv4 P2P
traffic, or block customer servers, I'd be willing to bet that most folks 
pay zero attention to their current v6 traffic (whether native, tunnelled, 
or gatewayed)... 

And there *ARE* v6 P2P applications out there (the most notable of which is 
probably Microsoft's 3 degrees), although others are rumored to be porting 
their P2P applications to run dual stack. [There's a nice post about 3 degrees 
entitled "Operational experience with 3 degrees" by Christian Huitema at 
http://dict.regex.info/ipv6/v6ops/current/0183.html if folks are interested.]

And if you aren't paying attention to "Teredo" as a technology, you might want
to see http://www.microsoft.com/windowsxp/pro/techinfo/administration/p2p/overview.asp
-- quoting from that piece,

 Teredo, also known as IPv4 network address translator (NAT)
 traversal for IPv6, is an IPv6/IPv4 transition technology that
 provides address assignment and host-to-host automatic
 tunneling for unicast IPv6 connectivity when IPv6/IPv4 hosts
 are located behind one or multiple IPv4 NATs. To traverse
 IPv4 NATs, IPv6 packets are sent as IPv4-based User
 Datagram Protocol (UDP) messages. [continues...]

Regards,

Joe St Sauver ([EMAIL PROTECTED])
University of Oregon Computing Center
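
Added example (not part of the original post): a Python classifier for the tunneled IPv6 traffic the message above says goes unwatched, covering protocol 41 (6to4 and tunnel-broker tunnels) and Teredo over UDP. The Teredo port 3544 and the 2001::/32 prefix come from RFC 4380 rather than from the post, and the packets are constructed samples built from documentation addresses.

```python
import ipaddress
import struct
from collections import Counter

PROTO_UDP = 17
PROTO_IPV6_IN_IPV4 = 41      # 6to4 and configured / tunnel-broker tunnels
TEREDO_UDP_PORT = 3544       # RFC 4380 value (assumption: not stated in the post)


def classify(packet: bytes):
    """Describe the IPv6 packet tunneled inside one IPv4 packet, or return None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None
    outer_src = ipaddress.IPv4Address(packet[12:16])
    proto, payload = packet[9], packet[ihl:]

    if proto == PROTO_IPV6_IN_IPV4:
        kind, inner = "proto41", payload
    elif proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_UDP_PORT not in (sport, dport):
            return None
        kind, inner = "teredo", payload[8:]
    else:
        return None

    # A bare IPv6 header is 40 bytes with version nibble 6. Teredo packets that
    # begin with an authentication or origin-indication header are not handled.
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None
    inner_src = ipaddress.IPv6Address(inner[8:24])
    inner_dst = ipaddress.IPv6Address(inner[24:40])

    embedded = None
    if kind == "proto41" and inner_src.sixtofour is not None:
        kind, embedded = "6to4", inner_src.sixtofour      # 2002:V4ADDR::/48
    elif kind == "teredo" and inner_src.teredo is not None:
        embedded = inner_src.teredo[1]                    # de-obfuscated client IPv4
    return {
        "kind": kind,
        "outer_src": str(outer_src),
        "inner_src": str(inner_src),
        "inner_dst": str(inner_dst),
        "embedded_v4": None if embedded is None else str(embedded),
        # False means the IPv6 source claims a different IPv4 host than the one
        # that actually sent the packet (relayed or spoofed traffic).
        "embedded_matches_outer": None if embedded is None else embedded == outer_src,
    }


def summarize(packets):
    """Count packets per tunnel kind; everything else is 'not-tunneled'."""
    counts = Counter()
    for pkt in packets:
        result = classify(pkt)
        counts[result["kind"] if result else "not-tunneled"] += 1
    return dict(counts)


# --- constructed sample packets (checksums left at zero, never validated) ---
def build_ipv4(src, dst, proto, payload):
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def build_ipv6(src, dst):
    # Next header 59 = "no next header": an empty IPv6 packet is enough here.
    return struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)


def build_udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


SAMPLES = [
    # 6to4 host 192.0.2.10 sending to a relay
    build_ipv4("192.0.2.10", "192.88.99.1", 41, build_ipv6("2002:c000:20a::1", "2001:db8::1")),
    # tunnel-broker style protocol 41 with a non-6to4 inner source
    build_ipv4("192.0.2.10", "203.0.113.9", 41, build_ipv6("2001:db8:1::2", "2001:db8::1")),
    # Teredo client behind NAT, mapped address 198.51.100.7
    build_ipv4("198.51.100.7", "203.0.113.5", 17,
               build_udp(51000, 3544, build_ipv6("2001:0:cb00:7105:0:38c7:39cc:9bf8", "2001:db8::1"))),
    # ordinary TCP and a non-IPv6 datagram on the Teredo port
    build_ipv4("192.0.2.10", "203.0.113.80", 6, b"\x00" * 20),
    build_ipv4("198.51.100.7", "203.0.113.5", 17, build_udp(3544, 40000, b"not-ipv6")),
    # 6to4 source address that does not belong to the IPv4 sender
    build_ipv4("192.0.2.99", "192.88.99.1", 41, build_ipv6("2002:c000:20a::1", "2001:db8::1")),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
    print(summarize(SAMPLES))
```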


RE: IPv6

2003-06-15 Thread Irwin Lazar

> IPv6's major implementation problem is going to be apathy.  
> After all, 
> things are working fine at the moment, and who cares that 
> some day there 
> might be a big ip address crunch?
> 
> Nick
> 
FYI:
http://dc.internet.com/news/article.php/2221821

June 13, 2003
Pentagon Commits to IPv6 
By Roy Mark 

The Pentagon announced Friday it is beginning a transition to Internet Protocol Version 6 
(Ipv6) to bring the Department of Defense (DoD) closer to its goal of net-centric 
warfare and operations. The new protocol will facilitate integration of the essential 
elements of DoD's global information grid, including its sensors, weapons, platforms, 
information and people. 


11553 glue records in .ORG Re: (NSI) LAME-DELEGATION.ORG hijacking IP space ??

2003-06-15 Thread John Brown


the issue is them using reserved IP space..

Also, as of today, there are  11553  glue records in the .ORG 
zone for lame delegation.  Most have no more than 1 or 2 zones
associated with a specific glue record.

Seems like NSI is placing a LARGE amount of glue when not needed.
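
Added example (not from the thread, and not NSI's or PIR's tooling): a Python audit of a TLD zone excerpt that counts how many delegations use each glue record and flags glue addresses in reserved or RFC 1918 space. The zone lines and host names are constructed, and treating 1.0.0.0/8 as reserved is an assumption reflecting its IANA status when the thread was written, so it is passed in as a parameter.

```python
import ipaddress
from collections import defaultdict

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: 1.0.0.0/8 was IANA-reserved in 2003; override for current data.
RESERVED_2003 = [ipaddress.ip_network("1.0.0.0/8")]

# Constructed zone excerpt; names and addresses are illustrative only.
SAMPLE_ZONE = """\
example-a.org.                86400 IN NS lame0001.lame-delegation.org.
example-b.org.                86400 IN NS lame0001.lame-delegation.org.
example-b.org.                86400 IN NS ns1.example-b.org.
example-c.org.                86400 IN NS lame0002.lame-delegation.org.
lame0001.lame-delegation.org. 86400 IN A  1.1.1.1        ; reserved block
lame0002.lame-delegation.org. 86400 IN A  198.51.100.66  ; somebody else's host
lame0003.lame-delegation.org. 86400 IN A  10.0.0.5       ; no zone uses it
ns1.example-b.org.            86400 IN A  192.0.2.53
"""


def parse_zone(text):
    """Return (nameserver -> set of delegated zones, glue host -> address)."""
    delegations = defaultdict(set)
    glue = {}
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()      # drop comments
        if len(fields) < 3:
            continue
        owner, rdata = fields[0].rstrip(".").lower(), fields[-1]
        # TTL and class are optional, so look for the type between owner and rdata.
        rtype = next((f.upper() for f in fields[1:-1] if f.upper() in ("NS", "A")), None)
        if rtype == "NS":
            delegations[rdata.rstrip(".").lower()].add(owner)
        elif rtype == "A":
            glue[owner] = ipaddress.ip_address(rdata)  # last A record wins
    return delegations, glue


def address_status(addr, reserved):
    if any(addr in net for net in reserved):
        return "reserved"
    if any(addr in net for net in RFC1918):
        return "rfc1918"
    return "routable"


def audit(zone_text, reserved=RESERVED_2003):
    """One finding per glue record, sorted by host name."""
    delegations, glue = parse_zone(zone_text)
    findings = []
    for host in sorted(glue):
        zones = sorted(delegations.get(host, ()))
        findings.append({
            "host": host,
            "address": str(glue[host]),
            "zones": zones,                     # delegations that depend on this glue
            "orphan": not zones,                # glue nobody references
            # True when the host lives inside a zone that delegates to it,
            # the case where a resolver cannot proceed without the glue.
            "in_bailiwick": any(host == z or host.endswith("." + z) for z in zones),
            "status": address_status(glue[host], reserved),
        })
    return findings


def needs_attention(findings):
    """Hosts whose glue is unreferenced or points outside routable space."""
    return [f["host"] for f in findings if f["orphan"] or f["status"] != "routable"]


if __name__ == "__main__":
    for finding in audit(SAMPLE_ZONE):
        print(finding)
    print(needs_attention(audit(SAMPLE_ZONE)))
```

A "routable" result only means the address is outside the listed blocks; glue that is out of bailiwick and routable still sends queries to whoever holds that address, as the 4.3.145.66 lookup quoted in this thread shows.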



Re: rr style scanning of non-customers

2003-06-15 Thread Paul Vixie

warning: there are no IOS configuration commands in this thread. hit D now.

[EMAIL PROTECTED] (Sean Donelan) writes:

> However, in a country where VCR's still flash 12:00, users are not
> going to read the manual or a web site or anything else.  Despite
> liking to pick on Microsoft, as soon as you get the operating system
> secure, users load all sorts of other applications.  ...

"reading e-mail" should not be the same thing as "loading applications",
and for that matter "loading applications" should not be the same thing
as "install background malware".  i still have to pick on microsoft 
because their model (from outlook on up) is insecure *by design* and if
they had not used their monopoly power to blunt the market effects of
java and os/2 and wordperfect and mac/os and who knows what else, then
we would at least have genetic diversity, and we might even have some
kind of qualitative improvement somewhere due to successful mutations.

> And don't forget other things connected to your home network, such as using
> good passwords on your router/firewall, networked home entertainment
> center or snmp-enabled refrigerator.

i agree that the most dangerous part of the car is the nut behind the
steering wheel, and that no technological force will ever change that
fact.  but that's not an excuse to design a car without brakes and then
use monopoly power to put other carmakers out of business.
-- 
Paul Vixie


Re: (NSI) LAME-DELEGATION.ORG hijacking IP space ??

2003-06-15 Thread william

One more note - 
  While this would be the third time I've seen lame.lamedelegation.org
with ip 1.1.1.1 I really do not know for sure if NSI is responsible or not.
It may very well have been actual previous domain owner who has incorrectly
registered host to such an address. I'd need to lookup zone file for .org
(which is supposed to have these lame-delegation glue hosts now) and I 
have not yet signed zone download agreement with PIR.

On Sun, 15 Jun 2003 [EMAIL PROTECTED] wrote:

> I commented on it once before on nanog actually...
> 
> Basically LAME-DELEGATION.ORG is domain Network Solutions is using to move 
> old host records to. If they have a domain that is expiring and scheduled
> for deletion and it has host records in .com or .net zones (so called 
> glue host records), then NSI would rename that host from 
> somehost.experingdomain.com to lamex.lame-delegation.org
> 
> Then they can delete the domain and at some point later they check if 
> there are any domains in their .com/.net zones that use that host
> and if so they either keep that "lame.lame-delegation.org" or notify 
> those domains and manually remove that extra host from the list of dns servers 
> for each domain. Somewhere in the process the lame.lame-delegation.org 
> I gather maybe changed from its previous ip to "1.1.1.1" and then probably 
> deleted. To me using 1.1.1.1 seems inappropriate (this is not a special 
> ip block to be used for such purpose and just reserved iana block which 
> may be allocated, it may also create unnecessary load on root servers, 
> though in theory nobody is supposed to query that dns or use such host).
> 
> While the above process is better than just deleting the domains and 
> letting their host records remain (which can then be controlled by 
> whoever reregisters the domains), it only protects .com/.net domains and 
> not domains in any "country-level" or .biz or .info domains which may very 
> well use those deleted hosts as well. I also have to note that it's only 
> networksolutions that is using lame-delegation.org and number of other 
> registrars have similar system but using different domains to move hosts to.
> Some don't do it at all and let the host remain even when domain is 
> reregistered (giving control of the glue hosts to new domain owner).
> 
> Also another note I have to make about which I wondered couple months back - 
> while previously it was easy for NSI to rename host names like above 
> since they controlled .com, .net, .org. now that they no longer control 
> .org, this may not be the same (though I suspect it really does not 
> matter, all they change is glue record in zone files as well as whois and 
> they do not necessarily need to control .org for that).
> 
> On Sat, 14 Jun 2003, John Brown wrote:
> 
> > 
> > could someone explain this
> > 
> > shorts# nslookup LAME2850.LAME-DELEGATION.ORG
> > Server:  ns1.chagres.net
> > Address:  216.223.236.233
> > Aliases:  233.236.223.216.in-addr.arpa
> > 
> > Non-authoritative answer:
> > Name:LAME2850.LAME-DELEGATION.ORG
> > Address:  1.1.1.1
> > 
> > 
> > 
> > 
> > or this
> > 
> > 
> > 
> > shorts# nslookup LAME41178.LAME-DELEGATION.ORG
> > Server:  ns1.chagres.net
> > Address:  216.223.236.233
> > Aliases:  233.236.223.216.in-addr.arpa
> > 
> > Non-authoritative answer:
> > Name:LAME41178.LAME-DELEGATION.ORG
> > Address:  4.3.145.66
> > 
> > shorts# nslookup 4.3.145.66
> > Server:  ns1.chagres.net
> > Address:  216.223.236.233
> > Aliases:  233.236.223.216.in-addr.arpa
> > 
> > Name:lsanca1-145-066.biz.dsl.gtei.net
> > Address:  4.3.145.66
> > 
> > 
> > seems 4.3.146.66 is some DSL link in GTEI / BBN / Name today
> > 
> > 
> > 
> > if NSI is going to use this as a way to deal with lame zones, fine,
> > but how about using RFC 1918 space, or a public IP and a machine that
> > returns NXDOMAIN. 
> > 
> > instead of what looks like random IP allocations, some of which may
> > cause pain for others...
> > 
> > Hey, better yet, why not just learn how to DELETE host records from 
> > a zone ???
> > 
> > 



Re: (NSI) LAME-DELEGATION.ORG hijacking IP space ??

2003-06-15 Thread william

I commented on it once before on nanog actually...

Basically LAME-DELEGATION.ORG is domain Network Solutions is using to move 
old host records to. If they have a domain that is expiring and scheduled
for deletion and it has host records in .com or .net zones (so called 
glue host records), then NSI would rename that host from 
somehost.experingdomain.com to lamex.lame-delegation.org

Then they can delete the domain and at some point later they check if 
there are any domains in their .com/.net zones that use that host
and if so they either keep that "lame.lame-delegation.org" or notify 
those domains and manually remove that extra host from the list of dns servers 
for each domain. Somewhere in the process the lame.lame-delegation.org 
I gather maybe changed from its previous ip to "1.1.1.1" and then probably 
deleted. To me using 1.1.1.1 seems inappropriate (this is not a special 
ip block to be used for such purpose and just reserved iana block which 
may be allocated, it may also create unnecessary load on root servers, 
though in theory nobody is supposed to query that dns or use such host).

While the above process is better than just deleting the domains and 
letting their host records remain (which can then be controlled by 
whoever reregisters the domains), it only protects .com/.net domains and 
not domains in any "country-level" or .biz or .info domains which may very 
well use those deleted hosts as well. I also have to note that it's only 
networksolutions that is using lame-delegation.org and number of other 
registrars have similar system but using different domains to move hosts to.
Some don't do it at all and let the host remain even when domain is 
reregistered (giving control of the glue hosts to new domain owner).

Also another note I have to make about which I wondered couple months back - 
while previously it was easy for NSI to rename host names like above 
since they controlled .com, .net, .org. now that they no longer control 
.org, this may not be the same (though I suspect it really does not 
matter, all they change is glue record in zone files as well as whois and 
they do not necessarily need to control .org for that).

On Sat, 14 Jun 2003, John Brown wrote:

> 
> could someone explain this
> 
> shorts# nslookup LAME2850.LAME-DELEGATION.ORG
> Server:  ns1.chagres.net
> Address:  216.223.236.233
> Aliases:  233.236.223.216.in-addr.arpa
> 
> Non-authoritative answer:
> Name:LAME2850.LAME-DELEGATION.ORG
> Address:  1.1.1.1
> 
> 
> 
> 
> or this
> 
> 
> 
> shorts# nslookup LAME41178.LAME-DELEGATION.ORG
> Server:  ns1.chagres.net
> Address:  216.223.236.233
> Aliases:  233.236.223.216.in-addr.arpa
> 
> Non-authoritative answer:
> Name:LAME41178.LAME-DELEGATION.ORG
> Address:  4.3.145.66
> 
> shorts# nslookup 4.3.145.66
> Server:  ns1.chagres.net
> Address:  216.223.236.233
> Aliases:  233.236.223.216.in-addr.arpa
> 
> Name:lsanca1-145-066.biz.dsl.gtei.net
> Address:  4.3.145.66
> 
> 
> seems 4.3.146.66 is some DSL link in GTEI / BBN / Name today
> 
> 
> 
> if NSI is going to use this as a way to deal with lame zones, fine,
> but how about using RFC 1918 space, or a public IP and a machine that
> returns NXDOMAIN. 
> 
> instead of what looks like random IP allocations, some of which may
> cause pain for others...
> 
> Hey, better yet, why not just learn how to DELETE host records from 
> a zone ???
> 
> 



Re: from Dave Farber's list: Ireland to regulate peering

2003-06-15 Thread Roland Perry
In message <[EMAIL PROTECTED]>, Steve Bellovin <[EMAIL PROTECTED]> writes

> In brief: New rules being put in place by the Irish telecoms regulator
> will regulate IP peering between ISPs as if it were a voice interconnect.
> I'd love to hear from any other IPers who know if this is being proposed
> anywhere else in Europe. As far as I know, this is unprecedented.

This regime has probably been the case throughout Europe for ISPs that 
were locally licenced telcos, for four years [under the Interconnect 
Directive]. Not that many countries actually believed it or did 
anything. But there are now specific new Directives about this.

> The Irish telecoms regulator (ComReg) has announced a new set of licensing
> rules for telcos. The bad part is that the rules have been greatly
> expanded to include regulation of "all electronic communications
> networks", including (apparently) ISP networks and VPN operators.

Indeed, this is just one instance of implementation of the new European 
Telecoms Directives across Europe, due this July. To see a FAQ on the 
UK's version (interconnection in section 5):

http://www.oftel.gov.uk/publications/eu_directives/2003/ispfaq0303.htm

> The cherry on the cake is that ISPs can be designated as having
> "Significant Market Power" (this used to be defined as having 25% of a
> market, but the criteria are now more nebulous).

In practice, regulators will only intervene at all, if one of the ISPs 
has SMP. This is now almost impossible to achieve (tests of "dominance" 
apply) especially with the diversity of transit providers. An SMP ISP 
would have to dominate the *entire* market for wholesale transit in a 
country.
--
Roland Perry, Director of Public Policy, LINX.


Re: from Dave Farber's list: Ireland to regulate peering

2003-06-15 Thread Mark Prior

The Australian regulator is also examining Internet Interconnection.

See <http://www.accc.gov.au/telco/int_intercon_280403.doc>.

Mark.



from Dave Farber's list: Ireland to regulate peering

2003-06-15 Thread Steve Bellovin

(apologies if this appears twice)


>From: Alex French <[EMAIL PROTECTED]>
>Subject: Ireland to regulate peering



>In brief: New rules being put in place by the Irish telecoms regulator 
>will regulate IP peering between ISPs as if it were a voice interconnect. 
>I'd love to hear from any other IPers who know if this is being proposed 
>anywhere else in Europe. As far as I know, this is unprecedented.
>
>The Irish telecoms regulator (ComReg) has announced a new set of licensing 
>rules for telcos. The bad part is that the rules have been greatly 
>expanded to include regulation of "all electronic communications 
>networks", including (apparently) ISP networks and VPN operators.
>
>ComReg is planning to apply the principles of voice interconnect to all 
>network types; this means that "operators of public communications 
>networks shall have a right, and when requested by other [operators], an 
>obligation to negotiate interconnection with each other for the purpose of 
>providing publicly available electronic communications services." In 
>effect, IP networks will have to peer with each other on request.
>
>Even worse, the "interconnect" (i.e. peering) prices will be subject to 
>review by the Irish regulator if either party feels that they're not being 
>offered a fair deal.
>
>The cherry on the cake is that ISPs can be designated as having 
>"Significant Market Power" (this used to be defined as having 25% of a 
>market, but the criteria are now more nebulous). If you have SMP, you must 
>publish your network cost accounting as proof that the peering prices you 
>charge are cost-oriented (cost + a reasonable ROI)
>
>As I see it, this will lead to the collapse of the current peering/transit 
>negotiation process that ISPs have successfully used all over the world 
>for years. I don't even see how this would benefit smaller ISPs, since the 
>new rules are likely to discourage larger companies from entering this 
>market at all. At the very least, the regulation of peering rates has got 
>to hurt competition.
>
>The relevant documents are available at http://www.comreg.ie. Specific 
>links are
>
>http://www.comreg.ie/whats_new/default.asp?ctype=5&nid=101003
>http://www.comreg.ie/whats_new/default.asp?ctype=5&nid=100998
>

--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com (2nd edition of "Firewalls" book)




RE: IPv6

2003-06-15 Thread Deepak Jain

> > At least there is general consensus among pretty much
> > everyone - with the exception of a small number of cranks -
> that IPv6 is
> > good.
>
> Now I'm officially a crank because i fail to see why IPv6 is any better
> than slightly perked up IPv4 - except for the bottom line of box vendors
> who'll get to sell more of the new boxes doing essentially the same thing.

Vadim --

You're only a crank if you don't think a slightly perked up IPV4 is a good
thing. :)

My justification for IPV6 being a good thing is this:

1) Is IPV4 approaching an addressing limitation?
2) Does IPV6 provide a significant buffer of new addresses (given current
allocation policies) the way
IPV4 did when it was new?

If (1 & 2) => IPV6 is good
If (1 | 2) => undefined
If !(1 & 2) => who cares?

I (personally) don't think IPV6 will change the way the internet operates
in a significant fashion
overnight. I think the vast majority of operators will just use IPV6 like
funny IPV4 addresses. I think
this is a good thing it says the current internet basically works.

I think box vendors will always find something to sell, and they are always
trying to rewrap existing features/functionality into new and exciting
products -- though I think it's marketing's fault, not the engineers. I am
sure you will agree, network service providers do much the same thing with
VPN/MPLS tunnel/mumble products.

My $0.02,

Deepak Jain
AiNET





Re: rr style scanning of non-customers

2003-06-15 Thread Sean Donelan

On Sat, 14 Jun 2003, Randy Bush wrote:
> so where is the authoritative web site
>
>
>
> to which we can point all our friends (and use to lock down
> our kids' machines/sites)?

How could you have missed Dewie the Internet Security Turtle?

http://www.ftc.gov/bcp/conline/edcams/infosecurity/index.html

Microsoft has a consumer oriented page with some operating specific
items (although open file shares isn't given as much attention as I would)

http://www.microsoft.com/security/articles/steps_default.asp



Most major ISPs have an online security web site for their customers.
There are lots of technical how-to's available with a Google search.

However, in a country where VCR's still flash 12:00, users are not
going to read the manual or a web site or anything else.  Despite
liking to pick on Microsoft, as soon as you get the operating system
secure, users load all sorts of other applications.  And don't forget
other things connected to your home network, such as using good passwords on
your router/firewall, networked home entertainment center or snmp-enabled
refrigerator.