ASN and Peering Problem

2004-12-08 Thread Adi Linden

We currently have two /19 that we advertise on a single ASN. A client
would like to obtain /23 or /22 from us. This is not a problem, except
that their primary internet provider is someone else, other than us.
I think that they would need to have their own ASN to advertise their
portion of our ip space to their peers.

My question is, should we provide the ASN or should they apply for an ASN?
What is the minimum block considered routable? Is it reasonable to
advertise a /23 on its own ASN?

Are there any other solutions I haven't thought of?

Thanks,
Adi


Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of "anonymity" when domain exists, whois not updated yet)

2005-01-12 Thread Adi Linden

> 0) for the love of God, Montresor, just block port 25 outbound already.

What is wrong with dedicating port 25 to server to server communication
with some means of authentication (DNS?) to ensure that it is indeed a
valid mail server. Mail clients should be using port 587 to submit
messages to their local MTA.

Adi


Re: Time to check the rate limits on your mail servers

2005-02-03 Thread Adi Linden

> >  How come it is always about controlling the symptoms and not the
> >  illness?
> >
> The illness is the user. That is uncontrollable.

A product that doesn't work as advertised has much to do with it as well.

Adi


Re: Time to check the rate limits on your mail servers

2005-02-03 Thread Adi Linden

How about using SMTP AUTH and verifying the envelope MAIL FROM to match
the actual user authenticating? This will make SPAM traceable and
hopefully ultimately users aware that their PC is sending junk.

Adi




Re: Time to check the rate limits on your mail servers

2005-02-03 Thread Adi Linden

> > How about using SMTP AUTH and verifying the envelope MAIL FROM to match
> > the actual user authenticating? This will make SPAM traceable and
> > hopefully ultimately users aware that their PC is sending junk.
>
> Ouch ..  Then spammers may start using a From: matching the SMTP auth
> user, and effectively joe-jobbing the user..  Ick..

And that would be marvelous! At the very least it would give the user an
incentive to clean up his PC. Alternately the email account could be
revoked.

Adi


Re: Time to check the rate limits on your mail servers

2005-02-03 Thread Adi Linden

> > How about using SMTP AUTH and verifying the envelope MAIL FROM to match
> > the actual user authenticating?
>
> that doesn't work if you have more than one email address.

You should know all your users' email addresses. It shouldn't be too
difficult to match the 'mail from' address with the user account. The only
caveat would be that [EMAIL PROTECTED] would actually have to use the
hotmail smtp server to send mail.

> > This will make SPAM traceable and
> > hopefully ultimately users aware that their PC is sending junk.
>
> auth is sufficient to make email traceable to your own customers.

And how is that? There isn't necessarily anything in an email indicating
that it originated from an SMTP AUTH authenticated user. While a header
could be added, it isn't a mandatory thing.

Adi


Re: Time to check the rate limits on your mail servers

2005-02-05 Thread Adi Linden

> > You should know all your users email addresses.
>
> You have got to be kidding.

Not kidding.

I have a mail system that handles mail for the example.com domain. I use
SMTP AUTH as the only means to relay through the server. My expectation
from my customers is that they will utilize this mail service for their
[EMAIL PROTECTED] communications. This means the mail server has knowledge
of all 'mail from' addresses my users are allowed to use.

Who says that Joe ISP has to provide an open SMTP relay to all customers
on his IP space? Let's face it, it doesn't work! Even with throttling some
SPAM will make it through and the mail server will be blacklisted and
unable to deliver mail to many destinations in no time. It's only a matter
of time before owned PCs acquire the 'intelligence' to utilize SMTP AUTH to
relay mail.

So to clarify my position, my SMTP server handles mail for my users and
no one else. My users are identified by their email address(es) on my mail
server. Therefore, I can enforce that my mail server reject relayed mail
that does not have a 'mail from' address that corresponds to one of the
valid email addresses for an authenticated user.

I am addressing the dilemma with the average home user. If you own a bunch
of domains you're in a whole different class. Make arrangements with your
ISP to handle your mail, run your own mail server or buy hosting with
email accounts. Point is, if you own a bunch of domains you're not the
average home user that floods the world with crap without their knowledge.

Adi
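The relay rule argued for in this post and the earlier ones in the thread (relay only for SMTP AUTH users, and only when the envelope MAIL FROM is one of the addresses known for that login) as an added example, not code from the original posts: a minimal Python policy check in the shape of Postfix's SMTPD policy delegation protocol (`request=smtpd_access_policy` attribute lines ending in a blank line, `action=...` reply). The login-to-address map, the sample request and the `example.com` addresses are constructed for illustration.

```python
"""Sender/login mismatch check, Postfix policy-protocol style.

Constructed for illustration: the map of SASL logins to allowed MAIL FROM
addresses and the sample request below are made up; this is not the
original poster's code.
"""

# Constructed map: SASL login -> envelope sender addresses that login may use.
SENDER_LOGIN_MAP = {
    "alice": {"alice@example.com", "a.smith@example.com"},
    "bob": {"bob@example.com"},
}

# Constructed sample request: alice's credentials, but bob's address as sender.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "sender=BOB@example.com\n"
    "recipient=someone@example.net\n"
    "client_address=192.0.2.10\n"
    "sasl_username=alice\n"
    "\n"
)


def parse_policy_request(raw: str) -> dict:
    """Parse one request: 'name=value' lines, terminated by a blank line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:  # blank line ends the request
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name.strip()] = value.strip()
    return attrs


def normalize_address(addr: str) -> str:
    """Lower-case and strip optional angle brackets; '' for a null sender."""
    addr = addr.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    return addr.lower()


def check_sender_login(attrs: dict, sender_map=SENDER_LOGIN_MAP) -> str:
    """Return the policy action for an smtpd_access_policy request.

    - No SASL login: reject, relay is AUTH-only.
    - Login present but MAIL FROM not in that login's allowed set: reject,
      naming the login in the text so the rejection itself records whose
      credentials were used.
    - Null sender (a bounce) from an authenticated user: allow, there is
      no MAIL FROM to compare.
    """
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    login = attrs.get("sasl_username", "").lower()
    if not login:
        return "REJECT Relay access requires SMTP AUTH"
    sender = normalize_address(attrs.get("sender", ""))
    if sender == "":
        return "DUNNO"
    allowed = {a.lower() for a in sender_map.get(login, ())}
    if sender in allowed:
        return "DUNNO"
    return f"REJECT Sender address {sender} not owned by login {login}"


def policy_response(action: str) -> str:
    """Format the reply line the policy protocol expects."""
    return f"action={action}\n\n"


if __name__ == "__main__":
    attrs = parse_policy_request(SAMPLE_REQUEST)
    print(policy_response(check_sender_login(attrs)), end="")
```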


Re: Time to check the rate limits on your mail servers

2005-02-05 Thread Adi Linden

> Please explain how the "trust chain" does not verify the sending user.
> "Malware will steal username/password" is not a valid answer, as the
> same can apply equally to crypto keys.

Now that we have established a "trust chain" and verify the sending user we
have an easy way (shuffling through mail logs is by no means easy in my
books) for support people to address SPAM complaints.

Even better, due to the verified sender we can now send bounce messages
and notifications to the originator. Sure, it'll result in "I never sent
this..." type support calls but support can now say "Sure, your computer
did behind your back...".

Adi


Re: Vonage complains about VoIP-blocking

2005-02-15 Thread Adi Linden

> http://advancedippipeline.com/60400413
>
> The FCC is investigating -- it's not even clear if it's illegal to do
> that.

How is this any different than blocking port 25 or managing the bandwidth
certain applications use?

Adi


Re: Vonage complains about VoIP-blocking

2005-02-15 Thread Adi Linden

> > > On Tue, Feb 15, 2005 at 11:53:59AM -0600, Adi Linden wrote:
> > >> How is this any different then blocking port 25 or managing the bandwidth
> > >> certain applications use.
>
> Something else to consider.  We block TFTP at our border for security reasons
> and we've found that this prevents Vonage from working.  Would this mean that
> LEC's can't block TFTP?

Exactly my point. If my network management practices impact service my
customers use it is an issue between me and my customers. If I lose
customers over it, I'd better be prepared to deal with the fallout. I do
not think someone offering a service somewhere in the world has the right
to demand that I make this service available to my customers.

Adi



Re: More on Vonage service disruptions...

2005-03-02 Thread Adi Linden

> Actually, anticompetitive, and restraint-of-trade come in as better
> arguments. They go along with blocking port 587/110, keeping users from
> getting at legitimate, well-run remote mail servers. The end user paid for
> packet service, and the Internet generally permits any protocol to be run.
> ISPs legitimately block traffic at various protocol levels to deal with
> security and abuse matters. That's unlikely with VOIP.
>
> Blocking for dealing with security issues is one matter. Blocking to
> purposely harm competition is another, and will indeed open a can of worms
> if it persists.

The anticompetitive argument is pretty dangerous. What if ISP A has a VoIP
service offering and is provisioning QoS for their VoIP service. At the
same time they are not providing any QoS for competing services or even
degrade service quality for competitors via bandwidth management.

From the ISPs perspective it makes perfect sense to beef up bandwidth to
offer VoIP to be able to carry traffic from paying VoIP subscribers. But
it doesn't make sense to beef up bandwidth to support the competition.

What it'll come down to is a definition of what services your average
ISP provides. What is internet access, a raw pipe that indiscriminately
moves any packet from point A to point B? Obviously not, since there are
already restrictions on running servers, blocking of smtp, etc. So it is
perfectly reasonable, IMHO, for an ISP to regulate bandwidth availability
to please the majority of paying customers.

Adi


Re: More on Vonage service disruptions...

2005-03-03 Thread Adi Linden

> When that happens, if VOIP access to 911/112 is still problematic, we
> can expect standards for it to be mandated by governments - and they
> WILL do it - there is nothing politicians hate more than an avoidable
> fatality where the blame can be attributed to their failure to act.

So what is legislation going to do short of banning VoIP applications that
connect to the PSTN?  So who's going to stand trial if fatalities occur
because the 911 operator was unreachable? The ISP for having insufficient
bandwidth, the janitor for sharing the DSL line, the phone owner for
dropping legacy PSTN service...?

Who would in their right mind rely on MSN Messenger for 911 access? Today
residential VoIP service offered by Vonage or like companies is nothing
more or less than your instant messaging gizmo. Perhaps it is more useful
but by no means more reliable.

Adi


Re: US slaps fine on company blocking VoIP

2005-03-04 Thread Adi Linden

So who's going to be the IP cop that decides which actions are
anti-competitive and which actions are 'customer care'?

How many service providers oversubscribe their internet feed? Just because
the advertisement says 384k upstream and 2Mbps downstream doesn't mean
this is a guaranteed rate available 24x7 to any destination. In most cases
there is some bandwidth management box somewhere that provides a fair
share of bandwidth to all of the ISPs customers. I am really curious at
which point shaping of traffic is viewed as anti-competitive...

Adi



Re: US slaps fine on company blocking VoIP

2005-03-07 Thread Adi Linden

> If VOIP doesn't run on your network because you've oversold your capacity,
> no amount of QoS is going to put the quality back into your service.
> People will find better ISPs. If you deliberately set QoS to favor your
> services over a competitor, whom your customers are also paying for
> service, you'll be staring down prosecutors, at some point. It's
> anti-competitive behavior, as you're taking deliberate actions to degrade
> the service of a competitor, simply because you can.

Let's say I sell a premium VoIP offering for an additional fee on my
network. I apply QoS to deliver my VoIP offering to my customers but as a
result all other VoIP service is literally useless during heavy use
times. You'd consider this anti-competitive behavior?

Adi


Re: Clearwire May Block VoIP Competitors

2005-03-26 Thread Adi Linden

On Sat, 26 Mar 2005, Eric Gauthier wrote:
> Hrm... Isn't a VoIP call relatively low bandwidth?  I haven't studied
> this, but Vonage's site seems to imply that the maximum data rate is 90Kbps
> (http://www.vonage.com/help_knowledgeBase_article.php?article=190).  I
> typically see speeds greater than this from my web browser...  Are they
> saying that anything that might consume over 100Kbps isn't going to be
> allowed?

90kbps may be low bandwidth but the packets per second are a killer for
some equipment. VoIP typically has small packets, 80 bytes or 160 bytes,
whereas your web browser has most packets close to the max MTU, usually
1500 byte packets. There is quite a bit of wireless gear that buckles
under the stress of very few VoIP streams. Those few streams add up to
much less than the theoretical advertised throughput.

Adi


Re: potpourri (Re: Clearwire May Block VoIP Competitors )

2005-04-01 Thread Adi Linden

> Personally, I'm quite glad for government regulations
> regarding food safety, home inspection, and lots of
> other things which are safety related.  There are
> other restrictions which I'm not thrilled about, but I
> have yet to hear a compelling reason (which does not
> inherently boil down to a libertarian argument) to
> stop requiring that anything which defines itself as a
> phone-based voice service should have a working 911
> connection.  The VoIP companies currently call
> themselves "phone" companies, and by doing so, IMO,
> they open themselves to this level of regulation.

Regulating VoIP companies into providing 911 service, minimum
availability standards, etc. is one thing. Forcing anyone that might be
transporting VoIP into becoming a Telco is quite another...

Adi


Re: Vonage Hits ISP Resistance

2005-04-01 Thread Adi Linden

> Frankly, I'm fine with 911 not working on VoIP lines; I have a cell phone
> for that when needed.  Now that I think about it, I'm not sure I've ever
> actually dialed 911 from a land line.

You're lying on the floor incapacitated and in agony, suffering from some
acute and life threatening medical condition. Your neighbour finds you.
He picks up your landline phone, dials 911 and hears "911 service is not
available from this phone please use another phone...". He goes looking
for another phone while you die and rest in peace.

Adi


Re: Schneier: ISPs should bear security burden

2005-04-28 Thread Adi Linden

> Hey, if you've got customers willing to shell out for that, then more
> power to you.  However, I'm not (and won't be) one of those customers.
> I'm willing to take responsibility for protecting my systems and choosing
> what traffic I do and don't want.  I don't want someone else doing it
> for me.

Hmmm... when you're driving on a public street there is certain safety
equipment you are required to have and use. You're paying more for your
vehicle because of seatbelts, airbags and all the other things that are
supposed to lessen the impact of an accident. Even if you're an expert
driver, you don't have the privilege of not paying for these features.

Adi


Re: Schneier: ISPs should bear security burden

2005-04-28 Thread Adi Linden

> As somebody who picked a DSL provider specifically because it allows me to
> run any kind of server I want, I'm not highly in favor of blocking
> traffic from broadband users and killing the end-to-end principle that
> makes the Internet work,

When I sign up for an internet account, does the fine print say that I am
to accept all garbage pouring out of the RJ-45...? Why should it be the
recipient's job to filter all incoming traffic?

When my PC grabs an IP address, I'd expect to see zero traffic from the
world unless I make a request for content. Only then should I see traffic
and only the content I requested.

Adi


Re: Schneier: ISPs should bear security burden

2005-04-28 Thread Adi Linden

> It's not up to the ISP to determine outbound malicious traffic, but it's up
> to the ISP to respond in a timely manner to complaints. Many (most?) do not.

If they did their support costs would explode. It is block the customer,
educate the customer why they were blocked, exterminate the customer's PC,
unblock the customer. No doubt there'll be a repeat of the same in short
time.

Adi


Re: Schneier: ISPs should bear security burden

2005-04-28 Thread Adi Linden

> And how exactly does that translate to the online world?

It doesn't. There is no or very little punishment for lawlessness and
misbehaviour in the online world.

> Despite the safety and environmental regulations and the fact that
> you have to have a driver's license and insurance (at least here in
> NL), there is no requirement that your locks are industrial strength.
> Or that your car can be locked at all, for that matter.

There is a clear understanding of right and wrong in the general
population. There is law enforcement and meaningful punishment for
crooks and thieves. In the online world I have no recourse against anyone
compromising my computer.

> The fact that a compromised computer doesn't really hurt you all that
> much in the real world is exactly the reason why so many users don't
> care about security. When driving a car they at least have to be
> drunk to reach that level of carelessness.

The fact is that in the online world the abuser is laughing while the
abused is left to clean up the damage. Because a compromised computer
doesn't really hurt, most do not even know that they are a victim.

Adi


Re: Schneier: ISPs should bear security burden

2005-04-28 Thread Adi Linden

> And what about garbage pouring out of RJ-11 sockets?

Hmmm... so because we have garbage coming out of the RJ-11 we might as
well have garbage coming out of the RJ-45, too? 4 wires vs. 8 wires,
twice the garbage out of the RJ-45.

> So how do I obtain your permission to send you a packet?

By replying to my request.

> And where in the packet does it show that the packet comes from
> someone who has said permission?

The packet only exists if it is in response to my request. Keep in mind
that I am talking about end-user PCs here.

Adi


Re: BCP regarding TOS transparancy for internet traffic

2005-05-26 Thread Adi Linden

> Overwriting the tos flags is not "best effort", it is "degraded service"

So how do you propose to control the use of TOS flags within a network? If
I have an application that receives specific treatment because of its TOS
flags, I need to prevent non-compliant traffic from using this TOS flag at
other ingress points. This requires either dropping that traffic or
rewriting the flag.


Re: OT? /dev/null 5.1.1 email

2005-07-05 Thread Adi Linden

> The first one goes up and down more than it probably should.  :-)

Make your secondary mx aware of all the valid recipient addresses.

Adi


Mail to postmaster

2004-03-26 Thread Adi Linden

I am looking for insight on how to handle mail addressed to postmaster. I 
guess a human being is supposed to read these? Some months ago mail to 
postmaster went from nearly zero to 10,000 a day in a very short time 
(hours). Ever since then postmaster email has been filed in /dev/null. 
These days we're still at about 2000 postmaster emails per day. Does anyone
have any sensible ideas on how to process mail to postmaster so only
relevant stuff is forwarded to a human being?

Adi



The Uneducated Enduser (Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT))

2004-04-20 Thread Adi Linden

> >Think globally.  Even though this forum has NA as its heading, we need to
> >think globally when suggesting solutions.  You'll never get any sort of
> >licensing globally nor will you EVER get end users (globally) educated
> >enough to stop doing the things that they do which allow these events to
> >continually occur.
> 
> Since many gateway service providers will not prevent insufficiently
> skilled users from connecting to the internet and injuring others, the 
> only remaining solution, as far as I can see, is cutting connectivity
> with those enablers.  That is the proposal I advanced in
> .

And once again you're punishing the victim. Let's not forget that the
uneducated end user is tricked into doing things that are not good for 
them or the rest of the internet connected world.

Unfortunately the only feasible and readily available computer solution 
for the uneducated end user is a single available operating system. 
Everyone is at the mercy of this product with all its flaws and downfalls. 

Instead of continually blaming the uneducated end user how about providing 
tools to the uneducated end user that can be used to connect to the 
internet without becoming a liability. A toaster with keyboard and
monitor...

Adi



Re: The Uneducated Enduser (Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT))

2004-04-20 Thread Adi Linden

> As for the specifics of your comments, I could not disagree more, but it
> is a philosophy of life that distinguishes our views, not the analysis of
> the problem.   I believe (like a lot of other New Englanders and even
> some from California) that people must assume responsibility for their
> actions.  If responsibility is not enforced, society collapses (into e.g.
> the kind of chaos we see on the internet.)

I like the term responsibility but how is it applied? If I own a vehicle, 
what are my responsibilities? I have to obtain a drivers license which 
gives me the privilege of driving a motor vehicle. Driving a motor vehicle 
is an active choice, I am behind the wheel putting the vehicle in motion. 
I am responsible for all the consequences of my actions while driving. 
Where is my responsibility in vehicle ownership? Is it responsible to
leave the vehicle locked at the curb, unlocked, keys in the ignition? What 
are my responsibilities when an unauthorized person uses my vehicle?
Driving a motor vehicle is a complex task. There is enforcement in place 
and it is common knowledge that training and license is required to use a 
motor vehicle.

What about a baseball bat? Where is my responsibility in owning a baseball 
bat? If I store my baseball bat leaning against my backdoor, am I 
responsible if my neighbour uses it without my permission to crack his 
wife's skull?

> In 2004 no one is "tricked" into using rubbish software; there are 
> plenty of alternatives, and the rubbishy nature of the leading OS is
> in almost every day's newspaper.  It's a choice people make, like overeating
> and gaining weight.  No one is there with a gun forcing people to gain 
> weight.

My argument is that a computer needs to be in a safe state by default. I 
firmly believe that if I buy a brand new box from any reputable vendor 
with a premium operating system of choice I should be able to connect this 
device to a local broadband connection indefinitely. It needs to be safe 
without user training or user intervention.

> As for "uneducated", the solution is the same as for bad drivers:
> training.  If you are a threat to the rest of the internet because of
> your ignorance (or irresponsibility) then you do not qualify for
> connectivity, just as bad drivers don't get licenses, bad credit
> risks don't get credit, and drunk airline pilots stop flying.  

I can walk, I can take a bicycle. Owning a computer today is like owning a 
performance car. There is no learning curve, it's all or nothing.

If this is the way it has to be, then service providers need to take 
responsibility and provide a safe environment for the uneducated users. 
This includes filtering ports, filtering emails, etc. A last resort is 
terminating service if a user is unwilling to learn at all.

Adi



Addresses for latest spam

2004-06-08 Thread Adi Linden

Does anyone know how the latest email worms assemble the email addresses 
they use? I am getting a large amount of junk destined for non-existent
(never existent) email accounts. So the address cannot be taken from the
various address books on the compromised PCs.

Adi



RE: Even you can be hacked

2004-06-11 Thread Adi Linden

This thread is quite amusing and interesting at the same time. If I read 
the original post right, Mr. Mike Bierstock was informed that he was 
generating an unusual amount of traffic, traffic he would have to pay for. 
He got the bill and had to deal with the consequences. What is wrong with 
that? Does it matter how this traffic was generated?

Adi



Re: Points on your Internet driver's license (was RE: Even you can be hacked)

2004-06-11 Thread Adi Linden

> If your child borrows your credit card, and makes lots of unauthorized
> charges, you may not have to pay more than $50; but the bank can go after
> your son or daughter for the money.  Most parents end up paying, even if
> they didn't authorize their children to use the credit card.

So the credit card company calls you and asks about a bunch of suspicious 
charges being placed on your card. Ok, just keep on charging. Now who's to
blame for these charges by your sons and daughters and the Russian mafia?

I sell a client a metered product (gas, water, electricity, telephone, 
internet data, etc). I notice unusually high consumption. I inform the 
client that the bill is accumulating rather quickly and I suspect a problem.
I have done my job. The client either tells me to stop delivery until the 
problem is diagnosed and resolved or tells me to continue service. Either 
way, the ball is in the client's court. If the client chooses continuation
of service despite high consumption and subsequent huge bill he has an
obligation to pay, no matter WHY the usage was too high.

Our society has a screwed up sense of responsibility. Everyone else is 
supposed to look out for me and take care of me. If something happens to 
me because I do something stupid or foolish someone failed to warn me, 
didn't make the sign big enough, didn't sound the horn loud enough, didn't 
lock me up so I couldn't hurt myself. This isn't true for everybody but
way too many.

Adi




Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-12 Thread Adi Linden

> Been there, done that.  Got any new ideas?

Provide a safe network connection. I believe an ISP should provide a safe 
environment to play, assuming the customer is innocent granny. Your 
average DSL network connection should be safe by default, so a default 
Win98 (or any other OS) can be connected without fear of compromise.

I really don't agree with the "Internet driver's license" concept as 
presented. It really is not an "Internet driver's license" but a 
"Microsoft Safe Operating License". A one-size-fits-all type arrangement. Who
sets the standard?

The plug that connects to the internet world needs to scale with the level 
of expertise of the user. This needs to include a beginners level for the 
clueless with safe email and safe browsing.

Adi 



Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-12 Thread Adi Linden

> The problem with this is one of who pays for it.

The customer.

> You are talking about an environment where the newcomers and non-experts 
> require significantly more intervention in how things are done and what they 
> can do than the more experienced hands.

I am talking about an environment that applies significant filtering 
before packets are delivered to the customer. NAT, firewall, proxy; I
don't think it is all that difficult to do.

> Do you charge the newbies more to cover this level of protection, or do you 
> spread the charges across your entire userbase to avoid impacting one 
> segment?

This protection is a basic service. Opening ports, supplying a real ip 
address, removing the proxy are the add-on items that increase the cost of 
the connection.

> If you raise the prices for newbies then you will automatically have newcomers 
> going for the cheaper, more "raw", service and negating any advantages you 
> have to a tiered product set with protection at the bottom.

Raise the price of the "raw" service. Keeping in mind I am talking about 
broadband connections to homes and small offices, not bandwidth for larger 
organizations that should have an IT department.

> If you spread the charges then the users who require less handholding are 
> going to get upset when their prices are hiked to cover functionality they 
> will never use.

An ISP has a responsibility in regard to the packets transported. I get
the impression that most ISPs prefer to be "packet movers". Move packets
from point A to point B without monitoring, intervention or any other 
responsibilities or obligations. This is quite appropriate for an ISP 
serving corporate clients with large pipes, where IP space is assigned 
from the ISP to the client. Once we're talking about providers that serve
homes and small offices this should be different. The ISP holds the IP 
space so it should be held responsible for the packets originating from
these IPs to some degree.

In other words, if I provide proof that ip w.x.y.z is the source of 
unsolicited email (these days probably because of a compromised host) I 
firmly believe that it is the ISP's responsibility to either provide contact
information on who owns this IP and/or manage the traffic to eliminate the 
abuse. I am convinced that the cost of looking after the "raw" clients 
will be much greater than the cost of providing "conditioned" bandwidth.

Adi



Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-12 Thread Adi Linden

> That's like saying provide safe electricity. If someone has a toaster where
> the wire cracks and they electrocute themselves, or a hair dryer that isn't
> safe in the bathtub, do you complain that the electric company should
> provide safe electricity?

The problem with all the comparisons is what you are comparing. Your
utility has an obligation to provide safe electricity. If you're holding
your hair dryer while the utility company sends you 25,000 Volts instead 
of 120 Volts you should complain. 

> How is bandwidth any different?

It is not any different.

> There is no "safe bandwidth". No matter how you look at it it's a two way
> communications and it's never going to be "safe" as far as the bandwidth
> goes, just like electricity is power and it's never going to be safe. It's
> the devices you plug in that need to be made safe.

Computers are devices that are supposed to magically do anything. If I 
purchase a computer to browse the web and send email I should be able to 
obtain "safe bandwidth" that provides web access and email.

To compare this with the electricity company, the average home with a 200A 
service is equivalent to NATed and firewalled internet bandwidth. As your 
electricity demands grow (for whatever reason) the electricity company 
upgrades your service, to 3 phase, 600V, whatever. Same with internet 
bandwidth, get a public ip, get a static ip, get ports opened, run 
servers. Just as the upgraded electricity service requires more knowledge 
and equipment so does the upgraded internet bandwidth.

Adi



Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-12 Thread Adi Linden

> If we would properly follow the analogy above, ISPs should provide a 
> "security fuse" which would disconnect the user when blown. Paul called 
> this "cyberjail" if I follow his thoughts. All efforts above this should 
> be charged separately or be part of "better general level of service". 
> You can also charge for letting people out of the jail. Make it $50 or 
> $100 a pop, not to be outrageous but justifiable.

Absolutely.

Properly managing one's bandwidth needs to be less expensive than the
penalty for abuse. 

Adi



Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-13 Thread Adi Linden

> The better analogy is what happens when you leave your oven on for 8 days 
> straight? Assuming your house doesn't burn down, should you have to pay the 
> electric bill for those 8 days? Hell yeah. It's impossible to separate what 
> was "legit" energy use and what was from the oven, and it's not their fault 
> you didn't turn it off anyway. And in the worst case, if your house burns 
> down, it's STILL not their fault!

This has somewhat deviated from the original post and who is responsible
for the bandwidth bill. When you buy a metered service, be it electricity, 
water, bandwidth, you pay what you use. It is not the supplier's
responsibility to determine what you do with it and question your
consumption.

I think it is foolish to buy a metered service without ceiling and leave 
things wide open. When I buy metered bandwidth I demand a hard limit. If I 
reach this hard limit I expect to be notified and cut off. If my upstream 
neglects to cut me off, consumption above and beyond the hard limit is 
their burden since they didn't meet their contractual obligation. A simple 
solution.

> Commodity internet access is a one-size-fits-all game plan. At most, 
> there's a second size, residential or business. But any user of either plan 
> can be compared to any other user of the same plan, and the provider will 
> treat them the same. It's too difficult, and doesn't pay, to try and treat 
> them differently. The extra $10 a month isn't going to justify the $20 
> spent making the changes or talking to the person on the phone.

And that is a problem. Unlike your electricity, where the supplier has an 
obligation to provide a certain level of clean energy, there is nothing 
like it with internet bandwidth. All the crud and exploits are dutifully 
forwarded to the customer.

Some argue that clueful internet consumers are the answer. Prove your 
knowledge in being able to secure devices connected to the internet and 
maintain them properly. The "Internet driver's license" is proof of 
proficiency in this case.

I argue that this is way overboard. I don't believe anyone should require 
any particular knowledge to obtain an internet connection and use the 
internet. Instead the internet needs to be available as a clean, conditioned 
service for consumption by the clueless.

The reason this isn't economical today is because ISPs lack any 
responsibility. It is cheaper for an ISP to buy more bandwidth and pass the 
worms and viruses customers' PCs spew to the internet than it is to deal 
with the problem. Seriously, if I send an ISP reasonable proof that a 
broadband customer hits my mail server with thousands of emails an hour I 
should be able to expect an immediate response. Not hours, days or weeks, 
but minutes, and the originating account should be shut down. If this doesn't 
happen I should be able to go to the upstream of the ISP, present my 
case, and have connectivity to the ISP suspended. 

Adi



Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-13 Thread Adi Linden

> Sorry, that doesn't hold up entirely.  My ADSL connections to my ISP are 
> being used to route IP addresses that belong to me.  It's a home DSL 
> service coming into my house, but, I have my own portable address space 
> and enough clue to manage my own systems, firewall(s), etc.  Why should 
> I be forced to pay your clue tax?

My arguments are in respect to broadband connections to homes and offices 
without an IT department, firewalls or cluefulness. If you own your own IP 
space you'd be considered an ISP, buying transit rather than broadband 
home DSL. What the physical wire the service is delivered on looks like 
really doesn't matter.

If I see your IP space bombarding my mail server I can trace its origin. I 
can contact you and request that you fix the problem. If you ignore me or refuse 
to fix the problem I can contact your upstream. Your upstream should then 
have a responsibility to resolve the issue, including suspension of 
service if my claims are valid and breach the AUP.

Adi



Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-13 Thread Adi Linden

> > The reason this isn't economical today is because ISP lack any 
> > responsiblity. It is cheaper for an ISP to buy more bandwidth and pass the 
> > worms and viruses customers PCs spew to the internet than it is to deal 
> > with the problem. Seriously, if I send an ISP reasonable proof that a 
> > broadband customer hits my mailserver with thousands of emails an hour I 
> > should be able to expect an immediate response. Not hours, days or weeks, 
> > minutes and the originating account should be shut down. If this doesn't 
> > happen I should be able to go to the upstream of the ISP, present my 
> > case, and have connectivity to the ISP suspended. 
> 
> Then, start an ISP, charge extra for that kind of maintainence and compete
> in the marketplace. See how it works out. I wish you the best of luck,
> I really do.

Today ISPs are not held accountable for the traffic that originates from 
their network. If they were, the economics would be different. Support 
costs for wide open broadband connections to the home would skyrocket. I 
am convinced that providing a safe internet connection to the home user 
would be quite viable at this point.

> I can understand your point of you. Personally, I'd love it if internet
> access was a simple, secure, managed commodity. But it isn't. 

Correct. The answer is to make it a simple, secure, managed commodity. Not 
to demand that granny has a degree to send and receive email.

> The ISP has _no_ legal basis in a lot of cases for terminating accounts 
> when "we" (being the people making noise on this list) would hope they 
> would. If they do, they possibly expose themselves legally. Can you 
> imagine the SOHO owner who screams because he's lost revenue because you 
> shut down his internet connection for a worm? Even if you have a "bullet 
> proof AUP" you may still end up having to deal with lawyers and possibly 
> some court time.

Correct. Today there is less hassle and less risk to an ISP if pollution 
by their customers is just ignored and allowed to happen. The penalties 
for polluting are non-existent. 

The internet is a commodity supplied to customers. As such an ISP should 
have an obligation to supply it as clean and secure as possible. As much 
as the customer has an obligation to ensure that internet connected devices 
do not pollute the internet, so does the ISP have an obligation not to 
pass this pollution to customers.

> So, please explain again, why should an ISP get involved right now?

Because it is the right place to start. It is just lacking incentive.

Adi



Re: Points on your Internet driver's license

2004-06-13 Thread Adi Linden

> So, who's checking these local LAN's to make sure they don't melt or
> burst into flame once hooked up? 

Who's checking that no evil packets are sent to the LAN that cause it to 
go up in flames?

Adi



Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-13 Thread Adi Linden

> > My arguments are in respect to broadband connections to homes and offices
> > without IT department, firewalls or cluefulness. If you own your own IP
> > space you'd be considered an ISP, buying transit rather than broadband
> > home DSL. What the physical wire looks like the service is delivered on
> > really doesn't matter.
> >
> WRONG... I am not an ISP, and, my ARIN registration says so...

My apologies, wrong choice of words on my part. You have your own block of 
IP space assigned to you and not some static or dynamic number that 
belongs to your ISP.

All I was trying to say is that you are not a typical ISP customer. No 
matter what pricing your ISP applies to your connection, getting you 
connected takes more than signing up for a basic internet account.

> I am a home end-user ADSL subscriber.  It's as simple as that.  Yes, I 
> happen to have my own address space.  That's partly an artifact of the 
> reality that I've been doing this longer than you (and many others on 
> this list) and got my address space back when.  However, I don't think I 
> should be financially penalized for that.

That depends on your relationship with your ISP.

Adi



Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-13 Thread Adi Linden

> > And that is a problem. Unlike your electricity, where the supplier has an
> > obligation to provide a certain level of clean energy, there is nothing
> > like it with internet bandwidth. All the crud and exploits are dutyfully
> > forwarded to the customer.
> >
> Clean internet service is internet service that delivers only valid IP
> datagrams.  Most internet service is clean internet service.  Any internet
> service that looks above layer 3 to make forwarding decisions is not clean
> internet service.

Perhaps this is where our opinions greatly differ. If I am a customer with 
my own block of routable IP space I agree with you 100%. But this is about 
the average home user that receives a dynamic IP leased from the ISP.

Clean internet is more than just valid IP datagrams to my IP address. If I 
connect to my ISP and do nothing beyond that, not a single packet, I 
expect to not receive any packets either. If I initiate a GET request to a 
web server I expect the web server's response to be returned unaltered. If I 
have an email account with my ISP I expect only valid email to be 
delivered to my email address. I consider this clean internet service from 
the perspective of the average home user.

> > I argue that this is way overboard. I don't believe anyone should require
> > any particular knowledge to obtain an internet connection and use the
> > internet. Instead internet needs to be available as a clean conditioned
> > service for consumption by the clueless.
> >
> I agree that the IDL is overboard.  I even agree with your second sentence.
> Consumers need to demand software which does not support these exploits from
> their software vendors.  That is the real solution.  The internet is a
> transport, just like the phone line coming into your home.  Nothing prevents
> someone from making an obscene phone call to your house.  The most common
> problem software today is like having a telephone that won't let you hang
> up on the prank caller, then, demanding that the phone company prevent those
> calls from coming in the first place.

As a telephone customer I expect to pick up the phone, make a call and hang 
up. I expect to receive calls and hang up. If the phone crashes in the 
middle of a conversation I am not happy; if it costs me money because LD 
charges continue to apply I am even less happy. The manufacturer of the 
phone has a given set of specifications to work with and the phone company 
has a given set of parameters of what the signal of the phone line should 
look like.

What if I call you and put an awful tone on the line that blows your 
eardrums, locks up your phone and causes it to dial on its own and do the 
same to all your friends from your phone. As a bonus you'll get a LD bill 
from the phone company for all the calls your phone made without your 
permission. Who's to blame? The phone company because they transmitted 
harmful signals? The phone manufacturer for building a phone without 
accounting for the possibility of this sound? The customer for picking up 
the phone? How do you prevent future events of this sort? Customer 
education?

All of today's software has flaws, some more, some less. Some of these 
flaws should simply not exist, while others are an oversight. Many of the 
current exploits have one thing in common: malformed packets addressed at 
machines that never requested the packets they are receiving to begin 
with. Stopping these packets from reaching their target is just as 
important as having the target immune to the attack.

The ISP provides a service to a customer; the ISP should be sensitive to 
the customer's requirements. If the customer requires clean internet 
service then this is what the ISP should strive for. This doesn't relieve 
the customer from being responsible (like opening any and every attachment 
received) but it is just another layer in reducing the enormous amount of 
garbage traffic we are seeing. 

Adi



Re: "Default" Internet Service

2004-06-14 Thread Adi Linden

> It's not crap.  Infected machines are no more the fault of the internet than
> junkmail in your mailbox is the fault of the post office.  There's literally
> no difference to the model.  The post office delivers mail that is addressed
> to you.  They don't care if it's junk mail or not.  They deliver it.

So what about little envelopes with white powder? Does the post office 
still have an obligation to deliver it or should they be concerned about 
the welfare of their customers? Perhaps they should insist that customers 
are properly vaccinated.

Point I am making is that the post office is not responsible and/or liable 
for the content of the packages they deliver. However, if they deliver 
packages that are obviously visibly dangerous to the recipient they have 
an obligation to investigate and not deliver the package. 

> Most residential ISPs get paid the same whether the customer spews
> abuse or not.  Their costs go up some when they get abuse complaints
> and when abuse starts using more bandwidth, so, for the most part, most
> residential ISPs have no incentive to support abuse, but, not enough
> incentive to pay to staff an abuse department sufficiently to be truly
> responsive.  Further, most abuse departments don't get enough support
> from management when the sales and marketing departments come whining
> about how much revenue that abusing customer produces each month.
> This is one of the unfortunate realities of a free-market economy.  It
> doesn't always tie profit to doing the right thing, and, it favors
> short-term thinking over long-term planning.

Who do you suppose pays for the abuse department staff? Those are 
operational costs passed on to all customers. If increasing abuse results 
in increasing staff, hopefully eventually, these costs will most likely be 
passed on to all customers. It would be nice to see per incident billing so 
only offenders and repeat offenders pay. I doubt that'll happen (just a 
gut feeling, no other justification).

Adi



Equipment Shelter with Backup Generator

2004-09-17 Thread Adi Linden

I am looking for ideas/suppliers for placing network equipment and
satellite earth station equipment in remote locations. There are no
suitable facilities to colocate but single phase power is available. Any
ideas where to find a secure steel clad building that fits a couple of
racks, has environmental conditioning, room for a UPS and generator backup?

Thanks,
Adi


Re: Important IPv6 Policy Issue -- Your Input Requested

2004-11-08 Thread Adi Linden

> I don't know of any applications that require RFC1918 addresses to be
> deployed. (Clearly, this is not to say there are none.)

There are a number of good and reasonable uses for RFC1918 addresses. Just
assume an individual/business/corporate LAN with client/server applications
and statically configured IP numbering. RFC1918 addresses are perfect. NAT
allows this network to be connected through any provider(s) to the
Internet. There is no risk of collision of the internal addresses with
publicly routed addresses.

To do without RFC1918 type address space I expect to

a. Obtain unique, permanent address space for
   personal/business/corporate use
b. Receive this unique, permanent address space
   at no cost
c. Have this unique address space routed via any
   provider of my choosing

Adi


Re: Important IPv6 Policy Issue -- Your Input Requested

2004-11-11 Thread Adi Linden

> > There are a number of good and reasonable uses for RFC1918 addresses. Just
> > assume a individual/business/corporate LAN with client/server applications
> > and statically configured ip numbering. RFC1918 addresses are perfect. NAT
> > allows this network to be connected through any provider(s) to the
> > Internet. There is no risk of collision of the internal address with
> > publically routed addresses.
> >
> > To do without RFC1918 type address space it expect to
> >
> > a. Obtain unique, permanent address space for
> >personal/business/corporate use
> > b. Receive this unique, permanent address space
> >at no cost
> > c. Have this unique address space routed via any
> >provider of my choosing
>
> I see this a lot recently: You are mixing up RfC1918 and NAT.
>
> If I have globally unique addresses I can NAT them as well
> as 10/8. One has nothing to do with the other.
>
> Having to NAT RfC1918 addresses to reach the internet, does not imply
> that I have to have RfC1918 to be able to do NAT.

What are my options today to obtain ip address space? My requirements are
well met by a /27 subnet. ARIN won't give me a globally unique /27 for
personal use. So the /27 comes from my service provider, which has several
caveats. I cannot multi-home. I cannot keep my address space when changing
providers. I most likely cannot keep my address space moving to a
different city but staying with the same provider.

About half of the devices within my own private network are statically
defined and for local use only. They will never need global access.
Because they are awkward to configure I do not want to renumber, ever. My
solution is to use RFC1918 address space for this network.

RFC1918 address space is free and plentiful for my purposes. It is
provider independent. It is globally unique in the sense that no other
publicly routed network is using it. My globally unique address will
come from my provider of the day. NAT is my technology of choice to
connect to the global internet, but other solutions are possible.

If I understand correctly, ipv6 will force me into using provider
dependent globally unique address space. Unless my provider of the day is
required to assign me address space that is and/or permanently assigned
and portable it does not meet my needs. Why not? I am not willing to
renumber when I change providers. I have no problem using NAT to obtain
connectivity from provider B using providers A address space internally.
But that only works if provider A is prevented from reusing 'my' addresses
if I terminate my contract.

And what do I do if I build my network without ties to any provider? Can I
go to ARIN to get globally unique address space, an IPv6 /48? Without
RFC1918 that would be my only choice to prevent overlapping my
network with someone else's.

If you're telling me that I can get provider independent globally routable
address space for a small network at a reasonable cost I'd jump for joy
and never look at RFC1918 again. But I don't see that offered as an
option, so an RFC1918 block in ipv6 makes all the sense in the world to
me.

Adi


Re: Important IPv6 Policy Issue -- Your Input Requested

2004-11-15 Thread Adi Linden

> > About half of the devices within my on private network are statically
> > defined and for local use only. They will never need global access.
> > Because they are awkward to configure I do not want to renumber, ever.
> > My
> > solution is to use RFC1918 address space for this network.
>
> Use unique site locals for them in IPv6.

Aren't unique site locals associated with the mac address?

Adi


Re: who gets a /32 [Re: IPV6 renumbering painless?]

2004-11-19 Thread Adi Linden

> > Locally-generated ULAs meet a need, like RFC 1918, that the RIRs will
> > never (and probably should never) meet -- cost-free and paperwork-free
> > addresses. Local ULAs also have the benefit that it's easy to explain to
> > customers why ISPs won't route them, which has been cited as a problem
> > with central ULAs.
> >
> But locally-generated ULAs aren't ULAs, they're NLAs, so, what's the point
> of creating this giant address space for people to allocate from
> willy-nilly.  If you want to define an RFC-1918 style /32 everyone can
> play in, go for it.  You'll have all the same problems and solutions
> of RFC-1918.  If you want to avoid such collisions as have been the problem
> with RFC-1918, then, you need an address registry, and, let's just accept
> that this isn't a bad thing any more in IPv6 and get the RIRs allocating
> such space in a reasonable fashion.  I'm perfectly willing to have the
> RIRs delegate this space from a separate IPv6 block for that purpose, and,
> the RIRs are capable of doing this.  They're already doing it for IPv4
> based on 2002-3 and 2003-15.

There are a few issues with a registry for ULA address space:

Cost: I find it hard to believe anybody will run a registry for ULA
address space at no cost to the registrant.

Eligibility: If the purpose of a registry is to keep ULAs globally unique,
what criteria need to be met to obtain ULA space?

That comes back to my issue (with my clueful end-user hat on) of how an
end user with a small (or not so small) local network can statically assign
IPv6 addresses to local devices. The requirement for that local IPv6 space
is that it does not overlap with any current or future globally routable
IPv6 space. After all, some of the devices on that local network will need
global access and would be able to reach a global site that has the same
address as the local site. Obviously, since this is non-routable, only
locally significant, space I am not willing to pay for this space.

Adi


Re: Over three million computers 0wned?

2003-06-30 Thread Adi Linden

> The unanswered question is what should be considered reasonable?  And
> how much of a burden should the end-user carry?

Plugging into the network is like owning a house. You're at the edge of a 
public network, whether it be a road or a wire. Just as you lock your 
front door, there needs to be a way to lock your computer. It is up to the 
OS vendor to provide some user friendly means to access and secure one's 
computer.

From a provider point of view, computer security is reactive, just like 
our local police force. You call them once your own space has been 
compromised to assist in catching the intruder.

Adi 



Blocking port 135?

2003-08-01 Thread Adi Linden

http://www.cert.org/advisories/CA-2003-19.html

Would blocking port 135 at the network edge be a prudent preventative 
measure?



RE: Blocking port 135?

2003-08-01 Thread Adi Linden

> Absolutely.  All of the NetBIOS ports: 135, 137, 138, 139, 445.  

Ports 137, 138, 139, 445 have been blocked for a long time. But port 135 
wasn't until today...

Thanks!
Adi



RE: Microsoft to ship new versions with firewall enabled

2003-08-14 Thread Adi Linden

> However the new microsoft policy will help protect the network from Joe
> and Jane average who buy a PC from the closest "big box" store and hook it
> up to their cable modem so they can exchange pictures of the kids with the
> grandparents in Fla.  This is the class of users who botnet builders dream
> about because these people do not see a computer as a complex system which
> _requires_ constant maintenance but as a semi-magical device for moving
> images and text around.

But that's exactly what a consumer PC is!  An appliance (just like a 
toaster) for exchanging pictures, sending email, balancing the checkbook, 
paying bills, playing games, etc.  The average Joe doesn't care why the thing 
works.  But he does notice if it doesn't work as expected.  Then he'll 
call tech support or get the neighbour's kid to help.  He may never notice 
that the box has been compromised and DoSs his favorite website or 
relays SPAM to millions of fellow Joes.  That's reality!  The more 
broadband there is, the worse the problem becomes.

I absolutely agree with the statement that the network should be 
transparent. No blocked ports, no filtered content. What goes in one end 
comes out the other or is delivered to the intended recipient in between. 
Exceptions are temporary measures to reduce or eliminate harmful traffic 
that impedes network performance or otherwise compromises the network 
design goals.

Having said that, customers of ISPs have a great variety of needs. On one 
hand is the transport of transit data. This is truly a GIGO (garbage in, 
garbage out) situation where traffic should flow unhindered and in its 
entirety. On the other hand there is the residential ISP market.  I don't 
think it's safe to let a residential PC sit on an internet connection and 
pass traffic to and from it without inspection.
 
ISPs need to wake up and offer a managed internet service. Where the ISP 
takes the initiative to provide filtered internet to residential 
customers. Turn on firewall features in your cable box or make those small 
NAT routers part of the service offering.

Bashing any OS vendor isn't the solution. All OSes have exploits. The *NIX 
crowd is just a lot more technically inclined and a lot more aware of 
network security than your average Windows user.

So instead of beating up on OS vendors or crippling the network, how about 
crippling the devices that are the root of the problem???

Adi



Re: Navy Marine Corps Internet hit

2003-08-19 Thread Adi Linden

> > Obviously they didn't filter 135, 137-139, 445, and  inbound
> 
> Not obvious.  I know of several sites that were infected even though they
> had filters in place, due to infected laptops being brought on-site.

Filtering ports 135, 137-139, 445, and  only delays the inevitable... 



Email security issues

2003-11-10 Thread Adi Linden

Hi,

Is there a place to discuss and find solutions for email related security 
issues? 

I've just received a nice email from my banker (ok, it claims to be from 
my banker) asking me to visit my bank's website and confirm my email 
address. This email is by far the most convincing piece of fraud I have 
received to date. The URL loads up the bank page plus a popup 
providing a login. Looking at the source of the popup reveals that it is 
positively not a legit source and most likely used to harvest people's 
access information.

Thoughts?
Adi



Port 41170 traffic

2003-11-23 Thread Adi Linden

Does anyone have any idea what is carried on TCP and UDP port 41170?

Adi



Quarantaine network for infected hosts?

2003-12-01 Thread Adi Linden

Reading about the various ways universities deal with ill behaved client 
PCs, is there documentation on how to quarantine devices on a network?

Adi



Re: AOL rejecting mail from IP's w/o reverse DNS ?

2003-12-03 Thread Adi Linden

> AOL says the PTR record needs to be assigned.  It doesn't specify it 
> has to match the @domain.com in the MAIL FROM: header.  Wouldn't it be 
> enough to make sure every IP address you announce has a PTR and 
> matching A record?  Hasn't this been a requirement for MANY services 
> for MANY years?

Requiring the PTR record to match the MAIL FROM: header would be horrific. 
There goes any hope of virtual hosting of mail accounts, i.e. one server 
with one ip handling multiple email domains. 

Adi



Re: Firewall stateful handling of ICMP packets

2003-12-03 Thread Adi Linden

The problem with ICMP is that it is ICMP today. What will it be tomorrow?
It'll always be putting out fires, controlling packet floods matching
whatever signature.

One solution is to get away from unlimited bandwidth. Once there is a cost
associated with having a PC source Nachi or Welchi traffic, customers will
learn to be more concerned and educate themselves. The cost doesn't have
to be monetary. Progressive rate limiting could be used, where traffic
gets pinched as the allowed traffic per time slot is consumed.

Adi


Re: Firewall stateful handling of ICMP packets

2003-12-04 Thread Adi Linden

> If ISPs charged customers $0.01/email message, would it cure spam or
> would the spammers just continue to use third-party victims to spam and
> there would be lots of news stories about grandmothers and orphans getting
> huge ISP bills?  IANAL, but many spammers are already breaking a law by
> using victim machines without authorization; but would law enforcement be
> more likely to do something if the victims now had a $50,000 bill from
> their ISP due to the unauthorized traffic?

There will always be crooks and victims. But if becoming a victim actually 
has real world consequences it is much more likely that people will try 
not to become a victim.

I am not talking about sending bills for some outrageous amount due to 
excess bandwidth used. Instead cut off when a certain bandwidth threshold 
has been exceeded. If the bandwidth was used purposely and legitimately, 
buy more bandwidth, otherwise fix your PC.

Adi



Re: Does your Certifying Authority have a clue who you are? Do they care?

2003-12-05 Thread Adi Linden

While the SSL certificate is meant to verify the owner's identity, as a 
consumer I would never trust an SSL certificate for that purpose. It does 
provide a reasonable effort to keep information between me and the server 
confidential. That's worth something, I guess.

Adi



Re: Does your Certifying Authority have a clue who you are? Do they care?

2003-12-05 Thread Adi Linden

> So what does the PKI actually buy you that using a throwaway self-signed cert
> doesn't provide?

No popup box on the browser asking to accept the certificate.

Adi



Re: antivirus in smtp, good or bad?

2004-02-03 Thread Adi Linden

> I think we have all agreed in previous threads that if a mail anti virus 
> scanner does not know how to differentiate between a virus that spoofs 
> the sender and one that doesnt, it should silently discard all virus 
> infected email -- OR notify the local administrator/user at their 
> choosing, but NOT bounce it.

Since the notion not to bounce a "you mailed a virus" message back to the 
sender is heard everywhere, I thought I'd mention this: Our mail server 
generates an incredible amount of bounces because of user accounts either 
not existing or being over quota. The signature based virus scanner hooks 
in at the local delivery, so the mail spool isn't scanned for viruses. As 
a result many messages are returned intact, including the attached virus, to 
the fake 'From:' address.

The fun and games of an archaic, abused, defunct mail delivery system...

Adi



Stopping open proxies and open relays

2004-02-06 Thread Adi Linden

I am looking for ideas to stop the spam created by compromised Windows 
PCs. This is not about the various worms and viruses replicating but 
these boxes acting as open relays or open proxies.

There are valid reasons not to run antivirus software; coupled with 
clueless users, this results in machines that SPAM again just a few hours 
after having been cleaned.

Adi 



Re: Stopping open proxies and open relays

2004-02-06 Thread Adi Linden

> > There are valid reasons not to run antivirus software,
> 
> And they are?

P90w/32MB running Win95 used for email only... or insufficient finances 
to purchase anti virus software... to name a couple.

Adi



Re: Stopping open proxies and open relays

2004-02-06 Thread Adi Linden

> Not to be argumentative, but by that logic, I guess it is okay to drive my 
> 1948 Ford which doesn't have brakes if I don't have the cash to fix it.

This is a matter of opinion. While this was my initial first thought, I 
can't agree with it. An old PC is by no means a threat to others. The 
invasive and unlawful actions of a third party are what turn the computer 
into a threat.

I'd rather compare this with Canadian winter. It is so cold out that I 
have to start my vehicle and let it idle for a few minutes. This means an 
unattended vehicle with the key in the ignition. If the neighbour's kid 
takes the vehicle and impersonates "Grand Theft Auto", who's 
responsible for the damage? As owner, at which point have I taken 
reasonable precautions against such an event?

There are programs happening which refurbish and distribute retired 
corporate PCs to schools and other organizations. All of this equipment 
is as I described. There are an enormous number of PCs out there that 
match the situation I described...

But that's all really not all that important to my question. What I really 
need is an easy to use solution to deal with the problem. Emphasis is on 
"easy to use", not necessarily easy to implement.




RE: Stopping open proxies and open relays

2004-02-06 Thread Adi Linden

> If stricter laws on computers forced even 50% of people to start caring a
> little more, wouldn't that be progress? The day a couple of grandmothers get
> taken away in handcuffs because a script kiddie took up residence in her
> computer is the day a few people will wake up to the fact that computers
> need regular maintenance... 

The day the script kiddie gets taken away in handcuffs and lined up for the 
electric chair is when we see progress. I think you're confusing the 
criminal and the victim!

Adi



Re: Dumb users spread viruses

2004-02-08 Thread Adi Linden

> There is nothing wrong with a user who thinks they should not have to know
> how to protect their computer from virus infections.  

Thank you, you made my day! Now I know that my judgement isn't clouded by 
the severe chest cold I am suffering from.

Adi




Re: SMTP authentication for broadband providers

2004-02-10 Thread Adi Linden

> We're a medium sized regional MSO/broadband provider with 200k+
> mailboxes, strongly considering enabling SMTP authentication on our
> customer-facing SMTP mail servers.  

We're relying exclusively on SMTP AUTH for SMTP relaying. The single 
biggest issue is that it requires ongoing user education. After a few 
weeks people forget what they did do get rid of the "Relaying denied" 
error message. It doesn't help that SMTP AUTH is not an option the "New 
Account Wizard" of Outlook and Outlook Express asks for. It has to be 
set up manually afterwards.

For "our" mail users it has been well received, ignoring the support 
calls. A big advantage is that roaming users no longer have to worry about 
whose ip space they're on. That may change as networks install SMTP blocks.

Adi



Re: Cisco's Website down?

2004-03-15 Thread Adi Linden

> Anyone else seeing an error getting to www.cisco.com?

Maybe I missed renewing a service contract? They don't like me either.

Adi



Throttling mail

2004-03-25 Thread Adi Linden

Does anyone have any resources on building a mail relay that would limit 
the amount of email a single user or ip address can relay over a given 
time period?

I have a spam/virus problem that is getting out of hand.

Adi



Redirecting mail (Re: Throttling mail)

2004-03-25 Thread Adi Linden

Thank you for all the information. It gives me a few choices to mull over.

Right now the single largest issue are compromised PCs that are abused for 
sending SPAM and also send viruses. I am seriously considering the idea of 
forcing all smtp traffic through a mail relay of some sort.

The newest viruses are smart enough to find mail servers that are 
available to relay through on the network. So it is not the final answer 
to just have a relay. But at the very least it will provide a single point 
to deal with the problem.

Is there a way to transparently redirect smtp traffic to a server 
elsewhere on the network using Cisco gear? It would be much easier to 
implement this solution if smtp traffic is transparently sent through the 
dedicated box rather than 'cutting off' all users until they manually
reconfigure their clients to use the new mail relay.

Adi




Re: Redirecting mail (Re: Throttling mail)

2004-03-25 Thread Adi Linden

> On the other hand, it's probably more effective to find some way of making the
> Cisco gear block outbound 25 from abusive machines.  Transparently redirecting
> the traffic is evil unless you plan to take all responsibility for relaying the
> mail (including mail that has MAIL FROM/RCPT TO that you may not wish to
> relay).

Right now I am blocking all network access for ip addresses I receive 
believable abuse reports for. The big problem is that it is a manual 
process that does not start until a PC has already sent a massive amount 
of abusive mail. After all, it does take time to read and act upon abuse 
reports. By forcing smtp through a specific server at least some proactive 
measures are possible such as throttling abusive behaviour. 

Adi



Re: Redirecting mail (Re: Throttling mail)

2004-03-25 Thread Adi Linden

> When you get bored fighting the fire with a leaking bucket of water, 
> technology exists that automates detection, redirection, posting 
> information to the end users and eventually re-enabling the subscribers 
> without any manual intervention. Makes days significantly less dull, but 
> I might be biased here :-)

Where?

Adi




Re: Redirecting mail (Re: Throttling mail)

2004-03-25 Thread Adi Linden

> Forcing it through a server doesn't automagically add the ability to throttle
> abusive behavior.  It's merely the obvious sledgehammer fix.

It's a means to deal with smtp traffic. 

> Now consider a router that's instrumented to collect flow data, feeding a
> real-time system that throttles the port if something abusive happens.  You get
> the same benefits of not having to read and act on abuse reports, plus you
> don't break non-abusive uses of the network.

Where is something like this documented and explained?

Adi
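The per-user/per-IP throttle asked about in "Throttling mail" and the flow-data driven throttling described in the reply above, as an added example that is not part of this thread: a sliding-window counter over constructed flow records (timestamp, source IP, destination port) that flags sources opening more outbound port-25 connections than a limit allows within the window. The record layout, sample addresses and thresholds are all assumptions.

```python
"""Sliding-window SMTP connection throttle over flow records (added example)."""
from collections import defaultdict, deque

# Constructed sample flow records: (timestamp_seconds, src_ip, dst_port).
# 192.0.2.10 bursts six SMTP connections in six seconds; .20 is a normal
# client; .30 only talks HTTP/HTTPS and must never be counted.
SAMPLE_FLOWS = [
    (0, "192.0.2.10", 25), (1, "192.0.2.10", 25), (2, "192.0.2.10", 25),
    (3, "192.0.2.10", 25), (4, "192.0.2.10", 25), (5, "192.0.2.10", 25),
    (2, "192.0.2.20", 25), (40, "192.0.2.20", 25),
    (3, "192.0.2.30", 80), (4, "192.0.2.30", 443),
    (70, "192.0.2.10", 25),
]


class SmtpThrottle:
    """Counts new outbound port-25 connections per source in a sliding window."""

    def __init__(self, limit, window_s, smtp_port=25):
        self.limit = limit          # connections allowed per window
        self.window = window_s      # window length in seconds
        self.port = smtp_port
        self._hits = defaultdict(deque)   # src_ip -> timestamps in window

    def observe(self, ts, src, dport):
        """Feed one flow record; True when src exceeds the limit right now."""
        if dport != self.port:
            return False              # non-SMTP traffic is ignored entirely
        q = self._hits[src]
        q.append(ts)
        # Expire timestamps that have fallen out of the window.
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q) > self.limit


def find_abusers(flows, limit=5, window_s=60):
    """Return sorted source IPs that exceeded `limit` SMTP connections
    within any `window_s`-second window of the (time-ordered) flows."""
    throttle = SmtpThrottle(limit, window_s)
    flagged = set()
    for ts, src, dport in sorted(flows):
        if throttle.observe(ts, src, dport):
            flagged.add(src)
    return sorted(flagged)


if __name__ == "__main__":
    print(find_abusers(SAMPLE_FLOWS))   # ['192.0.2.10']
```

Feeding real records to `observe` one at a time is what lets a blocking action fire during the burst rather than after an abuse report arrives; the limit and window are tuning knobs, not recommendations.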



Re: Kremen's Buddy?

2006-09-12 Thread Adi Linden


> Once this subject took off on nanog, I have been oversaturated with people
> trying to "sell" me ip space.  I have had offers for several /16's for
> 10,000.00 each that are no longer in use by the companies who "own" lol
> them.  I want to say to those people that made those offers to me

Here is a very good point of why ip space should not be a property traded
on an open market. To me ip space is like a house number or a telephone
number. A resource required and useable for a presence on the global
internet only. The current process of allocating ip space based on need
makes perfect sense. In order to assess the need, certain aspects of a
network have to be disclosed to ARIN, that makes perfect sense as well.

I'd hate to see an open market place for ip space. The ability to afford
ip space based on wealth rather than technical merit makes little sense
to me.

For those who feel ARIN policy is too restrictive and obtaining PI space
is too difficult, perhaps working with ARIN to adjust those policies would
be a good place to start.

Adi