BGP announce/withdrawal history.
Earlier today I had an issue where a circuit to one of my two BGP connected upstreams went away for an hour or so. During this period, I expected BGP to act as expected and migrate the traffic to the second circuit with a second provider. This did not occur. Initially I figured this had to do with route flap amplification or similar causing route dampening. However, when the circuit came back up connectivity was almost immediately restored to the entire internet, which doesn't seem consistent with a route flap dampening, unless the timing was just coincidental. This leads me to believe that the routes may have not been withdrawn for the path through the second provider even though the circuit was down for ~90 minutes. How this would have occurred I have no idea. At this point, I'm trying to reconstruct the state of the global routing table in relation to my prefixes during this period. I seem to recall at least historically that there was at least one or two places which were capturing route announcement/withdrawal data on the internet. However, google fails me. Is this data currently being captured anywhere, and if so, is this data publicly available (or at least are the data owners willing to provide an extract for my prefixes)? Any pointers would be helpful. Thanks.
Re: Global Crossing Contact / BGP and SONET interaction question
Randy Epstein wrote: I don't have an answer to the root cause of your problem, and I'm not looking for a discussion on route dampening (there are enough debates on this issue to make your head spin), but may I suggest you raise your hold timers to prevent your BGP sessions from going down on short disturbances as these? From what I can tell the disturbances are less than a second in duration. It doesn't appear that this is a hold-timer issue, although I would like GX to set it at something higher than 90 seconds (mine is already at a higher value - but the lower value wins during negotiation). I really suspect that either a) GX has some semi-weird configuration where the SONET ring switching from the normal to the protect path and back causes BGP to reset on the border router I'm attached to or b) There is a separate issue which is causing BGP to flap. Or of course, something else completely different. Unfortunately, I haven't been able to figure out how to talk to anyone at GX which actually has access to the routers and knows anything about BGP. -forrest
Global Crossing Contact / BGP and SONET interaction question
Two somewhat intertwined questions. I'll ask the second part first. I buy transit from Global Crossing and another carrier on HDLC encapsulated DS3's. Recently my BGP session has started flapping on the GX circuit... It looks something like this:
Jul 21 21:17:43.731 UTC: %BGP-3-NOTIFICATION: received from neighbor 67.17.168.73 6/6 (cease) 0 bytes
Jul 21 21:17:43.731 UTC: %BGP-5-ADJCHANGE: neighbor 67.17.168.73 Down BGP Notification received
Jul 21 21:18:25.439 UTC: %BGP-5-ADJCHANGE: neighbor 67.17.168.73 Up
Jul 21 21:29:52.315 UTC: %BGP-3-NOTIFICATION: received from neighbor 67.17.168.73 6/6 (cease) 0 bytes
Jul 21 21:29:52.315 UTC: %BGP-5-ADJCHANGE: neighbor 67.17.168.73 Down BGP Notification received
Jul 21 21:30:38.511 UTC: %BGP-5-ADJCHANGE: neighbor 67.17.168.73 Up
Jul 21 21:31:34.411 UTC: %BGP-3-NOTIFICATION: received from neighbor 67.17.168.73 6/6 (cease) 0 bytes
Jul 21 21:31:34.411 UTC: %BGP-5-ADJCHANGE: neighbor 67.17.168.73 Down BGP Notification received
Jul 21 21:32:20.535 UTC: %BGP-5-ADJCHANGE: neighbor 67.17.168.73 Up
Jul 21 21:32:52.547 UTC: %BGP-5-ADJCHANGE: neighbor 67.17.168.73 Down Peer closed the session
Jul 21 21:33:32.703 UTC: %BGP-5-ADJCHANGE: neighbor 67.17.168.73 Up
There are no other log entries during the periods when this occurs. Unfortunately this causes enough prefix flaps that any prefixes which are preferred through GX are damped for like a half hour by certain providers as my BGP routes get added/withdrawn through the GX link. GX claims (although I'm not sure they really know) that these are caused by SONET ring switches. I can believe this, since I haven't seen any real circuit flaps, and my understanding is that a SONET switch should generally be fast enough that you normally won't see the transition other than perhaps an error counter or two cranking up. However, it seems strange that I'm getting a 6/6 (cease) notification which I read as configuration change from their router.
GX also seems to be at a loss to explain why my BGP is flapping - other than to point at the SONET switches. I guess I'm trying to find out if someone on the list recognizes what this might be so I can perhaps help GX find and fix this. I'm also kinda curious as to whether or not typically a SONET ring switch event would actually propagate into a router in such a way that BGP would try to shut down the BGP sessions. I'm just having a hard time visualizing how a supposedly below-layer-two switch would cause bgp to reset in this manner. Not being a SONET expert even by any long stretch of the imagination leaves me with some holes here, but I thought the whole goal of SONET when used to provide DS3 circuits was to hide the ring switches as much as possible from the DS3 circuits - realizing that framing may be hard to preserve on a ring switch which would cause momentary loss of sync or similar - which usually shows up as an error instead of an interface flap. And finally, does anyone have a contact within GX with a clue? So far I'm not sure I've talked to anyone who knows anything but how to spell BGP. I'd really like to talk to someone about the real cause of these flaps and try to resolve them so they don't reoccur. -forrest
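The flap log from the post above, run through a route flap dampening model (an added example, not part of the original post). It assumes the commonly cited Cisco defaults (penalty 1000 per withdrawal, half-life 15 minutes, suppress at 2000, reuse at 750, 60-minute maximum suppress time) and that a remote router sees each session Down as one withdrawal of the prefix; the function names and the placeholder year are hypothetical.

```python
import math
import re
from datetime import datetime

# Log lines copied from the post above (Cisco IOS syslog, no year field).
LOG = """\
Jul 21 21:17:43.731 UTC: %BGP-3-NOTIFICATION: received from neighbor 67.17.168.73 6/6 (cease) 0 bytes
Jul 21 21:17:43.731 UTC: %BGP-5-ADJCHANGE: neighbor 67.17.168.73 Down BGP Notification received
Jul 21 21:18:25.439 UTC: %BGP-5-ADJCHANGE: neighbor 67.17.168.73 Up
Jul 21 21:29:52.315 UTC: %BGP-3-NOTIFICATION: received from neighbor 67.17.168.73 6/6 (cease) 0 bytes
Jul 21 21:29:52.315 UTC: %BGP-5-ADJCHANGE: neighbor 67.17.168.73 Down BGP Notification received
Jul 21 21:30:38.511 UTC: %BGP-5-ADJCHANGE: neighbor 67.17.168.73 Up
Jul 21 21:31:34.411 UTC: %BGP-3-NOTIFICATION: received from neighbor 67.17.168.73 6/6 (cease) 0 bytes
Jul 21 21:31:34.411 UTC: %BGP-5-ADJCHANGE: neighbor 67.17.168.73 Down BGP Notification received
Jul 21 21:32:20.535 UTC: %BGP-5-ADJCHANGE: neighbor 67.17.168.73 Up
Jul 21 21:32:52.547 UTC: %BGP-5-ADJCHANGE: neighbor 67.17.168.73 Down Peer closed the session
Jul 21 21:33:32.703 UTC: %BGP-5-ADJCHANGE: neighbor 67.17.168.73 Up
"""

ADJ = re.compile(
    r"^(\w{3}\s+\d+ [\d:.]+) UTC: %BGP-5-ADJCHANGE: neighbor (\S+) (Up|Down)")
PLACEHOLDER_YEAR = 2000  # the log has no year; only time differences are used

# Assumed dampening parameters (not stated in the post).
PENALTY_PER_FLAP = 1000.0
HALF_LIFE_S = 15 * 60
SUPPRESS = 2000.0
REUSE = 750.0
MAX_SUPPRESS_S = 60 * 60
# Penalty is capped so a route is never held down longer than MAX_SUPPRESS_S.
CEILING = REUSE * 2 ** (MAX_SUPPRESS_S / HALF_LIFE_S)


def adjacency_events(log):
    """Return (timestamp, neighbor, state) for every ADJCHANGE line."""
    events = []
    for line in log.splitlines():
        m = ADJ.match(line)
        if m:
            ts = datetime.strptime(f"{PLACEHOLDER_YEAR} {m.group(1)}",
                                   "%Y %b %d %H:%M:%S.%f")
            events.append((ts, m.group(2), m.group(3)))
    return events


def outages(events):
    """Pair each Down with the next Up; return outage lengths in seconds."""
    result, down_at = [], None
    for ts, _peer, state in events:
        if state == "Down":
            down_at = ts
        elif down_at is not None:
            result.append((ts - down_at).total_seconds())
            down_at = None
    return result


def dampening_trace(events):
    """Accumulate and decay the penalty at each Down (treated as a withdrawal).

    Returns a list of (timestamp, penalty, suppressed) tuples.
    """
    penalty, last, suppressed, trace = 0.0, None, False, []
    for ts, _peer, state in events:
        if state != "Down":
            continue
        if last is not None:
            penalty *= 0.5 ** ((ts - last).total_seconds() / HALF_LIFE_S)
            if penalty < REUSE:
                suppressed = False
        penalty = min(penalty + PENALTY_PER_FLAP, CEILING)
        if penalty > SUPPRESS:
            suppressed = True
        last = ts
        trace.append((ts, penalty, suppressed))
    return trace


def seconds_until_reuse(penalty):
    """Time for the penalty to decay to the reuse limit with no more flaps."""
    if penalty <= REUSE:
        return 0.0
    return HALF_LIFE_S * math.log2(penalty / REUSE)


if __name__ == "__main__":
    ev = adjacency_events(LOG)
    print("outages (s):", [round(s, 1) for s in outages(ev)])
    for ts, penalty, suppressed in dampening_trace(ev):
        print(ts.time(), round(penalty), "SUPPRESSED" if suppressed else "ok")
    final = dampening_trace(ev)[-1][1]
    print("minutes until reuse:", round(seconds_until_reuse(final) / 60, 1))
```

Under these assumptions the third flap pushes the route over the suppress limit, and after the fourth it takes roughly half an hour of stability for the penalty to decay to the reuse limit.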
RFC1918 in-addr.arpa local copies
After a routing issue between us and an instance of the RFC1918 anycast servers blackhole-[12].iana.org which caused all sorts of bizarre failures within customer networks, I'm trying to figure out if there is a really good reason why I shouldn't keep a copy of the 1918 zones on my local recursive customer-facing DNS servers so breakage between us and these servers won't cause grief in the future. So my questions are:
1) Is there a good reason why I shouldn't host a local copy of the RFC1918 in-addr zones on my servers?
2) I've dug around and haven't been able to find an example of a RFC1918 zone file ala what's on the official servers. I'm assuming that these are basically just empty domain files but I'd love to verify that this is the case. Of course, the blackhole servers I tried don't respond to AXFR.
3) Alternatively, I could host a local anycast instance of these servers, but I can think of lots of good reasons why this might be bad.
Ideas? Comments? --forrest
Re: Interesting DNS problem.
On Thu, 16 Dec 2004, Bob Martin wrote: I didn't know this was possible. I thought there was a 1 to 1 relationship with nameserver names/addresses. I'm trying to figure out if this is or will be a problem. Paul Vixie can probably better address this than myself, but I will mention that with my experience with running backupdns.com, the main problems you run into from an operational standpoint are: 1) When you need to change IP addresses for the nameserver you now have to coordinate the change on a hundred different entries instead of just one. If you use a single name, you just change that entry. 2) Depending on the exact situation, the nameserver may or may not know that it is authoritative for the domains since it may or may not realize that a given nameserver name is itself. Especially if there are resolution issues with the name in question at load time. Again, Paul Vixie may be able to better respond to this one. At backupdns.com, we tell people it's permitted to use their own name for our secondary server (if they ask) - but ask that they list the official name for our nameserver in the NS records for the zone to make sure we answer authoritatively. That said, we do try to discourage this because we see it as potentially causing more harm than good. -forrest BackupDNS.com
Re: XO Mail engineers?
On Wed, 4 Aug 2004, Drew Weaver wrote: It is generally the responsibility of the ISP to provide the outgoing mail transport for your connected users. This BCP seems to be changing. The new BCP which seems to be evolving requires customers to authenticate to their home mail server on the MSA port and send mail that way. This appears to be being driven by SPF/Sender-ID-like mechanisms. -forrest
Re: T1 short-haul vs. long-haul - jack terminology
On Fri, 23 Jul 2004, Christopher Woodfield wrote: OK, from my reading in Newton's Telecom Dictionary, it appears that NIU is a generic term for whatever the customer plugs their cable into, be it a powered or a dumb device. Mea culpa. ... ...installed on the premises as a semi-intelligent demarcation point, the smart jack is completely passive until activated remotely by a digital code, typically something like 'FACILITY 2', sent down the T-1. This code activates a relay [that loops the circuit]. That may not accurately define the Adtran and Westell devices that are pictured (they appear to have additional features beyond this), but it's a good guess they provide the remote loopback function described above in addition to the monitor points and management console port. I also doubt that the Hyperedge unit pictured does so, although I can't seem to find any online documentation on the unit (it is, as you described it, a 'glorified patch panel'). Feel free to correct me. In Qwest land, NIU, Smart Jack, and Demarc (unless extended) are all in the same physical rack. When you get a T1, qwest installs an appropriately sized shelf. This shelf holds the adtran and westell devices shown in earlier posts. For example, we have one site with quite a few T1's, which they installed a rack like the one pictured at: http://www.westell.com/images/osp/dsawm214.jpg Note the RJ45's on the bottom. These are the demarc point for the circuit. Older ones have RJ45's on the right side and the cards are thicker - a lot thicker. When qwest says insert a loopback plug at the smartjack or unplug from the smartjack or whatever, they mean this device. Qwest can loop or unloop and do other tests to this device. On the newer HDSL cards, they can also plug a laptop in to get performance data, and I believe they can also get this data from the CO end. Also of note, I haven't seen qwest deploy anything but HDSL2 cards for quite a while. 
This basically means a full duplex, full-speed T1 over a single pair of copper with a quarter of the repeaters (12K wire feet without a repeater). -forrest
Re: Talked about this before
On Mon, 9 Sep 2002, Pawlukiewicz Jane wrote: Quick Question, how much memory does the bgp tables actually take. I'm estimating 32 mb in my plan, but I'm worried that's not enough. Two views:
hln-cs1#sh ip bgp summ
BGP router identifier 206.127.65.1, local AS number 4043
BGP table version is 132881, main routing table version 132881
112575 network entries and 336143 paths using 24365495 bytes of memory
60397 BGP path attribute entries using 3624720 bytes of memory
53004 BGP AS-PATH entries using 1426946 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
20536 BGP filter-list cache entries using 246432 bytes of memory
Dampening enabled. 96 history paths, 45 dampened paths
111752 received paths for inbound soft reconfiguration
BGP activity 112575/456 prefixes, 336319/176 paths, scan interval 15 secs
That said:
hln-cs1#sh mem
           Head      Total(b)    Used(b)     Free(b)     Lowest(b)   Largest(b)
Processor  623C83E0  219380768   117525008   101855760   100536360   100521172
I/O        F50       11534336    8157292     3377044     3365952     3352444
By the time you populate the routing table and/or cef, and do a few other things, you probably want at least 256MB. If you are using something else, YMMV - it all depends on how efficient the software is at storing it in memory.
- Forrest W. Christian ([EMAIL PROTECTED]) AC7DE -- The Innovation Machine Ltd. P.O. Box 5749 http://www.imach.com/ Helena, MT 59604 Home of PacketFlux Technologies and BackupDNS.com (406)-442-6648 -- Protect your personal freedoms - visit http://www.lp.org/
Re: IP address fee??
On Thu, 5 Sep 2002, Tony Tauber wrote: At least as importantly, why do 254 addresses get provided where the actual need might not warrant that quantity? Being out here on the edge, I ask that question a lot. Customer calls and says I need a static IP. I (actually our front line people) ask WHY?. If they mutter something like VPN or Mail Server or similar we give one to them without much discussion. If they say We need a block of 4 or 8 (/30 or /29) and they mutter something along the lines of We're running our own firewall and want to put a couple of servers on the outside, then we give them to them after some discussion of are you sure you need to do it this way? and explain the glories of PNAT to them. If they want a /28 or larger, they better be ready with a real networking plan, really have a clue, and really understand why they don't want to use NAT or why they need more than the 8 addresses. IP Purists will probably be quick to jump all over me with the evils of NAT, but for the average small business it works perfectly well and solves a lot of security-related issues. (NOTE: I am not saying that NAT and a Stateful Inspection Firewall or similar is the same thing). The average office needs 1 probably-dynamic IP. Period. Back to the original poster's question. We charge a buck-a-month-per-ip more as a conservation tax than for anything else. Typically if we feel the customer has packed services as tightly as is reasonable in the address space we waive the fee (good use of NAT and/or other address conservation technologies and/or really valid technical reasons). Customers giving us reasons like I can't make my server do name-based (non SSL) virtual hosting so I need an IP for each domain I host or I think it would be cool to have a real publicly visible address on each of my 100 computers in my Beowulf cluster of 486's are the types of things we don't waive the fees for even though they are valid enough reasons to hand out a block of address space for. - Forrest W. Christian
Re: IP address fee??
On Thu, 5 Sep 2002, Richard A Steenbergen wrote: Why in this day and age, 9 years after the invention of CIDR, are we still referring to class C's? I submit that the commonly used definition of Class C has changed from An address in the class C range to a block of addresses aligned on a /24 boundary. My guess of the real underlying reason is that saying I need a full class C or I need a block of [4,8,16,32,64] addresses seems to be a lot easier to say in a clear fashion over the phone or in person than I need a slash-twentyfour. - Forrest W. Christian
Re: BGP and aggregation
On Mon, 13 May 2002, Roger Marquis wrote: Last time I tried this (IOS11.X to IOS11.X GRE) it was unreliable due to MTU limits. Certain websites (mainly financial) send large packets and set DF. This probably works around some security issue but the result was that these SSL servers couldn't reach clients over the GRE. We have seen the same issue in recent history. Generally, we try to have most of the traffic not pass through a GRE tunnel. With some creative routing, we can pass the data back out to our upstream which knows the more specific for that route. That said, we do support /32 static dialups across our net - I.E. if you have a /32 static on your dialup, you get the same /32 no matter where you dialup. These generally pass through the GRE tunnel as we only know of them through OSPF through the GRE tunnel. We have found that setting a mtu of roughly 1514 on the tunnel fixes this. I think this forces the GRE encapsulation to frag the packets regardless of the setting of the DF bit. Whether the far end router reassembles them or not I'm not sure about and haven't had the opportunity to stick a packet sniffer on the far end to tell. Regardless, it seems to fix the broken sites. YMMV - Forrest W. Christian
Re: BGP and aggregation
On Sun, 12 May 2002, Stephen J. Wilcox wrote: Interesting point there Scott.. we were discussing just that at a recent IXP meeting I was at. There's a number of different ways (well hacks) in which you can keep connectivity between two halves of an AS network in the event of a split. Is anyone out there actually doing something either this or similar to keep two halves connected in the event of a split.. and have you actually run successfully on your backup and maintained a reasonable throughput (say 30 or 40Mbs) ? I'd be interested if anyone has a proven technique as I want to implement something myself and don't really want to test it by pulling the plug on some backbone links and waiting to see what happens! My answer isn't even close to your reasonable throughput as the example is only T1 connected, but I have a site which we are only connected to via a non-igp path. Everything is via the internet (well sprint.net usually). We're announcing a /18 to sprint at our main site, and a /23 at the disconnected site. The disconnected site points default at sprint, and doesn't take a full routing table. Basically we have BGP up at the disconnected site just to announce the /23 with our AS. With some creative use of cisco routing tools including OSPF, GRE tunnels, and some creative static routing we maintain decent connectivity between the two sites. It works quite well. In fact, it works well enough that we're starting to buy circuits at each of our POPs as it is cheaper to buy circuits from sprint or similar to their internet PoPs than it is to buy circuits around the state. In most cases we will still be maintaining internal connectivity for backup and latency reasons. - Forrest W. Christian
Re: IP renumbering timeframe
On Mon, 6 May 2002, Ralph Doncaster wrote: What is the generally accepted timeframe for renumbering? My reading of ARIN policy would seem to imply at least 30 days. I've read some of your other notes so I'm aware there may be extenuating circumstances. That said, I want to mention normal policies as far as I can see here. If you have a /22 from a provider, then your right to use it generally terminates with the end of the contract with that provider. If you knew this relationship was going bad, the correct thing would have been to renumber out of that space as soon as you saw the writing on the wall so to speak and prepare for this event. The bottom line is the space is theirs and they can do whatever they want with it. I know that if I terminate service to a customer (or the customer disconnects with me), I expect an immediate return of the space. If they want to keep it they need to keep service with me. Evidently, there is no current service arrangement between you and Cogent. It sounds like you've got some stuff for the lawyers to fight about. Most likely cogent has done what a lot of us on the list would expect to be the right thing in relation to the space - immediately revoke use of address space upon termination of service. About the only leg you might have to stand on as far as this is concerned is the termination notice term language in the contract you signed with them ... I.E. they may have to give you 30 days notice of termination of service, or if you gave them notice, they might have to provide service for the remainder of the notice term. That said, I'd recommend you get renumbering as it will probably be faster to renumber than to work something out with cogent as it sounds like you aren't on the best of terms with them. - Forrest W. Christian
Re: anybody else been spammed by no-ip.com yet?
On Mon, 6 May 2002, Ralph Doncaster wrote: Actually, my analysis of spam seems to indicate authentication of remote SMTP servers through a process similar to joining this list would remove 99+% of SPAM. i.e. the first email from a particular remote server that is received, requires the sender to take some action (respond with a password, click on a URL, etc.) before the mail gets through. One of these days I hope to write the procmail rules to do it (if I don't find someone that has done it already) Tagged Message Delivery Agent. http://software.libertine.org/tmda/ - Forrest W. Christian
Re: anybody else been spammed by no-ip.com yet?
I'm going to make a suggestion which I realize that today there isn't any easy way to do this. However, I want to throw this out because I think if we could figure out how to do it, I think the spam problem will go away. Anytime anyone sends a mail to my server, I want to be paid 2 cents. 2 cents is probably less than the combined costs of me receiving a mail message. (Maybe 3 is better). That said, even if it was 2 cents, then a spammer dropping 10,000 messages on my server would net us $200.00 - and better, cost the spammer $200.00. Normal email between two people would likely cancel out and be of no net cost. You would also want to be able to accept mail from certain senders for free. What I envision is some sort of micropayment protocol extension to SNMP. Something like you exchange helo's, mail from, and rcpt to's, and the receiving server says to the sender That will be x cents please, at which point the server sends some sort of cert-signed digital cash. I'm not sure how you would bootstrap this or if it will ever be possible. I just think that if we could get even $0.02 per email from the spammers a lot of them would stop. - Forrest W. Christian
Re: anybody else been spammed by no-ip.com yet?
On Sat, 4 May 2002, Forrest W. Christian wrote: What I envision is some sort of micropayment protocol extension to SNMP. - Make that SMTP :) I guess I've been working on network monitoring too much recently. - Forrest W. Christian
Re: anybody else been spammed by no-ip.com yet?
I've been roasted privately and called naive in thinking that pay-per-mail is a valid solution. Let me first say that the $0.02 I pulled out of the air was derived simply by taking the $80/hr I bill to clients and dividing that by 3600 (number of seconds in an hour) thus $0.022. I'd say that about 1 second per email is probably real in relation to my time. Let me explain why I've come up the pay per message as an answer. I realize that this has got issues with it - such as abuses of the micropayment system, etc. etc. etc. Anyone who thinks that government can pass a law and this will go away is hopelessly naive. The spammers will go overseas. Besides, if you look at the content of a lot of the spams I receive I doubt the senders care much about the law. The junk fax law, in my opinion, worked primarily because sending faxes from locations outside the us jurisdiction cost more and there were few things you could provide from overseas which were marketable via fax. Anyone who thinks we're going to be able to educate people and make them all close their open relays is going to make the problem go away is hopelessly naive. There are just too many admins out there, most of which are of the I think running my own mail server is a good idea, but I really don't have much of a clue about how the mail server REALLY works variety. It's not possible. That leaves technological measures. Spam filters are a good idea, but spam is a very moving target. I run spamassassin (highly recommended) on a couple of mail servers. When I first install a newly-released version of spamassassin it is nearly perfect. Over a couple of months it gets less and less effective, at which point I install the newest version, which improves effectiveness again. Occam's razor is good, but in reality only catches spam if it has been reported to the razor. rbldns lists are effective only against the worst offenders, as the rest don't get reported until it is too late. and so on.
I think the only other methods I can think of are best described as some sort of web of trust type method. These are essentially whitelist systems. In order to send me mail you have to *do* something. The first option is a traditional If you send me email and I don't know you, I'll bounce the message and you have to reply with a specially formatted mail message in order to get your mail through. The main problem with this model is that in circumstances where bulk mailing is necessary (such as notifications of credit card payment due, etc.), you run into a problem. The other thing is that eventually, spammers will learn how to respond to these messages automatically. The second is more of a secure-smtp model, in that each mail server is Certificated in one way or another and that you only accept mail from Certificated mail servers. One of the conditions of being certificated is verification of anti-spam technological and other measures (such as being able to identify spammers, etc.). In a small internet, this is a perfectly workable solution. In a globally sized one, it seems to me that the likelihood of spammers being able to work around the system is as close to 100% as you can get. The pay-per-message system I proposed was an outgrowth of the certificated option. In essence, my theory is that if you paid *something* for each message you send, then everything should equal out in the long run. Generally, other than mailing lists and spam, I send about 1 message for every one I receive. A spammer sends tens of thousands of messages for every one he receives. There are a whole new set of problems caused by this which I think have mostly been mentioned - to summarize, they mostly relate to the technical problems with doing this, plus the possibility of abuse of the system, etc. etc. etc. Someone pointed me to a discussion of camram at http://harvee.billerica.ma.us/~esj/camram.html. I initially *like* something like this option.
In short, it forces the sender to spend a lot of CPU cycles for every message they send. Need to send a lot of email, well, spend a LOT of cpu cycles. The point I was trying to make with the pay-per-message is that the real cause of spam is an economic one. That is, the cost of sending the spam is less than the profit the spammers make from the spam. If we can increase the cost of sending the spam, then we will lessen the profitability of sending it, and the problem will diminish substantially. Remember almost 100% of the spam is driven by greed, and if we can't satisfy the greed of the spammers, they will go elsewhere. - Forrest W. Christian
Re: anybody else been spammed by no-ip.com yet?
I want to clarify this a bit, before I get flamed (not that I'm not going to anyways). On Sat, 4 May 2002, Forrest W. Christian wrote: The people in the middle would get *nothing* beyond what they are getting today. Grandma would get 2c for each mail she received. Grandma would pay 2c for each email she sent. Where does that cause the problems you are talking about? What I am *specifically* talking about is a situation where people who receive on average as many emails as they send don't pay ANYTHING above what they are paying now. We're trying to discourage bulk emailers, not individuals. - Forrest W. Christian
Re: anybody else been spammed by no-ip.com yet?
On Sat, 4 May 2002 [EMAIL PROTECTED] wrote: How about something along the lines of dial accounts having their outgoing SMTP connections rate limited to, oh, let's say 100 per day, and limiting the maximum number of recipients on any given email to some low number, say 5? A customer reaches the limit, the account auto-rejects all email for 24 hours. Someone bitches? Let them buy full rate dedicated services, with the first month, last month, and a security deposit up front before service is established. The problem with this is how do you enforce this across thousands of mail servers, controlled by many many different organizations? I'm not saying the pay-per-message option is perfect. In fact, the more I think about a camram-type solution the more I like it: where the sender proves to the recipient that they spent a fair bit of CPU time before sending the message. The bottom line is that in my opinion people need to give up *something* for the privilege of sending mail. I suggested a couple of cents per message. Others reject this as it will destroy the net. Camram requires people to give up CPU cycles. This might be an easier thing to swallow. Passing laws and putting on filters don't work. Depending on each mail server admin to do the right thing doesn't work. We need to find something else that will. - Forrest W. Christian
Re: anybody else been spammed by no-ip.com yet?
On Sat, 4 May 2002, Eric A. Hall wrote: Grandma would get 2c for each mail she received. Grandma would pay 2c for each email she sent. Where does that cause the problems you are talking about? I send a lot more mail than grandma does. Yes, but even if you send one a day and she never responds, this only comes out to $7.30/year. Hey, I'm not saying this is perfect. I'm just saying that passing laws and filtering and depending on admins to do the right thing just doesn't work. Ask people in those states which have anti-spam laws how many fewer spam messages they receive than before. We need something else. It must be enforceable at the receiving side, and we must be able to step into it gradually. The best solution I've seen, thanks to someone else on the list, is camram, which makes you pay for the email sending with proving you have spent about 15 seconds worth of CPU cycles. In fact, I'm thinking this is probably a better solution than the pay-per-message solution, as we don't have to worry about settlement, etc. etc. which was the real problem with the pay-per-message. - Forrest W. Christian
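The "sender proves they spent CPU cycles" idea discussed in the posts above, sketched as an added example that is not from the original posts and is not camram's actual stamp format: a hashcash-style stamp that the sender mints by brute force and the receiving server checks with a single hash, enforced entirely on the receiving side. The stamp layout, function names and example.net addresses are assumptions made for illustration.

```python
import hashlib
import os
from datetime import date, datetime
from itertools import count


def leading_zero_bits(digest):
    """Number of zero bits at the start of a hash digest."""
    bits = 0
    for byte in digest:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits


def work_done(stamp):
    """Work proven by a stamp: leading zero bits of its SHA-256 hash."""
    return leading_zero_bits(hashlib.sha256(stamp.encode()).digest())


def mint(recipient, bits, day=None):
    """Sender side: try counters until the stamp hash has `bits` leading
    zero bits. Expected cost is about 2**bits hashes per recipient."""
    day = day or date.today()
    # Assumed layout: bits:YYYYMMDD:recipient:random-salt:counter
    prefix = f"{bits}:{day:%Y%m%d}:{recipient}:{os.urandom(8).hex()}:"
    for counter in count():
        stamp = f"{prefix}{counter:x}"
        if work_done(stamp) >= bits:
            return stamp


class StampVerifier:
    """Receiver side: one hash per message, plus a replay cache."""

    def __init__(self, my_address, min_bits, max_age_days=2):
        self.my_address = my_address
        self.min_bits = min_bits
        self.max_age_days = max_age_days
        self.seen = set()  # stamps already spent (bounded by max_age_days)

    def check(self, stamp, today=None):
        today = today or date.today()
        try:
            claimed, day, rest = stamp.split(":", 2)
            recipient, _salt, _counter = rest.rsplit(":", 2)
            claimed = int(claimed)
            minted = datetime.strptime(day, "%Y%m%d").date()
        except ValueError:
            return "malformed"
        if recipient != self.my_address:
            return "wrong recipient"    # stamp was paid for someone else
        if claimed < self.min_bits:
            return "too few bits"       # sender did not pay our price
        if work_done(stamp) < claimed:
            return "insufficient work"  # claim not backed by the hash
        if abs((today - minted).days) > self.max_age_days:
            return "expired"            # keeps the replay cache small
        if stamp in self.seen:
            return "replayed"           # one stamp buys one delivery
        self.seen.add(stamp)
        return "ok"


if __name__ == "__main__":
    # Constructed demo values: 16 bits is far cheaper than the ~15 s of CPU
    # mentioned in the thread, chosen so the demo finishes quickly.
    verifier = StampVerifier("postmaster@example.net", min_bits=16)
    stamp = mint("postmaster@example.net", 16)
    print(stamp, "->", verifier.check(stamp))
    print("same stamp again ->", verifier.check(stamp))
```

Because the recipient address is inside the hashed string, a bulk sender has to repeat the search for every recipient, while each receiving server does one hash and one set lookup per message.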
Re: UUNET instability?
On Fri, 26 Apr 2002, Lionel wrote: telnet bofh.engr.wisc.edu 666 Folks, please don't try to connect to that service. Posting it here seems to have Slashdotted it. Works fine here. Are you sure you haven't got uunet between you and it? ;-) - Forrest W. Christian ([EMAIL PROTECTED]) AC7DE -- The Innovation Machine Ltd. P.O. Box 5749 http://www.imach.com/ Helena, MT 59604 Home of PacketFlux Technologies and BackupDNS.com (406)-442-6648 -- Protect your personal freedoms - visit http://www.lp.org/
Re: Selective DNS replies
On Wed, 24 Apr 2002, Avleen Vig wrote: Is there any DNS server currently available that can reply to DNS lookups based on the source IP address? Yes. djbdns has done this for quite a while. Note I am not necessarily recommending the use of djbdns, I am just saying it will do this. I also know that bind9 has added functionality similar to what you are looking for. I'm a bind fan myself. - Forrest W. Christian ([EMAIL PROTECTED]) AC7DE -- The Innovation Machine Ltd. P.O. Box 5749 http://www.imach.com/ Helena, MT 59604 Home of PacketFlux Technologies and BackupDNS.com (406)-442-6648 -- Protect your personal freedoms - visit http://www.lp.org/
Re: Qwest Transit
On 4 Apr 2002, John R. Levine wrote: Partially, but not primarily. The lead front page article in the Wednesday WSJ is about how badly mismanaged Qwest is. The gist of it is that US West was a sleepy RBOC with mediocre management, then Qwest which was what one might call a dot.fiber bubble company bought US West with fluffy puffy stock, then its incredibly arrogant and not very skillful management ran the company into the ground. I didn't see the WSJ article, but as a non-trivial Qwest Customer I can attest to the fact that there are *serious* management issues within the US West half of Qwest. They were bad before Qwest took them over. I hoped Qwest would have fixed things. Now they're worse. I've been trying to get a quote for a PVC on an ATM circuit from them for 6 months now. Customer service is going downhill. They're laying off the competent employees. They're reorganizing every week. In the last year or so I've had at least 6 sales reps. Just as we get them started on our issues they get changed. We can't talk to anyone but our reps because we're large enough that we're too important of a customer and they want us only to go through our sales engineer. We have billing issues almost 2 years old which haven't been taken care of. We have circuits which were requested to be disconnected which still are active and being billed. We have a hunt group at one site which they've been trying to fix the hunting on (or at least SAYING they are trying to fix the hunt on) for at least 4 months now. And on and on and on and on. We had a conference call with our new sales rep and a couple of other people such as billing specialists, etc. It took us well over an hour just to go through all the pending stuff. We will see if they actually get anything done. I've told their management that they have something seriously broken internally that they need to fix, and they have acknowledged it.
I just suspect that Qwest management trying to fix what is broken with Qwest is kinda like someone who doesn't even know how to turn on a computer trying to fix a router. As a final insult, Qwest is trying to convince the FCC to give them LATA relief (which would be a mixed blessing for us), because they are getting beat up by the competition. I say, show me ANYONE who is competing with you and we'll switch tomorrow. - Forrest W. Christian ([EMAIL PROTECTED]) AC7DE -- The Innovation Machine Ltd. P.O. Box 5749 http://www.imach.com/ Helena, MT 59604 Home of PacketFlux Technologies and BackupDNS.com (406)-442-6648 -- Protect your personal freedoms - visit http://www.lp.org/
Re: Help with bad announcement from UUnet
I've obviously caused a stir. Before I proceed, let me say I'm going to continue mentioning UU.net as I've had experience there... The responses to this list indicate this is a more widespread problem, so please don't take this as necessarily badmouthing uu.net. Let me first say EXACTLY what I was looking for. I'm multihomed. All I've wanted out of uu.net each time I've called is a traceroute and/or BGP output to determine which path my packets were heading back towards me on so *I* could get the problem fixed. I.E. to determine where the loss was really occurring and/or who was mis-announcing a prefix. In every case where I've tried to contact uu.net it's been obvious that as soon as traffic reaches their AS, everything goes to pot. Without being able to take a peek inside their network (via a traceroute or sh ip bgp) it's almost impossible to tell where the problem lies, since the problem is obviously with traffic getting back to my network. I agree with batz: On Fri, 29 Mar 2002, batz wrote: Because their network transits _most_ internet traffic and as a courtesy, they should provide some bare level of diagnostic services to the rest of the network. I can't think of a case where I've called the uu.net noc where I wanted more information than could have been queried through a standard looking glass (I.E. traceroute and BGP information). In fact, if uu.net provided a looking glass we probably wouldn't be having this discussion. Without rambling much further I'll add this: Yes, I realize there are scaling issues. Yes, I do want to call my upstream to get it fixed. No, I don't expect uu.net to own the problem (unless of course it IS their problem). BUT I can't tell which of my upstreams is having the problem in order to call them without a BGP or traceroute from the provider we're having problems reaching. - Forrest W. Christian ([EMAIL PROTECTED]) AC7DE -- The Innovation Machine Ltd. P.O. Box 5749 http://www.imach.com/ Helena, MT 59604 Home of PacketFlux Technologies and BackupDNS.com (406)-442-6648 -- Protect your personal freedoms - visit http://www.lp.org/
Re: Help with bad announcement from UUnet
After re-reading the following message I wanted to make sure I was clear that I am *not* currently having any connectivity problems with uu.net. It just happens often enough (and since it was brought up) that I wanted to find out what other people did to resolve this. I have received a couple of nice notes from people at uu.net offering to help in the future. I will be keeping those on file for future reference. I would like to say that my comments below still stand. I wouldn't have needed to contact the uunet NOC if a public looking glass was provided. On Fri, 29 Mar 2002, Forrest W. Christian wrote: Date: Fri, 29 Mar 2002 12:10:18 + (GMT) From: Forrest W. Christian [EMAIL PROTECTED] To: batz [EMAIL PROTECTED] Cc: Stephen J. Wilcox [EMAIL PROTECTED], Mark E. Mallett [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: Re: Help with bad announcement from UUnet I've obviously caused a stir. Before I proceed, let me say I'm going to continue mentioning UU.net as I've had experience there... The responses to this list indicate this is a more widespread problem, so please don't take this as necessarily badmouthing uu.net. Let me first say EXACTLY what I was looking for. I'm multihomed. All I've wanted out of uu.net each time I've called is a traceroute and/or BGP output to determine which path my packets were heading back towards me on so *I* could get the problem fixed. I.E. to determine where the loss was really occurring and/or who was mis-announcing a prefix. In every case where I've tried to contact uu.net it's been obvious that as soon as traffic reaches their AS, everything goes to pot. Without being able to take a peek inside their network (via a traceroute or sh ip bgp) it's almost impossible to tell where the problem lies, since the problem is obviously with traffic getting back to my network.
I agree with batz: On Fri, 29 Mar 2002, batz wrote: Because their network transits _most_ internet traffic and as a courtesy, they should provide some bare level of diagnostic services to the rest of the network. I can't think of a case where I've called the uu.net noc where I wanted more information than could have been queried through a standard looking glass (I.E. traceroute and BGP information). In fact, if uu.net provided a looking glass we probably wouldn't be having this discussion. Without rambling much further I'll add this: Yes, I realize there are scaling issues. Yes, I do want to call my upstream to get it fixed. No, I don't expect uu.net to own the problem (unless of course it IS their problem). BUT I can't tell which of my upstreams is having the problem in order to call them without a BGP or traceroute from the provider we're having problems reaching. - Forrest W. Christian ([EMAIL PROTECTED]) AC7DE -- The Innovation Machine Ltd. P.O. Box 5749 http://www.imach.com/ Helena, MT 59604 Home of PacketFlux Technologies and BackupDNS.com (406)-442-6648 -- Protect your personal freedoms - visit http://www.lp.org/ - Forrest W. Christian ([EMAIL PROTECTED]) AC7DE -- The Innovation Machine Ltd. P.O. Box 5749 http://www.imach.com/ Helena, MT 59604 Home of PacketFlux Technologies and BackupDNS.com (406)-442-6648 -- Protect your personal freedoms - visit http://www.lp.org/