RE: default routes question or any way to do the rebundant

2008-03-21 Thread andrew2

Scott McGrath wrote:
 If we do not help the newbies how will they ever become clued.   I can
 certainly remember when I did not know a bit from a byte.

I agree, but I question if NANOG is the appropriate medium for such help.  I
tend to (maybe mistakenly) assume a working knowledge of basic multihoming
concepts is essentially a prerequisite for active participation on the NANOG
mailing list.  Isn't this akin to posting to a professional mathematics forum
asking for help with your Algebra?  I know I read the list for high-level
discussions of the issues facing North American network operators, not for a
rehash of multihoming 101.  Certainly helping to educate newcomers can go a
long way towards making all of our lives easier, but that seems outside the
scope of NANOG-L.  If NANOG isn't the appropriate forum for those types of
discussions, what is?  Where should we be referring people to have clue
bestowed upon them?

Is there a lack of alternatives out there for such discussion?  [vendor]-nsp
seems like a decent choice for questions such as the one that sparked this
discussion.  Inet-access used to be a good place for finding that type of
information, but that list seems to be on life-support these days.  Would it
be appropriate for NANOG to start such a list?  (NANOG Lite?)  Would anyone
bother subscribing/participating?  Or are the available alternatives
sufficient?

Andrew Cruse



RE: default routes question or any way to do the rebundant

2008-03-21 Thread andrew2

[EMAIL PROTECTED] wrote:
 On Fri, 21 Mar 2008 17:15:06 EDT, [EMAIL PROTECTED] said:
 
 mailing list.  Isn't this akin to posting to a professional
 mathematics forum asking for help with your Algebra?
 
 In 1943 he (Einstein) answered a little girl who had difficulties in
 school with mathematics.
 Do not worry about your difficulties in Mathematics. I can assure
 you mine are still greater. Best regards Professor Albert Einstein.
 
 http://www.einstein-website.de/z_kids/letterskids.html

That's cute Valdis, but did the little girl and Einstein force thousands of
people around the world to read their correspondence?  I whole-heartedly
encourage and thank anyone willing to take the time to help the original
poster.  Off-list.

Andrew



RE: Sicily to Egypt undersea cable disruption

2008-02-01 Thread andrew2

Martin Hannigan wrote:
 On Feb 1, 2008 2:25 PM, Ahmed Maged (amaged) [EMAIL PROTECTED] wrote:
 
 Does look normal to me is far from a global conspiracy theory.
 
 Thank you for the translation but I think you got it wrong.
 
 I agree, there should be a sanity check as I understand that they are
 within close proximity of each other. Two ships slipping anchors and
 causing cable breaks in the same area is odd, but if there's a storm
 in the area, that would not be that much of a surprise. There should
 be some logic to the madness.
 
 I think that the moral of the story is that more operators should
 try to better understand what diversity means beyond the metro. The
 challenge is getting the information. The Teleography series of
 internet/sub maps are interesting.  They don't demonstrate diversity
 though, since they show figurative routing. Those nice and straight
 lines are a pipe dream.
 
 -M



 Well, when you have all these cables running through narrow straits or
 converging to the same stretch of beach, it does not strike me as at
 all extraordinary.  

 An important factor is cooperation. Is there cooperation between the
 fiber optic guys and fishing associations to minimize hits? 

 I would wager there is close to zero.

 Roderick S. Beck


Wouldn't that be a pretty narrow tightrope to walk from a
security standpoint?  The undersea cable maps are deliberately vague,
specifically to try to avoid making them easy targets of terrorism. 
Which is the bigger threat?  Boat anchors and fishing nets because of
inaccurate maps or deliberate sabotage because of accurate maps?  I
guess you pick your poison.

Andrew

...don't we rehash these same issues every time there's an undersea cable
failure?



RE: Cost per prefix [was: request for help w/ ATT and terminology]

2008-01-22 Thread andrew2

William Herrin wrote:
 Right now we rely on ARIN and the RIRs to artificially suppress the
 growth of the prefix count and with it the availability of PI space.
 This is a Really Bad Thing on so many levels, but absent a viable
 market-based solution to the problem, authority-based rationing is
 really the only thing we can do.
 
 If we can determine the cost to announce a prefix then we could
 develop a market-based solution to the problem... One where instead of
 suppressing the prefix count and dealing with it as business overhead,
 we GET PAID for announcing and propagating prefixes.


Hi, I'm Google/Yahoo/Microsoft/ATT/AOL/Sprint/etc. and I plan to announce
only /24's and I refuse to pay you to propagate those routes.  Are you
really going to drop those routes?   Bottom line here is you're going to
have trouble getting the big content providers to buy in, and you're going
to have an equally tough time convincing the major carriers that they should
essentially raise their rates for particular clients.  So who exactly is
going to pay and how are you going to convince them they should?  If
provider X tells me they're going to charge me $X per prefix I want them to
propagate, I'll just go with provider Y.  You're going to need 100% buy-in.

Your solution here is merely a band-aid designed to disguise the actual
problem.  Growing prefix count is largely a symptom of missing BGP
functionality.  Fix or replace BGP in such a way that we can better control
the flow of incoming traffic without needing hacks like announcing smaller
subnets and prepending and the problem goes away without introducing extra
fees and bureaucracy like you're suggesting.

Andrew Cruse



RE: Why do some ISP's have bandwidth quotas?

2007-10-05 Thread andrew2

Joe Greco wrote:

 Technically the user can use the connection to its maximum
 theoretical speed as much as they like, however, if an ISP has a
 quota set at 12G/month, it just means that the cost is passed along
 to them when they exceed it.
 
 And that seems like a bit of the handwaving.  Where is it costing the
 ISP more when the user exceeds 12G/month?
 
 Think very carefully about that before you answer.  If it was arranged
 that every customer of the ISP in question were to go to 100%
 utilization downloading 12G on the first of the month at 12:01AM, it
 seems clear to me that you could really screw up 95th.

First, the total transfer vs. 95%ile issue.  I would imagine that's just a
matter of keeping it simple.  John Q. Broadbanduser can understand the
concept of total transfer.  But try explaining 95%ile to him.  Or for that
matter, try explaining it to the average billing wonk at your average
residential ISP.  As far as the 12GB cap goes, I guess it would depend on
the particular economics of the ISP in question.  12GB for a small ISP in a
bandwidth-starved country isn't as insignificant as you make it sound.  But
let's look at your more realistic second what-if:

 90GB/mo is still a relatively small amount of bandwidth.  That works
 out to around a quarter of a megabit on average.  This is nowhere
 near the 100% situation you're discussing.  And it's also a lot
 higher than the 12GB/mo quota under discussion.

As you say, 90GB is roughly .25Mbps on average.  Of course, like you pointed
out, the user's actual bandwidth patterns are most likely not a straight
line.  95%ile on that 90GB could be considerably higher.  But let's take a
conservative estimate and say that user uses .5Mbps 95%ile.  And let's say
this is a relatively large ISP paying $12/Mb.  That user then costs that ISP
$6/month in bandwidth.  (I know, that's somewhat faulty logic, but how else
is the ISP going to establish a cost basis?)  If that user is only paying
say $19.99/month for their connection, that leaves only $13.99 a month to
pay for all the infrastructure to support that user, along with personnel,
etc., all while still trying to turn a profit.  In those terms, it seems like
a pretty reasonable level of service for the price.  If that same user were
to go direct to a carrier, they couldn't get .5Mbps for anywhere near that
cost, even ignoring the cost of the last-mile local loop.  And for that same
price they're also probably getting email services with spam and virus
filtering, 24-hr. phone support, probably a bit of web hosting space, and
possibly even a backup dial-up connection.

Andrew
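
A worked version of the two billing views discussed above, added here as an example and not part of the original post: it builds constructed 5-minute counter samples for a 90 GB month, once as a flat line and once with the same bytes pushed through a short busy window each day, and prices the 95th percentile at the post's $12 per Mbps.

```python
"""Added example: total transfer vs. 95th percentile for one month of usage.
The traffic profiles are constructed, not measured."""
import math

SAMPLE_SECONDS = 300                          # one counter sample every 5 minutes
SAMPLES_PER_DAY = 86400 // SAMPLE_SECONDS     # 288
DAYS = 30
GB = 1e9                                      # decimal gigabytes, as in the post


def percentile95(mbps_samples):
    """Classic 95th percentile: sort, discard the top 5% of samples,
    report the highest survivor."""
    ordered = sorted(mbps_samples)
    k = max(0, math.ceil(0.95 * len(ordered)) - 1)
    return ordered[k]


def average_mbps(mbps_samples):
    return sum(mbps_samples) / len(mbps_samples)


def total_bytes(mbps_samples):
    """Bytes moved over the month, i.e. the 'total transfer' a quota counts."""
    return sum(m * 1e6 / 8 * SAMPLE_SECONDS for m in mbps_samples)


def month_profile(total_gb, busy_samples_per_day):
    """Spread total_gb evenly across the days, but inside each day push all of
    that day's bytes through only busy_samples_per_day samples; the rest of the
    day is idle.  busy_samples_per_day == SAMPLES_PER_DAY gives a flat line."""
    per_day_bytes = total_gb * GB / DAYS
    busy_mbps = per_day_bytes / busy_samples_per_day * 8 / SAMPLE_SECONDS / 1e6
    day = [busy_mbps] * busy_samples_per_day
    day += [0.0] * (SAMPLES_PER_DAY - busy_samples_per_day)
    return day * DAYS


def monthly_cost(p95_mbps, price_per_mbps=12.0):
    """The post's cost basis: 95th percentile in Mbps times the transit price."""
    return p95_mbps * price_per_mbps


if __name__ == "__main__":
    for label, busy in (("flat", SAMPLES_PER_DAY), ("100 min/day", 20), ("60 min/day", 12)):
        samples = month_profile(90, busy)
        p95 = percentile95(samples)
        print(f"{label:12} total={total_bytes(samples)/GB:5.1f} GB "
              f"avg={average_mbps(samples):.3f} Mbps p95={p95:.3f} Mbps "
              f"cost=${monthly_cost(p95):.2f}")
```

The 60-minutes-a-day profile shows the flip side of the same metric: a burst occupying less than 5% of the month's samples drops out of the 95th percentile entirely, even though the total transfer is identical.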



Road Runner / Sprint routing / DNS issues this morning?

2007-08-17 Thread andrew2

I've had a steady trickle of reachability complaints coming from Road Runner
users over the course of the day today.  I started seeing wackiness about
7:30AM Eastern this morning when a VPN tunnel into a Road Runner customer
dropped off.  It seems as if the problems have stabilized over the last hour
or so, but I'm curious as to what happened.  I'm hearing rumors of some type
of Road Runner outage and/or DNS problems and/or general routing brokenness
that may or may not have involved Sprint. (How's that for specificity?)  Any
truth to the rumors, or can anyone provide more detail?

Thanks,

Andrew Cruse



RE: Content Delivery Networks

2007-08-10 Thread andrew2

Rodney Joffe wrote:
 On Aug 9, 2007, at 10:55 PM, Paul Reubens wrote:
 
 How do you engineer around enterprise and ISP recursors that don't
 honor TTL, instead caching DNS records for a week or more?
 
 
 In my little bit of research and experience over the last 10 years
 in this field, I have often pursued this urban myth. It remains
 largely just that.
 
 The most common  supposed violator of this was AOL. I found myself in
 a position at one stage to get to the root of this, and was rather
 impressed to find that it was indeed a myth.
 
 We've just finished a small research project where we looked at
 approximately 16 million recursive servers. The only ones violating
 this were some CPE devices that ran local recursive services, and
 they were generally along the lines of returning the appropriate TTL
 the first time they were queried, and if the TTL was zero, they
 returned a higher TTL (1 seconds) to subsequent queries for a
 short period (5 minutes). It may have been a code bug, or a designed
 behavior given that these were CPE devices.


Very interesting.  We've all heard and probably all passed along that little
bromide at one time or another.  Is it possible that at one time it was true
(even possibly for AOL) but with the rise of CDNs, policies of not honoring
TTL's have fallen by the wayside?

Andrew



RE: 96.0.0.0/6 reachability testing

2007-05-02 Thread andrew2

Warren Kumari wrote:
 On May 2, 2007, at 2:58 PM, Scott Weeks wrote:
 --- [EMAIL PROTECTED] wrote:
 
 On 5/1/07 7:19 PM, Scott Weeks [EMAIL PROTECTED] wrote:
 Randy's MUA automatically deletes email sent directly to him...
 
 Probably because you have a 12+ line .sig full of lawyer-speak.
 
 Both practices arguably ingenious or idiotic...
 -
 
 Doesn't matter.  He doesn't want to see the .sig and it's his email
 system.  Others do the same. 
 
 I gotta admit it's a really big .sig that's utterly useless.  It
 *IS* being disseminated, distributed and copied and on a global
 basis.  It's unlawful in what country?  No one's going to delete
 all copies.  Blah, blah, blah...
 
 I don't think that Ron is choosing to put this .sig in his mail, some
 ugly corporate mail gateway is probably appending it for him. While
 he could spend a huge amount of time trying to explain to someone at
 Time Warner that it is a stupid thing to do, I'm sure he has better
 things to do...

I don't see anywhere in the NANOG charter that says we have to use our
corporate email addresses in correspondence with the list.  From what I've seen,
most of us don't.  I agree 100% that trying to get $corporation to remove
the useless and annoying .sig's is like tilting at windmills.  But for the
sanity and comfort of other list users, would it be too much to ask that
people with annoying tacked-on .sig's use a personal mail account when
posting to the list?  I hear Google offers nice email accounts for a
reasonable price.

Andrew



RE: [funsec] Not so fast, broadband providers tell big users (fwd)

2007-03-13 Thread andrew2

Sean Donelan wrote:
 
 Several US Providers are very happy to sell 1Gbps and even 10Gbps to
 anyone in major (i.e. NFL/top 30) cities, but not at $14.95/month. 

Sure, as long as you're willing to fork over the cash for CPE capable of
handling OC-XX linecards.  The service cost is hardly the only cost
associated with buying that kind of bandwidth.  It's amusing to me that
we're worrying about FTTH when some of the largest carriers are still not
capable of delivering ethernet handoffs in some of those same top 30 cities.
Don't we need to get there first before we start wiring everyone's home with
fiber and a small router with an SFP?

Andrew Cruse



RE: [c-nsp] [Re: huge amount of weird traffic on poin-to-point ethernet link]

2006-11-09 Thread andrew2

Robert E. Seastrom wrote:
 [EMAIL PROTECTED] writes:
 
 On Thu, Nov 09, 2006 at 09:26:13AM -0500, Robert Boyle wrote:
 
 At 09:23 AM 11/9/2006, you wrote:
 On Thu, Nov 09, 2006, Robert Boyle wrote:
 
 You should also create a bogons list for your BGP routes which you
 accept from your upstream. Block all RFC1918 space and unassigned
 public addresses too. Just keep on top of it when new allocations
 are put into use. We see all kinds of crazy things which people
 try to announce (and successfully too - up to our borders anyway.)
 
 Is there a somewhat-reliable bogon BGP feed that can be subscribed
 to these days?
 
 We just maintain our own. I remember hearing about one a while ago,
 but we don't use it so I don't know any details.
 
 I'd strongly advise against folks doing it statically.. there seems
 to be ongoing issues with stale filters each time new address space
 is released. Even with the best of intentions folks change role or
 employer and things can get left unmanaged.
 
 The craziest stuff that gets announced isn't in the
 reserved/unallocated realm anyway so the effort seems to be
 disproportional to the benefits... and most issues I read about with
 reserved space is packets coming FROM them not TO them
 
 Steve's 100% spot-on here.  I don't have bogon filters at all and it
 hasn't hurt me in the least.  I think the notion that this is somehow
 a good practice needs to be quashed.  

Some people don't use condoms with hookers either.  Just because they
haven't caught anything yet doesn't make it a smart practice.

Andrew
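
As an added illustration of the bogon-filtering practice the quoted thread argues over (not code from anyone on the thread), the following Python screens IPv4 prefixes received from an upstream against a static list of reserved ranges and also flags when that static list has gone unreviewed, which is the staleness objection raised above. The prefixes, the review date and the 90-day limit are constructed.

```python
"""Added example: screen prefixes heard from an upstream against a static
bogon list, and say when that list is overdue for review.  All prefixes and
dates are constructed, not real routes."""
import ipaddress
from datetime import date

# Ranges that should never appear in a BGP table: "this" network, RFC 1918
# private space, loopback, link-local, multicast and class E.
BOGONS = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Hypothetical date the list was last checked against new RIR allocations.
# A static list that nobody revisits is exactly the risk the thread raises.
LIST_REVIEWED = date(2006, 11, 1)
MAX_AGE_DAYS = 90


def classify(prefix_str):
    """Return (verdict, reason) for one IPv4 prefix heard from the upstream."""
    try:
        pfx = ipaddress.IPv4Network(prefix_str, strict=False)
    except ValueError:
        return ("reject", "unparseable prefix")
    # overlaps() catches both a sub-prefix of a bogon and a covering
    # announcement such as 192.0.0.0/2 that would swallow reserved space.
    for bogon in BOGONS:
        if pfx.overlaps(bogon):
            return ("reject", f"overlaps bogon {bogon}")
    if pfx.prefixlen > 24:
        return ("reject", "longer than /24")
    return ("accept", "")


def filter_announcements(prefixes, today_iso):
    """Classify every prefix and report whether the bogon list itself is stale.
    today_iso is an ISO date string such as "2007-06-01"."""
    results = {p: classify(p) for p in prefixes}
    age = (date.fromisoformat(today_iso) - LIST_REVIEWED).days
    return results, age > MAX_AGE_DAYS


if __name__ == "__main__":
    heard = ["203.0.113.0/24", "10.1.0.0/16", "198.51.100.0/25", "192.0.0.0/2"]
    results, stale = filter_announcements(heard, "2007-06-01")
    for prefix, (verdict, reason) in results.items():
        print(f"{prefix:18} {verdict:6} {reason}")
    if stale:
        print("WARNING: bogon list last reviewed", LIST_REVIEWED)
```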



RE: WorldNIC nameserver issues

2006-10-17 Thread andrew2



 We're seeing a number of issues with WorldNIC nameservers failing  
 from multiple points on our network this morning and was wondering if  
 anyone was seeing similar problems.

 We're seeing issues with:
 ns47.worldnic.com (domain: cpurocket.com)
 ns48.worldnic.com (domain: cpurocket.com)
 ns87.worldnic.com (domain: insightcollect.com)
 ns88.worldnic.com (domain: insightcollect.com)

 and many many more...

 Anyone else seeing these failures?  WorldNIC does a lot of  
 authoritative DNS

 -david

We're seeing the same thing with various combinations of WorldNIC name
servers.  Some work fine, others work but are very slow, others are
completely nonresponsive.  Seeing it from both MCI and TWT.

Andrew Cruse



RE: Kremen's Buddy?

2006-09-12 Thread andrew2

[EMAIL PROTECTED] wrote:

 Once this subject took off on nanog, I have been
 oversaturated with people trying to sell me ip space.  I
 have had offers for several /16's for 10,000.00 each that are
 no longer in use by the companies who own lol them.  

It seems to me that this nicely illustrates a major problem with the
current system.  Here we have large blocks of IP space that, by their
own rules, ARIN should take back.  It all sounds nice on paper, but
clearly there is a hole in the system whereby ARIN doesn't know and
apparently has no way of figuring out that the space is no longer in
use.  It makes me wonder just how much space like that there is out
there artificially increasing IP scarcity.  I don't know what the
solution is, but the way things currently work it seems like if you can
justify a block today, it's yours forever even if you stop actively
using it.  Maybe allowing for some kind of IP market would cut down on
that type of hoarding -- you would at the very least change the type of
value those subnets have.

Andrew Cruse



RE: [Fwd: Kremen VS Arin Antitrust Lawsuit - Anyone have feedback?]

2006-09-08 Thread andrew2



 3) What's wrong with treating assignments like property and setting up a
 market to buy and sell them? There's plenty of precedent for this:
 
 Mineral rights, mining claims, oil and gas leases, radio spectrum.
 
 If a given commodity is truly scarce, nothing works as well as the free
 market in encouraging consumers to conserve and make the best use of it.

I think you're dead-on there, but you forget who you're really trying to
convince. It'll happen eventually but in the meantime the greybeards who
were largely responsible for the Internet as we know it (and who by and
large still wield significant influence if not still stewardship) will be
dragged there kicking and screaming from their academic/pseudo-Marxist
ideals, some of whom seem to still resent the commercialization of the
Internet. It's also hard to see the faults in the system when you are
insulated by your position as member of the politburo.

The flip side of the coin of course is that if you let the free market
reign on IP's, you may price developing countries right off the Internet
which I don't think anyone sees as a desirable outcome. There's sure to be
a happy middle ground that people smarter than I will figure out, and maybe
it takes a silly lawsuit such as this to kick things off.

Andrew Cruse


RE: [Fwd: Kremen VS Arin Antitrust Lawsuit - Anyone have feedback?]

2006-09-08 Thread andrew2



 3) What's wrong with treating assignments like property and setting up a
 market to buy and sell them? There's plenty of precedent for this:
 Mineral rights, mining claims, oil and gas leases, radio spectrum.
 If a given commodity is truly scarce, nothing works as well as the free
 market in encouraging consumers to conserve and make the best use of it.
 
 I think you're dead-on there, but you forget who you're really trying to
 convince. It'll happen eventually but in the meantime the greybeards who
 were largely responsible for the Internet as we know it (and who by and
 large still wield significant influence if not still stewardship) will be
 dragged there kicking and screaming from their academic/pseudo-Marxist
 ideals, some of whom seem to still resent the commercialization of the
 Internet. It's also hard to see the faults in the system when you are
 insulated by your position as member of the politburo.
 
 The flip side of the coin of course is that if you let the free market
 reign on IP's, you may price developing countries right off the Internet
 which I don't think anyone sees as a desirable outcome. There's sure to be
 a happy middle ground that people smarter than I will figure out, and maybe
 it takes a silly lawsuit such as this to kick things off.
 
 Andrew Cruse
 
 Another somewhat important point is that we also need to conserve routing
 entries. If you make a market for addresses without regard to routability,
 you risk creating a situation where you flood the world with /32's. No
 thanks.
 
 Tony

I would think that would tend to police itself. Even now with things as they
are you're going to have serious reachability problems if you try to
announce anything smaller than a /24. And if routing tables suddenly
explode, I'd expect that threshold to quickly move in reaction.

Andrew Cruse


RE: SORBS Contact

2006-08-09 Thread andrew2

[EMAIL PROTECTED] wrote:
 I don't know what your problem is, but you're not making things any
 better by refusing to fix listings that aren't incorrect or, in some
 cases, never were.
 
 IMHO, it's not about making things 'better' - we don't expect
 NANOG'ers to be any more altruistic than other folk. It's
 about consumer protection, as the anti-spammers always say;
 if $BLACKLIST does a good job, we keep it. If it screws up
 too much, we go elsewhere. So Matt has an incentive to be
 correct, I should think.

I fear we're veering off topic, but the problem with the "If $BLACKLIST
does a job, we'll keep using it" axiom is that it makes the assumption
that the majority of mail admins who use blacklists as part of their
antispam arsenal are keeping close tabs on the efficacy and accuracy of
the blacklists they use.  Unfortunately I don't believe that is
generally the case.  In my experience, most use blacklists as a set and
forget kind of weapon, and the only method they use to judge the
reliability of a list is how many spams it blocks, regardless of
accuracy.  Too often you find admins that, when presented with an
example of a false-positive caused by an inaccurate blacklist, cop the
"Don't talk to me, talk to the blacklist operators" attitude.

And it isn't entirely a lazy admin problem.  There really seems to be no
*good* way to judge the relative accuracy of different blacklists.  You
can read their policies and procedures, but how do you know if they
actually follow them?  Keeping an eye on mailing lists and newsgroups
can help some, but how do you separate the net.kooks complaining about a
valid listing from people with legitimate gripes?  Especially when the
blacklist admins often come off as bigger net.kooks than their
detractors?

It winds up looking like a big catch-22 to me.  Blacklist operators
essentially punt all responsibility for incorrectly blocked emails on
the mail admins, and the mail admins punt all responsibility for
incorrect listings back at the blacklist operators.  And that leaves us
with *no one* taking responsibility, which makes me seriously question
the wisdom of using blacklists at all anymore.

Personally, I think completely automated systems with very short listing
times may be the way to go.  It removes the human element from the
listing and delisting process in order to avoid the
personality-conflict/vendetta listings that seem to poison a number of
popular blacklists.  In the long run, though, I think the spammers have
won the DNS blacklist war already and our time is better spent
developing better content filters to worry with the actual content of
the email than where it came from.

Andrew Cruse




RE: Interesting new spam technique - getting a lot more popular.

2006-06-15 Thread andrew2

  At 7:03 PM -0400 6/14/06, Matt Buford wrote:
 There is also strong demand among web hosting customers to scatter 
 sites across multiple /24's due to search engine optimization.
 
 I hear this line of thinking often, but to me it sounds like 
 bulls^X^X^X^X^X... um, folklore. When our 
 customers/salesdroids ask for it, I (politely) refuse. We 
 acquired a hosting operation in 2004 that had blown a full 
 /20 on literally a rack and a half of hardware, and I was 
 aghast at what a nightmare that was. We're still untangling that mess.
 
 Anyway, if somebody could enlighten me to definitive proof, 
 or stated policy by Goo... er search engines, that confirms 
 this search engine result optimization by blatant abuse of 
 IP addresses I'd appreciate it. I for one believe it is bunk 
 dreamt up by somebody trying to sell something. If it is true 
 though, I would have to say that it is evil and I would 
 imagine many folks here (and not to mention ARIN, RIPE, et 
 al) would agree.

I think you're 100% right.  AFAIK it *is* just folklore.  But
unfortunately, SEO's have to make their money somehow and all too often
it seems they make their money making up crap like this.  Then all the
sheep that lap up every word that comes out of their favorite SEO's
mouth start demanding whatever the latest craze in SEO is.  This creates
opposing pressures between the need to maintain a secure, reliable
infrastructure and your salesdroids begging for whatever the clients are
requesting.  It's a tough balance to strike...best practices are all
well and good, but rigid inflexibility is unlikely to win you many
clients.  (Especially when you consider that the vast majority of the
webhosting clients out there couldn't care less about security until it
affects them.)  It's a shame, but the reality is I think market forces
pressure most of us into making technology decisions against our better
judgement from time to time.

So does it surprise me in the least that there are datacenters out there
running hundreds of customers out of one giant subnet?  No, not one bit.
Will it eventually come back to bite them, causing countless hours and
$$$ to clean up the situation when it does?  Inevitably.  But I don't
believe it's done out of ignorance in most cases.  I honestly can't
believe there is that much rampant incompetence out there.  To me it's
more likely to be a bunch of network geeks *who know better* kowtowing
to pressures from management to deliver what customers are demanding,
security risks be damned.

But maybe that just highlights a niche market just waiting to be
exploited.  I imagine there's money to be made marketing security
devices that allow for the convenience of being able to assign IP's on a
one-by-one basis while still protecting against the various nonsense
that can create, all with an easily manageable interface.  Doesn't seem
too far-fetched.  The tools and technology already exist, just a matter
of putting them all together and making it easy.

Andrew Cruse



RE: Wiltel has gone pink.

2006-03-13 Thread andrew2

[EMAIL PROTECTED] wrote:
 This morning we have started receiving an abundance of spam
 from Wiltel customers, pointing boldly back to websites
 hosted in Wiltel space.
 
 OrgAbuseHandle: WAC18-ARIN
 OrgAbuseName:   Wiltel Abuse Contact
 OrgAbusePhone:  +1-918-547-2000
 OrgAbuseEmail:  [EMAIL PROTECTED]
 
 Messages to [EMAIL PROTECTED] are being rejected.
 
 This phone number goes to their conferencing group, which
 doesn't know what 'abuse' is, or even what an IP network is.
 
 I went through 4 levels of management, and was informed that
 they no longer had an abuse team -- that this was disbanded
 in a recent reorganization.
 
 In short, it would appear that Wiltel is now selling pink contracts.

Or perhaps there's a more reasonable explanation like being assimilated
with Level3 and perhaps some contact info is a little stale at this
point in the merger process...  Never attribute to malfeasance what can
be explained by everyday corporate bureaucracy.

Andrew Cruse




RE: WMF Microsoft Patch is out

2006-01-05 Thread andrew2

[EMAIL PROTECTED] wrote:
 So rather than finish the testing they wanted to do, they rushed it
 out? Hmmm.   Sounds a little scary to me


The way the SANS folks have been going into hysterics over the
vulnerability I'd say there was considerable pressure to get it out the
door as soon as humanly possible...

Andrew Cruse



RE: the future of the net

2005-11-17 Thread andrew2

 The URL
 
 http://www.linuxjournal.com/article/8673
 
 now leads to the following message:
 
 Linux Journal Is Currently Unavailable Due to a Denial of
 Service (DoS) Attack Sorry for any inconvenience.
 
 That's intriguing ...

Translation:  Linux Journal has been linked to by Slashdot.

Andrew Cruse




RE: Network Map Generator

2005-09-26 Thread andrew2

[EMAIL PROTECTED] wrote:
 I'm looking for a product or script that will let us generate
 a network map for use in conjunction with Nagios.  We have
 all of the parent/child dependencies defined in a SQL table,
 as well as the current status, but I can only find programs
 that will create a live map on my desktop.  I also looked at
 the graphing Pear module, but it seems that it cannot
 generate an org-chart type map of the network.
 
 Anyone know of something that will generate an org-chart like network
 map dynamically? 

Depends on how fancy you want -- you could probably use Konfabulator to
just display the stock network maps straight from Nagios.

Andrew Cruse



RE: level3.net in Chicago - high packet loss?!?

2005-09-06 Thread andrew2

[EMAIL PROTECTED] wrote:
 
 Best Practices of wide-area diagnosis, anyone?

I'd be interested in a discussion of this as well.  To answer a slightly
different question, I usually point the ping and traceroute geeks to
Karl's wonderful treatise on the subject:
http://www.iwl.com/Resources/Papers/icmp-echo_print.html.

Andrew Cruse



RE: djbdns: An alternative to BIND

2005-04-11 Thread andrew2

[EMAIL PROTECTED] wrote:
 however, since BIND9 is compatible with BIND8 and BIND4, and with
 microsoft's DNS, and with virtually every other DNS in the world
 except for tinydns,
 
 Err, compatible because it detects them and then does the
 right thing, and uses the traditional protocol.

You know...I'm reminded of something we're all familiar with that came
up, oh...let's say 8 years ago.  There were some new-fangled devices out
there that were capable of communicating over POTS at somewhere close to
56 kbps.  It seems to me there were two flavors of them, K-Flex and X2.
You might have heard of them.  Anyway, if your modem had K-Flex firmware
and was trying to connect to something using X2, you couldn't connect
anywhere near 56 kbps.  And vice-versa.  The two technologies were
incompatible.  And yet, once they detected the incompatibility, they
were able to renegotiate down to a protocol they had in common, say
v.32.  Now eventually we came out with the v.90 standard so that
everyone could play together nicely.  Point is, even before there *was*
a 56k standard, all those incompatible modems could still communicate,
just not using their new proprietary protocols.  So, I guess I'm
wondering...how is what BIND9 does substantially different than the
case I've outlined above?

Andrew



RE: More on Vonage service disruptions...

2005-03-02 Thread andrew2

[EMAIL PROTECTED] wrote:
 Subject: Re: More on Vonage service disruptions...
 
 
 Yeah, I forgot about the regulation thing.  I suppose I'd give the
 ISP a call first, but I'd expect it to be working within a few
 hours.  But now that cable modem providers themselves are providing
 VoIP/dialtone, wouldn't those be regulated by the FCC?
 
 A few quick observations here (my own, personal opinion):
 To paraphrase an earlier comment: "a 90K stream is not an
 issue but what about 10,000's of them?"
 In the circuit switched arena, the LEC's compensate each
 other for either originating (toll free) or terminating
 traffic (LD) in a regulated environment. Thus there is some
 business reason to build the network out to handle the level traffic.
 That is not the case here (with VoIP), as most ISP's are
 paying for transport, peering connections, backhaul circuits,
 internal network bandwidth, etc. The IP Phone providers may
 be paying THEIR ISP, but the $$'s don't necessarily flow
 down to the ISP that the customer is connected to.
 That end user's ISP must now pay more for transit, plus beef
 up their internal network infrastructure to handle the
 additional traffic. That would result in having to raise
 rates, perhaps making the previously viable, dirt cheap, VoIP
 look like not so competitive a choice (vs. traditional
 dialtone) to the end user anymore.
 A question to ponder - what would happen to your network,
 from both a technical and financial perspective if all of
 your customers' circuit-switched voice traffic suddenly became IP?

I think you answered your own question.  ISP's would have to raise
rates, and voip may suddenly be not as attractive a choice for phone
service.  It seems to me that market forces will handle this problem
rather nicely on their own.  Right now VoIP providers and users are
getting a bit of a free lunch.  It's certain not to last.

Andrew




RE: Why do so few mail providers support Port 587?

2005-02-25 Thread andrew2

[EMAIL PROTECTED] wrote:
 On Thu, 24 Feb 2005 16:51:50 EST, [EMAIL PROTECTED] said:
 
 There seem to be many who feel there is no overwhelming reason to
 support 587.  I can certainly see that point of view, but I guess my
 question is what reasons do those of you with that viewpoint have
 *not* to implement it?  I just don't see the harm in either
 configuring your MTA to listen on an extra port, or just forward port
 587 to 25 at the network level.  Other than a few man-hours for
 implementation what are the added costs/risks that make you
 so reluctant?  What am I missing?
 
 You *don't* want to just forward 587 to 25.  You want to
 use SMTP AUTH or similar on 587 to make sure only *your*
 users connect to it as a mail injection service (unless, of
 course, you *want* to be a spam relay ;)

I guess my assumption was that SMTP AUTH was already configured on port
25.  :-)  That's how we're doing it -- I've opened up port 587 more as a
move to help roaming users get around port 25 blocks imposed by various
ISP's around the country than anything else.  For us it was a fairly
trivial change to make, which is why I was inquiring as to the apparent
strenuous reluctance on the part of some to do the same.

Andrew



RE: Why do so few mail providers support Port 587?

2005-02-25 Thread andrew2

[EMAIL PROTECTED] wrote:
 On Thu, Feb 24, 2005 at 04:02:20PM -0700, Smoot Carl-Mitchell wrote:
 
 On Thu, 2005-02-24 at 17:14 -0500, Jim Popovitch wrote:
 If supporting one port is y hours of time and headache, then two
 ports is closer to y*2 than y (some might argue y-squared).  587 has
 some validity for providers of roaming services, but who else?  Why
 not implement 587 behavior (auth from the outside coming in, and
 accept all where destin == this system) on 25 and leave
 the rest alone?
 I did run into a case where supporting port 587 was useful. I found
 out the hard way that one Internet service provider for hotels
 blocked outbound port 25, but not 587. So sending outbound mail to
 my mail relay would have been impossible without support for port
 587. 
 
 
 It's so funny. On this list many argued Port 25 outgoing must
 be blocked, only to notice that users actually seem to need
 it to send mail. Now we must configure our mailservers to
 listen on 587 to circumvent these filters that were stupid
 in the first place.
 
 Now to my prophecy mode: Spammers will start using 587 to
 spam, which we then also all block outgoing, notice again
 that customers still want to send mail and open another port
 ... 652 maybe. Put this in a while (true) loop until we run
 out of ports.

That's being a bit disingenuous.  The discussion here hasn't been to
open up port 587 to relay for all comers, but rather to open it up for
authenticated use only.  If spammers start using it, then it's a result
of either poor authentication security or an understaffed abuse
department.  I'll agree with you on one thing, though -- the whole
business of port 587 is a bit silly overall...why can't the same
authentication schemes being bandied about for 587 be applied to 25,
thus negating the need for another port just for mail injection?

Andrew
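As an added illustration (not part of the thread), here is how the rule Andrew describes looks in a Postfix 2.10+ configuration: unauthenticated clients on port 25 may deliver only to local destinations, SMTP AUTH permits relaying on either port, and the RFC 2476 submission port is simply a second listener that also insists on TLS and rejects anyone who has not authenticated. The hostname, domain and SASL backend path are placeholders.

```conf
# main.cf (excerpt): port 25 is the public MTA.  A client that does not
# authenticate may only deliver to domains this host is responsible for;
# relaying anywhere else requires SMTP AUTH (or a trusted local network).
myhostname = mail.example.net
mydestination = $myhostname, example.net
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
# Record the login name in the Received: header of each submitted message,
# so a compromised account can be identified from the message itself.
smtpd_sasl_authenticated_header = yes
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# master.cf (excerpt): the RFC 2476 submission service.  Same relay rule,
# but TLS is mandatory and unauthenticated clients are rejected outright,
# so this listener is only usable by the provider's own users.
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination
```

With `smtpd_relay_restrictions` shared by both listeners, the open-relay test (a third-party recipient from an unauthenticated client) fails identically on 25 and 587; the only difference the port makes is which filters on the user's network let the connection through.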



RE: Why do so few mail providers support Port 587?

2005-02-25 Thread andrew2

Joe Maimon wrote:

 We need 587 because trusted authentication in SMTP does not
 transit with the message. So there is no way to require
 authenticated email only from all systems that would be worth
 a damn. 

"Local delivery only unless authenticated" isn't worth a damn?  Is this
really that difficult??

Andrew



RE: Why do so few mail providers support Port 587?

2005-02-25 Thread andrew2

[EMAIL PROTECTED] wrote:
 Joe Maimon wrote:
 
 We need 587 because trusted authentication in SMTP does not transit
 with the message. So there is no way to require authenticated email
 only from all systems that would be worth a damn.
 
 "Local delivery only unless authenticated" isn't worth a damn?
 Is this really that difficult??
 
 Andrew

Sorry, I misread that.  But I still fail to see how 587 changes that.
Trojans, viruses, etc. etc. etc. can still exploit the authentication
system regardless of what port it operates on.  Different port, same old
problems.

Andrew



RE: Why do so few mail providers support Port 587?

2005-02-25 Thread andrew2

[EMAIL PROTECTED] wrote:
 On Fri, 25 Feb 2005 12:56:50 EST, [EMAIL PROTECTED] said:
 
 Sorry, I misread that.  But I still fail to see how 587 changes that.
 Trojans, viruses, etc. etc. etc. can still exploit the authentication
 system regardless of what port it operates on.  Different port, same
 old problems.
 
 It changes it only in that it becomes a *lot* easier for you
 to track down which of your users has a compromised machine.
 (It's a lot easier to just look at the Received: headers than
 have to take the hostname, chase it back through your logs,
 and all that - especially if the user is roaming and just
 caught something over their Aunt Tilly's unsecured wireless
 access point)

Yes.  Authenticated SMTP makes tracking down which of your users is
doing the spamming easier.  But you're assuming that SMTP AUTH isn't
being used on port 25 already.  You can do SMTP AUTH just as easily on
port 25 without having to re-educate your users and still net the same
simplified tracking procedures that you mention.  It sounds to me like
what we should really be talking about is getting MTA operators to begin
using SMTP authentication of some kind (any kind!), rather than harping
on whether or not MTA's should accept mail on port 587...

Andrew
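The tracking step the previous poster describes is easy to automate once the submitting server records the login name. The script below is an added example, not code from the thread: it parses Postfix-style Received: headers carrying the "(Authenticated sender: ...)" annotation that Postfix adds when `smtpd_sasl_authenticated_header` is enabled, and flags any account whose credentials were used from an unusually large number of client addresses in the window examined. The headers, hostnames, addresses and threshold are all constructed for the example.

```python
import re
from collections import defaultdict
from typing import Optional

# Postfix writes "from HELO (rdns [ip]) [(Authenticated sender: login)]
# by SERVER (Postfix) with PROTO"; PROTO ends in "A" (ESMTPA/ESMTPSA)
# when the client authenticated.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)"
    r"(?:\s+\(Authenticated sender:\s+(?P<user>[^)]+)\))?"
    r"\s+by\s+(?P<server>\S+)\s+\(Postfix\)\s+with\s+(?P<proto>\S+)"
)


def parse_received(header: str) -> Optional[dict]:
    """Extract client IP, login name and AUTH status from one Received: header."""
    m = RECEIVED_RE.search(" ".join(header.split()))  # unfold continuation lines
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "user": m.group("user"),  # None when the client did not authenticate
        "authenticated": m.group("proto").endswith("A"),
    }


def flag_accounts(headers, max_ips: int = 3) -> dict:
    """Map login -> sorted client IPs for accounts that submitted from more
    than max_ips distinct addresses: a sign the credentials are being used
    by something other than the owner's own machine (e.g. a trojaned PC)."""
    seen = defaultdict(set)
    for h in headers:
        rec = parse_received(h)
        if rec and rec["authenticated"] and rec["user"]:
            seen[rec["user"]].add(rec["ip"])
    return {u: sorted(ips) for u, ips in seen.items() if len(ips) > max_ips}


# Constructed sample headers using RFC 5737 documentation addresses.
SAMPLE = [
    "Received: from laptop (cpe-1.example.org [198.51.100.10])\n"
    "\t(Authenticated sender: alice@example.net)\n"
    "\tby mail.example.net (Postfix) with ESMTPSA id 1A2B3C",
    # Ordinary server-to-server hop: no AUTH, so it must never be flagged.
    "Received: from mx.example.com (mx.example.com [192.0.2.25])"
    " by mail.example.net (Postfix) with ESMTP id 1A2B3D",
] + [
    # bob's credentials submitting from four different networks at once.
    f"Received: from pc (unknown [203.0.113.{n}]) (Authenticated sender: bob@example.net)"
    f" by mail.example.net (Postfix) with ESMTPSA id 1A2B4{n}"
    for n in range(7, 11)
]

if __name__ == "__main__":
    print(flag_accounts(SAMPLE))  # {'bob@example.net': [...4 addresses...]}
```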



RE: AOL scomp

2005-02-24 Thread andrew2


 The other 1/3rd are actual spam, but legitimately forwarded as the
 user requested from a personal or business domain to an AOL account.
 Any server in the path gets tagged as a spam source.
 
 Actually only the server that connected to AOL and relayed
 the mail into them.  I have this same kind of
 gripe/complaint.  Only for me about 2/3rds of my scomp
 reports are this.  

I see the same thing.  At least 2/3rds are spam forwarded along as
described above.  I have to give some credit to AOL WRT handling that
type of situation -- they're much better than MSN/Hotmail who do not
have a whitelist or feedback loop and simply stop accepting mail for 12+
hours from any server that reaches a particular spam threshold.  They
refuse to do anything about it, even after trying to explain the
situation, because "It's the Symantec software that does it."  Of course
the fact that they're causing affected servers to get their mail queues
backed up with mail awaiting delivery to MSN/Hotmail isn't their problem
either.  Grrr...

Andrew



RE: Why do so few mail providers support Port 587?

2005-02-24 Thread andrew2

[EMAIL PROTECTED] wrote:
 On Thu, 24 Feb 2005 16:08:42 EST, Nils Ketelsen said:
 
 On Tue, Feb 15, 2005 at 09:00:11PM -0500, Sean Donelan wrote:
 
 What can be done to encourage universities and other mail providers
 with large roaming user populations to support RFC2476/Port 587?
 
 Give a good reason. That is still the missing part.
 
 If you're a roaming user from that provider, and you're at
 some other site that blocks or hijacks port 25, you can still send
 mail by tossing it to your main provider's 587.   If that's not a
 good enough reason to motivate the provider to support it, nothing
 will (except maybe when the users show up en masse with pitchforks
 and other implements of destruction...)

There seem to be many who feel there is no overwhelming reason to
support 587.  I can certainly see that point of view, but I guess my
question is what reasons do those of you with that viewpoint have *not*
to implement it?  I just don't see the harm in either configuring your
MTA to listen on an extra port, or just forward port 587 to 25 at the
network level.  Other than a few man-hours for implementation what are
the added costs/risks that make you so reluctant?  What am I missing?

Andrew



RE: SLA Tool

2004-10-01 Thread andrew2

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 Sent: Friday, October 01, 2004 3:04 PM
 To: Fisher, Shawn; [EMAIL PROTECTED]
 Subject: RE: SLA Tool
 
 
 JFFNMS (http://www.jffnms.org) seems to have a decent SLA 
 configuration. Been working for us in a limited testing capacity.
 
 Regards,
 Jade

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Fisher, Shawn
 Sent: Friday, October 01, 2004 3:20 PM
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: RE: SLA Tool
 
 
 
 Looking at www.cacti.net also, seems pretty decent.
 

Cacti is a wonderful RRDTool frontend, but I don't believe it currently
has any SLA enforcement capabilities.  There's been some discussion in
the Cacti forums about adding that feature, but nothing concrete.

Andrew




Qwest engineer?

2004-09-10 Thread andrew2

Sorry to bother the whole list with this...could someone involved in
routing at Qwest ping me offlist?

Thanks,

Andrew




RE: Another DNS blacklist is taken down

2003-09-24 Thread andrew2

  So, my question for NANOG is how does one go about attracting the
  attention of law enforcement when your network is under attack?  How
  does the target of such an attack get a large network provider whose
  customers are part of the attack to pay attention?  Is media
  attention the only way to pressure a response from either group?
  These DDoS attacks have received some attention in mainstream media:

 People will pay attention as soon as there is money in black lists.
 ISP's are businesses.  If losing the customer is cheaper than helping
 them far too many will choose to lose the customer.  Many black lists
 don't pay the ISP at all, indeed they are offered as free services for
 the good of the community.  As a result they get the response that any
 freeloader would, none.

 RBLs  Sounds like a great application for P2P.

Perhaps, but it also seems like moving an RBL onto a P2P network would
make poisoning the RBL far too easy...

Andrew



RE: Class A Data Center

2003-09-18 Thread andrew2

Particularly of interest would be established standards for "Class A
Datacenter" specifically relating to the physical plant -- Power,
cooling, physical security, etc.  I think we can all agree in general on
N+1 everything, and we can go round and round again on what exactly
constitutes "Tier-1 provider", but what about the physical space itself?
I can put a fully-redundant network with multiple Tier-1 connections
in my garage but I still wouldn't consider my garage to then be a "Class
A Datacenter".

Andrew

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Bob German
Sent: Thursday, September 18, 2003 3:59 PM
To: 'Jay Hennigan'
Cc: [EMAIL PROTECTED]
Subject: RE: Class A Data Center 

This is the assumption I have come to as well.  Are there any
established standards for enterprise datacenters at all, aside from the
obvious, N+1 redundant everything, diverse paths, etc.?

On Thu, 18 Sep 2003 [EMAIL PROTECTED] wrote:

 On Thu, 18 Sep 2003 12:08:43 EDT, Bob German [EMAIL PROTECTED]
 said:

  Can anyone point me to a set of standards that define a Class A
  Data Center?  I'm not asking for requirements, but an actual 
  pointer to standards hammered out by an organization or governing 
  body.

 must have connectivity from a Tier-1 provider? :)