Re: OT: One Wilshire photos.

2008-03-03 Thread bmanning

On Mon, Mar 03, 2008 at 05:35:22PM +0700, Roland Dobbins wrote:
> 
> 
http://www.wired.com/techbiz/it/multimedia/2008/03/gallery_one_wilshire?slide=5&slideView=9

nobody loves me, nobody cares, nobody brings me {bits on} pairs...
-- with apologies to Shel

--bill


Re: IPV4 as a Commodity for Profit

2008-02-20 Thread bmanning

On Wed, Feb 20, 2008 at 07:42:51AM +, Paul Ferguson wrote:
> I never thought I'd be doing this but:
> 
> Can we please move this thread elsewhere?
> 
> - - ferg
> 

there is a list already established for just such
purposes:

List-Id: ARIN Discussion Mailing List
List-Unsubscribe: ,
List-Subscribe: ,


--bill


Re: Question on the topology of Internet Exchange Points

2008-02-14 Thread bmanning

On Thu, Feb 14, 2008 at 11:02:54AM -0600, Kai Chen wrote:
> A typical Internet Exchange Point (IXP) consists of one or more network
> switches, to which each of the
> participating ISPs connect. We call it the exchange-based topology. My
> question is if some current IXPs use directly-connected topology, in
> which ISPs just connect to each other by direct link, not through a network
> switch?? If so, what's the percentage of this directly-connected case?
> 
> Kai

the "directly-connected" case - over a point-to-point link - is not,
per se, an Internet Exchange Point (IXP), in that there is no
chance of multiplexing the link to connect more than one
provider over that direct link.

the direct link can be a dedicated fiber pair, a cat5 cable,
conditioned copper pair or coax, or a combination of these layer
one transmission media (yeah, sat, microwave, avian carrier etc...)
depending on proximity and cost.

latency is usually less of an issue here, as is buffering, since there
is a single endpoint.  It's also much easier to maintain security
associations on direct links.


--bill


Re: Lessons from the AU model

2008-01-20 Thread bmanning

On Mon, Jan 21, 2008 at 01:20:12PM +1100, Geoff Huston wrote:
> 
> Randy Bush wrote:
> >
> >and pricing in australia had nothing to do with a monopilist telco with 
> >a rapacious plan highly well articulated and sold to the govt by an 
> >arch-capitalist with a silver tongue?
> 
> I don't know about that.  However, I do know that relatively small
> isolated communities in the bottom end of the South Pacific Ocean have
> to make somewhat tough calls in the provisioning of international
> connectivity. Satellite is too slow, so it has to be submarine cable. If
> you head west on cable then the costs escalate because of the
> transcontinental costs just to get to the west coast and the trans-
> Indian Ocean runs are either long or run very close to geologically
> active areas, and even when you get to Singapore you still have to do a
> full trans-Pacific to off load the majority of your traffic, so the end-
> to-end delays start to rise. 

here we start feeling for those poor Oz folk who want but can't
get sub-150ms latency.. and who's "buying" that they will forever be
held hostage to the low-latency center of the global network, the US.
one of the reasons GLORIAD was built was to get asian/eu connectivity
below 150ms.

> If you head north from the East Coast of
> Australia then in theory you can tap into the larger equatorial and
> north Pacific east west capacity market, but at the same time the end to
> end delays are high and the cost of heading north is almost the same as
> the costs of heading north east. And the east west market is highly
> uncertain - during business slumps capacity could be had very cheaply,
> but when asian demand is strong then the price escalates very quickly, so
> there are some risks with this option. Or you can head directly north
> east, as Southern Cross has done some years back. The transmission delay
> is as close to optimal as you can get, but it doesn't negate the fact
> that at one end of the cable is a community of 24M people, which is not
> exactly a big market by anyone's metric, and these 24M individuals have
> to fuel the entire business case for the infrastructure investment.
> 
> Southern Cross cost some US $1B to construct about a decade ago - I
> suspect that a comparable project today would cost somewhere between
> $300M and $700M depending on the amount of redundancy you are after, lit
> capacity, and the precise landing points of the cable system. But these
> days it's an investment not without risk, as the existing deployed
> systems have a significant capacity overhang in the AU/NZ end of the
> market and therefore have the ability to undercut the price of any new
> venture if they wished. So new ventures in cable systems in this part of
> the world normally require the buy-in from larger cashed up players.
> The consequence is that aspirations of a fiercely competitive market
> with follow-on in pricing drops to end consumers tends to be difficult
> to realize. I suspect that in these markets it's more of a battle between
> bankers and investment models than it has any bearing on the technology
> or the end user costs in the long run.

bankers, investment models, and government commitments tend
to drive nearly all infrastructure development.

end user costs are rarely, if ever reflected in the costs of
infrastructure deployment.

--bill


Re: Lessons from the AU model

2008-01-20 Thread bmanning

On Mon, Jan 21, 2008 at 10:46:58AM +1030, Matthew Moyle-Croft wrote:
> 
> The cost is getting out of Oz.   Once you get to Japan (Australia Japan 
> Cable) then it's not that expensive (heck cable station to Tokyo is more 
> than cable station to USA).  
> 
> Currently there are 3 cable systems out of Australia:
> 
> Southern Cross Cable (SXC) - 2 legs to the US, one via Fiji, one via NZ.
> Australia Japan Cable (AJC) - one leg from Sydney to Guam and onto Tokyo.
> SEAMEWE3 (SMW3) - Perth to Singapore (old, and expensive).
> PIPE Network is building Sydney to Guam (PPC-1) which will link up with 
> a VSNL Cable to Japan and onto the USA.
> 
> There's a rumour another cable will be built Perth to Singapore, but it's 
> been that way for years so let's see.


the perth (to anywhere else) cable systems have been planned and
eventually binned for years - truth, having been in on the planning
and design for a few of them.  the current plan seems to have
legs, but it is early days.  www.ochrenetworks.com - if all goes
according to plan, this might go live before the stabilization
of IPv4... :)

--bill

> 
> Matthew Moyle-Croft - Internode/Agile - Networks
> Level 5, 150 Grenfell Street, Adelaide, SA 5000 Australia
> Email: [EMAIL PROTECTED]  Web: http://www.on.net
> Direct: +61-8-8228-2909   Mobile: +61-419-900-366
> Reception: +61-8-8228-2999  Fax: +61-8-8235-6909
> 
>   "The difficulty lies, not in the new ideas, 
> but in escaping from the old ones" - John Maynard Keynes


Re: WG Action: Conclusion of IP Version 6 (ipv6)

2007-10-02 Thread bmanning

On Tue, Oct 02, 2007 at 01:57:15PM +, Paul Vixie wrote:
> 
> > On Oct 1, 2007, at 9:15 AM, John Curran wrote:
> > > What happens if folks can somehow obtain IPv4 address blocks
> > > but the cumulative route load from all of these non-hierarchical
> > > blocks prevents ISP's from routing them?
> 
> [EMAIL PROTECTED] (David Conrad) writes:
> > Presumably, the folks with the non-hierarchical address space that  
> > might get filtered would have potentially limited connectivity (as  
> > opposed to no connectivity if they didn't have IPv4 addresses).
> 
> i had a totally different picture in my head, which was of a rolling
> outage of routers unable to cope with "full routing" in the face of
> this kind of unaggregated/nonhierarchical table, followed by a surge
> of bankruptcies and mergers and buyouts as those without access to
> sufficient new-router capital gave way to those with such access,
> followed by another surge of bankruptcies and mergers as those who
> thought they had access to such capital couldn't make their payments.
> 
> call me a glass-half-full kind of guy, but the picture in my head in
> response to john's question is of a whole lot of network churn as the
> community jointly answers the question "who can still play in this
> world?" rather than "how useful will those new routes really be?"
> internet economics don't admit the possibility of not-full-routes, and
> so david's view that nonhierarchical routes won't be as useful as
> hierarchical makes me wonder, what isp anywhere will stay in business
> while not routing "everything" if other isp's can route "everything"?
> 
> we're all in this stew pot together.
> -- 
> Paul Vixie

stewing melds flavors, i hope we have a good chef.
that said, i'm kind of leaning toward what i think of 
as DRC's view...  but to clarify, can you tell me the
economic incentive to carry route prefixes that you will
only ever use to accept SPAM?

--bill


Re: Question on Loosely Synchronized Router Clocks

2007-09-19 Thread bmanning

 top posting to keep you alert!

 there are folks who synchronize clocks so that logs make sense.
 and those that do tend to pick a common TZ...  there is nothing
 like synchronizing logs from routers in Nepal, India, China, and LA.
 UTC can be your friend...

 wrt access to a clock source - i'd be happy to have the httpd server
 code pulled out and a GPS/802.11 timesource added to the platform
 of joy.  of course presuming that a router clock is amenable to
 an external discipline source.  Many PCs are not...

--bill


On Tue, Sep 18, 2007 at 02:40:16PM -0500, Stephen Sprunk wrote:
> 
> Thus spake "Xin Liu" <[EMAIL PROTECTED]>
> >Sorry for the confusion. Let me clarify.
> >
> >We are interested in a number of questions:
> >1. Can we assume loosely synchronized router clocks in the
> >Internet, or we have to make absolutely no assumption about
> >router clocks at all?
> 
> That assumption is _generally_ true, but not often enough that you can rely 
> on it.
> 
> >2. If the router clocks are indeed loosely synchronized, what is
> >the granularity we can assume? Particularly, we are interested in
> >whether we can assume router clocks are synchronized within
> >10 minutes.
> 
> My experience is they'll either be within a few seconds or off by several 
> days to years.  There's not much middle ground.
> 
> >3. It's always possible that a router's clock goes wrong. In
> >practice, how often does this happen?
> 
> It's unlikely to "go wrong" to any noticeable degree _if it was ever 
> correct in the first place_.  However, many people do not bother setting 
> the clocks at all (which will often result in a clock that's off by a 
> decade or more), or intentionally set them to be wrong.  A lot of folks had 
> to set their clocks back a few years around Y2k, for instance.
> 
> S
> 
> Stephen Sprunk "God does not play dice."  --Albert Einstein
> CCIE #3723 "God is an inveterate gambler, and He throws the
> K5SSS dice at every possible opportunity." --Stephen Hawking 
> 
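On the UTC point in bill's reply: the payoff of a common clock only shows up once logs from several time zones are lined up on one axis. As an added example (not from the thread; the four log lines, the router names and the collector receipt time are all constructed), this Python snippet normalises per-router timestamps to UTC, orders them, and flags any box whose clock disagrees with the collector by more than the 10 minutes Xin Liu asked about:

```python
from datetime import datetime, timezone

# Constructed sample log lines (not from the thread): router name, the router's
# own local timestamp carrying its UTC offset, then the message text.
SAMPLE_LOG = [
    "rtr-ktm 2007-09-18T14:40:16+05:45 %LINK-3-UPDOWN: Interface Serial0/0, changed state to down",
    "rtr-del 2007-09-18T14:40:20+05:30 %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Down",
    "rtr-sha 2007-09-18T17:10:09+08:00 %BGP-5-ADJCHANGE: neighbor 192.0.2.2 Down",
    "rtr-lax 2007-09-18T02:09:58-07:00 %BGP-5-ADJCHANGE: neighbor 192.0.2.3 Down",
]

# Constructed: the UTC time at which the central syslog collector received each line.
RECEIVED_AT = datetime(2007, 9, 18, 9, 10, 30, tzinfo=timezone.utc)


def parse_line(line):
    """Split a line into (host, timestamp converted to UTC, message)."""
    host, stamp, msg = line.split(" ", 2)
    local = datetime.fromisoformat(stamp)          # keeps the +HH:MM offset
    return host, local.astimezone(timezone.utc), msg


def normalize(lines):
    """Return events as (utc_iso, host, msg), ordered on the common UTC axis."""
    events = [parse_line(line) for line in lines]
    events.sort(key=lambda e: e[1])
    return [(utc.strftime("%Y-%m-%dT%H:%M:%SZ"), host, msg)
            for host, utc, msg in events]


def skew_report(lines, received_at, tolerance_s=600):
    """Per host: (seconds the router's clock lags the collector, within tolerance?).
    A large positive skew means the router thinks it is earlier than it is."""
    report = {}
    for host, utc, _ in (parse_line(line) for line in lines):
        skew = int((received_at - utc).total_seconds())
        report[host] = (skew, abs(skew) <= tolerance_s)
    return report


if __name__ == "__main__":
    for stamp, host, msg in normalize(SAMPLE_LOG):
        print(stamp, host, msg)
    for host, (skew, ok) in skew_report(SAMPLE_LOG, RECEIVED_AT).items():
        print(f"{host}: skew {skew:+d}s {'ok' if ok else 'CLOCK SUSPECT'}")
```

Read on the UTC axis, the three BGP adjacency drops land within 22 seconds of each other and the Nepal link event looks like it happened 15 minutes earlier; the skew report shows that the Nepal box's clock is simply off, which is the kind of thing that gets missed when each router logs in its own local time.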


abandon cable & the price of copper

2007-09-13 Thread bmanning


this might be a revenue stream ...


--bill


Re: Route table growth and hardware limits...talk to the filter

2007-09-11 Thread bmanning

On Mon, Sep 10, 2007 at 10:16:17AM -0500, Stephen Sprunk wrote:
> 
> Thus spake "Jon Lewis" <[EMAIL PROTECTED]>
> >The trouble is, it turns out there are a number of networks where
> >CIDR isn't spoken.  They get their IP space from their RIR, break
> >it up into /24s, and announce those /24s (the ones they're using
> >anyway) into BGP as /24s with no covering CIDR.
> 
> IMHO, such networks are broken and they should be filtered.  If people 
> doing this found themselves unable to reach the significant fraction of the 
> Net (or certain key sites), they would add the covering route even if they 
> were hoping people would accept their incompetent/TE /24s.

well, your assumption about how prefixes are used might be
tempered with the thought that some /24s are used for
interconnecting ISPs at exchanges...

and for that matter it seems a lazy ISP that passes the buck
on "routability" to an org that runs no transit infrastructure.
RIRs (well, ARIN anyway) have NEVER assured routability of
a delegated prefix.  Tracking filters based on RIR delegation
policy seems like a leap to me...

--bill

> 
> Stephen Sprunk "God does not play dice."  --Albert Einstein


Re: shameful-cabling gallery of infamy - does anybody know where it went?

2007-09-05 Thread bmanning

> http://www.tux.org/wb8foz/66-666/a.jpg
> 
> ah, security through obscurity, a time honored strategy!
> 
> - lucy
> 

residents are not allowed phones?

--bill


Re: Congestion control train-wreck workshop at Stanford: Call for Demos

2007-09-03 Thread bmanning

On Mon, Sep 03, 2007 at 09:37:46PM -0400, John Curran wrote:
> 
> At 9:21 PM -0400 9/3/07, Joe Abley wrote:
> >
> >Is there a groundswell of *operators* who think TCP should be replaced, and 
> >believe it can be replaced?
> 
> Just imagine *that* switchover, with the same level of
> transition planning as we received with IPv6...
> ;-)
> /John

well, if you let the IETF do it...

--bill


Re: "2M today, 10M with no change in technology"? An informal survey.

2007-08-29 Thread bmanning

On Wed, Aug 29, 2007 at 06:48:43PM -0400, Jon Lewis wrote:
> 
> On Mon, 27 Aug 2007, David Conrad wrote:
> 
> >For a few more months.  What are upgrade cycles like again?  How common 
> >are the MSFC2s?
> 
> I think we'll find out in a few months, when the "internet breaks" in a 
> whole bunch of places where the admins aren't aware of this issue or 
> operations have been downsized to the point that things are mostly on 
> auto-pilot.  I'm guessing there are a good number of Sup2's in use, and 
> that a good % of them think they're fine...as they have 512MB RAM and on 
> the software based routers, that's plenty for current full BGP routes.

private replies suggest (w/ lots of handwaving) that perhaps 20-35%
of the forwarding engines in use might fit this category.

> Anyone want to bet there will be people posting to nanog and cisco-nsp in 
> a few months asking why either the CPU load on their Sup2's has suddenly 
> shot up or why they keep noticing parts of the internet have gone 
> unreachable?...oblivious to this thread.

that would be a sucker bet

> --
>  Jon Lewis   |  I route

--bill


Re: too many variables

2007-08-09 Thread bmanning

On Thu, Aug 09, 2007 at 02:56:31PM -0400, Patrick Giagnocavo wrote:
> 
> 
> On Aug 9, 2007, at 12:21 PM, [EMAIL PROTECTED] wrote:
> 
> > so putting a stake in the ground, BGP will stop working @ around
> > 2,500,000 routes - can't converge...  regardless of IPv4 or IPv6.
> > unless the CPU's change or the convergence algorithm changes.
> 
> That is a pretty big "unless" .

sure... how often do you completely swap out all your router
processors?  anyone running something other than BGP4? (BGP3
and EGP don't count)  


> 
> Cordially
> 
> Patrick Giagnocavo
> [EMAIL PROTECTED]
> 
> 


Re: An Internet IPv6 Transition Plan

2007-07-24 Thread bmanning

On Tue, Jul 24, 2007 at 10:59:34AM -0400, Durand, Alain wrote:
>  
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] 
> > [mailto:[EMAIL PROTECTED] 
> 
> > > 1) What is the IPv6 'service'?
> > >For example, is it reasonable to define a 'basic' level
> > >service as web+mail and an 'extended' service as 
> > everything else?   
> > > 
> > 
> > actually, for some of us there is the thought that before 
> > the "basic" service of web+email can work at all, one needs
> > to have a couple of other infrastructure pieces in play, 
> > namely DNS and NTP... Oh, and the routing to knit these
> > services together.
> 
> Sure, this is very important... but I was talking about the "user
> experience".
> 
>   - Alain.

good point.  there are "levels" of basic services.
i suspect that the network operations folks would want
to have working viable v6 (naming, timestamps, audit,
measurement) running -before- turning up production
"basic" service for the "user experience".

assuming that is the case, what things do these assembled
operators think are critical for operational stability
in bringing online a new address family?

Randy had a non-exhaustive list at the last IEPG.  To memory:
MIB, , DNS, NTP, SYSLOG, DHCP, RADIUS,
CALEA, etc. 

--bill



Re: An Internet IPv6 Transition Plan

2007-07-24 Thread bmanning

On Tue, Jul 24, 2007 at 01:41:18AM -0400, Durand, Alain wrote:
> 
> John,
> 
> Thank you for writing this down, this will help start the discussion.
> 
> One of the things that is missing IMHO is that there is no clear vision
> of what the IPv6 Internet will/should looks like. Let me focus on the
> residential
> broadband for a minute, I'm fully aware there are other cases, but let's
> start somewhere.
> 
> 1) What is the IPv6 'service'?
>For example, is it reasonable to define a 'basic' level
>service as web+mail and an 'extended' service as everything else?   
> 

actually, for some of us there is the thought that before 
the "basic" service of web+email can work at all, one needs
to have a couple of other infrastructure pieces in play, 
namely DNS and NTP... Oh, and the routing to knit these
services together.

--bill


verizon

2007-07-16 Thread bmanning


Industry consolidation denied.

http://www.bloomberg.com/apps/news?pid=20601103&sid=aeIORwl_Y1WA&refer=us&sa_campaign=search_engine/feedcast/google/Bloomberg_US/verizon


--bill


[EMAIL PROTECTED]: [arin-announce] ARIN Board Advises Internet Community on Migration to IPv6]

2007-05-21 Thread bmanning


this might be of interest to the operator community.

--bill

- forwarded ---


ARIN and the other Regional Internet Registries have distributed 
Internet Protocol version 6, IPv6, alongside IPv4 since 1999.  To date, 
ARIN has issued both protocol versions in tandem and has not advocated 
one over the other. ARIN has closely monitored trends in demand and 
distribution for both protocol versions with the understanding that the
IPv4 available resource pool would continue to diminish.

The available IPv4 resource pool has now been reduced to the point that 
ARIN is compelled to advise the Internet community that migration to 
IPv6 is necessary for any applications that require ongoing availability 
from ARIN of contiguous IP number resources.

On 7 May 2007, the ARIN Board of Trustees passed the following resolution:

RESOLUTION OF THE BOARD OF TRUSTEES OF ARIN ON INTERNET PROTOCOL 
NUMBERING RESOURCE AVAILABILITY

WHEREAS, community access to Internet Protocol (IP) numbering Resources 
has proved essential to the successful growth of the Internet; and,

WHEREAS, ongoing community access to Internet Protocol version 4 (IPv4) 
numbering resources can not be assured indefinitely; and,

WHEREAS, Internet Protocol version 6 (IPv6) numbering resources are 
available and suitable for many Internet applications,

BE IT RESOLVED, that this Board of Trustees hereby advises the Internet 
community that migration to IPv6 numbering resources is necessary for 
any applications which require ongoing availability from ARIN of 
contiguous IP numbering resources; and,

BE IT ORDERED, that this Board of Trustees hereby directs ARIN staff to 
take any and all measures necessary to assure veracity of applications 
to ARIN for IPv4 numbering resources; and,

BE IT RESOLVED, that this Board of Trustees hereby requests the ARIN 
Advisory Council to consider Internet Numbering Resource Policy changes 
advisable to encourage migration to IPv6 numbering resources where possible.

Implementation of this resolution will include both internal and 
external components. Internally, ARIN will review its resource request 
procedures and continue to provide policy experience reports to the 
Advisory Council. Externally, ARIN will send progress announcements to 
the ARIN community as well as the wider technical audience, government 
agencies, and media outlets. ARIN will produce new documentation, from 
basic introductory fact sheets to FAQs on how this resolution will 
affect users in the region. ARIN will focus on IPv6 in many of its 
general outreach activities, such as speaking engagements, trade shows, 
and technical community meetings.

For more information visit the IPv6 Information Center at: 
http://www.arin.net/v6/v6-info.html.

Regards,

Raymond A. Plzak
President and CEO
American Registry for Internet Numbers (ARIN)


- End forwarded message -


Re: Interesting new dns failures

2007-05-21 Thread bmanning

On Sun, May 20, 2007 at 10:19:30PM -0700, Roger Marquis wrote:
> 
> >>All the same, it would seem to be an easy and cheap abuse to address,
> >>at the gtlds.  Why are these obvious trojans are being propagated by
> >>the root servers anyhow?
> >
> >the root servers are responsible how exactly for the fast-flux issues?
> >Also, there might be some legittimate business that uses something like
> >the FF techniques... but, uhm... how are the root servers involved again?
> 
> Nobody's saying that the root servers are responsible, only that they
> are the point at which these domains would have to be squelched. In
> theory registrars could do this, but some would have a financial
> incentive not to. Also I don't believe registrars can update the roots
> quickly enough to be effective (correct me if I'm wrong).

ok... so you suggest that the roots squelch these domains?
i check the contents of the root zone and find that the closest
the roots come to being able to squelch these zones is to 
remove .com from the zone (since these other entries are not in 
the root but in the com zone).  

if you can get consensus to remove .com, i'm sure the roots would
be willing to help out.

--bill

> 
> Given the obvious differences between legitimate fast flux and the
> pattern/domains in question it would seem to be a no-brainer,
> technically at least.
> 
> -- 
> Roger Marquis
> Roble Systems Consulting
> http://www.roble.com/


Re: BOGON Announcement question

2007-04-30 Thread bmanning

On Mon, Apr 30, 2007 at 11:16:03AM -0400, Jon Lewis wrote:
> 
> On Mon, 30 Apr 2007, Jason Lewis wrote:
> 
> >I'm seeing this announced at CIXP
> >
> >Collector: CIXP
> >Prefix:   128.0.0.0/2
> >Last update time:   2007-04-27 07:36:30Z
> >Peer:  192.65.185.140
> >Origin:  29222
> >
> >My question is, why am I not seeing more issues because of the 
> >announcement? Is it just not propagating out of the exchange?  It's been 
> >announced for a few days and only seems to appear at the exchange.
> 
> It's so 'non-specific', all it's going to catch is traffic for 
> destinations for which there is no route in the global table.  i.e. it's 
> likely nobody would notice it (nothing broken) unless looking for it.
> 
> --
>  Jon Lewis   |  I route

The Ghost of Peter nee Sprint, 1995 has returned.

--bill
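Jon's point - that a /2 only attracts traffic for destinations that have no more specific route - is longest-prefix matching at work. As an added illustration (not from the thread; the table below is constructed, and the 130.1.0.0/16, 130.1.5.0/24 and 192.65.184.0/22 entries with their next-hop names are made up), here is a small Python model of the lookup:

```python
import ipaddress

# Constructed sample RIB (not a real table): a few specific prefixes plus the
# 128.0.0.0/2 announcement from the thread.  A /2 covers the whole
# 128.0.0.0 - 191.255.255.255 range, far less specific than anything an
# operator normally carries.
CONSTRUCTED_RIB = {
    "128.0.0.0/2":     "AS29222 via exchange peer",  # the non-specific announcement
    "130.1.0.0/16":    "transit B",                  # constructed
    "130.1.5.0/24":    "customer C",                 # constructed, inside the /16
    "192.65.184.0/22": "exchange fabric",            # constructed, outside the /2
}


def build_table(rib):
    """Parse prefixes once and order them longest-prefix first, so a linear
    scan returns the most specific matching route (what a FIB lookup does)."""
    table = [(ipaddress.ip_network(p), nh) for p, nh in rib.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup(table, dst):
    """Longest-prefix match: the first hit in the length-sorted table wins."""
    addr = ipaddress.ip_address(dst)
    for net, next_hop in table:
        if addr in net:
            return str(net), next_hop
    return None  # no route at all


def captured_by(table, prefix, destinations):
    """Which of `destinations` are actually forwarded along `prefix`?
    Only addresses with no more specific route end up here."""
    hits = []
    for dst in destinations:
        match = lookup(table, dst)
        if match is not None and match[0] == prefix:
            hits.append(dst)
    return hits


TABLE = build_table(CONSTRUCTED_RIB)

if __name__ == "__main__":
    probes = ["130.1.5.7", "130.1.9.9", "192.65.185.140", "150.0.0.1", "10.0.0.1"]
    for dst in probes:
        print(dst, "->", lookup(TABLE, dst))
    print("captured by 128.0.0.0/2:", captured_by(TABLE, "128.0.0.0/2", probes))
```

Of the five probes only 150.0.0.1, which has no other covering route, is forwarded along the /2; everything inside a real announcement keeps going where it went before, which is why such a leak goes unnoticed unless somebody looks for it.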


Re: from the academic side of the house

2007-04-29 Thread bmanning

On Sun, Apr 29, 2007 at 01:57:26PM +0200, JP Velders wrote:
> On Tue, 24 Apr 2007 [EMAIL PROTECTED] wrote:
> 
> > Date: Tue, 24 Apr 2007 15:36:51 +
> > From: [EMAIL PROTECTED]
> > Subject: from the academic side of the house
> 
> > For the first set of IPv6 records, a team from the University of Tokyo, WIDE
> > Project, NTT Communications, JGN2, SURFnet, CANARIE, Pacific Northwest
> > Gigapop and other institutions collaborated to create a network path over
> > 30,000 kilometers in distance, crossing 6 international networks - over 3/4
> > the circumference of the Earth. In doing so, the team successfully
> > transferred data in the single and multi-stream categories at a rate of 7.67
> > Gbps which is equal to 230,100 terabit-meters per second (Tb-m/s).  This
> > record setting attempt leveraged standard TCP to achieve the new mark.
> 
> Mind you, those crazy Japanese do this every year between christmas 
> and newyear... ;) Most of the pipes they used also carry other 
> research traffic throughout most of the year... This year was even 
> more cumbersome because of some issues with the OC192's between 
> Amsterdam and the USA...
> 
> Kind regards,
> JP Velders

we -love- the crazy Japanese doing this kind of stuff.
the US folks seemed to have lost momentum in the past decade.
while the pipes do get re-purposed on a regular basis, they
do tend to shake out interoperability problems, as you note above.

me, i await the spiral loop that includes the southern 
hemisphere ...

--bill


from the academic side of the house

2007-04-24 Thread bmanning


For the first set of IPv6 records, a team from the University of Tokyo, WIDE
Project, NTT Communications, JGN2, SURFnet, CANARIE, Pacific Northwest
Gigapop and other institutions collaborated to create a network path over
30,000 kilometers in distance, crossing 6 international networks - over 3/4
the circumference of the Earth. In doing so, the team successfully
transferred data in the single and multi-stream categories at a rate of 7.67
Gbps which is equal to 230,100 terabit-meters per second (Tb-m/s).  This
record setting attempt leveraged standard TCP to achieve the new mark.

The next day, the team used a modified version of TCP to achieve an even
greater record. Using the same 30,000 km path, the network was able to
achieve a throughput of 9.08 Gbps which is equal to 272,400 Tb-m/s for both
the IPv6 multi and single stream categories. In doing so, the team surpassed
the current IPv4 records, proving that IPv6 networks are able to provide the
same, if not better, performance as IPv4.

--bill


Re: IP Block 99/8 (DHS insanity - offtopic)

2007-04-23 Thread bmanning

On Mon, Apr 23, 2007 at 05:23:03PM -0400, Sandy Murphy wrote:
> 
> You might try taking a look at the various presentations at NANOG/RIPE/ARIN/
> APNIC/APRICOT about the whole idea.  Central point: the entity that gives
> you a suballocation of its own address space signs something that says you
> now hold it.
> 
> No governments involved.
> 
> --Sandy Murphy

no problemo...  when i hand out a block of space, i'll expect
my clients to hand me a DS record ...  then I sign the DS.
and I'll hand a DS to my parent, which they sign.
That works a treat today (if you run current code)
and gives you exactly what you describe above.

Oh, you want the prefix attestation to be used for something
other than attestation as to who holds a given prefix?

you want to attest to the "routability" of said prefix?
that's a bit more than a simple attestation of responsibility,
IMHO of course.

--bill
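The DS hand-off bill describes - the child hands its parent a DS, the parent signs and publishes it - rests on the DS being a hash of the child's DNSKEY, so anyone can check that the pointer in the parent really designates the key in the child. As an added example (not from the thread, and not a real key: the zone name child.example. and the public-key bytes are constructed), here is the RFC 4034 DS computation with SHA-256 (digest type 2) and the check a parent, or a validator, performs before trusting the pointer:

```python
import hashlib

# Constructed: a key-signing DNSKEY for child.example.  Flags 257 = zone key
# + SEP bit, protocol 3, algorithm 8 (RSASHA256).  The public key bytes are
# a made-up placeholder, not a real RSA key.
CHILD_ZONE = "child.example."
CHILD_KSK_PUBKEY = bytes(range(1, 65))


def wire_name(name):
    """Owner name in canonical (lowercase) wire format, e.g. 'example.' -> b'\\x07example\\x00'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum over the RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata):
    """DS digest = SHA-256(owner name in wire format | DNSKEY RDATA)."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()


def make_ds(owner, rdata):
    """What the child hands up: (key tag, digest type 2 = SHA-256, digest)."""
    return (key_tag(rdata), 2, ds_digest(owner, rdata))


def ds_matches(owner, rdata, ds):
    """The parent's (or a validator's) check: does this DS designate this DNSKEY?"""
    tag, dtype, digest = ds
    if dtype != 2:
        return False  # only SHA-256 handled in this example
    return key_tag(rdata) == tag and ds_digest(owner, rdata) == digest


CHILD_KSK = dnskey_rdata(257, 3, 8, CHILD_KSK_PUBKEY)

if __name__ == "__main__":
    ds = make_ds(CHILD_ZONE, CHILD_KSK)
    print(f"{CHILD_ZONE} DS {ds[0]} 8 {ds[1]} {ds[2]}")
    print("parent accepts DS for real key:", ds_matches(CHILD_ZONE, CHILD_KSK, ds))
    forged = dnskey_rdata(257, 3, 8, CHILD_KSK_PUBKEY[:-1] + b"\xff")
    print("parent accepts DS for other key:", ds_matches(CHILD_ZONE, forged, ds))
```

Signing the DS in the parent zone is a separate step (an RRSIG over the DS RRset) and needs the parent's private key; the part shown here is the binding itself, which is what makes the hand-off described above an attestation of who holds the name rather than of anything else.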


Re: IP Block 99/8

2007-04-20 Thread bmanning

On Fri, Apr 20, 2007 at 01:54:37PM -0400, Shai Balasingham wrote:
> 
> Hi,
> 
> I am Shai from Rogers Cable Inc. ISP in Canada. 
> 
> We own the following blocks:
> 
> 99.224.0.0/12
> 99.240.0.0/13
> 99.248.0.0/14
> 99.252.0.0/16
> 99.253.128.0/19
> 
> Shai.

Own?  ARIN gave you title?

--bill


counting the cost

2007-04-12 Thread bmanning


thanks ferg - and the local FBI concurs.

http://www.tech-404.com/calculator.html

--bill


Re: America takes over DNS

2007-04-02 Thread bmanning

On Mon, Apr 02, 2007 at 07:45:08AM -0700, David Conrad wrote:
> 
> Hi,
> 
> >Wouldn't the holder of these keys be the only ones able to spoof  
> >DNSSEC?
> 
> Yes.  This is an assumption of DNSSEC, regardless of who signs the  
> root.  The implication of this (and the fact that emergency key  
> rollover requires everyone on the planet with a validating resolver  
> to update the root trust key manually) is that protecting the root  
> key signing key is a bit important.
> 
> Rgds,
> -drc

one important attribute of key roll would seem to be 
the lack of a "flag-day". ...  there are at least a 
couple of proposals that mitigate that particular risk.

--bill


Re: Ethernet won (was: RE: [funsec] Not so fast, broadband...)

2007-03-14 Thread bmanning

On Wed, Mar 14, 2007 at 10:50:19AM -0500, Stephen Sprunk wrote:
> Thus spake <[EMAIL PROTECTED]>
> >perhaps not.  but there is a real issue w/ the number
> >of businesses that operate from the home (according to
> >some numbers this is as high as 65% of all US business)
> >and the telcos still retain a mindset of business areas
> >and residential areas.  It is not possible to get some
> >"business services" deployed in a "residential" area.
> ...
> >persuading a telco, one home-based business at a time,
> >that regardless of the zoning - there are really 65% of
> >those apartments running businesses and want business-class
> >services is an exercise in futility.
> 
> It depends what "business" services you mean.  If you want a T1 or SONET 
> pipe, yeah, you're going to hit a serious wall even if the fiber runs 
> through your property.
> 
> However, most telcos have "business" DSL and "residential" DSL, and the 
> physical layer is the same (ditto for cable, all the way back to @Home vs 
> @Work).  The only differences are the AUP, the price tag, and the ability 
> to get static IPs.  Expect to pay 2-3x for the same bit rate; higher 
> bitrates may be available with "business" service, but the upload rates 
> still suck because their gear is designed for consumers.  Sticking with 
> "residential" service for your home office will pay for basic server colo 
> space somewhere else, and you'll get more for your money.
> 
> S
> 
> Stephen Sprunk  "Those people who think they know everything
> CCIE #3723 are a great annoyance to those of us who do."
> K5SSS --Isaac Asimov 
> 

dark/dim glass - don't want SONET, too expensive.  want
1g - 10G to the meet-me.  I should move to Stockholm, Tokyo,
Seoul, or some other enlightened place that sees that type 
of service in a viable business model.  No bundling please.

--bill


Re: Ethernet won (was: RE: [funsec] Not so fast, broadband...)

2007-03-14 Thread bmanning

On Wed, Mar 14, 2007 at 03:42:32AM +, Fergie wrote:
> 
> Perhaps, depending on the last-mile and the consumer/business
> distinction, but up through the late 90's, all that was available
> to consumers (at best) was ISDN in Bell Atlantic territory -- at
> least in Northern Virginia. I left that area around 2000.
> 
> >If you've got the money, they've got the ethernet for you.
> >
> >Unfortunately, "I want it" isn't a good business case.
> >
> 
> True enough, and let's not confuse "business services" with
> "consumer services." The telcos/cablecos don't. :-)
> 
> - - ferg

perhaps not.  but there is a real issue w/ the number
of businesses that operate from the home (according to 
some numbers this is as high as 65% of all US business)
and the telcos still retain a mindset of business areas
and residential areas.  It is not possible to get some
"business services" deployed in a "residential" area.

For example, the new AT&T wanted to charge me 45,000.00
for a 120meter build into my home...  it was cheaper 
to lease office space and then they did the buildout
for free. The MRC was/is the same.  The point being,
there are artificial constructs that define where "business"
and "consumer/residential" services can be offered.

persuading a telco, one home-based business at a time,
that regardless of the zoning - there are really 65% of
those apartments running businesses and want business-class
services is an exercise in futility.

--bill


Re: 96.2.0.0/16 Bogons

2007-02-27 Thread bmanning

On Wed, Feb 28, 2007 at 07:49:40AM +0800, Randy Bush wrote:
> [EMAIL PROTECTED] wrote:
> > On Tue, Feb 27, 2007 at 08:25:13AM +0900, Randy Bush wrote:
> >>> i know its all the rage to post/shame the offending parties (those
> >>> whois filtering policies don't reflect our own)
> >> bull
> >>
> >> we are trying to validate experimental results.  sorry if that
> >> offends you or you do your research result validation differently.
> >>
> > 
> > none taken... although "name/shame" as a technique for
> > validating experimental results is a tried & true method,
> > an equally valid technique is to look in the other direction
> > and praise/name those whose practices match your expected
> > results. ...  i'd prefer to see the full curve, not just the
> > sigma-six folks on the left side.
> 
> your issues might be better based if you knew anything about what was
> happening instead of shooting off mouth in dark.
> 
> as i already said, but somehow you missed.  preso will be this afternoon
> (gmt+8).  i will try to post a pointer here.
> 
> randy

your interpersonal skills are improving.
will be interesting in the reported progress of your experiments.

--bill (gmt+10)


Re: 96.2.0.0/16 Bogons

2007-02-27 Thread bmanning

On Tue, Feb 27, 2007 at 08:25:13AM +0900, Randy Bush wrote:
> > i know its all the rage to post/shame the offending parties (those
> > whois filtering policies don't reflect our own)
> 
> bull
> 
> we are trying to validate experimental results.  sorry if that
> offends you or you do your research result validation differently.
> 
> randy

none taken... although "name/shame" as a technique for
validating experimental results is a tried & true method,
an equally valid technique is to look in the other direction
and praise/name those whose practices match your expected
results. ...  i'd prefer to see the full curve, not just the
sigma-six folks on the left side.


--bill


Re: 96.2.0.0/16 Bogons

2007-02-26 Thread bmanning


i know its all the rage to post/shame the offending parties (those whois
filtering policies don't reflect our own) - BUT -   how hard would it be
for you perl jocks to publish the ASNs of the "good guys"

--bill


Re: DNS: Definitely Not Safe?

2007-02-14 Thread bmanning

On Wed, Feb 14, 2007 at 04:22:44PM -0200, MARLON BORBA wrote:
> 
> mea culpa, mea maxima culpa :-(
> my intention, when suggested that reading, was to get your attention about 
> that recent attack which targeted DNS top-level servers and to listen your 
> opinions.
> i promise not to post porn, ops, FUD material to nanog again.
> 
> 
> 
> Regards,
> 
> Marlon Borba, CISSP, DataCenter Associate
> Judicial Technician - Information Security
> TRF 3ª Região
> (11) 3012-1683
> --
> 1997-2007 - Ten Years of DSUP.
> Knowledge Generating Solutions.
> --

what is interesting to me is the "ripple" effect - kind of like the
children's game of "telephone".  second, third, and fourth hand
interpretation of the events allows the reporter to project their own
worst nightmares onto the event ...  for some, its a way to raise the
specter of fear, giving them credence or the opportunity to market their
particular services to the huddled, fearful masses.

and to borrow a line from another bit of this thread, http and dns are
both applications.  applications are vulnerable to attacks that exploit
the underlying protocols.  the BEST we can do, w/o replacing IP & TCP/UDP
is instrument the applications to alert us that there is a problem.  And
the actions you (as the target of packet love) take may make your local
life manageable, (compartmentalization) can have devastating impact on
your peers/neighbors.

so don't worry, your posts seem fine to me

--bill


Re: death of the net predicted by deloitte -- film at 11

2007-02-12 Thread bmanning

On Mon, Feb 12, 2007 at 06:42:06AM -0500, Joe Abley wrote:
> 
> 
> On 12-Feb-2007, at 09:23, Brandon Butterworth wrote:
> 
> >Sure it degrades to effective unicast if too few people watch the same
> >channel in the same area (so just use unicast for those channels), that
> >doesn't mean it's no use for the popular channels that have millions of
> >viewers.
> 
> I think you're presupposing that the concept of "channels" is
> something that will persist.
> 
> 
> Joe

perhaps you have too narrow a view of what a channel is?

--bill


Re: what the heck do i do now?

2007-02-01 Thread bmanning

On Thu, Feb 01, 2007 at 12:08:32PM -0800, Scott Weeks wrote:
> 
>  [EMAIL PROTECTED] wrote:---
> From: "Michael Froomkin - U.Miami School of Law" <[EMAIL PROTECTED]>
> 
> As an, ahem, lawyer, I think what you do and how you do it matter a lot 
> ...
> Pulling a plug after reasonable/lots of warnings (did you miss anyone? how 
> do you know for sure?) is on the safer end of the legal spectrum.
> 
> 
> Matters a lot?  In what country's legal spectrum?  Or did you assume the 
> queries are US-based only?  Or are you suggesting he treat US-based queries 
> differently than the rest of the world?  Or are you speaking from US-centric 
> tunnel vision?
> 
> scott

One might infer that since the service Paul offered and is considering
making changes to might reside in the US, and that (presumably) Paul
is a US national, that US legal interpretation might have some sway
in the matter.

Or not. 

--bill
quoting Jamie... "I reject your reality and substitute my own."


Re: 4 Byte AS tested

2007-01-11 Thread bmanning

 in early feb, we will be announcing "B" root from a 32bit ASN.
 we expect this to be persistent.

--bill


On Fri, Jan 12, 2007 at 08:45:02AM +1000, George Michaelson wrote:
> 
> 
> If I can answer, yes, APNIC expects to deploy a node in Japan in the
> near future for more persistent testing of this kind of thing. -The
> equipment is just being commissioned.
> 
> Other experiments may be done before then of course.
> 
> cheers
> 
> -george


layer nine sandbox

2006-12-15 Thread bmanning


so, like unto the "suppress lawyers" subthread in recent days...
i offer up this little tidbit.  



Hi All

For info, ICANN is seeking public comments on proposed Terms of Reference,
which detail questions that would guide the independent review of ICANN's
Nominating Committee. The public comment period will last from 12 December
2006 to 11 January 2007. Send comments to: <[EMAIL PROTECTED]>.
View comments at: .

http://www.icann.org/announcements/announcement-12dec06.htm 





Re: Curious question on hop identity...

2006-12-14 Thread bmanning

> 
> Besides, why do you believe the text in an in-addr.arpa record?  Or why do 
> you think the absence of an in-addr.arpa record is meaningful?
> 

'cause i am a trusting sort... i tend to believe the DNS.
even more so when i can validate the signed replies... 
the absence of DNS entries (forward or reverse) leads me
to believe that address literals are still a useful attribute...
(although I find it tough to justify using octal representations)

--bill


Re: Curious question on hop identity...

2006-12-14 Thread bmanning

 i'm sure someone knows -exactly- what those two hops are, but they may
 not be willing to say. 
 http://lists.elistx.com/archives/interesting-people/200605/msg00250.html
 might be an explanation for the paranoid.

--bill


On Thu, Dec 14, 2006 at 07:24:52AM +, Fergie wrote:
> 
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> This may be far afield insofar as topic fodder, but I am curious
> if anyone knows exactly what these two hops [9] [10] below,
> actually are? 
> 
> [snip]
> 
>  [...]
> 
>   5   165 ms   161 ms   183 ms  10g-9-1-ur04.sanjose.ca.sfba.comcast.net [68.87.192.49]
>   6   155 ms   156 ms   149 ms  10g-7-1-ur03.sanjose.ca.sfba.comcast.net [68.87.192.41]
>   7 **  163 ms  10g-9-1-ar01.sfsutro.ca.sfba.comcast.net [68.87.192.37]
>   8   161 ms   157 ms * 68.87.226.130
>   9   169 ms   185 ms   171 ms  12.116.90.17
>  10   197 ms   198 ms   196 ms  12.122.114.66
>  11   157 ms   169 ms   175 ms  ggr3-ge110.sffca.ip.att.net [12.122.82.169]
>  12   145 ms   149 ms   148 ms  192.205.33.82
>  13   182 ms   196 ms   209 ms  ae-2-54.bbr2.SanJose1.Level3.net [4.68.123.97]
>  14   344 ms   332 ms   339 ms  as-0-0.mp2.Stockholm1.Level3.net [4.68.128.70]
>  15   330 ms   343 ms   390 ms  ge-1-1.car2.Stockholm1.Level3.net [4.68.96.226]
> 
>  [...]
> 
> 
> [snip]
> 
> I have asked SBC/AT&T folks and received no reply at all...
> 
> Cheers,
> 
> - - ferg
> 
> 
> 
> --
> "Fergie", a.k.a. Paul Ferguson
>  Engineering Architecture for the Internet
>  fergdawg(at)netzero.net
>  ferg's tech blog: http://fergdawg.blogspot.com/
> 


Re: Bogon Filter - Please check for 77/8 78/8 79/8

2006-12-11 Thread bmanning

On Mon, Dec 11, 2006 at 08:40:41AM -0600, Jack Bates wrote:
> 
> Allan Houston wrote:
> >This probably isn't helped much by sites like completewhois.com still 
> >showing these ranges as bogons..
> >
> >http://www.completewhois.com/bogons/active_bogons.htm
> >
> >They've ignored all my attempts to get them to update so far.. sigh..
> >
> 
> They just need someone using the address space to slap them with a lawsuit.
> 
> Jack Bates


lawsuit?  where does it say that someone MUST accept routes or
listen to a self-appointed authority?

--bill


Re: anycasting behind different ASNs?

2006-12-06 Thread bmanning

On Wed, Dec 06, 2006 at 09:38:10AM -0800, matthew zeier wrote:
> 
> 
> Are there any practical issues with announcing the same route behind 
> different ASNs?

there are any number of self-appointed routing police
who will instruct you on their particular brand of 
correct behaviour.
> 
> Shortly I'll have two seperate sites (EU, US) announcing their own space 
> behind their own ASNs but have a desire to anycast a particular network 
> out of both locations as well.
> 
> (This is just my attempted to now have to deal with GRE tunnels between 
> sites that aren't logically connected anyways and using the same ASN).

this is done today for the AS112 servers.

--bill


Re: Reasons for attendance drop off

2006-12-05 Thread bmanning

On Mon, Dec 04, 2006 at 01:09:40PM -0800, William B. Norton wrote:
> On 12/4/06, Martin Hannigan <[EMAIL PROTECTED]> wrote:
> >Focusing on expense is a short term way to manage a loss in the
> >front end, the bottom line. It would be useful to talk about
> >solutions that drive attendance, IMHO.
> 
> I agree and would like to see if we can brainstorm some ideas that
> might spur discussions, other ideas, etc.
> 
> 1) Provide a mechanism for vendors to send to NANOG a box of schwag
> (Tshirts, USB memsticks, USB disks loaded with freeware, product
> literature, whatever). This might provide a subtle enticement to get a
> NANOG vendor kit.  I know some people purposely bring a bag with too
> few clothes with the expectation of getting tshirts to wear on the way
> home.

since you can't register w/o specifying a shirt size,
this is not an unreasonable assumption.

> 
> 2) Identify/recruit Adhoc Working Groups that may be for small public
> groups, and provide sign-outable breakout rooms for these meetings.
> This would leverage the "we are all in the same place at the same
> time" aspect of NANOG, and facilitate additional value for the
> attendees that attend these meetings. Their alternative might be going
> out to dinner, which may or may not work as well. I guess the addition
> here as compared with previous break out rooms is to assign a schedule
> (time and a meeting name, a facilitator) to allocated meetings and
> descriptions of the meeting.

for me, NANOG is mostly irrelevant to me, I'm not a "Tier-X" ISP,
and my networking needs only tangentially involve the 2x32 routes,
MPLS/circuit switching @ 100Gb, or the like.  So if I come to
NANOG, its to (borrowing from friend Gibbard) get a new/fresh
perspective on topics that are interesting to me.

> 
> >I would hope that there is plan in place to address this for the
> >Toronto meeting.

--bill


Re: How to get a list of research and academic ISP ?

2006-11-15 Thread bmanning

On Wed, Nov 15, 2006 at 06:46:06PM +0100, Maciej Kurant wrote:
> Dear all,
> 
>  
> 
> I am a PhD student at EPFL, Switzerland. My recent research interest is in
> large scale differences between the commercial and academic parts of the
> Internet. 
> 
>  
> 
> Of course, in order to perform this kind of studies I need a way to
> distinguish between these two worlds. I've learnt that Abilene does not
> provide commercial connectivity. This means that BGP prefixes and AS paths
> announced by Abilene BGP routers should lead only to research and academic
> destinations. 

that might be a flawed assumption. 

> I have extracted (from the BGP tables at
> http://abilene.internet2.edu/observatory) a list of all such destinations
> and obtained 1333 ASes (for data form July 2006). The number looks
> reasonable, but I would like to be sure that I am not making a mistake.
> Therefore I would be grateful if you could answer the following questions: 
> 
>  
> 
> 1)   Is this approach to obtain a list of research and academic ISPs
> correct?
> 2)   Do you maybe know of such lists compiled before? 

yes, check the NLANR/CAIDA data and the old MERIT/ISI datasets
for NSFnet-era policy splits.

> 3)   If I keep not only the destination ASes, but also all ASes on the
> AS paths towards these destination I obtain a list of about 1400 ASes. How
> should I understand this? Does it mean that some research and academic
> destinations are reachable from Abilene only by traversing the commercial
> Internet?
> 
> 4)   Of course, research and academic ASes are often well connected to
> the commercial Internet. My guess is that in most cases their peering
> relationship is "customer-provider", where commercial ASes are providers. Is
> it possible that an academic AS is a provider for some commercial ASes? If
> so, does it happen often?

some universities have "startup" entities that are spun up under the
purview of the university.  imho, its not common, but does happen.
 
>  
> 
> Thank you in advance for your comments.
> 
> Maciej Kurant
> 
>  
> 
>  
> 
>  
> 
> =
> 
>  
> 
> EPFL IC ISC LCA3
> 
> Maciej Kurant
> 
> PhD Student
> 
> CH-1015 Lausanne, Switzerland
> 
>  
> 
> web site:    http://lcawww.epfl.ch/kurant
> 
>  
> 
> =
> 
>  
> 


Re: UUNET issues?

2006-11-05 Thread bmanning

On Sun, Nov 05, 2006 at 03:39:57AM +, Chris L. Morrow wrote:
> > On Nov 4, 2006, at 7:54 PM, Herb Leong wrote:
> >
> > >
> > > Hi,
> > >
> > >   Anyone being impacted by UUNET?
> 
> I'm fairly sure I'm not the only one who's said this in the last (pick a
> months long period of time, I'll guess 6): "Could you be any less
> descriptive of the problem you are seeing?"

Perhaps he should see a dentist?

"Wisdom Teeth are impacted, people are affected by the effects of events."
from Rick Jones sig...  

--bill


Re: Collocation Access

2006-10-23 Thread bmanning

> Security by its nature is not fun, not productive, a drain on 
> resources and time.  Security is something we need only because there 
> are bad things out there - nefarious activity, inadvertent neglect, 
> design flaws, etc.  At best you have to "put up with security," don't 
> expect to enjoy it.
> 
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Edward Lewis+1-571-434-5468
> NeuStar

"[Security] is like the weather, you can't do anything about it
so you might as well lay back and enjoy it" - paraphrase of Clayton Williams

--bill


Re: Practical Common Practice for Collocation Access

2006-10-23 Thread bmanning

On Mon, Oct 23, 2006 at 04:39:30PM -0400, Sean Donelan wrote:
> 
> 
> Is it enough of a problem, network operators would be interested in 
> publishing some Practical Common Practices (I hesitate to call it a BCP)
> collocation facilities could follow for some common access control 
> scenarios? Tenent access, pre-screened carrier, unscreened vendor, etc.


  i can see the reg headline now...  ISPs and BOFH's now pushing PCP!


> http://www.ncs.gov/nstac/reports/2005/Final%20TATF%20Report%2004-25-05.pdf
> 
> I wouldn't be surprised if most co-lo's don't actually have good reasons 
> why they do some things, and if presented with a reasonable industry 
> agreed practice, would adopt it.

colo's live/die based on paying customers.  getting input from
customers is not a bad idea.  tempering customer feedback w/
legal and liability concerns is always a trick.

--bill


that 4byte ASN you were considering...

2006-10-09 Thread bmanning

FYI...  if you think you have an opinion about this, it might be worth a read
before the IESG dictates how you can use/code these badboys...

-

The IESG has received a request from an individual submitter to consider
the following document:

- 'Canonical representation of 4-byte AS numbers '
as an Informational RFC

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action.  Please send any comments to the
iesg@ietf.org or ietf@ietf.org mailing lists by 2006-11-06.

The file can be obtained via
http://www.ietf.org/internet-drafts/draft-michaelson-4byte-as-representation-01.txt



--bill
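The draft above (it later became RFC 5396) settles how a 4-byte ASN is written down: "asplain" is the plain decimal value, "asdot" writes values above 65535 as high.low, and "asdot+" writes every ASN as high.low. The earlier post in this archive about announcing "B" root from a 32-bit ASN touches the same transition mechanics: an OLD (2-byte-only) BGP speaker never sees the real 4-byte value in AS_PATH, it sees AS_TRANS (23456) in its place (RFC 4893). The block below is an added example, not code from the draft or from any router vendor; it converts between the notations, shows the AS_PATH substitution an old speaker sees, and demonstrates the operational reason asdot lost out for filter syntax: an unescaped "." in an as-path regex matches any character, so the pattern "1.10" also matches a path containing AS 1010.

```python
import re

# RFC 4893 placeholder: what a 2-byte-only speaker sees for ANY 4-byte ASN.
AS_TRANS = 23456
MAX_ASN = 0xFFFFFFFF


def asdot_to_asplain(text):
    """Parse asplain ('65546'), asdot ('1.10') or asdot+ ('0.64512') into an int."""
    if "." in text:
        high, low = (int(part) for part in text.split(".", 1))
        if not (0 <= high <= 0xFFFF and 0 <= low <= 0xFFFF):
            raise ValueError("each half of %r must fit in 16 bits" % text)
        return (high << 16) | low
    value = int(text)
    if not 0 <= value <= MAX_ASN:
        raise ValueError("%r is not a 32-bit ASN" % text)
    return value


def asplain_to_asdot(asn):
    """asdot (RFC 5396): decimal below 65536, high.low at or above it."""
    if not 0 <= asn <= MAX_ASN:
        raise ValueError("%r is not a 32-bit ASN" % asn)
    if asn < 65536:
        return str(asn)
    return "%d.%d" % (asn >> 16, asn & 0xFFFF)


def asplain_to_asdotplus(asn):
    """asdot+: always high.low, even for 2-byte values (e.g. 64512 -> '0.64512')."""
    if not 0 <= asn <= MAX_ASN:
        raise ValueError("%r is not a 32-bit ASN" % asn)
    return "%d.%d" % (asn >> 16, asn & 0xFFFF)


def as_path_for_old_speaker(path):
    """AS_PATH as received by a 2-byte-only neighbour (RFC 4893 section 4.2.2):
    every ASN above 65535 is replaced by AS_TRANS; the real values travel in
    AS4_PATH.  Note that a genuine 23456 in the path becomes indistinguishable
    from a substituted one, which is why AS_TRANS must never be assigned."""
    return [asn if asn < 65536 else AS_TRANS for asn in path]


def matches_path_regex(asdot_text, path_text, escape):
    """Check an asdot ASN against a space-separated AS path with a regex, the
    way as-path access lists are written.  With escape=False the '.' in the
    asdot form is a regex wildcard and over-matches; escape=True anchors it
    to a literal dot."""
    token = re.escape(asdot_text) if escape else asdot_text
    pattern = r"(^|\s)%s($|\s)" % token
    return re.search(pattern, path_text) is not None


if __name__ == "__main__":
    print(asdot_to_asplain("1.10"), asplain_to_asdot(65546), asplain_to_asdotplus(64512))
    print(as_path_for_old_speaker([65546, 3356]))
    print(matches_path_regex("1.10", "1010 3356", escape=False))   # True: the pitfall
    print(matches_path_regex("1.10", "1010 3356", escape=True))    # False
```

The last two calls are the point of the exercise: a filter written as `1.10` in asdot silently also matches AS 1010 unless the dot is escaped, and a path that has passed through an old speaker shows 23456 wherever a 4-byte ASN used to be, so any filter keyed on the real ASN has to look at AS4_PATH on that side.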


Re: tech support being flooded due to IE 0day

2006-09-21 Thread bmanning

> > Does it impact the network operation?
> > Eg, does it adversely affect the network? (say, like Beagle did.)
> 
>   I was thinking sql-slammer, massive flood causing signifcant
> amount of network infrastructure to go down.  (people on low speed links
> with large blocks of address space were DoS'ed off the network).
> 
>   I don't think of drive-by browser/desktop infection as a networking
> issue, more of an end-host issue.
> 
>   - Jared

so, how many netops folks use or are forced to use IE
in the mgmt of their particular sector of an IP network?
netops being deaf/blind; "... the MRTG/Cricket graphs are 
not visible...  does that mean nothing is happening?..."
might be considered operationally significant.  Or not..
YMMV...

--bill


Re: Removal of my brain

2006-09-20 Thread bmanning

On Wed, Sep 20, 2006 at 07:05:04PM -0400, Patrick W. Gilmore wrote:
> 
> On Sep 20, 2006, at 4:35 PM, Richard Irving wrote:
> 
> >[EMAIL PROTECTED] wrote:
> >
> >  Hrmm
> >
> >How many of you realize who Bill Manning is ?

yup.. i do.  he's a wizened, cynical, troll (may or may not
be naked - see his previous post on not wanting to be forced
to wear a teeshirt)

> >   While you are at it, go flame Vinton Cerf... I am sure he
> >will learn from you, too..

been there, done that.  learned quite a bit.

> I have known Bill for years, and respect him for a lot of what he has  
> done.  But if he is wrong, I have zero trouble calling him on it.   
> Who you are doesn't change facts.

amen there.

> That said, I admit I probably hesitate a bit longer before flaming  
> Dr. Cerf. :)  If you've ever met them both, you would understand why.

Vint does present a smaller target most days.  :)

--bill

> 
> -- 
> TTFN,
> patrick


Re: Removal of my name (resend in plain text)

2006-09-20 Thread bmanning


Thanks.  Much easier.

--bill


Re: Removal of my name

2006-09-20 Thread bmanning

On Wed, Sep 20, 2006 at 11:14:27AM -0700, Bill Woodcock wrote:
>   On Wed, 20 Sep 2006 [EMAIL PROTECTED] wrote:
> > something in HTML that i can not parse...
> > care to repost in a format that is readable?
> 
> Bill, it's really time for you to upgrade from UCB Mail to Pine.  Those of 
> us who've gotten with the program and upgraded to 1990's software get all 
> the nasty  things stripped out automatically! 
> 
> -Bill

PINE?  looking at MUTT, but i'm really partial to 
UCBMail stripping out all kinds of cruft/spam.
Next you'll be telling me that IMAP is the wave of 
the future and that i should read email on some 
PDA/CELL thingie...


--bill


Re: Removal of my name

2006-09-20 Thread bmanning

On Wed, Sep 20, 2006 at 02:02:52PM -0400, Don Welch, Merit Network wrote:

something in HTML that i can not parse...
care to repost in a format that is readable?

--bill


required fields

2006-09-14 Thread bmanning


so... for registration for NANOG, i am REQUIRED to specify
a tee-shirt size before being allowed to proceed.

i've seen silly stuff in my day, but this might take the cake.

as a suggestion, if you (and you know who you are) insist on
requiring folks to specify clothing preferences/styles before
allowing them to register for a network operational conference
you -might- allow them to opt-out by specifying NONE.

as usual, YMMV

--bill



friends? you got friends?

2006-09-12 Thread bmanning

> Try looking at it from an outsider's point of view instead. If you're new 
> to dealing with ARIN, it is not uncommon to find the process is absolutely 
> baffling, frustrating, slow, expensive, and requiring intrusive disclosure 
> just shy of an anal cavity probe.

as is dealing with pretty much any bureaucracy for which you
are a novice. (FedWire/CBD anyone? :)

> In any kind of free market system, competition would have bitchslapped the 
> current ARIN way of doing things a long, long time ago. Personally I find 
> the single most compelling reason to move to IPv6 to be the removal of any 
> justification for ARIN's continued existance in its current form.

but its not "free-market" is it.

> Somehow I suspect the only folks who wouldn't welcome this are the ones 
> who benefit from the one thing ARIN is actually good at doing, namely 
> paying for frequent business class travel and accomodations to exotic 
> locations around the world under the pretense of "meetings". Hrm guess I 
> had better offer dinner in St Louis is on me for whichever one of my 
> friends on the "ARIN travel plan" complains about this post first. :)

while i'm not particularly enamored of the current status quo,
it has the distinct advantage of being member-driven.  and that
means if the members want a change, there is a clear path for 
that change to occur.  and perhaps its my particular POV, but 
arin members do seem adept at making "disruptive" changes in 
general RIR policies.

--bill


> -- 
> Richard A Steenbergen <[EMAIL PROTECTED]>   http://www.e-gerbil.net/ras
> GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)


portability... HAH!

2006-09-09 Thread bmanning

> >And the same way that government forced telephone number portability, I 
> >foresee one day government requiring IP number portability among ISPs in 
> >order to increase competition.  So all those SWIPS and PA assignments in 
> >ARIN/RIPE/APNIc may one day be used to allow Acme Nail with their /29 
> >assignment to leave ISP A and move to ISP B.  Legislators have been 
> >known to make more idiotic laws and regulations so don't think it 
> >couldn't happen.
> 
> Customers already have portability.  It's called DNS.
> 
> IP addresses aren't published in the big web rolodexes.  They don't need 
> their IP address to stay with them.
> 
> pt

yeah... like BGP peers are looked up through DNS,
SNMP is all DNS-lookup based,
SYSLOG doesn't care about MAC or IP addresses,
ISP's -never- re-write their DNS entries to actually
  map the clients preferred/canonical DNS entries
application vendors always map software licenses to 
DNS names and never IP addresses.
and...  how do you find those DNS servers in the first 
place?

man I'd love to live in your universe...   or are you suggesting 
that things have evolved in the last decade to the point that the
ostensible goal of the IETF PIER wg can finally be met, to  
completely renumber the entire Internet every 20 minutes... :)

--bill


newbie howto

2006-08-21 Thread bmanning


ok, so perhaps i'm not a "newbie"...
the nanog web site indicates that registration opens in midAugust.
on my calendar, 21aug is clearly past the mid-point, yet i see 
no way to register to attend nanog 38.

has registration filled up?  

--bill


Re: i am not a list moderator, but i do have a request

2006-08-14 Thread bmanning

On Mon, Aug 14, 2006 at 04:42:31PM +, Paul Vixie wrote:
> 
> > >  http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
> > 
> > thanks, didn't know about it. But isn't it still usefull, when urgent
> > matters concerning botnets will still discussed on the nanog-list?
> > Please let me disabussed to it, but it's just my opinion.
> 
> almost everything that happens in the world is urgent to somebody somewhere.
> not everything that happens on the internet is urgent to everybody on nanog.
> 
> there are too many topics (and too many botnets) for nanog to cover them all.
> -- 
> Paul Vixie

in other words...

Lack of
planning on
your part will
not constitute
an emergency
on my part

si?

--bill


Re: rDNS naming conventions (was: Re: SORBS Contact)

2006-08-10 Thread bmanning

On Thu, Aug 10, 2006 at 10:21:45AM -0400, Steven Champeon wrote:
> 
> on Thu, Aug 10, 2006 at 01:11:50AM -0700, william(at)elan.net wrote:
> > 
> > 
> > >>On Aug 9, 2006, at 1:06 PM, Matthew Sullivan wrote:
> > >>
> > >>>This is also why I took the time to create:
> > >>>
> > >>>
> > >>> 
> > 
> > The reason I do not like RDNS naming scheme is because it forces
> > one particular policy as part of the name.
> 
> Fair enough. FWIW, I've seen a wide variety of naming schemes (I've
> got a project that collects these as an antispam/anti-botnet measure,
> and so far we've got around 16K conventions documented for 11K domains).

first...  as a draft, it carries ZERO weight. -IF- it becomes an
RFC, its targeted status is INFORMATIONAL, e.g. no standard of any kind.
So no one is going to -force- you to implement it.

hum...  why does this draft remind me of the (in)famous WKS RR?
what is WKS?  you know, that RR type that specified the "well known
services" running on/at the particular label.

WKS was deprecated, in part due to the fact that "black hats" would
use WKS to groom their attack profiles.  Use of the conventions 
outlined in this draft would be very useful in building targeted
attacks.  To paraphrase Randy Bush, "I encourage all my competition to 
implement these guidelines."

--bill  


Re: mitigating botnet C&Cs has become useless

2006-08-03 Thread bmanning


useless...

perhaps.  i'm partly of the mind that botnets, p2p networks, manets,
and other self-organizing systems are the "wave" of the future (or even the
present) and the technologies, per se, are not inherently "evil" or even bad.

imho, it is short sighted to try and curtail, mitigate, and eradicate 
these types of technologies -  its kind of like trying to kill off SMTP because 
it only sends spam, FTP because its only used to distribute PR0N... and HTTP
because its only used by paedophiles stalking my daughters on MySpace...

better to understand how these things are used and figure out how to
determine INTENT and then filter on that instead of technological eradication.

just my contrarian 0.02 rupias.

--bill



PIPE CLEANERS... was: APC Matrix 5000 question(s)

2006-08-02 Thread bmanning

 pipecleaners?

http://www.ppsa-online.com/about-pigs.php#UTILITY%20PIGS

do they make one for Internet Pipes?

--bill


On Wed, Aug 02, 2006 at 05:59:29PM -0700, joe mcguckin wrote:
> Can't you guys take this off-list? I'm seeing this thread gatewayed  
> on *another* mailing list also.
> 
> Somehow, APC battery maintenance doesn't seem like a critical topic  
> (unlike for example, internet pipe cleaning day) ^)
> 
> 
> Joe McGuckin
> ViaNet Communications
> 
> [EMAIL PROTECTED]
> 650-207-0372 cell
> 650-213-1302 office
> 650-969-2124 fax
> 
> 
> 
> On Aug 2, 2006, at 6:34 AM, [EMAIL PROTECTED] wrote:
> 
> >
> >On Wed, 2 Aug 2006, Matthew Sullivan wrote:
> >
> >>
> >>[EMAIL PROTECTED] wrote:
> >>>Update: I replaced the batteries today, and indeed, several of the old
> >>>ones (mostly in the first pack) were split and some had popped a couple of
> >>>their "sealed" tops.
> >>>
> >>>I left for several hours and came back to the house stinking like burning
> >>>rubber.  The new batteries are apparently melting the terminal rubber
> >>>insulation.  I had to throw it back into bypass mode and unplug that pack
> >>>(the only one with new batteries!)
> >>>
> >>>Any ideas to the cause?  The status screens looked ok. ("no bad batteries"
> >>>again)
> >>>
> >>Tip: Except where a newly supplied battery is faulty, replace all or
> >>none - across all your packs connected to the same UPS.
> >
> >Understood...that's why I unplugged the other 2 XR packs from the UPS.
> >APC rejected the notion that there was a controller problem, until they
> >had me perform the battery test, when it not only cut power (batteries
> >were fried anyway), it stayed in test mode until bypassed.  According to
> >them, even with dead batteries, it should come out within 5-10 seconds.
> >
> >James Smallacombe  PlantageNet, Inc. CEO and Janitor
> >[EMAIL PROTECTED]
> >http://3.am
> 


Re: ipv6 @ sprint, somebody home?

2006-06-07 Thread bmanning

On Tue, Jun 06, 2006 at 07:38:51PM -0400, Jared Mauch wrote:
> 
> On Tue, Jun 06, 2006 at 09:45:18PM +0200, Jeroen Massar wrote:
> > And http://www.sprintv6.net/ doesn't contain any contact info before you
> > say "google" it. Then again the following url clearly shows their
> > 'interrest' http://www.sprintv6.net/aspath/bgp-page-complete.html
> > Last change on the tree detected on Sun DEC 11 2005, h.22:50
> 
>   those people at PAIX Palo Alto i think are still waiting
> for the "nap lan" to number out of 3ffe space.  It's the same as
> the IPv4 lan (vlan6) you just set up the v6 ips there..
> 
>   I suspect in another few days all these routes will go
> away and will start to be filtered more effectively.
> 
>   - jared
> 
> -- 
> Jared Mauch  | pgp key available via finger from [EMAIL PROTECTED]
> clue++;  | http://puck.nether.net/~jared/  My statements are only mine.


they should not be waiting for those numbers, they have had them 
for a couple of years now.

--bill


Re: Fwd: 41/8 announcement

2006-05-24 Thread bmanning

 so how many ISPs will shun fastweb for hijacking address space?
 (please do -NOT- respond, its a rhetorical question...)

--bill


On Wed, May 24, 2006 at 11:37:12AM +0300, Richard Mikisa wrote:
> 
> This came in from someone in Italy..
> 
> -- Forwarded message --
> From:  *
> Date: May 24, 2006 11:15 AM
> Subject: Re: 41/8 announcement
> To: [EMAIL PROTECTED]
> 
> 
> >>Turns out the folks at fastweb (Italy) NAT their adsl clients but
> >>instead of using the rfc1918 space like most people, they use
> >>unassigned
> >>global /8s. Well 41/8 is one of their NATted allocations for Turin. No
> >>amount of emails will get them to respond, calling isn't any better
> >>as I
> >>get only Italian speaking people at the other end. Any ideas out
> >>there?
> 
> Yes: you lose, sorry. :-)
> Many of their networking people are less than clueful, and I fear that
> they are not going to renumber a whole city just to let their customers
> communicate with a few African networks...
> Let me know if you need more information.
> (Feel free to repost this if needed, but please remove my name.)
> 
> --
> ciao,
> ***
> 
> -- 
> cheers
> Richard


Re: How to tell if something is anycasted?

2006-05-17 Thread bmanning


well Peter, ONE root server operator has that practice.  Others
have different practices regarding anycast.

--bill


On Tue, May 16, 2006 at 11:59:54PM -0700, Peter Boothe wrote:
> 
> On Tue, 16 May 2006, David Hubbard wrote:
> 
> > So I'm looking at a company who offers anycasted DNS;
> > how do I tell if it's really anycasted?  Just hop on
> > different route servers to see if I can find different
> > AS paths and then do traceroutes to see if they suggest
> > the packets are not ending in the same location?
> > >From my routers' perspective I don't see a difference,
> > but then I don't think I should, correct?
> 
> If they conform to the convention that the DNS root servers practice, then
> a dig query from several locations should suffice.  Choosing an anycasted
> DNS root at random, you can do
>   dig @f.root-servers.net hostname.bind chaos txt
> And the response should include a line like
> hostname.bind.  0   CH  TXT "pao1b.f.root-servers.org"
> 
> >From other locations, it might be "sfo2c.f.root-servers.net" or somesuch.
> If they don't do that, then you are stuck with more ad-hoc methods like
> traceroutes from many different locations, or checking out AS-PATHS in
> Routeviews and using your intuition.
> 
>   -Peter
> 
> --
> Peter Boothe
> PhD Student "Young man, you think you're very
> Computer Sciencesmart, but it's turtles all the way
> University of Oregondown!"
> http://www.cs.uoregon.edu/~peter
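Peter's check relies on the CHAOS-class convention: a query for hostname.bind (class CH, type TXT) is answered by the individual server instance with its own name, so the same anycast address answering with different names from different vantage points is evidence that it really is anycast. The block below is an added example, not code from Peter, from BIND or from any root operator: it builds that query on the wire, parses the TXT answer (including the name-compression pointer every real server uses in the answer section), and collects the distinct instance names seen across vantage points. The live sender is included but needs the network; the constructed response is a sample built by the same encoder, not captured traffic, and the instance name in it is an assumption borrowed from the message above.

```python
import random
import socket
import struct

CH = 3        # CHAOS class
TXT = 16      # TXT type


def _encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _read_name(data, off):
    """Decode a possibly compressed name at off; return (name, offset after it)."""
    labels, resume, hops = [], None, 0
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                       # compression pointer, RFC 1035 4.1.4
            pointer = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if resume is None:
                resume = off + 2                        # parsing continues after the pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            off = pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), (resume if resume is not None else off)


def build_query(qid, name="hostname.bind", qtype=TXT, qclass=CH):
    """Query with RD=0: we want the authoritative instance's own answer, not a recursor's."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", qtype, qclass)


def parse_txt_answers(data, expected_qid=None):
    """Return the TXT strings from CH-class answer RRs; reject a mismatched ID."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if expected_qid is not None and qid != expected_qid:
        raise ValueError("response ID %d does not match query ID %d" % (qid, expected_qid))
    off = 12
    for _ in range(qd):                                  # skip the echoed question
        _, off = _read_name(data, off)
        off += 4
    texts = []
    for _ in range(an):
        _, off = _read_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype == TXT and rclass == CH:
            i = 0
            while i < len(rdata):                        # TXT rdata is a list of <len><chars>
                n = rdata[i]
                texts.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
    return texts


def constructed_response(qid, identity, name="hostname.bind"):
    """Constructed sample answer (QR=1, AA=1) as an instance would send it."""
    header = struct.pack("!HHHHHH", qid, 0x8400, 1, 1, 0, 0)
    question = _encode_name(name) + struct.pack("!HH", TXT, CH)
    txt = bytes([len(identity)]) + identity.encode("ascii")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TXT, CH, 0, len(txt)) + txt  # pointer to offset 12
    return header + question + answer


def query_identity(server, timeout=2.0):
    """Live check from this vantage point (needs network); returns the TXT strings."""
    qid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qid), (server, 53))
        resp, _ = s.recvfrom(512)
    return parse_txt_answers(resp, qid)


def distinct_instances(identities_by_vantage):
    """Distinct instance names across vantage points; more than one means the
    address is answered by more than one box (anycast, or a load balancer)."""
    return {txt for answers in identities_by_vantage.values() for txt in answers}


if __name__ == "__main__":
    sample = {"vantage-a": parse_txt_answers(constructed_response(1, "pao1b.f.root-servers.org"), 1),
              "vantage-b": parse_txt_answers(constructed_response(2, "sfo2c.f.root-servers.org"), 2)}
    print(distinct_instances(sample))
```

Two caveats a practitioner should keep in mind: the name is whatever the operator configured, so it can be absent, identical on every instance, or deliberately misleading, and some servers answer id.server (RFC 4892) or the NSID EDNS option (RFC 5001) instead; an empty result therefore says nothing about whether the address is anycast.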


Re: Tier Zero (was Re: Tier 2 - Lease?)

2006-05-04 Thread bmanning

On Thu, May 04, 2006 at 11:25:35AM -0500, John Dupuy wrote:
> 
> From an off-list discussion:
> 
> Does anyone know of an ISP that has paid transit from all known SFP 
> (Tier 1) providers? (sort of the old SAVVIS model on steroids.)
> 
> John 

why would anyone do that?

--bill


Re: Tier 2 - Lease?

2006-05-02 Thread bmanning

> (Disclaimer: we're neither a Tier 1 or 2.  And most of the routes we receive
> via a regional provider that treats us *very* nicely - mostly because we have
> them by the short-and-curlies.  They piss us off too much, we turn off the
> phones in their NOC. ;)

er... a typo?  should be...  "... we turn ON the phones in their NOC."

--bill


Re: Italy orders ISPs to block sites

2006-03-07 Thread bmanning


actually, they -can- order it... it's the delivery that's
the hard part. :)  on-line gaming is handled pretty much
the same way - the tax authorities really want to know 
where that loot came from ... or went to !!! :)

--bill


On Tue, Mar 07, 2006 at 09:13:21AM +0100, tom wrote:
> 
> Hi Folks across the ocean..
> 
> I understand, that from an American point of view this kind of restriction
> looks strange and is against your act of freedom, however here in Europe
> gambling is a state controlled business that supports the state economy and
> in most European countries gambling outside state controlled casinos is
> simply illegal and forbidden by law.
> So I doubt, that the European Court would really rule against this.
> Each country has specific laws that other nations do not understand
> and we all should accept that.
> Imagine, if kids in the US would be able to order Cannabis from Online-shops
> in the Netherlands (as it is legalized there) through mail order? Would you
> or your legislation agree to that?
> 
> See..
> 
> I hope you don't mind this commentary from a European...
> 
> Tom
> 
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of
> Owen DeLong
> Sent: Tuesday, 7 March 2006 08:54
> To: Christopher L. Morrow; Marco d'Itri
> Cc: NANOG
> Subject: Re: Italy orders ISPs to block sites
> 
> 
> Singapore seems to force all of their ISPs to send all HTTP requests through
> a proxy that has a set of rules defining sites you are not allowed to visit.
> 
> Owen
> 
> 
> --On March 7, 2006 1:48:39 AM + "Christopher L. Morrow" 
> <[EMAIL PROTECTED]> wrote:
> 
> >
> >
> > On Tue, 7 Mar 2006, Marco d'Itri wrote:
> >
> >>
> >> On Mar 06, Rodney Joffe <[EMAIL PROTECTED]> wrote:
> >>
> >> > It appears that Italy has ordered Italian ISPs to block access to a 
> >> > number of Internet Gambling sites. It would be interesting to see 
> >> > how the Italian ISPs are handling this, what with dynamic DNS and 
> >> > all that...
> >> So far, the method officially recommended by the government entity 
> >> involved with collecting the gambling fees has been to create fake 
> >> zones on the caching resolvers of the large consumer ISPs.
> >
> > good thing people use dns servers other than those put up by their ISP 
> > :) when last faced with this situation, State-of-PA ChildPorn Law... 
> > Null routing the affected ip-addresses was the only 'good' solution :(
> >
> > -Chris
> 
> 
> 
> --
> If this message was not signed with gpg key 0FE2AA3D, it's probably a
> forgery.
> 
> 


Re: Time for IPv10? (was Re: Time for IPv8?)

2006-03-05 Thread bmanning


 oh yeah... IPX - that works a treat.  (who was it that said "It's Deja Vu 
 all over again")

--bill

> [ It's been pointed out that, due to various historical reasons, IPv8  
> might not be the best choice of version-number to use in this  
> context.  So, IPv10 can serve for purposes of discussion, in its  
> stead. ]
> 
> On Mar 5, 2006, at 7:19 PM, Roland Dobbins wrote:
> 
> >
> >
> >On Mar 5, 2006, at 6:59 PM, Owen DeLong wrote:
> >
> >>Far from it, but, there are lessons to be
> >>learned that are applicable to the internet, and, separating the
> >>end system identifier from the routing function is one we still seem
> >>determined to avoid for reasons passing my understanding.
> >
> >And this is the real answer, of course.
> >
> >There were two fundamental design decisions made back in the Olden  
> >Days which continue to exert a strong and in many cases quite  
> >negative sway over this entire set of inter-related issues:
> >
> >1.   Utilizing the endpoint identifier in the routing function, as
> > Vince Fuller and you (among others) have stated, and
> >
> >2.   The ships-in-the-night nature of the TCP/IP protocol stack.
> > This latter design decision is a big part of the reason TCP/IP
> > has been so successful to date; however, we find more and
> > more kludgey, brittle hacks to try and provide some sort
> > of linkages for purposes of enforcing policy, etc.  The
> > irony is that these attempts largely stem from the unforeseen
> > side-effects of #1, and also contribute to a reinforcing
> > feedback loop which further locks us into #1.
> >
> >Given the manifold difficulties we're facing today as a result of  
> >these two design decisions (#2 is a 'hidden' reason behind untold  
> >amounts of capex and opex being spent in frustratingly  
> >nonproductive ways), perhaps it is time to consider declaring the  
> >'Limited-Deployment IPv6 Proof-of-Concept Experiment' to be a  
> >success, take the lessons learned (there are a lot more unresolved  
> >and potentially problematic issues than those mentioned in this  
> >thread) into account and get started on IPv8.
> >
> >--
> >Roland Dobbins <[EMAIL PROTECTED]> // 408.527.6376 voice
> >
> > Everything has been said.  But nobody listens.
> >
> >   -- Roger Shattuck
> 
> --
> Roland Dobbins <[EMAIL PROTECTED]> // 408.527.6376 voice
> 
>  Everything has been said.  But nobody listens.
> 
>-- Roger Shattuck


Re: shim6 @ NANOG (forwarded note from John Payne)

2006-03-03 Thread bmanning

On Fri, Mar 03, 2006 at 09:50:55PM +0100, Iljitsch van Beijnum wrote:
> 
> On 3-mrt-2006, at 21:43, Brandon Ross wrote:
> 
> >>I will bet anyone reading this $ 20 USD right now that what will  
> >>actually happen is the development of a spot market in IPv4  
> >>address space.
> 
> >That's a sucker bet.
> 
> >What's worse is that unless people start changing their tune soon  
> >and make the ownership of IP space official, this will be a black  
> >market (like it is now, just much bigger).
> 
> But that will end as soon as interdomain routing is protected by  
> certificates given out by the RIRs.

er, not at all. RIRs issuing certificates and expecting 
the routing system to kowtow is a stretch.

--bill  


Re: shim6 @ NANOG (forwarded note from John Payne)

2006-03-03 Thread bmanning

On Fri, Mar 03, 2006 at 10:30:44AM +, [EMAIL PROTECTED] wrote:
> 
> > > If you feel you should qualify as an LIR,
> > 
> > With RIPE, an LIR is simply an organization that pays the membership 
> > fee and thus gets to submit requests for address space and AS 
> > numbers. ARIN doesn't seem to use this terminology except in their 
> > IPv6 address allocation policy.
> 
> That's what we were talking about. Shim6 and IPv6. The term
> LIR is used in IPv6 allocation policy in all regions and refers
> to an entity that assigns /48 blocks to its subscribers. Such
> an entity can receive a /32 from ARIN or RIPE or APNIC or LACNIC
> or AFRINIC.
> 
> --Michael Dillon

hum... so what happens if i chose to delegate /56's to my
customers?  does that invalidate my LIR status 'cause i'm not
toeing the /48 line?

presuming of course i have LIR status along w/ the /32 that has been
delegated to me.

to borrow a line, "some days you're the IANA, some days you're the endnode"

--bill


Re: shim6 @ NANOG (forwarded note from John Payne)

2006-03-01 Thread bmanning


ok... i've slept some.

let me rephrase my angst this way...
when/if a shim6 proof of concept is built,
THEN is the time to start debating the merits 
of shim6 and setting policies on addressing plans.

Find one (or more) of the converted,
build the darned thing, run some tests, and
then there will be concrete, empirical evidence
to back the shim6 proponent assertions.  not just
thought experiments conducted on paper.

--bill (show me) manning


Re: shim6 @ NANOG (forwarded note from John Payne)

2006-03-01 Thread bmanning

On Wed, Mar 01, 2006 at 10:33:51AM -0500, John Payne wrote:
> 
> 
> On Mar 1, 2006, at 1:52 AM, Joe Abley wrote:
> 
> >Shim6 also has some features which aren't possible with the swamp  
> >-- for example, it allows *everybody* to multi-home, down to people  
> >whose entire infrastructure consists of an individual device, and  
> >to do so in a scaleable way.
> 
> Only if *everybody* has a shim6 capable stack...

and nobody does!  extrapolations and visions of
a brave new world are just that.  kind of like
the Boeing/Airbus mockups that have lounges, gyms & showers
and restaurants onboard their 747 and A380 aircraft.
and attractive flight attendants talking about shoes... :)
yeah it -might- happen, but...

-- bill (particularly grumpy & cynical tonight)


Re: DNS deluge for x.p.ctrc.cc

2006-02-26 Thread bmanning

> i'm not following up on the dns related parts of this, since dns-operations@
> seems to be pulling some of the dns related load today and i don't want to
> say the same thing in both places.  see this URL for details:
> 
> http://lists.oarci.net/pipermail/dns-operations/2006-February/author.html
> -- 
> Paul Vixie


hum... i subscribed to this dns-operations@ list some days back and have
yet to see any postings.  i guess i'm not worthy.

--bill


Re: DNS deluge for x.p.ctrc.cc

2006-02-25 Thread bmanning

> ] other cctld servers have seen what are effectively ddos.  rob thomas
> ] seems to have the most clue on this, so i hope this troll will entice
> ] him to speak.
> 
> Did someone say "troll?"  :)
> 
> Yes, this is a real problem.  These attacks have exceeded several
> gigabits per second in size, and during one attack 122K DNS name
> servers were abused as amplifiers.  Ouch!
> 
> This abuse can be mitigated.  Here are a few tips.



> Limit recursion to trusted netblocks and customers.  Do not permit
> your name servers to provide recursion for the world.  If you do,
> you will contribute to one of these attacks.



> Watch for queries to your name servers that ask for "ANY" related
> to a DNS RR outside of the zones for which you are authoritative.
> This DNS RR will be LARGE.



> Limit UDP queries to 512 bytes.  This greatly decreases the
> amplification effect, though it doesn't stop it.



> Scan your IP space for name servers that permit recursive queries.
> It's amazing just how many of these name servers exist.


> 
> Refer to the following guides for some excellent insight and
> suggestions.
> 
>
>
>
> 
> Note we have our own Secure BIND Template which will help on the
> BIND side of life.
> 
>
> 
> If you need assistance with any of this, have endured one of these
> attacks, or have any other questions, please don't hesitate to ping
> on us at [EMAIL PROTECTED]  We're here to assist!
> 
> Thanks!
> Rob.
> -- 
> Rob Thomas
> Team Cymru
> http://www.cymru.com/
> ASSERT(coffee != empty);

ok, so i'm being a bit of a curmudgeon here but just how,
if we throttle DNS to the minimum suite for today's services,
can we be expected to add new features/services?   grump grump grump...

-- (grumpy) bill


Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread bmanning

On Tue, Feb 21, 2006 at 12:04:17AM -0600, Rob Thomas wrote:
> ] true enough.  but "auntie jane" doesn't have linux/unix web server(s)
> ] or router(s) (other than the one provided by her ISP and managed by them)
> ] and has zero clue about overly permissive machines.
> 
> Agreed.  Instead all of her financial records are on those
> unix web/database servers, or transit through those routers,
> etc.  There's a reason why such devices are popular with
> the criminals.  :(


what's the objective?  ID theft, fiscal mayhem - go for the 
infrastructure stuff (like you say). lowest visible impact
for very high fiscal return.
destabilize the trust model, perceptions of availability?
large zombie packs might be your best bet.  
(we're not in it for the money, we want social change!)

> 
> -- 
> Rob Thomas
> Team Cymru
> http://www.cymru.com/
> ASSERT(coffee != empty);


Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread bmanning

On Mon, Feb 20, 2006 at 07:49:04PM -0600, Rob Thomas wrote:
> 
> Hey, Bill.
> 
> ] what is the mean-time-to-infection for a stock windows XP system
> ] when plugged into the net?... 2-5 minutes?  you can't get patches
> ] down that fast.
> 
> The same case can be made for Linux and Unix-based web servers with
> vulnerable PHP-based tools.  There's also a large number of poorly
> configured devices such as routers with easily guessed passwords,
> overly permissive DNS name servers, etc.
> 
> It's not simply a Windows problem.
> 
> Thanks,
> Rob.

true enough.  but "auntie jane" doesn't have linux/unix web server(s)
or router(s) (other than the one provided by her ISP and managed by them)
and has zero clue about overly permissive machines.

methinks it is a -much- larger pool that gets taken advantage of
with a much higher threshold of ignorance about problems. 

--bill



Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread bmanning

> Edward W. Ray wrote:
> >IMHO, a user should have to demonstrate a minimum amount of expertise and
> >have an up-to-date AV, anti-spyware and firewall solution for their PCs.
> 
> The mostly-user ISP's will have to eventually do something or end up 
> being either regulated, spending more and more and more on tech support 
> and/OR abuse personnel, or written down as blackhat AS's.
> 
>   Gadi.

if i may ...

to borrow a bit more from the "licensed to net" analogy...
are vendors being let off scot-free and leaving the burden of 
responsibility to the consumer?  ISPs are the roads (likely toll)
and they should not be forced to create barriers, speed bumps,
and control methods for poor drivers who are sold crap for vehicles.
what is the mean-time-to-infection for a stock windows XP system
when plugged into the net?... 2-5 minutes?  you can't get patches
down that fast.

i'm beginning to think that botnet like structures are in fact the
wave of the future.  ... and instead of trying to eradicate them, we 
should be looking at ways to use botnet like structures for adding value to
an increasingly more connected mesh of devices.  ...  

of course YMMV - but i'm not persuaded that botnet.hivemind constructs are
-NOT- inherently evil... they can be turned that way, but if there is a
value to such things, we ought to be able to use them for our own
purposes.

--bill  (who really has better things to do, but slugs are still in bed...)


Re: Fed Bill Would Restrict Web Server Logs

2006-02-14 Thread bmanning

On Tue, Feb 14, 2006 at 11:31:48AM -0500, [EMAIL PROTECTED] wrote:
> On Tue, 14 Feb 2006 16:14:11 GMT, Andy Davidson said:
> > It's interesting that the US government is requiring less user data is 
> > stored when European politicians are calling for greater data and log 
> > retention rules.
> 
> Obviously, none of the Total Info Awareness proponents were able to get
> their tentacles involved here...
> 

Hum... tentacles...  

http://www.cthulhu.org/cthulhu/index.html

--bill
unsigned email is a sign of plausible deniability...


Re: Middle Eastern Exchange Points

2006-02-08 Thread bmanning

On Wed, Feb 08, 2006 at 10:45:47AM -0800, Bill Woodcock wrote:
> 
>   On Wed, 8 Feb 2006, Martin Hannigan wrote:
> > Guys, are you being semantic? 
> 
> Yes, we're doggedly insisting that words mean what they're defined to 
> mean, rather than the opposite.
> 
> > You keep saying EMIX
> > and you're confusing me. Peering or no? "IX" naturally insinuates
> > yes regardless of neutrality.
>
> Exactly.  "IX" as a component of a name is _intended to insinuate_ the 
> availability of peering, _regardless of whether that's actually true or 
> false_.  Which is why we keep analogizing to the STIX, which was _called_ 
> an IX, but was _not_ an IX, in that it had nothing to do with peering, 
> only with a single provider's commercial transit product.  The same is 
> currently true throughout much of the Middle East.
> 
> -Bill

the CIX & STIX (as originally designed) models are architecturally slightly
different than what seems to be the case for EMIX and a few other tricks
(PLDT comes to mind) where a telco is offering transit over its infrastructure.
In the first two cases, all the participants (customers) fateshare ... the
design was "layer 3" peering, e.g. everyone terminates on a port on a common
router, managed by the friendly, neutral telco/cooperative association.

Nearly everyone these days equates IX with a neutral "layer 2" fabric.  In a
wide-area, you are still "captive" to the transmission provider to "knit" the
disparate bits into a single, cohesive whole.

--bill


Re: So -- what did happen to Panix?

2006-01-27 Thread bmanning

On Fri, Jan 27, 2006 at 11:39:27AM -0500, Joe Abley wrote:
> 
> On 27-Jan-2006, at 11:12, [EMAIL PROTECTED] wrote:
> 
> > but by definition, the right-most entry is the prefix origin...
> 
> Suppose AS 9327 decides to originate 198.32.6.0/24, but prepends 4555  
> to the AS_PATH as it does so. Suppose 9327 uses a transit provider  
> which builds prefix filters from the IRR, and the "as9327" aut-num  
> object is modified to include policy which suggests 9327 provides  
> transit for 4555. Suppose this is not actually the case, though, and  
> in fact 9327 is a rogue AS which is trying to capture 4555's traffic.
> 
> The rest of the world sees a prefix with an AS_PATH attribute which  
> ends with "9327 4555".
> 
> In this case, from the point of view of those trying to discern  
> legitimacy of advertisements, what is the origin of the prefix? Is it  
> 4555, or 9327?


from BGP's perspective, you tell me.  being the naive BGP
listen/speaker - i think that AS 4555 is the origin.

now... what does  Prefix 198.32.6.0/24 say is the correct
origin?  

> Is it possible to tell, from just the right-most entry in the AS_PATH  
> attribute?

nope - but you have jumped right into the path question.
(what does the as4555 aut-num object say about using 9327
as an upstream AS?)


> Joe
> 
> [note: 9327 is not a rogue AS, in fact. This is just hypothetical :-)]

sez you :) (reminder to send Cingular the royalty check if you
receive the above two characters ":" and ")" as listed above
AND you chose to infer mood or intent.)

I think -all- AS are run by rogues and pirates.

-- (headless) bill


Re: So -- what did happen to Panix?

2006-01-27 Thread bmanning

On Fri, Jan 27, 2006 at 10:42:11AM -0500, Joe Abley wrote:
> 
> On 27-Jan-2006, at 07:51, [EMAIL PROTECTED] wrote:
> 
> > perhaps you mean certified validation of prefix origin
> > and path.
> 
> In the absence of path validation, a method of determining the real  
> origin of a prefix is also required, if the goal is to prevent  
> intentional hijacking as well as unintentional origination. Simply  
> looking at the right-most entry in the AS_PATH doesn't cut it, since  
> anybody can "set as-path prepend P".

but by definition, the right-most entry is the prefix origin...
the question becomes, is that the origin the prefix expects?
to use an historical example:

198.32.6.0/24 thinks that AS 4555 is the correct origin
AS 4555 thinks that it should (and does) originate prefix 198.32.6.0/24
AS 4555 uses AS 226 and 701 as transit providers.

AS 1239 wants to be helpful and tells its peers that it is 
the proper origin for prefix 198.32.0.0/16 -BUT- never tells
AS 4555 about this and has no direct means to deliver packets
to AS 4555. 

Or... we see 128.9.160.0/24 as originating from multiple ASNs.
there is no requirement for single AS origin - is that "theft"
or an engineering tradeoff?

> 
> This suggests to me that either we can't separate origin validation  
> from path validation (which sucks the former into the more difficult  
> problems associated with the latter), or we need a better measure of  
> "origin" (e.g. a PKI and an attribute which carries a signature).

i was just interested in the problem of assertion of origination.   
it needs to be done w/o a centralized repository (imho) because
that method has scalability problems.  such a technique does open
new chances to "confuse" ...  e.g. what happens when the prefix
is seen from the same apparent AS but w/ two or more different 
signatures?

path validation is (again imho) a problem severable from the prefix/as
origin.
> 
> 
> Joe


Re: So -- what did happen to Panix?

2006-01-27 Thread bmanning

On Fri, Jan 27, 2006 at 04:36:28AM -0800, Randy Bush wrote:
> 
> > what I saw by going through the diffs, etc.. that I have
> > available to me is that the prefix was registered to be announced
> > by our customer and hence made it into our automatic IRR filters.
> 
> i.e., the 'error' was intended, and followed all process.
> 
> so, what i don't see is how any hacks on routing, such as delay,
> history, ... will prevent this while not, at the same time, have
> very undesired effects on those legitimately changing isps.
> 
> seems to me that certified validation of prefix ownership and as
> path are the only real way out of these problems that does not
> teach us the 42 reasons we use a *dynamic* protocol.

perhaps you mean certified validation of prefix origin
and path.  Ownership of any given prefix is a dicey concept
at best.

as a start, i'd want two things for authentication and integrity
checks:  AS P asserts it is the origin of prefix R and prefix R
asserts the true origin AS is P (or Q or some list).  Being able
to check these assertions and being assured of the authenticity
and integrity of the answers goes a long way, at least for me.

path validation is something else and a worthwhile goal.
--bill

> 
> what am i missing here?
> 
> randy
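
The two-way check bill asks for in this and the two preceding posts (AS P asserts it originates prefix R; prefix R asserts P, or a list, as its origin), run against the thread's own cases: Joe Abley's "9327 4555" prepend, which passes an origin-only check and is caught only by a path check against the origin's registered upstreams, and bill's AS 1239 covering 198.32.0.0/16. This is an added example, not code from the thread; the registry tables are constructed stand-ins, and the unnamed multi-origin ASes for 128.9.160.0/24 are represented by the documentation ASNs 64496 and 64497.

```python
"""Origin and path checks for the AS_PATH cases in this thread.  Bill's two
assertions are checked both ways: AS P says it originates prefix R, and
prefix R says P (or a list) is its legitimate origin.  Joe Abley's case,
9327 prepending 4555 so the path ends "9327 4555", passes that origin
check and is only caught by asking whether 9327 is a registered upstream
of 4555.  Added example, not from the thread; the tables below are
constructed stand-ins for registry data, using the thread's ASNs and
prefixes plus documentation ASNs 64496/64497 for the unnamed multi-origin
case."""
import ipaddress

def net(s):
    return ipaddress.ip_network(s)

# What prefix R asserts about its origin (a set allows bill's "P or Q").
PREFIX_ASSERTS_ORIGIN = {
    net("198.32.6.0/24"): {4555},
    net("128.9.160.0/24"): {64496, 64497},     # multi-origin is legitimate here
}
# What each AS asserts it originates.
AS_ASSERTS_ORIGIN = {
    4555: {net("198.32.6.0/24")},
    1239: {net("198.32.0.0/16")},              # bill's "helpful" covering announcement
    64496: {net("128.9.160.0/24")},
    64497: {net("128.9.160.0/24")},
    9327: set(),                               # Joe's hypothetical rogue
}
# Transit relationships from the origin's own aut-num-style record.
UPSTREAMS = {
    4555: {226, 701},
}

def strip_prepends(as_path):
    """Collapse consecutive repeats so prepending cannot hide the real neighbour."""
    return [a for i, a in enumerate(as_path) if i == 0 or a != as_path[i - 1]]

def validate(prefix, as_path):
    """Classify one announcement.
    valid             both origin assertions agree and the neighbour is a known upstream
    path-suspect      origin is fine but the AS next to it is not a registered upstream
    origin-invalid    the prefix's and the AS's assertions disagree
    covers-registered no assertion for this exact prefix, but it covers a registered
                      prefix whose origin differs (AS 1239 announcing 198.32.0.0/16)
    unknown           nothing registered for or under this prefix"""
    path = strip_prepends(as_path)
    origin = path[-1]
    allowed = PREFIX_ASSERTS_ORIGIN.get(prefix)
    if allowed is None:
        for reg, owners in PREFIX_ASSERTS_ORIGIN.items():
            if reg != prefix and reg.subnet_of(prefix) and origin not in owners:
                return "covers-registered"
        return "unknown"
    if origin not in allowed or prefix not in AS_ASSERTS_ORIGIN.get(origin, set()):
        return "origin-invalid"
    if len(path) >= 2 and origin in UPSTREAMS and path[-2] not in UPSTREAMS[origin]:
        return "path-suspect"
    return "valid"

if __name__ == "__main__":
    cases = [
        (net("198.32.6.0/24"), [701, 4555]),
        (net("198.32.6.0/24"), [9327, 4555]),
        (net("198.32.6.0/24"), [9327]),
        (net("198.32.0.0/16"), [1239]),
        (net("128.9.160.0/24"), [226, 64497]),
    ]
    for prefix, path in cases:
        print("%-16s %-14s %s" % (prefix, " ".join(map(str, path)), validate(prefix, path)))
```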


Re: cctld server traffic

2006-01-23 Thread bmanning



i am aware of at least 10 of them, 11 if you count NANOG.

--bill


On Mon, Jan 23, 2006 at 01:48:19PM -0800, william(at)elan.net wrote:
> 
> 
> Maybe I'm ignorant, but isn't there [cc]tld operations mail list somewhere?
> 
> On Mon, 23 Jan 2006, Gustavo Lozano wrote:
> 
> >At 10:42 AM 1/22/2006 +0900, Randy Bush wrote:
> >
> >>any cctld ops seeing unusual traffic in the last hours?
> >
> >Nope at .mx.
> >
> >Gustavo
> >
> >>randy
> >
> >
> >gus


Re: DOS attack against DNS?

2006-01-15 Thread bmanning

On Sun, Jan 15, 2006 at 05:27:40PM +, Paul Vixie wrote:
> 
> > client xx.xx.xx.xx#6704: query: z.tn.co.za ANY ANY +E
> 
> class "ANY" has no purpose in the real world, not even for debugging.  if
> you see it in a query, you can assume malicious intent.  if you hear it in
> a query, you can safely ignore that query, or at best, map it to class "IN".
> -- 
> Paul Vixie

er... i guess that is true, although the DNS does work for 
things other than IP based networks...  despite our respective
best efforts to cripple it.

--bill
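
Detection logic for the patterns Rob Thomas lists in the "DNS deluge" thread (type ANY for names outside your authoritative zones, recursion offered to the world) and the class-ANY query Paul quotes above, run over BIND-style query log lines. This is an added example, not code from either post; the authoritative zone, trusted netblock and log lines are constructed, with the query names borrowed from the thread.

```python
"""Flag the patterns this thread warns about in BIND-style query log
lines: class ANY (Vixie: never legitimate), type ANY for names we are
not authoritative for, and recursion requested from outside the
netblocks we serve (Rob Thomas's open-recursion point).  Added example,
not from the thread; the zone, netblock and log lines are constructed,
with names borrowed from the thread."""
import ipaddress
import re
from collections import Counter

# Assumed local policy: the zones this server is authoritative for and the
# netblocks allowed to recurse through it.
AUTH_ZONES = ("example.net.",)
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# BIND 9 query-log shape: client <ip>#<port>: query: <name> <class> <type> <flags>
LOG_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): query: "
    r"(?P<name>\S+) (?P<class>\S+) (?P<type>\S+) (?P<flags>\S*)")

SAMPLE_LOG = """\
client 192.0.2.10#53022: query: www.example.net IN A +E
client 198.51.100.7#6704: query: z.tn.co.za ANY ANY +E
client 198.51.100.7#6704: query: z.tn.co.za ANY ANY +E
client 198.51.100.7#6704: query: z.tn.co.za ANY ANY +E
client 203.0.113.9#4000: query: x.p.ctrc.cc IN ANY +E
client 203.0.113.9#4000: query: x.p.ctrc.cc IN ANY +E
client 192.0.2.55#1120: query: mail.example.net IN ANY +
client 203.0.113.44#5353: query: www.example.org IN A +
"""

def parse(line):
    """Split one log line into its fields, or None if it is not a query line."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def in_auth_zone(name):
    n = name.rstrip(".").lower() + "."
    return any(n == z or n.endswith("." + z) for z in AUTH_ZONES)

def trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def classify(q):
    """Reasons a parsed query is suspicious (empty list means benign)."""
    reasons = []
    if q["class"] == "ANY":
        reasons.append("class-ANY")
    if q["type"] == "ANY" and not in_auth_zone(q["name"]):
        reasons.append("foreign-ANY")
    # A leading '+' in the flags field means RD was set.
    if q["flags"].startswith("+") and not trusted(q["ip"]) and not in_auth_zone(q["name"]):
        reasons.append("recursion-from-outside")
    return reasons

def analyse(log_text):
    """Return (flagged queries per source IP, counts per reason).
    A source repeating the same ANY query is the reflector pattern; that
    address is usually the spoofed victim, so the fix is closing recursion
    and rate-limiting, not blocking the apparent sender."""
    per_source, per_reason = Counter(), Counter()
    for line in log_text.splitlines():
        q = parse(line)
        if q is None:
            continue
        reasons = classify(q)
        if reasons:
            per_source[q["ip"]] += 1
            per_reason.update(reasons)
    return per_source, per_reason

if __name__ == "__main__":
    sources, reasons = analyse(SAMPLE_LOG)
    for ip, n in sources.most_common():
        print("%-16s %d flagged queries" % (ip, n))
    print(dict(reasons))
```

Note that the ANY query for mail.example.net from inside the trusted netblock is not flagged: ANY for a zone you serve is ordinary, the problem is ANY for large foreign records answered recursively.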


Re: AW: Odd policy question.

2006-01-13 Thread bmanning

On Fri, Jan 13, 2006 at 12:09:51PM -1000, Randy Bush wrote:
> 
> > Well, RFC2010 section 2.12 hints at cache pollution attacks, and that's
> > been discussed already.  Note that I can't seem to find the same claim
> > in RFC2870, which obsoletes 2010 (and the direction against recursive
> > service is still there).
> 
> despite others saying that 2870 should apply to servers other
> than root servers, i do not support that.  and that leaves
> aside that some root servers do not follow it very well.
> 
> randy

RFC 2870 was crafted at a time when the machines hosting the
root zone also hosted several -large- TLD zones.  Anycast was
not widely used when this document was written.  RFC 2010 did
indicate that requirements would likely change in future, while
RFC 2870 reinforced the then status quo.

Perhaps the most fatal mistake of RFC 2870 was the ambiguous
treatment of the service provisioning as distinctly different
than protecting the availability of the (single?) instance of
the hardware that provides that service.  

Given the changed nature of the publication platform for the root
zone, (no big TLDs hosted there anymore) and the widescale use of
anycast in the root, while not with many TLDs - it is clear to me
that RFC 2870 applicability is oriented more toward TLD operations.

For these and a few other reasons, no root server operator that
i am aware of (save ICANN) actually tries to follow RFC 2870... 
Several try and follow RFC 2010 still ... despite the I[E/V]TF's 
marking of "obsolete" on RFC 2010.  That said, there might be a 
replacement for both offered up - if time allows.  


--bill


Re: workhorse of the future...

2006-01-11 Thread bmanning

On Thu, Jan 12, 2006 at 09:56:33AM +1100, Lincoln Dale wrote:
> Bill,
> 
> alas, i think the days of being able to deploy one type of "god box" 
> swiss-army-knife router are passing.

that is too true...  some misty-eyed moments for the demise
of chaosnet support ... 
> 
> depending on what it is that the router is planned to be "doing" defines 
> its PPS requirements & what speeds/feeds you need to run various 
> features at.
> 
> from http://www.merit.edu/mail.archives/nanog/2005-09/msg00635.html can 
> you classify what functionality you see yourself as needing?

nice list, but incomplete.  while the pace of innovation
has slowed, O&M "features" have grown, and a raw desire to
keep up the ROI by pandering to the idol of convergence have
not kept me aware of the fact that NEW, UNEXPECTED events
will place demands on my boxen for the foreseeable future - and
a s/w driven box has more resilience in that vector.

> that pretty much sets the discussion as to whether you're after 
> something that can be s/w-forwarding or not ...

i guess i was hoping for some kind soul to provide some insight
as to other factors that may be "sea-change" events to the routing
system in the next 48-60month horizon.  IPv6 table size, on-board
key/sig mgmt/computation are TWO...  are there others?

--bill

> 
> 
> cheers,
> 
> lincoln.
> 
> 
> [EMAIL PROTECTED] wrote:
> >
> >first it was the vitalinks, then the bridge gear, then proteon, then cisco 
> >AGS,
> >then 7600VXR, then 7301s
> >
> >looking to find the next-gen workhorse ... looking for 4-6yr life 
> >expectancy.
> >pointers(private are ok) are appreciated - as well as -why- you think the
> >suggested boxen are likely candidates.
> >
> >--bill
> >
> >


workhorse of the future...

2006-01-10 Thread bmanning


first it was the vitalinks, then the bridge gear, then proteon, then cisco AGS,
then 7600VXR, then 7301s

looking to find the next-gen workhorse ... looking for 4-6yr life expectancy.
pointers(private are ok) are appreciated - as well as -why- you think the
suggested boxen are likely candidates.

--bill


Re: QWest is having some pretty nice DNS issues right now

2006-01-09 Thread bmanning

On Mon, Jan 09, 2006 at 10:36:11AM -1000, Randy Bush wrote:
> 
> > It seems like maybe that is all too common. Are the 'best practices'
> > documented for Authoritative DNS somewhere central?
> 
> 2182

in deference to the previous RFC editor, who was particular about these
things, the proper form is: RFC 2182. 

--bill


Re: QWest is having some pretty nice DNS issues right now

2006-01-09 Thread bmanning

On Mon, Jan 09, 2006 at 05:30:12PM +, Christopher L. Morrow wrote:
> 
> On Mon, 9 Jan 2006, Simon Waters wrote:
> 
> >
> > On Saturday 07 Jan 2006 02:54, you wrote:
> > >
> > > While it's tempting to make fun of Qwest here, variations on this theme -
> >
> > I do agree the management issues with DNS are far harder, and here longer TTL
> > are a double edged sword. But it is hard to design a system where the
> > mistakes don't propagate to every DNS server, although some of the common
> > tools do make it easier to check things are okay before updates are unleashed.
> 
> What's interesting to me, at least, is that this is about the 5th time
> someone has said similar things in the last 6 months: "DNS is harder than
> I thought it was" (or something along that line...)
> 
> So, do most folks think:
> 1) get domain-name
> 2) get 2 machines for DNS servers
> 3) put ips in TLD system and roll!
> 
> It seems like maybe that is all too common. Are the 'best practices'
> documented for Authoritative DNS somewhere central? Are they just not well
> publicized? Do registrars offer this information for end-users/clients? Do
> they show how their hosted solutions are better/works/in-compliance-with
> these best practices? (worldnic comes to mind)
> 
> Should this perhaps be better documented and presented at a future NANOG
> meeting? (and thus placed online in presentation format)
> 
> -Chris

IETF tech transfer failure...  see RFC 2870 (mislabeled as 
root-server) for TLD zone machine best practices from several
years ago... for even older guidelines ... RFC 1219.

--bill


Re: live chat with other nanog'ers

2006-01-03 Thread bmanning

On Mon, Jan 02, 2006 at 02:05:16PM -1000, Randy Bush wrote:
> 
> here's the real challenge.  i would like to chat to a couple of
> dead nanog users.
> 
> randy

punctuation is all...   

dead nanog, users
dead, nanog users

--bill


Re: Deploying IPv6 in a datacenter (Was: Awful quiet?)

2005-12-21 Thread bmanning

On Wed, Dec 21, 2005 at 11:13:31AM -0500, Kevin Loch wrote:
> 
> Kevin Day wrote:
> 
> >9) Once we started publishing  records for a few sites, we started 
> >getting complaints from some users that they couldn't reach the sites. 
> 
> It is possible that a broken 6to4 relay somewhere was causing problems.
> Running your own local 6to4 relay (rfc3068) will improve performance and
> reduce the chances of going through a broken one.

we have been running w/  records for production systems
for the past six years w/o complaint and no 6to4 relay.

--bill

> - Kevin


Re: who's receiving comvalid/bgpsentinel spam? (Re: BGP )

2005-12-15 Thread bmanning

 you're not the only one... 

--bill

On Thu, Dec 15, 2005 at 02:04:16PM +, [EMAIL PROTECTED] wrote:
> 
> is anybody else receiving this spam when they advertise a new AS nowadays?
> (i'm trying to figure out which whois information is being policy-violated
> and who to complain about, but if i'm the only one receiving it, i may JHD.)
> 
> re:
> 
> # From: "Antony Gullusci" <[EMAIL PROTECTED]>
> # To: <[EMAIL PROTECTED]>
> # Subject: BGP
> # Date: Thu, 15 Dec 2005 14:09:19 +0100
> # X-Mailer: Microsoft Outlook Express 6.00.2900.2180
> # 


[EMAIL PROTECTED]: Re: Two Tiered Internet]

2005-12-14 Thread bmanning


somehow, this escaped into a private thread.  i'm pretty
sure that there is a fairly high thermal component to this
thread and not too many photons... so this is it for me
on this thread... 

- Forwarded message from [EMAIL PROTECTED] -

> > > You start with a flawed assumption, you end up with wrong conclusions.
> > > Who said this had anything to do with "the Internet"?
> >
> > well... the press?  the telco marketing droids??
> 
> It seems to be the press and the Google lobbyist droids trying to stir
> things up that use the "Internet" word the most.  A problem is some
> reporters think anything that uses IP (Internet Protocol) means the
> same thing as "the Internet."

that is common... in part 'cause you can't ever tell if it's
-not- part of the Internet.  (I note the subject line of this
thread talks about a two-tier Internet... which we are both
actively responding to... :)  If it's not Internet, then lets 
call it what you claim it is,  private virtual pipes, some of
which touch the commodity Internet and some which run a private,
IP-based network for Telcos use only.  Right there next to the
dedicated copper, lambdas, and glass that they lease to others.
 
> Most, but not all, of the telco droids have tried to stay on message,
> that this is about bringing more competition to video.  It is not the
> Internet, it is not cable TV, it is IPTV.  But when people expand the
> acronym IPTV, it seems to come out as Internet video.  Much like VOIP
> seems to turn into Voice over the Internet, even though a lot of VOIP
> uses private networks.

-IF- we can be assured that the telco (or cable co) folks -REALLY- will keep
parts of their network fabric isolated and disconnected from 
the Internet, and have the ability for random, third-party 
inspection that these closed, private networks that use IP
-STAY- that way, then sure.

> > they should not call it "the Internet" then should they? :)
> Maybe it would have helped if the technologists had chosen less similar
> names for the network ("Internet") and the networking protocal ("IP").
> There are lots of networks using IP which are not the Internet.

again, it's nearly impossible to tell when/if an IP network is
or is not part of what might be part of the Internet.  Mobile
nodes are common and mobile networks are becoming so.  Virtually
every (save two) IP based network that I have touched in the 
last 25 years has at one point or another touched other IP based
networks... thus becoming part of the Internet... as seen by others.
That said, there are many IP-based networks which rarely touch
what most think of as the Internet.  I've come to the conclusion
that the commodity or commercial services Internet is a small subset
of the larger Internet.  as usual, YMMV.

--bill
- End forwarded message -


Re: Two Tiered Internet

2005-12-14 Thread bmanning

On Wed, Dec 14, 2005 at 07:28:06PM -0500, Sean Donelan wrote:
> On Wed, 14 Dec 2005 [EMAIL PROTECTED] wrote:
> > but do i get "the Internet"?  ... your claim is that
> > i am not paying for it.  my bills indicate that i -am-
> > paying for it.  (regardless of priority... after all, the
> > Internet is "best-effort" ... and w/ QoS, i don't get that
> > anymore... i get the choice to buy crap instead of best effort...)
> > Best effort is the top-tier of the QoS/priority pyramid... as
> > sad as that is.
> 
> You start with a flawed assumption, you end up with wrong conclusions.
> Who said this had anything to do with "the Internet"?

well... the press?  the telco marketing droids??
---
= Telecoms want their products to travel on a faster Internet
= Major site owners oppose 2-tier system
= By Hiawatha Bray, Globe Staff  |  December 13, 2005
= 
= 
= AT&T Inc. and BellSouth Corp. are lobbying Capitol Hill for the right
= to create a two-tiered Internet, where the telecom carriers' own
= Internet services would be transmitted faster and more efficiently
= than those of their competitors.
--

darn that pesky Internet word keeps cropping up.
to borrow a phrase;  "... I do not think it means what 
you think it means..." - Princess Bride


> Instead, this is about additional private network services, which cable
> companies already do over coax, that telcos want to offer over a
> multiservice access line in addition to "the Internet."  Coax can carry
> over a Gigabit of data, but cable companies usually sell users less
> than 10Mbps for Internet data.  Cable companies reserve the rest of
> their network capacity for private services like HBO, video on
> demand and voice.  Just because part of a physical line is used for
> Internet service doesn't mean everything going across the same line
> is the Internet.

sure... if that's really the case.

> The telephone companies are asking for the same ability to sell multiple
> services over the same physical line.  Cable companies didn't make their
> Internet service slower when they add more private services, why do
> people expect the telephone companies to make their Internet service
> worse when the telephone companies add private services to their network?

they should not call it "the Internet" then should they? :)



Re: Two Tiered Internet

2005-12-14 Thread bmanning

On Wed, Dec 14, 2005 at 09:59:15AM -0800, Bob Snyder wrote:
> 
> [EMAIL PROTECTED] wrote:
> 
> >Since QoS works by degrading the quality of service
> >for some streams of packets in a congestion scenario
> >and since congestion scenarios are most common on 
> >end customer links, it makes sense to let the end
> >customers fiddle with the QoS settings in both
> >directions on their link.
> >
> > 
> >
> So where would the payback be for this for the last-mile provider? 
> Compared to the pain of setting this up and supporting it, what 
> percentage of customers would actually use something like this? Just 
> trying to educate users on this would be quite challenging. "Well, sir, 
> the service allows you to select which of your traffic is important and 
> should get priority..." "But all my traffic is important!"
> 
> It gets more fun when the medium you use to get to the end customer is a 
> shared medium, with some normal amount of oversubscription.
> 
> Bob

since the Internet is "best-effort" ... any overt attempt 
to reduce this best effort service to explicitly degraded
service (perhaps due to intentional overprovisioning, causing
degraded service) ... -is NOT the Internet- ... it's some
proprietary, substandard networking technology to get me
to the Internet.  So i suspect that marketing folks be very
clear on what is being sold.

--bill


Re: Gotchas of changing the IP Address of an Authoritative DNS Server

2005-12-14 Thread bmanning

On Wed, Dec 14, 2005 at 10:02:56AM -0500, Joe Abley wrote:
> 
> 
> On 13-Dec-2005, at 16:28, Steven M. Bellovin wrote:
> 
> >In message <[EMAIL PROTECTED]>, Sam Crooks writes:
> >>
> >>I would think you would want to drop your DNS record TTLs for all
> >>domains being moved to something very low several days before the
> >>switch-over period.
> >
> >More precisely, you want to change the TTL on the NS records, which are
> >in the parent zone.  If you're keeping the name but changing the
> >address, worry about the A records, too.
> 
> You also want to check all the registries which are superordinate to  
> zones your server is authoritative for, and check that any IP  
> addresses stored in those registries for your nameserver are updated,  
> otherwise you will experience either immediate or future glue madness.
> 
> A conservative approach to this kind of transition is to arrange for  
> your nameserver (or different nameservers hosting the same data) to  
> respond on both the old and new addresses, and to continue in that  
> mode until you see no queries directed at the old address for some  
> safe-seeming interval (bearing in mind TTLs and cached records,  
> alluded to by Steven and Sam).

being currently in the middle of such a safe, conservative 
transition leads me to believe that there will -NEVER-
be a point where there are no queries to the old address.
(he says, 24 months into a transition...)  The right 
tactic is to make the change, based on 2x the TTL of the SOA.

--bill
> 
> 
> Joe
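Three checks that follow from the advice in this thread, as an added example that is not part of the original posts: compare the glue each superordinate registry holds against the child zone's own A record (Joe's "glue madness"), generalize Bill's 2x-TTL rule to every TTL that can still cache the old address, and count queries per client still arriving at the old address so the "no queries for a safe interval" condition is measured. All addresses, records and the log line format are constructed sample data.

```python
# Added example, not from the thread: three checks for renumbering an
# authoritative nameserver.  All records, addresses and the log format
# below are constructed sample data, not any real zone or server log.
from collections import Counter

OLD_ADDR = "192.0.2.10"       # constructed (documentation prefix)
NEW_ADDR = "198.51.100.10"    # constructed

# Glue stored by each superordinate registry for our nameserver;
# one registry was not updated (constructed).
PARENT_GLUE = {
    "example.com": {"ns1.example.com": NEW_ADDR},
    "example.net": {"ns1.example.com": OLD_ADDR},   # stale glue
}
# The nameserver's A record as served by the child zone itself.
CHILD_A = {"ns1.example.com": NEW_ADDR}

def glue_mismatches(parent_glue=PARENT_GLUE, child_a=CHILD_A):
    """Return (parent_zone, nsname, glue_addr, child_addr) for each registry
    whose stored glue disagrees with the authoritative A record."""
    out = []
    for parent, glue in parent_glue.items():
        for ns, addr in glue.items():
            if child_a.get(ns) != addr:
                out.append((parent, ns, addr, child_a.get(ns)))
    return out

def cutover_wait_seconds(ttls):
    """Bill's 2x rule, generalized: wait twice the longest TTL that can
    still keep the old address cached (parent NS, glue A, child A, SOA)."""
    return 2 * max(ttls)

def queries_to_old_address(log_lines, old_addr=OLD_ADDR):
    """Count per-client queries still arriving at the old address, so the
    'no queries for a safe interval' condition is measured, not guessed.
    Constructed line format: 'client=<ip> dst=<ip> qname=<name>'."""
    counts = Counter()
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("dst") == old_addr:
            counts[fields["client"]] += 1
    return counts

SAMPLE_LOG = [  # constructed
    "client=203.0.113.5 dst=198.51.100.10 qname=www.example.com",
    "client=203.0.113.7 dst=192.0.2.10 qname=mail.example.com",
    "client=203.0.113.7 dst=192.0.2.10 qname=www.example.com",
]
```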


Re: Two Tiered Internet

2005-12-14 Thread bmanning

On Wed, Dec 14, 2005 at 11:39:51AM -0500, Hannigan, Martin wrote:
> > 
> > On Wed, Dec 14, 2005 at 04:59:44AM -0500, Hannigan, Martin wrote:
> > > 
> > > Since the model is based around cash, there is no perception
> > > except you pay, you get priority. 
> > > 
> > > Someone has to pay for the Internet. The users aren't.
> > 
> > hum... then what am i getting for my monthly 4000+
> > bills from telcos and ISPs for "data services" and 
> > "internet transit" services?  
> 
> 
> You don't get priority. :-)
> 
> -M<

but do i get "the Internet"?  ... your claim is that
i am not paying for it.  my bills indicate that i -am-
paying for it.  (regardless of priority... after all, the
Internet is "best-effort" ... and w/ QoS, i don't get that
anymore... i get the choice to buy crap instead of best effort...)
Best effort is the top-tier of the QoS/priority pyramid... as
sad as that is.

and as others have cleverly pointed out, what i really 
am buying is full employment for the AP departments of 
telco/isps.  :)

--bill


Re: Two Tiered Internet

2005-12-14 Thread bmanning

On Wed, Dec 14, 2005 at 04:59:44AM -0500, Hannigan, Martin wrote:
> 
> Since the model is based around cash, there is no perception
> except you pay, you get priority. 
> 
> Someone has to pay for the Internet. The users aren't.

hum... then what am i getting for my monthly 4000+
bills from telcos and ISPs for "data services" and 
"internet transit" services?  

--bill 
> 
> -M<
> 
> 


Re: BGP Security and PKI Hierarchies

2005-11-28 Thread bmanning

On Mon, Nov 28, 2005 at 11:48:13AM -0500, Sandy Murphy wrote:
> 
> Michael Dillon said:
> 
> >The fees are not charged for past services that were
> >received for free, only for future services.
> 
> So you are saying that legacy space holder who signed a membership
> agreement would not owe the usual yearly fee associated with their
> legacy space holdings but only those fees associated with any
> future address space allocations/assignments?  I imagine that would
> please the legacy space holders.
> 
> Do you know that this would be the case?  I'm not a registry
> canon law expert myself.

i believe Michael is extrapolating his ideal and
not the actual practice at RIRs.

--bill

> 
> --Sandy


Re: the future of the net

2005-11-16 Thread bmanning

 and it still is in mine  the print edition doesn't have 
 clickable links, but is also a fine resource.

--bill


On Wed, Nov 16, 2005 at 09:08:26PM -0500, Gordon Cook wrote:
> 
> I hit it right after randy posted it and read the whole thing...very  
> good very rich ...filled with links and yeah
> 
> now its gone and the text seems not to be retrievable from my cache.
> 
> Doc Searles will surely say what the heck happened???  spooky
> 
> and i agree with the kevin werbach quote - be very afraid.
> =
> The COOK Report on Internet Protocol, 431 Greenway Ave, Ewing, NJ  
> 08618 USA
> 609 882-2572 (PSTN) 415 651-4147 (Lingo) [EMAIL PROTECTED]  
> Subscription
> info: http://cookreport.com/subscriptions.shtml IMS and  an Internet
> Economic  & Business Model  at: http://cookreport.com/14.09.shtml
> =
> 
> 
> 
> 
> On Nov 16, 2005, at 8:53 PM, Randy Bush wrote:
> 
> >
> >
> >>Oh, the irony - all I get is:
> >>Access denied
> >>You are not authorized to access this page.
> >>I guess in the future the net is going to be exactly the same is it
> >>it now...
> >>
> >>>http://www.linuxjournal.com/article/8673
> >>>
> >
> >same here not half an hour after i read it at that url
> >
> >i guess the sbc ceo did not like the article.  too bad,
> >as the first third was *very* well framed, if a bit on
> >the hyperbolic.
> >
> >perhaps someone with connections at linuxjournal can
> >sort this out for us.  i'm a bsd user.
> >
> >randy
> >
> >
> >
> >


Re: the iab simplifies internet architecture!

2005-11-15 Thread bmanning

> >>Ops folks need to participate in the IETF.
> >because they want to sell what?  clue?  seems unmarketable.
> 
> So that they can affect the protocols that are going to be implemented 
> at a stage where they can still be modified to suit their needs, 
> scenarios, requirements, etc.
> 
> Options for changing the protocols are somewhat more limited (though 
> not zero) when the specs and code (those that don't address the needs 
> of a particular set of operators as-is, in any case) have already 
> shipped.

i think ops folks have leverage in slightly different ways.
for commodity products, i expect you are right. for high end
products, i have found that when i ask a vendor for certain features,
and am willing to give them money, they tend to treat those feature
requests with favor.  features may or may not be reflected as IETF
or other SDO based specifications.  in fact, recent events lead me
to believe that marketing groups from vendors, having done some 
market/customer research, are pressuring the engineering groups to
push certain specs in the IETF.  To have the actual customers show
up at the IETF and attempt to influence the specs directly will 
put the engineering folks in a bind. ...  believe the customer or
the marketing department? if a vendor ships code that does not meet
my needs or is harmful to my operations,  i will either dump the 
vendor or encourage them to build to my needs, regardless of the IETF.  

--bill

> 
> -- 
> Pekka Savola                 "You each name yourselves king, yet the
> Netcore Oy                    kingdom bleeds."
> Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings


Re: the iab simplifies internet architecture!

2005-11-14 Thread bmanning

On Mon, Nov 14, 2005 at 05:53:04AM -0800, Fred Baker wrote:
> I believe that it is attributable to John Hart, Vitalink, late  
> 1980's. If he didn't coin it, he sure quoted it a lot.
> 
> Radia would have said something more like "bridge within a campus and  
> route between them", I suspect.
> 
> On Nov 11, 2005, at 1:36 PM, [EMAIL PROTECTED] wrote:
> 
> > "bridge where you can, route where you must."  -- i forgot where  
> >this came from? Radia?


there was 3com in there somewhere too. (fond memories of Vitalink and a 
globally bridged network.  ARP storms have a special place in my heart)

the counter phrase was, of course, "route where you can, bridge where you must".

--bill


Re: IAB and "private" numbering

2005-11-12 Thread bmanning

On Sun, Nov 13, 2005 at 02:12:13AM +, Christopher L. Morrow wrote:
> 
> 'public routing table' == Internet

as seen from which ASN?  or are they all the same?
if you don't have a more specific, or a covering prefix
and are not deluding yourself (aka Sprint circa 1994
w/ the great 192.0.0.0/3 lie) does NOT mean you have
a full routing table... it just means you have a covering
prefix or more specific prefix from each of your peers...
  does not mean you have all routes tho.

> nothing more, nothing less. this is distinct from SIPRnet and some
> portions of NIPRnet, or other 'private' networks out there.

as alluded to earlier, "private" networks overtook the
"Internet" before...  it could happen again.  :)

--bill

