Re: ISP port blocking practice/Free Speech
Should we now look forward to deep technical opinions from law clerks?
Re: Nanog Mentioned in TED Video: Jonathan Zittrain
On Oct 25, 2009, at 5:56 PM, Patrick W. Gilmore wrote:

> On Oct 25, 2009, at 2:24 PM, Owen DeLong wrote:
>
>> On Oct 24, 2009, at 6:59 PM, Patrick W. Gilmore wrote:
>>
>>> On Oct 24, 2009, at 9:55 PM, Israel Lopez-LISTS wrote:
>>>
>>>> Remember when youtube went down? Mr. Zittrain briefly mentions nanog during his TED talk in July 2009.
>>>> http://www.ted.com/talks/jonathan_zittrain_the_web_is_a_random_act_of_kindness.html
>>>
>>> Been discussed. He's obviously wrong about some things. No one does anything without getting paid. But he is kinda right in some ways too.
>>
>> Lots of us actually do lots of things without getting paid.
>
> Mea culpa! You are (most obviously) correct. I meant to say "no one passes a packet without getting paid", specifically in response to his passing the beer in the stadium analogy.

Hurricane Electric offers free IPv6 transit to virtually anyone. We also provide IPv4 transit for free to a number of non-profit and community benefit organizations.

> While it is true there are a few packets passed without payment, I'm pretty sure it's 0% of the total, to several decimal places.

Maybe 2 or 3 decimal places, but, I honestly don't have the exact statistic.

Owen
Re: ingress filtering and multiple Internet connections
On Oct 25, 2009, at 4:58 PM, Joe Greco wrote:

>> Joe Greco wrote:
>>> There's a problem: I can validly emit a variety of other addresses, in particular any address in 206.55.64.0/20 and some other networks. I am not "forging" packets if I emit 206.55.64.0/20-sourced addresses down a Comcast pipe.
>>>
>>> How many people realistically have this problem? Well, potentially, lots. Anyone who uses a VPN could have a legitimate IP address on their machine; because of BCP38 (and other security policy) it is common for a VPN setup to forward Internet-bound traffic back to the VPN server rather than directly out the Internet. In some cases, one could reasonably argue that this is undesirable.
>>
>> I would like to take the opportunity to urge vendors of routers and firewalls to take extra special care and attention to make sure that The Right Thing can always happen whenever multiple egress services are employed.
>>
>> This means that policy routing for network AND ALL locally generated traffic should be available and work as the operator intends it to.
>>
>> Right now things still suck pretty hard, depending on what you are using.
>
> Who defines what "The Right Thing" is?
>
> Allowing (what are to the service provider) random IP's inbound, even if there's some mechanism to limit it, means that the ISP now has some additional responsibilities to be able to transport packets for space that isn't theirs; a transit upstream or peer might filter, especially for smaller service providers.
>
> Basically, allowing this dooms BCP38.

Allowing the operator the configuration OPTION in all cases is good. Rational defaults in favor of BCP-38 are acceptable. The inability to override those defaults is bad.

Owen
Re: ingress filtering and multiple Internet connections
On Oct 25, 2009, at 4:05 PM, Joe Maimon wrote:

> Joe Greco wrote:
>> There's a problem: I can validly emit a variety of other addresses, in particular any address in 206.55.64.0/20 and some other networks. I am not "forging" packets if I emit 206.55.64.0/20-sourced addresses down a Comcast pipe.
>>
>> How many people realistically have this problem? Well, potentially, lots. Anyone who uses a VPN could have a legitimate IP address on their machine; because of BCP38 (and other security policy) it is common for a VPN setup to forward Internet-bound traffic back to the VPN server rather than directly out the Internet. In some cases, one could reasonably argue that this is undesirable.
>
> I would like to take the opportunity to urge vendors of routers and firewalls to take extra special care and attention to make sure that The Right Thing can always happen whenever multiple egress services are employed.
>
> This means that policy routing for network AND ALL locally generated traffic should be available and work as the operator intends it to.

This includes the ability to turn OFF stateful inspection in all cases if desired, and, full ability to support asymmetrical (or Triangle) routing in cases where it is desired. Also, not breaking PMTU-D would be good.

> Right now things still suck pretty hard, depending on what you are using.

Indeed.

Owen
Re: Nanog Mentioned in TED Video: Jonathan Zittrain
On Oct 25, 2009, at 2:24 PM, Owen DeLong wrote:

> On Oct 24, 2009, at 6:59 PM, Patrick W. Gilmore wrote:
>
>> On Oct 24, 2009, at 9:55 PM, Israel Lopez-LISTS wrote:
>>
>>> Remember when youtube went down? Mr. Zittrain briefly mentions nanog during his TED talk in July 2009.
>>> http://www.ted.com/talks/jonathan_zittrain_the_web_is_a_random_act_of_kindness.html
>>
>> Been discussed. He's obviously wrong about some things. No one does anything without getting paid. But he is kinda right in some ways too.
>
> Lots of us actually do lots of things without getting paid.

Mea culpa! You are (most obviously) correct. I meant to say "no one passes a packet without getting paid", specifically in response to his passing the beer in the stadium analogy.

While it is true there are a few packets passed without payment, I'm pretty sure it's 0% of the total, to several decimal places.

Thank you for pointing out my error.

-- 
TTFN,
patrick

> We also do some things for which we get paid.
>
> Owen
Re: ingress filtering and multiple Internet connections
Joe Greco wrote:
>> Right now things still suck pretty hard, depending on what you are using.
>
> Who defines what "The Right Thing" is?

The right thing is to allow the operator to twiddle the knobs so that everything works properly with multiple internet connections specifically when the ISP is using BCP38.

> Basically, allowing this dooms BCP38.
>
> ... JG

Basically getting this wrong dooms BCP38.
Re: ingress filtering and multiple Internet connections
> Joe Greco wrote:
>> There's a problem: I can validly emit a variety of other addresses, in particular any address in 206.55.64.0/20 and some other networks. I am not "forging" packets if I emit 206.55.64.0/20-sourced addresses down a Comcast pipe.
>>
>> How many people realistically have this problem? Well, potentially, lots. Anyone who uses a VPN could have a legitimate IP address on their machine; because of BCP38 (and other security policy) it is common for a VPN setup to forward Internet-bound traffic back to the VPN server rather than directly out the Internet. In some cases, one could reasonably argue that this is undesirable.
>
> I would like to take the opportunity to urge vendors of routers and firewalls to take extra special care and attention to make sure that The Right Thing can always happen whenever multiple egress services are employed.
>
> This means that policy routing for network AND ALL locally generated traffic should be available and work as the operator intends it to.
>
> Right now things still suck pretty hard, depending on what you are using.

Who defines what "The Right Thing" is?

Allowing (what are to the service provider) random IP's inbound, even if there's some mechanism to limit it, means that the ISP now has some additional responsibilities to be able to transport packets for space that isn't theirs; a transit upstream or peer might filter, especially for smaller service providers.

Basically, allowing this dooms BCP38.

... JG

-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
Re: ISP port blocking practice
On Fri, Oct 23, 2009 at 04:19:23PM -0500, Lee Riemer wrote:
> Isn't blocking any port against the idea of Net Neutrality?

Which demonstrates just how relevant to reality such things are.

-- 
RSUC / GweepNet / Spunk / FnB / Usenix / SAGE
Re: ingress filtering and multiple Internet connections
Joe Greco wrote:
> There's a problem: I can validly emit a variety of other addresses, in particular any address in 206.55.64.0/20 and some other networks. I am not "forging" packets if I emit 206.55.64.0/20-sourced addresses down a Comcast pipe.
>
> How many people realistically have this problem? Well, potentially, lots. Anyone who uses a VPN could have a legitimate IP address on their machine; because of BCP38 (and other security policy) it is common for a VPN setup to forward Internet-bound traffic back to the VPN server rather than directly out the Internet. In some cases, one could reasonably argue that this is undesirable.

I would like to take the opportunity to urge vendors of routers and firewalls to take extra special care and attention to make sure that The Right Thing can always happen whenever multiple egress services are employed.

This means that policy routing for network AND ALL locally generated traffic should be available and work as the operator intends it to.

Right now things still suck pretty hard, depending on what you are using.

Joe
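The interaction this thread keeps circling (a host holding a legitimate address from 206.55.64.0/20 whose default route leaves via a BCP38-filtering consumer link, and the source-based policy routing for locally generated traffic that the posters ask vendors to expose) can be modelled in a few lines. This is an added example, not code from any poster or vendor; the provider prefixes and link names are constructed, and only 206.55.64.0/20 comes from the thread.

```python
import ipaddress
from typing import Dict, List, Tuple

IPNet = ipaddress.IPv4Network

# Constructed: what each upstream's BCP38 ingress filter accepts as a source
# on its link. The cable ISP only accepts the address it assigned (assumed
# 198.51.100.0/24); the VPN side accepts the thread's 206.55.64.0/20.
ISP_INGRESS_ALLOW: Dict[str, List[IPNet]] = {
    "cable": [ipaddress.ip_network("198.51.100.0/24")],
    "vpn": [ipaddress.ip_network("206.55.64.0/20")],
}


def bcp38_permits(egress: str, src: str) -> bool:
    """Model of the upstream's BCP38 ingress filter on one link: a packet is
    forwarded only if its source lies in a prefix legitimately behind that link."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ISP_INGRESS_ALLOW[egress])


def choose_egress(src: str, policy: List[Tuple[IPNet, str]], default: str) -> str:
    """Source-based policy routing: the first rule whose prefix contains the
    packet's source selects the egress; otherwise the default route is used.
    Applying this to locally generated packets too is the knob the thread wants."""
    addr = ipaddress.ip_address(src)
    for prefix, egress in policy:
        if addr in prefix:
            return egress
    return default


def deliver(src: str, policy: List[Tuple[IPNet, str]], default: str = "cable") -> Tuple[str, bool]:
    """Return (egress chosen, whether the upstream's BCP38 filter passes it)."""
    egress = choose_egress(src, policy, default)
    return egress, bcp38_permits(egress, src)


# Without a source rule every packet takes the default route, so anything
# sourced from the VPN-side address is silently dropped by the cable ISP.
NO_POLICY: List[Tuple[IPNet, str]] = []
# With one rule, traffic sourced from the VPN prefix is steered into the tunnel.
SRC_POLICY: List[Tuple[IPNet, str]] = [(ipaddress.ip_network("206.55.64.0/20"), "vpn")]

if __name__ == "__main__":
    for src in ("198.51.100.7", "206.55.70.9"):
        for name, policy in (("no policy", NO_POLICY), ("source policy", SRC_POLICY)):
            egress, ok = deliver(src, policy)
            print(f"{name:13} src={src:13} egress={egress:5} {'passes' if ok else 'DROPPED by BCP38'}")
```

The same source-keyed lookup is what `ip rule add from <prefix> table N` does on a Linux gateway; the model shows why the rule has to cover the host's own packets, not just forwarded ones.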
Re: What should ISPs ASPs MSPs xSPs do?
Sean Donelan wrote:
> Other than the usual damned if they do, damned if they don't; is there any rough consensus about some practical things ISPs, ASPs, MSPs, xSPs (and customers/users) should do or should not do?

It depends mostly on the environment they operate under, which needs to take into account the vagaries of their customer base. You will need to define things a whole lot better to get rough consensus on any specifics. Act locally, think globally is probably the best you can get otherwise.

> Or is it just rough consensus what other people should do, but you'll get upset if that rough consensus stopped you from doing something?
>
> Stop stuff you don't like immediately, anytime of the day or night; but give you years to fix your stuff even if it is hurting other people's stuff.

That's just human nature.
What should ISPs ASPs MSPs xSPs do?
Other than the usual damned if they do, damned if they don't; is there any rough consensus about some practical things ISPs, ASPs, MSPs, xSPs (and customers/users) should do or should not do?

Or is it just rough consensus what other people should do, but you'll get upset if that rough consensus stopped you from doing something?

Stop stuff you don't like immediately, anytime of the day or night; but give you years to fix your stuff even if it is hurting other people's stuff.
Re: ISP port blocking practice/Free Speech
> Your scholar is wrong -- or he is giving the simplified explanation for children and others incapable of rational thought and understanding, and you are believing the summary because it is simpler for you than understanding the underlying rationale.

Ah, the classic nerd legal misconception. Laws are not software, because they are interpreted by politicians and judges, not CPU chips.

Dartmouth has a fine tradition of legal scholarship dating back at least to Daniel Webster, and he knows what he is talking about. There is plenty of documentation of the way that judges around the country interpret the First Amendment, and if you look, you will find that his description is the way they interpret it. You are of course welcome to interpret the law any way you want, but don't expect to impress any courts with your theories.

ObOperations: Since ISPs are not government actors, the First Amendment doesn't apply unless we get intrusive Net Neut laws.

R's,
John

PS: I used to be the mayor of my small municipality, and we learned quite a lot about the First Amendment as applied when we tried to revise our sign ordinance.
Re: Nanog Mentioned in TED Video: Jonathan Zittrain
On Oct 24, 2009, at 6:59 PM, Patrick W. Gilmore wrote:

> On Oct 24, 2009, at 9:55 PM, Israel Lopez-LISTS wrote:
>
>> Remember when youtube went down? Mr. Zittrain briefly mentions nanog during his TED talk in July 2009.
>> http://www.ted.com/talks/jonathan_zittrain_the_web_is_a_random_act_of_kindness.html
>
> Been discussed. He's obviously wrong about some things. No one does anything without getting paid. But he is kinda right in some ways too.

Lots of us actually do lots of things without getting paid. We also do some things for which we get paid.

Owen
RE: ISP port blocking practice/Free Speech
Your scholar is wrong -- or he is giving the simplified explanation for children and others incapable of rational thought and understanding, and you are believing the summary because it is simpler for you than understanding the underlying rationale.

Notice that in both cases your presumption of prohibition is based on the actualization of a consequence. It is the intentional causing of the consequence that is the Criminal Act, and not the method by which that consequence is actualized. In other words, it is the causing of panic, mayhem and injury that is the Criminal Act which cannot be saved by your first amendment protections, and the shouting FIRE is but an example of an item WHICH MAY CAUSE such a result. It is not the shouting FIRE which is wrong, it is the mayhem that it causes.

In any event of the cause, prior restraint is prohibited in any system of positive law. (Though I have already pointed out that both the UK and the United States are no longer systems of positive law, but rather have become Fascist Dictatorships and a priori prohibition is a hallmark of such regimes).

Anyway, if you fail to understand cause and effect and the difference between them when you have obviously passed the age of four years, it is unlikely that I will be able to educate you at this point in your life. This is OT and we will not continue this any further.

-- 
()  ascii ribbon campaign against html e-mail
/\  www.asciiribbon.org

> -Original Message-
> From: Richard E. Brown [mailto:richard.e.br...@dartware.com]
> Sent: Sunday, 25 October, 2009 10:05
> To: nanog@nanog.org
> Subject: RE: ISP port blocking practice/Free Speech
>
>>> Free speech doesn't include the freedom to shout fire in a crowded theatre.
>>
>> It most certainly does! There is absolutely nothing to prevent one from shouting "FIRE" in a crowded theatre.
>
> Actually, it doesn't. When I was on-staff at the computer center at Dartmouth, our provost also happened to be a first-amendment scholar, and he gave us an impromptu speech about the first amendment at a staff meeting :-)
>
> The US Supreme Court recognizes a couple exceptions to the broad permission to speak freely:
>
> - Shouting fire in a crowded theater is explicitly prohibited because of the obvious danger and risk of injury.
>
> - "Fighting words", that "by their very utterance inflict injury or tend to incite an immediate breach of the peace". [Wikipedia] The example he gave was this: someone standing on a soapbox in Hanover NH, saying that we should storm the gates in Washington and burn the place down is just exercising their free speech rights - there's no credible *imminent* threat. However, standing there and saying that we should burn down the Town Hall could clearly be believed to be a real threat, and the government would be justified in stepping in.
>
> Rich Brown                    richard.e.br...@dartware.com
> Dartware, LLC                 http://www.dartware.com
> 66-7 Benning Street           Telephone: 603-643-9600
> West Lebanon, NH 03784-3407   Fax: 603-643-2289
RE: ISP port blocking practice/Free Speech
>> Free speech doesn't include the freedom to shout fire in a crowded theatre.
>
> It most certainly does! There is absolutely nothing to prevent one from shouting "FIRE" in a crowded theatre.

Actually, it doesn't. When I was on-staff at the computer center at Dartmouth, our provost also happened to be a first-amendment scholar, and he gave us an impromptu speech about the first amendment at a staff meeting :-)

The US Supreme Court recognizes a couple exceptions to the broad permission to speak freely:

- Shouting fire in a crowded theater is explicitly prohibited because of the obvious danger and risk of injury.

- "Fighting words", that "by their very utterance inflict injury or tend to incite an immediate breach of the peace". [Wikipedia] The example he gave was this: someone standing on a soapbox in Hanover NH, saying that we should storm the gates in Washington and burn the place down is just exercising their free speech rights - there's no credible *imminent* threat. However, standing there and saying that we should burn down the Town Hall could clearly be believed to be a real threat, and the government would be justified in stepping in.

Rich Brown                    richard.e.br...@dartware.com
Dartware, LLC                 http://www.dartware.com
66-7 Benning Street           Telephone: 603-643-9600
West Lebanon, NH 03784-3407   Fax: 603-643-2289
Re: {SPAM?} Re: IPv6 Deployment for the LAN
Could have been a server in drag? ;)

Karl Auer wrote:
> On Fri, 2009-10-23 at 20:48 -0700, Joel Jaeggli wrote:
>> the mac address of the rouge server
>
> It's R-O-G-U-E - rogue.
>
> Rouge is French for red and English for red make-up.
>
> Regards, K.
application recommendation
Hey guys, I have a need for your candid opinion.

I am searching for an enterprise sized application (commercial or otherwise) that can accomplish diversified network access from the inside. This is roughly the situation:

A diversified very large (multinational) enterprise, consisting of a multitude of local networks. Each of the local networks provides direct hard-wired local and Internet access with our equipment to our employees. Our company has many third-party users. We would want to provide to the latter (after a secure admission session) Internet access with their own equipment through our (the same hard-wired) connection (and subsequently with our firewall services and using our corporate endpoint security), but no access to the internal/local networks.

Which application would accomplish this? Appreciating your recommendations.

Best,
Jack

Jack Ryan
Network Architecture
National Railway System
nso...@gmail.com
Re: {SPAM?} Re: IPv6 Deployment for the LAN
On Sun, 25 Oct 2009 17:33:34 +1100 Karl Auer wrote:
> On Fri, 2009-10-23 at 20:48 -0700, Joel Jaeggli wrote:
>> the mac address of the rouge server
>
> It's R-O-G-U-E - rogue.
>
> Rouge is French for red and English for red make-up.

Also the colour of the faces of angry net admins when they discover a rogue, possibly rouge coloured server.

> Regards, K.
>
> -- 
> ~~~
> Karl Auer (ka...@biplane.com.au) +61-2-64957160 (h)
> http://www.biplane.com.au/~kauer/ +61-428-957160 (mob)
>
> GPG fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF