Re: Weekend Gedankenexperiment - The Kill Switch

2011-02-03 Thread Hank Nussbacher

On Thu, 3 Feb 2011, Ryan Wilkins wrote:


 Original Message -

What do you do when you get home to put it back on the air -- let's
say email as a base service, since it is -- do you have the gear laying around,
and how long would it take?


Focus on this part, BTW, folks; let's ignore the politics behind the
shutdown.  :-)


1.  I always keep a printed copy of all email and cellphone contacts that
   I normally would have access to online.

2.  Critical is contacting your users.  Normally your company has its
   mailing list but that is now down.  You could set up a new list via
   Google groups or Yahoogroups or even your own Mailman on a VPS, but
   what about the list of users?  Always keep an updated exported list of
   your users on a DoK so you can rebuild later.

3.  Website: as above, keep a duplicate copy of your basic HTML pages on
   some DoK that you can take with you.  Have the user+pswd to your
   registrar so you can repoint your DNS to some new site you now set up
   with the new updated info about your downtime.

-Hank



Re: Weekend Gedankenexperiment - The Kill Switch

2011-02-03 Thread JC Dill

 On 03/02/11 10:38 PM, Paul Ferguson wrote:


And as an aside, governments will always believe that they can control
the flow of information, when push comes to shove.

This has always been a hazard, and will always continue to be so.

As technologists, we need to be cognizant of that fact.


In the US, by accident (surely not by design) we are lucky that our 
network of networks does not have the convenient 4 chokepoints that the 
Egyptian network had, making it easy for the government to shut off the 
entire internet by putting pressure on just 4 companies.


Where we *really* need to be fighting this battle is in the laws and 
policies that are producing a duopoly in much of the US where consumers 
have 2 choices, the ILEC for DSL or their local cableco for Cable 
Internet.  As these companies push smaller competing ISPs out of 
business, and as they consolidate (e.g. Cablecos buying each other up, 
resulting in fewer and fewer cablecos over time), we head down the 
direction of Egypt, where pressure on just a few companies CAN shut down 
the entire internet.  Otherwise we end up with a few companies that will 
play Visa and PayPal and roll over and play dead when a government 
official says "Wikileaks is bad" - and equally easily will shut down 
their entire networks for "national security".


If you *really* believe that the TSA is effective, you would be in favor 
of an Internet Kill Switch.  If you understand that this is really 
security theater, and despite all the inconvenience we aren't really any 
safer, then you should equally be very concerned that someone ever has 
the power to order that the internet be "shut down" for our safety.


jc




Re: And so it ends...

2011-02-03 Thread Jimmy Hess
On Thu, Feb 3, 2011 at 1:34 PM, Jay Ashworth  wrote:
> I strongly suspect that his question is actually "Does ARIN have any
> enforceable legal authority to compel an entity to cease using a
> specific block of address space, absent a contract?"

ARIN has about as much to do with legally compelling an entity (who
has signed no contract with ARIN) to stop using a block of IP address
space, as a DNSBL has to do with compelling some random spammer to
stop attempting to send spam.

What keeps people using only IPs they were allocated by a registry are the
network policies of cooperating networks who are independent of ARIN (aside
from possibly receiving an assignment of their own from ARIN).  The RIRs and
IANA have not been shown to have any legally enforceable authority of their
own to stop an IP network from using IPs not assigned by the registry, or to
prevent someone from starting to use IPs already assigned by the RIR to
someone else.

If you need examples; look at all the unofficial usage of 1.0.0.0/8 and
5.0.0.0/8 in private networks, that the RIRs did not attempt to compel anyone
to stop.

ARIN does not appear to directly legally compel any entity to cease using any
specific block of address space.  Neither is any other RIR in the business of
'enforcing' that only a registrant uses the IPs, nor does the registry detect
if a wrong entity is using the IPs.

Neither does any internet registry  promise that allocations can be
routed on the public internet.

You can ignore the RIRs and use whatever IP addresses you want, at your own
peril.  That peril is not created by any RIR, however; the "peril" is the
community response, and response by other organizations you rely on for
connectivity.


Neither does any internet registry promise that allocations will be unique on
the public internet.  A competing (non-cooperating) registry could have made a
conflicting assignment.  The RIRs can only make promises about uniqueness
within their own allocations, and that they made the allocations within
address space they were delegated by other registries according to their
policies.


The only thing a registration tells you, the registrant, is that this
particular registry administers a database containing that block of IPs, and
you are the only organization currently assigned that IP space _by that
registry_.

If you as a network operator do not cooperate with IANA, then perhaps you
create your own registry, and just use whatever IP addresses you want.
However, other networks may refuse to interconnect with you due to their
policies determining that to be "improper addressing".



It is not as if ARIN has a policy of looking for hijacked/unofficial
announcements of address space and dispatching an army of lawyers with 'cease
and desist' letters.

Instead, what happens is members of the internet community investigate IP
space and AS numbers before turning up new interconnections, and decide on
their own which blocks to route, based on the peering network's request.
Internet connected networks will find the entry in the IANA database for the
/8 the requested prefix resides in, find delegation to ARIN, look in the ARIN
WHOIS database, and then make a decision to route the blocks or not.

The new peer might be required to show correct current registry delegation of
the block, authorization from the contact listed in the database, OR merely
sign a promise that they will only originate prefixes assigned to them through
IANA or a RIR recognized by IANA, BUT the registry operator, ARIN itself, is
not the entity that imposes any specific requirement.


If IP address space is legacy and not properly kept up to date in the registry
under current RIR policies, then some community members might choose to reject
or disallow their use by a peer, based on their own internal routing policies.



Also, many members of the community rely on the ICANN delegated DNS root for
all DNS lookups.  The .ARPA TLD servers refer to ARIN for Reverse DNS, which is
important for adequate SMTP operation; in many mail environments, lack of
proper reverse DNS can lead to mail being rejected.

If IP address spaces appear to be used by a person other than the registrant,
the listed registrant might submit complaints to ISPs in order to act
according to their network's routing policies; if their policy is to recognize
ARIN's listings as the authoritative ones, they might even turn off prior
users of the IP addresses.


There is the RPKI pilot.  In the future, members of the community may
authenticate resource assignment through resource certification according to
the policies of the accepted registry, through cryptographic methods.

That would certainly give ICANN, IANA, and the RIRs stronger technical
enforcement powers.  It's even conceivable this could be used in the future to
"Revoke such and such evil outside country network's Resource certificates"
(so they will be forcibly disconnected).


But it's still n

Re: And so it ends...

2011-02-03 Thread Robert Bonomi

> Subject: Re: And so it ends...
> From: David Conrad 
> Date: Thu, 3 Feb 2011 15:42:01 -1000
> Cc: NANOG list 
> To: Robert Bonomi 
>
> Robert,
>
> On Feb 3, 2011, at 12:34 PM, Robert Bonomi wrote:
> > Absolutely *NOT*.  Their unique status derives from the actions of a 
> > contractor "faithfully executing" its duties on the behalf of the U.S. 
> > Gov't.  'Antitrust' does not apply to the Gov't, nor to those acting on 
> > its behalf, nor to anyone operating a government-sanctioned monopoly.
>
> As far as I am aware, the USG contract is with ICANN, not ARIN (see  
> http://www.ntia.doc.gov/ntiahome/domainname/iana/ianacontract_081406.pdf, 
> section C.2.2.1.3).

Correct.  _They_ can delegate "as they see fit", with no requirement
to provide competing alternatives.  ARIN, the delegatee, is not the 
'monopolist' -- the party controlling the situation -- they are just a
delegatee of the party who has the monopoly position.  Any action to
"enforce" competition would be against the monopolist -- the authority
who _delegates_ operations, ICANN.  Which doesn't fly for the reasons
stated.

Basically, you cannot force a RIR to share with others that which they get
from somebody else.  To enforce competition, you would have to force the
party who 'controls' the distribution to also provide the thing to the
aforementioned 'somebody else' (singular or plural).  Which one cannot 
do under Sherman, when that party is a government actor.

>
> >> What about the other RIRs worldwide?
> > They're outside U.S. jurisdiction.  Sherman Act 2 is irrelevant to 
> > their operation.
>
> The question was about other RIRs.  Other countries have 
> anti-monopoly/anti-cartel laws.

Irrelevant and immaterial to the operation of ICANN.  


ICANN "controls" everything, under the auspices of the U.S.G.  They have
issued 'territory-protected franchises' to a limited number of parties.

You cannot force the franchisee to 'share' their franchise.  You have to go
after the franchisor, and force -them- to issue competing franchises.

Nothing prevents anyone in the 'territory' of one franchisee from attempting
to do business with a different franchisee.  

*IF* the franchisees agree among themselves not to deal with anyone that is
not within the limits of their protected territory, _that_ could be a 
proscribed anti-competitive practice *by*the*franchisee*.

IF, on the other hand, the 'grant of franchise' allows them to 'sell' only
to parties in the defined territory, a refusal to deal with an extra-
territorial party is -not- an anti-competitive act by the franchisee.
In this situation, one would have to act against the franchisor.  Who is
exempt as a government actor.


>
> Regards,
> -drc
>
>



RE: Significant Announcement (re: IPv4) 3 February - Watch it Live!

2011-02-03 Thread Frank Bulk
It started at 9:25 am -- I normally tune in to online videos late, but I'm
glad I checked earlier.

Frank

-Original Message-
From: Patrick W. Gilmore [mailto:patr...@ianai.net] 
Sent: Thursday, February 03, 2011 9:29 AM
To: NANOG list
Subject: Re: Significant Announcement (re: IPv4) 3 February - Watch it Live!

On Feb 3, 2011, at 9:58 AM, Antonio Querubin wrote:
> On Thu, 3 Feb 2011, Randy Carpenter wrote:
> 
>> It didn't work too bad.  Does anyone know why it was pretty much over at
>> 9:30, when they said it would start? Did they start a half-hour early or
>> something?
> 
> I think that was just the ceremony for handing out the last /8s and it
> went very quickly.  The press conference starts at 10:00.

It definitely started at 9:30, and it was very short.

Boring actually.  But that's the way it should have been.  Not like this was
a surprise.  Even the reporter from ZDNet asked "since we gave out the last
2 to APNIC last week, why is this day important?"  If ZDNet gets it, NANOG
(actually *NOG) members should as well.

That said, I guess just like when any long time friend leaves us, we should
have a ceremony to mark the passing.

-- 
TTFN,
patrick





Re: Weekend Gedankenexperiment - The Kill Switch

2011-02-03 Thread Paul Ferguson

On Thu, Feb 3, 2011 at 10:34 PM, Martin Millnert 
wrote:

>
> Essentially, I'm not seeing the upside in assuming any state will
> always be good, forever and always.  And it boils down to what's been
> discussed earlier: centralizing control of the Internet, whether
> political or technical, makes it less robust to failures and more
> prone to abuse/attack, as the value of a single point or target
> increases.
>

In this, we completely agree.

And as an aside, governments will always believe that they can control
the flow of information, when push comes to shove.

This has always been a hazard, and will always continue to be so.

As technologists, we need to be cognizant of that fact.

- ferg



-- 
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: Weekend Gedankenexperiment - The Kill Switch

2011-02-03 Thread Martin Millnert
Paul,

a key piece in the article is on the second page:
"In fact, a lot of what the bill provides for are a very good ideas.
The bill sets out the concept that cyberspace is a strategic asset for
the United States and needs to be protected like any other strategic
asset. This is good.

The bill also acknowledges that we’re likely to come under severe
attack and need to have a way to respond. We also need to have a
single point of authority to make sure we respond in a coordinated
way, instead of having all of America’s security forces working at
cross-purposes. That single point of authority is the President. This
makes sense."


In all seriousness here, I wonder how the Egyptian law was worded,
that allowed them to legally (let's assume so) send out propaganda
text messages through all mobile operators (force operators to
comply), and even shut down the Internet (force operators to comply).

It is fully possible that the law says something very similar to that
above, that when the state is under stress or attack (by its own storm
troopers...), the state is allowed to step in to take protective
measures, all in the good interest of the state, authorized by their
single point of authority.

This is a dangerous design, specifically as it assumes that the state
under all circumstances is good which most observers will note,
especially now, that states cannot be assumed to be, forever and
always.

Essentially, I'm not seeing the upside in assuming any state will
always be good, forever and always.  And it boils down to what's been
discussed earlier: centralizing control of the Internet, whether
political or technical, makes it less robust to failures and more
prone to abuse/attack, as the value of a single point or target
increases.


This sub-thread is a bit off-topic, and to the thread starter I only
suggest you look into the Egypt situation/operations a bit, but I
guess that's where you got your inspiration for the question anyway.
:)

Cheers,
Martin

On Fri, Feb 4, 2011 at 12:32 AM, Paul Ferguson  wrote:
>
> On Thu, Feb 3, 2011 at 9:27 PM, Mark Newton 
> wrote:
>
>>
>> On 04/02/2011, at 3:43 PM, Paul Ferguson wrote:
>>
>>> On Thu, Feb 3, 2011 at 9:09 PM, Mark Newton 
>>> wrote:
>>>

 On 04/02/2011, at 2:13 PM, Jay Ashworth wrote:

> An armed FBI special agent shows up at your facility and tells your
> ranking manager to "shut down the Internet".

 Turn off the room lights, salute, and shout, "Mission Accomplished."
 The FBI dude with the gun won't know the difference.

>>>
>>> No. The correct answer is that in the U.S., if the Agent in question has
>>> a valid subpoena or N.S.L., you must comply.
>>
>> Subpoenas and NSLs are used to gather information, not to shut down
>> telcos.  They're just an enforceable request for records.
>>
>> Considering that politicians in the US have suggested that they need
>> "kill switch" legislation passed before they can do it, and further
>> considering that "kill switch" legislation doesn't currently exist,
>> what lawful means do you anticipate an FBI special agent to rely on
>> in making such a request?
>>
>> I'm not actually in the US.  In a question arising from the Egypt
>> demonstrations earlier this week, Australia's Communications Minister
>> said he didn't think the law as written at the moment provided the
>> government with the lawful ability to shut down telecommunications
>> services.
>> http://delimiter.com.au/2011/02/03/no-internet-kill-switch-for-australia-says-conroy/
>>
>
> I share your sentiment.
>
> One of the best commentaries I have read lately on this issue was earlier
> today:
>
> http://www.zdnet.com/blog/government/ive-changed-my-mind-america-must-never-allow-an-internet-kill-switch-heres-why/9982
>
> Worth a quick read.
>
> - ferg
>
>
> --
> "Fergie", a.k.a. Paul Ferguson
>  Engineering Architecture for the Internet
>  fergdawgster(at)gmail.com
>  ferg's tech blog: http://fergdawg.blogspot.com/
>
>



Re: Weekend Gedankenexperiment - The Kill Switch

2011-02-03 Thread Paul Ferguson

On Thu, Feb 3, 2011 at 10:07 PM, George Bonser  wrote:

>
> The federal government clearly has the authority to manage
> communications across the border of the country and between states but
> it would be questionable if the federal government has the authority to
> manage any communications completely within a state.  Do they have the
> authority to tell me to turn down a connection that terminates within
> the same state that I am in?
>
> Sure, they would have the authority to tell me to turn down any
> international tunnels I might have running or a point-to-point that
> crosses state lines but I doubt they have the authority to tell me to
> turn down a cross-connect terminating in the same building.  That would
> be the jurisdiction of state authority, not federal.
>

I am making no argument to the contrary.

But I should caution you that there are forces at work currently which are
making motions to federalize this authority.

I think we all should be deeply concerned -- some of this
pandering/politicizing/scare-mongering can have ill effects.

- ferg






-- 
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/



RE: Weekend Gedankenexperiment - The Kill Switch

2011-02-03 Thread George Bonser
> No. The correct answer is that in the U.S., if the Agent in question
> has a
> valid subpoena or N.S.L., you must comply. If he doesn't, then you do
> not
> have to comply.
> 
> I cannot answer for any other jurisdiction.
> 
> Also, make sure you have staff attorneys well-versed in Internet law
--
> you'll need them either way.
> 
> - ferg

The federal government clearly has the authority to manage
communications across the border of the country and between states but
it would be questionable if the federal government has the authority to
manage any communications completely within a state.  Do they have the
authority to tell me to turn down a connection that terminates within
the same state that I am in?  

Sure, they would have the authority to tell me to turn down any
international tunnels I might have running or a point-to-point that
crosses state lines but I doubt they have the authority to tell me to
turn down a cross-connect terminating in the same building.  That would
be the jurisdiction of state authority, not federal.





Re: Weekend Gedankenexperiment - The Kill Switch

2011-02-03 Thread Paul Ferguson

On Thu, Feb 3, 2011 at 9:27 PM, Mark Newton 
wrote:

>
> On 04/02/2011, at 3:43 PM, Paul Ferguson wrote:
>
>> On Thu, Feb 3, 2011 at 9:09 PM, Mark Newton 
>> wrote:
>>
>>>
>>> On 04/02/2011, at 2:13 PM, Jay Ashworth wrote:
>>>
 An armed FBI special agent shows up at your facility and tells your
 ranking manager to "shut down the Internet".
>>>
>>> Turn off the room lights, salute, and shout, "Mission Accomplished."
>>> The FBI dude with the gun won't know the difference.
>>>
>>
>> No. The correct answer is that in the U.S., if the Agent in question has
>> a valid subpoena or N.S.L., you must comply.
>
> Subpoenas and NSLs are used to gather information, not to shut down
> telcos.  They're just an enforceable request for records.
>
> Considering that politicians in the US have suggested that they need
> "kill switch" legislation passed before they can do it, and further
> considering that "kill switch" legislation doesn't currently exist,
> what lawful means do you anticipate an FBI special agent to rely on
> in making such a request?
>
> I'm not actually in the US.  In a question arising from the Egypt
> demonstrations earlier this week, Australia's Communications Minister
> said he didn't think the law as written at the moment provided the
> government with the lawful ability to shut down telecommunications
> services.
> http://delimiter.com.au/2011/02/03/no-internet-kill-switch-for-australia-says-conroy/
>

I share your sentiment.

One of the best commentaries I have read lately on this issue was earlier
today:

http://www.zdnet.com/blog/government/ive-changed-my-mind-america-must-never-allow-an-internet-kill-switch-heres-why/9982

Worth a quick read.

- ferg


-- 
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: Weekend Gedankenexperiment - The Kill Switch

2011-02-03 Thread Paul Ferguson

On Thu, Feb 3, 2011 at 9:26 PM, Matthew Moyle-Croft 
wrote:

>
> On 04/02/2011, at 3:43 PM, Paul Ferguson wrote:
>
> Also, make sure you have staff attorneys well-versed in Internet law --
> you'll need them either way.
>
>
> The Internet has its own law now?

The Internet is not immune to the law, as you should well know. In fact,
the Internet seems to be a legal "proving ground" these days, so word to
the wise.

- ferg



-- 
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: Weekend Gedankenexperiment - The Kill Switch

2011-02-03 Thread Mark Newton

On 04/02/2011, at 3:43 PM, Paul Ferguson wrote:

> On Thu, Feb 3, 2011 at 9:09 PM, Mark Newton 
> wrote:
> 
>> 
>> On 04/02/2011, at 2:13 PM, Jay Ashworth wrote:
>> 
>>> An armed FBI special agent shows up at your facility and tells your
>>> ranking manager to "shut down the Internet".
>> 
>> Turn off the room lights, salute, and shout, "Mission Accomplished."
>> The FBI dude with the gun won't know the difference.
>> 
> 
> No. The correct answer is that in the U.S., if the Agent in question has a
> valid subpoena or N.S.L., you must comply.

Subpoenas and NSLs are used to gather information, not to shut down
telcos.  They're just an enforceable request for records.

Considering that politicians in the US have suggested that they need
"kill switch" legislation passed before they can do it, and further
considering that "kill switch" legislation doesn't currently exist,
what lawful means do you anticipate an FBI special agent to rely on
in making such a request?

I'm not actually in the US.  In a question arising from the Egypt
demonstrations earlier this week, Australia's Communications Minister
said he didn't think the law as written at the moment provided the
government with the lawful ability to shut down telecommunications
services.
http://delimiter.com.au/2011/02/03/no-internet-kill-switch-for-australia-says-conroy/


  - mark

--
Mark Newton   Email:  new...@internode.com.au (W)
Network Engineer  Email:  new...@atdot.dotat.org  (H)
Internode Pty Ltd Desk:   +61-8-82282999
"Network Man" - Anagram of "Mark Newton"  Mobile: +61-416-202-223








Re: Weekend Gedankenexperiment - The Kill Switch

2011-02-03 Thread Matthew Moyle-Croft

On 04/02/2011, at 3:43 PM, Paul Ferguson wrote:


Also, make sure you have staff attorneys well-versed in Internet law --
you'll need them either way.


The Internet has its own law now?

MMC

--
Matthew Moyle-Croft
Peering Manager and Team Lead - Commercial and DSLAMs
Internode /Agile
Level 5, 150 Grenfell Street, Adelaide, SA 5000 Australia
Email: m...@internode.com.au  Web: http://www.on.net
Direct: +61-8-8228-2909  Mobile: +61-419-900-366
Reception: +61-8-8228-2999  Fax: +61-8-8235-6909



Re: Weekend Gedankenexperiment - The Kill Switch

2011-02-03 Thread Paul Ferguson

On Thu, Feb 3, 2011 at 9:09 PM, Mark Newton 
wrote:

>
> On 04/02/2011, at 2:13 PM, Jay Ashworth wrote:
>
>> An armed FBI special agent shows up at your facility and tells your
>> ranking manager to "shut down the Internet".
>
> Turn off the room lights, salute, and shout, "Mission Accomplished."
> The FBI dude with the gun won't know the difference.
>

No. The correct answer is that in the U.S., if the Agent in question has a
valid subpoena or N.S.L., you must comply. If he doesn't, then you do not
have to comply.

I cannot answer for any other jurisdiction.

Also, make sure you have staff attorneys well-versed in Internet law --
you'll need them either way.

- ferg



-- 
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: Weekend Gedankenexperiment - The Kill Switch

2011-02-03 Thread Mark Newton

On 04/02/2011, at 2:13 PM, Jay Ashworth wrote:

> An armed FBI special agent shows up at your facility and tells your ranking
> manager to "shut down the Internet".

Turn off the room lights, salute, and shout, "Mission Accomplished."
The FBI dude with the gun won't know the difference.

  - mark

--
Mark Newton   Email:  new...@internode.com.au (W)
Network Engineer  Email:  new...@atdot.dotat.org  (H)
Internode Pty Ltd Desk:   +61-8-82282999
"Network Man" - Anagram of "Mark Newton"  Mobile: +61-416-202-223








Re: Weekend Gedankenexperiment - The Kill Switch

2011-02-03 Thread Ryan Wilkins

On Feb 3, 2011, at 10:10 PM, Jay Ashworth wrote:

>  Original Message -
>> What do you do when you get home to put it back on the air -- let's
>> say email as a base service, since it is -- do you have the gear laying 
>> around,
>> and how long would it take?
> 
> Focus on this part, BTW, folks; let's ignore the politics behind the
> shutdown.  :-)
> 

So if I get what you're saying, I could have something operational from scratch 
in a few hours.  I've got a variety of Cisco routers and switches, Linux and 
Mac OS X boxes in various shapes and sizes, and a five CPE + one AP 5 GHz 
Mikrotik RouterOS-based radio system, 802.11b/g wireless AP, 800' of Cat 5e 
cable, connectors, and crimpers.  The radios, if well placed, could allow me to 
connect up several strategic locations, or perhaps use them to connect to other 
sources of Internet access, if available.  If it really came down to it, I 
could probably gather enough satellite communications gear from the office to 
allow me to stand up satellite Internet to someone.  Of course, the trick would 
be to talk to that "someone" to coordinate connectivity over the satellite 
which may be hard to do given the communications outage you described.  I 
wouldn't be so worried about transmitting to the satellite, in this case I'd 
just transmit without authorization, but someone needs to be receiving my 
transmission and vice versa for this to be useful.  At a minimum, I could 
enable communications between my neighbors.

Regards,
Ryan Wilkins





Re: You Tube Problems

2011-02-03 Thread Joly MacFie
This is only in the last week or so.

What might be a possibility is that YouTube is actually choking under the
demand for Egypt related footage, nearly all of which is hosted on the site.

j

On Thu, Feb 3, 2011 at 11:13 PM, William Pitcock
wrote:

> On Fri, 4 Feb 2011 16:37:55 +1300 (FJST)
> Franck Martin  wrote:
>
> > Any relation?
> >
> >
> http://mobile.slashdot.org/story/11/02/04/0043234/Verizon-To-Throttle-High-Bandwidth-Users
>
> No, that has to do with wireless users, not DSL.  Wireless is an
> entirely different part of the Verizon empire.
>
> William
>



-- 
---
Joly MacFie  218 565 9365 Skype:punkcast
WWWhatsup NYC - http://wwwhatsup.com
 http://pinstand.com - http://punkcast.com
  VP (Admin) - ISOC-NY - http://isoc-ny.org
---


Re: Weekend Gedankenexperiment - The Kill Switch

2011-02-03 Thread Joe Provo
On Thu, Feb 03, 2011 at 10:43:09PM -0500, Jay Ashworth wrote:
> An armed FBI special agent shows up at your facility and tells your ranking
> manager to "shut down the Internet".

legal paperwork or pound sand.  [very small hurdle, pathetic how many
LEOs seek to avoid it]  The rest of it waits for that.

-- 
 RSUC / GweepNet / Spunk / FnB / Usenix / SAGE



Re: You Tube Problems

2011-02-03 Thread William Pitcock
On Fri, 4 Feb 2011 16:37:55 +1300 (FJST)
Franck Martin  wrote:

> Any relation?
> 
> http://mobile.slashdot.org/story/11/02/04/0043234/Verizon-To-Throttle-High-Bandwidth-Users

No, that has to do with wireless users, not DSL.  Wireless is an
entirely different part of the Verizon empire.

William



Re: Weekend Gedankenexperiment - The Kill Switch

2011-02-03 Thread Jay Ashworth
 Original Message -
> What do you do when you get home to put it back on the air -- let's
> say email as a base service, since it is -- do you have the gear laying 
> around,
> and how long would it take?

Focus on this part, BTW, folks; let's ignore the politics behind the
shutdown.  :-)

Cheers,
-- jra



Re: My upstream ISP does not support IPv6

2011-02-03 Thread Peter Lothberg
> So it was far from simply adding v6 to our existing circuit(s) and another 
> BGP session.  It has taken months.

You don't need a new BGP session to turn on IPv6, you just need to
enable IPv6 NLRI on your V4 session.. 

So, in theory your upstream can enable IPv6 on their side and then
wait until you are ready.. It helps to have an IPv6 address on the
link, but it does not need to carry the BGP session over IPv6..

This is a feature that also simplifies your IBGP.. 

-P

(My mother has had IPv6 since 2007, and she lives in the boonies!)
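As an added illustration of Peter's point (a constructed Cisco IOS style fragment, not configuration from anyone in this thread), this activates IPv6 NLRI under the existing IPv4 neighbor instead of building a second session. ASNs, addresses and the route-map name are made up from documentation ranges; the one operational check worth knowing is that IPv6 routes learned over an IPv4 session arrive with an IPv4-mapped next hop unless one side rewrites it.

```text
! Constructed example: AS64496 (us) peering with upstream AS64497 over
! an IPv4 link.  The TCP session stays on the IPv4 addresses.
ipv6 unicast-routing
!
interface GigabitEthernet0/0
 ip address 192.0.2.2 255.255.255.252
 ipv6 address 2001:db8:ffff::2/64
!
router bgp 64496
 neighbor 192.0.2.1 remote-as 64497
 !
 address-family ipv4
  neighbor 192.0.2.1 activate
 exit-address-family
 !
 ! Same neighbor, second address-family: this is the "enable IPv6 NLRI
 ! on your V4 session" step.  No new neighbor statement is needed.
 address-family ipv6
  neighbor 192.0.2.1 activate
  ! Caveat: prefixes received here carry next hop ::ffff:192.0.2.1,
  ! which is not reachable on the link.  Rewrite it to the upstream's
  ! IPv6 link address (the upstream can equally do this outbound).
  neighbor 192.0.2.1 route-map UPSTREAM-V6-NEXTHOP in
  network 2001:db8:1000::/48
 exit-address-family
!
route-map UPSTREAM-V6-NEXTHOP permit 10
 set ipv6 next-hop 2001:db8:ffff::1
```

After the session re-establishes, `show bgp ipv6 unicast summary` should list the IPv4 neighbor with an IPv6 prefix count, and the learned routes should show the rewritten next hop rather than ::ffff:192.0.2.1.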




Weekend Gedankenexperiment - The Kill Switch

2011-02-03 Thread Jay Ashworth
An armed FBI special agent shows up at your facility and tells your ranking
manager to "shut down the Internet".

What do you do when you get home to put it back on the air -- let's say email
as a base service, since it is -- do you have the gear laying around, and how
long would it take?

Do you have out-of-band communications (let's say phone numbers) for enough
remote contacts?

Cheers,
-- jra



Re: My upstream ISP does not support IPv6

2011-02-03 Thread Randy Carpenter

IPv6 from both of my upstream providers has been "coming soon" for about a year 
and a half.

One is a very major national provider, one is a regional which is connected to 
numerous national carriers.

The major national provider is supposed to be swapping out equipment any day 
now in order to support IPv6. The regional is claiming that their upstreams do 
not have IPv6 support yet. Their upstream providers certainly do have IPv6, but 
I do not know if they are not offering it to their downstream ISP customers.

I don't know, but as a company that manages the internet operations for 
numerous ISPs, and needs to have full monitoring capability for said customers, 
it is frustrating not to have native IPv6.

-Randy




Re: You Tube Problems

2011-02-03 Thread Joly MacFie
I think that refers to mobile. I am talking common or garden residential
3mbps DSL.

j



On Thu, Feb 3, 2011 at 10:37 PM, Franck Martin  wrote:

> Any relation?
>
>
> http://mobile.slashdot.org/story/11/02/04/0043234/Verizon-To-Throttle-High-Bandwidth-Users
>
> - Original Message -
> From: "Joly MacFie" 
> To: "North American Network Operators Group" 
> Sent: Friday, 4 February, 2011 4:30:27 PM
> Subject: Fwd: You Tube Problems
>
> This was recently posted to a mailing list I'm on from the UK. I'd laugh it
> off, but I've been seeing the same thing here in NYC on my Verizon DSL - a
> lot of the time I'm only getting around 200kbps out of YouTube while
> speedtest shows I have 3mbps.
>
> Any comments?
>
> j
>
>


-- 
---
Joly MacFie  218 565 9365 Skype:punkcast
WWWhatsup NYC - http://wwwhatsup.com
 http://pinstand.com - http://punkcast.com
  VP (Admin) - ISOC-NY - http://isoc-ny.org
---


Re: You Tube Problems

2011-02-03 Thread Franck Martin
Any relation?

http://mobile.slashdot.org/story/11/02/04/0043234/Verizon-To-Throttle-High-Bandwidth-Users

- Original Message -
From: "Joly MacFie" 
To: "North American Network Operators Group" 
Sent: Friday, 4 February, 2011 4:30:27 PM
Subject: Fwd: You Tube Problems

This was recently posted to a mailing list I'm on from the UK. I'd laugh it
off, but I've been seeing the same thing here in NYC on my Verizon DSL - a
lot of the time I'm only getting around 200kbps out of YouTube while
speedtest shows I have 3mbps.

Any comments?

j




Fwd: You Tube Problems

2011-02-03 Thread Joly MacFie
This was recently posted to a mailing list I'm on from the UK. I'd laugh it
off, but I've been seeing the same thing here in NYC on my Verizon DSL - a
lot of the time I'm only getting around 200kbps out of YouTube while
speedtest shows I have 3mbps.

Any comments?

j

-- Forwarded message --
From:  (a uk user)

For several days now I have found it impossible to view anything on You
Tube properly. A few seconds & then it freezes, starts again, then freezes &
so on & on.
It's like the bad old days of "dial up" but I have had Broadband for some
years & not had this problem for ages. Any advice, anybody, please?

Mike T


-- 
---
Joly MacFie  218 565 9365 Skype:punkcast
WWWhatsup NYC - http://wwwhatsup.com
 http://pinstand.com - http://punkcast.com
  VP (Admin) - ISOC-NY - http://isoc-ny.org
---


Re: My upstream ISP does not support IPv6

2011-02-03 Thread Brandon Applegate

On Fri, 4 Feb 2011, Franck Martin wrote:


> The biggest complaint that I hear from ISPs, is that their upstream ISP does 
> not support IPv6 or will not provide them with a native IPv6 circuit.
>
> Is that bull?
>
> I thought the whole backbone is IPv6 now, and it is only the residential ISPs 
> that are still figuring it out because CPE are still not there yet.
>
> Where can I get more information? Any list of peering ISPs that have IPv6 as 
> part of their products?
>
> It seems to me the typical answer sales people say when asked about IPv6: "Gosh, 
> this is the first time I'm asked this one".



I can provide anecdotal feedback on this.  When we did v6 on our network - 
we did it to full v4 parity.  I.e. if we offer v4 / HSRP redundancy / BGP 
full table, etc in a given site, we need to be able to do the same with 
v6.  We achieved that.  At this point I had a decent v6 network, but was 
isolated from the world.  I had to talk to upstreams.


In a nutshell, it was non-trivial.  The upstreams in question will remain 
nameless to protect the guilty, but they are all who some would call 'tier 
1'.  The common themes were:


-	Hmm, don't know our process for that, let me send emails and 
'reach out' and get back to you.


-	We can do it, but we have to home you to a different router.  This 
will be a provisioning exercise and you will get new /30 (/126, etc) and 
new circuit ID.


So it was far from simply adding v6 to our existing circuit(s) and another 
BGP session.  It has taken months.


I couldn't quite wait that long so I did a tunnel w/ BGP to Hurricane and 
got it up in a matter of days.  At that point, at least I could traceroute 
somewhere :)  We are just now finishing up getting native on our transit 
circuits.


--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996
"SH1-0151.  This is the serial number, of our orbital gun."






Re: My upstream ISP does not support IPv6

2011-02-03 Thread Christopher Morrow
On Thu, Feb 3, 2011 at 6:17 PM, Justin M. Streiner
 wrote:
> On Fri, 4 Feb 2011, Franck Martin wrote:
>
>> The biggest complaint that I hear from ISPs, is that their upstream ISP
>> does not support IPv6 or will not provide them with a native IPv6 circuit.
>
> I know of a few regional ISPs that don't (yet) support IPv6.
>
> As far as carriers go, some seem to support it readily, and others seem like
> they're being dragged into it kicking and screaming.  With the IPv4 well
> running dry in some sense, the people who aren't supporting it yet will have
> to realize sooner or later that they're swimming against the tide.

1) in which city you exist
2) in which city does IPV6 support exist for the carrier(s) you choose
to do business with
3) can you get your sales-droid to actually spell eye-pee-vee-six and
sell it to you?

how many times, for the simple case, has someone piped up on nanog
(here) about VZB and their attempts to find someone with a clue about
getting ipv6 enabled? (I can easily count 10 in the last ~4 years) The
same goes for ATT and L3...

I believe all of these carriers (and NTT since I see Jared responding
as well) have v6 capabilities, they may hide SOME of their issues in
marketing-speak: "Oh, we have that available in 75% of our pops(*)"
(* in south-east oozbekistan) or "We offer ipv6 to the customers of
our Managed Internet Services network(*)" (* wholesale internet is
not currently able to signup/route ipv6)

Asking straight, clear, concise questions of your sales droid, finding
his management when he's unable to answer satisfactorily, and parsing
the answers closely is your only way forward. (I think)

-Chris

>> It seems to me the typical answer sales people say when asked about IPv6:
>> "Gosh, this is the first time I'm asked this one".
>
> In some organizations, that's an organizational problem.  In others, it just
> means you got the wrong salesdroid...
>
> jms
>
>



Re: My upstream ISP does not support IPv6

2011-02-03 Thread Paul Graydon

On 02/03/2011 05:04 PM, Franck Martin wrote:

> The biggest complaint that I hear from ISPs, is that their upstream ISP does 
> not support IPv6 or will not provide them with a native IPv6 circuit.
>
> Is that bull?
>
> I thought the whole backbone is IPv6 now, and it is only the residential ISPs 
> that are still figuring it out because CPE are still not there yet.
>
> Where can I get more information? Any list of peering ISPs that have IPv6 as 
> part of their products?
>
> It seems to me the typical answer sales people say when asked about IPv6: "Gosh, 
> this is the first time I'm asked this one".

I've just been trying to persuade our upstream provider that they can 
actually get IPv6 addresses.  They seem to be operating under the belief 
that they can only get IPv6 addresses once they're running out of IPv4 
before going through the usual justification business.  It seems bizarre 
that they've specifically gone to the extent of testing and changing 
their infrastructure to ensure it's fully IPv6 capable, yet not go all 
the way and actually get a range or poll customers to find out if 
they're interested in one.


I sent them this link : 
https://www.arin.net/resources/request/ipv6_initial_alloc.html and 
brought their attention to point 1.  Yet to hear back from them..


Paul



Re: My upstream ISP does not support IPv6

2011-02-03 Thread Jared Mauch

On Feb 3, 2011, at 10:04 PM, Franck Martin wrote:

> The biggest complaint that I hear from ISPs, is that their upstream ISP does 
> not support IPv6 or will not provide them with a native IPv6 circuit. 
> 
> Is that bull? 
> 
> I thought the whole backbone is IPv6 now, and it is only the residential ISPs 
> that are still figuring it out because CPE are still not there yet. 
> 
> Where can I get more information? Any list of peering ISPs that have IPv6 as 
> part of their products? 
> 
> It seems to me the typical answer sales people say when asked about IPv6: 
> "Gosh, this is the first time I'm asked this one". 

There is a wikipedia article on this:

http://en.wikipedia.org/wiki/Comparison_of_IPv6_support_by_major_transit_providers

It's not very marketing nor deep in details.  There are also a variety of other 
sites as well with various lists that are more focused on the edge networks 
such as:

http://www.sixxs.net/faq/connectivity/?faq=native

I'm not aware of a fully comprehensive list, but it may be worthwhile to ask 
over on the ipv6-ops list with further details about where you are located or 
looking at desiring service:

http://lists.cluenet.de/mailman/listinfo/ipv6-ops

There's good discussion over there, and a great resource if you are looking for 
details on enabling IPv6.

- Jared


Re: My upstream ISP does not support IPv6

2011-02-03 Thread Justin M. Streiner

On Fri, 4 Feb 2011, Franck Martin wrote:

> The biggest complaint that I hear from ISPs, is that their upstream ISP 
> does not support IPv6 or will not provide them with a native IPv6 
> circuit.


I know of a few regional ISPs that don't (yet) support IPv6.

As far as carriers go, some seem to support it readily, and others seem 
like they're being dragged into it kicking and screaming.  With the IPv4 
well running dry in some sense, the people who aren't supporting it yet 
will have to realize sooner or later that they're swimming against the 
tide.


> It seems to me the typical answer sales people say when asked about 
> IPv6: "Gosh, this is the first time I'm asked this one".


In some organizations, that's an organizational problem.  In others, it 
just means you got the wrong salesdroid...


jms



Re: My upstream ISP does not support IPv6

2011-02-03 Thread Richard Barnes
This seems ironic, given the number of ISPs I've heard say "There's no
customer demand."
--Richard


On Thu, Feb 3, 2011 at 10:04 PM, Franck Martin  wrote:
> The biggest complaint that I hear from ISPs, is that their upstream ISP does 
> not support IPv6 or will not provide them with a native IPv6 circuit.
>
> Is that bull?
>
> I thought the whole backbone is IPv6 now, and it is only the residential ISPs 
> that are still figuring it out because CPE are still not there yet.
>
> Where can I get more information? Any list of peering ISPs that have IPv6 as 
> part of their products?
>
> It seems to me the typical answer sales people say when asked about IPv6: 
> "Gosh, this is the first time I'm asked this one".
>



Re: My upstream ISP does not support IPv6

2011-02-03 Thread Dobbins, Roland

On Feb 4, 2011, at 10:04 AM, Franck Martin wrote:

> Where can I get more information?


There's some survey data related to this topic presented in the latest 
Worldwide Infrastructure Security Report, available at 
.

---
Roland Dobbins  // 

The basis of optimism is sheer terror.

  -- Oscar Wilde




My upstream ISP does not support IPv6

2011-02-03 Thread Franck Martin
The biggest complaint that I hear from ISPs, is that their upstream ISP does 
not support IPv6 or will not provide them with a native IPv6 circuit. 

Is that bull? 

I thought the whole backbone is IPv6 now, and it is only the residential ISPs 
that are still figuring it out because CPE are still not there yet. 

Where can I get more information? Any list of peering ISPs that have IPv6 as 
part of their products? 

It seems to me the typical answer sales people say when asked about IPv6: 
"Gosh, this is the first time I'm asked this one". 


Re: External sanity checks

2011-02-03 Thread Christopher Morrow
not sure where these folks are in terms of deployment or meeting the
OP's needs, but the owner/founder is a nanog person:



so maybe you can link up with him and ask some questions?

-Chris


On Thu, Feb 3, 2011 at 9:37 PM,   wrote:
>
>
> On Thursday, February 3, 2011 8:31pm, "Jeffrey Lyon" 
>  said:
>
>> On Thu, Feb 3, 2011 at 9:25 PM, Justin Horstman
>>  wrote:
>>> +1 vote for Gomez, they are the most advanced and most capable in this 
>>> space.
>>> They are also not very cheap...
>>>
>>>
>>> ~J
>>>
 -Original Message-
 From: Greg Dendy [mailto:gde...@equinix.com]
 Sent: Thursday, February 03, 2011 10:35 AM
 To: Brandon Galbraith
 Cc: nanog
 Subject: Re: External sanity checks

 Gomez isn't too bad either for the http side.

 http://www.gomez.com/


 Greg

 On Feb 3, 2011, at 10:29 AM, "Brandon Galbraith"
  wrote:

 > Pingdom will do most of what you're looking for (www.pingdom.com).
 We're
 > quite fond of them after a bad Keynote experience.
 >
 > -brandon
 >
 > On Thu, Feb 3, 2011 at 12:04 PM, Philip Lavine
 wrote:
 >
 >> To all,
 >>
 >> Does any one know a Vendor (NOT Keynote) that can do sanity checks
 against
 >> your web/smtp/ftp farms with pings, traceroutes, latency checks as
 well as
 >> application checks (GET, POST, ESMTP, etc)
 >>
 >> Thank you,
 >>
 >> Philip
 >>
 >>
 >>
 >>
 >>
 >>
 >
 >
 > --
 > Brandon Galbraith
 > US Voice: 630.492.0464

>>>
>>>
>>>
>>
>> Pingdom has been pretty solid, only criticism is that all of their
>> nodes are North America and Europe.
>>
>> --
>> Jeffrey Lyon, Leadership Team
>> jeffrey.l...@blacklotus.net | http://www.blacklotus.net
>> Black Lotus Communications - AS32421
>> First and Leading in DDoS Protection Solutions
>
> http://www.websitepulse.com/ been around and solid for years, much more 
> advanced than pingdom.com but pingdom.com is great for certain levels of 
> testing.
>
> -- Nevin Lyne
> -- Founder / Director of Technology
> -- EngineHosting.com
> -- 888-576-HOST or 612-234-8964
>
>
>
>



Internet number resource policy in the ARIN region

2011-02-03 Thread John Curran
Nanog Folks -

   Your participation makes a significant difference in the ARIN number
   resource policy, and while you may think that there's not much going
   on, the truth is that there is a significant number of policy proposals
   at any given moment, and to the extent that you care about the actual
   policies used in number resource management, it would be very helpful
   if you could read and comment on policies while they are being developed.

   Please find attached the results of the last Advisory Council (AC) meeting;
   discussions of these proposals are taking place on the ARIN PPML mailing
   list and are open to all parties.  Information on the Policy Development
   Process, the PPML mailing list, and the current proposals are all included
   in the attached message.

Thanks!
/John

John Curran
President and CEO
ARIN


Begin forwarded message:

From: ARIN <i...@arin.net>
Date: February 3, 2011 4:44:40 PM EST
To: arin-p...@arin.net
Subject: [arin-ppml] Advisory Council Meeting Results - January 2011

In accordance with the ARIN Policy Development Process (PDP), the ARIN
Advisory Council (AC) held a meeting on 28 January 2011 and made
decisions about several draft policies and proposals.

The AC recommended that the ARIN Board of Trustees adopt the following
draft policy:

 ARIN-2010-14: Standardize IP Reassignment Registration Requirements

The AC selected the following proposals as draft policies for adoption
discussion online and at the ARIN XXVII Public Policy Meeting in San
Juan, Puerto Rico. Each draft policy will be posted shortly to the PPML.

 ARIN-prop-119. Globally Coordinated Transfer Policy
 ARIN-prop-120. Protecting Number Resources
 ARIN-prop-121. Better IPv6 Allocation for ISPs
 ARIN-prop-123. Reserved Pool for Critical Infrastructure
 ARIN-prop-127. Shared Transition Space for IPv4 Address Extension

The AC added the following proposal to their docket but decided not to
select it as a draft policy at this time:

 ARIN-prop-126. Compliance Requirement

The AC abandoned the following proposals:

 ARIN-prop-128. Replacement of Section 4.2.4.4
 ARIN-prop-129. IPv4 Addresses for Process Participants
 ARIN-prop-130. IPv4 Transition Reservation for Every ASN

The AC abandoned ARIN-prop-128 due to opposition on the list, and
because there is insufficient time to implement the proposal through the
normal PDP. As a result, the proposal would need to be a Board Emergency
PDP action to have any effect. The AC understands that the use of the
emergency process requires that there be significant risk to ARIN should
the Board allow a situation to continue. This matter does not warrant
the use of the emergency process.

The AC abandoned ARIN-prop-129 and ARIN-prop-130 because they violate
the community principle of needs-based assignments.

The PDP states, “Any member of the community, including a proposal
originator, may initiate a Discussion Petition if they are dissatisfied
with the action taken by the Advisory Council regarding any specific
policy proposal.” Proposals 126, 128, 129 and 130 may be petitioned
(Discussion Petition) to try to change them into draft policies for
adoption discussion on the Public Policy Mailing List and at the April
Public Policy Meeting. The deadline to begin a petition will be five
business days after the AC's draft meeting minutes are published.

For more information on starting and participating in petitions, see PDP
Petitions at: https://www.arin.net/policy/pdp_petitions.html

Draft Policy and Policy Proposal texts are available at:
https://www.arin.net/policy/proposals/index.html

The ARIN Policy Development Process can be found at:
https://www.arin.net/policy/pdp.html

Regards,

Communications and Member Services
American Registry for Internet Numbers (ARIN)
_
PPML
You are receiving this message because you are subscribed to
the ARIN Public Policy Mailing List (arin-p...@arin.net).
Unsubscribe or manage your mailing list subscription at:
http://lists.arin.net/mailman/listinfo/arin-ppml
Please contact i...@arin.net if you experience any issues.



Re: quietly....

2011-02-03 Thread Mark Andrews

In message <4d4b5dcb.3090...@brightok.net>, Jack Bates writes:
> On 2/3/2011 7:50 PM, Mark Andrews wrote:
> > This was blindingly obvious to me years ago and should have been to
> > any CPE developer.
> >
> It doesn't appear to be blindingly simple for the cpe-router-bis draft, 
> which leaves it as TBD, or the cpe-router draft which also is silent. 
> General consensus I got from v6ops was that IAIDs won't be utilized by 
> CPE routers, which means they don't expect your requesting upstream logic.

Well the DHCP server has to support multiple IAIDs as that is how
it is spec'd.  A DHCP server that doesn't do this is broken.

There doesn't have to be consensus in this area because it does not
matter.  Different vendors can choose different solutions to how
they make upstream requests.

> In fact, they didn't seem to like any of my ideas on versatility for 
> handling this job, which means we'll likely have interoperability 
> problems between CPE manufacturers.
> 
> 
> Jack
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org



Re: External sanity checks

2011-02-03 Thread nevin


On Thursday, February 3, 2011 8:31pm, "Jeffrey Lyon" 
 said:

> On Thu, Feb 3, 2011 at 9:25 PM, Justin Horstman
>  wrote:
>> +1 vote for Gomez, they are the most advanced and most capable in this space.
>> They are also not very cheap...
>>
>>
>> ~J
>>
>>> -Original Message-
>>> From: Greg Dendy [mailto:gde...@equinix.com]
>>> Sent: Thursday, February 03, 2011 10:35 AM
>>> To: Brandon Galbraith
>>> Cc: nanog
>>> Subject: Re: External sanity checks
>>>
>>> Gomez isn't too bad either for the http side.
>>>
>>> http://www.gomez.com/
>>>
>>>
>>> Greg
>>>
>>> On Feb 3, 2011, at 10:29 AM, "Brandon Galbraith"
>>>  wrote:
>>>
>>> > Pingdom will do most of what you're looking for (www.pingdom.com).
>>> We're
>>> > quite fond of them after a bad Keynote experience.
>>> >
>>> > -brandon
>>> >
>>> > On Thu, Feb 3, 2011 at 12:04 PM, Philip Lavine
>>> wrote:
>>> >
>>> >> To all,
>>> >>
>>> >> Does any one know a Vendor (NOT Keynote) that can do sanity checks
>>> against
>>> >> your web/smtp/ftp farms with pings, traceroutes, latency checks as
>>> well as
>>> >> application checks (GET, POST, ESMTP, etc)
>>> >>
>>> >> Thank you,
>>> >>
>>> >> Philip
>>> >>
>>> >>
>>> >>
>>> >>
>>> >>
>>> >>
>>> >
>>> >
>>> > --
>>> > Brandon Galbraith
>>> > US Voice: 630.492.0464
>>>
>>
>>
>>
> 
> Pingdom has been pretty solid, only criticism is that all of their
> nodes are North America and Europe.
> 
> --
> Jeffrey Lyon, Leadership Team
> jeffrey.l...@blacklotus.net | http://www.blacklotus.net
> Black Lotus Communications - AS32421
> First and Leading in DDoS Protection Solutions

http://www.websitepulse.com/ been around and solid for years, much more 
advanced than pingdom.com but pingdom.com is great for certain levels of 
testing.

-- Nevin Lyne
-- Founder / Director of Technology
-- EngineHosting.com
-- 888-576-HOST or 612-234-8964





Re: External sanity checks

2011-02-03 Thread Franck Martin

- Original Message -
> From: "Paul Graydon" 
> To: nanog@nanog.org
> Sent: Friday, 4 February, 2011 8:39:09 AM
> Subject: Re: External sanity checks
> On 02/03/2011 08:04 AM, Philip Lavine wrote:
> > To all,
> >
> > Does any one know a Vendor (NOT Keynote) that can do sanity checks
> > against your web/smtp/ftp farms with pings, traceroutes, latency
> > checks as well as application checks (GET, POST, ESMTP, etc)
> >
> > Thank you,
> >
> > Philip
> >
> Slight hijack, I'm interested in the answer to this question, but I'm
> also wondering about a service that will actually phone you (or is
> there
> a reliable text/e-mail->phone call service?) I'd appreciate actually
> being phoned overnight if something dies drastically to the outside
> world!

A bit different, but if you are looking for something that works a bit before 
the problem becomes visible to the user, check:

http://www.avonsys.com/Application+Monitoring



Re: External sanity checks

2011-02-03 Thread Suresh Ramasubramanian
On Fri, Feb 4, 2011 at 7:55 AM, Justin Horstman
 wrote:
> +1 vote for Gomez, they are the most advanced and most capable in this space. 
> They are also not very cheap...

Depends on whether you're monitoring SLA or performance from remote locations.

There's also webmetrics (acquired by neustar sometime back) -
http://www.webmetrics.com

-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: External sanity checks

2011-02-03 Thread Jeffrey Lyon
On Thu, Feb 3, 2011 at 9:25 PM, Justin Horstman
 wrote:
> +1 vote for Gomez, they are the most advanced and most capable in this space. 
> They are also not very cheap...
>
>
> ~J
>
>> -Original Message-
>> From: Greg Dendy [mailto:gde...@equinix.com]
>> Sent: Thursday, February 03, 2011 10:35 AM
>> To: Brandon Galbraith
>> Cc: nanog
>> Subject: Re: External sanity checks
>>
>> Gomez isn't too bad either for the http side.
>>
>> http://www.gomez.com/
>>
>>
>> Greg
>>
>> On Feb 3, 2011, at 10:29 AM, "Brandon Galbraith"
>>  wrote:
>>
>> > Pingdom will do most of what you're looking for (www.pingdom.com).
>> We're
>> > quite fond of them after a bad Keynote experience.
>> >
>> > -brandon
>> >
>> > On Thu, Feb 3, 2011 at 12:04 PM, Philip Lavine
>> wrote:
>> >
>> >> To all,
>> >>
>> >> Does any one know a Vendor (NOT Keynote) that can do sanity checks
>> against
>> >> your web/smtp/ftp farms with pings, traceroutes, latency checks as
>> well as
>> >> application checks (GET, POST, ESMTP, etc)
>> >>
>> >> Thank you,
>> >>
>> >> Philip
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >
>> >
>> > --
>> > Brandon Galbraith
>> > US Voice: 630.492.0464
>>
>
>
>

Pingdom has been pretty solid, only criticism is that all of their
nodes are North America and Europe.

-- 
Jeffrey Lyon, Leadership Team
jeffrey.l...@blacklotus.net | http://www.blacklotus.net
Black Lotus Communications - AS32421
First and Leading in DDoS Protection Solutions



RE: External sanity checks

2011-02-03 Thread Justin Horstman
+1 vote for Gomez, they are the most advanced and most capable in this space. 
They are also not very cheap...


~J

> -Original Message-
> From: Greg Dendy [mailto:gde...@equinix.com]
> Sent: Thursday, February 03, 2011 10:35 AM
> To: Brandon Galbraith
> Cc: nanog
> Subject: Re: External sanity checks
> 
> Gomez isn't too bad either for the http side.
> 
> http://www.gomez.com/
> 
> 
> Greg
> 
> On Feb 3, 2011, at 10:29 AM, "Brandon Galbraith"
>  wrote:
> 
> > Pingdom will do most of what you're looking for (www.pingdom.com).
> We're
> > quite fond of them after a bad Keynote experience.
> >
> > -brandon
> >
> > On Thu, Feb 3, 2011 at 12:04 PM, Philip Lavine
> wrote:
> >
> >> To all,
> >>
> >> Does any one know a Vendor (NOT Keynote) that can do sanity checks
> against
> >> your web/smtp/ftp farms with pings, traceroutes, latency checks as
> well as
> >> application checks (GET, POST, ESMTP, etc)
> >>
> >> Thank you,
> >>
> >> Philip
> >>
> >>
> >>
> >>
> >>
> >>
> >
> >
> > --
> > Brandon Galbraith
> > US Voice: 630.492.0464
> 




Re: And so it ends...

2011-02-03 Thread Suresh Ramasubramanian
If you want to follow it up there's a pretty interesting thread
ongoing in the ripe anti abuse working group

All of the traffic from 2011 (only a few posts) ..
http://ripe.net/ripe/maillists/archives/anti-abuse-wg/2011/

Start with this note here -
http://ripe.net/ripe/maillists/archives/anti-abuse-wg/2011/msg0.html
- where (a few months late) I wrote in to protest Richard Cox's being
removed as co-chair of the ripe anti abuse working group because he
made much the same points.  There was some argument that RIPE WG
co-chairs are responsible to the RIPE chair / board etc and should be
removed if they are overly critical of these, as richard admittedly
was.

Then go off far afield into various topics including whether that wg
was really operational, and then the same question you asked .. what
to do when the same entities acquiring /15s get themselves IPv6
netblocks?  There seems to be a belief (in various posts in those
threads) that v6 is so vast it just won't matter.  Not sure that I
share the belief but ..

Anyway as this is about RIPE LIRs, those interested please join the
abuse wg (link above) and chip in.

--srs

On Thu, Feb 3, 2011 at 10:02 PM, Jon Lewis  wrote:
> On Thu, 3 Feb 2011, Patrick W. Gilmore wrote:
>
>> On Feb 3, 2011, at 10:11 AM, Jon Lewis wrote:
>>
>>> The real fun's going to be over the next several years as the RIR's
>>> become irrelevant in the acquisition of scarce IPv4 resources...and things
>>> become less stable as lots of orgs rush to implement a strange new IP
>>> version.
>>
>> Supposedly[*] transfers between private entities are still supposed to be
>> justified to the local RIRs.  (At least that's how it works in ARIN's area.)
>
> I was going to say this when I walked up to the mic at the IPv4 runout talk
> yesterday morning, but sat down when they said "we're going to wrap this up
> now" and ended up going and talking to the RIPE people about it.
>
> For a year or more, there have been RIPE region LIRs willing to lease
> relatively large amounts of IPv4 to anyone willing to pay.  The ones I've
> been noticing have been "snowshoe spammers" who get their RIPE space and
> then announce it in datacenters in the US...presumably on rented dedicated
> servers from which they send spam.
>
> My point being, the leasing of IP space to non-connectivity customers is
> already well established, whether it's technically permitted by the
> [ir]relevant RIRs.  I fully expect this to continue and spread. Eventually,
> holders of large legacy blocks will realize they can make good money acting
> as an LIR, leasing portions of their unused space to people who need it and
> can't get it, want it and don't qualify, etc.
>
> These start-up LIRs won't be bound by RIR policies, both because in some
> cases they'll be legacy space holders with no RSA with their region's RIR,
> and because they won't be worried about eligibility for future RIR
> allocations of v4 space...because there won't be any.
>
> --
>  Jon Lewis, MCP :)           |  I route
>  Senior Network Engineer     |  therefore you are
>  Atlantic Net                |
> _ http://www.lewis.org/~jlewis/pgp for PGP public key_
>
>



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: quietly....

2011-02-03 Thread Jack Bates

On 2/3/2011 7:50 PM, Mark Andrews wrote:

> This was blindingly obvious to me years ago and should have been to
> any CPE developer.

It doesn't appear to be blindingly simple for the cpe-router-bis draft, 
which leaves it as TBD, or the cpe-router draft which also is silent. 
General consensus I got from v6ops was that IAIDs won't be utilized by 
CPE routers, which means they don't expect your requesting upstream logic.


In fact, they didn't seem to like any of my ideas on versatility for 
handling this job, which means we'll likely have interoperability 
problems between CPE manufacturers.



Jack



Re: quietly....

2011-02-03 Thread Mark Andrews

In message <4d4b51ea.2030...@brightok.net>, Jack Bates writes:
> On 2/3/2011 6:03 PM, Mark Andrews wrote:
> >
> > The protocol was done in December 2003.  Any CPE vendor could have
> > added support anytime in the last 7 years.  Did we really need to
> > specify how to daisy chain PD requests when these vendors have been
> > daisy chaining DHCPv4 for various options without any written
> > specification?
> >
> NAT definitely made it easier. The same can't be said for DHCPv6-PD. And 
> yes, replacing NAT with a protocol that will handle dissemination of 
> network prefixes deserved having a standards based formula. For CPEs to 
> work well, there must be expectations of what will happen in a number of 
> scenarios so that they can deal with it. For example, will the CPE just 
> hand out /64 networks behind it to other routers? Will it hand out a 
> prefix one longer than what it received and increment up until it's out 
> of space? How does this work in the myriad of ways home users connect 
> things?
> 
> Cheap CPE routers have come a long way over the last decade. They are 
> probably as close to perfect as you can expect for the price. Now we're 
> just starting over to go through the pains of trying to automate home 
> routers.
> 
> > Seriously. CPE vendors could have released IPv6 capable products
> > that had a stateful firewall, DHCPv6 with prefix delegation 7 years
> > ago.  There was *nothing* stopping them except themselves.
> >
> > People have been retrofitting CPE devices to have this functionality
> > for about as long as this.
> 
> Prefix delegation replaces NAT, but there's no standard for how to 
> divide it up?

Why does there have to be a standard way to divide it up?  You
fulfil the request if you can or you ask upstream for more, record
the result and add a prefix to the routing table pointing at the
requesting device.  There done.  Even with a /48 you are only going
to get to 64000 routes which these devices should be able to handle.
In practice it will be a lot less.  If you don't have a route you
send upstream.

The ISP doesn't want to have 64000*customers PD leases so it will
return a /48.

This matches what's done with IPv4 and NATs.

This was blindingly obvious to me years ago and should have been to
any CPE developer.

> Sure, people have retrofitted it for years. I have myself. 
> However, even in linux, it's a very manual process and involves deciding 
> for yourself how you will hand out prefixes behind the front router. 
> This wasn't a concern with NAT. The most NAT had to worry about was 
> conflicting addresses on the LAN/WAN (and most, these days, will auto 
> renumber if necessary).

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
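The scheme Mark sketches above (serve a PD request from what you hold, otherwise ask upstream for more, record the result, add a route toward the requester, and send anything without a route upstream) as a small Python model. This is an added example, not code from the thread or from any CPE vendor; the class and method names (PrefixDelegator, request_prefix, next_hop), the ask_len and longest_handout knobs, and the three-router home topology are assumptions made here for illustration, and all prefixes are taken from the 2001:db8::/32 documentation range.

```python
"""Toy model of daisy-chained DHCPv6 prefix delegation (added example).

Each router holds a pool of free prefixes. A PD request is served from the
pool (best fit); if nothing fits, the router asks its own upstream for a
block, adds it to the pool and retries. Every delegation is recorded as a
route toward the requesting device; anything without a route goes upstream.
Names and knobs are assumptions for illustration, not any vendor's code.
"""
from ipaddress import IPv6Network, ip_address
from typing import Dict, List, Optional


class PrefixDelegator:
    def __init__(self, name: str, upstream: Optional["PrefixDelegator"] = None,
                 pool: Optional[List[IPv6Network]] = None,
                 ask_len: int = 56, longest_handout: int = 64) -> None:
        self.name = name
        self.upstream = upstream                          # None for the ISP-side server
        self.pool: List[IPv6Network] = list(pool or [])   # free blocks, any length
        self.ask_len = ask_len                            # size this router asks upstream for
        self.longest_handout = longest_handout            # never delegate longer than this
        self.routes: Dict[IPv6Network, str] = {}          # delegated prefix -> requester

    def request_prefix(self, requester: str, length: int) -> Optional[IPv6Network]:
        """Serve a PD request for a /length; ask upstream for more if needed."""
        length = min(length, self.longest_handout)   # e.g. the ISP answers with a /48 regardless
        prefix = self._carve(length)
        if prefix is None and self.upstream is not None:
            block = self.upstream.request_prefix(self.name, self.ask_len)
            if block is not None:
                self.pool.append(block)
                prefix = self._carve(length)
        if prefix is not None:
            self.routes[prefix] = requester              # route toward the requesting device
        return prefix

    def _carve(self, length: int) -> Optional[IPv6Network]:
        """Best fit: take the smallest free block that can hold a /length."""
        fits = [p for p in self.pool if p.prefixlen <= length]
        if not fits:
            return None
        block = min(fits, key=lambda p: (-p.prefixlen, p))
        self.pool.remove(block)
        if block.prefixlen == length:
            return block
        wanted = next(block.subnets(new_prefix=length))
        self.pool.extend(block.address_exclude(wanted))  # return the remainder to the pool
        return wanted

    def next_hop(self, address: str) -> str:
        """Longest match over delegated prefixes; no route means 'send upstream'."""
        addr = ip_address(address)
        best: Optional[IPv6Network] = None
        for prefix in self.routes:
            if addr in prefix and (best is None or prefix.prefixlen > best.prefixlen):
                best = prefix
        return self.routes[best] if best is not None else "upstream"


def build_home():
    """Constructed topology: ISP -> home gateway (cpe) -> second router (den)."""
    isp = PrefixDelegator("isp", pool=[IPv6Network("2001:db8::/32")], longest_handout=48)
    cpe = PrefixDelegator("cpe", upstream=isp, ask_len=56)   # asks for /56, ISP hands back /48
    den = PrefixDelegator("den", upstream=cpe, ask_len=60)   # asks the gateway for /60 blocks
    return isp, cpe, den


if __name__ == "__main__":
    isp, cpe, den = build_home()
    for n in range(17):                       # the 17th /64 exhausts den's first /60
        print(n + 1, den.request_prefix(f"lan-{n}", 64))
    print("isp routes:", isp.routes)
    print("cpe routes:", cpe.routes)
    print("cpe next hop for 2001:db8:0:1::5 ->", cpe.next_hop("2001:db8:0:1::5"))
```

Running it shows the chain in action: the first request from behind `den` ripples up to the ISP, which records a single /48 route toward the gateway, the gateway records one /60 toward `den`, and `den` serves the next fifteen /64s locally; only when its /60 is used up does it go back to the gateway for another block. The route tables stay proportional to the number of delegations, never to the number of possible /64s.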



Re: And so it ends...

2011-02-03 Thread David Conrad
Robert,

On Feb 3, 2011, at 12:34 PM, Robert Bonomi wrote:
> Absolutely *NOT*.  Their unique status derives from the actions of a 
> contractor "faithfully executing" its duties on the behalf of the U.S.
> Gov't.  'Antitrust' does not apply to the Gov't, nor to those acting
> on its behalf, nor to anyone operating a government-sanctioned monopoly.

As far as I am aware, the USG contract is with ICANN, not ARIN (see  
http://www.ntia.doc.gov/ntiahome/domainname/iana/ianacontract_081406.pdf, 
section C.2.2.1.3). 

>> What about the other RIRs worldwide?
> They're outside U.S. jurisdiction.  Sherman Act 2 is irrelevant to their
> operation.

The question was about other RIRs.  Other countries have 
anti-monopoly/anti-cartel laws.

Regards,
-drc




Re: quietly....

2011-02-03 Thread Jack Bates

On 2/3/2011 7:31 PM, Mark Andrews wrote:

> And they didn't mangle packets.  You either pass through a gateway
> or not.  You don't have your internal organs re-arranged as you go
> through.

Next you'll tell me that Compuserve had a real IP stack.

Jack



Re: quietly....

2011-02-03 Thread Mark Andrews

In message <4680378.4717.1296777587916.javamail.r...@benjamin.baylink.com>, Jay Ashworth writes:
> - Original Message -
> > From: "Mark Andrews" 
> 
> [ me, to Valdis: ]
> > > C'mon; this isn't *your* first rodeo, either. From the viewpoint of
> > > The Internet, *my edge router* is The Node -- as long as everything
> > > gets to there ok, it's nunya damn business what I do inside. Only what
> > > comes out.
> > >
> > > That's Why I Have A Router.
> > 
> > Routers don't mangle packets. They route packets and decrement hop
> > counts.
> 
> I will remind you, Mark, that routers were originally called *gateways*.

And they didn't mangle packets.  You either pass through a gateway
or not.  You don't have your internal organs re-arranged as you go
through.

> That was for a reason.
> 
> Cheers,
> -- jra
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org



Re: quietly....

2011-02-03 Thread Owen DeLong

On Feb 3, 2011, at 3:14 PM, david raistrick wrote:

> On Thu, 3 Feb 2011, valdis.kletni...@vt.edu wrote:
> 
>> Well, it's official - the original end-to-end design principle of the 
>> Internet is dead, deceased, and buried.  Henceforth, there will be Clients, 
>> and there will be Servers, and all nodes will be permanently classified as 
>> one or the other, with no changing or intermixing of status allowed.
> 
> Er.  That's not news.  That's been the state of the art for what, 15+ years 
> or so now?   SIP (because it's peer to peer) and P2P are really the only 
> things that actually give a damn about it.
> 
Largely because we've been living with the tradeoff that we had to break the 
end-to-end model to temporarily compensate for an address shortage. Those of us 
that remember life before NAT would prefer not to bring this damage forward 
into an area of address abundance. In other words, yes, we gave up on the 
end-to-end model and accepted that some innovations simply wouldn't happen for 
a while. That doesn't mean we want to make that tradeoff or those limitations 
permanent.

> 
> No one is going to check out their neighbor's website running on their 
> neighbor's computer if the neighbor didn't make an effort to make their 
> computer a server (by assigning DNS, running server software, etc) regardless 
> of NAT etc etc.
> 

So? That's an extremely narrow view of the potential applications of restored 
globally unique host addressing.

Owen



Re: quietly....

2011-02-03 Thread Jack Bates

On 2/3/2011 6:03 PM, Mark Andrews wrote:

> The protocol was done in December 2003.  Any CPE vendor could have
> added support anytime in the last 7 years.  Did we really need to
> specify how to daisy chain PD requests when these vendors have been
> daisy chaining DHCPv4 for various options without any written
> specification?

NAT definitely made it easier. The same can't be said for DHCPv6-PD. And 
yes, replacing NAT with a protocol that will handle dissemination of 
network prefixes deserved having a standards based formula. For CPEs to 
work well, there must be expectations of what will happen in a number of 
scenarios so that they can deal with it. For example, will the CPE just 
hand out /64 networks behind it to other routers? Will it hand out a 
prefix one longer than what it received and increment up until it's out 
of space? How does this work in the myriad of ways home users connect 
things?

Cheap CPE routers have come a long way over the last decade. They are 
probably as close to perfect as you can expect for the price. Now we're 
just starting over to go through the pains of trying to automate home 
routers.

> Seriously. CPE vendors could have released IPv6-capable products
> that had a stateful firewall, DHCPv6 with prefix delegation 7 years
> ago.  There was *nothing* stopping them except themselves.
>
> People have been retrofitting CPE devices to have this functionality
> for about as long as this.

Prefix delegation replaces NAT, but there's no standard for how to 
divide it up? Sure, people have retrofitted it for years. I have myself. 
However, even in linux, it's a very manual process and involves deciding 
for yourself how you will hand out prefixes behind the front router. 
This wasn't a concern with NAT. The most NAT had to worry about was 
conflicting addresses on the LAN/WAN (and most, these days, will auto 
renumber if necessary).



Jack



Re: And so it ends...

2011-02-03 Thread Owen DeLong

On Feb 3, 2011, at 12:51 PM, Jeffrey Lyon wrote:

> On Thu, Feb 3, 2011 at 3:48 PM, Ernie Rubi  wrote:
>> Um, I think that's what ARIN means when they say changing the registrant on 
>> a block from Entity A to Entity B means.  That's effectively 'reclaiming'.
>> 
>> As I understand it, I think they also contend that the 'community' could say 
>> to ARIN 'take back X legacy block' and that ARIN would have no choice but to 
>> do it if the 'community' wished it so (via policy process, etc).
>> 
>> On Feb 3, 2011, at 3:28 PM, Jeffrey Lyon wrote:
>> 
>>> I think what John Curran is trying to say is that ARIN does not have
>>> the authority to reclaim any space
>> 
>> 
>> 
> 
> 
> Perhaps I'm missing the point, but my interpretation is that legacy
> holders are sovereign and have the same standing in the community as
> the RIRs. The only way to get that space back is to ask nicely or for
> operators to stop routing legacy space. I very seriously doubt that it
> is within ARIN's mission to form policy that directly impacts
> non-members.

Most ARIN policies directly impact non-members. The vast majority of
ARIN resource holders are non-members.

Owen




Re: quietly....

2011-02-03 Thread Mark Andrews

In message , Roland Perry writes:
> In article <20110203220604.a8bae9a5...@drugs.dv.isc.org>, Mark Andrews 
>  writes
> 
> >> In any event, two of my applications are not IPv6 compatible, and would
> >> require significant upgrading. And will my ADSL provider and my 3G
> >> provider both switch to IPv6 at about the same time?
> >
> >You shouldn't have to care.  Properly written clients will connect
> >over whatever is available without significant delay and since you
> >are multi-homed
> 
> I'd call it more alternate-homed.
> 
> >you really do want your clients to be properly written.  If they are 
> >not complain to your vendor as they are not meeting the RFC 1123 
> >requirements.
> 
> One client is no longer maintained (but I am very attached to it). The 
> other is nailed inside a five-year-old VoIP box and I suspect they'll 
> say "buy a new one".
> 
> These are just my straw poll of what may be difficult for small 
> enterprises in a change to IPv6.

It isn't "change to", it's "add IPv6".

I expect to see IPv4 used for years inside homes and enterprises
where there are enough IPv4 addresses to meet the internal needs.
It's external communication which needs to switch to IPv6.  Internal
communication just comes along for the ride.

Mark

> -- 
> Roland Perry
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
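Mark's point that a properly written client "will connect over whatever is available without significant delay" is what RFC 1123 section 2.3 asks of clients: when a name resolves to several addresses (IPv6 and IPv4 alike), try each in turn rather than giving up on the first failure. The following is an added Python example, not code from the thread; the names connect_any, candidate_addresses and tcp_connect, the per-attempt timeout, and the injectable connector used to exercise the fallback offline are all assumptions made here.

```python
"""RFC 1123-style connect: try every address the name resolves to (added example).

A host name may map to IPv6 and IPv4 addresses at once. RFC 1123 section 2.3
tells clients to try each returned address in turn instead of giving up on
the first failure; with a short per-attempt timeout the fallback costs little,
which is what lets a dual-stack or "alternate-homed" user stop caring which
path is up at the moment. Names and the injectable connector are assumptions
for illustration, not any particular client's code.
"""
import socket
from typing import Callable, List, Tuple

Candidate = Tuple[int, tuple]                                  # (address family, sockaddr)
Connector = Callable[[int, tuple, float], object]              # (family, sockaddr, timeout)


def candidate_addresses(host: str, port: int) -> List[Candidate]:
    """Resolve host to every (family, sockaddr) pair, in the resolver's order."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [(family, sockaddr) for family, _, _, _, sockaddr in infos]


def tcp_connect(family: int, sockaddr: tuple, timeout: float) -> socket.socket:
    """Default connector: one TCP connect bounded by timeout, socket closed on failure."""
    sock = socket.socket(family, socket.SOCK_STREAM)   # raises if this family is unsupported
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
    except OSError:
        sock.close()
        raise
    return sock


def connect_any(candidates: List[Candidate], timeout: float = 2.0,
                connector: Connector = tcp_connect) -> Tuple[object, tuple]:
    """Return (connection, sockaddr) for the first candidate that connects.

    Every failure (refused, unreachable, timed out, address family missing)
    is collected; OSError is raised only once all candidates have failed.
    """
    failures: List[Tuple[tuple, OSError]] = []
    for family, sockaddr in candidates:
        try:
            return connector(family, sockaddr, timeout), sockaddr
        except OSError as exc:
            failures.append((sockaddr, exc))
    raise OSError(f"all {len(candidates)} candidates failed: {failures}")


if __name__ == "__main__":
    # Constructed demo: listen on IPv4 loopback only, then connect to the name
    # "localhost", which on many systems resolves to ::1 first and 127.0.0.1 second;
    # the ::1 attempt is refused and the client falls through to 127.0.0.1.
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    port = server.getsockname()[1]
    conn, used = connect_any(candidate_addresses("localhost", port), timeout=1.0)
    print("connected via", used)
    conn.close()
    server.close()
```

The design point is the per-attempt timeout: a client that relies on the operating system's default TCP connect timeout will stall for tens of seconds on an unreachable first address, which is exactly the "significant delay" users blame on IPv6 rather than on the client.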



BGP Looking glass and monitoring

2011-02-03 Thread Bret Palsson
I'm interested to know what tools everyone uses for the following:

Looking Glass server.
BGP Monitoring
BGP Management, ie. cost/preferred path management.

Does anyone use tools to make changes to configurations? For example svn. 
How do you push changes? Manually, approval process, scripts?

Currently the only thing we use is subversion to track changes in 
configurations. Now that we are up to around 20 routers and growing we are 
looking for better methods to manage our infrastructure. 

Thanks guys!

-Bret


Re: quietly....

2011-02-03 Thread Mark Andrews

In message <4d4b2e12.5000...@brightok.net>, Jack Bates writes:
> 
> 
> On 2/3/2011 4:17 PM, valdis.kletni...@vt.edu wrote:
> > Seems there's a lot of engineers out there that only want to make sure
> > last year's protocols work, and are willing to totally ignore next year's.
> 
> To give them respect, they do have the job of making what currently 
> works keep working in the way they originally engineered them to.
> 
> Switching to IPv6 should not have had to require any changes from IPv4 
> outside of a larger address and some minor protocol differences. The 
> support tools to enhance IPv6 beyond IPv4 should be the icing.
> 
> For example. The CPE side of things and how chaining DHCPv6-PD is still 
> an unfinished product, yet we are saying that everyone should be a go. 
> There are too many configurations and setups out there to make it work 
> smoothly. We are taking a step backwards from how we do things in IPv4.

The protocol was done in December 2003.  Any CPE vendor could have
added support anytime in the last 7 years.  Did we really need to
specify how to daisy chain PD requests when these vendors have been
daisy chaining DHCPv4 for various options without any written
specification?

People have been begging the CPE vendors for IPv6 support for years.

> I'm all for doing away with NAT on CPEs, but the work should have been 
> completed before now on how to properly handle CPEs. The Imperial 
> Geniuses apparently forgot.

Seriously.  CPE vendors could have released IPv6-capable products
that had a stateful firewall, DHCPv6 with prefix delegation 7 years
ago.  There was *nothing* stopping them except themselves.

People have been retrofitting CPE devices to have this functionality
for about as long as this.

> As for corporate networks, NAT is perfectly fine and they can use it 
> until they need the new protocols we develop. Then they'll have to 
> adapt, but they'll at least already have some of the IPv6 work done.
> 
> Jack
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org



Re: And so it ends...

2011-02-03 Thread John Curran
On Feb 3, 2011, at 6:38 PM, Benson Schliesser wrote:

> Having said that, it should be clear that I view ARIN "reclaiming" legacy 
> addresses that aren't under contract (i.e. LRSA) as fraud, perhaps even in 
> the legal sense of the word.  It might also be considered theft by some.  But 
> outright reclaiming from ongoing address holders isn't a big concern of mine, 
> because I doubt ARIN will go far down that path (if it goes at all).  My real 
> concern is that ARIN might refuse to recognize legacy transfers, fail to 
> update the Whois database, issue RPKI inappropriately, and cause real damage 
> to live networks.  This would be bad for the networks that implement ARIN 
> Whois-based policy, of course.  

Benson - 

ARIN provides legacy holders with WHOIS and IN-ADDR services without charge.
If a legacy holder simply wishes to make use of their resources and maintains 
current directory information, ARIN has left them fairly undisturbed since its 
formation.  

Via the Legacy RSA, ARIN offers contractual assurances to legacy holders of 
ARIN providing these services, as well as certain protections from reclamation 
and policy changes.  Note that ARIN can't allow transfers contrary to the
community-developed policy, so legacy address holders who wish to do more
than just use their resources (e.g. transfer them) are encouraged to get
involved in the community to create policies that match their needs.

/John

John Curran
President and CEO
ARIN




Re: quietly....

2011-02-03 Thread Jay Ashworth
- Original Message -
> From: "Mark Andrews" 

[ me, to Valdis: ]
> > C'mon; this isn't *your* first rodeo, either. From the viewpoint of
> > The Internet, *my edge router* is The Node -- as long as everything
> > gets to there ok, it's nunya damn business what I do inside. Only what
> > comes out.
> >
> > That's Why I Have A Router.
> 
> Routers don't mangle packets. They route packets and decrement hop
> counts.

I will remind you, Mark, that routers were originally called *gateways*.

That was for a reason.

Cheers,
-- jra



Re: quietly....

2011-02-03 Thread Mark Andrews

In message <18979697.4665.1296772215500.javamail.r...@benjamin.baylink.com>, Jay Ashworth writes:
> - Original Message -
> > From: "Valdis Kletnieks" 
> 
> > On Thu, 03 Feb 2011 17:01:52 EST, Jay Ashworth said:
> > > > Ahem. Please quit confusing "the protocol" with "that small
> > > > segment of
> > > > the protocol we choose to allow/support on our network".
> > >
> > > Ahem.
> > >
> > > Please quit confusing "The Internet" with "my small edge network,
> > > which I interconnect with The Internet".
> > 
> > Corporations use a different version of RFC5321 that's 30% shorter and
> > removes features they happen to not use? Or are they using the same
> > RFC5321, but simply not using all the features?
> 
> Probably the latter.
> 
> C'mon; this isn't *your* first rodeo, either.  From the viewpoint of 
> The Internet, *my edge router* is The Node -- as long as everything gets
> to there ok, it's nunya damn business what I do inside.   Only what
> comes out.
> 
> That's Why I Have A Router.

Routers don't mangle packets.  They route packets and decrement hop counts.

> Cheers,
> -- jra
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org



Re: And so it ends...

2011-02-03 Thread Benson Schliesser

On Feb 3, 2011, at 2:22 PM, John Curran wrote:

> To be clear, that's not ARIN "legally compelling an entity to cease using 
> a specific block of address space"  We've never claimed that authority,
> and I'm not aware of any entity that does claim such authority to compel
> organizations to make router and system configuration changes.  We do 
> claim authority to manage the database as part of our organizational 
> mission.

I recognize the technical difference, but I don't think it's material in this 
instance.  Although I'm not a lawyer, I see a few legal hazards in the position 
you've described.  Foremost: (a) there still is potential liability in 
contributing to a harm (or crime) even if you're not the firsthand actor, and 
(b) being "community-driven" and "following policy" is not a valid legal 
defense.  ARIN is a business league that maintains a database commonly relied 
upon for establishing "rights" to use addresses (or "ownership" depending on 
your view).  ARIN may not control the networks that leverage this data, but 
there is responsibility in publishing it.  If people act in a coordinated 
manner, directly as a result of data that ARIN publishes, then ARIN would be 
hard pressed to avoid liability.

Having said that, it should be clear that I view ARIN "reclaiming" legacy 
addresses that aren't under contract (i.e. LRSA) as fraud, perhaps even in the 
legal sense of the word.  It might also be considered theft by some.  But 
outright reclaiming from ongoing address holders isn't a big concern of mine, 
because I doubt ARIN will go far down that path (if it goes at all).  My real 
concern is that ARIN might refuse to recognize legacy transfers, fail to update 
the Whois database, issue RPKI inappropriately, and cause real damage to live 
networks.  This would be bad for the networks that implement ARIN Whois-based 
policy, of course.  It would also be bad for ARIN if it causes legal disputes 
(and costs).

On that note, I'm going to take my discussion of policy to the PPML list.  I'd 
be interested, however, in NANOG discussion of my comments on Whois, RPKI, etc.

Cheers,
-Benson





Re: quietly....

2011-02-03 Thread Paul Graydon

On 02/02/2011 06:31 PM, Jay Ashworth wrote:

> - Original Message -
>> From: "david raistrick"
>> On Tue, 1 Feb 2011, Dave Israel wrote:
>>
>>> responsibility. If they want to use DHCPv6, or NAT, or Packet over
>>> Avian Carrier to achieve that, let them. If using them causes them
>>> problems, then they should not use them. It really isn't the
>>> community's place to force people not to use tools they find useful
>>> because we do not like them.
>>
>> Not to mention that when you take tools -away- from people that solve
>> an existing problem, you'll get a lot of pushback.
>
> I, personally, have been waiting to hear what happens when network techs
> discover that they can't carry IP addresses around in their heads anymore.
>
> That sounds trivial, perhaps, but I don't think it will be.

Absolutely, it's certainly one thing I'm dreading.  I know, DNS is 
awesome, but DNS also breaks (SysAdmin mantra: "It's a DNS problem", 
because if something is behaving in an unusual fashion, it's usually DNS 
that's at fault).  I guess I'll routinely be storing a copy of the zone 
file in my DropBox or something as a precaution so I can access it from 
my phone.


Paul



Re: quietly....

2011-02-03 Thread david raistrick

On Wed, 2 Feb 2011, Jimmy Hess wrote:

> SOCKS5 can be used to forward any TCP based protocol, and most UDP
> protocols,

Because SOCKS didn't break things worse than NAT?  Really?


--
david raistrick        http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: quietly....

2011-02-03 Thread Owen DeLong

On Feb 3, 2011, at 11:11 AM, Jay Ashworth wrote:

> - Original Message -
>> From: "Valdis Kletnieks" 
> 
>> (We'll overlook the fun and games that start when you have a laptop that
>> travels between a site where 2002:: is verboten, and another where 2002:: is
>> the way it has to be done... Doesn't happen much.. *yet*. Good luck 
>> explaining
>> *that* to Joe Sixpack)
> 
> With all due respect to the people who had to get it done...
> 
> And so *this* you call "engineering"?
> 
> Was TCP/IP this bad back in 1983, folks?
> 
> Cheers,
> -- jra

In different ways, yes, it was.

Owen




Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-02-03 Thread George Herbert
On Thu, Feb 3, 2011 at 3:17 PM, Fernando Gont  wrote:
> On 03/02/2011 10:07 a.m., Rob Evans wrote:
>
>>> You must be kiddin'... You're considering going through this mess
>>> again in a few decades?
>>
>> I'm mildly surprised if you think we're going to be done with *this*
>> mess in a few decades.
>
> I fully agree. But planning/expecting to go through this mess *again* is
> insane. -- I hope the lesson has been learned, and we won't repeat history.

There is not yet a consensus understanding of what the problems are;
that's a prerequisite to avoiding repeats.

IPv4 was patched (well enough) to handle all the problems it
encountered, until we hit address exhaustion.

Some of the next couple of decades' problems may require another new
protocol, hitting a non-address-exhaustion problem.

That new problem could come out of various topology changes, inherent
mobility, lots of other things.  It could even come from address
management (we won't likely exhaust 128 bits, but could hit
configurations we can't route).  Or from out of left field.



-- 
-george william herbert
george.herb...@gmail.com



Re: quietly....

2011-02-03 Thread david raistrick

On Wed, 2 Feb 2011, Jay Ashworth wrote:

> I, personally, have been waiting to hear what happens when network techs
> discover that they can't carry IP addresses around in their heads anymore.
>
> That sounds trivial, perhaps, but I don't think it will be.


Heh.

My personal hope, anyway, is that certain software engineers (and 
companies) who decide that DNS isn't worthwhile to support (for x y z or 
no reason) will never be able to remember the new addressing schemes, and 
will find themselves having to use DNS...and thereby adding support to 
their code.


In which case, bring it on!  :)



--
david raistrick        http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: quietly....

2011-02-03 Thread Lamar Owen
On Thursday, February 03, 2011 05:47:44 pm valdis.kletni...@vt.edu wrote:
> ETRN (RFC1985) FTW.

POP (RFC918), and the current version, POP3 (RFC1081) both predate the ETRN 
RFC: by 12 and 8 years, respectively.  By 1996, POP3 was so thoroughly 
entrenched that ETRN really didn't have a chance to replace POP3 in normal use; 
of course, there was the point you mention below, too, that makes it less than 
useful for most e-mail tasks.  The ETRN portion, however, introduces the idea 
of a distinct server and a distinct client that the server holds state for.

> (Of course, the operational problem with ETRN is that it in fact *does*
> implement "every workstation gets its mail directly through SMTP", when the
> actual need is "every *mail recipient*".

That has its advantages for certain uses.  And its distinct disadvantages, as 
you correctly note, for most 'normal' uses.




Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-02-03 Thread Fernando Gont
On 03/02/2011 10:07 a.m., Rob Evans wrote:

>> You must be kiddin'... You're considering going through this mess
>> again in a few decades?
> 
> I'm mildly surprised if you think we're going to be done with *this* 
> mess in a few decades.

I fully agree. But planning/expecting to go through this mess *again* is
insane. -- I hope the lesson has been learned, and we won't repeat history.

Thanks,
-- 
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1







Re: quietly....

2011-02-03 Thread david raistrick

On Thu, 3 Feb 2011, valdis.kletni...@vt.edu wrote:

> Well, it's official - the original end-to-end design principle of the 
> Internet is dead, deceased, and buried.  Henceforth, there will be 
> Clients, and there will be Servers, and all nodes will be permanently 
> classified as one or the other, with no changing or intermixing of 
> status allowed.

Er.  That's not news.  That's been the state of the art for what, 15+ 
years or so now?   SIP (because it's peer to peer) and P2P are really the 
only things that actually give a damn about it.

No one is going to check out their neighbor's website running on their 
neighbor's computer if the neighbor didn't make an effort to make their 
computer a server (by assigning DNS, running server software, etc) 
regardless of NAT etc etc.








--
david raistrick        http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: And so it ends...

2011-02-03 Thread John Curran
On Feb 3, 2011, at 5:34 PM, Robert Bonomi wrote:
> 
> Absolutely *NOT*.  Their unique status derives from the actions of a 
> contractor "faithfully executing" its duties on the behalf of the U.S.
> Gov't.  'Antitrust' does not apply to the Gov't, nor to those acting
> on its behalf, nor to anyone operating a government-sanctioned monopoly.

Robert - 
 
  To be clear, ARIN was formed by the Internet operator community to 
  perform these Internet Registry functions.  While the USG acknowledged
  its formation and facilitated the transition of the performance of  
  these functions to ARIN, ARIN is not performing these duties under 
  USG contract.  I have no view on the question to which you replied,
  but want to be certain everyone has clear facts for the discussion.

FYI,
/John

John Curran
President and CEO
ARIN





Re: quietly....

2011-02-03 Thread Roland Perry
In article <20110203220604.a8bae9a5...@drugs.dv.isc.org>, Mark Andrews 
 writes

>> In any event, two of my applications are not IPv6 compatible, and would
>> require significant upgrading. And will my ADSL provider and my 3G
>> provider both switch to IPv6 at about the same time?
>
> You shouldn't have to care.  Properly written clients will connect
> over whatever is available without significant delay and since you
> are multi-homed

I'd call it more alternate-homed.

> you really do want your clients to be properly written.  If they are 
> not complain to your vendor as they are not meeting the RFC 1123 
> requirements.

One client is no longer maintained (but I am very attached to it). The 
other is nailed inside a five-year-old VoIP box and I suspect they'll 
say "buy a new one".

These are just my straw poll of what may be difficult for small 
enterprises in a change to IPv6.

--
Roland Perry



Re: And so it ends...

2011-02-03 Thread Benson Schliesser

On Feb 3, 2011, at 4:29 PM, John Curran wrote:

> On Feb 3, 2011, at 3:42 PM, David Conrad wrote:
> 
>> Second, neither ICANN nor the USG has (to my knowledge) declared the RIRs to 
>> be "successor registries" (whatever they are).  
> 
> David - ARIN succeeded Network Solutions in 1997 in the performance of IP 
> number assignment, Autonomous System number assignment, and IN-ADDR.ARPA 
> tasks.

I succeeded my father.  That fact does not automatically grant me any authority 
of his - it has to be legally provided for (e.g. inherited per the law) if I'm 
to claim it legitimately.

Does ARIN have a privileged legal status as a result of their formation by 
NetSol, by contract with IANA or the US Govt, or otherwise?

-Benson



Re: And so it ends...

2011-02-03 Thread Benson Schliesser

On Feb 3, 2011, at 4:34 PM, Robert Bonomi wrote:

> Absolutely *NOT*.  Their unique status derives from the actions of a 
> contractor "faithfully executing" its duties on the behalf of the U.S.
> Gov't.  'Antitrust' does not apply to the Gov't, nor to those acting
> on its behalf, nor to anyone operating a government-sanctioned monopoly.

Maybe that applies to ICANN.  But how does it apply to ARIN?

-Benson




Re: quietly....

2011-02-03 Thread Lamar Owen
On Thursday, February 03, 2011 05:30:15 pm Jay Ashworth wrote:
> C'mon; this isn't *your* first rodeo, either.  From the viewpoint of 
> The Internet, *my edge router* is The Node 

Isn't that where this thing all started, with ARPAnet 'routers' on those leased 
lines?

End-to-end is in reality, these days, AS-to-AS.  Beyond that, each AS can do 
whatever it wants with those packets; if it wants to insert the full text of 
the Niagara Falls skit (with copyright owner's permission) into every packet, 
it can do that, and no other AS can make it do differently.

Sure, it would be nice in ways to have full end to end at the individual host 
level, everybody has static addresses and domain names are free and address 
space at the /64 level is portable to kingdom come and back without routing 
table bloat 

NAT in IPv4 came about because people were doing it, and the standards were 
after the fact.  Deja Vu, all over again.

Make it easy to do what people want to do, but without NAT, perhaps 
overloading, port-translating NAT66 won't get traction.



Re: And so it ends...

2011-02-03 Thread Owen DeLong

On Feb 3, 2011, at 10:15 AM, Kevin Stange wrote:

> On 02/03/2011 11:41 AM, Jeffrey Lyon wrote:
>> I'm not inclined to believe that ARIN members will collectively agree
>> on anything significant, so the policy process is a lot like U.S.
>> government (not a lot getting done).
> 
> ARIN members don't make binding votes on individual policy actions, they
> elect the Advisory Council and Board of ARIN.  ARIN solicits policy
> proposals and takes feedback and general counts of yea and nay votes for
> those proposals before deciding whether to adopt them.
> 
Those advisory votes are by the community, not the membership as well.


Owen




Re: quietly....

2011-02-03 Thread Valdis . Kletnieks
On Thu, 03 Feb 2011 17:25:14 EST, Lamar Owen said:
> If it were peer-to-peer at that connection there would be no POP3 or IMAP
> stacks needed to go get the mail, rather, every workstation would receive its
> mail directly through SMTP.

ETRN (RFC1985) FTW.

Just because you don't use it, or don't realize it's there, doesn't mean the
protocol doesn't already support it.

(Of course, the operational problem with ETRN is that it in fact *does*
implement "every workstation gets its mail directly through SMTP", when the
actual need is "every *mail recipient*". POP included that whole concept of
USER/PASS so you could snarf down the mail queued for one recipient, not one
workstation.)





Re: quietly....

2011-02-03 Thread Joe Greco
> > Seems there's a lot of engineers out there that only want to make sure
> > last year's protocols work, and are willing to totally ignore next year's.
> 
> It really is a different universe for University/ISP versus corporate
> networks. Neither is wrong or right, but both have different needs. My
> complaint is that my sense is that IPv6 was designed and favors the ISP
> environment rather than corporate networks.
> 
> A corporate network really does want to ignore next year's new hot protocol
> unless it makes business sense to support it. There may be regulatory
> reasons to block it (we are required to archive all email and instant
> messages) or management may decide it's a waste of time to support or
> management may feel it's a waste of people's work time to use. Obviously
> as an end-user with residential FTTH, I want something completely
> different from my ISP.

This is not necessarily a good reason for taking business policies and
using them to engineer a network that _cannot_ work with next year's new
hot protocol.

If we rewind ten years, you might find that the IP component of many
business networks was merely another protocol stack alongside their
existing one and a Socks proxy connecting to the Internet which was
set up to "enforce policy"; I cannot recall having seen one of these
setups survive the last decade.  It seemed like a great idea at the
time, but didn't really allow for many of the new technologies that
businesses now use and rely on.

Of course, the best consultants will advise you to implement that
type of "great idea", because it means that they'll be seeing you 
again in a few years when you want your network to support that next
new hot protocol.

It may be better, however, and also simultaneously less disruptive in
the long run, to engineer a network that *can* implement that next, new 
hot protocol and just use firewall policy to prevent it.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



Re: quietly....

2011-02-03 Thread Jack Bates



On 2/3/2011 4:17 PM, valdis.kletni...@vt.edu wrote:

Seems there's a lot of engineers out there that only want to make sure
last year's protocols work, and are willing to totally ignore next year's.


To give them respect, they do have the job of making what currently 
works keep working in the way they originally engineered them to.


Switching to IPv6 should not have had to require any changes from IPv4 
outside of a larger address and some minor protocol differences. The 
support tools to enhance IPv6 beyond IPv4 should be the icing.


For example. The CPE side of things and how chaining DHCPv6-PD is still 
an unfinished product, yet we are saying that everyone should be a go. 
There are too many configurations and setups out there to make it work 
smoothly. We are taking a step backwards from how we do things in IPv4.


I'm all for doing away with NAT on CPEs, but the work should have been 
completed before now on how to properly handle CPEs. The Imperial 
Geniuses apparently forgot.


As for corporate networks, NAT is perfectly fine and they can use it 
until they need the new protocols we develop. Then they'll have to 
adapt, but they'll at least already have some of the IPv6 work done.



Jack



Re: And so it ends...

2011-02-03 Thread Robert Bonomi

> Subject: Re: And so it ends...
> From: Ernie Rubi 
> Date: Thu, 3 Feb 2011 16:08:50 -0500
> To: David Conrad 
> Cc: NANOG list 
>
> Way off topic here...and into the legal arena:
>
> As to the monopoly classification, do you think, at least with ARIN 
> (since it is a US/Virginia corporation) that Sherman Act  2 (i.e. 
> antitrust) principles could be applied to require that it relinquish some 
> of the control over said IP space/database and act in a more competitive 
> manner?  

Absolutely *NOT*.  Their unique status derives from the actions of a 
contractor "faithfully executing" its duties on the behalf of the U.S.
Gov't.  'Antitrust' does not apply to the Gov't, nor to those acting
on its behalf, nor to anyone operating a government-sanctioned monopoly.

>  What about the other RIRs worldwide?

They're outside U.S. jurisdiction.  Sherman Act 2 is irrelevant to their
operation.

Even _if_ they were held to be subject to U.S. jurisdiction the prior
logic would apply to them as well.

>I'm not an antitrust 
> lawyer,

Obviously.

> but there may be an issue there.

nope.

> > No.  First, "IANA" does not exist.  The term "IANA" now refers to a 
> > series of functions currently performed under contract from the US 
> > Dept. of Commerce, NTIA by ICANN.  As such it can't declare anything.



Re: quietly....

2011-02-03 Thread Jay Ashworth
- Original Message -
> From: "Matthew Huff" 

> It really is a different universe for University/ISP versus corporate
> networks. Neither is wrong or right, but both have different needs. My
> complaint is that my sense is that IPv6 was designed and favors the
> ISP environment rather than corporate networks.
> 
> A corporate network really does want to ignore next year's new hot
> protocol unless it makes business sense to support it. There may be
> regulatory reasons to block it (we are required to archive all email
> and instant messages) or management may decide it's a waste of time to
> support or management may feel it's a waste of people's work time to
> use. Obviously as an end-user with residential FTTH, I want something
> completely different from my ISP.

To steal some telco terminology, and tie into my previous reply to Valdis,
*what is the demarcation point*?

In most cases, it's the edge router.

In .edu, it's generally a departmental or resnet router, or even closer to 
the end workstations than that.

But inside the demarc, policy and engineering may -- and nearly always 
will -- hew to different standards.

Cheers,
-- jra



Re: quietly....

2011-02-03 Thread Scott Helms



But that doesn't mean that edge networks should be *forbidden* from imposing
their own restrictions; those restrictions are (usually) business-based, where
backbone decisions must be more engineering-based.

Cheers,
-- jra


Well said, edge needs are virtually always dependent on client 
demands/realities and while they don't always mesh with elegant 
engineering they are just as vital.


--
Scott Helms
Vice President of Technology
ISP Alliance, Inc. DBA ZCorum
(678) 507-5000

http://twitter.com/kscotthelms





Re: And so it ends...

2011-02-03 Thread John Curran
On Feb 3, 2011, at 3:42 PM, David Conrad wrote:

> Second, neither ICANN nor the USG has (to my knowledge) declared the RIRs to 
> be "successor registries" (whatever they are).  

David - ARIN succeeded Network Solutions in 1997 in the performance of IP 
number assignment, Autonomous System number assignment, and IN-ADDR.ARPA tasks.

> However, pragmatically speaking, the folks who matter in any of this are the 
> ISPs.  The RIRs exist primarily as a means by which ISPs can avoid doing a 
> myriad set of bilateral agreements as to who "owns" what address space to 
> ensure uniqueness.  If the RIRs reduce their value by no longer providing 
> that service in an effective way (e.g., by doing what you suggest), I suspect 
> the ISPs would find other entities to provide global uniqueness services.

Full agreement on that point.

/John




Re: quietly....

2011-02-03 Thread Jay Ashworth
- Original Message -
> From: "Valdis Kletnieks" 

> On Thu, 03 Feb 2011 17:01:52 EST, Jay Ashworth said:
> > > Ahem. Please quit confusing "the protocol" with "that small
> > > segment of
> > > the protocol we choose to allow/support on our network".
> >
> > Ahem.
> >
> > Please quit confusing "The Internet" with "my small edge network,
> > which I interconnect with The Internet".
> 
> Corporations use a different version of RFC5321 that's 30% shorter and
> removes features they happen to not use? Or are they using the same
> RFC5321, but simply not using all the features?

Probably the latter.

C'mon; this isn't *your* first rodeo, either.  From the viewpoint of 
The Internet, *my edge router* is The Node -- as long as everything gets
to there ok, it's nunya damn business what I do inside.   Only what
comes out.

That's Why I Have A Router.

Cheers,
-- jra



Re: quietly....

2011-02-03 Thread Valdis . Kletnieks
On Thu, 03 Feb 2011 17:01:52 EST, Jay Ashworth said:
> - Original Message -
> > From: "Valdis Kletnieks" 
> 
> > On Thu, 03 Feb 2011 16:41:12 EST, Matthew Huff said:
> > > SMTP is definitely not a p2p protocol in most corporate
> > > environments.
> > 
> > Ahem. Please quit confusing "the protocol" with "that small segment of
> > the protocol we choose to allow/support on our network".
> 
> Ahem.
> 
> Please quit confusing "The Internet" with "my small edge network, which I
> interconnect with The Internet".

Corporations use a different version of RFC5321 that's 30% shorter and
removes features they happen to not use?  Or are they using the same
RFC5321, but simply not using all the features?

The distinction is in fact important.




RE: quietly....

2011-02-03 Thread Matthew Huff
> Seems there's a lot of engineers out there that only want to make sure
> last year's protocols work, and are willing to totally ignore next year's.

It really is a different universe for  University/ISP versus corporate 
networks. Neither is wrong or right, but both have different needs. My 
complaint is that my sense is that IPv6 was designed and favors the ISP 
environment rather than corporate networks.

A corporate network really does want to ignore next year's new hot protocol 
unless it makes business sense to support it. There may be regulatory reasons 
to block it (we are required to archive all email and instant messages) or 
management may decide it's a waste of time to support or management may feel 
it's a waste of people's work time to use. Obviously as an end-user with 
residential FTTH, I want something completely different from my ISP.







Re: quietly....

2011-02-03 Thread Jay Ashworth
- Original Message -
> From: "Valdis Kletnieks" 

> On Thu, 03 Feb 2011 17:00:55 EST, Jay Ashworth said:
> > Wow. $ANONYMOUS_COMMENTER was right: end-to-end isn't an engineering
> > principle, it's a religion.
[ ... ]
> Seems there's a lot of engineers out there that only want to make sure
> last year's protocols work, and are willing to totally ignore next
> year's.

Perhaps.  But I think a large part of our disconnect here is that there are
lots of backbone-level ops listening to lots of edge-network ops, and failing
to take into account that the latter group has *substantially* different
constraints on their engineering decisions and practices, and that both
groups' limitations are inherent in what they do.

Certainly the backbone has to not mess with stuff.

But that doesn't mean that edge networks should be *forbidden* from imposing
their own restrictions; those restrictions are (usually) business-based, where
backbone decisions must be more engineering-based.

Cheers,
-- jra



Re: quietly....

2011-02-03 Thread Lamar Owen
On Thursday, February 03, 2011 03:59:56 pm Matthew Palmer wrote:
> On Thu, Feb 03, 2011 at 03:20:25PM -0500, Lamar Owen wrote:
> > FTP is in essence a peer-to-peer protocol, as both ends initiate TCP
> > streams.  I know that's nitpicking, but it is true.

> So is SMTP, by the same token.  Aptly demonstrating why the term "P2P" is so
> mind-alteringly stupid.

Yeah, SMTP between servers is peer-to-peer, since both ends can transmit and 
both ends can receive, using the same protocol, but in different sessions, 
unlike FTP, where one session needs two streams, and one originates at the file 
storage end.  But it's also used as a client-server protocol between an SMTP 
sender and an SMTP receiver, which we commonly call the SMTP server.  If it 
were peer-to-peer at that connection there would be no POP3 or IMAP stacks 
needed to go get the mail, rather, every workstation would receive its mail 
directly through SMTP.  The peer-to-peer nature of SMTP is broken not by NAT, 
but by dynamically addressed and often disconnected clients, whether their IP 
addresses are globally routable or not.  Sometimes it would be better to get a 
five day bounce than for the mail to be delivered to the smarthost but the 
client never picks it up. There's a reason POP is the Post Office Protocol, 
as the addresses are then essentially PO Boxes.

But, with my apologies to Moe, Larry, and Curly:
"NATagara Falls!  Slowly I turned, step by step, inch by inch.."  (with a 
subject of 'quietly' I've been wanting to quote that all thread)  Some are 
that knee-jerk whenever the Three Letter Acronym That Must Not Be Mentioned is 
writ large



RE: quietly....

2011-02-03 Thread Matthew Huff
In a corporate environment, that's the way it's been for almost 30 years. The 
feeling I get is that people want to re-litigate that with IPv6, and make every 
desktop an end-to-end node. Not going to happen. In most corporate 
environments, even with sarcasm, you are right. There are clients and there are 
servers there are no such things as nodes. This is a major reason there is very 
little deployment of IPv6 within corporate networks. Things like DHCPv6 
integrated with NAC/802.1x, RA Guard, etc are another. Oh, and telling everyone 
that all server addresses had to be dynamic and determined by your ISP (PA 
space) was another funny. Again, not going to happen. 

We have PI space and are testing IPv6, but still waiting on consistent support 
from all OSes in use (Solaris, Linux and various flavors of Windows). Things 
like address token support (works fine in Solaris, I assume it's available 
somewhere in Linux but can't find it), and not available at all with Windows.





> -Original Message-
> From: valdis.kletni...@vt.edu [mailto:valdis.kletni...@vt.edu]
> Sent: Thursday, February 03, 2011 4:47 PM
> To: Lamar Owen
> Cc: nanog@nanog.org
> Subject: Re: quietly
> 
> On Thu, 03 Feb 2011 15:20:25 EST, Lamar Owen said:
> > FTP is in essence a peer-to-peer protocol, as both ends initiate TCP 
> > streams.  I know that's
> nitpicking, but it is true.
> 
> Well, it's official - the original end-to-end design principle of the 
> Internet is
> dead, deceased, and buried.  Henceforth, there will be Clients, and there will
> be Servers, and all nodes will be permanently classified as one or the other,
> with no changing or intermixing of status allowed.



Re: quietly....

2011-02-03 Thread Valdis . Kletnieks
On Thu, 03 Feb 2011 17:00:55 EST, Jay Ashworth said:

> Wow.  $ANONYMOUS_COMMENTER was right: end-to-end isn't an engineering 
> principle,
> it's a religion.

No, I was commenting on the "FTP is peer-to-peer as both ends initiate
connections" (which is true as far as it goes) - but when you look at the
bigger context of "what protocols besides VoIP and p2p" it's important.  First
off, VoIP is merely one special case of peer-to-peer.

The second, and more important, point is that if end-to-end is a religion,
there is another, even more sizeable religion called "The Internet As A Whole
Doesn't Need Any More Than The Small Subset of Protocols I Need For *MY*
Network".

Seems there's a lot of engineers out there that only want to make sure
last year's protocols work, and are willing to totally ignore next year's.




Re: And so it ends...

2011-02-03 Thread George Herbert
On Thu, Feb 3, 2011 at 1:52 PM,   wrote:
> On Thu, 03 Feb 2011 13:39:25 PST, George Herbert said:
>
>> It's probably most practical for them to renumber into a subset of
>> their existing space, collapsing down from the whole /8 into a /10 or
>> something longer, which would free up 75% of that space or more.
>
> And they want to go to the trouble of doing that, why, exactly?
>
> Imagine taking that to the CIO and/or budgeting people: "We want to start this
> $mumble-million project to renumber".  What's the first question they'll ask?
> "What's it mean for *our* bottom line?" What's the second? "Then why do we 
> want
> to spend this money?"
>
> It just ain't gonna happen till  you have good answers to those. "We can spend
> $mumble-million renumbering into 1/4 of the space, and then sell off the other
> 3/4 to various entities for an estimated $mumble-million+20%".
>
> *Then* it will happen.


Some of them won't have to renumber at all to collapse into a subset
(from what I was told).  Some are spaghetti messes.

Putting out a policy best practice that says "You really should do
this, please" doesn't force multi-million-dollar projects, no.  But
might prompt returns where no renumbering is required.  And can
hopefully encourage network revamps going forwards to recover space as
they go, if it's not too painful.

The alternate method - to just openly commoditize it - will also work,
but will incur significant political pushback within the community.

I don't know which path is ultimately more productive over long
timescales.  I think that a best practice asking for handbacks is at
least harmless in the nearterm.  If we need time to overcome
opposition to commoditization on our side of the fence, then that
should start now, but we can't plan for overcoming that on a
particular schedule.  Given that APNIC hits their wall in 6-7
months-ish, I don't know that we can move quickly enough, but someone
needs to start and see what happens.


-- 
-george william herbert
george.herb...@gmail.com



Re: quietly....

2011-02-03 Thread Mark Andrews

In message , Roland Perry writes:
> In article <5a055785-d55e-47a3-87b0-58b0de81f...@delong.com>, Owen 
> DeLong  writes
> >>> NAT provides a solution to, lets call it, enterprise multihoming.
> >>> Remote office with a local Internet connection, but failover through
> >>> the corporate network.
> >>
> >> And for home (/homeworker) networks ... eg I have a NAT box with a
> >>default connection to my ADSL provider and an automatic failover to
> >>3G (completely separate supplier).
> >>
> >> Almost everything inside my network doesn't notice when it switches over.
> >>
> >> Now, if only I could get it to automatically revert to ADSL when
> >>it reappears - I wouldn't have to worry so much about the 3G bill.
> >
> >In this case in IPv6, the better choice is to have addresses on each
> >host from both providers. When a provider goes away, the router should
> >invalidate the prefix in the RAs. If the hosts have proper address
> >selection policies, they will actually go back to the ADSL prefix as
> >soon as it reappears.
> 
> Which in turn implies that I'd have to start getting involved in DNS for 
> the hosts inside my network. At the moment I can ignore that and just 
> enter their rfc1918 address into various applications.

No, you can enter their ULA if you don't want to use the DNS.

For external clients you enter both their external addresses in the
DNS.  Clients don't need to be stupid about connecting to a multi-homed
server.  It's just that the client developers have ignored RFC
1123's suggestions for 20+ years and there hasn't been a lot of
multi-homed servers.  See the following for C code that works well
even when the network layer fails to report connection errors to
the application.

http://www.isc.org/community/blog/201101/how-to-connect-to-a-multi-homed-server-over-tcp

If an application you depend upon doesn't do something like this
complain to its developers.

UDP is harder but not impossible.  DNS is a classic example.  DNS
servers deal with UDP over dead network paths and have done for the
last 20 years.

> [This is all under Windows, of course, the sort of user I'm playing at 
> being doesn't use anything more sophisticated.]
> 
> In any event, two of my applications are not IPv6 compatible, and would 
> require significant upgrading. And will my ADSL provider and my 3G 
> provider both switch to IPv6 at about the same time?

You shouldn't have to care.  Properly written clients will connect
over whatever is available without significant delay and since you
are multi-homed you really do want your clients to be properly
written.  If they are not complain to your vendor as they are not
meeting the RFC 1123 requirements.

> Unfortunately this all sounds like a lot of work, but am I a rare kind 
> of user?
> -- 
> Roland Perry
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
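As an added illustration of the approach Mark describes (this is not the ISC C code the post links to, nor Mark's own), the Python below tries every address the resolver returns for a multi-homed server and bounds each attempt with a timeout, so a dead path that never reports an error still falls through to the next address. The loopback "server" built by demo_loopback() is a constructed stand-in for a real multi-homed host.

```python
import socket

# Added example, not the ISC code the post links to: an RFC 1123-style
# client that tries every address of a multi-homed server in turn.  A
# per-attempt timeout handles the case Mark describes, where the network
# layer reports no error at all (SYNs silently lost on a dead path).


def resolve_all(host, port, family=socket.AF_UNSPEC):
    """All TCP candidates for host as getaddrinfo() 5-tuples."""
    return socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)


def connect_any(candidates, per_attempt_timeout=2.0):
    """Try each (family, type, proto, canonname, sockaddr) candidate in
    order and return (socket, sockaddr) for the first that connects.

    Raises OSError only after every candidate has failed.  Without the
    per-attempt timeout, connect() to a black-holed address would block
    for the kernel's full SYN retry period (minutes) before the client
    ever got to the next address.
    """
    failures = []
    for family, socktype, proto, _canon, sockaddr in candidates:
        sock = socket.socket(family, socktype, proto)
        sock.settimeout(per_attempt_timeout)
        try:
            sock.connect(sockaddr)
        except OSError as exc:  # ECONNREFUSED, ENETUNREACH, timeout, ...
            failures.append((sockaddr, exc))
            sock.close()
            continue
        sock.settimeout(None)   # back to blocking mode for normal I/O
        return sock, sockaddr
    raise OSError("all %d candidate addresses failed: %r"
                  % (len(failures), failures))


def connect_host(host, port, per_attempt_timeout=2.0):
    """What an application would call: resolve, then try every address."""
    return connect_any(resolve_all(host, port), per_attempt_timeout)


def demo_loopback():
    """Constructed stand-in for a multi-homed server, using loopback only.

    The first 'address' is a socket that is bound but not listening, so
    the kernel refuses the connection; the second is a real listener.
    Returns (fell_through_to_live_address, all_dead_raises).
    """
    live = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    live.bind(("127.0.0.1", 0))
    live.listen(1)
    dead = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    dead.bind(("127.0.0.1", 0))
    cands = [(socket.AF_INET, socket.SOCK_STREAM, 0, "", dead.getsockname()),
             (socket.AF_INET, socket.SOCK_STREAM, 0, "", live.getsockname())]
    try:
        sock, chosen = connect_any(cands, per_attempt_timeout=1.0)
        sock.close()
        fell_through = chosen == live.getsockname()
        try:
            connect_any(cands[:1], per_attempt_timeout=1.0)
            all_dead_raises = False
        except OSError:
            all_dead_raises = True
    finally:
        live.close()
        dead.close()
    return fell_through, all_dead_raises


if __name__ == "__main__":
    print(demo_loopback())  # (True, True)
```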



Re: quietly....

2011-02-03 Thread Jay Ashworth
- Original Message -
> From: "Valdis Kletnieks" 

> On Thu, 03 Feb 2011 16:41:12 EST, Matthew Huff said:
> > SMTP is definitely not a p2p protocol in most corporate
> > environments.
> 
> Ahem. Please quit confusing "the protocol" with "that small segment of
> the protocol we choose to allow/support on our network".

Ahem.

Please quit confusing "The Internet" with "my small edge network, which I
interconnect with The Internet".

Cheers,
-- jra



Re: quietly....

2011-02-03 Thread Jay Ashworth
- Original Message -
> From: "Valdis Kletnieks" 

> Subject: Re: quietly
> On Thu, 03 Feb 2011 15:20:25 EST, Lamar Owen said:
> > FTP is in essence a peer-to-peer protocol, as both ends initiate
> > TCP streams. I know that's nitpicking, but it is true.
> 
> Well, it's official - the original end-to-end design principle of the
> Internet is
> dead, deceased, and buried. Henceforth, there will be Clients, and
> there will
> be Servers, and all nodes will be permanently classified as one or the
> other,
> with no changing or intermixing of status allowed.

Wow.  $ANONYMOUS_COMMENTER was right: end-to-end isn't an engineering principle,
it's a religion.

There's nothing inherent in v6 that breaks it, Valdis, just as there was 
nothing in v4 that broke it.  Or NAT44.  Or whatever gets deployed for NAT66.

If I, as the party responsible for an *end-user edge site*, decide that
I do not feel the need to support it *all the way through my edge router*,
that is my choice to make.  It only affects *end users under my control*,
and they're my users to make that decision for.

But please don't go on about how the parrot has ceased to be, ok?

Cheers,
-- jra



Re: Egypt 'hijacked Vodafone network'

2011-02-03 Thread Valdis . Kletnieks
On Thu, 03 Feb 2011 13:41:15 PST, Mike Lyon said:
> That is horrible
> 
> Next thing you know they'll be sending SMS messages to the people saying
> "TEXT 666 to donate 58 Egyptian Pounds to support Mubarak"

I got an e-mail this morning...

"Attention:
I am a consultant to the Egyptian President. I am contacting you for a possible
business deal based on the present political crisis in Egypt. The conglomerate
of Mobarak is ready to partner with you to help secure the resources of the
president since the office of the presidency has been dissolved."






Re: And so it ends...

2011-02-03 Thread Valdis . Kletnieks
On Thu, 03 Feb 2011 13:39:25 PST, George Herbert said:

> It's probably most practical for them to renumber into a subset of
> their existing space, collapsing down from the whole /8 into a /10 or
> something longer, which would free up 75% of that space or more.

And they want to go to the trouble of doing that, why, exactly?

Imagine taking that to the CIO and/or budgeting people: "We want to start this
$mumble-million project to renumber".  What's the first question they'll ask?
"What's it mean for *our* bottom line?" What's the second? "Then why do we want
to spend this money?"

It just ain't gonna happen till  you have good answers to those. "We can spend
$mumble-million renumbering into 1/4 of the space, and then sell off the other
3/4 to various entities for an estimated $mumble-million+20%".

*Then* it will happen.





Re: quietly....

2011-02-03 Thread Valdis . Kletnieks
On Thu, 03 Feb 2011 16:41:12 EST, Matthew Huff said:
> SMTP is definitely not a p2p protocol in most corporate environments.

Ahem. Please quit confusing "the protocol" with "that small segment of
the protocol we choose to allow/support on our network".




Re: quietly....

2011-02-03 Thread Valdis . Kletnieks
On Thu, 03 Feb 2011 15:20:25 EST, Lamar Owen said:
> FTP is in essence a peer-to-peer protocol, as both ends initiate TCP 
> streams.  I know that's nitpicking, but it is true.

Well, it's official - the original end-to-end design principle of the Internet 
is
dead, deceased, and buried.  Henceforth, there will be Clients, and there will
be Servers, and all nodes will be permanently classified as one or the other,
with no changing or intermixing of status allowed.




Re: And so it ends...

2011-02-03 Thread Brandon Butterworth
> But are they going to go up against someone big?
> 
> Do Lilly, DuPont and Merck need /8?  HP need a /7?

You decide. Make a policy proposal, if enough agree the database
changes and is reflected in many ISP networks.

"we route therefore you are"

I imagine (ianal) they would have to sue every ISP using ARIN data, I
don't see how ARIN should be sued for changing some text in their
members database at the request of their members.

If the prefix concerned wasn't in use on the net I imagine
they'd have a hard time but they're probably all reading
this and thinking "let's just advertise it in case someone
land grabs anyway". If there were to be good reason to do
this I imagine people would try a more friendly approach first.

If the space was used in, for example, China on services that
the legacy user never used and the new user never needed to contact
the legacy user they'd probably not even notice.

brandon



RE: quietly....

2011-02-03 Thread Matthew Huff
Oh, don't get me started on the confusion between FTP over SSH versus FTP over 
TLS/SSL let alone ftp over ssh versus sftp.
So many vendors and users use ftps or sftp indiscriminately to describe both 
and neither.

By sftp, I mean ftp over ssh (not tunnelled) as an alternate to scp. I would 
personally prefer scp to sftp, but that isn't what is being deployed by our 
peers.



> -Original Message-
> From: Randy Carpenter [mailto:rcar...@network1.net]
> Sent: Thursday, February 03, 2011 4:32 PM
> To: Matthew Huff
> Cc: nanog@nanog.org; Valdis Kletnieks
> Subject: Re: quietly
> 
> - Original Message -
> > Well, since ssh is a straight up tcp socket protocol on a well know
> > port with no gimmicks needed like FTP, yeah, I would say it isn't a
> > hack. FTP over TLS/SSL is much worse. In some implementations you can
> > do an non-encrypted control channel and an encrypted data channel, so
> > that a SPI firewall can "hack" it through, but unfortunately a lot of
> > servers and/or clients won't negotiate that correctly and only allow
> > both type of channels to be encrypted which is not possible to pass
> > through a SPI firewall.
> >
> > There are two other sorta widely implemented secure file transfer
> > protocols, SCP and WebDav over TLS/SSL. Either works fine through a
> > SPI firewall, but the consensus for file transfer (at least over the
> > pub net) within the financial services community appears to be
> > converging to FTP over ssh.
> 
> Do you mean sftp, or ftp over an ssh tunnel?
> 
> -Randy



Re: Egypt 'hijacked Vodafone network'

2011-02-03 Thread Mike Lyon
That is horrible

Next thing you know they'll be sending SMS messages to the people saying
"TEXT 666 to donate 58 Egyptian Pounds to support Mubarak"

On Thu, Feb 3, 2011 at 1:32 PM, andrew.wallace <
andrew.wall...@rocketmail.com> wrote:

> On Thu, Feb 3, 2011 at 7:48 PM, Marshall Eubanks 
> wrote:
> >
> > On Feb 3, 2011, at 2:20 PM, andrew.wallace wrote:
> >
> >> On Thu, Feb 3, 2011 at 6:59 PM, Scott Brim 
> wrote:
> >>> On 02/03/2011 10:14 EST, Marshall Eubanks wrote:
> >>>>
> >>>> On Feb 3, 2011, at 9:24 AM, andrew.wallace wrote:
> >>>>
> >>>>> Mobile phone firm Vodafone accuses the Egyptian authorities of
> >>>>> using its network to send pro-government text messages.
> >>>>>
> >>>>> http://www.bbc.co.uk/news/business-12357694
> >>>>
> >>>> Here is their PR
> >>>>
> >>>> http://www.vodafone.com/content/index/press.html
> >>>>
> >>>> Note that this is entirely legal, under "the emergency powers
> >>>> provisions of the Telecoms Act"
> >>>
> >>> Which is legal, Vodafone's protest or the government's telling them to
> >>> send messages?  afaik the agreement was that the operator would have
> >>> preloaded canned messages, agreed on in advance with the government,
> and
> >>> now the government is telling them to send out arbitrary messages they
> >>> compose on the spot.
> >>>
> >>>
> >>
> >> I wonder if these messages were blockable by the end-user or if they
> were being sent as a service announcement from Vodafone.
> >>
> >> Certainly, if the government were sending the messages under the company
> name then something sounds wrong about that.
> >>
> >> What I would like is to hear from someone who received the messages and
> what their experiences were.
> >>
> >
> > They were described to me as being "from Vodafone." I assumed that this
> meant that they were service messages.
> >
> > Marshall
>
> A text message received Sunday by an Associated Press reporter in Egypt
> appealed to
> the country's "honest and loyal men to confront the traitors and
> criminals and protect our people and honor."
>
> Another urged Egyptians to
> attend a pro-Mubarak rally in Cairo on Wednesday. The first was marked as
> coming from "Vodafone." The other was signed: "Egypt Lovers."
>
> http://news.yahoo.com/s/ap/20110203/ap_on_hi_te/eu_egypt_cell_phones
>
> Andrew
>
>
>
>
>
>


RE: quietly....

2011-02-03 Thread Matthew Huff
SMTP is definitely not a p2p protocol in most corporate environments. In ours, 
all email (even ones that you would think should be host2host) go to a central 
"smarthost" that processes the mail, and archive it for compliance. All 
internal to external and external to internal email is tightly controlled and 
only goes through a very specific route.

Again, big difference between a university or ISP environment and a corporate 
one.



> -Original Message-
> From: Matthew Palmer [mailto:mpal...@hezmatt.org]
> Sent: Thursday, February 03, 2011 4:00 PM
> To: nanog@nanog.org
> Subject: Re: quietly
> 
> On Thu, Feb 03, 2011 at 03:20:25PM -0500, Lamar Owen wrote:
> > On Thursday, February 03, 2011 02:28:32 pm valdis.kletni...@vt.edu wrote:
> > > The only reason FTP works through a NAT is because the NAT has already
> > > been hacked up to further mangle the data stream to make up for the
> > > mangling it does.
> >
> > FTP is in essence a peer-to-peer protocol, as both ends initiate TCP
> > streams.  I know that's nitpicking, but it is true.
> 
> So is SMTP, by the same token.  Aptly demonstrating why the term "P2P" is so
> mind-alteringly stupid.
> 
> - Matt




Re: And so it ends...

2011-02-03 Thread George Herbert
On Thu, Feb 3, 2011 at 1:27 PM, Jeffrey Lyon
 wrote:
> Pragmatically, compelling the release of a legacy allocation to a
> major company could be difficult, however, if the ARIN community were
> to draft a resolution to reclaim the space it may have a profound
> effect on public sentiment toward those companies.

A best practice doc / resolution would be good.

It's probably most practical for them to renumber into a subset of
their existing space, collapsing down from the whole /8 into a /10 or
something longer, which would free up 75% of that space or more.  A
resolution that made that practice a best practice and that asked that
enterprises give a general utilization report to the public to give an
idea of whether they were close to being able to do that or far from
it seems harmless.

It all depends on what their internal network allocation model has
been all along.  Hopefully sane, but we can't plan on it.


-- 
-george william herbert
george.herb...@gmail.com



Re: quietly....

2011-02-03 Thread Mark Andrews

In message <32825.1296757039@localhost>, valdis.kletni...@vt.edu writes:
> 
> On Thu, 03 Feb 2011 09:18:25 +1100, Mark Andrews said:
> 
> > Or you just filter them out in the laptop.   With the proper tools you just
> > ignore any RA's containing 2002:.  Done that for years now.
> 
> You're welcome to stop by and fix 30,000+ systems here, most of which we do
> *not* have administrative control over because they're personal laptops and the
> like.  For most of these users, if it doesn't do the filtering correctly out of
> the box when they pick it at Best Buy or Walmart or whatever, it isn't going to
> get reconfigured. (We do provide a free "configure your box for our network" CD
> that does all this stuff and installs a site-licensed AV and all that, but not
> everybody actually uses it, and there's no really good way to mandate it - and
> anyhow, that's a purely local fix for a problem that's more than local).
> 
> (We'll overlook the fun and games that start when you have a laptop that
> travels between a site where 2002:: is verboten, and another where 2002:: is
> the way it has to be done... Doesn't happen much.. *yet*.  Good luck explaining
> *that* to Joe Sixpack)

Joe Sixpack is quite capable of learning this stuff.  That said,
modern OSes also come with connection profiles which make this even
easier and will reduce the incidents of rogue RA and DHCP as
connection sharing gets tied to the profile.

Additionally connection sharing will shift from using 6to4 to doing
prefix delegation.  OS vendors that support connection sharing
should also look at the IPv6 CPE draft as lots of that is applicable.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


