RE: Yahoo and IPv6

2011-05-10 Thread Frank Bulk
If I can anticipate Igor's response, he'll say that he'll whitelist those
IPv6-only networks and so he's just helped 182,000 people.

Frank

-Original Message-
From: Owen DeLong [mailto:o...@delong.com] 
Sent: Tuesday, May 10, 2011 1:23 PM
To: Igor Gashinsky
Cc: nanog@nanog.org
Subject: Re: Yahoo and IPv6

On May 10, 2011, at 9:32 AM, Igor Gashinsky wrote:

> On Tue, 10 May 2011, valdis.kletni...@vt.edu wrote:
> 
> :: On Tue, 10 May 2011 02:17:46 EDT, Igor Gashinsky said:
> :: 
> :: > The time for finger-pointing is over, period, all we are trying to do
> :: > now is figure out how to deal with the present (sucky) situation. The
> :: > current reality is that for a non-insignificant percentage of users when
> :: > you enable dual-stack, they are going to drop off the face of the planet.
> :: > Now, for *you*, 0.026% may be insignificant (and, standalone, that number
> :: > is insignificant), but for a global content provider that has ~700M users,
> :: > that's 182 *thousand* users that *you*, *through your actions* just took
> :: > out.. 182,000 - that is *not* insignificant
> :: 
> :: At any given instant, there's a *lot* more than 182,000 users who are cut off
> :: due to various *IPv4* misconfigurations and issues.
> 
> Yes, but *these* 182,000 users have perfectly working ipv4 connectivity, 
> and you are asking *me* to break them through *my* actions. Sorry, that's 
> simply too many to break for me, without a damn good reason to do so.
> 
In other words, Igor can't turn on AAAA records generally until there are
182,001 IPv6-only users that are broken from his lack of AAAA records.

Given IP address consumption rates in Asia and the lack of available IPv4
resources in Asia, with a traditional growth month to month of nearly
30 million IPv4 addresses consumed, I suspect it will not be long before
the 182,001 broken IPv6 users become relevant.

> Doing that on world ipv6 day, when there is a lot of press, and most other
> large content players doing the same, *is* a good reason - it may actually
> have a shot of accomplishing some good, since it may get those users to 
> realize that they are broken, and fix their systems, but outside of flag 
> day, if I enabled AAAA by default for all users, all I'm going to do is 
> send those "broken" users to my competitors who chose not to enable AAAA 
> on their sites. 
> 
Agreed. I think IPv6 day is a great plan for this very reason. I also hope that
a lot of organizations that try things out on IPv6 day will decide that the
brokenness that has been so hyped wasn't actually noticeable and then
leave their AAAA records in place. I do not expect Yahoo or Google to
be among them, but, hopefully a lot of other organizations will do so.

> This is why I think automatic, measurement-based whitelisting/blacklisting
> to minimize the collateral damage of enabling AAAA is going to be 
> inevitable (with the trigger set to something around 99.99%), and about 
> the only way we see wide-scale IPv6 adoption by content players, outside 
> events like world ipv6 day.
> 
This will be interesting. Personally, I think it will be more along the lines
of when there are more IPv6 only eye-balls with broken IPv4 than there
are IPv4 eye-balls with broken IPv6, AAAA will become the obvious
solution.

In my opinion, this is just a matter of time and will happen much sooner than
I think most people anticipate.

Owen





Re: 23,000 IP addresses

2011-05-10 Thread Mark Radabaugh

On 5/10/11 8:30 PM, Jimmy Hess wrote:

On Tue, May 10, 2011 at 8:54 AM, Mark Radabaugh wrote:

On 5/10/11 9:07 AM, Marshall Eubanks wrote:
A good reason why every ISP should have a published civil subpoena
compliance fee.
23,000 * $150 each should only cost them $3.45M to get the information.
Seems like that would take the profit out pretty quickly.

+1.
But don't the fees actually have to be reasonable?

Facebook charges $150.00 (not a great link but 
http://lawyerist.com/subpoena-facebook-information/)


Finding that on facebook's site is difficult.  Other sites have Facebook 
charging $250 to $500 for civil subpoena fees.


Courts like precedent.  I choose Facebook's precedent.  Seems reasonable 
to me.


Mark




Re: 23,000 IP addresses

2011-05-10 Thread Steven Bellovin

On May 10, 2011, at 9:53 16PM, Michael Painter wrote:

> Deepak Jain wrote:
>> For examples, see the RIAA's attempts and more recently the criminal 
>> investigations of child porn downloads from unsecured access
>> points. From what I understand (or wildly guess) is that ISPs with remote 
>> diagnostic capabilities are being asked if their
>> provided access point is secure or unsecure BEFORE they serve their warrants 
>> to avoid further embarrassments. [It'll probably
>> take another 6 months and more goofs before they realize that customers are 
>> perfectly capable of poorly installing their own
>> access points behind ISP provided gear].
> 
> Exactly...what about those who choose WEP/WPA-TKIP for their 'secured' access 
> point?
> I can just imagine being in front of a judge/jury after having been arrested 
> for, as you say, "child porn downloads " and listening to my law^H^H^H public 
> defender explain the mechanisms of how the access point was 'cracked' and may 
> have been used by someone sitting in their car down the street. 
> 
> 
It's happened -- here are two cases I know of:
http://news.cnet.com/Wi-Fi-arrest-highlights-security-dangers/2100-1039_3-5112000.html
http://news.nationalpost.com/2010/05/27/ontario-man-accused-of-downloading-child-porn-because-of-free-wifi-connection/


--Steve Bellovin, https://www.cs.columbia.edu/~smb








Re: Yahoo and IPv6

2011-05-10 Thread Mark Andrews

In message <1305074385.18376.566.camel@karl>, Karl Auer writes:
> On Wed, 2011-05-11 at 10:19 +1000, Mark Andrews wrote:
> > For the record Apple's current iChat (the OS (10.6.7) is completely
> > up to date) fails such a test.  It will try IPv6 and not fallback
> > to IPv4.  End users shouldn't be seeing these sorts of errors.
> 
> Is that possibly a failure of the underlying resolver library? Do other
> applications on the same platform behave correctly?

It doesn't matter where in the system the fault is.  It's all Apple
components.  If the application doesn't get and try all addresses
it is broken.  The nameservers have all addresses in their caches.
MacOS's local cache have all addresses in it.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org



Re: 23,000 IP addresses

2011-05-10 Thread Ong Beng Hui

Hi,

I am not a US citizen and I don't live in the US. But I am interested to 
know how the case progresses, because we have similar cases in my 
country. :P


But seriously, are they after the end-user or making the ISP responsible 
for their end-user?


While I am not a lawyer, so what after they know who is using that 
broadband connection for that IP? So, they have identified the 80yr old, 
what next? And what if I have a free-for-all wireless router in my 
house which anyone can tap on, which I regularly switch off during 
nighttime for energy saving reasons. :)


On 5/11/11 1:28 AM, Deepak Jain wrote:

A Federal Judge has decided to let the "U.S. Copyright Group" subpoena
ISPs over 23,000 alleged downloads of some
Sylvester Stallone movie I have never heard of; subpoenas are expected
to go out this week.

I thought that there might be some interest in the list of these
addresses :

http://www.wired.com/images_blogs/threatlevel/2011/05/expendibleipaddresses.pdf

This will stop when an 80+ yr old is taken to court over a download her 8 year 
old grandkid might have made when visiting for the weekend. The media will make 
the case that technologists can't.

For examples, see the RIAA's attempts and more recently the criminal 
investigations of child porn downloads from unsecured access points. From what 
I understand (or wildly guess) is that ISPs with remote diagnostic capabilities 
are being asked if their provided access point is secure or unsecure BEFORE 
they serve their warrants to avoid further embarrassments. [It'll probably take 
another 6 months and more goofs before they realize that customers are 
perfectly capable of poorly installing their own access points behind ISP 
provided gear].

The torrent stuff is fundamentally no different in that a single IP can and is 
shared by lots of people as common practice and the transient nature of it 
(e.g. airport access point, starbucks, etc) reasonably makes the lawyer's case 
much, much harder.

There is a real theft/crime here in many cases, but whether there is actually 
any value in prosecution of movie downloads will depend... but most likely, the 
outcome will be iMovies or similar and the movie industry will shrink the way 
the music industry has.

DJ






Re: 23,000 IP addresses

2011-05-10 Thread Michael Painter

Deepak Jain wrote:
For examples, see the RIAA's attempts and more recently the criminal investigations of child porn downloads from 
unsecured access points. From what I understand (or wildly guess) is that ISPs with remote diagnostic capabilities 
are being asked if their provided access point is secure or unsecure BEFORE they serve their warrants to avoid 
further embarrassments. [It'll probably take another 6 months and more goofs before they realize that customers 
are perfectly capable of poorly installing their own access points behind ISP provided gear].


Exactly...what about those who choose WEP/WPA-TKIP for their 'secured' access point?
I can just imagine being in front of a judge/jury after having been arrested for, as you say, "child porn downloads" and 
listening to my law^H^H^H public defender explain the mechanisms of how the access point was 'cracked' and may have been 
used by someone sitting in their car down the street. 





Re: Yahoo and IPv6

2011-05-10 Thread Matthew Petach
On Tue, May 10, 2011 at 1:58 PM, Iljitsch van Beijnum wrote:
> On 10 mei 2011, at 22:31, Warren Kumari wrote:
>> I'm also a little surprised that you figured that there were no plans past 
>> the event -- much of the point of this is for data gathering -- did you 
>> figure folk were just going to gather the data and then ignore it?
>
> I asked the ISOC press people about this after they sent me their press 
> release but they never replied (they may have replied to my message but not 
> with an answer to the question). There is nothing on the ISOC site that 
> mentions anything happening after june 8.
>
> Of course I'm assuming individual participants will do stuff, but that 
> doesn't change that this IPv6 day as it stands now is a one-off event, not 
> the first step towards the Ultimate Goal.
>

Speaking only for myself, and not for anybody at all, I wouldn't be terribly
surprised if the 24 hour experiment goes smoothly to see it followed up
by a week-long trial round the next time.

If it doesn't go well, I imagine there will be much data analysis, figuring
out what needs to be fixed, and a "24 hour trial, take 2" once a sufficient
level of fixage has occurred.

Matt



Re: Yahoo and IPv6

2011-05-10 Thread Owen DeLong

On May 10, 2011, at 6:03 PM, Matthew Palmer wrote:

> On Tue, May 10, 2011 at 11:22:54AM -0700, Owen DeLong wrote:
>> On May 10, 2011, at 9:32 AM, Igor Gashinsky wrote:
>>> On Tue, 10 May 2011, valdis.kletni...@vt.edu wrote:
>>> :: On Tue, 10 May 2011 02:17:46 EDT, Igor Gashinsky said:
>>> :: > The time for finger-pointing is over, period, all we are trying to do 
>>> :: > now is figure out how to deal with the present (sucky) situation. The 
>>> :: > current reality is that for a non-insignificant percentage of users when 
>>> :: > you enable dual-stack, they are going to drop off the face of the planet. 
>>> :: > Now, for *you*, 0.026% may be insignificant (and, standalone, that number 
>>> :: > is insignificant), but for a global content provider that has ~700M users, 
>>> :: > that's 182 *thousand* users that *you*, *through your actions* just took 
>>> :: > out.. 182,000 - that is *not* insignificant
>>> :: 
>>> :: At any given instant, there's a *lot* more than 182,000 users who are cut off
>>> :: due to various *IPv4* misconfigurations and issues.
>>> 
>>> Yes, but *these* 182,000 users have perfectly working ipv4 connectivity, 
>>> and you are asking *me* to break them through *my* actions. Sorry, that's 
>>> simply too many to break for me, without a damn good reason to do so.
>>> 
>> In other words, Igor can't turn on AAAA records generally until there are
>> 182,001 IPv6-only users that are broken from his lack of AAAA records.
> 
> There may be something stupid I haven't considered about this, but wouldn't
> a v6-only end user be making their DNS requests over v6 (at least to their
> ISP's resolver), and if their provider was nice enough to continue that
> v6ness up the chain, wouldn't it be fairly simple (to the point of "I'd be
> stunned if everyone wasn't already doing this") to say to
> Yahoo/Google/whatever's ultra-smart whitelisting DNS servers, "v6-whitelist
> all v6 DNS requests"?
> 
Not necessarily and almost entirely irrelevant. Yahoo may or may not get
the query from the ISP's resolver directly. An IPv6-only client might
have a private IPv4 address that reaches an IPv4 resolver within their
local network that may or may not have public IPv4 connectivity.

There is no clean or reliable way to infer anything about the protocol
stack on the client from an authoritative DNS server.

> That way, v6-only people are guaranteed to get the AAAA records they so
> badly crave, without making an excessive mess for anyone else.
> 
Another beautiful theory murdered by a brutal gang of facts.

> I know this falls down if your v6-only-providing ISP takes your recursive
> DNS requests on IPv6 and sends them out via IPv4 even if AAAA records were
> available, but why would anyone be that dumb?  Since the initial request
> would come in via v6, anything whitelisting in this fashion would be sending
> the AAAA records out, so you should never have to fall back to v4 unless
> someone isn't providing DNS via v6 at all, and who would willingly have
> their site v6 enabled without v6 enabling the DNS?  (Yes, I'm aware of
> registrars who don't accept v6 glue, but get your whacking sticks out and
> keep whackin' 'til they fix it -- and kudos to gkg.net for having that
> sorted *before* I put my first v6 site up).
> 
It's not a matter of dumb. There are all kinds of reasons this might occur.
For example, an IPv6-only host behind an HE Tunnel on a network that
gets IPv4 only service from another ISP, but, is out of IPv4 addresses.

Owen




Re: Yahoo and IPv6

2011-05-10 Thread Matthew Palmer
On Tue, May 10, 2011 at 11:22:54AM -0700, Owen DeLong wrote:
> On May 10, 2011, at 9:32 AM, Igor Gashinsky wrote:
> > On Tue, 10 May 2011, valdis.kletni...@vt.edu wrote:
> > :: On Tue, 10 May 2011 02:17:46 EDT, Igor Gashinsky said:
> > :: > The time for finger-pointing is over, period, all we are trying to do 
> > :: > now is figure out how to deal with the present (sucky) situation. The 
> > :: > current reality is that for a non-insignificant percentage of users when 
> > :: > you enable dual-stack, they are going to drop off the face of the planet. 
> > :: > Now, for *you*, 0.026% may be insignificant (and, standalone, that number 
> > :: > is insignificant), but for a global content provider that has ~700M users, 
> > :: > that's 182 *thousand* users that *you*, *through your actions* just took 
> > :: > out.. 182,000 - that is *not* insignificant
> > :: 
> > :: At any given instant, there's a *lot* more than 182,000 users who are cut off
> > :: due to various *IPv4* misconfigurations and issues.
> > 
> > Yes, but *these* 182,000 users have perfectly working ipv4 connectivity, 
> > and you are asking *me* to break them through *my* actions. Sorry, that's 
> > simply too many to break for me, without a damn good reason to do so.
> > 
> In other words, Igor can't turn on AAAA records generally until there are
> 182,001 IPv6-only users that are broken from his lack of AAAA records.

There may be something stupid I haven't considered about this, but wouldn't
a v6-only end user be making their DNS requests over v6 (at least to their
ISP's resolver), and if their provider was nice enough to continue that
v6ness up the chain, wouldn't it be fairly simple (to the point of "I'd be
stunned if everyone wasn't already doing this") to say to
Yahoo/Google/whatever's ultra-smart whitelisting DNS servers, "v6-whitelist
all v6 DNS requests"?

That way, v6-only people are guaranteed to get the AAAA records they so
badly crave, without making an excessive mess for anyone else.

I know this falls down if your v6-only-providing ISP takes your recursive
DNS requests on IPv6 and sends them out via IPv4 even if AAAA records were
available, but why would anyone be that dumb?  Since the initial request
would come in via v6, anything whitelisting in this fashion would be sending
the AAAA records out, so you should never have to fall back to v4 unless
someone isn't providing DNS via v6 at all, and who would willingly have
their site v6 enabled without v6 enabling the DNS?  (Yes, I'm aware of
registrars who don't accept v6 glue, but get your whacking sticks out and
keep whackin' 'til they fix it -- and kudos to gkg.net for having that
sorted *before* I put my first v6 site up).

- Matt

-- 
Ruby's the only language I've ever used that feels like it was designed by a
programmer, and not by a hardware engineer (Java, C, C++), an academic
theorist (Lisp, Haskell, OCaml), or an editor of PC World (Python).
-- William Morgan



Re: Yahoo and IPv6

2011-05-10 Thread TR Shaw

On May 9, 2011, at 11:16 AM, Arie Vayner wrote:

> Actually, I have just noticed a slightly more disturbing thing on the Yahoo
> IPv6 help page...
> 
> I have IPv6 connectivity through a HE tunnel, and I can reach IPv6 services
> (the only issue is that my ISP's DNS is not IPv6 enabled), but I tried to
> run the "Start IPv6 Test" tool at http://help.yahoo.com/l/us/yahoo/ipv6/ and
> it says:
> "We detected an issue with your IPv6 configuration. On World IPv6 Day, you
> will have issues reaching Yahoo!, as well as your other favorite web sites.
> We recommend disabling
> IPv6,
> or seeking assistance in order to fix your system's IPv6 configuration
> through your ISP or computer manufacturer."
> 

Weird as I also use the HE tunnel and the yahoo report for me was clean.

Tom





Re: Yahoo and IPv6

2011-05-10 Thread Karl Auer
On Wed, 2011-05-11 at 10:19 +1000, Mark Andrews wrote:
> For the record Apple's current iChat (the OS (10.6.7) is completely
> up to date) fails such a test.  It will try IPv6 and not fallback
> to IPv4.  End users shouldn't be seeing these sorts of errors.

Is that possibly a failure of the underlying resolver library? Do other
applications on the same platform behave correctly?

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)   +61-2-64957160 (h)
http://www.biplane.com.au/kauer/   +61-428-957160 (mob)

GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156




Re: 23,000 IP addresses

2011-05-10 Thread Jimmy Hess
On Tue, May 10, 2011 at 8:54 AM, Mark Radabaugh wrote:
> On 5/10/11 9:07 AM, Marshall Eubanks wrote:
> A good reason why every ISP should have a published civil subpoena
> compliance fee.
> 23,000 * $150 each should only cost them $3.45M to get the information.
> Seems like that would take the profit out pretty quickly.

+1.
But don't the fees actually have to be reasonable?

If you say your fee is  $150 per IP address,  I think they might bring
it to the judge
and claim the ISP is attempting to avoid subpoena compliance by charging an
unreasonable fee.

They can point to all the competitors charging $40 per IP.

This would be very interesting with IPv6 though,  and customers assigned /56s.

"You want all the records for every IP in this /56,  really?"


--
-JH



Re: Yahoo and IPv6

2011-05-10 Thread Mark Andrews

In message , Jason Fesler writes:
> > Of course I'm assuming individual participants will do stuff, but that 
> > doesn't change that this IPv6 day as it stands now is a one-off event,
> > not the first step towards the Ultimate Goal.
> 
> The intent is to get folks together after we digest the data, to talk 
> about next steps.  Date is not yet picked.
> 
> I'm hoping we collectively prove there is no broken user problem.  I 
> realistically expect we'll have another "v6d" - either as 24h, or as a 
> roll-on-and-stick.   But, until we get through the day, and analyze the 
> data, any decisions on what to do next are premature.
> 
> The NANOG following v6d should be interesting; I'm hoping a number of 
> folks from both access and content are willing to share any early stats 
> they have.

What I would like OS and application vendors to do is test every
network product they ship with 3 sets dual stack servers which are
configured:

* With the service on both IPv4 and IPv6.
* With the service on IPv4 and the IPv6 service silently blocked.
* With the service on IPv6 and the IPv4 service silently blocked.

If the product is designed to work on a dual stack client it should
work correctly though perhaps slowly with the server configured in
all three of these states.  This isn't hard and is just basic quality
control.  And for Apple, don't forget to prime the address cache
so that both A and AAAA records are present.  There is no excuse
for any vendor to be currently shipping products that fail such a
test.

For the record Apple's current iChat (the OS (10.6.7) is completely
up to date) fails such a test.  It will try IPv6 and not fallback
to IPv4.  End users shouldn't be seeing these sorts of errors.

Yes, this is name and shame.
Yes, I have reported this to Apple through their web site.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
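The three-server check Mark describes, run against a client that tries every address the resolver returned and against one that stops at the first. This is an added example, not code from the thread or from any vendor: the "silently blocked" states are simulated with a fake connect that times out for a blocked family, and the addresses are constructed documentation-range values.

```python
"""Dual-stack client behaviour under the three server states named in the
thread: both protocols up, IPv6 silently blocked, IPv4 silently blocked.
Added example, not code from the thread; the blocked paths are simulated."""
import socket
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Addr = Tuple[int, tuple]  # (address family, sockaddr) as getaddrinfo returns them

def sort_addresses(addrs: Iterable[Addr]) -> List[Addr]:
    """Prefer IPv6, then IPv4, keeping resolver order inside each family."""
    v6 = [a for a in addrs if a[0] == socket.AF_INET6]
    v4 = [a for a in addrs if a[0] == socket.AF_INET]
    return v6 + v4

def connect_with_fallback(addrs: Iterable[Addr], connect: Callable, timeout: float):
    """The behaviour Mark asks for: get *all* addresses and try each in turn.
    A silently blocked path surfaces as socket.timeout (an OSError), so it is
    handled like a refused connection: move on to the next address."""
    errors = []
    for family, sockaddr in sort_addresses(addrs):
        try:
            return connect(family, sockaddr, timeout)
        except OSError as exc:
            errors.append((sockaddr, exc))
    raise OSError(f"all {len(errors)} addresses failed: {errors}")

def connect_first_only(addrs: Iterable[Addr], connect: Callable, timeout: float):
    """The failure mode described for iChat: try the preferred address, never fall back."""
    family, sockaddr = sort_addresses(addrs)[0]
    return connect(family, sockaddr, timeout)

def real_connect(family: int, sockaddr: tuple, timeout: float) -> socket.socket:
    """Real TCP connect with a per-attempt timeout; raises OSError on failure."""
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
    except OSError:
        sock.close()
        raise
    return sock

def connect_host(host: str, port: int, timeout: float = 3.0) -> socket.socket:
    """Resolve both A and AAAA (AF_UNSPEC) and connect with fallback."""
    addrs = [(fam, sa) for fam, _t, _p, _c, sa in
             socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)]
    return connect_with_fallback(addrs, real_connect, timeout)

# --- simulated servers for the three test states ---------------------------
def make_fake_connect(blocked_families: set) -> Callable:
    """Stand-in for real_connect: a blocked family answers with a timeout,
    never a reset, which is what a firewall silently dropping packets looks like."""
    def fake(family: int, sockaddr: tuple, timeout: float):
        if family in blocked_families:
            raise socket.timeout(f"no answer from {sockaddr} within {timeout}s")
        return (family, sockaddr)
    return fake

# Constructed resolver answer for a dual-stack server (documentation ranges).
DUAL_STACK_ADDRS: List[Addr] = [
    (socket.AF_INET, ("192.0.2.10", 80)),
    (socket.AF_INET6, ("2001:db8::10", 80, 0, 0)),
]

SERVER_STATES = (
    ("both_up", set()),
    ("v6_blackholed", {socket.AF_INET6}),
    ("v4_blackholed", {socket.AF_INET}),
)

def family_name(family: int) -> str:
    return "IPv6" if family == socket.AF_INET6 else "IPv4"

def run_three_state_test(client: Callable = connect_with_fallback,
                         addrs: List[Addr] = DUAL_STACK_ADDRS) -> Dict[str, Optional[str]]:
    """Which family the client ended up on in each state; None means it failed."""
    results: Dict[str, Optional[str]] = {}
    for name, blocked in SERVER_STATES:
        try:
            family, _ = client(addrs, make_fake_connect(blocked), 1.0)
            results[name] = family_name(family)
        except OSError:
            results[name] = None
    return results

if __name__ == "__main__":
    print("fallback client:", run_three_state_test())
    print("first-only client:", run_three_state_test(client=connect_first_only))
```

A client that passes all three states is slow but functional in the blackholed cases; the first-only client fails outright when IPv6 is blocked, which is the user-visible error the thread complains about.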



Re: 23,000 IP addresses

2011-05-10 Thread Daniel Staal

--As of May 10, 2011 9:37:55 AM -0400, Jon Lewis is alleged to have said:


I wonder how things go if you challenge them in court.  This is surely a
topic for another list, but it seems to me it'd be fairly difficult to
prove unless they downloaded part of the movie from your IP and verified
that what they got really was a part of the movie.  If they're going
after any IP that connected to and downloaded from an agent of the studio
(and that's what it sounds like) who hosted the file, can they really
expect to prosecute people for downloading something they were giving
away?


--As for the rest, it is mine.

Typically the response (from what media coverage I've read) is that they'll 
put up a token defense to see if you are really interested, and then drop 
it at the first opportunity if you continue.  Keeping them in court once 
they have dropped the prosecution is tricky, and they will resist that with 
all available resources.


Actually paying court costs and spending billable time on these cuts into 
their business model.


Daniel T. Staal

---
This email copyright the author.  Unless otherwise noted, you
are expressly allowed to retransmit, quote, or otherwise use
the contents for non-commercial purposes.  This copyright will
expire 5 years after the author's death, or in 30 years,
whichever is longer, unless such a period is in excess of
local copyright law.
---



Re: Yahoo and IPv6

2011-05-10 Thread Jason Fesler
Of course I'm assuming individual participants will do stuff, but that 
doesn't change that this IPv6 day as it stands now is a one-off event,

not the first step towards the Ultimate Goal.


The intent is to get folks together after we digest the data, to talk 
about next steps.  Date is not yet picked.


I'm hoping we collectively prove there is no broken user problem.  I 
realistically expect we'll have another "v6d" - either as 24h, or as a 
roll-on-and-stick.   But, until we get through the day, and analyze the 
data, any decisions on what to do next are premature.


The NANOG following v6d should be interesting; I'm hoping a number of 
folks from both access and content are willing to share any early stats 
they have.




Re: Downstream Usage-BGP Communites

2011-05-10 Thread Richard A Steenbergen
On Tue, May 10, 2011 at 06:47:11PM -0400, Nick Olsen wrote:
> Ah, Sorry for the confusion. 
> We have a mutual agreement with AS100 (call it transit or peering) we send 
> them full routes, They send us full routes.
> AS100 is a transit customer of AS4323.
> I understand I would be at the mercy of how people have things setup. I do 
> know for a fact I'm not filtered by AS100 as I've already tested it.
> Thanks to everyone for the info so far.

Erm ok, well as long as you're a transit customer of AS100 (for some 
definition of transit customer), and they're a transit customer of 
AS4323, you should have no problems. This is completely different from 
"peering", when money changes hands communities get listened to. :)

-- 
Richard A Steenbergen    http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)



Re: Removal from mailing list

2011-05-10 Thread Ken Chase
On Tue, May 10, 2011 at 05:40:43PM -0500, Lyle Giese said:
>
>> Then some kids decided to take it over and discuss and trade commodore-64
>> juarez on it (and then, seeming to having a shred of clue, they were
>> harassed by others for help to get off the list) til we noticed and figured we
>> were abetting piracy, so we shut it down.
>>
>> Ah those were the days. (nods to old nm-listers, be ye out there.)
>>
>> /kc
>
> Yep, the good ole days...  Back then I started my business doing chip  
> level repairs on Commodore 64's.
>
> You know you can buy a C-64 now?  Someone bought the name and created a  
> PC in a case that looks identical to a C-64.

and runs a C64 emulator at 100x the speed of the original 64, meaning
the games are unplayable without a nullop routine :)

/kc

>
> Lyle Giese
> LCR Computer Services, Inc.
>

-- 
Ken Chase - k...@heavycomputing.ca skype:kenchase23 +1 416 897 6284 Toronto Canada
Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.



Re: Downstream Usage-BGP Communites

2011-05-10 Thread Nick Olsen
Ah, Sorry for the confusion. 
We have a mutual agreement with AS100 (call it transit or peering) we send 
them full routes, They send us full routes.
AS100 is a transit customer of AS4323.
I understand I would be at the mercy of how people have things setup. I do 
know for a fact I'm not filtered by AS100 as I've already tested it.
Thanks to everyone for the info so far.

Nick Olsen
Network Operations (855) FLSPEED  x106


 From: "Richard A Steenbergen" 
Sent: Tuesday, May 10, 2011 6:27 PM
To: "Nick Olsen" 
Subject: Re: Downstream Usage-BGP Communites

On Tue, May 10, 2011 at 05:52:39PM -0400, Nick Olsen wrote:
> Greetings NANOG,
> Was hoping to gain some insight into common practice with using BGP 
> Communities downstream.
> 
> For instance:
> We peer with AS100 (example)
> AS100 peers with TW Telecom (AS4323).
> Since I happen to know that AS100 doesn't sanitize the communities I send 
> with my routes. I can take advantage of TW Telecom's BGP communities for 
> traffic engineering. Such as 4323:666 (Keep in TWTC Backbone). Would this 
> be something that is generally frowned upon? Still under the assumption 
> that the communities aren't scrubbed off my routes. Could I do this with 
> other AS's beyond TW Telecom? Such as TW's peering with Global Crossing 
> (AS3549)?

Well first off, if you're using the words "peers with" in the normal 
sense, your routes would never propagate to AS4323 in the first place. 
Assuming what you actually mean is that at least one of those sessions 
is a transit feed, essentially all (non-stupid) networks will filter 
their own TE communities from their transits/peers, so the odds of this 
working are almost non-existent.

You also have about a 50/50 shot of AS100 stripping your communities 
before they even make it to AS4323 (or any other network). Personally my 
belief is that this is a bad thing, and you should only filter 
communities in your own name-space (i.e. $YOURASN:*), but this doesn't 
stop a large number of obnoxious networks from doing it anyways. :)

-- 
Richard A Steenbergen    http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
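A toy model of the propagation question Nick asks and the two answers Richard gives (own TE communities are honoured from transit customers and ignored from peers or transits; some intermediate networks scrub every community outside their own namespace). This is an added example, not code from the thread: the per-AS policies, the 65000 placeholder ASN for Nick and the 192.0.2.0/24 prefix are constructed.

```python
"""Toy model of what happens to a TE community on the path in the thread,
Nick -> AS100 -> AS4323: communities from customers are honoured, own TE
communities arriving from peers or transits are dropped, and some networks
scrub every community outside their own namespace. Added example; the
policies and ASN 65000 for Nick are constructed, not any network's config."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

@dataclass
class Route:
    prefix: str
    as_path: List[int]
    communities: Set[str] = field(default_factory=set)

@dataclass
class AsPolicy:
    asn: int
    customers: Set[int]                       # ASNs this network sells transit to
    scrub_foreign: bool = False               # drop communities outside own namespace
    te_actions: Dict[str, str] = field(default_factory=dict)  # own TE communities

    def is_own(self, community: str) -> bool:
        return community.startswith(f"{self.asn}:")

    def receive(self, route: Route, from_asn: int) -> Tuple[Route, List[str]]:
        """Inbound policy: the route as stored, plus the TE actions it triggered."""
        comms = set(route.communities)
        actions: List[str] = []
        if from_asn in self.customers:
            # "when money changes hands communities get listened to"
            actions = [self.te_actions[c] for c in sorted(comms)
                       if self.is_own(c) and c in self.te_actions]
        else:
            # own TE communities from a peer/transit are ignored and removed
            comms = {c for c in comms if not self.is_own(c)}
        if self.scrub_foreign:
            # the opposite of the "only filter your own namespace" advice
            comms = {c for c in comms if self.is_own(c)}
        return Route(route.prefix, [from_asn] + route.as_path, comms), actions

def propagate(route: Route, origin_asn: int, hops: List[AsPolicy]):
    """Hand the route to each AS in turn, recording the TE actions each took."""
    taken: Dict[int, List[str]] = {}
    prev = origin_asn
    for policy in hops:
        route, actions = policy.receive(route, prev)
        taken[policy.asn] = actions
        prev = policy.asn
    return route, taken

NICK = 65000  # constructed placeholder ASN for the original poster

def scenario(as100_scrubs: bool, as100_is_twtc_customer: bool = True):
    """Nick tags a prefix with 4323:666 and hands it to AS100; returns the
    communities left on the route at AS4323 and the actions taken per AS."""
    as100 = AsPolicy(100, customers={NICK}, scrub_foreign=as100_scrubs)
    twtc = AsPolicy(4323, customers={100} if as100_is_twtc_customer else set(),
                    te_actions={"4323:666": "keep in TWTC backbone"})
    announced = Route("192.0.2.0/24", [], {"4323:666", "100:1"})  # RFC 5737 prefix
    final, actions = propagate(announced, NICK, [as100, twtc])
    return sorted(final.communities), actions

if __name__ == "__main__":
    for scrubs, cust in ((False, True), (True, True), (False, False)):
        print(f"AS100 scrubs={scrubs}, AS100 is TWTC customer={cust}:",
              scenario(scrubs, cust))
```

Only the transparent-AS100-plus-customer-session case ends with AS4323 acting on 4323:666; scrubbing at AS100 or a peering session into AS4323 both leave the community without effect.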



Re: Removal from mailing list

2011-05-10 Thread Lyle Giese



Then some kids decided to take it over and discuss and trade commodore-64
juarez on it (and then, seeming to having a shred of clue, they were
harassed by others for help to get off the list) til we noticed and figured we
were abetting piracy, so we shut it down.

Ah those were the days. (nods to old nm-listers, be ye out there.)

/kc


Yep, the good ole days...  Back then I started my business doing chip 
level repairs on Commodore 64's.


You know you can buy a C-64 now?  Someone bought the name and created a 
PC in a case that looks identical to a C-64.


Lyle Giese
LCR Computer Services, Inc.




Re: Downstream Usage-BGP Communites

2011-05-10 Thread Justin M. Streiner

On Tue, 10 May 2011, Nick Olsen wrote:


Was hoping to gain some insight into common practice with using BGP
Communities downstream.


Generally, the transitive BGP attribute you have the most direct control 
over is AS_PATH, though it's not impossible for a provider to munge the 
AS_PATH on routes they receive from their transits and peers, beyond your 
control.


Some providers might have communities that let you pass things along to 
their transit providers and peers, or influence traffic patterns / route 
propagation.


For example, if I buy transit from ISP X, and they get transit from 
Level3 and Sprint, they might offer a community that lets me selectively 
prepend to Sprint (or Level3), I can affect how traffic flows to my 
network.  In your example, AS100 might have a community that you can 
set on your announcements that will cause them to set 4323:666 on that 
prefix when it's passed to TWTC.  If they don't offer a community, then 
doing what you're looking for would require one of their network people to 
put something manual in place.  Many large networks don't like to (or 
won't) do that because one-off requests don't scale very well, and it can 
add complexity when troubleshooting a connectivity problem, or when 
someone fat-fingers an access-list/distribute-list/prefix-list.


This varies greatly, based on the level of control your direct BGP 
neighbors are willing or able to offer to you.  Also, in general, the 
farther away a network is from you (in terms of AS hops), the less likely 
you are to have control over how they propagate and act upon your 
announcements.


jms



Re: Downstream Usage-BGP Communites

2011-05-10 Thread Richard A Steenbergen
On Tue, May 10, 2011 at 05:52:39PM -0400, Nick Olsen wrote:
> Greetings NANOG,
> Was hoping to gain some insight into common practice with using BGP 
> Communities downstream.
> 
> For instance:
> We peer with AS100 (example)
> AS100 peers with TW Telecom (AS4323).
> Since I happen to know that AS100 doesn't sanitize the communities I send 
> with my routes. I can take advantage of TW Telecom's BGP communities for 
> traffic engineering. Such as 4323:666 (Keep in TWTC Backbone). Would this 
> be something that is generally frowned upon? Still under the assumption 
> that the communities aren't scrubbed off my routes. Could I do this with 
> other AS's beyond TW Telecom? Such as TW's peering with Global Crossing 
> (AS3549)?

Well first off, if you're using the words "peers with" in the normal 
sense, your routes would never propagate to AS4323 in the first place. 
Assuming what you actually mean is that at least one of those sessions 
is a transit feed, essentially all (non-stupid) networks will filter 
their own TE communities from their transits/peers, so the odds of this 
working are almost non-existent.

You also have about a 50/50 shot of AS100 stripping your communities 
before they even make it to AS4323 (or any other network). Personally my 
belief is that this is a bad thing, and you should only filter 
communities in your own name-space (i.e. $YOURASN:*), but this doesn't 
stop a large number of obnoxious networks from doing it anyways. :)

-- 
Richard A Steenbergen       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
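The filtering rule Richard describes (only touch communities in your own namespace, and never honour them from transits or peers), as an added example that is not code from this thread: a small Python model of that inbound policy plus the standard valley-free export rule, run over the AS100 / AS4323 arrangement from Nick's question. AS64496 and every community value other than 4323:666 are constructed for illustration.

```python
"""Added example, not code from the thread: a small model of the inbound
community policy Richard describes (filter only $YOURASN:*, delete it on
transit/peer sessions, pass everything else through) plus the usual
valley-free export rule, to show when 4323:666 does or does not reach
AS4323.  AS100 and 4323:666 come from the thread; AS64496 and every other
community value are constructed for illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Session(Enum):
    """How an AS classifies the neighbour it learned a route from."""
    CUSTOMER = "customer"
    PEER = "peer"
    TRANSIT = "transit"


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple[int, ...]
    communities: frozenset[str]


@dataclass(frozen=True)
class Hop:
    asn: int
    learned_from: Session                      # relation to previous hop
    customer_te: frozenset[str] = frozenset()  # documented customer knobs
    scrub_everything: bool = False             # the "obnoxious" variant


def community_asn(community: str) -> int:
    """ASN half of a standard 'ASN:value' community."""
    return int(community.split(":", 1)[0])


def inbound_policy(route: Route, hop: Hop) -> Route:
    """Namespace-scoped community filter applied by `hop` on receipt:
    other networks' communities pass through untouched; our own are
    honoured only from customers and only if documented, and are deleted
    on transit/peer sessions so nobody but a customer can trigger our TE."""
    if hop.scrub_everything:                   # kills transitivity outright
        return Route(route.prefix, route.as_path, frozenset())
    kept = set()
    for comm in route.communities:
        if community_asn(comm) != hop.asn:
            kept.add(comm)                     # not ours: leave it alone
        elif hop.learned_from is Session.CUSTOMER and comm in hop.customer_te:
            kept.add(comm)                     # agreed customer community
        # else: our namespace but not permitted on this session -> dropped
    return Route(route.prefix, route.as_path, frozenset(kept))


def exports_to(learned_from: Session, next_hop: Hop) -> bool:
    """Valley-free export: routes learned from peers/transits go only to
    our customers (neighbours that regard us as their transit)."""
    return (learned_from is Session.CUSTOMER
            or next_hop.learned_from is Session.TRANSIT)


def propagate(route: Route, hops: list[Hop]) -> Optional[Route]:
    """Push an announcement along a chain of ASes, applying each one's
    inbound policy and export rule; None if it never reaches the end."""
    current = route
    for i, hop in enumerate(hops):
        current = inbound_policy(current, hop)
        if i + 1 == len(hops):
            return current
        if not exports_to(hop.learned_from, hops[i + 1]):
            return None
        current = Route(current.prefix, (hop.asn,) + current.as_path,
                        current.communities)
    return None


# Constructed scenario: AS64496 (Nick's role) tags a prefix with TWTC's
# 4323:666 and hopes AS100 carries it to AS4323 unmodified.
ORIGIN = Route("192.0.2.0/24", (64496,), frozenset({"4323:666", "64496:100"}))
TWTC_TE = frozenset({"4323:666"})
CASES = {
    # AS64496 is AS100's customer; AS100 is AS4323's transit customer
    "customer_chain": [Hop(100, Session.CUSTOMER),
                       Hop(4323, Session.CUSTOMER, TWTC_TE)],
    # AS100 merely peers with AS4323: TE community deleted on a peer session
    "as100_peers_with_twtc": [Hop(100, Session.CUSTOMER),
                              Hop(4323, Session.PEER, TWTC_TE)],
    # "peers with" in the normal sense on both links: never exported at all
    "peer_to_peer": [Hop(100, Session.PEER), Hop(4323, Session.PEER, TWTC_TE)],
    # AS100 scrubs everything before re-advertising
    "as100_scrubs_all": [Hop(100, Session.CUSTOMER, scrub_everything=True),
                         Hop(4323, Session.CUSTOMER, TWTC_TE)],
}


def scenarios() -> dict:
    """Communities AS4323 ends up holding under each neighbour arrangement."""
    results = {name: propagate(ORIGIN, hops) for name, hops in CASES.items()}
    return {n: (None if r is None else r.communities) for n, r in results.items()}
```

Only the customer-to-customer chain delivers 4323:666 intact; a peer session at AS4323 deletes it, a peer-to-peer path never carries the route there at all, and a scrub-everything AS100 loses every community, including the downstream's own.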



Re: Removal from mailing list

2011-05-10 Thread Ken Chase
On Tue, May 10, 2011 at 02:48:51PM -0700, Michael J Wise said:
  >
  >> Can I please get taken off all nanog mailing list.
  >
  >Some email programs will spell it out, but ...
  >In the full headers, we see this:
  >
  >List-Unsubscribe: ,
  > 

Oh god how did this get here? I am not good with computers.

Shouldn't getting on the list be a lot harder than getting off? Skill
testing questions?

20 years ago, when we were young whippersnappers on nm-list ('new
[forms of] music' list), we had much spam of this type, so we'd manually unsub
them, then sub them to 'blackhole-list', which had a very clear daily email of
instructions of how to get off the list.

That didn't help.

Some people still posting, even daily, to that list, asking to be taken off...
sometimes arguing with each other, even to the point of flame wars (!) - others
even cooperating on trying to figure it out once and for all. Like a bunch of
drunken sheep bouncing off each other in a pen with the gate wide open, but no
one ever bounces into the right spot for escape...

Then some kids decided to take it over and discuss and trade commodore-64
juarez on it (and then, seeming to having a shred of clue, they were
harassed by others for help to get off the list) til we noticed and figured we
were abetting piracy, so we shut it down.

Ah those were the days. (nods to old nm-listers, be ye out there.)

/kc
-- 
Ken Chase - k...@heavycomputing.ca skype:kenchase23 +1 416 897 6284 Toronto Canada
Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.



Re: Downstream Usage-BGP Communites

2011-05-10 Thread Michael Hallgren
On Tuesday, 10 May 2011 at 17:52 -0400, Nick Olsen wrote:
> Greetings NANOG,
> Was hoping to gain some insight into common practice with using BGP 
> Communities downstream.
> 
> For instance:
> We peer with AS100 (example)
> AS100 peers with TW Telecom (AS4323).
> Since I happen to know that AS100 doesn't sanitize the communities I send 
> with my routes. I can take advantage of TW Telecom's BGP communities for 
> traffic engineering. Such as 4323:666 (Keep in TWTC Backbone). Would this 
> be something that is generally frowned upon? Still under the assumption 
> that the communities aren't scrubbed off my routes. Could I do this with 
> other AS's beyond TW Telecom? Such as TW's peering with Global Crossing 
> (AS3549)?

It's quite common, in my experience, that we remove (or at least filter;
usually looking at geo-origin ones only) BGP community values from peers
and filter them (modulo some set of agreed ones) from customers. 

In other words, don't generally expect transitivity.

mh

> 
> Nick Olsen
> Network Operations (855) FLSPEED  x106
> 
>  





Downstream Usage-BGP Communites

2011-05-10 Thread Nick Olsen
Greetings NANOG,
Was hoping to gain some insight into common practice with using BGP 
Communities downstream.

For instance:
We peer with AS100 (example)
AS100 peers with TW Telecom (AS4323).
Since I happen to know that AS100 doesn't sanitize the communities I send 
with my routes. I can take advantage of TW Telecom's BGP communities for 
traffic engineering. Such as 4323:666 (Keep in TWTC Backbone). Would this 
be something that is generally frowned upon? Still under the assumption 
that the communities aren't scrubbed off my routes. Could I do this with 
other AS's beyond TW Telecom? Such as TW's peering with Global Crossing 
(AS3549)?

Nick Olsen
Network Operations (855) FLSPEED  x106

 


Re: Removal from mailing list

2011-05-10 Thread Michael J Wise

> Can I please get taken off all nanog mailing list.

Some email programs will spell it out, but ...
In the full headers, we see this:

List-Unsubscribe: ,
 

Aloha mai Nai`a.
-- 
" So this is how Liberty dies ...
" To Thunderous Applause.





Re: Yahoo and IPv6

2011-05-10 Thread Scott Whyte
On Tue, May 10, 2011 at 13:58, Iljitsch van Beijnum  wrote:
> On 10 May 2011, at 22:31, Warren Kumari wrote:
>
>>> :: I applaud the first step, but I'm bothered by the fact that no second 
>>> step is planned.
>
>> Igor is right on both counts here -- 0.05% is definitely noticeable at these 
>> sorts of scale,
>
> Ok, removed my inflammatory reply. But tell me how 0.05% is visible in the 
> up/down motions of traffic as it starts raining, there is something 
> especially good/bad on TV, people have to reboot because of a Windows update 
> or whatever.

It's the delta between v4 and v6 that is visible and significant.  If
some machine's addresses are all down hard, that is no problem in this
scenario.

-Scott



Removal from mailing list

2011-05-10 Thread Mitchell Manning
Can I please get taken off all nanog mailing list.

 

Thanks,

 

Mitch



Re: Yahoo and IPv6

2011-05-10 Thread Iljitsch van Beijnum
On 10 May 2011, at 22:31, Warren Kumari wrote:

>> :: I applaud the first step, but I'm bothered by the fact that no second 
>> step is planned.

> Igor is right on both counts here -- 0.05% is definitely noticeable at these 
> sorts of scale,

Ok, removed my inflammatory reply. But tell me how 0.05% is visible in the 
up/down motions of traffic as it starts raining, there is something especially 
good/bad on TV, people have to reboot because of a Windows update or whatever.

Earlier today I tracerouted the top 1000 websites as per Alexa. I couldn't 
resolve the DNS for 6 of them. The internet is never 100% up.

> I'm also a little surprised that you figured that there were no plans past 
> the event -- much of the point of this is for data gathering -- did you 
> figure folk were just going to gather the data and then ignore it?

I asked the ISOC press people about this after they sent me their press release 
but they never replied (they may have replied to my message but not with an 
answer to the question). There is nothing on the ISOC site that mentions 
anything happening after june 8.

Of course I'm assuming individual participants will do stuff, but that doesn't 
change that this IPv6 day as it stands now is a one-off event, not the first 
step towards the Ultimate Goal.


Re: 23,000 IP addresses

2011-05-10 Thread Bill Bogstad
On Tue, May 10, 2011 at 4:31 PM, Steven Bellovin  wrote:

>>
>>
> If I've found the right case, it was 05-1404, and published as 451 F.3d 226 (2006);
> see http://law.justia.com/cases/federal/appellate-courts/F3/451/226/627290/
> I have no idea if it's still good law.

According to EDUCAUSE the appellate decision was complex:

http://www.educause.edu/Policy+Analysis+%26+Advocacy/PressReleases/CALEACourtDecisionMixedforHigh/17136

This status page indicates that 'most' campus networks would be exempt:

http://www.educause.edu/Resources/Browse/CALEA/30781

Definitely a case of 'talk to your lawyers' to be sure.

Bill Bogstad
bogs...@pobox.com



Re: 23,000 IP addresses

2011-05-10 Thread Steven Bellovin

On May 10, 2011, at 3:51:32 PM, Michael Holstein wrote:

> 
>> In the US, I believe that CALEA requires you to have those records for 7 
>> years.
>> 
> 
> No, it doesn't (records *of the requests* are required, but no
> obligation to create subscriber records exists).
> 
> Even if it did .. academic institutions are exempt (to CALEA) as private
> networks.*
> 
> There are various legislative attempts afoot to create one here in the
> US .. but none have passed.
> 
> Regards,
> 
> Michael Holstein
> Information Security Administrator
> Cleveland State University
> 
> (*): US Court of Appeals, District of Columbia, 50-1504.
> 
> 
If I've found the right case, it was 05-1404, and published as 451 F.3d 226 (2006);
see http://law.justia.com/cases/federal/appellate-courts/F3/451/226/627290/
I have no idea if it's still good law.
> 


--Steve Bellovin, https://www.cs.columbia.edu/~smb








Re: Yahoo and IPv6

2011-05-10 Thread Warren Kumari

On May 10, 2011, at 12:37 PM, Igor Gashinsky wrote:

> On Tue, 10 May 2011, Iljitsch van Beijnum wrote:
> 
> :: On 9 May 2011, at 21:40, Tony Hain wrote:
> :: 
> :: >> Publicly held corporations are responsible to their shareholders to get
> :: >> eyeballs on their content. *That* is their job, not promoting cool new
> :: >> network tech. When you have millions of users hitting your site every
> :: >> day losing 1/2000 is a large chunk of revenue.
> :: 
> :: Nonsense. 0.05% is well below the noise margin for anything that involves 
> :: humans.
> 
> I assure you, it is not. 0.005% might be "in the noise", but 0.05% is 
> quite measurable given a large enough audience.
> 
> :: >> The fact that the big
> :: >> players are doing world IPv6 day at all should be celebrated, promoted,
> :: >> and we should all be ready to take to heart the lessons learned from
> :: >> it.
> :: 
> :: I applaud the first step, but I'm bothered by the fact that no second step 
> :: is planned.
> 
> Just because it's not public, doesn't mean that it hasn't been planned :)
> 
> Most of us want to see the data that we get from the first step, before 
> making the decision on which second step to take, I'm sure most people 
> can understand that.


Argck, I cannot believe that I am going to do this, let alone publicly, but 
here goes...

Igor is right on both counts here -- 0.05% is definitely noticeable at these 
sorts of scale, and I'd be shocked if Yahoo didn't have a set of alerts that 
fire if projections differ from actual traffic by this amount. I'm also a 
little surprised that you figured that there were no plans past the event -- 
much of the point of this is for data gathering -- did you figure folk were 
just going to gather the data and then ignore it?

Ok, that fully used up my "agreeing with Igor" quota for the year...

W

> 
> -igor
> 




Re: 23,000 IP addresses

2011-05-10 Thread Kevin Oberman
> Date: Tue, 10 May 2011 15:51:32 -0400
> From: Michael Holstein 
> 
> 
> > In the US, I believe that CALEA requires you to have those records for 7 
> > years.
> >   
> 
> No, it doesn't (records *of the requests* are required, but no
> obligation to create subscriber records exists).
> 
> Even if it did .. academic institutions are exempt (to CALEA) as private
> networks.*
> 
> There are various legislative attempts afoot to create one here in the
> US .. but none have passed.

There is a great deal of uncertainty about the issue of academic
institutions being exempt. I know that the opinion of the
University of California's Counsel was that the wording in the last
CALEA update a few years ago removed that exemption and a representative
of the FBI, speaking on CALEA requirements, was explicit in saying that
they were not exempt. (Of course, that would be the FBI's position.)

In any case, get your own legal opinion about this. Don't rely on NANOG
for legal advice.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ober...@es.net  Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751



Re: 23,000 IP addresses

2011-05-10 Thread Claudio Lapidus
Hello,

On Tue, May 10, 2011 at 4:02 PM, Owen DeLong  wrote:

>  In the US, I believe that CALEA requires you to have those records for 7
> years.
>
FWIW, in Argentina there is a requirement to hold all records for a full ten
years. A sweet bite for the storage folks here...

regards,
cl.


Re: 23,000 IP addresses

2011-05-10 Thread Michael Holstein

> In the US, I believe that CALEA requires you to have those records for 7 
> years.
>   

No, it doesn't (records *of the requests* are required, but no
obligation to create subscriber records exists).

Even if it did .. academic institutions are exempt (to CALEA) as private
networks.*

There are various legislative attempts afoot to create one here in the
US .. but none have passed.

Regards,

Michael Holstein
Information Security Administrator
Cleveland State University

(*): US Court of Appeals, District of Columbia, 50-1504.




Re: 23,000 IP addresses

2011-05-10 Thread Justin M. Streiner

On Tue, 10 May 2011, Owen DeLong wrote:

In the US, I believe that CALEA requires you to have those records for 
7 years.


Some universities have taken the position that they do not meet the 
criteria for being "communications service providers" under CALEA, and 
therefore not subject to the intercept and data retention requirements. 
Whether or not that has been tested in court yet, I don't 
know.


jms



Re: 23,000 IP addresses

2011-05-10 Thread Kevin Oberman
> From: Owen DeLong 
> Date: Tue, 10 May 2011 12:02:33 -0700
> 
> On May 10, 2011, at 11:49 AM, Michael Holstein wrote:
> 
> > 
> >> In the EU you have Directive 2006/24/EC:
> >> 
> > 
> > But I'm not, and neither are most of the ISPs in the linked document.
> > 
> > Regards,
> > 
> > Michael Holstein
> > Information Security Administrator
> > Cleveland State University
> 
> In the US, I believe that CALEA requires you to have those records for
> 7 years.

Owen,

Afraid not. As of this time there are no data retention requirements in
CALEA. There is a proposal to add data retention to CALEA this year, but
I can't even find anything indicating the legislation has been
introduced.

According to an article in the NY Times last fall, the FBI will be asking
for several new tools in CALEA that include data retention requirements,
requiring P2P software to allow intercept and requiring that providers
doing encryption (e.g. Blackberry) provide the ability for the
government to decrypt the data. I don't know that legislation has
actually been introduced, though.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ober...@es.net  Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751



Re: 23,000 IP addresses

2011-05-10 Thread Steven Bellovin

On May 10, 2011, at 3:02:33 PM, Owen DeLong wrote:

> 
> On May 10, 2011, at 11:49 AM, Michael Holstein wrote:
> 
>> 
>>> In the EU you have Directive 2006/24/EC:
>>> 
>> 
>> But I'm not, and neither are most of the ISPs in the linked document.
>> 
>> Regards,
>> 
>> Michael Holstein
>> Information Security Administrator
>> Cleveland State University
> 
> In the US, I believe that CALEA requires you to have those records for 7 
> years.
> 
Source, please -- I've never heard of this, nor can I find anything like it
at askcalea.com.  All I've found is that you have to keep records of 
*interceptions*.  I've also seen numerous news stories about how the FBI
wants that to be added to the law, thus implying that it isn't there now.
See, for example, http://news.cnet.com/8301-13578_3-10448060-38.html


--Steve Bellovin, https://www.cs.columbia.edu/~smb








Gas Company?

2011-05-10 Thread Santino Codispoti
I know this is a bit of an odd request but does anyone on the list
work at a Gas company such as BP or Mobil?



Re: .io registrar

2011-05-10 Thread Jeff Blaum
Moniker.com ftw

On Tue, May 10, 2011 at 11:19 AM, Jeremy Kister
wrote:

> Does anyone know of a competent .io registrar who charges in the <= $75/yr
> area ?
>
> I've been using tierra.net (domaindiscover.com) but they continually break
> my domains.
>
> this year, although their website says my domain expires 4/2012, my domain
> stopped working today.  the .io servers aren't serving records, and 
> nic.io says the domain expired 4/8/2011.
>
> i got a hold of them this morning got a ticket -- but after 4 hours still
> no response.
>
>
> also, although nic.io lists a bunch of .io registrars, when I called them
> they almost all say "we don't register .io" :D
>
>
> --
>
> Jeremy Kister
> http://jeremy.kister.net./
>
>


Re: 23,000 IP addresses

2011-05-10 Thread Owen DeLong

On May 10, 2011, at 11:49 AM, Michael Holstein wrote:

> 
>> In the EU you have Directive 2006/24/EC:
>> 
> 
> But I'm not, and neither are most of the ISPs in the linked document.
> 
> Regards,
> 
> Michael Holstein
> Information Security Administrator
> Cleveland State University

In the US, I believe that CALEA requires you to have those records for 7 years.

Owen




Re: .io registrar

2011-05-10 Thread Niall Kearney
Although it's not in your price range, I've found blacknight.ie to be reliable
for registering domains and they do .io, but for 80 euro a year. If the
currency rates change it could be more viable for you.
On May 10, 2011 7:20 p.m., "Jeremy Kister" 
wrote:
> Does anyone know of a competent .io registrar who charges in the <=
> $75/yr area ?
>
> I've been using tierra.net (domaindiscover.com) but they continually
> break my domains.
>
> this year, although their website says my domain expires 4/2012, my
> domain stopped working today. the .io servers aren't serving records,
> and nic.io says the domain expired 4/8/2011.
>
> i got a hold of them this morning got a ticket -- but after 4 hours
> still no response.
>
>
> also, although nic.io lists a bunch of .io registrars, when I called
> them they almost all say "we don't register .io" :D
>
>
> --
>
> Jeremy Kister
> http://jeremy.kister.net./
>


Re: Fwd: 23,000 IP addresses

2011-05-10 Thread Michael Holstein

> In the EU you have Directive 2006/24/EC:
>   

But I'm not, and neither are most of the ISPs in the linked document.

Regards,

Michael Holstein
Information Security Administrator
Cleveland State University



Re: 23,000 IP addresses

2011-05-10 Thread Steven Bellovin

On May 10, 2011, at 2:10:10 PM, Wil Schultz wrote:

> On May 10, 2011, at 10:56 AM, Steven Bellovin wrote:
> 
>> 
>> On May 10, 2011, at 9:07:11 AM, Marshall Eubanks wrote:
>> 
>> 
>> Has anyone converted that file to some useful format like ASCII?  You know
>> -- something greppable?
>> 
> 
> I've converted it to ascii, but I don't have a place to host it.
> 
> I can send to anyone that would like it.
> 

Thanks.  I've uploaded it as https://www.cs.columbia.edu/~smb/23000.txt.gz and
https://www.cs.columbia.edu/~smb/23000-clean.txt.gz ; the latter has page breaks,
headers, etc., stripped out; nothing but data.

--Steve Bellovin, https://www.cs.columbia.edu/~smb








Re: Yahoo and IPv6

2011-05-10 Thread Owen DeLong

On May 10, 2011, at 9:32 AM, Igor Gashinsky wrote:

> On Tue, 10 May 2011, valdis.kletni...@vt.edu wrote:
> 
> :: On Tue, 10 May 2011 02:17:46 EDT, Igor Gashinsky said:
> :: 
> :: > The time for finger-pointing is over, period, all we are all trying to 
> :: > do now is figure out how to deal with the present (sucky) situation. The 
> :: > current reality is that for a non-insignificant percentage of users when 
> :: > you enable dual-stack, they are going to drop off the face of the planet. 
> :: > Now, for *you*, 0.026% may be insignificant (and, standalone, that 
> :: > number is insignificant), but for a global content provider that has 
> :: > ~700M users, that's 182 *thousand* users that *you*, *through your 
> :: > actions* just took out.. 182,000 - that is *not* insignificant
> :: 
> :: At any given instant, there's a *lot* more than 182,000 users who are cut 
> :: off due to various *IPv4* misconfigurations and issues.
> 
> Yes, but *these* 182,000 users have perfectly working ipv4 connectivity, 
> and you are asking *me* to break them through *my* actions. Sorry, that's 
> simply too many to break for me, without a damn good reason to do so.
> 
In other words, Igor can't turn on  records generally until there are
182,001 IPv6-only users that are broken from his lack of  records.

Given IP address consumption rates in Asia and the lack of available IPv4
resources in Asia, with a traditional growth month to month of nearly
30 million IPv4 addresses consumed, I suspect it will not be long before
the 182,001 broken IPv6 users become relevant.

> Doing that on world ipv6 day, when there is a lot of press, and most other 
> large content players doing the same, *is* a good reason - it may actually 
> have a shot of accomplishing some good, since it may get those users to 
> realize that they are broken, and fix their systems, but outside of flag 
> day, if I enabled  by default for all users, all I'm going to do is 
> send those "broken" users to my competitors who chose not to enable  
> on their sites. 
> 
Agreed. I think IPv6 day is a great plan for this very reason. I also hope that
a lot of organizations that try things out on IPv6 day will decide that the
brokenness that has been so hyped wasn't actually noticeable and then
leave their  records in place. I do not expect Yahoo or Google to
be among them, but, hopefully a lot of other organizations will do so.

> This is why I think automatic, measurement-based whitelisting/blacklisting 
> to minimize the collateral damage of enabling  is going to be 
> inevitable (with the trigger set to something around 99.99%), and about 
> the only way we see wide-scale IPv6 adoption by content players, outside 
> events like world ipv6 day.
> 
This will be interesting. Personally, I think it will be more along the lines
of when there are more IPv6 only eye-balls with broken IPv4 than there
are IPv4 eye-balls with broken IPv6,  will become the obvious
solution.

In my opinion, this is just a matter of time and will happen much sooner than
I think most people anticipate.


Owen




.io registrar

2011-05-10 Thread Jeremy Kister
Does anyone know of a competent .io registrar who charges in the <= 
$75/yr area ?


I've been using tierra.net (domaindiscover.com) but they continually 
break my domains.


this year, although their website says my domain expires 4/2012, my 
domain stopped working today.  the .io servers aren't serving records, 
and nic.io says the domain expired 4/8/2011.


i got a hold of them this morning got a ticket -- but after 4 hours 
still no response.



also, although nic.io lists a bunch of .io registrars, when I called 
them they almost all say "we don't register .io" :D



--

Jeremy Kister
http://jeremy.kister.net./



Re: 23,000 IP addresses

2011-05-10 Thread Wil Schultz
On May 10, 2011, at 10:56 AM, Steven Bellovin wrote:

> 
> On May 10, 2011, at 9:07:11 AM, Marshall Eubanks wrote:
> 
> 
> Has anyone converted that file to some useful format like ASCII?  You know
> -- something greppable?
> 

I've converted it to ascii, but I don't have a place to host it.

I can send to anyone that would like it.

-wil 




Re: VPN tunnels between US and China dropping/slow

2011-05-10 Thread Thomas York
Yes. Every day at roughly 2AM EDT the latency climbs to 700ms+ with about 25% 
packet loss and fluctuates until about 6-7AM.

-- Thomas York

Joel Jaeggli  wrote:

>On 5/10/11 10:10 AM, Adam Rothschild wrote:
>> Realize also that China Telecom is congested both internally and on
>> certain peering interfaces.
>> 
>> While DPI is a likely culprit, be sure to not overlook a good
>> old-fashioned inability to manage capacity, combined with certain
>> hashing algorithms...
>
>if you're measuring the end-to-end path you'll likely see evidence of
>the latency climbing on a near daily cycle.
>
>my median rtt from the us east coast is 268ms sometimes it's north of
>370 with essentially the same loss properties.
>
>> -a
>> 
>


Re: 23,000 IP addresses

2011-05-10 Thread Steven Bellovin

On May 10, 2011, at 9:07:11 AM, Marshall Eubanks wrote:

> A Federal Judge has decided to let the "U.S. Copyright Group" subpoena ISPs 
> over 23,000 alleged downloads of some
> Sylvester Stallone movie I have never heard of; subpoenas are expected to go 
> out this week. 
> 
> I thought that there might be some interest in the list of these addresses :
> 
> http://www.wired.com/images_blogs/threatlevel/2011/05/expendibleipaddresses.pdf
> 
> If you have IP addresses on this list, expect to receive papers shortly. 

Has anyone converted that file to some useful format like ASCII?  You know
-- something greppable?

> 
> Here is more of the backstory :
> 
> http://www.wired.com/threatlevel/2011/05/biggest-bittorrent-case/
> 
> This is turning into quite a legal racket (get order $ 3000 for sending a 
> threatening letter); I expect to see a lot
> more of this until some sense returns to the legal system. 
> 
There's amazing slime behind some similar efforts -- in another case,
of people charged with downloading "Nude Nuns with Big Guns" (yes, you
read that correctly), there are two different that each claim the rights
to the movie and hence the right to sue (alleged) downloaders:
http://www.wired.com/threatlevel/2011/05/nude-nuns-brouhaha/

--Steve Bellovin, https://www.cs.columbia.edu/~smb








RE: 23,000 IP addresses

2011-05-10 Thread Deepak Jain
> A Federal Judge has decided to let the "U.S. Copyright Group" subpoena
> ISPs over 23,000 alleged downloads of some
> Sylvester Stallone movie I have never heard of; subpoenas are expected
> to go out this week.
> 
> I thought that there might be some interest in the list of these
> addresses :
> 
> http://www.wired.com/images_blogs/threatlevel/2011/05/expendibleipaddre
> sses.pdf

This will stop when an 80+ yr old is taken to court over a download her 8 year 
old grandkid might have made when visiting for the weekend. The media will make 
the case that technologists can't.

For examples, see the RIAA's attempts and more recently the criminal 
investigations of child porn downloads from unsecured access points. From what 
I understand (or wildly guess), ISPs with remote diagnostic capabilities 
are being asked if their provided access point is secure or unsecure BEFORE 
they serve their warrants to avoid further embarrassments. [It'll probably take 
another 6 months and more goofs before they realize that customers are 
perfectly capable of poorly installing their own access points behind ISP 
provided gear].

The torrent stuff is fundamentally no different in that a single IP can and is 
shared by lots of people as common practice and the transient nature of it 
(e.g. airport access point, starbucks, etc) reasonably makes the lawyer's case 
much, much harder. 

There is a real theft/crime here in many cases, but whether there is actually 
any value in prosecution of movie downloads will depend... but most likely, the 
outcome will be iMovies or similar and the movie industry will shrink the way 
the music industry has.

DJ



Re: VPN tunnels between US and China dropping/slow

2011-05-10 Thread Thomas York
I tried to tell my bosses that and I got a blank stare.

-- Thomas York

Adam Rothschild  wrote:

>Realize also that China Telecom is congested both internally and on
>certain peering interfaces.
>
>While DPI is a likely culprit, be sure to not overlook a good
>old-fashioned inability to manage capacity, combined with certain
>hashing algorithms...
>
>-a


Re: VPN tunnels between US and China dropping/slow

2011-05-10 Thread Joel Jaeggli
On 5/10/11 10:10 AM, Adam Rothschild wrote:
> Realize also that China Telecom is congested both internally and on
> certain peering interfaces.
> 
> While DPI is a likely culprit, be sure to not overlook a good
> old-fashioned inability to manage capacity, combined with certain
> hashing algorithms...

if you're measuring the end-to-end path you'll likely see evidence of
the latency climbing on a near daily cycle.

my median rtt from the us east coast is 268ms sometimes it's north of
370 with essentially the same loss properties.

> -a
> 




Re: VPN tunnels between US and China dropping/slow

2011-05-10 Thread Adam Rothschild
Realize also that China Telecom is congested both internally and on
certain peering interfaces.

While DPI is a likely culprit, be sure to not overlook a good
old-fashioned inability to manage capacity, combined with certain
hashing algorithms...

-a



Re: 23,000 IP addresses

2011-05-10 Thread Roland Perry
In article , Roland Perry  writes
>Attempts a bit like this have come unstuck in the UK. Search for
>"Davenport Lyons" and "ACS Law"

And this ruling (and fine) have appeared from the UK's privacy regulator
today (note especially that the fine would have been ~$300k if the
company was still trading):


-- 
Roland Perry



Re: Yahoo and IPv6

2011-05-10 Thread Igor Gashinsky
On Tue, 10 May 2011, Iljitsch van Beijnum wrote:

:: On 9 mei 2011, at 21:40, Tony Hain wrote:
:: 
:: >> Publicly held corporations are responsible to their shareholders to get
:: >> eyeballs on their content. *That* is their job, not promoting cool new
:: >> network tech. When you have millions of users hitting your site every
:: >> day losing 1/2000 is a large chunk of revenue.
:: 
:: Nonsense. 0.05% is well below the noise margin for anything that involves humans.

I assure you, it is not. 0.005% might be "in the noise", but 0.05% is 
quite measurable given a large enough audience.

:: >> The fact that the big
:: >> players are doing world IPv6 day at all should be celebrated, promoted,
:: >> and we should all be ready to take to heart the lessons learned from
:: >> it.
:: 
:: I applaud the first step, but I'm bothered by the fact that no second step is planned.

Just because it's not public, doesn't mean that it hasn't been planned :)

Most of us want to see the data that we get from the first step, before 
making the decision on which second step to take, I'm sure most people 
can understand that.

-igor



Re: Yahoo and IPv6

2011-05-10 Thread Igor Gashinsky
On Tue, 10 May 2011, valdis.kletni...@vt.edu wrote:

:: On Tue, 10 May 2011 02:17:46 EDT, Igor Gashinsky said:
:: 
:: > The time for finger-pointing is over, period, all we are trying to do 
:: > now is figure out how to deal with the present (sucky) situation. The 
:: > current reality is that for a non-insignificant percentage of users when 
:: > you enable dual-stack, they are going to drop off the face of the planet. 
:: > Now, for *you*, 0.026% may be insignificant (and, standalone, that number 
:: > is insignificant), but for a global content provider that has ~700M users, 
:: > that's 182 *thousand* users that *you*, *through your actions* just took 
:: > out.. 182,000 - that is *not* insignificant
:: 
:: At any given instant, there's a *lot* more than 182,000 users who are cut off
:: due to various *IPv4* misconfigurations and issues.

Yes, but *these* 182,000 users have perfectly working ipv4 connectivity, 
and you are asking *me* to break them through *my* actions. Sorry, that's 
simply too many to break for me, without a damn good reason to do so.

Doing that on world ipv6 day, when there is a lot of press, and most other 
large content players doing the same, *is* a good reason - it may actually 
have a shot of accomplishing some good, since it may get those users to 
realize that they are broken, and fix their systems, but outside of flag 
day, if I enabled AAAA by default for all users, all I'm going to do is 
send those "broken" users to my competitors who chose not to enable AAAA 
on their sites. 

This is why I think automatic, measurement-based whitelisting/blacklisting 
to minimize the collateral damage of enabling AAAA is going to be 
inevitable (with the trigger set to something around 99.99%), and about 
the only way we see wide-scale IPv6 adoption by content players, outside 
events like world ipv6 day.

-igor
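
Added example, not Yahoo's or anyone's production code from this thread: a measurement-based whitelist decision of the kind Igor describes, with the 99.99% trigger he mentions. The per-network counts are constructed and assumed to come from a dual-stack beacon (clients that fetch a v4-only object but not a dual-stack one count as broken); the Wilson lower bound is the added caveat that a trigger that strict needs a very large sample before a network can be whitelisted.

```python
import math

# Added illustration, not a content provider's whitelisting system. Counts per
# access network are assumed to come from a dual-stack beacon; every number
# below is constructed.

Z95 = 1.96  # normal quantile for a 95% two-sided interval


def wilson_lower(successes, failures, z=Z95):
    """Lower bound of the Wilson score interval for the true success rate."""
    n = successes + failures
    if n == 0:
        return 0.0
    p = successes / n
    centre = p + z * z / (2 * n)
    margin = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n))
    return (centre - margin) / (1 + z * z / n)


def should_whitelist(successes, failures, threshold=0.9999):
    """Whitelist only when the rate is demonstrated, not merely observed,
    above the threshold: ten perfect samples are no evidence of 99.99%."""
    return wilson_lower(successes, failures) >= threshold


def classify(measurements, threshold=0.9999):
    """measurements: {network: (working, broken)} -> {network: whitelist?}"""
    return {net: should_whitelist(ok, broken, threshold)
            for net, (ok, broken) in measurements.items()}


SAMPLE = {  # constructed per-network beacon counts
    "AS64500": (999970, 30),    # 99.997% working, well measured
    "AS64501": (999740, 260),   # 0.026% broken, the figure from the thread
    "AS64502": (10, 0),         # perfect score, far too few samples
}

if __name__ == "__main__":
    for net, (ok, broken) in SAMPLE.items():
        print(net, round(wilson_lower(ok, broken), 6), should_whitelist(ok, broken))
```

With the 0.026% breakage figure from the thread, a network stays blacklisted no matter how many samples it has; the small-sample network stays off the whitelist until enough beacons have been seen to prove the rate, which is the behaviour you want when the cost of a wrong whitelist entry is users dropping off the site.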



RE: L3 ECMP over links with different RTT

2011-05-10 Thread Rettke, Brian
Per flow is generally the best method, and allows the employ of CEF (or the 
equivalent).

I've done load balancing in this method, and in others I've configured 
active/standby for the reasons specified.  It depends on whether you need true 
link redundancy more than the latency will affect traffic.

Another option, of course, is to apply PBR to get your low latency queues to 
use the preferred link. I've done that as well, using EEM to remove the forced 
next hop if the interface drops.

Sincerely,

Brian A . Rettke
RHCT, CCDP, CCNP, CCIP
Network Engineer, CableONE Internet Services

-Original Message-
From: Iljitsch van Beijnum [mailto:iljit...@muada.com]
Sent: Tuesday, May 10, 2011 7:37 AM
To: Dikkema, Michael (Business Technology)
Cc: nanog@nanog.org
Subject: Re: L3 ECMP over links with different RTT

On 10 mei 2011, at 16:28, Dikkema, Michael (Business Technology) wrote:

> Is it foolish to build a L3 ECMP connection between 2 iBGP routers with one 
> of the links having a 50% longer RTT?

No problem at all as long as you don't do per-packet load balancing but 
something that makes sure a single flow only goes over a single link. There are 
many ways to skin that particular cat, best practice is based on the 5-tuple 
(source and dest addresses and ports and the protocol number) which will give 
you the best chance of having a similar load on both links as long as you have 
at least some 1000 flows at any given time. With less granular load balancing 
there's a much bigger risk that one link will be full and the other more or 
less idle unless you have very, very many flows. You may want to use VLANs so 
you can load balance some stuff as per the above and manually balance some 
other stuff to go over the faster link.



Re: 23,000 IP addresses

2011-05-10 Thread Marshall Eubanks

On May 10, 2011, at 10:08 AM, Roland Perry wrote:

> In article , chip 
>  writes
> 
>> Interesting, especially after this:
>> 
>> http://torrentfreak.com/ip-address-not-a-person-bittorrent-case-judge-says-110503/
> 
> It depends whether you are suing the subscriber or the downloader (maybe both 
> can be liable in some cases). Also whether the subscriber was running an open 
> Wifi (normally not recommended), which is a matter of evidential fact to be 
> explored in each particular case.
> 

And, perhaps most critically, which judge you come before. (It will take a 
while, and maybe a visit to the Supreme Court, before you can
expect legal consistency here.) 

Note also that these generally do not go to trial.

Regards
Marshall 


>> On Tue, May 10, 2011 at 9:07 AM, Marshall Eubanks  
>> wrote:
>>> A Federal Judge has decided to let the "U.S. Copyright Group" subpoena ISPs 
>>> over 23,000 alleged downloads of some
>>> Sylvester Stallone movie I have never heard of; subpoenas are expected to 
>>> go out this week.
>>> 
>>> I thought that there might be some interest in the list of these addresses :
>>> 
>>> http://www.wired.com/images_blogs/threatlevel/2011/05/expendibleipaddresses.pdf
>>> 
>>> If you have IP addresses on this list, expect to receive papers shortly.
>>> 
>>> Here is more of the backstory :
>>> 
>>> http://www.wired.com/threatlevel/2011/05/biggest-bittorrent-case/
>>> 
>>> This is turning into quite a legal racket (get order $ 3000 for sending a 
>>> threatening letter); I expect to see a lot
>>> more of this until some sense returns to the legal system.
> 
> Attempts a bit like this have come unstuck in the UK. Search for "Davenport 
> Lyons" and "ACS Law"
> -- 
> Roland Perry
> 
> 




Fwd: 23,000 IP addresses

2011-05-10 Thread Luis Marta
On Tue, May 10, 2011 at 3:38 PM, Michael Holstein <michael.holst...@csuohio.edu> wrote:

>
> >
> http://www.wired.com/images_blogs/threatlevel/2011/05/expendibleipaddresses.pdf
> >
>
> The dates in the timestamps are back in February. We deleted those logs
> "..in the regular course of business.."
> a LONG TIME AGO.
>
> If you didn't do that, you really ought to ask yourself why.
>
> Regards,
>
> Michael Holstein
> Information Security Administrator
> Cleveland State University
>


In the EU you have Directive 2006/24/EC:
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:0063:EN:PDF

Article 6 - Periods of retention
Member States shall ensure that the categories of data specified in Article
5 are retained for periods of not less than six months and not more than two
years from the date of the communication.

Article 5 - Categories of data to be retained
1. Member States shall ensure that the following categories of data are
retained under this Directive:
(a) data necessary to trace and identify the source of a communication:
(...) the name and address of the subscriber or registered user to whom an
Internet Protocol (IP) address, user ID or telephone number was allocated at
the time of the communication;


Each member state creates its own law, according to the directive. In
Portugal, you have to retain the data for one year.

Best Regards,
Luís Marta.


Re: Cent OS migration

2011-05-10 Thread Blake Hudson


William Pitcock wrote:
> Anyway, I was just wondering what the general consensus of NANOG is
> regarding CentOS vs Scientific Linux.  SL generally has faster security
> updates and people are *paid* to work on it fulltime.  CentOS on the
> other hand is supported out-of-the-box by most software.
>
> William

The two teams have different goals. Scientific Linux is designed to
create a common install base for labs. Which helps ensure repeatable
results and reduces the need for schools to develop and maintain their
own independent OS/software projects. SL uses RHEL as a base, but has a
different build environment, and may build against different versions of
libraries, as well as include packages which add or change functionality.

The goal of CentOS is to create a 100% compatible version of RHEL. Cent
tries to replicate the build environment of RHEL as closely as possible.
This ensures 100% compatible programs - bugs, regressions, and all.

For most, I suspect this difference in philosophy results in negligible
difference. However, some may need this. Especially if they test with
CentOS, and use RHEL in production, relying on the two to function and
perform identically.


I support CentOS, and hope the project resolves some of these problems
that have been lingering for the last year. As long as there are
individuals who support the project, there will still be a CentOS.

--Blake



Re: VPN tunnels between US and China dropping/slow

2011-05-10 Thread Mike Tancsa
On 5/10/2011 10:12 AM, Thomas York wrote:
> At my current place of business, we have several manufacturing plants in
> China as well as the United States. All of the plants have an OVPN tunnel to
> a datacenter here in Indianapolis which connect all of the plants. Our China
> plants pay for the basic 3mbit/3mbit fiber internet connections. I've had a
> hell of a time keeping their tunnels up. They're running on port 443 over
> TCP now, but every month or so the tunnel degrades so badly I have to switch
> the port. I've recently tried tunneling OVPN (UDP) over a GRE tunnel and

Perhaps a DPI issue ?  We make use of OpenVPN a lot here.  When the
local ILEC started rolling out their DPI boxes, our VPN traffic was
initially identified as bit torrent traffic and was being tampered with.
 Of course they said that was impossible... It took a good month before
I was able to get to the right people to actually look at the pcaps that
demonstrated the issue.  I setup an openvpn tunnel between the two
impacted sites (A,B)

From A, I would do a straight up icmp ping to B. It would get to the
other side 100% clean.

At the same, time, I would do a ping inside the VPN tunnel.  It would
show dropped packets.

I then used hping to generate UDP packets of the same size or bigger of
the VPN packets, but with all FF as the payload, so it didnt look like
anything to the DPI boxes. This too would get to the other side 100% of
the time.  But the VPN UDP packets would experience loss.  The DPI
vendor then made some patches and/or config changes to stop messing up
our traffic and we have been ok since.

Not sure what you can do on the China side to test things, but perhaps
setup an OpenVPN instance in one of those free test instances in Amazon
and see if you see the loss from there to China.


---Mike

-- 
---
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, m...@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/



Re: 23,000 IP addresses

2011-05-10 Thread Christopher Morrow
On Tue, May 10, 2011 at 10:37 AM, William Pitcock
 wrote:
> On Tue, 10 May 2011 10:22:03 -0400
> Christopher Morrow  wrote:
>> At least baytsp got theirs? (money I mean)
>>
>
> Do you have any links to evidence of this?  I would love to just be
> able to automatically throw BayTSP mails in the garbage, but I can't
> just blindly do it if there is any chance of them being legitimate.

sadly I do not have evidence anymore... I do know that the isp
essentially stopped replying to baytsp though. some form of monitoring
netflow on your network + matching baytsp requests against that
pattern would likely be enough I suspect (ask lawyer-cat of course)

-chris



Re: Yahoo and IPv6

2011-05-10 Thread Valdis . Kletnieks
On Tue, 10 May 2011 02:17:46 EDT, Igor Gashinsky said:

> The time for finger-pointing is over, period, all we are trying to do 
> now is figure out how to deal with the present (sucky) situation. The 
> current reality is that for a non-insignificant percentage of users when 
> you enable dual-stack, they are going to drop off the face of the planet. 
> Now, for *you*, 0.026% may be insignificant (and, standalone, that number 
> is insignificant), but for a global content provider that has ~700M users, 
> that's 182 *thousand* users that *you*, *through your actions* just took 
> out.. 182,000 - that is *not* insignificant

At any given instant, there's a *lot* more than 182,000 users who are cut off
due to various *IPv4* misconfigurations and issues.

Let's keep a sense of proportion, shall we?




Re: 23,000 IP addresses

2011-05-10 Thread Michael Holstein

> http://www.wired.com/images_blogs/threatlevel/2011/05/expendibleipaddresses.pdf
>   

The dates in the timestamps are back in February. We deleted those logs
"..in the regular course of business.."
a LONG TIME AGO.

If you didn't do that, you really ought to ask yourself why.

Regards,

Michael Holstein
Information Security Administrator
Cleveland State University



Re: L3 ECMP over links with different RTT

2011-05-10 Thread Iljitsch van Beijnum
On 10 mei 2011, at 16:28, Dikkema, Michael (Business Technology) wrote:

> Is it foolish to build a L3 ECMP connection between 2 iBGP routers with one 
> of the links having a 50% longer RTT?

No problem at all as long as you don't do per-packet load balancing but 
something that makes sure a single flow only goes over a single link. There are 
many ways to skin that particular cat, best practice is based on the 5-tuple 
(source and dest addresses and ports and the protocol number) which will give 
you the best chance of having a similar load on both links as long as you have 
at least some 1000 flows at any given time. With less granular load balancing 
there's a much bigger risk that one link will be full and the other more or 
less idle unless you have very, very many flows. You may want to use VLANs so 
you can load balance some stuff as per the above and manually balance some 
other stuff to go over the faster link.
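
Added example, not from anyone in this thread: a 5-tuple hash of the kind Iljitsch describes, applied to constructed flows, plus a small model of what per-packet balancing does over Michael's 20 ms and 35 ms paths. The SHA-256 hash and the per-router seed are stand-ins for a vendor's ECMP hash (assumed); only the flow-to-link mapping property matters.

```python
import hashlib
import random
from collections import Counter

# Added illustration, not code from the thread. SHA-256 stands in for a
# router's proprietary ECMP hash and the per-router seed models the vendor's
# anti-polarization salt (both assumed).


def flow_key(src, dst, proto, sport, dport):
    """Canonical 5-tuple; order matters, a router hashes each direction on its own."""
    return f"{src}|{dst}|{proto}|{sport}|{dport}"


def pick_link(src, dst, proto, sport, dport, n_links, seed=b"router-a"):
    """Map a flow to one of n_links equal-cost paths. Every packet of the flow
    gets the same answer, so a flow never straddles the 20 ms and 35 ms paths."""
    key = flow_key(src, dst, proto, sport, dport).encode()
    digest = hashlib.sha256(seed + key).digest()
    return int.from_bytes(digest[:8], "big") % n_links


def simulate(n_flows, n_links, rng_seed=1):
    """Hash n_flows constructed random flows and count flows per link."""
    rng = random.Random(rng_seed)
    counts = Counter()
    for _ in range(n_flows):
        src = f"10.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(1, 255)}"
        dst = f"192.0.2.{rng.randrange(1, 255)}"
        proto = rng.choice([6, 17])
        sport = rng.randrange(1024, 65536)
        dport = rng.choice([22, 53, 80, 443])
        counts[pick_link(src, dst, proto, sport, dport, n_links)] += 1
    return counts


def imbalance(counts, n_links):
    """Busiest link's share of flows minus the ideal 1/n_links share."""
    total = sum(counts.values())
    return max(counts[i] for i in range(n_links)) / total - 1.0 / n_links


def reorder_count(n_packets, interval_ms, link_delays_ms):
    """Per-packet round robin over links with different one-way delays.
    Returns how many packets arrive after a packet that was sent later,
    the reordering a TCP receiver reports as missing segments."""
    arrivals = []
    for seq in range(n_packets):
        link = seq % len(link_delays_ms)
        arrivals.append((seq * interval_ms + link_delays_ms[link], seq))
    arrivals.sort()
    reordered, highest = 0, -1
    for _, seq in arrivals:
        if seq < highest:
            reordered += 1
        else:
            highest = seq
    return reordered


if __name__ == "__main__":
    for n in (10, 100, 1000):
        print(n, "flows, imbalance", round(imbalance(simulate(n, 2), 2), 3))
    print("per-packet reorders over 10 / 17.5 ms paths:",
          reorder_count(100, 1.0, [10.0, 17.5]))
```

Run it and the imbalance drops as the flow count grows, which is the "some 1000 flows" caveat in numbers; with ten flows one link can easily carry most of them. The reorder model uses one-way delays of 10 ms and 17.5 ms, i.e. half of the 20 ms and 35 ms round trips.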


Re: 23,000 IP addresses

2011-05-10 Thread William Pitcock
On Tue, 10 May 2011 10:22:03 -0400
Christopher Morrow  wrote:

> On Tue, May 10, 2011 at 10:15 AM, Scott Brim 
> wrote:
> > On Tue, May 10, 2011 at 09:42, Leigh Porter
> >  wrote:
> >> So are they basing this on you downloading it or on making it
> >> available for others?
> >
> > Without knowing the details, I wouldn't assume any such level of
> > competence or integrity.  It could just be a broad witch hunt.
> 
> I know of a decent sized global ISP that ran (runs?) a large darknet
> that was the equivalent of a few /16's routed to a fbsd host running
> 'tcpdump' (a tad more complex, but essentially this). BayTSP (one of
> the 'make legal threats for the mpaa/riaa' firms) sent ~2k notes to
> the ISP about downloaders on these ips.
> 
> Looking at netflow data (sample 1:1 on that interface) they had
> portscanned (from ip space registered in their name) each address in
> the range and sent subpoena-material to all ips that they thought they
> got a response from.
> 
> At least baytsp got theirs? (money I mean)
> 

Do you have any links to evidence of this?  I would love to just be
able to automatically throw BayTSP mails in the garbage, but I can't
just blindly do it if there is any chance of them being legitimate.

William



Re: VPN tunnels between US and China dropping/slow

2011-05-10 Thread Christopher Morrow
On Tue, May 10, 2011 at 10:35 AM, William Pitcock
 wrote:

>> Currently, we're talking to Time Warner and some of our customers who
>> have plants in China to see what solutions they're using to get
>> around this kind of issue. One thing we are hearing quite often is
>> that they're using a MPLS based connection to Hong Kong, then going
>> to the USA from there. We're happy to try this, but due to cost
>> issues we're (management mostly) considering this a last resort
>> option. Are there any other options maybe some of you have to fixing
>> this issue? Thanks
>
> The only option is to get transport to an endpoint outside China, e.g.
> in Hong Kong.

or just tunnel without a protocol... or spread-spectrum across more
than one endpoint set



Re: VPN tunnels between US and China dropping/slow

2011-05-10 Thread William Pitcock
On Tue, 10 May 2011 10:12:57 -0400
"Thomas York"  wrote:

> At my current place of business, we have several manufacturing plants
> in China as well as the United States. All of the plants have an OVPN
> tunnel to a datacenter here in Indianapolis which connect all of the
> plants. Our China plants pay for the basic 3mbit/3mbit fiber internet
> connections. I've had a hell of a time keeping their tunnels up.
> They're running on port 443 over TCP now, but every month or so the
> tunnel degrades so badly I have to switch the port. I've recently
> tried tunneling OVPN (UDP) over a GRE tunnel and that has worked for
> a few months..but even now is degrading. The interesting thing is
> that ONLY the tunnel traffic gets degraded. I've replaced all of the
> equipment on both ends of all of the VPN tunnels, which changed
> nothing.
> 
> 

This is actually caused by the Chinese firewall trying to reset the VPN
connection.  The reason why they are doing this is because people are
buying VPN services to get around the firewall.  As of late, they have
become a lot more clever about VPN blocking.

> 
> Currently, we're talking to Time Warner and some of our customers who
> have plants in China to see what solutions they're using to get
> around this kind of issue. One thing we are hearing quite often is
> that they're using a MPLS based connection to Hong Kong, then going
> to the USA from there. We're happy to try this, but due to cost
> issues we're (management mostly) considering this a last resort
> option. Are there any other options maybe some of you have to fixing
> this issue? Thanks

The only option is to get transport to an endpoint outside China, e.g.
in Hong Kong.

William



L3 ECMP over links with different RTT

2011-05-10 Thread Dikkema, Michael (Business Technology)
Hi,

Is it foolish to build a L3 ECMP connection between 2 iBGP routers with one of 
the links having a 50% longer RTT? We're building fiber between 2 locations 
with the option of going both north and south around the great lakes. One link 
will have a 20ms RTT and one with around 35ms. The majority of our peering and 
transit will be on one side, with the enterprise datacenter on the other.

The design right now would use OSPF as an IGP over these links with iBGP 
peering on loopbacks. Both links are 1G.

Any thoughts on doing this different/better would be appreciated.

Thanks.



Re: 23,000 IP addresses

2011-05-10 Thread Christopher Morrow
On Tue, May 10, 2011 at 10:15 AM, Scott Brim  wrote:
> On Tue, May 10, 2011 at 09:42, Leigh Porter
>  wrote:
>> So are they basing this on you downloading it or on making it available for 
>> others?
>
> Without knowing the details, I wouldn't assume any such level of
> competence or integrity.  It could just be a broad witch hunt.

I know of a decent sized global ISP that ran (runs?) a large darknet
that was the equivalent of a few /16's routed to a fbsd host running
'tcpdump' (a tad more complex, but essentially this). BayTSP (one of
the 'make legal threats for the mpaa/riaa' firms) sent ~2k notes to
the ISP about downloaders on these ips.

Looking at netflow data (sample 1:1 on that interface) they had
portscanned (from ip space registered in their name) each address in
the range and sent subpoena-material to all ips that they thought they
got a response from.

At least baytsp got theirs? (money I mean)
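
Added example, not the ISP tooling Chris describes: matching notices against flow records to separate a real transfer from a port scan by the notifier itself, or from an address that carried no traffic at all. Flow records, notices and the notifier's address range are constructed from the RFC 5737 documentation ranges; what counts as "a handful of packets" is an assumed threshold.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Added illustration, not an ISP's abuse-desk tooling. Flows, notices and the
# notifier's range are constructed. A real run reads exported NetFlow/IPFIX;
# anything other than 1:1 sampling weakens the "no traffic" conclusion.

FLOWS = [
    # (start, src, sport, dst, dport, proto, packets)
    ("2011-02-14T03:12:05", "203.0.113.7", 51234, "198.51.100.20", 6881, 6, 1),
    ("2011-02-14T03:12:05", "198.51.100.20", 6881, "203.0.113.7", 51234, 6, 1),
    ("2011-02-14T03:12:07", "198.51.100.21", 6881, "192.0.2.9", 40000, 6, 1200),
    ("2011-02-14T03:13:00", "192.0.2.9", 40000, "198.51.100.21", 6881, 6, 900),
]

NOTICES = [
    # (accused ip, claimed time, address the notifier says it observed from)
    ("198.51.100.20", "2011-02-14T03:12:05", "203.0.113.7"),
    ("198.51.100.21", "2011-02-14T03:12:10", "192.0.2.9"),
    ("198.51.100.22", "2011-02-14T03:12:10", "203.0.113.7"),
]

# Space the notifier scans from (constructed stand-in for "ip space
# registered in their name").
NOTIFIER_NETS = [ip_network("203.0.113.0/24")]


def flows_for(ip, when, flows, window=timedelta(minutes=5)):
    """(peer, packets) for every flow touching `ip` within +/- window."""
    t0 = datetime.fromisoformat(when)
    out = []
    for start, src, sport, dst, dport, proto, pkts in flows:
        if ip in (src, dst) and abs(datetime.fromisoformat(start) - t0) <= window:
            out.append((dst if src == ip else src, pkts))
    return out


def from_notifier(addr, nets):
    a = ip_address(addr)
    return any(a in n for n in nets)


def assess(notice, flows=FLOWS, notifier_nets=NOTIFIER_NETS, min_packets=100):
    """Classify one notice:
    no_traffic          flow data shows nothing for that address at that time
    notifier_scan_only  the only peer was the notifier, with a few packets
                        (a port scan, not a transfer)
    transfer_seen       a third party exchanged a substantial packet count
    """
    ip, when, _ = notice
    seen = flows_for(ip, when, flows)
    if not seen:
        return "no_traffic"
    only_notifier = all(from_notifier(peer, notifier_nets) for peer, _ in seen)
    if only_notifier and sum(p for _, p in seen) < min_packets:
        return "notifier_scan_only"
    return "transfer_seen"


def triage(notices=NOTICES):
    return {n[0]: assess(n) for n in notices}


if __name__ == "__main__":
    for ip, verdict in triage().items():
        print(ip, verdict)
```

A "transfer_seen" verdict is not proof of anything by itself (NAT, open Wi-Fi, spoofed peers); the value of the check is the other two verdicts, which show the notifier's evidence cannot be what the letter claims. As Chris says, involve counsel before acting on it.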



Re: 23,000 IP addresses

2011-05-10 Thread Scott Brim
On Tue, May 10, 2011 at 09:42, Leigh Porter
 wrote:
> So are they basing this on you downloading it or on making it available for 
> others?

Without knowing the details, I wouldn't assume any such level of
competence or integrity.  It could just be a broad witch hunt.

> Apologies for the top post...

Never apologize for top posting, it just starts the flame war all over again.



VPN tunnels between US and China dropping/slow

2011-05-10 Thread Thomas York
At my current place of business, we have several manufacturing plants in
China as well as the United States. All of the plants have an OVPN tunnel to
a datacenter here in Indianapolis which connect all of the plants. Our China
plants pay for the basic 3mbit/3mbit fiber internet connections. I've had a
hell of a time keeping their tunnels up. They're running on port 443 over
TCP now, but every month or so the tunnel degrades so badly I have to switch
the port. I've recently tried tunneling OVPN (UDP) over a GRE tunnel and
that has worked for a few months..but even now is degrading. The interesting
thing is that ONLY the tunnel traffic gets degraded. I've replaced all of
the equipment on both ends of all of the VPN tunnels, which changed nothing.

 

Currently, we're talking to Time Warner and some of our customers who have
plants in China to see what solutions they're using to get around this kind
of issue. One thing we are hearing quite often is that they're using a MPLS
based connection to Hong Kong, then going to the USA from there. We're happy
to try this, but due to cost issues we're (management mostly) considering
this a last resort option. Are there any other options maybe some of you
have to fixing this issue? Thanks

 

Thomas York





Re: 23,000 IP addresses

2011-05-10 Thread Roland Perry
In article , chip 
 writes

> Interesting, especially after this:
> 
> http://torrentfreak.com/ip-address-not-a-person-bittorrent-case-judge-says-110503/

It depends whether you are suing the subscriber or the downloader (maybe 
both can be liable in some cases). Also whether the subscriber was 
running an open Wifi (normally not recommended), which is a matter of 
evidential fact to be explored in each particular case.

> On Tue, May 10, 2011 at 9:07 AM, Marshall Eubanks  wrote:
> 
>> A Federal Judge has decided to let the "U.S. Copyright Group" subpoena ISPs 
>> over 23,000 alleged downloads of some
>> Sylvester Stallone movie I have never heard of; subpoenas are expected to go 
>> out this week.
>> 
>> I thought that there might be some interest in the list of these addresses :
>> 
>> http://www.wired.com/images_blogs/threatlevel/2011/05/expendibleipaddresses.pdf
>> 
>> If you have IP addresses on this list, expect to receive papers shortly.
>> 
>> Here is more of the backstory :
>> 
>> http://www.wired.com/threatlevel/2011/05/biggest-bittorrent-case/
>> 
>> This is turning into quite a legal racket (get order $ 3000 for sending a 
>> threatening letter); I expect to see a lot
>> more of this until some sense returns to the legal system.

Attempts a bit like this have come unstuck in the UK. Search for 
"Davenport Lyons" and "ACS Law"

--
Roland Perry



RE: Yahoo and IPv6

2011-05-10 Thread Tony Hain
Igor Gashinsky wrote:
> :: >> In any case, the content side can mitigate all of the latency related issues
> :: >> they complain about in 6to4 by putting in a local 6to4 router and publishing
> :: >> the corresponding 2002:: prefix based address in DNS for their content. They
> :: >> choose to hold their breath and turn blue, blaming the network for the lack
> :: >> of 5-9's access to the eyeballs when they hold at least part of a solution
> :: >> in their own hands.
> :: >
> :: > Looking at that from the content provider side for a second, what is their
> :: > motivation for doing it? The IETF created 6to4, and some foolish OS and/or
> :: > hardware vendors enabled it by default. So you're saying that it's up to the
> :: > content providers to spend money to fix a problem they didn't create, when
> :: > the easy/free solution is simply not to turn on IPv6 at all? I completely
> :: > fail to see an incentive for the content providers to do this, but maybe
> :: > I'm missing something.
> :: >
> 
> So, just for the record, I am not speaking for my employer, and am
> speaking strictly for myself here, and I'm going to try to keep this my
> one and only message about finger-pointing :)
> 
> The time for finger-pointing is over, period, all we are trying to do
> now is figure out how to deal with the present (sucky) situation. The
> current reality is that for a non-insignificant percentage of users when
> you enable dual-stack, they are going to drop off the face of the planet.
> Now, for *you*, 0.026% may be insignificant (and, standalone, that number
> is insignificant), but for a global content provider that has ~700M users,
> that's 182 *thousand* users that *you*, *through your actions* just took
> out.. 182,000 - that is *not* insignificant
> 
> *That* is what world ipv6 day is about to me -- getting enough attention
> at the problem so that all of us can try to move the needle in the right
> direction. If enough users realize that they are broken, and end up
> "fixing themselves", then it will be a resounding success. And, yes, to
> me, disabling broken ipv6 *is* "fixing themselves". If they turn broken
> ipv6 into working ipv6, even better, I just hope all the access networks
> staffed up their helpdesk to deal with the call volumes..
> 
> And, if the breakage stats remain bad, well, that's what DNS
> "whitelists/blacklists" are going to be for..
> 
> :: While we're not directly a content provider, we do host several of them and
> :: we do run the largest network of 6to4 relays that I am aware of. In our
> :: experience at HE, this has dramatically improved the IPv6 experience for our
> :: clients. As such, I would think that providing a better user experience
> :: should serve as reasonable motivation for any rational content provider.
> :: It's not like running 6to4 relays is difficult or expensive.
> 
> No, running *return* 6to4 relays is not difficult at all, in fact, some
> content providers have a ton of them up right now. The problem is that
> content providers can't control the forward relays, 

So take the relays out of the path by putting up a 6to4 router and a 2002::
prefix address on the content servers. Longest match will cause 6to4
connected systems to prefer that prefix while native connected systems will
prefer the current prefix. The resulting IPv4 path will be exactly what it
is today door-to-door. Forcing traffic through a third party by holding to a
purity principle for dns, and then complaining about the results is not
exactly the most productive thing one could do.

> or protocol 41
> filtering that's out in the wild. 

Putting 2002:: in dns will not fix this, but it is not clear to me where
this comes from. The argument is that enterprise firewalls are blocking it,
but that makes no sense because many/most enterprises are in 1918 space so
6to4 will not be attempted to begin with, and for those that have public
space internally the oft-cited systems that are domain members will have
6to4 off by default. To get them to turn it on would require the IT staff to
explicitly enable it for the end systems but then turn around and block it
at the firewall ... Not exactly a likely scenario.

The most likely source of public space for non-domain joined systems would
be universities, but no one that is complaining about protocol 41 filtering
has shown that the source addresses are coming from those easily
identifiable places. 

That leaves the case of networks that use public addresses internally, but
nat those at the border. This would confuse the client into thinking 6to4
should be viable, only to have protocol 41 blocked by the nat. These
networks do exist, and the only way to detect them would be to have an
instrumented 6to4 router or relay that compared the IPv4-bits in the source
address between the two headers. They don't have to match exactly because a
6to4 router would use its address as a source, but if the embedded bits said
25.25.25.25 while the external IPv4 header sa
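
Added example, not from Tony or the RFC text: a reduced model of RFC 6724 destination address selection showing why publishing a 2002:: address next to the native one does what Tony says. Only rules 5 (matching label), 6 (precedence) and 9 (longest matching prefix) are applied, with one source address per host; both the label rule and the longest-match rule point the same way. Addresses are from the documentation ranges (2001:db8::/32, 192.0.2.0/24, 198.51.100.0/24) and are assumed.

```python
from ipaddress import IPv4Address, IPv6Address, IPv6Network

# Added illustration, not a host's real address-selection code. Default policy
# table rows from RFC 6724 section 2.1: (prefix, precedence, label).
POLICY = [
    (IPv6Network("::1/128"), 50, 0),
    (IPv6Network("::/0"), 40, 1),
    (IPv6Network("::ffff:0:0/96"), 35, 4),
    (IPv6Network("2002::/16"), 30, 2),
    (IPv6Network("2001::/32"), 5, 5),
    (IPv6Network("fc00::/7"), 3, 13),
    (IPv6Network("::/96"), 1, 3),
    (IPv6Network("fec0::/10"), 1, 11),
    (IPv6Network("3ffe::/16"), 1, 12),
]


def lookup(addr):
    """(precedence, label) from the longest matching policy prefix."""
    _, prec, label = max((row for row in POLICY if addr in row[0]),
                         key=lambda row: row[0].prefixlen)
    return prec, label


def common_prefix_len(a, b):
    """Number of leading bits two IPv6 addresses share (rule 9)."""
    return 128 - (int(a) ^ int(b)).bit_length()


def to6to4(ipv4, iid=1):
    """2002:V4ADDR::/48 with subnet 0 and an assumed interface id of 1,
    the address a content server would publish for its public IPv4 address."""
    v4 = int(IPv4Address(ipv4))
    return IPv6Address((0x2002 << 112) | (v4 << 80) | iid)


def order_destinations(source, destinations):
    """Reduced RFC 6724 ordering: rule 5 (matching label), rule 6 (higher
    precedence), rule 9 (longest matching prefix). Assumes the host has the
    single source address `source` for every candidate."""
    src_label = lookup(source)[1]

    def rank(dst):
        prec, label = lookup(dst)
        return (label == src_label, prec, common_prefix_len(source, dst))

    return sorted(destinations, key=rank, reverse=True)


# Constructed content server with a native and a 6to4-derived address.
NATIVE_DST = IPv6Address("2001:db8:1::1")
SIX2FOUR_DST = to6to4("192.0.2.1")        # 2002:c000:201::1
CANDIDATES = [NATIVE_DST, SIX2FOUR_DST]

if __name__ == "__main__":
    for src in (to6to4("198.51.100.1"), IPv6Address("2001:db8:2::5")):
        print(src, "->", order_destinations(src, CANDIDATES)[0])
```

A 6to4 client (2002:c633:6401::1 here) picks the 2002:: destination and its own 6to4 router encapsulates straight to 192.0.2.1, so no relay sits in the path; a native client picks the native address and never touches 6to4. This is why the trick helps the latency complaint but does nothing for protocol 41 being filtered somewhere on the client's side, as the text says.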

Re: 23,000 IP addresses

2011-05-10 Thread Leigh Porter
So are they basing this on you downloading it or on making it available for 
others?

Apologies for the top post...

-- 
Leigh Porter


On 10 May 2011, at 14:40, "Jon Lewis"  wrote:

> On Tue, 10 May 2011, Marshall Eubanks wrote:
> 
>> A Federal Judge has decided to let the "U.S. Copyright Group" subpoena ISPs 
>> over 23,000 alleged downloads of some
>> Sylvester Stallone movie I have never heard of; subpoenas are expected to go 
>> out this week.
>> 
>> I thought that there might be some interest in the list of these addresses :
>> 
>> http://www.wired.com/images_blogs/threatlevel/2011/05/expendibleipaddresses.pdf
> 
> It wasn't that good a movie, so I guess they need to squeeze every bit of $ 
> they can out of anyone who saw it.  I bought it at a Blockbuster liquidation 
> sale (having not seen it previously).
> 
>> http://www.wired.com/threatlevel/2011/05/biggest-bittorrent-case/
>> 
>> This is turning into quite a legal racket (get order $ 3000 for sending a 
>> threatening letter); I expect to see a lot
>> more of this until some sense returns to the legal system.
> 
> I wonder how things go if you challenge them in court.  This is surely a 
> topic for another list, but it seems to me it'd be fairly difficult to prove 
> unless they downloaded part of the movie from your IP and verified that what 
> they got really was a part of the movie.  If they're going after any IP that 
> connected to and downloaded from an agent of the studio (and thats what it 
> sounds like) who hosted the file, can they really expect to prosecute people 
> for downloading something they were giving away?
> 
> Wouldn't that be like the RIAA making bootleg copies of audio CDs, giving 
> them away, and then prosecuting anyone who accepted one?
> 
> --
> Jon Lewis, MCP :)   |  I route
> Senior Network Engineer |  therefore you are
> Atlantic Net|
> _ http://www.lewis.org/~jlewis/pgp for PGP public key_
> 
> 
> __
> This email has been scanned by the MessageLabs Email Security System.
> For more information please visit http://www.messagelabs.com/email 
> __




RE: 23,000 IP addresses

2011-05-10 Thread Baklarz, Ron
Maybe they can use the Clinton marijuana-non-inhalation defense - I downloaded 
the movie but I didn't watch it!

Ron Baklarz CISSP, CISA, CISM, NSA-IAM/IEM
Chief Information Security Officer
National Passenger Railroad Corporation
10 G Street, NE  Office 6E606
Washington, DC 20002
bakl...@amtrak.com

-Original Message-
From: Jon Lewis [mailto:jle...@lewis.org]
Sent: Tuesday, May 10, 2011 9:38 AM
To: Marshall Eubanks
Cc: NANOG list
Subject: Re: 23,000 IP addresses

On Tue, 10 May 2011, Marshall Eubanks wrote:

> A Federal Judge has decided to let the "U.S. Copyright Group" subpoena ISPs 
> over 23,000 alleged downloads of some
> Sylvester Stallone movie I have never heard of; subpoenas are expected to go 
> out this week.
>
> I thought that there might be some interest in the list of these addresses :
>
> http://www.wired.com/images_blogs/threatlevel/2011/05/expendibleipaddresses.pdf

It wasn't that good a movie, so I guess they need to squeeze every bit of
$ they can out of anyone who saw it.  I bought it at a Blockbuster
liquidation sale (having not seen it previously).

> http://www.wired.com/threatlevel/2011/05/biggest-bittorrent-case/
>
> This is turning into quite a legal racket (get order $ 3000 for sending a 
> threatening letter); I expect to see a lot
> more of this until some sense returns to the legal system.

I wonder how things go if you challenge them in court.  This is surely a
topic for another list, but it seems to me it'd be fairly difficult to
prove unless they downloaded part of the movie from your IP and verified
that what they got really was a part of the movie.  If they're going after
any IP that connected to and downloaded from an agent of the studio (and
that's what it sounds like) who hosted the file, can they really expect to
prosecute people for downloading something they were giving away?

Wouldn't that be like the RIAA making bootleg copies of audio CDs, giving
them away, and then prosecuting anyone who accepted one?

--
  Jon Lewis, MCP :)   |  I route
  Senior Network Engineer |  therefore you are
  Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_




Re: 23,000 IP addresses

2011-05-10 Thread Mark Radabaugh

On 5/10/11 9:07 AM, Marshall Eubanks wrote:

A Federal Judge has decided to let the "U.S. Copyright Group" subpoena ISPs 
over 23,000 alleged downloads of some
Sylvester Stallone movie I have never heard of; subpoenas are expected to go 
out this week.

I thought that there might be some interest in the list of these addresses :

http://www.wired.com/images_blogs/threatlevel/2011/05/expendibleipaddresses.pdf

If you have IP addresses on this list, expect to receive papers shortly.

Here is more of the backstory :

http://www.wired.com/threatlevel/2011/05/biggest-bittorrent-case/

This is turning into quite a legal racket (get order $ 3000 for sending a 
threatening letter); I expect to see a lot
more of this until some sense returns to the legal system.

Regards
Marshall


A good reason why every ISP should have a published civil subpoena 
compliance fee.


23,000 * $150 each should only cost them $3.45M to get the information.

Seems like that would take the profit out pretty quickly.

--
Mark Radabaugh
Amplex

m...@amplex.net  419.837.5015




Re: 23,000 IP addresses

2011-05-10 Thread Dale Carstensen
>A Federal Judge has decided to let the "U.S. Copyright Group" subpoena
>ISPs over 23,000 alleged downloads of some Sylvester Stallone movie I have 
>never heard of [. . .]
>I thought that there might be some interest in the list of these addresses :
>http://www.wired.com/images_blogs/threatlevel/2011/05/expendibleipaddresses.pdf
> [. . .]
>Marshall

There are only 34 unique ISP names, representing somewhat fewer ISPs
(4 or so have Comcast in the name, I think SBC, Bellsouth and AT&T are
all one, Frontier has a couple of names, etc.)  And they probably are
represented proportional to the number of customers they have, mostly
big cable, ILEC, cell carrier:

   5892 Comcast Cable
   3719 Road Runner
   2997 SBC Internet Services
   2331 Verizon Internet Services
   1293 BellSouth.net
   1010 Cox Communications
    977 Charter Communications
    681 Qwest Communications
    656 Optimum Online
    572 Windstream Communications
    334 Clearwire Corporation
    269 Sprint PCS
    258 Frontier Communications of America
    180 Suddenlink Communications
    168 EarthLink
    136 WideOpenWest
    136 Comcast Business Communications
    118 AT&T Services
    111 Insight Communications Company
     98 Fairpoint Communications
     97 Frontier Communications
     92 RCN Corporation
     70 ALLTEL Corporation
     59 Bresnan Communications
     59 AT&T Global Network Services, LLC
     57 Wave Broadband
     55 Midcontinent Communications
     51 Atlantic Broadband
     48 Sprint
     21 HUGHES NETWORK SYSTEMS
     19 Road Runner Business
     14 Verizon Business
      3 Comcast Telecommunications
      2 Comcast - Houston





Re: 23,000 IP addresses

2011-05-10 Thread Julien Gormotte

On Tue, 10 May 2011 09:07:11 -0400, Marshall Eubanks wrote:

> A Federal Judge has decided to let the "U.S. Copyright Group"
> subpoena ISPs over 23,000 alleged downloads of some
> Sylvester Stallone movie I have never heard of;

Good for you : it was one of the worst films I've ever seen. And I've 
seen Iron Man 2.

> subpoenas are
> expected to go out this week.
> 
> I thought that there might be some interest in the list of these 
> addresses :
> 
> http://www.wired.com/images_blogs/threatlevel/2011/05/expendibleipaddresses.pdf

Mine is not. These are only US ISPs ?

> If you have IP addresses on this list, expect to receive papers 
> shortly.
> 
> Here is more of the backstory :
> 
> http://www.wired.com/threatlevel/2011/05/biggest-bittorrent-case/
> 
> This is turning into quite a legal racket (get order $ 3000 for
> sending a threatening letter); I expect to see a lot
> more of this until some sense returns to the legal system.

And these problems are spreading everywhere in the world.

> Regards
> Marshall





Re: 23,000 IP addresses

2011-05-10 Thread Jon Lewis

On Tue, 10 May 2011, Marshall Eubanks wrote:

> A Federal Judge has decided to let the "U.S. Copyright Group" subpoena ISPs 
> over 23,000 alleged downloads of some
> Sylvester Stallone movie I have never heard of; subpoenas are expected to go 
> out this week.
>
> I thought that there might be some interest in the list of these addresses :
>
> http://www.wired.com/images_blogs/threatlevel/2011/05/expendibleipaddresses.pdf

It wasn't that good a movie, so I guess they need to squeeze every bit of 
$ they can out of anyone who saw it.  I bought it at a Blockbuster 
liquidation sale (having not seen it previously).

> http://www.wired.com/threatlevel/2011/05/biggest-bittorrent-case/
>
> This is turning into quite a legal racket (get order $ 3000 for sending a 
> threatening letter); I expect to see a lot
> more of this until some sense returns to the legal system.

I wonder how things go if you challenge them in court.  This is surely a 
topic for another list, but it seems to me it'd be fairly difficult to 
prove unless they downloaded part of the movie from your IP and verified 
that what they got really was a part of the movie.  If they're going after 
any IP that connected to and downloaded from an agent of the studio (and 
that's what it sounds like) who hosted the file, can they really expect to 
prosecute people for downloading something they were giving away?


Wouldn't that be like the RIAA making bootleg copies of audio CDs, giving 
them away, and then prosecuting anyone who accepted one?


--
 Jon Lewis, MCP :)   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: 23,000 IP addresses

2011-05-10 Thread chip
Interesting, especially after this:

http://torrentfreak.com/ip-address-not-a-person-bittorrent-case-judge-says-110503/



On Tue, May 10, 2011 at 9:07 AM, Marshall Eubanks  
wrote:
> A Federal Judge has decided to let the "U.S. Copyright Group" subpoena ISPs 
> over 23,000 alleged downloads of some
> Sylvester Stallone movie I have never heard of; subpoenas are expected to go 
> out this week.
>
> I thought that there might be some interest in the list of these addresses :
>
> http://www.wired.com/images_blogs/threatlevel/2011/05/expendibleipaddresses.pdf
>
> If you have IP addresses on this list, expect to receive papers shortly.
>
> Here is more of the backstory :
>
> http://www.wired.com/threatlevel/2011/05/biggest-bittorrent-case/
>
> This is turning into quite a legal racket (get order $ 3000 for sending a 
> threatening letter); I expect to see a lot
> more of this until some sense returns to the legal system.
>
> Regards
> Marshall
>
>
>



-- 
Just my $.02, your mileage may vary,  batteries not included, etc



23,000 IP addresses

2011-05-10 Thread Marshall Eubanks
A Federal Judge has decided to let the "U.S. Copyright Group" subpoena ISPs 
over 23,000 alleged downloads of some
Sylvester Stallone movie I have never heard of; subpoenas are expected to go 
out this week. 

I thought that there might be some interest in the list of these addresses :

http://www.wired.com/images_blogs/threatlevel/2011/05/expendibleipaddresses.pdf

If you have IP addresses on this list, expect to receive papers shortly. 

Here is more of the backstory :

http://www.wired.com/threatlevel/2011/05/biggest-bittorrent-case/

This is turning into quite a legal racket (get order $ 3000 for sending a 
threatening letter); I expect to see a lot
more of this until some sense returns to the legal system. 

Regards
Marshall 




Banks and IPv6 (was Re: Yahoo and IPv6)

2011-05-10 Thread Jared Mauch

On May 10, 2011, at 6:03 AM, Iljitsch van Beijnum wrote:

> On 9 mei 2011, at 21:40, Tony Hain wrote:
> 
>>> Publicly held corporations are responsible to their shareholders to get
>>> eyeballs on their content. *That* is their job, not promoting cool new
>>> network tech. When you have millions of users hitting your site every
>>> day losing 1/2000 is a large chunk of revenue.
> 
> Nonsense. 0.05% is well below the noise margin for anything that involves 
> humans.

I think it will be interesting when people start to look at the results. 
Following the delegation of someplace like a bank that has a financial interest in

a) security (ie: modern software)
b) people reaching their site

There's a lot of IPv6 brokeness in their services.

do "dig +trace AAAA www.citibank.co.uk"

You will eventually reach their load balancer dns servers that start giving out 
bad referrals/authority.

www.citibank.co.uk. 3600IN  NS  ldefdc-egsl01-7000.nsroot2.com.
www.citibank.co.uk. 3600IN  NS  lgbrdc-egsl01-7000.nsroot1.com.
;; Received 153 bytes from 192.193.214.2#53(192.193.214.2) in 36 ms

[trimmed]
.   360 IN  NS  m.root-servers.net.
;; BAD REFERRAL
;; Received 500 bytes from 199.67.203.246#53(199.67.203.246) in 100 ms


When you look at the top "25" broken sites, it quickly starts to look like 
something interesting.  The temporary failure shows some error in the resolver 
library looking for an AAAA record.  If you ask a non-bind nameserver you may 
have better luck as they seem to have relaxed SOA tracking.

www.capitalone.com.|208.80.48.112|OK|Temporary failure in name resolution
www.priceline.com.|64.6.17.1|OK|Temporary failure in name resolution
www.kitco.com.|66.38.218.33|OK|Temporary failure in name resolution
www.dmm.co.jp.|203.209.147.15|OK|Temporary failure in name resolution
www.lg.com.|174.35.24.66,174.35.24.81|OK|Temporary failure in name resolution
www.theweathernetwork.com.|207.96.160.181|OK|Temporary failure in name resolution
www.ovguide.com.|64.94.88.21|OK|Temporary failure in name resolution
www.alipay.com.|110.75.132.21|OK|Temporary failure in name resolution
www.sznews.com.|210.21.197.161|OK|Temporary failure in name resolution
www.ryanair.com.|193.95.148.90|OK|Temporary failure in name resolution
www.kbb.com.|209.67.183.100|OK|Temporary failure in name resolution
www.royalbank.com.|142.245.1.203|OK|Temporary failure in name resolution
www.opentable.com.|66.151.130.32|OK|Temporary failure in name resolution
www.bookryanair.com.|193.95.148.91|OK|Temporary failure in name resolution
aleadpay.com.|121.14.17.41|OK|Temporary failure in name resolution
www.20minutos.es.|85.62.13.190|OK|Temporary failure in name resolution
www.nzherald.co.nz.|184.154.158.58|OK|Temporary failure in name resolution
www.rbcroyalbank.com.|142.245.1.15|OK|Temporary failure in name resolution
www.hangzhou.com.cn.|218.108.127.43|OK|Temporary failure in name resolution
www.klikbca.com.|202.6.208.8|OK|Temporary failure in name resolution
www.uk.to.|195.144.11.40|OK|Temporary failure in name resolution
www.atdmt.com.|65.203.229.39,65.242.27.40|OK|Temporary failure in name resolution
www.hc360.com.|221.233.134.141,221.233.134.143|OK|Temporary failure in name resolution
www.dmm.com.|203.209.147.53|OK|Temporary failure in name resolution
www.businesswire.com.|204.8.173.52|OK|Temporary failure in name resolution

Aside from the above, it does seem that there are a fair number of sites that 
have enabled IPv6 and gone without notice.

take www.informationweek.com which (from my view) sits behind AS209 with their 
IPv6 space, very similar to their v4 address.

I'm optimistic that more people will 'just enable' ipv6.  Hopefully other 
technical websites will do it as well, perhaps anyone that matches a regex of 
"ars" can influence the powers that be.  If they can get people to disable 
adblock, maybe they can serve up some AAAA as well. :)

- Jared
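The per-name check behind a table like the one above, written out as an added example (this is not Jared's script, and the host names and answers in the fake resolver are constructed for the demonstration). The point it makes explicit is that A and AAAA have to be queried and reported separately: a name whose A lookup succeeds while its AAAA lookup comes back as SERVFAIL or times out surfaces through the resolver library as EAI_AGAIN ("Temporary failure in name resolution"), which is a different failure from a name that simply has no AAAA, and it is the one that hurts dual-stack clients. The resolver is injectable so the logic runs offline; with host names on the command line it uses socket.getaddrinfo instead.

```python
"""Per-name A and AAAA check in the shape of the list above: each record type
is queried separately and reported separately, so a name whose A lookup works
but whose AAAA lookup fails temporarily (SERVFAIL or timeout, surfaced by the
resolver library as EAI_AGAIN) stands out from a name that simply has no AAAA.

Added example, not Jared's script. The resolver function is injectable so the
logic can be run offline against the constructed fake below; by default it
uses socket.getaddrinfo."""
import socket

TEMPFAIL = "Temporary failure in name resolution"


def getaddrinfo_resolver(name, family):
    """Real lookup: unique address strings for one family; raises gaierror."""
    infos = socket.getaddrinfo(name, None, family, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def fake_resolver(name, family):
    """Constructed zone data standing in for live DNS (assumed names)."""
    zone = {
        ("dual.example", socket.AF_INET): ["192.0.2.10"],
        ("dual.example", socket.AF_INET6): ["2001:db8::10"],
        ("broken.example", socket.AF_INET): ["192.0.2.20"],
        ("v4only.example", socket.AF_INET): ["192.0.2.30"],
    }
    if (name, family) in zone:
        return zone[(name, family)]
    if name == "broken.example":
        # the load balancer's DNS answers the AAAA query with SERVFAIL
        raise socket.gaierror(socket.EAI_AGAIN, TEMPFAIL)
    raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")


def classify(name, family, resolver):
    """(status, addresses) for one record type."""
    try:
        return "OK", resolver(name, family)
    except socket.gaierror as e:
        if e.errno == socket.EAI_AGAIN:
            return TEMPFAIL, []
        return e.strerror or "error", []


def check(name, resolver=getaddrinfo_resolver):
    """name|A addresses|A status|AAAA addresses or AAAA status"""
    a_status, a_addrs = classify(name, socket.AF_INET, resolver)
    aaaa_status, aaaa_addrs = classify(name, socket.AF_INET6, resolver)
    return "|".join([name, ",".join(a_addrs) or "-", a_status,
                     ",".join(aaaa_addrs) or aaaa_status])


def dual_stack_risk(name, resolver=getaddrinfo_resolver):
    """True when A resolves but AAAA fails temporarily: the case where a
    dual-stack client stalls or errors instead of falling back, while a
    v4-only client never notices anything."""
    a_status, _ = classify(name, socket.AF_INET, resolver)
    aaaa_status, _ = classify(name, socket.AF_INET6, resolver)
    return a_status == "OK" and aaaa_status == TEMPFAIL


if __name__ == "__main__":
    import sys
    live = bool(sys.argv[1:])
    names = sys.argv[1:] or ["dual.example", "broken.example", "v4only.example"]
    resolver = getaddrinfo_resolver if live else fake_resolver
    for n in names:
        flag = "  <-- dual-stack risk" if dual_stack_risk(n, resolver) else ""
        print(check(n, resolver) + flag)
```

Run with no arguments to see the three constructed cases; run with real host names to query the system resolver. Note that the exact error string for "name exists but has no AAAA" varies by libc, so only the EAI_AGAIN case is matched by errno.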


Re: Yahoo and IPv6

2011-05-10 Thread Iljitsch van Beijnum
On 9 mei 2011, at 21:40, Tony Hain wrote:

>> Publicly held corporations are responsible to their shareholders to get
>> eyeballs on their content. *That* is their job, not promoting cool new
>> network tech. When you have millions of users hitting your site every
>> day losing 1/2000 is a large chunk of revenue.

Nonsense. 0.05% is well below the noise margin for anything that involves 
humans.

>> The fact that the big
>> players are doing world IPv6 day at all should be celebrated, promoted,
>> and we should all be ready to take to heart the lessons learned from
>> it.

I applaud the first step, but I'm bothered by the fact that no second step is 
planned.

>> The content providers are not to be blamed for the giant mess that IPv6
>> deployment has become. If 6to4 and Teredo had never happened, in all
>> likelihood we wouldn't be in this situation today.

> The entire point of those technologies you are complaining about was to
> break the stalemate between content and network, because both sides will
> always wait and blame the other.

You're both somewhat right: there's nothing wrong with having 6to4 and Teredo 
available as an option for people who want/need easy IPv6, which is too hard to 
get otherwise for most people. The big mistake was to enable it by default. 
That ALWAYS ends badly. (See for instance HTTP pipelining, good idea but it got 
tainted by buggy implementations on the client side that made it impossible to 
enable on the server side.)

> The fact that the content side chose to
> wait until the last possible minute to start is where the approach falls
> down. Expecting magic to cover for lack of proactive effort 5-10 years ago
> is asking a bit much, even for the content mafia. 

The content people don't feel the address crunch and they have no incremental 
deployment: either you AAAA or you don't AAAA. The opposite is true for the 
eyeball people, so they are the ones that will have to get this ball rolling.

> In any case, the content side can mitigate all of the latency related issues
> they complain about in 6to4 by putting in a local 6to4 router and publishing
> the corresponding 2002:: prefix based address in DNS for their content.

That wouldn't help people behind firewalls that block protocol 41 (which is way 
too common) and it's harmful to those with non-6to4 connectivity but no (good) 
RFC 3484 support so they connect to those 2002:: addresses. (I'm looking at 
you, MacOS. Try for yourself here: http://6to4test3.runningipv6.net/ )

> We are about the witness the most expensive, complex, blame-fest of a
> transition that one could have imagined 10 years ago. This is simply due to
> the lack of up-front effort that both sides have demonstrated in getting to
> this point. Now that time has expired, all that is left to do is sit back
> and watch the fireworks.

I love fireworks.

I don't think it'll be all that bad, though. Pretty much all the pieces are in 
place now, it's mostly a question of simply enabling IPv6. Yes, people will 
whine but how else would we know the NANOG list is still working between 
operational issues?
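The RFC 3484 point above, as an added example that is not part of any message in the thread: the default policy table from RFC 3484 section 2.1, reduced to the label, precedence and longest-match rules, applied to a constructed DNS answer that carries a 2002::/16 AAAA beside a native AAAA and an A record. It also includes the RFC 6724 table (the 2012 revision, not mentioned in the thread) to show what changed for 6to4-sourced hosts, and a naive "first AAAA in DNS order" chooser standing in for a client with no usable RFC 3484 support. All addresses are documentation prefixes; the host address sets are assumptions.

```python
"""Destination address ordering per the RFC 3484 policy table (and its RFC 6724
revision), reduced to rule 5 (prefer matching label), rule 6 (prefer higher
precedence) and rule 9 (longest matching prefix). Shows what a policy-table
client does with a 2002::/16 AAAA published beside a native AAAA and an A
record, versus a client that just takes DNS order.

Added example for this thread, not code from any poster. Tables are the RFC
defaults; every address below is a constructed documentation address."""
import ipaddress

# (prefix, precedence, label): RFC 3484 section 2.1 default policy table
RFC3484_TABLE = [
    ("::1/128", 50, 0),
    ("::/0", 40, 1),
    ("2002::/16", 30, 2),
    ("::/96", 20, 3),
    ("::ffff:0:0/96", 10, 4),
]

# RFC 6724 section 2.1 (2012 revision): IPv4 now ranks above 6to4
RFC6724_TABLE = [
    ("::1/128", 50, 0),
    ("::/0", 40, 1),
    ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2),
    ("2001::/32", 5, 5),
    ("fc00::/7", 3, 13),
    ("::/96", 1, 3),
    ("fec0::/10", 1, 11),
    ("3ffe::/16", 1, 12),
]


def as_v6(addr):
    """IPv4 addresses are handled as IPv4-mapped IPv6 so one table applies."""
    a = ipaddress.ip_address(addr)
    return ipaddress.IPv6Address("::ffff:" + str(a)) if a.version == 4 else a


def is_v4(addr):
    return as_v6(addr).ipv4_mapped is not None


def lookup(table, addr):
    """Longest-prefix match in the policy table -> (precedence, label)."""
    a = as_v6(addr)
    best = None
    for prefix, prec, label in table:
        net = ipaddress.IPv6Network(prefix)
        if a in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, prec, label)
    return best[1], best[2]


def common_prefix_len(a, b):
    """Rule 9 helper: leading bits shared by two addresses."""
    return 128 - (int(as_v6(a)) ^ int(as_v6(b))).bit_length()


def choose_source(table, dest, sources):
    """Source selection reduced to: same address family, and prefer a source
    whose label matches the destination's (RFC 3484 section 5, rule 6).
    Returns None when the host has no address of that family at all."""
    same_family = [s for s in sources if is_v4(s) == is_v4(dest)]
    if not same_family:
        return None
    dest_label = lookup(table, dest)[1]
    for s in same_family:
        if lookup(table, s)[1] == dest_label:
            return s
    return same_family[0]


def sort_destinations(table, dests, sources):
    """Order candidate destinations: rule 1 pushes families with no usable
    source last; rules 5, 6 and 9 follow; sorted() is stable so rule 10 keeps
    DNS order for ties. Scope, deprecation and home-address rules are
    assumed equal for all candidates."""
    def key(dest):
        src = choose_source(table, dest, sources)
        if src is None:
            return (1, 0, 0, 0)
        prec, dest_label = lookup(table, dest)
        src_label = lookup(table, src)[1]
        return (0, 0 if dest_label == src_label else 1, -prec,
                -common_prefix_len(src, dest))
    return sorted(dests, key=key)


# Constructed DNS answer for one name: a 6to4 AAAA listed first, then a
# native AAAA, then the A record. Host address sets are assumptions.
DNS_ORDER = ["2002:c000:204::1", "2001:db8:c0::1", "192.0.2.4"]
NATIVE_V6_HOST = ["2001:db8:1::10", "198.51.100.10"]     # native v6 + v4
SIXTOFOUR_HOST = ["2002:c633:640a::1", "198.51.100.10"]  # 6to4 + v4
V4_ONLY_HOST = ["198.51.100.10"]


def naive_first_choice(dests):
    """A client with no RFC 3484 support: first AAAA in DNS order, else A."""
    v6 = [d for d in dests if not is_v4(d)]
    return v6[0] if v6 else dests[0]


if __name__ == "__main__":
    for name, host in [("native", NATIVE_V6_HOST), ("6to4", SIXTOFOUR_HOST),
                       ("v4-only", V4_ONLY_HOST)]:
        print(name, "RFC 3484:", sort_destinations(RFC3484_TABLE, DNS_ORDER, host))
        print(name, "RFC 6724:", sort_destinations(RFC6724_TABLE, DNS_ORDER, host))
    print("no policy table:", naive_first_choice(DNS_ORDER))
```

With the RFC 3484 table, a host with native IPv6 ranks the native AAAA first and the 2002:: address last, so the extra record costs it nothing; a host whose only IPv6 is 6to4 ranks the 2002:: destination first, then IPv4, then native. The client with no policy table takes the 2002:: address whenever it is listed first, regardless of what connectivity it has, which is the case Iljitsch describes. The RFC 6724 table only changes the 6to4 host: IPv4 (precedence 35) now beats 6to4 (30).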


Re: Yahoo and IPv6

2011-05-10 Thread Arie Vayner
Igor,

When testing, you should take into consideration that people from all across
the world may use this tool, and in some places speed is not the same as in
other places... Latency... Bad links... Etc.

Arie

On Tue, May 10, 2011 at 7:58 AM, Igor Gashinsky  wrote:

> On Mon, 9 May 2011, valdis.kletni...@vt.edu wrote:
>
> :: Given the following posting from earlier this morning:
> ::
> :: > The location that's affecting the results is pending removal from DNS;
> :: > and ASAP we hope to have the name moved to the geo-LB that suppors v6,
> :: > instead of the round robin it is today.
> ::
> :: I feel pretty damned justified in saying it wasn't *my* network causing
> the retransmits.
> ::
> :: (Oh - and kudos for the person quoted above for 'fessing up, and to the
> people
> :: that tracked down the actual issue. That always sucks when the test rig
> itself
> :: has issues. Glad to hear it will be fixed)
>
> In the spirit of full disclosure, I'll "fess up" a little more then :) We
> did have the cname for the help pages point to an old rotation, something
> that is getting rectified, and the timeout in the javascript was a tad too
> aggressive (would lead to some unwanted false negatives), so that timeout
> is going to be up'ed to between 5 and 10 seconds (we are measuring a few
> different things, so which value will be used will depend on what is being
> measured where).
>
> Thank you for catching this -- we are still working on finishing up the
> monitoring component of flag day related content :)
>
> -igor
>


Re: Yahoo and IPv6

2011-05-10 Thread Owen DeLong
> :: > I do agree with you that pointing fingers at this stage is really not
> :: > helpful. I continue to maintain that being supportive of those content
> :: > networks that are willing to wade in is the right answer.
> :: >
> :: Agreed, but, it's also important to point out when they're starting to
> :: swim in directions that are counterproductive, such as having help sites
> :: that advise users to turn off IPv6 with fixing their IPv6 capabilities
> :: as a secondary option.
> 
> "We recommend disabling IPv6 or seeking assistance in order to fix your 
> system's IPv6 configuration through your ISP or computer manufacturer"
> 
> So, your problem is that a help page gives the user 2 options, 
> the first one of them being a quick and easy fix that a user can do 
> himself in less then a minute, and suggesting contacting the ISP or 
> manufacturer *second* (and possibly spending quite a bit of time on 
> hold/troubleshooting, and then saying "screw it")?!? 
> 
Vs. other more useful options which I have spelled out elsewhere in this
thread, yes.

> Honestly, I think the people who want ipv6 to work, and are willing and 
> capable to troubleshoot it, will; and those who don't will just 
> turn it off... Seems like the right outcome to me..
> 
We can agree to disagree. Turning it off really isn't a good outcome because
it just postpones the inevitable. Encouraging people to call their ISPs to
troubleshoot their IPv6 problems accomplishes two things:

1.  It raises visibility of the need for IPv6 at the eyeball ISPs. It shows
    that there are users encountering things that cause them to care
    about IPv6 working.

2.  It helps users resolve their IPv6 problems and get working IPv6.

I applaud your employer's efforts to get IPv6 deployed and their leadership
in working towards IPv6 day. Hopefully they can eventually take a more
positive leadership position towards successful eyeball transitions as
well.

Owen




Re: Suspecious anycast prefixes

2011-05-10 Thread Randy Bush
> I might not explain the background clearly and confused people. We're
> doing research on multiple origin AS issue, and we want to confirm if
> our inference is correct based on history data we collected. For
> example, we found several hundreds of prefixes with multiple origins
> more than two, some of them were inferred as anycast using our
> methodology, but we're not positive with the conjecture, so we want to
> find the ground truth from operators. Thanks for the detailed
> explanations.

the ucla obsession with multiple-origin announcements has a long
history.  the problem is that you think you can make something that
looks forward.  but how will you decide if tomorrow's announcement of
P from A0 and A1 is anycast, ops kink, or an actual mis-announcement?

randy