Re: ICANN to allow commercial gTLDs

2011-06-20 Thread Joly MacFie
And you are to be complimented on your diligence in this respect, Eric.

On Mon, Jun 20, 2011 at 6:21 PM,  wrote:

>
> this is still an area of active work, i was working on it ... yesterday
> and the day before, today, and tomorrow and the day after tomorrow ...
>
>

-- 
---
Joly MacFie  218 565 9365 Skype:punkcast
WWWhatsup NYC - http://wwwhatsup.com
 http://pinstand.com - http://punkcast.com
 VP (Admin) - ISOC-NY - http://isoc-ny.org
--
-


Re: Address Assignment Question

2011-06-20 Thread Steven Bellovin

On Jun 20, 2011, at 10:22 45PM, John R. Levine wrote:

>> All they need -- or, I suspect, need to assert -- is to have
>> multiple physical networks.  They can claim a production net, a DMZ,
>> a management net, a back-end net for their databases, a developer
>> net, and no one would question an architecture like that
> 
> My impression is that this is about a client whose stuff is all hosted in a 
> single data center.
> 
Then take out the developer net (or make it a VPN) but the rest remains.


--Steve Bellovin, https://www.cs.columbia.edu/~smb








Re: Address Assignment Question

2011-06-20 Thread John R. Levine

> All they need -- or, I suspect, need to assert -- is to have
> multiple physical networks.  They can claim a production net, a DMZ,
> a management net, a back-end net for their databases, a developer
> net, and no one would question an architecture like that


My impression is that this is about a client whose stuff is all hosted in 
a single data center.


R's,
John



Re: Address Assignment Question

2011-06-20 Thread Steven Bellovin

On Jun 20, 2011, at 5:52 27PM, John Levine wrote:

>> They have inquired about IPv6 already, but it's only gone so far as
>> that.  I would gladly give them a /64 and be done with it, but my
>> concern is that they are going to want several /64 subnets for the
>> same reason and I don't really *think* it's a legitimate reason.
> 
> No legitimate mailer needs more than one /64 per physical network.
> Same reason.
> 
Note that the OP spoke of assigning them one /64, rather than one per
physical net.  I also note that ARIN, at least, suggests "/56 for small 
sites, those expected to need only a few subnets over the next 5 years",
which would seem to include this site even without their justification.
All they need -- or, I suspect, need to assert -- is to have
multiple physical networks.  They can claim a production net, a DMZ,
a management net, a back-end net for their databases, a developer
net, and no one would question an architecture like that


--Steve Bellovin, https://www.cs.columbia.edu/~smb








Re: Address Assignment Question

2011-06-20 Thread Jérôme Nicolle
2011/6/21 Tony Finch :
> Spamhaus. And none of your complaints apply to them.

Oh really? So the blame is to throw at Google Docs administrators for
being blacklisted (on the SBL, which should contain only "verified
spam source", thus implying discussion with the service manager)? And
BTW, who is Spamhaus to claim any legitimacy about who can or can't
register a domain? (referral to the .at phishing campaign).

Alright, those are probably exceptions, and _some_ lists may be
useful, but obviously no one can claim to have an efficient "zero
false-positive" list. Blindly relying on those lists _will_ lead to
false positives and are a commodity for mail server administrators that
might lead to sloppy filtering and weaker control over their mail
infrastructure.

Also, such lists are _centralized_ systems that *might* (worst case
scenario) be spotted for attacks. What would be your mail
infrastructure load if you rely on a list that disappears overnight?
Yeah, right, anycasted DNS infrastructure, redundancy over 4
continents, that's fine for most of us ('til it fails).

In my opinion, the use of RBLs as a first level filter for incoming
mail, instead of greylisting, rDNS and strict protocol compliance
(cluttered with some Exchange bug-compatibility perhaps), is less
reliable, so it's against what I shall consider as a best practice.

I hope that clarifies my point of view, and please excuse me for the
previous insults, I just have a hard time reading "hey, my critical
services are dependent on an external, centralized entity with no
transparency and that's good for the Internet" without compulsive
expressions including F. words.

-- 
Jérôme Nicolle



Re: ICANN to allow commercial gTLDs

2011-06-20 Thread Jay Ashworth
- Original Message -
> From: "Mark Andrews" 

> In message <20110620223618.2927.qm...@joyce.lan>, "John Levine"
> writes:
> > You're in good company. It's hard to find a modern mail system that
> > allows abbreviated domain names in addresses. I just checked the
> > mail at AOL, Yahoo, Gmail, and Hotmail, and the one at Tucows which is
> > used by a lot of large corporate mail systems, and none of them will let
> > you send a message to an address like foo@bar. Note that Yahoo and
> > Hotmail each handle mail for many large ISPs.
> 
> Abbreviated names make perfect sense within a company be they mail
> (submission), ssh or telnet or within the home.

And to take that rebuttal even further, I would suspect that
username@division is a pretty common pattern in really large companies, 
in addition to colleges; I'm certain, for example, that USF has that
pattern in its email addresses -- though whether its mailers permit
users to short cut addresses, I'm not sure.

I'm sure we have some college email admins here, or on mailops; I'll 
ask over there and see.

You would, clearly, have to be using the *internal* SMTP server, regardless
of where you were sending from, in order to do that.

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA  http://photo.imageinc.us +1 727 647 1274



Re: ICANN to allow commercial gTLDs

2011-06-20 Thread Joel Maslak
I wonder what sort of money .wpad would be worth...



Re: ICANN to allow commercial gTLDs

2011-06-20 Thread brunner
> 185K is just the application fee, the process includes some
> requirements to have a given amount of dough for operations in escrow,
> add what you need to pay attorneys, "experts",
> lobbyists, and setup and staff a small corporation even if you plan
> to outsource part of the day-2-day operations to a back end operator,
> you can easily reach a $2M figure just to start playing on that level.

correct that the $185k is just the application fee, and there is a schedule
of additional fees which may be applicable, e.g., extended evaluation if
the application fails some evaluation criteria, and objections should any
party with standing pay a fee to file an objection, etc.,

the continuity cost is undefined and the subject of lengthy communication
between primarily myself and icann staff on the tdg-legal mailing list,
though a vendor also commented on an aspect of continuity there as well.

opinions on what a dead registry has to do (necessary functions) while
waiting to time out and go "poof" or find a new operator sought.

clue, in units of business organizations, finance, human resources,
leasing, (law) and consensus policy, existing and advocacy, and registry
constituency issues (icann policy), and registry and registrar contractual
(law) issues are useful.

the if-outsource-then-2m back-of-a-bar-napkin figure may be beer dampened,
as standard offers by platform operators offer revenue sharing (whether all
are equally exploitive of applicants as eventual registry contract holders
is a question of projection, expectation, and taste) terms, resulting in
significantly lower initial cost-to-acquire outcomes.

a data point is .cat, which started with two thousand euros as its total
marketing budget, and what i personally consider reasonable commercial
terms from one non-profit (platform operator) to another (registry contract
holding foundation).

another is .museum, which started on a desktop in a kitchen.

comments critical of their post-initial investment outcome should, though
rarely are, be informed by restrictions placed upon the respective access
to registrants, a subject just commented upon recently by both the antitrust
division of the department of justice, and the european commission.

a counter-example of course is the public record of a 2000 round standard
gtld applicant, which spent approximately $20m on its buildout, before
down-sizing its head-count by approximately 100 in late 2001, and which ten
years of operational art has obtained an approximately 4% market share of
generic names.

> Yesterday's vote was just for the cameras, the program was approved
> long time ago, the staff just got the directive to start implementing,
> but there are still many holes in the process.

broadly true, though missing both the ongoing gac-board dynamic, and the
senior leadership transition(s) as driving this particular date and 
place of announcement.

> All those now part of the ICANN ecosystem are celebrating in fantastic
> parties while the developing world supposedly has to be happy because
> they reserved $2M (when the organization has at least a $70M/yr
> running budget) for assistance...

this is still an area of active work, i was working on it ... yesterday
and the day before, today, and tomorrow and the day after tomorrow ...

there will be a gac+alac statement in about 24 hours from now on the
subject of support for applicants meeting the qualifications contained
in the milestone 2 report of the joint application support working group.

it is a matter of record that i contribute to the jas-wg, and that the
alac formed a drafting team to work with the gac, and that i am one of
the members of that drafting team.

what i'd like to see is some "i can help" notes cluttering my inbox, or
the list -- real soon now this is going to be blades or 1us in cages with
4 and 6 provisioning and cash and clue (see above). hell, the only reason
i'm in singapore is that a high-status privacy-only issue advocacy guy
quit and left a unit of travel support for re-allocation. i don't want to
have to walk to senegal in three months time to finalize the forms of support
available to applicants, and icann wasn't funding me, they were funding
the guy who quit.

-e



Re: ICANN to allow commercial gTLDs

2011-06-20 Thread Mark Andrews

In message <20110620223618.2927.qm...@joyce.lan>, "John Levine" writes:
> >> do you want to issue a RFC that bans search lists?
> >
> >Personally, I think search lists are a mistake and don't use them.
> 
> You're in good company.  It's hard to find a modern mail system that
> allows abbreviated domain names in addresses.  I just checked the mail
> at AOL, Yahoo, Gmail, and Hotmail, and the one at Tucows which is used
> by a lot of large corporate mail systems, and none of them will let
> you send a message to an address like foo@bar.  Note that Yahoo and
> Hotmail each handle mail for many large ISPs.

Abbreviated names make perfect sense within a company be they mail
(submission), ssh or telnet or within the home.  

> There's a lot of advice that made sense in 1989 which is irrelevant
> now.  Programming around mail systems that rewrite partially qualified
> addresses is in that category.  It may not be possible for people to
> send mail to addresses like n@ai, but that's a very different problem
> from it going to the wrong place.
> 
> R's,
> John
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org



Re: ICANN to allow commercial gTLDs

2011-06-20 Thread Mark Andrews

In message <201106202158.p5klwaxw088...@bartok.nlnetlabs.nl>, Jaap Akkerhuis writes:
> 
> (Marka)
> See RFC 1535.  Yes, a mistake was made implementing search lists.
> A RFC was issued to say don't do search lists this way.
> 
> Which RFC? What way?

RFC 1535.
   A Security Problem and Proposed Correction
   With Widely Deployed DNS Software

It had to do with how search lists are constructed and processed.
A wildcard record for *.EDU.COM was added and it broke communications
from COM sites to EDU sites by creating an unexpected match.  It is
the unexpected match that is the problem not the wildcard though
that made *lots* more unexpected matches.

If you want the gory detail I can give them to you.

It is the unexpected match that is the problem with simple hostnames
as global identifiers.  People expect global identifiers to work
globally and simple hostnames can't in the presence of search lists
as they produce unexpected matches.

> It would be nice if you would say what you mean instead keep referring to
> things the reader has to guess.
> 
>   jaap

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
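
An added illustration, not part of the original message: a toy model of the search-list behaviour described above, showing how a `*.edu.com` wildcard captures a lookup meant for an EDU host, how trying dotted names as typed first avoids it, and why a single-label name still resolves locally. All names, addresses and the function names are constructed for this example; the two orderings are simplified models, not any resolver's actual code.

```python
"""Toy model of resolver search-list processing. Constructed data, no network I/O."""

# Constructed records: owner name -> address (documentation address ranges).
ZONE = {
    "*.edu.com.": "192.0.2.66",                 # wildcard like the one in the message
    "host.univ.edu.": "198.51.100.10",          # the EDU host the user means
    "brand.corp.example.com.": "203.0.113.80",  # internal host called "brand"
    "brand.": "198.51.100.200",                 # hypothetical single-label TLD name
}


def lookup(fqdn):
    """Return the address for fqdn: exact match, else an enclosing wildcard (simplified)."""
    fqdn = fqdn.lower()
    if fqdn in ZONE:
        return ZONE[fqdn]
    labels = fqdn.rstrip(".").split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:]) + "."
        if wildcard in ZONE:
            return ZONE[wildcard]
    return None


def implicit_search(name, local_domain):
    """Old order: the local domain and each of its parents are appended and tried
    before the name as typed."""
    parts = local_domain.split(".")
    suffixes = [".".join(parts[i:]) for i in range(len(parts))]
    return [f"{name}.{s}." for s in suffixes] + [f"{name}."]


def dot_first_search(name, search_list):
    """Corrected order: a name containing a dot is tried as typed first, and only
    an explicitly configured search list is applied."""
    qualified = [f"{name}.{s}." for s in search_list]
    absolute = [f"{name}."]
    return absolute + qualified if "." in name else qualified + absolute


def resolve(candidates):
    """Return (name_that_matched, address) for the first candidate that resolves."""
    for fqdn in candidates:
        addr = lookup(fqdn)
        if addr is not None:
            return fqdn, addr
    return None, None


if __name__ == "__main__":
    # A user in corp.example.com types the EDU host's full name.
    print(resolve(implicit_search("host.univ.edu", "corp.example.com")))
    print(resolve(dot_first_search("host.univ.edu", ["corp.example.com"])))
    # A single-label name has no dot, so the search list still wins over the TLD.
    print(resolve(dot_first_search("brand", ["corp.example.com"])))
```

The third lookup is the case raised for simple hostnames as global identifiers: the same typed name reaches a different host depending on the client's search list.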



Re: ICANN to allow commercial gTLDs

2011-06-20 Thread Mark Andrews

In message , David Conrad
 writes:
> On Jun 20, 2011, at 11:19 AM, Mark Andrews wrote:
> > do you want to issue a RFC that bans search lists?
> 
> Personally, I think search lists are a mistake and don't use them.  If
> you do use them, then you are accepting a certain amount of ambiguity.
> Naked TLDs will increase that ambiguity and would recommend against
> their use, however there is no Internet Police to enforce such things
> (ICANN certainly isn't since ccTLDs can do whatever they like). I have
> significant doubt that an RFC will magically solve this problem (for any
> value of "this").

While there are no internet police, they are not supposed to exist
and ICANN and the IAB can make statements to that effect.

Similarly ICANN could direct Verisign to meet its RFC 1034 requirements
by ensuring that regular checks of delegations be made to ensure
that both sides of the zone cut are consistent and if not ensure
that steps are taken to make them consistent.

ICANN and Verisign don't pick up the support cost caused by Verisign's
and ultimately ICANN's failure to ensure these checks are done.
The support cost falls to ISPs and nameserver vendors explaining
that lookups are failing because the delegation is broken.  Broken
delegations that should have been caught and corrected by the regular
checks.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org



Re: ICANN to allow commercial gTLDs

2011-06-20 Thread Jorge Amodio
185K is just the application fee, the process includes some
requirements to have a given amount of dough for operations in escrow,
add what you need to pay attorneys, "experts",
lobbyists, and setup and staff a small corporation even if you plan
to outsource part of the day-2-day operations to a back end operator,
you can easily reach a $2M figure just to start playing on that level.

And BTW, there is no guarantee you will get it, and that the NTIA will
give green light to IANA to add it.

And after the last pissing contest between the ICANN BoD and GAC, we
still need to see how everything will play out.

Yesterday's vote was just for the cameras, the program was approved
long time ago, the staff just got the directive to start implementing,
but there are still many holes in the process.

All those now part of the ICANN ecosystem are celebrating in fantastic
parties while the developing world supposedly has to be happy because
they reserved $2M (when the organization has at least a $70M/yr
running budget) for assistance...

The circus continues, Jon Postel watching from above the root zone ...

My $185,000 - 184,998.
Jorge



Re: unqualified domains, was ICANN to allow commercial gTLDs

2011-06-20 Thread Mark Andrews

In message <3da313a7-911e-4439-9082-b50844338...@dotat.at>, Tony Finch writes:
> On 20 Jun 2011, at 08:43, Mark Andrews  wrote:
> >
> > There is also no such thing as "in-bailiwick glue for the TLD’s DNS
> > servers".  The root zone contains glue for TLDs.  No TLD zone contains
> > glue for TLDs.
> 
> "In-bailiwick" means that the nameservers for a zone are under the apex
> of that zone. So the uk TLD servers are in-bailiwick: they are all of
> the form nsX.nic.uk for various X. The com TLD servers are not
> in-bailiwick since they are all under gtld-servers.net; similarly the
> .aero servers are under .de, .ch, .info, .org. If a zone has
> in-bailiwick nameservers then it must have glue in the parent zone. It
> is possible for a TLD to have no glue of its own (like .com) if all of
> its nameservers are under other TLDs. It is possible for a TLD to have
> no glue at all if it shares no nameservers with any other TLD - so .com
> has glue (shared with .net) but the .aero nameservers are all under
> other TLDs and are different from those TLDs' servers, so it can work
> without glue.
> 
> Tony.

I will repeat my assertion.  There is no such thing as glue records
for the nameservers at the top of the zone within the zone itself
be they in-bailiwick or not.  Glue records live in the parent zone
and are there to avoid the catch 22 situation of needing the records
to find the records.

Now glue records which match the address records of the nameservers
for the zone may still be needed but they are glue records for a
delegated zone, not the zone's apex.

One can add obscured address records for the zone's nameservers to
the zone but they are not glue records and are not needed for
operational purposes and will cause problems if loaded into old
nameservers as they will incorrectly be returned as answers. Even
some modern nameservers treat them incorrectly by returning them
as additional data.

All glue records are obscured records.  Not all obscured records are
glue records be they address records or otherwise.  Obscured records
can be of any type.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
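
An added illustration, not code from the thread: a small audit of a parent zone that separates glue (address records at or below a zone cut) from the zone's own authoritative address records, and reports delegations whose in-bailiwick nameserver has no glue. The zone `test.`, every record in it and the function names are constructed for this example.

```python
"""Classify address records in a parent zone as glue or authoritative data."""

# Constructed contents of a hypothetical parent zone "test." as (owner, type, rdata).
ORIGIN = "test."
RECORDS = [
    ("test.", "NS", "ns.test."),
    ("ns.test.", "A", "192.0.2.1"),            # address of the zone's own server
    ("alpha.test.", "NS", "ns1.alpha.test."),  # in-bailiwick nameserver
    ("ns1.alpha.test.", "A", "192.0.2.53"),    # below the alpha.test. cut: glue
    ("beta.test.", "NS", "ns1.beta.test."),    # in-bailiwick, but no glue present
    ("gamma.test.", "NS", "ns.provider.example."),  # out of bailiwick
]


def is_under(name, ancestor):
    """True if name equals ancestor or is a subdomain of it (absolute names)."""
    return name == ancestor or name.endswith("." + ancestor)


def audit_parent_zone(origin, records):
    """Return the zone cuts, glue owners, authoritative address owners, and
    delegations that need glue but have none."""
    # A zone cut is any NS owner other than the zone's own apex.
    cuts = sorted({owner for owner, rtype, _ in records
                   if rtype == "NS" and owner != origin})

    def below_cut(name):
        return any(is_under(name, cut) for cut in cuts)

    glue, authoritative = [], []
    for owner, rtype, _ in records:
        if rtype in ("A", "AAAA"):
            # At or below a cut the parent is not authoritative: the record is glue.
            (glue if below_cut(owner) else authoritative).append(owner)

    missing = []
    for owner, rtype, target in records:
        # An in-bailiwick nameserver can only be found through glue in the parent.
        if rtype == "NS" and owner != origin and is_under(target, owner):
            if target not in glue:
                missing.append((owner, target))

    return {"cuts": cuts, "glue": glue,
            "authoritative": authoritative, "missing_glue": missing}


if __name__ == "__main__":
    for key, value in audit_parent_zone(ORIGIN, RECORDS).items():
        print(f"{key}: {value}")
```

The `ns.test.` address is ordinary zone data in `test.`; its glue, if any, would sit in the parent of `test.`, which this audit does not model.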



Re: Address Assignment Question

2011-06-20 Thread Brielle Bruns

On 6/20/11 9:26 AM, Jérôme Nicolle wrote:

> But most RBL managers are shitheads anyway, so help them evade,
> that'll be one more proof of spamhaus&co. uselessness and negative
> impact on the Internet's best practices.


I do believe in this one paragraph, we know who the real shithead is.

Noted and filed away for future use.

--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org



Re: ICANN to allow commercial gTLDs

2011-06-20 Thread John Levine
>> do you want to issue a RFC that bans search lists?
>
>Personally, I think search lists are a mistake and don't use them.

You're in good company.  It's hard to find a modern mail system that
allows abbreviated domain names in addresses.  I just checked the mail
at AOL, Yahoo, Gmail, and Hotmail, and the one at Tucows which is used
by a lot of large corporate mail systems, and none of them will let
you send a message to an address like foo@bar.  Note that Yahoo and
Hotmail each handle mail for many large ISPs.

There's a lot of advice that made sense in 1989 which is irrelevant
now.  Programming around mail systems that rewrite partially qualified
addresses is in that category.  It may not be possible for people to
send mail to addresses like n@ai, but that's a very different problem
from it going to the wrong place.

R's,
John




Re: ICANN to allow commercial gTLDs

2011-06-20 Thread Jeroen van Aart

Paul Graydon wrote:
> I've seen the stuff about adding a few extra TLDs, like XXX.  I haven't 
> seen any references until now of them considering doing it on a 
> commercial basis.   I don't mind new TLDs, but company ones are crazy 
> and going to lead to a confusing and messy internet.


I don't know about you, but *I* really like to browse to 
http://google.google or https://yahoo.yahoo or 
http://microsoft.microsoft (or www.microsoft.microsoft, or 
www.com.microsoft, or...) instead of their .com equivalents. It makes 
perfect sense. Except I fear the extra characters transmitted may add to 
the global CO2 emissions ;~C


In addition, from TFA:
""We're advising people to buy their brands, park them and redirect 
visitors to their existing site, at the very least," says Hnarakis, 
whose more than 3,500 customers include Volvo, Lego and GlaxoSmithKline."


I for one welcome the increased influx of money to registrars world wide 
and ICANN in particular. The more money goes to the "those who operate 
the c0re of the innernets" the more tools they have to improve it.


Forward we go, never look back.

Greetings,
Jeroen

--
http://goldmark.org/jeff/stupid-disclaimers/
http://linuxmafia.com/~rick/faq/plural-of-virus.html



Re: Address Assignment Question

2011-06-20 Thread Tony Finch
On 20 Jun 2011, at 23:09, Jérôme Nicolle  wrote:
> 
>  But if you can point me to any serious organisation
> providing a real value-added service maintained by real professionals,
> those who perform thorough checks _before_ putting a legitimate mail
> server in a blacklist, then i'd enjoy benchmarking it on a test
> domain.

Spamhaus. And none of your complaints apply to them.

Tony.
--
f.anthony.n.finch  http://dotat.at/


Re: Address Assignment Question

2011-06-20 Thread Jérôme Nicolle
Seth,

2011/6/21 Seth Mos :
> We use the black lists for scoring spam messages, but we never outright block 
> messages. I was not implying that blacklists are not useful at all. I just 
> see things in shades of grey over black and white.

Thanks for pointing this out : I was whining about amateurs using RBLs
as a pre-processing hard filter. Using it with a scoring system isn't
bad IMHO, depends on the weight you set to these rules.

-- 
Jérôme Nicolle



Re: Address Assignment Question

2011-06-20 Thread Jérôme Nicolle
2011/6/20 John Levine :
> Hi.  I'm the guy who wrote the CEAS paper on greylisting.

URL ?

> Greylisting is useful, but anyone who thinks it's a substitute for
> DNSBLs has never run a large mail system.

You're right, greylisting on a large system may not be efficient as it
won't block everything and will eat up quite a lot of system
resources. But it's a good start once basic protocol-checks have
already eliminated the 80% amount of bullshit sent from botnets.

My point is : combining server-side checks of different nature is
often enough to avoid the use of RBLs and still provide a good
quality of service. It probably won't scale to Comcast's or AOL's MXs
but it's way better than relying on an external authority for your
corporate or personal mailserver.

-- 
Jérôme Nicolle



Re: Address Assignment Question

2011-06-20 Thread Jérôme Nicolle
2011/6/20 David Miller :
> OK.  I'll bite.  What particular "internet best practices" are Spamhaus
> trampling on?

RBLs are often seen as an "easy solution" to a quite complex problem.
Most mail administrators are relying on them so blindly that some may
forget to evaluate an RBL's pertinence regarding their particular
needs.

Providing such an "easy" way to avoid learning how to provide your
mail service definitely has a bad influence on the overall quality of
mail services. That's a first negative impact : letting noobs think
they can manage a mail server because "the magic RBLs seem to solve
my major issue" without looking to further side-effects.

Next in line, RBL managers don't even try to contact abuse@ or
postmaster@. So mail admins can't use them as a way to improve their
setups. Well, of course, it probably started with large corporations
routing their ab...@bigestrmailserviceonearth.com to /dev/null, but
that's not the point : if you pretend to improve mail services, do it
right : use abuse@ and postmaster@ before blacklisting (note : botnets
sending from forged domains have to be considered differently of
course, but the rDNS check often fits that part quite well).

Last but not least, some RBLs are extortion scams requiring one to pay
to get its inetnum removed from any blacklist. It might be just an
incentive to help a non-profit charity cause, it still smells like a
mafia-related scam to me.

Let the RBLs' maintainers clean up their front doors before asking for
any legitimacy. Right now, relying on them is either stupidity or
laziness. But if you can point me to any serious organisation
providing a real value-added service maintained by real professionals,
those who perform thorough checks _before_ putting a legitimate mail
server in a blacklist, then i'd enjoy benchmarking it on a test
domain. Just let me doubt it'll be of any good regarding how
efficient is a properly managed mail server with just a few tech
tricks.



-- 
Jérôme Nicolle
06 19 31 27 14



Re: Address Assignment Question

2011-06-20 Thread Seth Mos

Op 20 jun 2011, om 23:55 heeft John Levine het volgende geschreven:

>> An organization that blocks 90% of spam with no false positives is
>> incredibly useful.
> 
>> Using a greylisting system is equally effective without the black
>> list part.
> 
> Hi.  I'm the guy who wrote the CEAS paper on greylisting.
> 
> Greylisting is useful, but anyone who thinks it's a substitute for
> DNSBLs has never run a large mail system.

We use the black lists for scoring spam messages, but we never outright block 
messages. I was not implying that blacklists are not useful at all. I just see 
things in shades of grey over black and white.

Of the 17 domains we have with roughly 250 users it does well enough.

Regards,

Seth




RE: VMware ESX LACP Support

2011-06-20 Thread Holmes,David A
ESX does support link aggregation, if by that is meant more than one Ethernet 
switch-to-ESX bundle, acting as a single logical pipe, and with stacked TOR 
switch configurations the bundled Ethernet links can connect to different TOR 
switches for redundancy. Nexus 1000V is better for network visibility and 
management, though.

-Original Message-
From: Josh Smith [mailto:juice...@gmail.com]
Sent: Monday, June 20, 2011 1:43 PM
To: Manu Chao
Cc: nanog@nanog.org
Subject: Re: VMware ESX LACP Support

ESX does NOT support LACP out of the box.  Not sure about the nexus 1kv.


Thanks,
Josh Smith
KD8HRX
email/jabber:  juice...@gmail.com
phone:  304.237.9369(c)





On Mon, Jun 20, 2011 at 4:39 PM, Manu Chao  wrote:
> I would like to design VSS LACP based MECs with ESX hosts.
>
> Does VMware ESX support LACP?
>
> Do we need Nexus 1000 for ESX LACP support?
>
> R/
> Manu
>




Re: VMware ESX LACP Support

2011-06-20 Thread Jimmy Hess
On Mon, Jun 20, 2011 at 3:39 PM, Manu Chao  wrote:
> I would like to design VSS LACP based MECs with ESX hosts.
> Does VMware ESX support LACP?

No, ESX does not support the LACP protocol for control and negotiation of
link aggregation.

Should you want link aggregation, and the default load balancing operation of
ESX does not meet requirements, it is possible to use a statically configured
aggregation in non-negotiated ("on") state; or a third party solution.

The standard way to load balance NICs in ESX is to just plug in additional
NICs to the same network, add the extra pNICs to the same vSwitch, and have
all NICs in 'active' mode. The default operation is load balancing based on
originating vSwitch port ID.

That is, every time a new vNIC is connected to the vSwitch, it is assigned a
port ID, which can be used to distribute outgoing traffic from the vNICs
among the pNICs, so individual VMs can be load balanced.

> Do we need Nexus 1000 for ESX LACP support?

The Nexus 1000v for ESX has LACP as a supported feature.

The Nexus 1000v is one third party solution for VS link aggregation
for Enterprise Plus ESX environments that use the VDS feature.

VDS is a lot of complexity and expense to add, just to tick
a "LACP Support" checkbox, however; if you don't also need its
other features
--
-JH



Re: ICANN to allow commercial gTLDs

2011-06-20 Thread Jaap Akkerhuis

(Marka)
See RFC 1535.  Yes, a mistake was made implementing search lists.
A RFC was issued to say don't do search lists this way.

Which RFC? What way?

It would be nice if you would say what you mean instead keep referring to
things the reader has to guess.

jaap



Re: Address Assignment Question

2011-06-20 Thread John Levine
> An organization that blocks 90% of spam with no false positives is
>incredibly useful.

>Using a greylisting system is equally effective without the black
> list part.

Hi.  I'm the guy who wrote the CEAS paper on greylisting.

Greylisting is useful, but anyone who thinks it's a substitute for
DNSBLs has never run a large mail system.

R's,
John



Re: Address Assignment Question

2011-06-20 Thread John Levine
>They have inquired about IPv6 already, but it's only gone so far as
>that.  I would gladly give them a /64 and be done with it, but my
>concern is that they are going to want several /64 subnets for the
>same reason and I don't really *think* it's a legitimate reason.

No legitimate mailer needs more than one /64 per physical network.
Same reason.

R's,
John



Re: Address Assignment Question

2011-06-20 Thread John Levine
> My feeling is that (paraphrasing here) "we might get blocked
> occasionally" and "we need this many IPs on our MTAs because they
> can't handle the load" are *not* legitimate reasons for requesting
> so many addresses.

It is definitely not your job to help spammers evade blocking.  If
someone's blocking their mail, that's a message to stop sending it,
not to try to sneak it in the back door.  The valid scenarios for
spreading out IPs are so rare (and generally involve guys with guns)
that you can ignore them.

Legitimate bulk senders want their IPs in a compact block so they can
set up feedback loops from ISPs and stop sending mail that people
don't want.  As other people have noted, you can send vast amounts of
mail from a small number of IPs, and anyone big enough to have a valid
need for a lot of address space is also big enough that you have
already heard of them.

Friendly threat: around here, if we know that an ISP hands out IP
ranges for snowshoe spamming, we often block their entire address
range preemptively to avoid the tedium of blocking it one little chunk
at a time.

R's,
John





Re: Address Assignment Question

2011-06-20 Thread Jérôme Nicolle
2011/6/20 Tony Finch :
> An organization that blocks 90% of spam with no false positives is incredibly 
> useful.

Greylisting and reverse-DNS checks alone block 95-98% with no impact
on mail sent from properly maintained mail servers. RBLs are only
useful for lazy mailadmins, and to save some network and CPU
resources while avoiding greylisting and rDNS. But it implies you
fully trust the RBL author, and some really ain't trustworthy.

I'd rather lose some mails from poorly managed domains than rely on
any external almighty authority, it looks to me like an incentive to
consider SMTP administration seriously rather than using default
settings from the package maintainer...

-- 
Jérôme Nicolle



Re: Address Assignment Question

2011-06-20 Thread David Miller

On 6/20/2011 11:26 AM, Jérôme Nicolle wrote:

< SNIP />
> Unless many contiguous blocks are assigned as different objects : a
> RBL must NOT presume of one end-user's inetnum unless it has been
> caught doing nasty things AND didn't comply to abuse@ requests.


An RBL *can* do whatever an RBL wants to do.

An RBL *can* block an entire allocation for whatever reason they chose 
including - a single spam message with no requests sent to abuse@ or any 
contact of any kind with the group allocated the space.


The only "control" over an RBL is their desire to remain relevant by 
preserving an opinion of accuracy in the minds of end users.  If end 
users believe that an RBL is no longer meeting their needs, then they 
will stop using that RBL.



> But most RBL managers are shitheads anyway, so help them evade,
> that'll be one more proof of spamhaus&co. uselessness and negative
> impact on the Internet's best practices.



OK.  I'll bite.  What particular "internet best practices" are Spamhaus 
trampling on?


-DMM




Re: ICANN to allow commercial gTLDs

2011-06-20 Thread Mark Andrews

In message <20110620190517.2242.qm...@joyce.lan>, "John Levine" writes:
> >> Simple hostnames as, global identifiers, were supposed to cease
> >> to work in 1984.
> >> 
> >> Can you point out where that is stated?
> >> 
> >>jaap
> >
> >RFC 897.
> 
> I see where it says that all of the hosts that existed in 1984 were
> supposed to change their names to something with at least two
> components, as part of the transition to the DNS.  I think we can
> assume that process is now complete.
> 
> I don't see where it says that new DNS names can't have a single
> component.  A page and line reference would be helpful.

Hierarchical names have 2 or more labels or else they become simple
names (one label).  They are disjoint sets.

Then you have RFC 1123 which explicitly acknowledges the use of
unqualified names.  Simple names are indistinguishable from unqualified
names and unqualified names need to be qualified and the only
syntactically valid way to do that is to add a label.

   Although RFC-822 allows the local use of abbreviated
   domain names within a domain, the application of
   RFC-822 in Internet mail does not allow this.  The
   intent is that an Internet host must not send an SMTP
   message header containing an abbreviated domain name
   in an address field.  This allows the address fields
   of the header to be passed without alteration across
   the Internet, as required in Section 5.2.6.

Then you have SUBMISSION, RFC 4409 section 4.2., Ensure All Domains
Are Fully-Qualified.  This allows simple names on input and says
to qualify them.  

Or do you want more examples of where the use of simple names as
global identifiers will cause things to break?

Allowing or using address and MX records at the apex of a TLD is
stupid, reckless behaviour.  Configuring a TLD to behave as if it
is a simple host name is stupid, reckless behaviour, i.e.  be
careful about which SRV records you add.  Some are used with host
name equivalents as suffixes and some aren't.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org



Re: Address Assignment Question

2011-06-20 Thread Seth Mos

On 20 Jun 2011, at 23:24, Tony Finch wrote:

> On 20 Jun 2011, at 16:26, Jérôme Nicolle  wrote:
>> 
>> But most RBL managers are shitheads anyway, so help them evade, that'll be 
>> one more proof of spamhaus &co. uselessness and negative impact on the 
>> Internet's best practices.
> 
> An organization that blocks 90% of spam with no false positives is incredibly 
> useful.

Using a greylisting system is equally effective without the black list part.

My milter-greylist installation is aimed at allowing as much mail through as it 
can, instead of the other way around. Milter-greylist has a nice urlcheck 
feature and/or ldap verification for users. In my case it's a PHP script.

If I can verify the IP to be inside a /22 of the MX records, www records or 
domain records that is sufficient to bypass the greylisting. The timers are 
also quite lenient. Just 15 minutes of wait is enough, or they are persistent 
if we've seen them before by domain. We get the email regardless and phone 
calls are rare, and I never run the risk of never getting the email.

This has turned out to be a really effective way to allow normal email through 
without much delay. After just 2 days at work it's whitelisted over 75% of the 
active domains we do business with.

We have about 17 domains and I know what the poster is asking, we've been 
emailing our customers before, subscribed customers nonetheless. We've had 
our share of blacklisting before. And we even sent the emails with unsubscribe 
links.

But some of them will click the "report this as spam" link in their favourite 
mail agent as a means to unsubscribe. I mean, clicking a link is hard. The end 
result is that we end up on various block lists. It's a good thing that the 
email servers at large ISPs are often sensible enough to let the email through.

Some of the smaller ones had rather odd draconian limits set. This makes the 
situation for all of us worse.

Regards,

Seth
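
Added example, not part of the original post and not milter-greylist's own code: a Python sketch of the policy described above (bypass greylisting when the client is inside a /22 of the sender domain's published records, otherwise wait 15 minutes, then remember the sender). The DNS answers are a constructed table, and keying the persistent entry on domain plus client /22 is an assumption of this sketch.

```python
import ipaddress

# Constructed sample data standing in for DNS answers: the addresses behind a
# sender domain's MX hosts, its www host and the bare domain (documentation ranges).
SAMPLE_DNS = {
    "example.com": ["198.51.100.10", "198.51.100.25"],
    "example.net": ["203.0.113.5"],
}

GREYLIST_DELAY = 15 * 60  # the 15-minute wait mentioned in the post, in seconds
BYPASS_PREFIX = 22        # "inside a /22" of a published record


def covering_net(ip, prefix=BYPASS_PREFIX):
    """Return the /prefix network that contains ip."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def near_published_record(client_ip, domain, dns=SAMPLE_DNS):
    """True if client_ip shares a /22 with any address published for domain."""
    client = ipaddress.ip_address(client_ip)
    for addr in dns.get(domain.lower(), []):
        net = covering_net(addr)
        if client.version == net.version and client in net:
            return True
    return False


class Greylist:
    def __init__(self, dns=SAMPLE_DNS, delay=GREYLIST_DELAY):
        self.dns = dns
        self.delay = delay
        self.first_seen = {}  # (client_ip, sender, rcpt) -> time of first attempt
        self.known = set()    # (domain, client /22) pairs that have passed once

    def check(self, client_ip, sender, rcpt, now):
        """Return 'accept' or 'tempfail' for one SMTP delivery attempt."""
        domain = sender.rpartition("@")[2].lower()
        # 1. Client sits next to the domain's own published hosts: no delay.
        if near_published_record(client_ip, domain, self.dns):
            return "accept"
        # 2. Persistent entry. Assumption of this sketch: keyed on domain AND
        #    client /22, because the envelope sender alone is trivially forged.
        key = (domain, covering_net(client_ip))
        if key in self.known:
            return "accept"
        # 3. Classic greylisting: temp-fail until the same triplet retries
        #    after the delay, then remember the sender.
        triplet = (client_ip, sender.lower(), rcpt.lower())
        first = self.first_seen.setdefault(triplet, now)
        if now - first >= self.delay:
            self.known.add(key)
            return "accept"
        return "tempfail"
```

The `now` argument is passed in so the timing logic can be exercised without waiting; a real deployment would use the wall clock and expire old triplets.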


Re: ICANN to allow commercial gTLDs

2011-06-20 Thread David Sparro

On 6/18/2011 4:14 PM, John R. Levine wrote:

> If the USG operators said "sorry, the DOJ anti-trust rules don't
> allow us to serve a zone with .HONDA and .BACARDI", why would the
> the pressure be on them rather than on ICANN?  Nobody outside the
> ICANN bubble cares about more TLDs.


I think the most inclusive root zone will win.  Nobody is going to
complain to their ISP that the website http://civc.honda/ 'works.'  On 
the other hand if http://farmville.facebook/ doesn't...



> How do you propose to do that? The addresses of the roots are hard
> wired into the config of a million DNS caches around the world. If
> it came to a fight between ICANN and the root operators, it is hard
> to see how ICANN could win.


Yes, but that list will be replaced by the list found during the normal
query resolution process.  Therefore if one or two of the IP addresses
get replaced on the ICANN list of roots, the outsiders will get
marginalized.

I think that you'd need quite a few root server operators to join you in
your mutiny if you want to ensure victory.



--
Dave



Re: ICANN to allow commercial gTLDs

2011-06-20 Thread David Conrad
On Jun 20, 2011, at 11:19 AM, Mark Andrews wrote:
> do you want to issue a RFC that bans search lists?

Personally, I think search lists are a mistake and don't use them.  If you do 
use them, then you are accepting a certain amount of ambiguity. Naked TLDs will 
increase that ambiguity and I would recommend against their use, however there is 
no Internet Police to enforce such things (ICANN certainly isn't since ccTLDs 
can do whatever they like). I have significant doubt that an RFC will magically 
solve this problem (for any value of "this"). 

Regards,
-drc
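
Added example, not part of the thread: a Python model of how a stub resolver's search list makes a single-label name ambiguous once a TLD apex carries an address record, and of the implicit parent-domain search behind the EDU.COM case that RFC 1535 warns about. All names, addresses and the simplified wildcard matching are constructed for illustration; no real lookups are made.

```python
# Constructed zone data: names that "exist" in this toy DNS.
RECORDS = {
    "bank.": "192.0.2.10",                   # address record at the apex of a TLD
    "bank.corp.example.": "10.0.0.5",        # internal host with the same simple name
    "univhost.university.edu.": "198.51.100.7",
    "*.edu.com.": "203.0.113.66",            # wildcard under EDU.COM
}


def lookup(fqdn, records=RECORDS):
    """Exact match first, then the nearest enclosing wildcard (simplified)."""
    fqdn = fqdn.lower()
    if fqdn in records:
        return records[fqdn]
    labels = fqdn.rstrip(".").split(".")
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:]) + "."
        if wild in records:
            return records[wild]
    return None


def implicit_search_list(host_domain):
    """Old implicit behaviour: the host's own domain, then each parent up to the TLD."""
    labels = host_domain.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def candidates(name, search, ndots=1, search_first_always=False):
    """Names a stub resolver tries, in order."""
    if name.endswith("."):
        return [name]  # trailing dot: already fully qualified, search list unused
    absolute = name + "."
    with_search = [f"{name}.{s.rstrip('.')}." for s in search]
    if not search_first_always and name.count(".") >= ndots:
        return [absolute] + with_search  # enough dots: try the name as given first
    return with_search + [absolute]


def resolve(name, search, **kw):
    """Return (name that answered, address), or (None, None)."""
    for cand in candidates(name, search, **kw):
        addr = lookup(cand)
        if addr:
            return (cand.lower(), addr)
    return (None, None)


if __name__ == "__main__":
    # Same input, different answer depending on where the client sits.
    print(resolve("bank", ["corp.example"]))
    print(resolve("bank", ["other.example"]))
    # Implicit parent search sends a .edu name to the EDU.COM wildcard.
    print(resolve("univhost.university.edu",
                  implicit_search_list("dept.corp.com"),
                  search_first_always=True))
```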




Re: Address Assignment Question

2011-06-20 Thread Tony Finch
On 20 Jun 2011, at 16:26, Jérôme Nicolle  wrote:
> 
> But most RBL managers are shitheads anyway, so help them evade, that'll be 
> one more proof of spamhaus &co. uselessness and negative impact on the 
> Internet's best practices.

An organization that blocks 90% of spam with no false positives is incredibly 
useful.

Tony.
--
f.anthony.n.finch  http://dotat.at/


Re: ICANN to allow commercial gTLDs

2011-06-20 Thread Mark Andrews

In message <77733847-fbf7-460a-ad30-08dc42dc3...@virtualized.org>, David Conrad
 writes:
> On Jun 20, 2011, at 12:14 AM, Mark Andrews wrote:
> >> So they get what they ask for: Ambiguity in resolving the name space.
> > There is no ambiguity if tld operators don't unilaterally add address
> > records causing simple hostnames to resolve.
> 
> EDU.COM.

See RFC 1535.  Yes, a mistake was made implementing search lists.
An RFC was issued to say don't do search lists this way.

B.T.W. EDU.COM makes the point that TLDs shouldn't make simple
hostnames operational as doing so deliberately adds ambiguity.  Or do
you want to issue an RFC that bans search lists?

Mark
> Regards,
> -drc
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org



Re: VMware ESX LACP Support

2011-06-20 Thread Leigh Porter
Does "not out of the box" mean that there is an LACP 'fix'?

-- 
Leigh Porter


On 20 Jun 2011, at 21:45, "Josh Smith"  wrote:

> ESX does NOT support LACP out of the box.  Not sure about the nexus 1kv.
> 
> 
> Thanks,
> Josh Smith
> KD8HRX
> email/jabber:  juice...@gmail.com
> phone:  304.237.9369(c)
> 
> 
> 
> 
> 
> On Mon, Jun 20, 2011 at 4:39 PM, Manu Chao  wrote:
>> I would like to design VSS LACP based MECs with ESX hosts.
>> 
>> Does VMware ESX support LACP?
>> 
>> Do we need Nexus 1000 for ESX LACP support?
>> 
>> R/
>> Manu
>> 
> 
> 
> __
> This email has been scanned by the MessageLabs Email Security System.
> For more information please visit http://www.messagelabs.com/email 
> __




Re: unqualified domains, was ICANN to allow commercial gTLDs

2011-06-20 Thread brunner
> Another avenue could be At-Large.  The North American Regional At-Large
> Organization (NARALO)  - uniquely amongst the RALO's - accepts individual
> members.

as the elected unaffiliated member representative (or "umr") i suppose i
should point out that (a) yes, the structural feature of individual
membership exists in the naralo, and (b) it is unique to this ralo, and
(c) these members do elect an officer to the ralo leadership, in some
cases by acclamation or apathy, depending upon point of view, and (d)
redundantly, i am that stuckee.

points (c) and (d) are not terribly important to the issue of how any
number of persons having no other "at large structure" (als) membership,
say a local isoc chapter, may, if they choose, lobby for what they each,
jointly or severally -- to express involvement as a liability -- think
is in the public interest. i simply mention (c) and (d) for completeness.

i do have a caveat to offer. when i switched from the contracted parties
to the naralo mailing lists i found a "technical" working group and hopped
right on over. i found that its purpose was not to provide a venue for the
technical evaluation of policy issues, such as the sanity of v6-uber-alles
as a non-negotiable requirement for new registries located where there is
no v6, but to educate others. at that point i hopped right out.

i don't think "policy for dummies" is any more attractive than "tech for
dummies" as process and competency models.

> http://naralo.org

as joly's comment implies, there's a link to click, and consequences in
the form of works, not faith.

-e



Re: unqualified domains, was ICANN to allow commercial gTLDs

2011-06-20 Thread Tony Finch
On 20 Jun 2011, at 08:43, Mark Andrews  wrote:
> 
> There is also no such thing as "in-bailiwick glue for the TLD’s DNS servers". 
>  The root zone contains glue for TLDs.  No TLD zone contains glue for TLDs.

"In-bailiwick" means that the nameservers for a zone are under the apex of that 
zone. So the uk TLD servers are in-bailiwick: they are all of the form 
nsX.nic.uk for various X. The com TLD servers are not in-bailiwick since they 
are all under gtld-servers.net; similarly the .aero servers are under .de, .ch, 
.info, .org. If a zone has in-bailiwick nameservers then it must have glue in 
the parent zone. It is possible for a TLD to have no glue of its own (like 
.com) if all of its nameservers are under other TLDs. It is possible for a TLD 
to have no glue at all if it shares no nameservers with any other TLD - so .com 
has glue (shared with .net) but the .aero nameservers are all under other TLDs 
and are different from those TLDs' servers, so it can work without glue.

Tony.
--
f.anthony.n.finch  http://dotat.at/
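
Added example, not part of the original post: a Python sketch that applies the in-bailiwick definition above to a small root-zone delegation table and reports which TLDs carry their own glue, which rely on glue shared with another TLD, and which need none. It also goes one step beyond the post by flagging a circular delegation that cannot resolve without glue. The delegation table is constructed; the NS names under de/ch for aero and the alpha/beta pair are made up.

```python
# Constructed delegation data modelled on the cases in the post.
ROOT_DELEGATIONS = {
    "uk":    ["ns1.nic.uk", "ns2.nic.uk"],
    "net":   ["a.gtld-servers.net", "b.gtld-servers.net"],
    "com":   ["a.gtld-servers.net", "b.gtld-servers.net"],
    "de":    ["a.nic.de"],
    "ch":    ["a.nic.ch"],
    "aero":  ["ns1.dns-host.de", "ns2.dns-host.ch"],  # made-up host names
    "alpha": ["ns.hosting.beta"],    # alpha and beta depend only on each other
    "beta":  ["ns.hosting.alpha"],
}


def in_bailiwick(zone, host):
    """True if the nameserver name is at or under the apex of the zone."""
    zone, host = zone.lower().rstrip("."), host.lower().rstrip(".")
    return host == zone or host.endswith("." + zone)


def tld_of(host):
    return host.lower().rstrip(".").rsplit(".", 1)[-1]


def required_glue(delegations):
    """NS hosts that must have address records in the parent (the root here)."""
    return sorted({h.lower() for tld, hosts in delegations.items()
                   for h in hosts if in_bailiwick(tld, h)})


def classify_tlds(delegations):
    glue = set(required_glue(delegations))
    # A TLD is reachable if one of its servers has glue, or lives under a TLD
    # that is itself reachable. Iterate until nothing changes.
    reachable, changed = set(), True
    while changed:
        changed = False
        for tld, hosts in delegations.items():
            if tld in reachable:
                continue
            if any(h.lower() in glue or tld_of(h) in reachable for h in hosts):
                reachable.add(tld)
                changed = True
    report = {}
    for tld, hosts in delegations.items():
        if any(in_bailiwick(tld, h) for h in hosts):
            report[tld] = "own glue"
        elif any(h.lower() in glue for h in hosts):
            report[tld] = "shared glue"          # e.g. com, via net's servers
        elif tld in reachable:
            report[tld] = "no glue needed"       # e.g. aero
        else:
            report[tld] = "circular: needs glue"
    return report


if __name__ == "__main__":
    for tld, status in classify_tlds(ROOT_DELEGATIONS).items():
        print(f"{tld:6} {status}")
```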


Re: ICANN to allow commercial gTLDs

2011-06-20 Thread brunner
ray,

> ... only trust ".band" and that ".com" et. al. are "less secure".

"secure" is not a well-defined term.

as the .com registry access model accepts credit card fraud risk,
a hypothetical registry, say .giro, with wholesale registration at
the same dollar price point but an access mechanism accepting less
risk than credit card fraud would have less "insecure" registration
events.

as john levine pointed out, the hstld advisory group attempted to
address a property of "zone file(s)." as a member of that advisory
group i made public comments on the issues, technical and process,
it encountered.


> With a $185,000 application fee this tends to really kill small
> businesses and conditions the public to favor ecommerce with the
> giants, not to mention a nice revenue boost for ICANN.
> 
> Would love to hear the dirt on backroom conversations that led to this
> decision...

a mainer has been involved in policy development since, before there
was an icann. a vermonter is on the current icann board.

when looking for root causes, while the policy recommendation made by
the policy development body did not restrict the implementation of the
new gtld application process to a single event, staff adversity to law
suit risk precluded distinguishing between types of applications based
on policy -- say "high policy" applications like the original sponsored
applications before "low policy" applications like the original standard
applications -- and evaluating one type before the other. i suggest to
you that institutional risk adversity (there exists a litigation history
with the legacy monopoly operator) is the answer to questions of the
form "why one single, indivisible, wicked expensive, evaluation process
for all?"

> ... there will be enough public outcry to reverse it... but I'm
> not optimistic.

i would prefer "participation" over "outcry", and the act of "involvement"
seems to be more on point than the mental state of being "optimistic",
but mileage always varies.

on thursday there will be a text from the governmental, and the at
large, advisory groups, on applicant support from developing economies. 

-e



Re: VMware ESX LACP Support

2011-06-20 Thread Josh Smith
ESX does NOT support LACP out of the box.  Not sure about the nexus 1kv.


Thanks,
Josh Smith
KD8HRX
email/jabber:  juice...@gmail.com
phone:  304.237.9369(c)





On Mon, Jun 20, 2011 at 4:39 PM, Manu Chao  wrote:
> I would like to design VSS LACP based MECs with ESX hosts.
>
> Does VMware ESX support LACP?
>
> Do we need Nexus 1000 for ESX LACP support?
>
> R/
> Manu
>



VMware ESX LACP Support

2011-06-20 Thread Manu Chao
I would like to design VSS LACP based MECs with ESX hosts.

Does VMware ESX support LACP?

Do we need Nexus 1000 for ESX LACP support?

R/
Manu


Re: unqualified domains, was ICANN to allow commercial gTLDs

2011-06-20 Thread Owen DeLong

On Jun 19, 2011, at 7:22 PM, Michael Thomas wrote:

> On 06/19/2011 07:08 PM, Paul Vixie wrote:
>>> From: David Conrad
>>> Date: Sun, 19 Jun 2011 16:04:09 -1000
>>> 
>>> On Jun 19, 2011, at 3:24 PM, Paul Vixie wrote:
>>> 
>>> 
>>>> i think we have to just discourage lookups of single-token names,
>>>> universally.
>>>>
>>> How?
>>> 
>> that's a good question.  marka mentioned writing an RFC, but i expect
>> that ICANN could also have an impact on this by having applicants sign
>> something that says "i know that my single-label top level domain name
>> will not be directly usable the way normal domain names are and i intend
>> to use it only to register subdomain names which will work normally."
>>   
> 
> Isn't this problem self regulating? If sufficient things break
> with a single label, people will stop making themselves
> effectively unreachable, right?
> 
> Mike

I suspect that most of the entities in question will put both in to the DNS
and the issues will persist.

Owen




Re: ICANN to allow commercial gTLDs

2011-06-20 Thread John Levine
>> Simple hostnames as, global identifiers, were supposed to cease
>> to work in 1984.
>> 
>> Can you point out where that is stated?
>> 
>>  jaap
>
>RFC 897.

I see where it says that all of the hosts that existed in 1984 were
supposed to change their names to something with at least two
components, as part of the transition to the DNS.  I think we can
assume that process is now complete.

I don't see where it says that new DNS names can't have a single
component.  A page and line reference would be helpful.

R's,
John



RE: ICANN to allow commercial gTLDs

2011-06-20 Thread George Bonser
> With a $185,000 application fee this tends to really kill small
> businesses and conditions the public to favor ecommerce with the
> giants, not to mention a nice revenue boost for ICANN.
> 
> Would love to hear the dirt on backroom conversations that led to this
> decision...
> 
> Hopefully there will be enough public outcry to reverse it... but I'm
> not optimistic.

Looking at the array of other fees:

Registry Services Review Fee - $50,000
Dispute Resolution Filing Fee - $1000 - $5000 per party per filing
Community Priority Evaluation Fee  - $10,000

It looks like this is a great opportunity for ICANN to staff up and
boost salaries all around!  I wish there were some other aspect of real
estate where I could do something like this.  Maybe my town could make a
killing by deciding to name streets after famous brands for a low-low
fee of only $185,000 plus annual fees ... per street.  Maybe McDonalds
and Burger King would bid up the price of the name of the main drag
where they both have an outlet.  Or maybe Sears would fight with
Penney's over the name of the entrance road to the mall.  Hmmm.

The internet is pretty cool because "vital real estate" can be created
out of thin air and it can apparently cost a fortune.





Re: ICANN to allow commercial gTLDs

2011-06-20 Thread David Conrad
On Jun 20, 2011, at 2:35 AM, Robert E. Seastrom wrote:
> Randy Bush  writes:
>> what's new?  how about the operational technical effects, like data from
>> modeling various resolvers' responses to a large root zone?

Yep.  That is an area that has been identified as needing additional study (see 
comments by kc, summarized in 
http://www.icann.org/en/topics/new-gtlds/summary-analysis-root-zone-scaling-impact-21feb11-en.pdf).
 

> Things can get hairy with high update
> rates, so I'd encourage ICANN to dig in its heels about the 2x per day
> update rate

I don't know anyone who is pushing to increase the update rate of the root zone.

> An interesting question is what the load effects will be on the root.

One of the studies relevant to this was done by DNS-OARC. See 
http://www.icann.org/en/topics/ssr/root-zone-augementation-analysis-17sep09-en.pdf.
  There was an intent to do some follow-on studies, but from ICANN's 
perspective the interesting scaling questions turned out to be related to the 
provisioning side, so focus moved away from impact on the root servers.

Regards,
-drc




Re: ICANN to allow commercial gTLDs

2011-06-20 Thread John Levine
>How long before we see marketing campaigns urging people to only trust
>".band" and that ".com" et. al. are "less secure".

An interesting question.  There was a group that was supposed to work
on "high security TLDs".  I suggested that to be usefully high
security, the registry should make site visits to the registrants to
verify their identity and processes, and charge accordingly, like
$1000/yr or more.  You could hear the sound of people reaching for
their smelling salts.

Shortly afterwards it was hijacked by marketers who came up with a
laundry list of low value security features, nearly all of which any
competent registry would do anyway, useful only as a gimmick to upsell
registrants.  Then they tried and failed to find someone competent yet
cynical enough to administer the laundry list process, nobody was
willing to do so, and the group collapsed.

The motivation for HSTLD was fear that the banking industry might
register their own .BANK with their own idea of high security, which
might yet happen.

R's,
John



Re: unqualified domains, was ICANN to allow commercial gTLDs

2011-06-20 Thread Jay Ashworth
- Original Message -
> From: "Tony Finch" 

> Trailing dots are not permitted on mail domains.

I couldn't believe that, so I went and checked 5322.  Tony's right: 
there is no way to write an email address which is deterministic,
unless mail servers ignore the DNS search path.  At least, that's 
what it sounds like to me.

> There has been an ongoing argument about the interaction between
> unqualified domains and TLDs in mail domains. RFC 2821 said
> single-label mail domains were syntax errors, but this was probably an
> editorial mistake and RFC 5321 permits them. It's probably safest to
> assume that a single-label mail domain is a local unqualified domain
> which will have its qualifying labels appended by the message
> submission server, and in other contexts all bets are off.

In fact what matters is what the processing rules and code of mail servers
*do* with monocomponent RHSs.  Do they try to apply the server's DNS
search path to them?  Or whatever's in their configs?  Or do they just
try to look them up in DNS, monocomponent?

Cheers,
-- jr 'Eric Allman, Wietse Venema, DJB; please pick up the courtesy phone' a
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA  http://photo.imageinc.us +1 727 647 1274



Re: unqualified domains, was ICANN to allow commercial gTLDs

2011-06-20 Thread Tony Finch
On 20 Jun 2011, at 02:24, Paul Vixie  wrote:
> 
> furthermore, the internet has more in it than just the web, and i know that
> "foo@sony." will not have its RHS ("sony.") treated as a hierarchical name.

Trailing dots are not permitted on mail domains.

There has been an ongoing argument about the interaction between unqualified 
domains and TLDs in mail domains. RFC 2821 said single-label mail domains were 
syntax errors, but this was probably an editorial mistake and RFC 5321 permits 
them. It's probably safest to assume that a single-label mail domain is a local 
unqualified domain which will have its qualifying labels appended by the 
message submission server, and in other contexts all bets are off.

Tony.
--
f.anthony.n.finch  http://dotat.at/




Re: unqualified domains, was ICANN to allow commercial gTLDs

2011-06-20 Thread Ray Soucy
Now that the cat is out of the bag, maybe we should look at trying to
get people to make use of FQDN's more.

I just added a rewrite to my personal site to give it a try, and threw a
quick note up about it:

http://soucy.org./whydot.php

So far, it looks like every browser correctly respects the use of a
FQDN; though it looks like SSL is completely broken by it.  The
solution there is either to generate certificates with the correct
FQDN CN, or to make browsers assume that every CN is a FQDN (better
option IMHO).

To be honest, I think we've all been a little lazy leaving off the
last dot and are just annoyed now that it's going to cause a potential
problem.

On Fri, Jun 17, 2011 at 9:33 PM, John Levine  wrote:
>>The notion of a single-component FQDN  would be quite a breakage for
>>the basic concept of using both FQDNs and Unqualified names.
>
> Well, you know, there's a guy whose email address has been n@ai for
> many years.  People have varying amounts of success sending him mail.
>
> R's,
> John
>
>



-- 
Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/



Re: Address Assignment Question

2011-06-20 Thread Seth Mattinen
On 6/20/11 5:44 AM, Steve Richardson wrote:
> 
> They have inquired about IPv6 already, but it's only gone so far as
> that.  I would gladly give them a /64 and be done with it, but my
> concern is that they are going to want several /64 subnets for the
> same reason and I don't really *think* it's a legitimate reason.  Bear
> in mind that "legitimate" in this context is referring to the
> justification itself, not their business model.
> 

Then just give them /64s randomly from under a single /48. ;)

~Seth



Re: Cogent depeers ESnet

2011-06-20 Thread George B.
>
>> internet connectivity, and that much $ is at stake, you're stupid if you 
>> don't have some redundancy.  Nothing works all the time forever.
>
> I can't consider Cogent even a redundant link, since I need two other
> upstreams to reach the Internet redundantly.
>
> -cjp
>

Well, they aren't someone you can take a default route from (either
ipv4 or ipv6), that's for sure.  So yeah, could use them if taking
full routes.



Re: unqualified domains, was ICANN to allow commercial gTLDs

2011-06-20 Thread Robert Bonomi
> From nanog-bounces+bonomi=mail.r-bonomi@nanog.org  Mon Jun 20 00:15:32 
> 2011
> To: David Conrad 
> From: Mark Andrews 
> Subject: Re: unqualified domains, was ICANN to allow commercial gTLDs
> Date: Mon, 20 Jun 2011 15:14:49 +1000
> Cc: NANOG list 
>
>
> In message <83163718-fa5b-47ba-ba50-67701abd5...@virtualized.org>, David 
> Conrad
>  writes:
> > On Jun 19, 2011, at 6:39 PM, Mark Andrews wrote:
> > > I'm curious how anyone that has not signed an agreement with ICANN can 
> > > be bound to anything in any applicant guide book.
> >
> > In order to obtain a gTLD, you have to sign a contractual agreement 
> > with ICANN.
>
> David, you are missing the point.  The TM holder doesn't want the gtld, 
> they just want to protect their trademark.  The TM holder doesn't have a 
> contract with ICANN.  They do however have a legitimate right to the name 
> and want to spend $0 keeping the name out of anybody's hands but theirs.  
> $187K is no longer an amount to be sneezed at.
>
> Mark
>
> > > Also rfp-clean-30may11-en.pdf basically deals with ..
> >
> > You might want to re-read pretty much any part of that document (e.g., 
> > the title).
> >
> > Regards,
> > -drc
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>



Re: Cogent depeers ESnet

2011-06-20 Thread Christopher Pilkington
On Jun 20, 2011, at 10:53 AM, Jon Lewis  wrote:

> internet connectivity, and that much $ is at stake, you're stupid if you 
> don't have some redundancy.  Nothing works all the time forever.

I can't consider Cogent even a redundant link, since I need two other
upstreams to reach the Internet redundantly.

-cjp



Re: ICANN to allow commercial gTLDs

2011-06-20 Thread Ray Soucy
Technical issues aside (and there are many...)

How long before we see marketing campaigns urging people to only trust
".band" and that ".com" et. al. are "less secure".

With a $185,000 application fee this tends to really kill small
businesses and conditions the public to favor ecommerce with the
giants, not to mention a nice revenue boost for ICANN.

Would love to hear the dirt on backroom conversations that led to this
decision...

Hopefully there will be enough public outcry to reverse it... but I'm
not optimistic.

On Fri, Jun 17, 2011 at 5:04 PM, Jay Ashworth  wrote:
> Aw, Jeezus.
>
> No.  Just, no.
>
>  http://tech.slashdot.org/story/11/06/17/202245/
>
> Cheers,
> -- jra
> --
> Jay R. Ashworth                  Baylink                       
> j...@baylink.com
> Designer                     The Things I Think                       RFC 2100
> Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
> St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274
>
>



-- 
Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/



Re: ICANN to allow commercial gTLDs

2011-06-20 Thread Tony Finch
On 18 Jun 2011, at 09:22, Owen DeLong  wrote:
> 
> In . lives a pointer to apple. consisting of one or more NS records and 
> possibly some A/ glue for those nameservers if they are within apple.

Don't forget the DS records containing the hash of Apple's DNSSEC KSK.

Tony.
--
f.anthony.n.finch  http://dotat.at/


Re: unqualified domains, was ICANN to allow commercial gTLDs

2011-06-20 Thread Joly MacFie
Another avenue could be At-Large.  The North American Regional At-Large
Organization (NARALO)  - uniquely amongst the RALO's - accepts individual
members.

http://naralo.org

j

On Sun, Jun 19, 2011 at 10:26 PM, David Conrad  wrote:

>
> Well, yes, ICANN could have contracted parties (e.g., the new gTLDs) do
> this. A bit late to get it into the Applicant's Guidebook, but maybe
> something could be slipped in after the fact.  Who is going to lead the
> contingent from NANOG to raise this in the GNSO?
>
> Of course, changing existing contracts tends to be challenging since the
> contracted parties have to agree to the changes and I wouldn't be surprised
> if they demanded ICANN give something up in exchange for agreeing to this
> new restriction. It'll probably take a while.
>
> ICANN can respectfully request ccTLD folks do the same, but whether or not
> the ccTLDs listen is a separate matter.  If the ccTLD folks feel they gain
> benefit from having naked TLDs, they'll tell ICANN to take a hike.
>
> Not sure what will happen with the IDN ccTLDs since they appear to be sort
> of a combination of ccTLDs and contracted parties.
>
> You probably know all this, but things in the ICANN world probably don't
> work the way most folks think.
>
> Regards,
> -drc
>
>
>


-- 
---
Joly MacFie  218 565 9365 Skype:punkcast
WWWhatsup NYC - http://wwwhatsup.com
 http://pinstand.com - http://punkcast.com
 VP (Admin) - ISOC-NY - http://isoc-ny.org
--
-


Re: ICANN to allow commercial gTLDs

2011-06-20 Thread David Conrad
On Jun 20, 2011, at 12:14 AM, Mark Andrews wrote:
>> So they get what they ask for: Ambiguity in resolving the name space.
> There is no ambiguity if tld operators don't unilaterally add address
> records causing simple hostnames to resolve.

EDU.COM.

Regards,
-drc




Re: Address Assignment Question

2011-06-20 Thread Jérôme Nicolle
2011/6/20 Leo Bicknell :
> In a message written on Mon, Jun 20, 2011 at 08:01:24AM -0700, JC Dill wrote:
>> I would use this answer in reply to the customer, and ask them to
>> (specifically) justify their request for the discontiguous blocks.

That's like asking them to state the obvious...

> Or, just don't offer it.  Make them fit in one block, giving them
> 3 months to renumber into a single, larger block if necessary.

Well, forcing a periodic renumbering whenever address gets freed and
there's a potential aggregation is a good thing. It should be stated in
service agreements, IMHO.

> It sends a strong message you're willing to give them all the space
> they need, but won't help them evade RBL's.

Unless many contiguous blocks are assigned as different objects : a
RBL must NOT presume of one end-user's inetnum unless it has been
caught doing nasty things AND didn't comply to abuse@ requests.

But most RBL managers are shitheads anyway, so help them evade,
that'll be one more proof of spamhaus &co. uselessness and negative
impact on the Internet's best practices.


-- 
Jérôme Nicolle



Re: Address Assignment Question

2011-06-20 Thread Leo Bicknell
In a message written on Mon, Jun 20, 2011 at 08:01:24AM -0700, JC Dill wrote:
> I would use this answer in reply to the customer, and ask them to 
> (specifically) justify their request for the discontiguous blocks.

Or, just don't offer it.  Make them fit in one block, giving them
3 months to renumber into a single, larger block if necessary.

It sends a strong message you're willing to give them all the space
they need, but won't help them evade RBL's.

-- 
   Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/




Re: Address Assignment Question

2011-06-20 Thread Matthew Palmer
On Mon, Jun 20, 2011 at 09:26:30AM -0400, Steve Richardson wrote:
> Hi Jason,
> 
> On Mon, Jun 20, 2011 at 9:06 AM, Jason Baugher  wrote:
> > Did everyone miss that the customer didn't request a /24, they requested a
> > "/24s worth in even more dis-contiguous blocks". I can only think of one
> > reason why a customer would specifically ask for that. They are concerned
> > that they'll get blacklisted. They're hoping if they do, it will be a small
> > block of many rather than one entire block.
> >
> > When customers make strange requests without giving a good explanation, I
> > have to assume they're up to something.
> >
> > Jason
> 
> They provided an explanation, describing how the IPs were going to be
> used.  Yes, part of it does have to do with being blocked, which
> *definitely* concerns me.  One thing they do say is that they need
> several IPs per block to assign to their MTAs to handle such a large
> amount of email (3 to 5 million per day).  Being primarily focused on
> layers 1 through 4, I don't have an incredible amount of experience
> with high volume email server configuration, so I have no idea if they
> are feeding me a line of BS or not.

I've worked at a company that did managed services (including the pipe and
address range) of a "legitimate" bulk mailer[1], and the logic provided to
you is "legit", as far as it goes -- that is to say, what they're saying is
probably why they really want the space (whether it's a legitimate
justification for the allocation of IP space as per current policies is a
different matter).

Basically, what your customer wants is to evade big e-mail providers'
anti-spam measures.  From their perspective, of course, I'm sure they think
they're doing the "right thing", and the people they're delivering to
really, really want this e-mail, and it's just the nasty e-mail provider
getting in the way.

As I understand it, a common technique at these big providers is to have
reputation for IP addresses by spamminess, as an element of the overall
determination of whether a particular e-mail is spam.  If an address doesn't
have a reputation (yet), then it's rate limited, to limit the damage that a
new spammer can do before the e-mail provider gets feedback (from users)
about whether the e-mail they're getting is spam or not.  This reputation
score (presumably) extends to the /24 (and probably, to a lesser extent, the
WHOIS block, but I'm not as confident about that bit).

What makes me think you're being scammed is that, for all the troubles we
had with our customer, they never needed more address space once they'd
gotten a good reputation for their initial allocation.  Maybe my customer
just didn't grow as much as yours did, so their spamcannon didn't need any
more barrels.  Still, I'm led to believe that once an IP address has good
reputation, it should be effectively unlimited, so if they need more
addresses it's because the current ones don't have real good rep...

> My feeling is that (paraphrasing here) "we might get blocked
> occasionally" and "we need this many IPs on our MTAs because they
> can't handle the load" are *not* legitimate reasons for requesting so
> many addresses.

You are correct; as far as I know ARIN doesn't take those as valid
justifications if you need to go back to them for more space, so you can't
either.

At this point they've admitted to you that they're shitting on your good
name, and setting you up for headaches down the line (dealing with
complaints from people who don't like their spam, having to clean up the IP
addresses they discard when they're useless (or they leave)).  In techie
utopia, you'd be able to sting them a fairly hefty surety to cover the costs
associated with cleaning up their shit -- and then tell them that the IP
addresses they've already got are enough, and if they need more capacity, 
they should clean up the addresses they've got.

In reality, though, unless you've got management with a far more cavalier
attitude to revenue than mine did, they won't do anything to piss off a
customer who is, in their eyes, quite the cash cow.  I'm mildly surprised
that you got to evaluate their address request to the degree you have; I
predict that any attempts to actually deny them more space (let alone
extract additional compensation for their destruction of your resources)
will be overridden by management.

- Matt

[1] I use scare quotes because as far as I'm concerned, if your business
model is based on sending lots of e-mail, sooner or later you're going to be
sending spam because that's what makes you the money.  If you didn't
personally collect the addresses, you're in for a world of hurt, and if you
don't know that, you don't deserve to be in the business of bulk e-mail, and
if you do know that, then at best you're a spammer-by-proxy.


-- 
Q: Why do Marxists only drink herbal tea?
A: Because proper tea is theft.
-- Chris Suslowicz, in the Monastery




Re: Address Assignment Question

2011-06-20 Thread JC Dill

 On 20/06/11 6:18 AM, Leo Bicknell wrote:


> Almost every customer I've dealt with who requested such a thing
> eventually ended up having their contract terminated for spamming.

I would use this answer in reply to the customer, and ask them to 
(specifically) justify their request for the discontiguous blocks.

> Many of the RBL's chose to increase the size of their blocks to put
> more pressure on ISP's.  So if you give them /29's in 10 different
> blocks they will block the /24 in each, then a /23 in each, and so
> on.  Basically this becomes a quick way for you to get 100% of your
> address space blocked, and make the rest of your customers really
> unhappy.  When the RBL's see you gave them a bunch of small blocks
> in different supernets they assume you are spammer friendly.


And mention all of this as well.  If you don't have a special fee you 
charge when you have to deal with cleaning up or recovering contaminated 
IPs, include one with this next allocation.


Theory:  Since their current userbase is not currently creating a spam 
problem, they are doing one of two things:


1)  They are going after a more risky new userbase (e.g. looking at 
providing services for more spammy customers).


2)  They are *concerned* about the possibility of accidentally acquiring 
a more risky new userbase, and proactively designing their network to 
have the least collateral damage (to themselves) if such a customer 
should appear on their network.  This would be prudent, good business 
even.  Except for how it prepares for a business shift to #1.


The big risk is that they are going to try to sell you on theory #2 when 
their real business plan is theory #1.


I would charge a significant extra fee for discontiguous address space, 
enough that you can afford to carefully assign the rest of the block to 
non-web-non-mail-server uses, to not put other customers at risk.


jc




Re: Cogent depeers ESnet

2011-06-20 Thread Jon Lewis

On Sat, 18 Jun 2011, George B. wrote:


> I suppose the moral of the story is:  "never single-home to Cogent"


The moral is multihome.  It gets real old hearing people whine that 
they're losing $XXX,XXX.XX per hour, minute, whatever, when their internet 
access fails...but they spend some tiny fraction (like 1% or a lot less) 
of that per month on a single internet connection.  If your business 
depends on internet connectivity, and that much $ is at stake, you're 
stupid if you don't have some redundancy.  Nothing works all the time 
forever.


--
 Jon Lewis, MCP :)   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: Address Assignment Question

2011-06-20 Thread William Herrin
On Mon, Jun 20, 2011 at 8:13 AM, Steve Richardson
 wrote:
> We have a customer who, over the years, has amassed several small subnet
> assignments from us for their colo.  They are an email marketer.  They have
> requested these assignments in as many discontiguous netblocks as we can
> manage.  They are now asking for more addresses (a /24s worth) in even more
> discontiguous blocks.  What I'd like to know is whether there is a
> legitimate use for so many addresses in discontiguous networks besides
> spam?

Hi Steve,

Best case scenario: they're using lists from their customers who
claimed they followed proper practices when building the lists but
didn't... because nobody who farms out bulk email builds a list via
"confirmed opt in" as expected by best practices. When one of the
lists gets filtered, they want the others to be protected.

Worst case scenario they are deliberately spamming and trying to hide
under the radar by spreading it out.


> I am trying my best to give them the benefit of the doubt here,
> because they do work directly with Spamhaus to not be listed (I realize
> reasons on both sides why this could be) and searches on Google and spam
> newsgroups for their highest traffic email domains yield next to nothing,
> given the amount of email they say they send out.

Try tools like http://www.mxtoolbox.com/blacklists.aspx and
http://www.anti-abuse.org/multi-rbl-check/ and run through their
existing address space. When you're skirting the gray zone, Spamhaus
is generally the last one to list you. Find out what the other RBLs
think.


> However, if they
> *are* legitimate, which certainly is possible, are discontiguous networks a
> common practice for even legit operators, as it's quite likely that even
> legit email marketers will end up being blocked because someone accidentally
> hit 'Spam' instead of 'Delete' in their AOL software?

If this was a brand new customer, I'd say hell no: they're obviously a
spammer. Since they've been with you for years and haven't tripped the
filters yet, I wouldn't be inclined to send them packing. As a
contingency to receiving the spread-out assignments, however, I would
ask them to sign a document to the effect that they only use email
lists built with confirmed opt-in with a stiff and escalating dollar
penalty clause should your abuse department receive convincing and
voluminous complaints that they didn't.

Regards,
Bill Herrin



-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: 
Falls Church, VA 22042-3004
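
Added example, not part of any post in this thread: one way to "run through their existing address space" as suggested above, sweeping every address of a customer's assignments against DNSBL zones and grouping listings by covering /24. The zone name `dnsbl.example`, the sample assignments (RFC 2544 benchmarking space) and the canned answers are constructed placeholders; substitute the lists you actually query.

```python
import ipaddress
import socket
from collections import defaultdict

# Hypothetical zone name (assumption); substitute the DNSBL zones you use.
ZONES = ["dnsbl.example"]

# Constructed sample assignments: three /29s from three different /24s.
SAMPLE_ASSIGNMENTS = ["198.18.0.8/29", "198.18.6.8/29", "198.18.30.8/29"]

# Constructed answers standing in for a DNSBL, so the example runs offline.
FAKE_ANSWERS = {
    "10.6.18.198.dnsbl.example": "127.0.0.2",
    "12.6.18.198.dnsbl.example": "127.0.0.4",
    "9.30.18.198.dnsbl.example": "127.0.0.2",
    # A wildcarding resolver answering for a name that is not listed:
    "9.0.18.198.dnsbl.example": "203.0.113.7",
}


def dnsbl_name(ip, zone):
    """Build the DNSBL query name: reversed IPv4 octets followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name):
    """Return the A record for `name`, or None if the lookup fails.

    Any lookup failure (NXDOMAIN, timeout) is treated as "no answer", so a
    broken resolver shows up as a clean sweep; check that separately.
    """
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def fake_resolver(name):
    """Offline stand-in for system_resolver, backed by FAKE_ANSWERS."""
    return FAKE_ANSWERS.get(name)


def is_listing(answer):
    """DNSBL listings are answers inside 127.0.0.0/8; ignore anything else."""
    if answer is None:
        return False
    try:
        return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")
    except ValueError:
        return False


def sweep(assignments, zones=ZONES, resolve=system_resolver):
    """Return {covering /24: [(ip, zone, answer), ...]} for listed addresses."""
    hits = defaultdict(list)
    for block in assignments:
        for ip in ipaddress.ip_network(block):
            for zone in zones:
                answer = resolve(dnsbl_name(ip, zone))
                if is_listing(answer):
                    parent = ipaddress.ip_network(f"{ip}/24", strict=False)
                    hits[str(parent)].append((str(ip), zone, answer))
    return dict(hits)


if __name__ == "__main__":
    for parent, rows in sweep(SAMPLE_ASSIGNMENTS, resolve=fake_resolver).items():
        print(parent, len(rows), "listed:", rows)
```

Grouping by /24 shows at a glance which of your blocks already carry listings from this one customer.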



Re: So... is it time to do IPv6 day monthy yet?

2011-06-20 Thread Mark Andrews

In message <3da28681-35cf-4a48-9840-af5f8ed34...@dotat.at>, Tony Finch writes:
> On 18 Jun 2011, at 19:35, Owen DeLong  wrote:
> > 
> > Note, none of these came with glue.
> 
> No, you used dig +trace which does not show the additional section. If they had
> not included glue then resolution would have failed.

And if you want to see the glue use "dig +trace +all" or 
"dig +trace +additional".

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org



Re: Address Assignment Question

2011-06-20 Thread David Miller

On 6/20/2011 9:52 AM, valdis.kletni...@vt.edu wrote:

> On Mon, 20 Jun 2011 09:26:30 EDT, Steve Richardson said:
>
>> *definitely* concerns me.  One thing they do say is that they need
>> several IPs per block to assign to their MTAs to handle such a large
>> amount of email (3 to 5 million per day).  Being primarily focused on
>> layers 1 through 4, I don't have an incredible amount of experience
>> with high volume email server configuration, so I have no idea if they
>> are feeding me a line of BS or not.
>
> It's BS.  5M a day is only about 60 per second, not at all a problem for a
> single IP address running properly configured SMTP software.
>
> For comparison, in the mid-90s, I was moving 1M RCPT TO's a day (and probably
> half that number of envelopes) on a Listserv host using Sendmail on an IBM
> RS6000-220 - a whole whopping 66MHz Power 604E processor and something like 64M
> of RAM (The same basic firepower as an old Apple 6600 Mac, if you remember
> them...)  Doing 10M messages a day on a single box is *easy* these days - the
> hardest part is getting a disk subsystem that survives all the fsync() beating
> most MTAs like to dish out



Well... 10M messages per day on a single box today would be fine for 
hardware power, if most messages are accepted remotely on the first try, 
but not necessarily doable in the SMTP environment of today.  Mail 
servers that send a lot of email have to hold a lot higher percentage of 
messages in queue for longer today due to greylisting and other 
deferrals - particularly from freemail sites.


Your customer should only need X addresses per block for SMTP load 
sharing if they are going to have X number of physical servers.  If they 
are not going to have that many physical servers, then multiple 
addresses in the same block per server provides no additional throughput 
and could only be for block avoidance.  SMTP servers do most of their 
work managing mail queues - accepting new messages into queue, keeping 
track of messages in flight (those that failed and need to be retried), 
spoon feeding messages out to broken MTAs, etc... more IPs per box 
doesn't help this.


Someone who expects to be "blocked occasionally" would only need two (or 
a few...) address blocks.  Someone who expects to be "blocked all the 
time" would need *many* different discontiguous address blocks.


Are you getting spam complaints for their current blocks at an 
unreasonable (to you) rate?


Are they doing all the right things with SPF, DK/DKIM (not an invitation 
for a holy war on whether or not these are good or useful)?


If I put my tin foil hat on for a moment, I might suspect that your 
email marketer may be feeling the pinch of the economic downturn and 
might be considering implementing less scrupulous practices than they 
have followed in the past.  Even with my tin foil hat blocking out 
external voices... most internal voices agree that this sounds spammy.


-DMM




Graphical representation of a v6 address space usage

2011-06-20 Thread Jérôme Nicolle
Hi !

I'm trying to put together some statistical data about the allocation
status of a (rather large) IPv6 LIR range. I'm used to representing v4
address space using Hilbert curves, but it's not really optimal for
IPv6 as the allocated space is too sparse, and the unitary allocations
way too small to label them on the graphical representation.

So I'm looking for "graphical representation best practices", such as
an anamorphic scaling algorithm to draw a more readable map while
still pointing out the vast amount of free space remaining with a non
proportional surface.

Did anyone see such a tool ?

Thanks !

-- 
Jérôme Nicolle



Re: Address Assignment Question

2011-06-20 Thread Jon Lewis

On Mon, 20 Jun 2011, Steve Richardson wrote:


> We have a customer who, over the years, has amassed several small subnet
> assignments from us for their colo.  They are an email marketer.  They have
> requested these assignments in as many discontiguous netblocks as we can
> manage.  They are now asking for more addresses (a /24s worth) in even more
> discontiguous blocks.  What I'd like to know is whether there is a
> legitimate use for so many addresses in discontiguous networks besides
> spam?


The most common uses for such IP assignments are SEO and snowshoe 
spamming.  It may seem a crazy idea, but have you asked them why they need 
a bunch of subnets from as many different /24s as possible rather than 
just a /24?  What was their justification for the /24 (regardless of 
contiguity)?



> IPv4 addresses are becoming more of a scarce resource.  However, if they
> *are* legitimate, which certainly is possible, are discontiguous networks a
> common practice for even legit operators, as it's quite likely that even
> legit email marketers will end up being blocked because someone accidentally
> hit 'Spam' instead of 'Delete' in their AOL software?


No...and I'd say asking for that is a gamble which suggests they're not 
legit.  A legit mailer should have no objection (or even prefer) to have 
all their IPs contiguous, so as not to be mixed up with and confused for 
another customer (one that might be a worse spammer than they are).


--
 Jon Lewis, MCP :)   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: Address Assignment Question

2011-06-20 Thread Valdis . Kletnieks
On Mon, 20 Jun 2011 09:26:30 EDT, Steve Richardson said:

> *definitely* concerns me.  One thing they do say is that they need
> several IPs per block to assign to their MTAs to handle such a large
> amount of email (3 to 5 million per day).  Being primarily focused on
> layers 1 through 4, I don't have an incredible amount of experience
> with high volume email server configuration, so I have no idea if they
> are feeding me a line of BS or not.

It's BS.  5M a day is only about 60 per second, not at all a problem for a
single IP address running properly configured SMTP software.

For comparison, in the mid-90s, I was moving 1M RCPT TO's a day (and probably
half that number of envelopes) on a Listserv host using Sendmail on an IBM
RS6000-220 - a whole whopping 66MHz Power 604E processor and something like 64M
of RAM (The same basic firepower as an old Apple 6600 Mac, if you remember
them...)  Doing 10M messages a day on a single box is *easy* these days - the
hardest part is getting a disk subsystem that survives all the fsync() beating
most MTAs like to dish out





Re: unqualified domains, was ICANN to allow commercial gTLDs

2011-06-20 Thread Adam Atkinson

Florian Weimer wrote:


>> It was a very long time ago, but I seem to recall being shown
>> http://dk, the home page of Denmark, some time in the mid 90s.
>>
>> Must I be recalling incorrectly?
>
> It must have been before 1996.  Windows environments cannot resolve
> A/ records for single-label domain names.


This would have been May 1995 at the latest. And I don't recall
the OS being used at the time. Some flavour of Unix, Windows or
MacOS (or "System 7" or whatever it was called at the time) or possibly
even an Amiga.




Re: So... is it time to do IPv6 day monthy yet?

2011-06-20 Thread Tony Finch
On 18 Jun 2011, at 19:35, Owen DeLong  wrote:
> 
> Note, none of these came with glue.

No, you used dig +trace which does not show the additional section. If they had 
not included glue then resolution would have failed. 

Tony.
--
f.anthony.n.finch  http://dotat.at/


Re: Address Assignment Question

2011-06-20 Thread John Peach
On Mon, 20 Jun 2011 09:26:30 -0400
Steve Richardson  wrote:

> Hi Jason,
> 
> On Mon, Jun 20, 2011 at 9:06 AM, Jason Baugher
>  wrote:
> > Did everyone miss that the customer didn't request a /24, they
> > requested a "/24s worth in even more dis-contiguous blocks". I can
> > only think of one reason why a customer would specifically ask for
> > that. They are concerned that they'll get blacklisted. They're
> > hoping if they do, it will be a small block of many rather than one
> > entire block.
> >
> > When customers make strange requests without giving a good
> > explanation, I have to assume they're up to something.
> >
> > Jason
> 
> They provided an explanation, describing how the IPs were going to be
> used.  Yes, part of it does have to do with being blocked, which
> *definitely* concerns me.  One thing they do say is that they need
> several IPs per block to assign to their MTAs to handle such a large
> amount of email (3 to 5 million per day).  Being primarily focused on
> layers 1 through 4, I don't have an incredible amount of experience
> with high volume email server configuration, so I have no idea if they
> are feeding me a line of BS or not.
> 
> My feeling is that (paraphrasing here) "we might get blocked
> occasionally" and "we need this many IPs on our MTAs because they
> can't handle the load" are *not* legitimate reasons for requesting so
> many addresses.

If it helps you make your mind up, please give us the ranges you are
going to give them and we'll pre-emptively block them.



Re: Address Assignment Question

2011-06-20 Thread Steve Richardson
Hi Jason,

On Mon, Jun 20, 2011 at 9:06 AM, Jason Baugher  wrote:
> Did everyone miss that the customer didn't request a /24, they requested a
> "/24s worth in even more dis-contiguous blocks". I can only think of one
> reason why a customer would specifically ask for that. They are concerned
> that they'll get blacklisted. They're hoping if they do, it will be a small
> block of many rather than one entire block.
>
> When customers make strange requests without giving a good explanation, I
> have to assume they're up to something.
>
> Jason

They provided an explanation, describing how the IPs were going to be
used.  Yes, part of it does have to do with being blocked, which
*definitely* concerns me.  One thing they do say is that they need
several IPs per block to assign to their MTAs to handle such a large
amount of email (3 to 5 million per day).  Being primarily focused on
layers 1 through 4, I don't have an incredible amount of experience
with high volume email server configuration, so I have no idea if they
are feeding me a line of BS or not.

My feeling is that (paraphrasing here) "we might get blocked
occasionally" and "we need this many IPs on our MTAs because they
can't handle the load" are *not* legitimate reasons for requesting so
many addresses.

Thanks,
steve



Re: Address Assignment Question

2011-06-20 Thread Aftab Siddiqui
On Mon, Jun 20, 2011 at 5:30 PM, Bret Clark wrote:

> On 06/20/2011 08:13 AM, Steve Richardson wrote:
>
>> What I'd like to know is whether there is a
>> legitimate use for so many addresses in discontiguous networks besides
>> spam?  I am trying my best to give them the benefit of the doubt here,
>> because they do work directly with Spamhaus to not be listed (I realize
>> reasons on both sides why this could be) and searches on Google and spam
>> newsgroups for their highest traffic email domains yield next to nothing,
>> given the amount of email they say they send out.
>>
> Well, not so sure I would worry about legit or not legit use...while ISP's
> are looked at being the police, legally law enforcement are the ones to
> pursue illegal use. But it sounds like you've done your homework and they
> sound legit. Have them fill out an IP Justification form (as ARIN requires
> i) and go from there. I wouldn't worry about providing them the /24.
> Personally I would charge them for the /24 too, makes users think twice
> about the need for a block that large.
>

Well, it's my responsibility (being an ISP) to know whether it is legit or not,
because if it is legitimate then it will take My ASN to pollute the internet
because I don't see if the customer has its own ASN. My reputation will be
at stake because I failed to recognize the difference between policing or
doing my business the right way.

Best Wishes,

Aftab A. Siddiqui


Re: Address Assignment Question

2011-06-20 Thread Leo Bicknell
In a message written on Mon, Jun 20, 2011 at 08:06:44AM -0500, Jason Baugher 
wrote:
> Did everyone miss that the customer didn't request a /24, they requested 
> a "/24s worth in even more dis-contiguous blocks". I can only think of 
> one reason why a customer would specifically ask for that. They are 
> concerned that they'll get blacklisted. They're hoping if they do, it 
> will be a small block of many rather than one entire block.

+1

Almost every customer I've dealt with who requested such a thing
eventually ended up having their contract terminated for spamming.

Many of the RBL's chose to increase the size of their blocks to put
more pressure on ISP's.  So if you give them /29's in 10 different
blocks they will block the /24 in each, then a /23 in each, and so
on.  Basically this becomes a quick way for you to get 100% of your
address space blocked, and make the rest of your customers really
unhappy.  When the RBL's see you gave them a bunch of small blocks
in different supernets they assume you are spammer friendly.

-- 
   Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
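
Added example, not part of any post in this thread: the escalation described above (/29s in ten different blocks, then the /24 around each, then the /23, and so on) worked through for a provider's own space, next to the same customer held in one contiguous block. The ISP block and assignments are constructed from RFC 2544 benchmarking space, and the function names are illustrative.

```python
import ipaddress

# Constructed sample data (RFC 2544 benchmarking space, not real assignments).
ISP_BLOCKS = ["198.18.0.0/18"]
# Ten /29s, each carved from a different /24 of the ISP's /18.
SCATTERED = [f"198.18.{third}.8/29" for third in range(0, 60, 6)]
# A comparable amount of space handed out as one contiguous block.
CONTIGUOUS = ["198.18.0.0/25"]


def covering(net, prefixlen):
    """Return the block of length `prefixlen` that contains `net`.

    If `net` is already that size or larger it is returned unchanged.
    """
    net = ipaddress.ip_network(net)
    if net.prefixlen <= prefixlen:
        return net
    return net.supernet(new_prefix=prefixlen)


def blast_radius(isp_blocks, assignments, prefixlen):
    """Count ISP addresses listed when the covering /prefixlen of every
    assignment is blocked. Returns (listed_addresses, isp_addresses).

    Assumes the entries in `isp_blocks` do not overlap each other.
    """
    isp = [ipaddress.ip_network(b) for b in isp_blocks]
    # Merge duplicate and adjacent listings so nothing is counted twice.
    listed = list(ipaddress.collapse_addresses(
        covering(a, prefixlen) for a in assignments))
    hit = 0
    for block in listed:
        for own in isp:
            if block.overlaps(own):
                # Two CIDR blocks that overlap are nested, so the
                # intersection is simply the smaller of the two.
                hit += min(block.num_addresses, own.num_addresses)
    return hit, sum(own.num_addresses for own in isp)


def escalation(isp_blocks, assignments, steps=(29, 24, 23, 22, 21, 20)):
    """Return [(prefixlen, listed_addresses, percent_of_isp_space), ...]."""
    rows = []
    for prefixlen in steps:
        hit, total = blast_radius(isp_blocks, assignments, prefixlen)
        rows.append((prefixlen, hit, 100.0 * hit / total))
    return rows


if __name__ == "__main__":
    for label, layout in (("scattered", SCATTERED), ("contiguous", CONTIGUOUS)):
        print(label)
        for prefixlen, hit, pct in escalation(ISP_BLOCKS, layout):
            print(f"  listing at /{prefixlen}: {hit:6d} addresses ({pct:5.1f}%)")
```

With this sample the scattered layout puts the whole /18 on the list by the time listings widen to /20, while the contiguous block stops at a quarter of it.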




Re: Address Assignment Question

2011-06-20 Thread Aftab Siddiqui
Let them submit the IP justification form, I would like to read how spammers
justify their IP usage and I would really like to see how RIR would take it.

*Interesting*

Regards,

Aftab A. Siddiqui


On Mon, Jun 20, 2011 at 6:06 PM, Jason Baugher wrote:

> On 6/20/2011 7:44 AM, Steve Richardson wrote:
>
>> Hi,
>>
>> On Mon, Jun 20, 2011 at 8:32 AM, Jared Mauch
>>  wrote:
>>
>>> On Jun 20, 2011, at 8:30 AM, Bret Clark wrote:
>>>
>>>> Personally I would charge them for the /24 too, makes users think twice
>>>> about the need for a block that large.
>>
>> We do charge them for addresses already and cost doesn't come into
>> play.  We charge for assignments shorter than /28 to discourage IP
>> hogs.
>>
>>> I would also give them a /64 per lan (alt: broadcast domain) as well to
>>> allow them to start working with IPv6 for their email.
>>>
>>> - Jared
>>>
>> They have inquired about IPv6 already, but it's only gone so far as
>> that.  I would gladly give them a /64 and be done with it, but my
>> concern is that they are going to want several /64 subnets for the
>> same reason and I don't really *think* it's a legitimate reason.  Bear
>> in mind that "legitimate" in this context is referring to the
>> justification itself, not their business model.
>>
>> Thanks,
>> steve
>>
> Did everyone miss that the customer didn't request a /24, they requested
> a "/24s worth in even more dis-contiguous blocks". I can only think of one
> reason why a customer would specifically ask for that. They are concerned
> that they'll get blacklisted. They're hoping if they do, it will be a small
> block of many rather than one entire block.
>
> When customers make strange requests without giving a good explanation, I
> have to assume they're up to something.
>
> Jason
>
>


Re: Address Assignment Question

2011-06-20 Thread Suresh Ramasubramanian
That behavior is usually a warning sign of "snowshoe" bulk mailing,
especially when coupled with randomly named domains / hostnames

As for working directly with spamhaus .. did they specify how they do
that?   You might find http://www.spamhaus.org/news.lasso?article=641
worth reading

On Mon, Jun 20, 2011 at 5:43 PM, Steve Richardson
 wrote:
>
> assignments from us for their colo.  They are an email marketer.  They have
> requested these assignments in as many discontiguous netblocks as we can
> manage.  They are now asking for more addresses (a /24s worth) in even more
> discontiguous blocks.  What I'd like to know is whether there is a



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Address Assignment Question

2011-06-20 Thread Jason Baugher

On 6/20/2011 7:44 AM, Steve Richardson wrote:

> Hi,
>
> On Mon, Jun 20, 2011 at 8:32 AM, Jared Mauch  wrote:
>
>> On Jun 20, 2011, at 8:30 AM, Bret Clark wrote:
>>
>>> Personally I would charge them for the /24 too, makes users think twice about 
>>> the need for a block that large.
>
> We do charge them for addresses already and cost doesn't come into
> play.  We charge for assignments shorter than /28 to discourage IP
> hogs.
>
>> I would also give them a /64 per lan (alt: broadcast domain) as well to allow 
>> them to start working with IPv6 for their email.
>>
>> - Jared
>
> They have inquired about IPv6 already, but it's only gone so far as
> that.  I would gladly give them a /64 and be done with it, but my
> concern is that they are going to want several /64 subnets for the
> same reason and I don't really *think* it's a legitimate reason.  Bear
> in mind that "legitimate" in this context is referring to the
> justification itself, not their business model.
>
> Thanks,
> steve

Did everyone miss that the customer didn't request a /24, they requested 
a "/24s worth in even more dis-contiguous blocks". I can only think of 
one reason why a customer would specifically ask for that. They are 
concerned that they'll get blacklisted. They're hoping if they do, it 
will be a small block of many rather than one entire block.


When customers make strange requests without giving a good explanation, 
I have to assume they're up to something.


Jason



Re: Address Assignment Question

2011-06-20 Thread Steve Richardson
Hi,

On Mon, Jun 20, 2011 at 8:32 AM, Jared Mauch  wrote:
>
> On Jun 20, 2011, at 8:30 AM, Bret Clark wrote:
>
>> Personally I would charge them for the /24 too, makes users think twice 
>> about the need for a block that large.

We do charge them for addresses already and cost doesn't come into
play.  We charge for assignments shorter than /28 to discourage IP
hogs.

> I would also give them a /64 per lan (alt: broadcast domain) as well to allow 
> them to start working with IPv6 for their email.
>
> - Jared

They have inquired about IPv6 already, but it's only gone so far as
that.  I would gladly give them a /64 and be done with it, but my
concern is that they are going to want several /64 subnets for the
same reason and I don't really *think* it's a legitimate reason.  Bear
in mind that "legitimate" in this context is referring to the
justification itself, not their business model.

Thanks,
steve



Re: ICANN to allow commercial gTLDs

2011-06-20 Thread Robert E. Seastrom

Matthew Palmer  writes:

> And it only gets better from there... how many places have various "cutesy"
> naming schemes that might include one or more trademarks (or whatever) that
> someone might want as a TLD? 

As it happens, I have a set of routers that are named { craftsman,
makita, dewalt, black-and-decker, jet } etc.  A couple of notably
small ones are named "dremel" and "proxxon".  Likewise, our VM hosting
machines are named after container shipping lines.  Trademarks and
candidates for dropping $185k on a TLD all.

In my experience this sort of naming scheme is the rule rather than
the exception.

-r




Re: unqualified domains, was ICANN to allow commercial gTLDs

2011-06-20 Thread Florian Weimer
* Adam Atkinson:

> It was a very long time ago, but I seem to recall being shown
> http://dk, the home page of Denmark, some time in the mid 90s.
>
> Must I be recalling incorrectly?

It must have been before 1996.  Windows environments cannot resolve
A/ records for single-label domain names.

-- 
Florian Weimer
BFK edv-consulting GmbH   http://www.bfk.de/
Kriegsstraße 100  tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99



Re: ICANN to allow commercial gTLDs

2011-06-20 Thread Robert E. Seastrom

Randy Bush  writes:

> what's new?  how about the operational technical effects, like data from
> modeling various resolvers' responses to a large root zone?

I think the proper model is popular TLDs, perhaps the traditional
gTLDs.  As any (even former) decent sized TLD operator can tell you,
both BIND and NSD are both quite functional for this, and there are
also some proprietary authoritative nameservers out there that have
excellent performance.  Getting north of 100k queries/second answered
authoritatively [*] from a single nameserver process on a single box
(large zone, millions of records) is almost something one can do with
an out of the box config.  Things can get hairy with high update
rates, so I'd encourage ICANN to dig in its heels about the 2x per day
update rate, though even if they did it on demand, the $185k fee is
probably sufficient to keep the number of delegations, and thus
updates, down to a dull roar.

An interesting question is what the load effects will be on the root.
Inasmuch as the root operators (who can provide more detailed data
themselves) send NXDOMAIN, REFUSED, or some SOL-semantically-similar
response to 99%+ of the queries they get already, even a two order of
magnitude lift on the number of legit queries will result in only a 2x
lift in load on the roots.  The operative question is "is two orders
of magnitude a safe guess?".  I don't have a good answer for that.

The team over at ICANN has already likely thought this through in
insane detail and I'm not saying anything new (to them anyway).  Maybe
they can speak to it.

-r

[*] to be pedantic, the AA flag is not set on the response to an NS
query to a delegating nameserver.  We'll call it authoritative anyway,
since it is for the zone in which the delegation lives.  :-P




Re: Address Assignment Question

2011-06-20 Thread Jared Mauch

On Jun 20, 2011, at 8:30 AM, Bret Clark wrote:

> Personally I would charge them for the /24 too, makes users think twice about 
> the need for a block that large.

I would also give them a /64 per lan (alt: broadcast domain) as well to allow 
them to start working with IPv6 for their email.

- Jared


Re: Address Assignment Question

2011-06-20 Thread Bret Clark

On 06/20/2011 08:13 AM, Steve Richardson wrote:

> What I'd like to know is whether there is a
> legitimate use for so many addresses in discontiguous networks besides
> spam?  I am trying my best to give them the benefit of the doubt here,
> because they do work directly with Spamhaus to not be listed (I realize
> reasons on both sides why this could be) and searches on Google and spam
> newsgroups for their highest traffic email domains yield next to nothing,
> given the amount of email they say they send out.

Well, not so sure I would worry about legit or not legit use...while 
ISPs are looked at being the police, legally law enforcement are the 
ones to pursue illegal use. But it sounds like you've done your 
homework and they sound legit. Have them fill out an IP Justification form 
(as ARIN requires it) and go from there. I wouldn't worry about providing 
them the /24. Personally I would charge them for the /24 too, makes 
users think twice about the need for a block that large.


Bret


Address Assignment Question

2011-06-20 Thread Steve Richardson
Hello NANOG,
I work for a medium-sized ISP with our own ARIN assignments (several /18 and
/19 netblocks) and I've got a question about a possibly dubious customer
request.  I know a lot of you have experience on a much grander scale than
myself, so I'm looking for some good advice.

We have a customer who, over the years, has amassed several small subnet
assignments from us for their colo.  They are an email marketer.  They have
requested these assignments in as many discontiguous netblocks as we can
manage.  They are now asking for more addresses (a /24's worth) in even more
discontiguous blocks.  What I'd like to know is whether there is a
legitimate use for so many addresses in discontiguous networks besides
spam?  I am trying my best to give them the benefit of the doubt here,
because they do work directly with Spamhaus to not be listed (I realize
reasons on both sides why this could be) and searches on Google and spam
newsgroups for their highest traffic email domains yield next to nothing,
given the amount of email they say they send out.  I strongly believe that
their given justification for so many addresses is not a good one (many
addresses on an MTA, off-chance one gets blocked, etc), especially now that
IPv4 addresses are becoming more of a scarce resource.  However, if they
*are* legitimate, which certainly is possible, are discontiguous networks a
common practice for even legit operators, as it's quite likely that even
legit email marketers will end up being blocked because someone accidentally
hit 'Spam' instead of 'Delete' in their AOL software?

Thanks,
steve

Note:  I hate spammers as much as anyone out there, but I *do* know that not
everyone who sends out massive amounts of email is a spammer.  While it's
possible they don't deserve it, I'm trying to give my customer the benefit
of the doubt.


Re: ICANN to allow commercial gTLDs

2011-06-20 Thread Mark Andrews

In message <201106201034.p5kayz2e008...@bartok.nlnetlabs.nl>, Jaap Akkerhuis writes:
> 
> 
> Simple hostnames as, global identifiers, were supposed to cease
> to work in 1984.
> 
> Can you point out where that is stated?
> 
>   jaap

RFC 897.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org



Re: ICANN to allow commercial gTLDs

2011-06-20 Thread Jaap Akkerhuis


> Simple hostnames as, global identifiers, were supposed to cease
> to work in 1984.

Can you point out where that is stated?

jaap



Re: ICANN to allow commercial gTLDs

2011-06-20 Thread Mark Andrews

In message <201106200951.p5k9pmsw051...@bartok.nlnetlabs.nl>, Jaap Akkerhuis writes:
> Which is your choice.  Lots of others want search lists.  I've seen
> requests for 20+ elements.
> 
> So they get what they ask for: Ambiguity in resolving the name space.
> 
>   jaap

There is no ambiguity if tld operators don't unilaterally add address
records causing simple hostnames to resolve.  Simple hostnames as,
global identifiers, were supposed to cease to work in  1984.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
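
The point made in the message above, that a simple hostname only becomes ambiguous once a TLD has an address record at its apex, can be seen in a small model of stub-resolver search-list processing. This is an added example, not code from the thread; the resolv.conf-style `ndots` ordering is an assumed model, and the TLD "printer", the search lists and all addresses are constructed.

```python
def candidates(name, search, ndots=1):
    """Names tried, in order, under a resolv.conf-style search/ndots model."""
    if name.endswith("."):                      # already fully qualified
        return [name]
    as_is = name + "."
    expanded = [f"{name}.{suffix.rstrip('.')}." for suffix in search]
    if name.count(".") >= ndots:                # looks qualified: try as-is first
        return [as_is] + expanded
    return expanded + [as_is]                   # simple hostname: search list first

def resolve(name, search, namespace, ndots=1):
    """Return (fqdn, address) for the first candidate that exists, else None."""
    for fqdn in candidates(name, search, ndots):
        if fqdn in namespace:
            return fqdn, namespace[fqdn]
    return None

# Constructed namespace: one internal host, no address record at any TLD apex.
BEFORE = {"printer.corp.example.com.": "192.0.2.10"}
# Same namespace after a hypothetical TLD "printer" adds an apex A record.
AFTER = dict(BEFORE, **{"printer.": "198.51.100.7"})

HQ = ["corp.example.com", "example.com"]        # search list where the host exists
BRANCH = ["branch.example.com", "example.com"]  # search list where it does not

def compare(name="printer"):
    """Resolution of one simple hostname per search list, before and after."""
    return {label: (resolve(name, sl, BEFORE), resolve(name, sl, AFTER))
            for label, sl in (("hq", HQ), ("branch", BRANCH), ("empty", []))}

if __name__ == "__main__":
    for label, (before, after) in compare().items():
        print(f"{label:7} before={before} after={after}")
```

With no apex address record the name either resolves through the search list or fails; once the apex record exists, the same simple hostname silently resolves to a different host for any client whose search list does not cover it.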



Re: ICANN to allow commercial gTLDs

2011-06-20 Thread Jaap Akkerhuis


> Which is your choice.  Lots of others want search lists.  I've seen
> requests for 20+ elements.

So they get what they ask for: Ambiguity in resolving the name space.

jaap



Re: future revenue at risk vs near term cost ratio

2011-06-20 Thread Tim Chown

On 20 Jun 2011, at 08:00, Doug Barton wrote:

> On 06/19/2011 23:38, Mike Leber wrote:
>> 
>> 
>> On 6/19/11 10:47 PM, Paul Vixie wrote:
>>>> Date: Sun, 19 Jun 2011 22:32:59 -0700
>>>> From: Doug Barton
>>>>
>>>> ... the highly risk-averse folks who won't unconditionally enable IPv6
>>>> on their web sites because it will cause problems for 1/2000 of their
>>>> customers.
>>> let me just say that if i was making millions of dollars a day and i had
>>> the choice of reducing that by 1/2000th or not i would not choose to
>>> reduce it. as much as i love the free interchange of ideas i will point
>>> out that commerce is what's paid the internet's bills all these years.
>> 
>> Fortunately, 1/2000th was just the now proven false boogey man that
>> people substituted as a placeholder for the unknown.
> 
> Actually the people using that number had hard facts to back it up, but that 
> was all debated at length already, and I don't see any point going over it 
> again.

Except that if there's new evidence showing the figure is lower, let's see it :)

The measurements we have made show 0.07% over the past month or so, the figure 
being users who can access a site with an A record, but not one with an A and 
AAAA record.  There are still corner case issues out there, but I suspect that 
that small percentage may well be down to users who don't update their OS or 
software.  It would be very interesting to know the real causes.  I would hope 
things like 3484-bis and happy eyeballs will help reduce these further.

Tim


Re: ICANN to allow commercial gTLDs

2011-06-20 Thread Mark Andrews

In message <201106200739.p5k7dxhj071...@bartok.nlnetlabs.nl>, Jaap Akkerhuis writes:
> 
> (Mark:)
> Which just means we need to write yet another RFC saying that
> resolvers shouldn't lookup simple host names in the DNS.  Simple
> host names should be qualified against a search list.
> 
> I don't see the problem. I'm happily running with an empty search
> list for the last 25 years or so.

Which is your choice.  Lots of others want search lists.  I've seen
requests for 20+ elements.

>   jaap
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org



Re: ICANN to allow commercial gTLDs

2011-06-20 Thread Warren Kumari

On Jun 17, 2011, at 9:13 PM, David Conrad wrote:

> On Jun 17, 2011, at 4:04 PM, Owen DeLong wrote:
>> I really don't think that namespace issues are part of the role for the ASO 
>> AC.
> 
> Why do you think there is an ASO?
> 
>> This is clearly a problem for ICANN's disaster-ridden domain-name side, and 
>> not
>> for the ASO/NRO side of things.
> 
> Because there is clearly no inter-relation between domains and address and the
> operation of the Internet.
> 
>> Operationally, it's a horrible idea, but,
>> most of us in layers 1-4 stopped paying much attention to the disasters 
>> happening
>> at ICANN for DNS a long time ago as we sort of came to believe that we didn't 
>> have
>> enough money to bribe^h^h^h^h^hinfluence the right people in a sufficiently
>> meaningful way to make our voices heard.
> 
> Aren't you one of the folks who state that if you don't participate in PPML 
> then
> you have no reason to criticize ARIN policies?

+1 -- If you haven't bothered to be involved, you have lost the right to 
kvetch… If enough operational folk had bothered to stay involved, ICANN would 
be more operational. Claiming that it is all driven by money is a cop out. Yes, 
it's very political, yes there are LOTS of lawyers and policy folk, yes the 
atmosphere is not fun, yes the registries and registrars are the big players 
(because they have bothered to play), but technical folk CAN and DO make a 
difference…

Warren "serves on the SSAC" Kumari

> 
> Regards,
> -drc
> 
> 




Re: unqualified domains, was ICANN to allow commercial gTLDs

2011-06-20 Thread Mark Andrews

In message <4dfedb8b.5080...@dougbarton.us>, Doug Barton writes:
> On 06/19/2011 19:31, Paul Vixie wrote:
> >> Date: Sun, 19 Jun 2011 19:22:46 -0700
> >> From: Michael Thomas
> >>
> >>> that's a good question.  marka mentioned writing an RFC, but i expect
> >>> that ICANN could also have an impact on this by having applicants sign
> >>> something that says "i know that my single-label top level domain name
> >>> will not be directly usable the way normal domain names are and i intend
> >>> to use it only to register subdomain names which will work normally."
> >>
> >> Isn't this problem self regulating? If sufficient things break with a
> >> single label, people will stop making themselves effectively unreachable,
> >> right?
> >
> > alas, no.  if someone adds something to the internet that doesn't work right
> > but they ignore this and press onward until they have market share, then the
> > final disposition will be based on market size not on first mover advantage.
> 
> I think you're going to see 2 primary use cases. Those who will do it 
> anyway, either because they are ignorant of the possible downsides, or 
> don't care. The other use case will be the highly risk-averse folks who 
> won't unconditionally enable IPv6 on their web sites because it will 
> cause problems for 1/2000 of their customers.
> 
> If it will make $YOU (not nec. Paul or Michael) feel better, sure 
> produce an RFC. Shout it from the housetops, whatever. You're not going 
> to change anyone's mind.
> 
> Meanwhile, David is right. Further pontificating on this topic without 
> even reading the latest DAG is just useless nanog-chin-wagging. 
> Completely aside from the fact that the assumption no one in the ICANN 
> world has put any thought into this for the last 10+ years is sort of 
> insulting.
> 
> 
> Doug
> 
> -- 
> 
>   Nothin' ever doesn't change, but nothin' changes much.
>   -- OK Go
> 
>   Breadth of IT experience, and depth of knowledge in the DNS.
>   Yours for the right price.  :)  http://SupersetSolutions.com/

Where is the addition of address/mx records at the zone apex prohibited?

B.T.W. Address and mx records are very common, just their *use* at
the apex of a TLD is or should be uncommon.

There is also no such thing as "in-bailiwick glue for the TLD’s DNS
servers".  The root zone contains glue for TLDs.  No TLD zone
contains glue for TLDs.

The agreement explicitly outlaws the use of wildcard records.  It
would not have been hard to explicitly outlaw the addition of address
and MX records at the zone's apex.  One can only think that the loose
wording here was done to explicitly allow address and MX records at
the apex of a TLD.

Mark

2.2.3.3   TLD Zone Contents

ICANN receives a number of inquiries about use of various 
record types in a registry zone, as entities contemplate 
different business and technical models. Permissible zone 
contents for a TLD zone are: 

* Apex SOA record.  
* Apex NS records and in-bailiwick glue for the TLD’s
  DNS servers. 
* NS records and in-bailiwick glue for DNS servers of 
  registered names in the TLD. 
* DS records for registered names in the TLD. 
* Records associated with signing the TLD zone (i.e., 
  RRSIG, DNSKEY, NSEC, and NSEC3). 

An applicant wishing to place any other record types into 
its TLD zone should describe in detail its proposal in the 
registry services section of the application. This will be 
evaluated and could result in an extended evaluation to 
determine whether the service would create a risk of a 
meaningful adverse impact on security or stability of the 
DNS.  Applicants should be aware that a service based on 
use of less-common DNS resource records in the TLD zone, 
even if approved in the registry services review, might not 
work as intended for all users due to lack of application 
support.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
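
The "permissible zone contents" list quoted in the message above can be turned into a mechanical check of a TLD zone, which also flags the wildcard records the message says the agreement outlaws. This is an added example, not code from the thread or from ICANN; the TLD "example", the simplified record syntax and every record below are constructed.

```python
SIGNING = {"RRSIG", "DNSKEY", "NSEC", "NSEC3"}   # signing records named in the list

# Constructed zone, simplified syntax: 'owner type rdata', ';' comments, no TTL/class.
ZONE = """
example.          SOA   ns1.nic.example. hostmaster.nic.example. 1 1800 900 604800 86400
example.          NS    ns1.nic.example.
ns1.nic.example.  A     192.0.2.53        ; glue for the TLD's own server
example.          A     192.0.2.80        ; apex address record
example.          MX    10 mail.nic.example.
shop.example.     NS    ns.shop.example.
ns.shop.example.  AAAA  2001:db8::53      ; glue for a registered name
shop.example.     DS    12345 8 2 00      ; placeholder digest
*.example.        A     192.0.2.81
www.example.      A     192.0.2.82        ; address record that is not glue
"""

def parse(text):
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if line:
            owner, rtype, rdata = line.split(None, 2)
            records.append((owner.lower(), rtype.upper(), rdata.strip().lower()))
    return records

def audit(tld, text):
    """Return (owner, type, reason) for records outside the permitted contents."""
    apex = tld.lower().rstrip(".") + "."
    records = parse(text)
    ns_targets = {rdata for _, rtype, rdata in records if rtype == "NS"}
    findings = []
    for owner, rtype, _ in records:
        if owner.startswith("*."):
            findings.append((owner, rtype, "wildcard record"))
        elif rtype in SIGNING:
            continue
        elif owner == apex:
            if rtype not in ("SOA", "NS"):
                findings.append((owner, rtype, "apex record not on the list"))
        elif rtype in ("NS", "DS"):
            continue
        elif rtype in ("A", "AAAA") and owner in ns_targets and owner.endswith("." + apex):
            continue                      # in-bailiwick glue
        else:
            findings.append((owner, rtype, "not a delegation, DS or glue"))
    return findings

if __name__ == "__main__":
    print(*audit("example", ZONE), sep="\n")
```

The apex A and MX records are reported because they are not on the quoted list, which is the case the message argues the wording leaves open to a registry-services proposal.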



Re: ICANN to allow commercial gTLDs

2011-06-20 Thread Jaap Akkerhuis

(Mark:)
> Which just means we need to write yet another RFC saying that
> resolvers shouldn't lookup simple host names in the DNS.  Simple
> host names should be qualified against a search list.

I don't see the problem. I'm happily running with an empty search
list for the last 25 years or so.

jaap



Re: future revenue at risk vs near term cost ratio

2011-06-20 Thread Doug Barton

On 06/19/2011 23:38, Mike Leber wrote:

> On 6/19/11 10:47 PM, Paul Vixie wrote:
>>> Date: Sun, 19 Jun 2011 22:32:59 -0700
>>> From: Doug Barton
>>>
>>> ... the highly risk-averse folks who won't unconditionally enable IPv6
>>> on their web sites because it will cause problems for 1/2000 of their
>>> customers.
>>
>> let me just say that if i was making millions of dollars a day and i had
>> the choice of reducing that by 1/2000th or not i would not choose to
>> reduce it. as much as i love the free interchange of ideas i will point
>> out that commerce is what's paid the internet's bills all these years.
>
> Fortunately, 1/2000th was just the now proven false boogey man that
> people substituted as a placeholder for the unknown.


Actually the people using that number had hard facts to back it up, but 
that was all debated at length already, and I don't see any point going 
over it again.



> What if the risk of you not enabling it was that at some later date you
> lose 1/10th of your revenue due to either competitive pressures or the
> inability to provide the next generation service customers want? (Or if
> you are a non profit, what if it meant that you can't service 10 percent
> of your user base in the way they want.)


We've already been over this too:
A) Users don't want "IPvanything," they want "the Internet."
B) The date you propose is so far out in the future as to be not worth 
discussing at this point.


My personal take on B is that long before we reach the tipping point you 
propose that the switch will have been flipped. I think W6D was a good 
step in the right direction, and I know that serious people are 
crunching the numbers from it and are overwhelmingly likely to make the 
right decisions going forward.



hth,

Doug

--

Nothin' ever doesn't change, but nothin' changes much.
-- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/