Re: ARIN / RIR Pragmatism (WAS: Re: RADB)
On Oct 27, 2014, at 12:58 AM, Randy Bush ra...@psg.com wrote:

LACNIC numbers (as a percent) are quite good, but my question was why only RIPE has the very impressive total count of ROAs.

conjecture follows of course one can never know. but i conject
o they are the largest registry actively promoting registration
o the ncc, particularly alex, tim, oleg, ... have put significant effort into making it very easy to register
o they have a culture of cooperation and doing things well

Reasonable conjecture; implies that in this region we need to overcome our interesting legal situation, make things easy to use, and then do some significant promotion.

You can clearly point to ARIN's legal treatment of the risks involved, but that is not applicable in the APNIC case

it is hard to register in apnic, ask folk who have tried. the most active folk are under NIRs, who are only now working on deployment. apnic is not really promoting it.

Ah, good to know (and reinforces potential ARIN issues beyond legal wrangling)

You don't feel there's any correlation between RIPE's IRR approach and their RPKI success?

that's the cooperative culture bit, actually interested in the net running well.

Presumably the NANOG community is also interested in keeping the net running well, so if ARIN can provide some reasonably usable services, that shouldn't be an issue.

Thanks!
/John

John Curran
President and CEO
ARIN
Re: Linux: concerns over systemd [OT]
- Original Message - From: Gregory Boyce gregory.bo...@gmail.com On Wed, Oct 22, 2014 at 5:17 PM, Jeffrey Ollie j...@ocjtech.us wrote: I think that Debian's plan to allow multiple init systems (irregardless of which one is default) is a bad plan. The non-default ones won't get any love - at some point they'll just stop working (or indeed, work at all). If they break then one of two things will happen: 1) Someone will fix it. 2) No one will fix it because no one cares. If no one cares, then it being broken doesn't matter. Killing off choice/alternatives just in case no one cares about them isn't especially helpful. 3) A lot of people who do care and either cannot afford to or are technically competent to fix it are screwed. Cheers, -- jra -- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://www.bcp38.info 2000 Land Rover DII St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
Re: Linux: concerns over systemd adoption and Debian's decision to switch
- Original Message - From: Chris Adams c...@cmadams.net Once upon a time, Jay Ashworth j...@baylink.com said: Try to do everything *inside PID 1* is the real problem. And that is not what systemd is doing; make sure you know what you are complaining about. systemd-the-project != systemd-the-pid-1. PID 1 is responsible for managing services/daemons, and AFAIK that's all systemd's PID 1 does. Indeed. I was quoting (I thought) better read people than me. If that's the case, I retract about 25% of my distaste for it. Cheers, -- jra -- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://www.bcp38.info 2000 Land Rover DII St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
Re: Linux: concerns over systemd [OT]
Original Message - From: Jeffrey Ollie j...@ocjtech.us On Wed, Oct 22, 2014 at 9:48 PM, Jimmy Hess mysi...@gmail.com wrote: On Wed, Oct 22, 2014 at 1:31 PM, Barry Shein b...@world.std.com wrote: And you whisk all that away with it's not really clear to me that 'reboots in seconds' is a think to be optimized False dilemma. [ snip ] 10 seconds from power on to user interface for desktops, will meaningfully improve the user experience, but not for servers. It's a false dilemma only if you're thinking about traditional physical servers. Consider: 1) What if you're spinning up several thousand Hadoop nodes on AWS or GCE so that you can do some sort of big data operation. 2) What if PewDiePie just mentioned one of your products in a video and you need to quickly scale up the number of backend servers to handle the load. I'm sure that there are many other scenarios that I could devise where a fast server boot time was important. I will stipulate this use case. I will counter with you wouldn't be running a real distro in that case anyway; you'd be running something super trimmed down, and possibly custom built, or based on something like CoreOS, that only does one job. Well. :-) Cheers, -- jra -- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://www.bcp38.info 2000 Land Rover DII St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
Re: Linux: concerns over systemd [OT]
after watching this discussion for a while, i have decided that i am in favour of systemd. i encourage its development, and widespread adoption. it will hasten the demise of linux in the server environment, which can only be a good thing. if people really want to run their servers on the *nix equivalent of Windows/XP, i say let them go ahead. every day that i have to work with linux, is another day i spend holding my nose.

--jim

--
Jim Mercer Reptilian Research j...@reptiles.org +1 416 410-5633
He who dies with the most toys is nonetheless dead
Trying to identify hosts
We get lots of probes from subdomains of southwestdoor.com and secureserver.net 's SOA and I'm curious who these guys are? The only web page I could find was southwestdoor redirects to http://www.arcadiacustoms.com and then to http://arcadia-custom.com/ (a hardware company is causing unwanted network traffic - not unless they're owned) Traceroute for southwestdoor.com goes through secureserver.net and they have lots of references (in dns) to themselves, jomax.net and domaincontrol.com. Can someone give me a better picture of how this all fits together on a company level - as in how do these guys make money and why are they probing our network? I understand scans from ISPs and colos, but I can't directly identify these guys as either.
Re: Linux: concerns over systemd [OT]
On Mon, Oct 27, 2014 at 10:35 AM, Jay Ashworth j...@baylink.com wrote: I will stipulate this use case. I will counter with you wouldn't be running a real distro in that case anyway; you'd be running something super trimmed down, and possibly custom built, or based on something like CoreOS, that only does one job. Well. :-) From: https://coreos.com/using-coreos/systemd/ CoreOS uses systemd as the core of its distributed init system, fleet. Systemd is well supported in many Linux distros, making it familiar to most engineers. Every aspect of CoreOS is deeply integrated with systemd. -- Jeff Ollie
Re: NOC Calendar
There are boxes that do that, but it’s really not a good solution… Here’s why:

1. TV signals in NTSC max out at 640x480. In ATSC, you get up to 1920x1080. Many monitors today are capable of 2560x1440 or more.
2. It’s expensive and has few advantages over a traditional KVM switch.
3. An HDMI switcher and graphic cards with HDMI output are not particularly hard to find these days. DVI-HDMI is also relatively easy if you have trouble getting HDMI out of the machine. This is a much less expensive solution.

It’s fairly trivial to get VM video out to HDMI if you’re willing to dedicate hardware to the task.

Owen

On Oct 24, 2014, at 7:38 AM, chris tknch...@gmail.com wrote:

I was looking into something like this a while back and one thing that didn't seem to exist but I thought would be cool is if you could have an x86 box or appliance that could take video output of let's say a couple virtual machines and encode it into a standard TV signal so your average TV with a builtin tuner and have each VM's display encoded into a different TV channel. This way you could throw up TV's everywhere and easily change what's displayed at any time without having to have devices plugged into every TV. If this already exists or someone has built anything like this I would love to hear about it.

- chris

On Fri, Oct 24, 2014 at 10:07 AM, James Wininger jwinin...@ifncom.net wrote:

Does anyone on the list have a reference to a good NOC calendar? What I mean by that is a calendar that is view only for the NOC, but looks good on a larger LCD panel display. Ideally it would automatically rotate on a given schedule (say 6am), and then show only that day's scheduled events, there would be no need for the NOC to interact with the calendar, just consume the data. Perhaps it would be color coded to show DWDM work, vs MPLS work, or even new installs. But the idea is that the NOC would have readily accessible view only at a glance. They would not have to load up outlook, go to calendar, select the MPLS, install etc to see what work is happening.

--
Jim Wininger
Re: Linux: concerns over systemd [OT]
- Original Message - From: Jeffrey Ollie j...@ocjtech.us On Mon, Oct 27, 2014 at 10:35 AM, Jay Ashworth j...@baylink.com wrote: I will stipulate this use case. I will counter with you wouldn't be running a real distro in that case anyway; you'd be running something super trimmed down, and possibly custom built, or based on something like CoreOS, that only does one job. Well. :-) From: https://coreos.com/using-coreos/systemd/ CoreOS uses systemd as the core of its distributed init system, fleet. Systemd is well supported in many Linux distros, making it familiar to most engineers. Every aspect of CoreOS is deeply integrated with systemd. Surprisingly, I actually knew this already. You might want to stop trying to score points, rather than actually, y'know, just advancing the conversation. Cheers, -- jra -- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://www.bcp38.info 2000 Land Rover DII St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
Re: Trying to identify hosts
Ok, got a few off list replies that secureserver.net is godaddy which is fine - makes sense. I just wish this would link back to them easier (some backup ns being something.godaddy.com or some SOA of an IP listed in the spf being something.godaddy.com or whatever). Thank y'all for the info. On Mon, Oct 27, 2014 at 11:57 AM, shawn wilson ag4ve...@gmail.com wrote: We get lots of probes from subdomains of southwestdoor.com and secureserver.net 's SOA and I'm curious who these guys are? The only web page I could find was southwestdoor redirects to http://www.arcadiacustoms.com and then to http://arcadia-custom.com/ (a hardware company is causing unwanted network traffic - not unless they're owned) Traceroute for southwestdoor.com goes through secureserver.net and they have lots of references (in dns) to themselves, jomax.net and domaincontrol.com. Can someone give me a better picture of how this all fits together on a company level - as in how do these guys make money and why are they probing our network? I understand scans from ISPs and colos, but I can't directly identify these guys as either.
Re: Trying to identify hosts
Oh and along that line of trying to find the source - nothing indicates godaddy here (kinda annoying):

% curl -I secureserver.net ~ swlap1
HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Length: 145
Expires: 0
Location: http://www.secureserver.net/
Server: Microsoft-IIS/7.0
P3P: policyref=/w3c/p3p.xml, CP=COM CNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR OUR IND
Date: Mon, 27 Oct 2014 16:02:33 GMT

% curl -I www.secureserver.net ~ swlap1
HTTP/1.1 302 Found
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 160
Content-Type: text/html; charset=utf-8
Expires: -1
Location: http://www.secureserver.net/default404.aspx
Server: Microsoft-IIS/7.0
Set-Cookie: language0=en-US; domain=secureserver.net; expires=Tue, 27-Oct-2015 16:02:35 GMT; path=/
Set-Cookie: market=en-US; domain=secureserver.net; expires=Tue, 27-Oct-2015 16:02:35 GMT; path=/
Set-Cookie: language0=en-US; domain=secureserver.net; expires=Tue, 27-Oct-2015 16:02:35 GMT; path=/
Set-Cookie: market=en-US; domain=secureserver.net; expires=Tue, 27-Oct-2015 16:02:35 GMT; path=/
Set-Cookie: ATL.SID.SALES= iMxiGMyW7sDBszdtMEyatYk7buGydr4hjvissnKiLec%3d; path=/; HttpOnly
Set-Cookie: gdCassCluster.sePQKXdv2U=2; path=/
Set-Cookie: language0=en-US; domain=secureserver.net; expires=Tue, 27-Oct-2015 16:02:35 GMT; path=/
Set-Cookie: market=en-US; domain=secureserver.net; expires=Tue, 27-Oct-2015 16:02:35 GMT; path=/
Set-Cookie: ATL.SID.SALES=iMxiGMyW7sDBszdtMEyatYk7buGydr4hjvissnKiLec%3d; path=/; HttpOnly
Set-Cookie: gdCassCluster.sePQKXdv2U=2; path=/
Set-Cookie: mobile.redirect.browser=0; path=/
P3P: policyref=/w3c/p3p.xml, CP=COM CNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR OUR IND
Date: Mon, 27 Oct 2014 16:02:34 GMT

% echo QUIT | openssl s_client -connect www.secureserver.net:443 | head -10 ~ swlap1
depth=2 C = US, ST = Arizona, L = Scottsdale, O = Starfield Technologies, Inc., CN = Starfield Root Certificate Authority - G2
verify error:num=20:unable to get local issuer certificate
DONE
CONNECTED(0003)
---
Certificate chain
 0 s:/C=US/ST=Arizona/L=Scottsdale/O=Special Domain Services, LLC/CN=*.secureserver.net
   i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certs.starfieldtech.com/repository//CN=Starfield Secure Certificate Authority - G2
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certs.starfieldtech.com/repository//CN=Starfield Secure Certificate Authority - G2
   i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Root Certificate Authority - G2
 2 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Root Certificate Authority - G2
   i:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
---

On Mon, Oct 27, 2014 at 1:21 PM, shawn wilson ag4ve...@gmail.com wrote:

Ok, got a few off list replies that secureserver.net is godaddy which is fine - makes sense. I just wish this would link back to them easier (some backup ns being something.godaddy.com or some SOA of an IP listed in the spf being something.godaddy.com or whatever). Thank y'all for the info.

On Mon, Oct 27, 2014 at 11:57 AM, shawn wilson ag4ve...@gmail.com wrote:

We get lots of probes from subdomains of southwestdoor.com and secureserver.net 's SOA and I'm curious who these guys are? The only web page I could find was southwestdoor redirects to http://www.arcadiacustoms.com and then to http://arcadia-custom.com/ (a hardware company is causing unwanted network traffic - not unless they're owned)

Traceroute for southwestdoor.com goes through secureserver.net and they have lots of references (in dns) to themselves, jomax.net and domaincontrol.com.

Can someone give me a better picture of how this all fits together on a company level - as in how do these guys make money and why are they probing our network? I understand scans from ISPs and colos, but I can't directly identify these guys as either.
Re: A translation (was Re: An update from the ICANN ISPCP meeting...)
On October 24, 2014 at 19:34 d...@virtualized.org (David Conrad) wrote:

Barry,

On Oct 24, 2014, at 12:13 PM, Barry Shein b...@world.std.com wrote:

I believe this never-ending quest for more reliable domain registration data is being driven by intellectual property lawyers to lower the cost of serving those they see as infringers either by domain or web site content.

I would agree that the intellectual property folks have interests in this area, however having sat through sessions on various illegal activities facilitated by domain names (e.g., trade in endangered species, child porn, illegal pharmacies, etc) as well as having been to anti-abuse meetings (e.g., MAAWG, APWG, RIPE abuse-wt, etc), I am fairly confident there are far more people interested in accurate registration data than merely intellectual property lawyers.

Oh no! The Four Horsemen of the Infocalypse!

http://en.wikipedia.org/wiki/Four_Horsemen_of_the_Infocalypse

Sure, agree with me or you're a child porn enabler!

I just tend to doubt this effort will help much. It's just selling some idealized vision of domain registration data.

At any rate, I'm not against better data, my concern is more in the realm of: At what cost? Who has access? Who specifically bears the cost of all this goodness?

I think I mentioned this but in LA I was in a near shouting match with an IP lawyer whose specialty was brands protection who couldn't understand why service providers were so difficult to deal with when asked for customer info, take downs, whatever they wanted.

I said hey, you're being paid like $300/hour to deal with this, you're offering me zero. You imagine this is just your little request but it's not, it's a time sinkhole as you chase words that rhyme with your client's brand or other potential business.

One of the more sordid aspects of the law is that one can enact more and more stringent and time-consuming reporting etc rules and at some point it's just a free ride. Suddenly the law REQUIRES service providers to expend whatever effort it takes to provide accurate and timely discovery information.

Meanwhile Verizon and other big telcos are getting like $500 per for taps etc, to the tune of tens of millions per month?

http://www.forbes.com/sites/robertlenzner/2013/09/23/attverizonsprint-are-paid-cash-by-nsa-for-your-private-communications/

or

http://tinyurl.com/q74oa7u

I'm not against the concept, but it needs balance and it's reasonable to advocate. That doesn't make someone a child-porn enabler. Goodness costs money.

Heck, I heard even some network operators would like to have accurate registration databases and I don't think many of those folks are intellectual property lawyers.

FWIW, my suggestion was to put the WHOIS data into the DNS (a new RR perhaps) under the control of whoever manages that DNS record and if someone needs more correct information then perhaps the registrars could provide it (perhaps for a fee) from the sales slips (so to speak.)

You're too late: I believe there is a t-shirt that has the slogan F* that, let's just put it in the DNS... :)

I suppose that's better than I've never heard anyone suggest this but you!, so I'll take it!

It's just a sales record, not sure why some are trying to move heaven and earth to idealize the information and access to it.

I disagree. Perhaps my age is showing, but I believe the whole point of the registration database is to provide contact information to allow someone to contact the registrant for whatever reason, e.g., hey, stop that!.

It's the old problem, crooks don't hand out business cards.

And, again, at what cost, and to whom?

P.S. And of course the new WHOIS proposal involves creating classes of access to go along with improved correctness.

That is one part of the outcome of ICANN's ongoing effort to try to fix the multiple decade long nightmare that is Whois, yes.

It needs a public examination. This is a big change.

It's reasonable to be suspicious that it will be turned into a privileged and expensive resource.

So only bona-fide lawyers with paid-up bar dues will be able to get at the info because, you know, lawyers, esq.

I'm not sure such a wild mischaracterization of the _166 page_ proposal for A Next Generation Registration Directory Service is actually helpful. The whole question of registration data is extremely complicated with a vast array of mutually contradictory requirements. As I understand it, the tiered access proposal was largely driven by the requirement to deal with the differing privacy requirements/laws/customs/etc. across the planet (e.g., the EU data privacy directives). As with anything that suggests non-trivial change, there is much that is controversial in the proposal, however I suspect it would be more useful if the controversy was based in actual reality instead of
Re: A translation (was Re: An update from the ICANN ISPCP meeting...)
On Mon, 27 Oct 2014, Barry Shein wrote: I disagree. Perhaps my age is showing, but I believe the whole point of the registration database is to provide contact information to allow someone to contact the registrant for whatever reason, e.g., hey, stop that!. It's the old problem, crooks don't hand out business cards. And, again, at what cost, and to whom? If you can't be bothered to have correct contact info, your packets go into the scavenger queue. Or get redirected to a webpage explaining why your network is blocked until you correct it. Your customers will be the ones complaining to you. -Dan
.mil postmaster Contacts?
We're seeing issues delivering email to certain .mil domains. MX hosts for these domains are not responding on port 25 and have verified from off-network as well. Anyone else seeing the same or can point me to a technical POC to start with?

navy.mil, usmc.mil, uscg.mil are just a few that seem to be having issues.

Ray
RBL alert: impending sh*tshow for rbl.orbitrbl.com
As some of you may know, we recently took over ZoneEdit.com and its customer base.

We've found a domain on the system: rbl.orbitrbl.com which is delegated to zoneedit nameservers, broken (it is not allowed to zone transfer from its designated master), unresponsive (account owner is not answering email, has an address in Sri Lanka and no telephone number), is using excessive queries (~ 500M queries per day on a free dns domain) and attracting repeated, multiple DDoS attacks.

As such, we will be wildcarding this zone and setting a long TTL fairly soon. If you're actually using this RBL in your MTAs, now's a good time to stop. (this RBL is broken on 5 out of its 6 delegated nameservers across 3 separate providers).

- mark

--
Mark E. Jeftovic mar...@easydns.com
Founder CEO, easyDNS Technologies Inc.
+1-(416)-535-8672 ext 225
Read my blog: http://markable.com
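A check for the situation announced above, as an added example that is not part of the original post: RFC 5782 requires an IPv4 DNSBL to list the test address 127.0.0.2 and never to list 127.0.0.1, so a zone that answers for both has been wildcarded and will flag every sender. The zone names, the fake resolver and its records are constructed for the demo; `check_dnsbl` and `usable_zones` are hypothetical helper names.

```python
"""Sanity-check DNSBL zones using the RFC 5782 test entries (added example)."""
import socket
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# A resolver maps a hostname to its A records: [] = no such name, None = lookup failed.
Resolver = Callable[[str], Optional[List[str]]]


def system_resolver(name: str) -> Optional[List[str]]:
    """Look a name up through the OS resolver (needs network; not used by the demo)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        not_found = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}
        return [] if exc.errno in not_found else None
    return sorted({info[4][0] for info in infos})


def query_name(ipv4: str, zone: str) -> str:
    """Build the DNSBL query name: reversed octets followed by the zone."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ipv4!r}")
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def check_dnsbl(zone: str, resolve: Resolver = system_resolver) -> str:
    """Classify a zone as healthy, wildcarded, empty, broken or unreachable."""
    test_entry = resolve(query_name("127.0.0.2", zone))   # RFC 5782: MUST be listed
    never_entry = resolve(query_name("127.0.0.1", zone))  # RFC 5782: MUST NOT be listed
    if test_entry is None or never_entry is None:
        return "unreachable"   # timeouts / lame servers: every lookup delays mail
    if test_entry and never_entry:
        return "wildcarded"    # answers for everything: an MTA that treats any
                               # A answer as a listing would reject all mail
    if test_entry:
        return "healthy"
    if never_entry:
        return "broken"        # lists the never-listed address but not the test one
    return "empty"             # answers, but lists nothing: the list is drained


def usable_zones(zones: Iterable[str],
                 resolve: Resolver = system_resolver) -> Tuple[List[str], Dict[str, str]]:
    """Return the zones safe to keep in an MTA config, plus the full report."""
    zones = list(zones)
    report = {zone: check_dnsbl(zone, resolve) for zone in zones}
    return [z for z in zones if report[z] == "healthy"], report


def make_fake_resolver(records: Dict[str, List[str]], wildcards: Dict[str, str],
                       dead: Iterable[str]) -> Resolver:
    """Offline stand-in for DNS so the example runs without network access."""
    dead = tuple(dead)

    def resolve(name: str) -> Optional[List[str]]:
        if any(name.endswith("." + zone) for zone in dead):
            return None                      # simulated timeout
        if name in records:
            return records[name]
        for zone, addr in wildcards.items():
            if name.endswith("." + zone):
                return [addr]                # wildcard matches any label
        return []                            # simulated NXDOMAIN

    return resolve


# Constructed sample data: four imaginary zones in different states.
SAMPLE_RESOLVER = make_fake_resolver(
    records={"2.0.0.127.bl.healthy.example": ["127.0.0.2"]},
    wildcards={"bl.wildcarded.example": "192.0.2.10"},
    dead=["bl.dead.example"],
)
SAMPLE_ZONES = ["bl.healthy.example", "bl.wildcarded.example",
                "bl.dead.example", "bl.drained.example"]

if __name__ == "__main__":
    keep, report = usable_zones(SAMPLE_ZONES, SAMPLE_RESOLVER)
    for zone, status in report.items():
        print(f"{zone:26} {status}")
    print("keep in MTA config:", keep)
```

Run against real zones by calling `usable_zones` with the list from the MTA configuration and the default `system_resolver`; scheduling it periodically catches a list that changes state after it was configured.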
Re: .mil postmaster Contacts?
On Mon, Oct 27, 2014 at 10:52:07AM -0700, Ray Van Dolson wrote:

We're seeing issues delivering email to certain .mil domains. MX hosts for these domains are not responding on port 25 and have verified from off-network as well. Anyone else seeing the same or can point me to a technical POC to start with?

navy.mil, usmc.mil, uscg.mil are just a few that seem to be having issues.

When we (state gummint) had trouble delivering work-related mail to some .mil addresses in our state, I found that the best way was to look up the contacts on the installation's website, make a phone call, and ask for the IT people. We found that sometimes they shut mail down, sometimes higher HQ publish an overly wide firewall block list, and sometimes Stuff Just Happens.

YMMV, as always.

--
Mike Andrews, W5EGO mi...@mikea.ath.cx
Tired old sysadmin
Re: Linux: concerns over systemd adoption and Debian's decision to switch [OT]
On 10/25/2014 04:55 PM, Matthew Petach wrote: Completely agree on this point--but I fail to see why it has to be one or the other? Why can't systemd have a --text flag to tell it to output in ascii text mode for those of us who prefer it that way? It still logs to syslog, and syslog can still log to text. Systemd certainly writes a nice text /var/log/messages on my CentOS 7 system. There is also a --log-target command line option, where there are several possible targets. Further, the binary log is generated by journald, not by systemd itself, which can log directly to syslog without using the binary journal (see: http://fitzcarraldoblog.wordpress.com/2014/09/20/change-systemds-binary-logging-to-text-logging-in-sabayon-linux/ for how to do this in one particular Linux distribution, Sabayon). The more I dig into systemd, the less I dislike it. I'm still not thrilled, but it's not as bad as I first heard it was going to be.
Re: .mil postmaster Contacts?
Those all appear to be going through DISA's Enterprise Email system.

http://www.disa.mil/Services/Computing/~/media/Files/DISA/Services/Computing/DECCServiceDeskContact.pdf

If they don't have an option specifically for Enterprise Email, try contacting the extension for Oklahoma City.

---
-ITG (ITechGeek) i...@itechgeek.com https://itg.nu/
GPG Keys: https://itg.nu/contact/gpg-key
Preferred GPG Key: Fingerprint: AB46B7E363DA7E04ABFA57852AA9910A DCB1191A
Google Voice: +1-703-493-0128 / Twitter: ITechGeek / Facebook: http://fb.me/Jbwa.Net

On Mon, Oct 27, 2014 at 2:23 PM, Mike A mi...@mikea.ath.cx wrote:

On Mon, Oct 27, 2014 at 10:52:07AM -0700, Ray Van Dolson wrote:

We're seeing issues delivering email to certain .mil domains. MX hosts for these domains are not responding on port 25 and have verified from off-network as well. Anyone else seeing the same or can point me to a technical POC to start with?

navy.mil, usmc.mil, uscg.mil are just a few that seem to be having issues.

When we (state gummint) had trouble delivering work-related mail to some .mil addresses in our state, I found that the best way was to look up the contacts on the installation's website, make a phone call, and ask for the IT people. We found that sometimes they shut mail down, sometimes higher HQ publish an overly wide firewall block list, and sometimes Stuff Just Happens.

YMMV, as always.

--
Mike Andrews, W5EGO mi...@mikea.ath.cx
Tired old sysadmin
Re: Linux: concerns over systemd [OT]
On 10/27/2014 11:35 AM, Jay Ashworth wrote: I will counter with you wouldn't be running a real distro in that case anyway; you'd be running something super trimmed down, and possibly custom built, or based on something like CoreOS, that only does one job. Well. Hmm, now this one I wasn't aware of this tidbit here has made this thread worthwhile to me, as we work on developing some clustered 'things' for use here. CoreOS wasn't even on the 'look at this at some point in time' list before, but it is now. Thanks, Jay.
Re: Linux: concerns over systemd [OT]
Lamar Owen wrote: On 10/27/2014 11:35 AM, Jay Ashworth wrote: I will counter with you wouldn't be running a real distro in that case anyway; you'd be running something super trimmed down, and possibly custom built, or based on something like CoreOS, that only does one job. Well. Hmm, now this one I wasn't aware of this tidbit here has made this thread worthwhile to me, as we work on developing some clustered 'things' for use here. CoreOS wasn't even on the 'look at this at some point in time' list before, but it is now. Thanks, Jay. Funny, and here my reaction is just the opposite - to remove CoreOS from my list of things to look at. Cheers, Miles Fidelman
Re: A translation (was Re: An update from the ICANN ISPCP meeting...)
On Oct 24, 2014, at 11:07 AM, Eric Brunner-Williams brun...@nic-naa.net wrote:

On 10/23/14 7:27 PM, David Conrad wrote:

in other words, the bc and ispc were, and for the most part, imho, remain captive properties of the intellectual property constituency.

Here, Eric is suggesting the intellectual property folks are driving policy issues on behalf of the folks interested in security/stability of e-commerce and as well as ISPs and connectivity providers. I have no reason to doubt Eric's opinion as I've not been involved enough in that part of ICANN and he has.

some things get lost in translation. even the best of translations.

i suggest that the agenda of the intellectual property constituency is the agenda of business and internet service provider constituencies, as measured (in 2008) by staff summary of policy initiatives and votes on policy by the constituencies of the gnso, due to the very high correlations of the constituency votes of record, but it could all be mere, though persistent, coincidence.

Perhaps this is more indicative of the fact that the fractions of the business and ISP constituencies that actually care enough to devote resources to ICANN meetings and such are, in fact, those businesses most closely tied with the Intellectual Property interests as the rest of the world basically doesn’t give a damn unless something goes horribly wrong and DNS stops doing what they expect.

a nuance is whether the accuracy of whois data (a problem dave crocker and i and others tried to fix at the los angeles icann meeting in november 2001, and which, as hordes of the undead, lives on and on and on) is what is generally meant by security and stability, or if the value of accuracy of whois data has significant value to parties other than the intellectual property constituency.

I don’t think it is all that is meant by that term, but certainly it is a component.

were the oarc meeting not held, by mere coincidence of course, in a particular hotel in los angeles last week, fewer people with operational roles might have been present.

True. I think that as a general rule, operators are conspicuously absent from most ICANN proceedings.

the protocol supporting organization tired of having a voting responsibility on the icann board and got the bylaws changed in 2003 to eliminate itself as a supporting organization holding voting seats on the icann board and created a technical advisory body tasked to periodically provide non-voting persons to offer technical advice to the icann board.

Which I think says more about the tedium and general lack of relevance of most of what ICANN does to the operational and technical constituencies than it says about the protocol supporting organization.

i suppose a choice that addresses the problem warren noted is to ask if there is a continued need for operators-or-whatever-as-a-voting-body within the gnso. as much as i participated in the gnso reform program (which may have simply improved some of the ornamental decoration and changed some names from constituencies to stakeholder groups without changing the balance of forces david noted -- trademark protection vs volume sales -- and would prefer to see the ispcp develop a broader agenda than mere marks protection), taking a step back i'm no longer convinced that operational issues, and therefore operators, have any place, usefully, in the generic domain name supporting organization.

Now there’s a lovely thought… We don’t like what few operators who haven’t walked away in disgust are telling us, so, it’s perhaps better to call their voices irrelevant and simply dismiss them as a non-relevant constituency.

Owen
Re: A translation (was Re: An update from the ICANN ISPCP meeting...)
On Mon, 27 Oct 2014, Eric Brunner-Williams wrote: On 10/27/14 10:12 AM, goe...@anime.net wrote: If you can't be bothered to have correct contact info, your packets go into the scavenger queue. Or get redirected to a webpage explaining why your network is blocked until you correct it. Your customers will be the ones complaining to you. the (icann accredited) registrar which accepted {bogus|non-verified|accurate} registrant data at some point in time less than 10 years ago which is now {bogus|non-verified|accurate|aged-out} is likely to be providing dns for the domain in question, or the dns is likely to be provided by the registrant, so the packets [DO NOT] go into the scavenger queue. NOR are they redirected ... I should clarify I was thinking about whois on the IP blocks and/or ASN. not dns for domain names. if your network is spewing sewage, there should be some way to contact you. if you are uninterested in being contacted, there's always RBLs I guess. -Dan
[NANOG-announce] NANOG 63 - San Antonio - Call for Presentations is Open!
Greetings NANOG Folks,

It was great to see so many of you (~700) at NANOG 62 in Baltimore. NANOG will hold its 63rd meeting in San Antonio, TX on February 2-4, 2015, hosted by CyrusOne.

The NANOG Program Committee is now seeking proposals for presentations, panels, tutorials, tracks sessions, and keynote materials for the NANOG 63 program. We invite presentations highlighting issues relating to technology already deployed or soon-to-be deployed in the Internet. Vendors are encouraged to work with operators to present real-world deployment experiences with the vendor's products and interoperability.

Key dates to track if you wish to submit a presentation:

Date            Event/Deadline
Oct. 27, 2014   CFP Opens for NANOG 63
Dec. 05, 2014   CFP Deadline #1: Presentation Abstracts Due
Dec. 12, 2014   CFP Topic List Posted
Jan. 02, 2015   CFP Deadline #2: Presentation Slides Due
Jan. 09, 2015   Meeting Agenda Published
Jan. 30, 2015   Speaker FINAL presentations to PCTool or speaker-support
Feb. 02, 2015   Lightning Talk Submissions Open (Abstracts Only)

NANOG 63 submissions are welcome on the Program Committee Site https://pc.nanog.org/ or email me if you have questions.

See the detailed NANOG63 Call for Presentations https://www.nanog.org/meetings/nanog63/callforpresentations for more information.

Let's see each other in San Antonio where, apparently, the typical high temps in February are 65F/18C.

Thanks,

Tony Tauber
Chair, Program Committee
North American Network Operator Group (NANOG)

___
NANOG-announce mailing list
nanog-annou...@mailman.nanog.org
http://mailman.nanog.org/mailman/listinfo/nanog-announce
Now Hiring At Equinix: Network Architect
Equinix is now hiring a Network Architect to help design the next-generation of interconnection platforms, come join a great team. http://equinix.hodesiq.com/job_detail.asp?JobID=4652823user_id= Interested, or know someone that is? Apply online, or let me know. Greg
Re: A translation (was Re: An update from the ICANN ISPCP meeting...)
Barry, On Oct 27, 2014, at 10:28 AM, Barry Shein b...@world.std.com wrote: Oh no! The Four Horsemen of the Infocalypse! Being dismissive of concerns related to illegal activities that make use of the DNS does not, of course, make those concerns go away. A number of folks make use of the registration database in attempting to address illegal activities, as such it seems to me that it would be useful if that database was accurate. It's the old problem, Not really. crooks don't hand out business cards. Registration data is used to identify registrants, not crooks. As Mark Andrews pointed out, there are uses for identifying non-crook registrants. In rare cases, registrants are crooks and while I'd agree the sophisticated crooks will find ways around any requirements for accuracy, I believe there is value to having accuracy in the general case. Or are you arguing we should simply remove Whois as a service available to the Internet? And, again, at what cost, and to whom? The cost obviously depends on the requirements and implementation. The whom is and will always be the registrant. However, for the vast majority of registrants with a handful of domains, the costs are likely to be in the pennies. Granted, for the domainers with huge portfolios, the costs may be significant, however that is a cost of doing that particular business. That is one part of the outcome of ICANN's ongoing effort to try to fix the multiple decade long nightmare that is Whois, yes. It needs a public examination. This is a big change. Agreed! And, in particular, it would be nice if network operators, who I believe make non-trivial use of Whois examine that change and determine whether the changes meet their requirements and if not, dare I say, participate in ICANN to make sure it does. Regards, -drc
Re: An update from the ICANN ISPCP meeting...
On Thu, Oct 23, 2014 at 6:15 PM, Eric Brunner-Williams brun...@nic-naa.net wrote: some history. at the montevideo icann meeting (september, 2001), there were so few attendees to either the ispc (now ispcp) and the bc (still bc), that these two meetings merged. at the paris icann meeting (june, 2008) staff presented an analysis of the voting patterns of the gnso constituencies -- to my non-surprise, both the bc and the ispc votes (now ispcp) correlated very highly with the intellectual property constituency, and unlike that constituency, originated very little in the way of policy issues for which an eventual vote was recorded. in other words, the bc and ispc were, and for the most part, imho, remain captive properties of the intellectual property constituency. this could change, but the isps that fund suits need to change the suits they send, the trademark lawyer of eyeball network operator X is not the vp of ops of network operator X. Unless folk here *like* having their views represented as being aligned with intellectual property folk? Well, do you? If not, come to an ICANN meeting and say so... W meanwhile, whois, the udrp, and other bits o' other-people's-business-model take up all the available time. eric On 10/23/14 2:58 PM, Warren Kumari wrote: Those of y'all who were at NANOG62 may remember a presentation from the ICANN Internet Service Provider and Connectivity Providers Constituency (ISPCP). I feel somewhat bad because I misunderstood what they were saying, and kinda lost my cool during the preso. Anyway, the ISPCP met at ICANN 51 last week. Unfortunately I was not able to attend, but the meeting audio stream is posted at: http://la51.icann.org/en/schedule/tue-ispcp If you'd rather read than listen, the transcript is posted here: http://la51.icann.org/en/schedule/tue-ispcp/transcript-ispcp-14oct14-en.pdf I snipped a bit that mentions NANOG: The next outreach experience that we had was at NANOG.
NANOG, as you may know, is the North American Network Operators Group, an area where we really wanted to make an impact because it is the network operators groups that can really bring the insight that we need to act on being a unique and special voice within the ICANN community on issues that matter to ISPs around some of the things that are on our agenda today, such as universal access, such as name collisions. And we wanted to get more technical voices in the mix and more resources in the door so that we could make a better impact there. A lot of what we received when we stood up to give our presentation were messages from people who had attempted to engage in ICANN in the past or attempted to engage in the ISPCP in the past and had had very difficult time doing. They said when you come into this arena you spend so much time talking about process, so much time talking about Whois and what board seats, about what needs to happen around transparency. I'm a technical guy, I want to focus on technical issues and I don't have a unique venue for being able to do that. So we spent some time as a group trying to figure out how we can address that because we do need those voices. Our goal has been to take the feedback that we receive from NANOG and create an action plan to make sure that we can pull in voices like that and go back to the NOG community, go back to the technical operators community, bring them on board and say we've got a different path for you. Anyway, go listen / read the full transcript if you are so inclined... W -- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf
Re: A translation (was Re: An update from the ICANN ISPCP meeting...)
On October 27, 2014 at 15:34 d...@virtualized.org (David Conrad) wrote: Barry, On Oct 27, 2014, at 10:28 AM, Barry Shein b...@world.std.com wrote: Oh no! The Four Horsemen of the Infocalypse! Being dismissive of concerns related to illegal activities that make use of the DNS does not, of course, make those concerns go away. A number of folks make use of the registration database in attempting to address illegal activities, as such it seems to me that it would be useful if that database was accurate. Leading with child porn etc as a first-mentioned motivation strikes me as an attempt to snatch the moral high ground rather than discuss the issues -- oh and if you disagree with me you must be ok with child porn. I've chased child pornographers with LEO. By and large they are very, very careful about their identities. You're not going to just do a WHOIS query and jot down their address and phone number and pay them a visit. At any rate, we can all drive at 20MPH max and think of how many thousands of lives that would save every year...etc. Disagree? Do you want people to die?!? And so forth. That there's an intent or possibility to improve criminal investigations doesn't necessarily justify the means. And I still believe a lot of the energy behind the WHOIS rewrite has come from the intellectual property crowd (to reduce the cost of discovery) tho yes law enforcement loves better identity sources particularly if it's on someone else's budget. It's the old problem, Not really. crooks don't hand out business cards. Registration data is used to identify registrants, not crooks. As Mark Andrews pointed out, there are uses for identifying non-crook registrants. In rare cases, registrants are crooks and while I'd agree the sophisticated crooks will find ways around any requirements for accuracy, I believe there is value to having accuracy in the general case.
You're still just repeating potential motivations rather than telling us how these changes will accomplish those goals, and at what cost. How is any of that being accomplished by limiting access to the WHOIS data? From page 21 of the Final Report: ...the EWG recommends abandoning today's WHOIS model -- giving every user the same anonymous public access to (too often inaccurate) gTLD registration data. Instead, the EWG recommends a paradigm shift whereby gTLD registration data is collected, validated and disclosed for permissible purposes only, with some data elements being accessible only to authenticated requestors that are then held accountable for appropriate use. (me: EWG = Expert Working Group) Ok, admittedly there's a lot more to the report than we're discussing here and the only fair way to review it is to read it which I recommend, again that URL: https://www.icann.org/en/system/files/files/final-report-06jun14-en.pdf or http://tinyurl.com/kdjdu7c Don't get me wrong, I consider it by and large well-intentioned. But that doesn't mean we can't disagree on some recommendations. Or are you arguing we should simply remove Whois as a service available to the Internet? And, again, at what cost, and to whom? The cost obviously depends on the requirements and implementation. The whom is and will always be the registrant. However, for the vast majority of registrants with a handful of domains, the costs are likely to be in the pennies. Granted, for the domainers with huge portfolios, the costs may be significant, however that is a cost of doing that particular business. What about charging those with need for access to the data? Once we've limited access to authenticated requestors why not charge a fee for that authenticated access? That was part of my suggestion to put the public data in the DNS. Public data accessed via the DNS is free (for some value of free, but not usage charged.) And it has roughly the accuracy and precision we experience today. 
For more accurate data you can pay for a record request. Up to and including presenting a court order though I would hope that's not the common case. That is one part of the outcome of ICANN's ongoing effort to try to fix the multiple decade long nightmare that is Whois, yes. I don't see it as a nightmare. It very much reflects the spirit of the internet. Much of it is free and voluntary and worth more than you paid for it. It's only when some imagine some specific, valuable use that they might become frustrated. Shall we try to clean up google (et al) result accuracy also? It needs a public examination. This is a big change. Agreed! And, in particular, it would be nice if network operators, who I believe make non-trivial use of Whois examine that change and determine whether the changes meet their requirements and if not, dare I say, participate in ICANN to make sure it does. I don't think we're very far apart. We just have slightly
RE: .mil postmaster Contacts?
You sure it's not a DNS issue? I've had problems resolving various *.disa.mil sites today. Google DNS claims they don't exist. Chuck -Original Message- From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Ray Van Dolson Sent: Monday, October 27, 2014 1:52 PM To: nanog@nanog.org Subject: .mil postmaster Contacts? We're seeing issues delivering email to certain .mil domains. MX hosts for these domains are not responding on port 25 and have verified from off-network as well. Anyone else seeing the same or can point me to a technical POC to start with? navy.mil, usmc.mil, uscg.mil are just a few that seem to be having issues. Ray
Re: A translation (was Re: An update from the ICANN ISPCP meeting...)
Whois's primary purpose is to keep the network running. CP, IP, LEO are all secondary issues. This tends to get lost. I can easily contact all the TLD operators using whois data and do so from time to time when I see issues with the servers. The one time I couldn't (both email addresses bounced) was reported to IANA who are working on getting the contact details corrected. Whois data for other zones is a real pain in the back side to get let alone process. .GOV just tells you if the zone exists. This is a !@#$!@#@$# joke. They are government departments. They should be contactable without having to depend upon web sites being up as sometimes you are complaining about the sites being down. For those of you who are US citizens please complain to your representatives about this. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: NOC Calendar
On 10/27/14 9:27 AM, Owen DeLong wrote: There are boxes that do that, but it’s really not a good solution… Here’s why: 1. TV signals in NTSC max out at 640x480. In ATSC, you get up to 1920x1080. Many monitors today are capable of 2560x1440 or more. 2. It’s expensive and has few advantages over a traditional KVM switch. 3. An HDMI switcher and graphic cards with HDMI output are not particularly hard to find these days. DVI-HDMI is also relatively easy if you have trouble getting HDMI out of the machine. This is a much less expensive solution. It’s fairly trivial to get VM video out to HDMI if you’re willing to dedicate hardware to the task. It is pretty trivial at this point to have a network attached device serve as a remote display for essentially arbitrary sources. There's no real point imho in attaching to any machine other than the one directly in front of you over anything other than ip protocol. Owen On Oct 24, 2014, at 7:38 AM, chris tknch...@gmail.com wrote: I was looking into something like this a while back and one thing that didn't seem to exist but I thought would be cool is if you could have a x86 box or appliance that could take video output of let's say a couple virtual machines and encode it into a standard TV signal so your average TV with a builtin tuner and have each VM's display encoded into a different TV channel. This way you could throw up TV's everywhere and easily change what's displayed at any time without having to have devices plugged into every TV. If this already exists or someone has built anything like this I would love to hear about it. - chris On Fri, Oct 24, 2014 at 10:07 AM, James Wininger jwinin...@ifncom.net wrote: Does anyone on the list have a reference to a good NOC calendar? What I mean by that is a calendar that is view only for the NOC, but looks good on a larger LCD panel display.
Ideally it would automatically rotate on a given schedule (say 6am), and then show only that day's scheduled events, there would be no need for the NOC to interact with the calendar, just consume the data. Perhaps it would be color coded to show DWDM work, vs MPLS work, or even new installs. But the idea is that the NOC would have readily accessible view only at a glance. They would not have to load up outlook, go to calendar, select the MPLS, install etc to see what work is happening. -- Jim Wininger