Re: Government agency renting or selling IP space

2017-03-16 Thread Mel Beckman
John,

It's a California State government agency. Does that make a difference?

 -mel 

> On Mar 16, 2017, at 9:53 PM, John Curran  wrote:
> 
> Mel -
> 
> US Government agencies should contact GSA (or DoD/DISA, for those in 
> military/intelligence communities) for advice on these matters. 
> 
> Thanks,
> /John
> 
> John Curran
> President and CEO
> ARIN
> 
>> On Mar 17, 2017, at 12:12 AM, Mel Beckman  wrote:
>> 
>> I have a government agency client with a number of /24s that they acquired 
>> back in the 1990s when they operated as an ISP for other agencies. They are 
>> interested in renting or selling these addresses. Are there any existing 
>> ARIN or other legal restrictions against government organizations doing this?
>> 
>> -mel beckman


Re: Government agency renting or selling IP space

2017-03-16 Thread John Curran
Mel -

US Government agencies should contact GSA (or DoD/DISA, for those in 
military/intelligence communities) for advice on these matters. 

Thanks,
/John

John Curran
President and CEO
ARIN

> On Mar 17, 2017, at 12:12 AM, Mel Beckman  wrote:
> 
> I have a government agency client with a number of /24s that they acquired 
> back in the 1990s when they operated as an ISP for other agencies. They are 
> interested in renting or selling these addresses. Are there any existing ARIN 
> or other legal restrictions against government organizations doing this?
> 
> -mel beckman


Re: Government agency renting or selling IP space

2017-03-16 Thread William Herrin
On Thu, Mar 16, 2017 at 11:13 PM, Mel Beckman  wrote:

> Their space is legacy, and they don't pay ARIN. They declined the offer to
> pay ARIN some time ago :)
>

Ah, well good news and bad news.

The good news is that they can do whatever they want with their space
except make ARIN recognize a transfer. They are under no contractual or
legal obligations to ARIN whatsoever.

To transfer the block, the buyer will have to jump through all of ARIN's
hoops after which your agency can sign an LRSA for the block to be sold
just long enough to sell and transfer it (ending the LRSA contract).

The bad news is that unless they become an ARIN ISP, pay up and sign
contracts agreeing to obey ARIN's ISP rules, the whois information for any
rented address blocks will continue to lead right back to them. That will
make renting to private organizations challenging.

Regards,
Bill Herrin



-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Dirtside Systems . Web: 


Re: Government agency renting or selling IP space

2017-03-16 Thread Mel Beckman
Jimmy,

Their ARIN record says Direct Assignment rather than Direct Allocation, so it 
does appear ARIN considers them an end user. Also, I see no prior SWIPs, so 
possibly they never SWIPed their previous customers. I'll have to give ARIN a 
call.

 -mel 

> On Mar 16, 2017, at 6:08 PM, Jimmy Hess  wrote:
> 
>> On Thu, Mar 16, 2017 at 7:39 PM, Mel Beckman  wrote:
>> Bill,
>> Is there technically a restriction preventing swiping of this IP space 
>> when it's being rented? How is that different from an ISP swiping its 
>> customers that are renting bandwidth?
> 
> This is a difference between an "Allocated" block of addresses to an
> ISP and an "Assigned" network prefix belonging to an end-user.
> 
> End-User Orgs typically lack technical ability to create re-assignment
> records showing a different organization, b/c they have IPs assigned
> for a specific network.
> 
> ISPs / Co-location providers who are ARIN members with Allocated addresses
> can Re-Allocate to a downstream ISP or Assign a network prefix from allocated
> space to a downstream End-user organization.
> 
> An End user can likely show they're an ISP, join ARIN as an ISP member,   &
> request  Direct Assignments from ARIN be combined into new Allocations;
> 
> If the character of the network changes,  I would expect the new ISP
> may have to show information to ARIN establishing that the change to
> an ISP Allocation  will be consistent with the NRPM requirements.
> 
> (Seeing as Assignments to End-Users and Allocations to ISPs have
> different  policies  for creation described in the NRPM,  and there's
> no mention in the Policy they can be directly converted  without a
> Transfer or Renumber/Consolidate  or Return & renumber)
> 
> 
>> -mel via cell
> --
> -JH


Re: Government agency renting or selling IP space

2017-03-16 Thread Mel Beckman
Their space is legacy, and they don't pay ARIN. They declined the offer to pay 
ARIN some time ago :)

 -mel 

> On Mar 16, 2017, at 5:50 PM, Bob Evans  wrote:
> 
> Simple to check. Most likely legacy space if early 90s. Enter them in the
> ARIN search box and learn more. And note if the agency is paying ARIN
> annually? Possible?
> Thank You
> Bob Evans
> CTO
> 
> 
> 
> 
>> I have a government agency client with a number of /24s that they acquired
>> back in the 1990s when they operated as an ISP for other agencies. They
>> are interested in renting or selling these addresses. Are there any
>> existing ARIN or other legal restrictions against government organizations
>> doing this?
>> 
>> -mel beckman
> 
> 


Re: Government agency renting or selling IP space

2017-03-16 Thread Mel Beckman
This agency already is an ISP - they started out as an ISP for other government 
agencies. But I'll verify their ARIN records to be sure ARIN sees it that way, 
since they launched as an ISP back in the 1990s.

 -mel 

> On Mar 16, 2017, at 5:44 PM, William Herrin  wrote:
> 
>> On Thu, Mar 16, 2017 at 8:39 PM, Mel Beckman  wrote:
>> Is there technically a restriction preventing swiping of this IP space 
>> when it's being rented? How is that different from an ISP swiping its 
>> customers that are renting bandwidth?
> 
> Hi Mel,
> 
> You'd have to ask ARIN to be sure, but I believe they only accept
> SWIPs for ISP registrants. Nothing stops the agency from
> re-registering as an ISP (ARIN will accept you as an ISP if you want
> to be) but it means signing new documents (which may be a problem
> with your legal dept) and possibly paying more money each year.
> 
> Regards,
> Bill Herrin
> 
> -- 
> William Herrin  her...@dirtside.com  b...@herrin.us
> Dirtside Systems . Web: 


RE: Microsoft Skype for Business Contact - Broken PMTUD

2017-03-16 Thread Christian Kuhtz via NANOG
Hi Reuben,

I've responded offline.

Thanks,
Christian


-----Original Message-----
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Reuben Farrelly via 
NANOG
Sent: Thursday, March 16, 2017 6:15 PM
To: nanog@nanog.org
Subject: Microsoft Skype for Business Contact - Broken PMTUD

Hi,

Can someone from Microsoft who manages the network for the Skype for Business 
please contact me to help resolve what I believe is a problem with the S4B 
network?

I am experiencing PMTUD issues whereby connections with an IPv4 TCP MSS above 
1492 and an IPv6 TCP MSS of above 1432 do not function.  I can run a clean 1500 
byte MTU on both IPv4 and IPv6 from the connection I am testing with.

External validation (thus ruling out my own link) from 
https://wand.net.nz/pmtud/ reports that the following URLs used by Lync/S4B are 
failing PMTUD:

meet.lync.com
webdir0b.online.lync.com

--

tbit from 2001:df0:4:4000::1:115 to 2603:1047:0:a::12
  server-mss 1440, result: pmtud-fail
  app: http, url: https://meet.lync.com/
  [  0.010] TX SYN 64  seq = 0:0
  [  0.049] RX SYN/ACK 64  seq = 0:1
  [  0.049] TX 60  seq = 1:1
  [  0.049] TX    373  seq = 1:1(313)
  [  0.097] RX   1500  seq = 1:314(1440)
  [  0.097] RX   1500  seq = 1441:314(1440)
  [  0.097] RX    868  seq = 2881:314(808)
  [  0.097] TX PTB   1280  mtu = 1280
  [  0.097] TX 60  seq = 314:1
  [  0.399] RX   1500  seq = 1:314(1440)
  [  0.399] TX PTB   1280  mtu = 1280
  [  0.994] RX   1500  seq = 1:314(1440)
  [  0.994] TX PTB   1280  mtu = 1280
  [  2.197] RX   1500  seq = 1:314(1440)
  [  2.197] TX PTB   1280  mtu = 1280
  [  4.603] RX   1500  seq = 1:314(1440)
tbit from 130.217.250.115 to 52.113.65.78
  server-mss 1460, result: pmtud-fail
  app: http, url: https://meet.lync.com/
  [  0.009] TX SYN 44  seq = 0:0  c5c9
  [  0.152] RX SYN/ACK 44  seq = 0:1  56ef
  [  0.152] TX 40  seq = 1:1  c5ca
  [  0.153] TX    353  seq = 1:1(313) c5cb DF
  [  0.299] RX    808  seq = 2921:314(768) 56f7 DF
  [  0.299] RX   1500  seq = 1:314(1460)  56f5 DF
  [  0.299] RX   1500  seq = 1461:314(1460)   56f6 DF
  [  0.299] TX 40  seq = 314:1  c5cc
  [  0.299] TX PTB 56  mtu = 1280
  [  0.763] RX   1500  seq = 1:314(1460)  5720 DF
  [  0.764] TX PTB 56  mtu = 1280
  [  1.592] RX   1500  seq = 1:314(1460)  5750 DF
  [  1.592] TX PTB 56  mtu = 1280
  [  3.232] RX   1500  seq = 1:314(1460)  57dc DF
  [  3.232] TX PTB 56  mtu = 1280
  [  6.514] RX   1500  seq = 1:314(1460)  5910 DF

-

This is in the Asia Pacific region.

Thanks,
Reuben Farrelly


Microsoft Skype for Business Contact - Broken PMTUD

2017-03-16 Thread Reuben Farrelly via NANOG

Hi,

Can someone from Microsoft who manages the network for the Skype for 
Business please contact me to help resolve what I believe is a problem 
with the S4B network?


I am experiencing PMTUD issues whereby connections with an IPv4 TCP MSS 
above 1492 and an IPv6 TCP MSS of above 1432 do not function.  I can run 
a clean 1500 byte MTU on both IPv4 and IPv6 from the connection I am 
testing with.


External validation (thus ruling out my own link) from 
https://wand.net.nz/pmtud/ reports that the following URLs used by 
Lync/S4B are failing PMTUD:


meet.lync.com
webdir0b.online.lync.com

--

tbit from 2001:df0:4:4000::1:115 to 2603:1047:0:a::12
 server-mss 1440, result: pmtud-fail
 app: http, url: https://meet.lync.com/
 [  0.010] TX SYN 64  seq = 0:0
 [  0.049] RX SYN/ACK 64  seq = 0:1
 [  0.049] TX 60  seq = 1:1
 [  0.049] TX    373  seq = 1:1(313)
 [  0.097] RX   1500  seq = 1:314(1440)
 [  0.097] RX   1500  seq = 1441:314(1440)
 [  0.097] RX    868  seq = 2881:314(808)
 [  0.097] TX PTB   1280  mtu = 1280
 [  0.097] TX 60  seq = 314:1
 [  0.399] RX   1500  seq = 1:314(1440)
 [  0.399] TX PTB   1280  mtu = 1280
 [  0.994] RX   1500  seq = 1:314(1440)
 [  0.994] TX PTB   1280  mtu = 1280
 [  2.197] RX   1500  seq = 1:314(1440)
 [  2.197] TX PTB   1280  mtu = 1280
 [  4.603] RX   1500  seq = 1:314(1440)
tbit from 130.217.250.115 to 52.113.65.78
 server-mss 1460, result: pmtud-fail
 app: http, url: https://meet.lync.com/
 [  0.009] TX SYN 44  seq = 0:0  c5c9
 [  0.152] RX SYN/ACK 44  seq = 0:1  56ef
 [  0.152] TX 40  seq = 1:1  c5ca
 [  0.153] TX    353  seq = 1:1(313) c5cb DF
 [  0.299] RX    808  seq = 2921:314(768) 56f7 DF
 [  0.299] RX   1500  seq = 1:314(1460)  56f5 DF
 [  0.299] RX   1500  seq = 1461:314(1460)   56f6 DF
 [  0.299] TX 40  seq = 314:1  c5cc
 [  0.299] TX PTB 56  mtu = 1280
 [  0.763] RX   1500  seq = 1:314(1460)  5720 DF
 [  0.764] TX PTB 56  mtu = 1280
 [  1.592] RX   1500  seq = 1:314(1460)  5750 DF
 [  1.592] TX PTB 56  mtu = 1280
 [  3.232] RX   1500  seq = 1:314(1460)  57dc DF
 [  3.232] TX PTB 56  mtu = 1280
 [  6.514] RX   1500  seq = 1:314(1460)  5910 DF

-

This is in the Asia Pacific region.

Thanks,
Reuben Farrelly
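
An added example, not part of the original post and not tbit's own code: a short Python check that reads trace lines in the format shown above and reports whether the server kept sending segments larger than the MTU in the tester's Packet Too Big (PTB) messages. The failing input is taken from the IPv6 trace in the post; the passing trace, the function names and the verdict strings are assumptions made for illustration.

```python
import re

# Lines taken from the IPv6 tbit trace in the post; the 373-byte line has no
# column spacing, to exercise the parser. OK_TRACE is constructed for contrast.
FAIL_TRACE = """\
[  0.010] TX SYN 64  seq = 0:0
[  0.049] RX SYN/ACK 64  seq = 0:1
[  0.049] TX 60  seq = 1:1
[  0.049] TX373  seq = 1:1(313)
[  0.097] RX   1500  seq = 1:314(1440)
[  0.097] TX PTB   1280  mtu = 1280
[  0.399] RX   1500  seq = 1:314(1440)
[  0.399] TX PTB   1280  mtu = 1280
[  0.994] RX   1500  seq = 1:314(1440)
[  0.994] TX PTB   1280  mtu = 1280
[  2.197] RX   1500  seq = 1:314(1440)
"""
OK_TRACE = """\
[  0.097] RX   1500  seq = 1:314(1440)
[  0.097] TX PTB   1280  mtu = 1280
[  0.140] RX   1280  seq = 1:314(1220)
"""

LINE = re.compile(r"\[\s*([\d.]+)\]\s+(TX|RX)\s*(SYN/ACK|SYN|PTB)?\s*(\d+)\s+(.*)")
SEQ = re.compile(r"seq = (\d+):\d+\((\d+)\)")   # only segments carrying data
MTU = re.compile(r"mtu = (\d+)")

def parse(trace):
    """Turn tbit trace lines into dicts; tolerates fused direction/size columns."""
    events = []
    for line in trace.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        t, direction, flag, size, rest = m.groups()
        ev = {"t": float(t), "dir": direction, "flag": flag, "size": int(size)}
        if (s := SEQ.search(rest)):
            ev["seq"], ev["len"] = int(s.group(1)), int(s.group(2))
        if (u := MTU.search(rest)):
            ev["mtu"] = int(u.group(1))
        events.append(ev)
    return events

def pmtud_verdict(events):
    """Did the server shrink its segments after the tester's Packet Too Big?"""
    mtu, oversized = None, []
    for ev in events:
        if ev["dir"] == "TX" and ev["flag"] == "PTB":
            mtu = ev["mtu"]                      # MTU we told the server to use
        elif ev["dir"] == "RX" and mtu is not None and "len" in ev:
            if ev["size"] <= mtu:                # server honoured the PTB
                return {"result": "pmtud-ok", "oversized_after_ptb": len(oversized)}
            oversized.append(ev["t"])            # same big segment, retransmitted
    gaps = [round(b - a, 3) for a, b in zip(oversized, oversized[1:])]
    return {"result": "pmtud-fail" if oversized else "inconclusive",
            "oversized_after_ptb": len(oversized), "retx_gaps": gaps}
```

The widening gaps between the oversized retransmissions are consistent with retransmission-timer backoff, meaning the sender is reacting to loss rather than to the PTB messages.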


Re: Government agency renting or selling IP space

2017-03-16 Thread Jimmy Hess
On Thu, Mar 16, 2017 at 7:39 PM, Mel Beckman  wrote:
> Bill,
> Is there technically a restriction preventing swiping of this IP space when 
> it's being rented? How is that different from an ISP swiping its customers 
> that are renting bandwidth?

This is a difference between an "Allocated" block of addresses to an
ISP and an "Assigned" network prefix belonging to an end-user.

End-User Orgs typically lack technical ability to create re-assignment
records showing a different organization, b/c they have IPs assigned
for a specific network.

 ISPs / Co-location providers who are ARIN members with Allocated addresses
can Re-Allocate to a downstream ISP or Assign a network prefix from allocated
space to a downstream End-user organization.

An End user can likely show they're an ISP, join ARIN as an ISP member,   &
request  Direct Assignments from ARIN be combined into new Allocations;

If the character of the network changes,  I would expect the new ISP
may have to show information to ARIN establishing that the change to
an ISP Allocation  will be consistent with the NRPM requirements.

(Seeing as Assignments to End-Users and Allocations to ISPs have
different  policies  for creation described in the NRPM,  and there's
no mention in the Policy they can be directly converted  without a
Transfer or Renumber/Consolidate  or Return & renumber)


> -mel via cell
--
-JH


Re: Government agency renting or selling IP space

2017-03-16 Thread Bob Evans
Simple to check. Most likely legacy space if early 90s. Enter them in the
ARIN search box and learn more. And note if the agency is paying ARIN
annually? Possible?
Thank You
Bob Evans
CTO




> I have a government agency client with a number of /24s that they acquired
> back in the 1990s when they operated as an ISP for other agencies. They
> are interested in renting or selling these addresses. Are there any
> existing ARIN or other legal restrictions against government organizations
> doing this?
>
>  -mel beckman




Re: Government agency renting or selling IP space

2017-03-16 Thread William Herrin
On Thu, Mar 16, 2017 at 8:39 PM, Mel Beckman  wrote:
> Is there technically a restriction preventing swiping of this IP space when 
> it's being rented? How is that different from an ISP swiping its customers 
> that are renting bandwidth?

Hi Mel,

You'd have to ask ARIN to be sure, but I believe they only accept
SWIPs for ISP registrants. Nothing stops the agency from
re-registering as an ISP (ARIN will accept you as an ISP if you want
to be) but it means signing new documents (which may be a problem
with your legal dept) and possibly paying more money each year.

Regards,
Bill Herrin

-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Dirtside Systems . Web: 


Re: Government agency renting or selling IP space

2017-03-16 Thread Mel Beckman
Bill,

Is there technically a restriction preventing swiping of this IP space when 
it's being rented? How is that different from an ISP swiping its customers 
that are renting bandwidth?

-mel via cell

> On Mar 16, 2017, at 5:28 PM, Seth Mattinen  wrote:
> 
> On 3/16/17 17:19, William Herrin wrote:
>>> There's probably a legal mess around a government entity renting IP
>>> addresses. If the entity is registered as an end user (instead of as
>>> an ISP) then such rentals might also be considered fraudulent.
>> On a purely pragmatic level, it's also an exceedingly bad idea to let
>> a private party who may turn out to be a criminal use IP addresses
>> authentically registered to your government agency to commit crimes.
>> As an end-user, you won't be able to SWIP information about the
>> rental, leading angry law enforcement officers to knock upon your door.
> 
> 
> Or they're the perfect set of addresses to use for criminal purposes.
> 
> ~Seth


Re: Government agency renting or selling IP space

2017-03-16 Thread Seth Mattinen

On 3/16/17 17:19, William Herrin wrote:

>> There's probably a legal mess around a government entity renting IP
>> addresses. If the entity is registered as an end user (instead of as
>> an ISP) then such rentals might also be considered fraudulent.
>
> On a purely pragmatic level, it's also an exceedingly bad idea to let
> a private party who may turn out to be a criminal use IP addresses
> authentically registered to your government agency to commit crimes.
> As an end-user, you won't be able to SWIP information about the
> rental, leading angry law enforcement officers to knock upon your door.



Or they're the perfect set of addresses to use for criminal purposes.

~Seth


Re: Government agency renting or selling IP space

2017-03-16 Thread William Herrin
> There's probably a legal mess around a government entity renting IP
> addresses. If the entity is registered as an end user (instead of as
> an ISP) then such rentals might also be considered fraudulent.

On a purely pragmatic level, it's also an exceedingly bad idea to let
a private party who may turn out to be a criminal use IP addresses
authentically registered to your government agency to commit crimes.
As an end-user, you won't be able to SWIP information about the
rental, leading angry law enforcement officers to knock upon your door.

Regards,
Bill Herrin


-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Dirtside Systems . Web: 


Re: Government agency renting or selling IP space

2017-03-16 Thread William Herrin
On Thu, Mar 16, 2017 at 7:12 PM, Mel Beckman  wrote:
> I have a government agency client with a number of /24s that they acquired 
> back in the
> 1990s when they operated as an ISP for other agencies. They are interested in 
> renting
> or selling these addresses. Are there any existing ARIN or other legal 
> restrictions
> against government organizations doing this?

Hi Mel,

The agency may follow the same "specified transfer" process as
everyone else to sell the addresses. See ARIN NRPM section 8.5.

There's probably a legal mess around a government entity renting IP
addresses. If the entity is registered as an end user (instead of as
an ISP) then such rentals might also be considered fraudulent.

Regards,
Bill Herrin



-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Dirtside Systems . Web: 


Government agency renting or selling IP space

2017-03-16 Thread Mel Beckman
I have a government agency client with a number of /24s that they acquired back 
in the 1990s when they operated as an ISP for other agencies. They are 
interested in renting or selling these addresses. Are there any existing ARIN 
or other legal restrictions against government organizations doing this?

 -mel beckman

Re: 4or6.con question

2017-03-16 Thread jimmy keffer
i finally got to Windows firewall hides some ports even when open
called stealth mode had to fix with this page
https://docs.storj.io/docs/windows-firewall-with-advanced-security-stealth-mode-applies-to-windows-vista-and-server-2008-and-higher

took 4 days to find it


Re: 4or6.con question

2017-03-16 Thread Alexandru Suciu via NANOG
If it's a Linux box, and most likely it is, and depending on the number of
hops from 4or6.com to your target machine, it is possible that the probes
reach you with higher port numbers than the ones you allowed.

For example this is what I get when I trace to google which is 10 hops
away. Probes that make it to 8.8.8.8 are 33462 and higher:

13:31:51.822851 IP 8.8.8.8 > 10.83.13.12: ICMP 8.8.8.8 udp port 33462 unreachable, length 68
13:31:51.822914 IP 8.8.8.8 > 10.83.13.12: ICMP 8.8.8.8 udp port 33461 unreachable, length 68

13:31:51.825698 IP 8.8.8.8 > 10.83.13.12: ICMP 8.8.8.8 udp port 33472 unreachable, length 68
13:31:51.828361 IP 8.8.8.8 > 10.83.13.12: ICMP 8.8.8.8 udp port 33473 unreachable, length 68
13:31:51.828375 IP 8.8.8.8 > 10.83.13.12: ICMP 8.8.8.8 udp port 33474 unreachable, length 68

Try and allow ports till 40k for the duration of the test and see if
there is any change.
Also might be worth trying an ICMP test, get the source IP and then permit
all traffic for that IP and check if that helps.

Are you behind NAT? Maybe the probes stop at the router that is doing the
NAT.
Lastly, does the traceroute make it anywhere near you, like the subnet your
public IP is in? Does it fail on the last hop (your machine) or does it fail
somewhere in the middle?



On Wed, Mar 15, 2017 at 3:25 PM, jimmy keffer 
wrote:

> does anyone know what ports 4or6.com uses for udp traceroute its failing
> on my Windows firewall i opened 33434-33464 udp but no help i googled
> but can't find
> jimmy
>



-- 
Alexandru Suciu
Technical Solutions Engineer - EMEA
e. asu...@arista.com
m.  +1 866-476-
*www.arista.com* 




4or6.con question

2017-03-16 Thread jimmy keffer
does anyone know what ports 4or6.com uses for udp traceroute its failing
on my Windows firewall i opened 33434-33464 udp but no help i googled
but can't find
jimmy