Re: Gmail (thus Nanog) rejecting ipv6 email

2022-04-03 Thread John Levine
It appears that Bjørn Mork  said:
>Google has been trying to move away from Internet email for many years
>now.  Just let them.  There is no way you can "fix" that problem on your
>side.

Don't be silly.  Gmail has over a billion users and hosts mail for
vast numbers of businesses large and small.

I agree that they are stricter than many others at mail authentication
but considering how big they are, they do a very good job of doing what
the standards say.  Way better than Y**o* or M*o**.

R's,
John
-- 
Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly


Re: Gmail (thus Nanog) rejecting ipv6 email

2022-04-03 Thread John Levine
It appears that Michael Thomas  said:
>
>On 4/3/22 12:12 PM, Bjørn Mork wrote:
>> On a slightly related subject... This DKIM failure surprised me, but at
>> least I verified that many NANOG subscribers have mailservers returning
>> DMARC failure reports ;-)
>
>Oh wow, you should report that to Murray.

It's on Github, so you can open an issue and if you're
feeling inspired a fork and a patch.  There's currently
67 open issues and 15 pull requests so don't hold your breath.

https://github.com/trusteddomainproject/OpenDKIM

R's,
John

>> Bjørn Mork  writes:
>>
>>> Authentication-Results: mx.google.com;
>>>   dkim=fail header.i=@mork.no header.s=b header.b=NB0BT8Ez;
>>>   spf=pass (google.com: best guess record for domain of bj...@miraculix.mork.no
>>>   designates 2001:41c8:51:8a:feff:ff:fe00:e5 as permitted sender)
>>>   smtp.mailfrom=bj...@miraculix.mork.no;
>>>   dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mork.no
>>> Received: from canardo.dyn.mork.no ([IPv6:2a01:799:c9f:8600:0:0:0:1])
>>>   (authenticated bits=0)
>>>   by louie.mork.no (8.15.2/8.15.2) with ESMTPSA id 233IGnGC342047
>>>   (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=OK);
>>>   Sun, 3 Apr 2022 19:16:50 +0100
>>> Received: from miraculix.mork.no ([IPv6:2a01:799:c9f:8602:8cd5:a7b0:d07:d516])
>>>   (authenticated bits=0)
>>>   by canardo.dyn.mork.no (8.15.2/8.15.2) with ESMTPSA id 233IGnKb1147676
>>>   (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=OK);
>>>   Sun, 3 Apr 2022 20:16:49 +0200
>>> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mork.no; s=b;
>>>   t=1649009809; bh=ZByFGHIiZPQYmJjQnCv16CXFZhKG8U3fTayR+Mx3piY=;
>>>   h=From:To:Cc:Subject:References:Date:Message-ID:From;
>>>   b=NB0BT8EzJBl2E3jzDaz7QY4C/utMGKFF+HCs8qjQFoHA4JHTD21ZkTk34jp2VOiJ0
>>>   pYWHUNXCNaEBK44Hr4U96h5pfXor+dqo0cSuRPTLNnRsoLAQg2kqmQkvylagdeezZc
>>>   4p+jQEQv5La2KbjzEIvW6iSGwwe4ltT9hu7h0H8U=
>>> Received: (nullmailer pid 389787 invoked by uid 1000);
>>>   Sun, 03 Apr 2022 18:16:48 -
>>> From: =?utf-8?Q?Bj=C3=B8rn_Mork?= 
>>> To: Randy Bush 
>>> Cc: John Levine ,
>>>  "North American Network Operators' Group" 
>>> Subject: Re: Gmail (thus Nanog) rejecting ipv6 email
>>> Organization: m
>>> References: <875ynqcvsl@miraculix.mork.no>
>>>   <20220403164123.4ce413a4b...@ary.qy> 
>>> Date: Sun, 03 Apr 2022 20:16:48 +0200
>>> In-Reply-To:  (Randy Bush's message of "Sun, 03
>>>   Apr 2022 10:50:06 -0700")
>>> Message-ID: <87v8vqav73@miraculix.mork.no>
>>
>> Did a little testing, and it looks like opendkim creates a bogus
>> signature if a quoted-string display name in a To or Cc header contains
>> an apostrophe. Not good at all.


Re: antique CGN complaints, was V6 still not supported

2022-04-04 Thread John Levine
It appears that JORDI PALET MARTINEZ via NANOG said:
>Related to the LEA agencies and CGN:
>
>https://www.europol.europa.eu/media-press/newsroom/news/are-you-sharing-same-ip-address-criminal-law-enforcement-call-for-end-of-carrier-grade-nat-cgn-to-increase-accountability-online

Before we freak out too much, you might note that this page is dated 17 Oct 2017.

I'm pretty sure that CGNs didn't disappear four years ago.

R's,
John


Re: Court orders for blocking of streaming services

2022-05-05 Thread John Levine
It appears that Joe Greco  said:
>While the issue of domains being confiscated and being handed over to a
>prevailing plaintiff for an international domain with no obvious nexus
>to the United States ...

Most of the domains do have US nexus. Two are in .TV, one in .COM,
both run by Verisign, one in .XYZ which is assigned to an LLC in Las
Vegas, registered via registrar Namecheap which is in Phoenix. .DEV is
Google, again registered via Namecheap. The ones in .AC .LY .TO and
the non-existent .ISR, not so much.

I agree that the rest of the language demanding that every ISP,
hosting provider, credit union, bank, and presumably nail salon and
coin laundry in the US stop serving the defendants is nuts.

The defendants didn't show up in court so the plaintiffs would have
provided a proposed order which it looks like the court just rubber
stamped. That was pretty sloppy of her.

R's,
John


Re: Question re prevention of enumeration with DNSSEC (NSEC3, etc.)

2022-05-08 Thread John Levine
It appears that Ray Bellis  said:
>> On March 27, 1991, in a case that transformed the nascent online database
>> publishing industry, the Supreme Court ruled unanimously that there is no
>> copyright protection for purely factual products such as a telephone
>> directory white pages.
>
>I wasn’t talking about US law…

Is there any case law where someone has asserted a database right for a DNS zone?

It seems like a rather stupid thing to do. If someone asserted such a
right, I would make sure not to infringe it by ensuring no entries
from that database entered my DNS caches or other software.

Also, I see that in a decision last year the ECJ required "substantial
extraction" also caused "significant detriment" to the investment in
the database.  I'm having trouble coming up with a scenario in which copying
even the entire thing would impair the investment unless they are going to
assert that the structure of the names somehow gave away secrets about their
business plans.

R's,
John


Re: Question re prevention of enumeration with DNSSEC (NSEC3, etc.)

2022-05-09 Thread John Levine
It appears that Ray Bellis  said:
>
>> Is there any case law where someone has asserted a database right for a DNS 
>> zone?
>
>> It seems like a rather stupid thing to do. If someone asserted such a
>> right, I would make sure not to infringe it by ensuring no entries
>> from that database entered my DNS caches or other software.
>
>It wasn’t the zone itself as such - the concern was use of enumerated zone 
>data to then perform bulk collection of Whois data.

It's perfectly reasonable to claim a database right in the WHOIS data,
but the offense is scraping WHOIS, not enumerating the DNS zone.

I could enumerate the DNS zone twice a day every day and so long as I stayed
away from WHOIS, nobody would notice or care.

R's,
John


Re: Re: 10 Do's + Don'ts for Visiting Québec + Register Now for N85!

2022-05-09 Thread John Levine
It appears that Laura Smith via NANOG  said:
>
>--- Original Message ---
>On Friday, May 6th, 2022 at 13:59, J EMail <70ford...@gmail.com> wrote:
>
>> poutine should be on this list.
>
>God no ! 
>There are many great things about Canada and Québec  but poutine most 
>certainly is not. A culinary abomination that deserves to be confined to the 
>history books.

I dunno.  The foie gras poutine at Au Pied de Cochon, on R. Duluth in the 
plateau, is pretty darn tasty.

R's,
John





Re: Question re prevention of enumeration with DNSSEC (NSEC3, etc.)

2022-05-09 Thread John Levine
It appears that Rubens Kuhl  said:
>> It's perfectly reasonable to claim a database right in the WHOIS data,
>> but the offense is scraping WHOIS, not enumerating the DNS zone. ...

>The zone file could be seen as an accessory to the database rip-off.
>For instance, it would be hard to see such a dependency on Alexa 1M
>top domains, since they are already enumerated. But some spam actors
>deliberately compared zone file editions to single out additions, and
>then harass the owners of newly registered domains, both by e-mail and
>phone.

Yeah, I know, and some of us download and diff zone files every day to
see what's new to track abuse trends.  That doesn't annoy anyone other
than perhaps people whose phish campaigns it might disrupt.

Once again, the issue is WHOIS scraping, not the DNS.

R's,
John
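
The daily zone-file diff mentioned in this message, as an added example that is not part of the original post or of anyone's production tooling: it parses two constructed snapshots in master-file format, reports added, removed and re-delegated names, and groups the new names by shared nameserver for abuse-trend review. The simplified parser, the sample zones and all function names are assumptions.

```python
"""Added example: diff two zone-file snapshots to list new delegations."""
import re

# Constructed snapshots in DNS master-file format; every name is made up.
YESTERDAY = """\
$ORIGIN example.
$TTL 86400
@            IN SOA a.nic.example. hostmaster.nic.example. 2022050801 1800 900 604800 86400
@            IN NS  a.nic.example.
alpha        IN NS  ns1.alpha.example.
             IN NS  ns2.alpha.example.
bravo  3600  IN NS  ns1.hosting.test.
charlie      IN NS  ns1.hosting.test.
ns1.alpha    IN A   192.0.2.1        ; glue, ignored
"""
TODAY = """\
$ORIGIN example.
$TTL 86400
@            IN SOA a.nic.example. hostmaster.nic.example. 2022050901 1800 900 604800 86400
@            IN NS  a.nic.example.
alpha        IN NS  ns1.alpha.example.
             IN NS  ns2.alpha.example.
bravo  3600  IN NS  ns1.parking.test.
delta        IN NS  ns1.bulk.test.
DELTA        IN NS  ns2.bulk.test.
echo         IN NS  ns1.bulk.test.
foxtrot.example. IN NS ns1.bulk.test.
ns1.alpha    IN A   192.0.2.1
"""

_TTL = re.compile(r"\d+|(\d+[smhdw])+", re.I)   # 3600 or BIND-style 1h30m
_CLASSES = {"IN", "CH", "HS"}


def _absolute(name, origin):
    """Lower-case a name and qualify it against the current $ORIGIN."""
    name = name.lower()
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else name + "." + origin


def parse_delegations(zone_text, origin="."):
    """Return {delegated name: set of nameservers} from one-record-per-line
    master-file text. Multi-line ( ... ) records are not handled here."""
    origin = origin.lower()
    owner = None
    delegations = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        fields = line.split()
        if fields[0].upper() == "$ORIGIN":
            origin = _absolute(fields[1], origin)
            continue
        if fields[0].startswith("$"):               # $TTL, $INCLUDE, ...
            continue
        if not raw[0].isspace():                    # blank owner = previous owner
            owner = _absolute(fields.pop(0), origin)
        while fields and (_TTL.fullmatch(fields[0]) or fields[0].upper() in _CLASSES):
            fields.pop(0)                           # TTL and class are optional
        if owner is None or len(fields) < 2 or fields[0].upper() != "NS":
            continue
        if owner == origin:                         # apex NS is not a delegation
            continue
        delegations.setdefault(owner, set()).add(_absolute(fields[1], origin))
    return delegations


def diff_delegations(old, new):
    """Compare two parse_delegations() results."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "ns_changed": sorted(n for n in set(old) & set(new) if old[n] != new[n]),
    }


def new_names_by_nameserver(new, added, min_names=2):
    """Group newly added names by nameserver; many new names behind one
    nameserver on the same day is a pattern worth a closer look."""
    by_ns = {}
    for name in added:
        for ns in new[name]:
            by_ns.setdefault(ns, []).append(name)
    return {ns: names for ns, names in sorted(by_ns.items()) if len(names) >= min_names}


if __name__ == "__main__":
    old, new = parse_delegations(YESTERDAY), parse_delegations(TODAY)
    delta = diff_delegations(old, new)
    print(delta)
    print(new_names_by_nameserver(new, delta["added"]))
```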


Re: FCC proposes higher speed goals (100/20 Mbps) for USF providers

2022-05-30 Thread John Levine
It appears that Owen DeLong via NANOG  said:
>Forgive me if I have little or no sympathy for them.

The laws of physics make it rather difficult to provide symmetrical speeds on
shared media like coax or cellular radio.  As wired networks move to all fiber
they'll get more symmetrical but in the meantime I expect that Comcast,
Spectrum, Cox, AT&T, Verizon, and T-Mobile are deeply troubled by your
disapproval.

R's,
John

>> On May 29, 2022, at 14:10, Eric Kuhnke wrote:
>>
>> This is going to be very painful and difficult for a number of DOCSIS3
>> operators, including some of the largest ISPs in the USA with
>> multi-millions of subscribers with tons of legacy coax plant that have no
>> intention of ever changing the RF channel setup and downstream/upstream
>> asymmetric bandwidth allocation to provide more than 15-20Mbps upstream
>> per home.
>>
>> On Thu, 26 May 2022 at 16:59, Jeff Shultz wrote:
>> I think we have a winner here - we don't necessarily need 1G down, but we do
>> need to get the upload speeds up to symmetrical 50/50, 100/100 etc... there
>> are enough people putting in HD security cameras and the like that upstream
>> speeds are beginning to be an issue.
>>
>> On Tue, May 24, 2022 at 4:37 AM David Bass wrote:
>> The real problem most users experience isn’t that they have a gig, or even
>> 100Mb of available download bandwidth…it’s that they infrequently are able
>> to use that full bandwidth due to massive over subscription.
>>
>> The other issue is the minimal upload speed.  It’s fairly easy to consume
>> the 10Mb that you’re typically getting as a residential customer.  Even
>> “business class” broadband service has a pretty poor upload bandwidth limit.
>>
>> We are a pretty high usage family, and 100/10 has been adequate, but there’s
>> been times when we are pegged at the 10 Mb upload limit, and we start to
>> see issues.
>>
>> I’d say 25/5 is a minimum for a single person.
>>
>> Would 1 gig be nice…yeah as long as the upload speed is dramatically
>> increased as part of that.  We would rarely use it, but that would likely
>> be sufficient for a long time.  I wouldn’t pay for the extra at this point
>> though.



Re: FCC vs FAA Story

2022-06-05 Thread John Levine
It appears that Crist Clark  said:
>ProPublica published an investigative report on it last week,
>
>https://www.propublica.org/article/fcc-faa-5g-planes-trump-biden
>
>Whaddya know. Plenty of blame to go around. Government regulative bodies
>captured by the industries they’re supposed to regulate. The usual stuff.

That piece has way too much inside baseball and misses the actual question
of whether C band radios would break radio altimeters.

Harold Feld did a much better job in November:

https://wetmachine.com/tales-of-the-sausage-factory/what-the-eff-faa-my-insanely-long-field-guide-to-the-faa-fcc-5g-c-band-fight/

R's,
John


Re: FCC vs FAA Story

2022-06-05 Thread John Levine
It appears that Miles Fidelman  said:
>> Harold Feld did a much better job in November:
>>
>> https://wetmachine.com/tales-of-the-sausage-factory/what-the-eff-faa-my-insanely-long-field-guide-to-the-faa-fcc-5g-c-band-fight/
>Well... a bit better look at the politics & motivations of the folks 
>involved.  Still doesn't address whether or not C band radios break 
>radio altimeters.

 To translate from the FCC-esse: “Air industry, we cannot screw over
 the U.S. deployment in 5G by taking the single largest, most useful
 allocation of 5G spectrum off the shelf indefinitely because a handful
 of older, crappy altimeters might under some wildly improbable set of
 circumstances experience harmful interference. While we take air
 safety issues seriously, you guys are gonna need to recognize that “no
 5G in lower C-Band” is not a realistic expectation. So please work
 with the wireless industry here to figure out if you are going to need
 to get people to upgrade their equipment.”

Also this link from the article, which is self-serving but I believe
their numbers are accurate:

https://www.5gandaviation.com/

R's,
John


Re: What say you, nanog re: Starlink vs 5G?

2022-06-23 Thread John Levine
It appears that Eric Kuhnke  said:
>Adding a terrestrial transmitter source mounted on towers and with CPEs
>that stomps on the same frequencies as the last 20 years of existing two
>way VSAT terminals throughout the US seems like a bad idea. Even if you
>ignore the existence of Starlink, there's a myriad of low bandwidth but
>critical SCADA systems out there and remote locations on ku-band two way
>geostationary terminals right now.

I think the original thought was that the satellite service would be used in
rural areas and 5G in cities so there'd be geographic separation, but Starlink
is selling service all over the place.



Re: ICANN

2022-07-08 Thread John Levine
It appears that Keith Medcalf  said:
>
>Does anyone have contact information (or address for service of legal
>documents) for ICANN?  Their web site does not appear to contain contact
>information.

If you really wish to send such a letter, I would send it by paper mail,
attn General Counsel.  Their address is on the web site.  But first ...

>ICANN apparently promulgates a policy which requires clickage on spam
>links in e-mail.  I intend to sue them for trillions of dollars for this
>policy.

Could you give us some hints about the legal theory under which you believe
they are liable?  ICANN is incorporated in California so only laws that apply
in the US matter.

R's,
John


Re: Sigh, friends don't let politicians write tech laws

2022-07-29 Thread John Levine
It appears that Michael Thomas  said:
>https://www.congress.gov/bill/117th-congress/senate-bill/4409/text?r=9&s=1
>
>the body of the proposed law:

This bill was filed by a bunch of the usual right wing suspects about
a month ago.  It was referred to committee, like all filed bills, and
I very much doubt it will ever emerge.

The US congress is not a parliamentary system and even bills from 
members of the majority party usually go nowhere.

R's,
John


Re: IERS ponders reverse leapsecond...

2022-08-04 Thread John Levine
>> > General press loses its *mind*:

No more than usual.  They're just rewriting this Facebook blog post:

https://engineering.fb.com/2022/07/25/production-engineering/its-time-to-leave-the-leap-second-in-the-past/

It appears that Forrest Christian (List Account)  said:
>Personally I'd like to see the UTC timescale be fixed to the TAI timescale
>with a fixed offset determined by whatever the offset is when they make the
>change.

That's what Facebook, Google, and AWS want, too.  Who knows, for once they might be right.



Re: U.S. Court PACER system overloaded by public interest

2022-08-27 Thread John Levine
It appears that Jeffrey Ollie  said:
>Anyone that regularly uses PACER should absolutely be using
>https://www.courtlistener.com/.

And the RECAP browser plugin, which both looks in courtlistener
for you, and uploads copies to it when you do a PACER download.
(The actual documents are public, only the downloading costs money.)

Start here: https://free.law/recap

R's,
John


Re: FCC chairwoman: Fines alone aren't enough (Robocalls)

2022-10-06 Thread John Levine
It appears that Matthew Black  said:
>This might have been what I read years ago:
>
>Teltech Systems Inc. v. Bryant, 5th Cir., No. 12-60027

No, that just said that federal law preempts a Mississippi state law
that purported to regulate Caller ID.

The federal law in 47 USC 227(e) says:

(1)In general 

 It shall be unlawful for any person within the United
 States, or any person outside the United States if the recipient is
 within the United States, in connection with any voice service or text
 messaging service, to cause any caller identification service to
 knowingly transmit misleading or inaccurate caller identification
 information with the intent to defraud, cause harm, or wrongfully
 obtain anything of value, unless such transmission is exempted
 pursuant to paragraph (3)(B).

In (3)(B) is a narrow carve-out for law enforcement and court orders.

The important point is that spoofing is illegal with fraudulent
intent, OK with benign intent.

R's,
John


Re: txt.att.net outage?

2023-01-20 Thread John Levine
It appears that Simmons, Jay via NANOG  said:
>This may be the issue

Sorry, but no.

>Here are some details on this Government protocol implemented by all Telecom 
>Carriers.
>
>Why it is being done? To support FCC mandate for STIR/SHAKEN, an industry set 
>of rules designed to authenticate
>and validate CallerID information associated with phone calls using digital 
>signatures.
>
>SHAKEN/STIR ...

STIR/SHAKEN only affects voice calls.  It has nothing to do with SMS.

As several other people have said, if you're sending safety critical SMS
messages, use a real SMS service, not a carrier's courtesy low volume e-mail
gateway.

SMS services are not free, but they are not expensive, typically about 1/2 cent
per message.

R's,
John


Re: Smaller than a /24 for BGP?

2023-01-24 Thread John Levine
It appears that Chris J. Ruschmann  said:
>How do you plan on getting rid of all the filters that don’t accept anything 
>less than a /24?
>
>In all seriousness If I have these, I’d imagine everyone else does too.

Right. Since the Internet has no settlements, there is no way to
persuade a network of whom you are not a customer to accept your
announcements if they don't want to, and even for the largest
networks, that is 99% of the other networks in the world. So no,
they're not going to accept your /25 no matter how deeply you believe
that they should.

I'm kind of surprised that we haven't seen pushback against sloppily
disaggregated announcements.  It is my impression that the route table
would be appreciably smaller if a few networks combined a bunch of
adjacent /24's into larger blocks.

R's,
John


Is malicious asymmetrical routing still a thing?

2023-03-09 Thread John Levine
Back in the olden days, a spammer would set up a server with a fast
broadband connection and a dialup connection, and send out lots of
spam over the broadband connection using the dialup's IP address.  Since
mail traffic is quite asymmetric, this got them most of the broadband
speed, and when the dialup provider cancelled their service, they could
just dial into someone else.  Or maybe work through that giant pile of
AOL CD-ROMs we all had.  The broadband provider often wouldn't notice
since it wasn't their IP and they didn't get the complaints.

Is this still a thing? Broadband providers fixed this by some
combination of filtering port 25 traffic both ways, and BCP38 so you
can only send packets with your own address. Do providers do both of
these? More of one than the other? TIA.

R's,
John


Re: Treasurydirect.gov unreachable over IPv6?

2023-05-17 Thread John Levine
It appears that holow29  said:
>Is anyone able to reach treasurydirect.gov over IPv6? Unable to do so over
>Verizon Fios, and I'm not sure if it is a routing issue or an issue on
>Treasury's end.

Works fine via a HE tunnel.

R's,
John


Re: Northern Virginia has had enough with data centers

2023-06-28 Thread John Levine
It appears that Michael Thomas  said:
>
>On 6/26/23 6:06 PM, Ron Yokubaitis wrote:
>> Dalles: government subsidized Hydroelectric Power, that’s why.
>
>Well that maybe, but electric rates are hella cheap in Oregon regardless.

Well, yeah, that's what he said although I would argue about the
subsidy part. The feds subsidized construction somewhere between 50
and 90 years ago, but the power charges have paid for O+M since then.
If you have the right geography, hydro is really cheap. Just ask the
people in Labrador who sell their power to Hydro Quebec for 0.2c/kWh.

By the way, here in the decadent northeast I pay about 9.5c/kwh
retail. What are the prices like in Oregon?

R's,
John


Re: whois server

2023-07-14 Thread John Levine
It appears that Matt Corallo  said:
>But, like they say, modern whois knows where to look, no need to use anything
>else, I think as long as you're not stuck trying to use macOS or something
>else shipping weird ancient un-updated unix tools.

If you're inclined to roll your own, I keep a set of whois server
pointers at .whois.services.net so for example
aero.whois.services.net is a CNAME for the whois server for .aero. I
update it daily using the info in the IANA database and a bunch of
kludges to fill in the gaps.

There's a similar set at .whois-servers.net which seems to be
less up to date.

R's,
John

PS: Someday I'll do it for rDNS, too.
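
A roll-your-own client for the pointer scheme described in this message, as an added example that is not the poster's code: it derives the pointer name from the TLD (following the post's `aero.whois.services.net` example), lets the resolver follow the CNAME, and sends a port-43 query. The function names, the input validation and the injectable `connect` parameter are assumptions made for this sketch.

```python
"""Added example: whois lookup via per-TLD CNAME pointers."""
import re
import socket

POINTER_ZONE = "whois.services.net"   # pointer zone named in the post
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def normalize(domain):
    """Return the ASCII (IDNA) form of a domain, or raise ValueError.

    WHOIS is a one-line text protocol, so anything outside hostname
    characters (CR/LF in particular) must never reach the query line.
    """
    name = domain.strip().rstrip(".").lower()
    try:
        ascii_name = name.encode("idna").decode("ascii")
    except UnicodeError as exc:
        raise ValueError(f"not a valid domain name: {domain!r}") from exc
    labels = ascii_name.split(".")
    if len(labels) < 2 or not all(_LABEL.fullmatch(label) for label in labels):
        raise ValueError(f"not a valid domain name: {domain!r}")
    return ascii_name


def pointer_host(domain):
    """Name whose CNAME target is the whois server for the domain's TLD."""
    tld = normalize(domain).rsplit(".", 1)[1]
    return f"{tld}.{POINTER_ZONE}"


def whois_query(domain, connect=socket.create_connection, timeout=10):
    """Query the TLD's whois server on port 43 and return the reply text.

    Connecting to the pointer name is enough: the stub resolver follows
    the CNAME to whatever server the pointer currently names.
    """
    name = normalize(domain)
    with connect((pointer_host(name), 43), timeout) as sock:
        sock.sendall(name.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:            # server closes the connection when done
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Offline part only; whois_query("example.aero") performs the network call.
    print(pointer_host("example.aero"))
```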


Re: Historical info on how 'x.com' came to be registered

2023-07-28 Thread John Levine
It appears that Drew Weaver  said:
>Does anyone have any historical information on how 'x.com' came to be 
>registered even though single letters were reserved?
>
>Is there a story or is it as simple as it was registered prior to the 
>reservation?

Here's a story about its history.  It's very old, from 1992.

https://jimmysoni.substack.com/p/the-colorful-history-of-xcom-aka

R's,
John


Re: Hawaiian ILEC infrastructure and fire

2023-08-16 Thread John Levine
According to Eric Kuhnke :
>It's my understanding that the Hawaiian ILEC is now owned by Cincinnati
>Bell, which is also a unique historical artifact, as it was its own
>independent corporation/operating entity in the region of Cincinnati during
>the era of the pre-1984 Bell system.

Not that unique, SNET was also a Bell affiliate in most of Connecticut.

Hawaiian Tel has a very painful history. It was independent until
1967, then bought by GTE, then merged into Verizon along with the rest
of GTE in 2000, then sold to a hedge fund in 2004 which knew nothing
about telephony and ran it into bankruptcy, then an independent public
company from 2010 to 2017, when it was bought by Cincinnati Bell,
which in turn was bought in 2021 by Australian conglomerate Macquarie.

Running phone systems on islands is very expensive. There's only
160,000 people on Maui, about the same as Salinas CA, but separated
from the rest of the world by a lot of water.

-- 
Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly



Re: it's mailman time again

2023-09-02 Thread John Levine
It appears that Rich Kulawiec  said:
>On Fri, Sep 01, 2023 at 10:16:05AM -0700, Randy Bush wrote:
>> and i just have to wonder about sending passwords over the net in
>> cleartext in 2023.  really?
>
>This is a non-issue.

It's like changing your password, it sort of made sense in the 1980s
when networks meant coax Ethernets and bored students could sniff
passwords, and now it's cargo cult security. These days the only
sniffable shared media left is passwordless wifi and even there as you
note, mail all goes through TLS tunnels.



Re: it's mailman time again

2023-09-02 Thread John Levine
It appears that Aaron de Bruyn via NANOG  said:
>I donno Rich...a couple of decades ago I lost my Slashdot account because 
>someone was able to access it.
>I used the password in two places...Slashdot and all the blasted mailman 
>instances I was signed up with.

I can believe that your Slashdot account got hacked, but why do you
think that's because someone read a monthly mailing list reminder,
figured out how to connect that list to your Slashdot account, and
broke in? That's quite a stretch.

More likely some Slashdot subcontractor sold it*, or you logged in
from a device that was compromised somehow. Or maybe it was just brute
forced.

R's,
John

* - I use tagged email on all my subscriptions and it's amazing how
passwords leak from places like the Wall Street Journal and the
Economist who really should know better. On the other hand, the NY
Times and WaPo don't leak, so pick your subcontractors carefully.


Re: We have it here, including the conclusions (was Re: Special Counsel Office report web site)

2019-04-18 Thread John Levine
In article  you write:
>Oops..the link would be helpful, sorry!
>
>We have made the full report available here, including conclusions (full 
>report both embedded by iframe, and linked to the actual report at DOJ).

The DOJ web site is hosted on Akamai's CDN.  I don't think anyone's
had trouble getting to it or downloading the report.  I certainly didn't.



Re: Packetstream - how does this not violate just about every provider's ToS?

2019-04-25 Thread John Levine
In article  you write:
>feeling cranky, are we, job?   (accusing an antispam expert of spamming on a 
>mailing list by having too long a .sig?)
>but it’s true!  anne runs the internet, and the rest of us (except for ICANN 
>GAC representatives) all accept that.
>
>to actually try to make a more substantial point, i am quite curious how the
>AUPs of carriers try to disallow bandwidth resale while permitting
>
>• cybercafe operations and other “free wifi” (where internet service might be
>  provided for patrons in a hotel or cafe)
>• wireless access point schemes where you make money or get credit for
>  allowing use of your bandwidth (e.g. Fon)
>• other proxy services that use bandwidth such as tor exit nodes and openvpn
>  gateways

To belabor the fairly obvious, residential and business service are
different even if the technology is the same.  For example, Comcast's
residential TOS says:

  You agree that the Service(s) and the Xfinity Equipment will be used
  only for personal, residential, non-commercial purposes, unless
  otherwise specifically authorized by us in writing. You are prohibited
  from reselling or permitting another to resell the Service(s) in whole
  or in part, ... [ long list of other forbidden things ]

Their business TOS is different.  It says no third party use unless
your agreement permits it, so I presume they have a coffee shop plan.
(The agreements don't seem to be on their web site.)  I'd also observe
that coffee shop wifi isn't "resale" since it's free, it's an amenity.

As to how do these guys think they'll get away with it, my guess is
that they heard that "disruption" means ignoring laws and contracts
and someone told them that is a good thing.

R's,
John


Re: Packetstream - how does this not violate just about every provider's ToS?

2019-04-26 Thread John Levine
In article <44a32613-a255-44eb-a094-cee68b6d088a@Spark> you write:
>particularly "interesting" when someone downloads CP (or, as it now seems to 
>be called, CSAM) using their
>ipaddr and causes them to become a Person of Interest.

I was thinking the same thing, that'll do it.  Or maybe videos showing
how to behead members of religious or cultural groups against whom
someone holds a grudge.



Re: Packetstream - how does this not violate just about every provider's ToS?

2019-04-26 Thread John Levine
In article <003d01d4fc27$ba0bb300$2e231900$@netconsultings.com> you write:
>But isn't there a law in US that protects oblivious or outright simple-minded
>population from falling for these type of "easy money" schemes by
>prohibiting these types of business? 

If it became popular enough to be annoying I expect that the large
cable or phone providers could claim tortious interference by inducing
their customers to violate their contracts.

I assumed that something this sleazy would be offshore, but their
terms of service say they're in Los Angeles.



Re: any interesting/useful resources available to IPv6 only?

2019-05-06 Thread John Levine
In article  you write:
>Another provider offering discounted IPv6 only VPSes is gandi.net
>
>https://www.gandi.net/en/cloud -- the two cheapest options "XS-V6" and 
>"Small - IPv6" are IPv6 only.

That's not very persuasive since even their v6 only prices are pretty
high.  Gandi charges $13.10 for 1GB RAM and 20GB disk.  Amazon will
give you 1GB RAM and 40GB of disk and a v4 address for $5/mo.  I like
Gandi just fine but those v6 VPS only make sense as a back end to
something else.  It will be a very long time until there are public
services that anyone cares about on v6 only.

There are perfectly good reasons to use v6: no NAT in front of your
devices, every service gets its own IP, better connections to devices
on mobile networks and home networks that are behind v4 NATs.

R's,
John



Re: any interesting/useful resources available to IPv6 only?

2019-05-06 Thread John Levine
In article <3ccd8c9a687b1a780c7f2e0f9e89b6d55ccdb2a7.ca...@interlinx.bc.ca> you write:
>But the case I am making is to PHBs, not engineers and I am trying to
>find a path of least resistance.

Oh, then tell them that IPv4 addresses now cost (wave hands) ten bucks
each while IPv6 addresses are free because there's so many more of
them.  The sooner you're able to run your own infrastructure on v6,
the longer your now-valuable v4 addresses will last.

I wouldn't say it's strictly true, but it's less false than claiming
there will be services other places you can only get to on v6.



Re: What can ISPs do better? Removing racism out of internet

2019-08-06 Thread John Levine
In article <6956e76b-e6b7-409f-a636-c7607bfd8...@beckman.org> you write:
>Mehmet,
>
>I’m not sure if you understand the terms under which ISPs operate as “common 
>carriers”, and thus enjoy immunity from lawsuits due to the acts of their 
>customers.

ISPs in the U.S. are not carriers and never have been.  Even the ISPs
that are subsidiaries of telcos, which are common carriers for their
telco operations, are not common carriers for their ISPs.

This should not come as a surprise to anyone who's spent 15 minutes
looking at the relevant law.

ISPs are probably protected by 47 USC 230(c)(1) but all of the case
law I know is related to web sites or hosting providers.




Re: What can ISPs do better? Removing racism out of internet

2019-08-06 Thread John Levine
In article <56cbb25e-9a53-4e5e-b2cb-3e769112f...@truenet.com> you write:
>John,
>
>Seriously, just quote so people don’t have to look it up.  Honestly, though
>others are probably right in that case law usually will over-ride written law
>due to our legal structure.

Well, kind of, but in this particular case they're well aligned.

>> ISPs are probably protected by 47 USC 230(c)(1) but all of the case
>> law I know is related to web sites or hosting providers.
>
>[ (1)Treatment of publisher or speaker
> No provider or user of an interactive computer service shall be treated as 
> the publisher or speaker of any information provided by another information 
> content
>provider. ]
>
>Sounds great on paper, but sort of caught backpage in a quondam, perhaps 
>because they installed filters to begin with.

Keep reading and look at 47 USC 230(c)(2).

 No provider or user of an interactive computer service shall be held
 liable on account of— 

 (A) any action voluntarily taken in good faith to restrict access to
 or availability of material that the provider or user considers to be
 obscene, lewd, lascivious, filthy, excessively violent, harassing, or
 otherwise objectionable, whether or not such material is
 constitutionally protected; ...

Courts have construed "otherwise objectionable" very broadly.  It
includes spam filtering.

The section Mel has been trying to interpret is different, 17 USC
512(a) which says that if you're carrying traffic in a mechanical way
(defined in more detail, see the statute) you're not responsible for
copyright violations.  This is not even sort of like being a common
carrier, of course.


>Technically, will anyone else booting customer’s for any offense of TOS be 
>similar is still up for grabs, since it’s basically a political nightmare for
>lawyers right now.

No, really, it's not.  ISPs and CDNs don't have to provide service to
anyone.  I suppose a lawyer could make a case if a provider refused to
provide service to members of a protected class ("we don't serve black
people") but the kind of people you find on 8chan aren't a protected
class.

R's,
John


Re: DNS Recursive Operators: Please enable QNAME minimization (RFC7816) for the enhanced privacy of your users

2019-09-18 Thread John Levine
In article <8580e3e4-98b8-2828-e43f-6115c92fa...@massar.ch> you write:
>Currently though:
>
>use-application-dns.net. 172800 IN NS ns-cloud-b1.googledomains.com.
>use-application-dns.net. 172800 IN NS ns-cloud-b2.googledomains.com.
>use-application-dns.net. 172800 IN NS ns-cloud-b3.googledomains.com.
>use-application-dns.net. 172800 IN NS ns-cloud-b4.googledomains.com.

Nope.

;; ANSWER SECTION:

;; AUTHORITY SECTION:
use-application-dns.net. 172800  IN  NS  ns4-64.akam.net.
use-application-dns.net. 172800  IN  NS  ns7-66.akam.net.
use-application-dns.net. 172800  IN  NS  ns5-65.akam.net.
use-application-dns.net. 172800  IN  NS  ns1-240.akam.net.

$ drill @ns5-65.akam.net. use-application-dns.net a
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 48353
;; flags: qr aa rd ; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; use-application-dns.net. IN  A

;; ANSWER SECTION:
use-application-dns.net. 60  IN  A   185.199.108.153
use-application-dns.net. 60  IN  A   185.199.109.153
use-application-dns.net. 60  IN  A   185.199.111.153
use-application-dns.net. 60  IN  A   185.199.110.153

I have this special-cased in my own resolver, of course.

-- 
Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly


Re: This DNS over HTTP thing

2019-10-01 Thread John Levine
In article <20191001074011.n4xjouqg6lhsv...@nic.fr> you write:
>Note that the UK is probably the country in Europe with the biggest
>use of lying DNS resolvers for censorship. No wonder that the people
>who censor don't like anti-censorship techniques.

Most UK ISPs use the Internet Watch Foundation's advice intended to
block child sexual abuse material.

Circumventing it enables people to access that material.

We can shout CHILD PORNOGRAPHY just as loud as you can shout
CENSORSHIP so perhaps we should both stop now.  There are plenty of
valid reasons for a DNS resolver to block some results.

R's,
John





Re: This DNS over HTTP thing

2019-10-02 Thread John Levine
In article <146431.1569964368@turing-police> you write:
>On Tue, 01 Oct 2019 16:24:30 -0400, Warren Kumari said:
>
>> "More concretely, the experiment in Chrome 78 will **check if the
>> user’s current DNS provider** is among a list of DoH-compatible
>> providers, and upgrade to the equivalent DoH service **from the same
>> provider**. If the DNS provider isn’t in the list, Chrome will
>> **continue to operate as it does today.**"
>
>I suppose this is the point somebody has to put the words "nostrils", "tent",
>and "camel" in the same sentence?

This looks to me more like the tail end of the caravan.  Users have always been
at the mercy of their browsers, which have always done unexpected things.

Assuming we agree that automatically upgrading http requests to https
is OK, how is this any different?  Same endpoints, encrypted channel.

The Google people I've talked to are quite aware of the implications
of using a different DNS resolver and I would be surprised if they
ever did it without a very explicit request from the user.  In this
regard they are quite different from Mozilla who are impervious to the
reasons that sending random users' traffic to Cloudflare is not a good
idea.

R's,
John


Re: IPv6 Thought Experiment

2019-10-02 Thread John Levine
In article <5dcae7a8-1d33-4ea2-bbb1-7a3e8132d...@gmail.com> you write:
>What do you think would happen? Would it be the only way to reach 100% IPv6 
>deployment, or even that wouldn’t be sufficient?

If you have to impose an artificial tax to force people to use IPv6,
you've clearly admitted that IPv6 is a failure and can't stand on its
own merits.  Should this happen, I'd expect massive use of CGN to hide
entire networks behind a single IPv4 address, and a mass exodus of
hosting business to other places which are not so stupid.  Mobile networks
would be less affected because many of them are IPv6 internally already.

>What I am trying to understand is whether deploying IPv6 is a pure financial 
>problem.

To some degree, anything is a financial problem.  How about if I
charge you a hundred dollars for every packet you send using IP rather
than CLNS and CLNP and a thousand dollars for every virtual circuit
using TCP rather than X.25?







Re: IPv6 Pain Experiment

2019-10-02 Thread John Levine
In article  
you write:
>For a small organization with limited staff and small margins, I'm curious
>where the actual burden in supporting IPv6 lies. In my experience, it's not
>any more costly than deploying IPv4 is ...

Right, but that means it doubles your deployment costs since IPv4
isn't going away any time soon.  First you have to get IPv6 into your
network, directly or through a tunnel (thanks, HE.)  Then you have to
assign IPv6 addresses to every device that has a name, put that in
your DNS and configure the devices, either by whatever means the
device has (typically a web control panel) or maybe by a DHCP entry,
if the device can be persuaded to use DHCP rather than SLAAC.  In
many cases, notably web servers, you need yet more configuration to
connect each v6 address with whatever service the v6 address is
supposed to provide.

Then you have to set up firewall rules to match your v4 firewall rules.

Then you spin it all up, and you have to check that every device
actually does respond on its IPv6 address, and that it acts reasonably
to mixed v4 and v6 requests (so-called happy eyeballs.)

None of this is impossible, I've done it all, but I've also often
asked myself what exactly is the benefit of doing all this.  On my
home network the v4 stuff is behind a NAT so v6 allows me access
to devices from the outside (carefully managed with the firewall)
but on my hosted servers which have v4 addresses for everything, meh.



Re: This DNS over HTTP thing

2019-10-02 Thread John Levine
In article <804699748.1254612.1570037049931.javamail.zim...@baylink.com> you 
write:
>Tools. Are. Neutral.
>
>Any solution to a problem that involves outlawing or breaking tools will.
>Not. Solve. Your. Problem.

I think in the outside world you'll find very little support for an argument
that filtering DNS is fundamentally broken.

Sure, you can do it in broken ways, but it's going to be really hard
to persuade anyone that their lives are better if they have unfiltered
access to the malware links in their spam.



Re: This DNS over HTTP thing

2019-10-02 Thread John Levine
In article <6533015105f2d548812b4a445275b...@mail.dessus.com> you write:
>Having unfiltered access to the malware installed by links in spam is a 
>self-limiting problem.  Remove the DNS blocks and in
>rather short order the problem will go away as all the idiots click their way 
>to oblivion.

It must be wonderful to live in the world you live in.

Here in this world, that ain't how it works.

R's,
John


Re: IPv6 Pain Experiment

2019-10-03 Thread John Levine
In article  
you write:
>that gets me on to my small annoyance... /64 bit subnet masks for
>local networks. really?

Yup.

> ALL of that address space and then throw such
>a large range away on subnets commonly populated
>with no more than a couple of hundred clients...maybe a few thousand
>at worst. what a mistake.

Nope.  The whole point of 128 bit addresses is that you can waste bits
with wild abandon.  My upstream originally assigned me a /64 but since
I have two network segments, they gave me a /48, of which I am using
two /64s.  Since they have a /32, they won't run short of /48's until
they have 65,000 clients with multi segment networks, which will take
a very long time.  In the unlikely event that happens, they can
upgrade their /32 to a /31, since ARIN allocates the /32's with slop
between them.

The programming and configuration is much easier since we can always
assume that every network will have a /64 and no more and no less.


>I come from a background where we had IPv4/DECNET/AppleTalk/IPX all
>around the place - 

Unlike all of them, one mistake that IPv6 did *not* make was to make
addresses too short.

In the same way, IPv6 ULAs are a lot better than IPv4 RFC1918 space.
So long as you follow the spec and pick a truly random ULA prefix,
even if your networks later merge with others the chances of ULAs
colliding rounds to zero.
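
The arithmetic behind the message above (a /32 holding 65,536 /48s, each /48 holding 65,536 /64s, and randomly chosen ULA prefixes almost never colliding), as an added example that is not part of the original post. The function names are made up for illustration, the 40-bit Global ID is drawn from Python's `secrets` module rather than the SHA-1 procedure RFC 4193 suggests, and the RFC 1918 comparison assumes each site picks one of the 256 /24s in 192.168.0.0/16 uniformly at random.

```python
import ipaddress
import math
import secrets

# fd00::/8 is the locally assigned half of fc00::/7 (RFC 4193, L bit = 1).
ULA_SPACE = ipaddress.ip_network("fd00::/8")
GLOBAL_ID_BITS = 40          # random part of a ULA /48
SUBNET_ID_BITS = 16          # a /48 site carves its /64s out of these bits


def make_ula_prefix(global_id=None):
    """Return a ULA /48. With no argument, pick the 40-bit Global ID at random.

    Assumption: secrets.randbits() stands in for the pseudo-random
    procedure suggested in RFC 4193; the point is that the ID is random,
    not chosen by a human (fd00:1::/48, fd00:dead:beef::/48, ...).
    """
    if global_id is None:
        global_id = secrets.randbits(GLOBAL_ID_BITS)
    if not 0 <= global_id < 2 ** GLOBAL_ID_BITS:
        raise ValueError("Global ID must fit in 40 bits")
    base = int(ULA_SPACE.network_address)             # 0xfd in the top byte
    return ipaddress.IPv6Network((base | (global_id << 80), 48))


def nth_slash64(site, subnet_id):
    """Return the /64 with the given 16-bit subnet ID inside a /48 site."""
    if site.prefixlen != 48:
        raise ValueError("site prefix must be a /48")
    if not 0 <= subnet_id < 2 ** SUBNET_ID_BITS:
        raise ValueError("subnet ID must fit in 16 bits")
    return ipaddress.IPv6Network(
        (int(site.network_address) | (subnet_id << 64), 64))


def count_subprefixes(parent_len, child_len):
    """How many /child_len prefixes fit in one /parent_len prefix."""
    if child_len < parent_len:
        raise ValueError("child prefix must be longer than parent")
    return 2 ** (child_len - parent_len)


def collision_probability(n_sites, space_size):
    """Birthday bound: chance that at least two of n_sites independently
    and uniformly chosen prefixes (out of space_size) are identical.

    Computed in log space so tiny probabilities are not rounded to 0.
    """
    if n_sites < 2:
        return 0.0
    if n_sites > space_size:
        return 1.0                                    # pigeonhole
    log_no_collision = sum(
        math.log1p(-i / space_size) for i in range(1, n_sites))
    return -math.expm1(log_no_collision)


if __name__ == "__main__":
    site = make_ula_prefix()
    print("random ULA site prefix:", site)
    print("first two segments    :", nth_slash64(site, 0), nth_slash64(site, 1))
    print("/48s in a /32         :", count_subprefixes(32, 48))
    print("/64s in a /48         :", count_subprefixes(48, 64))
    for n in (2, 100, 10_000):
        ula = collision_probability(n, 2 ** GLOBAL_ID_BITS)
        v4 = collision_probability(n, 256)
        print(f"{n:>6} merged sites: ULA {ula:.3e}   192.168.x.0/24 {v4:.3f}")
```

The guarantee only holds for prefixes that were actually drawn at random; hand-picked Global IDs collide the same way 192.168.1.0/24 does.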



Re: IPv6 Pain Experiment

2019-10-03 Thread John Levine
In article  
you write:
>Doug Barton wrote:
>
>> Not if you configure your services (like DNS) with static addresses, 
>> which as we've already discussed is not only possible, but easy.

Yup.

>Automatic renumbering involving DNS was important design goal
>of IPv6 with reasons.

News flash: nobody used the A6 RRTYPE which was intended to support
IPv6 renumbering.  In 2002, RFC 3363 made A6 experimental. In 2012,
RFC 6563 made A6 historic.

These days we all use , and we assign static addresses to our IPv6
servers.

R's,
John



Re: worse than IPv6 Pain Experiment

2019-10-09 Thread John Levine
In article <23963.65395.763065.591...@gargle.gargle.howl> you write:
>So I proposed we dump numeric addresses entirely and use basically
>URLs in IP packets and elsewhere.
>
>I really meant something like 'IP://www.TheWorld.com' in the
>source/dest addr, possibly more specific for multiple interfaces but
>whatevs.
>
>Leave out the implied 'IP://' and my example is 16 chars just like
>IPv6.
>
>Routers could of course do what they like with those internally such
>as maintain a hash table to speed look-ups. Not anyone outside of
>router software developers' problem. ...

This is more or less equivalent to using device MAC addresses
everywhere.

I think that if you talk to people who build routers, you will find
that they depend really heavily on the detail that every IP address
has a network part and a host part, and they route using the network
part.

Ethernet switches send traffic to arbitrary MAC addresses, at the cost
of remembering every MAC address they've seen, typically in a table
with a few thousand entries.  I know you've been on the net long
enough to remember the good old days when there were only a few
thousand URLs, but I fear it's unlikely we'll go back there.

R's,
John


Re: Comcast outages continue even in areas with PG&E power restored

2019-10-12 Thread John Levine
In article  you write:
>On 10/11/19 9:43 PM, Matt Hoppes wrote:
>How distributed is the power on a typical HFC system in practice?  I'm 
>sure I'm missing some of them, but having walked out most of a small-ish 
>(~2000 residences) city recently for a FTTx deployment, I think I only 
>saw 2-3 power nodes on Comcast's plant.

I spend too much time looking up at the power lines while walking the
dog and around here, Spectrum ex-Roadrunner, on just about every block
I see something on the cable plant with an electric meter.  I can't
tell how many are amplifiers and how many are fiber to coax adapters.
None have any evident batteries although I suppose there might be some
in the cabinets.

My current phone and Internet service is FTTH from the local RLEC.
The box they installed here is powered from a 12v UPS and I'm
reasonably sure there are no active components between here and the CO
since it's only 1/4 mile away, so I'll be interested to see how it
does when the power goes out.


Re: Gmail email blocking is off the rails (again)

2019-12-04 Thread John Levine
In article  
you write:
>Google still rejects email from my own domain name as outlined in a
>prior message on this list a month or two ago:

Google accepts my mail just fine, including from my mailing lists.
Their goal is to make their users happy by accepting the mail the
users want and not the mail the users don't want.

Perhaps it would be more productive to figure out in what ways your system
is different from others.  It would also help to stop being coy and tell
us the actual IP addresses and domains that are having trouble so people
who might want to help can do so.



-- 
Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly


Re: Fwd: urgent opening: Engineer-Transport - III

2019-12-17 Thread John Levine
In article  
you write:
>In case some is interested, Got this email today:

Please, no.  If we want help wanted ads, we know where to find them.

This particular one is so specific that as likely as not it's a fake
ad to justify an H1-B hire.

R's,
John


Re: power to the internet

2019-12-26 Thread John Levine
In article  
you write:
>To reanswer the question posed though, is still the same ; $$$. If network
>operators take the position that the electric utility supply should be more
>reliable than it is, then they need to start influencing and lobbying for
>ways for that to happen. If not, they will have to increase investments
>into local generation or storage capacity to bridge those gaps.
>
>You seem to imply that regulation is inherently bad; however the scenario
>that you describe (power failures impacting 911 service) is only a concern
>to an operator if there is a legislatively defined deterrent.

California suffers from an unusual combination of a dry climate that
is getting dryer and political decisions that made sense in the short
run but are now showing their long term consequences, notably land use
that encourages sprawl and construction in ill-suited areas, and a
regulator that keeps short term consumer prices down at the cost of
reliability and long term stability.  None of this should be a
surprise to anyone familiar with the situation.

Even well run US utilities are much less reliable than the norm in
Europe or Japan.  Where ISPs in the US are figuring out how to install
batteries and backup generators or private windmills or whatever,
their European peers pay somewhat higher utility bills and don't have
to worry about the other stuff.  You'll pay either way.  European
utilities aren't more reliable by accident; that's how they're
regulated.

California also offers an interesting natural experiment comparing
privately run utilities PG&E and SCE and the city owned Los Angeles
DWP.



Re: power to the internet

2019-12-26 Thread John Levine
In article  you write:
>> run but are now showing their long term consequences, notably land use
>> that encourages sprawl and construction in ill-suited areas
>
>If we stopped construction in all of the ill-suited areas, we'd stop 
>construction all together, and tear down much more. We have it all here: 
>earthquakes, floods, fires; often the trifecta.  We could certainly be 
>smarter, but the nature of the geography here is both a blessing and a 
>curse.

Among California's many problems is a bizarre terror of upzoning and
infill construction, hence the sprawl.  Here in my rustic bit of
upstate New York you can build a two-family anywhere you can build a
single family and the world has not come to an end.

>PG&E is especially egregious as it has extremely high rates and 
>piss-poor maintenance. Where does all of that money go? Execs and 
>shareholders.

Evidently not since they've been through bankruptcy a few times.  I
think they're just institutionally incompetent as well as having an
unusually environmentally hostile territory to serve.  (Around here when
the power company screws up, the power fails but the county does not
catch fire.)

>I don't know what the ultimate solution is, but 
>whatever it is cannot have those perverse incentives.

The LA DWP seems to do OK.

R's,
John


Re: power to the internet

2020-01-02 Thread John Levine
In article <87y2up1vc4@mid.deneb.enyo.de> you write:
>I found the connection rather puzzling (that is, how switching off
>power distribution prevents wildfires or at least reduces their risk).
>I found some explanations here (downed lines, vegetation contact,
>conductor slap, repetitive faults, apparatus failures):
>
>

Oh, you're in Europe.  You wouldn't believe how cruddy US power
distribution systems are.  California is particularly bad because the
populist state regulator has kept retail prices low at the cost of
reliability, safety, and everything else.

Also keep in mind that California has conditions seen nowhere in
Europe: bone dry forests with 40C temperatures and 100Kph winds,
and a power company too underfunded to keep up with tree trimming.

R's,
John

PS: You also wouldn't believe how cheap the power is.  California's
prices are high compared to most of the US, but it's still only about
€0.15 per KWh.






Re: power to the internet

2020-01-02 Thread John Levine
In article 
 you 
write:
>It helps that we have a 2.6GW pumped storage generation facility near
>Niagara Falls. :)

It does, but all that power goes to the munis, not the commercial
company that supplies me.  We do import a lot of hydro power from
Quebec.  There's another power plant the same size on the other side
of the river that provides power for Toronto.


>On Thu, Jan 2, 2020 at 5:05 PM Scott Weeks  wrote:
>
>> > I don't know where you live, but I pay around 38 cents/KWh. Depending
>> > on your rate, that can go up to 53 cents/KWh during peak times.
>>
>> I live in upstate New York where I pay about 8c/kwh and a fixed $15/mo
>> connection charge.  We have day/night rates available but they're not very
>> different for retail customers.  I get a slight discount due to credits
>> from remote net metering at a nearby solar farm.


Re: phone fun, was GeoIP database issues and the real world consequences

2016-04-14 Thread John Levine
>OK, let us suppose I want to be a law abiding, upright American and use 
>only a cellphone for the "right" area.
>
>I drive a big truck OTR.  I usually know what part of which state I am 
>in, but I frequently do not know which part of what state I will be in 
>in 24 hours.
>
>What should I do?

As previous messages have explained, mobile 9-1-1 uses a variety of
GPS and tower info to determine where you are.  Telcos, stupid though
they may be, have figured out that people with mobile phones are
likely to be, you know, mobile.

If you drive a big truck, you're likely to spend a lot of time on
major highways, and many of those highways have signs that tell you
what to dial to contact the appropriate police for that road, e.g.
*MSP on the Mass Pike.

R's,
John


Re: phone fun, was GeoIP database issues and the real world consequences

2016-04-15 Thread John Levine
>NA has a 10 digit scheme (3 area code - 7 local) though most of the
>time you end up dialing the 10 digits.
>
>Australia has a 9 digit scheme (1 area code - 8 local) ...

North America uses en bloc signalling, Australia uses CCITT style
compelled signalling.  That's why you have variable length
numbers and the split between area code and local number can
change.

>We are no longer in a age where we need to route calls on a digit
>by digit basis.

Right.  North America left that age in 1947, the rest of the world
only caught up in the 2000s.

R's,
John


Re: phone fun, was GeoIP database issues and the real world consequences

2016-04-18 Thread John Levine
>The other answers address the history here better than I ever could, but
>I wanted to point out one example I hadn't seen mentioned.
>
>https://en.wikipedia.org/wiki/Area_code_917
>
>917 was originally a mobile only area code overlay in New York City.
>For reasons that are unclear to me, after that experiment it was
>decided that the US would never do that again.

The FCC found in 1999 that service-specific overlays are "unreasonably
discriminatory and anti-competitive."  I gather the thinking at the
time was that 917 was full of pagers, voice mail, and car phones,
while "real" phones were in 212.

Times have changed and they're now prepared to approve an overlay in
Connecticut that would cover the whole state, both area codes 203 and
860, with the new area code used for services that are not location
specific, for which they give mobile phones and Onstar as examples.

R's,
John


Re: phone fun, was GeoIP database issues and the real world consequences

2016-04-20 Thread John Levine
>> For the most part, “long distance” calls within the US are a thing of the
>> past and at least one mobile carrier now treats US/CA/MX as a single
>> local calling area 
>
>Is this a case of telcos having switched to IP trunks and can reach
>other carriers for "free"

No, it's because fiber bandwidth is so cheap.  It's equally cheap whether
the framing is ATM or IP.

>Or are wholesale long distance still billed between carriers but at
>prices so low that they can afford to offer "free" long distance at
>retail level ?

Some of each.  Some carriers do reciprocal compensation at very low
rates, small fractions of a cent per minute, some do bill and keep
with no settlements at all.

The history of settlements is closely tied to the history of the
Internet.  Before the Bell breakup separations (within Bell) and
settlements (between Bell and independents) were uncontentious, moving
money around to make the rate of return on invested capital at each
carrier come out right.

Then when cell phones were new, the Bell companies observed that
traffic was highly imbalanced, far more cell->landline than the other
way, so they demanded high reciprocal compensation, and the cellcos
were willing to pay since it gave the Bells the incentive to build the
interconnecting trunks.  One of Verizon's predecessors famously
derided "bilk and keep."

Then the dialup Internet became a big thing, the Bells ignored it as a
passing fad (which it was, but not for the reasons they thought), and
CLECs realized they could build modem banks and make a lot of money
from the incoming calls from Bell customers to the modems.  So the
Bells did a pirouette and suddenly discovered that bill and keep was a
law of nature and recip comp was a quaint artifact that needed to be
snuffed out as fast as possible.

These days the FCC likes to see cost justifications for settlements,
and the actual per-minute cost of calls is tiny compared to the fixed
costs of the links and equipment.  The main place where you see
settlements is to tiny local telcos with very high costs, with the per
minute payments a deliberate subsidy to them.  Then some greedy little
telcos added conference call lines to pump up their incoming traffic ...

R's,
John


Re: phone fun, was GeoIP database issues and the real world consequences

2016-04-27 Thread John Levine
>> On our VOIP service we include US, Canada and Puerto Rico as "local"
>> calling.

>I would imagine for VOIP that's because all three are country code 1 :)

If you know a VoIP carrier that offers flat rates to 1-473, 1-664, and
1-767, I know some people who'd like to talk to you.  At great length.

R's,
John


Re: IPv6 is better than ipv4

2016-06-02 Thread John Levine
>responded, "Why not just get more IPv4 addresses?  Just go back to
>IANA[sic] for more if you don't have enough already."

I can't say I'm surprised.  Within the past year we've had mail from
people here on NANOG who haven't gotten the memo that Network
Solutions and Verisign are not the same company.

R's,
John


Re: Netflix VPN detection - actual engineer needed

2016-06-05 Thread John Levine
>What is non-standard about an HE tunnel? It conforms to the relevant RFCs and
>is a very common configuration widely deployed to many thousands of locations
>around the internet.

Nothing whatsoever, but so what?

>Most likely, these steps are being taken at the behest of their content 
>providers,
>but to the best of my knowledge, that is merely speculation so far as I don’t
>believe Netflix themselves have confirmed this. (It’s not unlikely that they 
>are
>unable to do so due to those same content providers likely insisting on these
>requirements being considered proprietary information subject to NDA.)

Of course they are.  Movie licenses are invariably country specific.

R's,
John


Re: HE tunnels, was Netflix VPN detection - actual engineer needed

2016-06-05 Thread John Levine
>Another question: what benefit does one get from having a HE tunnel broker
>connection?  Is it just geek points, or is there a practical benefit too?

It gets your network a reliable IPv6 connection when your own ISP
doesn't support IPv6 yet.  That's why I use them.

And please skip the rant about how I should stamp my feet and demand
my ISP support IPv6.  They're perfectly reasonable, but they're dual
homed, one of their upstreams doesn't do IPv6, and the number of
reasonable providers in semi-rural upstate NY is not huge.

R's,
John


Bitcoin mining reward halved

2016-07-09 Thread John Levine
At about 16:46 UTC block 420001 showed up on the Bitcoin blockchain,
so the mining reward per block dropped from 25 to 12.5 btc.

Depending on whom you believe, nothing will change, or most of the
miners will go offline, or something else.  My blockchain client saw
420002 was over 25 minutes after 420001, and over 10,000 waiting
transactions, so perhaps the second theory is correct.

Anyone here tracking bitcoin P2P traffic?

R's,
John



Re: Email to text - vtext.com blacklisting ip

2016-08-16 Thread John Levine
In article  
you write:
>If it's critical I'd suggest a service that can be depended on...

Pretty much any VoIP provider has an API you can use to send SMS for
5c each or less.  Or if you're worried about your upstream connection
dying, the cheap GSM modem is a good option.

R's,
John


Re: cheap SMS, was Email to text -

2016-08-18 Thread John Levine
>Then I went into a t-mobile store and bought a few $25/mo SIM cards, put 
>credit card on file to auto renew each month, slapped them in, and pointed our 
>NMS’s at them. 

Since this comes up from time to time, here's the cheapest US SIM plans I know 
of.

Tracfone BYOD runs on AT&T or Verizon (the latter is LTE only) and the
cheapest plan is $18 for 90 days if you sign up and autorenew.  That
gives you 180 SMS, and if you want them 180 mins of voice and 180MB of
data, unused rolls over.  Customer service is OK, seems to be in the
US, aimed at a bilingual Spanish/English market.

Airvoice Wireless runs on AT&T.  Their $10/mo plan is good for 500
SMS/mo, no rollover.  Their $20/mo plan has unmetered SMS and voice.
They have very good US-based customer service.

R's,
John


Re: cheap SMS, was Email to text -

2016-08-20 Thread John Levine
>Ting's pricing looks really good.

>Anyone know of an equiv in Canada?

There isn't one.  Ting is run by Tucows who are located in Toronto.
They'd love to provide similar service in Canada, but the network
operators aren't interested.

R's,
John


Re: Why the internal network delays, Gmail?

2016-08-26 Thread John Levine
In article  
you write:
>Help (and hi)!
>
>I work in higher education and we've been experiencing problems with Google
>delaying or queuing email for delivery to our domain.

This is a question for Google, not for nanog.  Only they know how their network
is set up and how their mail servers are managed.

R's,
John

PS: Also keep in mind that sometimes free services are worth what you pay for 
them.



Re: Why the internal network delays, Gmail?

2016-08-26 Thread John Levine
In article  
you write:
>I was working within the limits of what I had available.

Here's the subscription page for mailop.  It's got about as odd
a mix of people as nanog, ranging from people with single user linux
machines to people who run some of the largest mail systems in
the world, including Gmail:

https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

R's,
John


Re: Can someone from Amazon please answer.

2016-08-27 Thread John Levine
>> If you ask for  of www.thruway.ny.gov it is a CNAME to =
>> www.wip.thruway.ny.gov and that
>> breaks a number of DNS servers and load balancers, eg:

>Your tax payer dollars at work.

Naah.  The Thruway is supported by user fees, no taxes involved.

I will agree they have a couple of pretty braindead nameservers,
though.

R's,
John


Re: Lawsuits for falsyfying DNS responses ?

2016-09-13 Thread John Levine
In article  you write:
>Canada's Anti-Spam Legislation has specific sections that makes altering 
>of data illegal under the Act.
>
>In my non-lawyer opinion, sections 10 (5) (b) and (e) would be violated 
>by hijacking someone's preference to go to Website A and replace it with 
>Website B without their express consent to do so.

That section only applies to 10(4) which is about getting permission
to install downloaded software.

>Description of functions
>
>(5) A function referred to in subsection (4) is any of the following 
>functions ...

I don't think the Quebec law is a good idea, or is likely to be
effective, but I also don't think it has preemption issues.

R's,
John


Re: Domain renawals

2016-09-21 Thread John Levine
In article  
you write:
>FWIW, as I'm in the middle of this right now. It would appear that many of
>the less expensive registrars no longer support glue records in any
>meaningful way.  They all expect you to host DNS with them. So might want
>to check on that before buying the cheapest and hosting your own DNS.

I resell Tucows, and glue records definitely work.  You have to
specifically export the ones you want, but when you do, it works.

R's,
John


Re: Domain renawals

2016-09-21 Thread John Levine
>For domain registration I found that joining the GoDaddy Domain Club 
>( $120/year or less if you pay ahead for multiple years [1] ) ...

There's a lot of registrars with prepay discounts.  Gandi's domains
are cheaper if you prepay $600, a lot cheaper if you prepay $2000.

R's,
John


Re: Domain renawals

2016-09-22 Thread John Levine
>In order for clients to find your nameserver  to figure out what
>NS1.example.com resolves to,
>it first needs to be able to find a nameserver for  Example.com,
>which is NS1.example.com.
>
>This is what is circular without a Hint in the Additional section of
>the DNS reply from the parent nameserver.

That's true, but there's also cross-domain name servers.  I have
domains in .org with nameservers in .com.  The org. registry won't
publish the NS records if my registrar hasn't told the .com registry
to push the name server records out to other TLDs.

Those are two different kinds of glue, but in practice you need both.
You could argue that .org doesn't need to publish cross-domain glue,
and you would be right, but you still won't get your .org NS published
if they don't have the glue.

R's,
John


Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-24 Thread John Levine
>> Well...by anycast, I meant BGP anycast, spreading the "target"
>> geographically to a dozen or more well connected/peered origins.  At that
>> point, your ~600G DDoS might only be around
>
>anycast and tcp? the heck you say! :)

People who've tried it say it works fine.  Routes don't flap that often.



Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-25 Thread John Levine
>> Yeh, bcp38 is not a viable solution.

Krebs said this DDoS came from insecure IoT devices, of which there
are a kazillion, with the numbers growing every day.  Why would they
need to spoof IPs?  How would BCP38 help?

R's,
John


Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-26 Thread John Levine
>>That paper is about reflection attacks.  From what I've read, this was 
>>not a reflection attack.  The IoT devices are infected with botware 
>>which sends attack traffic directly.  Address spoofing is not particularly 
>>useful for controlling botnets.  
>
>But that's not the only remaining use of source address spoofing in direct 
>attacks, no?  Even if reflection and amplification are not used, spoofing 
>can still be used for obfuscation.

I agree that it would be nice if more networks did ingress filtering,
but if you're expecting a major decrease in evil, you will be
disappointed.

At this point it's mostly useful for identifying the guilty or
negligent parties afterwards.

R's,
John


Re: Request for comment -- BCP38

2016-09-26 Thread John Levine
>If you have links from both ISP A and ISP B and decide to send traffic out 
>ISP A's link sourced from addresses ISP B allocated to you, ISP A *should* 
>drop that traffic on the floor.  There is no automated or scalable way for 
>ISP A to distinguish this "legitimate" use from spoofing; unless you 
>consider it scalable for ISP A to maintain thousands if not more 
>"exception" ACLs to uRPF and BCP38 egress filters to cover all of the cases 
>of customers X, Y, and Z sourcing traffic into ISP A's network using IPs 
>allocated to them by other ISPs?

I gather the usual customer response to this is "if you don't want our
$50K/mo, I'm sure we can find another ISP who does."

From the conversations I've had with ISPs, the inability to manage
legitimate traffic from dual homed customer networks is the most
significant bar to widespread BCP38.  I realize there's no way to do
it automatically now, but it doesn't seem like total rocket science to
come up with some way for providers to pass down a signed object to
the customer routers that the routers can then pass back up to the
customer's other providers.

R's,
John

PS: "Illegitimate" is not a synonym for inconvenient, or hard to handle.


Re: Request for comment -- BCP38

2016-09-26 Thread John Levine
>>>
>>> If you have links from both ISP A and ISP B and decide to send traffic
>>> out ISP A's link sourced from addresses ISP B allocated to you, ISP A
>>> *should* drop that traffic on the floor.
>
>> This is a legitimate and interesting use case that is broken by BCP38.
>
>I don't agree that this is legitimate.
>
>Also we're talking about typical mom & pop home users here.

There are SOHO modems that will fall back to a second connection if
the primary one fails, but that's not what we're talking about here.

The customers I'm talking about are businesses large enough to have
two dedicated upstreams, and a chunk of address space SWIP'ed from
each.  Some run BGP but I get the impression as likely as not they
have static routes to the two upstreams.

For people who missed it the last time, I said $50K/mo, not $50/mo.  Letters 
matter.

R's,
John



Re: Legislative proposal sent to my Congressman

2016-10-03 Thread John Levine
In article  you write:
>> But that does not remove those devices from the network.
>
>That ship has sailed.

This is where device profiles could help.  If enough devices register
profiles with the local router, at some point the router's default
could be closed, so devices with no profile can't talk to the outside.

For a lot of devices like lightbulbs, that would probably make no
difference at all.  It would mean you couldn't remotely monitor your
five year old CCTV camera unless you take in the camera for an upgrade
or replace it, but I can't get too upset about that.

R's,
John





Re: IoT security, was Krebs on Security booted off Akamai network

2016-10-10 Thread John Levine
>> It helps solve the bad (including manufacturer's default) password
>> problem which was one of the attack vectors.

That problem has been addressed pretty well by giving each device a
random password and printing the password on the device.  Another hack
that works pretty well is a button you push that allows TOFU
authentication for 30 seconds or so.

Neither is perfect, but they both largely solve the problem of
scanning for open ports unless the scanner happens to scan at exactly
the right time.



Re: Death of the Internet, Film at 11

2016-10-24 Thread John Levine
>Dumb question:
>
>If some camera, vacuum cleaner, toothbrush or refrigerator is behind
>NAT, can it do IP spoofing ?  Won't the "from" address be replaced by
>the CPE router with the proper IP address assigned to that customer so
>that on the Internet itself, that packet will travel with a real IP
>routable back to the CPE ?

Depends on the way the NAT box works.  But since Dyn-style attacks
don't use IP spoofing, it doesn't really matter.

>Could mobile phones become a source of such attacks ?

Depends both on the phone and on the network.  But since Dyn-style
attacks don't use IP spoofing, it doesn't really matter.

>If the number of infected devices in eastern USA is insufficient to have
>caused that DDoS, can one infer that the attack used an actual IP
>address instead of the anycast one in order to target the eastern USA
>hosts irrespective of the location of the infected device ?

No.  Anycast addresses are real IP addresses.  There isn't a "real"
address to attack.

R's,
John


Re: Should abuse mailboxes have quotas?

2016-10-27 Thread John Levine
>Are there any ISPs left that read and respond to abuse@ in a timely
>fashion?  I haven't seen one in at least a decade.  Maybe I e-mail the
>wrong ones.

Or maybe you send reports that they can't act on.  Mine are all in ARF
format and ISPs reply and tell me they've acted on them all the time.

In many cases the reports go into ticketing systems, so they'll get
acted on but you don't get an answer from a person.  That's fine with
me, I'd rather they spend time swatting bad guys than composing mail
by hand.

R's,
John


Re: Spitballing IoT Security

2016-10-27 Thread John Levine
>Please don't, bring it to your nearest Apple Store instead where it
>will be properly recycled, .

My nearest Apple stores are 50 miles away.  I'm not sure 100 miles in
the car is a good tradeoff for one phone.



Avalanche botnet takedown

2016-12-01 Thread John Levine
Avalanche is a large nasty botnet, which was just disabled by a large
coordinated action by industry and law enforcement in multiple
countries.  It was a lot of work, involving among other things
disabling or sinkholing 800,000 domain names used to control it.

More info here:

https://www.europol.europa.eu/newsroom/news/%E2%80%98avalanche%E2%80%99-network-dismantled-in-international-cyber-operation

http://blog.shadowserver.org/2016/12/01/avalanche/

As both items point out, if your users are infected with Avalanche,
they're still infected, but now if you disinfect them, they won't get
reinfected.  At least not with that particular flavor of malware.

R's,
John




Re: South Carolina attempts to repeal Rule 34

2016-12-20 Thread John Levine
In article  
you write:
>Let's call it for what it is. It's a new tax.

No, it's just grandstanding.  The proposed law egregiously violates
the First Amendment and wouldn't last 5 minutes in a court challenge.

R's,
John


Re: replacing EPP?

2016-12-21 Thread John Levine
In article 
 
you write:
>Has there been any discussion about replacing EPP with something more modern?

No.  That was easy.  The spec has been updated a few times, most
recently by RFC 5730 and 5734 in 2009 but it hasn't changed much.

There is an active eppext working group in the IETF that spends most
of its time documenting and cleaning up EPP extensions that registries
and registrars have been using all along but never got around to
writing up clearly.

A new protocol called RDAP is intended to replace WHOIS.  It's pretty
modern, blobs of JSON over http.  You can read all about it in RFC
7480 through 7484.  Some people want to use RDAP to check whether a
domain is available, but there's been a lot of pushback and advice
to use EPP, that's what it's for.

R's,
John


Re: Is WHOIS going to go away?

2018-04-19 Thread John Levine
In article <23257.12824.250276.763...@gargle.gargle.howl> you write:
>So you think restricting WHOIS access will protect dissidents from
>abusive governments?
>
>Of all the rationalizations that one seems particularly weak.

Oh, you're missing the point.  This is a meme that's been floating
around in academia for a decade: the brave dissident who somehow has
managed to find web hosting, e-mail, broadband, and mobile phone
service but for whom nothing stands between her and certain death but
the proxy whois on her vanity domain.

If someone makes this argument you can be 100% sure he's parroting
something he heard somewhere and has no idea how the Internet actually
works.

R's,
John


Re: Is WHOIS going to go away?

2018-04-24 Thread John Levine
In article 

 you write:
>The days when some in the technical community could just discard others' 
>arguments by saying that  "[you] have no idea how the
>Internet works" have long passed. I will not get intimidated nor will I step 
>back. Old tricks, won't work, it's as old as the
>dysfunctional WHOIS and will disappear.

Now I'm confused.  Surely you do not mean that we should take your
arguments seriously even though you have no idea how the Internet
works.

In my experience, the nanog crowd can be grumpy but it is entirely
open to discussions that are based on facts and an understanding of
the issues.

R's,
John


Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent

2018-05-15 Thread John Levine
In article <240538927.8145.1526388210820.JavaMail.mhammett@ThunderFuck> you 
write:
>Encrypted e-mail is so incredibly niche, this won't affect almost everyone. 

Bruce Schneier's blog entry on this arcane buglet ended by saying that
if you care about encryption use Signal or WhatsApp.

R's,
John

PS: I don't see any point in following up the discussion of HTML mail
because it appears to have fallen through a wormhole from 15 years ago.


Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent

2018-05-15 Thread John Levine
In article <47acebac-7df1-0dbb-9584-27062a945...@netassist.ua> you write:
>Really? Use extremely centralized closed source "solution"?

You might want to learn a little about Signal.

R's,
John

>
>LOL.
>
>15.05.18 18:47, John Levine writes:
>> In article <240538927.8145.1526388210820.JavaMail.mhammett@ThunderFuck> you 
>> write:
>>> Encrypted e-mail is so incredibly niche, this won't affect almost everyone. 
>> 
>> Bruce Schneier's blog entry on this arcane buglet ended by saying that
>> if you care about encryption use Signal or WhatsApp.


Re: Whois vs GDPR, latest news

2018-05-22 Thread John Levine
>What about the likely truth that if anyone from Europe mails the list, then
>every mail server operator with subscribers to the list must follow the
>GDPR Article 14 notification requirements, as the few exceptions appear to
>not apply (unless you’re just running an archive).

Some of us whose businesses and equipment are entirely in North
America will take our chances.  This is NANOG, not EUNOG, you know.

Also, one thing that has become painfully clear is that the number of
people who imagine that they understand the GDPR exceeds the number
who actually understand it by several orders of magnitude.

The "you have to delete all my messages from the archive if I
unsubscribe" nonsense is a good indicator.

R's,
John


Re: Whois vs GDPR, latest news

2018-05-23 Thread John Levine
In article  
you write:
>I asked one of the EU regulators at RSA how they intended to enforce GDPR
>violations on businesses that don't operate in their jurisdiction and
>without hesitation he told me they'd use civil courts to sue the offending
>companies.

He probably thought you meant if he's in France and the business is in
Ireland, since they're both in the EU.  Outside the EU, on the other
hand, ...

If they try to sue in, say, US courts, the US court will ask them to
explain why a US court should try a suit under foreign law.  There is
a very short list of reasons to do that, and this isn't on it.

I'm not saying that one should gratuitously poke EU regulators in the
eye but it's pretty silly to imagine that they will waste time
harassing people over whom they have no jurisdiction and against whom
they have no recourse.

R's,
John


Re: Whois vs GDPR, latest news

2018-05-23 Thread John Levine

>No, but in the absence of a law that specifically bars the courts from
>doing so they will under current reciprocal treaty arrangements.

No, really, what treaties?  I understand treaties about domesticating a
tort judgement but this isn't a tort, this is a regulation.

R's,
John

PS:

>can treaties supersede US law?

That question has a very complicated answer.  tl;dr: sometimes


Re: GDPR outside Europe, was Whois vs GDPR, latest news

2018-05-24 Thread John Levine
In article <0bb31bbb-388d-4832-85dd-30c01c187...@jeffmurphy.org> you write:
>There’s speculation that enforcement could occur via the FTC Privacy Shield 
>program. 

Privacy Shield is entirely optional. Joining it requires a lot of
paperwork and a substantial administrative fee.  If you don't do all
that, it doesn't apply to you.  Please see my previous comment about
people who think they understand the GDPR vs. people who actually do.

https://www.privacyshield.gov/welcome

Also, Privacy Shield is a retread of the Safe Harbour deal which EU
courts invalidated in 2015.  Max Schrems, the guy who filed the case
against Safe Harbour, has filed a similar suit against Privacy Shield,
with Facebook as the defendant.  I wouldn't bet a lot on Privacy
Shield lasting any better than Safe Harbour did.

https://techcrunch.com/2018/04/13/privacy-shield-now-facing-questions-via-legal-challenge-to-facebook-data-flows/

R's,
John

PS: For anyone who came into the middle of this argument, my point is
that if you have no EU nexus, the realistic chances of the EU taking
action against you round to zero.  If you do have EU nexus, you better
behave.


Re: Whois vs GDPR, latest news

2018-05-27 Thread John Levine
In article <230722.1527374...@turing-police.cc.vt.edu> you write:
>Now here's the big question - a *lot* of companies are targeting "anybody with
>a freemail account like GMail and a valid Visa or Mastercard card" or similar
>business models - does that count as "specifically targeting at EU", or not?

This is an excellent question, because anyone who purports to give you
an answer has self-identified as a fool.

The closest thing to an answer is that nobody knows, maybe after some
rulings from various national authorities we'll have an idea, except
that they'll probably be inconsistent and contradictory.

R's,
John


Re: SIP fax sending software?

2018-05-30 Thread John Levine
In article  you write:
>Have you considered paying the $0.50 per page to have the local copy
>shop send the once-a-month faxes?

Since the local copy shop is about a half hour drive from here, no.

I don't really care if it's flaky.  For one fax a month a few retries
are not a big deal.  But hellofax's free 5 pages a month will probably
do the job.

R's,
John


Re: ICANN GDPR lawsuit

2018-05-30 Thread John Levine
In article  you write:
>http://www.circleid.com/posts/20180527_icann_files_legal_action_against_domain_registrar_whois_data/

Elliot said that if he had to choose between fighting ICANN and
fighting governments, he'd fight ICANN.  I can't blame him.

http://www.tucows.com/tucows-statement-on-icann-legal-action/

R's,
John


Re: Anyone from Delta on list?

2018-07-13 Thread John Levine
In article <2d8e2754-662a-4029-b6fa-6714b1b6c...@semperen.com> you write:
>If so, can you contact me off list, please and thank you?

Delta the airline?  Delta the hotel chain?  Delta the plumbing fixture
maker?  Delta the construction company?

Signed,
Baffled



Re: unwise filtering policy on abuse mailboxes

2018-07-24 Thread John Levine
In article  you write:
>I'm saying people who filter their abuse mailboxes need to stop doing so.

See Canute, King.

R's,
John


Re: Confirming source-routed multicast is dead on the public Internet

2018-08-02 Thread John Levine
In article  you 
write:
>Multicast is being used in various private IP networks. It seems to work 
>very well for satellite content distribution because multicast doesn't 
>require ack's. Enterprise networks also use multicast.

I would think it'd work fine on private networks, but since there's no
authentication, on the public Internet how could you tell the
multicast you want from random malicious junk on the same IP address?








Re: Best practices on logical separation of abuse@ vs dmca@ role inboxes

2018-08-05 Thread John Levine
In article  you write:
>The main issue with the notion of keeping abuse@ separate from a 
>dedicated DMCA takedown mailbox is companies like IP Echelon will just 
>blindly E-mail whatever abuse POC is associated with either the AS 
>record or whichever POCs are specifically associated with the NET block.
>
>So it becomes kind of difficult to keep them routing to different 
>places.
>
>The guys doing the DMCA takedowns use automated tooling.   So asking 
>them nicely isn't going to help you.

Seems to me that if you've registered your DMCA address in the Library
of Congress database, and they send takedowns somewhere else, that's
their problem, not yours.

If you haven't registered, you should.  You can do the whole thing
online in a couple of minutes. The fee is $6 per update no matter how
many business names and domain names you register.

See https://www.copyright.gov/dmca-directory/

R's,
John




Re: Best practices on logical separation of abuse@ vs dmca@ role inboxes

2018-08-06 Thread John Levine
In article  you write:
>I'm very sorry to read that, as an ISP, you have to comply with a
>para-judicial process that puts you in charge of censorship.

Dealing with DMCA notices is a matter of statute law in the US, and it
is a really, really bad idea to ignore them unread.  It doesn't matter
what anyone here thinks about it.

R's,
John

PS: Here's why:

https://www.techdirt.com/articles/20180802/17420540355/sensing-blood-water-all-major-labels-sue-cox-ignoring-their-dmca-notices.shtml

