Re: Sprint peering policy

2002-06-29 Thread Paul Vixie
> > ... A broadband provider who takes a "hell no, I won't buy" attitude > > with a large tier 1 can drive Gigabits of traffic away from the tier > > 1's revenue stream by peering around that provider and directing > > traffic down paths that avoid the tier 1. > > "Peering around" only works if

Re: Vixie puts his finger squarely on the key issue Re: Sprint

2002-06-30 Thread Paul Vixie
r job on peering architecture than is being done now. when i added my comments to the parent thread, i only meant to indicate my surprise that such isn't being tried -- NOT any disappointment. -- Paul Vixie

Re: Paix-NY and NYIIX -- link stil going to happen?

2002-06-30 Thread Paul Vixie
nsultant, so my words here are not nec'ily representative of mfn's or paix's actual plans/desires. -- Paul Vixie

Re: Name Server Change-over completed

2002-06-30 Thread Paul Vixie
> Hmm.. surely emailing everyone hoping for a quick change over for roots > on parts of a fragmented root namespace is just asking for the fragments > to fragment up some more? > > :) it's a joke. i know it isn't april 1, so you have to look for subtleties. > > For those of you who add the OR

Re: Name Server Change-over completed

2002-06-30 Thread Paul Vixie
c# for that? > The final point of this insanity is that there is NOT a single root. > Hasn't been for a hell of a long time, and I suspect that there never > will be again. another protocol upgrade, perhaps? rfc#, anybody? -- Paul Vixie

Re: Sprint peering policy

2002-07-01 Thread Paul Vixie
> What is the connection between unregulated peering and the financial > difficulties we have seen? > > The problems have been caused by: > > - Bad business models > - Greed > - Corporate officers who have shirked their fiduciary responsibilities to > the stockholders > > If you can somehow

Re: Sprint peering policy

2002-07-01 Thread Paul Vixie
hods were found to get something that looked an awful lot like "both peering and transit", but for the most part abovenet was always seen by its customers as an *alternative* to having to build a wide area network and employ BGP engineers, since there would be just as much path splay at probably less total cost and without the hassle of directly employing anybody who has ever posted to NANOG. (for the most part we don't dress nicely and are surely a surly lot, but don't call me shirley.) -- Paul Vixie

Re: Internet vulnerabilities

2002-07-04 Thread Paul Vixie
ow this might work. "More later." -- Paul Vixie

Re: DNS was Re: Internet Vulnerabilities

2002-07-05 Thread Paul Vixie
> ... beyond that, security and anycast don't mix well without the data > being authenticated, e.g. dnssec. i won't disagree. anycast's cost:benefit analysis is compellingly against its use in most situations. root name service may be one of them. now, if the ops community can figure out a wa

Re: wcom overbilling

2002-07-06 Thread Paul Vixie
trongly hope that UUNT won't share WCOM's fate, if negative. -- Paul Vixie

Re: fractional gigabit ethernet links?

2002-07-18 Thread Paul Vixie
one small note, in passing: > In other words..intermittent intergap delay? when PAIX sells what it calls Fractional Gig E, it's just Gig E with rate limiting. nothing special at the link level.

Re: AS286 effectively no more..

2002-07-28 Thread Paul Vixie
m the kpn/qwest deal saw it as a good thing, but older customers probably wish it hadn't happened.) -- Paul Vixie

Re: Qwest to Restate Earnings

2002-07-29 Thread Paul Vixie
" and the answers were apparently non-pretty. (disclaimer: i've got nothing against Q or WCOM per se.) -- Paul Vixie

Re: If you have nothing to hide

2002-08-03 Thread Paul Vixie
P's are grossly negligent for not doing edge RPF since at least 1996 is not debatable. Cut Mr. Clark *that* slack, even if you must (righteously, I might add) blast him on other issues. -- Paul Vixie

Re: RFC 2870's applicability (Re: Deaggregating for emergency purposes)

2002-08-09 Thread Paul Vixie
> > When I tell USG how I feel, they seem to ignore me. Your mileage may vary. > > True enough. But their machines could always be removed from the > list of known root servers, and I don't think that there's much they > could do about it. that is absolutely false, in several different

Re: Do ATM-based Exchange Points make sense anymore?

2002-08-09 Thread Paul Vixie
ve with LMI. If on the other hand the MTBF is best measured in months or years, then when it does fail the failure is likely to be *in* the extra complexity you added. -- Paul Vixie

Re: Do ATM-based Exchange Points make sense anymore?

2002-08-10 Thread Paul Vixie
st got added with Neighbor > Discovery on IPv6. if so, then, you misunderstand. -- Paul Vixie

Re: Do ATM-based Exchange Points make sense anymore?

2002-08-11 Thread Paul Vixie
> I suppose the discussion is what do you want from your exchange pt > operator and what do you NOT want. At the IXP level, "bits per month" always trumps "bits per second", and usually trumps "pennies per bit" as well. There are now a number of companies trying to sell wide area ethernet -- e

gentlemen, stop your engines

2002-08-12 Thread Paul Vixie
after six reports that 192.5.5.241's address has been forged as the source of a tcp "fragmented scan" probe, i'm ready to have it stop. but just in case it doesn't, this is fair warning to the community: F's address is in unlawful use by as-yet-unidentified third parties. re: --- Forwarded

Re: Microslosh vision of the future

2002-08-12 Thread Paul Vixie
> How about <[EMAIL PROTECTED]>? > Wasn't this set up for this very purpose? Nobody goes there any more, it's too crowded. -- Paul Vixie

Re: Dave Farber comments on Re: Major Labels v. Backbones

2002-08-17 Thread Paul Vixie
totalitarian regime". Save it, please -- I can write, have written, and will write that whitepaper myself. This is not the same topic. I want to know what the homeland security department is likely to do about all this, not what is good/bad for the citizens of hostile nations or even nonhostile nations.) -- Paul Vixie

Re: your mail

2002-08-20 Thread Paul Vixie
et hosting center would be, and that makes them the only game in that town. i recommend that you work hard at helping them fix whatever it is they're doing wrong. think of your work in that regard as a public service. -- Paul Vixie

Re: your mail

2002-08-20 Thread Paul Vixie
> Speaking of paix's and locations, I know the mfn filings have held up > progress but I wondered and maybe others on this list wonder what the > status of the paix nyiix interconnection might be? until mfn finishes selling paix, there will likely be no progress on this.

Re: [Fwd: Re: IETF SMTP Working Group Proposal at smtpng.org]

2002-08-21 Thread Paul Vixie
ertification hierarchy other than my own; and (2) there's no compelling technical reason to keep the number of ultimately trusted keys small. (verisign/thawte may feel that there are compelling business reasons, however.) -- Paul Vixie

Re: IETF SMTP Working Group Proposal at smtpng.org

2002-08-21 Thread Paul Vixie
d whereby cooperating e-mail senders and receivers can detect forged source/return addresses in e-mail. -- Paul Vixie

Re: IETF SMTP Working Group Proposal at smtpng.org

2002-08-26 Thread Paul Vixie
nonexistent domain names are not the subject of http://www.vix.com/~vixie/mailfrom.txt; rather, i'm trying to address the issue of spammers who lie about _existing_ source/return domain names. -- Paul Vixie

Re: Paul's Mailfrom (Was: IETF SMTP Working Group Proposal at

2002-08-26 Thread Paul Vixie
ller, you'll understand the economics. If one of those simple things is blocking outbound TCP/25, then I hope you have alternatives including changing ISP's... ...but if you don't, then it's between you and your ISP, and best of luck. -- Paul Vixie

Re: Paul's Mailfrom (Was: IETF SMTP Working Group Proposal at

2002-08-26 Thread Paul Vixie
still seems pretty careful and pretty professional (and pretty public.) -- Paul Vixie

Re: Paul's Mailfrom (Was: IETF SMTP Working Group Proposal at

2002-08-26 Thread Paul Vixie
> > If this function of your ISP costs less than 1 FTE per 10,000 > > dialups or 1,000 T1's or 100 T3's, then your ISP is a slacker and > > probably a magnet for professional spammers as well. > ... you're offering very definitive figures/labeling, and I'm curious > as to what you are basing you

Re: Paul's Mailfrom (Was: IETF SMTP Working Group Proposal at smtpng.org)

2002-08-26 Thread Paul Vixie
though that's the example that appears in the rfc. the only users i'm aware of are Microsoft and Apple for their respective service discovery systems, and MIT Kerberos iff your domain name and your realm name are the same. -- Paul Vixie

Re: Paul's Mailfrom (Was: IETF SMTP Working Group Proposal at

2002-08-27 Thread Paul Vixie
which does not progressively leverage the combined small efforts of millions of spam victims will ever be measurably effective other than in some small locality and/or for some brief instant. see the DCC for an example (http://dcc.rhyolite.com/) of how to build and apply that leverage. (i'm not giving the reference to vipul's razor because i said "millions.") -- Paul Vixie

Re: Paul's Mailfrom (Was: IETF SMTP Working Group Proposal at

2002-08-27 Thread Paul Vixie
. i mentioned it not because it needed a hearing -- it had already been heard on those very other lists i mentioned -- but to demonstrate that the most powerful force on the internet is someone who says something won't work. thank y'all for your help in the demonstration. -- Paul Vixie

Re: Paul's Mailfrom (Was: IETF SMTP Working Group Proposal at

2002-08-27 Thread Paul Vixie
[EMAIL PROTECTED] (Paul Vixie) writes: > whenever you get spammed, it's because some isp somewhere is a slacker, what i meant to say was "whenever you're getting repeat spam from the same place, day after week after month, it's because some isp somewhere is a slacker.

Re: Paul's Mailfrom (Was: IETF SMTP Working Group Proposal at

2002-08-27 Thread Paul Vixie
> > In the fullness of time, the universe itself will die of heat. So what? > > How come this makes me want to raise the issue of our immortal souls? spammers have souls? > So for example saying this or that filter appears to have repelled 1M > spam msgs per day doesn't really prove much unle

Re: Paul's Mailfrom (Was: IETF SMTP Working Group Proposal at

2002-08-27 Thread Paul Vixie
> > ... (http://dcc.rhyolite.com/) ... > > Indeed, that is a cool idea. I definitely want to look into > that a lot more closely. Perhaps we can combine this with deep > blacklist checking (beyond just the first hop), tagging, and Bayesian > content filtering. Perhaps then we will have

Re: Paul's Mailfrom (Was: IETF SMTP Working Group Proposal at

2002-08-28 Thread Paul Vixie
> Interesting...I can't find any mention of integrating dcc support into > postfix (other than invoking procmail). Do you have any details or is this > wishful speculation? > > That would be quite nice... it's wishful speculation unless i'm underemployed for too much longer in which case it's a

Re: Paul's Mailfrom (Was: IETF SMTP Working Group Proposal at

2002-08-29 Thread Paul Vixie
raining and policy and toolworks all catches up to the need. -- Paul Vixie

Re: ospf problems?

2002-08-30 Thread Paul Vixie
in it. (no, my .procmailrc is not for sale, so go make your own.) in the general case, "we let" this happen because there is no procedure for excluding folks from "the list" on any basis, including "insulting". -- Paul Vixie

Re: How do you stop outgoing spam?

2002-09-09 Thread Paul Vixie
s no help for that in the short term. if some internet cafe has a CuCme camera setup then you can find a way to let that traffic off-net without rate shaping. this will be the exception. -- Paul Vixie

Re: How do you stop outgoing spam?

2002-09-10 Thread Paul Vixie
> One of the basic problems with discussions about spam control is that it > focuses entirely on spam. Blocking output SMTP from individual dial-ups > has a serious negative consequence: > > Laptop mobile users cannot use their home SMTP server. in the business, we call this "tough

Re: How do you stop outgoing spam?

2002-09-10 Thread Paul Vixie
lter both bgp advertisements and ip source addresses from all customers, and require them to do likewise"? and if not, why not, and how long do you think it's going to take before we use economic methods to solve this scourge? -- Paul Vixie

Re: Cogent service

2002-09-19 Thread Paul Vixie
> Does anyone have any comments (good or bad) about Cogent as a transit > provider in New York? No. But we (ISC) are using them in San Francisco (at 200 Paul Street) and they've been fine. -- Paul Vixie

Re: AP IX locations

2002-09-28 Thread Paul Vixie
ll these years... chopped liver? there have been Plenty of asian isp's in los angeles for Quite a while now. there also seems to be a PAIX switch inside 1 Wilshire now. (mfn's chap.11 filing having sawn off any hope we had of opening PAIX-LA.) -- Paul Vixie

Re: AP IX locations

2002-09-30 Thread Paul Vixie
> I have heard that the new paix switch will be attached [to laap] as well. > But only rumored not sure if its true. it's true. there was a launch party recently when the paix switch was announced for 1 wilshire, and laap was absolutely mentioned along with the words "just like seattle" with re

Re: Equinix to join role of chapter 11's?

2002-10-02 Thread Paul Vixie
reports of equinix's demise appear to have been grossly premature. see http://biz.yahoo.com/bw/021002/20088_1.html, whose title is something like: > Equinix Gains Strategic Investment From Singapore Technologies Telemedia > and Creates the Largest Global Network Neutral Internet Exchange > Serv

what's that smell?

2002-10-07 Thread Paul Vixie
since the last time we cleared the firewall statistics on c.root-servers.net, 1895GB of udp/53 input has led to 6687GB of udp/53 output, but, and this is the important part now so pay attention, 185GB of input was dropped due to an RFC1918 source address. who needs DDOS when most network operato

Re: Who does source address validation? (was Re: what's that smell?)

2002-10-08 Thread Paul Vixie
lter out egress 1918 toward our peers/transits. Like I said, I had no idea this was generally thought to be so complicated. -- Paul Vixie

Re: Who does source address validation? (was Re: what's that smell?)

2002-10-08 Thread Paul Vixie
offered to shut this traffic off further upstream, as F-root's network operators were doing until yesterday, but I asked that it not be filtered anywhere except C-root itself (where I can measure it) or distant source-AS's (which is where it makes sense.) -- Paul Vixie

Re: Who does source address validation? (was Re: what's that smell?)

2002-10-09 Thread Paul Vixie
> Just out of interest how do you co-ordinate use of RFC 1918 addresses > and routes amongst your customers? Do you run a registry for them, or > do you just let them fight it out and the one with the biggest packets > wins or something like that? there's a registry. we also maintain IN-ADDR z

Re: sprint passes uu?

2002-10-16 Thread Paul Vixie
. however, after the cleansing ritual of chapter 11, i think they will be in a fine position to reset their per-megabit charges in ways that make them a compelling transit provider. their network's been great. -- Paul Vixie

Re: sprint passes uu?

2002-10-18 Thread Paul Vixie
i wrote: > > transit prices have been in free fall, and worldcom has not been > > following them downward. however, after the cleansing ritual of > > chapter 11, i think they will be in a fine position to reset their > > per-megabit charges in ways that make them a compelling transit > > provide

Re: future transit prices

2002-10-18 Thread Paul Vixie
someone wrote, in response to my piece this morning... > Can you explain more about why you think transit prices will return to > the $200-$300/mbps. I've been quoted $40/mbps on a 50mbps commit > (95th%) ... which I think is pretty much as low as it's going to get. > I can understand prices go

Re: future transit prices

2002-10-18 Thread Paul Vixie
> How do you compute CGS on a network that is 25% utilized? "bad" > Is it expenses/current utilization or expenses/maximum capacity? i want to be in a situation where i owe income taxes. so it's all about costs vs. sales. > I think a lot of the low-ball pricing that is in the market is the >

Re: root servers DDoS

2002-10-21 Thread Paul Vixie
t, not icmp reply. -- Paul Vixie

Re: WP: Attack On Internet Called Largest Ever

2002-10-22 Thread Paul Vixie
> (Okay Paul - here's your chance to rant about how badly they misquoted > you! ) I think it's clear that editors were involved. -- Paul Vixie

Re: WP: Attack On Internet Called Largest Ever

2002-10-22 Thread Paul Vixie
s the average person who just wanted to use DNS to get their work done didn't seem to notice it at all. -- Paul Vixie

Re: How to secure the Internet in three easy steps

2002-10-25 Thread Paul Vixie
between network providers. > > Are there some down-sides? Sure. But who really needs the end-to-end > principle or uncontrolled innovation. i can see how the end to end principle applies in cases 2 and 3, but not 1. -- Paul Vixie

Re: How to secure the Internet in three easy steps

2002-10-25 Thread Paul Vixie
> > > 1. Require all providers install and manage firewalls on all subscriber > > > connections enforcing source address validation. > > > > i can see how the end to end principle applies in cases 2 and 3, but not 1. > > I didn't make any of these up. They've all been proposed by serious, > well

Re: How to secure the Internet in three easy steps

2002-10-25 Thread Paul Vixie
> Not only that, but unless _everyone_ implements 2 and/or 3, all the bad > people that exploit the things these are meant to protect will migrate to > the networks that lack these measures, mitigating the benefits. not just the bad people. all the people. a network with 2 or 3 in place is usel

Re: How to secure the Internet in three easy steps

2002-10-25 Thread Paul Vixie
> > not just the bad people. all the people. a network with 2 or 3 in place > > is useless. there is no way to make 2 or 3 happen. > As part of their anti-spam efforts, several providers block SMTP port > 25, and force their subscribers to only use that provider's SMTP > relay/proxy to send ma

Re: How to secure the Internet in three easy steps

2002-10-26 Thread Paul Vixie
> Source address validation, or more generally anti-spoofing filters, do > not require providers maintain logs, perform content inspection or > install firewalls. But source address validation won't stop attacks, > viruses, child porn, terrorists, gambling, music sharing or any other > evil that e

Re: who are the root server operators?

2002-11-04 Thread Paul Vixie
cation. as to who the root server operators are, http://root-servers.org/ has a list. valdis writes: > And remember - Paul Vixie has shown that 10% of the inbound traffic at > c.root-server.net is bogus rfc1918 sourced. Making the addresses public > will serve as a DDoS vector against t

Re: Fw: Where is the edge of the Internet?

2002-11-05 Thread Paul Vixie
" (or sometimes "customer"), and their security policies are generally, by long standing tradition, nonexistent. -- Paul Vixie

Re: Fw: Where is the edge of the Internet?

2002-11-06 Thread Paul Vixie
> >1 - Connection Taxonomy > >1.1. The Internet is a "network of networks", where the component > >networks are called Autonomous Systems (AS), each having a unique AS > >Number (ASN). > > Even if this reflects the original intent of ASNs, it certainly does not fit > current real

Re: PAIX

2002-11-13 Thread Paul Vixie
) right now, and 150 by the end of the decade, and ultimately any "metro" with population greater than 50K in a 100 sq Km area will need a neutral exchange point (even if it's 1500 sqft in the bottom of a bank building.) -- Paul Vixie

Re: PAIX

2002-11-14 Thread Paul Vixie
> > I'm putting the number closer to 40 (the "NFL cities") right now, and > > 150 by the end of the decade, and ultimately any "metro" with population > > greater than 50K in a 100 sq Km area will need a neutral exchange point > > (even if it's 1500 sqft in the bottom of a bank building.) > > Wha

Re: PAIX

2002-11-16 Thread Paul Vixie
speaking of paix, for those of you in atlanta (ietf) this week, i'm going to do a couple of site walkthroughs. send me e-mail if interested. -- Paul Vixie

Internet Software Consortium expands DNS ''Root Server'' Footprint

2002-11-17 Thread Paul Vixie
http://www.businesswire.com/cgi-bin/f_headline.cgi?day0/223210010&ticker=

Re: PAIX

2002-11-18 Thread Paul Vixie
ns, and that with appropriate NDA's in place, they would tell you more about PAIX-ATL1's likely future under their ownership. paul re: > > speaking of paix, for those of you in atlanta (ietf) this week, i'm > > going to do a couple of site walkthroughs. send me e-mail if interested. > > -- > > Paul Vixie

some of these are worse than others

2002-11-18 Thread Paul Vixie
in the last few months since i most recently cleared out the database, my test network (a defunct /16) has received 3.8M http transactions containing 460K distinct worm bodies sent from 137K source addresses. the top 8, by quantity, are: srcaddr | count |first|l

Re: some of these are worse than others

2002-11-18 Thread Paul Vixie
> Which signature database you use to match these or just log the 404's ? i wrote my own. since it's only 247 lines long, i'll include it here. /* httpk - killer of http requests * vixie 05aug01 [from netperf 14jan92 [original]] * * $Id: httpk.c,v 1.5 2002/11/18 21:33:33 vixie Exp $ */ #in

Re: Suggestions for ASP colo space that will be around in 3 years?

2002-11-19 Thread Paul Vixie
s. (The meet-me room there was originally built to be a PAIX, and we were very proud of it.) -- Paul Vixie

Re: Anti-Spam Router -- opinions?

2004-04-05 Thread Paul Vixie
retry. that's why greylisting has been so effective -- to combat it the spammers would have to add the one thing they cannot afford: "state." see http://www.rhyolite.com/dcc/ for how to get started. -- Paul Vixie

Re: Anti-Spam Router -- opinions?

2004-04-05 Thread Paul Vixie
no matter whether the last response code was 4xx or 5xx. all three will make themselves easier to triangulate upon, and the conviction rate will edge upward slightly. (the things spammers do to avoid brightmail and DCC smell really strong -- there's no mistaking that kind of zwil for honest e-mail, even robotically.) -- Paul Vixie

Re: Packet anonymity is the problem?

2004-04-10 Thread Paul Vixie
s no surprise that ipv6 didn't do much about this "weakness". attempting to symmetrize cost/benefit without design changes in either human nature or the tcp/ip protocol suite has had mixed results. (i.e., MAPS.) so, the article sean quoted is all very entertaining, but says nothing new, which is sad, because i for one would really like to hear something new. -- Paul Vixie

Re: Lazy network operators

2004-04-10 Thread Paul Vixie
nts is right out. -- Paul Vixie

Re: Lazy network operators

2004-04-11 Thread Paul Vixie
e there are forces that will make the competition have to comply also. but while as individuals we might have lots of energy for this fight, as a community we are lazy, and we'd rather think about next generation router design than next generation abuse design. and yet it always seems to surprise us when the greedy undereducated middle managers, salespeople, and lawyers keep finding new ways to make the abuse problem worse. lazy, lazy, lazy. -- Paul Vixie

Re: abuse standards & consumer reports

2004-04-11 Thread Paul Vixie
it from their suppliers and BGP peers, this would have further criminalized spam just by comparison. but since these companies don't want the perceived costs of verifying permission, they're stuck trying to criminalize "spam" when there is no difference, in principle, between what "spammers" do and what "reputable companies" do. lazy-lazy-lazy. -- Paul Vixie

Re: Abuse mail boxese (was Re: Lazy network operators)

2004-04-12 Thread Paul Vixie
ry one of them a printed copy of the www.vix.com/personalcolo web page. problem solved, costs reduced, revenue upheld, what the heck is stopping them? -- Paul Vixie

Re: Lazy network operators

2004-04-12 Thread Paul Vixie
is spam; 30% are bounces from > accept-then-bounce servers; and we're quickly approaching 99% spam for > several of the domains we host mail for. 60%? "luxury!" > The last thing we need is for ISPs to deal with their inbound problem by > ignoring abuse reports or making it more difficult for victims to report > spam or viruses originating from their networks. that time is past. -- Paul Vixie

Re: Lazy network operators

2004-04-13 Thread Paul Vixie
l to someplace out in then that's a tradeoff i can live with. -- Paul Vixie

Re: Lazy network operators

2004-04-13 Thread Paul Vixie
[EMAIL PROTECTED] (John Curran) writes: > The question is, do you change approach after a decade without progress? Based on my archives of this and related mailing lists... "nope." -- Paul Vixie

Re: Lazy network operators

2004-04-13 Thread Paul Vixie
buys > at me. the only people who benefit from the current pricing model are registrars. if domains cost $300 a year we'd have less than 1% of the number we have now, but the ones we have would actually get used. i have never received mail from a domain ending in .biz that was not spam, for example. -- Paul Vixie

Re: Lazy network operators

2004-04-14 Thread Paul Vixie
email delivery. Delays up to days > are not too uncommon occurrences. ...for things to keep getting worse, to encourage innovative & independence. -- Paul Vixie

Re: Lazy network operators

2004-04-15 Thread Paul Vixie
> > preventing DDoS and IP source address forgery each also break what the > > IAB calls "the end-to-end model". > > How so? I was thinking of RFC 1958: An end-to-end protocol design should not rely on the maintenance of state (i.e. information about the state of the end-to-end communi

Re: Lazy network operators

2004-04-16 Thread Paul Vixie
> On the other hand, we've had DDoS prevention mechanisms (based on > multiple rate-limiters, for different kinds of packets) deployed for > over 6 months now. They seem to work just fine, are always active, > and require no state in the network. you know how to rate-limit without state in the n

Re: Lazy network operators

2004-04-16 Thread Paul Vixie
> Yes, this is a problem. I'm not sure NAT is the solution, though. I mean, > if you're going to use NAT, why switch to IPv6 in the first place? reasons will vary from "because my vendors are pushing it" to "because it has some feature that makes my life easier" to "because some application my us

Re: Monitoring dark address space?

2004-04-16 Thread Paul Vixie
st a million hosts on it now, and about 20% of the ones who probe my smtpk (which always accepts all mail you send it) later try to spam my main mail server (which is in a different netblock). i'd say i've learned quite a lot about how spammers and wormers work together nowadays. httpk=# select count(*) from trans where srcaddr<<='209.148.235.0/24'; count --- 21 (1 row) ahhh, postgresql and its inet/cidr datatypes. (try 'em, you'll like 'em.) -- Paul Vixie

Re: Lazy network operators

2004-04-17 Thread Paul Vixie
> > ... > > anyway, there will absolutely be NAT in ipv6 enterprise networks, but the > > reason for it won't be a shortage of globally unique address space. > > Hmmm, or rather, there just won't be any demand for IPv6 deployment, at > least from the edges (consumers, small/medium networks). Why b

Re: Lazy network operators - NOT

2004-04-17 Thread Paul Vixie
BBL" disabled outbound TCP/25, or not, so, they probably just wouldn't, but, they probably aren't going to, no matter whether a "BBL" exists or not.) The new motto here is: "Blackhole 'em all and let market forces sort 'em out." -- Paul Vixie

Re: Monitoring dark address space?

2004-04-17 Thread Paul Vixie
CT avhead /^Subject:.*\[SmartFilter\] Virus Alert / REJECT avhead /^Subject:.*\[Virus detected\]/ REJECT avhead /^Subject:.*\{VIRUS\?\}/REJECT avhead /^From:.*Symantec_AntiVirus_for_SMTP_Gateways\@/ REJECT avhead /^Subject:.*VIRUS POSLAN SA VASE ADRES/ REJECT avhead /^Subject:.*Unsolicited commercial email rejected/ REJECT avhead -- Paul Vixie

Re: Lazy network operators - NOT

2004-04-18 Thread Paul Vixie
> I suggested using something like HINFO in the in-addr.arpa address > zones for service providers to give similar information about IP > addresses. Yes, I know, using DNS for yet something else. LDAP or > RWHOIS or any other global mechanism could be used. more uses for dns is actually a good

Re: Lazy network operators - NOT

2004-04-18 Thread Paul Vixie
> > ... Margin pressure makes it impossible for most "broadband" service > > providers to even catalogue known-defect customer systems or process > > complaints about them. > > What is the estimated cost per subscriber of such an operation in your > opinion and where should it be to make it feasib

Re: Lazy network operators - NOT

2004-04-18 Thread Paul Vixie
> Maybe a stupid question... But if broadband providers aren't going to do > this, and considering there are way less legitimate SMTP senders than > broadband users, wouldn't it make more sense to whitelist known real SMTP > sources rather than blacklist all addresses that potentially have a fake

flat ascii, please

2004-04-18 Thread Paul Vixie
acceptable use policies by the service provider. ...this. if you're on this mailing list, please configure your user interface to output 79-column ascii card images, with no =foo or html. if or when nanog@ moves to a different format, it'll likely be jabber rather than html or richtext. -- Paul Vixie

Re: Lazy network operators - NOT

2004-04-18 Thread Paul Vixie
> Be careful about the slice and dice effect. Depending on how you divide > up the numbers you can make anything come out on top. In some sense > the problem is a lot worse. It's not just spam, worms, viruses. It's not > just residential broadband users. It's not even just Microsoft Windows. w

Re: Lazy network operators - NOT

2004-04-19 Thread Paul Vixie
> >there's no choice at all, really. > > Are you suggesting to drop all traffic (which, if widespread would get > attention) or just email? at the moment i'm proposing just e-mail. but that's only because we should already be rejecting udp/137 and udp/138 and udp/139 from outside our campuses an

Re: Anyone from AT&T here? (AT&T bogus DNSBL answers)

2004-04-19 Thread Paul Vixie
ases onto a protocol > that does not interfere with the Internet's critical DNS systems and I > believe that LDAP is that protocol. re-inventing a distributed, hierarchical, autonomous, reliable database just to avoid using DNS as its inventor intended it, seems like a great waste of time, IMHO. -- Paul Vixie

Re: Lazy network operators - NOT

2004-04-19 Thread Paul Vixie
trend isn't good. > With better identification, you directly receive the benefit of > keeping your computer clean. You eliminate the third-party dependency > of needing to fix other people's mistakes in order to do your work. > It also makes it easier for other people to take action, because the > collateral damage is less. you sound like a man with a vision. care to pass that bong over this way? -- Paul Vixie

Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Paul Vixie
omers wraith, or due to lack of technology inside the headend, or whatever), it's going to get done by the dreaded giant merciless monster known as "market forces". -- Paul Vixie
