Re: Schneier: ISPs should bear security burden
On Tue, Apr 26, 2005 at 10:38:00PM -0700, Owen DeLong wrote:
> So much for any sort of journalistic ethic, fact checking, or, unbiased reporting.

Schneier isn't a journalist or reporter; he's a security vendor.

- mark

--
Mark Newton, Network Engineer, Internode Systems Pty Ltd
Email: [EMAIL PROTECTED] (W) / [EMAIL PROTECTED] (H)
Desk: +61-8-82282999   Mobile: +61-416-202-223
Network Man - Anagram of Mark Newton
Re: Schneier: ISPs should bear security burden
And you're a network engineer. What's your point?

- ferg

-- Mark Newton [EMAIL PROTECTED] wrote:

> On Tue, Apr 26, 2005 at 10:38:00PM -0700, Owen DeLong wrote:
> > So much for any sort of journalistic ethic, fact checking, or, unbiased reporting.
>
> Schneier isn't a journalist or reporter; he's a security vendor.
>
> - mark

--
Fergie, a.k.a. Paul Ferguson
Engineering Architecture for the Internet
[EMAIL PROTECTED] or [EMAIL PROTECTED]
ferg's tech blog: http://fergdawg.blogspot.com/
Re: Schneier: ISPs should bear security burden
On Wed, Apr 27, 2005 at 06:06:22AM +0000, Fergie (Paul Ferguson) wrote:
> -- Mark Newton [EMAIL PROTECTED] wrote:
> > On Tue, Apr 26, 2005 at 10:38:00PM -0700, Owen DeLong wrote:
> > > So much for any sort of journalistic ethic, fact checking, or, unbiased reporting.
> >
> > Schneier isn't a journalist or reporter; he's a security vendor.
>
> And you're a network engineer. What's your point?

Merely that Owen's expectation of journalistic ethic, fact checking, or unbiased reporting was misplaced, because his remarks are addressing someone who has a vested interest in the outcome of the debate, not an ethical, unbiased, disinterested observer.

- mark

--
Mark Newton, Network Engineer, Internode Systems Pty Ltd
Email: [EMAIL PROTECTED] (W) / [EMAIL PROTECTED] (H)
Desk: +61-8-82282999   Mobile: +61-416-202-223
Network Man - Anagram of Mark Newton
Re: Schneier: ISPs should bear security burden
On Tue, Apr 26, 2005 at 10:38:00PM -0700, Owen DeLong wrote:
> I think it's absurd. I expect my water delivery company not to add pollutants in transit. I expect my water production company to provide clean water.

er.. bad analogy warning... please take a sample of tap water to an independent lab for analysis... and find out just what the water company is putting into your water.

> This is like asking the phone company to prevent minors from hearing swear-words on telephone calls or prevent people from being able to make prank phone calls from pay-phones.

more bad analogies... :)

> Owen
> > - ferg

that said, if you don't want your ISP to diddle your packets, may i suggest IPSEC?

--bill
Re: Schneier: ISPs should bear security burden
Hi,

Maybe this is an OLD topic, but the problem is: what is security? Or how do you define a secure Internet access service?

E.g. should the ISP be responsible for managing applications transmitted across its backbone? If so, how do you define a standard application model while keeping the Internet a flexible platform? Could we maintain the scalability of the IP network while keeping it secure and high performance?

From a business point of view, would people pay more money for a limited, secure Internet access service while his/her child is able to visit those nude websites?

So, IMHO, it's a good idea but it's not a feasible proposal.

Joe

--- Jerry Pasker [EMAIL PROTECTED] wrote:
> > I've been there -- I know how I feel about it -- but I'd love to know how ISP operations folk feel about this.
>
> It means 10 different things to 10 different people. The article was vague. Security could mean blocking a few ports, simple Proxy/NAT, blocking port 25 (or 139... or 53.. heh heh) or a thousand different things. There is a market for this, it's called managed services.
Re: Internet2
> Maybe you should checkout some performance measurement numbers/papers from ACM (www.acm.org) which should help answer some of your questions.

having been an acm member since '67, i am aware of the volume published. give me a specific cite, please.

> http://www.slac.stanford.edu/comp/net/wan-mon/netmon.html

am well aware of les's work for many years. have always argued with him of the accuracy of his pinger.

you might find http://www.nanog.org/mtg-0105/casner.html relevant

randy
Detecting VoIP traffic in ISP network
Hi,

We want to collect statistics in our backbone networks. Is there any good method for this? Is there any product for this?

Joe
Re: Schneier: ISPs should bear security burden
On April 26, 2005 11:36 pm, [EMAIL PROTECTED] wrote:
> On Tue, Apr 26, 2005 at 10:38:00PM -0700, Owen DeLong wrote:
> > I think it's absurd. I expect my water delivery company not to add pollutants in transit. I expect my water production company to provide clean water.
>
> er.. bad analogy warning... please take a sample of tap water to an independent lab for analysis... and find out just what the water company is putting into your water.

Actually that _is_ a bad analogy. According to my sister (who works in that area as a regional water expert), tap-water is held to higher standards than bottled water. In Canada at least... ymmv.

cheers,
--dr

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Vancouver, Canada May 4-6 2005 http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp
Re: using TCP53 for DNS
On Tue, Apr 26, 2005 at 12:39:09PM -0400, Patrick W. Gilmore [EMAIL PROTECTED] wrote a message of 22 lines which said:
> From the thread (certainly not a scientific sampling), many people seem to be filtering port 53 TCP to their name servers.

Again, a non-scientific sampling, but AFNIC (.fr registry) *requires* a successful technical check of the name servers *before* delegation or technical change of a .fr domain. <soapbox>Every TLD should do so.</soapbox>

Among the things we check is the TCP access to all the name servers. A lot (lot is not a scientific word, I know) of people complain. Very often, they are clueless ("TCP is only for zone transfers"), very often also they don't master their infrastructure (DNS hosted somewhere else, firewall middlebox which is an unmanaged black box, firewall which is managed by an external contractor on a per-change charge basis, etc).
Re: using TCP53 for DNS
On Tue, Apr 26, 2005 at 07:01:47PM +0000, Christopher L. Morrow [EMAIL PROTECTED] wrote a message of 29 lines which said:
> Even after I imagine that folks left the filters in place either 'because' or 'I don't run router acls' or 'laziness'

[Warning, operational content.]

Remember that most firewalls or other middleboxes on the Internet are completely unmanaged. They were configured once and for all. (See the problems with former bogons or with 192.0.0.0/8.) The architecture of the Internet was designed for a network where all the routers were heavily managed and by knowledgeable people. Now, the switch to a network of mostly unmanaged boxes is a big challenge.
Re: using TCP53 for DNS
On Tue, Apr 26, 2005 at 03:04:25PM -0400, Patrick W. Gilmore [EMAIL PROTECTED] wrote a message of 46 lines which said:
> I am interested in how many name servers - caching or authoritative - are filtering incoming and/or outgoing TCP port 53.

For authoritative name servers of TLDs, you can browse:

http://www.generic-nic.net/dyn/mon/

and see that incoming TCP is often filtered, even on serious TLDs:

w: Server doesn't listen/answer on port 53 for TCP protocol
 * Ref: IETF RFC1035 (p.32 4.2. Transport)
   The DNS assumes that messages will be transmitted as datagrams or in a byte stream carried by a virtual circuit. While virtual circuits can be used for any DNS activity, datagrams are preferred for queries due to their lower overhead and better performance.
 * ns.cnc.ac.cn./159.226.1.1
 * ns.cernet.net./202.112.0.44
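The check quoted above (a name server that answers UDP but not TCP on port 53) can be reproduced offline. The following is an added example, not code from any poster or from AFNIC: it builds a query, applies the two-byte length framing RFC 1035 section 4.2.2 requires on TCP, reassembles messages from a TCP byte stream, and reads the TC bit that forces a resolver onto TCP in the first place. The `tcp53_listens` probe and the sample reply bytes are my own constructions.

```python
import socket
import struct

# Added example (not from the thread). Query/response layout per RFC 1035 4.1,
# TCP framing per 4.2.2: every message on a TCP connection is preceded by a
# two-byte big-endian length so the receiver can delimit messages in the stream.

QTYPE_NS = 2
QCLASS_IN = 1


def build_query(name: str, qtype: int = QTYPE_NS, qid: int = 0x1234) -> bytes:
    """Build a minimal DNS query: 12-byte header (RD set, one question) + QNAME/QTYPE/QCLASS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = [label.encode("ascii") for label in name.strip(".").split(".")]
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def frame_tcp(msg: bytes) -> bytes:
    """Prefix a DNS message with its 2-byte length for transmission over TCP."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too large for TCP framing")
    return struct.pack("!H", len(msg)) + msg


def split_tcp_stream(buf: bytes):
    """Extract complete length-prefixed messages from a TCP byte stream.

    Returns (messages, leftover). Leftover is an incomplete trailing message that
    must be kept until more bytes arrive; TCP itself gives no message boundaries.
    """
    msgs = []
    while len(buf) >= 2:
        (n,) = struct.unpack("!H", buf[:2])
        if len(buf) < 2 + n:
            break
        msgs.append(buf[2:2 + n])
        buf = buf[2 + n:]
    return msgs, buf


def is_truncated(msg: bytes) -> bool:
    """True when the TC bit (0x0200 in the flags word) is set in a response.

    A UDP answer with TC=1 did not fit; the resolver must repeat the query over
    TCP. A server (or middlebox) that filters TCP 53 therefore breaks exactly the
    responses that are too big for UDP, not only zone transfers.
    """
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    (flags,) = struct.unpack("!H", msg[2:4])
    return bool(flags & 0x0200)


# Constructed sample: 12-byte reply headers to query id 0x1234. The first has
# QR, TC, RD and RA set (0x8380) and no answers, i.e. what a resolver sees when
# the UDP reply overflowed; the second (0x8180) is a complete reply.
TRUNCATED_UDP_REPLY = bytes.fromhex("1234" "8380" "0001" "0000" "0000" "0000")
COMPLETE_UDP_REPLY = bytes.fromhex("1234" "8180" "0001" "0001" "0000" "0000")


def tcp53_listens(server: str, name: str, timeout: float = 3.0):
    """Probe one of your own name servers over TCP 53, as a registry's
    pre-delegation check does. Returns True if a DNS reply to our query id came
    back, False on refusal/reset, None on timeout (typical of a silent drop by
    an unmanaged firewall). Needs network access; not exercised offline."""
    query = build_query(name)
    try:
        with socket.create_connection((server, 53), timeout=timeout) as sock:
            sock.sendall(frame_tcp(query))
            buf = b""
            while True:
                chunk = sock.recv(4096)
                if not chunk:  # peer closed without a full message
                    return False
                buf += chunk
                msgs, buf = split_tcp_stream(buf)
                if msgs:
                    return msgs[0][:2] == query[:2]
    except (ConnectionRefusedError, ConnectionResetError):
        return False
    except socket.timeout:
        return None


if __name__ == "__main__":
    q = build_query("example.net")
    print("query bytes:", len(q), "framed:", len(frame_tcp(q)))
    print("TC set on sample UDP reply:", is_truncated(TRUNCATED_UDP_REPLY))
```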
clarity
On Wed, Apr 27, 2005 at 12:13:16AM -0700, Dragos Ruiu wrote:
> On April 26, 2005 11:36 pm, [EMAIL PROTECTED] wrote:
> > On Tue, Apr 26, 2005 at 10:38:00PM -0700, Owen DeLong wrote:
> > > I think it's absurd. I expect my water delivery company not to add pollutants in transit. I expect my water production company to provide clean water.
> >
> > er.. bad analogy warning... please take a sample of tap water to an independent lab for analysis... and find out just what the water company is putting into your water.
>
> Actually that _is_ a bad analogy. According to my sister (who works in that area as a regional water expert), tap-water is held to higher standards than bottled water. In Canada at least... ymmv.
>
> cheers,
> --dr

perhaps you mis-read. water companies -always- add things to water, to kill off germs, balance mineral content, etc.. they do this to -meet- the higher standards. and by their tampering, they pollute the water... their pollution may make the water drinkable and safe. does not change the fact that the water was tampered with.

--bill
Re: Schneier: ISPs should bear security burden
On Wed, 27 Apr 2005, Dragos Ruiu wrote:
> > an independent lab for analysis... and find out just what the water company is putting into your water.
>
> Actually that _is_ a bad analogy. According to my sister (who works in that area as a regional water expert), tap-water is held to higher standards than bottled water. In Canada at least... ymmv.

Yeah, gotta clean it up from pollutants [spam, ddos], add antibacterial [antivirus] agents, check that the supply [latency] is not too low [high], make sure there are no leaks [unauthorized access].

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]
Re: Sheet could shelter Wi-Fi from eavesdroppers
Assuming your walls, roofs and floors have the same level of protection, and you need windows, then this product is a good fit.

Certain British institutions I have been involved with in the past don't bother with windows, and the walls are Faraday cages (internal ones as well!).

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Fergie (Paul Ferguson) wrote:
> Well, occasionally something really cool comes along, and you just gotta share it. :-)
>
> This is semi-operational, so http://news.com.com/Sheet+could+shelter+Wi-Fi+from+eavesdroppers/2100-1029_3-5685431.html ..there. :-)
>
> - ferg
>
> --
> Fergie, a.k.a. Paul Ferguson
> Engineering Architecture for the Internet
> [EMAIL PROTECTED] or [EMAIL PROTECTED]
> ferg's tech blog: http://fergdawg.blogspot.com/
Re: Internet2
On 4/26/05, Adam McKenna [EMAIL PROTECTED] wrote:
> On Tue, Apr 26, 2005 at 11:18:08PM +0200, Mikael Abrahamsson wrote:
> > On Tue, 26 Apr 2005, Vicky Rode wrote:
> > > Basically I meant to say not congested as the current Internet is.
> >
> > If your ISP has congested links you should complain and switch if not fixed promptly.
>
> WTF.. She asked a simple question and five people are slamming her for no apparent reason.

Actually, I interpreted it as someone asking a question while obviously imbibing too often from the I2 kool-aid pitcher. My attitude towards I2 is that it is a really, really nice private WAN that I have the joy of funding indirectly through NSF grant awards and such - oh, and it has a really catchy name. That doesn't make it better, less congested or faster than the Internet. As Patrick already pointed out, it is difficult to say anything about the Internet as a whole.

On 4/26/05, Vicky Rode [EMAIL PROTECTED] wrote:
> Then again, I'm not saying that Internet is going to crash and burn, its doomed and that one should switch to I2. All I'm asking is for some insight about potential risk of I2 abuse, that's all.

That's good to know, because if the internet were to crash and burn, Abilene would be right behind it. As far as I can see from the outside, there's nothing being done on I2 that couldn't be done on the Internet with fat enough pipes and quality-of-service.

-doug
Re: Schneier: ISPs should bear security burden
Ferg, you asked for it.

> I've been there -- I know how I feel about it -- but I'd love to know how ISP operations folk feel about this.
>
> Links here: http://www.vnunet.com/news/1162720

Schneier has a profound interest in the ISPs being forced to buy his (or his competitors') security gear to fulfill the customers' dreams of a clean Internet connection. Pretty biased, if you don't mind.

What he lacks to understand is the reasons why ISPs don't do it. It's not just laziness (only part) or lack of responsibility; it's more like that it's expensive and nobody would pay for it - no, not the customers; they like to get everything for free, remember?

The most prominent reason keeping ISPs from filtering their clients' data streams is - tada - jurisdiction. It's simply not allowed in countries that don't officially harvest everything they can get their hands on. There is something called privacy rights. Nobody may legally interfere with the data stream that reaches my boxes, and nobody - not even my boss! - must fiddle with my email if not expressly allowed by myself.

So it is a damn good sign of the ISP's responsibility if it does _not_ place filters in the data stream.

But then, my sympathies for Bruce have long evaporated, so I am of course biased as well.

Elmar.

--
Just don't make the mistake of substituting expertise for opinion. (PLemken, [EMAIL PROTECTED])
--[ ELMI-RIPE ]---
Re: Schneier: ISPs should bear security burden
[EMAIL PROTECTED] (william(at)elan.net) wrote:
> > According to my sister (who works in that area as a regional water expert), tap-water is held to higher standards than bottled water. In Canada at least... ymmv.
>
> Yeah, gotta clean it up from pollutants [spam, ddos], add antibacterial [antivirus] agents, check that the supply [latency] is not too low [high], make sure there are no leaks [unauthorized access].

In fact, the tap-water analogy is a very bad and at the same time a very good one.

(1) In some countries, tap water is really pure and clean, often a lot better than what you can buy in bottles. This is especially true for Germany, Austria, and, according to Dragos, for Canada, too. The reason for the water quality here in ol' Europe is defined quality standards and ongoing tests.

(2) In other countries, water companies are allowed to adhere to a lot less rigid standards. I was pretty surprised how awful water in the US midwest was. Full of chlorine and tasting dead. I still cannot believe people drink it there every day (but they do, it's what Coke's made with there).

So we do see differences here, some of which stem from the available water supplies in the area, and some of which are the effect of different defined standards and - inherently - jurisdiction.

Countries are different; there is - legally spoken - no world-wide Internet. Everyone falls under the legislation of their home country (for various values of home...). And while we may not like it, this jurisdiction can be very different from mine. Or yours.

Elmar.

--
Just don't make the mistake of substituting expertise for opinion. (PLemken, [EMAIL PROTECTED])
--[ ELMI-RIPE ]---
Re: FCC Chief Wants 911 Service for Internet Phones
> Prepare for the inevitable.
>
> - ferg

The inevitable: Cellular phone emergency call handling in Germany

Well, it's 110 not 911, but tabernak, it's just the same nonsense.

Area "Deathvalley" between Heppenheim (Hessen) and Laudenbach (Baden-Wuertemberg). The two towns are some 5 km, less than 3 miles, apart. Heppenheim's sun does not shine over Deathvalley; there is no radio contact. Laudenbach is not in charge of Deathvalley. The officer told me to disconnect and dial again.

On my ham radio I finally got help - from a French radio amateur some 200 km away.

So I guess it would be a good idea to have all European emergency calls directed to AFRINIC. Directing all American emergency calls to Australia makes sense. Emergencies will happen when everybody is asleep. That is when the sun shines over Australia. I think they are good at handling things like that. If only they would speak French :)

Regards,
Peter Dambier

--
Peter und Karin Dambier
Graeffstrasse 14
D-64646 Heppenheim
+49-6252-671788 (Telekom)
+49-6252-599091 (O2 Genion)
+1-360-226-6583-9738 (INAIC)
[EMAIL PROTECTED]
www.peter-dambier.de
iason.site.voila.fr
Re: Port 25 - Backlash
Hmm, the ones who block everything and cut wires off send 0 spam. So what?

----- Original Message -----
From: Daniel Golding [EMAIL PROTECTED]
To: Hank Nussbacher [EMAIL PROTECTED]; Adam Jacob Muller [EMAIL PROTECTED]
Cc: Nanog Mailing list nanog@merit.edu
Sent: Tuesday, April 26, 2005 2:50 PM
Subject: Re: Port 25 - Backlash

> Do all of Comcast's markets block port 25? Is there a correlation between spam volume and the ones that do (or don't)?
>
> In any event the malware is already ahead of port 25 blocking and is leveraging ISP smarthosting. SMTP-Auth is the pill to ease this pain/
>
> - Dan
>
> On 4/26/05 2:49 PM, Hank Nussbacher [EMAIL PROTECTED] wrote:
> > On Tue, 26 Apr 2005, Adam Jacob Muller wrote:
> >
> > Doesn't seem to be stemming the tide of emails from Comcast though:
> > http://www.senderbase.org/?searchBy=organization&searchString=Comcast%20Cable
> >
> > -Hank
> >
> > > For example, about 2 months ago, comcast decided to block outgoing port 25 from my entire neighborhood. I called comcast, and while sitting on hold I had the idea to setup a ssh tunnel to a machine at work and voilà, problem solved before anyone from comcast even answered the phone.
Re: Port 25 - Backlash
On Tue, 26 Apr 2005, Daniel Golding wrote:
> Do all of Comcast's markets block port 25? Is there a correlation between spam volume and the ones that do (or don't)?
>
> In any event the malware is already ahead of port 25 blocking and is leveraging ISP smarthosting. SMTP-Auth is the pill to ease this pain/

Really, smtp-auth will solve it? Or do most windows MUAs cache your password?

> - Dan
>
> On 4/26/05 2:49 PM, Hank Nussbacher [EMAIL PROTECTED] wrote:
> > On Tue, 26 Apr 2005, Adam Jacob Muller wrote:
> >
> > Doesn't seem to be stemming the tide of emails from Comcast though:
> > http://www.senderbase.org/?searchBy=organization&searchString=Comcast%20Cable
> >
> > -Hank
> >
> > > For example, about 2 months ago, comcast decided to block outgoing port 25 from my entire neighborhood. I called comcast, and while sitting on hold I had the idea to setup a ssh tunnel to a machine at work and voilà, problem solved before anyone from comcast even answered the phone.

--
Joel Jaeggli   Unix Consulting   [EMAIL PROTECTED]
GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2
Re: The not long discussion thread....
Steve Sobol allegedly replied to my reply with:
> What were the router ACLs doing that the DNS server ACLs weren't/couldn't?

The ACLs were doing it for the entire server network. Since I prefer my job as a router-rat over everything else I do, I find it easiest to use the biggest hammer available to me when dealing with DoS attacks. One router ACL vs. 10 server ACLs? When I'm under attack I'll take the one router ACL. Then, per their request, I added it to the networks that my collocation clients were on. They were getting 0wn3d regularly, and it really simplified my life in a time when new BIND 8 exploits were coming out every 4 minutes. The router ACLs made my life easier, not harder. Besides, it's my ASN, and I can do what I want. ;-)

Christopher L. Morrow allegedly wrote:
> This, it seems, was an unfortunate side effect (as I pointed out earlier) of legacy software and legacy config... if I had to guess.

You guess wrong. See the above. And don't pass judgement. (Am I being cited for lack of clue? It kind of feels like it.) It wasn't a *BAD* thing, it was a *GOOD* thing. It made things better, not worse. I still may go back and re-implement port 53 blocks in the future if I find a good reason to. I know now that it doesn't really cause operational problems. At least not in a smaller ISP environment. Would I want a transit network to block TCP 53? Of course not. But my end customers request those types of services regularly, so I try to provide what they want.

And don't think I'm coming off as all ticked off and defensive. I'm not ticked off, I'm actually enjoying this. As for being defensive? Maybe. I'm trying hard not to be though. I really can't help myself... I have this lurking fear that I'm being tossed in to the "clueless, block TCP 53 with an outsourced firewall, and don't know what I'm doing beyond that" group that I so despise. ;-) Especially on this list, full of people that I have so much respect for.

I knew I was opening myself up a little when I decided to help out by sharing my worldnic.com experiences, but figured it was for the good of the group, and therefore, worth it. And I still think that.

-Jerry
Re: Port 25 - Backlash
On 4/27/05, Joel Jaeggli [EMAIL PROTECTED] wrote:
> > In any event the malware is already ahead of port 25 blocking and is leveraging ISP smarthosting. SMTP-Auth is the pill to ease this pain/
>
> Really smtp-auth will solve it? or do most windows mua's cache your password?

They sure do cache the password. But with smtp auth, the infected user is stamped in the email headers, and all over my MTA logs, when a bot that hijacks his PC starts spamming. I can easily remove auth privileges for his account, and/or limit his access to a walled garden till such time as he cleans up - without taking the trouble to match timestamps of the spam + dig into radius logs.

Easier to identify, and easier to lock down, than unauthenticated access.

--srs
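The point made above, that SMTP AUTH stamps the submitting account into the MTA logs so a hijacked account can be spotted and locked down without correlating spam timestamps against RADIUS, as an added example (not the poster's code): it parses Postfix-style smtpd `sasl_username=` log lines and flags accounts whose submission rate or spread of client addresses jumps. The log lines, thresholds and account names are constructed for illustration, and the year is an assumption because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added example, not from the thread. Postfix logs each authenticated submission
# with the SASL account name, so a per-account view needs no other data source.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\], sasl_method=\S+, sasl_username=(?P<user>\S+)$"
)
ASSUMED_YEAR = 2005  # assumption: syslog lines carry no year


def parse_line(line: str):
    """Return {ts, qid, ip, user} for an authenticated-submission line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['ts']} {ASSUMED_YEAR}", "%b %d %H:%M:%S %Y")
    return {"ts": ts, "qid": m["qid"], "ip": m["ip"], "user": m["user"]}


def peak_in_window(times, window_s):
    """Largest number of events falling inside any sliding window of window_s seconds."""
    times = sorted(times)
    start, peak = 0, 0
    for i, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_s:
            start += 1
        peak = max(peak, i - start + 1)
    return peak


def flag_accounts(lines, window_minutes=60, max_msgs=50, max_ips=2):
    """Map account -> reasons for accounts that look hijacked.

    Two signals: a burst of submissions inside one window, or submissions arriving
    from more distinct client addresses than one subscriber would plausibly use.
    Non-matching log lines (other Postfix daemons, unauthenticated clients) are ignored.
    """
    by_user = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_user[ev["user"]].append(ev)
    flagged = {}
    for user, evs in by_user.items():
        reasons = []
        peak = peak_in_window([e["ts"] for e in evs], window_minutes * 60)
        ips = {e["ip"] for e in evs}
        if peak > max_msgs:
            reasons.append(f"{peak} submissions in {window_minutes} min")
        if len(ips) > max_ips:
            reasons.append(f"{len(ips)} distinct client IPs")
        if reasons:
            flagged[user] = reasons
    return flagged


# Constructed sample log: one normal account and one whose credentials a bot is
# replaying from three different addresses (documentation ranges only).
def _line(minute, second, qid, ip, user):
    return (f"Apr 27 10:{minute:02d}:{second:02d} mx1 postfix/smtpd[2112]: {qid:06X}: "
            f"client=unknown[{ip}], sasl_method=PLAIN, sasl_username={user}")


BOT_IPS = ["198.51.100.7", "203.0.113.9", "192.0.2.77"]
SAMPLE_LOG = [
    _line(1, 5, 1, "192.0.2.10", "alice"),
    _line(20, 0, 2, "192.0.2.10", "alice"),
    "Apr 27 10:20:01 mx1 postfix/qmgr[2100]: 000002: removed",  # unrelated, ignored
    _line(45, 30, 3, "192.0.2.10", "alice"),
] + [
    # 72 submissions for "bob", one every 10 s, cycling through the bot addresses
    _line(i // 6, (i % 6) * 10, 0x100 + i, BOT_IPS[i % 3], "bob") for i in range(72)
]


if __name__ == "__main__":
    for user, reasons in flag_accounts(SAMPLE_LOG).items():
        print(f"suspend SMTP AUTH for {user}: {'; '.join(reasons)}")
```

The output of `flag_accounts` is the list of accounts to disable or divert into the walled garden; the queue ids in the parsed events are what you would then feed back to the spam reports.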
Re: Detecting VoIP traffic in ISP network
Local telco concerned about voip eating into their revenues, and wants to push through legislation or something? :)

On 4/27/05, Joe Shen [EMAIL PROTECTED] wrote:
> we want to collect statistics in our backbone networks. Is there any good method to this? is there any product for this ?
>
> Joe

--
Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: Schneier: ISPs should bear security burden
On Tue, 26 Apr 2005, Jerry Pasker wrote:
> > I've been there -- I know how I feel about it -- but I'd love to know how ISP operations folk feel about this.
>
> It means 10 different things to 10 different people. The article was

yep, and the danger is you agree with the article and some politicians or journalists think you are advocating a full police service which would be bad.

i do think we have an obligation to try to keep the net clean to a certain degree, think anti-ddos wg's etc but providing full security for all users is unrealistic. there seems to be some moves to offering partial security and this is probably a good thing eg blocking common ms ports will likely be effective.

Steve
Re: Schneier: ISPs should bear security burden
> Sound about right?

No, not at all. I'm not advocating a wild west every man for himself, but, I think that solving end-node oriented problems at the transport layer is equally absurd. It's like expecting to be able to throw crude oil into a tanker at one end and demanding that the trucker deliver gasoline at the other.

ISPs transport packets. That's what they do. That's what most consumers pay them to do. I haven't actually seen a lot of consumers asking for protected internet. I've seen lots of marketing hype pushing it, but, very little actual consumer demand. Sure, the hype will probably generate eventual demand, but, so far, it hasn't really.

Do you really want an internet where everything has to run over ports 80 and 443 because those are all that's left that ISPs don't filter? That's where a lot of this crap is headed. Heck, Micr0$0ft is ready for that... They already tunnel almost all of the viruses through those two ports in order to facilitate them penetrating corporate firewalls and such.

How much functionality are we going to destroy before we realize that you can't fix end-node problems in the transit network?

Owen
Re: Schneier: ISPs should bear security burden
I was referring to the article which contained the Schneier quote, not Schneier. The article was written by someone at least pretending to be a journalist, and, was put out as news, not editorial or advertising. As such, it should be held to the standard that should apply to news. Instead, it was yet another example of advertising disguised as news.

Owen

--On Wednesday, April 27, 2005 15:42 +0930 Mark Newton [EMAIL PROTECTED] wrote:
> On Tue, Apr 26, 2005 at 10:38:00PM -0700, Owen DeLong wrote:
> > So much for any sort of journalistic ethic, fact checking, or, unbiased reporting.
>
> Schneier isn't a journalist or reporter; he's a security vendor.
>
> - mark
Re: Schneier: ISPs should bear security burden
--On Wednesday, April 27, 2005 6:36 +0000 [EMAIL PROTECTED] wrote:
> On Tue, Apr 26, 2005 at 10:38:00PM -0700, Owen DeLong wrote:
> > I think it's absurd. I expect my water delivery company not to add pollutants in transit. I expect my water production company to provide clean water.
>
> er.. bad analogy warning... please take a sample of tap water to an independent lab for analysis... and find out just what the water company is putting into your water.

Admittedly, there are contaminants in the water, but, I don't believe most of them are added in transit. (If I did, I'd be putting pressure on to get that fixed.) If you're talking about fluoridation, I am fortunate enough to live in an area where they figured out that was a bad idea.

> > This is like asking the phone company to prevent minors from hearing swear-words on telephone calls or prevent people from being able to make prank phone calls from pay-phones.
>
> more bad analogies... :)

Why is this a bad analogy? Neither of these actions are currently prevented by the telcos.

> that said, if you don't want your ISP to diddle your packets, may i suggest IPSEC?

Sometimes I use IPSEC, but, I don't want my ISP to diddle my packets whether they're tunneled or not. Fortunately, so far, I've been able to find ISPs that don't.

Owen
Re: Schneier: ISPs should bear security burden
On 4/27/05, Stephen J. Wilcox [EMAIL PROTECTED] wrote:
> i do think we have an obligation to try to keep the net clean to a certain degree, think anti-ddos wg's etc but providing full security for all users is unrealistic. there seems to be some moves to offering partial security and this is probably a good thing eg blocking common ms ports will likely be effective.

As complete security as possible, to your end users. That doesn't extend to applying filters to circuits you provision for your customers (managed T1 type stuff maybe, but definitely more useful in the case of end user stuff like at the edge of broadband / dialup pools).

--
Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: clarity
--On Wednesday, April 27, 2005 7:39 +0000 [EMAIL PROTECTED] wrote:
> On Wed, Apr 27, 2005 at 12:13:16AM -0700, Dragos Ruiu wrote:
> > On April 26, 2005 11:36 pm, [EMAIL PROTECTED] wrote:
> > > On Tue, Apr 26, 2005 at 10:38:00PM -0700, Owen DeLong wrote:
> > > > I think it's absurd. I expect my water delivery company not to add pollutants in transit. I expect my water production company to provide clean water.
> > >
> > > er.. bad analogy warning... please take a sample of tap water to an independent lab for analysis... and find out just what the water company is putting into your water.
> >
> > Actually that _is_ a bad analogy. According to my sister (who works in that area as a regional water expert), tap-water is held to higher standards than bottled water. In Canada at least... ymmv.
> >
> > cheers,
> > --dr
>
> perhaps you mis-read. water companies -always- add things to water, to kill off germs, balance mineral content, etc.. they do this to -meet- the higher standards. and by their tampering, they pollute the water... their pollution may make the water drinkable and safe. does not change the fact that the water was tampered with.

Bill,

I was very specific about transit. Yes, most water transit companies are also the water supply company, but, in my analogy, and, in some areas, as a matter of fact, they are not the same. The chemical tampering of which you speak is done by the water supply company at the supply point before it is put in the pipes for transit to the end user. The water delivery company runs said pipes, and, my expectation from them is that they deliver what they got from the water supply company without any additional contaminants.

Think of the web hoster as a water supply company. The household user is an end user. The ISP is merely a pipeline.

Owen

> --bill
Re: clarity
Missing here is a critical part of the analogy - if it's to apply to the internet, we have to assume that the contaminants we are speaking of are put back INTO the system from the end user, not just delivered in one direction. Rare, I would assume, is the ability of a water end user to put back water into the system, unless we also speak of the waste disposal system too :)

/john

On Wed, Apr 27, 2005 at 03:19:04AM -0700, Owen DeLong is reputed to have mumbled:
> --On Wednesday, April 27, 2005 7:39 +0000 [EMAIL PROTECTED] wrote:
> > On Wed, Apr 27, 2005 at 12:13:16AM -0700, Dragos Ruiu wrote:
> > > On April 26, 2005 11:36 pm, [EMAIL PROTECTED] wrote:
> > > > On Tue, Apr 26, 2005 at 10:38:00PM -0700, Owen DeLong wrote:
> > > > > I think it's absurd. I expect my water delivery company not to add pollutants in transit. I expect my water production company to provide clean water.
> > > >
> > > > er.. bad analogy warning... please take a sample of tap water to an independent lab for analysis... and find out just what the water company is putting into your water.
> > >
> > > Actually that _is_ a bad analogy. According to my sister (who works in that area as a regional water expert), tap-water is held to higher standards than bottled water. In Canada at least... ymmv.
> > >
> > > cheers,
> > > --dr
> >
> > perhaps you mis-read. water companies -always- add things to water, to kill off germs, balance mineral content, etc.. they do this to -meet- the higher standards. and by their tampering, they pollute the water... their pollution may make the water drinkable and safe. does not change the fact that the water was tampered with.
>
> Bill,
>
> I was very specific about transit. Yes, most water transit companies are also the water supply company, but, in my analogy, and, in some areas, as a matter of fact, they are not the same. The chemical tampering of which you speak is done by the water supply company at the supply point before it is put in the pipes for transit to the end user. The water delivery company runs said pipes, and, my expectation from them is that they deliver what they got from the water supply company without any additional contaminants.
>
> Think of the web hoster as a water supply company. The household user is an end user. The ISP is merely a pipeline.
>
> Owen
>
> > --bill

--
John L Clarke III   shibumi.com
PGP: DF3D D546 596E EC16 2A96 BEDA F3AC A45C
PGP: C3C4 938A D83B 6CB3 F9E8 3201 94F5 9A80
Re: Schneier: ISPs should bear security burden
> I'm not advocating a wild west every man for himself, but, I think that solving end-node oriented problems at the transport layer is equally absurd.

That's not what was being suggested. The article suggested that ISPs, the providers of the transport layer service, should consider branching out and offering other value added services in addition to the transport layer, because customers want to buy value-added services and not just the raw, unfiltered transport layer. It's up to the ISP as to how they configure and manage those services.

The company that I work for decided to build a separate global IP network in 20 countries to connect about 150 providers of application and data services to their customers, currently just under 11,000 of them. This IP network provides vastly higher levels of security than the public Internet and that is part of our contracts and SLAs. There is no technical reason why other ISPs could not offer similar value-add services other than a failure of the imagination.

And we all know what failure of the imagination buys you. In the telecom industry it led to the rise of the ISP and the Internet because the incumbents could not imagine what we have today. In the U.S. political arena it led to 9/11 because the people charged with protecting the country could not imagine that a small group of people based in one of the most backward countries on earth could pose a threat to American soil. The report of the 911 commission makes interesting reading if one is able to see the abstract lessons that it draws. Many of those lessons relate to failure of imagination and failure to move on and change with the changing times.

> ISPs transport packets. That's what they do.

You're wrong there. ISPs provide Internet services. That's what they have always done. In the early days they ran mail servers and web servers and news servers and terminal servers and many other things. We have gone through a period of specialization where ISPs have been differentiated into providing a subset of all possible Internet services. Some do indeed specialise in pure packet transport, but that is rare and they are usually part of a larger company that provides other services. In any case, it's time to move on and change some more, perhaps by adding new value-added services on that last mile connection.

> I haven't actually seen a lot of consumers asking for protected internet.

That's because you don't work for Yahoo email or for AOL.

> Do you really want an internet where everything has to run over ports 80 and 443 because those are all that's left that ISPs don't filter?

No. But I want an Internet in which different ISPs are free to offer different services rather than have a regulated environment that says that ISPs MUST offer a specific service in a specific way. I want choices.

--Michael Dillon
bearing burdens
faster than ADSL and removes the telco for last-mile considerations. http://www.notes.co.il/benbasat/10991.asp --bill
Re: Schneier: ISPs should bear security burden
Thing is, protecting them from themselves and their own stupidity is also the thing that most everyone else needs, too. Do you really want an internet where everything has to run over ports 80 and 443 because those are all that's left that ISPs don't filter? They should be filtered, too. For standard bottom-feeder accounts, *everything* should be filtered and transparent proxied. And the accounts should be priced so that they pay for their own upkeep. What will cost money is to turn off the filters selectively for certain accounts, and people who want that should be in a position to pay for it. I'm sorry, but, I simply do not share your belief that the educated should be forced to subsidize the ignorant. This belief is at the heart of a number of today's sociological problems, and, I, for one, would rather not expand its influence. How much functionality are we going to destroy before we realize that you can't fix end-node problems in the transit network? How much of the Internet is going to be destroyed before we realize that the users are too stupid to be trusted to run their end-nodes, and if the transit network wants to protect itself from the worst offenses it will need to provide only managed services and not let these people out of the corral to begin with? Strangely, for all the FUD in the above paragraph, I'm just not buying it. The internet, as near as I can tell, is functioning today at least as well as it ever has in my 20+ years of experience working with it. The vast majority of the end node problems come from one particular software vendor. If that vendor could be held accountable for the problems they have created, things would be much better. The major advantage of the internet is the ability to deploy new applications and protocols quickly and easily. Transparent proxies, btw, would not prevent most of the harmful stuff available via 443, so, I'm not sure what you think that accomplishes. 
Malware will quickly adapt to any such filtration at the transport layer. As long as you can get some form of undefined content through the internet, malware will have a way to gain transit. It must be addressed at the end node. Owen
Re: clarity
On Wed, 27 Apr 2005, Owen DeLong wrote: Yes, most water transit companies are also the water supply company, Water supply comes from rivers, lakes, etc. While water companies take water from those sources, they do not produce it; they just take what they can get, clean it up and then deliver it around the city. but, in my analogy, and, in some areas, as a matter of fact, they are not the same. The chemical tampering of which you speak is done by the water supply company at the supply point before it is put in the pipes for transit to the end user. I've heard that Israel is considering (or buying already?) water from Turkey. Do you really think they are going to just deliver it as is, or do you think the water company will clean it up on the local level before delivering it to the homes? And BTW - you do realize contamination on the Internet is usually at the source, right? The water delivery company runs said pipes, and, my expectation from them is that they deliver what they got from the water supply company without any additional contaminants. If the water supply was contaminated, I'd fully expect the water delivery company to clean it up before delivering to me. Think of the web hoster as a water supply company. The household user is an end user. The ISP is merely a pipeline. In any case, I don't think this is quite the correct analogy. A water company usually delivers from just one (ok, maybe not one for larger areas, but it's in the lower tens) source and typically has control (directly or indirectly with a signed agreement) over the source. If you want to compare this to an ISP, it would be like me having a peering agreement and direct connection with a few dozen content providers and only giving users access to those few dozen websites. -- William Leibzon Elan Networks [EMAIL PROTECTED]
Re: clarity
--On Wednesday, April 27, 2005 3:50 -0700 william(at)elan.net [EMAIL PROTECTED] wrote: On Wed, 27 Apr 2005, Owen DeLong wrote: Yes, most water transit companies are also the water supply company, Water supply comes from rivers, lakes, etc. While water companies take water from those sources, they do not produce it; they just take what they can get, clean it up and then deliver it around the city. In many places, the company that obtains and filters the water from these various sources and the company that delivers it to end users are different companies. That is what my analogy speaks of. An example would be Palo Alto, California. The City of San Francisco obtains and processes the water from Hetch Hetchy and other sources. They then sell it to the city of Palo Alto, which maintains its own pumping resources and pipelines to deliver to the end users. In this case, the city of Palo Alto is analogous to the ISP. The city of San Francisco is analogous to the end node. but, in my analogy, and, in some areas, as a matter of fact, they are not the same. The chemical tampering of which you speak is done by the water supply company at the supply point before it is put in the pipes for transit to the end user. I've heard that Israel is considering (or buying already?) water from Turkey. Do you really think they are going to just deliver it as is, or do you think the water company will clean it up on the local level before delivering it to the homes? That depends, I guess, on the quality of water that Turkey delivers and the SLA that Israel expects. An example of the situation I describe is above, and, it is real. And BTW - you do realize contamination on the Internet is usually at the source, right? Right... Exactly my point. Solving source point contamination in the transit network isn't a good idea. The water delivery company runs said pipes, and, my expectation from them is that they deliver what they got from the water supply company without any additional contaminants. 
If the water supply was contaminated, I'd fully expect the water delivery company to clean it up before delivering to me. In many cases, the water delivery company has no ability or facility to do so. I expect them to deliver clean water. Frankly, I don't care too much whether they act as a supply company or a delivery company, so long as they deliver clean water. My point was that it is perfectly acceptable for a delivery-only company to deliver without additives or filtration. Sure, in the case of water, since the delivery company is choosing the source point, they have some additional responsibilities with regard to the source quality, but, that isn't the case in the internet. The end user is choosing the source, and, the ISP is a pure delivery company. Think of the web hoster as a water supply company. The household user is an end user. The ISP is merely a pipeline. In any case, I don't think this is quite the correct analogy. Any analogy will break if you pick at it hard enough. A water company usually delivers from just one (ok, maybe not one for larger areas, but it's in the lower tens) source and typically has control (directly or indirectly with a signed agreement) over the source. Yes. If you want to compare this to an ISP, it would be like me having a peering agreement and direct connection with a few dozen content providers and only giving users access to those few dozen websites. Perhaps I should have used electric companies as a better example. Owen
Re: Schneier: ISPs should bear security burden
On Wed, 27 Apr 2005, Fergie (Paul Ferguson) wrote: I've been there -- I know how I feel about it -- but I'd love to know how ISP operations folk feel about this. Of course Bruce Schneier is going to allocate ISPs handling security so he can sell them more of his crappy Counterpane products. I find it offensive that Mr. Schneier would categorize ISPs as lazy and irresponsible, and it does nothing but encourage me to sell anything BUT Counterpane to my customers. Our customers vary greatly, and their security needs differ just as much. There is no one-stop solution for every customer, and it is not the ISP's responsibility to filter traffic and firewall their customers. Those that do invariably end up with trouble. -- Vice President of N2Net, a New Age Consulting Service, Inc. Company http://www.n2net.net Where everything clicks into place! KP-216-121-ST
Re: Schneier: ISPs should bear security burden
I understand that, but opinions being what they are, everyone is certainly entitled to have one of their own. Placing value on those opinions is an exercise left to the reader. And not everyone's opinions are constructed to simply allow financial benefit -- sometimes it is just a simple observation. Cheers, - ferg -- Mark Newton [EMAIL PROTECTED] wrote: Schneier isn't a journalist or reporter; He's a security vendor. And you're a network engineer. What's your point? Merely that Owen's expectation of journalistic ethic, fact checking, or unbiased reporting was misplaced because his remarks are addressing someone who has a vested interest in the outcome of the debate, not an ethical, unbiased disinterested observer. - mark -- Fergie, a.k.a. Paul Ferguson Engineering Architecture for the Internet [EMAIL PROTECTED] or [EMAIL PROTECTED] ferg's tech blog: http://fergdawg.blogspot.com/
Re: Schneier: ISPs should bear security burden
On Wed, 27 Apr 2005, Fergie (Paul Ferguson) wrote: Oh, please. If you think that the Internet should remain an every man for himself, wild wild west, OK Corral, situation (not my words, mind you), then you better get with the powers that will steam-roll all of us if we let it -- money and marketing. This ain't no science project anymore. Bruce is right -- right as rain -- I don't give two damns whether you think it is an issue of marketing, or protective self-advertising. The issue is that the _consumers_ want it, that's what they'll pay for, and it is the ISP's prerogative to either honor that wish, or lose the business. We owe it to our customers, and we owe it to ourselves, so let's just stop finding excuses to side-step the issue. Sound about right? No. Not at all. I agree that if customers are willing to pay for managed security services that ISPs should provide them. However, an ISP that does not provide them is not lazy and irresponsible, as characterized in the article. As for security, intelligent ISPs will be monitoring their network and will have sensors in place to alert them to abnormal traffic patterns (NetFlow, Snort, SNMP Traps, Log watchers) and take action, but that does NOT extend to enforcing a security policy on the public without their consent. If the public agrees to it, and requests it, that is one thing. Universally filtering packets because it makes our lives easier is another. No one said this business would be easy. -- Vice President of N2Net, a New Age Consulting Service, Inc. Company http://www.n2net.net Where everything clicks into place! KP-216-121-ST
Re: Schneier: ISPs should bear security burden
Speaking on Deep Background, the Press Secretary whispered: Schneier has a profound interest in the ISPs being forced to buy his (or his competitors') security gear to fulfill the customers' dreams of a clean Internet connection. Pretty biased, if you don't mind. Err... What gear? Last I heard he sold security consulting services, not hardware. He also writes books. And the worse the net-wide situation, the more customers he gets for both. So it sounds to me as if he's cutting his own throat with this position. So at least to my ears, claiming he is just trying to sell hardware is not only a cheap shot, but a clear miss. I've got a radical idea: why not discuss/debate his statement|proposal on its merits|debits, vice purported ulterior motives? Such debate is how many of us learn. -- A host is a host from coast to coast, and no one will talk to a host that's close, unless the host (that isn't close) is busy, hung or dead. [EMAIL PROTECTED] (301) 56-LINUX POB 1433, 20915-1433
Re: Schneier: ISPs should bear security burden
None -- when you disconnect [correct, block, whatever] abusive end-systems in your administrative domain. Act locally, think globally. In fact, an ISP in AUS just did this last week... - ferg Owen DeLong [EMAIL PROTECTED] wrote: How much functionality are we going to destroy before we realize that you can't fix end-node problems in the transit network? -- Fergie, a.k.a. Paul Ferguson Engineering Architecture for the Internet [EMAIL PROTECTED] or [EMAIL PROTECTED] ferg's tech blog: http://fergdawg.blogspot.com/
Re: Schneier: ISPs should bear security burden
clean it up from pollutants [spam, ddos], add antibacterial [antivirus] agents, ;) My hotel confirmation for NANOG 34 was marked as spam. Thankfully, the ISP let it through anyway. It would be nice if the ISPs protected me from bad stuff on the Internet - but why are they to be held to a higher standard than similar services? E.g., (not intended as a water-tight analogy) the roads around me have laws and enforcement (sometimes). If I am hit by someone who breaks a rule, my insurance takes care of that. But the road system offers no protection to guarantee my on-time arrival at a Wednesday night beering session. (No over-provisioning there.) If we can't make it easy to get to happy hour, how are we going to make the Internet safe? -- Edward Lewis +1-571-434-5468 NeuStar If you knew what I was thinking, you'd understand what I was saying.
Re: Schneier: ISPs should bear security burden
Finally -- an analogy I can relate to. ;-) As an aside, perhaps if we worked on making the Internet safer, as opposed to strictly safe, we might make some progress. You know -- baby steps. And Big Pond is my hero. :-) http://www.zdnet.com.au/news/communications/0,261791,39188135,00.htm - ferg -- Edward Lewis [EMAIL PROTECTED] wrote: If we can't make it easy to get to happy hour, how are we going to make the Internet safe? -- Fergie, a.k.a. Paul Ferguson Engineering Architecture for the Internet [EMAIL PROTECTED] or [EMAIL PROTECTED] ferg's tech blog: http://fergdawg.blogspot.com/
PAIX Outages
I have heard rumors that SD has been having persistent switch problems with their switches at PAIX (Palo Alto), and I was kind of wondering if anyone actually cared?
Re: Schneier: ISPs should bear security burden
On Wed, 27 Apr 2005, Brad Knowles wrote: At 8:13 AM -0400 2005-04-27, Greg Boehnlein wrote: As for security, intelligent ISPs will be monitoring their network and will have sensors in place to alert them to abnormal traffic patterns (NetFlow, Snort, SNMP Traps, Log watchers) and take action, but that does NOT extend to enforcing a security policy on the public without their consent. This assumes intelligence on the part of ISPs. This is no more valid than assuming that all users are intelligent. No, it assumes that some ISPs are intelligent and that they will do what is necessary. Darwinism will take care of the less intelligent. ;) -- Vice President of N2Net, a New Age Consulting Service, Inc. Company http://www.n2net.net Where everything clicks into place! KP-216-121-ST
Re: Port 25 - Blacklash
Suresh Ramasubramanian wrote: On 4/27/05, Joel Jaeggli [EMAIL PROTECTED] wrote: In any event the malware is already ahead of port 25 blocking and is leveraging ISP smarthosting. SMTP-Auth is the pill to ease this pain/ Really smtp-auth will solve it? or do most windows mua's cache your password? They sure do cache the password. But with smtp auth, the infected user is stamped in the email headers, and all over my MTA logs, when a bot that hijacks his PC starts spamming. I can easily remove auth privileges for his account, and/or limit his access to a walled garden till such time as he cleans up - without taking the trouble to match timestamps of the spam + dig into radius logs Easier to identify, and easier to lock down, than unauthenticated access --srs You forgot to add the ability to rate-limit by ip sender or by authenticated user, all tools in bringing trojaned users under control.
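Suresh's point is that with SMTP AUTH the account name lands in the MTA log, so a trojaned PC can be identified and its submission privilege pulled without matching timestamps against RADIUS. As an added example that is not part of the thread, the detection step over constructed Postfix-style "client=" log lines (hostnames, addresses and usernames are made up): count submissions per authenticated account in a sliding window, flag accounts that burst past a per-user rate, and list the unauthenticated clients that could only be tied to a subscriber via RADIUS/TACACS timestamps.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Postfix smtpd writes one "client=" line per accepted message; when the
# submitting client passed SMTP AUTH the line also carries sasl_username.
# Syslog timestamps have no year, so one is assumed for the sample data.
LOG_YEAR = 2005
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=\S+, sasl_username=(?P<user>\S+))?$"
)


def parse_line(line):
    """Return (timestamp, client_ip, sasl_username or None), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]


def runaway_senders(lines, limit=10, window=timedelta(minutes=5)):
    """Accounts that sent more than `limit` messages inside any `window`.

    Returns {sasl_username: peak count within one window}.  These are the
    accounts whose AUTH privilege can be revoked straight from the log,
    with no RADIUS lookup.  Unauthenticated submissions carry no account
    name and are therefore not counted here.
    """
    per_user = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2]:
            per_user[parsed[2]].append(parsed[0])
    flagged = {}
    for user, stamps in per_user.items():
        stamps.sort()
        peak = start = 0
        for end, ts in enumerate(stamps):  # sliding window over time
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > limit:
            flagged[user] = peak
    return flagged


def unauthenticated_clients(lines):
    """Client IPs that submitted without SMTP AUTH.  Tying these to a
    subscriber means matching timestamps against RADIUS/TACACS logs."""
    ips = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] is None:
            ips.add(parsed[1])
    return ips


def _log(ts, qid, host, ip, user=None):
    """Build one constructed Postfix-style log line (sample data only)."""
    auth = f", sasl_method=PLAIN, sasl_username={user}" if user else ""
    return f"{ts} mx1 postfix/smtpd[2211]: {qid}: client={host}[{ip}]{auth}"


# Constructed sample: alice sends two normal messages, bob's infected PC
# bursts twelve messages in two minutes, and one client relays unauthenticated.
SAMPLE_LOG = [
    _log("Apr 27 09:00:01", "1A2B3C", "dsl-1.example.net", "203.0.113.10", "alice"),
    _log("Apr 27 09:40:12", "1A2B3D", "dsl-1.example.net", "203.0.113.10", "alice"),
    _log("Apr 27 09:15:30", "5E5E5E", "dsl-9.example.net", "203.0.113.99"),
] + [
    _log(f"Apr 27 09:{20 + i // 6:02d}:{(i % 6) * 10:02d}", f"B0B{i:03X}",
         "dsl-2.example.net", "203.0.113.11", "bob")
    for i in range(12)
]

if __name__ == "__main__":
    for user, count in runaway_senders(SAMPLE_LOG).items():
        print(f"revoke AUTH for {user}: {count} submissions in 5 minutes")
    for ip in unauthenticated_clients(SAMPLE_LOG):
        print(f"{ip}: no account in log, needs RADIUS timestamp match")
```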
Another panix.com scenario? Hushmail this time
http://www.theregister.co.uk/2005/04/25/hushmail_dns_attack/ Surfers trying to visit the web site of popular secure email service Hushmail were redirected to a false site early Sunday following a hacking attack. Hush Communications said hackers changed Hushmail's DNS records after compromising the security of its domain registrar (Network Solutions). These changes were undone after a few hours on Sunday and normal Hushmail services have now been restored.
Re: Another panix.com scenario? Hushmail this time
Not quite the same thing, it looks as though they just changed the DNS records and didn't change the actual ownership of the domain. It also seems to have been resolved quite quickly. I wonder how much of this is due to increased awareness following the panix.com issue, and how much is due to the fact that this happened on a Monday, versus the panix issue happening on a Friday; sadly, it's probably the latter. Though it's also probably the fact that this seems to be pretty clear-cut; when the panix.com issue happened, no one was quite sure what had happened, and how it had occurred. Adam On Apr 27, 2005, at 11:28 AM, Suresh Ramasubramanian wrote: http://www.theregister.co.uk/2005/04/25/hushmail_dns_attack/ Surfers trying to visit the web site of popular secure email service Hushmail were redirected to a false site early Sunday following a hacking attack. Hush Communications said hackers changed Hushmail's DNS records after compromising the security of its domain registrar (Network Solutions). These changes were undone after a few hours on Sunday and normal Hushmail services have now been restored.
Re: Port 25 - Blacklash
On Tue, Apr 26, 2005 at 05:50:11PM -0400, Daniel Golding wrote: Do all of Comcast's markets block port 25? Not yet.
Re: Schneier: ISPs should bear security burden
And Big Pond is my hero. :-) http://www.zdnet.com.au/news/communications/0,261791,39188135,00.htm I'm not sure I'd break my arm trying to pat them on the back yet. They have a ways to go in SMTP filtering their users so that when they are infected with trojans, they aren't abused to send spam out. From the above article, they are only disconnecting those users now because BigPond is feeling some pain on their own infrastructure. Our numbers of rejects from their users are consistently 3-4 hundred per day. sam
Re: Port 25 - Blacklash
On Wed, 27 Apr 2005 14:31:42 +0530, Suresh Ramasubramanian said: But with smtp auth, the infected user is stamped in the email headers, and all over my MTA logs, when a bot that hijacks his PC starts spamming. Of course, the same ISPs that will use the ID in the email headers are, by and large, the same ones that already know how to match the IP in the headers to their radius/tacacs/etc logs
Re: Schneier: ISPs should bear security burden
In message [EMAIL PROTECTED], Fergie (Paul Ferguson) writes: I've been there -- I know how I feel about it -- but I'd love to know how ISP operations folk feel about this. Links here: http://www.vnunet.com/news/1162720 At a recent forum at Fordham Law School, Susan Crawford -- an attorney, not a network operator -- expressed it very well: if we make ISPs into police, we're all in the ghetto. Bruce is a smart guy, and a good friend of mine, but he's not a network operator or architect. There are a small number of times when operators can, should, and -- in a very few cases -- act, but those are rare. The most obvious case is flooding attacks, since they represent an abuse of the network itself; operators also have responsibility for other pieces of the infrastructure they control, such as (many) name servers. --Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Re: Port 25 - Blacklash
On 4/27/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Of course, the same ISPs that will use the ID in the email headers are, by and large, the same ones that already know how to match the IP in the headers to their radius/tacacs/etc logs With a great deal less effort. When you are trying to speed up processing of this sort, the less effort wasted and less time taken nailing down one trojaned box the better -- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: Schneier: ISPs should bear security burden
On Wed, 27 Apr 2005, Owen DeLong wrote: Strangely, for all the FUD in the above paragraph, I'm just not buying it. The internet, as near as I can tell, is functioning today at least as well as it ever has in my 20+ years of experience working with it. You must not have used it much in those 20 years. I can definitely say worms, trojans, spam, phishing, ddos, and other attacks are up several orders of magnitude in those 20 years. Malicious packets now account for a significant percentage of all ip traffic. Eventually I expect malicious packets will outnumber legitimate packets, just like malicious email outnumbers legitimate email today. As long as the environmental polluter model continues to be championed and promoted on nanog (of all places), the problem will only get worse. -Dan
cox communications contact please?
Hello, Anyone from Cox Communications reading this list? If so, please contact me off-list regarding a routing issue on your network. Thank you!
Re: clarity
On Wed, Apr 27, 2005 at 03:19:04AM -0700, Owen DeLong wrote: Yes, most water transit companies are also the water supply company, but, in my analogy, and, in some areas, as a matter of fact, they are not the same. The chemical tampering of which you speak is done by the water supply company at the supply point before it is put in the pipes for transit to the end user. The water delivery company runs said pipes, and, my expectation from them is that they deliver what they got from the water supply company without any additional contaminants. Think of the web hoster as a water supply company. The household user is an end user. The ISP is merely a pipeline. I think the problem isn't with dirty water arriving from the water company, it's the fact that so many end users are allowing raw sewage to be poured into /other people's water/, and some ISPs don't feel compelled to do anything to save other ISPs from their users' pollutants. -- hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com join us! http://hesketh.com/about/careers/account_manager.html
Re: Detecting VoIP traffic in ISP network
Suresh Ramasubramanian wrote: Local telco concerned about voip eating into their revenues, and wants to push through legislation or something? :) Or somebody who would like to provision adequate bandwidth to accommodate for services on the rise? Not everybody is installed with the evil bit enabled by default :-) Pete On 4/27/05, Joe Shen [EMAIL PROTECTED] wrote: we want to collect statistics in our backbone networks. Is there any good method to this? is there any product for this ? Joe
Re: Internet2
Steve Casner's paper, which you cited, and Sue Moon's paper at http://an.kaist.ac.kr/~sbmoon/paper/infocom2004.pdf, both report very limited variation in delay within the ISP network. Sue's paper goes on to describe points of variation on the order of ten and 100 ms in some detail as well as reporting the general case of low variation in delay. But most people don't live within the PE-PE domain, where these studies were done - they connect to the backbone ISP through an access carrier or through an enterprise network, or connect via some longer path. So responding defensively "give me numbers" and citing as proof of your case a paper that only looks at the path within the ISP has the effect of shutting down and making an end-to-end discussion appear to be invalid when Casner and Moon in fact only perform a measurement of a part of the path. uh, fred. it was vicky who made the comparison i2 to internet, not i. i2 does not include site links, and some are good and some are bad. it is common wisdom today that the internet backbone is not where congestion occurs, but rather the customer tails. though one should always be suspicious of common wisdom, this particular bit seems pretty well supported, pings from uganda's makerere university notwithstanding. you've been pushing qos for a long time, fred. but, in the current situation, where the tails are the issue, signaling back from dest to source is still the big gap. imiho, from the ops perspective, only sally's ecn has made any useful approach. sadly, we may be able to judge the actual demand for e2e qos by ecn's very slow deployment. i think this is unfortunate, as ecn is pretty cool. but, in this community, the question would seem to be how long the current situation will prevail, where it is far simpler and less expensive to throw bandwidth at the backbone, as opposed to spending even more on opex-eating complexity and ever more complex and expensive routers. 
i suspect it'll be a while before we even see cotton balls being blown, and a very long while before new ducts. i.e., raw bandwidth costs will likely stay low. even the price of lighting it is declining. this has been discussed recently, both here and in simon lam's 2004 sigcomm award paper (recent ccr). so, i think we should o encourage i2 as the usg's way of subsidizing higher ed [0] and providing a playpen where big spikes and other traffic anomalies are not discouraged o encourage qos research o keep the real internet as simple as possible, after all, it is fools such as i who have to run it randy --- [0] - and i mean it. the lack of govt support for education in the us is a horrifying tragedy ever in the making
Re: Detecting VoIP traffic in ISP network
You sure about that? ;-) http://fergdawg.blogspot.com/2005/04/57-evil-43-good.html - ferg -- Petri Helenius [EMAIL PROTECTED] wrote: Suresh Ramasubramanian wrote: Local telco concerned about voip eating into their revenues, and wants to push through legislation or something? :) Or somebody who would like to provision adequate bandwidth to accommodate for services on the rise? Not everybody is installed with the evil bit enabled by default :-) Pete -- Fergie, a.k.a. Paul Ferguson Engineering Architecture for the Internet [EMAIL PROTECTED] or [EMAIL PROTECTED] ferg's tech blog: http://fergdawg.blogspot.com/
Re: Schneier: ISPs should bear security burden
On Wed, Apr 27, 2005 at 11:08:42AM -0700, Dan Hollis wrote: Malicious packets now account for a significant percentage of all ip traffic. As a data point: An unused, never before used or even just announced /21 currently draws an average of 112pps and 70kbit/s, translating to about 1GB (1 Gigabyte!) of traffic per day, or about 30GB per month. In some countries, that translates to real money (I'm hearing INTERESTING price tags on bandwidth in South Africa). Looking at psmith's weekly routing table report, this would extrapolate (totally non-scientific and ignoring several effects) to at least about 675GB daily stray traffic in the whole Internet, WITHOUT any host answering to the viruses, trojans, whatever. I hope to find the time to do some capturing and analysis of this traffic. If anyone here has experience with that I'd be happy to hear from them... don't want to waste time doing something others already did... :-) Best regards, Daniel -- CLUE-RIPE -- Jabber: [EMAIL PROTECTED] -- [EMAIL PROTECTED] -- PGP: 0xA85C8AA0
Re: PAIX Outages
I have heard rumors that SD has been having persistent switch problems with their switches at PAIX (Palo Alto), and I was kind of wondering if anyone actually cared? well, they've sure been having fun up at the six in seattle randy
Re: Schneier: ISPs should bear security burden
Fergie (Paul Ferguson) wrote: We owe it to our customers, and we owe it to ourselves, so let's just stop finding excuses to side-step the issue. So are you saying that managed security services are not available for paying consumers in the USA? Pete
Re: Schneier: ISPs should bear security burden
Owen DeLong [EMAIL PROTECTED] wrote: Why do ISPs owe this to their customers. They don't. (I would argue that they owe it to the rest of the Internet, but that argument is tangential to this discussion.) However, I'd like to add an additional data point: Those of us in .us have undoubtedly seen the AOL commercials touting their comprehensive anti-virus services. (Don't know if they do other malware, FWIW) The services are offered to AOL members at no cost to them. Anyone who thinks AOL is doing this out of the goodness of their hearts, please speak up now... [FX: sound of crickets chirping] Yup. That's what I thought. Not having to support people who have tons of viruses saves money, and therefore is a good idea. Making it easier for people to avoid infection is good business, especially when you are talking about AOL's userbase (in terms of sheer numbers and the Internet expertise of the stereotypical AOL member). It's not up to the online service or ISP to force security updates on their customers. It might be a good idea for them to at least *offer* said updates, though. How many do, besides AOL? And I'd argue that Owen's attitude is appropriate for transit and business-class connections[0] - but if you're talking about a consumer ISP, that's different. If the Big Four[1] US cable companies followed AOL's lead, we'd see a huge drop in malware incidents and zombies. **SJS [0] Always appropriate for transit. Generally appropriate for business-class bandwidth services, although you will still run into a lot of clueless business owners who might end up with the same problems as residential customers. [1] Soon to be Big Three, but currently Comcast, Time Warner, Charter, and Adelphia. -- JustThe.net - Apple Valley, CA - http://JustThe.net/ - 888.480.4NET (4638) Steven J. Sobol, Geek In Charge / [EMAIL PROTECTED] / PGP: 0xE3AE35ED The wisdom of a fool won't set you free --New Order, Bizarre Love Triangle
Re: Schneier: ISPs should bear security burden
On Wed, 27 Apr 2005, Petri Helenius wrote: We owe it to our customers, and we owe it to ourselves, so let's just stop finding excuses to side-step the issue. So are you saying that managed security services are not available for paying consumers in the USA? I think the debate is whether the default should be managed or unmanaged. And some here are concerned that if the default becomes managed throughout the industry, they'd never be able to get unmanaged from anyone. -- William Leibzon Elan Networks [EMAIL PROTECTED]
Re: Schneier: ISPs should bear security burden
At 01:39 PM 4/27/2005, you wrote: In message [EMAIL PROTECTED], Fergie (Paul Ferguson) writes: I've been there -- I know how I feel about it -- but I'd love to know how ISP operations folk feel about this. Links here: http://www.vnunet.com/news/1162720 At a recent forum at Fordham Law School, Susan Crawford -- an attorney, not a network operator -- expressed it very well: if we make ISPs into police, we're all in the ghetto. Bruce is a smart guy, and a good friend of mine, but he's not a network operator or architect. There are a small number of times when operators can, should, and -- in a very few cases -- act, but those are rare. The most obvious case is flooding attacks, since they represent an abuse of the network itself; operators also have responsibility for other pieces of the infrastructure they control, such as (many) name servers. While this stance works for backbone network operators, I'm not entirely convinced it's a viable business strategy for ISPs dealing directly with end user customers (business or residential). The problem at the edge is customers insist they don't want the spam and viruses, and expect the ISP to help. Earthlink and AOL provide such services, and in the course of doing this raise an expectation. Now a regional or local ISP can either say it's not our job to protect you and have their customers migrate away, or they can make efforts to help and retain customers. So, is this a technical issue or a business issue? Network engineers are not necessarily qualified to make business decisions, unless they wear both hats. Customers at the retail level expect basic protection services as a part of the price of service. Whether that's a good thing or not, it's where we are on the business side of providing retail ISP services.
Re: Schneier: ISPs should bear security burden
Of course there are. What I'm saying is that too many providers do nothing, regardless of whether it is a managed (read: paid) service, or not. - ferg -- Petri Helenius [EMAIL PROTECTED] wrote: We owe to our customers, and we owe it to ourselves, so let's just stop finding excuses to side-step the issue. So are you saying that managed security services are not available for paying consumers in USA? Pete -- Fergie, a.k.a. Paul Ferguson Engineering Architecture for the Internet [EMAIL PROTECTED] or [EMAIL PROTECTED] ferg's tech blog: http://fergdawg.blogspot.com/
Re: Schneier: ISPs should bear security burden
Thank you, Steve, for a very articulate rational post. :-) - ferg -- Steve Sobol [EMAIL PROTECTED] wrote: [snip] Anyone who thinks AOL is doing this out of the goodness of their hearts, please speak up now... [FX: sound of crickets chirping] Yup. That's what I thought. Not having to support people who have tons of viruses saves money, and therefore is a good idea. Making it easier for people to avoid infection is good business, especially when you are talking about AOL's userbase (in terms of sheer numbers and the Internet expertise of the stereotypical AOL member). [snip] -- Fergie, a.k.a. Paul Ferguson Engineering Architecture for the Internet [EMAIL PROTECTED] or [EMAIL PROTECTED] ferg's tech blog: http://fergdawg.blogspot.com/
Re: Paul Wilson and Geoff Huston of APNIC on IP address allocation ITU v/s ICANN etc
On Tue, 26 Apr 2005, Suresh Ramasubramanian wrote: : : On 4/20/05, Suresh Ramasubramanian [EMAIL PROTECTED] wrote: : http://www.circleid.com/article/1045_0_1_0_C/ : : That's a must read article, I'd say. : : Followup article by Paul Wilson - : http://www.circleid.com/article.php?id=1049_0_1_0_C/ : The Geography of Internet Addressing Probably, I'll have to research through the ITU site to find out this information, but surely these arguments have been presented to the ITU while they're making their choice of how to proceed with IP address allocation. Does anyone have a couple of links that support their position for doing it the national allocations way? scott
Re: Schneier: ISPs should bear security burden
I have no problem with disconnecting known abusers. However, there's lots of other actions implied in the ISP responsibility described that are things like filtering port 25, blocking NetBIOS, etc. Some ISPs do this. I'm all for having an AUP and/or TOS that allows you to disconnect abusers. When I was working for various ISPs, I personally disconnected a number of such abusers. However, IMHO, disconnecting abusers is a far cry from Providing a clean internet. Owen --On Wednesday, April 27, 2005 12:26 PM + Fergie (Paul Ferguson) [EMAIL PROTECTED] wrote: None -- when you disconnect [correct, block, whatever] abusive end-systems in your administrative domain. Act locally, think globally. In fact, an ISP in AUS just did this last week... - ferg Owen DeLong [EMAIL PROTECTED] wrote: How much functionality are we going to destroy before we realize that you can't fix end-node problems in the transit network? -- Fergie, a.k.a. Paul Ferguson Engineering Architecture for the Internet [EMAIL PROTECTED] or [EMAIL PROTECTED] ferg's tech blog: http://fergdawg.blogspot.com/ -- If it wasn't crypto-signed, it probably didn't come from me.
Re: Schneier: ISPs should bear security burden
We know that almost all users are too stupid to know what they really need or how to get it, and that they need to be protected from their own stupidity -- as well as protecting the rest of the world from their stupidity. Not only do I not know this, I find it to be patently false. Yes, I think a high percentage of users is too ignorant to know what they need or how to get it. However, protecting them from that ignorance only propagates and perpetuates it. Pain is one of nature's most effective educators. Allowing people to experience the full (as long as it's non-fatal) effect of their ignorance often creates a strong desire for education. This incredible expansion of We must protect people from themselves philosophy is wasteful, expensive, and, worst of all, highly destructive to society in the long run. Government or any other regulatory body should protect people from each other, not from themselves. Similarly, while knowingly producing a dangerous product should carry some civil and criminal liability, the fact that we have effectively made companies and professionals liable for any act of stupidity committed by their consumers unless they specifically disclaimed or warned (and sometimes even if they did) the consumer is about 2/3rds of the cost of medicine today. It's about 1/2 of the cost of an airline ticket. It's about 3/4 of the cost of aircraft parts. The list goes on. Owen -- If it wasn't crypto-signed, it probably didn't come from me.
Re: Paul Wilson and Geoff Huston of APNIC on IP address allocation ITU v/s ICANN etc
Probably, I'll have to research through the ITU site to find out this information, but surely these arguments have been presented to the ITU while they're making their choice of how to proceed with IP address allocation. and arguments were presented to bolton that his cuban/syrian/... agenda was not supported by reality. did that change his agenda? the itu: bridge building across the digital divide by the same folk who brought us the analog divide. and if you believe they'll do it, then i have this bridge ... randy
Re: Schneier: ISPs should bear security burden
In message [EMAIL PROTECTED], Steve Sobol writes: And I'd argue that Owen's attitude is appropriate for transit and business-class connections[0] - but if you're talking about a consumer ISP, that's different. If the Big Four[1] US cable companies followed AOL's lead, we'd see a huge drop in malware incidents and zombies. I see your point, and I almost agree -- almost, but not quite, because there's a very big problem: consumers have very little choice of which broadband ISP they can subscribe to. As you note, there are very few cable ISPs, at least one of whom is also a major content owner. The LECs are flexing their muscles to get rid of UNE, which may eliminate DSL options in many places. That will leave consumers with at most two choices, and the players in that space seem to love walled gardens. Is, for example, p2p abuse? After all, it uses up bandwidth. I worry about giving too much power to unaccountable monopolists. --Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Re: Schneier: ISPs should bear security burden
On Wed, 2005-04-27 at 13:39 -0400, Steven M. Bellovin wrote: snip At a recent forum at Fordham Law School, Susan Crawford -- an attorney, not a network operator -- expressed it very well: if we make ISPs into police, we're all in the ghetto. Bruce is a smart guy, and a good friend of mine, but he's not a network operator or architect. There are a small number of times when operators can, should, and -- in a very few cases -- act, but those are rare. The most obvious case is flooding attacks, since they represent an abuse of the network itself; operators also have responsibility for other pieces of the infrastructure they control, such as (many) name servers. Internet service providers should ensure protective strategies do not harm hapless consumers. While an ISP's protective obligations easily include Domain Name and routing services, few systems withstand unfettered abuse or tampering. Should a provider expect active cooperation from others granted access to their networks? The strength of the Internet is dependent upon cooperation and policy enforcement. While an egalitarian view would insist all be granted equal access, a response to abuse should be considered, even when only guarding essential services. What is a reasonable threshold before a provider rarely acts? You listed only one, a flood attack. -Doug
Re: Schneier: ISPs should bear security burden
--On Wednesday, April 27, 2005 11:08 AM -0700 Dan Hollis [EMAIL PROTECTED] wrote: On Wed, 27 Apr 2005, Owen DeLong wrote: Strangely, for all the FUD in the above paragraph, I'm just not buying it. The internet, as near as I can tell, is functioning today at least as well as it ever has in my 20+ years of experience working with it. You must not have used it much in those 20 years. I can definitely say worms, trojans, spam, phishing, ddos, and other attacks are up several orders of magnitude in those 20 years. Malicious packets now account for a significant percentage of all ip traffic. Eventually I expect malicious packets will outnumber legitimate packets, just like malicious email outnumbers legitimate email today. All of that is true. However, I don't define functioning internet in terms of the lack of these things. I define it in terms of when I try to get a connection from my point A to far-end point B, what is the loss and/or failure rate of the desired traffic. From that perspective, in my experience, things are better today than they ever have been. As long as the environmental polluter model continues to be championed and promoted on nanog (of all places), the problem will only get worse. I'm not attempting to encourage the environmental polluter model. However, making the guy that owns the pipeline responsible for the chemical plant 200 miles away that is polluting the product provided to him by the water production company still doesn't make sense to me. You have to make the chemical plant responsible, or, the problem just keeps getting more expensive. My point is we need to look to solve problems, not symptoms of problems. Transit solutions to end-node problems are costly and progressively less effective over time. Owen -- If it wasn't crypto-signed, it probably didn't come from me.
Re: clarity
I think the problem isn't with dirty water arriving from the water company, it's the fact that so many end users are allowing raw sewage to be poured into /other people's water/, and some ISPs don't feel compelled to do anything to save other ISPs from their users' pollutants. I agree that an ISP should disconnect a user dumping raw sewage into the water system. However, that's a big difference from providing an end user a clean internet which is what the article proposed. To me, that means providing filtered internet services. That's a transit solution to an end-node problem. Disconnecting the abusing end-node(s) is an end-node solution. Owen -- If it wasn't crypto-signed, it probably didn't come from me.
Re: Schneier: ISPs should bear security burden
At Wed Apr 27 15:04:46 2005, Steve Sobol wrote: [1] Soon to be Big Three, but currently Comcast, Time Warner, Charter, and Adelphia. --- Adelphia is #5, you forgot Cox (#3). -MH W. Mark Herrick, Jr. Director - Data and Network Security - Adelphia Communications 5619 DTC Parkway, Greenwood Village, CO 80111 (O) 303-268-6440 (C) 720-252-5929 (F) 303-268-6687 AIM: AdelphiaSecWMH
Re: Schneier: ISPs should bear security burden
Is VoIP? Of course not. But, it does bring the discussion full circle - ferg -- Steven M. Bellovin [EMAIL PROTECTED] wrote: Is, for example, p2p abuse? After all, it uses up bandwidth. -- Fergie, a.k.a. Paul Ferguson Engineering Architecture for the Internet [EMAIL PROTECTED] or [EMAIL PROTECTED] ferg's tech blog: http://fergdawg.blogspot.com/
Re: Internet2
On Wed, 27 Apr 2005, Randy Bush wrote: to source is still the big gap. imiho, from the ops perspective, only sally's ecn has made any useful approach. sadly, we may be able to judge the actual demand for e2e qos by ecn's very slow deployment. i think this is unfortunate, as ecn is pretty cool. The low demand is partially due to IWF[0] who unwittingly block it. Many OSes deploy with ecn support but default it off due to the IWF problem. And there are so many IWF that applying enough cluebats to clear the path for ECN is going to take enormous effort. We could demonstrate how cool ECN is, if there weren't so many IWF making this impossible. Entities who try to deploy ECN are deluged with hey wtf I can't reach site XYZ anymore, your shit is broken, fix it you ***! I have no idea if microsoft supports ECN yet, but if they don't then I suspect that a sufficiently embarrassing benchmark would prod them into adding it. I wonder how many network operators on nanog block ECN. If you do, why? -Dan [0]Idiots With Firewalls. See http://urchin.earth.li/cgi-bin/ecn.pl
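The "IWF" problem Dan describes comes from filters written before RFC 3168, which treated the two flag bits now used for ECE and CWR (and the later NS bit) as reserved-must-be-zero and dropped any SYN that set them. The following is an added example, not code from the thread or from the ecn.pl checker it links: it decodes the TCP flag field from a raw header, identifies an ECN-setup SYN, and contrasts the legacy "reserved bits" rule with a filter that rejects only genuinely malformed flag combinations. All packets are constructed inline; the header builder is a hypothetical helper.

```python
"""Classify TCP flag fields the way an ECN-aware filter should, and show why
a legacy "reserved bits must be zero" rule breaks ECN.  Constructed example."""
import struct

# TCP flag bits: RFC 793 set, plus ECE/CWR from RFC 3168 and NS from RFC 3540.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR, NS = (1 << i for i in range(9))


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Hypothetical helper: build a 20-byte TCP header (no options, zero
    checksum) so the sample packets below can be constructed offline."""
    data_offset = 5                       # 5 x 32-bit words, no options
    offset_flags = (data_offset << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_flags, window, 0, 0)


def tcp_flags(header: bytes) -> int:
    """Return the 9-bit flag field (NS plus the eight classic flags)."""
    if len(header) < 20:
        raise ValueError("TCP header too short")
    offset_flags = struct.unpack("!H", header[12:14])[0]
    return offset_flags & 0x1FF


def is_ecn_setup_syn(flags: int) -> bool:
    """RFC 3168 ECN-setup SYN: SYN set, ACK clear, ECE and CWR both set."""
    return flags & (SYN | ACK | ECE | CWR) == (SYN | ECE | CWR)


def legacy_strict_filter_drops(flags: int) -> bool:
    """Pre-ECN rule: the bits now carrying CWR, ECE and NS were 'reserved',
    so anything that set them was dropped.  This is what breaks ECN."""
    return bool(flags & (ECE | CWR | NS))


def ecn_aware_filter_drops(flags: int) -> bool:
    """Drop only combinations that are malformed regardless of ECN:
    no flags at all, SYN+FIN, or SYN+RST."""
    classic = flags & 0xFF
    if classic == 0:
        return True
    if flags & SYN and flags & (FIN | RST):
        return True
    return False


def audit(headers):
    """Count how many of the given headers each filter would drop.
    Returns (legacy_drop_count, ecn_aware_drop_count)."""
    legacy = sum(legacy_strict_filter_drops(tcp_flags(h)) for h in headers)
    aware = sum(ecn_aware_filter_drops(tcp_flags(h)) for h in headers)
    return legacy, aware


# Constructed sample traffic: the first four are all legitimate.
SAMPLE_HEADERS = [
    build_tcp_header(40000, 80, 1000, 0, SYN),                 # plain SYN
    build_tcp_header(40001, 80, 1000, 0, SYN | ECE | CWR),     # ECN-setup SYN
    build_tcp_header(80, 40001, 5000, 1001, SYN | ACK | ECE),  # ECN-setup SYN-ACK
    build_tcp_header(40001, 80, 1001, 5001, ACK | PSH | CWR),  # data, CWR after CE
    build_tcp_header(40002, 80, 1000, 0, SYN | FIN),           # malformed
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        f = tcp_flags(h)
        print(f"flags=0x{f:03x} ecn_setup_syn={is_ecn_setup_syn(f)} "
              f"legacy_drop={legacy_strict_filter_drops(f)} "
              f"aware_drop={ecn_aware_filter_drops(f)}")
    print("drops (legacy, ecn-aware):", audit(SAMPLE_HEADERS))
```

Run against the five constructed headers, the legacy rule drops three legitimate ECN segments and passes the SYN+FIN packet, while the ECN-aware rule drops only the malformed one; the same two predicates can be pointed at a pcap to audit a real filter's behaviour.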
Re: Schneier: ISPs should bear security burden
On Wed, 27 Apr 2005, Owen DeLong wrote: From that perspective, in my experience, things are better today than they ever have been. The only thing I've seen in the past 20 years which has made any positive impact on overall internet reliability is BGP dampening. In all other cases it's gotten worse as networks are ground to dust by daily DDOS attacks. You can read daily about sites xyz or networks xyz being unreachable for hours/days/weeks/months due to DDOS attacks. Compared to 20 years ago I would have to say overall things are worse not better. -Dan
Re: Paul Wilson and Geoff Huston of APNIC on IP address allocation ITU v/s ICANN etc
In a message written on Wed, Apr 20, 2005 at 07:41:52AM +0530, Suresh Ramasubramanian wrote: http://www.circleid.com/article/1045_0_1_0_C/ That's a must read article, I'd say. If you're interested in these issues I strongly encourage you to read and be involved in your local RIR and/or the IETF processes. Network engineers with hands on day to day experience tend to be underrepresented in both forums. For those of you in North America (after all, this is NANOG) check out ARIN's Public Policy Mailing List, information is on ARIN's web site. -- Leo Bicknell - [EMAIL PROTECTED] - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - [EMAIL PROTECTED], www.tmbg.org
Re: Schneier: ISPs should bear security burden
The only thing I've seen in the past 20 years which has made any positive impact on overall internet reliability is BGP dampening. In all other cases its gotten worse as networks are ground to dust by daily DDOS attacks. You can read daily about sites xyz or networks xyz being unreachable for hours/days/weeks/months due to DDOS attacks. Compared to 20 years ago I would have to say overall things are worse not better. Yes... The news reports more outages today than they reported back then. Of course, part of that is because 20 years ago, the media couldn't spell internet, let alone connect to it. However, the huge expansion in overall bandwidth, the increase in bandwidth to subscriber ratio, the proliferation of firewall appliances, and, faster and better switching and routing capabilities, packet over sonet, MPLS have all contributed to a more reliable and more flexible internet. YMMV, but, for me, today, when I try to connect to things on the internet, I have a much higher success rate than I did 20 years ago. My links aren't clogged with DDOS or abuse, even though I'm on a completely unfiltered link. Sure, I see the occasional DDOS, lots of probes, and, many many attempts to use my systems to relay SPAM. The relay attempts are quietly discarded, the DDOS stays down in the noise threshold for the most part, and, the other abuse attempts are logged and fail. However, the things I try to do with the internet mostly succeed. Judging by the server logs, people are getting to the web servers I host without difficulty. 20, even 10, heck, even 5 years ago, my success rates were lower than they are today. They've been roughly the same for the last 5 years, but, that's pretty good, so, I'm generally happy. I'm not saying we shouldn't make efforts to eliminate abuse. I'm not saying abuse isn't a reliability issue or that it doesn't have a cost. 
However, eliminating end-node abuse at the transit just adds more cost and is, in the long run, an ineffective solution at best, usually with unintended side consequences. Owen -- If it wasn't crypto-signed, it probably didn't come from me.
Re: Schneier: ISPs should bear security burden
Daniel Roesen wrote: I hope to find the time to do some capturing and analysis of this traffic. If anyone here has experience with that I'd be happy to hear from them... don't want to waste time doing something others already did... :-) Sure, what would you like to know? Pete
Re: Paul Wilson and Geoff Huston of APNIC on IP address allocation ITU v/s ICANN etc
On Wed, 27 Apr 2005, Randy Bush wrote: : Probably, I'll have to research through the ITU site to find out this : information, but surely these arguments have been presented to the ITU : while they're making their choice of how to proceed with IP address : allocation. : : and arguments were presented to bolton that his cuban/syrian/... agenda : was not supported by reality. did that change his agenda? : : the itu: bridge building across the digital divide by the same folk who : brought us the analog divide. and if you believe they'll do it, then i : have this bridge ... No, I don't believe they'll do it correctly. I was just wondering why they'd choose to do it the national allocation way when good arguments are presented that it'd only disrupt things. I thought they may have a good reason, but evidently it's just not true. It's just more bureaucratic ignorance of what is being legislated. I'll just start reading the site's info before responding further. I thought someone here might point me in a direction where I could get to the info faster. I replied to the list as IP addressing is so central to network operations and the 2 references were also posted here. I may have made a mistake. I know how these things slide off topic faster than a greased pig on a plastic sheet on a steep hillside. ;-) scott
Re: Schneier: ISPs should bear security burden
Fergie (Paul Ferguson) wrote: Of course there are. What I'm saying is that too many providers do nothing, regardless of whether it is a managed (read: paid) service, or not. So why doesn't the market economy work and solve the problem? Because there is no tax on pollution? Pete - ferg -- Petri Helenius [EMAIL PROTECTED] wrote: We owe to our customers, and we owe it to ourselves, so let's just stop finding excuses to side-step the issue. So are you saying that managed security services are not available for paying consumers in USA? Pete -- Fergie, a.k.a. Paul Ferguson Engineering Architecture for the Internet [EMAIL PROTECTED] or [EMAIL PROTECTED] ferg's tech blog: http://fergdawg.blogspot.com/
Re: Paul Wilson and Geoff Huston of APNIC on IP address allocation ITU v/s ICANN etc
On Wed, Apr 27, 2005 at 10:41:07AM -1000, Scott Weeks wrote: On Wed, 27 Apr 2005, Randy Bush wrote: : Probably, I'll have to research through the ITU site to find out this : information, but surely these arguments have been presented to the ITU : while they're making their choice of how to proceed with IP address : allocation. : : and arguments were presented to bolton that his cuban/syrian/... agenda : was not supported by reality. did that change his agenda? : : the itu: bridge building across the digital divide by the same folk who : brought us the analog divide. and if you believe they'll do it, then i : have this bridge ... No, I don't believe they'll do it correctly. I was just wondering why they'd choose to do it the national allocation way when good arguments are presented that it'd only disrupt things. I thought they may have a good reason, but evidently it's just not true. It's just more bureaucratic ignorance of what is being legislated. I'll just start reading the site's info before responding further. I thought someone here might point me in a direction where I could get to the info faster. I replied to the list as IP addressing is so central to network operations and the 2 references were also posted here. I may have made a mistake. I know how these things slide off topic faster than a greased pig on a plastic sheet on a steep hillside. ;-) scott Scott, it pays to understand that the ITU has -zero- interest in actual operations. They do what their members tell them and the only entities that can be members are nations/governments. Hence the stated desire for national allocations as a way to reinforce national pride. Operational networking is not a goal, equity of resource distribution is.
No well reasoned argument (such as Paul Geoff's) can make any substantive impact, except to the extent that we (you/me) can beat our respective government representatives into understanding that WE want things a certain way (working) and would they -please- cooperate with their citizens and not pander to some special interests. and yes, i am biased here - do your own research and make up your own mind. --bill
Re: Schneier: ISPs should bear security burden
That's a good question. - ferg -- Petri Helenius [EMAIL PROTECTED] wrote: What I'm saying is that too many providers do nothing, regardless of whether it is a managed (read: paid) service, or not. So why doesn't the market economy work and solve the problem? Because there is no tax on pollution? Pete -- Fergie, a.k.a. Paul Ferguson Engineering Architecture for the Internet [EMAIL PROTECTED] or [EMAIL PROTECTED] ferg's tech blog: http://fergdawg.blogspot.com/
Re: Internet2
* Dan Hollis: And there are so many IWF that applying enough cluebats to clear the path for ECN is going to take enormous effort. ECN favors non-conformant endpoints. Therefore, it won't help you in the long run if the congestion is on a path which is shared by multiple customers. Popular file sharing software will just set the proper flags to decrease the discard probability, just like Netscape opened multiple HTTP connections to the same server.
Re: Schneier: ISPs should bear security burden
On 27 Apr 2005, at 06:07, Owen DeLong wrote: ISPs transport packets. That's what they do. That's what most consumers pay them to do. I haven't actually seen a lot of consumers asking for protected internet. I've seen lots of marketing hype pushing it, but, very little actual consumer demand. Sure, the hype will probably generate eventual demand, but, so far, it hasn't really. I'm not sure I agree with this statement. Our customers are retained based on our value added services, including protected internet initiatives, more than for the Internet service we provide. Internet service is becoming commoditized to the end user, with multiple choices at competitive pricing in many markets. Consumers within single provider markets might expect ISPs to only transport packets, however in multi vendor markets the ISPs are being chosen for offerings above and beyond network access. This is becoming especially true for companies like AOL, which are attempting to move their value added services independently of their Internet access in anticipation of dropping profit margins on network access as well as an attempt to break into new single vendor markets. Moving packets is no longer enough for ISPs. If customer retention is based on value added services then consumers are making market decisions based on more than network transit. I expect NSPs to transport packets. I expect ISPs to provide Internet services, including security services. On 27 Apr 2005, at 06:43, Owen DeLong wrote: I'm sorry, but, I simply do not share your belief that the educated should be forced to subsidize the ignorant. This belief is at the heart of a number of today's sociological problems, and, I, for one, would rather not expand its influence. It is becoming more expensive for ISPs to cater to the educated than to restrict the ignorant. It appears you would prefer the ignorant bear the burden for the educated.
Unfortunately, there are many more ignorant who are willing to purchase restricted internet than educated who require unfettered access, moreover the educated understand the value of unrestricted internet access. As it has a value above and beyond restricted access, in the sense of unrestricted traffic transport, it should be billed at a higher rate accordingly. On 27 Apr 2005, at 16:33, Owen DeLong wrote: However, eliminating end-node abuse at the transit just adds more cost and is, in the long run, an ineffective solution at best, usually with unintended side consequences. For many problems, eliminating the issue at the transit level increases cost to the transit provider but reduces cost to the consumer. This cost reduction can be recouped through effective marketing and having the customer realize those cost savings. If you reduce customer rollover you can tolerate or encourage core infrastructure cost increases as your bottom line can remain the same or increase. --- James Baldwin hkp://pgp.mit.edu/[EMAIL PROTECTED] Syntactic sugar causes cancer of the semicolon.
Re: Paul Wilson and Geoff Huston of APNIC on IP address allocation ITU v/s ICANN etc
I was just wondering why they'd chose to do it the national allocation way when good arguments are presented that it'd only disrupt things. because that is what they know from the telco numbering plan. and it lets them play the this should be run by governments plan, the folk from whom they are used to drawing their power. just imagine what it must feel like to have run a global monopoly game with brandy, cigars, a building in geneve` and many fine lunches and dinners, and to have a disruptive technology blind-side you from both the engineering and political/social vectors at the same time. they're as desperate as the riaa and movie owners; if we can't figure out the market, send in the lawyers and politicians as a holding action until we can. I thought they may have a good reason, but evidently it's just not true. to the itu, and circuitzilla in general, if it worked for voice, then it must work for the internet, no real understanding required. randy
Re: Schneier: ISPs should bear security burden
Steve Sobol wrote: And I'd argue that Owen's attitude is appropriate for transit and business-class connections[0] - but if you're talking about a consumer ISP, that's different. If the Big Four[1] US cable companies followed AOL's lead, we'd see a huge drop in malware incidents and zombies. You could solve 90% of the problems that you perceive are being caused by unrestricted cable modem users by using blocklists to ignore traffic from them. As somebody who picked a DSL provider specifically because it allows me to run any kind of server I want, I'm not highly in favor of blocking traffic from broadband users and killing the end-to-end principle that makes the Internet work, but if the noise-to-signal ratio is too high, it's easy to set up your mail servers to reject mail from cable modem users, or set your routers to null-route their packets, or even null-route-plus-strict-uRPF them if that's what makes your users happy. You'd see a huge drop in zombies because they'd become invisible to you, and while being surrounded by invisible zombies isn't all it's cracked up to be, it's a good start. It puts the choices in the hands of the recipients, and market-like processes will find a balance that's much more varied than imposing technical restrictions on senders (as opposed to don't-spam types of restrictions.) (And in spite of my self-righteous pontificating about not broadly blocking big chunks of people because it blocks the good along with the bad, my main email ISP allows users to pick blocklists by country, and you can bet that I'm blocking email from China, Korea, and Nigeria, and anybody there who wants to reach me can email my work address or use a Yahoo account. I'm not using the DSL/cable blocklists, though, but that mail gets spam-filtered.) -- Thanks; Bill Note that this isn't my regular email account - It's still experimental so far. And Google probably logs and indexes everything you send it.
Re: Schneier: ISPs should bear security burden
On 4/27/05, Owen DeLong [EMAIL PROTECTED] wrote: I was referring to the article which contained the schneier quote, not schneier. The article was written by someone at least pretending to be a journalist, and, was put out as news, not editorial or advertising. As such, it should be held to the standard that should apply to news. Instead, it was yet another example of advertising disguised as news. The standards of technology journalism involve writing about many different things you don't know much about, and sometimes a few that you do, and getting lots of press releases that were written by PR people who might or might not understand what the companies they're writing for are making, and trying to make it interesting enough that you sell enough advertising while meeting your deadlines. Often it gets better than this, and some journalists are really good, but often it doesn't, and sometimes they're doing well to spell the names right and pick the most relevant couple of sentences to quote. The standards for non-technology journalism are pretty similar - the big differences are that in fields you know something about, you're able to recognize bad fact-checking and lack of insight, and you might know some of the important things that got left out, whereas in non-technical journalism, such as political reporting, you might not know enough about what really occurred or who the people are who are getting quoted/interviewed to recognize bad fact-checking or differentiate between organized propaganda campaigns and naive me-too reporting. So be liberal in what you accept, and conservative in what parts of it you actually believe, and try to differentiate between people who have strong opinions vs people who are just being self-serving. I thought the VNUnet article was reasonable for something that short - it hit a couple of issues, and quoted at least one other person who had a somewhat different perspective.
On the other hand, most of the other news articles reported on Schneier's criticism of the overuse of terms like cyber-terrorism by self-promoting or agency-agenda-promoting people. Thanks; Bill Note that this isn't my regular email account - It's still experimental so far. And Google probably logs and indexes everything you send it.
Re: Detecting VoIP traffic in ISP network
No, it's not for legislation. In fact, we're planning to collect information on how people use internet as Voice carrier and the Voice communication quality they got. By this way, it could be evaluated what's the possible best way of resource provisioning, how NGN voice traffic should be carried at the best performance/cost rate. joe --- Suresh Ramasubramanian [EMAIL PROTECTED] wrote: Local telco concerned about voip eating into their revenues, and wants to push through legislation or something? :) On 4/27/05, Joe Shen [EMAIL PROTECTED] wrote: we want to collect statistics in our backbone networks. Is there any good method to this? is there any product for this ? Joe -- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: The not long discussion thread....
On Wed, 27 Apr 2005, Jerry Pasker wrote: Christopher L. Morrow allegedly wrote: This, it seems, was an unfortunate side effect (as I pointed out earlier) of legacy software and legacy config... if I had to guess. You guess wrong. See the above. And don't pass judgement. (am I being cited for lack of clue? It kind of feels like it) It wasn't a no lack of clue meant, just pointing out one possible cause of the acl usage. I don't think I saw the original reasoning in the original email. *BAD* thing, it was a *GOOD* thing. It made things better, not worse. I still may go back and re-implement port 53 blocks in the future if I find a good reason to. I know now that it doesn't really cause operational problems. At least not in a smaller ISP environment. Would I want a transit network to block TCP 53? Of course not. But my end customers request those types of services regularly, so I try to provide what they want. Sure, this is a form of 'managed security services' and the customer (and you) agree to that policy change. And don't think I'm coming off as all ticked off and defensive. I'm not ticked off, I'm actually enjoying this. As for being defensive? Maybe. I'm trying hard not to be though. I really can't help myself. I have this lurking fear that I'm being tossed in to the clueless block TCP 53 with an outsourced firewall, and don't know what I'm doing beyond that group that I so despise. ;-) Especially on this list, full of people that I have so much respect for. either way, it was just one possibility of many for the acl to be there, nothing more :) good of the group, and therefore, worth it. And I still think that. excellent, it probably helps Patrick, the world-nic folks and others as well :)
Re: Schneier: ISPs should bear security burden
Bill Stewart wrote:
> You could solve 90% of the problems that you perceive are being caused by unrestricted cable modem users by using blocklists to ignore traffic from them.

Which would be great if cable/DSL providers offered some insight into which of their netblocks should be blocked and which shouldn't, but that generally isn't the case, so by blocking a certain ip or /24 or whatever, I don't know if I'm blocking customers whose TOS allows them to run servers, or even perhaps blocking Internet-facing servers run by the provider. (Aside from other valid issues mentioned in a reply that apparently hasn't hit nanog yet)

> As somebody who picked a DSL provider specifically because it allows me to run any kind of server I want

What's rDNS for the ip address(es) assigned to you?

I'm not highly in favor of blocking traffic from broadband users and killing the end-to-end principle that makes the Internet work. I'm not in favor of mindless blocking of entire netblocks that may contain stuff that should not be blocked, but broadband providers are notorious for (e.g.) lumping residential customers that can be blocked, with no collateral damage, in the same netblocks as business customers who need to run Internet facing servers, and (e.g.) not providing an easy way to differentiate between the two classes of customer in the first place.

--
JustThe.net - Apple Valley, CA - http://JustThe.net/ - 888.480.4NET (4638)
Steven J. Sobol, Geek In Charge / [EMAIL PROTECTED] / PGP: 0xE3AE35ED
The wisdom of a fool won't set you free --New Order, Bizarre Love Triangle
Re: Paul Wilson and Geoff Huston of APNIC on IP address allocation ITU v/s ICANN etc
On 4/28/05, Scott Weeks [EMAIL PROTECTED] wrote:
> Probably, I'll have to research through the ITU site to find out this information, but surely these arguments have been presented to the ITU while they're making their choice of how to proceed with IP address allocation. Does anyone have a couple of links that support their position for doing it the national allocations way?

Poke around http://www.nro.net for detailed correspondence + submissions on both sides between the RIRs and ITU-T

--
Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: Schneier: ISPs should bear security burden
> What's rDNS for the ip address(es) assigned to you?

I don't know about him, but, on my ADSL connection, it is controlled by my nameservers:

    ;; ANSWER SECTION:
    10.159.192.in-addr.arpa. 86400 IN NS ns.rop.edu.
    10.159.192.in-addr.arpa. 86400 IN NS ns.delong.sj.ca.us.

> I'm not highly in favor of blocking traffic from broadband users and killing the end-to-end principle that makes the Internet work. I'm not in favor of mindless blocking of entire netblocks that may contain stuff that should not be blocked, but broadband providers are notorious for (e.g.) lumping residential customers that can be blocked, with no collateral damage, in the same netblocks as business customers who need to run Internet facing servers, and (e.g.) not providing an easy way to differentiate between the two classes of customer in the first place.

Who are you to decide that there is no damage to blocking residential customers? I'm a residential customer, but, I have a number of servers running, and, a port 25 block would be very destructive to the operation of my mailserver. Why should an ISP decide what a residential customer can or can't do with their internet connection? (This is not an advocation for abandoning TOS or allowing abuse. I am talking about within the confines of legitimate internet use, such as hosting a web site (or even several), running nameservers, mail server(s), etc.)

Owen

--
If this message was not signed with gpg key 0FE2AA3D, it's probably a forgery.
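Owen's answer points at a signal a blocklist operator can actually check before blocking a /24: whether the reverse zone for an address is delegated to the provider's own nameservers or to the customer's. The following is an added example, not code from any poster in this thread. It parses dig-style NS answer lines for in-addr.arpa zones such as the two quoted above, maps each reverse zone back to the IPv4 prefix it covers (including RFC 2317 classless delegations like `0/26.x.y.z.in-addr.arpa`, which go beyond the plain /24 in the message), and reports whether the rDNS for a given address is under the provider's control. The provider domain `example-isp.net`, the `0/26.20.0.198` and `5.113.0.203` zones, and the nameservers `ns1.customer.example` and `ns1.example-isp.net` are constructed sample values.

```python
import ipaddress
import re

# Constructed sample answer section: the two NS records quoted in the message
# above, plus an invented RFC 2317 classless delegation and an invented
# provider-managed /32 for contrast.
SAMPLE_ANSWER_SECTION = """\
;; ANSWER SECTION:
10.159.192.in-addr.arpa. 86400 IN NS ns.rop.edu.
10.159.192.in-addr.arpa. 86400 IN NS ns.delong.sj.ca.us.
0/26.20.0.198.in-addr.arpa. 3600 IN NS ns1.customer.example.
5.113.0.203.in-addr.arpa. 86400 IN NS ns1.example-isp.net.
"""

# Hypothetical: domains under which the provider's own nameservers live.
PROVIDER_NS_DOMAINS = {"example-isp.net"}

# owner [ttl] [IN] type rdata  (dig-style presentation format)
RR_RE = re.compile(r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?(?P<type>[A-Z]+)\s+(?P<rdata>\S+)$")


def reverse_zone_to_network(owner: str) -> ipaddress.IPv4Network:
    """Turn an in-addr.arpa owner name into the IPv4 prefix it covers.

    Plain zones carry 1-4 octets (/8, /16, /24, /32); an RFC 2317 zone
    carries a leading "start/len" label naming a sub-/24 range.
    """
    name = owner.rstrip(".").lower()
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        raise ValueError(f"not an IPv4 reverse zone: {owner}")
    labels = name[: -len(suffix)].split(".")
    prefix_len = None
    if "/" in labels[0]:  # RFC 2317 classless delegation, e.g. "0/26"
        start, plen = labels[0].split("/", 1)
        labels[0] = start
        prefix_len = int(plen)
    octets = [int(label) for label in reversed(labels)]  # labels are reversed octets
    if prefix_len is None:
        prefix_len = 8 * len(octets)
    if not 1 <= len(octets) <= 4 or not 1 <= prefix_len <= 32:
        raise ValueError(f"malformed reverse zone: {owner}")
    octets += [0] * (4 - len(octets))
    return ipaddress.IPv4Network((".".join(map(str, octets)), prefix_len), strict=True)


def parse_ns_delegations(text: str) -> dict:
    """Collect NS records from an answer section, keyed by covered prefix."""
    delegations: dict = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        match = RR_RE.match(line)
        if not match or match.group("type") != "NS":
            continue
        net = reverse_zone_to_network(match.group("owner"))
        delegations.setdefault(net, set()).add(match.group("rdata").rstrip(".").lower())
    return delegations


def summarize_delegations(text: str) -> dict:
    """Human-readable view: prefix string -> sorted nameserver names."""
    return {str(net): sorted(nss) for net, nss in parse_ns_delegations(text).items()}


def covering_delegation(ip: str, delegations: dict):
    """Most specific known reverse zone containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    candidates = [net for net in delegations if addr in net]
    return max(candidates, key=lambda net: net.prefixlen) if candidates else None


def rdns_managed_by_provider(ip: str, delegations: dict, provider_domains=PROVIDER_NS_DOMAINS):
    """True if every NS for the covering zone is under a provider domain,
    False if the zone is delegated (even partly) elsewhere, None if unknown.

    A False here means the netblock's rDNS is customer-run, so a blanket
    block on the covering prefix is likely to hit a business customer's servers.
    """
    net = covering_delegation(ip, delegations)
    if net is None:
        return None
    return all(
        any(ns == dom or ns.endswith("." + dom) for dom in provider_domains)
        for ns in delegations[net]
    )


if __name__ == "__main__":
    known = parse_ns_delegations(SAMPLE_ANSWER_SECTION)
    for prefix, servers in summarize_delegations(SAMPLE_ANSWER_SECTION).items():
        print(f"{prefix:>18}  NS {', '.join(servers)}")
    for probe in ("192.159.10.77", "198.0.20.40", "203.0.113.5", "198.51.100.9"):
        print(f"{probe:>15}  provider-managed rDNS: {rdns_managed_by_provider(probe, known)}")
```

The check only answers the narrow question Steven asked; a zone delegated to the provider does not by itself mean the block is residential, and an absent delegation (None) says nothing either way, so the result belongs beside the provider's published policy rather than in place of it.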