Re: who offers cheap (personal) 1U colo?
Restrict it to people you've met or spoken to enough to think you know them.. ^ That is the problem. Password access to a members-only looking glass can prevent temptation and grief. And nobody needs shell access per se because we are talking about people who have root on their own servers. Some people have done a lot of work on locking down the original looking-glass script. Is there a version of this that is generally accepted to be the best? How useful would it be to folks to have access to a set of looking glasses that have a few more options than the classic one, i.e. TCP traceroute, PathChirp one-way latency measurements, etc.? --Michael Dillon
Re: net-co-op (was Re: who offers cheap (personal) 1U colo?)
On Wed, 17 Mar 2004 13:28:24 PST, Jay Hennigan said: Oh come on, what was .coop for if not this? :) People in the poultry business? :-) Actually, a somewhat reasonable conclusion for a non-native speaker of English, and a concern that *does* have to be addressed by many of the plethora of TLD proposals that crop up every once in a while. '.coop' probably has less mnemonic value on a worldwide basis than the Mandarin characters for the capital city of China
Re: Long-term identifiers (was Re: who offers cheap (personal) 1U colo?)
Sean,

SD ... A long-term end-to-end identifier would let me immediately drop the specific infected computer's
SD traffic regardless of its rotating IP addresses, even if your abuse

What is to prevent rapid changes to the identifier, even more easily than rapidly changing IP addresses? In other words, why trust the identifier? Or at least, how would this identifier really be long term?

d/
--
Dave Crocker dcrocker-at-brandenburg-dot-com Brandenburg InternetWorking www.brandenburg.com Sunnyvale, CA USA tel:+1.408.246.8253
[Fwd: Re: who offers cheap (personal) 1U colo?]
Stephen J. Wilcox wrote: if the market for this is nanog and you're just looking for smtp/shell surely we can manage this between ourselves without charge (ask your nanog buddy for a shell as a favour).. I know I can and will do this Well, I do have motives beyond outbound smtp. I actually looked at some of the mail only services, but I really want someplace that will do IMAP and authenticated SMTP. I want to be able to configure how I filter spam, which I don't want to do at the MUA level because I'll need to access mail various ways from various locations. Besides mail, I want to be able to create and control firewall rules on the box. I also want to be able to set up Apache exactly like I want it, etc. And sometimes it's nice to have shell access on a machine in a different location for troubleshooting purposes. However, I do like the idea of setting up a community of like-minded individuals who would be willing to do secondary MX and/or DNS for each other, and perhaps provide basic shell accounts... On the other hand, I'm a little leery of giving someone I don't know access to one of my boxes. I'm curious how a virtual colocation or dedicated server co-op could work, with values statements on how servers must be run (secure, no SPAM), etc. Would there be member fees? Would members have to democratically vote to let new members in after some kind of vetting process? Would anyone even be interested in such an idea? It would also be interesting to see what kind of monitoring tools could be developed with a diverse set of servers in different parts of the world... could we set up a co-op version of keynote monitoring, where we helped monitor each other?
Re: who offers cheap (personal) 1U colo?
On Wed, 17 Mar 2004, Janet Sullivan wrote: How would this vetting process work? I'm willing to give other nanog folks shell accounts on my machine in return for same, but I really don't want to hand out accounts to packet kiddies. Restrict it to people you've met or spoken to enough to think you know them.. Steve
Re: who offers cheap (personal) 1U colo?
Hello Janet/List - First, allow me to introduce myself, my name is Jonathan M. Slivko and I work for InvisibleHand Networks, Inc. (http://www.invisiblehand.net). Currently, we offer colocation and bandwidth services in the New York/New Jersey market (Telehouse and Equinix to be precise). The reason for this post is to put forth a suggestion: InvisibleHand Networks, Inc. allows you to buy bandwidth on demand as needed without having to commit to any bandwidth level, 95th percentile or long term contract. We can colocate personal 1U servers at either facility for a set price per server and then you can purchase bandwidth on our spot market. All of our services are on month-to-month contracts and we can offer you some kind of discount if you buy in bulk. However, without having a valid consensus as to how many people would be interested in such a deal, I cannot/will not offer pricing on this list (contact me offlist if interested). I look forward to talking to you soon. Janet Sullivan wrote: I have been aching for this now for about six years. In every professional setting I've ever been in, a need for this kind of thing arises and my advice to my employer/client is always the same: pay the $x per month for a colo server for your network/system engineers to use as an outpost for emergencies, external analysis, and monitoring. Exactly! While route servers are great, sometimes I need the flexibility of an outside shell account to do troubleshooting. I know a few other people at work who also keep outside shell accounts somewhere for this very purpose. It seems like approaching one of the larger colo providers and coordinating some sort of NANOG Discount might be one quick route. I'm of two minds on this. Obviously, if a group of us go to provider X and say we want Z amount of rack space, we can probably get a good deal. 
On the other hand, I'm also interested in a community of like minded folks with servers located in diverse environments who would trade access with one another. If we're all in one rack in one datacenter, there is more of a chance we'll all go down together. If we have a diverse footprint, that is much less likely to happen. The discount could be restricted to those who are appropriately vetted. This program would be of value to the colo provider because of the potential for discount recipients to direct business their way. How would this vetting process work? I'm willing to give other nanog folks shell accounts on my machine in return for same, but I really don't want to hand out accounts to packet kiddies. Suffice it to say, I'm interested, both to address current work-day issues and for personal use. I'm also interested. I do currently have a dedicated FreeBSD server in Australia for personal use. Those of us who are running our own personal mail DNS servers could get together to back each other up. -- Jonathan M. Slivko [EMAIL PROTECTED] Sales/Network Operations Invisible Hand Networks, Inc. http://www.invisiblehand.net 670 Broadway, 2nd Floor, New York, NY 10012 Ph: 212-226-1422 F: 212-202-7640 M: 646-924-9211
Re: who offers cheap (personal) 1U colo?
Mike Damm wrote: That being said, I've had the idea for a couple years now of getting enough geeky folks together to rent a rack on both coasts and populate it with a few different operating systems and bits of gear for just the reasons outlined in this thread. So if you decide to put something together, I'm up for it. I got an email from Eric Brunner-Williams who hangs out on freebsd-isp and nanog that really sparked my interest. Go to http://wampumpeag.net/vixie-personal-1U-colo.html At the bottom of the page it reads: We've started the paperwork with the NCBA to form a real honest-to-goodness member-owned cooperative for bloggers, and a real honest-to-goodness member-owned cooperative for personal 1U colo is just a second set of paper. This is about as vague as a price sheet can get, but this was where we were headed before Paul popped the question on NANOG, and in April we'll be accepting member 1U units.
net-co-op (was Re: who offers cheap (personal) 1U colo?)
Based on the response I've gotten off-list from people interested in sharing our resources know-how with each other, I've just registered net-co-op.org. In the next couple of days I'll set up a mailing list and a basic web page. Once the mailing list is set up, I'll post another message to NANOG. On the net-co-op mailing list we can hash out a basic charter agreement and get to know each other. More to come... Janet
Re: net-co-op (was Re: who offers cheap (personal) 1U colo?)
On Wed, Mar 17, 2004 at 02:01:43PM -0700, Janet Sullivan wrote: Based on the response I've gotten off-list from people interested in sharing our resources know-how with each other, I've just registered net-co-op.org. ... Oh come on, what was .coop for if not this? :) -- Daniel Medina
Re: net-co-op (was Re: who offers cheap (personal) 1U colo?)
Janet, Since your note earlier today there have been just under 200 fetches of the html. I've written to Byron Henderson and asked him to help me with the coop formation. He and I worked on the .coop sTLD proposal, and as I mention I discussed member-owned colo coop with Carolyn Hoover of the NCBA this week, as well as the similar idea for bloggers as a vhost user class in Rome last week. There are not a lot of cooperatives out there ... Mt. Xinu was employee owned. Poptel was an employee-owned coop in the ISP and hosting markets, including the .coop registry implementor and operator, but recently was forced to convert to structured venture-equity ownership. There is some bandwidth purchaser's cooperative in the South West ... Cheers, Eric
Re: net-co-op (was Re: who offers cheap (personal) 1U colo?)
On Wed, 17 Mar 2004, Daniel Medina wrote: On Wed, Mar 17, 2004 at 02:01:43PM -0700, Janet Sullivan wrote: Based on the response I've gotten off-list from people interested in sharing our resources know-how with each other, I've just registered net-co-op.org. ... Oh come on, what was .coop for if not this? :) People in the poultry business? :-) -- Jay Hennigan - CCIE #7880 - Network Administration - [EMAIL PROTECTED] WestNet: Connecting you to the planet. 805 884-6323 WB6RDV NetLojix Communications, Inc. - http://www.netlojix.com/
Re: net-co-op (was Re: who offers cheap (personal) 1U colo?)
net-co-op.org. ... Oh come on, what was .coop for if not this? :) People in the poultry business? :-) chicken.coop was sought for by many, myself included. The Director, Co-op Business Development and Member Services, National Cooperative Business Association, and I are now playing phone tag, so I expect to have some progress to report for a member-owned colo coop on a daily basis. It occurs to me that a member-owned colo coop is not necessarily location-dependent, nor uniquely valued. Eric
network or not? Re: Platinum accounts for the Internet (was Re: who offers cheap (personal) 1U colo?)
On Mon, 15 Mar 2004, Alexei Roudnev wrote: First, let me say that I appreciate your s wrt the s2n ratio here. I don't want to indicate otherwise. But, to get into the circle with everyone else and shoot some marbles... :) : Ok - is name resolution issue network issue or not? if it is, how can you : answer anything without knowing, for example, of existing Windows DNS : client with internal cache, and difference between 'ping' and 'nslookup' : name resolution on Solaris? : : Is ARP problem - network one or not? if it is, how can you determine, what : happen, if some crazy server became ARP proxy and sends wrong : information to everyone? Loopback plug, sniffer or some similar geek thingie. Not the network; hand the ticket off. I guess it means defining what we mean by the network. : For tier-2 - I agree. For real tier-3 - I can not. Those friends, who are : excellent network engineers (much better than me, with CCIE : and other _really good_ experience), knows Windows and Unix on a very good : level. (of course, if some HR asks them 'where is configuration file for : SAMBA on Solaris - no one answer, but it does not mean that they do not know : Solaris; and you can always meet religious people 'my god is MS / my god is : Linux'). I never said a good netgeek didn't know these things. I only said, you don't HAVE to know them to be a good escalation network engineer for a big ass network with specialized folks. : Is it bad, If they (your sysadmins) understand your backbone : infrastructure and understand such things, as MTU MTU discovery, knows : about ACL filters (without extra details) and existing limitations? They : are not required to know about VPN mode or T3 card configuration, but : they must understand basic things. This is what makes good network/system engineers on both sides of the fence. When the ticket is tossed over the fence, the crapwork is done. Person that gets the ticket is happy and returns the favor when tossing a ticket your way. 
Get both sides caring about tossing tickets properly and you gotta kick-ass team going on. damn, i miss the days... : Else, everything ends up in a long delays and 10 person technical : meetings (by the phone, of course) - which is the best way of wasting : anyone's time. OUCH!!! The pain in my brain from absorbing that idea!! :-) scott : : - Original Message - : From: Scott Weeks [EMAIL PROTECTED] : To: [EMAIL PROTECTED] : Sent: Monday, March 15, 2004 1:32 PM : Subject: Re: Platinum accounts for the Internet (was Re: who offers cheap : (personal) 1U colo?) : : : : : : On Mon, 15 Mar 2004, Alexei Roudnev wrote: : : : I expect, that good (tier-3, to say) network engineer MUST know Windows : and : : Unix (== Linux, FreeBSD etc) on tier-2 (or better) level. Else, he will : not : : be able to troubleshoot his _network problem_ (because they are more : likely : : complex Network + System + Application + Cable problem). : : : : So, it is not a good answer. : : Not true in many cases. All I have to prove is it's not the network and : then I hand it off to the windows/*nix/whatever sysadmins. To prove : it's not the network, I don't need to know the end systems in any sort of : detail. : : scott : : : : : : : - Original Message - : : From: Pete Templin [EMAIL PROTECTED] : : To: [EMAIL PROTECTED] : : Sent: Monday, March 15, 2004 7:16 AM : : Subject: Re: Platinum accounts for the Internet (was Re: who offers : cheap : : (personal) 1U colo?) : : : : : : : : Laurence F. Sheldon, Jr. wrote: : : : : Pete Templin wrote: : : There's a reason I've gotten out of small ISP consulting - I don't : do : : Windows, and I'm getting overrun by Linux corrosion slowly. I : route, : : I switch, I help with securing networks. And I do wear a lot of : hats : : at my day job, but I remind them that they hired a specialist, and : : promised lots of server support all along the way. Granted, the : : Windows guy is overloaded and the UNIX/Linux guy would snore in : front : : of his PHB... 
: : : : If you are in Nebraska I can help you with the Unemploy^WWorkforce : : Development paperwork. : : : : I didn't suggest saying I'm not gonna do it. I just suggested You : : hired me to deploy dynamic routing on your statically-routed network. : : What prompted you to think that I could configure site-wide anti-virus : : services such that no one ever reports a virus leak from our : enterprise, : : without training, time to test and develop such a critical solution, : or : : both? : : : : pt : : : : : : :
Re: who offers cheap (personal) 1U colo?
Too bad I can't automate the web logins. Huh!? http://curl.haxx.se/ And then there are all those Windows macro recorder programs http://www.tucows.com/macros95_default.html --Michael Dillon
Re: who offers cheap (personal) 1U colo?
On Mon, 15 Mar 2004 23:17:27 -0500 (EST) Andrew Dorsett [EMAIL PROTECTED] wrote: I'm not referring to the time required to implement. I'm talking about the time it takes for the user. On the user end. Let's do some simple math. Let's say I turn on my laptop before I shower, I power it down during the day while I'm in class and I turn it back on when I get home in the evening. This means two logins per day. Let's say that the login The systems I'm familiar with require only a single login per quarter, semester or school year unless there is a manual de-registration, which is most often due to an AUP violation or system compromise. John
RE: who offers cheap (personal) 1U colo?
On Mon, 15 Mar 2004, Andrew Dorsett wrote: On Mon, 15 Mar 2004, Vivien M. wrote: Yes I am... I am referring to a system which an unmentionable university has in place. It requires the user to enter their username and password each time the link state changes before they are allowed outside of the local lan. This is also similar to the new port authentication system on the Extreme Networks switches. It automatically delves out an address to the user so they can access a login portal and then it reissues them a legitimate address once they have been authenticated. This is a pretty slick setup for mobile users who connect in temporarily to public portals but it makes little sense in a fixed network environment of a dorm room or office. It's the same type of system used for hotspots. Curtis -- Curtis Maurand mailto:[EMAIL PROTECTED] http://www.maurand.com
Re: who offers cheap (personal) 1U colo?
Curtis Maurand wrote: Then anyone can walk up to the machine and get onto the network simply by turning on the machine. The system you're looking for involves biometrics or smartcards. Firewalls between student and administration areas would be a good idea as well. It must be dreadful to work in a place where everybody is The Enemy. In case I ever get another job at a University, how do you separate student areas from administration areas? In my limited experience, we had students in labs, classrooms, and offices in the Administration Building, administrators (RA's, residents, offices) in the Residence Halls, all kinds of creepy people in the libraries, classrooms, offices, dining rooms, and recreational and exercise facilities. Do you use armed guards to keep everybody in their proper areas? -- Requiescas in pace o email
Re: who offers cheap (personal) 1U colo?
Painting with a broad brush the differentiation between student and administrative networks is based on location, role and ownership. A public ethernet port in a library is a student network even though administrative computers may be connected from time to time. The librarian's machine is attached to an administrative network. This is a fluid definition since the students often work on administrative computers. The real differentiator is the student networks are comprised of machines the university does not own or have direct administrative control over and securing these machines is up to the owner. An administrative network is a network of machines owned and controlled by the university hence the security policy is defined, implemented and enforced by the responsible parties within the university. Scott C. McGrath On Tue, 16 Mar 2004, Laurence F. Sheldon, Jr. wrote: Curtis Maurand wrote: Then anyone can walk up to the machine and get onto the network simply by turning on the machine. The system you're looking for involves biometrics or smartcards. Firewalls between student and administration areas would be a good idea as well. It must be dreadful to work in a place where everybody is The Enemy. In case I ever get another job at a University, how do you separate student areas from administration areas? In my limited experience, we had students in labs, classrooms, and offices in the Administration Building, administrators (RA's, residents, offices) in the Residence Halls, all kinds of creepy people in the libraries, classrooms, offices, dining rooms, and recreational and exercise facilities. Do you use armed guards to keep everybody in their proper areas? -- Requiescas in pace o email
Re: who offers cheap (personal) 1U colo?
In case I ever get another job at a University, how do you separate student areas from administration areas? When we disable the network in a particular area, if a non-student calls then it's a non-student area ;) Eric :)
Re: who offers cheap (personal) 1U colo?
Ken Diliberto wrote: The smarter students put a NAT box on their port so they can run their desktop, laptop, XBox and have a place their friend can plug in. NAT is evil, not smart. If the addresses run out because of legitimate use, more addresses should be allocated. Pete
Re: who offers cheap (personal) 1U colo?
Paul Vixie wrote: at scale, with things as they now are, i simply don't believe this. with a 1:1 ratio (daily customers to onduty clues), it is never going to be possible to contact every customer out of band (by phone, that is) when they need to be told how to de-virus their win/xp box. not for $30/month. you can fiddle with the ratio -- 800:1 may work -- and you might be able to hire clues very cheaply for a while -- but not at scale. i'd love to be proved wrong on this point. I see this as two different processes. There are definitely some individuals who have no help whatsoever with their computers and need the abuse/helpdesk to walk them through the disinfecting process. However in my experience these are only a small fraction of the population with infected machines. It really solves 90%+ of the problem by just getting the message to the individual that they have a problem and they'll find somebody to fix it for them. Pete
Platinum accounts for the Internet (was Re: who offers cheap (personal) 1U colo?)
On Mon, 15 Mar 2004, Petri Helenius wrote: I see this as two different processes. There are definitely some individuals who have no help whatsoever with their computers and need the abuse/helpdesk to walk them through the disinfecting process. Gartner estimates the total cost of ownership of a PC at $450/month. If someone is paying $50/month, I wonder where the other $400 goes? Is it marketing suicide in other industries have premium customer programs. Pay more or have a better credit rating, and you get a platinum credit card. Fly more or pay more and you get to sit in first class and board the plane first. Why not have special IP addresses reserved for the Internet elite? ISPs are desperately looking for new revenue streams. Would you pay an extra $50/month for platinum-level Internet address? ARIN could charge extra to certify those ISPs receiving platinum Internet addresses. Mass mailers already pay companies like Habeas and IronPort for bonded e-mail. Suppose we create Internet++ using 126/8 as the starting IP address block. Only ISPs agreeing to the good code of conduct could use 126/8 addresses assigned independently of any other IP addresses in use. ISPs might reserve 126/8 addresses to only a few of their most secure servers, and a few very trusted customers. If it was successful, IANA could extend the range to 125/8, 124/8 and so on. However in my experience these are only a small fraction of the population with infected machines. It really solves 90%+ of the problem by just getting the message to the individual that they have a problem and they'll find somebody to fix it for them. Doubtful. If you look at large samples, e.g. 10,000 infected computers, the repair rate is essentially identical between a group told their computers are infected and a group which wasn't told. Perhaps more scary, the rate of repair after being notified doesn't change whether the group are self-described computer experts or general users. 
I expect every NANOG conference from now on will be filled with announcements asking people to please fix their computers because worms are killing the network. NANOG has less than 500 attendees, yet has about the same number as infected computers as any other ad-hoc network population.
Long-term identifiers (was Re: who offers cheap (personal) 1U colo?)
On Sun, 14 Mar 2004, Andrew Dorsett wrote: In a dorm room situation or an apartment situation, you again know the physical port the DHCP request came in on. You then know which room that port is connected to and you therefore have a general idea of who the abuser is. So what's the big deal if you turn off the ports to the room until the users complain and the problem is resolved? It has to do with response time. If I send an abuse complaint to an organization's mailbox on a Friday night, will it be dealt with in the next 10 seconds? Or sometime next week? If the computer reboots every 60 seconds, and gets different IP addresses every time, a single infected computer can appear with lots of different IP addresses which results in overblocking. Similar things happen when a very large corporation has a NAT firewall, and attacks appear to come from all over their address ranges. A long-term end-to-end identifier would let me immediately drop the specific infected computer's traffic regardless of its rotating IP addresses, even if your abuse department doesn't open until next Monday to track down the user to permanently fix it. The other issue is assuming abuse is defined the same way. If I can uniquely identify the source, we don't have to debate whether my definition of abuse is the same as your definition. You might have a three-strike policy and I have a zero-tolerance policy. It doesn't matter if there was an end-to-end long-term identifier. While you are waiting for the other strikes, I can immediately block that specific computer regardless of what IP address it has today. That way reputation could be tied to the infected computer instead of random address ranges. If IPsec ever gets fully deployed, then we may be able to negotiate end-to-end identification. The long-term end-to-end identifier does not need to include personally identifiable information.
Re: who offers cheap (personal) 1U colo?
## On 2004-03-14 11:58 - Simon Lockhart typed:

SL If someone can point me to Virtual Solaris Machine, then I'd willingly offer
SL that as a service (the colo I help run as a hobby is Sun only).

AFAIK that will be in Solaris 10 - See N1 Grid Containers on http://wwws.sun.com/software/solaris/10/ You can get a non-supported preview for free (or pay 99$ for one year support)

-- HTH, Rafi

SL The reason people are doing it on Linux is that it's available. (And, in the
SL case of LVM, free)
SL
SL Simon
Re: who offers cheap (personal) 1U colo?
On Mon Mar 15, 2004 at 12:26:09PM +0200, Rafi Sadowsky wrote: AFAIK that will be in Solaris 10 - See N1 Grid Containers on http://wwws.sun.com/software/solaris/10/ You can get a non-supported preview for free (or pay 99$ for one year support)

Well, it's Zones. I downloaded the latest Solaris Express release last night and got a simple Zones implementation running on a spare box. It certainly looks very interesting.

Simon
--
Simon Lockhart | Tel: +44 (0)1628 407720 (x(01)37720) | Si fractum
Technology Manager | Fax: +44 (0)1628 407701 (x(01)37701) | non sit, noli
BBC Internet Ops | Email: [EMAIL PROTECTED] | id reficere
BBC Technology, Maiden House, Vanwall Road, Maidenhead. SL6 4UB. UK
Re: who offers cheap (personal) 1U colo?
Sorry this thread is huge, I hope I'm not repeating comments.. if the market for this is nanog and you're just looking for smtp/shell surely we can manage this between ourselves without charge (ask your nanog buddy for a shell as a favour).. I know I can and will do this Steve On Sun, 14 Mar 2004, Janet Sullivan wrote: Paul Vixie wrote: every time i tell somebody that they shouldn't bother trying to send e-mail from their dsl or cablemodem ip address due to the unlikelihood of a well staffed and well trained and empowered abuse desk defending the reputation of that address space, i also say buy a 1U and put it someplace with a real abuse desk, and use your dsl or cablemodem to tunnel to that place. My cable modem provider filters port 25, so I can't run my own SMTP server. Their mail servers suck. Yes, I could pay for a business class cable modem connection and they'd unblock the port... but I'd likely still be filtered. Guess who is having a dedicated 1U set up right now? ;-) I think Paul is right, there is a small niche market for this.
Re: who offers cheap (personal) 1U colo?
$50/month at 40U rentable is $2000/rack/month if it's full. And then there's the newer high-density rackmount units like this one http://www.rlx.com/products/serverblades/dense.php This product puts up to 24 server blades in a 3U chassis which basically means you can put 8 times as many servers in a rack. And if any of you have played with things like the Zaurus C760/C860 then you know where all this is headed. $50/month today, $25/month in a year or two, and then in about 5 years it will be a free perk if you sign a two-year contract with your broadband provider. --Michael Dillon
RE: who offers cheap (personal) 1U colo?
For most people it'd probably make much more sense to find a provider that offers some form of SMTP relay service. It'd probably be cheaper/month, and they wouldn't have the trouble and expense of providing/maintaining a colo server. Yep, if you aren't technically inclined that is better. What if the cost were only $10/month and they didn't have to maintain anything other than a set of usernames/passwds (SMTP Auth) or perhaps a list of their own IPs (relaying based on IP)? It's starting to sound like a nice little business for a college senior to set up using one of the colo providers from Paul's list. It would be a lot more palatable for large providers to crack down on unauthenticated SMTP if there were such alternatives available. Then instead of cracking down on users they would be supporting new small businesses. I imagine there are a lot of people doing this already but we just don't see it because they don't have a catchy name for themselves like ISP. --Michael Dillon
Re: who offers cheap (personal) 1U colo?
Certainly the point central to your argument is that with the right abuse-desk to customer ratio AND the right customer base, things could be kept clean for smtp/web/ftp/blah 'hosting'. I'll take the right customer base for $50 please Alex. This is most certainly the case... I look forward to seeing your list of providers and prices :) Rick Adams and Mike O'Dell had an idea in 1987. How is this any different? Eric
Re: Long-term identifiers (was Re: who offers cheap (personal) 1U colo?)
Sean Donelan wrote: If I send an abuse complaint to an organization's mailbox on a Friday night, will it be dealt with in the next 10 seconds? Or sometime next week? If the computer reboots every 60 seconds, and gets different IP addresses every time, a single infected computer can appear with lots of different IP addresses which results in overblocking. Similar things Most DHCP servers are capable of assigning the same IP address to the same MAC address both with DHCPDISCOVER and DHCPREQUEST. It just needs the configuring party to want that. (with the caveat that somebody got to the address first, which is possible but unlikely) Since static ip addresses are considered a premium service, most providers opt towards approaches which make the IP address change more often. Pete
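The overblocking argument in this subthread, as an added example that is not part of any poster's message: a remote site blocks by source IP or by a stable identifier while one infected client reboots through a small DHCP pool, with rotating or sticky leases. The pool behaviour, the event timeline, the `SITE_KEY` and the HMAC-of-MAC `pseudonym` are assumptions constructed for illustration; addresses come from the 192.0.2.0/24 documentation range.

```python
import hashlib
import hmac

SITE_KEY = b"constructed-demo-key"  # assumption: secret held by the access network
INFECTED = "02:00:00:00:00:01"      # constructed, locally administered MACs
HOST_A = "02:00:00:00:00:02"
HOST_B = "02:00:00:00:00:03"

# Constructed timeline of (action, client MAC). "attack" and "legit" are packets
# arriving at the remote site; "reboot" releases the lease and requests a new one.
EVENTS = [
    ("lease", INFECTED), ("lease", HOST_A), ("lease", HOST_B),
    ("attack", INFECTED), ("legit", HOST_A),
    ("reboot", INFECTED), ("attack", INFECTED),
    ("reboot", HOST_A), ("legit", HOST_A),
    ("reboot", INFECTED), ("attack", INFECTED),
    ("reboot", HOST_B), ("legit", HOST_B),
]


def pseudonym(mac, key=SITE_KEY):
    """Stable identifier without PII: keyed hash of the client MAC (an assumption)."""
    return hmac.new(key, mac.lower().encode(), hashlib.sha256).hexdigest()[:16]


class DhcpPool:
    """Toy address pool: released addresses go to the back of the free list."""

    def __init__(self, addresses, sticky):
        self.free = list(addresses)
        self.sticky = sticky
        self.last_ip = {}  # mac -> address it held most recently
        self.active = {}   # mac -> address it holds now

    def lease(self, mac):
        remembered = self.last_ip.get(mac)
        if self.sticky and remembered in self.free:
            # Same MAC gets the same address back, unless someone took it first.
            self.free.remove(remembered)
            ip = remembered
        else:
            ip = self.free.pop(0)
        self.active[mac] = self.last_ip[mac] = ip
        return ip

    def release(self, mac):
        self.free.append(self.active.pop(mac))


def run(sticky, key_on):
    """Replay EVENTS; the remote site blocks on 'ip' or on the identifier ('id')."""
    pool = DhcpPool([f"192.0.2.{n}" for n in range(10, 14)], sticky)
    blocked = set()
    stats = {"detections": 0, "clean_dropped": 0}
    for action, mac in EVENTS:
        if action == "lease":
            pool.lease(mac)
        elif action == "reboot":
            pool.release(mac)
            pool.lease(mac)
        else:
            source = pool.active[mac] if key_on == "ip" else pseudonym(mac)
            if source in blocked:
                if action == "legit":
                    stats["clean_dropped"] += 1  # overblocking: clean host hit
            elif action == "attack":
                stats["detections"] += 1         # attack seen from an unblocked source
                blocked.add(source)
    stats["block_entries"] = len(blocked)
    return stats


if __name__ == "__main__":
    for label, sticky, key_on in [("rotating leases, block by IP", False, "ip"),
                                  ("sticky leases, block by IP", True, "ip"),
                                  ("rotating leases, block by identifier", False, "id")]:
        print(f"{label}: {run(sticky, key_on)}")
```

The identifier here is only as stable as its input: a client that changes its MAC gets a new pseudonym, which is the trust question raised elsewhere in the thread.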
Re: Platinum accounts for the Internet (was Re: who offers cheap (personal) 1U colo?)
I expect every NANOG conference from now on will be filled with announcements asking people to please fix their computers because worms are killing the network. NANOG has less than 500 attendees, yet has about the same number as infected computers as any other ad-hoc network population. Maybe NANOG needs to implement a system where you have to log in to a web page with your NANOG meeting passcode in order to get a usable IP address. Then, when an infected computer shows up we will know exactly whose it was. Might even be interesting for a researcher to interview every infected party and figure out why it is happening even among a supposedly clueful group. --Michael Dillon
Re: Platinum accounts for the Internet (was Re: who offers cheap (personal) 1U colo?)
[EMAIL PROTECTED] writes: Maybe NANOG needs to implement a system where you have to log in to a web page with your NANOG meeting passcode in order to get a usable IP address. Then, when an infected computer shows up we will know exactly whose it was. Might even be interesting for a researcher to interview every infected party and figure out why it is happening even among a supposedly clueful group. Seconded. This is dirt simple to do. If we believe in public humiliation, a list of infected machines and their owners (along with a suitably snarky don't hire these top network engineers to maintain your fleet of windows boxes message) could be displayed on the projection screens at the break. ---Rob
Re: Platinum accounts for the Internet (was Re: who offers cheap (personal) 1U colo?)
a suitably snarky don't hire these top network engineers to maintain your fleet of windows boxes message) could be displayed on the Is this an opt-in list? I'd like to opt-in. Now. Nu. Proto. A lifetime ago.
Re: Platinum accounts for the Internet (was Re: who offers cheap (personal) 1U colo?)
Robert E. Seastrom wrote: Seconded. This is dirt simple to do. If we believe in public humiliation, a list of infected machines and their owners (along with a suitably snarky don't hire these top network engineers to maintain your fleet of windows boxes message) could be displayed on the projection screens at the break. Employee to PHB: You hired me to provide core network engineering and lead the level 2 network ops staff. Tell me again why you want me to provide any server engineering, if you knew my strengths when you hired me? There's a reason I've gotten out of small ISP consulting - I don't do Windows, and I'm getting overrun by Linux corrosion slowly. I route, I switch, I help with securing networks. And I do wear a lot of hats at my day job, but I remind them that they hired a specialist, and promised lots of server support all along the way. Granted, the Windows guy is overloaded and the UNIX/Linux guy would snore in front of his PHB... pt
Re: who offers cheap (personal) 1U colo?
On Sun, 14 Mar 2004 01:29:29 -0500 (EST) Andrew Dorsett [EMAIL PROTECTED] wrote: This is a topic I get very soap-boxish about. I have too many problems with providers who don't understand the college student market. I can There are certain environments where it would be nice for people to have spent some time. Working at a university would be one good experience for many people, particularly in this field, to have had. think of one university who requires students to login through a web portal before giving them a routable address. This is such a waste of time for both parties. Sure it makes tracking down the abusers much easier, but is it worth the time and effort to manage? This is a very In most implementations I'm familiar with, the time and effort is mostly spent in the initial deployment of such a system. legitimate idea for public portals in common areas, but not in dorm rooms. In a dorm room situation or an apartment situation, you again know the physical port the DHCP request came in on. You then know which room that port is connected to and you therefore have a general idea of who the abuser is. So what's the big deal if you turn off the ports to the room until the users complain and the problem is resolved? As someone else mentioned, an AUP may be a reason for such a system. In addition, these systems often allow an i.d. to be notified, restricted or disabled and not just from a single port, but from any port where this system is used. Also know that some schools' dorm resident information is not populated nor easily accessible in network connectivity records. The portal systems are often used as a way to be proactive in testing a dorm user's system for vulnerabilities and allowing minimal connectivity for getting fixed up if they are. This is often referred to as the quarantine network. Many institutions have tried to simply turn off a port and deal with the problem when a user calls. 
Sometimes the user moves, but even if they don't this doesn't scale very well for widespread problems such as some of the more common worms and viruses that infect a large population. A lot of institutions don't have 24x7 support to handle calls from dorm students who are often up til midnight or later doing work. Many systems can have the connection registration pulled, forcing a new registration immediately. This may be due to proactive scanning or simply to refresh the database at the end of a school year. I guess this requires very detailed cable map databases and is something some providers are reluctant to develop. Scary thought. Correct, this is a problem for universities too. Especially when many of their cabling systems are old and have often been managed (or not) by transient workers (e.g. student employees) over the years. John
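The messages above turn on two points: a host that keeps drawing new DHCP addresses looks like many hosts and leads to overblocking, and a registration id lets the operator act on the machine rather than on a port or address. The following is an added example, not code from any poster in this thread: it joins sensor-flagged flows to DHCP lease history by time so each flow is attributed to the MAC and registrant that held the address at that moment. All lease, registration and flow records are constructed, and the function names are hypothetical.

```python
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"


def ts(text):
    """Parse a timestamp in the format used by the constructed records."""
    return datetime.strptime(text, FMT)


# Constructed DHCP lease history: (lease start, lease end, ip, mac).
# One machine reboots and draws three addresses; a second machine later
# receives one of the addresses the first machine gave up.
LEASES = [
    ("2004-03-15 09:00:00", "2004-03-15 09:01:00", "10.0.0.11", "00:00:5e:00:53:01"),
    ("2004-03-15 09:01:10", "2004-03-15 09:02:10", "10.0.0.12", "00:00:5e:00:53:01"),
    ("2004-03-15 09:02:20", "2004-03-15 09:03:20", "10.0.0.13", "00:00:5e:00:53:01"),
    ("2004-03-15 09:05:00", "2004-03-15 17:00:00", "10.0.0.11", "00:00:5e:00:53:02"),
]

# Constructed portal registrations: MAC -> registrant id.
REGISTRATIONS = {
    "00:00:5e:00:53:01": "attendee-a",
    "00:00:5e:00:53:02": "attendee-b",
}

# Constructed flows flagged by a sensor as worm traffic: (time, source ip).
FLOWS = [
    ("2004-03-15 09:00:30", "10.0.0.11"),
    ("2004-03-15 09:01:40", "10.0.0.12"),
    ("2004-03-15 09:01:45", "10.0.0.12"),
    ("2004-03-15 09:02:50", "10.0.0.13"),
    ("2004-03-15 09:04:00", "10.0.0.99"),  # never leased: cannot be attributed
]


def build_lease_index(leases):
    """Group leases per IP, sorted by start time, for point-in-time lookup."""
    index = defaultdict(list)
    for start, end, ip, mac in leases:
        index[ip].append((ts(start), ts(end), mac))
    for spans in index.values():
        spans.sort()
    return index


def mac_at(index, ip, when):
    """Return the MAC that held `ip` at `when`, or None if it was unleased."""
    spans = index.get(ip, [])
    starts = [span[0] for span in spans]
    pos = bisect_right(starts, when) - 1
    if pos >= 0:
        _, end, mac = spans[pos]
        if when < end:
            return mac
    return None


def attribute(flows, index, registrations):
    """Collapse flagged flows onto the machine (MAC) and registrant behind them."""
    hosts, unattributed = {}, []
    for when, ip in flows:
        mac = mac_at(index, ip, ts(when))
        if mac is None:
            unattributed.append((when, ip))
            continue
        entry = hosts.setdefault(
            mac,
            {"owner": registrations.get(mac, "unregistered"), "ips": set(), "flows": 0},
        )
        entry["ips"].add(ip)
        entry["flows"] += 1
    return hosts, unattributed


def overblocked_by_ip(hosts, index, now):
    """MACs an IP-based block would hit at `now` that never sent a flagged flow."""
    victims = set()
    for entry in hosts.values():
        for ip in entry["ips"]:
            holder = mac_at(index, ip, ts(now))
            if holder is not None and holder not in hosts:
                victims.add(holder)
    return victims


if __name__ == "__main__":
    idx = build_lease_index(LEASES)
    infected, unknown = attribute(FLOWS, idx, REGISTRATIONS)
    for mac, entry in infected.items():
        print(mac, entry["owner"], sorted(entry["ips"]), entry["flows"])
    print("unattributed:", unknown)
    print("hit by an IP block at 10:00:", overblocked_by_ip(infected, idx, "2004-03-15 10:00:00"))
```

Keyed on the MAC, the three addresses collapse to one registered machine, while a block on those same three addresses would also cut off the second registrant, who now holds 10.0.0.11.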
Re: who offers cheap (personal) 1U colo?
Ken Diliberto wrote: Something else I just remembered: Connecting so much equipment in our dorms creates a fire hazard. There are only two or three outlets (what I've been told) in a room shared by two or three students. Add to the computer equipment a TV, stereo, DVD player, alarm clocks, cordless phones, etc., etc., etc. and you have the makings for newspaper headlines. Hasn't happened yet to my knowledge, but it could and students don't consider these things. If you were willing to live in a place where an electrical overload caused a fire (as opposed to tripping a circuit-breaker or blowing a fuse), you have not correctly identified your worst problem, or the University's. -- Requiescas in pace o email
Re: Platinum accounts for the Internet (was Re: who offers cheap (personal) 1U colo?)
Pete Templin wrote: Employee to PHB: You hired me to provide core network engineering and lead the level 2 network ops staff. Tell me again why you want me to provide any server engineering, if you knew my strengths when you hired me? There's a reason I've gotten out of small ISP consulting - I don't do Windows, and I'm getting overrun by Linux corrosion slowly. I route, I switch, I help with securing networks. And I do wear a lot of hats at my day job, but I remind them that they hired a specialist, and promised lots of server support all along the way. Granted, the Windows guy is overloaded and the UNIX/Linux guy would snore in front of his PHB... If you are in Nebraska I can help you with the Unemploy^WWorkforce Development paperwork. -- Requiescas in pace o email
Re: who offers cheap (personal) 1U colo?
Laurence F. Sheldon, Jr. [3/15/2004 7:39 PM] : If you were willing to live in a place where an electrical overload caused a fire (as opposed to tripping a circuit-breaker or blowing a fuse), you have not correctly identified your worst problem, or the University's. That's always there, but at least one dorm that I know of has this rule against running appliances in a dorm room. srs -- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
Re: who offers cheap (personal) 1U colo?
Suresh Ramasubramanian wrote: Laurence F. Sheldon, Jr. [3/15/2004 7:39 PM] : If you were willing to live in a place where an electrical overload caused a fire (as opposed to tripping a circuit-breaker or blowing a fuse), you have not correctly identified your worst problem, or the University's. That's always there, but at least one dorm that I know of has this rule against running appliances in a dorm room. A rule against running a hotplate or other heat-generating appliance (or all appliances to avoid the arguments) makes sense. A rule against running power-consumers that were not in the cost-of-overhead calculation makes sense. Restricting (or trying to restrict) computers in today's University environment is delusional. -- Requiescas in pace o email
Re: Platinum accounts for the Internet (was Re: who offers cheap (personal) 1U colo?)
Laurence F. Sheldon, Jr. wrote: Pete Templin wrote: There's a reason I've gotten out of small ISP consulting - I don't do Windows, and I'm getting overrun by Linux corrosion slowly. I route, I switch, I help with securing networks. And I do wear a lot of hats at my day job, but I remind them that they hired a specialist, and promised lots of server support all along the way. Granted, the Windows guy is overloaded and the UNIX/Linux guy would snore in front of his PHB... If you are in Nebraska I can help you with the Unemploy^WWorkforce Development paperwork. I didn't suggest saying I'm not gonna do it. I just suggested You hired me to deploy dynamic routing on your statically-routed network. What prompted you to think that I could configure site-wide anti-virus services such that no one ever reports a virus leak from our enterprise, without training, time to test and develop such a critical solution, or both? pt
Re: Platinum accounts for the Internet (was Re: who offers cheap (personal) 1U colo?)
Pete Templin wrote: Laurence F. Sheldon, Jr. wrote: Pete Templin wrote: There's a reason I've gotten out of small ISP consulting - I don't do Windows, and I'm getting overrun by Linux corrosion slowly. I route, I switch, I help with securing networks. And I do wear a lot of hats at my day job, but I remind them that they hired a specialist, and promised lots of server support all along the way. Granted, the Windows guy is overloaded and the UNIX/Linux guy would snore in front of his PHB... If you are in Nebraska I can help you with the Unemploy^WWorkforce Development paperwork. I didn't suggest saying I'm not gonna do it. I just suggested You hired me to deploy dynamic routing on your statically-routed network. What prompted you to think that I could configure site-wide anti-virus services such that no one ever reports a virus leak from our enterprise, without training, time to test and develop such a critical solution, or both? It turns out that they can hire people with all kinds of certifications that say they can do all of that for a lot less than what they are paying a specialist. -- Requiescas in pace o email
Re: Platinum accounts for the Internet (was Re: who offers cheap (personal) 1U colo?)
On Mon, 15 Mar 2004 04:57:03 -0500 (EST), Sean Donelan wrote: NANOG has less than 500 attendees, yet has about the same number as infected computers as any other ad-hoc network population. If true this is a very significant fact
Re: who offers cheap (personal) 1U colo?
Stephen J. Wilcox wrote: if the market for this is nanog and you're just looking for smtp/shell surely we can manage this between ourselves without charge (ask your nanog buddy for a shell as a favour).. I know I can and will do this Well, I do have motives beyond outbound smtp. I actually looked at some of the mail only services, but I really want someplace that will do IMAP and authenticated SMTP. I want to be able to configure how I filter spam, which I don't want to do at the MUA level because I'll need to access mail various ways from various locations. Besides mail, I want to be able to create and control firewall rules on the box. I also want to be able to set up Apache exactly like I want it, etc. And sometimes it's nice to have shell access on a machine in a different location for troubleshooting purposes. However, I do like the idea of setting up a community of like minded individuals who would be willing to do secondary MX and/or DNS for each other, and perhaps provide basic shell accounts... On the other hand, I'm a little leery of giving someone I don't know access to one of my boxes. I'm curious how a virtual colocation or dedicated server co-op could work, with values statements on how servers must be run (secure, no SPAM), etc. Would there be member fees? Would members have to democratically vote to let new members in after some kind of vetting process? Would anyone even be interested in such an idea? It would also be interesting to see what kind of monitoring tools could be developed with a diverse set of servers in different parts of the world... could we set up a co-op version of keynote monitoring, where we helped monitor each other?
Re: Platinum accounts for the Internet (was Re: who offers cheap (personal) 1U colo?)
On 15 Mar 2004 08:01:15 -0500 Robert E. Seastrom [EMAIL PROTECTED] wrote: Maybe NANOG needs to implement a system where you have to log in to a web page with your NANOG meeting passcode in order to get a usable IP address. Then, when an infected computer shows [...] Seconded. This is dirt simple to do. If we believe in public humiliation, a list of infected machines and their owners (along with [...] In the case of some networks and some type of malware, you might need to do more than this. For example, if a compromised host continues to spew out packets without a valid IP, this still eats link capacity. If the network is relatively flat, which it often is in wireless configurations, you still have a problem to solve before normal access for everyone else is restored. John
Re: Platinum accounts for the Internet (was Re: who offers cheap (personal) 1U colo?)
John, There are the beginnings of some wireless devices that are capable of directing wireless clients to cease transmission with L2 link control messages. These are just beginning to emerge, and unfortunately I'm certain that with only a matter of time people will write drivers that ignore such control messages. The end result is that AP's can effectively address a DoS at an invalid/penalty-boxed host on the wireless ether, and allow everyone else to remain connected. There is a b/w penalty for the flood of control messages. One implementation I have been researching leaves ~75% of b/w available for valid traffic. That doesn't seem too bad to me, but I need to research real stats for how much b/w is consumed by the worms in the first place. Cheers, Ben. John On 15 Mar 2004 08:01:15 -0500 John Robert E. Seastrom [EMAIL PROTECTED] wrote: Maybe NANOG needs to implement a system where you have to log in to a web page with your NANOG meeting passcode in order to get a usable IP address. Then, when an infected computer shows John [...] Seconded. This is dirt simple to do. If we believe in public humiliation, a list of infected machines and their owners (along with John [...] John In the case of some networks and some type of malware, you might need to John do more than this. For example, if a compromised host continues to spew John out packets without a valid IP, this still eats link capacity. If the John network is relatively flat, which is often is in wireless configurations, John you still have a problem to solve before normal access for everyone else John is restored. John John
Re: Platinum accounts for the Internet (was Re: who offers cheap (personal) 1U colo?)
Laurence F. Sheldon, Jr. wrote: Pete Templin wrote: I didn't suggest saying I'm not gonna do it. I just suggested You hired me to deploy dynamic routing on your statically-routed network. What prompted you to think that I could configure site-wide anti-virus services such that no one ever reports a virus leak from our enterprise, without training, time to test and develop such a critical solution, or both? It turns out that they can hire people with all kinds of certifications that say thye can do all of that for a lot less than what they are paying a specialist. You're right again. But those generalists would earn a spot on the don't hire these top network engineers to maintain your fleet of windows boxes list projected on the screen, while the specialists either wouldn't be doing work outside their scope or the PHB would understand that it's not their specialty. pt
Re: Platinum accounts for the Internet (was Re: who offers cheap (personal) 1U colo?)
I expect, that good (tier-3, to say) network engineer MUST know Windows and Unix (== Linux, FreeBSD etc) on tier-2 (or better) level. Else, he will not be able to troubleshoot his _network problem_ (because they are more likely complex Network + System + Application + Cable problem). So, it is not a good answer. - Original Message - From: Pete Templin [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, March 15, 2004 7:16 AM Subject: Re: Platinum accounts for the Internet (was Re: who offers cheap (personal) 1U colo?) Laurence F. Sheldon, Jr. wrote: Pete Templin wrote: There's a reason I've gotten out of small ISP consulting - I don't do Windows, and I'm getting overrun by Linux corrosion slowly. I route, I switch, I help with securing networks. And I do wear a lot of hats at my day job, but I remind them that they hired a specialist, and promised lots of server support all along the way. Granted, the Windows guy is overloaded and the UNIX/Linux guy would snore in front of his PHB... If you are in Nebraska I can help you with the Unemploy^WWorkforce Development paperwork. I didn't suggest saying I'm not gonna do it. I just suggested You hired me to deploy dynamic routing on your statically-routed network. What prompted you to think that I could configure site-wide anti-virus services such that no one ever reports a virus leak from our enterprise, without training, time to test and develop such a critical solution, or both? pt
.edueyeball LART RE: who offers cheap (personal) 1U colo?
: This is a topic I get very soap-boxish about. I have too : many problems with providers who don't understand the college : student market. I can think of one university who requires : students to login through a web portal before giving them a : routable address. This is such a waste of time for both : parties. Sure it makes tracking down the abusers much : easier, but is it worth the time and effort to manage? This : is a very legitimate idea for public portals in common areas, : but not in dorm rooms. In a dorm room situation or an : apartment situation, you again know the physical port the : DHCP request came in on. You then know which room that port : is connected to and you therefore have a general idea of who : the abuser is. So what's the big deal if you turn off the : ports to the room until the users complain and the problem is : resolved? Since no one's mentioned it, the program everyone is referring to is netreg: www.netreg.org www.net.cmu.edu/netreg Also, most .edueyeball networks have (and have always had) a VERY low budget for networking stuff. As a result, generally, there is little to no plant map documentation, so it isn't the case of looking up the physical port on a map and shutting it off. Netreg allows you to bad web folks. They can go nowhere until they call the helpdesk. It's a great LART. :-) === That's an evil smile... scott
Re: Platinum accounts for the Internet (was Re: who offers cheap (personal) 1U colo?)
On Mon, 15 Mar 2004, Alexei Roudnev wrote: : I expect, that good (tier-3, to say) network engineer MUST know Windows and : Unix (== Linux, FreeBSD etc) on tier-2 (or better) level. Else, he will not : be able to troubleshoot his _network problem_ (because they are more likely : complex Network + System + Application + Cable problem). : : So, it is not a good answer. Not true in many cases. All I have to prove is it's not the network and then I hand it off to the windows/*nix/whatever sysadmins. To prove it's not the network, I don't need to know the end systems in any sort of detail. scott : : - Original Message - : From: Pete Templin [EMAIL PROTECTED] : To: [EMAIL PROTECTED] : Sent: Monday, March 15, 2004 7:16 AM : Subject: Re: Platinum accounts for the Internet (was Re: who offers cheap : (personal) 1U colo?) : : : : Laurence F. Sheldon, Jr. wrote: : : Pete Templin wrote: : There's a reason I've gotten out of small ISP consulting - I don't do : Windows, and I'm getting overrun by Linux corrosion slowly. I route, : I switch, I help with securing networks. And I do wear a lot of hats : at my day job, but I remind them that they hired a specialist, and : promised lots of server support all along the way. Granted, the : Windows guy is overloaded and the UNIX/Linux guy would snore in front : of his PHB... : : If you are in Nebraska I can help you with the Unemploy^WWorkforce : Development paperwork. : : I didn't suggest saying I'm not gonna do it. I just suggested You : hired me to deploy dynamic routing on your statically-routed network. : What prompted you to think that I could configure site-wide anti-virus : services such that no one ever reports a virus leak from our enterprise, : without training, time to test and develop such a critical solution, or : both? : : pt : :
Re: Platinum accounts for the Internet (was Re: who offers cheap (personal) 1U colo?)
Not true in many cases. All I have to prove is it's not the network and then I hand it off to the windows/*nix/whatever sysadmins. To prove it's not the network, I don't need to know the end systems in any sort of detail. to pass the buck, one needs to know nothing. what makes a great noc engineer is taking ownership of the user's problem. randy
Re: Platinum accounts for the Internet (was Re: who offers cheap (personal) 1U colo?)
On Mon, Mar 15, 2004 at 12:21:54PM -1000, Randy Bush wrote: Not true in many cases. All I have to prove is it's not the network and then I hand it off to the windows/*nix/whatever sysadmins. To prove it's not the network, I don't need to know the end systems in any sort of detail. to pass the buck, one needs to know nothing. what makes a great noc engineer is taking ownership of the user's problem. The fact of the matter is, business environments today do not frequently seek specific expertise to solve specific problems, preferring instead to (ab)use existing employees to do more than they were hired to do with less time, less training, and fewer resources than they need. Similarly, experts brought in from the outside are usually expected to opine on their areas of expertise as little as possible so that they can be similarly (ab)used to do things other than what they were contracted to do. While taking responsibility for solving problems is an important quality, knowing how to effectively use your time is equally important. On a good note, contract killers seem exempt from this trend. Kelly
Re: Platinum accounts for the Internet (was Re: who offers cheap (personal) 1U colo?)
On Mon, 15 Mar 2004, Randy Bush wrote: : Not true in many cases. All I have to prove is it's not the network and : then I hand it off to the windows/*nix/whatever sysadmins. To prove : it's not the network, I don't need to know the end systems in any sort of : detail. : : to pass the buck, one needs to know nothing. what makes a great noc : engineer is taking ownership of the user's problem. In smaller networks, sure. However, it's not about passing the buck in large networks. It's about responsibilities. There, if you take ownership of the sysadmin's part of the ticket (where there're a lot of sysadmins for every OS), you'll likely get =them= chopped off and hung on the wall as an example to others. I would be pissed if one of the sysadmin folks tried to troubleshoot the backbone network instead of handing it off to me after clearing their part of the problem... All I need to do is clear my part and pass it to them with all helpful data points included in the ticket. Any more than that and I'm stomping on other folks' toes. scott
Re: Platinum accounts for the Internet (was Re: who offers cheap (personal) 1U colo?)
On Mon, 15 Mar 2004 [EMAIL PROTECTED] wrote: Maybe NANOG needs to implement a system where you have to log in to a web page with your NANOG meeting passcode in order to get a usable IP address. Then, when an infected computer shows up we will know exactly whose it was. Might even be interesting for a researcher to interview every infected party and figure out why it is happening even among a supposedly clueful group. I find it ironic that one of the presentations at the last nanog was about a system kind of like that: http://www.nanog.org/mtg-0402/gauthier.html and that we had some luser on the nanog30 wireless network infected by SQL slammer. Does anyone know who that was, how/if they were located and removed from the network, and whether they brought an infected PC (either via stupidity or as a joke) or simply brought an unpatched system out from behind their firewall/packet filters and got infected before they got a chance to actually use the network? After that incident, I sniffed the wireless for a little while and noticed slammer is alive and well out on the internet and still trying to infect the rest of the internet. We're still blocking it at our transit borders. The one time it was removed (accidentally), a colo customer was infected very shortly after the filter's protection was lost. -- Jon Lewis [EMAIL PROTECTED]| I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: Platinum accounts for the Internet (was Re: who offers cheap (personal) 1U colo?)
I find it ironic that one of the presentations at the last nanog was about a system kind of like that: http://www.nanog.org/mtg-0402/gauthier.html and that we had some luser on the nanog30 wireless network infected by SQL slammer. Well it wouldn't be nanog without a few infections, password grabs and other random security breaches Does anyone know who that was, how/if they were located and removed from the network, and whether they brought an infected PC (either via stupidity or as a joke) or simply brought an unpatched system out from behind their firewall/packet filters and got infected before they got a chance to actually use the network? Probably genuine error (clueless/oversight), no names.. where is Randy when you want him? After that incident, I sniffed the wireless for a little while and noticed slammer is alive and well out on the internet and still trying to infect the rest of the internet. *jlewis in network sniffing shock!* We're still blocking it at our transit borders. The one time it was removed (accidentally), a colo customer was infected very shortly after the filter's protection was lost. yeah there's lots, we filter for several known worms on the gateway routers at the meetings we sponsor, i recommend nanog sponsors do the same (altho it can't save u from the devil within) Steve -- Jon Lewis [EMAIL PROTECTED]| I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: Platinum accounts for the Internet (was Re: who offers cheap (personal) 1U colo?)
Ok - is name resolution issue network issue or not? if it is, how can you answer anything without knowing, for example, of existing Windows DNS client with internal cache, and difference between 'ping' and 'nslookup' name resolution on Solaris? Is ARP problem - network one or not? if it is, how can you determine, what happen, if some crazy server became ARP proxy and sends wrong information to everyone? For tier-2 - I agree. For real tier-3 - I can not. Those friends, who are excellent network engineers (much better than me, with CCIE and other _really good_ experience), knows Windows and Unix on a very good level. (of course, if some HR asks them 'where is configuration file for SAMBA on Solaris - no one answer, but it does not mean that they do not know Solaris; and you can always meet religious people 'my god is MS / my god is Linux'). - Original Message - From: Scott Weeks [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, March 15, 2004 1:32 PM Subject: Re: Platinum accounts for the Internet (was Re: who offers cheap (personal) 1U colo?) On Mon, 15 Mar 2004, Alexei Roudnev wrote: : I expect, that good (tier-3, to say) network engineer MUST know Windows and : Unix (== Linux, FreeBSD etc) on tier-2 (or better) level. Else, he will not : be able to troubleshoot his _network problem_ (because they are more likely : complex Network + System + Application + Cable problem). : : So, it is not a good answer. Not true in many cases. All I have to prove is it's not the network and then I hand it off to the windows/*nix/whatever sysadmins. To prove it's not the network, I don't need to know the end systems in any sort of detail. scott : : - Original Message - : From: Pete Templin [EMAIL PROTECTED] : To: [EMAIL PROTECTED] : Sent: Monday, March 15, 2004 7:16 AM : Subject: Re: Platinum accounts for the Internet (was Re: who offers cheap : (personal) 1U colo?) : : : : Laurence F. Sheldon, Jr. 
wrote: : : Pete Templin wrote: : There's a reason I've gotten out of small ISP consulting - I don't do : Windows, and I'm getting overrun by Linux corrosion slowly. I route, : I switch, I help with securing networks. And I do wear a lot of hats : at my day job, but I remind them that they hired a specialist, and : promised lots of server support all along the way. Granted, the : Windows guy is overloaded and the UNIX/Linux guy would snore in front : of his PHB... : : If you are in Nebraska I can help you with the Unemploy^WWorkforce : Development paperwork. : : I didn't suggest saying I'm not gonna do it. I just suggested You : hired me to deploy dynamic routing on your statically-routed network. : What prompted you to think that I could configure site-wide anti-virus : services such that no one ever reports a virus leak from our enterprise, : without training, time to test and develop such a critical solution, or : both? : : pt : :
Re: Platinum accounts for the Internet (was Re: who offers cheap (personal) 1U colo?)
Is it bad, If they (your sysadmins) understand your backbone infrastructure and understand such things, as MTU MTU discovery, knows about ACL filters (without extra details) and existing limitations? They are not required to know about VPN mode or T3 card configuration, but they must understand basic things. Else, everything ends up in a long delays and 10 person technical meetings (by the phone, of course) - which is the best way of wasting anyone's time. : : to pass the buck, one needs to know nothing. what makes a great noc : engineer is taking ownership of the user's problem. In smaller networks, sure. However, it's not about passing the buck in large networks. It's about responsibilities. There, if you take ownership of the sysadmin's part of the ticket (where there're a lot of sysadmins for every OS), you'll likely get =them= chopped off and hung on the wall as an example to others. I would be pissed if one of the sysadmin folks tried to troubleshoot the backbone network instead of handing it off to me after clearing their part of the problem... All I need to do is clear my part and pass it to them with all helpful data points included in the ticket. Any more than that and I'm stomping on other folks' toes. scott
Re: .edueyeball LART RE: who offers cheap (personal) 1U colo?
On Mon, 15 Mar 2004 11:27:42 -1000, Scott Weeks [EMAIL PROTECTED] said: Also, most .edueyeball networks have (and have always had) a VERY low budget for networking stuff. As a result, generally, there is little to no plant map documentation, so it isn't the case of looking up the physical port on a map and shutting it off. OK, maybe our network crew is more clued and better financed than most, but we discovered long ago that although having all the plant documented is expensive, the alternative is even more costly in the long run.
Re: who offers cheap (personal) 1U colo?
On Mon, 15 Mar 2004, Eric Brunner-Williams in Portland Maine wrote: Certainly the point central to your argument is that with the right abuse-desk to customer ratio AND the right customer base, things could be kept clean for smtp/web/ftp/blah 'hosting'. I'll take the right customer base for $50 please Alex. which is NOT the current dsl/cable-modem user, obviously? This is most certainly the case... I look forward to seeing your list of providers and prices :) Rick Adams and Mike O'Dell had an idea in 1987. How is this any different? mumble, mumble giant telephone company mumble mumble... In all seriousness, I'm not sure this is any different. Their idea, if I got it right, was 'ip everywhere'. Perhaps providing smaller scale 'good' colo with strong abuse/support is possible, just don't get greedy and get gigantic. Paul, does your list include those providers that provide the hardware upfront also? or is part of your deal that the equipment comes from the customer so they are more willing to behave?
Re: who offers cheap (personal) 1U colo?
Rick Adams and Mike O'Dell had an idea in 1987. How is this any different? actually rick had the idea by himself in 1987. mike came a bit later. Their idea, if I got it right, was 'ip everywhere'. in that most other companies still thought ISO/OSI was going to be the commercial protocol of choice, the idea (which was alternet, not the original 1987 uunet), yes, rick's idea was i'll bet you're all wrong and that IP will be the way commercial data networking actually builds out. Perhaps providing smaller scale 'good' colo with strong abuse/support is possible, just don't get greedy and get gigantic. the greed problems don't come in with customer base size but rather management team experience. once you get folks running the business who don't know the industry or the culture or the customers, they start to think in terms of margin pressure. a modern-uunet-sized abuse desk should cost about $2M a year, but would add nothing to revenue, so they don't have it. there's no reason you couldn't fill out a 20Ksqft colo room with personal 1U boxes, as long as you were willing to spend the same or more money per customer (on customer care issues) as you did when it was a half rack. that means your margin will not grow at the same speed as your revenues, and may actually shrink as a function of revenue growth. that in turn means that the founders will have to run it forever, you will not be able to rent a CEO who graduated business school and simultaneously defend the reputation of the colo and its IP address space. (go figure.) Paul, does your list include those providers that provide the hardware upfront also? or is part of your deal that the equipment comes from the customer so they are more willing to behave? under duress, i'm listing all three kinds (virtual, included, and BYO1U). note that the virtuals have got me quite concerned since there's NO evidence that a deposit is taken. 
spammers are going to have a field day with them, and i expect to have to drop them from the list, but first, we'll try it and hope for the best. -- Paul Vixie
Re: who offers cheap (personal) 1U colo?
[EMAIL PROTECTED] writes: And then there's the newer high-density rackmount units like http://www.rlx.com/products/serverblades/dense.php. This product puts up to 24 server blades in a 3U chassis which basically means you can put 8 times as many servers in a rack. sadly, the blade vendors don't want you to be able to buy your backplane from source A and your blades from sources B, C, and D. in this niche, people often already have a 1U or have a special way of getting one (like e-bay or office surplus), and they need plug and play at the colo level. when there's a blade standard that integrates power, perhaps cooling (liquid or conduction), network, and serial or other outofband console, then we might see blade servers used for personal colo boxes. until then the smallest standard interface is a 1U w/ DB9, 100baseTX, and 3prong power. And if any of you have played with things like the Zaurus C760/C860 then you know where all this is headed. $50/month today, $25/month in a year or two, and then in about 5 years it will be a free perk if you sign a two-year contract with your broadband provider. given the number of virtual hosters i've heard from, i don't think it'll end like that. ultimately it'll end with something very much like multics was planned to be. in fact this seems more likely than a standard blade interface. -- Paul Vixie
Re: who offers cheap (personal) 1U colo?
On Mon, 15 Mar 2004, John Kristoff wrote: There are certain environments where it would be nice for people to have spent some time. Working at a university would be one good experience for many people, particularly in this field, to have had. I fully agree...This is the one environment where you definitely can't trust your users. Unlike most home markets and corporate markets. These kids often forget they are paying for service and thus abuse it. think of one university who requires students to login through a web portal before giving them a routable address. This is such a waste of In most implementations I'm familiar with, the time and effort is mostly spent in the initial deployment of such a system. I'm not referring to the time required to implement. I'm talking about the time it takes for the user. On the user end. Let's do some simple math. Let's say I turn on my laptop before I shower, I power it down during the day while I'm in class and I turn it back on when I get home in the evening. This means two logins per day. Let's say that the login process is very rapid and takes 30 seconds. This is a whole minute per day required to login. Now multiply this by a month and you've wasted 30 minutes of my time. I coulda spent that time watching TV or heaven forbid, doing homework. :) My big thing is that often users are the one who are paying the price and spending the time. I think either system (the mac-ip lookup or the user auth) system could be created in a week using C++ or perl. This week of development is nothing in the long run when compared to the amount of time it now costs the users. Come on, how many users save their mail passwords so they don't have to type it in every time? What about your dialup password? Too bad I can't automate the web logins. I don't know a single normal (not one of us NANOG folks...) user who has not opted to save their WinXP password so they don't have to type it in every time they reboot the computer. 
Andrew --- [EMAIL PROTECTED] http://www.andrewsworld.net/ ICQ: 2895251 Cisco Certified Network Associate Learn from the mistakes of others. You won't live long enough to make all of them yourself.
RE: who offers cheap (personal) 1U colo?
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andrew Dorsett Sent: March 15, 2004 11:17 PM To: John Kristoff Cc: [EMAIL PROTECTED] Subject: Re: who offers cheap (personal) 1U colo? I'm not referring to the time required to implement. I'm talking about the time it takes for the user. On the user end. Let's do some simple math. Let's say I turn on my laptop before I shower, I power it down during the day while I'm in class and I turn it back on when I get home in the evening. This means two logins per day. Let's say that the login process is very rapid and takes 30 seconds. This is a whole minute per day required to login. Now multiply this by a month and you've wasted 30 minutes of my time. I coulda spent that time watching TV or heaven forbid, doing homework. :) My big thing is that often users are the one who are paying the price and spending the time. I think either system (the mac-ip lookup or the user auth) system could be created in a week using C++ or perl. This week of development is nothing in the long run when compared to the amount of time it now costs the users. Come on, how many users save their mail passwords so they don't have to type it in every time? What about your dialup password? Too bad I can't automate the web logins. You must be talking about a different Netreg system than the one everyone else has used. The one we're talking about involves you logging in when you connect with an unknown MAC - once you've used the system to match your MAC to your student number/login/etc, then the DHCP server will give you a real IP the next time you request a lease... Vivien -- Vivien M. [EMAIL PROTECTED] Assistant System Administrator Dynamic Network Services, Inc. http://www.dyndns.org/
RE: who offers cheap (personal) 1U colo?
On Mon, 15 Mar 2004, Vivien M. wrote: You must be talking about a different Netreg system than the one everyone else has used. The one we're talking about involves you logging in when you connect with an unknown MAC - once you've used the system to match your MAC to your student number/login/etc, then the DHCP server will give you a real IP the next time you request a lease... Yes I am... I am referring to a system which an unmentionable university has in place. It requires the user to enter their username and password each time the link state changes before they are allowed outside of the local lan. This is also similar to the new port authentication system on the Extreme Networks switches. It automatically delves out an address to the user so they can access a login portal and then it reissues them a legitimate address once they have been authenticated. This is a pretty slick setup for mobile users who connect in temporarily to public portals but it makes little sense in a fixed network environment of a dorm room or office. Andrew --- [EMAIL PROTECTED] http://www.andrewsworld.net/ ICQ: 2895251 Cisco Certified Network Associate Learn from the mistakes of others. You won't live long enough to make all of them yourself.
Re: who offers cheap (personal) 1U colo?
On Sun, Mar 14, 2004 at 12:10:01AM -0800, George William Herbert wrote: I do not know that there are several racks full of people like me, even in the SF Bay area, but I would be willing to bet that the answer is yes. What would be nice is someone who charges you for bandwidth, not for data transferred. There's an excellent company in the UK who do exactly this: www.mailbox.net.uk for ~UKP65 a month you can get 256kb/s in 2U. Something needs to be developed along these lines: 256kb/s sustained = ~80gbyte month transferred. The current bandwidth limit should be calculated such that based on how much I've used since the start of the month, my bw cap would go up or down to keep me on the average to end at 80gbyte. Example: If I only use 128k/s sustained for 15 days (total 20Gb), for the last 15 days I should be allowed to use ~384kb/s so that I end exactly at my allotted 80Gb, no more. Now *that* would be useful. -- Avleen Vig Systems Administrator Personal: www.silverwraith.com EFnet:irc.mindspring.com (Earthlink user access only)
Re: who offers cheap (personal) 1U colo?
$50/month at 40U rentable is $2000/rack/month if it's full. after paying for 60A of power and 50Mbits/sec of transit and whatever the rack rents for, the provider's gross margin will be between 25% and 50%, out of which they have to pay salaries. as a standalone business this makes no sense, but at scale or as part of another business, $50/month @1U is just about right. I've only seen a few comments on the business aspect of this, so I'd like to throw my two cents in. Given: at least certain Linux distributions are free to copy Given: the various BSD distributions are all free to copy Given: vmware workstation is a relatively low-cost product Given: Linux and BSD run in virtual machines on Vmware on Linux Question: Why can't a provider sell virtual PC colocation, instead of physical PC colocation? So instead of 40 physical machines per rack, why can't it be 80 or 160 or even more virtual machines, running on 40 physical Linux boxes? I think the economics could shift significantly under those circumstances. For personal colo the virtual CPU would probably be idle at least 99% of the time. My home servers usually are. Which means that when hosting 4 typical virtual machines a real CPU would still be mostly idling. Also a small IDE drive now is about 120 GB. Divide that by 4 and each colo still has 30 GB of disk space, more than enough for most needs. The hardware cost per machine certainly goes down, and other than the vmware licenses the OS software is free, either BSD licensed free or GPL licensed free. Either is good enough for this purpose. Is some hosting company already doing this?
Re: who offers cheap (personal) 1U colo?
On Sun Mar 14, 2004 at 02:42:20AM -0800, Bohdan Tashchuk wrote: Is some hosting company already doing this? http://www.bytemark-hosting.co.uk/ Simon -- Simon Lockhart | Tel: +44 (0)1628 407720 (x(01)37720) | Si fractum Technology Manager | Fax: +44 (0)1628 407701 (x(01)37701) | non sit, noli BBC Internet Ops | Email: [EMAIL PROTECTED]| id reficere BBC Technology, Maiden House, Vanwall Road, Maidenhead. SL6 4UB. UK
Re: who offers cheap (personal) 1U colo?
Simon Lockhart wrote: On Sun Mar 14, 2004 at 02:42:20AM -0800, Bohdan Tashchuk wrote: Is some hosting company already doing this? http://www.bytemark-hosting.co.uk/ Simon Any which would offer operating systems where the source is not full of four letter words and license being questionable with some bowing to the legal action already? Or is it just fashionable to restrict an operation to Linux? Pete
Re: who offers cheap (personal) 1U colo?
On Sun Mar 14, 2004 at 01:48:44PM +0200, Petri Helenius wrote: Any which would offer operating systems where the source is not full of four letter words and license being questionable with some bowing to the legal action already? Or is it just fashionable to restrict an operation to Linux? If someone can point me to Virtual Solaris Machine, then I'd willingly offer that as a service (the colo I help run as a hobby is Sun only). The reason people are doing it on Linux is that it's available. (And, in the case of LVM, free) Simon
Re: who offers cheap (personal) 1U colo?
On Sun, 2004-03-14 at 06:31, Simon Lockhart wrote: On Sun Mar 14, 2004 at 02:42:20AM -0800, Bohdan Tashchuk wrote: Is some hosting company already doing this? http://www.bytemark-hosting.co.uk/ Here too: http://www.interland.com/shared/, and for less than $50 per month. I have had nothing but excellent experience with them. -Jim P.
Re: who offers cheap (personal) 1U colo?
Why shouldn't an individual be able to operate a server on their DSL or cable modem connection? Because DSL and cable modem networks have evolved into lowest-cost, widest-reach service networks designed to allow anyone with $30 access to a relatively fat pipe. As a result those networks have turned into rich sources of net garbage, and most clueful network operators have taken to defending themselves against this torrent of silliness. So, I suppose that the question is not so much of one being allowed to run a server on an xDSL or cable link, but of the real world effectiveness of doing so. Why prevent people from running servers on DSL and cable modem connections, yet say they could run an identical server in a colo? Why is one unsafe, and the other is considered Ok? Nothing is 100% safe, but I'd much rather accept unrestricted traffic from a network with 1000 customers and 2 geek engineers than from a network with 1,000,000 customers and 25 engineers on staff wading through mountains of abuse reports. At least at the smaller, more geek intensive level, there is a greater ability to deal with mischief in a timely and decisive fashion. -- Drew Linsalata The Gotham Bus Company, Inc. Colocation and Dedicated Access Solutions http://www.gothambus.com
Re: who offers cheap (personal) 1U colo?
On Sun, 14 Mar 2004, Simon Lockhart wrote: : If someone can point me to Virtual Solaris Machine, then I'd willingly offer : that as a service (the colo I help run as a hobby is Sun only). : : The reason people are doing it on Linux is that it's available. (And, in the : case of LVM, free) mmm, NetBSD. Runs on all of x86, amd64, and sparc64 hardware, and runs Linux and Solaris binaries (for the appropriate processor type). RAIDframe is free and included in the base system too. 8-) -- -- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED]
RE: who offers cheap (personal) 1U colo?
http://www.serverpronto.com -Original Message- From: Todd Vierling [mailto:[EMAIL PROTECTED] Sent: Sunday, March 14, 2004 8:56 AM To: Simon Lockhart Cc: [EMAIL PROTECTED] Subject: Re: who offers cheap (personal) 1U colo? On Sun, 14 Mar 2004, Simon Lockhart wrote: : If someone can point me to Virtual Solaris Machine, then I'd willingly offer : that as a service (the colo I help run as a hobby is Sun only). : : The reason people are doing it on Linux is that it's available. (And, in the : case of LVM, free) mmm, NetBSD. Runs on all of x86, amd64, and sparc64 hardware, and runs Linux and Solaris binaries (for the appropriate processor type). RAIDframe is free and included in the base system too. 8-) -- -- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: who offers cheap (personal) 1U colo?
Paul Vixie wrote: [EMAIL PROTECTED] (Sean Donelan) writes: If the block list operators think it is a dialup range, they pre-emptively block all the addresses in the range. that's because at $30/month there's no budget for a dialup provider to call their worm-infested customers one at a time and talk them through Windows Update, and the free antivirus software they include on their customer cdroms is crippleware or adware or both. providers who refuse to enter the race to the bottom can get their dialup blocks delisted from any blackhole list operator i know of, just by demonstrating clue and conviction. You're naive on this. There are enough of these blacklists, and many of them are totally unresponsive to an ISP's assertions (and empirical evidence) of aggressive handling of abuse. I know because I've tried to do this. An ISP *cannot* effectively change the status of these IP blocks...even with empirical evidence of dealing with abuse. It just doesn't happen. ... But large DSL or cable address ranges, even if the addresses are statically assigned to specific customers, are pre-emptively blocked. there's a sound statistical basis for this. and a strong abuse desk (which would show up as higher-than-$30/month-fees) would change those statistics and improve the reputation of that kind of address space. But you were just arguing above that it wasn't a statistical situation, and that a provider can get unlisted from these blacklists. Now you're arguing that it's a statistical thing, therefore it *doesn't* have to do with the empirical actions of the ISP. This second argument is the correct one, FWIW. It's statistical, and an individual ISP effectively cannot influence their listings on the blacklists. rather, i think that your employer and other dsl providers ought to get into the $50/month 1U colo business and market this to their power users and budget for a strong abuse desk for the small amounts of address space used by that function. 
(and if you do, please send me the URL and details.) I'm sorry, Paul, but the $50/month 1U colo business that you keep going on about is, at best, a niche market. It is not, and will not be, a substitute for DSL/Cable. At best, it will be in addition to DSL/Cable, which means an extra expense for customers, which means that it will never be more than a niche. Others have said, and they are absolutely right, that there is no real technical difference between a DSL line with a static IP, and a colo box. There are ISPs out there that are providing clueful DSL service, including allowing servers on it, with aggressive abuse response, at competitive price points. It can be, and is being, done. It's rare, yes, but it can be found. So, the argument that we need to all start selling $50/month 1U colo boxes because responsible DSL service can't be done is bogus. it would be marketing suicide to offer a different dsl-dhcp ip address to people willing to pay enough to budget for an abuse desk. You're wrong here. It can be done, and it can be done profitably. -- Jeff McAdams He who laughs last, thinks slowest. -- anonymous
Re: who offers cheap (personal) 1U colo?
netadm wrote: http://www.serverpronto.com Given the thread was started for people who want to get a server for mail clear of blocklists, why would I want to use a provider on a number of blocklists per http://www.openrbl.org/, including a SBL/ROKSO listing? Bob
RE: who offers cheap (personal) 1U colo?
I don't think you find ANY significant provider that does not have network blocks listed in block lists. -Original Message- From: Bob Snyder [mailto:[EMAIL PROTECTED] Sent: Sunday, March 14, 2004 11:51 AM To: [EMAIL PROTECTED] Subject: Re: who offers cheap (personal) 1U colo? netadm wrote: http://www.serverpronto.com Given the thread was started for people who want to get a server for mail clear of blocklists, why would I want to use a provider on a number of blocklists per http://www.openrbl.org/, including a SBL/ROKSO listing? Bob
RE: who offers cheap (personal) 1U colo?
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andrew Dorsett Sent: March 14, 2004 1:29 AM To: North American Noise and Off-topic Gripes Subject: Re: who offers cheap (personal) 1U colo? This is a topic I get very soap-boxish about. I have too many problems with providers who don't understand the college student market. I can think of one university who requires students to login through a web portal before giving them a routable address. This is such a waste of time for both parties. Sure it makes tracking down the abusers much easier, but is it worth the time and effort to manage? This is a very legitimate idea for public portals in common areas, but not in dorm rooms. In a dorm room situation or an apartment situation, you again know the physical port the DHCP request came in on. You then know which room that port is connected to and you therefore have a general idea of who the abuser is. So what's the big deal if you turn off the ports to the room until the users complain and the problem is resolved? Actually, you're forgetting what I think is the biggest reason for doing this: before the user registers via the web-based DHCP thing, they are shown the AUP and have to say they agree to it. If you just leave straight IP connections available in rooms, and people violate the AUP, they can QUITE credibly argue But I never read this AUP. The web-based DHCP registration system prevents that. Other advantages would be A) It prevents students (or at least, all but the most clueful) from taking multiple IPs and having hubs and such in their rooms B) It makes it very easy to track what MAC address/IP address is which person, as you yourself admitted. Sure, this system requires a bit of effort to set up initially (though I think open source implementations are easily available), but afterwards, you don't need to have your most clueful network engineer dig through to try and figure out which room is what IP. 
If you lower the clue level required to operate an abuse desk, I would argue you improve its efficiency in many cases... C) It avoids issues of changing ports. Let's say I'm in room 101, and my friend Bob is in room 102. I take my laptop to Bob's room and plug it into the network and go and do something dumb... If you hunt down my MAC address to a particular port, it looks like Bob is the AUP violator. If you have a registration system, you know that this MAC address belongs to me, not Bob. Oh, and what about wireless networks? I have my nice 802.11b card, how do you propose to track that without MAC registration (or hackish VPN systems, which are also deployed in some campuses)? [Note: most of the argument above assumes that people are not clueful enough to change their MAC address, of course... And I would argue that most college students are too busy getting drunk or saturating networks with P2P software to figure this out] Vivien -- Vivien M. [EMAIL PROTECTED] Assistant System Administrator Dynamic Network Services, Inc. http://www.dyndns.org/
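The room 101 / room 102 case from point C above, as an added Python sketch (not NetReg's code and not written by anyone in this thread): it models the flow described in the message, where an unknown MAC must register and accept the AUP before it gets a routable lease, then resolves an abuse report both by switch port and by registration. The pool prefixes, port names, user names, MAC addresses and timestamps are constructed, and, as the message itself notes, the result assumes nobody changes their MAC address.

```python
# Constructed model of a NetReg-style registration flow; not NetReg's own code.
from dataclasses import dataclass
from datetime import datetime

REGISTRATION_POOL = "10.99.0."  # assumed walled-garden pool for unknown MACs
ROUTABLE_POOL = "192.0.2."      # documentation prefix standing in for real space


def normalise(mac):
    """Store MACs in one canonical form so lookups do not miss on formatting."""
    return mac.lower().replace("-", ":")


@dataclass
class Lease:
    ip: str
    mac: str
    switch_port: str
    start: datetime
    end: datetime


class NetReg:
    def __init__(self, port_to_room):
        self.port_to_room = port_to_room  # the cable map a port-only scheme needs
        self.registered = {}              # mac -> (user, time the AUP was accepted)
        self.leases = []                  # lease history kept for the abuse desk
        self._next_host = {REGISTRATION_POOL: 10, ROUTABLE_POOL: 10}

    def register(self, mac, user, accepted_aup, when):
        # Registration is refused unless the user has agreed to the AUP,
        # which is what removes the "I never read it" defence.
        if not accepted_aup:
            raise PermissionError("AUP must be accepted before registration")
        self.registered[normalise(mac)] = (user, when)

    def dhcp_request(self, mac, switch_port, start, end):
        mac = normalise(mac)
        pool = ROUTABLE_POOL if mac in self.registered else REGISTRATION_POOL
        ip = f"{pool}{self._next_host[pool]}"
        self._next_host[pool] += 1
        lease = Lease(ip, mac, switch_port, start, end)
        self.leases.append(lease)
        return lease

    def attribute(self, ip, when):
        """Resolve an abuse report (IP, time) two ways: by port and by MAC owner."""
        for lease in self.leases:
            # Addresses get reused, so the report time must fall inside the lease.
            if lease.ip == ip and lease.start <= when < lease.end:
                user, aup_at = self.registered.get(lease.mac, (None, None))
                return {
                    "mac": lease.mac,
                    "by_port": self.port_to_room.get(lease.switch_port),
                    "by_registration": user,
                    "aup_accepted_at": aup_at,
                }
        return None  # no lease covers that time: nothing to attribute


def room_102_incident():
    """Constructed day: alice (room 101) plugs her laptop into bob's port."""
    def day(hour, minute=0):
        return datetime(2004, 3, 14, hour, minute)

    net = NetReg({"sw1/1": "room 101", "sw1/2": "room 102"})
    alice_mac, bob_mac = "00-0C-29-AA-BB-01", "00:0c:29:aa:bb:02"

    first = net.dhcp_request(alice_mac, "sw1/1", day(7), day(8))  # unknown MAC
    net.register(alice_mac, "alice", True, day(7, 5))
    net.register(bob_mac, "bob", True, day(7, 30))
    net.dhcp_request(alice_mac, "sw1/1", day(8), day(12))
    net.dhcp_request(bob_mac, "sw1/2", day(8), day(20))
    visit = net.dhcp_request(alice_mac, "sw1/2", day(20), day(23))

    return {
        "first_lease_ip": first.ip,
        "report": net.attribute(visit.ip, day(21, 30)),
        "unmatched": net.attribute(visit.ip, day(23, 30)),
    }


if __name__ == "__main__":
    for key, value in room_102_incident().items():
        print(key, "->", value)
```

The port lookup and the registration lookup disagree for the 21:30 report, which is the situation point C describes; the lease history with start and end times is what lets the abuse desk answer for a specific moment rather than for whoever holds the address now.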
Re: who offers cheap (personal) 1U colo?
(Three replies here.) [EMAIL PROTECTED] (Bohdan Tashchuk) writes: ... Question: Why can't a provider sell virtual PC colocation, instead of physical PC colocation? Some do. However, without a server that can be impounded and then sold on E-Bay, there's no reason to think that the provider will have less abuse volume from such customers than they would have from SMTP AUTH customers or DSL customers or what-have-you. Show me the sheet-metal. I've seen vmware, freebsd jails, linux lvm's. Unless the provider asks for a USD$1000 deposit against bad behaviour, refundable with interest after the first year... I don't expect the address space to have a good enough reputation that *I* would want to be in that neighborhood. [EMAIL PROTECTED] (Jim Popovitch) writes: Here too: http://www.interland.com/shared/, and for less than $50 per month. I have had nothing but excellent experience with them. InterLand has essentially got no abuse desk. My complaints to them about their customers mostly go unanswered. Blackholing them here has been my only recourse. Maybe you'd want to live in that kind of neighborhood, but not I. (Tell me an address block and I'll show you my lartomatic records.) [EMAIL PROTECTED] (Jeff McAdams) writes: I'm sorry, Paul, but the $50/month 1U colo business that you keep going on about is, at best, a niche market. It is not, and will not be, a substitute for DSL/Cable. I'm not presenting it as a substitute for DSL/Cable. I'm sure that many thousands of BSD-aware or Linux-aware power users will continue to love the price-performance ratio of DSL/Cable a lot more than they loved their modems. However, I'm calling a spade a spade -- DSL/Cable is usually just a replacement for a modem, and you'd better plan on having someplace real on the other side of that modem to have as your full time living space. At best, it will be in addition to DSL/Cable, which means an extra expense for customers, which means that it will never be more than a niche. 
I think we're in a same-planet-different-worlds scenario here. Because less than 1% of the internet population is capable of administering their own 1U (or virtual machine or whatever) running BSD or Linux, this whole thing is already a niche, irrespective of costs. (I'd've thought that was obvious.) Others have said, and they are absolutely right, that there is no real technical difference between a DSL line with a static IP, and a colo box. And others were wrong, when they said that. See George Herbert's excellent Message-Id: [EMAIL PROTECTED] for a fine rebuttal. There are ISPs out there that are providing clueful DSL service, including allowing servers on it, with aggressive abuse response, at competitive price points. It can be, and is being, done. It's rare, yes, but it can be found. In a minority of markets, that's true, and I hope that more such appear. So, the argument that we need to all start selling $50/month 1U colo boxes because responsible DSL service can't be done is bogus. One power user acting alone can sign up for a $50/month 1U personal colo. Only a well backed company can solve the no decent DSL in Sacramento problem. (And such a company would most likely be sucked into the race to the bottom by price-competition, so it's a risk at best unless you're first in a market that's unattractive to larger players.) it would be marketing suicide to offer a different dsl-dhcp ip address to people willing to pay enough to budget for an abuse desk. You're wrong here. It can be done, and it can be done profitably. Looks like you didn't read what you quoted. I know it can be done profitably but I also know that offering two price-levels of DSL, one with an abuse desk capable of calling you and telling you your XP box has been rooted and talking you through Windows Update; the other with a tailgate warranty -- this would be marketing suicide since the irresponsibility of the latter would become intolerable if it were thusly highlighted. -- Paul Vixie
Re: who offers cheap (personal) 1U colo?
Paul Vixie wrote: it would be marketing suicide to offer a different dsl-dhcp ip address to people willing to pay enough to budget for an abuse desk. You're wrong here. It can be done, and it can be done profitably. Looks like you didn't read what you quoted. I know it can be done profitably but I also know that offering two price-levels of DSL, one with an abuse desk capable of calling you and telling you your XP box has been rooted and talking you through Windows Update; the other with a tailgate warranty -- this would be marketing suicide since the irresponsibility of the latter would become intolerable if it were thusly highlighted. No, you're presenting a false dichotomy. A provider can provide a first-rate abuse desk, and still be price competitive. It can be done. It requires a fair amount of clue level in the ISP, but it most definitely can be done. -- Jeff McAdams He who laughs last, thinks slowest. -- anonymous
Re: who offers cheap (personal) 1U colo?
On Sun, Mar 14, 2004 at 01:29:29AM -0500, Andrew Dorsett wrote: This is a topic I get very soap-boxish about. I have too many problems with providers who don't understand the college student market. I can think of one university who requires students to login through a web portal before giving them a routable address. This is such a waste of time for both parties. Sure it makes tracking down the abusers much easier, but is it worth the time and effort to manage? This is a very In the UK it certainly does. To absolve ourselves of liability for misuse 'net access must be from an 'identifiable' user. This is part of our institution-wide security policy. legitimate idea for public portals in common areas, but not in dorm rooms. In a dorm room situation or an apartment situation, you again know the physical port the DHCP request came in on. You then know which room that port is connected to and you therefore have a general idea of who the abuser is. So what's the big deal if you turn off the ports to the room until the users complain and the problem is resolved? That's all very well if you have switches which can do DHCP option 82 but most educational institutions have strict budgets to work to, which may involve reuse of older kit which was previously used for core academic purposes. I guess this requires very detailed cable map databases and is something some providers are reluctant to develop. Scary thought. I'd say having a login system which identifies the user is considerably less difficult than maintaining a very extensive database of cable patches which will inevitably get out of date (think replacement of dead switches...) within a very short timeframe. It's much easier to index an abuse report from an IP directly to a username, there's less room for argument and error. Functionally, this is the way most broadband access networks are run anyway, username/password gets you the PPPoA or PPPoE session. W
Re: who offers cheap (personal) 1U colo?
On Sat, 13 Mar 2004, Stephen Sprunk wrote: Thus spake Steven M. Bellovin [EMAIL PROTECTED] filter, and the upstream repeaters are fed by a low-pass filter. If too many people are fielding home servers, it affects everyone. So DOCSIS has a technical limitation which may or may not apply. This is reasonable justification for limiting upstream bandwidth, not for specifying that users can't run servers. If users can run servers effectively in the limited available upstream bandwidth, then there is no _technical_ reason to prevent them. how are 'servers' (smtp/web/ftp/imap) different than the existing P2P apps? Wouldn't a cable provider, if the decision was based on upstream bandwidth sharing alone, care MORE about P2P than 'servers' ? Other last-mile technologies provide symmetric bandwidth yet providers still prohibit servers; this is clearly a business issue, not a technical one. Correct, or so it would seem... the cable modem providers can charge you more for a 'business class' service, which allows 'servers' to be hosted. --Chris (formerly [EMAIL PROTECTED]) ### ## UUNET Technologies, Inc. ## ## Manager ## ## Customer Router Security Engineering Team ## ## (W)703-886-3823 (C)703-338-7319 ## ###
Re: who offers cheap (personal) 1U colo?
On Sun, 14 Mar 2004, Paul Vixie wrote: [EMAIL PROTECTED] (Sean Donelan) writes: If the block list operators think it is a dialup range, they pre-emptively block all the addresses in the range. providers who refuse to enter the race to the bottom can get their dialup blocks delisted from any blackhole list operator i know of, just by demonstrating clue and conviction. There are several blacklists that clearly want more from the ISP than an explanation that the offenders are being/were removed... one good example is 'spews'. It has very little to do with the quality of the ISP's abuse desk. long term, it does. my sister is in sbc-dsl territory and before i linuxed her and tunneled her, i had a terrible time getting e-mail from her. the /24 that her nat/dsl box got by dhcp had a dozen open proxies in it. sbc's abuse desk sure as hell didn't want to hear from me about it and the owners of the infected pee cee's wouldn't've wanted to hear from me even if i'd had some way to identify them and offer them a free linux upgrade if they'd just open their front door and lead me to their pee cee. As was pointed out to me by a co-worker: Linux is not anymore inherently secure than any other OS. The difference really comes in the administration of the pee cee. So, would upgrading joe-random-user to Linux really make things better for them? (or us?) That is not clear at all at this point. Certainly the point central to your argument is that with the right abuse-desk to customer ratio AND the right customer base, things could be kept clean for smtp/web/ftp/blah 'hosting'. This is most certainly the case... I look forward to seeing your list of providers and prices :) --Chris (formerly [EMAIL PROTECTED]) ### ## UUNET Technologies, Inc. ## ## Manager ## ## Customer Router Security Engineering Team ## ## (W)703-886-3823 (C)703-338-7319 ## ###
Re: who offers cheap (personal) 1U colo?
Christopher L. Morrow wrote: how are 'servers' (smtp/web/ftp/imap) different than the existing P2P apps? Wouldn't a cable provider, if the decision was based on upstream bandwidth sharing alone, care MORE about P2P than 'servers' ? But the decision is a business decision, because you can make businesses pay more for something that can run servers. And it's harder to kludge smtp/http/etc. to work where servers are not permitted as p2p works by default. Pete
Re: who offers cheap (personal) 1U colo?
Paul Vixie wrote: every time i tell somebody that they shouldn't bother trying to send e-mail from their dsl or cablemodem ip address due to the unlikelihood of a well staffed and well trained and empowered abuse desk defending the reputation of that address space, i also say buy a 1U and put it someplace with a real abuse desk, and use your dsl or cablemodem to tunnel to that place. My cable modem provider filters port 25, so I can't run my own SMTP server. Their mail servers suck. Yes, I could pay for a business class cable modem connection and they'd unblock the port... but I'd likely still be filtered. Guess who is having a dedicated 1U set up right now? ;-) I think Paul is right, there is a small niche market for this.
Re: who offers cheap (personal) 1U colo?
On Sunday, March 14, 2004 4:58 PM [EST], Janet Sullivan [EMAIL PROTECTED] wrote: My cable modem provider filters port 25, so I can't run my own SMTP server. Their mail servers suck. Yes, I could pay for a business class cable modem connection and they'd unblock the port... but I'd likely still be filtered. Guess who is having a dedicated 1U set up right now? ;-) I think Paul is right, there is a small niche market for this. Hm, are there companies out there that offer outbound SMTP services (for people who are blocked, or which need a mail server that's not blacklisted because their provider isn't dealing with spam problems)? I never really looked into too much, but I haven't seen it offered on provider's sites outright. I was considering setting up a service like this (we have 2-3 outbound mail relay servers that are sitting idle because we don't need them yet), but wasn't sure how interested people would be. Like, say, setup a service that offers people the ability to send outbound mail through based on IP ACLs, possibly SMTP AUTH, TLS/SSL certs, and other things which could authenticate the sender, and have it accept SMTP on various other non-25 ports. -- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org The Abusive Hosts Blocking List http://www.ahbl.org
RE: who offers cheap (personal) 1U colo?
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Bruns Sent: March 14, 2004 5:19 PM To: [EMAIL PROTECTED] Subject: Re: who offers cheap (personal) 1U colo? Hm, are there companies out there that offer outbound SMTP services (for people who are blocked, or which need a mail server that's not blacklisted because their provider isn't dealing with spam problems)? I never really looked into too much, but I haven't seen it offered on provider's sites outright. Have you been looking at providers in the right industry? Such services are usually offered as addons by people who sell DNS services (especially dynamic DNS) and other such things designed to make it easier for people to run their own servers. They do exist, and as was pointed out earlier in this discussion, cost much less than the 1U colo alternative. We do it, and I know at least one or two others in our industry do... Vivien -- Vivien M. [EMAIL PROTECTED] Assistant System Administrator Dynamic Network Services, Inc. http://www.dyndns.org/
RE: who offers cheap (personal) 1U colo?
On Sun, March 14, 2004 5:45 pm, Vivien M. said: Have you been looking at providers in the right industry? Such services are usually offered as addons by people who sell DNS services (especially dynamic DNS) and other such things designed to make it easier for people to run their own servers. They do exist, and as was pointed out earlier in this discussion, cost much less than the 1U colo alternative. We do it, and I know at least one or two others in our industry do... I have actually. I see an awful lot of services for incoming SMTP filtering of spam/viruses, or just to hold the mail while you are offline, but haven't seen outgoing SMTP services - which is why I asked :-) -- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org The AHBL - http://www.ahbl.org
RE: who offers cheap (personal) 1U colo?
On Sun, 14 Mar 2004, Brian Bruns wrote: I have actually. I see an awful lot of services for incoming SMTP filtering of spam/viruses, or just to hold the mail while you are offline, but haven't seen outgoing SMTP services - which is why I asked :-) As I posted earlier in this thread, DynDNS.org's outgoing SMTP service (available on port 25 and several others as well): http://www.dyndns.org/services/mailhop/outbound/ Some others I know of off-hand: http://www.no-ip.com/services.php/mail/smtp http://www.smtp.com/ -- Tim Wilde [EMAIL PROTECTED] Systems Administrator Dynamic Network Services, Inc. http://www.dyndns.org/
Re: who offers cheap (personal) 1U colo?
On Sun, 14 Mar 2004, Bohdan Tashchuk wrote: Question: Why can't a provider sell virtual PC colocation, instead of physical PC colocation? Several do. We nearly bought a failing one that was doing a lot of this with a commercial Linux virtualization product. So instead of 40 physical machines per rack, why can't it be 80 or 160 or even more virtual machines, running on 40 physical Linux boxes? I think the economics could shift significantly under those circumstances. During the short time we managed their network and systems, I had to poke around on a couple of the virtual machines to fix customer issues. I don't remember how many virtual machines they ran per physical machine, but IIRC, they were all P4's with several GB of RAM. Each customer got root and their own IPs on what appeared to them to be a dedicated server. IIRC, Paul was suggesting part of the value in the $50/month colo deal was that customers were motivated to be good else you keep their server or ebay it. You lose that with the virtual private server model...but does anyone actually have in their contract/AUP that AUP violators will forfeit their hardware? We've kicked some spammer colo customers where I'd love to have had such a clause. I only know of one case where we did that...and it was for non-payment. The customer's hardware was worth less than their balance, so they chose to simply write us off. Being located in another country, it wasn't worth the effort to try extracting $ from them. -- Jon Lewis [EMAIL PROTECTED] | Senior Network Engineer | Atlantic Net | I route therefore you are | http://www.lewis.org/~jlewis/pgp for PGP public key
Re: who offers cheap (personal) 1U colo?
On Sun, 14 Mar 2004, Christopher L. Morrow wrote: There are several blacklists that clearly want more from the ISP than an explanation that the offenders are being/were removed... one good example is 'spews'. What do you think spews wants? My experience with them has been that that's pretty much the only thing that will satisfy them. I have had customer IPs in spews, and got them removed. I've also been collateral damage (at a consulting client's site), which sucks, but that's the stick spews wields. In most cases, that's encouragement enough for a provider to clean up their network or keep it from becoming a mess. Sometimes it's not. As was pointed out to me by a co-worker: Linux is not any more inherently secure than any other OS. The difference really comes in the administration of the pee cee. So, would upgrading joe-random-user to Linux really make things better for them? (or us?) That is not clear at all at this point. That's an argument for another list...but the short answer is no, giving JRU who knows nothing about Linux a default install, especially a popular one, say Red Hat, is not much, if any, better. They won't maintain it. It will be hacked. At least it probably won't be done with and then participate in email viruses. -- Jon Lewis [EMAIL PROTECTED] | Senior Network Engineer | Atlantic Net | I route therefore you are | http://www.lewis.org/~jlewis/pgp for PGP public key
Re: who offers cheap (personal) 1U colo?
On Sun, 14 Mar 2004 [EMAIL PROTECTED] wrote: On Sun, 14 Mar 2004, Christopher L. Morrow wrote: There are several blacklists that clearly want more from the ISP than an explanation that the offenders are being/were removed... one good example is 'spews'. What do you think spews wants? My experience with them has been that that's pretty much the only thing that will satisfy them. I have had That's funny since we've cleaned up several over the years, yet they are still listed... and in some cases the listings have expanded. :( Spews does not provide a decent path to get listings removed, and they don't seem to remove listings if you do show the change.
Re: who offers cheap (personal) 1U colo?
On Sun, 14 Mar 2004, Christopher L. Morrow wrote: What do you think spews wants? My experience with them has been that that's pretty much the only thing that will satisfy them. I have had That's funny since we've cleaned up several over the years, yet they are still listed... and in some cases the listings have expanded. :( Spews does not provide a decent path to get listings removed, and they don't seem to remove listings if you do show the change. You might want to post to NANAE (or better to new clean newsgroup news.admin.net-abuse.blocklisting) and actually say that such and such customer has been disconnected and or such and such ip block is no longer in use them). Most blacklist administrators don't really check on each and every listing every month (although they probably should to keep good lists, but spamhaus may be the only ones who do it and even with them I'm not sure). In fact one of the reasons I think that some blacklist operators have bad impression on UUNET is that you don't inform what you do and they think you do nothing, while in fact I'm sure it's not the case. -- William Leibzon Elan Networks [EMAIL PROTECTED]
Re: who offers cheap (personal) 1U colo?
Thus spake Christopher L. Morrow [EMAIL PROTECTED] On Sat, 13 Mar 2004, Stephen Sprunk wrote: So DOCSIS has a technical limitation which may or may not apply. This is reasonable justification for limiting upstream bandwidth, not for specifying that users can't run servers. If users can run servers effectively in the limited available upstream bandwidth, then there is no _technical_ reason to prevent them. how are 'servers' (smtp/web/ftp/imap) different than the existing P2P apps? Wouldn't a cable provider, if the decision was based on upstream bandwidth sharing alone, care MORE about P2P than 'servers' ? I don't know how common this is, but my ISP's AUP considers P2P apps to be servers and thus banned. I don't use file-sharing apps so this doesn't really affect me, but I'm betting my SIP phone is technically a violation too. S -- Stephen Sprunk, CCIE #3723, K5SSS. "Stupid people surround themselves with smart people. Smart people surround themselves with smart people who disagree with them." --Aaron Sorkin
Re: who offers cheap (personal) 1U colo?
Thus spake Vivien M. [EMAIL PROTECTED] Actually, you're forgetting what I think is the biggest reason for doing this: before the user registers via the web-based DHCP thing, they are shown the AUP and have to say they agree to it. If you just leave straight IP connections available in rooms, and people violate the AUP, they can QUITE credibly argue But I never read this AUP. The web-based DHCP registration system prevents that. Students have an existing legal relationship with the school; they can be required to accept the AUP in writing at some point during the enrollment process. Other advantages would be A) It prevents students (or at least, all but the most clueful) from taking multiple IPs and having hubs and such in their rooms There's nothing inherently wrong with that. B) It makes it very easy to track what MAC address/IP address is which person, as you yourself admitted. Sure, this system requires a bit of effort to set up initially (though I think open source implementations are easily available), but afterwards, you don't need to have your most clueful network engineer dig through to try and figure out which room is what IP. If you lower the clue level required to operate an abuse desk, I would argue you improve its efficiency in many cases... Tracking an IP address to a particular switch port via ARP and bridging tables is straightforward; however this relies on detailed cabling plant data. C) It avoids issues of changing ports. Let's say I'm in room 101, and my friend Bob is in room 102. I take my laptop to Bob's room and plug it into the network and go and do something dumb... If you hunt down my MAC address to a particular port, it looks like Bob is the AUP violator. If you have a registration system, you know that this MAC address belongs to me, not Bob. Or, if you use 802.1x, you can skip the MAC registration and identify the user directly each time he logs in. Oh, and what about wireless networks? 
I have my nice 802.11b card, how do you propose to track that without MAC registration (or hackish VPN systems, which are also deployed in some campuses)? 802.1x S -- Stephen Sprunk, CCIE #3723, K5SSS. "Stupid people surround themselves with smart people. Smart people surround themselves with smart people who disagree with them." --Aaron Sorkin
Re: who offers cheap (personal) 1U colo?
On Sun, 14 Mar 2004, Stephen Sprunk wrote: Students have an existing legal relationship with the school; they can be required to accept the AUP in writing at some point during the enrollment process. They may have legal relationship with the school but internet service can be considered to be an added service that is not available until you actually ask for it. This is like parking - there are always some rules and regulations for when you use school garage (usually written on the wall or available from parking attendant), if you don't use the garage and park your car somewhere else (or don't have car at all), you don't have to bother with parking rules. Same for internet access - students don't have to use school internet access, they can buy internet access from some other ISP or they might not have a computer at all. But if they use internet access, they accept rules regarding it - i.e. AUP. -- William Leibzon Elan Networks [EMAIL PROTECTED]
Re: who offers cheap (personal) 1U colo?
Stephen Sprunk wrote: Thus spake Vivien M. [EMAIL PROTECTED] Actually, you're forgetting what I think is the biggest reason for doing this: before the user registers via the web-based DHCP thing, they are shown the AUP and have to say they agree to it. If you just leave straight IP connections available in rooms, and people violate the AUP, they can QUITE credibly argue But I never read this AUP. The web-based DHCP registration system prevents that. Students have an existing legal relationship with the school; they can be required to accept the AUP in writing at some point during the enrollment process. It all comes down to how you view the people on your network--students, faculty, administrators, subscribers, whatever. If they are customers you take one set of views and one way of solving problems. If you see them as lusers, you take another. -- Requiescas in pace o email
Re: who offers cheap (personal) 1U colo?
--On Sunday, March 14, 2004 19:14 -0600 Stephen Sprunk [EMAIL PROTECTED] wrote: Students have an existing legal relationship with the school; they can be required to accept the AUP in writing at some point during the enrollment process. Experiment ... go to a college dorm that's wired, plug your laptop or PC in, start using the net. Assumption here of course is you're not a student there. Nine times out of ten you won't be challenged and you'll be allowed to use the network. Students also often have friends over that use their systems. Thus you can't assume that every user is a student or faculty. -- Undocumented Features quote of the moment... It's not the one bullet with your name on it that you have to worry about; it's the twenty thousand-odd rounds labeled `occupant.' --Murphy's Laws of Combat
RE: who offers cheap (personal) 1U colo?
On Sun, 14 Mar 2004, Tim Wilde wrote: : I have actually. I see an awful lot of services for incoming SMTP : filtering of spam/viruses, or just to hold the mail while you are offline, : but haven't seen outgoing SMTP services - which is why I asked :-) : : As I posted earlier in this thread, DynDNS.org's outgoing SMTP service : (available on port 25 and several others as well): : : http://www.dyndns.org/services/mailhop/outbound/ : : Some others I know of off-hand: : : http://www.no-ip.com/services.php/mail/smtp : http://www.smtp.com/ http://www.pobox.com/ - All accounts come with free (but must be enabled in the web admin interface) SASL-authenticated outbound SMTP. See this mail's headers. I don't mean to rain on Tim's parade, but it's comparably priced ($15/yr). So pick which service provides the pair of things you need: SMTP and dynamic DNS (dyndns.org), or SMTP and aliasing (pobox.com). -- -- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED]
RE: who offers cheap (personal) 1U colo?
On Sun, 14 Mar 2004, Vivien M. wrote: credibly argue But I never read this AUP. The web-based DHCP registration system prevents that. Ok, I'll give that one to you. :) Got me there hehehe Though now we are making the AUP a part of the freshman orientation session so there are no excuses. Plus they agree to it when they place the installation cd in their drive (if they use the installation cd which many don't) A) It prevents students (or at least, all but the most clueful) from taking multiple IPs and having hubs and such in their rooms That's protected by port security. Just limit them to one mac address per port. So only the last machine transmitting will get the reply. Works quite well, shut me down for a few days a few years ago when it was first turned on. B) It makes it very easy to track what MAC address/IP address is which person, as you yourself admitted. Sure, this system requires a bit of effort to set up initially (though I think open source implementations are easily available), but afterwards, you don't need to have your most clueful network engineer dig through to try and figure out which room is what IP. If you lower the clue level required to operate an abuse desk, I would argue you improve its efficiency in many cases... See this is not something that requires a clueful engineer. Only requires the clueful engineer to create a script that does it all automatically. In fact I've seen the web interface to the whole system. VERY nice. Even tracks changes, so I can tell if the user pulled the cables, swapped ports, did bad stuff and then swapped them back to place the blame on the roommate. I can enter the IP in question and time period and it will then tell me the mac address in question, then it will automatically look up the cable database to return the room, and then it will return the names of the individuals living in the rooms. I argue that the username system has significant problems which can lead to denial of service. 
What happens when your radius box goes offline? This is what caused me to turn against the offending university. Their authentication box wouldn't stay online and so I'd have to cross my fingers after a reboot to hope that I could get back on the network. C) It avoids issues of changing ports. Let's say I'm in room 101, and my friend Bob is in room 102. I take my laptop to Bob's room and plug it into the network and go and do something dumb... If you hunt down my MAC address to a particular port, it looks like Bob is the AUP violator. If you have a registration system, you know that this MAC address belongs to me, not Bob. True true that can happen, but again if I log changes I can tell that someone unplugged their computer and so when Bob gets turned in the judicial system will be able to question what occurred... They know it may not be him that's guilty but hopefully he will turn in the offender. Oh, and what about wireless networks? I have my nice 802.11b card, how do you propose to track that without MAC registration (or hackish VPN systems, which are also deployed in some campuses)? As for wireless, well yeah we require you to register the mac off your wireless nic. Only macs that are in the database are allowed access. Sure you can spoof someone else's legitimate mac, but that's a different story. At least I have someone I can blame and let him try to deny it through the judicial system. Andrew --- [EMAIL PROTECTED] http://www.andrewsworld.net/ ICQ: 2895251 Cisco Certified Network Associate Learn from the mistakes of others. You won't live long enough to make all of them yourself.
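The lookup described in the message above (IP and time to MAC, MAC to switch port with change tracking, port to room through the cable database), together with the room 101/102 case from the quoted text, as an added example that is not part of the original thread or any campus's actual tooling. The record layouts, the registration table and every sample value are constructed assumptions.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

def ts(text):
    return datetime.strptime(text, FMT)

# Constructed sample data (documentation IP and MAC ranges, made-up switch).
DHCP_LEASES = [  # (ip, mac, lease_start, lease_end)
    ("192.0.2.17", "00:00:5e:00:53:0a", "2004-03-14 08:00", "2004-03-14 20:00"),
    ("192.0.2.17", "00:00:5e:00:53:0b", "2004-03-14 20:05", "2004-03-15 08:05"),
]
MAC_SIGHTINGS = [  # (time, switch, port, mac) from polled bridging tables
    ("2004-03-14 08:01", "dorm-sw1", "Fa0/1", "00:00:5e:00:53:0a"),
    ("2004-03-14 13:00", "dorm-sw1", "Fa0/2", "00:00:5e:00:53:0a"),  # moved
    ("2004-03-14 15:30", "dorm-sw1", "Fa0/1", "00:00:5e:00:53:0a"),  # moved back
    ("2004-03-14 20:06", "dorm-sw1", "Fa0/3", "00:00:5e:00:53:0b"),
]
CABLE_DB = {  # cabling plant: (switch, port) -> room
    ("dorm-sw1", "Fa0/1"): "101",
    ("dorm-sw1", "Fa0/2"): "102",
    ("dorm-sw1", "Fa0/3"): "103",
}
MAC_REGISTRY = {"00:00:5e:00:53:0a": "resident-of-101"}  # hypothetical registrations

def mac_for_ip(ip, when):
    """MAC that held `ip` under a DHCP lease covering `when`, or None."""
    for lease_ip, mac, start, end in DHCP_LEASES:
        if lease_ip == ip and ts(start) <= when < ts(end):
            return mac
    return None

def port_at(mac, when):
    """(switch, port) where the MAC was most recently learned at or before `when`."""
    seen = [(ts(t), sw, port) for t, sw, port, m in MAC_SIGHTINGS
            if m == mac and ts(t) <= when]
    if not seen:
        return None
    _, switch, port = max(seen)
    return (switch, port)

def port_moves(mac, start, end):
    """Port changes for this MAC inside [start, end] as (time, from_port, to_port)."""
    rows = sorted((ts(t), sw, port) for t, sw, port, m in MAC_SIGHTINGS if m == mac)
    moves, prev = [], None
    for when, switch, port in rows:
        if prev is not None and (switch, port) != prev and start <= when <= end:
            moves.append((when.strftime(FMT), prev[1], port))
        prev = (switch, port)
    return moves

def attribute(ip, when_text, window_hours=6):
    """Resolve an abuse report (IP + time) to MAC, port, room and registrant."""
    when = ts(when_text)
    mac = mac_for_ip(ip, when)
    if mac is None:
        return {"ip": ip, "error": "no lease covers that time"}
    location = port_at(mac, when)
    window = timedelta(hours=window_hours)
    return {
        "ip": ip,
        "mac": mac,
        "switch_port": location,
        "room": CABLE_DB.get(location, "unknown (no cable record)"),
        "registered_to": MAC_REGISTRY.get(mac, "unregistered"),
        "moves_in_window": port_moves(mac, when - window, when + window),
    }

if __name__ == "__main__":
    for stamp in ("2004-03-14 14:00", "2004-03-14 20:02", "2004-03-14 21:00"):
        print(stamp, attribute("192.0.2.17", stamp))
```

For the 14:00 report the port lookup alone points at room 102, while the registration and the two logged moves show a machine registered to room 101 that was plugged in there and later moved back.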
Re: who offers cheap (personal) 1U colo?
Andrew Dorsett [3/15/2004 8:26 AM] : That's protected by port security. Just limit them to one mac address per port. So only the last machine transmitting will get the reply. Works quite well, shut me down for a few days a few years ago when it was first turned on. Most common or garden wireless APs / broadband routers will let you clone the mac address, so this is not exactly difficult to get around. And what is wrong with setting up a hub or something in a dorm room? I find it quite convenient to leave both my PC and a laptop running on my desk, for various reasons (too many open terminals and windows is one of them ...) srs -- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
Re: who offers cheap (personal) 1U colo?
Michael Loftis wrote: Experiment ... go to a college dorm that's wired, plug your laptop or PC in, start using the net. Nine times out of ten you won't be challenged and you'll be allowed to use the network. Has it been a while since you've been on a resnet? They're bad, but most all ResNets I know of are now implementing some sort of MAC/DHCP combo at the very least. That might have been true a couple years ago but recent DMCA notices and Worm activity have /forced/ (often by their upstream) ResNets to clean up their act. I don't think our ResNet is a shining example of excellence by any stretch but they know who is registered behind each port/ip/mac address which gives you a pretty good idea of who is on your network. I won't comment on what leaves the ResNet on port 25 and what leaves the network with no prayer of ever routing back. *cough* That's a whole 'nother issue for them to deal with, and at some point soon, I think they will. -davidu (speaking only for himself) David A. Ulevitch - Founder, EveryDNS.Net Washington University in St. Louis http://david.ulevitch.com -- http://everydns.net