Re: Clarification needed
On Mon, 02 Dec 2002 10:18:22 +0530, Ramana Divvi [EMAIL PROTECTED] said:

> IHL -- IHL is the total IPv4 header length, maximum is 15 (15x4 = 60 bytes), refer RFC 791.
> DataOffset -- DataOffset is the total TCP header size (in simple words), maximum is 15 (15x4 = 60 bytes), refer RFC 793.
> From the above two, the combined TCP/IP header maximum length is 120 bytes.

Correct.

> But in RFC 1144 (page 13), it was defined as 128 bytes. Is it correct? If so please clarify the same.

No. You need a 128 octet buffer *for the compressed header*. The hint is since the output packet can be larger than the input packet. Contemplate the algorithm, and see if you can see what states will cause the 120 byte header to require 128 bytes after compression.

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
RE: Clarification needed
Hi Valdis,

Thanks for your reply. Still I am not clear with the explanation given. Why do we need 8 bytes of extra space? I will agree with the statement "since the output packet can be larger than the input packet", but it never exceeds the standard allowed maximum header length (120 bytes). Hope you got my problem about the extra 8 bytes of space. If I am wrong please correct me.

With Kind Regards,
Ramana.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, 2 December 2002 1:59 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Clarification needed

On Mon, 02 Dec 2002 10:18:22 +0530, Ramana Divvi [EMAIL PROTECTED] said:

> IHL -- IHL is the total IPv4 header length, maximum is 15 (15x4 = 60 bytes), refer RFC 791.
> DataOffset -- DataOffset is the total TCP header size (in simple words), maximum is 15 (15x4 = 60 bytes), refer RFC 793.
> From the above two, the combined TCP/IP header maximum length is 120 bytes.

Correct.

> But in RFC 1144 (page 13), it was defined as 128 bytes. Is it correct? If so please clarify the same.

No. You need a 128 octet buffer *for the compressed header*. The hint is since the output packet can be larger than the input packet. Contemplate the algorithm, and see if you can see what states will cause the 120 byte header to require 128 bytes after compression.

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech

***
This message is proprietary to Future Software Limited (FSL) and is intended solely for the use of the individual to whom it is addressed. It may contain privileged or confidential information and should not be circulated or used for any purpose other than for what it is intended. If you have received this message in error, please notify the originator immediately. If you are not the intended recipient, you are notified that you are strictly prohibited from using, copying, altering, or disclosing the contents of this message. FSL accepts no responsibility for loss or damage arising from the use of the information transmitted by this email including damage from virus.
***
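The bound the two messages above turn on (IHL and Data Offset are 4-bit word counts, so each header is at most 60 bytes and the pair at most 120) is exactly what a receiver must check before indexing into a packet. As an added example, not code from the thread or from RFC 1144, here is a Go parser that validates those fields, rejects IHL or Data Offset below 5 and packets shorter than the headers they advertise, and reports whether the headers fit the 128-byte buffer the thread discusses. It does not implement the compression itself; `BuildPacket` and the sample packets are constructed for the demo (no checksums, zeroed addresses).

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Field bounds from RFC 791 (IHL) and RFC 793 (Data Offset): both are 4-bit
// counts of 32-bit words, so each header is 20..60 bytes and the pair never
// exceeds 120 bytes. CompressBuf is the 128-byte figure the thread discusses.
const (
	MinIPHdr    = 20
	MaxIPHdr    = 60
	MinTCPHdr   = 20
	MaxTCPHdr   = 60
	MaxTCPIPHdr = MaxIPHdr + MaxTCPHdr // 120
	CompressBuf = 128
)

// Hdrs holds the validated header lengths of one IPv4+TCP packet.
type Hdrs struct {
	IPLen  int // IHL * 4
	TCPLen int // Data Offset * 4
	Total  int // IPLen + TCPLen
}

var ErrShort = errors.New("packet shorter than its length fields claim")

// ParseTCPIP validates the length fields before trusting them, so later code
// can index into the headers without reading past the end of the packet.
func ParseTCPIP(pkt []byte) (Hdrs, error) {
	var h Hdrs
	if len(pkt) < MinIPHdr {
		return h, ErrShort
	}
	if pkt[0]>>4 != 4 {
		return h, fmt.Errorf("not IPv4: version %d", pkt[0]>>4)
	}
	h.IPLen = int(pkt[0]&0x0f) * 4
	if h.IPLen < MinIPHdr {
		return h, fmt.Errorf("IHL %d below minimum of 5", pkt[0]&0x0f)
	}
	if len(pkt) < h.IPLen {
		return h, ErrShort
	}
	totalLen := int(binary.BigEndian.Uint16(pkt[2:4]))
	if totalLen < h.IPLen || totalLen > len(pkt) {
		return h, fmt.Errorf("IP total length %d inconsistent with %d-byte packet", totalLen, len(pkt))
	}
	if pkt[9] != 6 {
		return h, fmt.Errorf("protocol %d is not TCP", pkt[9])
	}
	tcp := pkt[h.IPLen:totalLen]
	if len(tcp) < MinTCPHdr {
		return h, ErrShort
	}
	h.TCPLen = int(tcp[12]>>4) * 4
	if h.TCPLen < MinTCPHdr {
		return h, fmt.Errorf("data offset %d below minimum of 5", tcp[12]>>4)
	}
	if len(tcp) < h.TCPLen {
		return h, ErrShort
	}
	h.Total = h.IPLen + h.TCPLen
	return h, nil
}

// BuildPacket constructs a demo packet (no checksums, zeroed addresses) with
// the given IHL and Data Offset so the bounds checks can be exercised.
func BuildPacket(ihl, dataOff uint8, payload []byte) []byte {
	ipLen, tcpLen := int(ihl)*4, int(dataOff)*4
	pkt := make([]byte, ipLen+tcpLen+len(payload))
	pkt[0] = 0x40 | (ihl & 0x0f) // version 4, IHL
	binary.BigEndian.PutUint16(pkt[2:4], uint16(len(pkt)))
	pkt[8] = 64 // TTL
	pkt[9] = 6  // protocol: TCP
	pkt[ipLen+12] = dataOff << 4
	copy(pkt[ipLen+tcpLen:], payload)
	return pkt
}

func main() {
	samples := [][]byte{
		BuildPacket(5, 5, []byte("GET")), // minimal headers
		BuildPacket(15, 15, nil),         // maximal headers: 60 + 60
		BuildPacket(3, 5, nil),           // bogus IHL
		BuildPacket(15, 15, nil)[:100],   // truncated on the wire
	}
	for _, p := range samples {
		h, err := ParseTCPIP(p)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("ip=%d tcp=%d total=%d, fits %d-byte buffer: %v\n",
			h.IPLen, h.TCPLen, h.Total, CompressBuf, h.Total <= CompressBuf)
	}
}
```

The order of the checks matters: the IHL is validated against both the minimum and the actual buffer length before the TCP header is sliced out, and the Data Offset is validated the same way before anything reads TCP options. A parser that trusts either field first is the usual source of out-of-bounds reads in packet decoders.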
Re: namedroppers mismanagement, continued
Thus spake Keith Moore [EMAIL PROTECTED]
> > The list moderator asked him to add his email address to the list, and indicated that as a result of doing so his mail would be unmoderated. Is it so hard to do?
>
> frankly, it's ridiculous to expect people to subscribe to every list to which they wish to contribute.

Frankly, it's ridiculous to expect either (a) all WG members to receive dozens of spams per day due to no filtering, or (b) the WG chair to read and manually approve any emails (among the dozens of spams) which are relevant.

We have the least-bad technical solution in place today. We'd all like open lists, but the community's inability to control spam has made that a moot point.

S
Re: namedroppers mismanagement, continued
(namedroppers removed as my comment is more of a meta-comment on running mailing lists and I'm not subscribed to namedroppers itself)

Olafur Gudmundsson [EMAIL PROTECTED] writes:

> Randy is currently wasting valuable time in manually scanning 100+ spams a day that are sent to namedroppers and other IETF mailing lists he runs and we all should thank him for the good citizen service he provides! Every message that is reposted from the bounced list contains a header explaining that the posting address is not a subscribed address.

This is an obnoxious amount of work. I can thank him for the service he's providing in trying to keep the list free of spam and also think that this is way more work than someone should be expected to do. :)

While I really dislike the technology when applied to personal mailboxes, this sounds like a place where a confirmation system would work well. If the list receives a message from a non-subscriber, send back a message saying so and asking them to respond and include a confirmation code of some kind, similar to mailing list subscription confirmations. If they do so, release the message into the mailing list and also whitelist their address (in case they're participating in an ongoing discussion).

My experience with a technique like this is that it eliminates 99% of the spam still, is reasonably intuitive for at least a technical audience, and eliminates the need for anyone to wade through all the spam to look for the gems, a task that I would not wish on anyone. It also has the side advantage of being unassailably impartial.

We all already spend far too much human effort dealing with spam. Centralizing that human effort onto one person optimizes it somewhat but still wastes valuable time that could be better used for some productive purpose. It's rather like periodically cleaning the bathroom, and if there were some way we could get computers to do that for us, I think we should jump at the chance, even if the computer doesn't do *quite* as good of a job. :)

This solution does require some additional setup on the server side: The list software has to be able to do those sorts of confirmations, has to maintain a server-side queue of messages that are pending confirmation, and has to implement the whitelist system. It would likely require a small amount of work to implement over an existing mailing list manager, and I'm certainly not suggesting that Randy have to do that implementation work. But since this situation comes up very frequently for IETF mailing lists, perhaps someone could volunteer to implement this feature for whatever mailing list management software the IETF mailing list system is using? That would at least help the problem for people hosting their lists with the IETF.

I wonder if Mailman already has this feature. If not, that might be a good place to start in adding it, since Mailman is very actively developed and seems to be passing the venerable Majordomo as the most widely deployed mailing list management system.

--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
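Russ's confirmation scheme, as an added example in Go that is not part of the original post or of any list manager: a gate that delivers subscriber mail directly, holds non-subscriber mail behind a random, HMAC-bound, expiring, single-use token, and whitelists the sender once the token comes back. Type and function names (`ListGate`, `Receive`, `Confirm`) and the sample addresses are illustrative.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Message is a minimal stand-in for a list submission (constructed for the demo).
type Message struct {
	From, Subject string
}

// ListGate holds mail from unknown senders until they echo a confirmation
// token. The names are illustrative, not any real list manager's API.
type ListGate struct {
	secret    []byte             // per-list HMAC key for tokens
	allowed   map[string]bool    // subscribers plus senders who confirmed once
	pending   map[string]Message // nonce -> held message
	ttl       time.Duration      // how long a challenge stays valid
	Delivered []Message          // what went out to the list
}

func NewListGate(subscribers []string, ttl time.Duration) *ListGate {
	g := &ListGate{secret: make([]byte, 32), allowed: map[string]bool{},
		pending: map[string]Message{}, ttl: ttl}
	if _, err := rand.Read(g.secret); err != nil {
		panic(err)
	}
	for _, s := range subscribers {
		g.allowed[norm(s)] = true
	}
	return g
}

func norm(addr string) string { return strings.ToLower(strings.TrimSpace(addr)) }

// mac ties nonce, expiry and sender together so a token cannot be edited.
func (g *ListGate) mac(nonce string, exp int64, from string) string {
	h := hmac.New(sha256.New, g.secret)
	fmt.Fprintf(h, "%s|%d|%s", nonce, exp, norm(from))
	return hex.EncodeToString(h.Sum(nil))
}

// Receive delivers mail from known senders at once and holds everything
// else, returning the token to mail back to the sender; an empty token
// means the message was delivered.
func (g *ListGate) Receive(m Message, now time.Time) string {
	if g.allowed[norm(m.From)] {
		g.Delivered = append(g.Delivered, m)
		return ""
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		panic(err)
	}
	nonce := hex.EncodeToString(raw)
	exp := now.Add(g.ttl).Unix()
	g.pending[nonce] = m
	return fmt.Sprintf("%s.%d.%s", nonce, exp, g.mac(nonce, exp, m.From))
}

// Confirm releases the held message if the token is genuine, unexpired and
// unused, and whitelists the sender so later posts are not challenged.
func (g *ListGate) Confirm(token string, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed token")
	}
	nonce := parts[0]
	var exp int64
	if _, err := fmt.Sscanf(parts[1], "%d", &exp); err != nil {
		return errors.New("malformed token")
	}
	m, ok := g.pending[nonce]
	if !ok {
		return errors.New("unknown or already used token")
	}
	if !hmac.Equal([]byte(parts[2]), []byte(g.mac(nonce, exp, m.From))) {
		return errors.New("token failed integrity check")
	}
	delete(g.pending, nonce) // single use, valid or not
	if now.Unix() > exp {
		return errors.New("token expired")
	}
	g.allowed[norm(m.From)] = true
	g.Delivered = append(g.Delivered, m)
	return nil
}

func main() {
	now := time.Now()
	g := NewListGate([]string{"subscriber@example.org"}, time.Hour)
	g.Receive(Message{From: "subscriber@example.org", Subject: "on-list"}, now)
	tok := g.Receive(Message{From: "outsider@example.net", Subject: "cross-post"}, now)
	fmt.Println("held; challenge token:", tok)
	fmt.Println("confirm:", g.Confirm(tok, now.Add(5*time.Minute)))
	fmt.Println("replay:", g.Confirm(tok, now.Add(6*time.Minute)))
	fmt.Println("delivered:", len(g.Delivered))
}
```

The whitelist is keyed on the From address, so it is only as strong as that header: a sender who forges a whitelisted From is delivered without a challenge. That is why the challenge has to be mailed to the sender's address and the held message released only when the token comes back from it, and why the token is bound to the sender and expires rather than being a bare queue id.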
The IETF_Censored mailing list
The IETF_Censored mailing list

At times, the IETF list is subject to debates that have little to do with the purposes for which the IETF list was created. Some people would appreciate a quieter forum for the relevant debates that take place, but the IETF's policy of openness has so far prevented the IETF from imposing any censorship policy on the [EMAIL PROTECTED] list.

To give people an alternative, there is a list called [EMAIL PROTECTED]. This list is a sublist of (that is, it gets the same messages as) the open IETF discussion list. However, this list will not forward all messages; in particular, the filters have been set so that persons and discussions that are, in the view of Raffaele D'Albenzio, irrelevant to the IETF list are not forwarded. Because this filter is automated, the criteria include:

* Well known troublemakers
* Well known crosspostings
* Subjects that have led to recent non-conclusive exchanges
* Some ways to say unsubscribe
* Some out-of-office-reply messages

To join the list, send the word subscribe in the BODY of a message to [EMAIL PROTECTED] (the URL here is an RFC 2368 mailto URL that does the Right Thing).

To unsubscribe, send the word unsubscribe in the BODY of a message to [EMAIL PROTECTED]

Do not send to the list - your message will be filtered! (members of the main IETF list itself must follow instructions for that list, of course. You are only a member of ietf_censored if there is a comment on the bottom of your IETF list mail saying that the message has been sent through the ietf_censored list.)

For fun, there is a special list for the rejected messages: [EMAIL PROTECTED] - subscribe in the same fashion, by mail to [EMAIL PROTECTED]

By public request, the current set of filters are listed at http://vesuvio.ipv6.tilab.com/cgi-bin/ietf_censored-filters

This page is http://carmen.ipv6.cselt.it/ietf_censored.html, and is posted monthly in text form to [EMAIL PROTECTED]

_
Raffaele D'Albenzio [EMAIL PROTECTED]
Re: namedroppers mismanagement, continued
At 11:50 AM 11/27/2002 -0500, Michael Froomkin - U.Miami School of Law wrote:
> Regardless of the specifics of this case, I think a good rule would be to say that all bounced messages on any IETF list MUST be archived on a separate 'bounced' list.

Sounds good on the surface, but you might want to reconsider operationally.

We drop probably 30-40 messages a day from the IAB list, mostly KLEZ Viruses, 419 scams, spam in oriental characters, and random other sales stuff. This is after having moved it from [EMAIL PROTECTED] to [EMAIL PROTECTED]; you'd be amazed how much crud goes to the former list. Since it is a members-only list, we *do* use a recognized persons list to reduce the filtering load; this has allowed a few virus-mails through, but not much. In acting as one of the four moderators for six months, I have approved perhaps a dozen messages total, and in each case added the sender to the recognized sender list so I don't have to mess with it. The recognized senders, btw, include all IESG members and all working group chairs as of a certain date, and we add other folks as needed. The kooks-and-nonsense notes I have silently discarded have been less than I allowed through, perhaps three or four at most.

I think it is positively dangerous to archive Klez emails, and a waste of online storage. A person reviewing the email might open the application.

I could see archiving the kooks-and-nonsense email. It wouldn't be a very interesting archive - you have to *earn* a place on that list, and as a result I'll bet that most folks on this list have that list built into their individual email filters already. But I really don't see the value of archiving the spam.
Re: namedroppers mismanagement, continued
Thus spake Michael Froomkin - U.Miami School of Law [EMAIL PROTECTED]
> I have just run into an example of this (POISSON) when I was unable to find the archive. I was surprised -- and puzzled. Surely the storage costs for archiving ALL IETF lists, especially in their spamless form, can't be that great? What sort of volume are we talking about?

Depends on the list; the main IETF list is over 1.5MB/mo in my personal archives. Given that the WG lists are maintained by volunteers, it would be a significant cost to provide several years of archives out of the list maintainer's pocket, especially when you add in the trolls and spam which are not part of the list's relevant content.

> > 2. The volume of spam in a bounced-messages archive would quickly change your mind.
>
> Here, you could well be right. But would that have to be held beyond the life of the group?

If you consider the bounced messages to be legitimate content worth archiving, then their archive should be kept as long as the non-bounced archive.

> > 3. All of this would be easily solved by someone (e.g. IETF secretariat) providing list service for all WGs with a consistent policy.
>
> Agree. But I'd like to also suggest that part of this policy is keeping the (unspammed) archives around, if only for the sake of people (like me) who try sometimes to write the history of decision-making in some of these areas.

I agree. I've petitioned several times for centralized lists and archives, and have even offered to provide them free to all WGs, but so far the IESG has taken no action. My guess is there's nobody we all trust to be such a central manager -- right now one of the IESG members is being accused of list mismanagement.

S
Re: new.net (was: Root Server DDoS Attack: What The Media Did NotTell You)
On Fri, 29 Nov 2002, at 14:08 [=GMT-0500], Keith Moore wrote:

> > > Well, it also matters that the set be constrained to some degree. A large flat root would not be very manageable, and caches wouldn't be very effective with large numbers of TLDs.
> >
> > That's old fiction. If it works for .com it will work for ..
>
> well, it's not clear that it works well for .com. try measuring delay and reliability of queries for a large number of samples sometime, and also cache effectiveness.

I guess the burden of proof is on those who argue that it does _not_ work well.

> let's put it another way. under the current organization if .com breaks the other TLDs will still work. if we break the root, everything fails.

Since .com was running _on_ the root-servers.net until recently without problems, what are we talking about? Naturally there won't be 1 million TLDs all at once. We could start with a couple of hundreds. That would merely double the size of the root.
Re: new.net (was: Root Server DDoS Attack: What The Media Did NotTell You)
On Fri, 29 Nov 2002, at 14:37 [=GMT-0500], Keith Moore wrote:

> > > let's put it another way. under the current organization if .com breaks the other TLDs will still work. if we break the root, everything fails.
> >
> > Naturally there won't be 1 million TLDs all at once. We could start with a couple of hundreds. That would merely double the size of the root.
>
> It's not just the size of the root that matters - the distribution of usage (and thus locality of reference) also matters.

For those in databases: What runs more smoothly: a few subgroups in a main group with millions of records, or a few thousand subgroups with thousands of records?

> The point is that if removing constraints on the root causes problems (and there are reasons to believe that it will) we can't easily go back to the way things were before.

Sure, call it a testbed, like the IDN-testbed of VeriSign.
Re: new.net (was: Root Server DDoS Attack: What The Media Did NotTell You)
On Fri, 29 Nov 2002, at 17:13 [=GMT-0500], Keith Moore wrote:

> > If when .com breaks, the other TLDs still work... then, isn't that a good reason to have more TLDs?
>
> it's a good reason to not put all of your eggs in one basket. also by limiting the size of the root we make it somewhat easier to verify that the root is working correctly.

So this means not millions of TLDs. I agree with that. Not even thousands, I would say. Not everyone who now has a .com needs a . That would flatten the namespace, already flattened to the second level, completely. First target: twice as many as now. And these 300 or so will also include a lot that will be small like so many ccTLDs now are.

--
[05] Round the clock here on the internet. http://logoff.org/
Re: trying to sweep namedroppers mismanagement under the rug
[ post by non-subscriber. with the massive amount of spam, it is easy to miss and therefore delete posts by non-subscribers. your subscription address is [EMAIL PROTECTED], please post from it or, if you wish to regularly post from an address that is not subscribed to this mailing list, send a message to [EMAIL PROTECTED] and ask to have the alternate address added to the list of addresses from which submissions are automatically accepted. ]

> Bill Strahm writes:
> > I believe the problem is in your court
>
> That's patently absurd. It's not _my_ fault that a bunch of messages from _other_ people are being silently discarded.

If they're not subscribers and they're not on a posting exception list, there's no reason their messages should be posted. Every complaint message I've seen from djb about this has had an explanation prepended by the list software like the one above, and subscription information appended automatically.

This is a non-problem. Could we stop hearing about it.

-jsq
Re: trying to sweep namedroppers mismanagement under the rug
I would agree the problem is solved if Bush adds the proper addresses to the approved subscribers list, as publicly requested. But since it has taken so much discussion to arrive at that solution (and I'm not sure we have yet), list management is clearly a problem, and has been a chronic problem.

--Dean

> If they're not subscribers and they're not on a posting exception list, there's no reason their messages should be posted. Every complaint message I've seen from djb about this has had an explanation prepended by the list software like the one above, and subscription information appended automatically.
>
> This is a non-problem. Could we stop hearing about it.
>
> -jsq
Re: new.net (was: Root Server DDoS Attack: What The Media Did NotTell You)
On Fri, 29 Nov 2002, at 17:24 [=GMT-0500], Keith Moore wrote:

> > First target: twice as many as now.
>
> why? how will that improve life on the internet?

It would make long domain names of the type domainnamebargainscheaper.com obsolete. Using domains will become easier. Less load on nameservers (incl. tld servers) because of typos. That is just on a practical level. Other improvements (probably off topic here) include lower prices, breaking of a cartel.
Re: new.net (was: Root Server DDoS Attack: What The Media Did Not Tell You)
On Sat, 30 Nov 2002 16:57:20 +0100, Marc Schneiders said:

> It would make long domain names of the type domainnamebargainscheaper.com obsolete.

Why? unless you manage to get 'cheaper.' as a TLD, and create the name as domain.name.bargains.cheaper. - or am I missing something?

> Using domains will become easier.

Empirical evidence indicates the biggest problem is finding the 1 out of 41M .com domains and avoiding all the typosquatters...

> Less load on nameservers (incl. tld servers) because of typos.

See the NANOG url I posted yesterday - 98% of the TLD load is borked, and nothing we do about this will address the issues (in fact, if anything, the traffic for that part of the 98% due to non-caching will increase).

> That is just on a practical level. Other improvements (probably off topic here) include lower prices, breaking of a cartel.

Notice that you don't get the lower prices and cartel breaking by increasing the number of domains, you get it by increasing the number of registrars.

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
Re: new.net (was: Root Server DDoS Attack: What The Media Did Not Tell You)
Thus spake Marc Schneiders [EMAIL PROTECTED]
> Since .com was running _on_ the root-servers.net until recently without problems, what are we talking about? Naturally there won't be 1 million TLDs all at once. We could start with a couple of hundreds. That would merely double the size of the root.

Okay, so when every foo.com. applies to become a foo., how will you control the growth? What is to keep the root from becoming a flat namespace within a few weeks? It won't take long for the masses to realize that an SLD is not as prestigious as their own personal TLD...

IMHO, the only solution to this problem is the elimination of gTLDs entirely.

S
Re: trying to sweep namedroppers mismanagement under the rug
Thus spake Dean Anderson [EMAIL PROTECTED]
> I would agree the problem is solved if Bush adds the proper addresses to the approved subscribers list, as publicly requested. But since it has taken so much discussion to arrive at that solution (and I'm not sure we have yet), list management is clearly a problem, and has been a chronic problem.

List management is not a problem; there is a policy statement and it is followed. If individuals refuse to follow the documented process because they wish to be a martyr, that is not the IETF's or IESG's problem.

If someone has a problem with the process, that needs to be directed at the IESG in a general form, not as a personal attack against a list maintainer as long as said maintainer is following the IESG's policy.

S
Re: new.net (was: Root Server DDoS Attack: What The Media Did Not Tell You)
> From: [EMAIL PROTECTED]
>
> On Sat, 30 Nov 2002 16:57:20 +0100, Marc Schneiders said:
> > It would make long domain names of the type domainnamebargainscheaper.com obsolete.
>
> Why? unless you manage to get 'cheaper.' as a TLD, and create the name as domain.name.bargains.cheaper. - or am I missing something?

And what's wrong with DomainNameBargainsCheaper.com or domain-name-bargains-cheaper.com? How would replacing '-' with '.' affect anything?

I've noticed an odd thing while draining my spam traps. When I see an advertised domain name that consists of two or more concatenated English words, it's usually Oriental. I don't mean necessarily hosted in Asia but with non-ASCII content. It's as if Oriental spammers are smarter about creating memorable English domain names and avoiding the squatters.

> > Using domains will become easier.
>
> Empirical evidence indicates the biggest problem is finding the 1 out of 41M .com domains and avoiding all the typosquatters...

and neither of those has anything to do with the last 4 characters of the name.

Vernon Schryver [EMAIL PROTECTED]
Re: new.net (was: Root Server DDoS Attack: What The Media Did NotTell You)
--On Friday, November 29, 2002 17:24:43 -0500 Keith Moore [EMAIL PROTECTED] wrote:

> > First target: twice as many as now.
>
> why? how will that improve life on the internet?

Basically, it will take some of the exclusiveness out of the TLD concept. That is a good thing for peace and quiet on several mailing lists and on the Internet name debate in general. I hope it would shut the nutcases arguing about new TLDs up, because they have been given what they so hotly desire (why escapes me, but I suppose they believe they'll make a big bag of money selling domain names. Good luck.)

Technically, it is no problem to keep 500 delegations in sync -- even with higher demands on correctness than are made today, both for the root and most TLDs.

However, there can only be one root. That is not up for discussion. (in case somebody thought I think so.)

--
Måns Nilsson http://vvv.besserwisser.org
Re: new.net (was: Root Server DDoS Attack: What The Media Did NotTell You)
[ cc list trimmed ]

On Mon, 2 Dec 2002, Stephen Sprunk wrote:

> Okay, so when every foo.com. applies to become a foo., how will you control the growth? What is to keep the root from becoming a flat namespace within a few weeks? It won't take long for the masses to realize that an SLD is not as prestigious as their own personal TLD...

I know... a naming hierarchy like in usenet but it will only be controlling at the top -- then an organization will be CHARTERED to be the caretaker of each of the top level names. maybe we'll start off with just 3 and see how it goes...

-rick
Re: namedroppers mismanagement, continued
OK, I'm convinced about not keeping the spam. I still think the kooks list has two values: 1) people who think they are being unfairly discriminated against have a simple database to point to for evidence; 2) who knows what people 50 years from now will find interesting, which goes to the related question of keeping the whole archive available somewhere when the working group finishes. (There's of course a theoretical issue with some hypothetical listowner treating criticism as spam, but sufficient until the day...)

On Mon, 2 Dec 2002, Fred Baker wrote:

> At 11:50 AM 11/27/2002 -0500, Michael Froomkin - U.Miami School of Law wrote:
> > Regardless of the specifics of this case, I think a good rule would be to say that all bounced messages on any IETF list MUST be archived on a separate 'bounced' list.
>
> Sounds good on the surface, but you might want to reconsider operationally.
>
> We drop probably 30-40 messages a day from the IAB list, mostly KLEZ Viruses, 419 scams, spam in oriental characters, and random other sales stuff. This is after having moved it from [EMAIL PROTECTED] to [EMAIL PROTECTED]; you'd be amazed how much crud goes to the former list. Since it is a members-only list, we *do* use a recognized persons list to reduce the filtering load; this has allowed a few virus-mails through, but not much. In acting as one of the four moderators for six months, I have approved perhaps a dozen messages total, and in each case added the sender to the recognized sender list so I don't have to mess with it. The recognized senders, btw, include all IESG members and all working group chairs as of a certain date, and we add other folks as needed. The kooks-and-nonsense notes I have silently discarded have been less than I allowed through, perhaps three or four at most.
>
> I think it is positively dangerous to archive Klez emails, and a waste of online storage. A person reviewing the email might open the application.
>
> I could see archiving the kooks-and-nonsense email. It wouldn't be a very interesting archive - you have to *earn* a place on that list, and as a result I'll bet that most folks on this list have that list built into their individual email filters already. But I really don't see the value of archiving the spam.

--
Please visit http://www.icannwatch.org
A. Michael Froomkin | Professor of Law | [EMAIL PROTECTED]
U. Miami School of Law, P.O. Box 248087, Coral Gables, FL 33124 USA
+1 (305) 284-4285 | +1 (305) 284-6506 (fax) | http://www.law.tm
--It's warm here.--
Re: namedroppers mismanagement, continued
I would think that archive.org would do the job if we asked them to? Else, this is a natural for a grant...

On Mon, 2 Dec 2002, Stephen Sprunk wrote:

> Thus spake Michael Froomkin - U.Miami School of Law [EMAIL PROTECTED]
> > I have just run into an example of this (POISSON) when I was unable to find the archive. I was surprised -- and puzzled. Surely the storage costs for archiving ALL IETF lists, especially in their spamless form, can't be that great? What sort of volume are we talking about?
>
> Depends on the list; the main IETF list is over 1.5MB/mo in my personal archives. Given that the WG lists are maintained by volunteers, it would be a significant cost to provide several years of archives out of the list maintainer's pocket, especially when you add in the trolls and spam which are not part of the list's relevant content.
>
> > > 2. The volume of spam in a bounced-messages archive would quickly change your mind.
> >
> > Here, you could well be right. But would that have to be held beyond the life of the group?
>
> If you consider the bounced messages to be legitimate content worth archiving, then their archive should be kept as long as the non-bounced archive.
>
> > > 3. All of this would be easily solved by someone (e.g. IETF secretariat) providing list service for all WGs with a consistent policy.
> >
> > Agree. But I'd like to also suggest that part of this policy is keeping the (unspammed) archives around, if only for the sake of people (like me) who try sometimes to write the history of decision-making in some of these areas.
>
> I agree. I've petitioned several times for centralized lists and archives, and have even offered to provide them free to all WGs, but so far the IESG has taken no action. My guess is there's nobody we all trust to be such a central manager -- right now one of the IESG members is being accused of list mismanagement.
>
> S

--
Please visit http://www.icannwatch.org
A. Michael Froomkin | Professor of Law | [EMAIL PROTECTED]
U. Miami School of Law, P.O. Box 248087, Coral Gables, FL 33124 USA
+1 (305) 284-4285 | +1 (305) 284-6506 (fax) | http://www.law.tm
--It's warm here.--
Re: new.net (was: Root Server DDoS Attack: What The Media Did NotTell You)
I dispute the accuracy of this assertion below (unless registrars is a typo for registries in which case we agree totally and you can ignore what follows):

On Mon, 2 Dec 2002 [EMAIL PROTECTED] wrote:

> Notice that you don't get the lower prices and cartel breaking by increasing the number of domains, you get it by increasing the number of registrars.

Please explain your reasoning. In particular, note whether you consider registrars and registries to be separate vertical markets. If so, please explain how competition in a downstream market affects prices upstream.

Also, please note the vital distinction between number of domains (which I agree increasing does not increase competition if the number of registry operators remains constant) and number of registry operators (which I submit *will* increase competition if this increases as the number of domains increases -- at least if the new operators are allowed to pick their character string and given substantial freedom to set their policies as opposed to the ICANN model of picking strings and setting highly restrictive policies to discourage wide use [e.g. .coop]).

--
Please visit http://www.icannwatch.org
A. Michael Froomkin | Professor of Law | [EMAIL PROTECTED]
U. Miami School of Law, P.O. Box 248087, Coral Gables, FL 33124 USA
+1 (305) 284-4285 | +1 (305) 284-6506 (fax) | http://www.law.tm
--It's warm here.--
Re: Obsolete it, when you cannot reform it? (Was: Re: new.net (was: Root Server DDoS Attack: What The Media Did Not Tell You))
In message [EMAIL PROTECTED], Marc Schneiders writes:

> Which would have the same result as what you predict for a few hundred extra TLDs. The solution to the whole problem is of course to replace DNS by something better. I've heard more than a few times in the past, that it will be replaced by other functions/schemes/directories. Not that I am aware of any that seems to qualify for all the functions so far. Still, it would be quite on topic, if I may say so, to discuss what we should develop to do a better job. Obsolete it, if you cannot reform it?

I think that a requirements document for that would be entirely in order. I suspect that no one system will be able to fulfill all requirements.

--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com (Firewalls book)
Re: Obsolete it, when you cannot reform it? (Was: Re: new.net (was: Root Server DDoS Attack: What The Media Did Not Tell You))
> The solution to the whole problem is of course to replace DNS by something better.

I don't think we're likely to be able to replace a globally unique, federated namespace anytime soon. As for other kinds of human-friendly names, there have been lots of attempts to create them, and little success in actually getting people to use them.
Obsolete it, when you cannot reform it? (Was: Re: new.net (was: RootServer DDoS Attack: What The Media Did Not Tell You))
On Mon, 2 Dec 2002, at 11:13 [=GMT-0600], Stephen Sprunk wrote:

> Thus spake Marc Schneiders [EMAIL PROTECTED]
> > Since .com was running _on_ the root-servers.net until recently without problems, what are we talking about? Naturally there won't be 1 million TLDs all at once. We could start with a couple of hundreds. That would merely double the size of the root.
>
> Okay, so when every foo.com. applies to become a foo., how will you control the growth? What is to keep the root from becoming a flat namespace within a few weeks? It won't take long for the masses to realize that an SLD is not as prestigious as their own personal TLD...
>
> IMHO, the only solution to this problem is the elimination of gTLDs entirely.

Which would have the same result as what you predict for a few hundred extra TLDs.

The solution to the whole problem is of course to replace DNS by something better. I've heard more than a few times in the past, that it will be replaced by other functions/schemes/directories. Not that I am aware of any that seems to qualify for all the functions so far. Still, it would be quite on topic, if I may say so, to discuss what we should develop to do a better job. Obsolete it, if you cannot reform it?
RE: namedroppers, continued
This whole discussion should be taken to the YWKTIEDNWWFALNORIBNLTICSADEWSIFOSTFSTNOML working group. (yes we know that internet email does not work well for a large number of reasons, including but not limited to, incorrect code, spam and dare we say it failure of smtp to fully support the needs of mailing lists).

The only way to resolve this issue properly would be to require every submission to an IETF mailing list to be cryptographically signed (PGP or S/MIME), to require the subscribers to register their signing key and to then filter the mail sent out on the list so that only signed mail gets through. While this would require a moderate degree of work on the part of the list users it would eliminate the need for moderator action. Problem posters could be dealt with by means of a formal process.

Thawte still provides free S/MIME certificates, however for the purposes of this proposal it would suffice to use a self signed certificate.

SPAM is becoming a serious problem - as Bernstein's own rather offensive spam protection measures attest. The only way to resolve that problem in the long run is to start authenticating the good signal at source. The strategy of attempting to isolate the bad signal from the good is failing progressively as the spam companies employ counter measures.

The relevance of this to DNS is that the ability to authenticate an SRV record provides an immense amount of leverage in automating this process. For example I can have some form of information service set up linked to the DNS that tells people that I sign every one of my emails without exception and that any unsigned mail message can be rejected.

SPAM is a security problem. If we don't fix it the signal to noise ratio will fall way below acceptable levels for many users.

Phill

-----Original Message-----
From: Pekka Savola [mailto:[EMAIL PROTECTED]]
Sent: Saturday, November 30, 2002 8:00 AM
To: D. J. Bernstein
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: namedroppers, continued

[ post by non-subscriber. with the massive amount of spam, it is easy to miss and therefore delete posts by non-subscribers. if you wish to regularly post from an address that is not subscribed to this mailing list, send a message to listname[EMAIL PROTECTED] and ask to have the alternate address added to the list of addresses from which submissions are automatically accepted. ]

On 29 Nov 2002, D. J. Bernstein wrote:
> Keith claims that allowing ``contributions from outsiders'' requires delay and manual review. That claim is absurd. Immediately bounce the message to the ``outsider,'' with instructions explaining how to have the message sent to subscribers; end of problem.

No, it's not 'end of problem'. If I cross-post a reply to some message which was cross-posted to a list I'm subscribed at and a list I'm not, in the general case I do *not* want to subscribe to the other list to be able to send my cross-post reply to both. Waiting for moderator approval is just fine for me, much better than requiring to subscribe or do something else. It's not black and white.

--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords

--
to unsubscribe send a message to [EMAIL PROTECTED] with the word 'unsubscribe' in a single line as the message text body.
archive: http://ops.ietf.org/lists/namedroppers/
Re: namedroppers, continued
Hallam-Baker, Phillip wrote:
> The only way to resolve this issue properly would be to require every
> submission to an IETF mailing list to be cryptographically signed [and]
> to require the subscribers to register their signing key

And how do we prevent spammers from registering their signing key? Are you suggesting that we change the IETF's open enrollment policy?

-- 
Aaron Swartz [http://www.aaronsw.com]
RE: namedroppers, continued
First off, the problem of SPAM is one of the perfect being the enemy of the good. If we can cut the spam by 95% then that is a pretty useful achievement.

So, no, I don't think that the folk selling feather luggage, herbal viagra, p0rn etc. are likely to go to that length in great numbers, unless that is the Internet as a whole adopts the same type of measure following our lead.

However I have thought ahead to the issues of scale here. Let us imagine that a large number of groups use the same scheme, that email agents that filter based on signatures are available and widely used.

First, consider the effect of a minor authentication requirement on certificate issue, the ability to read email sent to the address specified in the certificate. Using that technique we could eliminate spams with bogus addresses, which itself would be a major advance. The amount of spam that comes through with a valid email address is vanishingly small.

Second, consider that if the whole Internet follows our lead and starts to use cryptography routinely there are a lot of additional steps that then become possible that are not practical until most people have a public key and there is a means of discovering that via a DNS linkage.

Third, one of the things we could do in an extended enrollment process would be to get participants to agree to the following set of terms:

1) Thou shalt not SPAM.
2) Thou shalt permit your messages to be posted in the archives.
3) Thou shalt provide timely notice of any intellectual property claims.
4) Thou shalt not take the name of the chair in vain unless she deserves it.
5) etc.

Then we could sue the b*#*@#ds if they spammed after that. People have been looking for a test case for digital signatures for ages, so don't worry about the cost.

A side benefit of this is that it would cause a lot of people to start using secure email and thus start to create some critical mass for email security.

What we need is for someone to take Majordomo or the like and merge in some sort of filter to check S/MIME and PGP signatures. Then find a group that wanted to serve as a guinea pig (S/MIME or PKIX perhaps?). Alternatively we should perhaps form a group 'Deployment of secure email' which could apply this rubric.

Phill

-----Original Message-----
From: Aaron Swartz [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 02, 2002 1:43 PM
To: Hallam-Baker, Phillip
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: namedroppers, continued

> Hallam-Baker, Phillip wrote:
> > The only way to resolve this issue properly would be to require every
> > submission to an IETF mailing list to be cryptographically signed [and]
> > to require the subscribers to register their signing key
>
> And how do we prevent spammers from registering their signing key? Are
> you suggesting that we change the IETF's open enrollment policy?
>
> -- 
> Aaron Swartz [http://www.aaronsw.com]
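The filter Phill proposes in the two messages above (sign every submission, register each subscriber's key, let out only mail whose signature verifies) as a small list-side gate, added here as an illustration; it is not code from this thread, from Majordomo or from any list software. It assumes Ed25519 in place of PGP or S/MIME and a plain map as the key registry, both stand-ins, and shows that the registry, not the signature, is what keeps a valid self-made key from getting through.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Registry maps a subscriber's posting address to the key they registered when enrolling (constructed).
type Registry map[string]ed25519.PublicKey

// Submission is a constructed stand-in for a signed post; the verifying key never comes from the mail.
type Submission struct {
	From, Body string
	Sig        []byte
}

type Verdict string

const (
	Accept       Verdict = "accept"
	Unregistered Verdict = "reject: no key registered for sender"
	BadSignature Verdict = "reject: signature does not verify under registered key"
)

// SignedBytes fixes what both sides sign: canonical sender address plus body, so the
// signature also binds the From address to the registered key.
func SignedBytes(from, body string) []byte {
	return []byte("From: " + strings.ToLower(strings.TrimSpace(from)) + "\r\n\r\n" + body)
}

// Sign is the subscriber side (Ed25519 stands in for PGP or S/MIME here).
func Sign(from, body string, priv ed25519.PrivateKey) Submission {
	return Submission{From: from, Body: body, Sig: ed25519.Sign(priv, SignedBytes(from, body))}
}

// Gate is the list side: unsigned, unregistered or forged mail never goes out.
func Gate(reg Registry, s Submission) Verdict {
	pub, ok := reg[strings.ToLower(strings.TrimSpace(s.From))]
	if !ok {
		return Unregistered
	}
	if !ed25519.Verify(pub, SignedBytes(s.From, s.Body), s.Sig) {
		return BadSignature
	}
	return Accept
}

// Demo returns verdicts for three constructed cases: a registered subscriber, a spammer
// with a valid self-made but unregistered key, and that spammer claiming a subscriber's address.
func Demo() [3]Verdict {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	_, spamPriv, _ := ed25519.GenerateKey(rand.Reader)
	reg := Registry{"alice@example.org": alicePub}
	good := Sign("Alice@example.org", "Re: namedroppers, continued", alicePriv)
	unregistered := Sign("spammer@example.net", "buy now", spamPriv)
	impersonation := Sign("alice@example.org", "buy now", spamPriv)
	return [3]Verdict{Gate(reg, good), Gate(reg, unregistered), Gate(reg, impersonation)}
}

func main() { fmt.Println(Demo()) }
```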
Re: namedroppers, continued
On Mon, 02 Dec 2002 08:28:57 PST, Hallam-Baker, Phillip said:
> The only way to resolve this issue properly would be to require every
> submission to an IETF mailing list to be cryptographically signed (PGP
> or S/MIME), to require the subscribers to register their signing key and
> to then filter the mail sent out on the list so that only signed mail
> gets through.

OK.. Almost plausible. However note that currently, the PGP web-of-trust covers only a small percentage of the subscribers to the IETF list, and there's no *really* good PKI for S/MIME yet (hint - we don't seem to even understand how to apply 'basicConstraints', so if you think we're going to have working CRLs anytime soon, please share the name and address of your pharmaceutical supplier.. ;)

> Thawte still provides free S/MIME certificates, however for the purposes
> of this proposal it would suffice to use a self signed certificate.

Unfortunately, although a self-signed cert works really nicely for some purposes (for instance, it's quite sufficient to get an SSL tunnel started so passive snooping doesn't work), it's inadequate here. The problem is that there's no good way to tell my self-signed cert from Dan Bernstein's self-signed cert from J. Slimy Spammer's self-signed cert. I'd be interested in knowing what quality of a self-signed cert would denote that the poster was possessed of the Non-Spammer Nature.

I propose to you that using a Thawte free S/MIME cert proves approximately zero - a spammer can just get one for each run (and remember that no matter how much a spammer tries to hide their identity, they *still* have to provide a working way to reach them (via smtp or http or whatever) or they don't get any feedback).

/Valdis
Re: namedroppers, continued
On Mon, 02 Dec 2002 11:12:36 PST, Hallam-Baker, Phillip said:
> First, consider the effect of a minor authentication requirement on
> certificate issue, the ability to read email sent to the address
> specified in the certificate. Using that technique we could eliminate
> spams with bogus addresses which itself would be a major advance. The
> amount of spam that comes through with a valid email address is
> vanishingly small.

You don't need a cert for this - a simple "OK this magic cookie" confirmation scheme (as supported by almost all mailing-list management software) is enough.

> Then we could sue the b*#*@#ds if they spammed after that. People have
> been looking for a test case for digital signatures for ages, so don't
> worry about the cost.

People have been looking for somebody ELSE to be the test case for ages. The EFF is in the business of raising money to fight legal battles. The IETF isn't. You might want to ask the IESG if they have the budget for this - and remember that quite often, there *isn't* case law about some interesting point because one party or the other decides it's easier and cheaper to just settle rather than take it to court.

-- 
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
Re: new.net (was: Root Server DDoS Attack: What The Media Did Not Tell You)
> From: Stephen Sprunk [EMAIL PROTECTED]
> ...
> I'm not sure it's been demonstrated anyone other than the _registrars_
> actually want more gTLD's. biz and info have been up for quite a while
> and I can only think of one web site I've been to in either of them.
> ...

I've found that the spam filter of rejecting all mail from .tv, .biz, .info, .bz, .nu, and .ws has had a 0.0% false positive rate. There's not enough of that spam to make this filter exciting, but it is distinctly useful. Those domains are actively marketed to spammers or sound cool to spammers and other incompetent sales people.

Of course, your mileage may vary, especially if you have a legitimate domain in one of those TLDs.

Vernon Schryver [EMAIL PROTECTED]
Dislike your Spam for breakfast?
Seems like there is a sort of mail loop or some nasty business on this list. I like my ideas enough to hope to see them repeated here: once. If you get an extra serving, sorry. It's not me doing it.

Well, if you *never* pay a ransom, you *never* give to a panhandler and you *never* bite at the *FREE for you click here*, you attenuate the activity (hostage taking, begging and spam) to non-existence. The problem is on rare occasion the unsolicited thing is compelling enough so people respond, and of course this validates it as an activity if it is ultimately a legitimate transaction.

As you know, all unsolicited advertising by email with a single California target is supposed to begin with a subject line ADV:

http://www.spamlaws.com/state/ca1.html

(g) In the case of e-mail that consists of unsolicited advertising material for the lease, sale, rental, gift offer, or other disposition of any realty, goods, services, or extension of credit, the subject line of each and every message shall include "ADV:" as the first four characters. If these messages contain information that consists of unsolicited advertising material for the lease, sale, rental, gift offer, or other disposition of any realty, goods, services, or extension of credit, that may only be viewed, purchased, rented, leased, or held in possession by an individual 18 years of age and older, the subject line of each and every message shall include "ADV:ADLT" as the first eight characters.

So, all you need is one more law (sorry, just one, or amend this one) that anything you get without that filterable warning, you keep for free. Order it with a credit card (preferably a cancelled one). Send them a perfectly bad check. Break into their building and TAKE it (well, if they posted it was free for the taking and they don't send it to you). Promise to take the vice president of the bank of Nigeria to a big dinner, whatever. Keep, eat, wear or smoke what you get.

Then cite the law to protect you, and if you're feeling meaner, look over the transaction for a bonus charge like Libel.

The paper world of mail enclosures has endured this basically and they still fill my porch and mailbox pretty good. Without that recourse, I'd have to use a fork lift, I guess.

But seriously, I like crypto and use it a lot. I think this is the rare case of a technology driven problem, which is only a minor problem, but still has no clear technocrat fix.

Yup
Dan
Re: new.net (was: Root Server DDoS Attack: What The Media Did Not Tell You)
Thus spake Joe Baptista [EMAIL PROTECTED]
> I disagree. The current arrangement of increasing registrars looks a lot
> like a multi level marketing scam. Basically the goal is to squeeze
> every penny out of the dot.com universe. It don't wash. Users want
> *.choice in their tlds. The whole idea behind tlds is to establish
> simple naming conventions which give users of domains an internet
> presence. unfortunately there's not much choice in the existing USG root
> infrastructure. Users are by their nature creative when it comes to
> naming conventions and I'm sure they would have more fun in the
> alt.universes than they do in the USG system. Unfortunately the USG is
> not very creative in this regard.

I'm not sure it's been demonstrated anyone other than the _registrars_ actually want more gTLD's. biz and info have been up for quite a while and I can only think of one web site I've been to in either of them. Despite the heated arguments and bureaucratic infighting, demand simply hasn't materialized when we increased supply.

End users expect everything to be in .com, period (no pun intended). I still get multi-year Internet users (admittedly of the AOL variety) who don't believe my personal email address in .org is real -- they've never noticed anything but .com and .net out there, and they're confused enough about the minor difference between those two. They don't need another few thousand TLDs.

S
Re: new.net (was: Root Server DDoS Attack: What The Media Did Not Tell You)
On 22:57 02/12/02, Stephen Sprunk said:
> End users expect everything to be in .com, period (no pun intended). I
> still get multi-year Internet users (admittedly of the AOL variety) who
> don't believe my personal email address in .org is real -- they've never
> noticed anything but .com and .net out there, and they're confused
> enough about the minor difference between those two. They don't need
> another few thousand TLDs.

Dear Stephen,
initially every name was .arpa. Why did they not stick to it :-)

Let's say that you have stephen.sprunk.org and the people you quote are lost (which is correct, as people see no reason why not to resolve Stephen Sprunk in their mind as stephen.sprunk.com in the Internet, from what they understand). Would they be lost the same with stephen.sprunk.org.com? I guess not.

Now, if someone comes and tells them that stephen.sprunk.org is just an abbreviation of stephen.sprunk.org.com, you know what they will ask? They will ask why stephen.sprunk is not an abbreviation of stephen.sprunk.org. And they will never believe him if he tells them this is not possible because of a program written in 1983 and a forgotten agreement of 1984. As if I told someone he cannot have 10 digit telephone numbers because of the way mechanical telephone switches worked in the 60s.

I would advise we do not confuse too much the trust of the people with them being dumb. ICANN just does that too many times.

jfc
Re: namedroppers, continued
On Mon, 02 Dec 2002 14:33:16 PST, Hallam-Baker, Phillip said:
> If the spammer wants to perform custom operations for each constituency
> they want to spam.

No - you need a single custom cert/identity for each spamming run of several million. Unless you were *really* intending to cross-check the 3,000 spams they dropped on the IETF lists against the ones they sent to yahoo.com's mailers, and the ones to AOL, and the ones to MSN, etc etc..

The worst part is that they would then present the *same* credentials to the main IETF list and all the working groups. This ends up leveraging one of the strong points of digital signatures - if a signature is well known because it's seen widely, it gets taken more seriously. And there's no really good way to tune this - I'm sure I post more to IETF lists than most spammers do, so you can't even say "if they post more than X/day they're spammers".

> I don't think they do, they have to be able to spam millions of people
> at a time or the response rate is simply too low. Reported response
> rates are in the thousandths of a percent, so spamming the entire IETF
> gets less than a tenth of a customer.

But they got a tenth of a customer for *ONE* piece of outbound mail. Which is an extraordinary response rate.

-- 
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
Re: namedroppers, continued
On Mon, 02 Dec 2002 14:33:16 PST, Hallam-Baker, Phillip said:
> OCSP scales fine for revocation checking. We can use the same platform
> that currently serves 6 billion DNS queries a day.

The fact that OCSP scales fine for revocation checking doesn't mean that you have a system that scales fine for the *TOTAL PROCESS*. Remember - the tough part isn't checking the list - the tough part is getting entries *INTO* the list in a secure manner. Go back and re-read the issue at http://www.cert.org/advisories/CA-2001-04.html and ask yourself if a CRL would have been handled any differently. Remember - it was a *process* failure, not a software failure.

The DNS may answer 6 billion DNS queries a day. But I can name some DNS registrars that would take *MONTHS* to correctly transfer a domain. (The continuing refrain for *years* on NANOG: "Has *anybody* ever gotten PGP auth to work with these bozos?")

Also, there's the added issue that the DNS cuts down on traffic by way of caching. Unfortunately, that's the LAST thing you want a CRL to be doing (in particular, negative caching is an extreme no-no). You can tell the ISP's DNS server to cache the SOA and NS entries for amazon.com. You can't tell the ISP's OCSP server to cache the fact that there aren't any CRLs for the SSL cert that www.amazon.com uses.

/Valdis
Re: namedroppers mismanagement, continued
> > - in the current situation, even postings from occasional posters are
> >   being blocked. and when postings are blocked, the message is terse
> >   and cryptic (even insulting) and contains no clue about how to work
> >   around the problem
>
> Do you have specific recent examples of this? If it is the case it needs
> to be fixed.

I think I was simply mistaken about this; I was remembering the "post from non-subscriber" messages I'd seen recently and confusing them with the "list won't accept posts from non-subscribers" messages I used to occasionally see from that list.

> > - getting on the approved posters list is not well documented or
> >   understood. for some list software this is a manual operation
> >   requiring the list admin to edit a file; on others it is under
> >   control of the subscriber but he/she has to subscribe the alternate
> >   address using some obscure option like /NOMAIL.
>
> Perhaps in the case of namedroppers the added [ post by non-subscriber...
> ] note can include the instructions on how to get added to that list.

ideally, I think, the instructions would come in the form of a response sent back to the sender, rather than being sent to the list. and they should explain how to get on the approved poster list rather than expecting everyone to post from their subscription address.