Re: BGP hijack from 23724 - 4134 China?
On 08.04 14:36, Brielle Bruns wrote:
> I'm starting to wonder if someone is 'testing the waters' in China to see what they can get away with. I hate to be like this, but there's a reason why I have all of China filtered on my routers.

Beware of prejudice influencing observations and their interpretation.

> Amazing how much SSH hammering, spam, and other nastiness went away within minutes of the filtering going in place.

Objectively for my networks the vast majority of the SSH hammering, spam and other nastiness would go away if I filtered out the prefixes allocated by ARIN. I do not do that because I want to talk to hosts at these addresses. Sometimes I even want to talk to hosts that originate the nastiness. I certainly do not want my upstreams to start preventing me from doing that.

Selectively preventing packet flow is *not* a security measure. Selectively preventing packet flow leads to unexpected and hard to diagnose breakage. Many independent actors selectively preventing packet flow will eventually partition the Internet sufficiently to break it beyond recognition.

Preventing packet flow may be necessary to mitigate DoS and to do local security; I have pulled out the network cable before too. However doing it at many different places in the network according to local policies leads to bad breakage.

Daniel
Re: BGP hijack from 23724 - 4134 China?
It depends. Preventing packet flow from a rather more carefully selected list of prefixes may actually make sense. These for example - www.spamhaus.org/drop/ Filtering prefixes that your customers may actually exchange valid email / traffic with, and that are not 100% bad is not the best way to go. Block specific prefixes from China, the USA, Eastern Europe, wherever - that are a specific threat to your network .. great. Even better if you are able to manage that blocking and avoid turning your router ACLs into a sort of Hotel California for prefixes. On Fri, Apr 9, 2010 at 11:52 AM, Daniel Karrenberg daniel.karrenb...@ripe.net wrote: Selectively preventing packet flow is *not* a security measure. Selectively preventing packet flow leads to unexpected and hard to diagnose breakage. Many independent actors selectively preventing packet flow will eventually partition the Internet sufficiently to break it beyond recognition. -- Suresh Ramasubramanian (ops.li...@gmail.com)
Re: BGP hijack from 23724 - 4134 China?
:-) ;-) ;-) And now for the political analysis in our morning programming broadcasted to North America: Beware of unintentionally helping the Chinese government to implement the Great Firewall by blocking packet flow right there in the land of Free Speech(TM). The satisfaction of vigorously loosing shots will quickly dissipate as soon as the bullets start impacting feet very nearby. Now let us return to our regular mix of operationally tinted programming. :-) ;-) ;-)
Re: ARIN IP6 policy for those with legacy IP4 Space
Because a legacy holder doesn't care about ARIN i do not think that statement is defensible there is a difference between caring and being willing to give up rights for no benefit
Re: Behold - the Address-Yenta!
On 4/8/10 8:02 PM, John Curran wrote: On Apr 8, 2010, at 7:51 PM, David Conrad wrote: In the cases I'm aware of (which were some time ago), there was (to my knowledge) no fraud involved. If you see more recent cases of this occurring, please report them. Or are you indicating the mechanisms I described are in some way fraudulent? Potentially, yes. And with no statute of limitations! Not all things are solved by laws. Or economics. Thanks for taking up this issue, John.
Re: APNIC's report on traffic directed to 1.0.0.0/8
On 4/7/10 10:22 PM, Scott Howard wrote: http://mailman.apnic.net/mailing-lists/apnic-talk/archive/2010/04/msg2.html (There's also a PDF version with easier to enlarge images at http://www.potaroo.net/studies/1slash8/1slash8.pdf ) It was a nice read. But it didn't indicate where (source AS, or country, or whatever) the traffic was originating. Any data?
Re: Behold - the Address-Yenta!
Or are you indicating the mechanisms I described are in some way fraudulent? Potentially, yes. pfui. the current security level is chartreuse. you will get 15,000 free flier miles for spying on your neighbor. john, addresses are assets. people will transfer assets. get over it. two female ostriches are walking down the beach one looks behind says don't look now, but two males are following us the other says, let's walk faster, so they do the first looks behind and says they are catching up! so they break into a trot the first looks behind and says they are still catching up! so they start running full tilt the first looks behind and says they are catching up even more quickly! they both slam on the brakes and stick their heads in the sand a minute later the two males arrive the males look around and say, where did they go? randy
Re: ARIN IP6 policy for those with legacy IP4 Space
Excellent questions... The direction with respect to ARIN is that the Board has spent significant time considering this issue and the guidance provided to date is that ARIN is to focus on its core mission of providing allocation and registration services, and be supportive of other related organizations (e.g. NANOG, ICANN, ISOC) which perform related functions in the community. This approach has reduced the risk of mission creep (at least as far as I can tell... :-) From a practical matter, it also means that we need to consider a future for ARIN which provides a core address registry function, modest IPv4 updates and modest IPv6 new allocation activity, and likely a very stable policy framework. This vision of the future is highly compatible with automation, and ARIN is indeed working aggressively in this area with ARIN Online. I do think that automation plus a reduction in activity will result in a modest reduction in overall costs, but the costs associated with having an open community-based organization aren't necessarily changing: i think this is realistic, wise, and admirable. it is damned hard for an organization to resist mission creep, etc., and focus on mission, especially when that means long term shrinkage. the board and management are to be commended. randy
Re: ARIN IP6 policy for those with legacy IP4 Space
1) Justify why we need a heavy bureaucracy such as ARIN for IPv6 numbering resources, Because the members of ARIN (and the other four RIRs) want it that way. And because nobody has yet made a serious proposal to ICANN that would replace ARIN. Using the organization to justify the need for the organization is circular reasoning. 2) Tell me why something like the old pre-depletion pre-ARIN model of InterNIC and just handing out prefixes with substantially less paper-pushing wouldn't result in a cheaper-to-run RIR. Because the ARIN members, who pay most of ARIN's fees, are not complaining about the level of those fees. This means that they think the fees are cheap enough, or else they would demand that the fees be changed. All ARIN fees are set by the ARIN members. Again, ... Anyways, the non-answers to these questions are very illuminating. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Re: ARIN IP6 policy for those with legacy IP4 Space
I have my doubts, based on a ~decade of observation. I don't think ARIN is deliberately evil, but I think there are some bits that'd be hard to fix. I believe that anything at ARIN which the community at large and the membership can come to consensus is broken will be relatively easy to fix. Perhaps the true issue is that what you see as broken is perceived as working as intended by much of the community and membership? That's a great point. Would you agree, then, that much of the community and membership implicitly sees little value in IPv6? You can claim that's a bit of a stretch, but quite frankly, the RIR policies, the sketchy support by providers, the lack of v6 support in much common gear, and so many other things seem to be all conspiring against v6 adoption. I need only point to v6 adoption rates to support that statement. This is an impediment that I've been idly pondering for some years now, which is why I rattle cages to encourage discussion whenever I see a promising opportunity. Put differently, you work in this arena too... you've presumably talked to stakeholders. Can you list some of the reasons people have provided for not adopting v6, and are any of them related to the v6 policies regarding address space? ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Re: ARIN IP6 policy for those with legacy IP4 Space
$quoted_author = Joe Greco ; Using the organization to justify the need for the organization is circular reasoning. I would have thought the role ARIN (and the other RIRs) has to play is clear from its charter (registration of number resources to ensure uniqueness and fair allocation of a finite resource). And the need for someone or something to serve that role is best highlighted when it fails (e.g. duplicate ASes in RIPE and ARIN last year). Anyways, the non-answers to these questions are very illuminating. Feel free to not deploy IPv6. Or get a /48 from a tunnel broker or your ISP. You have plenty of options, just one of which is provider independent space from ARIN. cheers Marty
Re: ARIN IP6 policy for those with legacy IP4 Space
On Fri, Apr 09, 2010 at 06:09:19AM -0500, Joe Greco wrote: 1) Justify why we need a heavy bureaucracy such as ARIN for IPv6 numbering resources, Because the members of ARIN (and the other four RIRs) want it that way. And because nobody has yet made a serious proposal to ICANN that would replace ARIN. Using the organization to justify the need for the organization is circular reasoning. 2) Tell me why something like the old pre-depletion pre-ARIN model of InterNIC and just handing out prefixes with substantially less paper-pushing wouldn't result in a cheaper-to-run RIR. Because the ARIN members, who pay most of ARIN's fees, are not complaining about the level of those fees. This means that they think the fees are cheap enough, or else they would demand that the fees be changed. All ARIN fees are set by the ARIN members. Again, ... Anyways, the non-answers to these questions are very illuminating. This is an answer though. The vast majority of people who need address space in North America are ARIN members. These ARIN members are happy with the current organisation. If the set of people who need IP address tend towards being happy with the current system, there is no reason to change it for a new system, which they may not be happy with. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples. -- --
Re: ARIN IP6 policy for those with legacy IP4 Space
$quoted_author = Joe Greco ; Perhaps the true issue is that what you see as broken is perceived as working as intended by much of the community and membership? That's a great point. Would you agree, then, that much of the community and membership implicitly sees little value in IPv6? Is that orthogonal to Owen's statement? You can claim that's a bit of a stretch, but quite frankly, the RIR policies, the sketchy support by providers, the lack of v6 support in much common gear, and so many other things seem to be all conspiring against v6 adoption. I need only point to v6 adoption rates to support that statement. Which rates would those be? http://www.ipv6actnow.org/info/statistics/ IPv6 has had a slow start but it's certainly picking up. cheers Marty
Re: Behold - the Address-Yenta!
On Apr 9, 2010, at 4:17 AM, Randy Bush wrote: john, addresses are assets. ... Randy - You may believe that IP addresses are assets; feel free to do so. ARIN's position follows RFC 2008 and RFC 2050 and will continue to do so until the community directs otherwise. For the legal discussion, see: http://www.chtlj.org/sites/default/files/media/articles/v024/v024.i2.Ryan.pdf people will transfer assets. get over it. ARIN recognizes transfers of IP address blocks to designated recipients under the transfer policy which was extensively discussed by this community and adopted in June of last year: https://www.arin.net/policy/nrpm.html#eight3 Other regional registries have also adopted transfer policies. That is not the question. The question discussed is the practice of performing resource review as a result of fraudulent applications. This is clearly intended by the community in NRPM section 12 https://www.arin.net/policy/nrpm.html#twelve so ARIN will do its best to enforce the policy as adopted. /John John Curran President and CEO ARIN
Re: ARIN IP6 policy for those with legacy IP4 Space
In my experience ARIN/RIR policies have not been a noticeable barrier to IPv6 adoption. Lack of IA/security gear tops the list for my clients, with WAN Acceleration a runner-up. /TJ On Apr 9, 2010 7:23 AM, Joe Greco jgr...@ns.sol.net wrote: I have my doubts, based on a ~decade of observation. I don't think ARIN is deliberately evil, but I think there are some bits that'd be hard to fix. I believe that anything at ARIN which the community at large and the membership can come to consensus is broken will be relatively easy to fix. Perhaps the true issue is that what you see as broken is perceived as working as intended by much of the community and membership? That's a great point. Would you agree, then, that much of the community and membership implicitly sees little value in IPv6? You can claim that's a bit of a stretch, but quite frankly, the RIR policies, the sketchy support by providers, the lack of v6 support in much common gear, and so many other things seem to be all conspiring against v6 adoption. I need only point to v6 adoption rates to support that statement. This is an impediment that I've been idly pondering for some years now, which is why I rattle cages to encourage discussion whenever I see a promising opportunity. Put differently, you work in this arena too... you've presumably talked to stakeholders. Can you list some of the reasons people have provided for not adopting v6, and are any of them related to the v6 policies regarding address space? ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net We call it th...
Re: Behold - the Address-Yenta!
The question discussed is the practice of performing resource review as a result of fraudulent applications. no. what was being discussed was transfers. you turned left, asserted that they were fraudulent, and told people to turn in their neighbors. randy
Re: ARIN IP6 policy for those with legacy IP4 Space
The vast majority of people who need address space in North America are ARIN members. These ARIN members are happy with the current organisation. If the set of people who need IP address tend towards being happy with the current system, there is no reason to change it for a new system, which they may not be happy with. not a useful argument. it amounts to the vast majority of the rich are happy being rich. randy
Re: ARIN IP6 policy for those with legacy IP4 Space
On Apr 8, 2010, at 4:35 PM, Joe Greco wrote: The problem, as I've heard it, is that ARIN's fees are steep in order to pay for various costs. Since there isn't the economy of scale of hundreds of millions of domain names, and instead you just have ... what? Probably less than a hundred thousand objects that are revenue-generating? If you charge $1/yr for each registered object, that means your organizational budget is sufficient for one full time person, maybe two. At $100/yr, you have enough funding for some office space, some gear, and a small staff. Joe - Your financial breakdown is heading the right direction, but let me help out with some more information (FYI - ARIN's 2009 Budget is available at https://www.arin.net/about_us/corp_docs/budget.html, and the 2010 one should be there sometime next week.) ARIN runs about a $15M annual operating expense. As you noted below, it can be hard to separate into distinct 'products', and in fact, in some cases it is not appropriate to separate since one function (e.g. support for public policy development) might actually be a prerequisite for another (i.e. new address allocations). I am actually working to get more service-oriented cost information going forward, but this is non-trivial to make happen. In terms of fees, we have about 3500 ISPs (whose registration subscription service fees cover the bulk of ARIN's expenses, i.e. an average of several thousand dollars per ISP per year) In other fees, we have over 1000 end-user organizations and presently about 800 legacy RSA holders which pay $100/year for maintenance. This doesn't really cover much expense, and that is quite appropriate since handling registration services requests (and the supporting public policy process) does dominate the expenses of ARIN, at least today. The question is how that evolves over time, particularly if the level of registration services requests in a post-IPv6 world is very modest.
At that point, ARIN's expenses will be predominantly registry systems support, and whatever public policy process the community wishes us to maintain. These costs will need to be predominantly covered by the maintenance fees, and will support the objects in the database, which includes the resource records of 3500 ISPs, 1000+ enduser organizations, the signed LRSA holders, and estimated 15000 legacy resource holders who have not signed an LRSA... At the end of the day, the Board of Trustees will determine the best fee schedule to provide for cost-recovery of whatever functions are needed for the mission at that time. So when you run into expensive stuff, like litigation, the best course of action is to avoid it unless you absolutely can't. Correct. Further, if you've suffered mission creep and are funding other things such as IPv6 educational outreach, that's going to run up your costs as well. Presently, IPv6 outreach is not considered mission creep, as it has been an overwhelming request of the community both online and in the public policy meetings. An established entity like ARIN typically has a very rough time going on any sort of diet. Further, companies typically do not segregate their products well: if IPv4 policy enforcement runs into legal wrangling and lawsuits, ARIN as a whole gets sued, and it is tempting to spread the resulting expenses over all their products. Segregation into two (or more!) entities is a trivial way to fix that, though it also brings about other challenges. Absolutely correct. I think it is possible to understand those costs better, but in some cases they can't be put into separate organizations without some changes to structural assumptions about ARIN's mission. I have my doubts, based on a ~decade of observation. I don't think ARIN is deliberately evil, but I think there are some bits that'd be hard to fix. Joe - If you want to improve ARIN policy, jump right in. 
If you want to propose policy for the sake of changing the nature of the organization, that's also fine, if you contact me I'll assist in providing estimates of cost savings and structural changes that can result from your proposals. At the end of the day, it will be the community's discussion of your proposal, and the AC Boards consideration of the discussion which will decide the matter. /John John Curran President and CEO ARIN
Re: ARIN IP6 policy for those with legacy IP4 Space
[context restored] If you don't have a contract with ARIN, why should ARIN provide you with anything? [I replied] Because a legacy holder doesn't care about ARIN i do not think that statement is defensible there is a difference between caring and being willing to give up rights for no benefit I meant in the context of an answer to the question above. A legacy holder doesn't really care _who_ is currently providing the services that InterNIC once provided. It doesn't matter to me if our legacy space is currently handled by ARIN, RIPE, APNIC, ICANN, or whatever. Put less tersely: We were assigned space, under a policy whose purpose was primarily to guarantee uniqueness in IPv4 numbering. As with other legacy holders, we obtained portable space to avoid the technical problems associated with renumbering, problems with in-addr.arpa subdelegation, etc. Part of that was an understanding that the space was ours (let's not get distracted by any ownership debate, but just agree for the sake of this point that it was definitely understood that we'd possess it). This served the good of the Internet by promoting stability within an AS and allowed us to spend engineering time on finer points (such as maintaining PTR's) rather than renumbering gear every time we changed upstreams. Eventually InterNIC was disbanded, and components went in various directions. ARIN landed the numbering assignment portion of InterNIC. Along with that, maintenance of the legacy resources drifted along to ARIN. ARIN might not have a contract with us, or with other legacy holders. It wasn't our choice for ARIN to be tasked with holding up InterNIC's end of things. However, it's likely that they've concluded that they better do so, because if they don't, it'll probably turn into a costly legal battle on many fronts, and I doubt ARIN has the budget for that. As a legacy holder, we don't really care who is currently responsible for legacy maintenance/etc. 
However, whoever it is, if they're not going to take on those responsibilities, that's a problem. The previous poster asked, If you don't have a contract with ARIN, why should ARIN provide you with anything? Well, the flip side to that is, ARIN doesn't have a contract with us, but we still have copies of the InterNIC policies under which we were assigned space, and ARIN undertook those duties, so ARIN is actually the one with significant worries if they were to try to pull anything, otherwise, we don't really care. Is that a suitable defense of that statement (which might not have been saying quite what you thought)? ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Re: ARIN IP6 policy for those with legacy IP4 Space
On Apr 8, 2010, at 2:51 PM, Kevin Stange wrote: On 04/08/2010 01:47 PM, Dorn Hetzel wrote: If there was an automatic website that just handed out up to a /40 on demand, and charged a one-time fee of $100, I don't think the space would ever be exhausted, there isn't enough money. I'd hate to see that routing table. Another bright gentleman many years ago suggested that we have an online website which allows anyone to pay a fee and get an address block. This is not inconceivable, but does completely set aside hierarchical routing which is currently an underlying mechanism for making our addressing framework scalable. Another way to accomplish this would be a functional global model for the settlement of costs relating to routing entries, and which would effectively be against routing entries caused by unique provider-independent prefixes. ISPs today don't get specifically compensated for routing a PI address block, but they do get to participate in the various RIR processes and have some say in the impacts of public policies as they are discussed. Historically, this has proved to be sufficient input that ISPs generally respect the tradeoffs inherent in the approved policy, and will route the result. If you have an economic mechanism which handles this function instead, and an abundance of resources (e.g. IPv6), then it might be possible to operate under very different assumptions than the present Internet registry system, and the resulting costs of operating the registry portion could be minimal. The implementation of this is left as an exercise for the reader... /John p.s. These are my personal thoughts only and in no way reflect any position of ARIN or the ARIN Board of Trustees. I provide them solely to help outline some of the tradeoffs inherent in the current Registry system.
Re: BGP hijack from 23724 - 4134 China?
On Thu, Apr 08, 2010 at 06:29:07PM -0600, Beavis wrote: Is it possible for you to share that filter list you have for china? See ipdeny.com for allocations covering about 225 countries. Alternatively, please see http://www.okean.com/asianspamblocks.html for lists that cover China and Korea only. The former is furnished in CIDR; the latter in CIDR, Apache htaccess, Cisco ACL, and Linux iptables. ---Rsk
Re: ARIN IP6 policy for those with legacy IP4 Space
On Apr 9, 2010, at 8:27 AM, Joe Greco wrote: Eventually InterNIC was disbanded, and components went in various directions. ARIN landed the numbering assignment portion of InterNIC. Along with that, maintenance of the legacy resources drifted along to ARIN. Correct (ARIN is the successor registry) ARIN might not have a contract with us, or with other legacy holders. It wasn't our choice for ARIN to be tasked with holding up InterNIC's end of things. However, it's likely that they've concluded that they better do so, because if they don't, it'll probably turn into a costly legal battle on many fronts, and I doubt ARIN has the budget for that. ARIN has a budget which includes legal reserves for contingencies such as these, but would need to have a clear direction supported by the community before taking any action in this area. As a legacy holder, we don't really care who is currently responsible for legacy maintenance/etc. However, whoever it is, if they're not going to take on those responsibilities, that's a problem. The previous poster asked, If you don't have a contract with ARIN, why should ARIN provide you with anything? Well, the flip side to that is, ARIN doesn't have a contract with us, but we still have copies of the InterNIC policies under which we were assigned space, and ARIN undertook those duties, so ARIN is actually the one with significant worries if they were to try to pull anything, otherwise, we don't really care. Alas, Joe, ARIN will follow the policies directed by the community with respect to service provided to legacy address holders, and invites you to participate in that community to help establish those policies. If the community directs ARIN to provide some set of services to legacy address holders for free, or on a cost recovery, or whatever, ARIN will comply. 
You may not have realized it when you received your address allocation, but you were implicitly joining a community which includes the IAB/IETF, IANA, and ARIN, and opting to ignore that community does not necessarily mean you won't be affected by its policies. /John John Curran President and CEO ARIN
RE: FCC dealt major blow in net neutrality ruling favoring Comcast
In Europe you rarely encounter courts circumscribing regulatory power. And it is well known that the District Court is dominated by anti-regulatory judges. -Original Message- From: Michael Holstein [mailto:michael.holst...@csuohio.edu] Sent: Tue 4/6/2010 7:40 PM To: Patrick W. Gilmore Cc: NANOG list Subject: Re: FCC dealt major blow in net neutrality ruling favoring Comcast http://thehill.com/blogs/hillicon-valley/technology/90747-fcc-dealt-major-blow-in-net-neutrality-ruling-favoring-comcast Seems on-topic, even though policy related.
Re: ARIN IP6 policy for those with legacy IP4 Space
On Apr 9, 2010, at 9:58 AM, Curtis Maurand wrote: According to the docs that I read that's 1250 for the first year and 100/yr thereafter. The big boys pay more up front, but pay $100.00 per year thereafter. There's the competitive disadvantage. ATT, Comcast, Time-Warner pay $100.00/yr for huge address space while the little by pays $100.00/yr for a comparatively tiny one. Something's not quite right with that structure. A large *end-user* pays maintenance fees of $100/year. ISPs pay an annual registration services subscription fee each year, proportional to the size of aggregate address space held. /John John Curran President and CEO ARIN
ARIN XXV Policy Discussions
One important note for NANOG folks - The ARIN XXV Public Policy and Members Meeting will be held in 10 days in Toronto. There are policy proposals which may affect you being discussed. You may participate in discussing these on the ARIN PPML mailing list or during the meeting via remote participation (details attached). My apologies for forwarding this message, but I would be remiss to not bring these policy discussions to your attention. Thank you! /John John Curran President and CEO ARIN

Begin forwarded message:
From: Member Services i...@arin.net
Date: April 9, 2010 10:04:52 AM EDT
To: arin-annou...@arin.net
Subject: [arin-announce] ARIN XXV Policy Discussions

The ARIN XXV Public Policy and Members Meeting will be held very soon in Toronto. Whether you’re attending in person or participating remotely, be sure to review the agenda so you don’t miss your chance to share your thoughts during the policy discussions:

Monday, 19 April
2010-3: Customer Confidentiality
2010-6: Simplified MA transfer policy
2010-2: /24 End User Minimum Assignment Unit
2010-5: Reduce and Simplify IPv4 Initial Allocations

Tuesday, 20 April
2010-7: Simplified IPv6 policy
2010-8: Rework of IPv6 assignment criteria
2010-4: Rework of IPv6 allocation criteria
2010-1: Waiting List for Unmet IPv4 Requests

View the agenda for specific times at https://www.arin.net/ARIN-XXV/agenda.html. The agenda is subject to change, but we will make every effort not to change the times for policy discussions. We will be sending daily agenda updates to all attendees and registered remote participants. You can also follow us on Twitter @TeamARIN for schedule updates. Be sure to use the #arin25 tag for your own tweets about the meeting. Complete information on the text of the draft policies being discussed is available at https://www.arin.net/policy/proposals/.
If you’re not able to be there in person, you can still take advantage of remote participation features that will allow your voice to be heard during critical policy discussions. In addition to following the video or audio webcast, you can read along with the live transcript, submit questions and comments, and vote in straw polls via Jabber chat. To register as a remote participant, learn more about the remote participation services, or access the meeting materials please go to https://www.arin.net/ARIN-XXV/remote.html. We look forward to your participation. Regards, Member Services American Registry for Internet Numbers (ARIN)
Re: BGP hijack from 23724 - 4134 China?
Is it possible for you to share that filter list you have for china? im getting bogged down by those ssh-bruts as well coming in from china. Good ones available here : in several notations (including Cisco ACL) : http://www.okean.com/antispam/china.html Cheers, Michael Holstein Cleveland State University
Re: ARIN IP6 policy for those with legacy IP4 Space
On 4/8/2010 10:32 AM, Stephen Sprunk wrote: On 07 Apr 2010 18:40, N. Yaakov Ziskind wrote: I don't think the issue is *money* (at least the big issue; money is *always* an issue), but rather the all-of-sudden jump from being unregulated to regulated, whatever that means. ARIN is not a regulator. The jump is from not paying for services that you have no contract for to paying for services that you do have a contract for. BULL SH*T, ARIN makes determinations as to how many IP addresses it will issue and in that sense it is exactly a regulator. I would think multiple times before making that jump. Hence my suggestion to set up a separate organization to request IPv6 space, and thus not 'endanger' whatever I had before. Signing an RSA to get new space does not _in any way_ endanger or otherwise affect legacy resources. Putting legacy resources under LRSA (or RSA, if you wished) is a completely separate action and is, for now at least, completely optional. You do not need to set up a separate organization; all that does is waste your time and ARIN's. S
Re: ARIN IP6 policy for those with legacy IP4 Space
On 4/9/2010 10:10 AM, John Curran wrote: A large *end-user* pays maintenance fees of $100/year. ISPs pay an annual registration services subscription fee each year, proportional to the size of aggregate address space held. I stand corrected. I misunderstood the doc. I could never read. :-) --Curtis
Re: BGP hijack from 23724 - 4134 China?
So basically, the idea is to disconnect China's Internet even more than what it inflicts to itself? How fun. What was the FCC/Comcast case about again? I'm totally against this practice, but if you (stupidly) want to apply it, do it for good. http://ftp.apnic.net/stats/apnic/delegated-apnic-latest grep '|CN|ipv4|' and to get your network length from the number of IP in the range: $len=32-log($num_of_IP)/log(2) Michael Holstein wrote: Is it possible for you to share that filter list you have for China? I'm getting bogged down by those ssh-bruts as well coming in from China. Good ones available here : in several notations (including Cisco ACL) : http://www.okean.com/antispam/china.html Cheers, Michael Holstein Cleveland State University
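The conversion described in the message above, as an added example that is not part of the original post: it parses records in the RIR delegated-statistics layout and turns each one into exact CIDR prefixes, covering the case the log formula misses, where an IPv4 record's address count is not a power of two. The sample data, the country codes ZZ and YY, and all function names are constructed for illustration.

```python
import ipaddress
import math

# Constructed sample in the RIR "delegated" statistics layout
# (registry|cc|type|start|value|date|status). The country codes ZZ/YY and the
# documentation address ranges are placeholders, not real delegations.
SAMPLE = """\
# constructed sample, not real APNIC data
2|apnic|20100409|5|19830613|20100408|+1000
apnic|*|ipv4|*|3|summary
apnic|ZZ|ipv4|192.0.2.0|256|20100101|allocated
apnic|ZZ|ipv4|198.51.100.0|192|20100101|assigned
apnic|YY|ipv4|203.0.113.0|128|20100101|allocated
apnic|ZZ|ipv6|2001:db8::|32|20100101|allocated
apnic|ZZ|asn|64496|1|20100101|allocated
"""


def naive_prefix_len(count):
    """Formula from the message: 32 - log(count)/log(2).

    The result is fractional whenever count is not a power of two.
    """
    return 32 - math.log(count) / math.log(2)


def record_to_networks(rec_type, start, value):
    """Turn one delegation record into the exact CIDR networks it covers."""
    if rec_type == "ipv6":
        # For ipv6 records the value field is already a prefix length.
        return [ipaddress.ip_network(f"{start}/{value}")]
    # For ipv4 records the value field is an address count. It need not be a
    # power of two, and the start address need not be aligned to it, so the
    # range may need several prefixes.
    first = ipaddress.IPv4Address(start)
    last = first + (int(value) - 1)
    return list(ipaddress.summarize_address_range(first, last))


def prefixes_for(text, cc):
    """Return collapsed CIDR strings (IPv4 first, then IPv6) for one country code."""
    v4, v6 = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        fields = line.split("|")
        if len(fields) < 7:
            continue  # per-type summary lines carry only six fields
        _registry, country, rec_type, start, value, _date, status = fields[:7]
        # The version header also has seven fields, but its second field is
        # the registry name, so the country filter skips it.
        if country != cc or rec_type not in ("ipv4", "ipv6"):
            continue
        if status not in ("allocated", "assigned"):
            continue
        nets = record_to_networks(rec_type, start, value)
        (v4 if rec_type == "ipv4" else v6).extend(nets)
    # collapse_addresses() rejects mixed address families, so merge per family.
    merged = list(ipaddress.collapse_addresses(v4))
    merged += list(ipaddress.collapse_addresses(v6))
    return [str(net) for net in merged]


if __name__ == "__main__":
    print("naive length for 192 addresses:", round(naive_prefix_len(192), 3))
    for prefix in prefixes_for(SAMPLE, "ZZ"):
        print(prefix)
```
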
Re: ARIN IP6 policy for those with legacy IP4 Space
On Apr 9, 2010, at 4:09 AM, Joe Greco wrote: 1) Justify why we need a heavy bureaucracy such as ARIN for IPv6 numbering resources, Because the members of ARIN (and the other four RIRs) want it that way. And because nobody has yet made a serious proposal to ICANN that would replace ARIN. Using the organization to justify the need for the organization is circular reasoning. He didn't use the organization. He used the members of the organizations. The fact is that the majority of the members of the organization(s) are sufficiently happy with the status quo that they have not seen fit to change it. If the members of ARIN want to change or eliminate the organization, it is within their power to do so. 2) Tell me why something like the old pre-depletion pre-ARIN model of InterNIC and just handing out prefixes with substantially less paper-pushing wouldn't result in a cheaper-to-run RIR. Because the ARIN members, who pay most of ARIN's fees, are not complaining about the level of those fees. This means that they think the fees are cheap enough, or else they would demand that the fees be changed. All ARIN fees are set by the ARIN members. Again, ... Anyways, the non-answers to these questions are very illuminating. While this may not be the answer you wanted, I do not think it is a non-answer. ARIN is a membership driven organization. The members have the power to change the organization. There will be another election this fall. If you think there is significant support for changing the organization, then you should run for the Board of Trustees and champion those changes. Owen
Re: ARIN IP6 policy for those with legacy IP4 Space
This is an answer though. The vast majority of people who need address space in North America are ARIN members. These ARIN members are happy with the current organisation. If the set of people who need IP address tend towards being happy with the current system, there is no reason to change it for a new system, which they may not be happy with. Actually, I don't believe that is completely true. The vast majority of address space in North America is given to ARIN members. However, the vast majority of people who need address space in North America are end users, most of whom get their address space from ARIN members or descendent LIRs from ARIN members. In some cases, they are end users who get address space from ARIN but are not ARIN members. Some end users are ARIN members, but, I do not believe the majority of them are. I'm not saying there is anything wrong with it being this way, just that it is an important distinction in address consumption vs. membership. Owen
Re: ARIN IP6 policy for those with legacy IP4 Space
On Apr 9, 2010, at 4:39 AM, Martin Barry wrote: $quoted_author = Joe Greco ; Perhaps the true issue is that what you see as broken is perceived as working as intended by much of the community and membership? That's a great point. Would you agree, then, that much of the community and membership implicitly sees little value in IPv6? I really don't know how much or how little value is seen in IPv6 by much of the community. I see tremendous value in IPv6. I also see a number of flaws in IPv6 (failure to include a scalable routing paradigm, for example). Nonetheless, IPv4 is unsustainable going forward (NAT is bad enough, LSN is even worse). I do believe that IPv6 is being deployed and that deployment is accelerating. I'm actually in a pretty good position to see that happen since I have access to flow statistics for a good portion of the IPv6 internet. The IPv6 internet today is already carrying more traffic than the IPv4 internet carried 10 years ago. Many others see value in IPv6. Comcast and Verizon have both announced residential customer IPv6 trials. Google, You Tube and Netflix are all available as production services on IPv6. Yahoo has publicly announced plans to have production services on IPv6 in the near future although they have not yet announced specific dates. I leave it up to you to consider whether that constitutes much of the community or not. Is that orthogonal to Owen's statement? I don't see how the term orthogonal would apply here. You can claim that's a bit of a stretch, but quite frankly, the RIR policies, the sketchy support by providers, the lack of v6 support in much common gear, and so many other things seem to be all conspiring against v6 adoption. I need only point to v6 adoption rates to support that statement. Which rates would those be? http://www.ipv6actnow.org/info/statistics/ IPv6 has had a slow start but it's certainly picking up. IPv6 started approximately 20 years behind IPv4. 
It's already caught up with IPv4 traffic levels of 10 years ago. Deployment is accelerating and IPv4 will hit a sustainability wall in the near future. Owen
Re: Behold - the Address-Yenta!
John, On Apr 9, 2010, at 1:43 AM, John Curran wrote: ARIN's position follows RFC 2008 This seems to be contradicted by ARIN's (perfectly reasonable) policies regarding the assignment of provider independent address space to end users. As to whether addresses are assets, I suspect we'll have to wait until the courts rule. I'm sure folks at Networld+InterOp, Apple, HP, etc. will be quite surprised if the courts rule according to ARIN's views. The question discussed is the practice of performing resource review as a result of fraudulent applications. Actually, no. The question was whether the practice of creating a company to hold IP addresses then selling that company to another organization was considered by ARIN to be fraudulent. In the particular (historical) cases I'm aware of, the address space in question was legacy /24s and the transfers were done (as I understand it) according to ARIN policies of the time. Speaking personally (of course), I'll admit a certain lack of comfort with the idea of ARIN (or any RIR) acting as lawmaker, police, judge, jury, and (assuming RPKI gets deployed) executioner. Regards, -drc
Re: ARIN IP6 policy for those with legacy IP4 Space
Put differently, you work in this arena too... you've presumably talked to stakeholders. Can you list some of the reasons people have provided for not adopting v6, and are any of them related to the v6 policies regarding address space? Reasons: + Fear People simply fear deploying new technology to their environment. + Uncertainty The future is uncertain. Many people fail to realize that IPv4's future is even more uncertain than that of IPv6. + Doubt You are not the only one expressing doubt in IPv6. The reality, however, is that I think that LSN and a multi-layer NAT internet are even more worthy of doubt than IPv6. + Inertia Many people are approaching this like driving at night with the headlights off. They refuse to alter course until they can see the wall. There is a wall coming in two years whether you can see it or not. If you have not begun to deploy IPv6 (changed course), then there will soon come a point where the accident has already occurred, even though you cannot yet see the wall and have not yet made physical contact with it. A classic example of this phenomenon would be a certain large unsinkable ship where the captain chose to try and make better time to New York rather than use a lower speed to have time to avoid ice bergs. The ship never arrived in New York and its name became an adjective to describe large disasters. Owen
Re: ARIN IP6 policy for those with legacy IP4 Space
On 4/9/2010 12:30 PM, Owen DeLong wrote: Put differently, you work in this arena too... you've presumably talked to stakeholders. Can you list some of the reasons people have provided for not adopting v6, and are any of them related to the v6 policies regarding address space? Reasons: (many excellent reasons removed) Let me just add on: +Bonus Fear: Because IPv6 deployments are small and vendors are still ironing out software, there's concern that deploying it in a production network could cause issues. (Whether or not this fear is legitimate with vendor x, y, or z isn't the issue. The fear exists.) +Bonus Uncertainty: There is a lack of consensus on how IPv6 is to be deployed. For example, look at the ongoing debates on point to point network sizes and the /64 network boundary in general. There's also no tangible benefit to deploying IPv6 right now, and the tangible danger that your v6 deployment will just have to be redone because there's some flaw in the current v6 protocol or best practices that will be uncovered. +Bonus Doubt: Because we've been told that IPv4 will be dead in 2 years for the last 20 years, and that IPv6 will be deployed and a way of life in 2 years for the past 10, nobody really believes it anymore. There's been an ongoing chant of wolf for so long, many people won't believe it until things are much, much worse. -Dave
Re: NAT444 vs IPv6 (was RE: legacy /8)
On Apr 7, 2010, at 11:29 AM, Lee Howard wrote: Can you provide pointers to these analyses? Any evidence-backed data showing how CGN is more expensive would be very helpful. It depends. ... That math may or may not make sense for your network.. Right. My question was more along the lines of pointers to written up case studies, empirical analyses, actual cost comparisons, etc. between CGNs and IPv6 that could be presented (in summarized form) to executives, government officials, etc. Regards, -drc
Re: ARIN IP6 policy for those with legacy IP4 Space
Put less tersely: We were assigned space, under a policy whose purpose was primarily to guarantee uniqueness in IPv4 numbering. As with other legacy holders, we obtained portable space to avoid the technical problems associated with renumbering, problems with in-addr.arpa subdelegation, etc. So far, correct. Part of that was an understanding that the space was ours (let's not get distracted by any ownership debate, but just agree for the sake of this point that it was definitely understood that we'd possess it). This served the good of the Internet by promoting stability within an AS and allowed us to spend engineering time on finer points (such as maintaining PTR's) rather than renumbering gear every time we changed upstreams. This is fictitious unless you are claiming that your allocation predates: RFC2050 November, 1996 RFC1466 May, 1993 RFC1174 August, 1990 Prior to that, it was less clear, but, the concept was still generally justified need so long as that need persisted. Eventually InterNIC was disbanded, and components went in various directions. ARIN landed the numbering assignment portion of InterNIC. Along with that, maintenance of the legacy resources drifted along to ARIN. Actually, ARIN was spun off from InterNIC (containing most of the same staff that had been doing the job at InterNIC) well before InterNIC was disbanded. ARIN might not have a contract with us, or with other legacy holders. It wasn't our choice for ARIN to be tasked with holding up InterNIC's end of things. However, it's likely that they've concluded that they better do so, because if they don't, it'll probably turn into a costly legal battle on many fronts, and I doubt ARIN has the budget for that. This is going to be one of those situations that could become a legal battle on many fronts either way. 
On the one hand you have legacy holders who have no contractual right to services from anyone (If you want to pursue InterNIC for failing to live up to whatever agreement you have/had with them, I wish you the very best of luck in that endeavor, especially since you don't have a written contract from them, either). On the other hand, in a relatively short timeframe, you are likely to have litigants asking why ARIN has failed to reclaim/reuse the underutilized IPv4 space sitting in so many legacy registrations. Which of those two bodies of litigants is larger or better funded is left as an exercise for the reader. Nonetheless, ARIN is going to be in an interesting position between those two groups (which one is rock and which is hard place is also left as an exercise for the reader) going forward regardless of what action is taken by ARIN in this area. That is why the legacy RSA is important. It represents ARIN trying very hard to codify and defend the rights of the legacy holders. As a legacy holder, we don't really care who is currently responsible for legacy maintenance/etc. However, whoever it is, if they're not going to take on those responsibilities, that's a problem. You assume that anyone is currently responsible. What documentation do you have that there is any such responsibility? As a point in fact, ARIN has, for the good of the community, extended the courtesy of maintaining those records and providing services to legacy holders free of charge because it is perceived as being in the best interests of the community. The previous poster asked, If you don't have a contract with ARIN, why should ARIN provide you with anything? Well, the flip side to that is, ARIN doesn't have a contract with us, but we still have copies of the InterNIC policies under which we were assigned space, and ARIN undertook those duties, so ARIN is actually the one with significant worries if they were to try to pull anything, otherwise, we don't really care. 
Could you please provide those to Steve Ryan, John Curran, and, ideally, I'd like to see them too. Is that a suitable defense of that statement (which might not have been saying quite what you thought)? I don't know. I have yet to see the content of the documents which you claim are your defense. Owen
Re: Running out of IPv6 (Re: ARIN IP6 policy for those with legacy IP4 Space)
If you have downstream customers, even if they're just dialups, expect to assign at least a /60 to each one. Many folks recommend /56 or /48. ARIN counts a /56 or a /48 per customer, your choice. There is no point in allocating less. More to the point, soon the IPv4 address shortage and the transition to IPv6 will hit the mainstream press, and hundreds of writers will be writing advice columns about it. From their point of view, more for the customer at the same price is better, and I fully expect that they will be advising folks to make their ISP choice based on how much address space is allocated. If you allocate less than a /56 per customer, then you won't be able to sell to new customers or hang on to old ones. Just don't do it, because you are only damaging your own business. ARIN will not give you a discount or give you better terms just because you allocate a /60 to dialup customers. There is simply no benefit to you or to the networking community in allocating a prefix longer than /56. --Michael Dillon
Re: ARIN IP6 policy for those with legacy IP4 Space
On Apr 9, 2010, at 6:58 AM, Curtis Maurand wrote: On 4/8/2010 7:18 PM, Gary E. Miller wrote: Since I just need one /64 that is $1,250/yr for the /64. That puts me at a large competitive disadvantage to the big boys. According to the docs that I read that's 1250 for the first year and 100/yr thereafter. The big boys pay more up front, but pay $100.00 per year thereafter. There's the competitive disadvantage. ATT, Comcast, Time-Warner pay $100.00/yr for huge address space while the little by pays $100.00/yr for a comparatively tiny one. Something's not quite right with that structure. Cheers, Curtis No. ATT, Comcast, Time-Warner are not End-Users. They are ISPs. They pay ISP fees. I believe each of the ones you mention are in the X-large category, thus paying $18,000/year, not $100/year. An ISP which needs less than a /40 (which currently has no supporting allocation policy) would pay $1250/year. However, the nature of current IPv6 allocation policy is that an ISP would get a /32 and the minimum ISP IPv6 fee would, therefore, be $2,250/year. An end user pays $1,250 for anything smaller than a /40 (usually a /48) once, then, $100/year thereafter for ALL of their resources. Owen
Re: ARIN IP6 policy for those with legacy IP4 Space
On Apr 9, 2010, at 7:30 AM, todd glassey wrote: On 4/8/2010 10:32 AM, Stephen Sprunk wrote: On 07 Apr 2010 18:40, N. Yaakov Ziskind wrote: I don't think the issue is *money* (at least the big issue; money is *always* an issue), but rather the all-of-sudden jump from being unregulated to regulated, whatever that means. ARIN is not a regulator. The jump is from not paying for services that you have no contract for to paying for services that you do have a contract for. BULL SH*T, ARIN makes determinations as to how many IP addresses it will issue and in that sense it is exactly a regulator. No, ARIN is not a regulator. Regulators have guns or access to people with guns to enforce the regulations that they enact. ARIN has no such power. The FCC is a regulator. The California PUC is a regulator. ARIN is not a regulator. Owen
Re: China prefix hijack
On Apr 10, 2010, at 12:17 AM, Paul Vixie wrote: are we all freaking out especially much because this is coming from china today, and we suppose there must be some kind of geopolitical intent because china-vs-google's been in the news a lot today? There's been a fair amount of speculation that at least some of these incidents may be related to censorship mechanisms, and a further tendency to conflate them, rather than looking more closely at the dynamics of each occurrence. --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Injustice is relatively easy to bear; what stings is justice. -- H.L. Mencken
Re: ARIN IP6 policy for those with legacy IP4 Space
On Apr 9, 2010, at 2:34 AM, John Curran wrote: Another bright gentleman many years ago suggested that we have an online website which allows anyone to pay a fee and get an address block. This is not inconceivable, but does completely set aside hierarchical routing which is currently an underlying mechanism for making our addressing framework scalable. Doesn't end user PI assignment already do this? Note I'm not arguing against end user PI assignment policy, rather just making the observation that given IPv6 did not address routing scalability, the path we're heading down is obvious, the only question is how fast. The problem is that ARIN is getting in the way of people (some of which are ARIN members) dumping nitrous into the combustion chamber. This doesn't seem like a stable, long term viable situation to me. Regards, -drc
Re: ARIN IP6 policy for those with legacy IP4 Space
Owen, On Apr 9, 2010, at 7:07 AM, Owen DeLong wrote: No, ARIN is not a regulator. Regulators have guns or access to people with guns to enforce the regulations that they enact. ARIN has no such power. I'm a little confused on the distinction you're making. Today, ARIN can remove whois data/reverse delegations as a way of enforcing 'regulations'. In the future, assuming RPKI is deployed, ARIN could, in theory, revoke the certification of a resource. While not a gun, these are means of coercion. Are you being literal when you say gun or figurative? Regards, -drc
Re: ARIN IP6 policy for those with legacy IP4 Space
On Apr 8, 2010, at 11:32 AM, Michael Dillon wrote: All ARIN fees are set by the ARIN members. No they are not. Regards, -drc
Re: ARIN IP6 policy for those with legacy IP4 Space
On Fri, Apr 9, 2010 at 1:07 PM, Owen DeLong o...@delong.com wrote: On Apr 9, 2010, at 7:30 AM, todd glassey wrote: BULL SH*T, ARIN makes determinations as to how many IP addresses it will issue and in that sense it is exactly a regulator. No, ARIN is not a regulator. Regulators have guns or access to people with guns to enforce the regulations that they enact. ARIN has no such power. The FCC is a regulator. The California PUC is a regulator. ARIN is not a regulator. Last I heard, the FCC has access to people with law degrees not guns. Much like ARIN, really. Regards, Bill Herrin -- William D. Herrin her...@dirtside.com b...@herrin.us 3005 Crane Dr. .. Web: http://bill.herrin.us/ Falls Church, VA 22042-3004
Re: ARIN IP6 policy for those with legacy IP4 Space
On Fri, 9 Apr 2010, William Herrin wrote: Last I heard, the FCC has access to people with law degrees not guns. Much like ARIN, really. Oh really? So if I start using a frequency that requires a license and I don't have one, won't they tell me to stop? And if I say no, I won't stop, what happens then? Will they never call the cops and have them show up and forcibly shut down my equipment? And if I try to defend my equipment, will the cops not shoot me? Sorry, all government policies are enforced by guns. ARIN is not government, if I don't pay ARIN for my address space and keep using it anyway, no cops will show up at my door. Sure my upstreams may decide to shut off my announcements, but a gun never gets involved. -- Brandon Ross AIM: BrandonNRoss
Re: ARIN IP6 policy for those with legacy IP4 Space
On Apr 9, 2010, at 1:26 PM, David Conrad wrote: Doesn't end user PI assignment already do this? Note I'm not arguing against end user PI assignment policy, rather just making the observation that given IPv6 did not address routing scalability, the path we're heading down is obvious, the only question is how fast. David, The ISPs participating in ARIN get to discuss the impact of various allocation thresholds on their routing during the policy development process. If you have a magic vendor machine issuing prefixes to all comers regardless of need, then the routing scalability problem becomes much, much poignant, and the ability of the community to course correct is zero. /John
Re: ARIN IP6 policy for those with legacy IP4 Space
On 09 Apr 2010 12:34, David Conrad wrote: On Apr 9, 2010, at 7:07 AM, Owen DeLong wrote: No, ARIN is not a regulator. Regulators have guns or access to people with guns to enforce the regulations that they enact. ARIN has no such power. I'm a little confused on the distinction you're making. Today, ARIN can remove whois data/reverse delegations as a way of enforcing 'regulations'. In the future, assuming RPKI is deployed, ARIN could, in theory, revoke the certification of a resource. While not a gun, these are means of coercion. Are you being literal when you say gun or figurative? As Mao famously said, power grows from the barrel of a gun. Regulators have (either directly or indirectly) lots of guns at their disposal to enforce their will on those they regulate, i.e. their regulations have the force of law. In contrast, ARIN's policies do not have the force of law. If operators choose not to look in ARIN's WHOIS database to verify addresses are registered to some org, or they choose to use another RDNS provider, or they choose to use a RPKI certificate scheme not rooted at ARIN/ICANN, that is their choice and ARIN couldn't do a damn thing to stop them. ARIN has no guns. S -- Stephen Sprunk CCIE #3723 K5SSS God does not play dice. --Albert Einstein God is an inveterate gambler, and He throws the dice at every possible opportunity. --Stephen Hawking
Re: ARIN IP6 policy for those with legacy IP4 Space
Unless the IP you take belongs to the rbn, mafia, or a three letter government org. -- -- Brian Raaen Network Engineer bra...@zcorum.com On Friday 09 April 2010, Brandon Ross wrote: On Fri, 9 Apr 2010, William Herrin wrote: Last I heard, the FCC has access to people with law degrees not guns. Much like ARIN, really. Oh really? So if I start using a frequency that requires a license and I don't have one, won't they tell me to stop? And if I say no, I won't stop, what happens then? Will they never call the cops and have them show up and forcibly shut down my equipment? And if I try to defend my equipment, will the cops not shoot me? Sorry, all government policies are enforced by guns. ARIN is not government, if I don't pay ARIN for my address space and keep using it anyway, no cops will show up at my door. Sure my upstreams may decide to shut off my announcements, but a gun never gets involved. -- Brandon Ross AIM: BrandonNRoss
Re: ARIN IP6 policy for those with legacy IP4 Space
On Fri, Apr 9, 2010 at 1:50 PM, Brandon Ross br...@pobox.com wrote: On Fri, 9 Apr 2010, William Herrin wrote: Last I heard, the FCC has access to people with law degrees not guns. Much like ARIN, really. Oh really? So if I start using a frequency that requires a license and I don't have one, won't they tell me to stop? And if I say no, I won't stop, what happens then? Brandon, Fun movies notwithstanding, they generally issue a fine and work it through the civil courts. If you were doing something extraordinary, like jamming emergency communications, I expect they might well call the police for assistance. But those are police, not FCC agents, and they're acting as much on behalf of the folks whose signals you're jamming as they are on behalf of the FCC. You'll find that any of us (including ARIN) can summon police for assistance with assaults upon us. Regards, Bill Herrin -- William D. Herrin her...@dirtside.com b...@herrin.us 3005 Crane Dr. .. Web: http://bill.herrin.us/ Falls Church, VA 22042-3004
Re: ARIN IP6 policy for those with legacy IP4 Space
On 09 Apr 2010 12:43, William Herrin wrote: On Fri, Apr 9, 2010 at 1:07 PM, Owen DeLong o...@delong.com wrote: On Apr 9, 2010, at 7:30 AM, todd glassey wrote: BULL SH*T, ARIN makes determinations as to how many IP addresses it will issue and in that sense it is exactly a regulator. No, ARIN is not a regulator. Regulators have guns or access to people with guns to enforce the regulations that they enact. ARIN has no such power. The FCC is a regulator. The California PUC is a regulator. ARIN is not a regulator. Last I heard, the FCC has access to people with law degrees not guns. Much like ARIN, really. If you violate FCC regulations, their first step is to take you to court for violating their regulations, but if you ignore the court's ruling against you, people with guns (the FBI, IIRC) _will_ come stop your violations, whether that means putting you in jail or putting you in the ground. That is what the force of law means. ARIN's authority ends at the contract you signed with them, and their only remedy (not providing any further services) is specified in that contract. If you did not sign a contract with them, they have no authority at all--and no obligation to provide any services to you. ARIN policy therefore does _not_ have the force of law. You are free to ignore them if you wish, unlike a regulator. S -- Stephen Sprunk CCIE #3723 K5SSS God does not play dice. --Albert Einstein God is an inveterate gambler, and He throws the dice at every possible opportunity. --Stephen Hawking
capirca : Google Network Filtering Management
http://code.google.com/p/capirca/ Developed internally at Google, this system is designed to utilize common definitions of networks and services and high-level policy files to facilitate the development and manipulation of network access control filters (ACLs) for various platforms.
Re: Behold - the Address-Yenta!
On Apr 9, 2010, at 12:20 PM, David Conrad wrote: The question discussed is the practice of performing resource review as a result of fraudulent applications. Actually, no. The question was whether the practice of creating a company to hold IP addresses then selling that company to another organization was considered by ARIN to be fraudulent. In the particular (historical) cases I'm aware of, the address space in question was legacy /24s and the transfers were done (as I understand it) according to ARIN policies of the time. David - I didn't say that the practice of creating a company to hold IP addresses then selling that company to another organization was considered fraudulent by ARIN. I asked that you please report such cases, as depending on the specific circumstances they are *potentially* fraudulent. Speaking personally (of course), I'll admit a certain lack of comfort with the idea of ARIN (or any RIR) acting as lawmaker, police, judge, jury, and (assuming RPKI gets deployed) executioner. As a member of the community, you are free to propose changes to or elimination of the policies in the NRPM which you are not comfortable with; I expect that you will find them in sections 8 and 12. The policy development role is open to the community, but specifically not the ARIN Board and Staff, so there is perhaps a little more separation present than your email suggests. /John John Curran President and CEO ARIN
Weekly Routing Table Report
This is an automated weekly mailing describing the state of the Internet Routing Table as seen from APNIC's router in Japan. Daily listings are sent to bgp-st...@lists.apnic.net For historical data, please see http://thyme.apnic.net. If you have any comments please contact Philip Smith pfsi...@gmail.com.

Routing Table Report 04:00 +10GMT Sat 10 Apr, 2010
Report Website: http://thyme.apnic.net
Detailed Analysis: http://thyme.apnic.net/current/

Analysis Summary
BGP routing table entries examined: 317715
Prefixes after maximum aggregation: 146886
Deaggregation factor: 2.16
Unique aggregates announced to Internet: 154431
Total ASes present in the Internet Routing Table: 33740
Prefixes per ASN: 9.42
Origin-only ASes present in the Internet Routing Table: 29288
Origin ASes announcing only one prefix: 14309
Transit ASes present in the Internet Routing Table: 4452
Transit-only ASes present in the Internet Routing Table: 102
Average AS path length visible in the Internet Routing Table: 3.6
Max AS path length visible: 24
Max AS path prepend of ASN (32374): 19
Prefixes from unregistered ASNs in the Routing Table: 555
Unregistered ASNs in the Routing Table: 134
Number of 32-bit ASNs allocated by the RIRs: 513
Prefixes from 32-bit ASNs in the Routing Table: 548
Special use prefixes present in the Routing Table: 0
Prefixes being announced from unallocated address space: 231
Number of addresses announced to Internet: 2194938368
Equivalent to 130 /8s, 212 /16s and 26 /24s
Percentage of available address space announced: 59.2
Percentage of allocated address space announced: 65.8
Percentage of available address space allocated: 90.0
Percentage of address space in use by end-sites: 82.1
Total number of prefixes smaller than registry allocations: 152258

APNIC Region Analysis Summary
Prefixes being announced by APNIC Region ASes: 76202
Total APNIC prefixes after maximum aggregation: 26387
APNIC Deaggregation factor: 2.89
Prefixes being announced from the APNIC address blocks: 73052
Unique aggregates announced from the APNIC address blocks: 31963
APNIC Region origin ASes present in the Internet Routing Table: 3990
APNIC Prefixes per ASN: 18.31
APNIC Region origin ASes announcing only one prefix: 1096
APNIC Region transit ASes present in the Internet Routing Table: 625
Average APNIC Region AS path length visible: 3.6
Max APNIC Region AS path length visible: 15
Number of APNIC addresses announced to Internet: 507394112
Equivalent to 30 /8s, 62 /16s and 56 /24s
Percentage of available APNIC address space announced: 79.6
APNIC AS Blocks: 4608-4864, 7467-7722, 9216-10239, 17408-18431 (pre-ERX allocations) 23552-24575, 37888-38911, 45056-46079 55296-56319, 131072-132095
APNIC Address Blocks: 1/8, 27/8, 43/8, 58/8, 59/8, 60/8, 61/8, 110/8, 111/8, 112/8, 113/8, 114/8, 115/8, 116/8, 117/8, 118/8, 119/8, 120/8, 121/8, 122/8, 123/8, 124/8, 125/8, 126/8, 133/8, 175/8, 180/8, 182/8, 183/8, 202/8, 203/8, 210/8, 211/8, 218/8, 219/8, 220/8, 221/8, 222/8,

ARIN Region Analysis Summary
Prefixes being announced by ARIN Region ASes: 132971
Total ARIN prefixes after maximum aggregation: 68737
ARIN Deaggregation factor: 1.93
Prefixes being announced from the ARIN address blocks: 105911
Unique aggregates announced from the ARIN address blocks: 40478
ARIN Region origin ASes present in the Internet Routing Table: 13621
ARIN Prefixes per ASN: 7.78
ARIN Region origin ASes announcing only one prefix: 5272
ARIN Region transit ASes present in the Internet Routing Table: 1347
Average ARIN Region AS path length visible: 3.4
Max ARIN Region AS path length visible: 22
Number of ARIN addresses announced to Internet: 724849952
Equivalent to 43 /8s, 52 /16s and 85 /24s
Percentage of available ARIN address space announced:
Re: ARIN IP6 policy for those with legacy IP4 Space
On 4/9/2010 1:43 PM, William Herrin wrote: No, ARIN is not a regulator. Regulators have guns or access to people with guns to enforce the regulations that they enact. ARIN has no such power. The FCC is a regulator. The California PUC is a regulator. ARIN is not a regulator. Last I heard, the FCC has access to people with law degrees not guns. Much like ARIN, really. ARIN can act by de-allocating your network and revoking your ASN's. They can't fine you, but if you violate the RSA, they can revoke your stuff. That seems regulatory to me. --Curtis
RE: ARIN IP6 policy for those with legacy IP4 Space
Regulatory bodies can fine you. Not all regulation comes with guns, hippies. ;) And .. The FCC does have access to people with guns, as does any US Federal Agency. Try transmitting illegally on an FM band for a while and see who shows up. I'd be shocked if people with guns didn't arrive in record time. -Original Message- From: Curtis Maurand [mailto:cmaur...@xyonet.com] Sent: Friday, April 09, 2010 10:15 AM To: nanog@nanog.org Subject: Re: ARIN IP6 policy for those with legacy IP4 Space On 4/9/2010 1:43 PM, William Herrin wrote: No, ARIN is not a regulator. Regulators have guns or access to people with guns to enforce the regulations that they enact. ARIN has no such power. The FCC is a regulator. The California PUC is a regulator. ARIN is not a regulator. Last I heard, the FCC has access to people with law degrees not guns. Much like ARIN, really. ARIN can act by de-allocating your network and revoking your ASN's. They can't fine you, but if you violate the RSA, they can revoke your stuff. That seems regulatory to me. --Curtis
RE: ARIN IP6 policy for those with legacy IP4 Space
-Original Message- From: Joe Greco [mailto:jgr...@ns.sol.net] Sent: Thursday, April 08, 2010 4:14 PM To: John Payne Cc: NANOG list Subject: Re: ARIN IP6 policy for those with legacy IP4 Space On Apr 8, 2010, at 11:36 AM, Joe Greco wrote: IPv6-only content won't be meaningful for years yet, and IPv6-only eyeballs will necessarily be given ways to reach v4 for many years to come. So again, why do WE have to encourage YOU to adopt IPv6? Why should WE care what you do to the point of creating new rules so YOU don't have to pay like everyone else? Flip it around: Why should WE care about IPv6? WE would have to sign an onerous RSA with ARIN, giving up some of our rights in the process. WE have sufficient IP space to sit it out awhile; by doing that, WE save cash in a tight economy. WE are not so large that we spend four figures without batting an eyelash, so that's attractive. You don't. No one is going to make you set up IPv6. If you don't ever want or need to reach v6 enabled hosts, that's fine... Depending on your business, you may never need to change. But maybe someday you will want to, and you can set up v6 then. For a lot of folks, especially ISP's and content providers, there is much to be gained by deploying early: operational experience, and competitive advantage. It may not all go smoothly, so the sooner folks who know they will need IPv6, get started, the more time they have to work out any kinks. I think that is one of the interesting things about this problem. Unlike y2k, the deadline is different for everyone - and depends a lot on what your business is. Seriously? an onerous RSA What, specifically, do you consider so onerous? Are there no other situations where you willingly give up certain rights in order to obtain a service, or for the betterment or stability of your community/society? When you purchase internet transit, you surely sign a contract that has some terms of service, including an Acceptable Use Policy. 
You likely give up the right to spam, host copyrighted works, the right to intentionally disrupt networks, etc. It's likely that your provider can terminate services for violations. Do you consider this onerous? Even if you did, it didn't stop you from purchasing service. Further, anyone who is providing IPv6-only content has cut off most of the Internet, so basically no significant content is available on IPv6-only. That means there is no motivation for US to jump on the IPv6 bandwagon. Even more, anyone who is on an IPv6-only eyeball network is cut off from most of the content of the Internet; this means that ISP's will be having to provide IPv6-to-v4 services. Either they'll be good, or if customers complain, WE will be telling them how badly their ISP sucks. *I* am personally convinced that IPv6 is great, but on the other hand, I do not see so much value in v6 that I am prepared to compel the budgeting for ARIN v6 fees, especially since someone from ARIN just described all the ways in which they fritter away money. You can get IPv6 addresses from your upstream provider, often times free of charge, you don't ever have to deal with ARIN if you don't want to. You won't ever have to sign an agreement with ARIN if you don't want to. But, if you want to get a direct allocation, you got to pay to play - and also, agree to play by the same rules that everyone else is - it's a social contract of sorts - give up some rights in order to gain some benefits. As a result, the state of affairs simply retards the uptake and adoption of v6 among networks that would otherwise be agreeable to the idea; so, tell me, do you see that as being beneficial to the Internet community at large, or not? Note that I'm taking a strongly opposing stance for the sake of debate, the reality is a bit softer. Given a moderately good offer, we'd almost certainly adopt IPv6. Moderately good offer Like getting a prefix from your provider? Probably for free, without signing anything from ARIN. 
Have you talked to your provider? Or a certain well known tunnel broker will give you a /48 along w/ a free tunnel. http://nlayer.net/ipv6 route-views6.routeviews.org sh bgp ipv6 2001:0590::::::/32 BGP routing table entry for 2001:590::/32 Paths: (15 available, best #6, table Default-IP-Routing-Table) Not advertised to any peer 33437 6939 4436 2001:4810::1 from 2001:4810::1 (66.117.34.140) Origin IGP, localpref 100, valid, external Last update: Thu Apr 8 20:43:30 2010 ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Re: BGP hijack from 23724 - 4134 China?
Rich Kulawiec wrote: See ipdeny.com for allocations covering about 225 countries. Alternatively, please see http://www.okean.com/asianspamblocks.html for lists that cover China and Korea only. The former is furnished in CIDR; the latter in CIDR, Apache htaccess, Cisco ACL, and Linux iptables. Thanks, the iptables list comes in quite handy. People may wish to block port 22 as well as port 25. Although something like fail2ban takes care of that nicely. Greetings, Jeroen
RE: BGP hijack from 23724 - 4134 China?
Are we to believe that filtering .cn will filter all Chinese attacks? I know that if I was up to no good in China, I'd buy a cheap VSAT connection, tld's are probably not a good way to identify bad guys. My two cents.. //warren -Original Message- From: Jeroen van Aart [mailto:jer...@mompl.net] Sent: Friday, April 09, 2010 11:14 AM To: nanog@nanog.org Subject: Re: BGP hijack from 23724 - 4134 China? Rich Kulawiec wrote: See ipdeny.com for allocations covering about 225 countries. Alternatively, please see http://www.okean.com/asianspamblocks.html for lists that cover China and Korea only. The former is furnished in CIDR; the latter in CIDR, Apache htaccess, Cisco ACL, and Linux iptables. Thanks, the iptables list comes in quite handy. People may wish to block port 22 as well as port 25. Although something like fail2ban takes care of that nicely. Greetings, Jeroen
Re: Behold - the Address-Yenta!
The question discussed is the practice of performing resource review as a result of fraudulent applications. no. what was being discussed was transfers. you turned left, asserted that they were fraudulent, and told people to turn in their neighbors. If a company can justify a /?? with ARIN, they are free to turn around and pay someone else for a /?? or less. They can even buy a corporate shell that has a registered address range and it is not fraudulent. Where fraud enters the picture is where the buyer is doing an end run around ARIN policy and buys a /?? which they cannot justify under ARIN rules. Or, when they buy a corporate shell that has the same name as the registrant of a legacy address range, but that corporate shell is not actually the successor of the company who originally registered the addresses. The group of neighbors who depend on IP addresses for their organization's networks and internetworks, have gathered together in the IETF and later in ARIN, to set up some ground rules for how IP addresses are managed. The process is open, and transparent and based on the necessities of limited supply and technical details of IP routing. Yes, if someone is cheating the rest of their neighbors then you should turn them in. --Michael Dillon
Re: BGP hijack from 23724 - 4134 China?
Benjamin BILLON wrote: So basically, the idea is to disconnect China's Internet even more than what it inflicts to itself? And that is wrong why exactly? ;-) How fun. What was the FCC/Comcast case about again? It's only port 25, at least here: http://www.okean.com/antispam/iptables/iptables.html
Re: ARIN IP6 policy for those with legacy IP4 Space
On 9 April 2010 18:36, David Conrad d...@virtualized.org wrote: On Apr 8, 2010, at 11:32 AM, Michael Dillon wrote: All ARIN fees are set by the ARIN members. No they are not. According to https://www.arin.net/fees/overview.html: The Fee Schedule, is continually reviewed by ARIN's membership, and its Advisory Council, and Board of Trustees to identify ways in which ARIN can improve service to the community and to ensure that ARIN's operational needs are met Since the AC and Board of Trustees are elected by the Members, ultimately the members have control of fees. -- Michael Dillon
RE: BGP hijack from 23724 - 4134 China?
-Original Message- From: Warren Bailey [mailto:wbai...@gci.com] Sent: Friday, April 09, 2010 12:31 PM To: Jeroen van Aart; nanog@nanog.org Subject: RE: BGP hijack from 23724 - 4134 China? Are we to believe that filtering .cn will filter all Chinese attacks? I know that if I was up to no good in China, I'd buy a cheap VSAT connection, tld's are probably not a good way to identify bad guys. My two cents.. //warren -- As was pointed out that might have been the point of hijacking IP space from outside cn.net. -Jim
Re: BGP hijack from 23724 - 4134 China?
So basically, the idea is to disconnect China's Internet even more than what it inflicts to itself? And that is wrong why exactly? ;-) Nah, I'm not answering that =D Nice try, though. How fun. What was the FCC/Comcast case about again? It's only port 25, at least here: http://www.okean.com/antispam/iptables/iptables.html This is also blocking Sina, Netease, Yahoo.cn and other major Chinese ISP/ESP. Am I the only to think this is not very smart? If you think Chinese DUL would be interesting, please tell me.
Re: FCC dealt major blow in net neutrality ruling favoring Comcast
Let me see if I understand this correctly. People are defending the FCC? The same FCC that ruled that any data service over 200Kbits was broadband, not Information Service and thus came under the purview of the FBI and CALEA - directly contravening the language and intent of the CALEA act? Sometimes the enemy of your enemy is just your enemy. Joe McGuckin ViaNet Communications j...@via.net 650-207-0372 cell 650-213-1302 office 650-969-2124 fax On Apr 9, 2010, at 6:59 AM, Rod Beck wrote: In Europe you rarely encounter courts circumscribing regulatory power. And it is well known that the District Court is dominated by anti-regulatory judges. -Original Message- From: Michael Holstein [mailto:michael.holst...@csuohio.edu] Sent: Tue 4/6/2010 7:40 PM To: Patrick W. Gilmore Cc: NANOG list Subject: Re: FCC dealt major blow in net neutrality ruling favoring Comcast http://thehill.com/blogs/hillicon-valley/technology/90747-fcc-dealt-major-blow-in-net-neutrality-ruling-favoring-comcast Seems on-topic, even though policy related.
Re: FCC dealt major blow in net neutrality ruling favoring Comcast
On Apr 7, 2010, at 7:21 AM, Mark Smith wrote: One thing which would significantly help this argument for or against Network Neutrality is defining exactly what it is. The FCC has a definition of sorts, in terms of its six principles. Page three of http://www.fcc.gov/Daily_Releases/Daily_Business/2009/db1022/DOC-294152A1.pdf gives you those.
Re: capirca : Google Network Filtering Management
On Fri, Apr 9, 2010 at 2:09 PM, William Duck na...@qualitymail.com wrote: http://code.google.com/p/capirca/ Developed internally at Google, this system is designed to utilize common definitions of networks and services and high-level policy files to facilitate the development and manipulation of network access control filters (ACLs) for various platforms. would be interesting (to the community to get the authors to present some material about this at a meeting? (a nanog meeting) -Chris
BGP Update Report
BGP Update Report
Interval: 01-Apr-10 -to- 08-Apr-10 (7 days)
Observation Point: BGP Peering with AS131072

TOP 20 Unstable Origin AS
Rank  ASN       Upds   %     Upds/Pfx  AS-Name
 1 -  AS6298   40434  4.5%     15.5 -- ASN-CXA-PH-6298-CBS - Cox Communications Inc.
 2 -  AS23724  34670  3.8%      2.7 -- CHINANET-IDC-BJ-AP IDC, China Telecommunications Corporation
 3 -  AS20115  13023  1.4%      9.3 -- CHARTER-NET-HKY-NC - Charter Communications
 4 -  AS28477  11412  1.2%   1268.0 -- Universidad Autonoma del Esstado de Morelos
 5 -  AS25620  10855  1.2%     81.6 -- COTAS LTDA.
 6 -  AS6713   10746  1.2%     64.3 -- IAM-AS
 7 -  AS7643   10563  1.2%     97.8 -- VNPT-AS-VN Vietnam Posts and Telecommunications (VNPT)
 8 -  AS9829   10191  1.1%     15.8 -- BSNL-NIB National Internet Backbone
 9 -  AS12479   8848  1.0%    384.7 -- UNI2-AS Uni2 - Lince telecomunicaciones
10 -  AS33475   8524  0.9%     36.3 -- RSN-1 - RockSolid Network, Inc.
11 -  AS26025   8251  0.9%   8251.0 -- COC - City of Calgary
12 -  AS16569   7967  0.9%   7967.0 -- ASN-CITY-OF-CALGARY - City of Calgary
13 -  AS4847    7556  0.8%     23.1 -- CNIX-AP China Networks Inter-Exchange
14 -  AS9116    6267  0.7%     12.4 -- GOLDENLINES-ASN 012 Smile Communications Main Autonomous System
15 -  AS24560   6070  0.7%     15.6 -- AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
16 -  AS17964   5382  0.6%     36.6 -- DXTNET Beijing Dian-Xin-Tong Network Technologies Co., Ltd.
17 -  AS41900   5345  0.6%    205.6 -- ORACLE-AS Oracle Investments Group
18 -  AS33776   5296  0.6%     26.2 -- STARCOMMS-ASN
19 -  AS14420   5285  0.6%     13.2 -- CORPORACION NACIONAL DE TELECOMUNICACIONES CNT S.A.
20 -  AS17974   5206  0.6%      6.1 -- TELKOMNET-AS2-AP PT Telekomunikasi Indonesia

TOP 20 Unstable Origin AS (Updates per announced prefix)
Rank  ASN       Upds   %     Upds/Pfx  AS-Name
 1 -  AS26025   8251  0.9%   8251.0 -- COC - City of Calgary
 2 -  AS16569   7967  0.9%   7967.0 -- ASN-CITY-OF-CALGARY - City of Calgary
 3 -  AS5691    2624  0.3%   2624.0 -- MITRE-AS-5 - The MITRE Corporation
 4 -  AS34919   2266  0.2%   2266.0 -- MONTAN-NET IP upstream provider network of Montan Telecom AG, Vaduz, Liechtenstein
 5 -  AS28477  11412  1.2%   1268.0 -- Universidad Autonoma del Esstado de Morelos
 6 -  AS50181    619  0.1%    619.0 -- GAX-KABELSZAT KabelszatNet-2002. Musoreloszto es Kereskedelmi Kft.
 7 -  AS42214    605  0.1%    605.0 -- IWC-AS SC International Work Company SRL
 8 -  AS5963     551  0.1%    551.0 -- DNIC-ASBLK-05800-06055 - DoD Network Information Center
 9 -  AS28052    495  0.1%    495.0 -- Arte Radiotelevisivo Argentino
10 -  AS11613    453  0.1%    453.0 -- U-SAVE - U-Save Auto Rental of America, Inc.
11 -  AS45960    421  0.1%    421.0 -- YTLCOMMS-AS-AP YTL COMMUNICATIONS SDN BHD
12 -  AS35291    822  0.1%    411.0 -- ICOMM-AS SC Internet Communication Systems SRL
13 -  AS22395    410  0.1%    410.0 -- GHCO-INTERNAP - Goldenberg Hehmeyer
14 -  AS32794    789  0.1%    394.5 -- ICFG - International Church of the Foursquare Gospel
15 -  AS12479   8848  1.0%    384.7 -- UNI2-AS Uni2 - Lince telecomunicaciones
16 -  AS30332    370  0.0%    370.0 -- EBUS-GENET - Partylite Gifts, Inc.
17 -  AS10445   2180  0.2%    363.3 -- HTG - Huntleigh Telcom
18 -  AS36892    348  0.0%    348.0 -- AFSAT_TZ
19 -  AS19647   4031  0.4%    268.7 -- HPOD20001 - Hewlett-Packard Operation Division
20 -  AS16868    537  0.1%    268.5 -- PRAXAIR-INC - Praxair Inc

TOP 20 Unstable Prefixes
Rank  Prefix             Upds   %     Origin AS -- AS Name
 1 -  200.13.36.0/24    11292  1.1%   AS28477 -- Universidad Autonoma del Esstado de Morelos
 2 -  208.98.231.0/24    8251  0.8%   AS26025 -- COC - City of Calgary
 3 -  208.98.230.0/24    7967  0.8%   AS16569 -- ASN-CITY-OF-CALGARY - City of Calgary
 4 -  85.60.194.0/23     2817  0.3%   AS12479 -- UNI2-AS Uni2 - Lince telecomunicaciones
 5 -  206.184.16.0/24    2792  0.3%   AS174 -- COGENT Cogent/PSI
 6 -  192.12.120.0/24    2624  0.3%   AS5691 -- MITRE-AS-5 - The MITRE Corporation
 7 -  203.162.118.128/   2517  0.2%   AS7643 -- VNPT-AS-VN Vietnam Posts and Telecommunications (VNPT)
 8 -  222.255.186.0/25   2516  0.2%   AS7643 -- VNPT-AS-VN Vietnam Posts and Telecommunications (VNPT)
 9 -  196.44.176.0/20    2441  0.2%   AS31856 -- CABSAS
12 -  85.204.64.0/23     2349  0.2%   AS6746 -- ASTRAL UPC Romania Srl, Romania
13 -  193.238.204.0/22   2266  0.2%   AS34919 -- MONTAN-NET IP upstream provider network of Montan Telecom AG, Vaduz, Liechtenstein
14 -  85.60.192.0/23     2213  0.2%   AS12479 -- UNI2-AS Uni2 - Lince
The Cidr Report
This report has been generated at Fri Apr 9 21:11:36 2010 AEST. The report analyses the BGP Routing Table of AS2.0 router and generates a report on aggregation potential within the table. Check http://www.cidr-report.org for a current version of this report.

Recent Table History
Date      Prefixes  CIDR Agg
02-04-10  319323    196232
03-04-10  319154    196271
04-04-10  319087    196340
05-04-10  319110    196496
06-04-10  319260    196788
07-04-10  319667    196864
08-04-10  320046    197056
09-04-10  319885    197303

AS Summary
34115     Number of ASes in routing system
14558     Number of ASes announcing only one prefix
4419      Largest number of prefixes announced by an AS
          AS4323 : TWTC - tw telecom holdings, inc.
97058304  Largest address span announced by an AS (/32s)
          AS4134 : CHINANET-BACKBONE No.31,Jin-rong Street

Aggregation Summary
The algorithm used in this report proposes aggregation only when there is a precise match using the AS path, so as to preserve traffic transit policies. Aggregation is also proposed across non-advertised address space ('holes').

--- 09Apr10 ---
ASnum    NetsNow  NetsAggr  NetGain  % Gain  Description
Table     320231    197232   122999   38.4%  All ASes
AS6389      4015       302     3713   92.5%  BELLSOUTH-NET-BLK - BellSouth.net Inc.
AS4323      4419      1331     3088   69.9%  TWTC - tw telecom holdings, inc.
AS4766      1840       492     1348   73.3%  KIXS-AS-KR Korea Telecom
AS4755      1301       207     1094   84.1%  TATACOMM-AS TATA Communications formerly VSNL is Leading ISP
AS22773     1139        76     1063   93.3%  ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc.
AS1785      1754       717     1037   59.1%  AS-PAETEC-NET - PaeTec Communications, Inc.
AS18566     1059        33     1026   96.9%  COVAD - Covad Communications Co.
AS17488     1309       338      971   74.2%  HATHWAY-NET-AP Hathway IP Over Cable Internet
AS8151      1538       622      916   59.6%  Uninet S.A. de C.V.
AS7545      1119       250      869   77.7%  TPG-INTERNET-AP TPG Internet Pty Ltd
AS19262     1089       247      842   77.3%  VZGNI-TRANSIT - Verizon Internet Services Inc.
AS10620     1027       197      830   80.8%  Telmex Colombia S.A.
AS6478      1187       447      740   62.3%  ATT-INTERNET3 - ATT WorldNet Services
AS5668       807       199      608   75.3%  AS-5668 - CenturyTel Internet Holdings, Inc.
AS24560      874       274      600   68.6%  AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
AS4808       845       250      595   70.4%  CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
AS4804       678        84      594   87.6%  MPX-AS Microplex PTY LTD
AS7303       699       109      590   84.4%  Telecom Argentina S.A.
AS18101      686        97      589   85.9%  RIL-IDC Reliance Infocom Ltd Internet Data Centre,
AS8452       939       356      583   62.1%  TEDATA TEDATA
AS7018      1568       998      570   36.4%  ATT-INTERNET4 - ATT WorldNet Services
AS17908      772       242      530   68.7%  TCISL Tata Communications
AS3356      1232       706      526   42.7%  LEVEL3 Level 3 Communications
AS35805      613        96      517   84.3%  UTG-AS United Telecom AS
AS4780       670       169      501   74.8%  SEEDNET Digital United Inc.
AS22047      540        47      493   91.3%  VTR BANDA ANCHA S.A.
AS17676      572        84      488   85.3%  GIGAINFRA Softbank BB Corp.
AS9443       555        74      481   86.7%  INTERNETPRIMUS-AS-AP Primus Telecommunications
AS7011                 664      447   40.2%  FRONTIER-AND-CITIZENS - Frontier Communications of America, Inc.
AS7738       477        30      447   93.7%  Telecomunicacoes da Bahia S.A.
Total      36434      9738    26696   73.3%  Top 30 total

Possible Bogus Routes
2.0.0.0/16 AS12654
[ot/bronog] !summon ..!clue!charter/HSI
Looking for clue within Charter HSI realm (or people that can give contact / forward issues) .. HSI seems to be taboo even within Charter (even $work's Charter biz/fiber acct mgrs are without clue as to who to call) . . Off list help is appreciated .. Thanks in advance -jamie
Re: [ot/bronog] !summon ..!clue!charter/HSI
I was told : Charter is very decentralized. This is for endpoints (currently) GMT-5 - Chicago IL and Madison WI. Thanks again -jamie
Re: BGP hijack from 23724 - 4134 China?
Benjamin Billon wrote: And that is wrong why exactly? ;-) Nah, I'm not answering that =D Nice try, though. Hah ;-) This is also blocking Sina, Netease, Yahoo.cn and other major Chinese ISP/ESP. Am I the only to think this is not very smart? It depends. I'm not a fan of country blocking. But in my case it can work for a home server. You could adapt the list and block port 22 only for production servers where you can't expect to never have email from China, but can safely block brute force ssh attacks. Regards, Jeroen
Re: BGP hijack from 23724 - 4134 China?
This is also blocking Sina, Netease, Yahoo.cn and other major Chinese ISP/ESP. Am I the only to think this is not very smart? It depends. I'm not a fan of country blocking. But in my case it can work for a home server. You could adapt the list and block port 22 only for production servers where you can't expect to never have email from China, but can safely block brute force ssh attacks. Yep, home server, your server. That's not the same when you have customers who rely on your server. IMHO, port 22 and other critical ports should always be blocked except from known places.
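The two positions in the exchange above (a country list applied to port 22 only, and port 22 open only to known places) compared side by side, as an added example that is not part of either post. The prefixes are constructed documentation ranges, the helper names are hypothetical, and the default-ACCEPT chain policy is an assumption.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation prefixes), not taken from
# any of the country lists linked in the thread.
COUNTRY_BLOCKLIST = [
    "198.51.100.0/25", "198.51.100.128/25",   # adjacent halves of one /24
    "203.0.113.0/24", "203.0.113.64/26",      # second entry is redundant
]
KNOWN_ADMIN_SOURCES = ["192.0.2.0/28"]        # hypothetical "known places"


def collapse(cidrs):
    """Parse and merge CIDRs so the ruleset carries no redundant entries."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets))


def port_blocklist(cidrs, port):
    """Drop listed sources on one TCP port only; other ports are untouched."""
    return [(net, port, "DROP") for net in collapse(cidrs)]


def port_allowlist(cidrs, port):
    """Accept listed sources on one TCP port, then drop everyone else on it."""
    rules = [(net, port, "ACCEPT") for net in collapse(cidrs)]
    rules.append((None, port, "DROP"))        # None means any source
    return rules


def render(rules, chain="INPUT"):
    """Render rule tuples as iptables-restore style lines."""
    lines = []
    for net, port, action in rules:
        src = f" -s {net}" if net is not None else ""
        lines.append(f"-A {chain} -p tcp{src} --dport {port} -j {action}")
    return lines


def verdict(rules, src_ip, dport, default="ACCEPT"):
    """First-match evaluation, as iptables does within a chain.

    `default` models the chain policy and is an assumption of this example.
    """
    ip = ipaddress.ip_address(src_ip)
    for net, port, action in rules:
        if port == dport and (net is None or ip in net):
            return action
    return default


if __name__ == "__main__":
    cases = (
        ("blocklist, port 22 only", port_blocklist(COUNTRY_BLOCKLIST, 22)),
        ("allowlist for port 22", port_allowlist(KNOWN_ADMIN_SOURCES, 22)),
    )
    probes = (("203.0.113.70", 25), ("203.0.113.70", 22),
              ("192.0.2.5", 22), ("192.0.2.200", 22))
    for title, rules in cases:
        print(f"# {title}")
        print("\n".join(render(rules)))
        for src, dport in probes:
            print(f"#   {src} -> tcp/{dport}: {verdict(rules, src, dport)}")
```

Both rulesets leave port 25 alone, so mail from a listed prefix still arrives; they differ only for an SSH source that is on neither list, which the blocklist admits and the allowlist drops.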
Re: FCC dealt major blow in net neutrality ruling favoring Comcast
On Apr 9, 2010, at 5:22 PM, joe mcguckin wrote: Let me see if I understand this correctly. People are defending the FCC? The same FCC that ruled that any data service over 200Kbits was broadband, not Information Service and thus came under the purview of the FBI and CALEA - directly contravening the language and intent of the CALEA act? Very specifically NOT the same FCC. The FCC may retain the name, but the management, political bent, philosophies, and attitude are very different from the one that made that ruling. That said, it is entirely possible this FCC would make the same ruling. Doesn't change what I said above. Sometimes the enemy of your enemy is just your enemy. Sometimes. And sometimes he is neither, so it might be advantageous to work with him on the occasional project where your interest and his correlate well. -- TTFN, patrick On Apr 9, 2010, at 6:59 AM, Rod Beck wrote: In Europe you rarely encounter courts circumscribing regulatory power. And it is well known that the District Court is dominated by anti-regulatory judges. -Original Message- From: Michael Holstein [mailto:michael.holst...@csuohio.edu] Sent: Tue 4/6/2010 7:40 PM To: Patrick W. Gilmore Cc: NANOG list Subject: Re: FCC dealt major blow in net neutrality ruling favoring Comcast http://thehill.com/blogs/hillicon-valley/technology/90747-fcc-dealt-major-blow-in-net-neutrality-ruling-favoring-comcast Seems on-topic, even though policy related.
Re: FCC dealt major blow in net neutrality ruling favoring Comcast
On Apr 9, 2010, at 6:51 PM, Patrick W. Gilmore wrote: On Apr 9, 2010, at 5:22 PM, joe mcguckin wrote: Let me see if I understand this correctly. People are defending the FCC? The same FCC that ruled that any data service over 200Kbits was broadband, not Information Service and thus came under the purview of the FBI and CALEA - directly contravening the language and intent of the CALEA act? Very specifically NOT the same FCC. The FCC may retain the name, but the management, political bent, philosophies, and attitude are very different from the one that made that ruling. That said, it is entirely possible this FCC would make the same ruling. Doesn't change what I said above. Sometimes the enemy of your enemy is just your enemy. Sometimes. And sometimes he is neither, so it might be advantageous to work with him on the occasional project where your interest and his correlate well. I believe you are doing a disservice to the FCC by making these inflammatory statements. There are plenty of GOOD people at the FCC, I'm guessing you may not have spent much time talking to them. (I met with the FCC about CALEA due to concerns about there being no mature 10G intercept platforms. There are vendors that are shipping devices that are not CALEA compliant, but may be compliant under other lawful intercept methods/statutes). You have to understand that there are political appointees (that must be confirmed) and the regular staffers that operate in this space. The federal register and comment process is abundant, allowing people to file comments on nearly anything the government is discussing. If you've not engaged in getting the daily notices from the Federal Register, and did not file form 445, you may want to take a look at it. Phone the FCC. Phone the DoJ and ask for the CALEA Implementation Unit, the folks there are behind the http://askcalea.net website. As with many things, there is a lot of (mis-)information out there. (Gotta run kids are bleeding!).
RE: BGP hijack from 23724 - 4134 China?
-Original Message- From: Brielle Bruns [mailto:br...@2mbit.com] Sent: Thursday, April 08, 2010 7:06 PM To: nanog@nanog.org Subject: Re: BGP hijack from 23724 - 4134 China? On 4/8/10 7:50 PM, Aaron Wendel wrote: Please. Since there's been a lot of requests for the ACLs, I've gone ahead and put the info on our wiki for easy access. http://wiki.sosdg.org/sosdg:internal:chinafilter I suppose it is easier and takes less of your resources to get the world to block you than it is to block the world. From China's point of view, it might just make their firewalling a whole lot easier.
Re: FCC dealt major blow in net neutrality ruling favoring Comcast
On 4/9/2010 16:22, joe mcguckin wrote: Let me see if I understand this correctly. People are defending the FCC? After looking at who they elect, why does that surprise? The same FCC that ruled that any data service over 200Kbits was broadband, not Information Service and thus came under the purview of the FBI and CALEA - directly contravening the language and intent of the CALEA act? Sometimes the enemy of your enemy is just your enemy. The calculus is really simpler. Somebody famous should have said (or maybe Ronald Reagan _did_ say: Government is not the solution to the problem. Government IS the problem. -- Somebody should have said: A democracy is two wolves and a lamb voting on what to have for dinner. Freedom under a constitutional republic is a well armed lamb contesting the vote. Requiescas in pace o email Ex turpi causa non oritur actio Eppure si rinfresca ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml
Re: capirca : Google Network Filtering Management
On Fri, Apr 9, 2010 at 5:57 PM, Christopher Morrow morrowc.li...@gmail.com wrote: On Fri, Apr 9, 2010 at 2:09 PM, William Duck na...@qualitymail.com wrote: http://code.google.com/p/capirca/ Developed internally at Google, this system is designed to utilize common definitions of networks and services and high-level policy files to facilitate the development and manipulation of network access control filters (ACLs) for various platforms. would be interesting (to the community to get the authors to present some material about this at a meeting? (a nanog meeting) -Chris The authors gave an excellent tag-team presentation at USENIX LISA '09. Video might be available. It would be good at a NANOG meeting. Jon
Re: BGP hijack from 23724 - 4134 China?
Benjamin Billon wrote: So basically, the idea is to disconnect China's Internet even more than what it inflicts to itself? And that is wrong why exactly? ;-) Nah, I'm not answering that =D Nice try, though. How fun. What was the FCC/Comcast case about again? It's only port 25, at least here: http://www.okean.com/antispam/iptables/iptables.html This is also blocking Sina, Netease, Yahoo.cn and other major Chinese ISP/ESP. Am I the only to think this is not very smart? If you think Chinese DUL would be interesting, please tell me. This DID actually bite my company about 3 years ago. A customer went to China (usually in NYC) and could not send email through the mail server because they were using POP-before-SMTP instead of the mail submission port. Upon return, the customer switched mail service away from us. --Patrick
Re: ARIN IP6 policy for those with legacy IP4 Space
On 04/09/2010 09:56 AM, Dave Israel wrote: +Bonus Uncertainty: There is a lack of consensus on how IPv6 is to be deployed. For example, look at the ongoing debates on point to point network sizes and the /64 network boundary in general. There's also no tangible benefit to deploying IPv6 right now, and the tangible danger that your v6 deployment will just have to be redone because there's some flaw in the current v6 protocol or best practices that will be uncovered. This lack of consensus seems to mostly be associated with people who haven't deployed. those of us who have in some cases a decade ago, don't wonder very much... You can deploy point-to-points as /112s or /64s. if you do anything that isn't aligned on a byte boundary the brains will leak out of the ears of your engineers. If you don't believe me go ahead and try it. any subnet that has more than 2 devices on it is a /64 do anything else and you'll shoot yourself or someone else in the foot and probably sooner rather than later. +Bonus Doubt: Because we've been told that IPv4 will be dead in 2 years for the last 20 years, and that IPv6 will be deployed and a way of life in 2 years for the past 10, nobody really believes it anymore. There's been an ongoing chant of wolf for so long, many people won't believe it until things are much, much worse. I bet you're really good at predicting the stock market as well. you can be right and still go bankrupt. It is possible to mistake positive but nearly random outcomes for skill or insight. I don't have to be right about needing an ipv6 deployment plan or even believe that ipv6 is deployable in its present form (I happen to believe that, but it's beside the point), because I need a business continuity plan for what happens around ipv4 exhaustion, I may have more than one, but I have a fiduciary duty to my company to not fly this particular plane into avoidable terrain. -Dave
Re: ARIN IP6 policy for those with legacy IP4 Space
On 04/09/2010 11:01 AM, William Herrin wrote: Fun movies notwithstanding, they generally issue a fine and work it through the civil courts. If you were doing something extraordinary, like jamming emergency communications, I expect they might well call the police for assistance. But those are police, not FCC agents, and they're acting as much on behalf of the folks whose signals you're jamming as they are on behalf of the FCC. You'll find that any of us (including ARIN) can summon police for assistance with assaults upon us. No, the FCC uses the US Marshals Service and the United States attorney for this sort of activity, and it has statutory authority to do so... google up FCC raid if you want some background. Regards, Bill Herrin
Re: BGP hijack from 23724 - 4134 China?
Patrick Giagnocavo wrote: This DID actually bite my company about 3 years ago. A customer went to China (usually in NYC) and could not send email through the mail server because they were using POP-before-SMTP instead of the mail submission port. The problem did not lie with blocking IPs. But with offering a flawed service such as pop before smtp to begin with. I know many ISPs/ESPs still do, much to my chagrin. The only way to submit email should be port 587 with TLS encryption, 3 years ago one could be forgiven for offering deprecated (*) port 465 with SSL, but not anymore (msoft clients have been fixed). Regards, Jeroen http://www.iana.org/assignments/port-numbers * urd 465/tcp URL Rendesvous Directory for SSM
Re: capirca : Google Network Filtering Management
On Fri, Apr 09, 2010 at 11:09:09AM -0700, William Duck wrote: http://code.google.com/p/capirca/ Developed internally at Google, this system is designed to utilize common definitions of networks and services and high-level policy files to facilitate the development and manipulation of network access control filters (ACLs) for various platforms. There is a lot of potential here, however it almost seems like abandonware. I've been tinkering with it in house, but ran into the obstacle of not knowing Python (yet) to fix and improve it myself. Thankfully a colleague has been able to write up some important patches which are available on the issue tracker [1]. -r [1] http://code.google.com/p/capirca/issues/list
Re: capirca : Google Network Filtering Management
On Fri, Apr 9, 2010 at 7:55 PM, Jon Meek mee...@gmail.com wrote: On Fri, Apr 9, 2010 at 5:57 PM, Christopher Morrow morrowc.li...@gmail.com wrote: On Fri, Apr 9, 2010 at 2:09 PM, William Duck na...@qualitymail.com wrote: http://code.google.com/p/capirca/ Developed internally at Google, this system is designed to utilize common definitions of networks and services and high-level policy files to facilitate the development and manipulation of network access control filters (ACLs) for various platforms. would be interesting (to the community) to get the authors to present some material about this at a meeting? (a nanog meeting) -Chris The authors gave an excellent tag-team presentation at USENIX LISA '09. Video might be available. It would be good at a NANOG meeting. they did, so I hear, since the next nanog is in their home-court it'd be easy to ask them to swing by and re-present :) (as a user of this system it's really quite nice) -Chris
Fwd: [c-nsp] capirca : Google Network Filtering Management
Would someone from Google kindly confirm/deny this claim? I'm as patient as any other, but I'm beginning to feel for those who have yet (but are ready to) to trigger the filters... Thankfully, my 'reasonable' regex knowledge has me ready to list a heaping pile of filth into the ether, if the community consensus is that the person contained in the 'From:' below has never contributed anything worth value to our community. ...give the word. Original Message Date: Fri, 09 Apr 2010 20:11:48 +0200 From: Guillaume FORTAINE gforta...@live.com To: cisco-...@puck.nether.net Subject: [c-nsp] capirca : Google Network Filtering Management http://code.google.com/p/capirca/ Developed internally at Google, this system is designed to utilize common definitions of networks and services and high-level policy files to facilitate the development and manipulation of network access control filters (ACLs) for various platforms.
RE: BGP hijack from 23724 - 4134 China?
On Fri, 9 Apr 2010, George Bonser wrote: I suppose it is easier and takes less of your resources to get the world to block you than it is to block the world. operating a bullet proof spam network, ignoring complaints, is certainly one way to achieve that. anyone remember chinanet's lying autoresponder: In your SPAM eMail,I can't find the IP or the IP is not by my control.Please give me the correct IP.Thank you. ? -Dan
Re: BGP hijack from 23724 - 4134 China?
On 4/9/2010 15:42, Benjamin Billon wrote: This is also blocking Sina, Netease, Yahoo.cn and other major Chinese ISP/ESP. Am I the only one to think this is not very smart? It depends. I'm not a fan of country blocking. But in my case it can work for a home server. You could adapt the list and block port 22 only for production servers where you can't expect to never have email from China, but can safely block brute force ssh attacks. Yep, home server, your server. That's not the same when you have customers who rely on your server. IMHO, port 22 and other critical ports should always be blocked except from known places. I personally use a port knocking setup and it pretty much eliminates SSH brute force account/password hacks. Actually, on one box that didn't have the ability to do that, I simply moved the SSH port. This was surprisingly effective, although a bit inconvenient. I'll have to say that a very large number of the brute attempts were from Chinese IPs. Hopefully they're not reading this. ;-)
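The three filtering approaches raised in this message (blocking a prefix list on every port, blocking it on port 22 only, and opening port 22 to known places only), compared on the same traffic in an added example that is not code from any poster. The prefixes are documentation ranges, and the policy names and flows are constructed.

```python
import ipaddress

# Constructed prefixes (documentation ranges) standing in for real lists.
KNOWN_PLACES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "2001:db8:10::/48")]
BLOCKED = [ipaddress.ip_network(p) for p in ("203.0.113.0/24",)]
CRITICAL_PORTS = {22}


def _matches(addr, networks):
    """True if addr falls inside any network of the same IP version."""
    return any(addr.version == n.version and addr in n for n in networks)


def decide(policy, src, dport):
    """Return 'accept' or 'drop' for a new inbound connection."""
    addr = ipaddress.ip_address(src)
    if policy == "block-everything":      # blocklist applied to every port
        return "drop" if _matches(addr, BLOCKED) else "accept"
    if policy == "block-ssh-only":        # blocklist applied to port 22 only
        blocked = dport in CRITICAL_PORTS and _matches(addr, BLOCKED)
        return "drop" if blocked else "accept"
    if policy == "known-places":          # port 22 from known places only
        if dport in CRITICAL_PORTS:
            return "accept" if _matches(addr, KNOWN_PLACES) else "drop"
        return "accept"
    raise ValueError(f"unknown policy: {policy}")


# Constructed flows: (description, source address, destination port).
SAMPLE_FLOWS = [
    ("inbound mail from a blocked prefix", "203.0.113.5", 25),
    ("SSH attempt from a blocked prefix", "203.0.113.5", 22),
    ("SSH attempt from an unlisted prefix", "198.51.100.7", 22),
    ("SSH from a known place (IPv6)", "2001:db8:10::5", 22),
]


def compare(flows=SAMPLE_FLOWS):
    """Return {description: {policy: verdict}} for the three policies."""
    policies = ("block-everything", "block-ssh-only", "known-places")
    return {d: {p: decide(p, src, port) for p in policies} for d, src, port in flows}


if __name__ == "__main__":
    for desc, verdicts in compare().items():
        print(f"{desc:38} {verdicts}")
```

Only the known-places policy stops the SSH attempt from the unlisted prefix, and only block-everything loses the inbound mail.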
Re: ARIN IP6 policy for those with legacy IP4 Space
some nut i procmail wrote No, ARIN is not a regulator. Regulators have guns or access to people with guns to enforce the regulations that they enact. ARIN has no such power. I'm a little confused on the distinction you're making. confusion between the army and the fcc, who, even under cheney, did not use guns. randy
Re: ARIN IP6 policy for those with legacy IP4 Space
On 04/09/2010 07:49 PM, Randy Bush wrote: some nut i procmail wrote No, ARIN is not a regulator. Regulators have guns or access to people with guns to enforce the regulations that they enact. ARIN has no such power. I'm a little confused on the distinction you're making. confusion between the army and the fcc, who, even under cheney, did not use guns. Gewaltmonopol des Staates (the state's monopoly on violence)... Failure to restrain the use of coercive violence is one (modern) definition of a failed state. randy
Re: Fwd: [c-nsp] capirca : Google Network Filtering Management
On Fri, 2010-04-09 at 22:10 -0400, Steve Bertrand wrote: Would someone from Google kindly confirm/deny this claim? I'm as patient as any other, but I'm beginning to feel for those who have yet (but are ready to) to trigger the filters... Thankfully, my 'reasonable' regex knowledge has me ready to list a heaping pile of filth into the ether, if the community consensus is that the person contained in the 'From:' below has never contributed anything worth value to our community. ...give the word. It is a legitimate Google product, but I don't work at Google. William
Re: ARIN IP6 policy for those with legacy IP4 Space
On Apr 9, 2010, at 10:43 AM, William Herrin wrote: On Fri, Apr 9, 2010 at 1:07 PM, Owen DeLong o...@delong.com wrote: On Apr 9, 2010, at 7:30 AM, todd glassey wrote: BULL SH*T, ARIN makes determinations as to how many IP addresses it will issue and in that sense it is exactly a regulator. No, ARIN is not a regulator. Regulators have guns or access to people with guns to enforce the regulations that they enact. ARIN has no such power. The FCC is a regulator. The California PUC is a regulator. ARIN is not a regulator. Last I heard, the FCC has access to people with law degrees not guns. Much like ARIN, really. If the FCC finds that you have violated an FCC regulation, they are well and truly capable of bringing in the FBI and State or Local law enforcement to enforce their regulation. All three of those entities have guns. To do so, the FCC does not need a court order. ARIN cannot get the FBI, State, or Local law enforcement to enforce ARIN policy unless that policy is further backed by a court order. (Of course, at that point, they are acting under the force of a regulator in the form of the court more than under ARIN). Owen
Re: ARIN IP6 policy for those with legacy IP4 Space
On Apr 9, 2010, at 10:34 AM, David Conrad wrote: Owen, On Apr 9, 2010, at 7:07 AM, Owen DeLong wrote: No, ARIN is not a regulator. Regulators have guns or access to people with guns to enforce the regulations that they enact. ARIN has no such power. I'm a little confused on the distinction you're making. Today, ARIN can remove whois data/reverse delegations as a way of enforcing 'regulations'. In the future, assuming RPKI is deployed, ARIN could, in theory, revoke the certification of a resource. While not a gun, these are means of coercion. Are you being literal when you say gun or figurative? Regards, -drc Nothing forces anyone who wants to route a prefix to follow the IANA or ARIN RPKI. It is followed by agreement of the community, if it gets followed at all. There is no regulation that would prevent someone from setting up an alternate RPKI certificate authority and issuing certificates for resources alternative to the RIR system. Try doing that with Callsigns and using them on the air. The FCC will either fine you or have you locked up in relatively short order. ARIN cannot. It cannot become a criminal offense subject to incarceration for you to violate ARIN policy. It is a purely civil matter. Actual regulators have the force of law. ARIN does not. Owen
OECD Reports on State of IPv6 Deployment for Policy Makers
http://www.circleid.com/posts/20100409_oecd_reports_on_state_of_ipv6_deployment_for_policy_makers/
Re: OECD Reports on State of IPv6 Deployment for Policy Makers
http://www.circleid.com/posts/20100409_oecd_reports_on_state_of_ipv6_deployment_for_policy_makers/ karine perset's work is, as usual, good enough that it should be seen in its original, not some circle-je^h^hid hack of a small part of it. http://www.oecd.org/dataoecd/48/8/44961688.pdf randy
Re: OECD Reports on State of IPv6 Deployment for Policy Makers
karine perset's work is, as usual, good enough that it should be seen in its original, not some circle-je^h^hid hack of a small part of it. One of the best parts of her presentation: Government’s role *is not about regulation*, but about working with technical experts and business to: •Role 1: Build awareness of issue help to ease bottlenecks through multi-stakeholder co-operation. •Role 2: Being early adopters. •Role 3: International co-operation and helping to monitor progress of deployment. Will they get it any day? Regards Jorge
Re: ARIN IP6 policy for those with legacy IP4 Space
One really good thing about spam was that, before it became a big problem, all Usenet / Internet discussions had a risk of devolving into libertarians vs. socialists flamewars, but that got replaced by *%^%* spammers, and eventually we got that nice little checklist as a way to quiet even those discussions. Let's put the regulators with guns discussion back into the pre-spam bin, and take this back to the making IPv6 actually work topics, of which there are plenty. (Because after all, the IPv6ian People's Front side is wrong, wrong, wrong! :-) -- Thanks; Bill Note that this isn't my regular email account - It's still experimental so far. And Google probably logs and indexes everything you send it.
Re: OECD Reports on State of IPv6 Deployment for Policy Makers
You should have seen the CNN experiment on cyber attack... It took 3/4 of the time for the government to realize they need to ask the private sector to help them. The first 3/4 were spent to discuss what the president can do or not do so they can take over the infrastructure and tell the operators what to do... - Original Message - From: Jorge Amodio jmamo...@gmail.com To: Randy Bush ra...@psg.com Cc: Franck Martin fra...@genius.com, nanog@nanog.org Sent: Saturday, 10 April, 2010 4:49:18 PM Subject: Re: OECD Reports on State of IPv6 Deployment for Policy Makers karine perset's work is, as usual, good enough that it should be seen in its original, not some circle-je^h^hid hack of a small part of it. One of the best parts of her presentation: Government’s role *is not about regulation*, but about working with technical experts and business to: •Role 1: Build awareness of issue help to ease bottlenecks through multi-stakeholder co-operation. •Role 2: Being early adopters. •Role 3: International co-operation and helping to monitor progress of deployment. Will they get it any day? Regards Jorge
Re: OECD Reports on State of IPv6 Deployment for Policy Makers
You should have seen the CNN experiment on cyber attack... you mean the failed chertoff/cheney wanna make the news clueless crap? puhleeze! the fcc has more guns than that mob had clue. randy