Re: Creating an IPv6 addressing plan for end users
Hi Liudvikas, Thank you very much for your feedback. On Mar 23, 2011, at 4:56 PM, Liudvikas Bukys wrote: Hi, I saw your document Preparing an IPv6 Addressing Plan after its URL was posted to NANOG. I have one small comment that perhaps you would consider in future revisions: The use of decimal numbers coded in hexadecimal is introduced in section 3.2, Direct Link Between IPv4 and IPv6 Addresses, without discussion. It's also implicit in section 4.9 when encoding decimal VLAN numbers in hexadecimal address ranges. My opinion is that this may be a source of confusion, and should be explicitly described somewhere before section 3.2, as a deliberate implementation choice that makes it easier for human operators to configure and recognize deliberately-chosen mappings between decimals in IPv4 addresses and integers and corresponding fields in hexadecimal address ranges. You are right, we could explain this section in more detail and we have received this feedback from some other readers as well. We will take this into account for future revision. Without an explicit discussion, this point may be missed by some readers -- especially since this is a training document. Just my opinion! I'm also curious as to whether this describes the way the world has already settled on, or whether this is a novel, controversial, or only-occasionally-observed technique. I see that RFC 5963 - IPv6 Deployment in Internet Exchange Points (IXPs) of August 2010 does mention BCD encoding of both ASNs and IPV4 digits, so I guess it's not that novel. As I'm not the author of the document - only the initiator of the translation - I'm not sure if I'm the right person to answer this question :) However, I do think it is an interesting discussion on how far the world has already settled on different IPv6 implementation techniques.
There are relatively only a few mature operational IPv6 implementations at the moment and the intention of this document is to have people think of a structure for their address plan and give them some pointers. In case you would like to know more of the background of this document, please talk to Sander Steffann (the author). I'm sure he will be happy to answer your questions. Kind regards, Nathalie Trenaman RIPE NCC Trainer -Original Message- From: Nathalie Trenaman [mailto:natha...@ripe.net] Sent: Wednesday, March 16, 2011 5:05 AM To: nanog@nanog.org Subject: Creating an IPv6 addressing plan for end users Hi all, In our IPv6 courses, we often get the question: I give my customers a /48 (or a /56 or a /52) but they have no idea how to distribute that space in their network. In December Sander Steffann and Surfnet wrote a manual explaining exactly that, in clear language with nice graphics. A very useful document but it was in Dutch, so RIPE NCC decided to translate that document to English. Yesterday, we have published that document on our website and we hope this document is able to take away some of the fear that end users seem to have for these huge blocks. You can find this document here: http://bit.ly/IPv6addrplan (PDF) I look forward to your feedback, tips and comments. With kind regards, Nathalie Trenaman RIPE NCC Trainer
Re: The state-level attack on the SSL CA security model
* Dobbins, Roland (rdobb...@arbor.net) wrote: On Mar 24, 2011, at 11:05 AM, Martin Millnert wrote: Announcing this high and loud even before fixes were available would not have exposed more users to threats, but less. An argument against doing this prior to fixes being available is that miscreants who didn't know about this previously would be alerted to the possibility of using one of these certs (assuming they could get their hands on one) in conjunction with name resolution manipulation. The fix here is to delete the compromised UID and revoke the certs, that's done immediately, then inform the public, no reason to wait after that. IF the speculations about a specific nation are true then there is a risk that people there run real (like physical) risks by using e.g. yahoo the last few days. They would have appreciated being informed. Note that announcing this prior to fixes would've dramatically increased the resale value of these certificates in the underground economy, making them much more attractive/lucrative. Why? Surely the value of stolen certs is higher if the public do not know that they exist. /Joakim
Re: The state-level attack on the SSL CA security model
On Mar 24, 2011, at 6:19 PM, Joakim Aronius wrote: Surely the value of stolen certs is higher if the public do not know that they exist. A wider swathe of interested parties would know of their existence, and their existence would be officially confirmed, which would make them more valuable. Unfortunately, the general public neither knows, understands, nor cares about such things. They happily click 'I Understand the Risks' or whatever the button says in their browsers of choice to accept self-signed certificates all the time. I don't know enough details of what actually transpired to have an actual opinion on the Comodo situation one way or another; but I can see both sides of the argument. --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com The basis of optimism is sheer terror. -- Oscar Wilde
Re: The state-level attack on the SSL CA security model
* Roland Dobbins: A wider swathe of interested parties would know of their existence, and their existence would be officially confirmed, which would make them more valuable. This is at odds with what happens in other contexts. Disclosure devalues information. -- Florian Weimer fwei...@bfk.de BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99
Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
http://blog.internetgovernance.org/blog/_archives/2011/3/23/4778509.html Nortel, in bankruptcy, sells IPv4 address block for $7.5 million by Milton Mueller on Wed 23 Mar 2011 10:30 PM EDT Wake up call for our friends in the Regional Internet Registries. Nortel, the Canadian telecommunications equipment manufacturer that filed for bankruptcy protection in 2009, has succeeded in making its legacy IPv4 address block an asset that can be sold to generate money for its creditors. The March 23 edition of the Dow Jones Daily Bankruptcy Report has reported that Nortel's block of 666,624 IPv4's was sold for $7.5 million - a price of $11.25 per IP address. The buyer of the addresses was Microsoft. More information is in its filing in a Delaware bankruptcy court. Now the interesting question becomes, does the price of IPv4s go up or down from here? As the realities of dual stack sink in, I'm betting...up.
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
666,624 is kind of odd number, isn't it? That comes out to a /13,/15,/19,/21 and a /22. On Thu, Mar 24, 2011 at 8:57 AM, Eugen Leitl eu...@leitl.org wrote: http://blog.internetgovernance.org/blog/_archives/2011/3/23/4778509.html Nortel, in bankruptcy, sells IPv4 address block for $7.5 million by Milton Mueller on Wed 23 Mar 2011 10:30 PM EDT Wake up call for our friends in the Regional Internet Registries. Nortel, the Canadian telecommunications equipment manufacturer that filed for bankruptcy protection in 2009, has succeeded in making its legacy IPv4 address block an asset that can be sold to generate money for its creditors. The March 23 edition of the Dow Jones Daily Bankruptcy Report has reported that Nortel's block of 666,624 IPv4's was sold for $7.5 million - a price of $11.25 per IP address. The buyer of the addresses was Microsoft. More information is in its filing in a Delaware bankruptcy court. Now the interesting question becomes, does the price of IPv4s go up or down from here? As the realities of dual stack sink in, I'm betting...up.
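For anyone who wants to check Jay's arithmetic, here is an added example (not from anyone in the thread) that decomposes an address count into the smallest set of CIDR blocks whose sizes add up to it, and recomputes the per-address price quoted in the blog post. It says nothing about which actual blocks were sold; the thread notes that list was filed under seal.

```python
# Added example: CIDR decomposition of an address count. Not part of the thread.


def cidr_decompose(count: int) -> list:
    """Return the prefix lengths, largest block first, whose sizes sum to `count`.

    Every set bit at position i of `count` is exactly one /(32-i) block, so the
    binary representation of the count *is* the minimal decomposition.
    """
    if not 0 < count <= 2 ** 32:
        raise ValueError("count must be between 1 and 2^32")
    return [32 - i for i in range(32, -1, -1) if (count >> i) & 1]


def block_size(prefixlen: int) -> int:
    """Number of IPv4 addresses in a block of the given prefix length."""
    if not 0 <= prefixlen <= 32:
        raise ValueError("IPv4 prefix length must be 0..32")
    return 2 ** (32 - prefixlen)


def total_addresses(prefixes) -> int:
    """Inverse of cidr_decompose: add up the sizes of a list of blocks."""
    return sum(block_size(p) for p in prefixes)


def as_cidr_list(count: int) -> str:
    """Human-readable form, e.g. '/13, /15, /19, /21, /22'."""
    return ", ".join("/%d" % p for p in cidr_decompose(count))


def price_per_address(total_price: float, count: int) -> float:
    """Sale price divided by address count, rounded to cents."""
    return round(total_price / count, 2)


if __name__ == "__main__":
    # Figures taken from the blog post quoted above.
    nortel_count = 666_624
    print(as_cidr_list(nortel_count))
    print(total_addresses(cidr_decompose(nortel_count)))
    print(price_per_address(7_500_000, nortel_count))
```

The decomposition is minimal in the number of blocks, but a real holding of the same size could of course be split into more, smaller blocks; the function only shows the tightest fit.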
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
On Thu, 2011-03-24 at 09:10 -0400, Jay Nakamura wrote: 666,624 is kind of odd number, isn't it? That comes out to a /13,/15,/19,/21 and a /22. Yeah, I was trying to work that out -- well done for persevering. :)
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
Jay Nakamura zeusda...@gmail.com wrote: 666,624 is kind of odd number, isn't it? That comes out to a /13,/15,/19,/21 and a /22. From the court documents I gather that it is a collection of miscellaneous blocks that Nortel acquired over the years, presumably via corporate M&A. However there isn't (as far as I can see) a list of the actual blocks. See docket 5143 at http://chapter11.epiqsystems.com/NNI/docket/Default.aspx Tony. -- f.anthony.n.finch d...@dotat.at http://dotat.at/ South-east Iceland: Cyclonic 4 or 5, increasing 5 to 7 for a time in north. Moderate or rough. Occasional rain. Moderate or good.
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
Why would Microsoft need this many IP's? I could see the benefiting service providers much more. On 03/24/2011 09:27 AM, Tony Finch wrote: Jay Nakamura zeusda...@gmail.com wrote: 666,624 is kind of odd number, isn't it? That comes out to a /13,/15,/19,/21 and a /22. From the court documents I gather that it is a collection of miscellaneous blocks that Nortel acquired over the years, presumably via corporate M&A. However there isn't (as far as I can see) a list of the actual blocks. See docket 5143 at http://chapter11.epiqsystems.com/NNI/docket/Default.aspx Tony.
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
yay cloud. On Thu, Mar 24, 2011 at 6:32 AM, Bret Clark bcl...@spectraaccess.com wrote: Why would Microsoft need this many IP's? I could see the benefiting service providers much more.
Re: Creating an IPv6 addressing plan for end users
On Mar 24, 2011, at 1:06 AM, Nathalie Trenaman wrote: Hi Liudvikas, Thank you very much for your feedback. On Mar 23, 2011, at 4:56 PM, Liudvikas Bukys wrote: Hi, I saw your document Preparing an IPv6 Addressing Plan after its URL was posted to NANOG. I have one small comment that perhaps you would consider in future revisions: The use of decimal numbers coded in hexadecimal is introduced in section 3.2, Direct Link Between IPv4 and IPv6 Addresses, without discussion. It's also implicit in section 4.9 when encoding decimal VLAN numbers in hexadecimal address ranges. My opinion is that this may be a source of confusion, and should be explicitly described somewhere before section 3.2, as a deliberate implementation choice that makes it easier for human operators to configure and recognize deliberately-chosen mappings between decimals in IPv4 addresses and integers and corresponding fields in hexadecimal address ranges. You are right, we could explain this section in more detail and we have received this feedback from some other readers as well. We will take this into account for future revision. Without an explicit discussion, this point may be missed by some readers -- especially since this is a training document. Just my opinion! I'm also curious as to whether this describes the way the world has already settled on, or whether this is a novel, controversial, or only-occasionally-observed technique. I see that RFC 5963 - IPv6 Deployment in Internet Exchange Points (IXPs) of August 2010 does mention BCD encoding of both ASNs and IPV4 digits, so I guess it's not that novel. As I'm not the author of the document - only the initiator of the translation - I'm not sure if I'm the right person to answer this question :) However, I do think it is an interesting discussion on how far the world has already settled on different IPv6 implementation techniques.
There are relatively only a few mature operational IPv6 implementations at the moment and the intention of this document is to have people think of a structure for their address plan and give them some pointers. I believe based on my observation and experience that it describes a relatively common practice, but, not one which has in any way been standardized. It is one approach that is available and which has proven useful to others. Both the BCD and Hex translation techniques are in relatively common use, but, the BCD mechanism seems to be somewhat more common. The important thing to be careful about with BCD is that you do not attempt to represent all four octets of an address with each cluster representing an octet because you will violate the first 12 bits of a static suffix must be zero rule (following that rule avoids accidental conflicts with stateless autoconf). Owen
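To make the two encodings and Owen's caveat concrete, here is an added example (my own code, not from the addressing-plan document, from Liudvikas or from Owen). It implements the BCD style the thread discusses (decimal digits reused verbatim as hex digits) next to the plain hex translation, maps an IPv4 octet or a VLAN id into an IPv6 address group, and enforces the rule Owen quotes: the first 12 bits of a manually chosen interface identifier must be zero. The prefixes used are constructed sample values from the 2001:db8::/32 documentation range.

```python
import ipaddress

# Added example, not code from the addressing-plan document or from the thread.
# It shows BCD-style and hex-style mapping of decimal values into IPv6 address
# groups and checks the "first 12 bits of a static suffix must be zero" rule.


def bcd_group(value: int) -> str:
    """BCD style: reuse the decimal digits as hex digits (192 -> '192', 10 -> '10')."""
    if not 0 <= value <= 9999:
        raise ValueError("a 16-bit hex group holds at most four decimal digits")
    return str(value)


def hex_group(value: int) -> str:
    """Hex translation: write the value in base 16 (192 -> 'c0', 10 -> 'a')."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("value does not fit in a 16-bit group")
    return format(value, "x")


def interface_id(groups) -> int:
    """Pack up to four hex groups (strings) into a 64-bit interface identifier,
    right-aligned, so ['1', '10'] becomes 0x0000_0000_0001_0010."""
    if len(groups) > 4:
        raise ValueError("an interface identifier has only four 16-bit groups")
    iid = 0
    for g in groups:
        iid = (iid << 16) | int(g, 16)
    return iid


def static_suffix_ok(iid: int) -> bool:
    """Rule quoted in the thread: the first 12 bits of a manually configured
    suffix must be zero, which keeps it clear of stateless-autoconf identifiers."""
    return (iid >> 52) == 0


def host_address(prefix: str, octets, encode=bcd_group) -> str:
    """Form a host address in a /64 from IPv4 octets, one octet per hex group.

    Raises ValueError when the resulting suffix violates the 12-zero-bits rule,
    which is what happens if all four octets are encoded one per group.
    """
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("host addresses are formed inside a /64")
    iid = interface_id([encode(o) for o in octets])
    if not static_suffix_ok(iid):
        raise ValueError("suffix %016x does not start with 12 zero bits" % iid)
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def vlan_subnet(prefix48: str, vlan: int, encode=bcd_group) -> str:
    """Map a VLAN id onto the subnet group (bits 48..63) of a /48, the kind of
    decimal-VLAN-in-hex mapping the thread refers to for section 4.9."""
    net = ipaddress.IPv6Network(prefix48)
    if net.prefixlen != 48:
        raise ValueError("expected a /48")
    subnet_bits = int(encode(vlan), 16) << 64
    return str(ipaddress.IPv6Network((int(net.network_address) | subnet_bits, 64)))


if __name__ == "__main__":
    # Constructed sample values using the 2001:db8::/32 documentation prefix.
    print(host_address("2001:db8:1::/64", [10]))                 # 2001:db8:1::10
    print(host_address("2001:db8:1::/64", [1, 10]))              # 2001:db8:1::1:10
    print(host_address("2001:db8:1::/64", [192], hex_group))     # 2001:db8:1::c0
    print(vlan_subnet("2001:db8:1::/48", 4094))                  # 2001:db8:1:4094::/64
    try:
        host_address("2001:db8:1::/64", [192, 168, 1, 10])       # all four octets
    except ValueError as exc:
        print("rejected:", exc)
```

Encoding only the last one or two octets keeps the suffix within the rule; encoding all four octets one per group puts the first octet's digits in the top group, so the leading 12 bits are no longer zero and the address is rejected, which is the failure mode Owen warns about.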
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
On Thu, Mar 24, 2011 at 7:02 PM, Bret Clark bcl...@spectraaccess.com wrote: Why would Microsoft need this many IP's? I could see the benefiting service providers much more. Microsoft runs Hotmail, Office Live and a bunch of other services you might have heard of. And if every common or garden snowshoer can get a /15, why can't a legitimate corporation get some for itself? :) -- Suresh Ramasubramanian (ops.li...@gmail.com)
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
On Mar 24, 2011, at 6:20 AM, Tom Hill wrote: On Thu, 2011-03-24 at 09:10 -0400, Jay Nakamura wrote: 666,624 is kind of odd number, isn't it? That comes out to a /13,/15,/19,/21 and a /22. Yeah, I was trying to work that out -- well done for persevering. :) Sounds like the pieces of their /8 that weren't in use or something like that. Owen
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
On Thu, Mar 24, 2011 at 01:27:29PM +0000, Tony Finch wrote: Jay Nakamura zeusda...@gmail.com wrote: 666,624 is kind of odd number, isn't it? That comes out to a /13,/15,/19,/21 and a /22. From the court documents I gather that it is a collection of miscellaneous blocks that Nortel acquired over the years, presumably via corporate M&A. However there isn't (as far as I can see) a list of the actual blocks. See docket 5143 at http://chapter11.epiqsystems.com/NNI/docket/Default.aspx Exhibit B expressly indicates they were listed but filed under seal; interesting to request that. Previous documents indicate they used a third party to shop things around, who got a $200k retainer and is getting paid 5% of the sale. -- RSUC / GweepNet / Spunk / FnB / Usenix / SAGE
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
In a message written on Thu, Mar 24, 2011 at 09:32:21AM -0400, Bret Clark wrote: Why would Microsoft need this many IP's? I could see the benefiting service providers much more. I think the more interesting question is why would Microsoft pay $7.5 million for something they can, at least for the moment, get for free. -- Leo Bicknell - bickn...@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
That's a good question. Maybe they can't qualify under Arin rules. Another question will be: how is Arin going to handle it? I'm pretty sure that the RSA says that in the event of bankruptcy ips revert to the Arin pool. I understand that these were legacy addresses but... Aaron Sent via DROID on Verizon Wireless -Original message- From: Leo Bicknell bickn...@ufp.org To: nanog@nanog.org Sent: Thu, Mar 24, 2011 14:08:21 GMT+00:00 Subject: Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million In a message written on Thu, Mar 24, 2011 at 09:32:21AM -0400, Bret Clark wrote: Why would Microsoft need this many IP's? I could see the benefiting service providers much more. I think the more interesting question is why would Microsoft pay $7.5 million for something they can, at least for the moment, get for free. -- Leo Bicknell - bickn...@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
* Leo Bicknell I think the more interesting question is why would Microsoft pay $7.5 million for something they can, at least for the moment, get for free. A very interesting question indeed! However, they can only get them for free from ARIN if they can document an immediate demand. Perhaps they don't have an immediate demand, and are simply stockpiling addresses for later use post ARIN depletion? Or perhaps they hope to make a profit then by selling them to someone else. Either way, it sure seems they're speculating that the market price of an IPv4 address is going to rise to more than US$11.25. -- Tore Anderson Redpill Linpro AS - http://www.redpill-linpro.com Tel: +47 21 54 41 27
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
On Thu, 24 Mar 2011 09:27:58 CDT, Aaron Wendel said: That's a good question. Maybe they can't qualify under Arin rules. Another question will be: how is Arin going to handle it? I'm pretty sure that the RSA says that in the event of bankruptcy ips revert to the Arin pool. I understand that these were legacy addresses but... The *important* question is - do they *remain* legacy addresses under the legacy address rules after the Microsoft acquisition, and thus re-sellable at a later date? If so, we may have seen the first case of IP address speculation, and the start of the bubble. I don't want to see how this bubble bursts..
Re: The state-level attack on the SSL CA security model
Harald Koch c...@pobox.com writes: On 3/23/2011 11:05 PM, Martin Millnert wrote: To my surprise, I did not see a mention in this community of the latest proof of the complete failure of the SSL CA model to actually do what it is supposed to: provide security, rather than a false sense of security. This story strikes me as a success - the certs were revoked immediately, and it took a surprisingly short amount of time for security fixes to appear all over the place. But revocation doesn't work, and people don't install updates, so this is only a *theoretical* success. -- Leif Nixon - Security officer National Supercomputer Centre - Swedish National Infrastructure for Computing Nordic Data Grid Facility - European Grid Infrastructure
RE: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
Just wondering if Microsoft has to justify the address space once they change ownership with Arin? -Original Message- From: Tore Anderson [mailto:tore.ander...@redpill-linpro.com] Sent: Thursday, March 24, 2011 10:40 AM To: nanog@nanog.org Subject: Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million * Leo Bicknell I think the more interesting question is why would Microsoft pay $7.5 million for something they can, at least for the moment, get for free. A very interesting question indeed! However, they can only get them for free from ARIN if they can document an immediate demand. Perhaps they don't have an immediate demand, and are simply stockpiling addresses for later use post ARIN depletion? Or perhaps they hope to make a profit then by selling them to someone else. Either way, it sure seems they're speculating that the market price of an IPv4 address is going to rise to more than US$11.25. -- Tore Anderson Redpill Linpro AS - http://www.redpill-linpro.com Tel: +47 21 54 41 27
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
On Mar 24, 2011, at 7:40 AM, Tore Anderson wrote: They can only get them for free from ARIN if they can document an immediate demand. Perhaps they don't have an immediate demand… They can only get them _at all_ if they can document need. All receipt of address space, whether from the free-pool or through a transfer, is needs-based. Anything else would be removing a critical resource from use. -Bill
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
At 15:40 24/03/2011 +0100, Tore Anderson wrote: Either way, it sure seems they're speculating that the market price of an IPv4 address is going to rise to more than US$11.25. Anything that has ceased to be produced and has demand will go up in value. Just rename IPv4 as Pontiac GTO. -Hank
Re: The state-level attack on the SSL CA security model
Harald Koch c...@pobox.com wrote: This story strikes me as a success - the certs were revoked immediately, and it took a surprisingly short amount of time for security fixes to appear all over the place. It would have been much easier if certificate revocation actually worked properly. http://www.imperialviolet.org/2011/03/18/revocation.html Tony. -- f.anthony.n.finch d...@dotat.at http://dotat.at/ Viking, North Utsire, South Utsire: Westerly veering northerly, 4 or 5, occasionally 6 at first. Moderate or rough. Occasional rain. Moderate or good, occasionally poor at first.
Re: The state-level attack on the SSL CA security model
On 24/03/11 10:09 -0400, Harald Koch wrote: On 3/23/2011 11:05 PM, Martin Millnert wrote: To my surprise, I did not see a mention in this community of the latest proof of the complete failure of the SSL CA model to actually do what it is supposed to: provide security, rather than a false sense of security. This story strikes me as a success - the certs were revoked immediately, and it took a surprisingly short amount of time for security fixes to appear all over the place. The point is that the 'short amount of time' should have been zero (from the time of the update of the CRL) which would have allowed an immediate announcement of the revocation to the public, with sufficient details for the public to make educated decisions about their internet usage. But because the CRL publication did not facilitate that, due to whatever deficiency there existed in the protocol or in browser implementations, announcement had to be delayed, providing a small group of attackers a larger window than necessary to compromise information. -- Dan White
Re: The state-level attack on the SSL CA security model
Which is especially funny since Comodo is citing the fact that they've had no OCSP requests for the bad certs as evidence that they haven't been used. --Richard On Thu, Mar 24, 2011 at 10:53 AM, Tony Finch d...@dotat.at wrote: Harald Koch c...@pobox.com wrote: This story strikes me as a success - the certs were revoked immediately, and it took a surprisingly short amount of time for security fixes to appear all over the place. It would have been much easier if certificate revocation actually worked properly. http://www.imperialviolet.org/2011/03/18/revocation.html Tony. -- f.anthony.n.finch d...@dotat.at http://dotat.at/ Viking, North Utsire, South Utsire: Westerly veering northerly, 4 or 5, occasionally 6 at first. Moderate or rough. Occasional rain. Moderate or good, occasionally poor at first.
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
* Bill Woodcock They can only get them _at all_ if they can document need. All receipt of address space, whether from the free-pool or through a transfer, is needs-based. I've understood that this claim is undisputed *only* for address space that is covered by the ARIN LRSA or any other normal RIR agreement. (I have no idea if that is the case for this particular address space or not.) -- Tore Anderson Redpill Linpro AS - http://www.redpill-linpro.com Tel: +47 21 54 41 27
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
On 03/24/2011 10:06 AM, Joe Provo wrote: On Thu, Mar 24, 2011 at 01:27:29PM +0000, Tony Finch wrote: Jay Nakamura zeusda...@gmail.com wrote: 666,624 is kind of odd number, isn't it? That comes out to a /13,/15,/19,/21 and a /22. From the court documents I gather that it is a collection of miscellaneous blocks that Nortel acquired over the years, presumably via corporate M&A. However there isn't (as far as I can see) a list of the actual blocks. See docket 5143 at http://chapter11.epiqsystems.com/NNI/docket/Default.aspx Exhibit B expressly indicates they were listed but filed under seal; interesting to request that. Previous documents indicate they used a third party to shop things around, who got a $200k retainer and is getting paid 5% of the sale. Docket #4435, Exhibit B has more information on the IP address broker, Addrex, Inc., of Reston, Va. Here's the president and related companies -- http://www.linkedin.com/pub/charles-m-lee/22/414/a94 http://www.denuo.com http://www.addrex.net http://www.depository.net
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
They can only get them _at all_ if they can document need. All receipt of address space, whether from the free-pool or through a transfer, is needs-based. Anything else would be removing a critical resource from use. http://en.wikipedia.org/wiki/Canute
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
On Mar 24, 2011, at 10:27:58 AM, Aaron Wendel wrote: That's a good question. Maybe they can't qualify under Arin rules. Another question will be: how is Arin going to handle it? I'm pretty sure that the RSA says that in the event of bankruptcy ips revert to the Arin pool. I understand that these were legacy addresses but... I wonder if the bankruptcy court agrees with that. Does it have the power to order ARIN to accept this? Send lawyers, guns, and money... --Steve Bellovin, http://www.cs.columbia.edu/~smb
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
On Mar 24, 2011, at 8:57 AM, Eugen Leitl wrote: http://blog.internetgovernance.org/blog/_archives/2011/3/23/4778509.html Read the comment at the end (attached here for reference). /John John Curran President and CEO ARIN Re: Nortel, in bankruptcy, Requests Approval of Sale of IPv4 address blocks by John Curran on Thu 24 Mar 2011 11:31 AM EDT Milton - Did you have an opportunity to review the actual docket materials, or is your coverage based just on your review of the referenced article? The parties have requested approval of a sale order from the Bankruptcy judge. There is a timeline for making filings and a hearing date. There is not an approved sale order at this time, contrary to your blog entry title. ARIN has a responsibility to make clear the community-developed policies by which we maintain the ARIN Whois database, and any actual transfer of number resources in compliance with such policies will be reflected in the database. FYI, /John
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
On Mar 24, 2011, at 11:16 AM, Randy Bush wrote: They can only get them _at all_ if they can document need. All receipt of address space, whether from the free-pool or through a transfer, is needs-based. Anything else would be removing a critical resource from use. http://en.wikipedia.org/wiki/Canute Thank you Randy. Give Canute a community-developed set of marching orders, and make the ocean a little more pliable and you might have something there. As usual, I will simply point out to folks that ARIN will indeed administer the policy as adopted, and will explain it as necessary in various courtrooms. I ask that the community spend its time thinking about what policies are indeed desirable, and make sure those are reflected in the adopted policies. That's the first priority in making sure that we're doing the right thing and our efforts are productive and useful to the community. /John John Curran President and CEO ARIN
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
On Thu, Mar 24, 2011 at 11:34:13AM -0400, Steven Bellovin wrote: On Mar 24, 2011, at 10:27:58 AM, Aaron Wendel wrote: That's a good question. Maybe they can't qualify under Arin rules. Another question will be: how is Arin going to handle it? I'm pretty sure that the RSA says that in the event of bankruptcy ips revert to the Arin pool. I understand that these were legacy addresses but... I wonder if the bankruptcy court agrees with that. Does it have the power to order ARIN to accept this? Send lawyers, guns, and money... Disregard previous; I see the bankruptcy is in the Delaware courts. -- Mike Andrews, W5EGO mi...@mikea.ath.cx Tired old sysadmin
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
Actually ARIN rules don't say anything about bankruptcy. However, in the event that the organization ceases to exist and there is no successor organization taking over the network infrastructure under an 8.2 transfer, yes, the resources would revert to ARIN. The only other (legitimate) possibility is a section 8.3 transfer (which would require approval by ARIN also). In both an 8.2 and an 8.3 transfer, the recipient organization has to show justified need. The collection of blocks in question does not sound like it would be permitted under 8.3, so, perhaps Micr0$0ft is also acquiring part of Nortel's operations that are using those addresses as well. Owen Sent from my iPad On Mar 24, 2011, at 9:27 AM, Aaron Wendel aa...@wholesaleinternet.net wrote: That's a good question. Maybe they can't qualify under Arin rules. Another question will be: how is Arin going to handle it? I'm pretty sure that the RSA says that in the event of bankruptcy ips revert to the Arin pool. I understand that these were legacy addresses but... Aaron Sent via DROID on Verizon Wireless -Original message- From: Leo Bicknell bickn...@ufp.org To: nanog@nanog.org Sent: Thu, Mar 24, 2011 14:08:21 GMT+00:00 Subject: Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million In a message written on Thu, Mar 24, 2011 at 09:32:21AM -0400, Bret Clark wrote: Why would Microsoft need this many IP's? I could see the benefiting service providers much more. I think the more interesting question is why would Microsoft pay $7.5 million for something they can, at least for the moment, get for free. -- Leo Bicknell - bickn...@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/
Comcast contact for DNS issues
Does anyone know or works for Comcast that can deal with DNS Issues? Please reply to me :) Thanks
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
They can only get them _at all_ if they can document need. All receipt of address space, whether from the free-pool or through a transfer, is needs-based. Anything else would be removing a critical resource from use. http://en.wikipedia.org/wiki/Canute Thank you Randy. Give Canute a community-developed set of marching orders, and make the ocean a little more pliable and you might have something there. at some point, the arin policy wonk weenies will face reality. or not. it really makes little difference. i don't particularly like the reality either, but i find it easier and more productive to align my actions and how i spend my time. not a lot of high paying jobs pushing water uphill. randy
IN-ADDR.ARPA Nameserver Change Complete
IN-ADDR.ARPA NAMESERVER CHANGE COMPLETE

This is a courtesy notification of the completion of a change to the nameserver set for the IN-ADDR.ARPA zone. There is no expected impact on the functional operation of the DNS due to this change. There are no actions required by DNS server operators or end users. For more information about this work, please see http://in-addr-transition.icann.org/.

DETAIL

The IN-ADDR.ARPA zone is used to provide reverse mapping (number to name) for IPv4. The servers which now provide authoritative DNS service for the IN-ADDR.ARPA zone are as follows:

A.IN-ADDR-SERVERS.ARPA (operated by ARIN)
B.IN-ADDR-SERVERS.ARPA (operated by ICANN)
C.IN-ADDR-SERVERS.ARPA (operated by AfriNIC)
D.IN-ADDR-SERVERS.ARPA (operated by LACNIC)
E.IN-ADDR-SERVERS.ARPA (operated by APNIC)
F.IN-ADDR-SERVERS.ARPA (operated by RIPE NCC)

All root servers dropped the IN-ADDR.ARPA zone according to the schedule posted earlier, and all root servers now respond to queries under IN-ADDR.ARPA with an appropriate referral. Note that as part of this transition, the IN-ADDR.ARPA zone is now signed with DNSSEC and a complete chain of trust now exists from the root zone to the IN-ADDR.ARPA zone. IP6.ARPA, the corresponding zone for IPv6 reverse mapping, was signed similarly some time ago.

Regards, Joe Abley Director DNS Operations ICANN
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
On Thu, Mar 24, 2011 at 11:10 AM, Tore Anderson tore.ander...@redpill-linpro.com wrote: * Bill Woodcock They can only get them _at all_ if they can document need. All receipt of address space, whether from the free-pool or through a transfer, is needs-based. I've understood that this claim is undisputed *only* for address space that is covered by the ARIN LRSA or any other normal RIR agreement. (I have no idea if that is the case for this particular address space or not.) Tore, Legacy address transferability has been disputed before. Kremen v. ARIN. Kremen lost. Regards, Bill Herrin -- William D. Herrin her...@dirtside.com b...@herrin.us 3005 Crane Dr. .. Web: http://bill.herrin.us/ Falls Church, VA 22042-3004
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
John, On Mar 24, 2011, at 5:42 AM, John Curran wrote: As usual, I will simply point out to folks that ARIN will indeed administer the policy as adopted, and will explain it as necessary in various courtrooms. Oddly, when I said something similar a few years back, I was accused of attempting to 'destroy the Internet' by an ARIN board member. Out of curiosity, which policy declares 'legacy' space under ARIN administration, when was it adopted, and by whom? Regards, -drc
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
On Mar 24, 2011, at 8:15 AM, William Herrin wrote: Legacy address transferability has been disputed before. Kremen v. ARIN. Kremen lost. Yes, Kremen lost, but not based on anything related to address policy: http://blog.ericgoldman.org/archives/2007/01/kremen_loses_ch_1.htm Regards, -drc
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
Agreed, look at: http://ciara.fiu.edu/publications/Rubi%20-%20Property%20Rights%20in%20IP%20Numbers.pdf Even assuming Kremen was decided as ARIN says, United States District Courts can and do disagree. On Mar 24, 2011, at 2:24 PM, David Conrad wrote: Yes, Kremen lost, but not based on anything related to address policy:
Regional AS model
I have seen age old discussions on single AS vs multiple AS for backbone and datacenter design. I am particularly interested in operational challenges for running AS per region e.g. one AS for US, one EU etc or I have heard folks do one AS per DC. I particularly don't see any advantage in doing one AS per region or datacenter since most of the reasons I hear is to reduce the iBGP mesh. I generally prefer one AS and making use of confederation. Zaid
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
On Thu, Mar 24, 2011 at 2:32 PM, Ernie Rubi erne...@cs.fiu.edu wrote: http://ciara.fiu.edu/publications/Rubi%20-%20Property%20Rights%20in%20IP%20Numbers.pdf Even assuming Kremen was decided as ARIN says, United States District Courts can and do disagree. Hi Ernie, The case you refer to was a dispute about a trademark which a particular domain name infringed. The court's theory was that the property right in the trademark (well documented in law) covered the domain name too (fresh precedent). So while a court could disagree about IP addresses, it's not really accurate to say that one has. As you acknowledge in your paper, no such extension of existing intellectual property law has been proposed to cover any particular formulation of integers, including IP addresses. At least within the US, article I section 8 clause 8 would seem to preclude the courts from recognizing intellectual property outside the rationally extensible bounds of what the congress has defined. So it's not really clear under what theory of property law a court would choose to compel ARIN to transfer a legacy registration while retaining legacy status. Indeed, you point out that in a similar situation - telephone numbers - the courts have steadfastly refused to recognize a property interest. Finally, in the case you refer to, the result was a change in party in an explicit signed contract. No such document has been executed between ARIN and the legacy registrants or between those registrants and ARIN's predecessors. The absence of any such legal instrument sets a high bar indeed for anyone attempting to compel ARIN to change a registration outside the course of ARIN's normal policy-defined process. It can't even be tortious interference as the parties knew or should have known ARIN's stance before they began talking.
Now, if congress tomorrow passes a bill that says IP addresses are a new form of intellectual property then they're property henceforward and the legal regime underpinning ARIN falls apart. But that hasn't happened yet. It hasn't even been proposed. On a technical note, your URLs will work more reliably if you don't put spaces in the file names. Although Google Gmail is probably the party at fault, your URL got translated to +'s instead of spaces. Regards, Bill Herrin -- William D. Herrin her...@dirtside.com b...@herrin.us 3005 Crane Dr. .. Web: http://bill.herrin.us/ Falls Church, VA 22042-3004
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
On Thu, 24 Mar 2011 11:10:14 -0400, Larry Blunk l...@merit.edu wrote: On 03/24/2011 10:06 AM, Joe Provo wrote: On Thu, Mar 24, 2011 at 01:27:29PM +, Tony Finch wrote: Jay Nakamurazeusda...@gmail.com wrote: 666,624 is kind of odd number, isn't it? That comes out to a /13,/15,/19,/21 and a /22. From the court documents I gather that it is a collection of miscellaneous blocks that Nortel acquired over the years, presumably via corporate M&A. However there isn't (as far as I can see) a list of the actual blocks. See docket 5143 at http://chapter11.epiqsystems.com/NNI/docket/Default.aspx Exhibit B expressly indicates they were listed but filed under seal; interesting to request that. Previous documents indicate they used a third party to shop things around, who got a $200k retainer and is getting paid 5% of the sale. Docket #4435, Exhibit B has more information on the IP address broker, Addrex, Inc., of Reston, Va. Here's the president and related companies -- http://www.linkedin.com/pub/charles-m-lee/22/414/a94 http://www.denuo.com http://www.addrex.net http://www.depository.net I actually dug back through the thread to find this e-mail. I particularly find the last link of interest. Aaron
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
Sent from my iPad On Mar 24, 2011, at 8:40 AM, Tore Anderson tore.ander...@redpill-linpro.com wrote: * Leo Bicknell I think the more interesting question is why would Microsoft pay $7.5 million for something they can, at least for the moment, get for free. A very interesting question indeed! However, they can only get them for free from ARIN if they can document an immediate demand. Perhaps they don't have an immediate demand, and are simply stockpiling addresses for later use post ARIN depletion? Or perhaps they hope to make a profit then by selling them to someone else. Either way, it sure seems they're speculating that the market price of an IPv4 address is going to rise to more than US$11.25. -- Tore Anderson Redpill Linpro AS - http://www.redpill-linpro.com Tel: +47 21 54 41 27 If they are stockpiling and can't justify need, they are doing so outside of ARIN policy and I will be surprised if that doesn't get challenged by ARIN. Owen
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
On Thu, Mar 24, 2011 at 3:07 PM, aa...@wholesaleinternet.net wrote: On Thu, 24 Mar 2011 11:10:14 -0400, Larry Blunk l...@merit.edu wrote: On 03/24/2011 10:06 AM, Joe Provo wrote: Exhibit B expressly indicates they were listed but filed under seal; interesting to request that. Previous documents indicate they used a third party to shop things around, who got a $200k retainer and is getting paid 5% of the sale. Docket #4435, Exhibit B has more information on the IP address broker, Addrex, Inc., of Reston, Va. Here's the president and related companies -- http://www.linkedin.com/pub/charles-m-lee/22/414/a94 http://www.denuo.com http://www.addrex.net http://www.depository.net I actually dug back through the thread to find this e-mail. I particularly find the last link of interest. So -that's- why Peter Thimmesch was privately contacting ARIN PPML posters last month. I wondered what the guy hoped to gain; he was trying to establish legitimacy for depository.net in support of this sale. -Bill -- William D. Herrin her...@dirtside.com b...@herrin.us 3005 Crane Dr. .. Web: http://bill.herrin.us/ Falls Church, VA 22042-3004
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
Sent from my iPad On Mar 24, 2011, at 8:43 AM, valdis.kletni...@vt.edu wrote: On Thu, 24 Mar 2011 09:27:58 CDT, Aaron Wendel said: That's a good question. Maybe they can't qualify under ARIN rules. Another question will be: how is ARIN going to handle it? I'm pretty sure that the RSA says that in the event of bankruptcy IPs revert to the ARIN pool. I understand that these were legacy addresses but... The *important* question is - do they *remain* legacy addresses under the legacy address rules after the Microsoft acquisition, and thus re-sellable at a later date? If so, we may have seen the first case of IP address speculation, and the start of the bubble. I don't want to see how this bubble bursts.. In order for the transfer to be recognized by ARIN, they would not be able to remain legacy addresses. However, nothing in ARIN policy precludes resale of transferred addresses at a later date. What it does preclude, however, is acquiring the addresses without justified need. Owen
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
On Thu, 24 Mar 2011 14:15:45 EDT, William Herrin said: Legacy address transferability has been disputed before. Kremen v. ARIN. Kremen lost. Yes, but Microsoft's lawyers can probably beat up ARIN's lawyers.
Re: Regional AS model
Sent from my iPad On Mar 24, 2011, at 12:42 PM, Zaid Ali z...@zaidali.com wrote: I have seen age old discussions on single AS vs multiple AS for backbone and datacenter design. I am particularly interested in operational challenges for running AS per region e.g. one AS for US, one EU etc or I have heard folks do one AS per DC. I particularly don't see any advantage in doing one AS per region or datacenter since most of the reasons I hear is to reduce the iBGP mesh. I generally prefer one AS and making use of confederation. Zaid If you have good backbone between the locations, then, it's mostly a matter of personal preference. If you have discrete autonomous sites that are not connected by internal circuits (not VPNs), then, AS per site is greatly preferable. Owen
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
Alright, how about this - let's wait and see what the bankruptcy judge says. Which firm do you practice for? On Mar 24, 2011, at 3:05 PM, William Herrin wrote: On Thu, Mar 24, 2011 at 2:32 PM, Ernie Rubi erne...@cs.fiu.edu wrote: http://ciara.fiu.edu/publications/Rubi%20-%20Property%20Rights%20in%20IP%20Numbers.pdf Even assuming Kremen was decided as ARIN says, United States District Courts can and do disagree. Hi Ernie, The case you refer to was a dispute about a trademark which a particular domain name infringed. The court's theory was that the property right in the trademark (well documented in law) covered the domain name too (fresh precedent). So while a court could disagree about IP addresses, it's not really accurate to say that one has.
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
On Thu, Mar 24, 2011 at 3:43 PM, Ernie Rubi erne...@cs.fiu.edu wrote: Alright, how about this - let's wait and see what the bankruptcy judge says. With bated breath. -Bill -- William D. Herrin her...@dirtside.com b...@herrin.us 3005 Crane Dr. .. Web: http://bill.herrin.us/ Falls Church, VA 22042-3004
Re: Regional AS model
On Mar 24, 2011, at 3:40 PM, Owen DeLong wrote: On Mar 24, 2011, at 12:42 PM, Zaid Ali z...@zaidali.com wrote: I have seen age old discussions on single AS vs multiple AS for backbone and datacenter design. I am particularly interested in operational challenges for running AS per region e.g. one AS for US, one EU etc or I have heard folks do one AS per DC. I particularly don't see any advantage in doing one AS per region or datacenter since most of the reasons I hear is to reduce the iBGP mesh. I generally prefer one AS and making use of confederation. Zaid If you have good backbone between the locations, then, it's mostly a matter of personal preference. If you have discrete autonomous sites that are not connected by internal circuits (not VPNs), then, AS per site is greatly preferable. We disagree. Single AS worldwide is fine with or without a backbone. Which is preferable is up to you, your situation, and your personal tastes. (I guess one could argue that wasting AS numbers, or polluting the table with lots of AS numbers is bad or un-aesthetically pleasing, but I think you should do whatever fits your situation anyway.) -- TTFN, patrick
Re: The state-level attack on the SSL CA security model
On Mar 24, 2011, at 7:09 AM, Harald Koch wrote: On 3/23/2011 11:05 PM, Martin Millnert wrote: To my surprise, I did not see a mention in this community of the latest proof of the complete failure of the SSL CA model to actually do what it is supposed to: provide security, rather than a false sense of security. This story strikes me as a success - the certs were revoked immediately, and it took a surprisingly short amount of time for security fixes to appear all over the place. snip -- Harald I'd hardly call the fact that it required manual blacklist patches to every browser a success. SSL is a failure if real revocation requires creating a patch for browsers and relying on users to install it. -- bk
Re: Regional AS model
Multiple AS, one per region, is about extracting maximum revenue from your client base. In 2000 we had no technical reason to do it, I can't see a technical reason to do it today. This is a layer 8/9 issue. jy On 25/03/2011, at 5:42 AM, Zaid Ali z...@zaidali.com wrote: I have seen age old discussions on single AS vs multiple AS for backbone and datacenter design. I am particularly interested in operational challenges for running AS per region e.g. one AS for US, one EU etc or I have heard folks do one AS per DC. I particularly don't see any advantage in doing one AS per region or datacenter since most of the reasons I hear is to reduce the iBGP mesh. I generally prefer one AS and making use of confederation. Zaid
Re: Regional AS model
On Mar 24, 2011, at 1:47 PM, Patrick W. Gilmore wrote: On Mar 24, 2011, at 3:40 PM, Owen DeLong wrote: On Mar 24, 2011, at 12:42 PM, Zaid Ali z...@zaidali.com wrote: I have seen age old discussions on single AS vs multiple AS for backbone and datacenter design. I am particularly interested in operational challenges for running AS per region e.g. one AS for US, one EU etc or I have heard folks do one AS per DC. I particularly don't see any advantage in doing one AS per region or datacenter since most of the reasons I hear is to reduce the iBGP mesh. I generally prefer one AS and making use of confederation. If you have good backbone between the locations, then, it's mostly a matter of personal preference. If you have discrete autonomous sites that are not connected by internal circuits (not VPNs), then, AS per site is greatly preferable. We disagree. Single AS worldwide is fine with or without a backbone. Which is preferable is up to you, your situation, and your personal tastes. We're with Patrick on this one. We operate a single AS across seventy-some-odd locations in dozens of countries, with very little of what an eyeball operator would call backbone between them, and we've never seen any potential benefit from splitting them. I think the management headache alone would be sufficient to make it unattractive to us. -Bill
Re: The state-level attack on the SSL CA security model
On Mar 24, 2011, at 6:41 PM, Florian Weimer wrote: Disclosure devalues information. I think this case is different, given the perception of the cert as a 'thing' to be bartered. --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com The basis of optimism is sheer terror. -- Oscar Wilde
Re: The state-level attack on the SSL CA security model
- Original Message - From: Roland Dobbins rdobb...@arbor.net To: nanog group nanog@nanog.org Sent: Friday, 25 March, 2011 9:33:27 AM Subject: Re: The state-level attack on the SSL CA security model On Mar 24, 2011, at 6:41 PM, Florian Weimer wrote: Disclosure devalues information. I think this case is different, given the perception of the cert as a 'thing' to be bartered. Isn't there any law that obliges company to disclose security breaches that involve consumer data?
Re: The state-level attack on the SSL CA security model
On Thu, Mar 24, 2011 at 2:39 PM, Franck Martin fra...@genius.com wrote: - Original Message - From: Roland Dobbins rdobb...@arbor.net To: nanog group nanog@nanog.org Sent: Friday, 25 March, 2011 9:33:27 AM Subject: Re: The state-level attack on the SSL CA security model On Mar 24, 2011, at 6:41 PM, Florian Weimer wrote: Disclosure devalues information. I think this case is different, given the perception of the cert as a 'thing' to be bartered. Isn't there any law that obliges company to disclose security breaches that involve consumer data? I don't think SSL certs are consumer data, per se. Back on original point - if the *actual effective* model of browser security is browsers with an internal revoked cert list - then there's a case to be made that a pre-announcement in private to the browser vendors, enough time for them to spin patches, and then widespread public discussion is the most responsible model approach. The public knowing before their browser knows how to handle the bad cert isn't helpful, unless you can effectively tell people how to get their browser to actually go verify every cert. -- -george william herbert george.herb...@gmail.com
Re: Regional AS model
On Mar 24, 2011, at 11:08 AM, Jeffrey S. Young wrote: Multiple AS, one per region, is about extracting maximum revenue from your client base. In 2000 we had no technical reason to do it, I can't see a technical reason to do it today. This is a layer 8/9 issue. http://tools.ietf.org/html/draft-mcpherson-unique-origin-as-00 Regards, -drc
Re: Regional AS model
Quoting Zaid Ali z...@zaidali.com: I have seen age old discussions on single AS vs multiple AS for backbone and datacenter design. I am particularly interested in operational challenges for running AS per region e.g. one AS for US, one EU etc or I have heard folks do one AS per DC. I particularly don't see any advantage in doing one AS per region or datacenter since most of the reasons I hear is to reduce the iBGP mesh. I generally prefer one AS and making use of confederation. Zaid Hi Zaid, What timing - this is fresh on my mind too as I am in the middle of doing this myself with three locations, all with independent edges with different transit providers. I actually do have a private Layer2 circuit between, with one site being in the middle. I only have one public AS, but I have selected doing the confederation approach (which some may consider to be overkill with only three edges). Each site has their own set of IPs and would originate out of their respective edge, and using EIGRP metric changes at each core to get 0.0.0.0/0 from another edge if the local fails. Each edge is then announcing each others' subnets with an extra pad or two to keep the asymmetrical routing down (the private L2 isn't as fast as my transits). Good luck with your deployment! -graham
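The design Graham describes (one public AS, confederation sub-ASes per site, prefixes of the other sites re-announced with "an extra pad or two") rests on a few AS_PATH rules that are easy to get wrong. The model below is an added example, not code from the post or from any router vendor: it implements the AS_PATH handling of RFC 4271 and RFC 5065 in plain Python so the effect of those choices can be inspected offline. It also covers the allowas-in point a later reply in this thread raises for sites that share one ASN. The ASNs (64500 as the public AS, 65001 and 65002 as member ASes) are private-range values chosen for the example.

```python
"""AS_PATH handling for a single public AS run as a confederation.

Added example, not code from the post or from any router vendor. Member-AS
numbers live in AS_CONFED_SEQUENCE segments, are stripped when a route
leaves the confederation, and do not count toward path length, while
prepending ("padding") on a backup edge does. ASNs are private-range
values chosen for the example.
"""

AS_SEQUENCE = "AS_SEQUENCE"
AS_CONFED_SEQUENCE = "AS_CONFED_SEQUENCE"
# An AS_PATH is a list of (segment_type, [asn, ...]) tuples, leftmost first.


def prepend(path, asn, count=1):
    """Prepend `asn` `count` times to the public AS_SEQUENCE."""
    if path and path[0][0] == AS_SEQUENCE:
        return [(AS_SEQUENCE, [asn] * count + list(path[0][1]))] + list(path[1:])
    return [(AS_SEQUENCE, [asn] * count)] + list(path)


def prepend_member(path, member_asn):
    """Crossing a member-AS boundary inside the confederation (RFC 5065 s5)."""
    if path and path[0][0] == AS_CONFED_SEQUENCE:
        return [(AS_CONFED_SEQUENCE, [member_asn] + list(path[0][1]))] + list(path[1:])
    return [(AS_CONFED_SEQUENCE, [member_asn])] + list(path)


def export_to_ebgp(path, confed_id):
    """Leaving the confederation: drop confed segments, prepend the public ASN."""
    public = [seg for seg in path if seg[0] == AS_SEQUENCE]
    return prepend(public, confed_id)


def as_path_length(path):
    """Length used by best-path selection; confed segments are not counted."""
    return sum(len(asns) for kind, asns in path if kind == AS_SEQUENCE)


def accept_inbound(path, local_asn, allowas_in=0):
    """Loop check on an eBGP-received path.

    Standard behaviour (allowas_in=0) drops any path already carrying our
    own public ASN. Sites that share one ASN but may have to reach each
    other through transit need allowas_in > 0, which also means a genuine
    routing loop through that ASN is no longer rejected.
    """
    seen = sum(asns.count(local_asn) for kind, asns in path if kind == AS_SEQUENCE)
    return seen <= allowas_in


def walk_example():
    """Prefix originated at member 65001, learned by member 65002, exported there."""
    confed_id, site_a = 64500, 65001
    inside = prepend_member([], site_a)          # as received at site B from site A
    primary = export_to_ebgp(inside, confed_id)  # what site A's own transit sees
    backup = prepend(primary, confed_id, 2)      # site B's edge adds the extra pad
    return {
        "inside": inside,
        "primary": primary,
        "backup": backup,
        "primary_len": as_path_length(primary),
        "backup_len": as_path_length(backup),
    }


if __name__ == "__main__":
    for name, value in walk_example().items():
        print(f"{name:<12} {value}")
```

The model makes two things visible: the outside world never sees 65001 or 65002, so splitting into member ASes changes nothing about how the prefix looks to the Internet, and the padding is what actually steers traffic to the primary edge (length 1 versus 3). The `accept_inbound` check is the loop-detection rule that forces allowas-in once two sites with the same public ASN can only reach each other through a transit provider.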
Re: Regional AS model
On Mar 24, 2011, at 5:45 PM, David Conrad wrote: On Mar 24, 2011, at 11:08 AM, Jeffrey S. Young wrote: Multiple AS, one per region, is about extracting maximum revenue from your client base. In 2000 we had no technical reason to do it, I can't see a technical reason to do it today. This is a layer 8/9 issue. http://tools.ietf.org/html/draft-mcpherson-unique-origin-as-00 Latest is here (which still needs a few minor comments incorporated): http://tools.ietf.org/html/draft-ietf-grow-unique-origin-as-00 And the operative bits relative to this discussion are provided in the title: Unique Per-Node Origin ASNs for Globally Anycasted Services -danny
Re: Regional AS model
On Thursday, March 24, 2011 at 14:26 -0700, Bill Woodcock wrote: On Mar 24, 2011, at 1:47 PM, Patrick W. Gilmore wrote: On Mar 24, 2011, at 3:40 PM, Owen DeLong wrote: On Mar 24, 2011, at 12:42 PM, Zaid Ali z...@zaidali.com wrote: I have seen age old discussions on single AS vs multiple AS for backbone and datacenter design. I am particularly interested in operational challenges for running AS per region e.g. one AS for US, one EU etc or I have heard folks do one AS per DC. I particularly don't see any advantage in doing one AS per region or datacenter since most of the reasons I hear is to reduce the iBGP mesh. I generally prefer one AS and making use of confederation. If you have good backbone between the locations, then, it's mostly a matter of personal preference. If you have discrete autonomous sites that are not connected by internal circuits (not VPNs), then, AS per site is greatly preferable. We disagree. Single AS worldwide is fine with or without a backbone. Which is preferable is up to you, your situation, and your personal tastes. We're with Patrick on this one. We operate a single AS across seventy-some-odd locations in dozens of countries, with very little of what an eyeball operator would call backbone between them, and we've never seen any potential benefit from splitting them. I think the management headache alone would be sufficient to make it unattractive to us. -Bill Right. I think that a single AS is most often quite fine. I think our problem space is rather about how you organise the routing in your AS. Flat, route-reflection, confederations? How much policing between regions do you feel that you need? In some scenarios, I think confederations may be a pretty sound replacement of the multiple-AS approach. Policing iBGP sessions in a route-reflector topology? Limits? Thoughts? Cheers, mh
Re: The state-level attack on the SSL CA security model
On Thu, Mar 24, 2011 at 7:09 AM, Harald Koch c...@pobox.com wrote: On 3/23/2011 11:05 PM, Martin Millnert wrote: To my surprise, I did not see a mention in this community of the latest proof of the complete failure of the SSL CA model to actually do what it is supposed to: provide security, rather than a false sense of security. This story strikes me as a success - the certs were revoked immediately, and it took a surprisingly short amount of time for security fixes to appear all over the place. In some places, failure of internet security means people die. Those people know that using highly visible services like gmail and skype is asking to be exposed... This is definitively not true. There is no evidence of the active use of these services (or circumvention systems to reach them) being used as evidence or an indication that a particular target should be detained, threatened or punished, in Iran in particular and actually globally. I say this, because such evidence would actually reinforce some security recommendations that I and other human rights groups have made, so I'm always on the lookout for it. On the other hand, both gmail and Skype are used by many individuals on the assumption that they are more secure than the alternatives (non-SSL protected webmail or those with servers in local jurisdictions; unencrypted instant messaging clients). You can argue about whether these tools *are* more protective, but you certainly can't say that these high-risk groups use them on the understanding they can expect the same level of knowledge or retribution by their adversaries as if these systems were openly surveillable. A security breach like this makes the details of specific communications readable, which also places people who do *not* use these tools at far more risk also.
I'm personally not yet convinced that the attackers in this case were the Iranian state; that's something that is incredibly hard to ascertain, and I'm surprised Comodo were so quick to draw this conclusion. Even if these attacks came from Iran, that could be for false flag reasons, plus as others have pointed out, criminals have as much interest in obtaining these certificates as the Iranian state -- although factions within the Iranian government could certainly be potential clients. Other states might have an interest too. Just because you have an organisation with CA authority within the reach of a government doesn't mean you'd want to use those signing powers when dealing with dissidents. The arguments on NANOG about why non-disclosure in this case might have been a good idea I think contribute to the debate. Nonetheless, I'd strongly urge anyone not to assume that activists and journalists at physical risk in states like Iran assume that risk by using specific tools, or that major (if temporary) failures in the PKI structure don't put them and their colleagues at far greater risk. Best, d. Danny O'Brien, Committee to Protect Journalists https://cpj.org/internet -- Harald
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
Owen, I (and I presume Eric Goldman, author of the post I referenced) was looking at Judge James Ware's actual ruling (http://docs.justia.com/cases/federal/district-courts/california/candce/5:2006cv02554/181054/41/). I don't see anything in there discussing that 'the transfer had to be done in a manner that complied with ARIN policy' or Kremen was 'required to sign the RSA'. It isn't a very long document (and surprisingly easy to read for a court judgement). Not being a lawyer, I can't be certain, but all I see is time-barred and statute of limitations. The only thing relevant I can see in subsequent filings is that Kremen and ARIN came to a settlement in which ARIN didn't have to do anything and Kremen wouldn't pursue the matter. Can you point to where the Judge said anything (much less definitively) about complying with ARIN policy, signing an RSA, etc.? Regards, -drc On Mar 24, 2011, at 10:26 AM, Owen DeLong wrote: The judge definitely ruled that the transfer had to be done in a manner that complied with ARIN policy and made it clear that the recipient was, indeed, required to sign the RSA. So, yes, Kremen also lost on the address policy basis, which I believe may have been an additional ruling subsequent to what is covered at the cited URL. Owen Sent from my iPad On Mar 24, 2011, at 12:24 PM, David Conrad d...@virtualized.org wrote: On Mar 24, 2011, at 8:15 AM, William Herrin wrote: Legacy address transferability has been disputed before. Kremen v. ARIN. Kremen lost. Yes, Kremen lost, but not based on anything related to address policy: http://blog.ericgoldman.org/archives/2007/01/kremen_loses_ch_1.htm Regards, -drc
Peering Traffic Volume
Hi All - I am new to this mailer. Hopefully my question is posed to the correct list. I am using 2.5 Tbps as the peak volume of peering traffic over all peering points for a Tier 1 ISP, for some modeling purposes. Is that a reasonable estimate? Thanks Ravi
Re: Regional AS model
While it's a very interesting read and it's always nice to know what Danny is up to, the concept is a pretty extreme corner case when you consider the original question. I took the original question to be about global versus regional AS in a provider backbone. On the other hand if we'd had this capability years ago the notion of a CDN based on anycasting would be viable in a multi-provider environment. Maybe time to revive that idea? jy On 25/03/2011, at 8:45 AM, David Conrad d...@virtualized.org wrote: On Mar 24, 2011, at 11:08 AM, Jeffrey S. Young wrote: Multiple AS, one per region, is about extracting maximum revenue from your client base. In 2000 we had no technical reason to do it, I can't see a technical reason to do it today. This is a layer 8/9 issue. http://tools.ietf.org/html/draft-mcpherson-unique-origin-as-00 Regards, -drc
Re: Regional AS model
On Thu, Mar 24, 2011 at 5:51 PM, Graham Wooden gra...@g-rock.net wrote: with one site being in the middle. I only have one public AS, but I have selected doing the confederation approach (which some may consider to be overkill with only three edges). There are really several issues to consider, one of which certainly is overkill, but the others are: 1) in your case, you have to run allowas-in *anyway* because if your transport or your middle POP goes down, so will your network and its customers; so confederating isn't really buying you anything unless your backbone is really vendor L3VPN 2) confederating / clustering can add to MED headaches and similar While this is not directed at your deployment specifically, it is a common newbie mistake to confederate something that doesn't need to be, or to otherwise complicate your backbone because you think you need to turn knobs to prepare for future growth. Guess what, that growth might happen later on, but if you don't understand emergent properties of your knob-turning, your plan for the future is really a plan to fail, as you'll have to re-architect your network at some point anyway, probably right when you need that scalability you thought you engineered in early-on. List readers should be strongly discouraged from confederating unless they know they need to, understand its benefits, and understand its potential weaknesses. In general, a network with effectively three or six routers should never have a confederated backbone. The number of guys who really understand confederating / route-reflection within the backbone is very small compared to the number of guys who *think* they are knowledgeable about everything that falls under router bgp, our beloved inter-domain routing protocol which gives the operator plenty of rope with which to hang himself (or the next guy who holds his job after he moves on.) On Thu, Mar 24, 2011 at 7:50 PM, Jeffrey S. 
Young yo...@jsyoung.net wrote: On the other hand if we'd had this capability years ago the notion of a CDN based on anycasting would be viable in a multi-provider environment. Maybe time to revive that idea? That draft doesn't identify any particular technical challenges to originating a prefix from multiple discrete origin ASNs other than the obvious fact that they'll show up in the various inconsistent origin AS reports such as CIDR Report, etc. It of course does identify some advantages to doing it. I imagine Danny McPherson and his colleagues have spent some time looking into this, and can probably say with confidence that there are in fact no real challenges to doing it today besides showing up in some weekly email as a possible anomaly. It seems to be a taboo topic, but once a few folks start doing it, I think it'll quickly become somewhat normal. Note that in the current IRR routing information system, it is possible to publish two route objects, each with the same prefix, and each with a different origin ASN. This is by design. -- Jeff S Wheeler j...@inconcepts.biz Sr Network Operator / Innovative Network Concepts
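The closing remark, that the IRR lets two route objects carry the same prefix with different origin ASNs, is exactly what the "inconsistent origin AS" reports look for. As an added example (not code from the post or from any IRR operator), the script below parses a constructed set of RPSL route/route6 objects, groups them by prefix, and reports prefixes with more than one registered origin. The prefixes are documentation ranges and the ASNs private-range values; the object text is constructed for the example.

```python
"""Find prefixes registered in IRR route objects with more than one origin AS.

Added example, not code from the thread or from any IRR operator. It parses
a constructed set of RPSL route/route6 objects and groups them by prefix,
which is the check behind "inconsistent origin AS" reports. Prefixes are
documentation ranges and ASNs private-range values.
"""
import ipaddress
from collections import defaultdict

# Constructed IRR data in the flat "attribute: value" RPSL layout; objects
# are separated by blank lines. 192.0.2.0/24 is deliberately registered
# twice with different origins, as an anycast operator would do.
SAMPLE_IRR = """\
route:      192.0.2.0/24
descr:      constructed: anycast service, node one
origin:     AS64496
source:     EXAMPLE

route:      192.0.2.0/24
descr:      constructed: anycast service, node two
origin:     AS64497
source:     EXAMPLE

route:      198.51.100.0/24
descr:      constructed: ordinary single-origin prefix
origin:     AS64498
source:     EXAMPLE

route6:     2001:db8::/32
descr:      constructed: IPv6 object
origin:     AS64496
source:     EXAMPLE
"""


def _object_to_route(obj):
    """Return (network, asn) for one parsed object, or None if unusable."""
    prefix = obj.get("route") or obj.get("route6")
    origin = obj.get("origin", "").upper()
    if prefix is None or not origin.startswith("AS") or not origin[2:].isdigit():
        return None
    try:
        return ipaddress.ip_network(prefix, strict=True), int(origin[2:])
    except ValueError:          # malformed or non-canonical prefix
        return None


def parse_route_objects(text):
    """Parse RPSL text into a list of (network, origin_asn) pairs."""
    routes, current = [], {}
    for raw in text.splitlines() + [""]:     # trailing "" flushes the last object
        line = raw.strip()
        if not line:
            if current:
                route = _object_to_route(current)
                if route is not None:
                    routes.append(route)
            current = {}
        elif ":" in line:
            attr, value = line.split(":", 1)
            current.setdefault(attr.strip().lower(), value.strip())
    return routes


def origins_by_prefix(text):
    """Group registered origin ASNs by prefix."""
    table = defaultdict(set)
    for net, asn in parse_route_objects(text):
        table[net].add(asn)
    return table


def multi_origin_prefixes(text):
    """Prefixes with more than one registered origin, as {prefix: [asns]}.

    For an anycast prefix this is expected and by design; for anything
    else it deserves a look, since a mis-registration or a bogus route
    object covering someone else's space produces the same signal.
    """
    return {str(net): sorted(asns)
            for net, asns in origins_by_prefix(text).items()
            if len(asns) > 1}


if __name__ == "__main__":
    for prefix, asns in multi_origin_prefixes(SAMPLE_IRR).items():
        print(prefix, "origins:", " ".join(f"AS{a}" for a in asns))
```

Objects with an unparsable prefix or a malformed origin are dropped rather than guessed at, and the report is a list to review, not a verdict: the thread's point is that multiple origins per prefix can be entirely legitimate.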
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
List, since there are IRR databases operated by non-RIRs, does one need to register a prefix in any RIR-DB at all, to see it reachable on the Internet? Have there been any presentations/research done on reachability of RIR-registered vs non-RIR-registered vs completely unregistered announcements? ( When I say RPKI below I mean the entire secure BGP routing infrastructure developments. ) I think it is pretty clear what the greatest motivation from RIRs on RPKI is: (Unregistered) legacy v4-space (i.e., reaching a critical mass so that the network effect starts to apply positively for the reachability of non-RIR-registered space. John Curran has written on RPKI = certification of RIR-DB contents on this list before, but that could in all seriousness be equally accomplished simply by having a usable and trusted API-connection to query the DB itself. And that I think hardly anyone would oppose. (AFAIK ARIN has already deployed this by now; and as soon as their services have some sort of authentication (DNSSEC'ed DNS with SSL cert in it, for example? It's ~trivial to program a client for this!) a lot will have been accomplished already! What's different and unique with the RPKI effort is that it integrates this information directly into BGP itself, in an effort to claim control on what's being announced on the Internet. The former I welcome warmly, while for the latter I think it remains to be seen how successful it will be. Regards, Martin On Thu, Mar 24, 2011 at 11:35 AM, John Curran jcur...@arin.net wrote: On Mar 24, 2011, at 8:57 AM, Eugen Leitl wrote: http://blog.internetgovernance.org/blog/_archives/2011/3/23/4778509.html Read the comment at the end (attached here for reference).
/John John Curran President and CEO ARIN Re: Nortel, in bankruptcy, Requests Approval of Sale of IPv4 address blocks by John Curran on Thu 24 Mar 2011 11:31 AM EDT Milton - Did you have an opportunity to review the actual docket materials, or is your coverage based just on your review of the referenced article? The parties have requested approval of a sale order from the Bankruptcy judge. There is a timeline for making filings and a hearing date. There is not an approved sale order at this time, contrary to your blog entry title. ARIN has a responsibility to make clear the community-developed policies by which we maintain the ARIN Whois database, and any actual transfer of number resources in compliance with such policies will be reflected in the database. FYI, /John
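Martin's distinction above is between publishing the registry contents (which anyone can query) and "integrating this information directly into BGP itself". The second half is route origin validation as specified in RFC 6811: the router holds a set of validated ROA payloads (prefix, maxLength, origin ASN) and tags each received announcement valid, invalid or not-found, and local policy decides what to do with each tag. As an added example (not code from the thread, from ARIN, or from any RPKI implementation), the Python below carries that check through on constructed data: the ROAs and announcements use documentation prefixes (RFC 5737, RFC 3849) and documentation ASNs (RFC 5398), and the ROA list is assumed to be the complete set a cache would hand the router over RTR (RFC 6810).

```python
"""
RPKI route origin validation (RFC 6811) applied to BGP announcements
against a set of ROAs.

Added example, not code from the thread, from ARIN or from any RPKI
implementation. ROAs and announcements are constructed sample data
using documentation prefixes (RFC 5737, RFC 3849) and documentation
ASNs (RFC 5398). A router receives its ROA set from an RPKI cache over
RTR (RFC 6810); here it is a plain list, assumed to be complete.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """One validated ROA payload: prefix, maxLength and authorised origin ASN.
    asn == 0 is the RFC 6483 convention for 'no AS may originate this prefix'."""
    prefix: str
    max_length: int
    asn: int


VALID, INVALID, NOT_FOUND = "valid", "invalid", "not-found"

# Constructed ROA set (assumption: these are the only ROAs the cache holds).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/22", 24, 64497),   # AS64497 may announce the /22 down to /24s
    ROA("2001:db8::/32", 32, 0),         # AS0 ROA: nothing may originate this block
]


def covering_roas(roas, route_prefix):
    """ROAs whose prefix covers the announced prefix: same address family and
    the announced prefix equal to, or more specific than, the ROA prefix."""
    net = ipaddress.ip_network(route_prefix, strict=False)
    return [
        roa for roa in roas
        if ipaddress.ip_network(roa.prefix).version == net.version
        and net.subnet_of(ipaddress.ip_network(roa.prefix))
    ]


def origin_validation_state(roas, route_prefix, origin_asn):
    """RFC 6811 section 2: 'valid' if some covering ROA names the origin ASN
    and the announced length does not exceed its maxLength; 'invalid' if ROAs
    cover the prefix but none matches; 'not-found' if no ROA covers it."""
    net = ipaddress.ip_network(route_prefix, strict=False)
    covering = covering_roas(roas, route_prefix)
    if not covering:
        return NOT_FOUND
    for roa in covering:
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return VALID
    return INVALID


def filter_announcements(roas, announcements, drop_invalid=True):
    """A minimal import policy: tag each (prefix, origin) with its state and,
    when drop_invalid is set, discard 'invalid' routes. 'not-found' routes are
    kept, since most of the table has no ROA at all. Returns kept routes with
    their state."""
    kept = []
    for prefix, origin in announcements:
        state = origin_validation_state(roas, prefix, origin)
        if drop_invalid and state == INVALID:
            continue
        kept.append((prefix, origin, state))
    return kept


# Constructed announcements: (prefix, origin ASN).
SAMPLE_ROUTES = [
    ("192.0.2.0/24", 64496),        # matches its ROA exactly
    ("192.0.2.0/24", 64497),        # covered, but a different origin
    ("198.51.100.0/23", 64497),     # within maxLength 24
    ("198.51.100.128/25", 64497),   # right origin, longer than maxLength
    ("203.0.113.0/24", 64498),      # no ROA at all
    ("2001:db8:1::/48", 64499),     # covered by the AS0 ROA
]

if __name__ == "__main__":
    for prefix, origin, state in filter_announcements(
            SAMPLE_ROAS, SAMPLE_ROUTES, drop_invalid=False):
        print(f"{prefix:22} AS{origin}  {state}")
```

The two 192.0.2.0/24 announcements are the case this thread keeps circling: the same prefix from two origins, where the ROA decides which one a validating router treats as authorised. Whether 'invalid' routes are actually dropped is local policy (the drop_invalid flag), which is the part Martin says remains to be seen.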
Google Geolocation
Would someone from Google please contact me offlist? You're geolocating some of $DAYJOB's IP space to the Netherlands, and I'm not sure how to fix it. Sadly, very few of my $DAYJOB's customers in Seattle are fluent in Dutch. (If there's an obvious form somewhere to fix this, and I missed it, then I apologize for the useless post!) Nathan
Re: Google Geolocation
On Thu, Mar 24, 2011 at 5:28 PM, Nathan Eisenberg nat...@atlasnetworks.us wrote: Would someone from Google please contact me offlist? You're geolocating some of $DAYJOB's IP space to the Netherlands, and I'm not sure how to fix it. Sadly, very few of my $DAYJOB's customers in Seattle are fluent in Dutch. (If there's an obvious form somewhere to fix this, and I missed it, then I apologize for the useless post!) Nathan http://www.google.com/support/websearch/bin/answer.py?hl=en&answer=873
Re: Regional AS model
On 25Mar2011, at 09.17, Michael Hallgren wrote: On Thursday, March 24, 2011 at 14:26 -0700, Bill Woodcock wrote: On Mar 24, 2011, at 1:47 PM, Patrick W. Gilmore wrote: On Mar 24, 2011, at 3:40 PM, Owen DeLong wrote: On Mar 24, 2011, at 12:42 PM, Zaid Ali z...@zaidali.com wrote: I have seen age old discussions on single AS vs multiple AS for backbone and datacenter design. I am particularly interested in operational challenges for running AS per region e.g. one AS for US, one EU etc or I have heard folks do one AS per DC. I particularly don't see any advantage in doing one AS per region or datacenter since most of the reasons I hear is to reduce the iBGP mesh. I generally prefer one AS and making use of confederation. If you have good backbone between the locations, then, it's mostly a matter of personal preference. If you have discrete autonomous sites that are not connected by internal circuits (not VPNs), then, AS per site is greatly preferable. We disagree. Single AS worldwide is fine with or without a backbone. Which is preferable is up to you, your situation, and your personal tastes. We're with Patrick on this one. We operate a single AS across seventy-some-odd locations in dozens of countries, with very little of what an eyeball operator would call backbone between them, and we've never seen any potential benefit from splitting them. I think the management headache alone would be sufficient to make it unattractive to us. Experience with a major backbone in the early 2000's that spanned 50 core sites and 4 continents - single AS is not really a problem. We chose IS-IS with wide metrics as the IGP, and one-layer of route-reflection for the bgp mesh control. The only reason I could possibly see doing multi-AS in a general case is if your route policies are different in different regions (i.e. in one region a peer AS is a 'peer' and in another region the same AS is a 'transit' or 'upstream'). You CAN do it with a single AS, but it's more painful... -Bill Right. 
I think that a single AS is most often quite fine. I think our problem space is rather about how you organise the routing in your AS. Flat, route-reflection, confederations? How much policing between regions do you feel that you need? In some scenarios, I think confederations may be a pretty sound replacement of the multiple-AS approach. Policing iBGP sessions in a route-reflector topology? Limits? Thoughts? Cheers, mh --- 李柯睿 Check my PGP key here: https://www.asgaard.org/~cdl/cdl.asc
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
On Mar 24, 2011, at 9:13 PM, Benson Schliesser wrote: At your suggestion, I went to the IGP blog and read the last comment. I see there is a response by Ernie Rubi to your blog comment, which captures my question so well that (with apologies to Mr Rubi) I'll quote him: Mr. Rubi is likely already aware from his legal studies that it is imprudent to argue cases in public in advance of filing. /John John Curran President and CEO ARIN
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
On Thu, Mar 24, 2011 at 08:13:46PM -0500, Benson Schliesser wrote: [snip] It's obvious that ARIN, as well as other whois database providers, should pay attention to the proceedings. But under what premise might ARIN act as a party to this lawsuit? The proper question might be that if neither NNI nor MS nor the middlemen believed ARIN to be a relevant party, why would they have bothered sending notification to them? Perhaps it has something to do with one of the many points their 5% fee being hinged upon the Internet Assets are successfully registered in the name of that buyer, along with the successful registration of related address routes. I presume fulfilling the first part is why Addrex/Denuo are trying to pitch Depository as something more than just another IRR node (the second part), and notifying ARIN was just hedging their bets. But looping ARIN in could be interpreted as inviting them in... Cheers, Joe -- RSUC / GweepNet / Spunk / FnB / Usenix / SAGE
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
What is needed is for the networks in the transit-free club to decide they will not honor any gray market route advertisements resulting from extra-normal transfers of this nature, whether the announcement is from a peer or a customer. As we are all aware, no real dent was ever made in routing table growth except by Sprint deciding what it was willing to accept. The up-side to a huge, unchecked gray market benefits bad guys, such as spammers, much more than it does ordinary operators and end-users, on this I think we can all agree. The recent thread on DFZ growth also demonstrates clearly that uncertainty as to whether or not such an unchecked gray market will be allowed to exist, or even thrive, is driving most of us to strike routers with 500k FIB from our list (many of us have been doing so for years.) This means that the uncertainty has already created cost for operators and thus end-users. The sooner the big players get together on this and decide not to allow such a gray market, the better off we will be. Since some of these big players have huge legacy address pools already, there is little disadvantage to those networks refusing to honor gray market announcements from their customers, and probably no disadvantage to accepting them from peers, as long as they are not the sole actor. I anxiously await an xtra-normal announcement forbidding extra-normal routes. -- Jeff S Wheeler j...@inconcepts.biz Sr Network Operator / Innovative Network Concepts
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
On Thu, Mar 24, 2011 at 10:07 PM, Matthew Kaufman matt...@matthew.at wrote: On 3/24/2011 7:59 PM, Jimmy Hess wrote: Because that's what IP addresses are. Totally worthless unless community participants voluntarily route traffic for those IPs to the assignee. Would you de-peer with Microsoft (or turn down a transit contract from them) just because they wanted to announce some Nortel address space? Microsoft would likely be able to find someone who would not turn them down for transit. Would ARIN really erase the Nortel entry and move these addresses to the free pool if Microsoft doesn't play along with one of the transfer policies? Unknown. I would expect ARIN to erase entries, if the situation exists where RIR policy requires that, or to refrain from effecting the transfer in the DB, unless that transfer requested is valid under policy and the request is made correctly with all normal requirements met. Would you announce addresses someone had just obtained from ARIN that were already being announced by Microsoft? Most certainly, some networks would, if assigned space in that block, probably without noticing Microsoft's announcement. -- -JH
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
On Mar 24, 2011, at 11:15 PM, Jimmy Hess wrote: On Thu, Mar 24, 2011 at 10:07 PM, Matthew Kaufman matt...@matthew.at wrote: On 3/24/2011 7:59 PM, Jimmy Hess wrote: Because that's what IP addresses are. Totally worthless unless community participants voluntarily route traffic for those IPs to the assignee. Would you de-peer with Microsoft (or turn down a transit contract from them) just because they wanted to announce some Nortel address space? Microsoft would likely be able to find someone who would not turn them down for transit. Would ARIN really erase the Nortel entry and move these addresses to the free pool if Microsoft doesn't play along with one of the transfer policies? Unknown. I would expect ARIN to erase entries, if the situation exists where RIR policy requires that, or to refrain from effecting the transfer in the DB, unless that transfer requested is valid under policy and the request is made correctly with all normal requirements met. Would you announce addresses someone had just obtained from ARIN that were already being announced by Microsoft? Most certainly, some networks would, if assigned space in that block, probably without noticing Microsoft's announcement. Is that the right question? I am sure some networks would also continue to use Microsoft's announcements in this scenario. So, it would be a mess. So, I think that the right question is something more like: If ARIN reassigned the space, and Microsoft continued to announce it anyway, would either announcing entity have enough of a critical mass that the conflict wouldn't matter to it? I would submit that any address assignments with continual major operational issues arising from assignment conflicts would not be very attractive. I also don't think that that would be good for the Internet. Regards Marshall -- -JH
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
Bankruptcy courts have done this with phone numbers, read my paper - the 'phone number as assets' in bankruptcy cases are cited in there. Just saying Sent from my iPhone On Mar 24, 2011, at 10:59 PM, Jimmy Hess mysi...@gmail.com wrote: On Thu, Mar 24, 2011 at 8:24 PM, John Curran jcur...@arin.net wrote: On Mar 24, 2011, at 9:13 PM, Benson Schliesser wrote: At your suggestion, I went to the IGP blog and read the last comment. I see there is a response by Ernie Rubi to your blog comment, which captures my question so well that (with apologies to Mr Rubi) I'll quote him: Mr. Rubi is likely already aware from his legal studies that it is imprudent to argue cases in public in advance of filing. /John So I wonder rhetorically speaking.. what happens when a bankruptcy court accidentally sells something that doesn't actually exist, something that is 'fictional', or dead... like an appliance warranty without the appliance, or something that consisted of third parties voluntarily doing something for the original holder, without any promise to continue under mistaken belief the third parties had guaranteed something that could be assigned to a successor? Because that's what IP addresses are. Totally worthless unless community participants voluntarily route traffic for those IPs to the assignee. E.g. Suppose I gave my neighbors a 100% discount on widgets for their use, just because they were neighbors, it was the community thing to do or something (legacy IP addresses with no agreement, no fees, contracts, etc). One of them declared bankruptcy, came to the court, and listed as one of their assets 100% widget discounts, and went to sell it to some major retailer, who wants to get a massive number of widgets to resell for profit (my name not mentioned, just as ARIN's name not mentioned)... is there really anything the buyer actually obtains? 
I mean, it sounds like someone threw 7.5 million into a furnace, unless they are going specified transfer Perhaps they come to ARIN eventually, but ARIN should enforce their policies. Meaning if MS has an RSA in force, all their resources should be compliant with ARIN policies, and all transfer policies should be followed with regards to justified need. I have little doubt that MS will properly construct/justify the need if they are obtaining resources. It's probably an easier/cheaper task for them to justify legitimately under RIR policies than trying to find some method of fighting with the community and risking an outcome that could be unfavorable and sully their own reputation in ways that might be hard to predict. Who knows, they have plenty of resources already and might plan a renumber and return; I would not assume the worst -- -JH
Re: Peering Traffic Volume
On 3/24/2011 10:34 PM, Patrick W. Gilmore wrote: On Mar 24, 2011, at 7:27 PM, Ravi Ramaswamy wrote: Tier 1 ISP is a nebulous term. Indeed it is. See http://en.wikipedia.org/wiki/Peering and http://en.wikipedia.org/wiki/Tier_1_network for more information. I'm guessing you are using Tier 1 to refer to $LARGE_TELCOS (ATT/VZ/L3) and I'm guessing their sustained daily traffic volume is well over 10tb. The top few networks in the world (not all of them are tier 1 ISPs - and one is not even a network :) Facebook and google probably push that much traffic daily. I used to work for a company that did 100Gbps sustained on a daily basis. are much larger. The smaller tier 1s are probably that size or less. I agree.
Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
On Mar 24, 2011, at 9:59 PM, Jimmy Hess wrote: So I wonder rhetorically speaking.. what happens when a bankruptcy court accidentally sells something that doesn't actually exist, ... Because that's what IP addresses are. Totally worthless unless community participants voluntarily route traffic for those IPs to the assignee. There are a small number of examples, of intellectual property that exists solely by convention and yet has value. But you're correct: the property structure of IP addresses is ambiguous. We never had to define it because we had free supply, but times are changing. Meaning if MS has an RSA in force, all their resources should be compliant with ARIN policies, and all transfer policies should be followed with regards to justified need. If I recall correctly, the ARIN RSA only applies to resources acquired from ARIN. It's a contract for ARIN services and doesn't cover legacy blocks, blocks from other RIRs, etc - it doesn't automatically extend ARIN's authority. On Mar 24, 2011, at 10:34 PM, Marshall Eubanks wrote: If ARIN reassigned the space, and Microsoft continued to announce it anyway, would either announcing entity have enough of a critical mass that the conflict wouldn't matter to it? I would submit that any address assignments with continual major operational issues arising from assignment conflicts would not be very attractive. I also don't think that that would be good for the Internet. I agree. Which is why ARIN should keep their Whois updated with accurate data, rather than fighting for control of resources beyond RSA scope. Cheers, -Benson