Re: GMAIL?

2013-04-19 Thread Robert Yoder

On 4/17/13 6:28 AM, Caio Alves wrote:

Someone has access problems in GMAIL? Here in Brazil, many complaints about
the service.



Google made a change so that the user account name must be just 
MAILBOX, and not MAILBOX@gmail.com.


Deleting the domain name fixed my account this morning.


ry
--



Re: What do people use public suffix for?

2013-04-19 Thread Bjørn Mork
Jay Ashworth j...@baylink.com writes:

 - Original Message -
 From: John Levine jo...@iecc.com

 The public suffix list contains points in the DNS where (roughly
 speaking) names below that point are under different management from
 each other and from that name. It's here: http://publicsuffix.org/
 
 The idea is that abc.foo.com and xyz.foo.com have the same management,
 but abc.co.uk and xyz.co.uk do not.
 
 You don't have to tell me that it's a gross crock, but it seems to
 be a useful one. What do people use it for? Here's what I know of:
 
 * Web browsers use it to manage cookies to keep a site from putting
 cookies that will affect other sites, e.g. abc.foo.co.uk can set a
 cookie for foo.co.uk but not for co.uk.
 
 * DMARC (www.dmarc.org) uses it to find a policy record in the DNS
 that describes a subtree, e.g., if you get mail that purports to be
 from e...@reply1.ebay.com it checks the policy at ebay.com.
 
 What other current applications are there?

 Seems to me that it's a crock because *it should be in the DNS*.

It is already, isn't it?  The NS and SOA records will tell you all there
is to know about zone splits and cross zone relations.

 I should be able to retrieve the AS (administrative split) record 
 for .co.uk, and there should be one that says, yup, there's an
 administrative split below me; nothing under there is mine unless 
 you also get an exception record for a subdomain.

Use the SOA record.  If it is identical for two zones, then the
administrative authority for those zones is the same.

For example, microsoft.co.uk and microsoft.com can be considered
under the same administration:

 bjorn@nemi:~$ dig +short soa microsoft.co.uk 
 ns1.msft.net. msnhst.microsoft.com. 2013032601 1800 900 2419200 3600
 bjorn@nemi:~$ dig +short soa microsoft.com
 ns1.msft.net. msnhst.microsoft.com. 2013041803 300 600 2419200 3600

While apple.co.uk and apple.com may be, depending on how strict you
are going to be when comparing:

 bjorn@nemi:~$ dig +short soa apple.co.uk 
 nserver.euro.apple.com. hostmaster.apple.com. 10 1800 900 2592000 1800
 bjorn@nemi:~$ dig +short soa apple.com
 gridmaster-ib.apple.com. hostmaster.apple.com. 2010086586 1800 900 2016000 86500


etc.


Bjørn



Weekly Routing Table Report

2013-04-19 Thread Routing Analysis Role Account
This is an automated weekly mailing describing the state of the Internet
Routing Table as seen from APNIC's router in Japan.

The posting is sent to APOPS, NANOG, AfNOG, AusNOG, SANOG, PacNOG, LacNOG,
TRNOG, CaribNOG and the RIPE Routing Working Group.

Daily listings are sent to bgp-st...@lists.apnic.net

For historical data, please see http://thyme.rand.apnic.net.

If you have any comments please contact Philip Smith pfsi...@gmail.com.

Routing Table Report   04:00 +10GMT Sat 20 Apr, 2013

Report Website: http://thyme.rand.apnic.net
Detailed Analysis:  http://thyme.rand.apnic.net/current/

Analysis Summary


BGP routing table entries examined:  450189
Prefixes after maximum aggregation:  184599
Deaggregation factor:  2.44
Unique aggregates announced to Internet:  222556
Total ASes present in the Internet Routing Table:  43876
Prefixes per ASN:  10.26
Origin-only ASes present in the Internet Routing Table:  34506
Origin ASes announcing only one prefix:  16073
Transit ASes present in the Internet Routing Table:  5787
Transit-only ASes present in the Internet Routing Table:  142
Average AS path length visible in the Internet Routing Table:  4.6
Max AS path length visible:  29
Max AS path prepend of ASN (19037):  22
Prefixes from unregistered ASNs in the Routing Table:  358
Unregistered ASNs in the Routing Table:  132
Number of 32-bit ASNs allocated by the RIRs:  4729
Number of 32-bit ASNs visible in the Routing Table:  3583
Prefixes from 32-bit ASNs in the Routing Table:  10155
Special use prefixes present in the Routing Table:  22
Prefixes being announced from unallocated address space:  220
Number of addresses announced to Internet:  2613629004
Equivalent to 155 /8s, 200 /16s and 208 /24s
Percentage of available address space announced:  70.6
Percentage of allocated address space announced:  70.6
Percentage of available address space allocated:  100.0
Percentage of address space in use by end-sites:  94.4
Total number of prefixes smaller than registry allocations:  158679

APNIC Region Analysis Summary

Prefixes being announced by APNIC Region ASes:  108086
Total APNIC prefixes after maximum aggregation:  33445
APNIC Deaggregation factor:  3.23
Prefixes being announced from the APNIC address blocks:  109312
Unique aggregates announced from the APNIC address blocks:  44563
APNIC Region origin ASes present in the Internet Routing Table:  4821
APNIC Prefixes per ASN:  22.67
APNIC Region origin ASes announcing only one prefix:  1215
APNIC Region transit ASes present in the Internet Routing Table:  818
Average APNIC Region AS path length visible:  4.8
Max APNIC Region AS path length visible:  22
Number of APNIC region 32-bit ASNs visible in the Routing Table:  500
Number of APNIC addresses announced to Internet:  720782272
Equivalent to 42 /8s, 246 /16s and 67 /24s
Percentage of available APNIC address space announced:  84.2

APNIC AS Blocks        4608-4864, 7467-7722, 9216-10239, 17408-18431
(pre-ERX allocations)  23552-24575, 37888-38911, 45056-46079, 55296-56319,
                       58368-59391, 131072-133119
APNIC Address Blocks     1/8,  14/8,  27/8,  36/8,  39/8,  42/8,  43/8,
                        49/8,  58/8,  59/8,  60/8,  61/8, 101/8, 103/8,
                       106/8, 110/8, 111/8, 112/8, 113/8, 114/8, 115/8,
                       116/8, 117/8, 118/8, 119/8, 120/8, 121/8, 122/8,
                       123/8, 124/8, 125/8, 126/8, 133/8, 150/8, 153/8,
                       163/8, 171/8, 175/8, 180/8, 182/8, 183/8, 202/8,
                       203/8, 210/8, 211/8, 218/8, 219/8, 220/8, 221/8,
                       222/8, 223/8,

ARIN Region Analysis Summary


Prefixes being announced by ARIN Region ASes:  158276
Total ARIN prefixes after maximum aggregation:  79767
ARIN Deaggregation factor:  1.98
Prefixes being announced from the ARIN address blocks:  158919
Unique aggregates announced from the ARIN address blocks:  72644
ARIN Region origin ASes present in the Internet Routing Table:  15649
ARIN Prefixes per ASN:  10.16
ARIN Region origin 

Re: What do people use public suffix for?

2013-04-19 Thread Joe Abley

On 2013-04-19, at 14:17, Bjørn Mork bj...@mork.no wrote:

 It is already, isn't it?  The NS and SOA records will tell you all there
 is to know about zone splits and cross zone relations.

Not really.

In general, just because a zone is served by the same nameservers as another 
zone doesn't mean that they are administratively equivalent (e.g. for cookie 
hygiene purposes).

Just because two zones are served on different nameservers doesn't mean they 
are administratively separate. Lots of administratively-separate domains share 
the same nameservers.

Drawing related conclusions from similarity of SOA RDATA between zones, or the 
number of zone cuts between a particular zone and the root, or the number of 
labels in a domain name is similarly flawed.

If the rule was just the nameservers need to be the same and the SOA RDATA 
needs to be the same, for some well-documented meaning of 'same' then gaming 
that rule (e.g. for purposes of cookie injection) as a miscreant is 
unpleasantly straightforward.


Joe




Re: What do people use public suffix for?

2013-04-19 Thread Tony Finch
Joe Abley jab...@hopcount.ca wrote:

 If the rule was just the nameservers need to be the same and the SOA
 RDATA needs to be the same, for some well-documented meaning of 'same'
 then gaming that rule (e.g. for purposes of cookie injection) as a
 miscreant is unpleasantly straightforward.

To reinforce Joe's point, there doesn't even need to be a zone cut for
there to be an administrative cut. There are various ISPs and dynamic DNS
providers that put all their users in the same zone, and the common suffix
of a zone like this should be treated as public suffix even though there
is no zone cut.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
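
Added example, not written by anyone in this thread: a minimal Python matcher for Public Suffix List style rules, applied to the cookie and DMARC uses John Levine lists and to the shared-zone provider case Tony Finch describes. The rule subset is constructed for illustration, and `dyn.example` is a hypothetical dynamic DNS provider.

```python
# Constructed subset of Public Suffix List style rules (not the real list).
# "dyn.example" is a made-up dynamic DNS provider that keeps every customer
# name in one zone, so no zone cut marks the administrative boundary.
SAMPLE_RULES = """
com
uk
co.uk
*.ck
!www.ck
dyn.example
"""

def load_rules(text):
    """Split rule lines into exact, wildcard ('*.x') and exception ('!x') sets."""
    exact, wildcard, exception = set(), set(), set()
    for line in text.splitlines():
        rule = line.strip().lower()
        if not rule or rule.startswith("//"):
            continue
        if rule.startswith("!"):
            exception.add(rule[1:])
        elif rule.startswith("*."):
            wildcard.add(rule[2:])
        else:
            exact.add(rule)
    return exact, wildcard, exception

def public_suffix(host, rules):
    """Return the public suffix of host under the given rules."""
    exact, wildcard, exception = rules
    labels = host.lower().rstrip(".").split(".")
    tails = [".".join(labels[i:]) for i in range(len(labels))]  # longest first
    # An exception rule beats any other match; the suffix is the rule
    # with its leftmost label removed.
    for tail in tails:
        if tail in exception:
            return tail.split(".", 1)[1]
    # Otherwise the longest matching exact or wildcard rule wins.
    for i, tail in enumerate(tails):
        parent = tails[i + 1] if i + 1 < len(tails) else None
        if tail in exact or (parent is not None and parent in wildcard):
            return tail
    return labels[-1]  # implicit default rule "*": the last label

def registrable_domain(host, rules):
    """Public suffix plus one label (the DMARC lookup point), or None if
    host is itself a public suffix."""
    host = host.lower().rstrip(".")
    suffix = public_suffix(host, rules)
    if host == suffix:
        return None
    extra = host[: -len(suffix) - 1].split(".")[-1]
    return extra + "." + suffix

def cookie_domain_allowed(host, cookie_domain, rules):
    """May host set a cookie scoped to cookie_domain? Simplified check:
    the domain must be the host or one of its parents, and not a public suffix."""
    host = host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    if host != domain and not host.endswith("." + domain):
        return False
    return public_suffix(domain, rules) != domain

if __name__ == "__main__":
    rules = load_rules(SAMPLE_RULES)
    # Same rules without the provider entry: only the default rule applies.
    no_private = load_rules(SAMPLE_RULES.replace("dyn.example", ""))
    print(registrable_domain("reply1.ebay.com", rules))
    print(cookie_domain_allowed("abc.foo.co.uk", "co.uk", rules))
    print(cookie_domain_allowed("alice.dyn.example", "dyn.example", rules))
    print(cookie_domain_allowed("alice.dyn.example", "dyn.example", no_private))
```

With the provider entry removed, a customer host can scope a cookie to the shared parent name, which is the case the list entry exists to prevent.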



Re: What do people use public suffix for?

2013-04-19 Thread Dave Crocker



On 4/19/2013 12:57 PM, Tony Finch wrote:

To reinforce Joe's point, there doesn't even need to be a zone cut for
there to be an administrative cut. There are various ISPs and dynamic DNS
providers that put all their users in the same zone, and the common suffix
of a zone like this should be treated as public suffix even though there
is no zone cut.



Zones are nice constructs for partitioning operational management of DNS 
data, but I believe they were not intended to impart semantics about 
organizational boundaries.


The fact that they often correlate moderately well makes it easy to miss 
the facts that a) that's not their job, and b) the correlation isn't 
perfect.  And the imperfections matter.


That is why there is the current interest in developing a cheap, 
accurate method that /is/ intended to define organizational boundaries.


d/
--
 Dave Crocker
 Brandenburg InternetWorking
 bbiw.net



The Cidr Report

2013-04-19 Thread cidr-report
This report has been generated at Fri Apr 19 21:13:18 2013 AEST.
The report analyses the BGP Routing Table of AS2.0 router
and generates a report on aggregation potential within the table.

Check http://www.cidr-report.org for a current version of this report.

Recent Table History
Date      Prefixes  CIDR Agg
12-04-13  452468    259891
13-04-13  452722    260158
14-04-13  452855    259735
15-04-13  452981    259914
16-04-13  453089    260043
17-04-13  452364    260094
18-04-13  452245    260759
19-04-13  452740    260944


AS Summary
 44002  Number of ASes in routing system
 18232  Number of ASes announcing only one prefix
  3037  Largest number of prefixes announced by an AS
AS6389 : BELLSOUTH-NET-BLK - BellSouth.net Inc.
  116992736  Largest address span announced by an AS (/32s)
AS4134 : CHINANET-BACKBONE No.31,Jin-rong Street


Aggregation Summary
The algorithm used in this report proposes aggregation only
when there is a precise match using the AS path, so as 
to preserve traffic transit policies. Aggregation is also
proposed across non-advertised address space ('holes').

 --- 19Apr13 ---
ASnum    NetsNow  NetsAggr  NetGain  % Gain  Description

Table     452863    260867   191996   42.4%  All ASes

AS6389      3037        91     2946   97.0%  BELLSOUTH-NET-BLK - BellSouth.net Inc.
AS4766      2952       938     2014   68.2%  KIXS-AS-KR Korea Telecom
AS17974     2514       570     1944   77.3%  TELKOMNET-AS2-AP PT Telekomunikasi Indonesia
AS28573     2629       787     1842   70.1%  NET Serviços de Comunicação S.A.
AS22773     1984       197     1787   90.1%  ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc.
AS18566     2067       473     1594   77.1%  COVAD - Covad Communications Co.
AS2118      1430        49     1381   96.6%  RELCOM-AS OOO NPO Relcom
AS7303      1676       449     1227   73.2%  Telecom Argentina S.A.
AS4323      1612       402     1210   75.1%  TWTC - tw telecom holdings, inc.
AS10620     2374      1252     1122   47.3%  Telmex Colombia S.A.
AS4755      1738       643     1095   63.0%  TATACOMM-AS TATA Communications formerly VSNL is Leading ISP
AS7552      1170       198      972   83.1%  VIETEL-AS-AP Vietel Corporation
AS7029      2173      1240      933   42.9%  WINDSTREAM - Windstream Communications Inc
AS18881      859        21      838   97.6%  Global Village Telecom
AS18101     1001       179      822   82.1%  RELIANCE-COMMUNICATIONS-IN Reliance Communications Ltd.DAKC MUMBAI
AS36998     1137       382      755   66.4%  SDN-MOBITEL
AS1785      1974      1226      748   37.9%  AS-PAETEC-NET - PaeTec Communications, Inc.
AS4808      1107       367      740   66.8%  CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
AS13977      839       130      709   84.5%  CTELCO - FAIRPOINT COMMUNICATIONS, INC.
AS855        737        54      683   92.7%  CANET-ASN-4 - Bell Aliant Regional Communications, Inc.
AS6983      1134       482      652   57.5%  ITCDELTA - ITC^Deltacom
AS8151      1243       607      636   51.2%  Uninet S.A. de C.V.
AS22561     1085       454      631   58.2%  DIGITAL-TELEPORT - Digital Teleport Inc.
AS17676      730       108      622   85.2%  GIGAINFRA Softbank BB Corp.
AS24560     1067       447      620   58.1%  AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
AS3549      1055       446      609   57.7%  GBLX Global Crossing Ltd.
AS34744      656        51      605   92.2%  GVM S.C. GVM SISTEM 2003 S.R.L.
AS3356      1090       494      596   54.7%  LEVEL3 Level 3 Communications
AS17908      793       197      596   75.2%  TCISL Tata Communications
AS19262      999       403      596   59.7%  VZGNI-TRANSIT - Verizon Online LLC

Total      44862     13337    31525   70.3%  Top 30 total


Possible Bogus Routes


BGP Update Report

2013-04-19 Thread cidr-report
BGP Update Report
Interval: 11-Apr-13 -to- 18-Apr-13 (7 days)
Observation Point: BGP Peering with AS131072

TOP 20 Unstable Origin AS
Rank  ASN       Upds      %  Upds/Pfx  AS-Name
 1 -  AS47331  72724   3.2%      35.3 -- TTNET TTNet A.S.
 2 -  AS58113  67954   3.0%     102.0 -- LIR-AS LIR DATACENTER TELECOM SRL
 3 -  AS9829   61658   2.8%      74.6 -- BSNL-NIB National Internet Backbone
 4 -  AS8402   39683   1.8%      35.6 -- CORBINA-AS OJSC Vimpelcom
 5 -  AS3909   25132   1.1%    6283.0 -- QWEST-AS-3908 - Qwest Communications Company, LLC
 6 -  AS2708   18314   0.8%     231.8 -- Universidad de Guanajuato
 7 -  AS36998  16814   0.8%      24.2 -- SDN-MOBITEL
 8 -  AS24863  15868   0.7%      27.5 -- LINKdotNET-AS
 9 -  AS28573  15560   0.7%      10.3 -- NET Serviços de Comunicação S.A.
10 -  AS34984  15326   0.7%      21.1 -- TELLCOM-AS TELLCOM ILETISIM HIZMETLERI A.S.
11 -  AS33776  14457   0.7%     116.6 -- STARCOMMS-ASN
12 -  AS21947  13698   0.6%    1956.9 -- TRANSARIA - TransAria, Inc.
13 -  AS17974  13486   0.6%      10.8 -- TELKOMNET-AS2-AP PT Telekomunikasi Indonesia
14 -  AS6713   13478   0.6%      25.3 -- IAM-AS
15 -  AS8551   13196   0.6%      17.0 -- BEZEQ-INTERNATIONAL-AS Bezeqint Internet Backbone
16 -  AS4538   12952   0.6%      27.6 -- ERX-CERNET-BKB China Education and Research Network Center
17 -  AS27738  12662   0.6%      22.3 -- Ecuadortelecom S.A.
18 -  AS2118   12473   0.6%       8.8 -- RELCOM-AS OOO NPO Relcom
19 -  AS29049  11133   0.5%      32.9 -- DELTA-TELECOM-AS Delta Telecom LTD.
20 -  AS22561  10874   0.5%      57.5 -- DIGITAL-TELEPORT - Digital Teleport Inc.


TOP 20 Unstable Origin AS (Updates per announced prefix)
Rank  ASN       Upds      %  Upds/Pfx  AS-Name
 1 -  AS6629    7384   0.3%    7384.0 -- NOAA-AS - NOAA
 2 -  AS10987   6953   0.3%    6953.0 -- PLUMCREEK-AS - Plum Creek Marketing, Inc.
 3 -  AS33521   6660   0.3%    6660.0 -- MSLA-SCHOOLS - Missoula County Public Schools
 4 -  AS3909   25132   1.1%    6283.0 -- QWEST-AS-3908 - Qwest Communications Company, LLC
 5 -  AS19406   4161   0.2%    4161.0 -- TWRS-MA - Towerstream I, Inc.
 6 -  AS53168   4066   0.2%    4066.0 -- CIA ESTADUAL DE GERAÇÃO E TRANSMISSÃO DE ENERGIA E
 7 -  AS6174    5682   0.2%    2841.0 -- SPRINTLINK8 - Sprint
 8 -  AS14680   6894   0.3%    2298.0 -- REALE-6 - Auction.com
 9 -  AS21947  13698   0.6%    1956.9 -- TRANSARIA - TransAria, Inc.
10 -  AS48612   8605   0.4%    1229.3 -- RTC-ORENBURG-AS CJSC Comstar-Regions
11 -  AS37367   2377   0.1%    1188.5 -- CALLKEY
12 -  AS5074    2376   0.1%    1188.0 -- ASN-ATTELS - ATT BMGS
13 -  AS9950    3468   0.2%    1156.0 -- PUBNETPLUS2-AS-KR DACOM
14 -  AS4467    1122   0.1%    1122.0 -- EASYLINK3 - ATT Services, Inc.
15 -  AS42860   1021   0.1%    1021.0 -- EFT Energy Financing Team (Switzerland) AG
16 -  AS55062    991   0.0%     991.0 -- GSC-MINNEAPOLISMN - Gannett Supply Corp. - Minneapolis, MN
17 -  AS22216   7505   0.3%     750.5 -- SIEMENS-PLM - Siemens Corporation
18 -  AS23295    750   0.0%     750.0 -- EA-01 - Extend America
19 -  AS17293   2933   0.1%     733.2 -- VTXC - VTX Communications
20 -  AS17783    961   0.0%     480.5 -- SRILRPG-AS SRIL RPG Autonomous System


TOP 20 Unstable Prefixes
Rank  Prefix             Upds     %  Origin AS -- AS Name
 1 -  209.142.140.0/24   9691  0.4%  AS22561 -- DIGITAL-TELEPORT - Digital Teleport Inc.
 2 -  92.246.207.0/24    8589  0.4%  AS48612 -- RTC-ORENBURG-AS CJSC Comstar-Regions
 3 -  193.19.90.0/23     8448  0.3%  AS25233 -- AWALNET-ASN Arab Company For Internet  Communications Services (AwalNet)LLC
                                     AS29684 -- NOURNET-ASN Nour Communication Co.Ltd - Nournet
 4 -  151.118.18.0/24    7549  0.3%  AS3909  -- QWEST-AS-3908 - Qwest Communications Company, LLC
 5 -  151.118.255.0/24   7520  0.3%  AS3909  -- QWEST-AS-3908 - Qwest Communications Company, LLC
 6 -  151.118.254.0/24   7520  0.3%  AS3909  -- QWEST-AS-3908 - Qwest Communications Company, LLC
 7 -  192.58.232.0/24    7384  0.3%  AS6629  -- NOAA-AS - NOAA
 8 -  209.200.208.0/24   6987  0.3%  AS21947 -- TRANSARIA - TransAria, Inc.
 9 -  199.0.244.0/22     6953  0.3%  AS10987 -- PLUMCREEK-AS - Plum Creek Marketing, Inc.
10 -  69.165.112.0/20    6676  0.3%  AS21947 -- TRANSARIA - TransAria, Inc.
11 -  64.25.130.0/24     6660  0.3%  AS33521 -- MSLA-SCHOOLS - Missoula County Public Schools
12 -  12.139.133.0/24    5612  0.2%  AS14680 -- REALE-6 - Auction.com
13 -  202.41.70.0/24     5004  0.2%  AS2697  -- ERX-ERNET-AS Education and Research Network
14 -  194.63.9.0/24      4682  0.2%  AS1273  -- CW Cable and Wireless Worldwide plc
15 -  69.38.178.0/24     4161  0.2%  AS19406 -- TWRS-MA - 

Re: What do people use public suffix for?

2013-04-19 Thread Jimmy Hess
On 4/19/13, Dave Crocker d...@dcrocker.net wrote:
 On 4/19/2013 12:57 PM, Tony Finch wrote:
 To reinforce Joe's point, there doesn't even need to be a zone cut for
 there to be an administrative cut. There are various ISPs and dynamic DNS
 providers that put all their users in the same zone, and the common
[snip]

In this case, there really is no administrative cut though... the
provider administers the DNS record.

 The fact that they often correlate moderately well makes it easy to miss
 the facts that a) that's not their job, and b) the correlation isn't
 perfect.  And the imperfections matter.

 That is why there is the current interest in developing a cheap,
 accurate method that /is/ intended to define organizational boundaries.


It seems this is more about providing a security function to DNS, to
inform the public, about where the responsible parties change.

The right place for this, is clearly the  DNSSEC extensions

If  the DS record identifies a different signer, then you have an
administrative split,
or if the e-mail address field in the SOA fields of the parent zone
are different, then you have an administrative split, OR if one of the
two zones has  RP (responsible party records),  and the list of RP
records are different for the two zones, then you have an
administrative split.


If the DS record identifies the same signer, AND the e-mail
address in the SOA records is the same; or the list of e-mail
addresses in the two zones' RP records are identical,
then you don't have an administrative split.


--
-JH



Re: What do people use public suffix for?

2013-04-19 Thread John Levine
If  the DS record identifies a different signer, then you have an
administrative split,
or if the e-mail address field in the SOA fields of the parent zone
are different, then you have an administrative split, OR if one of the
two zones has  RP (responsible party records),  and the list of RP
records are different for the two zones, then you have an
administrative split.

Sigh.  See messages from about an hour ago about why zone cuts aren't
the same as management boundaries.  Sprinkling DNSSEC pixie dust on the
zone cuts doesn't change that.




Re: What do people use public suffix for?

2013-04-19 Thread Dave Crocker


On 4/19/2013 4:33 PM, Jimmy Hess wrote:

It seems this is more about providing a security function to DNS, to
inform the public, about where the responsible parties change.



Absent a view that somehow says all metadata is a security function, I 
don't see how the marking of administrative boundaries qualifies as a 
security function.


It's easy to imagine security functions that are 'in support of' the 
enforcement of the boundaries, but that's quite different from having an 
annotation mechanism to assert the boundaries.


Let's be careful not to overload functions here.

d/
--
 Dave Crocker
 Brandenburg InternetWorking
 bbiw.net



Re: What do people use public suffix for?

2013-04-19 Thread Jimmy Hess
On 4/19/13, Dave Crocker d...@dcrocker.net wrote:
 On 4/19/2013 4:33 PM, Jimmy Hess wrote:
[snip]
 Absent a view that somehow says all metadata is a security function, I
 don't see how the marking of administrative boundaries qualifies as a
 security function.

The security function comes in immediately, when you consider any
actual uses for said kind of metadata.

The issues are alleviated only by assuming that an administrative
division always exists, unless you can show otherwise,   and showing
that the records are in the same zone is one way of showing otherwise.


When you come to rely on it, there are new security issues.

It becomes such that;   It   is perfectly safe to assume that there is
an administrative division when there is not   (in the worst case, you
break some desired function, such as the sharing of cookies  across
subdomains within the same administrative boundary).

But if you assume no administrative division exists, when there is
supposed to be one -- you have some kind of access control permit
leakage or data leaking through permissions that are supposed to block
operations across the administrative boundaries.


Only a zone signed with DNSSEC can really be trusted not to be
tampered with;  therefore,  any declaration of an administrative
division cannot be proven, and should not be relied upon,  if   any
parent zone up the tree is not signed with delegation validated using
signed records.



 Let's be careful not to overload functions here.

The function becomes pretty useless,  if you cannot safely rely on it
in the real world.
Because tampering can occur through lack of integrity validation,

Or by a child domain claiming to not be administratively divided (when
actually, there is supposed to be an administrative division).


In those cases,  a static list is safer.



 d/
--
-JH



Re: What do people use public suffix for?

2013-04-19 Thread Dave Crocker
1. Explicitly marking an administrative boundary is not inherently a 
'security' function, although properly authorizing and protecting the 
marking no doubt would be.


2. Defining a marking mechanism that is built into a security mechanism 
that is designed for other purposes is overloading functionality, as 
well as setting up a problematic critical dependency.  That's not just 
asking for trouble, it's guaranteeing it.


3. Since you made reference to assumptions a couple of times: the goal 
here is an explicit marking mechanism.  No assumptions involved.


d/

On 4/19/2013 7:58 PM, Jimmy Hess wrote:

On 4/19/13, Dave Crocker d...@dcrocker.net wrote:

On 4/19/2013 4:33 PM, Jimmy Hess wrote:

[snip]

Absent a view that somehow says all metadata is a security function, I
don't see how the marking of administrative boundaries qualifies as a
security function.


The security function comes in immediately, when you consider any
actual uses for said kind of metadata.

The issues are alleviated only by assuming that an administrative
division always exists, unless you can show otherwise,   and showing
that the records are in the same zone is one way of showing otherwise.


When you come to rely on it, there are new security issues.

It becomes such that;   It   is perfectly safe to assume that there is
an administrative division when there is not


--
 Dave Crocker
 Brandenburg InternetWorking
 bbiw.net




Re: What do people use public suffix for?

2013-04-19 Thread Jimmy Hess
On 4/19/13, Dave Crocker d...@dcrocker.net wrote:

That is only theoretically possible, if every boundary keeper participates.
In reality, you  would wind up with some zones having explicit marking,
and most zones not having any marking at all,  just because the admin
didn't bother to pick up on the new idea  and implement it.

 3. Since you made reference to assumptions a couple of times: the goal
 here is an explicit marking mechanism.  No assumptions involved.

 d/

--
-JH