Re: national security
On Wednesday, Dec 3, 2003, at 04:12 Europe/Stockholm, Franck Martin wrote:

> ITU is worried like hell, because the Internet is a process that escapes the Telcos. The telcos in most of our world are in fact governments and governments/ITU are saying dealing with country names is a thing of national sovereignty. What they most of the time fail to see is that most registries are willing to hand it over to the governments provided they DO understand the issues, and not use DNS to empower telcos in more exclusive licencing power. ITU has also been misleading countries by making them think that DNS issues will be solved at ITU meetings. I have been telling countries that they must attend ICANN meetings and no other one. When this happens, US corporations will have less power over ICANN and things will be better.

I agree and realize this. However, let's take that argument out in the open and not hide it behind national security.

The countries I have worked with do have national disaster plans that can handle an IP network completely cut off from the rest of the world. But those plans are made together with the industry, as today you cannot have this type of planning without co-operation of the large, world-wide companies. Even if the governments own and control many of the telcos of the world, the operation of the sub-sea cables that transport the traffic is mostly run by organizations they have no control over.

Best regards,

kurtis
RE: Future IETF Meetings
There is also an excellent steak house just the other side of the street, that's even skyway accessible. And only ~$50 minimum per dinner ...
Re: Future IETF Meetings
With the current number of practicing IETF vegetarians, I had assumed this was a joke...

----- Original Message -----
From: Susan Harris
To: Michel Py
Sent: Wednesday, December 03, 2003 7:08 AM
Subject: RE: Future IETF Meetings

> There is also an excellent steak house just the other side of the street, that's even skyway accessible. And only ~$50 minimum per dinner ...
RE: arguments against NAT?
> I'm not arguing about that, it is delaying things indeed. However I wonder which kind of instant messaging you are referring to, as all the ones I've seen work fine through NAT.

Peer-to-peer CUSeeMe stopped working for me when I installed a NAT box at home. Now I can only do peer-to-peer CUSeeMe on a single computer, for which I've installed the appropriate port redirects in the NAT box. Sure, server-based CUSeeMe still works on all the computers, but peer-to-peer now only works on the one.

Any protocol where you have to receive an incoming connection on a fixed port, and want to do so on multiple machines, just doesn't work when a NAT is in place.

/jeff
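The mechanism behind Jeff's observation, as an added illustration written for this digest (it is not code from the thread, from CUSeeMe, or from any NAT vendor). The model is a toy: one public address, dynamic mappings for outbound flows, and administrator-configured static redirects for unsolicited inbound traffic. The addresses (203.0.113.0/24 documentation space, 192.168.1.0/24 inside) and the listening port are constructed, and the model assumes the most permissive (full-cone) behaviour for dynamic mappings; real NATs are often stricter.

```python
"""Toy NAT model: why a service that must accept inbound connections on one
fixed port can be reached on only one inside host. Constructed example."""


class Nat:
    """A port-translating NAT with a single public address."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.dynamic = {}     # public_port -> (inside_ip, inside_port), created by outbound flows
        self.redirects = {}   # public_port -> (inside_ip, inside_port), configured by the admin
        self.next_port = 40000

    def add_redirect(self, public_port, inside_ip, inside_port):
        """Static port redirect. A public port can point at exactly one inside host,
        which is why a second host wanting the same port cannot be served."""
        if public_port in self.redirects:
            raise ValueError(
                f"public port {public_port} already redirected to {self.redirects[public_port]}")
        self.redirects[public_port] = (inside_ip, inside_port)

    def outbound(self, inside_ip, inside_port):
        """An inside host opens a flow: allocate a fresh public port and remember it.
        Every inside host can do this, which is why server-mediated modes keep working."""
        public_port = self.next_port
        self.next_port += 1
        self.dynamic[public_port] = (inside_ip, inside_port)
        return self.public_ip, public_port

    def inbound(self, public_port):
        """Deliver an unsolicited packet for public_ip:public_port.
        Returns the inside (ip, port) it reaches, or None if the NAT drops it.
        Assumption of this model: a dynamic mapping accepts any sender (full-cone)."""
        return self.redirects.get(public_port) or self.dynamic.get(public_port)


def fixed_port_service_demo():
    """Two inside hosts each want to accept peer-to-peer calls on the same fixed port."""
    nat = Nat("203.0.113.5")      # constructed public address
    service_port = 7648           # constructed: the port the peer-to-peer application listens on
    nat.add_redirect(service_port, "192.168.1.10", service_port)
    reached = nat.inbound(service_port)          # the one host with the redirect
    try:
        nat.add_redirect(service_port, "192.168.1.11", service_port)
        second_host_ok = True
    except ValueError:
        second_host_ok = False                   # the second host cannot share the port
    # Outbound (server-based) mode works for both hosts: each gets its own mapping.
    _, p10 = nat.outbound("192.168.1.10", 5000)
    _, p11 = nat.outbound("192.168.1.11", 5000)
    return {
        "peer_to_peer_reachable": reached,
        "second_host_redirect": second_host_ok,
        "outbound_flows_distinct": p10 != p11,
    }


if __name__ == "__main__":
    print(fixed_port_service_demo())
```

Note that `inbound()` returning `None` for unmapped ports is the behaviour the later replies describe as a "feature": it is a side effect of address sharing, not a policy, and a firewall is the right tool when blocking inbound traffic is actually the intent.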
RE: arguments against NAT?
Armando,

>> Michel Py wrote:
>> I'm not arguing about that, it is delaying things indeed. However I wonder which kind of instant messaging you are referring to, as all the ones I've seen work fine through NAT.
>
> Armando L. Caro Jr. wrote:
> Yahoo and AOL (I have never used MSN). Sure, you can do normal chatting, but once you extend into the other features such as file transfer, voice, and webcam... things break.

In many enterprise environments, this would be a feature, not a bug. There are some webcams that are definitely inappropriate in a business setup; given the lack of good enterprise content-filtering solutions for IM, if NAT does break IM webcams I don't have a problem with it. As for file transfer, it does not bother me either, as like a lot of other network administrators I have a problem with users sharing their office computer files with anyone unknown on the net. For voice there's always that thing called the telephone, which has the advantage of working all the time with anybody and can be logged.

Michel.
Re: arguments against NAT?
On Wed, 03 Dec 2003 09:15:07 PST, Michel Py said:

> In many enterprise environments, this would be a feature not a bug. There are some webcams that are definitely inappropriate in a business setup; given the lack of good enterprise content filtering solutions for IM, if NAT does break IM webcams I don't have a problem with it.

That's backwards. That kind of webcam is often *not* behind a NAT at the source end, so can be contacted. What breaks is that *your* user can't have a videoconferencing solution that your business partners can contact. If your user is running that kind of webcam from their office, you have bigger management issues than a NAT. :)

> For voice there's always that thing called the telephone that has the advantage to work all the time with anybody and can be logged.

Ever notice that this works a *lot* better when each user has their own phone number, rather than one number that rings at the receptionist's desk and may or may not get transferred to the actual person? There's a lesson there.
Re: arguments against NAT?
Michel Py wrote:

>> Joe Touch wrote:
>> Since we've been lacking a similar non-NAT solution, we (ISI) built one called TetherNet, as posted earlier: http://www.isi.edu/tethernet
>
> What is this beside a box that sets up a tunnel? What's the difference with: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801982ae.shtml

The same difference, in principle, between DHCP and setting the IP address yourself. The details of which are in the ISI web page above.

>> FWIW, the seriousness of the impediments (Michel Py) are felt wherever NATs are deployed.
>
> Yeah right. That's why there are millions of NAT sites and they all have serious impediments.

There are millions of Compaq computers sold; all that run Windows (the vast majority) rely on a local web server to manage Compaq software updates. But the people behind NATs don't know that. They just don't get the updates. There are other cases where things just silently fail, and people go out and buy alternatives that work, or live without. You deem this, in other mail, a 'security feature'; I deem it a bug. Ignorance is bliss, but only when it's not expensive and/or frustrating.

Your other post to Melinda was closer to the primary issue, IMO - whether we can create an alternative which is as easy to use. The whole point of my post is that this can be done. Our solution may not be the best or the only one, but it proves (by example) that NATs aren't the only way to automated subnets, and that there is a way to undo the effects of NATs if - or when - those effects are finally noticed.

Joe
Re: IPv6 addressing limitations (was national security)
> See, that's the classic mistake: Everyone wants to divide the entire address space RIGHT NOW, without any clue as to how the world will evolve in years to come. Nature may abhor a vacuum, but it certainly

That's not correct. See:

http://www.iana.org/assignments/ipv6-address-space

Where it says:

  2) For now, IANA should limit its allocation of IPv6 unicast address space to the range of addresses that start with binary value 001. The rest of the global unicast address space (approximately 85% of the IPv6 address space) is reserved for future definition and use, and is not to be assigned by IANA at this time.

It was well understood that it was important to keep most of the IPv6 address space open to allow for future use.

Bob
RE: arguments against NAT?
On Tue, 2 Dec 2003, Michel Py wrote:

> I'm not arguing about that, it is delaying things indeed. However I wonder which kind of instant messaging you are referring to, as all the ones I've seen work fine through NAT.

Yahoo and AOL (I have never used MSN). Sure, you can do normal chatting, but once you extend into the other features such as file transfer, voice, and webcam... things break. You can get _some_ subset of features to work if you have control of the NAT, but otherwise you're stuck.

~armando

Armando L. Caro Jr. | Protocol Engineering Lab | www.armandocaro.net | University of Delaware
RE: arguments against NAT?
On Wed, 3 Dec 2003, Michel Py wrote:

>>> Michel Py wrote:
>>> I'm not arguing about that, it is delaying things indeed. However I wonder which kind of instant messaging you are referring to, as all the ones I've seen work fine through NAT.
>>
>> Armando L. Caro Jr. wrote:
>> Yahoo and AOL (I have never used MSN). Sure, you can do normal chatting, but once you extend into the other features such as file transfer, voice, and webcam... things break.
>
> In many enterprise environments, this would be a feature not a bug.

Maybe, but that's not the point. Not everyone who is forced to be behind a NAT is in an enterprise environment. Plus, if enterprise environments want to implement this feature, firewalls work fine.

> There are some webcams that are definitely inappropriate in a business setup;

Says who? Each business is different.

> given the lack of good enterprise content filtering solutions for IM, if NAT does break IM webcams I don't have a problem with it.

You don't have a problem with it, but others do. Plus, why are firewalls not sufficient for blocking IM?

> As for file transfer, it does not bother me either as like a lot of other network administrators I have a problem with users sharing their office computer files with anyone unknown on the net.

Again, YOU are ok with file transfer breaking... not everyone.

> For voice there's always that thing called the telephone that has the advantage to work all the time with anybody and can be logged.

Oh, you're right... so all the time that IM vendors invested in implementing voice chat was truly a waste, because there is absolutely NO demand for it. And all those users that currently are using voice chat as we speak/type have simply missed the fact that they could pick up the phone to pay more for their conversation.

(As I finish this reply, I realize it was a waste of my time... but now that it's written, I'll send it anyway.)

~armando

Armando L. Caro Jr. | Protocol Engineering Lab | www.armandocaro.net | University of Delaware
Re: arguments against NAT?
> In many enterprise environments, this would be a feature not a bug. There are some webcams that are definitely inappropriate in a business setup; given the lack of good enterprise content filtering solutions for IM, if NAT does break IM webcams I don't have a problem with it. As for file transfer, it does not bother me either as like a lot of other network administrators I have a problem with users sharing their office computer files with anyone unknown on the net. For voice there's always that thing called the telephone that has the advantage to work all the

How nice for you to be able to determine what everyone else should be able to run on their networks.
Re: arguments against NAT?
Keith Moore wrote:

|> In many enterprise environments, this would be a feature not a bug. There are some webcams that are definitely inappropriate in a business setup; given the lack of good enterprise content filtering solutions for IM, if NAT does break IM webcams I don't have a problem with it.
|>
|> As for file transfer, it does not bother me either as like a lot of other network administrators I have a problem with users sharing their office computer files with anyone unknown on the net.
|>
|> For voice there's always that thing called the telephone that has the advantage to work all the
|
| How nice for you to be able to determine what everyone else should be able to run on their networks.

Yeah. The level of clueloss boggles the mind.

MVH leifj
Re[2]: IPv6 addressing limitations (was national security)
Bob Hinden writes:

> 2) For now, IANA should limit its allocation of IPv6 unicast address space to the range of addresses that start with binary value 001. The rest of the global unicast address space (approximately 85% of the IPv6 address space) is reserved for future definition and use, and is not to be assigned by IANA at this time.
>
> It was well understood that it was important to keep most of the IPv6 address space open to allow for future use.

If it were well understood, nobody would have ever been foolish enough to suggest blowing 2^125 addresses right up front. I've already explained the folly of this in a previous post.
Re: national security
On 3 Dec 2003, Franck Martin wrote:

> ITU is worried like hell, because the Internet is a process that escapes the Telcos. The telcos in most of our world are in fact governments and governments/ITU are saying dealing with country names is a thing of national sovereignty. What they most of the time fail to see is that most registries are willing to hand it over to the governments provided they DO understand the issues, and not use DNS to empower telcos in more exclusive licencing power.

I'm not sure that this is really the case with respect to assignment of ccTLD registries. Though I can't personally vouch for this, I think all of the ccTLDs have been handed to government-designated representatives when the governments asked. So I dispute the implied assertion that there is present evidence of ICANN, IETF, or IANA involvement or interference in political or governmental controls.

But of course, governments have the sovereign right to control the communications of their citizens, and if the governments choose, can 'use DNS to empower telcos in more exclusive licencing power'. If governments are concerned about information anarchy, they will undoubtedly bring it up through the UN and through the ITU. Or perhaps they will just employ national firewalls like China did to block unwanted information.

--Dean
Re: arguments against NAT?
Michel Py wrote:

[..]

> As for file transfer, it does not bother me either as like a lot of other network administrators I have a problem with users sharing their office computer files with anyone unknown on the net.

I trust you frisk all employees for CD-R/RWs, floppies and USB sticks on their way home each evening too.

cheers,
gja
Ietf ITU DNS stuff
Dean said:

> But of course, governments have the sovereign right to control the communications of their citizens...

Dan says:

Well, I don't agree. If you believe in speech divorced from action (ex. commercial speech, inciting to riot, fraud), in which speech is a component of an act... just simple communications. I don't believe governments have the sovereign right to control the communications of their citizens. They do (governments), I guess. I can't think of any good that's come of this so far. It seems to me the subtext of less control in telecomm is a newly evolving civil right.

Interesting how much people can differ in what is to them an obvious first principle. This existing structure isn't broken, and recalling it's mostly about bare-faced power to repress ideas helps understand the motives, however. Weird how indirect and bogusly indirect it all is. I mean, the excuse factory has to run full blast to justify some of all this.

regards to all,
Dan
Re: Re[2]: IPv6 addressing limitations (was national security)
On 3-dec-03, at 21:21, Anthony G. Atkielski wrote:

>> It was well understood that it was important to keep most of the IPv6 address space open to allow for future use.
>
> If it were well understood, nobody would have ever been foolish enough to suggest blowing 2^125 addresses right up front. I've already explained the folly of this in a previous post.

You seem to assume that being frugal with address space would make it possible to use addresses that are much smaller than 128 bits. This might have been the case if efficiency in address allocation were the only issue we'd have to deal with. However, stateless autoconfiguration is an important feature, and it eats up a significant amount of address space because the interface identifier must be reasonably unique.

But more important are routing limitations. We need to keep the size of the global routing table in check, which means wasting a good deal of address space. Even in IPv4, where addresses are considered at least somewhat scarce, a significant part of all possible addresses is lost because of this.

If we want to keep stateless autoconfig and be modestly future-proof we need at least a little over 80 bits. 96 would have been a good number, but I have no idea what the tradeoffs are in using a broken power of two. If we assume at least 96 bits are necessary, IPv6 only wastes 2 x 32 bits = 8 bytes per packet, or about 0.5% of a maximum size packet. Not a huge deal. And there's always header compression.
Re[4]: IPv6 addressing limitations (was national security)
Iljitsch van Beijnum writes:

> You seem to assume that being frugal with address space would make it possible to use addresses that are much smaller than 128 bits.

I assume that if we are getting by with 2^32 addresses now, we don't need 2^93 times that many any time in the foreseeable future.

> This might have been the case if efficiency in address allocation were the only issue we'd have to deal with.

If we continue to throw away address space like this, it will be. That's fully 1/8 of the _entire_ 2^128 addresses.

> But more important are routing limitations. We need to keep the size of the global routing table in check, which means wasting a good deal of address space. Even in IPv4, where addresses are considered at least somewhat scarce, a significant part of all possible addresses is lost because of this.

Maybe it's time to find a different way to route.
Re: Ietf ITU DNS stuff
I don't mean to say I think excessive government control is a good thing. Rather, this is a political question that ICANN/IETF/IANA has to avoid. The ITU has avoided this studiously for decades, throughout the cold war even. As I think you note, it just is the way it is. As the saying goes, 'we give functionality, not policy.'

There are, though, good reasons to have some government controls on telecom. Whether these controls are too excessive or too lax is not up to ICANN or the ITU. I can think of cases where some good has come of it. E911, for example. Radio, TV, cellphone allocations. Ham Radio licences. If license-free wireless operation weren't restricted in power, few people would be able to use 802.11 because one company would be broadcasting at hundreds of watts, etc.

--Dean

On Wed, 3 Dec 2003, Dan Kolis wrote:
Ietf ITU DNS stuff III
Dean said:

> There are, though, good reasons to have some government controls on telecom. Whether these controls are too excessive or too lax is not up to ICANN or the ITU. I can think of cases where some good has come of it. E911, for example. Radio, TV, cellphone allocations. Ham Radio licences. If license-free wireless operation weren't restricted in power, few people would be able to use 802.11 because one company would be broadcasting at hundreds of watts, etc.

Well, you know both charters and constitutions can be revised with consent. Of course, you're right, some brokerage and allocation is necessary. Italy had a UHF "don't care" policy for low power TV and it turned out to be probably not in the public interest.

Still the essence of all this is content versus communications. The general idea surely of the ITU came about exactly in the context of limited frequencies and power, etc. So, fine. Coordination of this is reasonable. Internet needs *far* less of this thinking than any previous globally built system. The reason is, mostly you have 65535 ways to do most anything... minimum and some odd hundreds of millions of places/machines/people to do it.

If Internet didn't exist in its present form and work... ITU types would make dire predictions over how without regulation it simply wouldn't work independent of content. The argument would be framed as a common sense technological issue. The variant of it is unless the real adults take over... sooner or later (FILL_IN_THE_BLANK) will hijack it, trust us! (FILL_IN_THE_BLANK) is Pornographers | Spammers | Terrorists | Microsoft | Mumbo_Jumbo | etc.

I'm trying to seek in my little gray matter even one benefit of having the ITU do anything with the DNS. I mean, maybe somebody can point out a URL of something with an upside to it whatsoever.

In January, some obscure protocol is going to link Internet *IN GENERAL REALLY* to two orbiters around Mars to talk to little buggies which hopefully will land and work. So this thinking, so far has not only worked here quite well, but even seems to be usable off planet. Am I missing something?

Regards,
Dan

I hope this isn't too far afield of ietf stuffola. I'm kinda worried about that, (but not too worried to click on SEND)
Re: Ietf ITU DNS stuff III
On Thu, 2003-12-04 at 13:19, Dan Kolis wrote:

> Dean said:
>
>> There are, though, good reasons to have some government controls on telecom. Whether these controls are too excessive or too lax is not up to ICANN or the ITU. I can think of cases where some good has come of it. E911, for example. Radio, TV, cellphone allocations. Ham Radio licences. If license-free wireless operation weren't restricted in power, few people would be able to use 802.11 because one company would be broadcasting at hundreds of watts, etc.
>
> Well, you know both charters and constitutions can be revised with consent. Of course, you're right, some brokerage and allocation is necessary. Italy had a UHF "don't care" policy for low power TV and it turned out to be probably not in the public interest.
>
> Still the essence of all this is content versus communications. The general idea surely of the ITU came about exactly in the context of limited frequencies and power, etc. So, fine. Coordination of this is reasonable. Internet needs *far* less of this thinking than any previous globally built system. The reason is, mostly you have 65535 ways to do most anything... minimum and some odd hundreds of millions of places/machines/people to do it.
>
> If Internet didn't exist in its present form and work... ITU types would make dire predictions over how without regulation it simply wouldn't work independent of content. The argument would be framed as a common sense technological issue. The variant of it is unless the real adults take over... sooner or later (FILL_IN_THE_BLANK) will hijack it, trust us! (FILL_IN_THE_BLANK) is Pornographers | Spammers | Terrorists | Microsoft | Mumbo_Jumbo | etc.
>
> I'm trying to seek in my little gray matter even one benefit of having the ITU do anything with the DNS. I mean, maybe somebody can point out a URL of something with an upside to it whatsoever.
>
> In January, some obscure protocol is going to link Internet *IN GENERAL REALLY* to two orbiters around Mars to talk to little buggies which hopefully will land and work. So this thinking, so far has not only worked here quite well, but even seems to be usable off planet. Am I missing something?
>
> Regards,
> Dan
>
> I hope this isn't too far afield of ietf stuffola. I'm kinda worried about that, (but not too worried to click on SEND)

Well, to come back to my original comment: IETF, IANA and ICANN, being individual-member organisations, do not have the front of ITU, which is unfortunate as the Internet is not being done in ITU. Governments have to understand that and for that dissociate themselves from the old telco concept...

Franck Martin
SOPAC, Fiji
GPG Key fingerprint = 44A4 8AE4 392A 3B92 FDF9 D9C6 BE79 9E60 81D9 1320
"All knowledge is an answer to a question" (G. Bachelard)
Re: Re[4]: IPv6 addressing limitations (was national security)
On Thu, 04 Dec 2003 00:53:57 +0100, Anthony G. Atkielski said:

> Maybe it's time to find a different way to route.

If you know of a better way than BGP, feel free to suggest it. Make sure you do at least some back-of-envelope checks that it Does The Right Thing when a single burp on one link of a multihomed site causes the withdrawal and re-announcement of 50K routes. And that the Right Thing happens when a link outage happens 4-5 hops upstream...

While you're designing, remember that the routing table would be a lot bigger if we weren't doing heavy CIDR aggregation - and that you'll burn a few bits ensuring that aggregation works (try aggregating a /8 and 2 /12's even if they're all announced from the same AS and are numerically consecutive...)
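Valdis's aggregation exercise worked through in code, as an added example for this digest (not code from the thread or from any router vendor). It uses Python's standard `ipaddress` module; the prefixes are constructed (a /8 and two numerically consecutive /12s, imagined as one AS's holdings). The example goes a little beyond the remark: `aggregate()` shows which inputs collapse exactly, `single_route_cost()` shows what it costs in address space to make one announcement cover everything, and `share_of_space()` ties Bob Hinden's "binary value 001" prefix to Anthony's "1/8 of the entire space" figure.

```python
import ipaddress
from fractions import Fraction

# Constructed prefixes for the exercise: a /8 plus two adjacent /12s.
SAMPLE_PREFIXES = ["10.0.0.0/8", "11.0.0.0/12", "11.16.0.0/12"]


def aggregate(prefixes):
    """Merge prefixes into the fewest supernets covering exactly the input
    addresses and nothing else, i.e. what an AS can announce without claiming
    space it does not hold. Adjacency is not enough: two blocks only merge
    when together they form one aligned block of the next shorter length."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def single_route_cost(prefixes):
    """Shortest single prefix that covers every input, and the number of
    addresses it claims that are in none of them. Those addresses are the
    bits you 'burn' to make one aggregate announcement possible."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    covering = nets[0]
    while not all(n.subnet_of(covering) for n in nets):
        covering = covering.supernet()        # widen by one bit until everything fits
    held = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return str(covering), covering.num_addresses - held


def share_of_space(prefix):
    """Fraction of the whole address family that one prefix occupies."""
    net = ipaddress.ip_network(prefix)
    return Fraction(net.num_addresses, 2 ** net.max_prefixlen)


if __name__ == "__main__":
    print("exact aggregates:", aggregate(SAMPLE_PREFIXES))
    print("one route instead:", single_route_cost(SAMPLE_PREFIXES))
    print("2000::/3 is", share_of_space("2000::/3"), "of IPv6 space")
```

Running it shows the /8 and the two /12s exactly aggregate to two routes, not one: the /12s merge into 11.0.0.0/11, but the /8 and that /11 differ in length, so a single 10.0.0.0/7 announcement would claim 14,680,064 addresses the AS does not hold. Announcing more than you hold is exactly what prefix-filtering and RPKI-style checks on the receiving side are meant to catch, which is the defender's reason to care where aggregation boundaries fall.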
Re: IPv6 addressing limitations (was national security)
Iljitsch;

> We need to keep the size of the global routing table in check, which means wasting a good deal of address space.

That's not untrue. However, as the size of the global routing table is limited, we don't need so many bits for routing. 61 bits, allowing 4 layers of routing each with 32K entries, is a lot more than enough.

> Even in IPv4, where addresses are considered at least somewhat scarce, a significant part of all possible addresses is lost because of this.

Only 20 bits or so for routing is, certainly, no good.

> If we want to keep stateless autoconfig and be modestly future-proof we need at least a little over 80 bits. 96 would have been a good number, but I have no idea what the tradeoffs are in using a broken power of two. If we assume at least 96 bits are necessary, IPv6 only wastes 2 x 32 bits = 8 bytes per packet, or about 0.5% of a maximum size packet. Not a huge deal. And there's always header compression.

Stateless autoconfig is a mostly useless feature, applicable only to hosts within a private IP network, where 64 bits could have worked. 128 bits is here to enable separation of a 64-bit structured ID and a 64-bit locator.

Masataka Ohta
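The 64-bit interface identifier that Iljitsch says "must be reasonably unique" and that Ohta calls the "64 bit structured ID", shown concretely. This is an added example for this digest, not code from the thread; it implements the modified EUI-64 construction of RFC 4291 Appendix A (split the MAC, insert ff:fe, flip the universal/local bit) on top of Python's standard `ipaddress` module. The prefix (2001:db8::/64, documentation space) and MAC address are constructed.

```python
import ipaddress


def modified_eui64(mac):
    """Derive the 64-bit interface identifier from a 48-bit MAC (RFC 4291 App. A):
    first three octets, then 0xff 0xfe, then the last three octets, with the
    universal/local bit (0x02 of the first octet) inverted."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def slaac_address(prefix, mac):
    """Stateless address autoconfiguration: a /64 prefix plus the EUI-64 identifier.
    This is why each subnet consumes a full 64 bits regardless of host count."""
    net = ipaddress.ip_network(prefix)
    if net.version != 6 or net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 IPv6 prefix")
    iid = int.from_bytes(modified_eui64(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def mac_from_address(addr):
    """Invert the construction. That this is possible is the privacy cost of
    EUI-64 identifiers: the hardware address follows the host onto every
    network it joins, which is what RFC 4941 temporary addresses avoid.
    Returns None when the ff:fe marker is absent (not an EUI-64 identifier)."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = bytearray(iid.to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe":
        return None
    b[0] ^= 0x02
    return ":".join(f"{x:02x}" for x in b[:3] + b[5:])


if __name__ == "__main__":
    # Constructed inputs: documentation prefix and an arbitrary MAC.
    a = slaac_address("2001:db8::/64", "00:11:22:33:44:55")
    print(a, "->", mac_from_address(a))
```

For a defender the last function is the useful one: when an inventory or log shows EUI-64-style addresses, the hosts are advertising their hardware identity on every network, and enabling temporary addresses (or DHCPv6-assigned ones) is the usual fix.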
Re: Ietf ITU DNS stuff III
I find this and a couple of other threads completely and totally fascinating. I find myself wondering who really is dialed in to what's going on and who isn't. And that includes Vint. Of all the people that stay tuned in, Vint is the one that should know.

The things that are going on are not being addressed directly and honestly in this thread or any other public thread. The people that are pulling the strings don't do it on these threads or in public. That's a good thing and a bad thing. Good that technonerds like ourselves can air things out in public, try, and still believe this keeps things in the open and honest. Bad that if we believe that we can really affect important things here, we will wake up one day to find out all our words and thoughts and trying were flushed by the people that want to control, and don't care for our input.

It's just a sign of the times. And a sign that the Internet has succeeded so well that the big boys want to control it. For their own purposes. And they will.

The simplest clue is that the IETF (supposedly) once consisted of individuals working for common interests, but now there are very few that speak for themselves. They are captive to their employer or contractor (for you "academicians" out there that want to pretend your motives are pure).
Re: Ietf ITU DNS stuff III
> ... just a sign of the times. And a sign that the Internet has succeeded so well that the big boys want to control it. For their own purposes. And they will.

to misquote john gilmore, the internet interprets control as damage and routes around it. anything nonconsensual ends up self-marginalizing. look at software implementations of internet-series protocols for examples. the implementations with the most control over the present and future of these protocols are the ones with unclear ownership that are given away for free.

there's plenty to worry about wrt the big boys controlling things, but the internet is definitionally and constitutionally uncontrollable. yay!

--
Paul Vixie