me later), we'll be in deep doo.
--
Paul Vixie
in more places.
--
Paul Vixie
changing the routing preference
between the networks requires renumbering.
...is fatal to this approach.
i still prefer A6/DNAME. (dammit.)
--
Paul Vixie
The point is that Randy was wrong when he said there weren't any v6 ISPs
in 2002, because at least some were doing it a year before that.
actually that was me. i had no idea anybody was offering ipv6 transit service
when isc first brought up ipv6; while he.net and verio both offered us
,
these are the kinds of details that can change every week or every day.)
--
Paul Vixie
) with limited on site
support (power backup assumed standard)...
http://www.vix.com/personalcolo/ has a number of amsterdam entries, and a
few of them offer space by the rack, not just by the RU. it's worth a look.
--
Paul Vixie
...
Actually, the policy also specifies that you must not be an end-site.
well, you sure caught me this time. in august 2002 when the /32 in question
first came to isc, i had not read the policy. so i don't know if it was
different from the current policy. i assume it was, because i know
.
--
Paul Vixie
please remove all public information about B from
http://www.root-servers.org. The public data about B
on that site is not 100% accurate and does not have 100% participation
amongst root-server operators wrt publishing accurate information.
you've got root on that
to back up that statement? apply for an ipv6 prefix from arin, and let
us (all of nanog) know how it goes.
--
Paul Vixie
I don't care whether you want to call it PI space or not, the bottom line
is that it has all the same practical uses and effect as PI space, and,
this is exactly what the real world is likely to do with v6 for any
organization that wants to multihome without renumbering. They'll get
an AS
comments here that the web
site is inaccurate or out-of-date in some way he's directly aware of, and
i just don't think that's true.
--
Paul Vixie
it's not as easy as the solaris token thing described earlier in this
thread, but it actually works fine and it's become universal on ISC's hosts.
--
Paul Vixie
in DNS. Dead, dead, dead. For years now.
Several of those responsible for the killing are present on this mailing
list, so perhaps they will explain just why A6 apparently needed killing.
--
Paul Vixie
as PI, even though ISC is neither
an IX nor a rootserver. (f-root has its own /48, which is something else.)
--
Paul Vixie
and ineffective+unenforceable prohibitions against those.
and of course, see BCP38 (or if you're in management, SAC004).
--
Paul Vixie
or port number, rather than EDNS or
packet size.
--
Paul Vixie
a customer of chello.be has been repeating a dns dynamic update against my
zone every four minutes since october 20. chello's abuse reporting channel
is no doubt full of spam reports. their noc no doubt doesn't care about
end-user problems. i nmap'd the offending box:
Starting nmap 3.50 (
. Especially where you
really don't know that your customer's customer is doing this.
It's 2004, and so, your customers who want to do this have to explain why,
and you have to maintain extra-ordinary filters for such customers, at either
your cost or the customer's cost.
--
Paul Vixie
i got the room just before the deadline, it's in the nanog/arin hotel,
but i'm not going to make it to DC after all. first come first served;
if you wanted to be in the conference hotel but missed the deadline, i
can tell the hotel to put the room in your name and you can call them
and give them
off. apparently, lots o' folks don't book their room while there still
is one at the group rate.
--
Paul Vixie
And what do you do with a BGP customer which sends you traffic
from prefixes he doesn't want to announce to you? There are such
customers. Fail filter ACL?
This has been my question with uRPF from the beginning. You can
solve this on for some networks, but it doesn't scale
) should have to take explicit, non-default action which would
probably include a source-address ACL, or static routes, or something.
--
Paul Vixie
call multihomed networks an issue wrt BCP38 deployment. in
fact, you should read it, and BCP38, and BCP84, before participating in
this discussion at all, either here, or at the bar-bofs next week.
--
Paul Vixie
.
--
Paul Vixie
i was recently chastised for posting non-operational content to nanog, and
so, while i am willing to beat the drum for source address validation, i'm
very concerned about commenting further in what has to be the 40th or 50th
version of this thread in the last ten years. with trepidation, then:
someone who wished to remain publicly unnamed answered me by saying:
I got chastised a little while ago, too, for a single post, and told that
it was my THIRD warning (having not received any at all before). Feh.
i can't think of anyone among all nanog posters since the beginning of time
is lesser effort. The controllers are a priority.
wide scale BCP38 conformity is the only way any of this will ever happen.
--
Paul Vixie
in http://www.vix.com/personalcolo/
makes sense to me. the gmail / aol.com / yahoo.com / etc approach does not.
--
Paul Vixie
you could bet that by closing off this avenue, SPF will force
spammers to use other methods that are more easily detected /
filtered, and that if you play this catmouse game long enough, it
will drive the cost of spam so high (or drive the volume benefit so
low) that it'll just die out.
update SAN FRANCISCO--The Internet needs to be upgraded with a new layer
of abilities that will deal with imminent problems of capacity, security
and reliability, Intel Chief Technology Officer Pat Gelsinger said
Thursday.
Gelsinger pointed to PlanetLab, an experimental network that sits on top
i'd asked:
Anybody had notable (good or bad) billing and/or customer service
experiences with Voicestream or any other GSM provider with native
coverage in the San Francisco Bay Area?
many people said:
I think Voicestream and T-Mobile are the same company now. If you've
had problems
True, but bounces, and anything else with NULL return path, can be taken
care of with SRS.
SRS is probably a higher pairwise deployment barrier than SPF. but in any
case you should take this argument to the IETF MARID WG, since getting
agreement on nanog@ (assuming it's possible) won't stop
in http://news.bbc.co.uk/2/hi/technology/3634572.stm we see:
Campaigners against spam on the internet have won a major battle
against the world's second largest internet service provider.
US firm Savvis was allegedly earning up to $2 million a month from
148 of the world's worst
digital communications again before whitelists;
everything we do in the mean time is just a way to prove that to the public
so they'll be willing to live with the high cost of fully distributing trust.
--
Paul Vixie
whose only
guaranteed effect is to force spammers to have to be smarter. (they will!)
--
Paul Vixie
reasons, or a universal reason.
--
Paul Vixie
was going to
happen?
--
Paul Vixie
You can get most of these phones unlocked from the sim lock
and then britishflog/british it on ebay - goes to the time
and effort costs of the aggravation of dealing with mobile
operators.
i plan to send the shattered remains of that phone back to ATT
in case they think that my small
to the list.)
--
Paul Vixie
, then you will have to
do something a hell of a lot smarter than incoherent dns. there are open
source packages to help you do this. they involve sending back an HTTP
redirect to clients who would be best served by some other member of the
distributed mirror cluster.
--
Paul Vixie
[EMAIL PROTECTED] (Paul Vixie) writes:
... four times in the last two months, a life flight helicopter has ...
oops, five times. the helicopter engine noise i was listening to while
typing the above, turned out to be another red one from stanford hospital.
my apologies to anyone who
because glue searches
aren't required to find wildcards.)
if you put a zone like that in place on a server that's receiving
unwanted queries for some zone, they will soon stop, or not. you
win either way -- the queries stop, or you laugh your ass off.
--
Paul Vixie
i wrote:
... confuse and make errors for whoever queries it:
@               SOA     localhost hostmaster.localhost
                NS      localhost
localhost       A       127.0.0.1
*               MX      0 localhost
                A       127.0.0.1
if you put a zone like that
-source, these three alternatives are
interchangeable.
it's definite that filtering out spoofed-source is the best thing to do,
but since this is way harder to do as a recipient than as a sender, it's
not a realistic alternative to running a dns server with deliberately bad
zone data.
--
Paul Vixie
? (oops, it's all of you, isn't it?)
--
Paul Vixie
[EMAIL PROTECTED] (Paul Vixie) writes:
in the example i posted earlier, i included some numbers from one member of
the f troop, which showed ~21M packets from rfc1918 space over the course
of ~106 days. that's 241 queries per second. on only one host of many.
granted it's not much
...
Unfortunately, SiteFinder did not have such a destructive effect as we
had all wanted it to have.
...
that apparently depends on what you wanted and what you consider destructive.
to me, as a domain holder under .COM, the damage was latent, coming in the
form of unacceptable business
Verisign or any other TLD operator does?
root server operators don't control the root zone, they only publish it.
some combination of itu (via the iso3166 process), icann/iana, ietf/iab,
and us-DoC are the folks you'd go to if you wanted a toplevel wildcard.
--
Paul Vixie
been able to agree on are that
(1) the root zone should be published with maximum reachability and uptime,
(2) the root zone should not be edited by the root server operators, and
that, finally, (3) there should never be a (3).
--
Paul Vixie
these questions is worse than useless.
--
Paul Vixie
what i meant by act globally, think locally in connection with That
MIT Paper is that the caching effects seen at mit are at best
representative of that part of mit's campus for that week, and that
even a variance of 1% in caching effectiveness at MIT that's due to
generally high or low TTL's (on
to acknowledge. For
example, Paul Vixie, a member of the committee who is cited three
times as evidentiary support for the Committee's conclusions, fails
to disclose that he is the president of Internet Systems Corporation
(ISC), which released the BIND software patch discussed
to register your keys, and in the early days,
will probably have an unjustifiably poor cost:benefit ratio for doing so.
it will NOT, unless i'm completely confused, be that there are too many RR's.
--
Paul Vixie
i wrote:
wrt the mit paper on why small ttl's are harmless, i recommend that
y'all actually read it, the whole thing, plus some of the references,
rather than assuming that the abstract is well supported by the body.
http://nms.lcs.mit.edu/papers/dns-imw2001.html
here's what i've learned
Paul Vixie wrote:
on the other hand, if you do this for a nameserver that your customers
depend on, then there is probably some liability for either trademark
infringement, tortious interference with prospective economic advantage,
and the gods alone know what else. if you do this, keep
infringement, tortious interference with prospective economic advantage,
and the gods alone know what else. if you do this, keep it to a server
you run on 127.0.0.1 and ensure that you are its only user.
--
Paul Vixie
the primary beneficiaries of this new functionality are spammers and
other malfeasants
... The primary beneficiaries are all
^
intended
current and future .com/.net domain holders:
I'm not talking about intended beneficiaries. I agree with your
, but let's please
not also increase dynamicism of delegation change and domain deletion.
--
Paul Vixie
is well supported by the body.
--
Paul Vixie
... so, let's increase dynamicism of domain addition, but let's please
not also increase dynamicism of delegation change and domain deletion.
What would be your suggestion to achieve the desired effect that many seek
by lower TTL's, which is changing A records to point to available, lower
i'd said:
wrt the mit paper on why small ttl's are harmless, i recommend that
y'all actually read it, the whole thing, plus some of the references,
rather than assuming that the abstract is well supported by the body.
someone asked me:
Would you happen to have the URL for the MIT paper?
, and parity was needed. the primary beneficiaries of this
new functionality are spammers and other malfeasants, and the impact of
having it in many TLD's will be to put downward pressure on TTL's. this
all needs to be looked at very carefully.
--
Paul Vixie
and non-radical
for its time.)
--
Paul Vixie
I think depeering is a bit over the top for this situation, ...
if their customer was sucking blood from your customer, and if your peer
was taking a cut of the proceeds, would the issues be any clearer?
I guess the big question is, is there anyone (other than those profiting
directly from
. meanwhile, disintermediation is still my
favorite word in the internet dictionary. i like it when one's competitors
are free to do business with each other, it leads to more and better
innovation.
--
Paul Vixie
i've been told that if i ran a tier-1 i would lose my love for the
vni/pni approach, which i think scales quite nicely even when it
involves an ethernet cable through the occasional ceiling. perhaps
i'll eat these words when and if that promotion comes through.
meanwhile,
meanwhile your sister has the hassle of getting southwest to send that
fax, or changing her travel plans. i'm sure glad you're not running my
isp.
if i were running your isp, paying customers would get to choose.
So you think it's futile to try to get software vendors to improve their
products. I suppose I can go along with that to a certain degree. But how
can you expect end-users to work around the brokenness in the software they
use? This seems both unfair and futile.
at my aforementioned sister's
warning. this is about humans rather than about IOS configs. hit D now.
Also, an easy fix like this may lower the pressure on the parties
who are really responsible for allowing this to happen: the makers
of insecure software / insecure operational procedures (banks!) and
gullible
It's wholly unfair to the innocent parties affected by the blacklisting.
i.e. the collateral damage.
maybe so. but it'll happen anyway, because victims often have no recourse
that won't inflict collateral damage. the aggregate microscopic damage of
this kind is becoming measurable and
the root cause of network abuse is humans and human behaviour, not
hardware or software or corporations or corporate behaviour. if most
people weren't sheep-like, they would pay some attention to the results
of their actions and inactions.
It's easy to blame the user, and usually they
and the necessary traffic always finds a way
to get through. fixing layer 7 problems by denying layer 3 service has
indeed proven to be the only way to get remote CEO's to care (or notice).
--
Paul Vixie
spamhaus has gotten too aggressive.
It's now preventing too much legitimate email.
that's funny, really funny. s/spamhaus/maps/ or s/spamhaus/sorbs/ or indeed
look at any receiver-side filtering mechanism that gets a little traction,
and sooner or later folks will say it's too aggressive and
domainholders against sender-forgery, at which point the
spammers will have to use real domain names they get from .biz at $5 each,
and the total spam sent continue to rise month by month.
and what a marketing triumph THAT will be.
--
Paul Vixie
Just curious. How much would it differ from
http://www.amazon.com/exec/obidos/redirect?tag=icannwatch-20path=tg/detail/-/0262134128/qid%3D1041619276/sr%3D1-1
and
http://www.law.miami.edu/~froomkin/articles/icann.pdf
as i said, it can't be written by an ambulance-chaser or nobody will
on the ICANN Security and Stability Advisory Committee. what their
First Amended Complaint says about me is that:
Paul Vixie is a Site Finder co-conspirator [...].
Paul Vixie is an existing provider of competitive services for
registry operations, including providing TLD
PV Paul Vixie is an existing provider of competitive services for
PV registry operations, including providing TLD domain name hosting
PV services for ccTLDs and gTLDs, and a competitor of VeriSign for
PV new registry operations. [...]
I'm missing something
there's some overlap with the registry/registrar community
that verisign might be thinking of.
--
Paul Vixie
observers.
--
Paul Vixie
it to prevent a wildcard
from ever being added. (i like my nxdomains straight up, no ice, no soda.)
[EMAIL PROTECTED] (Henry Linneweh) writes:
...
It is amazing that one person Paul Vixie could be so intimidating that he
must be intimidated and maligned as a conspirator in order to eliminate
him
. if
you reply to this message, there's a good chance of your e-mail appearing
in court filings at some point.)
--
Paul Vixie
Anything I/we can do to help the cause?
not at the moment. i'm not a defendant, just a named co-conspirator.
for the output from their
network, and the ones who won't, are going to be treated by their victims
as bad internet neighborhoods. hopefully sean is ready to stop whining
about that by this point in the thread. if not i can do another database
extract for him.
--
Paul Vixie
else that pleases us, invent all the rules and
new technology we want, but it will all come down to treaties between nations.
unfortunately, my own nation is so interested in appeasing our spammers that
they are unable to provide any leadership in this area. someone else should
step up.
--
Paul
We have methods of dealing with these abuse problems today, unfortunately
as Paul Vixie often points out there are business reasons why these
problems persist. Often the 'business' reason isn't the tin-foil-
hat-brigade's reason so much as 'we can't afford to keep these abuse
folks around
the routers on both ends of my home t1.
--
Paul Vixie
| 63.202.127.13 | 202
2002-12-13 | 2004-04-28 | 63.202.127.14 | 18
2003-09-04 | 2003-09-04 | 63.202.127.162 | 1
(595 rows)
--
Paul Vixie
the people who need this service to pay for it. it's worth a try?
--
Paul Vixie
proxy is regularly reported by norton's tools because it sets
unusual bits in the tcp header. and so on.
--
Paul Vixie
| 249 | 63.207.141.20 | 2
2002-12-28 | 247 | 63.199.186.142 | 97
(500 rows)
--
Paul Vixie
, again since you make the profit from these customers.
google for chemical polluter business model if you want more background.
--
Paul Vixie
So you claim even the ISPs you ran yourself have never attempted to do
any of these things?
the last access-side isp i had anything to do with running used uucp and
shell and was just getting going on c-slip when i pushed off. (i assure
that any rmail or rnews spam was grounds for suspension
so you aren't going to google for chemical polluter business model, huh?
I hope you also google for Nonpoint Source Pollution.
ISPs don't put the pollution in the water, ISPs are trying to clean up
the water polluted by others. ISPs are spending a lot of money cleaning
up problems
over the process and ultimately decide who does or
does not put things into those pipes and influence the policies.
yea, verily.
--
Paul Vixie
, as long as *you're* ok.
feh.
Paul Vixie proposed that people should be required to use personal Co-Lo
^^(1)
so the co-lo provider has collateral to seize when the customer fails to
^^^(2)
keep the computer
% or more... as you all saw, the list *was* longer.)
there are any number of unemployed bgp experts haunting this mailing list
looking for post-dotbomb work. many of them would accept work as short term
consultants to help you folks get down under the 80% level. just ask!
--
Paul Vixie
hour spent on such research would turn up even more.
--
Paul Vixie
://www.dcc-servers.net/dcc/graphs/, most people get
most of the same spam, even if this doesn't appear in local measurements.
(note that these graphs are subtle and complex and wonderful, and deserve
several minutes of careful study before you try to draw any conclusions.)
--
Paul Vixie
arrested, if
you possibly can. this changes your costs from 10 hours to 15 hours but it
actually puts some chips on the table and makes the game worthwhile.
--
Paul Vixie