Can I borrow some MTA address traces?

2014-03-30 Thread John R. Levine
As noted about a zillion messages ago, one of the concerns about IPv6 mail is whether DNSBLs will be workable, with one of the questions being whether the lookups will blow away DNS caches. As far as I can tell, there is basically no research on DNS cache behavior other than a few very old

Re: e-postage still doesn't work, why IPv6 isn't ready for prime time, SMTP edition

2014-03-30 Thread John R. Levine
Contrary to the commonly held belief that this is fundamentally impossible, we propose several solutions that do achieve a reasonable level of double spending prevention Yes, that's Bitcoin's claim to fame. Perhaps the number of zeroes doesn't make a difference; but solving the double

Re: why IPv6 isn't ready for prime time, SMTP edition

2014-03-29 Thread John R. Levine
Don't forget Vanquish was a complete failure, so why would this be any different? and do I want Phil Raymond to sue me for violating the patent on this exact scheme? That was a specific reply by me to a specific suggestion of a mechanism refunding e-postage to the sender if one wanted an

Re: why IPv6 isn't ready for prime time, SMTP edition

2014-03-29 Thread John R. Levine
The numbers you list in your argument against a micropayment system being able to function are a fraction of the number of transactions Facebook deals with in updating newsfeeds for the billion+ users on their system.[0] ... which is completely irrelevant because they don't have a double

Re: IPv6 isn't SMTP

2014-03-27 Thread John R. Levine
mailbox@[IPv6:2001:12:34:56::78:ab:cd] You aren't allowed to use :: to abbreviate one zero hexadectet according to RFC 5952. http://www.rfc-editor.org/errata_search.php?eid=2467 Oh, look at that. I wonder how many people realized that it made an incompatible change to RFC 4291 four years

Re: why IPv6 isn't ready for prime time, SMTP edition

2014-03-27 Thread John R. Levine
Ergo, ad hominem. Please quit doing that. As a side note I happen to run my own mail server without spam filters -- it works for me. I might not be the norm, but then again, is there really a norm? (A norm that transcends SMTP RFC reach, that is -- I know a lot of people who run a lot of mail

Re: why IPv6 isn't ready for prime time, SMTP edition

2014-03-26 Thread John R. Levine
It must be nice to live in a world where there is so little spam and other mail abuse that you don't have to do any of the anti-abuse things that real providers in the real world have to do. What is a real provider? And what in the email specifications tells us that the email needs and solutions

Re: IPv6 address literals probably aren't SMTP either

2014-03-26 Thread John R. Levine
I'm not saying John Klensin shouldn't have a say in how the IPv6 address is defined, but I do think it would be best for everyone to work it out in an official place somewhere so that email software isn't doing the complete opposite of everyone else. Too late. Regards, John Levine,

Re: why IPv6 isn't ready for prime time, SMTP edition

2014-03-25 Thread John R. Levine
Or he could just not like NSL and the fact the ISP's are required to abide by them. If people want their email going through where it can be snooped upon that is their prerogative. Just don't force people to have to use I-WILL-SNOOP-ISP!!! Who said anything about being required to use your

Re: why IPv6 isn't ready for prime time, SMTP edition

2014-03-25 Thread John R. Levine
None of this is REQUIRED. It is forced on people by a cartel of email providers. It must be nice to live in a world where there is so little spam and other mail abuse that you don't have to do any of the anti-abuse things that real providers in the real world have to do. Regards, John

Re: why IPv6 isn't ready for prime time, SMTP edition

2014-03-25 Thread John R. Levine
I would suggest the formation of an IPv6 SMTP Server operator's club, with a system for enrolling certain IP address source ranges as Active mail servers, active IP addresses and SMTP domain names under the authority of a member. Surely you don't think this is a new idea. R's, John

Re: misunderstanding scale (was: Ipv4 end, its fake.)

2014-03-24 Thread John R. Levine
How long, exactly, do you expect 3.2 billion unicast addresses to provide enough addressing for 6.8+ billion people? Oh, I'd say a decade. Like I said, I have IPv6 on my server and my home broadband, which mostly works, with the emphasis on the mostly. We've just barely started to move

Re: US to relinquish control of Internet

2014-03-15 Thread John R. Levine
The ITU is an agency of the United Nations. Which is an organization created by treaty, of which various nations' governments are members. Actually, the ITU is more than twice as old as the UN, and merged with the UN in 1947. As noted in a previous message, the ITU has both government

Re: US to relinquish control of Internet

2014-03-15 Thread John R. Levine
What's the worst they can do at this point? Make .bobtodd and .bubbagump TLDs? This is different from some of the crap we've got now in what way?? Well, ICANN has come pretty close to delegating .HOME and .CORP to domain speculators, despite the vast amount of informal use which would get

Re: US to relinquish control of Internet

2014-03-14 Thread John R. Levine
I look forward to the ITU equitably allocating domain names and IP addresses. NTIA will not accept a proposal that replaces the NTIA role with a government or an inter-governmental organization solution. Let's hope you're right, but I note that the ITU isn't an inter-governmental

Re: BCP38 is hard, was TWC (AS11351) blocking all NTP?

2014-02-04 Thread John R. Levine
If ISP has customer A with multiple *known* valid networks --doesn't matter if ISP allocated them to customer or not-- and ISP lets them all out, but filters everything else, ISP is still complying with BCP 38. Of course. The question is how the ISP knows what the customer's address ranges

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread John R. Levine
It seems that a host sending large amounts of NTP traffic over the public Internet can be safely filtered if you don't already know that it's one of the handful that's in the ntp.org pools or another well known NTP master. Speaking as one of the 3841 servers in the pool.ntp.org pool, I'm happy

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread John R. Levine
I was thinking that the ntp.org servers on any particular network are a small set of exceptions to a general rule to rate limit outgoing NTP traffic. www.pool.ntp.org allows any NTP operator to opt-in to receive NTP traffic should their clock be available and accurate. I believe you, but I

Re: Will a single /27 get fully routed these days?

2014-01-26 Thread John R. Levine
and we'll see endless arguments between buyers of IPv4 space and ARIN, when ARIN refuses the updates to the address registry. This would be bad. I can think of few more effective ways of destroying the RIR system than by refusing to update the address registry. I completely agree, but there

Re: Will a single /27 get fully routed these days?

2014-01-26 Thread John R. Levine
I don't see ARIN recognizing bogus transfers in the registry -- if the transfer policy wasn't followed, then no transfer occurred. I expect the party that paid good money for the address space, and the party who they paid, and their respective attorneys, will strenuously disagree with you, but

Re: Where does Downstream server error come from?

2014-01-19 Thread John R. Levine
Perhaps the host prior to the ones that had the error were doing recipient checking? Nope, I got the error immediately after trying to connect, before it could even send EHLO. R's, John M. From: John Levine Sent: Sunday, January 19, 2014 17:56 To: nanog@nanog.org Subject: Where does

Re: whois.internic.net / whois.crsnic.net IPv6 timeouts

2013-07-10 Thread John R. Levine
Now I'm starting to really wonder- I'm having this trouble over a SixXS tunnel but some of the non-tunnel'd IPv6 environments I have access to are working fine. Perhaps the issue here is actually MTU or MSS related? Possibly. It works fine for me through a HE tunnel, but I think I had

Re: What do people use public suffix for?

2013-04-15 Thread John R. Levine
They'd really like to have a process which is less ad-hoc. For example, it'd be great if these points were annotated in the DNS itself, perhaps with a record which points to the corresponding whois server. I've been thinking about a way to do that, but I want to understand the use cases

Re: Any experience with Grandstream VoIP equipment ?

2013-02-11 Thread John R. Levine
Man is this strange: when I set my DHCP server to assign the Sipura box a fixed IP address, the VoIP box didn't work. When I let it assign an address out of the pool, it did work. Same device, same LAN, same /24 subnet, same ISC DHCP server. The Sipura has a web server, so I could confirm

RE: Any experience with Grandstream VoIP equipment ?

2013-02-11 Thread John R. Levine
Man is this strange: when I set my DHCP server to assign the Sipura box a fixed IP address, the VoIP box didn't work. When I let it assign an address out of the pool, it did work. So what happens if you now configure the DHCP server so that the (working) IP is removed from the pool, and have

Re: Any experience with Grandstream VoIP equipment ?

2013-02-09 Thread John R. Levine
Strangely enough, Cisco SPA-112. Formerly known as Sipura, then Linksys. I do not know if they move to Belkin as part of the Linksys sale. Just got a Sipura SPA-1001. It also has registration problems. Hmmn. Regards, John Levine, jo...@iecc.com, Primary Perpetrator of The Internet for

Re: Muni network ownership and the Fourth

2013-02-01 Thread John R. Levine
The muni providers have a bunch of cost advantages that help them keep the price lower. Yes, but: A) NYSEG customers are still paying off boondoggles due to incompetent current and former management that have nothing to do with their for-profit status B) So what? The customers get better

Re: De-funding the ITU

2013-01-14 Thread John R. Levine
1. I generally agree that the Internet has too much spit and duct tape, however; 2. Siccing the ITU on that problem - or allowing them near it - would be a disaster of a magnitude not often seen in human affairs. No disagreement there. The Internet isn't designed to be a phone network.

Re: De-funding the ITU

2013-01-13 Thread John R. Levine
and going home is likely not worth the trivial amount of money involved. Trivial to whom? Is $11M/year trivial relative to the $181M/year ITU budget? Relative to the $2M/year IETF budget? Relative to the $600K/year budget of NANOG? Trivial to the US government, who's appropriating the

Re: [SHAME] Spam Rats

2013-01-09 Thread John R. Levine
One is a stunt rDNS server that synthesizes the records on demand. (Bonus points for doing DNSSEC, too. Double bonus points for doing NSEC3.) NSEC3 is a waste of time in ip6.arpa or any similarly structured zone so -100 for doing NSEC3 and effectively doing a DoS attack against yourself and

Re: Gmail and SSL

2013-01-02 Thread John R. Levine
Are you, at this moment, able to acquire a falsely signed certificate for www.herrin.us that my web browser will accept? Me, no, although I have read credible reports that otherwise reputable SSL signers have issued MITM certs to governments for their filtering firewalls. Regards, John

Re: Gmail and SSL

2012-12-31 Thread John R. Levine
However, the procedures required to exploit these weaknesses are slightly more complicated than simply producing a self-signed certificate on the fly for man in the middle use -- they require planning, a waiting period, because CAs do not typically issue immediately. Hmmn, I guess I was

RE: IPv6 Ignorance

2012-09-28 Thread John R. Levine
You won't have enough addresses for Dark Matter, Neutrinos, etc. Atoms wind up using up about 63 bits (2^10^82) based on the current SWAG. The missing mass is 84% of the universe. Fortunately, until we find it, it doesn't need addresses. -Original Message- From: Randy Bush

Re: The Department of Work and Pensions, UK has an entire /8

2012-09-18 Thread John R. Levine
On Tue, 18 Sep 2012, james jones wrote: Are we still talking about this? I set up a LAN at home once that used 6/8 :) They have nuclear weapons, too. Just saying. R's, John On Tue, Sep 18, 2012 at 6:17 PM, Christopher Morrow morrowc.li...@gmail.com wrote: On Tue, Sep 18, 2012 at

Re: IPv6 Ignorance

2012-09-16 Thread John R. Levine
IPv6 has its problems, but running out of addresses is not one of them. For those of us worried about abuse management, the problem is the opposite, even the current tiny sliver of addresses is so huge that techniques from IPv4 to map who's doing what where don't scale. Well, in IPv4... NAT

Re: The day SORBS goes away ...

2012-04-14 Thread John R. Levine
dnslists = dialups.mail-abuse.org \ : rbl-plus.mail-abuse.org \ Are you paying Trend for access to these? yes, i have an arrangement I used to pay (not very much) but realized several years ago that after using the Spamhaus lists, MAPS didn't catch

Re: uunet ends newsfeed/newsreader in US

2012-03-31 Thread John R. Levine
It's not pr0n that's killing Usenet, the problem is spam junk mail, chain letters I gather you haven't looked at usenet for a long time. The spam and chain letters have followed the crowd. I can't remember the last time I saw a chain letter, and there's surprisingly little spam. E-mail

Re: Concern about gTLD servers in India

2012-03-10 Thread John R. Levine
The IDN TLDs (to date, with the exception of the test IDN TLDs) are more properly considered ccTLDs as they are the localized version of country names. Good point. Also, one could make a distinction between sponsored TLDs and generic TLDs, but that's probably splitting hairs. I suppose,

Re: SSL Certificates

2012-02-16 Thread John R. Levine
I suppose if you buy a SSL certificate, you should be looking for your CA to have insurance to reimburse the cost of the certificate should that happen, and an ironclad refund clause in the agreement/contract under which a SSL cert is issued These certs cost $9.00. You're not going to

Re: SSL Certificates

2012-02-16 Thread John R. Levine
These certs cost $9.00.  You're not going to get much of an insurance policy at that price. again, startssl.com - free. why pay? it's (as you say) not actually buying you anything except random bits anyway... if you can get them for free, why would you not do that? The free ones are supposed

Re: Dear RIPE: Please don't encourage phishing

2012-02-12 Thread John R. Levine
The DNS industry is putting us a long way from when RFC 2826 was written. That's true, but you can't just blow off the majority of people in the world who use languages that you can't write in the ASCII character set. It's a hard problem. I wouldn't say that ICANN's approach has been

Re: Address Assignment Question

2011-06-20 Thread John R. Levine
All they need -- or, I suspect, need to assert -- is to have multiple physical networks. They can claim a production net, a DMZ, a management net, a back-end net for their databases, a developer net, and no one would question an architecture like that My impression is that this is about a

Re: unqualified domains, was ICANN to allow commercial gTLDs

2011-06-19 Thread John R. Levine
And your technical solution to ensure http://apple/; always resolves to apple. and doesn't break people using http://apple/; to reach http://apple.example.net/; is? Whatever people have been doing for the past decade to deal with http://dk/ and http://bi/. As I think I said in fairly easy to

Re: unqualified domains, was ICANN to allow commercial gTLDs

2011-06-19 Thread John R. Levine
By the way, the ICANN board just voted to approve the new gTLD program. Time to place bets on what the next move will be. My money is on lawsuits by US trademark lawyers. Regards, John Levine, jo...@iecc.com, Primary Perpetrator of The Internet for Dummies, Please consider the environment

Re: ICANN to allow commercial gTLDs

2011-06-18 Thread John R. Levine
run by agencies of the US government, who knows what will happen in the future. I'm not so sure volunteer root operators are in a position to editorialize and for that to have a positive effect. ICANN could go down the path of stating that this causes internet stability (due to operators

Re: not really ICANN approves .XXX red-light district for the Internet

2011-03-27 Thread John R. Levine
Arithmetic, mostly. There are 40,000 co-ops in the United States, 160,000 in Europe, and apparently several million world-wide, yet there are only 6700 domains in .COOP. I would find it hard to say that under 3% takeup was significant support. Do you attach any significance to the restriction

Re: not really ICANN approves .XXX red-light district for the Internet

2011-03-27 Thread John R. Levine
No. They knew about that when they applied. You are mistaken. This was a lively subject of negotiation involving Louis Touton and the parties. I was involved as well. There was real shock when Louis came back from the Registrar Constituency with the message that rather than the initial

Re: ICANN approves .XXX red-light district for the Internet

2011-03-26 Thread John R. Levine
US Code TITLE 18 PART I CHAPTER 71 § 1470 http://www.law.cornell.edu/uscode/18/usc_sec_18_1470000-.html That law includes the phrase knowing that such other individual has not attained the age of 16 years. That's why porn sites have a home page that asks you how old you are. As

Re: Leasing of space via non-connectivity providers

2011-02-05 Thread John R. Levine
If there have been cases with a willing seller and a willing buyer where ARIN has refused to update WHOIS or rDNS, I'd be interested to hear about them. Isn't it moot when you can reallocate the entire block to the other party? Contractual agreements of the sale would enforce the inability to

Re: Random Port Blocking at Hotels (was: Re: quietly....)

2011-02-05 Thread John R. Levine
I have told a hotel they need to install equipment that supports RA guard as I've checked out. This was a hotel that only offered IPv4. Hotels ask for feedback on their services. If you see a fault report it in writing. Sure. Bet you ten bucks that no hotel in North America offers IPv6 this

Re: Domain shut downs by Registrar?

2010-12-03 Thread John R. Levine
We do remember, don't we, that the domain that started this discussion were shut down by Verisign, the registry, not a registrar? interesting that in THIS case the registry just took the action, was the domain registered through their registrar arm? They haven't had a registrar arm since

Re: Domain shut downs by Registrar?

2010-12-03 Thread John R. Levine
I think Verisign DBMS acts as a registrar for ccTLDs. No, they're a registry. Not the same thing. The registry holds the definitive database and manages the DNS zone. Registrars face the public and use some sort of API to pass the changes to the registry. Regards, John Levine,

Re: Domain shut downs by Registrar?

2010-12-03 Thread John R. Levine
yea... so I wonder if the NCFTA folks would pony up warrants for things like the content highlighted by www.abuse.ch ? They do all sorts of stuff, but for obvious reasons they don't gossip about it in public. Regards, John Levine, jo...@iecc.com, Primary Perpetrator of The Internet for

Re: Internet in DPRK / North Korea

2010-10-10 Thread John R. Levine
http://175.45.179.68/ If that's in the DPRK, you may have slashdotted an entire country. Ooh. Maybe they'll be thrilled, or maybe they'll figure that it's an attack. Probably both. Regards, John Levine, jo...@iecc.com, Primary Perpetrator of The Internet for Dummies, Please consider the

Re: ISP port blocking practice

2010-09-03 Thread John R. Levine
It's been extremely effective in blocking spam sent by spambots on large ISPs. It's not a magic anti-spam bullet. (If you know one, please let us know.) That simply hasn't been my experience. I still get lots of spam from booted hosts in large provider networks, and yes, that includes many

Re: ISP port blocking practice

2010-09-03 Thread John R. Levine
Does the data show that blocking was effective, as in the host didn't detect the block and proceed around it, or, merely that lots of hosts try the direct approach first? Yes. R's, John

Re: 600 acres and a mule, was Lightly used IP addresses

2010-08-14 Thread John R. Levine
Convincingly said here on an ISP mailing list. But what about the folks who were denied address assignments by ARIN policies over the last 15 years? Denied them based on the fiction that ISPs didn't own IP addresses, that they were merely holding the addresses in trust for the public they serve.

Re: Lightly used IP addresses

2010-08-13 Thread John R. Levine
I don't entirely understand the process. Here's the flow chart as far as I've figured it out: 1. A sells a /20 of IPv4 space to B for, say, $5,000 2. A tells ARIN to transfer the chunk to B 3. ARIN says no, B hasn't shown that they need it 4. A and B say screw it, and B announces the

Re: Starting up a WiMAX ISP

2010-04-27 Thread John R. Levine
Of course what they offer over those long long rural runs and what they can actually provide are two different things. DSL performance decreases with distance rather dramatically.. That's what I thought, but my friend out on the sheep farm in the next county says he gets 3Mb just like I do

Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-20 Thread John R. Levine
Did you use Yahoo IM, AIM, or Skype? Yes, yes, and yes. Works fine. Did you use any of those for Video Chat and/or to transfer files? Skype video chat, all the time, works fine. Don't remember about file transfer. Did you do any peer to peer filesharing? Yeah, I got the latest

Re: Spamhaus ...

2010-02-18 Thread John R. Levine
We ADDED Spamhaus to our IronPort because it was inexpensive. I recall using MAPS RBL many years earlier with a lot of false positives and angry companies trying to reach our users. Yeah, I used to pay for MAPS but dropped them several years ago because of the false positives and the high

Re: more inane confidentiality notices, was he.net down/slow?

2010-01-09 Thread John R. Levine
The point is that rather than try to enforce agreements individually, automatically slapping the notices on is not so unreasonable all considered. While it may be annoying, it's not baseless. It certainly isn't useless in discovery. Once again, I would be most interested in any statute or case

Re: Is there anyone from ASPEWS on this list?

2009-12-11 Thread John R. Levine
So write to her from a gmail account. APEWS is pretty kooky, and I'm kind of surprised if SORBS is using it. On Fri, 2009-12-11 at 23:39 +, John Levine wrote: ASPEWS is listing 216.83.32.0/20 as being associated with the whole Atrivo incident of 2008. My memory does not recall

Re: Breaking the internet (hotels, guestnet style)

2009-12-07 Thread John R. Levine
It's why I run an ssh server on 443 somewhere -- and as needed, I ssh-tunnel http to a squid proxy, smtp, and as many IMAP/SSL connections as I really need... Same here. It's the most reliable way to break out of a hotel jail. Regards, John Levine, jo...@iecc.com, Primary Perpetrator of The

Re: AW: SPF Configurations

2009-12-04 Thread John R. Levine
Right. The only major mail system that pays attention to SPF is Hotmail, but there are enough small poorly run MTAs that use it that an SPF record which lists your outbounds and ~all (not -all) can be marginally useful to avoid bogus rejections of your mail. For example : [ various large ISPs

Re: DNS hardening, was Re: Dan Kaminsky

2009-08-05 Thread John R. Levine
5 is 'edns ping', but it was effectively blocked because people thought DNSSEC would be easier to do, or demanded that EDNS PING (http://edns-ping.org) would offer everything that DNSSEC offered. I'm surprised you failed to mention http://dnscurve.org/crypto.html, which is

Re: DNS hardening, was Re: Dan Kaminsky

2009-08-05 Thread John R. Levine
3 works, but offers zero protection against 'kaminsky spoofing the root' since you can't fold the case of 123456789.. And the root is the goal. Good point. 5) Download your own copy of the root zone every few days from http://www.internic.net/domain/, check the signature if you can find the

Re: dnscurve and DNS hardening, was Re: Dan Kaminsky

2009-08-05 Thread John R. Levine
http://dnscurve.org/crypto.html, which is always brought up, but never seems to solve the problems mentioned. As I understand it, dnscurve protects transmissions, not objects. That's not the way DNS operates today, what with N levels of cache. It may or may not be better, but it's a much

Re: you're not interesting, was Re: another brick in the wall[ed garden]

2009-05-15 Thread John R. Levine
And what's the next protocol that is going to be stomped on? Anything except http; at which point everything will move to http, and the firewalls are again useless. Um, if you think that http on consumer networks is transparent, I have some really bad news for you. Regards, John

Re: Minnesota to block online gambling sites?

2009-05-04 Thread John R. Levine
So is this going to become like the great firewall of China eventually? Who knows. It's hardly the first government attempt to block illegal content, viz. the secret Pennsylvania list of child porn sites. R's, John

Re: Yahoo and their mail filters..

2009-02-26 Thread John R. Levine
AOL sends its spam button feedback in industry standard ARF format. It took me about 20 minutes to write a perl script that picks out the relevant bits from AOL and Hotmail feedback messages and sends unsub commands to my list manager. Yes, but you're using qmail and ezmlm which send separate

Re: AOL, was Yahoo and their mail filters..

2009-02-26 Thread John R. Levine
AOL's ARF redaction also causes problems identifying problem .forwarders. I don't understand what they are trying to defend against. Oh, I went around with them a few times and finally got a reasonable explanation. They're concerned about disclosing the recipient of a message to someone who

Re: Yahoo and their mail filters..

2009-02-26 Thread John R. Levine
This also pre-dates organized crime becoming heavily involved, and pre-dates the obsession with browser exploits. Back then a lot of spam was sent by semi-legitimate marketers from the US. These days all the bad guys are out to get you to click on a single link. Right. Back in the 90s

Re: Yahoo and their mail filters..

2009-02-26 Thread John R. Levine
You're that confident people know the difference between a real communication from a party they conversed with before and a phish designed to look like the same thing? If it's a bank, probably not. If it's a random online store, there's about a 99.9% chance it's actual junk mail and .01%
