Ok let me answer two at once here:

On Fri, Apr 07, 2006 at 06:57:50PM -0400, Steven M. Bellovin wrote:
> Did you read the posting? His ISP is charging him. He's also put in a fair amount of time trying to get this resolved. As for transit -- NTP works much better with short RTTs, which is precisely why it's good to have a server in Denmark.

Actually, no. In case it wasn't clear, the IP (192.38.7.240) is out of an IX subnet for the DIX. Even if you didn't know this particular block, looking at the reverse DNS for nearby IPs makes it painfully obvious. See:

http://www.peeringdb.com/dns-scan/192-38-7-0-24.txt

The real issue here is that DIX used a /24 from an aggregate block which is announced in BGP (198.38.0.0/17) for their IX space, thus making it reachable from anywhere on the Internet. In case anyone didn't know this before, now you do, this is a Bad Idea (tm).

The prices phk mentions appear to be the cost of a DIX port. According to their website:

A connection at the DIX with 10 or 100 Mbit/s ethernet has a yearly fee of DKK 27.000.
A connection at the DIX with 1000 Mbit/s Ethernet costs a yearly fee of DKK 38.700.

According to the service description, this NTP server was intended to be used only by DIX connected networks. If the /24 had been pulled from a direct /24 allocation or EP.net space, this would never be a problem, because the /24 for the IX shouldn't be propagated globally. In this particular case they could filter packets coming in via AS1835's border links, but since the block is announced globally already this may create further problems from people who don't know they need to carry the /24 and propagate it to their customers.

Personally I'm not sure what to be more appalled by, that DIX would want to charge him for something that is clearly a service which benefits only them and which they should probably be paying HIM for (and which wouldn't cost them a dime if not for their poorly implemented architecture), or that a consultant charged $5000 to track this down. Both concepts are actually more repulsive to me than dlink picking 25 publicly accessible nameservers.

On Sat, Apr 08, 2006 at 01:30:31AM +0100, Per Gregers Bilse wrote:
> I know phk personally (give or take a little, we're from the same country, and have both participated vigorously in the same UNIX user group [yes, there have been such entities]); for those who are unaware of his credentials, let me cut and paste the following from the FreeBSD GBDE manual page:

Yes thank you everyone knows who phk is (or at least I hope they do), that is the only reason anyone is giving this a second glance, the reason it made it to slashdot, etc. However, that doesn't change the facts here. This is a non-issue, and there are many many easy ways to fix it. I'm perfectly ok with calling out dlink for their stupidity, but I think expecting them (or phk) to pay $62k or more for this is ridiculous.

-- 
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)