NANOG Digest        Tuesday, May 29 2001        Volume 01 : Number 737

In this issue:

    RE: VPN Solution (WAS: ORBS (Re: Scanning))
    Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))
    Re: Possible solution? (e-mail parcel vs. FTP)
    Re: EMAIL != FTP
    Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))
    Re: VPN Solution (WAS: ORBS (Re: Scanning))
    Layer4 Re: VPN Solution (WAS: ORBS (Re: Scanning))
    Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))
    RE: Layer4 Re: VPN Solution (WAS: ORBS (Re: Scanning))
    Re: EMAIL != FTP
    Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))
    Re: Mitch tries to defend his open relay again (was Re: ORBS (Re:Scanning))
    Re: ORBS (Re: Scanning)
    Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))
    Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))
    Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))
    RE: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))
    Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))
    Re: VPN Solution (WAS: ORBS (Re: Scanning))
    Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))
    QOS or more bandwidth
    RE: QOS or more bandwidth
    Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))
    Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))

See the end of this message for information about the nanog-digest list, including (un)subscription instructions.

----------------------------------------------------------------------

Date: Mon, 28 May 2001 01:03:01 -0700
From: "Craig Holland" <cholland@yahoo-inc.com>
Subject: RE: VPN Solution (WAS: ORBS (Re: Scanning))

The Altiga/CiscoVPN3000 series allows you to do split tunneling. You give it a list of networks, and it drops this on the client when it connects. The client will check the list, and if the network is there, will send the packets through the tunnel. Works great for users who have a LAN printer but still want remote access.

craig

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of Patrick W. Gilmore
Sent: Sunday, May 27, 2001 10:25 PM
To: nanog@nanog.org
Subject: VPN Solution (WAS: ORBS (Re: Scanning))

At 06:58 PM 5/27/2001 -0700, Owen DeLong wrote:
Roaming staff usually needs some form of VPN access, anyway, and even if they don't, this is a great use for one. Put a VPN client on the roamer's computer (Linux, Mac, and Windows 9x/NT/ME/2k all have IPSEC capable clients available), then use the VPN to get back to the mail relay. If the mail relay is behind the VPN tunnel termination point at the server end, then it should only accept mail for relay from valid VPN clients. As such, you solve the roaming staff problem without an open relay. VPN boxes like Ravlin and Nokia Crypto Cluster are cheap enough today that I would consider it a valid cost of doing business if you don't have a better solution.

Owen

I have an "operational" question. (SURPRISE! :) VPN solutions are getting inexpensive. However, they are sometimes far from optimal. The VPN solutions I have used (e.g. Bay Networks, MS PPTP) send *every* packet from the end user machine to the VPN end-point, not just selected packets (like with SSH tunneling). This can cause extremely poor performance for some roaming users. For instance, someone in Sydney with a home office in New York trying to get to a Sydney web server suddenly has to make two round trips to New York, just to cross town. Considering trans-pacific fiber congestion and other problems, this can make the VPN nearly unusable. Of course, you could tell the user to turn off the VPN, but you try to explain to a typical end user when he should and should not have the VPN turned on, or that he cannot send mail while browsing the web, or things like that. So, does anyone know of a VPN that does selective forwarding like SSH tunneling?

TTFN, patrick

------------------------------

Date: Mon, 28 May 2001 04:36:38 -0400 (EDT)
From: Mitch Halmu <mitch@netside.net>
Subject: Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))

On Sun, 27 May 2001, J.D. Falk wrote:
On 05/27/01, Mitch Halmu <mitch@netside.net> wrote:
Is there a rule that, except for local dial-in, we cannot offer the same services to a client located in a part of the world that we don't have a dial-in POP as we offer to our local clients? Why shouldn't such clients be able to get their dial-in somewhere and the rest of their services from somewhere else? That includes using a remote SMTP server in the same way a local user can, period.
You have to balance that desire against your users' generally unspoken requirement that your service be functioning, usable, and able to deliver mail to its final destination. If this were any other kind of service that commonly requires user authentication (accounting, data storage, etc.) there wouldn't even be a question.
The service is functional, usable, and able to deliver mail to those destinations your organization or the other overseas rival gang have no control over. Some users left because of the blockade. Others stayed, because they understand the reasoning posted at http://www.dotcomeon.com That *should* worry you. It shows that most Joe users hate Big Brother.
And seriously, Mitch, when was the last time that you heard a new argument for why you should close your relay? Since you're obviously unwilling to do so, what's the point of bringing it up again and again?
-- J.D. Falk SILENCE IS FOO! <jdfalk@cybernothing.org>
I didn't bring it up this time, you did, and even changed the topic. Vixie himself posted a request for comments on this also (twice, uh oh), and I haven't seen any replies. Perhaps others are afraid? I resisted the temptation to answer, although you can imagine I had a lot to say to your boss (btw, I did put on a shirt and shoes just to write these lines ;) I did reply once to this message, since it's been addressed to me, and my private post bounces from your network. It seems you still cannot answer the top paragraph intelligently.

So here's the essence of my reasoning: your approach to combat spamming and your methods of enforcement are wrong. You employ the same argument to restrict relays as used against lawful gun owners by those that want to take them away. You are unwilling to go after the actual spammers, and instead punish network owners for someone else's client deeds. Well, that won't fly in America. There is your legal precedent in spirit.

I am in favor of explicit federal legislation regulating this aspect of electronic communications. Then we'll all know exactly what's legal and what's not, and the playing field becomes level again for all. That would likely put you out of a job, I'm afraid...

FOO!

--Mitch
NetSide

------------------------------

Date: Mon, 28 May 2001 11:39:45 +0200 (CEST)
From: Sabri Berisha <sabri@bit.nl>
Subject: Re: Possible solution? (e-mail parcel vs. FTP)

On Fri, 25 May 2001, E.B. Dreger wrote:

Hi,
Methinks that it's proxy time. Why not hack the popular MTAs so that they take attachments, spool them in a Web-accessible directory, then modify the message.
I've given some thinking to this subject, however I thought of the following objections:

- users no longer have it under control (ie don't have the choice to mail/put on web) anymore;
- confidential information *could* be stored unwantingly long online

on the other side, it might be a good solution to give the clueful users a choice: ie with an extra header:

X-No-Attachment-Stealing: yes

or something like that.

--
/* Sabri Berisha   CCNA,BOFH,+iO       O.O   speaking for just myself
 * Join HAL!!: www.HAL2001.org   ____oOo_U_oOo____   http://www.bit.nl/~sabri
 * For the exceedingly thick-headed, experience is the only way to learn.
 *                                              Sam Thomas - NANOG */

------------------------------

Date: Mon, 28 May 2001 11:42:03 +0200 (CEST)
From: Sabri Berisha <sabri@bit.nl>
Subject: Re: EMAIL != FTP

On Sat, 26 May 2001, Mitch Halmu wrote:
Being blackholed by New Zealanders should be an insignificant threat to US-based networks. If it starts being a noticeable problem, you have a serious national security breach.
If someone at an internet exchange outside your control starts announcing your netblocks, you have the same issue.. I see your point but I don't think it's an argument; there are thousands of possibilities to harm a nationwide network.

--
/* Sabri Berisha   CCNA,BOFH,+iO       O.O   speaking for just myself
 * Join HAL!!: www.HAL2001.org   ____oOo_U_oOo____   http://www.bit.nl/~sabri
 * For the exceedingly thick-headed, experience is the only way to learn.
 *                                              Sam Thomas - NANOG */

------------------------------

Date: Mon, 28 May 2001 11:38:53 +0100 (BST)
From: "Stephen J. Wilcox" <steve@opaltelecom.co.uk>
Subject: Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))
Is there a rule that, except for local dial-in, we cannot offer the same services to a client located in a part of the world that we don't have
Auth-SMTP?
control over. Some users left because of the blockade. Others stayed, because they understand the reasoning posted at http://www.dotcomeon.com
heh, personal vendetta or what! (for the record i would have left)
That *should* worry you. It shows that most Joe users hate Big Brother.
or aren't really following the technical reasoning and arguments..
I didn't bring it up this time, you did, and even changed the topic. Vixie himself posted a request for comments on this also (twice, uh oh),
did he turn you down for a job or something? said something bad about your mother?
I did reply once to this message, since it's been addressed to me, and my private post bounces from your network. It seems you still cannot
you could get a hotmail account until you become a fully functional provider?
So here's the essence of my reasoning: your approach to combat spamming and your methods of enforcement are wrong. You employ the same argument to restrict relays as used against lawful gun owners by those that want to take them away. You are unwilling to go after the actual spammers, and instead punish network owners for someone else's client deeds. Well, that won't fly in America. There is your legal precedent in spirit.
guns aside, how can you go after spammers? the internet is global and anonymous. you're getting strangely patriotic over the discussion on open relays, surprised there's no mp3 of star spangled banner attached..
I am in favor of explicit federal legislation regulating this aspect of electronic communications. Then we'll all know exactly what's legal and what's not, and the playing field becomes level again for all. That would likely put you out of a job, I'm afraid...
good plan, one small flaw; not sure on the exact figures but there's many o.r servers outside the US, especially asia.. and much of the spam i receive is not of US origin, and not being in the US i wouldn't have to honour any such legislation. so tell me, how will US federal law improve on ORBS/MAPS other than you'd be able to start sending email directly to Vixie again!

(you could always setup another - closed - mail server if you insist on o.r. for roaming users to get around MAPS/ORBS)

Interesting as this thread may be (sarc), is there actually any topical discussion going on here or are a few individuals publicly airing their problems at the expense of my Inbox? .. suggest someone either contributes or we give up this thread!!!

Steve

------------------------------

Date: Mon, 28 May 2001 13:45:06 +0100
From: "David Howe" <DaveHowe@gmx.co.uk>
Subject: Re: VPN Solution (WAS: ORBS (Re: Scanning))

The VPN solutions I have used (e.g. Bay Networks, MS PPTP) send *every* packet from the end user machine to the VPN end-point, not just selected packets (like with SSH tunneling).

If you want a commercial solution that does selective tunnelling - the FW-1 addin (VPN-1) exports a "topography" file to the client at setup; this really consists of a list of subnets that the VPN will handle, and is set at the server side. anything not on the topography list goes out via the dialup adaptor or network card as normal.

------------------------------

Date: Mon, 28 May 2001 07:37:00 -0700
From: Jon Mansey <jon@interpacket.net>
Subject: Layer4 Re: VPN Solution (WAS: ORBS (Re: Scanning))

Does anyone know of a way to put layer 4 switching in front of a VPN client such that (for example) email and nntp don't get tunnelled while everything else does, or vice-versa?

We're probably talking Windows software here I know......

Jon.
The VPN solutions I have used (e.g. Bay Networks, MS PPTP) send *every* packet from the end user machine to the VPN end-point, not just selected packets (like with SSH tunneling). If you want a commercial solution that does selective tunnelling - the FW-1 addin (VPN-1) exports a "topography" file to the client at setup; this really consists of a list of subnets that the VPN will handle, and is set at the server side. anything not on the topography list goes out via the dialup adaptor or network card as normal.
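As an added example (not code from the list, from Cisco/Altiga, or from Check Point), here is a small model of the split-tunnel decision Craig and David describe: a server-pushed list of subnets decides which destinations enter the tunnel, with a hypothetical layer-4 overlay for the port-based selection Jon asks about. All prefixes, ports and addresses are constructed; the longest-prefix ordering and the (protocol, port) override table are my assumptions about how such a policy could be expressed, not a description of any product.

```python
"""Split-tunnel routing decision (added example, not vendor code).

The server pushes a list of (prefix, action) entries to the client, which
sends a packet through the tunnel only when the destination matches a
"tunnel" entry. Longest prefix wins, like a routing table, so a more
specific "direct" entry can carve a hole in a tunnelled block. A
hypothetical (protocol, port) overlay is evaluated first, giving the
"mail/news in or out of the tunnel regardless of destination" behaviour.
"""
import ipaddress

# Constructed policy table in the spirit of the pushed "topography" list.
POLICY = [
    ("10.0.0.0/8", "tunnel"),        # corporate space reached via the tunnel
    ("10.250.0.0/16", "direct"),     # carve-out inside it (constructed)
    ("192.168.100.0/24", "tunnel"),  # subnet holding the mail relay (constructed)
]

# Hypothetical layer-4 overlay: (protocol, destination port) -> action.
L4_OVERRIDES = {
    ("tcp", 25): "tunnel",   # mail always rides the tunnel to the relay side
    ("tcp", 119): "direct",  # news goes straight out the local interface
}


def compile_policy(entries):
    """Parse the prefixes and order them most-specific first."""
    table = [(ipaddress.ip_network(prefix), action) for prefix, action in entries]
    return sorted(table, key=lambda entry: entry[0].prefixlen, reverse=True)


def decide(dst_ip, dst_port=None, proto="tcp", *, table, overrides=None,
           default="direct"):
    """Return "tunnel" or "direct" for one flow.

    default="direct" is split tunnelling (only listed networks enter the
    tunnel); default="tunnel" is the forward-all behaviour Patrick complains
    about, where a Sydney-to-Sydney web request still rides to New York.
    """
    if overrides and (proto, dst_port) in overrides:
        return overrides[(proto, dst_port)]
    dst = ipaddress.ip_address(dst_ip)
    for net, action in table:          # first hit is the longest prefix
        if dst in net:
            return action
    return default


def classify(flows, *, table, overrides=None, default="direct"):
    """Apply decide() to (dst_ip, dst_port, proto) tuples; returns a list."""
    return [decide(ip, port, proto, table=table, overrides=overrides,
                   default=default) for ip, port, proto in flows]


if __name__ == "__main__":
    table = compile_policy(POLICY)
    sample = [  # constructed flows from a roaming client
        ("10.1.2.3", 80, "tcp"),        # intranet web server -> tunnel
        ("10.250.4.5", 80, "tcp"),      # carved-out lab subnet -> direct
        ("203.0.113.10", 80, "tcp"),    # web server across town -> direct
        ("203.0.113.10", 25, "tcp"),    # mail anywhere -> tunnel (L4 rule)
        ("192.168.100.9", 119, "tcp"),  # NNTP on a tunnelled subnet -> direct
    ]
    verdicts = classify(sample, table=table, overrides=L4_OVERRIDES)
    for flow, verdict in zip(sample, verdicts):
        print(flow, "->", verdict)
```

With `default="direct"` this is split tunnelling: the cross-town web request leaves on the local interface while mail to the relay's subnet, or to port 25 anywhere, rides the tunnel; `default="tunnel"` reproduces forward-all. The trade-off a defender should weigh is that a split-tunnelled client is attached to the untrusted network and the corporate network at the same time, so "direct" traffic bypasses whatever inspection sits at the concentrator; the carve-out and override tables deserve the same change control as a firewall rulebase.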
------------------------------

Date: Mon, 28 May 2001 12:29:04 -0400
From: Adam Rothschild <asr@latency.net>
Subject: Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))

On Mon, May 28, 2001 at 04:36:38AM -0400, Mitch Halmu wrote:
The service is functional, usable, and able to deliver mail to those destinations your organization or the other overseas rival gang have no control over. Some users left because of the blockade. Others stayed, because they understand the reasoning posted at http://www.dotcomeon.com
That *should* worry you.
No, what worries me is that you realize you're running an open SMTP relay for no real reason other than stubbornness, and outright refuse to fix it, even though it's widely regarded as an irresponsible operational practice. Please quit whining and close it up already. Thanks!

-a

------------------------------

Date: Mon, 28 May 2001 09:54:29 -0700
From: Roeland Meyer <rmeyer@mhsc.com>
Subject: RE: Layer4 Re: VPN Solution (WAS: ORBS (Re: Scanning))
From: Jon Mansey [mailto:jon@interpacket.net] Sent: Monday, May 28, 2001 7:37 AM
Does anyone know of a way to put layer 4 switching in front of a VPN client such that (for example) email and nntp dont get tunnelled while everything else does, or vice-versa?
Depending on requirements, isn't the whole idea to put the email into the tunnel? That's why this thread came up in the first place. BTW, SSH tunneling can drop every packet through the tunnel with a forward-all config. it isn't even very hard and can be done with a Win client, using F-Secure. In fact, sometimes that works, when PPTP doesn't, in Windows-hostile environments (*nix bigots sometimes do everything they can to screw up Win machines). However, none of it works when port 22 is blocked by the firewall.
We're probably talking Windows software here I know......
The VPN solutions I have used (e.g. Bay Networks, MS PPTP) send *every* packet from the end user machine to the VPN end-point, not just selected packets (like with SSH tunneling). If you want a commercial solution that does selective tunnelling - the FW-1 addin (VPN-1) exports a "topography" file to the client at setup; this really consists of a list of subnets that the VPN will handle, and is set at the server side. anything not on the topography list goes out via the dialup adaptor or network card as normal.
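As an added example (not code from any MTA or from the list), here is the relay policy Owen's suggestion implies, accept relay only from clients arriving over the VPN, side by side with the two alternatives named elsewhere in this digest, SMTP AUTH and POP-before-SMTP, and with the open-relay setting the thread objects to. Domains, address ranges and the 900-second POP window are constructed values; the class and method names are my own.

```python
"""Relay-decision logic for an MTA's RCPT TO stage (added example).

Assumed policy, in the thread's terms: mail for the relay's own domains is
always accepted; relaying to other domains is allowed only when the client
arrives from a trusted network (office LAN or the VPN address pool), has
passed SMTP AUTH, or was seen logging in via POP within a short window
(POP-before-SMTP). open_relay=True models the behaviour the thread objects
to. All domains, prefixes and the window length are constructed values.
"""
import ipaddress
import time

LOCAL_DOMAINS = {"example.net", "mail.example.net"}   # constructed
TRUSTED_NETS = [
    ipaddress.ip_network("192.168.100.0/24"),   # office LAN (constructed)
    ipaddress.ip_network("10.8.0.0/24"),        # VPN client pool (constructed)
]
POP_WINDOW_SECONDS = 900                         # constructed grace period


class RelayPolicy:
    def __init__(self, local_domains, trusted_nets,
                 pop_window=POP_WINDOW_SECONDS, open_relay=False):
        self.local_domains = {d.lower() for d in local_domains}
        self.trusted_nets = list(trusted_nets)
        self.pop_window = pop_window
        self.open_relay = open_relay
        self._pop_seen = {}   # client IP -> time of last successful POP login

    def note_pop_login(self, client_ip, now=None):
        """Record a POP login; the POP server would call this on success."""
        key = str(ipaddress.ip_address(client_ip))
        self._pop_seen[key] = time.time() if now is None else now

    def _pop_recent(self, client_ip, now):
        seen = self._pop_seen.get(str(ipaddress.ip_address(client_ip)))
        return seen is not None and 0 <= now - seen <= self.pop_window

    def check_rcpt(self, client_ip, rcpt, authenticated=False, now=None):
        """Return (accept, reason) for one RCPT TO from this client."""
        now = time.time() if now is None else now
        domain = rcpt.strip("<>").rpartition("@")[2].lower()
        if domain in self.local_domains:
            return True, "local delivery"
        if self.open_relay:
            return True, "relay: open relay (anyone may relay)"
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in self.trusted_nets):
            return True, "relay: trusted network or VPN pool"
        if authenticated:
            return True, "relay: SMTP AUTH"
        if self._pop_recent(client_ip, now):
            return True, "relay: POP-before-SMTP window"
        return False, "relay denied"


if __name__ == "__main__":
    policy = RelayPolicy(LOCAL_DOMAINS, TRUSTED_NETS)
    roamer = "203.0.113.5"   # hotel/dial-up address (constructed, TEST-NET-3)
    print(policy.check_rcpt(roamer, "<bob@example.org>"))                  # denied
    print(policy.check_rcpt(roamer, "<bob@example.org>", authenticated=True))
    print(policy.check_rcpt("10.8.0.7", "<bob@example.org>"))              # via VPN
    policy.note_pop_login(roamer, now=1000.0)
    print(policy.check_rcpt(roamer, "<bob@example.org>", now=1500.0))      # inside window
    print(policy.check_rcpt(roamer, "<bob@example.org>", now=2000.0))      # window expired
```

A POP-before-SMTP grant is keyed on the client address only, so for the length of the window anything sharing that address (a NAT gateway, a recycled dial-up address) can relay too; that is the kind of exposure that makes the thread prefer SMTP AUTH or a VPN pool, and why the window should stay short. Logging the reason string for every accepted RCPT gives the per-session evidence a defender wants when a relay-abuse complaint arrives.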
------------------------------

Date: Mon, 28 May 2001 13:45:51 -0400
From: Steve Sobol <sjsobol@NorthShoreTechnologies.net>
Subject: Re: EMAIL != FTP

Mitch Halmu wrote:
Or ORBS could take sides in an international conflict and do it themselves. I'm not the only one that said they blackhole for political reasons, or that they are extremists. No sooner were those words uttered, someone from Calcutta, India [202.86.168.81 - caltiger.com] decided to remind us that, besides the atomic bomb, they now have connected computers too.
How is caltiger.com related to ORBS?

--
Tired of Earthlink? Get JustTheNet!
Nationwide Dialup, ISDN, DSL, ATM, Frame Relay, T-1, T-3, and more.
EARTHLINK AMNESTY PROGRAM: Buy a year, get two months free
More info coming soon to http://JustThe.net, or e-mail me!
B!ff: K3wl, w3'v3 r00t3D da N@vy... 0h CrAp, INC0M!Ng $%^NO CARRIER

------------------------------

Date: Mon, 28 May 2001 13:47:47 -0400
From: Steve Sobol <sjsobol@NorthShoreTechnologies.net>
Subject: Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))

Mitch Halmu wrote:
The service is functional, usable, and able to deliver mail to those destinations your organization or the other overseas rival gang have no control over. Some users left because of the blockade. Others stayed, because they understand the reasoning posted at http://www.dotcomeon.com
That *should* worry you. It shows that most Joe users hate Big Brother.
If use of the blackhole lists was mandatory, I would say that that last statement has some validity. Since it's completely optional, the statement has no validity.

--
Tired of Earthlink? Get JustTheNet!
Nationwide Dialup, ISDN, DSL, ATM, Frame Relay, T-1, T-3, and more.
EARTHLINK AMNESTY PROGRAM: Buy a year, get two months free
More info coming soon to http://JustThe.net, or e-mail me!
B!ff: K3wl, w3'v3 r00t3D da N@vy... 0h CrAp, INC0M!Ng $%^NO CARRIER

------------------------------

Date: Mon, 28 May 2001 13:49:22 -0400
From: Steve Sobol <sjsobol@NorthShoreTechnologies.net>
Subject: Re: Mitch tries to defend his open relay again (was Re: ORBS (Re:Scanning))

"Stephen J. Wilcox" wrote:
Is there a rule that, except for local dial-in, we cannot offer the same services to a client located in a part of the world that we don't have
Auth-SMTP?
As I said to Roeland Meyer, it's a good solution and all but eliminates the roaming user problem.

--
Tired of Earthlink? Get JustTheNet!
Nationwide Dialup, ISDN, DSL, ATM, Frame Relay, T-1, T-3, and more.
EARTHLINK AMNESTY PROGRAM: Buy a year, get two months free
More info coming soon to http://JustThe.net, or e-mail me!
B!ff: K3wl, w3'v3 r00t3D da N@vy... 0h CrAp, INC0M!Ng $%^NO CARRIER

------------------------------

Date: Mon, 28 May 2001 13:52:57 -0400
From: Steve Sobol <sjsobol@NorthShoreTechnologies.net>
Subject: Re: ORBS (Re: Scanning)

Mitch Halmu wrote:
Is there a rule that, except for local dial-in, we cannot offer the same services to a client located in a part of the world that we don't have a dial-in POP as we offer to our local clients? Why shouldn't such clients be able to get their dial-in somewhere and the rest of their services from somewhere else? That includes using a remote SMTP server in the same way a local user can, period.
You *can* do all that. I prefer SMTP AUTH to POP-before-SMTP because PbS leaves a small vulnerability on your mail server - very small, but it exists nonetheless. But many providers use PbS too. If this whole issue cropped up because you wanted to provide roaming access to your mail servers, those are two very widely-implemented solutions.

If you want, I can even offer some help getting it set up as I have had a longstanding policy of offering relay-closing help at no charge to ISPs who need it. The only requirement is that you be running an MTA that I'm familiar with.

--
Tired of Earthlink? Get JustTheNet!
Nationwide Dialup, ISDN, DSL, ATM, Frame Relay, T-1, T-3, and more.
EARTHLINK AMNESTY PROGRAM: Buy a year, get two months free
More info coming soon to http://JustThe.net, or e-mail me!
B!ff: K3wl, w3'v3 r00t3D da N@vy... 0h CrAp, INC0M!Ng $%^NO CARRIER

------------------------------

Date: Mon, 28 May 2001 11:21:46 -0700
From: "J.D. Falk" <jdfalk@cybernothing.org>
Subject: Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))

On 05/28/01, Mitch Halmu <mitch@netside.net> wrote:
So here's the essence of my reasoning: your approach to combat spamming and your methods of enforcement are wrong. You employ the same argument to restrict relays as used against lawful gun owners by those that want to take them away. You are unwilling to go after the actual spammers, and instead punish network owners for someone else's client deeds. Well, that won't fly in America. There is your legal precedent in spirit.
The core problem with your reasoning is that you consider any site's refusal of your mail to be "enforcement," presumably some type of punishment, while most of the folks who deny your mail see it as security. They are protecting themselves from the people that YOU have allowed to abuse your mail server. They don't know or care who you are, who your users are, or what your reasons for allowing that abuse might be. I don't expect you to admit to being wrong this late in the thread, but please, think about that difference for a while, even if you disagree with it.
I am in favor of explicit federal legislation regulating this aspect of electronic communications. Then we'll all know exactly what's legal and what's not, and the playing field becomes level again for all. That would likely put you out of a job, I'm afraid...
It is the fervent wish of every sane anti-spammer (and yes, I know, there's a lot who aren't sane) that we could stop doing this work entirely.

Oh, and you appear to be mistaken about which organizations I am currently involved with. I will endeavor to ensure that all relevant web sites are updated.

--
J.D. Falk                                      SILENCE IS FOO!
<jdfalk@cybernothing.org>

------------------------------

Date: Mon, 28 May 2001 15:21:21 -0400 (EDT)
From: <up@3.am>
Subject: Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))

On Mon, 28 May 2001, J.D. Falk wrote:
On 05/28/01, Mitch Halmu <mitch@netside.net> wrote:
So here's the essence of my reasoning: your approach to combat spamming and your methods of enforcement are wrong. You employ the same argument to restrict relays as used against lawful gun owners by those that want to take them away. You are unwilling to go after the actual spammers, and
This is nonsense...most of us "go after the actual spammers" as best as we can and the law permits us. If you supply plastic explosives to terrorists with no checks, you may not be directly responsible for their actions, but you are certainly part of the problem. If you have an open relay, you are a big part of the spam problem, whether you like it or not.
instead punish network owners for someone else's client deeds. Well, that won't fly in America. There is your legal precedent in spirit.
What does "america" have to do with it? Open relays are all over the place, and a big PITA. Refusing your mail is *my* right, as owner of my network; and also my responsibility. Of course it is your "right" to have an open relay if you like, just don't expect everyone else to accept email from it.
The core problem with your reasoning is that you consider any site's refusal of your mail to be "enforcement," presumably some type of punishment, while most of the folks who deny your mail see it as security. They are protecting themselves from the people that YOU have allowed to abuse your mail server. They don't know or care who you are, who your users are, or what your reasons for allowing that abuse might be.
I would argue that it's both "enforcement" and security. I know MAPS has to argue otherwise in court, but let's face it, incentive is a lot of what it's about.

James Smallacombe                     PlantageNet, Inc. CEO and Janitor
up@3.am                                                       http://3.am
=========================================================================

------------------------------

Date: Mon, 28 May 2001 16:43:08 -0400 (EDT)
From: John Fraizer <nanog@Overkill.EnterZone.Net>
Subject: Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))

OK folks. Please. Leave poor Mitch alone and maybe he'll realize that this ISN'T the forum for him and go away.

If you want a huge laugh, (and want to give ole Mitch the /. or NANOG effect) go check out http://www.netside.net/sys.html

"Network and Communications
NetSide is connected directly to the Internet backbone via a high speed point-to-point full T1 link (1.544 Mbps) into the MCI backbone (at Pompano Beach). A Cisco 4000 router is used to direct the in-house Ethernet TCP/IP network traffic to and from the Internet. To help reduce the network load and improve performance, two Ethernet 10-BaseT interfaces, connected to separate AT&T StarLAN 10 hubs (with blinking lights :-) forming in effect subnets, are used on the servers. Each subnet connects to a different Ethernet port on the Cisco router."

That's some FAT pipe you have there Mitch. What EVER do you do with your spare bandwidth? heheheh And your network just blows me away. I love the "To help reduce the network load" part. Where's the load? You've got serious issues if you can't pass a DS1 worth of traffic without your net melting.

"Emergency Provisions
Besides redundant servers, NetSide is also prepared to operate in emergency conditions, such as city-wide power failures as experienced during Hurricane Andrew. Housed in a solid concrete block structure, we don't expect heavy storm damage to occur. Our fiber rack (for telephone and data lines) has 3 rows of battery backup rated for 8 hours of continuous operation. NetSide owns 2 emergency generators: an extended-run heavy-duty Coleman Powermate Vantage (14HP 2cyl electric start gas engine - 7000W), and a portable medium-duty Dayton (5HP gas engine - 2200W)."

Wow! So, you've got enough generator to power the lights, soda machine and coffee maker. You gonna invite all the customers to your site and sit around and watch the servers not run drinking soda and coffee? Sounds like fun.

Mitch. You're an END USER. Sure, you sell dialup access. You couldn't do much more with that big FAT DS1 you've got. You're an END USER.

 9  border3-fddi-0.PompanoBeach.cw.net (204.70.92.19) [3561]  62.524 ms  60.403 ms  63.456 ms
10  netside-corporation.PompanoBeach.cw.net (204.70.95.18) [3561]  166.477 ms  198.570 ms  117.225 ms
11  205.159.140.2 (205.159.140.2) [3561]  195.153 ms  *  194.081 ms

You see, if you were a real network operator:

(1) That would be more than a DS1.
(2) The last hop wouldn't show up with the ASN of your upstream.
(3) The last hop would RESOLVE in in-addr.

NetSide Corporation (NET-NETSIDE)
   P.O.Box 403895
   Miami Beach, FL 33140
   US

   Netname: NETSIDE
   Netblock: 205.159.140.0 - 205.159.140.255
   Maintainer: NETS

   Coordinator:
      Halmu, Mircea L.  (MLH3-ARIN)  admin@NETSIDE.NET
      305-531-1995

   Record last updated on 29-Oct-1998.
   Database last updated on 26-May-2001 22:57:19 EDT.

It might be a good idea to register some in-addr resolution servers for that block there Mitch.

...Then again, why would we expect you to run any other portion of your operation any more professionally than you run your mailserver?

I tell you what. You rate right up there in my book.

Open Relay:            1,000,000,000 points
Big FAT T1:               10,000,000 points
Broken in-addr.arpa:       5,999,550 points
HUBS not SWITCHES:    99,999,999,999 TILT! TILT! TILT!

---
John Fraizer
EnterZone, Inc

------------------------------

Date: Mon, 28 May 2001 16:54:51 -0400
From: "Vivien M." <vivienm@dyndns.org>
Subject: RE: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of John Fraizer Sent: May 28, 2001 4:43 PM To: Mitch Halmu Cc: nanog@nanog.org Subject: Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))
[note: the thing below was quoted by John from Mitch's site]
point-to-point full T1 link (1.544 Mbps) into the MCI backbone (at Pompano
That's the problem with Mitch, then. He must have gotten stuck in some type of time warp (or cool cryogenics), if he hasn't noticed that the "MCI" backbone was sold to Cable & Wireless nearly three years ago now (IIRC).

Give the man a break... if he just woke up from an extended deep sleep or something, then it's no surprise that he still wants to run his mail server the way people ran mail servers five years ago.

Vivien

--
Vivien M.
vivienm@dyndns.org
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/

------------------------------

Date: Mon, 28 May 2001 22:07:06 +0100 (BST)
From: "Stephen J. Wilcox" <steve@opaltelecom.co.uk>
Subject: Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))

I don't generally participate in flame, especially where it's cruel, pointless and at someone else's expense, but thanks John for the laugh!

You forgot to mention the main server, a Sun Sparcstation 10 with dual 75Mhz CPU.. (they have FIVE in total).. complete with 19" Trinitron monitors.. and running the all powerful Solaris 2.4 and 2.5.1 augmented with GNU, perl and python. It's even kitted up with a 64-port serial card for the sparc and microcom modems which is able to support a huge 33.6k dialup pool....

Altho I'm confused at how 'Netside offers a full uncensored usenet feed' with only '18Gb of dedicated news storage' and not to mention the T1 capacity problem?

... Good job they have TWO starlan hubs!!

... i need to lie down, my sides hurt ...

On Mon, 28 May 2001, John Fraizer wrote:
OK folks. Please. Leave poor Mitch alone and maybe he'll realize that this ISN'T the forum for him and go away.
If you want a huge laugh, (and want to give ole Mitch the /. or NANOG effect) go check out http://www.netside.net/sys.html
"Network and Communications NetSide is connected directly to the Internet backbone via a high speed point-to-point full T1 link (1.544 Mbps) into the MCI backbone (at Pompano Beach). A Cisco 4000 router is used to direct the in-house Ethernet TCP/IP network traffic to and from the Internet. To help reduce the network load and improve performance, two Ethernet 10-BaseT interfaces, connected to separate AT&T StarLAN 10 hubs (with blinking lights :-) forming in effect subnets, are used on the servers. Each subnet connects to a different Ethernet port on the Cisco router."
That's some FAT pipe you have there Mitch. What EVER do you do with your spare bandwidth? heheheh And your network just blows me away. I love the "To help reduce the network load" part. Where's the load? You've got serious issues if you can't pass a DS1 worth of traffic without your net melting.
"Emergency Provisions Besides redundant servers, NetSide is also prepared to operate in emergency conditions, such as city-wide power failures as experienced during Hurricane Andrew. Housed in a solid concrete block structure, we don't expect heavy storm damage to occur. Our fiber rack (for telephone and data lines) has 3 rows of battery backup rated for 8 hours of continuous operation. NetSide owns 2 emergency generators: an extended-run heavy-duty Coleman Powermate Vantage (14HP 2cyl electric start gas engine - 7000W), and a portable medium-duty Dayton (5HP gas engine - 2200W)."
Wow! So, you've got enough generator to power the lights, soda machine and coffee maker. You gonna invite all the customers to your site and sit around and watch the servers not run drinking soda and coffee? Sounds like fun.
Mitch. You're an END USER. Sure, you sell dialup access. You couldn't do much more with that big FAT DS1 you've got. You're an END USER.
 9  border3-fddi-0.PompanoBeach.cw.net (204.70.92.19) [3561]  62.524 ms  60.403 ms  63.456 ms
10  netside-corporation.PompanoBeach.cw.net (204.70.95.18) [3561]  166.477 ms  198.570 ms  117.225 ms
11  205.159.140.2 (205.159.140.2) [3561]  195.153 ms  *  194.081 ms
You see, if you were a real network operator:
(1) That would be more than a DS1.
(2) The last hop wouldn't show up with the ASN of your upstream.
(3) The last hop would RESOLVE in in-addr.
NetSide Corporation (NET-NETSIDE)
   P.O.Box 403895
   Miami Beach, FL 33140
   US

   Netname: NETSIDE
   Netblock: 205.159.140.0 - 205.159.140.255
   Maintainer: NETS

   Coordinator:
      Halmu, Mircea L.  (MLH3-ARIN)  admin@NETSIDE.NET
      305-531-1995

   Record last updated on 29-Oct-1998.
   Database last updated on 26-May-2001 22:57:19 EDT.
It might be a good idea to register some in-addr resolution servers for that block there Mitch.
...Then again, why would we expect you to run any other portion of your operation any more professionally than you run your mailserver?
I tell you what. You rate right up there in my book.
Open Relay:           1,000,000,000 points
Big FAT T1:              10,000,000 points
Broken in-addr.arpa:      5,999,550 points
HUBS not SWITCHES:   99,999,999,999

TILT! TILT! TILT!
--- John Fraizer EnterZone, Inc
- --
Stephen J. Wilcox
IP Services Manager, Opal Telecom
http://www.opaltelecom.co.uk/
Tel: 0161 222 2000
Fax: 0161 222 2008

------------------------------

Date: Mon, 28 May 2001 15:43:18 -0600
From: Andy Bradford <bradipo@xmission.com>
Subject: Re: VPN Solution (WAS: ORBS (Re: Scanning))

Thus said "Patrick W. Gilmore" on Mon, 28 May 2001 01:24:58 EDT:
The VPN solutions I have used (e.g. Bay Networks, MS PPTP) send *every* packet from the end user machine to the VPN end-point, not just selected packets (like with SSH tunneling).
This should be configurable, if it isn't then maybe it's time for a switch in protocols/software. :-)
So, does anyone know of a VPN that does selective forwarding like SSH tunneling?
FreeS/Wan does this by default. Only traffic defined by the tunnel security association is encrypted, the rest goes through untouched. Very optimal. :-)

I don't believe this is specific to FreeS/Wan either, as most IPSEC implementations I have seen do something similar (including hardware solutions).

Andy
[-----------[system uptime]--------------------------------------------]
 3:43pm up 19 days, 18:20, 6 users, load average: 1.00, 1.01, 1.00

------------------------------

Date: Mon, 28 May 2001 23:50:48 -0400
From: Valdis.Kletnieks@vt.edu
Subject: Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))

On Mon, 28 May 2001 22:07:06 BST, "Stephen J. Wilcox" said:
Altho I'm confused at how 'Netside offers a full uncensored usenet feed' with only '18Gb of dedicated news storage' and not to mention the T1 capacity problem? ... Good job they have TWO starlan hubs!!
It's obvious.. it's a 1995 feed. We're talking a COMPLETE time warp here.

------------------------------

Date: 28 May 2001 23:17:46 -0700
From: Sean Donelan <sean@donelan.com>
Subject: QOS or more bandwidth

While it's generally more effective to add more bandwidth than rationing it with QOS, with the recent downturn in capital markets will QOS become more popular? If your budget for bandwidth has been cut, I'm not sure people will have any budget for QOS either. But what QOS features are included in the standard product offerings?

------------------------------

Date: Tue, 29 May 2001 03:19:27 -0400 (EDT)
From: Frank Coluccio <fcoluccio@dticonsulting.com>
Subject: RE: QOS or more bandwidth
But what QOS features are included in the standard product offerings?<<<
Most competitive vendors now provide native and upgrade provisions for QoS in one form or another. The problems most often encountered revolve around multi-vendor cos/qos feature implementation incompatibilities. The "least common denominator features" that are needed for basic interworking usually do not extend to 'differentiating' features that vendors like to hold close to the vest, such as prioritization and cos/qos features. Not without much grief, in any event. It forces one to seriously consider single vendor solutions. fwiw.

- ------Original Message------
From: Sean Donelan <sean@donelan.com>
To: nanog@merit.edu
Sent: May 29, 2001 6:17:46 AM GMT
Subject: QOS or more bandwidth

While it's generally more effective to add more bandwidth than rationing it with QOS, with the recent downturn in capital markets will QOS become more popular? If your budget for bandwidth has been cut, I'm not sure people will have any budget for QOS either. But what QOS features are included in the standard product offerings?

------------------------------

Date: Tue, 29 May 2001 03:58:25 -0400 (EDT)
From: Mitch Halmu <mitch@netside.net>
Subject: Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))

On Mon, 28 May 2001 Valdis.Kletnieks@vt.edu wrote:
On Mon, 28 May 2001 22:07:06 BST, "Stephen J. Wilcox" said:
Altho I'm confused at how 'Netside offers a full uncensored usenet feed' with only '18Gb of dedicated news storage' and not to mention the T1 capacity problem? ... Good job they have TWO starlan hubs!!
It's obvious.. it's a 1995 feed. We're talking a COMPLETE time warp here.
It's a 1995 page which hasn't been updated in ages. I didn't even remember it was still live. But at least it proves NetSide was around in those times.

Let's see, I have a copy of a uu.net active file, dated Jan 6, 1996. At that time, they were the norm. It contains 13090 lines. You do the math.

File URL http://www.dotcomeon.com/active.uunet

I responded to Wilcox and Fraizer in private. Their bashful posts serve to illustrate exactly why such people cannot dictate policy to others.

There is one lesson to learn from this. We have reached a stage where the rights of an individual or entity to existence in cyberspace need to be protected under the law. You may take the lead in applying democratic principles that follow the real world laws, or the legislature will do it ad hoc.

- --Mitch
NetSide

------------------------------

Date: Tue, 29 May 2001 06:28:42 -0400 (EDT)
From: John Fraizer <nanog@Overkill.EnterZone.Net>
Subject: Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))

On Tue, 29 May 2001, Mitch Halmu wrote:
I responded to Wilcox and Fraizer in private. Their bashful posts serve to illustrate exactly why such people cannot dictate policy to others.
Mitch,

If you desire to reply to me in private, might I suggest that you do it from a mailserver that isn't listed in MAPS...

May 28 18:19:11 Overkill sendmail[8797]: f4SMJBu08797: ruleset=check_rcpt, arg1=<nanog@Overkill.EnterZone.Net>, relay=[205.159.140.2], reject=553 5.3.0 <nanog@Overkill.EnterZone.Net>... Open spam relay - see http://www.mail-abuse.org/rss/
May 28 18:19:12 Overkill sendmail[8797]: f4SMJBu08797: from=<mitch@netside.net>, size=6370, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[205.159.140.2]
May 29 05:33:39 Overkill sendmail[26337]: f4T9Xcu26337: ruleset=check_rcpt, arg1=<nanog@Overkill.EnterZone.Net>, relay=[205.159.140.2], reject=553 5.3.0 <nanog@Overkill.EnterZone.Net>... Open spam relay - see http://www.mail-abuse.org/rss/
May 29 05:33:39 Overkill sendmail[26337]: f4T9Xcu26337: from=<mitch@netside.net>, size=1439, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[205.159.140.2]

- ---
John Fraizer
EnterZone, Inc

------------------------------

End of NANOG Digest V1 #737
***************************

To unsubscribe from the nanog-digest mailing list, send mail to majordomo@merit.edu with the following command in the body:

    unsubscribe nanog-digest

Questions about the list may be sent to nanog-digest-owner@merit.edu.
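The sendmail log lines in the post above show the check_rcpt ruleset refusing mail from a relay address listed in the MAPS RSS DNS blocklist (the 553 reject) and the matching from= record for the same queue id. As an added example, not part of the digest or of any poster's message, the Python below parses such lines into per-queue-id records and tallies blocklist rejections per relay IP, which is the summary an operator would want from a day of maillog. The sample lines are the four from the post (with the line-wrapped relay addresses rejoined); the only assumption is sendmail's standard "key=value, key=value" syslog field layout.

```python
import re
from collections import Counter, defaultdict

# Sample lines copied from the post above; the 80-column wrap that split
# "205.159.140.2" and "daemon=MTA" in the digest has been repaired.
SAMPLE_LOG = """\
May 28 18:19:11 Overkill sendmail[8797]: f4SMJBu08797: ruleset=check_rcpt, arg1=<nanog@Overkill.EnterZone.Net>, relay=[205.159.140.2], reject=553 5.3.0 <nanog@Overkill.EnterZone.Net>... Open spam relay - see http://www.mail-abuse.org/rss/
May 28 18:19:12 Overkill sendmail[8797]: f4SMJBu08797: from=<mitch@netside.net>, size=6370, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[205.159.140.2]
May 29 05:33:39 Overkill sendmail[26337]: f4T9Xcu26337: ruleset=check_rcpt, arg1=<nanog@Overkill.EnterZone.Net>, relay=[205.159.140.2], reject=553 5.3.0 <nanog@Overkill.EnterZone.Net>... Open spam relay - see http://www.mail-abuse.org/rss/
May 29 05:33:39 Overkill sendmail[26337]: f4T9Xcu26337: from=<mitch@netside.net>, size=1439, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[205.159.140.2]
"""

# syslog prefix, process, queue id, then the comma-separated key=value fields
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[(?P<pid>\d+)\]: "
    r"(?P<qid>\w+): (?P<fields>.*)$"
)
# relay= is either "[ip]" (no reverse DNS) or "hostname [ip]"
RELAY_RE = re.compile(r"relay=(?:(?P<name>[^\s,\[]+) )?\[(?P<ip>[0-9.]+)\]")


def parse_line(line):
    """Parse one sendmail syslog line into a dict; None if it is not a queue-id line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "qid": m.group("qid")}
    for field in m.group("fields").split(", "):
        key, sep, value = field.partition("=")
        if sep:
            rec[key] = value
    rm = RELAY_RE.search(m.group("fields"))
    if rm:
        rec["relay_ip"] = rm.group("ip")
    return rec


def summarize_rejects(log_text):
    """Join events by queue id and return (rejects, per_relay).

    rejects maps queue id -> details of a check_rcpt rejection (relay IP,
    envelope sender, SMTP code, reason text, whether a DNSBL was cited);
    per_relay counts rejections per relay IP.
    """
    by_qid = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_qid[rec["qid"]].update(rec)  # merge the reject and from= records
    rejects = {}
    for qid, rec in by_qid.items():
        if "reject" not in rec:
            continue
        code, _, reason = rec["reject"].partition(" ")
        rejects[qid] = {
            "relay_ip": rec.get("relay_ip"),
            "sender": rec.get("from"),
            "code": code,
            "reason": reason,
            "dnsbl_listed": "mail-abuse.org" in reason,
        }
    per_relay = Counter(r["relay_ip"] for r in rejects.values())
    return rejects, per_relay


if __name__ == "__main__":
    rejects, per_relay = summarize_rejects(SAMPLE_LOG)
    for qid, r in rejects.items():
        print(qid, r["relay_ip"], r["sender"], r["code"], r["dnsbl_listed"])
    print(per_relay)
```

Run over a real maillog the per_relay counter separates a single misconfigured host that keeps retrying (as here, one IP, several queue ids) from a spread of sources, and the dnsbl_listed flag lets you report blocklist hits apart from other 5xx rejections such as unknown users.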
Hmm, is this just me, or did someone else start receiving the digest version this morning, too - without any action on his/her own? Simultaneously, I receive the regular (non-digest) list mail as well. Both come from the same host (trapdoor.merit.edu).
Received: from trapdoor.merit.edu (postfix@trapdoor.merit.edu [198.108.1.26])
        by conti.nu (8.9.3/8.9.3) with ESMTP id GAA06067
        for <kai@pac-rim.net>; Tue, 29 May 2001 06:35:35 -0400 (EDT)
Received-Date: Tue, 29 May 2001 06:35:35 -0400 (EDT)
Received: by trapdoor.merit.edu (Postfix)
        id 227A291218; Tue, 29 May 2001 06:28:57 -0400 (EDT)
Delivered-To: nanog-digest-outgoing@trapdoor.merit.edu
Received: by trapdoor.merit.edu (Postfix, from userid 56)
        id B735C91217; Tue, 29 May 2001 06:28:56 -0400 (EDT)
From: owner-nanog-digest@trapdoor.merit.edu (NANOG Digest)
To: nanog-digest@trapdoor.merit.edu
Subject: NANOG Digest V1 #737
Reply-To:
Sender: owner-nanog-digest@trapdoor.merit.edu
Errors-To: owner-nanog-digest@trapdoor.merit.edu
Precedence: bulk
Message-Id: <20010529102856.B735C91217@trapdoor.merit.edu>
Date: Tue, 29 May 2001 06:28:56 -0400 (EDT)
X-UIDL: 913bee7d2f58a5cea4042a463d2a49f6
On Tue, May 29, 2001 at 11:02:28AM -0400, Kai Schlichting wrote:
Hmm, is this just me, or did someone else start receiving the digest version this morning, too - without any action on his/her own? Simultaneously, I receive the regular (non-digest) list mail as well. Both come from the same host (trapdoor.merit.edu).
Same deal here.
At 11:02 AM -0400 5/29/01, Kai Schlichting wrote:
Hmm, is this just me, or did someone else start receiving the digest version this morning, too - without any action on his/her own? Simultaneously, I receive the regular (non-digest) list mail as well. Both come from the same host (trapdoor.merit.edu).
I got it as well... I figured something @ merit hiccup'ed.

D
--
+---------------------+-----------------------------------------+
| dredd@megacity.org  | "Conan! What is best in life?"          |
| Derek J. Balling    | "To crush your enemies, see them        |
|                     | driven before you, and to hear the      |
|                     | lamentation of their women!"            |
+---------------------+-----------------------------------------+
Hmm, is this just me, or did someone else start receiving the digest version this morning, too - without any action on his/her own? Simultaneously, I receive the regular (non-digest) list mail as well. Both come from the same host (trapdoor.merit.edu).
No, it is not just you. I am getting this crap as well. Alex
Happened here too. A quick check showed that according to Majordomo, we weren't subscribed. Must have been a glitch.

On Tue, 29 May 2001, Kai Schlichting wrote:
Hmm, is this just me, or did someone else start receiving the digest version this morning, too - without any action on his/her own? Simultaneously, I receive the regular (non-digest) list mail as well. Both come from the same host (trapdoor.merit.edu).
--- John Fraizer EnterZone, Inc
Me too. Maybe someone at merit thought switching everyone to digest would slow things down and effectively kill some of the recent high-traffic/low-content arguthreads.

On Tue, 29 May 2001, Kai Schlichting wrote:
Hmm, is this just me, or did someone else start receiving the digest version this morning, too - without any action on his/her own? Simultaneously, I receive the regular (non-digest) list mail as well. Both come from the same host (trapdoor.merit.edu).
--
----------------------------------------------------------------------
 Jon Lewis *jlewis@lewis.org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________