who offers cheap (personal) 1U colo?
every time i tell somebody that they shouldn't bother trying to send e-mail from their dsl or cablemodem ip address due to the unlikelihood of a well staffed and well trained and empowered abuse desk defending the reputation of that address space, i also say "buy a 1U and put it someplace with a real abuse desk, and use your dsl or cablemodem to tunnel to that place." and then a few questions come in -- "where can i put a 1U for the $50/month you claim is possible?" so as a public service i've decided to gather some answers to that question and put them on the web someplace so i can refer folks to it when i'm asked. if you know of a place that offers 1U/month for $50/month with some kind of bandwidth limitations (moderate peak, low average), and a strong abuse desk (including repossessing the 1U server upon proof of abuse or neglect), please send me e-mail with a url and some details. i'll summarize it all online and report the aggregation URL back to this mailing list.
On Sat, 13 Mar 2004, Paul Vixie wrote:
every time i tell somebody that they shouldn't bother trying to send e-mail from their dsl or cablemodem ip address due to the unlikelihood of a well staffed and well trained and empowered abuse desk defending the reputation of that address space, i also say "buy a 1U and put it someplace with a real abuse desk, and use your dsl or cablemodem to tunnel to that place."
Why the assumption that a server connected via a patch cord will be better administered than a server connected by a dsl or cable modem or T1 line? What you seem to actually be looking for is a connection with a fixed IP address which doesn't share "address reputation" with others. Old timers who were able to obtain small IP address blocks for free don't have as much of a problem. They can arrange for any ISP to announce those IP addresses from any location, including their home basement colo over a DSL line. Their "address reputation" is less dependent on third-parties. But with address conservation measures, new IP addresses are much more tightly packed with all sorts of address assignments very close to each other. Unlike "provider independent" IP addresses, some operators of block lists will block large numbers of provider assigned addresses even if any particular address has never done anything "wrong." Even if an ISP had a perfect abuse response desk, some people pre-emptively block all so-called "dialup" address ranges. Why shouldn't an individual be able to operate a server on their DSL or cable modem connection? Wasn't the original end-to-end nature of the Internet based on that? Why prevent people from running servers on DSL and cable modem connections, yet say they could run an identical server in a colo? Why is one unsafe, and the other is considered Ok?
Why the assumption that a server connected via a patch cord will be better administered than a server connected by a dsl or cable modem or T1 line?
partly it's a question of scale. if a provider is terribly successful at this low end personal colo business they might have 10 racks of 40 customers per rack, such that they could quit their day job and just run this low-end personal colo business. which would be a 400:1 ratio between customers and staff, which is better than the 10000:1 ratio you'll see from your best-case dsl or cable isp. thus, a customer who neglects their server and allows others to use it as an abuse-staging platform, or a script kiddie who stupidly fouls their own nest by staging an attack from their own host, will get noticed by someone with clue, in nearly real time.
What you seem to actually be looking for is a connection with a fixed IP address which doesn't share "address reputation" with others.
no, i'm looking for a way to share address reputation amongst a group of serious-minded professional power-users who have learned over the years how to maintain their own BSD or Linux platform.
Why shouldn't an individual be able to operate a server on their DSL or cable modem connection?
because their provider is, statistically speaking, a money-grubbing slob.
Wasn't the original end-to-end nature of the Internet based on that?
why, yes, it was. but an implicit design criterion was that all of the users would always be as smart and as professional as the scientists, engineers, and educators who were the first generation of IP's users. (big mistake.)
Why prevent people from running servers on DSL and cable modem connections, yet say they could run an identical server in a colo?
because most providers don't want to give out static ip addresses, for one thing. because these providers are counting on a high suck:blow ratio from their customer base. because these providers know that people will pay more to get real internet access and they're holding you all for ransom. take your pick.
Why is one unsafe, and the other is considered Ok?
one is totally governed by a bilateral relationship between a 1U owner and a colo provider, neither of whom has a monopoly, and both of whom have something to lose if the IP address used in the relationship is abused. this isn't a technical thing. it's all about people getting what they want. -- Paul Vixie
On Sat, 14 Mar 2004, Paul Vixie wrote:
What you seem to actually be looking for is a connection with a fixed IP address which doesn't share "address reputation" with others.
no, i'm looking for a way to share address reputation amongst a group of serious-minded professional power-users who have learned over the years how to maintain their own BSD or Linux platform.
Ah, so it's mostly a boutique mystic issue. I understand. I can't afford Equinix's prices, so I have my personal server in a small colo outside the California earthquake zone. Strictly an issue of money.
Why prevent people from running servers on DSL and cable modem connections, yet say they could run an identical server in a colo?
because most providers don't want to give out static ip addresses, for one thing.
Most DSL and Cable modem providers will assign static IP addresses, just not for the same price for the same product. You pay more, which turns out to be very close to what you would pay for a static IP address in a colo. Coincidence?
Why is one unsafe, and the other is considered Ok? this isn't a technical thing. it's all about people getting what they want.
Actually it's about convincing block list operators that your IP address is "Ok" to run a server. Some block list operators choose to list large ranges of IP addresses, even if any particular address never did anything, such as all APNIC addresses or anything they think (but not always is) a "dialup" address. Because block list operators make mistakes, people wanting to run servers are forced to find IP address ranges "far enough away" not to be mistaken for a dialup address range. If the block list operators think it is a "dialup" range, they pre-emptively block all the addresses in the range. If the block list operators think it is a "static" range, regardless if it is a server in a colo or T1 line to your house, they usually don't pre-emptively block the address. It has very little to do with the quality of the ISP's abuse desk. UUNET is listed by Spamhaus as one of the worst ISPs for spam, but UUNET T1 address ranges aren't pre-emptively blocked. But large DSL or cable address ranges, even if the addresses are statically assigned to specific customers, are pre-emptively blocked. I suppose ISPs could create boutique service provider subsidiaries for serious-minded professional power-users. Ask ARIN for independent "elite" IP address ranges. Maybe even get a different 1-800 number for customer service and abuse complaints. Of course, customers would pay more for this "elite" service.
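The range-based listing Sean describes is easy to see in code. The following is an added example, not part of the thread or of any block list operator's software: it models a DNSBL the way clients actually consult one (the address's octets reversed and looked up under the list's zone, with a "listed" answer returned in 127.0.0.0/8), but the listings, the zone name `bl.example`, the return codes and the addresses are all constructed. The last function answers the question a would-be server operator actually cares about: am I listed for something this host did, or only because of the prefix I sit in?

```python
import ipaddress
from typing import Optional

# Constructed sample listings in the style of a range-based block list:
# CIDR -> the reason the operator recorded. Addresses and reasons are made up.
SAMPLE_LISTINGS = {
    "192.0.2.0/24":    "dialup",      # whole pool listed on policy, not on evidence
    "198.51.100.0/22": "dialup",
    "203.0.113.45/32": "open-proxy",  # one host listed on evidence about that host
}

# Answers modelled on the common DNSBL convention of replying inside 127.0.0.0/8;
# the particular values here are constructed for this example.
RETURN_CODES = {"open-proxy": "127.0.0.2", "dialup": "127.0.0.10"}


def query_name(ip: str, zone: str) -> str:
    """The name a DNSBL client looks up: octets reversed, then the list's zone."""
    ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(ip.split("."))) + "." + zone


def lookup(ip: str, listings=SAMPLE_LISTINGS) -> list:
    """Every listing that covers ip, most specific prefix first."""
    addr = ipaddress.IPv4Address(ip)
    hits = [(net, reason) for net, reason in listings.items()
            if addr in ipaddress.IPv4Network(net)]
    return sorted(hits, key=lambda h: -ipaddress.IPv4Network(h[0]).prefixlen)


def dnsbl_answer(ip: str, listings=SAMPLE_LISTINGS) -> Optional[str]:
    """Emulate the A record a DNSBL would return; None stands for NXDOMAIN (not listed)."""
    hits = lookup(ip, listings)
    return RETURN_CODES[hits[0][1]] if hits else None


def blocked_by_range_only(ip: str, listings=SAMPLE_LISTINGS) -> bool:
    """True when ip is covered only by prefixes shorter than /32, i.e. it is listed
    for the neighbourhood it lives in rather than for anything this host did."""
    hits = lookup(ip, listings)
    return bool(hits) and all(ipaddress.IPv4Network(n).prefixlen < 32 for n, _ in hits)


if __name__ == "__main__":
    for ip in ("192.0.2.7", "203.0.113.45", "203.0.113.46"):
        print(query_name(ip, "bl.example"), dnsbl_answer(ip), blocked_by_range_only(ip))
```

Against these constructed listings, 192.0.2.7 answers as listed even though no entry names that host; a mail receiver that consults the list cannot tell that case apart from 203.0.113.45, which is listed on its own record. That is the asymmetry Sean is pointing at: a strong abuse desk can only affect listings of the second kind.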
sean@donelan.com (Sean Donelan) writes:
If the block list operators think it is a "dialup" range, they pre-emptively block all the addresses in the range.
that's because at $30/month there's no budget for a "dialup" provider to call their worm-infested customers one at a time and talk them through "Windows Update", and the "free" "antivirus" software they include on their customer cdroms is crippleware or adware or both. providers who refuse to enter the "race to the bottom" can get their dialup blocks delisted from any blackhole list operator i know of, just by demonstrating clue and conviction.
It has very little to do with the quality of the ISP's abuse desk.
long term, it does. my sister is in sbc-dsl territory and before i linuxed her and tunneled her, i had a terrible time getting e-mail from her. the /24 that her nat/dsl box got by dhcp had a dozen open proxies in it. sbc's abuse desk sure as hell didn't want to hear from me about it and the owners of the infected pee cee's wouldn't've wanted to hear from me even if i'd had some way to identify them and offer them a free linux upgrade if they'd just open their front door and lead me to their pee cee.
... But large DSL or cable address ranges, even if the addresses are statically assigned to specific customers, are pre-emptively blocked.
there's a sound statistical basis for this. and a strong abuse desk (which would show up as higher-than-$30/month-fees) would change those statistics and improve the reputation of that "kind" of address space.
I suppose ISPs could create boutique service provider subsidiaries for serious-minded professional power-users. Ask ARIN for independent "elite" IP address ranges. Maybe even get a different 1-800 number for customer service and abuse complaints. Of course, customers would pay more for this "elite" service.
rather, i think that your employer and other dsl providers ought to get into the $50/month 1U colo business and market this to their power users and budget for a strong abuse desk for the small amounts of address space used by that function. (and if you do, please send me the URL and details.) it would be marketing suicide to offer a different dsl-dhcp ip address to people willing to pay enough to budget for an abuse desk. but if you call it colocation then it doesn't look as if you're cheap bastards for not being willing to budget for a strong abuse desk for ALL your customers. -- Paul Vixie
Paul Vixie wrote:
sean@donelan.com (Sean Donelan) writes:
If the block list operators think it is a "dialup" range, they pre-emptively block all the addresses in the range.
that's because at $30/month there's no budget for a "dialup" provider to call their worm-infested customers one at a time and talk them through "Windows Update", and the "free" "antivirus" software they include on their customer cdroms is crippleware or adware or both.
providers who refuse to enter the "race to the bottom" can get their dialup blocks delisted from any blackhole list operator i know of, just by demonstrating clue and conviction.
You're naive on this. There are enough of these blacklists, and many of them are totally unresponsive to an ISP's assertions (and empirical evidence) of aggressive handling of abuse. I know because I've tried to do this. An ISP *cannot* effectively change the status of these IP blocks...even with empirical evidence of dealing with abuse. It just doesn't happen.
... But large DSL or cable address ranges, even if the addresses are statically assigned to specific customers, are pre-emptively blocked.
there's a sound statistical basis for this. and a strong abuse desk (which would show up as higher-than-$30/month-fees) would change those statistics and improve the reputation of that "kind" of address space.
But you were just arguing above that it wasn't a statistical situation, and that a provider could get unlisted from these blacklists. Now you're arguing that it's a statistical thing, therefore it *doesn't* have to do with the empirical actions of the ISP. This second argument is the correct one, FWIW. It's statistical, and an individual ISP effectively cannot influence their listings on the blacklists.
rather, i think that your employer and other dsl providers ought to get into the $50/month 1U colo business and market this to their power users and budget for a strong abuse desk for the small amounts of address space used by that function. (and if you do, please send me the URL and details.)
I'm sorry, Paul, but the "$50/month 1U colo business" that you keep going on about is, at best, a niche market. It is not, and will not be, a substitute for DSL/Cable. At best, it will be in addition to DSL/Cable, which means an extra expense for customers, which means that it will never be more than a niche. Others have said, and they are absolutely right, that there is no real technical difference between a DSL line with a static IP, and a colo box. There are ISPs out there that are providing clueful DSL service, including allowing servers on it, with aggressive abuse response, at competitive price points. It can be, and is being, done. It's rare, yes, but it can be found. So, the argument that we need to all start selling "$50/month 1U colo boxes" because responsible DSL service can't be done is bogus.
it would be marketing suicide to offer a different dsl-dhcp ip address to people willing to pay enough to budget for an abuse desk.
You're wrong here. It can be done, and it can be done profitably. -- Jeff McAdams "He who laughs last, thinks slowest." -- anonymous
On Sun, 14 Mar 2004, Paul Vixie wrote:
sean@donelan.com (Sean Donelan) writes:
If the block list operators think it is a "dialup" range, they pre-emptively block all the addresses in the range.
providers who refuse to enter the "race to the bottom" can get their dialup blocks delisted from any blackhole list operator i know of, just by demonstrating clue and conviction.
There are several blacklists that clearly want more from the ISP than an explanation that the offenders are being/were removed... one good example is 'spews'.
It has very little to do with the quality of the ISP's abuse desk.
long term, it does. my sister is in sbc-dsl territory and before i linuxed her and tunneled her, i had a terrible time getting e-mail from her. the /24 that her nat/dsl box got by dhcp had a dozen open proxies in it. sbc's abuse desk sure as hell didn't want to hear from me about it and the owners of the infected pee cee's wouldn't've wanted to hear from me even if i'd had some way to identify them and offer them a free linux upgrade if they'd just open their front door and lead me to their pee cee.
As was pointed out to me by a co-worker: "Linux is not any more inherently secure than any other OS." The difference really comes in the administration of the pee cee. So, would upgrading joe-random-user to Linux really make things better for them? (or us?) That is not clear at all at this point. Certainly the point central to your argument is that with the right abuse-desk to customer ratio AND the right customer base, things could be kept clean for smtp/web/ftp/blah 'hosting'. This is most certainly the case... I look forward to seeing your list of providers and prices :)
--Chris
(formerly chris@uu.net)
#######################################################
## UUNET Technologies, Inc. ##
## Manager ##
## Customer Router Security Engineering Team ##
## (W)703-886-3823 (C)703-338-7319 ##
#######################################################
On Sun, 14 Mar 2004, Christopher L. Morrow wrote:
There are several blacklists that clearly want more from the ISP than an explanation that the offenders are being/were removed... one good example is 'spews'.
What do you think spews wants? My experience with them has been that that's pretty much the only thing that will satisfy them. I have had customer IPs in spews, and got them removed. "I've" also been collateral damage (at a consulting client's site), which sucks, but that's the stick spews wields. In most cases, that's encouragement enough for a provider to clean up their network or keep it from becoming a mess. Sometimes it's not.
As was pointed out to me by a co-worker: "Linux is not any more inherently secure than any other OS." The difference really comes in the administration of the pee cee. So, would upgrading joe-random-user to Linux really make things better for them? (or us?) That is not clear at all at this point.
That's an argument for another list...but the short answer is no, giving JRU who knows nothing about Linux a default install, especially a popular one, say Red Hat, is not much, if any, better. They won't maintain it. It will be hacked. At least it probably won't be done with and then participate in email viruses.
----------------------------------------------------------------------
Jon Lewis *jlewis@lewis.org* | I route
Senior Network Engineer      | therefore you are
Atlantic Net                 |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
On Sun, 14 Mar 2004 jlewis@lewis.org wrote:
On Sun, 14 Mar 2004, Christopher L. Morrow wrote:
There are several blacklists that clearly want more from the ISP than an explanation that the offenders are being/were removed... one good example is 'spews'.
What do you think spews wants? My experience with them has been that that's pretty much the only thing that will satisfy them. I have had
That's funny since we've cleaned up several over the years, yet they are still listed... and in some cases the listings have expanded. :( Spews does not provide a decent path to get listings removed, and they don't seem to remove listings if you do show the change.
On Sun, 14 Mar 2004, Christopher L. Morrow wrote:
What do you think spews wants? My experience with them has been that that's pretty much the only thing that will satisfy them. I have had
That's funny since we've cleaned up several over the years, yet they are still listed... and in some cases the listings have expanded. :( Spews does not provide a decent path to get listings removed, and they don't seem to remove listings if you do show the change.
You might want to post to NANAE (or better to the new "clean" newsgroup news.admin.net-abuse.blocklisting) and actually say that such and such customer has been disconnected and/or such and such ip block is no longer in use by them. Most blacklist administrators don't really check on each and every listing every month (although they probably should to keep good lists, but spamhaus may be the only ones who do it and even with them I'm not sure). In fact one of the reasons I think that some blacklist operators have a bad impression of UUNET is that you don't inform what you do and they think you do nothing, while in fact I'm sure it's not the case.
--
William Leibzon
Elan Networks
william@elan.net
christopher.morrow@mci.com ("Christopher L. Morrow") writes:
It has very little to do with the quality of the ISP's abuse desk.
long term, it does. my sister is in sbc-dsl territory and before i linuxed her and tunneled her, ...
As was pointed out to me by a co-worker: "Linux is not any more inherently secure than any other OS."
your co-worker needs to spend a few thanksgiving holidays the way i spent my last one, and then i'll listen to what he's got to say.
The difference really comes in the administration of the pee cee. So, would upgrading joe-random-user to Linux really make things better for them? (or us?) That is not clear at all at this point.
it makes a number of things easier, like tunnelling. the fact that no viruses are being crafted for it is apparently (according to bill gates in a recent interview) not an indication of software quality but rather market size. whatever.
Certainly the point central to your argument is that with the right abuse-desk to customer ratio AND the right customer base, things could be kept clean for smtp/web/ftp/blah 'hosting'. This is most certainly the case...
righto.
I look forward to seeing your list of providers and prices :)
naturally everybody has their own units of measure, so it's proving difficult to regularize it. perhaps another beer will help. -- Paul Vixie
Certainly the point central to your argument is that with the right abuse-desk to customer ratio AND the right customer base, things could be kept clean for smtp/web/ftp/blah 'hosting'.
I'll take "the right customer base" for $50 please Alex.
This is most certainly the case... I look forward to seeing your list of providers and prices :)
Rick Adams and Mike O'Dell had an idea in 1987. How is this any different? Eric
On Mon, 15 Mar 2004, Eric Brunner-Williams in Portland Maine wrote:
Certainly the point central to your argument is that with the right abuse-desk to customer ratio AND the right customer base, things could be kept clean for smtp/web/ftp/blah 'hosting'.
I'll take "the right customer base" for $50 please Alex.
which is NOT the current dsl/cable-modem user, obviously?
This is most certainly the case... I look forward to seeing your list of providers and prices :)
Rick Adams and Mike O'Dell had an idea in 1987. How is this any different?
mumble, mumble giant telephone company mumble mumble... In all seriousness, I'm not sure this is any different. Their idea, if I got it right, was 'ip everywhere'. Perhaps providing smaller scale 'good' colo with strong abuse/support is possible, just don't get greedy and get gigantic. Paul, does your list include those providers that provide the hardware upfront also? or is part of your deal that the equipment comes from the customer so they are more willing to behave?
Rick Adams and Mike O'Dell had an idea in 1987. How is this any different?
actually rick had the idea by himself in 1987. mike came a bit later.
Their idea, if I got it right, was 'ip everywhere'.
in that most other companies still thought ISO/OSI was going to be the commercial protocol of choice, the idea (which was "alternet", not the original 1987 "uunet"), yes, rick's idea was "i'll bet you're all wrong and that IP will be the way commercial data networking actually builds out."
Perhaps providing smaller scale 'good' colo with strong abuse/support is possible, just don't get greedy and get gigantic.
the greed problems don't come in with customer base size but rather management team experience. once you get folks running the business who don't know the industry or the culture or the customers, they start to think in terms of margin pressure. a modern-uunet-sized abuse desk should cost about $2M a year, but would add nothing to revenue, so they don't have it. there's no reason you couldn't fill out a 20Ksqft colo room with personal 1U boxes, as long as you were willing to spend the same or more money per customer (on "customer care" issues) as you did when it was a half rack. that means your margin will not grow at the same speed as your revenues, and may actually shrink as a function of revenue growth. that in turn means that the founders will have to run it forever, you will not be able to rent a CEO who graduated business school and simultaneously defend the reputation of the colo and its IP address space. (go figure.)
Paul, does your list include those providers that provide the hardware upfront also? or is part of your deal that the equipment comes from the customer so they are more willing to behave?
under duress, i'm listing all three kinds (virtual, included, and BYO1U). note that the virtuals have got me quite concerned since there's NO evidence that a deposit is taken. spammers are going to have a field day with them, and i expect to have to drop them from the list, but first, we'll try it and hope for the best. -- Paul Vixie
I'll take "the right customer base" for $50 please Alex.
which is NOT the current dsl/cable-modem user, obviously?
Correct.
Rick Adams and Mike O'Dell had an idea in 1987. How is this any different?
mumble, mumble giant telephone company mumble mumble... In all seriousness, I'm not sure this is any different. Their idea, if I got it right, was 'ip everywhere'. Perhaps providing smaller scale 'good' colo with strong abuse/support is possible, just don't get greedy and get gigantic.
The original idea was for USENIX to fund provisioning commercial UUCP and Usenet access. Go beyond the Federal green-stamp and .edu gardens, which was NOT the same as going into direct competition with The Well. It was sparse. It went beyond the then-edge of UUCP and Usenet provisioned transport and content, but it assumed the existence of a damping function, and at this point in time, it isn't a waste of time to mull over both of the positions argued later by Eric Allman and Peter Honeyman. Eric
anyone seen a new email virus that uses windows help file attachments to infect a machine? I just received what looks like a new attempt to trojan folks via email. It claims to be an AV warning with instructions contained in a help file attachment. Geo.
In message <g3oer05gom.fsf@sa.vix.com>, Paul Vixie writes:
Why prevent people from running servers on DSL and cable modem connections, yet say they could run an identical server in a colo?
because most providers don't want to give out static ip addresses, for one thing. because these providers are counting on a high suck:blow ratio from their customer base. because these providers know that people will pay more to get real internet access and they're holding you all for ransom. take your pick.
Why is one unsafe, and the other is considered Ok?
one is totally governed by a bilateral relationship between a 1U owner and a colo provider, neither of whom has a monopoly, and both of whom have something to lose if the IP address used in the relationship is abused.
this isn't a technical thing. it's all about people getting what they want.
And in fact, there are technical reasons as well. Downstream IP transmission on a cable plant uses any arbitrary channel; if there's a lot of downstream traffic, just displace the Home Gerbil Channel or some such and allocate more bandwidth to IP. Upstream traffic uses the band below channel 1, and it's not easy to add more unless you split the tree and put in another fiber node. This is done for the sake of the repeaters -- the downstream repeaters are fed by a high-pass filter, and the upstream repeaters are fed by a low-pass filter. If too many people are fielding home servers, it affects everyone.
--Steve Bellovin, http://www.research.att.com/~smb
Thus spake "Steven M. Bellovin" <smb@research.att.com>
And in fact, there are technical reasons as well. Downstream IP transmission on a cable plant uses any arbitrary channel; if there's a lot of downstream traffic, just displace the Home Gerbil Channel or some such and allocate more bandwidth to IP. Upstream traffic uses the band below channel 1, and it's not easy to add more unless you split the tree and put in another fiber node. This is done for the sake of the repeaters -- the downstream repeaters are fed by a high-pass filter, and the upstream repeaters are fed by a low-pass filter. If too many people are fielding home servers, it affects everyone.
So DOCSIS has a technical limitation which may or may not apply. This is reasonable justification for limiting upstream bandwidth, not for specifying that users can't run servers. If users can run servers effectively in the limited available upstream bandwidth, then there is no _technical_ reason to prevent them. Other last-mile technologies provide symmetric bandwidth yet providers still prohibit servers; this is clearly a business issue, not a technical one.
S
Stephen Sprunk
CCIE #3723
K5SSS
"Stupid people surround themselves with smart people. Smart people surround themselves with smart people who disagree with them." --Aaron Sorkin
On Sat, 13 Mar 2004, Stephen Sprunk wrote:
So DOCSIS has a technical limitation which may or may not apply. This is reasonable justification for limiting upstream bandwidth, not for specifying that users can't run servers. If users can run servers effectively in the limited available upstream bandwidth, then there is no _technical_ reason to prevent them.
I think people are being sloppy about saying no servers on certain types of networks. I think the actual requirement is for a long-term end-to-end identifier for systems, and maybe even network users, before they can do certain activities on the network so you can trace or block the system. Systems without long-term unique end-to-end identifiers would only be able to do a limited number of things because they are essentially fungible. Neither the location nor type of access media is important. A student in a college dorm room with an uncontrolled DHCP address may not be able to run a server, even though they have more than enough symmetric Gig-ethernet bandwidth and you know what dorm it is physically located in, because all student servers look alike. On the other hand, a mobile server on a US Navy ship on a 1200 baud radio connection with a fixed address would be permitted to run a server even though you may have no idea where in the world the ship is physically located today because you could identify which server it was. (server clusters acting as a single system don't change this.) If you want to spend about $50/month for a static IP address for your DSL line, then the question becomes should you be able to send mail directly from your home server with a static IP address on a DSL line until abused? No need to buy another box, find a colo or figure out how to remotely administer another system or tunnel to it to send mail.
On Sun, 14 Mar 2004, Sean Donelan wrote:
I think the actual requirement is for a long-term end-to-end identifier for systems, and maybe even network users, before they can do certain activities on the network so you can trace or block the system. Systems
Now my question becomes....Is this an identifier that other providers can use to trace the machine, or only for the local isp. I look at it this way. If I'm the provider I don't really care what username they are, I can determine their location by the logs. Sure they may be a DSL, but they will at some point request an address. When they request an address I have their circuit ID and I can at least narrow it down to a house or apartment.
A student in a college dorm room with an uncontrolled DHCP address may not be able to run a server, even though they have more than enough symmetric Gig-ethernet bandwidth and you know what dorm it is physically located in, because all student servers look alike. On the other hand, a mobile
This is a topic I get very soap-boxish about. I have too many problems with providers who don't understand the college student market. I can think of one university who requires students to login through a web portal before giving them a routable address. This is such a waste of time for both parties. Sure it makes tracking down the abusers much easier, but is it worth the time and effort to manage? This is a very legitimate idea for public portals in common areas, but not in dorm rooms. In a dorm room situation or an apartment situation, you again know the physical port the DHCP request came in on. You then know which room that port is connected to and you therefore have a general idea of who the abuser is. So what's the big deal if you turn off the ports to the room until the users complain and the problem is resolved? I guess this requires very detailed cable map databases and is something some providers are reluctant to develop. Scary thought.....
Andrew
---
<zerocool@netpath.net>
http://www.andrewsworld.net/
ICQ: 2895251
Cisco Certified Network Associate
"Learn from the mistakes of others. You won't live long enough to make all of them yourself."
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Andrew Dorsett
Sent: March 14, 2004 1:29 AM
To: North American Noise and Off-topic Gripes
Subject: Re: who offers cheap (personal) 1U colo?
This is a topic I get very soap-boxish about. I have too many problems with providers who don't understand the college student market. I can think of one university who requires students to login through a web portal before giving them a routable address. This is such a waste of time for both parties. Sure it makes tracking down the abusers much easier, but is it worth the time and effort to manage? This is a very legitimate idea for public portals in common areas, but not in dorm rooms. In a dorm room situation or an apartment situation, you again know the physical port the DHCP request came in on. You then know which room that port is connected to and you therefore have a general idea of who the abuser is. So what's the big deal if you turn off the ports to the room until the users complain and the problem is resolved?
Actually, you're forgetting what I think is the biggest reason for doing this: before the user registers via the web-based DHCP thing, they are shown the AUP and have to say they agree to it. If you just leave straight IP connections available in rooms, and people violate the AUP, they can QUITE credibly argue "But I never read this AUP". The web-based DHCP registration system prevents that. Other advantages would be A) It prevents students (or at least, all but the most clueful) from taking multiple IPs and having hubs and such in their rooms B) It makes it very easy to track what MAC address/IP address is which person, as you yourself admitted. Sure, this system requires a bit of effort to set up initially (though I think open source implementations are easily available), but afterwards, you don't need to have your most clueful network engineer dig through to try and figure out which room is what IP. If you lower the clue level required to operate an abuse desk, I would argue you improve its efficiency in many cases... C) It avoids issues of changing ports. Let's say I'm in room 101, and my friend Bob is in room 102. I take my laptop to Bob's room and plug it into the network and go and do something dumb... If you hunt down my MAC address to a particular port, it looks like Bob is the AUP violator. If you have a registration system, you know that this MAC address belongs to me, not Bob. Oh, and what about wireless networks? I have my nice 802.11b card, how do you propose to track that without MAC registration (or hackish VPN systems, which are also deployed in some campuses)? [Note: most of the argument above assumes that people are not clueful enough to change their MAC address, of course... And I would argue that most college students are too busy getting drunk or saturating networks with P2P software to figure this out] Vivien -- Vivien M. vivienm@dyndns.org Assistant System Administrator Dynamic Network Services, Inc. http://www.dyndns.org/
Thus spake "Vivien M." <vivienm@dyndns.org>
Actually, you're forgetting what I think is the biggest reason for doing this: before the user registers via the web-based DHCP thing, they are shown the AUP and have to say they agree to it. If you just leave straight IP connections available in rooms, and people violate the AUP, they can QUITE credibly argue "But I never read this AUP". The web-based DHCP registration system prevents that.
Students have an existing legal relationship with the school; they can be required to accept the AUP in writing at some point during the enrollment process.
Other advantages would be A) It prevents students (or at least, all but the most clueful) from taking multiple IPs and having hubs and such in their rooms
There's nothing inherently wrong with that.
B) It makes it very easy to track what MAC address/IP address is which person, as you yourself admitted. Sure, this system requires a bit of effort to set up initially (though I think open source implementations are easily available), but afterwards, you don't need to have your most clueful network engineer dig through to try and figure out which room is what IP. If you lower the clue level required to operate an abuse desk, I would argue you improve its efficiency in many cases...
Tracking an IP address to a particular switch port via ARP and bridging tables is straightforward; however this relies on detailed cabling plant data.
C) It avoids issues of changing ports. Let's say I'm in room 101, and my friend Bob is in room 102. I take my laptop to Bob's room and plug it into the network and go and do something dumb... If you hunt down my MAC address to a particular port, it looks like Bob is the AUP violator. If you have a registration system, you know that this MAC address belongs to me, not Bob.
Or, if you use 802.1x, you can skip the MAC registration and identify the user directly each time he logs in.
Oh, and what about wireless networks? I have my nice 802.11b card, how do you propose to track that without MAC registration (or hackish VPN systems, which are also deployed in some campuses)?
802.1x
S Stephen Sprunk, CCIE #3723, K5SSS
"Stupid people surround themselves with smart people. Smart people surround themselves with smart people who disagree with them." --Aaron Sorkin
Stephen Sprunk wrote:
Thus spake "Vivien M." <vivienm@dyndns.org>
Actually, you're forgetting what I think is the biggest reason for doing this: before the user registers via the web-based DHCP thing, they are shown the AUP and have to say they agree to it. If you just leave straight IP connections available in rooms, and people violate the AUP, they can QUITE credibly argue "But I never read this AUP". The web-based DHCP registration system prevents that.
Students have an existing legal relationship with the school; they can be required to accept the AUP in writing at some point during the enrollment process.
It all comes down to how you view the people on your network--students, faculty, administrators, subscribers, whatever. If they are "customers" you take one set of views and one way of solving problems. If you see them as "lusers", to take another. -- Requiescas in pace o email
--On Sunday, March 14, 2004 19:14 -0600 Stephen Sprunk <stephen@sprunk.org> wrote:
Students have an existing legal relationship with the school; they can be required to accept the AUP in writing at some point during the enrollment process.
Experiment ... go to a college dorm that's wired, plug your laptop or PC in, start using the net. Assumption here of course is you're not a student there. Nine times out of ten you won't be challenged and you'll be allowed to use the network. Students also often have friends over that use their systems. Thus you can't assume that every user is a student or faculty. -- Undocumented Features quote of the moment... "It's not the one bullet with your name on it that you have to worry about; it's the twenty thousand-odd rounds labeled `occupant.'" --Murphy's Laws of Combat
<quote who="Michael Loftis">
Experiment ... go to a college dorm that's wired, plug your laptop or PC in, start using the net.
Nine times out of ten you wont' be challenged and you'll be allowed to use the network.
Has it been a while since you've been on a resnet? They're bad, but most all "ResNet's" I know of are now implementing some sort of MAC/DHCP combo at the very least. That might have been true a couple years ago but recent DMCA notices and Worm activity have /forced/ (often by their upstream) ResNet's to clean up their act. I don't think our ResNet is a shining example of excellence by any stretch but they know who is registered behind each port/ip/mac address which gives you a pretty good idea of who is on your network. I won't comment on what leaves the ResNet on port 25 and what leaves the network with no prayer of ever routing back. *cough* That's a whole 'nother issue for them to deal with, and at some point soon, I think they will. -davidu (speaking only for himself) ---------------------------------------------------- David A. Ulevitch - Founder, EveryDNS.Net Washington University in St. Louis http://david.ulevitch.com -- http://everydns.net ----------------------------------------------------
On Sun, 14 Mar 2004, David A. Ulevitch wrote:
Has it been a while since you've been on a resnet? They're bad, but most all "ResNet's" I know of are now implementing some sort of MAC/DHCP combo at the very least.
The thing to remember is that all rooms are locked until someone is issued a key. So you have someone to blame if the port becomes hot in a dorm room. The public portals are another story and should require some sort of registration. The university I've been hounding for a while now had a problem...They didn't require you to authenticate yourself only when your MAC changed, they required you to do it every time the link status changed on your port. Problems with this are many... 1. I have a laptop, I turn it off and on a lot...That's quite a bit of logging in and with it being web based with SSL now it makes it even harder for me to automate the login process. 2. Every time they rebooted a switch, the switch powered off, etc...I'd have to re-login. This would always catch me when I had left my machine online during the day to retrieve something remotely while at work. (I can't take a laptop to work with me...but I can download from the net) I go back to my statement time and time again...Who cares if there are 6 people in the room, I issue an honor system referral to ALL parties in the room and let the justice system sort out who was at fault. If they need more information, I'll assign a senior engineer to investigate and pull logs and check machines. Often times the naughty student will fess up to their dirty work without requiring the extra work. Less hassle for the general population and fewer questions when the newbies can't figure out how to login to access the Internet. This login thing can also be extended to colleges who require VPNs for wireless...Way to kill the battery on my iPAQ doing all the calculations. Plus it creates major setup complications for the general newbie and I often wonder if it's worth the hassle when most universities should worry about the much worse problems like students who are sharing illegal warez.
In a corporate environment with confidential data flying around...There better be a VPN on that wireless or one day you are going to have fun explaining to your boss why your new top secret cookie recipe is on IRC. :) I know I'm shooting in the wrong forest but I think some of the practices of universities and supporting small ISPs really need to be discussed. Some of the IT management folks just don't have a clue because they have never provided carrier class services. As shown with the small ISP who tried to stick hundreds of users behind a small, underpowered firewall...*sigh* I seriously investigated satellite based net access until I found the regulation prohibiting dishes from being outside the window. Andrew --- <zerocool@netpath.net> http://www.andrewsworld.net/ ICQ: 2895251 Cisco Certified Network Associate "Learn from the mistakes of others. You won't live long enough to make all of them yourself."
On Sun, 14 Mar 2004, Stephen Sprunk wrote:
Students have an existing legal relationship with the school; they can be required to accept the AUP in writing at some point during the enrollment process.
They may have a legal relationship with the school, but internet service can be considered to be an added service that is not available until you actually ask for it. This is like parking - there are always some rules and regulations for when you use the school garage (usually written on the wall or available from the parking attendant); if you don't use the garage and park your car somewhere else (or don't have a car at all), you don't have to bother with parking rules. Same for internet access - students don't have to use school internet access, they can buy internet access from some other ISP or they might not have a computer at all. But if they use internet access, they accept rules regarding it - i.e. AUP. -- William Leibzon Elan Networks william@elan.net
On Sun, 14 Mar 2004, Vivien M. wrote:
credibly argue "But I never read this AUP". The web-based DHCP registration system prevents that.
Ok, I'll give that one to you. :) Got me there hehehe Though now we are making the AUP a part of the freshman orientation session so there are no excuses. Plus they agree to it when they place the installation cd in their drive (if they use the installation cd which many don't)
A) It prevents students (or at least, all but the most clueful) from taking multiple IPs and having hubs and such in their rooms
That's protected by port security. Just limit them to one mac address per port. So only the last machine transmitting will get the reply. Works quite well, shut me down for a few days a few years ago when it was first turned on.
B) It makes it very easy to track what MAC address/IP address is which person, as you yourself admitted. Sure, this system requires a bit of effort to set up initially (though I think open source implementations are easily available), but afterwards, you don't need to have your most clueful network engineer dig through to try and figure out which room is what IP. If you lower the clue level required to operate an abuse desk, I would argue you improve its efficiency in many cases...
See, this is not something that requires a clueful engineer. It only requires the clueful engineer to create a script that does it all automatically. In fact I've seen the web interface to the whole system. VERY nice. Even tracks changes, so I can tell if the user pulled the cables, swapped ports, did bad stuff and then swapped them back to place the blame on the roommate. I can enter the IP in question and time period and it will then tell me the MAC address in question, then it will automatically look up the cable database to return the room, and then it will return the names of the individuals living in the rooms. I argue that the username system has significant problems which can lead to denial of service. What happens when your RADIUS box goes offline? This is what caused me to turn against the offending university. Their authentication box wouldn't stay online and so I'd have to cross my fingers after a reboot to hope that I could get back on the network.
C) It avoids issues of changing ports. Let's say I'm in room 101, and my friend Bob is in room 102. I take my laptop to Bob's room and plug it into the network and go and do something dumb... If you hunt down my MAC address to a particular port, it looks like Bob is the AUP violator. If you have a registration system, you know that this MAC address belongs to me, not Bob.
True, true, that can happen, but again if I log changes I can tell that someone unplugged their computer and so when Bob gets turned in the judicial system will be able to question what occurred...They know it may not be him that's guilty but hopefully he will turn in the offender.
Oh, and what about wireless networks? I have my nice 802.11b card, how do you propose to track that without MAC registration (or hackish VPN systems, which are also deployed in some campuses)?
As for wireless, well yeah we require you to register the MAC off your wireless NIC. Only MACs that are in the database are allowed access. Sure you can spoof someone else's legitimate MAC, but that's a different story. At least I have someone I can blame and let him try to deny it through the judicial system. Andrew --- <zerocool@netpath.net> http://www.andrewsworld.net/ ICQ: 2895251 Cisco Certified Network Associate "Learn from the mistakes of others. You won't live long enough to make all of them yourself."
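The lookup Andrew describes above (enter an IP and a time, get the MAC, then the room from the cable database, then the occupants, with port changes logged so a laptop carried into a friend's room is visible) as an added Python example; this is not the thread's or any university's tool, and every log line, switch name, port, room and resident name below is constructed.

```python
"""Abuse-desk trace: IP address + time -> MAC -> switch port -> room -> residents."""
from datetime import datetime
import re

TS = "%Y-%m-%d %H:%M:%S"

# Constructed sample data (not from any real campus). DHCP_LOG is loosely
# modelled on ISC dhcpd syslog lines; MAC_TABLE_POLLS is a history of
# periodic bridging-table snapshots taken from the edge switch.
DHCP_LOG = """\
2004-03-14 22:01:15 dhcpd: DHCPACK on 10.20.30.41 to 00:0a:95:9d:68:16 via eth0
2004-03-14 22:05:40 dhcpd: DHCPACK on 10.20.30.42 to 00:0d:93:34:a2:f1 via eth0
2004-03-15 01:10:02 dhcpd: DHCPACK on 10.20.30.41 to 00:0d:93:34:a2:f1 via eth0
2004-03-15 03:30:00 dhcpd: DHCPACK on 10.20.30.41 to 00:0a:95:9d:68:16 via eth0
"""
MAC_TABLE_POLLS = [  # (poll time, switch, port, MAC seen on that port)
    ("2004-03-14 22:00:00", "sw-hall3", "Fa0/1", "00:0a:95:9d:68:16"),
    ("2004-03-14 22:00:00", "sw-hall3", "Fa0/2", "00:0d:93:34:a2:f1"),
    ("2004-03-15 01:00:00", "sw-hall3", "Fa0/1", "00:0d:93:34:a2:f1"),  # room 102's laptop on 101's port
    ("2004-03-15 03:00:00", "sw-hall3", "Fa0/1", "00:0a:95:9d:68:16"),  # ... and back home
    ("2004-03-15 03:00:00", "sw-hall3", "Fa0/2", "00:0d:93:34:a2:f1"),
]
CABLE_MAP = {("sw-hall3", "Fa0/1"): "101", ("sw-hall3", "Fa0/2"): "102"}  # port -> room
RESIDENTS = {"101": ["Alice"], "102": ["Bob"]}                              # room -> occupants

DHCPACK_RE = re.compile(r"^(\S+ \S+) .*DHCPACK on (\S+) to ([0-9a-f:]{17})")


def parse_dhcp_log(text):
    """Return [(ack_time, ip, mac)] for every DHCPACK line, in log order."""
    out = []
    for line in text.splitlines():
        m = DHCPACK_RE.match(line)
        if m:
            out.append((datetime.strptime(m.group(1), TS), m.group(2), m.group(3).lower()))
    return out


def mac_for_ip(leases, ip, at):
    """MAC that held `ip` at time `at`: the latest DHCPACK for that IP at or before `at`."""
    best = None
    for ack_time, lease_ip, mac in leases:
        if lease_ip == ip and ack_time <= at:
            best = mac
    return best


def port_history(polls, mac):
    """Chronological (time, switch, port) entries where `mac` was seen, collapsing repeats."""
    hist = []
    for ts, switch, port, seen in sorted(polls):
        if seen == mac and (not hist or hist[-1][1:] != (switch, port)):
            hist.append((datetime.strptime(ts, TS), switch, port))
    return hist


def trace(ip, when, leases=None, polls=MAC_TABLE_POLLS):
    """Resolve an abuse report (IP + time) to MAC, port, room and occupants.

    `moved_from` is the room whose port the MAC sat on before the one found,
    so a laptop carried next door (or a roommate port swap) is visible.
    """
    at = datetime.strptime(when, TS)
    leases = parse_dhcp_log(DHCP_LOG) if leases is None else leases
    mac = mac_for_ip(leases, ip, at)
    if mac is None:
        return {"ip": ip, "mac": None}
    current = previous = None
    for entry in port_history(polls, mac):
        if entry[0] <= at:
            previous, current = current, entry
    if current is None:
        return {"ip": ip, "mac": mac, "port": None}
    _, switch, port = current
    room = CABLE_MAP.get((switch, port))
    return {
        "ip": ip, "mac": mac, "switch": switch, "port": port, "room": room,
        "residents": RESIDENTS.get(room, []),
        "moved_from": None if previous is None else CABLE_MAP.get(previous[1:]),
    }


if __name__ == "__main__":
    # Report for 10.20.30.41 at 01:15 lands on room 101's port, but the MAC came from room 102.
    print(trace("10.20.30.41", "2004-03-15 01:15:00"))
```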
Andrew Dorsett [3/15/2004 8:26 AM] :
That's protected by port security. Just limit them to one mac address per port. So only the last machine transmitting will get the reply. Works quite well, shut me down for a few days a few years ago when it was first turned on.
Most common or garden wireless APs / broadband routers will let you clone the MAC address, so this is not exactly difficult to get around. And what is wrong with setting up a hub or something in a dorm room? I find it quite convenient to leave both my PC and a laptop running on my desk, for various reasons (too many open terminals and windows is one of them ...) srs -- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
Suresh Ramasubramanian wrote:
And what is wrong with setting up a hub or something in a dorm room? I find it quite convenient to leave both my PC and a laptop running on my desk, for various reasons (too many open terminals and windows is one of them ...)
I've been trying to figure out what is wrong with that too. At my ex-employer's, one of the things they did right was to encourage study groups, and with multi-occupant suites, several stations (including one or more printers, plotters, and such) were normal. Most of the residence halls had hubs or small switches available for check-out. Is it the contention that each student should only use one pencil? -- Requiescas in pace o email
Laurence F. Sheldon, Jr. wrote:
Suresh Ramasubramanian wrote:
And what is wrong with setting up a hub or something in a dorm room? I find it quite convenient to leave both my PC and a laptop running on my desk, for various reasons (too many open terminals and windows is one of them ...)
I've been trying to figure out what is wrong with that too.
At my ex-employer's, one of the things they did right was to encourage study groups, and with multi-occupant suites, several stations (including one or more printers, plotters, and such) were normal.
Most of the residence halls had hubs or small switches available for check-out.
Is it the contention that each student should only use one pencil?
If you have 300 students and 500 pencils, then the answer is yes. If everyone grabbed 3 pencils, you'd run out pretty quick. There are only so many addresses available in the DHCP pool. The smarter students put a NAT box on their port so they can run their desktop, laptop, XBox and have a place their friend can plug in. Ken
-----Original Message----- From: Suresh Ramasubramanian [mailto:suresh@outblaze.com] Sent: March 14, 2004 10:16 PM To: Andrew Dorsett Cc: Vivien M.; 'North American Noise and Off-topic Gripes' Subject: Re: who offers cheap (personal) 1U colo?
And what is wrong with setting up a hub or something in a dorm room? I find it quite convenient to leave both my PC and a laptop running on my desk, for various reasons (too many open terminals and windows is one of them ...)
Nothing wrong with it as far as I'm concerned, but IT departments in post-secondary institutions seem/seemed to have a problem with it, for some reason. Perhaps they just figure that two machines means increased potential for abuse (since presumably two people could use the port simultaneously)? Vivien P.S. I do the same thing you do... -- Vivien M. vivienm@dyndns.org Assistant System Administrator Dynamic Network Services, Inc. http://www.dyndns.org/
<quote who="Suresh Ramasubramanian">
And what is wrong with setting up a hub or something in a dorm room? I find it quite convenient to leave both my PC and a laptop running on my desk, for various reasons (too many open terminals and windows is one of them ...)
Our ResNet doesn't forbid that in the AUP (yet). They provide the network connection to the person and tie it to a MAC address. If the student can figure out the rest and not abuse it, more power to them. When they complain about not being able to use the network dorm printers they don't get much support though...those are the breaks. I'm not sure if this policy applies to non-resnet users (depts., faculty, staff, etc), but for most issues, the resnet case is the one that matters. -davidu ---------------------------------------------------- David A. Ulevitch - Founder, EveryDNS.Net Washington University in St. Louis http://david.ulevitch.com -- http://everydns.net ----------------------------------------------------
On Mon, 15 Mar 2004, Suresh Ramasubramanian wrote:
And what is wrong with setting up a hub or something in a dorm room? I find it quite convenient to leave both my PC and a laptop running on my desk, for various reasons (too many open terminals and windows is one of them ...)
Well what's wrong with you setting up a small router and using one IP? The crap I hear most of the time is that they want to only issue one IP per student unless you pay for more. The other thing is that at a very technical university like ours, a lot of engineers will opt for multiple machines, thus requiring much more address space if only using a hub. The other argument is that they want to make sure they have plenty of capacity by knowing how many users they have and hopefully not multiple machines that they don't know about behind a firewall. Again, more BS because geez each wall portal can spit out 10/100 regardless of how many machines are behind it. Let's not even get into what OSes can really use outta those respective pipes, that's another story. :) Look outside of the university to the small college ISPs. They even actively hunt for cable/dsl routers and turn off ports if they think they have found them. Don't want students cheating their service by wiring up the whole apartment to one cable modem. What a ripoff....And why? Because most college students have no clue and are willing to accept it. Plus some apartment complexes have contracts with specific providers that provide a monopoly situation. I miss the good ol' days when I worked for the ISP I had access through....At least then I could remove myself from the restrictions...Guess when I finally move to MD for work I'll have to make friends with someone at Comcast. ;-) Andrew --- <zerocool@netpath.net> http://www.andrewsworld.net/ ICQ: 2895251 Cisco Certified Network Associate "Learn from the mistakes of others. You won't live long enough to make all of them yourself."
Andrew Dorsett [3/15/2004 9:52 AM] :
Well what's wrong with you setting up a small router and using one IP? The crap I hear most of the time is that they want to only issue one IP per
Nothing particularly wrong with it as long as there's some mechanism to zero in on rooted / abused machines there. srs -- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
On Mon, 15 Mar 2004, Suresh Ramasubramanian wrote:
Andrew Dorsett [3/15/2004 9:52 AM] :
Well what's wrong with you setting up a small router and using one IP? The crap I hear most of the time is that they want to only issue one IP per
Nothing particularly wrong with it as long as there's some mechanism to zero in on rooted / abused machines there.
Exactly my point! But so many universities and small ISPs are against it with a vengeance. Like I keep saying, they are sharing one wall portal. I now go to that keystone, find the hub and then go "Whose is this?" Tell them to clean up their machine because it's infected and give them what I know....ie: it was ip blah blah or sorry I can't tell you anything because it was coming through your NAT box and all I see is a single IP. Personally, shhh don't tell certain people who I know are lurking on this list :) But I ran a NAT box with 4 machines at one point. An XP box for my general use, an SGI box for development, a linux box for development, and another linux box acting as my ftp server. Andrew --- <zerocool@netpath.net> http://www.andrewsworld.net/ ICQ: 2895251 Cisco Certified Network Associate "Learn from the mistakes of others. You won't live long enough to make all of them yourself."
Andrew Dorsett wrote:
On Mon, 15 Mar 2004, Suresh Ramasubramanian wrote:
Andrew Dorsett [3/15/2004 9:52 AM] :
Well what's wrong with you setting up a small router and using one IP? The crap I hear most of the time is that they want to only issue one IP per
Nothing particularly wrong with it as long as there's some mechanism to zero in on rooted / abused machines there.
Exactly my point! But so many universities and small ISPs are against it with a vengeance. Like I keep saying, they are sharing one wall portal. I now go to that keystone, find the hub and then go "Whose is this?" Tell them to clean up their machine because it's infected and give them what I know....ie: it was ip blah blah or sorry I can't tell you anything because it was coming through your NAT box and all I see is a single IP.
Personally, shhh don't tell certain people who I know are lurking on this list :) But I ran a NAT box with 4 machines at one point. An XP box for my general use, an SGI box for development, a linux box for development, and another linux box acting as my ftp server.
Andrew
Something else I just remembered: Connecting so much equipment in our dorms creates a fire hazard. There are only two or three outlets (what I've been told) in a room shared by two or three students. Add to the computer equipment a TV, stereo, DVD player, alarm clocks, cordless phones, etc., etc., etc. and you have the makings for newspaper headlines. Hasn't happened yet to my knowledge, but it could and students don't consider these things. Ken
Ken Diliberto wrote:
Something else I just remembered:
Connecting so much equipment in our dorms creates a fire hazard. There are only two or three outlets (what I've been told) in a room shared by two or three students. Add to the computer equipment a TV, stereo, DVD player, alarm clocks, cordless phones, etc., etc., etc. and you have the makings for newspaper headlines. Hasn't happened yet to my knowledge, but it could and students don't consider these things.
If you were willing to live in a place where an electrical overload caused a fire (as opposed to tripping a circuit-breaker or blowing a fuse), you have not correctly identified your worst problem, or the University's. -- Requiescas in pace o email
Laurence F. Sheldon, Jr. [3/15/2004 7:39 PM] :
If you were willing to live in a place where an electrical overload caused a fire (as opposed to tripping a circuit-breaker or blowing a fuse), you have not correctly identified your worst problem, or the University's.
That's always there, but at least one dorm that I know of has this rule against running appliances in a dorm room. srs -- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
Suresh Ramasubramanian wrote:
Laurence F. Sheldon, Jr. [3/15/2004 7:39 PM] :
If you were willing to live in a place where an electrical overload caused a fire (as opposed to tripping a circuit-breaker or blowing a fuse), you have not correctly identified your worst problem, or the University's.
That's always there, but at least one dorm that I know of has this rule against running appliances in a dorm room.
A rule against running a "hotplate" or other heat-generating appliance (or all "appliances" to avoid the arguments) makes sense. A rule against running power-consumers that were not in the cost-of-overhead calculation makes sense. Restricting (or trying to restrict) computers in today's University environment is delusional. -- Requiescas in pace o email
This is a topic I get very soap-boxish about. I have too many problems with providers who don't understand the college student market. I can think of one university that requires students to login through a web portal before giving them a routable address. This is such a waste of time for both parties. Sure it makes tracking down the abusers much easier, but is it worth the time and effort to manage? This is a very legitimate idea for public portals in common areas, but not in dorm rooms. In a dorm room situation or an apartment situation, you again know the physical port the DHCP request came in on. You then know which room that port is connected to and you therefore have a general idea of who the abuser is. So what's the big deal if you turn off the ports to the room until the users complain and the problem is resolved?
Since no one's mentioned it, the program everyone is referring to is netreg: www.netreg.org www.net.cmu.edu/netreg Also, most .edu eyeball networks have (and have always had) a VERY low budget for networking stuff. As a result, generally, there is little to no plant map documentation, so it isn't the case of looking up the physical port on a map and shutting it off. Netreg allows you to "bad web" folks. They can go nowhere until they call the helpdesk. It's a great LART. >:-) <=== That's an evil smile... scott
On Mon, 15 Mar 2004 11:27:42 -1000, Scott Weeks <surfer@mauigateway.com> said:
Also, most .edu eyeball networks have (and have always had) a VERY low budget for networking stuff. As a result, generally, there is little to no plant map documentation, so it isn't the case of looking up the physical port on a map and shutting it off.
OK, maybe our network crew is more clued and better financed than most, but we discovered long ago that although having all the plant documented is expensive, the alternative is even more costly in the long run.
Andrew Dorsett wrote:
On Sun, 14 Mar 2004, Sean Donelan wrote:
A student in a college dorm room with an uncontrolled DHCP address may not be able to run a server, even though they have more than enough symmetric Gig-ethernet bandwidth and you know what dorm it is physically located because all student servers look alike. On the other hand, a mobile
This is a topic I get very soap-boxish about. I have too many problems with providers who don't understand the college student market. I can think of one university that requires students to login through a web portal before giving them a routable address. This is such a waste of time for both parties. Sure it makes tracking down the abusers much easier, but is it worth the time and effort to manage? This is a very legitimate idea for public portals in common areas, but not in dorm rooms. In a dorm room situation or an apartment situation, you again know the physical port the DHCP request came in on. You then know which room that port is connected to and you therefore have a general idea of who the abuser is. So what's the big deal if you turn off the ports to the room until the users complain and the problem is resolved?
I guess this requires very detailed cable map databases and is something some providers are reluctant to develop. Scary thought.....
Andrew
I'm curious about the concept of "College Student Market". We have several thousand students in our dorms who only have two choices for Internet service - our dedicated Ethernet or their dial-up (which they would have to pay for). We firewall them, packet shape them and don't pay much attention when they saturate their router. Housing has a choice to use campus services or go outside for Internet service - a much more expensive choice considering the amount they pay the campus. We respond to complaints about abusers on the ResNet by first disabling the port. This is considered a strike against the resident for an AUP violation. In theory, three strikes and they're out. After we upgrade the ResNet equipment, we're planning on 802.1x authentication on the port. I'm toying with suggesting certificates so we can simply revoke a cert if someone is a serious abuser, which could (in theory) deny their workstation (laptop in most cases) access to the campus network. The problem with this idea is the amount of overhead required to manage the certificate infrastructure. As to the question of "is it worth the time and effort to manage", I think yes. When the SQL Slammer worm hit last year, I put blocks at the border and blocks between subnets to contain the problem as best I could for two reasons (well, could be more but this is all I'm going to point out): 1 - Maintaining the usability of the campus network. 2 - Protecting the Internet in general from us. How many ISPs care about either? How many won't do either because it would affect their bottom line? Back to the original topic. We have a fairly good cable map. We can track DHCP and can even black hole a MAC address so it can't get an address. Why would we want a user to authenticate to the network? It adds accountability and a little more paranoia that if they do something they shouldn't, they'll get caught and we'll turn them off.
Remember: If you ask a student about their Internet access, you'll hear that it's free and they shouldn't be restricted as to what they can do. Ken
On Sun, Mar 14, 2004 at 01:29:29AM -0500, Andrew Dorsett wrote:
This is a topic I get very soap-boxish about. I have too many problems with providers who don't understand the college student market. I can think of one university who requires students to login through a web portal before giving them a routable address. This is such a waste of time for both parties. Sure it makes tracking down the abusers much easier, but is it worth the time and effort to manage? This is a very
In the UK it certainly does. To absolve ourselves of liability for misuse 'net access must be from an 'identifiable' user. This is part of our institution-wide security policy.
legitimate idea for public portals in common areas, but not in dorm rooms. In a dorm room situation or an apartment situation, you again know the physical port the DHCP request came in on. You then know which room that port is connected to and you therefore have a general idea of who the abuser is. So what's the big deal if you turn off the ports to the room until the users complain and the problem is resolved?
That's all very well if you have switches which can do DHCP option 82 but most educational institutions have strict budgets to work to, which may involve reuse of older kit which was previously used for core academic purposes.
I guess this requires very detailed cable map databases and is something some providers are reluctant to develop. Scary thought.....
I'd say having a login system which identifies the user is considerably less difficult than maintaining a very extensive database of cable patches which will inevitably get out of date (think replacement of dead switches...) within a very short timeframe. It's much easier to index an abuse report from an IP directly to a username, there's less room for argument and error. Functionally, this is the way most broadband access networks are run anyway, username/password gets you the PPPoA or PPPoE session. W
On Sun, 14 Mar 2004, Andrew Dorsett wrote:
In a dorm room situation or an apartment situation, you again know the physical port the DHCP request came in on. You then know which room that port is connected to and you therefore have a general idea of who the abuser is. So what's the big deal if you turn off the ports to the room until the users complain and the problem is resolved?
It has to do with response time. If I send an abuse complaint to an organization's mailbox on a Friday night, will it be dealt with in the next 10 seconds? Or sometime next week? If the computer reboots every 60 seconds, and gets different IP addresses every time, a single infected computer can appear with lots of different IP addresses, which results in overblocking. Similar things happen when a very large corporation has a NAT firewall, and attacks appear to come from all over their address ranges. A long-term end-to-end identifier would let me immediately drop the specific infected computer's traffic regardless of its rotating IP addresses, even if your abuse department doesn't open until next Monday to track down the user to permanently fix it. The other issue is assuming "abuse" is defined the same way. If I can uniquely identify the source, we don't have to debate whether my definition of abuse is the same as your definition. You might have a three-strike policy and I have a zero-tolerance policy. It doesn't matter if there was an end-to-end long-term identifier. While you are waiting for the other strikes, I can immediately block that specific computer regardless of what IP address it has today. That way "reputation" could be tied to the infected computer instead of random address ranges. If IPsec ever gets fully deployed, then we may be able to negotiate end-to-end identification. The long-term end-to-end identifier does not need to include personally identifiable information.
Sean Donelan wrote:
If I send an abuse complaint to an organization's mailbox on a Friday night, will it be dealt with in the next 10 seconds? Or sometime next week? If the computer reboots every 60 seconds, and gets different IP addresses every time, a single infected computer can appear with lots of different IP addresses which results in overblocking. Similar things
Most DHCP servers are capable of assigning the same IP address to the same MAC address both with DHCPDISCOVER and DHCPREQUEST. It just needs the configuring party to want that (with the caveat that somebody may have got to the address first, which is possible but unlikely). Since static IP addresses are considered a premium service, most providers opt towards approaches which make the IP address change more often. Pete
Sean, SD> ... A long-term end-to-end identifier would let me immediately drop the specific infected computer's traffic regardless of its rotating IP addresses, even if your abuse ... What is to prevent rapid changes to the identifier, even more easily than rapidly changing IP addresses? In other words, why "trust" the identifier? Or at least, how would this identifier really be long term? d/ -- Dave Crocker <dcrocker-at-brandenburg-dot-com> Brandenburg InternetWorking <www.brandenburg.com> Sunnyvale, CA USA <tel:+1.408.246.8253>
On Sun, 14 Mar 2004 01:29:29 -0500 (EST) Andrew Dorsett <zerocool@netpath.net> wrote:
This is a topic I get very soap-boxish about. I have too many problems with providers who don't understand the college student market. I can
There are certain environments where it would be nice for people to have spent some time. Working at a university would be one good experience for many people, particularly in this field, to have had.
think of one university who requires students to login through a web portal before giving them a routable address. This is such a waste of time for both parties. Sure it makes tracking down the abusers much easier, but is it worth the time and effort to manage? This is a very
In most implementations I'm familiar with, the time and effort is mostly spent in the initial deployment of such a system.
legitimate idea for public portals in common areas, but not in dorm rooms. In a dorm room situation or an apartment situation, you again know the physical port the DHCP request came in on. You then know which room that port is connected to and you therefore have a general idea of who the abuser is. So what's the big deal if you turn off the ports to the room until the users complain and the problem is resolved?
As someone else mentioned, an AUP may be a reason for such a system. In addition, these systems often allow an i.d. to be notified, restricted or disabled and not just from a single port, but from any port where this system is used. Also know that some schools' dorm resident information is not populated nor easily accessible in network connectivity records. The portal systems are often used as a way to be proactive in testing a dorm user's system for vulnerabilities and allowing minimal connectivity for getting fixed up if they are. This is often referred to as the quarantine network. Many institutions have tried to simply turn off a port and deal with the problem when a user calls. Sometimes the user moves, but even if they don't this doesn't scale very well for widespread problems such as some of the more common worms and viruses that infect a large population. A lot of institutions don't have 24x7 support to handle calls from dorm students who are often up til midnight or later doing work. Many systems can have the connection registration pulled, forcing a new registration immediately. This may be due to proactive scanning or simply to refresh the database at the end of a school year.
I guess this requires very detailed cable map databases and is something some providers are reluctant to develop. Scary thought.....
Correct, this is a problem for universities too. Especially when many of their cabling systems are old and have often been managed (or not) by transient workers (e.g. student employees) over the years. John
On Mon, 15 Mar 2004, John Kristoff wrote:
There are certain environments where it would be nice for people to have spent some time. Working at a university would be one good experience for many people, particularly in this field, to have had.
I fully agree... This is the one environment where you definitely can't trust your users. Unlike most home markets and corporate markets, these kids often forget they are paying for service and thus abuse it.
think of one university who requires students to login through a web portal before giving them a routable address. This is such a waste of
In most implementations I'm familiar with, the time and effort is mostly spent in the initial deployment of such a system.
I'm not referring to the time required to implement. I'm talking about the time it takes for the user. On the user end. Let's do some simple math. Let's say I turn on my laptop before I shower, I power it down during the day while I'm in class and I turn it back on when I get home in the evening. This means two logins per day. Let's say that the login process is very rapid and takes 30 seconds. This is a whole minute per day required to login. Now multiply this by a month and you've wasted 30 minutes of my time. I coulda spent that time watching TV or, heaven forbid, doing homework. :) My big thing is that often users are the ones who are paying the price and spending the time. I think either system (the MAC-IP lookup or the user auth system) could be created in a week using C++ or Perl. This week of development is nothing in the long run when compared to the amount of time it now costs the users. Come on, how many users save their mail passwords so they don't have to type it in every time? What about your dialup password? Too bad I can't automate the web logins. I don't know a single "normal" (not one of us NANOG folks...) user who has not opted to save their WinXP password so they don't have to type it in every time they reboot the computer. Andrew --- <zerocool@netpath.net> http://www.andrewsworld.net/ ICQ: 2895251 Cisco Certified Network Associate "Learn from the mistakes of others. You won't live long enough to make all of them yourself."
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Andrew Dorsett Sent: March 15, 2004 11:17 PM To: John Kristoff Cc: nanog@merit.edu Subject: Re: who offers cheap (personal) 1U colo?
I'm not referring to the time required to implement. I'm talking about the time it takes for the user. On the user end. Let's do some simple math. Let's say I turn on my laptop before I shower, I power it down during the day while I'm in class and I turn it back on when I get home in the evening. This means two logins per day. Let's say that the login process is very rapid and takes 30 seconds. This is a whole minute per day required to login. Now multiply this by a month and you've wasted 30 minutes of my time. I coulda spent that time watching TV or, heaven forbid, doing homework. :) My big thing is that often users are the ones who are paying the price and spending the time. I think either system (the MAC-IP lookup or the user auth system) could be created in a week using C++ or Perl. This week of development is nothing in the long run when compared to the amount of time it now costs the users. Come on, how many users save their mail passwords so they don't have to type it in every time? What about your dialup password? Too bad I can't automate the web logins.
You must be talking about a different Netreg system than the one everyone else has used. The one we're talking about involves you logging in when you connect with an unknown MAC - once you've used the system to match your MAC to your student number/login/etc, then the DHCP server will give you a real IP the next time you request a lease... Vivien -- Vivien M. vivienm@dyndns.org Assistant System Administrator Dynamic Network Services, Inc. http://www.dyndns.org/
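The two mechanisms discussed above, a MAC-to-user registration table (the Netreg model Vivien describes) and Sean Donelan's point that one rebooting host shows up under many IPs, can be tied together at the abuse desk with a small amount of lease-log correlation. The script below is an added example, not code from the thread or from any Netreg product; it assumes ISC dhcpd-style DHCPACK syslog lines and a hypothetical MAC-to-username table, both constructed inline.

```python
"""Constructed example: resolve an (IP, time) abuse report to a MAC and a
registered user, and key any block on the MAC rather than the IP.

Assumes ISC dhcpd-style syslog lines ("DHCPACK on <ip> to <mac> via <if>")
and a hypothetical netreg table mapping MAC -> username. Neither is from
the original thread.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one infected laptop (MAC ...:44:55) cycling
# through three addresses as it reboots, one healthy host that later
# picks up an address the infected host used, and one unregistered MAC
# that only ever sees the quarantine range (10.20.250.0/24).
SAMPLE_LOG = """\
Mar 14 22:01:05 dhcp1 dhcpd: DHCPACK on 10.20.1.10 to 00:11:22:33:44:55 via eth0
Mar 14 22:03:11 dhcp1 dhcpd: DHCPACK on 10.20.1.11 to 00:11:22:33:44:55 via eth0
Mar 14 22:05:19 dhcp1 dhcpd: DHCPACK on 10.20.1.12 to 00:11:22:33:44:55 via eth0
Mar 14 22:06:00 dhcp1 dhcpd: DHCPACK on 10.20.1.20 to 00:aa:bb:cc:dd:ee via eth0
Mar 14 22:07:42 dhcp1 dhcpd: DHCPACK on 10.20.250.5 to 00:de:ad:be:ef:01 via eth0
Mar 14 22:09:30 dhcp1 dhcpd: DHCPACK on 10.20.1.10 to 00:aa:bb:cc:dd:ee via eth0
"""

# Constructed netreg table (hypothetical usernames).
REGISTRY = {
    "00:11:22:33:44:55": "jstudent",
    "00:aa:bb:cc:dd:ee": "asmith",
}

ACK_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
)
YEAR = 2004  # syslog timestamps carry no year; the thread is from March 2004


def syslog_time(stamp: str) -> datetime:
    """Parse 'Mar 14 22:01:05' into a datetime using the assumed YEAR."""
    return datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")


def parse_acks(log: str) -> list[tuple[datetime, str, str]]:
    """Return (time, ip, mac) for every DHCPACK line, in log order."""
    acks = []
    for line in log.splitlines():
        m = ACK_RE.match(line)
        if not m:
            continue  # DISCOVER/OFFER/REQUEST lines are not needed here
        acks.append((syslog_time(m["ts"]), m["ip"], m["mac"].lower()))
    return acks


def ips_per_mac(acks) -> dict[str, list[str]]:
    """Distinct addresses each MAC has held. A long list for one MAC is the
    overblocking case: an IP-keyed blocklist would have to grow with it."""
    seen: dict[str, list[str]] = defaultdict(list)
    for _, ip, mac in acks:
        if ip not in seen[mac]:
            seen[mac].append(ip)
    return dict(seen)


def mac_at(acks, ip: str, when: datetime) -> str | None:
    """MAC that held `ip` at `when`: the latest ACK for that IP at or before
    the report time. A later ACK for the same IP means the lease moved."""
    holder = None
    for ts, ack_ip, mac in acks:
        if ack_ip == ip and ts <= when:
            holder = mac
    return holder


def resolve_report(acks, registry, ip: str, when: datetime) -> dict:
    """Turn an (IP, time) abuse report into a MAC and, if registered, a
    username; an unknown MAC is flagged 'unregistered' for follow-up."""
    mac = mac_at(acks, ip, when)
    if mac is None:
        return {"ip": ip, "mac": None, "user": None}
    return {"ip": ip, "mac": mac, "user": registry.get(mac, "unregistered")}


if __name__ == "__main__":
    acks = parse_acks(SAMPLE_LOG)
    for mac, ips in ips_per_mac(acks).items():
        print(f"{mac} held {len(ips)} address(es): {', '.join(ips)}")
    print(resolve_report(acks, REGISTRY, "10.20.1.10", syslog_time("Mar 14 22:04:00")))
```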
On Mon, 15 Mar 2004, Vivien M. wrote:
You must be talking about a different Netreg system than the one everyone else has used. The one we're talking about involves you logging in when you connect with an unknown MAC - once you've used the system to match your MAC to your student number/login/etc, then the DHCP server will give you a real IP the next time you request a lease...
Yes I am... I am referring to a system which an unmentionable university has in place. It requires the user to enter their username and password each time the link state changes before they are allowed outside of the local LAN. This is also similar to the new port authentication system on the Extreme Networks switches. It automatically doles out an address to the user so they can access a login portal and then it reissues them a legitimate address once they have been authenticated. This is a pretty slick setup for mobile users who connect in temporarily to public portals, but it makes little sense in a fixed network environment of a dorm room or office. Andrew --- <zerocool@netpath.net> http://www.andrewsworld.net/ ICQ: 2895251 Cisco Certified Network Associate "Learn from the mistakes of others. You won't live long enough to make all of them yourself."
On Mon, 15 Mar 2004, Andrew Dorsett wrote:
On Mon, 15 Mar 2004, Vivien M. wrote: Yes I am... I am referring to a system which an unmentionable university has in place. It requires the user to enter their username and password each time the link state changes before they are allowed outside of the local LAN. This is also similar to the new port authentication system on the Extreme Networks switches. It automatically doles out an address to the user so they can access a login portal and then it reissues them a legitimate address once they have been authenticated. This is a pretty slick setup for mobile users who connect in temporarily to public portals, but it makes little sense in a fixed network environment of a dorm room or office.
It's the same type of system used for hotspots. Curtis -- Curtis Maurand mailto:curtis@maurand.com http://www.maurand.com
On Mon, 15 Mar 2004, Vivien M. wrote:
You must be talking about a different Netreg system than the one everyone else has used. The one we're talking about involves you logging in when you connect with an unknown MAC - once you've used the system to match your MAC to your student number/login/etc, then the DHCP server will give you a real IP the next time you request a lease...
Then anyone can walk up to the machine and get onto the network simply by turning on the machine. The system you're looking for involves biometrics or smartcards. Firewalls between student and administration areas would be a good idea as well. Curtis -- Curtis Maurand mailto:curtis@maurand.com http://www.maurand.com
Curtis Maurand wrote:
Then anyone can walk up to the machine and get onto the network simply by turning on the machine.
The system you're looking for involves biometrics or smartcards. Firewalls between student and administration areas would be a good idea as well.
It must be dreadful to work in a place where everybody is The Enemy. In case I ever get another job at a University, how do you separate "student areas" from "administration areas"? In my limited experience, we had students in labs, classrooms, and offices in the Administration Building, administrators (RAs, residents, offices) in the Residence Halls, all kinds of creepy people in the libraries, classrooms, offices, dining rooms, and recreational and exercise facilities. Do you use armed guards to keep everybody in their proper areas? -- Requiescas in pace o email
Painting with a broad brush, the differentiation between student and administrative networks is based on location, role and ownership. A public Ethernet port in a library is a "student" network even though "administrative" computers may be connected from time to time. The librarian's machine is attached to an "administrative" network. This is a fluid definition since the students often work on "administrative" computers. The real differentiator is that the "student" networks are comprised of machines the university does not own or have direct administrative control over, and securing these machines is up to the owner. An administrative network is a network of machines owned and controlled by the university, hence the security policy is defined, implemented and enforced by the responsible parties within the university. Scott C. McGrath On Tue, 16 Mar 2004, Laurence F. Sheldon, Jr. wrote:
Curtis Maurand wrote:
Then anyone can walk up to the machine and get onto the network simply by turning on the machine.
The system you're looking for involves biometrics or smartcards. Firewalls between student and administration areas would be a good idea as well.
It must be dreadful to work in a place where everybody is The Enemy.
In case I ever get another job at a University, how do you separate "student areas" from "administration areas"?
In my limited experience, we had students in labs, classrooms, and offices in the Administration Building, administrators (RAs, residents, offices) in the Residence Halls, all kinds of creepy people in the libraries, classrooms, offices, dining rooms, and recreational and exercise facilities. Do you use armed guards to keep everybody in their proper areas?
-- Requiescas in pace o email
On Mon, 15 Mar 2004 23:17:27 -0500 (EST) Andrew Dorsett <zerocool@netpath.net> wrote:
I'm not referring to the time required to implement. I'm talking about the time it takes for the user. On the user end. Let's do some simple math. Let's say I turn on my laptop before I shower, I power it down during the day while I'm in class and I turn it back on when I get home in the evening. This means two logins per day. Let's say that the login
The systems I'm familiar with require only a single login per quarter, semester or school year unless there is a manual de-registration, which is most often due to an AUP violation or system compromise. John
On Sun, 14 Mar 2004, Sean Donelan wrote:
line, then the question becomes should you be able to send mail directly from your home server with a static IP address on a DSL line until abused? No need to buy another box, find a colo or figure out how to remotely administer another system or tunnel to it to send mail.
I think this is hinting at another larger issue. The fact that so many ISPs are filtering services and controlling what a user can and can't do. I know several providers who block SMTP outbound at their border for anything that's not their mail box or a registered mail host. Sure this stops spam complaints, but if I'm paying for service I'm wanting raw access, not some censored service. I had major issues with a small ISP who decided they would firewall all of their customers and filter in/out ports. It got to the point I couldn't even send or receive files with individuals using that ISP. Finally I ended up building a VPN through their firewall to conduct business. As far as SMTP goes, in the past I've allowed mail into my machine from anywhere for my domain, then I'd relay my outbound mail through my provider's SMTP box just to bypass all the stupid blacklists. I don't mind the idea of having to register my servers with my ISP or some future regulatory board, but that becomes ridiculous when I'm constantly changing my home network/lab. Andrew --- <zerocool@netpath.net> http://www.andrewsworld.net/ ICQ: 2895251 Cisco Certified Network Associate "Learn from the mistakes of others. You won't live long enough to make all of them yourself."
On Sat, 13 Mar 2004, Stephen Sprunk wrote:
So DOCSIS has a technical limitation which may or may not apply. This is reasonable justification for limiting upstream bandwidth, not for specifying that users can't run servers. If users can run servers effectively in the limited available upstream bandwidth, then there is no _technical_ reason to prevent them.
Thus spake "Sean Donelan" <sean@donelan.com>
I think people are being sloppy about saying no servers on certain types of networks.
Sloppy? IMHO it's completely intentional. Most consumer/residential AUPs explicitly ban running any sort of server -- you have to pay more for that "privilege".
I think the actual requirement is for a long-term end-to-end identifier for systems, and maybe even network users, before they can do certain activities on the network so you can trace or block the system. Systems without long-term unique end-to-end identifiers would only be able to do a limited number of things because they are essentially fungible.
You're talking about the complete death of anonymity... This also touches on a fundamental problem with IP -- its addresses are both locators and identifiers.
If you want to spend about $50/month for a static IP address for your DSL line, then the question becomes should you be able to send mail directly from your home server with a static IP address on a DSL line until abused? No need to buy another box, find a colo or figure out how to remotely administer another system or tunnel to it to send mail.
Some ISPs block or intercept all outbound traffic on port 25 unless you register your mail server (for free). Given the amount of spam coming from virus-infected PCs these days, I have a tough time arguing with that. S -- Stephen Sprunk, CCIE #3723, K5SSS -- "Stupid people surround themselves with smart people. Smart people surround themselves with smart people who disagree with them." --Aaron Sorkin
On Sat, 13 Mar 2004, Stephen Sprunk wrote:
Thus spake "Steven M. Bellovin" <smb@research.att.com>
filter, and the upstream repeaters are fed by a low-pass filter. If too many people are fielding home servers, it affects everyone.
So DOCSIS has a technical limitation which may or may not apply. This is reasonable justification for limiting upstream bandwidth, not for specifying that users can't run servers. If users can run servers effectively in the limited available upstream bandwidth, then there is no _technical_ reason to prevent them.
how are 'servers' (smtp/web/ftp/imap) different than the existing P2P apps? Wouldn't a cable provider, if the decision was based on upstream bandwidth sharing alone, care MORE about P2P than 'servers' ?
Other last-mile technologies provide symmetric bandwidth yet providers still prohibit servers; this is clearly a business issue, not a technical one.
Correct, or so it would seem... the cable modem providers can charge you more for a 'business class' service, which allows 'servers' to be hosted. --Chris (formerly chris@uu.net) -- UUNET Technologies, Inc. -- Manager, Customer Router Security Engineering Team -- (W)703-886-3823 (C)703-338-7319
Christopher L. Morrow wrote:
how are 'servers' (smtp/web/ftp/imap) different than the existing P2P apps? Wouldn't a cable provider, if the decision was based on upstream bandwidth sharing alone, care MORE about P2P than 'servers' ?
But the decision is a business decision, because you can make "businesses" pay more for something that can run servers. And it's harder to kludge smtp/http/etc. to work where servers are not permitted, whereas p2p works by default. Pete
On Sat, 13 Mar 2004, Stephen Sprunk wrote:
So DOCSIS has a technical limitation which may or may not apply. This is reasonable justification for limiting upstream bandwidth, not for specifying that users can't run servers. If users can run servers effectively in the limited available upstream bandwidth, then there is no _technical_ reason to prevent them.
Thus spake "Christopher L. Morrow" <christopher.morrow@mci.com>
how are 'servers' (smtp/web/ftp/imap) different than the existing P2P apps? Wouldn't a cable provider, if the decision was based on upstream bandwidth sharing alone, care MORE about P2P than 'servers' ?
I don't know how common this is, but my ISP's AUP considers P2P apps to be "servers" and thus banned. I don't use file-sharing apps so this doesn't really affect me, but I'm betting my SIP phone is technically a violation too. S -- Stephen Sprunk, CCIE #3723, K5SSS -- "Stupid people surround themselves with smart people. Smart people surround themselves with smart people who disagree with them." --Aaron Sorkin
Why shouldn't an individual be able to operate a server on their DSL or cable modem connection?
Because DSL and cable modem networks have evolved into lowest-cost, widest-reach service networks designed to allow anyone with $30 access to a relatively fat pipe. As a result those networks have turned into rich sources of net garbage, and most clueful network operators have taken to defending themselves against this torrent of silliness. So, I suppose that the question is not so much one of being "allowed" to run a server on an xDSL or cable link, but of the real world effectiveness of doing so.
Why prevent people from running servers on DSL and cable modem connections, yet say they could run an identical server in a colo? Why is one unsafe, and the other is considered Ok?
Nothing is 100% safe, but I'd much rather accept unrestricted traffic from a network with 1000 customers and 2 geek engineers than from a network with 1,000,000 customers and 25 engineers on staff wading through mountains of abuse reports. At least at the smaller, more "geek intensive" level, there is a greater ability to deal with mischief in a timely and decisive fashion. -- Drew Linsalata The Gotham Bus Company, Inc. Colocation and Dedicated Access Solutions http://www.gothambus.com
Paul Vixie wrote:
every time i tell somebody that they shouldn't bother trying to send e-mail from their dsl or cablemodem ip address due to the unlikelihood of a well staffed and well trained and empowered abuse desk defending the reputation of that address space, i also say "buy a 1U and put it someplace with a real abuse desk, and use your dsl or cablemodem to tunnel to that place."
My cable modem provider filters port 25, so I can't run my own SMTP server. Their mail servers suck. Yes, I could pay for a business class cable modem connection and they'd unblock the port... but I'd likely still be filtered. Guess who is having a dedicated 1U set up right now? ;-) I think Paul is right, there is a small niche market for this.
On Sunday, March 14, 2004 4:58 PM [EST], Janet Sullivan <ciscogeek@bgp4.net> wrote:
My cable modem provider filters port 25, so I can't run my own SMTP server. Their mail servers suck. Yes, I could pay for a business class cable modem connection and they'd unblock the port... but I'd likely still be filtered.
Guess who is having a dedicated 1U set up right now? ;-)
I think Paul is right, there is a small niche market for this.
Hm, are there companies out there that offer outbound SMTP services (for people who are blocked, or who need a mail server that's not blacklisted because their provider isn't dealing with spam problems)? I never really looked into it too much, but I haven't seen it offered on providers' sites outright. I was considering setting up a service like this (we have 2-3 outbound mail relay servers that are sitting idle because we don't need them yet), but wasn't sure how interested people would be. Like, say, set up a service that offers people the ability to send outbound mail through based on IP ACLs, possibly SMTP AUTH, TLS/SSL certs, and other things which could authenticate the sender, and have it accept SMTP on various other non-25 ports. -- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org The Abusive Hosts Blocking List http://www.ahbl.org
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Brian Bruns Sent: March 14, 2004 5:19 PM To: nanog@merit.edu Subject: Re: who offers cheap (personal) 1U colo?
Hm, are there companies out there that offer outbound SMTP services (for people who are blocked, or who need a mail server that's not blacklisted because their provider isn't dealing with spam problems)? I never really looked into it too much, but I haven't seen it offered on providers' sites outright.
Have you been looking at providers in the right industry? Such services are usually offered as addons by people who sell DNS services (especially dynamic DNS) and other such things designed to make it easier for people to run their own servers. They do exist, and as was pointed out earlier in this discussion, cost much less than the 1U colo alternative. We do it, and I know at least one or two others in our industry do... Vivien -- Vivien M. vivienm@dyndns.org Assistant System Administrator Dynamic Network Services, Inc. http://www.dyndns.org/
On Sun, March 14, 2004 5:45 pm, Vivien M. said:
Have you been looking at providers in the right industry? Such services are usually offered as addons by people who sell DNS services (especially dynamic DNS) and other such things designed to make it easier for people to run their own servers. They do exist, and as was pointed out earlier in this discussion, cost much less than the 1U colo alternative. We do it, and I know at least one or two others in our industry do...
I have actually. I see an awful lot of services for incoming SMTP filtering of spam/viruses, or just to hold the mail while you are offline, but haven't seen outgoing SMTP services - which is why I asked :-) -- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org The AHBL - http://www.ahbl.org
On Sun, 14 Mar 2004, Brian Bruns wrote:
I have actually. I see an awful lot of services for incoming SMTP filtering of spam/viruses, or just to hold the mail while you are offline, but haven't seen outgoing SMTP services - which is why I asked :-)
As I posted earlier in this thread, DynDNS.org's outgoing SMTP service (available on port 25 and several others as well): http://www.dyndns.org/services/mailhop/outbound/ Some others I know of off-hand: http://www.no-ip.com/services.php/mail/smtp http://www.smtp.com/ -- Tim Wilde twilde@dyndns.org Systems Administrator Dynamic Network Services, Inc. http://www.dyndns.org/
On Sun, 14 Mar 2004, Tim Wilde wrote:
> > I have actually. I see an awful lot of services for incoming SMTP filtering of spam/viruses, or just to hold the mail while you are offline, but haven't seen outgoing SMTP services - which is why I asked :-)
> As I posted earlier in this thread, DynDNS.org's outgoing SMTP service (available on port 25 and several others as well): http://www.dyndns.org/services/mailhop/outbound/ Some others I know of off-hand: http://www.no-ip.com/services.php/mail/smtp http://www.smtp.com/
http://www.pobox.com/ - All accounts come with free (but must be enabled in the web admin interface) SASL-authenticated outbound SMTP. "See this mail's headers." I don't mean to rain on Tim's parade, but it's comparably priced ($15/yr). So pick which service provides the pair of things you need: SMTP and dynamic DNS (dyndns.org), or SMTP and aliasing (pobox.com). -- Todd Vierling <tv@duh.org> <tv@pobox.com>
Sorry this thread is huge, I hope I'm not repeating comments.. if the market for this is nanog and you're just looking for smtp/shell surely we can manage this between ourselves without charge (ask your nanog buddy for a shell as a favour).. I know I can and will do this Steve On Sun, 14 Mar 2004, Janet Sullivan wrote:
Paul Vixie wrote:
every time i tell somebody that they shouldn't bother trying to send e-mail from their dsl or cablemodem ip address due to the unlikelihood of a well staffed and well trained and empowered abuse desk defending the reputation of that address space, i also say "buy a 1U and put it someplace with a real abuse desk, and use your dsl or cablemodem to tunnel to that place."
My cable modem provider filters port 25, so I can't run my own SMTP server. Their mail servers suck. Yes, I could pay for a business class cable modem connection and they'd unblock the port... but I'd likely still be filtered.
Guess who is having a dedicated 1U set up right now? ;-)
I think Paul is right, there is a small niche market for this.
Stephen J. Wilcox wrote:
if the market for this is nanog and you're just looking for smtp/shell surely we can manage this between ourselves without charge (ask your nanog buddy for a shell as a favour).. I know I can and will do this
Well, I do have motives beyond outbound SMTP. I actually looked at some of the mail only services, but I really want someplace that will do IMAP and authenticated SMTP. I want to be able to configure how I filter spam, which I don't want to do at the MUA level because I'll need to access mail various ways from various locations. Besides mail, I want to be able to create and control firewall rules on the box. I also want to be able to set up Apache exactly like I want it, etc. And sometimes it's nice to have shell access on a machine in a different location for troubleshooting purposes. However, I do like the idea of setting up a community of like-minded individuals who would be willing to do secondary MX and/or DNS for each other, and perhaps provide basic shell accounts... On the other hand, I'm a little leery of giving someone I don't know access to one of my boxes. I'm curious how a virtual colocation or dedicated server co-op could work, with values statements on how servers must be run (secure, no SPAM), etc. Would there be member fees? Would members have to democratically vote to let new members in after some kind of vetting process? Would anyone even be interested in such an idea? It would also be interesting to see what kind of monitoring tools could be developed with a diverse set of servers in different parts of the world... could we set up a co-op version of keynote monitoring, where we helped monitor each other?
On Sat, 13 Mar 2004, Paul Vixie wrote:
if you know of a place that offers 1U/month for $50/month with some kind of bandwidth limitations (moderate peak, low average), and a strong abuse desk (including repossessing the 1U server upon proof of abuse or neglect), please send me e-mail with a url and some details. i'll summarize it all online and report the aggregation URL back to this mailing list.
I've always wanted to enter a "niche market" like this. I've never had a boss that saw this as big enough to break even. This really is a small enough endeavour for a few people to start up. Here in NYC, you can get some decent co-lo at a "Tier 1" for $650/mo. and bandwidth at $150/MB with no commit. And that's at a very nice facility. I'm sure that others know of even better deals, but I think that's a fair market price for a facility/name that everyone knows and trusts. If anyone on the east coast also thinks this is something worth putting together (either for-profit or as a co-op situation), feel free to contact me directly. Thanks, Charles
<quote who="Charles Sprickman">
If anyone on the east coast also thinks this is something worth putting together (either for-profit or as a co-op situation), feel free to contact me directly.
This is currently being organized in the IAD area: http://lists.gotroot.com/mailman/listinfo/dcccp We've done a similar setup as a non-profit in SFO/SJC. http://www.communitycolo.net/ It's not for everyone, but it is more than adequate for most people's needs. With some more networking volunteers (as opposed to systems people) we could probably become a lot more robust than we already are. We are currently using 8 cabinets at Hurricane Electric off a 100mbit feed with a bunch of Cisco 1900 and 2900 series switches. Emails to me offlist for anyone interested in knowing more. -davidu
----------------------------------------------------
David A. Ulevitch - Founder, EveryDNS.Net
Washington University in St. Louis
http://david.ulevitch.com -- http://everydns.net
----------------------------------------------------
participants (34)
- Andrew Dorsett
- Brian Bruns
- Charles Sprickman
- Christopher L. Morrow
- Curtis Maurand
- Dave Crocker
- David A. Ulevitch
- Drew Linsalata
- Eric Brunner-Williams in Portland Maine
- Eric Gauthier
- Geo.
- Janet Sullivan
- Jeff McAdams
- jlewis@lewis.org
- John Kristoff
- Ken Diliberto
- Laurence F. Sheldon, Jr.
- Michael Loftis
- Paul Vixie
- Paul Vixie
- Petri Helenius
- Scott McGrath
- Scott Weeks
- Sean Donelan
- Stephen J. Wilcox
- Stephen Sprunk
- Steven M. Bellovin
- Suresh Ramasubramanian
- Tim Wilde
- Todd Vierling
- Valdis.Kletnieks@vt.edu
- Vivien M.
- Will Hargrave
- william(at)elan.net