Schneier: ISPs should bear security burden
I've been there -- I know how I feel about it -- but I'd love to know how ISP operations folk feel about this. Links here: http://www.vnunet.com/news/1162720 ...and, of course, here: http://fergdawg.blogspot.com/2005/04/schneier-isps-should-bear-security.html Off list, if you'd like. Or not. - ferg -- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawg@netzero.net or fergdawg@sbcglobal.net ferg's tech blog: http://fergdawg.blogspot.com/
On 4/27/05, Fergie (Paul Ferguson) <fergdawg@netzero.net> wrote:
I've been there -- I know how I feel about it -- but I'd love to know how ISP operations folk feel about this.
He's right. ISPs owe it to their users, if not to the rest of the Internet community, to do this. A lot of it is also part of the MAAWG BCPs on spam (though the BCPs, when implemented, will do a lot more good than just cut down on spam) -- Suresh Ramasubramanian (ops.lists@gmail.com)
Why do ISPs owe this to their customers? I expect my ISP to deliver packets sent to me, and, to pass along packets I send out. That is the sum total of what I expect from my ISP, and, it's what my contract says is supposed to happen. Where does this belief come from that when user A at company Y sends a packet full of garbage to user B at company Z the ISP at either end is responsible for the contents of the packet? That's like making the phone company responsible for the content of a conversation or saying that Safeway distribution is responsible for the content of Arrowhead spring water bottles that reach Safeway stores. Owen --On Wednesday, April 27, 2005 8:54 +0530 Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
On 4/27/05, Fergie (Paul Ferguson) <fergdawg@netzero.net> wrote:
I've been there -- I know how I feel about it -- but I'd love to know how ISP operations folk feel about this.
He's right. ISPs owe it to their users, if not to the rest of the Internet community, to do this. A lot of it is also part of the MAAWG BCPs on spam (though the BCPs, when implemented, will do a lot more good than just cut down on spam)
-- If this message was not signed with gpg key 0FE2AA3D, it's probably a forgery.
Owen DeLong <owen@delong.com> wrote:
Why do ISPs owe this to their customers?
They don't. (I would argue that they owe it to the rest of the Internet, but that argument is tangential to this discussion.) However, I'd like to add an additional data point: Those of us in .us have undoubtedly seen the AOL commercials touting their comprehensive anti-virus services. (Don't know if they do other malware, FWIW) The services are offered to AOL members at no cost to them. Anyone who thinks AOL is doing this out of the goodness of their hearts, please speak up now... [FX: sound of crickets chirping] Yup. That's what I thought. Not having to support people who have tons of viruses saves money, and therefore is a good idea. Making it easier for people to avoid infection is good business, especially when you are talking about AOL's userbase (in terms of sheer numbers and the Internet expertise of the stereotypical AOL member). It's not up to the online service or ISP to force security updates on their customers. It might be a good idea for them to at least *offer* said updates, though. How many do, besides AOL? And I'd argue that Owen's attitude is appropriate for transit and business-class connections[0] - but if you're talking about a consumer ISP, that's different. If the Big Four[1] US cable companies followed AOL's lead, we'd see a huge drop in malware incidents and zombies. **SJS [0] Always appropriate for transit. Generally appropriate for business-class bandwidth services, although you will still run into a lot of clueless business owners who might end up with the same problems as residential customers. [1] Soon to be Big Three, but currently Comcast, Time Warner, Charter, and Adelphia. -- JustThe.net - Apple Valley, CA - http://JustThe.net/ - 888.480.4NET (4638) Steven J. Sobol, Geek In Charge / sjsobol@JustThe.net / PGP: 0xE3AE35ED "The wisdom of a fool won't set you free" --New Order, "Bizarre Love Triangle"
In message <ifmcvl.cm0wwg@yourwebmail.com>, "Steve Sobol" writes:
And I'd argue that Owen's attitude is appropriate for transit and business-class connections[0] - but if you're talking about a consumer ISP, that's different. If the Big Four[1] US cable companies followed AOL's lead, we'd see a huge drop in malware incidents and zombies.
I see your point, and I almost agree -- almost, but not quite, because there's a very big problem: consumers have very little choice of which broadband ISP they can subscribe to. As you note, there are very few cable ISPs, at least one of whom is also a major content owner. The LECs are flexing their muscles to get rid of UNE, which may eliminate DSL options in many places. That will leave consumers with at most two choices, and the players in that space seem to love walled gardens. Is, for example, p2p "abuse"? After all, it uses up bandwidth. I worry about giving too much power to unaccountable monopolists. --Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Steve Sobol wrote:
And I'd argue that Owen's attitude is appropriate for transit and business-class connections[0] - but if you're talking about a consumer ISP, that's different. If the Big Four[1] US cable companies followed AOL's lead, we'd see a huge drop in malware incidents and zombies.
You could solve 90% of the problems that you perceive are being caused by unrestricted cable modem users by using blocklists to ignore traffic from them. As somebody who picked a DSL provider specifically because it allows me to run any kind of server I want, I'm not highly in favor of blocking traffic from broadband users and killing the end-to-end principle that makes the Internet work, but if the noise-to-signal ratio is too high, it's easy to set up your mail servers to reject mail from cable modem users, or set your routers to null-route their packets, or even null-route-plus-strict-uRPF them if that's what makes your users happy. You'd see a huge drop in zombies because they'd become invisible to you, and while being surrounded by invisible zombies isn't all it's cracked up to be, it's a good start. It puts the choices in the hands of the recipients, and market-like processes will find a balance that's much more varied than imposing technical restrictions on senders (as opposed to don't-spam types of restrictions.) (And in spite of my self-righteous pontificating about not broadly blocking big chunks of people because it blocks the good along with the bad, my main email ISP allows users to pick blocklists by country, and you can bet that I'm blocking email from China, Korea, and Nigeria, and anybody there who wants to reach me can email my work address or use a Yahoo account. I'm not using the DSL/cable blocklists, though, but that mail gets spam-filtered.) -- ---- Thanks; Bill Note that this isn't my regular email account - It's still experimental so far. And Google probably logs and indexes everything you send it.
Bill Stewart wrote:
You could solve 90% of the problems that you perceive are being caused by unrestricted cable modem users by using blocklists to ignore traffic from them.
Which would be great if cable/DSL providers offered some insight into which of their netblocks should be blocked and which shouldn't, but that generally isn't the case, so by blocking a certain ip or /24 or whatever, I don't know if I'm blocking customers whose TOS allows them to run servers, or even perhaps blocking Internet-facing servers run by the provider. (Aside from other valid issues mentioned in a reply that apparently hasn't hit nanog yet)
As somebody who picked a DSL provider specifically because it allows me to run any kind of server I want
What's rDNS for the ip address(es) assigned to you?
I'm not highly in favor of blocking traffic from broadband users and killing the end-to-end principle that makes the Internet work,
I'm not in favor of mindless blocking of entire netblocks that may contain stuff that should not be blocked, but broadband providers are notorious for (e.g.) lumping residential customers that can be blocked, with no collateral damage, in the same netblocks as business customers who need to run Internet facing servers, and (e.g.) not providing an easy way to differentiate between the two classes of customer in the first place. -- JustThe.net - Apple Valley, CA - http://JustThe.net/ - 888.480.4NET (4638) Steven J. Sobol, Geek In Charge / sjsobol@JustThe.net / PGP: 0xE3AE35ED "The wisdom of a fool won't set you free" --New Order, "Bizarre Love Triangle"
What's rDNS for the ip address(es) assigned to you?
I don't know about him, but, on my ADSL connection, it is controlled by my nameservers:

    ;; ANSWER SECTION:
    10.159.192.in-addr.arpa. 86400 IN NS ns.rop.edu.
    10.159.192.in-addr.arpa. 86400 IN NS ns.delong.sj.ca.us.
I'm not highly in favor of blocking traffic from broadband users and killing the end-to-end principle that makes the Internet work,
I'm not in favor of mindless blocking of entire netblocks that may contain stuff that should not be blocked, but broadband providers are notorious for (e.g.) lumping residential customers that can be blocked, with no collateral damage, in the same netblocks as business customers who need to run Internet facing servers, and (e.g.) not providing an easy way to differentiate between the two classes of customer in the first place.
Who are you to decide that there is no damage to blocking residential customers? I'm a residential customer, but, I have a number of servers running, and, a port 25 block would be very destructive to the operation of my mailserver. Why should an ISP decide what a residential customer can or can't do with their internet connection. (This is not an advocation for abandoning TOS or allowing abuse. I am talking about within the confines of legitimate internet use, such as hosting a web site (or even several), running nameservers, mail server(s), etc.) Owen -- If this message was not signed with gpg key 0FE2AA3D, it's probably a forgery.
On Wed, 27 Apr 2005, Owen DeLong wrote:
What's rDNS for the ip address(es) assigned to you?
I don't know about him, but, on my ADSL connection, it is controlled by my nameservers:
    ;; ANSWER SECTION:
    10.159.192.in-addr.arpa. 86400 IN NS ns.rop.edu.
    10.159.192.in-addr.arpa. 86400 IN NS ns.delong.sj.ca.us.
Who are you to decide that there is no damage to blocking residential customers? I'm a residential customer, but, I have a number of servers running, and, a port 25 block would be very destructive to the operation of my mailserver.
Ah, but *you* wouldn't get blocked. You maintain your own rDNS and presumably have enough clue to not make the rDNS look like a pool of dynamic residential IPs that aren't terribly important. To wit:

    sjsobol@amethyst: ~ $host 192.159.10.1
    1.10.159.192.in-addr.arpa domain name pointer ns.delong.sj.ca.us.
    sjsobol@amethyst: ~ $host 192.159.10.2
    2.10.159.192.in-addr.arpa domain name pointer owen.delong.sj.ca.us.
    sjsobol@amethyst: ~ $host 192.159.10.8
    8.10.159.192.in-addr.arpa domain name pointer www.diagnostix.com.

Those are OBVIOUSLY not hostnames that comply with de-facto standards for dynamically assigned dialup and broadband pools like ip-192-168-0-1.AppleValleyCA.BigDSLProvider.net or port1.as29.phoenix.DialupFarm.com (for example). The idea is that your ISP should either allow you to run your own DNS or give you DNS that doesn't look like something out of a big pool of addresses, which makes it much, MUCH easier to decide what to block and what not to block. Any IP that a provider allows servers on should have distinctive, non-dynamic-looking DNS (and preferably be in a separate netblock from the dynamically-assigned IPs). That way you can be reasonably sure that you're not blocking someone whose ISP has allowed them to run servers. (Some providers are much better than others at doing this kind of thing...)
Why should an ISP decide what a residential customer can or can't do with their internet connection. (This is not an advocation for abandoning TOS or allowing abuse. I am talking about within the confines of legitimate internet use, such as hosting a web site (or even several), running nameservers, mail server(s), etc.)
Your ISP, or the provider of the person deciding whether to block you? Is there anything wrong with an ISP saying "you can't run servers on certain types of Internet connection"? -- JustThe.net - Apple Valley, CA - http://JustThe.net/ - 888.480.4NET (4638) Steven J. Sobol, Geek In Charge / sjsobol@JustThe.net / PGP: 0xE3AE35ED "The wisdom of a fool won't set you free" --New Order, "Bizarre Love Triangle"
Ah, but *you* wouldn't get blocked. You maintain your own rDNS and presumably have enough clue to not make the rDNS look like a pool of dynamic residential IPs that aren't terribly important. To wit:
Um, that's not what I thought this discussion was about. I thought this discussion was about ISPs that are blocking things like my going out to port 25 on various random hosts (something mailhost.delong.com does on a regular basis, as does owen.delong.com, both of which are mail relay machines, neither of which is an open relay).
Those are OBVIOUSLY not hostnames that comply with de-facto standards for dynamically assigned dialup and broadband pools like
I would hope not. I've put lots of work into naming my hosts. :-)
The idea is that your ISP should either allow you to run your own DNS or give you DNS that doesn't look like something out of a big pool of addresses, which makes it much, MUCH easier to decide what to block and what not to block. Any IP that a provider allows servers on should have distinctive, non-dynamic-looking DNS (and preferably be in a separate netblock from the dynamically-assigned IPs).
Again, we're talking about apples and oranges. You're talking about some other ISP blocking based on rDNS. I'm talking about my ISP blocking based on ports. What other ISPs block is between them and their customers. Yes, sometimes it's annoying, but, it's really between them and their customers, so, little I can do. What I'm saying is I don't want an ISP that blocks my ports in either direction by default. However, I am a residential ADSL customer using a UNI.
That way you can be reasonably sure that you're not blocking someone whose ISP has allowed them to run servers.
Generally, until someone abuses my network, I don't block anyone trying to get to any of the ports on which I choose to offer services.
Why should an ISP decide what a residential customer can or can't do with their internet connection. (This is not an advocation for abandoning TOS or allowing abuse. I am talking about within the confines of legitimate internet use, such as hosting a web site (or even several), running nameservers, mail server(s), etc.)
Your ISP, or the provider of the person deciding whether to block you?
Either.
Is there anything wrong with an ISP saying "you can't run servers on certain types of Internet connection"?
Yes. I can see the ISP saying "You're not allowed to push more than X bandwidth" on certain types of connections. I can even see them being unwilling to provide a static IP. However, telling me what I can or can't use the bandwidth for is absurd. What difference does it make to the ISP which side initiated the TCP connection or sent the first UDP datagram in a given flow? Owen
On Thu, Apr 28, 2005 at 02:16:36AM -0400, Steven J. Sobol wrote:
Any IP that a provider allows servers on should have distinctive, non-dynamic-looking DNS (and preferably be in a separate netblock from the dynamically-assigned IPs).
What the hell is a "non-dynamic-looking DNS"? Sure, if I see something like "static-192-168-1-1.isp.net" I can be reasonably sure that it's non-dynamic-looking, but what does the same thing look like in Portuguese? German? Spanish? French? (Korean? Chinese?) Just wait'll we start getting unicode DNS names in non-English alphabets. Perhaps then you can tell what to look for in a string of Kanji symbols which might be suggestive of the concept of "static". - mark -- Mark Newton Email: newton@internode.com.au (W) Network Engineer Email: newton@atdot.dotat.org (H) Internode Systems Pty Ltd Desk: +61-8-82282999 "Network Man" - Anagram of "Mark Newton" Mobile: +61-416-202-223
Mark Newton <newton@internode.com.au> wrote:
On Thu, Apr 28, 2005 at 02:16:36AM -0400, Steven J. Sobol wrote:
Any IP that a provider allows servers on should have distinctive, non-dynamic-looking DNS (and preferably be in a separate netblock from the dynamically-assigned IPs).
What the hell is a "non-dynamic-looking DNS"? Sure, if I see something like "static-192-168-1-1.isp.net" I can be reasonably sure that it's non-dynamic-looking, but what does the same thing look like in Portuguese? German? Spanish? French? (Korean? Chinese?)
France Telecom has a reasonably easy-to-understand naming scheme that ends in <POP-Location>.wanadoo.fr. Deutsche Telekom has an equally easy-to-understand scheme that ends in dip.t-dialin.de (for their German dialups, anyhow).
Just wait'll we start getting unicode DNS names in non-English alphabets. Perhaps then you can tell what to look for in a string of Kanji symbols which might be suggestive of the concept of "static".
There are some basic rules of thumb you can use. The problem is that they're not guaranteed to work. The best solution was created years ago (Gordon Fecyk's DUL, which lists IP ranges the ISPs specifically register as dynamic/not supposed to host servers) and eventually came under the purview of Kelkea/MAPS, but there wasn't a ton of ISP buy-in. If we could create a similar list and actually get ISPs to register the appropriate netblocks (and not mix in IPs where servers are allowed, and IPs where they aren't, in the same block), that'd be great. -- JustThe.net - Apple Valley, CA - http://JustThe.net/ - 888.480.4NET (4638) Steven J. Sobol, Geek In Charge / sjsobol@JustThe.net / PGP: 0xE3AE35ED "The wisdom of a fool won't set you free" --New Order, "Bizarre Love Triangle"
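A worked illustration of the registered-netblock idea Steve describes above, and of the collateral-damage problem raised earlier in the thread (residential pools and business statics sharing one /24). This is an added example, not code from this thread or from any DUL implementation; the registry entries, prefixes and policy names are constructed for the example and use documentation address ranges. The lookup is longest-prefix match over the provider's registered entries, so a more-specific carve-out overrides the pool it sits in, which is exactly what a coarse "block the /24" rule cannot do.

```python
import ipaddress
from typing import List, Optional, Tuple

Entry = Tuple[ipaddress.IPv4Network, str]

# Constructed registry in the spirit of a DUL: prefixes a provider registers,
# tagged with the policy that applies to them. Documentation ranges only.
REGISTRY = [
    ("198.51.100.0/24", "dynamic"),       # residential pool, TOS forbids servers
    ("198.51.100.128/26", "static"),      # business carve-out inside that same /24
    ("203.0.113.0/25", "dynamic"),
    ("203.0.113.64/32", "static"),        # one customer allowed to run servers
    ("192.0.2.0/24", "infrastructure"),   # the provider's own relays
]


def build_table(entries) -> List[Entry]:
    """Parse the registry and order it most-specific first so the first hit wins."""
    table = [(ipaddress.ip_network(prefix), policy) for prefix, policy in entries]
    table.sort(key=lambda e: e[0].prefixlen, reverse=True)
    return table


def lookup(ip: str, table: List[Entry]) -> Optional[Entry]:
    """Longest-prefix match: a registered /26 carve-out beats the /24 pool around it."""
    addr = ipaddress.ip_address(ip)
    for net, policy in table:
        if addr in net:
            return net, policy
    return None


def should_accept_smtp(ip: str, table: List[Entry]) -> bool:
    """Reject only space the provider registered as dynamic. Unlisted space is
    accepted, because a DUL is a block list, not an allow list."""
    hit = lookup(ip, table)
    return hit is None or hit[1] != "dynamic"


def collateral(table: List[Entry], coarse_prefix: str) -> int:
    """How many addresses inside coarse_prefix the registry marks as something
    other than dynamic, i.e. what a blanket block of that prefix would wrongly hit."""
    count = 0
    for addr in ipaddress.ip_network(coarse_prefix):
        hit = lookup(str(addr), table)
        if hit is not None and hit[1] != "dynamic":
            count += 1
    return count


if __name__ == "__main__":
    table = build_table(REGISTRY)
    for ip in ("198.51.100.5", "198.51.100.130", "203.0.113.64", "203.0.113.65"):
        net, policy = lookup(ip, table)
        print(f"{ip:16} {str(net):20} {policy:15} accept={should_accept_smtp(ip, table)}")
    print("addresses a blanket block of 198.51.100.0/24 would wrongly hit:",
          collateral(table, "198.51.100.0/24"))
```

The registry only helps if the provider registers blocks at the granularity it actually assigns them; the collateral() figure is what a recipient who blocks the whole /24 instead of the registered pool loses, which is the mixing problem described above.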
on Thu, Apr 28, 2005 at 10:20:37AM -0400, Steve Sobol wrote:
Mark Newton <newton@internode.com.au> wrote:
On Thu, Apr 28, 2005 at 02:16:36AM -0400, Steven J. Sobol wrote:
Any IP that a provider allows servers on should have distinctive, non-dynamic-looking DNS (and preferably be in a separate netblock from the dynamically-assigned IPs).
What the hell is a "non-dynamic-looking DNS"? Sure, if I see something like "static-192-168-1-1.isp.net" I can be reasonably sure that it's non-dynamic-looking, but what does the same thing look like in Portuguese? German? Spanish? French? (Korean? Chinese?)
France Telecom has a reasonably easy-to-understand naming scheme that ends in <POP-Location>.wanadoo.fr.
Hrm? The only examples I have are:

    .abo.wanadoo.fr
    .adsl.wanadoo.fr   \ --- haven't seen any of these in a long time, though
    .cable.wanadoo.fr  /

with the POP-Location coming at the forefront, after 'A', e.g.

    ANantes-106-1-5-107.w193-251.abo.wanadoo.fr
    AVelizy-154-1-44-113.w82-124.abo.wanadoo.fr
    APoitiers-152-1-35-162.w83-193.abo.wanadoo.fr

or 'L' or 'M'

    Laubervilliers-151_11-15-186.w82-127.abo.wanadoo.fr
    LNeuilly-152_21-4-2.w82-127.abo.wanadoo.fr
    Mix-Amiens-107-2-8.w193-248.abo.wanadoo.fr

or 'ca', which I assume is for cable:

    ca-angers-2-19.w80-8.abo.wanadoo.fr
Deutsche Telekom has an equally easy-to-understand scheme that ends in dip.t-dialin.de (for their German dialups, anyhow).
They must be filtering/redirecting outbound port 25, then; it's been some time since I saw any of their traffic here in the logs. Or maybe it's because they're using t-dialin.net now. <clickety clack> Yep. I don't see any t-dialin.de in 60 days, but tons of t-dialin.net hosts. -- hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com join us! http://hesketh.com/about/careers/account_manager.html join us!
On Thu, 28 Apr 2005 16:38:00 +0930, Mark Newton said:
Just wait'll we start getting unicode DNS names in non-English alphabets. Perhaps then you can tell what to look for in a string of Kanji symbols which might be suggestive of the concept of "static".
We may not even have to wait that long, as it appears to be in the pipe already.... http://www.i-dns.net/newsroom/news/GE050301-01.html
on Thu, Apr 28, 2005 at 04:38:00PM +0930, Mark Newton wrote:
On Thu, Apr 28, 2005 at 02:16:36AM -0400, Steven J. Sobol wrote:
Any IP that a provider allows servers on should have distinctive, non-dynamic-looking DNS (and preferably be in a separate netblock from the dynamically-assigned IPs).
What the hell is a "non-dynamic-looking DNS"? Sure, if I see something like "static-192-168-1-1.isp.net" I can be reasonably sure that it's non-dynamic-looking,
Eh, doesn't really matter to me, it's still generic, and still impossible to tell from static-192-168-1-2.isp.net, and if they've sent me spam or a virus or hammered on my ssh/ftp/pop servers, I'm not going to accept mail from them, either. Want to run a mail server? Give it non-generic rDNS. I already assume that it should be on a static IP, but that doesn't mean I assume that all static connections are worth accepting mail from.
but what does the same thing look like in Portuguese?
e.g.

    197.87.30.213.rev.vodafone.pt           (rev? boy, there's an informative naming convention for rDNS - it's "rev", everybody)
    adsl-norte02-1-136.vianw.pt             - no way to tell if it's static/dynamic
    195-23-87-54.tvtel.pt                   - no way to tell
    adslfixo-b3-115-101.telepac.pt          - static
    adslsapo-b4-38-128.telepac.pt           - 'sapo' means 'frog', apparently
    dial-b3-61-196.telepac.pt               - assumed dynamic
    0000007790-10001150399.acesso.oni.pt    - acesso? static or dynamic?
    195-23-125-174.net.novis.pt             - apparently, it's some kind of network
    48-29.dial.nortenet.pt                  - assumed dynamic
    pal-213-228-134-120.netvisao.pt         - no way to tell
    a213-22-198-130.netcabo.pt              - no way to tell
    0000002180-0001062928.dial.net4b.pt     - no way to tell, assumed dynamic
    d173018.csc.net.KPNQwest.pt             - ".net"? no way to tell
    213-63-0-209.jdsl.jazznet.pt            - no way to tell
    194-79-84-31.nr.ip.pt                   - no idea

At least some of the Portuguese providers use right-anchored substrings so you don't have to use regexes to block mail from generic hosts. All of those hosts have spammed me, so I don't accept mail from any of them or anything that looks like them anymore. Brazil is a mess, but they still adhere to many of the same sorts of rDNS naming conventions as everyone else, they just tend to do it really haphazardly. You'll see 'fixo' for static, 'dinamico' for dynamic, 'cliente' for client, 'rede' for network, 'cabo' for cable. I've seen at least one 'conexao'. I dunno about PT influence on other parts of the world.
German?
    213-239-235-249.clients.your-server.de
    pop8-427.catv.wtnet.de
    62.241.33.6.rev.worldbone.de
    dont-blame-admin-its-a-dsl-pool-12-41.wobline.de   <-- a personal fave
    189-50.access.witcom.de
    u2-25.dsl.vianetworks.de
    ppp025.f.ipdial.vianetworks.de
    154.2.sr1.DTM1.ip.versanet.de
    a188060.studnetz.uni-leipzig.de   <-- resnet
    dynamic202.jura.uni-bonn.de
    ip-112-188.travedsl.de
    c-217.27.193.195.host.tnp-potsdam.de
    42.adsl.tnp-potsdam.de
    p213.54.0.171.tisdip.tiscali.de
    td9091b9a.adsl.terralink.de
    td9091c62.pool.terralink.de

etc. Same case as above. You might be surprised at how consistent the naming conventions are, with very little local color.
Spanish?
Some regional differences between Mexico and Latin America on the one hand and Spain on the other, but some examples from both:

    via-addr11018.vianetworks.es
    62-36-112-5.dialup.uni2.es
    62-37-53-13.mad2.adsl.uni2.es
    62-36-123-150.unresolved.net.uni2.es   <-- personal fave
    193-152-205-108.uc.nombres.ttd.es
    213-129-168-49.DialUp.tiscali.es
    48.host.terra.es
    cm-213.141.42-126.telecable.es
    d213-102-65-192.cust.tele2.es
    128-VIGO-X6.libre.retevision.es
    81-172-11-216.usuarios.retecal.es
    62-15-203-25.inversas.jazztel.es
    eu04-11.clientes.euskaltel.es
    host-200.77.152.40-cust.telemedia.net.mx
    dsl-201-128-15-62.prodigy.net.mx
    ip-fir-clbi207-249-85-82mexis.net.mx   (sic)
    host112197.metrored.net.mx
    customer-COB-122-31.megared.net.mx
    dialip-200-53-62-177-gdl.marcanet.net.mx
    ap-tp-acs15-093.ap.infosel.net.mx
    dial-148-243-59-179.zone-1.dial.net.mx
    cablea0olr.cybercable.net.mx
    cmodem067.zona5.cablered.net.mx
    host-148-244-152-186.block.alestra.net.mx
    telviso-dsl-bloques-03-200-85-107-243.telviso.net.ar
    adsl187-teco.via-net-works.net.ar
    200-42-111-172.dup.prima.net.ar
    200-42-83-250.cab.prima.net.ar
    200-55-75-126.dsl.prima.net.ar
    dig-ppp69156547.copetel.net.ar
    line106.comsat.net.ar

'red', mostly, for 'network'. And 'usuarios' for 'users', 'linea' for line. The universities are the worst, as you end up with names of sciences and disciplines and so forth, but as long as you don't block 'correo' or 'fpe' or 'fep' you should be fine.
French?
French is more difficult, as you might expect, because of course they all use French words from time to time and last I knew, the official government position was to create French words to replace any borrowed American/English words so as to prevent the lingo from being corrupted. So, a lot more mail servers named "courrier-electronique1.example.fr" and the like. But when it comes to the multinationals, the naming is usually the same or similar.

    ANantes-106-1-5-107.w193-251.abo.wanadoo.fr
    dyn-195-242-113-210.ppp.tiscali.fr
    rev.host-159.6.tiscali-business.fr
    d213-103-74-10.cust.tele2.fr
    c2cea00e.adsl.oleane.fr
    c3065fb3.tutti.oleane.fr   <-- dunno. "all"?
    ip-202.net-81-220-135.standre.rev.numericable.fr
    e232.dhcp212-198-94.noos.fr
    ppp-6.net-102.magic.fr
    isdn-211.nantes.imaginet.fr
    du-201-1.nat.dialup.freesurf.fr
    infodis6238-2.clients.easynet.fr
    du-214-105.nat.adsl.claranet.fr

You'll see 'abo' for 'cable', perhaps? as well as 'cable'. But for most of the abbreviations and acronyms you'll see the same thing worldwide. They haven't bothered to backtranslate PPP or ISDN or ADSL or DHCP. And in Canada, where the movement to require multiple PTR records for each IP in both French and English has stalled, you'll see stuff like:

    d109.rocler.qc.ca        - wtf?
    IGV-C122.rocler.qc.ca    - ?
    ppp1239.webnet.qc.ca
    dyn-230.loisirquebec.QC.CA
    ppp36.67-113-216.ivic.qc.ca
    ppp2-15.infoteck.qc.ca
    dsl-205-205-142-112.cooptel.qc.ca
    cnq20-253.cablevision.qc.ca
    181-111-cormier-56k.9bit.qc.ca

You'll also see 'modemcable' or 'mc', such as videotron.ca, or intermonde.ca uses, but they're the only ones I know of.
(Korean? Chinese?)
Dunno. Don't have many examples of those, as I block most traffic from there, and what I didn't block didn't often have rDNS anyway. The one net.cn example I have, nova, named all of their rDNS with user.nova.net.cn - yep, that's it - what every host is named. And the other non-edu example I have is ppp191-188-129-61.online.sh.cn

Taiwan, on the other hand, is a complete mess in the edu space. But in .net.tw it's pretty anglified and for the most part uses right anchors:

    tp167099.adsl.tisnet.net.tw
    tp167099.adsl.static.tisnet.net.tw
    150-186.73.211-tdtv.tinp.net.tw
    25.69.81.219.dynamic.tfn.net.tw
    219-81-103-119.static.tfn.net.tw
    61-62-33-143-adsl-tai.STATIC.so-net.net.tw
    139-175-217-18.dialup.dynamic.seed.net.tw
    221-169-101-166.adsl.static.seed.net.tw
    218-187-123-82.dynamic.best.lsc.net.tw
    243-197-63-61.lease.isl.net.tw
    61-70-116-205.adsl.static.giga.net.tw
    203-203-103-33.cable.dynamic.giga.net.tw
    host81.21067173.gcn.net.tw

FPT Viet Nam uses 'adsl-pool-xxx', 'adsl-fix-xxx', and 'dialup-xxx' (yes, the x's are part of the actual name, not a placeholder for the numbers).

The only ISPs' naming conventions I've had a difficult time translating are the Finns, and the occasional Hungarian or Rumanian; and even those give an opportunity for creativity:

    dsl-XXII-150.kotikaista.weppi.fi   - yep, Roman numerals

There are three or more Finnish ISPs using full-on Roman Numerals for their rDNS naming: multi.fi, weppi.fi, and saunalahti.fi. But even the rest of the Finns use 'dsl', 'catv', 'dialup'. I think the only regional variation is 'netti', which I assume means 'net'. The Swedes use 'bredband'. The Japanese use 'flets' and 'ftth', the Dutch and others sometimes use 'kabel', Spanish speakers have 'telviso', and dial into 'pooles'. 'dedicado' is the name of an ISP in Uruguay, but they name all their hosts with two numbers e.g. 107-15.dedicado.com.uy.
Almost all of the edu space uses 'dorm' or 'resnet' or some variation, except UNC Greensboro, who, in a boon to address scrapers everywhere, actually encourage abuse of their students' email by naming their dynamically assigned hosts after the user's uncc.edu email address (I noticed this in an rDNS scan trying to find a pattern so I could block abuse from their network, and noticed that whereas most of the names looked like flast-type formations, e.g., schampeon.uncg.edu (naturally, not subdomained off into 'students' or 'resnet', either), some of them looked like schampeonuncgedu.uncg.edu, and then came somebody75aolcom.uncg.edu). If I've noticed it, be sure the spammers have.
Just wait'll we start getting unicode DNS names in non-English alphabets. Perhaps then you can tell what to look for in a string of Kanji symbols which might be suggestive of the concept of "static".
Well, when that happens, I'm sure we'll all have to learn the Kanji or Mandarin strings for static and dynamic and ppp and so forth. Oh, well. -- hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com join us! http://hesketh.com/about/careers/account_manager.html join us!
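A worked version of the rDNS classification that Steve Sobol proposed and that Steven Champeon's catalogue above fleshes out: right-anchored suffixes for known pools, static and dynamic tokens, names that merely embed the address (treated as generic even when they say "static", following Steven's position), a single PTR shared by a whole allocation (user.nova.net.cn, "localhost"), and, as the check a recipient should add on top, forward-confirmed rDNS, since whoever controls the reverse zone can put any string in a PTR. This is an added example, not code from the thread; the batch of (IP, PTR) pairs, the forward records and mail.example.org are constructed, the IPs are documentation addresses except where a name embeds its own address, and the token lists are only the ones mentioned above, not a complete catalogue.

```python
import re
from collections import Counter
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed sample batch of (connecting IP, PTR name). Names follow the
# conventions listed in the thread; IPs are documentation addresses except
# where the name embeds its own address, in which case the IP matches it.
SAMPLE_BATCH: List[Tuple[str, Optional[str]]] = [
    ("192.0.2.15", "ns.delong.sj.ca.us"),
    ("203.0.113.10", "ANantes-106-1-5-107.w193-251.abo.wanadoo.fr"),
    ("213.54.0.171", "p213.54.0.171.tisdip.tiscali.de"),
    ("203.0.113.12", "adslfixo-b3-115-101.telepac.pt"),
    ("192.168.1.1", "static-192-168-1-1.isp.net"),
    ("219.81.69.25", "25.69.81.219.dynamic.tfn.net.tw"),
    ("203.0.113.20", "dont-blame-admin-its-a-dsl-pool-12-41.wobline.de"),
    ("203.0.113.30", "localhost"),
    ("203.0.113.31", "user.nova.net.cn"),
    ("203.0.113.32", "user.nova.net.cn"),
    ("203.0.113.40", None),                    # no PTR at all
    ("203.0.113.50", "mail.example.org"),      # named, but see SAMPLE_FORWARD
]

# Constructed forward records (name -> A records) for the FCrDNS check.
SAMPLE_FORWARD: Dict[str, Set[str]] = {
    "ns.delong.sj.ca.us": {"192.0.2.15"},
    "adslfixo-b3-115-101.telepac.pt": {"203.0.113.12"},
    "mail.example.org": {"198.51.100.9"},      # does not point back at the sender
}

# Right-anchored suffixes of pools the thread treats as generic.
GENERIC_SUFFIXES = (".abo.wanadoo.fr", ".dip.t-dialin.net",
                    ".tisdip.tiscali.de", ".dial.telepac.pt")

# Static tokens are checked first because they qualify an access type
# ("adsl.static.", "adslfixo-"); both lists come from the thread's examples.
STATIC_RE = re.compile(r"static|fixo|fixed|(?<![a-z])fix(?![a-z])", re.I)
DYNAMIC_RE = re.compile(
    r"dyn|dinamico|dial|ppp|pool|dhcp|cable|catv|kabel|dsl|client|cust|usuario"
    r"|resnet|dorm|bredband|\.abo\.|\.dip\.", re.I)


def embeds_ip(ip: str, name: str) -> bool:
    """True if all four octets appear as consecutive numbers in the name, in
    either order. Hex-encoded addresses (td9091b9a.adsl...) are not handled."""
    nums = re.findall(r"\d+", name)
    octets = ip.split(".")
    return any(nums[i:i + 4] == seq
               for seq in (octets, octets[::-1])
               for i in range(len(nums) - 3))


def classify_ptr(ip: str, ptr: Optional[str], shared: FrozenSet[str] = frozenset()) -> str:
    if ptr is None:
        return "none"
    name = ptr.rstrip(".").lower()
    if name == "localhost" or name.endswith(".localhost") or name in shared:
        return "bogus"        # one PTR for a whole allocation carries no information
    if name.endswith(GENERIC_SUFFIXES):
        return "dynamic"
    if STATIC_RE.search(name):
        return "generic" if embeds_ip(ip, name) else "static"
    if DYNAMIC_RE.search(name):
        return "dynamic"
    if embeds_ip(ip, name):
        return "generic"
    return "named"


def shared_ptr_names(batch) -> FrozenSet[str]:
    """PTR names that several different IPs in the batch share."""
    counts = Counter(p.rstrip(".").lower() for _, p in batch if p)
    return frozenset(n for n, c in counts.items() if c > 1)


def fcrdns_ok(ip: str, ptr: Optional[str], forward: Dict[str, Set[str]]) -> bool:
    """Forward-confirmed rDNS: the PTR name must resolve back to the sender."""
    return ptr is not None and ip in forward.get(ptr.rstrip(".").lower(), set())


def mail_policy(ip, ptr, forward, shared=frozenset()) -> Tuple[str, str]:
    label = classify_ptr(ip, ptr, shared)
    if label not in ("named", "static"):
        return "reject", label
    if not fcrdns_ok(ip, ptr, forward):
        return "reject", "fcrdns-mismatch"   # the reverse zone owner can write anything
    return "accept", label


def evaluate_batch(batch, forward) -> Dict[str, Tuple[str, str]]:
    shared = shared_ptr_names(batch)
    return {ip: mail_policy(ip, ptr, forward, shared) for ip, ptr in batch}


if __name__ == "__main__":
    for ip, (verdict, why) in evaluate_batch(SAMPLE_BATCH, SAMPLE_FORWARD).items():
        print(f"{ip:16} {verdict:7} {why}")
```

Two caveats a practitioner should keep in mind: the token lists are a heuristic that Mark's question already shows the limit of (they only work for the languages and providers you have catalogued, and a name like "adslfixo" needs the static test to run before the dynamic one), and the FCrDNS check is what turns a naming convention into evidence, because a PTR that does not resolve back to the sending address proves nothing about who the sender is.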
On 4/30/05, Steven Champeon <schampeo@hesketh.com> wrote:
ANantes-106-1-5-107.w193-251.abo.wanadoo.fr
You'll see 'abo' for 'cable', perhaps? as well as 'cable'. But for most
abo = short for "abonnement", that is, "subscription" / "subscriber". Just means it's a pool of IPs assigned to users, I guess.
Dunno. Don't have many examples of those, as I block most traffic from there, and what I didn't block didn't often have rDNS anyway. The one net.cn example I have, nova, named all of their rDNS with user.nova.net.cn - yep, that's it - what every host is named.
And there's a Vietnamese ISP that was clever enough to give the same rDNS - "localhost" - to all their IP space. Don't know which one of the three ISPs there does this, but as APNIC 20 is in Hanoi, I'll most likely find that out for myself.
FPT Viet Nam uses 'adsl-pool-xxx', 'adsl-fix-xxx', and 'dialup-xxx' (yes, the x's are part of the actual name, not a placeholder for the numbers).
So it's not FPT Vietnam, but one of the two other ISPs there
'bredband'. The Japanese use 'flets' and 'ftth', the Dutch and others
ftth = fiber to the home. flets is also some kind of fiber. --srs -- Suresh Ramasubramanian (ops.lists@gmail.com)
on Sat, Apr 30, 2005 at 07:41:34AM +0530, Suresh Ramasubramanian wrote:
On 4/30/05, Steven Champeon <schampeo@hesketh.com> wrote:
ANantes-106-1-5-107.w193-251.abo.wanadoo.fr
You'll see 'abo' for 'cable', perhaps? as well as 'cable'. But for most
abo = short for "abonnement", that is, "subscription" / "subscriber". Just means it's a pool of IPs assigned to users, I guess.
Yes, Romain Komorn was kind enough to tell me this offlist. Thanks.
Dunno. Don't have many examples of those, as I block most traffic from there, and what I didn't block didn't often have rDNS anyway. The one net.cn example I have, nova, named all of their rDNS with user.nova.net.cn - yep, that's it - what every host is named.
And there's a Vietnamese ISP that was clever enough to give the same rDNS - "localhost" - to all their IP space. Don't know which one of the three ISPs there does this, but as APNIC 20 is in Hanoi, I'll most likely find that out for myself.
Yep - got a rule to block stuff from them and everyone else who does something that stupid, too.
FPT Viet Nam uses 'adsl-pool-xxx', 'adsl-fix-xxx', and 'dialup-xxx' (yes, the x's are part of the actual name, not a placeholder for the numbers).
So it's not FPT Vietnam, but one of the two other ISPs there
They may use it, too. I dunno. It's not reliable to assume that any one given network always has the same rDNS naming conventions.
'bredband'. The Japanese use 'flets' and 'ftth', the Dutch and others
ftth = fiber to the home. flets is also some kind of fiber.
infoweb.ne.jp uses ftth, as does solcon.nl, onsnet.nu, and a few US ISPs, such as brightohio.net, cvalley.net, and surewest.net. nmt.ne.jp uses flets, as does across.or.jp, netwave.or.jp, dsn.jp, alpha-net.ne.jp (which also apparently uses "bflets"), and incl.ne.jp. Google suggests others do, too, but they haven't come across my radar yet, or don't use it in rDNS naming. -- hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com join us! http://hesketh.com/about/careers/account_manager.html join us!
Suresh Ramasubramanian wrote:
On 4/30/05, Steven Champeon <schampeo@hesketh.com> wrote:
ANantes-106-1-5-107.w193-251.abo.wanadoo.fr
You'll see 'abo' for 'cable', perhaps? as well as 'cable'. But for most
abo = short for "abonnement", that is, "subscription" / "subscriber". Just means it's a pool of IPs assigned to users, I guess.
Dunno. Don't have many examples of those, as I block most traffic from there, and what I didn't block didn't often have rDNS anyway. The one net.cn example I have, nova, named all of their rDNS with user.nova.net.cn - yep, that's it - what every host is named.
And there's a vietnamese ISP that was clever enough to give the same rDNS - "localhost" - to all their IP space. Don't know which one of the three ISPs there does this, but as APNIC 20 is in Hanoi, I'll most likely find that out for myself.
I was actually bored enough to figure that out one day:

[FT@fenrir G]$ dig +short -x 203.160.1.66 -x 203.160.1.67 -x 203.160.1.68 -x 203.160.1.69
localhost.
localhost.
localhost.
localhost.
[FT@fenrir G]$ whois 203.160.1.66
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum:      203.160.0.0 - 203.160.1.255
netname:      VNPT-VNNIC-VN
country:      VN
descr:        Vietnam Posts and Telecommunications (VNPT)
descr:        23 Phan Chu Trinh st., Hanoi capital, Vietnam
admin-c:      NXC1-AP
tech-c:       KNH1-AP
status:       ALLOCATED PORTABLE
changed:      hm-changed@vnnic.net.vn 20041011
mnt-by:       MAINT-VN-VNNIC
mnt-lower:    MAINT-VN-VNPT
source:       APNIC
Nicholas Suan wrote:
Suresh Ramasubramanian wrote:
On 4/30/05, Steven Champeon <schampeo@hesketh.com> wrote:
ANantes-106-1-5-107.w193-251.abo.wanadoo.fr
You'll see 'abo' for 'cable', perhaps? as well as 'cable'. But for most
abo = short for "abonnement", that is, "subscription" / "subscriber". Just means it's a pool of IPs assigned to users, I guess.
What does the rest of the internet gain when all IPs have boilerplate reverse DNS setup for them, especially with all these wildly differing and wacky naming "conventions"? Isn't it a much simpler world where simply having rDNS lends the assumption of a supported "static" system as opposed to none?
On 5/2/05, Joe Maimon <jmaimon@ttec.com> wrote:
Isn't it a much simpler world where simply having rDNS lends the assumption of a supported "static" system as opposed to none?
yup, like ppp-12345.townname.dialup.example.com -- Suresh Ramasubramanian (ops.lists@gmail.com)
on Sun, May 01, 2005 at 10:40:21PM -0400, Joe Maimon wrote:
What does the rest of the internet gain when all IPs have boilerplate reverse DNS setup for them, especially with all these wildly differing and wacky naming "conventions"?
I don't care what the rest of the Internet gains, but I can say that knowing something about these "wildly differing and wacky naming conventions" has cut my spam load down by 98% or more. By knowing who names their networks what, even wild-assed guesses at times have kept the DDoS that is spam botnets from destroying the utility of email here.
Isn't it a much simpler world where simply having rDNS lends the assumption of a supported "static" system as opposed to none?
Bwahahaha. You mean "supported static systems" like:

not-a-legal-address [140.113.12.106]
66.domain.tld [216.109.16.66]
customer-reverse-entry.209.213.197.128 [209.213.197.128]
suspended.for.aup.violation [216.41.37.5]
unassigned [66.240.153.10]
unassigned-64.23.24.128 [64.23.24.128]
alameda.net.has.not.owned.this.ip.for.more.then.four.years [209.0.51.16]
nolonger.a.customer.cancelled.for.AUPviolation [209.208.31.84]

...just to pick a few? I believe Suresh has already supplied the answer to the question of rDNS having anything to do with staticity. -- hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com join us! http://hesketh.com/about/careers/account_manager.html join us!
Steven Champeon wrote:
on Sun, May 01, 2005 at 10:40:21PM -0400, Joe Maimon wrote:
What does the rest of the internet gain when all IPs have boilerplate reverse DNS setup for them, especially with all these wildly differing and wacky naming "conventions"?
I don't care what the rest of the Internet gains, but I can say that knowing something about these "wildly differing and wacky naming conventions" has cut my spam load down by 98% or more. By knowing who names their networks what, even wild-assed guesses at times have kept the DDoS that is spam botnets from destroying the utility of email here.
That's not quite what I was asking. Would you not have preferred being able to do all the above simply by being able to assume that all these "dialup" systems would not have any RDNS? The question restated is what is the benefit in advocating "dialup names" as opposed to simply recommending that dialup ranges get NO rDNS? For spam/abuse prevention it surely is less useful. It's much easier to block IPs with no rDNS than to maintain a list of patterns of rDNS that should be blocked. I understand that RFCs recommend/require it. I want to know about specific benefits to the internet at large (not to the user who now has rDNS). Given a choice between an ISP using unpredictable naming patterns or no name for dialup ranges, what would your preference be?
Isn't it a much simpler world where simply having rDNS lends the assumption of a supported "static" system as opposed to none?
Bwahahaha. You mean "supported static systems" like:
not-a-legal-address [140.113.12.106]
66.domain.tld [216.109.16.66]
customer-reverse-entry.209.213.197.128 [209.213.197.128]
suspended.for.aup.violation [216.41.37.5]
unassigned [66.240.153.10]
unassigned-64.23.24.128 [64.23.24.128]
alameda.net.has.not.owned.this.ip.for.more.then.four.years [209.0.51.16]
nolonger.a.customer.cancelled.for.AUPviolation [209.208.31.84]
...just to pick a few? I believe Suresh has already supplied the answer to the question of rDNS having anything to do with staticity.
Exactly the problem.
on Mon, May 02, 2005 at 01:16:40PM -0400, Joe Maimon wrote:
Steven Champeon wrote:
on Sun, May 01, 2005 at 10:40:21PM -0400, Joe Maimon wrote:
What does the rest of the internet gain when all IPs have boilerplate reverse DNS setup for them, especially with all these wildly differing and wacky naming "conventions"?
I don't care what the rest of the Internet gains, but I can say that knowing something about these "wildly differing and wacky naming conventions" has cut my spam load down by 98% or more. By knowing who names their networks what, even wild-assed guesses at times have kept the DDoS that is spam botnets from destroying the utility of email here.
That's not quite what I was asking. Would you not have preferred being able to do all the above simply by being able to assume that all these "dialup" systems would not have any RDNS?
No.
The question restated is what is the benefit in advocating "dialup names" as opposed to simply recommending that dialup ranges get NO rDNS?
More information is always better.
For spam/abuse prevention it surely is less useful. It's much easier to block IPs with no rDNS than to maintain a list of patterns of rDNS that should be blocked.
Surely. And yet, knowing that Comcast addresses are responsible for a third of the abuse against my mail server is easier when all of the hosts' rDNS ends in "comcast.net", so I don't need to do whois lookups on each IP.
I understand that RFCs recommend/require it. I want to know about specific benefits to the internet at large (not to the user who now has rDNS)
Given a choice between ISP using unpredictable naming patterns or no name for dialup ranges, what would your preference be?
Predictable naming conventions, preferably right-anchored, such as '.dialup.dynamic.example.net' If you're saying that's not possible, then I'd prefer unpredictable names over no rDNS at all (though preferably at least consistently implemented within a given rDNS domain)... -- hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com join us! http://hesketh.com/about/careers/account_manager.html join us!
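The classification the two of them are arguing about (right-anchored suffixes first, generic dialup/adsl/ftth tokens second, and placeholder names such as "localhost" or "unassigned" that carry no information at all) is easy to put into code. The following is an added example, not code from anyone in the thread: the suffix list, the token list, the small stand-in for a public-suffix list and the 192.0.2.0/24 entries in the sample table are assumptions made for the example, and the sample table is constructed from names quoted in the thread rather than from live lookups, so it runs offline.

```python
"""Classify reverse-DNS names by naming convention, and spot blocks where
every address answers with the same name.  Added example with assumed
pattern lists; not anyone's production rules."""
import re
import socket
from collections import Counter, defaultdict

# Right-anchored suffixes, matched against the end of the name.  Assumed
# conventions for this example, in the spirit of '.dialup.dynamic.example.net';
# a real list is built from the networks that actually hit your mail server.
DYNAMIC_SUFFIXES = (
    ".dialup.dynamic.example.net",
    ".abo.wanadoo.fr",
)

# Generic tokens the thread reports ISPs using for end-user pools.
DYNAMIC_TOKENS = re.compile(
    r"(^|[.-])(dialup|dial|ppp|adsl-pool|adsl-fix|dsl|cable|ftth|b?flets|bredband|dyn|dynamic)([.-]|$)",
    re.IGNORECASE,
)

# rDNS that exists but names no host: the all-"localhost" block, the
# 'unassigned' / 'suspended' style entries, and so on.
PLACEHOLDER = re.compile(
    r"^(localhost|unassigned(-[\d.]+)?|not-a-legal-address|customer-reverse-entry\..*"
    r"|suspended\.for\..*|nolonger\..*|.*\.has\.not\.owned\..*)$",
    re.IGNORECASE,
)

# Assumption: a tiny stand-in for a public-suffix list, enough for the
# ccTLD second-level names that appear in the thread.
TWO_LABEL_SUFFIXES = {"net.cn", "com.cn", "ne.jp", "or.jp", "co.jp", "co.uk"}


def classify(name):
    """Return 'no-rdns', 'placeholder', 'dynamic-suffix', 'dynamic-token' or 'other'."""
    if not name:
        return "no-rdns"
    n = name.rstrip(".").lower()
    if PLACEHOLDER.match(n):
        return "placeholder"
    if n.endswith(DYNAMIC_SUFFIXES):
        return "dynamic-suffix"
    if DYNAMIC_TOKENS.search(n):
        return "dynamic-token"
    return "other"


def owner_domain(name):
    """Right-hand part of the name that says who runs the space (everything
    ending in 'comcast.net', say), so attribution needs no whois lookup."""
    if not name:
        return None
    labels = name.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return None
    keep = 3 if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def lookup(ip):
    """Live PTR lookup; None when there is no rDNS.  Not used by the sample
    below, so the example runs offline."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def audit(table, shared_threshold=3):
    """table maps ip -> rDNS name (or None).  Returns per-category counts,
    per-owner counts, and any name shared by shared_threshold or more
    addresses (the 'everything is localhost' case)."""
    categories, owners, by_name = Counter(), Counter(), defaultdict(set)
    for ip, name in table.items():
        cat = classify(name)
        categories[cat] += 1
        if cat != "placeholder":          # placeholders tell you nothing about the owner
            owner = owner_domain(name)
            if owner:
                owners[owner] += 1
        if name:
            by_name[name.rstrip(".").lower()].add(ip)
    shared = {n: sorted(ips) for n, ips in by_name.items() if len(ips) >= shared_threshold}
    return categories, owners, shared


# Constructed sample: the VNPT addresses and bogus names quoted in the thread,
# plus made-up entries in the 192.0.2.0/24 documentation range.
SAMPLE = {
    "203.160.1.66": "localhost.",
    "203.160.1.67": "localhost.",
    "203.160.1.68": "localhost.",
    "203.160.1.69": "localhost.",
    "140.113.12.106": "not-a-legal-address",
    "216.41.37.5": "suspended.for.aup.violation",
    "64.23.24.128": "unassigned-64.23.24.128",
    "216.109.16.66": "66.domain.tld",
    "192.0.2.10": "ANantes-106-1-5-107.w193-251.abo.wanadoo.fr",
    "192.0.2.11": "ppp-12345.townname.dialup.example.com",
    "192.0.2.12": "user.nova.net.cn",
    "192.0.2.13": "user.nova.net.cn",
    "192.0.2.14": "user.nova.net.cn",
    "192.0.2.15": "mail.example.org",
    "192.0.2.16": None,
}

if __name__ == "__main__":
    cats, owners, shared = audit(SAMPLE)
    for ip, name in SAMPLE.items():
        print(f"{ip:16} {classify(name):15} {str(owner_domain(name)):14} {name}")
    print(dict(cats), dict(owners), shared, sep="\n")
```

The order of the checks matters: placeholder names are tested before the suffix and token rules, because "unassigned-64.23.24.128" or an entire /23 of "localhost" should never be mistaken for a named, static host. To run it against live data, build the table with `lookup()` over an address range and feed it to `audit()`; the `shared` result is the quick way to find the next ISP that has named all of its space identically.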
On Mon, 02 May 2005 13:16:40 EDT, Joe Maimon said:
That's not quite what I was asking. Would you not have preferred being able to do all the above simply by being able to assume that all these "dialup" systems would not have any RDNS?
Not having any RDNS would help, but...
Given a choice between ISP using unpredictable naming patterns or no name for dialup ranges, what would your preference be?
I'd prefer unpredictable - because as squirrelly *that* is, it's better than the mess we'll see when the clueless bozos decide that having an internally visible RDNS is useful to them, and they botch deploying split views for inside and outside.. over and over in myriad different ways....
As somebody who picked a DSL provider specifically because it allows me to run any kind of server I want, I'm not highly in favor of blocking traffic from broadband users and killing the end-to-end principle that makes the Internet work,
When I sign up for an internet account, does the fine print say that I am to accept all garbage pouring out of the RJ-45...? Why should it be the recipients job to filter all incoming traffic? When my PC grabs an IP address, I'd expect to see zero traffic from the world unless I make a request for content. Only then should I see traffic and only the content I requested. Adi
On 28-apr-2005, at 16:01, Adi Linden wrote:
When I sign up for an internet account, does the fine print say that I am to accept all garbage pouring out of the RJ-45...? Why should it be the recipients job to filter all incoming traffic?
Because by definition the recipient is the party who receives something... And what about garbage pouring out of RJ-11 sockets?
When my PC grabs an IP address, I'd expect to see zero traffic from the world unless I make a request for content. Only then should I see traffic and only the content I requested.
So how do I obtain your permission to send you a packet? And where in the packet does it show that the packet comes from someone who has said permission?
And what about garbage pouring out of RJ-11 sockets?
Hmmm... so because we have garbage coming out of the RJ-11 we might as well have garbage coming out of the RJ-45, too? 4 wires vs. 8 wires, twice the garbage out of the RJ-45.
So how do I obtain your permission to send you a packet?
By replying to my request.
And where in the packet does it show that the packet comes from someone who has said permission?
The packet only exists if it is in response to my request. Keep in mind that I am talking about an end-user PC here. Adi
On 28-apr-2005, at 16:21, Adi Linden wrote:
So how do I obtain your permission to send you a packet?
By replying to my request.
So ask your ISP to NAT you. (Most people do this themselves but you seem to feel filtering out unwanted packets isn't something you want to do.) You won't receive any packets that aren't responses to your request, so you'll be very happy that way. Of course you can't use VoIP reliably or engage in other peer-to-peer protocols with others who feel the same way.
And where in the packet does it show that the packet comes from someone who has said permission?
The packet only exists if it is in response to my request. Keep in mind that I am talking about an end-user PC here.
I guess there are people who are happy with always being the requester and never being the requestee... Fortunately that isn't true for the entire population.
On Thu, 28 Apr 2005 16:10:54 +0200, Iljitsch van Beijnum said:
And where in the packet does it show that the packet comes from someone who has said permission?
Well, if you didn't have permission, you're probably up to no good and should be setting the appropriate bits as per RFC3514....
On Thu, 28 Apr 2005 09:01:26 CDT, Adi Linden said:
When my PC grabs an IP address, I'd expect to see zero traffic from the world unless I make a request for content. Only then should I see traffic and only the content I requested.
Remember - the RST packet is there so you can tell the other end that they're trying to talk to a connection that isn't there - often due to the connection having been with the *previous* machine using that IP address....
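What "only packets that answer my request" actually buys, and what it costs, is clearer with a small connection-tracking filter in hand. The block below is an added example and not code from anyone in the thread; it models the NAT/stateful-filter behaviour suggested above and the stale-connection case just mentioned, over constructed traffic with documentation addresses (192.0.2.10 as the host, 198.51.100.80 as a web server, 203.0.113.0/24 for peers). The flow model is deliberately simplified: no sequence tracking, no timeouts, and ICMP is matched only on the embedded original packet.

```python
"""A minimal 'only replies to my requests' packet filter.  Added example with
constructed traffic; the flow model is simplified (no seq tracking, no timeouts)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""         # tcp flags as letters: "S", "SA", "A", "R", ...
    related: tuple = None   # icmp errors quote the packet that triggered them:
                            # (proto, src, sport, dst, dport) of that packet


class ReplyOnlyFilter:
    """Accept inbound packets only if they answer a flow this host opened."""

    def __init__(self, my_ip):
        self.my_ip = my_ip
        self.flows = set()  # (proto, my_port, peer_ip, peer_port) opened by us

    def process(self, p):
        if p.src == self.my_ip:
            # Outbound is always allowed; remember the flow so its reply can get back in.
            if p.proto in ("tcp", "udp"):
                self.flows.add((p.proto, p.sport, p.dst, p.dport))
            return "ACCEPT"
        if p.proto == "icmp":
            # Accept an ICMP error only if the packet it quotes was one of ours.
            r = p.related
            if r and r[1] == self.my_ip and (r[0], r[2], r[3], r[4]) in self.flows:
                return "ACCEPT"
            return "DROP"
        key = (p.proto, p.dport, p.src, p.sport)
        if key in self.flows:
            if p.proto == "tcp" and "R" in p.flags:
                self.flows.discard(key)  # peer reset the connection; forget it
            return "ACCEPT"
        # Everything else is unsolicited: a SYN to a server port, a SIP INVITE,
        # or traffic for a connection the previous user of this address had.
        # Note the cost: with the packet dropped here, the host never sends the
        # RST that would tell the far end its connection is gone.
        return "DROP"


ME, WEB, PEER, STRANGER = "192.0.2.10", "198.51.100.80", "203.0.113.5", "203.0.113.66"


def demo():
    """Run a constructed trace through the filter; returns one verdict per packet."""
    f = ReplyOnlyFilter(ME)
    trace = [
        Packet("tcp", ME, 40000, WEB, 80, "S"),        # our request
        Packet("tcp", WEB, 80, ME, 40000, "SA"),       # the reply
        Packet("tcp", STRANGER, 5555, ME, 22, "S"),    # someone probing our ssh port
        Packet("udp", PEER, 5060, ME, 5060),           # inbound SIP INVITE nobody asked for
        Packet("tcp", STRANGER, 443, ME, 51000, "A"),  # stale ACK for the previous tenant of this IP
        Packet("icmp", WEB, 0, ME, 0, related=("tcp", ME, 40000, WEB, 80)),       # PMTU error for our flow
        Packet("icmp", STRANGER, 0, ME, 0, related=("tcp", ME, 40000, STRANGER, 80)),  # forged: no such flow
        Packet("udp", ME, 5060, PEER, 5060),           # we call the peer first ...
        Packet("udp", PEER, 5060, ME, 5060),           # ... so its answer is allowed
        Packet("tcp", WEB, 80, ME, 40000, "R"),        # server resets; flow forgotten
        Packet("tcp", WEB, 80, ME, 40000, "A"),        # late packet on the reset flow
    ]
    return [f.process(p) for p in trace]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The trace shows both halves of the argument: the scan, the unsolicited INVITE and the previous tenant's leftover traffic never reach the host, but neither does any call or peer-to-peer session the host did not initiate, and the far end of that stale connection is left to time out rather than being told by a RST that nobody is listening.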
When I sign up for an internet account, does the fine print say that I am to accept all garbage pouring out of the RJ-45...? Why should it be the recipients job to filter all incoming traffic?
No... You should, for an appropriate fee, be able to find an ISP that will filter whatever you request them to filter. My point is that I oppose filtration by default.
When my PC grabs an IP address, I'd expect to see zero traffic from the world unless I make a request for content. Only then should I see traffic and only the content I requested.
So, when you take a ride on the subway, you expect not to be exposed to any random germs floating about in the atmosphere? You live in a very interesting world. Owen -- If it wasn't crypto-signed, it probably didn't come from me.
I've been there -- I know how I feel about it -- but I'd love to know how ISP operations folk feel about this.
It means 10 different things to 10 different people. The article was vague. "Security" could mean blocking a few ports, simple Proxy/NAT, blocking port 25 (or 139... or 53.. heh heh) or a thousand different things. There is a market for this, it's called "managed services." ISPs do this type of thing all the time. And customers pay for it.

Maybe he means "broadband home users". News flash... home users will get it wherever it's cheap. And cheap means no managed services.

To the author of the article: Should ISPs be *REQUIRED* to do it? Just try it and see what happens.... try to pass a law and regulate the internet, I dare you... :-) (I double-dog-dare you to get the law makers to understand it first!) Every security appliance ven-duh on the planet would be in there, trying to have laws written that would require the use of their own proprietary solutions to the "problem." (and the proposed problem would differ depending upon the "solutions" that the particular ven-duh offered)

Wait a second... this article was FROM security ven-duhs... all offering solutions to these problems...uh-oh.... this is probably their first move in getting a law..... step 1) cause a public outcry....... so it's starting already. I think we've all seen this act before.........

Some days, the world really annoys me. :-(

-Jerry
On Tue, 26 Apr 2005, Jerry Pasker wrote:
I've been there -- I know how I feel about it -- but I'd love to know how ISP operations folk feel about this.
It means 10 different things to 10 different people. The article was
yep, and the danger is you agree with the article and some politicians or journalists think you are advocating a full police service which would be bad. i do think we have an obligation to try to keep the net clean to a certain degree, think anti-ddos wg's etc but providing full security for all users is unrealistic. there seems to be some moves to offering partial security and this is probably a good thing eg blocking common ms ports will likely be effective. Steve
On 4/27/05, Stephen J. Wilcox <steve@telecomplete.co.uk> wrote:
i do think we have an obligation to try to keep the net clean to a certain degree, think anti-ddos wg's etc but providing full security for all users is unrealistic. there seems to be some moves to offering partial security and this is probably a good thing eg blocking common ms ports will likely be effective.
As complete security as possible, to your end users. That doesn't extend to applying filters to circuits you provision for your customers (managed T1 type stuff maybe, but definitely, more useful in the case of end user stuff like at the edge of broadband / dialup pools) -- Suresh Ramasubramanian (ops.lists@gmail.com)
I think it's absurd. I expect my water delivery company not to add pollutants in transit. I expect my water production company to provide clean water. This is like asking the phone company to prevent minors from hearing swear-words on telephone calls or prevent people from being able to make prank phone calls from pay-phones. When Mr. Schneier gets that level of service from his phone company, then, perhaps he can expect the same from his ISP. The worst part of that article is that it only quotes people with a vested interest in selling service-provider based solutions to end-host based problems. So much for any sort of journalistic ethic, fact checking, or, unbiased reporting. Owen --On Wednesday, April 27, 2005 3:09 +0000 "Fergie (Paul Ferguson)" <fergdawg@netzero.net> wrote:
I've been there -- I know how I feel about it -- but I'd love to know how ISP operations folk feel about this.
Links here: http://www.vnunet.com/news/1162720
...and, of course, here: http://fergdawg.blogspot.com/2005/04/schneier-isps-should-bear-security.html
Off list, if you'd like. Or not.
- ferg
-- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawg@netzero.net or fergdawg@sbcglobal.net ferg's tech blog: http://fergdawg.blogspot.com/
-- If this message was not signed with gpg key 0FE2AA3D, it's probably a forgery.
On Tue, Apr 26, 2005 at 10:38:00PM -0700, Owen DeLong wrote:
So much for any sort of journalistic ethic, fact checking, or, unbiased reporting.
Schneier isn't a journalist or reporter; He's a security vendor. - mark -- Mark Newton Email: newton@internode.com.au (W) Network Engineer Email: newton@atdot.dotat.org (H) Internode Systems Pty Ltd Desk: +61-8-82282999 "Network Man" - Anagram of "Mark Newton" Mobile: +61-416-202-223
I was referring to the article which contained the schneier quote, not schneier. The article was written by someone at least pretending to be a journalist, and, was put out as news, not editorial or advertising. As such, it should be held to the standard that should apply to news. Instead, it was yet another example of advertising disguised as news. Owen --On Wednesday, April 27, 2005 15:42 +0930 Mark Newton <newton@internode.com.au> wrote:
On Tue, Apr 26, 2005 at 10:38:00PM -0700, Owen DeLong wrote:
So much for any sort of journalistic ethic, fact checking, or, unbiased reporting.
Schneier isn't a journalist or reporter; He's a security vendor.
- mark
On Tue, Apr 26, 2005 at 10:38:00PM -0700, Owen DeLong wrote:
I think it's absurd. I expect my water delivery company not to add pollutants in transit. I expect my water production company to provide clean water.
er.. bad analogy warning... please take a sample of tap water to an independent lab for analysis... and find out just what the water company is putting into your water.
This is like asking the phone company to prevent minors from hearing swear-words on telephone calls or prevent people from being able to make prank phone calls from pay-phones.
more bad analogies... :)
Owen
- ferg
that said, if you don't want your ISP to diddle your packets, may i suggest IPSEC? --bill
On April 26, 2005 11:36 pm, bmanning@vacation.karoshi.com wrote:
On Tue, Apr 26, 2005 at 10:38:00PM -0700, Owen DeLong wrote:
I think it's absurd. I expect my water delivery company not to add pollutants in transit. I expect my water production company to provide clean water.
er.. bad analogy warning... please take a sample of tap water to an independent lab for analysis... and find out just what the water company is putting into your water.
Actually that _is_ a bad analogy. According to my sister (who works in that area as a regional water expert), tap-water is held to higher standards than bottled water. In Canada at least... ymmv. cheers, --dr -- World Security Pros. Cutting Edge Training, Tools, and Techniques Vancouver, Canada May 4-6 2005 http://cansecwest.com pgpkey http://dragos.com/ kyxpgp
On Wed, Apr 27, 2005 at 12:13:16AM -0700, Dragos Ruiu wrote:
On April 26, 2005 11:36 pm, bmanning@vacation.karoshi.com wrote:
On Tue, Apr 26, 2005 at 10:38:00PM -0700, Owen DeLong wrote:
I think it's absurd. I expect my water delivery company not to add pollutants in transit. I expect my water production company to provide clean water.
er.. bad analogy warning... please take a sample of tap water to an independent lab for analysis... and find out just what the water company is putting into your water.
Actually that _is_ a bad analogy.
According to my sister (who works in that area as a regional water expert), tap-water is held to higher standards than bottled water. In Canada at least... ymmv.
cheers, --dr
perhaps you mis-read. water companies -always- add things to water, to kill off germs, balance mineral content, etc.. they do this to -meet- the "higher" standards. and by their tampering, they pollute the water... their pollution may make the water drinkable and safe. does not change the fact that the water was tampered with. --bill
--On Wednesday, April 27, 2005 7:39 +0000 bmanning@vacation.karoshi.com wrote:
On Wed, Apr 27, 2005 at 12:13:16AM -0700, Dragos Ruiu wrote:
On April 26, 2005 11:36 pm, bmanning@vacation.karoshi.com wrote:
On Tue, Apr 26, 2005 at 10:38:00PM -0700, Owen DeLong wrote:
I think it's absurd. I expect my water delivery company not to add pollutants in transit. I expect my water production company to provide clean water.
er.. bad analogy warning... please take a sample of tap water to an independent lab for analysis... and find out just what the water company is putting into your water.
Actually that _is_ a bad analogy.
According to my sister (who works in that area as a regional water expert), tap-water is held to higher standards than bottled water. In Canada at least... ymmv.
cheers, --dr
perhaps you mis-read. water companies -always- add things to water, to kill off germs, balance mineral content, etc.. they do this to -meet- the "higher" standards. and by their tampering, they pollute the water... their pollution may make the water drinkable and safe. does not change the fact that the water was tampered with.
Bill, I was very specific about transit. Yes, most water transit companies are also the water supply company, but, in my analogy, and, in some areas, as a matter of fact, they are not the same. The chemical tampering of which you speak is done by the water supply company at the supply point before it is put in the pipes for transit to the end user. The water delivery company runs said pipes, and, my expectation from them is that they deliver what they got from the water supply company without any additional contaminants. Think of the web hoster as a water supply company. The household user is an end user. The ISP is merely a pipeline. Owen
--bill
On Wed, 27 Apr 2005, Owen DeLong wrote:
Yes, most water transit companies are also the water supply company,
Water supply comes from rivers, lakes, etc. While water companies take water from those sources, they do not produce it and just take what they can get, clean it up and then deliver it around the city.
but, in my analogy, and, in some areas, as a matter of fact, they are not the same. The chemical tampering of which you speak is done by the water supply company at the supply point before it is put in the pipes for transit to the end user.
I've heard that Israel is considering (or buying already?) water from Turkey. Do you really think they are going to just deliver it as is or do you think the water company will clean it up on the local level before delivering it to the homes? And BTW - you do realize "contamination" on the Internet is usually at the source, right?
The water delivery company runs said pipes, and, my expectation from them is that they deliver what they got from the water supply company without any additional contaminants.
If the water supply was contaminated, I'd fully expect water delivery company to clean it up before delivering to me.
Think of the web hoster as a water supply company. The household user is an end user. The ISP is merely a pipeline.
In any case, I don't think this is quite the correct analogy. A water company usually delivers from just one (ok, maybe not one for larger areas but it's in the lower tens order) source and typically has control (directly or indirectly with a signed agreement) over the source. If you want to compare this to an ISP, it would be like me having a peering agreement and direct connection with a few dozen content providers and only giving access to users to those few dozen websites. -- William Leibzon Elan Networks william@elan.net
--On Wednesday, April 27, 2005 3:50 -0700 "william(at)elan.net" <william@elan.net> wrote:
On Wed, 27 Apr 2005, Owen DeLong wrote:
Yes, most water transit companies are also the water supply company,
Water supply comes from rivers, lakes, etc. While water company take water from those sources, they do not produce it and just take what they can get, clean it up and then deliver around the city.
In many places, the company that obtains and filters the water from these various sources and the company that delivers it to end users are different companies. That is what my analogy speaks of. An example would be Palo Alto, California. The City of San Francisco obtains and processes the water from Hetch Hetchi and other sources. They then sell it to the city of Palo Alto which maintains its own pumping resources and pipelines to deliver to the end users. In this case, the city of Palo Alto is analogous to the ISP. The city of San Francisco is analogous to the end node.
but, in my analogy, and, in some areas, as a matter of fact, they are not the same. The chemical tampering of which you speak is done by the water supply company at the supply point before it is put in the pipes for transit to the end user.
I've heard that Israel is considering (or buying already?) water from Turkey. Do you really think they are going to just deliver it as is or do you think the water company will clean it up on the local level before delivering it to the homes?
That depends, I guess, on the quality of water that Turkey delivers and the SLA that Israel expects. An example of the situation I describe is above, and, it is real.
And BTW - you do realize "contamination" on the Internet is usually at the source, right?
Right... Exactly my point. Solving source point contamination in the transit network isn't a good idea.
The water delivery company runs said pipes, and, my expectation from them is that they deliver what they got from the water supply company without any additional contaminants.
If the water supply was contaminated, I'd fully expect water delivery company to clean it up before delivering to me.
In many cases, the water delivery company has no ability or facility to do so. I expect them to deliver clean water. Frankly, I don't care too much whether they act as a supply company or a delivery company, so long as they deliver clean water. My point was that it is perfectly acceptable for a delivery only company to deliver without additives or filtration. Sure, in the case of water, since the delivery company is choosing the source point, they have some additional responsibilities with regard to the source quality, but, that isn't the case in the internet. The end user is choosing the source, and, the ISP is a pure delivery company.
Think of the web hoster as a water supply company. The household user is an end user. The ISP is merely a pipeline.
In any case, I don't think this is quite the correct analogy.
Any analogy will break if you pick at it hard enough.
Water company usually delivers from just one (ok, maybe not one for larger areas but its in lower tens order) source and have typically control (directly or indirectly with signed agreement) over the source.
Yes.
If you want to compare this to an ISP, it would be like me having a peering agreement and direct connection with a few dozen content providers and only giving access to users to those few dozen websites.
Perhaps I should have used electric companies as a better example. Owen
On Wed, Apr 27, 2005 at 04:12:57AM -0700, Owen DeLong wrote:
If you want to compare this to ISP, it would be like me having peering agreement and direct connection with few dozen content providers and only giving access to users to those few dozen websites.
Perhaps I should have used electric companies as a better example.
No, I think that water is actually better: it's easier for an end-user to cause problems with delivered water than with delivered electricity... though admittedly *neither* is "easy", as we usually use that term. Cheers, -- jra -- Jay R. Ashworth jra@baylink.com Designer Baylink RFC 2100 Ashworth & Associates The Things I Think '87 e24 St Petersburg FL USA http://baylink.pitas.com +1 727 647 1274 If you can read this... thank a system administrator. Or two. --me
on Wed, Apr 27, 2005 at 03:19:04AM -0700, Owen DeLong wrote:
Yes, most water transit companies are also the water supply company, but, in my analogy, and, in some areas, as a matter of fact, they are not the same. The chemical tampering of which you speak is done by the water supply company at the supply point before it is put in the pipes for transit to the end user.
The water delivery company runs said pipes, and, my expectation from them is that they deliver what they got from the water supply company without any additional contaminants.
Think of the web hoster as a water supply company. The household user is an end user. The ISP is merely a pipeline.
I think the problem isn't with dirty water arriving from the water company, it's the fact that so many end users are allowing raw sewage to be poured into /other people's water/, and some ISPs don't feel compelled to do anything to save other ISPs from their users' pollutants. -- hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com join us! http://hesketh.com/about/careers/account_manager.html join us!
I think the problem isn't with dirty water arriving from the water company, it's the fact that so many end users are allowing raw sewage to be poured into /other people's water/, and some ISPs don't feel compelled to do anything to save other ISPs from their users' pollutants.
I agree that an ISP should disconnect a user dumping raw sewage into the water system. However, that's a big difference from providing an end user a "clean internet" which is what the article proposed. To me, that means providing filtered internet services. That's a transit solution to an end-node problem. Disconnecting the abusing end-node(s) is an end-node solution. Owen -- If it wasn't crypto-signed, it probably didn't come from me.
On Wed, Apr 27, 2005 at 03:19:04AM -0700, Owen DeLong wrote:
perhaps you mis-read. water companies -always- add things to water, to kill off germs, balance mineral content, etc.. they do this to -meet- the "higher" standards. and by their tampering, they pollute the water... their pollution may make the water drinkable and safe. does n ot change the fact that the water was tampered with.
Bill, I was very specific about transit.
Yes, most water transit companies are also the water supply company, but, in my analogy, and, in some areas, as a matter of fact, they are not the same. The chemical tampering of which you speak is done by the water supply company at the supply point before it is put in the pipes for transit to the end user.
And this was my point as well, Owen... but I have to admit, it didn't *look* to me like this was the point you were making in your original message; perhaps I misread you as well.
The water delivery company runs said pipes, and, my expectation from them is that they deliver what they got from the water supply company without any additional contaminants.
Actually, no, this is the point he's making. The Florida West Coast Regional Water Supply Authority is not the one that adds chemicals and the like to the water around here; The St Petersburg Water System, or Pinellas County Utilities do that, before the water arrives at retail.
Think of the web hoster as a water supply company. The household user is an end user. The ISP is merely a pipeline.
And *here*, we get into "what's an ISP, really; and how do we distinguish that from the other things people do with packets?" Cheers, -- jra -- Jay R. Ashworth jra@baylink.com Designer Baylink RFC 2100 Ashworth & Associates The Things I Think '87 e24 St Petersburg FL USA http://baylink.pitas.com +1 727 647 1274 If you can read this... thank a system administrator. Or two. --me
On Wed, 27 Apr 2005, Dragos Ruiu wrote:
an independent lab for analysis... and find out just what the water company is putting into your water.
Actually that _is_ a bad analogy.
According to my sister (who works in that area as a regional water expert), tap-water is held to higher standards than bottled water. In Canada at least... ymmv.
Yeah, gotta clean it up from pollutants [spam, ddos], add antibacterial [antivirus] agents, check that the supply [latency] is not too low [high], make sure there are no leaks [unauthorized access]. -- William Leibzon Elan Networks william@elan.net
william@elan.net (william(at)elan.net) wrote:
According to my sister (who works in that area as a regional water expert), tap-water is held to higher standards than bottled water. In Canada at least... ymmv.
Yeah, gotta clean it up from pollutants [spam, ddos], add antibacterial [antivirus] agents, check that the supply [latency] is not too low [high], make sure there are no leaks [unauthorized access].
In fact, the tap-water analogy is a very bad and at the same time a very good one. (1) In some countries, tap water is really pure and clean, often a lot better than what you can buy in bottles. This is especially true for Germany, Austria, and, according to Dragos, for Canada, too. The reason for the water quality here in ol' Europe is defined quality standards and ongoing tests. (2) In other countries, water companies are allowed to adhere to a lot less rigid standards. I was pretty surprised how awful water in the US midwest was. Full of chlorine and tasting dead. I still cannot believe people drink it there every day (but they do, it's what Coke's made with there). So we do see differences here, some of which stem from the available water supplies in the area, and some of which are the effect of different defined standards and - inherently - jurisdiction. Countries are different, there is - legally speaking - no world-wide Internet. Everyone falls under the legislation of their home country (for various values of home...). And while we may not like it, this jurisdiction can be very different from mine. Or yours. Elmar. -- "Just don't make the mistake of replacing opinion with expertise." (PLemken, <bu6o7e$e6v0p$2@ID-31.news.uni-berlin.de>) --------------------------------------------------------------[ ELMI-RIPE ]---
clean it up from pollutants [spam, ddos], add antibacterial [antivirus] agents, ;) My hotel confirmation for NANOG 34 was marked as spam. Thankfully, the ISP let it through anyway.
It would be nice if the ISPs protected me from bad stuff on the Internet - but why are they to be held to a higher standard than similar services? E.g., (not intended as a water-tight analogy) the roads around me have laws and enforcement (sometimes). If I am hit by someone who breaks a rule, my insurance takes care of that. But the road system offers no protection to guarantee my on-time arrival at a Wednesday night beering session. (No over-provisioning there.) If we can't make it easy to get to happy hour, how are we going to make the Internet safe? -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis +1-571-434-5468 NeuStar If you knew what I was thinking, you'd understand what I was saying.
On Wed, Apr 27, 2005 at 09:25:55AM -0400, Edward Lewis wrote:
It would be nice if the ISPs protected me from bad stuff on the Internet - but why are they to be held to a higher standard than similar services?
Have we drifted? I thought the topic was "tragedy of the commons", not "protect the end users"...? Cheers, -- jra -- Jay R. Ashworth jra@baylink.com Designer Baylink RFC 2100 Ashworth & Associates The Things I Think '87 e24 St Petersburg FL USA http://baylink.pitas.com +1 727 647 1274 If you can read this... thank a system administrator. Or two. --me
--On Wednesday, April 27, 2005 6:36 +0000 bmanning@vacation.karoshi.com wrote:
On Tue, Apr 26, 2005 at 10:38:00PM -0700, Owen DeLong wrote:
I think it's absurd. I expect my water delivery company not to add pollutants in transit. I expect my water production company to provide clean water.
er.. bad analogy warning... please take a sample of tap water to an independent lab for analysis... and find out just what the water company is putting into your water.
Admittedly, there are contaminants in the water, but, I don't believe most of them are added in transit. (If I did, I'd be putting pressure on to get that fixed). If you're talking about fluoridation, I am fortunate enough to live in an area where they figured out that was a bad idea.
This is like asking the phone company to prevent minors from hearing swear-words on telephone calls or prevent people from being able to make prank phone calls from pay-phones.
more bad analogies... :)
Why is this a bad analogy? Neither of these actions are currently prevented by the telcos.
that said, if you don't want your ISP to diddle your packets, may i suggest IPSEC?
Sometimes I use IPSEC, but, I don't want my ISP to diddle my packets whether they're tunneled or not. Fortunately, so far, I've been able to find ISPs that don't. Owen
On Tue, Apr 26, 2005 at 10:38:00PM -0700, Owen DeLong wrote:
I think it's absurd. I expect my water delivery company not to add pollutants in transit. I expect my water production company to provide clean water.
Water delivery is unidirectional, otherwise water utilities would in fact have to filter out bad things introduced by notional bad actors which could cause other users problems and risks. See "tragedy of the commons". Do I think *everyone* should do this sort of thing? No. Do I think people should be regulated into doing it? Well, my knee jerk reaction is no... but it's a knee jerk reaction. Do I think that people should, by and large, be able to assume that they can treat the internet at large as a utility? (At the T-1 and up direct connect level, I mean) Yeah, probably. Does that require that consumer-level providers do some filtering...? Yeah, probably. Cheers, -- jra -- Jay R. Ashworth jra@baylink.com Designer Baylink RFC 2100 Ashworth & Associates The Things I Think '87 e24 St Petersburg FL USA http://baylink.pitas.com +1 727 647 1274 If you can read this... thank a system administrator. Or two. --me
Ferg, you asked for it.
I've been there -- I know how I feel about it -- but I'd love to know how ISP operations folk feel about this.
Links here: http://www.vnunet.com/news/1162720
Schneier has a profound interest in the ISPs being forced to buy his (or his competitors') security gear to fulfill the customers' dreams of a "clean Internet connection". Pretty biased, if you don't mind. What he fails to understand is the reasons why ISPs don't do it. It's not just laziness (only part) or lack of responsibility; it's more like that it's expensive and nobody would pay for it - no, not the customers; they like to get everything for free, remember? The most prominent reason keeping ISPs from filtering their clients' data streams is - tada - jurisdiction. It's simply not allowed in countries that don't officially harvest everything they can get their hands on. There is something called "privacy rights". Nobody may legally interfere with the data stream that reaches my boxes, and nobody - not even my boss! - may fiddle with my email if not expressly allowed by myself. So it is a damn good sign of the ISP's responsibility if it does _not_ place filters in the data stream. But then, my sympathies for Bruce have long evaporated, so I am of course biased as well. Elmar. -- "Just don't make the mistake of replacing opinion with expertise." (PLemken, <bu6o7e$e6v0p$2@ID-31.news.uni-berlin.de>) --------------------------------------------------------------[ ELMI-RIPE ]---
Speaking on Deep Background, the Press Secretary whispered:
Schneier has a profound interest in the ISPs being forced to buy his (or his competitors) security gear to fulfill the customers' dreams of a "clean Internet connection". Pretty biased, if you don't mind.
Err... What gear? Last I heard he sold security consulting services, not hardware. He also writes books. And the worse the net-wide situation, the more customers he gets for both. So it sounds to me as if he's cutting his own throat with this position. So at least to my ears, claiming he is just trying to sell hardware is not only a cheap shot, but a clear miss. I've got a radical idea: why not discuss/debate his statement|proposal on its merits|debits, vice purported ulterior motives? Such debate is how many of us learn. -- A host is a host from coast to coast.................wb8foz@nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433
On Wed, 27 Apr 2005, Fergie (Paul Ferguson) wrote:
I've been there -- I know how I feel about it -- but I'd love to know how ISP operations folk feel about this.
Of course Bruce Schneider is going to allocate ISP's handling security so he can sell them more of his crappy Counterpane products. I find it offensive that Mr. Schneider would categorize ISPs as lazy and irresponsible, and it does nothing but encourage me to sell anything BUT Counterpane to my customers. Our customers vary greatly, and their security needs differ just as much. There is no one stop solution for every customer, and it is not the ISP's responsibility to filter traffic and firewall their customers. Those that do invariably end up with trouble. -- Vice President of N2Net, a New Age Consulting Service, Inc. Company http://www.n2net.net Where everything clicks into place! KP-216-121-ST
On Wed, Apr 27, 2005 at 08:06:51AM -0400, Greg Boehnlein wrote:
On Wed, 27 Apr 2005, Fergie (Paul Ferguson) wrote:
I've been there -- I know how I feel about it -- but I'd love to know how ISP operations folk feel about this.
Of course Bruce Schneider is going to allocate ISP's handling security so he can sell them more of his crappy Counterpane products. I find it offensive that Mr. Schneider would categorize ISPs as lazy and irresponsible, and it does nothing but encourage me to sell anything BUT Counterpane to my customers.
He doesn't, as noted, sell much by way of "products"... and please spell his name correctly. Cheers, -- jr 'or is that the New Age spelling?' a -- Jay R. Ashworth jra@baylink.com Designer Baylink RFC 2100 Ashworth & Associates The Things I Think '87 e24 St Petersburg FL USA http://baylink.pitas.com +1 727 647 1274 If you can read this... thank a system administrator. Or two. --me
In message <20050426.200918.11519.516537@webmail04.lax.untd.com>, "Fergie (Paul Ferguson)" writes:
I've been there -- I know how I feel about it -- but I'd love to know how ISP operations folk feel about this.
Links here: http://www.vnunet.com/news/1162720
At a recent forum at Fordham Law School, Susan Crawford -- an attorney, not a network operator -- expressed it very well: "if we make ISPs into police, we're all in the ghetto". Bruce is a smart guy, and a good friend of mine, but he's not a network operator or architect. There are a small number of times when operators can, should, and -- in a very few cases -- act, but those are rare. The most obvious case is flooding attacks, since they represent an abuse of the network itself; operators also have responsibility for other pieces of the infrastructure they control, such as (many) name servers. --Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
At 01:39 PM 4/27/2005, you wrote:
In message <20050426.200918.11519.516537@webmail04.lax.untd.com>, "Fergie (Paul Ferguson)" writes:
I've been there -- I know how I feel about it -- but I'd love to know how ISP operations folk feel about this.
Links here: http://www.vnunet.com/news/1162720
At a recent forum at Fordham Law School, Susan Crawford -- an attorney, not a network operator -- expressed it very well: "if we make ISPs into police, we're all in the ghetto".
Bruce is a smart guy, and a good friend of mine, but he's not a network operator or architect. There are a small number of times when operators can, should, and -- in a very few cases -- act, but those are rare. The most obvious case is flooding attacks, since they represent an abuse of the network itself; operators also have responsibility for other pieces of the infrastructure they control, such as (many) name servers.
While this stance works for backbone network operators, I'm not entirely convinced it's a viable business strategy for ISPs dealing directly with end user customers (business or residential). The problem at the edge is customers insist they don't want the spam and viruses, and expect the ISP to help. Earthlink and AOL provide such services, and in the course of doing this raise an expectation. Now a regional or local ISP can either say "it's not our job to protect you" and have their customers migrate away, or they can make efforts to help and retain customers. So, is this a technical issue or a business issue? Network engineers are not necessarily qualified to make business decisions, unless they wear both hats. Customers at the retail level expect basic protection services as a part of the price of service. Whether that's a good thing or not, it's where we are on the business side of providing retail ISP services.
On Wed, 2005-04-27 at 13:39 -0400, Steven M. Bellovin wrote: <snip>
At a recent forum at Fordham Law School, Susan Crawford -- an attorney, not a network operator -- expressed it very well: "if we make ISPs into police, we're all in the ghetto".
Bruce is a smart guy, and a good friend of mine, but he's not a network operator or architect. There are a small number of times when operators can, should, and -- in a very few cases -- act, but those are rare. The most obvious case is flooding attacks, since they represent an abuse of the network itself; operators also have responsibility for other pieces of the infrastructure they control, such as (many) name servers.
Internet service providers should ensure protective strategies do not harm hapless consumers. While an ISP's protective obligations easily include Domain Name and routing services, few systems withstand unfettered abuse or tampering. Should a provider expect active cooperation from others granted access to their networks? The strength of the Internet is dependent upon cooperation and policy enforcement. While an egalitarian view would insist all be granted equal access, a response to abuse should be considered, even when only guarding essential services. What is a reasonable threshold before a provider "rarely" acts? You listed only one, a flood attack. -Doug
participants (26)
- Adi Linden
- Bill Stewart
- bmanning@vacation.karoshi.com
- Daniel Senie
- David Lesher
- Douglas Otis
- Dragos Ruiu
- Edward Lewis
- Elmar K. Bins
- Fergie (Paul Ferguson)
- Greg Boehnlein
- Iljitsch van Beijnum
- Jay R. Ashworth
- Jerry Pasker
- Joe Maimon
- Mark Newton
- Nicholas Suan
- Owen DeLong
- Stephen J. Wilcox
- Steve Sobol
- Steven Champeon
- Steven J. Sobol
- Steven M. Bellovin
- Suresh Ramasubramanian
- Valdis.Kletnieks@vt.edu
- william(at)elan.net