Re: ARIN Policy on IP-based Web Hosting
"John A. Tamplin" wrote:
Well, if the policy is that you have to use name-based hosting everywhere feasible and do something different for those customers that need something different, that can be quite a hardship on existing setups. For example, re-engineering all the tools to create and maintain vdom services, changing existing customer setups, etc. It is certainly easier to treat all hosting customers alike, rather than have completely separate setups and then have to change a customer from one to the other when they add or delete services (including downtime).
That was also brought up at the meeting, however it was generally agreed that the address savings were worth the work.
Another issue nobody has mentioned is security between virtual servers. Under name-based hosting, they all run as the same user-id and thus to get the same security you have with separate IP-based servers you have to put all the access control checks in all the tools that can be used. This can be hard if not impossible to do when you allow full shell access to the files used by the server.
Not if you chroot() the user into their file space. That may not be ideal, but there are ways to deal with it. Alec -- Alec H. Peterson - ahp@hilander.com Staff Scientist CenterGate Research Group - http://www.centergate.com "Technology so advanced, even _we_ don't understand it!"
On Thu, 31 Aug 2000, Alec H. Peterson wrote:
"John A. Tamplin" wrote:
Another issue nobody has mentioned is security between virtual servers. Under name-based hosting, they all run as the same user-id and thus to get the same security you have with separate IP-based servers you have to put all the access control checks in all the tools that can be used. This can be hard if not impossible to do when you allow full shell access to the files used by the server.
Not if you chroot() the user into their file space. That may not be ideal, but there are ways to deal with it.
Simple solution to this one, if using Apache...

httpd runs as 500:100
httpd also in group 200
users in group 100
users have uid $uid
suexec used to make CGIs run as $uid:100
home directories have ownership $uid:200 and mode 0750

Users can only get into their own home directories, the web server process can serve pages from all of them, and CGIs run under the appropriate permissions. Works like a charm. I've no idea whether any commercial web server software can do the same thing, but if a free offering can it'd be a bit weird if they couldn't...

--
Patrick Evans - Sysadmin, bran addict and couch potato
pre at pre dot org
www.pre.org/pre
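An added illustration of the ownership layout in the message above (not code from the original post or from Apache): a small model of the Unix owner/group/other check showing who can enter a customer's home directory, with and without suexec, plus an audit for directories that drift from the layout. The ids 500, 100, 200 and mode 0750 are from the message; the customer uids 1001 and 1002, all function names, and the assumption that a suexec'd CGI carries no supplementary groups are constructed for the example.

```python
"""Model of the permission check behind the uid/gid layout in the post."""
import stat
from dataclasses import dataclass

HTTPD_UID, USERS_GID, WEB_GID = 500, 100, 200  # ids from the message
R, W, X = 4, 2, 1


@dataclass(frozen=True)
class Cred:
    uid: int
    gid: int
    groups: frozenset = frozenset()  # supplementary groups


@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int


# httpd runs as 500:100 and is also in group 200.
HTTPD = Cred(HTTPD_UID, USERS_GID, frozenset({WEB_GID}))
# Constructed sample customers: uid $uid, group 100, home $uid:200 mode 0750.
ALICE, BOB = Cred(1001, USERS_GID), Cred(1002, USERS_GID)
ALICE_HOME = Inode(1001, WEB_GID, 0o750)
BOB_HOME = Inode(1002, WEB_GID, 0o750)


def allowed(cred: Cred, inode: Inode, want: int) -> bool:
    """Owner/group/other check for a non-root process.

    Exactly one class applies: owner if the uid matches, else group if any
    of the process's groups matches, else other. There is no fall-through.
    """
    mode = stat.S_IMODE(inode.mode)
    if cred.uid == inode.uid:
        bits = (mode >> 6) & 7
    elif inode.gid == cred.gid or inode.gid in cred.groups:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return (bits & want) == want


def cgi_cred(owner_uid: int, suexec: bool) -> Cred:
    """Identity a CGI runs under: $uid:100 with suexec, otherwise httpd's.

    Assumption: the suexec'd process has no supplementary groups.
    """
    return Cred(owner_uid, USERS_GID) if suexec else HTTPD


def audit_home(inode: Inode, owner_uid: int) -> list:
    """List the ways a home directory deviates from $uid:200 mode 0750."""
    mode = stat.S_IMODE(inode.mode)
    findings = []
    if inode.uid != owner_uid:
        findings.append("owner is not the customer's uid")
    if inode.gid != WEB_GID:
        findings.append("group is not the web server's extra group (200)")
    if mode & 0o007:
        findings.append("'other' bits set: unrelated accounts get access")
    if mode & 0o020:
        findings.append("group-writable: the web server can modify files")
    if (mode & 0o050) != 0o050:
        findings.append("web server cannot read and traverse the directory")
    return findings


if __name__ == "__main__":
    rows = [
        ("httpd reads bob's home", allowed(HTTPD, BOB_HOME, R | X)),
        ("httpd writes bob's home", allowed(HTTPD, BOB_HOME, W)),
        ("alice enters bob's home", allowed(ALICE, BOB_HOME, X)),
        ("alice's CGI, suexec, reads bob's home",
         allowed(cgi_cred(1001, True), BOB_HOME, R | X)),
        ("alice's CGI, no suexec, reads bob's home",
         allowed(cgi_cred(1001, False), BOB_HOME, R | X)),
    ]
    for label, ok in rows:
        print(f"{label:45s} {'allowed' if ok else 'denied'}")
    # A drifted directory: group reset to 100 and mode loosened to 0755.
    print(audit_home(Inode(1002, USERS_GID, 0o755), 1002))
```

The last matrix row is the case the thread is arguing about: without suexec every customer's CGI runs with the web server's identity and can read every other customer's directory.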
On the off-topic subject of security for IP vs name based: Apache has this cunning feature called suExec. The server uses the id of site files owner (as configured in the virtualhost configuration) when accessing the site. CGI are executed with that ID. On Thu, 31 Aug 2000, Alec H. Peterson wrote:
"John A. Tamplin" wrote:
Well, if the policy is that you have to use name-based hosting everywhere feasible and do something different for those customers that need something different, that can be quite a hardship on existing setups. For example, re-engineering all the tools to create and maintain vdom services, changing existing customer setups, etc. It is certainly easier to treat all hosting customers alike, rather than have completely separate setups and then have to change a customer from one to the other when they add or delete services (including downtime).
That was also brought up at the meeting, however it was generally agreed that the address savings were worth the work.
Another issue nobody has mentioned is security between virtual servers. Under name-based hosting, they all run as the same user-id and thus to get the same security you have with separate IP-based servers you have to put all the access control checks in all the tools that can be used. This can be hard if not impossible to do when you allow full shell access to the files used by the server.
Not if you chroot() the user into their file space. That may not be ideal, but there are ways to deal with it.
Alec
This is not meant at anyone personally, it's just something I noticed. When we are deciding that IP savings, etc are worth it, why not make all Cable/DSL/Dialup providers use NAT to map access logins to a small pool of IPs too? The software to do that transparently is already available for a very high percentage of applications. Heck, even upstreams could then NAT their downstreams' pools of IPs. We could run the whole internet off a single class C again. This would of course be an inconvenience to some networks that use a lot of applications that haven't been updated, but we're sure the savings are worth the pain too. --- I guess the point/concern I have is that the largest providers can now pick up /13s because they use that many IPs in 3 months, but if you subtract out the number of truly unique IPs even the largest network would absolutely need, applying all available technology, the number might be as low as a few hundred unique IPs. Deepak Jain AiNET On Thu, 31 Aug 2000, Alec H. Peterson wrote:
"John A. Tamplin" wrote:
Well, if the policy is that you have to use name-based hosting everywhere feasible and do something different for those customers that need something different, that can be quite a hardship on existing setups. For example, re-engineering all the tools to create and maintain vdom services, changing existing customer setups, etc. It is certainly easier to treat all hosting customers alike, rather than have completely separate setups and then have to change a customer from one to the other when they add or delete services (including downtime).
That was also brought up at the meeting, however it was generally agreed that the address savings were worth the work.
Another issue nobody has mentioned is security between virtual servers. Under name-based hosting, they all run as the same user-id and thus to get the same security you have with separate IP-based servers you have to put all the access control checks in all the tools that can be used. This can be hard if not impossible to do when you allow full shell access to the files used by the server.
Not if you chroot() the user into their file space. That may not be ideal, but there are ways to deal with it.
Alec
-- Alec H. Peterson - ahp@hilander.com Staff Scientist CenterGate Research Group - http://www.centergate.com "Technology so advanced, even _we_ don't understand it!"
On Thu, 31 Aug 2000, Deepak Jain wrote:
When we are deciding that IP savings, etc are worth it, why not make all Cable/DSL/Dialup providers use NAT to map access logins to a small pool of IPs too?
I wouldn't even bother with that yet. How about reclaiming the unused class A space assigned to several large companies and universities first? Oh, but wait: that would require proactive effort on ARIN's part. They're too busy tightening down the rules for new applicants to spend the time working on organizations that can't reasonably justify their grandfathered allocations. -- Edward S. Marshall <emarshal@logic.net> http://www.nyx.net/~emarshal/ ------------------------------------------------------------------------------- [ Felix qui potuit rerum cognoscere causas. ]
On Thu, Aug 31, 2000 at 03:59:16PM -0400, Deepak Jain wrote:
This is not meant at anyone personally, it's just something I noticed.
When we are deciding that IP savings, etc are worth it, why not make all Cable/DSL/Dialup providers use NAT to map access logins to a small pool of IPs too?
Because that only works if none of your customers want to access their home boxes from outside in any way, and if none of their applications require a return channel. Telling your customers they can't telnet, ssh, or VNC into their home boxes costs you all your *nix users, and telling them they can't use Napster costs you all your Windows users. The few Mac users you have left don't keep you profitable. :-)
Why can't they use those apps through NAT? I do it from home quite often. Deepak Jain AiNET On Thu, 31 Aug 2000, Shawn McMahon wrote:
On Thu, Aug 31, 2000 at 03:59:16PM -0400, Deepak Jain wrote:
This is not meant at anyone personally, it's just something I noticed.
When we are deciding that IP savings, etc are worth it, why not make all Cable/DSL/Dialup providers use NAT to map access logins to a small pool of IPs too?
Because that only works if none of your customers want to access their home boxes from outside in any way, and if none of their applications require a return channel.
Telling your customers they can't telnet, ssh, or VNC into their home boxes costs you all your *nix users, and telling them they can't use Napster costs you all your Windows users.
The few Mac users you have left don't keep you profitable. :-)
On Thu, Aug 31, 2000 at 06:09:11PM -0400, Deepak Jain wrote:
Why can't they use those apps through NAT? I do it from home quite often.
Are you going to set up the port forwarding for 500,000 customers? 1 million? You and I can set things up so port 22 goes to one machine, port 23 to another, etc., but what are you going to do for 500,000 customers? And what are you going to do for only 1,000 customers, with some of them wanting telnet, some VNC, some ssh, some Napster, some webcams, etc. etc. etc.? Set up a dozen ports for each of 500,000 customers? Or do you have some magic NAT that automatically figures out every protocol, known or unknown, currently existing or yet to be written, and routes it to the correct machine?
At 18:15 31/08/00 -0400, Shawn McMahon wrote:
On Thu, Aug 31, 2000 at 06:09:11PM -0400, Deepak Jain wrote:
Why can't they use those apps through NAT? I do it from home quite often.
Are you going to set up the port forwarding for 500,000 customers? 1 million?
You and I can set things up so port 22 goes to one machine, port 23 to another, etc., but what are you going to do for 500,000 customers?
Based on Cisco: http://www.cisco.com/warp/customer/701/60.html "As a result, Cisco IOS PAT [Port Address Translation - HN] supports about 4000 local addresses that can be mapped to the same global address." -Hank
And what are you going to do for only 1,000 customers, with some of them wanting telnet, some VNC, some ssh, some Napster, some webcams, etc. etc. etc.?
Set up a dozen ports for each of 500,000 customers?
Or do you have some magic NAT that automatically figures out every protocol, known or unknown, currently existing or yet to be written, and routes it to the correct machine?
On Fri, 1 Sep 2000, Hank Nussbacher wrote:
: At 18:15 31/08/00 -0400, Shawn McMahon wrote:
: >On Thu, Aug 31, 2000 at 06:09:11PM -0400, Deepak Jain wrote:
: > >
: > > Why can't they use those apps through NAT? I do it from home quite often.
: >
: >Are you going to set up the port forwarding for 500,000 customers? 1 million?
: >
: >You and I can set things up so port 22 goes to one machine, port 23 to
: >another,
: >etc., but what are you going to do for 500,000 customers?
:
: Based on Cisco:
: http://www.cisco.com/warp/customer/701/60.html
:
: "As a result, Cisco IOS PAT [Port Address Translation - HN] supports about
: 4000 local addresses that can be mapped to the same global address."

Try to explain to a current user that (s)/he needs to use a different port for each ftp server they're running, and that their (likely win98/2k) customers need to adjust their clients accordingly. Then expand that to include other services. I'm all for the preservation of IP space, but (sure, I'm singing to the choir) we're not talking about a one-size-fits-all issue. I'm catching up at the apparent tail end of the thread, so I'll relegate additional posts to ppml.

Cheers,
brian
Based on Cisco: http://www.cisco.com/warp/customer/701/60.html
"As a result, Cisco IOS PAT [Port Address Translation - HN] supports about 4000 local addresses that can be mapped to the same global address."
And that exactly scales how at an ISP/NSP level with millions of subs? Has anyone here ever considered the ops effort required to make this work and keep it working, never mind the calls you'll receive into your call center to keep all your customers working and happy? -- Christian Kuhtz, Sr. Network Architect Architecture, BellSouth.net <ck@arch.bellsouth.net> -wk, <ck@gnu.org> -hm Atlanta, GA "Speaking for myself only."
Why can't they use those apps through NAT? I do it from home quite often.
Ever tried peer to peer communication between two peers, each hidden behind separate NAT'ed networks? (i won't even mention the poorly written application routine) *slams buzzer* sorry, using an intermediate server is typically not a terribly scalable approach. thanks for playing, though. :-) To prescribe such process that you must NAT as a default is insane. Nonetheless, it should be encouraged where feasible. -- Christian Kuhtz, Sr. Network Architect Architecture, BellSouth.net <ck@arch.bellsouth.net> -wk, <ck@gnu.org> -hm Atlanta, GA "Speaking for myself only."
On Thu, 31 Aug 2000, Deepak Jain wrote:
Why can't they use those apps through NAT? I do it from home quite often.
Deepak Jain AiNET
So, you connect to your home machine sitting behind a NAT device from someplace else on the global internet? While I know this is possible using port-forwarding, etc, please explain how you would scale this to the ISP/NSP level. --- John Fraizer EnterZone, Inc
Telling your customers they can't telnet, ssh, or VNC into their home boxes costs you all your *nix users,
all 0.1% of them.....
and telling them they can't use Napster costs you all your Windows users.
Erm, I thought napster worked OK through NAT...
The few Mac users you have left don't keep you profitable. :-)
Isn't it time we differentiated between a home surfer who 99.9% of the time never needs to access his home machine from outside and in fact may be happy that others can't access his "always-on" machine, and those who need a real IP address to host some service or other? Seems that for the paltry $39/m for a T1 speed cable access, I shouldn't deserve a dedicated IP address included. IMHO, jon.
On Thu, Aug 31, 2000 at 03:18:27PM -0700, Jon Mansey wrote:
Erm, I thought napster worked OK through NAT...
Not if both sides are using NAT. And, since what we're talking about here is getting EVERYBODY to use it, it thus stands to reason that this would be the case. NAT is a kludge. IP was made to use addresses, anything else is a kludge and always will be.
Erm, I thought napster worked OK through NAT...
Not if both sides are using NAT. And, since what we're talking about here is getting EVERYBODY to use it, it thus stands to reason that this would be the case.
Exactly. Finally somebody who gets it.
NAT is a kludge. IP was made to use addresses, anything else is a kludge and always will be.
Perhaps it's time for this forum and others to seriously worry about IPv6 deployment, instead of finding yet another fix for the fix of a fix to further break a broken allocation model. Anyone who believes that you can somehow permanently slow or freeze the need for ip addresses significantly needs a reality check, IMHO. -- Christian Kuhtz, Sr. Network Architect Architecture, BellSouth.net <ck@arch.bellsouth.net> -wk, <ck@gnu.org> -hm Atlanta, GA "Speaking for myself only."
Christian Kuhtz wrote:
Perhaps it's time for this forum and others to seriously worry about IPv6 deployment, instead of finding yet another fix for the fix of a fix to further break a broken allocation model.
It seems to me that there's been a lot of discussion about IPv6, to the point that the authors of some operating systems[0] have claimed to actually have working code that implements it. However, I haven't seen much talk about actually deploying it[1]. [0] OK, one. I recall seeing somewhere that Linux's TCP/IP code supports it. [1] Truthfully, I don't spend my time with my nose buried in technical journals, and I don't keep up as much with the infrastructure side of things as I'd like to (and probably should), but I would think that this would be big news if it had actually happened. -- North Shore Technologies, Cleveland, OH http://NorthShoreTechnologies.net Steve Sobol, BOFH - President, Chief Website Architect and Janitor Linux Instructor, PC/LAN Program, Natl. Institute of Technology, Akron, OH sjsobol@NorthShoreTechnologies.net - 888.480.4NET - 216.619.2NET
[0] OK, one. I recall seeing somewhere that Linux's TCP/IP code supports it.
There's a list of implementations at: http://playground.sun.com/pub/ipng/html/ipng-implementations.html FreeBSD and NetBSD both have stacks, and a raft of vendor-supplied flavors of UNIX. And Microsoft, as was already noted. Regarding deployment:
[1] Truthfully, I don't spend my time with my nose buried in technical journals, and I don't keep up as much with the infrastructure side of things as I'd like to (and probably should), but I would think that this would be big news if it had actually happened.
http://www.cnn.com/2000/TECH/computing/03/22/first.ipv6.idg/index.html Apparently there was no earth-shattering kaboom. Stephen
When we are deciding that IP savings, etc are worth it, why not make all Cable/DSL/Dialup providers use NAT to map access logins to a small pool of IPs too? The software to do that transparently is already available for a very high percentage of applications. Heck, even upstreams could then NAT their downstreams' pools of IPs. We could run the whole internet off a single class C again.
We have been NATing a large percentage of our customers for years with great results, even delivering email behind the NAT by using a relay mail server. When I am scrambling for IP space and my requests for a portable /20 or even a portable /24 are denied, and cable/adsl.. providers put obtuse end users on live IP's....... The security and hacking problems alone make this a good idea. This is a far bigger problem I fear than web hosting. Most of us use Virtual Hosts for many good reasons already, only WinNT is a pain to setup for virtual hosting, and even it works. --Mike--
On Thu, 31 Aug 2000, Alec H. Peterson wrote:
"John A. Tamplin" wrote:
Well, if the policy is that you have to use name-based hosting everywhere feasible and do something different for those customers that need something different, that can be quite a hardship on existing setups. For example, re-engineering all the tools to create and maintain vdom services, changing existing customer setups, etc. It is certainly easier to treat all hosting customers alike, rather than have completely separate setups and then have to change a customer from one to the other when they add or delete services (including downtime).
That was also brought up at the meeting, however it was generally agreed that the address savings were worth the work.
Very thoughtful of the assemblage to make that determination for everyone else.
In a democratic process, which ARIN is, refusal to participate in the voting process, when eligible, usually removes one's standing to complain. This is a non-issue. Very few hosting companies of any size are assigning individual IPs to individual sites. Most use some sort of HTTP file transfer as well. This is not due to any benefit or deficiency in HTTP or FTP. It's done this way to reduce IP usage, and to make the end-user experience a smooth one. End-users of web services generally prefer the dreaded "klicky" interface over its trickier cousin, command line FTP. Daniel Golding On Thu, 31 Aug 2000, Patrick Greenwell wrote:
On Thu, 31 Aug 2000, Alec H. Peterson wrote:
"John A. Tamplin" wrote:
Well, if the policy is that you have to use name-based hosting everywhere feasible and do something different for those customers that need something different, that can be quite a hardship on existing setups. For example, re-engineering all the tools to create and maintain vdom services, changing existing customer setups, etc. It is certainly easier to treat all hosting customers alike, rather than have completely separate setups and then have to change a customer from one to the other when they add or delete services (including downtime).
That was also brought up at the meeting, however it was generally agreed that the address savings were worth the work.
Very thoughtful of the assemblage to make that determination for everyone else.
dan@netrail.net wrote:
In a democratic process, which ARIN is, refusal to participate in the voting process, when eligible, usually removes one's standing to complain.
Cough up your $500 as an individual and you can buy a vote. Sounds democratic...
This is a non-issue. Very few hosting companies of any size are assigning individual IPs to individual sites. Most use some sort of HTTP file transfer as well.
Your authoritative statement is interesting. Could you provide the quantitative data that your statements represent? Using words like "few" and "most" tend to imply a knowledge of the numbers.
This is not due to any benefit or deficiency in HTTP or FTP. It's done this way to reduce IP usage, and to make the end-user experience a smooth one. End-users of web services generally prefer the dreaded "klicky" interface over its trickier cousin, command line FTP.
Must be an interesting study. Would like to read it. Please give citations. In my clearly unscientific polling of a few friends, they had no trouble with using FTP, from a command line, no less. It'll be interesting to see just how small a minority we are.
On Thu, 31 Aug 2000, Patrick Greenwell wrote:
On Thu, 31 Aug 2000, Alec H. Peterson wrote:
"John A. Tamplin" wrote:
Well, if the policy is that you have to use name-based hosting everywhere feasible and do something different for those customers that need something different, that can be quite a hardship on existing setups. For example, re-engineering all the tools to create and maintain vdom services, changing existing customer setups, etc. It is certainly easier to treat all hosting customers alike, rather than have completely separate setups and then have to change a customer from one to the other when they add or delete services (including downtime).
That was also brought up at the meeting, however it was generally agreed that the address savings were worth the work.
Very thoughtful of the assemblage to make that determination for everyone else.
-- ----------------------------------------------------------------- Daniel Senie dts@senie.com Amaranth Networks Inc. http://www.amaranth.com
On Thu, 31 Aug 2000, Daniel Senie wrote:
dan@netrail.net wrote:
In a democratic process, which ARIN is, refusal to participate in the voting process, when eligible, usually removes one's standing to complain.
Cough up your $500 as an individual and you can buy a vote. Sounds democratic...
The vast majority of the participants here work for ARIN member companies. They get a vote. It's democratic.
This is a non-issue. Very few hosting companies of any size are assigning individual IPs to individual sites. Most use some sort of HTTP file transfer as well.
Your authoritative statement is interesting. Could you provide the quantitative data that your statements represent? Using words like "few" and "most" tend to imply a knowledge of the numbers.
My only experience comes from having worked at a company that was the second largest commercial web hoster in the world. While I haven't done a complete study, I suspect no one has. Therefore, we must rely on anecdotal data.
This is not due to any benefit or deficiency in HTTP or FTP. It's done this way to reduce IP usage, and to make the end-user experience a smooth one. End-users of web services generally prefer the dreaded "klicky" interface over its trickier cousin, command line FTP.
Must be an interesting study. Would like to read it. Please give citations. In my clearly unscientific polling of a few friends, they had no trouble with using FTP, from a command line, no less. It'll be interesting to see just how small a minority we are.
Unscientific is a good word for it. I can think of others. I doubt your friends (or the participants on this list) are in any way representative of end-user web hosters. Please be realistic here - most folks who own web sites want a clicky interface. I'm not talking about yahoo, and I'm not talking about a few techies. I'm referring to the mass market. - Dan Golding
On Thu, 31 Aug 2000, Patrick Greenwell wrote:
On Thu, 31 Aug 2000, Alec H. Peterson wrote:
"John A. Tamplin" wrote:
Well, if the policy is that you have to use name-based hosting everywhere feasible and do something different for those customers that need something different, that can be quite a hardship on existing setups. For example, re-engineering all the tools to create and maintain vdom services, changing existing customer setups, etc. It is certainly easier to treat all hosting customers alike, rather than have completely separate setups and then have to change a customer from one to the other when they add or delete services (including downtime).
That was also brought up at the meeting, however it was generally agreed that the address savings were worth the work.
Very thoughtful of the assemblage to make that determination for everyone else.
-- ----------------------------------------------------------------- Daniel Senie dts@senie.com Amaranth Networks Inc. http://www.amaranth.com
On Thu, 31 Aug 2000 dan@netrail.net wrote:
> In a democratic process, which ARIN is, refusal to participate in the
> voting process, when eligible, usually removes one's standing to complain.

I once heard that the derivation of the word "idiot" was from the Greek word for someone who didn't participate in his own governance.

-Bill
In a democratic process, which ARIN is, refusal to participate in the voting process, when eligible, usually removes one's standing to complain.
Not sure where this notion of democracy is coming from, but in either case, one needs to provide sufficient means to respond even if not able to attend personally. Most democracies and near democracies do so. Which usually also means long response periods and other ways of dealing with capturing the most votes overall. If you don't make that effort, you don't have a democracy or anything anywhere near it. Just as much as it is your responsibility as a citizen of a democracy to go and vote, a democracy must make a considerable effort to make it easy and encourage people to vote; beyond just making it merely possible. Strange notions around here. -- Christian Kuhtz, Sr. Network Architect Architecture, BellSouth.net <ck@arch.bellsouth.net> -wk, <ck@gnu.org> -hm Atlanta, GA "Speaking for myself only."
Patrick Greenwell wrote:
Very thoughtful of the assemblage to make that determination for everyone else.
*shrug*, if people choose not to attend and participate then that's their problem. I'd love to see more people at the public policy meeting myself. Alec -- Alec H. Peterson - ahp@hilander.com Staff Scientist CenterGate Research Group - http://www.centergate.com "Technology so advanced, even _we_ don't understand it!"
On Thu, 31 Aug 2000, Alec H. Peterson wrote:
Patrick Greenwell wrote:
Very thoughtful of the assemblage to make that determination for everyone else.
*shrug*, if people choose not to attend and participate then that's their problem.
Have you considered the possibility that some people do not have the time to be physically present when votes on how everyone will be forced to run their business are taken?
Patrick Greenwell wrote:
Have you considered the possibility that some people do not have the time to be physically present when votes on how everyone will be forced to run their business are taken?
Certainly. That's what ppml@arin.net is for. Alec -- Alec H. Peterson - ahp@hilander.com Staff Scientist CenterGate Research Group - http://www.centergate.com "Technology so advanced, even _we_ don't understand it!"
On Thu, 31 Aug 2000, Alec H. Peterson wrote:
Patrick Greenwell wrote:
Very thoughtful of the assemblage to make that determination for everyone else.
*shrug*, if people choose not to attend and participate then that's their problem.
Have you considered the possibility that some people do not have the time to be physically present when votes on how everyone will be forced to run their business are taken?
I second that notion. With all due respect, this voting business is a ridiculous notion in this issue. Thanks, Chris -- Christian Kuhtz, Sr. Network Architect Architecture, BellSouth.net <ck@arch.bellsouth.net> -wk, <ck@gnu.org> -hm Atlanta, GA "Speaking for myself only."
Christian Kuhtz wrote:
I second that notion. With all due respect, this voting business is a ridiculous notion in this issue.
Which is the primary reason that the ARIN AC exists; to represent the members' views through policy recommendations to the board. This specific issue came to a head at the AC meeting in Calgary, so it made sense to bring the issue to the attention of the membership at that time. The issue had been circulating for some time. Perhaps we need to develop a better process for getting feedback on policy recommendations. Perhaps a discussion period on the ppml@arin.net is called for? Hrm, this really doesn't have much to do with NANOG any more, and is better suited for ppml@arin.net. Anybody who wants to participate further should subscribe to that list, as I'm signing off of this thread on the NANOG list. Alec -- Alec H. Peterson - ahp@hilander.com Staff Scientist CenterGate Research Group - http://www.centergate.com "Technology so advanced, even _we_ don't understand it!"
On Thu, 31 Aug 2000, Patrick Greenwell wrote:
*shrug*, if people choose not to attend and participate then that's their problem.
Have you considered the possibility that some people do not have the time to be physically present when votes on how everyone will be forced to run their business are taken?
That's why I asked about some form of proxy for members who can't be present. I'd love to go to every ARIN public meeting (and lots of other conferences). Who's going to pay my way and cover for me at the office though? I own stocks and have only gone to a share holders meeting once...but I get lots of proxy voting materials in the mail, so when I care, I actually can vote without having to travel. ---------------------------------------------------------------------- Jon Lewis *jlewis@lewis.org*| I route System Administrator | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
On Thu, 31 Aug 2000 jlewis@lewis.org wrote:
On Thu, 31 Aug 2000, Patrick Greenwell wrote:
*shrug*, if people choose not to attend and participate then that's their problem.
Have you considered the possibility that some people do not have the time to be physically present when votes on how everyone will be forced to run their business are taken?
That's why I asked about some form of proxy for members who can't be present.
Given the effects of the decisions that ARIN is making that would seem to be a very prudent idea. It should be noted however, that no matter how "democratic" any organization is or claims to be, the decisions they make do not supersede the laws of the country(ies) that they operate in. At the point that someone feels their rights under the law are being violated sufficiently (such as restraint of trade) and has the necessary resources, I imagine these sorts of things will simply end up in court.
Patrick Greenwell wrote:
It should be noted however, that no matter how "democratic" any organization is or claims to be, the decisions they make do not supersede the laws of the country(ies) that they operate in. At the point that someone feels their rights under the law are being violated sufficiently (such as restraint of trade) and has the necessary resources, I imagine these sorts of things will simply end up in court.
It would appear that NSI has demonstrated that this is not necessarily successful. -- Rodney Joffe CenterGate Research Group, LLC. http://www.centergate.com "Technology so advanced, even we don't understand it!"(SM)
On Thu, Aug 31, 2000, Patrick Greenwell wrote:
That's why I asked about some form of proxy for members who can't be present.
Given the effects of the decisions that ARIN is making that would seem to be a very prudent idea.
It should be noted however, that no matter how "democratic" any organization is or claims to be, the decisions they make do not supersede the laws of the country(ies) that they operate in. At the point that someone feels their rights under the law are being violated sufficiently (such as restraint of trade) and has the necessary resources, I imagine these sorts of things will simply end up in court.
.. and if this kind of thing happens because a company can't get what they want out of a body like ARIN, we are all pretty much doomed. You know, you would *think* that this kind of change, regardless of whether it's "right" or "wrong" would tickle *some* people into creating new solutions based upon changing constraints. This *IS* what we are paid for, right? Adrian -- Adrian Chadd <adrian@creative.net.au> "If a butterfly flaps its wings in China, will a women get naked in Amsterdam?" -- Ashley Penney on Chaos Theory
Patrick Greenwell wrote:
Have you considered the possibility that some people do not have the time to be physically present when votes on how everyone will be forced to run their business are taken?
That's a disingenuous response, Patrick. Perhaps you could suggest an alternative? Not having a vote because some people can't be there is no way to run a democracy, which this still appears to be in this case. Would an absentee ballot system work for you? How would you be part of the discussions? What would you have happen? -- Rodney Joffe CenterGate Research Group, LLC. http://www.centergate.com "Technology so advanced, even we don't understand it!"(SM)
* Rodney Joffe <rjoffe@centergate.com> [20000831 16:05]:
Patrick Greenwell wrote:
Have you considered the possibility that some people do not have the time to be physically present when votes on how everyone will be forced to run their business are taken?
That's a disingenuous response, Patrick.
Perhaps you could suggest an alternative? Not having a vote because some people can't be there is no way to run a democracy, which this still appears to be in this case.
Would an absentee ballot system work for you? How would you be part of the discussions?
What would you have happen?
Web based voting system. The members log in and vote. Voting is open for a specified time period (24-96 hours?). We are IP-based companies after all. :-) -jr ---- Josh Richards [JTR38/JR539-ARIN] <jrichard@cubicle.net/fix.net/freedom.gen.ca.us/geekresearch.com> Geek Research LLC IP Network Engineering and Consulting
Web based voting system. The members log in and vote. Voting is open for a specified time period (24-96 hours?).
Too short. Allow a week, or more realistically multiples thereof. Some decisions require the members to build consent in their organizations and need to be discussed, which requires time. It's a silly notion to assume that large organizations can respond to these types of things in a matter of hours/days; given that this industry as a whole is generally always overworked.
We are IP-based companies after all. :-)
Make sure you have a backup process, which may further increase the length of your voting window (snail mail, etc). -- Christian Kuhtz, Sr. Network Architect Architecture, BellSouth.net <ck@arch.bellsouth.net> -wk, <ck@gnu.org> -hm Atlanta, GA "Speaking for myself only."
On Thu, 31 Aug 2000, Rodney Joffe wrote:
Patrick Greenwell wrote:
Have you considered the possibility that some people do not have the time to be physically present when votes on how everyone will be forced to run their business are taken?
That's a disingenuous response, Patrick.
Is it? How so?
Perhaps you could suggest an alternative?
Well, voting by proxy was brought up, which seems like a reasonable idea.
Patrick Greenwell wrote:
On Thu, 31 Aug 2000, Rodney Joffe wrote:
That's a disingenuous response, Patrick.
Is it? How so?
Because failure to appear at a public hearing was never an excuse for refusing to abide by the decisions made at that hearing. The board that made the recommendation/decision was elected by the membership. So it is a democracy. If you don't like the decisions and you don't have the time to go to the meetings to voice your opinions, and you don't have the inclination to voice them on the appropriate list, then vote for board members who you believe will do "the right thing(tm)". Or run for the board yourself. Maybe I'll even vote for you ;-) Unfortunately, it appears you'll have to wait for the next election as the current one closed nominations 2 days ago.
Perhaps you could suggest an alternative?
Well, voting by proxy was brought up, which seems like a reasonable idea.
You already did (if you're a member) by electing the board who made the decision. Maybe you mean an absentee ballot system? After a while, that becomes an inefficient way to run the system. DISCLAIMER: I am not affected by the decision, so I may be biased. I'm not sure how I would feel if I was affected by an ARIN decision. -- Rodney Joffe CenterGate Research Group, LLC. http://www.centergate.com "Technology so advanced, even we don't understand it!"(SM)
On Thu, Aug 31, 2000 at 05:22:58PM -0700, Rodney Joffe wrote:
refusing to abide by the decisions made at that hearing. The board that made the recommendation/decision was elected by the membership. So it is a democracy.
You've just described a republic, not a democracy.
On Thu, 31 Aug 2000, Rodney Joffe wrote:
Patrick Greenwell wrote:
On Thu, 31 Aug 2000, Rodney Joffe wrote:
That's a disingenuous response, Patrick.
Is it? How so?
Because failure to appear at a public hearing was never an excuse for refusing to abide by the decisions made at that hearing.
Please define "public." That ARIN may be practicing governance does not make it a government. To the best of my knowledge ARIN is a private, membership-based organization, and as such referring to any meetings they might hold as "public" would seem to me to be somewhat of a misnomer. In fact, the Organizational structure document http://www.arin.net/arin/organ.htm is pretty clear on the subject: "Membership is required for voting on issues that affect the operations of ARIN, and for nominating and electing the Board of Trustees and the Advisory Council." ARIN membership is available to those not already paying for IP allocation for a fee. So it would be fair to say that one is afforded the opportunity to buy a vote in the operation of ARIN. If I want anything approximating a voice in ARIN, I have to pay for it. What's the value proposition? What am I receiving in exchange for my money?
The board that made the recommendation/decision was elected by the membership. So it is a democracy.
Candidates for the board are selected by a nominating committee, which the membership is then afforded the opportunity to vote on. The elected board elects the officers of the organization, and makes decisions. As someone else pointed out, that is more of a republic than a democracy.
If you don't like the decisions and you don't have the time to go to the meetings to voice your opinions, and you don't have the inclination to voice them on the appropriate list,
Anyone can voice an opinion on a list, it doesn't automatically equate to consideration. If that were the case, the loons would rule the day given their ability to produce sheer volume.
then vote for board members who you believe will do "the right thing(tm)".
A more accurate statement would be: "then vote for the board members selected by the nominating committee who you believe will do the right thing."
Or run for the board yourself. Maybe I'll even vote for you ;-)
No, you wouldn't. Trust me, you wouldn't like my position on what should be done to fix the current state of affairs.
Perhaps you could suggest an alternative?
Well, voting by proxy was brought up, which seems like a reasonable idea.
You already did (if you're a member) by electing the board who made the decision.
B.S. The nominating committee decides who can be elected, and there is no requirement for board members to vote any particular way. That does not describe the ability to vote by proxy.
Maybe you mean an absentee ballot system? After a while, that becomes an inefficient way to run the system.
A democracy is the most inefficient form of government. If you want the most efficient form of government a dictatorship works best. Better a little inefficiency than a lot of inequity. Consider that certain players automatically are "in the club" http://www.arin.net/arin/organ.htm: "Internet Service Providers (ISPs) receiving IP addresses from ARIN (subscribing customers) automatically become members." Those providers are any organization big enough to receive an allocation according to ARIN policies. Are smaller providers not affected by the policies that ARIN lays down? Further, since by definition those providers are not large enough to secure portable space, aren't they in fact affected to even a *greater* degree than larger providers who automatically receive a vote?
DISCLAIMER: I am not affected by the decision, so I may be biased.
I am not going to even begin to offer comment on that given our respective positions and involvement.
I'm not sure how I would feel if I was affected by an ARIN decision.
I am not affected either currently. One does not have to suffer personally in order to formulate and offer opinions on the matter. Apologies to all if this has strayed too far off of operational content. I'll shut up now (snide remarks happily routed to the bitbucket.) :-)
Because failure to appear at a public hearing was never an excuse for refusing to abide by the decisions made at that hearing.
Typically there's always a plethora of proxy options as well as lengthy response timeframes as well. Don't forget that. These things are not as simple as they are presented here. In fact, many processes in which failure of appearance results in a default decision etc provide extensive paths for extensions, reviews etc to give people every opportunity to voice their views if something prevents them. Typically you can't just set one date and say, if you can't make it you default. That's not how this works.
The board that made the recommendation/decision was elected by the membership. So it is a democracy.
.. By far the shortest definition of democracy I've ever seen. *sigh*
You already did (if you're a member) by electing the board who made the decision. Maybe you mean an absentee ballot system? After a while, that becomes an inefficient way to run the system.
How is that? Inefficiency is a reason to curtail your so-called democratic process? I think anyone who believes democracies are by nature efficient is out there. Dictators are by far the most efficient rulers as far as decision making is concerned. -- Christian Kuhtz, Sr. Network Architect Architecture, BellSouth.net <ck@arch.bellsouth.net> -wk, <ck@gnu.org> -hm Atlanta, GA "Speaking for myself only."
Perhaps you could suggest an alternative? Not having a vote because some people can't be there is no way to run a democracy, which this still appears to be in this case.
All depends on what sample size and proportion you mean by "some" people.
Would an absentee ballot system work for you? How would you be part of the discussions?
That's one possibility. I think there's more needed. IMHO, one must publish the choices, and make arguments for each side easily accessible, and create a very large sample for the vote. -- Christian Kuhtz, Sr. Network Architect Architecture, BellSouth.net <ck@arch.bellsouth.net> -wk, <ck@gnu.org> -hm Atlanta, GA "Speaking for myself only."
participants (22)
- Adrian Chadd
- Alec H. Peterson
- Bill Woodcock
- Brian Wallingford
- Christian Kuhtz
- dan@netrail.net
- Dana Hudes
- Daniel Senie
- Deepak Jain
- Edward S. Marshall
- Hank Nussbacher
- jlewis@lewis.org
- John Fraizer
- Jon Mansey
- Josh Richards
- mike harrison
- Patrick Evans
- Patrick Greenwell
- Rodney Joffe
- Shawn McMahon
- Stephen Stuart
- Steve Sobol