
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Let's have a reality check here.

Our job as **OPERATORS** is to provide our subscribers with simple and reliable access to what they consider as the Global Internet. They have the following 2 reasonable expectations:

1) That they can access any publicly accessible web, ftp, email, etc server anywhere in the world by using the destination's published textual address. Without, I might add, having to know that certain locations require loading a special plug-in, changing their resolver, or artificially padding the name.

2) That their customers or prospective customers can access any server OF ANY TYPE that they declare to be public by means of a single published textual address, usually in URL format. Again, with the same caveats as item 1.

**************************************************
** I challenge anyone to prove to me that       **
** their actual customers DON'T expect this!!!  **
**************************************************

Remember that, regardless of theoretical arguments, _WE_ are the ones that have to deal with the messes that result from things like this... _WE_ are the ones who will have to pay for the increased NOC and Tech Support staff and phone charges...

Tim

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOq+znRRIXzEQLahvEQLjwQCg9TRKv6/zUrD6LAChoqUPNT0yzAUAoKjZ
MHVyzwga/VMrkQ0tu7rSfMbE
=xFJb
-----END PGP SIGNATURE-----

On Wed, 14 Mar 2001, Timothy R. McKee wrote:
> Let's have a reality check here.
>
> Our job as **OPERATORS** is to provide our subscribers with simple and reliable access to what they consider as the Global Internet. They have the following 2 reasonable expectations:
>
> 1) That they can access any publicly accessible web, ftp, email, etc server anywhere in the world by using the destination's published textual address. Without, I might add, having to know that certain locations require loading a special plug-in, changing their resolver, or artificially padding the name.

Bear in mind that in many cases, this is an illusion. They aren't accessing the same machine at all. Someone is using round robin DNS to map one name into several IP addresses, or a Local Director to map one IP address into many IP addresses, or there is some other such substitution being employed.

In some cases the party serving the data is involved in the illusion. In others, as in transparent proxying, someone along the way is intervening. This is often silent and may have the consent of neither the user/client nor whoever is running the intended target.

> Remember that, regardless of theoretical arguments, _WE_ are the ones that have to deal with the messes that result from things like this... _WE_ are the ones who will have to pay for the increased NOC and Tech Support staff and phone charges...

My point is that we are already in the world that you are warning us about. People are happily using one address space within their company and quite another to talk to the outside world, with NAT mediating between the two. Their internal DNS is also different from the DNS seen on the global Internet. And it all seems to be working exceedingly well, despite the fact the games people play with IP addresses and domain names are becoming very subtle indeed.

--
Jim Dixon          VBCnet GB Ltd          http://www.vbc.net
tel +44 117 929 1316          fax +44 117 927 2015

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Technical points taken, but we need to clearly differentiate between the internal (including local director type internal) addresses and what I and the end users would consider to be published PUBLIC addresses. These had better work or we will start to lose customers followed shortly thereafter by revenue.

> > Our job as **OPERATORS** is to provide our subscribers with simple and reliable access to what they consider as the Global Internet. They have the following 2 reasonable expectations:
> >
> > 1) That they can access any publicly accessible web, ftp, email, etc server anywhere in the world by using the destination's published textual address. Without, I might add, having to know that certain locations require loading a special plug-in, changing their resolver, or artificially padding the name.
>
> Bear in mind that in many cases, this is an illusion. They aren't accessing the same machine at all. Someone is using round robin DNS to map one name into several IP addresses, or a Local Director to map one IP address into many IP addresses, or there is some other such substitution being employed.
>
> In some cases the party serving the data is involved in the illusion. In others, as in transparent proxying, someone along the way is intervening. This is often silent and may have the consent of neither the user/client nor whoever is running the intended target.

Yet in all cases, except where something is physically broken or out of synch, the initiating user and the terminating server expect that access to information or services via a documented public mnemonic URL will provide the same information (or a cached copy of it) to every user globally. If it doesn't WE are the ones that are held responsible by the users.

> > Remember that, regardless of theoretical arguments, _WE_ are the ones that have to deal with the messes that result from things like this... _WE_ are the ones who will have to pay for the increased NOC and Tech Support staff and phone charges...
>
> My point is that we are already in the world that you are warning us about. People are happily using one address space within their company and quite another to talk to the outside world, with NAT mediating between the two. Their internal DNS is also different from the DNS seen on the global Internet. And it all seems to be working exceedingly well, despite the fact the games people play with IP addresses and domain names are becoming very subtle indeed.

But once again, when they access or publish a PUBLIC URL, they have expectations that it will work and it will work the same for everyone regardless of location or ISP affiliation. I don't consider internal network workings to be public in nature.

Tim

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOq/UeBRIXzEQLahvEQJJlQCg885pkVl0JedfKUHTofW2WYMqIckAn3yT
FlSWsEPh4ToopQkgzJL6CfOO
=j5l4
-----END PGP SIGNATURE-----

On Wed, 14 Mar 2001, Timothy R. McKee wrote:
> > Bear in mind that in many cases, this is an illusion. They aren't accessing the same machine at all. Someone is using round robin DNS to map one name into several IP addresses, or a Local Director to map one IP address into many IP addresses, or there is some other such substitution being employed.
> >
> > In some cases the party serving the data is involved in the illusion. In others, as in transparent proxying, someone along the way is intervening. This is often silent and may have the consent of neither the user/client nor whoever is running the intended target.
>
> Yet in all cases, except where something is physically broken or out of synch, the initiating user and the terminating server expect that access to information or services via a documented public mnemonic URL will provide the same information (or a cached copy of it) to every user globally. If it doesn't WE are the ones that are held responsible by the users.

That may be true. Nevertheless, the existing system works. Whenever it fails to work, we fix it.

> > My point is that we are already in the world that you are warning us about. People are happily using one address space within their company and quite another to talk to the outside world, with NAT mediating between the two. Their internal DNS is also different from the DNS seen on the global Internet. And it all seems to be working exceedingly well, despite the fact the games people play with IP addresses and domain names are becoming very subtle indeed.
>
> But once again, when they access or publish a PUBLIC URL, they have expectations that it will work and it will work the same for everyone regardless of location or ISP affiliation. I don't consider internal network workings to be public in nature.

And that is of course true. But we still have a working system, one in which we, the network operators, ensure that our customers are content that the illusion with which we present them is correct.

Now consider the relative complexity of the systems involved. In one, there are at least tens of thousands of address fiddles in operation, cases in which the machine you think you are accessing is not the machine that you are really accessing. This goes on all the time. Moderately often there are glitches. When there are, we fix it or complain to someone who can. Generally speaking, problems get resolved fairly quickly.

In the other case, there are a couple of hundred mappings from domain names like .COM, .UK, .NET, .FR into the IP addresses of name servers authoritative for these names. Someone else pointed out that the information involved is around 60 KB in all. Please convince me that the world's ISPs are not capable of managing this simple task.

Spelling out the obvious: let's say that VBCnet started referring our customers to the wrong name server to resolve names in .COM. How many minutes would it be before the phones began ringing off the hook? I can assure you that we would fix it really fast, and take steps to make sure that we didn't screw up again.

--
Jim Dixon          VBCnet GB Ltd          http://www.vbc.net
tel +44 117 929 1316          fax +44 117 927 2015

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yes, we fix things when they break. We have done so for years. What I don't want to see happen is for us to allow a system to be put in place that CAN'T BE FIXED.

If several 'pirate' TLD providers all offer up the same TLD how do we fix conflicts? No matter which one we choose to put first in our search list we will end up being sued by the others... It's guaranteed. The only legally defensible mechanism is to not allow ANY patches - that is to say we enforce the only root zone authority that has any real recognized legal standing. I know if I started one of these companies I would start looking for legal targets immediately.... There's more potential money there than in the registration business itself.

Tim

-----Original Message-----
From: Jim Dixon [mailto:jdd@vbc.net]
Sent: Wednesday, March 14, 2001 16:13
To: Timothy R. McKee
Cc: nanog@merit.edu
Subject: RE: Reality Check

On Wed, 14 Mar 2001, Timothy R. McKee wrote:

> > Bear in mind that in many cases, this is an illusion. They aren't accessing the same machine at all. Someone is using round robin DNS to map one name into several IP addresses, or a Local Director to map one IP address into many IP addresses, or there is some other such substitution being employed.
> >
> > In some cases the party serving the data is involved in the illusion. In others, as in transparent proxying, someone along the way is intervening. This is often silent and may have the consent of neither the user/client nor whoever is running the intended target.
>
> Yet in all cases, except where something is physically broken or out of synch, the initiating user and the terminating server expect that access to information or services via a documented public mnemonic URL will provide the same information (or a cached copy of it) to every user globally. If it doesn't WE are the ones that are held responsible by the users.

That may be true. Nevertheless, the existing system works. Whenever it fails to work, we fix it.

> > My point is that we are already in the world that you are warning us about. People are happily using one address space within their company and quite another to talk to the outside world, with NAT mediating between the two. Their internal DNS is also different from the DNS seen on the global Internet. And it all seems to be working exceedingly well, despite the fact the games people play with IP addresses and domain names are becoming very subtle indeed.
>
> But once again, when they access or publish a PUBLIC URL, they have expectations that it will work and it will work the same for everyone regardless of location or ISP affiliation. I don't consider internal network workings to be public in nature.

And that is of course true. But we still have a working system, one in which we, the network operators, ensure that our customers are content that the illusion with which we present them is correct.

Now consider the relative complexity of the systems involved. In one, there are at least tens of thousands of address fiddles in operation, cases in which the machine you think you are accessing is not the machine that you are really accessing. This goes on all the time. Moderately often there are glitches. When there are, we fix it or complain to someone who can. Generally speaking, problems get resolved fairly quickly.

In the other case, there are a couple of hundred mappings from domain names like .COM, .UK, .NET, .FR into the IP addresses of name servers authoritative for these names. Someone else pointed out that the information involved is around 60 KB in all. Please convince me that the world's ISPs are not capable of managing this simple task.

Spelling out the obvious: let's say that VBCnet started referring our customers to the wrong name server to resolve names in .COM. How many minutes would it be before the phones began ringing off the hook? I can assure you that we would fix it really fast, and take steps to make sure that we didn't screw up again.

--
Jim Dixon          VBCnet GB Ltd          http://www.vbc.net
tel +44 117 929 1316          fax +44 117 927 2015

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOq/kbBRIXzEQLahvEQI+6wCgiiEdWjITchTh0nM/5kb95ilYWwYAoIXg
ZgTwPi6yCAl500LYyhK8R8iK
=5MsO
-----END PGP SIGNATURE-----

On Wed, 14 Mar 2001, Timothy R. McKee wrote:
> Yes, we fix things when they break. We have done so for years. What I don't want to see happen is for us to allow a system to be put in place that CAN'T BE FIXED.

With all due respect, you are ignoring everything that I have said. We are already dealing with a system that is far more complex than the one that you are describing as unfixable -- and we are coping with it quite well.

> If several 'pirate' TLD providers all offer up the same TLD how do we fix conflicts? No matter which one we choose to put first in our search list we will end up being sued by the others... It's guaranteed. The only legally

I must be missing something. Various parties have been providing access to alternative roots of one kind or another for several years. Who is suing anybody? What would the grounds for the lawsuit be? And does this sudden shift in arguments mean that you are conceding my main point, that there are no serious technical difficulties involved?

> defensible mechanism is to not allow ANY patches - that is to say we enforce the only root zone authority that has any real recognized legal standing. I know if I started one of these companies I would start looking for legal targets immediately.... There's more potential money there than in the registration business itself.

I think that in the real world if several different registries offered the same top level domain and this resulted in any ambiguity, no one would use the top level domain. The market would sort out any ambiguity very very quickly.

> -----Original Message-----
> From: Jim Dixon [mailto:jdd@vbc.net]
> Sent: Wednesday, March 14, 2001 16:13
> To: Timothy R. McKee
> Cc: nanog@merit.edu
> Subject: RE: Reality Check
>
> On Wed, 14 Mar 2001, Timothy R. McKee wrote:
>
> > > Bear in mind that in many cases, this is an illusion. They aren't accessing the same machine at all. Someone is using round robin DNS to map one name into several IP addresses, or a Local Director to map one IP address into many IP addresses, or there is some other such substitution being employed.
> > >
> > > In some cases the party serving the data is involved in the illusion. In others, as in transparent proxying, someone along the way is intervening. This is often silent and may have the consent of neither the user/client nor whoever is running the intended target.
> >
> > Yet in all cases, except where something is physically broken or out of synch, the initiating user and the terminating server expect that access to information or services via a documented public mnemonic URL will provide the same information (or a cached copy of it) to every user globally. If it doesn't WE are the ones that are held responsible by the users.
>
> That may be true. Nevertheless, the existing system works. Whenever it fails to work, we fix it.
>
> > > My point is that we are already in the world that you are warning us about. People are happily using one address space within their company and quite another to talk to the outside world, with NAT mediating between the two. Their internal DNS is also different from the DNS seen on the global Internet. And it all seems to be working exceedingly well, despite the fact the games people play with IP addresses and domain names are becoming very subtle indeed.
> >
> > But once again, when they access or publish a PUBLIC URL, they have expectations that it will work and it will work the same for everyone regardless of location or ISP affiliation. I don't consider internal network workings to be public in nature.
>
> And that is of course true. But we still have a working system, one in which we, the network operators, ensure that our customers are content that the illusion with which we present them is correct.
>
> Now consider the relative complexity of the systems involved. In one, there are at least tens of thousands of address fiddles in operation, cases in which the machine you think you are accessing is not the machine that you are really accessing. This goes on all the time. Moderately often there are glitches. When there are, we fix it or complain to someone who can. Generally speaking, problems get resolved fairly quickly.
>
> In the other case, there are a couple of hundred mappings from domain names like .COM, .UK, .NET, .FR into the IP addresses of name servers authoritative for these names. Someone else pointed out that the information involved is around 60 KB in all. Please convince me that the world's ISPs are not capable of managing this simple task.
>
> Spelling out the obvious: let's say that VBCnet started referring our customers to the wrong name server to resolve names in .COM. How many minutes would it be before the phones began ringing off the hook? I can assure you that we would fix it really fast, and take steps to make sure that we didn't screw up again.
>
> --
> Jim Dixon          VBCnet GB Ltd          http://www.vbc.net
> tel +44 117 929 1316          fax +44 117 927 2015
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
>
> iQA/AwUBOq/kbBRIXzEQLahvEQI+6wCgiiEdWjITchTh0nM/5kb95ilYWwYAoIXg
> ZgTwPi6yCAl500LYyhK8R8iK
> =5MsO
> -----END PGP SIGNATURE-----

--
Jim Dixon          VBCnet GB Ltd          http://www.vbc.net
tel +44 117 929 1316          fax +44 117 927 2015

On Wed, Mar 14, 2001 at 10:53:04PM +0000, Jim Dixon had this to say:
> I think that in the real world if several different registries offered the same top level domain and this resulted in any ambiguity, no one would use the top level domain. The market would sort out any ambiguity very very quickly.

_I_ think you give the market much more credit than it deserves. But that's just based on my own limited experience. *shrug*

--
Scott Francis          scott@ [work:] v i r t u a l i s . c o m
Systems Analyst    darkuncle@ [home:] d a r k u n c l e . n e t
PGP fingerprint 7ABF E2E9 CD54 A1A8 804D 179A 8802 0FBA CB33 CCA7
    illum oportet crescere me autem minui

On Wed, Mar 14, 2001 at 09:13:17PM +0000, Jim Dixon had this to say:
> Spelling out the obvious: let's say that VBCnet started referring our customers to the wrong name server to resolve names in .COM. How many minutes would it be before the phones began ringing off the hook? I can assure you that we would fix it really fast, and take steps to make sure that we didn't screw up again.

problem arises when individuals or organizations _purposefully_ subvert nameserver resolution. This entire thread has not been about the possibility of 'accidental' collisions, but more about who has the right to be the One True foo.com - if there are two entities each claiming that right, who do you believe, and why? How do you define 'wrong' as quoted above when both destinations claim to be right, and only a court can settle their differences? If you arbitrarily choose, the entity you excluded, and probably some segment of your customers, will be very unhappy with you for 'censoring' or otherwise 'choosing' for them where 'foo.com' traffic will go, rather than allowing them to choose themselves.

The real problem here, the one that needs to be stopped before it can start, is the possibility of more than one correct answer to any given question "where does this domain point to?" No matter _who_ you ask, you should _always_ receive the same unique answer. The Internet in its current incarnation REQUIRES globally unique addressing. As soon as you have more than one Correct Answer, things begin to break, and lawyers come eagerly knocking.

--
Scott Francis          scott@ [work:] v i r t u a l i s . c o m
Systems Analyst    darkuncle@ [home:] d a r k u n c l e . n e t
PGP fingerprint 7ABF E2E9 CD54 A1A8 804D 179A 8802 0FBA CB33 CCA7
    illum oportet crescere me autem minui

On Wed, 14 Mar 2001, Scott Francis wrote:
> On Wed, Mar 14, 2001 at 09:13:17PM +0000, Jim Dixon had this to say:
>
> > Spelling out the obvious: let's say that VBCnet started referring our customers to the wrong name server to resolve names in .COM. How many minutes would it be before the phones began ringing off the hook? I can assure you that we would fix it really fast, and take steps to make sure that we didn't screw up again.
>
> problem arises when individuals or organizations _purposefully_ subvert nameserver resolution.

If you own your network and are free to direct packets where you would like them to go, whether it be to the DoC rootservers, the ORSC root servers, or to blackhole new.net servers, how is it possible to "subvert" nameserver resolution?

On Thu, Mar 15, 2001 at 01:10:31PM -0800, Patrick Greenwell had this to say:
> > > Spelling out the obvious: let's say that VBCnet started referring our customers to the wrong name server to resolve names in .COM. How many minutes would it be before the phones began ringing off the hook? I can assure you that we would fix it really fast, and take steps to make sure that we didn't screw up again.
> >
> > problem arises when individuals or organizations _purposefully_ subvert nameserver resolution.
>
> If you own your network and are free to direct packets where you would like them to go, whether it be to the DoC rootservers, the ORSC root servers, or to blackhole new.net servers, how is it possible to "subvert" nameserver resolution?

The same way people have learned to make sure that a search for "Anna Kournikova" (for instance) returns, say, 200 records that are sites/pages that have nothing whatever to do with Anna Kournikova, and a whole LOT to do with bringing in cash to the sites in question.

If there is money to be made (which there is), people will ALWAYS find a way to exploit inconsistencies in the system, unless it is NOT ALLOWED. See my reply to Jim Dixon - if a query for domain.xxx returns one site in one root zone, and another site in another zone, either site is likely to sue the alternate zone operator and/or the other site for infringement, improper business practice or whatever they can manage in order to get the hits going to the other site. Sad as it may be, there will always be a contingent of folks that look to their lawyer as a tool to steal things from others. If we allow a loophole, it _will_ be exploited.

Solution: do not allow inconsistencies in the root, and multiple roots will always allow for inconsistencies.

--
Scott Francis          scott@ [work:] v i r t u a l i s . c o m
Systems Analyst    darkuncle@ [home:] d a r k u n c l e . n e t
PGP fingerprint 7ABF E2E9 CD54 A1A8 804D 179A 8802 0FBA CB33 CCA7
    illum oportet crescere me autem minui

On Thu, Mar 15, 2001 at 03:07:30PM -0800, Scott Francis wrote:
> The same way people have learned to make sure that a search for "Anna Kournikova" (for instance) returns, say, 200 records that are sites/pages that have nothing whatever to do with Anna Kournikova, and a whole LOT to do with bringing in cash to the sites in question.

This is self-defeating in the end; if your search site doesn't work, people will stop using it. If they stop using it, the advertising dollars will stop rolling in. Thus, it's in the best interest of the owner of the search site to fix the problem. Hence why people are flocking to the latest best technology they can find, such as Google.

> If there is money to be made (which there is), people will ALWAYS find a way to exploit inconsistencies in the system, unless it is NOT ALLOWED. See my reply
Understand that anytime you choose to have the law prohibit something, you are eliminating choice at the point of a gun. You are telling people that if they choose to believe differently from you, you are willing to set into motion a chain of events that can only end in one of two ways: either they eventually give in at some point in the process, or they get shot. This is worth it if you're talking about prohibiting behavior that hurts people, but is it really worth it for disagreeing with you about business models?
participants (5)
-
Jim Dixon
-
Patrick Greenwell
-
Scott Francis
-
Shawn McMahon
-
Timothy R. McKee