misunderstanding scale (was: Ipv4 end, its fake.)
Millions of IPs don't matter in the face of X billions of people, and XX-XXX billions of devices - and this is just the near term estimate. (And don't forget utilization efficiency - Millions of IPs is not millions of customers served.) Do IPv6. /TJ On Mar 22, 2014 3:09 AM, "Bryan Socha" <bryan@digitalocean.com> wrote:
As someone growing in the end of ipv4, its all fake. Sure, the rirs
will
run out, but that's boring. Don't believe the fake auction sites. Fair price of IP at the end is $1 for bad Rep $2 for barely used, $3 for no spam and $4 for legacy. Stop the inflation. Millions of IPS exist, there is no shortage and don't lie for rirs with IPS left.
Fair point. There are some situations that do need more than most, but aren't they the ones that should be on ipv6 already??????? I know a few are shouldn't I be on ipv6 and that's fair too. I'm plqnnning some speaking engagements to cover that. Its not blind and ignoring. On Mar 22, 2014 4:36 AM, "TJ" <trejrco@gmail.com> wrote:
Millions of IPs don't matter in the face of X billions of people, and XX-XXX billions of devices - and this is just the near term estimate. (And don't forget utilization efficiency - Millions of IPs is not millions of customers served.)
Do IPv6. /TJ
On Mar 22, 2014 3:09 AM, "Bryan Socha" <bryan@digitalocean.com> wrote:
As someone growing in the end of ipv4, its all fake. Sure, the rirs
will
run out, but that's boring. Don't believe the fake auction sites. Fair price of IP at the end is $1 for bad Rep $2 for barely used, $3 for no spam and $4 for legacy. Stop the inflation. Millions of IPS exist, there is no shortage and don't lie for rirs with IPS left.
So two things here, Bryan... First, there may be those that do not require IPv6 due to size. So what is YOUR big plan to connect all those on IPv4 to the rest of the IPv6 world that has dropped IPv4 addresses. Second, as a DO customer, I am now beginning to understand the culture and ideology over IPv6 at DO. IPv6 has been asked about since at least 2012 with initial promises of 'Q3 2012 the 'Q4, now no one even wants to respond. With everyone else bringing native IPv6 on board, I see people starting to leave unless you change. Additional support on my feeling of DO and IPv6, is DO's stance of directly not even allowing IPv6 tunnels to HE, SiXXs, or any of the other providers by specifically teliing them not to allow connections from your IPv4 address space. Good luck on your IPv4 ride when none of your customers have anyone else to talk to. Robert Apologies to all other list members for the somewhat off topic rant. On 03/22/2014 05:25 AM, Bryan Socha wrote:
Fair point. There are some situations that do need more than most, but aren't they the ones that should be on ipv6 already???????
I know a few are shouldn't I be on ipv6 and that's fair too. I'm plqnnning some speaking engagements to cover that. Its not blind and ignoring. On Mar 22, 2014 4:36 AM, "TJ" <trejrco@gmail.com> wrote:
Millions of IPs don't matter in the face of X billions of people, and XX-XXX billions of devices - and this is just the near term estimate. (And don't forget utilization efficiency - Millions of IPs is not millions of customers served.)
Do IPv6. /TJ
On Mar 22, 2014 3:09 AM, "Bryan Socha" <bryan@digitalocean.com> wrote:
As someone growing in the end of ipv4, its all fake. Sure, the rirs will run out, but that's boring. Don't believe the fake auction sites. Fair price of IP at the end is $1 for bad Rep $2 for barely used, $3 for no spam and $4 for legacy. Stop the inflation. Millions of IPS exist, there is no shortage and don't lie for rirs with IPS left.
On 03/22/2014 08:47 AM, Robert Webb wrote:
First, there may be those that do not require IPv6 due to size.
It is a mistake to believe that the only reason to add IPv6 to your network is size. Adding IPv6 to your network _now_ is the right decision because at some point in the not-too-distant future it will be the dominant network technology, and you don't want to get left behind. Doug
On 22/03/2014 16:29, Doug Barton wrote:
It is a mistake to believe that the only reason to add IPv6 to your network is size. Adding IPv6 to your network _now_ is the right decision because at some point in the not-too-distant future it will be the dominant network technology, and you don't want to get left behind.
not wanting to rain on anyone's parade, but people have been claiming this since the days of IPng. Granted, we're a couple of years after IANA runout and two RIRs are also in post-runout phase, but the level of pain associated with continued deployment of ipv4-only services is still nowhere near the point that ipv6 can be considered a viable alternative. Nick
On Mar 22, 2014, at 10:16 AM, Nick Hilliard <nick@foobar.org> wrote:
On 22/03/2014 16:29, Doug Barton wrote:
It is a mistake to believe that the only reason to add IPv6 to your network is size. Adding IPv6 to your network _now_ is the right decision because at some point in the not-too-distant future it will be the dominant network technology, and you don't want to get left behind.
not wanting to rain on anyone's parade, but people have been claiming this since the days of IPng. Granted, we're a couple of years after IANA runout and two RIRs are also in post-runout phase, but the level of pain associated with continued deployment of ipv4-only services is still nowhere near the point that ipv6 can be considered a viable alternative.
Nick
We've always told everyone the pain would be starting in the runout phase. Not immediately like a wall, but gradually. Some people I know are already experiencing scarcity itches. One or two, some uncomfortable burning sensations. This will ramp up over time. ISPs around you will get their last blocks from ARIN or other RIRs as the last RIRs exhaust soon; then the ISP blocks will be gone. Timescales for each of these phases will be months. There will be M&A or open market recovery of currently unused space for a while longer. With consumers seeing the inevitable slowly increasing markups in price for the new resources. Then the serious global pain starts... It is true that a head in the sand was effective for 15 years. But you'd better pull it out now. Each of these phases is well understood *and we're here now*... -george william herbert george.herbert@gmail.com Sent from Kangphone
* Nick Hilliard
the level of pain associated with continued deployment of ipv4-only services is still nowhere near the point that ipv6 can be considered a viable alternative.
This depends on who you're asking; as a blanket statement it's demonstrably false: For the likes of T-Mobile USA¹ and Facebook², or even myself³, IPv6-only isn't just an «alternative». It's «happening». [1] http://www.dslreports.com/shownews/TMobile-Goes-IPv6-Only-on-Android-44-Devi... [2] https://www.dropbox.com/s/doazzo5ygu3idna/WorldIPv6Congress-IPv6_LH%20v2.pdf [3] http://www.ipspace.net/IPv6-Only_Data_Centers Tore
On 22/03/2014 18:50, Tore Anderson wrote:
* Nick Hilliard
the level of pain associated with continued deployment of ipv4-only services is still nowhere near the point that ipv6 can be considered a viable alternative.
This depends on who you're asking; as a blanket statement it's demonstrably false: For the likes of T-Mobile USA¹ and Facebook², or even myself³, IPv6-only isn't just an «alternative». It's «happening».
FB, T-mobile and you are all using ipv6->ipv4 protocol translators because ipv6-only services are not a viable alternative at the moment. The advantage that using ipv6 gives in these deployment scenarios is that it scales beyond the amount of address space available from rfc1918. As a side effect, it also makes native end-to-end ipv6 connectivity pleasant. Sadly, ipv4 address availability continues to be necessary at the same run rate as before, except in situations where CGN is a possibility. Nick
[1] http://www.dslreports.com/shownews/TMobile-Goes-IPv6-Only-on-Android-44-Devi... [2] https://www.dropbox.com/s/doazzo5ygu3idna/WorldIPv6Congress-IPv6_LH%20v2.pdf [3] http://www.ipspace.net/IPv6-Only_Data_Centers
Tore
On Sat, 22 Mar 2014, Nick Hilliard wrote:
FB, T-mobile and you are all using ipv6->ipv4 protocol translators because ipv6-only services are not a viable alternative at the moment.
Using IPv6 internally is different from being able to use IPv6 end-to-end. 6<->4 translators will be needed to reach the IPv4-only chunks of the Internet. I don't think anyone is disputing that. Traffic that can go IPv6 end-to-end can do so.
The advantage that using ipv6 gives in these deployment scenarios is that it scales beyond the amount of address space available from rfc1918. As a side effect, it also makes native end-to-end ipv6 connectivity pleasant.
Sadly, ipv4 address availability continues to be necessary at the same run rate as before, except in situations where CGN is a possibility.
I think the expectation is that the utilization of those translators will plateau at some point, and then tail off as end-users go dual-stack or v6 only. Large/highly visible chunks of the Internet pushing IPv6 adoption helps get people toward the long-term goal of turning down those translators. Eventually those remaining pockets of IPv4ness will have to sit behind 4<->6 translators to be able to speak with the rest of the Internet. CGN also comes with lots of downside that customers are likely to find unpleasant. For some operators, customer (dis)satisfaction might be the driver that ultimately forces them to deploy IPv6. jms
On 22/03/2014 19:35, Justin M. Streiner wrote:
CGN also comes with lots of downside that customers are likely to find unpleasant. For some operators, customer (dis)satisfaction might be the driver that ultimately forces them to deploy IPv6.
don't believe for a moment that v6 to v4 protocol translation is any less ugly than CGN. Nick
On Sat, 22 Mar 2014, Nick Hilliard wrote:
On 22/03/2014 19:35, Justin M. Streiner wrote:
CGN also comes with lots of downside that customers are likely to find unpleasant. For some operators, customer (dis)satisfaction might be the driver that ultimately forces them to deploy IPv6.
don't believe for a moment that v6 to v4 protocol translation is any less ugly than CGN.
True, but the ugliness of NAT64 and friends will decrease over time as more people go v6. The ugliness of IPv4 in general, and CGN/LSN will likely increase over time as people have to jump through more NAT hoops to reach an increasingly ugly/fragmented IPv4 Internet. jms
Le 22/03/2014 23:49, Nick Hilliard a écrit :
On 22/03/2014 19:35, Justin M. Streiner wrote:
CGN also comes with lots of downside that customers are likely to find unpleasant. For some operators, customer (dis)satisfaction might be the driver that ultimately forces them to deploy IPv6. don't believe for a moment that v6 to v4 protocol translation is any less ugly than CGN. Shared view. mh
Nick
On Sat, Mar 22, 2014 at 8:19 PM, Randy Bush <randy@psg.com> wrote:
don't believe for a moment that v6 to v4 protocol translation is any less ugly than CGN.
it can be stateless
You're smarter than that. -Bill -- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
* William Herrin
On Sat, Mar 22, 2014 at 8:19 PM, Randy Bush <randy@psg.com> wrote:
don't believe for a moment that v6 to v4 protocol translation is any less ugly than CGN.
it can be stateless
You're smarter than that.
https://tools.ietf.org/html/rfc6145 https://tools.ietf.org/html/draft-ietf-softwire-map-t-05 https://tools.ietf.org/html/draft-anderson-siit-dc-00 Tore
On Mon, Mar 24, 2014 at 2:56 PM, Tore Anderson <tore@fud.no> wrote:
* William Herrin
On Sat, Mar 22, 2014 at 8:19 PM, Randy Bush <randy@psg.com> wrote:
don't believe for a moment that v6 to v4 protocol translation is any less ugly than CGN.
it can be stateless
You're smarter than that.
https://tools.ietf.org/html/rfc6145 https://tools.ietf.org/html/draft-ietf-softwire-map-t-05 https://tools.ietf.org/html/draft-anderson-siit-dc-00
And all those IPv4 addresses for the 1:1 translation required by the stateless version are coming from where exactly? And then only for the v6 hosts you've configured in the v6 address range for which v4 translation is allowed (no SLAAC!). Like I told Randy: you're smarter than that. -Bill -- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
On Mon, Mar 24, 2014 at 6:46 PM, Randy Bush <randy@psg.com> wrote:
And all those IPv4 addresses for the 1:1 translation required by the stateless version are coming from where exactly?
maybe you should read the documents
I did. They were abstruse beyond even the normal level for RFCs but I made it through. You propose stateless NAT64 as an viable alternative to CGN. The question stands: where are you planning to get the extra IPv4 addresses for the static 1:1 mapping? -Bill -- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
On Mon, Mar 24, 2014 at 7:37 PM, Randy Bush <randy@psg.com> wrote:
You propose stateless NAT64 as an viable alternative to CGN.
where do i do that?
Nick Hilliard: "don't believe for a moment that v6 to v4 protocol translation is any less ugly than CGN." Your reply (verbosity added for clarity): "[Sure it is! Unlike where folks solve their problem with CGN, v6 to v4 protocol translation] can be stateless."
The question stands: where are you planning to get the extra IPv4 addresses for the static 1:1 mapping?
maybe look at the +P in A+P
Nah, I'm done following bread crumbs for the day. Explain yourself or don't. Regards, Bill Herrin -- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
You propose stateless NAT64 as an viable alternative to CGN. ^^^ where do i do that? Nick Hilliard
ahh. i see your error. i am not nick hilliard. he's the cute one.
Your reply (verbosity added for clarity): "[Sure it is! Unlike where folks solve their problem with CGN, v6 to v4 protocol translation] can be stateless."
again, you put words in my mouth which were not there. i did not say v6 to v4 translation.
Nah, I'm done following bread crumbs for the day.
cool. then we can all go back to reality and whet people actually said. bye randy
FYI He tells everyone they¹re cute. Don¹t buy his tricks, he doesn¹t call back the next morning. ;) Ps. Take it easy on each other. It¹s the beginning of spring.. Head outside.. Go have a beer.. Smoke a joint.. What I am getting at is.. It¹s possible you guys should relax and realize that in the grand scheme of things a lot of this really doesn¹t matter. Go be humans beings in the world, the internet and this flame thread will still be here as it has been for generations (internet generations, anyways..) Just my .02 WOOOOOSAHHHHHHHHHHHHHHHH On 3/24/14, 4:53 PM, "Randy Bush" <randy@psg.com> wrote:
You propose stateless NAT64 as an viable alternative to CGN. ^^^ where do i do that? Nick Hilliard
ahh. i see your error. i am not nick hilliard. he's the cute one.
Your reply (verbosity added for clarity): "[Sure it is! Unlike where folks solve their problem with CGN, v6 to v4 protocol translation] can be stateless."
again, you put words in my mouth which were not there. i did not say v6 to v4 translation.
Nah, I'm done following bread crumbs for the day.
cool. then we can all go back to reality and whet people actually said.
bye
randy
On Mon, Mar 24, 2014 at 8:05 PM, Warren Bailey <wbailey@satelliteintelligencegroup.com> wrote:
FYI He tells everyone they¹re cute. Don¹t buy his tricks, he doesn¹t call back the next morning.
Ps. Take it easy on each other. It¹s the beginning of spring.. Head outside..
Spring!? Snow is in tonight's forecast here in Virginia. Ah well. Ultima Online beckons. It's always spring in Sosaria. Regards, Bill Herrin -- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
On Mar 22, 2014, at 3:49 PM, Nick Hilliard <nick@foobar.org> wrote:
On 22/03/2014 19:35, Justin M. Streiner wrote:
CGN also comes with lots of downside that customers are likely to find unpleasant. For some operators, customer (dis)satisfaction might be the driver that ultimately forces them to deploy IPv6.
don't believe for a moment that v6 to v4 protocol translation is any less ugly than CGN.
Nick
Well, IMHO, it’s slightly less ugly. CGN will usually be a second layer of NAT imposed on an already NAT’d connection. At least with NAT64, you’re usually dealing with a single layer of translation. Owen
On 03/22/2014 10:16 AM, Nick Hilliard wrote:
On 22/03/2014 16:29, Doug Barton wrote:
It is a mistake to believe that the only reason to add IPv6 to your network is size. Adding IPv6 to your network _now_ is the right decision because at some point in the not-too-distant future it will be the dominant network technology, and you don't want to get left behind.
not wanting to rain on anyone's parade, but people have been claiming this since the days of IPng.
Hyperbole of the past doesn't negate the reality of the future. :) The IPng folks did a lot of good things, and they made a lot of mistakes. For me personally the "not-to-distant future" part of the above paragraph is new, I have not (until recently) said to people that you'll need IPv6 *soon*, but I have consistently said to people that "You will need IPv6 eventually, so the sooner you start planning for it and moving forward the better off you'll be."
Granted, we're a couple of years after IANA runout and two RIRs are also in post-runout phase,
Another way to say that would be, "Things have been progressing exactly as predicted starting around say, 2005 or so." That's when I first got really enthusiastic about the IPv4 scarcity/promote IPv6 issues. Things have been playing out basically the way that they were predicted to when Tony Hain came to me (when I was IANA manager) with the first draft of his IPv4 runout projections.
but the level of pain associated with continued deployment of ipv4-only services is still nowhere near the point that ipv6 can be considered a viable alternative.
With respect I think you're ignoring some pretty important facts. Not the least of which is the level of pressure that's been taken off of IPv4 runout by the large providers (referenced elsewhere in the thread) who have already moved to IPv6. I think you're also ignoring the fact that at this point unless you can afford to buy substantial address space on the darkish-grey market it's basically impossible to launch a new Internet enterprise of any real scale on IPv4. More importantly I'm confused/dismayed by your language, "still nowhere near the point that ipv6 can be considered a viable alternative." Even though the major content networks already have well-established IPv6 networks, referring to IPv6 as "an alternative" is thinking about the problem in the wrong way. As we all know, phases of technology adoption generally follow this model: All IPv4 Some IPv6, mostly IPv4 Roughly half and half Mostly IPv6, some IPv4 All IPv6 We're still in phase 2 now, but the other phases ARE coming. IPv4 addresses are a finite resource, and as the years go on there will simply not be enough to go around. (Arguably we've already passed that point, but things like CGN are going to let us slide along for a little longer.) So at this point IPv6 is not "an alternative," it's a complement to IPv4. "Doing" IPv6 now means that you'll be ready far in advance of the point when you no longer have a choice. Doug
On 23/03/2014 03:00, Doug Barton wrote:
Hyperbole of the past doesn't negate the reality of the future. :)
the past and present hyperbole continues to grate.
With respect I think you're ignoring some pretty important facts. Not the least of which is the level of pressure that's been taken off of IPv4 runout by the large providers (referenced elsewhere in the thread) who have already moved to IPv6.
it depends where you are in the world. Growing markets in China seem to have spurred on a good deal of development in terms of ipv6-only access, although getting hard data on this is difficult. We've seen a lot less of this in the ripe service region because the access markets peaked several years ago in many (but not all) countries.
I think you're also ignoring the fact that at this point unless you can afford to buy substantial address space on the darkish-grey market it's basically impossible to launch a new Internet enterprise of any real scale on IPv4.
yep, it is now very difficult for new market entrants in growing access markets. Africa in particular will be especially hosed from the point of view of ipv4 address availability in the long term, given its overall assignment of 6x /8s.
More importantly I'm confused/dismayed by your language, "still nowhere near the point that ipv6 can be considered a viable alternative." Even though the major content networks already have well-established IPv6 networks
A small number of the major content networks have done the internet proud by proving that enabling ipv6 does not substantially break things. But they are low hanging fruit and ultimately only a handful of companies; none of them has plans to disable ipv4 any time soon.
So at this point IPv6 is not "an alternative," it's a complement to IPv4. "Doing" IPv6 now means that you'll be ready far in advance of the point when you no longer have a choice.
yep, agreed - doing ipv6 now is a sensible business proposition. But it needs to be tempered with the realisation that for nearly all networks, ipv6 is complementary to ipv4 and not a replacement; nor will it become a replacement until the time that people feel that adding A records to their hostnames is unnecessary. Nick
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 3/23/2014 9:13 AM, Nick Hilliard wrote:
yep, agreed - doing ipv6 now is a sensible business proposition. But it needs to be tempered with the realisation that for nearly all networks, ipv6 is complementary to ipv4 and not a replacement; nor will it become a replacement until the time that people feel that adding A records to their hostnames is unnecessary.
Absolutely concur -- it's a really hard sell to enterprises in the U.S. for any compelling reason, at least right now, why they should take great pains (ad it would be *great* pain) to move to IPv6 while their IPv4 networks work just fine. Also, IPv6 introduces some serious security concerns, and until they are properly addressed, they will be a serious barrier to even considering it. $.02, - - ferg - -- Paul Ferguson VP Threat Intelligence, IID PGP Public Key ID: 0x54DC85B2 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (MingW32) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iF4EAREIAAYFAlMvCwEACgkQKJasdVTchbJUkwD/eWydkUd7DE7XD9V5ETTENzsa fjuzzOR5l+t/0wE0EPYBANVVCYSBoFA7XeD5twSGDZcO+nvCK6BDwlRju9W+5iH5 =FBBN -----END PGP SIGNATURE-----
On Mar 23, 2014 11:27 AM, "Paul Ferguson" <fergdawgster@mykolab.com> wrote:
Also, IPv6 introduces some serious security concerns, and until they are properly addressed, they will be a serious barrier to even considering it.
And that is pure FUD. The sorts of security risks with IPv6 are mostly in the same sorts of categories as those with IPv4 and have appropriate mitigations available. Moreover, by not enabling and controlling IPv6 on their networks, an operator is actually markedly more vulnerable to IPv6 attacks, not less. Scott
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 3/23/2014 2:27 PM, Timothy Morizot wrote:
On Mar 23, 2014 11:27 AM, "Paul Ferguson" <fergdawgster@mykolab.com <mailto:fergdawgster@mykolab.com>> wrote:
Also, IPv6 introduces some serious security concerns, and until they are properly addressed, they will be a serious barrier to even considering it.
And that is pure FUD. The sorts of security risks with IPv6 are mostly in the same sorts of categories as those with IPv4 and have appropriate mitigations available. Moreover, by not enabling and controlling IPv6 on their networks, an operator is actually markedly more vulnerable to IPv6 attacks, not less.
Only if end-points are unaware of dual-stack capabilities. Also, neighbor discovery, for example, can be dangerous (admittedly, so can ARP spoofing in IPv4). And aside from the spoofable ability of ND, robust DHCPv6 is needed for enterprises for sheer operational continuity. And that's only a "half" example. I haven't even mentioned spam management in v6, which will become a nightmare if people have been relying on IP BL's or similar. - - ferg - -- Paul Ferguson VP Threat Intelligence, IID PGP Public Key ID: 0x54DC85B2 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (MingW32) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iF4EAREIAAYFAlMvVfcACgkQKJasdVTchbLv0AEAhd/IkA19ssgDW/R+YDWe6YTQ YRnWIWwiNM+79NuF1EcBAKuMyULkR2hUXdVO7B/IprgpJxrHtzU0mYdTqJJLgnV1 =1iFc -----END PGP SIGNATURE-----
On Mar 23, 2014 4:45 PM, "Paul Ferguson" <fergdawgster@mykolab.com> wrote:
Also, neighbor discovery, for example, can be dangerous (admittedly, so can ARP spoofing in IPv4). And aside from the spoofable ability of ND, robust DHCPv6 is needed for enterprises for sheer operational continuity.
Yes. As I said, same general sorts of risks for the most part as in IPv4. Details differ, but same general types. My point was that it's mostly FUD to wave the flag of scary new security weaknesses with no mitigations in IPv6. It's the same general sort of first hop and link security issues that exist in IPv4 with similar mitigations. Not identical, but not radically different or new either. And yes, I can't imagine any reason a large enterprise would use SLAAC instead of DHCPv6. We're certainly using the latter. But we have robust DHCPv6 available, so I don't understand why you think that's a weakness.
I haven't even mentioned spam management in v6, which will become a nightmare if people have been relying on IP BL's or similar.
Uh-huh. We've had our Internet mail gateways dual-stacked for a year and a half now. There have certainly been bumps and challenges along the way. I wouldn't want to imply it's been a cakewalk. But it hasn't been some sort of insurmountable challenge. And my organization is extremely security conscious and highly visible. You'll pardon my skepticism over claims that unspecified security weaknesses make it impossible to do what we have done and are continuing to do. Scott
On Mar 24, 2014, at 6:37 AM, Timothy Morizot <tmorizot@gmail.com> wrote:
You'll pardon my skepticism over claims that unspecified security weaknesses make it impossible to do what we have done and are continuing to do.
All this unfilterable ICMP makes for interesting times - I've already run across ND storms caused remotely (deliberately, IMHO). Insane policies such as /64s for p2p link addresses don't help, either. And the consonance of the English letters 'B', 'C', 'D', & 'E' when spoken aloud is quite likely to prove a major security issue, IMHO. Time for folks to adopt the phonetic alphabet, if they absolutely must communicate verbally. IPv6 has all the security issues associated with IPv4, plus a few new ones which are unique to IPv6. Denying the latter doesn't make them go away. ----------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com> Luck is the residue of opportunity and design. -- John Milton
On Monday, March 24, 2014 01:37:52 AM Timothy Morizot wrote:
Yes. As I said, same general sorts of risks for the most part as in IPv4. Details differ, but same general types. My point was that it's mostly FUD to wave the flag of scary new security weaknesses with no mitigations in IPv6. It's the same general sort of first hop and link security issues that exist in IPv4 with similar mitigations. Not identical, but not radically different or new either.
While the mitigations may not exist yet (like proper firewalls in CPE to protect GUA'ed devices in the home), it still a good idea to bring the risks to light so folk can think about how to get them fixed. Mark.
On Mon, Mar 24, 2014 at 1:51 AM, Mark Tinka <mark.tinka@seacom.mu> wrote:
On Monday, March 24, 2014 01:37:52 AM Timothy Morizot wrote:
Yes. As I said, same general sorts of risks for the most part as in IPv4. Details differ, but same general types. My point was that it's mostly FUD to wave the flag of scary new security weaknesses with no mitigations in IPv6. It's the same general sort of first hop and link security issues that exist in IPv4 with similar mitigations. Not identical, but not radically different or new either.
While the mitigations may not exist yet (like proper firewalls in CPE to protect GUA'ed devices in the home), it still a good idea to bring the risks to light so folk can think about how to get them fixed.
While I don't really disagree with that statement, I'm not entirely sure what CPE firewalls and home devices have to do with enterprise deployments, the topic I was discussing. We've been actively working this for the past three years now and have yet to encounter an IPv6 specific enterprise risk for which no appropriate mitigation exists. That's why I called out the assertion that security weaknesses in IPv6 were *preventing* enterprise deployments as FUD. And until someone specifically names some major unmitigated IPv6-only security weakness blocking enterprise deployment instead of vague hand-waving or lists of security risks (as opposed to weaknesses) with well-defined mitigations, I'll stand by that statement. Scott
On Monday, March 24, 2014 02:42:07 PM Timothy Morizot wrote:
While I don't really disagree with that statement, I'm not entirely sure what CPE firewalls and home devices have to do with enterprise deployments, the topic I was discussing. We've been actively working this for the past three years now and have yet to encounter an IPv6 specific enterprise risk for which no appropriate mitigation exists. That's why I called out the assertion that security weaknesses in IPv6 were *preventing* enterprise deployments as FUD. And until someone specifically names some major unmitigated IPv6-only security weakness blocking enterprise deployment instead of vague hand-waving or lists of security risks (as opposed to weaknesses) with well-defined mitigations, I'll stand by that statement.
Agree - the security issues for deploying IPv6 in the enterprise are not that dissimilar from the concerns in the home in as far as assigning GUA's to enterprise printers, staff laptops, surveillance cameras, e.t.c., is concerned. This is not necessarily an issue of IPv6. It's more of an issue having a direct connetion to the Internet without NAT (a.k.a security by obscurity, false sense of security, e.t.c.), and what that means for the host's security. Mark.
On Mar 23, 2014, at 2:45 PM, Paul Ferguson <fergdawgster@mykolab.com> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
On 3/23/2014 2:27 PM, Timothy Morizot wrote:
On Mar 23, 2014 11:27 AM, "Paul Ferguson" <fergdawgster@mykolab.com <mailto:fergdawgster@mykolab.com>> wrote:
Also, IPv6 introduces some serious security concerns, and until they are properly addressed, they will be a serious barrier to even considering it.
And that is pure FUD. The sorts of security risks with IPv6 are mostly in the same sorts of categories as those with IPv4 and have appropriate mitigations available. Moreover, by not enabling and controlling IPv6 on their networks, an operator is actually markedly more vulnerable to IPv6 attacks, not less.
Only if end-points are unaware of dual-stack capabilities.
Also, neighbor discovery, for example, can be dangerous (admittedly, so can ARP spoofing in IPv4). And aside from the spoofable ability of ND, robust DHCPv6 is needed for enterprises for sheer operational continuity.
DHCPv6 is no less robust in my experience than DHCPv4. ARP and ND have mostly equivalent issues.
And that's only a "half" example.
I haven't even mentioned spam management in v6, which will become a nightmare if people have been relying on IP BL's or similar.
IP reputation didn’t really scale to IPv4 and was only practical because we were willing to toss out vast swaths of hosts just because they were unfortunately behind the same NATed address as some host that did something wrong some time. So far, it’s proven to be the worst possible solution to SPAM except for all the others. Nonetheless, yes, we’re going to have to come up with a better way in IPv6. OTOH, we will also have better end-to-end accountability in IPv6, so that might actually help make new solutions more feasible. Owen
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 It is unsettling to see such dismissive attitudes. I'll leave it as an exercise for the remainder of... everywhere to figure out why there is resistance to v6 migration, and it isn't "just because" people can't be bothered. Your customers are your compasses. And as Randy Bush always like to say (paraphrased), "I encourage my competitors to dismiss customer concerns over IPv6 migration." Cheers, - - ferg On 3/24/2014 6:18 PM, Owen DeLong wrote:
On Mar 23, 2014, at 2:45 PM, Paul Ferguson <fergdawgster@mykolab.com> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
On 3/23/2014 2:27 PM, Timothy Morizot wrote:
On Mar 23, 2014 11:27 AM, "Paul Ferguson" <fergdawgster@mykolab.com <mailto:fergdawgster@mykolab.com>> wrote:
Also, IPv6 introduces some serious security concerns, and until they are properly addressed, they will be a serious barrier to even considering it.
And that is pure FUD. The sorts of security risks with IPv6 are mostly in the same sorts of categories as those with IPv4 and have appropriate mitigations available. Moreover, by not enabling and controlling IPv6 on their networks, an operator is actually markedly more vulnerable to IPv6 attacks, not less.
Only if end-points are unaware of dual-stack capabilities.
Also, neighbor discovery, for example, can be dangerous (admittedly, so can ARP spoofing in IPv4). And aside from the spoofable ability of ND, robust DHCPv6 is needed for enterprises for sheer operational continuity.
DHCPv6 is no less robust in my experience than DHCPv4.
ARP and ND have mostly equivalent issues.
And that's only a "half" example.
I haven't even mentioned spam management in v6, which will become a nightmare if people have been relying on IP BL's or similar.
IP reputation didn’t really scale to IPv4 and was only practical because we were willing to toss out vast swaths of hosts just because they were unfortunately behind the same NATed address as some host that did something wrong some time.
So far, it’s proven to be the worst possible solution to SPAM except for all the others. Nonetheless, yes, we’re going to have to come up with a better way in IPv6.
OTOH, we will also have better end-to-end accountability in IPv6, so that might actually help make new solutions more feasible.
Owen
- -- Paul Ferguson VP Threat Intelligence, IID PGP Public Key ID: 0x54DC85B2 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (MingW32) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iF4EAREIAAYFAlMw3kQACgkQKJasdVTchbLrmwEAkjajKru+lEgOO1U1i5c/AEQR /r8+H3dzeI+IyAKQAu8A/i0HEds8D3iyFnwKzLrUBwqP+Avt51BMW0+f67E4xmsX =vlZZ -----END PGP SIGNATURE-----
I can easily answer that one as a holder of v4 space at a commercial entity. The end user does not feel any compelling reason to move to ipv6 if they have enough v4 space. I can't give my employer a solid business case of why they need to make the IPv6 transition. They already hold enough v4 space and are putting more and more servers behind virtual IPs on boxes like the F5 so they are actually gaining on the v4 space issue. They see no economic reason to add an additional layer of complexity to their network where it is already pretty expensive to find savvy staff. Having to find v6 savvy staff is even more challenging. Even if the network guys are up to speed on v6 (admittedly a lot of the junior guys are not) the server and storage guys have a hard time wrapping their minds completely around ipv4. As soon as they see an economic reason to move toward a v6 deployment I am sure they will do so. The major cost is time not money. The engineering staff has quite enough to keep them busy without looking for projects with no ROI for the near future. As soon as ipv6 users cannot reach ipv4 sites, they will need an ipv6 presence. It is very much a chicken and egg problem. Ipv6 users need to reach ipv4 sites and the fact that they can makes it unnecessary for the ipv4 sites move to ipv6. Most commercial entities that are not in the gaming and multimedia do not feel any performance hit on v4 to v6 so there is no current pain point for the current ipv4 holders unless they are experiencing the need for more address space. The commercial users that have been around a long time typically have pretty large allocations (/24 or better) and the majority of them do not need that many public facing addresses. The thing that will push them toward a v6 infrastructure is having most of their customers on ipv6 and their being some performance penalty that they see for being ipv4 only. We are doing some lab testing on v6 and trying to get more experience for the junior guys but there are lots of legacy stuff and lots of old code that is not v6 aware. That stuff is slowly going away but there is no real push for that to happen. Running the v6 infrastructure in parallel with the v4 infrastructure does not gain anyone very much, unfortunately they will have to run in parallel for quite some time. Another issue is having all of their global MPLS carriers and Internet service providers supplying dual stack capability on those circuits. There is just not enough v6 traffic to make the case for dedicated access circuits supporting just ipv6. Steven Naslund Chicago IL
It is unsettling to see such dismissive attitudes.
I'll leave it as an exercise for the remainder of... everywhere to figure out why there is resistance to v6 migration, and it isn't "just because" people can't be bothered.
Your customers are your compasses. And as Randy Bush always like to say (paraphrased), "I encourage my competitors to dismiss customer concerns over IPv6 migration."
On 3/24/14 10:17 PM, "Naslund, Steve" <SNaslund@medline.com> wrote:
I can easily answer that one as a holder of v4 space at a commercial entity. The end user does not feel any compelling reason to move to ipv6 if they have enough v4 space.
I can't give my employer a solid business case of why they need to make the IPv6 transition.
You may not need to yet. But it would be a good idea to know how long it would take you to deploy IPv6. Then think about when IPv6 will be cheaper than IPv4. (See the poll from NANOG60 for what others think about this: http://www.wleecoyote.com/blog/lightningpoll.htm Hint: 2017-2018) It might be a good idea to finish in time to save money. Oh, and if the enterprise cares about latency, IPv6 is better. (NANOG60: https://www.nanog.org/meetings/abstract?id=2281)
They already hold enough v4 space and are putting more and more servers behind virtual IPs on boxes like the F5 so they are actually gaining on the v4 space issue. They see no economic reason to add an additional layer of complexity to their network where it is already pretty expensive to find savvy staff. Having to find v6 savvy staff is even more challenging. Even if the network guys are up to speed on v6 (admittedly a lot of the junior guys are not) the server and storage guys have a hard time wrapping their minds completely around ipv4.
I bet your staff isn't savvy on lots of things they have to do. I don't know why IPv6 scares people so much. Story: "So, will you be providing training on IS-IS?" "You'll get exactly the same training you got on OSPF when you started." ". . ." Lee
I'll leave it as an exercise for the remainder of... everywhere to figure out why there is resistance to v6 migration, and it isn't "just because" people can't be bothered. I'm sure there are numerous enterprises in the same shape I am in, with significant equipment investment in non-quite-ipv6-ready gear, and insufficient technology refresh capex monies to get ipv6-ready capacity-equivalent replacements. Cisco 6500/7600 even with Sup720 has issues, and I know of a number of networks still running Sup2 on 6500/7600 or even older (including some gear in my own network, where I still have old gear, older even than I'm willing to admit publicly, serving in core roles; I just decommissioned a failing Extreme Summit 1i
On 03/24/2014 09:39 PM, Paul Ferguson wrote: this past Saturday, and still have two more in core roles, doing Layer 3 IPv4 in one case). I know I'm not alone. While much of this gear may be fully depreciated, the cost of the forklift upgrade is major, and the gear is not the biggest part of the cost. Repairs are not anywhere near as draining on the capex budget as complete chassis upgrades are, and so we keep old gear running because it's what we can afford to do. So capex is a big part of it; but then there's training costs and the opex of dealing with a new-to-us technology. Just my very-late-to-the-party opinion, and not likely to change anything at all, but in hindsight it seems we might have been better off with ipv4.1 instead of ipv6, which, IMO, just simply bit off too much in one bite. Much like how the Fountainhead project at DG got eclipsed by the much less ambitious Eagle, and never really went anywhere due to its pie-in-the-sky goals, when all the customers really wanted was a 32-bit Eclipse, which Eagle provided. (Tracy Kidder, "The Soul of a New Machine" which should be on every tech's must-read list). Yeah, I know, too late to matter, as ipv6 is here and here to stay. But the transition could have been smoother and less traumatic to equipment vendors' customers. At least that's my opinion and experience, your mileage may vary.
On 03/24/2014 06:18 PM, Owen DeLong wrote:
DHCPv6 is no less robust in my experience than DHCPv4.
ARP and ND have mostly equivalent issues.
This depends a lot on what you mean by 'robust' Now, I have dealt with NAT, and I see IPv6 as a technology with the potential to make my life less unpleasant. I really want IPv6 to succeed. However, DHCPv6 isn't anywhere near as useful for me, as someone who normally deals with IPs that don't change, as DHCPv4 is. With DHCPv4, my customers all get an address based on their mac that doesn't change if their box is re-installed. I configure this on the DHCP server, and the customer can run whatever dhcp client they like on whatever OS they like and they get the same IP every time. With DHCPv6 there is a time-based identifier that is added to the mac that makes it impossible, as far as I can tell, to give the customer a consistent IP across OS wipes without doing significant client configuration. There are many ways to skin this cat; stateless autoconfig looks like it mostly works, but privacy extensions seem to be the default in many places; outgoing IPv6 from those random addresses will trip my BCP38 filters. That, and reading the standard, it sure doesn't sound like consistency was a goal, even though it seems fairly consistent experimentally. there's a lot of "generally" and "may" in the text about what it adds to the mac in order to get the local identifier. It might make sense to just give everyone their own vlan and their own /64; that would, of course, bring its own problems and complexities (namely that I've gotta have the capability to deal with more customers than I can have native vlans - not impossible to get around, but significant added complexity.) I suppose I can also just keep DHCPv4 around, and if folks want IPv6, well, they have to wire down the address themselves. That's how I'm doing it now.
On 3/26/2014 12:55 PM, Luke S. Crawford wrote:
However, DHCPv6 isn't anywhere near as useful for me, as someone who normally deals with IPs that don't change, as DHCPv4 is.
My favorite is the RA thing. Years ago I decided that stupid DSLAMs were better than smart ones, so I generally utilize 1 vlan per customer with q-in-q and let the router handle all security. This meant I didn't have the usual breakage smart DSLAMs had with IPv6. Ideally, the router would run passive and not send regular RA updates. However, that isn't always viable with all clients. Sending out regular announcements and replicating them to all the vlans is extremely inefficient. Jack
On Wed, 26 Mar 2014, Luke S. Crawford wrote:
On 03/24/2014 06:18 PM, Owen DeLong wrote:
DHCPv6 is no less robust in my experience than DHCPv4.
ARP and ND have mostly equivalent issues.
This depends a lot on what you mean by 'robust'
Now, I have dealt with NAT, and I see IPv6 as a technology with the potential to make my life less unpleasant. I really want IPv6 to succeed.
However, DHCPv6 isn't anywhere near as useful for me, as someone who normally deals with IPs that don't change, as DHCPv4 is.
With DHCPv4, my customers all get an address based on their mac that doesn't change if their box is re-installed. I configure this on the DHCP server, and the customer can run whatever dhcp client they like on whatever OS they like and they get the same IP every time.
With DHCPv6 there is a time-based identifier that is added to the mac that makes it impossible, as far as I can tell, to give the customer a consistent IP across OS wipes without doing significant client configuration.
This is stupidity of the DHCPv6 client/OS implementation. They should use DUID type 3 (DUID-LL) by default, not DUID type 1 (DUID-LLT). This can be circumvented by setting the default to type 3, but... Regards, Janos Mohacsi
On Wed, Mar 26, 2014 at 10:55:03AM -0700, Luke S. Crawford wrote:
There are many ways to skin this cat; stateless autoconfig looks like it mostly works, but privacy extensions seem to be the default in many places; outgoing IPv6 from those random addresses will trip my BCP38 filters.
Your what-now? You do realise SLAAC works entirely within a single /64, which shouldn't be difficult to decide is either routable or not in one hit, right? - Matt -- Q: Why do Marxists only drink herbal tea? A: Because proper tea is theft. -- Chris Suslowicz, in the Monastery
On 03/26/2014 03:49 PM, Matt Palmer wrote:
On Wed, Mar 26, 2014 at 10:55:03AM -0700, Luke S. Crawford wrote:
There are many ways to skin this cat; stateless autoconfig looks like it mostly works, but privacy extensions seem to be the default in many places; outgoing IPv6 from those random addresses will trip my BCP38 filters.
Your what-now? You do realise SLAAC works entirely within a single /64, which shouldn't be difficult to decide is either routable or not in one hit, right?
If you give every customer their own vlan and /64, sure. That can be done, and there are many advantages to doing it that way. But it's quite a bit more complex than my current setup. The way I'm setup now, I've got an IPv4 address block on a vlan, and an IPv6/64 on the same vlan. I have many customers on that vlan. Each customer has one (or more) IPv4 /32 addresses and one IPv6 /128 addresses. (if the customer wants more IPv6, we just route a /64 to the /128 they are allowed.) There are firewall rules that only allow appropriate packets in and out of the interface. These rules are important for privacy as well as preventing spoofing; they prevent sniffing of most traffic bound for other guests. This is in production on many of my hosts, and because I give every user both an IPv4 and an IPv6 address, this mostly works. My setup scripts wire down both the v4 and v6 addresses before I hand it off to the user; if the user wants re-install, well, they can wire down the IPv6 address by hand if they want it, and IPv4 works regardless. It is valid to say that I'm trying to use IPv6 the way I use IPv4, and perhaps that is the wrong thing to do. Perhaps IPv6 needs to be thought of in a different way from IPv4; Perhaps in IPv6, a /64 should be the smallest block I give to a user, and the smallest block I filter on, and I just need to eat the network complexity costs inherent to giving each user a vlan. My original comment and complaint, though, was in response to the assertion that DHCPv6 is as robust as DHCPv4. My point is that DHCPv6 does not fill the role that DHCPv4 fills, if you care about tying an IP to a MAC and you want that connection to persist across OS installs by customers.
On Mar 26, 2014 6:27 PM, "Luke S. Crawford" <lsc@prgmr.com> wrote:
My original comment and complaint, though, was in response to the assertion that DHCPv6 is as robust as DHCPv4. My point is that DHCPv6 does not fill the role that DHCPv4 fills, if you care about tying an IP to a MAC and you want that connection to persist across OS installs by customers.
You're right. DHCPv6 is more robust than DHCPv4. At least those of us in the enterprise space appreciate a client identifier that doesn't change when the hardware changes. And v6 doesn't work the same as v4 so you will expend more effort trying to force it to fit a v4 model. Scott
On Wed, Mar 26, 2014 at 06:52:53PM -0500, Timothy Morizot wrote:
On Mar 26, 2014 6:27 PM, "Luke S. Crawford" <lsc@prgmr.com> wrote:
My original comment and complaint, though, was in response to the assertion that DHCPv6 is as robust as DHCPv4. My point is that DHCPv6 does not fill the role that DHCPv4 fills, if you care about tying an IP to a MAC and you want that connection to persist across OS installs by customers.
You're right. DHCPv6 is more robust than DHCPv4. At least those of us in the enterprise space appreciate a client identifier that doesn't change when the hardware changes.
No, it is LESS robust, because the client identifier changes when the SOFTWARE changes. Around here, software changes MUCH more often than hardware. Heck, even a dual-boot scenario breaks the client identifier stability. Worse yet, DHCPv6 has created a scenario where a client's IPv4 connectivity and IPv6 connectivity break under /different/ scenarios, causing difficult-to-troubleshoot half-connectivity issues when either the hardware is replaced or the software is reloaded.
On Mar 26, 2014, at 5:50 PM, Chuck Anderson <cra@WPI.EDU> wrote:
On Wed, Mar 26, 2014 at 06:52:53PM -0500, Timothy Morizot wrote:
On Mar 26, 2014 6:27 PM, "Luke S. Crawford" <lsc@prgmr.com> wrote:
My original comment and complaint, though, was in response to the assertion that DHCPv6 is as robust as DHCPv4. My point is that DHCPv6 does not fill the role that DHCPv4 fills, if you care about tying an IP to a MAC and you want that connection to persist across OS installs by customers.
You're right. DHCPv6 is more robust than DHCPv4. At least those of us in the enterprise space appreciate a client identifier that doesn't change when the hardware changes.
No, it is LESS robust, because the client identifier changes when the SOFTWARE changes. Around here, software changes MUCH more often than hardware. Heck, even a dual-boot scenario breaks the client identifier stability. Worse yet, DHCPv6 has created a scenario where a client's IPv4 connectivity and IPv6 connectivity break under /different/ scenarios, causing difficult-to-troubleshoot half-connectivity issues when either the hardware is replaced or the software is reloaded.
Any client whose DUID changes on software re-install has a very poor choice of default DUID and should be configurable for a better choice of DUID. That is not DHCPv6’s fault. DHCPv6 is perfectly capable of behaving as you wish. Blaming the protocol for poor implementation choices by your (or your client’s) vendors is a little odd in my opinion. Owen
No, it is LESS robust, because the client identifier changes when the SOFTWARE changes. Around here, software changes MUCH more often than hardware. Heck, even a dual-boot scenario breaks the client identifier stability. Worse yet, DHCPv6 has created a scenario where a client's IPv4 connectivity and IPv6 connectivity break under /different/ scenarios, causing difficult-to-troubleshoot half-connectivity issues when either the hardware is replaced or the software is reloaded.
Any client whose DUID changes on software re-install has a very poor choice of default DUID and should be configurable for a better choice of DUID. That is not DHCPv6�s fault.
It is reality. DHCPv6 needs to take reality into account. DHCPv6 as defined in RFC 3315 does not offer client MAC address at all (thus making the job more difficult for a number of organizations). All I've seen so far indicates that this was a deliberate choice by the DHCPv6 designers, and in my opinion a very poor one. Fortunately we now have RFC 6939 (DHCPv6 Client Link-Layer Address Option), and we're waiting for vendors to implement this. That solves one half of the problem. The other half is to actually let the DHCPv6 lease be based directly on the MAC address. The language in RFC 3315, as I read it, makes this difficult or impossible. Steinar Haug, Nethelp consulting, sthaug@nethelp.no
It is reality. DHCPv6 needs to take reality into account.
One modest attempt to do so is dhcpy6d at https://dhcpy6d.ifw-dresden.de. Still work in progress and might not fit into every environment but helps some others. Regards -- Henri Wahl IT Department Leibniz-Institut fuer Festkoerper- u. Werkstoffforschung Dresden tel: (03 51) 46 59 - 797 email: h.wahl@ifw-dresden.de http://www.ifw-dresden.de Nagios status monitor Nagstamon: http://nagstamon.ifw-dresden.de DHCPv6 server dhcpy6d: http://dhcpy6d.ifw-dresden.de IFW Dresden e.V., Helmholtzstrasse 20, D-01069 Dresden VR Dresden Nr. 1369 Vorstand: Prof. Dr. Juergen Eckert, Dr. h.c. Dipl.-Finw. Rolf Pfrengle -- Henri Wahl IT Department Leibniz-Institut fuer Festkoerper- u. Werkstoffforschung Dresden tel: (03 51) 46 59 - 797 email: h.wahl@ifw-dresden.de http://www.ifw-dresden.de Nagios status monitor Nagstamon: http://nagstamon.ifw-dresden.de DHCPv6 server dhcpy6d: http://dhcpy6d.ifw-dresden.de IFW Dresden e.V., Helmholtzstrasse 20, D-01069 Dresden VR Dresden Nr. 1369 Vorstand: Prof. Dr. Juergen Eckert, Dr. h.c. Dipl.-Finw. Rolf Pfrengle
On Mar 27, 2014, at 12:52 AM, sthaug@nethelp.no wrote:
No, it is LESS robust, because the client identifier changes when the SOFTWARE changes. Around here, software changes MUCH more often than hardware. Heck, even a dual-boot scenario breaks the client identifier stability. Worse yet, DHCPv6 has created a scenario where a client's IPv4 connectivity and IPv6 connectivity break under /different/ scenarios, causing difficult-to-troubleshoot half-connectivity issues when either the hardware is replaced or the software is reloaded.
Any client whose DUID changes on software re-install has a very poor choice of default DUID and should be configurable for a better choice of DUID. That is not DHCPv6’s fault.
It is reality. DHCPv6 needs to take reality into account.
DHCPv6 as defined in RFC 3315 does not offer client MAC address at all (thus making the job more difficult for a number of organizations).
Yes it does… What do you think “Link Layer Address” (RFC 3315, Section 9.1 Type 3) is? From RFC-3315 Section 9.4, it seems pretty clear that is exactly what this is intended to be. True, it includes an additional 16 bits of media type, but I don’t see that as being a problem.
All I've seen so far indicates that this was a deliberate choice by the DHCPv6 designers, and in my opinion a very poor one. Fortunately we now have RFC 6939 (DHCPv6 Client Link-Layer Address Option), and we're waiting for vendors to implement this. That solves one half of the problem.
Yes and no. At the time RFC3315 was written, network cards changed independent of motherboards on a regular basis and this fact was a source of great consternation for DHCPv4 operators. Over time, that changed AFTER RFC3315 was written, but if you read section 9.4, it seems pretty clear that this change was anticipated by the authors and that DUID-LL was intended for the situation we have today. Clients failing to implement DUID-LL as defined in RFC-3315 can hardly be blamed on DHCPv6.
The other half is to actually let the DHCPv6 lease be based directly on the MAC address. The language in RFC 3315, as I read it, makes this difficult or impossible.
Reread section 9.4… It seems not only possible, but recommended from my reading. The problem isn’t that the MAC address isn’t allowed. The problem is that the clients aren’t properly using permanent MAC addresses as DUID. Owen
DHCPv6 as defined in RFC 3315 does not offer client MAC address at all (thus making the job more difficult for a number of organizations).
Yes it does…
What do you think “Link Layer Address” (RFC 3315, Section 9.1 Type 3) is? From RFC-3315 Section 9.4, it seems pretty clear that is exactly what this is intended to be. True, it includes an additional 16 bits of
media type,
- I cannot a priori know which DUID type a particular client will use. Of the three DUID types in RFC 3315 section 9.1, type 1 and 3 include link layer address while type 2 does not. - As has already been pointed out, the same physical hardware may use different DUID types when booted with different operating systems. - The language in RFC 3315 is pretty explicit in saying that a server *must* treat the DUID as an opaque value - in other words, you are not allowed to "inspect" it in any way to find the presumed MAC address and take any action based on the MAC address.
All I've seen so far indicates that this was a deliberate choice by the DHCPv6 designers, and in my opinion a very poor one. Fortunately we now have RFC 6939 (DHCPv6 Client Link-Layer Address Option), and we're waiting for vendors to implement this. That solves one half of the problem.
Yes and no.
At the time RFC3315 was written, network cards changed independent of motherboards on a regular basis and this fact was a source of great consternation for DHCPv4 operators. Over time, that changed AFTER RFC3315 was written, but if you read section 9.4, it seems pretty clear that this change was anticipated by the authors and that DUID-LL was intended for the situation we have today.
I think understand the well-meant intentions of the RFC 3315 authors. However, my claim is that the actual end result for IPv6 leaves us in a *worse* situation than for IPv4. And one which, among others, makes it very difficult to correlate IPv4 and IPv6 leases (something which I have no need for today, but which I could easily see a need for in the future). Steinar Haug, Nethelp consulting, sthaug@nethelp.no
On Thu, 2014-03-27 at 05:34 -0700, Owen DeLong wrote:
What do you think “Link Layer Address” (RFC 3315, Section 9.1 Type 3) is? From RFC-3315 Section 9.4, it seems pretty clear that is exactly what this is intended to be. True, it includes an additional 16 bits of media type, but I don’t see that as being a problem.
Though to be fair 3315 also says that the DUID should be treated as an opaque blob, not parsed and bits extracted from it. From section 9: "Clients and servers MUST treat DUIDs as opaque values and MUST only compare DUIDs for equality. Clients and servers MUST NOT in any other way interpret DUIDs." Regarding section 9.4, which you refer to: 3315 only uses MACs to *construct* useful DUIDs, not as a means of communicating MACs to clients or servers. Also, an operator cannot RELY on getting a MAC address in a DUID. DUID's *are* different and *do* require new ways of doing things. People will work it out. Regards, K. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer@biplane.com.au) http://www.biplane.com.au/kauer http://twitter.com/kauer389 GPG fingerprint: EC67 61E2 C2F6 EB55 884B E129 072B 0AF0 72AA 9882 Old fingerprint: B862 FB15 FE96 4961 BC62 1A40 6239 1208 9865 5F9A
On Mar 27, 2014, at 1:55 PM, Karl Auer <kauer@biplane.com.au> wrote:
On Thu, 2014-03-27 at 05:34 -0700, Owen DeLong wrote:
What do you think “Link Layer Address” (RFC 3315, Section 9.1 Type 3) is? From RFC-3315 Section 9.4, it seems pretty clear that is exactly what this is intended to be. True, it includes an additional 16 bits of media type, but I don’t see that as being a problem.
Though to be fair 3315 also says that the DUID should be treated as an opaque blob, not parsed and bits extracted from it. From section 9:
"Clients and servers MUST treat DUIDs as opaque values and MUST only compare DUIDs for equality. Clients and servers MUST NOT in any other way interpret DUIDs."
Regarding section 9.4, which you refer to: 3315 only uses MACs to *construct* useful DUIDs, not as a means of communicating MACs to clients or servers. Also, an operator cannot RELY on getting a MAC address in a DUID.
DUID's *are* different and *do* require new ways of doing things. People will work it out.
Right… The comment wasn’t about getting the Mac address, the comment was about having a DUID that remains the same across reboots and software installations. Using LL (type 3) DUIDs should accomplish that. Linking your IPv4 DHCP System ID and your IPv6 DHCP System ID is a completely different problem which I don’t see much practical purpose for other than by the hostname which could easily be handled in the DDNS registration process. Owen
On Mar 26, 2014, at 4:25 PM, Luke S. Crawford <lsc@prgmr.com> wrote:
On 03/26/2014 03:49 PM, Matt Palmer wrote:
On Wed, Mar 26, 2014 at 10:55:03AM -0700, Luke S. Crawford wrote:
There are many ways to skin this cat; stateless autoconfig looks like it mostly works, but privacy extensions seem to be the default in many places; outgoing IPv6 from those random addresses will trip my BCP38 filters.
Your what-now? You do realise SLAAC works entirely within a single /64, which shouldn't be difficult to decide is either routable or not in one hit, right?
If you give every customer their own vlan and /64, sure. That can be done, and there are many advantages to doing it that way. But it's quite a bit more complex than my current setup.
The way I'm setup now, I've got an IPv4 address block on a vlan, and an IPv6/64 on the same vlan. I have many customers on that vlan. Each customer has one (or more) IPv4 /32 addresses and one IPv6 /128 addresses. (if the customer wants more IPv6, we just route a /64 to the /128 they are allowed.) There are firewall rules that only allow appropriate packets in and out of the interface. These rules are important for privacy as well as preventing spoofing; they prevent sniffing of most traffic bound for other guests.
Why not just use private VLAN layer 2 controls for the privacy you describe? Yes, you risk customer A spoofing customer B, but is that really a problem in your environment? Really? If so, one could argue you might want to consider getting a better class of customers. Owen
On 03/26/2014 11:14 PM, Owen DeLong wrote:
Why not just use private VLAN layer 2 controls for the privacy you describe?
The technology I know of is what cisco calls 'protected ports' - My understanding is that those simply mean you can't pass traffic to or from other 'protected ports' - I use that capability when, say, putting a bunch of IPMIs on a private network, it works great, as if one of the IPMI ports is trying to talk to another, something is very wrong and it gets blocked. They are commonly used in the dedicated server hosting world to do what you are describing, but they have a big downside when being used on the public side; customer 1 can't talk to customer 2. Now, this isn't usually a big deal, except in one very common case; what if one entity buys two hosts? now those two hosts can't talk to oneanother. This is a very common problem for dedicated hosting providers (and why I give my dedicated hosts a vlan and a routed subnet, wasting IPv4.) For my virtuals, though, I have a much more clever "switch" as it's just some software running in the Dom0, so at least in the IPv4 world, filtering just their /32 in and out is a much better solution.
Yes, you risk customer A spoofing customer B, but is that really a problem in your environment? Really? If so, one could argue you might want to consider getting a better class of customers.
You wouldn't feel uncomfortable if some other company could come in and not only spoof your IP, but receive the return traffic? Keep in mind that they could do this in a way that is quite difficult to detect or trace, if they were clever about it. I may trust my provider, to a certain extent, but I certainly don't trust everyone who gives my provider money.
On 3/27/2014 12:19 PM, Luke S. Crawford wrote:
This is a very common problem for dedicated hosting providers (and why I give my dedicated hosts a vlan and a routed subnet, wasting IPv4.)
Implement what some DSL access providers do. Unnumbered interfaces with /32 routing to the vlan. The last I checked, I think a J can even get the /32 route from radius when using autoconfig with radius auth. We did similar things with IPv6, as well. proxy-arp/proxy-nd to handle the cross talk. IOS 12.1 7206 confirmed. No autoconf, but static subinterfaces for each vlan (q-in-q supported or atm), unnumbered to loopback. DHCPv4 and static routing works. IPv6 had issues, but could handle static /64 per subint. ASR/J MX, autoconfig w/ radius backend, manual subint/unit, or combination. DHCPv4 confirmed, static host routes confirmed. IPv6 not confirmed. Radius static host route establishment not confirmed. Still testing. Jack
On Mar 26, 2014, at 10:55 AM, Luke S. Crawford <lsc@prgmr.com> wrote:
On 03/24/2014 06:18 PM, Owen DeLong wrote:
DHCPv6 is no less robust in my experience than DHCPv4.
ARP and ND have mostly equivalent issues.
This depends a lot on what you mean by 'robust'
Now, I have dealt with NAT, and I see IPv6 as a technology with the potential to make my life less unpleasant. I really want IPv6 to succeed.
However, DHCPv6 isn't anywhere near as useful for me, as someone who normally deals with IPs that don't change, as DHCPv4 is.
With DHCPv4, my customers all get an address based on their mac that doesn't change if their box is re-installed. I configure this on the DHCP server, and the customer can run whatever dhcp client they like on whatever OS they like and they get the same IP every time.
Other than it being based on DUID instead of MAC (which, btw, DUID can be based on MAC), this is also possible in DHCP6.
With DHCPv6 there is a time-based identifier that is added to the mac that makes it impossible, as far as I can tell, to give the customer a consistent IP across OS wipes without doing significant client configuration.
Nope. Not true.
There are many ways to skin this cat; stateless autoconfig looks like it mostly works, but privacy extensions seem to be the default in many places; outgoing IPv6 from those random addresses will trip my BCP38 filters. That, and reading the standard, it sure doesn't sound like consistency was a goal, even though it seems fairly consistent experimentally. there's a lot of "generally" and "may" in the text about what it adds to the mac in order to get the local identifier.
Why would your BCP38 filters be filtering down below the prefix level? The random addresses all still have the same 64 bit prefix. For non-privacy addresses, it’s very clear… 64 bit mac is just used. 48 bit mac is OR’d with 0x0200 0000 0000 and then split at the OUI/ESI boundary (24 bits) where 0xfffe is inserted. Thus 1234.5678.abcd would become 1234.56ff.fe78.abcd and 0123.4567.89ab would become 0323.45ff.fe67.89ab. For privacy addresses, this is kind of all over the map and multiple different algorithms with different entropic properties are proposed. Worse, Micr0$0ft doesn’t conform to the standard at all and, instead, uses no entropy to provide an address that is different per prefix, but the same every time for the same prefix.
It might make sense to just give everyone their own vlan and their own /64; that would, of course, bring its own problems and complexities (namely that I've gotta have the capability to deal with more customers than I can have native vlans - not impossible to get around, but significant added complexity.)
I don’t see the point of that.
I suppose I can also just keep DHCPv4 around, and if folks want IPv6, well, they have to wire down the address themselves. That's how I'm doing it now.
That seems unnecessarily difficult. Owen
It might make sense to just give everyone their own vlan and their own /64; that would, of course, bring its own problems and complexities (namely that I've gotta have the capability to deal with more customers than I can have native vlans - not impossible to get around, but significant added complexity.)
I don’t see the point of that.
why not? After carefully considering everything you have told me, this sounds like the way forward to do it the "IPv6 way" - privacy IPs would work fine, and I could filter every port such that only packets from that /64 were allowed out and only addresses to that /64 would be allowed in. Nobody would be able to spoof or listen in on their neighbor; yeah, my router would have to send a lot of RAs, but routers that handle the amount of traffic my customers send are cheap. I have a lot of customers, sure, but they are small. Sure, it's going to cost me in routing complexity, but it looks like the only thing I can do that will actually solve my problems and use IPv6 the way IPv6 is expecting to be used. I'd then have to figure out how to make their ipv4 /32 work, but I can think of several possibilities that might work. If nothing else, I could give them one interface for IPv6 and one for IPv4, and leave the IPv4 interface the current system.
On Sun, Mar 23, 2014 at 04:27:16PM -0500, Timothy Morizot wrote:
On Mar 23, 2014 11:27 AM, "Paul Ferguson" <fergdawgster@mykolab.com> wrote:
Also, IPv6 introduces some serious security concerns, and until they are properly addressed, they will be a serious barrier to even considering it.
And that is pure FUD. The sorts of security risks with IPv6 are mostly in the same sorts of categories as those with IPv4 and have appropriate mitigations available. Moreover, by not enabling and controlling IPv6 on their networks, an operator is actually markedly more vulnerable to IPv6 attacks, not less.
Scott
Yo, Tim/Scott. Seems you have not been keeping up. http://go6.si/wp-content/uploads/2011/11/DREN-6-Slo-IPv6Summit-2011.pdf points out several unique problems w/ IPv6 and in deployments where there are ZERO IPv4 equivalents. Ferg is paranoid, but it doesn;t mean they are not out to get him/IPv6. /bill
On Mar 23, 2014 4:45 PM, <bmanning@vacation.karoshi.com> wrote:
Yo, Tim/Scott. Seems you have not been keeping up.
http://go6.si/wp-content/uploads/2011/11/DREN-6-Slo-IPv6Summit-2011.pdf
points out several unique problems w/ IPv6 and in deployments
where
there are ZERO IPv4 equivalents. Ferg is paranoid, but it doesn;t mean they are not out to get him/IPv6.
Seriously? That's the best you can come up? A three year old presentation? The RA and ND vulnerabilities are just the IPv6 versions of ARP floods and similar attacks. They are well-understood and long mitigated. On the other hand, if you have an IPv4 only network with lots of IPv6 capable devices on it and someone compromises a host to start sending out RAs, what exactly is your defense posture? My comments represent reality. Your security posture is much worse in an IPv4 only configuration than if you enable and control IPv6. Scott
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 3/23/2014 3:56 PM, Timothy Morizot wrote:
My comments represent reality. Your security posture is much worse in an IPv4 only configuration than if you enable and control IPv6.
Says you. On the other hand, there are beaucoup enterprise networks unwilling to consider to moving to v6 until there are management, control, administrative, and security issues addressed. You can continue to deride our issues, and make derisive comments until your heart's content, but it does not change reality. And on that, it will be the last I say on the matter on NANOG. Best & Cheers, - - ferg - -- Paul Ferguson VP Threat Intelligence, IID PGP Public Key ID: 0x54DC85B2 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (MingW32) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iF4EAREIAAYFAlMvbI4ACgkQKJasdVTchbK0igD+JF+M3DRoRz5wIJFo+tLV5dFF KuoOPKOQYJ8Vpf32aMsA/2ccs9CDrbq5hatw+LkL8/CHafTbOWGkhdYfjv7Q6ghM =HeCa -----END PGP SIGNATURE-----
On Mar 23, 2014 6:21 PM, "Paul Ferguson" <fergdawgster@mykolab.com> wrote:
Says you.
And many others. My comments were actually reiterating what I commonly see presented today.
On the other hand, there are beaucoup enterprise networks unwilling to consider to moving to v6 until there are management, control, administrative, and security issues addressed.
Whereas there are other enterprise networks, including mine, who are actively deploying IPv6 and have been for a number of years now. So unless you can come up with something truly novel that we haven't already dealt with, I'll stick by my use of FUD.
You can continue to deride our issues, and make derisive comments until your heart's content, but it does not change reality.
I wasn't aware that calling out FUD was derisive, but whatever. Cheers, Scott
"I wasn't aware that calling out FUD was derisive, but whatever." It's derisive because you completely dismiss a huge security issue that, given the state of IPv6 adoption, a great majority of companies are facing. Calling it FUD is completely wrong because it *is* a legitimate security issue for most businesses. Sure, you've got the few who have been able to properly plan for and secure their networks against the increased attack surface of IPv6, but again...most companies haven't. Slinging false proclamations of FUD is as harmful as FUD itself. On Sun, Mar 23, 2014 at 4:49 PM, Timothy Morizot <tmorizot@gmail.com> wrote:
On Mar 23, 2014 6:21 PM, "Paul Ferguson" <fergdawgster@mykolab.com> wrote:
Says you.
And many others. My comments were actually reiterating what I commonly see presented today.
On the other hand, there are beaucoup enterprise networks unwilling to consider to moving to v6 until there are management, control, administrative, and security issues addressed.
Whereas there are other enterprise networks, including mine, who are actively deploying IPv6 and have been for a number of years now. So unless you can come up with something truly novel that we haven't already dealt with, I'll stick by my use of FUD.
You can continue to deride our issues, and make derisive comments until your heart's content, but it does not change reality.
I wasn't aware that calling out FUD was derisive, but whatever.
Cheers,
Scott
-- 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
On Mar 23, 2014 7:24 PM, "Mike Hale" <eyeronic.design@gmail.com> wrote:
It's derisive because you completely dismiss a huge security issue that, given the state of IPv6 adoption, a great majority of companies are facing.
The original assertion was that there are unaddressed security weaknesses in IPv6 itself preventing its adoption. At least that's the way I read it. And that assertion is mostly FUD.
Calling it FUD is completely wrong because it *is* a legitimate security issue for most businesses. Sure, you've got the few who have been able to properly plan for and secure their networks against the increased attack surface of IPv6, but again...most companies haven't.
Well, it's hardly a few at this point, unless by few you simply mean a minority. But it's a numerous and growing minority. Moreover, the acknowledgement that enterprises have been able to properly plan and deploy IPv6 while appropriately mitigating the security risks shows the claim that there are security weaknesses in IPv6 preventing its adoption is false. Now admittedly if an enterprise hasn't done any security planning or assessments then they aren't ready to deploy IPv6. But there's nothing inherent to IPv6 stopping them. Scott
"unless by few you simply mean a minority" Which I do. "appropriately mitigating the security risks shows the claim that there are security weaknesses in IPv6 preventing its adoption is false." No. It doesn't. It's not the sole reason, but it's a huge factor to consider. "But there's nothing inherent to IPv6 stopping them." There is because it doubles your attack surface at the very least. At the worst, it increases it exponentially since suddenly all your internal devices (that were never configured to be public-facing) are suddenly accessible from everywhere. None of this isn't preventable, by the way. There are a myriad of solutions that can and do mitigate these risks. But to simply dismiss the security considerations is, I think, incredibly naïve and unrealistic. On Sun, Mar 23, 2014 at 5:41 PM, Timothy Morizot <tmorizot@gmail.com> wrote:
On Mar 23, 2014 7:24 PM, "Mike Hale" <eyeronic.design@gmail.com> wrote:
It's derisive because you completely dismiss a huge security issue that, given the state of IPv6 adoption, a great majority of companies are facing.
The original assertion was that there are unaddressed security weaknesses in IPv6 itself preventing its adoption. At least that's the way I read it. And that assertion is mostly FUD.
Calling it FUD is completely wrong because it *is* a legitimate security issue for most businesses. Sure, you've got the few who have been able to properly plan for and secure their networks against the increased attack surface of IPv6, but again...most companies haven't.
Well, it's hardly a few at this point, unless by few you simply mean a minority. But it's a numerous and growing minority. Moreover, the acknowledgement that enterprises have been able to properly plan and deploy IPv6 while appropriately mitigating the security risks shows the claim that there are security weaknesses in IPv6 preventing its adoption is false.
Now admittedly if an enterprise hasn't done any security planning or assessments then they aren't ready to deploy IPv6. But there's nothing inherent to IPv6 stopping them.
Scott
-- 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
On Mar 23, 2014 7:54 PM, "Mike Hale" <eyeronic.design@gmail.com> wrote:
"unless by few you simply mean a minority" Which I do.
Then that's fine. But there are numerous enterprises in that minority and it includes some pretty large enterprises. My own enterprise organization has more than 600 sites, 100k employees, and thousands of contractors.
"appropriately mitigating the security risks shows the claim that there are security weaknesses in IPv6 preventing its adoption is false." No. It doesn't. It's not the sole reason, but it's a huge factor to consider.
Logic 101? If security-conscious enterprises have successfully implemented IPv6 while mitigating the security risks, then there aren't any inherent security weaknesses preventing its adoption by enterprises. A non-FUD statement would be that we've assessed our infrastructure and preparedness for IPv6 and aren't yet in a position where we can safely deploy IPv6. A FUD statement is the assertion that there are inherent security weaknesses in the protocol preventing enterprises from deploying it.
There is because it doubles your attack surface at the very least. At the worst, it increases it exponentially since suddenly all your internal devices (that were never configured to be public-facing) are suddenly accessible from everywhere.
It's an IPv6 world. Your attack surface has already expanded whether or not you deploy IPv6. In fact, an enterprise will be making itself increasingly vulnerable to IPv6 attacks by refusing to deploy it than by securely enabling and controlling the protocol. And if an enterprise doesn't have firewalls in place, then their devices are already accessible. NAT44 doesn't provide any meaningful security protection. If you have firewalls with appropriate policies, then it's silly to claim your internal devices are suddenly accessible from everywhere. My organization is particularly strict at our perimeter. Everything is default deny in both directions for both protocols and we very carefully open holes. We also allow very little unproxied access to the Internet. (DNS, SMTP, and HTTP/HTTPS being the most common services provided in our Internet access points.)
None of this isn't preventable, by the way. There are a myriad of solutions that can and do mitigate these risks. But to simply dismiss the security considerations is, I think, incredibly naïve and unrealistic.
Nowhere have I dismissed security considerations for either IPv4 or IPv6. I've simply pointed out that it really isn't any harder to plan and manage for v6 than for v4. And we currently live in a dual-protocol Internet. Simply pretending that if you don't enable IPv6, you're somehow immune from IPv6 threats is naive. Scott
[] It seems to me that the only thing that really matters in v6 wars for enterprise is whether their content side has a v6 face. Who really cares whether they migrate away from v4 so long as they make their outward facing content (eg web, etc) available over v6? That's really the key. Mike
On Mar 23, 2014 8:44 PM, "Michael Thomas" <mike@mtcc.com> wrote:
It seems to me that the only thing that really matters in v6 wars for enterprise is whether their content side has a v6 face. Who really cares whether they migrate away from v4 so long as they make their outward facing content (eg web, etc) available over v6? That's really the key.
It doesn't really matter to anyone else. Since I work on the enterprise side rather than the ISP side, I'm arguing that it's really important for the enterprise itself. I'm old enough to have been around when our enterprise had x.25, local Netware, Lanmanager, and Microsoft networks. Everything eventually converged to IP because interoperability both internally and across the Internet is a really important factor. Incompatibility carries an ever increasing cost. Moreover, since most things have IPv6 enabled by default these days, most enterprises who believe they are IPv4 only are deluding themselves. So from a security perspective, they really need to be planning and managing IPv6 internally as well. Scott
"then there aren't any inherent security weaknesses preventing its adoption by enterprises." You're right. There's not an inherent security weakness in the protocol. The increased risk is due to the increase in your attack surface (IMHO). "Your attack surface has already expanded whether or not you deploy IPv6." Not so. If I don't enable IPv6 on my hosts, the attacker can yammer away via IPv6 all day long with no result. "And if an enterprise doesn't have firewalls in place, then their devices are already accessible." For those devices that have publicly routable IP addresses, sure. "My organization is particularly strict at our perimeter" Then sir, you're in a fortunate and small group. "I've simply pointed out that it really isn't any harder to plan and manage for v6 than for v4" Except it is. I get your point that there aren't any additional vulnerabilities in v6 than they are in v4. My point is that it's a lot more work. And as someone who's facing this issue right now, I promise you...it's a lot more work. I'm not saying it's not worth the effort nor that it's unnecessary...but to imply that securing v6 is an easy step up from securing v4 is inaccurate. "Simply pretending that if you don't enable IPv6, you're somehow immune from IPv6 threats is naïve." No. If I turn off v6 in my kernel, I am absolutely immune from native v6 threats. I'm happy to be proven wrong if you can show me a case where this isn't so. Mark: Everything you've said is correct. But my point is simply that there *are* security considerations when deploying v6, and they're bigger than some rare and esoteric bug that's only exploitable when all the stars align. With v6, a simple misconfiguration can open up every single host directly to the outside. The same simply isn't true with NAT where you have to explicitly define inbound rules. Again...I'm not saying these considerations are insurmountable. I'm not saying you shouldn't deploy v6 because of potential security holes. But to sound dismissive of those security considerations involved with deploying v6 is very counterproductive. On Sun, Mar 23, 2014 at 6:25 PM, Timothy Morizot <tmorizot@gmail.com> wrote:
On Mar 23, 2014 7:54 PM, "Mike Hale" <eyeronic.design@gmail.com> wrote:
"unless by few you simply mean a minority" Which I do.
Then that's fine. But there are numerous enterprises in that minority and it includes some pretty large enterprises. My own enterprise organization has more than 600 sites, 100k employees, and thousands of contractors.
"appropriately mitigating the security risks shows the claim that there are security weaknesses in IPv6 preventing its adoption is false." No. It doesn't. It's not the sole reason, but it's a huge factor to consider.
Logic 101? If security-conscious enterprises have successfully implemented IPv6 while mitigating the security risks, then there aren't any inherent security weaknesses preventing its adoption by enterprises. A non-FUD statement would be that we've assessed our infrastructure and preparedness for IPv6 and aren't yet in a position where we can safely deploy IPv6. A FUD statement is the assertion that there are inherent security weaknesses in the protocol preventing enterprises from deploying it.
There is because it doubles your attack surface at the very least. At the worst, it increases it exponentially since suddenly all your internal devices (that were never configured to be public-facing) are suddenly accessible from everywhere.
It's an IPv6 world. Your attack surface has already expanded whether or not you deploy IPv6. In fact, an enterprise will be making itself increasingly vulnerable to IPv6 attacks by refusing to deploy it than by securely enabling and controlling the protocol.
And if an enterprise doesn't have firewalls in place, then their devices are already accessible. NAT44 doesn't provide any meaningful security protection. If you have firewalls with appropriate policies, then it's silly to claim your internal devices are suddenly accessible from everywhere. My organization is particularly strict at our perimeter. Everything is default deny in both directions for both protocols and we very carefully open holes. We also allow very little unproxied access to the Internet. (DNS, SMTP, and HTTP/HTTPS being the most common services provided in our Internet access points.)
None of this isn't preventable, by the way. There are a myriad of solutions that can and do mitigate these risks. But to simply dismiss the security considerations is, I think, incredibly naïve and unrealistic.
Nowhere have I dismissed security considerations for either IPv4 or IPv6. I've simply pointed out that it really isn't any harder to plan and manage for v6 than for v4. And we currently live in a dual-protocol Internet. Simply pretending that if you don't enable IPv6, you're somehow immune from IPv6 threats is naive.
Scott
-- 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
On Mar 23, 2014 8:44 PM, "Mike Hale" <eyeronic.design@gmail.com> wrote:
"Your attack surface has already expanded whether or not you deploy IPv6." Not so. If I don't enable IPv6 on my hosts, the attacker can yammer away via IPv6 all day long with no result.
I suppose it depends on the size of your enterprise. But in one our size, despite all the controls we have in place, there is no way we could ever be assured that IPv6 was disabled on every single endpoint everywhere. So you absolutely need IPv6 enabled at your perimeter so you can see what's going in and out. And the more you're able to deploy it internally the better you're able to control it. The odds are if you're an enterprise of any size and you're simply depending on disabling IPv6 for protection, then you're probably more vulnerable than you think. Moreover, most enterprises have significant quantities of Windows clients and servers deployed. While you can alter the registry to completely disable IPv6, it's not a configuration that's supported by Microsoft. All their security and regression tests is done in v4 only, dual-stacked, and v6-only networks, but never with IPv6 disabled entirely. And given that since Vista/Server 2008 their network stack was rewritten to be entirely IPv6 (using v4 mapped addresses for ipv4 support), I'm not sure that placing your hosts in an untested configuration improves your security profile. Moreover it's known to break some things in unpleasant ways. That includes HyperV clustering and Exchange 2010 services. (My own organization ran into the Exchange issue.) So it's may very well be that you can't completely disable IPv6 on hosts and, even if you do, it may make your security profile markedly worse.
For those devices that have publicly routable IP addresses, sure.
If there's no firewall and an enterprise is depending on NAT44 alone to protect internal devices, then using an RFC1918 address is no protection. NAT traversal is old hat. It's the firewall that prevents access to/from internal devices, not whether or not they have publicly routable addresses. That's true for IPv4 and IPv6.
"My organization is particularly strict at our perimeter" Then sir, you're in a fortunate and small group.
In can be a pain sometimes. By law, we have some pretty strict security requirements.
"I've simply pointed out that it really isn't any harder to plan and manage for v6 than for v4" Except it is. I get your point that there aren't any additional vulnerabilities in v6 than they are in v4. My point is that it's a lot more work. And as someone who's facing this issue right now, I promise you...it's a lot more work. I'm not saying it's not worth the effort nor that it's unnecessary...but to imply that securing v6 is an easy step up from securing v4 is inaccurate.
I don't think I ever said it was easy. IPv4 security isn't easy to do right. But if you're doing v4 right and have the processes in place to support it, it's not all that much harder to do it for IPv6. And one of my hats has been the IPv6 transition technical lead for my organization since 2011 so I feel your pain. I do mostly rely on our cybersecurity subgroup lead on the security side, but have to keep abreast of security issues myself.
"Simply pretending that if you don't enable IPv6, you're somehow immune from IPv6 threats is naïve." No. If I turn off v6 in my kernel, I am absolutely immune from native v6 threats. I'm happy to be proven wrong if you can show me a case where this isn't so.
On any given single host, sure. Until that host is compromised and v6 is enabled. But my point was that it's virtually impossible to ensure that's the case across the board for every endpoint device on an enterprise network of any size. And depending on the OS or software used, doing so might just break things or make your system less secure by placing it in an untested state. An OS running in a completely untested state must be assumed to have unknown regressions and security vulnerabilities. And if anyone doesn't believe what I've written about Microsoft operating systems, simply check Technet or ask them. They are completely open and forthright about it. Scott
I am not sure I agree with the basic premise here. NAT or Private addressing does not equal security. A globally routable address does not necessarily mean globally accessible. Any enterprise that cares a wit about network security is going to have a firewall. If you are relying on NAT to protect hosts that have private addresses then you are already in a world of hurt so it won't matter much that IPv6 increases your attack surface because it is already pretty weak. In fact the enterprises running v4 better worry there first. They don't have to worry about the v6 stack too much because their network is not routing v6 yet so are only vulnerable within the network borders or subnets. I think even residential users mostly know that a private address does not make you safe. The same tools that protect your v4 machine are still necessary to protect a v6 machine. In fact, just because I have an IPv6 allocation does not mean I have to allow the world to route to them. There is no reason that a proxy cannot be used on the v6 space you have internally and there is no reason I can't point an entire address range at the outside interface of my firewall. The only difference here is that my firewall no longer has to NAT addresses. Thinking of NAT as a security mechanism is not viable for either address space. An enterprise with a respectable firewall can easily choose to allow or disallow access to any range of addresses that they wish so I don't see much difference between IPv6 and IPv4. I would think in most enterprise models you would have a group of addresses that can be reached from the outside world according to some policy (the DMZ or public NATs in v4 world) and the remainder only have access outbound according to policy (your private space behind your NAT v4 addresses in that world). I don't see how v6 massively changes things for the enterprise and the residential user can easily be protected behind a simple consumer firewall. As far as printers being a more dangerous attack vector than computers, I definitely don't buy that argument. It does not change in v4 or v6. Assuming that both stacks are vulnerable to attack I would be less worried about the printer because I am not aware of any of my printers running malware in v4. I think the PC platform being much more complex and having many more interfaces for active programming like DLLs, Java, ActiveX, etc, are much more the threat. I personally have not seen a DDoS attack launched by printers (they may exist but I am not aware of them). If I was going to design an attack for a printer, I would think that data theft would be the most dangerous. I have wondered about multifunction printers emailing print data to someone but I have never seen that yet. Steven Naslund Chicago IL On Mar 23, 2014 8:44 PM, "Mike Hale" <eyeronic.design@gmail.com> wrote:
"Your attack surface has already expanded whether or not you deploy IPv6." Not so. If I don't enable IPv6 on my hosts, the attacker can yammer away via IPv6 all day long with no result. .
On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve <SNaslund@medline.com> wrote:
I am not sure I agree with the basic premise here. NAT or Private addressing does not equal security.
Hi Steve, It is your privilege to believe this and to practice it in the networks you operate. Many of the folks you would have deploy IPv6 do not agree. They take comfort in the mathematical impossibility of addressing an internal host from an outside packet that is not part of an ongoing session. These folks find that address-overloaded NAT provides a valuable additional layer of security. Some folks WANT to segregate their networks from the Internet via a general-protocol transparent proxy. They've had this capability with IPv4 for 20 years. IPv6 poorly addresses their requirement. Regards, Bill Herrin -- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
not to mention the cost in readdressing your entire network when you change an upstream provider. Nat was a fix to a problem of lack of addresses, however, the use of private address space 10/8, 192.168/16 has allowed many to enjoy a simple network addressing scheme. I have and will continue to deploy IPV6, however the ease and simplicity of IPv4 cannot and should not be overlooked. Ipv6 requires a complete reeducation of they way we look at routing and the core of the network. I will not be trolling here, I prefer to troll off the Florida straits for large fish instead. .. -------- Original message -------- From: William Herrin Date:03/24/2014 12:27 PM (GMT-05:00) To: "Naslund, Steve" Cc: NANOG list Subject: Re: misunderstanding scale On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve <SNaslund@medline.com> wrote:
I am not sure I agree with the basic premise here. NAT or Private addressing does not equal security.
Hi Steve, It is your privilege to believe this and to practice it in the networks you operate. Many of the folks you would have deploy IPv6 do not agree. They take comfort in the mathematical impossibility of addressing an internal host from an outside packet that is not part of an ongoing session. These folks find that address-overloaded NAT provides a valuable additional layer of security. Some folks WANT to segregate their networks from the Internet via a general-protocol transparent proxy. They've had this capability with IPv4 for 20 years. IPv6 poorly addresses their requirement. Regards, Bill Herrin -- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
On Mon, Mar 24, 2014 at 11:36 AM, Alexander Lopez <alex.lopez@opsys.com>wrote:
not to mention the cost in readdressing your entire network when you change an upstream provider.
Nat was a fix to a problem of lack of addresses, however, the use of private address space 10/8, 192.168/16 has allowed many to enjoy a simple network addressing scheme.
Which is, of course, precisely the use case that ULA and NPTv6 (RFC 6296, not to be confused with a non-existent NAT66) addresses....
I doubt that many residential customers will be readdressing their networks except for us geeks. Most of them are going to be using CPE that grabs an address via DHCP for the WAN interface and then does an IPv6 DHCP PD with the /64 it gets from the service provider. The customer sees nothing at all. It is plug and play. In IPv6 the concept of manual addressing is strongly discouraged so the issue of readdressing networks should be improved not made more difficult. Private address space assignments might be simple to you but grandma and my sister in law, not so much. They just plug in their gear and don't worry about addresses. In the corporate world, there is nothing stopping you from keeping your ipv4 private addressing going for a long time. In fact, I think that is what most companies will do. If you want IPv6 internally, then have at it and please use DHCP. Steven Naslund
On Mon, Mar 24, 2014 at 11:36 AM, Alexander Lopez <alex.lopez@opsys.com<mailto:alex.lopez@opsys.com>> wrote: not to mention the cost in readdressing your entire network when you change an upstream provider.
Nat was a fix to a problem of lack of addresses, however, the use of private address space 10/8, 192.168/16 has allowed many to enjoy a simple network addressing scheme.
Which is, of course, precisely the use case that ULA and NPTv6 (RFC 6296, not to be confused with a non-existent NAT66) addresses....
On Mar 24, 2014, at 9:36 AM, Alexander Lopez <alex.lopez@opsys.com> wrote:
not to mention the cost in readdressing your entire network when you change an upstream provider.
Nat was a fix to a problem of lack of addresses, however, the use of private address space 10/8, 192.168/16 has allowed many to enjoy a simple network addressing scheme.
This is easily and better solved in IPv6 using provider independent addressing which is readily available.
Ipv6 requires a complete reeducation of they way we look at routing and the core of the network.
I wouldn’t say complete, but significant. Owen
On Mar 24, 2014, at 9:36 AM, Alexander Lopez <alex.lopez@opsys.com> wrote:
not to mention the cost in readdressing your entire network when you change an upstream provider.
Nat was a fix to a problem of lack of addresses, however, the use of private address space 10/8, 192.168/16 has allowed many to enjoy a simple network addressing scheme.
This is easily and better solved in IPv6 using provider independent addressing which is readily available. <rant> Yes but the number of people needing just a /64 will far outnumber the one requesting a /48.
I would say that the majority of users today and for the future will not require a /48, but will simply use the allocation given to them by their upstream. Many today do not multi-home and how many SMB customers just use a single Public IP behind a NAT device? It is easy for us on this list to use or request PIA, but what about the 10 person office? It is late and I am just rambling, but even with DHCP(4and6) changing IP networks is not a trivial thing. Not hard, but it will require a lot more planning than what many do today of simply changing the WAN IP address and some records in the DNS (if needed) <OldGuyComplainingAboutHowGoodThingsWereBackInTheDay> I am not saying anything that is new to members of this group, I guess I am just venting a bit of frustration. </OldGuyComplainingAboutHowGoodThingsWereBackInTheDay> </rant>
Ipv6 requires a complete reeducation of they way we look at routing and the core of the network.
I wouldn't say complete, but significant.
Owen
In message <f0ca01f52b274d13ad84dbfe6aad2bd1@BN1PR04MB250.namprd04.prod.outlook .com>, Alexander Lopez writes:
On Mar 24, 2014, at 9:36 AM, Alexander Lopez <alex.lopez@opsys.com> wrote:
not to mention the cost in readdressing your entire network when you change an upstream provider.
Nat was a fix to a problem of lack of addresses, however, the use of private address space 10/8, 192.168/16 has allowed many to enjoy a simple network addressing scheme.
This is easily and better solved in IPv6 using provider independent addressing which is readily available. <rant> Yes but the number of people needing just a /64 will far outnumber the one requesting a /48.
My bet is the number needing more that a single /64 will exceed the number needing just a /64. Most phones really need two /64 for tethering and currently there are lots of kludges to work around only one being available.
I would say that the majority of users today and for the future will not require a /48, but will simply use the allocation given to them by their upstream.
Many today do not multi-home and how many SMB customers just use a single Public IP behind a NAT device?
How many would multi-home if it was a standard feature built into all CPE devices? Cable + DSL? Homenet is designing for all home CPE devices to support multi-homing. Plug in CPE from ISP 1 and CPE from ISP 2 and it will just work. How many don't get a realistic choice of multiple addresses?
It is easy for us on this list to use or request PIA, but what about the 10 person office?
It is late and I am just rambling, but even with DHCP(4and6) changing IP networks is not a trivial thing. Not hard, but it will require a lot more planning than what many do today of simply changing the WAN IP address and some records in the DNS (if needed)
<OldGuyComplainingAboutHowGoodThingsWereBackInTheDay> I am not saying anything that is new to members of this group, I guess I am just venting a bit of frustration. </OldGuyComplainingAboutHowGoodThingsWereBackInTheDay> </rant>
Ipv6 requires a complete reeducation of they way we look at routing and the core of the network.
I wouldn't say complete, but significant.
Owen
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
On Tue, 25 Mar 2014 16:31:17 +1100, Mark Andrews said:
My bet is the number needing more that a single /64 will exceed the number needing just a /64. Most phones really need two /64 for tethering and currently there are lots of kludges to work around only one being available.
As a data point, cerowrt (an openwrt fork) will ask upstream for a /60 or /56 via dhcp-pd, and then burn a /64 for each logical subnet. On a WNDR3800, it can burn 9 /64s out of the box, and more if you start doing VLAN stuff...
On Mar 24, 2014, at 10:12 PM, Alexander Lopez <alex.lopez@opsys.com> wrote:
On Mar 24, 2014, at 9:36 AM, Alexander Lopez <alex.lopez@opsys.com> wrote:
not to mention the cost in readdressing your entire network when you change an upstream provider.
Nat was a fix to a problem of lack of addresses, however, the use of private address space 10/8, 192.168/16 has allowed many to enjoy a simple network addressing scheme.
This is easily and better solved in IPv6 using provider independent addressing which is readily available. <rant> Yes but the number of people needing just a /64 will far outnumber the one requesting a /48.
Businesses? I doubt it.
I would say that the majority of users today and for the future will not require a /48, but will simply use the allocation given to them by their upstream.
Perhaps, but I don’t see that being just one subnet for anyone at all likely to have a concern about renumbering.
Many today do not multi-home and how many SMB customers just use a single Public IP behind a NAT device?
Those wouldn’t really have a problem renumbering their network.
It is easy for us on this list to use or request PIA, but what about the 10 person office?
I’ve done so for several. It’s not hard or expensive. Owen
It is late and I am just rambling, but even with DHCP(4and6) changing IP networks is not a trivial thing. Not hard, but it will require a lot more planning than what many do today of simply changing the WAN IP address and some records in the DNS (if needed)
We tried: http://tools.ietf.org/wg/6renum In particular, you may want to read http://tools.ietf.org/html/rfc6879 when planning and renumbering IPv6; it's intended to save you pain later. Lee
On Mar 24, 2014, at 12:21, William Herrin <bill@herrin.us> wrote:
On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve <SNaslund@medline.com> wrote:
I am not sure I agree with the basic premise here. NAT or Private addressing does not equal security.
Many of the folks you would have deploy IPv6 do not agree. They take comfort in the mathematical impossibility of addressing an internal host from an outside packet that is not part of an ongoing session. These folks find that address-overloaded NAT provides a valuable additional layer of security.
Some folks WANT to segregate their networks from the Internet via a general-protocol transparent proxy. They've had this capability with IPv4 for 20 years. IPv6 poorly addresses their requirement.
NAT i s not required for the above. Any firewall can stop incoming packets unless they are part of an established session. NAT doesn't add much of anything, especially given that you can have one-to-one NAT. -- TTFN, patrick
On Mon, Mar 24, 2014 at 1:05 PM, Patrick W. Gilmore <patrick@ianai.net> wrote:
On Mar 24, 2014, at 12:21, William Herrin <bill@herrin.us> wrote:
Some folks WANT to segregate their networks from the Internet via a general-protocol transparent proxy. They've had this capability with IPv4 for 20 years. IPv6 poorly addresses their requirement.
NAT i s not required for the above. Any firewall can stop incoming packets unless they are part of an established session. NAT doesn't add much of anything, especially given that you can have one-to-one NAT.
Hi Patrick, What sort of traction are you getting from that argument with enterprise security folks who object to deploying IPv6 because of NAT? Regards, Bill Herrin -- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
On Mar 24, 2014, at 13:17 , William Herrin <bill@herrin.us> wrote:
On Mon, Mar 24, 2014 at 1:05 PM, Patrick W. Gilmore <patrick@ianai.net> wrote:
On Mar 24, 2014, at 12:21, William Herrin <bill@herrin.us> wrote:
Some folks WANT to segregate their networks from the Internet via a general-protocol transparent proxy. They've had this capability with IPv4 for 20 years. IPv6 poorly addresses their requirement.
NAT i s not required for the above. Any firewall can stop incoming packets unless they are part of an established session. NAT doesn't add much of anything, especially given that you can have one-to-one NAT.
Hi Patrick,
What sort of traction are you getting from that argument with enterprise security folks who object to deploying IPv6 because of NAT?
The _good_ security people complain about deploying NAT in v4 or v6, because they don't think it is "security". What sort of traction do you get with security people when you tell them NAT == "security in depth"? If you mean "do people who get hired by $CORPORATION and do not know anything about security get upset when you tell them something they did not know?" The answer is "frequently, yes". I'm not sure what that has to do with the discussion at hand, though. -- TTFN, patrick
On Mar 24, 2014, at 5:05 PM, "Patrick W. Gilmore" <patrick@ianai.net> wrote:
On Mar 24, 2014, at 12:21, William Herrin <bill@herrin.us> wrote:
On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve <SNaslund@medline.com> wrote:
I am not sure I agree with the basic premise here. NAT or Private addressing does not equal security.
Many of the folks you would have deploy IPv6 do not agree. They take comfort in the mathematical impossibility of addressing an internal host from an outside packet that is not part of an ongoing session. These folks find that address-overloaded NAT provides a valuable additional layer of security.
Some folks WANT to segregate their networks from the Internet via a general-protocol transparent proxy. They've had this capability with IPv4 for 20 years. IPv6 poorly addresses their requirement.
It's unfortunate that it is the way it is, but many enterprise people have this ingrained in them - they don't want to be connected to the internet except for a few exceptions. Just the fact that they can't ping their machines gives them a warm and fuzzy. In a run-of-the-mill default NAT setup, you can deploy a network printer with no security and nobody from the internet can print to it. It's default deny, even without setting anything else up, by virtue of not being on the internet and not having an address. I know there are ways to subvert a NAT but that applies to perimeter and host firewalls too. IPv6 global numbers are great for those of us that actually want to connect to the internet, but enterprise people with rfc1918 numbering have gotten used to being disconnected, and while most of us know that it's trivial to firewall IPv6, it's still a big jump from using a NAT/proxy to being 'on the internet'. It's even more complex if it's only halfway and there are two different protocols to manage. People will always resist change, and in this case, why should they change when it's only going to make their job harder? Makes sense to me, but I wish it weren't that way. They will probably just find ways to proxy and NAT IPv6 too, so that it fits the IPv4 model with 'private' addresses. Just look at what's been happening with UDP floods. It's scared people enough that some are just blocking certain UDP ports or UDP completely. I imagine we will soon see some big IPv6 specific attacks that result in crashing hosts/routers, and that will just make people resist it harder, because why would they want that headache? I think in a lot of situations, unless their business is networking specifically, the network is considered good enough if you can browse (most) webpages. For IPv6 only sites, that could be accomplished with a web proxy setting on all the desktops. It's not really right, it's inefficient, error prone and bunch of other things, but that doesn't mean people won't do it. They do all this today with v4 anyway, so if anything, the 'wrong way' is easier there since they're used to doing it. There has to be some big compelling reason to convince people that global addressing is the right way. We all know the reasons but they're obviously not good enough for enterprise security people. -Laszlo
NAT i s not required for the above. Any firewall can stop incoming packets unless they are part of an established session. NAT doesn't add much of anything, especially given that you can have one-to-one NAT.
-- TTFN, patrick
On Mar 24, 2014, at 10:35 AM, Laszlo Hanyecz <laszlo@heliacal.net> wrote:
On Mar 24, 2014, at 5:05 PM, "Patrick W. Gilmore" <patrick@ianai.net> wrote:
On Mar 24, 2014, at 12:21, William Herrin <bill@herrin.us> wrote:
On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve <SNaslund@medline.com> wrote:
I am not sure I agree with the basic premise here. NAT or Private addressing does not equal security.
Many of the folks you would have deploy IPv6 do not agree. They take comfort in the mathematical impossibility of addressing an internal host from an outside packet that is not part of an ongoing session. These folks find that address-overloaded NAT provides a valuable additional layer of security.
Some folks WANT to segregate their networks from the Internet via a general-protocol transparent proxy. They've had this capability with IPv4 for 20 years. IPv6 poorly addresses their requirement.
It's unfortunate that it is the way it is, but many enterprise people have this ingrained in them - they don't want to be connected to the internet except for a few exceptions. Just the fact that they can't ping their machines gives them a warm and fuzzy. In a run-of-the-mill default NAT setup, you can deploy a network printer with no security and nobody from the internet can print to it. It's default deny, even without setting anything else up, by virtue of not being on the internet and not having an address. I know there are ways to subvert a NAT but that applies to perimeter and host firewalls too. IPv6 global numbers are great for those of us that actually want to connect to the internet, but enterprise people with rfc1918 numbering have gotten used to being disconnected, and while most of us know that it's trivial to firewall IPv6, it's still a big jump from using a NAT/proxy to being 'on the internet'. It's even more complex if it's only halfway and there are two different protocols to manage.
This mindset is why so many printers are delivering copies of everything printed to $badguy without the knowledge of many IT departments. You may not be able to print to it, but really, if you had access to a random printer somewhere, how many people would really want to print to it? In my experience, having had such a device on line as an experiment for several years, it’s a very small number. In more than 5 years with such a device on line with no NAT, no packet filter, nothing, only 3 print jobs came in from unauthorized users. Lots of other things were done to the printer to try and get it to do various things a printer just shouldn’t do. Now, just having the printer behind NAT doesn’t prevent that, because likely someone who has access to the printer inside the organization will download some piece of malware that reprograms the printer as desired, eliminating the need to compromise the printer through the NAT.
People will always resist change, and in this case, why should they change when it's only going to make their job harder? Makes sense to me, but I wish it weren't that way. They will probably just find ways to proxy and NAT IPv6 too, so that it fits the IPv4 model with 'private' addresses.
I suppose it’s possible, but I think, so far, education actually seems to be making progress. Please don’t give up hope yet. Owen
On Mar 24, 2014, at 9:21 AM, William Herrin <bill@herrin.us> wrote:
On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve <SNaslund@medline.com> wrote:
I am not sure I agree with the basic premise here. NAT or Private addressing does not equal security.
Hi Steve,
It is your privilege to believe this and to practice it in the networks you operate.
Many of the folks you would have deploy IPv6 do not agree. They take comfort in the mathematical impossibility of addressing an internal host from an outside packet that is not part of an ongoing session. These folks find that address-overloaded NAT provides a valuable additional layer of security.
Which impossibility has been disproven multiple times.
Some folks WANT to segregate their networks from the Internet via a general-protocol transparent proxy. They've had this capability with IPv4 for 20 years. IPv6 poorly addresses their requirement.
Actually, there are multiple implementations of transparent proxies available for IPv6. NAT isn’t the same thing at all. If you want to make your life difficult in IPv6, you can. Nobody prevents you from doing so. It is discouraged and non-sensical, but quite possible at this point. Owen
On Mon, Mar 24, 2014 at 8:02 PM, Owen DeLong <owen@delong.com> wrote:
On Mar 24, 2014, at 9:21 AM, William Herrin <bill@herrin.us> wrote:
On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve <SNaslund@medline.com> wrote:
I am not sure I agree with the basic premise here. NAT or Private addressing does not equal security.
Hi Steve,
It is your privilege to believe this and to practice it in the networks you operate.
Many of the folks you would have deploy IPv6 do not agree. They take comfort in the mathematical impossibility of addressing an internal host from an outside packet that is not part of an ongoing session. These folks find that address-overloaded NAT provides a valuable additional layer of security.
Which impossibility has been disproven multiple times.
Some folks WANT to segregate their networks from the Internet via a general-protocol transparent proxy. They've had this capability with IPv4 for 20 years. IPv6 poorly addresses their requirement.
Actually, there are multiple implementations of transparent proxies available for IPv6. NAT isn't the same thing at all.
If you want to make your life difficult in IPv6, you can. Nobody prevents you from doing so. It is discouraged and non-sensical, but quite possible at this point.
Owen
Right. fc00::/7 exists. If you want to emulate your internal use of 10.0.0.0/8 plus NAT (or, proxies or load balancers or whatever) in your IPv6 implementation go ahead. Putting in some robust filtering that if the fc00::/7 ever appears outside the internal gateway the traffic goes poof should be as easy as the equivalents for 10, 172.16, 192.168 ... -- -george william herbert george.herbert@gmail.com
On Mar 24, 2014, at 8:52 PM, George Herbert <george.herbert@gmail.com> wrote:
On Mon, Mar 24, 2014 at 8:02 PM, Owen DeLong <owen@delong.com> wrote:
On Mar 24, 2014, at 9:21 AM, William Herrin <bill@herrin.us> wrote:
On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve <SNaslund@medline.com> wrote:
I am not sure I agree with the basic premise here. NAT or Private addressing does not equal security.
Hi Steve,
It is your privilege to believe this and to practice it in the networks you operate.
Many of the folks you would have deploy IPv6 do not agree. They take comfort in the mathematical impossibility of addressing an internal host from an outside packet that is not part of an ongoing session. These folks find that address-overloaded NAT provides a valuable additional layer of security.
Which impossibility has been disproven multiple times.
Some folks WANT to segregate their networks from the Internet via a general-protocol transparent proxy. They've had this capability with IPv4 for 20 years. IPv6 poorly addresses their requirement.
Actually, there are multiple implementations of transparent proxies available for IPv6. NAT isn’t the same thing at all.
If you want to make your life difficult in IPv6, you can. Nobody prevents you from doing so. It is discouraged and non-sensical, but quite possible at this point.
Owen
Right. fc00::/7 exists. If you want to emulate your internal use of 10.0.0.0/8 plus NAT (or, proxies or load balancers or whatever) in your IPv6 implementation go ahead. Putting in some robust filtering that if the fc00::/7 ever appears outside the internal gateway the traffic goes poof should be as easy as the equivalents for 10, 172.16, 192.168 …
More accurately fd00::/8. fc00::/8 was reserved for ULA coordinated which failed to gain consensus. While IETF did set aside the /7, only fd00::/8 has a legitimate documented purpose. Owen
In message <7B6AF6E9-905A-4D14-B54F-8F244AFCFCEE@delong.com>, Owen DeLong write s:
On Mar 24, 2014, at 8:52 PM, George Herbert <george.herbert@gmail.com> wrote:
On Mon, Mar 24, 2014 at 8:02 PM, Owen DeLong <owen@delong.com> wrote:
On Mar 24, 2014, at 9:21 AM, William Herrin <bill@herrin.us> wrote:
On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve
<SNaslund@medline.com> wrote:
I am not sure I agree with the basic premise here. NAT or Private addressing does not equal security.
Hi Steve,
It is your privilege to believe this and to practice it in the networks you operate.
Many of the folks you would have deploy IPv6 do not agree. They take comfort in the mathematical impossibility of addressing an internal host from an outside packet that is not part of an ongoing session. These folks find that address-overloaded NAT provides a valuable additional layer of security.
Which impossibility has been disproven multiple times.
Some folks WANT to segregate their networks from the Internet via a general-protocol transparent proxy. They've had this capability with IPv4 for 20 years. IPv6 poorly addresses their requirement.
Actually, there are multiple implementations of transparent proxies available for IPv6. NAT isn't the same thing at all.
If you want to make your life difficult in IPv6, you can. Nobody prevents you from doing so. It is discouraged and non-sensical, but quite possible at this point.
Owen
Right. fc00::/7 exists. If you want to emulate your internal use of 10.0.0.0/8 plus NAT (or, proxies or load balancers or whatever) in your IPv6 implementation go ahead. Putting in some robust filtering that if the fc00::/7 ever appears outside the internal gateway the traffic goes poof should be as easy as the equivalents for 10, 172.16, 192.168 ...
More accurately fd00::/8. fc00::/8 was reserved for ULA coordinated which failed to gain consensus. While IETF did set aside the /7, only fd00::/8 has a legitimate documented purpose.
And if you are going to filter fc00::/7 is more future proof.
Owen -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
On Sun, Mar 23, 2014 at 10:07 PM, Naslund, Steve <SNaslund@medline.com>wrote:
As far as printers being a more dangerous attack vector than computers, I definitely don't buy that argument. It does not change in v4 or v6.
Printers are not merely "attack vectors"; they are targets. It only makes sense to describe them solely as potential vectors, if the printer is connected to the LAN the real target is connected to. In which situation: they are equally dangerous. But: there are more hackers that can leverage a computer using generic scripts than can mess with a vulnerable printer, using specialized attacks. Assuming that both stacks are vulnerable to attack I would be less worried
about the printer because I am not aware of any of my printers running malware in v4. I think the PC platform being much more
This is what makes printers more dangerous. Users have no idea what code is running on their printer. It is the perfect place for an attacker to patch the firmware: hole up, and setup their backdoor VPN, proxy, or tunnel, because it's on 24x7 -- rarely replaced, almost never updated --- no antimalware software.
complex and having many more interfaces for active programming like DLLs, Java, ActiveX, etc, are much more the threat. I personally have
The complexity of the available middleware and 3rd party APIs has little to do with what kinds of attacks can be launched from a compromised printer being used to stage attacks; once the device is compromised, the intruder will bring the minimal software they need. You're talking about APIs that greatly expand the attack surface of some computer software. But it does not matter; if the socket protocol used by the printer was not designed with security in mind. One good vulnerability is enough. More known vulnerabilities doesn't make it more dangerous after it is compromised, it just makes it that much more impossible to harden. With the printer --- there is little attention to vulnerabilities, so chances are patches are not even available.
not seen a DDoS attack launched by printers (they may exist but I am
You haven't seen any chargen or snmp activity at all?? DDoS reflection using clumsy appliance defaults is among the most popular attacks to be facilitated by printers.
not aware of them). If I was going to design an attack for a printer, I would think that data theft would be the most dangerous. I have
The most likely use of compromising a printer (following DDoS -- which doesn't require breaking in) is to provide a covert backdoor for staging further compromise attempts or man-in-the-middle attacks. The computer has more data storage, so it is privvy to more confidential information and contents of network traffic from the computer is likely to be the ultimate target. But it just takes one Man-in-the-middle against a LAN computer, with malware covertly injected to a webpage, for a compromised printer to breach a computer.
wondered about multifunction printers emailing print data to someone but I have never seen that yet.
Maybe. Is an intruder going to go through the trouble to compromise a printer -- just to misdirect printouts? Probably not. But this requires profiling the intruder versus information at risk -- They want computing power, banking information, SSNs: usernames/passwords. Typically stuff you will never find on printouts --- particularly within an org whose staff are aware that documents sent to network printers go over the LAN unencrypted, and therefore: your printouts should never contain that kind of information.
Steven Naslund Chicago IL
"Your attack surface has already expanded whether or not you deploy IPv6." Not so. If I don't enable IPv6 on my hosts, the attacker can yammer away via IPv6 all day long with no result.
If that were true, yes. The reality is that to make that a true statement, you would have to modify it to: “If I specifically disable IPv6 on every single one of my hosts well enough that a compromised host cannot have IPv6 turned back on, the attacker can yammer away via IPv6 all day long with no result.” Best of luck achieving that with any operating system newer than, say, Windows ME.
"And if an enterprise doesn't have firewalls in place, then their devices are already accessible." For those devices that have publicly routable IP addresses, sure.
Even for those that do not. It’s actually not that hard to craft a sequence of packets that can get past a NAT if you have even one compromised host somewhere behind the NAT.
"I've simply pointed out that it really isn't any harder to plan and manage for v6 than for v4" Except it is. I get your point that there aren't any additional vulnerabilities in v6 than they are in v4. My point is that it's a lot more work. And as someone who's facing this issue right now, I promise you...it's a lot more work. I'm not saying it's not worth the effort nor that it's unnecessary...but to imply that securing v6 is an easy step up from securing v4 is inaccurate.
It’s a little more work, but it doesn’t have to be a lot more work to achieve roughly the same security posture in IPv6 that you have in IPv4. It is, actually, a fairly easy step up in most cases. A little bit of a learning curve, but otherwise, most of the mitigation strategies are very similar and take about the same amount of effort. The difference comes from the fact that you’re facing all of the IPv6 stuff at once where you built the IPv4 mitigations over many years as vulnerabilities were discovered.
"Simply pretending that if you don't enable IPv6, you're somehow immune from IPv6 threats is naïve." No. If I turn off v6 in my kernel, I am absolutely immune from native v6 threats. I'm happy to be proven wrong if you can show me a case where this isn't so.
Is it so thoroughly turned off that a compromised host can’t modprobe it back on? If not, then absolutely immune is an interesting statement. Are you sure you have done that on every single host that has any ability whatsoever to get onto your network, including whatever laptop a vendor might bring into a wireless network or conference room? Whatever networks service technicians might plug their devices into? etc.? You can’t just not turn on IPv6… You have to actively turn it off on absolutely every single device everywhere in order to achieve what you claim.
Everything you've said is correct. But my point is simply that there *are* security considerations when deploying v6, and they're bigger than some rare and esoteric bug that's only exploitable when all the stars align. With v6, a simple misconfiguration can open up every single host directly to the outside. The same simply isn't true with NAT where you have to explicitly define inbound rules.
It is, actually… You don’t have to explicitly define inbound rules to open up all the hosts. True, the attacker doesn’t have quite the easy ability to target each host specifically, but there are lots of ways to attack hosts behind a NAT that happen to be kind enough to initiate outbound sessions. With many firewalls, there are even ways to exploit interesting artifacts of the way certain “savings” are implemented in the NAT table process that allow you to create sessions that don’t exactly match the outbound traffic. Owen
On Monday, March 24, 2014 02:41:00 AM Timothy Morizot wrote:
The original assertion was that there are unaddressed security weaknesses in IPv6 itself preventing its adoption. At least that's the way I read it. And that assertion is mostly FUD.
The risks have less to do with IPv6, and more to do with the fact that boxes that lived on RFC 1918 behind NAT44 "security gateways" may now, very possibly, be given a GUA address that now exposes them directly to the Interweb. Mark.
In message <CAN3um4wnMPW=BQ6ec_=NH-Ua50Nn3QL9T+NXdo-ADNzCJHKQYQ@mail.gmail.com> , Mike Hale writes:
"I wasn't aware that calling out FUD was derisive, but whatever." It's derisive because you completely dismiss a huge security issue that, given the state of IPv6 adoption, a great majority of companies are facing.
Calling it FUD is completely wrong because it *is* a legitimate security issue for most businesses. Sure, you've got the few who have been able to properly plan for and secure their networks against the increased attack surface of IPv6, but again...most companies haven't.
Slinging false proclamations of FUD is as harmful as FUD itself.
And there are security issues with IPv4 but no one is saying don't deploy IPv4 because there are security issues. There are security issues with just about everything. Most of them are rare and have mitigations. Saying there are security issues without enumerating them is FUD. There is a security issue with DHCP, there is no authentication of the server. For 99.99% of sites this is a non issue. For those where it is a issue there are mitigation strategies. This doesn't stop it being a security issue.
On Sun, Mar 23, 2014 at 4:49 PM, Timothy Morizot <tmorizot@gmail.com> wrote:
On Mar 23, 2014 6:21 PM, "Paul Ferguson" <fergdawgster@mykolab.com> wrote:
Says you.
And many others. My comments were actually reiterating what I commonly see presented today.
On the other hand, there are beaucoup enterprise networks unwilling to consider to moving to v6 until there are management, control, administrative, and security issues addressed.
Whereas there are other enterprise networks, including mine, who are actively deploying IPv6 and have been for a number of years now. So unless you can come up with something truly novel that we haven't already dealt with, I'll stick by my use of FUD.
You can continue to deride our issues, and make derisive comments until your heart's content, but it does not change reality.
I wasn't aware that calling out FUD was derisive, but whatever.
Cheers,
Scott
-- 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
On Mar 23, 2014, at 5:24 PM, Mike Hale <eyeronic.design@gmail.com> wrote:
"I wasn't aware that calling out FUD was derisive, but whatever." It's derisive because you completely dismiss a huge security issue that, given the state of IPv6 adoption, a great majority of companies are facing.
I would say that calling it FUD was fair game in this case. Ferg claimed it was a “new unrelated attack”. In reality, it’s pretty much the same attack as most ARP attacks that exist in IPv4 and there are well known mitigations just as in IPv4 with similar difficulties and tradeoffs in their deployment. Sure, having 18 quintillion host addresses on a subnet vs. <254 creates some differences in the scale at which some of these attacks can be carried out, but that’s more a matter of scale than a matter of radically different attack surface.
Calling it FUD is completely wrong because it *is* a legitimate security issue for most businesses. Sure, you've got the few who have been able to properly plan for and secure their networks against the increased attack surface of IPv6, but again...most companies haven’t.
It’s no more legitimate than the similar issues in IPv4. IPv6 doesn’t actually present a significantly increased attack surface, it presents a very similar attack surface. The shape is a little different in some of the details, but the overall size and shape is pretty similar to IPv4.
Slinging false proclamations of FUD is as harmful as FUD itself.
I wouldn’t say that either set of statements was 100% FUD or 100% non-FUD. I will say that vendors making hay out of IPv6 vulnerabilities as if they were novel or different from existing wide-spread IPv4 vulnerabilities in order to increase profits or reduce demands for IPv6 in their products is a fairly common practice that has been far more harmful than any IPv6 attack surface overall. Owen
On Sun, Mar 23, 2014 at 4:49 PM, Timothy Morizot <tmorizot@gmail.com> wrote:
On Mar 23, 2014 6:21 PM, "Paul Ferguson" <fergdawgster@mykolab.com> wrote:
Says you.
And many others. My comments were actually reiterating what I commonly see presented today.
On the other hand, there are beaucoup enterprise networks unwilling to consider to moving to v6 until there are management, control, administrative, and security issues addressed.
Whereas there are other enterprise networks, including mine, who are actively deploying IPv6 and have been for a number of years now. So unless you can come up with something truly novel that we haven't already dealt with, I'll stick by my use of FUD.
You can continue to deride our issues, and make derisive comments until your heart's content, but it does not change reality.
I wasn't aware that calling out FUD was derisive, but whatever.
Cheers,
Scott
-- 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
On Sun, 23 Mar 2014 16:21:50 -0700, Paul Ferguson said:
On the other hand, there are beaucoup enterprise networks unwilling to consider to moving to v6 until there are management, control, administrative, and security issues addressed.
The problem is that for many of those enterprises, the actual understanding of those issues even in the v4 arena is tenuous at best. You know - the same sort of beancounters and auditors with checklists that insist on NAT and won't allow a stateful firewall, or worry about ND attacks but don't check if you have anything in place to defeat ARP flooding....
On Mar 22, 2014, at 10:16 AM, Nick Hilliard <nick@foobar.org> wrote:
On 22/03/2014 16:29, Doug Barton wrote:
It is a mistake to believe that the only reason to add IPv6 to your network is size. Adding IPv6 to your network _now_ is the right decision because at some point in the not-too-distant future it will be the dominant network technology, and you don't want to get left behind.
not wanting to rain on anyone's parade, but people have been claiming this since the days of IPng. Granted, we're a couple of years after IANA runout and two RIRs are also in post-runout phase, but the level of pain associated with continued deployment of ipv4-only services is still nowhere near the point that ipv6 can be considered a viable alternative.
Nick
True. However, if you wait until that point to start deploying IPv6, you’re in for a LOT of pain during that protracted emergency transition phase you just volunteered for. OTOH, if you implement IPv6 in parallel to your IPv4 from this point forward, there’s very little additional pain and retrofitting your IPv4 can proceed at some pace until complete. After that, you can turn off IPv4 as soon as you don’t need it any more and enjoy the show while everyone else plays catchup. Owen
First, there may be those that do not require IPv6 due to size. So what is YOUR big plan to connect all those on IPv4 to the rest of the IPv6 world that has dropped IPv4 addresses.
We'll be offering v6 standard really soon. It's growth that got in the way both from employee bandwidth and overrunning the point where certain routers couldn't handle doing more than v4 anymore. Both have been sorted out and we're very close, only 1 obscure junos bug we're vetting the impact. Once it's repaired or worked around we'll be launching the public beta.
Second, as a DO customer, I am now beginning to understand the culture and ideology over IPv6 at DO. IPv6 has been asked about since at least 2012 with initial promises of 'Q3 2012 the 'Q4, now no one even wants to respond. With everyone else bringing native IPv6 on board, I see people starting to leave unless you change.
You'll be very surprised at how much care, effort and loss of sleep has gone into it.
Additional support on my feeling of DO and IPv6, is DO's stance of directly not even allowing IPv6 tunnels to HE, SiXXs, or any of the other providers by specifically teliing them not to allow connections from your IPv4 address space.
There is tens of thousands of active tunnels to us right now and I have no clue what your referring to here. If you have more information on someone not allowed to run a tunnel to us, please get that information to me asap. Some datacenters are directly peered to HE to get better tunnel performance and we are exactly the opposite of your statement. Bryan
Additional support on my feeling of DO and IPv6, is DO's stance of directly not even allowing IPv6 tunnels to HE, SiXXs, or any of the other providers by specifically teliing them not to allow connections from your IPv4 address space.
Say *what*? I've got HE tunnels into DO, purely because they won't get their finger out and offer native v6, but the rest of the service currently outweighs the hassle of tunneling. If this is going to get blocked, I'll be reversing the migration of my existing VPS services elsewhere *into* DO, and starting to look for yet-another provider :( I've already had a rather strange conversation with SIXXS where they swore seven ways from Sunday I couldn't have a tunnel because DO already offer native v6, despite sending them numerous official statements to the contrary, but trying to reason with SIXXS is always "interesting"... Regards, Tim.
In order for IPv6 to truly work, everyone needs to be moving towards IPv6. Maintaining dual protocols for the entire internet is problematic, wasteful, and horribly inefficient at best. Bottom line, the internet outgrew IPv4 almost 30 years ago and we’ve been using various hacks like NAT as a sort of IPv4 life-support ever since. Ask any doctor about the prospects for a patient on life support for years at a time and they will probably laugh at you. Patients rarely survive more than a few days on life support, let alone weeks, months, or even years. Yes, we’ve done really well with internet life support. So well that many have been lulled into a false sense of safety believing that these extreme measures can be continued indefinitely and scaled well beyond their breaking points. There is little visibility into the escalating cost and complexity of these measures and even less awareness of the relative ease of deploying IPv6 compared to most of these mechanisms. Owen On Mar 22, 2014, at 2:25 AM, Bryan Socha <bryan@digitalocean.com> wrote:
Fair point. There are some situations that do need more than most, but aren't they the ones that should be on ipv6 already???????
I know a few are shouldn't I be on ipv6 and that's fair too. I'm plqnnning some speaking engagements to cover that. Its not blind and ignoring. On Mar 22, 2014 4:36 AM, "TJ" <trejrco@gmail.com> wrote:
Millions of IPs don't matter in the face of X billions of people, and XX-XXX billions of devices - and this is just the near term estimate. (And don't forget utilization efficiency - Millions of IPs is not millions of customers served.)
Do IPv6. /TJ
On Mar 22, 2014 3:09 AM, "Bryan Socha" <bryan@digitalocean.com> wrote:
As someone growing in the end of ipv4, its all fake. Sure, the rirs
will
run out, but that's boring. Don't believe the fake auction sites. Fair price of IP at the end is $1 for bad Rep $2 for barely used, $3 for no spam and $4 for legacy. Stop the inflation. Millions of IPS exist, there is no shortage and don't lie for rirs with IPS left.
I agree with "one" thing herein....
In order for IPv6 to truly work, everyone needs to be moving towards IPv6.
Yep, chicken and the egg. I agree. We built an IPv6 "native" network - no tunneling - no customers to speak of ... didn't even bother to start IPv6 peering on it.
Maintaining dual protocols for the entire internet is problematic, wasteful, and horribly inefficient at best. Bottom line, the internet outgrew IPv4 almost 30 years ago and weve been using various hacks like NAT as a sort of IPv4 life-support ever since.
30 years - oh, come on now - maybe it outgrown on someone's EBITDA chart they handed an investor. At least a couple of decades of exaggeration in that number.
Ask any doctor about the prospects for a patient on life support for years at a time and they will probably laugh at you. Patients rarely survive more than a few days on life support, let alone weeks, months, or even years.
Yes, weve done really well with internet life support. So well that many have been lulled into a false sense of safety believing that these extreme measures can be continued indefinitely and scaled well beyond their breaking points.
There is little visibility into the escalating cost and complexity of these measures and even less awareness of the relative ease of deploying IPv6 compared to most of these mechanisms.
Sorry Owen - bad analogy - unlike a person, IPv4 won't die because it can't accommodate more - here's a reality analogy for you. In the Internet Casino, all the Internet black jack tables are full. All seats taken. The players don't want to play with the new blue chip IPv6 currency. So the house simply raises IPv4 green chip minimum limit for a seat. An there you have it, how much is someone willing to pay for space in the Internet casino. Well, it's much more than free and probably close to the dollar level in the presentation by Lee Howard at an ARIN meeting (I think it was in Barbados or maybe I have that meeting place wrong and it was NANOG) ... Well, $40/month per IP address will be the pain level for all customers to finally cash-in the IPv4 chips and move to IPv6. While the world is not capitalistic, the USA is. Just because it works in Sweden doesn't mean it's ready to work here (Health Care). So what percentage of web pages are my USA customers reading in foreign languages ? Gee, the world doesn't need more IPv4 space to make an english page available to reach a US customer. Not much when they move their language base of users to IPv6 they will find they have plenty of IPv4 space left over. And what percentage of my customer base needs to put up IPv6 web pages ? Not many most of the world can't afford our goods - so that leaves a small percentage of US sites that need IPv6 and probably already have begun that in place. Thus far, IPv6 has been the "Field of Dreams" .... those of us who have built it, we know they have not yet come (the IPv6 customers). That's all this discussion is really about is "when will they come". I know the core of the Internet will be IPv4 for many years. All one has to do is talk to a few customer to find out that they are in no hurry. It's a no-brainer, because , none of us charges a customer more than than lunch money for an IPv4 address. Now, if you tell me all the porn site owners were great net citizens, ready to move to IPv6 and shut off IPv4 access, well then I can see things moving along much faster. Bob Evans Founder/CTO Fiber Internet Center
Owen
On Mar 22, 2014, at 2:25 AM, Bryan Socha <bryan@digitalocean.com> wrote:
Fair point. There are some situations that do need more than most, but aren't they the ones that should be on ipv6 already???????
I know a few are shouldn't I be on ipv6 and that's fair too. I'm plqnnning some speaking engagements to cover that. Its not blind and ignoring. On Mar 22, 2014 4:36 AM, "TJ" <trejrco@gmail.com> wrote:
Millions of IPs don't matter in the face of X billions of people, and XX-XXX billions of devices - and this is just the near term estimate. (And don't forget utilization efficiency - Millions of IPs is not millions of customers served.)
Do IPv6. /TJ
On Mar 22, 2014 3:09 AM, "Bryan Socha" <bryan@digitalocean.com> wrote:
As someone growing in the end of ipv4, its all fake. Sure, the rirs
will
run out, but that's boring. Don't believe the fake auction sites. Fair price of IP at the end is $1 for bad Rep $2 for barely used, $3 for no spam and $4 for legacy. Stop the inflation. Millions of IPS exist, there is no shortage and don't lie for rirs with IPS left.
On Mon, Mar 24, 2014 at 9:12 PM, Bob Evans <bob@fiberinternetcenter.com>wrote:
Thus far, IPv6 has been the "Field of Dreams" .... those of us who have built it, we know they have not yet come (the IPv6 customers). That's all this discussion is really about is "when will they come".
I know the core of the Internet will be IPv4 for many years. All one has to do is talk to a few customer to find out that they are in no hurry. It's a no-brainer, because , none of us charges a customer more than than lunch money for an IPv4 address.
While I will agree that it has taken longer than some of us thought / expected I don't believe you can say no-one is coming. My home (Comcast) & my phone (T-Mo) get native IPv6, automatically, no extra charge - no special request - no special equipment. Our "4g" hotspots are all dual-stack. We recently got a new Verizon (landline) circuit for a job-site - came with a /48 automatically. The carriers drive this part of the boat - and some of them are doing so quite nicely (finally). Not all, but some of the biggest have done the most work == more eyeballs. The content side is doing better as well; again - not all, but the big ones are good wins. The customers, the normal people that is, don't know or care. We know that. On the "enterprise side" there is of course the cost & burden of dealing with the "legacy" network that still, largely, works as they expect. And in the govt it is even worse, despite some "mandates" to the contrary. But that too will shift over time - and needn't hold up anyone else's plans. And when people who do care have IPv6 at home/on their phone they will start to push that into said enterprises ... like I am doing :). /TJ
On 3/24/14 9:12 PM, "Bob Evans" <bob@FiberInternetCenter.com> wrote:
I agree with "one" thing herein....
In order for IPv6 to truly work, everyone needs to be moving towards IPv6.
Yep, chicken and the egg. I agree. We built an IPv6 "native" network - no tunneling - no customers to speak of ... didn't even bother to start IPv6 peering on it.
How would there be traffic if you have no peering?
An there you have it, how much is someone willing to pay for space in the Internet casino. Well, it's much more than free and probably close to the dollar level in the presentation by Lee Howard at an ARIN meeting (I think it was in Barbados or maybe I have that meeting place wrong and it was NANOG) ... Well, $40/month per IP address will be the pain level for all customers to finally cash-in the IPv4 chips and move to IPv6.
I wish it was Barbados! NANOG56. http://www.nanog.org/meetings/nanog56/presentations/Wednesday/wed.general.h oward.24.wmv
Thus far, IPv6 has been the "Field of Dreams" .... those of us who have built it, we know they have not yet come (the IPv6 customers). That's all this discussion is really about is "when will they come".
Some of us have quite a few IPv6 customers: http://www.worldipv6launch.org/measurements/ And we see significant traffic from those users. :-)
I know the core of the Internet will be IPv4 for many years. All one has to do is talk to a few customer to find out that they are in no hurry. It's a no-brainer, because , none of us charges a customer more than than lunch money for an IPv4 address.
Depends on what you mean by "core." For some values of "core," the Internet is already dual-stack.
Now, if you tell me all the porn site owners were great net citizens, ready to move to IPv6 and shut off IPv4 access, well then I can see things moving along much faster.
Feel free to offer them a discount for dual-stack, and a deeper discount for IPv6-only. Unfortunately, I don't know any porn site operators, so I haven't been able to have conversations with them about the economics of IPv6. Lee
Bob Evans CTO
On 3/24/14 9:12 PM, "Bob Evans" <bob@FiberInternetCenter.com> wrote:
I agree with "one" thing herein....
In order for IPv6 to truly work, everyone needs to be moving towards IPv6.
Yep, chicken and the egg. I agree. We built an IPv6 "native" network - no tunneling - no customers to speak of ... didn't even bother to start IPv6 peering on it.
How would there be traffic if you have no peering?
4 IPv6 transits and a handful of customers. Today, we only provide fiber service to businesses. Tiny traffic - no IPv6 peering at IX locations.
An there you have it, how much is someone willing to pay for space in the Internet casino. Well, it's much more than free and probably close to the dollar level in the presentation by Lee Howard at an ARIN meeting (I think it was in Barbados or maybe I have that meeting place wrong and it was NANOG) ... Well, $40/month per IP address will be the pain level for all customers to finally cash-in the IPv4 chips and move to IPv6.
I wish it was Barbados! NANOG56. http://www.nanog.org/meetings/nanog56/presentations/Wednesday/wed.general.h oward.24.wmv
Thanks Lee, I was hunting for that link.
Thus far, IPv6 has been the "Field of Dreams" .... those of us who have built it, we know they have not yet come (the IPv6 customers). That's all this discussion is really about is "when will they come".
Some of us have quite a few IPv6 customers: http://www.worldipv6launch.org/measurements/ And we see significant traffic from those users. :-)
Maybe my isolation in silicon valley causes me to have a different IPv6 experience. Not much IPv6 happening here. I heard Google my have topped over 2% traffic that is IPv6. Significant ? Not from where I am sitting.
I know the core of the Internet will be IPv4 for many years. All one has to do is talk to a few customer to find out that they are in no hurry. It's a no-brainer, because , none of us charges a customer more than than lunch money for an IPv4 address.
Depends on what you mean by "core." For some values of "core," the Internet is already dual-stack.
Now, if you tell me all the porn site owners were great net citizens, ready to move to IPv6 and shut off IPv4 access, well then I can see things moving along much faster.
Feel free to offer them a discount for dual-stack, and a deeper discount for IPv6-only. Unfortunately, I don't know any porn site operators, so I haven't been able to have conversations with them about the economics of IPv6.
We give away the IPv6 to every business on a second port - to make their life easy and encourage them to play with it. Unfortunately, few try it at all. Bob
Lee
Thus far, IPv6 has been the "Field of Dreams" .... those of us who have built it, we know they have not yet come (the IPv6 customers). That's all this discussion is really about is "when will they come".
Some of us have quite a few IPv6 customers: http://www.worldipv6launch.org/measurements/ And we see significant traffic from those users. :-)
Maybe my isolation in silicon valley causes me to have a different IPv6 experience. Not much IPv6 happening here. I heard Google my have topped over 2% traffic that is IPv6. Significant ? Not from where I am sitting.
There’s actually lots of IPv6 happening in Silicon Valley. I’ve been running IPv6 for years and so has my employer. Your Google data is old… They’re well over 4% and it’s been doubling about every 3-6 months, so I’d expect to see upwards of 16% by the end of the year, but remember, that’s traffic that chose IPv6 based on happy eyeballs and doesn’t represent all traffic that could have gone IPv6 or even all traffic that would have gone best over IPv6. If Micr0$0ft would publish the stats of native vs. teredo from the xbox one, I bet we’d have a better idea of what percentage of folks are running IPv6 for real. I think it’s a lot more than you seem to believe. Of the major consumer providers in the area, AT&T and SPRINT Wireless are the only ones I’m aware of that are completely unable to do IPv6. Even some of the smaller residential providers are now doing some IPv6 and I hear rumors that some AT&T DSL and uVerse customers can now get IPv6.
We give away the IPv6 to every business on a second port - to make their life easy and encourage them to play with it. Unfortunately, few try it at all.
We make IPv6 available to all of our customers on the same port which seems to make their life even easier and many of our customers are using it. Perhaps this is food for thought. Owen
On Tue, 25 Mar 2014 09:55:21 -0400, Lee Howard said:
Some of us have quite a few IPv6 customers: http://www.worldipv6launch.org/measurements/ And we see significant traffic from those users. :-)
I'm actually glad to see that we're no longer on the first page of that list. ;)
Oh btw, how many ipv4s are you hording with zero justification to keep them? I was unpopular during apricot for not liking the idea of no liability leasing of v4. I don't like this artificial v4 situation every eyeball network created. Why is v4 a commodity and asset? Where is the audits. I can justify my 6 /14s, can you still? On Mar 22, 2014 4:36 AM, "TJ" <trejrco@gmail.com> wrote:
Millions of IPs don't matter in the face of X billions of people, and XX-XXX billions of devices - and this is just the near term estimate. (And don't forget utilization efficiency - Millions of IPs is not millions of customers served.)
Do IPv6. /TJ
On Mar 22, 2014 3:09 AM, "Bryan Socha" <bryan@digitalocean.com> wrote:
As someone growing in the end of ipv4, its all fake. Sure, the rirs
will
run out, but that's boring. Don't believe the fake auction sites. Fair price of IP at the end is $1 for bad Rep $2 for barely used, $3 for no spam and $4 for legacy. Stop the inflation. Millions of IPS exist, there is no shortage and don't lie for rirs with IPS left.
On Mar 22, 2014 2:32 AM, "Bryan Socha" <bryan@digitalocean.com> wrote:
Oh btw, how many ipv4s are you hording with zero justification to keep them? I was unpopular during apricot for not liking the idea of no liability leasing of v4. I don't like this artificial v4 situation every eyeball network created. Why is v4 a commodity and asset? Where is the audits. I can justify my 6 /14s, can you still?
You seem to be missing something, it is called Metcalfe's Law, google it. There is no long-term solution for you using ipv4 and me using ipv6. To derive value from the internet, we all need to be on one technology that supports end to end communication for us all. CB
On Mar 22, 2014 4:36 AM, "TJ" <trejrco@gmail.com> wrote:
Millions of IPs don't matter in the face of X billions of people, and XX-XXX billions of devices - and this is just the near term estimate. (And don't forget utilization efficiency - Millions of IPs is not millions of customers served.)
Do IPv6. /TJ
On Mar 22, 2014 3:09 AM, "Bryan Socha" <bryan@digitalocean.com> wrote:
As someone growing in the end of ipv4, its all fake. Sure, the rirs
will
run out, but that's boring. Don't believe the fake auction sites. Fair price of IP at the end is $1 for bad Rep $2 for barely used, $3 for no spam and $4 for legacy. Stop the inflation. Millions of IPS exist, there is no shortage and don't lie for rirs with IPS left.
On Sat, Mar 22, 2014 at 11:30 AM, Bryan Socha <bryan@digitalocean.com> wrote:
Oh btw, how many ipv4s are you hording with zero justification to keep them? I was unpopular during apricot for not liking the idea of no liability leasing of v4. I don't like this artificial v4 situation every eyeball network created. Why is v4 a commodity and asset? Where is the audits. I can justify my 6 /14s, can you still?
Oh I so agree with this one. But alas yes, IPv4's days are counted and I doubt there's any turning back. As a NA myself, I see day on day where smaller ISPs are forced to dish out large network blocks (/16s) to be able to have access to large unefficiently planned broadband networks in order to service PPPoE terminations (at least, here in ZA). These ISPs are forced to 'hand out' /16 networks for the large telco's to distribute to their respective BRAS devices.... Meanwhile, the ISP does not even have 20K customers - nevermind the fact that more than likely 50% of that customer base is not even 'always' connected... It's due to waisting like this, that the shortage is there and that other players with legitimate requirements (such as going provider independant) cannot obtain address space. And it is continueing to this very day. I'm definately all for proper audits, stricter audits, and more importantly the releasing of unused address space back to the respective registries. -- Regards, Chris Knipe
On Sat, 22 Mar 2014, Bryan Socha wrote:
Oh btw, how many ipv4s are you hording with zero justification to keep them? I was unpopular during apricot for not liking the idea of no liability leasing of v4. I don't like this artificial v4 situation every eyeball network created. Why is v4 a commodity and asset? Where is the audits. I can justify my 6 /14s, can you still?
That ship sailed a long time time ago. Can some IPv4 space be recovered by 'auditing' consumers of IPv4? Possibly. Does the amount of space that would be recovered justify the effort (economic, administrative, legal, technical)? No. IPv6 is the way to go. All of these 'Hail Mary' options for 'saving' IPv4 really are pointless. Don't forget that IPv4, in the form we know it, was never intended to go into production. It's a lab experiment that grew legs and got out of its cage. jms
On Mar 22, 2014 4:36 AM, "TJ" <trejrco@gmail.com> wrote:
Millions of IPs don't matter in the face of X billions of people, and XX-XXX billions of devices - and this is just the near term estimate. (And don't forget utilization efficiency - Millions of IPs is not millions of customers served.)
Do IPv6. /TJ
On Mar 22, 2014 3:09 AM, "Bryan Socha" <bryan@digitalocean.com> wrote:
As someone growing in the end of ipv4, its all fake. Sure, the rirs
will
run out, but that's boring. Don't believe the fake auction sites. Fair price of IP at the end is $1 for bad Rep $2 for barely used, $3 for no spam and $4 for legacy. Stop the inflation. Millions of IPS exist, there is no shortage and don't lie for rirs with IPS left.
On Sat, Mar 22, 2014 at 10:33 AM, Justin M. Streiner <streiner@cluebyfour.org> wrote:
All of these 'Hail Mary' options for 'saving' IPv4 really are pointless.
Hi Justin, IPv4 is like the U.S. Penny. It'll be useless long before it goes away. And right now it's far from useless. Regards, Bill Herrin -- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
On Sat, 22 Mar 2014, William Herrin wrote:
On Sat, Mar 22, 2014 at 10:33 AM, Justin M. Streiner <streiner@cluebyfour.org> wrote:
All of these 'Hail Mary' options for 'saving' IPv4 really are pointless.
IPv4 is like the U.S. Penny. It'll be useless long before it goes away. And right now it's far from useless.
Bill: Interesting analogy, but it misses the larger point. The larger point is that the ongoing effort to squeeze more mileage out of IPv4 will soon [1] outweigh the mileage we (collectively) get out of it. IMHO, that effort is better invested in preparing for and deplying IPv6. Things like LSN/CGN are stop-gaps that result in performance problems for people behind them, and aren't terribly useful for people who need to run inbound services. Shaking down entities (to the extent that they can be shaken down) that have chunks of IPv4 they're not currently using doesn't change the end-game for IPv4. I'm not saying that there aren't challenges to deploying IPv6. There are. Like many of the people on this list, I run a network, and I'm familiar with many of those challenges. If a network makes a conscious decision *not* to deploy IPv6, that is certainly their choice, and they will have to live with the consequences and will have to justify that decision to their customers. [1] - For varying values of "soon". jms
On Saturday, March 22, 2014 05:54:06 PM Justin M. Streiner wrote:
Interesting analogy, but it misses the larger point. The larger point is that the ongoing effort to squeeze more mileage out of IPv4 will soon [1] outweigh the mileage we (collectively) get out of it. IMHO, that effort is better invested in preparing for and deplying IPv6. Things like LSN/CGN are stop-gaps that result in performance problems for people behind them, and aren't terribly useful for people who need to run inbound services. Shaking down entities (to the extent that they can be shaken down) that have chunks of IPv4 they're not currently using doesn't change the end-game for IPv4.
And to keep into perspective, the fact that a good portion of the registry community have run out of IPv4 space to allocate. A number of existing and new ISP's are going to find that getting IPv6 going is probably a better solution than keeping IPv4 alive (many will learn this the hard way). Heck, it won't surprise me if some popular OTT and social networking providers "force" the IPv6 issue since democracy isn't often the best way to get something like this done. In such a case, where you are still pushing the case for IPv4, how do you envisage things will look on your side when everybody else you want to talk to is either on IPv6, or frantically getting it turned up? Do you reckon anyone will have time to help you troubleshoot patchy (for example) IPv4 connectivity when all the focus is on IPv6? AFRINIC still have lots of IPv4 space. I'm not sure that gives operators in that region any advantage over anyone else, if the rest of the world is active on IPv6, i.e., while it may be easier to justify a /8 of IPv4 and get it from a registry that still has space, you're likely doing yourself a disservice in taking this route (and spending all the time and energy numbering out of that /8), because that /8 won't be very helpful if the most of the rest of the Internet is letting IPv4 go. Mark.
In such a case, where you are still pushing the case for IPv4, how do you envisage things will look on your side when everybody else you want to talk to is either on IPv6, or frantically getting it turned up? Do you reckon anyone will have time to help you troubleshoot patchy (for example) IPv4 connectivity when all the focus is on IPv6?
I've put that concern on my calendar for sometime around 2025. People have been saying switch to IPv6 now Now NOW for about a decade, and you can only cry wolf so many times. My servers do IPv6 through a tunnel from HE (thanks!) where the performance is only somewhat worse than the native v4, and my home cable has v6 that mostly works, but the key term there is mostly. (The ISP had a fairly bad internal routing bug which apparently nobody noticed until I tracked down why my v6 connectivity was flaky, and I happened to know some senior people at the ISP who could understand what I was telling them about their internal routers.) We've just barely started to move from the era of free IPv4 to the one where you have to buy it, and from everyhing I see, there is vast amounts of space that will be available once people realize they can get real money for it. The prices cited a couple of messages back seem to be in the ballpark. It will be a long time before the price of v4 rises high enough to make it worth the risk of going v6 only. R's, John
On Saturday, March 22, 2014 09:57:04 PM John Levine wrote:
We've just barely started to move from the era of free IPv4 to the one where you have to buy it, and from everyhing I see, there is vast amounts of space that will be available once people realize they can get real money for it. The prices cited a couple of messages back seem to be in the ballpark. It will be a long time before the price of v4 rises high enough to make it worth the risk of going v6 only.
New ISP's are born everyday. Some of them will be able to have a "Buy an ISP that has IPv4" or "Buy IPv4 space from known brokers" line item in their budget as part of their launch plans. Most won't. Mark.
It will be a long time before the price of v4 rises high enough to make it worth the risk of going v6 only.
New ISP's are born everyday.
Some of them will be able to have a "Buy an ISP that has IPv4" or "Buy IPv4 space from known brokers" line item in their budget as part of their launch plans.
Most won't.
In Africa, I suppose, but here in North America, the few remaining ISPs that aren't part of giant cable or phone companies are hanging on by their teeth. Also, although it is fashionable to say how awful CGN is, the users don't seem to mind it at all. R's, John
On Sunday, March 23, 2014 07:10:37 AM John Levine wrote:
In Africa, I suppose, but here in North America, the few remaining ISPs that aren't part of giant cable or phone companies are hanging on by their teeth.
Incidentally, this doesn't apply to Africa today, because AFRINIC still have lots of IPv4 space to feed any new entrant to their heart's content. I have mates in Asia-Pac, North America and Europe that will be the ones sweating if they are a new start-up. A friend recently started a mobile operation in Malaysia two years ago. You can imagine the problem they are having rolling out and scaling their 3G/3G data service. And if AFRINIC do run out of their IPv4 space, I can almost guarantee you that any new start-ups in Africa will NOT be able to have "IPv4 acquisition" line items in their budget.
Also, although it is fashionable to say how awful CGN is, the users don't seem to mind it at all.
Users won't complain until the CGN starts to do bad things to their traffic, like run out of Layer 4 ports per IP address due to increasing connectedness of applications, add delay to applications getting network, CGN failure, traffic tromboning e.t.c. Operators of CGN's will cry at some point. It's different for different operators, as some are happy throwing millions of CGN $$ at the problem. Mark.
In message <20140323051037.94159.qmail@joyce.lan>, "John Levine" writes:
It will be a long time before the price of v4 rises high enough to make it worth the risk of going v6 only.
New ISP's are born everyday.
Some of them will be able to have a "Buy an ISP that has IPv4" or "Buy IPv4 space from known brokers" line item in their budget as part of their launch plans.
Most won't.
In Africa, I suppose, but here in North America, the few remaining ISPs that aren't part of giant cable or phone companies are hanging on by their teeth.
Also, although it is fashionable to say how awful CGN is, the users don't seem to mind it at all.
Basically because none of them have ever been on the Internet proper where they can connect to their home machines from wherever they are in the world directly. If you don't know what it should be like you don't complain when you are not getting it. ISP's have done a good job of brain washing their customers into thinking that they shouldn't be able to run services from home. That all their machines shouldn't have a globally unique address that is theoritically reachable from everywhere. That NAT is normal and desiriable. I was at work last week and because I have IPv6 at both ends I could just log into the machines at home as easily as if I was there. When I'm stuck using a IPv4 only service on the road I have to jump through lots of hoops to reach the internal machines. Mark
R's, John
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
On Sunday, March 23, 2014 06:57:26 PM Mark Andrews wrote:
ISP's have done a good job of brain washing their customers into thinking that they shouldn't be able to run services from home. That all their machines shouldn't have a globally unique address that is theoritically reachable from everywhere. That NAT is normal and desiriable.
I was at work last week and because I have IPv6 at both ends I could just log into the machines at home as easily as if I was there. When I'm stuck using a IPv4 only service on the road I have to jump through lots of hoops to reach the internal machines.
I expect this to change little in the enterprise space. I think use of ULA and NAT66 will be one of the things enterprises will push for, because how can a printer have a public IPv6 address that is reachable directly from the Internet, despite the fact that there is a properly configured firewall at the perimetre offering half-decent protection? Mark.
On Mar 23, 2014 1:11 PM, "Mark Tinka" <mark.tinka@seacom.mu> wrote:
On Sunday, March 23, 2014 06:57:26 PM Mark Andrews wrote:
I was at work last week and because I have IPv6 at both ends I could just log into the machines at home as easily as if I was there. When I'm stuck using a IPv4 only service on the road I have to jump through lots of hoops to reach the internal machines.
I expect this to change little in the enterprise space. I think use of ULA and NAT66 will be one of the things enterprises will push for, because how can a printer have a public IPv6 address that is reachable directly from the Internet, despite the fact that there is a properly configured firewall at the perimetre offering half-decent protection?
That is what a firewall is for. Drop new inbound connections, allow related, and allow outbound. Then you allow specific IP/ports to have inbound traffic. You may also only allow outbound traffic for specific ports, or from your proxy.
On Sunday, March 23, 2014 08:27:57 PM Philip Dorr wrote:
That is what a firewall is for. Drop new inbound connections, allow related, and allow outbound. Then you allow specific IP/ports to have inbound traffic. You may also only allow outbound traffic for specific ports, or from your proxy.
How many enterprise installations do you know that favour firewall use for NAT rather than actual firewalling? Mark.
On Sun, Mar 23, 2014 at 11:27 AM, Philip Dorr <tagno25@gmail.com> wrote:
On Mar 23, 2014 1:11 PM, "Mark Tinka" <mark.tinka@seacom.mu> wrote:
On Sunday, March 23, 2014 06:57:26 PM Mark Andrews wrote:
I was at work last week and because I have IPv6 at both ends I could just log into the machines at home as easily as if I was there. When I'm stuck using a IPv4 only service on the road I have to jump through lots of hoops to reach the internal machines.
I expect this to change little in the enterprise space. I think use of ULA and NAT66 will be one of the things enterprises will push for, because how can a printer have a public IPv6 address that is reachable directly from the Internet, despite the fact that there is a properly configured firewall at the perimetre offering half-decent protection?
That is what a firewall is for. Drop new inbound connections, allow related, and allow outbound. Then you allow specific IP/ports to have inbound traffic. You may also only allow outbound traffic for specific ports, or from your proxy.
i would say the more appropriate place for this policy is the printer, not a firewall. For example, maybe a printer should only be ULA or LLA by default. i would hate for people to think that a middle box is required, when the best place to provide security is in the host. Other layers are needed as required, but it is sad that we don't look to the host it self as a first step. CB
On Sunday, March 23, 2014 09:05:54 PM Cb B wrote:
i would say the more appropriate place for this policy is the printer, not a firewall. For example, maybe a printer should only be ULA or LLA by default.
i would hate for people to think that a middle box is required, when the best place to provide security is in the host. Other layers are needed as required, but it is sad that we don't look to the host it self as a first step.
I would support adding security at the host-level, especially because with a centralized firewall, internal infrastructure is usually left wide open to internal staff, with trust being the rope we all hang on to to keep things running. However, if pratical running of the Internet has taught us anything, host-based firewalling (especially in purpose- specific devices like printers, Tv sets, IP phones, IP cameras, e.t.c.) is a long way away from what you can get with a centralized firewall appliance. Do I like it? No. I run a simple packet filter (IPfw) on my MacBook - it does what I need. But we know Joe and Jane won't want things they can't click; and even though they had things they could click, they don't want to have to understand all these geeky things about their computers. Mark.
On Sun, Mar 23, 2014 at 12:13 PM, Mark Tinka <mark.tinka@seacom.mu> wrote:
On Sunday, March 23, 2014 09:05:54 PM Cb B wrote:
i would say the more appropriate place for this policy is the printer, not a firewall. For example, maybe a printer should only be ULA or LLA by default.
i would hate for people to think that a middle box is required, when the best place to provide security is in the host. Other layers are needed as required, but it is sad that we don't look to the host it self as a first step.
I would support adding security at the host-level, especially because with a centralized firewall, internal infrastructure is usually left wide open to internal staff, with trust being the rope we all hang on to to keep things running.
However, if pratical running of the Internet has taught us anything, host-based firewalling (especially in purpose- specific devices like printers, Tv sets, IP phones, IP cameras, e.t.c.) is a long way away from what you can get with a centralized firewall appliance.
Do I like it? No. I run a simple packet filter (IPfw) on my MacBook - it does what I need. But we know Joe and Jane won't want things they can't click; and even though they had things they could click, they don't want to have to understand all these geeky things about their computers.
Mark.
Mark, i think we are largely on the same page. I believe that "home firewalls" in the residential broadband space are likely the most insecure part of the entire internet. They are very rarely updated with software and frequently ship with terrible terrible bugs, much worse than what we have seen in Windows for the last 10 years. For example, http://tools.cisco.com/security/center/mcontent/CiscoSecurityAdvisory/cisco-... Why try to hack all the devices in your home when the hackers can simply crack your CPE / firewall / router and own all your traffic, reset your DNS server to a malware box, ..... I am sure this community knows there are many many more problems just like this one in CPE. I don't see a lot of accountability or change in this space, yet people believe these firewalls help. My hope is that folks stop equating firewalls with security, when the first step is to secure the host, accountability is with the host, then layer other tools as needed. CB
On Sunday, March 23, 2014 09:24:35 PM Cb B wrote:
My hope is that folks stop equating firewalls with security, when the first step is to secure the host, accountability is with the host, then layer other tools as needed.
I couldn't agree more. As an example, your home PC (whose OS wasn't updated in months because the wife and kids can't be asked) is hit via HTTP in a way your CPE firewall couldn't prevent. It is then used to re-attack other appliances in your home that have poor software with no security features. CPE firewalls won't do anything about that. I support vendors of all kinds (Tv's, microwaves, STB's, home theatre systems, video game consoles, e.t.c.) to include some kind of localized security features that augment what a CPE firewall can offer. This will be even more critical, I think, to getting homes and offices to accept the use of GUA's on the LAN, if we have any hopes of finally getting rid of NAT with IPv6, at the scale we have it in IPv4. Mark.
Hi all, Le 23/03/2014 20:13, Mark Tinka a écrit :
On Sunday, March 23, 2014 09:05:54 PM Cb B wrote:
i would say the more appropriate place for this policy is the printer, not a firewall. For example, maybe a printer should only be ULA or LLA by default.
I would support adding security at the host-level, especially because with a centralized firewall, internal infrastructure is usually left wide open to internal staff, with trust being the rope we all hang on to to keep things running.
When speaking of IPv6 deployment, I routinely hear about host security. I feel like it should be stated that this is *in no way* an IPv6 issue. May the device be ULA, LLA, GUA or RFC1918-addressed, the device is at risk anyway. If this is the only argument for delaying IPv6 deployment, this sounds more like FUD to me ;-) Denis
On Sunday, March 23, 2014 09:35:31 PM Denis Fondras wrote:
When speaking of IPv6 deployment, I routinely hear about host security. I feel like it should be stated that this is *in no way* an IPv6 issue. May the device be ULA, LLA, GUA or RFC1918-addressed, the device is at risk anyway.
If this is the only argument for delaying IPv6 deployment, this sounds more like FUD to me ;-)
I guess it's no surprise that host security is not an IPv4 or IPv6 issue. It's just that with IPv4, the majority of unclean and unupdated hosts have been living behind NAT44. In an ideal IPv6 world, all hosts have GUA's, and in this case, host security becomes a bigger problem, because now the host is directly accessible without a NAT66 in between (we hope). Mark.
On Mon, 2014-03-24 at 08:38 +0200, Mark Tinka wrote:
In an ideal IPv6 world, all hosts have GUA's, and in this case, host security becomes a bigger problem, because now the host is directly accessible without a NAT66 in between (we hope).
The mantras from my training courses: Addressable is not the same as accessible; routable is not the same as routed. Just because you give every host a globally routable address doesn't mean you have to route them. Just because you route them doesn't mean you have to forward all traffic to or from them. Regards, K. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer@biplane.com.au) http://www.biplane.com.au/kauer http://twitter.com/kauer389 GPG fingerprint: EC67 61E2 C2F6 EB55 884B E129 072B 0AF0 72AA 9882 Old fingerprint: B862 FB15 FE96 4961 BC62 1A40 6239 1208 9865 5F9A
On Monday, March 24, 2014 09:00:46 AM Karl Auer wrote:
The mantras from my training courses: Addressable is not the same as accessible; routable is not the same as routed.
Just because you give every host a globally routable address doesn't mean you have to route them. Just because you route them doesn't mean you have to forward all traffic to or from them.
Agree, but also practically, there is a higher likelihood that a good majority of deployments (enterprise, home of wholesale backbones) will be reasonably more accessible over time, not less. You know the new mantras of this day - any computing or communications device is only as good as its connectivity. Mark.
On Mon, Mar 24, 2014 at 3:00 AM, Karl Auer <kauer@biplane.com.au> wrote:
Addressable is not the same as accessible; routable is not the same as routed.
Indeed. However, all successful security is about _defense in depth_. If it is inaccessible, unrouted, unroutable and unaddressable then you have four layers of security. If it is merely inaccessible and unrouted you have two. Regards, Bill Herrin -- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
On Mon, Mar 24, 2014 at 3:00 AM, Karl Auer <kauer@biplane.com.au> wrote:
Addressable is not the same as accessible; routable is not the same as routed.
Indeed. However, all successful security is about _defense in depth_. If it is inaccessible, unrouted, unroutable and unaddressable then you have four layers of security. If it is merely inaccessible and unrouted you have two.
Yet there is significant value to providing uniqueness in address space, a property that is incredibly useful. The proponents of this sort of "in depth" "defense" typically view NAT as a way to protect their networks, which it does, in some limited sense, from being addressable from the outside world. The problem is that it has broken one of the key design principles in IPv4, and so we've had to suffer for years under broken NAT regimes and workarounds and other folly. This is overall a bad thing for the Internet, and for the development of future protocols and applications. Time to give up two layers of meaningless security for the riches offered by the vastness of the new address space. If this job were easy, anyone could do it. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
On Mon, Mar 24, 2014 at 8:31 AM, Joe Greco <jgreco@ns.sol.net> wrote:
all successful security is about _defense in depth_. If it is inaccessible, unrouted, unroutable and unaddressable then you have four layers of security. If it is merely inaccessible and unrouted you have two.
Time to give up two layers of meaningless security for the riches offered by the vastness of the new address space.
Hi Joe, You'd expect folks to give up two layers of security at exactly the same time as they're absorbing a new network protocol with which they're yet unskilled? Does that make sense to you from a risk-management standpoint? -Bill -- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
On Mon, Mar 24, 2014 at 8:31 AM, Joe Greco <jgreco@ns.sol.net> wrote:
all successful security is about _defense in depth_. If it is inaccessible, unrouted, unroutable and unaddressable then you have four layers of security. If it is merely inaccessible and unrouted you have two.
Time to give up two layers of meaningless security for the riches offered by the vastness of the new address space.
Hi Joe,
You'd expect folks to give up two layers of security at exactly the same time as they're absorbing a new network protocol with which they're yet unskilled? Does that make sense to you from a risk-management standpoint?
Actually, yes, it does. Using the product as intended is substantially less risky than trying to figure out how to use some sort of proxy or gateway functionality to emulate NAT, and then screwing that up. If you're afraid that you're insufficiently competent, help for hire is available, as are two levels of firewalling, which isn't really a bad idea anyways. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
On Mon, 24 Mar 2014 13:13:43 -0400, William Herrin said:
You'd expect folks to give up two layers of security at exactly the same time as they're absorbing a new network protocol with which they're yet unskilled? Does that make sense to you from a risk-management standpoint?
The problem is that the two layers of "security" that they're "giving up" are made from the same fabric as the Emperor's new clothes....
On 3/24/14 10:37 AM, Valdis.Kletnieks@vt.edu wrote:
On Mon, 24 Mar 2014 13:13:43 -0400, William Herrin said:
You'd expect folks to give up two layers of security at exactly the same time as they're absorbing a new network protocol with which they're yet unskilled? Does that make sense to you from a risk-management standpoint? The problem is that the two layers of "security" that they're "giving up" are made from the same fabric as the Emperor's new clothes.... Made of neutrinos for which nobody is exactly sure have mass.
Mike
On Mon, Mar 24, 2014 at 1:37 PM, <Valdis.Kletnieks@vt.edu> wrote:
On Mon, 24 Mar 2014 13:13:43 -0400, William Herrin said:
You'd expect folks to give up two layers of security at exactly the same time as they're absorbing a new network protocol with which they're yet unskilled? Does that make sense to you from a risk-management standpoint?
The problem is that the two layers of "security" that they're "giving up" are made from the same fabric as the Emperor's new clothes....
Howdy, In an environment of increasing breaches despite massive attention and expenditure on cyber security, you'll find that giving up any layer of security is a very hard sell. You'll find convincing folks to deploy new technologies which demand that they give up a layer of security an even harder sell. And of course everybody likes to be told that they're an idiot by someone whose explanation of the error in their reasoning consists of restating the claim of error in the form of a metaphor. But don't let me dissuade you from trying. Regards, Bill Herrin -- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
Yes, that is exactly what IPv6 expects of us. The only surprising part is by all indications the IPv6 designers did not think this would be a problem. -----Original Message----- From: William Herrin [mailto:bill@herrin.us] Sent: Monday, March 24, 2014 1:14 PM To: Joe Greco Cc: nanog@nanog.org Subject: Re: misunderstanding scale On Mon, Mar 24, 2014 at 8:31 AM, Joe Greco <jgreco@ns.sol.net> wrote:
all successful security is about _defense in depth_. If it is inaccessible, unrouted, unroutable and unaddressable then you have four layers of security. If it is merely inaccessible and unrouted you have two.
Time to give up two layers of meaningless security for the riches offered by the vastness of the new address space.
Hi Joe, You'd expect folks to give up two layers of security at exactly the same time as they're absorbing a new network protocol with which they're yet unskilled? Does that make sense to you from a risk-management standpoint? -Bill -- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
On 03/24/2014 09:20 AM, William Herrin wrote:
On Mon, Mar 24, 2014 at 3:00 AM, Karl Auer <kauer@biplane.com.au> wrote:
Addressable is not the same as accessible; routable is not the same as routed. Indeed. However, all successful security is about _defense in depth_. If it is inaccessible, unrouted, unroutable and unaddressable then you have four layers of security. If it is merely inaccessible and unrouted you have two.
A distinction without a difference, IMHO. Either I can send you an incoming SYN or I can't. The real battle here, IMHO, is to get the next gen CPE vendors to do the right thing. NANOG folks ought to be keeping tabs on the Homenet working group and then DEMAND that any CPE support its security, etc, baselines. Mike
On Mon, Mar 24, 2014 at 12:28 PM, Michael Thomas <mike@mtcc.com> wrote:
On 03/24/2014 09:20 AM, William Herrin wrote:
On Mon, Mar 24, 2014 at 3:00 AM, Karl Auer <kauer@biplane.com.au> wrote:
Addressable is not the same as accessible; routable is not the same as routed.
Indeed. However, all successful security is about _defense in depth_. If it is inaccessible, unrouted, unroutable and unaddressable then you have four layers of security. If it is merely inaccessible and unrouted you have two.
A distinction without a difference, IMHO. Either I can send you an incoming SYN or I can't.
Hi Mike, You can either press the big red button and fire the nukes or you can't, so what difference how many layers of security are involved with the "Football?" I say this with the utmost respect, but you must understand the principle of defense in depth in order to make competent security decisions for your organization. Smart people disagree on the details but the principle is not only iron clad, it applies to all forms of security, not just IP network security. Regards, Bill Herrin -- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
Hi Mike,
You can either press the big red button and fire the nukes or you can't, so what difference how many layers of security are involved with the "Football?"
I say this with the utmost respect, but you must understand the principle of defense in depth in order to make competent security decisions for your organization. Smart people disagree on the details but the principle is not only iron clad, it applies to all forms of security, not just IP network security.
The problem here is that what's actually going on is that you're now enshrining as a "security" device a hacky, ill-conceived workaround for a lack of flexibility/space/etc in IPv4. NAT was not designed to act as a security feature. If you want more layers of security, put a second firewall into your design. Don't perpetuate horrid IPv4 hacks that were necessary for specific reasons into IPv6 where those hacks are no longer needed. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
On Mon, Mar 24, 2014 at 9:25 AM, Joe Greco <jgreco@ns.sol.net> wrote:
I say this with the utmost respect, but you must understand the principle of defense in depth in order to make competent security decisions for your organization. Smart people disagree on the details but the principle is not only iron clad, it applies to all forms of security, not just IP network security.
The problem here is that what's actually going on is that you're now enshrining as a "security" device a hacky, ill-conceived workaround for a lack of flexibility/space/etc in IPv4. NAT was not designed to act as a security feature.
Hi Joe, That would be one of those "details" on which smart people disagree. In this case, I think you're wrong. Modern NAT superseded the transparent proxies and bastion hosts of the '90s because it does the same security job a little more smoothly. And proxies WERE designed to act as a security feature.
You'd expect folks to give up two layers of security at exactly the same time as they're absorbing a new network protocol with which they're yet unskilled? Does that make sense to you from a risk-management standpoint?
Actually, yes, it does. Using the product as intended is substantially less risky than trying to figure out how to use some sort of proxy or gateway functionality to emulate NAT, and then screwing that up.
What sort of traction are you getting from that argument when you speak with enterprise security folks? Regards, Bill Herrin -- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
On 3/24/14 1:37 PM, "William Herrin" <bill@herrin.us> wrote:
On Mon, Mar 24, 2014 at 9:25 AM, Joe Greco <jgreco@ns.sol.net> wrote:
I say this with the utmost respect, but you must understand the principle of defense in depth in order to make competent security decisions for your organization. Smart people disagree on the details but the principle is not only iron clad, it applies to all forms of security, not just IP network security.
The problem here is that what's actually going on is that you're now enshrining as a "security" device a hacky, ill-conceived workaround for a lack of flexibility/space/etc in IPv4. NAT was not designed to act as a security feature.
Hi Joe,
That would be one of those "details" on which smart people disagree. In this case, I think you're wrong. Modern NAT superseded the transparent proxies and bastion hosts of the '90s because it does the same security job a little more smoothly. And proxies WERE designed to act as a security feature.
What kinds of devices are we talking about here? Are we talking about the default NAT on a home network router, or an enterprise-level NAT operating on a firewall? The NAT on home gateways may be a full-cone NAT. This allows easier setup of online gaming, for instance, or other applications where an inbound SYN is required. This provides no security, since as soon as a connection is established, all traffic is allowed. Even restricted cone NATs provide little protection, just a bit of guessing that even a human could manage. If we're talking about an enterprise firewall, then I don't understand--we're talking about a firewall. If it implements a symmetric NAT in addition to a stateful firewall, then it's implementing the same function twice. But, hey, it's your network, if security-through-obscurity is one of your defense in depth layers, that's fine. You may use NPT66 with ULA; that function is defined. Lee
On Mon, Mar 24, 2014 at 2:23 PM, Lee Howard <Lee@asgard.org> wrote:
On 3/24/14 1:37 PM, "William Herrin" <bill@herrin.us> wrote:
That would be one of those "details" on which smart people disagree. In this case, I think you're wrong. Modern NAT superseded the transparent proxies and bastion hosts of the '90s because it does the same security job a little more smoothly. And proxies WERE designed to act as a security feature.
What kinds of devices are we talking about here? Are we talking about the default NAT on a home network router, or an enterprise-level NAT operating on a firewall?
Hi Lee, I don't see NAT as a deployment issue for residential networks. Most folks just hook their computer up to whatever CPE the vendor sends them without any further attention.
If we're talking about an enterprise firewall, then I don't understand--we're talking about a firewall. If it implements a symmetric NAT in addition to a stateful firewall, then it's implementing the same function twice. But, hey, it's your network, if security-through-obscurity is one of your defense in depth layers, that's fine.
"Obscurity" offers one or more defense layers. If you disagree, post your passwords here. Unaddressibility is a second defense layer. Stateful firewalling is a third. You observe that all three are accomplished by the same lines of code in the firewall. The firewall doesn't exist in a void. It's part of a system. That system is configured with unroutable addresses or it isn't. It has many public addresses or it doesn't. Regards, Bill Herrin -- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
On 3/24/14 2:38 PM, "William Herrin" <bill@herrin.us> wrote:
On Mon, Mar 24, 2014 at 2:23 PM, Lee Howard <Lee@asgard.org> wrote:
On 3/24/14 1:37 PM, "William Herrin" <bill@herrin.us> wrote:
That would be one of those "details" on which smart people disagree. In this case, I think you're wrong. Modern NAT superseded the transparent proxies and bastion hosts of the '90s because it does the same security job a little more smoothly. And proxies WERE designed to act as a security feature.
What kinds of devices are we talking about here? Are we talking about the default NAT on a home network router, or an enterprise-level NAT operating on a firewall?
Hi Lee,
I don't see NAT as a deployment issue for residential networks. Most folks just hook their computer up to whatever CPE the vendor sends them without any further attention.
If we're talking about an enterprise firewall, then I don't understand--we're talking about a firewall. If it implements a symmetric NAT in addition to a stateful firewall, then it's implementing the same function twice. But, hey, it's your network, if security-through-obscurity is one of your defense in depth layers, that's fine.
"Obscurity" offers one or more defense layers. If you disagree, post your passwords here.
One that is largely mocked by security professionals. However, ULA can do this.
Unaddressibility is a second defense layer.
I offered ULA+NPT66. I don't recommend it, but it has been described as working, and provides addresses which are not globally reachable.
Stateful firewalling is a third.
We agree. Lee
On Mon, Mar 24, 2014 at 12:37 PM, William Herrin <bill@herrin.us> wrote:
What sort of traction are you getting from that argument when you speak with enterprise security folks?
Actually, I never even had to make the argument in our enterprise. Our cybersecurity organization already knew that overall NAT reduced rather than enhanced network security and had a deeper real understanding of security defense in depth than I did. I never had to convince anyone that NAT wasn't a security feature. It sounds like we have so many enterprises that do security poorly because many don't even understand the basics. Scott
On Mon, Mar 24, 2014 at 8:25 AM, Joe Greco <jgreco@ns.sol.net> wrote:
Bill Herrin wrote:
I say this with the utmost respect, but you must understand the
principle of defense in depth in order to make competent security decisions for your organization. Smart people disagree on the details but the principle is not only iron clad, it applies to all forms of security, not just IP network security.
The problem here is that what's actually going on is that you're now enshrining as a "security" device a hacky, ill-conceived workaround for a lack of flexibility/space/etc in IPv4. NAT was not designed to act as a security feature.
If you want more layers of security, put a second firewall into your design. Don't perpetuate horrid IPv4 hacks that were necessary for specific reasons into IPv6 where those hacks are no longer needed.
With 24 million small businesses in the US alone, that's way too many
apples.
Precisely. Repeat after me. NAT is not a security feature. Period. It offers no meaningful protection. We've known how to bypass NATs almost from the moment they were developed. Defense in depth has nothing to do with NAT. In our enterprise deployment, it involves two layers of heterogeneous firewalls (protecting multiple security zones from the internal network and the Internet), IPS/IDS, web filters, mail filters, and an active CSIRC monitoring, analyzing, and responding to threats and attacks. If you're an enterprise and don't have something similar in place, then you have no security defense in depth. Thanks goodness our Cybersecurity organization actually comprehends real computer and network security instead of promoting snake oil. Scott
it involves two layers of heterogeneous firewalls (protecting multiple ^^^^^^^^^^^^^
Ugh. Knew I was forgetting something. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
On 3/24/14 10:08 AM, William Herrin wrote:
On Mon, Mar 24, 2014 at 12:28 PM, Michael Thomas <mike@mtcc.com> wrote:
On 03/24/2014 09:20 AM, William Herrin wrote:
On Mon, Mar 24, 2014 at 3:00 AM, Karl Auer <kauer@biplane.com.au> wrote:
Addressable is not the same as accessible; routable is not the same as routed. Indeed. However, all successful security is about _defense in depth_. If it is inaccessible, unrouted, unroutable and unaddressable then you have four layers of security. If it is merely inaccessible and unrouted you have two. A distinction without a difference, IMHO. Either I can send you an incoming SYN or I can't. Hi Mike,
You can either press the big red button and fire the nukes or you can't, so what difference how many layers of security are involved with the "Football?"
I say this with the utmost respect, but you must understand the principle of defense in depth in order to make competent security decisions for your organization. Smart people disagree on the details but the principle is not only iron clad, it applies to all forms of security, not just IP network security.
The point here is that your "depth" is the same with or without nat. The act of address translation does not alter its routability, it's the firewall rules that say "no incoming SYN's without an existing connection state", etc. That, and always has been, the business end of firewalls. The other thing about v6 is that counting on addressibility in any way shape or form is a fool's errand: hosts want desperately to number their interfaces with whatever GUA's they can given RA's, etc. So you may think you're only giving out ULA's, but I wouldn't count on that from a security perspective. v6 is not like DHCPv4 even a little in that respect: if the hosts can get a GUA, they will configure it and use it. Mike
I think it would be just as easy to claim that breaking the end-to-end model is more of a security concern that lack of NAT. Having the NAT is essentially condoning a permanent man-in-the-middle. A lot of customers do believe that NAT adds to their security. I would advise them however that it probably offers a lot less than they think. It is a very common technique get an inside computer to establish a connection out to a bad host. That's how most of the malware today works (through the "extra layer of defense that NAT provides),so I am not seeing how much worse IPv6 would make things. If you are going to allow inbound connections to your internal machines from anywhere you are unsecure. How hard is it to block inbound connections with a firewall? If the user cannot accomplish that then there is not much we can do to save them. I suppose NAT could add some sort of minimal additional assurance but if you cannot pull off a simple firewall or routing policy you are already unable to adequately secure your network. I see no technical reason that someone could not implement a transparent proxy whether it is v4 or v6. It does not really violate the end-to-end model because the proxy connects to the remote system and the local system connects to the proxy so there really is not an end-to-end connection as much as there are two separate connections. For that matter, is there really a technical reason that you could not do a NAT if you wanted to with IPv6? All we are really talking about here is replacing one address with another. Could you not get something similar by translating a routable IPv6 address to a link local address? I don't think I would want to but I suppose you could if you are really married to NAT and private addressing. I, for one, will not miss NAT very much. I have seen quite a few misconfigured NATs and holes being punched through firewalls because applications don't like NATs to believe that they are at least as much trouble as they are worth as a security feature. Steven Naslund -----Original Message----- From: William Herrin [mailto:bill@herrin.us] Sent: Monday, March 24, 2014 11:21 AM To: Karl Auer Cc: nanog@nanog.org Subject: Re: misunderstanding scale On Mon, Mar 24, 2014 at 3:00 AM, Karl Auer <kauer@biplane.com.au> wrote:
Addressable is not the same as accessible; routable is not the same as routed.
Indeed. However, all successful security is about _defense in depth_. If it is inaccessible, unrouted, unroutable and unaddressable then you have four layers of security. If it is merely inaccessible and unrouted you have two. Regards, Bill Herrin -- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
On Mar 24, 2014, at 9:20 AM, William Herrin <bill@herrin.us> wrote:
On Mon, Mar 24, 2014 at 3:00 AM, Karl Auer <kauer@biplane.com.au> wrote:
Addressable is not the same as accessible; routable is not the same as routed.
Indeed. However, all successful security is about _defense in depth_. If it is inaccessible, unrouted, unroutable and unaddressable then you have four layers of security. If it is merely inaccessible and unrouted you have two.
That is, frankly, so gross an oversimplification as to be not only misleading, but outright inaccurate in many cases. When considering defense in depth, layer thickness counts as much or more than number of layers. unroutable and unaddressable (which NAT and RFC-1918 arguably don’t actually provide in reality) are roughly equivalent to a slide-lock on a screen door in front of a stateful inspection bank vault door in front of an unrouted iron-bar day-door inside the vault. I would argue that the value added by the screen door and its associated slide lock is near zero in the total equation. Further, since the reality is that NAT and RFC-1918 can be exploited by the attackers to help hide their identity and obscure their activities, they are actually not added depth, but in fact erode the actual security. Further, since it is such a widely held misperception that they provide security, there’s probably a certain amount of negative impact due to the complacency and lack of vigilance that creates as well. Owen
On Mon, Mar 24, 2014 at 1:38 AM, Mark Tinka <mark.tinka@seacom.mu> wrote:
On Sunday, March 23, 2014 09:35:31 PM Denis Fondras wrote:
When speaking of IPv6 deployment, I routinely hear about host security. I feel like it should be stated that this is *in no way* an IPv6 issue. May the device be ULA, LLA, GUA or RFC1918-addressed, the device is at risk anyway.
If this is the only argument for delaying IPv6 deployment, this sounds more like FUD to me ;-)
I guess it's no surprise that host security is not an IPv4 or IPv6 issue.
It's just that with IPv4, the majority of unclean and unupdated hosts have been living behind NAT44.
In an ideal IPv6 world, all hosts have GUA's, and in this case, host security becomes a bigger problem, because now the host is directly accessible without a NAT66 in between (we hope).
NAT traversal is and has long been fairly trivial. NAT and RFC1918 provides no meaningful host protection whatsoever and never has. The only thing that limits direct access to internal networks is a stateful firewall. (Well, IPS can also drop packets.) That's true for IPv4 and for IPv6. So an enterprise relying n NAT44 and RFC1918 for internal host protection instead of a stateful firewall already has no meaningful security in place. There's no way for IPv6 to make things any worse other than puncturing the delusion under which they are currently operating. Scott
On Monday, March 24, 2014 02:56:13 PM Timothy Morizot wrote:
NAT traversal is and has long been fairly trivial. NAT and RFC1918 provides no meaningful host protection whatsoever and never has. The only thing that limits direct access to internal networks is a stateful firewall. (Well, IPS can also drop packets.) That's true for IPv4 and for IPv6. So an enterprise relying n NAT44 and RFC1918 for internal host protection instead of a stateful firewall already has no meaningful security in place.
Don't disagree with you there. I'm saying many an enterprise (small and large) as well as homes operate this way. There is a lot of unlearning to do. The whole issue is that a number of enterprises "may" only feel safe if IPv6 comes with NAT66, probably on top (or not on top) of a stateful IPv6 firewall. We need to think about how to re-train the enterprise, if we don't want to repeat the erasure of the end-to-end model, second time around. Mark.
If they have a stateful IPv6 firewall (which they should and which most firewall vendors support), they already have what they need to prevent their internal systems from being accessible from the outside. If you are an enterprise and you don't have a stateful firewall, you are in trouble from a security standpoint whether you run v4 or v6. If you cannot configure a stateful firewall to block connections being initiated from outside, you are not qualified to be working with the firewall, v4 or v6 does not matter. If someone is relying on NAT in case their firewall is misconfigured, they have major issues with security. In the home, I am not sure what the major issue is there either. How many CPE devices have you seen that do not implement basic firewall functionality? People may not use them correctly but that is no more an issue with v6 than it is with v4. Most CPE even comes out of the box blocking inbound connections by default. Steve -----Original Message----- From: Mark Tinka [mailto:mark.tinka@seacom.mu] Sent: Monday, March 24, 2014 11:35 AM To: Timothy Morizot Cc: NANOG list Subject: Re: misunderstanding scale
Don't disagree with you there.
I'm saying many an enterprise (small and large) as well as homes operate this way. There is a lot of unlearning to do.
The whole issue is that a number of enterprises "may" only feel safe if IPv6 comes with NAT66, probably on top (or not on top) of a stateful IPv6 firewall.
We need to think about how to re-train the enterprise, if we don't want to repeat the erasure of the end-to-end model, second time around.
Mark.
On 2014-03-24, "Naslund, Steve" <SNaslund@medline.com> wrote:
If they have a stateful IPv6 firewall (which they should and which most firewall vendors support), they already have what they need to prevent their internal systems from being accessible from the outside. If you are an enterprise and you don't have a stateful firewall, you are in trouble from a security standpoint whether you run v4 or v6. If you cannot configure a stateful firewall to block connections being initiated from outside, you are not qualified to be working with the firewall, v4 or v6 does not matter. If someone is relying on NAT in case their firewall is misconfigured, they have major issues with security.
In the home, I am not sure what the major issue is there either. How many CPE devices have you seen that do not implement basic firewall functionality? People may not use them correctly but that is no more an issue with v6 than it is with v4. Most CPE even comes out of the box blocking inbound connections by default.
Tell that to our little D-Link AP/router with stateless filters only for v6, and broken config options that make it impossible to apply even that to a tunnel interface (HE). I agree with you on pushing v6 adoption and that the at the root of it you should have a stateful firewall be it v4 or v6, but: - if this thread is any indication and as per your first paragraph, way too many orgs are depending on NAT as a security feature and v6 is exposing that weakness in their posture - home CPE implementations are largely crap, and good luck getting a decent portion of them supporting (functional) stateful v6 firewalls
Steve
-- Hugo
-----Original Message----- From: Mark Tinka [mailto:mark.tinka@seacom.mu] Sent: Monday, March 24, 2014 11:35 AM To: Timothy Morizot Cc: NANOG list Subject: Re: misunderstanding scale
Don't disagree with you there.
I'm saying many an enterprise (small and large) as well as homes operate this way. There is a lot of unlearning to do.
The whole issue is that a number of enterprises "may" only feel safe if IPv6 comes with NAT66, probably on top (or not on top) of a stateful IPv6 firewall.
We need to think about how to re-train the enterprise, if we don't want to repeat the erasure of the end-to-end model, second time around.
Mark.
-- Hugo Slabbert Network Specialist Phone: 604.606.4448 Email: hslabbert@stargate.ca Stargate Connections Inc. http://www.stargate.ca
On Mar 23, 2014, at 11:38 PM, Mark Tinka <mark.tinka@seacom.mu> wrote:
On Sunday, March 23, 2014 09:35:31 PM Denis Fondras wrote:
When speaking of IPv6 deployment, I routinely hear about host security. I feel like it should be stated that this is *in no way* an IPv6 issue. May the device be ULA, LLA, GUA or RFC1918-addressed, the device is at risk anyway.
If this is the only argument for delaying IPv6 deployment, this sounds more like FUD to me ;-)
I guess it's no surprise that host security is not an IPv4 or IPv6 issue.
It's just that with IPv4, the majority of unclean and unupdated hosts have been living behind NAT44.
In an ideal IPv6 world, all hosts have GUA's, and in this case, host security becomes a bigger problem, because now the host is directly accessible without a NAT66 in between (we hope).
Mark.
Bzzzt… But thanks for playing. An IPv6 host with a GUA behind a stateful firewall with default deny is every bit as secure as an iPv4 host with an RFC-1918 address behind a NAT44 gateway. Owen
Exactly right. In fact that is generous because the v6 host having a stateful firewall has a real protocol aware firewall (and often bundled IDS/IPS capability) not just a NAT to protect him. The NAT provides almost no security once a single host behind the NAT is compromised and makes an outbound connection. Bang, instant VPN connection to the internal network. A perimeter defense relying on NAT is a house of cards that only needs one nick for the whole thing to come down. Lots and lots of enterprises count on a hard perimeter and almost nothing behind it so once I am in behind your NAT, you are unlikely to notice it until something real bad happens. That is the state of most enterprise network security today. C'mon guys how many Botnets and DDoS attacks do we need to see coming from home computers that are almost all behind NATs to realize that NAT is not a security feature. For you service providers out there, how many of your residential customers behind your NAT do you think are compromised in some way. If you can find a large enterprise that has not one piece of malware running on a single workstation, I will be surprised. With so many BYODs and laptops going in and out of your NAT perimeter there is no way you can assert that nothing behind your NAT is compromised. At least with v6 we can have a better idea of where a rogue connection is coming from. Look at it this way. If I see an attack coming from behind your NAT, I'm gonna deny all traffic coming from your NAT block until you assure me you have it fixed because I have no way of knowing which host it is coming from. Now your whole network is unreachable. If you have a compromised GUA host I can block only him. Better for both of us, no? How about a single host spamming behind your NAT blocking your entire corporate public network from email services? Anyone ever see that one. Ipv6 GUAs allow us to use fly swatters instead of sledgehammers to deal with that. Maybe GUAs will convince (scare) more enterprise users to actually treat the internal network as an environment that needs to be secured as well. We can only hope. Steven Naslund
Bzzzt... But thanks for playing.
An IPv6 host with a GUA behind a stateful firewall with default deny is every bit as secure as an iPv4 host with an RFC-1918 address behind a NAT44 gateway.
Owen
On Tue, 25 Mar 2014 02:47:31 -0000, "Naslund, Steve" said:
Lots and lots of enterprises count on a hard perimeter and almost nothing behind it so once I am in behind your NAT, you are unlikely to notice it until something real bad happens. That is the state of most enterprise network security today.
"All of ARPA's protection has, by design, left the internal AT&T machines untested--a sort of crunchy shell around a soft, chewy center. We run security scans..." ches Fri Apr 20 07:46:11 EDT 1990 http://www.cheswick.com/ches/papers/gateway.pdf For the Beloit College class of 2014, the Internet has always had a soft chewy center....
-----Original Message----- From: Naslund, Steve [mailto:SNaslund@medline.com] Sent: Monday, March 24, 2014 10:48 PM To: Owen DeLong; mark.tinka@seacom.mu Cc: nanog@nanog.org Subject: RE: misunderstanding scale
Look at it this way. If I see an attack coming from behind your NAT, I'm gonna deny all traffic coming from your NAT block until you assure me you have it fixed because I have no way of knowing which host it is coming from. Now your whole network is unreachable. If you have a compromised GUA host I can block only him. Better for both of us, no?
That is assuming that the infected piece does not request another address in the /64, and that the person blocking at the target end blocks a /128 instead of the /64.
How about a single host spamming behind your NAT blocking your entire corporate public network from email services? Anyone ever see that one. Ipv6 GUAs allow us to use fly swatters instead of sledgehammers to deal with that.
I don't want to try to even think about SMTP on IPv6. Reputation of email servers as well as the whole thought process of spam control rely on a list of IP address. IPv6 adds an entirely new aspect to it.
Maybe GUAs will convince (scare) more enterprise users to actually treat the internal network as an environment that needs to be secured as well. We can only hope.
Most enterprise admins, segment their BYOD (wifi) network from the production network. Some will even use a different WAN ip for the wifi network or in the minimum block outbound request to well known services ports. I generally see where the only outbound connections allowed are http and https. All other ports are blocked.
Steven Naslund
Bzzzt... But thanks for playing.
An IPv6 host with a GUA behind a stateful firewall with default deny is every bit as secure as an iPv4 host with an RFC-1918 address behind a NAT44 gateway.
I can't argue there.....
Owen
I don't want to try to even think about SMTP on IPv6. Reputation of email servers as well as the whole thought process of spam control rely on a list of IP address.
IPv6 adds an entirely new aspect to it.
Really? It ain't that hard. Who in this list is going to set up generic PTRs for all your v6 space? Good luck shoving 2^64 addresses in a zone file, so you're doing it programmatically; quick show up of hands for anybody actually doing generic v6 PTRs? So, we're doing PTRs on an as-needed basis, e.g. router interface primary addresses (for traceroute prettiness), mail servers, etc. You try sending me email on v6 without a PTR, you're going to have to make a pretty damned convincing case for why I should accept mail from you. If you want to do address-based reputations for v6 similar to v4, my guess is that it will start to aggregate to at least the /64 boundary (i.e. if you have a spambot in your /64, that block starts to get a bad reputation and any other hosts in that block are less likely to have their mail accepted). So, there's risk of collateral damage, but no more (and probably less) than the v4 equivalent where any hosts sitting NAT'd behind a single IP are blacklisted. In this v6 equivalent, you could probably even get away with whitelisting a single, trusted IP in that /64 while the remainder of the /64 has a bad rep. If you mean that e.g. you have a spambot that's using SLAAC and so can/will bounce around to different GUAs all over the place and so get around blacklisting, I would venture aggregating at the /64 level should take care of that; each additional IP within that block that's found to be spamming adds another hit to the block's reputation. IP addresses and sender reputation do form a part of spam identification, but TBH so far I'm only seeing ways in which GUA helps *improve* the granularity at which those tools can be applied in order to reduce false positives. Granted, I haven't yet considered IP-based RBLs in v6 extensively, so I'm open to insights on this. -- Hugo On 2014-03-25, Alexander Lopez <alex.lopez@opsys.com> wrote:
-----Original Message----- From: Naslund, Steve [mailto:SNaslund@medline.com] Sent: Monday, March 24, 2014 10:48 PM To: Owen DeLong; mark.tinka@seacom.mu Cc: nanog@nanog.org Subject: RE: misunderstanding scale
Look at it this way. If I see an attack coming from behind your NAT, I'm gonna deny all traffic coming from your NAT block until you assure me you have it fixed because I have no way of knowing which host it is coming from. Now your whole network is unreachable. If you have a compromised GUA host I can block only him. Better for both of us, no?
That is assuming that the infected piece does not request another address in the /64, and that the person blocking at the target end blocks a /128 instead of the /64.
How about a single host spamming behind your NAT blocking your entire corporate public network from email services? Anyone ever see that one. Ipv6 GUAs allow us to use fly swatters instead of sledgehammers to deal with that.
I don't want to try to even think about SMTP on IPv6. Reputation of email servers as well as the whole thought process of spam control rely on a list of IP address.
IPv6 adds an entirely new aspect to it.
Maybe GUAs will convince (scare) more enterprise users to actually treat the internal network as an environment that needs to be secured as well. We can only hope.
Most enterprise admins, segment their BYOD (wifi) network from the production network. Some will even use a different WAN ip for the wifi network or in the minimum block outbound request to well known services ports.
I generally see where the only outbound connections allowed are http and https. All other ports are blocked.
Steven Naslund
Bzzzt... But thanks for playing.
An IPv6 host with a GUA behind a stateful firewall with default deny is every bit as secure as an iPv4 host with an RFC-1918 address behind a NAT44 gateway.
I can't argue there.....
Owen
If you want to do address-based reputations for v6 similar to v4, my guess is that it will start to aggregate to at least the /64 boundary ...
It says a lot about the state of the art that people are still making uninformed guesses like this, non ironically. On the one hand /64 is too coarse, because there are hosting providers that put multiple customers in a single /64. If you filter at that granularity, you'll get a lot of false positives and collateral damage. (When asked why they did something that dumb, they've tended to blame equipment vendors.) On the other hand, /64 is much too fine. Roadrunner assigns my cable connection a /50*, so even if you're aggregating at /64, there are now 16K different incarnations of me to block, instead of the one in IPv4. Businesses typically get a /48 so they have 64K incarnations. It would be nice if there were an efficient and reliable way to ask networks what their customer suballocation size is, but there isn't, so you have to hope rwhois will work and be fast enough, or guess, often guessing wrong. There also isn't any agreed way to publish DNSBLs with variable size ranges other than rsync'ing the whole file. IANA has handed out /12s to the RIRs, so each of those is 2^52 /64s, a number that's way out in the absurd-o-sphere. Large mail providers all agree that v6 senders need to follow good mail discipline, but are far from agreeing what that means. It certainly means proper rDNS, but does it mean SPF? DKIM on all the mail? TLS on the connections? At this point, I don't know and neither does anyone else. Fortunately we have at least another decade of full IPv4 mail connectivity to figure it out. For anyone who points out that v6 mail works now, you're right, it does, but that's only because botnets don't use it yet other than occasionally by accident on dual stacked hosts so the amount of spam is much lower than on ipv4 and there isn't much address hopping. With any luck they never will, since bot mail still works OK for them on v4, but if they do, and they start doing address hopping, it'll be really ugly. R's, John * - yes, it's a /50, their rwhois says so. And I know because whenever my modem reboots, it assigns me a /64 more or less at random from that /50 even though they tell me it's supposed to keep giving me the same one. See prior comments about mostly working.
On 3/25/14, 11:23 AM, John Levine wrote:
Large mail providers all agree that v6 senders need to follow good mail discipline, but are far from agreeing what that means. It certainly means proper rDNS, but does it mean SPF? DKIM on all the mail? TLS on the connections? At this point, I don't know and neither does anyone else. Fortunately we have at least another decade of full IPv4 mail connectivity to figure it out.
So, what's everyone's feelings about a rather large provider who blocks IPv6 e-mail that has no RDNS, even though the sending domain has SPF records allowing the block, and proper DKIM set up? *looks directly at Google* Nothing like poorly thought out policy to break a rather successful IPv6 roll-out for multiple customers. -- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org
On Tue, Mar 25, 2014 at 1:43 PM, Brielle Bruns <bruns@2mbit.com> wrote:
On 3/25/14, 11:23 AM, John Levine wrote:
Large mail providers all agree that v6 senders need to follow good mail discipline, but are far from agreeing what that means. It certainly means proper rDNS, but does it mean SPF? DKIM on all the mail? TLS on the connections? At this point, I don't know and neither does anyone else. Fortunately we have at least another decade of full IPv4 mail connectivity to figure it out.
So, what's everyone's feelings about a rather large provider who blocks IPv6 e-mail that has no RDNS, even though the sending domain has SPF records allowing the block, and proper DKIM set up?
*looks directly at Google*
Nothing like poorly thought out policy to break a rather successful IPv6 roll-out for multiple customers.
Just an anecdotal observation.... what G appears to be doing is flagging emails, received over IPv6, that are below a certain size threshold. I have zero problems sending bulk emails (discussions lists), over IPv6, to G end users, but I do see consistent problems sending small mgmt alerts (i.e. monit/munin) over IPv6 to G. -Jim P.
In article <5331C054.8040801@2mbit.com> you write:
On 3/25/14, 11:23 AM, John Levine wrote:
Large mail providers all agree that v6 senders need to follow good mail discipline, but are far from agreeing what that means. It certainly means proper rDNS, but does it mean SPF? DKIM on all the mail? TLS on the connections? At this point, I don't know and neither does anyone else. Fortunately we have at least another decade of full IPv4 mail connectivity to figure it out.
So, what's everyone's feelings about a rather large provider who blocks IPv6 e-mail that has no RDNS, even though the sending domain has SPF records allowing the block, and proper DKIM set up?
*looks directly at Google*
I think this would be a good time to fix your mail server setup. You're never going to get much v6 mail delivered without rDNS, because receivers won't even look at your mail to see if it's authenticated. CenturyLink is reasonably technically clued so it shouldn't be impossible to get them to fix it. R's, John
On 3/25/14, 11:56 AM, John Levine wrote:
I think this would be a good time to fix your mail server setup. You're never going to get much v6 mail delivered without rDNS, because receivers won't even look at your mail to see if it's authenticated.
CenturyLink is reasonably technically clued so it shouldn't be impossible to get them to fix it.
Nothing wrong with my mail server setup, except the lack of RDNS. Lacking reverse should be one of many things to consider with rejecting e-mails, but should not be the only condition. That would be like outright refusing mail unless it had both SPF and DKIM on every single message. Sure, great in theory, does not work in reality and will result in lost mail from legit sources. Already spoken to CenturyLink about RDNS for ipv6 - won't have rdns until native IPv6. Currently, IPv6 seems to be delivered for those who want it, via 6rd. And, frankly, I'm not going to get in a fight with CenturyLink over IPv6 RDNS, considering that I am thankful that they are even offering IPv6 when other large providers aren't even trying to do so to their residential and small business customers. It is very easy for some to forget that not everyone has a gigabit fiber connection to their homes with ARIN assigned IPv4/IPv6 blocks announced over BGP. Some of us actually have to make do with (sometimes very) limited budgets and what the market is offering us and has made available. -- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Isn't this just a local policy issue with handling DMARC? I know for sure at least one other (very large) organization that (also) rejects messages which do not have an rDNS entry, and it is a local DMARC policy. - - ferg On 3/25/2014 1:57 PM, Brielle Bruns wrote:
On 3/25/14, 11:56 AM, John Levine wrote:
I think this would be a good time to fix your mail server setup. You're never going to get much v6 mail delivered without rDNS, because receivers won't even look at your mail to see if it's authenticated.
CenturyLink is reasonably technically clued so it shouldn't be impossible to get them to fix it.
Nothing wrong with my mail server setup, except the lack of RDNS. Lacking reverse should be one of many things to consider with rejecting e-mails, but should not be the only condition.
That would be like outright refusing mail unless it had both SPF and DKIM on every single message.
Sure, great in theory, does not work in reality and will result in lost mail from legit sources.
Already spoken to CenturyLink about RDNS for ipv6 - won't have rdns until native IPv6. Currently, IPv6 seems to be delivered for those who want it, via 6rd.
And, frankly, I'm not going to get in a fight with CenturyLink over IPv6 RDNS, considering that I am thankful that they are even offering IPv6 when other large providers aren't even trying to do so to their residential and small business customers.
It is very easy for some to forget that not everyone has a gigabit fiber connection to their homes with ARIN assigned IPv4/IPv6 blocks announced over BGP. Some of us actually have to make do with (sometimes very) limited budgets and what the market is offering us and has made available.
- -- Paul Ferguson VP Threat Intelligence, IID PGP Public Key ID: 0x54DC85B2 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (MingW32) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iF4EAREIAAYFAlMx8VQACgkQKJasdVTchbJkBgD+PeCiFIefgXhmcsyIiqHAdiNX slrBbBk3/edq9yiAsPAA/0zwEwPqfFTyjYvChdgMyC09aSDOFeGT8vf6HZzMCPDt =OHTl -----END PGP SIGNATURE-----
DMARC says nothing about rDNS, and given how late in the game DMARC comes, it seems like an odd place to enforce rDNS. Local policy, sure; local DMARC policy, wait what? Elizabeth On 3/25/14, 2:12 PM, "Paul Ferguson" <fergdawgster@mykolab.com> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
Isn't this just a local policy issue with handling DMARC? I know for sure at least one other (very large) organization that (also) rejects messages which do not have an rDNS entry, and it is a local DMARC policy.
- - ferg
On 3/25/2014 1:57 PM, Brielle Bruns wrote:
On 3/25/14, 11:56 AM, John Levine wrote:
I think this would be a good time to fix your mail server setup. You're never going to get much v6 mail delivered without rDNS, because receivers won't even look at your mail to see if it's authenticated.
CenturyLink is reasonably technically clued so it shouldn't be impossible to get them to fix it.
Nothing wrong with my mail server setup, except the lack of RDNS. Lacking reverse should be one of many things to consider with rejecting e-mails, but should not be the only condition.
That would be like outright refusing mail unless it had both SPF and DKIM on every single message.
Sure, great in theory, does not work in reality and will result in lost mail from legit sources.
Already spoken to CenturyLink about RDNS for ipv6 - won't have rdns until native IPv6. Currently, IPv6 seems to be delivered for those who want it, via 6rd.
And, frankly, I'm not going to get in a fight with CenturyLink over IPv6 RDNS, considering that I am thankful that they are even offering IPv6 when other large providers aren't even trying to do so to their residential and small business customers.
It is very easy for some to forget that not everyone has a gigabit fiber connection to their homes with ARIN assigned IPv4/IPv6 blocks announced over BGP. Some of us actually have to make do with (sometimes very) limited budgets and what the market is offering us and has made available.
- -- Paul Ferguson VP Threat Intelligence, IID PGP Public Key ID: 0x54DC85B2 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (MingW32) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iF4EAREIAAYFAlMx8VQACgkQKJasdVTchbJkBgD+PeCiFIefgXhmcsyIiqHAdiNX slrBbBk3/edq9yiAsPAA/0zwEwPqfFTyjYvChdgMyC09aSDOFeGT8vf6HZzMCPDt =OHTl -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 3/25/2014 2:38 PM, Elizabeth Zwicky wrote:
Local policy, sure; local DMARC policy, wait what?
My goof. Apparently just local policy sans DMARC. - - ferg - -- Paul Ferguson VP Threat Intelligence, IID PGP Public Key ID: 0x54DC85B2 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (MingW32) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iF4EAREIAAYFAlMyDgoACgkQKJasdVTchbL+RAD+K6ERAs2vZQjhgaa+1qsOKtdS aTJsVwQZxfgKsC32c7kA/iGuDoLnN4bZAXkls/Jx+jhTFtoBKD3yZsM6zBzKmw6v =HwGn -----END PGP SIGNATURE-----
The usefulness of reverse DNS in IPv6 is dubious. Maybe the idea is to cause enough pain that eventually you fold and get them to host your email too. -Laszlo On Mar 25, 2014, at 8:57 PM, Brielle Bruns <bruns@2mbit.com> wrote:
On 3/25/14, 11:56 AM, John Levine wrote:
I think this would be a good time to fix your mail server setup. You're never going to get much v6 mail delivered without rDNS, because receivers won't even look at your mail to see if it's authenticated.
CenturyLink is reasonably technically clued so it shouldn't be impossible to get them to fix it.
Nothing wrong with my mail server setup, except the lack of RDNS. Lacking reverse should be one of many things to consider with rejecting e-mails, but should not be the only condition.
That would be like outright refusing mail unless it had both SPF and DKIM on every single message.
Sure, great in theory, does not work in reality and will result in lost mail from legit sources.
Already spoken to CenturyLink about RDNS for ipv6 - won't have rdns until native IPv6. Currently, IPv6 seems to be delivered for those who want it, via 6rd.
And, frankly, I'm not going to get in a fight with CenturyLink over IPv6 RDNS, considering that I am thankful that they are even offering IPv6 when other large providers aren't even trying to do so to their residential and small business customers.
It is very easy for some to forget that not everyone has a gigabit fiber connection to their homes with ARIN assigned IPv4/IPv6 blocks announced over BGP. Some of us actually have to make do with (sometimes very) limited budgets and what the market is offering us and has made available.
-- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org
On Tue, Mar 25, 2014 at 5:33 PM, Laszlo Hanyecz <laszlo@heliacal.net> wrote:
The usefulness of reverse DNS in IPv6 is dubious. Maybe the idea is to cause enough pain that eventually you fold and get them to host your email too.
Heh, I say the same things about DMARC where a lot of the major proponents offer alternative messaging capabilities. -Jim P.
On 3/25/14, 3:33 PM, Laszlo Hanyecz wrote:
The usefulness of reverse DNS in IPv6 is dubious. Maybe the idea is to cause enough pain that eventually you fold and get them to host your email too.
Well, like I said, there is nothing wrong with using rdns as part of a score in how legit a message is. Knock off a point or two in Spamassassin, add a few points back because there is SPF records, and another one or two for DKIM... Google is obviously doing some intelligent filtering on their end to handle incoming spam - why take such a drastic move against rdns when you already do heuristics that can factor it in without risking losing legit mail? I just finished moving two customers from Google hosted mail to Office 365 hosted Exchange. Even with all the odd quirks and issues that 365 has from time to time, I'm still getting better feedback from my customers. So... no, I'd sooner shut down my mail services then go with Google mail hosting for my primary e-mail address. But, that's just my opinion. -- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org
Laszlo Hanyecz <laszlo@heliacal.net> wrote:
The usefulness of reverse DNS in IPv6 is dubious.
For most systems yes, but you might as well have it if you are manually allocating server addresses. Tony. -- f.anthony.n.finch <dot@dotat.at> http://dotat.at/ Faeroes: Variable 4, becoming southeast 5 or 6. Moderate or rough. Fair. Good.
In article <5331EDAB.8000303@2mbit.com> you write:
On 3/25/14, 11:56 AM, John Levine wrote:
I think this would be a good time to fix your mail server setup. You're never going to get much v6 mail delivered without rDNS, because receivers won't even look at your mail to see if it's authenticated.
CenturyLink is reasonably technically clued so it shouldn't be impossible to get them to fix it.
Nothing wrong with my mail server setup, except the lack of RDNS. Lacking reverse should be one of many things to consider with rejecting e-mails, but should not be the only condition.
"It would be inconvenient for me to make this change, therefore everyone else should change instead." Don't hold your breath. R's, John
On Tue, Mar 25, 2014 at 02:57:15PM -0600, Brielle Bruns wrote:
Nothing wrong with my mail server setup, except the lack of RDNS. Lacking reverse should be one of many things to consider with rejecting e-mails, but should not be the only condition.
Lack of rDNS means either (a) there is something temporarily wrong with rDNS/DNS or (b) it's a spam source or (c) someone doesn't know how to set up rDNS/DNS for a mail server. Over the past decade, (b) has been the answer to about five or six 9's (depending on how I crunch the numbers), so deferring on that alone is not only sensible, but quite clearly a best practice. If it turns out that it looks like (b) but is actually (a), then as long as the DNS issue clears up before SMTP retries stop, mail is merely delayed, not rejected. And although *sometimes* it's (c), why would I want to accept mail from a server run by people who don't grasp basic email server operation best practices? (Doubly so since long experience strongly suggests people that botch this will very likely botch other things as well, some of which can result in negative outcomes *for me* if I accomodate them.) Of all the things that we need to do in order to make our mail servers play nice with the rest of the world, DNS/rDNS (and HELO) are among the simplest and easiest. ---rsk p.s. I also reject on mismatched and generic rDNS. Real mail servers have real names, so if [generic] you insist on making yours look like a bot, I'll believe you and treat it like one.
The OP doesn't have control over the reverse DNS on the AT&T 6rd. Spam crusades aside, it can be seen as just another case of 'putting people in their place', reinforcing that your end user connection is lesser and doesn't entitle to you to participate in the internet with the big boys. How does one dare run a 'server' without being a member of a RIR? One would hope that with IPv6 this would change, but the attitude of looking down on end subscribers has been around forever. As seen in the other thread being discussed here, people are already looking for ways to block end users from participating. -Laszlo On Mar 25, 2014, at 10:38 PM, Rich Kulawiec <rsk@gsp.org> wrote:
On Tue, Mar 25, 2014 at 02:57:15PM -0600, Brielle Bruns wrote:
Nothing wrong with my mail server setup, except the lack of RDNS. Lacking reverse should be one of many things to consider with rejecting e-mails, but should not be the only condition.
Lack of rDNS means either (a) there is something temporarily wrong with rDNS/DNS or (b) it's a spam source or (c) someone doesn't know how to set up rDNS/DNS for a mail server. Over the past decade, (b) has been the answer to about five or six 9's (depending on how I crunch the numbers), so deferring on that alone is not only sensible, but quite clearly a best practice. If it turns out that it looks like (b) but is actually (a), then as long as the DNS issue clears up before SMTP retries stop, mail is merely delayed, not rejected. And although *sometimes* it's (c), why would I want to accept mail from a server run by people who don't grasp basic email server operation best practices? (Doubly so since long experience strongly suggests people that botch this will very likely botch other things as well, some of which can result in negative outcomes *for me* if I accomodate them.)
Of all the things that we need to do in order to make our mail servers play nice with the rest of the world, DNS/rDNS (and HELO) are among the simplest and easiest.
---rsk
p.s. I also reject on mismatched and generic rDNS. Real mail servers have real names, so if [generic] you insist on making yours look like a bot, I'll believe you and treat it like one.
On Tue, 25 Mar 2014 19:07:16 -0400, Laszlo Hanyecz <laszlo@heliacal.net> wrote:
One would hope that with IPv6 this would change, but the attitude of looking down on end subscribers has been around forever.
And for damn good reasons (read: foolish and easy to trick into becoming a spam source.) Granted, "enterprise" players are only slightly less foolish and easy to hack. My inbox being proof hosting providers cannot police their idiot users. ISPs will need to continue the "evil" practice of blocking outbound port 25. --Ricky
In article <3D7D0845-CB25-4C05-8FAB-F5728C8602DD@heliacal.net> you write:
The OP doesn't have control over the reverse DNS on the AT&T 6rd.
Ah, OK, you're saying that their IPv6 isn't ready for prime time.
One would hope that with IPv6 this would change, but the attitude of looking down on end subscribers has been around forever.
It has nothing to do with looking down on "subscribers" and everything to do with practicality. When 99,9% of mail sent directly from consumer IP ranges is botnet spam, and I think that's a reasonable estimate, we have better things to do than to spend a lot of our money expensively filtering that spam for the benefit of the GWL who is too cool to relay through a mail server with a real name. R's, John
In message <20140325233557.6311.qmail@joyce.lan>, "John Levine" writes:
In article <3D7D0845-CB25-4C05-8FAB-F5728C8602DD@heliacal.net> you write:
The OP doesn't have control over the reverse DNS on the AT&T 6rd.
Ah, OK, you're saying that their IPv6 isn't ready for prime time.
One would hope that with IPv6 this would change, but the attitude of looking down on end subscribers has been around forever.
It has nothing to do with looking down on "subscribers" and everything to do with practicality. When 99,9% of mail sent directly from consumer IP ranges is botnet spam, and I think that's a reasonable estimate, we have better things to do than to spend a lot of our money expensively filtering that spam for the benefit of the GWL who is too cool to relay through a mail server with a real name.
Or he could just not like NSL and the fact the ISP's are required to abide by them. If people want their email going through where it can be snooped apon that is their perogative. Just don't force people to have to use I-WILL-SNOOP-ISP!!!
R's, John
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
Or he could just not like NSL and the fact the ISP's are required to abide by them. If people want their email going through where it can be snooped apon that is their perogative. Just don't force people to have to use I-WILL-SNOOP-ISP!!!
Who said anything about being required to use your ISP's mail server? I don't think I have, ever. You need to use one with a static IP and reasonable rDNS, which could be anywhere. Also, if the snoops are interested enough in you to drop an NSL on your ISP, you have worse problems than running your own mail server will solve. Regards, John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly
In message <alpine.BSF.2.00.1403252016070.6500@joyce.lan>, "John R. Levine" writes:
Or he could just not like NSL and the fact the ISP's are required to abide by them. If people want their email going through where it can be snooped apon that is their perogative. Just don't force people to have to use I-WILL-SNOOP-ISP!!!
Who said anything about being required to use your ISP's mail server? I don't think I have, ever. You need to use one with a static IP and reasonable rDNS, which could be anywhere.
There you go forcing people to jump through unnecessary hoops to send email. No you do not need a static address to send email. No you do not need a PTR record to send email. None of this is REQUIRED. It is forced on people by a cartel of email providers.
Also, if the snoops are interested enough in you to drop an NSL on your ISP, you have worse problems than running your own mail server will solve.
Regards, John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
None of this is REQUIRED. It is forced on people by a cartel of email providers.
It must be nice to live in world where there is so little spam and other mail abuse that you don't have to do any of the anti-abuse things that real providers in the real world have to do. Regards, John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly
Subject: Re: why IPv6 isn't ready for prime time, SMTP edition Date: Tue, Mar 25, 2014 at 10:45:00PM -0400 Quoting John R. Levine (johnl@iecc.com):
None of this is REQUIRED. It is forced on people by a cartel of email providers.
It must be nice to live in world where there is so little spam and other mail abuse that you don't have to do any of the anti-abuse things that real providers in the real world have to do.
What is a real provider? And what in the email specifications tells us that the email needs and solutions of any one individual, as long as they are following protocol (which I'm quite convinced Mark is) are "unreal"? There are scalability issues that single out the mega-class providers as something special. But those are no reason to go around debating the realness of other email handling organisations. Also, the accept/reject policies of email recipients are subject to individual evaluation and implementation at each MX host. Attempts at describing the state of email as other than that are false and should be discarded[0]. -- Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668 Content: 80% POLYESTER, 20% DACRONi ... The waitress's UNIFORM sheds TARTAR SAUCE like an 8" by 10" GLOSSY ... [0] I'm sorry for the wording here, I just had to recall a paraphrased instruction from when Sweden had a psyops defence organisation. "Varje meddelande om att motståndet skall uppges är falskt."
It must be nice to live in world where there is so little spam and other mail abuse that you don't have to do any of the anti-abuse things that real providers in the real world have to do.
What is a real provider? And what in the email specifications tells us that the email needs and solutions of any one individual, as long as they are following protocol (which I'm quite convinced Mark is) are "unreal"?
A real provider is one that provides mail for real users, as opposed to someone who plays RFC language lawyer games. I only have a few dozen users, but I can assure you I use a whole lot of different filtering approaches including DNSBLs to keep my users' mailboxes usable. I must say it's pretty amusing that someone who works for the organization that published the original DNSBL seems to be ranting against them. Regards, John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly
Subject: Re: why IPv6 isn't ready for prime time, SMTP edition Date: Wed, Mar 26, 2014 at 03:35:48PM -0400 Quoting John R. Levine (johnl@iecc.com):
It must be nice to live in world where there is so little spam and other mail abuse that you don't have to do any of the anti-abuse things that real providers in the real world have to do.
What is a real provider? And what in the email specifications tells us that the email needs and solutions of any one individual, as long as they are following protocol (which I'm quite convinced Mark is) are "unreal"?
A real provider is one that provides mail for real users, as opposed to someone who plays RFC language lawyer games. I only have a few dozen users, but I can assure you I use a whole lot of different filtering approaches including DNSBLs to keep my users' mailboxes usable.
Ergo, ad hominem. Please quit doing that. As a side note I happen to run my own mail server without spam filters -- it works for me. I might not be the norm, but then again, is there really a norm? (A norm that transcends SMTP RFC reach, that is -- the necessity to stick to protocol is not under debate)
I must say it's pretty amusing that someone who works for the organization that published the original DNSBL seems to be ranting against them.
The ability to change ones mind when circumstances change is usually seen as advantageous. Why not here? -- Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668 This is a NO-FRILLS flight -- hold th' CANADIAN BACON!!
Ergo, ad hominem. Please quit doing that. As a side note I happen to run my own mail server without spam filters -- it works for me. I might not be the norm, but then again, is there really a norm? (A norm that transcends SMTP RFC reach, that is --
I know a lot of people who run a lot of mail systems, and let's just say you're so far out in the long tail we need a telescope to see you. Regards, John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly
Subject: Re: why IPv6 isn't ready for prime time, SMTP edition Date: Thu, Mar 27, 2014 at 10:32:42AM -0400 Quoting John R. Levine (johnl@iecc.com):
Ergo, ad hominem. Please quit doing that. As a side note I happen to run my own mail server without spam filters -- it works for me. I might not be the norm, but then again, is there really a norm? (A norm that transcends SMTP RFC reach, that is --
I know a lot of people who run a lot of mail systems, and let's just say you're so far out in the long tail we need a telescope to see you.
I will not debate with people who resort to humiliation techniques when questioned. <PLONK> -- Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668 I feel like a wet parking meter on Darvon!
Composed on a virtual keyboard, please forgive typos.
On Mar 29, 2014, at 3:15, Måns Nilsson <mansaxel@besserwisser.org> wrote: Quoting John R. Levine (johnl@iecc.com):
Ergo, ad hominem. Please quit doing that. As a side note I happen to run my own mail server without spam filters -- it works for me. I might not be the norm, but then again, is there really a norm? (A norm that transcends SMTP RFC reach, that is --
I know a lot of people who run a lot of mail systems, and let's just say you're so far out in the long tail we need a telescope to see you.
I will not debate with people who resort to humiliation techniques when questioned.
I will not argue whether you were humiliated as that is something only you can decide. However, John was still factually correct. No big deal, lots of people are humiliated by facts. Although I admit I didn't find the quote above terribly humiliating myself. Also, realize that John has already done more to stop spam in his career then you and your thousand closest friends ever will. (E.g. Look up abuse.net.) Again not humiliation, just a fact. Feel free to plonk me as well. I won't be humiliated. :-) -- TTFN, patrick
Subject: Re: why IPv6 isn't ready for prime time, SMTP edition Date: Sat, Mar 29, 2014 at 11:06:11AM -0400 Quoting Patrick W. Gilmore (patrick@ianai.net):
Composed on a virtual keyboard, please forgive typos.
On Mar 29, 2014, at 3:15, Måns Nilsson <mansaxel@besserwisser.org> wrote: Quoting John R. Levine (johnl@iecc.com):
Ergo, ad hominem. Please quit doing that. As a side note I happen to run my own mail server without spam filters -- it works for me. I might not be the norm, but then again, is there really a norm? (A norm that transcends SMTP RFC reach, that is --
I know a lot of people who run a lot of mail systems, and let's just say you're so far out in the long tail we need a telescope to see you.
I will not debate with people who resort to humiliation techniques when questioned.
I will not argue whether you were humiliated as that is something only you can decide.
The puny attempt at "master suppression technique"[0] was identified as such and countermeasures were launched. No damage done.
However, John was still factually correct. No big deal, lots of people are humiliated by facts. Although I admit I didn't find the quote above terribly humiliating myself.
You have a point. Further, I do not debate the truth in the statement. My personal email system IS small -- I did even state that -- but that does not mean I do not run larger systems for others, nor does it mean that the general public should dismiss my ideas and only listen to people who brag about their acquaintances. There are other much more compelling reasons not to do as I say.
Also, realize that John has already done more to stop spam in his career then you and your thousand closest friends ever will. (E.g. Look up abuse.net.) Again not humiliation, just a fact.
Feel free to plonk me as well. I won't be humiliated. :-)
I won't. There is a clear divide between politely pointing out facts and abusing facts to tell people that their opinion does not matter. And, for the record, I do not support spamming in any form. But the mitigation techniques MUST NOT impose undue constraints on the legitimate use of e-mail, even when it is not vetted by passing it through big insecure monitored US webmail providers. -- Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668 Vote for ME -- I'm well-tapered, half-cocked, ill-conceived and TAX-DEFERRED! [0] http://en.wikipedia.org/wiki/Master_suppression_techniques
On Mar 30, 2014, at 16:40 , Måns Nilsson <mansaxel@besserwisser.org> wrote:
Subject: Re: why IPv6 isn't ready for prime time, SMTP edition Date: Sat, Mar 29, 2014 at 11:06:11AM -0400 Quoting Patrick W. Gilmore (patrick@ianai.net):
On Mar 29, 2014, at 3:15, Måns Nilsson <mansaxel@besserwisser.org> wrote: Quoting John R. Levine (johnl@iecc.com):
Ergo, ad hominem. Please quit doing that. As a side note I happen to run my own mail server without spam filters -- it works for me. I might not be the norm, but then again, is there really a norm? (A norm that transcends SMTP RFC reach, that is --
I know a lot of people who run a lot of mail systems, and let's just say you're so far out in the long tail we need a telescope to see you.
I will not debate with people who resort to humiliation techniques when questioned.
I will not argue whether you were humiliated as that is something only you can decide.
The puny attempt at "master suppression technique"[0] was identified as such and countermeasures were launched. No damage done.
I was serious. Your reaction .. well, I shouldn't say anything more lest you call me puny again. (What were you saying about humiliation techniques? Glad to see you would never be hypocritical.)
However, John was still factually correct. No big deal, lots of people are humiliated by facts. Although I admit I didn't find the quote above terribly humiliating myself.
You have a point. Further, I do not debate the truth in the statement. My personal email system IS small -- I did even state that -- but that does not mean I do not run larger systems for others, nor does it mean that the general public should dismiss my ideas and only listen to people who brag about their acquaintances. There are other much more compelling reasons not to do as I say.
You misunderstand. Or perhaps I did? I read John's statement to be in reference to your stance, i.e. running without spam filters. Not that your server is small. John can clarify if he likes. But either way, running without spam filters is beyond unusual these days. My personal server is run with very few filters, all of which REJECT or accept and send to a box I read. I have no "spam folder". So while I am not as far down the tail as you are, I am definitely out of the mainstream. The only reason I mention that is so you don't go researching for another reason to "identify" my comments as anything except exactly what they say.
Also, realize that John has already done more to stop spam in his career then you and your thousand closest friends ever will. (E.g. Look up abuse.net.) Again not humiliation, just a fact.
Feel free to plonk me as well. I won't be humiliated. :-)
I won't. There is a clear divide between politely pointing out facts and abusing facts to tell people that their opinion does not matter.
And, for the record, I do not support spamming in any form. But the mitigation techniques MUST NOT impose undue constraints on the legitimate use of e-mail, even when it is not vetted by passing it through big insecure monitored US webmail providers.
I like your use of MUST. However, I think you'll find your definition of "undue" and most of the rest of the Internet's is vastly different. -- TTFN, patrick
Subject: Re: why IPv6 isn't ready for prime time, SMTP edition Date: Mon, Mar 31, 2014 at 12:17:19AM -0400 Quoting Patrick W. Gilmore (patrick@ianai.net):
On Mar 30, 2014, at 16:40 , Måns Nilsson <mansaxel@besserwisser.org> wrote:
Subject: Re: why IPv6 isn't ready for prime time, SMTP edition Date: Sat, Mar 29, 2014 at 11:06:11AM -0400 Quoting Patrick W. Gilmore (patrick@ianai.net):
On Mar 29, 2014, at 3:15, Måns Nilsson <mansaxel@besserwisser.org> wrote: Quoting John R. Levine (johnl@iecc.com):
Ergo, ad hominem. Please quit doing that. As a side note I happen to run my own mail server without spam filters -- it works for me. I might not be the norm, but then again, is there really a norm? (A norm that transcends SMTP RFC reach, that is --
I know a lot of people who run a lot of mail systems, and let's just say you're so far out in the long tail we need a telescope to see you.
I will not debate with people who resort to humiliation techniques when questioned.
I will not argue whether you were humiliated as that is something only you can decide.
The puny attempt at "master suppression technique"[0] was identified as such and countermeasures were launched. No damage done.
I was serious. Your reaction .. well, I shouldn't say anything more lest you call me puny again. (What were you saying about humiliation techniques? Glad to see you would never be hypocritical.)
My apologies. I was not refering to your statement -- if that was not clear I should most certainly have written more clearly.
However, John was still factually correct. No big deal, lots of people are humiliated by facts. Although I admit I didn't find the quote above terribly humiliating myself.
You have a point. Further, I do not debate the truth in the statement. My personal email system IS small -- I did even state that -- but that does not mean I do not run larger systems for others, nor does it mean that the general public should dismiss my ideas and only listen to people who brag about their acquaintances. There are other much more compelling reasons not to do as I say.
You misunderstand. Or perhaps I did?
I read John's statement to be in reference to your stance, i.e. running without spam filters. Not that your server is small.
I read "you handle no big amount of e-mail and I know people who do and therefore you should STFU and not bother us with your silly ideas about following standards" in Johns message, and while that might seen like one of many interpretations of what was written, it is an interpretation I hope to be not so far out on the insulted fringe so as to be silly.
John can clarify if he likes. But either way, running without spam filters is beyond unusual these days.
Indeed.
My personal server is run with very few filters, all of which REJECT or accept and send to a box I read. I have no "spam folder". So while I am not as far down the tail as you are, I am definitely out of the mainstream. The only reason I mention that is so you don't go researching for another reason to "identify" my comments as anything except exactly what they say.
Oh, I'm not hoping to pick a fight. Bad move to pick fights with people that function as mediators.
Also, realize that John has already done more to stop spam in his career then you and your thousand closest friends ever will. (E.g. Look up abuse.net.) Again not humiliation, just a fact.
Feel free to plonk me as well. I won't be humiliated. :-)
I won't. There is a clear divide between politely pointing out facts and abusing facts to tell people that their opinion does not matter.
And, for the record, I do not support spamming in any form. But the mitigation techniques MUST NOT impose undue constraints on the legitimate use of e-mail, even when it is not vetted by passing it through big insecure monitored US webmail providers.
I like your use of MUST.
However, I think you'll find your definition of "undue" and most of the rest of the Internet's is vastly different.
I'm fully aware of that. The clear separation between network and application that is at the core of IP is easily compromised by the best intentions. -- Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668 I selected E5 ... but I didn't hear "Sam the Sham and the Pharoahs"!
On 3/25/14, 5:35 PM, John Levine wrote:
In article<3D7D0845-CB25-4C05-8FAB-F5728C8602DD@heliacal.net> you write:
The OP doesn't have control over the reverse DNS on the AT&T 6rd. Ah, OK, you're saying that their IPv6 isn't ready for prime time.
One would hope that with IPv6 this would change, but the attitude of looking down on end subscribers has been around forever. It has nothing to do with looking down on "subscribers" and everything to do with practicality. When 99,9% of mail sent directly from consumer IP ranges is botnet spam, and I think that's a reasonable estimate, we have better things to do than to spend a lot of our money expensively filtering that spam for the benefit of the GWL who is too cool to relay through a mail server with a real name.
I'm sure you are as vocal about outright rejecting messages for lack of SPF (even if softfail) and lack of DKIM as you are about requiring rDNS? Or perhaps making TLS mandatory, outright rejecting cleartext. Seems like the logical next step... Maybe too much overkill though, right? Hard to define when you cross over that line. Last time I checked, there is no RFC that states that using SMTP transport is mandatory with the originator having rDNS (ipv4/ipv6). It may be SUGGESTED or RECOMMENDED, but not MANDATORY or REQUIRED. It is an arbitrary decision made by each mail provider. Obviously, Google will do whatever they want, which is within their right. Doesn't mean though, that I can't express my disgust/annoyance in them doing it and for the added hassle it causes me. ------- I hope you understand where I'm coming from, John. I'm a huge supporter of IPv6 deployment - and have been using every opportunity I have had at my disposal to bring it to my end users, and make them excited about it too. The problem is, it blows my cred and rep with my end users when on day one of getting them set up and fully running on IPv6, they can't e-mail the local school district, or their business partners, because the other end uses Google mail. It makes me look like an idiot, and they start questioning why should they waste time/money on getting to be IPv6 ready. These kind of issues are things we are trying to avoid, but seem to be shooting ourselves in the foot on, even if unintentionally. Everything is a tradeoff, and in this case, I don't believe the tradeoff is worth the hassle it can cause. -- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org
In an attempt to get this thread back on topic: * Does Google require rDNS for IPv4 mail sources? If so, doing so for IPv6 shouldn't be a surprise. Your current provider's inability to support rDNS for IPv6 is not a protocol failure, it is a provider failure. If not, is there an additional operational reason for them to do so in IPv6? ... and in that case, I'd come to the same end result, provider-failure. ... ? /TJ
On 3/25/14, 7:58 PM, TJ wrote:
In an attempt to get this thread back on topic: * Does Google require rDNS for IPv4 mail sources?
After a quick test here, Google did not reject the mail from an IPv4 address that did not have rDNS.
If so, doing so for IPv6 shouldn't be a surprise. Your current provider's inability to support rDNS for IPv6 is not a protocol failure, it is a provider failure.
If not, is there an additional operational reason for them to do so in IPv6? ... and in that case, I'd come to the same end result, provider-failure.
... ?
Google willing to accept collateral damage for IPv6 mailing hosts, but too severe of collateral damage for IPv4 ones that would affect too many customers? Like I said in a previous response, if you are going to make rdns a requirement, why not make SPF and DKIM mandatory as well? -- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org
On 3/25/2014 10:25 PM, Brielle Bruns wrote:
Like I said in a previous response, if you are going to make rdns a requirement, why not make SPF and DKIM mandatory as well?
many ISPs ALREADY require rDNS. So making that standard official for IPv6 is isn't asking for much! It is a NATURAL progression. As I mentioned in a previous message, i think IPv6 should go farther and require FCrDNS, with the host name ending with the sender's actual real domain so that proper identity is conveyed. (then when a spammer uses a "throwaway domain" or known spammy domain... as the domain at the end of the rDNS, they have only themselves to blame when the message is rejected!) SPF is somewhat "dead"... because it breaks e-mail forwarding situations. Anyone who blocks on a bad SFP is going to have significant FPs. And by the time you've dialed down the importance of SPF to prevent FPs (either by the receiver not making too big of a deal about ir, or the sender using a NOT strict SFP), it then becomes impotent. About the only good usage of SPF is to change a domain's record to "strict" in situations where some e-mail on that domain is being "picked on" by a "joe job" where their address is forged into MANY spams over a period of time. (not just the occasional hit that everyone gets). otherwise, SPF is worthless. Maybe we should require DKIM for IPv6, too? But what I suggested about FCrDNS seems like a 1st step to me. -- Rob McEwen +1 (478) 475-9032
On Tue, 25 Mar 2014 22:51:11 -0400, Rob McEwen said:
On 3/25/2014 10:25 PM, Brielle Bruns wrote:
Like I said in a previous response, if you are going to make rdns a requirement, why not make SPF and DKIM mandatory as well?
many ISPs ALREADY require rDNS. So making that standard official for IPv6 is isn't asking for much! It is a NATURAL progression.
There's still a lot of ancient mail servers out there in v4 land, that were set up before PTRs were pseudo-required by most places, so we end up cutting them some slack under a grandfather clause. There's probably less than a dozen ASNs that have mailservers that speak IPv6 that were deployed before requring PTRs became common, so they have much less of an excuse not to do so....
Maybe we could give everyone globally unique numbers and end to end connectivity. Then maybe the users themselves can send email directly to each other without going through this ESP cartel. -Laszlo On Mar 26, 2014, at 2:51 AM, Rob McEwen <rob@invaluement.com> wrote:
On 3/25/2014 10:25 PM, Brielle Bruns wrote:
Like I said in a previous response, if you are going to make rdns a requirement, why not make SPF and DKIM mandatory as well?
many ISPs ALREADY require rDNS. So making that standard official for IPv6 is isn't asking for much! It is a NATURAL progression. As I mentioned in a previous message, i think IPv6 should go farther and require FCrDNS, with the host name ending with the sender's actual real domain so that proper identity is conveyed. (then when a spammer uses a "throwaway domain" or known spammy domain... as the domain at the end of the rDNS, they have only themselves to blame when the message is rejected!)
SPF is somewhat "dead"... because it breaks e-mail forwarding situations. Anyone who blocks on a bad SFP is going to have significant FPs. And by the time you've dialed down the importance of SPF to prevent FPs (either by the receiver not making too big of a deal about ir, or the sender using a NOT strict SFP), it then becomes impotent. About the only good usage of SPF is to change a domain's record to "strict" in situations where some e-mail on that domain is being "picked on" by a "joe job" where their address is forged into MANY spams over a period of time. (not just the occasional hit that everyone gets). otherwise, SPF is worthless.
Maybe we should require DKIM for IPv6, too? But what I suggested about FCrDNS seems like a 1st step to me.
-- Rob McEwen +1 (478) 475-9032
On 3/25/14, 6:24 PM, Brielle Bruns wrote:
The problem is, it blows my cred and rep with my end users when on day one of getting them set up and fully running on IPv6, they can't e-mail the local school district, or their business partners, because the other end uses Google mail. It makes me look like an idiot, and they start questioning why should they waste time/money on getting to be IPv6 ready.
I don't quite see how this is anything to do with IPv6. If you set up an IPv4 mail server with no reverse DNS, your mail would be rejected by many servers, too. And there are certainly plenty of providers who won't let you configure the reverse DNS of an IPv4 address. Your provider assigned you an IP address with no reverse DNS, and you set up a mail server on that IP address. Most people would say that was unreliable even before knowing you're talking about IPv6 instead of IPv4. <shrug> -- Robert L Mathews, Tiger Technologies, http://www.tigertech.net/
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 3/25/2014 7:03 PM, Robert L Mathews wrote:
On 3/25/14, 6:24 PM, Brielle Bruns wrote:
The problem is, it blows my cred and rep with my end users when on day one of getting them set up and fully running on IPv6, they can't e-mail the local school district, or their business partners, because the other end uses Google mail. It makes me look like an idiot, and they start questioning why should they waste time/money on getting to be IPv6 ready.
I don't quite see how this is anything to do with IPv6.
If you set up an IPv4 mail server with no reverse DNS, your mail would be rejected by many servers, too. And there are certainly plenty of providers who won't let you configure the reverse DNS of an IPv4 address.
Your provider assigned you an IP address with no reverse DNS, and you set up a mail server on that IP address. Most people would say that was unreliable even before knowing you're talking about IPv6 instead of IPv4. <shrug>
Also, please do *not* expect folks to toss anti-spam measures out the window just because they might move to v6. That would be naive. - - ferg - -- Paul Ferguson VP Threat Intelligence, IID PGP Public Key ID: 0x54DC85B2 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (MingW32) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iF4EAREIAAYFAlMyNqkACgkQKJasdVTchbLmvgEA14CAn9T40qTwPwWMksDxMptb tROSknvz1UftBJNZqrsA+wfqdNtseWZinWAlGIs7AnaIsWb+A21iQovv0rRW1Nny =Wdwe -----END PGP SIGNATURE-----
On 3/25/14, 8:08 PM, Paul Ferguson wrote:
Also, please do*not* expect folks to toss anti-spam measures out the window just because they might move to v6.
That would be naive.
Of course not, been spending the last few months trying to adapt my own anti-spam measures to work properly for IPv6, as well as trying to figure out how to handle IPv6 listings in the AHBL's DNSbl. Its frustrating, but a necessity. -- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org
On 3/25/14, 8:03 PM, Robert L Mathews wrote:
I don't quite see how this is anything to do with IPv6.
It does when you've got the job of trying to convince people who know nothing about how the internet works why they should invest time in something new. Unless, I'm wrong in that we're trying to encourage people to go dual stacked and not be solely dependent on IPv4...
If you set up an IPv4 mail server with no reverse DNS, your mail would be rejected by many servers, too. And there are certainly plenty of providers who won't let you configure the reverse DNS of an IPv4 address.
Yup, there are, and i've been on those providers in the past that did not consider IPv4 rdns important either. Google does not outright reject mail from hosts with no IPv4 rdns, from what my quick test a moment ago showed.
Your provider assigned you an IP address with no reverse DNS, and you set up a mail server on that IP address. Most people would say that was unreliable even before knowing you're talking about IPv6 instead of IPv4. <shrug>
Considering at the time of the deployment, I had no inclination that Google had enacted this policy, you can imagine my surprise, esp. after having said customer on an IPv4 addr previously that had no rdns either, and was sending mail to gmail fine. Call it unreliable all you want, there's more then a few mail servers out there with no rdns on both IPv4 and IPv6. -- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org
On 3/25/2014 9:24 PM, Brielle Bruns wrote:
Last time I checked, there is no RFC that states that using SMTP transport is mandatory with the originator having rDNS (ipv4/ipv6). It may be SUGGESTED or RECOMMENDED, but not MANDATORY or REQUIRED. It is an arbitrary decision made by each mail provider.
For IPv6, FCrDNS... using NOT "dynamic formatted" host names... and with the host name ending in the sender's main domain... *should* be mandatory. And +1 THOUSAND for everything that John Levine said in his last few messages! Additionally... [addressing this topic in general from here on, not talking specifically to Brielle...] I have a unique perspective on this... as I manage an anti-spam blacklist which blacklists many of the snowshoe spammers and "can-spam complient" spammers whose practices are 100% legal, and who are not sending to a single caught-you-red-handed honeypot trap. Many of them abuse blackhat and grayhat ESPs. Unfortunately, in some instanaces, that "abuse" is symbiotic ("wink wink"), where the blackhat ESP will know that a sender's practices are extremly suspect (or worse), but will look the other way in exchange for much needed revenue. In fact, with the worldwide economy still in somewhat of a drag for about the 6th year in the row, I'm seeing evidences that *some* ESPs are lowering their standards a little to even more accommodate this crap. Some once-proud ESP who claimed they never do this, are in fact doing it. Still, a HUGE deterrent is getting their IP reputation "soiled"up on senderbase.org and getting on many blacklists. That becomes a "safety net" that keeps some of these ESPs from going off the deep end. And, again, I'm on the front lines dealing with this everyday. Therefore, SCARCITY of IPv4 IPs... is a FEATURE.. NOT a bug when it comes to keeping ESPs under control. And it also gives hosters/datacenters motivation to likewise "police" potential customers because the hoster or datacenter is left with the damage long after they've kicked a spammer off of their network. ALL of that would "unravel"... ALL OF IT!!!!! ... if we all started using IPv6 for sending authenticated mail. (workstations sending mail to their own mail server could send via IPv6 all they wanted to.. that wouldn't be a problem at all) But if all or most MTAs switched to IPv6, it would be a nightmare and what is sad is that MANY people reading this message are STILL going to GREATLY underestimate my warning after reading this. There are, unfortunately, many poeple who won't listen to reason and logic and require a real world nightmare before they "believe"... much like a 2-year-old who doesn't believe his parents' warning to not touch a hot stove... until AFTER he touches it. But we don't all have that luxury, do we? IPv6 is a spammer's dream! But REQUIRING FCrDNS for IPv6 ... using a NOT "dynamic formatted" host name... and with the host name ending in the sender's main domain... would go a long way towards mitigating these problems as then there would be more "truth in sending" as the rDNS would then properly convey both reputation and identity to the sender. I wish that could becomes a universal IPv6 SMTP standard... yesterday! PS - but even then, I'm told that there may be issues with overrunning DNS caches should spammers send each spam from a unique IP.... and slowing down of processing of mail when rDNS lookups happen on each individual IP. To go back over the "root problem" that I never mentioned, a spammer would send out a million spams, each from a unique IP address, without even having that large of an IPv6 allocation. IPv6 MTAs is NOT something to be "rushed into". Anyone promoting rushing into that... is not very well informed. (to put it nicely).. or they are a spammer who can't wait for all the fun to commence. -- Rob McEwen
I'm sure you are as vocal about outright rejecting messages for lack of SPF (even if softfail) and lack of DKIM as you are about requiring rDNS?
Interesting guess, but completely wrong.
Or perhaps making TLS mandatory, outright rejecting cleartext.
Not until we have SMTP DANE.
Seems like the logical next step... Maybe too much overkill though, right? Hard to define when you cross over that line.
It's up to you. If you want people to accept your mail, you can send it the way they tell you to send it, since they are doing you a favor by accepting it all. If you just want to complain, I guess you post to nanog instead. R's, John
On Tue, Mar 25, 2014 at 11:35:57PM -0000, John Levine wrote:
It has nothing to do with looking down on "subscribers" and everything to do with practicality. When 99,9% of mail sent directly from consumer IP ranges is botnet spam, and I think that's a reasonable estimate, [...]
Data point: it's an extremely reasonable estimate. If anything, though, it's an underestimate: the actual rate has several more 9's in it. And if the sending host (a) has generic rDNS and/or (b) fingerprints as Windows, then it approaches 100% so closely as to not be worth arguing about. There is no point in performing any checks other than these on SMTP connections from such hosts. There is no reason to permit the conversation to continue to the DATA stage and to scrutinize the message contents. These actions are both wasteful and superfluous. The only correct action to take at this point is to issue an SMTP reject and end the conversation. It's a pity that this is true. But a decade-plus after the botnet problem became well-known, I can't name an ISP which has developed and deployed an effective mitigation strategy against them. So far it's been band-aids (blocking port 25) and PR (press conferences and initiatives and task forces etc.). ("botnet takedowns" are meaningless fluff and merely fodder for self-congratulatory press conferences. All those systems in the botnet are still compromised. All those systems are still vulnerable to the same attack vectors that resulted in their initial compromise. And quite likely before the ink is dry on the accompanying press release, other botnet operations will harvest them for use in their own operations. Meet the new boss, same as the old boss.) ---rsk
Lacking reverse should be one of many things to consider with rejecting e-mails, but should not be the only condition. And your opinion is just another one. Someone else has a different one. Resulting in the mess email is now. You won't believe the crap I read in bounces (it also gives a funny insight into the email chain/setup of a company).
Email security (against spam) should be fixed. Properly. Fine grained complaining should be possible (to the sender and all intermittent parties, as well as external parties). Make some RFCs that work please. David Hofstee Deliverability Management MailPlus B.V. Netherlands (ESP) -----Oorspronkelijk bericht----- Van: Brielle Bruns [mailto:bruns@2mbit.com] Verzonden: Tuesday, March 25, 2014 9:57 PM Aan: nanog@nanog.org Onderwerp: Re: why IPv6 isn't ready for prime time, SMTP edition On 3/25/14, 11:56 AM, John Levine wrote:
I think this would be a good time to fix your mail server setup. You're never going to get much v6 mail delivered without rDNS, because receivers won't even look at your mail to see if it's authenticated.
CenturyLink is reasonably technically clued so it shouldn't be impossible to get them to fix it.
Nothing wrong with my mail server setup, except the lack of RDNS. Lacking reverse should be one of many things to consider with rejecting e-mails, but should not be the only condition. That would be like outright refusing mail unless it had both SPF and DKIM on every single message. Sure, great in theory, does not work in reality and will result in lost mail from legit sources. Already spoken to CenturyLink about RDNS for ipv6 - won't have rdns until native IPv6. Currently, IPv6 seems to be delivered for those who want it, via 6rd. And, frankly, I'm not going to get in a fight with CenturyLink over IPv6 RDNS, considering that I am thankful that they are even offering IPv6 when other large providers aren't even trying to do so to their residential and small business customers. It is very easy for some to forget that not everyone has a gigabit fiber connection to their homes with ARIN assigned IPv4/IPv6 blocks announced over BGP. Some of us actually have to make do with (sometimes very) limited budgets and what the market is offering us and has made available. -- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org
On Tue, 25 Mar 2014, John Levine wrote:
It says a lot about the state of the art that people are still making uninformed guesses like this, non ironically.
Yep, SMTP and the whole spam fighting part of the Internet, isn't ready for IPv6. This is not IPv6 fault. I have repeatedly tried to get people interested in methods of making it possible for ISPs to publish their "per-customer" allocation size, so far without any success. Most of the time I seem to get "we did it a certain way for IPv4, it works, we don't want to change it" from people. IPv6 changes things. Lots of things. There will be a lot of work to catch up. It's too bad that the part of the ecosystem that fights spam have woken up so late. -- Mikael Abrahamsson email: swmike@swm.pp.se
On 2014-03-25, Mikael Abrahamsson <swmike@swm.pp.se> sent:
I have repeatedly tried to get people interested in methods of making it possible for ISPs to publish their "per-customer" allocation size, so far without any success. Most of the time I seem to get "we did it a certain way for IPv4, it works, we don't want to change it" from people.
So it's yet another chicken-and-egg problem to add to the pile for IPv6. Mail ops don't care because IPv6 isn't here, net ops delay IPv6 because mail isn't ready for it? This seems like to sort of problem that Mailops or MAAWG should be hammering out. There's a great opportunity to get some good BCP documents out there on "Here's how to do email in IPv6" before deployment goes past the point of no return. Spamhaus has had a fair amount of success with getting ISPs to participate in things like the PBL. Why not establish something similar for allocation sizes in IPv6? -- Chip Marshall <chip@2bithacker.net> http://2bithacker.net/
On Tue, Mar 25, 2014 at 12:51 PM, Mikael Abrahamsson <swmike@swm.pp.se>wrote:
On Tue, 25 Mar 2014, John Levine wrote:
It says a lot about the state of the art that people are still making uninformed guesses like this, non ironically.
I have repeatedly tried to get people interested in methods of making it possible for ISPs to publish their "per-customer" allocation size, so far without any success. Most of the time I seem to get "we did it a certain way for IPv4, it works, we don't want to change it" from people.
[snip] I would suggest the formation of an "IPv6 SMTP Server operator's club," with a system for enrolling certain IP address source ranges as "Active mail servers", active IP addresses and SMTP domain names under the authority of a member. And certain internet domain names as "Active SMTP domains" authorized to originate mail for specific SMTP servers. And some agreed upon operational policies, such as implementation of TLS using a certificate signed by the CA or a recognized SMTP club.... appropriate processing of abuse requests, and prompt administrator attention in the event of an abuse complaint or other mail issue. With replacement of de-facto default accept with de-facto default deny. E.g. If you didn't bother joining one of the whitelisting clubs we subscribe to and enrolling your mail server. The expectation should become "Nobody on the internet is going to accept mail from you" Spam was a major problem with IPv4..... With IPv6 we have an opportunity to set expectations that allow us to eliminate ad-hoc dedicated SMTP servers friendly to spammers, as an internet phenomenon.
IPv6 changes things. Lots of things. There will be a lot of work to catch up. It's too bad that the part of the ecosystem that fights spam have woken up so late.
-- Mikael Abrahamsson email: swmike@swm.pp.se
-- -JH
I would suggest the formation of an "IPv6 SMTP Server operator's club," with a system for enrolling certain IP address source ranges as "Active mail servers", active IP addresses and SMTP domain names under the authority of a member.
Surely you don't think this is a new idea. R's, John
On 25 Mar 2014 22:55:19 -0400, "John R. Levine" said:
I would suggest the formation of an "IPv6 SMTP Server operator's club," with a system for enrolling certain IP address source ranges as "Active mail servers", active IP addresses and SMTP domain names under the authority of a member.
Surely you don't think this is a new idea.
It can't be - it's listed on this very old page: http://www.rhyolite.com/anti-spam/you-might-be.html
On Tue, Mar 25, 2014 at 9:55 PM, John R. Levine <johnl@iecc.com> wrote:
I would suggest the formation of an "IPv6 SMTP Server operator's club,"
with a system for enrolling certain IP address source ranges as "Active
Surely you don't think this is a new idea.
Would it make it more unique; if I suggested creation of a new distributed Cryptocurrency something like 'MAILCoin' to track the memberships in the club and handle voting out of abusive mail servers: in a distributed manner, to ensure that no court could ever mandate that a certain IP address be accepted into the club? Not necessarily. But I haven't yet heard of any meaningful attempt to implement something like that. Obviously with IPv4; way too many "legacy" mail servers exist that will never bother to implement new protocols and practice improvements ---- even basic things, such as SMTP rejecting invalid recipients instead of sending unsolicited bounce replies to senders (forged by spammers).
R's, John
-- -JH
You only need Hotmail, Gmail, Yahoo on board and everyone will follow... They might even be able to dictate new SMTP RFCs. David Hofstee Deliverability Management MailPlus B.V. Netherlands (ESP) -----Oorspronkelijk bericht----- Van: Jimmy Hess [mailto:mysidia@gmail.com] Verzonden: Wednesday, March 26, 2014 4:17 AM Aan: John R. Levine CC: NANOG list Onderwerp: Re: why IPv6 isn't ready for prime time, SMTP edition On Tue, Mar 25, 2014 at 9:55 PM, John R. Levine <johnl@iecc.com> wrote:
I would suggest the formation of an "IPv6 SMTP Server operator's club,"
with a system for enrolling certain IP address source ranges as "Active
Surely you don't think this is a new idea.
Would it make it more unique; if I suggested creation of a new distributed Cryptocurrency something like 'MAILCoin' to track the memberships in the club and handle voting out of abusive mail servers: in a distributed manner, to ensure that no court could ever mandate that a certain IP address be accepted into the club? Not necessarily. But I haven't yet heard of any meaningful attempt to implement something like that. Obviously with IPv4; way too many "legacy" mail servers exist that will never bother to implement new protocols and practice improvements ---- even basic things, such as SMTP rejecting invalid recipients instead of sending unsolicited bounce replies to senders (forged by spammers).
R's, John
-- -JH
Would it make it more unique; if I suggested creation of a new distributed Cryptocurrency something like 'MAILCoin' to track the memberships in the club and handle voting out of abusive mail servers: in a distributed manner, to ensure that no court could ever mandate that a certain IP address be accepted into the club?
Not necessarily. But I haven't yet heard of any meaningful attempt to implement something like that. Obviously with IPv4; way too many "legacy" mail servers exist that will never bother to implement new protocols and practice improvements ---- even basic things, such as SMTP rejecting invalid recipients instead of sending unsolicited bounce replies to senders (forged by spammers).
How about something much simpler? We already are aware of bandwidth caps at service providers, there could just as well be email caps. How hard would it be to ask your customer how many emails we should expect them to send in a day? We don't need to be precise about it, just within an order of magnitude. For example, I could say that a residential user should not be over 750 a day and for a commercial user you could find out their projection and add to it to allow a reasonable headroom. Now, the service provider is protecting us from pwned systems within their network. If I get a residential customer asking for 100,000 emails per day I just might have some questions for them. It also seems that it would be easy for the service provider to send an alert to the customer telling them that they have hit their cap and make it easy for them to lift the cap if the traffic is actually legitimate. If they are lifting their cap too often you could investigate or run their outbound email through some type of filtering solution to see how it scores. Now, the providers that implement that system could be allowed to send me email and the ones that don't can't send me email. If this was adopted widely, it would put a lot of pressure on the service provider to get on-board. In that case your filters do not need to be that granular. This is not a spam proof solution but would cut down on the very high volume abusers. It also helps deal with the service providers that condone that sort of stuff and will punish them because you are going to lose customers fast if email from that provider is generally not accepted. Maybe if we start scoring against the originating service provider, instead of address blocks and stop accepting email from them, they might do something about the high volume offenders. Steven Naslund Chicago IL
How about something much simpler? We already are aware of bandwidth caps at service providers, there could just as well be email caps. How hard would it be to ask your customer how many emails we should expect them to send in a day?
Once again, I encourage my competitors to follow your advice. R's, John PS: There are plenty of giant botnets that only send a trickle of mail from each infected host, but the aggregate amount is enormous.
On Wed, Mar 26, 2014 at 4:16 AM, Jimmy Hess <mysidia@gmail.com> wrote:
Would it make it more unique; if I suggested creation of a new distributed Cryptocurrency something like 'MAILCoin' to track the memberships in the club and handle voting out of abusive mail servers: in a distributed manner, to ensure that no court could ever mandate that a certain IP address be accepted into the club?
"voting out" - in today's world we need to assume that spammers and other criminals have vastly more resources than what may be considered (sort of) good guys. For the same mechanism a CPU-bound cryptocurrency is not likely to succeed. -- Matthias
On Tue, Mar 25, 2014 at 10:16:37PM -0500, Jimmy Hess wrote:
Would it make it more unique; if I suggested creation of a new distributed Cryptocurrency something like 'MAILCoin' [...]
This is attempt to splash a few drops of water on the people who own the oceans. It won't work, for the same reasons that the last 1,723 very similar proposals won't work. ---rsk
On 3/25/2014 10:51 PM, Jimmy Hess wrote:
I would suggest the formation of an "IPv6 SMTP Server operator's club,"
That comes across too much like the failed FUSSP ideas. What happens when spammers try to get onboard? Who is the arbitrator? How fast could they react? And then you have legit senders who get infections or compromised accounts? Or what about a hoster who gets one bad-apple customer. This isn't so simple! Not so black & white. Yet if we instead focus on "truthful labeling of identity", then established e-mail reputation systems and established blacklists which have spent YEARS fine tuning these things... can be best prepared to sort these things about based on the reputation of the domain at the end of a sender's FCrDNS. Then the free market will properly choose the best blacklists that block the most spam with the least FPs... and the "politics" of some club won't be a negative factor. NOTE: antispam blacklists don't effectively work like men with their feet on a desk smoking cigars asking, 'should we block this sender'... 'should we whitelist this sender'... the spammers are ORDER OF MAGNITUDES faster than that! And then you'd have too many legit orgs that happen to be small.. that would be effectively blacklisted by not being able to get "into the club". i would be a nightmare! -- Rob McEwen +1 (478) 475-9032
On Tue, Mar 25, 2014 at 10:08 PM, Rob McEwen <rob@invaluement.com> wrote:
On 3/25/2014 10:51 PM, Jimmy Hess wrote:
I would suggest the formation of an "IPv6 SMTP Server operator's club,"
That comes across too much like the failed FUSSP ideas. What happens when spammers try to get onboard? Who is the arbitrator? How fast could
This is when you fall to other mechanisms, BUT you still raised the bar -- even if the spammers could get onboard -- your first choice of deny-by-default did have to fail first for that specific spammer.
they react? And then you have legit senders who get infections or compromised accounts? Or what about a hoster who gets one bad-apple
Again. Perfection not claimed. There is no one cure.
reputation systems and established blacklists which have spent YEARS fine tuning these things... can be best prepared to sort these things about based on the reputation of the domain at the end of a sender's
So-called fine-tuned reputation systems and established blacklists seriously need help. They spent years fine-tuning those things, BUT none of them work that well, either, well; they mostly work --- except on occasion when they do not.
'should we whitelist this sender'... the spammers are ORDER OF MAGNITUDES faster than that! And then you'd have too many legit orgs that happen to be small.. that would be effectively blacklisted by not being able to get "into the club". i would be a nightmare!
Organization size not a criteria. Only agreeing to follow whatever basic rules would be agreed upon, inclusive of mutual support and cooperation to address spam issues... Small legit orgs need the support more than anyone! Remember why FcRDNS works so well in the first place? Many spamming IPs are not intended to be mail servers in the first place. If the spammer was not running malicious code; there would be no SMTP client on that server. On the other hand... FcRDNS includes additional IPs that are also not intended to be mail servers. Requiring a Declarative assertion "This server IP address is definitely intended to originate messages to remote sites" Effectively limits spammers from just setting up a mail server on any random IP, by adding another pre-requisite on top of rDNS settings. -- -JH
On 03/25/2014 10:51 PM, Jimmy Hess wrote:
[snip]
I would suggest the formation of an "IPv6 SMTP Server operator's club," with a system for enrolling certain IP address source ranges as "Active mail servers", active IP addresses and SMTP domain names under the authority of a member.
... As has been mentioned, this is old hat. There is only one surefire way of doing away with spam for good, IMO. No one is currently willing to do it, though. That way? Make e-mail cost; have e-postage. No, I don't want it either. But where is the pain point for spam where this becomes less painful? If an enduser gets a bill for sending several thousand e-mails because they got owned by a botnet they're going to do something about it; get enough endusers with this problem and you'll get a class-action suit against OS vendors that allow the problem to remain a problem; you can get rid of the bots. This will trim out a large part of spam, and those hosts that insist on sending unsolicited bulk e-mail will get billed for it. That would also eliminate a lot of traffic on e-mail lists, too, if the subscribers had to pay the costs for each message sent to a list; I wonder what the cost would be for each post to a list the size of this one. If spam ceases to be profitable, it will stop. Of course, I reserve the right to be wrong, and this might all just be a pipe dream. (and yes, I've thought about what sort of billing infrastructure nightmare this could be.....)
Maybe you should focus on delivering email instead of refusing it. Or just keep refusing it and trying to bill people for it, until you make yourself irrelevant. The ISP based email made more sense when most end users - the people that we serve - didn't have persistent internet connections. Today, most users are always connected, and can receive email directly to our own computers, without a middle man. With IPv6 it's totally feasible since unique addressing is no longer a problem - there's no reason why every user can't have their own MTA. The problem is that there are many people who are making money off of email - whether it's the sending of mail or the blocking of it - and so they're very interested in breaking direct email to get 'the users' to rely on them. It should be entirely possible to build 'webmail' into home user CPEs or dedicated mailbox appliances, and let everyone deal with their own email delivery. The idea of having to pay other people to host email for you is as obsolete as NAT-for-security, and this IPv6 SMTP thread is basically covering the same ground. It boils down to: we have an old crappy system that works, and we don't want to change, because we've come to rely on the flaws of it and don't want them fixed. In the email case, people have figured out how to make money doing it, so they certainly want to keep their control over it. -Laszlo On Mar 26, 2014, at 2:07 PM, Lamar Owen <lowen@pari.edu> wrote:
On 03/25/2014 10:51 PM, Jimmy Hess wrote:
[snip]
I would suggest the formation of an "IPv6 SMTP Server operator's club," with a system for enrolling certain IP address source ranges as "Active mail servers", active IP addresses and SMTP domain names under the authority of a member.
...
As has been mentioned, this is old hat.
There is only one surefire way of doing away with spam for good, IMO. No one is currently willing to do it, though.
That way? Make e-mail cost; have e-postage. No, I don't want it either. But where is the pain point for spam where this becomes less painful? If an enduser gets a bill for sending several thousand e-mails because they got owned by a botnet they're going to do something about it; get enough endusers with this problem and you'll get a class-action suit against OS vendors that allow the problem to remain a problem; you can get rid of the bots. This will trim out a large part of spam, and those hosts that insist on sending unsolicited bulk e-mail will get billed for it. That would also eliminate a lot of traffic on e-mail lists, too, if the subscribers had to pay the costs for each message sent to a list; I wonder what the cost would be for each post to a list the size of this one. If spam ceases to be profitable, it will stop.
Of course, I reserve the right to be wrong, and this might all just be a pipe dream. (and yes, I've thought about what sort of billing infrastructure nightmare this could be.....)
This is totally ignoring a few facts. A: That the overwhelming majority of users don't have the slightest idea what an MTA is, why they would want one, or how to install/configure one. ISP/ESP hosted email is prevalent only partially to do with technical reasons and a lot to do with technical apathy on the part of the user base at large. Web hosting is the same way. A dedicated mailbox appliance would be another cost to the user that they would not understand why they need, and thus would not want. In a hypothetical tech-utopia, where everyone was fluent in bash (or powershell, take your pick), and read RFCs over breakfast instead of the newspaper, this would be an excellent solution. Meanwhile, in reality, technology frightens most people, and they are more than happy to pay someone else to deal with it for them. B: The relevant technical reason can be summarized as "good luck getting a residential internet connection with a static IP" (If your response includes the words "dynamic DNS" then please see point A) (Also I'm just going to briefly touch the fact that this doesn't address spam as a problem at all, and in fact would make that problem overwhelmingly worse, as MTAs would be expected to accept mail from everywhere, and we obviously can't trust end user devices or ISP CPE to be secure against intrusion) Scott Buettner Front Range Internet Inc NOC Engineer On 3/26/2014 8:33 AM, Laszlo Hanyecz wrote:
Maybe you should focus on delivering email instead of refusing it. Or just keep refusing it and trying to bill people for it, until you make yourself irrelevant. The ISP based email made more sense when most end users - the people that we serve - didn't have persistent internet connections. Today, most users are always connected, and can receive email directly to our own computers, without a middle man. With IPv6 it's totally feasible since unique addressing is no longer a problem - there's no reason why every user can't have their own MTA. The problem is that there are many people who are making money off of email - whether it's the sending of mail or the blocking of it - and so they're very interested in breaking direct email to get 'the users' to rely on them. It should be entirely possible to build 'webmail' into home user CPEs or dedicated mailbox appliances, and let everyone deal with their own email delivery. The idea of having to pay other people to host email for you is as obsolete as NAT-for-security, and this IPv6 SMTP thread is basically covering the same ground. It boils down to: we have an old crappy system that works, and we don't want to change, because we've come to rely on the flaws of it and don't want them fixed. In the email case, people have figured out how to make money doing it, so they certainly want to keep their control over it.
-Laszlo
On Mar 26, 2014, at 2:07 PM, Lamar Owen <lowen@pari.edu> wrote:
On 03/25/2014 10:51 PM, Jimmy Hess wrote:
[snip]
I would suggest the formation of an "IPv6 SMTP Server operator's club," with a system for enrolling certain IP address source ranges as "Active mail servers", active IP addresses and SMTP domain names under the authority of a member.
...
As has been mentioned, this is old hat.
There is only one surefire way of doing away with spam for good, IMO. No one is currently willing to do it, though.
That way? Make e-mail cost; have e-postage. No, I don't want it either. But where is the pain point for spam where this becomes less painful? If an enduser gets a bill for sending several thousand e-mails because they got owned by a botnet they're going to do something about it; get enough endusers with this problem and you'll get a class-action suit against OS vendors that allow the problem to remain a problem; you can get rid of the bots. This will trim out a large part of spam, and those hosts that insist on sending unsolicited bulk e-mail will get billed for it. That would also eliminate a lot of traffic on e-mail lists, too, if the subscribers had to pay the costs for each message sent to a list; I wonder what the cost would be for each post to a list the size of this one. If spam ceases to be profitable, it will stop.
Of course, I reserve the right to be wrong, and this might all just be a pipe dream. (and yes, I've thought about what sort of billing infrastructure nightmare this could be.....)
Scott, You are exactly right, in the current environment the things I'm suggesting seem unrealistic. My point is that it doesn't have to work the way it does today, with the webmail providers, the mail originators and the spam warriors all scratching each others' backs. There has been a LOT of work done to make webmail easy and everything else practically impossible, even if you do know how it works. What if Google, Apple, Sony or some other household brand, sold a TV with local mail capabilities, instead of pushing everyone to use their hosted services? If it doesn't work because we are blocking it on purpose, customers would demand that we make it work. Since this isn't a well known option today, casual (non tech) users don't know that they should be demanding it. As far as why someone would want an MTA, it doesn't take long to explain the benefits of having control over your own email instead of having a third party reading it all. The problem is that instead users are told they can't have it. MTAs are built into every user operating system and they would work just fine if the email community wasn't going out of their way to exclude them. The lack of rDNS is just one of the many ways to identify and discriminate against end users who haven't bought their way into the club. Spam is not a big problem for everyone. It's at a different scale for individuals and for large sites with many users. -Laszlo On Mar 26, 2014, at 2:58 PM, Scott Buettner <sbuettner@frii.net> wrote:
This is totally ignoring a few facts.
A: That the overwhelming majority of users don't have the slightest idea what an MTA is, why they would want one, or how to install/configure one. ISP/ESP hosted email is prevalent only partially to do with technical reasons and a lot to do with technical apathy on the part of the user base at large. Web hosting is the same way. A dedicated mailbox appliance would be another cost to the user that they would not understand why they need, and thus would not want. In a hypothetical tech-utopia, where everyone was fluent in bash (or powershell, take your pick), and read RFCs over breakfast instead of the newspaper, this would be an excellent solution. Meanwhile, in reality, technology frightens most people, and they are more than happy to pay someone else to deal with it for them.
B: The relevant technical reason can be summarized as "good luck getting a residential internet connection with a static IP"
(If your response includes the words "dynamic DNS" then please see point A)
(Also I'm just going to briefly touch the fact that this doesn't address spam as a problem at all, and in fact would make that problem overwhelmingly worse, as MTAs would be expected to accept mail from everywhere, and we obviously can't trust end user devices or ISP CPE to be secure against intrusion)
Scott Buettner Front Range Internet Inc NOC Engineer
On 3/26/2014 8:33 AM, Laszlo Hanyecz wrote:
Maybe you should focus on delivering email instead of refusing it. Or just keep refusing it and trying to bill people for it, until you make yourself irrelevant. The ISP based email made more sense when most end users - the people that we serve - didn't have persistent internet connections. Today, most users are always connected, and can receive email directly to our own computers, without a middle man. With IPv6 it's totally feasible since unique addressing is no longer a problem - there's no reason why every user can't have their own MTA. The problem is that there are many people who are making money off of email - whether it's the sending of mail or the blocking of it - and so they're very interested in breaking direct email to get 'the users' to rely on them. It should be entirely possible to build 'webmail' into home user CPEs or dedicated mailbox appliances, and let everyone deal with their own email delivery. The idea of having to pay other people to host email for you is as obsolete as NAT-for-security, and this IPv6 SMTP thread is basically covering the same ground. It boils down to: we have an old crappy system that works, and we don't want to change, because we've come to rely on the flaws of it and don't want them fixed. In the email case, people have figured out how to make money doing it, so they certainly want to keep their control over it.
-Laszlo
On Mar 26, 2014, at 2:07 PM, Lamar Owen <lowen@pari.edu> wrote:
On 03/25/2014 10:51 PM, Jimmy Hess wrote:
[snip]
I would suggest the formation of an "IPv6 SMTP Server operator's club," with a system for enrolling certain IP address source ranges as "Active mail servers", active IP addresses and SMTP domain names under the authority of a member.
...
As has been mentioned, this is old hat.
There is only one surefire way of doing away with spam for good, IMO. No one is currently willing to do it, though.
That way? Make e-mail cost; have e-postage. No, I don't want it either. But where is the pain point for spam where this becomes less painful? If an enduser gets a bill for sending several thousand e-mails because they got owned by a botnet they're going to do something about it; get enough endusers with this problem and you'll get a class-action suit against OS vendors that allow the problem to remain a problem; you can get rid of the bots. This will trim out a large part of spam, and those hosts that insist on sending unsolicited bulk e-mail will get billed for it. That would also eliminate a lot of traffic on e-mail lists, too, if the subscribers had to pay the costs for each message sent to a list; I wonder what the cost would be for each post to a list the size of this one. If spam ceases to be profitable, it will stop.
Of course, I reserve the right to be wrong, and this might all just be a pipe dream. (and yes, I've thought about what sort of billing infrastructure nightmare this could be.....)
What if Google, Apple, Sony or some other household brand, sold a TV with local mail capabilities, instead of pushing everyone to use their hosted services?
It would suck, because real users check their mail from their desktops, their laptops, and their phones. Your TV would not have the sophisticated mail sorting, archiving, and searching of the large mail systems. And, of course, when its cheap SSD flaked, you'd lose all your saved mail. I swear, this whole conversation feels like I've fallen through a wormhole into 1998.
In article <911CEC5C-2011-4C8D-9CC1-89DF2B4CB2C1@heliacal.net> you write:
Maybe you should focus on delivering email instead of refusing it
Since there is at least an order of magnitude more spam than real mail, I'll just channel Randy Bush and encourage my competitors to take your advice. R's, John
That way? Make e-mail cost; have e-postage.
Gee, I wondered how long it would take for this famous bad idea to reappear. I wrote a white paper ten years ago explaining why e-postage is a bad idea, and there is no way to make it work. Nothing of any importance has changed since then. http://www.taugh.com/epostage.pdf R's, John PS: Yes, I've heard of Bitcoins.
On 03/26/2014 12:59 PM, John Levine wrote:
That way? Make e-mail cost; have e-postage. Gee, I wondered how long it would take for this famous bad idea to reappear.
I wrote a white paper ten years ago explaining why e-postage is a bad idea, and there is no way to make it work. Nothing of any importance has changed since then.
And I remember reading this ten years ago. And I also remember thinking at the time that you missed one very important angle, and that is that the typical ISP has the technical capability to bill based on volume of traffic already, and could easily bill per-byte for any traffic with 'e-mail properties' like being on certain ports or having certain characteristics. Yeah, I'm well aware of the technical issues with that; I never said it was a good idea, but what is the alternative? I agree (and agreed ten years ago) with your assessment that the technical hurdles are large, but I disagree that they're completely insurmountable. At some point somebody is going to have to make an outgoing connection on port 25, and that would be the point of billing for the originating host. I don't like it, and I don't think it's a good idea, but the fact of the matter is that as long as spam is profitable there is going to be spam. Every technical anti-spam technique yet developed has a corresponding anti-anti-spam technique (bayesian filters? easy-peasy, just load Hamlet or the Z80 programmer's manual or somesuch as invisible text inside your e-mail, something I've seen in the past week (yes, I got a copy of the text for Zilog's Z80 manual inside spam this past week!). DNS BL's got you stopped? easy peasy, do a bit of address hopping.) The only way to finally and fully stop spam is financial motivation, there is no 'final' technical solution to spam; I and all my users wish there were.
Lamar Owen <lowen@pari.edu> wrote:
the typical ISP has the technical capability to bill based on volume of traffic already, and could easily bill per-byte for any traffic with 'e-mail properties' like being on certain ports or having certain characteristics.
Who do I send the bill to for mail traffic from 41.0.0.0/8 ? Tony. -- f.anthony.n.finch <dot@dotat.at> http://dotat.at/ Lundy, Fastnet, Irish Sea: Northwest veering east 4 or 5, occasionally 6 later in Irish Sea. Moderate or rough. Showers. Good, occasionally moderate.
On 03/26/2014 01:38 PM, Tony Finch wrote:
Who do I send the bill to for mail traffic from 41.0.0.0/8 ? Tony.
You don't. Their upstream(s) in South Africa would bill them for outgoing e-mail. Postage, at least for physical mail, is paid by the sender at the point of ingress to the postal network. Yes, there are ways of gaming physical mail, but they are rarely actually used; the challenge of an e-mail version of such a system would be making it dirt simple and relatively resistant to gaming; or at least making gaming the system more expensive than using the system. And let me reiterate: I don't like the idea, and I don't even think it is a good idea. But how else do we make spamming unprofitable? I'd love to see a real solution, but it just isn't here yet.
Lamar Owen <lowen@pari.edu> wrote:
On 03/26/2014 01:38 PM, Tony Finch wrote:
Who do I send the bill to for mail traffic from 41.0.0.0/8 ? Tony.
You don't. Their upstream(s) in South Africa would bill them for outgoing e-mail.
You mean Nigeria. So how do I get compensated for dealing with the junk they send me? Tony. -- f.anthony.n.finch <dot@dotat.at> http://dotat.at/ Thames, Dover, Wight, Portland, Plymouth: North 4 or 5, becoming variable 3 or 4, then east 4 or 5 later. Slight or moderate, but rough in southwest Plymouth. Rain or showers. Good, occasionally moderate.
On 03/26/2014 01:38 PM, Tony Finch wrote:
Who do I send the bill to for mail traffic from 41.0.0.0/8 ? Tony.
You don't. Their upstream(s) in South Africa would bill them for outgoing e-mail.
You mean Nigeria. So how do I get compensated for dealing with the junk they send me?
I am Mrs. Mariam Abacha with TEN MILLION DOLLARS in blocked mail payments in a bank account. I apologize for contacting you this way but it is urgent that your assistance be applied to repatriating those funds.
On Wednesday, March 26, 2014 08:26:14 PM Lamar Owen wrote:
You don't. Their upstream(s) in South Africa would bill them for outgoing e-mail.
<nit> Not all of 41/8 is served by South Africa :-). </nit> Mark.
On Thu, Mar 27, 2014 at 3:38 AM, Mark Tinka <mark.tinka@seacom.mu> wrote:
<nit> Not all of 41/8 is served by South Africa :-). </nit>
<nit> But a significant portion of it routes through London :-) </nit> *cough *cough co.tz to co.za, etc., etc. -Jim P.
On Thursday, March 27, 2014 09:48:09 AM Jim Popovitch wrote:
<nit> But a significant portion of it routes through London :-) </nit>
*cough *cough co.tz to co.za, etc., etc.
Perhaps, but that does not mean it's all served by South African ISP's. The London trombone is a separate issue. Mark.
And I also remember thinking at the time that you missed one very important angle, and that is that the typical ISP has the technical capability to bill based on volume of traffic already, and could easily bill per-byte for any traffic with 'e-mail properties' like being on certain ports or having certain characteristics. Yeah, I'm well aware of the technical issues with that; I never said it was a good idea, but what is the alternative?
Where do you expect them to send the bill? R's, John PS: The alternative is to deal directly with spam issues, rather than replacing them with even worse e-postage issues. One of the things I pointed out in that white paper is that as soon as you have real money involved, you're going to have a whole new set of frauds and scams that are likely to be worse than the ones you thought you were solving.
On 03/26/2014 01:42 PM, John Levine wrote:
And I also remember thinking at the time that you missed one very important angle, and that is that the typical ISP has the technical capability to bill based on volume of traffic already, and could easily bill per-byte for any traffic with 'e-mail properties' like being on certain ports or having certain characteristics. Yeah, I'm well aware of the technical issues with that; I never said it was a good idea, but what is the alternative? Where do you expect them to send the bill?
The entity with whom they already have a business relationship. Basically, if I'm an ISP I would bill each of my customers, with whom I already have a business relationship, for e-mail traffic. Do this as close to the edge as possible. And yes, I know, it will happen just about as soon as all edge networks start applying BCP38. I'm well aware of the limitations and challenges, but I'm also well aware of how ungainly and broken current anti-spam measures are.
One of the things I pointed out in that white paper is that as soon as you have real money involved, you're going to have a whole new set of frauds and scams that are likely to be worse than the ones you thought you were solving. Yes, and this is the most challenging aspect.
Again, I'm not saying e-postage is a good idea (because I don't think it is), but the fact of the matter is, like any other crime, as long as e-mail unsolicited commercial e-mail is profitable it will be done. So, what other ways are there to make unsolicited commercial e-mail unprofitable?
Lamar Owen <lowen@pari.edu> wrote:
The entity with whom they already have a business relationship. Basically, if I'm an ISP I would bill each of my customers, with whom I already have a business relationship, for e-mail traffic. Do this as close to the edge as possible.
Ooh, excellent, so I can deliver loads of spam to them and charge them for it! Tony. -- f.anthony.n.finch <dot@dotat.at> http://dotat.at/ Biscay: Northwest 4 or 5, becoming variable 4. Moderate or rough. Rain or showers. Good, occasionally moderate.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 3/26/2014 11:45 AM, Lamar Owen wrote:
So, what other ways are there to make unsolicited commercial e-mail unprofitable?
Well, perhaps not by punishing legitimate SMTP senders who have done nothing wrong. Don't get me wrong -- I already *pay* to send mail. I migrated all of my personal e-mail off of free webmail platforms some time ago to a paid service (e.g. "If you are not paying for a service, you are the product."). - - ferg - -- Paul Ferguson VP Threat Intelligence, IID PGP Public Key ID: 0x54DC85B2 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (MingW32) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iF4EAREIAAYFAlMzJ50ACgkQKJasdVTchbItSQD8DKy1yGJ68b4yNgl0ttoGMjHs RtLTqY6vunNnzgvcXlUBAMLeosoLBKQTcjYkZAYnLqObjXJU4EZQN60vjI0C+FUY =exPx -----END PGP SIGNATURE-----
On March 26, 2014 at 16:59 johnl@iecc.com (John Levine) wrote:
I wrote a white paper ten years ago explaining why e-postage is a bad idea, and there is no way to make it work. Nothing of any importance has changed since then.
It's a fine white paper, I just read it again. But it does tend to make the best the enemy of the good. I remember during the metered bandwidth arguments many years ago people asserting similarly that it was (practically) impossible to implement, would just anger people, was full of holes (hey I can't completely control my bandwidth usage, some outsider could run it up!), etc. Yet, here we are in a world of (mobile) bandwidth caps etc. Big money has a way of focusing efforts. I actually think we're just not quite there yet as horrid as spam is. This is what I alluded to in my previous message. The next leg will be when the line between "spam" as in questionable content and commercial "ham" grows fuzzier and fuzzier. There are for examplee about 1,000 Fortune 1,000 companies, many of which can name any of us legitimate business contacts. And many of them have dozens if not hundreds of sub-divisions (e.g., insurance brokers) who also would qualify as not spam under commonly accepted definitons (and CAN-SPAM.) And they will be motivated by the same things which motivated spammers: (nearly) Free access to our eyeballs, push technology. My guess is the next generation solution won't be motivated by end-users being overwhelmed though that will be cited. It will be motivated by the opportunity to outcapitalize access to our eyeballs as they realize no one is reading the thousands of pieces of ham per day, let alone the spam. This is independent of reputation and similar identity services as a filter: They're all legitimate! Every one of the 5,000 messages you got that day were perfectly legitimate, anyone you ever gave your credit card to for example. Anyhow, obviously I can go on and on, it's a complex subject. But I think the solutions will be driven by the creation of economics around the problem, just as they often are in real life. And a lot of the leakage can be mitigated merely by big men with big sticks once money is a factor, rather than magic algorithms (though they will help of course.) -- -Barry Shein The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
On Wed, Mar 26, 2014 at 9:59 AM, John Levine <johnl@iecc.com> wrote:
That way? Make e-mail cost; have e-postage.
Gee, I wondered how long it would take for this famous bad idea to reappear.
I wrote a white paper ten years ago explaining why e-postage is a bad idea, and there is no way to make it work. Nothing of any importance has changed since then.
http://www.taugh.com/epostage.pdf
R's, John
PS: Yes, I've heard of Bitcoins.
Good lord. I love your page about how a micropayment handling system would have to be so immense it couldn't possibly be built, because otherwise someone would have built one by now. The numbers you list in your argument against a micropayment system being able to function are a fraction of the number of transactions Facebook deals with in updating newsfeeds for the billion+ users on their system.[0] You're postulating needing something 100x the size of the credit card processing system, which does 100,000,000 transactions/day. Facebook's presentation talks about doing billions *per second*, which if I do the math right, puts it conservatively at almost 900,000x the scale of the credit card processing system; certainly well beyond the threshold of what you considered necessary to handle email micropayment transactions. I suspect your notion of "Creating a transaction system large enough for e-postage would be prohibitively expensive." is no longer true. Matt [0] https://www.usenix.org/conference/nsdi13/technical-sessions/presentation/nis...
The numbers you list in your argument against a micropayment system being able to function are a fraction of the number of transactions Facebook deals with in updating newsfeeds for the billion+ users on their system.[0]
... which is completely irrelevant because they don't have a double spending problem. Sheesh. It's easy to scale up stuff that is trivially parallelizable.* Also, I wrote that ten years ago. Add an extra zero or two to the numbers if you want, but it doesn't make any difference. Regards, John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly * - a term of art, look it up
On Sat, Mar 29, 2014 at 7:40 PM, John R. Levine <johnl@iecc.com> wrote:
The numbers you list in your argument against a micropayment
system being able to function are a fraction of the number of transactions Facebook deals with in updating newsfeeds for the billion+ users on their system.[0]
... which is completely irrelevant because they don't have a double spending problem. Sheesh. It's easy to scale up stuff that is trivially parallelizable.*
Apparently, in the intervening 10 years since you wrote that, you might have missed some advances in the state of the art in computer science. http://arxiv.org/abs/0802.0832v1 I quote from the abstract: " Contrary to the commonly held belief that this is fundamentally impossible, we propose several solutions that do achieve a reasonable level of double spending prevention" I suggest you update your 'commonly held belief' that the double spending problem is intractable. ;)
Also, I wrote that ten years ago. Add an extra zero or two to the numbers if you want, but it doesn't make any difference.
Perhaps the number of zeroes doesn't make a difference; but solving the double spending problem would seem to play a much bigger role in making a difference to your conclusion from ten years ago. Note that one of the concepts around the double spending problem is that of offline spending being able to happen in massively large scale in very short time before the network is rejoined; however, in the case of email, that situation is largely a dead end; if you're not online, you're not going to be making very many mail connections. What may have been seen as impossible ten years ago may now be completely feasible. ^_^;
Regards, John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly
* - a term of art, look it up
Thanks! Matt
" Contrary to the commonly held belief that this is fundamentally impossible, we propose several solutions that do achieve a reasonable level of double spending prevention"
Yes, that's Bitcoin's claim to fame.
Perhaps the number of zeroes doesn't make a difference; but solving the double spending problem would seem to play a much bigger role in making a difference to your conclusion from ten years ago. Note that one of the concepts around the double spending problem is that of offline spending being able to happen in massively large scale in very short time before the network is rejoined; however, in the case of email, that situation is largely a dead end; if you're not online, you're not going to be making very many mail connections.
If you actually care about this, you might consider what would happen to the Bitcoin blockchain if it were attacked with millions of double spending transactions. This paper claims it can't prevent double spending, only prevent overspending by a factor of 100, which may be of theoretical interest but isn't of much practical use. We already know how to do approximate bulk counting. Oh, and on the last page, they think that hashcash works, to limit transaction rates. Anyway, if you reread my paper from a decade ago, the bank problem is only one of many problems with e-postage, each of which is fatal. R's, John
On Sat, 29 Mar 2014 18:05:39 -0700, Matthew Petach said:
system, which does 100,000,000 transactions/day. Facebook's presentation talks about doing billions *per second*, which if I
Fortunately for Facebook, they don't have to worry about double-spending problems, and you don't have to worry that much about authentication and security, because you control both ends of the transaction. It's easy to scale when you don't have to worry about the hard parts.
On Wed, 26 Mar 2014 10:07:22 -0400, Lamar Owen said:
it; get enough endusers with this problem and you'll get a class-action suit against OS vendors that allow the problem to remain a problem; you can get rid of the bots.
You *do* realize that the OS vendor can't really do much about users who click on stuff they shouldn't, or reply to phishing emails, or most of the other ways people *actually* get pwned these days? Hint: Microsoft *tried* to fix this with UAC. The users rioted.
You *do* realize that the OS vendor can't really do much about users who click on stuff they shouldn't, or reply to phishing emails, or most of the other ways people *actually* get pwned these days? Hint: Microsoft *tried* to fix this with UAC. The users rioted. Yep, I do realize that and I do remember the UAC 'riots.' But the OS vendor can make links that are clicked run in a sandbox and make said sandbox robust. A user clicking on an e-mail link should not be able to
On 03/26/2014 02:59 PM, Valdis.Kletnieks@vt.edu wrote: pwn the system. Period. Most of the phishing e-mails I've sent don't have a valid reply-to, from, or return-path; replying to them is effectively impossible, and the linked/attached/inlined payload is the attack vector.
On 03/26/2014 03:56 PM, Lamar Owen wrote:
Most of the phishing e-mails I've sent don't have a valid reply-to, from, or return-path; replying to them is effectively impossible, and the linked/attached/inlined payload is the attack vector.
Blasted spellcheck.... Now that everybody has had a good laugh; I've not 'sent' *any* phishing e-mails, but I have *seen* plenty. Argh.
LoL Spellcheck… Helping you correctly spell the incorrect word every time. Owen On Mar 26, 2014, at 1:03 PM, Lamar Owen <lowen@pari.edu> wrote:
On 03/26/2014 03:56 PM, Lamar Owen wrote:
Most of the phishing e-mails I've sent don't have a valid reply-to, from, or return-path; replying to them is effectively impossible, and the linked/attached/inlined payload is the attack vector.
Blasted spellcheck.... Now that everybody has had a good laugh; I've not 'sent' *any* phishing e-mails, but I have *seen* plenty. Argh.
On Mar 26, 2014, at 7:07 AM, Lamar Owen <lowen@pari.edu> wrote:
On 03/25/2014 10:51 PM, Jimmy Hess wrote:
[snip]
I would suggest the formation of an "IPv6 SMTP Server operator's club," with a system for enrolling certain IP address source ranges as "Active mail servers", active IP addresses and SMTP domain names under the authority of a member.
...
As has been mentioned, this is old hat.
There is only one surefire way of doing away with spam for good, IMO. No one is currently willing to do it, though.
That way? Make e-mail cost; have e-postage. No, I don't want it either. But where is the pain point for spam where this becomes less painful? If an enduser gets a bill for sending several thousand e-mails because they got owned by a botnet they're going to do something about it; get enough endusers with this problem and you'll get a class-action suit against OS vendors that allow the problem to remain a problem; you can get rid of the bots. This will trim out a large part of spam, and those hosts that insist on sending unsolicited bulk e-mail will get billed for it. That would also eliminate a lot of traffic on e-mail lists, too, if the subscribers had to pay the costs for each message sent to a list; I wonder what the cost would be for each post to a list the size of this one. If spam ceases to be profitable, it will stop.
Of course, I reserve the right to be wrong, and this might all just be a pipe dream. (and yes, I've thought about what sort of billing infrastructure nightmare this could be.....)
Actually, a variant on that that might be acceptable… Make e-postage a deposit-based thing. If the recipient has previously white-listed you or marks your particular message as “desired”, then you get your postage back. If not, then your postage is put into the recipients e-postage account to offset the cost of their emails. Thoughts? Owen
Actually, a variant on that that might be acceptable� Make e-postage a deposit-based thing. If the recipient has previously white-listed you or marks your particular message as �desired�, then you get your postage back. If not, then your postage is put into the recipients e-postage account to offset the cost of their emails.
Thoughts?
You could have bought the patent on this WKBI on eBay last year: http://www.ebay.com/itm/251279133681 When I was running the ASRG, I set up a wiki where we could keep a taxonomy of anti-spam techniques, so we could save time and just point people at it when they reinvent them. It's still there, contributions of anything we've missed are still welcome: http://wiki.asrg.sp.am/wiki/Attention_bonds R's, John PS: Well Known Bad Idea
On March 26, 2014 at 22:25 owen@delong.com (Owen DeLong) wrote:
Actually, a variant on that that might be acceptable� Make e-postage a deposit-based thing. If the recipient has previously white-listed you or marks your particular message as �desired�, then you get your postage back. If not, then your postage is put into the recipients e-postage account to offset the cost of their emails.
Thoughts?
It's a fine idea but too complicated. Look, the (paper) post office doesn't say "oh, you WANTED that mail, ok, then we'll return the cost of postage to the sender!" Why? Because if they did that people would game the system, THEY'D SPAM! And it would take way too much bookkeeping and fraud identification etc. Let's take a deep breath and re-examine the assumptions: Full scale spammers send on the order of one billion msgs per day. Which means if I gave your account 1M free msgs/day and could reasonably assure that you can't set up 1,000 such accts then you could not operate as a spammer. Who can't operate with 1M msgs/day? Well, maybe Amazon or similar. But as I said earlier MAYBE THEY SHOULD PAY ALSO! We really need to get over the moral component of spam content (and senders' intentions) and see it for what it is: A free ride anyone would take if available. Ok, a million free per acct might be too high but whatever, we can all go into committee and do studies and determine what the right number should be. I'd tend towards some sort of sliding scale myself, 100K/day free, 1M/day for $1, 10M/day for $100, 100M/day for $10K, etc. Something like that. Why would it work? Because that's how human society works. People who are willing to pay their $10K/mo will demand something be done about freeloaders, enforcement has to be part of the cost overhead. And it'd create an economy for hunting down miscreants. There really is none now, outside of the higher profile DDoS or phishing sort of activities. I claim it wouldn't take much of this to shut down spammers. P.S. And in my vision accepting only email with valid e-postage would be voluntary though I suppose that might be "voluntary" at the provider level. For example someone like gmail at some point (of successful implementation of this scheme) might decide to just block invalid e-postage because hey your gmail acct is free! Let someone else sell you rules you prefer like controlling acceptance of invalid e-postage yourself. -- -Barry Shein The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
On Mar 27, 2014, at 11:15 AM, Barry Shein <bzs@world.std.com> wrote:
On March 26, 2014 at 22:25 owen@delong.com (Owen DeLong) wrote:
Actually, a variant on that that might be acceptable… Make e-postage a deposit-based thing. If the recipient has previously white-listed you or marks your particular message as “desired”, then you get your postage back. If not, then your postage is put into the recipients e-postage account to offset the cost of their emails.
Thoughts?
It's a fine idea but too complicated.
Look, the (paper) post office doesn't say "oh, you WANTED that mail, ok, then we'll return the cost of postage to the sender!"
Why? Because if they did that people would game the system, THEY'D SPAM!
How would they benefit from that? SPAM — Pay, say $0.10/message. Then Claim you wanted the SPAM, get your $0.10/message back for each SPAM you sent to yourself. Or, claim you didn’t want the SPAM and get $0.05/message for each message you received while the original provider keeps the other $0.05.
And it would take way too much bookkeeping and fraud identification etc.
Please explain in detail where the fraud potential comes in. By my interpretation, you’d have to somehow get more back than you deposited (not really possible) in order to profit from sending SPAM this way.
Let's take a deep breath and re-examine the assumptions:
Full scale spammers send on the order of one billion msgs per day.
Which means if I gave your account 1M free msgs/day and could reasonably assure that you can't set up 1,000 such accts then you could not operate as a spammer.
Not sure how you enforce these user account requirements or how you avoid duplicative accounts.
Who can't operate with 1M msgs/day?
Well, maybe Amazon or similar.
But as I said earlier MAYBE THEY SHOULD PAY ALSO!
I, for one, don’t want my Amazon prices increased by a pseudo-tax on the fact that they do a large volume of email communications with their customers. They have enough problems trying to get IPv6 deployed without adding this to their list of problems.
We really need to get over the moral component of spam content (and senders' intentions) and see it for what it is: A free ride anyone would take if available.
I disagree. I see it as a form of theft of service that only immoral thieves would take if available.
Ok, a million free per acct might be too high but whatever, we can all go into committee and do studies and determine what the right number should be.
I'd tend towards some sort of sliding scale myself, 100K/day free, 1M/day for $1, 10M/day for $100, 100M/day for $10K, etc. Something like that.
Why would it work?
Because that's how human society works.
People who are willing to pay their $10K/mo will demand something be done about freeloaders, enforcement has to be part of the cost overhead.
But who charges these fees and how do they enforce those charges against miscreants that are sending from stolen hosts, bots, fraudulent IP addresses, etc.?
And it'd create an economy for hunting down miscreants.
So you’ve got a set of thieves who are stealing services to send vast volumes of email and you want to solve that problem by charging them more for those services that they are stealing (and, by the way, also charging some legitimate users as well). My guess is that the spammers are going to keep stealing and the people now being taxed for something that used to be free are going to object.
P.S. And in my vision accepting only email with valid e-postage would be voluntary though I suppose that might be "voluntary" at the provider level. For example someone like gmail at some point (of successful implementation of this scheme) might decide to just block invalid e-postage because hey your gmail acct is free! Let someone else sell you rules you prefer like controlling acceptance of invalid e-postage yourself.
Well, here we get a hint at how you envision this working. There are lots of details that need to be solved in the implementation of such a scheme and I think the devil is prevalent among them. Owen
On Thu, 27 Mar 2014, Owen DeLong wrote:
On Mar 27, 2014, at 11:15 AM, Barry Shein <bzs@world.std.com> wrote:
Please explain in detail where the fraud potential comes in.
Spammer uses his botnet of zombie machines to send email from each of them to his own domain using the user's legitimate email address as From:. Spammer says it was unsolicited and keeps the full $.10/email that victim users have deposited into this escrow thing. Sounds a lot more profitable than regular spam. -- Brandon Ross Yahoo & AIM: BrandonNRoss +1-404-635-6667 ICQ: 2269442 Skype: brandonross Schedule a meeting: http://www.doodle.com/bross
On Mar 27, 2014, at 1:38 PM, Brandon Ross <bross@pobox.com> wrote:
On Thu, 27 Mar 2014, Owen DeLong wrote:
On Mar 27, 2014, at 11:15 AM, Barry Shein <bzs@world.std.com> wrote:
Please explain in detail where the fraud potential comes in.
Spammer uses his botnet of zombie machines to send email from each of them to his own domain using the user's legitimate email address as From:. Spammer says it was unsolicited and keeps the full $.10/email that victim users have deposited into this escrow thing.
Sounds a lot more profitable than regular spam.
You say this like having a tax on running a botted computer on the internet would be a bad thing. I agree that it would provide a bit of profit to the spammers for a very short period of time, but I bet it would get a lot of bots fixed pretty quick. Owen
On Thu, 27 Mar 2014, Owen DeLong wrote:
On Mar 27, 2014, at 1:38 PM, Brandon Ross <bross@pobox.com> wrote:
On Thu, 27 Mar 2014, Owen DeLong wrote:
On Mar 27, 2014, at 11:15 AM, Barry Shein <bzs@world.std.com> wrote:
Please explain in detail where the fraud potential comes in.
Spammer uses his botnet of zombie machines to send email from each of them to his own domain using the user's legitimate email address as From:. Spammer says it was unsolicited and keeps the full $.10/email that victim users have deposited into this escrow thing.
Sounds a lot more profitable than regular spam.
You say this like having a tax on running a botted computer on the internet would be a bad thing.
Heh, perhaps not...
I agree that it would provide a bit of profit to the spammers for a very short period of time, but I bet it would get a lot of bots fixed pretty quick.
I don't think so. The motivations to continue to game the system are much stronger under this scheme because the profits are immediate and direct. A spammer no longer has to just hope that the advertising, phishing or whatever they are up to is acted upon by the user, instead they get a somewhat immediate cash payout that's not dependent on the user. -- Brandon Ross Yahoo & AIM: BrandonNRoss +1-404-635-6667 ICQ: 2269442 Skype: brandonross Schedule a meeting: http://www.doodle.com/bross
On Mar 28, 2014, at 5:27 AM, Brandon Ross <bross@pobox.com> wrote:
On Thu, 27 Mar 2014, Owen DeLong wrote:
On Mar 27, 2014, at 1:38 PM, Brandon Ross <bross@pobox.com> wrote:
On Thu, 27 Mar 2014, Owen DeLong wrote:
On Mar 27, 2014, at 11:15 AM, Barry Shein <bzs@world.std.com> wrote:
Please explain in detail where the fraud potential comes in.
Spammer uses his botnet of zombie machines to send email from each of them to his own domain using the user's legitimate email address as From:. Spammer says it was unsolicited and keeps the full $.10/email that victim users have deposited into this escrow thing.
Sounds a lot more profitable than regular spam.
You say this like having a tax on running a botted computer on the internet would be a bad thing.
Heh, perhaps not...
I agree that it would provide a bit of profit to the spammers for a very short period of time, but I bet it would get a lot of bots fixed pretty quick.
I don't think so. The motivations to continue to game the system are much stronger under this scheme because the profits are immediate and direct. A spammer no longer has to just hope that the advertising, phishing or whatever they are up to is acted upon by the user, instead they get a somewhat immediate cash payout that's not dependent on the user.
This assumes a different economic model of SPAM that I have been lead to believe exists. My understanding is that the people sending the SPAM get paid immediately and that the people paying them to send it are the ones hoping that the advertising/phishing/etc. are acted on. Owen
On Fri, 28 Mar 2014, Owen DeLong wrote:
This assumes a different economic model of SPAM that I have been lead to believe exists.
My understanding is that the people sending the SPAM get paid immediately and that the people paying them to send it are the ones hoping that the advertising/phishing/etc. are acted on.
Fine, then the people paying the people who do the spamming have more of an incentive to pay higher rates and more spammers. It doesn't really matter how may layers of abstraction there are, the point is that the main motivator has become more attractive. -- Brandon Ross Yahoo & AIM: BrandonNRoss +1-404-635-6667 ICQ: 2269442 Skype: brandonross Schedule a meeting: http://www.doodle.com/bross
On Mar 28, 2014, at 6:30 AM, Brandon Ross <bross@pobox.com> wrote:
On Fri, 28 Mar 2014, Owen DeLong wrote:
This assumes a different economic model of SPAM that I have been lead to believe exists.
My understanding is that the people sending the SPAM get paid immediately and that the people paying them to send it are the ones hoping that the advertising/phishing/etc. are acted on.
Fine, then the people paying the people who do the spamming have more of an incentive to pay higher rates and more spammers. It doesn't really matter how may layers of abstraction there are, the point is that the main motivator has become more attractive.
Perhaps… But I’m not convinced. Today we have more than sufficient motivation to continue to game the system and virtually no incentive to make the system less open to gaming. While I agree this would increase economic incentives to game the system slightly, it would also add some rather strong incentives to improve security and make the process of gaming much harder. Perhaps this isn’t a good solution, but it certainly cannot be argued that what we are doing so far is working. Owen
On Fri, 28 Mar 2014 06:22:32 -0700, Owen DeLong said:
This assumes a different economic model of SPAM that I have been lead to believe exists.
My understanding is that the people sending the SPAM get paid immediately and that the people paying them to send it are the ones hoping that the advertising/ phishing/etc. are acted on.
Only because we haven't given them a way to monetize it immediately.
You say this like having a tax on running a botted computer on the internet would be a bad thing.
I agree that it would provide a bit of profit to the spammers for a very short period of time, but I bet it would get a lot of bots fixed pretty quick.
What would actually happen is that the users would refuse to pay their ISPs for their bot mail, the ISPs would refuse to pay the recipients, and the whole thing would collapse. Like I said in my decade old white paper, the problems when real money are involved will be worse than the ones they purport to solve. On the other hand, if you plan to go ahead with this WKBI, I'll let Phil Raymond know. He'd love to do something with that patent. R's, John
On March 27, 2014 at 12:14 owen@delong.com (Owen DeLong) wrote:
On Mar 27, 2014, at 11:15 AM, Barry Shein <bzs@world.std.com> wrote:
On March 26, 2014 at 22:25 owen@delong.com (Owen DeLong) wrote:
Actually, a variant on that that might be acceptable� Make e-postage a deposit-based thing. If the recipient has previously white-listed you or marks your particular message as �desired�, then you get your postage back. If not, then your postage is put into the recipients e-postage account to offset the cost of their emails.
Thoughts?
It's a fine idea but too complicated.
Look, the (paper) post office doesn't say "oh, you WANTED that mail, ok, then we'll return the cost of postage to the sender!"
Why? Because if they did that people would game the system, THEY'D SPAM!
How would they benefit from that?
From what, being able to send free paper mail? I think that would be considered a benefit by most junk mail advertisers. But see next...
SPAM � Pay, say $0.10/message. Then Claim you wanted the SPAM, get your $0.10/message back for each SPAM you sent to yourself. Or, claim you didn�t want the SPAM and get $0.05/message for each message you received while the original provider keeps the other $0.05.
And it would take way too much bookkeeping and fraud identification etc.
Please explain in detail where the fraud potential comes in.
By my interpretation, you�d have to somehow get more back than you deposited (not really possible) in order to profit from sending SPAM this way.
Well, it's advertising, so they do. Advertising is a valuable commodity. Free advertising is particularly valuable, ROI with I close to zero. Look, we can get lost in metaphors, but the point is that by the time the post office gets your mail to your doorstep virtually all the cost is sunk. So offering to not charge you because you wanted that mail makes no sense, right?
Let's take a deep breath and re-examine the assumptions:
Full scale spammers send on the order of one billion msgs per day.
Which means if I gave your account 1M free msgs/day and could reasonably assure that you can't set up 1,000 such accts then you could not operate as a spammer.
Not sure how you enforce these user account requirements or how you avoid duplicative accounts.
If you want to attach e-postage you have to go get some and that can be a contract which says you don't do that, if you have multiple accounts you split it among your accounts or buy more. And if you do what you describe you understand that it is criminal fraud. Click Agree [ ] before proceeding, or similar.
Who can't operate with 1M msgs/day?
Well, maybe Amazon or similar.
But as I said earlier MAYBE THEY SHOULD PAY ALSO!
I, for one, don�t want my Amazon prices increased by a pseudo-tax on the fact that they do a large volume of email communications with their customers. They have enough problems trying to get IPv6 deployed without adding this to their list of problems.
That assumes that spam is free for them, and you. Including "free" as in "stealing your time". Also, companies like Amazon probably wouldn't mind being able to out-capitalize spammers and others in competing for your eyeballs. They could probably put a price on that. They're well aware that when they send you an email that says that some new book related to one you bought is available that the ad is surrounded by dozens if not hundreds of spam messages and likely you'll delete them all without reading. So that's already a cost to them in terms of wasted advertising effort and lost sales. I'd say we need to ask Amazon et al whether they'd see it as an economic plus if by paying a small amount of e-postage they could wipe out or seriously reduce all the chaff? Would that be a net positive or net negative to their bottom line? Although I can certainly understand skepticism about whether this approach would deliver effectively I don't think the business case, the dollar value of reducing spam significantly, is disputable. You'd always rather be the only billboard on the highway rather than just one in a hundred. Even if it costs you more (obviously up to a point.)
We really need to get over the moral component of spam content (and senders' intentions) and see it for what it is: A free ride anyone would take if available.
I disagree. I see it as a form of theft of service that only immoral thieves would take if available.
How can it be a theft of service if we're not charging anything? Well, if they use others' resources it's a theft of those resources, such as botnets, is that what you mean? But by morality I mean that we tend to define spam in terms of generally agreed to be undesirable email content such as questionable herbal cures or other apparent fraud or near-fraud -- I dunno, maybe someone hiring a spammer really believes their herbal hair re-growth tonic works. I assert that the line is getting fuzzier all the time. Even if the product is completely legitimate and maybe there's some business relationship someone can draw it doesn't mean I like being pummeled with hundreds of ads per day (some of that is projection, remember.) But, just as importantly, the people who want to send me an ad would like to see me pummeled with less junk so maybe I pay attention to their ad or communication. Heck, I alreadly almost never read email from what appears to be my bank because it's just too much time and effort to verify that it's legitimate. It'd be just as much effort under this, perhaps, but at least maybe I won't feel like I'm desperately trying to sort through 300 msgs that came in while I was asleep.
Ok, a million free per acct might be too high but whatever, we can all go into committee and do studies and determine what the right number should be.
I'd tend towards some sort of sliding scale myself, 100K/day free, 1M/day for $1, 10M/day for $100, 100M/day for $10K, etc. Something like that.
Why would it work?
Because that's how human society works.
People who are willing to pay their $10K/mo will demand something be done about freeloaders, enforcement has to be part of the cost overhead.
But who charges these fees and how do they enforce those charges against miscreants that are sending from stolen hosts, bots, fraudulent IP addresses, etc.?
I think it would have some parallels to selling SSL certificates, as a business model. Sending from stolen hosts etc doesn't help them unless they have also broken into your e-postage stash. Which might happen of course but at that point we've reduced it to something like using your user SSL cert. For example if you had to enter a passphrase (other methods are possible) to enable mail sending with e-postage from your email client, to decrypt your e-postage cert, then they'd have to get into that also, not just use your cycles. That's possible but it's another hill for them to climb. Since you probably would value your e-postage at the very least there should be a little widget on your screen (or similar) with something like you have used 323 out of an allocation of 300,000 this month and if that suddenly says 32,323 out of 300,000 and you can't imagine why maybe you'll do something, call someone, some recommended response could be laid out like if that's way out of line then click here. That's not that different from how modern Windows systems pop-up a dialogue which says "XYZ wants to use administrator privilege to install software". That is, encourage the user to be aware of how much email they are sending and give them some reasonable course of action if something doesn't look right. Think of bandwidth caps on mobile phones. If you hit your cap and you don't have a clue why you become interested. If it's due to a virus or similar, even a misbehaving app you downloaded (it happens), you are interested because you're now being charged for bandwidth or whatever happens when you exceed your cap. One reason few are currently interested in their system being botted is because they don't hit a cap, nothing really happens. And there's certainly little support infrastructure to help them fix the problem. If there was some money on the table, like with mobile phone caps, then perhaps there would be some infrastructure for that. Right now there's just excuses from ISPs et al that if someone gets botted oh well, block them or something, or in many cases do nothing because you don't want to annoy a paying customer and it just would increase your support costs when they call demanding to speak to someone. If there were a profitable e-postage infrastructure whose livelihood depended on all this working then maybe that wouldn't be the case.
And it'd create an economy for hunting down miscreants.
So you�ve got a set of thieves who are stealing services to send vast volumes of email and you want to solve that problem by charging them more for those services that they are stealing (and, by the way, also charging some legitimate users as well).
My guess is that the spammers are going to keep stealing and the people now being taxed for something that used to be free are going to object.
I think you're skipping the point about how they'd have to successfully attach e-postage to every piece of email they sent from your system. So it's not the resources, it's the authorization which we're trying to control. Right now every piece of email they send from your botted system is the same as any email you'd send. If there were some sort of e-postage system with some basic security and tracking that becomes much more difficult for the spammer. Or they can use your system to send out a million msgs with no e-postage which, one hopes, will be rejected by receiving systems without delivery, much like fraudulent DKIM or SPF credentials. Which, one hopes, won't be profitable for them any more.
P.S. And in my vision accepting only email with valid e-postage would be voluntary though I suppose that might be "voluntary" at the provider level. For example someone like gmail at some point (of successful implementation of this scheme) might decide to just block invalid e-postage because hey your gmail acct is free! Let someone else sell you rules you prefer like controlling acceptance of invalid e-postage yourself.
Well, here we get a hint at how you envision this working. There are lots of details that need to be solved in the implementation of such a scheme and I think the devil is prevalent among them.
I agree, but I hope my efforts indicate it's not entirely half-baked or off the cuff. I don't think it's inherently much more difficult than the SSL certificate ecology thought it has some differences. And it introduces some actual economy in fighting fraud because fraud becomes more like counterfeiting money or real life postage stamps, someone loses money, someone is getting a free ride, and there's money at that point to investigate and prosecute just like we do with counterfeiting. One problem with the current anti-spam economy is that it doesn't particularly encourage fighting spam. If someone makes a living selling anti-spam software or appliances the sudden and complete disappearance of spam is not really good news, unless it's entirely due to their product. But I mean putting spammers out of business big-time. In my model it is good news, it means the model is working so keep buying that e-postage because it's the only thing keeping the barbarians outside the gates.
Owen
-- -Barry Shein The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
On Mar 27, 2014, at 10:31 PM, Barry Shein <bzs@world.std.com> wrote:
On March 27, 2014 at 12:14 owen@delong.com (Owen DeLong) wrote:
On Mar 27, 2014, at 11:15 AM, Barry Shein <bzs@world.std.com> wrote:
On March 26, 2014 at 22:25 owen@delong.com (Owen DeLong) wrote:
Actually, a variant on that that might be acceptable… Make e-postage a deposit-based thing. If the recipient has previously white-listed you or marks your particular message as “desired”, then you get your postage back. If not, then your postage is put into the recipients e-postage account to offset the cost of their emails.
Thoughts?
It's a fine idea but too complicated.
Look, the (paper) post office doesn't say "oh, you WANTED that mail, ok, then we'll return the cost of postage to the sender!"
Why? Because if they did that people would game the system, THEY'D SPAM!
How would they benefit from that?
From what, being able to send free paper mail? I think that would be considered a benefit by most junk mail advertisers. But see next...
SPAM — Pay, say $0.10/message. Then Claim you wanted the SPAM, get your $0.10/message back for each SPAM you sent to yourself. Or, claim you didn’t want the SPAM and get $0.05/message for each message you received while the original provider keeps the other $0.05.
And it would take way too much bookkeeping and fraud identification etc.
Please explain in detail where the fraud potential comes in.
By my interpretation, you’d have to somehow get more back than you deposited (not really possible) in order to profit from sending SPAM this way.
Well, it's advertising, so they do.
Advertising is a valuable commodity. Free advertising is particularly valuable, ROI with I close to zero.
But it’s only free if you send it to yourself and then approve it. Any message you send to someone else who doesn’t want it isn’t free.
So offering to not charge you because you wanted that mail makes no sense, right?
But this isn’t a charge for the post office and by the time you’re connected to the internet, the cost of receiving the mail and transporting it and the sender sending it is pretty much sunk by some arguments. This is an effort to provide a financial disincentive for spamming.
Let's take a deep breath and re-examine the assumptions:
Full scale spammers send on the order of one billion msgs per day.
Which means if I gave your account 1M free msgs/day and could reasonably assure that you can't set up 1,000 such accts then you could not operate as a spammer.
Not sure how you enforce these user account requirements or how you avoid duplicative accounts.
If you want to attach e-postage you have to go get some and that can be a contract which says you don't do that, if you have multiple accounts you split it among your accounts or buy more. And if you do what you describe you understand that it is criminal fraud. Click Agree [ ] before proceeding, or similar.
Because spammers are all on the up and up and never commit fraud in order to send their SPAM, right?
Who can't operate with 1M msgs/day?
Well, maybe Amazon or similar.
But as I said earlier MAYBE THEY SHOULD PAY ALSO!
I, for one, don’t want my Amazon prices increased by a pseudo-tax on the fact that they do a large volume of email communications with their customers. They have enough problems trying to get IPv6 deployed without adding this to their list of problems.
That assumes that spam is free for them, and you. Including "free" as in "stealing your time”.
No, it assumes that most of the messages I get from Amazon are NOT SPAM. The vast majority of messages I get from Amazon are order confirmations, shipping status reports, etc. Messages related to transactions I have conducted with them. Yes, I get a little bit of SPAM from them and I wouldn’t mind seeing them forced to pay me for those messages, but I certainly don’t want to see them paying for every message they send.
We really need to get over the moral component of spam content (and senders' intentions) and see it for what it is: A free ride anyone would take if available.
I disagree. I see it as a form of theft of service that only immoral thieves would take if available.
How can it be a theft of service if we're not charging anything?
I didn’t authorize the spammer to use my computer, systems, disk, network, etc. They simply did so without my authorization. If I had a cost effective way to identify them, track them down, and hold them accountable for this, I would gladly do so.
Well, if they use others' resources it's a theft of those resources, such as botnets, is that what you mean?
Botnets, my mail server, my disk storage, my network, etc. where my mail is processed… All of the above.
But by morality I mean that we tend to define spam in terms of generally agreed to be undesirable email content such as questionable herbal cures or other apparent fraud or near-fraud -- I dunno, maybe someone hiring a spammer really believes their herbal hair re-growth tonic works.
I define SPAM not in terms of content, but in the nature of the relationship between the sender and the recipient. If the recipient has no relationship with the sender and doesn’t want to receive the sender’s message, then in most cases, it’s SPAM.
I assert that the line is getting fuzzier all the time.
Yep. If you try to define it on content, the fuzz grows out of control.
Even if the product is completely legitimate and maybe there's some business relationship someone can draw it doesn't mean I like being pummeled with hundreds of ads per day (some of that is projection, remember.)
If you ask the sender to stop and they don’t, then their further messages are SPAM. If you can’t find the sender in order to ask them to stop, then their messages are fraudulent SPAM.
But, just as importantly, the people who want to send me an ad would like to see me pummeled with less junk so maybe I pay attention to their ad or communication.
The spammers would like to see you pummeled with less “junk” so you can pay attention to their ad, too. Difference is in your definition of “junk” vs. their definition of “junk”.
Heck, I alreadly almost never read email from what appears to be my bank because it's just too much time and effort to verify that it's legitimate.
I just bank with banks that don’t have enough customers to be attractive to spammers… Saves a lot of effort. Also makes for a nicer relationship with the bank. The tellers mostly know who I am and I’m treated like a customer instead of an inconvenience.
It'd be just as much effort under this, perhaps, but at least maybe I won't feel like I'm desperately trying to sort through 300 msgs that came in while I was asleep.
I wish I could get it down to 300.
So you’ve got a set of thieves who are stealing services to send vast volumes of email and you want to solve that problem by charging them more for those services that they are stealing (and, by the way, also charging some legitimate users as well).
My guess is that the spammers are going to keep stealing and the people now being taxed for something that used to be free are going to object.
I think you're skipping the point about how they'd have to successfully attach e-postage to every piece of email they sent from your system.
Why would you assume that once they bot a system, they would be unable to steal the e-postage from said system?
So it's not the resources, it's the authorization which we're trying to control.
Right now every piece of email they send from your botted system is the same as any email you'd send.
I’m not really seeing how this would make a difference in that.
If there were some sort of e-postage system with some basic security and tracking that becomes much more difficult for the spammer.
Given how most bots become bots, I tend to doubt it. They just have to keystroke log your MUA in a two-step process instead of the one-step process of days of yore. Further, since they’re sending lots and lots of the same spam with identical envelope contents and the only differences are in the SMTP exchange, not the internal contents of the envelope, a replay attack against the same postage would seem pretty trivial.
Or they can use your system to send out a million msgs with no e-postage which, one hopes, will be rejected by receiving systems without delivery, much like fraudulent DKIM or SPF credentials.
Which, one hopes, won't be profitable for them any more.
P.S. And in my vision accepting only email with valid e-postage would be voluntary though I suppose that might be "voluntary" at the provider level. For example someone like gmail at some point (of successful implementation of this scheme) might decide to just block invalid e-postage because hey your gmail acct is free! Let someone else sell you rules you prefer like controlling acceptance of invalid e-postage yourself.
Well, here we get a hint at how you envision this working. There are lots of details that need to be solved in the implementation of such a scheme and I think the devil is prevalent among them.
I agree, but I hope my efforts indicate it's not entirely half-baked or off the cuff.
Intrigued, but not convinced. Owen
On March 28, 2014 at 00:06 owen@delong.com (Owen DeLong) wrote:
Advertising is a valuable commodity. Free advertising is particularly valuable, ROI with I close to zero.
But it�s only free if you send it to yourself and then approve it. Any message you send to someone else who doesn�t want it isn�t free.
I thought the suggestion was that a recipient (email, or by analogy postal) could indicate they wanted an email which would cancel the postage attached, that is, no charge to sender if they wanted it. So if a spammer or junk mailer could, say, trick you into accepting mail in those schemes then they get free advertising, no postage anyhow. We're getting lost in the metaphors methinks.
So offering to not charge you because you wanted that mail makes no sense, right?
But this isn�t a charge for the post office and by the time you�re connected to the internet, the cost of receiving the mail and transporting it and the sender sending it is pretty much sunk by some arguments.
FIRST: There's a typo/thinko in my sentence! Should be: So offering to not charge THE SENDER because THE RECIPIENT wanted that mail makes no sense, right? SECOND: In response, someone has to scale resources to match volume. But maybe my typo/thinko confused this because you know that, sorry.
This is an effort to provide a financial disincentive for spamming.
Did I say that or you? I agree! Possibly with myself. Which judging by my just previous comments is not always a given.
If you want to attach e-postage you have to go get some and that can be a contract which says you don't do that, if you have multiple accounts you split it among your accounts or buy more. And if you do what you describe you understand that it is criminal fraud. Click Agree [ ] before proceeding, or similar.
Because spammers are all on the up and up and never commit fraud in order to send their SPAM, right?
I'm trying to create an economics around enforcement. But it's helpful to convince the relatively honest public that what you describe is a serious crime tantamount to counterfeiting. And we don't want to be in a situation like we were in 1996 where we were debating whether Spam is even a crime. Enforcement is your usual avoidance, detection, recovery, sort of affair. But there has to be an economics pushing it or it gets mostly ignored (except for people complaining about spam.) Compare and contrast for example spamming vs RIAA style enforcement of copyright violations. Spamming? The occasional shutdown of a botnet tho those may be more motivated by DDoS and phishing. Copyright? Megaupload, wham, Bit torrents, wham, site takedowns, RIAA lawsuits, wham wham wham. Lawyers, guns, and money. What's the difference? Clear monied interests in the latter.
Who can't operate with 1M msgs/day?
Well, maybe Amazon or similar.
But as I said earlier MAYBE THEY SHOULD PAY ALSO!
I, for one, don�t want my Amazon prices increased by a pseudo-tax on the fact that they do a large volume of email communications with their customers. They have enough problems trying to get IPv6 deployed without adding this to their list of problems.
That assumes that spam is free for them, and you. Including "free" as in "stealing your time�.
No, it assumes that most of the messages I get from Amazon are NOT SPAM.
And I'm arguing we need to change our attitudes on this. This whole idea that because the recipient wants it it isn't "spam" is wearing thin. Just like my analogy with the post office, they wouldn't deliver mail for free just because the recipient wanted it. It's a fundamentally broken idea and spam is its bastard offspring.
The vast majority of messages I get from Amazon are order confirmations, shipping status reports, etc. Messages related to transactions I have conducted with them. Yes, I get a little bit of SPAM from them and I wouldn�t mind seeing them forced to pay me for those messages, but I certainly don�t want to see them paying for every message they send.
The vast majority of paper mail I get from my bank accounts is useful and informative and often legally important. But every one of them has postage attached. But maybe there could be some way to reverse charges like you can with fedex and similar. When you sign up with Amazon et al you also enter your (free) e-postage cert (whatever, some cookie) giving them permission to charge against it for some list of mutually agreeable emailings like order confirms and maybe even marketing materials. There are some implementation details involved but it doesn't strike me as a crazy idea.
We really need to get over the moral component of spam content (and senders' intentions) and see it for what it is: A free ride anyone would take if available.
I disagree. I see it as a form of theft of service that only immoral thieves would take if available.
How can it be a theft of service if we're not charging anything?
I didn�t authorize the spammer to use my computer, systems, disk, network, etc. They simply did so without my authorization. If I had a cost effective way to identify them, track them down, and hold them accountable for this, I would gladly do so.
Do you mean sending (making you a bot) or receiving spam? I'm saying the notion of who you did authorize to send you email is getting fuzzier and fuzzier and may no longer be a completely useful distinction. That should have been predictable. Create a fuzzy hurtle and it will get hurtled. Accept that "it's not spam if I have a business relationship with the sender" and that "business relationship" definition will get stretched. For example, Buy an auto insurance policy from Liberty Mutual and you just gave permission for every Liberty Mutual insurance agent in the world to hawk you life insurance, home owner's insurance, etc etc etc. over email. I don't think merely tightening the definition fixes that. Money talks, bull**** walks. The main reason dump trucks filled with paper mail don't back up to your house every morning is because that would cost the SENDERs too much real money, so they have to focus and target. But email? That's free, for all practical purposes.
Well, if they use others' resources it's a theft of those resources, such as botnets, is that what you mean?
Botnets, my mail server, my disk storage, my network, etc. where my mail is processed� All of the above.
But by morality I mean that we tend to define spam in terms of generally agreed to be undesirable email content such as questionable herbal cures or other apparent fraud or near-fraud -- I dunno, maybe someone hiring a spammer really believes their herbal hair re-growth tonic works.
I define SPAM not in terms of content, but in the nature of the relationship between the sender and the recipient. If the recipient has no relationship with the sender and doesn�t want to receive the sender�s message, then in most cases, it�s SPAM.
Yeah, well, if you ever get an unexpected email (truly) from Bank of America for example offering great CD rates and can't imagine why they sent it have a ball calling the FTC and filing a CAN-SPAM violation. Maybe something would happen, I can't say for sure. But I suspect they'd round file it because hey that's BANK OF AMERICA not SPAMMERS and you're just a KOOK! Extrapolate to any company the FTC has heard of and respects. That's what I mean by a moralistic component. But if BoA was fudging their postal meters and the post office noticed it'd be Book 'Em Dan-O before the next commercial break.
I assert that the line is getting fuzzier all the time.
Yep. If you try to define it on content, the fuzz grows out of control.
Even if the product is completely legitimate and maybe there's some business relationship someone can draw it doesn't mean I like being pummeled with hundreds of ads per day (some of that is projection, remember.)
If you ask the sender to stop and they don�t, then their further messages are SPAM.
In theory. Ever try to enforce that if you got a subsequent email? Particularly against a well known company? No. Because no one has even tried (oh there must be one I suppose.)
If you can�t find the sender in order to ask them to stop, then their messages are fraudulent SPAM.
I've read CAN-SPAM.
But, just as importantly, the people who want to send me an ad would like to see me pummeled with less junk so maybe I pay attention to their ad or communication.
The spammers would like to see you pummeled with less �junk� so you can pay attention to their ad, too. Difference is in your definition of �junk� vs. their definition of �junk�.
Well, the difference I'm advocating is that Amazon (e.g.) can pay real do-re-mi for postage, the spammers can't. Beyond that I don't really need a definition of "spam" per se, at least that's what's hoped. We the people just have to make sure that anyone sending me an email follows the e-postage rules. No spammer can afford to pay even minimal e-postage. The best they can hope for is to fraud any e-postage system. Viola, it removes the moral judgement component of whether or not I really wanted this email. Or reduces the issue probably into the noise. (some elision...)
So you�ve got a set of thieves who are stealing services to send vast volumes of email and you want to solve that problem by charging them more for those services that they are stealing (and, by the way, also charging some legitimate users as well).
My guess is that the spammers are going to keep stealing and the people now being taxed for something that used to be free are going to object.
I think you're skipping the point about how they'd have to successfully attach e-postage to every piece of email they sent from your system.
Why would you assume that once they bot a system, they would be unable to steal the e-postage from said system?
I think we can make that too difficult. But at least we'd have a trail in that case, like when the user's e-postage meter runs out and they can't send any more email this month and might pursue that if unexpected.
So it's not the resources, it's the authorization which we're trying to control.
Right now every piece of email they send from your botted system is the same as any email you'd send.
I�m not really seeing how this would make a difference in that.
Make it difficult to use your e-postage meter even if they get some (virus) software on to your system. For example, maybe you have to enter a passphrase to enable the e-postage meter with an idle-timeout, or any similar method, we've all seen many. Heck you could use a USB or similar dongle which has to be plugged in to send email. Sure, people would leave them in, until their e-postage meter was run out unexpectedly and they can't send any more email for the rest of the month, or actually would have to buy further allocation for real $$$.
If there were some sort of e-postage system with some basic security and tracking that becomes much more difficult for the spammer.
Given how most bots become bots, I tend to doubt it. They just have to keystroke log your MUA in a two-step process instead of the one-step process of days of yore.
Further, since they�re sending lots and lots of the same spam with identical envelope contents and the only differences are in the SMTP exchange, not the internal contents of the envelope, a replay attack against the same postage would seem pretty trivial.
But now it's running down your e-postage meter. And it's positively id'd on the receiving end, it has your e-postage meter id on it. It does add a lot of hoops to jump through and evade.
Or they can use your system to send out a million msgs with no e-postage which, one hopes, will be rejected by receiving systems without delivery, much like fraudulent DKIM or SPF credentials.
Which, one hopes, won't be profitable for them any more.
P.S. And in my vision accepting only email with valid e-postage would be voluntary though I suppose that might be "voluntary" at the provider level. For example someone like gmail at some point (of successful implementation of this scheme) might decide to just block invalid e-postage because hey your gmail acct is free! Let someone else sell you rules you prefer like controlling acceptance of invalid e-postage yourself.
Well, here we get a hint at how you envision this working. There are lots of details that need to be solved in the implementation of such a scheme and I think the devil is prevalent among them.
I agree, but I hope my efforts indicate it's not entirely half-baked or off the cuff.
Intrigued, but not convinced.
That's progress! And I thank you! Many in this community hear the word "e-postage" and just mentally shut down.
Owen
-- -Barry Shein The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
On Mar 28, 2014, at 2:15 PM, Barry Shein <bzs@world.std.com> wrote:
On March 28, 2014 at 00:06 owen@delong.com (Owen DeLong) wrote:
Advertising is a valuable commodity. Free advertising is particularly valuable, ROI with I close to zero.
But it’s only free if you send it to yourself and then approve it. Any message you send to someone else who doesn’t want it isn’t free.
I thought the suggestion was that a recipient (email, or by analogy postal) could indicate they wanted an email which would cancel the postage attached, that is, no charge to sender if they wanted it.
Yes, but you’d have to say “I wanted this” effectively after receiving and opening the mail, knowing what was inside, not before.
So if a spammer or junk mailer could, say, trick you into accepting mail in those schemes then they get free advertising, no postage anyhow.
Sure, but how would they trick you into saying “I wanted this advertising” once you’ve actually seen that it is advertising.
We're getting lost in the metaphors methinks.
I don’t think so, I think we’re having differing visions of how it would work in detail.
So offering to not charge you because you wanted that mail makes no sense, right?
But this isn’t a charge for the post office and by the time you’re connected to the internet, the cost of receiving the mail and transporting it and the sender sending it is pretty much sunk by some arguments.
FIRST: There's a typo/thinko in my sentence!
Should be:
So offering to not charge THE SENDER because THE RECIPIENT wanted that mail makes no sense, right?
SECOND:
In response, someone has to scale resources to match volume.
But maybe my typo/thinko confused this because you know that, sorry.
Yes, but those costs are essentially already sunk in existing internet access. The cost of transmission is already paid by all parties involved. This wouldn’t be intended to subsidize that. The reason for splitting the postage between the recipient and the recipient ISP was to aid in recovery of the costs of administering the postage process.
This is an effort to provide a financial disincentive for spamming.
Did I say that or you? I agree!
Possibly with myself. Which judging by my just previous comments is not always a given.
I said it, but I’m glad we are in agreement.
If you want to attach e-postage you have to go get some and that can be a contract which says you don't do that, if you have multiple accounts you split it among your accounts or buy more. And if you do what you describe you understand that it is criminal fraud. Click Agree [ ] before proceeding, or similar.
Because spammers are all on the up and up and never commit fraud in order to send their SPAM, right?
I'm trying to create an economics around enforcement.
But it's helpful to convince the relatively honest public that what you describe is a serious crime tantamount to counterfeiting.
Yes, that would be very helpful.
And we don't want to be in a situation like we were in 1996 where we were debating whether Spam is even a crime.
Sadly, we seem to be in a situation where we have no good legal definition of the crime and where the criminal definition of SPAM has been so badly watered down by regulators as to neuter any attempts to regulate it out of existence or prosecute it criminally. Worse, even if it is a crime in jurisdiction A, it becomes very difficult to prosecute a spammer in jurisdiction B for sending SPAM to a recipient in jurisdiction A.
Enforcement is your usual avoidance, detection, recovery, sort of affair. But there has to be an economics pushing it or it gets mostly ignored (except for people complaining about spam.)
Yep.
Compare and contrast for example spamming vs RIAA style enforcement of copyright violations.
I would not say that RIAA is the shining example to emulate, but, yes for this particular concept, I think you have the right idea.
No, it assumes that most of the messages I get from Amazon are NOT SPAM.
And I'm arguing we need to change our attitudes on this.
This whole idea that because the recipient wants it it isn't "spam" is wearing thin.
Please present your definition of SPAM. I don’t see how a shipping notification, a transaction receipt, etc. could possibly be considered SPAM.
Just like my analogy with the post office, they wouldn't deliver mail for free just because the recipient wanted it.
That postage is already being paid for email… You pay for internet access and so do the spammers, so the idea that your proposed e-postage is a payment related to the delivery of the mail is absurd from the beginning.
The vast majority of messages I get from Amazon are order confirmations, shipping status reports, etc. Messages related to transactions I have conducted with them. Yes, I get a little bit of SPAM from them and I wouldn’t mind seeing them forced to pay me for those messages, but I certainly don’t want to see them paying for every message they send.
The vast majority of paper mail I get from my bank accounts is useful and informative and often legally important.
But every one of them has postage attached.
Yes, but you aren’t paying the USPS a fee for you to have a mailbox that the mailman drives by whether you receive mail or not and neither is your bank. I certainly don’t want to start double-paying for spam (or legitimate email for that matter). Further, if someone sends me something I don’t want, I can mark it “refused, return to sender” and the post office is obliged to do so and I don’t pay anything for it.
I didn’t authorize the spammer to use my computer, systems, disk, network, etc. They simply did so without my authorization. If I had a cost effective way to identify them, track them down, and hold them accountable for this, I would gladly do so.
Do you mean sending (making you a bot) or receiving spam?
Receiving.
I'm saying the notion of who you did authorize to send you email is getting fuzzier and fuzzier and may no longer be a completely useful distinction.
How so? If I actually signed up with you to receive your mail, then I opted in and you have my permission on record. If I bought something from you, then I signed up to receive emails RELATED TO THAT TRANSACTION and you have that permission on record. If I checked the box to receive other emails from you, then you have that permission on record. If you don’t have my permission on record, then you don’t have my permission. Seems pretty simple and clear and predictable to me. Now, you might be able to get my retroactive permission by paying to ask, and if I agree, your “permission fee” is refunded. OTOH, if I say “no”, then you don’t get your money back.
That should have been predictable. Create a fuzzy hurtle and it will get hurtled.
I’m not seeing the fuzziness you claim is present.
Accept that "it's not spam if I have a business relationship with the sender" and that "business relationship" definition will get stretched.
See above. I have a _MUCH_ narrower definition of what should be accepted.
For example, Buy an auto insurance policy from Liberty Mutual and you just gave permission for every Liberty Mutual insurance agent in the world to hawk you life insurance, home owner's insurance, etc etc etc. over email.
No, I didn’t. See above.
I define SPAM not in terms of content, but in the nature of the relationship between the sender and the recipient. If the recipient has no relationship with the sender and doesn’t want to receive the sender’s message, then in most cases, it’s SPAM.
Yeah, well, if you ever get an unexpected email (truly) from Bank of America for example offering great CD rates and can't imagine why they sent it have a ball calling the FTC and filing a CAN-SPAM violation.
If such a thing happened and it actually came from BofA, then, yes, it would. However, BofA is smart enough to keep such SPAMvertising at arms length and you have to track down the spammer that actually sent the email under contract to BofA, not BofA themselves. It would be nice if CAN-SPAM were expanded to affect the advertiser and/or advertised product instead of just the entity actually sending the SPAM, but so far, that has not happened.
Maybe something would happen, I can't say for sure.
But I suspect they'd round file it because hey that's BANK OF AMERICA not SPAMMERS and you're just a KOOK!
No, more likely they’d review the headers and point out to me that there’s no evidence it was actually sent BY BofA, because most likely it wasn’t sent by BofA, but by someone they may or may not have contracted.
Extrapolate to any company the FTC has heard of and respects.
Really more a matter of how those companies keep their SPAM at arms length and circumvent the intent of the law than their reputation with the FTC.
That's what I mean by a moralistic component.
But if BoA was fudging their postal meters and the post office noticed it'd be Book 'Em Dan-O before the next commercial break.
Indeed, the mailing agency that BofA hires to send out their postal spam pays full postage and can’t really avoid that. But postage is related to the cost of delivering the mail. What you are proposing as e-postage isn’t.
I assert that the line is getting fuzzier all the time.
Yep. If you try to define it on content, the fuzz grows out of control.
Even if the product is completely legitimate and maybe there's some business relationship someone can draw it doesn't mean I like being pummeled with hundreds of ads per day (some of that is projection, remember.)
If you ask the sender to stop and they don’t, then their further messages are SPAM.
In theory.
Ever try to enforce that if you got a subsequent email?
Particularly against a well known company?
No. Because no one has even tried (oh there must be one I suppose.)
See above.
If you can’t find the sender in order to ask them to stop, then their messages are fraudulent SPAM.
I've read CAN-SPAM.
I wasn’t specifically talking about CAN-SPAM, but it does include provisions like this, yes.
But, just as importantly, the people who want to send me an ad would like to see me pummeled with less junk so maybe I pay attention to their ad or communication.
The spammers would like to see you pummeled with less “junk” so you can pay attention to their ad, too. Difference is in your definition of “junk” vs. their definition of “junk”.
Well, the difference I'm advocating is that Amazon (e.g.) can pay real do-re-mi for postage, the spammers can’t.
I think you underestimate the available budget for SPAMming.
Beyond that I don't really need a definition of "spam" per se, at least that's what's hoped.
We the people just have to make sure that anyone sending me an email follows the e-postage rules.
Now you need to ask, am I going to pay a fee to participate actively in the IETF or the policy development process at ARIN for each and every message I send?
No spammer can afford to pay even minimal e-postage.
You are dreaming.
The best they can hope for is to fraud any e-postage system.
More than likely they will be able to do so, yes.
Viola, it removes the moral judgement component of whether or not I really wanted this email.
True, but it also creates many negative unintended consequences.
Or reduces the issue probably into the noise.
Unlikely to reduce any issue, IMHO.
Why would you assume that once they bot a system, they would be unable to steal the e-postage from said system?
I think we can make that too difficult.
But at least we'd have a trail in that case, like when the user's e-postage meter runs out and they can't send any more email this month and might pursue that if unexpected.
Not sure how that constitutes a trail so much as an increased workload for the users and their ISPs. Might help reduce the bots, but I tend to doubt it.
So it's not the resources, it's the authorization which we're trying to control.
Right now every piece of email they send from your botted system is the same as any email you'd send.
I’m not really seeing how this would make a difference in that.
Make it difficult to use your e-postage meter even if they get some (virus) software on to your system.
For example, maybe you have to enter a passphrase to enable the e-postage meter with an idle-timeout, or any similar method, we've all seen many.
That’s what key loggers are for. You can’t protect a booted system from itself. Dreaming that you can is kind of amusing.
Heck you could use a USB or similar dongle which has to be plugged in to send email.
That might work, but how long before those are compromised?
Sure, people would leave them in, until their e-postage meter was run out unexpectedly and they can't send any more email for the rest of the month, or actually would have to buy further allocation for real $$$.
Actually, rolling code dongles that simulate keyboards for authentication codes might be a good choice here… Hit the button each time you need to enter postage. That might actually be a secure solution. But you’re still left with the chilling effect on voluntary participation in governance and other activities through email.
If there were some sort of e-postage system with some basic security and tracking that becomes much more difficult for the spammer.
Given how most bots become bots, I tend to doubt it. They just have to keystroke log your MUA in a two-step process instead of the one-step process of days of yore.
Further, since they’re sending lots and lots of the same spam with identical envelope contents and the only differences are in the SMTP exchange, not the internal contents of the envelope, a replay attack against the same postage would seem pretty trivial.
But now it's running down your e-postage meter.
How so? I’m just replaying the original e-postage. Reusing the same stamp over and over again as it were.
And it's positively id'd on the receiving end, it has your e-postage meter id on it.
Yes, the spammer is able to use one of my stamps a few million times and then what?
It does add a lot of hoops to jump through and evade.
Not really, no.
That's progress!
And I thank you! Many in this community hear the word "e-postage" and just mentally shut down.
Meh… I try to keep an open mind. Owen
On March 29, 2014 at 08:28 owen@delong.com (Owen DeLong) wrote:
So if a spammer or junk mailer could, say, trick you into accepting mail in those schemes then they get free advertising, no postage anyhow.
Sure, but how would they trick you into saying �I wanted this advertising� once you�ve actually seen that it is advertising.
I dunno, but they trick people all the time, isn't that what the entire phishing industry is based on? I guess the real point is that this idea that one would be sorting through their email saying don't charge for this one I want it, charge for this one, I don't, etc is not a good idea. As I said earlier what might work is when you sign up for some email (list, advertising, customer account) you can also enter some sort of cookie which the sender can use to charge against your epostage quota. But I think it introduces all sorts of complexities for not much gain. Needs more thinking, including "is this really a problem that needs to be solved?"
We're getting lost in the metaphors methinks.
I don�t think so, I think we�re having differing visions of how it would work in detail.
Well, that's always the problem at some point. Lacking a specific, detailed proposal one tries to work out how it might work, look for inherent flaws in the idea, show stoppers. This is basically brainstorming.
So offering to not charge you because you wanted that mail makes no sense, right?
But this isn�t a charge for the post office and by the time you�re connected to the internet, the cost of receiving the mail and transporting it and the sender sending it is pretty much sunk by some arguments.
FIRST: There's a typo/thinko in my sentence!
Should be:
So offering to not charge THE SENDER because THE RECIPIENT wanted that mail makes no sense, right?
SECOND:
In response, someone has to scale resources to match volume.
But maybe my typo/thinko confused this because you know that, sorry.
Yes, but those costs are essentially already sunk in existing internet access. The cost of transmission is already paid by all parties involved. This wouldn�t be intended to subsidize that. The reason for splitting the postage between the recipient and the recipient ISP was to aid in recovery of the costs of administering the postage process.
What about the costs of anti-spam technology? And all the other problems spam incurs? I thought that's why we were here. (trying to elide a lot...)
Please present your definition of SPAM. I don�t see how a shipping notification, a transaction receipt, etc. could possibly be considered SPAM.
My whole point is I don't WANT to have a definition of spam, except as a bad memory. I'm trying to figure out how to change the ecology/economics so spam is difficult, a minor problem.
Just like my analogy with the post office, they wouldn't deliver mail for free just because the recipient wanted it.
That postage is already being paid for email� You pay for internet access and so do the spammers, so the idea that your proposed e-postage is a payment related to the delivery of the mail is absurd from the beginning.
Again, we're talking about spam and the harm it does, the costs it incurs. And phishing etc. That's sort of like saying my car can drive down the road perfectly well with some gasoline etc, why do I need to pay taxes for police?
The vast majority of messages I get from Amazon are order confirmations, shipping status reports, etc. Messages related to transactions I have conducted with them. Yes, I get a little bit of SPAM from them and I wouldn�t mind seeing them forced to pay me for those messages, but I certainly don�t want to see them paying for every message they send.
The vast majority of paper mail I get from my bank accounts is useful and informative and often legally important.
But every one of them has postage attached.
Yes, but you aren�t paying the USPS a fee for you to have a mailbox that the mailman drives by whether you receive mail or not and neither is your bank. I certainly don�t want to start double-paying for spam (or legitimate email for that matter).
Recipients wouldn't pay in my scheme. If you mean that legitimate senders have to pay and somehow recover that cost, well, we all pay for police and other security. Security is often like that. When you pay for a prison you pay to house prisoners, any benefit to you is at best abstract (they're not on the streets etc.)
Further, if someone sends me something I don�t want, I can mark it �refused, return to sender� and the post office is obliged to do so and I don�t pay anything for it.
This is probably getting off-track, but are you sure about that with the USPS? You can mark it NSA (no such addressee) or NFA (no forwarding address) or NSA/NFA or even put a forwarding address which may or may not do anything since the recipient is supposed to set that up with the post office (e.g., when they move.) But I never heard of taking all my junk mail for example and handing it back to a letter carrier saying "Here, I don't want this!" I think they'd say "throw it in the trash!"
I didn�t authorize the spammer to use my computer, systems, disk, network, etc. They simply did so without my authorization. If I had a cost effective way to identify them, track them down, and hold them accountable for this, I would gladly do so.
Do you mean sending (making you a bot) or receiving spam?
Receiving.
Well, truth be told you didn't really authorize many people who send you email to use your resources. So we're back to the definition of spam problem. Which is exactly what I'm trying to get away from.
I'm saying the notion of who you did authorize to send you email is getting fuzzier and fuzzier and may no longer be a completely useful distinction.
How so? If I actually signed up with you to receive your mail, then I opted in and you have my permission on record. If I bought something from you, then I signed up to receive emails RELATED TO THAT TRANSACTION and you have that permission on record. If I checked the box to receive other emails from you, then you have that permission on record. If you don�t have my permission on record, then you don�t have my permission. Seems pretty simple and clear and predictable to me.
Now, you might be able to get my retroactive permission by paying to ask, and if I agree, your �permission fee� is refunded. OTOH, if I say �no�, then you don�t get your money back.
"Related to that transaction"? Is that in CAN-SPAM? Where did that limitation come from? How is that defined? You mean when Network Solutions bombards me with email about each new TLD they're violating CAN-SPAM? I never asked for that. I do have some domains with them, I think they're using that for a "legitimate business relationship". Legitimate businesses (perhaps other than NetSol :-) do tend to restrain themselves and know recipients might get annoyed if they overdo their welcome and opt-out or even block them entirely. An example of the line getting fuzzy is when my frequent flyer sources (airlines etc) constantly hawk credit cards at me under the excuse that I'll get 50,000 free miles or some such. So it sort of sounds related to the frequent flyer program. But I think they're just hawking Amex cards and getting a commission for each one they sell.
That should have been predictable. Create a fuzzy hurtle and it will get hurtled.
I�m not seeing the fuzziness you claim is present.
Accept that "it's not spam if I have a business relationship with the sender" and that "business relationship" definition will get stretched.
See above. I have a _MUCH_ narrower definition of what should be accepted.
Wait. Are we talking about what you think should be ok, or what the current law (as it were, but CAN-SPAM for example) thinks is ok, or what common practice seems to think is ok, or how it should work under the regime I'm describing? As I said, I'm trying to come up with a spam-definition-neutral approach.
For example, Buy an auto insurance policy from Liberty Mutual and you just gave permission for every Liberty Mutual insurance agent in the world to hawk you life insurance, home owner's insurance, etc etc etc. over email.
No, I didn�t. See above.
Again, I think CAN-SPAM etc would agree with my description within reason.
I define SPAM not in terms of content, but in the nature of the relationship between the sender and the recipient. If the recipient has no relationship with the sender and doesn�t want to receive the sender�s message, then in most cases, it�s SPAM.
Yeah, well, if you ever get an unexpected email (truly) from Bank of America for example offering great CD rates and can't imagine why they sent it have a ball calling the FTC and filing a CAN-SPAM violation.
If such a thing happened and it actually came from BofA, then, yes, it would.
And I'm saying good luck getting whoever it is enforces CAN-SPAM to agree, unless it just happens to be on their radar for some reason.
However, BofA is smart enough to keep such SPAMvertising at arms length and you have to track down the spammer that actually sent the email under contract to BofA, not BofA themselves. It would be nice if CAN-SPAM were expanded to affect the advertiser and/or advertised product instead of just the entity actually sending the SPAM, but so far, that has not happened.
There are limits to Agency Law. You can't hire someone to break the law and then say it's entirely their problem. Well, there are all sorts of hard cases, but laying it out sometimes surprises people (like, yes you can be held responsible for the actions of a hired bodyguard, even if their behavior was way out of line. They sell insurance for that kind of thing.)
Maybe something would happen, I can't say for sure.
But I suspect they'd round file it because hey that's BANK OF AMERICA not SPAMMERS and you're just a KOOK!
No, more likely they�d review the headers and point out to me that there�s no evidence it was actually sent BY BofA, because most likely it wasn�t sent by BofA, but by someone they may or may not have contracted.
Well, now we're really just moving the goalpost and changing the scenario.
Extrapolate to any company the FTC has heard of and respects.
Really more a matter of how those companies keep their SPAM at arms length and circumvent the intent of the law than their reputation with the FTC.
That's what I mean by a moralistic component.
But if BoA was fudging their postal meters and the post office noticed it'd be Book 'Em Dan-O before the next commercial break.
Indeed, the mailing agency that BofA hires to send out their postal spam pays full postage and can�t really avoid that.
But postage is related to the cost of delivering the mail. What you are proposing as e-postage isn�t.
Of course it is. If your email won't be accepted without proper postage attached then that's the cost of having your email delivered. Just because the work can't be expressed in Newtons over Distance doesn't mean it's not valuable. Ok, I think a lot of the rest of this could be answered by: It would be interesting to ask a spammer or ex-spammer what they thought about the scheme. Beyond that we're just guessing as to whether what's proposed would alter their behavior. And I gotta go eat some lunch! -- -Barry Shein The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
But I think it introduces all sorts of complexities for not much gain. Needs more thinking, including "is this really a problem that needs to be solved?"
Don't forget "Vanquish was a complete failure, so why would this be any different?" and "do I want Phil Raymond to sue me for violating the patent on this exact scheme?" R's, John PS: You must have met him at one of the spam conferences. I met him a few times.
On March 29, 2014 at 22:37 johnl@iecc.com (John Levine) wrote:
But I think it introduces all sorts of complexities for not much gain. Needs more thinking, including "is this really a problem that needs to be solved?"
Don't forget "Vanquish was a complete failure, so why would this be any different?" and "do I want Phil Raymond to sue me for violating the patent on this exact scheme?"
That was a specific reply by me to a specific suggestion of a mechanism refunding e-postage to the sender if one wanted an e-mail or leaving the charge if not. As I said I think it's overly complex in implementation and not of much benefit. I don't see where Vanquish does any of this from the product site tho I could look at the patents, they might cover more than they used in products of course. HOWEVER: a) If you really were referring to the context of that remark, refunding postage to desired senders, not much problem since I don't see that as useful anyhow. b) If there's some broader context, well, patents can get licensed and otherwise negotiated so I don't know why anyone would be suing anyone. This reminds me of when I was working on a Rock & Roll 50th Anniversary site and we'd put up materials licensed for use by the site. And I'd get this non-stop stream of YOU WILL GET SUED! emails from people who merely visited the site, many DEMANDING we immediately produce proof to them that the material was properly licensed or take it down IMMEDIATELY! And they would be CHECKING! etc. Some would even phone the office and scream at me. None were owners or had any interest in the materials which, as I said, were all properly licensed. There was never any actual problem, not a hint. Gratuitous anecdote: The only (very tiny, funny) problem we ever had was when Elvis Presley Enterprises (which is, yes, that Elvis Presley) printed up T-shirts using some of our slogans which we clearly marked as TM. I sent them a letter offering a $0 license to print as many T-shirts as they like if they just mentioned us in their ads in some friendly way once in a while...LET'S TALK! I mean, hey, this is Elvis Presley Enterprises! Respect to The King. I got back this amazing letter from what must have been a strip mall lawyer, the stationery was truly cheesy (it had logs on it, some sort of good ol' boy western theme I guess), asserting that we had no rights in those slogans because we were NOT in the T-shirt/Apparel business (i.e., USPTO category.) I dropped the matter because it was just too silly to even respond to and figured if it ever seemed to make a difference I'd worry about it. They didn't seem to be selling too many of those T-shirts anyhow, and now they'd been informed and had acknowledged notice which is half the game. Nothing came of it. Not much came of the site either, unfortunately tho I did get to meet a lot of interesting people. Bo Diddley called me once to tell me how great he thought it all was and could he help!
R's, John
PS: You must have met him at one of the spam conferences. I met him a few times.
Maybe, I'm looking at his picture and his face doesn't ring a bell but he seems to be here in the Boston area so if there were a mutual interest I suppose a meeting would be easy enough. -- -Barry Shein The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
Don't forget "Vanquish was a complete failure, so why would this be any different?" and "do I want Phil Raymond to sue me for violating the patent on this exact scheme?"
That was a specific reply by me to a specific suggestion of a mechanism refunding e-postage to the sender if one wanted an e-mail or leaving the charge if not.
As I said I think it's overly complex in implementation and not of much benefit.
I don't see where Vanquish does any of this from the product site tho I could look at the patents, they might cover more than they used in products of course.
Really, this is a WKBI from 1997. Look at the patent if you don't believe me. Regards, John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly
On March 29, 2014 at 22:34 johnl@iecc.com (John R. Levine) wrote:
Don't forget "Vanquish was a complete failure, so why would this be any different?" and "do I want Phil Raymond to sue me for violating the patent on this exact scheme?"
That was a specific reply by me to a specific suggestion of a mechanism refunding e-postage to the sender if one wanted an e-mail or leaving the charge if not.
As I said I think it's overly complex in implementation and not of much benefit.
I don't see where Vanquish does any of this from the product site tho I could look at the patents, they might cover more than they used in products of course.
Really, this is a WKBI from 1997. Look at the patent if you don't believe me.
I don't know what "WKBI" means and google turns up nothing. I'll guess "Well Known Bad Idea"? Since I said that I found the idea described above uninteresting I wonder what is a "WKBI" from 1997? The idea I rejected? Also, I remember ideas being shot down on the ASRG (Anti-Spam Research Group) list primarily because they would take ten years to gain acceptance. Over ten years ago. Maybe they were bad ideas for other reasons. Some certainly were. But there's this tone of off-the-cuff dismissal, oh that would take TEN YEARS to gain traction, or that's a WKBI, which I don't find convincing. I read your paper, for example, and said it's a nice paper. But I don't find it compelling to the degree you seem to want it to be because it mostly makes a bunch of assumptions about how an e-postage system would work and proceeds to argue that the particular model you describe (and some variants) creates impossible or impractical hurdles. But what if it worked differently? At some point you're just reacting to the term "e-postage" and whatever it happens to mean to you, right? You can't really say you've exhaustively worked out every possibility which might be labelled "e-postage". Only a particular interpretation, a fairly specific model, or a few. When people talked of "virtual currency" over the years, often arguing that it's too hard a problem, how many described bitcoin with its cryptographic mining etc? Bitcoin might well be a lousy solution. But there it is nonetheless, and despite the pile of papers which argued that this sort of thing was impossible or nearly so. Note: Yes, I can also argue that Bitcoin is not truly a virtual currency. Sometimes a problem is like the Gordian Knot of ancient lore which no one could untie. And then Alexander The Great swung his sword and the crowds cried "cheat!" but he then became King of Asia just as prophesized.
Regards, John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly
-- -Barry Shein The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
When people talked of "virtual currency" over the years, often arguing that it's too hard a problem, how many described bitcoin with its cryptographic mining etc?
None, but it shouldn't be hard to look at the way bitcoin works and realize why it'd be phenomenally ill suited for e-postage, just for technical reasons. I told Satoshi so in 2009. R's, John PS: Sometimes a WKBI really is a WKBI.
On March 30, 2014 at 04:47 johnl@iecc.com (John Levine) wrote:
When people talked of "virtual currency" over the years, often arguing that it's too hard a problem, how many described bitcoin with its cryptographic mining etc?
None, but it shouldn't be hard to look at the way bitcoin works and realize why it'd be phenomenally ill suited for e-postage, just for technical reasons. I told Satoshi so in 2009.
I wasn't suggesting bitcoin was a model for e-postage, only that a lot of papers were written saying systems like bitcoin were more or less impossible (usually based on the double-spending problem.) But bitcoin seems to have gained quite a bit of traction nonetheless though it may well still be a bad idea. The problem is the world is a very sloppy place and tends to function in spite of proofs that "bumblebees can't fly" etc. when there's a need.
R's, John
PS: Sometimes a WKBI really is a WKBI.
-- -Barry Shein The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
On 3/30/14, 10:03 AM, Barry Shein wrote:
The problem is the world is a very sloppy place and tends to function in spite of proofs that "bumblebees can't fly" etc. when there's a need.
which is fortunately, mythology based on catastrophically bad modeling so your analogy is spot on.
R's, John
PS: Sometimes a WKBI really is a WKBI.
On 3/30/2014 12:11 AM, Barry Shein wrote:
I don't know what "WKBI" means and google turns up nothing. I'll guess "Well Known Bad Idea"?
Since I said that I found the idea described above uninteresting I wonder what is a "WKBI" from 1997? The idea I rejected?
Also, I remember ideas being shot down on the ASRG (Anti-Spam Research Group) list primarily because they would take ten years to gain acceptance.
Over ten years ago.
Maybe they were bad ideas for other reasons. Some certainly were.
But there's this tone of off-the-cuff dismissal, oh that would take TEN YEARS to gain traction, or that's a WKBI, which I don't find convincing.
I read your paper, for example, and said it's a nice paper.
But I don't find it compelling to the degree you seem to want it to be because it mostly makes a bunch of assumptions about how an e-postage system would work and proceeds to argue that the particular model you describe (and some variants) creates impossible or impractical hurdles.
But what if it worked differently?
At some point you're just reacting to the term "e-postage" and whatever it happens to mean to you, right? Imagine living in a world where this system is implemented. Then imagine ways to break it. The first thing I can think of is money laundering through hundreds of source and destination email accounts. The second is stolen identities or credit cards where the money doesn't exist to begin with (Who pays when this happens?)
Third is administrative overhead. Banks/paypal/exchanges/someone is going to want a cut for each transaction, and they deserve one since they're going to end up tracking all of them and need to be able to reverse charges when something goes wrong. But then you have a central point of failure and central monitoring point so you want to involve multiple exchanges, banks, etc. Then you've got a dictatorship somewhere who says they want an extra $0.03 tacked on to each transaction, only it's not $0.03 it's <insert famously unstable currency here> so any mail that goes to that country has to have custom rules that fluctuate multiple times a day. Then there is my mom, who knows just enough about computers to send cat pictures and forward me chain letters. She'll not understand that email costs something now, or how to re-up her email account when it runs out. The administrative burden will either fall to me or her ISP, and each phone call to the ISP probably costs them $$ because they must pay a live human to walk someone through email.
You can't really say you've exhaustively worked out every possibility which might be labelled "e-postage". Only a particular interpretation, a fairly specific model, or a few.
When people talked of "virtual currency" over the years, often arguing that it's too hard a problem, how many described bitcoin with its cryptographic mining etc?
Bitcoin might well be a lousy solution. But there it is nonetheless, and despite the pile of papers which argued that this sort of thing was impossible or nearly so.
Note: Yes, I can also argue that Bitcoin is not truly a virtual currency.
Sometimes a problem is like the Gordian Knot of ancient lore which no one could untie. And then Alexander The Great swung his sword and the crowds cried "cheat!" but he then became King of Asia just as prophesized.
Regards, John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly
The answer is that you can't do this to SMTP. Nobody will ever have the answers to all the questions involved with adding cost transactions to the protocol. The only way to do this is to reboot with a new protocol that people start to adopt, and the only way they'll do that is if it's markedly better than the old way. You have to remember some people when given the choice of paying for email or accepting 10 spams/day will opt for accepting a little spam. The good news is, with email consolidated into 5 or so large providers and most people using webmail or exchange, you've got an opportunity to change the backend. Not much software has to be modified, but you do need those large providers to buy-in to the idea.
On Mar 29, 2014, at 1:31 PM, Barry Shein <bzs@world.std.com> wrote:
On March 29, 2014 at 08:28 owen@delong.com (Owen DeLong) wrote:
So if a spammer or junk mailer could, say, trick you into accepting mail in those schemes then they get free advertising, no postage anyhow.
Sure, but how would they trick you into saying “I wanted this advertising” once you’ve actually seen that it is advertising.
I dunno, but they trick people all the time, isn't that what the entire phishing industry is based on?
I guess the real point is that this idea that one would be sorting through their email saying don't charge for this one I want it, charge for this one, I don't, etc is not a good idea.
I was envisioning a system more where you white-listed your known contacts up front, then only needed to say “refund this one and add to white-list” or “refund this one” when confronted with one that wasn’t already white-listed that you didn’t feel was spam.
We're getting lost in the metaphors methinks.
I don’t think so, I think we’re having differing visions of how it would work in detail.
Well, that's always the problem at some point. Lacking a specific, detailed proposal one tries to work out how it might work, look for inherent flaws in the idea, show stoppers.
This is basically brainstorming.
Yep… Wasn’t a criticism, merely an effort to home in on a more accurate problem description for the communications failures so we weren’t trying to solve the incorrect cause.
So offering to not charge you because you wanted that mail makes no sense, right?
But this isn’t a charge for the post office and by the time you’re connected to the internet, the cost of receiving the mail and transporting it and the sender sending it is pretty much sunk by some arguments.
FIRST: There's a typo/thinko in my sentence!
Should be:
So offering to not charge THE SENDER because THE RECIPIENT wanted that mail makes no sense, right?
SECOND:
In response, someone has to scale resources to match volume.
But maybe my typo/thinko confused this because you know that, sorry.
Yes, but those costs are essentially already sunk in existing internet access. The cost of transmission is already paid by all parties involved. This wouldn’t be intended to subsidize that. The reason for splitting the postage between the recipient and the recipient ISP was to aid in recovery of the costs of administering the postage process.
What about the costs of anti-spam technology? And all the other problems spam incurs? I thought that's why we were here.
Reality is those costs are pretty much sunk at this point as well, mostly embedded into the price of internet access and mail services as they exist today. Sure, there might be some long term reductions in those costs if this worked out, but at what relative price?
Please present your definition of SPAM. I don’t see how a shipping notification, a transaction receipt, etc. could possibly be considered SPAM.
My whole point is I don't WANT to have a definition of spam, except as a bad memory.
I'm trying to figure out how to change the ecology/economics so spam is difficult, a minor problem.
I get what you want, but I don’t see it as a solution due to the negative consequences described elsewhere in the thread.
Just like my analogy with the post office, they wouldn't deliver mail for free just because the recipient wanted it.
That postage is already being paid for email… You pay for internet access and so do the spammers, so the idea that your proposed e-postage is a payment related to the delivery of the mail is absurd from the beginning.
Again, we're talking about spam and the harm it does, the costs it incurs. And phishing etc.
That's sort of like saying my car can drive down the road perfectly well with some gasoline etc, why do I need to pay taxes for police?
I often find myself wondering exactly that… Usually after trying to get some service or other that the police are supposed to be providing. Nonetheless, I get your point. OTOH, the city council, as a body, doesn’t pay taxes for police. Neither does the city, which owns quite a fleet of vehicles. So, what is your equivalent in this regime to the “tax exempt organization”?
The vast majority of messages I get from Amazon are order confirmations, shipping status reports, etc. Messages related to transactions I have conducted with them. Yes, I get a little bit of SPAM from them and I wouldn’t mind seeing them forced to pay me for those messages, but I certainly don’t want to see them paying for every message they send.
The vast majority of paper mail I get from my bank accounts is useful and informative and often legally important.
But every one of them has postage attached.
Yes, but you aren’t paying the USPS a fee for you to have a mailbox that the mailman drives by whether you receive mail or not and neither is your bank. I certainly don’t want to start double-paying for spam (or legitimate email for that matter).
Recipients wouldn't pay in my scheme.
OK, turn it around and you aren’t paying a separate fee for the mailman to drive by your place each day to see if you have any outgoing mail, either.
If you mean that legitimate senders have to pay and somehow recover that cost, well, we all pay for police and other security. Security is often like that. When you pay for a prison you pay to house prisoners, any benefit to you is at best abstract (they're not on the streets etc.)
I don’t pay the USPS any separate taxes to support the postal inspectors. That’s rolled up into the postage.
Further, if someone sends me something I don’t want, I can mark it “refused, return to sender” and the post office is obliged to do so and I don’t pay anything for it.
This is probably getting off-track, but are you sure about that with the USPS?
Yes. For most mail, you can. Third Class and Bulk, not so much, they’ll tell you to throw it away. I don’t pay anything for that, either. If I really want to get rid of a junk mailer (at least one who is dumb enough to send me postage-paid reply mechanisms), I’ll package up a brick, attach the reply label they provided and send it off. (lead weights, shot-bags, etc. can also be effective candidates). I’ve only used this tactic a few times, but it’s never taken more than two heavy replies to get the flow of crap to stop abruptly.
You can mark it NSA (no such addressee) or NFA (no forwarding address) or NSA/NFA or even put a forwarding address which may or may not do anything since the recipient is supposed to set that up with the post office (e.g., when they move.)
Yep. They’ll take it back and either forward it if they can or send it to the dead letter office.
But I never heard of taking all my junk mail for example and handing it back to a letter carrier saying "Here, I don't want this!" I think they'd say "throw it in the trash!”
Specifically doesn’t work with third-class and bulk. They are the only exceptions.
I didn’t authorize the spammer to use my computer, systems, disk, network, etc. They simply did so without my authorization. If I had a cost effective way to identify them, track them down, and hold them accountable for this, I would gladly do so.
Do you mean sending (making you a bot) or receiving spam?
Receiving.
Well, truth be told you didn't really authorize many people who send you email to use your resources.
If I wanted the email, then I retroactively authorize(d) them, authorized them by implication, or authorized them through other mechanisms.
So we're back to the definition of spam problem.
Again, I don’t see that as a hard problem.
Which is exactly what I'm trying to get away from.
I’m aware of that. However, I don’t see you getting around several rather nasty unintended consequences that way.
I'm saying the notion of who you did authorize to send you email is getting fuzzier and fuzzier and may no longer be a completely useful distinction.
How so? If I actually signed up with you to receive your mail, then I opted in and you have my permission on record. If I bought something from you, then I signed up to receive emails RELATED TO THAT TRANSACTION and you have that permission on record. If I checked the box to receive other emails from you, then you have that permission on record. If you don’t have my permission on record, then you don’t have my permission. Seems pretty simple and clear and predictable to me.
Now, you might be able to get my retroactive permission by paying to ask, and if I agree, your “permission fee” is refunded. OTOH, if I say “no”, then you don’t get your money back.
"Related to that transaction"? Is that in CAN-SPAM? Where did that limitation come from? How is that defined?
Forget current law. I’m talking about the criteria I would want to set if we were to overhaul the system and do this right.
You mean when Network Solutions bombards me with email about each new TLD they're violating CAN-SPAM? I never asked for that. I do have some domains with them, I think they're using that for a "legitimate business relationship”.
No, I never brought CAN-SPAM into this, that’s your idea. I’m talking about the criteria that could easily be used to define SPAM consistently in a way that isn’t fuzzy, doesn’t have the problems currently created by CAN-SPAM (a law written by spammers for spammers), etc.
Legitimate businesses (perhaps other than NetSol :-) do tend to restrain themselves and know recipients might get annoyed if they overdo their welcome and opt-out or even block them entirely.
An example of the line getting fuzzy is when my frequent flyer sources (airlines etc) constantly hawk credit cards at me under the excuse that I'll get 50,000 free miles or some such. So it sort of sounds related to the frequent flyer program.
And by allowing the user to do one of: Whitelist the airline Accept each message they want (refunded, others airline pays) Decline all messages (airline pays) You could decide for yourself which messages from the airline you don’t consider SPAM, with the added benefit that you get a small amount of money for each message you don’t actively claim isn’t SPAM.
But I think they're just hawking Amex cards and getting a commission for each one they sell.
Of course they are, and I would not mark any of those messages as “accepted” and it would cost them for each one they sent.
That should have been predictable. Create a fuzzy hurtle and it will get hurtled.
I’m not seeing the fuzziness you claim is present.
Accept that "it's not spam if I have a business relationship with the sender" and that "business relationship" definition will get stretched.
See above. I have a _MUCH_ narrower definition of what should be accepted.
Wait. Are we talking about what you think should be ok, or what the current law (as it were, but CAN-SPAM for example) thinks is ok, or what common practice seems to think is ok, or how it should work under the regime I'm describing?
How it should work under the alternative regime I am describing.
As I said, I'm trying to come up with a spam-definition-neutral approach.
I know, but I believe that approach to be fundamentally flawed and I am trying very hard to propose an alternative I believe could be more functional.
For example, Buy an auto insurance policy from Liberty Mutual and you just gave permission for every Liberty Mutual insurance agent in the world to hawk you life insurance, home owner's insurance, etc etc etc. over email.
No, I didn’t. See above.
Again, I think CAN-SPAM etc would agree with my description within reason.
I’m sure it would, but I’m not talking about CAN-SPAM and I’m not sure why you brought it into the discussion.
I define SPAM not in terms of content, but in the nature of the relationship between the sender and the recipient. If the recipient has no relationship with the sender and doesn’t want to receive the sender’s message, then in most cases, it’s SPAM.
Yeah, well, if you ever get an unexpected email (truly) from Bank of America for example offering great CD rates and can't imagine why they sent it have a ball calling the FTC and filing a CAN-SPAM violation.
If such a thing happened and it actually came from BofA, then, yes, it would.
And I'm saying good luck getting whoever it is enforces CAN-SPAM to agree, unless it just happens to be on their radar for some reason.
CAN-SPAM is a rathole. Please drop it. It’s not furthering our discussion.
However, BofA is smart enough to keep such SPAMvertising at arms length and you have to track down the spammer that actually sent the email under contract to BofA, not BofA themselves. It would be nice if CAN-SPAM were expanded to affect the advertiser and/or advertised product instead of just the entity actually sending the SPAM, but so far, that has not happened.
There are limits to Agency Law. You can't hire someone to break the law and then say it's entirely their problem.
Ah, but BofA didn’t hire them to break the law. BofA hired them to send the SPAM to the list they promised BofA was entirely opt-in users who chose to receive their mails. The fact that they lied to BofA means BofA doesn’t have any liability. The fact that BofA profits from this lie without consequences means that BofA has no incentive to go after them for a refund or avoid using their services in the future.
Well, there are all sorts of hard cases, but laying it out sometimes surprises people (like, yes you can be held responsible for the actions of a hired bodyguard, even if their behavior was way out of line. They sell insurance for that kind of thing.)
Sure, but the spammers happily cover BofA’s ass contractually and then say “oops” or “we lied” or whatever they have to in order to get BofA off the hook. Then, nobody gets punished and business as usual.
Maybe something would happen, I can't say for sure.
But I suspect they'd round file it because hey that's BANK OF AMERICA not SPAMMERS and you're just a KOOK!
No, more likely they’d review the headers and point out to me that there’s no evidence it was actually sent BY BofA, because most likely it wasn’t sent by BofA, but by someone they may or may not have contracted.
Well, now we're really just moving the goalpost and changing the scenario.
No, I’m pointing out how organizations like BofA actually do this and you’re talking about some fictitious scenario that doesn’t happen in real life. Yes, BofA and SPAM-Inc. move the goalpost and change the scenario, but that’s also why most telco-contracted backhoe operating companies have numbers in their name… Ho-Co #1 cut someone’s fiber, so they sold their substantial assets to Ho-Co #2 for a song to pay their legal fees, then went chapter 13 before the case could make it to court.
Extrapolate to any company the FTC has heard of and respects.
Really more a matter of how those companies keep their SPAM at arms length and circumvent the intent of the law than their reputation with the FTC.
That's what I mean by a moralistic component.
But if BoA was fudging their postal meters and the post office noticed it'd be Book 'Em Dan-O before the next commercial break.
Indeed, the mailing agency that BofA hires to send out their postal spam pays full postage and can’t really avoid that.
But postage is related to the cost of delivering the mail. What you are proposing as e-postage isn’t.
Of course it is. If your email won't be accepted without proper postage attached then that's the cost of having your email delivered.
No, that’s a protection racket/extortion scheme. I’m talking about the cost of moving the mail from point A to point B. You’re talking about the cost of not having my nice email meet with an accident on the information superhighway.
Just because the work can't be expressed in Newtons over Distance doesn't mean it's not valuable.
See above.
Ok, I think a lot of the rest of this could be answered by:
It would be interesting to ask a spammer or ex-spammer what they thought about the scheme.
LoL
Beyond that we're just guessing as to whether what's proposed would alter their behavior.
True, but first we have to get past “would the community accept it generally” and I think your proposal (and probably mine) fail the smell test there. If it can’t get implemented, it doesn’t matter how much the spammers would hate it.
And I gotta go eat some lunch!
Bon apetit. Owen
On March 29, 2014 at 23:26 owen@delong.com (Owen DeLong) wrote:
On Mar 29, 2014, at 1:31 PM, Barry Shein <bzs@world.std.com> wrote:
On March 29, 2014 at 08:28 owen@delong.com (Owen DeLong) wrote:
So if a spammer or junk mailer could, say, trick you into accepting mail in those schemes then they get free advertising, no postage anyhow.
Sure, but how would they trick you into saying �I wanted this advertising� once you�ve actually seen that it is advertising.
I dunno, but they trick people all the time, isn't that what the entire phishing industry is based on?
I guess the real point is that this idea that one would be sorting through their email saying don't charge for this one I want it, charge for this one, I don't, etc is not a good idea.
I was envisioning a system more where you white-listed your known contacts up front, then only needed to say �refund this one and add to white-list� or �refund this one� when confronted with one that wasn�t already white-listed that you didn�t feel was spam.
Introducing a refunding system adds a lot of complexity for not much advantage. Think through the mechanics of this whitelisting system, i.e., the bookkeeping and msgs back and forth. (eliding some stuff we mostly agree on)
What about the costs of anti-spam technology? And all the other problems spam incurs? I thought that's why we were here.
Reality is those costs are pretty much sunk at this point as well, mostly embedded into the price of internet access and mail services as they exist today. Sure, there might be some long term reductions in those costs if this worked out, but at what relative price?
What about the "attention" costs, when nobody for example looks at an Amazon mail or even a useful msg from their bank because they're too busy deleting everything that isn't absolute top-priority (like from a relative or lover.) They're just swamped. Anyhow, I guess either spam is a big problem or it isn't. Everything I say is based on the premise that spam is a big problem. If it isn't then we are truly wasting our time here.
Please present your definition of SPAM. I don�t see how a shipping notification, a transaction receipt, etc. could possibly be considered SPAM.
My whole point is I don't WANT to have a definition of spam, except as a bad memory.
I'm trying to figure out how to change the ecology/economics so spam is difficult, a minor problem.
I get what you want, but I don�t see it as a solution due to the negative consequences described elsewhere in the thread.
Well, if you don't see spam as much of a problem then surely most anti-spam proposals are going to seem too costly, right?
That's sort of like saying my car can drive down the road perfectly well with some gasoline etc, why do I need to pay taxes for police?
I often find myself wondering exactly that� Usually after trying to get some service or other that the police are supposed to be providing.
Nonetheless, I get your point. OTOH, the city council, as a body, doesn�t pay taxes for police. Neither does the city, which owns quite a fleet of vehicles. So, what is your equivalent in this regime to the �tax exempt organization�?
Maybe I haven't had enough coffee yet but I truly don't understand what you're asking here.
Recipients wouldn't pay in my scheme.
OK, turn it around and you aren�t paying a separate fee for the mailman to drive by your place each day to see if you have any outgoing mail, either.
You must live in some low-density population area, here in Boston the letter carriers won't take outgoing mail. I tried one day and the guy just sneered "put it in a box, that's all I'd do with it!" Obviously there are people emptying those mailboxes but it's...where are we going with this?
If you mean that legitimate senders have to pay and somehow recover that cost, well, we all pay for police and other security. Security is often like that. When you pay for a prison you pay to house prisoners, any benefit to you is at best abstract (they're not on the streets etc.)
I don�t pay the USPS any separate taxes to support the postal inspectors. That�s rolled up into the postage.
Further, if someone sends me something I don�t want, I can mark it �refused, return to sender� and the post office is obliged to do so and I don�t pay anything for it.
This is probably getting off-track, but are you sure about that with the USPS?
Yes. For most mail, you can. Third Class and Bulk, not so much, they�ll tell you to throw it away. I don�t pay anything for that, either.
Ok, nothing stops you in this scheme from returning an email to the sender. Maybe it could even be made free, probably just like any Mailer-Daemon bounce. What I don't think is a good idea is the sender getting their postage back. That's a lot of bookkeeping and I don't see any reason to bother.
If I really want to get rid of a junk mailer (at least one who is dumb enough to send me postage-paid reply mechanisms), I�ll package up a brick, attach the reply label they provided and send it off. (lead weights, shot-bags, etc. can also be effective candidates). I�ve only used this tactic a few times, but it�s never taken more than two heavy replies to get the flow of crap to stop abruptly.
I believe the USPS now throws those away. The return postage only covers a first-class letter or whatever.
You can mark it NSA (no such addressee) or NFA (no forwarding address) or NSA/NFA or even put a forwarding address which may or may not do anything since the recipient is supposed to set that up with the post office (e.g., when they move.)
Yep. They�ll take it back and either forward it if they can or send it to the dead letter office.
If it's first-class mail, that's one reason first-class costs more.
But I never heard of taking all my junk mail for example and handing it back to a letter carrier saying "Here, I don't want this!" I think they'd say "throw it in the trash!�
Specifically doesn�t work with third-class and bulk. They are the only exceptions.
Big exception since that's almost all of what bulk paper mailers use!
"Related to that transaction"? Is that in CAN-SPAM? Where did that limitation come from? How is that defined?
Forget current law. I�m talking about the criteria I would want to set if we were to overhaul the system and do this right.
I think it's very important to eliminate any definition of spam from the system. That's just a rat hole. You stop spam by making it too expensive for spammers to operate in any effective manner. True story: I remember when I was about 16 years old I went into this place in Greenwich Village, still there I believe, "The Cafe Wha?". They didn't serve alcohol so it was someplace a 16 year old could get out of the rain and hear some live music. At the door was a guy with a coffee can, "Cover Charge: 25c" Even way back then 25c wasn't much money, about the price of a couple of packs of gum. I asked the guy: Why a 25c cover charge? He said: It keeps out the riff-raff. It keeps out the RIFF-RAFF???? 25 CENTS? He yelled back: YOU'D BE SURPRISED! Well, surely he knew his business. We're trying to keep out the riff-raff while not overburdening the honest. Maybe I should dub this the "Cafe Wha? Proposal" in their honor.
You mean when Network Solutions bombards me with email about each new TLD they're violating CAN-SPAM? I never asked for that. I do have some domains with them, I think they're using that for a "legitimate business relationship�.
No, I never brought CAN-SPAM into this, that�s your idea. I�m talking about the criteria that could easily be used to define SPAM consistently in a way that isn�t fuzzy, doesn�t have the problems currently created by CAN-SPAM (a law written by spammers for spammers), etc.
Permission to speak frankly: You want a moral component, you want this to identify the good from the bad. You keep coming back to that. I LONG AGO STOPPED CARING! I just want the spam to stop. And I think when you make that leap and let go of the moral or judgemental aspect solutions start to appear. I don't want to make better people out of spammers. I don't want to put them behind bars. I don't want to punish them. I don't want to reward the righteous (except by default, less spam!) I just want to put spammers out of business! I want to change the ecology so it makes it impossible for them to operate in any effective manner. I keep saying "effective" because sure you might get the occasional spam anyhow, particularly in the beginning as they try to save their business model, but I want to run them out of town.
Legitimate businesses (perhaps other than NetSol :-) do tend to restrain themselves and know recipients might get annoyed if they overdo their welcome and opt-out or even block them entirely.
An example of the line getting fuzzy is when my frequent flyer sources (airlines etc) constantly hawk credit cards at me under the excuse that I'll get 50,000 free miles or some such. So it sort of sounds related to the frequent flyer program.
And by allowing the user to do one of:
Whitelist the airline Accept each message they want (refunded, others airline pays) Decline all messages (airline pays)
Whitelist shmitelist. You're turning this into a two-way system with active feedback which is EXACTLY what I say is to be avoided.
You could decide for yourself which messages from the airline you don�t consider SPAM, with the added benefit that you get a small amount of money for each message you don�t actively claim isn�t SPAM.
Easier to just toss the ones you don't want. Think this thru, you really want to look at each msg and decide if it's spam or not and if so perform some function...? Sure, some people do that sometimes, report spam, but really life is too short. I say put the spammers out of business.
But I think they're just hawking Amex cards and getting a commission for each one they sell.
Of course they are, and I would not mark any of those messages as �accepted� and it would cost them for each one they sent.
Active feedback, bookkeeping, unnecessary.
As I said, I'm trying to come up with a spam-definition-neutral approach.
I know, but I believe that approach to be fundamentally flawed and I am trying very hard to propose an alternative I believe could be more functional.
Ya know, I can't go thru these supposed fundamental flaws one by one, show they arise from misunderstandings etc, and then come back to "I believe your approach to be fundamentally flawed". Doesn't leave me much to respond to.
Ah, but BofA didn�t hire them to break the law. BofA hired them to send the SPAM to the list they promised BofA was entirely opt-in users who chose to receive their mails. The fact that they lied to BofA means BofA doesn�t have any liability. The fact that BofA profits from this lie without consequences means that BofA has no incentive to go after them for a refund or avoid using their services in the future.
Actually, that's not true, speak to someone who understands agency law. BoA might be able to in turn sue them for breaching a contract but BoA can still be held liable. Those aren't mutually exclusive. Really, that's agency law 101. I realize people think about it for a minute and say "that's ridiculous!" but that's exactly how it works. And why business liability insurance covers events like that, or should. Intent is not a factor which tends to be the source of a lot of "folk" law beliefs like this.
Well, there are all sorts of hard cases, but laying it out sometimes surprises people (like, yes you can be held responsible for the actions of a hired bodyguard, even if their behavior was way out of line. They sell insurance for that kind of thing.)
Sure, but the spammers happily cover BofA�s ass contractually and then say �oops� or �we lied� or whatever they have to in order to get BofA off the hook. Then, nobody gets punished and business as usual.
Review agency law. BoA can be held liable. BoA can in turn sue the spammer, if they like, to recover. That avoids precisely what you're suggesting, transferring liability to a judgement-proof entity. Yes that can still be done in many cases but not as you describe. But why are we here exactly?
Maybe something would happen, I can't say for sure.
But I suspect they'd round file it because hey that's BANK OF AMERICA not SPAMMERS and you're just a KOOK!
No, more likely they�d review the headers and point out to me that there�s no evidence it was actually sent BY BofA, because most likely it wasn�t sent by BofA, but by someone they may or may not have contracted.
Well, now we're really just moving the goalpost and changing the scenario.
No, I�m pointing out how organizations like BofA actually do this and you�re talking about some fictitious scenario that doesn�t happen in real life.
Yes, BofA and SPAM-Inc. move the goalpost and change the scenario, but that�s also why most telco-contracted backhoe operating companies have numbers in their name� Ho-Co #1 cut someone�s fiber, so they sold their substantial assets to Ho-Co #2 for a song to pay their legal fees, then went chapter 13 before the case could make it to court.
Chapter 13 is personal bankruptcy.
Of course it is. If your email won't be accepted without proper postage attached then that's the cost of having your email delivered.
No, that�s a protection racket/extortion scheme.
Oh c'mon, then so is every other situation where you have to pay for something, including credentials. Are SSL certs a protection racket/extortion scheme?
Ok, I think a lot of the rest of this could be answered by:
It would be interesting to ask a spammer or ex-spammer what they thought about the scheme.
LoL
I'm serious! I wouldn't consider investing a dime without talking to some spammers or ex-spammers of note. There're a few of them who'd probably be glad to talk for some prison canteen credits. -- -Barry Shein The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
On Fri, Mar 28, 2014 at 4:15 PM, Barry Shein <bzs@world.std.com> wrote:
On March 28, 2014 at 00:06 owen@delong.com (Owen DeLong) wrote: [snip] I thought the suggestion was that a recipient (email, or by analogy postal) could indicate they wanted an email which would cancel the postage attached, that is, no charge to sender if they wanted it.
So if a spammer or junk mailer could, say, trick you into accepting mail in those schemes then they get free advertising, no postage anyhow.
*Postage schemes as proposed with end users email clients 'attaching postage' simply not workable Not in IPv4. Not in IPv6. Not in IPng Not in any conceivable future version of IP. *Believe end users being served by mail servers WON'T tolerate postage, or the extra difficulty in configuring their email client, even from a free service. Spam is a serious problem, and different mail users don't agree on exactly what messages are spam, BUT from end users' perspective: they all tend to agree that it is their provider's job to have made all the spam go away, but delivered all goodmail with 100% accuracy. Moreover, mail users expect, this should be 100% transparent, requiring no extra work from the mail user. Confirming that a message was OKAY, or that it was spam is definitely outside the compass of your average mail user. Therefore.... it would almost definitely be e-mail mailbox providers footing the bill on behalf of their subscribers in any 'charge postage' scheme that ever had a reasonable chance of working. Must be completely transparent to end users. Any treatment for spam ultimately needs to have some conceivable way of being implemented to be less harmful and annoying than the disease. Therefore: Must not have any significant burdens for at least 95% of legitimate users, and the burden of the 5% of legitimate users must be low and worth it. Email hosting providers still just have to use the flat rate monthly service fee to recover their costs, AND costs have to be low enough that free mail providers can still work -- supported by advertising : users will revolt against SP, if there are extra charges. Therefore "Postage must be optional". Perhaps, by separating mail into multiple classes, and requiring postage only for certain classes. Such as "Unpostaged Email" --- Extreme spam filtering, likely deliverability issues (what we have today) "Bulk Class Email" --- subject to reduced spam filtering, reduced postage, Only available to authorized SMTP senders. "First class Email" --- Intended for private correspondence, greater postage, reduced spam filtering "Priority Email" --- Intended for extremely urgent messages, high postage, for time sensitive matters very little or no spam filtering. And the process by which SMTP operators could reach agreement to charge each other for traffic, and on what rate should be standard, is difficult to conceive..... Postage would incentivize SMTP operators: to scrutinize users' traffic and limit abuse or excessive mail outflow from any one user. But who could say... that a particularly lucrative spam campaign won't come from the spammer attached with the proper postage?
In theory SMTP providers could do this... exchange postage between SMTP operators and completely hide it from end users, but the problem is it requires agreement... and consistent rules, otherwise e-mail perhaps becomes too expensive: or not sufficiently predictably inexpensive. Now.... if SMTP providers charge each other postage... postage SPENT should be offset by postage RECEIVED. When e-mail conversations are mostly symmetrical --- for example: two users e-mailing each other, then the ratio of messages OUT to messages IN should be pretty close to 1.0, or at least not 1000 to 1; Which means.... the two SMTP servers could charge each other postage, but the postage spent is offset by postage received. This would be different for commercial bulk mailers ("legitimate" or otherwise), AND as a result --- they would pay. Shifting some costs back from sender to receiver of the message. And... perhaps the commercial mailers _should_ bear costs. As commercial mailings create support costs (when false positive'd by spam filters), And... additional storage cost (before the user downloads their message from their POP3 mailbox). Also large-scale bulk mail consumes bandwidth, memory, and processing power. So... how could it work technically... One possibility: a SMTP server proves postage deposited, by each presenting a cryptocurrency wallet address in the HELO banner and the 250 reply; for the smtp transaction to proceed, the sending server needs to be challenged to prove it has the balance to pay --- and challenged then to provide the signed transaction in the form of a "Temporary deposit". Probably through SMTP Extension verbs. For example: "250 Hello: new SMTP server at IP address Xyz. Before you can start sending me mail, except to abuse or postmaster, or clearly marked BULK class mail: you need to introduce yourself with an AUTH message and provide a Base64 signed transaction paying out a minimum of a $0.002 deposit. to unique address [blahblah]. Deposit forfeit if not used to send First class Email within 48 hours, or upon any abuse complaint. After this SMTP server receives confirmation of your deposit; this SMTP server will track your balance by your IP address, and you will be allowed to send mail from this IP, as long as your balance is not negative. The cost of postage will be subtracted from your deposit. Note, that every time you place a new deposit, $0.0001 will be subtracted as an introduction fee. Every future SMTP connection you make to this server is $0.000001 times the number of simultaneous connections. After the introduction, The first 100 valid recipients and the first 10 invalid recipients or 500 kilobytes of First class traffic per SMTP IP address are free for the first 100 times you connect to my SMTP port. Beyond this, every time you present a RCPT TO with an invalid e-mail address, or address with an unauthorized recipient domain, $0.0005 will be deducted. Every time you present a RCPT TO, $0.000001 will be be immediately deducted. Every time you complete DATA stage, the charge will be $0.000001 times the number of RCPT TO lines for successfully accepted recipients every 1 Kilobyte after the first 250 Kilobytes of message data received. If the entire delivery fails due to a connection timeout, only 1 recipient is charged for received data. SPECIAL MAIL CLASSES: Bulk Solicited Mail - 1/1000 the normal postage rate per recipient for first 250Kb. - Identify by specifying 'Precedence: Bulk' in the message header. Must prepay the standard postage for the first 1000 recipients. Excess postage refunded after no spam complaints for 48 hours. Priority Mail - 10000x the normal postage rate per recipient. - Charged if Subject line contains the word PRIORITY or the message contains a X-Priority, Importance, or X-Priority Header indicating high priority. Urgent Mail - 100000x the normal postage rate per recipient. - Subject line contains the word URGENT, or the message contains a Disposition-Notification-To or Return-Receipt-To header or the message contains a X-Priority, Importance, or X-Priority Header indicating high priority, " So there may be a $0.002 cost to send a 250 Kilobyte message to 1000 recipients. Or $0.10 to send to 100000 local recipients. In the event of a user sending mail to a free mailing list, well.... The mailing list provider is likely to require whatever fee is needed to offset the number of members in the mailing list. We're getting lost in the metaphors methinks.
-- -JH
Look at it this way. If I see an attack coming from behind your NAT, I'm gonna deny all traffic coming from your NAT block until you assure me you have it fixed because I have no way of knowing which host it is coming from. Now your whole network is unreachable. If you have a compromised GUA host I can block only him. Better for both of us, no?
That is assuming that the infected piece does not request another address in the /64, and that the person blocking at the target end blocks a /128 instead of the /64.
I suppose that's possible and you could respond to that by blocking more addresses or the entire /64 if you want. The difference is that by seeing the actual address of the remote system you get to decide rather than blocking an entire corporate network. It would be trivial to program a rule that if multiple addresses in the block are offending we escalate to a bigger block.
How about a single host spamming behind your NAT blocking your entire corporate public network from email services? Anyone ever see that one. Ipv6 GUAs allow us to use fly swatters instead of sledgehammers to deal with that.
I don't want to try to even think about SMTP on IPv6. Reputation of email servers as well as the whole thought process of spam control rely on a list of IP address.
Yes, addresses that do not accurately represent the single system causing the problem.
IPv6 adds an entirely new aspect to it.
Well, if you mean the entirely new aspect is a list of hex addresses instead of dotted decimal addresses I guess so. I personally would rather have a list of actual end system addresses than a list of addresses that represent a mail server and several thousand other innocent devices behind a NAT. Might be easier to tell the system owner which system is compromised than to call a large company and tell them one of their systems is compromised. It would also be nice to be able to allow legitimate email to a business partner while blocking his compromised system only.
Maybe GUAs will convince (scare) more enterprise users to actually treat the internal network as an environment that needs to be secured as well. We can only hope.
Most enterprise admins, segment their BYOD (wifi) network from the production network. Some will even use a different WAN ip for the wifi network or in the minimum block outbound request to well known services ports.
If they knew anything about security they would but I thought we were talking about the same guys that use NAT to secure their networks.
I generally see where the only outbound connections allowed are http and https. All other ports are blocked.
Maybe on the BYOD only networks but very few companies actually segregate the BYOD devices from the general wifi access in a sophisticated way. Just look at how many wifi vendors actually support that well and how many companies can actually tell a corporate owned wifi device from a BYOD device. To do that correctly requires something like a good machine certificate process and complex stuff like 802.1x and TLS, most don't have it. Good luck with allowing only http and https and nothing else. My wifi users happen to like to be able to use IP softphones, have web conferences, and do lots of other stuff that uses more than those two protocols. Steven Naslund Chicago IL
IPv6 adds an entirely new aspect to it.
Well, if you mean the entirely new aspect is a list of hex addresses instead of dotted decimal addresses I guess so. I personally would rather have a list of actual end system addresses than a list of addresses that represent a mail server and several thousand other innocent devices behind a NAT. Might be easier to tell the system owner which system is compromised than to call a large company and tell them one of their systems is compromised. It would also be nice to be able to allow legitimate email to a business partner while blocking his compromised system only.
I thin the new dimension is that a spammer today who manages to snag a /8 has 16.7 million addresses to play with. Even if he forces you to add each and every one to your list, that’s a few megabytes for a VERY large IPv4 block. OTOH, a spammer with a single /64, pretty much the absolute minimum IPv6 block, has more than 18 quintillion addresses and there’s not a computer on the planet with enough memory (or probably not even enough disk space) to store that block list. Sometimes scale is everything. host-based reputation lists scale easily to 3.2 billion host addresses. IPv6, not so easily. Owen
On Wed, Mar 26, 2014 at 6:31 AM, Owen DeLong <owen@delong.com> wrote:
OTOH, a spammer with a single /64, pretty much the absolute minimum IPv6 block, has more than 18 quintillion addresses and there's not a computer on the planet with enough memory (or probably not even enough disk space) to store that block list.
It only takes a single entry if you do not store /128s but that /64. Yes, RBL lookups do not currently know how to handle this, but there are a couple of good proposals around on how to do it. This would also reduce the risks from cache depletion attacks via DNSxL lookups to IPv4 levels. Sometimes scale is everything. host-based reputation lists scale easily to
3.2 billion host addresses. IPv6, not so easily.
As soon as we get away from host-centric-view to a network-block-view, things get pretty straightforward. -- Matthias
It only takes a single entry if you do not store /128s but that /64. Yes, RBL lookups do not currently know how to handle this, but there are a couple of good proposals around on how to do it.
Sigh. See previous note on wny aggregating on /64 won't work.
This would also reduce the risks from cache depletion attacks via DNSxL lookups to IPv4 levels.
Sigh. See previous note on wny aggregating on /64 won't work. R's, John
If you can figure out how to store an address and a mask you can have any size entry you want. Just like a routing table. This is not insurmountable. Steven Naslund Chicago IL
OTOH, a spammer with a single /64, pretty much the absolute minimum IPv6 block, has more than 18 quintillion addresses and there's not a computer on the planet with enough memory (or probably not even enough disk space) to store that block list.
It only takes a single entry if you do not store /128s but that /64. Yes, RBL lookups do not currently know how to handle this, but there are a couple of good proposals around on how to do it. This would also reduce the risks from cache depletion attacks via DNSxL lookups to IPv4 levels. Sometimes scale is everything. host-based reputation lists scale easily to
3.2 billion host addresses. IPv6, not so easily.
As soon as we get away from host-centric-view to a network-block-view, things get pretty straightforward. -- Matthias
On Mar 26, 2014, at 3:18 AM, Matthias Leisi <matthias@leisi.net> wrote:
On Wed, Mar 26, 2014 at 6:31 AM, Owen DeLong <owen@delong.com> wrote:
OTOH, a spammer with a single /64, pretty much the absolute minimum IPv6 block, has more than 18 quintillion addresses and there's not a computer on the planet with enough memory (or probably not even enough disk space) to store that block list.
It only takes a single entry if you do not store /128s but that /64. Yes, RBL lookups do not currently know how to handle this, but there are a couple of good proposals around on how to do it.
Then the spammers will grab /48s instead of /64s. Lather, rinse, repeat. Admittedly, /48s are only 65,536 RBL entries per, but I still think that address-based reputations are a losing battle in an IPv6 world unless we provide some way for providers to hint at block sizes. After all, if you start blocking a /64, what if it’s a /64 shared by thousands of hosting customers at one provider offering virtuals?
This would also reduce the risks from cache depletion attacks via DNSxL lookups to IPv4 levels.
Yes and no.
Sometimes scale is everything. host-based reputation lists scale easily to
3.2 billion host addresses. IPv6, not so easily.
As soon as we get away from host-centric-view to a network-block-view, things get pretty straightforward.
Except where they don’t. Owen
On Thu, Mar 27, 2014 at 6:17 AM, Owen DeLong <owen@delong.com> wrote:
It only takes a single entry if you do not store /128s but that /64. Yes, RBL lookups do not currently know how to handle this, but there are a couple of good proposals around on how to do it.
Then the spammers will grab /48s instead of /64s. Lather, rinse, repeat.
Admittedly, /48s are only 65,536 RBL entries per, but I still think that address-based reputations are a losing battle in an IPv6 world unless we provide some way for providers to hint at block sizes.
That's why I believe having varying levels of granularity is the best trade off between cache friendliness, administrative effort and implementation complexity, independent on whether it's "default deny" or "default accept". We either need to solve (or reduce the impact of) the DNS cache issue or we need to solve the fixed-range issue. Or IP-based reputation as we know it today is more or less dropped from the anti-spam toolset when it comes to IPv6. -- Matthias
On 2014-03-26, Owen DeLong <owen@delong.com> sent:
Then the spammers will grab /48s instead of /64s. Lather, rinse, repeat.
Admittedly, /48s are only 65,536 RBL entries per, but I still think that address-based reputations are a losing battle in an IPv6 world unless we provide some way for providers to hint at block sizes.
After all, if you start blocking a /64, what if it’s a /64 shared by thousands of hosting customers at one provider offering virtuals?
It was brought to my attention in a parallel thread on Mailop that such a mechanism does exist for allowing ISP to hint about the size of customer allocations, at least in the RIPE database: http://www.ripe.net/ripe/docs/ripe-513 So how do we make this universal and get ISPs to use it? If we know customer sizes, it becomes much easier to do reputation on a per-customer basis, which is probably granular enough for a lot of cases. -- Chip Marshall <chip@2bithacker.net> http://2bithacker.net/
On March 26, 2014 at 22:17 owen@delong.com (Owen DeLong) wrote:
Then the spammers will grab /48s instead of /64s. Lather, rinse, repeat.
Hang on, do spammers "grab" address blocks? Ok, I'm sure it happens, this is not an existence proof. But is that really a significant characterization of their behavior? That they go to an RIR or ISP and get an address block allocation? I mean post-Ralsky (almost obscure historical spam reference.) It seems like ALL the spam I see is purloined resources: botnets, unauthorized use of (usually misconfigured) mail servers, web software holes, free sites in general (such as google groups but also those "community" free sites), etc. I suppose this is the place where someone just says: "Yes, Barry, it is" and considers the matter settled but it sure doesn't match my experience. We block a lot of /24s (like about 150,000 right now) and even a few larger chunks but not because they're owned by spammers but because they're repeatedly ABUSED by spammers. But unfortunately they're just about always owned by people/companies who believe they're legitimate but just can't seem to keep the spammers from abusing them over and over. And the chance of ham from them is so slight that one just blocks them wholesale. Well, maybe for the purpose of this discussion it's the same thing, how do you block blocks which are being abused or you want to block for whatever reason. -- -Barry Shein The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
OTOH, a spammer with a single /64, pretty much the absolute minimum IPv6 block, has more than 18 quintillion addresses and there�s not a computer on the planet with enough memory (or probably not even enough disk space) to store that block list.
Sometimes scale is everything. host-based reputation lists scale easily to 3.2 billion host addresses. IPv6, not so easily.
Quite right. If I were a spammer or an ESP who wanted to listwash, I could easily use a different IP addres for every single message I sent. R's, John
On 3/26/2014 12:09 PM, John Levine wrote:
OTOH, a spammer with a single /64, pretty much the absolute minimum IPv6 block, has more than 18 quintillion addresses and there�s not a computer on the planet with enough memory (or probably not even enough disk space) to store that block list.
Sometimes scale is everything. host-based reputation lists scale easily to 3.2 billion host addresses. IPv6, not so easily. Quite right. If I were a spammer or an ESP who wanted to listwash, I could easily use a different IP addres for every single message I sent.
Which isn't too bad for the spam block lists, as they will usually escalate and block /64 and shorter anyways. It will be problematic for handling something like CBL, though. DHCP shifted occasionally, but not as often as IPv6 privacy addresses can. The botnet world is where the problems will arise, and not just for spam. It becomes even more problematic, as you don't know if you have multiple bots in a /64 (individual handouts via DHCPv6) or a single bot shifting within a /64 assignment, or given some layouts, perhaps shifting within a /48 assignment. Jack
Quite right. If I were a spammer or an ESP who wanted to listwash, I could easily use a different IP addres for every single message I sent. R's, John Week before last I saw this in great detail, with nearly 100,000 messages sent to our users per day from probably the same spammer (lots of similarities, including an image payload with invisible anti-bayesian text and a .in TLD) where no two messages came from the same IP. It did all come from the same hosting provider, though, and at least for now
On 03/26/2014 01:09 PM, John Levine wrote: that hoster's whole address space (all twenty blocks, varying between a /23 and a /17) is in my border router's deny acl for incoming on port 25. At least for now; I did send an e-mail out to the abuse contact, waited 72 hours, then but the blocks in the incoming acl. This hoster was adding rwhois entries for each /32 allocated (yes, IPv4 /32) and they had different NIC handles. I'll probably wait a month, then pull the acl to see if it starts back up. Oh, and each and every /32 that sent mail had fully proper DNS, including PTR etc. Spamassassin's score was well in the 'ham' category for all of those messages. IP reputation lists are one weapon in the arsenal, but not nearly as effective as one would like. There is no technical magic bullet that I've seen work over the long haul. But that's not really on-topic for NANOG.
John Levine <johnl@iecc.com> wrote:
If I were a spammer or an ESP who wanted to listwash, I could easily use a different IP addres for every single message I sent.
Until mail servers start rate-limiting the number of different addresses that are used :-) You can do something like the following in Exim, which limits IPv6 senders to 16 addresses per /64 per day. defer hosts = <; 2000::/4 ratelimit = 16 / 1d / per_conn /\ unique=$sender_host_address /\ ${mask:$sender_host_address/64} Tony. -- f.anthony.n.finch <dot@dotat.at> http://dotat.at/ Shannon, Rockall: Southerly 5 or 6 at first in west, otherwise variable 3 or 4, becoming northeasterly 4 or 5. Moderate or rough. Showers. Good, occasionally moderate.
On (2014-03-23 20:09 +0200), Mark Tinka wrote:
I expect this to change little in the enterprise space. I think use of ULA and NAT66 will be one of the things enterprises will push for, because how can a printer have a public IPv6 address that is reachable directly from the Internet, despite the fact that there is a properly configured firewall at the perimetre offering half-decent protection?
Or IT isn't buying the 'renumbering is easy' argument, for any non-trivial size company even figuring how where exactly can be IP addresses punched out statically would be expensive and long process. If you are pushing for customer to use your PA in their LAN, I'm guessing net-result is you should never reclaim those addresses after customer leaves, since chances are, some customers won't renumber, but will 1:1 NAT your PA to new operator PA, and your next customer with this block will complain about reachability problems to this other customer. But at least we can hope it'll be 1:1 NAT + ULA, which I would suggest to my enterprise customers who won't want to get PI or become LIR. -- ++ytti
On Sunday, March 23, 2014 08:35:48 PM Saku Ytti wrote:
Or IT isn't buying the 'renumbering is easy' argument, for any non-trivial size company even figuring how where exactly can be IP addresses punched out statically would be expensive and long process. If you are pushing for customer to use your PA in their LAN, I'm guessing net-result is you should never reclaim those addresses after customer leaves, since chances are, some customers won't renumber, but will 1:1 NAT your PA to new operator PA, and your next customer with this block will complain about reachability problems to this other customer.
In all fairness, I'm not so sure, as operators, that we want to push our PA space as assignments to customers in IPv6- land. Yes, it makes sense, but then again, it's not hard for enterprises to obtain PI space from $favorite_registry. Yes, that will pollute the routing table and potentially mean your customer can run away from you at any time. But IPv6 is so vast, and as you rightly point out, Saku, it might be unreasonable for us to expect the enterprise to renumber when they churn and take their business elsewhere. It, physically, is a lot of work. So while I have lots of /56's and /48's to assign to customers from my /32, I'm not sure I want to actively encourage it, unless as a last resort. Of course, assigning this to broadband users makes more sense, as use is generally temporary and well controlled. Mark.
In message <201403232009.47085.mark.tinka@seacom.mu>, Mark Tinka writes:
On Sunday, March 23, 2014 06:57:26 PM Mark Andrews wrote:
ISP's have done a good job of brain washing their customers into thinking that they shouldn't be able to run services from home. That all their machines shouldn't have a globally unique address that is theoritically reachable from everywhere. That NAT is normal and desiriable.
I was at work last week and because I have IPv6 at both ends I could just log into the machines at home as easily as if I was there. When I'm stuck using a IPv4 only service on the road I have to jump through lots of hoops to reach the internal machines.
I expect this to change little in the enterprise space. I think use of ULA and NAT66 will be one of the things enterprises will push for, because how can a printer have a public IPv6 address that is reachable directly from the Internet, despite the fact that there is a properly configured firewall at the perimetre offering half-decent protection?
Mark.
Can I suggest that you re-read what I said. I did not say "WILL BE REACHABLE". I said "THEORETICALLY REACHABLE". I also said "GLOBAL UNIQUE" address not "PUBLIC ADDRESS". The point is one should be able to get addresses with these properties. It's your decision about whether to use all the properties the addresses have. As for printers directly reachable from anywhere, why not. We do have the technology to authenticate requests regardless of the IP address the request originates from. Whether that is built into your printer or not is a purchasing decision. I see nothing wrong with being able to print out something from the other side of the world for someone else to pick up. The cost to do this shoudn't amount to more than a couple of cents in the printer's price as it is all one off engineering. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
On Sunday, March 23, 2014 08:39:51 PM Mark Andrews wrote:
Can I suggest that you re-read what I said. I did not say "WILL BE REACHABLE". I said "THEORETICALLY REACHABLE". I also said "GLOBAL UNIQUE" address not "PUBLIC ADDRESS".
The point is one should be able to get addresses with these properties. It's your decision about whether to use all the properties the addresses have.
I was agreeing with you, not speaking against you, Mark.
As for printers directly reachable from anywhere, why not. We do have the technology to authenticate requests regardless of the IP address the request originates from. Whether that is built into your printer or not is a purchasing decision. I see nothing wrong with being able to print out something from the other side of the world for someone else to pick up. The cost to do this shoudn't amount to more than a couple of cents in the printer's price as it is all one off engineering.
That question was rhetorical - everybody on this list already knows the answer :-). Mark.
On 23/03/2014 18:39, Mark Andrews wrote:
As for printers directly reachable from anywhere, why not.
because in practice it's an astonishingly stupid idea. Here's why: chargen / other small services ssh www buffer overflows open smtp relays weak, default or non existent passwords information leakage from non-protected services and so forth. Nothing wrong with global reachability, don't get me wrong - and if I thought for a pico-second that printers or any other connectible device took even the most basic steps at handling security fundamentals, I might even be ok about the idea. But they don't: printer drivers and interface firmware are written by people whose only ability is relaying eps and pcl files from one socket to another and pumping their code full of rage-inducing bloatware, the only purpose of which is to serve the blind whims of idiotic product managers who derive a sadistic satisfaction from ensuring that their products interfere as much as humanly possible with the process of committing ink and toner to paper. Security management doesn't even get a look in. 12 months after market debut, printer firmware updates cease forever for that particular model, and the inevitable result is a line-rate bot spewing obnoxious crap until the day that the device is thrown on to the scrap heap that it deserved when it was first unpacked. Exactly the same principal applies to pretty much any consumer device, although I admit that printers are worse offenders than most. We can all agree that what's needed here is full consumer choice and the ability to address things globally, should one desire to do so. In practice, default deny is more sensible approach to handling the reality of connecting devices to a public network. Nick
In message <532F42AA.9000604@foobar.org>, Nick Hilliard writes:
On 23/03/2014 18:39, Mark Andrews wrote:
As for printers directly reachable from anywhere, why not.
because in practice it's an astonishingly stupid idea. Here's why:
chargen / other small services ssh www buffer overflows open smtp relays weak, default or non existent passwords information leakage from non-protected services
and so forth.
Nothing wrong with global reachability, don't get me wrong - and if I thought for a pico-second that printers or any other connectible device took even the most basic steps at handling security fundamentals, I might even be ok about the idea.
But they don't: printer drivers and interface firmware are written by people whose only ability is relaying eps and pcl files from one socket to another and pumping their code full of rage-inducing bloatware, the only purpose of which is to serve the blind whims of idiotic product managers who derive a sadistic satisfaction from ensuring that their products interfere as much as humanly possible with the process of committing ink and toner to paper. Security management doesn't even get a look in.
12 months after market debut, printer firmware updates cease forever for that particular model, and the inevitable result is a line-rate bot spewing obnoxious crap until the day that the device is thrown on to the scrap heap that it deserved when it was first unpacked.
Exactly the same principal applies to pretty much any consumer device, although I admit that printers are worse offenders than most.
We can all agree that what's needed here is full consumer choice and the ability to address things globally, should one desire to do so. In practice, default deny is more sensible approach to handling the reality of connecting devices to a public network.
Nick
Actually all you have stated in that printer vendors need to clean up their act and not that one shouldn't expect to be able to expose a printer to the world. It isn't hard to do this correctly. It also does not cost much on a per device basis. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
On 23/03/2014 21:02, Mark Andrews wrote:
Actually all you have stated in that printer vendors need to clean up their act and not that one shouldn't expect to be able to expose a printer to the world. It isn't hard to do this correctly.
perish the thought - and I look forward to the day that vendors write secure software which is impregnable to all vulnerabilities past and present. When that happens, I'll cast away my default deny configurations and advise other people to do the same. Until then, though, I hope you understand why I suggest that default deny is no less sensible a precaution than locking the front door in a busy city. Nick
On Sun, Mar 23, 2014 at 10:31:57PM +0000, Nick Hilliard wrote:
On 23/03/2014 21:02, Mark Andrews wrote:
Actually all you have stated in that printer vendors need to clean up their act and not that one shouldn't expect to be able to expose a printer to the world. It isn't hard to do this correctly.
perish the thought - and I look forward to the day that vendors write secure software which is impregnable to all vulnerabilities past and present. When that happens, I'll cast away my default deny configurations and advise other people to do the same.
Until then, though, I hope you understand why I suggest that default deny is no less sensible a precaution than locking the front door in a busy city.
Nick
Hum.. perhaps a poor analogy. Tokyo is a busy city, yet I know quite a few people who don;t lock their doors there. Redondo Beach is quite a bit less busy, but -everyone- locks their doors and anything else of value. Its the culture of ethics of the individiual, not the density of individuals. /bill
In message <532F60DD.3030302@foobar.org>, Nick Hilliard writes:
On 23/03/2014 21:02, Mark Andrews wrote:
Actually all you have stated in that printer vendors need to clean up their act and not that one shouldn't expect to be able to expose a printer to the world. It isn't hard to do this correctly.
perish the thought - and I look forward to the day that vendors write secure software which is impregnable to all vulnerabilities past and present. When that happens, I'll cast away my default deny configurations and advise other people to do the same.
And there you go putting stricter requirements on printers that you don't put on laptop, servers. None of us would put any machines on the net if they had to meet your printer's requirements.
Until then, though, I hope you understand why I suggest that default deny is no less sensible a precaution than locking the front door in a busy city.
Nick
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
On Mon, Mar 24, 2014 at 10:15:27AM +1100, Mark Andrews wrote:
In message <532F60DD.3030302@foobar.org>, Nick Hilliard writes:
On 23/03/2014 21:02, Mark Andrews wrote:
Actually all you have stated in that printer vendors need to clean up their act and not that one shouldn't expect to be able to expose a printer to the world. It isn't hard to do this correctly.
perish the thought - and I look forward to the day that vendors write secure software which is impregnable to all vulnerabilities past and present. When that happens, I'll cast away my default deny configurations and advise other people to do the same.
And there you go putting stricter requirements on printers that you don't put on laptop, servers. None of us would put any machines on the net if they had to meet your printer's requirements.
To be fair, laptops and servers today tend to have better baseline security than printers today, and laptops and servers tend to have a better patch release and patch management support than printers. That isn't to say that printers (and other similar devices *cough*Residential CPE*cough*) couldn't be made to be at least as secure, out-of-the-box and ongoing, as today's laptops and servers, but that isn't the case today, and I'm not aware of anything on the horizon that would encourage a swift change in the current trajectory for those devices. On a completely unrelated topic, anyone else looking forward to XPocalypse next month? - Matt (A pragmatic proponent of the end-to-end principle) -- School never taught ME anything at all, except that there are even more morons out there than I would have dreamed, and many of them like to beat up people smaller than they are. -- SeaWasp in RASFW
Not necessarily. Printers generally run unattended, printers generally are not rebooted periodically for updates (assuring malware can continue to run), printers generally are not updated even periodically, printers generally have almost no logging that could be reviewed, printers are generally "managed" by the Level 1 Help Desk types whose concern is 99.999% availability to the exclusion of everything else and a host of other things. IMHO there's not much comparison because of what they do, how they are (mis)managed and (not) monitored. But since vendors (and our employers) usually do their utmost to maximize profit while minimizing expense, nothing will change unless there is a user uproar. And that uproar for printers is generally a clamoring for more features, not less risk.
And there you go putting stricter requirements on printers that you don't put on laptop, servers. None of us would put any machines on the net if they had to meet your printer's requirements.
On Monday, March 24, 2014 01:15:27 AM Mark Andrews wrote:
And there you go putting stricter requirements on printers that you don't put on laptop, servers. None of us would put any machines on the net if they had to meet your printer's requirements.
Because, at the very least, a laptop or server can run a stateless packet filter to keep out pokes at ports that may be running by default, but have no business being queried over the network. Mark.
On 24/03/2014 06:47, Mark Tinka wrote:
Because, at the very least, a laptop or server can run a stateless packet filter to keep out pokes at ports that may be running by default, but have no business being queried over the network.
once upon a time, they didn't have host firewalls or packet filters, which was why we ended up with: https://isc.sans.edu/diary/Survival+Time+on+the+Internet/4721 Nick
On Monday, March 24, 2014 06:02:11 PM Nick Hilliard wrote:
once upon a time, they didn't have host firewalls or packet filters, which was why we ended up with:
https://isc.sans.edu/diary/Survival+Time+on+the+Internet/ 4721
:-). Mark.
On Sunday, March 23, 2014 11:02:13 PM Mark Andrews wrote:
Actually all you have stated in that printer vendors need to clean up their act and not that one shouldn't expect to be able to expose a printer to the world. It isn't hard to do this correctly. It also does not cost much on a per device basis.
Well, all consumer device vendors, really... Mark.
On Mar 23, 2014, at 11:09 AM, Mark Tinka <mark.tinka@seacom.mu> wrote:
On Sunday, March 23, 2014 06:57:26 PM Mark Andrews wrote:
ISP's have done a good job of brain washing their customers into thinking that they shouldn't be able to run services from home. That all their machines shouldn't have a globally unique address that is theoritically reachable from everywhere. That NAT is normal and desiriable.
I was at work last week and because I have IPv6 at both ends I could just log into the machines at home as easily as if I was there. When I'm stuck using a IPv4 only service on the road I have to jump through lots of hoops to reach the internal machines.
I expect this to change little in the enterprise space. I think use of ULA and NAT66 will be one of the things enterprises will push for, because how can a printer have a public IPv6 address that is reachable directly from the Internet, despite the fact that there is a properly configured firewall at the perimetre offering half-decent protection?
Mark.
So ULA the printers (if you must). That doesn’t create a need for ULA on anything that talks to the internet, nor does it create a requirement to do NPT or NAT66. Owen
On 03/24/2014 06:05 PM, Owen DeLong wrote:
So ULA the printers (if you must).
That doesn’t create a need for ULA on anything that talks to the internet, nor does it create a requirement to do NPT or NAT66.
From a security perspective, I wouldn't trust my printer to not number itself with a GUA. Unlike v4 with DHCP, any kind of glitch causing leakage of RA's-bearing-Global-prefixes (i'm sure there is a Greek Tragedy written about this) will cause it to number the interface with that prefix. You can argue that's misconfiguration and I wouldn't disagree, but it's just way to easy for the (printer) host to do, and it wouldn't be very apparent to anything but the host (printer). I'm not entirely sure what the whole answer is to this. We're still talking about raw ip addresses here, so somebody would have to know the GUA the printer numbered itself to. Naming autodiscovery doesn't currently traverse subnets, though homenet and others are trying to relax that. Some sort of logic like "if I can't add my address to dns then don't listen to incoming requests on my gua" might be helpful, but as I said... people interested in this really should pay attention to the homenet working group which is charged, for better or worse, to sort a lot of this out. Mike
On Mar 23, 2014, at 4:57 PM, Mark Andrews <marka@isc.org> wrote:
Basically because none of them have ever been on the Internet proper where they can connect to their home machines from wherever they are in the world directly. If you don't know what it should be like you don't complain when you are not getting it.
It's ironic that those of us that do understand this are mostly the same ones saying that it's ok to give 'the users' NAT. The reality is that some (many/most/all?) of our 'users' are probably smarter than us and they just get around it with VPNs/tunnels just like we do. Just because they aren't complaining directly to us, doesn't mean they are satisfied. Every gamer with a console is basically screwed - they have to jump through hoops trying to figure out how to forward ports or whatever else, because these home routers all give them NAT. We can probably argue cause/effect on this, but it's all tied together - those routers wouldn't have had to do NAT if they could somehow request unique numbers for each device.. but now carriers are doing that same NAT internally, because hey, 'the users' are already used to it anyway, from having done it on their home gateways. It's not that the users are ok with NAT, or that they prefer it, it's just all they can get. IPv6 is far from perfect, but it's a direct answer to the resource exhaustion problem. It seems unlikely that IPv4 will ever be dropped, but it can be made largely irrelevant by building out IPv6 networks. As far as the enterprise side of things, many of the people working in that area today have likely never known any other kind of network except the NAT kind. A lot of these guys say things like 'private ip' and 'public ip' - they've have this ingrained in them for the past 15+ years, and the idea of real internet is scary. I'm not sure how this problem of education is addressed, and it might sound stupid, but it's a real problem. The other side of things is that some software vendors with large market share are doing their own share of actively trying to undermine IPv6 deployment in subtle ways. You can read RFC6555 for the details. Just as an example, on Mac OS, users accessing a dual stack website from a dual stack host may not ever actually take the IPv6 path, so if there are people auditing how many clients are using v4 vs v6 they would get skewed results. I know everyone has their own parameters that define what's worth it and what's not, but I think most people's lives would be made easier by embracing IPv6. -Laszlo
ISP's have done a good job of brain washing their customers into thinking that they shouldn't be able to run services from home. That all their machines shouldn't have a globally unique address that is theoritically reachable from everywhere. That NAT is normal and desiriable.
I was at work last week and because I have IPv6 at both ends I could just log into the machines at home as easily as if I was there. When I'm stuck using a IPv4 only service on the road I have to jump through lots of hoops to reach the internal machines.
Mark
R's, John
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
On Sunday, March 23, 2014 08:30:21 PM Laszlo Hanyecz wrote:
As far as the enterprise side of things, many of the people working in that area today have likely never known any other kind of network except the NAT kind. A lot of these guys say things like 'private ip' and 'public ip' - they've have this ingrained in them for the past 15+ years, and the idea of real internet is scary. I'm not sure how this problem of education is addressed, and it might sound stupid, but it's a real problem.
And to add to that, those of us that will welcome GUA IPv6 addresses in the home now have to find CPE that has decent firewall infrastructure that won't impact performance. Modern CPE do have some firewall features, but there is tons of emphasis on NAT and port forwarding. I'd hate to see CPE vendors focusing on NAT66 instead of proper firewall services that can scale with traffic. Mark.
On Mar 22, 2014, at 10:10 PM, John Levine <johnl@iecc.com> wrote:
It will be a long time before the price of v4 rises high enough to make it worth the risk of going v6 only.
New ISP's are born everyday.
Some of them will be able to have a "Buy an ISP that has IPv4" or "Buy IPv4 space from known brokers" line item in their budget as part of their launch plans.
Most won't.
In Africa, I suppose, but here in North America, the few remaining ISPs that aren't part of giant cable or phone companies are hanging on by their teeth.
Also, although it is fashionable to say how awful CGN is, the users don't seem to mind it at all.
R's, John
That depends on the level of service the users are already accustomed to. The generally piss-poor average level of service in the US may not be as noticeably impacted by CGN as better services. It also depends on the class of user. I know that I would pretty much be unable to continue subscribing to any provider that stuck me behind a CGN. It would be interesting to get visibility into the opt-out rate for Verizon’s “Address Sharing” announcement. Owen
On Sat, Mar 22, 2014 at 07:57:04PM -0000, John Levine wrote:
In such a case, where you are still pushing the case for IPv4, how do you envisage things will look on your side when everybody else you want to talk to is either on IPv6, or frantically getting it turned up? Do you reckon anyone will have time to help you troubleshoot patchy (for example) IPv4 connectivity when all the focus is on IPv6?
I've put that concern on my calendar for sometime around 2025.
People have been saying switch to IPv6 now Now NOW for about a decade, and you can only cry wolf so many times.
You've got to remember what happened to the boy who cried wolf, though. He eventually got eaten. The difference here, though, is that the people crying wolf in *this* fairy tale are already safely up the IPv6 tree. It's the people who aren't listening who are going to get eaten. - Matt
IPv4 has already been trading around $10/address. So the prices quoted a while back don’t make much sense to me. Further, could you please quantify “vast”? How many /8 equivalents in a “vast number”? Until they ran out, APNIC was issuing approximately 1.5 /8s per month. How long, exactly, do you expect 3.2 billion unicast addresses to provide enough addressing for 6.8+ billion people? Owen On Mar 22, 2014, at 12:57 PM, John Levine <johnl@iecc.com> wrote:
In such a case, where you are still pushing the case for IPv4, how do you envisage things will look on your side when everybody else you want to talk to is either on IPv6, or frantically getting it turned up? Do you reckon anyone will have time to help you troubleshoot patchy (for example) IPv4 connectivity when all the focus is on IPv6?
I've put that concern on my calendar for sometime around 2025.
People have been saying switch to IPv6 now Now NOW for about a decade, and you can only cry wolf so many times. My servers do IPv6 through a tunnel from HE (thanks!) where the performance is only somewhat worse than the native v4, and my home cable has v6 that mostly works, but the key term there is mostly. (The ISP had a fairly bad internal routing bug which apparently nobody noticed until I tracked down why my v6 connectivity was flaky, and I happened to know some senior people at the ISP who could understand what I was telling them about their internal routers.)
We've just barely started to move from the era of free IPv4 to the one where you have to buy it, and from everyhing I see, there is vast amounts of space that will be available once people realize they can get real money for it. The prices cited a couple of messages back seem to be in the ballpark. It will be a long time before the price of v4 rises high enough to make it worth the risk of going v6 only.
R's, John
How long, exactly, do you expect 3.2 billion unicast addresses to provide enough addressing for 6.8+ billion people?
Oh, I'd say a decade. Like I said, I have IPv6 on my server and my home broadband, which mostly works, with the emphasis on the mostly.
We've just barely started to move from the era of free IPv4 to the one where you have to buy it, and from everyhing I see, there is vast amounts of space that will be available once people realize they can get real money for it. The prices cited a couple of messages back seem to be in the ballpark. It will be a long time before the price of v4 rises high enough to make it worth the risk of going v6 only.
Regards, John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly
On Sat, Mar 22, 2014 at 11:54 AM, Justin M. Streiner <streiner@cluebyfour.org> wrote:
On Sat, 22 Mar 2014, William Herrin wrote:
On Sat, Mar 22, 2014 at 10:33 AM, Justin M. Streiner <streiner@cluebyfour.org> wrote:
All of these 'Hail Mary' options for 'saving' IPv4 really are pointless.
IPv4 is like the U.S. Penny. It'll be useless long before it goes away. And right now it's far from useless.
Interesting analogy, but it misses the larger point. The larger point is that the ongoing effort to squeeze more mileage out of IPv4 will soon [1] outweigh the mileage we (collectively) get out of it.
Hi Justin, That's what I hear. Interesting thing though: it hasn't happened yet. IANA ran out of /8's and it didn't happen. The RIRs dropped to high-conservation mode on their final allocations and it didn't happen. How could that be? In completely unrelated news, placard-bearing lunatics on the streets of New York City report that The End Is Nigh... for most of the last century. Regards, Bill Herrin -- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
On Sat, 22 Mar 2014, William Herrin wrote:
That's what I hear. Interesting thing though: it hasn't happened yet. IANA ran out of /8's and it didn't happen. The RIRs dropped to high-conservation mode on their final allocations and it didn't happen. How could that be?
I never said that things would get bad the instant that IANA ran out of space or your friendly neighborhood RIR reached the trigger point for their IPv4 exhaustion plans. Different RIRs have different consumption rates. There are also different pain points for different networks. A large .edu that has a big enough chunk of legacy IPv4 space to meet their needs for the next several years is in a different place than a large eyeball network that is deploying LSN/CGN to stretch what they have left because they can't go back to the well to get more. A large content/hosting provider who has customers that have different Internet reachability requirements where LSN/CGN doesn't help much has yet another different set of business drivers and pain points.
In completely unrelated news, placard-bearing lunatics on the streets of New York City report that The End Is Nigh... for most of the last century.
I put my sandwich board away a long time ago. I'm too busy working on deploying IPv6 ;) jms
On Mar 22, 2014, at 12:36 PM, William Herrin <bill@herrin.us> wrote:
On Sat, Mar 22, 2014 at 11:54 AM, Justin M. Streiner <streiner@cluebyfour.org> wrote:
On Sat, 22 Mar 2014, William Herrin wrote:
On Sat, Mar 22, 2014 at 10:33 AM, Justin M. Streiner <streiner@cluebyfour.org> wrote:
All of these 'Hail Mary' options for 'saving' IPv4 really are pointless.
IPv4 is like the U.S. Penny. It'll be useless long before it goes away. And right now it's far from useless.
Interesting analogy, but it misses the larger point. The larger point is that the ongoing effort to squeeze more mileage out of IPv4 will soon [1] outweigh the mileage we (collectively) get out of it.
Hi Justin,
That's what I hear. Interesting thing though: it hasn't happened yet. IANA ran out of /8's and it didn't happen. The RIRs dropped to high-conservation mode on their final allocations and it didn't happen. How could that be?
I disagree with your assertion that it hasn’t happened. It _IS_ happening. The cost of maintaining IPv4 is already going up and the increases will continue to become more dramatic over time. Owen
Let’s assume, for a moment, that there are 32 /8s out there that could be reclaimed. Let’s further assume that renumbering out of a /8 takes, on average, about 18 months. (That’s moving almost 1,000,000 customers per month on average, potentially). Even if we got all 32 /8 equivalents back over the next 18 months, it would only buy us approximately 2 years of additional IPv4 life-span when divvied up among APNIC, RIPE, etc. The IPv4 situation is not artificial. IPv4 is being maintained well past its useful life at great cost. Owen On Mar 22, 2014, at 2:30 AM, Bryan Socha <bryan@digitalocean.com> wrote:
Oh btw, how many ipv4s are you hording with zero justification to keep them? I was unpopular during apricot for not liking the idea of no liability leasing of v4. I don't like this artificial v4 situation every eyeball network created. Why is v4 a commodity and asset? Where is the audits. I can justify my 6 /14s, can you still? On Mar 22, 2014 4:36 AM, "TJ" <trejrco@gmail.com> wrote:
Millions of IPs don't matter in the face of X billions of people, and XX-XXX billions of devices - and this is just the near term estimate. (And don't forget utilization efficiency - Millions of IPs is not millions of customers served.)
Do IPv6. /TJ
On Mar 22, 2014 3:09 AM, "Bryan Socha" <bryan@digitalocean.com> wrote:
As someone growing in the end of ipv4, its all fake. Sure, the rirs
will
run out, but that's boring. Don't believe the fake auction sites. Fair price of IP at the end is $1 for bad Rep $2 for barely used, $3 for no spam and $4 for legacy. Stop the inflation. Millions of IPS exist, there is no shortage and don't lie for rirs with IPS left.
participants (70)
-
Alexander Lopez -
Barry Shein -
bmanning@vacation.karoshi.com -
Bob Evans -
Brandon Ross -
Brielle Bruns -
Bryan Socha -
Cb B -
Chip Marshall -
Chris Knipe -
Chuck Anderson -
Denis Fondras -
Dobbins, Roland -
Doug Barton -
Elizabeth Zwicky -
Eric Wieling -
George Herbert -
George William Herbert
-
Henri Wahl -
hslabbert@stargate.ca -
Jack Bates -
Jim Popovitch -
Jimmy Hess -
Joe Greco -
joel jaeggli -
John Levine -
John R. Levine
-
Justin M. Streiner -
Karl Auer -
Lamar Owen -
Laszlo Hanyecz -
Lee Howard -
Luke S. Crawford -
MailPlus| David Hofstee -
Mark Andrews -
Mark Tinka -
Matt Palmer -
Matthew Petach -
Matthias Leisi -
Michael Hallgren -
Michael Thomas -
Mikael Abrahamsson -
Mike Hale -
Mohacsi Janos -
Måns Nilsson -
Naslund, Steve -
Nick Hilliard -
Owen DeLong -
Patrick W. Gilmore -
Paul Ferguson -
Philip Dorr -
Randy Bush -
Ray -
Rich Kulawiec -
Ricky Beam -
Rob McEwen -
Robert Drake -
Robert L Mathews -
Robert Webb -
Saku Ytti -
Scott Buettner -
sthaug@nethelp.no -
Tim Franklin -
Timothy Morizot -
TJ -
Tony Finch -
Tore Anderson -
Valdis.Kletnieks@vt.edu -
Warren Bailey -
William Herrin