wet-behind-the-ears whippersnapper seeking advice on building a nationwide network
Wow this turned into a very long post....
On 09/16/2011 01:10 PM, hasserw@hushmail.com wrote:
No one replied with any useful information. I guess no one wants competition on this list? Pretty poor tactic.
On Sat, 10 Sep 2011 21:55:01 -0400 hasserw@hushmail.com wrote:
Mr hasserw@husmail.com, the net is big enough for many forms of networks and competition to exist. The fact that you write from a hushmail address is intriguing to me. That may have kept others from answering entirely. Using one's real name/personal e-mail address builds a reputation. It also helps if you've posted other threads in the past. Looking over my post history (both replies and threads I started), one will see a progression of learning and participation. I don't recall seeing any posts from you in the past. As such, it may not have been wise to burst onto the scene and say "please to do my homework for me". Contributing to a few threads, starting a couple of your own (on a more specific subject) and saying "this is what I'm planning to do, here is what I've researched, please tell me if I'm doing it horribly wrong" is a good way to start in any community.
I had high hopes for the thread you had started, but am disappointed by the somewhat juvenile response that you sent. I believe you killed off the opportunity for some excellent discussion. So I'm starting another one, in the event people are ignoring the previous thread. Plus my title is cooler! I did learn some things from that thread (such as nsrc.org). Thank you for posting those links and inspiring the title of this thread, Bill.
In my case, I have knowledge (through consuming way too much *NOG lists and other resources). However, all of my experience is in data center/enterprise LAN networking. WAN experience is limited to default BGP route delivery or statically configured links. So I have never built an ISP network before. I want to join the community, and as such am seeking advice before I blindly go off and end up being one of "those" AS. :)
Here is what I am doing and how I plan to go about doing it. Feedback most welcome. Please be critical but polite. :)
The previous thread mentioned business plan. That's absolutely critical. Competing on delivering the Internet is foolish at this point in the game. I'm giving net access away for free (and making money off of hyper localized advertising). I'm also using existing co location facilities and networks. Looking over my LinkedIn profile will demonstrate my existing expertise on the business and tech side of both online and hyper local advertising, and large scale, distributed server operations. However, I'm currently not experienced on the network build out side. I figured the only way to get the level of experience I want is to build a service provider network.
I'm in the process of building out a backbone network across the United States. Starting off small (3 points of presence: 600 West 7th St, Los Angeles; 60 Hudson, NYC; 324 E 11th, KC MO). In two cases I'm leveraging existing relationships with strong WAN engineers who will be receiving some equity in my startup; in one I'm a new customer off the street and doing everything myself other than the basic colo services (net drop, power, cooling, security, smart hands).
This backbone network will be used to terminate regional wireless networks. The wireless networks are being funded by the communities that the network serves through direct donations and by hyper localized advertising sales.
So here we go with technical nuts/bolts of the plan (as Bill so eloquently put it): "I am going to presume OSS and fully deprecated kit to keep your costs down and to boost your learning skills." Something like that.
1) Obtain ASN from ARIN (using LOA from existing upstream relationships).
2) Obtain ipv6 space from ARIN (inquired about getting space and ran into some issues. Need to speak with my co founder and get details. Evidently getting brand new v6 space for a brand new network is fairly difficult. For now may just announce a /48 from he.net.) Yes, I did come up with a subnetting plan for the entire United States out of a single /48. It's quite ingenious really. More details on request if anyone wants them.
3) Announce prefixes from initial point of presence locations for availability / traffic engineering reasons. Using a mix of Quagga on Linux virtual machines, pfSense on Dell servers and Cisco gear.
So more or less the steps that Bill mentioned in his response. It was somewhat tongue in cheek, but also quite accurate. I'm bootstrapping with personal funds / gear at the moment. However, I believe it can be "done right". I also have a fair amount of gear I've been obtaining over the past few years with the specific intent of building an ISP. The business plan has evolved over time. It's now at a rather mature point, and it's time to get my hands dirty.
Whew. Sorry for the long post. Hopefully folks will read it. :)
-----Original Message----- From: Charles N Wyble [mailto:charles@knownelement.com] Sent: 16 September 2011 20:47 To: nanog@nanog.org Subject: wet-behind-the-ears whippersnapper seeking advice on building a nationwide network
2) Obtain ipv6 space from ARIN (inquired about getting space and ran into some issues. need to speak with my co founder and get details. evidently getting brand new v6 space for a brand new network is fairly difficult. for now may just announce a /48 from he.net. ) Yes I did come up with a sub netting plan for the entire United States out of a single /48. It's quite ingenious really. More details on request if anyone wants them.
I wonder what would happen if a new ARIN member requested an IPv4 block of say a /16 for a new business? Or even a smaller block. I don't know what the current ARIN rules are but RIPE will currently give out six months worth of space. Now, in six months, I don't expect there to be any left anyway, so what will likely be all the v4 you ever get. Very soon it'll be nigh on impossible for new entrants to the ISP business to get their own v4 space. -- Leigh
On 09/16/2011 02:58 PM, Leigh Porter wrote:
I wonder what would happen if a new ARIN member requested an IPv4 block of say a /16 for a new business? Or even a smaller block. I don't know what the current ARIN rules are but RIPE will currently give out six months worth of space. Now, in six months, I don't expect there to be any left anyway, so what will likely be all the v4 you ever get.
Hah. True. I actually don't want any v4 space at all. I'm fine with using provider space for my minimal v4 needs. However I believe if I had existing v4 space, that v6 space would be easier to obtain.
Very soon it'll be nigh on impossible for new entrants to the ISP business to get their own v4 space.
Indeed. In my case, I'm perfectly happy with v6 space. Can have very minimal v4 space for the time being. Google/netflix/facebook are reachable on v6. This is the vast majority of the net traffic. I can do large scale nat for v4 only content. One aspect of my network, will be operational transparency. So as much as possible will be viewable in real time. This includes v4/v6 traffic statistics. Also we do plan to expand into Europe and Asia. We are starting in the US first due to the relationships we have already established. If anyone is interested in supporting our activities in Europe, please let me know. By our/we, I mean http://freenetworkfoundation.org/ (that's the non profit piece. the advertising part is separate but will help fund the non profit piece). Lots of dual use work being done.
On Sep 17, 2011, at 3:01 AM, Charles N Wyble wrote:
One aspect of my network, will be operational transparency. So as much as possible will be viewable in real time. This includes v4/v6 traffic statistics.
These books are required reading, IMHO:
<http://www.amazon.com/Practical-BGP-Russ-White/dp/0321127005/>
<http://www.amazon.com/Router-Security-Strategies-Securing-Network/dp/1587053365/>
<http://www.amazon.com/Network-Flow-Analysis-Michael-Lucas/dp/1593272030/>
Also, see the following:
<https://files.me.com/roland.dobbins/c07vk1>
<https://files.me.com/roland.dobbins/y4ykq0>
<https://files.me.com/roland.dobbins/prguob>
<https://files.me.com/roland.dobbins/k4zw3x>
<https://files.me.com/roland.dobbins/dweagy>
<https://files.me.com/roland.dobbins/9i8xwl>
<https://files.me.com/roland.dobbins/m4g34u>
<https://files.me.com/roland.dobbins/679xji>
<https://files.me.com/roland.dobbins/l53gjr>
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
The basis of optimism is sheer terror. -- Oscar Wilde
On Fri, Sep 16, 2011 at 07:58:30PM +0000, Leigh Porter wrote:
I wonder what would happen if a new ARIN member requested an IPv4 block of say a /16 for a new business? Or even a smaller block. I don't know what the current ARIN rules are but RIPE will currently give out six months worth of space. Now, in six months, I don't expect there to be any left anyway, so what will likely be all the v4 you ever get.
Very soon it'll be nigh on impossible for new entrants to the ISP business to get their own v4 space.
-- Leigh
a new entrant in the ARIN service region would have to meet the allocation criteria as specified in current policy. Same w/ any RIR. If the RIPE region policy is to hand out a six month supply, that's wonderful! (you mean if I state my six month need is a /28, RIPE will allocate that to me? I thunk there was a floor on min allocation size!) Which was why I mentioned address brokers. It will be possible to get IPv4 space after the RIR pools are exhausted by leasing space from someone who has it. That has been the case since -prior- to any RIR coming to existence. Case in point, COMCAST leases IP space to its clients/customers.... as does ATT, VSN, TW, ad nauseam. Some brokers will not restrict what their clients can do w/ the space - unlike the brokers listed above. /bill
I wonder what would happen if a new ARIN member requested an IPv4 block of say a /16 for a new business? Or even a smaller block. I don't know what the current ARIN rules are but RIPE will currently give out six months worth of space. Now, in six months, I don't expect there to be any left anyway, so what will likely be all the v4 you ever get.
Very soon it'll be nigh on impossible for new entrants to the ISP business to get their own v4 space.
-- Leigh
As an ISP, ARIN will not give you any space if you are new. You have to already have an equivalent amount of space from another provider. I think it is really stupid, and encourages wasting IP space, but that is what the current policy is. -Randy
On 09/16/2011 03:09 PM, Randy Carpenter wrote:
As an ISP, ARIN will not give you any space if you are new. You have to already have an equivalent amount of space from another provider. I think it is really stupid, and encourages wasting IP space, but that is what the current policy is.
Ah yes. I believe that is the problem we ran into. Where would I find more information about this? Is https://www.arin.net/policy/nrpm.html the best place? Am I considered an LIR if I simply run an access network and don't hand out space to 3rd parties for reassignment? (BTW should I be asking these types of questions here, or on an ARIN list?)
As an ISP, ARIN will not give you any space if you are new. You have to already have an equivalent amount of space from another provider.
does arin *really* still have that amazing barrier to market entry? arin claims to be a shining example of industry self-governance. to me, this barrier to entry looks far more like industry self-protection from new entrants. and before anyone starts bleeding about the routing table, to me that sounds like you fear new entrants forcing you to make a small upgrade to your protected business as usual. randy
As an ISP, ARIN will not give you any space if you are new. You have to already have an equivalent amount of space from another provider.
does arin *really* still have that amazing barrier to market entry?
Yes. If you want PI space, you have to start off with PA space, utilize it, and then apply for PI space and an AS #, with contracts demonstrating your intention to multihome. Then, you have to *migrate* off the PA space and surrender it back to the 'owner'. You cannot get further PI allocations until you've done this.
On Fri, Sep 16, 2011 at 08:50:56PM +0000, Nathan Eisenberg wrote:
As an ISP, ARIN will not give you any space if you are new. You have to already have an equivalent amount of space from another provider.
does arin *really* still have that amazing barrier to market entry?
Yes. If you want PI space, you have to start off with PA space, utilize it, and then apply for PI space and an AS #, with contracts demonstrating your intention to multihome. Then, you have to *migrate* off the PA space and surrender it back to the 'owner'. You cannot get further PI allocations until you've done this.
good thing Mr Hushmail does not have to deal w/ this policy. He can go to Ripe and get space... :) /bill
On 9/16/11 13:50 , Nathan Eisenberg wrote:
As an ISP, ARIN will not give you any space if you are new. You have to already have an equivalent amount of space from another provider.
does arin *really* still have that amazing barrier to market entry?
Yes. If you want PI space, you have to start off with PA space, utilize it, and then apply for PI space and an AS #, with contracts demonstrating your intention to multihome. Then, you have to *migrate* off the PA space and surrender it back to the 'owner'. You cannot get further PI allocations until you've done this.
The ARIN community is easily its own worst enemy.
On Sat, Sep 17, 2011 at 12:06, Joel jaeggli <joelja@bogus.com> wrote:
The ARIN community is easily its own worst enemy.
Not to mention the difficulty of actually getting a provider to let you announce their PA IP space to other providers if you already are / want multihoming. I just got turned down by one of mine just yesterday for that. I'm looking at having to keep a T1 at my office with one of my existing providers that is going away due to footprint issues (Windstream will sell connectivity, but requires the ip space to be localized, even if originated by customer, so don't move or expand or anything) just to be able to announce their number space because H.E. and my other providers refuse to do it outright. I'm fairly fed up with the bunch at this point, and probably going to cancel most of my current providers once I get my own space just out of spite. Forcing PA space for multihoming before a minimum threshold is understandable, but trying to obtain said PA space can be an exercise in futility, which is amusing in a perverse way, because some of the providers are the same employers of people advocating for exactly that design in PPML et al. Which is especially annoying coming from a provider that happily did this for customers so it's not like I don't understand the issues etc. -Blake
As an ISP, ARIN will not give you any space if you are new. You have to already have an equivalent amount of space from another provider. does arin *really* still have that amazing barrier to market entry? Yes. If you want PI space, you have to start off with PA space, utilize it, and then apply for PI space and an AS #, with contracts demonstrating your intention to multihome. Then, you have to *migrate* off the PA space and surrender it back to the 'owner'. You cannot get further PI allocations until you've done this. The ARIN community is easily its own worst enemy.
the arin policy weenie industry is one of the internet's worst enemies randy
On Sep 17, 2011 10:41 AM, "Randy Bush" <randy@psg.com> wrote:
As an ISP, ARIN will not give you any space if you are new. You have to already have an equivalent amount of space from another provider. does arin *really* still have that amazing barrier to market entry? Yes. If you want PI space, you have to start off with PA space, utilize it, and then apply for PI space and an AS #, with contracts demonstrating your intention to multihome. Then, you have to *migrate* off the PA space and surrender it back to the 'owner'. You cannot get further PI allocations until you've done this. The ARIN community is easily its own worst enemy.
the arin policy weenie industry is one of the internet's worst enemies
randy
+1 I will echo my displeasure with the idea that you can only get a lot if you already have a lot. This mess is enough to make cgn look appealing... One more reason we can all do ourselves a favor by moving to ipv6, remove the number scarcity issue and associated baggage of begging for numbers Cb
On Sep 17, 2011, at 5:05 PM, Randy Bush wrote:
One more reason we can all do ourselves a favor by moving to ipv6, remove the number scarcity issue and associated baggage of begging for numbers
silly hope. we created monopoly organizations. this kind of thing is self-perpetuating.
Randy - If you wish to propose an alternative which accomplishes the mission in a different manner, feel free to do so. The community has every opportunity and right to accomplish unique Internet number administration as it sees fit. /John John Curran President and CEO ARIN
One more reason we can all do ourselves a favor by moving to ipv6, remove the number scarcity issue and associated baggage of begging for numbers silly hope. we created monopoly organizations. this kind of thing is self-perpetuating. Randy - If you wish to propose an alternative which accomplishes the mission in a different manner, feel free to do so. The community has every opportunity and right to accomplish unique Internet number administration as it sees fit.
rick adams was right. this could be done very minimally with some software and maybe six to ten folk to back it up. organizations with 50 to 130 people and budgets of tens of millions of dollars per year should be embarrassing. randy
On Sep 17, 2011, at 5:23 PM, Randy Bush wrote:
Randy - If you wish to propose an alternative which accomplishes the mission in a different manner, feel free to do so. The community has every opportunity and right to accomplish unique Internet number administration as it sees fit.
rick adams was right. this could be done very minimally with some software and maybe six to ten folk to back it up.
I actually agree with you that it could be done with less people, if you want to do away with the policies altogether and the biannual meetings discussing the same, the need for elections for an ARIN AC and meetings, the coordination with the other RIRs and ICANN, and the engagement with organizations such as ISOC, IGF, and ITU. We will be talking about the costs of running ARIN on the last day of the ARIN meeting in Philly in case you want more details on the cost side of the equation and the value delivered. /John John Curran President and CEO ARIN
rick adams was right. this could be done very minimally with some software and maybe six to ten folk to back it up.
gedanken experiment. instead of frelling up whois, printing comic books, and playing weenie regulators, design and describe an rir with a sign on the door which says "internet number bookkeeper," has a high level of automation, two sw engs to maintain it, two support people, two people to shovel paper and a small bit of money, and one to post overly aggressive defensive messages on nanog. and you still owe me a copy of my alleged posting(s) to ppml. randy
On Saturday 17 Sep 2011 22:37:46 Randy Bush wrote:
one to post overly aggressive defensive messages on nanog
I am not convinced that Mr. Bush is best placed to comment on this particular issue. -- The only thing worse than e-mail disclaimers...is people who send e-mail to lists complaining about them
On Sep 18, 2011, at 10:24 AM, Randy Bush wrote:
one to post overly aggressive defensive messages on nanog I am not convinced that Mr. Bush is best placed to comment on this particular issue.
you seem to have a problem differentiating defense from offense. i recommend you not play chess. :)
Randy is perfectly right in expressing his concerns about the registry system that we've built (as long as it's on a mailing list which supports the topic), since we're doing a function on behalf of the entire Internet community and spending everyone's money in the process. While it may not matter to him a bit, I'll defend his (and anyone else's) right to critique the quality and cost effectiveness of the job we're doing. /John John Curran President and CEO ARIN
one to post overly aggressive defensive messages on nanog I am not convinced that Mr. Bush is best placed to comment on this particular issue. you seem to have a problem differentiating defense from offense. i recommend you not play chess. :) Randy is perfectly right in expressing his concerns about the registry system that we've built (as long as it's on a mailing list which supports the topic), since we're doing a function on behalf of the entire Internet community and spending everyone's money in the process. While it may not matter to him a bit, I'll defend his (and anyone else's) right to critique the quality and cost effectiveness of the job we're doing.
thanks. :) i suspect some folk may be missing a few clues here. first is that you and i have been friends since the late '80s. second is that i was a founding board member of arin. and third, there is the concept of the loyal opposition. i just think that we, as a culture, have let things get waaaay out of whack. john is paid to defend the status grow. randy
On Sep 18, 2011, at 10:49 AM, Randy Bush wrote:
i just think that we, as a culture, have let things get waaaay out of whack. john is paid to defend the status grow.
I like that: "status grow". It seems pretty clear to me that, as humans, we're not very good at organizational contraction. We're much better at expanding scope, even until it produces undesirable consequences. Competition is a friend in such scenarios, when it's allowed... As are revolutions, when competition is not allowed. In John's case (on behalf of ARIN as is befitting his role) he welcomes change as long as it's funneled through the ARIN-managed channels. In other words, change is welcome as long as it reinforces ARIN's role as facilitator. Unfortunately, the gauntlet of "policy weenies" that influence ARIN don't necessarily represent the "community" as they might claim - they represent themselves, their ideologies, etc. So if you want the ARIN system to change, it's your choice whether to engage within that system or outside it. Neither seems very useful to me; we can just ignore ARIN as alternatives emerge, and ARIN can catch up or not. Which, astoundingly, leads to an operational comment / question: As IPv4 trading is already taking place, what are you (as operators) planning to do when asked to route prefixes that have been bought/sold? Will you accept alternative (whois) registry sources? Will you accept legal documentation proving ownership and/or right-to-use, as an alternative to registry validation? Cheers, -Benson
IPv4 trading is already taking place, what are you (as operators) planning to do when asked to route prefixes that have been bought/sold? Will you accept alternative (whois) registry sources?
why the heck should i have to? the iana and the frelling rirs' one principal task is to register. if they do not register transfers then what are we all smoking? and, as far as i know, they are registering transfers from sale of ip assets. randy
On Sep 18, 2011, at 3:09 PM, Randy Bush wrote:
IPv4 trading is already taking place, what are you (as operators) planning to do when asked to route prefixes that have been bought/sold? Will you accept alternative (whois) registry sources?
why the heck should i have to? the iana and the frelling rirs' one principal task is to register. if they do not register transfers then what are we all smoking?
I don't disagree...
and, as far as i know, they are registering transfers from sale of ip assets.
Apparently true for some. But I'm told of others that have bought legacy IPv4 prefixes with no intention of updating whois at this time - no desire to enter into a relationship with ARIN and be subjected to existing "policy", for instance. I can't speak for their rationale beyond this. But I do believe that several of them will try to get their prefix routed, at some point. Cheers, -Benson
I'm told of others that have bought legacy IPv4 prefixes with no intention of updating whois at this time - no desire to enter into a relationship with ARIN and be subjected to existing "policy", for instance.
so your point is that your friends at depository.com will be attractive to ip address space buyers because they will offer a less religious rsa. and the question is whether the ops community will believe their whois and install a separate rpki trust root for them? could be. but i would not want to have that as my business plan. randy, who is all for a less religious rsa
On Sep 18, 2011, at 15:51, Randy Bush <randy@psg.com> wrote:
I'm told of others that have bought legacy IPv4 prefixes with no intention of updating whois at this time - no desire to enter into a relationship with ARIN and be subjected to existing "policy", for instance.
so your point is that your friends at depository.com will be attractive to ip address space buyers because they will offer a less religious rsa. and the question is whether the ops community will believe their whois and install a separate rpki trust root for them?
For instance, yes. I'm also wondering if the ops community will accept other sources of proof such as legal documents (or something else?), in lieu of Whois records from an RIR, Depository, or elsewhere.
could be. but i would not want to have that as my business plan.
randy, who is all for a less religious rsa
You wouldn't bet on ARIN being religious for the foreseeable future? ;) Or, you wouldn't bet on the ops community embracing alternatives? Cheers, -Benson
On Sep 18, 2011 1:08 PM, "Benson Schliesser" <bensons@queuefull.net> wrote:
On Sep 18, 2011, at 15:51, Randy Bush <randy@psg.com> wrote:
I'm told of others that have bought legacy IPv4 prefixes with no intention of updating whois at this time - no desire to enter into a relationship with ARIN and be subjected to existing "policy", for instance.
so your point is that your friends at depository.com will be attractive to ip address space buyers because they will offer a less religious rsa. and the question is whether the ops community will believe their whois and install a separate rpki trust root for them?
For instance, yes.
I'm also wondering if the ops community will accept other sources of proof such as legal documents (or something else?), in lieu of Whois records from an RIR, Depository, or elsewhere.
could be. but i would not want to have that as my business plan.
randy, who is all for a less religious rsa
You wouldn't bet on ARIN being religious for the foreseeable future? ;)
Or, you wouldn't bet on the ops community embracing alternatives?
Cheers, -Benson
Call me optimistic but .... ipv6 does not have these issues... For anyone making STRATEGIC choices about ipv4 investments... beware of sharks in these waters, not just the cgn pains Are we having fun yet? Cb
On Sun, 18 Sep 2011 13:17:57 PDT, Cameron Byrne said:
Call me optimistic but .... ipv6 does not have these issues...
For anyone making STRATEGIC choices about ipv4 investments... beware of sharks in these waters, not just the cgn pains
For many of us (especially the ones who have ipv6 deployed already), the problem isn't *our* strategic choices, the problem is the less-than-strategic choices made by the network owning the other end of the connection. If we're ready to talk over IPv6, but the other end instead decides to try to talk to us over a NAT444 or from a prefix that's got sketchy history, there really isn't much we can do about it.
On 9/18/11 1:08 PM, Benson Schliesser wrote:
On Sep 18, 2011, at 15:51, Randy Bush <randy@psg.com> wrote:
I'm told of others that have bought legacy IPv4 prefixes with no intention of updating whois at this time - no desire to enter into a relationship with ARIN and be subjected to existing "policy", for instance.
so your point is that your friends at depository.com will be attractive to ip address space buyers because they will offer a less religious rsa. and the question is whether the ops community will believe their whois and install a separate rpki trust root for them?
For instance, yes.
I'm also wondering if the ops community will accept other sources of proof such as legal documents (or something else?), in lieu of Whois records from an RIR, Depository, or elsewhere.
I wouldn't embrace abandoning whois. Its usefulness is far more than just the prefix "owner" and their ISP. In fact, you may end up with a registry of these as the new bogon space that everyone should filter. If I saw abuse or other garbage from some block that did not exist in whois, I'm not going to care to go search for some BS legal document to find out who the responsible party is. Or worse, I find it and the involved parties claim it's privileged information and refuse to disclose it. ~Seth
On Sep 18, 2011, at 3:36 PM, Benson Schliesser wrote:
On Sep 18, 2011, at 3:09 PM, Randy Bush wrote:
why the heck should i have to? the iana and the frelling rirs' one principal task is to register. if they do not register transfers then what are we all smoking?
I don't disagree...
and, as far as i know, they are registering transfers from sale of ip assets.
ARIN maintains the registry according to the policies in the region. These policies are developed by the community at large, recommended for adoption by the ARIN AC, and ratified by the ARIN Board. All transfer requests which meet the policies get approved and updated in the registry. ARIN does turn down transfer requests which don't meet policy, and this potential is often understood and covered in proposed sale documents for IP address blocks. FYI, /John John Curran President and CEO ARIN
All transfer requests which meet the policies get approved and updated in the registry. ARIN does turn down transfer requests which don't meet policy, and this potential is often understood and covered in proposed sale documents for IP address blocks.
would you be willing to describe what kind and how many requests have been denied and for what reasons? what fraction of reality does arin whois represent? how big of a market opportunity is arin giving depository and its ilk? randy
On Sep 19, 2011, at 3:34 AM, Randy Bush wrote:
All transfer requests which meet the policies get approved and updated in the registry. ARIN does turn down transfer requests which don't meet policy, and this potential is often understood and covered in proposed sale documents for IP address blocks.
would you be willing to describe what kind and how many requests have been denied and for what reasons? what fraction of reality does arin whois represent?
Randy - We try to collect and publish statistics for the majority of registry operations, and this includes transfer requests. The number of transfer requests and number approved are in the monthly stats: https://www.arin.net/knowledge/statistics/index.html We do not have reason codes for denials of registration requests since in many cases there are multiple criteria and a failed request is effectively "did not meet any of the available policy criteria." Your second question is harder to answer, since it is quite possible that a transfer request to a party which doesn't qualify results in a subsequent request to a party that does. We are, of course, quite capable of blindly approving all transfer requests, but the community policy would have to direct us to do so since existing policy directs us to only approve transfers to parties that have documented need. One has to presume that this is how the operator community wishes ARIN to operate or that they'd establish policies otherwise. FYI, /John John Curran President and CEO ARIN
On Sep 18, 2011, at 2:53 PM, Benson Schliesser wrote:
In John's case (on behalf of ARIN as is befitting his role) he welcomes change as long as it's funneled through the ARIN-managed channels. In other words, change is welcome as long as it reinforces ARIN's role as facilitator.
Benson - By "ARIN-managed channels", do you mean via mechanisms that were established by those elected by the ARIN membership? I do indeed believe that efforts to change ARIN should be directed through the channels that are overseen by member-elected ARIN Advisory Council and member-elected ARIN Board of Trustees. E.g., if you want to change ARIN policies, then there is the ARIN PDP (Policy Development Process) which is open to anyone and driven by the ARIN Advisory Council. The process is well documented and allows input from the entire community including public polls of support for policy changes by both onsite and remote participants of the Public Policy Meeting (PPM). Similarly, if you want to change the scope of ARIN's mission or fees or our operational tasking, you can talk to the members of the Board of Trustees who are unpaid volunteers elected by the ARIN membership. Engaging from "within the system" definitely means working via channels that operate or are defined by member-elected bodies of the system. I don't think you could have any meaningful self-governance in any model without this occurring (but would welcome examples of good models of governance if you have any counter-examples). However, your statement that I only welcome change funneled through "ARIN-managed channels" is incorrect, as I have made it quite plain on multiple occasions that the structure of the Internet number registry system itself is not necessarily a discussion that should be held within the existing structure (e.g. RIRs and ICANN), but might also be appropriately held external to the existing structure (such as by operator forums or the Internet Governance Forum). I believe that the community must always be able to engage in multi-stakeholder self-governance discussions, and that does not imply ARIN having any unique role in facilitation.
Such a perspective (of welcoming discussion in any forum) is perfectly befitting my role at ARIN and not in conflict as you seem to imply, as my job is to make sure that the mission of community-led Internet number resource management is fulfilled, not the promotion of any specific organizational model for accomplishing the task. FYI, /John John Curran President and CEO ARIN
On Sep 18, 2011, at 21:20, John Curran <jcurran@arin.net> wrote:
On Sep 18, 2011, at 2:53 PM, Benson Schliesser wrote:
In John's case (on behalf of ARIN as is befitting his role) he welcomes change as long as it's funneled through the ARIN-managed channels. In other words, change is welcome as long as it reinforces ARIN's role as facilitator.
... <a bunch of stuff that encourages people to use ARIN-managed channels> ...
For what it's worth, I agree that ARIN has a pretty good governance structure. (With the exception of NomCom this year, which is shamefully unbalanced.) That hasn't stopped it from becoming an ideological anachronism. Or from becoming interested in self-preservation. It's only natural for such organizations. And despite this, I do encourage folks here to participate in PPML. It's the only way ARIN will get more perspective. (Though, admittedly it is a bit like banging one's own head against the wall...)
However, your statement that I only welcome change funneled through "ARIN-managed channels" is incorrect, as I have made it quite plain on multiple occasions that the structure of the Internet number registry system itself is not necessarily a discussion that should be held within the existing structure (e.g. RIRs and ICANN), but might also be appropriately held external to the existing structure (such as by operator forums or the Internet Governance Forum).
Are you suggesting that ARIN policy or procedure might change as a direct result of discussion in e.g. IGF? Or perhaps here on NANOG? Cheers, -Benson
On Sep 19, 2011, at 12:57 AM, Benson Schliesser wrote:
However, your statement that I only welcome change funneled through "ARIN-managed channels" is incorrect, as I have made it quite plain on multiple occasions that the structure of the Internet number registry system itself is not necessarily a discussion that should be held within the existing structure (e.g. RIRs and ICANN), but might also be appropriately held external to the existing structure (such as by operator forums or the Internet Governance Forum).
Are you suggesting that ARIN policy or procedure might change as a direct result of discussion in e.g. IGF? Or perhaps here on NANOG?
No. What I am noting is that there are even venues available for those who wish to completely restructure the Internet number registry system from the outside, i.e. taking a revolutionary as opposed to evolutionary approach to change. FYI, /John John Curran President and CEO ARIN
Benson Schliesser <bensons@queuefull.net> writes:
For what it's worth, I agree that ARIN has a pretty good governance structure. (With the exception of NomCom this year, which is shamefully unbalanced.) ...
as the chairman of the 2011 ARIN NomCom, i hope you'll explain further, either publicly here, or privately, as you prefer. -- Paul Vixie KI6YSY
Hi, Paul. On Sep 20, 2011, at 11:43, Paul Vixie <vixie@isc.org> wrote:
Benson Schliesser <bensons@queuefull.net> writes:
For what it's worth, I agree that ARIN has a pretty good governance structure. (With the exception of NomCom this year, which is shamefully unbalanced.) ...
as the chairman of the 2011 ARIN NomCom, i hope you'll explain further, either publicly here, or privately, as you prefer.
My understanding is that the NomCom consists of 7 people. Of those, 2 come from the board and 2 come from the AC. Together, those 4 members of the existing establishment choose the remaining 3 NomCom members. In the past, there was at least the appearance of random selection for some of the NomCom members. But in any case, due to its composition, the NomCom has the appearance of a body biased in favor of the existing establishment. Please correct any misunderstanding that I might have. Otherwise, I encourage an update to the structure of future NomComs. Cheers, -Benson
Benson Schliesser <bensons@queuefull.net> writes:
Hi, Paul.
sorry for the delay. i'll include the entirety of this short thread.
For what it's worth, I agree that ARIN has a pretty good governance structure. (With the exception of NomCom this year, which is shamefully unbalanced.) ...
as the chairman of the 2011 ARIN NomCom, i hope you'll explain further, either publicly here, or privately, as you prefer.
My understanding is that the NomCom consists of 7 people. Of those, 2 come from the board and 2 come from the AC. Together, those 4 members of the existing establishment choose the remaining 3 NomCom members. In the past, there was at least the appearance of random selection for some of the NomCom members. But in any case, due to its composition, the NomCom has the appearance of a body biased in favor of the existing establishment.
Please correct any misunderstanding that I might have. Otherwise, I encourage an update to the structure of future NomComs.
can you explain what it was about prior nomcoms that gave the appearance of random selection? to the best of my knowledge, including knowledge i gained as chair of the 2008 ARIN NomCom, we've been doing it the same way for quite a while now. so i do not understand your reference to "at least the appearance of random selection" in the past. since ARIN members-in-good-standing elect the board and advisory council, and also make up three of the four seats of the nominations committee, i do not share your view on "bias" as expressed above. i think it shows that ARIN is clearly governed by its members -- which is as it should be. by your two references to "the existing establishment" do you intend to imply that ARIN's members don't currently have the establishment that they want, or that they could not change this establishment if they wanted to, or that ARIN's members are themselves part of "the existing establishment" in some way that's bad? ARIN's bylaws firmly place control of ARIN into the hands of its members. if you think that's the wrong approach, i'm curious to hear your reasoning and your proposed alternative. -- Paul Vixie KI6YSY
Hi, Paul. On Sep 22, 2011, at 8:03 PM, Paul Vixie wrote:
My understanding is that the NomCom consists of 7 people. Of those, 2 come from the board and 2 come from the AC. Together, those 4 members of the existing establishment choose the remaining 3 NomCom members. In the past, there was at least the appearance of random selection for some of the NomCom members. But in any case, due to its composition, the NomCom has the appearance of a body biased in favor of the existing establishment.
Please correct any misunderstanding that I might have. Otherwise, I encourage an update to the structure of future NomComs.
can you explain what it was about prior nomcoms that gave the appearance of random selection? to the best of my knowledge, including knowledge i gained as chair of the 2008 ARIN NomCom, we've been doing it the same way for quite a while now. so i do not understand your reference to "at least the appearance of random selection" in the past.
Earlier this year I received the following from ARIN member services: "This year the NomCom charter was changed by the Board. In the past the 3 Member volunteers were selected at random. This year the 3 volunteers will be chosen by the 4 current members of the NomCom (2 from the Board 2 from the AC)" The above quote was sent to me in response to a query I made, inquiring how the NomCom would be chosen in 2011. It is consistent with what I was told in 2010, when I was chosen to be part of the 2010 NomCom. At that time I was told that Member volunteers were chosen randomly. During my NomCom tenure, however, it was suggested to me privately that there was very little randomness involved in the selection process; I was told that individuals were specifically chosen for NomCom. I don't know what to make of this disparity, honestly, which is why I referenced "the appearance of random selection".
since ARIN members-in-good-standing elect the board and advisory council, and also make up three of the four seats of the nominations committee, i do not share your view on "bias" as expressed above. i think it shows that ARIN is clearly governed by its members -- which is as it should be.
by your two references to "the existing establishment" do you intend to imply that ARIN's members don't currently have the establishment that they want, or that they could not change this establishment if they wanted to, or that ARIN's members are themselves part of "the existing establishment" in some way that's bad?
The NomCom acts as a filter, of sorts. It chooses the candidates that the membership will see. The fact that the NomCom is so closely coupled with the existing leadership has an unfortunate appearance that suggests a bias. I'm unable to say whether the bias exists, is recognized, and/or is reflected in the slate of candidates. But it seems like an easy enough thing to avoid. As for my use of "existing establishment": I'm of the impression that a relatively small group of individuals drive ARIN, that most ARIN members don't actively participate. I have my own opinions on why this is, but they aren't worth elaborating at this time - in fact, I suspect many ARIN members here on NANOG can speak for themselves if they wanted to. In any case, this is just my impression. If you would rather share some statistics on member participation, election fairness, etc, then such facts might be more useful.
ARIN's bylaws firmly place control of ARIN into the hands of its members. if you think that's the wrong approach, i'm curious to hear your reasoning and your proposed alternative.
One of ARIN's governance strengths is the availability of petition at many steps, including for candidates rejected by the NomCom. Likewise, as you noted, leaders are elected by the membership. For these reasons I previously noted that "ARIN has a pretty good governance structure" and I continue to think so. It could be improved by increased member involvement, as well as broader involvement from the community. (For instance, policy petitions should include responses from the entire affected community, not just PPML.) But my criticisms should be interpreted as constructive, and are not an indictment of the whole approach. Cheers, -Benson
On Thu, 22 Sep 2011 21:05:51 -0500 Benson Schliesser <bensons@queuefull.net> wrote:
Earlier this year I received the following from ARIN member services: "This year the NomCom charter was changed by the Board. In the past the 3 Member volunteers were selected at random. This year the 3 volunteers will be chosen by the 4 current members of the NomCom (2 from the Board 2 from the AC)"
yow. i should have remembered this, you'd think.
The above quote was sent to me in response to a query I made, inquiring how the NomCom would be chosen in 2011. It is consistent with what I was told in 2010, when I was chosen to be part of the 2010 NomCom. At that time I was told that Member volunteers were chosen randomly. During my NomCom tenure, however, it was suggested to me privately that there was very little randomness involved in the selection process; I was told that individuals were specifically chosen for NomCom. I don't know what to make of this disparity, honestly, which is why I referenced "the appearance of random selection".
suggested to you privately by arin staff?
The NomCom acts as a filter, of sorts. It chooses the candidates that the membership will see. The fact that the NomCom is so closely coupled with the existing leadership has an unfortunate appearance that suggests a bias. I'm unable to say whether the bias exists, is recognized, and/or is reflected in the slate of candidates. But it seems like an easy enough thing to avoid.
you seem to mean that the appearance of bias would be easy to avoid, then.
As for my use of "existing establishment": I'm of the impression that a relatively small group of individuals drive ARIN, that most ARIN members don't actively participate. I have my own opinions on why this is, but they aren't worth elaborating at this time - in fact, I suspect many ARIN members here on NANOG can speak for themselves if they wanted to. In any case, this is just my impression. If you would rather share some statistics on member participation, election fairness, etc, then such facts might be more useful.
i think our participation level in elections is quite high and i'll ask for details and see them published here.
ARIN's bylaws firmly place control of ARIN into the hands of its members. if you think that's the wrong approach, i'm curious to hear your reasoning and your proposed alternative.
One of ARIN's governance strengths is the availability of petition at many steps, including for candidates rejected by the NomCom. Likewise, as you noted, leaders are elected by the membership. For these reasons I previously noted that "ARIN has a pretty good governance structure" and I continue to think so. It could be improved by increased member involvement, as well as broader involvement from the community. (For instance, policy petitions should include responses from the entire affected community, not just PPML.) But my criticisms should be interpreted as constructive, and are not an indictment of the whole approach.
thanks for saying so. -- Paul Vixie
Paul (and NANOG readers, because Paul actually already knows this), With my parliamentarian hat on: A nominating committee's essential function is to ensure that a minimum number of qualified, vetted individuals are placed on the slate of candidates for election. It should never be a gating function; it is an important safeguard to allow the nomination of qualified individuals outside the nominating committee and "from the floor" before votes are cast. In the corporate world, nominating committees, for good or bad, have become instruments for rigorously constraining the slate of candidates for executive offices. The practice has become so common and widespread that many assume it is proper in all situations (much in the same way that the US Congress' standing rules modifying the "table" motion have caused the public to believe incorrectly that "tabling an issue" is the same as "postponing it indefinitely"; tabling correctly means the issue will be moved to a later time in the current meeting). Although organizations may decide for themselves how a nominating committee will operate, it is inconsistent with the general principles of parliamentary process -- whichever standard you choose, Robert's, Sturgis, or another -- for all candidates to be forced to pass through the gauntlet of the nominating committee. In a perfect world, the nominating committee assists with preparations for elections, finds suitable candidates (at least one for every vacant position) and possibly identifies and cultivates future leadership for the organization. More than my two cents' worth, but I got involved in parliamentary process exactly because of misunderstandings and misapplications like what I think may be happening here. I'll be happy to explain further, if needed or desired. I now return you to the more traditional discussions for this mailing list. ;-) Jim -- James N. 
Duncan, CISSP Manager, Juniper Networks Security Incident Response Team (Juniper SIRT) E-mail: jduncan@juniper.net Mobile: +1 919 608 0748 PGP key fingerprint: E09E EA55 DA28 1399 75EB D6A2 7092 9A9C 6DC3 1821
On Sep 23, 2011, at 1:40 AM, Jim Duncan wrote:
With my parliamentarian hat on: A nominating committee's essential function is to ensure that a minimum number of qualified, vetted individuals are placed on the slate of candidates for election. it should never be a gating function; it is an important safeguard to allow the nomination of qualified individuals outside the nominating committee and "from the floor" before votes are cast. ...
Although organizations may decide for themselves how a nominating committee will operate, it is inconsistent with the general principles of parliamentary process -- whichever standard you choose, Robert's, Sturgis, or another -- for all candidates to be forced to pass through the gauntlet of the nominating committee.
Jim - I agree with you in principle regarding the NomCom's essential function, but note that your requirement that the Nominating Committee pass _all_ candidates minimally qualified is not the only valid approach. In the case of ARIN, the NomCom process provides a sufficient number of qualified candidates but is specifically not required to provide all such candidates <https://www.arin.net/participate/elections/nomcom_faqs.html> The protection of the parliamentary representation principle that you allude to (i.e. the freedom for members of an organization to choose its own leadership) is instead provided via a petition process. This mechanism provides a comparable safeguard by allowing anyone to be added to the ballot if they desire such and can show some support in the community for their candidacy. Note that ARIN's initial Bylaws only provided for direct selection of new Board members by the ARIN Board from a list of candidates chosen by the ARIN AC. In subsequent years, this was changed to be a separate NomCom, and a petition process requiring support of 15% of the electorate was added. The petition threshold was then lowered to 5% of the electorate, and then again recently lowered to be now 2% of the electorate. The ARIN Board has reviewed the election process in each of the recent years to see if any further changes are required. Further evolution of this process is quite possible, and discussion here (or on an ARIN mailing list) will help inform the ARIN Board about the community views on this matter. Thanks! /John John Curran President and CEO ARIN
A nominating committee's essential function is to ensure that a minimum number of qualified, vetted individuals are placed on the slate of candidates for election.
it should ensure that folk who are not *technically* qualified, e.g. not members, not human people, ... are not on the slate. period.
it should never be a gating function
fact: it has been randy
On Sep 23, 2011, at 12:57 AM, Paul Vixie wrote:
On Thu, 22 Sep 2011 21:05:51 -0500 Benson Schliesser <bensons@queuefull.net> wrote:
As for my use of "existing establishment": I'm of the impression that a relatively small group of individuals drive ARIN, that most ARIN members don't actively participate. I have my own opinions on why this is, but they aren't worth elaborating at this time - in fact, I suspect many ARIN members here on NANOG can speak for themselves if they wanted to. In any case, this is just my impression. If you would rather share some statistics on member participation, election fairness, etc, then such facts might be more useful.
i think our participation level in elections is quite high and i'll ask for details and see them published here.
Paul - Information regarding ARIN's last election is online here: <https://www.arin.net/announcements/2010/20101019_ElectionWinners.html> I've attached the relevant section regarding participation, and it should be noted that more than 12% of the potential electorate voted in last year's election. This is typical turnout for our elections, and while I have been told anecdotally that this is relatively high turnout for a membership organization, I do not have hard data points for comparison at this time. I would encourage all NANOG members to confirm their designated member representatives with ARIN (i.e. the official organizational contacts) and vote (or if someone else in your organization encourage them to do so) in the upcoming ARIN election for the ARIN Advisory Council and the ARIN Board of Trustee positions. FYI, /John John Curran President and CEO ARIN
=== From <https://www.arin.net/announcements/2010/20101019_ElectionWinners.html>
2010 VOTER STATISTICS
3,690 ARIN members as of 21 September 2010
2,834 Eligible voters* as of 21 September 2010
*ARIN members in good standing with properly registered Designated Member Representatives on record 1 January 2010
355 unique member organizations cast a ballot in the Board of Trustees election.
356 unique member organizations cast a ballot in the Advisory Council election.
364 unique member organizations cast a ballot in either the Board of Trustees or Advisory Council election
The NomCom acts as a filter, of sorts. It chooses the candidates that the membership will see. The fact that the NomCom is so closely coupled with the existing leadership has an unfortunate appearance that suggests a bias. I'm unable to say whether the bias exists, is recognized, and/or is reflected in the slate of candidates. But it seems like an easy enough thing to avoid.
This statement ignores the existence of the petition process and the relatively low threshold required to get a candidate not approved or selected by the nomcom onto the ballot if there is even a very limited desire to do so.
As for my use of "existing establishment": I'm of the impression that a relatively small group of individuals drive ARIN, that most ARIN members don't actively participate. I have my own opinions on why this is, but they aren't worth elaborating at this time - in fact, I suspect many ARIN members here on NANOG can speak for themselves if they wanted to. In any case, this is just my impression. If you would rather share some statistics on member participation, election fairness, etc, then such facts might be more useful.
My inclination is that the lack of participation generally indicates that the majority are not upset by the way ARIN is doing things. I know that the beginning of my participation in ARIN was the result of my deciding that some of the ways ARIN was doing things needed changing.
ARIN's bylaws firmly place control of ARIN into the hands of its members. if you think that's the wrong approach, i'm curious to hear your reasoning and your proposed alternative.
One of ARIN's governance strengths is the availability of petition at many steps, including for candidates rejected by the NomCom. Likewise, as you noted, leaders are elected by the membership. For these reasons I previously noted that "ARIN has a pretty good governance structure" and I continue to think so. It could be improved by increased member involvement, as well as broader involvement from the community. (For instance, policy petitions should include responses from the entire affected community, not just PPML.) But my criticisms should be interpreted as constructive, and are not an indictment of the whole approach.
OK, so you are aware of the petition process after all. That makes your statement at the top of this message somewhat perplexing. I agree that increased member participation would be a good thing. I do not believe that including petition responses from people who aren't willing to join PPML even if it's just long enough to support the petition in question would be useful. It takes almost no effort to join PPML, support a petition, and then leave PPML if you are that determined not to participate. Further, I think that it is reasonable to expect at least a modicum of participation in the policy process in order to participate in the petition process. Requiring supporters to be on PPML at the time they support the petition seems like a reasonable threshold to me. Finally, absent some mechanism such as requiring a PPML subscription, it might be somewhat difficult to avoid petition stuffing. Owen
Randy is right that ARIN has missed a step here. It is unfortunate that there is no tool in existence that would test conformance of a whois server, and with hindsight, it would have been a good idea for ARIN to sponsor such a tool on one of the open source repo sites like github or googlecode. Instead, various people have encoded bits of the knowledge of how whois should work, into their own private and closed source systems so nobody, including ARIN, has a good way to test conformance of any system changes that they make. We can only hope that in future, protocol definitions and protocol testing tools will be developed in a more open fashion so that there is, in fact, an issue tracker where anyone can open a ticket and complain about something that appears to be a bug. I don't think ARIN should be doing issue tracking like this, or closed source development, when there are so many open source tools available. Bitbucket and Codeplex are another couple that come to mind. -- Michael Dillon On 18 September 2011 07:49, Randy Bush <randy@psg.com> wrote:
one to post overly aggressive defensive messages on nanog I am not convinced that Mr. Bush is best placed to comment on this particular issue.
you seem to have a problem differentiating defense from offense. i recommend you not play chess. :)
Randy is perfectly right in expressing his concerns about the registry system that we've built (as long as it's on a mailing list which supports the topic), since we're doing a function on behalf of the entire Internet community and spending everyone's money in the process. While it may not matter to him a bit, I'll defend his (and anyone else's) right to critique the quality and cost effectiveness of the job we're doing.
thanks. :)
i suspect some folk may be missing a few clues here. first is that you and i have been friends since the late '80s. second is that i was a founding board member of arin. and third, there is the concept of the loyal opposition.
i just think that we, as a culture, have let things get waaaay out of whack. john is paid to defend the status grow.
randy
All of the speculation and comment on this thread has been something to watch, but, it's not actually all that accurate. https://www.arin.net/policy/nrpm.html#four2 NRPM 4.2 provides several ways in which an ISP can qualify for space As has been mentioned in this thread, efficiently using a PA allocation from an upstream provider is one such mechanism. (4.2.2.1, 4.2.2.2). However, if you can show an immediate need for a /22 or more within the next 30 days (not particularly hard if you are building an ISP), you can qualify under 4.2.1.6 without any prior utilization. I know of a number of ISPs that have obtained their initial allocations in this manner. Owen
----- Original Message -----
All of the speculation and comment on this thread has been something to watch, but, it's not actually all that accurate.
https://www.arin.net/policy/nrpm.html#four2
NRPM 4.2 provides several ways in which an ISP can qualify for space
As has been mentioned in this thread, efficiently using a PA allocation from an upstream provider is one such mechanism. (4.2.2.1, 4.2.2.2).
However, if you can show an immediate need for a /22 or more within the next 30 days (not particularly hard if you are building an ISP), you can qualify under 4.2.1.6 without any prior utilization.
I know of a number of ISPs that have obtained their initial allocations in this manner.
Owen
I have a small ISP customer who is not multi-homed, and is using about a /21 and a half of space, and is expanding. Their upstream is refusing to give them more space, so they wanted to get their own, and give back the space to the upstream, with the possible exception of a small block for their servers, which would be very difficult to renumber. We explained this all, and the response we got from ARIN was that we needed to have a full /20 from the upstream, at which time we could easily get a /20 of new space. In order to qualify for the immediate need, we would need to show need for the entire /20, of which we would need to fully utilize (renumber into) within 30 days. That is not even remotely possible. The problem with this whole thing is that I have no less than 4 ISPs that are in almost the same boat. -Randy
On Sep 17, 2011, at 2:13 PM, Randy Carpenter wrote:
I have a small ISP customer who is not multi-homed, and is using about a /21 and a half of space, and is expanding. Their upstream is refusing to give them more space, so they wanted to get their own, and give back the space to the upstream, with the possible exception of a small block for their servers, which would be very difficult to renumber. We explained this all, and the response we got from ARIN was that we needed to have a full /20 from the upstream, at which time we could easily get a /20 of new space. In order to qualify for the immediate need, we would need to show need for the entire /20, of which we would need to fully utilize (renumber into) within 30 days. That is not even remotely possible.
The problem with this whole thing is that I have no less than 4 ISPs that are in almost the same boat.
Randy - If that policy is an issue for many of your customers, can you please come up with an alternative policy for consideration by the community? Thanks! /John John Curran President and CEO ARIN
On Sep 17, 2011, at 11:13 AM, Randy Carpenter wrote:
----- Original Message -----
All of the speculation and comment on this thread has been something to watch, but, it's not actually all that accurate.
https://www.arin.net/policy/nrpm.html#four2
NRPM 4.2 provides several ways in which an ISP can qualify for space
As has been mentioned in this thread, efficiently using a PA allocation from an upstream provider is one such mechanism. (4.2.2.1, 4.2.2.2).
However, if you can show an immediate need for a /22 or more within the next 30 days (not particularly hard if you are building an ISP), you can qualify under 4.2.1.6 without any prior utilization.
I know of a number of ISPs that have obtained their initial allocations in this manner.
Owen
I have a small ISP customer who is not multi-homed, and is using about a /21 and a half of space, and is expanding. Their upstream is refusing to give them more space, so they wanted to get their own, and give back the space to the upstream, with the possible exception of a small block for their servers, which would be very difficult to renumber. We explained this all, and the response we got from ARIN was that we needed to have a full /20 from the upstream, at which time we could easily get a /20 of new space. In order to qualify for the immediate need, we would need to show need for the entire /20, of which we would need to fully utilize (renumber into) within 30 days. That is not even remotely possible.
Or, they could easily multihome and qualify at a much smaller threshold.
The problem with this whole thing is that I have no less than 4 ISPs that are in almost the same boat.
Then propose a policy change to rectify it. Owen
I have a small ISP customer who is not multi-homed, and is using about a /21 and a half of space, and is expanding. Their upstream is refusing to give them more space, so they wanted to get their own, and give back the space to the upstream, with the possible exception of a small block for their servers, which would be very difficult to renumber. We explained this all, and the response we got from ARIN was that we needed to have a full /20 from the upstream, at which time we could easily get a /20 of new space. In order to qualify for the immediate need, we would need to show need for the entire /20, of which we would need to fully utilize (renumber into) within 30 days. That is not even remotely possible.
Or, they could easily multihome and qualify at a much smaller threshold.
Unfortunately, this is prohibitively expensive. They are small rural telcos who are connected to a collective state-wide fiber network. Any second provider would cost an order of magnitude (or more) more than what they have, and would likely be delivered over the same fiber network anyway.
The problem with this whole thing is that I have no less than 4 ISPs that are in almost the same boat.
Then propose a policy change to rectify it.
Noted, and planned :-) -Randy
On 09/17/2011 06:52 PM, Randy Carpenter wrote:
I have a small ISP customer who is not multi-homed, and is using about a /21 and a half of space, and is expanding. Their upstream is refusing to give them more space, so they wanted to get their own, and give back the space to the upstream, with the possible exception of a small block for their servers, which would be very difficult to renumber. We explained this all, and the response we got from ARIN was that we needed to have a full /20 from the upstream, at which time we could easily get a /20 of new space. In order to qualify for the immediate need, we would need to show need for the entire /20, of which we would need to fully utilize (renumber into) within 30 days. That is not even remotely possible.
Or, they could easily multihome and qualify at a much smaller threshold. Unfortunately, this is prohibitively expensive. They are small rural telcos who are connected to a collective state-wide fiber network. Any second provider would cost an order of magnitude (or more) more than what they have, and would likely be delivered over the same fiber network anyway.
Um.... really? You can't find anyone out there who would give you an LOA? No friendly ISP? I'm getting LOA from a buddy of mine that administers a couple existing ISP networks. It's not that difficult in my opinion. I mean does it have to be a wireline upstream provider? Or can it just be any AS who is friendly? I guess it's different for me as this is a green field deployment and I expect to peer all over the United States at dozens of POPS. As opposed to being a more traditional access network provider in a particular geographic region.
The problem with this whole thing is that I have no less than 4 ISPs that are in almost the same boat. Then propose a policy change to rectify it. Noted, and planned :-)
I look forward to those discussions. I'm kind of intrigued by policy now, after starting this process. At first I was a bit irritated but now after John/Owen posted links and comments, it's a walk in the park. Just waiting on an LOA from my buddy and I should be able to get that ASN and associated /32. -- Charles N Wyble charles@knownelement.com @charlesnw on twitter http://blog.knownelement.com Building alternative,global scale,secure, cost effective bit moving platform for tomorrows alternate default free zone.
Where I live in rural America, I would not be surprised that someone who wanted to start an ISP might only be able to cost-justify one upstream. When one Internet T-1 is $1,200/month, getting a second T-1 for that price from another provider just to get an AS or PI is definitely cost-prohibitive and may go against their business plan. Our own company has just one upstream provider (from geographically diverse POPs), our state's telecom coop, and to multi-home solely to meet ARIN's policy doesn't make sense. Fortunately we were using enough address space to meet the /20 requirement. Charles, if you wrote a policy that allowed smaller ISPs to obtain a PI without the multihoming requirement if they demonstrated that multihoming was burdensome, I would support it at arin-ppml. Frank -----Original Message----- From: Charles N Wyble [mailto:charles@knownelement.com] Sent: Sunday, September 18, 2011 12:58 AM To: nanog@nanog.org Subject: Re: wet-behind-the-ears whippersnapper seeking advice on building a nationwide network On 09/17/2011 06:52 PM, Randy Carpenter wrote:
I have a small ISP customer who is not multi-homed, and is using about a /21 and a half of space, and is expanding. Their upstream is refusing to give them more space, so they wanted to get their own, and give back the space to the upstream, with the possible exception of a small block for their servers, which would be very difficult to renumber. We explained this all, and the response we got from ARIN was that we needed to have a full /20 from the upstream, at which time we could easily get a /20 of new space. In order to qualify for the immediate need, we would need to show need for the entire /20, of which we would need to fully utilize (renumber into) within 30 days. That is not even remotely possible.
Or, they could easily multihome and qualify at a much smaller threshold. Unfortunately, this is prohibitively expensive. They are small rural telcos who are connected to a collective state-wide fiber network. Any second provider would cost an order of magnitude (or more) more than what they have, and would likely be delivered over the same fiber network anyway.
Um.... really? You can't find anyone out there who would give you an LOA? No friendly ISP? I'm getting LOA from a buddy of mine that administers a couple existing ISP networks. It's not that difficult in my opinion. I mean does it have to be a wireline upstream provider? Or can it just be any AS who is friendly? I guess it's different for me as this is a green field deployment and I expect to peer all over the United States at dozens of POPS. As opposed to being a more traditional access network provider in a particular geographic region.
The problem with this whole thing is that I have no less than 4 ISPs that are in almost the same boat. Then propose a policy change to rectify it. Noted, and planned :-)
I look forward to those discussions. I'm kind of intrigued by policy now, after starting this process. At first I was a bit irritated but now after John/Owen posted links and comments, it's a walk in the park. Just waiting on an LOA from my buddy and I should be able to get that ASN and associated /32. -- Charles N Wyble charles@knownelement.com @charlesnw on twitter http://blog.knownelement.com Building alternative,global scale,secure, cost effective bit moving platform for tomorrows alternate default free zone.
-----Original Message----- From: Frank Bulk [mailto:frnkblk@iname.com] Sent: 18 September 2011 23:14 To: 'Charles N Wyble'; nanog@nanog.org Subject: RE: wet-behind-the-ears whippersnapper seeking advice on building a nationwide network
Where I live in rural America, I would not be surprised that someone who wanted to start an ISP might only be able to cost-justify one upstream. When one Internet T-1 is $1,200/month, getting a second T-1 for that price from another provider just to get an AS or PI is definitely cost-prohibitive and may go against their business plan.
Our own company has just one upstream provider (from geographically diverse POPs), our state's telecom coop, and to multi-home solely to meet ARIN's policy doesn't make sense. Fortunately we were using enough address space to meet the /20 requirement.
Charles, if you wrote a policy that allowed smaller ISPs to obtain a PI without the multihoming requirement if they demonstrated that multihoming was burdensome, I would support it at arin-ppml.
Frank
I'll happily 'multihome' anybody over a GRE tunnel if it helps ;-) -- Leigh This email has been scanned by the MessageLabs Email Security System. For more information please visit http://www.messagelabs.com/email
I understand that tunneling meets the letter of the ARIN policy, but I'll make the bold assumption that wasn't the spirit of the policy when it was written. Maybe the policy needs to be amended to clarify that. Frank -----Original Message----- From: Leigh Porter [mailto:leigh.porter@ukbroadband.com] Sent: Sunday, September 18, 2011 6:37 PM To: frnkblk@iname.com; 'Charles N Wyble'; nanog@nanog.org Subject: RE: wet-behind-the-ears whippersnapper seeking advice on building a nationwide network
-----Original Message----- From: Frank Bulk [mailto:frnkblk@iname.com] Sent: 18 September 2011 23:14 To: 'Charles N Wyble'; nanog@nanog.org Subject: RE: wet-behind-the-ears whippersnapper seeking advice on building a nationwide network
Where I live in rural America, I would not be surprised that someone who wanted to start an ISP might only be able to cost-justify one upstream. When one Internet T-1 is $1,200/month, getting a second T-1 for that price from another provider just to get an AS or PI is definitely cost-prohibitive and may go against their business plan.
Our own company has just one upstream provider (from geographically diverse POPs), our state's telecom coop, and to multi-home solely to meet ARIN's policy doesn't make sense. Fortunately we were using enough address space to meet the /20 requirement.
Charles, if you wrote a policy that allowed smaller ISPs to obtain a PI without the multihoming requirement if they demonstrated that multihoming was burdensome, I would support it at arin-ppml.
Frank
I'll happily 'multihome' anybody over a GRE tunnel if it helps ;-) -- Leigh
On 09/18/2011 08:25 PM, Frank Bulk wrote:
I understand that tunneling meets the letter of the ARIN policy, but I'll make the bold assumption that wasn't the spirit of the policy when it was written. Maybe the policy needs to be amended to clarify that.
Well that would be a shame in my opinion. When one is boot strapping a network, it's very useful to have an ASN/PI space. Especially for v6. If one starts with a "real" upstream and a multihomed via tunnel, is that really so bad? I don't think it is. I am now very fascinated with the policy around all this. I didn't think my thread would touch off this passionate discussion. I've only gotten a few really useful responses (from John/Owen/Roland) which come to think of it, is about what I would expect. I was hoping for more technical responses. Go gripe on the ARIN lists if you really truly want policy changes. I greatly appreciate the clarification of policy and relevant docs etc. Seems really straightforward to me now. Now let's get back to technical / nuts and bolts discussion of building an ISP shall we? -- Charles N Wyble charles@knownelement.com @charlesnw on twitter http://blog.knownelement.com Building alternative,global scale,secure, cost effective bit moving platform for tomorrows alternate default free zone.
On Sep 18, 2011, at 6:51 PM, Charles N Wyble wrote:
On 09/18/2011 08:25 PM, Frank Bulk wrote:
I understand that tunneling meets the letter of the ARIN policy, but I'll make the bold assumption that wasn't the spirit of the policy when it was written. Maybe the policy needs to be amended to clarify that.
Well that would be a shame in my opinion. When one is boot strapping a network, it's very useful to have an ASN/PI space. Especially for v6. If one starts with a "real" upstream and a multihomed via tunnel, is that really so bad?
I don't think it is.
As someone who has authored the occasional ARIN policy, I will say that I believe ARIN policy is intentionally agnostic about underlying physical and logical topology of your network beyond those aspects defined in the policy. I do not believe that there was any intention to preclude tunnels and that if there had been, the policy authors and/or the community would have been perfectly capable of adding language to express that intent. As such, no, I don't believe that the use of tunnels is outside of the spirit of the policy as it is written. Owen
On Sun, 18 Sep 2011, Frank Bulk wrote:
I understand that tunneling meets the letter of the ARIN policy, but I'll make the bold assumption that wasn't the spirit of the policy when it was written. Maybe the policy needs to be amended to clarify that.
I think this is a bad idea and I suspect would slow IPv6 deployment. Potential latency issues aside, is there a technical (not political) reason for doing so? Antonio Querubin e-mail: tony@lavanauts.org xmpp: antonioquerubin@gmail.com
I should have made myself more clear -- the policy amendment would make clear that multihoming requires only one facilities-based connection and that the other connections could be fulfilled via tunnels. This may be heresy for some. Frank -----Original Message----- From: Antonio Querubin [mailto:tony@lavanauts.org] Sent: Sunday, September 18, 2011 9:27 PM To: Frank Bulk Cc: 'Leigh Porter'; 'Charles N Wyble'; nanog@nanog.org Subject: RE: wet-behind-the-ears whippersnapper seeking advice on building a nationwide network On Sun, 18 Sep 2011, Frank Bulk wrote:
I understand that tunneling meets the letter of the ARIN policy, but I'll make the bold assumption that wasn't the spirit of the policy when it was written. Maybe the policy needs to be amended to clarify that.
I think this is a bad idea and I suspect would slow IPv6 deployment. Potential latency issues aside, is there a technical (not political) reason for doing so? Antonio Querubin e-mail: tony@lavanauts.org xmpp: antonioquerubin@gmail.com
On 09/18/11 19:41, Frank Bulk wrote:
I should have made myself more clear -- the policy amendment would make clear that multihoming requires only one facilities-based connection and that the other connections could be fulfilled via tunnels. This may be heresy for some.
I don't think the policy should specify the underlying transport at all. That strikes me as out-of-scope for ARIN. michael
On Sun, 18 Sep 2011, Frank Bulk wrote:
I should have made myself more clear -- the policy amendment would make clear that multihoming requires only one facilities-based connection and that the other connections could be fulfilled via tunnels. This may be heresy for some.
That's not multihoming. ---------------------------------------------------------------------- Jon Lewis, MCP :) | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
On 9/19/2011 6:02 PM, Jon Lewis wrote:
On Sun, 18 Sep 2011, Frank Bulk wrote:
I should have made myself more clear -- the policy amendment would make clear that multihoming requires only one facilities-based connection and that the other connections could be fulfilled via tunnels. This may be heresy for some.
That's not multihoming.
Really? Let's try these and see how you do:
1) One IP connection via a T-1. Second IP connection via GRE tunnel carried on first.
2) One IP connection via a T-1 that doesn't have transit, only peering with providers B and C. IP connections via two GRE tunnels to providers B and C.
3) One IP connection via MPLS over T-1. Second IP connection via different MPLS virtual circuit over the same T-1.
4) One IP connection via Frame Relay over T-1. Second IP connection via Frame Relay over the same T-1.
5) One IP connection via a T-1. Second IP connection via a different T-1 that is multiplexed on the same DS3.
6) One IP connection via a T-1. Second IP connection via a different T-1 that is on separate physical pairs, but in the same cable bundle.
Matthew Kaufman
1) One IP connection via a T-1. Second IP connection via GRE tunnel carried on first.
2) One IP connection via a T-1 that doesn't have transit, only peering with providers B and C. IP connections via two GRE tunnels to providers B and C.
3) One IP connection via MPLS over T-1. Second IP connection via different MPLS virtual circuit over the same T-1.
4) One IP connection via Frame Relay over T-1. Second IP connection via Frame Relay over the same T-1.
5) One IP connection via a T-1. Second IP connection via a different T-1 that is multiplexed on the same DS3.
6) One IP connection via a T-1. Second IP connection via a different T-1 that is on separate physical pairs, but in the same cable bundle.
you left out one connection via a chevy full of hollerith cards and the second a canoe full of 7 track tape in waterproof containers. we now return you to the real internet, where we invent new useful things occasionally but try to refrain from redefining well-understood terms on a daily basis (unless we are in marketing). randy
On 9/19/2011 8:32 PM, Randy Bush wrote:
you left out one connection via a chevy full of hollerith cards and the second a canoe full of 7 track tape in waterproof containers.
They certainly have different loss characteristics, even if you don't get unique routing policy out of it. Matthew Kaufman
----- Original Message -----
From: "Randy Bush" <randy@psg.com>
you left out one connection via a chevy full of hollerith cards and the second a canoe full of 7 track tape in waterproof containers.
That's "a station wagon full of magtape". Henry would be disappointed. Cheers, -- jra * See also http://www.merit.edu/mail.archives/nanog/msg15422.html -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
Date: Tue, 20 Sep 2011 00:07:06 -0400 (EDT) From: Jay Ashworth <jra@baylink.com> Subject: Re: wet-behind-the-ears whippersnapper seeking advice on building a nationwide network
From: "Randy Bush" <randy@psg.com>
you left out one connection via a chevy full of hollerith cards and the second a canoe full of 7 track tape in waterproof containers.
That's "a station wagon full of magtape". Henry would be disappointed.
The zoo didn't use it. The station wagon transport layer -- which gave an entirely new meaning to 'jumbo packets' -- was a point-to-point link between a couple of North Carolina locations.
On Tue, 20 Sep 2011 05:32:04 +0200, Randy Bush said:
you left out one connection via a chevy full of hollerith cards and the second a canoe full of 7 track tape in waterproof containers.
Does anybody actually *have* a functional 7 track drive? I remember seeing a story on PBS (may have been a Nova episode) where they discussed the fact that NASA had literally thousands of 7 track tapes of telemetry data and no way to read them because their last 7 track drive had died, and IBM had no 7 track read/write heads left either... (I admit we still have a rack of 9-track tapes in ez-loader seals in our tape library, though we got rid of our last IBM 3420 about a decade ago. I think most of them are tapes we've lost track of ownership info, and don't dare dispose of in case the owner turns up.. ;)
On 9/19/2011 9:20 PM, Randy Bush wrote:
Does anybody actually *have* a functional 7 track drive? if you really need one, i know what trail i would start to follow. there are folk keeping old stuff alive and pulling arcane things off old media (like the besm-6 system).
randy
I haven't heard about the BESM-6 since the 1970s when I was studying Warsaw Pact Computers! The BESM-6 was delivered from the factory without any software.
On Tue, Sep 20, 2011 at 12:20 AM, Randy Bush <randy@psg.com> wrote:
Does anybody actually *have* a functional 7 track drive?
if you really need one, i know what trail i would start to follow. there are folk keeping old stuff alive and pulling arcane things off old media (like the besm-6 system).
the text archive folks (talk at blackhat) may as well have a method to read these.
given that as 729 maxes out at 800cpi there are probably slightly kinky ways to attack the problem, e.g. someone doing it with disk packs. http://chrisfenton.com/cray-1-digital-archeology/ there's still plenty of equipment that can wrap 1/2" tape around a spindle. On 9/19/11 21:14 , Valdis.Kletnieks@vt.edu wrote:
On Tue, 20 Sep 2011 05:32:04 +0200, Randy Bush said:
you left out one connection via a chevy full of hollerith cards and the second a canoe full of 7 track tape in waterproof containers.
Does anybody actually *have* a functional 7 track drive? I remember seeing a story on PBS (may have been a Nova episode) where they discussed the fact that NASA had literally thousands of 7 track tapes of telemetry data and no way to read them because their last 7 track drive had died, and IBM had no 7 track read/write heads left either...
(I admit we still have a rack of 9-track tapes in ez-loader seals in our tape library, though we got rid of our last IBM 3420 about a decade ago. I think most of them are tapes we've lost track of ownership info, and don't dare dispose of in case the owner turns up.. ;)
Does anybody actually *have* a functional 7 track drive?
The folks restoring at least one IBM 1401 probably have several. http://ibm-1401.info/ Other than replacing a lot of older tab shop hardware, a primary function for many 1401s was to do card reading and printing for jobs submitted on 7 track tape to 7094s.
On Tue, Sep 20, 2011 at 01:22:43AM -0400, Barton F Bruce wrote:
Does anybody actually *have* a functional 7 track drive?
The folks restoring at least one IBM 1401 probably have several.
A few (dozen) years ago, I was treated to an interesting demonstration where a coworker poured an oily fluid containing tiny metallic flakes on a patch of tape. The "bits" on the tape could be clearly seen by the naked eye, and could be decoded (ever so slowly!) using a magnifying glass. -- Henry Yen Aegis Information Systems, Inc. Senior Systems Programmer Hicksville, New York
http://ibm-1401.info/ A few (dozen) years ago, I was treated to an interesting demonstration where a coworker poured an oily fluid containing tiny metallic flakes on a patch of tape. The "bits" on the tape could be clearly seen by the naked eye, and could be decoded (ever so slowly!) using a magnifying glass.
standard ops procedure on those old tapes randy
Randy Bush wrote:
http://ibm-1401.info/ A few (dozen) years ago, I was treated to an interesting demonstration where a coworker poured an oily fluid containing tiny metallic flakes on a patch of tape. The "bits" on the tape could be clearly seen by the naked eye, and could be decoded (ever so slowly!) using a magnifying glass.
standard ops procedure on those old tapes
randy
Yep. The method I was taught (IBM) was to loop the tape into the 'developing' solution container and see-saw it back and forth to make sure the mag. particles were distributed. Pull it out and wait until the medium evaporated. Lay it down and carefully place 'scotch-tape' over the record. Pull the scotch tape up and re-tape it to a white, blank, "punched card". I still have the adjustable magnifier with the bit areas marked on the reticle. --Michael
Once upon a time, Henry Yen <henry@AegisInfoSys.com> said:
A few (dozen) years ago, I was treated to an interesting demonstration where a coworker poured an oily fluid containing tiny metallic flakes on a patch of tape. The "bits" on the tape could be clearly seen by the naked eye, and could be decoded (ever so slowly!) using a magnifying glass.
Dad has a little magnifying glass above a tray of metallic particles with a slot below that. He could pull a tape through the slot, tap the device, and the particles would line up with the bits. Of course, he also still has his NASA-issued slide rule still in his desk at work. :-) -- Chris Adams <cmadams@hiwaay.net> Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
On September 20, 2011 at 02:00 henry@AegisInfoSys.com (Henry Yen) wrote:
A few (dozen) years ago, I was treated to an interesting demonstration where a coworker poured an oily fluid containing tiny metallic flakes on a patch of tape. The "bits" on the tape could be clearly seen by the naked eye, and could be decoded (ever so slowly!) using a magnifying glass.
Magnetic Tape Developer, you can still buy it (see link below). I remember playing with the stuff back in the days when punch cards were still your friend. I suppose it wouldn't be that hard to make your own but I think the liquid was a fast-drying light solvent or CFC, not oily, so it'd dry, you could read it, and then shake/wipe/dust it off. It was supposedly handy for recovering physically mangled tapes, it wasn't that rare for a tape to just get jammed in a drive and get so crumpled it wouldn't go thru a drive any more and you didn't have a backup tho usually at that point you dug out the original punch cards and re-created the data set or whatever, had the data re-keyed (that means punched back onto punchcards, or even key-to-tape, from its pencil+paper source) because using tape developer would be too expensive in terms of people-hours. Or you just applied to law school and hoped for the best. http://www.cardserv.asia/joomla/index.php?option=com_content&view=article&id=21&Itemid=10 or http://tinyurl.com/6kak4o7 -b
On Tue, Sep 20, 2011 at 12:14:59AM -0400, Valdis.Kletnieks@vt.edu wrote:
On Tue, 20 Sep 2011 05:32:04 +0200, Randy Bush said:
you left out one connection via a chevy full of hollerith cards and the second a canoe full of 7 track tape in waterproof containers.
Does anybody actually *have* a functional 7 track drive? I remember seeing a story on PBS (may have been a Nova episode) where they discussed the fact that NASA had literally thousands of 7 track tapes of telemetry data and no way to read them because their last 7 track drive had died, and IBM had no 7 track read/write heads left either...
(I admit we still have a rack of 9-track tapes in ez-loader seals in our tape library, though we got rid of our last IBM 3420 about a decade ago. I think most of them are tapes we've lost track of ownership info, and don't dare dispose of in case the owner turns up.. ;)
I know of two sites that have them and there are folks who keep older kit running. it's not cheap and they are not high volume. /bill
From: Valdis.Kletnieks@vt.edu Subject: Re: wet-behind-the-ears whippersnapper seeking advice on building a nationwide network Date: Tue, 20 Sep 2011 00:14:59 -0400
Does anybody actually *have* a functional 7 track drive?
I _think_ there's a guy in OZ that still has one or more. Haven't been in touch with him for several years though.
From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu] Sent: Tuesday, September 20, 2011 12:15 AM
On Tue, 20 Sep 2011 05:32:04 +0200, Randy Bush said:
you left out one connection via a chevy full of hollerith cards and the second a canoe full of 7 track tape in waterproof containers.
Does anybody actually *have* a functional 7 track drive? I remember seeing a story on PBS (may have been a Nova episode) where they discussed the fact that NASA had literally thousands of 7 track tapes of telemetry data and no way to read them because their last 7 track drive had died, and IBM had no 7 track read/write heads left either...
(I admit we still have a rack of 9-track tapes in ez-loader seals in our tape library, though we got rid of our last IBM 3420 about a decade ago. I think most of them are tapes we've lost track of ownership info, and don't dare dispose of in case the owner turns up.. ;)
It's worse than that. I spent a little time working at NASA LaRC, and even if you had a functional drive, the tapes are mostly garbage (we had tens of thousands of 9 track spools that had spent decades in rooms with no temp or humidity controls). No point in trying to read data from a tape that's shedding the layer of magnetic material. We were not unique. Jamie
Valdis.Kletnieks@vt.edu writes:
Does anybody actually *have* a functional 7 track drive?
Maybe the people running <http://www.cray-cyber.org> have one. (If you ever come to Munich, try to visit this museum.) Jens -- | Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 | http://blog.quux.de | jabber: jenslink@guug.de |
On Mon, 19 Sep 2011, Matthew Kaufman wrote:
On 9/19/2011 6:02 PM, Jon Lewis wrote:
On Sun, 18 Sep 2011, Frank Bulk wrote:
I should have made myself more clear -- the policy amendment would make clear that multihoming requires only one facilities-based connection and that the other connections could be fulfilled via tunnels. This may be heresy for some.
That's not multihoming.
Really? Let's try these and see how you do:
The ARIN NRPM actually defines it: 2.7. Multihomed An organization is multihomed if it receives full-time connectivity from more than one ISP and has one or more routing prefixes announced by at least two of its upstream ISPs. IMO, "full-time connectivity" would mean a leased line, ethernet, or even wireless connection, but not a GRE or other tunnel (which is entirely dependent on other connectivity). i.e. if you have a leased line connection to ISP-A, and a tunnel over that connection to ISP-B, and either A or your leased line fail, then you're down. That's not multihoming. Some of the scenarios you suggested are pretty unusual and would have to be considered on a case by case basis. i.e. a shared T1 to some common point over which you peer with 2 providers? I'd argue in that case, whoever provides or terminates the T1 in that case is your one transit provider, and again, you're really not multihomed...unless it's your T1 and your router at the remote side, and that router has ethernet to the two providers...then that router is multihomed, and though most of your network is not, I'd argue that you have satisfied the requirement for being multihomed. -- Jon Lewis, MCP :) | I route Senior Network Engineer | therefore you are Atlantic Net | http://www.lewis.org/~jlewis/pgp for PGP public key
On Sep 20, 2011, at 5:01 AM, Jon Lewis wrote:
On Mon, 19 Sep 2011, Matthew Kaufman wrote:
On 9/19/2011 6:02 PM, Jon Lewis wrote:
On Sun, 18 Sep 2011, Frank Bulk wrote:
I should have made myself more clear -- the policy amendment would make clear that multihoming requires only one facilities-based connection and that the other connections could be fulfilled via tunnels. This may be heresy for some. That's not multihoming.
Really? Let's try these and see how you do:
The ARIN NRPM actually defines it:
2.7. Multihomed
An organization is multihomed if it receives full-time connectivity from more than one ISP and has one or more routing prefixes announced by at least two of its upstream ISPs.
IMO, "full-time connectivity" would mean a leased line, ethernet, or even wireless connection, but not a GRE or other tunnel (which is entirely dependent on other connectivity).
Why would you say that a GRE or other tunnel is not full-time connectivity? I have full-time GRE tunnels to two ISPs and they do actually constitute multihoming under the ARIN interpretation of NRPM 2.7.
i.e. if you have a leased line connection to ISP-A, and a tunnel over that connection to ISP-B, and either A or your leased line fail, then you're down. That's not multihoming.
In my case, I have full-time circuits to two entities that provide very limited IPv4 services. I use those two connections to route GRE tunnels to routers in colocation facilities. My AS consists of the routers in the colocation facilities combined with the routers at my primary location and the networks to which they are attached. The GRE tunnels provide OSPF and iBGP routing to the routers at my primary location and my prefixes are anchored on the routers at the primary location. The colo routers provide the eBGP border connectivity to the upstream routers at each of the colos. In what way is this not multihoming? Now, let's look at some alternatives... If I have only a single router at my primary location, is it still multihoming? I would say yes. Perhaps less reliable, but, that is not ARIN's concern. If I have only a single physical link over which the multiple tunnels are connected, am I still receiving full time connectivity from two providers over the multiple tunnels? Yes, actually, I am. Again, it's not as reliable, but, reliability is not ARIN's concern.
Some of the scenarios you suggested are pretty unusual and would have to be considered on a case by case basis. i.e. a shared T1 to some common point over which you peer with 2 providers? I'd argue in that case, whoever provides or terminates the T1 in that case is your one transit provider, and again, you're really not multihomed...unless it's your T1 and your router at the remote side, and that router has ethernet to the two providers...then that router is multihomed, and though most of your network is not, I'd argue that you have satisfied the requirement for being multihomed.
I think you are delving much deeper into the internals of someone's network than it is customary for ARIN to do in order to pass judgment on whether or not it is multihomed. Owen
On Sep 20, 2011, at 2:54 PM, Owen DeLong wrote:
Why would you say that a GRE or other tunnel is not full-time connectivity? I have full-time GRE tunnels to two ISPs and they do actually constitute multihoming under the ARIN interpretation of NRPM 2.7.
i.e. if you have a leased line connection to ISP-A, and a tunnel over that connection to ISP-B, and either A or your leased line fail, then you're down. That's not multihoming.
In my case, I have full-time circuits to two entities that provide very limited IPv4 services. I use those two connections to route GRE tunnels to routers in colocation facilities. My AS consists of the routers in the colocation facilities combined with the routers at my primary location and the networks to which they are attached. The GRE tunnels provide OSPF and iBGP routing to the routers at my primary location and my prefixes are anchored on the routers at the primary location. The colo routers provide the eBGP border connectivity to the upstream routers at each of the colos.
In what way is this not multihoming?
In the way that you are apparently incapable of reading what was written. Jon very clearly states that if the GRE tunnel goes over the same physical infrastructure, it is not multihoming. Then you go on to explain how you have two physical lines. I'd tell you to stop trolling, but I honestly wonder if you are trolling. -- TTFN, patrick
Once upon a time, Patrick W. Gilmore <patrick@ianai.net> said:
In the way that you are apparently incapable of reading what was written. Jon very clearly states that if the GRE tunnel goes over the same physical infrastructure, it is not multihoming. Then you go on to explain how you have two physical lines.
Devil's advocate: if you have links to two carriers, but they are delivered via the same LEC on the same fiber, are you multihomed? What about if you have two LECs at your facility, but the two circuits share a common path elsewhere (outside of your knowledge)? -- Chris Adams <cmadams@hiwaay.net> Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
On Sep 20, 2011, at 3:18 PM, Chris Adams wrote:
Once upon a time, Patrick W. Gilmore <patrick@ianai.net> said:
In the way that you are apparently incapable of reading what was written. Jon very clearly states that if the GRE tunnel goes over the same physical infrastructure, it is not multihoming. Then you go on to explain how you have two physical lines.
Devil's advocate: if you have links to two carriers, but they are delivered via the same LEC on the same fiber, are you multihomed? What about if you have two LECs at your facility, but the two circuits share a common path elsewhere (outside of your knowledge)?
Fair question. As a customer, if your two transit circuits are in the same conduit, I do not consider that redundant. However, I believe the spirit of the NRPM is clear. Two circuits in the same conduit would qualify, one circuit with two BGP sessions does not. As has been famously and repeatedly mentioned here and just about everywhere else John is subscribed, ARIN is a VERY open organization. If you disagree with the NRPM, or even with an interpretation of it, feel free to offer up new language that would better fit your view. If the community agrees, POOF!, you have a new rule. -- TTFN, patrick
On Tue, Sep 20, 2011 at 4:05 PM, Patrick W. Gilmore <patrick@ianai.net> wrote:
On Sep 20, 2011, at 3:18 PM, Chris Adams wrote:
Once upon a time, Patrick W. Gilmore <patrick@ianai.net> said:
In the way that you are apparently incapable of reading what was written. Jon very clearly states that if the GRE tunnel goes over the same physical infrastructure, it is not multihoming. Then you go on to explain how you have two physical lines.
Devil's advocate: if you have links to two carriers, but they are delivered via the same LEC on the same fiber, are you multihomed? What about if you have two LECs at your facility, but the two circuits share a common path elsewhere (outside of your knowledge)?
Fair question.
As a customer, if your two transit circuits are in the same conduit, I do not consider that redundant.
However, I believe the spirit of the NRPM is clear. Two circuits in the same conduit would qualify, one circuit with two BGP sessions does not.
As has been famously and repeatedly mentioned here and just about everywhere else John is subscribed, ARIN is a VERY open organization. If you disagree with the NRPM, or even with an interpretation of it, feel free to offer up new language that would better fit your view. If the community agrees, POOF!, you have a new rule.
Ok, I would propose something like:
"full time connection to two or more providers" should be satisfied when the network involved has (or has contracted for and will have) two or more connections that are diverse from each other at ANY point in their path between the end network location or locations and the far end BGP peers, whether or not the two or more connections are exposed to one or more common points of failure, as long as there are any failure modes for which one connection can provide protection against that failure mode somewhere in the other connection. Whew :) I am sure someone can say it better! -Dorn
On Tue, 20 Sep 2011 16:13:57 EDT, Dorn Hetzel said:
"full time connection to two or more providers" should be satisfied when the network involved has (or has contracted for and will have) two or more connections that are diverse from each other at ANY point in their path between the end network location or locations and the far end BGP peers,
I'm reading your statement as if you got the logic backwards - because this doesn't rule out "pipe from one provider and tunnel across same pipe to another provider", because the tunnel is diverse after it emerges from the first provider's pipe. But since you know *up front* that the two connections have fate sharing, it's not clear that it's "good enough" multihoming to count as two *real* full time connections.
points of failure, as long as there are any failure modes for which one connection can provide protection against that failure mode somewhere in the other connection.
As long as there is *A* failure mode? Hmm. <invents a movie-plot failure mode involving crazed ninjas with katanas loose in a switch room at one provider>. Yep, it's unlikely crazed ninjas will attack the switch rooms at both providers. I'm pretty sure what you intended to say there isn't what I read it as...
----- Original Message -----
From: "Valdis Kletnieks" <Valdis.Kletnieks@vt.edu>
As long as there is *A* failure mode? Hmm. <invents a movie-plot failure mode involving crazed ninjas with katanas loose in a switch room at one provider>. Yep, it's unlikely crazed ninjas will attack the switch rooms at both providers.
I too am a Schneier fan. But terrorists watch movies, too. Cheers, -- jr 'Once is happenstance...' a -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
I think people tend to go overboard in the planning phases for something like this. I remember rumors of a certain large ISP getting along fine for several years installing routers with a password like "getsmein". There are plenty of groups that publish guidelines on ISP configuration as well as a wealth of books on the subject. You'll just have to start out with the basics and learn as you go. I'm not sure you can get a magic bullet from a mailing list though. 2011/9/20 Jay Ashworth <jra@baylink.com>
----- Original Message -----
From: "Valdis Kletnieks" <Valdis.Kletnieks@vt.edu>
As long as there is *A* failure mode? Hmm. <invents a movie-plot failure mode involving crazed ninjas with katanas loose in a switch room at one provider>. Yep, it's unlikely crazed ninjas will attack the switch rooms at both providers.
I too am a Schneier fan. But terrorists watch movies, too.
Cheers, -- jr 'Once is happenstance...' a -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
On Tue, Sep 20, 2011 at 04:13:57PM -0400, Dorn Hetzel wrote:
"full time connection to two or more providers" should be satisfied when the network involved has (or has contracted for and will have) two or more connections that are diverse from each other at ANY point in their path between the end network location or locations and the far end BGP peers, whether or not the two or more connections are exposed to one or more common points of failure, as long as there are any failure modes for which one connection can provide protection against that failure mode somewhere in the other connection.
The GRE tunnel configuration being discussed in this thread passes this test. Consider the following: ISP #1 has transit connections to upstream A and B. ISP #2 has transit connections to upstream C and D. ISP 1 and ISP 2 peer. Customer gets a connection to ISP #1 and runs BGP, and, over that connection, establishes a GRE tunnel to ISP #2, and runs BGP over that also. I assume your last clause requires that each connection provide protection against a failure mode in the other connection (not just that one of the two provide protection against a failure mode on the other). This is satisfied. In my example: ISP #1 provides protection against ISP #2 having a complete meltdown. ISP #2 provides protection against ISP #1 losing both its upstream connections. -- Brett
On Tue, Sep 20, 2011 at 5:19 PM, Brett Frankenberger <rbf+nanog@panix.com> wrote:
On Tue, Sep 20, 2011 at 04:13:57PM -0400, Dorn Hetzel wrote:
"full time connection to two or more providers" should be satisfied when the network involved has (or has contracted for and will have) two or more connections that are diverse from each other at ANY point in their path between the end network location or locations and the far end BGP peers, whether or not the two or more connections are exposed to one or more common points of failure, as long as there are any failure modes for which one connection can provide protection against that failure mode somewhere in the other connection.
The GRE tunnel configuration being discussed in this thread passes this test. Consider the following: ISP #1 has transit connections to upstream A and B. ISP #2 has transit connections to upstream C and D. ISP 1 and ISP 2 peer.
Customer gets a connection to ISP #1 and runs BGP, and, over that connection, establishes a GRE tunnel to ISP #2, and runs BGP over that also.
I assume your last clause requires that each connection provide protection against a failure mode in the other connection (not just that one of the two provide protection against a failure mode on the other). This is satisfied. In my example:
ISP #1 provides protection against ISP #2 having a complete meltdown.
ISP #2 provides protection against ISP #1 losing both its upstream connections.
-- Brett
Yes, that is what I was trying to say, that there are at least k providers, k>=2, and that at least 2 of those k providers offer at least some redundancy for some possible failure modes in the other provider. Your example is especially plausible if it happens that the router from which ISP #1 provides me service is the same router, or at least close in the same POP, to the router from which they peer with ISP#2. ISP#1 might then have a complete backbone meltdown, but retain their local peering session with ISP#2, which would allow me to still reach my tunnel endpoint in ISP#2 and the BGP session resulting. -Dorn
Ok, I would propose something like:
"full time connection to two or more providers" should be satisfied when the network involved has (or has contracted for and will have) two or more connections that are diverse from each other at ANY point in their path between the end network location or locations and the far end BGP peers, whether or not the two or more connections are exposed to one or more common points of failure, as long as there are any failure modes for which one connection can provide protection against that failure mode somewhere in the other connection.
Whew :)
I am sure someone can say it better!
-Dorn
FWIW, two GRE tunnels over the same physical tail circuit to different providers on the other side would satisfy that condition. Frankly, I don't believe that your expanded definition changes anything from the current state of affairs. Owen
On 9/20/11 1:05 PM, Patrick W. Gilmore wrote:
However, I believe the spirit of the NRPM is clear. Two circuits in the same conduit would qualify, one circuit with two BGP sessions does not.
Totally disagree. If I have a metro ethernet circuit and can see both my transit providers over the same circuit, that's clearly multihoming. As is a single DS3 over which I run two T-1s to different providers. Or two ATM or Frame Relay VCs. Matthew Kaufman
This has deviated so far from a useful technical discussion, it isn't even amusing anymore. From http://www.nanog.org/mailinglist/ Our pre-posting guide for messages to the NANOG e-mail list: Does my email have operational/technical content? ANSWER: NO. Would I be interested in reading this email? ANSWER: YES, obviously (unless it wasn't me posting it.) I am also the guy at work who everyone avoids because I am the annoying talker who never shuts up. I often get confused when people just walk off in the middle of a "conversation" (ie: when I won't shut the hell up and/or let anyone else talk.) Would 10,000 other Internet engineers want to read this? NO. STOP. -bill ps. Those who chime in with a witty comment or yet another opinion just when the thread seems to be slowing down are just as guilty as the ones who keep it going by writing paragraph after paragraph "refuting" what the others have said. (When neither side has an inkling of wanting to acquiesce to the other side.) ObGodwin: Hitler. Can we be done now?
Thank you! 112 Emails on this subject, I am sick of it. On Sep 20, 2011, at 3:25 PM, Bill P wrote:
This has deviated so far from a useful technical discussion, it isn't even amusing anymore.
From http://www.nanog.org/mailinglist/
Our pre-posting guide for messages to the NANOG e-mail list:
Does my email have operational/technical content?
ANSWER: NO.
Would I be interested in reading this email?
ANSWER: YES, obviously (unless it wasn't me posting it.) I am also the guy at work who everyone avoids because I am the annoying talker who never shuts up. I often get confused when people just walk off in the middle of a "conversation" (ie: when I won't shut the hell up and/or let anyone else talk.)
Would 10,000 other Internet engineers want to read this?
NO.
STOP.
-bill
ps. Those who chime in with a witty comment or yet another opinion just when the thread seems to be slowing down are just as guilty as the ones who keep it going by writing paragraph after paragraph "refuting" what the others have said. (When neither side has an inkling of wanting to acquiesce to the other side.)
ObGodwin: Hitler.
Can we be done now?
My apologies to all. I was hoping the conversation would be of an operational nature. I deleted the vast majority of messages in the thread as they weren't relevant. If anyone wants I can post smaller scope subject threads. Or a summary of the operationally relevant bits in the thread. Bret Palsson <bret@getjive.com> wrote: Thank you! 112 Emails on this subject, I am sick of it.
On Tue, 20 Sep 2011, Chris Adams wrote:
Devil's advocate: if you have links to two carriers, but they are delivered via the same LEC on the same fiber, are you multihomed? What about if you have two LECs at your facility, but the two circuits share a common path elsewhere (outside of your knowledge)?
I'd say you are. End users frequently don't know the layout of their carrier's networks, and I certainly wouldn't expect ARIN to be interested in that level of detail. What's next? Are you going to ask if I'd require that your router have dual power supplies from different UPS's, or that if they don't have dual power, you have a router per transit connection? It's a shame ARIN's auditors don't hang out here (or if they do, that they don't jump in and end these sorts of "what if" circle-jerks). It's a simple enough question...have they already seen applications for IP/ASN resources where the applicant was required to be multihomed and their connectivity was one leased line and a GRE tunnel with BGP to a second provider. Was the request approved? How many providers will even provision such a service? -- Jon Lewis, MCP :) | I route Senior Network Engineer | therefore you are Atlantic Net | http://www.lewis.org/~jlewis/pgp for PGP public key
On Sep 20, 2011, at 2:02 PM, Jon Lewis wrote:
On Tue, 20 Sep 2011, Chris Adams wrote:
Devil's advocate: if you have links to two carriers, but they are delivered via the same LEC on the same fiber, are you multihomed? What about if you have two LECs at your facility, but the two circuits share a common path elsewhere (outside of your knowledge)?
I'd say you are. End users frequently don't know the layout of their carrier's networks, and I certainly wouldn't expect ARIN to be interested in that level of detail.
What's next? Are you going to ask if I'd require that your router have dual power supplies from different UPS's, or that if they don't have dual power, you have a router per transit connection?
It's a shame ARIN's auditors don't hang out here (or if they do, that they don't jump in and end these sorts of "what if" circle-jerks). It's a simple enough question...have they already seen applications for IP/ASN resources where the applicant was required to be multihomed and their connectivity was one leased line and a GRE tunnel with BGP to a second provider. Was the request approved?
How many providers will even provision such a service?
I know for a fact that ARIN has received and approved such requests. I do not know whether ARIN was aware of the exact details of the underlying topology in question at the time they approved the request or not. I was a consultant filling out the applications for my clients at the time. It wasn't quite exactly what you describe, it was 2 GRE tunnels to different providers over a tail circuit from a third provider. As long as you can show transit and/or peering with two ASNs (usually through a peering contract or letter of intent from the peer/transit provider), ARIN considers you to be multihomed for policy purposes. The underlying physical or logical mechanisms by which you reach those two (or more) neighbor ASNs are not ARIN's concern. Owen
----- Original Message -----
From: "Chris Adams" <cmadams@hiwaay.net>
What about if you have two LECs at your facility, but the two circuits share a common path elsewhere (outside of your knowledge)?
p=1.0, *even* if you're paying for guaranteed physical diversity. Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
On 9/19/2011 6:02 PM, Jon Lewis wrote:
On Sun, 18 Sep 2011, Frank Bulk wrote:
I should have made myself more clear -- the policy amendment would make clear that multihoming requires only one facilities-based connection and that the other connections could be fulfilled via tunnels. This may be heresy for some.
That's not multihoming.
Note that for the purpose of needing an AS number, it most certainly is... as the result is distinct routing policy from either the facilities-based provider or the source of the tunnel(s). Matthew Kaufman
On 9/18/2011 7:27 PM, Antonio Querubin wrote:
On Sun, 18 Sep 2011, Frank Bulk wrote:
I understand that tunneling meets the letter of the ARIN policy, but I'll make the bold assumption that wasn't the spirit of the policy when it was written. Maybe the policy needs to be amended to clarify that.
I think this is a bad idea and I suspect would slow IPv6 deployment. Potential latency issues aside, is there a technical (not political) reason for doing so?
How does making it easier to use up the last of the free pool slow IPv6 deployment? Matthew Kaufman
On Sun, Sep 18, 2011 at 8:25 PM, Frank Bulk <frnkblk@iname.com> wrote:
I understand that tunneling meets the letter of the ARIN policy, but I'll make the bold assumption that wasn't the spirit of the policy when it was written. Maybe the policy needs to be amended to clarify that.
ARIN is not in a position to judge the technical merits of a certain network design. Tunneling may be ill-advised, but that's the network operator's choice. The choice of using tunnelling does not mean that they no longer will need IP addressing, or that they are not multihomed anymore.
Frank -- -JH
I disagree. I think that the underlying physical topology of your network is something ARIN is quite intentionally agnostic about. Owen On Sep 18, 2011, at 6:25 PM, Frank Bulk wrote:
I understand that tunneling meets the letter of the ARIN policy, but I'll make the bold assumption that wasn't the spirit of the policy when it was written. Maybe the policy needs to be amended to clarify that.
Frank
-----Original Message----- From: Leigh Porter [mailto:leigh.porter@ukbroadband.com] Sent: Sunday, September 18, 2011 6:37 PM To: frnkblk@iname.com; 'Charles N Wyble'; nanog@nanog.org Subject: RE: wet-behind-the-ears whippersnapper seeking advice on building a nationwide network
-----Original Message----- From: Frank Bulk [mailto:frnkblk@iname.com] Sent: 18 September 2011 23:14 To: 'Charles N Wyble'; nanog@nanog.org Subject: RE: wet-behind-the-ears whippersnapper seeking advice on building a nationwide network
Where I live in rural America, I would not be surprised that someone who wanted to start an ISP might only be able to cost-justify one upstream. When one Internet T-1 is $1,200/month, getting a second T-1 for that price from another provider just to get an AS or PI is definitely cost-prohibitive and may go against their business plan.
Our own company has just one upstream provider (from geographically diverse POPs), our state's telecom coop, and to multi-home solely to meet ARIN's policy doesn't make sense. Fortunately we were using enough address space to meet the /20 requirement.
Charles, if you wrote a policy that allowed smaller ISPs to obtain a PI without the multihoming requirement if they demonstrated that multihoming was burdensome, I would support it at arin-ppml.
Frank
I'll happily 'multihome' anybody over a GRE tunnel if it helps ;-)
-- Leigh
----- Original Message -----
From: "Randy Carpenter" <rcarpen@network1.net>
I have a small ISP customer who is not multi-homed, and is using about a /21 and a half of space, and is expanding. Their upstream is refusing to give them more space, so they wanted to get their own, and give back the space to the upstream, with the possible exception of a small block for their servers, which would be very difficult to renumber. We explained this all, and the response we got from ARIN was that we needed to have a full /20 from the upstream, at which time we could easily get a /20 of new space. In order to qualify for the immediate need, we would need to show need for the entire /20, of which we would need to fully utilize (renumber into) within 30 days. That is not even remotely possible.
And worse, it violates best practices[1] rather thoroughly. Cheers, -- jra [1]Never expand to anything smaller than twice what you have now. -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
On Sep 17, 2011, at 1:41 PM, Randy Bush wrote:
Yes. If you want PI space, you have to start off with PA space, utilize it, and then apply for PI space and an AS #, with contracts demonstrating your intention to multihome. Then, you have to *migrate* off the PA space and surrender it back to the 'owner'. You cannot get further PI allocations until you've done this. The ARIN community is easily its own worst enemy.
the arin policy weenie industry is one of the internet's worst enemies
Randy - I have absolutely no doubt that there are sufficient folks participating in NANOG to get nearly any policy desired through the ARIN policy process. To the extent that folks don't care to learn the current policies and participate in the policy development process, they end up supporting the current policies through their inaction. /John John Curran President and CEO ARIN
I have absolutely no doubt that there are sufficient folks participating in NANOG to get nearly any policy desired through the ARIN policy process. To the extent that folks don't care to learn the current policies and participate in the policy development process, they end up supporting the current policies through their inaction.
the disgust factor is a major barrier to 'participation.' randy
On Sep 17, 2011, at 5:06 PM, Randy Bush wrote:
I have absolutely no doubt that there are sufficient folks participating in NANOG to get nearly any policy desired through the ARIN policy process. To the extent that folks don't care to learn the current policies and participate in the policy development process, they end up supporting the current policies through their inaction.
the disgust factor is a major barrier to 'participation.'
Strange... You seem to overcome it well enough to join in the discussion on PPML, but not to actually propose changes to policy. That's your choice. /John John Curran President and CEO ARIN
I have absolutely no doubt that there are sufficient folks participating in NANOG to get nearly any policy desired through the ARIN policy process. To the extent that folks don't care to learn the current policies and participate in the policy development process, they end up supporting the current policies through their inaction. the disgust factor is a major barrier to 'participation.' Strange... You seem to overcome it well enough to join in the discussion on PPML, but not to actually propose changes to policy.
i believe you are mistaken. i am not knowingly a subscriber to ppml, and am not, to the best of my knowledge, participating in any discussion(s) there. randy
Strange... You seem to overcome it well enough to join in the discussion on PPML, but not to actually propose changes to policy. i believe you are mistaken. i am not knowingly a subscriber to ppml, and am not, to the best of my knowledge, participating in any discussion(s) there.
a search of my inbound and outbound mail for the last ten days shows no mail to or from "ppml." so i can debug, could you please forward to me a message where you believe i am participating in ppml? randy
On Sep 17, 2011, at 5:19 PM, Randy Bush wrote:
Strange... You seem to overcome it well enough to join in the discussion on PPML, but not to actually propose changes to policy. i believe you are mistaken. i am not knowingly a subscriber to ppml, and am not, to the best of my knowledge, participating in any discussion(s) there.
a search of my inbound and outbound mail for the last ten days shows no mail to or from "ppml."
so i can debug, could you please forward to me a message where you believe i am participating in ppml?
Attached; this doesn't count your commentary of ARIN policies on other mailing lists, as it would be more numerous but less productive. In any case, we've fully left the realm of operational matters and scope of the NANOG list. /John Begin forwarded message:
From: Randy Bush <randy@psg.com> Subject: Re: [arin-ppml] NAT444 rumors (was Re: Looking for an IPv6 naysayer...) Date: February 21, 2011 9:00:50 PM EST To: Dan Wing <dwing@cisco.com> Cc: 'NANOG list' <nanog@nanog.org>, 'ARIN-PPML List' <arin-ppml@arin.net>
http://tools.ietf.org/html/draft-donley-nat444-impacts-01 That document conflates problems of NAT444 with problems of NAT44 with problems of bandwidth starvation with problems of CGN.
it may require a delicate palate to differentiate the different flavors of <bleep>
randy
From: Randy Bush <randy@psg.com> Subject: Re: [arin-ppml] NAT444 rumors (was Re: Looking for an IPv6 naysayer...) Date: February 21, 2011 9:00:50 PM EST To: Dan Wing <dwing@cisco.com> Cc: 'NANOG list' <nanog@nanog.org>, 'ARIN-PPML List' <arin-ppml@arin.net>
http://tools.ietf.org/html/draft-donley-nat444-impacts-01 That document conflates problems of NAT444 with problems of NAT44 with problems of bandwidth starvation with problems of CGN.
it may require a delicate palate to differentiate the different flavors of <bleep>
randy
sorry, it looks like six months ago i hit reply to a message where ppml was cc:ed. as i was not a ppml subscriber, i presume it did not even make it to the ppml list. randy
From: Randy Bush <randy@psg.com> Subject: Re: [arin-ppml] NAT444 rumors (was Re: Looking for an IPv6 naysayer...) Date: February 21, 2011 9:00:50 PM EST To: Dan Wing <dwing@cisco.com> Cc: 'NANOG list' <nanog@nanog.org>, 'ARIN-PPML List' <arin-ppml@arin.net>
http://tools.ietf.org/html/draft-donley-nat444-impacts-01 That document conflates problems of NAT444 with problems of NAT44 with problems of bandwidth starvation with problems of CGN.
it may require a delicate palate to differentiate the different flavors of <bleep>
randy
sorry, it looks like six months ago i hit reply to a message where ppml was cc:ed. as i was not a ppml subscriber, i presume it did not even make it to the ppml list.
randy
oh, and i did propose an alternative solution to the problems of which the above complained. see rfc 6346. randy
-----Original Message----- From: Randy Bush [mailto:randy@psg.com] Sent: 16 September 2011 21:38 To: Randy Carpenter Cc: North American Network Operators' Group Subject: Re: wet-behind-the-ears whippersnapper seeking advice on building a nationwide network
As an ISP, ARIN will not give you any space if you are new. You have to already have an equivalent amount of space from another provider.
does arin *really* still have that amazing barrier to market entry?
arin claims to be a shining example of industry self-governance. to me, this barrier to entry looks far more like industry self-protection from new entrants.
and before anyone starts bleeding about the routing table, to me that sounds like you fear new entrants forcing you to make a small upgrade to your protected business as usual.
People have been bleating about routing tables sizes for years and everything has been fine. You could argue that the bleating has helped keep the size down of course, perhaps it has. -- Leigh
People have been bleating about routing tables sizes for years and everything has been fine. You could argue that the bleating has helped keep the size down of course, perhaps it has.
guy walks into a psychiatrist's office waving a newspaper. shrink asks "why are you waving that newspaper?" guy responds "to keep the elephants away." shrink says "heck, there are no elephants for thousands of miles." guy responds "pretty effective isn't it!"
On Fri, 16 Sep 2011, Randy Carpenter wrote:
I wonder what would happen if a new ARIN member requested an IPv4 block of say a /16 for a new business? Or even a smaller block. I don't know what the current ARIN rules are but RIPE will currently give out six months worth of space. Now, in six months, I don't expect there to be any left anyway, so what will likely be all the v4 you ever get.
As an ISP, ARIN will not give you any space if you are new. You have to already have an equivalent amount of space from another provider. I think it is really stupid, and encourages wasting IP space, but that is what the current policy is.
If you go to ARIN, day one, and ask for address space, they have no way of determining if your request is justified, beyond whatever pie-in-the-sky guesses and growth projections you give them. You're asking for address space, sight unseen, in this case. That would be like someone going to a bank and asking for a loan, with no documentation, collateral, or anything else to give the bank confidence that they'll pay the loan back.
That's why the slow-start model has been used, particularly for v4 space. If you started off by getting PA space from one or more of your upstreams, then there should be additional documentation to back up your request (SWIP entries, RWHOIS data, etc).
When I still worked in the ISP world, the startup I worked for started off with PA space, and then grew into PI space, and handed the PA space back to their upstreams as it was vacated. I had no problems getting subsequent PI blocks because our documentation was in order.
jms
On 09/16/2011 04:34 PM, Justin M. Streiner wrote:
On Fri, 16 Sep 2011, Randy Carpenter wrote:
If you go to ARIN, day one, and ask for address space, they have no way of determining if your request is justified, beyond whatever pie-in-the-sky guesses and growth projections you give them. You're asking for address space, sight unseen, in this case. That would be like someone going to a bank and asking for a loan, with no documentation, collateral, or anything else to give the bank confidence that they'll pay the loan back.
That's why the slow-start model has been used, particularly for v4 space. If you started off by getting PA space from one or more of your upstreams, then there should be additional documentation to back up your request (SWIP entries, RWHOIS data, etc).
When I still worked in the ISP world, the startup I worked for started off with PA space, and then grew into PI space, and handed the PA space back to their upstreams as it was vacated. I had no problems getting subsequent PI blocks because our documentation was in order.
Alright. This seems fair. Easy enough to get some big chunks of v6 space from upstreams and then justify the PI space. I shall have to do that then. -- Charles N Wyble charles@knownelement.com @charlesnw on twitter http://blog.knownelement.com Building alternative,global scale,secure, cost effective bit moving platform for tomorrows alternate default free zone.
As an ISP, ARIN will not give you any space if you are new. You have to already have an equivalent amount of space from another provider. I think it is really stupid, and encourages wasting IP space, but that is what the current policy is.
If you go to ARIN, day one, and ask for address space, they have no way of determining if your request is justified, beyond whatever pie-in-the-sky guesses and growth projections you give them.
why is this not a problem in any other region? randy
On Fri, 16 Sep 2011, Randy Bush wrote:
If you go to ARIN, day one, and ask for address space, they have no way of determining if your request is justified, beyond whatever pie-in-the-sky guesses and growth projections you give them.
why is this not a problem in any other region?
I don't have experience in working with the other RIRs, or their address assignment policies, so I can't speak to that. jms
When I still worked in the ISP world, the startup I worked for started off with PA space, and then grew into PI space, and handed the PA space back to their upstreams as it was vacated. I had no problems getting subsequent PI blocks because our documentation was in order.
The documentation isn't the pain. The renumbering is, *especially* if you're running a service provider network:
'Dear dedicated server customer, we're taking away your IPs, please don't be angry with us even though it will cost you untold hours of work to hunt down all the tiny implications of renumbering. Never mind the lost business it might cause if you miss something.'
'Dear internet access user who happens to run a bunch of IPSEC tunnels: Have fun fixing all your tunnels! Don't worry, we'll figure out an off-hours time that works for everyone, and that makes all the pain go away, right? You won't harbor any resentment, right?'
(Wow, that comes off more bitter than I expected...)
Oh well... Since new IPv4 allocations are fast approaching the same scarcity as unobtanium, I guess it's too late to worry about it now. Anyways, apparently IPv6 fixes all of this, or something.
Nathan
'Dear dedicated server customer, we're taking away your IPs, please don't be angry with us even though it will cost you untold hours of work to hunt down all the tiny implications of renumbering. Never mind the lost business it might cause if you miss something.'
'Dear internet access user who happens to run a bunch of IPSEC tunnels: Have fun fixing all your tunnels! Don't worry, we'll figure out an off-hours time that works for everyone, and that makes all the pain go away, right? You won't harbor any resentment, right?'
(Wow, that comes off more bitter than I expected...)
Oh well... Since new IPv4 allocations are fast approaching the same scarcity as unobtanium, I guess it's too late to worry about it now. Anyways, apparently IPv6 fixes all of this, or something.
Nathan
Yeah I'm going through this fun right now at a company I work for. Definitely not pleasant for us or our customers. -Blake
On 9/16/2011 12:58 PM, Leigh Porter wrote:
I wonder what would happen if a new ARIN member requested an IPv4 block of say a /16 for a new business? Or even a smaller block. I don't know what the current ARIN rules are but RIPE will currently give out six months worth of space. Now, in six months, I don't expect there to be any left anyway, so what will likely be all the v4 you ever get.
Very soon it'll be nigh on impossible for new entrants to the ISP business to get their own v4 space.
Isn't that the point? Matthew Kaufman
On 09/19/2011 10:40 PM, Matthew Kaufman wrote:
On 9/16/2011 12:58 PM, Leigh Porter wrote:
I wonder what would happen if a new ARIN member requested an IPv4 block of say a /16 for a new business? Or even a smaller block. I don't know what the current ARIN rules are but RIPE will currently give out six months worth of space. Now, in six months, I don't expect there to be any left anyway, so what will likely be all the v4 you ever get.
Very soon it'll be nigh on impossible for new entrants to the ISP business to get their own v4 space.
Isn't that the point?
That's what I'm thinking. :) I don't plan on requesting any v4 space from ARIN. Just using provider space for the small v4 traffic needs. -- Charles N Wyble charles@knownelement.com @charlesnw on twitter http://blog.knownelement.com Building alternative,global scale,secure, cost effective bit moving platform for tomorrows alternate default free zone.
On Sep 16, 2011, at 3:45 PM, Charles N Wyble wrote:
2) Obtain ipv6 space from ARIN (inquired about getting space and ran into some issues. need to speak with my co founder and get details. evidently getting brand new v6 space for a brand new network is fairly difficult. for now may just announce a /48 from he.net. )
Charles -
Criteria for new IPv6 allocations is here: https://www.arin.net/policy/nrpm.html#six51, and includes meeting any one of the following:
• Having a previously justified IPv4 ISP allocation from ARIN or one of its predecessor registries, or;
• Currently being IPv6 Multihomed or immediately becoming IPv6 Multihomed and using an assigned valid global AS number, or;
• By providing a reasonable plan detailing assignments to other organizations or customers for one, two and five year periods, with a minimum of 50 assignments within 5 years.
I'm not certain how this is "fairly difficult", but can have someone from the ARIN Registration Services helpdesk contact you to work through your circumstances. (please contact me directly if that's desired.)
FYI,
/John
John Curran
President and CEO
ARIN
On Sep 17, 2011, at 11:19 AM, John Curran wrote:
On Sep 16, 2011, at 3:45 PM, Charles N Wyble wrote:
2) Obtain ipv6 space from ARIN (inquired about getting space and ran into some issues. need to speak with my co founder and get details. evidently getting brand new v6 space for a brand new network is fairly difficult. for now may just announce a /48 from he.net. )
Charles -
Criteria for new IPv6 allocations is here: https://www.arin.net/policy/nrpm.html#six51, and includes meeting any one of the following:
• Having a previously justified IPv4 ISP allocation from ARIN or one of its predecessor registries, or;
• Currently being IPv6 Multihomed or immediately becoming IPv6 Multihomed and using an assigned valid global AS number, or;
• By providing a reasonable plan detailing assignments to other organizations or customers for one, two and five year periods, with a minimum of 50 assignments within 5 years.
I'm not certain how this is "fairly difficult", but can have someone from the ARIN Registration Services helpdesk contact you to work through your circumstances. (please contact me directly if that's desired.)
And it is about to get even easier under 2011-3 when it is implemented: https://www.arin.net/policy/proposals/2011_3.html Owen
On 09/17/2011 01:19 PM, John Curran wrote:
On Sep 16, 2011, at 3:45 PM, Charles N Wyble wrote:
2) Obtain ipv6 space from ARIN (inquired about getting space and ran into some issues. need to speak with my co founder and get details. evidently getting brand new v6 space for a brand new network is fairly difficult. for now may just announce a /48 from he.net. ) Charles -
Criteria for new IPv6 allocations is here: https://www.arin.net/policy/nrpm.html#six51, and includes meeting any one of the following:
Thanks for the link.
• Having a previously justified IPv4 ISP allocation from ARIN or one of its predecessor registries, or;
Sure.
• Currently being IPv6 Multihomed or immediately becoming IPv6 Multihomed and using an assigned valid global AS number, or;
That is our goal. I have two upstreams who are ready to peer with me once I obtain an ASN.
• By providing a reasonable plan detailing assignments to other organizations or customers for one, two and five year periods, with a minimum of 50 assignments within 5 years.
We submitted a numbering / subnet plan with our application, and stated we intended to multihome. Essentially we are trying to get both ASN and IP space at the same time. Bit of a chicken and egg problem perhaps. Time to secure those letters of authorization and get that ASN. I think once we have that, the process should move forward pretty rapidly.
I'm not certain how this is "fairly difficult", but can have someone from the ARIN Registration Services helpdesk contact you to work through your circumstances. (please contact me directly if that's desired.)
I may take you up on that. Thanks for the offer to assist. I'll read over the doc you sent and the sections Owen mentioned. I think I just didn't have enough information on the process. Looks like this will be very straightforward.
participants (43)
- Alexander Harrowell
- Antonio Querubin
- Barry Shein
- Barton F Bruce
- Benson Schliesser
- Bill P
- Blake Dunlap
- bmanning@vacation.karoshi.com
- Bret Palsson
- Brett Frankenberger
- Cameron Byrne
- Charles N Wyble
- Chris Adams
- Christopher Morrow
- Dobbins, Roland
- Dorn Hetzel
- Frank Bulk
- Henry Yen
- Jamie Bowden
- Jay Ashworth
- Jens Link
- Jim Duncan
- Jimmy Hess
- Joel jaeggli
- John Curran
- Jon Lewis
- Justin M. Streiner
- Keegan Holley
- Leigh Porter
- Matthew Kaufman
- Michael Dillon
- Michael Painter
- Michael Sinatra
- Nathan Eisenberg
- Owen DeLong
- Patrick W. Gilmore
- Paul Vixie
- Randy Bush
- Randy Carpenter
- Robert Bonomi
- Roy
- Seth Mattinen
- Valdis.Kletnieks@vt.edu