Fwd: RPKI Pilot Participant Notice

2012-09-05 Thread Randy Bush
can you find the fatal flaw? [ hint: how does an isp in phnom penh validate my route? ] randy --- Begin Message --- Our records indicate that you have requested and received access to ARIN's RPKI Pilot. ARIN is preparing to release our production RPKI hosted solution in mid to late September of

Re: 91.201.64.0/22 hijacked?

2012-09-05 Thread Georgios Theodoridis
I was wondering if there is a repository with references of prefix hijack cases. We would like to use such information for a BGP anomaly detection analysis that we are carrying out in our research centre. Unfortunately, apart from the well known cases (Youtube-Pakistan case in 2008 and the China

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Daniel Taylor
On 09/04/2012 03:52 PM, Michael Thomas wrote: On 09/04/2012 09:34 AM, Daniel Taylor wrote: If you are sending direct SMTP on behalf of your domain from essentially random locations, how are we supposed to pick you out from spammers that do the same? Use DKIM. You say that like it's a lower

Re: Blocking MX query

2012-09-05 Thread David Barak
On Sep 4, 2012, at 11:45 PM, Suresh Ramasubramanian wrote: > > So - now with ipv6 you're going to see "hi, my toto highly > computerized toilet is trying to make outbound port 25 connections to > gmail" > > http://www.telecoms.com/48734/vodafone-and-ibm-team-up-on-connected-home-appliances/ >

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Henry Stryker
On 09/05/12 05:56 , Daniel Taylor wrote: >> Use DKIM. > You say that like it's a lower bar than setting up a fixed SMTP server > and using that. > Besides, doesn't DKIM break on mailing lists? Not only that, but a majority of spam I receive lately has a valid DKIM signature. They are adaptive, li

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Izaac
On Wed, Sep 05, 2012 at 07:50:12AM -0700, Henry Stryker wrote: > Not only that, but a majority of spam I receive lately has a valid DKIM > signature. They are adaptive, like cockroaches. This is why tcp port 25 filtering is totally effective and will remain so forever. Definitely worth breaking

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Michael Thomas
On 09/05/2012 05:56 AM, Daniel Taylor wrote: On 09/04/2012 03:52 PM, Michael Thomas wrote: On 09/04/2012 09:34 AM, Daniel Taylor wrote: If you are sending direct SMTP on behalf of your domain from essentially random locations, how are we supposed to pick you out from spammers that do the same

Re: Level 3 BGP Advertisements

2012-09-05 Thread Marc Storck
>Just for kicks, I tried using a .0.0/16 and .255.255/16 address for stuff >in IOS (configured it as loopback and tried to establish bgp sessions >etc), that didn't work so well. I don't remember exactly what the problem >was, but I did indeed run into problems. LU-CIX uses .255 and .0 for their r

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Greg Ihnen
On Wed, Sep 5, 2012 at 11:11 AM, Izaac wrote: > On Wed, Sep 05, 2012 at 07:50:12AM -0700, Henry Stryker wrote: > > Not only that, but a majority of spam I receive lately has a valid DKIM > > signature. They are adaptive, like cockroaches. > > This is why tcp port 25 filtering is totally effectiv

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Sean Harlow
On Sep 5, 2012, at 11:11, Izaac wrote: > This is why tcp port 25 filtering is totally effective and will remain so > forever. Definitely worth breaking basic function principles of a > global communications network over which trillions of dollars of commerce > occur. Two things to note: 1. Rest

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Sean Harlow
On Sep 5, 2012, at 11:46, Greg Ihnen wrote: > But as someone pointed out further back on this thread people who want to > have their mail servers available to people who are on the other side of > port 25 filtering just use the alternate ports. So then what does filtering > port 25 accomplish? Th

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Michael Thomas
On 09/05/2012 07:50 AM, Henry Stryker wrote: Not only that, but a majority of spam I receive lately has a valid DKIM signature. They are adaptive, like cockroaches. The "I" part of DKIM is "Identified". That's all it promises. It's a feature, not a bug, that spammers use it. Mike

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Michael Thomas
On 09/05/2012 08:49 AM, Sean Harlow wrote: 2. The reason port 25 blocks remain effective is that there really isn't a bypass. In the Maginot Line sense, manifestly. Mike

Re: RPKI Pilot Participant Notice

2012-09-05 Thread Mark Kosters
On 9/5/12 3:26 AM, "Randy Bush" wrote: >can you find the fatal flaw? > >[ hint: how does an isp in phnom penh validate my route? ] > >randy Hi Randy Your question is a bit cryptic. Could you be more specific about your concern? Thanks, Mark

Tata Equinix

2012-09-05 Thread Morgan Miskell
Anyone on the list from Tata that can help address a Tata Equinix Ashburn issue? -- Morgan A. Miskell CaroNet Data Centers 704-643-8330 x206 The information contained in this e-mail is confidential and is intended only fo

Re: RPKI Pilot Participant Notice

2012-09-05 Thread Richard Barnes
I think Randy meant to imply that requiring anyone that wants to actually use the RPKI to make a legal agreement with ARIN might not be the best way to encourage deployment. On Wed, Sep 5, 2012 at 2:56 PM, Mark Kosters wrote: > On 9/5/12 3:26 AM, "Randy Bush" wrote: > >>can you find the fatal f

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Henry Stryker
On 09/05/12 09:13 , Michael Thomas wrote: > The "I" part of DKIM is "Identified". That's all it promises. It's a > feature, not a bug, that spammers use it. Which is why DKIM does not really address any concerns. The spammers have reduced its value. I am retired now, but do run my own mail serve

Re: RPKI Pilot Participant Notice

2012-09-05 Thread Christopher Morrow
On Wed, Sep 5, 2012 at 3:05 PM, Richard Barnes wrote: > I think Randy meant to imply that requiring anyone that wants to > actually use the RPKI to make a legal agreement with ARIN might not be define 'use'... o 'stick their objects into the repo' sure a contract sounds good o 'access the re

Re: RPKI Pilot Participant Notice

2012-09-05 Thread Gary Buhrmaster
On Wed, Sep 5, 2012 at 7:24 PM, Christopher Morrow wrote: . > a closer (by me) reading of: > " In order to access the > production RPKI TAL, you will first have to agree to ARIN's Relying > Party Agreement before the TAL will be emailed to you. To request the > TAL after the production release

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Daniel Taylor
On 09/05/2012 10:19 AM, Michael Thomas wrote: On 09/05/2012 05:56 AM, Daniel Taylor wrote: On 09/04/2012 03:52 PM, Michael Thomas wrote: On 09/04/2012 09:34 AM, Daniel Taylor wrote: If you are sending direct SMTP on behalf of your domain from essentially random locations, how are we supposed

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Michael Thomas
On 09/05/2012 12:50 PM, Daniel Taylor wrote: On 09/05/2012 10:19 AM, Michael Thomas wrote: On 09/05/2012 05:56 AM, Daniel Taylor wrote: On 09/04/2012 03:52 PM, Michael Thomas wrote: On 09/04/2012 09:34 AM, Daniel Taylor wrote: If you are sending direct SMTP on behalf of your domain from ess

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Daniel Taylor
On 09/05/2012 03:01 PM, Michael Thomas wrote: On 09/05/2012 12:50 PM, Daniel Taylor wrote: On 09/05/2012 10:19 AM, Michael Thomas wrote: On 09/05/2012 05:56 AM, Daniel Taylor wrote: On 09/04/2012 03:52 PM, Michael Thomas wrote: On 09/04/2012 09:34 AM, Daniel Taylor wrote: If you are sendin

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Izaac
On Wed, Sep 05, 2012 at 11:46:34AM -0400, Greg Ihnen wrote: > On Wed, Sep 5, 2012 at 11:11 AM, Izaac wrote: > > On Wed, Sep 05, 2012 at 07:50:12AM -0700, Henry Stryker wrote: > > > signature. They are adaptive, like cockroaches. > > > > This is why tcp port 25 filtering is totally effective and w

Re: RPKI Pilot Participant Notice

2012-09-05 Thread Danny McPherson
On Sep 5, 2012, at 3:32 PM, Gary Buhrmaster wrote: > > My interpretation was what Randy implied, and that ARIN > wants an agreement with everyone who gets a (presumably > unique to the agreement) TAL to protect ARIN. That would > seem like a lot of overhead to maintain to me (since as I recall >

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Joe St Sauver
Izaac commented: #I suspect your ISP is also stripping tags. Let's try it out #again: # # You can tell that tcp port 25 filtering is a highly effective spam # mitigation technique because spam levels have declined in direct # proportion to their level of deployment. Today, we barely see

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Izaac
On Tue, Sep 04, 2012 at 03:45:32PM -0400, William Herrin wrote: > That's what firewalls *are for* Jay. They intentionally break > end-to-end for communications classified by the network owner as > undesirable. Whether a particular firewall employs NAT or not is > largely beside the point here. Eith

Re: RPKI Pilot Participant Notice

2012-09-05 Thread Randy Bush
>> [ hint: how does an isp in phnom penh validate my route? ] > Your question is a bit cryptic. moi? :) > Could you be more specific about your concern? essentially, as the rirs have resisted iana being the root ta, the arin tal is necessary for anyone to validate anything which depends on the

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Cutler James R
On Sep 5, 2012, at 5:12 PM, Izaac wrote: > >Since tcp25 filtering has been so successful, we should deploy > filters for everything except tcp80 and tcp443 and maaaybe tcp21 -- > but NAT already does so much to enhance the user experience there > already. And what with ISP customers us

Akamai Peering Tech

2012-09-05 Thread Kris Amy
Hi All, If there is an Akamai peering tech around could they contact me off-list regarding a BGP session which has been bouncing for a while. Cheers, Kris

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread William Herrin
On Wed, Sep 5, 2012 at 5:12 PM, Izaac wrote: > I suspect your ISP is also stripping tags. Let's try it out > again: > >You can tell that tcp port 25 filtering is a highly effective spam >mitigation technique because spam levels have declined in direct >proportion to their level of de

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread John Levine
In article <5047a2ea.8010...@hup.org> you write: >On 09/05/12 09:13 , Michael Thomas wrote: >> The "I" part of DKIM is "Identified". That's all it promises. It's a >> feature, not a bug, that spammers use it. > >Which is why DKIM does not really address any concerns. The spammers >have reduced its

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread John Levine
>Well, if you've got proper forward and reverse DNS, and your portable >SMTP server identifies itself properly, and you are using networks that >don't filter outbound port 25, AND you have DKIM configured correctly >and aren't using it for a situation for which it is inappropriate, then >you'll

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread valdis . kletnieks
On 05 Sep 2012 23:07:07 -, "John Levine" said: > Not really. Large mail systems like Gmail and Yahoo have a pretty good > map of the IPv4 address space. If you're sending from a residential > DSL or cable modem range, they'll likely reject any mail you send > directly no matter what you do. W

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Jimmy Hess
On 9/4/12, Jay Ashworth wrote: > It is regularly alleged, on this mailing list, that NAT is bad *because it > violates the end-to-end principle of the Internet*, where each host is a > full-fledged host, able to connect to any other host to perform > transactions. Both true. and NAT inherently br

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Sean Harlow
On Sep 5, 2012, at 19:07, John Levine wrote: > Not really. Large mail systems like Gmail and Yahoo have a pretty good > map of the IPv4 address space. If you're sending from a residential > DSL or cable modem range, they'll likely reject any mail you send > directly no matter what you do. While

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Jimmy Hess
On 9/5/12, Sean Harlow wrote: > While I've clearly been on the side of "don't expect this to work", "why do > you have your laptop set up like that?", and defending the default-blocking > behavior on outbound, this is not true at least for Gmail. I have a test > Asterisk box which I've been real

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Masataka Ohta
Jimmy Hess wrote: > NAT would fall under design flaw, because it breaks end-to-end > connectivity, such that there is no longer an administrative choice > that can be made to restore it (other than redesign with NAT > removed). The end to end transparency can be restored easily, if an administra

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread valdis . kletnieks
On Thu, 06 Sep 2012 13:08:29 +0900, Masataka Ohta said: > The end to end transparency can be restored easily, if an > administrator wishes so, with UPnP capable NAT and modified > host transport layer. How does the *second* host behind the NAT that wants to use global port 7719 do it?

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Masataka Ohta
(2012/09/06 13:15), valdis.kletni...@vt.edu wrote: > On Thu, 06 Sep 2012 13:08:29 +0900, Masataka Ohta said: > >> The end to end transparency can be restored easily, if an >> administrator wishes so, with UPnP capable NAT and modified >> host transport layer. > > How does the *second* host behind

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Owen DeLong
On Sep 5, 2012, at 21:08 , Masataka Ohta wrote: > Jimmy Hess wrote: > >> NAT would fall under design flaw, because it breaks end-to-end >> connectivity, such that there is no longer an administrative choice >> that can be made to restore it (other than redesign with NAT >> removed). > > The

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Cameron Byrne
On Wed, Sep 5, 2012 at 9:39 PM, Owen DeLong wrote: > > On Sep 5, 2012, at 21:08 , Masataka Ohta > wrote: > >> Jimmy Hess wrote: >> >>> NAT would fall under design flaw, because it breaks end-to-end >>> connectivity, such that there is no longer an administrative choice >>> that can be made to re

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Masataka Ohta
Owen DeLong wrote: >> then, if transport layer of the host is modified to perform >> reverse translation (information for the translation can be >> obtained through UPnP): >> >> (local IP, global port) <-> (global IP, global port) >> >> Now, NAT is transparent to application layer. > Never m

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Måns Nilsson
Subject: Re: The End-To-End Internet (was Re: Blocking MX query) Date: Wed, Sep 05, 2012 at 06:56:36PM -0400 Quoting William Herrin (b...@herrin.us): > Thing is, spam levels *are* down a good 20% in the last couple years, > that being about the time ISPs began doing this. More, 20% *is* in > rou