NANOG Digest V1 #737

NANOG Digest owner-nanog-digest at trapdoor.merit.edu
Tue May 29 10:28:56 UTC 2001


NANOG Digest           Tuesday, May 29 2001           Volume 01 : Number 737



In this issue:

    RE: VPN Solution (WAS: ORBS (Re: Scanning))
    Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))
    Re: Possible solution? (e-mail parcel vs. FTP)
    Re: EMAIL != FTP
    Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))
    Re: VPN Solution (WAS: ORBS (Re: Scanning))
    Layer4 Re: VPN Solution (WAS: ORBS (Re: Scanning))
    Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))
    RE: Layer4 Re: VPN Solution (WAS: ORBS (Re: Scanning))
    Re: EMAIL != FTP
    Re: Mitch tries to defend his open relay again (was Re: ORBS (Re:  Scanning))
    Re: Mitch tries to defend his open relay again (was Re: ORBS  (Re:Scanning))
    Re: ORBS (Re: Scanning)
    Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))
    Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))
    Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))
    RE: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))
    Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))
    Re: VPN Solution (WAS: ORBS (Re: Scanning)) 
    Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning)) 
    QOS or more bandwidth
    RE: QOS or more bandwidth
    Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning)) 
    Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning)) 

See the end of this message for information about the nanog-digest
list, including (un)subscription instructions.

----------------------------------------------------------------------

Date: Mon, 28 May 2001 01:03:01 -0700
From: "Craig Holland" <cholland at yahoo-inc.com>
Subject: RE: VPN Solution (WAS: ORBS (Re: Scanning))

The Altiga/CiscoVPN3000 series allows you to do split tunneling.  You give
it a list of networks, and it drops this on the client when it connects.
The client will check the list, and if the network is there, will send the
packets through the tunnel.  Works great for users who have a LAN printer
but still want remote access.

craig

- -----Original Message-----
From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu]On Behalf Of
Patrick W. Gilmore
Sent: Sunday, May 27, 2001 10:25 PM
To: nanog at nanog.org
Subject: VPN Solution (WAS: ORBS (Re: Scanning))



At 06:58 PM 5/27/2001 -0700, Owen DeLong wrote:

 >Roaming staff usually needs some form of VPN access, anyway, and even if
 >they don't, this is a great use for one.  Put a VPN client on the roamer's
 >computer (Linux, Mac, and Windows 9x/NT/ME/2k all have IPSEC capable clients
 >available), then use the VPN to get back to the mail relay.  If the mail
 >relay is behind the VPN tunnel termination point at the server end, then
 >it should only accept mail for relay from valid VPN clients.  As such,
 >you solve the roaming staff problem without an open relay.  VPN boxes
 >like Ravlin and Nokia Crypto Cluster are cheap enough today that I would
 >consider it a valid cost of doing business if you don't have a better
 >solution.

I have an "operational" question.  (SURPRISE! :)

VPN solutions are getting inexpensive.  However, they are sometimes far
from optimal.

The VPN solutions I have used (e.g. Bay Networks, MS PPTP) send *every*
packet from the end user machine to the VPN end-point, not just selected
packets (like with SSH tunneling).

This can cause extremely poor performance for some roaming users.  For
instance, someone in Sydney with a home office in New York trying to get to
a Sydney web server suddenly has to make two round trips to New York, just
to cross town.  Considering trans-pacific fiber congestion and other
problems, this can make the VPN nearly unusable.

Of course, you could tell the user to turn off the VPN, but you try to
explain to a typical end user when he should and should not have the VPN
turned on, or that he cannot send mail while browsing the web, or things
like that.


So, does anyone know of a VPN that does selective forwarding like SSH
tunneling?


 >Owen

TTFN,
patrick

------------------------------

Date: Mon, 28 May 2001 04:36:38 -0400 (EDT)
From: Mitch Halmu <mitch at netside.net>
Subject: Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))

On Sun, 27 May 2001, J.D. Falk wrote:

> On 05/27/01, Mitch Halmu <mitch at netside.net> wrote: 
> 
> > Is there a rule that, except for local dial-in, we cannot offer the same 
> > services to a client located in a part of the world that we don't have
> > a dial-in POP as we offer to our local clients? Why shouldn't such clients
> > be able to get their dial-in somewhere and the rest of their services from
> > somewhere else? That includes using a remote SMTP server in the same way 
> > a local user can, period.
> 
> 	You have to balance that desire against your users' generally
> 	unspoken requirement that your service be functioning, usable, 
> 	and able to deliver mail to its final destination.  If this
> 	were any other kind of service that commonly requires user
> 	authentication (accounting, data storage, etc.) there wouldn't 
> 	even be a question.

The service is functional, usable, and able to deliver mail to those
destinations your organization or the other overseas rival gang have no 
control over. Some users left because of the blockade. Others stayed,
because they understand the reasoning posted at http://www.dotcomeon.com

That *should* worry you. It shows that most Joe users hate Big Brother.

> 	And seriously, Mitch, when was the last time that you heard a
> 	new argument for why you should close your relay?  Since you're
> 	obviously unwilling to do so, what's the point of bringing it
> 	up again and again?
> 
> -- 
> J.D. Falk                                                SILENCE IS FOO!
> <jdfalk at cybernothing.org>

I didn't bring it up this time, you did, and even changed the topic.
Vixie himself posted a request for comments on this also (twice, uh oh), 
and I haven't seen any replies. Perhaps others are afraid? I resisted
the temptation to answer, although you can imagine I had a lot to say
to your boss (btw, I did put on a shirt and shoes just to write these
lines ;)

I did reply once to this message, since it's been addressed to me, and 
my private post bounces from your network. It seems you still cannot
answer the top paragraph intelligently. 

So here's the essence of my reasoning: your approach to combat spamming 
and your methods of enforcement are wrong. You employ the same argument 
to restrict relays as used against lawful gun owners by those that want 
to take them away. You are unwilling to go after the actual spammers, and 
instead punish network owners for someone else's client deeds. Well, that 
won't fly in America. There is your legal precedent in spirit.

I am in favor of explicit federal legislation regulating this aspect of 
electronic communications. Then we'll all know exactly what's legal and
what's not, and the playing field becomes level again for all. That would 
likely put you out of a job, I'm afraid...

FOO!

- --Mitch
NetSide

------------------------------

Date: Mon, 28 May 2001 11:39:45 +0200 (CEST)
From: Sabri Berisha <sabri at bit.nl>
Subject: Re: Possible solution? (e-mail parcel vs. FTP)

On Fri, 25 May 2001, E.B. Dreger wrote:

Hi,

> Methinks that it's proxy time.  Why not hack the popular MTAs so that they
> take attachments, spool them in a Web-accessible directory, then modify
> the message.

I've given some thinking to this subject, however I thought of the
following objections:

- - users no longer have it under control (i.e. they don't have the choice to
  mail it or put it on the web) anymore;
- - confidential information *could* be stored online unintentionally long

on the other side, it might be a good solution to give the clueful users
a choice: i.e. with an extra header:

X-No-Attachment-Stealing: yes

or something like that.

- -- 
/* Sabri Berisha CCNA,BOFH,+iO        O.O        speaking for just myself
 * Join HAL!!: www.HAL2001.org ____oOo_U_oOo____ http://www.bit.nl/~sabri
 * For the exceedingly thick-headed, experience is the only way to learn.
 *   Sam Thomas - NANOG                                                */
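
The filter E.B. Dreger proposes (spool attachments to a web-accessible directory and rewrite the message) together with Sabri's opt-out header, as an added example that is not code from the original posts or from any MTA. The header name is the one proposed above; the spool URL, the size threshold, the in-memory store and the sample message are constructed assumptions.

```python
"""Attachment-detaching filter sketched from E.B. Dreger's proposal
(spool attachments to a web-accessible directory and rewrite the message)
with Sabri Berisha's opt-out header.  Added example, not code from any MTA.
The header name is the one proposed in the thread; the spool URL, the size
threshold, the in-memory store and the sample message are constructed."""
import email
import hashlib
from email import policy
from email.message import EmailMessage

OPT_OUT_HEADER = "X-No-Attachment-Stealing"   # header proposed in the thread
BASE_URL = "https://files.example.net/"       # assumed web spool location
MAX_INLINE = 64 * 1024                        # assumed: smaller parts stay inline


def detach_attachments(raw, store, base_url=BASE_URL, max_inline=MAX_INLINE):
    """Rewrite `raw` (bytes of an RFC 5322 message).  Attachments larger
    than `max_inline` are saved into `store` keyed by SHA-256 and replaced
    by a link in the text body.  Messages carrying the opt-out header, or
    without attachments, are returned unchanged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get(OPT_OUT_HEADER, "").strip().lower() == "yes" or not msg.is_multipart():
        return raw
    kept, links = [], []
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):                       # text/* parts decode to str
            data = data.encode(part.get_content_charset() or "utf-8")
        if len(data) <= max_inline:
            kept.append((data, part))
            continue
        digest = hashlib.sha256(data).hexdigest()       # content-addressed spool
        store[digest] = data
        links.append("%s: %s%s" % (part.get_filename() or "attachment", base_url, digest))
    if not links:
        return raw
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    new = EmailMessage()
    for name, value in msg.items():                     # keep the original headers
        if name.lower() not in ("content-type", "content-transfer-encoding", "mime-version"):
            new[name] = value
    new.set_content(text + "\nAttachments moved to the web spool:\n" + "\n".join(links) + "\n")
    for data, part in kept:
        new.add_attachment(data, maintype=part.get_content_maintype(),
                           subtype=part.get_content_subtype(),
                           filename=part.get_filename())
    return new.as_bytes()


def build_sample(opt_out=False):
    """Constructed test message: a short body, one 100 KiB attachment and
    one small attachment."""
    m = EmailMessage()
    m["From"] = "alice@example.net"
    m["To"] = "bob@example.org"
    m["Subject"] = "report"
    if opt_out:
        m[OPT_OUT_HEADER] = "yes"
    m.set_content("Here is the report.\n")
    m.add_attachment(b"\x00" * (100 * 1024), maintype="application",
                     subtype="octet-stream", filename="report.bin")
    m.add_attachment(b"small", maintype="application",
                     subtype="octet-stream", filename="note.bin")
    return m.as_bytes()


def summarize(raw):
    """Helper for checking results: (number of attachments, text body)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    return len(list(msg.iter_attachments())), (body.get_content() if body else "")
```

The content-addressed key means the spool cannot be enumerated by guessing sequential names, but it does nothing about Sabri's second objection: whoever holds the link can fetch the file for as long as it sits in the spool, so a real deployment needs an expiry and, for confidential traffic, the opt-out header honoured at the MTA rather than left to the sender's mail client.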

------------------------------

Date: Mon, 28 May 2001 11:42:03 +0200 (CEST)
From: Sabri Berisha <sabri at bit.nl>
Subject: Re: EMAIL != FTP

On Sat, 26 May 2001, Mitch Halmu wrote:

> Being blackholed by New Zealanders should be an insignificant threat
> to US-based networks. If it starts being a noticeable problem, you
> have a serious national security breach.

If someone at an internet exchange outside your control starts announcing
your netblocks, you have the same issue..

I see your point but I don't think it's an argument; there are thousands of
possibilities to harm a nationwide network.

- -- 
/* Sabri Berisha CCNA,BOFH,+iO        O.O        speaking for just myself
 * Join HAL!!: www.HAL2001.org ____oOo_U_oOo____ http://www.bit.nl/~sabri
 * For the exceedingly thick-headed, experience is the only way to learn.
 *   Sam Thomas - NANOG                                                */

------------------------------

Date: Mon, 28 May 2001 11:38:53 +0100 (BST)
From: "Stephen J. Wilcox" <steve at opaltelecom.co.uk>
Subject: Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))

> > > Is there a rule that, except for local dial-in, we cannot offer the same 
> > > services to a client located in a part of the world that we don't have

Auth-SMTP?

> control over. Some users left because of the blockade. Others stayed,
> because they understand the reasoning posted at http://www.dotcomeon.com

heh, personal vendetta or what! (for the record i would have left)

> That *should* worry you. It shows that most Joe users hate Big Brother.

or aren't really following the technical reasoning and arguments..

> I didn't bring it up this time, you did, and even changed the topic.
> Vixie himself posted a request for comments on this also (twice, uh oh), 

did he turn you down for a job or something? said something bad about your
mother?

> I did reply once to this message, since it's been addressed to me, and 
> my private post bounces from your network. It seems you still cannot

you could get a hotmail account until you become a fully functional
provider?

> So here's the essence of my reasoning: your approach to combat spamming 
> and your methods of enforcement are wrong. You employ the same argument 
> to restrict relays as used against lawful gun owners by those that want 
> to take them away. You are unwilling to go after the actual spammers, and 
> instead punish network owners for someone else's client deeds. Well, that 
> won't fly in America. There is your legal precedent in spirit.

guns aside, how can you go after spammers? the internet is global and
anonymous. you're getting strangely patriotic over the discussion on open
relays, surprised there's no mp3 of star spangled banner attached..

> I am in favor of explicit federal legislation regulating this aspect of 
> electronic communications. Then we'll all know exactly what's legal and
> what's not, and the playing field becomes level again for all. That would 
> likely put you out of a job, I'm afraid...

good plan, one small flaw; not sure on the exact figures but there are many
o.r servers outside the US, especially asia.. and much of the spam i
receive is not of US origin, and not being in the US i wouldn't have to
honour any such legislation. so tell me, how will US federal law improve
on ORBS/MAPS other than you'd be able to start sending email directly to
Vixie again! (you could always setup another - closed - mail server if you
insist on o.r. for roaming users to get around MAPS/ORBS)


Interesting as this thread may be (sarc), is there actually any topical
discussion going on here or are a few individuals publicly airing their
problems at the expense of my Inbox?

.. suggest someone either contributes or we give up this thread!!!

Steve

------------------------------

Date: Mon, 28 May 2001 13:45:06 +0100
From: "David Howe" <DaveHowe at gmx.co.uk>
Subject: Re: VPN Solution (WAS: ORBS (Re: Scanning))

> The VPN solutions I have used (e.g. Bay Networks, MS PPTP) send *every*
> packet from the end user machine to the VPN end-point, not just selected
> packets (like with SSH tunneling).
  If you want a commercial solution that does selective tunnelling - the
FW-1 addin (VPN-1) exports a "topography" file to the client at setup; this
really consists of a list of subnets that the VPN will handle, and is set at
the server side. anything not on the topography list goes out via the dialup
adaptor or network card as normal.
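
The split-tunnel behaviour described in the last two replies (the Cisco VPN 3000 pushing a network list, the VPN-1 "topography" file), as an added example that is not code from either product or from the original posts. It models the client-side decision only: the list pushed by the server, the local LAN and every address are constructed RFC 1918/5737 ranges.

```python
"""Split-tunnel route selection, modelled on what the thread describes for
the Altiga/Cisco VPN 3000 and for the FW-1/VPN-1 "topography" file: the
server pushes a list of networks and the client sends only traffic for
those networks through the tunnel.  Added example, not code from either
product; every address below is a constructed RFC 1918/5737 range."""
import ipaddress

# Network list pushed by the concentrator (constructed).
TUNNELED = ["10.0.0.0/8",        # corporate address space
            "192.0.2.0/24"]      # DMZ that holds the mail relay
# The roaming user's directly connected LAN (constructed).
LOCAL_LAN = "192.168.1.0/24"


def select_interface(dst, mode="split", tunneled=TUNNELED, local_lan=LOCAL_LAN):
    """Return where a packet for `dst` leaves the host: "tunnel", "lan" or
    "direct".

    mode="full"  : the client installs a default route into the tunnel, so
                   everything, including the Sydney web server in Patrick's
                   example, makes the round trip to the concentrator.
    mode="split" : longest-prefix match over the pushed list plus the local
                   LAN; an unmatched destination leaves via the physical
                   interface as normal.
    """
    addr = ipaddress.ip_address(dst)
    if mode == "full":
        return "tunnel"
    routes = [(ipaddress.ip_network(n), "tunnel") for n in tunneled]
    routes.append((ipaddress.ip_network(local_lan), "lan"))
    best = None
    for net, via in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else "direct"


def lan_overlap(tunneled=TUNNELED, local_lan=LOCAL_LAN):
    """Sanity check for the pushed list.  A corporate 192.168.0.0/16 pushed
    to a user whose home or hotel LAN is 192.168.1.0/24 leaves the LAN's more
    specific route winning, so those corporate hosts are silently unreachable.
    Return the pushed networks that overlap the LAN so the list can be fixed."""
    lan = ipaddress.ip_network(local_lan)
    return [n for n in tunneled if ipaddress.ip_network(n).overlaps(lan)]
```

The routing caveat in `lan_overlap` is the operational one; the security one is that a split-tunnelled host is attached to the untrusted LAN and the corporate network at the same time, so anything that compromises it over the LAN has a path into the tunnelled networks. That is why the choice between full and split tunnelling is a policy decision for the server side, not something to leave to the end user.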

------------------------------

Date: Mon, 28 May 2001 07:37:00 -0700
From: Jon Mansey <jon at interpacket.net>
Subject: Layer4 Re: VPN Solution (WAS: ORBS (Re: Scanning))

Does anyone know of a way to put layer 4 switching in front of a VPN 
client such that (for example) email and nntp dont get tunnelled 
while everything else does, or vice-versa?

We're probably talking Windows software here I know......

Jon.


>  > The VPN solutions I have used (e.g. Bay Networks, MS PPTP) send *every*
>>  packet from the end user machine to the VPN end-point, not just selected
>>  packets (like with SSH tunneling).
>   If you want a commercial solution that does selective tunnelling - the
>FW-1 addin (VPN-1) exports a "topography" file to the client at setup; this
>really consists of a list of subnets that the VPN will handle, and is set at
>the server side. anything not on the topography list goes out via the dialup
>adaptor or network card as normal.

------------------------------

Date: Mon, 28 May 2001 12:29:04 -0400
From: Adam Rothschild <asr at latency.net>
Subject: Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))

On Mon, May 28, 2001 at 04:36:38AM -0400, Mitch Halmu wrote:
> The service is functional, usable, and able to deliver mail to those
> destinations your organization or the other overseas rival gang have
> no control over. Some users left because of the blockade. Others
> stayed, because they understand the reasoning posted at
> http://www.dotcomeon.com
> 
> That *should* worry you. 

No, what worries me is that you realize you're running an open SMTP
relay for no real reason other than stubbornness, and outright refuse
to fix it, even though it's widely regarded as an irresponsible
operational practice.

Please quit whining and close it up already.  Thanks!

- -a

------------------------------

Date: Mon, 28 May 2001 09:54:29 -0700
From: Roeland Meyer <rmeyer at mhsc.com>
Subject: RE: Layer4 Re: VPN Solution (WAS: ORBS (Re: Scanning))

> From: Jon Mansey [mailto:jon at interpacket.net]
> Sent: Monday, May 28, 2001 7:37 AM
> 
> Does anyone know of a way to put layer 4 switching in front of a VPN 
> client such that (for example) email and nntp dont get tunnelled 
> while everything else does, or vice-versa?

Depending on requirements, isn't the whole idea to put the email into the
tunnel? That's why this thread came up in the first place. BTW, SSH
tunneling can drop every packet through the tunnel with a forward-all
config. it isn't even very hard and can be done with a Win client, using
F-Secure. In fact, sometimes that works, when PPTP doesn't, in
Windows-hostile environments (*nix bigots sometimes do everything they can
to screw up Win machines). However, none of it works when port 22 is blocked
by the firewall.

> We're probably talking Windows software here I know......
> 
> >  > The VPN solutions I have used (e.g. Bay Networks, MS 
> PPTP) send *every*
> >>  packet from the end user machine to the VPN end-point, 
> not just selected
> >>  packets (like with SSH tunneling).
> >   If you want a commercial solution that does selective 
> tunnelling - the
> >FW-1 addin (VPN-1) exports a "topography" file to the client 
> at setup; this
> >really consists of a list of subnets that the VPN will 
> handle, and is set at
> >the server side. anything not on the topography list goes 
> out via the dialup
> >adaptor or network card as normal.

------------------------------

Date: Mon, 28 May 2001 13:45:51 -0400
From: Steve Sobol <sjsobol at NorthShoreTechnologies.net>
Subject: Re: EMAIL != FTP

Mitch Halmu wrote:
 
> Or ORBS could take sides in an international conflict and do it themselves.
> I'm not the only one that said they blackhole for political reasons, or
> that they are extremists. No sooner were those words uttered, someone
> from Calcutta, India [202.86.168.81 - caltiger.com] decided to remind us
> that, besides the atomic bomb, they now have connected computers too.

How is caltiger.com related to ORBS?


- -- 
Tired of Earthlink? Get JustTheNet!
Nationwide Dialup, ISDN, DSL, ATM, Frame Relay, T-1, T-3, and more.
EARTHLINK AMNESTY PROGRAM: Buy a year, get two months free
More info coming soon to http://JustThe.net, or e-mail me!
B!ff: K3wl, w3'v3 r00t3D da N@vy... 0h CrAp, INC0M!Ng $%^NO CARRIER

------------------------------

Date: Mon, 28 May 2001 13:47:47 -0400
From: Steve Sobol <sjsobol at NorthShoreTechnologies.net>
Subject: Re: Mitch tries to defend his open relay again (was Re: ORBS (Re:  Scanning))

Mitch Halmu wrote:

> The service is functional, usable, and able to deliver mail to those
> destinations your organization or the other overseas rival gang have no
> control over. Some users left because of the blockade. Others stayed,
> because they understand the reasoning posted at http://www.dotcomeon.com
> 
> That *should* worry you. It shows that most Joe users hate Big Brother.

If use of the blackhole lists was mandatory, I would say that that last
statement has some validity.

Since it's completely optional, the statement has no validity.

- -- 
Tired of Earthlink? Get JustTheNet!
Nationwide Dialup, ISDN, DSL, ATM, Frame Relay, T-1, T-3, and more.
EARTHLINK AMNESTY PROGRAM: Buy a year, get two months free
More info coming soon to http://JustThe.net, or e-mail me!
B!ff: K3wl, w3'v3 r00t3D da N@vy... 0h CrAp, INC0M!Ng $%^NO CARRIER

------------------------------

Date: Mon, 28 May 2001 13:49:22 -0400
From: Steve Sobol <sjsobol at NorthShoreTechnologies.net>
Subject: Re: Mitch tries to defend his open relay again (was Re: ORBS  (Re:Scanning))

"Stephen J. Wilcox" wrote:
 
> > > > Is there a rule that, except for local dial-in, we cannot offer the same
> > > > services to a client located in a part of the world that we don't have
> 
> Auth-SMTP?

As I said to Roeland Meyer, it's a good solution and all but
eliminates the roaming user problem.


- -- 
Tired of Earthlink? Get JustTheNet!
Nationwide Dialup, ISDN, DSL, ATM, Frame Relay, T-1, T-3, and more.
EARTHLINK AMNESTY PROGRAM: Buy a year, get two months free
More info coming soon to http://JustThe.net, or e-mail me!
B!ff: K3wl, w3'v3 r00t3D da N@vy... 0h CrAp, INC0M!Ng $%^NO CARRIER

------------------------------

Date: Mon, 28 May 2001 13:52:57 -0400
From: Steve Sobol <sjsobol at NorthShoreTechnologies.net>
Subject: Re: ORBS (Re: Scanning)

Mitch Halmu wrote:

> Is there a rule that, except for local dial-in, we cannot offer the same
> services to a client located in a part of the world that we don't have
> a dial-in POP as we offer to our local clients? Why shouldn't such clients
> be able to get their dial-in somewhere and the rest of their services from
> somewhere else? That includes using a remote SMTP server in the same way
> a local user can, period.

You *can* do all that. I prefer SMTP AUTH to POP-before-SMTP because PbS
leaves a small vulnerability on your mail server - very small, but it exists
nonetheless. But many providers use PbS too.

If this whole issue cropped up because you wanted to provide roaming access
to your mail servers, those are two very widely-implemented solutions. If you
want, I can even offer some help getting it set up as I have had a
longstanding policy of offering relay-closing help at no charge to ISPs who
need it. The only requirement is that you be running an MTA that I'm familiar
with.


- -- 
Tired of Earthlink? Get JustTheNet!
Nationwide Dialup, ISDN, DSL, ATM, Frame Relay, T-1, T-3, and more.
EARTHLINK AMNESTY PROGRAM: Buy a year, get two months free
More info coming soon to http://JustThe.net, or e-mail me!
B!ff: K3wl, w3'v3 r00t3D da N@vy... 0h CrAp, INC0M!Ng $%^NO CARRIER
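
The relay-control options argued over in this thread side by side, as an added example that is not code from any of the posters or from any MTA: an open relay, relaying for trusted address ranges (the local dial-in pool, and a VPN client pool sitting behind the tunnel endpoint as Owen DeLong suggests earlier in the digest), SMTP AUTH (the "Auth-SMTP?" reply), and POP-before-SMTP with the weakness Steve Sobol alludes to above. The domain, the address ranges and the 15 minute PbS window are constructed assumptions.

```python
"""Relay-control decision for RCPT TO, illustrating the options argued over
in this thread: an open relay, relaying for trusted address ranges (local
dial-in pool and a VPN client pool), SMTP AUTH, and POP-before-SMTP.
Added example, not code from any MTA; the domain, ranges and the 15 minute
window are constructed assumptions."""
import ipaddress
import time

LOCAL_DOMAINS = {"example.net"}                            # we deliver these
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24"),      # local dial-in pool
                ipaddress.ip_network("10.8.0.0/24")]       # VPN client pool
PBS_WINDOW = 15 * 60   # seconds a POP login authorises relaying from its IP


class RelayPolicy:
    def __init__(self, mode="closed", now=time.time):
        if mode not in ("open", "closed"):
            raise ValueError(mode)
        self.mode = mode
        self.now = now              # injectable clock, so the window is testable
        self.pop_logins = {}        # client IP -> time of last POP login

    def record_pop_login(self, client_ip):
        """Called by the POP server after a successful login (PbS)."""
        self.pop_logins[client_ip] = self.now()

    def decide(self, client_ip, rcpt, authenticated=False):
        """Return 'accept-local', 'relay' or a 554 rejection string."""
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in LOCAL_DOMAINS:
            return "accept-local"            # final delivery, never relaying
        if self.mode == "open":
            return "relay"                   # the behaviour the thread objects to
        addr = ipaddress.ip_address(client_ip)
        if any(addr in net for net in TRUSTED_NETS):
            return "relay"                   # dial-in pool or VPN pool
        if authenticated:
            return "relay"                   # SMTP AUTH succeeded on this session
        last = self.pop_logins.get(client_ip)
        if last is not None and self.now() - last < PBS_WINDOW:
            # PbS: the IP, not the user, is what got authorised.  Any other
            # host sharing that address (NAT, proxy, dial-in address reuse)
            # inherits the relay right until the window closes.  This is the
            # small hole SMTP AUTH does not have.
            return "relay"
        return "554 5.7.1 Relay access denied"
```

The VPN pool entry in `TRUSTED_NETS` is what makes the "put the relay behind the tunnel endpoint" design work without an open relay: the relay never sees a roaming client's real address, only an address from the pool, and the tunnel termination point has already authenticated the client.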

------------------------------

Date: Mon, 28 May 2001 11:21:46 -0700
From: "J.D. Falk" <jdfalk at cybernothing.org>
Subject: Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))

On 05/28/01, Mitch Halmu <mitch at netside.net> wrote: 

> So here's the essence of my reasoning: your approach to combat spamming 
> and your methods of enforcement are wrong. You employ the same argument 
> to restrict relays as used against lawful gun owners by those that want 
> to take them away. You are unwilling to go after the actual spammers, and 
> instead punish network owners for someone else's client deeds. Well, that 
> won't fly in America. There is your legal precedent in spirit.

	The core problem with your reasoning is that you consider any
	site's refusal of your mail to be "enforcement," presumably
	some type of punishment, while most of the folks who deny your
	mail see it as security.  They are protecting themselves from
	the people that YOU have allowed to abuse your mail server.
	They don't know or care who you are, who your users are, or
	what your reasons for allowing that abuse might be.

	I don't expect you to admit to being wrong this late in the
	thread, but please, think about that difference for a while,
	even if you disagree with it.

> I am in favor of explicit federal legislation regulating this aspect of 
> electronic communications. Then we'll all know exactly what's legal and
> what's not, and the playing field becomes level again for all. That would 
> likely put you out of a job, I'm afraid...

	It is the fervent wish of every sane anti-spammer (and yes, I
	know, there's a lot who aren't sane) that we could stop doing
	this work entirely.

	Oh, and you appear to be mistaken about which organizations I
	am currently involved with.  I will endeavor to ensure that
	all relevant web sites are updated.

- -- 
J.D. Falk                                                SILENCE IS FOO!
<jdfalk at cybernothing.org>

------------------------------

Date: Mon, 28 May 2001 15:21:21 -0400 (EDT)
From: <up at 3.am>
Subject: Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))

On Mon, 28 May 2001, J.D. Falk wrote:

> On 05/28/01, Mitch Halmu <mitch at netside.net> wrote: 
> 
> > So here's the essence of my reasoning: your approach to combat spamming 
> > and your methods of enforcement are wrong. You employ the same argument 
> > to restrict relays as used against lawful gun owners by those that want 
> > to take them away. You are unwilling to go after the actual spammers, and 

This is nonsense...most of us "go after the actual spammers" as best as we
can and the law permits us.  If you supply plastic explosives to
terrorists with no checks, you may not be directly responsible for their
actions, but you are certainly part of the problem.  If you have an open
relay, you are a big part of the spam problem, whether you like it or not.

> > instead punish network owners for someone else's client deeds. Well, that 
> > won't fly in America. There is your legal precedent in spirit.

What does "america" have to do with it?  Open relays are all over the
place, and a big PITA.  Refusing your mail is *my* right, as owner of my
network; and also my responsibility.  Of course it is your "right" to have
an open relay if you like, just don't expect everyone else to accept
email from it.

> 	The core problem with your reasoning is that you consider any
> 	site's refusal of your mail to be "enforcement," presumably
> 	some type of punishment, while most of the folks who deny your
> 	mail see it as security.  They are protecting themselves from
> 	the people that YOU have allowed to abuse your mail server.
> 	They don't know or care who you are, who your users are, or
> 	what your reasons for allowing that abuse might be.

I would argue that it's both "enforcement" and security.  I know MAPS has
to argue otherwise in court, but let's face it, incentive is a lot of what
it's about.

James Smallacombe		      PlantageNet, Inc. CEO and Janitor
up at 3.am							    http://3.am
=========================================================================

------------------------------

Date: Mon, 28 May 2001 16:43:08 -0400 (EDT)
From: John Fraizer <nanog at Overkill.EnterZone.Net>
Subject: Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))

OK folks.  Please.  Leave poor Mitch alone and maybe he'll realize that
this ISN'T the forum for him and go away.

If you want a huge laugh, (and want to give ole Mitch the /. or NANOG
effect) go check out http://www.netside.net/sys.html


"Network and Communications
NetSide is connected directly to the Internet backbone via a high speed
point-to-point full T1 link (1.544 Mbps) into the MCI backbone (at Pompano
Beach). A Cisco 4000 router is used to direct the in-house Ethernet TCP/IP
network traffic to and from the Internet. To help reduce the network load
and improve performance, two Ethernet 10-BaseT interfaces, connected to
separate AT&T StarLAN 10 hubs (with blinking lights :-) forming in effect
subnets, are used on the servers. Each subnet connects to a different
Ethernet port on the Cisco router."


That's some FAT pipe you have there Mitch. What EVER do you do with your
spare bandwidth?  heheheh And your network just blows me away.  I love the
"To help reduce the network load" part.  Where's the load?  You've got
serious issues if you can't pass a DS1 worth of traffic without your net
melting.


"Emergency Provisions
Besides redundant servers, NetSide is also prepared to operate in
emergency conditions, such as city-wide power failures as experienced
during Hurricane Andrew. Housed in a solid concrete block structure, we
don't expect heavy storm damage to occur. Our fiber rack (for telephone
and data lines) has 3 rows of battery backup rated for 8 hours of
continuous operation. NetSide owns 2 emergency generators: an extended-run
heavy-duty Coleman Powermate Vantage (14HP 2cyl electric start gas engine
- - 7000W), and a portable medium-duty Dayton (5HP gas engine - 2200W)."

Wow!  So, you've got enough generator to power the lights, soda machine
and coffee maker.  You gonna invite all the customers to your site and sit
around and watch the servers not run drinking soda and coffee?  Sounds
like fun.

Mitch.  You're an END USER.  Sure, you sell dialup access.  You couldn't
do much more with that big FAT DS1 you've got.  You're an END
USER.

 9 border3-fddi-0.PompanoBeach.cw.net (204.70.92.19) [3561] 62.524 ms 60.403 ms 63.456 ms
10 netside-corporation.PompanoBeach.cw.net (204.70.95.18) [3561] 166.477 ms 198.570 ms 117.225 ms
11 205.159.140.2 (205.159.140.2) [3561] 195.153 ms * 194.081 ms


You see, if you were a real network operator:

(1) That would be more than a DS1.
(2) The last hop wouldn't show up with the ASN of your upstream.
(3) The last hop would RESOLVE in in-addr.


NetSide Corporation (NET-NETSIDE)
   P.O.Box 403895
   Miami Beach, FL 33140
   US

   Netname: NETSIDE
   Netblock: 205.159.140.0 - 205.159.140.255
   Maintainer: NETS

   Coordinator:
      Halmu, Mircea L.  (MLH3-ARIN)  admin at NETSIDE.NET
      305-531-1995

   Record last updated on 29-Oct-1998.
   Database last updated on 26-May-2001 22:57:19 EDT.

It might be a good idea to register some in-addr resolution servers for
that block there Mitch.

...Then again, why would we expect you to run any other portion of your
operation any more professionally than you run your mailserver?

I tell you what.  You rate right up there in my book.

Open Relay:		 1,000,000,000 points
Big FAT T1:		    10,000,000 points
Broken in-addr.arpa:	     5,999,550 points
HUBS not SWITCHES:	99,999,999,999 TILT! TILT! TILT!


- ---
John Fraizer
EnterZone, Inc

------------------------------

Date: Mon, 28 May 2001 16:54:51 -0400
From: "Vivien M." <vivienm at dyndns.org>
Subject: RE: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))

> -----Original Message-----
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu]On Behalf Of
> John Fraizer
> Sent: May 28, 2001 4:43 PM
> To: Mitch Halmu
> Cc: nanog at nanog.org
> Subject: Re: Mitch tries to defend his open relay again (was Re: ORBS
> (Re: Scanning))

[note: the thing below was quoted by John from Mitch's site]
> point-to-point full T1 link (1.544 Mbps) into the MCI backbone (at Pompano

That's the problem with Mitch, then. He must have gotten stuck in some type
of time warp (or cool cryogenics), if he hasn't noticed that the "MCI"
backbone was sold to Cable & Wireless nearly three years ago now (IIRC).

Give the man a break... if he just woke up from an extended deep sleep or
something, then it's no surprise that he still wants to run his mail server
the way people ran mail servers five years ago.

Vivien
- --
Vivien M.
vivienm at dyndns.org
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/

------------------------------

Date: Mon, 28 May 2001 22:07:06 +0100 (BST)
From: "Stephen J. Wilcox" <steve at opaltelecom.co.uk>
Subject: Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning))

I don't generally participate in flames, especially where it's cruel,
pointless and at someone else's expense,

but thanks John for the laugh!

You forgot to mention the main server, a Sun Sparcstation 10 with dual
75Mhz CPU.. (they have FIVE in total).. complete with 19" Trinitron
monitors.. and running the all powerful Solaris 2.4 and 2.5.1 augmented
with GNU, perl and python. It's even kitted up with a 64-port serial card
for the sparc and microcom modems which is able to support a huge 33.6k
dialup pool....

Although I'm confused at how 'Netside offers a full uncensored usenet feed'
with only '18Gb of dedicated news storage' and not to mention the T1
capacity problem? ... Good job they have TWO starlan hubs!!

... i need to lie down, my sides hurt ...

On Mon, 28 May 2001, John Fraizer wrote:

> 
> 
> OK folks.  Please.  Leave poor Mitch alone and maybe he'll realize that
> this ISN'T the forum for him and go away.
> 
> If you want a huge laugh, (and want to give ole Mitch the /. or NANOG
> effect) go check out http://www.netside.net/sys.html
> 
> 
> "Network and Communications
> NetSide is connected directly to the Internet backbone via a high speed
> point-to-point full T1 link (1.544 Mbps) into the MCI backbone (at Pompano
> Beach). A Cisco 4000 router is used to direct the in-house Ethernet TCP/IP
> network traffic to and from the Internet. To help reduce the network load
> and improve performance, two Ethernet 10-BaseT interfaces, connected to
> separate AT&T StarLAN 10 hubs (with blinking lights :-) forming in effect
> subnets, are used on the servers. Each subnet connects to a different
> Ethernet port on the Cisco router."
> 
> 
> That's some FAT pipe you have there Mitch. What EVER do you do with your
> spare bandwidth?  heheheh And your network just blows me away.  I love the
> "To help reduce the network load" part.  Where's the load?  You've got
> serious issues if you can't pass a DS1 worth of traffic without your net
> melting.
> 
> 
> "Emergency Provisions
> Besides redundant servers, NetSide is also prepared to operate in
> emergency conditions, such as city-wide power failures as experienced
> during Hurricane Andrew. Housed in a solid concrete block structure, we
> don't expect heavy storm damage to occur. Our fiber rack (for telephone
> and data lines) has 3 rows of battery backup rated for 8 hours of
> continuous operation. NetSide owns 2 emergency generators: an extended-run
> heavy-duty Coleman Powermate Vantage (14HP 2cyl electric start gas engine
> - 7000W), and a portable medium-duty Dayton (5HP gas engine - 2200W)."
> 
> Wow!  So, you've got enough generator to power the lights, soda machine
> and coffee maker.  You gonna invite all the customers to your site and sit
> around and watch the servers not run drinking soda and coffee?  Sounds
> like fun.
> 
> Mitch.  You're an END USER.  Sure, you sell dialup access.  You couldn't
> do much more with that big FAT DS1 you've got.  You're an END
> USER.
> 
>  9 border3-fddi-0.PompanoBeach.cw.net (204.70.92.19) [3561] 62.524 ms 60.403 ms 63.456 ms
> 10 netside-corporation.PompanoBeach.cw.net (204.70.95.18) [3561] 166.477 ms 198.570 ms 117.225 ms
> 11 205.159.140.2 (205.159.140.2) [3561] 195.153 ms * 194.081 ms
> 
> 
> You see, if you were a real network operator:
> 
> (1) That would be more than a DS1.
> (2) The last hop wouldn't show up with the ASN of your upstream.
> (3) The last hop would RESOLVE in in-addr.
> 
> 
> NetSide Corporation (NET-NETSIDE)
>    P.O.Box 403895
>    Miami Beach, FL 33140
>    US
> 
>    Netname: NETSIDE
>    Netblock: 205.159.140.0 - 205.159.140.255
>    Maintainer: NETS
> 
>    Coordinator:
>       Halmu, Mircea L.  (MLH3-ARIN)  admin at NETSIDE.NET
>       305-531-1995
> 
>    Record last updated on 29-Oct-1998.
>    Database last updated on 26-May-2001 22:57:19 EDT.
> 
> It might be a good idea to register some in-addr resolution servers for
> that block there Mitch.
> 
> ...Then again, why would we expect you to run any other portion of your
> operation any more professionally than you run your mailserver?
> 
> I tell you what.  You rate right up there in my book.
> 
> Open Relay:		 1,000,000,000 points
> Big FAT T1:		    10,000,000 points
> Broken in-addr.arpa:	     5,999,550 points
> HUBS not SWITCHES:	99,999,999,999 TILT! TILT! TILT!
> 
> 
> ---
> John Fraizer
> EnterZone, Inc
> 
> 
> 

-- 
Stephen J. Wilcox
IP Services Manager, Opal Telecom
http://www.opaltelecom.co.uk/
Tel: 0161 222 2000
Fax: 0161 222 2008

------------------------------

Date: Mon, 28 May 2001 15:43:18 -0600
From: Andy Bradford <bradipo at xmission.com>
Subject: Re: VPN Solution (WAS: ORBS (Re: Scanning)) 

Thus said "Patrick W. Gilmore" on Mon, 28 May 2001 01:24:58 EDT:

> The VPN solutions I have used (e.g. Bay Networks, MS PPTP) send *every* 
> packet from the end user machine to the VPN end-point, not just selected 
> packets (like with SSH tunneling).

This should be configurable, if it isn't then maybe it's time for a
switch in protocols/software. :-)

> So, does anyone know of a VPN that does selective forwarding like SSH 
> tunneling?

FreeS/Wan does this by default.  Only traffic defined by the tunnel
security association is encrypted, the rest goes through untouched.
Very optimal. :-)  I don't believe this is specific to FreeS/Wan either,
as most IPSEC implementations I have seen do something similar.
(including hardware solutions).

Andy
[-----------[system uptime]--------------------------------------------]
  3:43pm  up 19 days, 18:20,  6 users,  load average: 1.00, 1.01, 1.00
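
The distinction Andy draws (only traffic matching the tunnel's security association is encrypted, everything else is forwarded untouched, versus a "full tunnel" VPN that sends every packet to the concentrator) comes down to how the selectors in the security policy are written. The classifier below is an added illustration, not FreeS/WAN or any vendor's code; the subnets, flows and tunnel names are constructed for the example. It shows the same packet classified under a selective policy and under a catch-all policy:

```python
"""Selector-based (IPsec-style) versus full-tunnel VPN forwarding,
modelled as an ordered packet classifier.  Added illustration, not
FreeS/WAN code; all subnets, flows and tunnel names are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Selector:
    """One security policy entry: traffic between these two prefixes
    is protected by the named tunnel (security association)."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    tunnel: str


def make_selector(src, dst, tunnel):
    return Selector(ipaddress.ip_network(src), ipaddress.ip_network(dst), tunnel)


# Constructed policy: only office-to-datacentre traffic is tunnelled;
# anything else leaves the host in the clear.
SELECTIVE_SPD = [
    make_selector("10.1.0.0/16", "10.2.0.0/16", "office-dc"),
]

# A "full tunnel" VPN (the behaviour the original poster complains
# about) is the degenerate policy: one selector matching everything.
FULL_TUNNEL_SPD = [
    make_selector("0.0.0.0/0", "0.0.0.0/0", "vpn-concentrator"),
]


def classify(spd, src_ip, dst_ip):
    """Return the tunnel name of the first matching selector, or
    'bypass' when the packet is forwarded untouched.  First match wins,
    as in an ordered security policy database."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for sel in spd:
        if src in sel.src and dst in sel.dst:
            return sel.tunnel
    return "bypass"


def classify_many(spd, flows):
    """Classify a list of (src, dst) pairs against one policy."""
    return [(s, d, classify(spd, s, d)) for s, d in flows]


if __name__ == "__main__":
    flows = [("10.1.5.5", "10.2.0.10"), ("10.1.5.5", "198.51.100.7")]
    for name, spd in (("selective", SELECTIVE_SPD), ("full", FULL_TUNNEL_SPD)):
        for s, d, t in classify_many(spd, flows):
            print(f"{name:9} {s:>12} -> {d:<14} {t}")
```

The practical consequence for the operator is that every flow the selective policy returns as `bypass` is cleartext on the wire, so the selector list is the thing to audit when a host is expected to reach internal services only through the tunnel.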

------------------------------

Date: Mon, 28 May 2001 23:50:48 -0400
From: Valdis.Kletnieks at vt.edu
Subject: Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning)) 

On Mon, 28 May 2001 22:07:06 BST, "Stephen J. Wilcox" said:
> Altho I'm confused at how 'Netside offers a full uncensored usenet feed'
> with only '18Gb of dedicated news storage' and not to mention the T1
> capacity problem? ... Good job they have TWO starlan hubs!!

It's obvious.. it's a 1995 feed. We're talking a COMPLETE time warp here.

------------------------------

Date: 28 May 2001 23:17:46 -0700
From: Sean Donelan <sean at donelan.com>
Subject: QOS or more bandwidth

While it's generally more effective to add more bandwidth than rationing
it with QOS, with the recent downturn in capital markets will QOS become
more popular?  If your budget for bandwidth has been cut, I'm not sure
people will have any budget for QOS either.  But what QOS features are
included in the standard product offerings?

------------------------------

Date: Tue, 29 May 2001 03:19:27 -0400 (EDT)
From: Frank Coluccio <fcoluccio at dticonsulting.com>
Subject: RE: QOS or more bandwidth

>>>But what QOS features are included in the standard product offerings?<<<

Most competitive vendors now provide native and upgrade provisions for QoS
in one form or another. The problems most often encountered revolve around
multi-vendor cos/qos feature implementation incompatibilities. The "least
common denominator features" that are needed for basic interworking usually
do not extend to 'differentiating' features that vendors like to hold close
to the vest, such as prioritization and cos/qos features. Not without much
grief, in any event. It forces one to seriously consider single vendor
solutions. fwiw.

------Original Message------
From: Sean Donelan <sean at donelan.com>
To: nanog at merit.edu
Sent: May 29, 2001 6:17:46 AM GMT
Subject: QOS or more bandwidth



While it's generally more effective to add more bandwidth than rationing
it with QOS, with the recent downturn in capital markets will QOS become
more popular?  If your budget for bandwidth has been cut, I'm not sure
people will have any budget for QOS either.  But what QOS features are
included in the standard product offerings?

------------------------------

Date: Tue, 29 May 2001 03:58:25 -0400 (EDT)
From: Mitch Halmu <mitch at netside.net>
Subject: Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning)) 

On Mon, 28 May 2001 Valdis.Kletnieks at vt.edu wrote:

> On Mon, 28 May 2001 22:07:06 BST, "Stephen J. Wilcox" said:
> > Altho I'm confused at how 'Netside offers a full uncensored usenet feed'
> > with only '18Gb of dedicated news storage' and not to mention the T1
> > capacity problem? ... Good job they have TWO starlan hubs!!
> 
> It's obvious.. it's a 1995 feed. We're talking a COMPLETE time warp here.

It's a 1995 page which hasn't been updated in ages. I didn't even remember
it was still live. But at least it proves NetSide was around in those times.

Let's see, I have a copy of a uu.net active file, dated Jan 6, 1996. At that 
time, they were the norm. It contains 13090 lines. You do the math. File URL
http://www.dotcomeon.com/active.uunet

I responded to Wilcox and Fraizer in private. Their bashful posts serve 
to illustrate exactly why such people cannot dictate policy to others.

There is one lesson to learn from this. We have reached a stage where
the rights of an individual or entity to existence in cyberspace need to 
be protected under the law. You may take the lead in applying democratic
principles that follow the real world laws, or the legislature will do 
it ad hoc.

--Mitch
NetSide

------------------------------

Date: Tue, 29 May 2001 06:28:42 -0400 (EDT)
From: John Fraizer <nanog at Overkill.EnterZone.Net>
Subject: Re: Mitch tries to defend his open relay again (was Re: ORBS (Re: Scanning)) 

On Tue, 29 May 2001, Mitch Halmu wrote:

> I responded to Wilcox and Fraizer in private. Their bashful posts serve 
> to illustrate exactly why such people cannot dictate policy to others.

Mitch,

If you desire to reply to me in private, might I suggest that you do it from a mailserver that isn't listed in MAPS...

May 28 18:19:11 Overkill sendmail[8797]: f4SMJBu08797: ruleset=check_rcpt, arg1=<nanog at Overkill.EnterZone.Net>, relay=[205.159.140.2], reject=553 5.3.0 <nanog at Overkill.EnterZone.Net>... Open spam relay - see http://www.mail-abuse.org/rss/
May 28 18:19:12 Overkill sendmail[8797]: f4SMJBu08797: from=<mitch at netside.net>, size=6370, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[205.159.140.2]

May 29 05:33:39 Overkill sendmail[26337]: f4T9Xcu26337: ruleset=check_rcpt, arg1=<nanog at Overkill.EnterZone.Net>, relay=[205.159.140.2], reject=553 5.3.0 <nanog at Overkill.EnterZone.Net>... Open spam relay - see http://www.mail-abuse.org/rss/
May 29 05:33:39 Overkill sendmail[26337]: f4T9Xcu26337: from=<mitch at netside.net>, size=1439, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[205.159.140.2]

---
John Fraizer
EnterZone, Inc
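
The sendmail lines quoted above are the evidence a receiving operator keeps when a DNSBL check rejects a session: the queue id ties the `check_rcpt` rejection to the `from=` record, `relay=[...]` names the peer, and the `reject=` text carries the SMTP reply. The script below, an added example that is not sendmail's own code, parses log lines reconstructed from the post into one record per queue id and builds the reversed-octet DNS name an MTA queries, both for a DNSBL listing and for the in-addr.arpa lookup that Fraizer's earlier post complains is missing for this block. The DNSBL zone name is left as a placeholder, since the post names the service but not its query zone:

```python
"""Parse sendmail rejection lines into per-queue-id records and build the
reversed-octet names used for DNSBL and in-addr.arpa lookups.  Added
illustration, not sendmail's own code; the log lines are reconstructed
from the post and the DNSBL zone is a placeholder."""
import re
from collections import OrderedDict

# Constructed from the two rejections quoted in the post (addresses kept
# in the archive's "user at host" form).
SAMPLE_LOG = """\
May 28 18:19:11 Overkill sendmail[8797]: f4SMJBu08797: ruleset=check_rcpt, arg1=<nanog at Overkill.EnterZone.Net>, relay=[205.159.140.2], reject=553 5.3.0 <nanog at Overkill.EnterZone.Net>... Open spam relay - see http://www.mail-abuse.org/rss/
May 28 18:19:12 Overkill sendmail[8797]: f4SMJBu08797: from=<mitch at netside.net>, size=6370, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[205.159.140.2]
May 29 05:33:39 Overkill sendmail[26337]: f4T9Xcu26337: ruleset=check_rcpt, arg1=<nanog at Overkill.EnterZone.Net>, relay=[205.159.140.2], reject=553 5.3.0 <nanog at Overkill.EnterZone.Net>... Open spam relay - see http://www.mail-abuse.org/rss/
May 29 05:33:39 Overkill sendmail[26337]: f4T9Xcu26337: from=<mitch at netside.net>, size=1439, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[205.159.140.2]
"""

# syslog header, sendmail pid, queue id, then the comma-separated body
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) sendmail\[(?P<pid>\d+)\]: "
    r"(?P<qid>\w+): (?P<body>.*)$"
)
# sendmail logs relay=name [ip] or relay=[ip]; we want the literal address
RELAY_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Placeholder: substitute the zone your MTA is configured to query.
DNSBL_ZONE = "dnsbl.example.net"


def parse_line(line):
    """Split one line into header fields plus sendmail's key=value pairs.
    Returns None for lines that are not sendmail records."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    fields = {}
    for part in rec.pop("body").split(", "):
        key, _, val = part.partition("=")
        fields[key] = val
    rec["fields"] = fields
    return rec


def relay_ip(fields):
    """Literal IP of the connecting peer, or None if not logged."""
    m = RELAY_RE.search(fields.get("relay", ""))
    return m.group(1) if m else None


def reversed_name(ip, zone):
    """Reverse the octets and append the zone: the query an MTA sends
    for a DNSBL check (zone = the list) and, with zone in-addr.arpa,
    the owner name whose PTR record the traceroute would have resolved."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def summarize(log_text):
    """One entry per queue id: relay, envelope sender, and the SMTP
    reply text if the session was rejected."""
    out = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = out.setdefault(rec["qid"], {"relay": None, "from": None, "reject": None})
        f = rec["fields"]
        entry["relay"] = relay_ip(f) or entry["relay"]
        if "from" in f:
            entry["from"] = f["from"].strip("<>")
        if "reject" in f:
            entry["reject"] = f["reject"]
    return out


if __name__ == "__main__":
    for qid, e in summarize(SAMPLE_LOG).items():
        print(qid, e["relay"], e["from"], "->", e["reject"])
        print("  DNSBL query:", reversed_name(e["relay"], DNSBL_ZONE))
        print("  PTR owner:  ", reversed_name(e["relay"], "in-addr.arpa"))
```

Grouping by queue id matters because sendmail writes the rejection and the `from=` record as separate lines; a report keyed on the rejection line alone would lose the sender and the message size.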

------------------------------

End of NANOG Digest V1 #737
***************************


To unsubscribe from the nanog-digest mailing list, send mail to
majordomo at merit.edu with the following command in the body:

unsubscribe nanog-digest

Questions about the list may be sent to nanog-digest-owner at merit.edu.
