who offers cheap (personal) 1U colo?

And in fact, there are technical reasons as well. Downstream IP
transmission on a cable plant uses any arbitrary channel; if there's a
lot of downstream traffic, just displace the Home Gerbil Channel or
some such and allocate more bandwidth to IP. Upstream traffic uses the
band below channel 1, and it's not easy to add more unless you split
the tree and put in another fiber node. This is done for the sake of
the repeaters -- the downstream repeaters are fed by a high-pass
filter, and the upstream repeaters are fed by a low-pass filter. If
too many people are fielding home servers, it affects everyone.

    --Steve Bellovin, http://www.research.att.com/~smb

Thus spake "Steven M. Bellovin" <smb@research.att.com>

> And in fact, there are technical reasons as well. Downstream IP
> transmission on a cable plant uses any arbitrary channel; if there's a
> lot of downstream traffic, just displace the Home Gerbil Channel or
> some such and allocate more bandwidth to IP. Upstream traffic uses the
> band below channel 1, and it's not easy to add more unless you split
> the tree and put in another fiber node. This is done for the sake of
> the repeaters -- the downstream repeaters are fed by a high-pass
> filter, and the upstream repeaters are fed by a low-pass filter. If
> too many people are fielding home servers, it affects everyone.

So DOCSIS has a technical limitation which may or may not apply. This is
reasonable justification for limiting upstream bandwidth, not for specifying
that users can't run servers. If users can run servers effectively in the
limited available upstream bandwidth, then there is no _technical_ reason to
prevent them.

Other last-mile technologies provide symmetric bandwidth yet providers still
prohibit servers; this is clearly a business issue, not a technical one.

S

Stephen Sprunk "Stupid people surround themselves with smart
CCIE #3723 people. Smart people surround themselves with
K5SSS smart people who disagree with them." --Aaron Sorkin

I think people are being sloppy about saying no servers on certain types
of networks.

I think the actual requirement is for a long-term end-to-end identifier
for systems, and maybe even network users, before they can do certain
activities on the network so you can trace or block the system. Systems
without long-term unique end-to-end identifiers would only be able to do
a limited number of things because they are essentially fungible.

Neither the location nor type of access media is important.

A student in a college dorm room with an uncontrolled DHCP address may not
be able to run a server, even though they have more than enough symmetric
Gig-ethernet bandwidth and you know what dorm it is physically located in,
because all student servers look alike. On the other hand, a mobile
server on a US Navy ship on a 1200 baud radio connection with a fixed
address would be permitted to run a server even though you may have no
idea where in the world the ship is physically located today, because
you could identify which server it was. (Server clusters acting as a
single system don't change this.)

If you want to spend about $50/month for a static IP address for your DSL
line, then the question becomes should you be able to send mail
directly from your home server with a static IP address on a DSL line
until abused? No need to buy another box, find a colo or figure out
how to remotely administer another system or tunnel to it to send mail.

> I think the actual requirement is for a long-term end-to-end identifier
> for systems, and maybe even network users, before they can do certain
> activities on the network so you can trace or block the system. Systems

Now my question becomes: is this an identifier that other providers can
use to trace the machine, or only for the local ISP? I look at it this
way. If I'm the provider I don't really care what username they are; I can
determine their location by the logs. Sure, they may be on DSL, but they
will at some point request an address. When they request an address I have
their circuit ID and I can at least narrow it down to a house or
apartment.

> A student in a college dorm room with an uncontrolled DHCP address may not
> be able to run a server, even though they have more than enough symmetric
> Gig-ethernet bandwidth and you know what dorm it is physically located in,
> because all student servers look alike. On the other hand, a mobile

This is a topic I get very soap-boxish about. I have too many problems
with providers who don't understand the college student market. I can
think of one university which requires students to login through a web
portal before giving them a routable address. This is such a waste of
time for both parties. Sure it makes tracking down the abusers much
easier, but is it worth the time and effort to manage? This is a very
legitimate idea for public portals in common areas, but not in dorm rooms.
In a dorm room situation or an apartment situation, you again know the
physical port the DHCP request came in on. You then know which room that
port is connected to and you therefore have a general idea of who the
abuser is. So what's the big deal if you turn off the ports to the room
until the users complain and the problem is resolved?

I guess this requires very detailed cable map databases and is something
some providers are reluctant to develop. Scary thought.....

Andrew

I think this is hinting at another larger issue: the fact that so many
ISPs are filtering services and controlling what a user can and can't do.
I know several providers who block SMTP outbound at their border for
anything that's not their mail box or a registered mail host. Sure this
stops spam complaints, but if I'm paying for service I'm wanting raw
access, not some censored service. I had major issues with a small ISP
who decided they would firewall all of their customers and
filter in/out ports. It got to the point I couldn't even send or receive
files with individuals using that ISP. Finally I ended up building a VPN
through their firewall to conduct business.

As far as SMTP goes, in the past I've allowed mail into my machine from
anywhere for my domain, then I'd relay my outbound mail through my
provider's SMTP box just to bypass all the stupid blacklists. I don't mind
the idea of having to register my servers with my ISP or some future
regulatory board, but that becomes ridiculous when I'm constantly changing
my home network/lab.

Andrew

Thus spake "Sean Donelan" <sean@donelan.com>

> > So DOCSIS has a technical limitation which may or may not apply. This is
> > reasonable justification for limiting upstream bandwidth, not for specifying
> > that users can't run servers. If users can run servers effectively in the
> > limited available upstream bandwidth, then there is no _technical_ reason to
> > prevent them.
>
> I think people are being sloppy about saying no servers on certain types
> of networks.

Sloppy? IMHO it's completely intentional. Most consumer/residential AUPs
explicitly ban running any sort of server -- you have to pay more for that
"privilege".

> I think the actual requirement is for a long-term end-to-end identifier
> for systems, and maybe even network users, before they can do certain
> activities on the network so you can trace or block the system. Systems
> without long-term unique end-to-end identifiers would only be able to do
> a limited number of things because they are essentially fungible.

You're talking about the complete death of anonymity... This also touches
on a fundamental problem with IP -- its addresses are both locators and
identifiers.

> If you want to spend about $50/month for a static IP address for your DSL
> line, then the question becomes should you be able to send mail
> directly from your home server with a static IP address on a DSL line
> until abused? No need to buy another box, find a colo or figure out
> how to remotely administer another system or tunnel to it to send mail.

Some ISPs block or intercept all outbound traffic on port 25 unless you
register your mail server (for free). Given the amount of spam coming from
virus-infected PCs these days, I have a tough time arguing with that.

S

Stephen Sprunk "Stupid people surround themselves with smart
CCIE #3723 people. Smart people surround themselves with
K5SSS smart people who disagree with them." --Aaron Sorkin

Actually, you're forgetting what I think is the biggest reason for doing
this: before the user registers via the web-based DHCP thing, they are shown
the AUP and have to say they agree to it. If you just leave straight IP
connections available in rooms, and people violate the AUP, they can QUITE
credibly argue "But I never read this AUP". The web-based DHCP registration
system prevents that.

Other advantages would be
A) It prevents students (or at least, all but the most clueful) from taking
multiple IPs and having hubs and such in their rooms
B) It makes it very easy to track what MAC address/IP address is which
person, as you yourself admitted. Sure, this system requires a bit of effort
to set up initially (though I think open source implementations are easily
available), but afterwards, you don't need to have your most clueful network
engineer dig through to try and figure out which room is what IP. If you
lower the clue level required to operate an abuse desk, I would argue you
improve its efficiency in many cases...
C) It avoids issues of changing ports. Let's say I'm in room 101, and my
friend Bob is in room 102. I take my laptop to Bob's room and plug it into
the network and go and do something dumb... If you hunt down my MAC address
to a particular port, it looks like Bob is the AUP violator. If you have a
registration system, you know that this MAC address belongs to me, not Bob.

Oh, and what about wireless networks? I have my nice 802.11b card, how do
you propose to track that without MAC registration (or hackish VPN systems,
which are also deployed in some campuses)?

[Note: most of the argument above assumes that people are not clueful enough
to change their MAC address, of course... And I would argue that most
college students are too busy getting drunk or saturating networks with P2P
software to figure this out]

Vivien

Andrew Dorsett wrote:

> A student in a college dorm room with an uncontrolled DHCP address may not
> be able to run a server, even though they have more than enough symmetric
> Gig-ethernet bandwidth and you know what dorm it is physically located in,
> because all student servers look alike. On the other hand, a mobile
>
> This is a topic I get very soap-boxish about. I have too many problems
> with providers who don't understand the college student market. I can
> think of one university which requires students to login through a web
> portal before giving them a routable address. This is such a waste of
> time for both parties. Sure it makes tracking down the abusers much
> easier, but is it worth the time and effort to manage? This is a very
> legitimate idea for public portals in common areas, but not in dorm rooms.
> In a dorm room situation or an apartment situation, you again know the
> physical port the DHCP request came in on. You then know which room that
> port is connected to and you therefore have a general idea of who the
> abuser is. So what's the big deal if you turn off the ports to the room
> until the users complain and the problem is resolved?
>
> I guess this requires very detailed cable map databases and is something
> some providers are reluctant to develop. Scary thought.....
>
> Andrew

I'm curious about the concept of "College Student Market". We have several thousand students in our dorms who only have two choices for Internet service - our dedicated Ethernet or their dial-up (which they would have to pay for). We firewall them, packet shape them and don't pay much attention when they saturate their router. Housing has a choice to use campus services or go outside for Internet service - a much more expensive choice considering the amount they pay the campus.

We respond to complaints about abusers on the ResNet by first disabling the port. This is considered a strike against the resident for an AUP violation. In theory, three strikes and they're out.

After we upgrade the ResNet equipment, we're planning on 802.1x authentication on the port. I'm toying with suggesting certificates so we can simply revoke a cert if someone is a serious abuser which could (in theory) deny their workstation (laptop in most cases) access to the campus network. The problem with this idea is the amount of overhead required to manage the certificate infrastructure.

As to the question of "is it worth the time and effort to manage", I think yes. When the SQL Slammer worm hit last year, I put blocks at the border and blocks between subnets to contain the problem as best I could for two reasons (well, could be more but this is all I'm going to point out):
1 - Maintaining the usability of the campus network.
2 - Protecting the Internet in general from us.

How many ISP's care about either? How many won't do either because it would affect their bottom line?

Back to the original topic. We have a fairly good cable map. We can track DHCP and can even black hole a MAC address so it can't get an address. Why would we want a user to authenticate to the network? It adds accountability and a little more paranoia that if they do something they shouldn't, they'll get caught and we'll turn them off.

Remember: If you ask a student about their Internet access, you'll hear that it's free and they shouldn't be restricted as to what they can do.

Ken

> This is a topic I get very soap-boxish about. I have too many problems
> with providers who don't understand the college student market. I can
> think of one university which requires students to login through a web
> portal before giving them a routable address. This is such a waste of
> time for both parties. Sure it makes tracking down the abusers much
> easier, but is it worth the time and effort to manage? This is a very

In the UK it certainly does. To absolve ourselves of liability for
misuse 'net access must be from an 'identifiable' user. This is part of
our institution-wide security policy.

> legitimate idea for public portals in common areas, but not in dorm rooms.
> In a dorm room situation or an apartment situation, you again know the
> physical port the DHCP request came in on. You then know which room that
> port is connected to and you therefore have a general idea of who the
> abuser is. So what's the big deal if you turn off the ports to the room
> until the users complain and the problem is resolved?

That's all very well if you have switches which can do DHCP option 82
but most educational institutions have strict budgets to work to, which
may involve reuse of older kit which was previously used for core
academic purposes.

> I guess this requires very detailed cable map databases and is something
> some providers are reluctant to develop. Scary thought.....

I'd say having a login system which identifies the user is considerably
less difficult than maintaining a very extensive database of cable
patches which will inevitably get out of date (think replacement of dead
switches...) within a very short timeframe.

It's much easier to index an abuse report from an IP directly to a
username, there's less room for argument and error. Functionally, this
is the way most broadband access networks are run anyway,
username/password gets you the PPPoA or PPPoE session.

W
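DHCP option 82, as mentioned above, is what lets a relay report the switch port a request arrived on. The following is an added Python example, not code from this thread or from any vendor: it parses the relay agent information option out of a constructed DHCP options field and decodes its circuit-id and remote-id sub-options. The VLAN/module/port and switch-MAC layouts it assumes are the Cisco IOS defaults; other switches encode these sub-options differently, so anything unrecognised is returned as hex.

```python
"""Parse DHCP option 82 (relay agent information) from a DHCP options field
and decode its circuit-id / remote-id sub-options, so a relayed request can
be tied to the switch port it came in on. Added illustration, not any
vendor's code; the sample bytes below are constructed."""
import struct

OPT_RELAY_AGENT = 82
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2


def _tlvs(blob, dhcp_level):
    """Yield (code, value) TLVs. At the top level, code 0 is a pad byte and
    255 ends the option list; option 82 sub-options have neither."""
    i = 0
    while i < len(blob):
        code = blob[i]
        if dhcp_level and code == 0:
            i += 1
            continue
        if dhcp_level and code == 255:
            return
        if i + 1 >= len(blob):
            raise ValueError("truncated TLV header at offset %d" % i)
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV %d" % code)
        yield code, value
        i += 2 + length


def decode_circuit_id(raw):
    """Assumed Cisco IOS default layout: type 0, len 4, VLAN:2, module:1, port:1."""
    if len(raw) == 6 and raw[:2] == b"\x00\x04":
        vlan, module, port = struct.unpack(">HBB", raw[2:])
        return {"vlan": vlan, "module": module, "port": port}
    return {"hex": raw.hex()}


def decode_remote_id(raw):
    """Assumed Cisco IOS default layout: type 0, len 6, relay switch base MAC."""
    if len(raw) == 8 and raw[:2] == b"\x00\x06":
        return {"switch_mac": ":".join("%02x" % b for b in raw[2:])}
    return {"hex": raw.hex()}


def parse_option82(options):
    """Return the decoded sub-options of option 82, or None if it is absent."""
    for code, value in _tlvs(options, dhcp_level=True):
        if code != OPT_RELAY_AGENT:
            continue
        info = {}
        for sub, sval in _tlvs(value, dhcp_level=False):
            if sub == SUBOPT_CIRCUIT_ID:
                info["circuit_id"] = decode_circuit_id(sval)
            elif sub == SUBOPT_REMOTE_ID:
                info["remote_id"] = decode_remote_id(sval)
        return info
    return None


# Constructed sample: a DHCPREQUEST options field with a relay-inserted option 82
SAMPLE_OPTIONS = bytes.fromhex(
    "350103"                   # option 53: DHCP message type = REQUEST
    "3d0701001122334455"       # option 61: client identifier (hw type 1 + client MAC)
    "5212"                     # option 82, length 18
    "0106" "000400640005"      #   sub-option 1 circuit-id: VLAN 100, module 0, port 5
    "0208" "0006aabbccddeeff"  #   sub-option 2 remote-id: relay switch MAC
    "ff"                       # end of options
)


def port_of_request(options=SAMPLE_OPTIONS):
    """Map a relayed request to 'switch-mac/module/port', the key a cable map
    would be indexed by, or None when option 82 is missing or unrecognised."""
    info = parse_option82(options)
    if not info or "vlan" not in info.get("circuit_id", {}):
        return None
    cid = info["circuit_id"]
    switch = info.get("remote_id", {}).get("switch_mac", "?")
    return "%s/%d/%d" % (switch, cid["module"], cid["port"])


if __name__ == "__main__":
    print(parse_option82(SAMPLE_OPTIONS))
    print(port_of_request())
```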

Thus spake "Steven M. Bellovin" <smb@research.att.com>
> filter, and the upstream repeaters are fed by a low-pass filter. If
> too many people are fielding home servers, it affects everyone.

> So DOCSIS has a technical limitation which may or may not apply. This is
> reasonable justification for limiting upstream bandwidth, not for specifying
> that users can't run servers. If users can run servers effectively in the
> limited available upstream bandwidth, then there is no _technical_ reason to
> prevent them.

how are 'servers' (smtp/web/ftp/imap) different than the existing P2P
apps? Wouldn't a cable provider, if the decision was based on upstream
bandwidth sharing alone, care MORE about P2P than 'servers' ?

> Other last-mile technologies provide symmetric bandwidth yet providers still
> prohibit servers; this is clearly a business issue, not a technical one.

Correct, or so it would seem... the cable modem providers can charge you
more for a 'business class' service, which allows 'servers' to be hosted.

--Chris
(formerly chris@uu.net)

Christopher L. Morrow wrote:

> how are 'servers' (smtp/web/ftp/imap) different than the existing P2P
> apps? Wouldn't a cable provider, if the decision was based on upstream
> bandwidth sharing alone, care MORE about P2P than 'servers' ?

But the decision is a business decision, because you can make "businesses" pay more for something that can run servers.
And it's harder to kludge smtp/http/etc. to work where servers are not permitted, as p2p works by default.

Pete

Thus spake "Vivien M." <vivienm@dyndns.org>

> Actually, you're forgetting what I think is the biggest reason for doing
> this: before the user registers via the web-based DHCP thing, they
> are shown the AUP and have to say they agree to it. If you just leave
> straight IP connections available in rooms, and people violate the AUP,
> they can QUITE credibly argue "But I never read this AUP". The
> web-based DHCP registration system prevents that.

Students have an existing legal relationship with the school; they can be
required to accept the AUP in writing at some point during the enrollment
process.

> Other advantages would be
> A) It prevents students (or at least, all but the most clueful) from taking
> multiple IPs and having hubs and such in their rooms

There's nothing inherently wrong with that.

> B) It makes it very easy to track what MAC address/IP address is which
> person, as you yourself admitted. Sure, this system requires a bit of effort
> to set up initially (though I think open source implementations are easily
> available), but afterwards, you don't need to have your most clueful network
> engineer dig through to try and figure out which room is what IP. If you
> lower the clue level required to operate an abuse desk, I would argue you
> improve its efficiency in many cases...

Tracking an IP address to a particular switch port via ARP and bridging
tables is straightforward; however this relies on detailed cabling plant
data.

> C) It avoids issues of changing ports. Let's say I'm in room 101, and my
> friend Bob is in room 102. I take my laptop to Bob's room and plug it
> into the network and go and do something dumb... If you hunt down my
> MAC address to a particular port, it looks like Bob is the AUP violator.
> If you have a registration system, you know that this MAC address
> belongs to me, not Bob.

Or, if you use 802.1x, you can skip the MAC registration and identify the
user directly each time he logs in.

> Oh, and what about wireless networks? I have my nice 802.11b card,
> how do you propose to track that without MAC registration (or hackish
> VPN systems, which are also deployed in some campuses)?

802.1x

S

Stephen Sprunk "Stupid people surround themselves with smart
CCIE #3723 people. Smart people surround themselves with
K5SSS smart people who disagree with them." --Aaron Sorkin

Thus spake "Christopher L. Morrow" <christopher.morrow@mci.com>

> > So DOCSIS has a technical limitation which may or may not apply. This is
> > reasonable justification for limiting upstream bandwidth, not for specifying
> > that users can't run servers. If users can run servers effectively in the
> > limited available upstream bandwidth, then there is no _technical_ reason to
> > prevent them.
>
> how are 'servers' (smtp/web/ftp/imap) different than the existing P2P
> apps? Wouldn't a cable provider, if the decision was based on upstream
> bandwidth sharing alone, care MORE about P2P than 'servers' ?

I don't know how common this is, but my ISP's AUP considers P2P apps to be
"servers" and thus banned. I don't use file-sharing apps so this doesn't
really affect me, but I'm betting my SIP phone is technically a violation
too.

S

Stephen Sprunk "Stupid people surround themselves with smart
CCIE #3723 people. Smart people surround themselves with
K5SSS smart people who disagree with them." --Aaron Sorkin

Stephen Sprunk wrote:

> Thus spake "Vivien M." <vivienm@dyndns.org>
>
> > Actually, you're forgetting what I think is the biggest reason for doing
> > this: before the user registers via the web-based DHCP thing, they
> > are shown the AUP and have to say they agree to it. If you just leave
> > straight IP connections available in rooms, and people violate the AUP,
> > they can QUITE credibly argue "But I never read this AUP". The
> > web-based DHCP registration system prevents that.
>
> Students have an existing legal relationship with the school; they can be
> required to accept the AUP in writing at some point during the enrollment
> process.

It all comes down to how you view the people on your network--students,
faculty, administrators, subscribers, whatever. If they are
"customers" you take one set of views and one way of solving problems.

If you see them as "lusers", to take another.

Experiment ... go to a college dorm that's wired, plug your laptop or PC in, start using the net. The assumption here of course is that you're not a student there. Nine times out of ten you won't be challenged and you'll be allowed to use the network. Students also often have friends over who use their systems.

Thus you can't assume that every user is a student or faculty.

> credibly argue "But I never read this AUP". The web-based DHCP registration
> system prevents that.

Ok, I'll give that one to you. :) Got me there hehehe. Though now we are
making the AUP a part of the freshman orientation session so there are no
excuses. Plus they agree to it when they place the installation CD in
their drive (if they use the installation CD, which many don't).

> A) It prevents students (or at least, all but the most clueful) from taking
> multiple IPs and having hubs and such in their rooms

That's protected by port security. Just limit them to one MAC address per
port, so only the last machine transmitting will get the reply. Works
quite well; it shut me down for a few days a few years ago when it was first
turned on.

> B) It makes it very easy to track what MAC address/IP address is which
> person, as you yourself admitted. Sure, this system requires a bit of effort
> to set up initially (though I think open source implementations are easily
> available), but afterwards, you don't need to have your most clueful network
> engineer dig through to try and figure out which room is what IP. If you
> lower the clue level required to operate an abuse desk, I would argue you
> improve its efficiency in many cases...

See, this is not something that requires a clueful engineer. It only requires
the clueful engineer to create a script that does it all automatically.
In fact I've seen the web interface to the whole system. VERY nice. It even
tracks changes, so I can tell if the user pulled the cables, swapped
ports, did bad stuff and then swapped them back to place the blame on the
roommate. I can enter the IP in question and time period and it will then
tell me the MAC address in question, then it will automatically look up
the cable database to return the room, and then it will return the names
of the individuals living in the rooms. I argue that the username system
has significant problems which can lead to denial of service. What
happens when your RADIUS box goes offline? This is what caused me to turn
against the offending university. Their authentication box wouldn't stay
online and so I'd have to cross my fingers after a reboot to hope that
I could get back on the network.

> C) It avoids issues of changing ports. Let's say I'm in room 101, and my
> friend Bob is in room 102. I take my laptop to Bob's room and plug it into
> the network and go and do something dumb... If you hunt down my MAC address
> to a particular port, it looks like Bob is the AUP violator. If you have a
> registration system, you know that this MAC address belongs to me, not Bob.

True, true, that can happen, but again if I log changes I can tell that
someone unplugged their computer, and so when Bob gets turned in the
judicial system will be able to question what occurred... They know it may
not be him that's guilty, but hopefully he will turn in the offender.

> Oh, and what about wireless networks? I have my nice 802.11b card, how do
> you propose to track that without MAC registration (or hackish VPN systems,
> which are also deployed in some campuses)?

As for wireless, well yeah, we require you to register the MAC of your
wireless NIC. Only MACs that are in the database are allowed access.
Sure you can spoof someone else's legitimate MAC, but that's a different
story. At least I have someone I can blame and let him try to deny it
through the judicial system.

Andrew
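The lookup chain Andrew describes above (IP and time period to MAC, MAC to cable database to room, room to the people living there), together with Stephen's earlier point that an IP can be tracked to a switch port via bridging tables, as an added Python example that is not code from this thread or from any campus's system. The lease log, bridge-table history, cable map and roster are all constructed sample data, and the `moved` flag covers the case Andrew mentions of a machine being plugged into a neighbour's port and moved back.

```python
"""Resolve an abuse report (IP address + time window) to MAC, switch port,
room and residents: the DHCP log -> bridge table -> cable map -> roster
chain described in the thread. Added, hypothetical example; every record
below is constructed sample data, not any campus's real logs."""
from datetime import datetime

# Constructed DHCP lease log: (lease start, lease end, IP, MAC)
DHCP_LEASES = [
    ("2004-03-14 20:00", "2004-03-15 08:00", "10.1.5.23", "00:0c:29:aa:bb:01"),
    ("2004-03-15 08:05", "2004-03-15 20:05", "10.1.5.23", "00:0c:29:aa:bb:02"),
]

# Constructed bridge-table history: when each MAC was learned on which
# switch port (e.g. polled from the switches and logged on every change)
PORT_SEEN = [
    ("2004-03-14 20:00", "sw-dormA-1", "Fa0/1", "00:0c:29:aa:bb:01"),
    ("2004-03-14 23:30", "sw-dormA-1", "Fa0/2", "00:0c:29:aa:bb:01"),  # plugged in next door
    ("2004-03-15 01:00", "sw-dormA-1", "Fa0/1", "00:0c:29:aa:bb:01"),  # and moved back
    ("2004-03-15 08:05", "sw-dormA-1", "Fa0/3", "00:0c:29:aa:bb:02"),
]

# Constructed cable map (switch, port) -> room, and housing roster room -> residents
CABLE_MAP = {("sw-dormA-1", "Fa0/1"): "101",
             ("sw-dormA-1", "Fa0/2"): "102",
             ("sw-dormA-1", "Fa0/3"): "103"}
RESIDENTS = {"101": ["Alice"], "102": ["Bob"], "103": ["Carol", "Dave"]}


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def macs_for_ip(ip, start, end):
    """Every MAC whose lease on `ip` overlaps the window [start, end]."""
    s, e = _ts(start), _ts(end)
    return [mac for ls, le, lip, mac in DHCP_LEASES
            if lip == ip and _ts(ls) <= e and _ts(le) >= s]


def ports_for_mac(mac, start, end):
    """Distinct (switch, port) sequence the MAC occupied during the window:
    the port it sat on when the window opened, then every move inside it."""
    s, e = _ts(start), _ts(end)
    events = sorted((_ts(t), sw, p) for t, sw, p, m in PORT_SEEN if m == mac)
    before = [ev for ev in events if ev[0] <= s]
    seen = before[-1:] + [ev for ev in events if s < ev[0] <= e]
    ports = []
    for _, sw, p in seen:
        if not ports or ports[-1] != (sw, p):
            ports.append((sw, p))
    return ports


def resolve(ip, start, end):
    """Full chain for one report. `moved` flags a device that changed rooms
    inside the window, so blame is not pinned on whoever lives at the port
    where it was last seen."""
    findings = []
    for mac in macs_for_ip(ip, start, end):
        ports = ports_for_mac(mac, start, end)
        rooms = [CABLE_MAP.get(sp, "unknown") for sp in ports]
        findings.append({
            "mac": mac,
            "rooms": rooms,
            "residents": sorted({r for room in rooms for r in RESIDENTS.get(room, [])}),
            "moved": len(set(rooms)) > 1,
        })
    return findings


if __name__ == "__main__":
    for finding in resolve("10.1.5.23", "2004-03-14 23:00", "2004-03-15 02:00"):
        print(finding)
```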

They may have a legal relationship with the school, but internet service can
be considered to be an added service that is not available until you
actually ask for it.

This is like parking - there are always some rules and regulations for
when you use the school garage (usually written on the wall or available from
the parking attendant); if you don't use the garage and park your car somewhere
else (or don't have a car at all), you don't have to bother with parking rules.

Same for internet access - students don't have to use school internet access,
they can buy internet access from some other ISP or they might not have a
computer at all. But if they use internet access, they accept the rules regarding
it - i.e. the AUP.

Andrew Dorsett [3/15/2004 8:26 AM] :

> That's protected by port security. Just limit them to one MAC address per
> port, so only the last machine transmitting will get the reply. Works
> quite well; it shut me down for a few days a few years ago when it was first
> turned on.

Most common or garden wireless APs / broadband routers will let you clone the MAC address, so this is not exactly difficult to get around.

And what is wrong with setting up a hub or something in a dorm room? I find it quite convenient to leave both my PC and a laptop running on my desk, for various reasons (too many open terminals and windows is one of them ...)

  srs

<quote who="Michael Loftis">

> Experiment ... go to a college dorm that's wired, plug your laptop or PC
> in, start using the net.
>
> Nine times out of ten you won't be challenged and you'll be
> allowed to use the network.

Has it been a while since you've been on a resnet? They're bad, but most
all "ResNet's" I know of are now implementing some sort of MAC/DHCP combo
at the very least.

That might have been true a couple years ago but recent DMCA notices and
Worm activity have /forced/ (often by their upstream) ResNet's to clean up
their act.

I don't think our ResNet is a shining example of excellence by any stretch
but they know who is registered behind each port/ip/mac address which
gives you a pretty good idea of who is on your network.

I won't comment on what leaves the ResNet on port 25 and what leaves the
network with no prayer of ever routing back. *cough* That's a whole
'nother issue for them to deal with, and at some point soon, I think they
will.

-davidu (speaking only for himself)

Suresh Ramasubramanian wrote:

> And what is wrong with setting up a hub or something in a dorm room? I find it quite convenient to leave both my PC and a laptop running on my desk, for various reasons (too many open terminals and windows is one of them ...)

I've been trying to figure out what is wrong with that too.

At my ex-employer's, one of the things they did right was encourage
study groups, and with multi-occupant suites, several stations
(including one or more printers, plotters, and such) were normal.

Most of the residence halls had hubs or small switches available for
check-out.

Is it the contention that each student should only use one pencil?