[nycbug-talk] IPv6 NY-US Roll Call

Fri Apr 6 18:34:29 EDT 2007

Hi,

First of Isaac, nice writeup, I also tend to hear that in Japan they
have quite some advanced usages already of the Internet in general. We
are just getting left out in the cold in the rest of the world with it
because in the western countries the companies want to earn money from
you and as long as they can sell the old crap, why would they try and
sell the new crap? They can in a couple of years make loads of money off
all the problems that will occur when IPv4 does become harder to get and
when tools suddenly have to talk IPv6 because people are having to use
it they can charge very well for it, as it also has to happen in a
hurry. In other words folks: brush up on your IPv6 skills and in a
couple of years you will be consulting the big companies who are giving
you money to help them out of their misery.

<SixXS hat on>

Anyway, somebody pointed me to this thread as the person noted that
there where a couple of FUD's trying to be spread. And as this is
publically archived, I would like to avoid any confusion and clarify
what is being said wrongly. Of course, like always, if you have any
questions never ever hesitate to contact SixXS using: info at sixxs.net
As clearly detailed on http://www.sixxs.net/contact/

I tend to type long elaborate messages and yes they are all PGP signed
so that context can't be removed or words twisted.

As it is a long reply, here is a (long ;) summary:
* SixXS != OCCAID
* SixXS does allow IRC, but people who just want IPv6 to hide on
  the internet are out of luck: whois.sixxs.net shows your IPv4.
* There is no IRC channel for SixXS (except noc.sixxs.net which is
  for monitoring purposes and is +m with only a bot saying stuff).
* IRC servers and shell servers are indeed not allowed. Simple rule.
* Abusing the service isn't either, just like any other ISP asks you
  to be a good netizen and to behave.
* It works and is stable.
* If you want to define your own rules/requirements: pay for it.
* Read the FAQ.
* Of course info at sixxs.net for questions/comments/flames.

Here goes, oh for replyers, use [..] cut's there is a lot of useless
text in there. Replying to the summary is also an option of course, but
do mind it doesn't capture the whole wording.

Miles Nordin wrote:
[..]
> The alternative now is SixXS, which gets transit from OCCAID but has
> lots of automation for serving Interweb users.  Unfortunately they
> also have fewer pops.

SixXS doesn't only get transit, OCCAID, or actually a couple of ISP's
that do that for OCCAID, host the PoPs. They take care of the machine,
the power, upgrading it, connectivity, everything. They *pay* for it.

SixXS merely provisions (read: configure) the tunnels on those machines.
How the PoP routes the traffic, what policies apply, how it is used etc
all that is based on how the owner of the PoP, in this case OCCAID,
defines it. If they say "let everybody DDoS the world", then the SixXS
tools simply ignore that. We most would not accept such a PoP
application though as we have an interest in the better good of the
Internet and to provide a solid base for people to actually use IPv6.

[..]
> OCCAID, and their new partners SixXS, seem to be generally technically
> competent, but they have crippling layer 10 issues.  It is stuffed
> full of those people who claim they want to be ``apolitical'' and then
> run their organization like some kind of pathetic nerd mafia.
> problems like:
> 
>  o SixXS problems
> 
>    o AUP forbids irc clients

Not true and I really wonder why you think that. First of all there is
no "SixXS AUP" (only the Belnet PoP has one). We do expect people to be
good Internet citizens, but one is expected to do that for all Internet
services that I know of.
See also: http://www.sixxs.net/faq/sixxs/?faq=aup

Also a quick google(sixxs irc) will reveal to you:
http://www.sixxs.net/faq/misc/?faq=irc

Which clearly shows that we even have special agreements in place with
the two largest (EFnet & IRCnet) and arranged I-lines with them
specifically so that people can use IPv6 IRC. None of the servers are
hosted in address space provided by SixXS though. The operators of those
services have special permission to host them and generally have a 24/7
team standby to resolve DDoS issues and other strange attacks.

BUT: We don't see a major reason for people to use it especially for
that. You clearly have IPv4, otherwise you could not have an
IPv6-in-IPv4 tunnel, so we do hint that people should be using that instead.

>    o AUP forbids irc servers
> 
>    o AUP forbids shell servers even when not used for irc

This really is solely because of the simple nature that those services
exist solely for one reason: Hiding on IRC and thus causing trouble.
Which is something we don't like, as when people are able to hide, they
will DDoS our services, and thus hurt a lot of people, instead of the
annoying person hiding behind it. Do note that we do publish, in
whois.sixxs.net, the IPv4 endpoint of every user and with even a slight
breeze of an abuse ticket we will terminate the account, of course after
verifying the facts naturally. If you want to have an IRC server, go to
one of the many "IRC Shell Hosting" companies who have "bulletproof"
services etc blabla. They tend to have you pay for them btw.

If you really have a 'shell service' which is not meant for IRC, can you
explain what that service entails? I checked, but you clearly never
signed up to SixXS and never send an email either. As such, are you sure
that what you think you read is really what you think you read?

from http://www.sixxs.net/contact/ in a big green box:
"In case you are having issues with our services, don't hesitate to
contact us."

Just so that you know....

>    o a series of kiddie-heuristic harassment tests when you sign up
>      (``the ten easy steps to ipv6!'')

Those "10 easy steps" (http://www.sixxs.net/faq/account/?faq=10steps)
are very easy and seem to be followed by a lot of people. Nothing in
there is actually against the 'kiddies'. The portion that is against the
kiddies though is that they have to provide their real information. Just
like when you sign up to an ADSL service or a colo etc. You are also
held fully accountable for any traffic that flows from the delegations
that get assigned to you, just like with your normal ISP.

>    o horror stories from many people who try to use them.  If they cut
>      you off, they always cut you off first and ``inform'' you later
>      or not at all.  One guy said they kept deleting his account
>      because they didn't believe the name he gave sounded real enough
>      (it was his real name).

Which part of "One signup per person" is unclear?
Can you also show which person didn't provide his real name and got
rejected? "Kept deleting" sounds weird too, you really don't get a
second account and deletion only works once.

Also, if we have clearly indicated to somebody to *NOT* use our service
for IRC servers and then they signup as somebody else and start using it
anyway for IRC servers, then what should we do? Ask *again* to not do
it? Indeed, they then nicely get terminated.

Services provided are on a best basis, nobody pays for it (and there is
no option to pay for it btw), if you are a good net citizen all will
work fine, just as a couple of thousand people are already experiencing
for the last 5 years nearly, and that is only the portion that it was
called SixXS. IPng.nl was already in the air 2 years before that and we
merged it into SixXS to provide a better and larger service for the
users who actually want to use, not abuse, IPv6.

>  o OCCAID/SixXS problems I've had in the past

Only covering SixXS, I don't know how OCCAID does/runs this thus can't
say anything about that. I suggest that you ask them about it.

>    o putting mailing lists under ``emergency moderation'' when they
>      feel embarassed by the discussion

There is no SixXS mailinglist, unless somebody has something up that I
don't know about, but then what would it have to do with SixXS? There is
info at sixxs.net and there is a Forum which is free for everybody to post
on when you have an account. And of course, not to forget, the ticket
system.

>    o offering better support to ``insiders'' on an unpublished irc
>      channel and worse support to people on the mailing list, then
>      banning and klining people from that channel if they're
>      insufficiently sycophantic

There is no IRC channel for SixXS and there is no 'secret' channel
either. Unless you mean a specific channel which covers all kinds of
operational networking concepts which is about routing in the internet
(IPv4 and IPv6) and resolving it, but that has totally no relation
whatsoever to SixXS. There is #noc.sixxs.net on IRCNet of course, but
that is a moderated channel where only a bot speaks to say how many
requests are in the queue and which pops are broken, in the cases that
they are broken.

>    o AUP forbids so-called ``DNS spam'' which is any DNS reverse
>      lookup that spells an English phrase or sounds excessively cute.
>      I guess this is another anti-irc thing, but I'm not happy about
>      indignities like this and don't think it's in the spirit of the
>      Internet, and I really bristle at the idea of passing on a
>      restriction like that to _my_ users.

The FAQ mentions it, there is no AUP. If you don't like that rule, then
don't use the service. Over the years having this little rule in place
has saved us from a lot of problems. Ever since we introduced this rule
somewhere in 2000 at IPng.nl and at first started warning people, later
disabling them when they did it anyway, DDoSses started to stop and now
they nearly don't occur anymore.

We could have allowed all of this and then went the www.ipng.org.uk way:
http://216.239.59.104/search?q=cache:1lPla2CNyLYJ:ipng.org.uk/+%22IPng.org.uk%22&hl=en&ct=clnk&cd=1
aka "DDoSSed to death". This regulation avoided this and that way we
can still provide a service to people. Note that the IPng.org.uk folks
gave up only after a couple of months of 'operation', I only found out
that they even existed, with more or less a similar name to our IPng.nl
when there suddenly where messages of help and cries flying around that
they where turning it off unless they found something to do about it.

Clearly you know what DDoS does to your network, and you have had to,
according to wikipedia, change ISP's because you where a DDoS target. So
why should we, as a free (gratuit, free as in beer) provider allow you
to attracked it and then let *OUR* systems get hurt by it?

> so, if you can live with that, SixXS is the way to go.  I can't stand
> them

You clearly seem to have a more personal issue then than anything else.
If you want to talk about it, try info at sixxs.net. No pun intended.

What is soooo difficult of coming up with a decent hostname that you
actually use!? I really never have somebody do a ssh to a host like:
my.mother.did.nasty.things.with.your.father.and.that.is.why.you.exist.org
Unless you alias that locally of course. It is useless and was never the
intention of the DNS in the first place.

Cute URL's to read up on:
http://www.dnsspam.nl
http://www.sixxs.net/faq/sixxs/?faq=dnsspam

There used to be http://spamcalc.net with even more information, also
specifically on the subject how IRC Networks take care of them.

Personally I enjoy it much more in coming up with good punny short
names, see http://unfix.org/projects/network/ For people in theology, or
who simply read the bible once; purgatory is my 'gateway', 'heaven' is a
Linux box, while hell is the Windows box. Heaven/paradise/eden are used
for storage as they have lots of beautiful content (cam pix :). Limbo is
a laptop, which is in a complete state of flux. Magrathea (per HHGTTG)
is a BSD box which does "make world" a lot (to put in on topic for this
list a bit ;)

I know people using demonolatry to name their hosts, using the name of
the demon who watches the gates to hell as the name of their gateway
etc. Those things are way more creative then a stupid sentence, which
doesn't reflect what the hostname is nor it's function, but is only used
to show penis length on the Internet. IMHO the higher the spamcalc the
more you have to compensate for something.

> but I will probably sign up soon to get back some kind of
> censored politicized v6 (albeit without BGP now).

Why do you have a need for BGP? Do you have your own ASN? Do you have
multiple circuits to the Internet? Do you have a prefix to announce?
If not, then why BGP, as it for sure isn't helping connectivity for a
bit for you in that case. So please any arguments?

I have to note that we did have an idea of adding BGP to the various
PoPs, then allowing people to make a tunnel to multiple PoPs and then
allowing them to announce their /48 to the PoP. Aggregation would still
block the prefix to be globally visible though but it would allow for
some backup/failover in the odd case that the PoP breaks. But that is
something for the todo-list, which is quite long and involves other
things which are more or less more important and useful to fix up,
especially as the PoPs usually simply work(tm).

> We'll see how long
> it takes them to find an excuse to boot some guy who posts on public
> mailing lists that he has major problems with their attitude.

The problem I have with your writings is the simple fact that what you
write is wrong, and even worse it doesn't contain any arguments, not
even false ones. It is good though that you wrote it in public and
fortunately that somebody attended it to me so that I can actually
answer those false claims. I think they call it "slander" what you are
trying to do, or was it "libel"? Oh well, dunno, I am no lawyer and that
is also not what this is about. Clarification is a good thing though so
that other people do not read this wrongly.

> A year ago I reported the ``DNS spam'' to Declan's politech list.

I googled and found the rather odd message, again containing no real
arguments. You reported there that OCCAID had taken a decision that on
THEIR network (thus not yours) to apply a certain policy.
Simple solution: if you don't like it -> don't use it.

> Hurricane Electric tunnels are, for me, not even worth looking at,
> because they block irc.  I'm not spending $600/mo on Internet so I can
> put up with this T-Online/Verizon port blocking bullshit.

HOLD ON. So you are spending money for IPv4, but require your IPv6 to be
perfect and for free? Come on, that is laughable.

> I *will*
> pay for IPv6, but this second-class interweb crap completely defeats
> the purpose of an experimental protocol.

Then PAY for it. Go to NTT, C&W, and a lot of other ISP's who can
provide it to you.

For the ARIN region, take your pick:
http://www.sixxs.net/tools/grh/dfp/arin/

Call them up and ask what they can do for you.

As for HE.net itself, I have outed enough nastyness about that already:
http://lists.cluenet.de/pipermail/ipv6-ops/2007-March/001024.html
note that that message actually contains arguments, next to them being
valid too, and I cc'd them so they have a easy chance to respond,
unfortunately they are never at home.

[..]
>    some people make a big deal about ``native'' v6, meaning v6 over
>    the Ethernet cable.  Not having tunnels definitely makes routing
>    problems easier to track down, but I really don't think it's faster
>    or intangibly ``better'' somehow.  The problem is when the two ends
>    of the tunnel are far apart.  The tunnel should only be a couple ms
>    long, not spanning countries or oceans, so routing is still close
>    to optimal.  It's the rtt, not the tunnel itself, that sucks.

Correct, as long as you simply TRY to make it native wherever possible.
When it is not possible, then at least try to keep the tunnel inside ASN
bounds or only hop over one ASN. In case of end-sites though, one can
drop this rule as it can be quite hard to get things arranged and setup
with the IPv4 provider as they simply haven't get around to it.

> 2. bad neighbor ISP's (cough *Abliene* cough) that fuck up the v6
>    routing table.  with OCCAID I had packets crossing the Atlantic
>    twice to get to Hurricane Electric.  stupid.  OCCAID blamed HE and
>    said they were doing something wrong and ignoring OCCAID's
>    complaints.  Who knows what the real story is.

The true story: Abilene doesn't peer with commericial entities (they are
changing this though, finally) as such the only way to get their
prefixes is using either a rogue NREN who does pass it on or through one
of the commercial transits. As for HE.net<->OCCAID, see the link above.

> 3. not maintaining your v6 well.  If your site depends on some
>    ``tunnel broker'' with a dynamic address on your end, then
>    inevitably the broker machine gets rebooted a couple times a month
>    and loses your site's state.

Over generalization, but I understood that some tunnel brokers indeed do
that. SixXS PoPs tend to keep on running for months on and are very
stable. If they where not stable we would not let users on them.
Also note that GRH (http://www.sixxs.net/tools/grh/) and a number of
other tools are in place to monitor that the routing to the rest of the
Internet is actually working and yes we actively pursue problems, track
them down and get them fixed.

>  If your tunnel broker client is buggy
>    and crashes, or isn't running at all, then your v6 goes down for
>    weeks until someone notices.

Problems can be reported and they will be fixed, at least for SixXS that
works. Although it is run as best-effort we tend to try and keep it up
24/7 and have adequate monitoring and fixups in place. No guarantees
though; if you want an SLA, go to an ISP and pay for it.

[..]
>      a> There's no demand, cause, well, why'd you *want* ipv6.
> 
> I'll pay you $50 extra per month for v6 right now.  I want it so I can
> reach and be reached by v6-centric friends in Germany (and apparently
> also Japan).

Ever wondered where most CCC people get their IPv6 from? :)

And of course all of that said, in case people do want to really start
using IPv6 and testing it out, join the club of a lot of other people
going before you, who have no issue with being good netizens and simply
join up, it is free as in beer and free as in speech too. Enjoy.

Lastly, in case of questions/comments/flames etc, as long as you use
arguments, don't hesitate to actually send them on to info at sixxs.net.

Thanks & Greets,
 Jeroen

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 311 bytes
Desc: OpenPGP digital signature
URL: <http://lists.nycbug.org/pipermail/talk/attachments/20070406/3fcd976c/attachment.bin>