guideline for name-based web hosting justification

[Mury]

That's what I was subtly getting at.

On Tue, 12 Sep 2000 dan at netrail.net wrote:

> Oh come on. ARIN has not actual legal authority of any kind. It operates
> across national borders, and is subject to no laws regulating it's powers.
> It's only true ability is to convince providers to route only those
> addresses it assigns. Given this, it has all the authority it needs to
> retrieve unused blocks.
> 
> 
> Daniel Golding
> Director of R&D    "I'm not evil. I'm just drawn that way"
> NetRail, Inc.              
> 1-888-NetRail
> 
> On Tue, 12 Sep 2000, Mury wrote:
> 
> > 
> > > > Instead of putting the clamps on the ISPs why not focus on:
> > > > 
> > > > 1) Reclaiming unused IP space to hold us out a little longer
> > > 
> > > That's already being done, but there's a big problem.  ARIN doesn't have
> > > authority over the major offenders (legacy /8s and /16s).  The AC has had
> > > long, involved discussions about how is best to do this, and we're working
> > > on it.  For example, our first goal is to re-claim address space of
> > > companies that have gone out of business.  If you have some ideas on how we
> > > can do this we'd _love_ to hear them.
> > 
> > I'm not sure where ARIN gets it's authority.  Maybe the father of the
> > Internet wants to save his creation and support a law giving ARIN the
> > authority.  Seriously, where does ARIN receive it's authority from?  Why
> > hasn't it been given the authority to reclaim unused space from legacy
> > allocations?
> > 
> > Maybe ARIN would like to clearly publish a list of those offenders and
> > send them a nice letter asking them to comply with current allocation
> > policies.  If they don't want to cooperate, I suppose we could call the
> > media and/or Null route their IPs until they want to play by the same
> > rules we all need to.
> > 
> > > > 2) Push a plan to get better client server technology out there, and once
> > > > it is out there get people using it.  As an rotten example, but feeling
> > > > one is needed, what if the top 10 most popular sites had a message pop up
> > > > that informed people if they were using an old browser and encouraged them
> > > > to upgrade.
> > > 
> > > Yuck!
> > > 
> > > I mean, it's an idea, but I see where you're going...
> > 
> > Actually from the recent contributions to the list it appears as though
> > the HTTP/1.0 issues are far less a problem than I first perceived.  I
> > would however like to see some real statistics.
> > 
> > > > I'm not bitching just to bitch.  I'm looking out for my ecommerce
> > > > customers.  90% of my revenue comes from businesses.  If I don't watch out
> > > > for their bottom line, they sure the hell aren't going to look out for
> > > > mine.  If I switch them to a name-based system, before the world is ready
> > > > for it and they lose hits do to software incompatibilites, or don't notice
> > > > that their traffic died, or they can't see how effective a commercial was
> > > > by using real-time accounting stats, or one of my customers gets DOSed and
> > > > I can't control the traffic at my core routers or at my upstream so I have
> > > > to take everyone down because they all share an IP, they are going to host
> > > > with someone who cheats the system and gets them an IP.
> > > 
> > > Those are legitimate gripes.
> > > 
> > > Can we come up with reasonable solutions to them?
> > 
> > Well, what is the realistic possibility of making that "policy" a
> > "guideline?"  Give ISPs 6 months to essentially self-comply.  If web
> > hosting IP usage drops a significant percentage, then we declare a
> > success.  
> > 
> > If usage does not drop, have a policy ready with more details.  What
> > exactly constitutes an exception?  Obviously secure servers are an
> > exception, but what about bandwidth based accounting, or high bandwidth
> > sites (and if so, where is the line drawn?)
> > 
> > I realize I might be living in a dream world thinking most ISPs will
> > rapidly change if not forced to, but it's not an impossible task to
> > convince them either.  It's actually easy to configure multiple sites to
> > one IP than to multiple IPs.
> > 
> > I really don't know.  I'd personally rather spend my time and money trying
> > to get back massive chunks of unused IPs from those knowingly or
> > unknowingly abusing them, and wait for technologies to mature a little
> > more before cracking down on web hosting IPs.
> > 
> > > No, you aren't the only one, but at the same time, there were a huge number
> > > of people at the last ARIN meeting who were in support of this policy,
> > > however most of them have been silent through most of this (perhaps because
> > > they feel they already made their feelings known at the last meeting).
> > > 
> > > And as far as being labled a trouble-maker, I know plenty of people who have
> > > been far more vocal about ARIN policy than you and have had no problem
> > > getting address space.  Please don't spread the mis-conception that ARIN is
> > > anything other than an objective organization.  It isn't true and it makes
> > > everyone's life much more difficult in getting support for the organization.
> > 
> > Oh, if I thought that were true, I wouldn't be writing this or previous
> > emails.  I obviously don't think ARIN is going to treat my allocations
> > differently than the next person.  I'm just guessing as to why others
> > emailed only me and not the group.
> > 
> > > > If eliminate multiple IPs I'm unsure how to:
> > > > 
> > > > 1) Address the HTTP/1.0 issues in an acceptable clean fashion
> > > 
> > > See other discussions; the issue of legacy browsers IMO is a red herring. 
> > > It exists, but it's really small.
> > 
> > Is sure seems that way.  I'd still like to see *real* statistics.
> > 
> > > > 2) Do real time web accounting.  Remember we buy bandwidth by the Mbit, so
> > > > we need to sell it by the Mbit
> > > 
> > > Doing bandwidth (as opposed to bytes transfered per period of time) billing
> > > is tough, although it sounds like more and more vendors are starting to sell
> > > equipment that handles this.
> > > 
> > > > 3) Provide controls against DOS attacks.  No we don't host porn sites
> > > 
> > > But those are the money-makers! :-)
> > > 
> > > Seriously, I understand the DOS issue all too well, and it does need to be
> > > addressed.  Not sure how to at this point, except to say that this policy is
> > > really targeted towards the bottom-of-the-line web hosting accounts.  If you
> > > have a customer who has a lot of traffic, pays you a lot of money and can't
> > > afford to be off the air then it makes perfect sense to have him on a
> > > dedicated IP (I think at least).
> > 
> > Well, that doesn't totally work.  Because if someone on the main IP gets
> > attacked I have to shut all sites down on that IP, so it's not just a
> > matter of keeping my one big customer up, it's a matter of keeping 1000
> > sites up that only pay $50/month but adds up to $50,000.00/month in
> > total.  When everyone has their own IP, you can simply Null route their IP
> > if trouble starts. 
> > 
> > In all fairness, I only have to do this a handful of times per year, but
> > the times I have it has probably saved me hours if not days of down time.  
> > There is no way to predict if www.photos.com, www.ilikeredmeat.com,
> > www.gotochurch.com is going to be the one that gets attacked.
> > 
> > This issue is not a massive one.
> > 
> > > > 4) Provide secure server certificates
> > > 
> > > That qualifies as an exception.
> > > 
> > > > 5) Provide database support from server to server.  I'm not a programmer
> > > > any more so I don't know how big an issue it is, but my programmer told me
> > > > it would be a mess
> > > 
> > > Not sure exactly what you're trying to do with server to server DB support
> > > (more to the point why it would be a problem).
> > 
> > If your backend hosting databases reside on different computers than your
> > hosting does, you probably are going to have issues with name based
> > hosting.  However, I am far enough out of this arena personally to be able
> > to explain why.
> > 
> > Once again this is a relatively small issue, at least for us.  Most of our
> > databases do reside on the hosting server.
> > 
> > > > Actually I think the policy would make a wonderful "Guideline".  It
> > > > shouldn't affect IP allocation, but it should be encouraged at this time.
> > > 
> > > That's actually been proposed on another list, although I'm really not sure
> > > if that would affect what people do.  Anybody else have thoughts?
> > > 
> > > > 
> > > > As someone pointed out.  Apparently HTTP/1.0 can support name based
> > > > hosting.  I was unaware of this.
> > > > 
> > > > And if that truely is the case, I would like to see some numbers.  I would
> > > > have guessed ARIN would know this before instituting a policy.  Perhaps
> > > > they would like to share.
> > > 
> > > The numbers we got came from our members.  I believe Gene had some extensive
> > > data.
> > 
> > Gene, do you want to share that data with the list?
> > 
> > > > Alec, I understand your and ARIN's points.  However if a "policy" is going
> > > > to be created and enforced I think we some of these issues need to be
> > > > better addressed and defined so legit ISPs don't have to wait over a
> > > > month to get new IP space and go through a process of defending web
> > > > hosting IP space.
> > > 
> > > Which is why we really need more participation.  Fortunately this policy
> > > change has brought more of it forward, but as I said above we need a better
> > > way to tally opinions in a fair manner...
> > 
> > Someone sent me an email suggesting a poll on your web site using handles
> > as an ID so only members could vote, and they could only vote once.
> > 
> > As a side note, from the lack of participation in this list it appears
> > that either:
> > 
> > 1) Not many ISPs are subscribed to this list
> > 2) They aren't receiving the messages
> > 3) They are too busy to care, or
> > 4) I'm one of only about 10-20 people that feel strongly about this policy
> > 
> > Whatever the case is, I have a business to run, and I've said my
> > peace.  I can't stick up for the rest of them.
> > 
> > For all the reasons I've stated I think this policy is both too undefined
> > in that it lacks the explanations of exceptions (currently it looks like
> > exceptions would be left up to the discretion of the individual staff
> > person working on the account), and that it is premature.
> > 
> > For the record, I tried to participate.
> > 
> > Mury
> > GoldenGate Internet Services
> > 
>