[arin-ppml] Draft Policy ARIN-2019-2: Waiting List Block Size Restriction

Ronald F. Guilmette rfg at tristatelogic.com
Sun Mar 3 01:09:23 EST 2019


In message <B742CDE3-E6CC-482C-8930-F6057D2999F7 at netconsonance.com>, 
Jo Rhett <jrhett at netconsonance.com> wrote:

>> If I have a web server that's configured to serve up pages for 1,000
>> different web sites, and I get a DMCA complaint about one in particular,
>> I can disable that one alone.
>
>And if you have 1,000 customers using the same source IP (A) how do you
>identify which customer is causing abuse complaints with outbound
>sessions

Well, lemme see here.  (Abuse is actually something that I do know a bit
about, so I think that I may be able to address this, perhaps even to
your satisfaction.)

Before I can answer the question, I need some information:  Are you allowing
all of these 1,000 client people to access a shell prompt and/or run their
own arbitrary binaries on the specific machine to which you have assigned
the single IP address in question?

If so, then yea, you will likely be hard-pressed to figure out which one
>of those 1,000 suspect persons is the actual miscreant.  (But in this case,
adequate logs may actually help.)

This is sort of a good argument to not sell shell accounts to people that
you have no real basis to trust, or if you do, to give each one its own
unique IP address.  But the IP addresses that you dole out to such folks
could be IPv6, and most of the people you are likely to come across that
just want a shell someplace will likely be OK with that.  They don't
really need an IPv4 address unless they plan to run a server of some sort,
and you can make special accommodations for those few.  Most can get IPv6.

For abusive behavior that (somehow) arises from the activities of people
who DO NOT have shell accounts and who DO NOT have the ability to run
arbitrary binaries on your hardware, I can't give you a general answer.
You would have to give me at least some vague hint or clue as to how
such "abuse" might arise in such a context.  Then I could answer.  But
as it stands, the question is rather amorphous.  It's like asking how you
can prevent anything bad from happening to you when and if you walk into
a dark alley on a moonless night.  I can't provide a general answer.
You might be attacked by a crazed dentist who might try to give you an
impromptu root canal.  In that case my advice would be clear:  If at all
possible, keep your mouth shut. :-)

>and (B) just one could cause outages for the others by
>consuming all the ports by a badly written script/plugin or deliberate
>abuse.

It's an interesting point, and one that I'll have to research.

I use FreeBSD, when I can, and on that, at least, there are quite a lot of
options available to the sysadmin for limiting resource usage, e.g. per-
user limits on memory usage, and various kinds thereof (e.g. swap, stack,
etc.).  What you've just asked about is just another rather obvious way
that one user could hog resources at the expense of all others, and I would
hope that FreeBSD, at least, would provide some way that root could place
per-user limits on maximum port usage, you know, in order to avoid exactly
such situations.  But maybe not.  I'll have to look into it.  I do believe
that FreeBSD supports per-user limits of number of sockets, and that may
effectively and in practice work out to the same thing.

Certainly if you have rambunctious college students that you are allowing
to have shell accounts on your servers, then you had best first be sure
that your OS is capable of limiting any damage they can do (and specifically
any and all trivial resource exhaustion ploys).  But I think that's an almost
entirely orthogonal question to the question of how you distribute or use
your IPv4 addresses.  (And by the way, one of the first programs that I
ever wrote simply recursed on itself, ad infinitum.  I can't clearly recall
anymore, but I do believe that RSTS/E was able to survive that however.)

>Finally, there are a number of poorly written laws that require that
>unique IPs be given to each customer.

WHOA!  Really??  I'd *really* like to have a look at THOSE!  Can you
provide citations?  I had no idea that any legislators anywhere on earth
had gotten this deep into trying to micro-manage the Internet.  (Not that
I wouldn't put it past them to try!)

>Whether or not the technology
>could support it, the legal framework a business has to operate in may not.

Well, I agree that that is certainly a whole separate kettle of fish, if
indeed there are any such laws (e.g. requiring one IP address per user).

I earnestly would like to have a look at those, if you can point me at them.
Mostly, I'd just like to see how they define the term "user"... as in the
thing to which a unique IP address must be assigned.  But it would also be
fascinating to see how they define the term "IP address".  Would an IPv6
address fit the bill?  If so, then problem solved, right?

>> Is this not self-evident?
>
>It is not. And again, you are being insulting to people based on your
>own ignorance and in this case a fairly basic misunderstanding of how IP
>works.

I fail to see how anything I have said could be even remotely misconstrued
as being in any way insulting.  But as I have also said, if there is some
consensus on that point, I'll act accordingly, and apologize if warranted.


Regards,
rfg
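An added example, not part of this message or the mailing-list thread, illustrating the two technical points debated above: attributing an outbound session on a shared IPv4 address to one of many shell users when "adequate logs" exist, and spotting a user who is hogging sockets (and so ports) at the expense of the others. It assumes a constructed, periodically captured sockstat-style snapshot log; the host, users, ports and log format are invented for the example.

```python
"""Attribute an outbound session on a shared IPv4 address to a local user.
Constructed example, not from the mailing-list post: host 192.0.2.10 is shared by
several shell users, and a cron job logs a sockstat-style snapshot of open sockets
every few minutes.  An abuse complaint names our source port, the remote host and a
time; we look up who held that port in the snapshots closest to that time."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed snapshot log, one socket per line:
# "<ISO time> <user> <command> <pid> <proto> <local addr:port> <foreign addr:port>"
SNAPSHOT_LOG = """\
2019-03-03T01:05:00 alice sshd 1201 tcp4 192.0.2.10:22 198.51.100.7:40211
2019-03-03T01:05:00 bob python3 1340 tcp4 192.0.2.10:51234 203.0.113.5:25
2019-03-03T01:05:00 bob python3 1340 tcp4 192.0.2.10:51235 203.0.113.6:25
2019-03-03T01:10:00 bob python3 1340 tcp4 192.0.2.10:51234 203.0.113.5:25
2019-03-03T01:10:00 carol curl 1502 tcp4 192.0.2.10:60010 198.51.100.9:443
2019-03-03T01:30:00 carol curl 1502 tcp4 192.0.2.10:51234 203.0.113.5:25
"""

def parse_snapshot(text):
    """Parse snapshot lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, cmd, pid, proto, local, foreign = line.split()
        _lhost, lport = local.rsplit(":", 1)
        fhost, fport = foreign.rsplit(":", 1)
        records.append({"ts": datetime.fromisoformat(ts), "user": user, "cmd": cmd,
                        "pid": int(pid), "proto": proto, "lport": int(lport),
                        "fhost": fhost, "fport": int(fport)})
    return records

def attribute(records, local_port, foreign_host, when_iso, window_minutes=10):
    """Users who held local_port towards foreign_host within the window around the
    complaint time.  Ephemeral ports get reused, so a wide window may return more
    than one user: the tighter the snapshot interval, the sharper the attribution."""
    when = datetime.fromisoformat(when_iso)
    window = timedelta(minutes=window_minutes)
    return {r["user"] for r in records
            if r["lport"] == local_port and r["fhost"] == foreign_host
            and abs(r["ts"] - when) <= window}

def users_over_cap(records, at_iso, cap):
    """Users holding more than `cap` sockets in the snapshot taken at at_iso."""
    at = datetime.fromisoformat(at_iso)
    counts = Counter(r["user"] for r in records if r["ts"] == at)
    return {u: n for u, n in counts.items() if n > cap}
```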
