[arin-ppml] Draft Policy ARIN-2019-2: Waiting List Block Size Restriction

hostmaster at uneedus.com
Sun Mar 3 02:25:23 EST 2019


Strictly speaking, the laws talked about do not REQUIRE each customer have 
his/her own IP address, but from a practical point of view, giving each 
customer his/her own IP address is the easiest way to comply with these 
laws.

Examples include CALEA, which starts at 42 USC 1002.  This law requires 
certain parties including internet access providers to provide under court 
order the content of communications upon service of a Court Order. 
Effectively, this is a wiretap.  Without each customer connection having 
its own unique address, it is nearly impossible to comply with this law. A 
wiretap order can be obtained against a website, and the law requires the 
communication operator to deliver to the government JUST the communication 
of the subject of the order.  In the case of shared hosting, without a 
unique identifier such as an IP address, it would be very difficult to 
comply with the order and redirect a copy of their communications to the 
government that does not contain the communications of all your customers.

The other well known example is the DMCA, which is at 17 USC 512 et seq. 
It requires disabling or taking down content that someone swears is 
violating their copyright, or the operator becomes responsible for the 
infringement.

If all the websites are hosted by a single server instance on the same 
machine, of course this can be easily done by the operator by simply 
knowing the URL of the content.  However, not all shared hosting happens 
that way.  Those with high demand content might be hosted on a dedicated 
server that is leased to another party.  For less demanding content, an 
instance of the webserver running on a shared server might instead be 
used.  In any case, each person leasing a server or webserver instance 
controls completely what websites they choose to support.  If the IP is 
shared as suggested, all the DMCA notices are going to be directed to the 
owner of the server, who will not without engaging in a logging operation 
know which instance (and therefore which customer) is hosting the 
offending content.  By keeping each customer on his/her own IP address, 
the owner will know which customer is responsible since the report will 
contain the IP.  In fact, SWIP helps with this, as the owner can identify 
the contact for each customer in SWIP to the world at large and allow the 
DMCA reports to go directly to the customer, bypassing owner involvement.

While this is not the most efficient use of address space, it remains 
the easiest way to identify customers - by giving them each their own IP. 
This is done in most internet access contracts, unless the provider uses 
CGNAT because they do not have enough addresses for all their customers. 
Even in the case of CGNAT, if they receive a CALEA order, they will move 
that customer off the CGNAT and onto a dedicated IP so they can comply 
with the Court Order.

The other thing I disagree with is your suggestion that clients should be 
on IPv6 and servers on IPv4.  In fact, without the use of translation 
technology, the two protocols cannot directly talk to each other.  If you 
want the clients to speak IPv6, ideally there needs to be servers with 
IPv6 addresses for those to talk to.  Same with IPv4.  Both sides need to 
speak the same version, or have some kind of translation technology 
between them.  This is an additional expense that some choose not to have.

I agree the future of the internet is IPv6.  Of course that applies to 
BOTH clients and servers.

Albert Erdmann
Network Administrator
Paradise On Line Inc.

On Sat, 2 Mar 2019, Ronald F. Guilmette wrote:

>
> In message <B742CDE3-E6CC-482C-8930-F6057D2999F7 at netconsonance.com>,
> Jo Rhett <jrhett at netconsonance.com> wrote:
>
>>> If I have a web server that's configured to serve up pages for 1,000
>>> different web sites, and I get a DMCA complaint about one in particular,
>>> I can disable that one alone.
>>
>> And if you have 1,000 customers using the same source IP (A) how do you
>> identify which customer is causing abuse complaints with outbound
>> sessions
>
> Well, lemme see here.  (Abuse is actually something that I do know a bit
> about, so I think that I may be able to address this, perhaps even to
> your satisfaction.)
>
> Before I can answer the question, I need some information:  Are you allowing
> all of these 1,000 client people to access a shell prompt and/or run their
> own arbitrary binaries on the specific machine to which you have assigned
> the single IP address in question?
>
> If so, then yea, you will likely be hard-pressed to figure out which one
> of those 1,000 suspect persons is the actual miscreant.  (But in this case,
> adequate logs may actually help.)
>
> This is sort of a good argument to not sell shell accounts to people that
> you have no real basis to trust, or if you do, to give each one its own
> unique IP address.  But the IP addresses that you dole out to such folks
> could be IPv6, and most of the people you are likely to come across that
> just want a shell someplace will likely be OK with that.  They don't
> really need an IPv4 address unless they plan to run a server of some sort,
> and you can make special accommodations for those few.  Most can get IPv6.
>
> For abusive behavior that (somehow) arises from the activities of people
> who DO NOT have shell accounts and who DO NOT have the ability to run
> arbitrary binaries on your hardware, I can't give you a general answer.
> You would have to give me at least some vague hint or clue as to how
> such "abuse" might arise in such a context.  Then I could answer.  But
> as it stands, the question is rather amorphous.  It's like asking how you
> can prevent anything bad from happening to you when and if you walk into
> a dark alley on a moonless night.  I can't provide a general answer.
> You might be attacked by a crazed dentist who might try to give you an
> impromptu root canal.  In that case my advice would be clear:  If at all
> possible, keep your mouth shut. :-)
>
>> and (B) just one could cause outages for the others by
>> consuming all the ports by a badly written script/plugin or deliberate
>> abuse.
>
> It's an interesting point, and one that I'll have to research.
>
> I use FreeBSD, when I can, and on that, at least, there are quite a lot of
> options available to the sysadmin for limiting resource usage, e.g. per-
> user limits on memory usage, and various kinds thereof (e.g. swap, stack,
> etc.).  What you've just asked about is just another rather obvious way
> that one user could hog resources at the expense of all others, and I would
> hope that FreeBSD, at least, would provide some way that root could place
> per-user limits on maximum port usage, you know, in order to avoid exactly
> such situations.  But maybe not.  I'll have to look into it.  I do believe
> that FreeBSD supports per-user limits of number of sockets, and that may
> effectively and in practice work out to the same thing.
>
> Certainly if you have rambunctious college students that you are allowing
> to have shell accounts on your servers, then you had best first be sure
> that your OS is capable of limiting any damage they can do (and specifically
> any and all trivial resource exhaustion ploys).  But I think that's an almost
> entirely orthogonal question to the question of how you distribute or use
> your IPv4 addresses.  (And by the way, one of the first programs that I
> ever wrote simply recursed on itself, ad infinitum.  I can't clearly recall
> anymore, but I do believe that RSTS/E was able to survive that however.)
>
>> Finally, there are a number of poorly written laws that require that
>> unique IPs be given to each customer.
>
> WHOA!  Really??  I'd *really* like to have a look at THOSE!  Can you
> provide citations?  I had no idea that any legislators anywhere on earth
> had gotten this deep into trying to micro-manage the Internet.  (Not that
> I wouldn't put it past them to try!)
>
>> Whether or not the technology
>> could support it, the legal framework a business has to operate in may not.
>
> Well, I agree that that is certainly a whole separate kettle of fish, if
> indeed there are any such laws (e.g. requiring one IP address per user).
>
> I earnestly would like to have a look at those, if you can point me at them.
> Mostly, I'd just like to see how they define the term "user"... as in the
> thing to which a unique IP address must be assigned.  But it would also be
> fascinating to see how they define the term "IP address".  Would an IPv6
> address fit the bill?  If so, then problem solved, right?
>
>>> Is this not self-evident?
>>
>> It is not. And again, you are being insulting to people based on your
>> own ignorance and in this case a fairly basic misunderstanding of how IP
>> works.
>
> I fail to see how anything I have said could be even remotely misconstrued
> as being in any way insulting.  But as I have also said, if there is some
> consensus on that point, I'll act accordingly, and apologize if warranted.
>
>
> Regards,
> rfg
> _______________________________________________
> ARIN-PPML
> You are receiving this message because you are subscribed to
> the ARIN Public Policy Mailing List (ARIN-PPML at arin.net).
> Unsubscribe or manage your mailing list subscription at:
> https://lists.arin.net/mailman/listinfo/arin-ppml
> Please contact info at arin.net if you experience any issues.
>
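Added illustration (not from either poster) of the point both make above, that an abuse or DMCA report naming only a shared IP cannot be attributed to one customer, whereas a logging operation that records source port and session time can resolve it. The NAT log format, tenant ids and addresses are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Set

# Constructed NAT translation log (hypothetical format, not from any real
# device): session start, session end, tenant id, private source, public source.
NAT_LOG = """\
2019-03-02T14:00:00Z,2019-03-02T14:10:00Z,cust-17,10.0.0.17:51000,203.0.113.10:40123
2019-03-02T14:03:00Z,2019-03-02T14:04:00Z,cust-42,10.0.0.42:51001,203.0.113.10:40124
2019-03-02T14:11:00Z,2019-03-02T14:20:00Z,cust-42,10.0.0.42:51002,203.0.113.10:40123
"""

@dataclass(frozen=True)
class Session:
    start: datetime
    end: datetime
    tenant: str
    public_ip: str
    public_port: int

def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp written with a trailing 'Z'."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)

def parse_nat_log(text: str) -> List[Session]:
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, tenant, _private, public = line.split(",")
        ip, port = public.rsplit(":", 1)
        sessions.append(Session(parse_ts(start), parse_ts(end), tenant, ip, int(port)))
    return sessions

def tenants_for_ip(sessions: List[Session], public_ip: str) -> Set[str]:
    """All a report naming only the shared IP can resolve: every tenant behind it."""
    return {s.tenant for s in sessions if s.public_ip == public_ip}

def attribute(sessions: List[Session], public_ip: str, public_port: int,
              when: datetime) -> Set[str]:
    """Resolve a report carrying IP, source port and timestamp to the tenant(s)
    whose translation covered that tuple at that instant. One element means
    attribution succeeded; empty means no record exists; more than one means
    the logs are not precise enough to single out a customer."""
    return {s.tenant for s in sessions
            if s.public_ip == public_ip and s.public_port == public_port
            and s.start <= when <= s.end}
```

Note that public ports are reused over time (port 40123 serves two tenants in the sample), so a report without a timestamp is ambiguous even when it carries the port.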
