Re: Refuse an assignment because it 'cannot' be routed?

To continue that (cute | silly | pick-your-choice) analogy...
=> I only want a fixed frontdoor (1 fixed IP address), but I am trying to force
=> my landlord into letting me have it without paying triple rent, by asking
=> the government (RIPE) to give me a building permission to install more
=> doors. Not because I want more doors, but to keep the landlord from moving
=> my single door every day :)
=>
=
=Hi,
=
= Hmm... this analogy isn't correct. RIPE is not the government in this.
=RIPE, or your local LIR can give you a door (address assignment), but
=you still need to get a permit from the local council to place it
=(Getting your service provider to actually route it).
=
=One of the things your local LIR may require before selling you a door
=is having a permit. Buying the door somewhere else (RIPE) does not
=automagically entitle you to a permit.
...what we are seeing in reality, though, is something like the "government" (the RIPE NCC) coming back with a question about the colour and style of the door. And - depending on your answer - either going ahead issuing a _permanent_ permit for e.g. an Ethernet- or leased-line-style door ("static"), but limiting the validity of the permit for an xDSL-style or dial-up door to as long as you, or someone from your family, happens to stay at home ("dynamic"). As soon as you go to work, or even worse - take a couple of days off, duhh!!! - you have to submit another application for installing a door.
And, the "government" suggests to the manufacturers of the doors (and/or to the landlord), to give you a call on the phone every, say, 8 hours, to confirm that you haven't left for shopping (physically) or turned to RTFM (virtually/mentally logging off).
That's exactly what happens to me, back home, with my ADSL link being dropped every 8 hours by the ISP *on purpose*, because the NCC sort of "suggests" to the ISPs to use dial-up ratio mechanisms for 24x7 xDSL, flat rate billing.
Very clever, indeed, in particular when someone tries to do stuff that is security-aware. But I have beaten that one to death before (technology independence of assignment rules). Sigh...
Wilfried.
_________________________________:_____________________________________
Wilfried Woeber                  :  e-mail: Woeber@CC.UniVie.ac.at
UniVie Computer Center - ACOnet  :  Tel: +43 1 4277 - 140 33
Universitaetsstrasse 7           :  Fax: +43 1 4277 - 9 140
A-1010 Vienna, Austria, Europe   :  RIPE-DB: WW144, PGP keyID 0xF0ACB369
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
One must not forbid dreams, or else they become reality...

> To continue that (cute | silly | pick-your-choice) analogy...
> => I only want a fixed frontdoor (1 fixed IP address), but I am trying to force
> => my landlord into letting me have it without paying triple rent, by asking
> => the government (RIPE) to give me a building permission to install more
> => doors. Not because I want more doors, but to keep the landlord from moving
> => my single door every day :)
> =>
> =
> =Hi,
> =
> = Hmm... this analogy isn't correct. RIPE is not the government in this.
> =RIPE, or your local LIR can give you a door (address assignment), but
> =you still need to get a permit from the local council to place it
> =(Getting your service provider to actually route it).
> =
> =One of the things your local LIR may require before selling you a door
> =is having a permit. Buying the door somewhere else (RIPE) does not
> =automagically entitle you to a permit.
> ...what we are seeing in reality, though, is something like the "government" (the RIPE NCC) coming back with a question about the colour and style of the door. And - depending on your answer - either going ahead issuing a _permanent_ permit for e.g. an Ethernet- or leased-line-style door ("static"), but limiting the validity of the permit for an xDSL-style or dial-up door to as long as you, or someone from your family, happens to stay at home ("dynamic"). As soon as you go to work, or even worse - take a couple of days off, duhh!!! - you have to submit another application for installing a door.
Hi,
As I said before, RIPE is not the government in this. The permit mentioned in the example above is the willingness of your provider to actually route the traffic to you. If you can convince your provider's LIR to allocate you some IP space, _AND_ you can convince them to route it to you then RIPE won't object as long as the proper forms have been filled in. Using dynamic IP space for residential dial up users makes sense for most applications. Giving every computer out there a static IP address even though it's turned off, or not connected to the internet 98% of the time just doesn't make sense.
> And, the "government" suggests to the manufacturers of the doors (and/or to the landlord), to give you a call on the phone every, say, 8 hours, to confirm that you haven't left for shopping (physically) or turned to RTFM (virtually/mentally logging off).
> That's exactly what happens to me, back home, with my ADSL link being dropped every 8 hours by the ISP *on purpose*, because the NCC sort of "suggests" to the ISPs to use dial-up ratio mechanisms for 24x7 xDSL, flat rate billing.
> Very clever, indeed, in particular when someone tries to do stuff that is security-aware.
Like what? Almost anything is possible from behind a dynamic IP address. If you want to run services then get a commercial account from your provider, or find a provider that will allocate you static IP space.
- marcel

<snip analogy about renting a house>
<snip part about dhcp for dialup which imho is not relevant>
>> Very clever, indeed, in particular when someone tries to do stuff that is security-aware.
> Like what? Almost anything is possible from behind a dynamic IP address.
I want to connect, from home, to a server behind my company's firewall. The firewall only allows connections based on source ip address. Our firewall admin cannot be persuaded to open it up for the whole /19 or whatever my isp uses for its dhcp pool.
> If you want to run services then get a commercial account from your provider, or find a provider that will allocate you static IP space.
This is the problem that caused me to start this discussion: in my area there is no broadband (cable/dsl) provider offering static ip for a reasonable price. If I get a 'commercial' account I need to pay 4(!) times as much as I would for a 'noncommercial' account *per month*; I do not consider this reasonable, even if it does include a bunch of other things I do not want (router etc.).
So by posting here, I hoped to find some arguments to use in convincing the ISPs in my area. Regulation from RIPE [NCC] would have been nice... alas.
Suggestions are still welcome :)
Have a nice weekend,
Herbert

> <snip analogy about renting a house>
> <snip part about dhcp for dialup which imho is not relevant>
>>> Very clever, indeed, in particular when someone tries to do stuff that is security-aware.
>> Like what? Almost anything is possible from behind a dynamic IP address.
> I want to connect, from home, to a server behind my company's firewall. The firewall only allows connections based on source ip address. Our firewall admin cannot be persuaded to open it up for the whole /19 or whatever my isp uses for its dhcp pool.
Hi,
And rightly so. Opening up a secure server to an IP number outside of your direct sphere of influence is asking for trouble, and leads to security nightmares. I'm surprised he'd be willing to open it up to a /32 from outside.
>> If you want to run services then get a commercial account from your provider, or find a provider that will allocate you static IP space.
> This is the problem that caused me to start this discussion: in my area there is no broadband (cable/dsl) provider offering static ip for a reasonable price. If I get a 'commercial' account I need to pay 4(!) times as much as I would for a 'noncommercial' account *per month*; I do not consider this reasonable, even if it does include a bunch of other things I do not want (router etc.).
> So by posting here, I hoped to find some arguments to use in convincing the ISPs in my area. Regulation from RIPE [NCC] would have been nice... alas.
This would seem like a classic case of the wrong solution for a simple problem.
> Suggestions are still welcome :)
There are a lot of VPN products out there, some better than others. Setting up a jump host outside the firewall may also be a solution to your problems. I suggest that you contact your local security officer for possible solutions.
Regards,
- marcel
participants (3)
- Anne Marcel Roorda
- Herbert Baerten
- Wilfried Woeber, UniVie/ACOnet