However a lot of people are asking, why not a /64?  Quoted below is the sort of answer you’re likely to receive on NANOG, by one Mark Smith:

There are a variety of scenarios where customers, including residential, will benefit from having multiple subnets. They may wish to separate the wired and wireless segments, to prevent multicast IPTV from degrading wireless performance. They may wish to segregate the children/family PC from the adult PC network or SOHO network, allowing the subnet boundary to be an additional Internet access policy enforcement point. They’ll need separate subnets if they wish to use a different link layer technology, such as LoWPAN. They may wish to setup a separate subnet to act as a DMZ for Internet facing devices, such as a local web server for sharing photos with relatives. Game consoles may be put in a separate subnet to ensure file transfers don’t interfere with game traffic latency, using the subnet ID as a QoS classifier.

This answer is quite simply unrealistic. It’s the answer of a typical geek with no sense of perspective as to what the average consumer wants. It’s the opinion of what Mark Smith the network engineer and geek would want.

In the real world, most consumers of domestic internet services have absolutely no concept of IP addresses let alone subnetting, VLANs, segregation or quality of service. Most domestic networks are a single flat subnet with NAT to a single IP address and no servers that would require port forwarding, and rarely an IPTV system, but those are usually setup to use special triple-play routers configured by the ISP. Most domestic users just want to be able to plug stuff in and have it work.

Now, people will argue that there are more IPv6 addresses than there are atoms in the world. However that argument isn’t as good when you are assigning 1,208,925,819,614,629,500,000,000 IP addresses for just 2 or 3 devices. It’s a grossly inefficient waste no matter what you say. Not to mention that if you’re one of the big cable or DSL providers with millions of customers, it makes much more sense. Each barely used /48 that you throw out contains 256 /64′s.

As such, I personally am inclined to go for the default of a /64 per customer, but allow for a /48 should they need it. There is absolutely no point in issuing a /48 subnet to someone who is never ever going to use it… it’s just laziness, which is what got us into the current situation with IPv4 in the first place.

• 20 users on 24Mb ADSL sharing just 1Mb of bandwidth.
• All other users sharing 30Mb of bandwidth on old 20CN 8Mb ADSL.
• Added in enhanced care for all users at £8 a go.
• Forgot monthly broadband line rental charges at £7.90 a go.
• Will charge us for bandwidth across the 21CN network, plus charges for 3km of fibre across the London Docklands and we have to provide the BRAS – but yet they still have the balls to charge us £24k a year just for the privilege of doing business with the almighty BT Wholesale. Seriously, noone can explain what this charge is for given that they have separate charges for both bandwidth and fibre.

When I entered the correct figures into their shitty little price sheet, added in all the things they forgot, it came to a whopping £26 per user before any profit margin is added.

By comparison, Be/Fluidata is charging a non-recurring £3k to setup a simple crossconnect in any London Telehouse, and then all we pay are simple line charges depending on the product used, the average one of which is £16 per month.

It’s quite clear that BT Wholesale is not interested in providing any sort of service to other service providers. The ridiculous ordering/faults system, the outright denial of clear area-wide faults and now these ridiculous and quite arbitrary charges for access to their so-called 21st Century Network that still doesn’t properly support IPv6 are all very telling.

Yes.. that is a grand total of 43 seconds from reporting the fault to BT Wholesale rejecting it. This was even reported via KBD, which lets you confirm that the user has already attempted to replace his router, cables, filters and even tried from the test socket. 43 seconds is not enough time for most people to type that long-winded reply about SFI appointments, let alone for BT to run the necessary diagnostics to determine if there is a fault or not.

At my place of work we have suspected that BT was doing this for a long time as all too often, and 9 times out of 10 blatently obvious faults are rejected with the message “not due to a network fault”. Now I have a handful of faults, some where it was customer some, but some where there was genuine faults such as the DSLAM being faulty where BT has denied anything being wrong and cleared the fault in less than a minute.

Is it any wonder that people think their ISPs are incompetant and BT can do no wrong? It’s because when BT has a fault they have the ability to actually go and look at the DSLAM and see for themselves. When anyone else has a fault, they have to rely on the BT Wholesale broadband diagnostics systems which are quite frankly, half assed and go down more often than a thai hooker.

This is what happens when someone has a monopoly but are mandated to supply wholesaler services to others to make it look like they don’t have a monopoly. Their own service is perfect and can do no wrong, while all those wholesalers can scream and shout and cry about the godawful service they’re being given.

Bandwidth Throttling

One oft-protested behavior of various ISP’s is the throttling – that is, limiting – of bandwith at certain times or for certain uses.

Yes, some ISPs shape the bandwidth supplied to the customer. There’s good reason for this however. Residential broadband connections are contended services. That means that you share that bandwidth along with a number of other people. In the UK, the standard contention ratio for residential users is 50:1. If bandwidth is not shaped, then just one customer abusing Bittorrent to download pirate movies or games or music can use up all the bandwidth of 50, leaving those other customers shit out of luck. You’ll also note that the only people who ever complain about shaping are those pirating content.

Imagine that the bandwidth is a 3 lane motorway. If everyone behaves, we can all drive down the motorway at reasonable speeds, occasionally going faster where possible. However, if one driver in an articulated lorry starts swerving all over the road, everyone else has to slow down and be late. Bandwidth shaping is done to preserve the use of the road for everyone.

Deceptive Speed Claims

Examine the fine print on most ISP commercials, and you will likely find that the promised Internet speed (say, 10MBPS) has the words “up to” in front of it. As it turns out, this is often a clever means of dodging the truth about the actual speeds you are likely to receive.

Again, the service is contended. If you have an 8Mb 50:1 service, you are sharing that 8Mb with potentially up to 50 other people. There’s also the technology involved; ADSL is distance limited so the further away from the telephone exchange you are the lower it will connect at. “Upto 8Mb” covers all of this in two words. You get what you pay for and at £20-25 a month, no ISP could guarantee what this writer is demanding. Let me break it down:

1. ADSL line, up to 8Mb 50:1 – £11.90/month
2. Link to ADSL network to cover a single user on 8Mb 50:1 – £1400/month
3. 8Mb bandwidth – £176.00/month
4. Upstream circuit links – 2x£2,500/month

Never mind the infrastructure required to deliver such a service, servers for providing DNS and email, datacentre space, cooling and electricity and so on – but to give you your 8Mb ADSL without it being shared with anyone would cost somewhere in the region of £6,500 per month to have their own dedicated ISP not shared with anyone else. NOT £25. It’s only by sharing infrastrucure and bandwidth with other customers that cheap broadband actually becomes economical. If you want a dedicated guaranteed 8Mb circuit, feel free to go talk to your ISP – they’ll quote you a figure probably somewhere between £10,000 to £12,000 a year, plus probably a £15,000 install.

Targeted Advertising

Increasingly, some of the most passionate complaints against ISPs have involved privacy concerns. A case in point is Charter’s decision in 2008 to begin tracking its users’ search behavior and using them to insert ads into their results.

Never mind that the example screenshot given is from Google, highlighting Google’s own advertising which has absoloutely nothing to do with whatever ISP you are using to connect with; the article in question successfully gives a single example of a single large ISP abusing the Phorm advertising system. As far as I am aware the only other ISP to consider using this system is BT in the UK, and they were smacked down for being in breach of privacy laws.

This is tarring all ISPs with the same brush for the sake of a one or two bad apples.

ISP Wiretapping

2007’s Communications Assistance for Law Enforcement Act mandated that all ISPs enable the feds to “wiretap” Internet transmissions in much the same way they do phone calls.

Note the word “mandated”. That’s not your ISP screwing you over – that’s your government. Most ISPs have this capability anyway in order to comply with court orders or police investigations. Do you really want to be responsible for some 3 year old getting raped by a pedophile because it was made illegal for ISPs to help catch sick fucks just so you could download your pirate movies without having to worry that someone might be watching you because the police told them to?

Ad-Filled “Website Not Found” Pages

Always on the lookout for new sources of revenue (however small), some ISPs have taken to displaying ads in their error pages.

Some ISPs do this, however the good ones will give you a source of opting out, and as this is usually DNS based if you don’t like it you can always either setup your own DNS server or use OpenDNS.

Deep Packet Inspection

Another serious gripe privacy advocates have with ISPs is what is known as “deep packet inspection.”

That would because privacy advocates don’t actually understand DPI, which looks for patterns in order to recognize traffic types. The actual content cannot usually be observed, but it can also log when someone is for example, using Bittorrent. These boxes are usually used to packet shape your traffic (see “bandwidth throttling” above), but are also extraordinarily expensive – usually only affordable by quite large ISPs. But wait! There’s more…

However, it is also been used by ISPs to police copyright infringement by detecting when someone is or may be downloading songs or movies – and some ISPs go a step further by turning this information over to inquiring record labels.

And so we get to the real crux of the issue that the author has with DPI – pirating movies and music! Of course, if you’re not doing anything illegal then DPI really isn’t something you have to worry about. Damn you pesky ISPs! Conforming with the letter of the law and trying to prevent yourselves from being used to commit illegal activties! Grr and much fist-shaking and so on.

Packet Spoofing/Forgery

Comcast engaged in what is known as “packet spoofing” (or packet forgery) by interrupting file transfers with bogus packets that killed any P2P downloads a user happened to be engaging in.

One ISP does something that contravenes the way that TCP/IP is supposed to work and we all get tarred with the same brush again. I can assure you that few if any ISPs that have any sort of technical savvy would even consider doing this. Comcast are the only ISP known to have deployed this system as it far too heavy handed – affecting both legitimate and illegitimate traffic. It also opens the ISP up to a certain amount of liability for having demonstrated that they can block certain traffic types, for then not blocking other traffic types such as viruses or spam, which happily leads me to the next point in this ignorant article.

Inadequate Virus/Spyware Protection

ISP’s have also come under fire for charging high subscriber fees without adequately protecting consumers from spyware, viruses and other forms of online fraud.

As I think I’ve already demonstrated, most ISPs are not charging “high subscriber fees”, and in one sentence the author of this article has demonstrated his complete ignorance of any of the previously mentioned technologies. If you want your ISP to prevent you from idiotically downloading a virus and running it, they have to install what is known as an IDP, or Intrusion-Detection-Prevention device. What is an IDP? Basically, it’s a Deep-Packet Inspection device configured to look for viruses, trojans, spyware and known hacks. It would then have to use Packet Spoofing to block your attempt to download that virus. So the author wants us to protect him from viruses without actually using any of the known technologies to do so. Does he want us to send someone around to his house to operate his computer for him or what?

Generally speaking, service agreements between you and your ISP indemnify them from responsibility for any damage or losses caused by spyware or viruses you get infected with on their network.

…because we all know that it’s the pesky ISP forcing viruses and spyware onto your computer. Out in reality-world (as opposed to this crack-smoking monkey of an author’s fantasy world), 9 times out of 10 virus and spyware infections are because the user actively downloaded that cute new screensaver of the puppies doing barrel rolls and installed it, and that screensaver was actually a shell for a massive spyware infection. Or the user received an email from King Mambatu who wanted his help to move $9,843,699 dollars out of the Bank of Nambia and needed him to open this harmless attachment to get the process started. Yup, all the ISPs fault that is. This couldn’t possibly be the reason why ISPs have had to indemnify themselves against protecting you from viruses and spyware because a certain section of society wouldn’t sue them into oblivion with frivolous lawsuits over their own stupidity or that when they do offer antivirus or antispam services on email, that the technology cannot guarantee that it will catch everything.

Sneaky Fees

MSNBC reports on a telling example back in 2006, when a a $2-$3 per month federal tax on DSL users was taken off the books. But rather than lowering its subscriber fees by $2-$3, Verizon thought better of it and kept fees the same by adding a “supplier surcharge” fee.

It’s hardly a sneaky fee if it’s listed on the bill. It might be sneaky for the muppets who don’t bother to read their bills, which is rather disturbing seeing as this is written by someone calling himself “Bill Shrink Guy”.

I won’t deny that doing such a thing isn’t disreputable, but the real issue here is to make sure you read all your bills and ensure you understand what you’re paying for. If your gas supplier suddenly adds a “Boiler Maintenance” surcharge to your bill and you pay it without question, you’re an idiot.

Recently I had to setup several Mikrotik RouterOS to ZyXEL VPNs and through I would document how it’s done.

First, a quick diagram to explain the setup we’re going to cover. Just imagine that the 10.0.0.0/24 network in the middle is in fact the internet.

We’ll configure the ZyXEL’s “public” address as 10.0.0.1 and the RB’s as 10.0.0.2.

First, the ZyXEL. It’s an older ZyXEL 652H, but the same settings apply to almost all of the VPN enabled ZyXEL devices. Create the VPN as you normally would on the ZyXEL, ensuring to use subnet’s for your local and remote networks, as well the IP addressess of the ZyXEL and Mikrotik for the Peer IDs:

And under advanced:

Now, on RouterOS we start by configuring the policy for this VPN. This is the equivelent of the first page of the ZyXEL configuration. Open the IP->IPsec window in WinBox, and create a new policy as follows:

Next, switch to the “Peers” tab and create a new peer, using the public address of the ZyXEL as the address:

There’s a few confusing extras here that don’t appear on the ZyXEL.

• Proposal Check – Determines how proposed lifetimes are handled. Setting this to “Obey” is the most flexible as it will make RouterOS conform to whatever the remote site proposes.
• DH Group – Mikrotik use the actual algorithm names as opposed to the normal “DH1″ or “DH2″. The table below shows the mapping between these:
  

  Diffie-Hellman Group	Name	Reference
  Group 1	768 bit MODP group	RFC2409
  Group 2	1024 bits MODP group	RFC2409
  Group 3	EC2N group on GP(2^155)	RFC2409
  Group 4	EC2N group on GP(2^185)	RFC2409
  Group 5	1536 bits MODP group	RFC3526

  Note: I was not able to get group 2 to work. It results in a proposal mis-match error.

• Generate Policy – Appears to dynamically generate the policies depending on what details have been supplied by the remote side. May be of use for dynamic VPNs.
• Lifebytes – Session will be reconnected after X bytes have been encrypted. Best to leave this alone.
• DPD – Mikrotik do not offer any explanation for this, other than that experiments on the official forums seem to confirm that it only appears works with other RouterOS devices.  Juniper’s documentation explains that it stands for “Dead Peer Detection”.

There’s one last step after this. In RouterOS, NAT is performed before IPsec takes place. This means that any general masquerade or 1:1 NAT rules will take place before the VPN is reached, and the now NAT’d addresses will not be directed across the VPN. To avoid this we need to add a NAT rule at the very top of the table:

By placing this rule at the top of the NAT table under IP->Firewall, when a packet is directed from the RouterOS LAN towards the VPN destination subnet, the “accept” action will cause the NAT table to stop processing, and thus never reach any other NAT rules.

There is no way to force RouterOS to establish the connection other than by sending traffic.It’s also important to note that v4.0 of RouterOS appears to suffer from a bug that causes the VPN to establish but not correctly route traffic across it.

The court documents detail how Louis Vuitton notified the ISP no less than 15 times – giving them ample opportunity and evidence to terminate the customer. Instead the ISP allowed that customer to juggles his sites around on different domain names and IP addresses and continue to sell the fake goods. The ISP was found guilty because they were complacent in allowing a customer to use their service to break the law. They tried to claim safe harbour under the DMCA act, however here we are exactly 2 years after the initial filing and the websites listed in the initial claim are still operating in Akanoc IP space.

It’s a tricky line for ISPs to cross. In my day to day work, I receive notices of copyright infringement from the MPAA/RIAA every week – but how are we supposed to act? We do not have the technology to actively monitor accused customers as the equipment required ranges into the tens of thousands to the hundreds of thousands of dollars. The MPAA/RIAA provide scant evidence – evidence which has been shown in the past to be very, very incorrect at times. We do what we can under UK law, notify the customer that we have received an infringement notice and notify the MPAA/RIAA that the customer has been warned.

The UK government wants to make deep packet inspection boxes mandatory for all ISPs, without regard to the cost  (which will cripple any medium-to-small service provider, if not put them out of business) and on top of that they appear to think that these boxes can log everything and anything regardless of software or encryption – there isn’t a DPI box yet which can monitor Second Life traffic… but that’s what the UK government is expecting ISPs to do.

However, this is missing a key point in this case in California: The ISP in question was provided with verifiable evidence that thier customer was selling fake, knockoff and illegal goods – and they declined to act on it (and in fact are still declining to act upon it to this day). Other ISPs spend a great deal of time and money ensuring that they are reacting to spam issues and hacked servers being used to host fake paypal logins. Akanoc Solutions Inc. took an active decision in deciding to not enforce their rights to terminate an obviously fraudulent customer and allowed them to continue in their business. They deserve everything they got.

You don’t pay for them once and keep them forever. If it’s a .com, you most likely have to renew it every year and it’s a lot like your Time magazine subscription: If you don’t pay the bill, you stop receiving the service.

Your ISP will send you an email around 30 days before it’s due to expire, letting you know how to renew it. This is standard practice – although some will send you a letter in addition, but beware the so called “Domain Registry of America” as they are a domain name renewal scam company.

Ignore the notice and your domain will expire. And if you did exactly that, please do not then phone your ISP and scream at them for not calling you about your domain expiring. Most of all, don’t complain that they should have phoned you over your piddling $7.99 domain name. You realise that to phone every customer every day about every expiring domain name that they’d have to hire a half-dozen extra bodies and charge you about 50 bucks for your cheapass domain renewal?

Furthermore, don’t then bitch about how important said domain is to your business, how you’re losing email, and then refuse for 3 days to send in confirmation of your wish to renewal by fax or email. You do realise they don’t really care if you spend your 8 bucks with them or not? Really, they’re hoping you DO stall for a few more days because then your domain is going into redemption and is going to cost you a hundred bucks to get back.

Oh, you just sent a support ticket bitching about how you opened a ticket 9 months ago asking them to keep renewing it indefinitely? They really, really like how you ignored the reply to that ticket clearly stating that they couldn’t do that and you would have to follow procedure which was to follow the instructions in the email sent 30 days before the domain was due to expire.

You’re going to take your business elsewhere? Why would they care? Your current account is worth about 100 bucks a year revenue to them, and you cost them around 400-500 in support. They also happen to know that a number of other local suppliers including a Cisco Gold Partner have told you to go elsewhere when your contracts came up for renewal because you’re such a god awful customer.

Don’t you realise that calling your suppliers names and generally acting like a 4 year old having a temper tantrum does not exactly endear the staff to your plight? You realise that it makes them much more likely to not volunteer information and to strictly enforce their company policies?

Didn’t think so… that’s why it’s 3 days later and your domain name still hasn’t been renewed.

View Source: http://www.potato-people.com/code/misctools/spamhausdrop.phps

Download: http://www.potato-people.com/code/misctools/spamhausdrop.tar.gz