Fibre and static IP

[Malcolm Loades]

As I look out of my window a fibre cable is being installed in my road
for https://www.toob.co.uk I've enquired and they do not provide as
standard, nor even for extra money, a static IP address!

Is this normal for fibre providers? I'm really surprised at a company
offering 900Mbps both down and up not offering a static IP. Surely,
some of the most interested users will be business users whose need for
a static IP is almost a given.

Malcolm

[Chris Green]

Malcolm Loades <dev...@loades.net> wrote:
> As I look out of my window a fibre cable is being installed in my road
> for https://www.toob.co.uk I've enquired and they do not provide as
> standard, nor even for extra money, a static IP address!
>

Do they actually know what a static IP is?

> Is this normal for fibre providers? I'm really surprised at a company
> offering 900Mbps both down and up not offering a static IP. Surely,
> some of the most interested users will be business users whose need for
> a static IP is almost a given.
>

In reality you may find you get the same IP all the time though and
there are ways of managing a 'not very often changing' IP.

Also, I guess IPV6 is more likely available with a new installation
and then you have an IP for every device round your home fixed for as
long as you like.

--
Chris Green
·

[Malcolm Loades]

On 29/06/2021 11:45, Chris Green wrote:
> Malcolm Loades <dev...@loades.net> wrote:
>> As I look out of my window a fibre cable is being installed in my road
>> for https://www.toob.co.uk I've enquired and they do not provide as
>> standard, nor even for extra money, a static IP address!
>>
> Do they actually know what a static IP is?
>

I hope so! They wrote "I can confirm we only provide a dynamic IP
address." in reply to my question.

>> Is this normal for fibre providers? I'm really surprised at a company
>> offering 900Mbps both down and up not offering a static IP. Surely,
>> some of the most interested users will be business users whose need for
>> a static IP is almost a given.
>>
> In reality you may find you get the same IP all the time though and
> there are ways of managing a 'not very often changing' IP.

>DDNS services may be OK for use connecting to an ftp server but of no
help if you run a mailserver.

> Also, I guess IPV6 is more likely available with a new installation
> and then you have an IP for every device round your home fixed for as
> long as you like.

Malcolm

[Graham J]

A reputable supplier will offer a static IP, perhaps at a small cost.

I suspect a static IP is of more use to hobbyists, in terms of access to
resources in the home. It may also be true of small one-person
businesses working from home. But any larger business with a real need
- such as as small ISP -- will be funding its own fibre internet
connection and not relying on the likes of toob. Probably it will also
be looking at diverse routing for reliability, decent UPS and backup
generator, and the like. Other business will be using cloud-based
services for email and the like, so access from anywhere will be
straightforward.


--
Graham J

[David Wade]

Malcolm,
Many of the newer entrants to the market are using carrier grade NAT so
not only do you not get a static IP address, you don't even get a
routable IP address so you can't even use a Dynamic DNS.

Its reported that at least in some locations "toob" does provide
routable public addresses...

https://forums.thinkbroadband.com/otherisp/4675486-toob-fttp-in-southampton.html

Dave
G4UGM

[Theo]

I think the issue might be that many of the fibre providers are newcomers,
who didn't buy up big blocks of IPv4 addresses in 1990s and 2000s. IPv4
addresses are now exhausted, and so the newer providers can only acquire
relatively small blocks of IPs (often random collections of /24s). To
conserve them that means dynamic IPs and CGNAT.

The question you should be asking is what size of IPv6 address prefix they
provide, because that's going to be the only way to get a stable address for
incoming traffic in future.

Theo

[Andy Burns]

Malcolm Loades wrote:

> As I look out of my window a fibre cable is being installed in my road
> for https://www.toob.co.uk  I've enquired and they do not provide as
> standard, nor even for extra money, a static IP address!

Not even for the £50/month business service?

[Abandoned_Trolley]

>
> Malcolm,
> Many of the newer entrants to the market are using carrier grade NAT so
> not only do you not get a static IP address, you don't even get a
> routable IP address so you can't even use a Dynamic DNS.
>
> Its reported that at least in some locations "toob" does provide
> routable public addresses...
>
> https://forums.thinkbroadband.com/otherisp/4675486-toob-fttp-in-southampton.html
>
>
> Dave
> G4UGM

And if there were any truth in the oft repeated claims about us running
out of IPV4 addresses then they would all be doing it.

AT

[Abandoned_Trolley]

On 29/06/2021 12:02, Malcolm Loades wrote:
>> DDNS services may be OK for use connecting to an ftp server but of no
> help if you run a mailserver.

I am not completely sure that's true.

I run a mail server too, but when I go to the DNS management page to
edit the "MX" record it demands a domain name - NOT an IP address.

So, I enter "mail.mydomain.uk" in the box, and to get the thing to work
I need to separately enter "mail.mydomain.uk" as an "A" record so that
it knows what I am talking about.

I am guessing that these dynamic IP changing tools manipulate the "A"
record so its possible that you could get it to work.

AT

[Abandoned_Trolley]

>
> The question you should be asking is what size of IPv6 address prefix they
> provide, because that's going to be the only way to get a stable address for
> incoming traffic in future.
>
> Theo
>

You might like to think so, but when I recently asked the TalkTalk
Business Broadband gang about this I was told that they "do not support
IPV6"

[Theo]

Abandoned_Trolley <fr...@fred-smith.uk> wrote:
> I am guessing that these dynamic IP changing tools manipulate the "A"
> record so its possible that you could get it to work.

There is a difference between getting it to work and getting people to
receive your mail. If you run a mailserver from a dynamic IP pool:

1. Recipients are more likely to detect that and decide your messages are
spam. Blackhole lists commonly used by mailservers record dynamic IP
ranges.

2. You probably don't have the correct reverse DNS, which is another flag
that recipients use to assume you're a spammer

3. You may end up on an IP that's been blacklisted because a previous user
has been doing bad things. You can't practically fix that, because you
might get shifted onto a different IP tomorrow.


It's getting increasingly difficult to run a small mailserver and get your
mail reliably received. You may need to use a third party service to handle
your outgoing mail.

Theo

[Theo]

Abandoned_Trolley <fr...@fred-smith.uk> wrote:
>
> You might like to think so, but when I recently asked the TalkTalk
> Business Broadband gang about this I was told that they "do not support
> IPV6"

TT are a 'legacy' ISP and as such hold a large pile of IPv4 addresses
(acquired via Pipex, Tiscali, AOL, etc etc). I'm not very surprised they
CBA to support modern networking...

Theo

[Brian Gregory]

On 29/06/2021 11:20, Malcolm Loades wrote:

When I had one I found I could cope with a dynamic IPv4 address without
to much trouble. It was dynamic IPv6 address that's a total pain in the
$*!# if you want to do anything complicated and want to run dual stack.

Nevertheless I'm inclined to agree that not being able to provide a
static IP is pretty pathetic.

--
Brian Gregory (in England).

[Brian Gregory]

On 30/06/2021 10:20, Abandoned_Trolley wrote:
> And if there were any truth in the oft repeated claims about us running
> out of IPV4 addresses then they would all be doing it.

In many parts of the world they are all doing it.

There is plenty of truth in it. The only way to get more IPv4 addresses
is to pay someone else who was greedy earlier on to sell theirs.

[Graham J]

That's no surprise ....


--
Graham J

[David Wade]

Amazon bought 4 million at $27 each:-

http://www.southgatearc.org/news/2020/october/sale-of-amateur-radio-amprnet-tcp-ip-addresses.htm#:~:text=In%20mid%2D2019%20a%20block,%2427%20for%20each%20IPv4%20address.

<short version>
https://tinyurl.com/43ts9s8n

Dave

[Andy Burns]

Brian Gregory wrote:

> not being able to provide a static IP is pretty pathetic.

Doesn't seem to do any harm to virgin for domestic customers.

[Abandoned_Trolley]

I am not sure what your point is - VM provide static IP addresses for
business customers.

[Graham J]

Theo wrote:
> Abandoned_Trolley <fr...@fred-smith.uk> wrote:
>> I am guessing that these dynamic IP changing tools manipulate the "A"
>> record so its possible that you could get it to work.
>
> There is a difference between getting it to work and getting people to
> receive your mail. If you run a mailserver from a dynamic IP pool:
>
> 1. Recipients are more likely to detect that and decide your messages are
> spam. Blackhole lists commonly used by mailservers record dynamic IP
> ranges.
>
> 2. You probably don't have the correct reverse DNS, which is another flag
> that recipients use to assume you're a spammer
>
> 3. You may end up on an IP that's been blacklisted because a previous user
> has been doing bad things. You can't practically fix that, because you
> might get shifted onto a different IP tomorrow.

This raises a more general question about IP addresses from a dynamic pool.

Any reputable mail server will check the IP address of a client wishing
to connect to it, irrespective of whether it is to send or receive; and
will block all connection attempts if that IP address is on a blacklist.

So anybody who gets a dynamic connection through CGNAT (so this includes
all mobile users, and I imagine many fibre users) will be unable to
connect to that mail server. The block is applied in the firewall
protecting the mail server, so it denies access to HTTPS traffic for
webmail, and POP3, IMAP, and SMTP traffic from a mail client.

So the person who uses a laptop or mobile in the office where it
connects via the LAN will be able to connect to the mail server, but if
that person goes on the road, or to another location where the
connection is through the 3G/4G/5G system, or (perhaps at a customer's
house) is through a domestic DSL service then the connection could fail.
Further, it will fail in a way that does not give the poor user any
idea as to why.

One possible solution is for the user to connect through a VPN. But
this then raises the possibility that any reputable VPN service provider
may also block traffic from IP addresses shown in blacklists.

Clearly a unique static IPv6 address issued to every internet connection
could solve the problem. This in principle would allow individuals
sending spam to be identified and blocked by their connection provider.
My guess is that would lead to a class of service providers who were
known for not checking what their customers send; thereby ensuring that
a whole population of users is blocked by reputable mail servers.

But generally, I can't see a sensible solution.



--
Graham J

[Abandoned_Trolley]

> The question you should be asking is what size of IPv6 address prefix they
> provide, because that's going to be the only way to get a stable address for
> incoming traffic in future.
>
> Theo
>

and the other 2 questions we should be asking ourselves are ...

Why do most ISPs find it necessary to issue domestic customers with
globally routable addresses in the first place ?


And if IPV6 is the solution to so many problems then why is its market
penetration so poor - after more than 20 years since its first
implementation ?



--
random signature text inserted here

[Andy Burns]

Yes, but not domestic customers.

We don't seem to have an answer to the question of whether Toob supply
static IPs to business customers, if they do, then they don't deserve
singling-out for criticism by following the same policy that Virgin does.

[Chris Green]

Surely the solution for many users (me included, it's what I do) is to
use a hosting provider's 'smart host'. In my case I have many of my
domains hosted at TsoHost and to send and receive mail from my home
machine (which runs an SMTP server) it goes via TsoHost's smart host.

It costs very little and almost any sort of hosting provider will have a
mail smart host which *will* accept mail from your home machine even
if its IP changes etc.

--
Chris Green
·

[Theo]

Graham J <nob...@nowhere.co.uk> wrote:
> This raises a more general question about IP addresses from a dynamic pool.
>
> Any reputable mail server will check the IP address of a client wishing
> to connect to it, irrespective of whether it is to send or receive; and
> will block all connection attempts if that IP address is on a blacklist.
>
> So anybody who gets a dynamic connection through CGNAT (so this includes
> all mobile users, and I imagine many fibre users) will be unable to
> connect to that mail server. The block is applied in the firewall
> protecting the mail server, so it denies access to HTTPS traffic for
> webmail, and POP3, IMAP, and SMTP traffic from a mail client.

...

> But generally, I can't see a sensible solution.

This is for outgoing SMTP servers. In other words if I open a connection to
your mailserver and say I have an email for you, if I'm on a dynamic IP
you're likely to assume I'm part of a botnet/etc and reject the message.

If the message is coming from mailserver.company.com then that IP has a good
reputation (stable, not a source of spam, etc) and is then allowed.

The solution is therefore for users on the road to relay traffic through a
server on a stable IP. Which is what a lot of people do, using their
company mailserver, their ISP mailserver or smtp.gmail.com

The issue for a company is that they can't run this mailserver on a dynamic
IP and if that's all their ISP gives them, they have to outsource this email
function. Which is what a lot of companies do anyway. Running your own
email servers is a bit of a dying breed, and this is one of the reasons.

Theo

[Theo]

Abandoned_Trolley <fr...@fred-smith.co.uk> wrote:
>
> and the other 2 questions we should be asking ourselves are ...
>
> Why do most ISPs find it necessary to issue domestic customers with
> globally routable addresses in the first place ?

Because some protocols are point to point - some games for example - and
suffer if the users aren't on public IPs (eg extra latency).

> And if IPV6 is the solution to so many problems then why is its market
> penetration so poor - after more than 20 years since its first
> implementation ?

Because incumbents are sitting on pools of legacy IPv4s so are quite happy
thankyouverymuch, and see no reason in investing in something that doesn't
provide revenue. Meanwhile upstarts pay through the nose for their IPs, if
they can get any, and so are at a competitive disadvantage. Which suits the
incumbents just fine.

IPv6 traffic is about 35% of Google's traffic worldwide, and the UK has 33%
adoption. Which is not nothing.

Theo

[Bob Eager]

On Thu, 01 Jul 2021 12:44:49 +0100, Theo wrote:

> Because incumbents are sitting on pools of legacy IPv4s so are quite
> happy thankyouverymuch, and see no reason in investing in something that
> doesn't provide revenue. Meanwhile upstarts pay through the nose for
> their IPs, if they can get any, and so are at a competitive
> disadvantage. Which suits the incumbents just fine.

One problem has been companies with large IPv4 blocks who then merge.
They can't be arsed to re-engineer their networks to bring all the *used*
IPs into one block.

Think DEC/Compaq/HP. I bet HP are sitting on something like two /16s.

[Andy Burns]

Abandoned_Trolley wrote:

> Why do most ISPs find it necessary to issue domestic customers with
> globally routable addresses in the first place ?

Because that's the whole fucking point of the Internet?

[Tweed]

How many companies are going to continue to run their own mail server on
site? Everywhere you look mail servers are going to the cloud, along with
many other things. This isn’t a statement that this js a good thing, simply
an observation that it is happening,

[Abandoned_Trolley]

>
> Because that's the whole fucking point of the Internet?
>

so what's the "whole fucking point" of NAT ?

[Tweed]

Abandoned_Trolley <fr...@fred-smith.uk> wrote:
>
>>
>> Because that's the whole fucking point of the Internet?
>>
>
>
> so what's the "whole fucking point" of NAT ?
>

There is no point to NAT other than it being a bodge around. It has a
useful by product of being a poor firewall, but it is very easy to
implement a firewall without resorting to NAT. When I first started with
tcp/ip >30 years ago nobody had ever heard of NAT and every machine had a
publicly routeable address. This is still the case where I work.

[Andy Burns]

> When I first started with
> tcp/ip >30 years ago nobody had ever heard of NAT and every machine had a
> publicly routeable address. This is still the case where I work.

I gave back to JANET a whole PI class C. When it was last advertised to
the 'net in about 1998, it had a non-NAT firewall and a massive 56kbps
of bandwidth on a nailed-up modem connection ...

[Graham J]

Theo wrote:

[snip]

>
> The solution is therefore for users on the road to relay traffic through a
> server on a stable IP. Which is what a lot of people do, using their
> company mailserver, their ISP mailserver or smtp.gmail.com

The problem is that users on the road get IP addresses from mobile
suppliers, and it is these addresses that are drawn from a pool and may
previously have been compromised and so blacklisted. So their company
mailserver or their ISP mailserver will block the incoming traffic.

I suspect gmail does not check the source address for traffic wanting
access to their mail server - which probably explains why so much spam
traffic coms from gmail adrresses.


--
Graham J

[Graham J]

Chris Green wrote:

[snip]

>>
>> But generally, I can't see a sensible solution.
>>
> Surely the solution for many users (me included, it's what I do) is to
> use a hosting provider's 'smart host'. In my case I have many of my
> domains hosted at TsoHost and to send and receive mail from my home
> machine (which runs an SMTP server) it goes via TsoHost's smart host.
>
> It costs very little and almost any sort of hosting provider will have a
> mail smart host which *will* accept mail from your home machine even
> if its IP changes etc.

You've misunderstood the problem. If your home machine gets its IP
address from a pool, there will come a time when that address has
previously been compromised and will be blacklisted. At that point
TsoHost of whoever you choose to handle your email will block traffic
from your home machine.

This isn't a theoretical risk.

I know of a farm office where the only possible internet connection is
via 4G, so there is a 4G router serving all the machines at that site.
The IP addresses issued to that router vary and have included:

148.252.129.150 = Vodafone
213.205.192.12 = EE
148.252.129.101 = Vodafone
194.37.96.155 = M247-LTD-Manchester
90.207.139.54 = BSKYB-BROADBAND-AS
213.205.192.66 = EE

All of which have been blacklisted at some point. Curiously the 4G
service is bought from an EE reseller so I don't understand why the IP
addresses appear to be associated with several different companies.

The farm's domain is hosted by Zen, and Zen's firewall has blocked
access to these addresses, so the Zen mail server is inaccessible.

I have talked to other reputable mail hosting services and they all
explain that they check the source IP address of incoming traffic so
they also would apply the same blocking rules.




--
Graham J

[Chris Green]

Graham J <nob...@nowhere.co.uk> wrote:
> Chris Green wrote:
>
> [snip]
>
> >>
> >> But generally, I can't see a sensible solution.
> >>
> > Surely the solution for many users (me included, it's what I do) is to
> > use a hosting provider's 'smart host'. In my case I have many of my
> > domains hosted at TsoHost and to send and receive mail from my home
> > machine (which runs an SMTP server) it goes via TsoHost's smart host.
> >
> > It costs very little and almost any sort of hosting provider will have a
> > mail smart host which *will* accept mail from your home machine even
> > if its IP changes etc.
>
> You've misunderstood the problem. If your home machine gets its IP
> address from a pool, there will come a time when that address has
> previously been compromised and will be blacklisted. At that point
> TsoHost of whoever you choose to handle your email will block traffic
> from your home machine.
>

No they won't, I have a TsoHost account and password, they accept my
mail (from anywhere) on the basis of me logging in with my username
and password. (That's an SMTP login)

--
Chris Green
·

[Graham J]

I am surprised. It does explain some of the the problems a customer had
with TsoHost which led him to move to a more reputable service.

My point is that your username and password don't achieve anything if
your IP address is blocked at the firewall that protects the mail server.


--
Graham J

[Tweed]

Why would a provider that uses authenticated smtp want to block by IP
address?

[Theo]

Graham J <nob...@nowhere.co.uk> wrote:
> I am surprised. It does explain some of the the problems a customer had
> with TsoHost which led him to move to a more reputable service.
>
> My point is that your username and password don't achieve anything if
> your IP address is blocked at the firewall that protects the mail server.

Your IP is only likely to be blocked at the firewall if it's a source of
actual abuse (DDOS etc). Which happens very rarely.

Most servers operate greylisting, which means they will engage you in
conversation but are free to say 'nope'. Which is typically what happens if
they see a message they don't like, with being on one of the blackhole lists
part of the overall spam scoring.

Theo

[Chris Green]

But it isn't blocked, the SMTP server has a secure SASL/TLS encrypted
login. TsoHost do check that passwords are reasonably secure. It's
like an open ssh interface (which TsoHost also have), they take
measures to minimise abuse and DOS attacks, it's like any 'open'
interface.

I have another account at Gandi Internet that works in exactly the
same way, as far as I'm aware most ISP/hosting providers have a
smarthost that works this way.

--
Chris Green
·

[Roderick Stewart]

On Thu, 1 Jul 2021 19:57:22 +0100, Graham J <nob...@nowhere.co.uk>
wrote:

>Chris Green wrote:
>
>[snip]
>
>>>
>>> But generally, I can't see a sensible solution.
>>>
>> Surely the solution for many users (me included, it's what I do) is to
>> use a hosting provider's 'smart host'. In my case I have many of my
>> domains hosted at TsoHost and to send and receive mail from my home
>> machine (which runs an SMTP server) it goes via TsoHost's smart host.
>>
>> It costs very little and almost any sort of hosting provider will have a
>> mail smart host which *will* accept mail from your home machine even
>> if its IP changes etc.
>
>You've misunderstood the problem. If your home machine gets its IP
>address from a pool, there will come a time when that address has
>previously been compromised and will be blacklisted. At that point
>TsoHost of whoever you choose to handle your email will block traffic
>from your home machine.
>
>This isn't a theoretical risk.

Indeed it's not. During a stint I once did on a tech support helpdesk
I would occasionally have to deal with it. A customer would be unable
to reach a particular website and enquired if we (the ISP) were
blocking it. Of course we were not (because we didn't), but on the
assumption that the customer's current IP address may have been used
by a previous customer for something that the website didn't like, we
would change it for them and all would be well.

Rod.

[Chris Green]

Yes, I think that's pretty typical, using fail2ban (or the SMTP
equivalent) and taking other measures to minimise abuse.

--
Chris Green
·

[Chris Green]

... but the block on the IP address almost certainly won't be
permanent, it will be blocked for long enough that the customer (or
abuser) will give up but the block will be cleared eventually.

--
Chris Green
·

[Graham J]

Chris Green wrote:

[snip]

>>
> ... but the block on the IP address almost certainly won't be
> permanent, it will be blocked for long enough that the customer (or
> abuser) will give up but the block will be cleared eventually.

True. But the temporary block will be in place for a few days at least.
Not what you want when your need is to send an email within the next
half-hour or sooner.


--
Graham J

[David Rance]

On Wed, 30 Jun 2021 11:03:04 Theo wrote:

>Abandoned_Trolley <fr...@fred-smith.uk> wrote:
>> I am guessing that these dynamic IP changing tools manipulate the "A"
>> record so its possible that you could get it to work.
>
>There is a difference between getting it to work and getting people to
>receive your mail. If you run a mailserver from a dynamic IP pool:
>

From my own experiences:

>1. Recipients are more likely to detect that and decide your messages are
>spam. Blackhole lists commonly used by mailservers record dynamic IP
>ranges.

Correct.

>
>2. You probably don't have the correct reverse DNS, which is another flag
>that recipients use to assume you're a spammer

Correct.

I used a dynamic IP as a third mail address at one time and it resulted
in all my IP addresses (including the two static ones) being blacklisted
by some servers, notably the gmx ones. It took a long time to work out
what was happening. They traced back the dynamic IP to my domain name
and blacklisted the domain name. I found out that it was the blacklist
operated by Cisco (can't remember what it's called) that was causing the
trouble.

David

--
David Rance writing from Caversham, Reading, UK

[Malcolm Loades]

On 29/06/2021 11:20, Malcolm Loades wrote:
> As I look out of my window a fibre cable is being installed in my road
> for https://www.toob.co.uk I've enquired and they do not provide as
> standard, nor even for extra money, a static IP address!
>

The primary reason for wanting a static IP is that I run my own
mailserver. There are quite few posts in this thread suggesting that
that can be unreliable. I honestly can't recall ever having sent mail
which was not delivered. The usually difficult recipients gmail, yahoo,
office365 etc. haven't been a barrier.

I have reverse DNS pointing to my domain. I have an SPF record which
includes my static IP address plus DKIM and DMARC records. And, of
course, my IP is not on any blacklist since only I can ever use it (only
true so long as I'm not stupid enough to allow my machine to be
compromised).

Malcolm

[Roderick Stewart]

It can last long enough for the customer to become sufficiently pissed
off to call their ISP, who they see as responsible for everything that
happens to the internet, and to their computer. From their point of
view, something isn't working and they don't know why, so what else
are they to do?

Rod.

[Brian Gregory]

On 30/06/2021 23:43, David Wade wrote:
> On 30/06/2021 11:28, Brian Gregory wrote:
>> On 30/06/2021 10:20, Abandoned_Trolley wrote:
>>> And if there were any truth in the oft repeated claims about us
>>> running out of IPV4 addresses then they would all be doing it.
>>
>> In many parts of the world they are all doing it.
>>
>> There is plenty of truth in it. The only way to get more IPv4
>> addresses is to pay someone else who was greedy earlier on to sell
>> theirs.
>>
>
> Amazon bought 4 million at $27 each:-
>
> http://www.southgatearc.org/news/2020/october/sale-of-amateur-radio-amprnet-tcp-ip-addresses.htm#:~:text=In%20mid%2D2019%20a%20block,%2427%20for%20each%20IPv4%20address.
>
>
> <short version>
> https://tinyurl.com/43ts9s8n

Yes.

https://ipv4marketgroup.com/ipv4-pricing/

--
Brian Gregory (in England).