2 out of 10 pool.sks-keyservers.net not responding to pings

Daniel Kahn Gillmor-7
From where i sit, 2 out of 10 of the servers returned by
pool.sks-keyservers.net are not responding to ICMP echo requests (pings):

 193.174.13.74  (pgpkeys.pca.dfn.de)
 94.46.216.2    (sks.5coluna.com)

Given that the machines do respond to http requests, i wonder why they
don't respond to ICMP echo requests.  enabling ICMP echo responses on
these hosts would make for much simpler network diagnostics.

Is there a general consensus that keyservers in the well-connected pool
should (or should not) provide ICMP echo responses?

I'd like to suggest that they should, but i'd be interested in hearing
arguments to the contrary as well.

        --dkg


_______________________________________________
Sks-devel mailing list
[hidden email]
http://lists.nongnu.org/mailman/listinfo/sks-devel

Re: 2 out of 10 pool.sks-keyservers.net not responding to pings

Robert J. Hansen-3
On 11/29/10 3:55 PM, Daniel Kahn Gillmor wrote:
> I'd like to suggest that they should, but i'd be interested in hearing
> arguments to the contrary as well.

Many keyserver operators run under the aegis of larger networks, and are
beholden to the decisions made by network administrators above them.
Some networks block ping (usually because of claims that ping is a
security concern).

I don't like the idea of the community adopting a SHOULD -- even
informally -- when a large fraction of the community will lack all
ability to conform with the SHOULD.

Re: 2 out of 10 pool.sks-keyservers.net not responding to pings

David Shaw
In reply to this post by Daniel Kahn Gillmor-7
On Nov 29, 2010, at 3:55 PM, Daniel Kahn Gillmor wrote:

> From where i sit, 2 out of 10 of the servers returned by
> pool.sks-keyservers.net are not responding to ICMP echo requests (pings):
>
> 193.174.13.74  (pgpkeys.pca.dfn.de)
> 94.46.216.2    (sks.5coluna.com)
>
> Given that the machines do respond to http requests, i wonder why they
> don't respond to ICMP echo requests.  enabling ICMP echo responses on
> these hosts would make for much simpler network diagnostics.
>
> Is there a general consensus that keyservers in the well-connected pool
> should (or should not) provide ICMP echo responses?

Many sites block ping wholesale.  Rather than ping, why not use a GET or HEAD request to see if a server is up or not?  It's heavier-weight than a ping, to be sure, but since the thing being tested for is whether the keyserver is up or not, an HTTP request will give you a much more useful answer than ping, which can only tell you if the box is powered on and has an IP address.

David


Re: 2 out of 10 pool.sks-keyservers.net not responding to pings

Daniel Kahn Gillmor-7
In reply to this post by Robert J. Hansen-3
On 11/29/2010 04:03 PM, Robert J. Hansen wrote:
> Many keyserver operators run under the aegis of larger networks, and are
> beholden to the decisions made by network administrators above them.
> Some networks block ping (usually because of claims that ping is a
> security concern).

i've heard these claims about ping, and i confess i've never properly
understood them, particularly for hosts with services operating on
well-known ports.

> I don't like the idea of the community adopting a SHOULD -- even
> informally -- when a large fraction of the community will lack all
> ability to conform with the SHOULD.

i don't understand this sentiment; if we think this is reasonable, it's
entirely acceptable to say so, even when not everyone can follow
through.  Moreover, if we think this is actually preferable, then
presumably we'd like to help our fellow keyserver operators get it
working where possible.  A clearly worded explanation of why this is
useful for the SKS network and a general endorsement of the practice
would be helpful for keyserver operators dealing with reasonable network
administrators.  (no, i don't know a way to help keyserver operators
deal with unreasonable network administrators)

I feel the same way about offering HKP access on port 80, for example,
and about encouraging the deployment of a reasonable webform for the
index.  Would you object to a community endorsement of these practices
on the grounds that not everyone is capable of implementing them?

        --dkg


Re: 2 out of 10 pool.sks-keyservers.net not responding to pings

Jonathan Wiltshire
In reply to this post by Daniel Kahn Gillmor-7
On Mon, Nov 29, 2010 at 03:55:17PM -0500, Daniel Kahn Gillmor wrote:
> From where i sit, 2 out of 10 of the servers returned by
> pool.sks-keyservers.net are not responding to ICMP echo requests (pings):
>
>  193.174.13.74  (pgpkeys.pca.dfn.de)
>  94.46.216.2    (sks.5coluna.com)
>
> Given that the machines do respond to http requests, i wonder why they
> don't respond to ICMP echo requests.  enabling ICMP echo responses on
> these hosts would make for much simpler network diagnostics.

Hmm. A number of sites, my workplace included, block ICMP packets as a
matter of course. Ping isn't really a reliable test of a functioning SKS
server anyhow, it just means the box is up. I'd rather see a test checking
that a host responds to the SKS request port; that seems much more robust.

> Is there a general consensus that keyservers in the well-connected pool
> should (or should not) provide ICMP echo responses?
>
> I'd like to suggest that they should, but i'd be interested in hearing
> arguments to the contrary as well.

It may not be in the power of the server admin, and even if it is I don't
think it's our place to impose conditions of this nature. The server admin
is probably ignoring ICMP for a reason, misguided or not, and the core
functionality of SKS doesn't rely on ICMP echo requests so it's not really
any of our business.


--
Jonathan Wiltshire

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

Re: 2 out of 10 pool.sks-keyservers.net not responding to pings

Robert J. Hansen-3
In reply to this post by Daniel Kahn Gillmor-7
On 11/29/10 5:00 PM, Daniel Kahn Gillmor wrote:
> i've heard these claims about ping, and i confess i've never properly
> understood them, particularly for hosts with services operating on
> well-known ports.

Doesn't matter.  Whether the policies are wise or foolish doesn't change
the fact these policies exist.

> i don't understand this sentiment; if we think this is reasonable, it's
> entirely acceptable to say so, even when not everyone can follow
> through.

You're not proposing the community deem it reasonable, though -- the
community already seems to agree that it is reasonable.

You're proposing the community deem it ought be conformed with if at all
possible -- and there we part ways.

SHOULD is a loaded word.  It means, "if you fail to conform with this
part of the spec you should have a darned compelling reason."  I don't
think we're at that point with respect to the ICMP issue.  It seems to
be pretty clearly a MAY.

Re: 2 out of 10 pool.sks-keyservers.net not responding to pings

Joseph Oreste Bruni-2
In reply to this post by Jonathan Wiltshire

On Nov 29, 2010, at 3:02 PM, Jonathan Wiltshire wrote:

> Ping isn't really a reliable test of a functioning SKS
> server anyhow, it just means the box is up.


Not even that: It just means that something with that IP address replied. Your SKS server's IP address could be front-ended with a reverse proxy (e.g., to implement SSL). If the proxy responds to ICMP-ECHO you know nothing about the actual SKS server.
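
Added example, not part of the original thread: one way to run the application-level check the replies above suggest (an HTTP request to the keyserver port rather than a ping), reporting a front-end that answers with an error separately from a keyserver that is actually serving. Port 11371 and the `/pks/lookup?op=stats` path are assumptions not stated in the thread, and the function names are illustrative.

```python
import http.client
import socket
import sys

HKP_PORT = 11371                     # assumption: usual HKP port (thread also mentions 80)
STATS_PATH = "/pks/lookup?op=stats"  # assumption: SKS status page, not named in the thread


def probe_keyserver(host, port=HKP_PORT, path=STATS_PATH, timeout=5.0):
    """Send one HTTP GET to a keyserver address and classify the outcome.

    Returns (state, detail) where state is:
      "serving"     - an HTTP 2xx answer came back on the keyserver port
      "http-error"  - something speaks HTTP there but refused or failed the
                      request, e.g. a reverse proxy answering 502 for a dead backend
      "unreachable" - no TCP connection, or no valid HTTP answer before the timeout
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
    except (OSError, http.client.HTTPException) as exc:
        return "unreachable", type(exc).__name__
    finally:
        conn.close()
    state = "serving" if 200 <= resp.status < 300 else "http-error"
    return state, "HTTP %d" % resp.status


def probe_pool(pool_name, port=HKP_PORT, **kwargs):
    """Resolve a pool name and probe every address it currently returns."""
    infos = socket.getaddrinfo(pool_name, port, type=socket.SOCK_STREAM)
    addrs = sorted({info[4][0] for info in infos})
    return {addr: probe_keyserver(addr, port, **kwargs) for addr in addrs}


if __name__ == "__main__":
    # Usage: python probe.py <pool-or-host> [...]; nothing runs on import.
    for name in sys.argv[1:]:
        for addr, (state, detail) in probe_pool(name).items():
            print("%-40s %-12s %s" % (addr, state, detail))
```

A 2xx answer still only shows that the HTTP path to the keyserver works; checking the body of the stats page would be the next step for confirming the backend itself.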


