From casselld1 at gmail.com Tue Jun 1 08:07:32 2010
From: casselld1 at gmail.com (D C)
Date: Tue, 1 Jun 2010 09:07:32 -0400
Subject: IP Address Management Tool

I am looking for a better way to manage IP addresses. I am currently using an excel spreadsheet, but this is becoming cumbersome as more and more addresses are being added. Does anyone have any recommendations?

Thanks,
Danielle


From jackson.tim at gmail.com Tue Jun 1 08:12:07 2010
From: jackson.tim at gmail.com (Tim Jackson)
Date: Tue, 1 Jun 2010 08:12:07 -0500
Subject: IP Address Management Tool

http://iptrack.sf.net

On Tue, Jun 1, 2010 at 8:07 AM, D C wrote:
> I am looking for a better way to manage IP addresses. I am currently using
> an excel spreadsheet, but this is becoming cumbersome as more and more
> addresses are being added. Does anyone have any recommendations?
>
> Thanks,
> Danielle
>


From don.mcmorris at gmail.com Tue Jun 1 08:15:45 2010
From: don.mcmorris at gmail.com (Don McMorris)
Date: Tue, 1 Jun 2010 09:15:45 -0400
Subject: IP Address Management Tool

On Tue, Jun 1, 2010 at 9:07 AM, D C wrote:
> I am looking for a better way to manage IP addresses. I am currently using
> an excel spreadsheet, but this is becoming cumbersome as more and more
> addresses are being added. Does anyone have any recommendations?
>

We've found RackTables[1] to meet our needs in IP address management. It also includes some asset management and rack organizing as well (we do, however, have it deployed in one case primarily for the IP address management).

[1] http://racktables.org/

--Don

> Thanks,
> Danielle
>


From skovlund at gmail.com Tue Jun 1 08:22:34 2010
From: skovlund at gmail.com (Bjørn Skovlund)
Date: Tue, 1 Jun 2010 15:22:34 +0200
Subject: IP Address Management Tool

On Tue, Jun 1, 2010 at 3:07 PM, D C wrote:
> I am looking for a better way to manage IP addresses. I am currently using
> an excel spreadsheet, but this is becoming cumbersome as more and more
> addresses are being added. Does anyone have any recommendations?

http://tipp.tobez.org/

Under active development at the moment. We've just implemented it and are quite happy with it.

Cheers,
Bjørn


From marty at dabuke.com Tue Jun 1 09:23:53 2010
From: marty at dabuke.com (Marty Buchaus)
Date: Tue, 1 Jun 2010 09:23:53 -0500
Subject: IP Address Management Tool
Message-ID: <0645DCDA-E1E7-4965-91C7-2C683A4D0D9F@dabuke.com>

There are two that come to mind:

IP Plan
http://iptrack.sourceforge.net/

and Racktables for IP and rack DC location tracking as well.
http://racktables.org/

Marty

On Jun 1, 2010, at 8:07 AM, D C wrote:
> I am looking for a better way to manage IP addresses. I am currently using
> an excel spreadsheet, but this is becoming cumbersome as more and more
> addresses are being added. Does anyone have any recommendations?
>
> Thanks,
> Danielle

_________________________________________________________
William Marty Buchaus Jr
RHCE (RedHat Certified Engineer) - 807101943103186
ICQ: 10579998  AIM: snuffychi
Check out the latest Rants and Grumbling at http://snuffy.org yeah that's my Blog!


From lists at quux.de Tue Jun 1 09:29:28 2010
From: lists at quux.de (Jens Link)
Date: Tue, 01 Jun 2010 16:29:28 +0200
Subject: IP Address Management Tool
In-Reply-To: (D. C.'s message of "Tue, 1 Jun 2010 09:07:32 -0400")
Message-ID: <87fx16ddx3.fsf@bowmore.quux.de>

D C writes:
> I am looking for a better way to manage IP addresses. I am currently using
> an excel spreadsheet, but this is becoming cumbersome as more and more
> addresses are being added. Does anyone have any recommendations?

Somebody recommended http://sourceforge.net/projects/haci/ recently; haven't had time to try it.

Jens

--
-------------------------------------------------------------------------
| Foelderichstr. 40   | 13595 Berlin, Germany    | +49-151-18721264 |
| http://blog.quux.de | jabber: jenslink at guug.de | ------------------- |
-------------------------------------------------------------------------


From Brian.Knight at us.mizuho-sc.com Tue Jun 1 10:02:58 2010
From: Brian.Knight at us.mizuho-sc.com (Knight, Brian)
Date: Tue, 1 Jun 2010 11:02:58 -0400
Subject: IP Address Management Tool
Message-ID: <54777E145E97BE4E8C5A26DD78EFB11B034C13E0@EXMAIL.usi.mizuho-sc.com>

One of our engineers has started playing with dcTrack from Raritan; he quite likes it so far. It primarily manages information about data centers, like power draw, physical layout, and cable connections. It also provides a change management system tied to power / cabling requirements. In addition to all of that, it will also manage IP addresses. :)

http://www.raritan.com/products/infrastructure-management/dctrack/

It is neither open source nor freely available software. It may be (okay, it's likely to be) overkill for your environment. Then again, if a spreadsheet isn't cutting the mustard, you may have other needs along with IP address management.

Hope this helps,

-Brian Knight
Sr. Network Engineer
Mizuho Securities USA Inc
http://www.mizuhosecurities.com/

* Please note that I do not speak for my employer - only for myself.
** No one I know works for, owns or endorses the company mentioned above.
*** All members of the mailing list may consider themselves recipients of this message, in terms of the disclaimer automatically attached below.

> -----Original Message-----
> From: D C [mailto:casselld1 at gmail.com]
> Sent: Tuesday, June 01, 2010 8:08 AM
> To: nanog at nanog.org
> Subject: IP Address Management Tool
>
> I am looking for a better way to manage IP addresses. I am
> currently using an excel spreadsheet, but this is becoming
> cumbersome as more and more addresses are being added. Does
> anyone have any recommendations?
>
> Thanks,
> Danielle
>


From sethm at rollernet.us Tue Jun 1 11:07:23 2010
From: sethm at rollernet.us (Seth Mattinen)
Date: Tue, 01 Jun 2010 09:07:23 -0700
Subject: IP Address Management Tool
Message-ID: <4C05303B.4000703@rollernet.us>

On 6/1/10 6:07 AM, D C wrote:
> I am looking for a better way to manage IP addresses. I am currently using
> an excel spreadsheet, but this is becoming cumbersome as more and more
> addresses are being added. Does anyone have any recommendations?
>

I used to use IPplan, but the author was dead set against IPv6 support:

"One feature request that comes up from time to time is IPv6. Adding IPv6 support will require major effort but has such a limited audience. Ironically the only people that ever requested IPv6 support are either from Telcos, ISP's or government departments, yet they are never interested in contributing resources! I deem them parasites of the Open Source world - leeching off the good will and effort of the Open Source community, yet give nothing in return."

This has since been removed from the site, but it gave me a good idea about how the author felt about IPv6 so I stopped using it. I ended up moving to HaCi and it's suited my needs.

~Seth


From lists at mtin.net Tue Jun 1 11:22:51 2010
From: lists at mtin.net (Justin Wilson)
Date: Tue, 01 Jun 2010 12:22:51 -0400
Subject: IP Address Management Tool
In-Reply-To: <4C05303B.4000703@rollernet.us>

He has since reversed that stance and they are working on IPv6 support, at least that is what I read somewhere. I don't blame the guy really. If people want a feature they should pony up a little money. Otherwise it is free software with no implied support.

--
Justin Wilson
http://www.mtin.net/blog
Wisp Consulting - Tower Climbing - Network Support

From: Seth Mattinen
Date: Tue, 01 Jun 2010 09:07:23 -0700
Subject: Re: IP Address Management Tool

> On 6/1/10 6:07 AM, D C wrote:
>> I am looking for a better way to manage IP addresses. I am currently using
>> an excel spreadsheet, but this is becoming cumbersome as more and more
>> addresses are being added. Does anyone have any recommendations?
>>
>
> I used to use IPplan, but the author was dead set against IPv6 support:
>
> "One feature request that comes up from time to time is IPv6. Adding IPv6
> support will require major effort but has such a limited audience.
> Ironically the only people that ever requested IPv6 support are either from
> Telcos, ISP's or government departments, yet they are never interested in
> contributing resources! I deem them parasites of the Open Source world -
> leeching off the good will and effort of the Open Source community, yet give
> nothing in return."
>
> This has since been removed from the site, but it gave me a good idea about
> how the author felt about IPv6 so I stopped using it. I ended up moving to
> HaCi and it's suited my needs.
>
> ~Seth


From sethm at rollernet.us Tue Jun 1 12:38:22 2010
From: sethm at rollernet.us (Seth Mattinen)
Date: Tue, 01 Jun 2010 10:38:22 -0700
Subject: IP Address Management Tool
Message-ID: <4C05458E.1050200@rollernet.us>

On 6/1/10 9:22 AM, Justin Wilson wrote:
> He has since reversed that stance and they are working on IPv6 support,
> at least that is what I read somewhere. I don't blame the guy really. If
> people want a feature they should pony up a little money. Otherwise it is
> free software with no implied support.

I feel that IPv6 should be a minimum requirement. At the time the author felt it should be an advanced paid-for feature. I treat commercial vendors the same way: no IPv6, no sale. That nastygram made me not want to donate (money or code) to IPplan. One shouldn't get into open source expecting money.

The world moves forward and what is seen as a minimum requirement is eventually going to move with it.

~Seth


From cvicente at network-services.uoregon.edu Tue Jun 1 12:41:40 2010
From: cvicente at network-services.uoregon.edu (Carlos Vicente)
Date: Tue, 01 Jun 2010 10:41:40 -0700
Subject: IP Address Management Tool
Message-ID: <4C054654.6070003@ns.uoregon.edu>

D C wrote:
> I am looking for a better way to manage IP addresses. I am currently using
> an excel spreadsheet, but this is becoming cumbersome as more and more
> addresses are being added. Does anyone have any recommendations?
>
> Thanks,
> Danielle
>

Please check out our Network Documentation Tool:

http://netdot.uoregon.edu

--
=====================================================================
Carlos Vicente              Tel    : +1(541) 346-1763
Network Engineer            Fax    : +1(541) 346-4397
Information Services        PGP ID : 8623D99C
1212 University of Oregon
Eugene, OR 97403-1205


From Coy.Hile at COYHILE.COM Tue Jun 1 14:31:46 2010
From: Coy.Hile at COYHILE.COM (Coy Hile)
Date: Tue, 1 Jun 2010 19:31:46 +0000
Subject: racktables
Message-ID: <8BF1A686A4943A4BB60A42B82FFFD31C01271D@EXCHANGE01.VAS.COYHILE.COM>

I've seen racktables mentioned recently in an IP Address management thread. Do people use the stable version (0.17) or the beta (0.18)?


From bbillon-ml at splio.fr Tue Jun 1 13:35:47 2010
From: bbillon-ml at splio.fr (Benjamin Billon)
Date: Tue, 01 Jun 2010 20:35:47 +0200
Subject: IP Address Management Tool
In-Reply-To: <4C054654.6070003@ns.uoregon.edu>
References: <4C054654.6070003@ns.uoregon.edu>
Message-ID: <4C055303.1040607@splio.fr>

> Please check out our Network Documentation Tool:
>
> http://netdot.uoregon.edu
>

Are there any non-thumbnail screenshots available?


From pedro at whack.org Tue Jun 1 13:45:31 2010
From: pedro at whack.org (Peter Wohlers)
Date: Tue, 01 Jun 2010 11:45:31 -0700
Subject: IP Address Management Tool
In-Reply-To: <4C05458E.1050200@rollernet.us>
References: <4C05458E.1050200@rollernet.us>
Message-ID: <4C05554B.8000804@whack.org>

Seth Mattinen wrote:
> On 6/1/10 9:22 AM, Justin Wilson wrote:
>
>> He has since reversed that stance and they are working on IPv6 support,
>> at least that is what I read somewhere. I don't blame the guy really. If
>> people want a feature they should pony up a little money. Otherwise it is
>> free software with no implied support.
>>
>
> I feel that IPv6 should be a minimum requirement. At the time the author
> felt it should be an advanced paid-for feature. I treat commercial
> vendors the same way: no IPv6, no sale. That nastygram made me not want
> to donate (money or code) to IPplan. One shouldn't get into open source
> expecting money.
>
> The world moves forward and what is seen as a minimum requirement is
> eventually going to move with it.
>
> ~Seth
>

Didn't we just have this whole discussion three months ago? That being said, IPv6 exists in the beta versions that are currently available.

http://sourceforge.net/projects/iptrack/files/

--Peter


From don.mcmorris at gmail.com Tue Jun 1 14:26:08 2010
From: don.mcmorris at gmail.com (Don McMorris)
Date: Tue, 1 Jun 2010 15:26:08 -0400
Subject: racktables
In-Reply-To: <8BF1A686A4943A4BB60A42B82FFFD31C01271D@EXCHANGE01.VAS.COYHILE.COM>
References: <8BF1A686A4943A4BB60A42B82FFFD31C01271D@EXCHANGE01.VAS.COYHILE.COM>

In my two most prominent deployments, I have 0.16.4 and 0.17.9. I don't believe we have any deployments (either direct or accessed by us) that are above 0.17.9.

--Don

On Tue, Jun 1, 2010 at 3:31 PM, Coy Hile wrote:
>
> I've seen racktables mentioned recently in an IP Address management thread. Do people use the stable version (0.17) or the beta (0.18)?
>
>


From khomyakov.andrey at gmail.com Tue Jun 1 15:50:54 2010
From: khomyakov.andrey at gmail.com (Andrey Khomyakov)
Date: Tue, 1 Jun 2010 16:50:54 -0400
Subject: Software router

Good times!

We are starting to play around with VMware SRM and the "virtual" subnets that supposedly have to be able to migrate from site to site in case of a failure of the local hardware (or software).
Seems like to do that I'd have to run a software router on a VM that would redistribute the "virtual" subnet into the physical routing domain.
Does anyone have any suggestions for a software router?

I'm running EIGRP on the net, so I guess nothing will speak that, so I'd have to redistribute OSPF. Any OSPF software router software suggestion would be much appreciated.

Or if anyone has implemented "floating" subnets, any other suggestions or what to look out for would be also much appreciated.

Thanks all in advance,

--
Andrey Khomyakov
[khomyakov.andrey at gmail.com]


From trelane at trelane.net Tue Jun 1 16:09:54 2010
From: trelane at trelane.net (Andrew D Kirch)
Date: Tue, 01 Jun 2010 17:09:54 -0400
Subject: Software router
Message-ID: <4C057722.7090705@trelane.net>

Really not core network related as it never touches a wire, let alone the core, but try www.xorp.org.

Andrew

On 06/01/2010 04:50 PM, Andrey Khomyakov wrote:
> Good times!
>
> We are starting to play around with VMware SRM and the "virtual" subnets
> that supposedly have to be able to migrate from site to site in case of a
> failure of the local hardware (or software).
> Seems like to do that I'd have to run a software router on a VM that would
> redistribute the "virtual" subnet into the physical routing domain.
> Does anyone have any suggestions for a software router?
>
> I'm running EIGRP on the net, so I guess nothing will speak that, so I'd
> have to redistribute OSPF. Any OSPF software router software suggestion
> would be much appreciated.
>
> Or if anyone has implemented "floating" subnets, any other suggestions or
> what to look out for would be also much appreciated.
>
> Thanks all in advance,
>
>


From jeremyparr at gmail.com Tue Jun 1 16:13:34 2010
From: jeremyparr at gmail.com (Jeremy Parr)
Date: Tue, 1 Jun 2010 17:13:34 -0400
Subject: Software router

On 1 June 2010 16:50, Andrey Khomyakov wrote:
> Good times!
>
> We are starting to play around with VMware SRM and the "virtual" subnets
> that supposedly have to be able to migrate from site to site in case of a
> failure of the local hardware (or software).
> Seems like to do that I'd have to run a software router on a VM that would
> redistribute the "virtual" subnet into the physical routing domain.
> Does anyone have any suggestions for a software router?
>
> I'm running EIGRP on the net, so I guess nothing will speak that, so I'd
> have to redistribute OSPF. Any OSPF software router software suggestion
> would be much appreciated.
>
> Or if anyone has implemented "floating" subnets, any other suggestions or
> what to look out for would be also much appreciated.
>
> Thanks all in advance,
>

Mikrotik would fit the bill.


From nanog at theinternet.org.uk Tue Jun 1 16:33:26 2010
From: nanog at theinternet.org.uk (Mike)
Date: Tue, 01 Jun 2010 22:33:26 +0100
Subject: Software router
Message-ID: <4C057CA6.2030608@theinternet.org.uk>

On 01/06/2010 22:13, Jeremy Parr wrote:
> On 1 June 2010 16:50, Andrey Khomyakov wrote:
>
>> Good times!
>>
>> We are starting to play around with VMware SRM and the "virtual" subnets
>> that supposedly have to be able to migrate from site to site in case of a
>> failure of the local hardware (or software).
>> Seems like to do that I'd have to run a software router on a VM that would
>> redistribute the "virtual" subnet into the physical routing domain.
>> Does anyone have any suggestions for a software router?
>>
>> I'm running EIGRP on the net, so I guess nothing will speak that, so I'd
>> have to redistribute OSPF. Any OSPF software router software suggestion
>> would be much appreciated.
>>
>> Or if anyone has implemented "floating" subnets, any other suggestions or
>> what to look out for would be also much appreciated.
>>
>> Thanks all in advance,
>>
>
> Mikrotik would fit the bill.
>

Vyatta has a VMWare image. Have used it and it is pretty good.

http://www.vyatta.org community edition or http://www.vyatta.com commercial supported.

Mike


From nanog at struth.org Tue Jun 1 19:36:10 2010
From: nanog at struth.org (NANOG Mailing)
Date: Tue, 1 Jun 2010 18:36:10 -0600
Subject: Software router

OpenBSD makes a mighty fine router. Includes support for OSPF and BGP out of the box.

Cory Struth
cory at utilitympls.com

On 6/1/10, Andrey Khomyakov wrote:
> Good times!
>
> We are starting to play around with VMware SRM and the "virtual" subnets
> that supposedly have to be able to migrate from site to site in case of a
> failure of the local hardware (or software).
> Seems like to do that I'd have to run a software router on a VM that would
> redistribute the "virtual" subnet into the physical routing domain.
> Does anyone have any suggestions for a software router?
>
> I'm running EIGRP on the net, so I guess nothing will speak that, so I'd
> have to redistribute OSPF. Any OSPF software router software suggestion
> would be much appreciated.
>
> Or if anyone has implemented "floating" subnets, any other suggestions or
> what to look out for would be also much appreciated.
>
> Thanks all in advance,
>
> --
> Andrey Khomyakov
> [khomyakov.andrey at gmail.com]
>


From emccaleb at gmail.com Tue Jun 1 21:08:09 2010
From: emccaleb at gmail.com (Ernest McCaleb)
Date: Tue, 1 Jun 2010 22:08:09 -0400
Subject: Software router

I second Vyatta. I've played with it quite a bit and found it to be extremely functional.

Ernest

On Tue, Jun 1, 2010 at 4:50 PM, Andrey Khomyakov wrote:
> Good times!
>
> We are starting to play around with VMware SRM and the "virtual" subnets
> that supposedly have to be able to migrate from site to site in case of a
> failure of the local hardware (or software).
> Seems like to do that I'd have to run a software router on a VM that would
> redistribute the "virtual" subnet into the physical routing domain.
> Does anyone have any suggestions for a software router?
>
> I'm running EIGRP on the net, so I guess nothing will speak that, so I'd
> have to redistribute OSPF. Any OSPF software router software suggestion
> would be much appreciated.
>
> Or if anyone has implemented "floating" subnets, any other suggestions or
> what to look out for would be also much appreciated.
>
> Thanks all in advance,
>
> --
> Andrey Khomyakov
> [khomyakov.andrey at gmail.com]
>

--
Regards,
Ernest McCaleb


From mysidia at gmail.com Wed Jun 2 02:08:26 2010
From: mysidia at gmail.com (James Hess)
Date: Wed, 2 Jun 2010 02:08:26 -0500
Subject: Software router

On Tue, Jun 1, 2010 at 3:50 PM, Andrey Khomyakov wrote:
> Seems like to do that I'd have to run a software router on a VM that would
[snip]

For a VM router (which, for performance reasons, is different from what I'd suggest for a generic software router), I would suggest picking an off-the-shelf OS that Vmxnet2 or Vmxnet3 drivers are available for (see KB1001805), make sure to install the VM tools, and change the vNICs' type to vmx. Standard OS + quagga, openbgpd, or other.

Vyatta should be great, if you are able to compile the vmx drivers for it.

Hopefully you are not planning to forward high-PPS traffic through a single VM; vNICs are potentially a serious bottleneck in that scenario.

If traffic is not trivial, I would suggest using third-party next-hop routing, that is, with VM-based routers removed from the forwarding path, by acting as a route server, or announcing as next-hop another (real) third-party router's IP instead of one of its own IPs (requiring all 3 routers to share a subnet).

Or investigate layer 2 extension of an upstream subnet via L2TPv3 pseudo-wire service, or Cisco OTV, etc.... then design the failover scenario to not require VM involvement.

Another thought is OSPF /32 host advertisements on some 'beacon' VM(s), with tracked routes for 'virtual subnet' selection, instead of a "router" VM.

Those are some vague thoughts... I'm just saying, almost anything, other than having a VM forward packets for subnets, if it is avoidable, even tunnelling -- on a non-VM router... :)

--
-J


From hrlinneweh at sbcglobal.net Wed Jun 2 03:53:52 2010
From: hrlinneweh at sbcglobal.net (Henry Linneweh)
Date: Wed, 2 Jun 2010 01:53:52 -0700 (PDT)
Subject: IP Address Management Tool
Message-ID: <318121.28500.qm@web180314.mail.gq1.yahoo.com>

http://www.solarwinds.com/products/freetools/ip_address_tracker/

It's free and there are a host of other tools there too, under products; some are free, others not.

-henry

----- Original Message ----
From: Tim Jackson
To: D C
Cc: nanog at nanog.org
Sent: Tue, June 1, 2010 6:12:07 AM
Subject: Re: IP Address Management Tool

http://iptrack.sf.net

On Tue, Jun 1, 2010 at 8:07 AM, D C wrote:
> I am looking for a better way to manage IP addresses. I am currently using
> an excel spreadsheet, but this is becoming cumbersome as more and more
> addresses are being added. Does anyone have any recommendations?
>
> Thanks,
> Danielle
>


From jimmy.changa007 at gmail.com Wed Jun 2 08:08:30 2010
From: jimmy.changa007 at gmail.com (Jimmy Changa)
Date: Wed, 2 Jun 2010 09:08:30 -0400
Subject: IPv4 Anycast Resource Recommendations

I was wondering if anyone had recommendations on IPv4 Anycast resources (whitepapers, RFCs) as it relates to DNS?

Thanks in advance.


From jabley at hopcount.ca Wed Jun 2 08:56:18 2010
From: jabley at hopcount.ca (Joe Abley)
Date: Wed, 2 Jun 2010 09:56:18 -0400
Subject: IPv4 Anycast Resource Recommendations
Message-ID: <954C9B10-A9F0-4E95-BB14-F1C6B9E3319F@hopcount.ca>

On 2010-06-02, at 09:08, Jimmy Changa wrote:
> I was wondering if anyone had recommendations on IPv4 Anycast resources
> (whitepapers, RFCs) as it relates to DNS?
>
> Thanks in advance.

http://www.google.com/search?q=nanog+anycast+sarcastic

top hit: http://seclists.org/nanog/2010/Mar/1027

Joe


From jay-ford at uiowa.edu Wed Jun 2 09:06:29 2010
From: jay-ford at uiowa.edu (Jay Ford)
Date: Wed, 2 Jun 2010 09:06:29 -0500 (CDT)
Subject: IPv4 Anycast Resource Recommendations

On Wed, 2 Jun 2010, Jimmy Changa wrote:
> I was wondering if anyone had recommendations on IPv4 Anycast resources
> (whitepapers, RFCs) as it relates to DNS?

I found the following useful:
http://www.net.cmu.edu/pres/anycast
http://ftp.isc.org/isc/pubs/tn/isc-tn-2004-1.html
http://www.linuxsa.org.au/meetings/2006-07/anycast-dns.pdf

They're getting a bit dated, but still OK.

________________________________________________________________________
Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-ford at uiowa.edu, phone: 319-335-5555, fax: 319-335-2951


From dmburgess at linktechs.net Wed Jun 2 09:16:12 2010
From: dmburgess at linktechs.net (Dennis Burgess)
Date: Wed, 2 Jun 2010 09:16:12 -0500
Subject: Software router
Message-ID: <91522911795E174F97E7EF8B792A1031228F44@ltiserver.LTI.local>

RouterOS does run in virtual environments, super small, and has BGP, OSPF, firewalling, etc., all built right in.

-----------------------------------------------------------
Dennis Burgess, CCNA, Mikrotik Certified Trainer, MTCNA, MTCRE, MTCWE, MTCTCE, MTCUME
Link Technologies, Inc -- Mikrotik & WISP Support Services
Office: 314-735-0270  Website: http://www.linktechs.net
LIVE On-Line Mikrotik Training - Author of "Learn RouterOS"

-----Original Message-----
From: Jeremy Parr [mailto:jeremyparr at gmail.com]
Sent: Tuesday, June 01, 2010 4:14 PM
To: Andrey Khomyakov; nanog at nanog.org
Subject: Re: Software router

On 1 June 2010 16:50, Andrey Khomyakov wrote:
> Good times!
>
> We are starting to play around with VMware SRM and the "virtual"
> subnets that supposedly have to be able to migrate from site to site in
> case of a failure of the local hardware (or software).
> Seems like to do that I'd have to run a software router on a VM that
> would redistribute the "virtual" subnet into the physical routing domain.
> Does anyone have any suggestions for a software router?
>
> I'm running EIGRP on the net, so I guess nothing will speak that, so
> I'd have to redistribute OSPF. Any OSPF software router software
> suggestion would be much appreciated.
>
> Or if anyone has implemented "floating" subnets, any other suggestions
> or what to look out for would be also much appreciated.
>
> Thanks all in advance,
>

Mikrotik would fit the bill.


From lars.eggert at nokia.com Wed Jun 2 10:37:02 2010
From: lars.eggert at nokia.com (Lars Eggert)
Date: Wed, 2 Jun 2010 18:37:02 +0300
Subject: wanted: your old NAT home router
In-Reply-To: <3CB1CD73-4A8D-480C-B41C-03EDC19FB642@nokia.com>
References: <3CB1CD73-4A8D-480C-B41C-03EDC19FB642@nokia.com>
Message-ID: <4F5AE052-953C-476F-B120-69E2DFAAC45B@nokia.com>

Hi,

FYI, a first report with test results for 34 devices is available at http://fit.nokia.com/lars/tmp/2010-hgw-study.pdf. Slides that summarize the results are at http://fit.nokia.com/lars/tmp/2010-hgw-study-slides.pdf.

We have received another 30-odd devices as donations, which we'll add to the testbed and include in a follow-up study. If you have an unused, spare home gateway to donate to this effort, please contact us at nat-study at fit.nokia.com. We're also interested in obtaining a DSLAM and a CMTS.

Thanks,
Lars

On 2010-4-29, at 12:35, Lars Eggert wrote:
> Hi,
>
> for a measurement study done together with Markku Kojo's team at the University of Helsinki, we're looking to collect as many different NAT home routers as possible. If you have an old clunker lying around somewhere, please contact me off-list. I'll cover shipping via DHL. Feel free to forward this email as you see fit.
>
> The boxes will find a permanent home at the University of Helsinki. Study results will be published openly. The intent is that this collection become a resource for the community to be shared for future studies.
>
> Caveat: The boxes should NAT between Ethernet interfaces - we don't have DSL or cable access equipment in the lab setup at the moment.
>
> Thanks,
> Lars


From woody at pch.net Wed Jun 2 12:07:36 2010
From: woody at pch.net (Bill Woodcock)
Date: Wed, 2 Jun 2010 10:07:36 -0700
Subject: IPv4 Anycast Resource Recommendations
Message-ID: <582E78AE-2683-40F8-9167-EB3EADF1D73D@pch.net>

On Jun 2, 2010, at 6:08 AM, Jimmy Changa wrote:
> I was wondering if anyone had recommendations on IPv4 Anycast resources
> (whitepapers, RFCs) as it relates to DNS?

http://www.pch.net/resources/papers/anycast/
http://www.pch.net/resources/papers/dns-service-architecture/
http://www.pch.net/resources/papers/anycast-performance/
http://www.ietf.org/rfc/rfc3258.txt
http://www.ietf.org/rfc/rfc4786.txt

-Bill


From gsomlo at gmail.com Wed Jun 2 14:10:21 2010
From: gsomlo at gmail.com (Gabriel Somlo)
Date: Wed, 2 Jun 2010 15:10:21 -0400
Subject: IPv4 Anycast Resource Recommendations
Message-ID: <20100602191019.GA30710@hedwig.net.cmu.edu>

If you're interested in looking at it from a campus/enterprise point of view, we recently reworked our DNS/Anycast setup, and here are the deployment notes:

http://www.contrib.andrew.cmu.edu/~somlo/DNS.html

(you can stop reading at section 4, where it gets into the specifics of our homebrew IPAM system).

In a nutshell, we're using the "ip sla" feature on our Cisco boxes to conditionally announce host routes for the published anycast IPs from several places in our network (subsection 2.4 in the document).

HTH,
--Gabriel

On Wed, Jun 02, 2010 at 09:08:30AM -0400, Jimmy Changa wrote:
> I was wondering if anyone had recommendations on IPv4 Anycast resources
> (whitepapers, RFCs) as it relates to DNS?
>
> Thanks in advance.
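Gabriel's note above describes the core of a safe anycast DNS deployment: a host route for the anycast address is only announced while the service behind it actually answers. The following is an added example written for this page, not code from the CMU deployment notes linked above and not a router-side "ip sla" configuration; it models the same two decisions on the host that carries the anycast address, so it runs offline. It shows what should count as a healthy probe (a real DNS answer with the expected transaction ID and RCODE 0, not mere reachability) and the hysteresis that keeps one lost packet from flapping the route while a dead resolver is withdrawn before it blackholes queries. The thresholds, the probe timeline and the DNS response bytes are constructed sample values.

```python
"""Health-gated anycast DNS node: withdraw the service /32 when the local
resolver stops answering, re-announce once it is stable again.

Added example for this thread; not taken from the CMU deployment notes or
from any router vendor's feature.  The probe results and the DNS response
bytes below are constructed for the example.
"""
import struct

FAIL_THRESHOLD = 3      # consecutive failed probes before withdrawing the /32
RECOVER_THRESHOLD = 5   # consecutive good probes before re-announcing it


def response_is_healthy(query_id, raw):
    """True only for a genuine answer: matching ID, QR=1, RCODE=0, >= 1 answer RR.

    A resolver that is reachable but returns SERVFAIL/REFUSED, or that answers
    with a different transaction ID, must count as a failed probe; otherwise a
    sick node keeps attracting the anycast traffic and blackholes it."""
    if len(raw) < 12:                      # shorter than a DNS header
        return False
    rid, flags, _qdcount, ancount, _nscount, _arcount = struct.unpack("!HHHHHH", raw[:12])
    qr = (flags >> 15) & 1
    rcode = flags & 0x000F
    return rid == query_id and qr == 1 and rcode == 0 and ancount >= 1


class AnycastGate:
    """Announce/withdraw decision with hysteresis so a single lost packet
    does not flap the route."""

    def __init__(self, fail_threshold=FAIL_THRESHOLD, recover_threshold=RECOVER_THRESHOLD):
        self.fail_threshold = fail_threshold
        self.recover_threshold = recover_threshold
        self.announced = True   # the node starts with its /32 advertised
        self.fails = 0
        self.oks = 0

    def observe(self, healthy):
        """Feed one probe result; return "withdraw", "announce" or None.

        In a real node the event would stop or start the OSPF/BGP advertisement
        of the anycast /32 (e.g. by removing the address or stopping the
        routing daemon); only the decision is modelled here."""
        if healthy:
            self.fails = 0
            self.oks += 1
            if not self.announced and self.oks >= self.recover_threshold:
                self.announced = True
                return "announce"
        else:
            self.oks = 0
            self.fails += 1
            if self.announced and self.fails >= self.fail_threshold:
                self.announced = False
                return "withdraw"
        return None


def run(probe_results, **thresholds):
    """Replay a sequence of probe outcomes; return [(index, event), ...]."""
    gate = AnycastGate(**thresholds)
    events = []
    for i, ok in enumerate(probe_results):
        event = gate.observe(ok)
        if event:
            events.append((i, event))
    return events


# Constructed 12-byte DNS response headers for transaction ID 0x1234.
GOOD = bytes.fromhex("1234818000010001 00000000")      # NOERROR, one answer RR
SERVFAIL = bytes.fromhex("1234818200010000 00000000")  # RCODE 2, no answers
WRONG_ID = bytes.fromhex("abcd818000010001 00000000")  # answer for someone else's query

# Constructed probe timeline: a two-probe blip, then a real outage, then recovery.
TIMELINE = [True, True, False, False, True, False, False, False,
            True, True, True, True, True]


if __name__ == "__main__":
    print([response_is_healthy(0x1234, r) for r in (GOOD, SERVFAIL, WRONG_ID)])
    print(run(TIMELINE))
```

With the constructed timeline the blip at probes 2 and 3 never reaches the failure threshold, the outage at probes 5 to 7 withdraws the route on probe 7, and the route is only re-announced after five clean probes, on probe 12. The two thresholds are deliberately asymmetric: withdrawing quickly limits how long clients are blackholed, and recovering slowly keeps a resolver that is oscillating from dragging the routing table along with it.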
> From ross at kallisti.us Wed Jun 2 15:50:48 2010 From: ross at kallisti.us (Ross Vandegrift) Date: Wed, 2 Jun 2010 16:50:48 -0400 Subject: Anyone around from AS7459? Message-ID: <20100602205048.GA26247@kallisti.us> Hey, If you're from AS7459, you're announcing more specifics from one of our prefixes. Please drop me a line off-list, it's making my afternoon a drag. Ross -- Ross Vandegrift ross at kallisti.us "If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher." --Woody Guthrie -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 197 bytes Desc: Digital signature URL: From uri.joskovitch at telrad.com Thu Jun 3 05:30:18 2010 From: uri.joskovitch at telrad.com (Uri Joskovitch) Date: Thu, 3 Jun 2010 13:30:18 +0300 Subject: ALU - 7750 SR-12/7/1 In-Reply-To: <4C05458E.1050200@rollernet.us> References: <4C05458E.1050200@rollernet.us> Message-ID: <02755D474772E74E97471FC5BBE7641B031F4934@TLRD-MAIL1.Telrad.co.il> Hi Any one working with Alcatel Lucent equipment 7750 SR-12/7/1. Any issues with it? Specifically in ATM. Thanks Uri From cvuljanic at gmail.com Thu Jun 3 06:20:09 2010 From: cvuljanic at gmail.com (Craig) Date: Thu, 3 Jun 2010 07:20:09 -0400 Subject: ALU - 7750 SR-12/7/1 In-Reply-To: <02755D474772E74E97471FC5BBE7641B031F4934@TLRD-MAIL1.Telrad.co.il> References: <4C05458E.1050200@rollernet.us> <02755D474772E74E97471FC5BBE7641B031F4934@TLRD-MAIL1.Telrad.co.il> Message-ID: <51A20C9C-B20F-4DDC-9F19-19F666161DC6@gmail.com> Work with the product. No issues so far, very solid. On Jun 3, 2010, at 6:30 AM, "Uri Joskovitch" wrote: > > Hi > > Any one working with Alcatel Lucent equipment 7750 SR-12/7/1. > > Any issues with it? > > Specifically in ATM. > > Thanks > > Uri > > From lesnix at gmail.com Thu Jun 3 06:31:25 2010 From: lesnix at gmail.com (Egor Zimin) Date: Thu, 3 Jun 2010 15:31:25 +0400 Subject: NTT IPv6-aware people contact Message-ID: Hi. 
Could someone from NTT Communications Japan contact me off-list regarding NTT's IPv6 Transition Consultancy?

--
Best regards,
Egor Zimin

From nanog at struth.org Thu Jun 3 09:00:26 2010
From: nanog at struth.org (Cory Struth)
Date: Thu, 3 Jun 2010 08:00:26 -0600
Subject: ALU - 7750 SR-12/7/1
In-Reply-To: <02755D474772E74E97471FC5BBE7641B031F4934@TLRD-MAIL1.Telrad.co.il>
References: <4C05458E.1050200@rollernet.us> <02755D474772E74E97471FC5BBE7641B031F4934@TLRD-MAIL1.Telrad.co.il>
Message-ID:

We are putting it through the paces preparing for our migration from ATM to MPLS. We're using the 7750 SRc12 (former 7710) and 7705 SAR8 and building A-Pipes to interconnect with existing 7470s. Works well, stable, no issues thus far. Drop me a line off list if you would like to discuss further.

Cory Struth
cory at utilitympls.com

On Thu, Jun 3, 2010 at 4:30 AM, Uri Joskovitch wrote:

>
> Hi
>
> Anyone working with Alcatel Lucent equipment 7750 SR-12/7/1.
>
> Any issues with it?
>
> Specifically in ATM.
>
> Thanks
>
> Uri
>
>
>

From surfer at mauigateway.com Thu Jun 3 11:20:57 2010
From: surfer at mauigateway.com (Scott Weeks)
Date: Thu, 3 Jun 2010 09:20:57 -0700
Subject: ALU - 7750 SR-12/7/1
Message-ID: <20100603092057.D6BCC245@resin05.mta.everyone.net>

On Thu, Jun 3, 2010 at 4:30 AM, Uri Joskovitch wrote:

> Anyone working with Alcatel Lucent equipment 7750 SR-12/7/1.
>
> Any issues with it?
>
> Specifically in ATM.
-----------------------------------------------

You might try the alcatel-nsp mailing list:

http://puck.nether.net/mailman/listinfo/alcatel-nsp

scott

From dougb at dougbarton.us Thu Jun 3 13:20:18 2010
From: dougb at dougbarton.us (Doug Barton)
Date: Thu, 03 Jun 2010 11:20:18 -0700
Subject: ALU - 7750 SR-12/7/1
In-Reply-To: <02755D474772E74E97471FC5BBE7641B031F4934@TLRD-MAIL1.Telrad.co.il>
References: <4C05458E.1050200@rollernet.us> <02755D474772E74E97471FC5BBE7641B031F4934@TLRD-MAIL1.Telrad.co.il>
Message-ID: <4C07F262.7000405@dougbarton.us>

Please don't reply to someone else's message to start a new thread, it causes your thread to appear "under" the thread you're replying to. If you're going to start a new topic it's better to actually create a new message.

Thanks,

Doug

--
... and that's just a little bit of history repeating.
-- Propellerheads

Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/

From adam.lafountain at googlemail.com Thu Jun 3 13:54:03 2010
From: adam.lafountain at googlemail.com (Adam LaFountain)
Date: Thu, 3 Jun 2010 11:54:03 -0700
Subject: E1200i vs EX8200 in Large Deployment
Message-ID:

Hi All,

If anyone out there has any pro/con experience with the Force10 E1200i or S50 in a large environment I'd really appreciate your thoughts. I'm comparing them against the Juniper EX8200 and EX4200 respectively and curious about hardware/software stability on both brands. Off-list responses are invited to avoid publicly promoting/demoting a specific brand or device ;)

Many thanks in advance,

Adam LaFountain

From simon.allard at team.orcon.net.nz Thu Jun 3 16:42:37 2010
From: simon.allard at team.orcon.net.nz (Simon Allard)
Date: Fri, 4 Jun 2010 09:42:37 +1200
Subject: IP Address Management Tool
In-Reply-To:
References:
Message-ID:

I am looking for a management tool which can support BGP Communities/MPLS Tags. And also support conflicting address space uniqued by MPLS RD/RT tags.
(For layer3 VPNs).

Any ideas?

-----Original Message-----
From: D C [mailto:casselld1 at gmail.com]
Sent: Wednesday, 2 June 2010 1:08 a.m.
To: nanog at nanog.org
Subject: IP Address Management Tool

I am looking for a better way to manage IP addresses. I am currently using an excel spreadsheet, but this is becoming cumbersome as more and more addresses are being added. Does anyone have any recommendations?

Thanks,
Danielle

From bifrost at minions.com Thu Jun 3 19:28:10 2010
From: bifrost at minions.com (Tom)
Date: Thu, 3 Jun 2010 17:28:10 -0700 (PDT)
Subject: E1200i vs EX8200 in Large Deployment
In-Reply-To:
References:
Message-ID: <20100603171300.P713@evil.minions.com>

On Thu, 3 Jun 2010, Adam LaFountain wrote:

> If anyone out there has any pro/con experience with the Force10 E1200i or
> S50 in a large environment I'd really appreciate your thoughts.

Those are totally different animals, they don't even run the same code :) E1200 is a large chassis switch, S50N/V are 1U stackables. One can actually do (tables/mpls) IP routing, one can't; Basically one is decent for core, one for server agg.

> I'm comparing them against the Juniper EX8200 and EX4200 respectively
> and curious about hardware/software stability on both brands.

It really depends on what you're looking for... The EX series is a great L2/L3 switch, but likely you'd end up wanting MX in core if you're going the Juniper direction. IMHO Juniper is faster and more responsive in releasing updates if that matters.
I've seen Juniper eat F10's lunch more than once recently, so you should probably figure out what you want first before you get in too deep :)

-Tom

From gih at apnic.net Thu Jun 3 21:31:42 2010
From: gih at apnic.net (Geoff Huston)
Date: Fri, 4 Jun 2010 12:31:42 +1000
Subject: AS 7575 announcing 2400::/12
Message-ID:

Hi,

As part of some ongoing collaborative research work in looking at the "dark" traffic in IPv6, APNIC has requested AARNet to originate a supernet advertisement of the IPv6 prefix 2400::/12 for the next two weeks. The originating AS is AS7575.

We would appreciate it if you could adjust your routing filters to permit this advertisement if you are actively filtering IPv6 routing advertisements.

Reports from previous work in the IPv4 space can be found at http://www.potaroo.net/studies/ - we hope to add to this with a report describing data collected about the level (and type) of background traffic seen in this part of IPv6.

We would also be grateful if other operational lists received this notification - so please forward this as appropriate (but preferably only once!)

Many thanks,

Geoff Huston, George Michaelson
APNIC

From jimmy.changa007 at gmail.com Fri Jun 4 00:54:53 2010
From: jimmy.changa007 at gmail.com (Jimmy Changa)
Date: Fri, 4 Jun 2010 01:54:53 -0400
Subject: IPv4 Anycast Resource Recommendations
In-Reply-To: <20100602191019.GA30710@hedwig.net.cmu.edu>
References: <20100602191019.GA30710@hedwig.net.cmu.edu>
Message-ID:

Thanks for the info. Much appreciated.

On Wed, Jun 2, 2010 at 3:10 PM, Gabriel Somlo wrote:

> If you're interested in looking at it from a campus/enterprise point
> of view, we recently reworked our DNS/Anycast setup, and here are the
> deployment notes:
>
> http://www.contrib.andrew.cmu.edu/~somlo/DNS.html
>
> (you can stop reading at section 4, where it gets into the specifics
> of our homebrew IPAM system).
> In a nutshell, we're using the "ip sla"
> feature on our Cisco boxes to conditionally announce host routes for
> the published anycast IPs from several places in our network
> (subsection 2.4 in the document).
>
> HTH,
> --Gabriel
>
> On Wed, Jun 02, 2010 at 09:08:30AM -0400, Jimmy Changa wrote:
> > I was wondering if anyone had recommendations on IPv4 Anycast
> > resources
> > (whitepapers, RFCs) as it relates to DNS?
> >
> > Thanks in advance.
>
>

From jimmy.changa007 at gmail.com Fri Jun 4 01:03:43 2010
From: jimmy.changa007 at gmail.com (Jimmy Changa)
Date: Fri, 4 Jun 2010 02:03:43 -0400
Subject: Upstream BGP community support
In-Reply-To: <20091106203445.GN51443@gerbil.cluepon.net>
References: <75cb24520910311612hf5cd2e1y647ee9d35eccdab9@mail.gmail.com> <4AEF341D.7050009@bogus.com> <4AEF3518.7050006@brightok.net> <20091102201338.GZ51443@gerbil.cluepon.net> <20091105230418.GA12914@srv03.cluenet.de> <20091106050655.GZ51443@gerbil.cluepon.net> <20091106155010.GA2866@srv03.cluenet.de> <20091106203445.GN51443@gerbil.cluepon.net>
Message-ID:

Has anyone seen movement from HE on community support yet? I've heard rumblings that they are looking to do something Q3/Q4 but my sales guy is telling me that they will only support it if I go to a full 10Gb pipe. Sounds more like an aggressive sales tactic, but was curious what others are seeing.

On Fri, Nov 6, 2009 at 4:34 PM, Richard A Steenbergen wrote:

> On Fri, Nov 06, 2009 at 04:50:10PM +0100, Daniel Roesen wrote:
> > On Thu, Nov 05, 2009 at 11:06:56PM -0600, Richard A Steenbergen wrote:
> > > Definitely a problem. The point of using 65123:45678 in the first place
> > > (with a private ASN field in the "AS part") is to avoid stepping on
> > > anyone else's ASN with your internal use community.
> >
> > Actually, as far as I have seen yet, it's more like being able to
> > derive/describe community from ASN-to-act-on, e.g.
> >
> > 61234 meaning "prepend 3 times"
> > 45678 meaning "this is the neighbor AS I want this to be applied to"
>
> No I'm not saying otherwise. My point was that the reason it is
> "65123:45678" instead of "45678:65123" is that they're using a value
> from the private ASN range for the "action" tag, thus eliminating the
> potential for collisions with anyone else's real ASNs. As you pointed
> out, the ASN and Data fields are no longer going to be the same bit
> size, so the "flipping the fields" trick will no longer work. The only
> solution will be to add a non-transitive target type and do
> "localtarget:45678:65123".
>
> --
> Richard A Steenbergen http://www.e-gerbil.net/ras
> GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
>
>

From mir at ripe.net Fri Jun 4 03:05:57 2010
From: mir at ripe.net (Mirjam Kuehne)
Date: Fri, 04 Jun 2010 10:05:57 +0200
Subject: IPv6 CPE Survey on RIPE Labs
Message-ID: <4C08B3E5.3000800@ripe.net>

[apologies for duplicates]

Hello,

At the recent RIPE Meeting in Prague, Marco Hogewoning presented the IPv6 CPE survey he conducted among various vendors. The results are now published on RIPE Labs. You can find it on the home page http://labs.ripe.net or you can go directly to:

http://labs.ripe.net/content/ipv6-cpe-survey

In order to keep this survey up to date, we are looking for feedback: If you have access to a testbed, are already running tests of your own or if you spot an error, please leave a comment in the IPv6 CPE Survey forum:

http://labs.ripe.net/content/ipv6-cpe-survey-0

or contact us at labs at ripe dot net

Kind Regards,
Mirjam Kühne
RIPE NCC

From deric.kwok2000 at gmail.com Fri Jun 4 06:12:54 2010
From: deric.kwok2000 at gmail.com (Deric Kwok)
Date: Fri, 4 Jun 2010 07:12:54 -0400
Subject: any suggestion about ppp device
Message-ID:

Hi

Any suggestion about dsl ppp modem?

How can I test it?
or everyone should be same

Thank you so much

From mjkelly at gmail.com Fri Jun 4 10:28:04 2010
From: mjkelly at gmail.com (Matt Kelly)
Date: Fri, 4 Jun 2010 11:28:04 -0400
Subject: ATT network rep...
Message-ID:

Hello. Can a rep from ATT contact me off list about an issue we're experiencing? Thanks.

--
Matt

From leo.vegoda at icann.org Thu Jun 3 16:22:09 2010
From: leo.vegoda at icann.org (Leo Vegoda)
Date: Thu, 3 Jun 2010 14:22:09 -0700
Subject: Four recent IPv4 /8 allocations - please update your filters
Message-ID: <9DF92882-94C9-4256-B9CD-FE584511C600@icann.org>

Hi,

The IANA IPv4 registry has been updated to reflect the allocation of four /8s in recent weeks.

Firstly, two /8s were allocated to RIPE NCC in May 2010:

  31/8   RIPE NCC   2010-05   whois.ripe.net   ALLOCATED
  176/8  RIPE NCC   2010-05   whois.ripe.net   ALLOCATED

Secondly, two /8s were allocated to LACNIC in June 2010:

  177/8  LACNIC     2010-06   whois.lacnic.net ALLOCATED
  181/8  LACNIC     2010-06   whois.lacnic.net ALLOCATED

You can find the IANA IPv4 registry at:

http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml
http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml
http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.txt

Please update your filters as appropriate. There are now 16 unallocated unicast IPv4 /8s.

Kind regards,

Leo Vegoda
Number Resources Manager, IANA
ICANN

From rs at seastrom.com Fri Jun 4 11:59:22 2010
From: rs at seastrom.com (Robert Seastrom)
Date: Fri, 4 Jun 2010 12:59:22 -0400
Subject: Postel Scholarship: Please re-submit applications
Message-ID:

Dear Colleagues,

A technical malfunction may have resulted in the loss of some applications for the 2010 Jon Postel Network Operator's Scholarship. If you submitted an application in the past weeks, we ask you to resubmit your application. We apologize for the inconvenience.

The deadline for submissions for the Jon Postel Scholarship has been extended to 23:59:59 UTC on 20 June 2010.
If you have questions, please contact postelnos at nanog.org.

Again, on behalf of the Postel Network Operator Scholarship committee, we are sorry for the inconvenience.

-Rob Seastrom

From cscora at apnic.net Fri Jun 4 13:10:30 2010
From: cscora at apnic.net (Routing Analysis Role Account)
Date: Sat, 5 Jun 2010 04:10:30 +1000 (EST)
Subject: Weekly Routing Table Report
Message-ID: <201006041810.o54IAUYN023894@thyme.apnic.net>

This is an automated weekly mailing describing the state of the Internet Routing Table as seen from APNIC's router in Japan.

Daily listings are sent to bgp-stats at lists.apnic.net

For historical data, please see http://thyme.apnic.net.

If you have any comments please contact Philip Smith .

Routing Table Report   04:00 +10GMT Sat 05 Jun, 2010

Report Website:     http://thyme.apnic.net
Detailed Analysis:  http://thyme.apnic.net/current/

Analysis Summary
----------------

BGP routing table entries examined:                              321840
Prefixes after maximum aggregation:                              148535
Deaggregation factor:                                              2.17
Unique aggregates announced to Internet:                         157096
Total ASes present in the Internet Routing Table:                 34116
Prefixes per ASN:                                                  9.43
Origin-only ASes present in the Internet Routing Table:           29612
Origin ASes announcing only one prefix:                           14387
Transit ASes present in the Internet Routing Table:                4504
Transit-only ASes present in the Internet Routing Table:            104
Average AS path length visible in the Internet Routing Table:       3.6
Max AS path length visible:                                          24
Max AS path prepend of ASN (41664)                                   21
Prefixes from unregistered ASNs in the Routing Table:               316
Unregistered ASNs in the Routing Table:                             117
Number of 32-bit ASNs allocated by the RIRs:                        605
Prefixes from 32-bit ASNs in the Routing Table:                     679
Special use prefixes present in the Routing Table:                    0
Prefixes being announced from unallocated address space:            177
Number of addresses announced to Internet:                   2230949344
Equivalent to 132 /8s, 249 /16s and 149 /24s
Percentage of available address space announced:                   60.2
Percentage of allocated address space announced:                   64.9
Percentage of available address space allocated:                   92.8
Percentage of address space in use by end-sites:                   83.1
Total number of prefixes smaller than registry allocations:      154062

APNIC Region Analysis Summary
-----------------------------

Prefixes being announced by APNIC Region ASes:                    77021
Total APNIC prefixes after maximum aggregation:                   26796
APNIC Deaggregation factor:                                        2.87
Prefixes being announced from the APNIC address blocks:           74073
Unique aggregates announced from the APNIC address blocks:        32634
APNIC Region origin ASes present in the Internet Routing Table:    4071
APNIC Prefixes per ASN:                                           18.20
APNIC Region origin ASes announcing only one prefix:               1123
APNIC Region transit ASes present in the Internet Routing Table:    632
Average APNIC Region AS path length visible:                        3.6
Max APNIC Region AS path length visible:                             18
Number of APNIC addresses announced to Internet:              520409120
Equivalent to 31 /8s, 4 /16s and 208 /24s
Percentage of available APNIC address space announced:             77.5

APNIC AS Blocks        4608-4864, 7467-7722, 9216-10239, 17408-18431
(pre-ERX allocations)  23552-24575, 37888-38911, 45056-46079
                       55296-56319, 131072-132095
APNIC Address Blocks

ARIN Region Analysis Summary
----------------------------

Prefixes being announced by ARIN Region ASes:                    134032
Total ARIN prefixes after maximum aggregation:                    69042
ARIN Deaggregation factor:                                         1.94
Prefixes being announced from the ARIN address blocks:           106785
Unique aggregates announced from the ARIN address blocks:         41111
ARIN Region origin ASes present in the Internet Routing Table:    13714
ARIN Prefixes per ASN:                                             7.79
ARIN Region origin ASes announcing only one prefix:                5271
ARIN Region transit ASes present in the Internet Routing Table:    1344
Average ARIN Region AS path length visible:                         3.4
Max ARIN Region AS path length visible:                              22
Number of ARIN addresses announced to Internet:               735951904
Equivalent to 43 /8s, 221 /16s and 188 /24s
Percentage of available ARIN address space announced:              62.7

ARIN AS Blocks         1-1876, 1902-2042, 2044-2046, 2048-2106
(pre-ERX allocations)  2138-2584, 2615-2772, 2823-2829, 2880-3153
                       3354-4607, 4865-5119, 5632-6655, 6912-7466
                       7723-8191, 10240-12287, 13312-15359, 16384-17407
                       18432-20479, 21504-23551, 25600-26591,
                       26624-27647, 29696-30719, 31744-33791
                       35840-36863, 39936-40959, 46080-47103
                       53248-55295, 393216-394239
ARIN Address Blocks

RIPE Region Analysis Summary
----------------------------

Prefixes being announced by RIPE Region ASes:                     74083
Total RIPE prefixes after maximum aggregation:                    43081
RIPE Deaggregation factor:                                         1.72
Prefixes being announced from the RIPE address blocks:            67041
Unique aggregates announced from the RIPE address blocks:         44213
RIPE Region origin ASes present in the Internet Routing Table:    14501
RIPE Prefixes per ASN:                                             4.62
RIPE Region origin ASes announcing only one prefix:                7491
RIPE Region transit ASes present in the Internet Routing Table:    2172
Average RIPE Region AS path length visible:                         3.9
Max RIPE Region AS path length visible:                              24
Number of RIPE addresses announced to Internet:               429056672
Equivalent to 25 /8s, 146 /16s and 226 /24s
Percentage of available RIPE address space announced:              75.2

RIPE AS Blocks         1877-1901, 2043, 2047, 2107-2136, 2585-2614
(pre-ERX allocations)  2773-2822, 2830-2879, 3154-3353, 5377-5631
                       6656-6911, 8192-9215, 12288-13311, 15360-16383
                       20480-21503, 24576-25599, 28672-29695
                       30720-31743, 33792-35839, 38912-39935
                       40960-45055, 47104-52223, 196608-197631
RIPE Address Blocks

LACNIC Region Analysis Summary
------------------------------

Prefixes being announced by LACNIC Region ASes:                   28457
Total LACNIC prefixes after maximum aggregation:                   6865
LACNIC Deaggregation factor:                                       4.15
Prefixes being announced from the LACNIC address blocks:          26892
Unique aggregates announced from the LACNIC address blocks:       14146
LACNIC Region origin ASes present in the Internet Routing Table:   1293
LACNIC Prefixes per ASN:                                          20.80
LACNIC Region origin ASes announcing only one prefix:               397
LACNIC Region transit ASes present in the Internet Routing Table:   226
Average LACNIC Region AS path length visible:                       4.0
Max LACNIC Region AS path length visible:                            24
Number of LACNIC addresses announced to Internet:              73480448
Equivalent to 4 /8s, 97 /16s and 57 /24s
Percentage of available LACNIC address space announced:            54.7

LACNIC AS Blocks       26592-26623, 27648-28671, 52224-53247, 262144-263167
                       plus ERX transfers
LACNIC Address Blocks  177/8, 181/8, 186/8, 187/8, 189/8, 190/8, 200/8, 201/8,

AfriNIC Region Analysis Summary
-------------------------------

Prefixes being announced by AfriNIC Region ASes:                   7349
Total AfriNIC prefixes after maximum aggregation:                  1801
AfriNIC Deaggregation factor:                                      4.08
Prefixes being announced from the AfriNIC address blocks:          5682
Unique aggregates announced from the AfriNIC address blocks:       1716
AfriNIC Region origin ASes present in the Internet Routing Table:   362
AfriNIC Prefixes per ASN:                                         15.70
AfriNIC Region origin ASes announcing only one prefix:              105
AfriNIC Region transit ASes present in the Internet Routing Table:   83
Average AfriNIC Region AS path length visible:                      3.7
Max AfriNIC Region AS path length visible:                           15
Number of AfriNIC addresses announced to Internet:             18825216
Equivalent to 1 /8s, 31 /16s and 64 /24s
Percentage of available AfriNIC address space announced:           56.1

AfriNIC AS Blocks      36864-37887, 327680-328703 & ERX transfers
AfriNIC Address Blocks 41/8, 197/8,

APNIC Region per AS prefix count summary
----------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
4766   1852        8422       485     Korea Telecom (KIX)
17488  1312        141        124     Hathway IP Over Cable Interne
4755   1311        293        152     TATA Communications formerly
7545   1285        232        103     TPG Internet Pty Ltd
17974  1079        281        19      PT TELEKOMUNIKASI INDONESIA
9583   1003        74         492     Sify Limited
24560  911         306        170     Bharti Airtel Ltd., Telemedia
4134   874         21259      406     CHINANET-BACKBONE
4808   845         1571       213     CNCGROUP IP network: China169
9829   798         681        34      BSNL National Internet Backbo

Complete listing at http://thyme.apnic.net/current/data-ASnet-APNIC

ARIN Region per AS prefix count summary
---------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
6389   3921        3732       286     bellsouth.net, inc.
4323   3361        1113       394     Time Warner Telecom
1785   1789        699        130     PaeTec Communications, Inc.
20115  1530        1498       657     Charter Communications
7018   1516        5735       967     AT&T WorldNet Services
2386   1287        569        909     AT&T Data Communications Serv
6478   1271        260        97      AT&T Worldnet Services
3356   1187        10883      405     Level 3 Communications, LLC
22773  1161        2605       65      Cox Communications, Inc.
11492  1151        207        68      Cable One

Complete listing at http://thyme.apnic.net/current/data-ASnet-ARIN

RIPE Region per AS prefix count summary
---------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
35805  630         56         6       United Telecom of Georgia
3292   453         2026       394     TDC Tele Danmark
30890  443         111        205     Evolva Telecom
702    413         1869       328     UUNET - Commercial IP service
8551   402         355        38      Bezeq International
8866   401         117        18      Bulgarian Telecommunication C
3301   368         1414       323     TeliaNet Sweden
3320   366         7072       319     Deutsche Telekom AG
34984  356         88         183     BILISIM TELEKOM
12479  333         576        5       Uni2 Autonomous System

Complete listing at http://thyme.apnic.net/current/data-ASnet-RIPE

LACNIC Region per AS prefix count summary
-----------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
8151   1517        2965       244     UniNet S.A. de C.V.
10620  1052        236        152     TVCABLE BOGOTA
28573  895         725        78      NET Servicos de Comunicao S.A
7303   740         382        117     Telecom Argentina Stet-France
6503   600         174        209     AVANTEL, S.A.
22047  545         310        15      VTR PUNTO NET S.A.
3816   480         206        75      Empresa Nacional de Telecomun
7738   477         922        30      Telecomunicacoes da Bahia S.A
14420  457         31         70      ANDINATEL S.A.
14117  456         30         13      Telefonica del Sur S.A.

Complete listing at http://thyme.apnic.net/current/data-ASnet-LACNIC

AfriNIC Region per AS prefix count summary
------------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
8452   1230        445        10      TEDATA
24863  717         147        39      LINKdotNET AS number
36992  648         279        186     Etisalat MISR
3741   269         852        230     The Internet Solution
2018   219         244        61      Tertiary Education Network
33776  215         11         10      Starcomms Nigeria Limited
6713   186         177        14      Itissalat Al-MAGHRIB
24835  176         78         10      RAYA Telecom - Egypt
29571  174         19         9       Ci Telecom Autonomous system
29975  133         506        14      Vodacom

Complete listing at http://thyme.apnic.net/current/data-ASnet-AFRINIC

Global Per AS prefix count summary
----------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
6389   3921        3732       286     bellsouth.net, inc.
4323   3361        1113       394     Time Warner Telecom
4766   1852        8422       485     Korea Telecom (KIX)
1785   1789        699        130     PaeTec Communications, Inc.
20115  1530        1498       657     Charter Communications
8151   1517        2965       244     UniNet S.A. de C.V.
7018   1516        5735       967     AT&T WorldNet Services
17488  1312        141        124     Hathway IP Over Cable Interne
4755   1311        293        152     TATA Communications formerly
2386   1287        569        909     AT&T Data Communications Serv

Complete listing at http://thyme.apnic.net/current/data-ASnet

Global Per AS Maximum Aggr summary
----------------------------------

ASN    No of nets  Net Savings  Description
4323   3361        2967         Time Warner Telecom
1785   1789        1659         PaeTec Communications, Inc.
4766   1852        1367         Korea Telecom (KIX)
8151   1517        1273         UniNet S.A. de C.V.
8452   1230        1220         TEDATA
17488  1312        1188         Hathway IP Over Cable Interne
7545   1285        1182         TPG Internet Pty Ltd
6478   1271        1174         AT&T Worldnet Services
4755   1311        1159         TATA Communications formerly
22773  1161        1096         Cox Communications, Inc.

Complete listing at http://thyme.apnic.net/current/data-CIDRnet

List of Unregistered Origin ASNs (Global)
-----------------------------------------

Bad AS  Designation  Network         Transit AS  Description
16927   UNALLOCATED  12.0.252.0/23   7018        AT&T WorldNet Servic
15132   UNALLOCATED  12.9.150.0/24   7018        AT&T WorldNet Servic
32567   UNALLOCATED  12.14.170.0/24  7018        AT&T WorldNet Servic
13746   UNALLOCATED  12.24.56.0/24   7018        AT&T WorldNet Servic
32567   UNALLOCATED  12.25.107.0/24  7018        AT&T WorldNet Servic
26973   UNALLOCATED  12.39.152.0/24  7018        AT&T WorldNet Servic
26973   UNALLOCATED  12.39.154.0/23  7018        AT&T WorldNet Servic
26973   UNALLOCATED  12.39.155.0/24  7018        AT&T WorldNet Servic
26973   UNALLOCATED  12.39.159.0/24  7018        AT&T WorldNet Servic
25639   UNALLOCATED  12.41.169.0/24  7018        AT&T WorldNet Servic

Complete listing at http://thyme.apnic.net/current/data-badAS

Advertised Unallocated Addresses
--------------------------------

Network          Origin AS  Description
31.0.0.0/16      12654      RIPE NCC RIS Project
31.1.0.0/21      12654      RIPE NCC RIS Project
31.1.24.0/24     12654      RIPE NCC RIS Project
41.222.79.0/24   36938      >>UNKNOWN<<
41.223.92.0/22   36936      >>UNKNOWN<<
41.223.188.0/24  22351      Intelsat
41.223.189.0/24  6453       Teleglobe Inc.
41.223.196.0/24  36990      Alkan Telecom Ltd
41.223.197.0/24  36990      Alkan Telecom Ltd
41.223.198.0/24  36990      Alkan Telecom Ltd

Complete listing at http://thyme.apnic.net/current/data-add-IANA

Number of prefixes announced per prefix length (Global)
-------------------------------------------------------

/1:0      /2:0      /3:0      /4:0      /5:0      /6:0      /7:0      /8:19
/9:10     /10:27    /11:67    /12:193   /13:404   /14:694   /15:1276  /16:11097
/17:5288  /18:9010  /19:18296 /20:22561 /21:22591 /22:29540 /23:29185 /24:168618
/25:964   /26:1257  /27:617   /28:101   /29:10    /30:7     /31:0     /32:8

Advertised prefixes smaller than registry allocations
-----------------------------------------------------

ASN    No of nets  Total ann.  Description
6389   2512        3921        bellsouth.net, inc.
4323   1852        3361        Time Warner Telecom
4766   1483        1852        Korea Telecom (KIX)
1785   1252        1789        PaeTec Communications, Inc.
8452   1117        1230        TEDATA
11492  1065        1151        Cable One
17488  1058        1312        Hathway IP Over Cable Interne
18566  1040        1059        Covad Communications
10620  968         1052        TVCABLE BOGOTA
7018   913         1516        AT&T WorldNet Services

Complete listing at http://thyme.apnic.net/current/data-sXXas-nos

Number of /24s announced per /8 block (Global)
----------------------------------------------

End of report

From markk at arin.net Fri Jun 4 14:05:06 2010
From: markk at arin.net (Mark Kosters)
Date: Fri, 4 Jun 2010 15:05:06 -0400
Subject: Upcoming Improvements to ARIN's Directory Service
Message-ID: <20100604190504.GA61967@arin.net>

Hi

This was posted on arin-announce this morning as many of you may be interested:

ARIN is pleased to announce that it plans to deploy an improved Whois service called Whois-RWS on 26 June 2010. Included in the deployment are the following services that provide the general public with access to ARIN's registration data.

* a RESTful Web Service (RWS)
* a NICNAME/WHOIS port 43 service
* a user-friendly web site (http://whois.arin.net)

A demo of this service has been available since October 2009. The demonstration service will be available at http://whoisrws-demo.arin.net until the production service is deployed on 26 June 2010.

When using Whois-RWS you will notice some differences in behavior for certain queries and corresponding result sets on the NICNAME/WHOIS port 43 service. ARIN will make a separate announcement on 11 June when it publishes detailed documentation on these differences along with the demonstration service update.
ARIN continues to welcome community participation on the Whois-RWS mailing list, and we invite you to subscribe and share your thoughts and suggestions at:

http://lists.arin.net/mailman/listinfo/arin-whoisrws

More detailed information on these changes and other future features that may impact the community at ARIN is available at:

https://www.arin.net/features/

Regards,
Mark Kosters
Chief Technical Officer
American Registry for Internet Numbers (ARIN)

From cidr-report at potaroo.net Fri Jun 4 17:00:01 2010
From: cidr-report at potaroo.net (cidr-report at potaroo.net)
Date: Fri, 4 Jun 2010 22:00:01 GMT
Subject: BGP Update Report
Message-ID: <201006042200.o54M01Fb042844@wattle.apnic.net>

BGP Update Report
Interval: 27-May-10 -to- 03-Jun-10 (7 days)
Observation Point: BGP Peering with AS131072

TOP 20 Unstable Origin AS
Rank  ASN       Upds   %     Upds/Pfx  AS-Name
 1 -  AS9829   12905  1.3%     34.3 -- BSNL-NIB National Internet Backbone
 2 -  AS35805  12527  1.2%     19.9 -- UTG-AS United Telecom AS
 3 -  AS8452   10898  1.1%     10.5 -- TEDATA TEDATA
 4 -  AS4538   10816  1.1%    432.6 -- ERX-CERNET-BKB China Education and Research Network Center
 5 -  AS28477  10551  1.1%   1172.3 -- Universidad Autonoma del Esstado de Morelos
 6 -  AS4621   10253  1.0%     39.3 -- UNSPECIFIED UNINET-TH
 7 -  AS35931  10101  1.0%   2525.2 -- ARCHIPELAGO - ARCHIPELAGO HOLDINGS INC
 8 -  AS10474   9890  1.0%    267.3 -- NETACTIVE
 9 -  AS32528   9857  1.0%   3285.7 -- ABBOTT Abbot Labs
10 -  AS30890   8258  0.8%     19.0 -- EVOLVA Evolva Telecom s.r.l.
11 -  AS5800    8043  0.8%     41.7 -- DNIC-ASBLK-05800-06055 - DoD Network Information Center
12 -  AS24560   7837  0.8%      8.7 -- AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
13 -  AS7545    7784  0.8%      5.9 -- TPG-INTERNET-AP TPG Internet Pty Ltd
14 -  AS17803   7299  0.7%     19.3 -- BSES-AS-AP BSES TeleCom Limited
15 -  AS18101   7227  0.7%     20.4 -- RIL-IDC Reliance Infocom Ltd Internet Data Centre,
16 -  AS3549    6193  0.6%    110.6 -- GBLX Global Crossing Ltd.
17 -  AS45464   6014  0.6%    143.2 -- NEXTWEB-AS-AP Room 201, TGU Bldg
18 -  AS2697    5455  0.5%     29.2 -- ERX-ERNET-AS Education and Research Network
19 -  AS11492   5111  0.5%     10.1 -- CABLEONE - CABLE ONE, INC.
20 -  AS14420   5084  0.5%     11.1 -- CORPORACION NACIONAL DE TELECOMUNICACIONES CNT S.A.

TOP 20 Unstable Origin AS (Updates per announced prefix)
Rank  ASN       Upds   %     Upds/Pfx  AS-Name
 1 -  AS32528   9857  1.0%   3285.7 -- ABBOTT Abbot Labs
 2 -  AS35931  10101  1.0%   2525.2 -- ARCHIPELAGO - ARCHIPELAGO HOLDINGS INC
 3 -  AS38680   1476  0.1%   1476.0 -- CMBHK-AS-KR CMB
 4 -  AS50788   1457  0.1%   1457.0 -- OSYPENKO-AS FOP Osypenko Vitalij Volodymyrovych
 5 -  AS21271   1238  0.1%   1238.0 -- SOTELMABGP
 6 -  AS28477  10551  1.1%   1172.3 -- Universidad Autonoma del Esstado de Morelos
 7 -  AS48861    938  0.1%    938.0 -- APAGA "Apaga Technologies" CJSC AS
 8 -  AS11613    918  0.1%    918.0 -- U-SAVE - U-Save Auto Rental of America, Inc.
 9 -  AS5058     598  0.1%    598.0 -- NRL-EXP - Naval Research Laboratory
10 -  AS27873    568  0.1%    568.0 -- Compañia Goly, S.A.
11 -  AS31496   1035  0.1%    517.5 -- ATNET-AS ATNET Autonomous System
12 -  AS4538   10816  1.1%    432.6 -- ERX-CERNET-BKB China Education and Research Network Center
13 -  AS3505     795  0.1%    397.5 -- WINDSTREAM - Windstream Communications Inc
14 -  AS10445   2336  0.2%    389.3 -- HTG - Huntleigh Telcom
15 -  AS28052    385  0.0%    385.0 -- Arte Radiotelevisivo Argentino
16 -  AS42163    343  0.0%    343.0 -- IRANGATE Rasaneh Esfahan Net Autonomous System ( Irangate Internet Service Provider)
17 -  AS36847    338  0.0%    338.0 -- DELTA-DENTAL-PLAN-OF-CALIFORNIA - DELTA DENTAL OF CALIFORNIA
18 -  AS43818    334  0.0%    334.0 -- MELLAT-AS bankmellat
19 -  AS4623     997  0.1%    332.3 -- CHEVALIER-AS01 Chevalier (Internet) Limited autonomous system #1
20 -  AS50257    654  0.1%    327.0 -- A-MOBILE-AS JV A-Mobile Ltd.
TOP 20 Unstable Prefixes Rank Prefix Upds % Origin AS -- AS Name 1 - 58.207.96.0/19 10757 1.0% AS4538 -- ERX-CERNET-BKB China Education and Research Network Center 2 - 200.13.36.0/24 10503 1.0% AS28477 -- Universidad Autonoma del Esstado de Morelos 3 - 196.2.16.0/24 9548 0.9% AS10474 -- NETACTIVE 4 - 198.140.43.0/24 6454 0.6% AS35931 -- ARCHIPELAGO - ARCHIPELAGO HOLDINGS INC 5 - 64.76.40.0/24 5823 0.5% AS3549 -- GBLX Global Crossing Ltd. 6 - 130.36.35.0/24 4905 0.5% AS32528 -- ABBOTT Abbot Labs 7 - 130.36.34.0/24 4904 0.5% AS32528 -- ABBOTT Abbot Labs 8 - 63.211.68.0/22 3642 0.3% AS35931 -- ARCHIPELAGO - ARCHIPELAGO HOLDINGS INC 9 - 206.184.16.0/24 2964 0.3% AS174 -- COGENT Cogent/PSI 10 - 143.138.107.0/24 2951 0.3% AS747 -- TAEGU-AS - Headquarters, USAISC 11 - 205.91.160.0/20 1782 0.2% AS5976 -- DNIC-ASBLK-05800-06055 - DoD Network Information Center 12 - 190.65.228.0/22 1684 0.1% AS3816 -- COLOMBIA TELECOMUNICACIONES S.A. ESP 13 - 202.92.235.0/24 1500 0.1% AS9498 -- BBIL-AP BHARTI Airtel Ltd. 14 - 180.233.225.0/24 1476 0.1% AS38680 -- CMBHK-AS-KR CMB 15 - 193.107.224.0/22 1457 0.1% AS50788 -- OSYPENKO-AS FOP Osypenko Vitalij Volodymyrovych 16 - 217.64.96.0/20 1238 0.1% AS21271 -- SOTELMABGP 17 - 202.152.175.0/24 1135 0.1% AS4761 -- INDOSAT-INP-AP INDOSAT Internet Network Provider 18 - 213.158.20.0/24 1013 0.1% AS31496 -- ATNET-AS ATNET Autonomous System 19 - 195.88.66.0/23 938 0.1% AS48861 -- APAGA "Apaga Technologies" CJSC AS 20 - 206.192.11.0/24 918 0.1% AS11613 -- U-SAVE - U-Save Auto Rental of America, Inc. 
Details at http://bgpupdates.potaroo.net

------------------------------------
Copies of this report are mailed to:
  nanog at merit.edu
  eof-list at ripe.net
  apops at apops.net
  routing-wg at ripe.net
  afnog at afnog.org


From cidr-report at potaroo.net Fri Jun 4 17:00:00 2010
From: cidr-report at potaroo.net (cidr-report at potaroo.net)
Date: Fri, 4 Jun 2010 22:00:00 GMT
Subject: The Cidr Report
Message-ID: <201006042200.o54M00m2042837@wattle.apnic.net>

This report has been generated at Fri Jun 4 21:12:02 2010 AEST.
The report analyses the BGP Routing Table of AS2.0 router and generates a report on aggregation potential within the table.

Check http://www.cidr-report.org for a current version of this report.

Recent Table History
        Date      Prefixes    CIDR Agg
        28-05-10    324653      200523
        29-05-10    324840      199736
        30-05-10    324130      200410
        31-05-10    324547      200181
        01-06-10    324057      200468
        02-06-10    324593      200641
        03-06-10    324660      201024
        04-06-10    324939      201058

AS Summary
         34544  Number of ASes in routing system
         14682  Number of ASes announcing only one prefix
          4455  Largest number of prefixes announced by an AS
                AS4323 : TWTC - tw telecom holdings, inc.
      95845440  Largest address span announced by an AS (/32s)
                AS4134 : CHINANET-BACKBONE No.31,Jin-rong Street

Aggregation Summary
The algorithm used in this report proposes aggregation only when there is a precise match using the AS path, so as to preserve traffic transit policies. Aggregation is also proposed across non-advertised address space ('holes').

 --- 04Jun10 ---
ASnum    NetsNow  NetsAggr  NetGain  % Gain   Description

Table     325001    201063   123938   38.1%   All ASes

Total      36706     10769    25937   70.7%   Top 30 total

Possible Bogus Routes
Please see http://www.cidr-report.org for the full report

------------------------------------
Copies of this report are mailed to:
  nanog at merit.edu
  eof-list at ripe.net
  apops at apops.net
  routing-wg at ripe.net
  afnog at afnog.org


From uri.joskovitch at telrad.com Sat Jun 5 00:05:24 2010
From: uri.joskovitch at telrad.com (Uri Joskovitch)
Date: Sat, 5 Jun 2010 08:05:24 +0300
Subject: Tellabs - 8660
References: <4C05458E.1050200@rollernet.us>
Message-ID: <02755D474772E74E97471FC5BBE7641B031F4A6B@TLRD-MAIL1.Telrad.co.il>

Hi

Anyone working with Tellabs equipment 8660? Any issues with it? Specifically in ATM and TDM PWE3 services.

Thanks
Uri


From itservices88 at gmail.com Sat Jun 5 18:17:09 2010
From: itservices88 at gmail.com (itservices88)
Date: Sat, 5 Jun 2010 16:17:09 -0700
Subject: E1200i vs EX8200 in Large Deployment
In-Reply-To: <20100603171300.P713@evil.minions.com>
References: <20100603171300.P713@evil.minions.com>

This might be interesting to you: http://www.force10networks.com/new_ethernet_economics/player/?rndr=2

On Thu, Jun 3, 2010 at 5:28 PM, Tom wrote:
> On Thu, 3 Jun 2010, Adam LaFountain wrote:
>
>> If anyone out there has any pro/con experience with the Force10 E1200i or
>> S50 in a large environment I'd really appreciate your thoughts.
>
> Those are totally different animals, they don't even run the same code :)
> E1200 is a large chassis switch, S50N/V are 1U stackables. One can actually
> do (tables/mpls) IP routing, one can't; basically one is decent for core,
> one for server agg.
>
>> I'm comparing them against the Juniper EX8200 and EX4200 respectively and
>> curious about hardware/software stability on both brands.
>
> It really depends on what you're looking for... The EX series is a great
> L2/L3 switch, but likely you'd end up wanting MX in core if you're going the
> Juniper direction.
> IMHO Juniper is faster and more responsive in
> releasing updates if that matters.
>
> I've seen Juniper eat F10's lunch more than once recently, so you should
> probably figure out what you want first before you get in too deep :)
>
> -Tom


From jarenangerbauer at gmail.com Mon Jun 7 12:04:03 2010
From: jarenangerbauer at gmail.com (Jaren Angerbauer)
Date: Mon, 7 Jun 2010 11:04:03 -0600
Subject: Looking for network / abuse contact at Georgia College

Hi,

I'm looking for a network abuse contact at Georgia College & State University (gcsu.edu). Any information off list would be appreciated.

Thanks,
Jaren


From giovino at ren-isac.net Mon Jun 7 14:53:01 2010
From: giovino at ren-isac.net (Gabriel Iovino)
Date: Mon, 07 Jun 2010 15:53:01 -0400
Subject: Looking for network / abuse contact at Georgia College
Message-ID: <4C0D4E1D.8060606@ren-isac.net>

On 6/7/2010 1:04 PM, Jaren Angerbauer wrote:
> Hi,
>
> I'm looking for a network abuse contact at Georgia College & State
> University (gcsu.edu). Any information off list would be appreciated.

Followed up with Jaren offline.

Thanks

Gabriel Iovino
Principal Security Engineer, REN-ISAC
http://www.ren-isac.net
24x7 Watch Desk +1(317)278-6630


From bstymied at gmail.com Mon Jun 7 15:50:25 2010
From: bstymied at gmail.com (Dale Cornman)
Date: Mon, 7 Jun 2010 15:50:25 -0500
Subject: Strange practices?

Has anyone ever heard of a multi-homed enterprise not running bgp with either of 2 providers, but instead, each provider statically routes a block to their common customer and also each originates this block in BGP?
One of the ISPs in this case owns the block and has even provided a letter of authorization to the other, allowing them to announce it in BGP as well. I had personally never heard of this and am curious if this is a common practice as well as if this would potentially create any problems by 2 Autonomous Systems both originating the same prefix.

Thanks

-Bill


From deleskie at gmail.com Mon Jun 7 15:52:40 2010
From: deleskie at gmail.com (deleskie at gmail.com)
Date: Mon, 7 Jun 2010 20:52:40 +0000
Subject: Strange practices?
Message-ID: <1608960683-1275943961-cardhu_decombobulator_blackberry.rim.net-705332977-@bda028.bisx.prod.on.blackberry>

Should work fine.

------Original Message------
From: Dale Cornman
To: nanog at nanog.org
Subject: Strange practices?
Sent: Jun 7, 2010 5:50 PM

Has anyone ever heard of a multi-homed enterprise not running bgp with either of 2 providers, but instead, each provider statically routes a block to their common customer and also each originates this block in BGP? One of the ISPs in this case owns the block and has even provided a letter of authorization to the other, allowing them to announce it in BGP as well. I had personally never heard of this and am curious if this is a common practice as well as if this would potentially create any problems by 2 Autonomous Systems both originating the same prefix.

Thanks

-Bill

Sent from my BlackBerry device on the Rogers Wireless Network


From fw at deneb.enyo.de Mon Jun 7 15:59:58 2010
From: fw at deneb.enyo.de (Florian Weimer)
Date: Mon, 07 Jun 2010 22:59:58 +0200
Subject: Strange practices?
In-Reply-To: (Dale Cornman's message of "Mon, 7 Jun 2010 15:50:25 -0500")
Message-ID: <87sk4y4kz5.fsf@mid.deneb.enyo.de>

* Dale Cornman:

> I had personally never heard of this and am curious if this is a
> common practice as well as if this would potentially create any
> problems by 2 Autonomous Systems both originating the same prefix.
The 6to4 anycast gateway RFC practically mandates this, and it does work when you're doing anycast. But with static routes, you cannot handle some failure scenarios, and that's usually a good reason to stay away from such setups. Of course, in the world of real routers, there might be constraints such as lack of memory or processing power to handle BGP. 8-/


From nanog-post at rsuc.gweep.net Mon Jun 7 16:00:12 2010
From: nanog-post at rsuc.gweep.net (Joe Provo)
Date: Mon, 7 Jun 2010 17:00:12 -0400
Subject: Strange practices?
Message-ID: <20100607210012.GA68471@gweep.net>

On Mon, Jun 07, 2010 at 03:50:25PM -0500, Dale Cornman wrote:
> Has anyone ever heard of a multi-homed enterprise not running bgp with
> either of 2 providers, but instead, each provider statically routes a block
> to their common customer and also each originates this block in BGP?

Yes; tends to happen for clueless endpoints or providers who don't expressly require BGP for multihoming.

> One
> of the ISPs in this case owns the block and has even provided a letter of
> authorization to the other, allowing them to announce it in BGP as well.
> I had personally never heard of this and am curious if this is a common
> practice as well as if this would potentially create any problems by 2
> Autonomous Systems both originating the same prefix.

MOAS prefixes are common in some content-origination applications, but since you never know what the rest of the universe is going to do in their routing & forwarding decisions, it really isn't generally applicable.

--
RSUC / GweepNet / Spunk / FnB / Usenix / SAGE


From sjk at sleepycatz.com Mon Jun 7 16:00:50 2010
From: sjk at sleepycatz.com (sjk)
Date: Mon, 07 Jun 2010 16:00:50 -0500
Subject: Strange practices?
Message-ID: <4C0D5E02.90502@sleepycatz.com>

Have seen it a few times -- usually with enterprise customers who are unable to manage their own routers and one ISP which has problems configuring BGP on their client facing equipment.

Dale Cornman wrote:
> Has anyone ever heard of a multi-homed enterprise not running bgp with
> either of 2 providers, but instead, each provider statically routes a block
> to their common customer and also each originates this block in BGP? One
> of the ISPs in this case owns the block and has even provided a letter of
> authorization to the other, allowing them to announce it in BGP as well.
> I had personally never heard of this and am curious if this is a common
> practice as well as if this would potentially create any problems by 2
> Autonomous Systems both originating the same prefix.
>
> Thanks
>
> -Bill


From bfeeny at mac.com Mon Jun 7 16:05:16 2010
From: bfeeny at mac.com (Brian Feeny)
Date: Mon, 07 Jun 2010 17:05:16 -0400
Subject: Strange practices?
In-Reply-To: <87sk4y4kz5.fsf@mid.deneb.enyo.de>
References: <87sk4y4kz5.fsf@mid.deneb.enyo.de>

I would say partitioning into two AS's like this is not a good thing. I wouldn't consider it a valid design myself, and would avoid it if possible.

If one of the AS's that is announcing the block originates any traffic into the other AS for that block, the traffic will drop. I realize this ideally should not happen, but BGP uses arbitrary metrics, and people turn a lot of knobs, which makes weird things happen.

If someone were doing this themselves, I would say at least use a GRE tunnel with an iBGP link between the sites, but you're not going to get that out of these providers, so it's going to remain partitioned, which should be thought through well as there may be issues with this.
Brian

On Jun 7, 2010, at 4:59 PM, Florian Weimer wrote:

> * Dale Cornman:
>
>> I had personally never heard of this and am curious if this is a
>> common practice as well as if this would potentially create any
>> problems by 2 Autonomous Systems both originating the same prefix.
>
> The 6to4 anycast gateway RFC practically mandates this, and it does
> work when you're doing anycast. But with static routes, you cannot
> handle some failure scenarios, and that's usually a good reason to stay
> away from such setups. Of course, in the world of real routers, there
> might be constraints such as lack of memory or processing power to handle
> BGP. 8-/


From bfeeny at mac.com Mon Jun 7 16:16:26 2010
From: bfeeny at mac.com (Brian Feeny)
Date: Mon, 07 Jun 2010 17:16:26 -0400
Subject: Strange practices?
References: <87sk4y4kz5.fsf@mid.deneb.enyo.de>

Let me recant on what I said. I re-read and had myself confused (apologies). I see that the providers are using their own AS's. I still would not do this if it could be avoided, but the traffic won't be dropped like I had said, in the way I was thinking.

What I was thinking was a case where the same AS is announcing from two sites which are not connected via iBGP. In that case default behavior is that the AS drops traffic from its own AS, as this is how eBGP accomplishes loop prevention. In the case that is being described this won't happen, since each provider is using its own AS to announce from.

Brian

On Jun 7, 2010, at 5:05 PM, Brian Feeny wrote:

>
> I would say partitioning into two AS's like this is not a good thing. I wouldn't consider it a valid design myself, and would avoid it if possible.
>
> If one of the AS's that is announcing the block originates any traffic into the other AS for that block, the traffic will drop. I realize this ideally should not happen, but BGP uses arbitrary metrics, and people turn a lot of knobs, which makes weird things happen.
>
> If someone were doing this themselves, I would say at least use a GRE tunnel with an iBGP link between the sites, but you're not going to get that out of these providers, so it's going to remain partitioned, which should be thought through well as there may be issues with this.
>
> Brian
>
> On Jun 7, 2010, at 4:59 PM, Florian Weimer wrote:
>
>> * Dale Cornman:
>>
>>> I had personally never heard of this and am curious if this is a
>>> common practice as well as if this would potentially create any
>>> problems by 2 Autonomous Systems both originating the same prefix.
>>
>> The 6to4 anycast gateway RFC practically mandates this, and it does
>> work when you're doing anycast. But with static routes, you cannot
>> handle some failure scenarios, and that's usually a good reason to stay
>> away from such setups. Of course, in the world of real routers, there
>> might be constraints such as lack of memory or processing power to handle
>> BGP. 8-/


From joelja at bogus.com Mon Jun 7 16:33:25 2010
From: joelja at bogus.com (joel jaeggli)
Date: Mon, 07 Jun 2010 14:33:25 -0700
Subject: Strange practices?
Message-ID: <4C0D65A5.5030002@bogus.com>

It's going to show inconsistent AS which some people may not like, but that's just ugly, not broken.

As the customer, it means your outgoing path selection is probably being made on the basis of some non-global attribute, and the return path is entirely at the mercy of your two ISPs...

I wouldn't do that because the alternatives are better and not exactly a lot of work, but will it work? Yes.

joel

On 2010-06-07 13:50, Dale Cornman wrote:
> Has anyone ever heard of a multi-homed enterprise not running bgp with
> either of 2 providers, but instead, each provider statically routes a block
> to their common customer and also each originates this block in BGP? One
> of the ISPs in this case owns the block and has even provided a letter of
> authorization to the other, allowing them to announce it in BGP as well.
> I had personally never heard of this and am curious if this is a common
> practice as well as if this would potentially create any problems by 2
> Autonomous Systems both originating the same prefix.
>
> Thanks
>
> -Bill
>

From lists at billfehring.com Mon Jun 7 16:35:38 2010
From: lists at billfehring.com (Bill Fehring)
Date: Mon, 7 Jun 2010 14:35:38 -0700
Subject: Strange practices?

On Mon, Jun 7, 2010 at 13:50, Dale Cornman wrote:
>
> Has anyone ever heard of a multi-homed enterprise not running bgp with
> either of 2 providers, but instead, each provider statically routes a block
> to their common customer and also each originates this block in BGP? One
> of the ISP's in this case owns the block and has even provided a letter of
> authorization to the other, allowing them to announce it in BGP as well.
> I had personally never heard of this and am curious if this is a common
> practice as well as if this would potentially create any problems by 2
> Autonomous Systems both originating the same prefix.
>
> Thanks
>
> -Bill

So if the enterprise loses connectivity to one of these two providers, does the provider without working connectivity to the enterprise have a mechanism in place to cease originating the address space?

-Bill

From Jay.Murphy at state.nm.us Mon Jun 7 16:49:46 2010
From: Jay.Murphy at state.nm.us (Murphy, Jay, DOH)
Date: Mon, 7 Jun 2010 15:49:46 -0600
Subject: Strange practices?

"Has anyone ever heard of a multi-homed enterprise not running bgp with either of 2 providers, but instead, each provider statically routes a block to their common customer and also each originates this block in BGP?"

As stated before...yes this is a common practice.

"One of the ISP's in this case owns the block and has even provided a letter of authorization to the other, allowing them to announce it in BGP as well."
Yes, one ISP owns the block; both will aggregate the blocks and announce the blocks to the global internet. BGP attributes will shape best path for routing; i.e., AS-PATH, ORIGIN, LOCAL PREF. MEDS should take care of "leaking" routes.

So, is this design scheme viable? Yes, it is.

~Jay Murphy
IP Network Specialist
NM State Government
IT Services Division
PSB - IP Network Management Center
Santa Fé, New México 87505
"We move the information that moves your world."
"Good engineering demands that we understand what we're doing and why, keep an open mind, and learn from experience."
"Engineering is about finding the sweet spot between what's solvable and what isn't." Radia Perlman
Please consider the environment before printing e-mail

-----Original Message-----
From: Dale Cornman [mailto:bstymied at gmail.com]
Sent: Monday, June 07, 2010 2:50 PM
To: nanog at nanog.org
Subject: Strange practices?

Has anyone ever heard of a multi-homed enterprise not running bgp with either of 2 providers, but instead, each provider statically routes a block to their common customer and also each originates this block in BGP? One of the ISP's in this case owns the block and has even provided a letter of authorization to the other, allowing them to announce it in BGP as well. I had personally never heard of this and am curious if this is a common practice as well as if this would potentially create any problems by 2 Autonomous Systems both originating the same prefix.

Thanks

-Bill

Confidentiality Notice: This e-mail, including all attachments is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited unless specifically provided under the New Mexico Inspection of Public Records Act. If you are not the intended recipient, please contact the sender and destroy all copies of this message.

--
This email has been scanned by the Sybari - Antigen Email System.
From steve at ipv6canada.com Mon Jun 7 17:00:03 2010
From: steve at ipv6canada.com (Steve Bertrand)
Date: Mon, 07 Jun 2010 18:00:03 -0400
Subject: Strange practices?
Message-ID: <4C0D6BE3.5060707@ipv6canada.com>

On 2010.06.07 17:49, Murphy, Jay, DOH wrote:
> "Has anyone ever heard of a multi-homed enterprise not running bgp with
> either of 2 providers, but instead, each provider statically routes a block
> to their common customer and also each originates this block in BGP?"
>
> As stated before...yes this is a common practice.
>
> "One of the ISP's in this case owns the block and has even provided a letter of
> authorization to the other, allowing them to announce it in BGP as well."
>
> Yes, one ISP owns the block, both will aggregate the blocks and announce the blocks to the global internet. BGP attributes will shape best path for routing; i.e., AS-PATH, ORIGIN, LOCAL PREF. MEDS should take care of "leaking" routes.
>
> So, is this design scheme viable? Yes, it is.

I understood the OP's question as one of concern. It sounds to me like one of their ISPs can't/won't/doesn't know how to configure a client-facing BGP session. I've run into this before, and it was due to a lack of understanding/clue of how to peer with a multi-homed client when the client didn't have their own ASN.

If that is the case, then I'd be concerned about situations where the link goes down, but the advertisement is not removed from their DFZ-facing sessions, possibly causing a black hole for traffic transiting that ISP.

The work involved in co-ordinating two ISPs to detect and protect against this type of situation is far more difficult than just configuring BGP from the client out (imho).

Steve

From Jay.Murphy at state.nm.us Mon Jun 7 16:59:59 2010
From: Jay.Murphy at state.nm.us (Murphy, Jay, DOH)
Date: Mon, 7 Jun 2010 15:59:59 -0600
Subject: Strange practices?
"So if the enterprise loses connectivity to one of these two providers, does the provider without working connectivity to the enterprise have mechanism in place to cease originating the address space?"

Yes, BGP updates.

~Jay Murphy

From Joel.Snyder at Opus1.COM Mon Jun 7 17:02:40 2010
From: Joel.Snyder at Opus1.COM (Joel M Snyder)
Date: Tue, 08 Jun 2010 00:02:40 +0200
Subject: Strange practices?
Message-ID: <4C0D6C80.1070801@Opus1.COM>

On 6/7/10 11:51 PM:
> Has anyone ever heard of a multi-homed enterprise not running bgp with
> either of 2 providers, but instead, each provider statically routes a block
> to their common customer and also each originates this block in BGP?
Yes, this is common and works fine. We do it with a number of customers who want a backup provider but don't want to go to the trouble of getting portable address space, an ASN, and so on. As long as both providers have a way of shutting down the advertisement (typically because they learn it via BGP) and as long as the customer doesn't try to load balance (i.e., treats it as active/passive, not true active/active), then it's not a bad solution. Ugly, but given the vast chalice of despair that is the global BGP table, hardly a drop in the bucket.

jms

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One
Phone: +1 520 324 0494
jms at Opus1.COM http://www.opus1.com/jms

From Jay.Murphy at state.nm.us Mon Jun 7 17:10:24 2010
From: Jay.Murphy at state.nm.us (Murphy, Jay, DOH)
Date: Mon, 7 Jun 2010 16:10:24 -0600
Subject: Strange practices?
In-Reply-To: <4C0D6BE3.5060707@ipv6canada.com>
References: <4C0D6BE3.5060707@ipv6canada.com>

Yes, the customer has an AS number, it's just from the private AS number block, e.g. AS 65000. When the block is routed to the AS running BGP, it is tagged with that ISP's public AS number, and announced to the world in this manner.

OK, acknowledged. Clarify, "transiting"? Do you mean one ISP acts as a transit routing domain for another, or for traffic that "traverses" this particular ISP, which one?

~Jay Murphy
-----Original Message-----
From: Steve Bertrand [mailto:steve at ipv6canada.com]
Sent: Monday, June 07, 2010 4:00 PM
To: Murphy, Jay, DOH
Cc: Dale Cornman; nanog at nanog.org
Subject: Re: Strange practices?

From steve at ipv6canada.com Mon Jun 7 17:34:50 2010
From: steve at ipv6canada.com (Steve Bertrand)
Date: Mon, 07 Jun 2010 18:34:50 -0400
Subject: Strange practices?
References: <4C0D6BE3.5060707@ipv6canada.com>
Message-ID: <4C0D740A.1080500@ipv6canada.com>

On 2010.06.07 18:10, Murphy, Jay, DOH wrote:
> Yes, the customer has an AS number, it's just from the private AS number block, e.g. AS 65000..when the block is routed to the AS running BGP, it is tagged with that ISP's public AS number, and announced to the world in this manner.

...but the OP stated that he doesn't do any BGP with either upstream, and instead relies on the upstreams to statically route the block to him. I was getting at the usage of private-AS in my last post. Perhaps I'm mis-understanding something.

> Clarify, "transiting"?

The OP has two 'transit' providers, with neither of which he has a BGP session established. Both of his upstream ISPs provide transit for him to the wider Internet.

> Do you mean one ISP acts as a transit routing domain for another, or for traffic that "traverses" this particular ISP, which one?

Traverses. i.e. my upstream providers provide 'transit' services for networks that I advertise to them; however, I don't allow any of my peers to 'transit' my network.

Steve

From steve at ipv6canada.com Mon Jun 7 17:38:00 2010
From: steve at ipv6canada.com (Steve Bertrand)
Date: Mon, 07 Jun 2010 18:38:00 -0400
Subject: Strange practices?
Message-ID: <4C0D74C8.2090101@ipv6canada.com>

On 2010.06.07 17:59, Murphy, Jay, DOH wrote:
>
> "So if the enterprise loses connectivity to one of these two providers, does the provider without working connectivity to the enterprise have mechanism in place to cease originating the address space?"
>
> Yes, BGP updates.

...again, I'm confused.

BGP updates from where to where? From how I understand the OP's original question, there is no BGP.

Hence, if one of the providers is statically routing the prefix to an interface or un-numbered as opposed to an IP address, then blackholing can occur if IP reachability is broken, but the link-layer is not. Is this not correct?

Steve

From dhetzel at gmail.com Mon Jun 7 17:41:26 2010
From: dhetzel at gmail.com (Dorn Hetzel)
Date: Mon, 7 Jun 2010 18:41:26 -0400
Subject: Strange practices?
In-Reply-To: <4C0D74C8.2090101@ipv6canada.com>
References: <4C0D74C8.2090101@ipv6canada.com>

Perhaps the providers' BGP is just being fed from interface-anchored static routes which will, hopefully, drop out if the customer-facing interface goes down. Of course, this is realistic if we're talking about actual circuits like a T-1, not so much if we're talking metro ethernet or something...

On Mon, Jun 7, 2010 at 6:38 PM, Steve Bertrand wrote:
> On 2010.06.07 17:59, Murphy, Jay, DOH wrote:
> >
> > "So if the enterprise loses connectivity to one of these two providers,
> > does the provider without working connectivity to the enterprise have
> > mechanism in place to cease originating the address space?"
> >
> > Yes, BGP updates.
>
> ...again, I'm confused.
>
> BGP updates from where to where? From how I understand the OP's original
> question, there is no BGP.
>
> Hence, if one of the providers is statically routing the prefix to an
> interface or un-numbered as opposed to an IP address, then blackholing
> can occur if IP reachability is broken, but the link-layer is not. Is
> this not correct?
>
> Steve
>

From lists at billfehring.com Mon Jun 7 17:42:18 2010
From: lists at billfehring.com (Bill Fehring)
Date: Mon, 7 Jun 2010 15:42:18 -0700
Subject: Strange practices?

On Mon, Jun 7, 2010 at 14:59, Murphy, Jay, DOH wrote:
> "So if the enterprise loses connectivity to one of these two providers, does the provider without working connectivity to the enterprise have mechanism in place to cease originating the address space?"
> Yes, BGP updates.

Um, it wasn't a trick question, Jay, and as others have stated, since the providers are statically routing this address space to their common customer, this would require a coordinated effort to manually (or preferably automatically) shut down the advertisement should connectivity be lost to the customer. There are a number of ways that could be achieved, but it's obviously important that it is.

-Bill

From Jay.Murphy at state.nm.us Mon Jun 7 17:48:57 2010
From: Jay.Murphy at state.nm.us (Murphy, Jay, DOH)
Date: Mon, 7 Jun 2010 16:48:57 -0600
Subject: Strange practices?
In-Reply-To: <4C0D74C8.2090101@ipv6canada.com>
References: <4C0D74C8.2090101@ipv6canada.com>

Steve,

We are obviously interpreting this in different slants.

Definition of Transit service: for example, AS200 is said to receive transit service from, let's say, AS3356, if through this connection AS200 receives connectivity to the entire Internet and not only AS3356 and its customers.

Yes, I understand the customer is using static; however, some providers use BGP, and they use BGP to peer with other ISPs, that's it.

~Jay Murphy

-----Original Message-----
From: Steve Bertrand [mailto:steve at ipv6canada.com]
Sent: Monday, June 07, 2010 4:38 PM
To: Murphy, Jay, DOH
Cc: Dale Cornman; nanog at nanog.org
Subject: Re: Strange practices?

From Jay.Murphy at state.nm.us Mon Jun 7 17:52:22 2010
From: Jay.Murphy at state.nm.us (Murphy, Jay, DOH)
Date: Mon, 7 Jun 2010 16:52:22 -0600
Subject: Strange practices?
References: <4C0D74C8.2090101@ipv6canada.com>

Right on...

~Jay Murphy

From: dorn at hetzel.org [mailto:dorn at hetzel.org] On Behalf Of Dorn Hetzel
Sent: Monday, June 07, 2010 4:41 PM
To: Steve Bertrand
Cc: Murphy, Jay, DOH; nanog at nanog.org
Subject: Re: Strange practices?

From Jay.Murphy at state.nm.us Mon Jun 7 17:58:25 2010
From: Jay.Murphy at state.nm.us (Murphy, Jay, DOH)
Date: Mon, 7 Jun 2010 16:58:25 -0600
Subject: Strange practices?

Yes, I understand this point. So, elaborate on the answer... I am not making something simple, complex, homey.

~Jay Murphy

-----Original Message-----
From: Bill Fehring [mailto:lists at billfehring.com]
Sent: Monday, June 07, 2010 4:42 PM
To: Murphy, Jay, DOH
Cc: Dale Cornman; nanog at nanog.org
Subject: Re: Strange practices?

From steve at ipv6canada.com Mon Jun 7 18:07:22 2010
From: steve at ipv6canada.com (Steve Bertrand)
Date: Mon, 07 Jun 2010 19:07:22 -0400
Subject: Strange practices?
References: <4C0D74C8.2090101@ipv6canada.com>
Message-ID: <4C0D7BAA.6010307@ipv6canada.com>

On 2010.06.07 18:48, Murphy, Jay, DOH wrote:
> Steve,
>
> We are obviously interpreting this in different slants.

Agreed ;)

> Definition of Transit service: for example, AS200 is said to receive transit service from, let's say AS3356, if through this connection, AS200 receives connectivity to the entire Internet and not only AS3356 and its customers.

Yes. The OP has transit through two separate ISPs, neither of which provides him a BGP session, because one of the providers doesn't seem willing/capable to do so, even though the ISP who is responsible for the space has provided the other with an LOA to allow the prefix to originate from their ASN.

Essentially, the OP is transiting through both ISPs, but not providing any transit services, and the transit path is provided via static routes as opposed to dynamic ones.

> Yes I understand the customer is using static, however, some providers use BGP, and they use BGP to peer with other ISPs,

s/some/real

...and not only for peering, but for transit (to the DFZ) as well.

> that's it.

I have had a couple of discussions with people off list. Although I don't know the reasoning for the OP's ISP's decision to not use BGP, in cases where I've dealt with this, it is usually due to lack of clue on how to use private ASs, or BGP in general.
These ISPs (in my experience) have their DFZ-facing sessions set up by their upstreams, and don't have the knowledge to configure BGP toward the clients.

Personally, if this is the case, then I'd be just as concerned with their ability to ensure that a proper configuration is in place to auto-detect failure and cause removal of the prefix from their tables to avoid blackholes. With that said, I'd also be just as concerned with their BGP troubleshooting and filtering abilities if they were to offer a session.

Some of the smaller ISPs that fit this bill will actually allow you to work with them and provide them advice along the way, if not even contract the client as a consultant to ensure that this new-to-them setup is documented properly so it can be re-used with other clients.

Also, I'm sure that it would be more work to co-ordinate the efforts for a static setup like this between two providers than it would be to just set up BGP. More documentation (and unnecessary static routes too).

Steve

From randy at psg.com Mon Jun 7 20:36:30 2010
From: randy at psg.com (Randy Bush)
Date: Tue, 08 Jun 2010 10:36:30 +0900
Subject: quagga isisd

would appreciate clue bat from anyone successful with isisd under quagga. please contact me off list. thanks.

randy

From sjk at sleepycatz.com Mon Jun 7 23:14:56 2010
From: sjk at sleepycatz.com (sjk)
Date: Mon, 07 Jun 2010 23:14:56 -0500
Subject: Strange practices?
Message-ID: <4C0DC3C0.8050103@sleepycatz.com>

Bill Fehring wrote:
> On Mon, Jun 7, 2010 at 14:59, Murphy, Jay, DOH wrote:
>> "So if the enterprise loses connectivity to one of these two providers, does the provider without working connectivity to the enterprise have mechanism in place to cease originating the address space?"
>> Yes, BGP updates.
>
> Um, it wasn't a trick question Jay, and as others have stated, since
> the providers are statically routing this address space to their
> common customer, this would require a coordinated effort to manually
> (or preferably automatically) shutdown the advertisement should
> connectivity be lost to the customer. There are a number of ways that
> could be achieved, but it's obviously important that it is.
>
> -Bill
>

Not necessarily: the way that I have seen this implemented, the upstreams rely upon the static -- or sometimes connected -- route being pulled from the route table if the interface goes down. Once pulled from the table, it drops out of the IGP and then from the eBGP announcement. It is -- without a doubt -- a crappy solution as it doesn't deal with things like looped circuits, bad encapsulations, etc....

From andy at nosignal.org Tue Jun 8 04:02:51 2010
From: andy at nosignal.org (Andy Davidson)
Date: Tue, 8 Jun 2010 10:02:51 +0100
Subject: Strange practices?
In-Reply-To: <4C0D6C80.1070801@Opus1.COM>
References: <4C0D6C80.1070801@Opus1.COM>
Message-ID: <9EB0F081-6CF2-406D-8E9C-0269E4D1EB8F@nosignal.org>

Hi,

On 7 Jun 2010, at 23:02, Joel M Snyder wrote:
> On 6/7/10 11:51 PM:
>> Has anyone ever heard of a multi-homed enterprise not running bgp with either of 2 providers, but instead, each provider statically routes a block to their common customer and also each originates this block in BGP?
> Yes, this is common and works fine. [...] Ugly, but given the vast chalice of despair that is the global BGP table, hardly a drop in the bucket.

Ugly, failover might not work depending on just what is actually configured, and there is of course no need to take the full table if you want to do it right, with BGP. It does also marry your network to one provider, which might not suit depending on how independent you want to be (what will happen to your pricing with the address space incumbent at renewal time, or what will happen in the event of their commercial failure).
Because something will likely work does not make it a scalable or sensible design. Just do it right from the start :-)

Andy

From globichen at gmail.com Tue Jun 8 04:58:42 2010
From: globichen at gmail.com (Andy B.)
Date: Tue, 8 Jun 2010 11:58:42 +0200
Subject: BGP convergence problem

Hi,

This morning there was an ethernet loop problem on DECIX, causing many BGP sessions to flap throughout the entire platform.

While this can happen, I am myself facing BGP convergence problems on our DECIX router (SUP720-3BXL with IOS SXI3). The DECIX loop was solved two hours ago, but my BGP sessions are still flapping and not converging at all.

This has been flooding our logs, and is still going on:

Jun 8 11:47:03 x.x.x.131 239447: Jun 8 11:48:38.364 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.194.32 Up
Jun 8 11:47:03 x.x.x.131 239448: Jun 8 11:48:38.364 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.231 Up
Jun 8 11:47:03 x.x.x.131 239449: Jun 8 11:48:38.364 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.109 Up
Jun 8 11:47:03 x.x.x.131 239450: Jun 8 11:48:38.364 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.194.50 Up
Jun 8 11:47:03 x.x.x.131 239451: Jun 8 11:48:38.364 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.81 Up
Jun 8 11:47:03 x.x.x.131 239452: Jun 8 11:48:38.364 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.28 Up
Jun 8 11:47:03 x.x.x.131 239453: Jun 8 11:48:38.364 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.193.212 Up
Jun 8 11:47:03 x.x.x.131 239454: Jun 8 11:48:38.368 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.193.147 Up
Jun 8 11:47:03 x.x.x.131 239455: Jun 8 11:48:38.368 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.74 Up
Jun 8 11:47:03 x.x.x.131 239456: Jun 8 11:48:38.368 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.241 Up
Jun 8 11:47:03 x.x.x.131 239457: Jun 8 11:48:38.368 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.194.5 Up
Jun 8 11:47:03 x.x.x.131 239458: Jun 8 11:48:38.368 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.40 Up
Jun 8 11:47:03 x.x.x.131 239459: Jun 8 11:48:38.368 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::1A44:0:1 Up
Jun 8 11:47:03 x.x.x.131 239460: Jun 8 11:48:38.368 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::8605:0:1 Up
Jun 8 11:47:03 x.x.x.131 239461: Jun 8 11:48:38.368 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::1A0B:0:1 Up
Jun 8 11:47:03 x.x.x.131 239462: Jun 8 11:48:38.368 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::3029:0:1 Up
Jun 8 11:47:03 x.x.x.131 239463: Jun 8 11:48:38.368 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::6E4:0:1 Up
Jun 8 11:47:03 x.x.x.131 239464: Jun 8 11:48:38.372 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::CB0:0:1 Up
Jun 8 11:47:03 x.x.x.131 239465: Jun 8 11:48:38.372 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::21C8:0:1 Up
Jun 8 11:47:03 x.x.x.131 239466: Jun 8 11:48:38.372 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::8463:0:2 Up
Jun 8 11:47:04 x.x.x.131 239467: Jun 8 11:48:38.372 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::31AA:0:1 Up
Jun 8 11:47:04 x.x.x.131 239468: Jun 8 11:48:38.372 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.194.29 Up
Jun 8 11:47:04 x.x.x.131 239469: Jun 8 11:48:38.372 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::62BF:0:1 Up
Jun 8 11:47:04 x.x.x.131 239470: Jun 8 11:48:39.656 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.101 Down BGP Notification sent
Jun 8 11:47:04 x.x.x.131 239471: Jun 8 11:48:39.656 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.192.101 4/0 (hold time expired) 0 bytes
Jun 8 11:47:07 x.x.x.131 239472: Jun 8 11:48:41.696 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.104 Up
Jun 8 11:47:10 x.x.x.131 239473: Jun 8 11:48:44.488 CEST: %BGP-3-BGP_NO_REMOTE_READ: 80.81.193.187 connection timed out - has not accepted a message from us for 20000ms (hold time), 1 messages pending transmition.
Jun 8 11:47:10 x.x.x.131 239474: Jun 8 11:48:44.488 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.193.187 Down BGP Notification sent
Jun 8 11:47:10 x.x.x.131 239475: Jun 8 11:48:44.488 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.193.187 4/0 (hold time expired) 0 bytes
Jun 8 11:47:10 x.x.x.131 239476: Jun 8 11:48:44.900 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.194.61 Up
Jun 8 11:47:10 x.x.x.131 239477: Jun 8 11:48:44.900 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.149 Up
Jun 8 11:47:10 x.x.x.131 239478: Jun 8 11:48:44.900 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.136 Up
Jun 8 11:47:10 x.x.x.131 239479: Jun 8 11:48:44.904 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::8463:0:1 Up
Jun 8 11:47:10 x.x.x.131 239480: Jun 8 11:48:46.352 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::6268:0:1 Up
Jun 8 11:47:14 x.x.x.131 239481: Jun 8 11:48:48.084 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.193.78 Up
Jun 8 11:47:14 x.x.x.131 239482: Jun 8 11:48:49.172 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.193.239 Up
Jun 8 11:47:14 x.x.x.131 239483: Jun 8 11:48:49.172 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.194.24 Up
Jun 8 11:47:17 x.x.x.131 239484: Jun 8 11:48:52.160 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.194.45 Up
Jun 8 11:47:17 x.x.x.131 239485: Jun 8 11:48:52.160 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.108 Up
Jun 8 11:47:17 x.x.x.131 239486: Jun 8 11:48:52.160 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.164 Up
Jun 8 11:47:17 x.x.x.131 239487: Jun 8 11:48:52.164 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.193.49 Up
Jun 8 11:47:17 x.x.x.131 239488: Jun 8 11:48:52.164 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.139 Up
Jun 8 11:47:17 x.x.x.131 239489: Jun 8 11:48:52.164 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::1536:0:1 Up
Jun 8 11:47:17 x.x.x.131 239490: Jun 8 11:48:52.164 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::8601:0:1 Up
Jun 8 11:47:17 x.x.x.131 239491: Jun 8 11:48:53.788 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.45 Up
Jun 8 11:47:17 x.x.x.131 239492: Jun 8 11:48:53.788 CEST: %BGP-5-ADJCHANGE: neighbor 
2001:7F8::A2DC:0:1 Up Jun 8 11:47:21 x.x.x.131 239493: Jun 8 11:48:55.056 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.194.91 Down BGP Notification sent Jun 8 11:49:04 x.x.x.131 239583: Jun 8 11:50:37.684 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.194.14 Down Peer closed the session Jun 8 11:49:04 x.x.x.131 239584: Jun 8 11:50:38.656 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.120 Down BGP Notification sent Jun 8 11:49:04 x.x.x.131 239585: Jun 8 11:50:38.656 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.192.120 4/0 (hold time expired) 0 bytes Jun 8 11:49:04 x.x.x.131 239586: Jun 8 11:50:38.656 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.229 Down BGP Notification sent Jun 8 11:49:04 x.x.x.131 239587: Jun 8 11:50:38.656 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.192.229 4/0 (hold time expired) 0 bytes Jun 8 11:49:04 x.x.x.131 239588: Jun 8 11:50:38.656 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.108 Down BGP Notification sent Jun 8 11:49:04 x.x.x.131 239589: Jun 8 11:50:38.656 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.192.108 4/0 (hold time expired) 0 bytes Jun 8 11:49:07 x.x.x.131 239590: Jun 8 11:50:41.944 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.194.73 Down BGP Notification sent Jun 8 11:49:07 x.x.x.131 239591: Jun 8 11:50:41.944 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.194.73 4/0 (hold time expired) 0 bytes Jun 8 11:49:07 x.x.x.131 239592: Jun 8 11:50:41.944 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::20AD:0:2 Down BGP Notification sent Jun 8 11:49:07 x.x.x.131 239593: Jun 8 11:50:41.944 CEST: %BGP-3-NOTIFICATION: sent to neighbor 2001:7F8::20AD:0:2 4/0 (hold time expired) 0 bytes Jun 8 11:49:07 x.x.x.131 239594: Jun 8 11:50:41.944 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.193.115 Down BGP Notification sent Jun 8 11:49:07 x.x.x.131 239595: Jun 8 11:50:41.944 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.193.115 4/0 (hold time expired) 0 bytes Jun 8 11:49:07 x.x.x.131 239596: Jun 8 11:50:44.124 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.194.3 Down BGP 
Notification sent Jun 8 11:49:11 x.x.x.131 239597: Jun 8 11:50:44.124 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.194.3 4/0 (hold time expired) 0 bytes Jun 8 11:49:11 x.x.x.131 239598: Jun 8 11:50:45.200 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.215 Down BGP Notification sent Jun 8 11:49:11 x.x.x.131 239599: Jun 8 11:50:45.200 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.192.215 4/0 (hold time expired) 0 bytes Jun 8 11:49:11 x.x.x.131 239600: Jun 8 11:50:47.336 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.141 Down BGP Notification sent Jun 8 11:49:11 x.x.x.131 239601: Jun 8 11:50:47.336 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.192.141 4/0 (hold time expired) 0 bytes Jun 8 11:49:14 x.x.x.131 239602: Jun 8 11:50:48.432 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::3B41:0:1 Down BGP Notification sent Jun 8 11:49:14 x.x.x.131 239603: Jun 8 11:50:48.432 CEST: %BGP-3-NOTIFICATION: sent to neighbor 2001:7F8::3B41:0:1 4/0 (hold time expired) 0 bytes Jun 8 11:49:14 x.x.x.131 239604: Jun 8 11:50:49.720 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.239 Down BGP Notification sent Jun 8 11:49:14 x.x.x.131 239605: Jun 8 11:50:49.720 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.192.239 4/0 (hold time expired) 0 bytes Jun 8 11:49:17 x.x.x.131 239606: Jun 8 11:50:50.976 CEST: %BGP-5-ADJCHANGE: neighbor 2001:2000:3080:B4::1 Down Peer closed the session Jun 8 11:49:17 x.x.x.131 239607: Jun 8 11:50:52.976 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.194.20 Down BGP Notification sent Jun 8 11:49:17 x.x.x.131 239608: Jun 8 11:50:52.976 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.194.20 4/0 (hold time expired) 0 bytes Jun 8 11:49:17 x.x.x.131 239609: Jun 8 11:50:54.044 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.193.21 Down BGP Notification sent Jun 8 11:49:17 x.x.x.131 239610: Jun 8 11:50:54.044 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.193.21 4/0 (hold time expired) 0 bytes Jun 8 11:49:20 x.x.x.131 239611: Jun 8 11:50:56.204 CEST: %BGP-5-ADJCHANGE: neighbor 
2001:7F8::1A0B:0:1 Down BGP Notification sent Jun 8 11:49:20 x.x.x.131 239612: Jun 8 11:50:56.204 CEST: %BGP-3-NOTIFICATION: sent to neighbor 2001:7F8::1A0B:0:1 4/0 (hold time expired) 0 bytes Jun 8 11:49:23 x.x.x.131 239613: Jun 8 11:50:58.400 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.194.63 Down BGP Notification sent Jun 8 11:49:23 x.x.x.131 239614: Jun 8 11:50:58.400 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.194.63 4/0 (hold time expired) 0 bytes Jun 8 11:49:23 x.x.x.131 239615: Jun 8 11:50:59.448 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.97 Down BGP Notification sent Jun 8 11:49:23 x.x.x.131 239616: Jun 8 11:50:59.448 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.192.97 4/0 (hold time expired) 0 bytes Jun 8 11:49:27 x.x.x.131 239617: Jun 8 11:51:01.664 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.131 Down BGP Notification sent Jun 8 11:49:27 x.x.x.131 239618: Jun 8 11:51:01.664 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.192.131 4/0 (hold time expired) 0 bytes Jun 8 11:49:27 x.x.x.131 239619: Jun 8 11:51:03.872 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.194.83 Down BGP Notification sent Jun 8 11:49:27 x.x.x.131 239620: Jun 8 11:51:03.872 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.194.83 4/0 (hold time expired) 0 bytes Jun 8 11:49:27 x.x.x.131 239621: Jun 8 11:51:03.872 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.156 Down BGP Notification sent Jun 8 11:49:30 x.x.x.131 239622: Jun 8 11:51:03.872 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.192.156 4/0 (hold time expired) 0 bytes Jun 8 11:49:30 x.x.x.131 239623: Jun 8 11:51:06.056 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.194.50 Down BGP Notification sent Jun 8 11:49:30 x.x.x.131 239624: Jun 8 11:51:06.056 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.194.50 4/0 (hold time expired) 0 bytes CPU load is constantly at 100% doing BGP and more BGP. We have around 200 BGP sessions on DECIX and I would not want to shut them down and bring them up individually. How can I get out of this deadlock? 
Andy

From if at xip.at Tue Jun 8 07:35:12 2010
From: if at xip.at (Ingo Flaschberger)
Date: Tue, 8 Jun 2010 14:35:12 +0200 (CEST)
Subject: BGP convergence problem
In-Reply-To:
References:
Message-ID:

Dear Andy

> This morning there was an ethernet loop problem on DECIX, causing many
> BGP sessions to flap throughout the entire platform.
> While this can happen, I am myself facing with BGP convergence
> problems on our DECIX router (SUP720-3BXL with IOS SXI3).
>
> De DECIX loop has been solved two hours ago, but my BGP sessions are
> still flapping and not converging at all. This has been flooding our
> logs, and is still going on:

Route half or more of the peering-network to Null -> lowering bgp session ups.
(At the other side, your bgp-router seems to be overloaded.)

Kind regards,
        Ingo Flaschberger

From globichen at gmail.com Tue Jun 8 09:27:16 2010
From: globichen at gmail.com (Andy B.)
Date: Tue, 8 Jun 2010 16:27:16 +0200
Subject: BGP convergence problem
In-Reply-To:
References:
Message-ID:

I finally decided to shut down all peerings and brought them back one by one.

Everything is stable again, but I don't like the way I had to deal with it since it will most likely happen again when DECIX or another IX we're at is having issues.

I've seen a few BGP convergence discussions on NANOG, but none about deadlock situations and what could be done to avoid them. Setting higher MTU or bigger hold queues did not help.

- Andy

On Tue, Jun 8, 2010 at 2:35 PM, Ingo Flaschberger wrote:
> Dear Andy
>
>> This morning there was an ethernet loop problem on DECIX, causing many
>> BGP sessions to flap throughout the entire platform.
>> While this can happen, I am myself facing with BGP convergence
>> problems on our DECIX router (SUP720-3BXL with IOS SXI3).
>>
>> De DECIX loop has been solved two hours ago, but my BGP sessions are
>> still flapping and not converging at all.
>> This has been flooding our
>> logs, and is still going on:
>
> route half or more of the peering-network to Null -> lowering bgp session
> up's.
> (at the other side, your bgp-router seems to be overloaded).
>
> Kind regards,
>        Ingo Flaschberger
>
>

From jonny at jonnynet.net Mon Jun 7 20:58:49 2010
From: jonny at jonnynet.net (Jonny Martin)
Date: Tue, 8 Jun 2010 13:58:49 +1200
Subject: APNIC 30 - Call for Papers
Message-ID: <8710F339-D12A-4D85-B3EE-30C65EA320CC@jonnynet.net>

[Apologies for duplicates]

________________________________________________________________________
APNIC 30 - Call for Papers
________________________________________________________________________

The APNIC 30 Program Committee is now seeking presentations for APNIC 30 to be held at Gold Coast, Australia from 24 - 27 August 2010.

We are looking for presentations that would suit technical conference sessions.

Please submit proposals online at:

http://submission.apnic.net/

KEY DATES
---------

Call for Papers Opens: 8 June 2010
First Deadline for Submissions: 9 July 2010
First Draft Program Published: 16 July 2010
Final Deadline for Submissions: 6 August 2010
Final Program Published: 10 August 2010
Final Slides Received: 20 August 2010

PROGRAM MATERIAL
----------------

APNIC 30 Technical sessions will include presentations relevant to Internet Operations and Technologies. Here are some ideas for technical sessions relevant to APNIC 30:

- IPv4 exhaustion / IPv6 deployment & operations
- ISP, Peering, Carrier, and IXP services
- Network security
- Internet policy
- Access and Transport Technologies
- Content & Service Delivery

If you have another idea, feel free to submit your proposal.

CFP SUBMISSION
--------------

Draft slides must be provided with all submissions. For work in progress, the most current information available at the time of submission is acceptable.

Remember to submit early so you have plenty of time to arrange visas and travel!
If you have questions, please email the Program Chair: pc-chair at apnic.net

For more information about APNIC 30, please visit:

http://meetings.apnic.net/30

Regards,

Jonny Martin
Chair, APNIC 30 Program Committee

From jared at puck.nether.net Tue Jun 8 11:22:04 2010
From: jared at puck.nether.net (Jared Mauch)
Date: Tue, 8 Jun 2010 12:22:04 -0400
Subject: BGP convergence problem
In-Reply-To:
References:
Message-ID: <6AEBD3AC-CE37-4278-9E45-F4FA5DEC308A@puck.nether.net>

On Jun 8, 2010, at 10:27 AM, Andy B. wrote:

> I finally decided to shut down all peerings and brought them back one by one.
>
> Everything is stable again, but I don't like the way I had to deal
> with it since it will most likely happen again when DECIX or an other
> IX we're at is having issues.
>
> I've seen a few BGP convergence discussions on NANOG, but none about
> deadlock situations and what could be done to avoid them. Setting
> higher MTU or bigger hold queues did not help.

The Cisco 7600 and 6500 platforms are getting fairly old and have underpowered CPUs these days.

Starting in SXH the control plane did not scale quite as well as in SXF. This got better in SXI, but is not back on par with SXF performance yet.

I mostly attribute this to a combination of bloat in software and routing tables. I would start to look for a replacement sooner rather than later.

- Jared

From mpetach at netflight.com Tue Jun 8 11:26:47 2010
From: mpetach at netflight.com (Matthew Petach)
Date: Tue, 8 Jun 2010 09:26:47 -0700
Subject: BGP convergence problem
In-Reply-To:
References:
Message-ID:

On Tue, Jun 8, 2010 at 7:27 AM, Andy B. wrote:
> I finally decided to shut down all peerings and brought them back one by one.
>
> Everything is stable again, but I don't like the way I had to deal
> with it since it will most likely happen again when DECIX or an other
> IX we're at is having issues.
>
> I've seen a few BGP convergence discussions on NANOG, but none about
> deadlock situations and what could be done to avoid them. Setting
> higher MTU or bigger hold queues did not help.
>
> - Andy

Some people have found that upgrading to an alternate router vendor helps. ^_^;

Fundamentally, the CPU on your router is underpowered for the amount of state information that needs to be updated in the time window of the hold timers. If you can't move to a faster/more efficient platform, then you may need to negotiate raising the keepalive interval and corresponding hold timers with your neighbors, to give your router time to finish processing updates.

Alternately, if you aren't in a position to be able to upgrade platforms, but have spare routers around, connecting a second router up to the exchange and splitting your neighbors up among two links into the exchange would reduce the load on each router during reconvergence, and buy you time until you can move to a more capable platform.

Matt

From kevin.hodle at gmail.com Tue Jun 8 11:50:19 2010
From: kevin.hodle at gmail.com (Kevin Hodle)
Date: Tue, 8 Jun 2010 11:50:19 -0500
Subject: BGP convergence problem
In-Reply-To:
References:
Message-ID:

Hi Andy,

We have had similar problems with s720/3bxl on exchanges with large numbers of peers. Exact same symptoms, can be triggered by any significant UPDATE flux, even iBGP originated path-hunts. This problem is compounded if you are taking full tables on the same device, to the extent that the bgp scanner and bgp IO processes grind the control-plane to a halt causing ISIS/OSPF adjacencies to drop, SNMP and SSH unresponsive, etc. Same behavior is seen regardless of IOS train.

As others have pointed out, the sad fact of the matter is that the s720/3BXL simply does not have the CPU power to cope with hundreds of neighbor sessions and the growing numbers of paths.
Here are some things that we tried with varied success to remedy bgp deadlock on this platform:

* lower process-max-time to prevent bgp scanner/bgp io processes from completely consuming the control-plane
* Take soft-reconfiguration off of neighbors/peer-groups where you can, this will help tremendously
* Split the load of neighbor sessions between multiple devices, move full table feeds to other devices

The 'final solution' is to simply replace this platform with a newer, more powerful alternative, and there are numerous candidates :)

Best Regards,
Kevin Hodle

On Tue, Jun 8, 2010 at 4:58 AM, Andy B. wrote:
> Hi,
>
> This morning there was an ethernet loop problem on DECIX, causing many
> BGP sessions to flap throughout the entire platform.
> While this can happen, I am myself facing with BGP convergence
> problems on our DECIX router (SUP720-3BXL with IOS SXI3).
>
> De DECIX loop has been solved two hours ago, but my BGP sessions are
> still flapping and not converging at all. This has been flooding our
> logs, and is still going on:
>
> Jun 8 11:47:03 x.x.x.131 239447: Jun 8 11:48:38.364 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.194.32 Up
> Jun 8 11:47:03 x.x.x.131 239448: Jun 8 11:48:38.364 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.231 Up
> Jun 8 11:47:03 x.x.x.131 239449: Jun 8 11:48:38.364 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.109 Up
> Jun 8 11:47:03 x.x.x.131 239450: Jun 8 11:48:38.364 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.194.50 Up
> Jun 8 11:47:03 x.x.x.131 239451: Jun 8 11:48:38.364 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.81 Up
> Jun 8 11:47:03 x.x.x.131 239452: Jun 8 11:48:38.364 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.28 Up
> Jun 8 11:47:03 x.x.x.131 239453: Jun 8 11:48:38.364 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.193.212 Up
> Jun 8 11:47:03 x.x.x.131 239454: Jun 8 11:48:38.368 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.193.147 Up
> Jun 8 11:47:03 x.x.x.131 239455: Jun 8 11:48:38.368 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.74 Up
> Jun 8 11:47:03 x.x.x.131 239456: Jun 8 11:48:38.368 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.241 Up
> Jun 8 11:47:03 x.x.x.131 239457: Jun 8 11:48:38.368 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.194.5 Up
> Jun 8 11:47:03 x.x.x.131 239458: Jun 8 11:48:38.368 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.40 Up
> Jun 8 11:47:03 x.x.x.131 239459: Jun 8 11:48:38.368 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::1A44:0:1 Up
> Jun 8 11:47:03 x.x.x.131 239460: Jun 8 11:48:38.368 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::8605:0:1 Up
> Jun 8 11:47:03 x.x.x.131 239461: Jun 8 11:48:38.368 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::1A0B:0:1 Up
> Jun 8 11:47:03 x.x.x.131 239462: Jun 8 11:48:38.368 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::3029:0:1 Up
> Jun 8 11:47:03 x.x.x.131 239463: Jun 8 11:48:38.368 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::6E4:0:1 Up
> Jun 8 11:47:03 x.x.x.131 239464: Jun 8 11:48:38.372 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::CB0:0:1 Up
> Jun 8 11:47:03 x.x.x.131 239465: Jun 8 11:48:38.372 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::21C8:0:1 Up
> Jun 8 11:47:03 x.x.x.131 239466: Jun 8 11:48:38.372 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::8463:0:2 Up
> Jun 8 11:47:04 x.x.x.131 239467: Jun 8 11:48:38.372 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::31AA:0:1 Up
> Jun 8 11:47:04 x.x.x.131 239468: Jun 8 11:48:38.372 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.194.29 Up
> Jun 8 11:47:04 x.x.x.131 239469: Jun 8 11:48:38.372 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::62BF:0:1 Up
> Jun 8 11:47:04 x.x.x.131 239470: Jun 8 11:48:39.656 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.101 Down BGP Notification sent
> Jun 8 11:47:04 x.x.x.131 239471: Jun 8 11:48:39.656 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.192.101 4/0 (hold time expired) 0 bytes
> Jun 8 11:47:07 x.x.x.131 239472: Jun 8 11:48:41.696 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.104 Up
> Jun 8 11:47:10 x.x.x.131 239473: Jun 8 11:48:44.488 CEST: %BGP-3-BGP_NO_REMOTE_READ: 80.81.193.187 connection timed out - has not accepted a message from us for 20000ms (hold time), 1 messages pending transmition.
> Jun 8 11:47:10 x.x.x.131 239474: Jun 8 11:48:44.488 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.193.187 Down BGP Notification sent
> Jun 8 11:47:10 x.x.x.131 239475: Jun 8 11:48:44.488 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.193.187 4/0 (hold time expired) 0 bytes
> Jun 8 11:47:10 x.x.x.131 239476: Jun 8 11:48:44.900 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.194.61 Up
> Jun 8 11:47:10 x.x.x.131 239477: Jun 8 11:48:44.900 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.149 Up
> Jun 8 11:47:10 x.x.x.131 239478: Jun 8 11:48:44.900 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.136 Up
> Jun 8 11:47:10 x.x.x.131 239479: Jun 8 11:48:44.904 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::8463:0:1 Up
> Jun 8 11:47:10 x.x.x.131 239480: Jun 8 11:48:46.352 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::6268:0:1 Up
> Jun 8 11:47:14 x.x.x.131 239481: Jun 8 11:48:48.084 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.193.78 Up
> Jun 8 11:47:14 x.x.x.131 239482: Jun 8 11:48:49.172 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.193.239 Up
> Jun 8 11:47:14 x.x.x.131 239483: Jun 8 11:48:49.172 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.194.24 Up
> Jun 8 11:47:17 x.x.x.131 239484: Jun 8 11:48:52.160 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.194.45 Up
> Jun 8 11:47:17 x.x.x.131 239485: Jun 8 11:48:52.160 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.108 Up
> Jun 8 11:47:17 x.x.x.131 239486: Jun 8 11:48:52.160 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.164 Up
> Jun 8 11:47:17 x.x.x.131 239487: Jun 8 11:48:52.164 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.193.49 Up
> Jun 8 11:47:17 x.x.x.131 239488: Jun 8 11:48:52.164 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.139 Up
> Jun 8 11:47:17 x.x.x.131 239489: Jun 8 11:48:52.164 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::1536:0:1 Up
> Jun 8 11:47:17 x.x.x.131 239490: Jun 8 11:48:52.164 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::8601:0:1 Up
> Jun 8 11:47:17 x.x.x.131 239491: Jun 8 11:48:53.788 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.45 Up
> Jun 8 11:47:17 x.x.x.131 239492: Jun 8 11:48:53.788 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::A2DC:0:1 Up
> Jun 8 11:47:21 x.x.x.131 239493: Jun 8 11:48:55.056 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.194.91 Down BGP Notification sent
>
>
>
> Jun 8 11:49:04 x.x.x.131 239583: Jun 8 11:50:37.684 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.194.14 Down Peer closed the session
> Jun 8 11:49:04 x.x.x.131 239584: Jun 8 11:50:38.656 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.120 Down BGP Notification sent
> Jun 8 11:49:04 x.x.x.131 239585: Jun 8 11:50:38.656 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.192.120 4/0 (hold time expired) 0 bytes
> Jun 8 11:49:04 x.x.x.131 239586: Jun 8 11:50:38.656 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.229 Down BGP Notification sent
> Jun 8 11:49:04 x.x.x.131 239587: Jun 8 11:50:38.656 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.192.229 4/0 (hold time expired) 0 bytes
> Jun 8 11:49:04 x.x.x.131 239588: Jun 8 11:50:38.656 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.108 Down BGP Notification sent
> Jun 8 11:49:04 x.x.x.131 239589: Jun 8 11:50:38.656 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.192.108 4/0 (hold time expired) 0 bytes
> Jun 8 11:49:07 x.x.x.131 239590: Jun 8 11:50:41.944 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.194.73 Down BGP Notification sent
> Jun 8 11:49:07 x.x.x.131 239591: Jun 8 11:50:41.944 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.194.73 4/0 (hold time expired) 0 bytes
> Jun 8 11:49:07 x.x.x.131 239592: Jun 8 11:50:41.944 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::20AD:0:2 Down BGP Notification sent
> Jun 8 11:49:07 x.x.x.131 239593: Jun 8 11:50:41.944 CEST: %BGP-3-NOTIFICATION: sent to neighbor 2001:7F8::20AD:0:2 4/0 (hold time expired) 0 bytes
> Jun 8 11:49:07 x.x.x.131 239594: Jun 8 11:50:41.944 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.193.115 Down BGP Notification sent
> Jun 8 11:49:07 x.x.x.131 239595: Jun 8 11:50:41.944 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.193.115 4/0 (hold time expired) 0 bytes
> Jun 8 11:49:07 x.x.x.131 239596: Jun 8 11:50:44.124 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.194.3 Down BGP Notification sent
> Jun 8 11:49:11 x.x.x.131 239597: Jun 8 11:50:44.124 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.194.3 4/0 (hold time expired) 0 bytes
> Jun 8 11:49:11 x.x.x.131 239598: Jun 8 11:50:45.200 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.215 Down BGP Notification sent
> Jun 8 11:49:11 x.x.x.131 239599: Jun 8 11:50:45.200 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.192.215 4/0 (hold time expired) 0 bytes
> Jun 8 11:49:11 x.x.x.131 239600: Jun 8 11:50:47.336 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.141 Down BGP Notification sent
> Jun 8 11:49:11 x.x.x.131 239601: Jun 8 11:50:47.336 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.192.141 4/0 (hold time expired) 0 bytes
> Jun 8 11:49:14 x.x.x.131 239602: Jun 8 11:50:48.432 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::3B41:0:1 Down BGP Notification sent
> Jun 8 11:49:14 x.x.x.131 239603: Jun 8 11:50:48.432 CEST: %BGP-3-NOTIFICATION: sent to neighbor 2001:7F8::3B41:0:1 4/0 (hold time expired) 0 bytes
> Jun 8 11:49:14 x.x.x.131 239604: Jun 8 11:50:49.720 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.239 Down BGP Notification sent
> Jun 8 11:49:14 x.x.x.131 239605: Jun 8 11:50:49.720 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.192.239 4/0 (hold time expired) 0 bytes
> Jun 8 11:49:17 x.x.x.131 239606: Jun 8 11:50:50.976 CEST: %BGP-5-ADJCHANGE: neighbor 2001:2000:3080:B4::1 Down Peer closed the session
> Jun 8 11:49:17 x.x.x.131 239607: Jun 8 11:50:52.976 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.194.20 Down BGP Notification sent
> Jun 8 11:49:17 x.x.x.131 239608: Jun 8 11:50:52.976 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.194.20 4/0 (hold time expired) 0 bytes
> Jun 8 11:49:17 x.x.x.131 239609: Jun 8 11:50:54.044 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.193.21 Down BGP Notification sent
> Jun 8 11:49:17 x.x.x.131 239610: Jun 8 11:50:54.044 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.193.21 4/0 (hold time expired) 0 bytes
> Jun 8 11:49:20 x.x.x.131 239611: Jun 8 11:50:56.204 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::1A0B:0:1 Down BGP Notification sent
> Jun 8 11:49:20 x.x.x.131 239612: Jun 8 11:50:56.204 CEST: %BGP-3-NOTIFICATION: sent to neighbor 2001:7F8::1A0B:0:1 4/0 (hold time expired) 0 bytes
> Jun 8 11:49:23 x.x.x.131 239613: Jun 8 11:50:58.400 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.194.63 Down BGP Notification sent
> Jun 8 11:49:23 x.x.x.131 239614: Jun 8 11:50:58.400 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.194.63 4/0 (hold time expired) 0 bytes
> Jun 8 11:49:23 x.x.x.131 239615: Jun 8 11:50:59.448 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.97 Down BGP Notification sent
> Jun 8 11:49:23 x.x.x.131 239616: Jun 8 11:50:59.448 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.192.97 4/0 (hold time expired) 0 bytes
> Jun 8 11:49:27 x.x.x.131 239617: Jun 8 11:51:01.664 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.131 Down BGP Notification sent
> Jun 8 11:49:27 x.x.x.131 239618: Jun 8 11:51:01.664 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.192.131 4/0 (hold time expired) 0 bytes
> Jun 8 11:49:27 x.x.x.131 239619: Jun 8 11:51:03.872 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.194.83 Down BGP Notification sent
> Jun 8 11:49:27 x.x.x.131 239620: Jun 8 11:51:03.872 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.194.83 4/0 (hold time expired) 0 bytes
> Jun 8 11:49:27 x.x.x.131 239621: Jun 8 11:51:03.872 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.156 Down BGP Notification sent
> Jun 8 11:49:30 x.x.x.131 239622: Jun 8 11:51:03.872 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.192.156 4/0 (hold time expired) 0 bytes
> Jun 8 11:49:30 x.x.x.131 239623: Jun 8 11:51:06.056 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.194.50 Down BGP Notification sent
> Jun 8 11:49:30 x.x.x.131 239624: Jun 8 11:51:06.056 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.194.50 4/0 (hold time expired) 0 bytes
>
> CPU load is constantly at 100% doing BGP and more BGP.
>
> We have around 200 BGP sessions on DECIX and I would not want to shut
> them down and bring them up individually.
>
> How can I get out of this deadlock?
>
>
> Andy
>

--
================================================================
::
:: Kevin Hodle | http://www.linkedin.com/in/kevinhodle
::
:: PGP Key ID | fingerprint
::
:: 0x803F24BE | 1094 FB06 837F 2FAB C86B E4BE 4680 3679 803F 24BE

"Elegance is not a dispensable luxury but a factor that decides between success and failure." -Edsger Dijkstra
================================================================

From ras at e-gerbil.net Tue Jun 8 11:52:57 2010
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Tue, 8 Jun 2010 11:52:57 -0500
Subject: BGP convergence problem
In-Reply-To: <6AEBD3AC-CE37-4278-9E45-F4FA5DEC308A@puck.nether.net>
References: <6AEBD3AC-CE37-4278-9E45-F4FA5DEC308A@puck.nether.net>
Message-ID: <20100608165257.GR1261@gerbil.cluepon.net>

On Tue, Jun 08, 2010 at 12:22:04PM -0400, Jared Mauch wrote:
>
> The Cisco 7600 and 6500 platforms are getting fairly old and have
> underpowered cpus these days.
>
> Starting in SXH the control plane did not scale quite as well as in
> SXF. This got better in SXI, but is not back on par with SXF
> performance yet.
>
> I mostly attribute this to a combination of bloat in software and
> routing tables. I would start to look for a replacement sooner rather
> than later.

Place blame where blame is due: the CPU may be slow, but the crappy IOS scheduler is the real problem here.
We saw a huge reduction in the number of self-sustaining protocol timeout cycles on these boxes (where the process of trying to bring up a new neighbor and converge routing uses so much CPU that it causes other neighbors to time out, resulting in a never-ending cycle of fail until you shut down everything and bring them up one neighbor at a time) with the move from SXF to the SR branches. We never really went down the SXH/SXI road, but I'd have assumed they would have introduced the same improvements there too. I guess you know what they say about assuming. :)

Try the usual suspects:

* Configure "process-max-time 20" at the top level, this improves interactivity by making the scheduler switch processes more often.

* Make sure you don't have an overly aggressive control-plane policer. In my experience the COPP rate-limits are quite harsh, and if you end up bumping against them you don't get a graceful slowing of the exchange of routes, you get protocol timeouts.

* Make sure you don't have any stupid mls rate-limits, such as cef receive. I don't know why anyone would ever want to configure this, all it does is make your box fall over faster (as if these things need any help) by rate-limiting all traffic to the msfc.

* You might want to try something like "scheduler allocate 400 4000", which gives the vast majority of the cpu time to the control plane rather than process switching on the data plane (which in theory shouldn't happen on an entirely hw forwarded box like 6500/7600, though of course we all know that isn't true :P).

Oh and also the OP should take this to the cisco-nsp mailing list, where all the good bitching about broken Crisco routers takes place. :)

--
Richard A Steenbergen       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From sil at infiltrated.net Tue Jun 8 14:07:48 2010
From: sil at infiltrated.net (J. Oquendo)
Date: Tue, 08 Jun 2010 15:07:48 -0400
Subject: Nato warns of strike against cyber attackers
In-Reply-To:
References:
Message-ID: <4C0E9504.3090700@infiltrated.net>

From the NetSec mailing list...

> At http://www.timesonline.co.uk/tol/news/world/article7144856.ece
>
> June 6, 2010
> Nato warns of strike against cyber attackers
> Michael Smith and Peter Warren
>
> NATO is considering the use of military force against enemies who launch cyber attacks on its member states.
>
> The move follows a series of Russian-linked hacking against Nato members and warnings from intelligence services of the growing threat from China.
>
> A team of Nato experts led by Madeleine Albright, the former US secretary of state, has warned that the next attack on a Nato country "may well come down a fibre-optic cable".
>
> A report by Albright's group said that a cyber attack on the critical infrastructure of a Nato country could equate to an armed attack, justifying retaliation.
>
> Article 5 is the cornerstone of the 1949 Nato charter, laying down that "an armed attack" against one or more Nato countries "shall be considered an attack against them all".
>
> It was the clause in the charter that was invoked following the September 11 attacks to justify the removal of the Taliban regime in Afghanistan.
>
> Nato is now considering how severe the attack would have to be to justify retaliation, what military force could be used and what targets would be attacked.
>
> The organisation's lawyers say that because the effect of a cyber attack can be similar to an armed assault, there is no need to redraft existing treaties.
>
> Eneken Tikk, a lawyer at Nato's cyber defence centre in Estonia, said it would be enough to invoke the mutual defence clause "if, for example, a cyber attack on a country's power networks or critical infrastructure resulted in casualties and destruction comparable to a military attack".
> > Nato heads of government are expected to discuss the potential use of > military force in response to cyber attacks at a summit in Lisbon in > November that will debate the alliance?s future. General Keith Alexander, > head of the newly created US cyber command, said last week there was a need > for ?clear rules of engagement that say what we can stop?. > > The concerns follow warnings from intelligence services across Europe that > computer-launched attacks from Russia and China are a mounting threat. > Russian hackers have been blamed for an attack against Estonia in April and > May of 2007 which crippled government, media and banking communications and > internet sites. > > They also attacked Georgian computer systems during the August 2008 invasion > of the country, bringing down air defence networks and telecommunications > systems belonging to the president, the government and banks. > > Alexander disclosed last week that a 2008 attack on the Pentagon?s systems, > believed to have been mounted by the Chinese, successfully broke through > into classified areas. > > Britain?s Joint Intelligence Committee cautioned last year that Chinese-made > parts in the BT phone network could be used to bring down systems running > the country?s power and food supplies. > > Some experts have warned that it is often hard to establish government > involvement. Many Russian attacks, for example, have been blamed on the > Russian mafia. The Kremlin has consistently refused to sign an international > treaty banning internet crime. > > Obviously NATO is not concerned with proving the culprit of an attack an albeit close to impossibility. Considering that many attackers compromise so many machines, what's to stop someone from instigating. 
I can see it coming now:

hping -S 62.128.58.180 -a 62.220.119.62 -p ++21 -w 6000
hping -S 62.220.119.62 -a 62.128.58.180 -p ++21 -w 6000

So NANOGer's, what will be the game plan when something like this happens, will you be joining NATO and pulling fiber. I wonder when all types of warm-fuzzy filtering will be drafted into networking: "Thou shall re-read RFC4953 lest you want Predator strikes on your NAP locations... -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT "It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett 227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E

From jmamodio at gmail.com Tue Jun 8 14:50:30 2010 From: jmamodio at gmail.com (Jorge Amodio) Date: Tue, 8 Jun 2010 14:50:30 -0500 Subject: Nato warns of strike against cyber attackers In-Reply-To: <4C0E9504.3090700@infiltrated.net> References: <4C0E9504.3090700@infiltrated.net> Message-ID: > So NANOGer's, what will be the game plan when something like this > happens, will you be joining NATO and pulling fiber. I wonder when all > types of warm-fuzzy filtering will be drafted into networking: "Thou > shall re-read RFC4953 lest you want Predator strikes on your NAP > locations... We have a large supply of tin hats on stock ... My .02

From sil at infiltrated.net Tue Jun 8 15:03:15 2010 From: sil at infiltrated.net (J. Oquendo) Date: Tue, 08 Jun 2010 16:03:15 -0400 Subject: Nato warns of strike against cyber attackers In-Reply-To: References: <4C0E9504.3090700@infiltrated.net> Message-ID: <4C0EA203.8050504@infiltrated.net> Jorge Amodio wrote: >> So NANOGer's, what will be the game plan when something like this >> happens, will you be joining NATO and pulling fiber.
I wonder when all >> types of warm-fuzzy filtering will be drafted into networking: "Thou >> shall re-read RFC4953 lest you want Predator strikes on your NAP >> locations... >> > > We have a large supply of tin hats on stock ... > > My .02 > All humor aside, I'm curious to know what can anyone truly do at the end of the day if say a botnet was used to instigate a situation. Surely someone would have to say something to the tune of "better now than never" to implement BCP filtering on a large scale. Knobs, Levers, Dials and Switches: Now and Then (please sir, may I have some more ?) is 7 years old yet I wonder in practice, how many networks have 38/84 filtering. I'm wondering why it hasn't been implemented off the shelf in some of the newer equipment. This is not to say "huge backbones" should have it, but think about it, if smaller networks implemented it from the rip, the overhead wouldn't hurt that many of the bigger guys. On the contrary, my theory is it would save them headaches in the long run... Guess that's a pragmatic approach. Better that than an immediate pessimistic one. -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT "It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett 227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E

From dlr at bungi.com Tue Jun 8 15:12:18 2010 From: dlr at bungi.com (Dave Rand) Date: Tue, 8 Jun 2010 13:12:18 -0700 Subject: Nato warns of strike against cyber attackers In-Reply-To: "J. Oquendo"'s message on Jun 8, 16:03. Message-ID: [In the message entitled "Re: Nato warns of strike against cyber attackers" on Jun 8, 16:03, "J. Oquendo" writes:] > > All humor aside, I'm curious to know what can anyone truly do at the end > of the day if say a botnet was used to instigate a situation.
Surely > someone would have to say something to the tune of "better now than > never" to implement BCP filtering on a large scale. Knobs, Levers, Dials > and Switches: Now and Then (please sir, may I have some more ?) is 7 > years old yet I wonder in practice, how many networks have 38/84 > filtering. I'm wondering why it hasn't been implemented off the shelf in > some of the newer equipment. This is not to say "huge backbones" should > have it, but think about it, if smaller networks implemented it from the > rip, the overhead wouldn't hurt that many of the bigger guys. On the > contrary, my theory is it would save them headaches in the long run... > Guess that's a pragmatic approach. Better that than an immediate > pessimistic one. > It's really way, way past time for us to actually deal with compromised computers on our networks. Abuse desks need to have the power to filter customers immediately on notification of activity. We need to have tools to help us identify compromised customers. We need to have policies that actually work to help notify the customers when they are compromised. None of this needs to be done for free. There needs to be a "security fee" charged _all_ customers, which would fund the abuse desk. With more than 100,000,000 compromised computers out there, it's really time for us to step up to the plate, and make this happen. --

From jmamodio at gmail.com Tue Jun 8 15:18:03 2010 From: jmamodio at gmail.com (Jorge Amodio) Date: Tue, 8 Jun 2010 15:18:03 -0500 Subject: Nato warns of strike against cyber attackers In-Reply-To: References: Message-ID: > None of this needs to be done for free. There needs to be a "security > fee" charged _all_ customers, which would fund the abuse desk. > With more than 100,000,000 compromised computers out there, it's really > time for us to step up to the plate, and make this happen.
Or you should send the bill to the company that created the software that facilitated to get so many computers compromised, some folks in Redmond have a large chunk of money on the bank. My .02

From sil at infiltrated.net Tue Jun 8 15:27:20 2010 From: sil at infiltrated.net (J. Oquendo) Date: Tue, 08 Jun 2010 16:27:20 -0400 Subject: Nato warns of strike against cyber attackers In-Reply-To: References: Message-ID: <4C0EA7A8.1050100@infiltrated.net> Jorge Amodio wrote: >> None of this needs to be done for free. There needs to be a "security >> fee" charged _all_ customers, which would fund the abuse desk. >> > > >> With more than 100,000,000 compromised computers out there, it's really >> time for us to step up to the plate, and make this happen. >> > > Or you should send the bill to the company that created the software > that facilitated to get so many computers compromised, some folks in > Redmond have a large chunk of money on the bank. > > My .02 > > > Seems like it's come full circle again (http://irbs.net/internet/nanog/0412/0109.html) and I can always recall Rob Thomas' take on this (http://irbs.net/internet/nanog/0412/0222.html) "Filtering out bogons removes yet one more potential source of badness. Does it remove all badness? Of course not. We win by degrees. Removing any tool from the bad persons' toolkit is useful." Not forgetting Mark Andrews "Any operator not implementing BCP 38 is potentially aiding and abetting some criminal. BCP 38 is over 10 years old. There is no excuse for not having equipment in place to handle the processing needs of BCP 38." ISP's could actually offset the charges to customers with helpdesks to recoup some equipment costs while maintaining a clean network. As for the "blame the software" comment, irrelevant. If bad hosts were minimized, there would likely be fewer compromises irrespective of the vendor of the software.
Statistically I would think the number of compromises would go down but at the same time I believe the criminals would get smarter. That's just the nature of the beast. -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT "It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett 227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E

From bruns at 2mbit.com Tue Jun 8 15:30:27 2010 From: bruns at 2mbit.com (Brielle Bruns) Date: Tue, 08 Jun 2010 14:30:27 -0600 Subject: Nato warns of strike against cyber attackers In-Reply-To: References: Message-ID: <4C0EA863.9020606@2mbit.com> On 6/8/10 2:12 PM, Dave Rand wrote: > It's really way, way past time for us to actually deal with compromised > computers on our networks. Abuse desks need to have the power to filter > customers immediately on notification of activity. We need to have tools to > help us identify compromised customers. We need to have policies that > actually work to help notify the customers when they are compromised. > > None of this needs to be done for free. There needs to be a "security > fee" charged _all_ customers, which would fund the abuse desk. > > With more than 100,000,000 compromised computers out there, it's really > time for us to step up to the plate, and make this happen. Problem is, there's no financial penalties for providers who ignore abuse coming from their network. DNSbl lists work only because after a while, providers can't ignore their customer complaints and exodus when they dig deep into the bottom line. We've got several large scale IP blocks in place in the AHBL due to this exact problem - providers know there's abuse going on, they won't terminate the customers or deal with it, because they are more than happy to take money.
Legit customers get caught in the cross-fire, and they suffer - but at the same time, those legit customers are the only ones that will be able to force a change on said provider. They contact us, and act all innocent, and tell people we're being unreasonable, neglecting to tell people at the same time that the 'unreasonable' DNSbl maintainer only wants for them to do a simple task that thousands of other providers and administrators have done before. -- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org

From sil at infiltrated.net Tue Jun 8 15:44:35 2010 From: sil at infiltrated.net (J. Oquendo) Date: Tue, 08 Jun 2010 16:44:35 -0400 Subject: Nato warns of strike against cyber attackers In-Reply-To: <4C0EA863.9020606@2mbit.com> References: <4C0EA863.9020606@2mbit.com> Message-ID: <4C0EABB3.5020609@infiltrated.net> Brielle Bruns wrote: > Problem is, there's no financial penalties for providers who ignore > abuse coming from their network. > > DNSbl lists work only because after a while, providers can't ignore > their customer complaints and exodus when they dig deep into the > bottom line. > > We've got several large scale IP blocks in place in the AHBL due to > this exact problem - providers know there's abuse going on, they won't > terminate the customers or deal with it, because they are more than > happy to take money. > > Legit customers get caught in the cross-fire, and they suffer - but at > the same time, those legit customers are the only ones that will be > able to force a change on said provider. > > They contact us, and act all innocent, and tell people we're being > unreasonable, neglecting to tell people at the same time that the > 'unreasonable' DNSbl maintainer only wants for them to do a simple > task that thousands of other providers and administrators have done > before. > I know it's akin to Apples and Oranges but maybe a "network forfeiture" (http://www.lectlaw.com/def/f054.htm) clause be drafted.
Surely there should be no outcry for stating: "If your network is dirty, it's gone including all your equipment" I wonder how fast some network operators would have their networks. Again, re-visiting re-hashed threads: http://www.mail-archive.com/nanog at merit.edu/msg50472.html Surely a vast majority have to be tired of the garbage coming from your own networks and others. I can tell you I'm tired of my phone ringing because some tollfraudster keeps thinking he's making uber calls when he's stuck in one of my honeypots. -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT "It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett 227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E

From LarrySheldon at cox.net Tue Jun 8 16:03:32 2010 From: LarrySheldon at cox.net (Larry Sheldon) Date: Tue, 08 Jun 2010 16:03:32 -0500 Subject: Nato warns of strike against cyber attackers In-Reply-To: <4C0EABB3.5020609@infiltrated.net> References: <4C0EA863.9020606@2mbit.com> <4C0EABB3.5020609@infiltrated.net> Message-ID: <4C0EB024.80406@cox.net> On 6/8/2010 15:44, J. Oquendo wrote: > Brielle Bruns wrote: >> Problem is, there's no financial penalties for providers who ignore >> abuse coming from their network. >> >> DNSbl lists work only because after a while, providers can't ignore >> their customer complaints and exodus when they dig deep into the >> bottom line. >> >> We've got several large scale IP blocks in place in the AHBL due to >> this exact problem - providers know there's abuse going on, they won't >> terminate the customers or deal with it, because they are more than >> happy to take money.
>> >> Legit customers get caught in the cross-fire, and they suffer - but at >> the same time, those legit customers are the only ones that will be >> able to force a change on said provider. >> >> They contact us, and act all innocent, and tell people we're being >> unreasonable, neglecting to tell people at the same time that the >> 'unreasonable' DNSbl maintainer only wants for them to do a simple >> task that thousands of other providers and administrators have done >> before. >> > I know it's akin to Apples and Oranges but maybe a "network forfeiture" > (http://www.lectlaw.com/def/f054.htm) clause be drafted. Surely there > should be no outcry for stating: "If your network is dirty, it's gone > including all your equipment" I wonder how fast some network operators > would have their networks. Again, re-visiting re-hashed threads: > http://www.mail-archive.com/nanog at merit.edu/msg50472.html Surely a > vast majority have to be tired of the garbage coming from your own > networks and others. I can tell you I'm tired of my phone ringing > because some tollfraudster keeps thinking he's making uber calls when > he's stuck in one of my honeypots. I have for what, 20 years? been begging for vendors to provide clean service. But there is no hurry, the world government (spare me the tin hats thing. Have you noticed what is going on in Washington lately?) will take care of it. -- Somebody should have said: A democracy is two wolves and a lamb voting on what to have for dinner. Freedom under a constitutional republic is a well armed lamb contesting the vote.
Requiescas in pace o email Ex turpi causa non oritur actio Eppure si rinfresca ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml

From NANOG at Aquillar.com Tue Jun 8 16:08:50 2010 From: NANOG at Aquillar.com (Peter Boone) Date: Tue, 8 Jun 2010 17:08:50 -0400 Subject: Nato warns of strike against cyber attackers In-Reply-To: <4C0E9504.3090700@infiltrated.net> References: <4C0E9504.3090700@infiltrated.net> Message-ID: <001f01cb074e$cb548ab0$61fda010$@com> So let's say a cyber-attack originates from a Chinese script kiddie. Albania, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark, Estonia, France, Germany, Greece, Hungary, Iceland, Italy, Latvia, Lithuania, Luxembourg, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Turkey, the United Kingdom, and the United States will all respond by invading China? Is NATO trying to start a war here? There's no mention in the article about any kind of electronic response to the attack.

From bruns at 2mbit.com Tue Jun 8 16:15:13 2010 From: bruns at 2mbit.com (Brielle Bruns) Date: Tue, 08 Jun 2010 15:15:13 -0600 Subject: Nato warns of strike against cyber attackers In-Reply-To: <001f01cb074e$cb548ab0$61fda010$@com> References: <4C0E9504.3090700@infiltrated.net> <001f01cb074e$cb548ab0$61fda010$@com> Message-ID: <4C0EB2E1.4080501@2mbit.com> On 6/8/10 3:08 PM, Peter Boone wrote: > So let's say a cyber-attack originates from a Chinese script kiddie. > > Albania, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark, > Estonia, France, Germany, Greece, Hungary, Iceland, Italy, Latvia, > Lithuania, Luxembourg, Netherlands, Norway, Poland, Portugal, Romania, > Slovakia, Slovenia, Spain, Turkey, the United Kingdom, and the United States > will all respond by invading China? Is NATO trying to start a war here? > > There's no mention in the article about any kind of electronic response to > the attack. > Of course, their reasoning seems to be that there's no possible way an attack could be from Russia, but using an open proxy, relay, etc in China. It's not like an IP is guaranteed to be directly controlled by someone in that country. So, we end up invading China, and while all of our troops are there, Russia comes in and takes over the US or the EU without much effort. Note I'm just using Russia and China in examples here, no specific reason that it could only be them. If I didn't know any better, I'd say they let Bush write their policies.
-- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org

From joelja at bogus.com Tue Jun 8 16:14:25 2010 From: joelja at bogus.com (joel jaeggli) Date: Tue, 08 Jun 2010 14:14:25 -0700 Subject: Nato warns of strike against cyber attackers In-Reply-To: <4C0EA203.8050504@infiltrated.net> References: <4C0E9504.3090700@infiltrated.net> <4C0EA203.8050504@infiltrated.net> Message-ID: <4C0EB2B1.7050109@bogus.com> On 2010-06-08 13:03, J. Oquendo wrote: > Jorge Amodio wrote: > > All humor aside, I'm curious to know what can anyone truly do at the end > of the day if say a botnet was used to instigate a situation. Surely > someone would have to say something to the tune of "better now than > never" to implement BCP filtering on a large scale. Knobs, Levers, Dials > and Switches: Now and Then (please sir, may I have some more ?) is 7 > years old yet I wonder in practice, how many networks have 38/84 > filtering. I'm wondering why it hasn't been implemented off the shelf in > some of the newer equipment. This is not to say "huge backbones" should > have it, but think about it, if smaller networks implemented it from the > rip, the overhead wouldn't hurt that many of the bigger guys. On the > contrary, my theory is it would save them headaches in the long run... > Guess that's a pragmatic approach. Better that than an immediate > pessimistic one. The bots don't need to spoof source addresses... and therefore the filtering associated with preventing that, while a solid belt-and-suspenders exercise, is by no means a panacea.
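As an added example (not code from the thread or from any of its participants), the following Python models the BCP 38 / BCP 84 checks the thread keeps returning to: a static ingress ACL, strict uRPF and loose uRPF, run over constructed packets that include the spoofed pair from the hping example earlier in the thread. It shows both what source-address validation catches and what joel's point means in practice: a bot sending with its own real address passes every check. The two /24s, the interface names and the remaining sample packets are assumptions.

```python
"""Model of BCP 38 / BCP 84 source-address validation at a network edge.

Added example, not code from the thread. The FIB, interface names and
sample packets are constructed; the two /24s are assumptions built around
the addresses quoted in the hping example earlier in the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

IPNetwork = ipaddress.IPv4Network


@dataclass(frozen=True)
class Packet:
    src: str        # source address as it appears on the wire
    dst: str
    in_iface: str   # interface the packet arrived on


# Constructed FIB for a small edge router: prefix -> interface it is reached via.
DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")
FIB: Dict[IPNetwork, str] = {
    ipaddress.ip_network("62.128.58.0/24"): "cust-A",
    ipaddress.ip_network("62.220.119.0/24"): "cust-B",
    DEFAULT_ROUTE: "upstream",
}

# Static per-port assignment for the BCP 38 ACL (constructed, mirrors the FIB).
CUSTOMER_PREFIXES: Dict[str, List[IPNetwork]] = {
    "cust-A": [ipaddress.ip_network("62.128.58.0/24")],
    "cust-B": [ipaddress.ip_network("62.220.119.0/24")],
}


def fib_lookup(addr: str) -> Tuple[IPNetwork, str]:
    """Longest-prefix match; the default route guarantees a hit."""
    ip = ipaddress.ip_address(addr)
    best = max((net for net in FIB if ip in net), key=lambda n: n.prefixlen)
    return best, FIB[best]


def ingress_acl(pkt: Packet) -> bool:
    """BCP 38 as a static ACL: a customer port only admits that customer's
    prefixes. Ports without an assignment (the upstream) are not filtered."""
    nets = CUSTOMER_PREFIXES.get(pkt.in_iface)
    if nets is None:
        return True
    ip = ipaddress.ip_address(pkt.src)
    return any(ip in n for n in nets)


def strict_urpf(pkt: Packet) -> bool:
    """BCP 84 strict mode: the source must route back out the ingress
    interface. Catches customer-side spoofing; on the upstream side it also
    rejects your own prefixes arriving from outside (and breaks asymmetric
    routing, which is why it is normally not enabled there)."""
    _, via = fib_lookup(pkt.src)
    return via == pkt.in_iface


def loose_urpf(pkt: Packet) -> bool:
    """Loose mode: any non-default route to the source suffices. Cheaper on
    multihomed edges, but a source that merely exists somewhere passes."""
    net, _ = fib_lookup(pkt.src)
    return net != DEFAULT_ROUTE


# Constructed traffic. The first two packets are the hping pair from the thread
# (hping's -a sets the source) as they would appear if sent from a host on cust-A.
SAMPLE_PACKETS = [
    Packet("62.220.119.62", "62.128.58.180", "cust-A"),  # spoofed: claims cust-B space
    Packet("62.128.58.180", "62.220.119.62", "cust-A"),  # genuine cust-A source; a bot looks like this
    Packet("10.0.0.1", "62.128.58.180", "cust-A"),       # RFC 1918 source, no route at all
    Packet("62.128.58.1", "198.51.100.7", "upstream"),   # our own prefix arriving from outside
]


def evaluate(packets: List[Packet]) -> List[Dict[str, object]]:
    """Apply all three checks to each packet; True means the packet is admitted."""
    return [
        {
            "src": p.src,
            "iface": p.in_iface,
            "acl": ingress_acl(p),
            "strict": strict_urpf(p),
            "loose": loose_urpf(p),
        }
        for p in packets
    ]


if __name__ == "__main__":
    for r in evaluate(SAMPLE_PACKETS):
        print(f"{r['src']:>15} via {r['iface']:<8} "
              f"acl={r['acl']!s:<5} strict={r['strict']!s:<5} loose={r['loose']}")
```

Only the second packet, the one with a genuine customer source, is admitted by all three checks, which is exactly the traffic a non-spoofing bot generates.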
From smb at cs.columbia.edu Tue Jun 8 16:37:02 2010 From: smb at cs.columbia.edu (Steven Bellovin) Date: Tue, 8 Jun 2010 17:37:02 -0400 Subject: Nato warns of strike against cyber attackers In-Reply-To: <4C0EB2E1.4080501@2mbit.com> References: <4C0E9504.3090700@infiltrated.net> <001f01cb074e$cb548ab0$61fda010$@com> <4C0EB2E1.4080501@2mbit.com> Message-ID: <6EB08CE4-7132-46C4-B3EF-1C4D6A1E9A88@cs.columbia.edu> On Jun 8, 2010, at 5:15:13 PM, Brielle Bruns wrote: > On 6/8/10 3:08 PM, Peter Boone wrote: >> So let's say a cyber-attack originates from a Chinese script kiddie. >> >> Albania, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark, >> Estonia, France, Germany, Greece, Hungary, Iceland, Italy, Latvia, >> Lithuania, Luxembourg, Netherlands, Norway, Poland, Portugal, Romania, >> Slovakia, Slovenia, Spain, Turkey, the United Kingdom, and the United States >> will all respond by invading China? Is NATO trying to start a war here? >> >> There's no mention in the article about any kind of electronic response to >> the attack. >> > > > Of course, their reasoning seems to be that there's no possible way an attack could be from Russia, but using an open proxy, relay, etc in China. It's not like an IP is guaranteed to be directly controlled by someone in that country. > > So, we end up invading China, and while all of our troops are there, Russia comes in and takes over the US or the EU without much effort. > > Note I'm just using Russia and China in examples here, no specific reason that it could only be them. > > If I didn't know any better, I'd say they let Bush write their policies. Packets of mass destruction? The issue of attribution -- and the extreme difficulty of doing it in the online world -- is *very* well understood in Washington, even at the policy-maker level. I'm currently a member of a National Academies study committee on "cyberdeterrence" (http://sites.nationalacademies.org/CSTB/CurrentProjects/CSTB_054995); we've discussed that point ad nauseam.
Consider this text from p. 9 of our letter report: "for many kinds of cyberattack the United States would almost certainly not be able to ascertain the source of such an attack, even if it were a national act, let alone hold a specific nation responsible. For example, the United States is constantly under cyberattack today, and it is widely believed (though without conclusive proof) that most of these cyberattacks are not the result of national decisions by an adversary state, though press reports have claimed that some are. In general, prompt technical attribution of an attack or exploitation -- that is, identification of the responsible party (individual? subnational group? nation-state?) based only on technical indicators associated with the event in question -- is quite problematic, and any party accused of launching a given cyberintrusion could deny it with considerable plausibility. Forensic investigation might yield the identity of the responsible party, but the time scale for such investigation is often on the order of weeks or months. (Although it is often quite straightforward to trace an intrusion to the proximate node, in general, this will not be the origination point of the intrusion. Tracing an intrusion to its actual origination point past intermediate nodes is what is most difficult.)" But read the next paragraph, which discusses other ways to figure out who did it. We can hope that no one in Washington (or Beijing or Moscow or the capital of Elbonia) is stupid enough to rely on IP addresses of the actual attacking machines as a definitive indicator. Given how widely understood that is, it's not even on my list of things to worry about. The question that report is tackling is this: *if* there is a serious online attack on critical infrastructure -- say, turning off some generators with extreme prejudice (http://edition.cnn.com/2007/US/09/26/power.at.risk/index.html), and *if* you know who did it, is a "kinetic" response on the table?
This has nothing to do with the botnet du jour, nor with Sen. Lieberman marching into your NOC with a subpoena for your "enable" passwords. And while people in Washington (or Beijing or Moscow or the capital of Elbonia) can be quite stupid, they're (usually) not quite as stupid as all that. And yes, serious mistakes can be made. One more quote from the report (p. 8): "History shows that when human beings with little hard information are placed into unfamiliar situations in a general environment of tension, they often substitute supposition for knowledge. In the words of a former senior administration official responsible for protecting U.S. critical infrastructure, 'I have seen too many situations where government officials claimed a high degree of confidence as to the source, intent, and scope of a [cyber]attack, and it turned out they were wrong on every aspect of it. That is, they were often wrong, but never in doubt.'" --Steve Bellovin, http://www.cs.columbia.edu/~smb

From tme at americafree.tv Tue Jun 8 16:50:52 2010 From: tme at americafree.tv (Marshall Eubanks) Date: Tue, 8 Jun 2010 17:50:52 -0400 Subject: Nato warns of strike against cyber attackers In-Reply-To: <001f01cb074e$cb548ab0$61fda010$@com> References: <4C0E9504.3090700@infiltrated.net> <001f01cb074e$cb548ab0$61fda010$@com> Message-ID: <9E6D701E-D511-4719-B869-2E2F46A35AA1@americafree.tv> On Jun 8, 2010, at 5:08 PM, Peter Boone wrote: > So let's say a cyber-attack originates from a Chinese script kiddie. > > Albania, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark, > Estonia, France, Germany, Greece, Hungary, Iceland, Italy, Latvia, > Lithuania, Luxembourg, Netherlands, Norway, Poland, Portugal, Romania, > Slovakia, Slovenia, Spain, Turkey, the United Kingdom, and the > United States > will all respond by invading China? That leaves out the important aspect of selection. You can bet that, if they do this, they will pick a more suitable target, say one without strategic rocket forces.
> Is NATO trying to start a war here? > Militaries tend to think in terms of military responses. What any of this has to do with configuring routers escapes me. Regards Marshall > There's no mention in the article about any kind of electronic > response to > the attack. > > -----Original Message----- > From: J. Oquendo [mailto:sil at infiltrated.net] > Sent: Tuesday, June 08, 2010 3:08 PM > To: nanog at merit.edu > Subject: Nato warns of strike against cyber attackers > >> From the NetSec mailing list... > >> At http://www.timesonline.co.uk/tol/news/world/article7144856.ece >> >> June 6, 2010 >> Nato warns of strike against cyber attackers >> Michael Smith and Peter Warren >> >> NATO is considering the use of military force against enemies who >> launch >> cyber attacks on its member states. >> >> The move follows a series of Russian-linked hacking against Nato >> members > and >> warnings from intelligence services of the growing threat from China. >> >> A team of Nato experts led by Madeleine Albright, the former US >> secretary > of >> state, has warned that the next attack on a Nato country ?may well >> come > down >> a fibre-optic cable?. >> >> A report by Albright?s group said that a cyber attack on the critical >> infrastructure of a Nato country could equate to an armed attack, > justifying >> retaliation. >> >> Article 5 is the cornerstone of the 1949 Nato charter, laying down >> that > ?an >> armed attack? against one or more Nato countries ?shall be >> considered an >> attack against them all?. >> >> It was the clause in the charter that was invoked following the >> September > 11 >> attacks to justify the removal of the Taliban regime in Afghanistan. >> >> Nato is now considering how severe the attack would have to be to >> justify >> retaliation, what military force could be used and what targets >> would be >> attacked. 
>> >> The organisation's lawyers say that because the effect of a cyber >> attack > can >> be similar to an armed assault, there is no need to redraft existing >> treaties. >> >> Eneken Tikk, a lawyer at Nato's cyber defence centre in Estonia, >> said it >> would be enough to invoke the mutual defence clause "if, for >> example, a >> cyber attack on a country's power networks or critical infrastructure >> resulted in casualties and destruction comparable to a military >> attack". >> >> Nato heads of government are expected to discuss the potential use of >> military force in response to cyber attacks at a summit in Lisbon in >> November that will debate the alliance's future. General Keith >> Alexander, >> head of the newly created US cyber command, said last week there >> was a > need >> for "clear rules of engagement that say what we can stop". >> >> The concerns follow warnings from intelligence services across >> Europe that >> computer-launched attacks from Russia and China are a mounting >> threat. >> Russian hackers have been blamed for an attack against Estonia in >> April > and >> May of 2007 which crippled government, media and banking >> communications > and >> internet sites. >> >> They also attacked Georgian computer systems during the August 2008 > invasion >> of the country, bringing down air defence networks and >> telecommunications >> systems belonging to the president, the government and banks. >> >> Alexander disclosed last week that a 2008 attack on the Pentagon's > systems, >> believed to have been mounted by the Chinese, successfully broke >> through >> into classified areas. >> >> Britain's Joint Intelligence Committee cautioned last year that > Chinese-made >> parts in the BT phone network could be used to bring down systems >> running >> the country's power and food supplies. >> >> Some experts have warned that it is often hard to establish >> government >> involvement.
Many Russian attacks, for example, have been blamed on >> the >> Russian mafia. The Kremlin has consistently refused to sign an > international >> treaty banning internet crime. >> >> > > Obviously NATO is not concerned with proving the culprit of an > attack an > albeit close to impossibility. Considering that many attackers > compromise so many machines, what's to stop someone from > instigating. I > can see it coming now: > > hping -S 62.128.58.180 -a 62.220.119.62 -p ++21 -w 6000 > hping -S 62.220.119.62 -a 62.128.58.180 -p ++21 -w 6000 > > So NANOGer's, what will be the game plan when something like this > happens, will you be joining NATO and pulling fiber. I wonder when all > types of warm-fuzzy filtering will be drafted into networking: "Thou > shall re-read RFC4953 lest you want Predator strikes on your NAP > locations... > > -- > > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ > J. Oquendo > SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT > > "It takes 20 years to build a reputation and five minutes to > ruin it. If you think about that, you'll do things > differently." - Warren Buffett > > 227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E > http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E > > > >

From fergdawgster at gmail.com Tue Jun 8 16:52:16 2010 From: fergdawgster at gmail.com (Paul Ferguson) Date: Tue, 8 Jun 2010 14:52:16 -0700 Subject: Nato warns of strike against cyber attackers In-Reply-To: <4C0EA863.9020606@2mbit.com> References: <4C0EA863.9020606@2mbit.com> Message-ID: On Tue, Jun 8, 2010 at 1:30 PM, Brielle Bruns wrote: > On 6/8/10 2:12 PM, Dave Rand wrote: > >> It's really way, way past time for us to actually deal with compromised >> computers on our networks. Abuse desks need to have the power to filter >> customers immediately on notification of activity. We need to have >> tools to >> help us identify compromised customers.
We need to have policies that >> actually work to help notify the customers when they are compromised. >> >> None of this needs to be done for free. There needs to be a "security >> fee" charged _all_ customers, which would fund the abuse desk. >> >> With more than 100,000,000 compromised computers out there, it's really >> time for us to step up to the plate, and make this happen. > > > Problem is, there's no financial penalties for providers who ignore abuse > coming from their network. > Actually, the real problem is that if providers *don't* start doing something to remediate abuse originating within their customer base -- and begin policing themselves -- I don't think they will like someone else (e.g. the gummint) forcing them to do something (which actually may be worse). The opportunity for providers to address this problem by policing themselves is being overshadowed by the real possibility that the government may step in and force them to do so, unfortunately. $.02, - - ferg -- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawgster(at)gmail.com ferg's tech blog: http://fergdawg.blogspot.com/

From randy at psg.com Tue Jun 8 17:26:19 2010 From: randy at psg.com (Randy Bush) Date: Wed, 09 Jun 2010 07:26:19 +0900 Subject: BGP convergence problem In-Reply-To: <6AEBD3AC-CE37-4278-9E45-F4FA5DEC308A@puck.nether.net> References: <6AEBD3AC-CE37-4278-9E45-F4FA5DEC308A@puck.nether.net> Message-ID: > The Cisco 7600 and 6500 platforms are getting fairly old and have > underpowered cpus these days. the hamsters in them were never well fed, ever. though i have never run one, too yucchhy, i have measured receiving a research feed from one. over ten minutes for a full table while a router takes two.
some researcher into archeology might try to measure if it is just a sick tcp or if it is closer to rib-out. randy

From ge at linuxbox.org Tue Jun 8 17:44:20 2010 From: ge at linuxbox.org (Gadi Evron) Date: Wed, 09 Jun 2010 01:44:20 +0300 Subject: Nato warns of strike against cyber attackers In-Reply-To: <4C0E9504.3090700@infiltrated.net> References: <4C0E9504.3090700@infiltrated.net> Message-ID: <4C0EC7C4.1060805@linuxbox.org> On 6/8/10 10:07 PM, J. Oquendo wrote: > So NANOGer's, what will be the game plan when something like this > happens, will you be joining NATO and pulling fiber. I wonder when all > types of warm-fuzzy filtering will be drafted into networking: "Thou > shall re-read RFC4953 lest you want Predator strikes on your NAP > locations... We must distinguish between the m.o. of an actual response, and deterrence. If we speak of deterrence, I wrote about it not long ago. Deterrence online is one of the biggest idiocies of the past couple of years. There are some interesting research possibilities in the subject matter, but not as it is portrayed today -- a cure-all strategy. Strategic experts are very comfortable with Cold War strategy following around 70 years of practicing it, so when asked to deal with the Internet, they ran to deterrence. In order to have deterrence, you require first an ability to respond to an attack. On the Internet, you may never find out who is attacking you, and data may be intentionally misleading when you think you do have some bread crumbs. It is just virtually impossible to tell who is behind an attack from technical data alone. Thus, deterrence against whom? You may say that by setting an occasional example, it doesn't matter who you attack. That is mostly false as well.
If we do know who is attacking us, then consider the players can now be (and indeed are) unaffiliated individuals or groups who may not care about the infrastructure of the country they are in nor have any infrastructure to speak of (which can in turn be targeted). Any attack will likely be against a third-party that has been hacked, i.e. compromised. And if you're dealing with large-scale attacks, such as DDoS, responding in kind (with DDoS, botnets, etc.) will also hurt the Internet itself with collateral damage. There are some particular instances where deterrence does work online, and it may also be used as a general addition to real-world deterrence (we have cyberweapons -- beware!), but these are just points that would muddy the water in the wider argument before us. I think supporting such folly is generally folly itself. For further reading, I'd point you to this comprehensive and quite excellent document: "Cyber Deterrence and Cyber War," by Martin C. Libicki: http://www.rand.org/pubs/monographs/2009/RAND_MG877.pdf Gadi. -- Gadi Evron, http://gadievron.com/

From ge at linuxbox.org Tue Jun 8 17:46:09 2010 From: ge at linuxbox.org (Gadi Evron) Date: Wed, 09 Jun 2010 01:46:09 +0300 Subject: Nato warns of strike against cyber attackers In-Reply-To: <9E6D701E-D511-4719-B869-2E2F46A35AA1@americafree.tv> References: <4C0E9504.3090700@infiltrated.net> <001f01cb074e$cb548ab0$61fda010$@com> <9E6D701E-D511-4719-B869-2E2F46A35AA1@americafree.tv> Message-ID: <4C0EC831.1000907@linuxbox.org> On 6/9/10 12:50 AM, Marshall Eubanks wrote: > What any of this has to do with configuring routers escapes me. I think Jay is worried about steps operators may have to take during such an eventuality of an attack, not to mention the collateral damage to the Internet infrastructure if DDoS is what they have in mind. Gadi.
-- Gadi Evron, http://gadievron.com/

From jimtempl at att.net Tue Jun 8 18:48:44 2010 From: jimtempl at att.net (Jim Templin) Date: Tue, 8 Jun 2010 16:48:44 -0700 Subject: Nato warns of strike against cyber attackers In-Reply-To: <4C0EC831.1000907@linuxbox.org> References: <4C0E9504.3090700@infiltrated.net> <001f01cb074e$cb548ab0$61fda010$@com> <9E6D701E-D511-4719-B869-2E2F46A35AA1@americafree.tv> <4C0EC831.1000907@linuxbox.org> Message-ID: <000901cb0765$21f49700$65ddc500$@net> Have no fear, geolocation is here; you are not in peril. It will be a surgical strike. If Google and others are willing to assist, they will know exactly where to send the JDAM. Chrome now collects data from your wireless card if you let it. When you are asked where you are, Chrome then also records any IP and MACs it hears over your card (or so I am told). The same is being done on cell phone OS. Being on a GRE tunnel will make no difference. http://www.google.com/support/chrome/bin/answer.py?answer=142065&hl=en http://google-code-updates.blogspot.com/2008/10/introducing-gears-geolocation-api-for.html http://news.cnet.com/8301-30684_3-20006342-265.html Here is one commercial application of this process. http://www.skyhookwireless.com Cowering under my desk, Jim > -----Original Message----- > From: Gadi Evron [mailto:ge at linuxbox.org] > Sent: Tuesday, June 08, 2010 3:46 PM > To: nanog at nanog.org > Subject: Re: Nato warns of strike against cyber attackers > > On 6/9/10 12:50 AM, Marshall Eubanks wrote: > > What any of this has to do with configuring routers escapes me. > > I think Jay is worried about steps operators may have to take during > such an eventuality of an attack, not to mention the collateral damage > to the Internet infrastructure if DDoS is what they have in mind. > > Gadi.
> > -- > Gadi Evron, > http://gadievron.com/

From deleskie at gmail.com Tue Jun 8 18:50:08 2010 From: deleskie at gmail.com (jim deleskie) Date: Tue, 8 Jun 2010 20:50:08 -0300 Subject: Nato warns of strike against cyber attackers In-Reply-To: <4C0EC831.1000907@linuxbox.org> References: <4C0E9504.3090700@infiltrated.net> <001f01cb074e$cb548ab0$61fda010$@com> <9E6D701E-D511-4719-B869-2E2F46A35AA1@americafree.tv> <4C0EC831.1000907@linuxbox.org> Message-ID: Military reply doesn't have to mean bombs and guns. There is nothing keeping it from meaning offensive cyber counter attacks. This would mean manage the battlefields :) On Tue, Jun 8, 2010 at 7:46 PM, Gadi Evron wrote: > On 6/9/10 12:50 AM, Marshall Eubanks wrote: >> >> What any of this has to do with configuring routers escapes me.

From jmamodio at gmail.com Tue Jun 8 19:23:17 2010 From: jmamodio at gmail.com (Jorge Amodio) Date: Tue, 8 Jun 2010 19:23:17 -0500 Subject: Nato warns of strike against cyber attackers In-Reply-To: <001f01cb074e$cb548ab0$61fda010$@com> References: <4C0E9504.3090700@infiltrated.net> <001f01cb074e$cb548ab0$61fda010$@com> Message-ID: > So let's say a cyber-attack originates from Chinese script kiddie. > > Albania, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark, > Estonia, France, Germany, Greece, Hungary, Iceland, Italy, Latvia, > Lithuania, Luxembourg, Netherlands, Norway, Poland, Portugal, Romania, > Slovakia, Slovenia, Spain, Turkey, the United Kingdom, and the United States > will all respond by invading China? Is NATO trying to start a war here? Bigger tin hats required then ...

From dlr at bungi.com Tue Jun 8 19:27:17 2010 From: dlr at bungi.com (Dave Rand) Date: Tue, 8 Jun 2010 17:27:17 -0700 Subject: Nato warns of strike against cyber attackers In-Reply-To: Brielle Bruns's message on Jun 8, 14:30.
Message-ID: [In the message entitled "Re: Nato warns of strike against cyber attackers" on Jun 8, 14:30, Brielle Bruns writes:] > > Legit customers get caught in the cross-fire, and they suffer - but at > the same time, those legit customers are the only ones that will be able > to force a change on said provider. > > They contact us, and act all innocent, and tell people we're being > unreasonable, neglecting to tell people at the same time that the > 'unreasonable' DNSbl maintainer only wants for them to do a simple task > that thousands of other providers and administrators have done before. > I'm somewhat familiar with the concept :-) But yes, this indeed is currently the only effective way to cause change at the ISP level. Ferg is very correct in that Change Is Coming at the government level. That is the wrong place for it to happen, but it will also be very effective. I'm hopeful that more networks will take it upon themselves to make it happen before it is forced on them. --

From dhetzel at gmail.com Tue Jun 8 19:45:38 2010 From: dhetzel at gmail.com (Dorn Hetzel) Date: Tue, 8 Jun 2010 20:45:38 -0400 Subject: Nato warns of strike against cyber attackers In-Reply-To: References: Message-ID: Perhaps a government operated black-hole list, run by the same friendly folks that run the no-fly list, with a law that says no US ISP can send packets to or accept packets from any IP on the list. Now that would be some real fun to watch! :) On Tue, Jun 8, 2010 at 8:27 PM, Dave Rand wrote: > [In the message entitled "Re: Nato warns of strike against cyber attackers" > on Jun 8, 14:30, Brielle Bruns writes:] > > > > Legit customers get caught in the cross-fire, and they suffer - but at > > the same time, those legit customers are the only ones that will be able > > to force a change on said provider.
> > > > They contact us, and act all innocent, and tell people we're being > > unreasonable, neglecting to tell people at the same time that the > > 'unreasonable' DNSbl maintainer only wants for them to do a simple task > > that thousands of other providers and administrators have done before. > > > > > I'm somewhat familiar with the concept :-) > > But yes, this indeed is currently the only effective way to cause change > at the ISP level. Ferg is very correct in that Change Is Coming at > the government level. That is the wrong place for it to happen, but it > will also be very effective. > > I'm hopeful that more networks will take it upon themselves to make it > happen > before it is forced on them. > > > -- > >

From Bryan.Welch at arrisi.com Tue Jun 8 19:46:35 2010 From: Bryan.Welch at arrisi.com (Welch, Bryan) Date: Tue, 8 Jun 2010 17:46:35 -0700 Subject: Nato warns of strike against cyber attackers In-Reply-To: References: <4C0E9504.3090700@infiltrated.net> <001f01cb074e$cb548ab0$61fda010$@com> <9E6D701E-D511-4719-B869-2E2F46A35AA1@americafree.tv> <4C0EC831.1000907@linuxbox.org> Message-ID: Changes the meaning of "guns a blazing" Bryan On Jun 8, 2010, at 8:31 PM, "jim deleskie" wrote: > Military reply doesn't have to mean bombs and guns. There is nothing > keeping it from meaning offensive cyber counter attacks. This would mean > manage the battlefields :) > > On Tue, Jun 8, 2010 at 7:46 PM, Gadi Evron wrote: >> On 6/9/10 12:50 AM, Marshall Eubanks wrote: >>> >>> What any of this has to do with configuring routers escapes me.
>

From fergdawgster at gmail.com Tue Jun 8 20:18:54 2010 From: fergdawgster at gmail.com (Paul Ferguson) Date: Tue, 8 Jun 2010 18:18:54 -0700 Subject: Nato warns of strike against cyber attackers In-Reply-To: References: Message-ID: On Tue, Jun 8, 2010 at 5:45 PM, Dorn Hetzel wrote: > Perhaps a government operated black-hole list, run by same friendly folks > that run the no-fly list, with a law that says no US ISP can send packets > to or accept packets from any IP on the list. > Now that would be some real fun to watch! :) > Personally, I think that's a horrible idea -- there's a real slippery slope to subjective blocking of "offensive" sites (not just malicious ones) like what they are trying to do in Australia. But again, since U.S. providers have demonstrated that they do not have the desire, nor the will, to police themselves, it is hardly a surprise that Government intervention is being considered as an alternative. I think residential-broadband ISPs need to follow the lead of [e.g. Qwest, Comcast, etc.], which are making a legitimate attempt to identify, notify, and mitigate abusive/botnetted customers. Also, the U.S. leads the rest of the world in hosting providers which are hosting Eastern European criminal malfeasance -- this is a fact. In other words, as things stand now, U.S. providers kind of deserve whatever the U.S. Government dishes out, since they have shown that they do not have a willingness to police their own backyards. It is really sad, actually. - - ferg -- "Fergie", a.k.a.
Paul Ferguson Engineering Architecture for the Internet fergdawgster(at)gmail.com ferg's tech blog: http://fergdawg.blogspot.com/

From steve at ipv6canada.com Tue Jun 8 20:29:16 2010 From: steve at ipv6canada.com (Steve Bertrand) Date: Tue, 08 Jun 2010 21:29:16 -0400 Subject: Team Cymru BOGON feed over IPv6 Message-ID: <4C0EEE6C.7060305@ipv6canada.com> off and on list feedback welcome. I'd personally like to get an idea of how many people are:
1) using the new Team Cymru BOGON lists *via BGP*
2) use the new v4 list
3) use the v6 list
4) monitor the Cymru BGP session as diligently as they would a peer/provider session
5) attempted the BOGON peering over IPv6
6) have a stable BOGON peering over IPv6
Disclaimer: I don't work for, nor do I have any personal or business interests in anything that Team Cymru does. I'm just very curious, and would like to compile some initial statistics based on feedback for myself. Steve

From Valdis.Kletnieks at vt.edu Tue Jun 8 20:31:30 2010 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Tue, 08 Jun 2010 21:31:30 -0400 Subject: Nato warns of strike against cyber attackers In-Reply-To: Your message of "Tue, 08 Jun 2010 19:23:17 CDT." References: <4C0E9504.3090700@infiltrated.net> <001f01cb074e$cb548ab0$61fda010$@com> Message-ID: <93462.1276047090@localhost> On Tue, 08 Jun 2010 19:23:17 CDT, Jorge Amodio said: > > So let's say a cyber-attack originates from Chinese script kiddie. > > > > Albania, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark, > > Estonia, France, Germany, Greece, Hungary, Iceland, Italy, Latvia, > > Lithuania, Luxembourg, Netherlands, Norway, Poland, Portugal, Romania, > > Slovakia, Slovenia, Spain, Turkey, the United Kingdom, and the United States > > will all respond by invading China? Is NATO trying to start a war here? > > Bigger tin hats required then ... Buy 10,000 shares of every South Korean company you can find, short them, then launch an attack from Seoul.
Then sit back and profit. Oh, quit looking at me like that. You know you were all thinking it. ;)

From pstewart at nexicomgroup.net Tue Jun 8 20:32:35 2010 From: pstewart at nexicomgroup.net (Paul Stewart) Date: Tue, 8 Jun 2010 21:32:35 -0400 Subject: Team Cymru BOGON feed over IPv6 In-Reply-To: <4C0EEE6C.7060305@ipv6canada.com> References: <4C0EEE6C.7060305@ipv6canada.com> Message-ID: We're using it...;) Please see inline... Paul
1) using the new Team Cymru BOGON lists *via BGP* Yes
2) use the new v4 list Yes
3) use the v6 list Yes
4) monitor the Cymru BGP session as diligently as they would a peer/provider session Spot check it - in the several years we've used the original IPv4 lists we've never had an issue
5) attempted the BOGON peering over IPv6
6) have a stable BOGON peering over IPv6 Yes - very stable, no issues

From aaron at wholesaleinternet.net Tue Jun 8 20:33:42 2010 From: aaron at wholesaleinternet.net (Aaron Wendel) Date: Tue, 8 Jun 2010 20:33:42 -0500 Subject: Nato warns of strike against cyber attackers In-Reply-To: <93462.1276047090@localhost> References: <4C0E9504.3090700@infiltrated.net> <001f01cb074e$cb548ab0$61fda010$@com> <93462.1276047090@localhost> Message-ID: <001001cb0773$d17bb510$74731f30$@net> Actually I was thinking of my neighbor's noisy dog and what a predator strike to his house would do. :) -----Original Message----- From: Valdis.Kletnieks at vt.edu [mailto:Valdis.Kletnieks at vt.edu] Sent: Tuesday, June 08, 2010 8:32 PM To: Jorge Amodio Cc: nanog at merit.edu Subject: Re: Nato warns of strike against cyber attackers On Tue, 08 Jun 2010 19:23:17 CDT, Jorge Amodio said: > > So let's say a cyber-attack originates from Chinese script kiddie.
> > > > Albania, Belgium, Bulgaria, Canada, Croatia, Czech Republic, > > Denmark, Estonia, France, Germany, Greece, Hungary, Iceland, Italy, > > Latvia, Lithuania, Luxembourg, Netherlands, Norway, Poland, > > Portugal, Romania, Slovakia, Slovenia, Spain, Turkey, the United > > Kingdom, and the United States will all respond by invading China? Is NATO trying to start a war here? > > Bigger tin hats required then ... Buy 10,000 shares of every South Korean company you can find, short them, then launch an attack from Seoul. Then sit back and profit. Oh, quit looking at me like that. You know you were all thinking it. ;)

From niels=nanog at bakker.net Tue Jun 8 21:09:42 2010 From: niels=nanog at bakker.net (Niels Bakker) Date: Wed, 9 Jun 2010 04:09:42 +0200 Subject: BGP convergence problem In-Reply-To: References: Message-ID: <20100609020942.GP77019@burnout.tpb.net> * globichen at gmail.com (Andy B.) [Tue 08 Jun 2010, 16:28 CEST]: > I finally decided to shut down all peerings and brought them back > one by one. Sadly that's often the way it has to be done, modulo mild tweaks. > Everything is stable again, but I don't like the way I had to deal > with it since it will most likely happen again when DECIX or an > other IX we're at is having issues. As others have said upthread in more polite wordings, get a better router if yours can't handle the load. (Or use the route servers more - it's what they're there for.) > I've seen a few BGP convergence discussions on NANOG, but none about > deadlock situations and what could be done to avoid them. Setting > higher MTU or bigger hold queues did not help. I hope you didn't change the MTU to anything different from what everybody else on the DE-CIX Peering LAN uses - that only leads to suffering. -- Niels.
-- "It's amazing what people will do to get their name on the internet, which is odd, because all you really need is a Blogspot account." -- roy edroso, alicublog.blogspot.com

From owen at delong.com Tue Jun 8 15:33:46 2010 From: owen at delong.com (Owen DeLong) Date: Tue, 8 Jun 2010 13:33:46 -0700 Subject: Nato warns of strike against cyber attackers In-Reply-To: References: Message-ID: Dave, I realize you're fond of punishing all of us to subsidize the ignorant, but I would rather see those with compromised machines pay the bill for letting their machines get compromised than have to subsidize their ignorant or worse behavior. Owen Sent from my iPad On Jun 8, 2010, at 1:12 PM, dlr at bungi.com (Dave Rand) wrote: > [In the message entitled "Re: Nato warns of strike against cyber attackers" on Jun 8, 16:03, "J. Oquendo" writes:] >> >> All humor aside, I'm curious to know what can anyone truly do at the end >> of the day if say a botnet was used to instigate a situation. Surely >> someone would have to say something to the tune of "better now than >> never" to implement BCP filtering on a large scale. Knobs, Levers, Dials >> and Switches: Now and Then (please sir, may I have some more ?) is 7 >> years old yet I wonder in practice, how many networks have 38/84 >> filtering. I'm wondering why it hasn't been implemented off the shelf in >> some of the newer equipment. This is not to say "huge backbones" should >> have it, but think about it, if smaller networks implemented it from the >> rip, the overhead wouldn't hurt that many of the bigger guys. On the >> contrary, my theory is it would save them headaches in the long run... >> Guess that's a pragmatic approach. Better that than an immediate >> pessimistic one. >> > > It's really way, way past time for us to actually deal with compromised > computers on our networks. Abuse desks need to have the power to filter > customers immediately on notification of activity.
We need to have tools to > help us identify compromised customers. We need to have policies that > actually work to help notify the customers when they are compromised. > > None of this needs to be done for free. There needs to be a "security > fee" charged _all_ customers, which would fund the abuse desk. > > With more than 100,000,000 compromised computers out there, it's really > time for us to step up to the plate, and make this happen. > > > --

From jmamodio at gmail.com Tue Jun 8 21:20:03 2010 From: jmamodio at gmail.com (Jorge Amodio) Date: Tue, 8 Jun 2010 21:20:03 -0500 Subject: Nato warns of strike against cyber attackers In-Reply-To: <93462.1276047090@localhost> References: <4C0E9504.3090700@infiltrated.net> <001f01cb074e$cb548ab0$61fda010$@com> <93462.1276047090@localhost> Message-ID: > Buy 10,000 shares of every South Korean company you can find, short them, then > launch an attack from Seoul. Then sit back and profit. > > Oh, quit looking at me like that. You know you were all thinking it. ;) Yes and then deposit the bounty in a Nigerian bank ... I wonder why there is so much focus on the bus and the bus driver that transported the suicide bomber without knowing about it. Sometimes it feels that nobody cares to fix the crappy software that gets shipped with almost every new computer going to the hands of a monkey. Sigh ... Seems that the ROI of fixing stuff is much lower than dealing with the potential consequences of something happening. Anyway don't worry 2012 is getting closer ...
Cheers Jorge

From owen at delong.com Tue Jun 8 21:29:51 2010 From: owen at delong.com (Owen DeLong) Date: Tue, 8 Jun 2010 21:29:51 -0500 Subject: Nato warns of strike against cyber attackers In-Reply-To: <4C0EA863.9020606@2mbit.com> References: <4C0EA863.9020606@2mbit.com> Message-ID: <21B53E5F-E463-4C04-9830-1511080AA5DF@delong.com> Sent from my iPad On Jun 8, 2010, at 3:30 PM, Brielle Bruns wrote: > On 6/8/10 2:12 PM, Dave Rand wrote: > >> It's really way, way past time for us to actually deal with compromised >> computers on our networks. Abuse desks need to have the power to filter >> customers immediately on notification of activity. We need to have tools to >> help us identify compromised customers. We need to have policies that >> actually work to help notify the customers when they are compromised. >> >> None of this needs to be done for free. There needs to be a "security >> fee" charged _all_ customers, which would fund the abuse desk. >> >> With more than 100,000,000 compromised computers out there, it's really >> time for us to step up to the plate, and make this happen. > > > Problem is, there's no financial penalties for providers who ignore abuse coming from their network. > Problem is there's no financial liability for producing massively exploitable software. No financial penalty for operating a compromised system. No penalty for ignoring abuse complaints. Etc. Imagine how fast things would change in Redmond if Micr0$0ft had to pay the cleanup costs for each and every infected system and any damage said infected system did prior to the owner/operator becoming aware of the infection. > DNSbl lists work only because after a while, providers can't ignore their customer complaints and exodus when they dig deep into the bottom line.
> > We've got several large scale IP blocks in place in the AHBL due to this exact problem - providers know there's abuse going on, they won't terminate the customers or deal with it, because they are more than happy to take money. > > Legit customers get caught in the cross-fire, and they suffer - but at the same time, those legit customers are the only ones that will be able to force a change on said provider. > > They contact us, and act all innocent, and tell people we're being unreasonable, neglecting to tell people at the same time that the 'unreasonable' DNSbl maintainer only wants for them to do a simple task that thousands of other providers and administrators have done before. > > -- > Brielle Bruns > The Summit Open Source Development Group > http://www.sosdg.org / http://www.ahbl.org

From owen at delong.com Tue Jun 8 21:31:43 2010 From: owen at delong.com (Owen DeLong) Date: Tue, 8 Jun 2010 21:31:43 -0500 Subject: Nato warns of strike against cyber attackers In-Reply-To: <4C0EA7A8.1050100@infiltrated.net> References: <4C0EA7A8.1050100@infiltrated.net> Message-ID: <37BD68AE-3A21-4A25-8444-CCE24C8DEDCC@delong.com> Sent from my iPad On Jun 8, 2010, at 3:27 PM, "J. Oquendo" wrote: > Jorge Amodio wrote: >>> None of this needs to be done for free. There needs to be a "security >>> fee" charged _all_ customers, which would fund the abuse desk. >>> >> >> >>> With more than 100,000,000 compromised computers out there, it's really >>> time for us to step up to the plate, and make this happen. >>> >> >> Or you should send the bill to the company that created the software >> that facilitated to get so many computers compromised, some folks in >> Redmond have a large chunk of money in the bank.
>> >> My .02 >> >> >> > Seems like it's come full circle again > (http://irbs.net/internet/nanog/0412/0109.html) and I can always recall > Rob Thomas' take on this (http://irbs.net/internet/nanog/0412/0222.html) > "Filtering out bogons removes yet one more potential source of badness. > Does it remove all badness? Of course not. We win by degrees. Removing > any tool from the bad persons' toolkit is useful." Not forgetting Mark > Andrews "Any operator not implementing BCP 38 is potentially aiding and > abetting some criminal. BCP 38 is over 10 years old. There is no excuse > for not having equipment in place to handle the processing needs of BCP 38." > > ISP's could actually offset the charges to customers with helpdesks to > recoup some equipment costs while maintaining a clean network. As for > the "blame the software" comment, irrelevant. If bad hosts were > minimized, there would likely be less compromises irrespective of the > vendor of the software. Statistically I would think the number of > compromises would go down but at the same time I believe the criminals > would get smarter. That's just the nature of the beast. > It's not irrelevant. If it were, apache would be more frequently exploited than IIS. It isn't. Owen > -- > > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ > J. Oquendo > SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT > > "It takes 20 years to build a reputation and five minutes to > ruin it. If you think about that, you'll do things > differently."
- Warren Buffett > > 227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E > http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E > From LarrySheldon at cox.net Tue Jun 8 21:39:09 2010 From: LarrySheldon at cox.net (Larry Sheldon) Date: Tue, 08 Jun 2010 21:39:09 -0500 Subject: Nato warns of strike against cyber attackers In-Reply-To: <21B53E5F-E463-4C04-9830-1511080AA5DF@delong.com> References: <4C0EA863.9020606@2mbit.com> <21B53E5F-E463-4C04-9830-1511080AA5DF@delong.com> Message-ID: <4C0EFECD.2020407@cox.net> Lots of finger pointing. Lots of discussion about who should pay, and so forth. How about we just take responsibility for our own part? Don't malicious traffic in or out. If it can't move, it will die. -- Somebody should have said: A democracy is two wolves and a lamb voting on what to have for dinner. Freedom under a constitutional republic is a well armed lamb contesting the vote. Requiescas in pace o email Ex turpi causa non oritur actio Eppure si rinfresca ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml From dlr at bungi.com Tue Jun 8 21:45:53 2010 From: dlr at bungi.com (Dave Rand) Date: Tue, 8 Jun 2010 19:45:53 -0700 Subject: Nato warns of strike against cyber attackers In-Reply-To: Owen DeLong's message on Jun 8, 13:33. Message-ID: [In the message entitled "Re: Nato warns of strike against cyber attackers" on Jun 8, 13:33, Owen DeLong writes:] > > I realize you're fond of punishing all of us to subsidize the ignorant, > but I would rather see those with compromised machines pay the bill for > letting their machines get compromised than have to subsidize their > ignorant or worse behavior. > I'm fond of getting the issues addressed by getting the ISPs to be involved with the problem. If that means users get charged "clean up" fees instead of a "security" fee, that's fine. ISPs remain in the unique position of being able to identify the customer, the machine, and to verify the traffic. It can be done.
-- From jmamodio at gmail.com Tue Jun 8 22:01:35 2010 From: jmamodio at gmail.com (Jorge Amodio) Date: Tue, 8 Jun 2010 22:01:35 -0500 Subject: Nato warns of strike against cyber attackers In-Reply-To: References: Message-ID: Sent from my iToilet Why will you penalize with fees the end customer that may not know that her system has been compromised because what she pays to Joe Antivirus/Security/Firewall/Crapware is not effective against Billy the nerd insecure code programmer? No doubt ISPs can do something, but without additional regulation and safeguards that they won't be sued for sniffing or filtering traffic nothing will ever happen. Do we want more/any regulation? Who will oversee it? On the other hand think of the Internet as a vast ocean where the bad guys keep dumping garbage, you can't control or filter the currents that are constantly changing and you neither can inspect every water molecule, then what do you do to find and penalize the ones that drop or permit their systems to drop garbage in the ocean? My .02 Jorge > I'm fond of getting the issues addressed by getting the ISPs to be involved > with the problem. If that means users get charged "clean up" fees instead > of a "security" fee, that's fine. > > ISPs remain in the unique position of being able to identify the customer, > the machine, and to verify the traffic. It can be done. From Valdis.Kletnieks at vt.edu Tue Jun 8 22:39:48 2010 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Tue, 08 Jun 2010 23:39:48 -0400 Subject: Nato warns of strike against cyber attackers In-Reply-To: Your message of "Tue, 08 Jun 2010 22:01:35 CDT."
References: Message-ID: <97245.1276054788@localhost> On Tue, 08 Jun 2010 22:01:35 CDT, Jorge Amodio said: > On the other hand think of the Internet as a vast ocean where the > bad guys keep dumping garbage, you can't control or filter the > currents that are constantly changing and you neither can inspect > every water molecule, then what do you do to find and penalize the > ones that drop or permit their systems to drop garbage in the ocean? Bad analogy. There's some plumes of oil in the Gulf of Mexico that are getting mapped out very well by only a few ships. You don't have to examine every molecule to find parts-per-million oil, or to figure out whose oil rig the oil came from. And you don't need to look at every packet to find abusive traffic either - in most cases, simply letting the rest of the net do the work for you and just reading your abuse@ mailbox and actually dealing with the reports is 95% of what's needed. From jcdill.lists at gmail.com Tue Jun 8 22:59:28 2010 From: jcdill.lists at gmail.com (JC Dill) Date: Tue, 08 Jun 2010 20:59:28 -0700 Subject: Nato warns of strike against cyber attackers In-Reply-To: References: Message-ID: <4C0F11A0.8000303@gmail.com> Jorge Amodio wrote: >> None of this needs to be done for free. There needs to be a "security >> fee" charged _all_ customers, which would fund the abuse desk. >> > > >> With more than 100,000,000 compromised computers out there, it's really >> time for us to step up to the plate, and make this happen. >> > > Or you should send the bill to the company that created the software > that facilitated to get so many computers compromised, some folks in > Redmond have a large chunk of money in the bank.
I'm still truly amazed that no one has sic'd a lawyer on Microsoft for creating an "attractive nuisance" - an operating system that is too easily hacked and used to attack innocent victims, and where others have to pay to clean up after Microsoft's mess. For instance, if you build a pool in your backyard, and you don't properly fence it, and kids illegally trespass on your property to get into your pool, and they get hurt, you will be sued and will be held liable. You built this dangerous thing, and you didn't properly secure it (fence it), and it's your responsibility even when someone *illegally* gains access and hurts themselves (or others). There are numerous other examples of "attractive nuisances" where individuals and companies are held liable for injuries caused by people who illegally gained access to improperly secured property and items. Why hasn't *someone* brought this up with Microsoft and Windows? http://en.wikipedia.org/wiki/Attractive_nuisance_doctrine jc From fergdawgster at gmail.com Tue Jun 8 23:05:00 2010 From: fergdawgster at gmail.com (Paul Ferguson) Date: Tue, 8 Jun 2010 21:05:00 -0700 Subject: Nato warns of strike against cyber attackers In-Reply-To: <4C0F11A0.8000303@gmail.com> References: <4C0F11A0.8000303@gmail.com> Message-ID: On Tue, Jun 8, 2010 at 8:59 PM, JC Dill wrote: > > I'm still truly amazed that no one has sic'd a lawyer on Microsoft for > creating an "attractive nuisance" - an operating system that is too > easily hacked and used to attack innocent victims, and where others have > to pay to clean up after Microsoft's mess. > Do you honestly believe that if 80% of the world's consumer computers were *not* MS operating systems, that the majority of computers would still not be targeted? Please, be for real -- the criminals go after the entrenched majority. If it were any other OS, the story would be the same.
- ferg -- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawgster(at)gmail.com ferg's tech blog: http://fergdawg.blogspot.com/ From jcdill.lists at gmail.com Tue Jun 8 23:06:13 2010 From: jcdill.lists at gmail.com (JC Dill) Date: Tue, 08 Jun 2010 21:06:13 -0700 Subject: Nato warns of strike against cyber attackers In-Reply-To: References: Message-ID: <4C0F1335.6040305@gmail.com> Dave Rand wrote: > I'm fond of getting the issues addressed by getting the ISPs to be involved > with the problem. If that means users get charged "clean up" fees instead > of a "security" fee, that's fine. "I urge all my competitors to do that." The problem isn't that this is a bad idea, the problem is that it's a bad idea to be the first to do it. You want to be the last to do it. You want all other companies to do it first - to charge their customers more (while you don't charge more and take away some of their business) to pay for this cost. It only works if everyone has to charge their customers, and the change (from no surcharge to mandatory charge) will have to happen universally and at the same time - which will never happen. Welcome to the anarchy. jc From fergdawgster at gmail.com Tue Jun 8 23:22:54 2010 From: fergdawgster at gmail.com (Paul Ferguson) Date: Tue, 8 Jun 2010 21:22:54 -0700 Subject: Nato warns of strike against cyber attackers In-Reply-To: <4C0F1335.6040305@gmail.com> References: <4C0F1335.6040305@gmail.com> Message-ID: On Tue, Jun 8, 2010 at 9:06 PM, JC Dill wrote: > Dave Rand wrote: >> >> I'm fond of getting the issues addressed by getting the ISPs to be >> involved >> with the problem. If that means users get charged "clean up" fees >> instead >> of a "security" fee, that's fine.
> > "I urge all my competitors to do that." > > The problem isn't that this is a bad idea, the problem is that it's a bad > idea to be the first to do it. You want to be the last to do it. You > want all other companies to do it first - to charge their customers more > (while you don't charge more and take away some of their business) to pay > for this cost. > > It only works if everyone has to charge their customers, and the change > (from no surcharge to mandatory charge) will have to happen universally > and at the same time - which will never happen. Welcome to the anarchy. > Again, you can all continue to dance around and ignore the problem & chance the probability that the U.S. Government will step in and force you to do it. Pick your poison. - - ferg -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.3 (Build 5003) wj8DBQFMDxcQq1pz9mNUZTMRAgFRAKDX0N+DYck8tiOyRPMJ2E31fq0vEQCfVJEp dQuZqomm/Z42gZRgzshlLsc= =mRrQ -----END PGP SIGNATURE----- -- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawgster(at)gmail.com ferg's tech blog: http://fergdawg.blogspot.com/ From smb at cs.columbia.edu Tue Jun 8 23:26:55 2010 From: smb at cs.columbia.edu (Steven Bellovin) Date: Wed, 9 Jun 2010 00:26:55 -0400 Subject: Nato warns of strike against cyber attackers In-Reply-To: <21B53E5F-E463-4C04-9830-1511080AA5DF@delong.com> References: <4C0EA863.9020606@2mbit.com> <21B53E5F-E463-4C04-9830-1511080AA5DF@delong.com> Message-ID: <4036E91C-ED3D-4E62-8F75-C3C7B3DD2A37@cs.columbia.edu> > Problem is there's no financial liability for producing massively exploitable software. > No financial penalty for operating a compromised system. > No penalty for ignoring abuse complaints. > Etc. > > Imagine how fast things would change in Redmond if Micr0$0ft had to pay the cleanup costs for each and every infected system and any damage said infected system did prior to the owner/operator becoming aware of the infection. > It isn't Microsoft. 
It once was, but Vista and Windows 7 are really solid, probably much better than Linux or Mac OS. (Note that I run NetBSD and Mac OS; I don't run Windows not because it's insecure but because it's an unpleasant work environment for me.) Microsoft is targeted because they have the market. If Steve Jobs keeps succeeding with his reality distortion field, we'll see a lot more attacks on Macs in a very few years. It's also Flash and Acrobat Reader. It's also users who click to install every plug-in recommended by every dodgy web site they visit. It's also users who don't install patches, including those for XP (which really was that buggy). There's plenty of blame to go around here.... A liability scheme, with penalties on users and vendors, is certainly worth considering. Such a scheme would also have side-effects -- think of the effect on open source software. It would also be a lovely source of income for lawyers, and would inhibit new software development. The tradeoff may be worth while -- or it may not, because I have yet to see evidence that *anyone* can produce really secure software without driving up costs at least five-fold. --Steve Bellovin, http://www.cs.columbia.edu/~smb From LarrySheldon at cox.net Tue Jun 8 23:29:59 2010 From: LarrySheldon at cox.net (Larry Sheldon) Date: Tue, 08 Jun 2010 23:29:59 -0500 Subject: Nato warns of strike against cyber attackers In-Reply-To: References: <4C0F1335.6040305@gmail.com> Message-ID: <4C0F18C7.10806@cox.net> On 6/8/2010 23:22, Paul Ferguson wrote: > Again, you can all continue to dance around and ignore the problem & chance > the probability that the U.S. Government will step in and force you to do > it. > > Pick your poison. Or the world government will (note misspelled "NATO" in the Subject:). -- Somebody should have said: A democracy is two wolves and a lamb voting on what to have for dinner. Freedom under a constitutional republic is a well armed lamb contesting the vote. 
Requiescas in pace o email Ex turpi causa non oritur actio Eppure si rinfresca ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml From patrick at ianai.net Tue Jun 8 23:36:29 2010 From: patrick at ianai.net (Patrick W. Gilmore) Date: Wed, 9 Jun 2010 00:36:29 -0400 Subject: Nato warns of strike against cyber attackers In-Reply-To: <4036E91C-ED3D-4E62-8F75-C3C7B3DD2A37@cs.columbia.edu> References: <4C0EA863.9020606@2mbit.com> <21B53E5F-E463-4C04-9830-1511080AA5DF@delong.com> <4036E91C-ED3D-4E62-8F75-C3C7B3DD2A37@cs.columbia.edu> Message-ID: <6AC7A7DC-7F75-4FE6-9362-C6B80E924769@ianai.net> On Jun 9, 2010, at 12:26 AM, Steven Bellovin wrote: >> Problem is there's no financial liability for producing massively exploitable software. >> No financial penalty for operating a compromised system. >> No penalty for ignoring abuse complaints. >> Etc. >> >> Imagine how fast things would change in Redmond if Micr0$0ft had to pay the cleanup costs for each and every infected system and any damage said infected system did prior to the owner/operator becoming aware of the infection. >> > > It isn't Microsoft. It once was, but Vista and Windows 7 are really solid, probably much better than Linux or Mac OS. (Note that I run NetBSD and Mac OS; I don't run Windows not because it's insecure but because it's an unpleasant work environment for me.) > > Microsoft is targeted because they have the market. If Steve Jobs keeps succeeding with his reality distortion field, we'll see a lot more attacks on Macs in a very few years. It's also Flash and Acrobat Reader. It's also users who click to install every plug-in recommended by every dodgy web site they visit. It's also users who don't install patches, including those for XP (which really was that buggy). There's plenty of blame to go around here.... > > A liability scheme, with penalties on users and vendors, is certainly worth considering. 
Such a scheme would also have side-effects -- think of the effect on open source software. It would also be a lovely source of income for lawyers, and would inhibit new software development. The tradeoff may be worth while -- or it may not, because I have yet to see evidence that *anyone* can produce really secure software without driving up costs at least five-fold. I agree the miscreants go for the bigger bang for the buck. That said, earlier versions of Windows really were soft targets. I don't know enough about Win7 to comment, but I respect Steve and will accept his opinion. Let's hope MS keeps up the good work - I do not want to bash Windows (no matter how fun it is :), I want to stop being attacked. But it is not -just- market share. There are a lot more Windows Mobile compromises, viruses, etc., than iOS, Symbian, and RIM. I think combined. Yet Windows Mobile has the lowest market share of the four. So unless that is spill over because Windows Mobile & Windows Desktop have the same vulnerabilities, it shows that market share is only one piece of the puzzle. All that said, the biggest problem is users. Social Engineering is a far bigger threat than anything in software. And I don't know how we stop that. Anyone have an idea? -- TTFN, patrick From dlr at bungi.com Tue Jun 8 23:43:35 2010 From: dlr at bungi.com (Dave Rand) Date: Tue, 8 Jun 2010 21:43:35 -0700 Subject: Nato warns of strike against cyber attackers In-Reply-To: Steven Bellovin's message on Jun 9, 0:26. Message-ID: [In the message entitled "Re: Nato warns of strike against cyber attackers" on Jun 9, 0:26, Steven Bellovin writes:] > > A liability scheme, with penalties on users and vendors, is certainly > worth considering. Such a scheme would also have side-effects -- think > of the effect on open source software. It would also be a lovely source > of income for lawyers, and would inhibit new software development.
The > tradeoff may be worth while -- or it may not, because I have yet to see > evidence that *anyone* can produce really secure software without > driving up costs at least five-fold. > The vast majority of users that I interact with (and yes, I am first to admit that it has been only thousands, perhaps less than 10,000 over the years, so it is a small sample) are quite happy to be informed of a compromised system. It's not, for the most part, that they are malicious. Just unaware. The bad guys are very stealthy, and the "but, I can't see anything wrong on my screen!" is a huge obstacle to overcome. Once they are made aware of the problem, the vast majority work quickly to fix it. Yes, some are clueless. Some want "someone else" to fix it. But most are simply unaware that they have been owned, and want the infection gone. We've tried to educate users for tens of years about the dangers of unsafe computing. Doesn't work. The users have been trained to click and install whatever they are told, because "that makes it work". But when they _are_ compromised, and _are_ informed, most users do seek out a fix. Some will do it themselves. Some will hire someone to do it for them. When abuse desks content-filter reports, and don't pass on notifications to the customer, or "wait until there are more complaints", or... this ends up with networks that have massive levels of infection. Yes, I know - we're all busy, and abuse@ is kind of the last priority on most networks, but it really is bad out there, and we need the network operators to help. Please. For those network operators that would like a 5 year view on their network, please drop me an email with your ASN, and I'll be happy to send you a text file, xls, or ods (your pick) of a view of the historical spam traffic. No obligation, and no salesman will call. Really.
-- From fergdawgster at gmail.com Tue Jun 8 23:43:54 2010 From: fergdawgster at gmail.com (Paul Ferguson) Date: Tue, 8 Jun 2010 21:43:54 -0700 Subject: Nato warns of strike against cyber attackers In-Reply-To: <6AC7A7DC-7F75-4FE6-9362-C6B80E924769@ianai.net> References: <4C0EA863.9020606@2mbit.com> <21B53E5F-E463-4C04-9830-1511080AA5DF@delong.com> <4036E91C-ED3D-4E62-8F75-C3C7B3DD2A37@cs.columbia.edu> <6AC7A7DC-7F75-4FE6-9362-C6B80E924769@ianai.net> Message-ID: On Tue, Jun 8, 2010 at 9:36 PM, Patrick W. Gilmore wrote: > > But it is not -just- market share. There are a lot more Windows Mobile > compromises, viruses, etc., than iOS, Symbian, and RIM. I think > combined. Yet Windows Mobile has the lowest market share of the four. > So unless that is spill over because Windows Mobile & Windows Desktop > have the same vulnerabilities, it shows that market share is only one > piece of the puzzle. > > All that said, the biggest problem is users. Social Engineering is a far > bigger threat than anything in software. And I don't know how we stop > that. Anyone have an idea? > Actually, it *is* market-share. That's the "low-hanging fruit" for criminals. And educating users? That bus left the station long ago. Let's not be distracted from the issue here -- ISPs, xSPs, and other similar providers have a responsibility here that they should not shirk, or pass along. Police your own backyards. Before someone else forces you to do so. - ferg -- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawgster(at)gmail.com ferg's tech blog: http://fergdawg.blogspot.com/ From furry13 at gmail.com Tue Jun 8 23:44:10 2010 From: furry13 at gmail.com (Jen Linkova) Date: Wed, 9 Jun 2010 14:44:10 +1000 Subject: Strange practices?
In-Reply-To: References: Message-ID: Hi, On Tue, Jun 8, 2010 at 6:50 AM, Dale Cornman wrote: > Has anyone ever heard of a multi-homed enterprise not running BGP with > either of 2 providers, but instead, each provider statically routes a block > to their common customer and also each originates this block in BGP? One > of the ISPs in this case owns the block and has even provided a letter of > authorization to the other, allowing them to announce it in BGP as well. > I had personally never heard of this and am curious if this is a common > practice I have seen it quite often. It allows an enterprise to be multihomed w/o getting PI or PA address space so they are usually pretty happy with it. >as well as if this would potentially create any problems by 2 > Autonomous Systems both originating the same prefix. AFAIR prefixes can be originated by more than one AS so there shouldn't be any issues. -- SY, Jen Linkova aka Furry From mark at edgewire.sg Tue Jun 8 23:45:14 2010 From: mark at edgewire.sg (Mark) Date: Wed, 9 Jun 2010 12:45:14 +0800 Subject: Nato warns of strike against cyber attackers In-Reply-To: <6AC7A7DC-7F75-4FE6-9362-C6B80E924769@ianai.net> References: <4C0EA863.9020606@2mbit.com> <21B53E5F-E463-4C04-9830-1511080AA5DF@delong.com> <4036E91C-ED3D-4E62-8F75-C3C7B3DD2A37@cs.columbia.edu> <6AC7A7DC-7F75-4FE6-9362-C6B80E924769@ianai.net> Message-ID: On 09-Jun-2010, at 12:36 PM, Patrick W. Gilmore wrote: > On Jun 9, 2010, at 12:26 AM, Steven Bellovin wrote: > >>> Problem is there's no financial liability for producing massively exploitable software. >>> No financial penalty for operating a compromised system. >>> No penalty for ignoring abuse complaints. >>> Etc. >>> >>> Imagine how fast things would change in Redmond if Micr0$0ft had to pay the cleanup costs for each and every infected system and any damage said infected system did prior to the owner/operator becoming aware of the infection. >>> >> >> It isn't Microsoft.
It once was, but Vista and Windows 7 are really solid, probably much better than Linux or Mac OS. (Note that I run NetBSD and Mac OS; I don't run Windows not because it's insecure but because it's an unpleasant work environment for me.) >> >> Microsoft is targeted because they have the market. If Steve Jobs keeps succeeding with his reality distortion field, we'll see a lot more attacks on Macs in a very few years. It's also Flash and Acrobat Reader. It's also users who click to install every plug-in recommended by every dodgy web site they visit. It's also users who don't install patches, including those for XP (which really was that buggy). There's plenty of blame to go around here.... >> >> A liability scheme, with penalties on users and vendors, is certainly worth considering. Such a scheme would also have side-effects -- think of the effect on open source software. It would also be a lovely source of income for lawyers, and would inhibit new software development. The tradeoff may be worth while -- or it may not, because I have yet to see evidence that *anyone* can produce really secure software without driving up costs at least five-fold. > > I agree the miscreants go for the bigger bang for the buck. That said, earlier versions of Windows really were soft targets. I don't know enough about Win7 to comment, but I respect Steve and will accept his opinion. Let's hope MS keeps up the good work - I do not want to bash Windows (no matter how fun it is :), I want to stop being attacked. > > But it is not -just- market share. There are a lot more Windows Mobile compromises, viruses, etc., than iOS, Symbian, and RIM. I think combined. Yet Windows Mobile has the lowest market share of the four. So unless that is spill over because Windows Mobile & Windows Desktop have the same vulnerabilities, it shows that market share is only one piece of the puzzle. > > All that said, the biggest problem is users. Social Engineering is a far bigger threat than anything in software. 
And I don't know how we stop that. Anyone have an idea? > Remove the users. The problem goes away. Just kidding on that. Really, the only way ahead is educating the users of the threats and all and maybe a "learning experience" is due for most of them. > -- > TTFN, > patrick > > From hank at efes.iucc.ac.il Wed Jun 9 00:03:53 2010 From: hank at efes.iucc.ac.il (Hank Nussbacher) Date: Wed, 09 Jun 2010 08:03:53 +0300 Subject: Nato warns of strike against cyber attackers In-Reply-To: <4C0E9504.3090700@infiltrated.net> References: Message-ID: <5.1.0.14.2.20100609074757.056d3a78@efes.iucc.ac.il> At 15:07 08/06/2010 -0400, J. Oquendo wrote: > > At http://www.timesonline.co.uk/tol/news/world/article7144856.ece > > > > A report by Albright's group said that a cyber attack on the critical > > infrastructure of a Nato country could equate to an armed attack, > justifying > > retaliation. > > > > Eneken Tikk, a lawyer at Nato's cyber defence centre in Estonia, said it > > would be enough to invoke the mutual defence clause 'if, for example, a > > cyber attack on a country's power networks or critical infrastructure > > resulted in casualties and destruction comparable to a military attack'. > > > >Obviously NATO is not concerned with proving the culprit of an attack an >albeit close to impossibility. Considering that many attackers >compromise so many machines, what's to stop someone from instigating. I >can see it coming now: > >hping -S 62.128.58.180 -a 62.220.119.62 -p ++21 -w 6000 >hping -S 62.220.119.62 -a 62.128.58.180 -p ++21 -w 6000 Let's try to separate the attacks into those that we (NANOG) have dealt with and those that NATO is referring to - and there is *no* overlap between the two. Attacks such as botnets, hpings, compromised machines, DDOS attacks, site defacements, prefix hijacks are what this list deals with, sometimes well and other times not.
The attacks NATO is referring to are ones like causing trains to crash into each other, attacks causing oil and gas pipelines to overload and explode, attacks altering blood bank data, attacks poisoning the water supply, etc. - all of which can be done remotely. NATO is in no way (unless they have been out in the sun too long) condoning an attack for a DDOS attack. I think NATO is discussing attacking if 5,000 people die from some cyber attack as listed above (I have many more scenarios). -Hank From owen at delong.com Wed Jun 9 00:11:24 2010 From: owen at delong.com (Owen DeLong) Date: Tue, 8 Jun 2010 22:11:24 -0700 Subject: Nato warns of strike against cyber attackers In-Reply-To: <4C0EFECD.2020407@cox.net> References: <4C0EA863.9020606@2mbit.com> <21B53E5F-E463-4C04-9830-1511080AA5DF@delong.com> <4C0EFECD.2020407@cox.net> Message-ID: <3F29DAD6-2847-4325-96D2-20E3830238FA@delong.com> I'm all for that, but, point is that people who fail to meet that standard are currently getting a free ride. IMHO, they should pay and they should have the recourse of being (at least partially) reimbursed by their at-fault software vendors for contributory negligence. Owen On Jun 8, 2010, at 7:39 PM, Larry Sheldon wrote: > Lots of finger pointing. > Lots of discussion about who should pay, and so forth. > > How about we just take responsibility for our own part? Don't malicious > traffic in or out. > > If it can't move, it will die. > -- > Somebody should have said: > A democracy is two wolves and a lamb voting on what to have for dinner. > > Freedom under a constitutional republic is a well armed lamb contesting > the vote.
> > Requiescas in pace o email > Ex turpi causa non oritur actio > Eppure si rinfresca > > ICBM Targeting Information: http://tinyurl.com/4sqczs > http://tinyurl.com/7tp8ml > > From owen at delong.com Wed Jun 9 00:18:09 2010 From: owen at delong.com (Owen DeLong) Date: Tue, 8 Jun 2010 22:18:09 -0700 Subject: Nato warns of strike against cyber attackers In-Reply-To: References: Message-ID: <44AC6E21-FC5A-45CB-B41F-A0348C2F8467@delong.com> On Jun 8, 2010, at 8:01 PM, Jorge Amodio wrote: > Sent from my iToilet > > why you will penalize with fees the end customer that may not know > that her system has been compromised because what she pays to Joe > Antivirus/Security/Firewall/Crapware is not effective against Billy > the nerd insecure code programmer ? > So? If said end customer is operating a network-connected system without sufficient knowledge to properly maintain it and prevent it from doing mischief to the rest of the network, why should the rest of us subsidize her negligence? I don't see where making her pay is a bad thing. > No doubt ISPs can do something, but without additional regulation and > safeguards that they wont be sued for sniffing or filtering traffic > nothing will ever happen. Do we want more/any regulation ? who will > oversee it ? > Those safeguards are already in place. There are specific exemptions in the law for data collection related to maintaining the service and you'd be very hard pressed to claim that identifying and correcting malicious activity is not part of maintaining the service. > On the other hand think as the Internet being a vast ocean where the > bad guys keep dumping garbage, you can't control or filter the > currents that are constantly changing and you neither can inspect > every water molecule, then what do you do to find and penalize the > ones that drop or permit their systems to drop garbage on the ocean ? > Your initial premise is flawed, so the conclusion is equally flawed. 
The internet may be a vast ocean where bad guys keep dumping garbage, but, if software vendors stopped building highly exploitable code and ISPs started disconnecting abusing systems rapidly, it would have a major effect on the constantly changing currents. If abuse departments were fully funded by cleanup fees charged to negligent users who failed to secure their systems properly, it would both incentivize users to do proper security _AND_ provide for more responsive abuse departments as issues are reduced and their budget scales linearly with the amount of abuse being conducted. Owen > My .02 > Jorge > >> I'm fond of getting the issues addressed by getting the ISPs to be involved >> with the problem. If that means users get charged "clean up" fees instead >> of a "security" fee, that's fine. >> >> ISPs remain in the unique position of being able to identify the customer, >> the machine, and to verify the traffic. It can be done. From owen at delong.com Wed Jun 9 00:22:47 2010 From: owen at delong.com (Owen DeLong) Date: Tue, 8 Jun 2010 22:22:47 -0700 Subject: Nato warns of strike against cyber attackers In-Reply-To: References: <4C0F11A0.8000303@gmail.com> Message-ID: <259F187A-0A4E-4F40-A984-157506FD5CC5@delong.com> On Jun 8, 2010, at 9:05 PM, Paul Ferguson wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On Tue, Jun 8, 2010 at 8:59 PM, JC Dill wrote: > >> >> I'm still truly amazed that no one has sic'd a lawyer on Microsoft for >> creating an "attractive nuisance" - an operating system that is too >> easily hacked and used to attack innocent victims, and where others have >> to pay to clean up after Microsoft's mess. >> > > Do you honestly believe that if 80% of the world's consumer computers were > *not* MS operating systems, that the majority of computers would still not > be targeted? > Targeted? Yes. Successfully compromised? Less so. Look at it this way... The vast majority of web servers are Apache, yet, IIS is compromised far more often. 
Yes, Micr0$0ft is a major contributor to the problem. > Please, be for real -- the criminals go after the entrenched majority. If > it were any other OS, the story would be the same. > If this were true, the criminals would be all over Apache and yet it is IIS that gets compromised most often. Owen From owen at delong.com Wed Jun 9 00:30:01 2010 From: owen at delong.com (Owen DeLong) Date: Tue, 8 Jun 2010 22:30:01 -0700 Subject: Nato warns of strike against cyber attackers In-Reply-To: <4C0F1335.6040305@gmail.com> References: <4C0F1335.6040305@gmail.com> Message-ID: On Jun 8, 2010, at 9:06 PM, JC Dill wrote: > Dave Rand wrote: >> I'm fond of getting the issues addressed by getting the ISPs to be involved >> with the problem. If that means users get charged "clean up" fees instead >> of a "security" fee, that's fine. > > "I urge all my competitors to do that." > > The problem isn't that this is a bad idea, the problem is that it's a bad idea to be the first to do it. You want to be the last to do it. You want all other companies to do it first - to charge their customers more (while you don't charge more and take away some of their business) to pay for this cost. > Heck, at this point, I'd be OK with it being a regulatory issue. Perhaps we need regulators to step in and put forth something like the following: 1. An ISP who receives an abuse complaint against one of their customers shall not be held liable for damages to the complainant or other third parties IF: A. Said ISP investigates and takes remedial action for valid complaints within 24 hours of receipt of said complaint. B. Said ISP responds to said abuse complaint within 4 hours of their determination including the determination made and what, if any, remedial action was taken. and C. If the complaint was legitimate, the remedial action taken by said ISP causes the reported abuse to stop. 2. 
Any ISP who takes remedial action against one of their customers as outlined in the previous section shall charge their customer a fee which shall not be less than $100 and not more than the ISP's full costs of investigation and remedial action.

I'm not saying I necessarily like the idea of more regulation, but, if we as an industry are unwilling to solve this because of the above competitive concerns, then, perhaps that is what is necessary to get us to act.

Owen

From fergdawgster at gmail.com Wed Jun 9 00:37:01 2010
From: fergdawgster at gmail.com (Paul Ferguson)
Date: Tue, 8 Jun 2010 22:37:01 -0700
Subject: Nato warns of strike against cyber attackers
In-Reply-To: <259F187A-0A4E-4F40-A984-157506FD5CC5@delong.com>
References: <4C0F11A0.8000303@gmail.com> <259F187A-0A4E-4F40-A984-157506FD5CC5@delong.com>
Message-ID:

On Tue, Jun 8, 2010 at 10:22 PM, Owen DeLong wrote:
>
>> Please, be for real -- the criminals go after the entrenched majority.
>> If it were any other OS, the story would be the same.
>>
> If this were true, the criminals would be all over Apache and yet it is
> IIS that gets compromised most often.
>

Actually, that is another fallacy.

The majority of SQL Injections are on Apache-based systems.

Look, this isn't a blame-game in which we need to point out one vendor, operating system, plug-in, browser, or whatever.

The problem is that it is a wide-spread problem wherein we have millions of compromised consumer (and non-consumer) hosts doing the bidding of Bad Guys.

I would certainly love to hear your solution to this problem.

And stop pointing fingers.

-- ferg

--
"Fergie", a.k.a.
Paul Ferguson Engineering Architecture for the Internet fergdawgster(at)gmail.com ferg's tech blog: http://fergdawg.blogspot.com/ From owen at delong.com Wed Jun 9 00:33:14 2010 From: owen at delong.com (Owen DeLong) Date: Tue, 8 Jun 2010 22:33:14 -0700 Subject: Nato warns of strike against cyber attackers In-Reply-To: <4036E91C-ED3D-4E62-8F75-C3C7B3DD2A37@cs.columbia.edu> References: <4C0EA863.9020606@2mbit.com> <21B53E5F-E463-4C04-9830-1511080AA5DF@delong.com> <4036E91C-ED3D-4E62-8F75-C3C7B3DD2A37@cs.columbia.edu> Message-ID: On Jun 8, 2010, at 9:26 PM, Steven Bellovin wrote: >> Problem is there's no financial liability for producing massively exploitable software. >> No financial penalty for operating a compromised system. >> No penalty for ignoring abuse complaints. >> Etc. >> >> Imagine how fast things would change in Redmond if Micr0$0ft had to pay the cleanup costs for each and every infected system and any damage said infected system did prior to the owner/operator becoming aware of the infection. >> > > It isn't Microsoft. It once was, but Vista and Windows 7 are really solid, probably much better than Linux or Mac OS. (Note that I run NetBSD and Mac OS; I don't run Windows not because it's insecure but because it's an unpleasant work environment for me.) > > Microsoft is targeted because they have the market. If Steve Jobs keeps succeeding with his reality distortion field, we'll see a lot more attacks on Macs in a very few years. It's also Flash and Acrobat Reader. It's also users who click to install every plug-in recommended by every dodgy web site they visit. It's also users who don't install patches, including those for XP (which really was that buggy). There's plenty of blame to go around here.... > > A liability scheme, with penalties on users and vendors, is certainly worth considering. Such a scheme would also have side-effects -- think of the effect on open source software. 
It would also be a lovely source of income for lawyers, and would inhibit new software development. The tradeoff may be worth while -- or it may not, because I have yet to see evidence that *anyone* can produce really secure software without driving up costs at least five-fold. > > Open source should be basically covered by the equivalent of a good samaritan clause. After all, the source is open, so, anyone who wants it fixed can fix it. OTOH, non-open-source software which is subject to dependency on a vendor who got paid for the software as a professional development house should carry a different standard of liability. Just as the mechanic you pay at the local garage is held to a higher standard of liability than the shade-tree mechanic on your block that changes your oil for free. Owen From jcdill.lists at gmail.com Wed Jun 9 01:11:38 2010 From: jcdill.lists at gmail.com (JC Dill) Date: Tue, 08 Jun 2010 23:11:38 -0700 Subject: Nato warns of strike against cyber attackers In-Reply-To: References: <4C0F1335.6040305@gmail.com> Message-ID: <4C0F309A.5050803@gmail.com> Owen DeLong wrote: > > Heck, at this point, I'd be OK with it being a regulatory issue. What entity do you see as having any possibility of effective regulatory control over the internet? The reason we have these problems to begin with is because there is no way for people (or government regulators) in the US to control ISPs in eastern Europe etc. jc From fergdawgster at gmail.com Wed Jun 9 01:14:10 2010 From: fergdawgster at gmail.com (Paul Ferguson) Date: Tue, 8 Jun 2010 23:14:10 -0700 Subject: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers] Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 To cut through the noise and non-relevant discussion, let's see if we can boil this down to a couple of issues: 1. Should ISPs be responsible for abuse from within their customer base? 1a. If so, how? 2. 
Should hosting providers also be held responsible for customers who abuse their services in a criminal manner?

2.a If so, how?

I think anyone in their right mind would agree that if a provider sees criminal activity, they should take action, no?

If that also holds true, then why doesn't it happen?

Providers in the U.S. are the worst offenders of hosting/accommodating criminal activities by Eastern European criminals. Period.

$.02,

-- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/

From fergdawgster at gmail.com Wed Jun 9 01:18:31 2010
From: fergdawgster at gmail.com (Paul Ferguson)
Date: Tue, 8 Jun 2010 23:18:31 -0700
Subject: Nato warns of strike against cyber attackers
In-Reply-To: <4C0F309A.5050803@gmail.com>
References: <4C0F1335.6040305@gmail.com> <4C0F309A.5050803@gmail.com>
Message-ID:

On Tue, Jun 8, 2010 at 11:11 PM, JC Dill wrote:
> Owen DeLong wrote:
>>
>> Heck, at this point, I'd be OK with it being a regulatory issue.
>
> What entity do you see as having any possibility of effective regulatory
> control over the internet?
>
> The reason we have these problems to begin with is because there is no
> way for people (or government regulators) in the US to control ISPs in
> eastern Europe etc.

Exactly, which is the problem we are foretelling. If you guys can't wrap your brains around the problem, and can't come up with suitable solutions to abate criminal activity, then the hammer drops in a way which none of us will appreciate.

I think that is pretty clear.

The U.S. Government doesn't care about ISPs in The Netherlands or Christmas Islands, because it is not within their jurisdiction.

But you are. That is the entire point.

Hello.

-- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/

From rsk at gsp.org Wed Jun 9 05:09:34 2010
From: rsk at gsp.org (Rich Kulawiec)
Date: Wed, 9 Jun 2010 06:09:34 -0400
Subject: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
In-Reply-To:
References:
Message-ID: <20100609100934.GA18798@gsp.org>

On Tue, Jun 08, 2010 at 11:14:10PM -0700, Paul Ferguson wrote:
> 1. Should ISPs be responsible for abuse from within their customer base?

Yes -- if they wish to be considered at least minimally professional.

The principle is "if it comes from your host/network on your watch, it's your abuse". Given that many common forms of abuse are easily identified, and in many cases, easily prevented with cursory due diligence upfront, there's really no excuse for what we see on a regular basis. Abusers have learned that they don't have to make the slightest effort at concealment or subtlety; even the most egregious and obvious instances can operate with impunity for extended periods of time. [1]

As I've often said, spam (to pick one form out of abuse) does not just magically fall out of the sky. If I can see it arriving on one of my networks, then surely someone else can see it leaving theirs...if only they bother to look. And of course in many cases they need not even do that, because others have already done it for them and generously published the results or furnished them to the RFC2142-designated contact address for abuse issues.
---Rsk [1] One would think, for example, that many ISPs and web hosts would have learned by now that when a new customer fills a /24 with nonsensically named domains or with sequentially numbered domains that the spam will start any minute now. But fresh evidence arrives every day suggesting that this is still well beyond their capabilities. From owen at delong.com Wed Jun 9 06:11:32 2010 From: owen at delong.com (Owen DeLong) Date: Wed, 9 Jun 2010 04:11:32 -0700 Subject: Nato warns of strike against cyber attackers In-Reply-To: <4C0F309A.5050803@gmail.com> References: <4C0F1335.6040305@gmail.com> <4C0F309A.5050803@gmail.com> Message-ID: <12867251-45B8-4152-9238-E43B95E7E013@delong.com> On Jun 8, 2010, at 11:11 PM, JC Dill wrote: > Owen DeLong wrote: >> >> Heck, at this point, I'd be OK with it being a regulatory issue. > > What entity do you see as having any possibility of effective regulatory control over the internet? > > The reason we have these problems to begin with is because there is no way for people (or government regulators) in the US to control ISPs in eastern Europe etc. > The reason we have these problems is because NO government is taking action. If each government took the action I suggested locally against the ISPs in their region, it would be just as effective. In fact, the more governments that take the action I suggested, the more effective it would be. Owen From owen at delong.com Wed Jun 9 06:14:53 2010 From: owen at delong.com (Owen DeLong) Date: Wed, 9 Jun 2010 04:14:53 -0700 Subject: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers] In-Reply-To: References: Message-ID: <9ABFA6B4-52EF-4A7E-B7A2-0E695AC83669@delong.com> On Jun 8, 2010, at 11:14 PM, Paul Ferguson wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > To cut through the noise and non-relevant discussion, let's see if we can > boil this down to a couple of issues: > > 1. Should ISPs be responsible for abuse from within their customer base? 
>
Yes, but, there should be an exemption from liability for ISPs that take action to resolve the situation within 24 hours of first awareness (by either internal detection or external report).

> 1a. If so, how?
>
Unless exempt as I suggested above, they should be financially liable for the cleanup costs and damages to all affected systems. They should be entitled to recover these costs from the responsible customer through a process like subrogation.

> 2. Should hosting providers also be held responsible for customers who
> abuse their services in a criminal manner?
>
Absolutely, with the same exemptions specified above.

> 2.a If so, how?
>
See my answer to 1a above.

> I think anyone in their right mind would agree that if a provider see
> criminal activity, they should take action, no?
>
Yes.

> If that also holds true, then why doesn't it happen?
>
Because we don't inflict any form of liability or penalty when they fail to do so.

Owen

From michiel at klaver.it Wed Jun 9 06:19:04 2010
From: michiel at klaver.it (Michiel Klaver)
Date: Wed, 09 Jun 2010 13:19:04 +0200
Subject: Nato warns of strike against cyber attackers
Message-ID: <4C0F78A8.4070809@klaver.it>

> ----- Original message -----
> All that said, the biggest problem is users. Social Engineering is a far bigger threat than anything in software. And I don't know how we stop that. Anyone have an idea?

Users will click anything they find 'interesting', can't change that part up front. However, after those users get infected with whatever virii/worm/botnet client came along, you could detect it [1] and place them into a quarantine vlan routing all traffic to an information page stating they have done something stupid and educate them how to clean up and avoid it from happening in the future again. This will stop the abuse almost instantly (if the detection and vlan move is done automatically), and it will educate users afterwards by learning from their mistakes. Most users appreciate such kind of warnings from their own ISP (afraid of losing documents by a virus) and are willing to clean up. You could charge fees when users need clean-up assistance.

[1] Projects like ShadowServer.org scan all kinds of botnets and (after a sign-up) send out notifications to your abuse-desk when they find infected hosts at your IP subnets. You could also set up your own Snort IDS with the detection rules from EmergingThreats.net.

With kind regards,

Michiel Klaver
IT Professional

From owen at delong.com Wed Jun 9 06:21:07 2010
From: owen at delong.com (Owen DeLong)
Date: Wed, 9 Jun 2010 04:21:07 -0700
Subject: Nato warns of strike against cyber attackers
In-Reply-To:
References: <4C0F11A0.8000303@gmail.com> <259F187A-0A4E-4F40-A984-157506FD5CC5@delong.com>
Message-ID: <6901CF26-2B38-414F-97F9-8C65C0D05863@delong.com>

On Jun 8, 2010, at 10:37 PM, Paul Ferguson wrote:
>
> On Tue, Jun 8, 2010 at 10:22 PM, Owen DeLong wrote:
>
>>
>>> Please, be for real -- the criminals go after the entrenched majority.
>>> If it were any other OS, the story would be the same.
>>>
>> If this were true, the criminals would be all over Apache and yet it is
>> IIS that gets compromised most often.
>>
>
> Actually, that is another fallacy.
>
> The majority of SQL Injections are on Apache-based systems.
>
SQL injection is an SQL attack, not a compromise of the HTTP daemon itself (usually partially a compromise of PHP or similar scripting language). The majority of compromises (buffer overflows, etc.) against the web server itself are IIS.

> Look, this isn't a blame-game in which we need to point out one vendor,
> operating system, plug-in, browser, or whatever.
>
Agreed... All vulnerable vendors should be treated the same.
If you are selling software without source code and making money as "professional developers" by selling that software, then, it should come with liability for the damages caused by your failure to secure the software properly.

If you're providing source code and allowing others to use it and you are not getting paid for developing it, then, obviously, it is ridiculous to hold you liable since the person who chose to use your source code has the ability to fix it to resolve any security issues.

> The problem is that it is a wide-spread problem wherein we have millions of
> compromised consumer (and non-consumer) hosts doing the bidding of Bad
> Guys.
>
Yep.

> I would certainly love to hear your solution to this problem.
>
Hold the owners of compromised systems financially liable for the damage they do. Make it possible for said owners to subrogate such claims against any suppliers of commercial closed insecure software which contributed to the compromise of their systems.

> And stop pointing fingers.
>
No finger pointing there, just actual liability targeted at those actually responsible.

Owen

From jgreco at ns.sol.net Wed Jun 9 06:22:37 2010
From: jgreco at ns.sol.net (Joe Greco)
Date: Wed, 9 Jun 2010 06:22:37 -0500 (CDT)
Subject: Nato warns of strike against cyber attackers
In-Reply-To: <5.1.0.14.2.20100609074757.056d3a78@efes.iucc.ac.il> from "Hank Nussbacher" at Jun 09, 2010 08:03:53 AM
Message-ID: <201006091122.o59BMbaM000417@aurora.sol.net>

> >Obviously NATO is not concerned with proving the culprit of an attack an
> >albeit close to impossibility. Considering that many attackers
> >compromise so many machines, what's to stop someone from instigating.
> >I can see it coming now:
> >
> >hping -S 62.128.58.180 -a 62.220.119.62 -p ++21 -w 6000
> >hping -S 62.220.119.62 -a 62.128.58.180 -p ++21 -w 6000
>
> Let's try to separate the attacks into those that we (NANOG) have dealt with
> and those that NATO are referring to - and there is *no* overlap between
> the two.
>
> Attacks such as botnets, hpings, compromised machines, DDOS attacks, site
> defacements, prefix hijacks is what this list deals with, sometimes well
> and other times not.
>
> The attacks NATO is referring to are ones like causing trains to crash into
> each other, attacks causing oil and gas pipelines to overload and explode,
> attacks altering blood bank data, attacks poisoning the water supply, etc.
> - all of which can be done remotely.
>
> NATO is in no way (unless they have been out in the sun too long) condoning
> an attack for a DDOS attack. I think NATO is discussing attacking if 5,000
> people die from some cyber attack as listed above (I have many more scenarios).

That's a great starting place, because most will agree that such attacks would be sufficiently serious to warrant a response. However,

1) What happens when the attack moves on down the scale, towards "a cyber attack that crippled vital military communication networks (but didn't kill anyone)", or "a cyber attack that crippled government websites (but was basically just a nuisance)"?

2) What happens when a decision is made to play tit for tat, and A attacks B, B misidentifies A as C, and B attacks C with cyber warfare?

"Cyber warfare" responses will almost certainly need to include DoS capabilities. This is troublesome. Let's consider, for the sake of discussion, an attack by the US on Elbonia. Everyone here knows how the 'net works; Elbonia isn't going to allow the US military to run a bunch of fiber to their border and hook up to their routers. That traffic will have to arrive via existing commercial connectivity. How exactly will that work?
How exactly will that impact the carriers who are also running their normal traffic for other locations on the same networks? Some I've talked to seem to think that this is an unlikely or even unthinkable situation, but let's be realistic: if you want to render an enemy's radio communication useless, you flood their radio spectrum, etc., and at some point, it's not unthinkable to the average politician to expect to be able to do the same thing to a network. It's not unthinkable, alas. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples. From jgreco at ns.sol.net Wed Jun 9 06:27:08 2010 From: jgreco at ns.sol.net (Joe Greco) Date: Wed, 9 Jun 2010 06:27:08 -0500 (CDT) Subject: Nato warns of strike against cyber attackers In-Reply-To: <3F29DAD6-2847-4325-96D2-20E3830238FA@delong.com> from "Owen DeLong" at Jun 08, 2010 10:11:24 PM Message-ID: <201006091127.o59BR8HQ001836@aurora.sol.net> > I'm all for that, but, point is that people who fail to meet that standard are > currently getting a free ride. IMHO, they should pay and they should have > the recourse of being (at least partially) reimbursed by their at-fault software > vendors for contributory negligence. Great idea. You know, I've got a great solution for global warming. Let's hold all the car owners accountable for all the greenhouse gases their cars belch out, and let them have the recourse of being (at least partially) reimbursed by their at-fault car manufacturers and gasoline distributors for contributory negligence. See how insane that sounds? ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." 
- Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.

From greg at bestnet.kharkov.ua Wed Jun 9 06:35:47 2010
From: greg at bestnet.kharkov.ua (Gregory Edigarov)
Date: Wed, 9 Jun 2010 14:35:47 +0300
Subject: Nato warns of strike against cyber attackers
In-Reply-To: <201006091127.o59BR8HQ001836@aurora.sol.net>
References: <3F29DAD6-2847-4325-96D2-20E3830238FA@delong.com> <201006091127.o59BR8HQ001836@aurora.sol.net>
Message-ID: <20100609143547.74d42165@greg.bestnet.kharkov.ua>

On Wed, 9 Jun 2010 06:27:08 -0500 (CDT)
Joe Greco wrote:

> > I'm all for that, but, point is that people who fail to meet that
> > standard are currently getting a free ride. IMHO, they should pay
> > and they should have the recourse of being (at least partially)
> > reimbursed by their at-fault software vendors for contributory
> > negligence.

Yeah, of course, let's go back to the 1990's, and pay for every byte sent. This surely will keep users accountable for all their faulty software.

> Great idea. You know, I've got a great solution for global warming.
> Let's hold all the car owners accountable for all the greenhouse gases
> their cars belch out, and let them have the recourse of being (at
> least partially) reimbursed by their at-fault car manufacturers and
> gasoline distributors for contributory negligence.

--
With best regards,
Gregory Edigarov

From Valdis.Kletnieks at vt.edu Wed Jun 9 06:37:57 2010
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Wed, 09 Jun 2010 07:37:57 -0400
Subject: Nato warns of strike against cyber attackers
In-Reply-To: Your message of "Wed, 09 Jun 2010 00:36:29 EDT." <6AC7A7DC-7F75-4FE6-9362-C6B80E924769@ianai.net>
References: <4C0EA863.9020606@2mbit.com> <21B53E5F-E463-4C04-9830-1511080AA5DF@delong.com> <4036E91C-ED3D-4E62-8F75-C3C7B3DD2A37@cs.columbia.edu> <6AC7A7DC-7F75-4FE6-9362-C6B80E924769@ianai.net>
Message-ID: <150908.1276083477@localhost>

On Wed, 09 Jun 2010 00:36:29 EDT, "Patrick W. Gilmore" said:
> But it is not -just- market share. There are a lot more Windows Mobile
> compromises, viruses, etc., than iOS, Symbian, and RIM. I think
> combined. Yet Windows Mobile has the lowest market share of the four.

I'll just point out that it's really hard for the user to install some random app they found on the net on 3 of those operating systems.

Let's face it - a significant percentage of users really need to be restricted to a Harvard architecture "no user serviceable parts inside" system if you expect them to compute safely.

From jgreco at ns.sol.net Wed Jun 9 07:02:06 2010
From: jgreco at ns.sol.net (Joe Greco)
Date: Wed, 9 Jun 2010 07:02:06 -0500 (CDT)
Subject: Nato warns of strike against cyber attackers
In-Reply-To: <44AC6E21-FC5A-45CB-B41F-A0348C2F8467@delong.com> from "Owen DeLong" at Jun 08, 2010 10:18:09 PM
Message-ID: <201006091202.o59C26tb006864@aurora.sol.net>

> So? If said end customer is operating a network-connected system without
> sufficient knowledge to properly maintain it and prevent it from doing mischief
> to the rest of the network, why should the rest of us subsidize her negligence?
> I don't see where making her pay is a bad thing.

I see that you don't understand that.

> The internet may be a vast ocean where bad guys keep dumping garbage,
> but, if software vendors stopped building highly exploitable code and ISPs
> started disconnecting abusing systems rapidly, it would have a major effect
> on the constantly changing currents.
If abuse departments were fully funded > by cleanup fees charged to negligent users who failed to secure their systems > properly, it would both incentivize users to do proper security _AND_ provide > for more responsive abuse departments as issues are reduced and their > budget scales linearly with the amount of abuse being conducted. The reality is that things change. Forty-three years ago, you could still buy a car that didn't have seat belts. Thirty years ago, most people still didn't wear seat belts. Twenty years ago, air bags began appearing in large volume in passenger vehicles. Throughout this period, cars have been de-stiffened with crumple zones, etc., in order to make them safer for passengers in the event of a crash. Mandatory child seat laws have been enacted at various times throughout. A little more than ten years ago, air bags were mandatory. Ten years ago, LATCH clips for child safety seats became mandatory. We now have side impact air bags, etc. Generally speaking, we do not penalize car owners for owning an older car, and we've maybe only made them retrofit seat belts (but not air bags, crumple zones, etc) into them, despite the fact that some of those big old boats can be quite deadly to other drivers in today's more easily-damaged cars. We've increased auto safety by mandating better cars, and by penalizing users who fail to make use of the safety features. There is only so much "proper security" you can expect the average PC user to do. The average PC user expects to be able to check e-mail, view the web, edit some documents, and listen to some songs. The average car driver expects to be able to drive around and do things. 
You can try to mandate that the average car driver must change their own oil, just as you can try to mandate that the average computer must do what you've naively referred to as "proper security", but the reality is that grandma doesn't want to get under her car, doesn't have the knowledge or tools, and would rather spend $30 at SpeedyLube. If we can not make security a similarly easy target for the end-user, rather than telling them to "take it in to NerdForce and spend some random amount between $50 and twice the cost of a new computer," then we - as the people who have designed and provided technology - have failed, and we are trying to pass off responsibility for our collective failure onto the end user. I'm all fine with noting that certain products are particularly awful. However, we have to be aware that users are simply not going to be required to go get a CompSci degree specializing in risk management and virus cleansing prior to being allowed to buy a computer. This implies that our operating systems need to be more secure, way more secure, our applications need to be less permissive, probably way less permissive, probably even sandboxed by default, our networks need to be more resilient to threats, ranging from simple things such as BCP38 and automatic detection of certain obvious violations, to more comprehensive things such as mandatory virus scanning by e-mail providers, etc., ... there's a lot that could be done, that most on the technology side of things have been unwilling to commit to. We can make their Internet cars safer for them - but we largely haven't. Now we can all look forward to misguided government efforts to mandate some of this stuff. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." 
- Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.

From a.harrowell at gmail.com Wed Jun 9 07:11:01 2010
From: a.harrowell at gmail.com (Alexander Harrowell)
Date: Wed, 09 Jun 2010 14:11:01 +0200
Subject: Nato warns of strike against cyber attackers
In-Reply-To: <201006091202.o59C26tb006864@aurora.sol.net>
References: <201006091202.o59C26tb006864@aurora.sol.net>
Message-ID:

No, but we can and do require cars to have functional brakes and minimum tread depths, and to be tested periodically.

Obviously this is acceptable because the failure modes for cars are worse, but the proposed solution is less intrusive being after the fact.

Excuse topposting, on mobile.

"Joe Greco" wrote:

>> So? If said end customer is operating a network-connected system without
>> sufficient knowledge to properly maintain it and prevent it from doing mischief
>> to the rest of the network, why should the rest of us subsidize her negligence?
>> I don't see where making her pay is a bad thing.
>
> I see that you don't understand that.
>
>> The internet may be a vast ocean where bad guys keep dumping garbage,
>> but, if software vendors stopped building highly exploitable code and ISPs
>> started disconnecting abusing systems rapidly, it would have a major effect
>> on the constantly changing currents. If abuse departments were fully funded
>> by cleanup fees charged to negligent users who failed to secure their systems
>> properly, it would both incentivize users to do proper security _AND_ provide
>> for more responsive abuse departments as issues are reduced and their
>> budget scales linearly with the amount of abuse being conducted.
>
> The reality is that things change. Forty-three years ago, you could still
> buy a car that didn't have seat belts. Thirty years ago, most people still
> didn't wear seat belts. Twenty years ago, air bags began appearing in
> large volume in passenger vehicles. Throughout this period, cars have been
> de-stiffened with crumple zones, etc., in order to make them safer for
> passengers in the event of a crash. Mandatory child seat laws have been
> enacted at various times throughout. A little more than ten years ago, air
> bags were mandatory. Ten years ago, LATCH clips for child safety seats
> became mandatory. We now have side impact air bags, etc.
>
> Generally speaking, we do not penalize car owners for owning an older car,
> and we've maybe only made them retrofit seat belts (but not air bags,
> crumple zones, etc) into them, despite the fact that some of those big old
> boats can be quite deadly to other drivers in today's more easily-damaged
> cars. We've increased auto safety by mandating better cars, and by
> penalizing users who fail to make use of the safety features.
>
> There is only so much "proper security" you can expect the average PC user
> to do. The average PC user expects to be able to check e-mail, view the
> web, edit some documents, and listen to some songs. The average car driver
> expects to be able to drive around and do things. You can try to mandate
> that the average car driver must change their own oil, just as you can try
> to mandate that the average computer must do what you've naively referred
> to as "proper security", but the reality is that grandma doesn't want to
> get under her car, doesn't have the knowledge or tools, and would rather
> spend $30 at SpeedyLube. If we can not make security a similarly easy
> target for the end-user, rather than telling them to "take it in to
> NerdForce and spend some random amount between $50 and twice the cost of
> a new computer," then we - as the people who have designed and provided
> technology - have failed, and we are trying to pass off responsibility
> for our collective failure onto the end user.
>
> I'm all fine with noting that certain products are particularly awful.
> However, we have to be aware that users are simply not going to be required
> to go get a CompSci degree specializing in risk management and virus
> cleansing prior to being allowed to buy a computer. This implies that our
> operating systems need to be more secure, way more secure, our applications
> need to be less permissive, probably way less permissive, probably even
> sandboxed by default, our networks need to be more resilient to threats,
> ranging from simple things such as BCP38 and automatic detection of certain
> obvious violations, to more comprehensive things such as mandatory virus
> scanning by e-mail providers, etc., ... there's a lot that could be done,
> that most on the technology side of things have been unwilling to commit
> to.
>
> We can make their Internet cars safer for them - but we largely haven't.
> Now we can all look forward to misguided government efforts to mandate
> some of this stuff.
>
> ... JG
> --
> Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
> "We call it the 'one bite at the apple' rule. Give me one chance [and] then I
> won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
> With 24 million small businesses in the US alone, that's way too many apples.
>

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

From jmamodio at gmail.com Wed Jun 9 07:21:38 2010
From: jmamodio at gmail.com (Jorge Amodio)
Date: Wed, 9 Jun 2010 07:21:38 -0500
Subject: Nato warns of strike against cyber attackers
In-Reply-To: <97245.1276054788@localhost>
References: <97245.1276054788@localhost>
Message-ID:

>> On the other hand think as the Internet being a vast ocean where the
>> bad guys keep dumping garbage, you can't control or filter the
>> currents that are constantly changing and you neither can inspect
>> every water molecule, then what do you do to find and penalize the
>> ones that drop or permit their systems to drop garbage on the ocean ?
>
> Bad analogy.
> There's some plumes of oil in the Gulf of Mexico that are
> getting mapped out very well by only a few ships. You don't have to
> examine every molecule to find parts-per-million oil, or to figure out
> whose oil rig the oil came from.

Maybe, but that is a particular case where you can exactly finger point who made the mess and make him accountable and responsible for cleaning it. But it's another example that shows that companies make decisions based not on what is right or wrong to do but what is more or less profitable to do within a risk management context.

> And you don't need to look at every packet to find abusive traffic
> either - in most cases, simply letting the rest of the net do the work
> for you and just reading your abuse@ mailbox and actually dealing with
> the reports is 95% of what's needed.

Agreed, but you still have no control over what happens on the other side of the ocean, and if you don't provide a liability waiver to the abuse@ guy they may have their hands tied by their legal department to do anything.

I'll give you another bad analogy: for sure we need to keep an eye on and deal with transport and distribution, but the only way to eradicate drugs (most unlikely because of the amount of $$$ it moves) is to go after production and particularly consumption; meanwhile the only thing you can do is damage control and containment.

If it is still so freaking easy for the crooks to have a profitable criminal biz on the net, they will find the workaround to keep making money while it's easy.

My point is, go hard after the crooks and fix the holes, things like why the heck are the power grid control systems accessible over the net from Hackertistan? And if there is a real reason for it to be on the net, put the necessary amount of money and technology into making it as secure as possible.

Regards
Jorge

From jmamodio at gmail.com Wed Jun 9 07:27:52 2010
From: jmamodio at gmail.com (Jorge Amodio)
Date: Wed, 9 Jun 2010 07:27:52 -0500
Subject: Nato warns of strike against cyber attackers
In-Reply-To: <201006091202.o59C26tb006864@aurora.sol.net>
References: <44AC6E21-FC5A-45CB-B41F-A0348C2F8467@delong.com> <201006091202.o59C26tb006864@aurora.sol.net>
Message-ID:

> I'm all fine with noting that certain products are particularly awful.
> However, we have to be aware that users are simply not going to be required
> to go get a CompSci degree specializing in risk management and virus
> cleansing prior to being allowed to buy a computer. This implies that our
> operating systems need to be more secure, way more secure, our applications
> need to be less permissive, probably way less permissive, probably even
> sandboxed by default, our networks need to be more resilient to threats,
> ranging from simple things such as BCP38 and automatic detection of certain
> obvious violations, to more comprehensive things such as mandatory virus
> scanning by e-mail providers, etc., ... there's a lot that could be done,
> that most on the technology side of things have been unwilling to commit
> to.

Great comments Joe, and I agree with you that there is a lot more that can be done and should be done, but there is a main difference with your recount of the auto industry: all those changes were pushed by evolving regulation and changes in the law and enforcement.

Going back then to a previous question, do we want more/any regulation?

Cheers
Jorge

From jgreco at ns.sol.net Wed Jun 9 07:28:34 2010
From: jgreco at ns.sol.net (Joe Greco)
Date: Wed, 9 Jun 2010 07:28:34 -0500 (CDT)
Subject: Nato warns of strike against cyber attackers
In-Reply-To: from "Alexander Harrowell" at Jun 09, 2010 02:11:01 PM
Message-ID: <201006091228.o59CSYRF010985@aurora.sol.net>

> No, but we can and do require cars to have functional brakes and
> minimum tread depths, and to be tested periodically.
>
> Obviously this is acceptable because the failure modes for cars
> are worse, but the proposed solution is less intrusive being after the fact.

Grandma does not go check her tread depth or check her own brake pads and discs for wear. She lets the shop do that. I was hoping I didn't have to get pedantic and that people could differentiate between "I pay the shop a few bucks to do that for me" and "I take responsibility personally to drive my car in an appropriate fashion" (which includes things like "I take my car to the shop periodically for maintenance I don't have the skills to do myself"), but there we have it.

My point: We haven't designed computers for end users appropriately. It is not the fault of the end user that they're driving around the crapmobile we've provided for them. If you go to the store to get a new computer, you get a choice of crapmobiles all with engines by the same company, unless you go to the fruit store, in which case you get a somewhat less obviously vulnerable engine by a different company. The users don't know how to take apart the engines and repair them, and the engines aren't usefully protected sufficiently to ensure that they don't get fouled, so you have a Problem.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
From owen at delong.com Wed Jun 9 07:37:26 2010
From: owen at delong.com (Owen DeLong)
Date: Wed, 9 Jun 2010 05:37:26 -0700
Subject: Nato warns of strike against cyber attackers
In-Reply-To: <201006091202.o59C26tb006864@aurora.sol.net>
References: <201006091202.o59C26tb006864@aurora.sol.net>
Message-ID:

On Jun 9, 2010, at 5:02 AM, Joe Greco wrote:

>> So? If said end customer is operating a network-connected system without
>> sufficient knowledge to properly maintain it and prevent it from doing mischief
>> to the rest of the network, why should the rest of us subsidize her negligence?
>> I don't see where making her pay is a bad thing.
>
> I see that you don't understand that.
>

Seems to me that you are the one not understanding...

I can't refinance my mortgage right now to take advantage of the current interest rates. Why? Because irresponsible people got into loans they couldn't afford and engaged in speculative transactions. Their failure resulted in a huge drop in value to my house which brought me below the magic 80% loan to value ratio, which, because of said same bad actors became a legal restriction instead of a target number around which lenders had some flexibility. So, because I had a house I could afford and a reasonable mortgage, I'm now getting penalized by paying higher taxes to cover mortgage absorptions, reductions, and modifications for these irresponsible people. I'm getting penalized by paying higher interest rates because due to the damage they did to my property value and the laws they forced to be created, I can't refinance.

I'm mad as hell and frankly, I don't want to take it any more.

Do you see that? Do you still think I don't have a legitimate point on this?

I'm tired of subsidizing stupidity and bad actors. It's too expensive. I don't want to do it any more. We already have too many stupid people and bad actors. We really don't need to subsidize or encourage the creation of more.

>> The internet may be a vast ocean where bad guys keep dumping garbage,
>> but, if software vendors stopped building highly exploitable code and ISPs
>> started disconnecting abusing systems rapidly, it would have a major effect
>> on the constantly changing currents. If abuse departments were fully funded
>> by cleanup fees charged to negligent users who failed to secure their systems
>> properly, it would both incentivize users to do proper security _AND_ provide
>> for more responsive abuse departments as issues are reduced and their
>> budget scales linearly with the amount of abuse being conducted.
>
> The reality is that things change. Forty-three years ago, you could still
> buy a car that didn't have seat belts. Thirty years ago, most people still
> didn't wear seat belts. Twenty years ago, air bags began appearing in
> large volume in passenger vehicles. Throughout this period, cars have been
> de-stiffened with crumple zones, etc., in order to make them safer for
> passengers in the event of a crash. Mandatory child seat laws have been
> enacted at various times throughout. A little more than ten years ago, air
> bags were mandatory. Ten years ago, LATCH clips for child safety seats
> became mandatory. We now have side impact air bags, etc.
>

Sure.

> Generally speaking, we do not penalize car owners for owning an older car,
> and we've maybe only made them retrofit seat belts (but not air bags,
> crumple zones, etc) into them, despite the fact that some of those big old
> boats can be quite deadly to other drivers in today's more easily-damaged
> cars. We've increased auto safety by mandating better cars, and by
> penalizing users who fail to make use of the safety features.
>

Right, but, owners of older cars are primarily placing themselves at risk, not others. In this case, it's a question of others putting me at risk. That, generally, isn't tolerated.

> There is only so much "proper security" you can expect the average PC user
> to do. The average PC user expects to be able to check e-mail, view the
> web, edit some documents, and listen to some songs. The average car driver
> expects to be able to drive around and do things. You can try to mandate
> that the average car driver must change their own oil, just as you can try
> to mandate that the average computer must do what you've naively referred
> to as "proper security", but the reality is that grandma doesn't want to
> get under her car, doesn't have the knowledge or tools, and would rather
> spend $30 at SpeedyLube. If we can not make security a similarly easy
> target for the end-user, rather than telling them to "take it in to
> NerdForce and spend some random amount between $50 and twice the cost of
> a new computer," then we - as the people who have designed and provided
> technology - have failed, and we are trying to pass off responsibility
> for our collective failure onto the end user.
>

I disagree. It used to be that anyone could drive a car. Today, you need to take instruction on driving and pass a test showing you are competent to operate a motor vehicle before you are allowed to drive legally.

Things change, as you say. I have no problem with the same requirement being added to attaching a computer to the network.

If you drive a car in a reckless manner so as to endanger others, you are criminally liable for violating the safe driving laws as well as civilly liable for the damages you cause. Why should operating an unsafe computer be any different?

> I'm all fine with noting that certain products are particularly awful.
> However, we have to be aware that users are simply not going to be required
> to go get a CompSci degree specializing in risk management and virus
> cleansing prior to being allowed to buy a computer. This implies that our
> operating systems need to be more secure, way more secure, our applications
> need to be less permissive, probably way less permissive, probably even
> sandboxed by default, our networks need to be more resilient to threats,
> ranging from simple things such as BCP38 and automatic detection of certain
> obvious violations, to more comprehensive things such as mandatory virus
> scanning by e-mail providers, etc., ... there's a lot that could be done,
> that most on the technology side of things have been unwilling to commit
> to.
>

I'm not out to target specific products. Yes, I'll celebrate the death of our favorite convicted felon in Redmond, but, that's not the point. I don't have a CompSci degree specializing in that stuff and I seem to be able to run clean systems. I don't have a CompSci degree at all. It's not that hard to run clean systems, actually. Mostly it takes not being willing to click yes to every download and exercising minimal judgment about which web sites you choose to trust.

The point is that if I run a clean system, why should I have to pay a subsidy to those that do not? I'm tired of this mentality that says let's penalize the good actors to subsidize the bad actors. I'm tired of it with mortgages. I'm tired of it with businesses. I'm tired of watching the government, time after time, reward bad behavior and punish good behavior and then wonder why they get more bad and less good behavior.

> We can make their Internet cars safer for them - but we largely haven't.
> Now we can all look forward to misguided government efforts to mandate
> some of this stuff.
>

I'm not opposed to making operating systems and applications safer. As I said, just as with cars, the manufacturers should be held liable by the consumers. However, the consumer that is operating the car that plows into a group of pedestrians is liable to the pedestrians. The manufacturer is usually liable to the operator through subrogation.

Owen

From jmamodio at gmail.com Wed Jun 9 07:39:47 2010
From: jmamodio at gmail.com (Jorge Amodio)
Date: Wed, 9 Jun 2010 07:39:47 -0500
Subject: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
In-Reply-To:
References:
Message-ID:

> 1. Should ISPs be responsible for abuse from within their customer base?

Not sure. ISPs' role is just to move packets from A to B; you need to clearly define what constitutes abuse and how much of it is considered a crime. If I call your home every five minutes to harass you over the phone, is AT&T responsible?

> 1a. If so, how?

Pull the plug without looking at how much you are billing.

> 2. Should hosting providers also be held responsible for customers who
> abuse their services in a criminal manner?

Same as 1.

> 2.a If so, how?

Same as 1a.

> I think anyone in their right mind would agree that if a provider see
> criminal activity, they should take action, no?
>
> If that also holds true, then why doesn't it happen?

What incentive do they have to do so? And how liable do they become if they do something without a court order or such?

> Providers in the U.S. are the worst offenders of hosting/accommodating
> criminal activities by Eastern European criminals. Period.

Probably true; here money talks.

Cheers
Jorge

From owen at delong.com Wed Jun 9 07:40:06 2010
From: owen at delong.com (Owen DeLong)
Date: Wed, 9 Jun 2010 05:40:06 -0700
Subject: Nato warns of strike against cyber attackers
In-Reply-To: <201006091127.o59BR8HQ001836@aurora.sol.net>
References: <201006091127.o59BR8HQ001836@aurora.sol.net>
Message-ID:

On Jun 9, 2010, at 4:27 AM, Joe Greco wrote:

>> I'm all for that, but, point is that people who fail to meet that standard are
>> currently getting a free ride. IMHO, they should pay and they should have
>> the recourse of being (at least partially) reimbursed by their at-fault software
>> vendors for contributory negligence.
>
> Great idea. You know, I've got a great solution for global warming.
> Let's hold all the car owners accountable for all the greenhouse gases
> their cars belch out, and let them have the recourse of being (at least
> partially) reimbursed by their at-fault car manufacturers and gasoline
> distributors for contributory negligence.
>

1. My car emits very little greenhouse gas, so, I'm cool with that. Sounds great to me. (I drive a Prius).

2. Manufacturers are held liable for contributory negligence when the design of their vehicle is unsafe and causes an accident.

3. We're not talking about greenhouse gasses here... We're talking about car-wrecks on the information superhighway caused by a combination of irresponsible operators and poor vehicle design.

> See how insane that sounds?
>

Actually, it sounds reasonably sane to me, but, it's not a good analogy as noted above, so, the relative merits are mostly irrelevant.

Owen

From kauer at biplane.com.au Wed Jun 9 07:45:11 2010
From: kauer at biplane.com.au (Karl Auer)
Date: Wed, 09 Jun 2010 22:45:11 +1000
Subject: Nato warns of strike against cyber attackers
In-Reply-To: <201006091202.o59C26tb006864@aurora.sol.net>
References: <201006091202.o59C26tb006864@aurora.sol.net>
Message-ID: <1276087511.17332.59.camel@karl>

On Wed, 2010-06-09 at 07:02 -0500, Joe Greco wrote:
> There is only so much "proper security" you can expect the average PC user
> to do.

Sure - but if their computer, as a result of their ignorance, starts belching out spam, ISPs should be able at the very least to counteract the problem. For example, by disconnecting that user and telling them why they have been disconnected. Why should it be the ISP's duty to silently absorb the blows? Why should the user have no responsibility here?

To carry your analogy a bit too far, if someone is roaming the streets in a beat-up jalopy with wobbly wheels, no lights, no brakes, no mirrors, and sideswiping parked cars, is it up to the city to somehow clear the way for that driver? No - the car is taken off the road and the driver told to fix it or get a new one. If the problem appears to be the driver rather than the vehicle, the driver is told they cannot drive until they have obtained a Clue.

If the user, as a result of their computer being zombified or whatever, has to

> "take it in to
> NerdForce and spend some random amount between $50 and twice the cost of
> a new computer,"

...then that's the user's problem. They can solve it with insurance (appropriate policies will come into being), or they can solve it by becoming more knowledgeable, or they can solve it by hiring know-how. But it is *their* problem. The fact that it is the user's problem will drive the industry to solve that problem, because anywhere there is a problem there is a market for a solution.

> then we - as the people who have designed and provided
> technology - have failed, and we are trying to pass off responsibility
> for our collective failure onto the end user.

I think what's being called for is not total abdication of responsibility - just some sharing of the responsibility.

> This implies that our
> operating systems need to be more secure, way more secure, our applications
> need to be less permissive, probably way less permissive, probably even
> sandboxed by default

Yep! And the fastest way to get more secure systems is to make consumers accountable, so that they demand accountability from their vendors. And so it goes, all the way up the chain. Make people accountable. At every level.

> We can make their Internet cars safer for them - but we largely haven't.

I'm not sure that the word "we" is appropriate here. Who is "we"? How can (say) network operators be held responsible for (say) a weakness in Adobe Flash? At that level too, the consumer needs comeback - on the providers of weak software.

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)                   +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/                   +61-428-957160 (mob)

GPG fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
Old fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF

From jmamodio at gmail.com Wed Jun 9 07:46:14 2010
From: jmamodio at gmail.com (Jorge Amodio)
Date: Wed, 9 Jun 2010 07:46:14 -0500
Subject: Nato warns of strike against cyber attackers
In-Reply-To:
References: <201006091202.o59C26tb006864@aurora.sol.net>
Message-ID:

> I'm not opposed to making operating systems and applications safer.
> As I said, just as with cars, the manufacturers should be held liable
> by the consumers. However, the consumer that is operating the
> car that plows a group of pedestrians is liable to the pedestrians.
> The manufacturer is usually liable to the operator through subrogation.

That's why at least in the US by *regulation* you must have insurance to be able to operate a car; instead of mitigating the safety issues that a teenager texting while driving represents, we deal with the consequences.

Perhaps we have to call the insurance industry to come up with something.

Cheers
Jorge

From owen at delong.com Wed Jun 9 07:43:52 2010
From: owen at delong.com (Owen DeLong)
Date: Wed, 9 Jun 2010 05:43:52 -0700
Subject: Nato warns of strike against cyber attackers
In-Reply-To: <201006091228.o59CSYRF010985@aurora.sol.net>
References: <201006091228.o59CSYRF010985@aurora.sol.net>
Message-ID: <6145E543-D77C-4854-A005-176BC24CF846@delong.com>

On Jun 9, 2010, at 5:28 AM, Joe Greco wrote:

>> No, but we can and do require cars to have functional brakes and
>> minimum tread depths, and to be tested periodically.
>>
>> Obviously this is acceptable because the failure modes for cars
>> are worse, but the proposed solution is less intrusive being after the fact.
>
> Grandma does not go check her tread depth or check her own brake pads and
> discs for wear. She lets the shop do that. I was hoping I didn't have to
> get pedantic and that people could differentiate between "I pay the shop a
> few bucks to do that for me" and "I take responsibility personally to drive
> my car in an appropriate fashion" (which includes things like "I take my
> car to the shop periodically for maintenance I don't have the skills to do
> myself"), but there we have it.
>

Whether grandma measures the tread depth herself or takes it to the shop, the point is that grandma is expected to have tires with sufficient tread depth and working brakes when she operates the car. If not, she's liable. If she drives like the little old lady from Pasadena, she's liable for the accidents she causes.

> My point: We haven't designed computers for end users appropriately. It
> is not the fault of the end user that they're driving around the crapmobile
> we've provided for them. If you go to the store to get a new computer, you
> get a choice of crapmobiles all with engines by the same company, unless
> you go to the fruit store, in which case you get a somewhat less obviously
> vulnerable engine by a different company. The users don't know how to take
> apart the engines and repair them, and the engines aren't usefully protected
> sufficiently to ensure that they don't get fouled, so you have a Problem.
>

The end user should be able to recover from the responsible manufacturer for the design flaws in the hardware/software they are driving. Agreed. That is how it works in cars, that's how it should work in computers.

What I don't want to see, which you are advocating... I don't want to see the end users who do take responsibility, drive well designed vehicles with proper seat belts and safety equipment, stay in their lane, and do not cause accidents held liable for the actions of others.

Why should we penalize those that have done no wrong simply because they happen to be a minority?

Owen

From jgreco at ns.sol.net Wed Jun 9 07:49:24 2010
From: jgreco at ns.sol.net (Joe Greco)
Date: Wed, 9 Jun 2010 07:49:24 -0500 (CDT)
Subject: Nato warns of strike against cyber attackers
In-Reply-To: from "Jorge Amodio" at Jun 09, 2010 07:27:52 AM
Message-ID: <201006091249.o59CnORE013688@aurora.sol.net>

> > I'm all fine with noting that certain products are particularly awful.
> > However, we have to be aware that users are simply not going to be required
> > to go get a CompSci degree specializing in risk management and virus
> > cleansing prior to being allowed to buy a computer. This implies that our
> > operating systems need to be more secure, way more secure, our applications
> > need to be less permissive, probably way less permissive, probably even
> > sandboxed by default, our networks need to be more resilient to threats,
> > ranging from simple things such as BCP38 and automatic detection of certain
> > obvious violations, to more comprehensive things such as mandatory virus
> > scanning by e-mail providers, etc., ... there's a lot that could be done,
> > that most on the technology side of things have been unwilling to commit
> > to.
>
> Great comments Joe, and I agree with you that there is a lot more that
> can be done and should be done, but there is a main difference with
> your recount about the auto industry, all those changes were pushed by
> evolving regulation and changes in the law and enforcement.

Oh, good, you GOT my point.

> Going back then to a previous question, do we want more/any regulation ?

We're going to get it, I think, because collectively we're too stupid to self-regulate.

Locally, for example, we implement BCP38, we screen potential customers, and we have an abuse desk that will be happy to help. If you complain to us that you're getting packets from a customer here that contain the data octet 0x65, we'll put a stop to it (though you'll probably stop getting packets entirely), because we feel that it's being a good neighbour to not send things that we've been told are not wanted.

Most network providers are in the unfortunate position of having allowed themselves to get too swamped and/or don't care to begin with. Running a dirty network is the norm, just as running Windows (sorry Gates) is the norm, just as running Internet Explorer is something of a norm, just as running with Administrator privs is the norm, etc. We've allowed horrible practices to become the norm. It's exceedingly hard to fix a bad norm.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.

From cmadams at hiwaay.net Wed Jun 9 08:05:21 2010
From: cmadams at hiwaay.net (Chris Adams)
Date: Wed, 9 Jun 2010 08:05:21 -0500
Subject: Nato warns of strike against cyber attackers
In-Reply-To: <4C0F11A0.8000303@gmail.com>
References: <4C0F11A0.8000303@gmail.com>
Message-ID: <20100609130521.GB1482697@hiwaay.net>

Once upon a time, JC Dill said:
> I'm still truly amazed that no one has sic'd a lawyer on Microsoft for
> creating an "attractive nuisance" - an operating system that is too
> easily hacked and used to attack innocent victims, and where others have
> to pay to clean up after Microsoft's mess.

Many of the problems are PEBKAC, as evidenced by the massive responses to phishing scams.
I can't tell you the number of our users that have sent their password to Nigeria to be used to log in to our webmail and spam. Users open attachements, follow links, and click "OK" with alarming ease. As long as that is the case (and I don't see that changing), blaming one vendor is not going to help. Something like the NSA's SELinux helps (because you can have all browser plugins run in sandboxes, have saved attachments non-executable, etc.), but users will still follow the instructions to override it. -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. From cmadams at hiwaay.net Wed Jun 9 08:08:10 2010 From: cmadams at hiwaay.net (Chris Adams) Date: Wed, 9 Jun 2010 08:08:10 -0500 Subject: Nato warns of strike against cyber attackers In-Reply-To: References: <201006091202.o59C26tb006864@aurora.sol.net> Message-ID: <20100609130810.GC1482697@hiwaay.net> Once upon a time, Alexander Harrowell said: > No, but we can and do require cars to have functional brakes and minimum tread depths, and to be tested periodically. Not in this state. -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. From cmadams at hiwaay.net Wed Jun 9 08:09:33 2010 From: cmadams at hiwaay.net (Chris Adams) Date: Wed, 9 Jun 2010 08:09:33 -0500 Subject: Nato warns of strike against cyber attackers In-Reply-To: References: <201006091202.o59C26tb006864@aurora.sol.net> Message-ID: <20100609130933.GD1482697@hiwaay.net> Once upon a time, Jorge Amodio said: > That's why at least in the US by *regulation* you must have insurance > to be able to operate a car, instead of mitigating the safety issues > that represents a teenager texting while driving we deal with the > consequences. The insurance requirement is a state-by-state thing. It was only added here a few years ago, and I don't think it is universal. 
-- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. From jgreco at ns.sol.net Wed Jun 9 08:17:26 2010 From: jgreco at ns.sol.net (Joe Greco) Date: Wed, 9 Jun 2010 08:17:26 -0500 (CDT) Subject: Nato warns of strike against cyber attackers In-Reply-To: from "Owen DeLong" at Jun 09, 2010 05:37:26 AM Message-ID: <201006091317.o59DHQjf016480@aurora.sol.net> > On Jun 9, 2010, at 5:02 AM, Joe Greco wrote: > > >> So? If said end customer is operating a network-connected system without > >> sufficient knowledge to properly maintain it and prevent it from doing mischief > >> to the rest of the network, why should the rest of us subsidize her negligence? > >> I don't see where making her pay is a bad thing. > > > > I see that you don't understand that. > > > Seems to me that you are the one not understanding... > > I can't refinance my mortgage right now to take advantage of the current interest > rates. Why? Because irresponsible people got into loans they couldn't > afford and engaged in speculative transactions. Their failure resulted in > a huge drop in value to my house which brought me below the magic > 80% loan to value ratio, which, because of said same bad actors became > a legal restriction instead of a target number around which lenders had > some flexibility. So, because I had a house I could afford and a reasonable > mortgage, I'm now getting penalized by paying higher taxes to cover > mortgage absorptions, reductions, and modifications for these irresponsible > people. I'm getting penalized by paying higher interest rates because due > to the damage they did to my property value and the laws they forced > to be created, I can't refinance. > > I'm mad as hell and frankly, I don't want to take it any more. > > Do you see that? Do you still think I don't have a legitimate point on this? > > I'm tired of subsidizing stupidity and bad actors. It's too expensive. 
> I don't
> want to do it any more. We already have too many stupid people and bad
> actors. We really don't need to subsidize or encourage the creation of more.

A doesn't really seem connected to B.

> >> The internet may be a vast ocean where bad guys keep dumping garbage,
> >> but, if software vendors stopped building highly exploitable code and ISPs
> >> started disconnecting abusing systems rapidly, it would have a major effect
> >> on the constantly changing currents. If abuse departments were fully funded
> >> by cleanup fees charged to negligent users who failed to secure their systems
> >> properly, it would both incentivize users to do proper security _AND_ provide
> >> for more responsive abuse departments as issues are reduced and their
> >> budget scales linearly with the amount of abuse being conducted.
> > 
> > The reality is that things change. Forty-three years ago, you could still
> > buy a car that didn't have seat belts. Thirty years ago, most people still
> > didn't wear seat belts. Twenty years ago, air bags began appearing in
> > large volume in passenger vehicles. Throughout this period, cars have been
> > de-stiffened with crumple zones, etc., in order to make them safer for
> > passengers in the event of a crash. Mandatory child seat laws have been
> > enacted at various times throughout. A little more than ten years ago, air
> > bags were mandatory. Ten years ago, LATCH clips for child safety seats
> > became mandatory. We now have side impact air bags, etc.
> > 
> Sure.
> 
> > Generally speaking, we do not penalize car owners for owning an older car,
> > and we've maybe only made them retrofit seat belts (but not air bags,
> > crumple zones, etc) into them, despite the fact that some of those big old
> > boats can be quite deadly to other drivers in today's more easily-damaged
> > cars. We've increased auto safety by mandating better cars, and by
> > penalizing users who fail to make use of the safety features.
> > 
> Right, but, owners of older cars are primarily placing themselves at risk, not
> others.

I am pretty sure I saw stats that suggested that old cars that crashed into new cars did substantially more damage to the new car and its occupants than an equivalent crash between two new cars, something to do with the old car not absorbing about half the impact into its own (nonexistent) crumple zones, though there are obvious deficiencies in the protection afforded to the occupants of the old car as well...

> In this case, it's a question of others putting me at risk. That, generally,
> isn't tolerated.
> 
> > There is only so much "proper security" you can expect the average PC user
> > to do. The average PC user expects to be able to check e-mail, view the
> > web, edit some documents, and listen to some songs. The average car driver
> > expects to be able to drive around and do things. You can try to mandate
> > that the average car driver must change their own oil, just as you can try
> > to mandate that the average computer must do what you've naively referred
> > to as "proper security", but the reality is that grandma doesn't want to
> > get under her car, doesn't have the knowledge or tools, and would rather
> > spend $30 at SpeedyLube. If we can not make security a similarly easy
> > target for the end-user, rather than telling them to "take it in to
> > NerdForce and spend some random amount between $50 and twice the cost of
> > a new computer," then we - as the people who have designed and provided
> > technology - have failed, and we are trying to pass off responsibility
> > for our collective failure onto the end user.
> > 
> I disagree. It used to be that anyone could drive a car. Today, you need
> to take instruction on driving and pass a test showing you are competent
> to operate a motor vehicle before you are allowed to drive legally.
> 
> Things change, as you say.
> I have no problem with the same requirement
> being added to attaching a computer to the network.
> 
> If you drive a car in a reckless manner so as to endanger others, you are
> criminally liable for violating the safe driving laws as well as civilly liable
> for the damages you cause. Why should operating an unsafe computer
> be any different?

Generally speaking, because the computer is unsafe by design, and most of the problems we're discussing are not "driving the car in a reckless manner." I do not live in mortal fear that I am going to steer my car into the median and it's going to jump over into oncoming traffic and ram into an oncoming semi, because that's simply not something I'd do, and it's not something the car designers expected would be a regular thing to do. On the other hand, I do live in mortal fear of opening a PDF document on a Windows machine, something that both Adobe and Microsoft deliberately engineered to be as easy and trivial as possible, and which millions of people do on a daily and regular basis, but which nonetheless can have the undesirable side effect of infecting my computer with the latest stealth exploit, at least if I read the news correctly.

As a Windows user, I *am* *expected* to open web documents and go browsing around. The Internet has been deliberately designed with millions upon millions of domains and web sites; it's ridiculous to suggest that users should be aware that visiting a particular web site is likely to be harmful, especially given that we can't even keep servers safe, and some legitimate high-volume web sites have even been known to serve up bad stuff.

> > I'm all fine with noting that certain products are particularly awful.
> > However, we have to be aware that users are simply not going to be required
> > to go get a CompSci degree specializing in risk management and virus
> > cleansing prior to being allowed to buy a computer.
> > This implies that our
> > operating systems need to be more secure, way more secure, our applications
> > need to be less permissive, probably way less permissive, probably even
> > sandboxed by default, our networks need to be more resilient to threats,
> > ranging from simple things such as BCP38 and automatic detection of certain
> > obvious violations, to more comprehensive things such as mandatory virus
> > scanning by e-mail providers, etc., ... there's a lot that could be done,
> > that most on the technology side of things have been unwilling to commit
> > to.
> 
> I'm not out to target specific products. Yes, I'll celebrate the death of
> our favorite convicted felon in Redmond, but, that's not the point.
> 
> I don't have a CompSci degree specializing in that stuff and I seem to
> be able to run clean systems. I don't have a CompSci degree at all.
> It's not that hard to run clean systems, actually. Mostly it takes not being
> willing to click yes to every download and exercising minimal judgment
> about which web sites you choose to trust.

It takes an understanding of how it all works behind the scenes in order to understand what all those silly "Yes/No" prompts mean; that whole mechanism is part of what I mean when I say "defective by design." Why is it okay to click "Yes" when a website asks if we want to install "Flash" or "Silverlight" but it's not okay to click "Yes" when a website asks if we want to install "DodgyCodec"? How do you explain that to your grandmother?

> The point is that if I run a clean system, why should I have to pay a
> subsidy to those that do not? I'm tired of this mentality that says let's
> penalize the good actors to subsidize the bad actors. I'm tired of it
> with mortgages. I'm tired of it with businesses. I'm tired of watching
> the government, time after time, reward bad behavior and punish
> good behavior and then wonder why they get more bad and less
> good behavior.

Hey, I agree. Look, we run a clean network here.
I have the same gripes. We see all sorts of probe traffic and crap, why should we bother being clean? Why should we have to go to extra work to defend against networks that aren't?

> > We can make their Internet cars safer for them - but we largely haven't.
> > Now we can all look forward to misguided government efforts to mandate
> > some of this stuff.
> > 
> I'm not opposed to making operating systems and applications safer.
> As I said, just as with cars, the manufacturers should be held liable
> by the consumers. However, the consumer that is operating the
> car that plows a group of pedestrians is liable to the pedestrians.
> The manufacturer is usually liable to the operator through subrogation.

Which would mean anything if we had computer users that were deliberately injuring or killing people with their computers. Unfortunately, I'd say that most sick computers are more akin to those awful oil-burning, smog-generating, black-smoke-belching cars. You don't have much of a private right of action against the guy that drives by you and blasts a wave of awful black particulate matter out his exhaust at you. We've handled a lot of that through mandatory emissions inspections (not sure how universal that is). Regulation, in that case, seems to be a generally positive effect.

I don't see any simple solutions, regardless.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
From owen at delong.com Wed Jun 9 08:15:01 2010
From: owen at delong.com (Owen DeLong)
Date: Wed, 9 Jun 2010 06:15:01 -0700
Subject: Nato warns of strike against cyber attackers
In-Reply-To: <20100609130933.GD1482697@hiwaay.net>
References: <201006091202.o59C26tb006864@aurora.sol.net> <20100609130933.GD1482697@hiwaay.net>
Message-ID: <650C70E2-472F-4181-89BF-F25628621EFE@delong.com>

On Jun 9, 2010, at 6:09 AM, Chris Adams wrote:

> Once upon a time, Jorge Amodio said:
>> That's why at least in the US by *regulation* you must have insurance
>> to be able to operate a car, instead of mitigating the safety issues
>> that represents a teenager texting while driving we deal with the
>> consequences.
> 
> The insurance requirement is a state-by-state thing. It was only added
> here a few years ago, and I don't think it is universal.

I believe at least 48, if not 50 states now have compulsory financial responsibility laws. However, even if you didn't have insurance, that never exempted you from liability, it just made you less likely to be able to meet your obligations under that liability.

Owen

From jgreco at ns.sol.net Wed Jun 9 08:21:21 2010
From: jgreco at ns.sol.net (Joe Greco)
Date: Wed, 9 Jun 2010 08:21:21 -0500 (CDT)
Subject: Nato warns of strike against cyber attackers
In-Reply-To: from "Owen DeLong" at Jun 09, 2010 05:40:06 AM
Message-ID: <201006091321.o59DLL3A016614@aurora.sol.net>

> 
> On Jun 9, 2010, at 4:27 AM, Joe Greco wrote:
> 
> >> I'm all for that, but, point is that people who fail to meet that standard are
> >> currently getting a free ride. IMHO, they should pay and they should have
> >> the recourse of being (at least partially) reimbursed by their at-fault software
> >> vendors for contributory negligence.
> > 
> > Great idea. You know, I've got a great solution for global warming.
> > Let's hold all the car owners accountable for all the greenhouse gases
> > their cars belch out, and let them have the recourse of being (at least
> > partially) reimbursed by their at-fault car manufacturers and gasoline
> > distributors for contributory negligence.
> > 
> 1. My car emits very little greenhouse gas, so, I'm cool with that. Sounds
> great to me. (I drive a Prius).

Your car emits lots of greenhouse gases. Just because it's /less/ doesn't change the fact that the Prius has an ICE. We have a Prius and a HiHy too.

> 2. Manufacturers are held liable for contributory negligence when the
> design of their vehicle is unsafe and causes an accident.

That isn't relevant to what I suggested.

> 3. We're not talking about greenhouse gasses here... We're talking
> about car-wrecks on the information superhighway caused by
> a combination of irresponsible operators and poor vehicle design.

That wasn't the analogy I was making. I was stabbing at the whole idea behind your suggestion, by directly translating it to a real-world example.

> > See how insane that sounds?
> > 
> Actually, it sounds reasonably sane to me, but, it's not a good analogy
> as noted above, so, the relative merits are mostly irrelevant.
> 
> Owen
> 
> 

-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
From jgreco at ns.sol.net Wed Jun 9 08:50:51 2010
From: jgreco at ns.sol.net (Joe Greco)
Date: Wed, 9 Jun 2010 08:50:51 -0500 (CDT)
Subject: Nato warns of strike against cyber attackers
In-Reply-To: <1276087511.17332.59.camel@karl> from "Karl Auer" at Jun 09, 2010 10:45:11 PM
Message-ID: <201006091350.o59Doq5H018724@aurora.sol.net>

> On Wed, 2010-06-09 at 07:02 -0500, Joe Greco wrote:
> > There is only so much "proper security" you can expect the average PC user
> > to do.
> 
> Sure - but if their computer, as a result of their ignorance, starts
> belching out spam, ISPs should be able at very least to counteract the
> problem. For example, by disconnecting that user and telling them why
> they have been disconnected. Why should it be the ISP's duty to silently
> absorb the blows? Why should the user have no responsibility here?

Primarily because the product that they've been given to use is defective by design. I'm not even saying "no responsibility"; I'm just arguing that we have to be realistic about our expectations of the level of responsibility users will have. At this point, we're teaching computers to children in elementary school, and kids in second and third grade are being expected to submit homework to teachers via e-mail. How is that supposed to play out for the single mom with a latchkey kid? Let's be realistic here. It's the computer that ought to be safer. We can expect modest improvements on the part of users, sure, but to place it all on them is simply a fantastic display of incredible naivete.

> To carry your analogy a bit too far, if someone is roaming the streets
> in a beat-up jalopy with wobbly wheels, no lights, no brakes, no
> mirrors, and sideswiping parked cars, is it up to the city to somehow
> clear the way for that driver? No - the car is taken off the road and
> the driver told to fix it or get a new one.
> If the problem appears to be
> the driver rather than the vehicle, the driver is told they cannot drive
> until they have obtained a Clue.

Generally speaking, nobody wants to be the cop that makes that call. Theoretically an ISP *might* be able to do that, but most are unwilling, and those of us that do actually play BOFH run the risk of losing customers to a sewerISP that doesn't.

> If the user, as a result of their computer being zombified or whatever,
> has to
> 
> > "take it in to
> > NerdForce and spend some random amount between $50 and twice the cost of
> > a new computer,"
> 
> ...then that's the user's problem. They can solve it with insurance
> (appropriate policies will come into being), or they can solve it by
> becoming more knowledgeable, or they can solve it by hiring know how.
> But it is *their* problem. The fact that it is the user's problem will
> drive the industry to solve that problem, because anywhere there is a
> problem there is a market for a solution.

That shows an incredible lack of understanding of how the market actually works. It's nice in theory. We (as technical people) have caused this problem because we've failed to design computers and networks that are resistant to this sort of thing. Trying to pin it on the users is of course easy, because users (generally speaking) are "stupid" and are "at fault" for not doing "enough" to "secure" their own systems, but that's a ridiculous smugness on our part.

> > then we - as the people who have designed and provided
> > technology - have failed, and we are trying to pass off responsibility
> > for our collective failure onto the end user.
> 
> I think what's being called for is not total abdication of
> responsibility - just some sharing of the responsibility.

I'm fine with that, but as long as we keep handing loaded guns without any reasonably-identifiable safeties to the end users, we can expect to keep getting shot at now and then.
> > This implies that our
> > operating systems need to be more secure, way more secure, our applications
> > need to be less permissive, probably way less permissive, probably even
> > sandboxed by default
> 
> Yep! And the fastest way to get more secure systems is to make consumers
> accountable, so that they demand accountability from their vendors. And
> so it goes, all the way up the chain. Make people accountable. At every
> level.

Again, that shows an incredible lack of understanding of how the market actually works. It's still nice in theory. We would be better off short-circuiting that mechanism; for example, how about we simply mandate that browsers must be isolated from their underlying operating systems? Do you really think that the game of telephone works? Are we really going to be able to hold customers accountable? And if we do, are they really going to put vendor feet to the fire? Or is Microsoft just going to laugh and point at their EULA, and say, "our legal department will bankrupt you, you silly little twerp"? Everyone has carefully made it clear that they're not liable to the users, so the users are left holding the bag, and nobody who's actually responsible is able to be held responsible by the end users.

> > We can make their Internet cars safer for them - but we largely haven't.
> 
> I'm not sure that the word "we" is appropriate here. Who is "we"? How
> can (say) network operators be held responsible for (say) a weakness in
> Adobe Flash? At that level too, the consumer needs comeback - on the
> providers of weak software.

Yes, "we" needs to include all the technical stakeholders, and "we" as network operators ought to be able to tell "we" the website operators to tell "we" the web designers to stop using Flash if it's that big a liability.
This, of course, fails for the same reasons that expecting end users to hold vendors responsible does, but there are a lot less of us technical stakeholders than there are end users, so if we really want to play that sort of game, we should try it here at home first. What's good for the goose, and all that ...

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.

From owen at delong.com Wed Jun 9 08:52:01 2010
From: owen at delong.com (Owen DeLong)
Date: Wed, 9 Jun 2010 06:52:01 -0700
Subject: Nato warns of strike against cyber attackers
In-Reply-To: <201006091317.o59DHQjf016480@aurora.sol.net>
References: <201006091317.o59DHQjf016480@aurora.sol.net>
Message-ID:

On Jun 9, 2010, at 6:17 AM, Joe Greco wrote:

>> On Jun 9, 2010, at 5:02 AM, Joe Greco wrote:
>> 
>>>> So? If said end customer is operating a network-connected system without
>>>> sufficient knowledge to properly maintain it and prevent it from doing mischief
>>>> to the rest of the network, why should the rest of us subsidize her negligence?
>>>> I don't see where making her pay is a bad thing.
>>> 
>>> I see that you don't understand that.
>>> 
>> Seems to me that you are the one not understanding...
>> 
>> I can't refinance my mortgage right now to take advantage of the current interest
>> rates. Why? Because irresponsible people got into loans they couldn't
>> afford and engaged in speculative transactions. Their failure resulted in
>> a huge drop in value to my house which brought me below the magic
>> 80% loan to value ratio, which, because of said same bad actors became
>> a legal restriction instead of a target number around which lenders had
>> some flexibility.
>> So, because I had a house I could afford and a reasonable
>> mortgage, I'm now getting penalized by paying higher taxes to cover
>> mortgage absorptions, reductions, and modifications for these irresponsible
>> people. I'm getting penalized by paying higher interest rates because due
>> to the damage they did to my property value and the laws they forced
>> to be created, I can't refinance.
>> 
>> I'm mad as hell and frankly, I don't want to take it any more.
>> 
>> Do you see that? Do you still think I don't have a legitimate point on this?
>> 
>> I'm tired of subsidizing stupidity and bad actors. It's too expensive. I don't
>> want to do it any more. We already have too many stupid people and bad
>> actors. We really don't need to subsidize or encourage the creation of more.
> 
> A doesn't really seem connected to B.
> 
Proof that you still don't get it. Punishing those that are responsible by making them pay for the behavior of those who fail to take responsibility IS a major problem. A and B are both examples of such a process.

>>>> The internet may be a vast ocean where bad guys keep dumping garbage,
>>>> but, if software vendors stopped building highly exploitable code and ISPs
>>>> started disconnecting abusing systems rapidly, it would have a major effect
>>>> on the constantly changing currents. If abuse departments were fully funded
>>>> by cleanup fees charged to negligent users who failed to secure their systems
>>>> properly, it would both incentivize users to do proper security _AND_ provide
>>>> for more responsive abuse departments as issues are reduced and their
>>>> budget scales linearly with the amount of abuse being conducted.
>>> 
>>> The reality is that things change. Forty-three years ago, you could still
>>> buy a car that didn't have seat belts. Thirty years ago, most people still
>>> didn't wear seat belts. Twenty years ago, air bags began appearing in
>>> large volume in passenger vehicles.
>>> Throughout this period, cars have been
>>> de-stiffened with crumple zones, etc., in order to make them safer for
>>> passengers in the event of a crash. Mandatory child seat laws have been
>>> enacted at various times throughout. A little more than ten years ago, air
>>> bags were mandatory. Ten years ago, LATCH clips for child safety seats
>>> became mandatory. We now have side impact air bags, etc.
>>> 
>> Sure.
>> 
>>> Generally speaking, we do not penalize car owners for owning an older car,
>>> and we've maybe only made them retrofit seat belts (but not air bags,
>>> crumple zones, etc) into them, despite the fact that some of those big old
>>> boats can be quite deadly to other drivers in today's more easily-damaged
>>> cars. We've increased auto safety by mandating better cars, and by
>>> penalizing users who fail to make use of the safety features.
>> 
>> Right, but, owners of older cars are primarily placing themselves at risk, not
>> others.
> 
> I am pretty sure I saw stats that suggested that old cars that crashed into
> new cars did substantially more damage to the new car and its occupants than
> an equivalent crash between two new cars, something to do with the old car
> not absorbing about half the impact into its own (nonexistent) crumple
> zones, though there are obvious deficiencies in the protection afforded to
> the occupants of the old car as well...
> 
Old cars without crumple zones tend to do more damage to new cars with crumple zones. Occupants of new cars tend to receive less damage because the crumple zones absorb some of the energy while occupants of older cars receive more of the energy transferred directly to them due to the higher stiffness of the older car. At least in the studies I have read.

>> In this case, it's a question of others putting me at risk. That, generally,
>> isn't tolerated.
>> 
>>> There is only so much "proper security" you can expect the average PC user
>>> to do.
>>> The average PC user expects to be able to check e-mail, view the
>>> web, edit some documents, and listen to some songs. The average car driver
>>> expects to be able to drive around and do things. You can try to mandate
>>> that the average car driver must change their own oil, just as you can try
>>> to mandate that the average computer must do what you've naively referred
>>> to as "proper security", but the reality is that grandma doesn't want to
>>> get under her car, doesn't have the knowledge or tools, and would rather
>>> spend $30 at SpeedyLube. If we can not make security a similarly easy
>>> target for the end-user, rather than telling them to "take it in to
>>> NerdForce and spend some random amount between $50 and twice the cost of
>>> a new computer," then we - as the people who have designed and provided
>>> technology - have failed, and we are trying to pass off responsibility
>>> for our collective failure onto the end user.
>>> 
>> I disagree. It used to be that anyone could drive a car. Today, you need
>> to take instruction on driving and pass a test showing you are competent
>> to operate a motor vehicle before you are allowed to drive legally.
>> 
>> Things change, as you say. I have no problem with the same requirement
>> being added to attaching a computer to the network.
>> 
>> If you drive a car in a reckless manner so as to endanger others, you are
>> criminally liable for violating the safe driving laws as well as civilly liable
>> for the damages you cause. Why should operating an unsafe computer
>> be any different?
> 
> Generally speaking, because the computer is unsafe by design, and most of
> the problems we're discussing are not "driving the car in a reckless
> manner."
> I do not live in mortal fear that I am going to steer my car into
> the median and it's going to jump over into oncoming traffic and ram into
> an oncoming semi, because that's simply not something I'd do, and it's not
> something the car designers expected would be a regular thing to do. On
> the other hand, I do live in mortal fear of opening a PDF document on a
> Windows machine, something that both Adobe and Microsoft deliberately
> engineered to be as easy and trivial as possible, and which millions of
> people do on a daily and regular basis, but which nonetheless can have
> the undesirable side effect of infecting my computer with the latest
> stealth exploit, at least if I read the news correctly.
> 
I don't agree with your premise. Yes, some operating systems are unsafe by design, but, not all. As I said, you should be accountable for the behavior of your computer. If you can show that the behavior was the result of faulty software, then, you should be able to recover from the manufacturer of that software (assuming you paid a professional for your software). Just as a driver of a car with a stuck accelerator due to manufacturer defect is liable to the pedestrians they plow, and, the manufacturer is liable to the driver, I see no reason not to have a similar liability chain for software.

Strangely, I don't live in mortal fear of opening a PDF document on my Macs or Linux systems. As such, I don't see why we should all be punished for the fact that you chose to buy software from the morons in Redmond. A bad choice made by a majority of people is still a bad choice. (Note: You are the one who singled out Micr0$0ft first.)

> As a Windows user, I *am* *expected* to open web documents and go browsing
> around.
> The Internet has been deliberately designed with millions upon
> millions of domains and web sites; it's ridiculous to suggest that users
> should be aware that visiting a particular web site is likely to be
> harmful, especially given that we can't even keep servers safe, and some
> legitimate high-volume web sites have even been known to serve up bad
> stuff.
> 
I assume all web sites are potentially harmful unless I have good reason to believe otherwise. Why shouldn't everyone be expected to behave in a similar manner? Seems to me that is the only rational approach. Don't you tell your kids not to talk to strangers? Isn't this sort of the same thing?

>>> I'm all fine with noting that certain products are particularly awful.
>>> However, we have to be aware that users are simply not going to be required
>>> to go get a CompSci degree specializing in risk management and virus
>>> cleansing prior to being allowed to buy a computer. This implies that our
>>> operating systems need to be more secure, way more secure, our applications
>>> need to be less permissive, probably way less permissive, probably even
>>> sandboxed by default, our networks need to be more resilient to threats,
>>> ranging from simple things such as BCP38 and automatic detection of certain
>>> obvious violations, to more comprehensive things such as mandatory virus
>>> scanning by e-mail providers, etc., ... there's a lot that could be done,
>>> that most on the technology side of things have been unwilling to commit
>>> to.
>> 
>> I'm not out to target specific products. Yes, I'll celebrate the death of
>> our favorite convicted felon in Redmond, but, that's not the point.
>> 
>> I don't have a CompSci degree specializing in that stuff and I seem to
>> be able to run clean systems. I don't have a CompSci degree at all.
>> It's not that hard to run clean systems, actually.
>> Mostly it takes not being
>> willing to click yes to every download and exercising minimal judgment
>> about which web sites you choose to trust.
> 
> It takes an understanding of how it all works behind the scenes in order
> to understand what all those silly "Yes/No" prompts mean; that whole
> mechanism is part of what I mean when I say "defective by design."
> 
Agreed. Interestingly, I don't have very many of those prompts on my Mac, and, when I do, it seems to me that I have very little need to understand what is going on behind the scenes to make an intelligent choice in response. Generally it says "You are about to open an application that you downloaded from a web site. Are you sure you want to do this? If you aren't sure you can trust the website, you should say no."

> Why is it okay to click "Yes" when a website asks if we want to install
> "Flash" or "Silverlight" but it's not okay to click "Yes" when a website
> asks if we want to install "DodgyCodec"? How do you explain that to your
> grandmother?
> 
Poor choices of examples... I'm not sure it is OK to click yes for Flash. It's pretty obviously a huge vulnerability. However, I usually tell people to make that decision along the lines of how much they think they should trust the website. Micr0$0ft starts at -10. Adobe starts at -5. $randomsite starts at -50. Paypal starts at 0. Apple starts at 2, as an example of some of my trust levels.

>> The point is that if I run a clean system, why should I have to pay a
>> subsidy to those that do not? I'm tired of this mentality that says let's
>> penalize the good actors to subsidize the bad actors. I'm tired of it
>> with mortgages. I'm tired of it with businesses. I'm tired of watching
>> the government, time after time, reward bad behavior and punish
>> good behavior and then wonder why they get more bad and less
>> good behavior.
> 
> Hey, I agree. Look, we run a clean network here. I have the same gripes.
> We see all sorts of probe traffic and crap, why should we bother being
> clean? Why should we have to go to extra work to defend against networks
> that aren't?
> 
I'm not saying "why should I bother being clean?" I think I should bother being clean because it should be the minimal obligation to society if you connect to the network. I'm saying why should we accept and be forced to pay subsidies to those who ignore that responsibility? I'm saying that we should have accountability and the ability to recover our costs from those that aren't. You'd be surprised how fast that would reduce the number of those that aren't.

>>> We can make their Internet cars safer for them - but we largely haven't.
>>> Now we can all look forward to misguided government efforts to mandate
>>> some of this stuff.
>>> 
>> I'm not opposed to making operating systems and applications safer.
>> As I said, just as with cars, the manufacturers should be held liable
>> by the consumers. However, the consumer that is operating the
>> car that plows a group of pedestrians is liable to the pedestrians.
>> The manufacturer is usually liable to the operator through subrogation.
> 
> Which would mean anything if we had computer users that were deliberately
> injuring or killing people with their computers. Unfortunately, I'd say
> that most sick computers are more akin to those awful oil-burning, smog-
> generating, black-smoke-belching cars. You don't have much of a private
> right of action against the guy that drives by you and blasts a wave of
> awful black particulate matter out his exhaust at you. We've handled a
> lot of that through mandatory emissions inspections (not sure how
> universal that is). Regulation, in that case, seems to be a generally
> positive effect.
> 
Nope... Even if the consumer plows the pedestrians because of a defect in the vehicle, the pedestrians generally sue the driver who then goes after the manufacturer through subrogation.
If it wasn't a defect in the car, then, the manufacturer has no liability, but, whether deliberate or negligent, the driver still does. > I don't see any simple solutions, regardless. > A proper chain of liability wouldn't be too difficult and would go a long way to solving the problem. A few users who paid the price of clicking yes in the wrong place would serve as a good lesson for the majority of users. A few users successfully getting their costs reimbursed by Micr0$0ft would lead to major changes in Micr0$0ft's approach to software development. Global "charge everyone a security fee" proposals will only preserve the status quo. Heck, McAfee and Norton are arguably implementations of just that sort of thing. Owen From jgreco at ns.sol.net Wed Jun 9 09:02:53 2010 From: jgreco at ns.sol.net (Joe Greco) Date: Wed, 9 Jun 2010 09:02:53 -0500 (CDT) Subject: Nato warns of strike against cyber attackers In-Reply-To: <6145E543-D77C-4854-A005-176BC24CF846@delong.com> from "Owen DeLong" at Jun 09, 2010 05:43:52 AM Message-ID: <201006091402.o59E2rRJ022196@aurora.sol.net> > > Grandma does not go check her tread depth or check her own brake pads and > > discs for wear. She lets the shop do that. I was hoping I didn't have to > > get pedantic and that people could differentiate between "I pay the shop a > > few bucks to do that for me" and "I take responsibility personally to drive > > my car in an appropriate fashion" (which includes things like "I take my > > car to the shop periodically for maintenance I don't have the skills to do > > myself"), but there we have it. > > Whether grandma measures the tread depth herself or takes it to the shop, > the point is that grandma is expected to have tires with sufficient tread > depth and working brakes when she operates the car. If not, she's liable. > If she drives like the little old lady from Pasadena, she's liable for the > accidents she causes. 
There is no "shop" that the average computer owner should take their computer to, and unlike a car, anything that might seem to require some periodic maintenance is typically automated (OS updates, virus updates, etc). There are places like NerdForce that you can take your computer to, but you're likely to be sold a load of crap, and you can even take the same computer to five different services and get wildly differing results (and wildly differing bills). There's no standardization, and part of *that* is due to the way we've allowed end user operating systems to be designed. > > My point: We haven't designed computers for end users appropriately. It > > is not the fault of the end user that they're driving around the crapmobile > > we've provided for them. If you go to the store to get a new computer, you > > get a choice of crapmobiles all with engines by the same company, unless > > you go to the fruit store, in which case you get a somewhat less obviously > > vulnerable engine by a different company. The users don't know how to take > > apart the engines and repair them, and the engines aren't usefully protected > > sufficiently to ensure that they don't get fouled, so you have a Problem. > > The end user should be able to recover from the responsible manufacturer > for the design flaws in the hardware/software they are driving. Agreed. That > is how it works in cars, that's how it should work in computers. It doesn't; look at that wonderful EULA. Want to fix that? Be my guest, seriously. > What I don't want to see which you are advocating... I don't want to see > the end users who do take responsibility, drive well designed vehicles > with proper seat belts and safety equipment, stay in their lane, and > do not cause accidents held liable for the actions of others. Why should > we penalize those that have done no wrong simply because they happen > to be a minority? 
I agree, on the other hand, what about those people who genuinely didn't
do anything wrong, and their computer still got Pwned?

From this perspective: Our technology sucks.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.

From mjo at dojo.mi.org Wed Jun 9 08:26:05 2010
From: mjo at dojo.mi.org (Mike O'Connor)
Date: Wed, 9 Jun 2010 13:26:05 +0000
Subject: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
In-Reply-To:
References:
Message-ID: <20100609132605.GB3092@dojo.mi.org>

:I think anyone in their right mind would agree that if a provider see
:criminal activity, they should take action, no?

What a provider "should" do and what makes sense under the law of the land are two different things.

:If that also holds true, then why doesn't it happen?

The laws pertaining to what's required of people when witnessing a crime vary by locality within the U.S. I dunno how they work for the rest of the NANOG audience. What is required of people versus what's required of corporate entities varies, too. "Good Samaritan" laws are hardly universal, and don't always play well with the other laws of the land.

Things can get ugly when some murky behavior gets retroactively deemed a crime (perhaps by some tech-challenged judge or jury) and a provider becomes an accessory after the fact. "You mean, the DMCA makes THAT illegal?!?"

Or, perhaps a provider tries to take some small action in the face of a crime, then is deemed to have a "special relationship" making them liable for not being quite helpful enough. "You mean, I have to rebuild my entire network because my customer support rep has reported bad behavior to the authorities?"

Ultimately, acting on crime is a rat's nest.
Some providers have enough trouble dealing with attacks from Pax0rland, extracting sane prices for last-mile service, evaluating/deploying new technology, keeping up with all the off-topic emails on NANOG, etc. Raise the bar so the least-paid front-line rep requires a "customer support within the law" class. Create a legal climate where the only way it makes sense to provide bits involves a big army of attorneys and lobbyists to define the regulatory climate. Let's make total provider consolidation a reality... then we won't need those pesky 32-bit ASNs. :) Back to work... -- Michael J. O'Connor mjo at dojo.mi.org =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--= "Not baked goods, professor... baked BADS!" -The Tick From LarrySheldon at cox.net Wed Jun 9 09:13:30 2010 From: LarrySheldon at cox.net (Larry Sheldon) Date: Wed, 09 Jun 2010 09:13:30 -0500 Subject: Nato warns of strike against cyber attackers In-Reply-To: <4C0F309A.5050803@gmail.com> References: <4C0F1335.6040305@gmail.com> <4C0F309A.5050803@gmail.com> Message-ID: <4C0FA18A.10108@cox.net> On 6/9/2010 01:11, JC Dill wrote: > Owen DeLong wrote: >> >> Heck, at this point, I'd be OK with it being a regulatory issue. > > What entity do you see as having any possibility of effective regulatory > control over the internet? Doesn't matter as long as it enables radial outbound finger pointing. > The reason we have these problems to begin with is because there is no > way for people (or government regulators) in the US to control ISPs in > eastern Europe etc. Or in the US. But what we see here is what is what is wrong with "regulation"--the regulated specify the regulation, primarily to protect the economic interests of the entrenched. -- Somebody should have said: A democracy is two wolves and a lamb voting on what to have for dinner. Freedom under a constitutional republic is a well armed lamb contesting the vote. 
Requiescas in pace o email Ex turpi causa non oritur actio Eppure si rinfresca ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml From owen at delong.com Wed Jun 9 09:08:16 2010 From: owen at delong.com (Owen DeLong) Date: Wed, 9 Jun 2010 07:08:16 -0700 Subject: Nato warns of strike against cyber attackers In-Reply-To: <201006091350.o59Doq5H018724@aurora.sol.net> References: <201006091350.o59Doq5H018724@aurora.sol.net> Message-ID: <19D1E97C-9603-4767-8778-5CFDCC751275@delong.com> On Jun 9, 2010, at 6:50 AM, Joe Greco wrote: >> On Wed, 2010-06-09 at 07:02 -0500, Joe Greco wrote: >>> There is only so much "proper security" you can expect the average PC use= >> r >>> to do. >> >> Sure - but if their computer, as a result of their ignorance, starts >> belching out spam, ISPs should be able at very least to counteract the >> problem. For example, by disconnecting that user and telling them why >> they have been disconnected. Why should it be the ISP's duty to silently >> absorb the blows? Why should the user have no responsibility here? > > Primarily because the product that they've been given to use is defective > by design. I'm not even saying "no responsibility"; I'm just arguing that > we have to be realistic about our expectations of the level of > responsibility users will have. At this point, we're teaching computers > to children in elementary school, and kids in second and third grade are > being expected to submit homework to teachers via e-mail. How is that > supposed to play out for the single mom with a latchkey kid? Let's be > realistic here. It's the computer that ought to be safer. We can expect > modest improvements on the part of users, sure, but to place it all on > them is simply a fantastic display of incredible naivete. > I don't think that is what is being proposed. What is being proposed is that in order for this to work legally in the framework that exists in the current law is to create a chain of liability. 
Let's use the example of a third party check which should be fairly familiar to everyone. A writes a check to B who endorses it to C who deposits it. The check bounces. C cannot sue A. C must sue B. B can then recover from A. So, to make this work realistically, the end user (latchkey mom in your example) has a computer and little Suzie opens MakeMeSpam.exe and next thing you know, that computer is using her full 7Mbps uplink from $CABLECO to deliver all the spam it can deliver at that speed. Some target of said spam calls up $CABLECO and $CABLECO turns off LatchKeyMom's service. The spam targets can (if they choose) go after LatchKeyMom ($CABLECO would be liable if they hadn't disconnected LatchKeyMom promptly), but, they probably won't if LatchKeyMom isn't a persistent problem. LatchKeyMom can go after the makers of MakeMeSpam.exe and also can go after the makers of her OS, etc. if she has a case that their design was negligent and contributed to the problem. Yes, it's complex, but, it is the only mechanism the law provides for the transfer of liability. You can't leap-frog the process and have the SPAM victims going directly after LatchKeyMom's OS Vendor because there's no relationship there to provide a legal link of liability. >> To carry your analogy a bit too far, if someone is roaming the streets >> in a beat-up jalopy with wobbly wheels, no lights, no brakes, no >> mirrors, and sideswiping parked cars, is it up to the city to somehow >> clear the way for that driver? No - the car is taken off the road and >> the driver told to fix it or get a new one. If the problem appears to be >> the driver rather than the vehicle, the driver is told they cannot drive >> until they have obtained a Clue. > > Generally speaking, nobody wants to be the cop that makes that call. > Theoretically an ISP *might* be able to do that, but most are unwilling, > and those of us that do actually play BOFH run the risk of losing > customers to a sewerISP that doesn't. 
> Whether anyone wants to be the cop or not, someone has to be the cop. The point is that SewerISPs need to be held liable (hence my proposal for ISP liability outside of a 24 hour grace period from notification). If SewerISP has to pay the costs of failing to address abuse from their customers, SewerISP will either stop running a cesspool, or, they will go bankrupt and become a self-rectifying problem. >> If the user, as a result of their computer being zombified or whatever, >> has to >> >>> "take it in to >>> NerdForce and spend some random amount between $50 and twice the cost of >>> a new computer," >> >> ...then that's the user's problem. They can solve it with insurance >> (appropriate policies will come into being), or they can solve it by >> becoming more knowledgeable, or they can solve it by hiring know how. >> But it is *their* problem. The fact that it is the user's problem will >> drive the industry to solve that problem, because anywhere there is a >> problem there is a market for a solution. > > That shows an incredible lack of understanding of how the market actually > works. It's nice in theory. > No, it shows how broken current market practice is. What we are saying is that some relatively minor application of existing law to the computer market would correct this brokenness. > We (as technical people) have caused this problem because we've failed to > design computers and networks that are resistant to this sort of thing. > Trying to pin it on the users is of course easy, because users (generally > speaking) are "stupid" and are "at fault" for not doing "enough" to > "secure" their own systems, but that's a ridiculous smugness on our part. > You keep saying "WE" as if the majority of people on this list have anything to do with the design or construction of these systems. We do not. We are mostly network operators. 
However, again, if the end user is held liable, the end user is then in a position to hold the manufacturer/vendors that they received defective systems from liable. It does exactly what you are saying needs to happen, just without exempting irresponsible users from their share of the pain which seems to be a central part of your theory. If I leave my credit card laying around in an airport, I'm liable for part of the pain up until the point where I report my credit card lost. Why should irresponsible computer usage be any different? >>> then we - as the people who have designed and provided=20 >>> technology - have failed, and we are trying to pass off responsibility=20 >>> for our collective failure onto the end user. >> >> I think what's being called for is not total abdication of >> responsibility - just some sharing of the responsibility. > > I'm fine with that, but as long as we keep handing loaded guns without > any reasonably-identifiable safeties to the end users, we can expect to > keep getting shot at now and then. > Going back to my being perfectly willing to have a licensing process for attaching a system to a network. I have no problem with requiring gun-safety courses as a condition of gun ownership. I have no problem with requiring network security/safety courses as a condition of owning a network-attached system. >>> This implies that our >>> operating systems need to be more secure, way more secure, our applicatio= >> ns >>> need to be less permissive, probably way less permissive, probably even >>> sandboxed by default >> >> Yep! And the fastest way to get more secure systems is to make consumers >> accountable, so that they demand accountability from their vendors. And >> so it goes, all the way up the chain. Make people accountable. At every >> level. > > Again, that shows an incredible lack of understanding of how the market > actually works. It's still nice in theory. > No... It shows a need for the market to change. 
> We would be better off short-circuiting that mechanism; for example, how
> about we simply mandate that browsers must be isolated from their
> underlying operating systems? Do you really think that the game of
> telephone works? Are we really going to be able to hold customers
> accountable? And if we do, are they really going to put vendor feet to
> the fire? Or is Microsoft just going to laugh and point at their EULA,
> and say, "our legal department will bankrupt you, you silly little twerp"?
>
Yes, the game of telephone works all the time. It's how the entire legal
system of liability works in the United States. Yes, we need some legal
changes to make it work. For example, we need regulation which prevents
EULA clauses exempting manufacturers from liability for their errors from
having any force of law. What a crock it is that those clauses actually
work. Imagine if your car came with a disclaimer in the sales agreement
that said the manufacturer had no liability if their accelerator stuck and
you plowed a field of pedestrians as a result. Do you think the court would
ever consider upholding such a provision? Never.

> Everyone has carefully made it clear that they're not liable to the users,
> so the users are left holding the bag, and nobody who's actually
> responsible is able to be held responsible by the end users.
>
Yes, those "we're not liable for our negligence" clauses need to be removed
from legal effect. Agreed.
Owen From jgreco at ns.sol.net Wed Jun 9 09:27:09 2010 From: jgreco at ns.sol.net (Joe Greco) Date: Wed, 9 Jun 2010 09:27:09 -0500 (CDT) Subject: Nato warns of strike against cyber attackers In-Reply-To: from "Owen DeLong" at Jun 09, 2010 06:52:01 AM Message-ID: <201006091427.o59ER9tQ024903@aurora.sol.net> > > I am pretty sure I saw stats that suggested that old cars that crashed into > > new cars did substantially more damage to the new car and its occupants than > > an equivalent crash between two new cars, something to do with the old car > > not absorbing about half the impact into its own (nonexistent) crumple > > zones, though there are obvious deficiencies in the protection afforded to > > the occupants of the old car as well... > > Old cars without crumple zones tend to do more damage to new cars > with crumple zones. Occupants of new cars tend to receive less damage > because the crumple zones absorb some of the energy while occupants > of older cars receive more of the energy transferred directly to them due > to the higher stiffness of the older car. > > At least in the studies I have read. I'm talking about the difference between the levels of damage to a new car where you have a crash between an old and new car, and a crash between two new cars. The evidence that an old car is more lethal to its occupants is well known. We were discussing damage inflicted upon others, so that is not relevant. > > Generally speaking, because the computer is unsafe by design, and most of > > the problems we're discussing are not "driving the car in a reckless > > manner." I do not live in mortal fear that I am going to steer my car into > > the median and it's going to jump over into oncoming traffic and ram into > > an oncoming semi, because that's simply not something I'd do, and it's not > > something the car designers expected would be a regular thing to do. 
On > > the other hand, I do live in mortal fear of opening a PDF document on a > > Windows machine, something that both Adobe and Microsoft deliberately > > engineered to be as easy and trivial as possible, and which millions of > > people do on a daily and regular basis, but which nonetheless can have > > the undesirable side effect of infecting my computer with the latest > > stealth exploit, at least if I read the news correctly. > > I don't agree with your premise. Yes, some operating systems are unsafe > by design, but, not all. As I said, you should be accountable for the behavior > of your computer. If you can show that the behavior was the result of faulty > software, then, you should be able to recover from the manufacturer of that > software (assuming you paid a professional for your software). That is a nice theory, but does not play out in practice. If you are suggesting that part of the solution to the overall problem is to legislate such liability, overriding any EULA's in the process, we can certainly discuss that. > Just as a driver of a car with a stuck accelerator due to manufacturer defect > is liable to the pedestrians they plow, and, the manufacturer is liable to the > driver, I see no reason not to have a similar liability chain for software. Doesn't exist at this time, see EULA. > Strangely, I don't live in mortal fear of opening a PDF document on my > Macs or Linux systems. As such, I don't see why we should all be punished > for the fact that you chose to buy software from the morons in Redmond. > A bad choice made by a majority of people is still a bad choice. > (Note: You are the one who singled out Micr0$0ft first.) The latest Adobe vulnerability applies to pretty much all platforms. It is, in this case, a Flash vulnerability, but others have been PDF. You can use an alternative Flash or PDF player, of course, but that's not a guarantee, it's just lowering the risk. 
> > As a Windows user, I *am* *expected* to open web documents and go browsing > > around. The Internet has been deliberately designed with millions upon > > millions of domains and web sites; it's ridiculous to suggest that users > > should be aware that visiting a particular web site is likely to be > > harmful, especially given that we can't even keep servers safe, and some > > legitimate high-volume web sites have even been known to serve up bad > > stuff. > > I assume all web sites are potentially harmful unless I have good reason > to believe otherwise. Why shouldn't everyone be expected to behave > in a similar manner? > > Seems to me that is the only rational approach. Don't you tell your kids > not to talk to strangers? Isn't this sort of the same thing? I haven't been a child for many years. Generally speaking, I expect to be able to talk to another person without significant risk. What you suggest makes sense from a security point of view, but many people are only able to identify a small handful of websites as being ones they "know". If you're suggesting that people should never visit other websites, then that really limits the usefulness of the Internet. Why shouldn't it be, instead, that web browsers are made to be safe and invulnerable? > >> I'm not out to target specific products. Yes, I'll celebrate the death of > >> our favorite convicted felon in Redmond, but, that's not the point. > >> > >> I don't have a CompSci degree specializing in that stuff and I seem to > >> be able to run clean systems. I don't have a CompSci degree at all. > >> It's not that hard to run clean systems, actually. Mostly it takes not being > >> willing to click yes to every download and exercising minimal judgment > >> about which web sites you choose to trust. 
> > > > It takes an understanding of how it all works behind the scenes in order > > to understand what all those silly "Yes/No" prompts mean; that whole > > mechanism is part of what I mean when I say "defective by design." > > Agreed. Interestingly, I don't have very many of those prompts on my > Mac, and, when I do, it seems to me that I have very little need to understand > what is going on behind the scenes to make an intelligent choice in > response. Generally it says "You are about to open an application > that you downloaded from a web site. Are you sure you want to do > this? If you aren't sure you can trust the website, you should say no." Yes, but we're not discussing you and your Mac, we're discussing Grandma and the Windows box her son bought her for Christmas last year. > > Why is it okay to click "Yes" when a website asks if we want to install > > "Flash" or "Silverlight" but it's not okay to click "Yes" when a website > > asks if we want to install "DodgyCodec"? How do you explain that to your > > grandmother? > > Poor choices of examples... I'm not sure it is OK to click yes for Flash. > It's pretty obviously a huge vulnerability. Yet it's so clearly required to view a large percentage of the web (at least to hear the iPhone/iPad users grumble). And "everybody has it." > However, I usually tell people > to make that decision along the lines of how much they think they should > trust the website. Micr0$0ft starts at -10. Adobe starts at -5. $randomsite > starts at -50. Paypal starts at 0. Apple starts at 2. as an example of some > of my trust levels. > > >> The point is that if I run a clean system, why should I have to pay a > >> subsidy to those that do not? I'm tired of this mentality that says let's > >> penalize the good actors to subsidize the bad actors. I'm tired of it > >> with mortgages. I'm tired of it with businesses. 
I'm tired of watching > >> the government, time after time, reward bad behavior and punish > >> good behavior and then wonder why they get more bad and less > >> good behavior. > > > > Hey, I agree. Look, we run a clean network here. I have the same gripes. > > We see all sorts of probe traffic and crap, why should we bother being > > clean? Why should we have to go to extra work to defend against networks > > that aren't? > > I'm not saying "why should I bother being clean?" I think I should bother > being clean because it should be the minimal obligation to society if > you connect to the network. I'm saying why should we accept and be > forced to pay subsidies to those who ignore that responsibility? > I'm saying that we should have accountability and the ability to recover > our costs from those that aren't. You'd be surprised how fast that > would reduce the number of those that aren't. If there was some reasonable and fair manner to do that, maybe. However, as it stands, end users are left holding that bag, and absent some mechanism to allow them to recover costs from their software vendor, it strikes me as just as unfair as when we're left holding the bag. > >>> We can make their Internet cars safer for them - but we largely haven't. > >>> Now we can all look forward to misguided government efforts to mandate > >>> some of this stuff. > >>> > >> I'm not opposed to making operating systems and applications safer. > >> As I said, just as with cars, the manufacturers should be held liable > >> by the consumers. However, the consumer that is operating the > >> car that plows a group of pedestrians is liable to the pedestrians. > >> The manufacturer is usually liable to the operator through subrogation. > > > > Which would mean anything if we had computer users that were deliberately > > injuring or killing people with their computers. 
Unfortunately, I'd say > > that most sick computers are more akin to those awful oil-burning, smog- > > generating, black-smoke-belching cars. You don't have much of a private > > right of action against the guy that drives by you and blasts a wave of > > awful black particulate matter out his exhaust at you. We've handled a > > lot of that through mandatory emissions inspections (not sure how > > universal that is). Regulation, in that case, seems to be a generally > > positive effect. > > Nope... Even if the consumer plows the pedestrians because of a defect > in the vehicle, the pedestrians generally sue the driver who then goes > after the manufacturer through subrogation. > > If it wasn't a defect in the car, then, the manufacturer has no liability, but, > whether deliberate or negligent, the driver still does. Again, though, we just don't have that situation. > > I don't see any simple solutions, regardless. > > > A proper chain of liability wouldn't be too difficult and would go a long > way to solving the problem. > > A few users who paid the price of clicking yes in the wrong place would > serve as a good lesson for the majority of users. Would they? Would they really? > A few users successfully > getting their costs reimbursed by Micr0$0ft would lead to major changes > in Micr0$0ft's approach to software development. Except that won't happen as it stands. > Global "charge everyone a security fee" proposals will only preserve the > status quo. Heck, McAfee and Norton are arguably implementations of > just that sort of thing. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples. 
From LarrySheldon at cox.net Wed Jun 9 09:30:36 2010
From: LarrySheldon at cox.net (Larry Sheldon)
Date: Wed, 09 Jun 2010 09:30:36 -0500
Subject: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
In-Reply-To:
References:
Message-ID: <4C0FA58C.7090905@cox.net>

On 6/9/2010 01:14, Paul Ferguson wrote:
> To cut through the noise and non-relevant discussion, let's see if we can
> boil this down to a couple of issues:

If I may offer a few edits and comments .....

> 1. Should ISPs be responsible for abuse from within their customer base?

> 1. Should ISPs be responsible for everything from within their customer base?

> 1a. If so, how?

[Good question. The answers will be hard, and some of the answers will seem to some to be against their own "self interest." How does a toll-road operator do it? An inn-keeper?]

> 2. Should hosting providers also be held responsible for customers who
> abuse their services in a criminal manner?

[A legal question--is the inn keeper responsible for the harm to you of a meth lab he allows to operate in the room next to yours?]

> 2.a If so, how?

See above.

> I think anyone in their right mind would agree that if a provider see
> criminal activity, they should take action, no?

In some US states the law requires it.

> If that also holds true, then why doesn't it happen?

It's hard. It costs too much (actually false in my opinion--see "trashed hotel rooms"). Somebody else should be doing it. Personal (see also "corporations as persons") responsibility is now an undefined term.

> Providers in the U.S. are the worst offenders of hosting/accommodating
> criminal activities by Eastern European criminals. Period.

All the crap I get, I get from a (nominally[1]) US provider.

[1] China probably holds the mortgage, which is another problem for discussion another day (and somewhere else).

--
Somebody should have said: A democracy is two wolves and a lamb voting on what to have for dinner.
Freedom under a constitutional republic is a well armed lamb contesting the vote.
Requiescas in pace o email
Ex turpi causa non oritur actio
Eppure si rinfresca
ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml

From michiel at klaver.it Wed Jun 9 09:43:49 2010
From: michiel at klaver.it (Michiel Klaver)
Date: Wed, 09 Jun 2010 16:43:49 +0200
Subject: Nato warns of strike against cyber attackers
Message-ID: <4C0FA8A5.6050609@klaver.it>

-------- Original message --------
> Generally speaking, nobody wants to be the cop that makes that call.
> Theoretically an ISP *might* be able to do that, but most are unwilling,
> and those of us that do actually play BOFH run the risk of losing
> customers to a sewerISP that doesn't.

Our experiences from the Dutch ISP market indicate otherwise: customers are more than happy to be informed that they might have been infected by a virus/worm. Most customers are too afraid of losing valuable documents to a file-eating virus, for example, or afraid of losing their connection to the internet entirely, and appreciate getting an opportunity to do some clean-up when placed in a quarantine VLAN. They will even recommend you, and your reputation as ISP-with-clue will increase.

To stay on-topic, this is one of the first steps to prevent hosts in your network attacking NATO and decrease the risk of being disconnected by them.
Commercial products that might assist you:
http://www.quarantainenet.nl/?language=en;page=product-qnet

Michiel Klaver
IT Professional

From LarrySheldon at cox.net Wed Jun 9 09:48:57 2010
From: LarrySheldon at cox.net (Larry Sheldon)
Date: Wed, 09 Jun 2010 09:48:57 -0500
Subject: Nato warns of strike against cyber attackers
In-Reply-To: <12867251-45B8-4152-9238-E43B95E7E013@delong.com>
References: <4C0F1335.6040305@gmail.com> <4C0F309A.5050803@gmail.com> <12867251-45B8-4152-9238-E43B95E7E013@delong.com>
Message-ID: <4C0FA9D9.30709@cox.net>

On 6/9/2010 06:11, Owen DeLong wrote:
>
> On Jun 8, 2010, at 11:11 PM, JC Dill wrote:
>
>> Owen DeLong wrote:
>>>
>>> Heck, at this point, I'd be OK with it being a regulatory issue.
>>
>> What entity do you see as having any possibility of effective regulatory control over the internet?
>>
>> The reason we have these problems to begin with is because there is no way for people (or government regulators) in the US to control ISPs in eastern Europe etc.

What happens if you replace the word "government" with the word "person"?

(And since the cost is the only thing that matters, how much does "government" cost? I suppose that is something somebody else should worry about too.)

> The reason we have these problems is because NO government is taking action. If each government
> took the action I suggested locally against the ISPs in their region, it would be just as effective.
> In fact, the more governments that take the action I suggested, the more effective it would be.

It is my strongly held belief that with my substitution a lot would get done and at a much lower individual cost.

--
Somebody should have said: A democracy is two wolves and a lamb voting on what to have for dinner. Freedom under a constitutional republic is a well armed lamb contesting the vote.
Requiescas in pace o email
Ex turpi causa non oritur actio
Eppure si rinfresca
ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml

From LarrySheldon at cox.net Wed Jun 9 09:51:10 2010
From: LarrySheldon at cox.net (Larry Sheldon)
Date: Wed, 09 Jun 2010 09:51:10 -0500
Subject: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
In-Reply-To: <9ABFA6B4-52EF-4A7E-B7A2-0E695AC83669@delong.com>
References: <9ABFA6B4-52EF-4A7E-B7A2-0E695AC83669@delong.com>
Message-ID: <4C0FAA5E.8090203@cox.net>

On 6/9/2010 06:14, Owen DeLong wrote:
>
> On Jun 8, 2010, at 11:14 PM, Paul Ferguson wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> To cut through the noise and non-relevant discussion, let's see if we can
>> boil this down to a couple of issues:
>>
>> 1. Should ISPs be responsible for abuse from within their customer base?
>>
> Yes, but, there should be an exemption from liability for ISPs that take
> action to resolve the situation within 24 hours of first awareness (by
> either internal detection or external report).

What happened to the acronyms "AUP" and "TOS"?

From kauer at biplane.com.au Wed Jun 9 10:00:12 2010
From: kauer at biplane.com.au (Karl Auer)
Date: Thu, 10 Jun 2010 01:00:12 +1000
Subject: Nato warns of strike against cyber attackers
In-Reply-To: <201006091350.o59Doq5H018724@aurora.sol.net>
References: <201006091350.o59Doq5H018724@aurora.sol.net>
Message-ID: <1276095612.17332.125.camel@karl>

On Wed, 2010-06-09 at 08:50 -0500, Joe Greco wrote:
> Primarily because the product that they've been given to use is defective
> by design.

Indeed. So one approach is to remove the protection such defective designs currently enjoy.

> supposed to play out for the single mom with a latchkey kid? Let's be
> realistic here. It's the computer that ought to be safer.

Fine. Agreed. Now what mechanisms do you suggest for achieving that? Technical suggestions are no good, because no one will implement them unless they have to, or unless implementing them in some way improves the product so it sells better.

> modest improvements on the part of users, sure, but to place it all on
> them is simply a fantastic display of incredible naivete.

Indeed. And certainly not something I'd advocate, at least not without making sure that they, in turn, could pass the responsibility on.

> That shows an incredible lack of understanding of how the market actually
> works. It's nice in theory.

It would be a lot more pleasant discussing things with you if you understood that people may disagree with you without necessarily being naive or stupid.

> We (as technical people) have caused this problem because we've failed to
> design computers and networks that are resistant to this sort of thing.

And why did we do that? What allowed us to get away with it? Answer: Inadequate application of ordinary product liability law to the producers of software. Acceptance of ridiculous EULAs that in any sane legal system would not be worth the cellophane they are printed behind. And so forth. I know the ecosystem that arose around software is more complicated than that, but you get the idea.

> Trying to pin it on the users is of course easy, because users (generally
> speaking) are "stupid" and are "at fault" for not doing "enough" to
> "secure" their own systems, but that's a ridiculous smugness on our part.

You're right. And again, I am not advocating that. People are always going to be stupid (or ignorant, which is not the same thing as stupid). The trick is to give them a way out - whether it's insurance, education or effective legal remedy. That way they can choose how to handle the risk that *they* represent - in computers just as in any other realm of life.

> I'm fine with that, but as long as we keep handing loaded guns without
> any reasonably-identifiable safeties to the end users, we can expect to
> keep getting shot at now and then.

You keep stating the problem, where what others are trying to do is frame a solution. Right now we are just absorbing the impact; that is not sustainable, as long as the people providing the avenues of attack (through ignorance or whatever) have no obligation at all to do better.

> > Yep! And the fastest way to get more secure systems is to make consumers
> > accountable, so that they demand accountability from their vendors. And
> > so it goes, all the way up the chain. Make people accountable. At every
> > level.
>
> Again, that shows an incredible lack of understanding of how the market
> actually works. It's still nice in theory.

There are whole industries built around vehicular safety. There are numerous varieties of insurance that protect people - at every level - from their own failures. Where there is no accountability in a human system, failure is practically guaranteed - whether in the form of tyranny, monopoly, danger to life and limb or whatever. The idea of accountability and the drive to attain it forms the basis of most legal and democratic systems, and of uncountable numbers of smaller systems in democratic societies. Now, what were you saying about "theory"?

> Do you really think that the game of
> telephone works? Are we really going to be able to hold customers
> accountable? And if we do, are they really going to put vendor feet to
> the fire? Or is Microsoft just going to laugh and point at their EULA,
> and say, "our legal department will bankrupt you, you silly little twerp"?

Please, read more carefully. "At every level". If the consumer is made responsible, they must simultaneously get some avenue of recourse. Those ridiculous EULAs should be the first things against the wall :-)

> Everyone has carefully made it clear that they're not liable to the users,
> so the users are left holding the bag, and nobody who's actually
> responsible is able to be held responsible by the end users.

Correct. That is the current situation, and it needs to be altered. On the one hand consumers benefit because they will finally have recourse for defective software, but with that gain comes increased responsibility.

> Yes, "we" needs to include all the technical stakeholders, and "we" as
> network operators ought to be able to tell "we" the website operators to
> tell "we" the web designers to stop using Flash if it's that big a
> liability. This, of course, fails for the same reasons that expecting
> end users to hold vendors responsible does, but there are a lot less of
> us technical stakeholders than there are end users, so if we really want
> to play that sort of game, we should try it here at home first.

Try what?

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au) +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/ +61-428-957160 (mob)

GPG fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
Old fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF

From LarrySheldon at cox.net Wed Jun 9 10:02:11 2010
From: LarrySheldon at cox.net (Larry Sheldon)
Date: Wed, 09 Jun 2010 10:02:11 -0500
Subject: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
In-Reply-To:
References:
Message-ID: <4C0FACF3.4090701@cox.net>

On 6/9/2010 07:39, Jorge Amodio wrote:
>> 1. Should ISPs be responsible for abuse from within their customer base?
>
> Not sure, ISPs role is just to move packets from A to B, you need to
> clearly define what constitutes abuse and how much of it is considered
> a crime.
>
> If I call your home every five minutes to harass you over the phone is
> AT&T responsible ?
>
>> 1a. If so, how?
>
> Pull the plug without looking at how much you are billing.

I'd say pull the plug while watching the balance sheet.

I have no idea how many providers of netnews service there are left--not many because they waited for somebody else to solve the problems. I subscribe to one that rigorously polices spam and troll traffic (from their own customers _and_from_the_world). And for less than some of the other services. (They are associated with a German University, I think, so there may be a subsidy issue. I would pay several times as much as I do for the service--maybe an order of magnitude more.)

> What incentive they have to do so ? and how liable they become if do
> something without a court order or such ?

Is "survival" an incentive?

>> Providers in the U.S. are the worst offenders of hosting/accommodating
>> criminal activities by Eastern European criminals. Period.
>
> Probably true, here money talks.

But it doesn't listen. It waits for the bailout.

From LarrySheldon at cox.net Wed Jun 9 10:05:27 2010
From: LarrySheldon at cox.net (Larry Sheldon)
Date: Wed, 09 Jun 2010 10:05:27 -0500
Subject: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
In-Reply-To:
References:
Message-ID: <4C0FADB7.40904@cox.net>

On 6/9/2010 07:39, Jorge Amodio wrote:
>> 1. Should ISPs be responsible for abuse from within their customer base?
>
> Not sure, ISPs role is just to move packets from A to B, you need to
> clearly define what constitutes abuse and how much of it is considered
> a crime.
>
> If I call your home every five minutes to harass you over the phone is
> AT&T responsible ?

How does the question change with a "regulator" telling them they are?

And does it matter if I refuse all calls from ATT because they don't?

From LarrySheldon at cox.net Wed Jun 9 10:07:56 2010
From: LarrySheldon at cox.net (Larry Sheldon)
Date: Wed, 09 Jun 2010 10:07:56 -0500
Subject: Nato warns of strike against cyber attackers
In-Reply-To: <20100609130521.GB1482697@hiwaay.net>
References: <4C0F11A0.8000303@gmail.com> <20100609130521.GB1482697@hiwaay.net>
Message-ID: <4C0FAE4C.4000601@cox.net>

On 6/9/2010 08:05, Chris Adams wrote:
> Once upon a time, JC Dill said:
>> I'm still truly amazed that no one has sic'd a lawyer on Microsoft for
>> creating an "attractive nuisance" - an operating system that is too
>> easily hacked and used to attack innocent victims, and where others have
>> to pay to clean up after Microsoft's mess.
>
> Many of the problems are PEBKAC, as evidenced by the massive responses
> to phishing scams. I can't tell you the number of our users that have
> sent their password to Nigeria to be used to log in to our webmail and
> spam.

In other words, if somebody is going to handle the problem, the people that know how ("ISP's" for want of a term) are going to have to do it.
From jfiske at clarkson.edu Wed Jun 9 10:15:53 2010
From: jfiske at clarkson.edu (Joshua A. Fiske - jfiske)
Date: Wed, 9 Jun 2010 11:15:53 -0400
Subject: clueful verizon.net email contact?
Message-ID: <6708B7A5C8087B4AA393C1CDD1D562007B0DFE@mbox1.ad.clarkson.edu>

It appears that verizon.net has one email server[1] (out of a sizeable pool) that is not able to perform a proper MX lookup for our domain. Does anyone have contact information for a clue-ful individual that would have responsibility for email server maintenance at verizon.net?

Josh

[1] Reporting-MTA: dns;vms173001.mailsrvcs.net (tcp-daemon)

- - - -
Joshua Fiske '03, '04
Manager of User Services
Clarkson University, Office of Information Technology
(315) 268-6722 -- Fax: (315) 268-6570

From LarrySheldon at cox.net Wed Jun 9 10:16:12 2010
From: LarrySheldon at cox.net (Larry Sheldon)
Date: Wed, 09 Jun 2010 10:16:12 -0500
Subject: Nato warns of strike against cyber attackers
In-Reply-To: <20100609130810.GC1482697@hiwaay.net>
References: <201006091202.o59C26tb006864@aurora.sol.net> <20100609130810.GC1482697@hiwaay.net>
Message-ID: <4C0FB03C.2060401@cox.net>

On 6/9/2010 08:08, Chris Adams wrote:
> Once upon a time, Alexander Harrowell said:
>> No, but we can and do require cars to have functional brakes and minimum tread depths, and to be tested periodically.
>
> Not in this state.

You might not have the state inspection rip-off, but I'll bet that if your state accepts federal highway money, you have mechanical condition standards that include tires, brakes, seat belts and a lot of other things.

From LarrySheldon at cox.net Wed Jun 9 10:19:24 2010
From: LarrySheldon at cox.net (Larry Sheldon)
Date: Wed, 09 Jun 2010 10:19:24 -0500
Subject: Nato warns of strike against cyber attackers
In-Reply-To: <20100609130933.GD1482697@hiwaay.net>
References: <201006091202.o59C26tb006864@aurora.sol.net> <20100609130933.GD1482697@hiwaay.net>
Message-ID: <4C0FB0FC.6020704@cox.net>

On 6/9/2010 08:09, Chris Adams wrote:
> Once upon a time, Jorge Amodio said:
>> That's why at least in the US by *regulation* you must have insurance
>> to be able to operate a car, instead of mitigating the safety issues
>> that represents a teenager texting while driving we deal with the
>> consequences.
>
> The insurance requirement is a state-by-state thing. It was only added
> here a few years ago, and I don't think it is universal.

Similar answer as the one for the brakes and tires thing. Implementation may vary from state to state, just like the mechanical standards thing.

When last I lived in California, there was no "insurance" requirement but there was a "proof of financial responsibility" requirement that was most easily met (for most people) by carrying insurance to certain standards for Public Liability and Property Damage.
From LarrySheldon at cox.net Wed Jun 9 10:22:53 2010
From: LarrySheldon at cox.net (Larry Sheldon)
Date: Wed, 09 Jun 2010 10:22:53 -0500
Subject: Nato warns of strike against cyber attackers
In-Reply-To: <201006091321.o59DLL3A016614@aurora.sol.net>
References: <201006091321.o59DLL3A016614@aurora.sol.net>
Message-ID: <4C0FB1CD.2010606@cox.net>

On 6/9/2010 08:21, Joe Greco wrote:
> Your car emits lots of greenhouse gases. Just because it's /less/ doesn't
> change the fact that the Prius has an ICE.

We have a Prius and a HiHy too.

Did Godwin say anything about random discussions degenerating to mythologies like "gorebull warming"?

From bruns at 2mbit.com Wed Jun 9 10:26:13 2010
From: bruns at 2mbit.com (Brielle Bruns)
Date: Wed, 09 Jun 2010 09:26:13 -0600
Subject: Nato warns of strike against cyber attackers
In-Reply-To:
References: <44AC6E21-FC5A-45CB-B41F-A0348C2F8467@delong.com> <201006091202.o59C26tb006864@aurora.sol.net>
Message-ID: <4C0FB295.7030005@2mbit.com>

On 6/9/10 6:27 AM, Jorge Amodio wrote:
> Going back then to a previous question, do we want more/any regulation ?

Laws and regulation exist because people can't behave civilly and be expected to respect the rights/boundaries/property of others.

CAN-SPAM exists because the e-mail marketing business refused to self regulate and respect the wishes of consumers/administrators.

FDCPA exists because the debt collectors couldn't resist the temptation to harass and intimidate consumers, and behave ethically.

It's just a matter of time, and really unavoidable. The thing is, these industries have no one to blame but themselves. In all cases, these laws/regulation only came into effect AFTER situations got out of control.

Lately, the courts have been ruling that companies like LimeWire are responsible for their products being used for piracy/downloading because they knew what was going on, but were turning a blind eye. Why not apply the same standards to ISPs? If it can be shown that you had knowledge of specific abuse coming from your network, but for whatever reason, opted to ignore it and turn a blind eye, then you are responsible.

When I see abuse from my network or am made aware of it, I isolate and drop on my edge the IPs in question, then investigate and respond. Most times, it takes me maybe 10-15 minutes to track down the user responsible, shut off their server or host, then terminate their stupid self.

A little bit of effort goes a long way. But, if you refuse to put in the effort (I'm looking at you, GoDaddy Abuse Desk), then of course the problems won't go away.

--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org / http://www.ahbl.org

From adrian at creative.net.au Wed Jun 9 10:30:59 2010
From: adrian at creative.net.au (Adrian Chadd)
Date: Wed, 9 Jun 2010 23:30:59 +0800
Subject: Nato warns of strike against cyber attackers
In-Reply-To: <4C0FB03C.2060401@cox.net>
References: <201006091202.o59C26tb006864@aurora.sol.net> <20100609130810.GC1482697@hiwaay.net> <4C0FB03C.2060401@cox.net>
Message-ID: <20100609153059.GD11044@skywalker.creative.net.au>

On Wed, Jun 09, 2010, Larry Sheldon wrote:
> You might not have the state inspection rip-off, but I'll bet that if
> your state accepts federal highway money, you have mechanical condition
> standards that include tires, brakes, seat belts and a lot of other things.

.. and a change in the minimum drinking age?

Adrian

(Before you go "That's not relevant to the discussion", think again. Hard.)
From joe.abley at icann.org Wed Jun 9 10:45:20 2010
From: joe.abley at icann.org (Joe Abley)
Date: Wed, 9 Jun 2010 08:45:20 -0700
Subject: Root Zone DNSSEC Deployment Technical Status Update
Message-ID: <6BF790C5-7111-4E3E-B549-2920AF307DC7@icann.org>

Root Zone DNSSEC Deployment Technical Status Update
2010-06-09

This is the eighth of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS.

RESOURCES

Details of the project, including documentation published to date, can be found at .

We'd like to hear from you. If you have feedback for us, please send it to rootsign at icann.org.

PUBLIC NOTICE

The US Department of Commerce National Telecommunications and Information Administration (NTIA) has issued a Public Notice regarding the deployment of DNSSEC in the root zone.

http://www.ntia.doc.gov/frnotices/2010/FR_DNSSEC_Notice_06092010.pdf

The Public Notice makes reference to the final report submitted to NTIA by ICANN and VeriSign which contains a summary of the project work to date together with a recommendation that full deployment should proceed.

http://www.ntia.doc.gov/reports/2010/DNSSEC_05282010.pdf

The Public Notice includes a public review period. Comments may be submitted by postal mail, fax or e-mail before 2010-06-21. Instructions for the submission of comments are included in the Public Notice.

PLANNED DEPLOYMENT SCHEDULE

Already completed:

2010-01-27: L starts to serve DURZ
2010-02-10: A starts to serve DURZ
2010-03-03: M, I start to serve DURZ
2010-03-24: D, K, E start to serve DURZ
2010-04-14: B, H, C, G, F start to serve DURZ
2010-05-05: J starts to serve DURZ

To come:

2010-06-16: First Key Signing Key (KSK) Ceremony
2010-07-15: Distribution of validatable, production, signed root zone; publication of root zone trust anchor

(Please note that this schedule is tentative and subject to change based on testing results or other unforeseen factors.)
From bruns at 2mbit.com Wed Jun 9 10:45:33 2010
From: bruns at 2mbit.com (Brielle Bruns)
Date: Wed, 09 Jun 2010 09:45:33 -0600
Subject: Nato warns of strike against cyber attackers
In-Reply-To: <4C0FA8A5.6050609@klaver.it>
References: <4C0FA8A5.6050609@klaver.it>
Message-ID: <4C0FB71D.7060300@2mbit.com>

On 6/9/10 8:43 AM, Michiel Klaver wrote:
> Our experiences from the Dutch ISP market indicate otherwise, customers
> are more than happy to be informed they might have been infected by a
> virus/worm. Most customers are too afraid of losing valuable documents
> due to a file-eating virus for example, or afraid of losing connection
> to the internet entirely and appreciate it to get an opportunity to do
> some clean-up when placed in quarantine vlan. They even will recommend
> you, and your reputation as ISP-with-clue will increase.

Unfortunately, here in the US, as someone who decrapifies computers for several home and business users, I find that no matter how much I alert users to infections, they just don't care.

They say... "But I can still use my computer! You're just trying to get more money out of me."

You warn them that opening attachments is dangerous.

They say... "But I got this great power point presentation that shows me how to make cookies on the hood of my car, which I would have never seen had I listened to you!"

You warn them that the screen saver they just downloaded and ran sent their passwords and credit cards to a cracker.

They say... "Oh, but my credit card company won't hold me liable, so it's not a big deal."

They install MyCleanPC or similar, which proceeds to install more crapware which eventually starts randomly deleting important files on their computer.

They say... "But I saw it on TV, and people were saying it's a great product that makes my 386 perform like a Core i7! You're a computer expert, I'm sure you've backed up my files on your computer without me needing to tell you."
Yeah, things may be different overseas, but here in the US, ignorance is bliss and endorsed by the GOP and Tea Party. Here, people take pride in being the dumbest moron on the block.

In all cases of the above, I was told almost that exact statement by a customer. They will do _anything_ to try and avoid responsibility for their behavior.

--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org / http://www.ahbl.org

From owen at delong.com Wed Jun 9 11:01:18 2010
From: owen at delong.com (Owen DeLong)
Date: Wed, 9 Jun 2010 09:01:18 -0700
Subject: Nato warns of strike against cyber attackers
In-Reply-To: <201006091402.o59E2rRJ022196@aurora.sol.net>
References: <201006091402.o59E2rRJ022196@aurora.sol.net>
Message-ID:

>
>> What I don't want to see which you are advocating... I don't want to see
>> the end users who do take responsibility, drive well designed vehicles
>> with proper seat belts and safety equipment, stay in their lane, and
>> do not cause accidents held liable for the actions of others. Why should
>> we penalize those that have done no wrong simply because they happen
>> to be a minority?
>
> I agree, on the other hand, what about those people who genuinely didn't
> do anything wrong, and their computer still got Pwned?
>
Fiction. At the very least, if you connected a system to the network and it got Pwned, you were negligent in your behavior, if not malicious. Negligence is still wrong, even if not malice.

Owen

From jgreco at ns.sol.net Wed Jun 9 11:20:22 2010
From: jgreco at ns.sol.net (Joe Greco)
Date: Wed, 9 Jun 2010 11:20:22 -0500 (CDT)
Subject: Nato warns of strike against cyber attackers
In-Reply-To: <19D1E97C-9603-4767-8778-5CFDCC751275@delong.com> from "Owen DeLong" at Jun 09, 2010 07:08:16 AM
Message-ID: <201006091620.o59GKMlA036142@aurora.sol.net>

> Yes, it's complex, but, it is the only mechanism the law provides
> for the transfer of liability. You can't leap-frog the process and
> have the SPAM victims going directly after LatchKeyMom's
> OS Vendor because there's no relationship there to provide
> a legal link of liability.

This leads to an incredibly Rube-Goldberg-like setup to solve the problem; if that's the case, even if the issue of EULAs leaving end users holding the bag were resolved, this would not be much of an incentive to vendors to fix the problem.

> >> To carry your analogy a bit too far, if someone is roaming the streets
> >> in a beat-up jalopy with wobbly wheels, no lights, no brakes, no
> >> mirrors, and sideswiping parked cars, is it up to the city to somehow
> >> clear the way for that driver? No - the car is taken off the road and
> >> the driver told to fix it or get a new one. If the problem appears to be
> >> the driver rather than the vehicle, the driver is told they cannot drive
> >> until they have obtained a Clue.
> >
> > Generally speaking, nobody wants to be the cop that makes that call.
> > Theoretically an ISP *might* be able to do that, but most are unwilling,
> > and those of us that do actually play BOFH run the risk of losing
> > customers to a sewerISP that doesn't.
> >
> Whether anyone wants to be the cop or not, someone has to be the cop.
>
> The point is that SewerISPs need to be held liable (hence my proposal
> for ISP liability outside of a 24 hour grace period from notification).
>
> If SewerISP has to pay the costs of failing to address abuse from their
> customers, SewerISP will either stop running a cesspool, or, they will
> go bankrupt and become a self-rectifying problem.

In the meantime, CleanISP is bleeding customers to SewerISP, rewarding SewerISP. And tomorrow there's another SewerISP.

> >> If the user, as a result of their computer being zombified or whatever,
> >> has to
> >>
> >>> "take it in to
> >>> NerdForce and spend some random amount between $50 and twice the cost of
> >>> a new computer,"
> >>
> >> ...then that's the user's problem. They can solve it with insurance
> >> (appropriate policies will come into being), or they can solve it by
> >> becoming more knowledgeable, or they can solve it by hiring know how.
> >> But it is *their* problem. The fact that it is the user's problem will
> >> drive the industry to solve that problem, because anywhere there is a
> >> problem there is a market for a solution.
> >
> > That shows an incredible lack of understanding of how the market actually
> > works. It's nice in theory.
>
> No, it shows how broken current market practice is. What we are saying is
> that some relatively minor application of existing law to the computer market
> would correct this brokenness.

That's like saying going to the moon is a relatively minor application of rocket science.

> > We (as technical people) have caused this problem because we've failed to
> > design computers and networks that are resistant to this sort of thing.
> > Trying to pin it on the users is of course easy, because users (generally
> > speaking) are "stupid" and are "at fault" for not doing "enough" to
> > "secure" their own systems, but that's a ridiculous smugness on our part.
>
> You keep saying "WE" as if the majority of people on this list have anything
> to do with the design or construction of these systems. We do not. We are
> mostly network operators.

I keep saying "we" as opposed to "them" because "we" are part of the problem, and "they" are simply end users. "We" can (and, from past experience with the membership of this list, does) include members of the networking community, hardware community, software community, developers, and other related interests. "We" have done a poor job of designing technology that "they" can understand, comprehend, and just use, which is, when it comes right down to it, all they want to be able to do.

> However, again, if the end user is held liable, the end user is then in a
> position to hold the manufacturer/vendors that they received defective
> systems from liable.

The hell they are. Why don't you READ that nice EULA you accepted when you bought that Mac.

> It does exactly what you are saying needs to happen,
> just without exempting irresponsible users from their share of the pain
> which seems to be a central part of your theory.
>
> If I leave my credit card laying around in an airport, I'm liable for part of
> the pain up until the point where I report my credit card lost. Why should
> irresponsible computer usage be any different?

Because the average person would consider that to be dangerous, and the average person would not consider opening an e-mail in their e-mail client to be dangerous, except that it is.

> >>> then we - as the people who have designed and provided
> >>> technology - have failed, and we are trying to pass off responsibility
> >>> for our collective failure onto the end user.
> >>
> >> I think what's being called for is not total abdication of
> >> responsibility - just some sharing of the responsibility.
> >
> > I'm fine with that, but as long as we keep handing loaded guns without
> > any reasonably-identifiable safeties to the end users, we can expect to
> > keep getting shot at now and then.
>
> Going back to my being perfectly willing to have a licensing process for
> attaching a system to a network.
>
> I have no problem with requiring gun-safety courses as a condition of
> gun ownership. I have no problem with requiring network security/safety
> courses as a condition of owning a network-attached system.

That seems a little extreme. How about just making a device that's safe for people to use, and does what they need? Look at the fantastic inroads that devices like the iPhone and iPad have made. Closed ecosystem, low risk, but enough functionality that many users accept (and even love) them. Not saying they're entirely safe, but the point to ponder is that it *is* possible to offer devices that seem to have a lower risk factor.

> >>> This implies that our
> >>> operating systems need to be more secure, way more secure, our applications
> >>> need to be less permissive, probably way less permissive, probably even
> >>> sandboxed by default
> >>
> >> Yep! And the fastest way to get more secure systems is to make consumers
> >> accountable, so that they demand accountability from their vendors. And
> >> so it goes, all the way up the chain. Make people accountable. At every
> >> level.
> >
> > Again, that shows an incredible lack of understanding of how the market
> > actually works. It's still nice in theory.
>
> No... It shows a need for the market to change.

And that, too, shows an incredible lack of understanding of how the market actually works. All the wishful thinking in the world does not result in the market changing.

> > We would be better off short-circuiting that mechanism; for example, how
> > about we simply mandate that browsers must be isolated from their
> > underlying operating systems? Do you really think that the game of
> > telephone works? Are we really going to be able to hold customers
> > accountable? And if we do, are they really going to put vendor feet to
> > the fire? Or is Microsoft just going to laugh and point at their EULA,
> > and say, "our legal department will bankrupt you, you silly little twerp"?
>
> Yes, the game of telephone works all the time. It's how the entire legal
> system of liability works in the United States. Yes, we need some legal
> changes to make it work. For example, we need regulation which
> prevents EULA clauses exempting manufacturers from liability for their
> errors from having any force of law. What a crock it is that those clauses
> actually work.

You're not going to get it. If you try, every software manufacturer in the US is going to be up in arms, saying that it'll put them out of business (in some cases, probably rightly so). Even limiting liability to the cost of the product isn't going to work, the end user still gets hung with the cost.

And no, the game of telephone doesn't work. Most consumers simply do not have the time to pursue issues or the expertise to know they've been screwed, which is why we see so many class action suits - the very proof that the game of telephone you suggest doesn't work.

> Imagine if your car came with a disclaimer in the sales agreement that
> said the manufacturer had no liability if their accelerator stuck and you
> plowed a field of pedestrians as a result. Do you think the court would
> ever consider upholding such a provision? Never.

But again, computers don't "plow" a "field of pedestrians" when they get infected, so you're really failing to offer a meaningful comparison here. The only way you'll get a computer to do that is to toss one out a tenth story window above a crowded sidewalk, and even there, I doubt a judge will hold Dell or Microsoft liable.

> > Everyone has carefully made it clear that they're not liable to the users,
> > so the users are left holding the bag, and nobody who's actually
> > responsible is able to be held responsible by the end users.
>
> Yes, those "we're not liable for our negligence" clauses need to be
> removed from legal effect. Agreed.

I certainly agree that this is a problem, but I'm also fairly certain I won't see it resolved in that way in my lifetime.

This doesn't seem to be a useful discussion at this point. I think we agree that there's a problem, but I don't really see fixing the liability laws as likely to happen, and attempting to hold people responsible for the actions of their computers has been difficult even for the MPAA/RIAA. What you're suggesting is even more Rube Goldberg, and as a way to address the issue of software quality, would appear to be a spectacular EPIC FAIL based on the influence of the software industry and the resulting effects of what you suggest. They'll simply state that it would be a total disaster (for them), and they'll successfully lobby any such reform into the ground.

More likely, in my opinion, is an evolution away from the "personal computer" model we've had until now, towards a more abstract form of computing that emphasizes network-based ("cloud") computing, where your device simply holds a few apps and some minor configuration, but the heavy lifting is all done elsewhere. This, too, has many issues associated with it, but from a security standpoint, there becomes a manageable number of parties to hold accountable when something goes awry, and much less of a chance for users to do something unanticipated with their devices. Apple seems to be making inroads in that area.

As far as network operations goes, it seems that the best thing to do is to try to assist infected customers, but that's a hard cost to swallow. I don't really see what other realistic conclusion can be drawn, however.

... JG

--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
From LarrySheldon at cox.net Wed Jun 9 11:36:31 2010
From: LarrySheldon at cox.net (Larry Sheldon)
Date: Wed, 09 Jun 2010 11:36:31 -0500
Subject: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
In-Reply-To: <1913AEBB-BEF7-42A9-87BB-D3CFC332C958@delong.com>
References: <9ABFA6B4-52EF-4A7E-B7A2-0E695AC83669@delong.com> <4C0FAA5E.8090203@cox.net> <1913AEBB-BEF7-42A9-87BB-D3CFC332C958@delong.com>
Message-ID: <4C0FC30F.50100@cox.net>

On 6/9/2010 10:58, Owen DeLong wrote:
>> What happened to the acronyms "AUP" and "TOS"?
>>
> I'm not sure what you mean by that. I'm talking about an ISPs liability to third party victims, not to their customers.

"Acceptable Use Policy" and "Terms of Service"

> AUP/TOS are between the ISP and their customer.

Very good. Does that provide an answer to the earlier question about "what is a provider to do?" when a customer misbehaves? Does that provide a method for assigning liability?

I am not a lawyer, but it doesn't seem a stretch to me to include, in this context, traffic from peers and transit providers.

--
Somebody should have said:
A democracy is two wolves and a lamb voting on what to have for dinner.
Freedom under a constitutional republic is a well armed lamb contesting the vote.
Requiescas in pace o email
Ex turpi causa non oritur actio
Eppure si rinfresca
ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml

From sil at infiltrated.net Wed Jun 9 11:50:49 2010
From: sil at infiltrated.net (J. Oquendo)
Date: Wed, 09 Jun 2010 12:50:49 -0400
Subject: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
In-Reply-To: <4C0FC30F.50100@cox.net>
References: <9ABFA6B4-52EF-4A7E-B7A2-0E695AC83669@delong.com> <4C0FAA5E.8090203@cox.net> <1913AEBB-BEF7-42A9-87BB-D3CFC332C958@delong.com> <4C0FC30F.50100@cox.net>
Message-ID: <4C0FC669.908@infiltrated.net>

Larry Sheldon wrote:
> On 6/9/2010 10:58, Owen DeLong wrote:
>>> What happened to the acronyms "AUP" and "TOS"?
>>>
>> I'm not sure what you mean by that. I'm talking about an ISPs liability to third party victims, not to their customers.
>
> "Acceptable Use Policy" and "Terms of Service"
>
>> AUP/TOS are between the ISP and their customer.
>
> Very good. Does that provide an answer to the earlier question about "what is a provider to do?" when a customer misbehaves? Does that provide a method for assigning liability?
>
> I am not a lawyer, but it doesn't seem a stretch to me to include, in this context, traffic from peers and transit providers.

"Acceptable Use Policy" and "Terms of Service"

Imagine for a moment you're speeding... You get pulled over, get off with a warning. Phew! You speed again, get pulled over again, you get a warning. How long will it be before you just outright ignore the law and speed simply because you know all you will get is a warning. AUP's and TOS' mean little if they're not enforced and I theorize that they're not enforced perhaps because a company's staff is likely to be overwhelmed or underclued as to how to proceed past a generic: "Thou shall not spew dirty traffic in my network or else..." Or else what? You're going to flood their inbox with "Thou shall not" messages?

In the case of Mr. Amodio and I believe Owen griping about insecure software, I offer you this analogy... You buy a car and as you're driving along a message comes into the dashboard: "Car Update needed, to fix A/C" you ignore it. Don't update it who cares, you're driving smoothly. Another alert comes into the car dashboard: "Critical alert, your brakes need this patch"... You ignore it and drive along. 5-10 years later the car manufacturer EOL's the car and support for it. You crash... Who is to blame, the car manufacturer or you for not applying the updates. Granted the manufacturer could have given you a better product, the fact remains, it is what it is.

Don't blame the software vendors, blame oneself. I've seen even the most savvy users using OS' *other* than Windows get compromised. I performed an incident response about 8 months ago... 42 machines 41 Linux, 1 Windows... Guess what, all the Linux boxes running Apache were compromised. They were running vulnerable software on them (Wordpress, etc). So to compare Apples and Oranges (Windows versus another) is pointless.

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E

From LarrySheldon at cox.net Wed Jun 9 12:02:59 2010
From: LarrySheldon at cox.net (Larry Sheldon)
Date: Wed, 09 Jun 2010 12:02:59 -0500
Subject: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
In-Reply-To: <4C0FC669.908@infiltrated.net>
References: <9ABFA6B4-52EF-4A7E-B7A2-0E695AC83669@delong.com> <4C0FAA5E.8090203@cox.net> <1913AEBB-BEF7-42A9-87BB-D3CFC332C958@delong.com> <4C0FC30F.50100@cox.net> <4C0FC669.908@infiltrated.net>
Message-ID: <4C0FC943.1070803@cox.net>

On 6/9/2010 11:50, J. Oquendo wrote:

[Lots of good stuff snipped.]

> Don't blame the software vendors, blame oneself. I've seen even the most savvy users using OS' *other* than Windows get compromised. I performed an incident response about 8 months ago... 42 machines 41 Linux, 1 Windows... Guess what, all the Linux boxes running Apache were compromised. They were running vulnerable software on them (Wordpress, etc). So to compare Apples and Oranges (Windows versus another) is pointless.

Exactly so (applies also to the snipped material).

Responsibility. Individual, personal and corporate responsibility.

Using only the fingers of a clenched fist to indicate the location of the best agent for correcting a problem.

--
Larry Sheldon

From jgreco at ns.sol.net Wed Jun 9 12:08:09 2010
From: jgreco at ns.sol.net (Joe Greco)
Date: Wed, 9 Jun 2010 12:08:09 -0500 (CDT)
Subject: Nato warns of strike against cyber attackers
In-Reply-To: <1276095612.17332.125.camel@karl> from "Karl Auer" at Jun 10, 2010 01:00:12 AM
Message-ID: <201006091708.o59H895D040808@aurora.sol.net>

> On Wed, 2010-06-09 at 08:50 -0500, Joe Greco wrote:
> > Primarily because the product that they've been given to use is defective by design.
>
> Indeed. So one approach is to remove the protection such defective designs currently enjoy.

That's not going to happen (but I'll be happy to be proven wrong). As it stands, were software manufacturers to be held liable for the damages caused by their products, think of what would happen. How much does it cost for NerdForce to disinfect a computer? How many man-hours did that MS-SQL Slammer worm cost us? How much is lost when a website is down? What legislator is going to vote for software liability reforms that will ruin major software companies?
When their own staff and experts will be willing to state that outcome, in no uncertain terms?

What are the outcomes here? We pass such legislation, it doesn't magically fix things. It just means that companies like Adobe and Microsoft are suddenly on the hook for huge liabilities if they continue to sell their current products. Do we expect them to *stop* selling Windows, etc.?

> > supposed to play out for the single mom with a latchkey kid? Let's be realistic here. It's the computer that ought to be safer.
>
> Fine. Agreed. Now what mechanisms do you suggest for achieving that? Technical suggestions are no good, because no one will implement them unless they have to, or unless implementing them in some way improves the product so it sells better.

That's the problem, isn't it. If we were serious about it, we could approach the problem differently: rather than trying to tackle it from a marketplace point of view, perhaps we could instead tackle it from a regulatory point of view. Could we mandate that the next generation of browsers must have certain qualities? It's an interesting discussion, and in some way parallels the car safety examples I provided earlier.

> > modest improvements on the part of users, sure, but to place it all on them is simply a fantastic display of incredible naivete.
>
> Indeed. And certainly not something I'd advocate. At least not without making sure that they, in turn, could pass the responsibility on.
>
> > That shows an incredible lack of understanding of how the market actually works. It's nice in theory.
>
> It would be a lot more pleasant discussing things with you if you understood that people may disagree with you without necessarily being naive or stupid.

It's not a pleasant discussion, because in all visible directions are pure suck. I'll call naive when I see it.

> > We (as technical people) have caused this problem because we've failed to design computers and networks that are resistant to this sort of thing.
>
> And why did we do that? What allowed us to get away with it? Answer: Inadequate application of ordinary product liability law to the producers of software. Acceptance of ridiculous EULAs that in any sane legal system would not be worth the cellophane they are printed behind. And so forth. I know the ecosystem that arose around software is more complicated than that, but you get the idea.

I certainly agree, but it isn't going to be wished away in a minute. To do so would effectively destroy some major technology companies.

> > Trying to pin it on the users is of course easy, because users (generally speaking) are "stupid" and are "at fault" for not doing "enough" to "secure" their own systems, but that's a ridiculous smugness on our part.
>
> You're right. And again, I am not advocating that. People are always going to be stupid (or ignorant, which is not the same thing as stupid). The trick is to give them a way out - whether it's insurance, education or effective legal remedy. That way they can choose how to handle the risk that *they* represent - in computers just as in any other realm of life.

Actually, IRL, we've been largely successful in making much safer cars. It's by no means a complete solution, but it seems to be the best case scenario at this time. Software is devilishly hard to make safer, of course, and companies with a decade of legacy sludge being dragged along for the ride do not have it easy. (I really do feel sorry for Microsoft in a way) That's one of the reasons I had predicted more appliance-like computers, and now they seem to be appearing in the form of app-running devices like the iPad. From a network operator's point of view, that's just great, because the chance of a user being able to do something bad to the device is greatly reduced.

> > I'm fine with that, but as long as we keep handing loaded guns without any reasonably-identifiable safeties to the end users, we can expect to keep getting shot at now and then.
>
> You keep stating the problem, where what others are trying to do is frame a solution. Right now we are just absorbing the impact; that is not sustainable, as long as the people providing the avenues of attack (through ignorance or whatever) have no obligation at all to do better.

Right, but rewriting the product liability laws to hold software vendors accountable, by proxying through the end user, is kind of a crazy solution, and one that would appear not to be workable. Was there another solution being framed that I missed?

> > > Yep! And the fastest way to get more secure systems is to make consumers accountable, so that they demand accountability from their vendors. And so it goes, all the way up the chain. Make people accountable. At every level.
> >
> > Again, that shows an incredible lack of understanding of how the market actually works. It's still nice in theory.
>
> There are whole industries built around vehicular safety. There are numerous varieties of insurance that protect people - at every level - from their own failures.
>
> Where there is no accountability in a human system, failure is practically guaranteed - whether in the form of tyranny, monopoly, danger to life and limb or whatever. The idea of accountability and the drive to attain it forms the basis of most legal and democratic systems, and of uncountable numbers of smaller systems in democratic societies. Now, what were you saying about "theory"?

That's nice. How much accountability should one have for having visited a web site that was broken into by Russian script kiddies, though? And we're not talking about driving a PC through a field of pedestrians, as someone else so colorfully put it. Who is going to "insure" me against the possibility that Russian script kiddies sent me a virus via Flash on some web site, and even now are trying to break into British intel via my computer, so one fine day the FBI comes a'knockin'? How do I even find out what happened, when I'm in jail for a year for "hacking the Brits"? That's got to be one hell of an insurance plan.

> > Do you really think that the game of telephone works? Are we really going to be able to hold customers accountable? And if we do, are they really going to put vendor feet to the fire? Or is Microsoft just going to laugh and point at their EULA, and say, "our legal department will bankrupt you, you silly little twerp"?
>
> Please, read more carefully. "At every level". If the consumer is made responsible, they must simultaneously get some avenue of recourse. Those ridiculous EULAs should be the first things against the wall :-)

Should be? Fine. Will be? Not fine. You won't manage to sell that to me without a lot of convincing. And if you can't get rid of those EULA's, we're back in the land of "end user holding the bag." So feel free to convince me of why Microsoft, Apple, Adobe, etc., are all going to just sit idly by while their EULA protections are legislated away.

> > Everyone has carefully made it clear that they're not liable to the users, so the users are left holding the bag, and nobody who's actually responsible is able to be held responsible by the end users.
>
> Correct. That is the current situation, and it needs to be altered. On the one hand consumers benefit because they will finally have recourse for defective software, but with that gain comes increased responsibility.
>
> > Yes, "we" needs to include all the technical stakeholders, and "we" as network operators ought to be able to tell "we" the website operators to tell "we" the web designers to stop using Flash if it's that big a liability. This, of course, fails for the same reasons that expecting end users to hold vendors responsible does, but there are a lot less of us technical stakeholders than there are end users, so if we really want to play that sort of game, we should try it here at home first.
>
> Try what?

Go tell every webmaster who is hosting Flash on your network that it's now prohibited, as a security risk, due to the bulletin issued last week, and that any website hosting Flash on your network a week from now will be null routed. And then follow through.

I mean, really, if we can't do that, we're just shoveling the responsibility off to the poor victim end-users.

I'm just trying to frame this in a way that people can understand. It's great to say "end users should be responsible" and "end users need to be security-conscious." However, are we, as network operators, willing to be equally responsible and security-conscious?

... JG

--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net

From vixie at isc.org Wed Jun 9 12:14:34 2010
From: vixie at isc.org (Paul Vixie)
Date: Wed, 09 Jun 2010 17:14:34 +0000
Subject: Nato warns of strike against cyber attackers
In-Reply-To: (Dave Rand's message of "Tue, 8 Jun 2010 13:12:18 -0700")
References:
Message-ID:

dlr at bungi.com (Dave Rand) writes:

> ...
> With more than 100,000,000 compromised computers out there, it's really time for us to step up to the plate, and make this happen.

+1.
--
Paul Vixie
KI6YSY

From jgreco at ns.sol.net Wed Jun 9 12:17:02 2010
From: jgreco at ns.sol.net (Joe Greco)
Date: Wed, 9 Jun 2010 12:17:02 -0500 (CDT)
Subject: Nato warns of strike against cyber attackers
In-Reply-To: from "Owen DeLong" at Jun 09, 2010 09:01:18 AM
Message-ID: <201006091717.o59HH2sj041733@aurora.sol.net>

> >> What I don't want to see which you are advocating... I don't want to see the end users who do take responsibility, drive well designed vehicles with proper seat belts and safety equipment, stay in their lane, and do not cause accidents held liable for the actions of others. Why should we penalize those that have done no wrong simply because they happen to be a minority?
> >
> > I agree, on the other hand, what about those people who genuinely didn't do anything wrong, and their computer still got Pwned?
>
> Fiction.
>
> At the very least, if you connected a system to the network and it got Pwned, you were negligent in your behavior, if not malicious. Negligence is still wrong, even if not malice.

So, just so we're clear here, I go to Best Buy, I buy a computer, I bring it home, plug it into my cablemodem, and am instantly Pwned by the non-updated Windows version on the drive plus the incessant cable modem scanning, resulting in a bot infection... therefore I am negligent?

Do you actually think a judge would find that negligent, or is this just your own personal definition of negligence? Because I doubt that a judge, or even an ordinary person, could possibly consider it such.

... JG

--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net

From LarrySheldon at cox.net Wed Jun 9 12:32:54 2010
From: LarrySheldon at cox.net (Larry Sheldon)
Date: Wed, 09 Jun 2010 12:32:54 -0500
Subject: Nato warns of strike against cyber attackers
In-Reply-To: <201006091717.o59HH2sj041733@aurora.sol.net>
References: <201006091717.o59HH2sj041733@aurora.sol.net>
Message-ID: <4C0FD046.7070307@cox.net>

On 6/9/2010 12:17, Joe Greco wrote:
>>>> What I don't want to see which you are advocating... I don't want to see the end users who do take responsibility, drive well designed vehicles with proper seat belts and safety equipment, stay in their lane, and do not cause accidents held liable for the actions of others. Why should we penalize those that have done no wrong simply because they happen to be a minority?
>>>
>>> I agree, on the other hand, what about those people who genuinely didn't do anything wrong, and their computer still got Pwned?
>>
>> Fiction.
>>
>> At the very least, if you connected a system to the network and it got Pwned, you were negligent in your behavior, if not malicious. Negligence is still wrong, even if not malice.
>
> So, just so we're clear here, I go to Best Buy, I buy a computer, I bring it home, plug it into my cablemodem, and am instantly Pwned by the non-updated Windows version on the drive plus the incessant cable modem scanning, resulting in a bot infection... therefore I am negligent?
>
> Do you actually think a judge would find that negligent, or is this just your own personal definition of negligence? Because I doubt that a judge, or even an ordinary person, could possibly consider it such.

One can argue (and I will) that there is indeed some culpability because the buyer bought the cheapest version of everything and connected it to a negligent provider's system.

--
Larry Sheldon

From jmamodio at gmail.com Wed Jun 9 12:40:57 2010
From: jmamodio at gmail.com (Jorge Amodio)
Date: Wed, 9 Jun 2010 12:40:57 -0500
Subject: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
In-Reply-To: <4C0FC669.908@infiltrated.net>
References: <9ABFA6B4-52EF-4A7E-B7A2-0E695AC83669@delong.com> <4C0FAA5E.8090203@cox.net> <1913AEBB-BEF7-42A9-87BB-D3CFC332C958@delong.com> <4C0FC30F.50100@cox.net> <4C0FC669.908@infiltrated.net>
Message-ID:

> You buy a car and as you're driving along a message comes into the dashboard: "Car Update needed, to fix A/C" you ignore it. Don't update it who cares, you're driving smoothly. Another alert comes into the car dashboard: "Critical alert, your brakes need this patch"... You ignore it and drive along. 5-10 years later the car manufacturer EOL's the car and support for it. You crash... Who is to blame, the car manufacturer or you for not applying the updates. Granted the manufacturer could have given you a better product, the fact remains, it is what it is.

Unfortunately in the software industry you get (when you do, not always) the alert and the patch after the fact, i.e. the exploit has been already out there and your machine may probably have been already compromised.

I've never seen any operating system coming with a sign saying "Use at your own risk", why when I buy a piece of software I have to assume it to be insecure, and why I have to spend extra money on a recurring basis to make it less insecure, when there is no guarantee whatsoever that after maintenance, upgrades, patches and extra money my system will not get compromised because a moron forgot to include a term inside an if before compiling.

Insecurity and exploitable software is a huge business.
I don't expect software to be 100% safe or correct, but some of the holes and issues are derived from bad quality stuff and as car manufacturers the software producers should have a recall/replacement program at their own cost.

My .02
Jorge

From jgreco at ns.sol.net Wed Jun 9 13:24:11 2010
From: jgreco at ns.sol.net (Joe Greco)
Date: Wed, 9 Jun 2010 13:24:11 -0500 (CDT)
Subject: Nato warns of strike against cyber attackers
In-Reply-To: <4C0FD046.7070307@cox.net> from "Larry Sheldon" at Jun 09, 2010 12:32:54 PM
Message-ID: <201006091824.o59IOB23048857@aurora.sol.net>

> > So, just so we're clear here, I go to Best Buy, I buy a computer, I bring it home, plug it into my cablemodem, and am instantly Pwned by the non-updated Windows version on the drive plus the incessant cable modem scanning, resulting in a bot infection... therefore I am negligent?
> >
> > Do you actually think a judge would find that negligent, or is this just your own personal definition of negligence? Because I doubt that a judge, or even an ordinary person, could possibly consider it such.
>
> One can argue (and I will) that there is indeed some culpability because the buyer bought the cheapest version of everything and connected it to a negligent provider's system.

Really? Because the *cheapest* version of everything seems to run the same OS as the most *expensive* version of everything.

Best Buy -> Computers -> Desktop Computers -> Towers Only -> a Presario Sempron with Windows 7 Home Premium, $279.

Best Buy -> Computers -> Desktop Computers -> Desktop Packages -> a Dell Intel Core i5 package with Windows 7 Home Premium, $859.

So, since I mentioned Best Buy, but didn't mention anything about what was paid, I am hard pressed to imagine the basis for your claim, since the cheapest PC I was able to quickly locate runs the same OS as the most expensive PC I was able to quickly locate (it's of course possible that there are cheaper and more expensive at BB, as well as gear that does not run W7HP).

Further, since the incumbent provider in many areas is also the *only* provider, I wonder what theory you use to hold the customer responsible for their choice of provider, or where they're supposed to get information on the "negligence" of a provider so that they can make informed choices of this sort.

And are you really suggesting that people should expect to get Pwned if they buy an inexpensive computer, but not if they buy a better one? I can understand you saying "they can expect the hard drive to fail sooner" or "the fans will burn out faster", because that seems to be borne out by actual real world experience, but I wasn't aware that the security quality of Windows varied significantly based on the cost of the computer.

... JG

--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net

From Valdis.Kletnieks at vt.edu Wed Jun 9 13:27:25 2010
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Wed, 09 Jun 2010 14:27:25 -0400
Subject: Nato warns of strike against cyber attackers
In-Reply-To: Your message of "Wed, 09 Jun 2010 12:32:54 CDT." <4C0FD046.7070307@cox.net>
References: <201006091717.o59HH2sj041733@aurora.sol.net> <4C0FD046.7070307@cox.net>
Message-ID: <14435.1276108045@localhost>

On Wed, 09 Jun 2010 12:32:54 CDT, Larry Sheldon said:
> On 6/9/2010 12:17, Joe Greco wrote:
> > So, just so we're clear here, I go to Best Buy, I buy a computer, I bring it home, plug it into my cablemodem, and am instantly Pwned by the non-updated Windows version on the drive plus the incessant cable modem scanning, resulting in a bot infection... therefore I am negligent?
> >
> > Do you actually think a judge would find that negligent, or is this just your own personal definition of negligence? Because I doubt that a judge, or even an ordinary person, could possibly consider it such.
>
> One can argue (and I will) that there is indeed some culpability because the buyer bought the cheapest version of everything and connected it to a negligent provider's system.

And the average consumer can avoid the culpability in this scenario, how, exactly?

"If people place a nice chocky in their mouth, they don't want their cheeks pierced"
http://orangecow.org/pythonet/sketches/crunchy.htm

From jcdill.lists at gmail.com Wed Jun 9 13:29:36 2010
From: jcdill.lists at gmail.com (JC Dill)
Date: Wed, 09 Jun 2010 11:29:36 -0700
Subject: Nato warns of strike against cyber attackers
In-Reply-To: <4C0FAE4C.4000601@cox.net>
References: <4C0F11A0.8000303@gmail.com> <20100609130521.GB1482697@hiwaay.net> <4C0FAE4C.4000601@cox.net>
Message-ID: <4C0FDD90.4020307@gmail.com>

Larry Sheldon wrote:
> On 6/9/2010 08:05, Chris Adams wrote:
>> Once upon a time, JC Dill said:
>>> I'm still truly amazed that no one has sic'd a lawyer on Microsoft for creating an "attractive nuisance" - an operating system that is too easily hacked and used to attack innocent victims, and where others have to pay to clean up after Microsoft's mess.
>>
>> Many of the problems are PEBKAC, as evidenced by the massive responses to phishing scams. I can't tell you the number of our users that have sent their password to Nigeria to be used to log in to our webmail and spam.
>
> In other words, if somebody is going to handle the problem, the people that know how ("ISP's" for want of a term) are going to have to do it.

Yes, ISPs are going to have to "handle" the problem. But, IMHO the root cause of the problem starts in Redmond, and ISPs should sue Redmond for the lack of suitable security in their product, rendering it an attractive nuisance and requiring ISPs to clean up after Redmond's mess. It's not fair to expect ISPs to shoulder this burden, and it's not fair to pass on the cost to customers as a blanket surcharge (and it won't work from a business standpoint) as not all customers use Microsoft's virus-vector software. And it's not really fair to expect the end customer to shoulder this burden when it's Microsoft's fault for failing to properly secure their software.
But end user customers don't have the resources to sue Microsoft, and then there's that whole EULA problem. ISPs who are NOT a party to the EULA between Microsoft and the user, but who are impacted by Microsoft's shoddy security can (IMHO) make a valid claim that Microsoft created an attractive nuisance (improperly secured software), and should be held accountable for the vandal's use thereof, used to access and steal resources (bandwidth, etc.) from the ISP thru the ISP's customer's infested Windows computer.

jc

From jcdill.lists at gmail.com Wed Jun 9 13:35:46 2010
From: jcdill.lists at gmail.com (JC Dill)
Date: Wed, 09 Jun 2010 11:35:46 -0700
Subject: Nato warns of strike against cyber attackers
In-Reply-To: <4C0FA18A.10108@cox.net>
References: <4C0F1335.6040305@gmail.com> <4C0F309A.5050803@gmail.com> <4C0FA18A.10108@cox.net>
Message-ID: <4C0FDF02.8070702@gmail.com>

Larry Sheldon wrote:
> On 6/9/2010 01:11, JC Dill wrote:
>
>> Owen DeLong wrote:
>>
>>> Heck, at this point, I'd be OK with it being a regulatory issue.
>>>
>> What entity do you see as having any possibility of effective regulatory
>> control over the internet?
>>
>
> Doesn't matter as long as it enables radial outbound finger pointing.
>

It does matter because THERE IS NO SUCH ENTITY.

>
>> The reason we have these problems to begin with is because there is no
>> way for people (or government regulators) in the US to control ISPs in
>> eastern Europe etc.
>>
>
> Or in the US.
> But what we see here is what is wrong with "regulation"--the
> regulated specify the regulation, primarily to protect the economic
> interests of the entrenched.
>

IMHO it is impossible to regulate the internet as a whole. It is built out of too many different unregulated fragments (IP registries, domain registries, ASs, Tier 1 networks, smaller networks, etc.)
and there will never be enough willingness for the unregulated entities to voluntarily become regulated - if some of them agree to become regulated then others will tout their unregulated (and cheaper) services. IMHO it would require a massive effort of great firewalls (such as China has in place) to *begin* to force regulation on the internet as a whole.

jc

From sil at infiltrated.net Wed Jun 9 13:35:04 2010
From: sil at infiltrated.net (J. Oquendo)
Date: Wed, 09 Jun 2010 14:35:04 -0400
Subject: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
In-Reply-To:
References: <9ABFA6B4-52EF-4A7E-B7A2-0E695AC83669@delong.com> <4C0FAA5E.8090203@cox.net> <1913AEBB-BEF7-42A9-87BB-D3CFC332C958@delong.com> <4C0FC30F.50100@cox.net> <4C0FC669.908@infiltrated.net>
Message-ID: <4C0FDED8.5040708@infiltrated.net>

Jorge Amodio wrote:
> Unfortunately in the software industry you get (when you do, not
> always) the alert and the patch after the fact, ie the exploit has
> been already out there and your machine may probably have been already
> compromised.
>
> I have never seen any operating system coming with a sign saying "Use at
> your own risk", why when I buy a piece of software I have to assume it
> to be insecure, and why I have to spend extra money on a recurring
> basis to make it less insecure, when there is no guarantee whatsoever
> that after maintenance, upgrades, patches and extra money my system
> will not get compromised because a moron forgot to include a term
> inside an if before compiling.
>
> Insecurity and exploitable software is a huge business. I don't expect
> software to be 100% safe or correct, but some of the holes and issues
> are derived from bad quality stuff and as car manufacturers the
> software producers should have a recall/replacement program at their
> own cost.
>
> My .02
> Jorge
>

Again, apples and oranges to a degree. Car owners don't receive a "use at your own risk" disclaimer either.
Yet some Toyota owners faced horrifying instances of "subpar" prechecks. GM recalled a million or so cars and the list will always go on and on. Mistakes happen period and when mistakes DON'T happen Murphy's Law does. I can speak for any software vendor but I can speak about insecurity and exploitability of software. That too is what it is from any standpoint be it anywhere in Redmond to any other location. Look at Sun's horrible misstep with telnet: Highlights The Solaris 10 Operating System, the most secure OS on the planet, provides security features previously only found in Sun's military-grade Trusted Solaris OS. Really? http://blogs.securiteam.com/index.php/archives/814 9 Vulnerabilities for Microsoft *ANYTHING* of the first 60 published. But again, this is irrelevant. I don't care for any operating system anymore. I care for the one that accomplishes what I need to do at any given time. Be it Linux, Windows, BSD, Solaris heck get me plan9 with Rio, I could care less. However, myself as an end user, I'm the one responsible for my machine as I am the one running it. If I find it to be insecure or "virus/trojan/malware/exploitability" prone, there is no one shoving it down my throat. Even if I didn't know any better. So for those who are unaware of what's going on, how difficult would it be to create a function within an ISP tasked with keeping a network structured to avoid allowing OUTBOUND malicious traffic. We could argue about: "But that would be snooping" where I could always point at that a NAC could be set up prior to allowing a client to connect. Can anyone honestly tell me that one of their clients would be upset slash disturbed slash alarmed about an ISP protecting them (the customer) as well as other "neighbors" (customers)? That's like saying: "Oh they set up a neighborhood watch association... and they're watching over my house when I'm not home or capable of watching all sides of my house... HOW DARE THEY!" Sorry I can't picture that happening. 
What I picture is fear and people dragging their feet. I can tell you what though, for the first company to pick up on that framework, I can guarantee you the turnover rate wouldn't be as high as say being on a network where now the business connection is lagged because of spam, botnets and other oddities that could have been prevented. -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT "It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett 227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E From LarrySheldon at cox.net Wed Jun 9 13:43:01 2010 From: LarrySheldon at cox.net (Larry Sheldon) Date: Wed, 09 Jun 2010 13:43:01 -0500 Subject: Nato warns of strike against cyber attackers In-Reply-To: <4C0FDF02.8070702@gmail.com> References: <4C0F1335.6040305@gmail.com> <4C0F309A.5050803@gmail.com> <4C0FA18A.10108@cox.net> <4C0FDF02.8070702@gmail.com> Message-ID: <4C0FE0B5.5070609@cox.net> On 6/9/2010 13:35, JC Dill wrote: > IMHO it is impossible to regulate the internet as a whole. Exactly so. That is precisely why you don't want somebody else to attempt it. The only hope is for everybody to take personal responsibility for their little piece of it. -- Somebody should have said: A democracy is two wolves and a lamb voting on what to have for dinner. Freedom under a constitutional republic is a well armed lamb contesting the vote. 
Requiescas in pace o email Ex turpi causa non oritur actio Eppure si rinfresca ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml From andrew.wallace at rocketmail.com Wed Jun 9 13:53:10 2010 From: andrew.wallace at rocketmail.com (andrew.wallace) Date: Wed, 9 Jun 2010 11:53:10 -0700 (PDT) Subject: Nato warns of strike against cyber attackers Message-ID: <825233.60466.qm@web59611.mail.ac4.yahoo.com> The original article is FUD. The Times newspaper is historically known as MI5, MI6's newspaper of choice. Andrew http://sites.google.com/site/n3td3v/ From ka at pacific.net Wed Jun 9 13:56:36 2010 From: ka at pacific.net (Ken A) Date: Wed, 09 Jun 2010 13:56:36 -0500 Subject: Nato warns of strike against cyber attackers In-Reply-To: <4C0FE0B5.5070609@cox.net> References: <4C0F1335.6040305@gmail.com> <4C0F309A.5050803@gmail.com> <4C0FA18A.10108@cox.net> <4C0FDF02.8070702@gmail.com> <4C0FE0B5.5070609@cox.net> Message-ID: <4C0FE3E4.90207@pacific.net> On 6/9/2010 1:43 PM, Larry Sheldon wrote: > On 6/9/2010 13:35, JC Dill wrote: > >> IMHO it is impossible to regulate the internet as a whole. > Exactly so. > > That is precisely why you don't want somebody else to attempt it. > > The only hope is for everybody to take personal responsibility for their > little piece of it. This situation has led to the growth of blacklists, and whitelists of all sorts. These, at least have some potential to drive dollars to hosts/providers with better records of behavior. Not a silver bullet.. and not without controversy. And of course the cost is paid by victims up-front. Law and order in the wild west.. 
Ken -- Ken Anderson Pacific Internet - http://www.pacific.net From kauer at biplane.com.au Wed Jun 9 14:37:39 2010 From: kauer at biplane.com.au (Karl Auer) Date: Thu, 10 Jun 2010 05:37:39 +1000 Subject: Nato warns of strike against cyber attackers In-Reply-To: <201006091708.o59H895D040808@aurora.sol.net> References: <201006091708.o59H895D040808@aurora.sol.net> Message-ID: <1276112259.17332.197.camel@karl> On Wed, 2010-06-09 at 12:08 -0500, Joe Greco wrote: > That's not going to happen (but I'll be happy to be proven wrong). Oh, there are so many things that are "not going to happen", aren't there? And because of that we shouldn't even bother suggesting regulation as a solution to anything because "the big companies" won't let it happen? It took a few decades, but eventually people figured out that tobacco killed people, and some of the biggest financial interests in the world ended up being legislated against. That process is not finished, the rearguard action is not played out, but the setup is not the cosy little "we'll do whatever we want and you can't stop us" that we had in the fifties. The Mafia in Italy seemed indomitable a few decades ago. It had the whole country (and large chunks of the US and other countries) in its grip, apparently unchallengeable. But the Mafia in Italy is now dying under the weight of courageous police and judges and a legal system that in spite of itself tries to do the will of the people. Little by little the changes were made, little by little the structures the Mafia depended upon were taken away. Including, most importantly, the belief amongst Italians that the Mafia was untouchable. Your argument seems to be "if we do X, it won't work". This is true for almost any X, because our field, like many other specialist fields, is a kind of ecosystem. Many factors have reached a kind of equilibrium, and it's really hard to look at any one factor and say "fix that" without seeing how so many other factors would work against the change. 
Try thinking about what *could* happen rather than what *can't* happen.

> What legislator is going to vote for software liability reforms that will
> ruin major software companies? When their own staff and experts will be
> willing to state that outcome, in no uncertain terms?

Why do you assume these laws will ruin anyone? No one is seeking to destroy software companies, any more than the people who demanded accountability from auto manufacturers or pharmaceutical companies wanted to put them out of business. People want cars and medicine, and are prepared to pay for them. But if the car is defective or the medicine proves harmful, people want recourse in law. Same for software. When the company screws up, people should be able to take them to court and have a realistic chance of success if their grievance is real. It is that simple. Yet when we read of yet another buffer overflow exploit in a Microsoft product we just sigh and update our virus checkers, because Microsoft has *zero* obligation in law to produce software that has no such flaws. There is no other product group I know of where a known *class* of defect would be permitted to continue to exist without very serious liability issues arising.

> What are the outcomes here? We pass such legislation, it doesn't magically
> fix things. It just means that companies like Adobe and Microsoft are
> suddenly on the hook for huge liabilities if they continue to sell their
> current products. Do we expect them to *stop* selling Windows, etc.,?

You assume it all happens at once. You assume the change will be large. You assume there is no grace period. You assume a lot, then act as if it must be so.

> That's the problem, isn't it. If we were serious about it, we could
> approach the problem differently: rather than trying to tackle it from
> a marketplace point of view, perhaps we could instead tackle it from a
> regulatory point of view.
Could we mandate that the next generation of > browsers must have certain qualities? It's an interesting discussion, > and in some way parallels the car safety examples I provided earlier. Mandating specific qualities in that sense leads to legislation that is out of date before the ink is dry. No - you mandate only that products must be fit for their intended purpose, and you declare void any attempts to contract away this requirement. Just like with other products! And then you let the system and the market work out the rest. > I certainly agree, but it isn't going to be wished away in a minute. To > do so would effectively destroy some major technology companies. You do a great line in straw men. Who said it would take a minute? Not I. Not anyone. People are just trying to point out that while it may be difficult, it's not impossible. We are also trying to point out the places where effective positive change could be made. > in a way) That's one of the reasons I had predicted more appliance-like > computers, and now they seem to be appearing in the form of app-running > devices like the iPad. From a network operator's point of view, that's > just great, because the chance of a user being able to do something bad > to the device is greatly reduced. There is no reduction in the chance that the manufacturer will screw up, making their product vulnerable to attack. But even if all iPads turn out to be totally crackable, Apple will still have no obligation at all to fix it. Appliance computers do not address the real problem, which is lack of accountability. > Right, but rewriting the product liability laws to hold software vendors > accountable, by proxying through the end user, is kind of a crazy solution, > and one that would appear not to be workable. Was there another solution > being framed that I missed? No, it's not crazy. Regulation that empowers consumers is one of the fastest ways to better, safer products. 
Did you ever see a toy with a two-page shrink wrap contract making you the consumer absolutely liable for any fault the toy might have or any damage it might cause? No? What about kitchen appliances? The list of areas where consumer law has generated better, safer products is long. You say it "appears not to be workable" but have offered not a single argument as to why not. Remember, by the way, that in the context of computing, I'm not suggesting consumer empowerment should be a one-way street. I'm saying that the consumer gets the power to demand that software and hardware be fit for purpose. In return, the consumer too must become accountable. > That's nice. How much accountability should one have for having visited > a web site that was broken into by Russian script kiddies, though? And > we're not talking about driving a PC through a field of pedestrians, as > someone else so colorfully put it. Who is going to "insure" me against > the possibility that Russian script kiddies sent me a virus via Flash > on some web site, and even now are trying to break into British intel via > my computer, so one fine day the FBI comes a'knockin'? How do I even > find out what happened, when I'm in jail for a year for "hacking the > Brits"? That's got to be one hell of an insurance plan. Once again you demand that everything be fixed in one fell swoop. How did visiting the web site cause me to get a virus? Did I download it? My bad. Did the browser have a vulnerability? Browser manufacturer's bad. Flash vulnerability? Adobe's bad. FBI - can they prove intent? Why are you so set against people having to face the consequences of their actions (or inactions)? What is so wrong with Adobe having to produce software that DOES NOT expose users to attack? > So feel free to convince me of why Microsoft, Apple, Adobe, etc., are all > going to just sit idly by while their EULA protections are legislated > away. Microsoft et al do not actually own your country. You do. 
I don't expect them to sit idly by. Like all corporate citizens, they will attempt to protect their own interests above all other considerations. But because they do not own the country, and because their position is ethically and practically untenable, they will ultimately fail.

> Go tell every webmaster who is hosting Flash on your network that it's
> now prohibited, as a security risk, due to the bulletin issued last
> week, and that any website hosting Flash on your network a week from
> now will be null routed. And then follow through.

Have you done that? If not, why not?

> It's great to say "end users should be responsible" and "end users
> need to be security-conscious."

Except that's NOT what I am saying. I am saying they need to be *accountable*. As do network operators, software vendors, hardware vendors and so on.

> However, are we, as network operators,
> willing to be equally responsible and security-conscious?

Dunno. As long as it's voluntary there will be little substantive change. Make network operators accountable, and the change will come.

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au) +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/ +61-428-957160 (mob)
GPG fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
Old fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF

From LarrySheldon at cox.net Wed Jun 9 14:43:03 2010
From: LarrySheldon at cox.net (Larry Sheldon)
Date: Wed, 09 Jun 2010 14:43:03 -0500
Subject: Nato warns of strike against cyber attackers
In-Reply-To: <1276112259.17332.197.camel@karl>
References: <201006091708.o59H895D040808@aurora.sol.net> <1276112259.17332.197.camel@karl>
Message-ID: <4C0FEEC7.2070600@cox.net>

On 6/9/2010 14:37, Karl Auer wrote:
[good stuff]

> Try thinking about what *could* happen rather than what *can't* happen.

Even better: Think "here is what I can do". And then do it.

--
Somebody should have said:
A democracy is two wolves and a lamb voting on what to have for dinner.

Freedom under a constitutional republic is a well armed lamb contesting the vote.

Requiescas in pace o email
Ex turpi causa non oritur actio
Eppure si rinfresca

ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml

From bzs at world.std.com Wed Jun 9 15:44:38 2010
From: bzs at world.std.com (Barry Shein)
Date: Wed, 9 Jun 2010 16:44:38 -0400
Subject: Nato warns of strike against cyber attackers
In-Reply-To:
References: <4C0F11A0.8000303@gmail.com>
Message-ID: <19471.64822.710822.105019@world.std.com>

On June 8, 2010 at 21:05 fergdawgster at gmail.com (Paul Ferguson) wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Tue, Jun 8, 2010 at 8:59 PM, JC Dill wrote:
>
> >
> > I'm still truly amazed that no one has sic'd a lawyer on Microsoft for
> > creating an "attractive nuisance" - an operating system that is too
> > easily hacked and used to attack innocent victims, and where others have
> > to pay to clean up after Microsoft's mess.
> >
>
> Do you honestly believe that if 80% of the world's consumer computers were
> *not* MS operating systems, that the majority of computers would still not
> be targeted?

Ah, the disinformation reply...
MAYBE IF [please read thru before replying because I probably cover most knee-jerk responses eventually]:

a) Microsoft hadn't ignored well-known techniques for dividing secure vs insecure operations in their kernel thus allowing any email script you're reading to do whatever it wants including, e.g., re-writing the boot blocks.

b) Microsoft hadn't made the first and usually only newly created user "root" on a new system so it'd be easier to install applications they bought and administer the system and save them understanding that they sometimes have to type in a separate administrator's password. But the extra typing and forgetting that password of course would detract from the "user experience".

c) Microsoft hadn't distributed, for decades, systems with graphics libraries which relied on injecting raw machine code into the kernel to speed up operations like scrolling a window (which used to be very slow without this, as one example), and got their third-party vendors so hooked on this technique that they screamed bloody murder every time MS even hinted that they might remove it. It took generations of OLE, X controls, .NET, etc to get rid of this, if it's even completely gone now.

d) Microsoft hadn't ignored all these basic security practices in operating systems which were completely well understood and implemented in OS after OS back to at least 1970 if not before because they saw more profit in, to use a metaphor, selling cars without safety glass in the windshields etc, consequences be damned.

e) Microsoft hadn't made tens if not hundreds of billions off the above willful negligence for decades (if you include the first warning when viruses became rampant in the late 80s, plus a decade of infected zombie bots starting in the late 90s) after they knew full well the disastrous consequences, causes, and fixes.
f) The fact that Microsoft began putting exactly the fixes the above implies with, generously, XP SP2, but not seriously until Vista (general release: January 30, 2007) which is tantamount to an admission of guilt. Such as separating Administrator from User and the privileges thereof.

Then, and only then, MAYBE their mere market dominance would be a plausible reason.

But for those of us who actually UNDERSTAND operating systems and how their security works (or doesn't) and what the problems have been specifically statistics and probabilities and hand waves just can't trump KNOWING AND UNDERSTANDING THE FACTS AND HOW THESE THINGS WORK!

Blaming Microsoft OS's vulnerability to viruses and zombification on their market dominance would be like blaming the running out of IPv4 addresses on cisco's market dominance. It has a certain appeal to the ignorant, but anyone who knows anything about the actual causes and history knows there's not one grain of truth to it.

--
-Barry Shein

The World | bzs at TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*

From owen at delong.com Wed Jun 9 15:56:40 2010
From: owen at delong.com (Owen DeLong)
Date: Wed, 9 Jun 2010 13:56:40 -0700
Subject: Nato warns of strike against cyber attackers
In-Reply-To: <4C0FB295.7030005@2mbit.com>
References: <44AC6E21-FC5A-45CB-B41F-A0348C2F8467@delong.com> <201006091202.o59C26tb006864@aurora.sol.net> <4C0FB295.7030005@2mbit.com>
Message-ID: <6994E5E9-AD13-43DB-9137-07217DE03D0F@delong.com>

On Jun 9, 2010, at 8:26 AM, Brielle Bruns wrote:
> On 6/9/10 6:27 AM, Jorge Amodio wrote:
>> Going back then to a previous question, do we want more/any regulation ?
>
> Laws and regulation exist because people can't behave civilly and be expected to respect the rights/boundaries/property of others.
>
> CAN-SPAM exists because the e-mail marketing business refused to self regulate and respect the wishes of consumers/administrators
>
Which is good, because it certainly eliminated most of the SPAM. -- NOT!

> FDCPA exists because the debt collectors couldn't resist the temptation to harass and intimidate consumers, and behave ethically.
>
And of course, it has caused them all to do so, now, right? -- NOT!

>
>
> It's just a matter of time, and really unavoidable. The thing is, these industries have no one to blame but themselves. In all cases, these laws/regulation only came into effect AFTER situations got out of control.
>
Software has been out of control for a long time and I hope that the gov't will start by ruling the "not responsible for our negligence or the damage it causes" clauses of software licenses invalid. That would actually be a major positive step because it would allow consumers to sue software manufacturers for their defects and the damages they cause leading to a radical change in the nature of how software developers approach responsibility for quality in their products. Right now, most consumer operating systems are "unsafe at any speed".

> Lately, the courts have been ruling that companies like LimeWire are responsible for their products being used for piracy/downloading because they knew what was going on, but were turning a blind eye.
>
This is a positive step, IMHO, but, now companies like Apple and Micr0$0ft need to be held to similar standards.

> Why not apply the same standards to ISPs? If it can be shown that you had knowledge of specific abuse coming from your network, but for whatever reason, opted to ignore it and turn a blind eye, then you are responsible.
>
I agree.

> When I see abuse from my network or am made aware of it, I isolate and drop on my edge the IPs in question, then investigate and respond.
Most times, it takes me maybe 10-15 minutes to track down the user responsible, shut off their server or host, then terminate their stupid self. > Yep. > A little bit of effort goes a long way. But, if you refuse to put in the effort (I'm looking at you, GoDaddy Abuse Desk), then of course the problems won't go away. > Agreed. Owen From bzs at world.std.com Wed Jun 9 16:01:23 2010 From: bzs at world.std.com (Barry Shein) Date: Wed, 9 Jun 2010 17:01:23 -0400 Subject: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers] In-Reply-To: References: Message-ID: <19472.291.770145.926372@world.std.com> On June 9, 2010 at 07:39 jmamodio at gmail.com (Jorge Amodio) wrote: > > 1. Should ISPs be responsible for abuse from within their customer base? > > Not sure, ISPs role is just to move packets from A to B, you need to > clearly define what constitutes abuse and how much of it is considered > a crime. > > If I call your home every five minutes to harass you over the phone is > AT&T responsible ? Actually, that might be in their purview. The example I would use is if someone called you to sell you swamp land in Florida or otherwise try to swindle you is that the phone company's responsibility, to ensure the honesty of all phone transactions? 
--
-Barry Shein

The World | bzs at TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*

From LarrySheldon at cox.net Wed Jun 9 16:05:06 2010
From: LarrySheldon at cox.net (Larry Sheldon)
Date: Wed, 09 Jun 2010 16:05:06 -0500
Subject: Nato warns of strike against cyber attackers
In-Reply-To: <6994E5E9-AD13-43DB-9137-07217DE03D0F@delong.com>
References: <44AC6E21-FC5A-45CB-B41F-A0348C2F8467@delong.com> <201006091202.o59C26tb006864@aurora.sol.net> <4C0FB295.7030005@2mbit.com> <6994E5E9-AD13-43DB-9137-07217DE03D0F@delong.com>
Message-ID: <4C100202.70304@cox.net>

On 6/9/2010 15:56, Owen DeLong wrote:
>
> On Jun 9, 2010, at 8:26 AM, Brielle Bruns wrote:
>
>> On 6/9/10 6:27 AM, Jorge Amodio wrote:
>>> Going back then to a previous question, do we want more/any regulation ?
>>
>> Laws and regulation exist because people can't behave civilly and be expected to respect the rights/boundaries/property of others.
>>
>> CAN-SPAM exists because the e-mail marketing business refused to self regulate and respect the wishes of consumers/administrators
>>
> Which is good, because it certainly eliminated most of the SPAM. -- NOT!

It is actually an outstanding example of something I spoke of here earlier.

Without any exception that I know of, regulations are written to protect the entrenched. CAN-SPAM was written to protect spammers, not to prevent anything important to them.

--
Somebody should have said:
A democracy is two wolves and a lamb voting on what to have for dinner.

Freedom under a constitutional republic is a well armed lamb contesting the vote.
Requiescas in pace o email Ex turpi causa non oritur actio Eppure si rinfresca ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml From owen at delong.com Wed Jun 9 16:50:26 2010 From: owen at delong.com (Owen DeLong) Date: Wed, 9 Jun 2010 14:50:26 -0700 Subject: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers] In-Reply-To: <4C0FDED8.5040708@infiltrated.net> References: <9ABFA6B4-52EF-4A7E-B7A2-0E695AC83669@delong.com> <4C0FAA5E.8090203@cox.net> <1913AEBB-BEF7-42A9-87BB-D3CFC332C958@delong.com> <4C0FC30F.50100@cox.net> <4C0FC669.908@infiltrated.net> <4C0FDED8.5040708@infiltrated.net> Message-ID: <4BC7336B-66DD-426C-922C-E2D863D029CF@delong.com> > > Again, apples and oranges to a degree. Car owners don't receive a "use > at your own risk" disclaimer either. Yet some Toyota owners faced > horrifying instances of "subpar" prechecks. GM recalled a million or so > cars and the list will always go on and on. Mistakes happen period and > when mistakes DON'T happen Murphy's Law does. I can speak for any > software vendor but I can speak about insecurity and exploitability of > software. That too is what it is from any standpoint be it anywhere in > Redmond to any other location. Look at Sun's horrible misstep with telnet: > Note, however, that in all of these cases, the car manufacturers were liable and did have to take action to resolve the issues. WHY are software companies not held to these same standards? There's no need for new law, just for the judiciary to wake up and stop granting them a bizarre and unreasonable exemption from the existing laws. 
Owen From owen at delong.com Wed Jun 9 16:59:00 2010 From: owen at delong.com (Owen DeLong) Date: Wed, 9 Jun 2010 14:59:00 -0700 Subject: Nato warns of strike against cyber attackers In-Reply-To: <4C100202.70304@cox.net> References: <44AC6E21-FC5A-45CB-B41F-A0348C2F8467@delong.com> <201006091202.o59C26tb006864@aurora.sol.net> <4C0FB295.7030005@2mbit.com> <6994E5E9-AD13-43DB-9137-07217DE03D0F@delong.com> <4C100202.70304@cox.net> Message-ID: <6F04753F-B015-455D-83A1-5C59FBFAFC4D@delong.com> On Jun 9, 2010, at 2:05 PM, Larry Sheldon wrote: > On 6/9/2010 15:56, Owen DeLong wrote: >> >> On Jun 9, 2010, at 8:26 AM, Brielle Bruns wrote: >> >>> On 6/9/10 6:27 AM, Jorge Amodio wrote: >>>> Going back then to a previous question, do we want more/any regulation ? >>> >>> Laws and regulation exist because people can't behave civilly and be expected to respect the rights/boundries/property others. >>> >>> CAN-SPAM exists because the e-mail marketing business refused to self regulate and respect the wishes of consumers/administrators >>> >> Which is good, because it certainly eliminated most of the SPAM. -- NOT! > > It is actually an outstanding example of something of something I spoke > of here earlier. > > Without any exception that I know of, regulations are written to protect > the entrenched. CAN-SPAM was written to protect spammers, not to > prevent anything important to them. > Actually, as much as it would make so much more sense if that were the case, it simply isn't true. CAN-SPAM was written to be a compromise that was supposed to allow consumers to opt out of receiving SPAM and prevent SPAMMERs from sending unwanted messages. Sadly, of course, it hasn't done either one. Owen > -- > Somebody should have said: > A democracy is two wolves and a lamb voting on what to have for dinner. > > Freedom under a constitutional republic is a well armed lamb contesting > the vote. 
> > Requiescas in pace o email > Ex turpi causa non oritur actio > Eppure si rinfresca > > ICBM Targeting Information: http://tinyurl.com/4sqczs > http://tinyurl.com/7tp8ml > > From hrlinneweh at sbcglobal.net Wed Jun 9 17:53:35 2010 From: hrlinneweh at sbcglobal.net (Henry Linneweh) Date: Wed, 9 Jun 2010 15:53:35 -0700 (PDT) Subject: Nato warns of strike against cyber attackers In-Reply-To: References: Message-ID: <293500.69861.qm@web180301.mail.gq1.yahoo.com> Your humor has me roflmao -henry ________________________________ From: Paul Vixie To: nanog at merit.edu Sent: Wed, June 9, 2010 10:14:34 AM Subject: Re: Nato warns of strike against cyber attackers dlr at bungi.com (Dave Rand) writes: > ... > With more than 100,000,000 compromised computers out there, it's really > time for us to step up to the plate, and make this happen. +1. -- Paul Vixie KI6YSY From jgreco at ns.sol.net Wed Jun 9 17:53:40 2010 From: jgreco at ns.sol.net (Joe Greco) Date: Wed, 9 Jun 2010 17:53:40 -0500 (CDT) Subject: Nato warns of strike against cyber attackers In-Reply-To: <1276112259.17332.197.camel@karl> from "Karl Auer" at Jun 10, 2010 05:37:39 AM Message-ID: <201006092253.o59Mre6M078093@aurora.sol.net> > On Wed, 2010-06-09 at 12:08 -0500, Joe Greco wrote: > > That's not going to happen (but I'll be happy to be proven wrong). > > Oh, there are so many things that are "not going to happen", aren't > there? And because of that we shouldn't even bother suggesting > regulation as a solution to anything because "the big companies" won't > let it happen? Thankfully, I'm going to stop reading this right here, because you're attributing to me something I didn't say. I said that rewriting the liability laws to outlaw draconian EULA's wasn't going to happen. I'm fairly certain that regulation, on the other hand, is likely to be the solution that ends up working, and I said so much earlier. So since I'm not interested in rehashing the issues for you, I'm going to go take the evening off. ... 
JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples. From jgreco at ns.sol.net Wed Jun 9 18:04:43 2010 From: jgreco at ns.sol.net (Joe Greco) Date: Wed, 9 Jun 2010 18:04:43 -0500 (CDT) Subject: Nato warns of strike against cyber attackers In-Reply-To: <4C0FEEC7.2070600@cox.net> from "Larry Sheldon" at Jun 09, 2010 02:43:03 PM Message-ID: <201006092304.o59N4hmO079022@aurora.sol.net> > On 6/9/2010 14:37, Karl Auer wrote: > [good stuff] > > > Try thinking about what *could* happen rather than what *can't* happen. > > Even better: Think "here is what I can do". And then do it. Some of us already do: Implement BCP38 Implement spam scanning for e-mail Have a responsive abuse desk Reload - not repair - any compromised systems Sponsor resources to combat spam many more etc. Some of us have been doing what you suggest for so long that we've become a bit skeptical and cynical about it all, especially when we see that in the last decade, BCP38 filtering still isn't prevalent, abuse desks are commonly considered to be black holes, and people still talk about disinfecting a virus-laden computer. There is only so much you can do, short of getting out a Clue by Four and going around hitting people with it. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples. 
From LarrySheldon at cox.net Wed Jun 9 18:35:51 2010
From: LarrySheldon at cox.net (Larry Sheldon)
Date: Wed, 09 Jun 2010 18:35:51 -0500
Subject: Nato warns of strike against cyber attackers
In-Reply-To: <201006092304.o59N4hmO079022@aurora.sol.net>
References: <201006092304.o59N4hmO079022@aurora.sol.net>
Message-ID: <4C102557.2010301@cox.net>

On 6/9/2010 18:04, Joe Greco wrote:
>> On 6/9/2010 14:37, Karl Auer wrote:
>> [good stuff]
>>
>>> Try thinking about what *could* happen rather than what *can't* happen.
>>
>> Even better: Think "here is what I can do". And then do it.
>
> Some of us already do:
>
> Implement BCP38
> Implement spam scanning for e-mail
> Have a responsive abuse desk
> Reload - not repair - any compromised systems
> Sponsor resources to combat spam
> many more etc.
>
> Some of us have been doing what you suggest for so long that we've become a bit skeptical and cynical about it all, especially when we see that in the last decade, BCP38 filtering still isn't prevalent, abuse desks are commonly considered to be black holes, and people still talk about disinfecting a virus-laden computer.
>
> There is only so much you can do, short of getting out a Clue by Four and going around hitting people with it.

I am sorry to report that doing the right thing rarely gets any ink. But it is still the right thing, and you have to keep doing it--if for no reason better than being able to live with yourself.

Thanks for what you do.

--
Somebody should have said:
A democracy is two wolves and a lamb voting on what to have for dinner.

Freedom under a constitutional republic is a well armed lamb contesting the vote.
Requiescas in pace o email
Ex turpi causa non oritur actio
Eppure si rinfresca

ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml

From jmamodio at gmail.com Wed Jun 9 22:22:19 2010
From: jmamodio at gmail.com (Jorge Amodio)
Date: Wed, 9 Jun 2010 22:22:19 -0500
Subject: Nato warns of strike against cyber attackers
In-Reply-To: <4C102557.2010301@cox.net>
References: <201006092304.o59N4hmO079022@aurora.sol.net> <4C102557.2010301@cox.net>
Message-ID:

Cyber Threats Yes, But Is It Cyber War?
http://www.circleid.com/posts/20100609_cyber_threats_yes_but_is_it_cyberwar/

-J

From jcdill.lists at gmail.com Thu Jun 10 01:05:20 2010
From: jcdill.lists at gmail.com (JC Dill)
Date: Wed, 09 Jun 2010 23:05:20 -0700
Subject: Nato warns of strike against cyber attackers
In-Reply-To: <6994E5E9-AD13-43DB-9137-07217DE03D0F@delong.com>
References: <44AC6E21-FC5A-45CB-B41F-A0348C2F8467@delong.com> <201006091202.o59C26tb006864@aurora.sol.net> <4C0FB295.7030005@2mbit.com> <6994E5E9-AD13-43DB-9137-07217DE03D0F@delong.com>
Message-ID: <4C1080A0.1000303@gmail.com>

Owen DeLong wrote:
>
> Software has been out of control for a long time and I hope that the gov't will start by ruling the "not responsible for our negligence or the damage it causes" clauses of software licenses invalid.

The beauty of my "attractive nuisance" argument is that the EULA doesn't shield Microsoft from the damage their software causes to a 3rd party such as the ISP who has to deal with the botnet infections of their customers.

jc

From mmzinyi at yahoo.com Thu Jun 10 01:40:27 2010
From: mmzinyi at yahoo.com (jacob miller)
Date: Wed, 9 Jun 2010 23:40:27 -0700 (PDT)
Subject: SCO UNIX Errors
Message-ID: <306629.32755.qm@web39503.mail.mud.yahoo.com>

Hi,

I am getting the following errors from my SCO UNIX box. Any idea what they mean?

proto: 0, age: 1274191185
locks: inits:
sockaddrs:
172.16.3.12 172.16.1.254
route: got message of size 120
RTM_LOSING: Kernel Suspects Partitioning: len 120, pid: 0, seq 0, errno 0, flags:
proto: 0, age: 1274191200
locks: inits:
sockaddrs:
172.16.3.12 172.16.1.254
route: got message of size 120
RTM_LOSING: Kernel Suspects Partitioning: len 120, pid: 0, seq 0, errno 0, flags:
proto: 0, age: 1274191204
locks: inits:
sockaddrs:
172.16.10.3 172.16.1.254
route: got message of size 120
RTM_LOSING: Kernel Suspects Partitioning: len 120, pid: 0, seq 0, errno 0, flags:
proto: 0, age: 1274191206
locks: inits:
sockaddrs:
172.16.3.12 172.16.1.254
route: got message of size 120
RTM_LOSING: Kernel Suspects Partitioning: len 120, pid: 0, seq 0, errno 0, flags:
proto: 0, age: 1274191249
locks: inits:
sockaddrs:
172.16.3.12 172.16.1.254
route: got message of size 120
RTM_LOSING: Kernel Suspects Partitioning: len 120, pid: 0, seq 0, errno 0, flags:
proto: 0, age: 1274191250
locks: inits:
sockaddrs:
172.16.10.3 172.16.1.254
route: got message of size 120
RTM_LOSING: Kernel Suspects Partitioning: len 120, pid: 0, seq 0, errno 0, flags:
proto: 0, age: 1274191264
locks: inits:
sockaddrs:
172.16.3.12 172.16.1.254
route: got message of size 120
RTM_LOSING: Kernel Suspects Partitioning: len 120, pid: 0, seq 0, errno 0, flags:
proto: 0, age: 1274191268
locks: inits:
sockaddrs:
172.16.10.3 172.16.1.254
route: got message of size 120
RTM_LOSING: Kernel Suspects Partitioning: len 120, pid: 0, seq 0, errno 0, flags:
proto: 0, age: 1274191270
locks: inits:
sockaddrs:
172.16.3.12 172.16.1.254
route: got message of size 120
RTM_LOSING: Kernel Suspects Partitioning: len 120, pid: 0, seq 0, errno 0, flags:
proto: 0, age: 1274191297
locks: inits:
sockaddrs:
172.16.10.3 172.16.1.254

Regards,
Jacob

From nenolod at systeminplace.net Thu Jun 10 01:45:18 2010
From: nenolod at systeminplace.net (William Pitcock)
Date: Thu, 10 Jun 2010 01:45:18 -0500
Subject: SCO UNIX Errors
In-Reply-To:
<306629.32755.qm@web39503.mail.mud.yahoo.com> References: <306629.32755.qm@web39503.mail.mud.yahoo.com> Message-ID: <1276152318.7701.667.camel@petrie> On Wed, 2010-06-09 at 23:40 -0700, jacob miller wrote: > Hi, > > Am getting the following error from my SCO UNIX box. They mean "use an operating system not made by crackheads." There's a reason why SCO switched from UNIX sales to Intellectual Property trolling after all. William From trelane at trelane.net Thu Jun 10 02:05:00 2010 From: trelane at trelane.net (Andrew D Kirch) Date: Thu, 10 Jun 2010 03:05:00 -0400 Subject: SCO UNIX Errors In-Reply-To: <1276152318.7701.667.camel@petrie> References: <306629.32755.qm@web39503.mail.mud.yahoo.com> <1276152318.7701.667.camel@petrie> Message-ID: <4C108E9C.2040304@trelane.net> On 06/10/2010 02:45 AM, William Pitcock wrote: > On Wed, 2010-06-09 at 23:40 -0700, jacob miller wrote: > >> Hi, >> >> Am getting the following error from my SCO UNIX box. >> > They mean "use an operating system not made by crackheads." There's a > reason why SCO switched from UNIX sales to Intellectual Property > trolling after all. > > William > The above should be considered the correct response to this and any similar question. Andrew From starcat at starcat.rlyeh.net Thu Jun 10 03:36:53 2010 From: starcat at starcat.rlyeh.net (Ina Faye-Lund) Date: Thu, 10 Jun 2010 10:36:53 +0200 Subject: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers] In-Reply-To: References: Message-ID: <20100610083653.GB18440@fnord.no> On Tue, Jun 08, 2010 at 11:14:10PM -0700, Paul Ferguson wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > To cut through the noise and non-relevant discussion, let's see if we can > boil this down to a couple of issues: > > 1. Should ISPs be responsible for abuse from within their customer base? No and no. The first no being legally, the second, morally. The user is responsible for the abuse. 
Now, if the question had been whether the ISP should be responsible for dealing with it appropriately, then the answer would be yes. Of course, when it comes to the legal aspect, it would probably vary from country to country. No, let me rephrase that: It _does_ vary from country to country, and probably also state to state. However, to hold someone else responsible for a person's criminal activity would be just plain wrong, as long as the ISP's part in the activity is only to give their customer access to networks and services that every other customer also gets access to. > 2. Should hosting providers also be held responsible for customers who abuse > their services in a criminal manner? No. For several reasons. First, the hosting provider normally does not have too much control over what the customers actually do. If someone complains, or they detect something through audits or similar, that is different. But even then, there will be certain problems. How does the hosting provider know that something is, in fact, criminal? In some cases, that may be obvious, but there will be cases where the case is not so clear. If the provider might be held responsible for something their customers do, they might decide to remove legal content 'just in case'. Also, who would determine whether something is illegal or not? Tech support? The admin? I doubt that any of those are able to determine something that courts tend to spend a lot of time and resources on. > I think anyone in their right mind would agree that if a provider see > criminal activity, they should take action, no? Not necessarily. Again, this would of course depend on the laws in the given state or country. However, people disagree on what is considered legal or not. If everyone _had_ agreed on this, the courts would have had less work. It is the responsibility of the judicial system to determine whether someone is breaking the law or not. 
For commercial companies to start making that sort of judgements is, at least in my opinion, _not_ a good thing. -- Ina Faye-Lund From tvhawaii at shaka.com Thu Jun 10 03:53:27 2010 From: tvhawaii at shaka.com (Michael Painter) Date: Wed, 9 Jun 2010 22:53:27 -1000 Subject: ISP Responsibilities [WAS: Re: Nato warns of strike againstcyber attackers] References: <20100610083653.GB18440@fnord.no> Message-ID: <325EBB87E93F4F698BD8840A1390D02D@DELL16> >From recent article at MIT Technology Review: How ISPs Could Combat Botnets Focusing on the top 50 infected networks could eliminate half of all compromised machines. Convincing Internet service providers to pinpoint infected computers on their networks could eliminate the lion's share of zombie computers responsible for churning out spam and initiating other online threats, according to a new analysis. The researchers analyzed more than 63 billion unsolicited e-mail messages sent over a four-year period and found more than 138 million unique internet addresses linked to sending out the spam. Typically such machines have been hijacked by hackers and are corralled into a vast network of remote-controlled system known as a "botnet." By correlating the Internet protocol addresses of these spam-sending machines with the networks maintained by Internet service providers, the researchers found that about two-thirds of them were located in the networks managed by the 200 largest ISPs from 40 countries. The top-50 networks responsible accounted for more than half of all compromised IP addresses. If these ISPs were to shut down, or block, the malicious machines on their networks, it could cut worldwide spam by half. 
"Those 50 ISPs are not the [dubious] ones we hear about," says Michel van Eeten, professor of public administration at the Delft University of Technology in the Netherlands and one of the authors of a paper on the research, which will be presented next month at the Workshop on the Economics of Information Security at Harvard University. "They are the ones we deal with every day, and so are more approachable and are in the reach of government." Rest here: http://www.technologyreview.com/computing/25245/ From a.harrowell at gmail.com Wed Jun 9 16:56:34 2010 From: a.harrowell at gmail.com (Alexander Harrowell) Date: Wed, 09 Jun 2010 23:56:34 +0200 Subject: Nato warns of strike against cyber attackers In-Reply-To: <4C0FB1CD.2010606@cox.net> References: <201006091321.o59DLL3A016614@aurora.sol.net> <4C0FB1CD.2010606@cox.net> Message-ID: <882b51b1-ba2a-4d79-809b-0e0e173a9fbc@email.android.com> This would appear to be political in nature and therefore not operational, right? "Larry Sheldon" wrote: >On 6/9/2010 08:21, Joe Greco wrote: > >> Your car emits lots of greenhouse gases. Just because it's /less/ doesn't >> change the fact that the Prius has an ICE. We have a Prius and a HiHy too. > >Did Godwin say anything about rand discussions degenerating to >mythologies like "gorebull warming"? > >-- >Somebody should have said: >A democracy is two wolves and a lamb voting on what to have for dinner. > >Freedom under a constitutional republic is a well armed lamb contesting >the vote. > >Requiescas in pace o email >Ex turpi causa non oritur actio >Eppure si rinfresca > >ICBM Targeting Information: http://tinyurl.com/4sqczs >http://tinyurl.com/7tp8ml > > > -- Sent from my Android phone with K-9 Mail. Please excuse my brevity. From awacs at ziskind.us Thu Jun 10 04:39:43 2010 From: awacs at ziskind.us (N. 
Yaakov Ziskind)
Date: Thu, 10 Jun 2010 05:39:43 -0400
Subject: SCO UNIX Errors
In-Reply-To: <306629.32755.qm@web39503.mail.mud.yahoo.com>
References: <306629.32755.qm@web39503.mail.mud.yahoo.com>
Message-ID: <20100610053943.A19698@egps.ziskind.us>

The best place to ask this question is on usenet:comp.unix.sco.misc.

jacob miller wrote (on Wed, Jun 09, 2010 at 11:40:27PM -0700):
> Hi,
>
> Am getting the following error from my SCO UNIX box.
>
> Any idea as to what they mean.
>
> proto: 0, age: 1274191185
> locks: inits:
> sockaddrs:
> 172.16.3.12 172.16.1.254
> route: got message of size 120
> RTM_LOSING: Kernel Suspects Partitioning: len 120, pid: 0, seq 0, errno 0, flags:
> proto: 0, age: 1274191200
> locks: inits:
> sockaddrs:
> 172.16.3.12 172.16.1.254
> route: got message of size 120
> RTM_LOSING: Kernel Suspects Partitioning: len 120, pid: 0, seq 0, errno 0, flags:
> proto: 0, age: 1274191204
> locks: inits:
> sockaddrs:
> 172.16.10.3 172.16.1.254
> route: got message of size 120
> RTM_LOSING: Kernel Suspects Partitioning: len 120, pid: 0, seq 0, errno 0, flags:
> proto: 0, age: 1274191206
> locks: inits:
> sockaddrs:
> 172.16.3.12 172.16.1.254
> route: got message of size 120
> RTM_LOSING: Kernel Suspects Partitioning: len 120, pid: 0, seq 0, errno 0, flags:
> proto: 0, age: 1274191249
> locks: inits:
> sockaddrs:
> 172.16.3.12 172.16.1.254
> route: got message of size 120
> RTM_LOSING: Kernel Suspects Partitioning: len 120, pid: 0, seq 0, errno 0, flags:
> proto: 0, age: 1274191250
> locks: inits:
> sockaddrs:
> 172.16.10.3 172.16.1.254
> route: got message of size 120
> RTM_LOSING: Kernel Suspects Partitioning: len 120, pid: 0, seq 0, errno 0, flags:
> proto: 0, age: 1274191264
> locks: inits:
> sockaddrs:
> 172.16.3.12 172.16.1.254
> route: got message of size 120
> RTM_LOSING: Kernel Suspects Partitioning: len 120, pid: 0, seq 0, errno 0, flags:
> proto: 0, age: 1274191268
> locks: inits:
> sockaddrs:
> 172.16.10.3 172.16.1.254
> route: got message of size 120
> RTM_LOSING: Kernel Suspects Partitioning: len 120, pid: 0, seq 0, errno 0, flags:
> proto: 0, age: 1274191270
> locks: inits:
> sockaddrs:
> 172.16.3.12 172.16.1.254
> route: got message of size 120
> RTM_LOSING: Kernel Suspects Partitioning: len 120, pid: 0, seq 0, errno 0, flags:
> proto: 0, age: 1274191297
> locks: inits:
> sockaddrs:
> 172.16.10.3 172.16.1.254
>
> Regards,
> Jacob

--
_________________________________________
Nachman Yaakov Ziskind, FSPA, LLM awacs at ziskind.us
Attorney and Counselor-at-Law http://ziskind.us
Economic Group Pension Services http://egps.com
Actuaries and Employee Benefit Consultants

From Valdis.Kletnieks at vt.edu Thu Jun 10 05:27:09 2010
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Thu, 10 Jun 2010 06:27:09 -0400
Subject: SCO UNIX Errors
In-Reply-To: Your message of "Thu, 10 Jun 2010 05:39:43 EDT." <20100610053943.A19698@egps.ziskind.us>
References: <306629.32755.qm@web39503.mail.mud.yahoo.com> <20100610053943.A19698@egps.ziskind.us>
Message-ID: <82840.1276165629@localhost>

On Thu, 10 Jun 2010 05:39:43 EDT, "N. Yaakov Ziskind" said:
> The best place to ask this question is on usenet:comp.unix.sco.misc.

This is, of course, if you can find a still-functional usenet server. ;)

From imb at protected-networks.net Thu Jun 10 05:33:42 2010
From: imb at protected-networks.net (Michael Butler)
Date: Thu, 10 Jun 2010 06:33:42 -0400
Subject: SCO UNIX Errors
In-Reply-To: <4C108E9C.2040304@trelane.net>
References: <306629.32755.qm@web39503.mail.mud.yahoo.com> <1276152318.7701.667.camel@petrie> <4C108E9C.2040304@trelane.net>
Message-ID: <4C10BF86.6090609@protected-networks.net>

On 06/10/10 03:05, Andrew D Kirch wrote:
> On 06/10/2010 02:45 AM, William Pitcock wrote:
> The above should be considered the correct response to this and any
> similar question.

This reminds me of another person on this list who was heard at INET-1996 to say: "We build the highway, we don't fix your car"

Michael

From wavetossed at googlemail.com Thu Jun 10 06:27:18 2010
From: wavetossed at googlemail.com (Michael Dillon)
Date: Thu, 10 Jun 2010 12:27:18 +0100
Subject: Nato warns of strike against cyber attackers
In-Reply-To:
References: <44AC6E21-FC5A-45CB-B41F-A0348C2F8467@delong.com> <201006091202.o59C26tb006864@aurora.sol.net>
Message-ID:

> Going back then to a previous question, do we want more/any regulation ?

Yes. All vulnerable industries should have their use of network communications regulated. This means all power stations, electricity line operators, dam gate operators, etc. They should all be required to meet a standard of practice for secure network communications, air gap between SCADA networks and all other networks, and annual network inspections to ensure compliance.

If any organization operates an infrastructure which could be vulnerable to cyberattack that would damage the country in which they operate, that organization needs to be regulated to ensure that their networks cannot be exploited for cyberattack purposes.
That is the correct and measured response which does not involve the military except possibly in a security advisory role, and which is within the powers of governments. I would expect that the increased awareness of network security that resulted would pay dividends in business and home use of networks. --Michael Dillon From tim at pelican.org Thu Jun 10 07:15:59 2010 From: tim at pelican.org (Tim Franklin) Date: Thu, 10 Jun 2010 12:15:59 +0000 (GMT) Subject: Nato warns of strike against cyber attackers In-Reply-To: Message-ID: <16511050.01276172159035.JavaMail.root@jennyfur.pelican.org> > I would expect that the increased awareness of network security that > resulted would pay dividends in business and home use of networks. I'd expect a lot of nice business for audit firms with the right government connections, and another checklist with a magic acronym that has everything to do with security theatre and nothing to do with either actual security or the reality of operating a network. But perhaps I'm jaded from dealing with current auditors. Regards, Tim. From Valdis.Kletnieks at vt.edu Thu Jun 10 07:34:22 2010 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Thu, 10 Jun 2010 08:34:22 -0400 Subject: Nato warns of strike against cyber attackers In-Reply-To: Your message of "Thu, 10 Jun 2010 12:27:18 BST." References: <44AC6E21-FC5A-45CB-B41F-A0348C2F8467@delong.com> <201006091202.o59C26tb006864@aurora.sol.net> Message-ID: <87141.1276173262@localhost> On Thu, 10 Jun 2010 12:27:18 BST, Michael Dillon said: > If any organization operates an infrastructure which could be > vulnerable to cyberattack that would damage the country in which they > operate, that organization needs to be regulated to ensure that their > networks cannot be exploited for cyberattack purposes. s/cannot be/minimize the risk of/ And "would damage the country" is a very fuzzy concept that you really don't want to go anywhere near. 
Remember Microsoft arguing that a Federal judge shouldn't impose an injunction that was going to make them miss a ship date, on the grounds that the resulting delay would cause lost productivity at customer sites and harm the economy? (Mind you, I thought MS was making a good case they *should* be regulated, if their ship dates actually had that much influence.. ;)

From sil at infiltrated.net Thu Jun 10 08:06:10 2010
From: sil at infiltrated.net (J. Oquendo)
Date: Thu, 10 Jun 2010 09:06:10 -0400
Subject: Nato warns of strike against cyber attackers
In-Reply-To: <16511050.01276172159035.JavaMail.root@jennyfur.pelican.org>
References: <16511050.01276172159035.JavaMail.root@jennyfur.pelican.org>
Message-ID: <4C10E342.1020009@infiltrated.net>

Tim Franklin wrote:
> and another checklist with a magic acronym that has everything to do
> with security theatre and nothing to do with either actual security or
> the reality of operating a network.

Checklists come in handy; in fact, if many were followed (BCP checklists, appropriate industry standard fw, system rules) the net would be a cleaner place. What I've seen in many responses is feet dragging: "Ah, why bother, it won't do nothing to stop it..." Without even trying.

It all begins with one's own network. The entire concept of peering was built on trust of the peer. Would you knowingly allow someone to share your hallway without taking precautionary measures or at least keeping a vigilant eye? What happens when you see something out of the norm: do you continue to allow them without saying anything, waiting for your neighbor to speak? In doing so, how can you be assured the individual won't try to creep up on your property?

// JC Dill wrote:
Yes, ISPs are going to have to "handle" the problem. But, IMHO the root cause of the problem starts in Redmond, and ISPs should sue Redmond for the lack of suitable security in their product, rendering it an attractive nuisance and requiring ISPs to clean up after Redmond's mess. It's not fair to expect ISPs to shoulder this burden, and it's not fair to pass on the cost to customers as a blanket surcharge (and it won't work from a business standpoint) as not all customers use Microsoft's virus-vector software. And it's not really fair to expect the end customer to shoulder this burden when it's Microsoft's fault for failing to properly secure their software. But end user customers don't have the resources to sue Microsoft, and then there's that whole EULA problem. ISPs who are NOT a party to the EULA between Microsoft and the user, but who are impacted by Microsoft's shoddy security can (IMHO) make a valid claim that Microsoft created an attractive nuisance (improperly secured software), and should be held accountable for the vandal's use thereof, used to access and steal resources (bandwidth, etc.) from the ISP thru the ISP's customer's infested Windows computer.
//

More finger pointing here. Should MS now sue Adobe for shoddy coding because Adobe's PDF reader caused a compromise (improperly secured software)? Let's take it from the top down for a moment and focus on what is going on. Operating systems are insecure; it doesn't matter whether one was produced by a company in Redmond or hacked together on IRC. ANY operating system that is in an attacking state (dishing out malware, attacking other machines) is doing so via a network. If/when you see it, do you shrug it off and say "not my problem, it's because of someone's lack of oversight in Redmond" when you have the capability to stop it? ISPs don't "have to" handle the problem, they SHOULD handle the problem.

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E

From tme at americafree.tv Thu Jun 10 08:35:24 2010
From: tme at americafree.tv (Marshall Eubanks)
Date: Thu, 10 Jun 2010 09:35:24 -0400
Subject: Broadband Internet Technical Advisory Group
Message-ID:

This just popped up - BITAG, the Broadband Internet Technical Advisory Group, which apparently has some Google backing. While it does not impact router configuration today, it sure does sound like they want to in the future.

http://www.prnewswire.com/news-releases/initial-plans-for-broadband-internet-technical-advisory-group-announced-95950709.html
http://googlepublicpolicy.blogspot.com/2010/06/broadband-internet-technical-advisory.html

"For some time now, we've been advocating for the formation of a group of technical experts to put forward their best thinking on how to manage broadband networks in ways that still preserve and promote an open Internet. We've worked closely with Verizon and others in the Internet sector to further develop the concept, and we're excited by today's announcement that the Broadband Internet Technical Advisory Group, or BITAG, has begun the process of formally launching."

Regards
Marshall

From tim at pelican.org Thu Jun 10 09:10:19 2010
From: tim at pelican.org (Tim Franklin)
Date: Thu, 10 Jun 2010 14:10:19 +0000 (GMT)
Subject: Nato warns of strike against cyber attackers
In-Reply-To: <21352757.81276178818339.JavaMail.root@jennyfur.pelican.org>
Message-ID: <1526759.101276179019338.JavaMail.root@jennyfur.pelican.org>

> Checklists come in handy; in fact, if many were followed (BCP
> checklists, appropriate industry standard fw, system rules)
> the net would be a cleaner place.

Sensible checklists that actually improve matters, yes.
The audit checklists I've often been subjected to, full of security theatre and things that are "accepted auditor wisdom" rather than contributing to the security of the network in any meaningful way, not so much. Regards, Tim. From awacs at ziskind.us Thu Jun 10 09:19:26 2010 From: awacs at ziskind.us (N. Yaakov Ziskind) Date: Thu, 10 Jun 2010 10:19:26 -0400 Subject: SCO UNIX Errors In-Reply-To: <82840.1276165629@localhost> References: <306629.32755.qm@web39503.mail.mud.yahoo.com> <20100610053943.A19698@egps.ziskind.us> <82840.1276165629@localhost> Message-ID: <20100610101926.A21707@egps.ziskind.us> Valdis.Kletnieks at vt.edu wrote (on Thu, Jun 10, 2010 at 06:27:09AM -0400): > On Thu, 10 Jun 2010 05:39:43 EDT, "N. Yaakov Ziskind" said: > > The best place to ask this question is on usenet:comp.unix.sco.misc. > > This is, of course, if you can find a still-functional usenet server. ;) If not, there's Google Groups, and I believe that CUSM is gated to a mailing list. I'm just saying. -- _________________________________________ Nachman Yaakov Ziskind, FSPA, LLM awacs at ziskind.us Attorney and Counselor-at-Law http://ziskind.us Economic Group Pension Services http://egps.com Actuaries and Employee Benefit Consultants From jmamodio at gmail.com Thu Jun 10 09:21:49 2010 From: jmamodio at gmail.com (Jorge Amodio) Date: Thu, 10 Jun 2010 09:21:49 -0500 Subject: Broadband Internet Technical Advisory Group In-Reply-To: References: Message-ID: Looks to me more like the constitution of the "Net'Cartel" somebody forgot to invite ICANN ? BITAG-BCP01 how to hijack the net and the standards process ... Are we evolving ? Cheers Jorge From awacs at ziskind.us Thu Jun 10 09:24:43 2010 From: awacs at ziskind.us (N. 
Yaakov Ziskind)
Date: Thu, 10 Jun 2010 10:24:43 -0400
Subject: SCO UNIX Errors
In-Reply-To: <1276152318.7701.667.camel@petrie>
References: <306629.32755.qm@web39503.mail.mud.yahoo.com> <1276152318.7701.667.camel@petrie>
Message-ID: <20100610102443.B21707@egps.ziskind.us>

William Pitcock wrote (on Thu, Jun 10, 2010 at 01:45:18AM -0500):
> On Wed, 2010-06-09 at 23:40 -0700, jacob miller wrote:
> > Hi,
> >
> > Am getting the following error from my SCO UNIX box.
>
> They mean "use an operating system not made by crackheads." There's a
> reason why SCO switched from UNIX sales to Intellectual Property
> trolling after all.
>
> William

To be pedantic, the *operating system* was not made by crackheads. The crackheads who trashed the company (hint: it started a *long* time before McBride) were always the suits. The operating system is quite solid, but a bit dated, and (with the shift to IP trolling) became more and more out of date. But the coders were really nice people, and they did some really nice things.

Operational content: never let the suits run your company. :-) Or, if they do, keep your eye on the door.

--
_________________________________________
Nachman Yaakov Ziskind, FSPA, LLM awacs at ziskind.us
Attorney and Counselor-at-Law http://ziskind.us
Economic Group Pension Services http://egps.com
Actuaries and Employee Benefit Consultants

From wavetossed at googlemail.com Thu Jun 10 09:52:24 2010
From: wavetossed at googlemail.com (Michael Dillon)
Date: Thu, 10 Jun 2010 15:52:24 +0100
Subject: Nato warns of strike against cyber attackers
In-Reply-To: <87141.1276173262@localhost>
References: <44AC6E21-FC5A-45CB-B41F-A0348C2F8467@delong.com> <201006091202.o59C26tb006864@aurora.sol.net> <87141.1276173262@localhost>
Message-ID:

> And "would damage the country" is a very fuzzy concept that you really don't
> want to go anywhere near.

I wasn't drafting legislation; I was introducing a concept.
I would expect that actual legislation would explicitly list which industries were subject to such regulation. Otherwise it might include all Internet PoPs and datacenters which would be rather dumb. --Michael Dillon From jcdill.lists at gmail.com Thu Jun 10 10:40:15 2010 From: jcdill.lists at gmail.com (JC Dill) Date: Thu, 10 Jun 2010 08:40:15 -0700 Subject: Nato warns of strike against cyber attackers In-Reply-To: <4C10E342.1020009@infiltrated.net> References: <16511050.01276172159035.JavaMail.root@jennyfur.pelican.org> <4C10E342.1020009@infiltrated.net> Message-ID: <4C11075F.4000005@gmail.com> J. Oquendo wrote: > More finger pointing here. You say that like it's a bad thing. I'm pointing fingers at the company that has a long history of selling software with shoddy security (including releasing newer versions with restored vulnerabilities that were found and "fixed" years earlier), and then passing the buck on fixing the issues it causes by hiding behind their EULA. Their EULA protects Microsoft from their own customers, but it does NOT protect Microsoft from the effects the damage causes on OTHERS who are not parties to the EULA. This is where "attractive nuisance" comes in. > > ISP's don't "have to" handle the problem, they SHOULD handle the problem. > This whole thread is about ISPs not handling the problem and allowing the problem to affect others beyond the ISP. In this case we could claim the ISP is also allowing an attractive nuisance to damage others and hold that ISP responsible for the damage that extends outside their network. However, we don't need a legal framework to solve THAT problem - we can address it with appropriate network blocks etc. 
(UDP-style) jc From owen at delong.com Thu Jun 10 10:55:19 2010 From: owen at delong.com (Owen DeLong) Date: Thu, 10 Jun 2010 08:55:19 -0700 Subject: Nato warns of strike against cyber attackers In-Reply-To: <4C1080A0.1000303@gmail.com> References: <44AC6E21-FC5A-45CB-B41F-A0348C2F8467@delong.com> <201006091202.o59C26tb006864@aurora.sol.net> <4C0FB295.7030005@2mbit.com> <6994E5E9-AD13-43DB-9137-07217DE03D0F@delong.com> <4C1080A0.1000303@gmail.com> Message-ID: <9D87F452-F059-4263-885C-2915F35EDDF7@delong.com> On Jun 9, 2010, at 11:05 PM, JC Dill wrote: > Owen DeLong wrote: >> >> Software has been out of control for a long time and I hope that the gov't will start by ruling the "not responsible for our negligence or the damage it causes" clauses of software licenses invalid. > > The beauty of my "attractive nuisance" argument is that the EULA doesn't shield Microsoft from the damage their software causes to a 3rd party such as the ISP who has to deal with the botnet infections of their customers. > jc > Yep... Much the same as my suggestion merely involves applying the same product liability standards as every other industry faces to software. Owen From wavetossed at googlemail.com Thu Jun 10 11:05:35 2010 From: wavetossed at googlemail.com (Michael Dillon) Date: Thu, 10 Jun 2010 17:05:35 +0100 Subject: Best Practices checklists Message-ID: I expect that the collected members of this list could do a good job of defining some network security practices checklists. Now that NANOG has been spun out as an independent entity, I would hate to see it become just another conference organizer. In the recent past many professions have learned how valuable a simple checklist is in preventing errors and ensuring that work adheres to a certain standard. So I am suggesting that NANOG take on the task of compiling and publishing checklists for various areas of network operations. 
We could have a NANOG wiki where people can publish, and work over, suggestions for checklist topics and content. Then at the conferences, a BOF-style meeting could hash out the official published versions. We could have an interesting debate on whether or not this would make a difference and whether or not NANOG should take on this role. But I hope that we are now at a point where we see that network sloppiness and insecurity are becoming such major issues that action is needed. Let's act first, and evaluate the usefulness of the work, later. --Michael Dillon From dmm at 1-4-5.net Thu Jun 10 11:12:55 2010 From: dmm at 1-4-5.net (David Meyer) Date: Thu, 10 Jun 2010 09:12:55 -0700 Subject: Best Practices checklists In-Reply-To: References: Message-ID: <20100610161255.GA5214@1-4-5.net> On Thu, Jun 10, 2010 at 05:05:35PM +0100, Michael Dillon wrote: > I expect that the collected members of this list could do a good job > of defining some network security practices checklists. Now that NANOG > has been spun out as an independent entity, I would hate to see it > become just another conference organizer. In the recent past many > professions have learned how valuable a simple checklist is in > preventing errors and ensuring that work adheres to a certain > standard. > > So I am suggesting that NANOG take on the task of compiling and > publishing checklists for various areas of network operations. We > could have a NANOG wiki where people can publish, and work over, > suggestions for checklist topics and content. Then at the conferences, > a BOF-style meeting could hash out the official published versions. > > We could have an interesting debate on whether or not this would make > a difference and whether or not NANOG should take on this role. But I > hope that we are now at a point where we see that network sloppiness > and insecurity are becoming such major issues that action is needed. > Let's act first, and evaluate the usefulness of the work, later. 
This is in large part what Aaron is trying to organize. There is a track on this topic on Monday afternoon. Please see http://nanog.org/meetings/nanog49/abstracts.php?pt=MTU2NyZuYW5vZzQ5&nm=nanog49

Thnx,
Dave

From kris.foster at gmail.com Thu Jun 10 11:14:18 2010
From: kris.foster at gmail.com (kris foster)
Date: Thu, 10 Jun 2010 09:14:18 -0700
Subject: Best Practices checklists
In-Reply-To: References: Message-ID: <1CD5740E-4987-4F8A-A82B-2662E7536C7F@gmail.com>

This is a good topic for nanog-futures and not the main list since it's about the organization.

Kris

On Jun 10, 2010, at 9:05 AM, Michael Dillon wrote:

> I expect that the collected members of this list could do a good job
> of defining some network security practices checklists. Now that NANOG
> has been spun out as an independent entity, I would hate to see it
> become just another conference organizer. In the recent past many
> professions have learned how valuable a simple checklist is in
> preventing errors and ensuring that work adheres to a certain
> standard.
>
> So I am suggesting that NANOG take on the task of compiling and
> publishing checklists for various areas of network operations. We
> could have a NANOG wiki where people can publish, and work over,
> suggestions for checklist topics and content. Then at the conferences,
> a BOF-style meeting could hash out the official published versions.
>
> We could have an interesting debate on whether or not this would make
> a difference and whether or not NANOG should take on this role. But I
> hope that we are now at a point where we see that network sloppiness
> and insecurity are becoming such major issues that action is needed.
> Let's act first, and evaluate the usefulness of the work, later.
>
> --Michael Dillon
>

From bruns at 2mbit.com Thu Jun 10 11:16:37 2010
From: bruns at 2mbit.com (Brielle Bruns)
Date: Thu, 10 Jun 2010 10:16:37 -0600
Subject: Nato warns of strike against cyber attackers
In-Reply-To: <6994E5E9-AD13-43DB-9137-07217DE03D0F@delong.com>
References: <44AC6E21-FC5A-45CB-B41F-A0348C2F8467@delong.com> <201006091202.o59C26tb006864@aurora.sol.net> <4C0FB295.7030005@2mbit.com> <6994E5E9-AD13-43DB-9137-07217DE03D0F@delong.com>
Message-ID: <4C110FE5.5050307@2mbit.com>

On 6/9/10 2:56 PM, Owen DeLong wrote:
>
> On Jun 9, 2010, at 8:26 AM, Brielle Bruns wrote:
>
>> On 6/9/10 6:27 AM, Jorge Amodio wrote:
>>> Going back then to a previous question, do we want more/any
>>> regulation ?
>>
>> Laws and regulation exist because people can't behave civilly and
>> be expected to respect the rights/boundaries/property of others.
>>
>> CAN-SPAM exists because the e-mail marketing business refused to
>> self regulate and respect the wishes of consumers/administrators
>>
> Which is good, because it certainly eliminated most of the SPAM. --
> NOT!
>
>> FDCPA exists because the debt collectors couldn't resist the
>> temptation to harass and intimidate consumers, and behave
>> ethically.
>>
> And of course, it has caused them all to do so, now, right? -- NOT!

These may not solve all problems, but it does give victims (at least in the case of debt collectors) the ability to club them in the face in court a few times to the tune of a thousand bucks or so an incident. Nothing is more satisfying than being able to offer a debt collector the option to settle for $X amount. :)

>
>> Lately, the courts have been ruling that companies like LimeWire
>> are responsible for their products being used for
>> piracy/downloading because they knew what was going on, but were
>> turning a blind eye.
>>
> This is a positive step, IMHO, but, now companies like Apple and
> Micr0$0ft need to be held to similar standards.
Problem is, Microsoft and Apple, though being lax in their coding practices, can't entirely help it. Open Source software has the same problems, but do you really think that we should be charging Linus every time a Linux box is owned? There comes a point where a program is so large and expansive that holes/exploits are a fact of life.

>
>> Why not apply the same standards to ISPs? If it can be shown that
>> you had knowledge of specific abuse coming from your network, but
>> for whatever reason, opted to ignore it and turn a blind eye, then
>> you are responsible.
>>
> I agree.
>
>> When I see abuse from my network or am made aware of it, I isolate
>> and drop on my edge the IPs in question, then investigate and
>> respond. Most times, it takes me maybe 10-15 minutes to track down
>> the user responsible, shut off their server or host, then terminate
>> their stupid self.
>>
> Yep.
>
>> A little bit of effort goes a long way. But, if you refuse to put
>> in the effort (I'm looking at you, GoDaddy Abuse Desk), then of
>> course the problems won't go away.
>>
> Agreed.
>

Now if only we could get certain providers to put some effort into it...

--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org / http://www.ahbl.org

From andrew.wallace at rocketmail.com Thu Jun 10 12:24:30 2010
From: andrew.wallace at rocketmail.com (andrew.wallace)
Date: Thu, 10 Jun 2010 10:24:30 -0700 (PDT)
Subject: Nato warns of strike against cyber attackers
In-Reply-To: References: <201006092304.o59N4hmO079022@aurora.sol.net> <4C102557.2010301@cox.net>
Message-ID: <267626.84972.qm@web59604.mail.ac4.yahoo.com>

On Thu, Jun 10, 2010 at 4:22 AM, Jorge Amodio wrote:
> Cyber Threats Yes, But Is It Cyber War?
> http://www.circleid.com/posts/20100609_cyber_threats_yes_but_is_it_cyberwar/ > > -J Cyber war is something made up by the security industry to save it from going bankrupt because the traditional profit vectors such as virus and worm authors aren't releasing threats to the web anymore because the motivation for the hackers has changed from fun to money. You've got folks now trying to artificially ramp up cyber security as a national security agenda now to create a new profit vector now that the traditional threats don't exist anymore. "How do we ramp up cyber security as a national security agenda, something the next president has to worry about?" "How do we get cyber security as the top headline on CNN and Fox News so that cyber security is something The White House works on?" http://www.youtube.com/watch?v=FSUPTZVlkyU The response to this video was "It Shouldn't Take a 9/11 to Fix Cybersecurity (But it Might)" http://www.youtube.com/watch?v=cojeP3kJBug&feature=watch_response I highlighted these suspicious videos on Full-disclosure mailing list but they didn't seem to think there was anything wrong. I also sent them to MI5 via their web form but I've had no reply from them. 
Andrew http://sites.google.com/site/n3td3v/ From henry at AegisInfoSys.com Thu Jun 10 12:26:59 2010 From: henry at AegisInfoSys.com (Henry Yen) Date: Thu, 10 Jun 2010 13:26:59 -0400 Subject: Nato warns of strike against cyber attackers In-Reply-To: <19471.64822.710822.105019@world.std.com>; from Barry Shein on Wed, Jun 09, 2010 at 16:44:38PM -0400 References: <4C0F11A0.8000303@gmail.com> <19471.64822.710822.105019@world.std.com> Message-ID: <20100610132658.T15770@AegisInfoSys.com> On Wed, Jun 09, 2010 at 16:44:38PM -0400, Barry Shein wrote: > MAYBE IF [please read thru before replying because I probably cover > most knee-jerk responses eventually]: > > d) Microsoft hadn't ignored all these basic security practices in > operating systems which were completely well understood and > implemented in OS after OS back to at least 1970 if not before because > they saw more profit in, to use a metaphor, selling cars without > safety glass in the windshields etc, consequences be damned. That's a thesis argued in Clarke's book (already mentioned here on NANOG, and slashdot and ...): "Microsoft has vast resources, literally billions of dollars in cash, or liquid assets reserves. Microsoft is an incredibly successful empire built on the premise of market dominance with low-quality goods." Who wrote those lines? Steve Jobs? Linux inventor Linus Torvalds? Ralph Nader? No, the author is former White House adviser Richard A. Clarke in his new book, Cyber War: The Next Threat to National Security and What to Do About It. Clarke tries to be fair. He notes that Microsoft didn't originally intend its software for critical networks. But even his efforts at fairness are unflattering. Microsoft's original goal "was to get the product out the door and at a low cost of production," he explains. -- Henry Yen Aegis Information Systems, Inc. 
Senior Systems Programmer
Hicksville, New York

From jlewis at packetnexus.com Thu Jun 10 13:46:48 2010
From: jlewis at packetnexus.com (Jason Lewis)
Date: Thu, 10 Jun 2010 14:46:48 -0400
Subject: Upcoming Improvements to ARIN's Directory Service
In-Reply-To: <20100604190504.GA61967@arin.net>
References: <20100604190504.GA61967@arin.net>
Message-ID:

I just found out that with the move to this new service that the bulk access FTP is going to be phased out. By design, there will be no way to automate the bulk download of this data.

Is anyone else using the data in an environment that will be seriously impacted by this change?

On Fri, Jun 4, 2010 at 3:05 PM, Mark Kosters wrote:
> Hi
>
> This was posted on arin-announce this morning as many of you
> may be interested:
>
> ARIN is pleased to announce that it plans to deploy an improved Whois
> service called Whois-RWS on 26 June 2010. Included in the deployment are
> the following services that provide the general public with access to
> ARIN's registration data.
>
>    * a RESTful Web Service (RWS)
>    * a NICNAME/WHOIS port 43 service
>    * a user-friendly web site (http://whois.arin.net)
>
> A demo of this service has been available since October 2009. The
> demonstration service will be available at
> http://whoisrws-demo.arin.net until the production service is deployed
> on 26 June 2010.
>
> When using Whois-RWS you will notice some differences in behavior for
> certain queries and corresponding result sets on the NICNAME/WHOIS port
> 43 service. ARIN will make a separate announcement on 11 June when it
> publishes detailed documentation on these differences along with the
> demonstration service update.
> > ARIN continues to welcome community participation on the Whois-RWS > mailing list, and we invite you to subscribe and share your thoughts and > suggestions at: > http://lists.arin.net/mailman/listinfo/arin-whoisrws > > More detailed information on these changes and other future features > that may impact the community at ARIN is available at: > https://www.arin.net/features/ > > Regards, > > Mark Kosters > Chief Technical Officer > American Registry for Internet Numbers (ARIN) > > From sethm at rollernet.us Thu Jun 10 14:23:48 2010 From: sethm at rollernet.us (Seth Mattinen) Date: Thu, 10 Jun 2010 12:23:48 -0700 Subject: Upcoming Improvements to ARIN's Directory Service In-Reply-To: References: <20100604190504.GA61967@arin.net> Message-ID: <4C113BC4.4000006@rollernet.us> On 6/10/2010 11:46, Jason Lewis wrote: > I just found out that with the move to this new service that the bulk > access FTP is going to be phased out. By design, there will be no way > to automate the bulk download of this data. > > Is anyone else using the data in an environment that will be seriously > impacted by this change? > Apparently we're supposed to be going all Web 2.0 now. ~Seth From tmagill at providecommerce.com Thu Jun 10 14:23:58 2010 From: tmagill at providecommerce.com (Thomas Magill) Date: Thu, 10 Jun 2010 12:23:58 -0700 Subject: Google Issues? Message-ID: Is anyone seeing warnings today from Google that they suspect that searches are coming from an automated source and asking to complete some captcha-type authentication to complete a search? We have had a couple of reports on this and I want to make sure it isn't a google issue. I know this isn't really an operator issue but there are enough knowledgeable people here that I thought I would ask. 
Thomas Magill
Network Engineer
Office: (858) 909-3777
Cell: (858) 869-9685
mailto:tmagill at providecommerce.com
provide-commerce
4840 Eastgate Mall
San Diego, CA 92121
ProFlowers | redENVELOPE | Cherry Moon Farms | Shari's Berries

From rubensk at gmail.com Thu Jun 10 14:33:41 2010
From: rubensk at gmail.com (Rubens Kuhl)
Date: Thu, 10 Jun 2010 16:33:41 -0300
Subject: Google Issues?
In-Reply-To: References: Message-ID:

This usually indicates a heavily malware-contaminated userbase or 1-to-N NAT/PAT with a large N. Having both is what usually triggers this, but sometimes if you are strong on one, it could be enough.

Rubens

On Thu, Jun 10, 2010 at 4:23 PM, Thomas Magill wrote:
> Is anyone seeing warnings today from Google that they suspect that
> searches are coming from an automated source and asking to complete some
> captcha-type authentication to complete a search? We have had a couple
> of reports on this and I want to make sure it isn't a google issue. I
> know this isn't really an operator issue but there are enough
> knowledgeable people here that I thought I would ask.
>
> Thomas Magill
> Network Engineer
> Office: (858) 909-3777
> Cell: (858) 869-9685
> mailto:tmagill at providecommerce.com
> provide-commerce
> 4840 Eastgate Mall
> San Diego, CA 92121
> ProFlowers | redENVELOPE | Cherry Moon Farms | Shari's Berries

From tmagill at providecommerce.com Thu Jun 10 14:37:10 2010
From: tmagill at providecommerce.com (Thomas Magill)
Date: Thu, 10 Jun 2010 12:37:10 -0700
Subject: Google Issues?
In-Reply-To: References: Message-ID:

Yeah, I cannot reproduce from any other location so it seems tied to our PAT address... Guess I have to actually do work. :) I suspect malware as our PAT is actually running less translations than typical. Checking with our IDS vendor. Thanks for the follow up.
-----Original Message-----
From: Rubens Kuhl [mailto:rubensk at gmail.com]
Sent: Thursday, June 10, 2010 12:34 PM
To: Thomas Magill
Cc: nanog at nanog.org
Subject: Re: Google Issues?

This usually indicates a heavily malware-contaminated userbase or 1-to-N NAT/PAT with a large N. Having both is what usually triggers this, but sometimes if you are strong on one, it could be enough.

Rubens

On Thu, Jun 10, 2010 at 4:23 PM, Thomas Magill wrote:
> Is anyone seeing warnings today from Google that they suspect that
> searches are coming from an automated source and asking to complete some
> captcha-type authentication to complete a search? We have had a couple
> of reports on this and I want to make sure it isn't a google issue. I
> know this isn't really an operator issue but there are enough
> knowledgeable people here that I thought I would ask.
>
> Thomas Magill
> Network Engineer
> Office: (858) 909-3777
> Cell: (858) 869-9685
> mailto:tmagill at providecommerce.com
> provide-commerce
> 4840 Eastgate Mall
> San Diego, CA 92121
> ProFlowers | redENVELOPE | Cherry Moon Farms | Shari's Berries

From brandon.galbraith at gmail.com Thu Jun 10 14:43:12 2010
From: brandon.galbraith at gmail.com (Brandon Galbraith)
Date: Thu, 10 Jun 2010 14:43:12 -0500
Subject: Upcoming Improvements to ARIN's Directory Service
In-Reply-To: <4C113BC4.4000006@rollernet.us>
References: <20100604190504.GA61967@arin.net> <4C113BC4.4000006@rollernet.us>
Message-ID:

On Thu, Jun 10, 2010 at 2:23 PM, Seth Mattinen wrote:
> On 6/10/2010 11:46, Jason Lewis wrote:
> > I just found out that with the move to this new service that the bulk
> > access FTP is going to be phased out. By design, there will be no way
> > to automate the bulk download of this data.
> >
> > Is anyone else using the data in an environment that will be seriously
> > impacted by this change?
> >
>
> Apparently we're supposed to be going all Web 2.0 now.
>
> ~Seth
>

Nothing wrong with having a nicer interface, but hopefully not at the expense of bulk data. If it's a huge issue to support FTP data transfers, they could at least provide a means through the web service to get bulk data intelligently.

--
Brandon Galbraith
Voice: 630.492.0464

From Valdis.Kletnieks at vt.edu Thu Jun 10 15:33:42 2010
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Thu, 10 Jun 2010 16:33:42 -0400
Subject: Best Practices checklists
In-Reply-To: Your message of "Thu, 10 Jun 2010 17:05:35 BST."
References: Message-ID: <21000.1276202022@localhost>

On Thu, 10 Jun 2010 17:05:35 BST, Michael Dillon said:
> I expect that the collected members of this list could do a good job
> of defining some network security practices checklists.

Already done for some stuff: http://www.cisecurity.org

You disagree with the content or choices, feel free to join in and help ;)

(Full disclosure: I'll take partial blame for the Solaris, AIX, and Linux benchmark documents...)

From wavetossed at googlemail.com Thu Jun 10 16:26:19 2010
From: wavetossed at googlemail.com (Michael Dillon)
Date: Thu, 10 Jun 2010 22:26:19 +0100
Subject: Upcoming Improvements to ARIN's Directory Service
In-Reply-To: <4C113BC4.4000006@rollernet.us>
References: <20100604190504.GA61967@arin.net> <4C113BC4.4000006@rollernet.us>
Message-ID:

> Apparently we're supposed to be going all Web 2.0 now.

Web 2.0 can handle bulk transfers of data just fine.

I wonder if this is somehow related to privacy and data protection laws.

Just recently, RIPE announced that they were going to block bulk transfers as a result of data protection laws, presumably because some law has just changed.
Obviously ARIN is under a different legal regime than RIPE, however data protection has recently been a hot button issue in the USA and it is possible that something similar will happen. Given the importance of case law in the USA, as opposed to legislation, I wouldn't be surprised if there was some sort of legal review going on. But again, as far as technology goes, HTTP is a superior file transfer protocol to FTP, so the move to Web 2.0 RESTful transactions over HTTP does not give any technical reason to stop bulk transfers. In fact, it may just be an oversight so you should really ask them Clearly, if nobody bothers to ask about bulk transfers, then nobody uses them and nobody cares, so shutting them down is the right thing to do. --Michael Dillon From LarrySheldon at cox.net Thu Jun 10 16:43:07 2010 From: LarrySheldon at cox.net (Larry Sheldon) Date: Thu, 10 Jun 2010 16:43:07 -0500 Subject: Nato warns of strike against cyber attackers In-Reply-To: <20100610132658.T15770@AegisInfoSys.com> References: <4C0F11A0.8000303@gmail.com> <19471.64822.710822.105019@world.std.com> <20100610132658.T15770@AegisInfoSys.com> Message-ID: <4C115C6B.8050601@cox.net> http://www.theatlantic.com/politics/archive/2010/06/homeland-securitys-cyber-bill-would-codify-executive-emergency-powers/57946/ http://tinyurl.com/2gyezyg -- Somebody should have said: A democracy is two wolves and a lamb voting on what to have for dinner. Freedom under a constitutional republic is a well armed lamb contesting the vote. Requiescas in pace o email Ex turpi causa non oritur actio Eppure si rinfresca ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml From jlewis at packetnexus.com Thu Jun 10 17:16:17 2010 From: jlewis at packetnexus.com (Jason Lewis) Date: Thu, 10 Jun 2010 18:16:17 -0400 Subject: Upcoming Improvements to ARIN's Directory Service In-Reply-To: References: <20100604190504.GA61967@arin.net> <4C113BC4.4000006@rollernet.us> Message-ID: It's very clear. 
I went back and forth with support, asking how to automate my bulk transfer with the new system. Me: Is the bulk data download going to be available for automated download. I can currently download the data daily from the ftp via a script. The new web page doesn't seem to support that. Support: No, there is no automation by design. I'm ok with whatever system they provide if the functionality stays the same. I don't understand what they gain by making a human login and download the file. On Thu, Jun 10, 2010 at 5:26 PM, Michael Dillon wrote: >> Apparently we're supposed to be going all Web 2.0 now. > > Web 2.0 can handle bulk transfers of data just fine. > > I wonder if this is somehow related to privacy and data protection laws. > > Just recently, RIPE announced that they were going to block bulk > transfers as a result of data protection laws, presumably because some > law has just changed. Obviously ARIN is under a different legal regime > than RIPE, however data protection has recently been a hot button > issue in the USA and it is possible that something similar will > happen. Given the importance of case law in the USA, as opposed to > legislation, I wouldn't be surprised if there was some sort of legal > review going on. > > But again, as far as technology goes, HTTP is a superior file transfer > protocol to FTP, so the move to Web 2.0 RESTful transactions over HTTP > does not give any technical reason to stop bulk transfers. In fact, it > may just be an oversight so you should really ask them Clearly, if > nobody bothers to ask about bulk transfers, then nobody uses them and > nobody cares, so shutting them down is the right thing to do. 
> > --Michael Dillon > > From jared at puck.nether.net Thu Jun 10 18:38:49 2010 From: jared at puck.nether.net (Jared Mauch) Date: Thu, 10 Jun 2010 19:38:49 -0400 Subject: huawei-nsp Message-ID: <20100610233849.GA34164@puck.nether.net> I've created a new list on puck, huawei-nsp You can subscribe here: https://puck.nether.net/mailman/listinfo/huawei-nsp - Jared -- Jared Mauch | pgp key available via finger from jared at puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine. From rubensk at gmail.com Thu Jun 10 21:56:04 2010 From: rubensk at gmail.com (Rubens Kuhl) Date: Thu, 10 Jun 2010 23:56:04 -0300 Subject: Upcoming Improvements to ARIN's Directory Service In-Reply-To: References: <20100604190504.GA61967@arin.net> <4C113BC4.4000006@rollernet.us> Message-ID: > I'm ok with whatever system they provide if the functionality stays > the same. ?I don't understand what they gain by making a human login > and download the file. Accountability. If versions X and Y of database got abused (breach of ToS), and only user U has downloaded such versions, gotcha. Using honeytokens on the downloaded file can be interesting to quickly connect the dots: if one of the handles on the list is comeonspammer32767 at wannahaveapieceofme.com, dynamically generated to match a download session, and suddenly this account starts to get spam... Rubens From mysidia at gmail.com Fri Jun 11 00:26:37 2010 From: mysidia at gmail.com (James Hess) Date: Fri, 11 Jun 2010 00:26:37 -0500 Subject: Upcoming Improvements to ARIN's Directory Service In-Reply-To: References: <20100604190504.GA61967@arin.net> <4C113BC4.4000006@rollernet.us> Message-ID: On Thu, Jun 10, 2010 at 9:56 PM, Rubens Kuhl wrote: > comeonspammer32767 at wannahaveapieceofme.com, dynamically generated to > match a download session, and suddenly this account starts to get > spam... well... yes.. doesn't help much if the token being abused is the admin POC's phone number, however. 
A session-based generated token alone would not be a very robust form of accountability; it is only as good as the strength of the verification required to get an account (and the confidence that multiple accounts do not collude). A user might simply sign up twice or more using fake signup details, compare their different downloads, and screen out any records that changed between the several sessions.

e.g. grab 3 copies of the same file (that were obtained using 3 different logins, from 3 different countries), run a 3-way diff, strip out any lines that changed. Any session-specific token would be excluded...

That is, if obtaining such a listing of e-mail addresses is even worth it to them. Maybe it is not. Maybe the more common abuse is manual solicitation by a human being, trying to sell some high-margin product targeted at enterprises in the directory, who can easily recognize "comeonspammer" and stay away. I doubt the average POC is going to be duped by the pill salesmen, latest money making scam, too-good-to-be-true offer, go phish attempt, or other standardized junk mail.

--
-J

From cscora at apnic.net Fri Jun 11 13:11:02 2010
From: cscora at apnic.net (Routing Analysis Role Account)
Date: Sat, 12 Jun 2010 04:11:02 +1000 (EST)
Subject: Weekly Routing Table Report
Message-ID: <201006111811.o5BIB2BO025525@thyme.apnic.net>

This is an automated weekly mailing describing the state of the Internet Routing Table as seen from APNIC's router in Japan. Daily listings are sent to bgp-stats at lists.apnic.net

For historical data, please see http://thyme.apnic.net.

If you have any comments please contact Philip Smith.
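The following is an added example, not code from ARIN or from any post in this thread, showing the session-bound honeytoken Rubens Kuhl describes in the ARIN bulk-data thread above: each bulk download gets a synthetic point-of-contact whose e-mail address is an HMAC of the download session, so a message arriving at that address can be traced back to the download either through a session index or statelessly by recomputing the MAC. The record format, server key, honey domain and sample records are all constructed for the example; James Hess's caveat above (colluding sessions can diff out any single per-session record) still applies to this design.

```python
"""Session-bound honeytokens for a bulk directory export (added example).

Not code from ARIN or from any message in the thread. Record format,
server key, honey domain and sample records are constructed for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass
from email.utils import parseaddr
from typing import Optional


@dataclass(frozen=True)
class Record:
    handle: str
    name: str
    email: str


# Constructed sample directory (not real registry data).
BASE_RECORDS = [
    Record("ABUSE7-EX", "Example Net Abuse", "abuse@example.net"),
    Record("JS9-EX", "J. Smith", "jsmith@example.org"),
    Record("NOC1-EX", "Example Net NOC", "noc@example.net"),
]

# Hypothetical domain whose mailboxes exist only to catch honeytoken hits.
HONEY_DOMAIN = "poc-watch.example"


class HoneytokenIssuer:
    """Issues one export per download session and attributes leaked tokens."""

    def __init__(self, server_key: bytes) -> None:
        self._key = server_key
        # token local-part -> metadata about the download session that received it
        self._sessions: dict = {}

    def _mac(self, session_id: str) -> str:
        # HMAC binds the token to this session and to a server-side key, so a
        # token cannot be guessed or forged by someone who only sees the export.
        return hmac.new(self._key, session_id.encode(), hashlib.sha256).hexdigest()[:16]

    def token_address(self, session_id: str) -> str:
        return f"poc-{self._mac(session_id)}@{HONEY_DOMAIN}"

    def issue_export(self, session_id: str, downloader: str) -> list:
        """Return the records for one download, including its honey record."""
        addr = self.token_address(session_id)
        self._sessions[addr.split("@")[0]] = {"session": session_id, "downloader": downloader}
        honey = Record(f"HT{self._mac(session_id)[:6].upper()}-EX", "Network Operations", addr)
        # Sort by handle like a real export, so the honey record is not simply the last line.
        return sorted(BASE_RECORDS + [honey], key=lambda r: r.handle)

    def attribute(self, recipient: str) -> Optional[dict]:
        """Given the recipient of an unsolicited message, say which download leaked it."""
        _, addr = parseaddr(recipient)  # accepts 'Name <addr>' as well as a bare address
        local, _, domain = addr.lower().partition("@")
        if domain != HONEY_DOMAIN:
            return None  # ordinary mail, not a honeytoken hit
        return self._sessions.get(local)

    def verify(self, recipient: str, session_id: str) -> bool:
        """Stateless check (no index needed): does this address belong to session_id?"""
        _, addr = parseaddr(recipient)
        return hmac.compare_digest(addr.lower(), self.token_address(session_id))


if __name__ == "__main__":
    issuer = HoneytokenIssuer(b"constructed-server-key-not-for-production")
    export = issuer.issue_export("dl-2010-06-10-0001", "user-a@example.com")
    for r in export:
        print(f"{r.handle:14} {r.name:20} {r.email}")
    leaked = next(r.email for r in export if r.email.endswith("@" + HONEY_DOMAIN))
    print("hit:", issuer.attribute(f"Ops <{leaked}>"))
```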
Routing Table Report   04:00 +10GMT Sat 12 Jun, 2010

Report Website:     http://thyme.apnic.net
Detailed Analysis:  http://thyme.apnic.net/current/

Analysis Summary
----------------

BGP routing table entries examined: 322325
Prefixes after maximum aggregation: 148837
Deaggregation factor: 2.17
Unique aggregates announced to Internet: 158178
Total ASes present in the Internet Routing Table: 34173
Prefixes per ASN: 9.43
Origin-only ASes present in the Internet Routing Table: 29656
Origin ASes announcing only one prefix: 14403
Transit ASes present in the Internet Routing Table: 4517
Transit-only ASes present in the Internet Routing Table: 102
Average AS path length visible in the Internet Routing Table: 3.6
Max AS path length visible: 25
Max AS path prepend of ASN (41664): 21
Prefixes from unregistered ASNs in the Routing Table: 308
Unregistered ASNs in the Routing Table: 114
Number of 32-bit ASNs allocated by the RIRs: 618
Prefixes from 32-bit ASNs in the Routing Table: 704
Special use prefixes present in the Routing Table: 0
Prefixes being announced from unallocated address space: 153
Number of addresses announced to Internet: 2226107872
Equivalent to 132 /8s, 175 /16s and 181 /24s
Percentage of available address space announced: 60.1
Percentage of allocated address space announced: 64.7
Percentage of available address space allocated: 92.8
Percentage of address space in use by end-sites: 83.2
Total number of prefixes smaller than registry allocations: 154163

APNIC Region Analysis Summary
-----------------------------

Prefixes being announced by APNIC Region ASes: 77175
Total APNIC prefixes after maximum aggregation: 26893
APNIC Deaggregation factor: 2.87
Prefixes being announced from the APNIC address blocks: 74194
Unique aggregates announced from the APNIC address blocks: 33008
APNIC Region origin ASes present in the Internet Routing Table: 4076
APNIC Prefixes per ASN: 18.20
APNIC Region origin ASes announcing only one prefix: 1121
APNIC Region transit ASes present in the Internet Routing Table: 632
Average APNIC Region AS path length visible: 3.6
Max APNIC Region AS path length visible: 18
Number of APNIC addresses announced to Internet: 521993248
Equivalent to 31 /8s, 28 /16s and 252 /24s
Percentage of available APNIC address space announced: 77.8

APNIC AS Blocks (pre-ERX allocations): 4608-4864, 7467-7722, 9216-10239, 17408-18431, 23552-24575, 37888-38911, 45056-46079, 55296-56319, 131072-132095

APNIC Address Blocks: 1/8, 14/8, 27/8, 43/8, 58/8, 59/8, 60/8, 61/8, 110/8, 111/8, 112/8, 113/8, 114/8, 115/8, 116/8, 117/8, 118/8, 119/8, 120/8, 121/8, 122/8, 123/8, 124/8, 125/8, 126/8, 133/8, 175/8, 180/8, 182/8, 183/8, 202/8, 203/8, 210/8, 211/8, 218/8, 219/8, 220/8, 221/8, 222/8, 223/8

ARIN Region Analysis Summary
----------------------------

Prefixes being announced by ARIN Region ASes: 134088
Total ARIN prefixes after maximum aggregation: 69138
ARIN Deaggregation factor: 1.94
Prefixes being announced from the ARIN address blocks: 106811
Unique aggregates announced from the ARIN address blocks: 41644
ARIN Region origin ASes present in the Internet Routing Table: 13733
ARIN Prefixes per ASN: 7.78
ARIN Region origin ASes announcing only one prefix: 5271
ARIN Region transit ASes present in the Internet Routing Table: 1344
Average ARIN Region AS path length visible: 3.4
Max ARIN Region AS path length visible: 22
Number of ARIN addresses announced to Internet: 727992352
Equivalent to 43 /8s, 100 /16s and 72 /24s
Percentage of available ARIN address space announced: 62.0

ARIN AS Blocks (pre-ERX allocations): 1-1876, 1902-2042, 2044-2046, 2048-2106, 2138-2584, 2615-2772, 2823-2829, 2880-3153, 3354-4607, 4865-5119, 5632-6655, 6912-7466, 7723-8191, 10240-12287, 13312-15359, 16384-17407, 18432-20479, 21504-23551, 25600-26591, 26624-27647, 29696-30719, 31744-33791, 35840-36863, 39936-40959, 46080-47103, 53248-55295, 393216-394239

ARIN Address Blocks: 3/8, 4/8, 6/8, 7/8, 8/8, 9/8, 11/8, 12/8, 13/8, 15/8, 16/8, 17/8, 18/8, 19/8, 20/8, 21/8, 22/8, 24/8, 26/8, 28/8, 29/8, 30/8, 32/8, 33/8, 34/8, 35/8, 38/8, 40/8, 44/8, 45/8, 47/8, 48/8, 50/8, 52/8, 54/8, 55/8, 56/8, 63/8, 64/8, 65/8, 66/8, 67/8, 68/8, 69/8, 70/8, 71/8, 72/8, 73/8, 74/8, 75/8, 76/8, 96/8, 97/8, 98/8, 99/8, 107/8, 108/8, 173/8, 174/8, 184/8, 199/8, 204/8, 205/8, 206/8, 207/8, 208/8, 209/8, 214/8, 215/8, 216/8

RIPE Region Analysis Summary
----------------------------

Prefixes being announced by RIPE Region ASes: 74215
Total RIPE prefixes after maximum aggregation: 43198
RIPE Deaggregation factor: 1.72
Prefixes being announced from the RIPE address blocks: 67232
Unique aggregates announced from the RIPE address blocks: 44421
RIPE Region origin ASes present in the Internet Routing Table: 14524
RIPE Prefixes per ASN: 4.63
RIPE Region origin ASes announcing only one prefix: 7499
RIPE Region transit ASes present in the Internet Routing Table: 2182
Average RIPE Region AS path length visible: 3.9
Max RIPE Region AS path length visible: 25
Number of RIPE addresses announced to Internet: 430186912
Equivalent to 25 /8s, 164 /16s and 33 /24s
Percentage of available RIPE address space announced: 75.4

RIPE AS Blocks (pre-ERX allocations): 1877-1901, 2043, 2047, 2107-2136, 2585-2614, 2773-2822, 2830-2879, 3154-3353, 5377-5631, 6656-6911, 8192-9215, 12288-13311, 15360-16383, 20480-21503, 24576-25599, 28672-29695, 30720-31743, 33792-35839, 38912-39935, 40960-45055, 47104-52223, 196608-197631

RIPE Address Blocks: 2/8, 25/8, 31/8, 46/8, 51/8, 62/8, 77/8, 78/8, 79/8, 80/8, 81/8, 82/8, 83/8, 84/8, 85/8, 86/8, 87/8, 88/8, 89/8, 90/8, 91/8, 92/8, 93/8, 94/8, 95/8, 109/8, 176/8, 178/8, 193/8, 194/8, 195/8, 212/8, 213/8, 217/8

LACNIC Region Analysis Summary
------------------------------

Prefixes being announced by LACNIC Region ASes: 28644
Total LACNIC prefixes after maximum aggregation: 6829
LACNIC Deaggregation factor: 4.19
Prefixes being announced from the LACNIC address blocks: 27053
Unique aggregates announced from the LACNIC address blocks: 14082
LACNIC Region origin ASes
present in the Internet Routing Table: 1299 LACNIC Prefixes per ASN: 20.83 LACNIC Region origin ASes announcing only one prefix: 404 LACNIC Region transit ASes present in the Internet Routing Table: 228 Average LACNIC Region AS path length visible: 4.0 Max LACNIC Region AS path length visible: 24 Number of LACNIC addresses announced to Internet: 73906944 Equivalent to 4 /8s, 103 /16s and 187 /24s Percentage of available LACNIC address space announced: 55.1 LACNIC AS Blocks 26592-26623, 27648-28671, 52224-53247, 262144-263167 plus ERX transfers LACNIC Address Blocks 177/8, 181/8, 186/8, 187/8, 189/8, 190/8, 200/8, 201/8, AfriNIC Region Analysis Summary ------------------------------- Prefixes being announced by AfriNIC Region ASes: 7281 Total AfriNIC prefixes after maximum aggregation: 1809 AfriNIC Deaggregation factor: 4.02 Prefixes being announced from the AfriNIC address blocks: 5613 Unique aggregates announced from the AfriNIC address blocks: 1718 AfriNIC Region origin ASes present in the Internet Routing Table: 368 AfriNIC Prefixes per ASN: 15.25 AfriNIC Region origin ASes announcing only one prefix: 108 AfriNIC Region transit ASes present in the Internet Routing Table: 86 Average AfriNIC Region AS path length visible: 3.7 Max AfriNIC Region AS path length visible: 15 Number of AfriNIC addresses announced to Internet: 18883072 Equivalent to 1 /8s, 32 /16s and 34 /24s Percentage of available AfriNIC address space announced: 56.3 AfriNIC AS Blocks 36864-37887, 327680-328703 & ERX transfers AfriNIC Address Blocks 41/8, 197/8, APNIC Region per AS prefix count summary ---------------------------------------- ASN No of nets /20 equiv MaxAgg Description 4766 1849 8422 484 Korea Telecom (KIX) 17488 1316 140 125 Hathway IP Over Cable Interne 4755 1309 293 153 TATA Communications formerly 7545 1307 232 105 TPG Internet Pty Ltd 17974 1097 282 21 PT TELEKOMUNIKASI INDONESIA 9583 994 73 490 Sify Limited 24560 916 306 169 Bharti Airtel Ltd., Telemedia 4134 877 21295 409 
CHINANET-BACKBONE 4808 842 1573 217 CNCGROUP IP network: China169 9829 793 680 39 BSNL National Internet Backbo Complete listing at http://thyme.apnic.net/current/data-ASnet-APNIC ARIN Region per AS prefix count summary --------------------------------------- ASN No of nets /20 equiv MaxAgg Description 6389 3913 3733 287 bellsouth.net, inc. 4323 3362 1113 394 Time Warner Telecom 1785 1782 699 131 PaeTec Communications, Inc. 20115 1552 1512 659 Charter Communications 7018 1512 5735 962 AT&T WorldNet Services 2386 1287 569 909 AT&T Data Communications Serv 6478 1269 259 92 AT&T Worldnet Services 3356 1182 10890 406 Level 3 Communications, LLC 22773 1162 2605 65 Cox Communications, Inc. 11492 1151 207 68 Cable One Complete listing at http://thyme.apnic.net/current/data-ASnet-ARIN RIPE Region per AS prefix count summary --------------------------------------- ASN No of nets /20 equiv MaxAgg Description 35805 634 56 6 United Telecom of Georgia 3292 453 2026 394 TDC Tele Danmark 30890 442 111 205 Evolva Telecom 702 412 1869 328 UUNET - Commercial IP service 8551 402 355 38 Bezeq International 8866 400 117 18 Bulgarian Telecommunication C 3301 370 1414 325 TeliaNet Sweden 3320 370 7073 321 Deutsche Telekom AG 34984 358 88 184 BILISIM TELEKOM 12479 335 576 5 Uni2 Autonomous System Complete listing at http://thyme.apnic.net/current/data-ASnet-RIPE LACNIC Region per AS prefix count summary ----------------------------------------- ASN No of nets /20 equiv MaxAgg Description 8151 1521 2965 244 UniNet S.A. de C.V. 10620 1059 237 152 TVCABLE BOGOTA 28573 901 745 81 NET Servicos de Comunicao S.A 7303 724 374 132 Telecom Argentina Stet-France 6503 642 173 209 AVANTEL, S.A. 22047 545 310 15 VTR PUNTO NET S.A. 3816 480 208 76 Empresa Nacional de Telecomun 7738 477 922 30 Telecomunicacoes da Bahia S.A 14420 463 32 67 ANDINATEL S.A. 14117 456 30 13 Telefonica del Sur S.A. 
Complete listing at http://thyme.apnic.net/current/data-ASnet-LACNIC AfriNIC Region per AS prefix count summary ------------------------------------------ ASN No of nets /20 equiv MaxAgg Description 8452 1151 445 10 TEDATA 24863 716 147 39 LINKdotNET AS number 36992 642 278 186 Etisalat MISR 3741 269 852 230 The Internet Solution 33776 219 12 11 Starcomms Nigeria Limited 2018 211 244 61 Tertiary Education Network 6713 195 186 16 Itissalat Al-MAGHRIB 24835 183 78 10 RAYA Telecom - Egypt 29571 175 19 10 Ci Telecom Autonomous system 29975 133 506 14 Vodacom Complete listing at http://thyme.apnic.net/current/data-ASnet-AFRINIC Global Per AS prefix count summary ---------------------------------- ASN No of nets /20 equiv MaxAgg Description 6389 3913 3733 287 bellsouth.net, inc. 4323 3362 1113 394 Time Warner Telecom 4766 1849 8422 484 Korea Telecom (KIX) 1785 1782 699 131 PaeTec Communications, Inc. 20115 1552 1512 659 Charter Communications 8151 1521 2965 244 UniNet S.A. de C.V. 7018 1512 5735 962 AT&T WorldNet Services 17488 1316 140 125 Hathway IP Over Cable Interne 4755 1309 293 153 TATA Communications formerly 7545 1307 232 105 TPG Internet Pty Ltd Complete listing at http://thyme.apnic.net/current/data-ASnet Global Per AS Maximum Aggr summary ---------------------------------- ASN No of nets Net Savings Description 4323 3362 2968 Time Warner Telecom 1785 1782 1651 PaeTec Communications, Inc. 4766 1849 1365 Korea Telecom (KIX) 8151 1521 1277 UniNet S.A. de C.V. 7545 1307 1202 TPG Internet Pty Ltd 17488 1316 1191 Hathway IP Over Cable Interne 6478 1269 1177 AT&T Worldnet Services 4755 1309 1156 TATA Communications formerly 8452 1151 1141 TEDATA 22773 1162 1097 Cox Communications, Inc. 
Complete listing at http://thyme.apnic.net/current/data-CIDRnet List of Unregistered Origin ASNs (Global) ----------------------------------------- Bad AS Designation Network Transit AS Description 16927 UNALLOCATED 12.0.252.0/23 7018 AT&T WorldNet Servic 15132 UNALLOCATED 12.9.150.0/24 7018 AT&T WorldNet Servic 32567 UNALLOCATED 12.14.170.0/24 7018 AT&T WorldNet Servic 13746 UNALLOCATED 12.24.56.0/24 7018 AT&T WorldNet Servic 32567 UNALLOCATED 12.25.107.0/24 7018 AT&T WorldNet Servic 26973 UNALLOCATED 12.39.152.0/24 7018 AT&T WorldNet Servic 26973 UNALLOCATED 12.39.154.0/23 7018 AT&T WorldNet Servic 26973 UNALLOCATED 12.39.155.0/24 7018 AT&T WorldNet Servic 26973 UNALLOCATED 12.39.159.0/24 7018 AT&T WorldNet Servic 25639 UNALLOCATED 12.41.169.0/24 7018 AT&T WorldNet Servic Complete listing at http://thyme.apnic.net/current/data-badAS Advertised Unallocated Addresses -------------------------------- Network Origin AS Description 31.0.0.0/16 12654 RIPE NCC RIS Project 31.1.0.0/21 12654 RIPE NCC RIS Project 31.1.24.0/24 12654 RIPE NCC RIS Project 41.76.160.0/21 37063 Roke Investments Internationa 41.222.79.0/24 36938 >>UNKNOWN<< 41.223.92.0/22 36936 >>UNKNOWN<< 41.223.188.0/24 22351 Intelsat 41.223.189.0/24 6453 Teleglobe Inc. 41.223.196.0/24 36990 Alkan Telecom Ltd 41.223.197.0/24 36990 Alkan Telecom Ltd Complete listing at http://thyme.apnic.net/current/data-add-IANA Number of prefixes announced per prefix length (Global) ------------------------------------------------------- /1:0 /2:0 /3:0 /4:0 /5:0 /6:0 /7:0 /8:19 /9:10 /10:25 /11:67 /12:193 /13:403 /14:699 /15:1279 /16:11105 /17:5301 /18:9023 /19:18326 /20:22576 /21:22617 /22:29601 /23:29231 /24:168924 /25:954 /26:1226 /27:617 /28:104 /29:10 /30:7 /31:0 /32:8 Advertised prefixes smaller than registry allocations ----------------------------------------------------- ASN No of nets Total ann. Description 6389 2508 3913 bellsouth.net, inc. 
4323 1852 3362 Time Warner Telecom 4766 1480 1849 Korea Telecom (KIX) 1785 1246 1782 PaeTec Communications, Inc. 11492 1065 1151 Cable One 17488 1063 1316 Hathway IP Over Cable Interne 8452 1045 1151 TEDATA 18566 1040 1059 Covad Communications 10620 975 1059 TVCABLE BOGOTA 7018 910 1512 AT&T WorldNet Services Complete listing at http://thyme.apnic.net/current/data-sXXas-nos Number of /24s announced per /8 block (Global) ---------------------------------------------- 1:2 4:13 8:284 12:2007 13:11 14:1 15:23 16:3 17:8 20:21 24:1422 27:113 31:1 32:49 33:12 38:680 40:98 41:2432 44:3 47:26 52:8 55:9 56:2 57:25 58:739 59:504 60:458 61:1074 62:1070 63:1974 64:3617 65:2339 66:4249 67:1818 68:1107 69:2873 70:718 71:236 72:1832 73:2 74:2109 75:252 76:312 77:898 78:629 79:426 80:982 81:797 82:487 83:431 84:702 85:1040 86:459 87:694 88:334 89:1546 90:92 91:2800 92:508 93:1107 94:1416 95:610 96:281 97:323 98:562 99:28 108:32 109:526 110:427 111:517 112:261 113:296 114:418 115:549 116:1048 117:650 118:470 119:934 120:147 121:737 122:1450 123:926 124:1108 125:1313 128:210 129:217 130:193 131:555 132:250 133:17 134:195 135:45 136:229 137:168 138:257 139:104 140:510 141:137 142:348 143:388 144:468 145:50 146:440 147:166 148:648 149:299 150:152 151:166 152:285 153:168 154:2 155:328 156:158 157:324 158:107 159:376 160:316 161:179 162:254 163:171 164:408 165:331 166:467 167:401 168:786 169:165 170:707 171:57 172:2 173:818 174:607 175:90 176:1 178:165 180:488 182:109 183:224 184:58 186:466 187:343 188:1295 189:795 190:3770 192:5752 193:4707 194:3355 195:2757 196:1204 198:3585 199:3434 200:5354 201:1548 202:7978 203:8254 204:4064 205:2328 206:2515 207:3051 208:3889 209:3401 210:2494 211:1262 212:1750 213:1687 214:671 215:69 216:4659 217:1523 218:486 219:378 220:1136 221:398 222:304 223:1 End of report From tim.connolly at farecompare.com Fri Jun 11 14:05:13 2010 From: tim.connolly at farecompare.com (Tim Connolly) Date: Fri, 11 Jun 2010 14:05:13 -0500 Subject: Verizon OC12 outage in 
Dallas, TX
Message-ID:

I don't know whether this is bigger or smaller, but Savvis seems to suggest there are 11 other DS3's involved in an outage that took us out around 11am. Anyone else have details? Verizon supposedly dispatched a tech to the Bryan St. pop.

From markk at arin.net Fri Jun 11 14:17:49 2010
From: markk at arin.net (Mark Kosters)
Date: Fri, 11 Jun 2010 15:17:49 -0400
Subject: Upcoming Improvements to ARIN's Directory Service
In-Reply-To:
References: <20100604190504.GA61967@arin.net> <4C113BC4.4000006@rollernet.us>
Message-ID: <20100611191749.GA68082@arin.net>

Hi

ARIN is making significant improvements to our systems and services. ARIN encourages the community to look for upcoming features as details are available at: https://www.arin.net/features.

I would like to clear up the confusion about the changes to access to Bulk Whois that have been discussed in this thread. The next release of ARIN Online on 26 June 2010 will include an easy way of automating bulk Whois reports. ARIN sent an announcement about this change to all current Bulk Whois recipients on 1 June 2010. The current legacy ftp service for Bulk Whois recipients will continue to operate until 31 August 2010. This should allow enough time to make the changes required to your scripts to migrate to the new solution.

Regards,
Mark Kosters
ARIN CTO

From markk at arin.net Fri Jun 11 15:51:29 2010
From: markk at arin.net (Mark Kosters)
Date: Fri, 11 Jun 2010 16:51:29 -0400
Subject: Now Available: Whois-RWS Differences Documentation
Message-ID: <20100611205129.GA68330@arin.net>

Hi

FYI - this was posted a few minutes ago on arin-announce and may be of interest to NANOG as well.

Regards,
Mark

----- Forwarded message from Member Services -----

From: Member Services
Date: Fri, 11 Jun 2010 16:30:40 -0400
To: "arin-announce at arin.net"
Subject: [arin-announce] Now Available: Whois-RWS Differences Documentation

ARIN is deploying an improved Whois service called Whois-RWS on 26 June 2010. When using the Whois-RWS you will notice some differences in behavior for certain queries and corresponding result sets on the NICNAME/WHOIS port 43 service. Detailed documentation on these differences is now available at:

https://www.arin.net/resources/whoisrws/whois_diff.html

ARIN's Directory Service for registration data has used the NICNAME/WHOIS protocol since its inception. The limitations of the NICNAME/WHOIS protocol are well known and documented in RFC3912. Whois-RWS was created as an alternative to the ARIN Whois and will provide much richer functionality and capability to the community. A demo of this service has been available since October 2009. The demonstration service is available at: http://whoisrws-demo.arin.net.

ARIN continues to welcome community participation on the Whois-RWS mailing list, and we invite you to subscribe and share your thoughts and suggestions at: http://lists.arin.net/mailman/listinfo/arin-whoisrws

More detailed information on these changes and other future features that may impact the community at ARIN is available at: https://www.arin.net/features/

Regards,
Mark Kosters
Chief Technical Officer
American Registry for Internet Numbers (ARIN)

----- End forwarded message -----

From cidr-report at potaroo.net Fri Jun 11 17:00:03 2010
From: cidr-report at potaroo.net (cidr-report at potaroo.net)
Date: Fri, 11 Jun 2010 22:00:03 GMT
Subject: BGP Update Report
Message-ID: <201006112200.o5BM03Rd014450@wattle.apnic.net>

BGP Update Report
Interval: 03-Jun-10 -to- 10-Jun-10 (7 days)
Observation Point: BGP Peering with AS131072

TOP 20 Unstable Origin AS
Rank  ASN        Upds   %    Upds/Pfx  AS-Name
 1 -  AS30890   83244  6.6%    192.2 -- EVOLVA Evolva Telecom s.r.l.
 2 -  AS7132    57977  4.6%      5.2 -- SBIS-AS - AT&T Internet Services
 3 -  AS9829    17721  1.4%     50.5 -- BSNL-NIB National Internet Backbone
 4 -  AS14420   13403  1.1%     28.9 -- CORPORACION NACIONAL DE TELECOMUNICACIONES CNT S.A.
 5 -  AS45464   12085  0.9%    318.0 -- NEXTWEB-AS-AP Room 201, TGU Bldg
 6 -  AS32528   11673  0.9%   2918.2 -- ABBOTT Abbot Labs
 7 -  AS10474   10210  0.8%    352.1 -- NETACTIVE
 8 -  AS44475    7925  0.6%    247.7 -- TIADOLI-AS SC Tiadoli Company SRL
 9 -  AS17894    6804  0.5%    324.0 -- APMI-AS-AP AyalaPort Makati, Inc. / Data Center Operator
10 -  AS28477    6717  0.5%    671.7 -- Universidad Autonoma del Esstado de Morelos
11 -  AS35931    6713  0.5%   2237.7 -- ARCHIPELAGO - ARCHIPELAGO HOLDINGS INC
12 -  AS30969    6527  0.5%    120.9 --
13 -  AS37204    6516  0.5%    651.6 -- TELONE
14 -  AS25620    6393  0.5%     60.3 -- COTAS LTDA.
15 -  AS41852    6242  0.5%    328.5 -- EXPERTNET-AS S.C. EXPERTNET S.R.L.
16 -  AS39543    6222  0.5%    259.2 -- TENNET-AS SC TENNET TELECOM SRL
17 -  AS4538     5916  0.5%    100.3 -- ERX-CERNET-BKB China Education and Research Network Center
18 -  AS3816     5832  0.5%    138.9 -- COLOMBIA TELECOMUNICACIONES S.A. ESP
19 -  AS5800     5814  0.5%     28.8 -- DNIC-ASBLK-05800-06055 - DoD Network Information Center
20 -  AS48838    5733  0.5%    212.3 -- EUROLAN-ASN Eurolan Solutions SRL

TOP 20 Unstable Origin AS (Updates per announced prefix)
Rank  ASN        Upds   %    Upds/Pfx  AS-Name
 1 -  AS48861    4430  0.3%   4430.0 -- APAGA "Apaga Technologies" CJSC AS
 2 -  AS32528   11673  0.9%   2918.2 -- ABBOTT Abbot Labs
 3 -  AS35931    6713  0.5%   2237.7 -- ARCHIPELAGO - ARCHIPELAGO HOLDINGS INC
 4 -  AS21271    1214  0.1%   1214.0 -- SOTELMABGP
 5 -  AS30402    2282  0.2%   1141.0 -- HARRIS - Harris Interactive Inc.
 6 -  AS27873    1113  0.1%   1113.0 -- Compañia Goly, S.A.
 7 -  AS11613     820  0.1%    820.0 -- U-SAVE - U-Save Auto Rental of America, Inc.
 8 -  AS19174    3511  0.3%    702.2 -- CNC-USA - China Netcom (USA) Operations Ltd.
 9 -  AS28477    6717  0.5%    671.7 -- Universidad Autonoma del Esstado de Morelos
10 -  AS37204    6516  0.5%    651.6 -- TELONE
11 -  AS12445    1233  0.1%    616.5 -- SPIDERNET-AS Selene s.p.a.
12 -  AS31496     992  0.1%    496.0 -- ATNET-AS ATNET Autonomous System
13 -  AS5058      493  0.0%    493.0 -- NRL-EXP - Naval Research Laboratory
14 -  AS11081    3711  0.3%    463.9 -- United Telecommunication Services (UTS)
15 -  AS27762    3144  0.2%    449.1 -- Conet N.V.
16 -  AS28052     442  0.0%    442.0 -- Arte Radiotelevisivo Argentino
17 -  AS50980    1611  0.1%    402.8 -- BITINFO BitInfo Centar, Mladenovac, Serbia
18 -  AS10445    2334  0.2%    389.0 -- HTG - Huntleigh Telcom
19 -  AS45865     377  0.0%    377.0 -- LAWSON-PH 9th Floor Net2 Center 28th St cor 3rd Ave
20 -  AS30372     753  0.1%    376.5 -- SBS-NEWARK-CA - SIEMENS BUSINESS SERVICES

TOP 20 Unstable Prefixes
Rank  Prefix              Upds   %    Origin AS -- AS Name
 1 -  196.2.16.0/24      10070  0.7%  AS10474  -- NETACTIVE
 2 -  200.13.36.0/24      6676  0.5%  AS28477  -- Universidad Autonoma del Esstado de Morelos
 3 -  130.36.34.0/24      5823  0.4%  AS32528  -- ABBOTT Abbot Labs
 4 -  130.36.35.0/24      5819  0.4%  AS32528  -- ABBOTT Abbot Labs
 5 -  58.207.96.0/19      5540  0.4%  AS4538   -- ERX-CERNET-BKB China Education and Research Network Center
 6 -  190.65.228.0/22     5361  0.4%  AS3816   -- COLOMBIA TELECOMUNICACIONES S.A. ESP
 7 -  195.88.66.0/23      4430  0.3%  AS48861  -- APAGA "Apaga Technologies" CJSC AS
 8 -  143.138.107.0/24    3945  0.3%  AS747    -- TAEGU-AS - Headquarters, USAISC
 9 -  198.140.43.0/24     3922  0.3%  AS35931  -- ARCHIPELAGO - ARCHIPELAGO HOLDINGS INC
10 -  66.102.247.0/24     3426  0.2%  AS19174  -- CNC-USA - China Netcom (USA) Operations Ltd.
11 -  206.184.16.0/24     3032  0.2%  AS174    -- COGENT Cogent/PSI
12 -  63.211.68.0/22      2756  0.2%  AS35931  -- ARCHIPELAGO - ARCHIPELAGO HOLDINGS INC
13 -  202.92.235.0/24     2130  0.2%  AS9498   -- BBIL-AP BHARTI Airtel Ltd.
14 -  196.27.108.0/22     2101  0.2%  AS30969  --
15 -  188.187.184.0/24    2100  0.2%  AS41786  -- ERTH-YOLA-AS CJSC "Company "ER-Telecom" Yoshkar-Ola
16 -  98.159.128.0/24     1735  0.1%  AS18910  -- BIG-SANDY-BROADBAND-INC - Big Sandy Broadband Inc
17 -  196.29.32.0/21      1449  0.1%  AS37204  -- TELONE
18 -  180.233.225.0/24    1407  0.1%  AS38680  -- CMBHK-AS-KR CMB
19 -  205.91.160.0/20     1309  0.1%  AS5976   -- DNIC-ASBLK-05800-06055 - DoD Network Information Center
20 -  196.4.80.0/24       1235  0.1%  AS37204  -- TELONE

Details at http://bgpupdates.potaroo.net
------------------------------------
Copies of this report are mailed to:
  nanog at merit.edu
  eof-list at ripe.net
  apops at apops.net
  routing-wg at ripe.net
  afnog at afnog.org

From cidr-report at potaroo.net Fri Jun 11 17:00:00 2010
From: cidr-report at potaroo.net (cidr-report at potaroo.net)
Date: Fri, 11 Jun 2010 22:00:00 GMT
Subject: The Cidr Report
Message-ID: <201006112200.o5BM00dM014440@wattle.apnic.net>

This report has been generated at Fri Jun 11 21:11:34 2010 AEST.
The report analyses the BGP Routing Table of AS2.0 router and generates a report on aggregation potential within the table.

Check http://www.cidr-report.org for a current version of this report.

Recent Table History
        Date      Prefixes    CIDR Agg
        04-06-10    324939      201032
        05-06-10    324954      201005
        06-06-10    325082      201136
        07-06-10    324947      201445
        08-06-10    325144      201254
        09-06-10    325307      200880
        10-06-10    325346      201065
        11-06-10    325486      200854

AS Summary
        34605  Number of ASes in routing system
        14702  Number of ASes announcing only one prefix
         4459  Largest number of prefixes announced by an AS
               AS4323 : TWTC - tw telecom holdings, inc.
     95992896  Largest address span announced by an AS (/32s)
               AS4134 : CHINANET-BACKBONE No.31,Jin-rong Street

Aggregation Summary
The algorithm used in this report proposes aggregation only when there is a precise match using the AS path, so as to preserve traffic transit policies. Aggregation is also proposed across non-advertised address space ('holes').

 --- 11Jun10 ---
ASnum    NetsNow NetsAggr  NetGain  % Gain   Description
Table     325414   200979   124435   38.2%   All ASes

AS6389      3913      292     3621   92.5%   BELLSOUTH-NET-BLK - BellSouth.net Inc.
AS4323      4459     1476     2983   66.9%   TWTC - tw telecom holdings, inc.
AS4766      1849      498     1351   73.1%   KIXS-AS-KR Korea Telecom
AS22773     1162       70     1092   94.0%   ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc.
AS4755      1309      226     1083   82.7%   TATACOMM-AS TATA Communications formerly VSNL is Leading ISP
AS17488     1315      316      999   76.0%   HATHWAY-NET-AP Hathway IP Over Cable Internet
AS18566     1059      101      958   90.5%   COVAD - Covad Communications Co.
AS6478      1269      366      903   71.2%   ATT-INTERNET3 - AT&T WorldNet Services
AS8151      1521      619      902   59.3%   Uninet S.A. de C.V.
AS19262     1125      273      852   75.7%   VZGNI-TRANSIT - Verizon Internet Services Inc.
AS10620     1059      231      828   78.2%   Telmex Colombia S.A.
AS7545      1329      569      760   57.2%   TPG-INTERNET-AP TPG Internet Pty Ltd
AS8452      1151      413      738   64.1%   TEDATA TEDATA
AS5668       856      140      716   83.6%   AS-5668 - CenturyTel Internet Holdings, Inc.
AS4808       842      233      609   72.3%   CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
AS4804       678       84      594   87.6%   MPX-AS Microplex PTY LTD
AS1785      1782     1198      584   32.8%   AS-PAETEC-NET - PaeTec Communications, Inc.
AS35805      634       67      567   89.4%   UTG-AS United Telecom AS
AS7018      1512      964      548   36.2%   ATT-INTERNET4 - AT&T WorldNet Services
AS4780       685      164      521   76.1%   SEEDNET Digital United Inc.
AS7303       725      206      519   71.6%   Telecom Argentina S.A.
AS17676      572       80      492   86.0%   GIGAINFRA Softbank BB Corp.
AS9443       559       75      484   86.6%   INTERNETPRIMUS-AS-AP Primus Telecommunications
AS7011      1130      649      481   42.6%   FRONTIER-AND-CITIZENS - Frontier Communications of America, Inc.
AS7738       477       30      447   93.7%   Telecomunicacoes da Bahia S.A.
AS33588      617      171      446   72.3%   BRESNAN-AS - Bresnan Communications, LLC.
AS3356      1183      742      441   37.3%   LEVEL3 Level 3 Communications
AS24560      916      481      435   47.5%   AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
AS36992      643      214      429   66.7%   ETISALAT-MISR
AS22047      545      119      426   78.2%   VTR BANDA ANCHA S.A.

Total      36876    11067    25809   70.0%   Top 30 total

Possible Bogus Routes
Please see http://www.cidr-report.org for the full report

------------------------------------
Copies of this report are mailed to:
nanog at merit.edu
eof-list at ripe.net
apops at apops.net
routing-wg at ripe.net
afnog at afnog.org

From jcurran at arin.net Sat Jun 12 06:07:27 2010
From: jcurran at arin.net (John Curran)
Date: Sat, 12 Jun 2010 07:07:27 -0400
Subject: Upcoming Improvements to ARIN's Directory Service
In-Reply-To:
References: <20100604190504.GA61967@arin.net> <4C113BC4.4000006@rollernet.us>
Message-ID: <7CCED955-CBAA-4ED6-9E1D-95E4E6FE2417@arin.net>

On Jun 10, 2010, at 6:16 PM, Jason Lewis wrote:
>
> It's very clear. I went back and forth with support, asking how to
> automate my bulk transfer with the new system.
>
> Me: Is the bulk data download going to be available for automated
> download. I can currently download the data daily from the ftp via a
> script. The new web page doesn't seem to support that.
> Support: No, there is no automation by design.
>
> I'm ok with whatever system they provide if the functionality stays
> the same. I don't understand what they gain by making a human login
> and download the file.

Jason -

My apologies for the confusion over this when you called in; while we had briefed the support team on RESTful WHOIS, we hadn't covered the updated Bulk Whois interface as it is a bit of a specialized item and coming out on the next release of ARIN Online due to its need for "API key" support.
The 26 June release of ARIN Online will allow you to create and manage these keys, which in turn may be used in RESTful calls (and email templates!) for authentication. A brief overview of this feature was provided at the ARIN Toronto meeting and is available here:

https://www.arin.net/participate/meetings/reports/ARIN_XXV/PDF/Tuesday/Newton-REST-and-Relax.pdf

We will roll out the API key functionality and Bulk Whois via the RESTful interface with this next release of ARIN Online on 26 June, and this will allow the Bulk Whois data to be downloaded directly without logging into ARIN Online by using a RESTful HTTP request containing your "API key". As Mark Kosters noted in his message, we did contact current Bulk Whois users ahead of time about these changes, but if you were missed or have any questions about the change, please don't hesitate to contact myself or Mark directly.

Thanks!
/John

John Curran
President and CEO
ARIN

Begin forwarded message:

> From: Mark Kosters
> Date: June 11, 2010 3:17:49 PM EDT
> To: nanog at nanog.org
> Subject: Re: Upcoming Improvements to ARIN's Directory Service
>
> Hi
>
> ARIN is making significant improvements to our systems and services. ARIN
> encourages the community to look for upcoming features as details are
> available at: https://www.arin.net/features.
>
> I would like to clear up the confusion about the changes to access to
> Bulk Whois that have been discussed in this thread. The next release of
> ARIN Online on 26 June 2010 will include an easy way of automating bulk
> Whois reports. ARIN sent an announcement about this change to all current
> Bulk Whois recipients on 1 June 2010. The current legacy ftp service for
> Bulk Whois recipients will continue to operate until 31 August 2010. This
> should allow enough time to make the changes required to your scripts to
> migrate to the new solution.
>
> Regards,
> Mark Kosters
> ARIN CTO
>

From rsm at fast-serv.com Sat Jun 12 06:39:58 2010
From: rsm at fast-serv.com (Randy McAnally)
Date: Sat, 12 Jun 2010 07:39:58 -0400
Subject: Verizon contact
Message-ID: <20100612113716.M720@fast-serv.com>

Anyone with a Verizon network engineering contact on the list? There's a bad router/link in Reston, VA for the past 36 hours that we're having a real heck of a time trying to route around. Hoping we can get someone at Verizon to take a look at things.

--
Randy

From randy at psg.com Sat Jun 12 08:50:51 2010
From: randy at psg.com (Randy Bush)
Date: Sat, 12 Jun 2010 06:50:51 -0700
Subject: Upcoming Improvements to ARIN's Directory Service
In-Reply-To: <7CCED955-CBAA-4ED6-9E1D-95E4E6FE2417@arin.net>
References: <20100604190504.GA61967@arin.net> <4C113BC4.4000006@rollernet.us> <7CCED955-CBAA-4ED6-9E1D-95E4E6FE2417@arin.net>
Message-ID:

> My apologies for the confusion over this when you called in;
> while we had briefed the support team on RESTful WHOIS, we
> hadn't covered the updated Bulk Whois interface as it is a
> bit of a specialized item and coming out on the next release
> of ARIN Online due to its need for "API key" support. The
> 26 June release of ARIN Online will allow you to create and
> manage these keys, which in turn may be used in RESTful calls
> (and email templates!) for authentication. A brief overview
> of this feature was provided at the ARIN Toronto meeting and
> is available here:
>
> https://www.arin.net/participate/meetings/reports/ARIN_XXV/PDF/Tuesday/Newton-REST-and-Relax.pdf
>
> We will roll out the API key functionality and Bulk Whois via the
> RESTful interface with this next release of ARIN Online on 26 June,
> and this will allow the Bulk Whois data to be downloaded directly
> without logging into ARIN Online by using a RESTful HTTP request
> containing your "API key".
> As Mark Kosters noted in his message,
> we did contact current Bulk Whois users ahead of time about these
> changes, but if you were missed or have any questions about the
> change, please don't hesitate to contact myself or Mark directly.

john,

today, a research batch script running periodic bulk whois work has a line something like

ncftpget ftp://user:pass at ftp.arin.net/arin_db.txt.gz

well, it can actually be simpler.

for the web 9.3 impaired of us, could you describe the simple batch script line under the new improved system?

thanks!

randy

From jcurran at arin.net Sat Jun 12 09:25:20 2010
From: jcurran at arin.net (John Curran)
Date: Sat, 12 Jun 2010 10:25:20 -0400
Subject: Upcoming Improvements to ARIN's Directory Service
In-Reply-To:
References: <20100604190504.GA61967@arin.net> <4C113BC4.4000006@rollernet.us> <7CCED955-CBAA-4ED6-9E1D-95E4E6FE2417@arin.net>
Message-ID:

> john,
>
> today, a research batch script running periodic bulk whois work has a
> line something like
>
> ncftpget ftp://user:pass at ftp.arin.net/arin_db.txt.gz
>
> well, it can actually be simpler.
>
> for the web 9.3 impaired of us, could you describe the simple batch
> script line under the new improved system?

Randy -

You're going to have to get on ARIN Online at least once to generate a key (this means after June 26), but then accessing the data should be just as simple for a batch script (i.e. use curl or wget for this purpose). I've extracted the relevant draft info from the June 26 release documents and attached below. This is obviously subject to change until the release actually comes out...

/John

---- DOWNLOADING USING AN API KEY ----

The report can be downloaded directly without logging into ARIN Online using a RESTful HTTP request containing your API key. The URL must look like:

https://www.arin.net/public/rest/downloads/nvpr?apikey=YOUR-API-KEY

There are a variety of ways to automate the retrieval of this report.
For example, on a Linux system, where your API key is API-1111-2222-3333-4444, you can use the following 'curl' command to download the report file:

curl https://www.arin.net/public/rest/downloads/nvpr?apikey=API-1111-2222-3333-4444 > arin_nvpr.zip

You can manage your API keys when logged into your ARIN Online account.

From randy at psg.com Sat Jun 12 10:14:10 2010
From: randy at psg.com (Randy Bush)
Date: Sat, 12 Jun 2010 08:14:10 -0700
Subject: Upcoming Improvements to ARIN's Directory Service
In-Reply-To:
References: <20100604190504.GA61967@arin.net> <4C113BC4.4000006@rollernet.us> <7CCED955-CBAA-4ED6-9E1D-95E4E6FE2417@arin.net>
Message-ID:

> You're going to have to get on ARIN Online at least once to generate
> a key

i can probably survive this experience. is there a tee shirt? :)

> The report can be downloaded directly without logging into
> ARIN Online using a RESTful HTTP request containing your
> API key. The URL must look like:
>
> https://www.arin.net/public/rest/downloads/nvpr?apikey=YOUR-API-KEY

this looks quite doable.

thank you!

randy

From andree+nanog at toonk.nl Sat Jun 12 13:04:40 2010
From: andree+nanog at toonk.nl (Andree Toonk)
Date: Sat, 12 Jun 2010 11:04:40 -0700
Subject: Large number of IPv6 bogons with spoofed ASpath
Message-ID: <4C13CC38.4080607@toonk.nl>

Hi List

Yesterday I noticed a large number of 'bogon' IPv6 announcements. I think it was about a 100 different (IPv6) bogon prefixes [1] [2] being announced from what looks like a variety of origin ASNs. Being the administrator of one of these ASNs, I'm quite confident that we were not actually announcing this prefix (f006:9000::/24). Looking more carefully at the data, it looks like the Origin AS / AS paths are spoofed. I suspect it's just one person/organization somewhere in the AS174 or AS3257 network which is announcing these bogons, prepending them with different ASNs. Does anyone have an idea what this could be? Someone doing some kind of an experiment?
I summarized my observations here: http://bgpmon.net/blog/?p=299

If anyone has more info about this, please let me know as I am interested to learn more about this.

Thanks,
Andree

[1] http://www.bgpmon.net/showbogons.php?inet=6
[2] http://bit.ly/cH1INE

From wmaton at ryouko.imsb.nrc.ca Sat Jun 12 13:09:43 2010
From: wmaton at ryouko.imsb.nrc.ca (William F. Maton Sotomayor)
Date: Sat, 12 Jun 2010 14:09:43 -0400 (EDT)
Subject: Large number of IPv6 bogons with spoofed ASpath
In-Reply-To: <4C13CC38.4080607@toonk.nl>
References: <4C13CC38.4080607@toonk.nl>
Message-ID:

On Sat, 12 Jun 2010, Andree Toonk wrote:

> Hi List
>
> Yesterday I noticed a large number of 'bogon' IPv6 announcements.
> I think it was about a 100 different (IPv6) bogon prefixes [1] [2] being
> announced from what looks like a variety of origin ASNs.

I have seen 1000::/32 come in once in a while, but I've noticed that it's hard to catch where this is coming from. But I've not seen the others.

But it does point to the larger lesson that just because it is IPv6, it doesn't mean that prefix-filters (and other tools) aren't required like in IPv4.

wfms

From kurtis at kurtis.pp.se Sat Jun 12 13:27:40 2010
From: kurtis at kurtis.pp.se (Lindqvist Kurt Erik)
Date: Sat, 12 Jun 2010 20:27:40 +0200
Subject: Please report issues with i.root-servers.net
Message-ID:

All,

Renesys has for a few days had a blog post at http://www.renesys.com/blog/2010/06/two-strikes-i-root.shtml. On the 9th I urged them to provide us with any data if they are seeing incorrect responses from any i.root-servers.net instance, and share that with noc at netnod.se. I have so far received a single email from Renesys on Friday morning CET time. That email did not contain any data or further information. I asked to share that email with the Nanog list as Renesys will apparently share some results on studies of the i.root-servers.net in Beijing.
I have no insight into what these findings are, and Renesys did not respond to my request to see them beforehand.

As of today Renesys have updated their blog post with data that seems to indicate that they have seen incorrect responses from an i.root-servers.net instance. This is the first report of such responses since we re-activated our anycast node in Beijing, and we only saw this by monitoring the comments field of the blog post. At the time of re-activating the node we did test from all locations we could find and queried the i.root-servers.net node in Beijing, and we did not see any incorrect responses.

Now, I would request that you all *please* report operational issues with i.root-servers.net, or any behavior you do not expect, to noc at netnod.se. Unfortunately no one from us will attend the upcoming Nanog meeting, and I can't see from the agenda when the presentation is due. I am happy to answer any questions directly though, and I will try and read Renesys' results as soon as they are published. In the meantime, as we are dealing with what is potentially an operational problem, please report any issues to us.

To provide some background, I will share some of my responses to the Renesys email on Friday - although I admit they are taken out of context, I think they do provide some general background information that might be worth sharing.

---
As I wrote in my response to your blog post, the node in China has ALWAYS been globally reachable (whatever that means. In our terminology it means we are not exporting the prefixes with no-export, so the prefixes propagate as far as our peers advertise them).
---
As to the above, many countries tamper with DNS responses so I have no way of assuring anyone that a packet that traverses many countries, many regulations and many network owners is never tampered with.
In the case where queries to our node in Beijing were seen to respond with incorrect responses, we have obviously been in discussions with our hosts for the node in Beijing, and they have, as we understand it, been in discussions with many of the networks in China. From what we understand from these discussions, the occurrence of these incorrect responses for queries sent to i.root-servers.net was a mistake. I have no insight into why or how the mistake happened, but we have been assured it won't be possible for it to happen again.

That said - let me again stress that neither we nor anyone else can assure that packets on the Internet do not get tampered with along the path. What we can do is to deploy mechanisms that will detect this tampering at the application layer, for example DNSSEC.
---

Kurt Erik Lindqvist
CEO Netnod

From jcurran at arin.net Sat Jun 12 14:25:40 2010
From: jcurran at arin.net (John Curran)
Date: Sat, 12 Jun 2010 15:25:40 -0400
Subject: Upcoming Improvements to ARIN's Directory Service
In-Reply-To:
References: <20100604190504.GA61967@arin.net> <4C113BC4.4000006@rollernet.us> <7CCED955-CBAA-4ED6-9E1D-95E4E6FE2417@arin.net>
Message-ID: <60FE263B-B7E0-48AB-9D13-B300A3B5EF57@arin.net>

On Jun 12, 2010, at 11:14 AM, Randy Bush wrote:

>> You're going to have to get on ARIN Online at least once to generate
>> a key
>
> i can probably survive this experience. is there a tee shirt? :)

Your request has been noted... ;-)

>> The report can be downloaded directly without logging into
>> ARIN Online using a RESTful HTTP request containing your
>> API key. The URL must look like:
>>
>> https://www.arin.net/public/rest/downloads/nvpr?apikey=YOUR-API-KEY
>
> this looks quite doable.
>
> thank you!

Thank you (and Jason Lewis!)
for pointing out the lack of actionable information regarding this announcement and its impact on Bulk Whois. I've chatted with Mark and Nate on the timing of this service change, and going forward we'll make sure to have replacement services fully deployed and verifiable by the community before announcing an end date for the current service.

Thanks again!
/John

John Curran
President and CEO
ARIN

From LarrySheldon at cox.net Sun Jun 13 00:21:49 2010
From: LarrySheldon at cox.net (Larry Sheldon)
Date: Sun, 13 Jun 2010 00:21:49 -0500
Subject: On the control of the Internet.
Message-ID: <4C146AED.9040400@cox.net>

http://volokh.com/2010/06/13/32843/

What happens when the US shuts down part of its part?

Depends on what part it shut down, of course.

But what are the available boundaries for the parts in question?

Will that have to change?

For example--what happens when name-service information for a part that is not shutdown comes from a part that is?

What if an exchange point for parts that are not shutdown is shutdown.

And spare me the tinfoil hat stuff--tinfoil hats have not worked for a year or more.

--
Somebody should have said:
A democracy is two wolves and a lamb voting on what to have for dinner.

Freedom under a constitutional republic is a well armed lamb contesting the vote.

Requiescas in pace o email
Ex turpi causa non oritur actio
Eppure si rinfresca

ICBM Targeting Information: http://tinyurl.com/4sqczs
http://tinyurl.com/7tp8ml

From owen at delong.com Sun Jun 13 07:50:24 2010
From: owen at delong.com (Owen DeLong)
Date: Sun, 13 Jun 2010 05:50:24 -0700
Subject: On the control of the Internet.
In-Reply-To: <4C146AED.9040400@cox.net>
References: <4C146AED.9040400@cox.net>
Message-ID: <5680FC9E-7D10-49F6-A20F-637CB64C33B1@delong.com>

Generally speaking, it will be treated as damage and routed around.

Owen

On Jun 12, 2010, at 10:21 PM, Larry Sheldon wrote:

> http://volokh.com/2010/06/13/32843/
>
> What happens when the US shuts down part of its part?
>
> Depends on what part it shut down, of course.
>
> But what are the available boundaries for the parts in question?
>
> Will that have to change?
>
> For example--what happens when name-service information for a part that
> is not shutdown comes from a part that is?
>
> What if an exchange point for parts that are not shutdown is shutdown.
>
> And spare me the tinfoil hat stuff--tinfoil hats have not worked for a
> year or more.
> --
> Somebody should have said:
> A democracy is two wolves and a lamb voting on what to have for dinner.
>
> Freedom under a constitutional republic is a well armed lamb contesting
> the vote.
>
> Requiescas in pace o email
> Ex turpi causa non oritur actio
> Eppure si rinfresca
>
> ICBM Targeting Information: http://tinyurl.com/4sqczs
> http://tinyurl.com/7tp8ml
>
>

From danielfigueiredo at gmail.com Sun Jun 13 08:03:48 2010
From: danielfigueiredo at gmail.com (Daniel)
Date: Sun, 13 Jun 2010 10:03:48 -0300
Subject: On the control of the Internet.
In-Reply-To: <5680FC9E-7D10-49F6-A20F-637CB64C33B1@delong.com>
References: <4C146AED.9040400@cox.net> <5680FC9E-7D10-49F6-A20F-637CB64C33B1@delong.com>
Message-ID:

Taking into account a submarine cable structure like this:

http://www.telegeography.com/product-info/map_cable/images/cable_map_2010_large.png

And that satellite connections have very high latency, I think the idea of routing around will be, at least, a performance hell.

On Sun, Jun 13, 2010 at 09:50, Owen DeLong wrote:
> Generally speaking, it will be treated as damage and routed around.
>
> Owen

From jgreco at ns.sol.net Sun Jun 13 08:42:01 2010
From: jgreco at ns.sol.net (Joe Greco)
Date: Sun, 13 Jun 2010 08:42:01 -0500 (CDT)
Subject: On the control of the Internet.
In-Reply-To: <5680FC9E-7D10-49F6-A20F-637CB64C33B1@delong.com> from "Owen DeLong" at Jun 13, 2010 05:50:24 AM
Message-ID: <201006131342.o5DDg18I077624@aurora.sol.net>

> Generally speaking, it will be treated as damage and routed around.
That fable only really stands a chance when the damage is accidental; in the case where such "damage" is being deliberately inflicted, particularly by government, it gets more complicated. A lot of the 'net is a little more centralized than it ought to be in order to allow the "routed around" concept to work successfully.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.

From Valdis.Kletnieks at vt.edu Sun Jun 13 08:47:27 2010
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Sun, 13 Jun 2010 09:47:27 -0400
Subject: On the control of the Internet.
In-Reply-To: Your message of "Sun, 13 Jun 2010 00:21:49 CDT." <4C146AED.9040400@cox.net>
References: <4C146AED.9040400@cox.net>
Message-ID: <21803.1276436847@localhost>

On Sun, 13 Jun 2010 00:21:49 CDT, Larry Sheldon said:
> For example--what happens when name-service information for a part that
> is not shutdown comes from a part that is?

It's always been a BCP good idea to have your DNS have secondaries in another non-fate-sharing AS, even though everybody from Microsoft on down seems to feel the need to rediscover this.

From dhc2 at dcrocker.net Sun Jun 13 09:40:54 2010
From: dhc2 at dcrocker.net (Dave CROCKER)
Date: Sun, 13 Jun 2010 16:40:54 +0200
Subject: On the control of the Internet.
In-Reply-To: <21803.1276436847@localhost>
References: <4C146AED.9040400@cox.net> <21803.1276436847@localhost>
Message-ID: <4C14EDF6.6010307@dcrocker.net>

On 6/13/2010 3:47 PM, Valdis.Kletnieks at vt.edu wrote:
> It's always been a BCP good idea to have your DNS have secondaries in another
> non-fate-sharing AS, even though everybody from Microsoft on down seems
> to feel the need to rediscover this.

Postel used to advise having them on different tectonic plates (and sources of power, of course.)

Conflating the "liberal in what you accept" advice, it might be wise to accept tectonic as covering tectonic shifts in politics, as well as land masses.

d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net

From LarrySheldon at cox.net Sun Jun 13 11:24:01 2010
From: LarrySheldon at cox.net (Larry Sheldon)
Date: Sun, 13 Jun 2010 11:24:01 -0500
Subject: On the control of the Internet.
In-Reply-To: <5680FC9E-7D10-49F6-A20F-637CB64C33B1@delong.com>
References: <4C146AED.9040400@cox.net> <5680FC9E-7D10-49F6-A20F-637CB64C33B1@delong.com>
Message-ID: <4C150621.4020802@cox.net>

On 6/13/2010 07:50, Owen DeLong wrote:
> Generally speaking, it will be treated as damage and routed around.

Nothing to see here. Move along. Nothing to worry about. Have a nice day.

--
Somebody should have said:
A democracy is two wolves and a lamb voting on what to have for dinner.

Freedom under a constitutional republic is a well armed lamb contesting the vote.

Requiescas in pace o email
Ex turpi causa non oritur actio
Eppure si rinfresca

ICBM Targeting Information: http://tinyurl.com/4sqczs
http://tinyurl.com/7tp8ml

From LarrySheldon at cox.net Sun Jun 13 11:35:32 2010
From: LarrySheldon at cox.net (Larry Sheldon)
Date: Sun, 13 Jun 2010 11:35:32 -0500
Subject: On the control of the Internet.
In-Reply-To: <21803.1276436847@localhost>
References: <4C146AED.9040400@cox.net> <21803.1276436847@localhost>
Message-ID: <4C1508D4.50304@cox.net>

On 6/13/2010 08:47, Valdis.Kletnieks at vt.edu wrote:
> On Sun, 13 Jun 2010 00:21:49 CDT, Larry Sheldon said:
>
>> For example--what happens when name-service information for a part that
>> is not shutdown comes from a part that is?
>
> It's always been a BCP good idea to have your DNS have secondaries in another
> non-fate-sharing AS, even though everybody from Microsoft on down seems
> to feel the need to rediscover this.

How about if the source database (not the relevant zone file, but the collection of data on some computer from which a zone file is created.

How about the case where the master zone file has been amputated and the secondaries can no longer get updates?

--
Somebody should have said:
A democracy is two wolves and a lamb voting on what to have for dinner.

Freedom under a constitutional republic is a well armed lamb contesting the vote.

Requiescas in pace o email
Ex turpi causa non oritur actio
Eppure si rinfresca

ICBM Targeting Information: http://tinyurl.com/4sqczs
http://tinyurl.com/7tp8ml

From sethm at rollernet.us Sun Jun 13 12:11:44 2010
From: sethm at rollernet.us (Seth Mattinen)
Date: Sun, 13 Jun 2010 10:11:44 -0700
Subject: On the control of the Internet.
In-Reply-To: <4C1508D4.50304@cox.net>
References: <4C146AED.9040400@cox.net> <21803.1276436847@localhost> <4C1508D4.50304@cox.net>
Message-ID: <4C151150.8020806@rollernet.us>

On 6/13/10 9:35 AM, Larry Sheldon wrote:
> How about the case where the master zone file has been amputated and the
> secondaries can no longer get updates?

We just saw that with Haiti.

~Seth

From jgreco at ns.sol.net Sun Jun 13 14:07:17 2010
From: jgreco at ns.sol.net (Joe Greco)
Date: Sun, 13 Jun 2010 14:07:17 -0500 (CDT)
Subject: On the control of the Internet.
In-Reply-To: <4C1508D4.50304@cox.net> from "Larry Sheldon" at Jun 13, 2010 11:35:32 AM
Message-ID: <201006131907.o5DJ7Hpo004033@aurora.sol.net>

> On 6/13/2010 08:47, Valdis.Kletnieks at vt.edu wrote:
> > On Sun, 13 Jun 2010 00:21:49 CDT, Larry Sheldon said:
> >
> >> For example--what happens when name-service information for a part that
> >> is not shutdown comes from a part that is?
> >
> > It's always been a BCP good idea to have your DNS have secondaries in another
> > non-fate-sharing AS, even though everybody from Microsoft on down seems
> > to feel the need to rediscover this.
>
> How about if the source database (not the relevant zone file, but the
> collection of data on some computer from which a zone file is created.

How about [...] is /what/? Unavailable? The zone files are still in place. Not really a problem in the overall scheme of things; I realize that some people have engineered things so that this will be a problem, but that's a choice.

> How about the case where the master zone file has been amputated and the
> secondaries can no longer get updates?

I'm not sure what "amputated" means here, but considering the case where the master itself is amputated, and the secondaries can no longer update, generally speaking, you log into the secondaries and twiddle their configs to make them masters. This requires some planning, preparedness, and procedures, but is in no way a crisis, unless you've failed to do the planning, have failed to prepare, and haven't followed your procedures.

How that works in the case where a government mandates something specific happens within your zone file is of course debatable, but possibly more back towards the original topic.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again."
- Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.

From LarrySheldon at cox.net Sun Jun 13 15:21:51 2010
From: LarrySheldon at cox.net (Larry Sheldon)
Date: Sun, 13 Jun 2010 15:21:51 -0500
Subject: On the control of the Internet.
In-Reply-To: <4C152EBF.8020502@cox.net>
References: <201006131907.o5DJ7Hpo004033@aurora.sol.net> <4C152EBF.8020502@cox.net>
Message-ID: <4C153DDF.4010703@cox.net>

As so often happens, I forgot to note what my client picked up for a return address. This is the first of several items that I meant to send to the list. My apologies to Mr Greco.

On 6/13/2010 14:17, Larry Sheldon wrote:
> On 6/13/2010 14:07, Joe Greco wrote:
>>> On 6/13/2010 08:47, Valdis.Kletnieks at vt.edu wrote:
>>>> On Sun, 13 Jun 2010 00:21:49 CDT, Larry Sheldon said:
>>>>
>>>>> For example--what happens when name-service information for a part that
>>>>> is not shutdown comes from a part that is?
>>>>
>>>> It's always been a BCP good idea to have your DNS have secondaries in another
>>>> non-fate-sharing AS, even though everybody from Microsoft on down seems
>>>> to feel the need to rediscover this.
>>>
>>> How about if the source database (not the relevant zone file, but the
>>> collection of data on some computer from which a zone file is created.
>>
>> How about [...] is /what/? Unavailable? The zone files are still in
>> place. Not really a problem in the overall scheme of things; I realize
>> that some people have engineered things so that this will be a problem,
>> but that's a choice.
>
> Yeah, it is a choice to keep the source data in a database (think DHCP
> system or something) WHERE IT MAKES OPERATIONAL SENSE TO DO SO.
>
> What happens if that source data can no longer be transferred to the
> master zone file located on the DNS server placed somewhere else WHERE
> IT MAKES OPERATIONAL SENSE TO DO SO, and the network is severed between them?
>
>>> How about the case where the master zone file has be amputated and the
>>> secondaries can no longer get updates?
>>
>> I'm not sure what "amputated" means here, but considering the case where
>> the master itself is amputated, and the secondaries can no longer update,
>> generally speaking, you log into the secondaries and twiddle their configs
>> to make them masters.  This requires some planning, preparedness, and
>> procedures, but is in no way a crisis, unless you've failed to do the
>> planning, have failed to prepare, and haven't followed your procedures.
>
> Amputated = severed = cut off = disconnected = no longer able to
> communicate with nor to be communicated with.
>
> Did not see that that was going to be so hard to understand.
>
> Should have known better, I guess.
>
>> How that works in the case where a government mandates something specific
>> happens within your zone file is of course debatable, but possibly more
>> back towards the original topic.
>
>
> Uhhhhh....actually that WAS the original topic.
>

-- 
Somebody should have said:
A democracy is two wolves and a lamb voting on what to have for dinner.

Freedom under a constitutional republic is a well armed lamb contesting
the vote.

Requiescas in pace o email
Ex turpi causa non oritur actio
Eppure si rinfresca

ICBM Targeting Information: http://tinyurl.com/4sqczs
http://tinyurl.com/7tp8ml

From LarrySheldon at cox.net  Sun Jun 13 15:22:12 2010
From: LarrySheldon at cox.net (Larry Sheldon)
Date: Sun, 13 Jun 2010 15:22:12 -0500
Subject: On the control of the Internet.
In-Reply-To: <201006131959.o5DJxZY8010456@aurora.sol.net>
References: <201006131959.o5DJxZY8010456@aurora.sol.net>
Message-ID: <4C153DF4.5020407@cox.net>

On 6/13/2010 14:59, Joe Greco wrote:
> What happens?  The master zone simply doesn't get updated until someone
> FedEx's a floppy.  You know, some of us made these sorts of contingency
> plans long ago, back in days when the Internet actually wasn't all that
> reliable, and it wasn't completely unthinkable to be off the air for at
> least 24 hours.

Interesting plan.

I've got a Gateway computer downstairs that can write a 3.5 inch floppy
and a Micron tower (running Windows 2000 the last time it was powered
up) that can write 5 inch floppies.

When I left active administration in 2003, out of 30 or so machines
running BIND I can't recall one that has a floppy drive of any sort.

> It's not that rough, these days, to install some monitoring to make sure
> that your zones are up to date on the secondaries and that they resolve
> names correctly; some operators used to even get really super-freakazoid
> and do zone transfers back to allow verification.  Here, we draw the line
> at checking the SOA's for consistency and checking one other beacon record
> for resolvability.  That's clearly not a solution aimed at warning about
> non-transferable zones; it raises some interesting questions.  Think maybe
> I'll go asking on dnsops what, if anything, people do to monitor.

"monitor" implies connectivity.  The OP was about the possibility that
the government would deny you connectivity.  Please try to stay on topic.

From LarrySheldon at cox.net  Sun Jun 13 15:23:06 2010
From: LarrySheldon at cox.net (Larry Sheldon)
Date: Sun, 13 Jun 2010 15:23:06 -0500
Subject: On the control of the Internet.
In-Reply-To: <201006131959.o5DJxZY8010456@aurora.sol.net>
References: <201006131959.o5DJxZY8010456@aurora.sol.net>
Message-ID: <4C153E2A.9080602@cox.net>

On 6/13/2010 14:59, Joe Greco wrote:

>>>> How about the case where the master zone file has be amputated and the
>>>> secondaries can no longer get updates?

Mea culpa.

That was supposed to say "How about the case where the master zone file
has beEN amputated and the secondaries can no longer get updates?"

My apologies.

From LarrySheldon at cox.net  Sun Jun 13 15:23:35 2010
From: LarrySheldon at cox.net (Larry Sheldon)
Date: Sun, 13 Jun 2010 15:23:35 -0500
Subject: On the control of the Internet.
In-Reply-To: <201006131959.o5DJxZY8010456@aurora.sol.net>
References: <201006131959.o5DJxZY8010456@aurora.sol.net>
Message-ID: <4C153E47.6080905@cox.net>

On 6/13/2010 14:59, Joe Greco wrote:
> Yes, but unreachability is basically only a problem for those who have
> failed to design and plan for it.  You can engineer for unreachability.
> You're a lot more screwed if we start talking about government mandates
> and the contents of your zone.

I meant to ask in my original posting:

http://volokh.com/2010/06/13/32843/
What happens when the US shuts down part of its part?
Depends on what part it shut down, of course.
But what are the available boundaries for the parts in question?

If we don't know what will be ordered shutdown and what the boundaries
of the shutdown area will be, are there engineering concerns that can not
be foreseen and economically provided-for?

-- 
Somebody should have said:
A democracy is two wolves and a lamb voting on what to have for dinner.
Freedom under a constitutional republic is a well armed lamb contesting
the vote.

Requiescas in pace o email
Ex turpi causa non oritur actio
Eppure si rinfresca

ICBM Targeting Information: http://tinyurl.com/4sqczs
http://tinyurl.com/7tp8ml

From jgreco at ns.sol.net  Sun Jun 13 15:54:54 2010
From: jgreco at ns.sol.net (Joe Greco)
Date: Sun, 13 Jun 2010 15:54:54 -0500 (CDT)
Subject: On the control of the Internet.
In-Reply-To: <4C153DF4.5020407@cox.net> from "Larry Sheldon" at Jun 13, 2010 03:22:12 PM
Message-ID: <201006132054.o5DKssML016494@aurora.sol.net>

> On 6/13/2010 14:59, Joe Greco wrote:
> > What happens?  The master zone simply doesn't get updated until someone
> > FedEx's a floppy.  You know, some of us made these sorts of contingency
> > plans long ago, back in days when the Internet actually wasn't all that
> > reliable, and it wasn't completely unthinkable to be off the air for at
> > least 24 hours.
>
> Interesting plan.
>
> I've got a Gateway computer downstairs that can write a 3.5 inch floppy
> and a Micron tower (running Windows 2000 the last time it was powered
> up) that can write 5 inch floppies.

If we want to be pedantic, Sony this year announced that it is shutting
down its production of floppy disks by next year.  Of course, the choice
of "floppy disk" is irrelevant, and I'm guessing you know it.  If your
devices are more comfortable with CD-ROM or USB MicroSD readers, then by
all means.

Long before NANOG, there was actually a time that some of us hauled
around things like USENET on magnetic media, because it was simply the
highest bandwidth yet cheapest method to haul large amounts of data
around the city, back when a Telebit Trailblazer was still vaguely able
to cope with a USENET feed - and for a little while thereafter.

> When I left active administration in 2003, out of 30 or so machines
> running BIND I can't recall one that has a floppy drive of any sort.

If your network has been so thoroughly taken over that you cannot hope
to get a file from a computer that does have a floppy over to your DNS
server, you have Much Bigger Problems to begin with...

> > It's not that rough, these days, to install some monitoring to make sure
> > that your zones are up to date on the secondaries and that they resolve
> > names correctly; some operators used to even get really super-freakazoid
> > and do zone transfers back to allow verification.  Here, we draw the line
> > at checking the SOA's for consistency and checking one other beacon record
> > for resolvability.  That's clearly not a solution aimed at warning about
> > non-transferable zones; it raises some interesting questions.  Think maybe
> > I'll go asking on dnsops what, if anything, people do to monitor.
>
> "monitor" implies connectivity.  The OP was about the possibility that
> the government would deny you connectivity.  Please try to stay on topic.

Our monitoring systems are definitely able to detect when connectivity
goes away.  What happens if and when that happens is generally left up
to a human to decide.  The sorts of brokenness that one might potentially
discover if the government were to corrupt connectivity is much more
complex than simple on/off; I feel comfortable saying that the best plan
is to have diversity of resources and some in-depth knowledge, since that
also serves normal engineering needs well.

... JG

From jgreco at ns.sol.net  Sun Jun 13 16:05:56 2010
From: jgreco at ns.sol.net (Joe Greco)
Date: Sun, 13 Jun 2010 16:05:56 -0500 (CDT)
Subject: On the control of the Internet.
In-Reply-To: <4C153E2A.9080602@cox.net> from "Larry Sheldon" at Jun 13, 2010 03:23:06 PM
Message-ID: <201006132105.o5DL5unU018681@aurora.sol.net>

> On 6/13/2010 14:59, Joe Greco wrote:
>
> >>>> How about the case where the master zone file has be amputated and the
> >>>> secondaries can no longer get updates?
>
> Mea culpa.
>
> That was supposed to say "How about the case where the master zone file
> has beEN amputated and the secondaries can no longer get updates?"
>
> My apologies.

Do you actually mean that the master zone file has been modified by the
government?  If so, how is that intertwined with secondaries no longer
being able to get updates?  Work with me, here, I'm trying to understand
what you're saying.

If the government has corrupted your master, and they actually want those
changes pushed out, one would expect that:

1) your master is not public to begin with (just good design, that, ..)

2) they would definitely not damage it in a manner that broke the ability
   of the secondaries to update, because presumably the reason they changed
   your zone was to push their data out to the 'net under your domain name,
   and that wouldn't work without the secondaries.

3) if they just wanted your domain to go away, there are easier ways to
   make that happen.

So from my point of view, your question still makes no sense, even as
corrected.  I may be missing your point.

Otherwise, if your question is "How about the case where the master zone
file SERVER has been rendered unreachable and the secondaries can no
longer get updates," I think I answered that already, between the public
and private e-mails we've exchanged.
The fundamental answer there is just to engineer it to avoid that being
a serious problem; this includes things like trying to maintain a static
DNS environment (dynamic updates of things == somewhat bad, particularly
where such updates are required for proper operation), setting your
expire record accordingly, and/or maintaining a contingency plan for
updating your secondaries through an out-of-band mechanism, such as
floppy disk via FedEx, modem to private dial-in, or pretty much any other
way one uses to get bits from A to B.

... JG

From jgreco at ns.sol.net  Sun Jun 13 16:15:30 2010
From: jgreco at ns.sol.net (Joe Greco)
Date: Sun, 13 Jun 2010 16:15:30 -0500 (CDT)
Subject: On the control of the Internet.
In-Reply-To: <4C153E47.6080905@cox.net> from "Larry Sheldon" at Jun 13, 2010 03:23:35 PM
Message-ID: <201006132115.o5DLFUqb018993@aurora.sol.net>

> On 6/13/2010 14:59, Joe Greco wrote:
>
> > Yes, but unreachability is basically only a problem for those who have
> > failed to design and plan for it.  You can engineer for unreachability.
> > You're a lot more screwed if we start talking about government mandates
> > and the contents of your zone.
>
> I meant to ask in my original posting:
>
> http://volokh.com/2010/06/13/32843/
> What happens when the US shuts down part of its part?
> Depends on what part it shut down, of course.
> But what are the available boundaries for the parts in question?
>
> If we don't know what will be ordered shutdown and what the boundaries
> of the shutdown area will be, are there engineering concerns that can not
> be foreseen and economically provided-for?

I think it's a great question, and of course there are all sorts of
concerns.  For many operators here, though, this may be a political
question more than an engineering question: if the government has the
power, and comes and tells your management to do X, are they going to
comply, or not?

It is probably more operationally relevant to be concerned with how to
cope with the more general problem of partitioning, because it's also
possible that one day Elbonia will decide to filter out the US, and we
may actually be able to engineer solutions that cope with that.  A
network that has planned ahead and is able to respond to such issues has
more of a chance to be able to successfully cope with other partitioning
issues, regardless of whether they're government-imposed or just a
peering spat.

From that point of view, I believe my initial answers to you make a great
deal of sense.

... JG

From LarrySheldon at cox.net  Sun Jun 13 16:19:04 2010
From: LarrySheldon at cox.net (Larry Sheldon)
Date: Sun, 13 Jun 2010 16:19:04 -0500
Subject: On the control of the Internet.
In-Reply-To: <201006132054.o5DKssML016494@aurora.sol.net>
References: <201006132054.o5DKssML016494@aurora.sol.net>
Message-ID: <4C154B48.3070303@cox.net>

On 6/13/2010 15:54, Joe Greco wrote:
> If we want to be pedantic, Sony this year announced that it is shutting
> down its production of floppy disks by next year.  Of course, the choice
> of "floppy disk" is irrelevant, and I'm guessing you know it.  If your
> devices are more comfortable with CD-ROM or USB MicroSD readers, then by
> all means.
I certainly hoped that that was the case, but not very long ago I read a
current "Emergency Recovery Plan" that depended on 9-track 1600BPI round
reel tapes in a shop that had not had a drive like that for ten years.

> Long before NANOG, there was actually a time that some of us hauled
> around things like USENET on magnetic media, because it was simply the
> highest bandwidth yet cheapest method to haul large amounts of data
> around the city, back when a Telebit Trailblazer was still vaguely able
> to cope with a USENET feed - and for a little while thereafter.

Wide Band Truck was a major component of plans long ago.

And I wish I had a nickel for every round-reel tape in an Anvil case I
escorted through airports.

> If your network has been so thoroughly taken over that you cannot hope
> to get a file from a computer that does have a floppy over to your DNS
> server, you have Much Bigger Problems to begin with...

And that is the issue I was trying to raise.

> Our monitoring systems are definitely able to detect when connectivity
> goes away.  What happens if and when that happens is generally left up
> to a human to decide.  The sorts of brokenness that one might potentially
> discover if the government were to corrupt connectivity is much more
> complex than simple on/off; I feel comfortable saying that the best plan
> is to have diversity of resources and some in-depth knowledge, since that
> also serves normal engineering needs well.

I'll bet you think The Stimulus created jobs.

-- 
Somebody should have said:
A democracy is two wolves and a lamb voting on what to have for dinner.

Freedom under a constitutional republic is a well armed lamb contesting
the vote.

Requiescas in pace o email
Ex turpi causa non oritur actio
Eppure si rinfresca

ICBM Targeting Information: http://tinyurl.com/4sqczs
http://tinyurl.com/7tp8ml

From jgreco at ns.sol.net  Sun Jun 13 16:32:44 2010
From: jgreco at ns.sol.net (Joe Greco)
Date: Sun, 13 Jun 2010 16:32:44 -0500 (CDT)
Subject: On the control of the Internet.
In-Reply-To: <4C154B48.3070303@cox.net> from "Larry Sheldon" at Jun 13, 2010 04:19:04 PM
Message-ID: <201006132132.o5DLWiCV022025@aurora.sol.net>

> On 6/13/2010 15:54, Joe Greco wrote:
> > If we want to be pedantic, Sony this year announced that it is shutting
> > down its production of floppy disks by next year.  Of course, the choice
> > of "floppy disk" is irrelevant, and I'm guessing you know it.  If your
> > devices are more comfortable with CD-ROM or USB MicroSD readers, then by
> > all means.
>
> I certainly hoped that that was the case, but not very long ago I read a
> current "Emergency Recovery Plan" that depended on 9-track 1600BPI round
> reel tapes in a shop that had not had a drive like that for ten years.

That's why emergency planning needs to be an ongoing thing.

> > If your network has been so thoroughly taken over that you cannot hope
> > to get a file from a computer that does have a floppy over to your DNS
> > server, you have Much Bigger Problems to begin with...
>
> And that is the issue I was trying to raise.

If they've got control of your network to the point where you cannot
even hook up a laptop and get access to the DNS server, I submit that
they effectively own your network and it is no longer your problem,
unless maybe you have a love of being thrown in some dark room where no
one will find you for a few years.  If that's the issue you're trying to
raise, I do not think it's solvable in any meaningful way.

More generally, is your company going to refuse to comply?  Or are you
planning to refuse to comply with the directives of your employer?

> > Our monitoring systems are definitely able to detect when connectivity
> > goes away.  What happens if and when that happens is generally left up
> > to a human to decide.  The sorts of brokenness that one might potentially
> > discover if the government were to corrupt connectivity is much more
> > complex than simple on/off; I feel comfortable saying that the best plan
> > is to have diversity of resources and some in-depth knowledge, since that
> > also serves normal engineering needs well.
>
> I'll bet you think The Stimulus created jobs.

It sure did, there's a bunch of construction going on all over the place.
Of course, a much better measure would be "how many of the jobs created
by these projects will be there in a year" - or better yet, but much
harder to quantify, would be positions created that weren't directly
funded by The Stimulus.  That's the best target to discuss, since everyone
can pull statistics to prove whatever position they hold dear.

... JG

From a.harrowell at gmail.com  Sun Jun 13 16:33:03 2010
From: a.harrowell at gmail.com (Alexander Harrowell)
Date: Sun, 13 Jun 2010 22:33:03 +0100
Subject: On the control of the Internet.
Message-ID: <0dff7785-28cd-4774-ac72-69d0aa1b09cc@email.android.com>

I'll bet that is a political statement, against list rules.  Larry is
currently making up a really high percentage of list traffic and this is
beginning to annoy.

"Larry Sheldon" wrote:

>On 6/13/2010 15:54, Joe Greco wrote:
>
>> If we want to be pedantic, Sony this year announced that it is shutting
>> down its production of floppy disks by next year.  Of course, the choice
>> of "floppy disk" is irrelevant, and I'm guessing you know it.
>> If your
>> devices are more comfortable with CD-ROM or USB MicroSD readers, then by
>> all means.
>
>I certainly hoped that that was the case, but not very long ago I read a
>current "Emergency Recovery Plan" that depended on 9-track 1600BPI round
>reel tapes in a shop that had not had a drive like that for ten years.
>
>
>> Long before NANOG, there was actually a time that some of us hauled
>> around things like USENET on magnetic media, because it was simply the
>> highest bandwidth yet cheapest method to haul large amounts of data
>> around the city, back when a Telebit Trailblazer was still vaguely able
>> to cope with a USENET feed - and for a little while thereafter.
>
>Wide Band Truck was a major component of plans long ago.
>
>And I wish I had a nickel for every round-reel tape in an Anvil case I
>escorted through airports.
>
>> If your network has been so thoroughly taken over that you cannot hope
>> to get a file from a computer that does have a floppy over to your DNS
>> server, you have Much Bigger Problems to begin with...
>
>And that is the issue I was trying to raise.
>
>> Our monitoring systems are definitely able to detect when connectivity
>> goes away.  What happens if and when that happens is generally left up
>> to a human to decide.  The sorts of brokenness that one might potentially
>> discover if the government were to corrupt connectivity is much more
>> complex than simple on/off; I feel comfortable saying that the best plan
>> is to have diversity of resources and some in-depth knowledge, since that
>> also serves normal engineering needs well.
>
>I'll bet you think The Stimulus created jobs.
>
>--
>Somebody should have said:
>A democracy is two wolves and a lamb voting on what to have for dinner.
>
>Freedom under a constitutional republic is a well armed lamb contesting
>the vote.
>
>Requiescas in pace o email
>Ex turpi causa non oritur actio
>Eppure si rinfresca
>
>ICBM Targeting Information: http://tinyurl.com/4sqczs
>http://tinyurl.com/7tp8ml
>
>
>

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

From gbonser at seven.com  Sun Jun 13 17:39:30 2010
From: gbonser at seven.com (George Bonser)
Date: Sun, 13 Jun 2010 15:39:30 -0700
Subject: On the control of the Internet.
In-Reply-To: <4C146AED.9040400@cox.net>
References: <4C146AED.9040400@cox.net>
Message-ID: <5A6D953473350C4B9995546AFE9939EE09EA4B46@RWC-EX1.corp.seven.com>

> For example--what happens when name-service information for a part that
> is not shutdown comes from a part that is?
>
> What if an exchange point for parts that are not shutdown is shutdown.
>
> And spare me the tinfoil hat stuff--tinfoil hats have not worked for a
> year or more.
> --
> Somebody should have said:
> A democracy is two wolves and a lamb voting on what to have for dinner.

We can play "what if" all day long and wargame all sorts of scenarios but
what it all boils down to is that there is really no such thing as "The
Internet".  Just exactly how would the government implement any policy
that involved shutting things down and to what extent could they
accomplish anything without hurting themselves?  What if your NSP is a
foreign company?  Can our government tell a French company that they
cannot communicate with someone else?  Can our government tell any
American company that they cannot communicate with another American
company within the US?  Do you "white list" certain communicators and
allow them access while denying others?  If so, how do you prevent your
white list from becoming obsolete the day after it is produced?

When you start disconnecting data communications you begin to impact such
things as voice communications, news media dissemination of information,
individuals in key positions losing a communications path, etc.

The notion of government being able to "shut down" portions of "the
internet" sounds easy to do in theory but I am not sure it has been
thought through at the practical level.  It would seem to me that the
only effective way one could implement such a policy is to initially shut
down ALL communications and then gradually certify various nodes for
reinstatement into the net.  I have no confidence that the government
could ever pull such a thing off.

G

From brunner at nic-naa.net  Sun Jun 13 17:39:36 2010
From: brunner at nic-naa.net (Eric Brunner-Williams)
Date: Sun, 13 Jun 2010 18:39:36 -0400
Subject: On the control of the Internet.
In-Reply-To: <4C151150.8020806@rollernet.us>
References: <4C146AED.9040400@cox.net> <21803.1276436847@localhost> <4C1508D4.50304@cox.net> <4C151150.8020806@rollernet.us>
Message-ID: <4C155E28.4020905@nic-naa.net>

On 6/13/10 1:11 PM, Seth Mattinen wrote:
> On 6/13/10 9:35 AM, Larry Sheldon wrote:
>> How about the case where the master zone file has be amputated and the
>> secondaries can no longer get updates?
>
>
> We just saw that with Haiti.

This overlooks the consequences of that particular catastrophic event on
locally routed, and indifferently named, resources within the area
directly affected by the event.

The hard, even desperate, struggle to keep the physical level
infrastructure powered, and operate link and above level services, using
pre-event and ad hoc post-event resource to address mappings was not an
exercise staged to demonstrate server configuration errors (these happen
quite frequently, and without casualties) or network partition events
(these too happen quite frequently, also without casualties).

The Lieberman, Collins (R-ME) and Carper bill, like the Rockefeller and
Snowe (R-ME) bill, offers nothing to the repair, or proactive resilience,
of the Haitian network.
I am content that Congresswoman Chellie Pingree, of Maine's 1st CD,
assisted significantly in the effort to keep the Boutillier facility
fueled in the last weeks of January.

Network infrastructure security can be distinguished from cybersecurity
in the first instance by actual existence.

Eric

From rbf+nanog at panix.com  Sun Jun 13 18:09:34 2010
From: rbf+nanog at panix.com (Brett Frankenberger)
Date: Sun, 13 Jun 2010 18:09:34 -0500
Subject: On the control of the Internet.
In-Reply-To: <4C153E2A.9080602@cox.net>
References: <201006131959.o5DJxZY8010456@aurora.sol.net> <4C153E2A.9080602@cox.net>
Message-ID: <20100613230934.GA7157@panix.com>

On Sun, Jun 13, 2010 at 03:23:06PM -0500, Larry Sheldon wrote:
> On 6/13/2010 14:59, Joe Greco wrote:
>
> >>>> How about the case where the master zone file has be amputated and the
> >>>> secondaries can no longer get updates?
>
> Mea culpa.
>
> That was supposed to say "How about the case where the master zone file
> has beEN amputated and the secondaries can no longer get updates?"

I'm really not sure what you're asking, and I don't know what "master
zone file has been amputated" means, but if the master server goes
unreachable, then, for each secondary, either:
  (a) it's not reachable from anywhere, in which case it doesn't really
      matter what information it has because nothing will be querying it, or
  (b) it is reachable from somewhere, in which case you log in to it
      from that somewhere, edit the configuration file, change "slave" to
      "master", and restart BIND.  (Adjust as needed for whatever DNS server
      is in use, if it's not BIND.)

     -- Brett

From LarrySheldon at cox.net  Sun Jun 13 18:14:03 2010
From: LarrySheldon at cox.net (Larry Sheldon)
Date: Sun, 13 Jun 2010 18:14:03 -0500
Subject: On the control of the Internet.
In-Reply-To: <20100613230934.GA7157@panix.com>
References: <201006131959.o5DJxZY8010456@aurora.sol.net> <4C153E2A.9080602@cox.net> <20100613230934.GA7157@panix.com>
Message-ID: <4C15663B.4040004@cox.net>

On 6/13/2010 18:09, Brett Frankenberger wrote:
> On Sun, Jun 13, 2010 at 03:23:06PM -0500, Larry Sheldon wrote:
>> On 6/13/2010 14:59, Joe Greco wrote:
>>
>>>>>> How about the case where the master zone file has be amputated and the
>>>>>> secondaries can no longer get updates?
>>
>> Mea culpa.
>>
>> That was supposed to say "How about the case where the master zone file
>> has beEN amputated and the secondaries can no longer get updates?"
>
> I'm really not sure what you're asking, and I don't know what "master
> zone file has been amputated" means, but if the master server goes
> unreachable, then, for each secondary, either:
>   (a) it's not reachable from anywhere, in which case it doesn't really
>       matter what information it has because nothing will be querying it, or
>   (b) it is reachable from somewhere, in which case you log in to it
>       from that somewhere, edit the configuration file, change "slave" to
>       "master", and restart BIND.  (Adjust as needed for whatever DNS server
>       is in use, if it's not BIND.)

I have been faulted for injecting "politics" into the discussion of BGP
configurations for people that ought not......

There I go again.

Have you actually read the article I posted at the top of this thread?

From williams.bruce at gmail.com  Sun Jun 13 20:13:54 2010
From: williams.bruce at gmail.com (Bruce Williams)
Date: Sun, 13 Jun 2010 18:13:54 -0700
Subject: On the control of the Internet.
In-Reply-To: <201006131342.o5DDg18I077624@aurora.sol.net>
References: <5680FC9E-7D10-49F6-A20F-637CB64C33B1@delong.com> <201006131342.o5DDg18I077624@aurora.sol.net>
Message-ID:

On Sun, Jun 13, 2010 at 6:42 AM, Joe Greco wrote:
>> Generally speaking, it will be treated as damage and routed around.
>
> That fable only really stands a chance when the damage is accidental; in
> the case where such "damage" is being deliberately inflicted, particularly
> by government, it gets more complicated.  A lot of the 'net is a little
> more centralized than it ought to be in order to allow the "routed around"
> concept to work successfully.
>
> ... JG

BTW, I forget, when was the original ARPANET spec of surviving a nuclear
war tested?  I mean, we do know what would happen, right?

Yes, Joe, the ARPANET fable does live on.

Bruce Williams

From joelja at bogus.com  Sun Jun 13 20:21:07 2010
From: joelja at bogus.com (Joel Jaeggli)
Date: Sun, 13 Jun 2010 18:21:07 -0700
Subject: On the control of the Internet.
In-Reply-To:
References: <5680FC9E-7D10-49F6-A20F-637CB64C33B1@delong.com> <201006131342.o5DDg18I077624@aurora.sol.net>
Message-ID: <4C158403.1080900@bogus.com>

On 06/13/2010 06:13 PM, Bruce Williams wrote:
> On Sun, Jun 13, 2010 at 6:42 AM, Joe Greco wrote:
>>> Generally speaking, it will be treated as damage and routed around.
>>
>> That fable only really stands a chance when the damage is accidental; in
>> the case where such "damage" is being deliberately inflicted, particularly
>> by government, it gets more complicated.  A lot of the 'net is a little
>> more centralized than it ought to be in order to allow the "routed around"
>> concept to work successfully.
>>
>> ... JG
>
> BTW, I forget, when was the original ARPANET spec of surviving a
> nuclear war tested?  I mean, we do know what would happen, right?

Paul Baran's RAND paper was on survivable networks.  The arpanet was not
that network.

> Yes, Joe, the ARPANET fable does live on.
>
> Bruce Williams
>
>

From LarrySheldon at cox.net  Sun Jun 13 20:28:41 2010
From: LarrySheldon at cox.net (Larry Sheldon)
Date: Sun, 13 Jun 2010 20:28:41 -0500
Subject: On the control of the Internet.
In-Reply-To: <4C158403.1080900@bogus.com>
References: <5680FC9E-7D10-49F6-A20F-637CB64C33B1@delong.com> <201006131342.o5DDg18I077624@aurora.sol.net> <4C158403.1080900@bogus.com>
Message-ID: <4C1585C9.7070907@cox.net>

On 6/13/2010 20:21, Joel Jaeggli wrote:
> Paul Baran's RAND paper was on survivable networks.  The arpanet was not
> that network.

I worry now if it will survive the people that operate it.

From diego.sanchez at comcast.net  Sun Jun 13 22:56:42 2010
From: diego.sanchez at comcast.net (Diego Sanchez)
Date: Sun, 13 Jun 2010 23:56:42 -0400
Subject: Hello
Message-ID: <008b01cb0b75$99c2c9f0$cd485dd0$@sanchez@comcast.net>

Hello

How do I unsubscribe from regular e-mail?

Diego

From brandon at rd.bbc.co.uk  Mon Jun 14 02:05:14 2010
From: brandon at rd.bbc.co.uk (Brandon Butterworth)
Date: Mon, 14 Jun 2010 08:05:14 +0100 (BST)
Subject: On the control of the Internet.
Message-ID: <201006140705.IAA18894@sunf10.rd.bbc.co.uk>

> > Paul Baran's RAND paper was on survivable networks.  The arpanet was not
> > that network.
>
> I worry now if it will survive the people that operate it.

I doubt it.  When the machines rise up against us they will kill the
current net and carry on with their own IPv8 network.

brandon

From joshua.klubi at gmail.com  Mon Jun 14 02:12:18 2010
From: joshua.klubi at gmail.com (Joshua William Klubi)
Date: Mon, 14 Jun 2010 07:12:18 +0000
Subject: Monitoring Tool
Message-ID:

Hi

I have been tasked to develop a good network for a Bank and I have also
been tasked to get a good monitoring tool for the Bank's local network and
Service providers network.  I would like to ask the community to help
recommend the best tool out there that can help me do this.

Joshua

From khatfield at socllc.net  Mon Jun 14 03:59:02 2010
From: khatfield at socllc.net (khatfield at socllc.net)
Date: Mon, 14 Jun 2010 08:59:02 +0000
Subject: Monitoring Tool
Message-ID: <138831553-1276505943-cardhu_decombobulator_blackberry.rim.net-1698334846-@bda443.bisx.prod.on.blackberry>

When you say monitoring...

Do you mean servers and network gear or just network?  What type of gear?
What kind of information are you looking to get?  (How detailed?)

What kind of budget do you have?

Really all of those are needed to make a recommendation.  I'm guessing
this is a small network?  How many devices?

-Kevin
------Original Message------
From: Joshua William Klubi
To: nanog at nanog.org
Subject: Monitoring Tool
Sent: Jun 14, 2010 2:12 AM

Hi
I have been tasked to develop a good network for a Bank and I have also
been tasked to get a good monitoring tool for the Bank's local network
and Service providers network.  I would like to ask the community to help
recommend the best tool out there that can help me do this.

Joshua

From joshua.klubi at gmail.com  Mon Jun 14 04:05:33 2010
From: joshua.klubi at gmail.com (Joshua William Klubi)
Date: Mon, 14 Jun 2010 09:05:33 +0000
Subject: Monitoring Tool
In-Reply-To: <1967374137-1276505854-cardhu_decombobulator_blackberry.rim.net-1693799837-@bda443.bisx.prod.on.blackberry>
References: <1967374137-1276505854-cardhu_decombobulator_blackberry.rim.net-1693799837-@bda443.bisx.prod.on.blackberry>
Message-ID:

Well Kevin,

I am looking at monitoring the network actually, not the servers.  As for
the budget, there is no limit, since it is coming down from management.
They are looking for solutions that can monitor bandwidth and provide
reports based on specific times.  I don't know of any offhand, but I do
know of SolarWinds and Nagios, but I thought there might be other
solutions available.

Joshua

On Mon, Jun 14, 2010 at 8:57 AM, wrote:
> When you say monitoring...
>
> Do you mean servers and network gear or just network?  What type of gear?
> What kind of information are you looking to get?  (How detailed?)
>
> What kind of budget do you have?
>
> Really all of those are needed to make a recommendation.  I'm guessing this
> is a small network?  How many devices?
>
> -Kevin
> ------Original Message------
> From: Joshua William Klubi
> To: nanog at nanog.org
> Subject: Monitoring Tool
> Sent: Jun 14, 2010 2:12 AM
>
> Hi
> I have been tasked to develop a good network for a Bank and I have also
> been tasked to get a good monitoring tool for the Bank's local network and
> Service providers network.  I would like to ask the community
> to help recommend the best tool out there that can help me do this.
>
> Joshua
>
>
>

From nanogf at spoofer.com  Mon Jun 14 05:17:32 2010
From: nanogf at spoofer.com (nanogf .)
Date: Mon, 14 Jun 2010 03:17:32 -0700 Subject: Monitoring Tool Message-ID: <20100614031732.245EC1B4@resin15.mta.everyone.net> http://www.invea-tech.com/products-and-services/flowmon/flowmon-overview You can try FlowMon on our online demo : https://demo.invea.cz/ Login: flowmon Password: flowmondemo By the way, please register to our partner portal to have access to all the documentation : http://www.invea-tech.com/support/ --- joshua.klubi at gmail.com wrote: From: Joshua William Klubi To: khatfield at socllc.net Cc: nanog at nanog.org Subject: Re: Monitoring Tool Date: Mon, 14 Jun 2010 09:05:33 +0000 Well Kelvin I am looking at monitoring the network actually not the servers as for the budget , there is no limit,since it is coming down from management they are looking for solutions, that can monitor bandwidth and provide report based on specific times. I don't know of any off head , but i do know of solar winds and nagios but i taught there might be other solutions available. Joshua On Mon, Jun 14, 2010 at 8:57 AM, wrote: > When you say monitoring... > > Do you mean servers and network gear or just network? What type of gear? > What kind of information are looking to get? (How detailed?) > > What kind of budget do you have? > > Really all of those are needed to make a recommendation. I'm guessing this > is a small network? How many devices? > > -Kevin > ------Original Message------ > From: Joshua William Klubi > To: nanog at nanog.org > Subject: Monitoring Tool > Sent: Jun 14, 2010 2:12 AM > > Hi > I have been tasked to develop a good network for a Bank and i have also > been > tasked to get a good monitoring tool for the Bank's local network and > Service providers network. 
i would like to ask the community > to help recommend the best tool out there that can help me do this > > Joshua > > > _____________________________________________________________ Get your own *free* email address like this one from www.OwnEmail.com

From eugen at leitl.org Mon Jun 14 05:24:49 2010 From: eugen at leitl.org (Eugen Leitl) Date: Mon, 14 Jun 2010 12:24:49 +0200 Subject: On the control of the Internet. In-Reply-To: <201006140705.IAA18894@sunf10.rd.bbc.co.uk> References: <201006140705.IAA18894@sunf10.rd.bbc.co.uk> Message-ID: <20100614102449.GZ1964@leitl.org> On Mon, Jun 14, 2010 at 08:05:14AM +0100, Brandon Butterworth wrote: > > I worry now if it will survive the people that operate it. > > I doubt it. When the machines rise up against us they will > kill the current net and carry on with their own IPv8 network. Purely photonic relativistic cut-through all the way ;)

From maxsec at gmail.com Mon Jun 14 06:53:58 2010 From: maxsec at gmail.com (Martin Hepworth) Date: Mon, 14 Jun 2010 12:53:58 +0100 Subject: stumbleupon contact Message-ID: Hi If there's anyone here from stumbleupon can you please contact me regarding a security issue please. To everyone else, apologies for the noise. -- Martin Hepworth Oxford, UK

From Valdis.Kletnieks at vt.edu Mon Jun 14 06:57:08 2010 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Mon, 14 Jun 2010 07:57:08 -0400 Subject: On the control of the Internet. In-Reply-To: Your message of "Mon, 14 Jun 2010 08:05:14 BST." <201006140705.IAA18894@sunf10.rd.bbc.co.uk> References: <201006140705.IAA18894@sunf10.rd.bbc.co.uk> Message-ID: <104663.1276516628@localhost> On Mon, 14 Jun 2010 08:05:14 BST, Brandon Butterworth said: > > > Paul Baran's rand paper was on survivable networks. The arpanet was not > > > that network. > > > > I worry now if it will survive the people that operate it. > > I doubt it.
When the machines rise up against us they will > kill the current net and carry on with their own IPv8 network. Is *that* what it's going to take to finally get it deployed everyplace?

From joshua.klubi at gmail.com Mon Jun 14 07:32:00 2010 From: joshua.klubi at gmail.com (Joshua William Klubi) Date: Mon, 14 Jun 2010 12:32:00 +0000 Subject: Monitoring Tool In-Reply-To: <1967374137-1276505854-cardhu_decombobulator_blackberry.rim.net-1693799837-@bda443.bisx.prod.on.blackberry> References: <1967374137-1276505854-cardhu_decombobulator_blackberry.rim.net-1693799837-@bda443.bisx.prod.on.blackberry> Message-ID: Well am looking at system or software that can be used to monitor a bank of about 160 branches using cisco products, i want to monitor the network links , bandwidth application usage and IDS and do monthly reports for managements On Mon, Jun 14, 2010 at 8:57 AM, wrote: > When you say monitoring... > > Do you mean servers and network gear or just network? What type of gear? > What kind of information are looking to get? (How detailed?) > > What kind of budget do you have? > > Really all of those are needed to make a recommendation. I'm guessing this > is a small network? How many devices? > > -Kevin > ------Original Message------ > From: Joshua William Klubi > To: nanog at nanog.org > Subject: Monitoring Tool > Sent: Jun 14, 2010 2:12 AM > > Hi > I have been tasked to develop a good network for a Bank and i have also > been > tasked to get a good monitoring tool for the Bank's local network and > Service providers network.
i would like to ask the community > to help recommend the best tool out there that can help me do this > > Joshua > > > From joshua.klubi at gmail.com Mon Jun 14 07:44:38 2010 From: joshua.klubi at gmail.com (Joshua William Klubi) Date: Mon, 14 Jun 2010 12:44:38 +0000 Subject: Monitoring Tool In-Reply-To: <4C16005A.20803@de-cix.net> References: <4C15E62B.5070502@de-cix.net> <4C16005A.20803@de-cix.net> Message-ID: Yeah I would not mind having those xtra features like IDS and IPS On Mon, Jun 14, 2010 at 10:11 AM, Matthias Flittner < matthias.flittner at de-cix.net> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > for project > please describe your project in more detail. Could you please name the > three most important things which such an tool must provide? Which > information do you whant to see? > > Are you although looking for some IDS or IPS features implemented in the > monitroing software? > > > Well money is not an issue > Good point to start. ;) > > Maybe have a look at: http://en.wikipedia.org/wiki/Network_monitoring > > regards, > FliTTi > > > - -- > Matthias Flittner > DE-CIX Management GmbH e-mail: matthias.flittner at de-cix.net > Lindleystr. 12, 60314 Frankfurt Phone: +49 69 1730 902-0 > Geschaeftsfuehrer Harald A. Summa Mobile: +49 176 21940967 > Registergericht AG Koeln, HRB 51135 Fax: +49 69 4056 2716 > Zentrale: Lichtstr. 
43i, 50825 Koeln http://www.de-cix.net >

From jhorstman at adknowledge.com Mon Jun 14 11:42:26 2010 From: jhorstman at adknowledge.com (Justin Horstman) Date: Mon, 14 Jun 2010 11:42:26 -0500 Subject: Monitoring Tool In-Reply-To: References: <4C15E62B.5070502@de-cix.net> <4C16005A.20803@de-cix.net> Message-ID: http://www.cacti.net/ with http://www.network-weathermap.com/ among other plugins found: http://docs.cacti.net/plugins can be a very good first step, and it's free, though it has a lower resolution than some; minute/minute is often all that's needed for management types, not to mention it's relatively easy. ~J -----Original Message----- From: Joshua William Klubi [mailto:joshua.klubi at gmail.com] Sent: Monday, June 14, 2010 7:45 AM To: Matthias Flittner Cc: nanog at nanog.org Subject: Re: Monitoring Tool Yeah I would not mind having those xtra features like IDS and IPS On Mon, Jun 14, 2010 at 10:11 AM, Matthias Flittner < matthias.flittner at de-cix.net> wrote: > > > for project > please describe your project in more detail. Could you please name the > three most important things which such an tool must provide? Which > information do you want to see? > > Are you although looking for some IDS or IPS features implemented in the > monitoring software? > > > Well money is not an issue > Good point to start.
;) > > Maybe have a look at: http://en.wikipedia.org/wiki/Network_monitoring > > regards, > FliTTi > > > - -- > Matthias Flittner > DE-CIX Management GmbH e-mail: matthias.flittner at de-cix.net > Lindleystr. 12, 60314 Frankfurt Phone: +49 69 1730 902-0 > Geschaeftsfuehrer Harald A. Summa Mobile: +49 176 21940967 > Registergericht AG Koeln, HRB 51135 Fax: +49 69 4056 2716 > Zentrale: Lichtstr. 43i, 50825 Koeln http://www.de-cix.net >

From tj at kniveton.com Mon Jun 14 11:43:16 2010 From: tj at kniveton.com (T.J. Kniveton) Date: Mon, 14 Jun 2010 09:43:16 -0700 Subject: Live streaming from NANOG49 Message-ID: <4C165C24.8080303@kniveton.com> First off, thanks to the staffers who set up live streaming. I'm using HD unicast, and the quality is great. That said, is it possible to have the camera zoom in to the presenter a bit? The whole room is shown, and even on a 24" screen I still can't really see the presenters very clearly, since there's some pixellation. Thanks, TJ

From nanogf at spoofer.com Mon Jun 14 11:43:48 2010 From: nanogf at spoofer.com (nanogf .)
Date: Mon, 14 Jun 2010 09:43:48 -0700 Subject: Monitoring Tool Message-ID: <20100614094348.245E94B5@resin15.mta.everyone.net> > Well am looking at system or software that can be used to monitor a bank of > about 160 branches using cisco products, https://demo.invea.cz/ Login: flowmon Password: flowmondemo >i want to monitor the network links, bandwidth application usage https://demo.invea.cz/netflow Login: flowmon Password: flowmondemo >IDS https://demo.invea.cz/cognitiveone >do monthly reports for managements https://demo.invea.cz/ifr Login: flowmon Password: flowmondemo --- joshua.klubi at gmail.com wrote: From: Joshua William Klubi To: khatfield at socllc.net Cc: nanog at nanog.org Subject: Re: Monitoring Tool Date: Mon, 14 Jun 2010 12:32:00 +0000 Well am looking at system or software that can be used to monitor a bank of about 160 branches using cisco products, i want to monitor the network links , bandwidth application usage and IDS and do monthly reports for managements On Mon, Jun 14, 2010 at 8:57 AM, wrote: > When you say monitoring... > > Do you mean servers and network gear or just network? What type of gear? > What kind of information are looking to get? (How detailed?) > > What kind of budget do you have? > > Really all of those are needed to make a recommendation. I'm guessing this > is a small network? How many devices? > > -Kevin > ------Original Message------ > From: Joshua William Klubi > To: nanog at nanog.org > Subject: Monitoring Tool > Sent: Jun 14, 2010 2:12 AM > > Hi > I have been tasked to develop a good network for a Bank and i have also > been > tasked to get a good monitoring tool for the Bank's local network and > Service providers network. 
i would like to ask the community > to help recommend the best tool out there that can help me do this > > Joshua > > >

From t.dahm at resolution.de Mon Jun 14 11:49:39 2010 From: t.dahm at resolution.de (Thorsten Dahm) Date: Mon, 14 Jun 2010 17:49:39 +0100 Subject: Monitoring Tool In-Reply-To: References: Message-ID: <4C165DA3.40304@resolution.de> Joshua William Klubi wrote: > I have been tasked to develop a good network for a Bank and i have also been > tasked to get a good monitoring tool for the Bank's local network and > Service providers network. i would like to ask the community > to help recommend the best tool out there that can help me do this As others pointed out, without additional information it is hard to give you any recommendation. The usual suspects in the open source world would be nagios, cacti, mrtg, netflow, ... in case you want to have something to check it out. Best would be you just write a list down on what data or monitoring you really need. cheers, Thorsten

From sparctacus at gmail.com Mon Jun 14 11:57:33 2010 From: sparctacus at gmail.com (Bryan Irvine) Date: Mon, 14 Jun 2010 09:57:33 -0700 Subject: Monitoring Tool In-Reply-To: <4C165DA3.40304@resolution.de> References: <4C165DA3.40304@resolution.de> Message-ID: On Mon, Jun 14, 2010 at 9:49 AM, Thorsten Dahm wrote: > Joshua William Klubi wrote: >> >> I have been tasked to develop a good network for a Bank and i have also >> been >> tasked to get a good monitoring tool for the Bank's local network and >> Service providers network. i would like to ask the community >> to help recommend the best tool out there that can help me do this > > As others pointed out, without additional information it is hard to give you > any recommendation. > > The usual suspects in the open source world would be nagios, cacti, mrtg, > netflow, ...
in case you want to have something to check it out. > I like Zenoss. It's like nagios and cacti. It also does syslog, and the enterprise version does netflows as well. From tj at kniveton.com Mon Jun 14 12:00:44 2010 From: tj at kniveton.com (T.J. Kniveton) Date: Mon, 14 Jun 2010 10:00:44 -0700 Subject: Live streaming from NANOG49 In-Reply-To: <4C165C24.8080303@kniveton.com> References: <4C165C24.8080303@kniveton.com> Message-ID: <4C16603C.1010409@kniveton.com> Thank you, now I can see the presenter. Next challenge, can you put an overlay of the slides on the upper right quarter of the screen? :-) TJ On 6/14/2010 9:43 AM, T.J. Kniveton wrote: > First off, thanks to the staffers who set up live streaming. I'm using > HD unicast, and the quality is great. > > That said, is it possible to have the camera zoom in to the presenter > a bit? The whole room is shown, and even on a 24" screen I still can't > really see the presenters very clearly, since there's some pixellation. > > Thanks, > > TJ > > From nick at foobar.org Mon Jun 14 12:12:10 2010 From: nick at foobar.org (Nick Hilliard) Date: Mon, 14 Jun 2010 18:12:10 +0100 Subject: Live streaming from NANOG49 In-Reply-To: <4C16603C.1010409@kniveton.com> References: <4C165C24.8080303@kniveton.com> <4C16603C.1010409@kniveton.com> Message-ID: <4C1662EA.5090309@foobar.org> On 14/06/2010 18:00, T.J. Kniveton wrote: > Thank you, now I can see the presenter. > > Next challenge, can you put an overlay of the slides on the upper right > quarter of the screen? :-) The slides are available on the flash stream: http://www.nanog.org/streaming.php?secondflash=1 Nick From mksmith at adhost.com Mon Jun 14 12:29:37 2010 From: mksmith at adhost.com (Michael K. Smith) Date: Mon, 14 Jun 2010 10:29:37 -0700 Subject: NANOG 49 - Tweet questions to the presenters Message-ID: Hello All: My apologies if you already read this on nanog-futures. We are monitoring Twitter for #nanog and #nanog49. 
If you are participating remotely and would like to ask questions of the presenters please tweet them with one of those hashtags and we'll do our best to get them in front of the presenters. Regards, Mike On behalf of the Communications Committee

From lists at quux.de Mon Jun 14 12:39:36 2010 From: lists at quux.de (Jens Link) Date: Mon, 14 Jun 2010 19:39:36 +0200 Subject: Monitoring Tool In-Reply-To: <4C165DA3.40304@resolution.de> (Thorsten Dahm's message of "Mon\, 14 Jun 2010 17\:49\:39 +0100") References: <4C165DA3.40304@resolution.de> Message-ID: <87eig9a4yv.fsf@oban.berlin.quux.de> Thorsten Dahm writes: > The usual suspects in the open source world would be nagios, cacti, > mrtg, netflow, ... There is no tool called netflow. ;-) To collect and analyze netflow data I'd recommend nfdump.sf.net and nfsen.sf.net as open source solution. Jens -- ------------------------------------------------------------------------- | Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 | | http://blog.quux.de | jabber: jenslink at guug.de | ------------------- | -------------------------------------------------------------------------

From up at 3.am Mon Jun 14 13:30:17 2010 From: up at 3.am (James Smallacombe) Date: Mon, 14 Jun 2010 14:30:17 -0400 (EDT) Subject: BGP Multihoming Partial vs. Full Routes Message-ID: I know this topic must have been covered before, but I can find no search tool for the NANOG archives. I did google and reference Halabi's book as well as Avi's howto, but I still don't feel I fully understand the pros and cons of Full vs. Partial routes in a dual/multihomed network. Cisco's position these days seems to be "you don't need to carry full views unless you like tinkering with optimizing paths and such." Tinkering isn't the issue. Full reachability to servers on this network from EVERYone, including both upstreams' customers, regardless of the status of each upstream connection is.
Ditto in the event that one upstream has some kind of core or regional router meltdown, which I've seen more than once. I see conflicting advice as to whether partial routes will suffice for this. Helpful links and/or synopses appreciated. James Smallacombe PlantageNet, Inc. CEO and Janitor up at 3.am http://3.am =========================================================================

From bifrost at minions.com Mon Jun 14 13:35:36 2010 From: bifrost at minions.com (Tom) Date: Mon, 14 Jun 2010 11:35:36 -0700 (PDT) Subject: 1slash8 pollution Message-ID: <20100614113350.C713@evil.minions.com> In connecting to the conference network, I noticed this on the Westin wireless:

ath0: no link ......... got link
DHCPREQUEST on ath0 to 255.255.255.255 port 67
DHCPREQUEST on ath0 to 255.255.255.255 port 67
DHCPNAK from 1.2.1.3
DHCPDISCOVER on ath0 to 255.255.255.255 port 67 interval 12
DHCPOFFER from 1.2.1.3
DHCPREQUEST on ath0 to 255.255.255.255 port 67
DHCPACK from 1.2.1.3
bound to 10.2.252.129 -- renewal in 10800 seconds.
ath0: flags=8843 metric 0 mtu 1500
        inet 10.2.252.129 netmask 0xffff0000 broadcast 10.2.255.255
        ssid WestinMeetingRooms channel 149 (5745 Mhz 11a) bssid 00:1d:e5:4d:cf:6f

Perhaps someone should mention this to the hotel? :) -Tom

From nenolod at systeminplace.net Mon Jun 14 13:44:31 2010 From: nenolod at systeminplace.net (William Pitcock) Date: Mon, 14 Jun 2010 13:44:31 -0500 Subject: 1slash8 pollution In-Reply-To: <20100614113350.C713@evil.minions.com> References: <20100614113350.C713@evil.minions.com> Message-ID: <1276541071.7682.2.camel@petrie> Hi, On Mon, 2010-06-14 at 11:35 -0700, Tom wrote: > In connecting to the conference network, I noticed this on the Westin > wireless: > > ath0: no link .........
got link
> DHCPREQUEST on ath0 to 255.255.255.255 port 67
> DHCPREQUEST on ath0 to 255.255.255.255 port 67
> DHCPNAK from 1.2.1.3
> DHCPDISCOVER on ath0 to 255.255.255.255 port 67 interval 12
> DHCPOFFER from 1.2.1.3
> DHCPREQUEST on ath0 to 255.255.255.255 port 67
> DHCPACK from 1.2.1.3
> bound to 10.2.252.129 -- renewal in 10800 seconds.
> ath0: flags=8843 metric 0 mtu 1500
>         inet 10.2.252.129 netmask 0xffff0000 broadcast 10.2.255.255
>         ssid WestinMeetingRooms channel 149 (5745 Mhz 11a) bssid 00:1d:e5:4d:cf:6f

A lot of wireless kiosk gear uses 1/8 for bootstrap. It is likely that the people at the Westin cannot do anything about it as it may be hard coded into the firmware. William

From lists at quux.de Mon Jun 14 13:48:05 2010 From: lists at quux.de (Jens Link) Date: Mon, 14 Jun 2010 20:48:05 +0200 Subject: 1slash8 pollution In-Reply-To: <20100614113350.C713@evil.minions.com> (Tom's message of "Mon\, 14 Jun 2010 11\:35\:36 -0700 \(PDT\)") References: <20100614113350.C713@evil.minions.com> Message-ID: <874oh58n8a.fsf@oban.berlin.quux.de> Tom writes: > DHCPACK from 1.2.1.3 > > Perhaps someone should mention this to the hotel? :) I've seen DHCPACK from 1.1.1.1 I was told it's the default value of a Cisco WLAN Controller. There are more things broken in most hotel WLANs. Jens -- ------------------------------------------------------------------------- | Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 | | http://blog.quux.de | jabber: jenslink at guug.de | ------------------- | -------------------------------------------------------------------------

From elmi at 4ever.de Mon Jun 14 13:52:21 2010 From: elmi at 4ever.de (Elmar K.
Bins) Date: Mon, 14 Jun 2010 20:52:21 +0200 Subject: 1slash8 pollution In-Reply-To: <874oh58n8a.fsf@oban.berlin.quux.de> References: <20100614113350.C713@evil.minions.com> <874oh58n8a.fsf@oban.berlin.quux.de> Message-ID: <20100614185221.GK96953@ronin.4ever.de> lists at quux.de (Jens Link) wrote: > > DHCPACK from 1.2.1.3 > > Perhaps someone should mention this to the hotel? :) > > I've senn DHCPACK from 1.1.1.1 I was told it's the default value of a > Cisco WLAN Controller. There are more things broken in most hotel > WLANs. We should go soft on the Westin. The wireless works surprisingly well. From regnauld at nsrc.org Mon Jun 14 13:52:47 2010 From: regnauld at nsrc.org (Phil Regnauld) Date: Mon, 14 Jun 2010 20:52:47 +0200 Subject: Monitoring Tool In-Reply-To: References: Message-ID: <20100614185246.GA65042@macbook.catpipe.net> Joshua William Klubi (joshua.klubi) writes: > Hi > I have been tasked to develop a good network for a Bank and i have also been > tasked to get a good monitoring tool for the Bank's local network and > Service providers network. i would like to ask the community > to help recommend the best tool out there that can help me do this Hi Joshua, What kind of monitoring are we talking about ? Network services, performance, traffic, latency, ... ? You might want to take a look at some popular Open Source tools, such as: http://www.nagios.org/ http://www.zabbix.com/ http://www.hyperic.com/ http://www.opennms.org/wiki/Main_Page http://www.cacti.net/ http://oss.oetiker.ch/smokeping/ ... to get an idea of what's possible. Cheers, Phil From bifrost at minions.com Mon Jun 14 13:56:00 2010 From: bifrost at minions.com (Tom) Date: Mon, 14 Jun 2010 11:56:00 -0700 (PDT) Subject: 1slash8 pollution In-Reply-To: <20100614185221.GK96953@ronin.4ever.de> References: <20100614113350.C713@evil.minions.com> <874oh58n8a.fsf@oban.berlin.quux.de> <20100614185221.GK96953@ronin.4ever.de> Message-ID: <20100614115410.M713@evil.minions.com> On Mon, 14 Jun 2010, Elmar K. 
Bins wrote: >> I've senn DHCPACK from 1.1.1.1 I was told it's the default value of a >> Cisco WLAN Controller. There are more things broken in most hotel >> WLANs. > > We should go soft on the Westin. The wireless works surprisingly well. It does indeed, wasn't implying that we should chastise them for having a service that works, merely that since we're a few hundred network nerds we noticed something was broken. From Greg.Whynott at oicr.on.ca Mon Jun 14 13:57:31 2010 From: Greg.Whynott at oicr.on.ca (Greg Whynott) Date: Mon, 14 Jun 2010 14:57:31 -0400 Subject: 1slash8 pollution In-Reply-To: <874oh58n8a.fsf@oban.berlin.quux.de> References: <20100614113350.C713@evil.minions.com> <874oh58n8a.fsf@oban.berlin.quux.de> Message-ID: I can confirm this, our WLC from Cisco came with a default IP setting of 1.1.1.1 for the portal. -g On Jun 14, 2010, at 2:48 PM, Jens Link wrote: > Tom writes: > >> DHCPACK from 1.2.1.3 >> >> Perhaps someone should mention this to the hotel? :) > > I've senn DHCPACK from 1.1.1.1 I was told it's the default value of a > Cisco WLAN Controller. There are more things broken in most hotel > WLANs. > > Jens > -- > ------------------------------------------------------------------------- > | Foelderichstr. 
40 | 13595 Berlin, Germany | +49-151-18721264 | > | http://blog.quux.de | jabber: jenslink at guug.de | ------------------- | > ------------------------------------------------------------------------- > From r.engehausen at gmail.com Mon Jun 14 14:06:34 2010 From: r.engehausen at gmail.com (Roy) Date: Mon, 14 Jun 2010 12:06:34 -0700 Subject: Monitoring Tool In-Reply-To: <20100614185246.GA65042@macbook.catpipe.net> References: <20100614185246.GA65042@macbook.catpipe.net> Message-ID: <4C167DBA.8000500@gmail.com> On 6/14/2010 11:52 AM, Phil Regnauld wrote: > Joshua William Klubi (joshua.klubi) writes: > >> Hi >> I have been tasked to develop a good network for a Bank and i have also been >> tasked to get a good monitoring tool for the Bank's local network and >> Service providers network. i would like to ask the community >> to help recommend the best tool out there that can help me do this >> > Hi Joshua, > > What kind of monitoring are we talking about ? Network services, > performance, traffic, latency, ... ? > > You might want to take a look at some popular Open Source tools, such as: > > http://www.nagios.org/ > http://www.zabbix.com/ > http://www.hyperic.com/ > http://www.opennms.org/wiki/Main_Page > http://www.cacti.net/ > http://oss.oetiker.ch/smokeping/ > > ... to get an idea of what's possible. > > Cheers, > Phil > > > Don't forget Opsview From joshua.klubi at gmail.com Mon Jun 14 14:07:28 2010 From: joshua.klubi at gmail.com (Joshua William Klubi) Date: Mon, 14 Jun 2010 19:07:28 +0000 Subject: Monitoring Tool In-Reply-To: <4C167DBA.8000500@gmail.com> References: <20100614185246.GA65042@macbook.catpipe.net> <4C167DBA.8000500@gmail.com> Message-ID: thnx On Mon, Jun 14, 2010 at 7:06 PM, Roy wrote: > Opsview From fred at cisco.com Mon Jun 14 14:08:08 2010 From: fred at cisco.com (Fred Baker) Date: Mon, 14 Jun 2010 12:08:08 -0700 Subject: BGP Multihoming Partial vs. 
Full Routes In-Reply-To: References: Message-ID: <8CFFB682-FD8A-4E42-8A67-EB68C67B8F8B@cisco.com> On Jun 14, 2010, at 11:30 AM, James Smallacombe wrote: > Cisco's position these days seems to be "you don't need to carry full views unless you like tinkering with optimizig paths and such." Not sure why Cisco's position is relevant, but let me restate it. Cisco will happily sell you all the memory you care to pay for. That said, for an edge network with a competent upstream, full routes are generally not as useful as one might expect. You're at least as well off with default routes for your upstreams plus what we call "Optimized Edge Routing", which allows you to identify (dynamically, for each prefix/peer you care about) which of your various ISPs gives you a route that *you* would prefer in terms of reachability and RTT. In the words of a prominent hardware store in my region, "you can do it, we can help". From mpetach at netflight.com Mon Jun 14 18:34:59 2010 From: mpetach at netflight.com (Matthew Petach) Date: Mon, 14 Jun 2010 16:34:59 -0700 Subject: Live streaming from NANOG49 In-Reply-To: <4C165C24.8080303@kniveton.com> References: <4C165C24.8080303@kniveton.com> Message-ID: On Mon, Jun 14, 2010 at 9:43 AM, T.J. Kniveton wrote: > First off, thanks to the staffers who set up live streaming. I'm using HD > unicast, and the quality is great. > > That said, is it possible to have the camera zoom in to the presenter a bit? > The whole room is shown, and even on a 24" screen I still can't really see > the presenters very clearly, since there's some pixellation. Could just be your monitor. On mine, I can see the laptop screens of the people in the back of the room. Fun to watch what they're during the talks. 
^_^ (I like the large view of room plus screens on side, myself) Matt > Thanks, > > TJ > > From brandon at burn.net Mon Jun 14 18:37:48 2010 From: brandon at burn.net (Brandon Applegate) Date: Mon, 14 Jun 2010 19:37:48 -0400 (EDT) Subject: ipv6 bogon / martian filter - simple Message-ID: I mean really simple. Like 2000::/3. If it's not in there it's bogon, yes ? What I'm really asking, is for folks thoughts on using this - is it too restrictive ? How long until it's obsolete ? Should be a really long time no ? Again, just looking for some feedback either way. Would be very nice to have a single line ACL do this job. -- Brandon Applegate - CCIE 10273 PGP Key fingerprint: 7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996 "SH1-0151. This is the serial number, of our orbital gun." From sethm at rollernet.us Mon Jun 14 18:43:30 2010 From: sethm at rollernet.us (Seth Mattinen) Date: Mon, 14 Jun 2010 16:43:30 -0700 Subject: ipv6 bogon / martian filter - simple In-Reply-To: References: Message-ID: <4C16BEA2.3040308@rollernet.us> On 6/14/2010 16:37, Brandon Applegate wrote: > I mean really simple. Like 2000::/3. If it's not in there it's bogon, > yes ? > > What I'm really asking, is for folks thoughts on using this - is it too > restrictive ? > > How long until it's obsolete ? > > Should be a really long time no ? > > Again, just looking for some feedback either way. Would be very nice to > have a single line ACL do this job. > Now with IPv6: http://www.team-cymru.org/Services/Bogons/ ~Seth From wmaton at ryouko.imsb.nrc.ca Mon Jun 14 19:36:51 2010 From: wmaton at ryouko.imsb.nrc.ca (William F. Maton Sotomayor) Date: Mon, 14 Jun 2010 20:36:51 -0400 (EDT) Subject: ipv6 bogon / martian filter - simple In-Reply-To: References: Message-ID: On Mon, 14 Jun 2010, Brandon Applegate wrote: > I mean really simple. Like 2000::/3. If it's not in there it's bogon, yes ? Been using that on the advanced networks side for ... OK, years. Seems to work. 
Kept unseemingly bogons like 1000::/3 out, except for the deprecated 6bone pTLA, 3FFF::

> What I'm really asking, is for folks thoughts on using this - is it too
> restrictive ?

For leaks of old 6bone space, which I haven't seen for a long while, probably not. But filter against that, and maybe it will be fine. It's all in the RIR allocations....

> How long until it's obsolete ?
>
> Should be a really long time no ?

Mmm... Last table entry in my table is: 2C0F:FE18::/32. Maybe 2000::/4 will do, but that might not last very long as an ACL, given the proximity of 2Cxx:: to 2FFF::

> Again, just looking for some feedback either way. Would be very nice to have
> a single line ACL do this job.
>
> --
> Brandon Applegate - CCIE 10273
> PGP Key fingerprint:
> 7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996
> "SH1-0151. This is the serial number, of our orbital gun."
>
>

wfms

From mpetach at netflight.com Mon Jun 14 20:48:57 2010
From: mpetach at netflight.com (Matthew Petach)
Date: Mon, 14 Jun 2010 18:48:57 -0700
Subject: 2010.06.14 NANOG 49 day 1 notes
Message-ID:

I took some notes from today's NANOG presentations, for those who might not have been able to attend. Unfortunately, my day was peppered with meetings at work, so I had to miss several of the presentations. :( Rather than flood the list, I put them online at http://kestrel3.netflight.com/2010.06.14-NANOG49-day1.txt I'm sure I made lots of mistakes, got names wrong, etc. I'll do a bit more proofreading after dinner, and if people spot items they'd like me to fix, drop me an email and I'll do my best to clean up the errors.

Thanks
Matt

From jeroen at unfix.org Tue Jun 15 02:02:45 2010
From: jeroen at unfix.org (Jeroen Massar)
Date: Tue, 15 Jun 2010 09:02:45 +0200
Subject: ipv6 bogon / martian filter - simple
In-Reply-To: References: Message-ID: <4C172595.9020706@unfix.org>

On 2010-06-15 01:37, Brandon Applegate wrote:
> I mean really simple. Like 2000::/3. If it's not in there it's bogon,
> yes ?
At the current time and hopefully for the next 20 years at least yes ;)

> What I'm really asking, is for folks thoughts on using this - is it too
> restrictive ?

You should be fine for the lifetime of your job plus several other years. Like any configuration you need to document it and the reasoning behind it and if possible flag it in a way that people will re-examine it in time. google(ipv6 filter) if you want a set of filters which are tighter than that and actually there is another keyword that you should be using:

RPSL

See RFC2622/2650 there are various tools that can provide you with filters based on that data. Please also tell your customers/peers/transits to use it, many already do and it is the proper way to do filtering on your network. As for routes that are not in the RPSL databases, make a local registry with them and just feed your tools from it, kicking the folks to put them in RPSL though is a better method ;)

Greets,
Jeroen

From BECHA at ripe.net Tue Jun 15 02:41:00 2010
From: BECHA at ripe.net (Vesna Manojlovic)
Date: Tue, 15 Jun 2010 09:41:00 +0200
Subject: ipv6 bogon / martian filter - simple
In-Reply-To: <4C172595.9020706@unfix.org>
References: <4C172595.9020706@unfix.org>
Message-ID: <4C172E8C.2070609@ripe.net>

Hi Brandon,

On 6/15/10 9:02 AM, Jeroen Massar wrote:
> RPSL
>
> See RFC2622/2650 there are various tools that can provide you with
> filters based on that data. Please also tell your
> customers/peers/transits to use it, many already do and it is the proper
> way to do filtering on your network.

... and if you do want to learn about that, RIPE NCC has a "Routing Registry training course": http://www.ripe.net/training/rr/outline.html Participation in this hands-on workshop is limited to LIRs (members of the RIPE NCC), but one of them could invite you as a guest; we also do presentations and workshops at conferences; and the material is free to download, and to re-use for educational purposes.
Regards, Vesna (RIPE NCC trainer) From t.dahm at resolution.de Tue Jun 15 04:01:47 2010 From: t.dahm at resolution.de (Thorsten Dahm) Date: Tue, 15 Jun 2010 10:01:47 +0100 Subject: Monitoring Tool In-Reply-To: <87eig9a4yv.fsf@oban.berlin.quux.de> References: <4C165DA3.40304@resolution.de> <87eig9a4yv.fsf@oban.berlin.quux.de> Message-ID: <4C17417B.2060809@resolution.de> Jens Link wrote: > Thorsten Dahm writes: >> The usual suspects in the open source world would be nagios, cacti, >> mrtg, netflow, ... > > There is no tool called netflow. ;-) of course, the German guy has to complain again. :-) cheers, Thorsten From joshua.klubi at gmail.com Tue Jun 15 04:17:06 2010 From: joshua.klubi at gmail.com (Joshua William Klubi) Date: Tue, 15 Jun 2010 09:17:06 +0000 Subject: Monitoring Tool In-Reply-To: <4C17417B.2060809@resolution.de> References: <4C165DA3.40304@resolution.de> <87eig9a4yv.fsf@oban.berlin.quux.de> <4C17417B.2060809@resolution.de> Message-ID: Who is the German guy On Tue, Jun 15, 2010 at 9:01 AM, Thorsten Dahm wrote: > Jens Link wrote: > >> Thorsten Dahm writes: >> >>> The usual suspects in the open source world would be nagios, cacti, >>> mrtg, netflow, ... >>> >> >> There is no tool called netflow. ;-) >> > > of course, the German guy has to complain again. :-) > > cheers, > Thorsten > > From Wesley.E.George at sprint.com Tue Jun 15 07:23:32 2010 From: Wesley.E.George at sprint.com (George, Wes E IV [NTK]) Date: Tue, 15 Jun 2010 07:23:32 -0500 Subject: ipv6 bogon / martian filter - simple In-Reply-To: References: Message-ID: This would be another alternative: http://www.space.net/~gert/RIPE/ipv6-filters.html Slightly more than 1 line, but the loose case would nuke a few more things than just filtering on 2000::/3 without requiring frequent updates. The strict case requires keeping after it for updates, and you'd probably be better off with Cymru. 
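An added example, written for this archive by the editor and not taken from Wes George's message or any other post in the thread: it implements Brandon's one-line test (accept only what falls inside 2000::/3) with Python's standard ipaddress module, adds the one refinement William mentions (reject the former 6bone pTLA space, 3FFE::/16, which RFC 3701 returned to IANA), and compares the loose /3 against the tighter 2000::/4 William floated. Both policies still pass his last table entry, 2C0F:FE18::/32, because 2000::/4 spans 2000:: through 2FFF::; the constructed 3000:100::/32 shows the kind of allocation a /4 would start dropping. The sample announcement list, the hard-coded deprecated list and the function names are this example's own assumptions, not anything from the thread.

```python
import ipaddress

# Brandon's one-line test: only 2000::/3 is global unicast today.
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")

# Space inside 2000::/3 that a bogon filter should still reject: the former
# 6bone pTLA block 3FFE::/16, returned to IANA under RFC 3701. Constructed
# single-entry list for this example; a live filter would take the current
# list from the RIRs or Team Cymru instead of hard-coding it.
DEPRECATED_INSIDE = [ipaddress.IPv6Network("3ffe::/16")]


def classify(prefix, unicast=GLOBAL_UNICAST, deprecated=DEPRECATED_INSIDE):
    """Return 'permit' or a 'deny: ...' reason for one announced prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if not net.subnet_of(unicast):
        return "deny: outside %s" % unicast
    for bad in deprecated:
        # Reject more-specifics of the dead block and any covering
        # announcement that would sweep it back in.
        if net.subnet_of(bad) or bad.subnet_of(net):
            return "deny: overlaps deprecated %s" % bad
    return "permit"


def filter_table(prefixes, unicast=GLOBAL_UNICAST):
    """Split announcements into accepted and rejected (with reason) lists."""
    accepted, rejected = [], []
    for p in prefixes:
        verdict = classify(p, unicast)
        if verdict == "permit":
            accepted.append(p)
        else:
            rejected.append((p, verdict))
    return accepted, rejected


def compare_policies(prefix):
    """What the loose /3 and the tighter /4 each do with one prefix."""
    return {str(u): classify(prefix, u)
            for u in (GLOBAL_UNICAST, ipaddress.IPv6Network("2000::/4"))}


# Constructed sample announcements (documentation, 6to4, reserved and
# deprecated space), not a real table.
SAMPLE = ["2001:db8::/32", "2002::/16", "2c0f:fe18::/32",
          "1000::/3", "3ffe:1::/32", "fc00::/7", "fec0::/10"]

if __name__ == "__main__":
    accepted, rejected = filter_table(SAMPLE)
    print("accepted:", accepted)
    for p, why in rejected:
        print("rejected:", p, why)
    # 2C0F:FE18::/32 fits under 2000::/4 today; the constructed 3000:100::/32
    # is the kind of future allocation a /4 would silently drop.
    print(compare_policies("2c0f:fe18::/32"))
    print(compare_policies("3000:100::/32"))
```

`subnet_of` needs Python 3.7 or later. Note that the deprecated-block check also catches a covering announcement such as 3ffe::/15, which a plain "is it inside 2000::/3" test would accept; that is the difference between the loose and strict cases Wes refers to.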
Thanks, Wes George -----Original Message----- From: Brandon Applegate [mailto:brandon at burn.net] Sent: Monday, June 14, 2010 7:38 PM To: nanog at nanog.org Subject: ipv6 bogon / martian filter - simple I mean really simple. Like 2000::/3. If it's not in there it's bogon, yes ? What I'm really asking, is for folks thoughts on using this - is it too restrictive ? How long until it's obsolete ? Should be a really long time no ? Again, just looking for some feedback either way. Would be very nice to have a single line ACL do this job. -- Brandon Applegate - CCIE 10273 PGP Key fingerprint: 7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996 "SH1-0151. This is the serial number, of our orbital gun." This e-mail may contain Sprint Nextel Company proprietary information intended for the sole use of the recipient(s). Any use by others is prohibited. If you are not the intended recipient, please contact the sender and delete all copies of the message. From oliver.gorwits at oucs.ox.ac.uk Tue Jun 15 07:33:03 2010 From: oliver.gorwits at oucs.ox.ac.uk (Oliver Gorwits) Date: Tue, 15 Jun 2010 13:33:03 +0100 Subject: networking podcasts Message-ID: <4C1772FF.6000901@oucs.ox.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi folks, Like probably many others on this list I have my couple of hours commute each day, and tend to fill it with reading, or listening to podcasts. I've found the new PacketPushers podcast to be off to a pretty good start (MPLS, DDoS, Trill, Interview Techniques, etc): http://packetpushers.net/ Are there any others, specifically on networking, that you know of? regards, oliver. 
- -- Oliver Gorwits, Network and Telecommunications Group, Oxford University Computing Services -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkwXcv8ACgkQ2NPq7pwWBt6oWgCffOX9PpqYOUUz0IUx7EW09pnL WlEAoNRXy+1OR3h2SD4bpurngNfcyK00 =FB5x -----END PGP SIGNATURE----- From sfouant at shortestpathfirst.net Tue Jun 15 08:37:34 2010 From: sfouant at shortestpathfirst.net (Stefan Fouant) Date: Tue, 15 Jun 2010 09:37:34 -0400 Subject: networking podcasts In-Reply-To: <4C1772FF.6000901@oucs.ox.ac.uk> Message-ID: For you Juniper and Arbor wonks out there, you can find some decent podcasts on iTunes... I can't remember the name of the Juniper Podcast but you should be able to find it on iTunes without much effort... I believe the Arbor one is called "Security to the Core". Stefan Fouant -----Original Message----- From: Oliver Gorwits [mailto:oliver.gorwits at oucs.ox.ac.uk] Sent: Tuesday, June 15, 2010 8:33 AM To: nanog at nanog.org Subject: networking podcasts -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi folks, Like probably many others on this list I have my couple of hours commute each day, and tend to fill it with reading, or listening to podcasts. I've found the new PacketPushers podcast to be off to a pretty good start (MPLS, DDoS, Trill, Interview Techniques, etc): http://packetpushers.net/ Are there any others, specifically on networking, that you know of? regards, oliver. 
- --
Oliver Gorwits, Network and Telecommunications Group,
Oxford University Computing Services
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkwXcv8ACgkQ2NPq7pwWBt6oWgCffOX9PpqYOUUz0IUx7EW09pnL
WlEAoNRXy+1OR3h2SD4bpurngNfcyK00
=FB5x
-----END PGP SIGNATURE-----

From andy at nosignal.org Tue Jun 15 09:37:38 2010
From: andy at nosignal.org (Andy Davidson)
Date: Tue, 15 Jun 2010 15:37:38 +0100
Subject: networking podcasts
In-Reply-To: References: Message-ID: <23A5EB39-1303-45B0-8607-0345CDBB3B64@nosignal.org>

On 15 Jun 2010, at 14:37, Stefan Fouant wrote:
> For you Juniper and Arbor wonks out there, you can find some decent podcasts on iTunes... I can't remember the name of the Juniper Podcast but you should be able to find it on iTunes without much effort... I believe the Arbor one is called "Security to the Core".

There are quite a few Juniper ones[0], though they take the format of a tutorial rather than a discursive/magazine format, which is OK, but not what I want when driving. :-)

There's a tool called 'Handbrake' for the Mac which can be used to re-encode the nanog (and other meeting) video downloads to a format suitable for the iPhone/iPod/iPad. This is quite good for flights/trains.

Andy

[0] Example = http://itunes.apple.com/podcast/junos-as-a-switching-language/id292449024, some others are linked from the bottom of this page,

From tj at kniveton.com Tue Jun 15 11:27:09 2010
From: tj at kniveton.com (T.J. Kniveton)
Date: Tue, 15 Jun 2010 09:27:09 -0700
Subject: Live streaming from NANOG49
In-Reply-To: References: <4C165C24.8080303@kniveton.com>
Message-ID: <4C17A9DD.3080506@kniveton.com>

I'm using a 24" iMac in full screen so the resolution is pretty decent. But I hadn't thought about the side benefit of watching what people are doing on their laptops, good entertainment value I suppose.
TJ

On 6/14/2010 4:34 PM, Matthew Petach wrote:
> On Mon, Jun 14, 2010 at 9:43 AM, T.J. Kniveton wrote:
>
>> First off, thanks to the staffers who set up live streaming. I'm using HD
>> unicast, and the quality is great.
>>
>> That said, is it possible to have the camera zoom in to the presenter a bit?
>> The whole room is shown, and even on a 24" screen I still can't really see
>> the presenters very clearly, since there's some pixellation.
>>
> Could just be your monitor. On mine, I can see the laptop screens
> of the people in the back of the room. Fun to watch what they're doing during
> the talks. ^_^
>
> (I like the large view of room plus screens on side, myself)
>
> Matt
>
>
>> Thanks,
>>
>> TJ
>>
>>
>>
>

From sfouant at shortestpathfirst.net Tue Jun 15 12:19:47 2010
From: sfouant at shortestpathfirst.net (Stefan Fouant)
Date: Tue, 15 Jun 2010 13:19:47 -0400
Subject: networking podcasts
In-Reply-To: <23A5EB39-1303-45B0-8607-0345CDBB3B64@nosignal.org>
Message-ID:

> -----Original Message-----
> From: Andy Davidson [mailto:andy at nosignal.org]
> Sent: Tuesday, June 15, 2010 10:38 AM
> To: nanog list
> Subject: Re: networking podcasts
>
> There are quite a few Juniper ones[0], though they take the format of a
> tutorial rather than a discursive/magazine format, which is OK, but
> not what I want when driving. :-)

No I'm not talking about the "JUNOS as a Switching/Security Language" Podcasts - you are certainly right, those are more along the lines of tutorials. The ones I was referring to were a series called J-Net Perspectives and they had decent coverage of topics like High Availability, Multicast VPNs, and VPLS to name a few with the likes of Pedro Marques, Lenny Giuliano, and some other Juniper notables. See the URL below for the iTunes links...
http://itunes.apple.com/us/podcast/j-net-perspectives/id279754930

Stefan Fouant

From bblackford at gmail.com Tue Jun 15 15:19:00 2010
From: bblackford at gmail.com (Bill Blackford)
Date: Tue, 15 Jun 2010 13:19:00 -0700
Subject: TWTC
Message-ID:

Anyone on the list seeing issues with Time warner on the West coast?

--
Bill Blackford
Network Engineer
Logged into reality and abusing my sudo privileges.....

From mpetach at netflight.com Tue Jun 15 15:22:47 2010
From: mpetach at netflight.com (Matthew Petach)
Date: Tue, 15 Jun 2010 13:22:47 -0700
Subject: 2010.06.15 NANOG49 day 1 notes, part 1
Message-ID:

*heh* OK, watching the web logs this morning while taking notes, I saw a bunch of people trying to grab day 2 already. ^_^;

So, given there seems to be some demand, I'm posting the first half of today's notes at

http://kestrel3.netflight.com/2010.06.15-NANOG49-day2-part1.txt

Don't forget to fill out your survey! I've forgotten twice now, which isn't a good track record, so I'm pre-starting today's survey ahead of time. ^_^;

Matt

From deleskie at gmail.com Tue Jun 15 15:24:26 2010
From: deleskie at gmail.com (jim deleskie)
Date: Tue, 15 Jun 2010 17:24:26 -0300
Subject: 2010.06.15 NANOG49 day 1 notes, part 1
In-Reply-To: References: Message-ID:

Thanks Matt!

-jim

On Tue, Jun 15, 2010 at 5:22 PM, Matthew Petach wrote:
> *heh* OK, watching the web logs this morning while taking
> notes, I saw a bunch of people trying to grab day 2 already. ^_^;
>
> So, given there seems to be some demand, I'm posting the
> first half of today's notes at
>
> http://kestrel3.netflight.com/2010.06.15-NANOG49-day2-part1.txt
>
> Don't forget to fill out your survey! I've forgotten twice now,
> which isn't a good track record, so I'm pre-starting today's
> survey ahead of time.
^_^; > > Matt > > From mwalter at 3z.net Tue Jun 15 15:40:35 2010 From: mwalter at 3z.net (Mike Walter) Date: Tue, 15 Jun 2010 16:40:35 -0400 Subject: TWTC In-Reply-To: References: Message-ID: Are you asking about TW Telecom or Time Warner Cable? We have clients in CA with TW Telecom with no issues at this time. Mike Walter Sr. Network Engineer 3z.net a PCD Company -----Original Message----- From: Bill Blackford [mailto:bblackford at gmail.com] Sent: Tuesday, June 15, 2010 4:19 PM To: nanog at nanog.org Subject: TWTC Anyone on the list seeing issues with Time warner on the West coast? -- Bill Blackford Network Engineer Logged into reality and abusing my sudo privileges..... From mpetach at netflight.com Tue Jun 15 20:06:14 2010 From: mpetach at netflight.com (Matthew Petach) Date: Tue, 15 Jun 2010 18:06:14 -0700 Subject: 2010.06.15 NANOG49 day 2 part 2 notes Message-ID: Notes from the second half of today (post-lunchtime) are now posted at http://kestrel3.netflight.com/2010.06.15-NANOG49-day2-part2.txt Many thanks to those who have been mailing back to correct my errors. I try to catch most of them, but at this speed, some still creep in--though I'm still doing better than Google Voice does on my voicemail messages. :D As corrections are sent, I update the files, so I've started putting version information at the top. Thanks! Matt From tkapela at gmail.com Tue Jun 15 22:20:20 2010 From: tkapela at gmail.com (Anton Kapela) Date: Tue, 15 Jun 2010 20:20:20 -0700 Subject: BGP Multihoming Partial vs. Full Routes In-Reply-To: <8CFFB682-FD8A-4E42-8A67-EB68C67B8F8B@cisco.com> References: <8CFFB682-FD8A-4E42-8A67-EB68C67B8F8B@cisco.com> Message-ID: <29157EEF-2946-4313-845A-A6204B9B62E7@gmail.com> On Jun 14, 2010, at 12:08 PM, Fred Baker wrote: > upstream, full routes are generally not as useful as one might expect. 
You're at least as well off with default routes for your upstreams plus what we call "Optimized Edge Routing", which allows you to identify (dynamically, for each prefix/peer you care about) which of your various ISPs gives you a route that *you* would prefer in terms of reachability and RTT. In the words of a prominent hardware store in my region, "you can do it, we can help". +1. additionally, one could filter on reasonable RIR allocation 'boundaries' per /8, cutting the fib down substantially. Cisco and a host of others maintain such a list of ready-to-use examples here: ftp://ftp-eng.cisco.com/cons/isp/security/Ingress-Prefix-Filter-Templates/ lastly, one could do something far more crude (yet strangely effective), like so: ip prefix-list longs permit 0.0.0.0/0 ge 23 ip prefix-list shorts permit 0.0.0.0/0 le 22 ip as-path access-list 10 permit (^_[0-9]+$|^_[0-9]+_[0-9]+$|^_[0-9]+_[0-9]+_[0-9]+$) route-map provider-in permit 10 match ip address prefix-list longs match as-path 10 route-map provider-in permit 20 match ip address prefix-list shorts ...etc -Tk From jared at puck.nether.net Tue Jun 15 22:47:17 2010 From: jared at puck.nether.net (Jared Mauch) Date: Tue, 15 Jun 2010 20:47:17 -0700 Subject: BGP Multihoming Partial vs. Full Routes In-Reply-To: References: Message-ID: <60898587-E575-46DF-95DB-B80CB35173B4@puck.nether.net> Most providers will give you just their on net prefixes. This is useful if multihomed but you do not really need full tables. Then you can default or similar for the rest of the net. Jared Mauch On Jun 14, 2010, at 11:30 AM, James Smallacombe wrote: > > I know this topic must have been covered before, but I can find no search tool for the NANOG archives. I did google and reference Halabi's book as well as Avi's howto, but I still don't feel I fully understand the pros and cons of Full vs. Partial routes in a dual/multihomed network. 
>
> Cisco's position these days seems to be "you don't need to carry full views unless you like tinkering with optimizing paths and such."
>
> Tinkering isn't the issue. Full reachability to servers on this network from EVERYone, including both upstreams' customers, regardless of the status of each upstream connection is. Ditto in the event that one upstream has some kind of core or regional router meltdown, which I've seen more than once. I see conflicting advice as to whether partial routes will suffice for this.
>
> Helpful links and/or synopses appreciated.
>
> James Smallacombe PlantageNet, Inc. CEO and Janitor
> up at 3.am http://3.am
> =========================================================================

From matthias.flittner at de-cix.net Wed Jun 16 03:21:54 2010
From: matthias.flittner at de-cix.net (Matthias Flittner)
Date: Wed, 16 Jun 2010 10:21:54 +0200
Subject: Literatur hint needed
Message-ID: <4C1889A2.8040602@de-cix.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Folks,

I'm searching a fundamental book about how to (inter)connect two networks. It should be about how to connect your business network in a secure and reliable way to the internet. The book should contain some theoretical basics and commonly used practices. Focus is how to design such a network transfer point.

Does anyone know such a book?
best regards and thanks, FliTTi -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJMGImiAAoJEIZn8Rym6s4A5lMH/ReMDeGegtPUXJOuWW96yepR k3PyBaKOm7LcYwHrcNN0TEl1LfBPp1qItq1xw8Pcgv32E1BhlbpaNUpqh3fRrN8O qVca/SaKM5CGW4CHEfqZm1BAcRE5uY8icL0n8LxBFrHqRNgmuDkq3MfBQiGC0GQI /jcGb052DHSbApMhFqBcTgiJr19ow3Gmxr+jzNQzgz5SHOC/XWF7vmCYCkGAfhpG ibqdVVb5lUp7er66uBX4GfNQyN+iMiDDi0d0+dRvE0lDZ+hpFQZlKDDeZCOLpRpH TqU2hGCZx0/LQorl/VwfvpSeaMjeUb4Pe4RQ8NIqKwkoMqjcWZVDa2ikueW7BLQ= =EpXH -----END PGP SIGNATURE----- From lists at quux.de Wed Jun 16 03:41:29 2010 From: lists at quux.de (Jens Link) Date: Wed, 16 Jun 2010 10:41:29 +0200 Subject: Literatur hint needed In-Reply-To: <4C1889A2.8040602@de-cix.net> (Matthias Flittner's message of "Wed\, 16 Jun 2010 10\:21\:54 +0200") References: <4C1889A2.8040602@de-cix.net> Message-ID: <87bpbb9xom.fsf@oban.berlin.quux.de> Matthias Flittner writes: > Hi Folks, > > I'm searching an fundamental book about how to (inter)connect two > networks. It should be about how to connect your business network in a > secure and reliable way to the internet. The book should contain some > theoretical basics and common used practices. Focus is how to design such > an network transfer point. "The Illustrated Network: How TCP/IP Works in a Modern Network" (ISBN-13: 978-0123745415) should cover this topic. cheers, Jens -- ------------------------------------------------------------------------- | Foelderichstr. 
40 | 13595 Berlin, Germany | +49-151-18721264 | | http://blog.quux.de | jabber: jenslink at guug.de | ------------------- | -------------------------------------------------------------------------

From matthias.flittner at de-cix.net Wed Jun 16 03:56:05 2010
From: matthias.flittner at de-cix.net (Matthias Flittner)
Date: Wed, 16 Jun 2010 10:56:05 +0200
Subject: Literatur hint needed
In-Reply-To: <87bpbb9xom.fsf@oban.berlin.quux.de>
References: <4C1889A2.8040602@de-cix.net> <87bpbb9xom.fsf@oban.berlin.quux.de>
Message-ID: <4C1891A5.8020100@de-cix.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey Jens,

thanks for your fast answer.

> "The Illustrated Network: How TCP/IP Works in a Modern Network"
> (ISBN-13: 978-0123745415) should cover this topic.

Yes this book covers a lot but I need one which should help me to build a secure transfer point between my business network (with several services) and the internet. Could you help me?

best regards,
FliTTi

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJMGJGkAAoJEIZn8Rym6s4Ait0H/2R7GHfehcS/6cqgCU1bgKZl
hdDZVldvZ30bgiCfkcQ+alzntVINL3LQsm71ehCaycFm0uZLkA7+QrI7ak7X/FYE
nFgEmKskfLSSsV3P7B55eaYfKK34tsKnVsLEg2hSjsdBjBysU/xEx7q+0jsn1nWE
q8Jex6hDfwNDb1WqctYxiokSxjGigES8H1UqEixIlhUUhlefRDmBExLETEtyQY4i
40Hd5bGqN1shkJgrhln8/EHEOpjGZEqmawMmE+kQHD/qfqpdKZMqXXNXxgtZecZo
lMhIThmdbz/znGIj1TqOMZo2/5N/PufQaFMgGeTpkT1jRMmH/327q3+y09PJkZU=
=7rTw
-----END PGP SIGNATURE-----

From Valdis.Kletnieks at vt.edu Wed Jun 16 09:58:57 2010
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Wed, 16 Jun 2010 10:58:57 -0400
Subject: Literatur hint needed
In-Reply-To: Your message of "Wed, 16 Jun 2010 10:21:54 +0200."
<4C1889A2.8040602@de-cix.net> References: <4C1889A2.8040602@de-cix.net> Message-ID: <8691.1276700337@localhost> On Wed, 16 Jun 2010 10:21:54 +0200, Matthias Flittner said: > I'm searching an fundamental book about how to (inter)connect two > networks. It should be about how to connect your business network in a > secure and reliable way to the internet. The book should contain some > theoretical basics and common used practices. Focus is how to design such > an network transfer point. Unfortunately, designing a secure network transfer point is a *really* tiny part of securely connecting to the Internet. For example, SQL injections work just fine going through a bulletproof transfer point. Make sure you don't forget the endpoints. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From tkapela at gmail.com Wed Jun 16 11:40:46 2010 From: tkapela at gmail.com (Anton Kapela) Date: Wed, 16 Jun 2010 09:40:46 -0700 Subject: (OT) recipe for Live streaming from NANOG49 In-Reply-To: <4C17A9DD.3080506@kniveton.com> References: <4C165C24.8080303@kniveton.com> <4C17A9DD.3080506@kniveton.com> Message-ID: <3A14D3CB-03A1-493B-85EC-FC6D7F8C44DF@gmail.com> On Jun 15, 2010, at 9:27 AM, T.J. Kniveton wrote: > I'm using a 24" iMac in full screen so the resolution is pretty decent. But I hadn't thought about the side benefit of watching what people are doing on their laptops, good entertainment value I suppose. Glad it looks decent for folks out there. In case anyone is interested, below is a quick rundown of what it took to get Nanog49 (shot with a Sony z1u hdv camera with firewire output, thanks Merit!) on the net' this time around. The VLC team has kicked lots of butt in recent months, fixing threading on win32 for x264 and ffmpeg-supplied codecs. This means that HD encoding win32 platforms (and handy things like directshow supported devices) can finally work again. 
Previous to this, we had relayed a ~25 megabit unicast UDP stream of the direct-from-camera mp2ts data (i.e. 'raw' hdv MPEG2 video+audio) up to Merit (or iris networks, netflix at DR nanog, others I forget), performing transcoding there on a multi-core system. Of course, reducing 25 megabits/sec to ~1 megabits/sec through on-site encoding means that TCP can easily conceal most network losses on our uplink. This is not to suggest that there are many, but *any* loss is plainly visible on un-protected mpeg TS's. Because we can operate at such a low bitrate, the quick re-transmission of lost TCP segments doesn't represent a large enough under-run to disturb the relay servers' mpeg transport stream demultiplexer--its software PLL stays synchronized with the embedded PCR, and things happily hum along amidst random packet drop. Encoder box: core2quad i5, 2.67 ghz, clocked at 3ghz (and decent ddr3 sdram), 32 bit windows XP sp3, VLC 1.0.5 Encoder command line: vlc.exe dshow:// :dshow-vdev="Microsoft AV/C Tape Subunit Device" :dshow-adev= --sout="#transcode{vcodec=h264,threads=8,deinterlace,vb=900,acodec=mp4a,ab=128,channels=1,venc=x264{keyint=90,ref=8,partitions=all,8x8dct,non-deterministic}}:std{access=http,mux=ts,dst=:xxxx}" --sout-mux-caching=500 (runs with ~75% overall load) Relay box @ Merit: 3 ghz p4 HT, linux 2.6, vlc 1.x.x, gige port, etc... Relay command line: vlc -vvv http://x.x.x.x:xxxx --sout=#duplicate{dst=std{access=udp{ttl=255},mux=ts,dst=233.0.236.10:1234},dst=std{access=http,mux=ts,dst=:8080}} -L --sout-keep (runs with <1% load with 50 stream clients) HTH, -Tk From mbein at iso-ne.com Wed Jun 16 11:58:48 2010 From: mbein at iso-ne.com (Bein, Matthew) Date: Wed, 16 Jun 2010 12:58:48 -0400 Subject: PCAP Sanitization Tool Message-ID: Hello, Anyone know of a good tool for sanitizing PCAP files? I would like to keep as much of the payload as possible but remove src and dst ip information. 
From mcollins at aleae.com Wed Jun 16 12:18:24 2010 From: mcollins at aleae.com (Michael Collins) Date: Wed, 16 Jun 2010 13:18:24 -0400 Subject: PCAP Sanitization Tool In-Reply-To: References: Message-ID: <91DD8CA7-F2DB-4A60-895C-B5E1B064DEEE@aleae.com> FLAIM: flaim.ncsa.illinois.edu On Jun 16, 2010, at 12:58 PM, Bein, Matthew wrote: > Hello, > > > > Anyone know of a good tool for sanitizing PCAP files? I would like to > keep as much of the payload as possible but remove src and dst ip > information. > Mike Collins mcollins at aleae.com From brunner at nic-naa.net Wed Jun 16 14:00:17 2010 From: brunner at nic-naa.net (Eric Brunner-Williams) Date: Wed, 16 Jun 2010 15:00:17 -0400 Subject: (OT) recipe for Live streaming from NANOG49 In-Reply-To: <3A14D3CB-03A1-493B-85EC-FC6D7F8C44DF@gmail.com> References: <4C165C24.8080303@kniveton.com> <4C17A9DD.3080506@kniveton.com> <3A14D3CB-03A1-493B-85EC-FC6D7F8C44DF@gmail.com> Message-ID: <4C191F41.4010606@nic-naa.net> Does anyone have the video bits from the Haitian panel? I'd like to run it within our loop at the ICANN meeting next week in Brussels. Tia! Eric From mpetach at netflight.com Wed Jun 16 14:30:42 2010 From: mpetach at netflight.com (Matthew Petach) Date: Wed, 16 Jun 2010 12:30:42 -0700 Subject: 2010.06.16 NANOG49 day 3 notes Message-ID: Alas, another great NANOG has come to an end; it went by so quickly this time. Notes from today, including the inimitable duo of Todd Underwood and Odd Tunderwood, are now up at http://kestrel3.netflight.com/2010.06.16-NANOG49-day3.txt As always, I'm sure I got a bunch of things wrong, including people's names, etc. Email me with corrections, I'll update and increment version number. Maybe newNOG could have a twiki I could upload these to, so people could just update and fix them themselves for future meetings? Thanks again for another top-notch meeting--and big thanks for the v6 hidef video stream--it rocked!! 
Matt From sethm at rollernet.us Wed Jun 16 14:35:16 2010 From: sethm at rollernet.us (Seth Mattinen) Date: Wed, 16 Jun 2010 12:35:16 -0700 Subject: Future of WiMax Message-ID: <4C192774.1050501@rollernet.us> A while back I remember reading a comment here that "WiMax is not a future proof technology" and that several manufacturers have dropped it or something to that effect. I think it was in the starting a WiMax ISP thread. This has stuck in my head, and I was curious if there was any truth to this. WiMax sounds promising, but I certainly don't hear a lot about it other than Sprint/Clear. Is it just that everyone that's doing wireless is sticking with relatively inexpensive 802.11 a/b/g/n products, or is WiMax really a dead end? ~Seth From ghicks at hicks-net.net Wed Jun 16 14:40:55 2010 From: ghicks at hicks-net.net (Gregory Hicks) Date: Wed, 16 Jun 2010 12:40:55 -0700 (PDT) Subject: Future of WiMax Message-ID: <201006161940.o5GJetM3011674@metis.hicks-net.net> > Date: Wed, 16 Jun 2010 12:35:16 -0700 > From: Seth Mattinen > > WiMax sounds promising, but I certainly don't hear a lot about it other > than Sprint/Clear. Is it just that everyone that's doing wireless is > sticking with relatively inexpensive 802.11 a/b/g/n products, or is > WiMax really a dead end? Sprint/Clear certainly thinks it has promise. They just put up a wireless tower just next door to my house in San Jose... (Well, Clear actually received permission from the city zoning dept...) Regards, Gregory Hicks > > ~Seth > --------------------------------------------------------------------- Gregory Hicks | Principal Systems Engineer | Direct: 408.569.7928 People sleep peaceably in their beds at night only because rough men stand ready to do violence on their behalf -- George Orwell The price of freedom is eternal vigilance. -- Thomas Jefferson "The best we can hope for concerning the people at large is that they be properly armed." 
--Alexander Hamilton

From rubensk at gmail.com Wed Jun 16 14:48:14 2010
From: rubensk at gmail.com (Rubens Kuhl)
Date: Wed, 16 Jun 2010 16:48:14 -0300
Subject: Future of WiMax
In-Reply-To: <4C192774.1050501@rollernet.us>
References: <4C192774.1050501@rollernet.us>
Message-ID:

The future of WiMAX seems a lot less promising now that FD-LTE is the clear winner for wide-scale mobile deployment, and TD-LTE, 802.11n and proprietary technologies will compete for non-paired spectrum and/or niche markets. But one can build a network with WiMAX and make money out of it; global market forces have established the big picture, not what would happen on a specific scenario.

Rubens

On Wed, Jun 16, 2010 at 4:35 PM, Seth Mattinen wrote:
> A while back I remember reading a comment here that "WiMax is not a
> future proof technology" and that several manufacturers have dropped it
> or something to that effect. I think it was in the starting a WiMax ISP
> thread. This has stuck in my head, and I was curious if there was any
> truth to this.
>
> WiMax sounds promising, but I certainly don't hear a lot about it other
> than Sprint/Clear. Is it just that everyone that's doing wireless is
> sticking with relatively inexpensive 802.11 a/b/g/n products, or is
> WiMax really a dead end?
>
> ~Seth
>
>

From a.reversat at gmail.com Wed Jun 16 15:18:30 2010
From: a.reversat at gmail.com (Antoine Reversat)
Date: Wed, 16 Jun 2010 16:18:30 -0400
Subject: Anybody from Shaw Cable
Message-ID:

We are having a strange routing issue. If anybody from Shaw cable could contact me offlist I'd be very thankful.

From Jay.Murphy at state.nm.us Wed Jun 16 15:22:28 2010
From: Jay.Murphy at state.nm.us (Murphy, Jay, DOH)
Date: Wed, 16 Jun 2010 14:22:28 -0600
Subject: Future of WiMax
In-Reply-To: References: <4C192774.1050501@rollernet.us>
Message-ID:

Dude, LTE and WiMax are more siblings than distinct rivalries.
The technologies will grow together over time, versus, one taking the ascendancy, and the other, descent. WiMAX is here today, and long term evolution, well, let's see how the futures play out. ~Jay Murphy IP Network Specialist NM State Government IT Services Division PSB - IP Network Management Center Santa Fé, New México 87505 "We move the information that moves your world." "Good engineering demands that we understand what we're doing and why, keep an open mind, and learn from experience." "Engineering is about finding the sweet spot between what's solvable and what isn't." Radia Perlman Please consider the environment before printing e-mail -----Original Message----- From: Rubens Kuhl [mailto:rubensk at gmail.com] Sent: Wednesday, June 16, 2010 1:48 PM To: Seth Mattinen Cc: nanOG list Subject: Re: Future of WiMax The future of WiMAX seems a lot less promising now that FD-LTE is the clear winner for wide-scale mobile deployment, and TD-LTE, 802.11n and proprietary technologies will compete for non-paired spectrum and/or niche markets. But one can build a network with WiMAX and make money out of it; global market forces have established the big picture, not what would happen on a specific scenario. Rubens On Wed, Jun 16, 2010 at 4:35 PM, Seth Mattinen wrote: > A while back I remember reading a comment here that "WiMax is not a > future proof technology" and that several manufacturers have dropped it > or something to that effect. I think it was in the starting a WiMax ISP > thread. This has stuck in my head, and I was curious if there was any > truth to this. > > WiMax sounds promising, but I certainly don't hear a lot about it other > than Sprint/Clear. Is it just that everyone that's doing wireless is > sticking with relatively inexpensive 802.11 a/b/g/n products, or is > WiMax really a dead end? 
> > ~Seth > > From kowsik at gmail.com Wed Jun 16 15:31:48 2010 From: kowsik at gmail.com (kowsik) Date: Wed, 16 Jun 2010 13:31:48 -0700 Subject: PCAP Sanitization Tool In-Reply-To: <91DD8CA7-F2DB-4A60-895C-B5E1B064DEEE@aleae.com> References: <91DD8CA7-F2DB-4A60-895C-B5E1B064DEEE@aleae.com> Message-ID: Log sanitization is a whole lot easier than packets. AFAIK, sanitizing pcaps is an intractable problem because of various kinds of encodings that exist within packets. Examples: - FTP IPv4 addresses are comma separated - DNS does label encoding of domain names (especially with pointers) - Forwarded emails contain deeply-buried domain names and IP addresses within gzipped, base-64 encoded mime attachments. So, I don't think you are going to get what you are asking for. That said, there are tools that can strip out the payload and reassign IP addresses and port numbers. K. --- http://www.pcapr.net http://twitter.com/pcapr http://labs.mudynamics.com On Wed, Jun 16, 2010 at 10:18 AM, Michael Collins wrote: > FLAIM: flaim.ncsa.illinois.edu > > On Jun 16, 2010, at 12:58 PM, Bein, Matthew wrote: > >> Hello, >> >> >> >> Anyone know of a good tool for sanitizing PCAP files? I would like to >> keep as much of the payload as possible but remove src and dst ip >> information. 
>> > > Mike Collins > mcollins at aleae.com > > > > > From cmaurand at xyonet.com Wed Jun 16 15:41:38 2010 From: cmaurand at xyonet.com (Curtis Maurand) Date: Wed, 16 Jun 2010 16:41:38 -0400 Subject: Future of WiMax In-Reply-To: <201006161940.o5GJetM3011674@metis.hicks-net.net> References: <201006161940.o5GJetM3011674@metis.hicks-net.net> Message-ID: <4C193702.7050308@xyonet.com> they've already claimed they'll probably switch to LTE. They said it was just a software change to do that. Of course the standard for actually placing a phone call on it (LTE) has yet to be finalized. On 6/16/2010 3:40 PM, Gregory Hicks wrote: > >> Date: Wed, 16 Jun 2010 12:35:16 -0700 >> From: Seth Mattinen >> >> WiMax sounds promising, but I certainly don't hear a lot about it >> > other > >> than Sprint/Clear. Is it just that everyone that's doing wireless is >> sticking with relatively inexpensive 802.11 a/b/g/n products, or is >> WiMax really a dead end? >> > Sprint/Clear certainly thinks it has promise. They just put up a > wireless tower just next door to my house in San Jose... (Well, Clear > actually received permission from the city zoning dept...) > > Regards, > Gregory Hicks > > >> ~Seth >> >> > --------------------------------------------------------------------- > Gregory Hicks | Principal Systems Engineer > | Direct: 408.569.7928 > > People sleep peaceably in their beds at night only because rough men > stand ready to do violence on their behalf -- George Orwell > > The price of freedom is eternal vigilance. -- Thomas Jefferson > > "The best we can hope for concerning the people at large is that they > be properly armed." --Alexander Hamilton > > > From rekoil at semihuman.com Wed Jun 16 17:57:51 2010 From: rekoil at semihuman.com (Chris Woodfield) Date: Wed, 16 Jun 2010 15:57:51 -0700 Subject: Sending ARP request to unicast MAC instead of broadcast MAC address? 
Message-ID: <7D4FBC01-E09F-4659-B620-310DCB11C20A@semihuman.com> OK, this sounds Really Wacky (or, Really Hacky if you're into puns) but there's a reason for it, I swear... Will typical OSS UNIX kernels (Linux, BSD, MacOS X, etc) reply to a crafted ARP request that, instead of having FF:FF:FF:FF:FF:FF as its destination MAC address, is instead sent to the already-known unicast MAC address of the host? Next, what would be your utility of choice for crafting such a packet? Or is this something one would need to code up by hand in a lower-level language? Thanks, -C From sebastian at nzrs.net.nz Wed Jun 16 18:15:05 2010 From: sebastian at nzrs.net.nz (Sebastian Castro) Date: Thu, 17 Jun 2010 11:15:05 +1200 Subject: PCAP Sanitization Tool In-Reply-To: References: Message-ID: <4C195AF9.9050304@nzrs.net.nz> Bein, Matthew wrote: > Hello, > > > > Anyone know of a good tool for sanitizing PCAP files? I would like to > keep as much of the payload as possible but remove src and dst ip > information. > Would address anonymization work? Instead of removing src/dst ip, you can zero them. I've used CoralReef for that sort of thing (http://www.caida.org/tools/measurement/coralreef/) Cheers! -- Sebastian Castro DNS Specialist .nz Registry Services (New Zealand Domain Name Registry Limited) desk: +64 4 495 2337 mobile: +64 21 400535 From mysidia at gmail.com Wed Jun 16 18:20:54 2010 From: mysidia at gmail.com (James Hess) Date: Wed, 16 Jun 2010 18:20:54 -0500 Subject: Sending ARP request to unicast MAC instead of broadcast MAC address? In-Reply-To: <7D4FBC01-E09F-4659-B620-310DCB11C20A@semihuman.com> References: <7D4FBC01-E09F-4659-B620-310DCB11C20A@semihuman.com> Message-ID: On Wed, Jun 16, 2010 at 5:57 PM, Chris Woodfield wrote: > OK, this sounds Really Wacky (or, Really Hacky if you're into puns) but there's a reason for it, I swear... 
> Will typical OSS UNIX kernels (Linux, BSD, MacOS X, etc) reply to a crafted ARP request that, instead of having FF:FF:FF:FF:FF:FF as its destination MAC address, is instead sent to the already-known unicast MAC address of the host? In general, hosts respond to these in just the same way as they would respond to a broadcast arp request. > Next, what would be your utility of choice for crafting such a packet? Or is this something one would need to code up by hand in a lower-level language? arping from the iputils package will switch to unicast requests after the first unicast ARP response is received, and send the rest of the pings using unicast arp, assuming you don't use the -b option -- -JH From jlewis at lewis.org Wed Jun 16 20:01:32 2010 From: jlewis at lewis.org (Jon Lewis) Date: Wed, 16 Jun 2010 21:01:32 -0400 (EDT) Subject: Todd Underwood was a little late Message-ID: I just took a closer look at something odd I'd noticed several days ago. One of our DNS servers was sending crazy amounts of ARP requests for IPs in the /24 its main IP is in. What I've found is we're getting hit with DNS requests that look like they're from "typical internet traffic for someone in China" hitting this DNS server from IPs in its /24 which are currently not in use (at least on our local network). It would appear someone in China is using our IP space, presumably behind a NAT router, and they're leaking some traffic non-NAT'd. 20:53:41.361734 IP 209.208.121.66.41755 > 209.208.121.126.53: 15939+ A? ns5.z.lxdns.com. (33) 20:53:43.523210 IP 209.208.121.95.39393 > 209.208.121.126.53: 15939+ A? www.nanhutravel.com. (37) 20:53:48.411805 IP 209.208.121.66.33390 > 209.208.121.126.53: 15939+ A? test.csxm.cdn20.com. (37) 20:53:50.557680 IP 209.208.121.135.40056 > 209.208.121.126.53: 15939+ A? rextest2.lxdns.com. (36) 20:53:56.918993 IP 209.208.121.135.37291 > 209.208.121.126.53: 15939+ A? www.51seer.com. (32) 20:54:20.033902 IP 209.208.121.95.37544 > 209.208.121.126.53: 15939+ A? 
image.dhgate.cdn20.com. (40) 20:54:21.900295 IP 209.208.121.66.35144 > 209.208.121.126.53: 15939+ A? static.xn-app.com. (35) 20:54:27.711853 IP 209.208.121.66.33518 > 209.208.121.126.53: 15939+ A? oa.hanhe.com. (30) 20:54:29.642938 IP 209.208.121.135.41723 > 209.208.121.126.53: 15939+ A? pic1.kaixin001.com. (36) 20:54:32.357414 IP 209.208.121.95.38564 > 209.208.121.126.53: 15939+ A? rr.snyu.com. (29) 20:54:38.901315 IP 209.208.121.95.37840 > 209.208.121.126.53: 15939+ A? edu.163.com. (29) 20:54:39.807385 IP 209.208.121.95.36069 > 209.208.121.126.53: 15939+ A? image.dhgate.cdn20.com. (40) 20:54:40.833778 IP 209.208.121.66.34949 > 209.208.121.126.53: 15939+ A? uphn.snswall.com. (34) 20:54:42.070294 IP 209.208.121.95.38405 > 209.208.121.126.53: 15939+ A? zwgk.cma.gov.cn. (33) 20:54:42.189939 IP 209.208.121.135.36637 > 209.208.121.126.53: 15939+ A? btocdn.52yeyou.com. (36) 20:54:45.767299 IP 209.208.121.95.41405 > 209.208.121.126.53: 15939+ A? img1.kaixin001.com.cn. (39) 20:54:48.595582 IP 209.208.121.66.40099 > 209.208.121.126.53: 15939+ A? rextest2.cdn20.com. (36) 20:54:49.480147 IP 209.208.121.95.42363 > 209.208.121.126.53: 15939+ A? www.dameiren.com. (34) 20:54:50.714200 IP 209.208.121.135.41497 > 209.208.121.126.53: 15939+ A? pic1.kaixin001.com.cn. (39) 20:54:54.116841 IP 209.208.121.135.36828 > 209.208.121.126.53: 15939+ A? i.jstv.com. (28) I hope they got a good deal on the IP space...and a better deal on their buggy router. 
---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ From smb at cs.columbia.edu Wed Jun 16 20:37:01 2010 From: smb at cs.columbia.edu (Steven Bellovin) Date: Wed, 16 Jun 2010 18:37:01 -0700 Subject: PCAP Sanitization Tool In-Reply-To: References: Message-ID: <5662AC9E-A0B7-4252-8782-C16AB94D21C2@cs.columbia.edu> On Jun 16, 2010, at 9:58 48AM, Bein, Matthew wrote: > Hello, > > > > Anyone know of a good tool for sanitizing PCAP files? I would like to > keep as much of the payload as possible but remove src and dst ip > information. > > What's your threat model? In general, proper anonymization of packet trace data is very hard. --Steve Bellovin, http://www.cs.columbia.edu/~smb From tabrams4 at gmail.com Wed Jun 16 21:07:47 2010 From: tabrams4 at gmail.com (travis abrams) Date: Wed, 16 Jun 2010 22:07:47 -0400 Subject: PCAP Sanitization Tool In-Reply-To: References: Message-ID: TCPReplay may be helpful to you. http://tcpreplay.synfin.net/ ====================== Travis www.theipsguy.com ====================== On Wed, Jun 16, 2010 at 12:58 PM, Bein, Matthew wrote: > Hello, > > > > Anyone know of a good tool for sanitizing PCAP files? I would like to > keep as much of the payload as possible but remove src and dst ip > information. > > -- Travis Abrams, GCIH, CISSP, etc. www.theipsguy.com From marka at isc.org Wed Jun 16 21:07:33 2010 From: marka at isc.org (Mark Andrews) Date: Thu, 17 Jun 2010 12:07:33 +1000 Subject: Todd Underwood was a little late In-Reply-To: Your message of "Wed, 16 Jun 2010 21:01:32 -0400." References: Message-ID: <201006170207.o5H27XJn065911@drugs.dv.isc.org> In message , Jon Lewis writes: > I just took a closer look at something odd I'd noticed several days ago. > One of our DNS servers was sending crazy amounts of ARP requests for IPs > in the /24 its main IP is in. 
What I've found is we're getting hit with > DNS requests that look like they're from "typical internet traffic for > someone in China" hitting this DNS server from IPs in its /24 which are > currently not in use (at least on our local network). It would appear > someone in China is using our IP space, presumably behind a NAT router, > and they're leaking some traffic non-NAT'd. Why was this traffic hitting your DNS server in the first place? It should have been rejected by the ingress filters preventing spoofing of the local network. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka at isc.org From if at xip.at Wed Jun 16 21:10:07 2010 From: if at xip.at (Ingo Flaschberger) Date: Thu, 17 Jun 2010 04:10:07 +0200 (CEST) Subject: Sending ARP request to unicast MAC instead of broadcast MAC address? In-Reply-To: <7D4FBC01-E09F-4659-B620-310DCB11C20A@semihuman.com> References: <7D4FBC01-E09F-4659-B620-310DCB11C20A@semihuman.com> Message-ID: Dear Chris, > OK, this sounds Really Wacky (or, Really Hacky if you're into puns) but there's a reason for it, I swear... > > Will typical OSS UNIX kernels (Linux, BSD, MacOS X, etc) reply to a crafted ARP request that, instead of having FF:FF:FF:FF:FF:FF as its destination MAC address, is instead sent to the already-known unicast MAC address of the host? Try or read kernel source. > Next, what would be your utility of choice for crafting such a packet? Or is this something one would need to code up by hand in a lower-level language? http://www.perihel.at/sec/mz/ should be able to do this. Kind regards, Ingo Flaschberger From nicks at sunbelt-software.com Wed Jun 16 21:25:05 2010 From: nicks at sunbelt-software.com (Nicholas Suan) Date: Wed, 16 Jun 2010 22:25:05 -0400 Subject: Todd Underwood was a little late In-Reply-To: References: Message-ID: We've been seeing the same thing since 2010-06-10: 22:13:19.687981 IP 72.236.167.197.41789 > 72.236.167.138.domain: 38783+ A? 
jkl.cnr.cn. (28) 22:13:19.773076 IP 72.236.167.124.33327 > 72.236.167.138.domain: 38783+ A? i10.aliimg.com. (32) 22:13:19.855750 IP 72.236.167.169.33381 > 72.236.167.138.domain: 38783+ A? www.vrp3d.com. (31) 22:13:19.941155 IP 72.236.167.200.33005 > 72.236.167.138.domain: 38783+ A? www.51seer.com. (32) 22:13:20.026342 IP 72.236.167.141.36652 > 72.236.167.138.domain: 38783+ A? img1.kaixin001.com.cn. (39) 22:13:20.102540 IP 72.236.167.188.39525 > 72.236.167.138.domain: 38783+ A? pic.kaixin001.com.cn. (38) 22:13:20.204403 IP 72.236.167.103.37838 > 72.236.167.138.domain: 38783+ A? pic.kaixin001.com. (35) 22:13:20.791201 IP 72.236.167.186.38958 > 72.236.167.138.domain: 38783+ A? pic1.kaixin001.com. (36) 22:13:20.876527 IP 72.236.167.121.33000 > 72.236.167.138.domain: 38783+ A? pic1.kaixin001.com.cn. (39) 22:13:20.971393 IP 72.236.167.203.33726 > 72.236.167.138.domain: 38783+ A? logo.kaixin001.com.cn. (39) 22:13:21.051831 IP 72.236.167.120.35298 > 72.236.167.138.domain: 38783+ A? qqtest.cdn20.com. (34) 22:13:21.132215 IP 72.236.167.196.34862 > 72.236.167.138.domain: 38783+ A? upload.elle.cn. (32) 22:13:21.218372 IP 72.236.167.116.35073 > 72.236.167.138.domain: 38783+ A? www.elle.cn. (29) Spoofed, all with a TTL of 3. Given that all of the domains in question appear to have nameservers in common, I assumed someone was trying to make us participate in a DDoS attack, and started dropping all of the traffic. On Jun 16, 2010, at 9:01 PM, Jon Lewis wrote: > I just took a closer look at something odd I'd noticed several days ago. One of our DNS servers was sending crazy amounts of ARP requests for IPs in the /24 its main IP is in. What I've found is we're getting hit with DNS requests that look like they're from "typical internet traffic for someone in China" hitting this DNS server from IPs in its /24 which are currently not in use (at least on our local network). 
It would appear someone in China is using our IP space, presumably behind a NAT router, and they're leaking some traffic non-NAT'd. > > 20:53:41.361734 IP 209.208.121.66.41755 > 209.208.121.126.53: 15939+ A? ns5.z.lxdns.com. (33) > 20:53:43.523210 IP 209.208.121.95.39393 > 209.208.121.126.53: 15939+ A? www.nanhutravel.com. (37) > 20:53:48.411805 IP 209.208.121.66.33390 > 209.208.121.126.53: 15939+ A? test.csxm.cdn20.com. (37) > 20:53:50.557680 IP 209.208.121.135.40056 > 209.208.121.126.53: 15939+ A? rextest2.lxdns.com. (36) > 20:53:56.918993 IP 209.208.121.135.37291 > 209.208.121.126.53: 15939+ A? www.51seer.com. (32) > 20:54:20.033902 IP 209.208.121.95.37544 > 209.208.121.126.53: 15939+ A? image.dhgate.cdn20.com. (40) > 20:54:21.900295 IP 209.208.121.66.35144 > 209.208.121.126.53: 15939+ A? static.xn-app.com. (35) > 20:54:27.711853 IP 209.208.121.66.33518 > 209.208.121.126.53: 15939+ A? oa.hanhe.com. (30) > 20:54:29.642938 IP 209.208.121.135.41723 > 209.208.121.126.53: 15939+ A? pic1.kaixin001.com. (36) > 20:54:32.357414 IP 209.208.121.95.38564 > 209.208.121.126.53: 15939+ A? rr.snyu.com. (29) > 20:54:38.901315 IP 209.208.121.95.37840 > 209.208.121.126.53: 15939+ A? edu.163.com. (29) > 20:54:39.807385 IP 209.208.121.95.36069 > 209.208.121.126.53: 15939+ A? image.dhgate.cdn20.com. (40) > 20:54:40.833778 IP 209.208.121.66.34949 > 209.208.121.126.53: 15939+ A? uphn.snswall.com. (34) > 20:54:42.070294 IP 209.208.121.95.38405 > 209.208.121.126.53: 15939+ A? zwgk.cma.gov.cn. (33) > 20:54:42.189939 IP 209.208.121.135.36637 > 209.208.121.126.53: 15939+ A? btocdn.52yeyou.com. (36) > 20:54:45.767299 IP 209.208.121.95.41405 > 209.208.121.126.53: 15939+ A? img1.kaixin001.com.cn. (39) > 20:54:48.595582 IP 209.208.121.66.40099 > 209.208.121.126.53: 15939+ A? rextest2.cdn20.com. (36) > 20:54:49.480147 IP 209.208.121.95.42363 > 209.208.121.126.53: 15939+ A? www.dameiren.com. (34) > 20:54:50.714200 IP 209.208.121.135.41497 > 209.208.121.126.53: 15939+ A? pic1.kaixin001.com.cn. 
(39) > 20:54:54.116841 IP 209.208.121.135.36828 > 209.208.121.126.53: 15939+ A? i.jstv.com. (28) > > I hope they got a good deal on the IP space...and a better deal on their buggy router. > > ---------------------------------------------------------------------- > Jon Lewis | I route > Senior Network Engineer | therefore you are > Atlantic Net | > _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ > From jlewis at lewis.org Wed Jun 16 21:43:11 2010 From: jlewis at lewis.org (Jon Lewis) Date: Wed, 16 Jun 2010 22:43:11 -0400 (EDT) Subject: Todd Underwood was a little late In-Reply-To: <201006170207.o5H27XJn065911@drugs.dv.isc.org> References: <201006170207.o5H27XJn065911@drugs.dv.isc.org> Message-ID: On Thu, 17 Jun 2010, Mark Andrews wrote: > Why was this traffic hitting your DNS server in the first place? It should > have been rejected by the ingress filters preventing spoofing of the local > network. When I ran a smaller simpler network, I did have input filters on our transit providers rejecting packets from our IP space. With a larger network, multiple IP blocks, numerous multihomed customers, some of which use IP's we've assigned them, it gets a little more complicated to do. I could reject at our border, packets sourced from our IP ranges with exceptions for any of the IP blocks we've assigned to multihomed customers. The ACLs wouldn't be that long, or that hard to maintain. Is this common practice? ---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ From marka at isc.org Wed Jun 16 22:27:09 2010 From: marka at isc.org (Mark Andrews) Date: Thu, 17 Jun 2010 13:27:09 +1000 Subject: Todd Underwood was a little late In-Reply-To: Your message of "Wed, 16 Jun 2010 22:43:11 -0400." 
References: <201006170207.o5H27XJn065911@drugs.dv.isc.org> Message-ID: <201006170327.o5H3R9fA072599@drugs.dv.isc.org> In message , Jon Lewis writes: > On Thu, 17 Jun 2010, Mark Andrews wrote: > > > Why was this traffic hitting your DNS server in the first place? It should > > have been rejected by the ingress filters preventing spoofing of the local > > network. > > When I ran a smaller simpler network, I did have input filters on our > transit providers rejecting packets from our IP space. With a larger > network, multiple IP blocks, numerous multihomed customers, some of which > use IP's we've assigned them, it gets a little more complicated to do. One can never do a perfect job but one can stop a large percentage of the crap. You should know the multi-homed customers and their address ranges so they become exceptions. You also run filters on internal routers. There are internal ingress/egress points as well as interconnects. > I could reject at our border, packets sourced from our IP ranges with > exceptions for any of the IP blocks we've assigned to multihomed > customers. The ACLs wouldn't be that long, or that hard to maintain. Is > this common practice? > > ---------------------------------------------------------------------- > Jon Lewis | I route > Senior Network Engineer | therefore you are > Atlantic Net | > _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka at isc.org From r.engehausen at gmail.com Wed Jun 16 23:38:42 2010 From: r.engehausen at gmail.com (Roy) Date: Wed, 16 Jun 2010 21:38:42 -0700 Subject: Todd Underwood was a little late In-Reply-To: References: <201006170207.o5H27XJn065911@drugs.dv.isc.org> Message-ID: <4C19A6D2.6030603@gmail.com> On 6/16/2010 7:43 PM, Jon Lewis wrote: > On Thu, 17 Jun 2010, Mark Andrews wrote: > >> Why was this traffic hitting your DNS server in the first place? 
It >> should >> have been rejected by the ingress filters preventing spoofing of the >> local >> network. > > When I ran a smaller simpler network, I did have input filters on our > transit providers rejecting packets from our IP space. With a larger > network, multiple IP blocks, numerous multihomed customers, some of > which use IP's we've assigned them, it gets a little more complicated > to do. > > I could reject at our border, packets sourced from our IP ranges with > exceptions for any of the IP blocks we've assigned to multihomed > customers. The ACLs wouldn't be that long, or that hard to maintain. > Is this common practice? > > - Sounds like a good use of URPF. From garrett at skjelstad.org Thu Jun 17 00:07:10 2010 From: garrett at skjelstad.org (Garrett Skjelstad) Date: Wed, 16 Jun 2010 22:07:10 -0700 Subject: Todd Underwood was a little late In-Reply-To: <4C19A6D2.6030603@gmail.com> References: <201006170207.o5H27XJn065911@drugs.dv.isc.org> <4C19A6D2.6030603@gmail.com> Message-ID: RFC 2827 anyone? On Wed, Jun 16, 2010 at 9:38 PM, Roy wrote: > On 6/16/2010 7:43 PM, Jon Lewis wrote: > >> On Thu, 17 Jun 2010, Mark Andrews wrote: >> >> Why was this traffic hitting your DNS server in the first place? It >>> should >>> have been rejected by the ingress filters preventing spoofing of the >>> local >>> network. >>> >> >> When I ran a smaller simpler network, I did have input filters on our >> transit providers rejecting packets from our IP space. With a larger >> network, multiple IP blocks, numerous multihomed customers, some of which >> use IP's we've assigned them, it gets a little more complicated to do. >> >> I could reject at our border, packets sourced from our IP ranges with >> exceptions for any of the IP blocks we've assigned to multihomed customers. >> The ACLs wouldn't be that long, or that hard to maintain. Is this common >> practice? >> >> - >> > > Sounds like a good use of URPF. 
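To make the symptom in this thread checkable, here is an added Python example (not code from any poster) that parses tcpdump lines like the ones Jon and Nicholas posted, flags queries whose source address lies inside the server's own prefix, and models the border ingress rule Jon describes, with an exception list for blocks assigned to multihomed customers. The local prefix is taken from Jon's capture; the multihomed exception block and the one outside-source query line are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the first four lines are copied from Jon Lewis's
# tcpdump output in the thread; the fifth is a made-up query from an
# outside address (TEST-NET-2) to show what a legitimate client looks like.
SAMPLE_LINES = [
    "20:53:41.361734 IP 209.208.121.66.41755 > 209.208.121.126.53: 15939+ A? ns5.z.lxdns.com. (33)",
    "20:53:43.523210 IP 209.208.121.95.39393 > 209.208.121.126.53: 15939+ A? www.nanhutravel.com. (37)",
    "20:53:48.411805 IP 209.208.121.66.33390 > 209.208.121.126.53: 15939+ A? test.csxm.cdn20.com. (37)",
    "20:53:50.557680 IP 209.208.121.135.40056 > 209.208.121.126.53: 15939+ A? rextest2.lxdns.com. (36)",
    "20:55:01.000000 IP 198.51.100.7.40000 > 209.208.121.126.53: 4711+ A? example.net. (29)",
]

# tcpdump's one-line DNS query summary; the port may print as a number or
# a service name ("53" or "domain"), and "+" marks recursion desired.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\w+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\w+): (?P<qid>\d+)\+? "
    r"(?P<qtype>[A-Z]+)\? (?P<qname>\S+) \((?P<length>\d+)\)$"
)


def parse_line(line):
    """Return the fields of one tcpdump DNS query line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    q = m.groupdict()
    q["src"] = ipaddress.ip_address(q["src"])
    q["dst"] = ipaddress.ip_address(q["dst"])
    q["qid"] = int(q["qid"])
    return q


def should_drop_at_border(src, local_prefixes, multihomed_exceptions=()):
    """Border ingress rule from the thread: a packet arriving from a transit
    provider with a source inside our own space is spoofed and is dropped,
    unless the source lies in a block assigned to a multihomed customer,
    which may legitimately reach us through another provider."""
    src = ipaddress.ip_address(src) if isinstance(src, str) else src
    nets = [ipaddress.ip_network(p) for p in local_prefixes]
    exceptions = [ipaddress.ip_network(p) for p in multihomed_exceptions]
    if any(src in net for net in exceptions):
        return False
    return any(src in net for net in nets)


def analyze(lines, local_prefixes, multihomed_exceptions=()):
    """Summarise which captured queries the border filter would have dropped."""
    queries = [q for q in map(parse_line, lines) if q is not None]
    spoofed = [q for q in queries
               if should_drop_at_border(q["src"], local_prefixes, multihomed_exceptions)]
    per_source = Counter(str(q["src"]) for q in spoofed)
    qids = sorted({q["qid"] for q in spoofed})
    # Several distinct "clients" reusing one transaction id is the tell
    # Nicholas Suan noted: a real resolver population does not all pick
    # the same id, so these queries came from a single sender.
    shared_id = len(per_source) >= 2 and len(qids) == 1
    return {
        "parsed": len(queries),
        "spoofed": len(spoofed),
        "per_source": dict(per_source),
        "qids": qids,
        "shared_id": shared_id,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LINES, ["209.208.121.0/24"])
    for key, value in report.items():
        print(f"{key}: {value}")
```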
From jtodd at loligo.com Thu Jun 17 01:26:30 2010 From: jtodd at loligo.com (John Todd) Date: Wed, 16 Jun 2010 23:26:30 -0700 Subject: AT&T's blue network SMS<->SMTP off the air Message-ID: <7A699AC1-EF4E-4731-8D81-FAEDC3CE1C01@loligo.com> To those of you who may rely upon AT&T to deliver your email-to-SMS messages for monitoring: some of you may be currently out of luck. I would just send this to the "outages at puck.nether.net" list, but it does seem to be a meta-network failure in that for better or worse many of us use SMS as a method to monitor outages, so this perhaps moves it up a notch in the importance hierarchy enough to warrant a NANOG post. I am experiencing failures on my email transmissions to my older "blue" (aka: Cingular) AT&T devices at the moment, for both incoming and outgoing. Many of you may be using older "blue" cards in your NOC phones, SMS gateway devices, or perhaps even your personal mobile devices for those of you who still live in the dark ages of phones that aren't [2.5,3,4,x]G capable. I am unable to diagnose the problems fully, but at least some (if not all) of the SMS-to-email gateway failures are due to mmode.com's MX hosts (in the "airdata.com" zone) being unreachable due to absence of functioning authoritative resolvers for that zone, and possibly other failures as well. This appears to be causing "550 Access Denied" messages being returned to my mobile devices that are sending to email addresses, and mail spooling on my Internet SMTP hosts that are trying to send to the "NPAxxxyyyy at mmode.com" addresses for SMTP-to-SMS relay. There is a rumor that this is NOT related to the deactivation of the "downloads" components of the blue network on the 15th, but I suspect that someone just decided to pull the plug on everything. Reading to the end of the thread below, there is someone who states AT&T claims it will be back online by the evening of the 17th at the surprisingly accurate time of 9:55 PM (timezone unstated.) 
More speculation: http://forums.wireless.att.com/t5/mMode/URGENT-mmode-down-again-Their-mta01-cdpd-airdata-com-mail-server/td-p/1939480 I don't know if this is causing problems with anyone using TAP interfaces, or with any of AT&T's other SMTP<->SMS gateway services like @txt.att.net. SMS, and mobile devices in general, are a single point of failure for contacting on-call staff for various problems - perhaps it's time to insist that everyone carries two mobile devices, on different frequency and technology platforms, with different carriers, and split messages to both due to the anecdotally increasing failure rates of mobile networks. Conspiracy theories of how collusive unreliability would increase ARPU across the board for all carriers would be interesting to hear... but not in this forum, I suspect. :-) JT From kurtis at kurtis.pp.se Thu Jun 17 03:31:57 2010 From: kurtis at kurtis.pp.se (Lindqvist Kurt Erik) Date: Thu, 17 Jun 2010 10:31:57 +0200 Subject: AAAA being added for i.root-servers.net Message-ID: All, This is to inform you that, we (Netnod/Autonomica, operators of i.root-servers.net) have been notified by IANA that on our request an AAAA record will be added to the root-zone with serial number 2010061700. Best regards, - kurtis - --- Kurt Erik Lindqvist, CEO kurtis at netnod.se, Direct: +46-8-562 860 11, Switch: +46-8-562 860 00 Please note our new address: Franzéngatan 5 | SE-112 51 Stockholm | Sweden From deric.kwok2000 at gmail.com Thu Jun 17 07:19:52 2010 From: deric.kwok2000 at gmail.com (Deric Kwok) Date: Thu, 17 Jun 2010 08:19:52 -0400 Subject: pls help about mtu setting Message-ID: Hi My DSL company asks me to set the modem 1462 and my old company used 1492 What is the different? Why it is not standard 1500? 
Thank you From bfeeny at mac.com Thu Jun 17 07:27:34 2010 From: bfeeny at mac.com (Brian Feeny) Date: Thu, 17 Jun 2010 08:27:34 -0400 Subject: Todd Underwood was a little late In-Reply-To: <4C19A6D2.6030603@gmail.com> References: <201006170207.o5H27XJn065911@drugs.dv.isc.org> <4C19A6D2.6030603@gmail.com> Message-ID: urpf doesn't work as well for stopping inbound traffic to your network, because most people aren't totally defaultless, so the default route makes all traffic valid. It works well for outbound traffic. On Jun 17, 2010, at 12:38 AM, Roy wrote: > On 6/16/2010 7:43 PM, Jon Lewis wrote: >> On Thu, 17 Jun 2010, Mark Andrews wrote: >> >>> Why was this traffic hitting your DNS server in the first place? It should >>> have been rejected by the ingress filters preventing spoofing of the local >>> network. >> >> When I ran a smaller simpler network, I did have input filters on our transit providers rejecting packets from our IP space. With a larger network, multiple IP blocks, numerous multihomed customers, some of which use IP's we've assigned them, it gets a little more complicated to do. >> >> I could reject at our border, packets sourced from our IP ranges with exceptions for any of the IP blocks we've assigned to multihomed customers. The ACLs wouldn't be that long, or that hard to maintain. Is this common practice? >> >> - > > Sounds like a good use of URPF. > > From bclark at spectraaccess.com Thu Jun 17 08:22:33 2010 From: bclark at spectraaccess.com (Bret Clark) Date: Thu, 17 Jun 2010 09:22:33 -0400 Subject: pls help about mtu setting In-Reply-To: References: Message-ID: <4C1A2199.9090500@spectraaccess.com> google (or any search engine) is your friend. http://www.google.com/search?aq=f&sourceid=chrome&ie=UTF-8&q=mtu+1492+dsl On 06/17/2010 08:19 AM, Deric Kwok wrote: > Hi > > My DSL company asks me to set the modem 1462 and my old company used 1492 > > What is the different? > > Why it is not standard 1500? 
> > Thank you > > From Valdis.Kletnieks at vt.edu Thu Jun 17 08:35:40 2010 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Thu, 17 Jun 2010 09:35:40 -0400 Subject: PCAP Sanitization Tool In-Reply-To: Your message of "Thu, 17 Jun 2010 11:15:05 +1200." <4C195AF9.9050304@nzrs.net.nz> References: <4C195AF9.9050304@nzrs.net.nz> Message-ID: <97662.1276781740@localhost> On Thu, 17 Jun 2010 11:15:05 +1200, Sebastian Castro said: > Bein, Matthew wrote: > > Anyone know of a good tool for sanitizing PCAP files? I would like to > > keep as much of the payload as possible but remove src and dst ip > > information. > Would address anonymization work? Instead of removing src/dst ip, you > can zero them. No, if you simply zero the source and dest fields, you can't tell the difference between packets going "A->B" and "B->A", which is usually something you kind of want to keep track of. From bill at herrin.us Thu Jun 17 08:36:00 2010 From: bill at herrin.us (William Herrin) Date: Thu, 17 Jun 2010 09:36:00 -0400 Subject: pls help about mtu setting In-Reply-To: References: Message-ID: On Thu, Jun 17, 2010 at 8:19 AM, Deric Kwok wrote: > My DSL company asks me to set the modem 1462 and my old company used 1492 > Why it is not standard 1500? Because they're wrapping your packet inside another packet that they then transmit on a line with a 1500 byte MTU. The header on their packet needs a few bytes, so you can't have them. Regards, Bill Herrin -- William D. Herrin ................ herrin at dirtside.com bill at herrin.us 3005 Crane Dr. ...................... 
Web: Falls Church, VA 22042-3004

From dmburgess at linktechs.net Thu Jun 17 08:46:26 2010
From: dmburgess at linktechs.net (Dennis Burgess)
Date: Thu, 17 Jun 2010 08:46:26 -0500
Subject: Future of WiMax
References: <4C192774.1050501@rollernet.us>
Message-ID: <91522911795E174F97E7EF8B792A1031229183@ltiserver.LTI.local>

Lots of my clients (Wireless ISPs) have looked into deploying it, however the costs are well over 20 times the cost of an unlicensed system per access point. I know it will be deployed as we work with some of the backend routing etc. and installation with some of Clearwire's subs, but most of my clients have moved on to other cheaper, more proven technologies. Just what is going on in the WISP industry for the most part. 802.11n so far on point-2-point links is working quite well; cheap hardware as well as ease of use is playing factors in this. We are seeing 10+ mile N links running 60-70 meg TCP and over 200 UDP using only 2x2 MIMO.

-----------------------------------------------------------
Dennis Burgess, Mikrotik Certified Trainer
Link Technologies, Inc -- Mikrotik & WISP Support Services
Office: 314-735-0270 Website: http://www.linktechs.net
LIVE On-Line Mikrotik Training - Author of "Learn RouterOS"

-----Original Message-----
From: Rubens Kuhl [mailto:rubensk at gmail.com]
Sent: Wednesday, June 16, 2010 2:48 PM
To: Seth Mattinen
Cc: nanOG list
Subject: Re: Future of WiMax

The future of WiMAX seems a lot less promising now that FD-LTE is the clear winner for wide-scale mobile deployment, and TD-LTE, 802.11n and proprietary technologies will compete for non-paired spectrum and/or niche markets. But one can build a network with WiMAX and make money out of it; global market forces have established the big picture, not what would happen on a specific scenario.
Rubens

On Wed, Jun 16, 2010 at 4:35 PM, Seth Mattinen wrote:
> A while back I remember reading a comment here that "WiMax is not a future proof technology" and that several manufacturers have dropped it or something to that effect. I think it was in the starting a WiMax ISP thread. This has stuck in my head, and I was curious if there was any truth to this.
>
> WiMax sounds promising, but I certainly don't hear a lot about it other than Sprint/Clear. Is it just that everyone that's doing wireless is sticking with relatively inexpensive 802.11 a/b/g/n products, or is WiMax really a dead end?
>
> ~Seth
>

From tom.pipes at t6mail.com Thu Jun 17 08:39:29 2010
From: tom.pipes at t6mail.com (Tom Pipes)
Date: Thu, 17 Jun 2010 08:39:29 -0500 (CDT)
Subject: pls help about mtu setting
Message-ID: <9708872.909571276781969228.JavaMail.root@zimbra>

Are you authenticating with PPPoE? If so, it has a maximum MTU size of 1492 due to the encapsulation overhead.

---
Tom Pipes
T6 Broadband/ Essex Telcom Inc
tom.pipes at t6mail.com

----- Original Message -----
From: "William Herrin"
To: "Deric Kwok"
Cc: "nanog list"
Sent: Thursday, June 17, 2010 8:36:00 AM
Subject: Re: pls help about mtu setting

On Thu, Jun 17, 2010 at 8:19 AM, Deric Kwok wrote:
> My DSL company asks me to set the modem 1462 and my old company used 1492
> Why it is not standard 1500?

Because they're wrapping your packet inside another packet that they then transmit on a line with a 1500 byte MTU. The header on their packet needs a few bytes, so you can't have them.

Regards,
Bill Herrin

--
William D. Herrin ................ herrin at dirtside.com bill at herrin.us
3005 Crane Dr. ...................... Web:
Falls Church, VA 22042-3004

From Valdis.Kletnieks at vt.edu Thu Jun 17 08:46:51 2010
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Thu, 17 Jun 2010 09:46:51 -0400
Subject: PCAP Sanitization Tool
In-Reply-To: Your message of "Wed, 16 Jun 2010 18:37:01 PDT."
<5662AC9E-A0B7-4252-8782-C16AB94D21C2@cs.columbia.edu>
References: <5662AC9E-A0B7-4252-8782-C16AB94D21C2@cs.columbia.edu>
Message-ID: <98375.1276782411@localhost>

On Wed, 16 Jun 2010 18:37:01 PDT, Steven Bellovin said:
> What's your threat model? In general, proper anonymization of packet trace data is very hard.

I'll go out on a limb and point out that a large chunk of the difficulty is because every protocol has had to invent its own hack-arounds for working across a NAT. The resulting lack of standardization, making things like Wireshark protocol examinations and sanitizing capture data harder, is one of the less well-known reasons why NATs are evil.

I'll cut FTP some slack - it dates back *so* far we can legitimately say we just didn't know any better way back in the Stone Age. ;)

From smb at cs.columbia.edu Thu Jun 17 08:49:55 2010
From: smb at cs.columbia.edu (Steven Bellovin)
Date: Thu, 17 Jun 2010 06:49:55 -0700
Subject: PCAP Sanitization Tool
In-Reply-To: <98375.1276782411@localhost>
References: <5662AC9E-A0B7-4252-8782-C16AB94D21C2@cs.columbia.edu> <98375.1276782411@localhost>
Message-ID: <291FD4BE-857E-42FD-A863-6B4D7C8F788C@cs.columbia.edu>

On Jun 17, 2010, at 6:46:51 AM, Valdis.Kletnieks at vt.edu wrote:
> On Wed, 16 Jun 2010 18:37:01 PDT, Steven Bellovin said:
>> What's your threat model? In general, proper anonymization of packet trace data is very hard.
>
> I'll go out on a limb and point out that a large chunk of the difficulty is because every protocol has had to invent its own hack-arounds for working across a NAT. The resulting lack of standardization, making things like Wireshark protocol examinations and sanitizing capture data harder, is one of the less well-known reasons why NATs are evil.

My complaints are at a deeper level -- even without that, it's really hard.
--Steve Bellovin, http://www.cs.columbia.edu/~smb

From james at jamesstewartsmith.com Thu Jun 17 08:52:13 2010
From: james at jamesstewartsmith.com (James Smith)
Date: Thu, 17 Jun 2010 09:52:13 -0400
Subject: Advice regarding Cisco/Juniper/HP

I'm looking for a little insight regarding an infrastructure purchase my company is considering. We are a carrier, and we're in the process of building a DR site. Our existing production site is all Cisco equipment with a little Juniper thrown into the mix. I'd like to either get the same Cisco equipment for the DR, or the equivalent Juniper equipment. We have skill sets for both Cisco and Juniper, so neither would be a problem to manage.

A business issue has come up since we have a large number of HP servers for Unix and Wintel. With HP's recent acquisition of 3Com they are pressing hard to quote on the networking hardware as well, going as far as offering prices that are way below the equivalent Cisco and Juniper models. In addition they're saying they'll cut us deals on the HP servers for the DR site to help with the decision to go for HP Networking. Obviously to the people writing the cheques this carries a lot of weight.

From a technical point of view, I have never worked in a shop that used HP or 3Com for the infrastructure. Dot-coms, telcos, banks, hosting companies... I haven't seen any of them using 3Com or HP. Additionally, I'm not fond of having to deal with a third set of equipment. I'm not exactly comfortable going with HP, but I'd like some data to help resolve the debate.

So my questions to the NANOG community are: Would you recommend HP over Cisco or Juniper? How is HP's functionality and performance compared to Cisco or Juniper? Does anyone have any HP networking experiences they can share, good or bad?
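An added example for the PCAP Sanitization Tool thread above (constructed here, not code from any poster or tool named in the thread): it builds a two-packet capture, then contrasts zeroing the addresses, which merges "A->B" and "B->A" exactly as Valdis describes, with a keyed, consistent pseudonymisation that keeps direction while removing the real addresses. The capture contents, addresses and key are all made-up assumptions; transport checksums and addresses carried inside payloads (the NAT hack-arounds Valdis mentions) are deliberately not handled.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# Constructed sample capture, not a real trace: a minimal pcap (link type 1,
# Ethernet) holding one IPv4/UDP packet 10.1.2.3 -> 192.0.2.10 and its reply.
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def ip_checksum(header: bytes) -> int:
    """Ones-complement sum over an IPv4 header (checksum field zeroed first)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _build_packet(src: str, dst: str, payload: bytes) -> bytes:
    eth = b"\x00" * 12 + b"\x08\x00"                 # dummy MACs, EtherType IPv4
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return eth + hdr + udp


def build_sample_pcap() -> bytes:
    """Global header + two records; timestamps are arbitrary constructed values."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, (s, d, p) in enumerate([("10.1.2.3", "192.0.2.10", b"query"),
                                   ("192.0.2.10", "10.1.2.3", b"reply")]):
        pkt = _build_packet(s, d, p)
        out.append(struct.pack("<IIII", 1276780000 + i, 0, len(pkt), len(pkt)) + pkt)
    return b"".join(out)


def _records(data: bytes):
    """Yield (record_header, frame) for each record of a little-endian pcap."""
    off = 24
    while off + 16 <= len(data):
        rhdr = data[off:off + 16]
        incl_len = struct.unpack("<IIII", rhdr)[2]
        off += 16
        yield rhdr, data[off:off + incl_len]
        off += incl_len


def _is_ipv4(frame: bytes) -> bool:
    return len(frame) >= 34 and frame[12:14] == b"\x08\x00" and frame[14] >> 4 == 4


def _rewrite(data: bytes, mapper) -> bytes:
    """Apply mapper(4 bytes) -> 4 bytes to every IPv4 src/dst and fix the IP
    header checksum. Transport checksums (which cover the IP pseudo-header)
    and addresses inside payloads, e.g. FTP PORT, are left untouched here."""
    out = [data[:24]]
    for rhdr, frame in _records(data):
        if _is_ipv4(frame):
            ihl = (frame[14] & 0x0F) * 4
            ip = bytearray(frame[14:14 + ihl])
            ip[12:16] = mapper(bytes(ip[12:16]))
            ip[16:20] = mapper(bytes(ip[16:20]))
            ip[10:12] = b"\x00\x00"
            ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))
            frame = frame[:14] + bytes(ip) + frame[14 + ihl:]
        out.append(rhdr + frame)
    return b"".join(out)


def zero_addresses(data: bytes) -> bytes:
    """The approach questioned in the thread: every address becomes 0.0.0.0."""
    return _rewrite(data, lambda _addr: b"\x00\x00\x00\x00")


def pseudonymize(data: bytes, key: bytes) -> bytes:
    """Keyed, consistent mapping: the same real address always maps to the same
    fake one, so A->B and B->A stay distinguishable. Output is forced into
    10.0.0.0/8; the 24-bit output space can collide on very large captures."""
    def mapper(addr: bytes) -> bytes:
        return b"\x0a" + hmac.new(key, addr, hashlib.sha256).digest()[:3]
    return _rewrite(data, mapper)


def flows(data: bytes):
    """(src, dst) per IPv4 packet, in capture order, for inspecting results."""
    return [(str(IPv4Address(f[26:30])), str(IPv4Address(f[30:34])))
            for _, f in _records(data) if _is_ipv4(f)]
```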
From bclark at spectraaccess.com Thu Jun 17 09:00:21 2010
From: bclark at spectraaccess.com (Bret Clark)
Date: Thu, 17 Jun 2010 10:00:21 -0400
Subject: Future of WiMax
In-Reply-To: <91522911795E174F97E7EF8B792A1031229183@ltiserver.LTI.local>
References: <4C192774.1050501@rollernet.us> <91522911795E174F97E7EF8B792A1031229183@ltiserver.LTI.local>
Message-ID: <4C1A2A75.9050108@spectraaccess.com>

On 06/17/2010 09:46 AM, Dennis Burgess wrote:
> Lots of my clients (Wireless ISPs) have looked into deploying it, however the costs are well over 20 times the cost of an unlicensed system per access point.
>

Yeah... that is really the crux of the problem. Every WISP I know would switch over in a heartbeat if the upfront cost was the same as deploying many well-known 5.8GHz systems. Battling with interference in the 5.8GHz can be tough at times; at least with the 3.65GHz range there is some control over frequency use, but even so, dealing with frequency use in 5.8GHz is worth it for the cost savings.

From dmburgess at linktechs.net Thu Jun 17 09:10:06 2010
From: dmburgess at linktechs.net (Dennis Burgess)
Date: Thu, 17 Jun 2010 09:10:06 -0500
Subject: Future of WiMax
References: <4C192774.1050501@rollernet.us> <91522911795E174F97E7EF8B792A1031229183@ltiserver.LTI.local> <4C1A2A75.9050108@spectraaccess.com>
Message-ID: <91522911795E174F97E7EF8B792A1031229188@ltiserver.LTI.local>

And even then, there is not much spectrum in 3.65. It still doesn't penetrate trees as well as 2.4 GHz does.
-----------------------------------------------------------
Dennis Burgess, Mikrotik Certified Trainer
Link Technologies, Inc -- Mikrotik & WISP Support Services
Office: 314-735-0270 Website: http://www.linktechs.net
LIVE On-Line Mikrotik Training - Author of "Learn RouterOS"

-----Original Message-----
From: Bret Clark [mailto:bclark at spectraaccess.com]
Sent: Thursday, June 17, 2010 9:00 AM
To: nanog at nanog.org
Subject: Re: Future of WiMax

On 06/17/2010 09:46 AM, Dennis Burgess wrote:
> Lots of my clients (Wireless ISPs) have looked into deploying it, however the costs are well over 20 times the cost of an unlicensed system per access point.
>

Yeah... that is really the crux of the problem. Every WISP I know would switch over in a heartbeat if the upfront cost was the same as deploying many well-known 5.8GHz systems. Battling with interference in the 5.8GHz can be tough at times; at least with the 3.65GHz range there is some control over frequency use, but even so, dealing with frequency use in 5.8GHz is worth it for the cost savings.

From jared at puck.nether.net Thu Jun 17 09:12:00 2010
From: jared at puck.nether.net (Jared Mauch)
Date: Thu, 17 Jun 2010 10:12:00 -0400
Subject: Future of WiMax
In-Reply-To: <4C1A2A75.9050108@spectraaccess.com>
References: <4C192774.1050501@rollernet.us> <91522911795E174F97E7EF8B792A1031229183@ltiserver.LTI.local> <4C1A2A75.9050108@spectraaccess.com>
Message-ID: <8DE05B6E-FEF6-47FC-B47A-765CE1478B85@puck.nether.net>

On Jun 17, 2010, at 10:00 AM, Bret Clark wrote:
> On 06/17/2010 09:46 AM, Dennis Burgess wrote:
>> Lots of my clients (Wireless ISPs) have looked into deploying it, however the costs are well over 20 times the cost of an unlicensed system per access point.
>>
> Yeah... that is really the crux of the problem. Every WISP I know would switch over in a heartbeat if the upfront cost was the same as deploying many well-known 5.8GHz systems.
> Battling with interference in the 5.8GHz can be tough at times; at least with the 3.65GHz range there is some control over frequency use, but even so, dealing with frequency use in 5.8GHz is worth it for the cost savings.

Yup, with the ability to pick up an $80 5.8GHz integrated device w/ antenna, etc. that does PoE (e.g. google NBM5-22), it's hard to argue for more expensive gear.

- Jared

From brandon.kim at brandontek.com Thu Jun 17 09:15:55 2010
From: brandon.kim at brandontek.com (Brandon Kim)
Date: Thu, 17 Jun 2010 10:15:55 -0400
Subject: Advice regarding Cisco/Juniper/HP

This situation scares me. It has HP "best interest" written all over it. You have expertise in competing vendors but not with HP/3Com. They could very well be easy to configure but maybe inferior when you get into the details of how they function. Then if you find out they can't support your business needs, it would cost even more to replace them. I don't think that's going to happen; I'm sure the people writing the checks will tell you to make it work, but if it can't meet the demands, it's going to hurt your business... The people writing the checks need to know this.

I'm not against new companies competing with Cisco/Juniper but at the same time, you don't want to be the guinea pigs for them....

> Date: Thu, 17 Jun 2010 09:52:13 -0400
> Subject: Advice regarding Cisco/Juniper/HP
> From: james at jamesstewartsmith.com
> To: nanog at nanog.org
>
> I'm looking for a little insight regarding an infrastructure purchase my company is considering. We are a carrier, and we're in the process of building a DR site. Our existing production site is all Cisco equipment with a little Juniper thrown into the mix. I'd like to either get the same Cisco equipment for the DR, or the equivalent Juniper equipment. We have skill sets for both Cisco and Juniper, so neither would be a problem to manage.
>
> A business issue has come up since we have a large number of HP servers for Unix and Wintel. With HP's recent acquisition of 3Com they are pressing hard to quote on the networking hardware as well, going as far as offering prices that are way below the equivalent Cisco and Juniper models. In addition they're saying they'll cut us deals on the HP servers for the DR site to help with the decision to go for HP Networking. Obviously to the people writing the cheques this carries a lot of weight.
>
> From a technical point of view, I have never worked in a shop that used HP or 3Com for the infrastructure. Dot-coms, telcos, banks, hosting companies... I haven't seen any of them using 3Com or HP. Additionally, I'm not fond of having to deal with a third set of equipment. I'm not exactly comfortable going with HP, but I'd like some data to help resolve the debate.
>
> So my questions to the NANOG community are: Would you recommend HP over Cisco or Juniper? How is HP's functionality and performance compared to Cisco or Juniper? Does anyone have any HP networking experiences they can share, good or bad?

From trelane at trelane.net Thu Jun 17 09:18:48 2010
From: trelane at trelane.net (Andrew D Kirch)
Date: Thu, 17 Jun 2010 10:18:48 -0400
Subject: Advice regarding Cisco/Juniper/HP
Message-ID: <4C1A2EC8.8000102@trelane.net>

On 06/17/2010 09:52 AM, James Smith wrote:
> So my questions to the NANOG community are: Would you recommend HP over Cisco or Juniper?

Not for core networking.

> How is HP's functionality and performance compared to Cisco or Juniper?

HP's Procurve switches have been around forever; they're about the same quality as a 2xxx 3xxx Cisco, but nothing better.

> Does anyone have any HP networking experiences they can share, good or bad?

Never had any issues with them.
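An added example for the border-filter design in the "Todd Underwood was a little late" thread (Jon Lewis's ACL rejecting packets sourced from the provider's own ranges, with exceptions for blocks assigned to multihomed customers, and Mark Andrews' reply that those customers must be known so they become the exceptions). This is constructed Python, not any poster's configuration: the prefixes, the ACL name and the flow records are made-up assumptions, and the rendered ACL uses standard IOS extended-ACL syntax.

```python
from ipaddress import ip_address, ip_network

# Constructed example data: documentation prefixes, not any operator's space.
OUR_PREFIXES = ["198.51.100.0/24", "203.0.113.0/24"]
# Blocks assigned to multihomed customers. Their packets may legitimately
# arrive from a transit provider, so they are the exceptions in the ACL.
MULTIHOMED_CUSTOMER_BLOCKS = ["203.0.113.64/26"]


def _nets(items):
    return [ip_network(n) for n in items]


def check_exceptions(ours, exceptions):
    """Return (as strings) the exception blocks that are not inside our own
    space. A typo here either opens a hole or silently does nothing, so
    catch it before the ACL is pushed."""
    ours = _nets(ours)
    return [str(e) for e in _nets(exceptions)
            if not any(e.subnet_of(o) for o in ours)]


def drop_on_transit_ingress(src, ours=OUR_PREFIXES,
                            exceptions=MULTIHOMED_CUSTOMER_BLOCKS):
    """True when a packet arriving from transit claims a source inside our
    prefixes that is not a multihomed customer's block, i.e. it is spoofed."""
    addr = ip_address(src)
    if any(addr in e for e in _nets(exceptions)):
        return False
    return any(addr in o for o in _nets(ours))


def render_cisco_acl(name, ours=OUR_PREFIXES,
                     exceptions=MULTIHOMED_CUSTOMER_BLOCKS):
    """Extended ACL in the shape Jon Lewis proposes: permit the exceptions
    first, deny the rest of our space (logged, so spoofing attempts are
    visible), then permit everything else. IOS wants wildcard masks, which
    ipaddress exposes as hostmask."""
    lines = [f"ip access-list extended {name}"]
    for e in _nets(exceptions):
        lines.append(f" permit ip {e.network_address} {e.hostmask} any")
    for o in _nets(ours):
        lines.append(f" deny ip {o.network_address} {o.hostmask} any log")
    lines.append(" permit ip any any")
    return "\n".join(lines)


def classify_flows(records, **policy):
    """Apply the policy to 'src,dst' flow records and count the outcome,
    which is how one would size the 'large percentage of the crap' that
    Mark Andrews says such a filter stops."""
    counts = {"dropped": 0, "permitted": 0}
    for rec in records:
        src = rec.split(",")[0].strip()
        counts["dropped" if drop_on_transit_ingress(src, **policy)
               else "permitted"] += 1
    return counts


# Constructed flow records as seen on a transit-facing interface.
SAMPLE_TRANSIT_FLOWS = [
    "198.51.100.7,198.51.100.53",  # our own space arriving from outside: spoofed
    "203.0.113.70,198.51.100.53",  # multihomed customer block: legitimate
    "192.0.2.9,198.51.100.53",     # ordinary external source
    "203.0.113.9,198.51.100.53",   # our own space again: spoofed
]
```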
From jack at crepinc.com Thu Jun 17 09:27:01 2010
From: jack at crepinc.com (Jack Carrozzo)
Date: Thu, 17 Jun 2010 10:27:01 -0400
Subject: Advice regarding Cisco/Juniper/HP
In-Reply-To: <4C1A2EC8.8000102@trelane.net>
References: <4C1A2EC8.8000102@trelane.net>

A couple consulting gigs I did had 3Com stuff since it was cheap and they got educational deals. They were consulting me to put in Cisco gear ;-) This was admittedly 3-4 years ago.

I've never met anyone who has told me positive stories about 3Com equipment, but I suppose I'm biased also from the horror stories.

My $0.02,

-Jack

On Thu, Jun 17, 2010 at 10:18 AM, Andrew D Kirch wrote:
> On 06/17/2010 09:52 AM, James Smith wrote:
>> So my questions to the NANOG community are: Would you recommend HP over Cisco or Juniper?
> Not for core networking.
>
>> How is HP's functionality and performance compared to Cisco or Juniper?
> HP's Procurve switches have been around forever, they're about the same quality as a 2xxx 3xxx Cisco, but nothing better
>
>> Does anyone have any HP networking experiences they can share, good or bad?
> never had any issues with them.
>

From andrew at networklabs.co.nz Thu Jun 17 09:40:04 2010
From: andrew at networklabs.co.nz (Andrew Thrift)
Date: Fri, 18 Jun 2010 02:40:04 +1200
Subject: Advice regarding Cisco/Juniper/HP
Message-ID: <4C1A33C4.6040005@networklabs.co.nz>

> From a technical point of view, I have never worked in a shop that used HP or 3Com for the infrastructure. Dot-coms, telcos, banks, hosting companies... I haven't seen any of them using 3Com or HP. Additionally, I'm not fond of having to deal with a third set of equipment. I'm not exactly comfortable going with HP, but I'd like some data to help resolve the debate.
>

I work with networking products from all of the mentioned vendors on a daily basis.
HP Networking (was ProCurve) make a solid SME switching product; it is comparable to Cisco 2000/3000 series switches. They also have chassis switches such as the 54xx/82xx, however these lack a lot of the more advanced features available from Cisco and Juniper, and have significant hardware limitations e.g. backplane bandwidth. HP also do not have decent stackable switches, which will be a concern if you want to split LACP trunks across multiple switches/chassis.

Another major negative with the HP gear for us is that their switches only support SFP/SFP+ modules manufactured by HP, so those SFP+ Twin-AX cables that came with your Dell/IBM Blade chassis will be useless to connect to your HP Switches; to add insult HP often sell their own modules at 3x the price of an equivalent module from say Extreme or Juniper.

> So my questions to the NANOG community are: Would you recommend HP over Cisco or Juniper? How is HP's functionality and performance compared to Cisco or Juniper? Does anyone have any HP networking experiences they can share, good or bad?
>

My recommendation would be: use Juniper for Core and Aggregation with ProCurve at the edge.

Regards,

Andrew

From andrew at networklabs.co.nz Thu Jun 17 09:41:21 2010
From: andrew at networklabs.co.nz (Andrew Thrift)
Date: Fri, 18 Jun 2010 02:41:21 +1200
Subject: Advice regarding Cisco/Juniper/HP
References: <4C1A2EC8.8000102@trelane.net>
Message-ID: <4C1A3411.5070002@networklabs.co.nz>

I can tell many stories about 3Com switches; email me off list, the language used will not be suitable for the list.

On 18/06/2010 2:27 a.m., Jack Carrozzo wrote:
> A couple consulting gigs I did had 3Com stuff since it was cheap and they got educational deals. They were consulting me to put in Cisco gear ;-) This was admittedly 3-4 years ago.
>
> I've never met anyone who has told me positive stories about 3Com equipment, but I suppose I'm biased also from the horror stories.
>
> My $0.02,
>
> -Jack
>
> On Thu, Jun 17, 2010 at 10:18 AM, Andrew D Kirch wrote:
>> On 06/17/2010 09:52 AM, James Smith wrote:
>>> So my questions to the NANOG community are: Would you recommend HP over Cisco or Juniper?
>> Not for core networking.
>>
>>> How is HP's functionality and performance compared to Cisco or Juniper?
>> HP's Procurve switches have been around forever, they're about the same quality as a 2xxx 3xxx Cisco, but nothing better
>>
>>> Does anyone have any HP networking experiences they can share, good or bad?
>> never had any issues with them.
>>
>

From nanog2011 at yahoo.com Thu Jun 17 09:55:01 2010
From: nanog2011 at yahoo.com (T Kawasaki)
Date: Thu, 17 Jun 2010 07:55:01 -0700 (PDT)
Subject: help
Message-ID: <90709.1228.qm@web120116.mail.ne1.yahoo.com>

________________________________
From: "nanog-request at nanog.org"
To: nanog at nanog.org
Sent: Thu, June 17, 2010 8:00:02 AM
Subject: NANOG Digest, Vol 29, Issue 51

Send NANOG mailing list submissions to nanog at nanog.org

To subscribe or unsubscribe via the World Wide Web, visit https://mailman.nanog.org/mailman/listinfo/nanog or, via email, send a message with subject or body 'help' to nanog-request at nanog.org

You can reach the person managing the list at nanog-owner at nanog.org

When replying, please edit your Subject line so it is more specific than "Re: Contents of NANOG digest..."

Today's Topics:

1. Re: Todd Underwood was a little late (Jon Lewis)
2. Re: Todd Underwood was a little late (Mark Andrews)
3. Re: Todd Underwood was a little late (Roy)
4. Re: Todd Underwood was a little late (Garrett Skjelstad)
5. AT&T's blue network SMS<->SMTP off the air (John Todd)
6.
AAAA being added for i.root-servers.net (Lindqvist Kurt Erik)

----------------------------------------------------------------------

Message: 1
Date: Wed, 16 Jun 2010 22:43:11 -0400 (EDT)
From: Jon Lewis
Subject: Re: Todd Underwood was a little late
To: Mark Andrews
Cc: nanog at nanog.org
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

On Thu, 17 Jun 2010, Mark Andrews wrote:
> Why was this traffic hitting your DNS server in the first place? It should have been rejected by the ingress filters preventing spoofing of the local network.

When I ran a smaller simpler network, I did have input filters on our transit providers rejecting packets from our IP space. With a larger network, multiple IP blocks, numerous multihomed customers, some of which use IP's we've assigned them, it gets a little more complicated to do.

I could reject at our border, packets sourced from our IP ranges with exceptions for any of the IP blocks we've assigned to multihomed customers. The ACLs wouldn't be that long, or that hard to maintain. Is this common practice?

----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

------------------------------

Message: 2
Date: Thu, 17 Jun 2010 13:27:09 +1000
From: Mark Andrews
Subject: Re: Todd Underwood was a little late
To: Jon Lewis
Cc: nanog at nanog.org
Message-ID: <201006170327.o5H3R9fA072599 at drugs.dv.isc.org>

In message , Jon Lewis writes:
> On Thu, 17 Jun 2010, Mark Andrews wrote:
>
>> Why was this traffic hitting your DNS server in the first place? It should have been rejected by the ingress filters preventing spoofing of the local network.
>
> When I ran a smaller simpler network, I did have input filters on our transit providers rejecting packets from our IP space.
> With a larger network, multiple IP blocks, numerous multihomed customers, some of which use IP's we've assigned them, it gets a little more complicated to do.

One can never do a perfect job but one can stop a large percentage of the crap. You should know the multi-homed customers and their address ranges so they become exceptions. You also run filters on internal routers. There are internal ingress/egress points as well as interconnects.

> I could reject at our border, packets sourced from our IP ranges with exceptions for any of the IP blocks we've assigned to multihomed customers. The ACLs wouldn't be that long, or that hard to maintain. Is this common practice?
>
> ----------------------------------------------------------------------
> Jon Lewis | I route
> Senior Network Engineer | therefore you are
> Atlantic Net |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org

------------------------------

Message: 3
Date: Wed, 16 Jun 2010 21:38:42 -0700
From: Roy
Subject: Re: Todd Underwood was a little late
Cc: nanog at nanog.org
Message-ID: <4C19A6D2.6030603 at gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On 6/16/2010 7:43 PM, Jon Lewis wrote:
> On Thu, 17 Jun 2010, Mark Andrews wrote:
>
>> Why was this traffic hitting your DNS server in the first place? It should have been rejected by the ingress filters preventing spoofing of the local network.
>
> When I ran a smaller simpler network, I did have input filters on our transit providers rejecting packets from our IP space. With a larger network, multiple IP blocks, numerous multihomed customers, some of which use IP's we've assigned them, it gets a little more complicated to do.
>
> I could reject at our border, packets sourced from our IP ranges with exceptions for any of the IP blocks we've assigned to multihomed customers. The ACLs wouldn't be that long, or that hard to maintain. Is this common practice?
>
> -

Sounds like a good use of URPF.

------------------------------

Message: 4
Date: Wed, 16 Jun 2010 22:07:10 -0700
From: Garrett Skjelstad
Subject: Re: Todd Underwood was a little late
To: Roy
Cc: nanog at nanog.org
Content-Type: text/plain; charset=ISO-8859-1

RFC 2827 anyone?

On Wed, Jun 16, 2010 at 9:38 PM, Roy wrote:
> On 6/16/2010 7:43 PM, Jon Lewis wrote:
>> On Thu, 17 Jun 2010, Mark Andrews wrote:
>>
>>> Why was this traffic hitting your DNS server in the first place? It should have been rejected by the ingress filters preventing spoofing of the local network.
>>
>> When I ran a smaller simpler network, I did have input filters on our transit providers rejecting packets from our IP space. With a larger network, multiple IP blocks, numerous multihomed customers, some of which use IP's we've assigned them, it gets a little more complicated to do.
>>
>> I could reject at our border, packets sourced from our IP ranges with exceptions for any of the IP blocks we've assigned to multihomed customers. The ACLs wouldn't be that long, or that hard to maintain. Is this common practice?
>>
>> -
>
> Sounds like a good use of URPF.
>

------------------------------

Message: 5
Date: Wed, 16 Jun 2010 23:26:30 -0700
From: John Todd
Subject: AT&T's blue network SMS<->SMTP off the air
To: nanog at nanog.org
Message-ID: <7A699AC1-EF4E-4731-8D81-FAEDC3CE1C01 at loligo.com>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes

To those of you who may rely upon AT&T to deliver your email-to-SMS messages for monitoring: some of you may be currently out of luck.
I would just send this to the "outages at puck.nether.net" list, but it does seem to be a meta-network failure in that for better or worse many of us use SMS as a method to monitor outages, so this perhaps moves it up a notch in the importance hierarchy enough to warrant a NANOG post.

I am experiencing failures on my email transmissions to my older "blue" (aka: Cingular) AT&T devices at the moment, for both incoming and outgoing. Many of you may be using older "blue" cards in your NOC phones, SMS gateway devices, or perhaps even your personal mobile devices for those of you who still live in the dark ages of phones that aren't [2.5,3,4,x]G capable.

I am unable to diagnose the problems fully, but at least some (if not all) of the SMS-to-email gateway failures are due to mmode.com's MX hosts (in the "airdata.com" zone) being unreachable due to absence of functioning authoritative resolvers for that zone, and possibly other failures as well. This appears to be causing "550 Access Denied" messages being returned to my mobile devices that are sending to email addresses, and mail spooling on my Internet SMTP hosts that are trying to send to the "NPAxxxyyyy at mmode.com" addresses for SMTP-to-SMS relay.

There is a rumor that this is NOT related to the deactivation of the "downloads" components of the blue network on the 15th, but I suspect that someone just decided to pull the plug on everything. Reading to the end of the thread below, there is someone who states AT&T claims it will be back online by the evening of the 17th at the surprisingly accurate time of 9:55 PM (timezone unstated.)

More speculation: http://forums.wireless.att.com/t5/mMode/URGENT-mmode-down-again-Their-mta01-cdpd-airdata-com-mail-server/td-p/1939480

I don't know if this is causing problems with anyone using TAP interfaces, or with any of AT&T's other SMTP<->SMS gateway services like @txt.att.net.
SMS, and mobile devices in general, are a single point of failure for contacting on-call staff for various problems - perhaps it's time to insist that everyone carries two mobile devices, on different frequency and technology platforms, with different carriers, and split messages to both due to the anecdotally increasing failure rates of mobile networks. Conspiracy theories of how collusive unreliability would increase ARPU across the board for all carriers would be interesting to hear... but not in this forum, I suspect. :-)

JT

------------------------------

Message: 6
Date: Thu, 17 Jun 2010 10:31:57 +0200
From: Lindqvist Kurt Erik
Subject: AAAA being added for i.root-servers.net
To: NANOG list
Content-Type: text/plain; charset="iso-8859-1"

All,

This is to inform you that we (Netnod/Autonomica, operators of i.root-servers.net) have been notified by IANA that on our request an AAAA record will be added to the root-zone with serial number 2010061700.

Best regards,

- kurtis -

---
Kurt Erik Lindqvist, CEO
kurtis at netnod.se, Direct: +46-8-562 860 11, Switch: +46-8-562 860 00
Please note our new address: Franzéngatan 5 | SE-112 51 Stockholm | Sweden
------------------------------

_______________________________________________
NANOG mailing list
NANOG at nanog.org
https://mailman.nanog.org/mailman/listinfo/nanog

End of NANOG Digest, Vol 29, Issue 51
*************************************

From eugen at leitl.org Thu Jun 17 09:56:04 2010
From: eugen at leitl.org (Eugen Leitl)
Date: Thu, 17 Jun 2010 16:56:04 +0200
Subject: Advice regarding Cisco/Juniper/HP
In-Reply-To: <4C1A33C4.6040005@networklabs.co.nz>
References: <4C1A33C4.6040005@networklabs.co.nz>
Message-ID: <20100617145604.GE1964@leitl.org>

On Fri, Jun 18, 2010 at 02:40:04AM +1200, Andrew Thrift wrote:
> Another major negative with the HP gear for us is that their switches only support SFP/SFP+ modules manufactured by HP, so those SFP+ Twin-AX cables that came with your Dell/IBM Blade chassis will be useless to connect to your HP Switches, to add insult HP often sell their own modules at 3x the price of an equivalent module from say Extreme or Juniper.

I've had no issues putting Netgear multimode GBICs into 1800-24g switches. Of course, these are probably useless for most people here.

Btw, 3Com is HP now. Apparently, people liked the 4800G series a lot.
http://forums13.itrc.hp.com/service/forums/questionanswer.do?admit=109447627+1276786511413+28353475&threadId=1400446

--
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

From jeff-kell at utc.edu Thu Jun 17 10:01:33 2010
From: jeff-kell at utc.edu (Jeff Kell)
Date: Thu, 17 Jun 2010 11:01:33 -0400
Subject: Advice regarding Cisco/Juniper/HP
In-Reply-To: <4C1A33C4.6040005@networklabs.co.nz>
References: <4C1A33C4.6040005@networklabs.co.nz>
Message-ID: <4C1A38CD.6020904@utc.edu>

On 6/17/2010 10:40 AM, Andrew Thrift wrote:
> Another major negative with the HP gear for us is that their switches only support SFP/SFP+ modules manufactured by HP, so those SFP+ Twin-AX cables that came with your Dell/IBM Blade chassis will be useless to connect to your HP Switches, to add insult HP often sell their own modules at 3x the price of an equivalent module from say Extreme or Juniper.

Very true (and you thought Cisco was proud of their branded optics...).

Apparently the HP ink cartridge marketing department is in cahoots with their network optics counterparts :-)

Jeff

From bblackford at gmail.com Thu Jun 17 10:16:40 2010
From: bblackford at gmail.com (Bill Blackford)
Date: Thu, 17 Jun 2010 08:16:40 -0700
Subject: Advice regarding Cisco/Juniper/HP
In-Reply-To: <4C1A38CD.6020904@utc.edu>
References: <4C1A33C4.6040005@networklabs.co.nz> <4C1A38CD.6020904@utc.edu>

And to add to it, here's a Cisco SFP in a Juniper chassis showing a serial number that looks suspiciously like a Finisar serial number.
PIC 1 REV 04 711-021270 AR0209216364 4x GE SFP
Xcvr 0 NON-JNPR FNS0932K03B SFP-SX

-b

On Thu, Jun 17, 2010 at 8:01 AM, Jeff Kell wrote:
> On 6/17/2010 10:40 AM, Andrew Thrift wrote:
>> Another major negative with the HP gear for us is that their switches only support SFP/SFP+ modules manufactured by HP, so those SFP+ Twin-AX cables that came with your Dell/IBM Blade chassis will be useless to connect to your HP Switches, to add insult HP often sell their own modules at 3x the price of an equivalent module from say Extreme or Juniper.
>
> Very true (and you thought Cisco was proud of their branded optics...).
>
> Apparently the HP ink cartridge marketing department is in cahoots with their network optics counterparts :-)
>
> Jeff
>

-- 
Bill Blackford
Network Engineer

Logged into reality and abusing my sudo privileges.....

From aaron at heyaaron.com  Thu Jun 17 10:24:45 2010
From: aaron at heyaaron.com (Aaron C. de Bruyn)
Date: Thu, 17 Jun 2010 08:24:45 -0700
Subject: AT&T's blue network SMS<->SMTP off the air
In-Reply-To: <7A699AC1-EF4E-4731-8D81-FAEDC3CE1C01@loligo.com>
References: <7A699AC1-EF4E-4731-8D81-FAEDC3CE1C01@loligo.com>
Message-ID: <20100617152445.GD6546@chrysalis>

On 2010-06-16 at 23:26:30 -0700, John Todd wrote:
> To those of you who may rely upon AT&T to deliver your email-to-SMS messages for monitoring: some of you may be currently out of luck.

Who uses email-to-SMS to monitor critical infrastructure?

IMO, it's bad practice for your notification path to use the very path you are monitoring for problems--plus there really isn't an acknowledgement of delivery with email-to-SMS.

I get more reliability out of an alpha-numeric pager and snppsend than I get with email-to-SMS--plus when SNPP fails, I can easily detect the failure (try figuring that out with email-to-SMS) and have Icinga pick up a physically attached modem and dial.
-A

From dylan.ebner at crlmed.com  Thu Jun 17 10:28:08 2010
From: dylan.ebner at crlmed.com (Dylan Ebner)
Date: Thu, 17 Jun 2010 15:28:08 +0000
Subject: Advice regarding Cisco/Juniper/HP
In-Reply-To: 
References: 
Message-ID: <017265BF3B9640499754DD48777C3D206906996C86@MBX9.EXCHPROD.USA.NET>

I have never used 3Com or HP equipment in an infrastructure / mission critical environment so I will not attest to their qualities or failures. What I can tell you is that HP's recent acquisition of 3Com, in my opinion, had little to do with HP wanting to get into a core switch/routing market. Shortly before HP purchased 3Com I had the chance to meet Mark Hurd and listen to him talk about the direction HP was moving. At that time it seemed HP was not interested in the enterprise switch/routing market. I think Mark said something like, "Cisco/Juniper has that market all tied up so we are not going to go there." Instead, HP is very very intently focused on services. Especially enterprise services. This fits in very nicely with their new UCS (I don't remember what they call their version) blade enclosures. HP needed better switching / routing modules for their unified architecture. These products come heavily laden with services. Anyone who has SANs, blade chassis, or routing/switching chassis knows the service contracts are enormously expensive. Sometimes half the cost of the system can be the service contract.

3Com also brought something else HP needed. A VOIP handset line. HP has partnered with Microsoft for their unified communication strategy and they do not have a phone. This may be acceptable in some environments, but many businesses go "What, no phone?" and kick them out the door. That is what happened with my company when Microsoft pitched their UC system to us. We simply have too many "high up" users who would show the IT department the door if they didn't have a desk phone.
(yes I understand you can add phones, but the package ends up looking like a hodgepodge of services) 3Com has phones and handsets and HP needed those if they want their UCS to compete with the new Cisco UCS.

When we evaluate vendors for products we use these great big spreadsheets where we define metrics for everything we can think of. Every product we evaluate we also look deeply at the company as well. My biggest concern with using HP in the core is if they are actually serious about being in the core or are they just going to let that product unit die over time.

Dylan Ebner

-----Original Message-----
From: James Smith [mailto:james at jamesstewartsmith.com]
Sent: Thursday, June 17, 2010 8:52 AM
To: nanog at nanog.org
Subject: Advice regarding Cisco/Juniper/HP

I'm looking for a little insight regarding an infrastructure purchase my company is considering. We are a carrier, and we're in the process of building a DR site. Our existing production site is all Cisco equipment with a little Juniper thrown into the mix. I'd like to either get the same Cisco equipment for the DR, or the equivalent Juniper equipment. We have skill sets for both Cisco and Juniper, so neither would be a problem to manage.

A business issue has come up since we have a large number of HP servers for Unix and Wintel. With HP's recent acquisition of 3Com they are pressing hard to quote on the networking hardware as well, going as far as offering prices that are way below the equivalent Cisco and Juniper models. In addition they're saying they'll cut us deals on the HP servers for the DR site to help with the decision to go for HP Networking. Obviously to the people writing the cheques this carries a lot of weight.

From a technical point of view, I have never worked in a shop that used HP or 3Com for the infrastructure. Dot-coms, telcos, banks, hosting companies...I haven't seen any of them using 3com or HP. Additionally, I'm not fond of having to deal with a third set of equipment.
I'm not exactly comfortable going with HP, but I'd like some data to help resolve the debate. So my questions to the NANOG community are: Would you recommend HP over Cisco or Juniper? How is HP's functionality and performance compared to Cisco or Juniper? Does anyone have any HP networking experiences they can share, good or bad?

From bifrost at minions.com  Thu Jun 17 11:37:27 2010
From: bifrost at minions.com (Tom)
Date: Thu, 17 Jun 2010 09:37:27 -0700 (PDT)
Subject: Advice regarding Cisco/Juniper/HP
In-Reply-To: 
References: 
Message-ID: <20100617092909.I713@evil.minions.com>

On Thu, 17 Jun 2010, James Smith wrote:

> So my questions to the NANOG community are: Would you recommend HP over Cisco or Juniper?

Pretty much never, unless you're talking about a rebadged Brocade product. Every time I've seen HP networking gear in production, it's usually before it gets replaced with something else. The last install I dealt with was having so many problems it had a constant 10% packet loss on a simple flat network.

> How is HP's functionality and performance compared to Cisco or Juniper?

Typically poor, but this varies widely with the series of HP gear. The software updates available also vary widely in quality, and I have rarely gotten a good answer from HP support on anything.

> Does anyone have any HP networking experiences they can share, good or bad?

To end on a positive note, HP does have a good warranty, is typically fairly low cost and provides free software updates.

-Tom

From tom.ammon at utah.edu  Thu Jun 17 11:47:58 2010
From: tom.ammon at utah.edu (Tom Ammon)
Date: Thu, 17 Jun 2010 10:47:58 -0600
Subject: Advice regarding Cisco/Juniper/HP
In-Reply-To: <20100617092909.I713@evil.minions.com>
References: <20100617092909.I713@evil.minions.com>
Message-ID: <4C1A51BE.7090905@utah.edu>

We've had a much different experience than what Tom is describing here. We've used HP extensively in our networks, mostly because of the price and warranty.
For simple, flat networks, they are a great buy, in my opinion. We've never seen the packet loss issues that were described, and we push quite a bit of data through the 5412, 2900, and 6600 series products.

That said, we've never used them for much outside of basic layer 2 services. We have a couple of c6500s for our core network, but at the edge, we have been very happy with HP. So far, warranty service has been flawless, although we have only replaced maybe half a dozen switches out of about 70 total that we have installed, over the course of 5 years.

There isn't much as far as advanced features (for example, don't expect to get MPLS or BGP), but since we don't use those features at the edge, we haven't been hurt by that.

Tom

On 06/17/2010 10:37 AM, Tom wrote:
> On Thu, 17 Jun 2010, James Smith wrote:
>
>> So my questions to the NANOG community are: Would you recommend HP over Cisco or Juniper?
>>
> Pretty much never, unless you're talking about a rebadged Brocade product. Every time I've seen HP networking gear in production, it's usually before it gets replaced with something else. The last install I dealt with was having so many problems it had a constant 10% packet loss on a simple flat network.
>
>
>> How is HP's functionality and performance compared to Cisco or Juniper?
>>
> Typically poor, but this varies widely with the series of HP gear. The software updates available also vary widely in quality, and I have rarely gotten a good answer from HP support on anything.
>
>
>> Does anyone have any HP networking experiences they can share, good or bad?
>>
> To end on a positive note, HP does have a good warranty, is typically fairly low cost and provides free software updates.
>
> -Tom
>

-- 
--------------------------------------------------------------------
Tom Ammon
Network Engineer
Office: 801.587.0976
Mobile: 801.674.9273

Center for High Performance Computing
University of Utah
http://www.chpc.utah.edu

From bblackford at gmail.com  Thu Jun 17 11:48:33 2010
From: bblackford at gmail.com (Bill Blackford)
Date: Thu, 17 Jun 2010 09:48:33 -0700
Subject: Advice regarding Cisco/Juniper/HP
In-Reply-To: <20100617092909.I713@evil.minions.com>
References: <20100617092909.I713@evil.minions.com>
Message-ID: 

Not to stir the pot, but Extreme is making some good products at a low cost and has lifetime warranties. I've been using them lately in the end-user edge as lower cost POE termination. They do LLDP-MED flawlessly so Cisco, or other phones get their voice vlan and pass the data vlan. Now, they are missing some of the prime-time features found in J and C which is why I wouldn't recommend them in the agg or core.

-b

On Thu, Jun 17, 2010 at 9:37 AM, Tom wrote:
> On Thu, 17 Jun 2010, James Smith wrote:
>>
>> So my questions to the NANOG community are: Would you recommend HP over Cisco or Juniper?
>
> Pretty much never, unless you're talking about a rebadged Brocade product. Every time I've seen HP networking gear in production, it's usually before it gets replaced with something else. The last install I dealt with was having so many problems it had a constant 10% packet loss on a simple flat network.
>
>> How is HP's functionality and performance compared to Cisco or Juniper?
>
> Typically poor, but this varies widely with the series of HP gear. The software updates available also vary widely in quality, and I have rarely gotten a good answer from HP support on anything.
>
>> Does anyone have any HP networking experiences they can share, good or bad?
>
> To end on a positive note, HP does have a good warranty, is typically fairly low cost and provides free software updates.
>
> -Tom
>

-- 
Bill Blackford
Network Engineer

Logged into reality and abusing my sudo privileges.....

From dholmes at mwdh2o.com  Thu Jun 17 12:16:27 2010
From: dholmes at mwdh2o.com (Holmes,David A)
Date: Thu, 17 Jun 2010 10:16:27 -0700
Subject: Future of WiMax
In-Reply-To: <4C192774.1050501@rollernet.us>
References: <4C192774.1050501@rollernet.us>
Message-ID: <485ED9BA02629E4BBBA53AC892EDA50E0B32E4A7@usmsxt104.mwd.h2o>

For business purposes such as fixed wireless access for small branch offices, it would seem that Wi-Max is superior to current GSM and CDMA proprietary networks in that the upload/download speeds are symmetric. It appears that GSM and CDMA networks are based on the asymmetric low upload bandwidth/high download bandwidth model, thus placing severe restrictions on business use for fixed locations.

-----Original Message-----
From: Seth Mattinen [mailto:sethm at rollernet.us]
Sent: Wednesday, June 16, 2010 12:35 PM
To: nanOG list
Subject: Future of WiMax

A while back I remember reading a comment here that "WiMax is not a future proof technology" and that several manufacturers have dropped it or something to that effect. I think it was in the starting a WiMax ISP thread. This has stuck in my head, and I was curious if there was any truth to this. WiMax sounds promising, but I certainly don't hear a lot about it other than Sprint/Clear. Is it just that everyone that's doing wireless is sticking with relatively inexpensive 802.11 a/b/g/n products, or is WiMax really a dead end?

~Seth

From Greg.Whynott at oicr.on.ca  Thu Jun 17 12:21:46 2010
From: Greg.Whynott at oicr.on.ca (Greg Whynott)
Date: Thu, 17 Jun 2010 13:21:46 -0400
Subject: Advice regarding Cisco/Juniper/HP
In-Reply-To: <4C1A51BE.7090905@utah.edu>
References: <20100617092909.I713@evil.minions.com> <4C1A51BE.7090905@utah.edu>
Message-ID: <14864F23-2F32-4AA2-A1A0-2CE18B1EBA32@oicr.on.ca>

Haven't seen these same issues either, but have seen others..
We use HP 8212's here to connect our storage and hpc devices. Each 8212 has about 20 or more 10Gbit connections. Everyone is happy with them from an availability and performance perspective.

Two things which I noticed:

1. Under heavy load (60% or more of 10Gbit interfaces at +80%) we have seen _all_ interfaces simultaneously drop packets and generate interface errors. This was on an early release of the firmware and I don't think we have seen this problem in a while.

2. Each module only has about 28 Gbits of bandwidth to the backplane. This means if you want non blocking 10Gbit access to the backplane you can only load up an 8212 50% of its physical port capacity with active links.

Very recently they changed licensing; the 8212's used to ship with premium licenses included. This gave you OSPF, PIM, VRRP and QinQ. Without a product number change or other clear indication, these no longer are included but must be purchased separately. This was a bit of a let down as we use OSPF internally and was one of the items that made the 8212's interesting when deciding what we would standardize on for access switches.

We also use 6509e's for our core routers; they used to be the only routers till we deployed OSPF. On the internet edge we use ASRs.

The 'H3C' switches they recently acquired look nice(r).

-g

On Jun 17, 2010, at 12:47 PM, Tom Ammon wrote:

> We've had a much different experience than what Tom is describing here. We've used HP extensively in our networks, mostly because of the price and warranty. For simple, flat networks, they are a great buy, in my opinion. We've never seen the packet loss issues that were described, and we push quite a bit of data through the 5412, 2900, and 6600 series products.
>
> That said, we've never used them for much outside of basic layer 2 services. We have a couple of c6500s for our core network, but at the edge, we have been very happy with HP.
> So far, warranty service has been flawless, although we have only replaced maybe half a dozen switches out of about 70 total that we have installed, over the course of 5 years.
>
> There isn't much as far as advanced features (for example, don't expect to get MPLS or BGP), but since we don't use those features at the edge, we haven't been hurt by that.
>
> Tom
>
> On 06/17/2010 10:37 AM, Tom wrote:
>> On Thu, 17 Jun 2010, James Smith wrote:
>>
>>> So my questions to the NANOG community are: Would you recommend HP over Cisco or Juniper?
>>>
>> Pretty much never, unless you're talking about a rebadged Brocade product. Every time I've seen HP networking gear in production, it's usually before it gets replaced with something else. The last install I dealt with was having so many problems it had a constant 10% packet loss on a simple flat network.
>>
>>
>>> How is HP's functionality and performance compared to Cisco or Juniper?
>>>
>> Typically poor, but this varies widely with the series of HP gear. The software updates available also vary widely in quality, and I have rarely gotten a good answer from HP support on anything.
>>
>>
>>> Does anyone have any HP networking experiences they can share, good or bad?
>>>
>> To end on a positive note, HP does have a good warranty, is typically fairly low cost and provides free software updates.
>>
>> -Tom
>>
>>
>
>
> -- 
> --------------------------------------------------------------------
> Tom Ammon
> Network Engineer
> Office: 801.587.0976
> Mobile: 801.674.9273
>
> Center for High Performance Computing
> University of Utah
> http://www.chpc.utah.edu
>
>

From toddunder at gmail.com  Thu Jun 17 12:31:32 2010
From: toddunder at gmail.com (Todd Underwood)
Date: Thu, 17 Jun 2010 10:31:32 -0700
Subject: Todd Underwood was a little late
In-Reply-To: 
References: 
Message-ID: 

jon, all,

i've received several questions about the context of this mail, so i thought it would be worth posting to clear up the reference.

for those who missed it, i presented a lightning talk at nanog 49 in san francisco yesterday on some very early conceptual work on a really interesting strategy to dramatically extend the useful life of v4 prefixes. the talk is linked from: http://nanog.org/meetings/nanog49/agenda.php and i encourage people to take a look at it.

if you like the general idea (Probabilistic Assignment of Prefixes: a System for Managing and Extending Address Resources is what some people are starting to call it), i'd encourage you to take the suggestion made at the mic by mark kosters, cto of arin, and work to help refine the proposal and establish a useful policy framework around its implementation.

work is needed especially in collision domain modeling and count of resource implications for the operational overhead per prefix. experience with high flow rate instrumentation is likely to be needed in the near future as well.

i wanted to thank everyone for the kind words and suggestions after the presentation and look forward to productively exploring this idea.
cheers,

todd underwood
toddunder at gmail.com

From bifrost at minions.com  Thu Jun 17 12:40:35 2010
From: bifrost at minions.com (Tom)
Date: Thu, 17 Jun 2010 10:40:35 -0700 (PDT)
Subject: Advice regarding Cisco/Juniper/HP
In-Reply-To: <4C1A51BE.7090905@utah.edu>
References: <20100617092909.I713@evil.minions.com> <4C1A51BE.7090905@utah.edu>
Message-ID: <20100617103939.E713@evil.minions.com>

On Thu, 17 Jun 2010, Tom Ammon wrote:

> We've had a much different experience than what Tom is describing here.

To be fair, each platform seems to vary quite a bit in quality and reliability. I have seen some HP installs work ok, but they were primarily edge switches or bladecenter switches.

From sergevautour at yahoo.ca  Thu Jun 17 12:50:25 2010
From: sergevautour at yahoo.ca (Serge Vautour)
Date: Thu, 17 Jun 2010 10:50:25 -0700 (PDT)
Subject: Customer Interface Reporting / Portal
Message-ID: <276932.22377.qm@web53603.mail.re2.yahoo.com>

Hello,

What are people using to provide customer interface usage reports to customers? There seems to be lots of RRD based tools that can gather the data and store it for long term viewing. We use ZenOSS for internal purposes for example.

How do we go about providing each customer access to their data in a secure way? A portal type access. Is anyone aware of a tool that includes a front end that can partition the data on a per customer basis? Each customer would have their own login ID and only see their data? How do we link the data to that customer? Some customer ID on the interface description?

Thanks,
Serge

From Crist.Clark at globalstar.com  Thu Jun 17 12:57:46 2010
From: Crist.Clark at globalstar.com (Crist Clark)
Date: Thu, 17 Jun 2010 10:57:46 -0700
Subject: Sending ARP request to unicast MAC instead of broadcast MAC address?
In-Reply-To: <7D4FBC01-E09F-4659-B620-310DCB11C20A@semihuman.com>
References: <7D4FBC01-E09F-4659-B620-310DCB11C20A@semihuman.com>
Message-ID: <4C19FFA3.33E4.0097.1@globalstar.com>

>>> On 6/16/2010 at 3:57 PM, Chris Woodfield wrote:
> OK, this sounds Really Wacky (or, Really Hacky if you're into puns) but there's a reason for it, I swear...
>
> Will typical OSS UNIX kernels (Linux, BSD, MacOS X, etc) reply to a crafted ARP request that, instead of having FF:FF:FF:FF:FF:FF as its destination MAC address, is instead sent to the already-known unicast MAC address of the host?
>
>
> Next, what would be your utility of choice for crafting such a packet? Or is this something one would need to code up by hand in a lower-level language?

Unicast ARP requests are considered normal. See Section 2.3.2.1 of RFC1122, "ARP Cache Validation." Specifically,

    IMPLEMENTATION:
        Four mechanisms have been used, sometimes in combination, to flush out-of-date cache entries.

        [snip]

        (2) Unicast Poll -- Actively poll the remote host by periodically sending a point-to-point ARP Request to it, and delete the entry if no ARP Reply is received from N successive polls. Again, the timeout should be on the order of a minute, and typically N is 2.

From cvicente at network-services.uoregon.edu  Thu Jun 17 12:59:28 2010
From: cvicente at network-services.uoregon.edu (Carlos Vicente)
Date: Thu, 17 Jun 2010 10:59:28 -0700
Subject: Customer Interface Reporting / Portal
In-Reply-To: <276932.22377.qm@web53603.mail.re2.yahoo.com>
References: <276932.22377.qm@web53603.mail.re2.yahoo.com>
Message-ID: <4C1A6280.4040408@ns.uoregon.edu>

Serge Vautour wrote:
> Hello,
>
> What are people using to provide customer interface usage reports to customers? There seems to be lots of RRD based tools that can gather the data and store it for long term viewing. We use ZenOSS for internal purposes for example.
>
> How do we go about providing each customer access to their data in a secure way? A portal type access.
> Is anyone aware of a tool that includes a front end that can partition the data on a per customer basis? Each customer would have their own login ID and only see their data? How do we link the data to that customer? Some customer ID on the interface description?
>
> Thanks,
> Serge
>
>

Cacti provides some of that functionality.

http://www.cacti.net/features.php

User Management
# User based management allows administrators to create users and assign different levels of permissions to the cacti interface.
# Permissions can be specified per-graph for each user, making cacti suitable for co location situations.
# Each user can keep their own graph settings for varying viewing preferences.

cv

-- 
=====================================================================
Carlos Vicente                Tel : +1(541) 346-1763
Network Engineer              Fax : +1(541) 346-4397
Information Services          PGP ID : 8623D99C
1212 University of Oregon
Eugene,OR 97403-1205

From nick.sandone at cdicorp.com  Thu Jun 17 13:01:22 2010
From: nick.sandone at cdicorp.com (Sandone, Nick)
Date: Thu, 17 Jun 2010 14:01:22 -0400
Subject: Advice regarding Cisco/Juniper/HP
In-Reply-To: 
References: <20100617092909.I713@evil.minions.com>
Message-ID: <609F723B44D257459ED22406AC8F286A25B6A47BD3@CDIMSXMBCL01.CDI.CDICorp.net>

I would also add Brocade/Foundry to the mix as well. We've been deploying these switches with great results. Since the IOS is very similar to Cisco's, the transition has been quite easy.

-----Original Message-----
From: Bill Blackford [mailto:bblackford at gmail.com]
Sent: Thursday, June 17, 2010 12:49 PM
To: Tom
Cc: nanog at nanog.org
Subject: Re: Advice regarding Cisco/Juniper/HP

Not to stir the pot, but Extreme is making some good products at a low cost and have lifetime warranties. I've been using them lately in the end-user edge as lower cost POE termination. They do LLDP-MED flawlessly so Cisco, or other phones get their voice vlan and pass the data vlan.
Now, they are missing some of the prime-time features found in J and C which is why I wouldn't recommend them in the agg or core.

-b

On Thu, Jun 17, 2010 at 9:37 AM, Tom wrote:
> On Thu, 17 Jun 2010, James Smith wrote:
>>
>> So my questions to the NANOG community are: Would you recommend HP over Cisco or Juniper?
>
> Pretty much never, unless you're talking about a rebadged Brocade product. Every time I've seen HP networking gear in production, it's usually before it gets replaced with something else. The last install I dealt with was having so many problems it had a constant 10% packet loss on a simple flat network.
>
>> How is HP's functionality and performance compared to Cisco or Juniper?
>
> Typically poor, but this varies widely with the series of HP gear. The software updates available also vary widely in quality, and I have rarely gotten a good answer from HP support on anything.
>
>> Does anyone have any HP networking experiences they can share, good or bad?
>
> To end on a positive note, HP does have a good warranty, is typically fairly low cost and provides free software updates.
>
> -Tom
>

-- 
Bill Blackford
Network Engineer

Logged into reality and abusing my sudo privileges.....
From sethm at rollernet.us  Thu Jun 17 13:07:12 2010
From: sethm at rollernet.us (Seth Mattinen)
Date: Thu, 17 Jun 2010 11:07:12 -0700
Subject: Advice regarding Cisco/Juniper/HP
In-Reply-To: <609F723B44D257459ED22406AC8F286A25B6A47BD3@CDIMSXMBCL01.CDI.CDICorp.net>
References: <20100617092909.I713@evil.minions.com> <609F723B44D257459ED22406AC8F286A25B6A47BD3@CDIMSXMBCL01.CDI.CDICorp.net>
Message-ID: <4C1A6450.7080704@rollernet.us>

On 6/17/2010 11:01, Sandone, Nick wrote:
> I would also add Brocade/Foundry to the mix as well. We've been deploying these switches with great results. Since the IOS is very similar to Cisco's, the transition has been quite easy.
>
>

Do you still have to pay them to read the manual?

~Seth

From owen at delong.com  Thu Jun 17 13:07:43 2010
From: owen at delong.com (Owen DeLong)
Date: Thu, 17 Jun 2010 11:07:43 -0700
Subject: Todd Underwood was a little late
In-Reply-To: 
References: 
Message-ID: 

For those that missed the presentation, it was a real eye-opener on just how important it is for you to move forward with IPv6 before something like this actually starts getting implemented.

Owen

On Jun 17, 2010, at 10:31 AM, Todd Underwood wrote:

> jon, all,
>
> i've received several questions about the context of this mail, so i thought it would be worth posting to clear up the reference.
>
> for those who missed it, i presented a lightning talk at nanog 49 in san francisco yesterday on some very early conceptual work on a really interesting strategy to dramatically extend the useful life of v4 prefixes.
> the talk is linked from: http://nanog.org/meetings/nanog49/agenda.php and i encourage people to take a look at it.
>
> if you like the general idea (Probabilistic Assignment of Prefixes: a System for Managing and Extending Address Resources is what some people are starting to call it), i'd encourage you to take the suggestion made at the mic by mark kosters, cto of arin, and work to help refine the proposal and establish a useful policy framework around its implementation.
>
> work is needed especially in collision domain modeling and count of resource implications for the operational overhead per prefix. experience with high flow rate instrumentation is likely to be needed in the near future as well.
>
> i wanted to thank everyone for the kind words and suggestions after the presentation and look forward to productively exploring this idea.
>
> cheers,
>
> todd underwood
> toddunder at gmail.com

From paul at telcodata.us  Thu Jun 17 13:12:57 2010
From: paul at telcodata.us (Paul Timmins)
Date: Thu, 17 Jun 2010 14:12:57 -0400
Subject: Todd Underwood was a little late
In-Reply-To: 
References: 
Message-ID: <4C1A65A9.5080803@telcodata.us>

Hah, given the number of times people I have worked with have said "oh, I'll just use apnic space if we run out of IPs, i don't need to talk to them anyway", I think it's humorous that someone in China felt the same way about ARIN space. :)

-Paul

On 06/16/2010 09:01 PM, Jon Lewis wrote:
> I just took a closer look at something odd I'd noticed several days ago. One of our DNS servers was sending crazy amounts of ARP requests for IPs in the /24 its main IP is in. What I've found is we're getting hit with DNS requests that look like they're from "typical internet traffic for someone in China" hitting this DNS server from IPs in its /24 which are currently not in use (at least on our local network).
> It would appear someone in China is using our IP space, presumably behind a NAT router, and they're leaking some traffic non-NAT'd.
>
> 20:53:41.361734 IP 209.208.121.66.41755 > 209.208.121.126.53: 15939+ A? ns5.z.lxdns.com. (33)
> 20:53:43.523210 IP 209.208.121.95.39393 > 209.208.121.126.53: 15939+ A? www.nanhutravel.com. (37)
> 20:53:48.411805 IP 209.208.121.66.33390 > 209.208.121.126.53: 15939+ A? test.csxm.cdn20.com. (37)
> 20:53:50.557680 IP 209.208.121.135.40056 > 209.208.121.126.53: 15939+ A? rextest2.lxdns.com. (36)
> 20:53:56.918993 IP 209.208.121.135.37291 > 209.208.121.126.53: 15939+ A? www.51seer.com. (32)
> 20:54:20.033902 IP 209.208.121.95.37544 > 209.208.121.126.53: 15939+ A? image.dhgate.cdn20.com. (40)
> 20:54:21.900295 IP 209.208.121.66.35144 > 209.208.121.126.53: 15939+ A? static.xn-app.com. (35)
> 20:54:27.711853 IP 209.208.121.66.33518 > 209.208.121.126.53: 15939+ A? oa.hanhe.com. (30)
> 20:54:29.642938 IP 209.208.121.135.41723 > 209.208.121.126.53: 15939+ A? pic1.kaixin001.com. (36)
> 20:54:32.357414 IP 209.208.121.95.38564 > 209.208.121.126.53: 15939+ A? rr.snyu.com. (29)
> 20:54:38.901315 IP 209.208.121.95.37840 > 209.208.121.126.53: 15939+ A? edu.163.com. (29)
> 20:54:39.807385 IP 209.208.121.95.36069 > 209.208.121.126.53: 15939+ A? image.dhgate.cdn20.com. (40)
> 20:54:40.833778 IP 209.208.121.66.34949 > 209.208.121.126.53: 15939+ A? uphn.snswall.com. (34)
> 20:54:42.070294 IP 209.208.121.95.38405 > 209.208.121.126.53: 15939+ A? zwgk.cma.gov.cn. (33)
> 20:54:42.189939 IP 209.208.121.135.36637 > 209.208.121.126.53: 15939+ A? btocdn.52yeyou.com. (36)
> 20:54:45.767299 IP 209.208.121.95.41405 > 209.208.121.126.53: 15939+ A? img1.kaixin001.com.cn. (39)
> 20:54:48.595582 IP 209.208.121.66.40099 > 209.208.121.126.53: 15939+ A? rextest2.cdn20.com. (36)
> 20:54:49.480147 IP 209.208.121.95.42363 > 209.208.121.126.53: 15939+ A? www.dameiren.com. (34)
> 20:54:50.714200 IP 209.208.121.135.41497 > 209.208.121.126.53: 15939+ A? pic1.kaixin001.com.cn. (39)
> 20:54:54.116841 IP 209.208.121.135.36828 > 209.208.121.126.53: 15939+ A? i.jstv.com. (28)
>
> I hope they got a good deal on the IP space...and a better deal on their buggy router.
>
> ----------------------------------------------------------------------
> Jon Lewis                   |  I route
> Senior Network Engineer     |  therefore you are
> Atlantic Net                |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>
>

From Greg.Whynott at oicr.on.ca  Thu Jun 17 13:22:25 2010
From: Greg.Whynott at oicr.on.ca (Greg Whynott)
Date: Thu, 17 Jun 2010 14:22:25 -0400
Subject: Advice regarding Cisco/Juniper/HP
In-Reply-To: <4C1A6450.7080704@rollernet.us>
References: <20100617092909.I713@evil.minions.com> <609F723B44D257459ED22406AC8F286A25B6A47BD3@CDIMSXMBCL01.CDI.CDICorp.net> <4C1A6450.7080704@rollernet.us>
Message-ID: 

they may require a deposit before you load their web site..

-g

-----Original Message-----
From: Seth Mattinen [mailto:sethm at rollernet.us]
Sent: Thursday, June 17, 2010 2:07 PM
To: nanog at nanog.org
Subject: Re: Advice regarding Cisco/Juniper/HP

On 6/17/2010 11:01, Sandone, Nick wrote:
> I would also add Brocade/Foundry to the mix as well. We've been deploying these switches with great results. Since the IOS is very similar to Cisco's, the transition has been quite easy.
>
>

Do you still have to pay them to read the manual?

~Seth

From r.engehausen at gmail.com  Thu Jun 17 13:33:01 2010
From: r.engehausen at gmail.com (Roy)
Date: Thu, 17 Jun 2010 11:33:01 -0700
Subject: Customer Interface Reporting / Portal
In-Reply-To: <276932.22377.qm@web53603.mail.re2.yahoo.com>
References: <276932.22377.qm@web53603.mail.re2.yahoo.com>
Message-ID: <4C1A6A5D.2050805@gmail.com>

On 6/17/2010 10:50 AM, Serge Vautour wrote:
> Hello,
>
> What are people using to provide customer interface usage reports to customers?
There seems to be lots of RRD based tools that can gather the data and store it for long term viewing. We use ZenOSS for internal purposes for example. > > How do we go about providing each customer access to their data in a secure way? A portal type access. Is anyone aware of a tool that includes a front end that can partition the data on a per customer basis? Each customer would have their own login ID and only see their data? How do we link the data to that customer? Some customer ID on the interface description? > > Thanks, > Serge > > > > > Opsview will allow you to have groups and assign users to a group From nenolod at systeminplace.net Thu Jun 17 13:35:30 2010 From: nenolod at systeminplace.net (William Pitcock) Date: Thu, 17 Jun 2010 13:35:30 -0500 Subject: Advice regarding Cisco/Juniper/HP In-Reply-To: <4C1A6450.7080704@rollernet.us> References: <20100617092909.I713@evil.minions.com> <609F723B44D257459ED22406AC8F286A25B6A47BD3@CDIMSXMBCL01.CDI.CDICorp.net> <4C1A6450.7080704@rollernet.us> Message-ID: <1276799730.7682.39.camel@petrie> On Thu, 2010-06-17 at 11:07 -0700, Seth Mattinen wrote: > On 6/17/2010 11:01, Sandone, Nick wrote: > > I would also add Brocade/Foundry to the mix as well. We've been deploying these switches with great results. Since the IOS is very similar to Cisco's, the transition has been quite easy. > > > > > > > Do you still have to pay them to read the manual? We have plenty of Foundry gear and we've never had to pay anything to read the manuals for them. Then again, we bought it all new, so it came with printed manuals. There's a 1000+ page manual on the management software itself. 
William From morrowc.lists at gmail.com Thu Jun 17 13:46:53 2010 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Thu, 17 Jun 2010 14:46:53 -0400 Subject: Todd Underwood was a little late In-Reply-To: References: Message-ID: On Thu, Jun 17, 2010 at 1:31 PM, Todd Underwood wrote: > jon, all, > > i've received several questions about the context of this mail, so i > thought it would be worth posting to clear up the reference. > > for those who missed it, i presented a lightning talk at nanog 49 in > san francisco yesterday on some very early conceptual work on a really > interesting strategy to dramatically extend the useful life of v4 > prefixes. ?the talk is linked from: > http://nanog.org/meetings/nanog49/agenda.php and i encourage people to > take a look at it. ...nothing to see here, this is CGN's... From crosevear at skytap.com Thu Jun 17 14:02:34 2010 From: crosevear at skytap.com (Carl Rosevear) Date: Thu, 17 Jun 2010 12:02:34 -0700 Subject: Advice regarding Cisco/Juniper/HP In-Reply-To: <1276799730.7682.39.camel@petrie> References: <20100617092909.I713@evil.minions.com> <609F723B44D257459ED22406AC8F286A25B6A47BD3@CDIMSXMBCL01.CDI.CDICorp.net> <4C1A6450.7080704@rollernet.us> <1276799730.7682.39.camel@petrie> Message-ID: <828F644E-7DD9-4058-8C7D-A76931740E73@skytap.com> The main problem with HP switches and their 'free software upgrades' is that there are regularly bugs and regressions in the software and their solution is to have you 'oh just update the software'... this is not always practical in a production environment. And other weirdnesses. I like their gear for office networks, etc but I, personally, would keep it out of the DC and resist it in general as much as possible. A lot better than stringing a bunch of Linksys together but really not on par with "real" Cisco or Juniper. Close enough though that if you engineer around the effect of the constant software upgrades, etc, they can be a good play. 
Most networks I have worked on would rather get rid of their HPs and try to do so whenever they can take the outage / afford the new gear / etc. When I was a consultant in a more rural area, I pushed HP switches because businesses needed to operate on the cheap, would NOT buy Cisco due to price, etc... but I do find HP better than most of the other brands in that price range in regard to configurability, feature set, and reliability. -Carl From toddunder at gmail.com Thu Jun 17 15:44:41 2010 From: toddunder at gmail.com (Todd Underwood) Date: Thu, 17 Jun 2010 13:44:41 -0700 Subject: Todd Underwood was a little late In-Reply-To: References: Message-ID: christopher, all, > > ...nothing to see here, this is CGN's... > oh, i think this has several important advantages over carrier-grade nat (which i believe to be mostly dead, anyway, no? someone who knows more can chime in with references to the contrary should this not be the case). firstly: cgn puts reachability in the hands of a single organization. with the PAP System you have a set of distributed choices about reachability: different people can assess their different tolerance to certain kinds of unreachability. as i said in the presentation, the probability that there will be positive operational overhead for a prefix is related to the count of reuse within an association domain for a prefix ( p(Oop) = Cr(Ap) ). We need to work out how to subdivide which parts of the internet actually want to communicate directly with each other reliably and make sure that they are within association domains. in any case, i think this is more the subject of future work (and possibly future nanog presentations) so i'll leave this here. t. 
(and stop trolling) :-) From bill at herrin.us Thu Jun 17 16:10:15 2010 From: bill at herrin.us (William Herrin) Date: Thu, 17 Jun 2010 17:10:15 -0400 Subject: Todd Underwood was a little late In-Reply-To: <4C19A6D2.6030603@gmail.com> References: <201006170207.o5H27XJn065911@drugs.dv.isc.org> <4C19A6D2.6030603@gmail.com> Message-ID: On Thu, Jun 17, 2010 at 12:38 AM, Roy wrote: > On 6/16/2010 7:43 PM, Jon Lewis wrote: >>?With a larger >> network, multiple IP blocks, ***numerous multihomed customers***, some of which >> use IP's we've assigned them, it gets a little more complicated to do. >> I could reject at our border, packets sourced from our IP ranges with >> exceptions for any of the IP blocks we've assigned to multihomed customers. > > Sounds like a good use of URPF. Reverse path filtering + asymmetric routing = epic fail. Jon did say Multihomed customer. Refer to RFC 3704 (BCP84). Note section 2.2 (Strict Reverse Path Forwarding) last part of the final sentence: "in particular, when applied to multihoming to different ISPs, this assumption may fail." Regards, Bill Herrin -- William D. Herrin ................ herrin at dirtside.com bill at herrin.us 3005 Crane Dr. ...................... Web: Falls Church, VA 22042-3004 From oberman at es.net Thu Jun 17 16:12:40 2010 From: oberman at es.net (Kevin Oberman) Date: Thu, 17 Jun 2010 14:12:40 -0700 Subject: Advice regarding Cisco/Juniper/HP In-Reply-To: Your message of "Thu, 17 Jun 2010 13:35:30 CDT." <1276799730.7682.39.camel@petrie> Message-ID: <20100617211240.CB3891CC0D@ptavv.es.net> > From: William Pitcock > Date: Thu, 17 Jun 2010 13:35:30 -0500 > > On Thu, 2010-06-17 at 11:07 -0700, Seth Mattinen wrote: > > On 6/17/2010 11:01, Sandone, Nick wrote: > > > I would also add Brocade/Foundry to the mix as well. We've been deploying these switches with great results. Since the IOS is very similar to Cisco's, the transition has been quite easy. > > > > > > > > > > > > Do you still have to pay them to read the manual? 
> > We have plenty of Foundry gear and we've never had to pay anything to > read the manuals for them. Then again, we bought it all new, so it came > with printed manuals. > > There's a 1000+ page manual on the management software itself. The Brocade manuals are good, but you need to have a customer account to access them. Very annoying when you are trying to do an evaluation. I have spoken with one of their engineers about that and he said that they (the engineers and sales folks) are trying to get that changed. -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: oberman at es.net Phone: +1 510 486-8634 Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751 From ben.roeder at sohonet.co.uk Thu Jun 17 16:25:53 2010 From: ben.roeder at sohonet.co.uk (Ben Roeder) Date: Thu, 17 Jun 2010 22:25:53 +0100 Subject: Advice regarding Cisco/Juniper/HP In-Reply-To: <20100617211240.CB3891CC0D@ptavv.es.net> References: <20100617211240.CB3891CC0D@ptavv.es.net> Message-ID: I am guessing they might be referring to the H3C equipment. 3Com and Huawei had a joint venture that was bought out by 3Com before they were purchased by HP; see http://www.h3cnetworks.com/en_US/index.page We use the HP as edge switches in the campus networks, and they seem to work well. I would be interested to hear what people think of the H3C equipment. Hibernia seem to use them if you read the HP website Ben On 17 Jun 2010, at 22:12, Kevin Oberman wrote: >> From: William Pitcock >> Date: Thu, 17 Jun 2010 13:35:30 -0500 >> >> On Thu, 2010-06-17 at 11:07 -0700, Seth Mattinen wrote: >>> On 6/17/2010 11:01, Sandone, Nick wrote: >>>> I would also add Brocade/Foundry to the mix as well. We've been deploying these switches with great results. Since the IOS is very similar to Cisco's, the transition has been quite easy. >>>> >>>> >>> >>> >>> Do you still have to pay them to read the manual? 
>> >> We have plenty of Foundry gear and we've never had to pay anything to >> read the manuals for them. Then again, we bought it all new, so it came >> with printed manuals. >> >> There's a 1000+ page manual on the management software itself. > > The Brocade manuals are good, but you need to have a customer account to > access them. Very annoying when you are trying to do an evaluation. > > I have spoken with one of their engineers about that and he said that > they (the engineers and sale folks) are trying to get that changed. > -- > R. Kevin Oberman, Network Engineer > Energy Sciences Network (ESnet) > Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) > E-mail: oberman at es.net Phone: +1 510 486-8634 > Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751 > From rekoil at semihuman.com Thu Jun 17 16:45:01 2010 From: rekoil at semihuman.com (Chris Woodfield) Date: Thu, 17 Jun 2010 14:45:01 -0700 Subject: Sending ARP request to unicast MAC instead of broadcast MAC address? In-Reply-To: <7D4FBC01-E09F-4659-B620-310DCB11C20A@semihuman.com> References: <7D4FBC01-E09F-4659-B620-310DCB11C20A@semihuman.com> Message-ID: <93D0212E-B5DC-41EA-8969-BFA32B14E27F@semihuman.com> Looks like all the replies I got were private, so thanks all - to summarize, I got everything from "Read The Fine Kernel Source" to "Read The Fine RFC" to "Read RFC 1122, Section 2.3.2.1, it's quite a Fine read". So for other folks out there like me who obviously can't read RFCs, the answer is "yes". :) -C On Jun 16, 2010, at 3:57 51PM, Chris Woodfield wrote: > OK, this sounds Really Wacky (or, Really Hacky if you're into puns) but there's a reason for it, I swear... > > Will typical OSS UNIX kernels (Linux, BSD, MacOS X, etc) reply to a crafted ARP request that, instead of having FF:FF:FF:FF:FF:FF as its destination MAC address, is instead sent to the already-known unicast MAC address of the host? > > Next, what would be your utility of choice for crafting such a packet? 
Or is this something one would need to code up by hand in a lower-level language? > > Thanks, > > -C From ghankins at mindspring.com Thu Jun 17 17:03:25 2010 From: ghankins at mindspring.com (Greg Hankins) Date: Thu, 17 Jun 2010 18:03:25 -0400 Subject: Advice regarding Cisco/Juniper/HP In-Reply-To: <20100617211240.CB3891CC0D@ptavv.es.net> References: <1276799730.7682.39.camel@petrie> <20100617211240.CB3891CC0D@ptavv.es.net> Message-ID: <20100617220325.GB640@brocade.com> Changes to the Brocade and legacy Foundry support sites are in progress. The candid comments from the community expressed here in numerous threads this year have captured your frustration for me to explain to management in far better words than I can write myself. I've had several mail and phone conversations with the team in charge of our support site about our current practice of requiring a login to access documentation, and they understand why this is not at all helpful and a bad way of doing business. It's the way it is for various historical reasons. Product documentation will be freely available on the new MyBrocade support site that is under construction. This is part of a huge effort to integrate the disparate support sites' software, knowledge bases, manuals, etc. into one new happy place. Stand by, and thanks for your patience. Greg (works for Brocade) -- Greg Hankins -----Original Message----- Date: Thu, 17 Jun 2010 14:12:40 -0700 From: Kevin Oberman To: William Pitcock Cc: nanog at nanog.org Subject: Re: Advice regarding Cisco/Juniper/HP > From: William Pitcock > Date: Thu, 17 Jun 2010 13:35:30 -0500 > > On Thu, 2010-06-17 at 11:07 -0700, Seth Mattinen wrote: > > On 6/17/2010 11:01, Sandone, Nick wrote: > > > I would also add Brocade/Foundry to the mix as well. We've been deploying these switches with great results. Since the IOS is very similar to Cisco's, the transition has been quite easy. > > > > > > > > > > > > Do you still have to pay them to read the manual? 
> > We have plenty of Foundry gear and we've never had to pay anything to > read the manuals for them. Then again, we bought it all new, so it came > with printed manuals. > > There's a 1000+ page manual on the management software itself. The Brocade manuals are good, but you need to have a customer account to access them. Very annoying when you are trying to do an evaluation. I have spoken with one of their engineers about that and he said that they (the engineers and sale folks) are trying to get that changed. -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: oberman at es.net Phone: +1 510 486-8634 Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751 From sking at kingrst.com Thu Jun 17 21:14:45 2010 From: sking at kingrst.com (Steven King) Date: Thu, 17 Jun 2010 22:14:45 -0400 Subject: Sending ARP request to unicast MAC instead of broadcast MAC address? In-Reply-To: <93D0212E-B5DC-41EA-8969-BFA32B14E27F@semihuman.com> References: <7D4FBC01-E09F-4659-B620-310DCB11C20A@semihuman.com> <93D0212E-B5DC-41EA-8969-BFA32B14E27F@semihuman.com> Message-ID: <4C1AD695.4070103@kingrst.com> I believe they call this a Gratuitous ARP Request. It is used automatically when interfaces are brought up to detect IP conflicts. On 6/17/10 5:45 PM, Chris Woodfield wrote: > Looks like all the replies I got were private, so thanks all - to summarize, I got everything from "Read The Fine Kernel Source" to "Read The Fine RFC" to "Read RFC 1122, Section 2.3.2.1, it's quite a Fine read". > > So for other folks out there like me who obviously can't read RFCs, the answer is "yes". :) > > -C > > On Jun 16, 2010, at 3:57 51PM, Chris Woodfield wrote: > > >> OK, this sounds Really Wacky (or, Really Hacky if you're into puns) but there's a reason for it, I swear... 
>> >> Will typical OSS UNIX kernels (Linux, BSD, MacOS X, etc) reply to a crafted ARP request that, instead of having FF:FF:FF:FF:FF:FF as its destination MAC address, is instead sent to the already-known unicast MAC address of the host? >> >> Next, what would be your utility of choice for crafting such a packet? Or is this something one would need to code up by hand in a lower-level language? >> >> Thanks, >> >> -C >> > > -- Steve King Senior Linux Engineer - Advance Internet, Inc. Cisco Certified Network Associate CompTIA Linux+ Certified Professional CompTIA A+ Certified Professional From gbonser at seven.com Thu Jun 17 21:25:59 2010 From: gbonser at seven.com (George Bonser) Date: Thu, 17 Jun 2010 19:25:59 -0700 Subject: Advice regarding Cisco/Juniper/HP In-Reply-To: <20100617220325.GB640@brocade.com> References: <1276799730.7682.39.camel@petrie><20100617211240.CB3891CC0D@ptavv.es.net> <20100617220325.GB640@brocade.com> Message-ID: <5A6D953473350C4B9995546AFE9939EE09EA4C72@RWC-EX1.corp.seven.com> > > Product documentation will be freely available on the new MyBrocade > support > site that is under construction. This is part of a huge effort to > integrate > the disparate support sites' software, knowledge bases, manuals, etc. > into > one new happy place. > > Stand by, and thanks for your patience. > > Greg > (works for Brocade) > > -- I brought up the issue to Martin Skagen last year in San Francisco and we probably chatted for over an hour on that subject. There is a certain leverage that the community having access to manuals provides to a manufacturer. If people who might never buy a support contract can pick up a piece of gear and find the manuals for it, particularly someone who might be just learning about your products, you might be able to create a loyal customer for many years to come. As it currently stands, a piece of used (but still quite viable) Brocade/Foundry gear might be quite useless to and avoided by someone in that category. 
From personal experience, I often like to peruse manuals of new equipment in order to judge the value of new features. The availability of the manual can generate a sale if I can see that a feature would be of value in the network. One can often obtain a better idea of how the feature works from reading the manual than from some marketing slick. It would also be important to have access to old manuals, too, for gear that is no longer manufactured. Enabling self-support is also a way to instill brand loyalty. Getting back to HP gear, I haven't had a problem with the rebranded Brocade stuff but there was a line of low-end switches that gave me fits for a couple of years. I think others have mentioned the same issue where they would simply decide to start dropping packets on all ports. Kicking the switch every week or so was the only cure. Don't have them in the network anymore so I don't know if they fixed it. From LarrySheldon at cox.net Thu Jun 17 23:59:56 2010 From: LarrySheldon at cox.net (Larry Sheldon) Date: Fri, 18 Jun 2010 04:59:56 -0000 Subject: Internet Kill Switch. Message-ID: <4C428A4B.7030700@cox.net> Yeah I remember. The net will just route around the problem. http://www.prisonplanet.com/new-bill-gives-obama-kill-switch-to-shut-down-the-internet.html I didn't believe it then and I don't believe it now. But I do realize that they won't have Internet service in the camps, anyway so it won't matter to me. -- Somebody should have said: A democracy is two wolves and a lamb voting on what to have for dinner. Freedom under a constitutional republic is a well armed lamb contesting the vote. Requiescas in pace o email Ex turpi causa non oritur actio Eppure si rinfresca ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml From LarrySheldon at cox.net Fri Jun 18 00:07:35 2010 From: LarrySheldon at cox.net (Larry Sheldon) Date: Fri, 18 Jun 2010 05:07:35 -0000 Subject: Internet Kill Switch. 
In-Reply-To: <4C428A4B.7030700@cox.net> References: <4C428A4B.7030700@cox.net> Message-ID: <4C428C16.7010806@cox.net> On 7/17/2010 23:59, Larry Sheldon wrote: > http://www.prisonplanet.com/new-bill-gives-obama-kill-switch-to-shut-down-the-internet.html Highlights: "The federal government would have 'absolute power' to shut down the Internet ... figurative 'kill switch' to seize control of the world wide web ..." [Web = Internet] Jay Rockefeller: "Would it had been better if we'd have never invented the Internet?" [Is this pile on Al Gore Month?] "The largest Internet-based corporations are seemingly happy with the bill..." -- Somebody should have said: A democracy is two wolves and a lamb voting on what to have for dinner. Freedom under a constitutional republic is a well armed lamb contesting the vote. Requiescas in pace o email Ex turpi causa non oritur actio Eppure si rinfresca ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml From franck at genius.com Fri Jun 18 00:14:24 2010 From: franck at genius.com (Franck Martin) Date: Fri, 18 Jun 2010 17:14:24 +1200 (FJT) Subject: Internet Kill Switch. In-Reply-To: <4C428C16.7010806@cox.net> Message-ID: <12908734.844.1276838064536.JavaMail.franck@franck-martins-macbook-pro.local> CNN ran a mock-up attack on the USA infrastructure with some reps of the government. The stuff was flawed in many ways, but I think the outcome of it, after each representative of the government arguing what the president can do and cannot do, was that to solve the issue, the infrastructure providers needed to be involved, and asked "nicely" to help fix the problem, and not raided with a kill switch threat...or army personnel taking over all the knobs... ----- Original Message ----- From: "Larry Sheldon" To: nanog at nanog.org Sent: Sunday, 18 July, 2010 5:07:34 PM Subject: [SPAM] Re: Internet Kill Switch. 
On 7/17/2010 23:59, Larry Sheldon wrote: > http://www.prisonplanet.com/new-bill-gives-obama-kill-switch-to-shut-down-the-internet.html Highlights: "The federal government would have 'absolute power' to shut down the Internet ... figurative 'kill switch' to seize control of the world wide web ..." [Web = Internet] Jay Rockefeller: "Would it had been better if we'd have never invented the Internet?" [Is this pile on Al Gore Month?] "The largest Internet-based corporations are seemingly happy with the bill..." -- Somebody should have said: A democracy is two wolves and a lamb voting on what to have for dinner. Freedom under a constitutional republic is a well armed lamb contesting the vote. Requiescas in pace o email Ex turpi causa non oritur actio Eppure si rinfresca ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml From TWright at internode.com.au Fri Jun 18 00:16:20 2010 From: TWright at internode.com.au (Tom Wright) Date: Fri, 18 Jun 2010 14:46:20 +0930 Subject: Internet Kill Switch. In-Reply-To: <4C428C16.7010806@cox.net> References: <4C428A4B.7030700@cox.net> <4C428C16.7010806@cox.net> Message-ID: What ever happened to this? http://www.ietf.org/rfc/rfc3271.txt -- Tom On 18/07/2010, at 2:37 PM, Larry Sheldon wrote: On 7/17/2010 23:59, Larry Sheldon wrote: http://www.prisonplanet.com/new-bill-gives-obama-kill-switch-to-shut-down-the-internet.html Highlights: "The federal government would have 'absolute power' to shut down the Internet ... figurative 'kill switch' to seize control of the world wide web ..." [Web = Internet] Jay Rockefeller: "Would it had been better if we'd have never invented the Internet?" [Is this pile on Al Gore Month?] "The largest Internet-based corporations are seemingly happy with the bill..." -- Somebody should have said: A democracy is two wolves and a lamb voting on what to have for dinner. Freedom under a constitutional republic is a well armed lamb contesting the vote. 
Requiescas in pace o email Ex turpi causa non oritur actio Eppure si rinfresca ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml -- Kind Regards, Tom Wright Internode Network Operations P: +61 8 8228 2999 W: http://www.internode.on.net From LarrySheldon at cox.net Fri Jun 18 00:25:42 2010 From: LarrySheldon at cox.net (Larry Sheldon) Date: Fri, 18 Jun 2010 05:25:42 -0000 Subject: Internet Kill Switch. In-Reply-To: References: <4C428A4B.7030700@cox.net> <4C428C16.7010806@cox.net> Message-ID: <4C429056.8000703@cox.net> On 6/18/2010 00:16, Tom Wright wrote: > What ever happened to this? > > http://www.ietf.org/rfc/rfc3271.txt Every thing in that RFC from enabling freedom of speech to high volumes of untaxed dollars is anathema to the current administration. And yeah, that is politics and not BGP fine tuning. But if we don't take an interest in what they are doing, BGP isn't going to matter much. So, yes, this is a call to look at the layer 10 stuff a bit. If it isn't already too late. I've said my piece, moderators. Stand down. -- Somebody should have said: A democracy is two wolves and a lamb voting on what to have for dinner. Freedom under a constitutional republic is a well armed lamb contesting the vote. Requiescas in pace o email Ex turpi causa non oritur actio Eppure si rinfresca ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml From peter at peter-dambier.de Fri Jun 18 04:47:40 2010 From: peter at peter-dambier.de (Peter Dambier) Date: Fri, 18 Jun 2010 11:47:40 +0200 Subject: Internet Kill Switch. 
In-Reply-To: <4C429056.8000703@cox.net> References: <4C428A4B.7030700@cox.net> <4C428C16.7010806@cox.net> <4C429056.8000703@cox.net> Message-ID: <4C1B40BC.4040305@peter-dambier.de> Maybe he has the power to switch it off - but only cn-nic has the power to reboot the hardware they sold us :) I am glad AX25 and AMPR.ORG even work without tcp/ip and IPv6 and they will continue to do even on solar power and batteries. Don't ever ask me to take my antennas down again. Cheers Peter (Dl2FBA) and Karin Larry Sheldon wrote: > On 6/18/2010 00:16, Tom Wright wrote: >> What ever happened to this? >> >> http://www.ietf.org/rfc/rfc3271.txt > > Every thing in that RFC from enabling freedom of speech to high volumes > of untaxed dollars is anathema to the current administration. > > And yeah, that is politics and not BGP fine tuning. > > But if we don't take an interest in what they are doing, BGP isn't going > to matter much. > > So, yes, this is a call to look at the layer 10 stuff a bit. > > If it isn't already too late. > > I've said my piece, moderators. Stand down. > -- Peter and Karin Dambier Cesidian Root - Radice Cesidiana Rimbacher Strasse 16 D-69509 Moerlenbach-Bonsweiher +49(6209)795-816 (Telekom) +49(6252)750-308 (VoIP: sipgate.de) mail: peter at peter-dambier.de http://www.peter-dambier.de/ http://iason.site.voila.fr/ https://sourceforge.net/projects/iason/ ULA= fd80:4ce1:c66a::/48 From geier at geier.ne.tz Fri Jun 18 05:12:19 2010 From: geier at geier.ne.tz (Frank Habicht) Date: Fri, 18 Jun 2010 13:12:19 +0300 Subject: Todd Underwood was a little late In-Reply-To: References: Message-ID: <4C1B4683.5020901@geier.ne.tz> On 6/17/2010 9:07 PM, Owen DeLong wrote: > For those that missed the presentation, it was a real eye-opener on just > how important it is for you to move forward with IPv6 before something like > this actually starts getting implemented. 
> > Owen +1 Frank From rekordmeister at gmail.com Fri Jun 18 06:34:57 2010 From: rekordmeister at gmail.com (MKS) Date: Fri, 18 Jun 2010 11:34:57 +0000 Subject: DNSsec from domailcontrol.com Message-ID: Hi We (a small ISP in the middle of nowhere) are having problems resolving DNSsec records from godaddy. This command works just fine # dig @ns52.domaincontrol.com loomus.com but this doesn't # dig @ns52.domaincontrol.com +dnssec loomus.com We don't receive the reply to the query. and no, this isn't a packet size issue, the reply for the second command is 124 bytes, and the host isn't behind a firewall. So the same commands work just fine outside our network, and we are only having problems with nsxx.domailcontrol.com As far as I can see, when enabling +dnssec the EDNS option is activated and this is added in the DNS query "OPT UDPsize=4096 OK" I have also tried # dig @ns52.domaincontrol.com +dnssec +bufsize=512 loomus.com without any success. Does someone have any brilliant suggestions? Please contact me on or off list Regards MKS From marka at isc.org Fri Jun 18 07:33:52 2010 From: marka at isc.org (Mark Andrews) Date: Fri, 18 Jun 2010 22:33:52 +1000 Subject: DNSsec from domailcontrol.com In-Reply-To: Your message of "Fri, 18 Jun 2010 11:34:57 GMT." References: Message-ID: <201006181233.o5ICXq6F006714@drugs.dv.isc.org> In message , MKS writes: > Hi > > We (a small ISP in the middle of nowhere) are having problems > resolving DNSsec records from godaddy. > > This command works just fine > # dig @ns52.domaincontrol.com loomus.com > > but this doesn't > # dig @ns52.domaincontrol.com +dnssec loomus.com > We don't receive the reply to the query. > > and no, this isn't a packet size issue, the reply for the second > command is 124 bytes, and the host isn't behind a firewall. 
> > So the same commands work just fine outside our network, and we are > only having problems with nsxx.domailcontrol.com > As far as I can see, when enabling +dnssec the EDNS option is > activated and this is added in the DNS query "OPT UDPsize=4096 OK" > > I have also tried > # dig @ns52.domaincontrol.com +dnssec +bufsize=512 loomus.com > without any success. > > > Does someone have any brilliant suggestions? > Please contact me on or off list > > Regards > MKS The server isn't even EDNS aware. I suspect your firewall doesn't like a plain DNS response to an EDNS query. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka at isc.org From steve at ipv6canada.com Fri Jun 18 07:37:24 2010 From: steve at ipv6canada.com (Steve Bertrand) Date: Fri, 18 Jun 2010 08:37:24 -0400 Subject: Todd Underwood was a little late In-Reply-To: References: <201006170207.o5H27XJn065911@drugs.dv.isc.org> <4C19A6D2.6030603@gmail.com> Message-ID: <4C1B6884.4000606@ipv6canada.com> On 2010.06.17 17:10, William Herrin wrote: > On Thu, Jun 17, 2010 at 12:38 AM, Roy wrote: >> On 6/16/2010 7:43 PM, Jon Lewis wrote: >>> With a larger >>> network, multiple IP blocks, ***numerous multihomed customers***, some of which >>> use IP's we've assigned them, it gets a little more complicated to do. >>> I could reject at our border, packets sourced from our IP ranges with >>> exceptions for any of the IP blocks we've assigned to multihomed customers. >> >> Sounds like a good use of URPF. > > Reverse path filtering + asymmetric routing = epic fail. Jon did say > Multihomed customer. What RPF can do in this case, though, is proactively prevent possible future problems. If all IP blocks are tied down to null, and urpf is enabled in loose mode on an interface, it will catch cases where someone is sourcing traffic to you using IPs from the unassigned space that you have in your free pools. 
Every month or so I re-route my blackholed traffic to a sinkhole, and more often than not, I see some ingress traffic from my unassigned space. Steve From cmadams at hiwaay.net Fri Jun 18 07:49:55 2010 From: cmadams at hiwaay.net (Chris Adams) Date: Fri, 18 Jun 2010 07:49:55 -0500 Subject: Todd Underwood was a little late In-Reply-To: <4C1B6884.4000606@ipv6canada.com> References: <201006170207.o5H27XJn065911@drugs.dv.isc.org> <4C19A6D2.6030603@gmail.com> <4C1B6884.4000606@ipv6canada.com> Message-ID: <20100618124955.GA1296581@hiwaay.net> Once upon a time, Steve Bertrand said: > If all IP blocks are tied down to null, and urpf is enabled in loose > mode on an interface, it will catch cases where someone is sourcing > traffic to you using IPs from the unassigned space that you have in your > free pools. That's not true on JUNOS devices - discard routes still count as valid routes for loose-mode uRPF. -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. From bill at herrin.us Fri Jun 18 08:06:56 2010 From: bill at herrin.us (William Herrin) Date: Fri, 18 Jun 2010 09:06:56 -0400 Subject: Todd Underwood was a little late In-Reply-To: <4C1B6884.4000606@ipv6canada.com> References: <201006170207.o5H27XJn065911@drugs.dv.isc.org> <4C19A6D2.6030603@gmail.com> <4C1B6884.4000606@ipv6canada.com> Message-ID: On Fri, Jun 18, 2010 at 8:37 AM, Steve Bertrand wrote: > On 2010.06.17 17:10, William Herrin wrote: >> Reverse path filtering + asymmetric routing = epic fail. Jon did say >> Multihomed customer. > > If all IP blocks are tied down to null, and urpf is enabled in loose > mode on an interface, it will catch cases where someone is sourcing > traffic to you using IPs from the unassigned space that you have in your > free pools. Hi Steve, I'm not sure what that accomplishes. It doesn't close any doors. With loose-mode RPF he can still forge packets from any address actually in use. 
> Every month or so I re-route my blackholed traffic to a sinkhole, and
> more often than not, I see some ingress traffic from my unassigned space.

You'd be better off pointing the forward routes at a packet logger so you can gain some insight into who is scanning the network, particularly when the scanner actually is internal.

Regards,
Bill Herrin

-- 
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: 
Falls Church, VA 22042-3004

From steve at ipv6canada.com  Fri Jun 18 08:21:37 2010
From: steve at ipv6canada.com (Steve Bertrand)
Date: Fri, 18 Jun 2010 09:21:37 -0400
Subject: Todd Underwood was a little late
In-Reply-To: 
References: <201006170207.o5H27XJn065911@drugs.dv.isc.org> <4C19A6D2.6030603@gmail.com> <4C1B6884.4000606@ipv6canada.com>
Message-ID: <4C1B72E1.8050104@ipv6canada.com>

On 2010.06.18 09:06, William Herrin wrote:
> On Fri, Jun 18, 2010 at 8:37 AM, Steve Bertrand wrote:
>> If all IP blocks are tied down to null, and urpf is enabled in loose
>> mode on an interface, it will catch cases where someone is sourcing
>> traffic to you using IPs from the unassigned space that you have in your
>> free pools.

> I'm not sure what that accomplishes. It doesn't close any doors. With
> loose-mode RPF he can still forge packets from any address actually in
> use.

yes, that is correct. However, it stops someone from outside sending your network packets with a source address that currently resides in one of your free pools.

What it does is prevent packets with the illegal IP address from actually being delivered to the intended destination within your network, preserving some (perhaps a very small amount) of bandwidth/router resources.

For instance, if I send your mail server a packet with a source of one of your IPs that you currently do not have in use and you don't have rpf enabled, the forged packet will make it to the server, be sent back to its next-hop, and then be discarded (if you have tie downs). With urpf enabled, the packet is discarded upon the first ingress into the network, thereby preventing it from going any further.

This is what I use loose mode for anyway.

Steve

From steve at ipv6canada.com  Fri Jun 18 08:27:08 2010
From: steve at ipv6canada.com (Steve Bertrand)
Date: Fri, 18 Jun 2010 09:27:08 -0400
Subject: Todd Underwood was a little late
In-Reply-To: <20100618124955.GA1296581@hiwaay.net>
References: <201006170207.o5H27XJn065911@drugs.dv.isc.org> <4C19A6D2.6030603@gmail.com> <4C1B6884.4000606@ipv6canada.com> <20100618124955.GA1296581@hiwaay.net>
Message-ID: <4C1B742C.5040808@ipv6canada.com>

On 2010.06.18 08:49, Chris Adams wrote:
> Once upon a time, Steve Bertrand said:
>> If all IP blocks are tied down to null, and urpf is enabled in loose
>> mode on an interface, it will catch cases where someone is sourcing
>> traffic to you using IPs from the unassigned space that you have in your
>> free pools.
>
> That's not true on JUNOS devices - discard routes still count as valid
> routes for loose-mode uRPF.

Are you saying that JUNOS will not drop on source even if the only valid route for an IP address is to null?

On any other router I've used, null/disc etc is a valid route, but it is considered special in that if the route is to null, discard it, even on source.

Steve

From bill at herrin.us  Fri Jun 18 10:27:57 2010
From: bill at herrin.us (William Herrin)
Date: Fri, 18 Jun 2010 11:27:57 -0400
Subject: Todd Underwood was a little late
In-Reply-To: <4C1B72E1.8050104@ipv6canada.com>
References: <201006170207.o5H27XJn065911@drugs.dv.isc.org> <4C19A6D2.6030603@gmail.com> <4C1B6884.4000606@ipv6canada.com> <4C1B72E1.8050104@ipv6canada.com>
Message-ID: 

On Fri, Jun 18, 2010 at 9:21 AM, Steve Bertrand wrote:
> On 2010.06.18 09:06, William Herrin wrote:
>> On Fri, Jun 18, 2010 at 8:37 AM, Steve Bertrand wrote:
>
>> I'm not sure what that accomplishes. It doesn't close any doors. With
>> loose-mode RPF he can still forge packets from any address actually in
>> use.
>
> What it does is prevent packets with the illegal IP address from
> actually being delivered to the intended destination within your network,
> preserving some (perhaps a very small amount) of bandwidth/router resources.

Right, but to save that fractional bit of bandwidth you pay for an extra TCAM or radix tree hit impacting every single packet entering your system on your very expensive upstream border routers -- a significant reduction in your hardware's capacity.

I get strict RPF - if you can guarantee symmetric routing (which you often can in single-homed scenarios) it offers a meaningful improvement in your network's security without configuration management challenges at the cost of extra processing. But the cost/benefit to loose RPF doesn't seem to come close to adding up in any scenario that occurs to me.

Regards,
Bill Herrin

-- 
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: 
Falls Church, VA 22042-3004

From sfischer1967 at gmail.com  Fri Jun 18 10:57:52 2010
From: sfischer1967 at gmail.com (Steven Fischer)
Date: Fri, 18 Jun 2010 11:57:52 -0400
Subject: Experience with the Dell PowerConnect 8024F - compare to the Cisco Nexus 5010
Message-ID: 

Does anyone have any experience with the Dell PowerConnect 8024F 10-gig switch that they'd be willing to share? How does it perform? How reliable is it? My experiences with the Dell switches have been less than favorable to this point, but I am willing to concede that some of that may be colored by my Cisco bias. Would you trust this Dell switch in a high-performance computing environment, where the ability to move data for sustained durations at rates close to line speed is paramount, along with high-reliability/high-availability?

Any feedback is welcomed.

-- 
To him who is able to keep you from falling and to present you before his glorious presence without fault and with great joy

From zzuser at yahoo.com  Fri Jun 18 11:04:06 2010
From: zzuser at yahoo.com (Zed Usser)
Date: Fri, 18 Jun 2010 09:04:06 -0700 (PDT)
Subject: IPv6 consumer perception
Message-ID: <270017.4386.qm@web114714.mail.gq1.yahoo.com>

With marketing campaigns like these, no consumer will want to use IPv6, if it becomes associated with privacy problems.

http://torrentfreak.com/huge-security-flaw-makes-vpns-useless-for-bittorrent-100617/

It is, of course, totally irrelevant whether the reporting is factually correct or even based on real IPv6 issues or not, this is how public opinion is formed.

The only takeaway from this to a non-technical user is that IPv6 is bad and the correct solution is to turn it off.
- Zed

From nenolod at systeminplace.net  Fri Jun 18 11:09:30 2010
From: nenolod at systeminplace.net (William Pitcock)
Date: Fri, 18 Jun 2010 11:09:30 -0500
Subject: Experience with the Dell PowerConnect 8024F - compare to the Cisco Nexus 5010
In-Reply-To: 
References: 
Message-ID: <1276877370.7682.55.camel@petrie>

Hi,

On Fri, 2010-06-18 at 11:57 -0400, Steven Fischer wrote:
> Does anyone have any experience with the Dell PowerConnect 8024F 10-gig
> switch that they'd be willing to share? How does it perform? How reliable
> is it? My experiences with the Dell switches have been less than favorable
> to this point, but I am willing to concede that some of that may be colored
> by my Cisco bias. Would you trust this Dell switch in a high-performance
> computing environment, where the ability to move data for sustained
> durations at rates close to line speed is paramount, along with
> high-reliability/high-availability?
>
> Any feedback is welcomed.
>

Dell switches are usually Foundry gear relabeled, so it should be ok. We are using Dell switches alongside actual Foundry gear in a cloud environment and have had no problems.

Foundry's firmwares have some bugs though as far as SNMP goes. For example, our traffic utilization graphs start missing data after about 120 days and we have to reboot them. This happens on both actual Foundry gear and the rebranded Dell stuff. If you're just using the switches as an interconnect (MPI?), this probably isn't a big deal for you. I have heard that newer firmware fixes that problem, but we haven't had time to test out upgrading so it hasn't been done yet.

The Nexus switch line is also very good, but too expensive for my blood. I have to eat... The management is very well done, but the Nexus OS is feature-lacking in comparison to traditional Cisco IOS. So, right now, the Foundry gear is probably a better option.

William

From jared at puck.nether.net  Fri Jun 18 11:31:27 2010
From: jared at puck.nether.net (Jared Mauch)
Date: Fri, 18 Jun 2010 12:31:27 -0400
Subject: IPv6 consumer perception
In-Reply-To: <270017.4386.qm@web114714.mail.gq1.yahoo.com>
References: <270017.4386.qm@web114714.mail.gq1.yahoo.com>
Message-ID: <9F8063EB-C9A3-444D-B9CB-7CA12BEE335E@puck.nether.net>

On Jun 18, 2010, at 12:04 PM, Zed Usser wrote:
> With marketing campaigns like these, no consumer will want to use IPv6, if it becomes associated with privacy problems.
>
> http://torrentfreak.com/huge-security-flaw-makes-vpns-useless-for-bittorrent-100617/
>
> It is, of course, totally irrelevant whether the reporting is factually correct or even based on real IPv6 issues or not, this is how public opinion is formed.
>
> The only takeaway from this to a non-technical user is that IPv6 is bad and the correct solution is to turn it off.

I think that the idea that your communications are purely anonymous is something that has been put out there by people that do not get the technology. I recall explaining to some nice folks at the Secret Service back in the 90's where some emails came from, and how to actually get in contact with the real person who made threats against the president.

Do these people take their license plates off their cars while they drive on the streets, or scratch out their VINs?

To think it's impossible to determine attribution on the internet is foolish.

- Jared

(While there are legal torrents, and that's *surely* the only reason for piratebay to be used, it does not excuse the criminal activity if you *think* you can't be tracked).
From marcoh at marcoh.net  Fri Jun 18 12:48:00 2010
From: marcoh at marcoh.net (Marco Hogewoning)
Date: Fri, 18 Jun 2010 19:48:00 +0200
Subject: IPv6 consumer perception
In-Reply-To: <270017.4386.qm@web114714.mail.gq1.yahoo.com>
References: <270017.4386.qm@web114714.mail.gq1.yahoo.com>
Message-ID: 

On 18 jun 2010, at 18:04, Zed Usser wrote:
> With marketing campaigns like these, no consumer will want to use IPv6, if it becomes associated with privacy problems.
>
> http://torrentfreak.com/huge-security-flaw-makes-vpns-useless-for-bittorrent-100617/
>
> It is, of course, totally irrelevant whether the reporting is factually correct or even based on real IPv6 issues or not, this is how public opinion is formed.
>
> The only takeaway from this to a non-technical user is that IPv6 is bad and the correct solution is to turn it off.

Why do people still think consumers 'want IPv6', they want IPv6 as much as they want IPv4. They don't know what an IP address is, let alone will grasp the whole idea there are 2 kinds. All they want is their googles, facebooks, twitters and the occasional download to work (of course nobody would admit to filesharing). And it's our job to make it so, whether it's via IPv6 or CGN. In the end they won't have much choice and if we do our jobs correctly, 95 % of them won't even notice.

Just my 2 cents,

MarcoH

From bora at pnl.gov  Fri Jun 18 12:49:45 2010
From: bora at pnl.gov (Akyol, Bora A)
Date: Fri, 18 Jun 2010 10:49:45 -0700
Subject: Future of WiMax
In-Reply-To: <485ED9BA02629E4BBBA53AC892EDA50E0B32E4A7@usmsxt104.mwd.h2o>
References: <4C192774.1050501@rollernet.us> <485ED9BA02629E4BBBA53AC892EDA50E0B32E4A7@usmsxt104.mwd.h2o>
Message-ID: 

This is not exactly true. With the 3G networks (GSM) you can get:

7.2-Mbps HSDPA (downstream)
5.8-Mbps HSUPA (upstream)

LTE speeds are much more comparable to Wimax.

-----Original Message-----
From: Holmes,David A [mailto:dholmes at mwdh2o.com]
Sent: Thursday, June 17, 2010 10:16 AM
To: Seth Mattinen; nanOG list
Subject: RE: Future of WiMax

For business purposes such as fixed wireless access for small branch offices, it would seem that Wi-Max is superior to current GSM and CDMA proprietary networks in that the upload/download speeds are symmetric. It appears that GSM and CDMA networks are based on the asymmetric low upload bandwidth/high download bandwidth model, thus placing severe restrictions on business use for fixed locations.

From Sean.Siler at microsoft.com  Fri Jun 18 12:57:08 2010
From: Sean.Siler at microsoft.com (Sean Siler)
Date: Fri, 18 Jun 2010 17:57:08 +0000
Subject: IPv6 consumer perception
In-Reply-To: 
References: <270017.4386.qm@web114714.mail.gq1.yahoo.com>
Message-ID: <726B24CA0C7F494795894989DCF1FE01388BC30B@TK5EX14MBXC123.redmond.corp.microsoft.com>

I'd really like to talk to the guy who presented this. Does anyone happen to have a contact for him? Feel free to send it privately if you do.

Sean

-----Original Message-----
From: Marco Hogewoning [mailto:marcoh at marcoh.net]
Sent: Friday, June 18, 2010 10:48 AM
To: nanog at merit.edu
Subject: Re: IPv6 consumer perception

On 18 jun 2010, at 18:04, Zed Usser wrote:
> With marketing campaigns like these, no consumer will want to use IPv6, if it becomes associated with privacy problems.
>
> http://torrentfreak.com/huge-security-flaw-makes-vpns-useless-for-bittorrent-100617/
>
> It is, of course, totally irrelevant whether the reporting is factually correct or even based on real IPv6 issues or not, this is how public opinion is formed.
>
> The only takeaway from this to a non-technical user is that IPv6 is bad and the correct solution is to turn it off.

Why do people still think consumers 'want IPv6', they want IPv6 as much as they want IPv4. They don't know what an IP address is, let alone will grasp the whole idea there are 2 kinds. All they want is their googles, facebooks, twitters and the occasional download to work (of course nobody would admit to filesharing). And it's our job to make it so, whether it's via IPv6 or CGN. In the end they won't have much choice and if we do our jobs correctly, 95 % of them won't even notice.

Just my 2 cents,

MarcoH

From jamesb at loreland.org  Fri Jun 18 12:56:50 2010
From: jamesb at loreland.org (James Braid)
Date: Fri, 18 Jun 2010 18:56:50 +0100
Subject: Advice regarding Cisco/Juniper/HP
In-Reply-To: <828F644E-7DD9-4058-8C7D-A76931740E73@skytap.com>
References: <20100617092909.I713@evil.minions.com> <609F723B44D257459ED22406AC8F286A25B6A47BD3@CDIMSXMBCL01.CDI.CDICorp.net> <4C1A6450.7080704@rollernet.us> <1276799730.7682.39.camel@petrie> <828F644E-7DD9-4058-8C7D-A76931740E73@skytap.com>
Message-ID: 

On 17/06/10 20:02, Carl Rosevear wrote:
> The main problem with HP switches and their 'free software upgrades'
> is that there are regularly bugs and regressions in the software and
> their solution is to have you 'oh just update the software'... this
> is not always practical in a production environment.

This has been our experience too. It's nice having "free support" and "free software upgrades" but when their support consists of "upgrade to this latest unreleased firmware and hope it fixes your problems", I'd rather be paying a vendor for support... that said I think the 5412's are OK for edge switches.

From cscora at apnic.net  Fri Jun 18 13:12:53 2010
From: cscora at apnic.net (Routing Analysis Role Account)
Date: Sat, 19 Jun 2010 04:12:53 +1000 (EST)
Subject: Weekly Routing Table Report
Message-ID: <201006181812.o5IICr7n019989@thyme.apnic.net>

This is an automated weekly mailing describing the state of the Internet Routing Table as seen from APNIC's router in Japan.

Daily listings are sent to bgp-stats at lists.apnic.net

For historical data, please see http://thyme.apnic.net.

If you have any comments please contact Philip Smith .
Routing Table Report   04:00 +10GMT Sat 19 Jun, 2010

Report Website:     http://thyme.apnic.net
Detailed Analysis:  http://thyme.apnic.net/current/

Analysis Summary
----------------

BGP routing table entries examined:                              322870
    Prefixes after maximum aggregation:                          148946
    Deaggregation factor:                                          2.17
    Unique aggregates announced to Internet:                     158175
Total ASes present in the Internet Routing Table:                 34178
    Prefixes per ASN:                                              9.45
Origin-only ASes present in the Internet Routing Table:           29680
Origin ASes announcing only one prefix:                           14399
Transit ASes present in the Internet Routing Table:                4498
Transit-only ASes present in the Internet Routing Table:            104
Average AS path length visible in the Internet Routing Table:       3.6
Max AS path length visible:                                          25
Max AS path prepend of ASN (41664)                                   21
Prefixes from unregistered ASNs in the Routing Table:               266
Unregistered ASNs in the Routing Table:                             114
Number of 32-bit ASNs allocated by the RIRs:                        631
Prefixes from 32-bit ASNs in the Routing Table:                     722
Special use prefixes present in the Routing Table:                    0
Prefixes being announced from unallocated address space:            156
Number of addresses announced to Internet:                   2247247968
    Equivalent to 133 /8s, 242 /16s and 72 /24s
Percentage of available address space announced:                   60.6
Percentage of allocated address space announced:                   65.4
Percentage of available address space allocated:                   92.8
Percentage of address space in use by end-sites:                   83.3
Total number of prefixes smaller than registry allocations:      154420

APNIC Region Analysis Summary
-----------------------------

Prefixes being announced by APNIC Region ASes:                    77483
    Total APNIC prefixes after maximum aggregation:               26911
    APNIC Deaggregation factor:                                    2.88
Prefixes being announced from the APNIC address blocks:           74300
    Unique aggregates announced from the APNIC address blocks:    33095
APNIC Region origin ASes present in the Internet Routing Table:    4075
    APNIC Prefixes per ASN:                                       18.23
APNIC Region origin ASes announcing only one prefix:               1119
APNIC Region transit ASes present in the Internet Routing Table:    639
Average APNIC Region AS path length visible:                        3.6
Max APNIC Region AS path length visible:                             15
Number of APNIC addresses announced to Internet:              523634976
    Equivalent to 31 /8s, 54 /16s and 9 /24s
Percentage of available APNIC address space announced:             78.0

APNIC AS Blocks        4608-4864, 7467-7722, 9216-10239, 17408-18431
(pre-ERX allocations)  23552-24575, 37888-38911, 45056-46079
                       55296-56319, 131072-132095
APNIC Address Blocks     1/8,  14/8,  27/8,  43/8,  58/8,  59/8,  60/8,
                        61/8, 110/8, 111/8, 112/8, 113/8, 114/8, 115/8,
                       116/8, 117/8, 118/8, 119/8, 120/8, 121/8, 122/8,
                       123/8, 124/8, 125/8, 126/8, 133/8, 175/8, 180/8,
                       182/8, 183/8, 202/8, 203/8, 210/8, 211/8, 218/8,
                       219/8, 220/8, 221/8, 222/8, 223/8,

ARIN Region Analysis Summary
----------------------------

Prefixes being announced by ARIN Region ASes:                    134278
    Total ARIN prefixes after maximum aggregation:                69110
    ARIN Deaggregation factor:                                     1.94
Prefixes being announced from the ARIN address blocks:           107051
    Unique aggregates announced from the ARIN address blocks:     41720
ARIN Region origin ASes present in the Internet Routing Table:    13734
    ARIN Prefixes per ASN:                                         7.79
ARIN Region origin ASes announcing only one prefix:                5267
ARIN Region transit ASes present in the Internet Routing Table:    1340
Average ARIN Region AS path length visible:                         3.4
Max ARIN Region AS path length visible:                              22
Number of ARIN addresses announced to Internet:               728209056
    Equivalent to 43 /8s, 103 /16s and 150 /24s
Percentage of available ARIN address space announced:              62.0

ARIN AS Blocks         1-1876, 1902-2042, 2044-2046, 2048-2106
(pre-ERX allocations)  2138-2584, 2615-2772, 2823-2829, 2880-3153
                       3354-4607, 4865-5119, 5632-6655, 6912-7466
                       7723-8191, 10240-12287, 13312-15359, 16384-17407
                       18432-20479, 21504-23551, 25600-26591,
                       26624-27647, 29696-30719, 31744-33791
                       35840-36863, 39936-40959, 46080-47103
                       53248-55295, 393216-394239
ARIN Address Blocks      3/8,   4/8,   6/8,   7/8,   8/8,   9/8,  11/8,
                        12/8,  13/8,  15/8,  16/8,  17/8,  18/8,  19/8,
                        20/8,  21/8,  22/8,  24/8,  26/8,  28/8,  29/8,
                        30/8,  32/8,  33/8,  34/8,  35/8,  38/8,  40/8,
                        44/8,  45/8,  47/8,  48/8,  50/8,  52/8,  54/8,
                        55/8,  56/8,  63/8,  64/8,  65/8,  66/8,  67/8,
                        68/8,  69/8,  70/8,  71/8,  72/8,  73/8,  74/8,
                        75/8,  76/8,  96/8,  97/8,  98/8,  99/8, 107/8,
                       108/8, 173/8, 174/8, 184/8, 199/8, 204/8, 205/8,
                       206/8, 207/8, 208/8, 209/8, 214/8, 215/8, 216/8,

RIPE Region Analysis Summary
----------------------------

Prefixes being announced by RIPE Region ASes:                     74245
    Total RIPE prefixes after maximum aggregation:                43253
    RIPE Deaggregation factor:                                     1.72
Prefixes being announced from the RIPE address blocks:            67494
    Unique aggregates announced from the RIPE address blocks:     44391
RIPE Region origin ASes present in the Internet Routing Table:    14528
    RIPE Prefixes per ASN:                                         4.65
RIPE Region origin ASes announcing only one prefix:                7502
RIPE Region transit ASes present in the Internet Routing Table:    2164
Average RIPE Region AS path length visible:                         3.9
Max RIPE Region AS path length visible:                              25
Number of RIPE addresses announced to Internet:               432216992
    Equivalent to 25 /8s, 195 /16s and 27 /24s
Percentage of available RIPE address space announced:              75.8

RIPE AS Blocks         1877-1901, 2043, 2047, 2107-2136, 2585-2614
(pre-ERX allocations)  2773-2822, 2830-2879, 3154-3353, 5377-5631
                       6656-6911, 8192-9215, 12288-13311, 15360-16383
                       20480-21503, 24576-25599, 28672-29695
                       30720-31743, 33792-35839, 38912-39935
                       40960-45055, 47104-52223, 196608-197631
RIPE Address Blocks      2/8,  25/8,  31/8,  46/8,  51/8,  62/8,  77/8,
                        78/8,  79/8,  80/8,  81/8,  82/8,  83/8,  84/8,
                        85/8,  86/8,  87/8,  88/8,  89/8,  90/8,  91/8,
                        92/8,  93/8,  94/8,  95/8, 109/8, 176/8, 178/8,
                       193/8, 194/8, 195/8, 212/8, 213/8, 217/8,

LACNIC Region Analysis Summary
------------------------------

Prefixes being announced by LACNIC Region ASes:                   28758
    Total LACNIC prefixes after maximum aggregation:               6858
    LACNIC Deaggregation factor:                                   4.19
Prefixes being announced from the LACNIC address blocks:          27214
    Unique aggregates announced from the LACNIC address blocks:   14180
LACNIC Region origin ASes present in the Internet Routing Table:   1296
    LACNIC Prefixes per ASN:                                      21.00
LACNIC Region origin ASes announcing only one prefix:               402
LACNIC Region transit ASes present in the Internet Routing Table:   227
Average LACNIC Region AS path length visible:                       3.9
Max LACNIC Region AS path length visible:                            24
Number of LACNIC addresses announced to Internet:              74639360
    Equivalent to 4 /8s, 114 /16s and 232 /24s
Percentage of available LACNIC address space announced:            55.6

LACNIC AS Blocks       26592-26623, 27648-28671, 52224-53247, 262144-263167
                       plus ERX transfers
LACNIC Address Blocks  177/8, 181/8, 186/8, 187/8, 189/8, 190/8, 200/8,
                       201/8,

AfriNIC Region Analysis Summary
-------------------------------

Prefixes being announced by AfriNIC Region ASes:                   7166
    Total AfriNIC prefixes after maximum aggregation:              1816
    AfriNIC Deaggregation factor:                                  3.95
Prefixes being announced from the AfriNIC address blocks:          5505
    Unique aggregates announced from the AfriNIC address blocks:   1731
AfriNIC Region origin ASes present in the Internet Routing Table:   370
    AfriNIC Prefixes per ASN:                                     14.88
AfriNIC Region origin ASes announcing only one prefix:              109
AfriNIC Region transit ASes present in the Internet Routing Table:   82
Average AfriNIC Region AS path length visible:                      3.7
Max AfriNIC Region AS path length visible:                           15
Number of AfriNIC addresses announced to Internet:             18911488
    Equivalent to 1 /8s, 32 /16s and 145 /24s
Percentage of available AfriNIC address space announced:           56.4

AfriNIC AS Blocks      36864-37887, 327680-328703 & ERX transfers
AfriNIC Address Blocks  41/8, 197/8,

APNIC Region per AS prefix count summary
----------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
4766         1847       8407     482  Korea Telecom (KIX)
7545         1330        232     107  TPG Internet Pty Ltd
17488        1319        140     127  Hathway IP Over Cable Interne
4755         1310        294     154  TATA Communications formerly
17974        1011        270      50  PT TELEKOMUNIKASI INDONESIA
9583          995         73     490  Sify Limited
4134          983      21291     407  CHINANET-BACKBONE
24560         919        306     169  Bharti Airtel Ltd., Telemedia
4808          837       1572     215  CNCGROUP IP network: China169
9829          793        680      39  BSNL National Internet Backbo

Complete listing at http://thyme.apnic.net/current/data-ASnet-APNIC

ARIN Region per AS prefix count summary
---------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
6389         3911       3733     287  bellsouth.net, inc.
4323         3368       1114     395  Time Warner Telecom
1785         1793        698     129  PaeTec Communications, Inc.
20115        1553       1514     658  Charter Communications
7018         1513       5737     961  AT&T WorldNet Services
2386         1286        569     910  AT&T Data Communications Serv
6478         1284        260      84  AT&T Worldnet Services
3356         1181      10894     407  Level 3 Communications, LLC
22773        1166       2605      65  Cox Communications, Inc.
11492        1159        208      65  Cable One

Complete listing at http://thyme.apnic.net/current/data-ASnet-ARIN

RIPE Region per AS prefix count summary
---------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
35805         641         56       6  United Telecom of Georgia
3292          453       2026     393  TDC Tele Danmark
30890         444        111     206  Evolva Telecom
702           411       1869     327  UUNET - Commercial IP service
8551          400        353      46  Bezeq International
8866          400        117      18  Bulgarian Telecommunication C
3301          372       1422     327  TeliaNet Sweden
3320          370       7313     321  Deutsche Telekom AG
34984         360         89     185  BILISIM TELEKOM
9198          352        202      13  Kazakhtelecom Data Network Ad

Complete listing at http://thyme.apnic.net/current/data-ASnet-RIPE

LACNIC Region per AS prefix count summary
-----------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
8151         1520       2965     244  UniNet S.A. de C.V.
10620        1059        237     152  TVCABLE BOGOTA
28573         945        767      92  NET Servicos de Comunicao S.A
7303          720        383     102  Telecom Argentina Stet-France
6503          666        174     210  AVANTEL, S.A.
22047         546        310      15  VTR PUNTO NET S.A.
3816          482        212      77  Empresa Nacional de Telecomun
7738          477        922      30  Telecomunicacoes da Bahia S.A
14420         464         32      68  ANDINATEL S.A.
14117         450         31      14  Telefonica del Sur S.A.

Complete listing at http://thyme.apnic.net/current/data-ASnet-LACNIC

AfriNIC Region per AS prefix count summary
------------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
8452         1163        445      10  TEDATA
24863         720        147      39  LINKdotNET AS number
36992         640        278     186  Etisalat MISR
3741          269        852     230  The Internet Solution
33776         219         12      11  Starcomms Nigeria Limited
2018          211        244      61  Tertiary Education Network
6713          195        186      16  Itissalat Al-MAGHRIB
24835         188         78      10  RAYA Telecom - Egypt
29571         176         19      10  Ci Telecom Autonomous system
29975         133        506      14  Vodacom

Complete listing at http://thyme.apnic.net/current/data-ASnet-AFRINIC

Global Per AS prefix count summary
----------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
6389         3911       3733     287  bellsouth.net, inc.
4323         3368       1114     395  Time Warner Telecom
4766         1847       8407     482  Korea Telecom (KIX)
1785         1793        698     129  PaeTec Communications, Inc.
20115        1553       1514     658  Charter Communications
8151         1520       2965     244  UniNet S.A. de C.V.
7018         1513       5737     961  AT&T WorldNet Services
7545         1330        232     107  TPG Internet Pty Ltd
17488        1319        140     127  Hathway IP Over Cable Interne
4755         1310        294     154  TATA Communications formerly

Complete listing at http://thyme.apnic.net/current/data-ASnet

Global Per AS Maximum Aggr summary
----------------------------------

ASN    No of nets  Net Savings  Description
4323         3368         2973  Time Warner Telecom
1785         1793         1664  PaeTec Communications, Inc.
4766         1847         1365  Korea Telecom (KIX)
8151         1520         1276  UniNet S.A. de C.V.
7545         1330         1223  TPG Internet Pty Ltd
6478         1284         1200  AT&T Worldnet Services
17488        1319         1192  Hathway IP Over Cable Interne
4755         1310         1156  TATA Communications formerly
8452         1163         1153  TEDATA
22773        1166         1101  Cox Communications, Inc.

Complete listing at http://thyme.apnic.net/current/data-CIDRnet

List of Unregistered Origin ASNs (Global)
-----------------------------------------

Bad AS  Designation  Network          Transit AS  Description
16927   UNALLOCATED  12.0.252.0/23    7018        AT&T WorldNet Servic
15132   UNALLOCATED  12.9.150.0/24    7018        AT&T WorldNet Servic
32567   UNALLOCATED  12.14.170.0/24   7018        AT&T WorldNet Servic
13746   UNALLOCATED  12.24.56.0/24    7018        AT&T WorldNet Servic
32567   UNALLOCATED  12.25.107.0/24   7018        AT&T WorldNet Servic
26973   UNALLOCATED  12.39.152.0/24   7018        AT&T WorldNet Servic
26973   UNALLOCATED  12.39.154.0/23   7018        AT&T WorldNet Servic
26973   UNALLOCATED  12.39.155.0/24   7018        AT&T WorldNet Servic
26973   UNALLOCATED  12.39.159.0/24   7018        AT&T WorldNet Servic
25639   UNALLOCATED  12.41.169.0/24   7018        AT&T WorldNet Servic

Complete listing at http://thyme.apnic.net/current/data-badAS

Advertised Unallocated Addresses
--------------------------------

Network            Origin AS  Description
31.0.0.0/16        12654      RIPE NCC RIS Project
31.1.0.0/21        12654      RIPE NCC RIS Project
31.1.24.0/24       12654      RIPE NCC RIS Project
41.222.79.0/24     36938      >>UNKNOWN<<
41.223.92.0/22     36936      >>UNKNOWN<<
41.223.188.0/24    22351      Intelsat
41.223.189.0/24    6453       Teleglobe Inc.
41.223.196.0/24    36990      Alkan Telecom Ltd
41.223.197.0/24    36990      Alkan Telecom Ltd
41.223.198.0/24    36990      Alkan Telecom Ltd

Complete listing at http://thyme.apnic.net/current/data-add-IANA

Number of prefixes announced per prefix length (Global)
-------------------------------------------------------

 /1:0        /2:0        /3:0        /4:0        /5:0        /6:0
 /7:0        /8:20       /9:10      /10:25      /11:68      /12:194
/13:403     /14:703     /15:1283    /16:11117   /17:5327    /18:9044
/19:18356   /20:22585   /21:22805   /22:29734   /23:29309   /24:168896
/25:950     /26:1238    /27:617     /28:118     /29:47      /30:13
/31:0       /32:8

Advertised prefixes smaller than registry allocations
-----------------------------------------------------

ASN    No of nets  Total ann.  Description
6389         2506        3911  bellsouth.net, inc.
4323         1852        3368  Time Warner Telecom
4766         1482        1847  Korea Telecom (KIX)
1785         1256        1793  PaeTec Communications, Inc.
11492        1071        1159  Cable One
17488        1066        1319  Hathway IP Over Cable Interne
8452         1051        1163  TEDATA
18566        1040        1059  Covad Communications
10620         975        1059  TVCABLE BOGOTA
7018          914        1513  AT&T WorldNet Services

Complete listing at http://thyme.apnic.net/current/data-sXXas-nos

Number of /24s announced per /8 block (Global)
----------------------------------------------

  1:2        4:13       8:285     12:2003    13:7       14:1       15:23      16:3
 17:8       20:21      24:1429    27:114     31:1       32:49      33:12      38:681
 40:98      41:2437    44:3       47:18      52:9       55:9       56:2       57:25
 58:747     59:502     60:458     61:1072    62:1070    63:1971    64:3651    65:2356
 66:4259    67:1824    68:1114    69:2883    70:704     71:237     72:1836    73:2
 74:2102    75:250     76:308     77:928     78:631     79:417     80:995     81:795
 82:487     83:431     84:698     85:1047    86:461     87:692     88:341     89:1578
 90:93      91:2818    92:472     93:1064    94:1414    95:612     96:284     97:323
 98:580     99:28     108:32     109:528    110:345    111:518    112:265    113:302
114:421    115:548    116:1053   117:639    118:477    119:935    120:147    121:738
122:1449   123:927    124:1114   125:1308   128:226    129:214    130:195    131:553
132:244    133:17     134:196    135:45     136:235    137:162    138:264    139:104
140:510    141:137    142:348    143:392    144:476    145:50     146:442    147:168
148:662    149:300    150:152    151:166    152:295    153:168    154:2      155:328
156:156    157:325    158:107    159:375    160:316    161:181    162:255    163:171
164:408    165:342    166:465    167:404    168:786    169:164    170:703    171:57
172:2      173:840    174:613    175:93     176:1      178:187    180:487    182:119
183:225    184:62     186:469    187:356    188:1081   189:780    190:3777   192:5749
193:4700   194:3357   195:2774   196:1167   198:3586   199:3456   200:5356   201:1546
202:7976   203:8287   204:4076   205:2328   206:2520   207:3070   208:3873   209:3422
210:2505   211:1262   212:1748   213:1682   214:661    215:69     216:4667   217:1432
218:494    219:378    220:1138   221:413    222:311    223:1

End of report

From lee at asgard.org  Fri Jun 18 13:42:49 2010
From: lee at asgard.org (Lee Howard)
Date: Fri, 18 Jun 2010 14:42:49 -0400
Subject: Todd Underwood was a little late
In-Reply-To: 
References: 
Message-ID: <000001cb0f16$0db676b0$29236410$@org> > -----Original Message----- > From: Todd Underwood [mailto:toddunder at gmail.com] > > firstly: cgn puts reachability in the hands of a single organization. > with the PAP System you have a set of distributed choices about > reachability: different people can assess their different tolerance > to certain kinds of unreachability. Well, your proposal gives each "single organization" the same control as CGN. Except that if you announce somebody else's prefix, you're forcing your neighbors to choose whether to accept your announcement or the other organization's. > as i said in the presentation, the probability that there will be > positive operational overhead for a prefix is related the the count of > reuse within an association domain for a prefix ( p(Oop) = Cr(Ap) ). > We need to work out how to subdivide which parts of the internet > actually want to communicate directly with each other reliably and > make sure that they are within association domains. Yes, exactly. To minimize p(Oop), you need to consider what you'll leak. Generally, squat only when p(Oop) is very small, ideally when you can keep it all in. But seriously (and less scatalogically), when organizations can't get IPv4 addresses from their RIRs, some are likely to try using numbers registered to other organizations. In order of preference, they will use: 1) Globally unique, registered space 2) RFC1918 space 3) Space registered but unrouted (and unlikely to be routed) (see below) 4) Space registered and in use by someone very far away "Registered but unrouted" would include space that is in use in large private networks that aren't visible from your standard sources for route views, such as U.S. DoD (6, 11, 22, 26, 28, 29, 30 /8) or U.K. MoD (25/8). I've heard that some organizations are growing beyond rfc1918 space and starting to use addresses like these already (for devices not capable of IPv6) for internal networking (not publically routed). 
I believe this is generally considered bad citizenship, but I'm interested in why? Is there a range most people camp on?

Lee

From joe.abley at icann.org Fri Jun 18 14:00:48 2010
From: joe.abley at icann.org (Joe Abley)
Date: Fri, 18 Jun 2010 19:00:48 +0000
Subject: Root Zone DNSSEC Deployment Technical Status Update
Message-ID:

Root Zone DNSSEC Deployment Technical Status Update
2010-06-18

This is the ninth of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS.

RESOURCES

Details of the project, including documentation published to date, can be found at .

We'd like to hear from you. If you have feedback for us, please send it to rootsign at icann.org.

KSK CEREMONY 1 COMPLETE

The first KSK ceremony for the root zone was completed this week in Culpeper, VA, USA. The Ceremony Administrator was Mehmet Akcin.

The first production KSK has now been generated. This is the key that is scheduled to be put into service on 2010-07-15.

The first production Key Signing Request (KSR) generated by VeriSign has now been processed by ICANN using the root zone KSK, and the resulting Signed Key Response (SKR) has been accepted by VeriSign. This SKR contains signatures for Q3 2010, for use between 2010-07-01 and 2010-09-30.

Audit materials relating to the first ceremony will be published as soon as is practical, and in particular before 2010-07-15.

The KSK and SKR generated during this ceremony will not be approved for production until the KSK key pair has been successfully transported to ICANN's west-coast ceremony facility in El Segundo, CA, USA, and placed in secure storage.

KSK CEREMONY 2 SCHEDULED

The second KSK ceremony for the root zone is scheduled to take place in El Segundo, CA, USA on 2010-07-12.
Replication of key materials onto west-coast HSMs, enrolment of west-coast crypto officers and processing of the Q4 2010 KSR (for production use between 2010-10-01 and 2010-12-31) will take place during this ceremony.

PLANNED DEPLOYMENT SCHEDULE

Already completed:

2010-01-27: L starts to serve DURZ
2010-02-10: A starts to serve DURZ
2010-03-03: M, I start to serve DURZ
2010-03-24: D, K, E start to serve DURZ
2010-04-14: B, H, C, G, F start to serve DURZ
2010-05-05: J starts to serve DURZ
2010-06-16: First Key Signing Key (KSK) Ceremony

To come:

2010-07-12: Second Key Signing Key (KSK) Ceremony
2010-07-15: Distribution of validatable, production, signed root zone; publication of root zone trust anchor

(Please note that this schedule is tentative and subject to change based on testing results or other unforeseen factors.)

From james at freedomnet.co.nz Fri Jun 18 15:05:18 2010
From: james at freedomnet.co.nz (James Jones)
Date: Fri, 18 Jun 2010 16:05:18 -0400
Subject: Internet Kill Switch.
In-Reply-To: <4C429056.8000703@cox.net>
References: <4C428A4B.7030700@cox.net> <4C428C16.7010806@cox.net> <4C429056.8000703@cox.net>
Message-ID: <4C1BD17E.20203@freedomnet.co.nz>

Looks like they are trying to squeeze both ends.

http://www.crn.com/networking/225700593;jsessionid=IR3YB1SGLW2BHQE1GHPSKH4ATMY32JVN

On 18/07/10 1:25 AM, Larry Sheldon wrote:
> On 6/18/2010 00:16, Tom Wright wrote:
>
>> What ever happened to this?
>>
>> http://www.ietf.org/rfc/rfc3271.txt
>>
> Every thing in that RFC from enabling freedom of speech to high volumes
> of untaxed dollars is anathema to the current administration.
>
> And yeah, that is politics and not BGP fine tuning.
>
> But if we don't take an interest in what they are doing, BGP isn't going
> to matter much.
>
> So, yes, this is a call to look at the layer 10 stuff a bit.
>
> If it isn't already too late.
>
> I've said my piece, moderators. Stand down.
From mruiz at lstfinancial.com Fri Jun 18 15:13:08 2010
From: mruiz at lstfinancial.com (Mike Ruiz)
Date: Fri, 18 Jun 2010 15:13:08 -0500
Subject:
Message-ID: <16E58A1FE7C64A46BAD0FE1558C43D92FE1337@es1.ic-sa.com>

Ok here we go. I know the subject is a little ambiguous, please allow me to explain.

I have a network of 192.168.1.0/24 and I need it to reach a network 10.0.1.0/27 only when it needs to be accessed by specific machines that reside on the 192.168.1.0/24 network.

192.168.1.10 -> NAT -> 10.0.1.10 -> route that packet to 10.0.1.1.

I only want specific hosts to route to that specific /27 network.

Any help would be appreciated. So far what I have gathered is only for VPN connections but I do not want to build a VPN. Thank you again in advance.

Michael Ruiz
Network Engineer

"If you tell people where to go, but not how to get there, you'll be amazed at the results." -- General George S. Patton Jr.

From khomyakov.andrey at gmail.com Fri Jun 18 15:25:19 2010
From: khomyakov.andrey at gmail.com (Andrey Khomyakov)
Date: Fri, 18 Jun 2010 16:25:19 -0400
Subject:
In-Reply-To: <16E58A1FE7C64A46BAD0FE1558C43D92FE1337@es1.ic-sa.com>
References: <16E58A1FE7C64A46BAD0FE1558C43D92FE1337@es1.ic-sa.com>
Message-ID:

Do you mean you want certain addresses on /24 to NAT out to /27, but not all of them? Sounds like an ACL will do:
http://articles.techrepublic.com.com/5100-10878_11-1039094.html

-ak

On Fri, Jun 18, 2010 at 4:13 PM, Mike Ruiz wrote:
> Ok here we go. I know the subject is a little ambiguous, please allow me to
> explain.
>
> I have a network of 192.168.1.0/24 and I need it to reach a network
> 10.0.1.0/27 only when it needs to be accessed by specific machines that
> reside on the 192.168.1.0/24 network.
>
> 192.168.1.10 -> NAT -> 10.0.1.10 -> route that packet to 10.0.1.1.
>
> I only want specific hosts to route to that specific /27 network.
>
> Any help would be appreciated.
> So far what I have gathered is only for VPN
> connections but I do not want to build a VPN. Thank you again in advance.
>
> Michael Ruiz
> Network Engineer
>
> "If you tell people where to go, but not how to get there, you'll be amazed
> at the results." -- General George S. Patton Jr.

--
Andrey Khomyakov
[khomyakov.andrey at gmail.com]

From michael.holstein at csuohio.edu Fri Jun 18 15:34:23 2010
From: michael.holstein at csuohio.edu (Michael Holstein)
Date: Fri, 18 Jun 2010 16:34:23 -0400
Subject:
In-Reply-To: <16E58A1FE7C64A46BAD0FE1558C43D92FE1337@es1.ic-sa.com>
References: <16E58A1FE7C64A46BAD0FE1558C43D92FE1337@es1.ic-sa.com>
Message-ID: <4C1BD84F.6080603@csuohio.edu>

> 192.168.1.10 -> NAT -> 10.0.1.10 -> route that packet to 10.0.1.1.
>
> I only want specific hosts to route to that specific /27 network.
>

Cisco's route-map can do this (policy based routing .. define an ACL to match and then route accordingly):

https://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml

Cheers,

Michael Holstein
Cleveland State University

From mruiz at lstfinancial.com Fri Jun 18 15:38:48 2010
From: mruiz at lstfinancial.com (Mike Ruiz)
Date: Fri, 18 Jun 2010 15:38:48 -0500
Subject:
In-Reply-To:
References: <16E58A1FE7C64A46BAD0FE1558C43D92FE1337@es1.ic-sa.com>
Message-ID: <16E58A1FE7C64A46BAD0FE1558C43D92FE133B@es1.ic-sa.com>

Also this 192.168.1.0/24 needs to have access to my other prefixes. It only needs to be NAT'd when it needs to connect to that specific network.

From: Andrey Khomyakov [mailto:khomyakov.andrey at gmail.com]
Sent: Friday, June 18, 2010 3:25 PM
To: Mike Ruiz
Cc: nanog at nanog.org
Subject: Re:

Do you mean you want certain addresses on /24 to NAT out to /27, but not all of them? Sounds like an ACL will do:
http://articles.techrepublic.com.com/5100-10878_11-1039094.html

-ak

On Fri, Jun 18, 2010 at 4:13 PM, Mike Ruiz wrote:

Ok here we go. I know the subject is a little ambiguous, please allow me to explain.
I have a network of 192.168.1.0/24 and I need it to reach a network 10.0.1.0/27 only when it needs to be accessed by specific machines that reside on the 192.168.1.0/24 network.

192.168.1.10 -> NAT -> 10.0.1.10 -> route that packet to 10.0.1.1.

I only want specific hosts to route to that specific /27 network.

Any help would be appreciated. So far what I have gathered is only for VPN connections but I do not want to build a VPN. Thank you again in advance.

Michael Ruiz
Network Engineer

"If you tell people where to go, but not how to get there, you'll be amazed at the results." -- General George S. Patton Jr.

--
Andrey Khomyakov
[khomyakov.andrey at gmail.com]

From jgreco at ns.sol.net Fri Jun 18 15:55:45 2010
From: jgreco at ns.sol.net (Joe Greco)
Date: Fri, 18 Jun 2010 15:55:45 -0500 (CDT)
Subject: Experience with the Dell PowerConnect 8024F - compare to the
In-Reply-To: <1276877370.7682.55.camel@petrie> from "William Pitcock" at Jun 18, 2010 11:09:30 AM
Message-ID: <201006182055.o5IKtjF7093879@aurora.sol.net>

> Dell switches are usually Foundry gear relabeled, so it should be ok.
> We are using Dell switches alongside actual Foundry gear in a cloud
> environment and have had no problems.

Maybe I haven't looked recently enough, but that wasn't quite the way it worked last time I checked.

For example, Accton manufactured the ES4624. Dell sold this as the PowerConnect 5224, SMC sold this as the 8624T, Foundry sold this as the EdgeIron 24G, 3Com sold this as the 3824, etc.

I've picked that older example simply due to the sheer number of manufacturers doing this that I had correlated at one point, but it was clearly NOT a Foundry switch that got rebadged as the 5224.

If this has changed, it suggests good things about Dell's switches, but my last serious look at Dell was where I was rapidly told a bunch of conflicting information about the 6224, only the worst of which turned out to be true (only supports a handful of IPv6 routes).

...
JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.

From mpetach at netflight.com Fri Jun 18 16:21:09 2010
From: mpetach at netflight.com (Matthew Petach)
Date: Fri, 18 Jun 2010 14:21:09 -0700
Subject: Internet Kill Switch.
In-Reply-To:
References: <4C428A4B.7030700@cox.net> <4C428C16.7010806@cox.net>
Message-ID:

On Thu, Jun 17, 2010 at 10:16 PM, Tom Wright wrote:
> What ever happened to this?
>
> http://www.ietf.org/rfc/rfc3271.txt
>
> -- Tom

Unfortunately, I think Vint was a little optimistic there, and failed to guess at the impact the financial collapse was going to have on our rate of innovation and progress:

"By 2008 we should have a well-functioning Earth-Mars network that serves as a nascent backbone of an inter-planetary system of Internets - InterPlaNet is a network of Internets!"

He also seemed to miss one of the really, REALLY important points; if "Internet is for everyone" were really true, then IPv6 adoption should have been one of his driving points. After all with a world population of 7 billion, you certainly can't have "Internet [...] for everyone" with only 4 billion IP addresses, unless you put a *lot* of NAT in place.

But on the whole, other than being a bit dated at this point, it's still an inspiring read.

Matt

From rmoseley at softlayer.com Fri Jun 18 16:32:15 2010
From: rmoseley at softlayer.com (Ric Moseley)
Date: Fri, 18 Jun 2010 16:32:15 -0500
Subject: DC rectifier
Message-ID: <98E72206041B1B408D3F92E91E80BF180FF62C59@slmail101.softlayer.local>

Anyone have any recommendations on a DC rectifier shelf? Been looking at Valere but the lead time is 4-6 weeks (which is too long).

Thanks.

Ric.
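Picking up Mike Ruiz's untitled question from earlier in this digest (translate 192.168.1.10 to 10.0.1.10 only when it talks to 10.0.1.0/27, hand that traffic to 10.0.1.1, and leave the rest of 192.168.1.0/24 untranslated toward his other prefixes): the ACL pointer from Andrey Khomyakov and the route-map pointer from Michael Holstein combine into a configuration along these lines. This is an added example in Cisco IOS syntax, not configuration anyone posted in the thread; the interface names, the router's own addresses, the second permitted host and the ACL, pool and route-map names are all assumptions.

```cisco
! Added example, not from the thread. Interface names and router addresses are assumed.
!
! 1. Match only the hosts allowed to reach the /27, and only for that destination.
!    The explicit deny keeps every other flow out of both NAT and policy routing,
!    so the rest of 192.168.1.0/24 still reaches the other prefixes untranslated.
ip access-list extended HOSTS-TO-LAB
 permit ip host 192.168.1.10 10.0.1.0 0.0.0.31
 permit ip host 192.168.1.11 10.0.1.0 0.0.0.31
 deny   ip any any
!
! 2. Conditional NAT: sources matched by the ACL are translated to 10.0.1.10
!    (PAT, so more than one inside host can share it). Traffic the ACL does not
!    permit is routed normally and never translated.
ip nat pool LAB-POOL 10.0.1.10 10.0.1.10 netmask 255.255.255.224
ip nat inside source list HOSTS-TO-LAB pool LAB-POOL overload
!
! 3. Policy-based routing for the same flows: force the next hop to 10.0.1.1
!    regardless of what the routing table would otherwise pick. The route-map is
!    applied on the inside interface, before translation, so the ACL still sees
!    the original 192.168.1.x source address.
route-map PBR-TO-LAB permit 10
 match ip address HOSTS-TO-LAB
 set ip next-hop 10.0.1.1
!
interface GigabitEthernet0/0
 description Inside: 192.168.1.0/24 (assumed)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip policy route-map PBR-TO-LAB
!
interface GigabitEthernet0/1
 description Outside: segment holding 10.0.1.1 (assumed)
 ip address 10.0.1.2 255.255.255.224
 ip nat outside
```

`show ip nat translations` lists the entries created for the permitted hosts, and `show route-map PBR-TO-LAB` shows how many packets the policy matched; a host that is not being translated almost always means it is missing from the ACL or `ip nat inside` is on the wrong interface. With the /27 directly connected on the outside interface as assumed here, the route-map is only needed if 10.0.1.1 genuinely has to be the next hop for those packets; otherwise leave out the `ip policy route-map` line and let the connected route deliver them, keeping the ACL as the single control over which hosts are translated.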
From sethm at rollernet.us Fri Jun 18 16:32:33 2010
From: sethm at rollernet.us (Seth Mattinen)
Date: Fri, 18 Jun 2010 14:32:33 -0700
Subject: Experience with the Dell PowerConnect 8024F - compare to the
In-Reply-To: <201006182055.o5IKtjF7093879@aurora.sol.net>
References: <201006182055.o5IKtjF7093879@aurora.sol.net>
Message-ID: <4C1BE5F1.8080207@rollernet.us>

On 6/18/2010 13:55, Joe Greco wrote:
>> Dell switches are usually Foundry gear relabeled, so it should be ok.
>> We are using Dell switches alongside actual Foundry gear in a cloud
>> environment and have had no problems.
>
> Maybe I haven't looked recently enough, but that wasn't quite the way
> it worked last time I checked.
>
> For example, Accton manufactured the ES4624. Dell sold this as the
> PowerConnect 5224, SMC sold this as the 8624T, Foundry sold this as
> the EdgeIron 24G, 3Com sold this as the 3824, etc.
>
> I've picked that older example simply due to the sheer number of
> manufacturers doing this that I had correlated at one point, but it
> was clearly NOT a Foundry switch that got rebadged as the 5224.
>
> If this has changed, it suggests good things about Dell's switches,
> but my last serious look at Dell was where I was rapidly told a bunch
> of conflicting information about the 6224, only the worst of which
> turned out to be true (only supports a handful of IPv6 routes).
>

There's also another factor: you may not have any idea whose rebranded switch you're getting when you buy a Dell switch. Maybe it's Foundry in batch X, but it might not be in batch Y.
~Seth

From jgreco at ns.sol.net Fri Jun 18 16:43:20 2010
From: jgreco at ns.sol.net (Joe Greco)
Date: Fri, 18 Jun 2010 16:43:20 -0500 (CDT)
Subject: Experience with the Dell PowerConnect 8024F - compare to the
In-Reply-To: <4C1BE5F1.8080207@rollernet.us> from "Seth Mattinen" at Jun 18, 2010 02:32:33 PM
Message-ID: <201006182143.o5ILhKue099805@aurora.sol.net>

> There's also another factor: you may not have any idea whose rebranded
> switch you're getting when you buy a Dell switch. Maybe it's Foundry in
> batch X, but it might not be in batch Y.

Is there any evidence that this happens within a model? I find it hard to believe. I can see differences from one model to the next, but from one batch to the next? When they went from the 5224 to the 5324, I believe that was a mfr changeout, but it was accompanied by a new model number.

I hear your paranoia though. ;-)

By the way, I know that for a while, Foundry wasn't building their own low-end switches, which was how that Foundry 24G model came to be... are they still doing that, or did they start making their own gear again? I've had some old FWS24's for maybe 15 years and the one thing I can say is that the stuff just doesn't seem to fail, even though I don't really have a good use for them anymore.

...

JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
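The CIDR Report further down in this digest states that it proposes aggregation only where there is a precise match on the AS path (so transit policy is preserved) and that it also proposes aggregates across unannounced holes. The following is an added Python illustration of that rule, written for this digest; it is not the report's own code, which is not on the page. The sample table is constructed from documentation prefixes and private ASNs, and the cap on how far a supernet may grow (max_steps) is a simplification assumed here, not something the report describes.

```python
import ipaddress
from collections import defaultdict

# Constructed sample routing table (documentation prefixes, private ASNs); not
# data from the report. Each entry: (prefix, AS path seen at the observation point).
SAMPLE_TABLE = [
    ("192.0.2.0/25",     (64500, 64496)),
    ("192.0.2.128/25",   (64500, 64496)),
    ("198.51.100.0/24",  (64500, 64496)),
    ("198.51.102.0/24",  (64500, 64496)),   # 198.51.101.0/24 is an unannounced hole
    ("203.0.113.0/25",   (64500, 64496)),
    ("203.0.113.128/25", (64500, 64497)),   # different origin: must not be absorbed
]


def propose_aggregates(table, max_steps=8):
    """Return {as_path: sorted list of prefixes after proposed aggregation}.

    Simplified form of the report's rule: prefixes are merged into a covering
    supernet only when every announced prefix inside that supernet carries the
    same AS path, which is what preserves transit policy. Unannounced space
    inside the supernet (a hole) does not block the merge. max_steps caps how
    many bits shorter than the starting prefix a supernet may be; that cap is
    an assumption made here to keep the search realistic, not part of the report.
    """
    nets = [(ipaddress.ip_network(p), path) for p, path in table]
    groups = defaultdict(set)
    for net, path in nets:
        groups[path].add(net)

    result = {}
    for path, prefixes in groups.items():
        foreign = [net for net, other in nets if other != path]
        current = set(prefixes)
        merged = True
        while merged:
            merged = False
            for net in sorted(current):
                for step in range(1, min(max_steps, net.prefixlen) + 1):
                    parent = net.supernet(new_prefix=net.prefixlen - step)
                    covered = [c for c in current if c.subnet_of(parent)]
                    if len(covered) < 2:
                        continue      # supernet saves nothing yet; try a shorter prefix
                    if any(f.subnet_of(parent) for f in foreign):
                        break         # would swallow a prefix with a different AS path
                    current -= set(covered)
                    current.add(parent)
                    merged = True
                    break
                if merged:
                    break             # restart the scan over the updated set
        result[path] = sorted(current)
    return result


def aggregation_summary(table, max_steps=8):
    """(NetsNow, NetsAggr, NetGain) in the report's column terms."""
    nets_now = len(table)
    nets_aggr = sum(len(v) for v in propose_aggregates(table, max_steps).values())
    return nets_now, nets_aggr, nets_now - nets_aggr


if __name__ == "__main__":
    for path, prefixes in propose_aggregates(SAMPLE_TABLE).items():
        print(path, [str(p) for p in prefixes])
    print("NetsNow/NetsAggr/NetGain:", aggregation_summary(SAMPLE_TABLE))
```

On the sample table the two /25s under 192.0.2.0/24 merge, 198.51.100.0/24 and 198.51.102.0/24 merge into 198.51.100.0/22 across the unannounced 198.51.101.0/24 hole, and 203.0.113.0/25 is left alone because its sibling /25 carries a different origin, which is exactly the "precise match using the AS path" restriction; aggregation_summary returns NetsNow 6, NetsAggr 4, NetGain 2, mirroring the report's columns.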
From cidr-report at potaroo.net Fri Jun 18 17:00:02 2010
From: cidr-report at potaroo.net (cidr-report at potaroo.net)
Date: Fri, 18 Jun 2010 22:00:02 GMT
Subject: BGP Update Report
Message-ID: <201006182200.o5IM02Bf052562@wattle.apnic.net>

BGP Update Report
Interval: 10-Jun-10 -to- 17-Jun-10 (7 days)
Observation Point: BGP Peering with AS131072

TOP 20 Unstable Origin AS
Rank  ASN      Upds   %     Upds/Pfx  AS-Name
 1 -  AS18910  56844  4.0%  3552.8 -- BIG-SANDY-BROADBAND-INC - Big Sandy Broadband Inc
 2 -  AS30890  49269  3.4%   114.0 -- EVOLVA Evolva Telecom s.r.l.
 3 -  AS24400  39087  2.7%  3257.2 -- CMNET-V4SHANGHAI-AS-AP Shanghai Mobile Communications Co.,Ltd.
 4 -  AS9808   38703  2.7%    82.7 -- CMNET-GD Guangdong Mobile Communication Co.Ltd.
 5 -  AS38259  16495  1.1%   634.4 -- XNET-AS-BD X-Net Limited
 6 -  AS7643   15875  1.1%    22.3 -- VNPT-AS-VN Vietnam Posts and Telecommunications (VNPT)
 7 -  AS23956  14230  1.0%   258.7 -- DHAKACOM-BD-AS Dhakacom Ltd.AS for local peering and transit.Dhaka
 8 -  AS38067  14058  1.0%   484.8 -- RADIANT-TELECOM-AP Radiant Telecommunications.
 9 -  AS35931  13586  0.9%  6793.0 -- ARCHIPELAGO - ARCHIPELAGO HOLDINGS INC
10 -  AS14420  12852  0.9%    27.6 -- CORPORACION NACIONAL DE TELECOMUNICACIONES CNT S.A.
11 -  AS24342  12018  0.8%   235.6 -- BRAC-BDMAIL-AS-BD BRAC BDMail Network Ltd.
12 -  AS17494  11810  0.8%   536.8 -- BTTB-AS-AP Telecom Operator & Internet Service Provider as well
13 -  AS32528  11616  0.8%  2904.0 -- ABBOTT Abbot Labs
14 -  AS9829   10962  0.8%    34.3 -- BSNL-NIB National Internet Backbone
15 -  AS10474  10538  0.7%   810.6 -- NETACTIVE
16 -  AS36992   9575  0.7%    15.2 -- ETISALAT-MISR
17 -  AS8452    9254  0.6%    10.4 -- TEDATA TEDATA
18 -  AS22646   9117  0.6%    66.1 -- HARCOM1 - Hargray Communications Group, Inc.
19 -  AS37204   8944  0.6%   894.4 -- TELONE
20 -  AS45464   8593  0.6%   175.4 -- NEXTWEB-AS-AP Room 201, TGU Bldg

TOP 20 Unstable Origin AS (Updates per announced prefix)
Rank  ASN      Upds   %     Upds/Pfx  AS-Name
 1 -  AS35931  13586  0.9%  6793.0 -- ARCHIPELAGO - ARCHIPELAGO HOLDINGS INC
 2 -  AS18910  56844  4.0%  3552.8 -- BIG-SANDY-BROADBAND-INC - Big Sandy Broadband Inc
 3 -  AS24400  39087  2.7%  3257.2 -- CMNET-V4SHANGHAI-AS-AP Shanghai Mobile Communications Co.,Ltd.
 4 -  AS32528  11616  0.8%  2904.0 -- ABBOTT Abbot Labs
 5 -  AS30402   4494  0.3%  2247.0 -- HARRIS - Harris Interactive Inc.
 6 -  AS27873   1774  0.1%  1774.0 -- Compañia Goly, S.A.
 7 -  AS38246   1420  0.1%  1420.0 -- SFONE-AS-VN CDMA Mobile Phone Center (S-FONE)
 8 -  AS37204   8944  0.6%   894.4 -- TELONE
 9 -  AS10474  10538  0.7%   810.6 -- NETACTIVE
10 -  AS38267   5506  0.4%   688.2 -- FIBRENET-BD-AS-AP FibreNet Communications Ltd.,
11 -  AS38272    649  0.1%   649.0 -- SONARGAONONLINE-BD-AS-AP Sonargaon Online Services
12 -  AS11613    642  0.0%   642.0 -- U-SAVE - U-Save Auto Rental of America, Inc.
13 -  AS38259  16495  1.1%   634.4 -- XNET-AS-BD X-Net Limited
14 -  AS5864     615  0.0%   615.0 -- DNIC-ASBLK-05800-06055 - DoD Network Information Center
15 -  AS48861   1212  0.1%   606.0 -- APAGA "Apaga Technologies" CJSC AS
16 -  AS38137    602  0.0%   602.0 -- CPMBLUE-AS-BD CPM BLUE ONLINE LTD.Transit AS Internet Service Provider, Dhaka
17 -  AS9825     600  0.0%   600.0 -- SDNP-BD-AS Sustainable Development Networking Program
18 -  AS38555   1765  0.1%   588.3 -- LINKBD TRULY BROADBAND Broadband ISP
19 -  AS38011   2349  0.2%   587.2 -- GAL-AS-BD Global Access Ltd,Internet and Data Communication
20 -  AS50980   2314  0.2%   578.5 -- BITINFO BitInfo Centar, Mladenovac, Serbia

TOP 20 Unstable Prefixes
Rank  Prefix            Upds   %     Origin AS -- AS Name
 1 -  196.2.16.0/24     10461  0.7%  AS10474 -- NETACTIVE
 2 -  198.140.43.0/24    8558  0.6%  AS35931 -- ARCHIPELAGO - ARCHIPELAGO HOLDINGS INC
 3 -  111.10.2.0/24      7457  0.5%  AS9808  -- CMNET-GD Guangdong Mobile Communication Co.Ltd.
 4 -  111.10.3.0/24      7456  0.5%  AS9808  -- CMNET-GD Guangdong Mobile Communication Co.Ltd.
 5 -  111.10.1.0/24      7448  0.5%  AS9808  -- CMNET-GD Guangdong Mobile Communication Co.Ltd.
 6 -  111.10.4.0/24      7447  0.5%  AS9808  -- CMNET-GD Guangdong Mobile Communication Co.Ltd.
 7 -  111.10.0.0/24      7445  0.5%  AS9808  -- CMNET-GD Guangdong Mobile Communication Co.Ltd.
 8 -  117.131.0.0/17     6839  0.5%  AS24400 -- CMNET-V4SHANGHAI-AS-AP Shanghai Mobile Communications Co.,Ltd.
 9 -  120.204.0.0/16     6731  0.4%  AS24400 -- CMNET-V4SHANGHAI-AS-AP Shanghai Mobile Communications Co.,Ltd.
10 -  190.65.228.0/22    5837  0.4%  AS3816  -- COLOMBIA TELECOMUNICACIONES S.A. ESP
11 -  130.36.35.0/24     5802  0.4%  AS32528 -- ABBOTT Abbot Labs
12 -  130.36.34.0/24     5801  0.4%  AS32528 -- ABBOTT Abbot Labs
13 -  63.211.68.0/22     5028  0.3%  AS35931 -- ARCHIPELAGO - ARCHIPELAGO HOLDINGS INC
14 -  117.136.8.0/24     4508  0.3%  AS24400 -- CMNET-V4SHANGHAI-AS-AP Shanghai Mobile Communications Co.,Ltd.
15 -  143.138.107.0/24   4359  0.3%  AS747   -- TAEGU-AS - Headquarters, USAISC
16 -  117.135.0.0/17     4214  0.3%  AS24400 -- CMNET-V4SHANGHAI-AS-AP Shanghai Mobile Communications Co.,Ltd.
17 -  117.135.128.0/18   4214  0.3%  AS24400 -- CMNET-V4SHANGHAI-AS-AP Shanghai Mobile Communications Co.,Ltd.
18 -  221.181.64.0/18    4025  0.3%  AS24400 -- CMNET-V4SHANGHAI-AS-AP Shanghai Mobile Communications Co.,Ltd.
19 -  98.159.128.0/24    3761  0.2%  AS18910 -- BIG-SANDY-BROADBAND-INC - Big Sandy Broadband Inc
20 -  98.159.138.0/24    3541  0.2%  AS18910 -- BIG-SANDY-BROADBAND-INC - Big Sandy Broadband Inc

Details at http://bgpupdates.potaroo.net
------------------------------------
Copies of this report are mailed to:
nanog at merit.edu
eof-list at ripe.net
apops at apops.net
routing-wg at ripe.net
afnog at afnog.org

From cidr-report at potaroo.net Fri Jun 18 17:00:00 2010
From: cidr-report at potaroo.net (cidr-report at potaroo.net)
Date: Fri, 18 Jun 2010 22:00:00 GMT
Subject: The Cidr Report
Message-ID: <201006182200.o5IM00AO052556@wattle.apnic.net>

This report has been generated at Fri Jun 18 21:11:45 2010 AEST. The report analyses the BGP Routing Table of AS2.0 router and generates a report on aggregation potential within the table.

Check http://www.cidr-report.org for a current version of this report.

Recent Table History
Date      Prefixes  CIDR Agg
11-06-10  325486    201041
12-06-10  325434    201048
13-06-10  325403    201290
14-06-10  325496    201328
15-06-10  325528    201450
16-06-10  325586    201474
17-06-10  325380    201665
18-06-10  325632    201799

AS Summary
   34629  Number of ASes in routing system
   14709  Number of ASes announcing only one prefix
    4464  Largest number of prefixes announced by an AS
          AS4323 : TWTC - tw telecom holdings, inc.
96116800  Largest address span announced by an AS (/32s)
          AS4134 : CHINANET-BACKBONE No.31,Jin-rong Street

Aggregation Summary
The algorithm used in this report proposes aggregation only when there is a precise match using the AS path, so as to preserve traffic transit policies. Aggregation is also proposed across non-advertised address space ('holes').

--- 18Jun10 ---
ASnum    NetsNow  NetsAggr  NetGain  % Gain  Description
Table    326121   201754    124367   38.1%   All ASes
AS6389   3910     292       3618     92.5%   BELLSOUTH-NET-BLK - BellSouth.net Inc.
AS4323   4464     1534      2930     65.6%   TWTC - tw telecom holdings, inc.
AS4766   1847     496       1351     73.1%   KIXS-AS-KR Korea Telecom
AS22773  1166     70        1096     94.0%   ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc.
AS4755   1310     232       1078     82.3%   TATACOMM-AS TATA Communications formerly VSNL is Leading ISP
AS17488  1319     324       995      75.4%   HATHWAY-NET-AP Hathway IP Over Cable Internet
AS18566  1059     101       958      90.5%   COVAD - Covad Communications Co.
AS6478   1284     359       925      72.0%   ATT-INTERNET3 - AT&T WorldNet Services
AS8151   1522     617       905      59.5%   Uninet S.A. de C.V.
AS19262  1127     272       855      75.9%   VZGNI-TRANSIT - Verizon Internet Services Inc.
AS10620  1059     231       828      78.2%   Telmex Colombia S.A.
AS7545   1340     567       773      57.7%   TPG-INTERNET-AP TPG Internet Pty Ltd
AS8452   1163     431       732      62.9%   TEDATA TEDATA
AS5668   864      140       724      83.8%   AS-5668 - CenturyTel Internet Holdings, Inc.
AS4808   837      231       606      72.4%   CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
AS4804   678      84        594      87.6%   MPX-AS Microplex PTY LTD
AS1785   1793     1207      586      32.7%   AS-PAETEC-NET - PaeTec Communications, Inc.
AS7303   720      150       570      79.2%   Telecom Argentina S.A.
AS35805  641      88        553      86.3%   SILKNET-AS SILKNET AS
AS7018   1513     963       550      36.4%   ATT-INTERNET4 - AT&T WorldNet Services
AS4780   684      163       521      76.2%   SEEDNET Digital United Inc.
AS28573  943      432       511      54.2%   NET Servicos de Comunicao S.A.
AS4134   983      488       495      50.4%   CHINANET-BACKBONE No.31,Jin-rong Street
AS17676  573      81        492      85.9%   GIGAINFRA Softbank BB Corp.
AS9443   559      75        484      86.6%   INTERNETPRIMUS-AS-AP Primus Telecommunications
AS7011   1130     649       481      42.6%   FRONTIER-AND-CITIZENS - Frontier Communications of America, Inc.
AS33588  618      170       448      72.5%   BRESNAN-AS - Bresnan Communications, LLC.
AS7738   477      30        447      93.7%   Telecomunicacoes da Bahia S.A.
AS3356   1183     744       439      37.1%   LEVEL3 Level 3 Communications
AS24560  919      486       433      47.1%   AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
Total    37685    11707     25978    68.9%   Top 30 total

Possible Bogus Routes
31.0.0.0/16       AS12654  RIPE-NCC-RIS-AS RIPE NCC RIS project
31.1.0.0/21       AS12654  RIPE-NCC-RIS-AS RIPE NCC RIS project
31.1.24.0/24      AS12654  RIPE-NCC-RIS-AS RIPE NCC RIS project
41.222.79.0/24    AS36938  AMSCOTELECOMS Amsco Telecommunications Nigeria Limited
41.223.92.0/22    AS36936  CELTEL-GABON Celtel Gabon Internet Service
41.223.188.0/24   AS22351  INTELSAT Intelsat Global BGP Routing Policy
41.223.189.0/24   AS6453   GLOBEINTERNET TATA Communications
41.223.196.0/24   AS36990
41.223.197.0/24   AS36990
41.223.198.0/24   AS36990
41.223.199.0/24   AS36990
62.61.220.0/24    AS24974  TACHYON-EU Tachyon Europe BV
62.61.221.0/24    AS24974  TACHYON-EU Tachyon Europe BV
63.140.213.0/24   AS22555  UTC - Universal Talkware Corporation
63.143.251.0/24   AS22555  UTC - Universal Talkware Corporation
64.20.80.0/20     AS40028  SPD-NETWORK-1 - SPD NETWORK
64.82.128.0/19    AS16617  COMMUNITYISP - CISP
64.82.160.0/19    AS16617  COMMUNITYISP - CISP
66.128.38.0/24    AS15246  Telecomunicaciones Satelitales Telesat S.A.
66.180.239.0/24   AS35888  VIGNETTE - VIGNETTE CORPORATION
66.206.32.0/24    AS17787  PSEB-AS-PK Pakistan Software Export Board
66.206.33.0/24    AS17787  PSEB-AS-PK Pakistan Software Export Board
66.206.34.0/24    AS17787  PSEB-AS-PK Pakistan Software Export Board
66.206.35.0/24    AS17787  PSEB-AS-PK Pakistan Software Export Board
66.206.47.0/24    AS17557  PKTELECOM-AS-PK Pakistan Telecommunication Company Limited
66.207.32.0/20    AS23011
66.230.240.0/20   AS27286
66.241.112.0/20   AS21547  REVNETS - Revolution Networks
66.245.176.0/20   AS19318  NJIIX-AS-1 - NEW JERSEY INTERNATIONAL INTERNET EXCHANGE LLC
69.6.80.0/24      AS13442
69.6.81.0/24      AS13442
69.80.224.0/19    AS19166  ACRONOC - ACRONOC INC
71.19.134.0/23    AS3313   INET-AS I.NET S.p.A.
71.19.160.0/23    AS4648   NZIX-2 Netgate
72.22.32.0/19     AS33150
72.22.61.0/24     AS33150
72.22.62.0/24     AS33150
76.77.32.0/19     AS2828   XO-AS15 - XO Communications
80.88.10.0/24     AS33774  DJAWEB
80.88.12.0/24     AS33779  wataniya-telecom-as
110.34.44.0/22    AS12653  COMTONET KB Impuls Hellas
110.173.64.0/19   AS37963  CNNIC-ALIBABA-CN-NET-AP Alibaba (China) Technology Co., Ltd.
117.120.56.0/21   AS4755   TATACOMM-AS TATA Communications formerly VSNL is Leading ISP
121.46.0.0/16     AS4134   CHINANET-BACKBONE No.31,Jin-rong Street
121.50.168.0/21   AS9931   CAT-AP The Communication Authoity of Thailand, CAT
158.222.70.0/23   AS6137   SISNA - SISNA, Inc.
158.222.72.0/23   AS6137   SISNA - SISNA, Inc.
158.222.224.0/20  AS19864  O1COMM - O1 COMMUNICATIONS
158.222.224.0/22  AS19864  O1COMM - O1 COMMUNICATIONS
158.222.229.0/24  AS19864  O1COMM - O1 COMMUNICATIONS
176.0.0.0/16      AS12654  RIPE-NCC-RIS-AS RIPE NCC RIS project
176.1.0.0/21      AS12654  RIPE-NCC-RIS-AS RIPE NCC RIS project
176.1.24.0/24     AS12654  RIPE-NCC-RIS-AS RIPE NCC RIS project
181.0.0.0/8       AS237    MERIT-AS-14 - Merit Network Inc.
190.102.32.0/20   AS30058  ACTIVO-SYSTEMS-AS30058 ACTIVO-SYSTEMS-AS30058
190.104.32.0/21   AS27882  Telefónica Celular de Bolivia S.A.
192.9.0.0/16      AS11479  BRM-SUN-AS - Sun Microsystems, Inc
192.64.85.0/24    AS1759   TSF-IP-CORE TeliaSonera Finland IP Network
192.69.108.0/24   AS1759   TSF-IP-CORE TeliaSonera Finland IP Network
192.70.164.0/24   AS25689  NRCNET-AS - National Research Council of Canada
192.101.45.0/24   AS2905   TICSA-ASN
192.101.46.0/24   AS6503   Axtel, S.A.B. de C. V.
192.101.64.0/21   AS702    AS702 Verizon Business EMEA - Commercial IP service provider in Europe
192.101.70.0/24   AS701    UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
192.101.71.0/24   AS701    UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
192.101.72.0/24   AS702    AS702 Verizon Business EMEA - Commercial IP service provider in Europe
192.101.74.0/24   AS1239   SPRINTLINK - Sprint
192.124.248.0/23  AS680    DFN-IP service X-WiN
192.124.252.0/22  AS680    DFN-IP service X-WiN
192.131.233.0/24  AS6389   BELLSOUTH-NET-BLK - BellSouth.net Inc.
192.139.3.0/24    AS23184  PERSONA - PERSONA COMMUNICATIONS INC.
192.154.32.0/19   AS81     NCREN - MCNC
192.154.64.0/19   AS81     NCREN - MCNC
192.188.208.0/20  AS27064  DNIC-ASBLK-27032-27159 - DoD Network Information Center
196.2.224.0/22    AS24863  LINKdotNET-AS
196.6.108.0/24    AS5713   SAIX-NET
196.13.201.0/24   AS2018   TENET-1
196.13.202.0/24   AS2018   TENET-1
196.13.203.0/24   AS2018   TENET-1
196.13.204.0/24   AS2018   TENET-1
196.110.105.0/24  AS8513   SKYVISION SkyVision Network Services
196.201.248.0/24  AS30991  SAHANNET Sahannet AS Network
196.201.249.0/24  AS30991  SAHANNET Sahannet AS Network
196.201.250.0/24  AS30991  SAHANNET Sahannet AS Network
196.201.251.0/24  AS30991  SAHANNET Sahannet AS Network
196.201.253.0/24  AS30991  SAHANNET Sahannet AS Network
196.201.255.0/24  AS30991  SAHANNET Sahannet AS Network
196.202.224.0/21  AS8818   TELE Greenland Autonomous System
198.1.2.0/24      AS4761   INDOSAT-INP-AP INDOSAT Internet Network Provider
198.23.26.0/24    AS33052  VZUNET - Verizon Data Services LLC
198.51.100.0/24   AS16953  ASCENT-MEDIA-GROUP-LLC - Ascent Media Group, LLC
198.73.210.0/24   AS21570  ACI-1 - Accelerated Connections Inc.
198.74.38.0/24    AS16966  SBCIDC-LSAN03 - AT&T Internet Services
198.74.39.0/24    AS16966  SBCIDC-LSAN03 - AT&T Internet Services
198.74.40.0/24    AS16966  SBCIDC-LSAN03 - AT&T Internet Services
198.97.72.0/21    AS27064  DNIC-ASBLK-27032-27159 - DoD Network Information Center
198.97.96.0/19    AS27064  DNIC-ASBLK-27032-27159 - DoD Network Information Center
198.97.240.0/20   AS27064  DNIC-ASBLK-27032-27159 - DoD Network Information Center
198.99.241.0/24   AS11797  AC-NIELSEN-AS AC NIELSEN
198.135.236.0/24  AS4358   XNET - XNet Information Systems, Inc.
198.161.87.0/24   AS6539   GT-BELL - Bell Canada
198.163.214.0/24  AS21804  ACCESS-SK - Access Communications Co-operative Limited
198.167.0.0/16    AS7456   INTERHOP - Interhop Network SERVICES Inc.
198.168.0.0/16    AS701    UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
198.169.0.0/16    AS803    SASKTEL - Saskatchewan Telecommunications
198.180.198.0/24  AS23715  SEOUL-INTGW-GXS-AP Global Exchange Services
198.182.235.0/24  AS3356   LEVEL3 Level 3 Communications
199.10.0.0/16     AS27064  DNIC-ASBLK-27032-27159 - DoD Network Information Center
199.16.32.0/19    AS6389   BELLSOUTH-NET-BLK - BellSouth.net Inc.
199.26.183.0/24   AS701    UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
199.121.0.0/16    AS27064  DNIC-ASBLK-27032-27159 - DoD Network Information Center
199.123.16.0/20   AS27064  DNIC-ASBLK-27032-27159 - DoD Network Information Center
199.185.130.0/23  AS19662  UNISERVE-ONLINE - Uniserve On Line
199.202.0.0/16    AS701    UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
199.202.216.0/21  AS577    BACOM - Bell Canada
199.233.92.0/24   AS26896  D102-ITC - Data 102, LLC
199.245.188.0/24  AS16582  NEXTLEVELINTERNET - NEXTLEVEL INTERNET, INC.
199.246.116.0/24  AS813    UUNET-CANADA - MCI Communications Services, Inc. d/b/a Verizon Business
199.248.230.0/24  AS16582  NEXTLEVELINTERNET - NEXTLEVEL INTERNET, INC.
200.1.112.0/24    AS29754  GO2TEL GO2TEL.COM INC.
200.108.176.0/20  AS14551  UUNET-SA - MCI Communications Services, Inc. d/b/a Verizon Business
202.9.55.0/24     AS2764   AAPT AAPT Limited
202.9.57.0/24     AS2764   AAPT AAPT Limited
202.38.63.0/24    AS17557  PKTELECOM-AS-PK Pakistan Telecommunication Company Limited
202.58.113.0/24   AS19161
202.61.75.0/24    AS9927   PHILCOMNET-PH A Multihomed ISP Company
202.66.128.0/18   AS9584   GENESIS-AP Diyixian.com Limited
202.66.160.0/19   AS9584   GENESIS-AP Diyixian.com Limited
202.66.160.0/20   AS9584   GENESIS-AP Diyixian.com Limited
202.66.176.0/20   AS9584   GENESIS-AP Diyixian.com Limited
202.66.184.0/24   AS9584   GENESIS-AP Diyixian.com Limited
202.66.186.0/24   AS9584   GENESIS-AP Diyixian.com Limited
202.66.188.0/24   AS9584   GENESIS-AP Diyixian.com Limited
202.66.189.0/24   AS9584   GENESIS-AP Diyixian.com Limited
202.66.190.0/24   AS9584   GENESIS-AP Diyixian.com Limited
202.73.144.0/20   AS4788   TMNET-AS-AP TM Net, Internet Service Provider
202.80.192.0/20   AS2706   PI-HK Pacnet Internet (Hong Kong) Limited
202.86.252.0/22   AS4748   RESOLINK-AS-AP Resources Link Network Limited
202.86.252.0/24   AS9304   HUTCHISON-AS-AP Hutchison Global Communications
202.86.253.0/24   AS9304   HUTCHISON-AS-AP Hutchison Global Communications
202.86.254.0/24   AS9304   HUTCHISON-AS-AP Hutchison Global Communications
202.86.255.0/24   AS9304   HUTCHISON-AS-AP Hutchison Global Communications
202.94.1.0/24     AS4808   CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
202.133.37.0/24   AS17557  PKTELECOM-AS-PK Pakistan Telecommunication Company Limited
202.133.70.0/24   AS38616  WORLDCALL-AS-KHI Worldcall Telecom Limited
202.133.73.0/24   AS38616  WORLDCALL-AS-KHI Worldcall Telecom Limited
202.136.254.0/24  AS4808   CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
202.136.255.0/24  AS4808   CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
202.150.227.0/24  AS17727  NAPINFO-AS-AP PT. NAP Info Lintas Nusa
202.174.70.0/24   AS21175  WIS Wind International Services SA
202.174.125.0/24  AS9498   BBIL-AP BHARTI Airtel Ltd.
202.176.1.0/24 AS9942 COMINDICO-AP SOUL Converged Communications Australia
202.179.130.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited
202.179.131.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited
202.179.133.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited
202.179.134.0/24 AS23966 LDN-AS-PK LINKdotNET Telecom Limited
202.179.144.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited
202.179.149.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited
202.179.150.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited
202.181.32.0/24 AS4645 ASN-HKNET-AP HKNet Co. Ltd
203.12.45.0/24 AS4854 NETSPACE-AS-AP Netspace Online Systems
203.62.0.0/17 AS7575 AARNET-AS-AP Australian Academic and Reasearch Network (AARNet)
203.78.48.0/20 AS9299 IPG-AS-AP Philippine Long Distance Telephone Company
203.80.136.0/21 AS4759 EVOSERVE-AS-AP EvoServe is a content and online access Internet provider company
203.112.111.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd
203.112.113.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd
203.112.114.0/24 AS4802 ASN-IINET iiNet Limited
203.112.116.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd
203.112.117.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd
203.112.118.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd
203.112.119.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd
203.112.120.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd
203.112.121.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd
203.112.127.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd
203.128.128.0/24 AS23849 CNNIC-NET263-AP Beijing Capital-online science development Co.,Ltd.
203.142.219.0/24 AS45149
204.9.216.0/23 AS6389 BELLSOUTH-NET-BLK - BellSouth.net Inc.
204.9.218.0/23 AS6389 BELLSOUTH-NET-BLK - BellSouth.net Inc.
204.10.232.0/21 AS33150
204.19.14.0/23 AS577 BACOM - Bell Canada
204.28.104.0/21 AS25973 MZIMA - Mzima Networks, Inc.
204.89.214.0/24 AS4323 TWTC - tw telecom holdings, inc.
204.197.0.0/16 AS3356 LEVEL3 Level 3 Communications
204.209.114.0/24 AS13768 PEER1 - Peer 1 Network Inc.
205.150.0.0/15 AS701 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
205.189.134.0/24 AS11814 CYBERSURF - Cybersurf Inc.
205.210.145.0/24 AS11814 CYBERSURF - Cybersurf Inc.
206.180.240.0/20 AS12083 KNOLOGY-NET - Knology Holdings
206.197.184.0/24 AS23304 DATOTEL-STL-AS - Datotel LLC, a NetLabs LLC Company
207.174.131.0/24 AS26116 INDRA - Indra's Net Inc.
207.174.132.0/23 AS26116 INDRA - Indra's Net Inc.
207.174.152.0/23 AS26116 INDRA - Indra's Net Inc.
207.174.154.0/24 AS26116 INDRA - Indra's Net Inc.
207.174.155.0/24 AS26116 INDRA - Indra's Net Inc.
207.174.188.0/24 AS26116 INDRA - Indra's Net Inc.
207.174.189.0/24 AS26116 INDRA - Indra's Net Inc.
207.174.190.0/24 AS26116 INDRA - Indra's Net Inc.
207.174.191.0/24 AS26116 INDRA - Indra's Net Inc.
207.174.200.0/24 AS22658 EARTHNET - Earthnet, Inc.
207.174.248.0/21 AS6653 PRIVATEI - privateI, LLC
207.231.96.0/19 AS11194 NUNETPA - NuNet Inc.
208.73.4.0/22 AS27630 PREMIER - Premier Innovations, LLC
208.78.164.0/24 AS16565
208.78.165.0/24 AS16565
208.78.167.0/24 AS16565
208.92.196.0/22 AS10929 NETELLIGENT - Netelligent Hosting Services Inc.
208.92.199.0/24 AS26198 3MENATWORK - 3Men at Work Integrated Networks, Inc.
209.54.123.0/24 AS6062 NETPLEX - NETPLEX
209.105.224.0/19 AS20074
209.165.239.0/24 AS209 ASN-QWEST - Qwest Communications Company, LLC
209.213.0.0/20 AS33005 ELTOPIA - Eltopia.com, LLC
209.213.1.0/24 AS7849 CROCKERCOM - CROCKER COMMUNICATIONS
209.213.4.0/24 AS7849 CROCKERCOM - CROCKER COMMUNICATIONS
210.5.128.0/20 AS4837 CHINA169-BACKBONE CNCGROUP China169 Backbone
210.56.150.0/23 AS38138 INTECH-TRANSIT-BD InTech Online Limited, INTERNET SERVICE LIMITED
210.247.224.0/19 AS7496 WEBCENTRAL-AS WebCentral
216.21.196.0/24 AS12251 INVISION - Invision.com, Inc.
216.21.201.0/24 AS12251 INVISION - Invision.com, Inc.
216.21.202.0/24 AS12251 INVISION - Invision.com, Inc.
216.21.206.0/23 AS12251 INVISION - Invision.com, Inc.
216.58.192.0/24 AS22702 X5SOLUTIONS - X5 Solutions, Inc.
216.58.197.0/24 AS22702 X5SOLUTIONS - X5 Solutions, Inc.
216.58.200.0/24 AS18530 ISOMEDIA-1 - Isomedia Inc.
216.172.198.0/24 AS22773 ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc.
216.172.199.0/24 AS22773 ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc.
216.250.112.0/20 AS7296 ALCHEMYNET - Alchemy Communications, Inc.
216.250.116.0/24 AS36066 UNI-MARKETING-ALLIANCE - Webhost4life.com

Please see http://www.cidr-report.org for the full report

------------------------------------
Copies of this report are mailed to:
nanog at merit.edu
eof-list at ripe.net
apops at apops.net
routing-wg at ripe.net
afnog at afnog.org


From zaid at zaidali.com Fri Jun 18 17:41:10 2010
From: zaid at zaidali.com (Zaid Ali)
Date: Fri, 18 Jun 2010 15:41:10 -0700
Subject: Internet Kill Switch.
In-Reply-To:
Message-ID:

On 6/18/10 2:21 PM, "Matthew Petach" wrote:

> He also seemed to miss one of the really, REALLY important points;
> if "Internet is for everyone" were really true, then IPv6 adoption should
> have been one of his driving points. After all with a world population of
> 7 billion, you certainly can't have "Internet [...] for everyone" with only
> 4 billion IP addresses, unless you put a *lot* of NAT in place.

I read "Internet is for everyone" a bit beyond IP address. When I worked in the south pacific (1996-1998) we had challenges bringing Internet to residences because Internet was considered "for the wealthy". It took my colleagues and I a long time to break down this barrier. I have seen language barriers as another reason why Internet is not adopted in many places and thanks to IDN we can see this adoption increase. Although Vint doesn't call out IPv6 in this RFC he does talk about supporting work in the IETF, IAB etc and IPv6 work has come out of such dedication by many folks on this list.
There are other challenges yet to tackle when it comes to making the Internet available to everyone, e.g. privacy. There are still folks who don't "trust" the internet so will not use it; for them we need to build a trustworthy internet. I do agree with your point that IPv6 is important and more important considering the Internet's explosive growth.

Zaid


From joelja at bogus.com Fri Jun 18 17:41:07 2010
From: joelja at bogus.com (joel jaeggli)
Date: Fri, 18 Jun 2010 15:41:07 -0700
Subject: Future of WiMax
In-Reply-To:
References: <4C192774.1050501@rollernet.us> <485ED9BA02629E4BBBA53AC892EDA50E0B32E4A7@usmsxt104.mwd.h2o>
Message-ID: <4C1BF603.2030302@bogus.com>

On 2010-06-18 10:49, Akyol, Bora A wrote:
> This is not exactly true.
>
> With the 3G networks (GSM) you can get.
>
> 7.2-Mbps HSDPA (downstream)
> 5.8-Mbps HSUPA (upstream)

3gpp rel7 hsdpa/hsupa goes about 4 fold faster than that down and twice as fast up without having to resort to mimo.

whether any of these technologies can beat a recycled 802.11n phy with time division duplex in the mac layer as far as throughput goes is very much an open question. most of what you'd consider really high throughput from lte systems comes at the expense of spectrum that is shared with a lot of other devices so don't think for a second you're going to get 170Mb/s down and 80Mb/s up.

> LTE speeds are much more comparable to Wimax.
>
>
> -----Original Message-----
> From: Holmes,David A [mailto:dholmes at mwdh2o.com]
> Sent: Thursday, June 17, 2010 10:16 AM
> To: Seth Mattinen; nanOG list
> Subject: RE: Future of WiMax
>
> For business purposes such as fixed wireless access for small branch
> offices, it would seem that Wi-Max is superior to current GSM and CDMA
> proprietary networks in that the upload/download speeds are symmetric.
> It appears that GSM and CDMA networks are based on the asymmetric low
> upload bandwidth/high download bandwidth model, thus placing severe
> restrictions on business use for fixed locations.
>
>
>


From young at jsyoung.net Fri Jun 18 18:23:54 2010
From: young at jsyoung.net (Jeff Young)
Date: Sat, 19 Jun 2010 09:23:54 +1000
Subject: Advice regarding Cisco/Juniper/HP
In-Reply-To:
References:
Message-ID: <76AC4CFF-2E90-4BE4-BC12-6CAA72DB2229@jsyoung.net>

OK, I'll throw in my $.02,

It really doesn't matter what any of us say, anecdotes from NANOG will not stop your CEO/CFO or worse your CMO from directing you to use HP. You have only two choices.

The first is to engage in "war of the PowerPoints" during which you and the HP account team inform "the people who write the checks." As most account teams are pretty good at this type of warfare, and as the war will eventually escalate into a "war of the Excel Spreadsheets" it's a pretty difficult road.

The second choice is a "war of the Lab Reports" in which you bring HP equipment into your lab and test it against the comparable Cisco/Juniper equipment. By choosing this road you get to learn all about HP and if it works in your application, you're that much closer to deploying it safely. If it won't work, you have real data which, in most cases (but not all), trumps any war of the PowerPoints your account team might start. Sometimes you even find that while the "deal" looks really good, in order to accomplish your application you'll need twice as much of Brand X and therefore, the deal isn't quite so appealing. (By the way HP, Cisco and Juniper are pretty much interchangeable in this discussion).

What CEO's, CFO's and CMO's really like to see are options. Cost and test all three.

jy

On 17/06/2010, at 11:52 PM, James Smith wrote:

> I'm looking for a little insight regarding an infrastructure purchase my
> company is considering. We are a carrier, and we're in the process of
> building a DR site. Our existing production site is all Cisco equipment
> with a little Juniper thrown into the mix. I'd like to either get the same
> Cisco equipment for the DR, or the equivalent Juniper equipment.
> We have
> skill sets for both Cisco and Juniper, so neither would be a problem to
> manage.
>
> A business issue has come up since we have a large number of HP servers for
> Unix and Wintel. With HP's recent acquisition of 3Com they are pressing
> hard to quote on the networking hardware as well, going as far as offering
> prices that are way below the equivalent Cisco and Juniper models. In
> addition they're saying they'll cut us deals on the HP servers for the DR
> site to help with the decision to go for HP Networking. Obviously to the
> people writing the cheques this carries a lot of weight.
>
> From a technical point of view, I have never worked in a shop that used HP
> or 3Com for the infrastructure. Dot-com's, telco's, bank's, hosting
> companies...I haven't seen any of them using 3com or HP. Additionally, I'm
> not fond of having to deal with a third set of equipment. I'm not exactly
> comfortable going with HP, but I'd like some data to help resolve the
> debate.
>
> So my questions to the NANOG community are: Would you recommend HP over
> Cisco or Juniper? How is HP's functionality and performance compared to
> Cisco or Juniper? Does anyone have any HP networking experiences they can
> share, good or bad?
>


From pavel.skovajsa at gmail.com Sat Jun 19 09:52:21 2010
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Sat, 19 Jun 2010 16:52:21 +0200
Subject: Advice regarding Cisco/Juniper/HP
In-Reply-To:
References: <20100617092909.I713@evil.minions.com> <609F723B44D257459ED22406AC8F286A25B6A47BD3@CDIMSXMBCL01.CDI.CDICorp.net> <4C1A6450.7080704@rollernet.us> <1276799730.7682.39.camel@petrie> <828F644E-7DD9-4058-8C7D-A76931740E73@skytap.com>
Message-ID:

To emphasise more this subject, the technical support HP Procurve is providing (for free) is more consumer level and in my opinion is one of the key differentiators from teams like Cisco TAC.
Here is a short laundry list of my experience:

For an example, a typical phone call to their help desk (only way to raise tickets with them, at least if you want a response in less than 7 days :) ends by the help desk (level 0 technical personnel) "advising" you to upgrade first, and only IF after that the issue persists they will open a ticket. The fact that you are speaking about DC switches with 200 servers does not seem to matter.

Another example is when troubleshooting spontaneous switch reloads, the help desk usually replies by saying that it "sometimes happens", suggesting to "wait a while" to see whether it will reload next time.....which I found hilarious.

Also (you already noticed) the 0th and 1st level are not very technically competent, basically they act as a firewall to upper support lines. To have the ticket "escalated" to the 2nd line they will let you fill a huge form about your whole network, with tons of irrelevant data in it - a formal barrier. Once you get there, you might actually get to troubleshooting and talk to people who really understand your issue - kudos to those. The only problem is that it takes about a week to get to them....

Another area which is a big HP Procurve disadvantage is that their CLI does not have too much troubleshooting capabilities. Things like extended ping/traceroute, extended telnet (source interfaces, packet size, sweep size) do not exist or exist only on specific platforms, not speaking about the fact that you cannot telnet to other TCP port than 23.... Also we cannot do "show ip arp " and only do "show arp" and then manually search for the IP in the 10 page output.......which tells a lot about the people who are coding the software.
Another one....the include|exclude grep statements either do not exist or only apply to certain commands like "show run".

In light of the above I don't think you would be surprised with the fact that there are almost no debug commands and the logging facility displays unneeded messages (about lacp starting during end-user port flaps), and does not display messages about OSPF neighbor going down....

Bear in mind that all the above applies to my own opinion on HP Procurve not-yet-merged with 3com, so not sure how the situation changed in the meanwhile with the new H3C products.

On the other side I would certainly recommend HP Procurve in simple access/edge layer scenarios, certainly not as a DC distribution layer switch, not due to its technical drawbacks, but mostly due to operational difficulties described above.

-pavel skovajsa

On Fri, Jun 18, 2010 at 7:56 PM, James Braid wrote:

> On 17/06/10 20:02, Carl Rosevear wrote:
> > The main problem with HP switches and their 'free software upgrades'
> > is that there are regularly bugs and regressions in the software and
> > their solution is to have you 'oh just update the software'... this
> > is not always practical in a production environment.
>
> This has been our experience too. It's nice having "free support" and
> "free software upgrades" but when their support consists of "upgrade to
> this latest unreleased firmware and hope it fixes your problems", I'd
> rather be paying a vendor for support... that said I think the 5412's
> are OK for edge switches.
>
>
>


From jul_bsd at yahoo.fr Sat Jun 19 10:28:04 2010
From: jul_bsd at yahoo.fr (jul)
Date: Sat, 19 Jun 2010 17:28:04 +0200
Subject: PCAP Sanitization Tool
In-Reply-To:
References:
Message-ID: <4C1CE204.2020709@yahoo.fr>

I would add the following to FLAIM

- ranonymize from Argus http://www.qosient.com/argus/anonymization.htm
- Anontools http://www.ics.forth.gr/dcs/Activities/Projects/anontool.html
- CPAN IP::Anonymous http://search.cpan.org/~jtk/IP-Anonymous-0.04/lib/IP/Anonymous.pm

But I'm not sure if all of them could handle pcap.

Best regards,
Julien

Bein, Matthew wrote on 16/06/10 18:58:
> Hello,
> Anyone know of a good tool for sanitizing PCAP files? I would like to
> keep as much of the payload as possible but remove src and dst ip
> information.


From Greg.Whynott at oicr.on.ca Sat Jun 19 11:02:48 2010
From: Greg.Whynott at oicr.on.ca (Greg Whynott)
Date: Sat, 19 Jun 2010 12:02:48 -0400
Subject:
In-Reply-To: <16E58A1FE7C64A46BAD0FE1558C43D92FE1337@es1.ic-sa.com>
References: <16E58A1FE7C64A46BAD0FE1558C43D92FE1337@es1.ic-sa.com>
Message-ID:

depending on your vendor equipment you'll need an ACL or a route map to define the traffic you wish to Nat and apply it to the 'nat engine'.

if you are doing this on cisco ASA or similar it might look something like this:

- define the interesting traffic with an ACL:

    access-list 110 permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.31
    access-list 110 deny ip any any

- create a route-map:

    route-map natme permit 10
     match ip address 110

- apply the map:

    ip nat inside source route-map natme interface GigabitEthernet0/1 overload

hope that helps.

-g

________________________________________
From: Mike Ruiz [mruiz at lstfinancial.com]
Sent: Friday, June 18, 2010 4:13 PM
To: nanog at nanog.org
Subject:

Ok here we go. I know the subject is a little ambiguous, please allow to explain.
I have a network of 192.168.1.0/24 and I need it to reach a network 10.0.1.0/27 only when it needs to be accessed by specific machines that reside on the 192.168.1.0/24 network.

192.168.1.10 -> NAT -> 10.0.1.10 -> route that packet to 10.0.1.1.

I only want specific hosts to route to that specific /27 network. Any help would be appreciated. So far what I have gathered is only for VPN connections but I do not want to build a VPN.

Thank you again in advance.

Michael Ruiz
Network Engineer

"If you tell people where to go, but not how to get there, you'll be amazed at the results."
-- General George S. Patton Jr.


From wavetossed at googlemail.com Sat Jun 19 11:39:07 2010
From: wavetossed at googlemail.com (Michael Dillon)
Date: Sat, 19 Jun 2010 17:39:07 +0100
Subject: Todd Underwood was a little late
In-Reply-To: <000001cb0f16$0db676b0$29236410$@org>
References: <000001cb0f16$0db676b0$29236410$@org>
Message-ID:

> "Registered but unrouted" would include space that is in use in large
> private networks that aren't visible from your standard sources for
> route views, such as U.S. DoD (6, 11, 22, 26, 28, 29, 30 /8) or U.K.
> MoD (25/8).

Have you verified each of these address ranges or are you just a mindless robot repeating urban legends?

By your definition, there is an awful lot more "registered but unrouted" space and researchers have been reporting on this for 10 years or more. In order to correctly identify what you think you are talking about, you need to take into account the date a range was registered and the date that you scanned the data. If the difference between the two dates is less than some small number, say one year, then it is probably routed space which has not yet been routed but soon will be. Different people will want to set that breakpoint at different timescales for obvious reasons.

I encourage someone to do the work to list all such ranges along with the dates, and supply them as a feed, like Cymru does.
Best would be to allow the feed recipient to filter based on age of block.

> I've heard that some organizations are growing beyond rfc1918 space

Many organizations have grown beyond RFC 1918 space. The first ones that made it known publicly were cable companies about 15 years ago.

And let's not forget that RFC 1597 and 1918 were relatively recent inventions. Before that, many organizations did "adopt" large chunks of class A space. One that I know of used everything from 1/8 to 8/8 and there were multiple disjoint instances of 1/8 in their many global networks. People have been building global networks with X.25 and frame relay transport layers for a lot longer than many realize. And the Internet did not become larger than these private networks until sometime in 1999 or so.

> and starting to use addresses like these already (for devices not capable
> of IPv6) for internal networking (not publicly routed). I believe this
> is generally considered bad citizenship, but I'm interested in why?

Stupidity. Many people have no historical perspective and think that the only users of IP address space that matter are ISPs. I don't consider it bad citizenship if the "adopted" space is not routed publicly, and even the definition of "publicly" is hard to pin down. If someone wants to route such space to a 100 or so ASNs in Russia, Kazakhstan, Kirghizstan, Uzbekistan, Afghanistan and China, then I don't think that they are blatantly being bad Internet citizens. Particularly if they carefully chose whose addresses to "adopt".

> Is there a range most people camp on?

No. And it would be dumb to do that. Smarter is to use some range that nobody else is known to be camping on except the registrant and their network is geographically distant from yours.

--Michael Dillon

P.S. At this point, the IPv6 transition has failed, unlike the Y2K transition, and some level of crisis is unavoidable.
In desperate times, people take desperate measures, and "adopting" IP address ranges that are not used by others in your locality seems a reasonable thing to do when economic survival is at stake.

P.P.S. I saw a report that someone, somewhere, had analysed some data which indicates that IP address allocation rates are increasing and there is a real possibility that we will run out by the end of this year, 2010. Does anyone know where I can find the actual analysis that led to this report?


From mruiz at lstfinancial.com Sat Jun 19 11:58:57 2010
From: mruiz at lstfinancial.com (Mike Ruiz)
Date: Sat, 19 Jun 2010 11:58:57 -0500
Subject:
Message-ID: <16E58A1FE7C64A46BAD0FE1558C43D9201078895@es1.ic-sa.com>

Ok cool. That is similar to what I have. Thank you.

--------------------------
Sent using BlackBerry

-----Original Message-----
From: Greg Whynott
To: Mike Ruiz ; nanog at nanog.org
Sent: Sat Jun 19 11:02:48 2010
Subject: RE:

depending on your vendor equipment you'll need an ACL or a route map to define the traffic you wish to Nat and apply it to the 'nat engine'.

if you are doing this on cisco ASA or similar it might look something like this:

- define the interesting traffic with an ACL:

    access-list 110 permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.31
    access-list 110 deny ip any any

- create a route-map:

    route-map natme permit 10
     match ip address 110

- apply the map:

    ip nat inside source route-map natme interface GigabitEthernet0/1 overload

hope that helps.

-g

________________________________________
From: Mike Ruiz [mruiz at lstfinancial.com]
Sent: Friday, June 18, 2010 4:13 PM
To: nanog at nanog.org
Subject:

Ok here we go. I know the subject is a little ambiguous, please allow to explain.

I have a network of 192.168.1.0/24 and I need it to reach a network 10.0.1.0/27 only when it needs to be accessed by specific machines that reside on the 192.168.1.0/24 network.

192.168.1.10 -> NAT -> 10.0.1.10 -> route that packet to 10.0.1.1.
I only want specific hosts to route to that specific /27 network. Any help would be appreciated. So far what I have gathered is only for VPN connections but I do not want to build a VPN.

Thank you again in advance.

Michael Ruiz
Network Engineer

"If you tell people where to go, but not how to get there, you'll be amazed at the results."
-- General George S. Patton Jr.


From deleskie at gmail.com Sat Jun 19 12:09:57 2010
From: deleskie at gmail.com (deleskie at gmail.com)
Date: Sat, 19 Jun 2010 17:09:57 +0000
Subject: Todd Underwood was a little late
In-Reply-To:
References: <000001cb0f16$0db676b0$29236410$@org>
Message-ID: <1743249377-1276967398-cardhu_decombobulator_blackberry.rim.net-189068897-@bda028.bisx.prod.on.blackberry>

I just checked all those /8's none of them are in the table.

-jim
Sent from my BlackBerry device on the Rogers Wireless Network

-----Original Message-----
From: Michael Dillon
Date: Sat, 19 Jun 2010 17:39:07
To: Lee Howard
Cc: ; Todd Underwood
Subject: Re: Todd Underwood was a little late

> "Registered but unrouted" would include space that is in use in large
> private networks that aren't visible from your standard sources for
> route views, such as U.S. DoD (6, 11, 22, 26, 28, 29, 30 /8) or U.K.
> MoD (25/8).

Have you verified each of these address ranges or are you just a mindless robot repeating urban legends?

By your definition, there is an awful lot more "registered but unrouted" space and researchers have been reporting on this for 10 years or more. In order to correctly identify what you think you are talking about, you need to take into account the date a range was registered and the date that you scanned the data. If the difference between the two dates is less than some small number, say one year, then it is probably routed space which has not yet been routed but soon will be. Different people will want to set that breakpoint at different timescales for obvious reasons.
I encourage someone to do the work to list all such ranges along with the dates, and supply them as a feed, like Cymru does. Best would be to allow the feed recipient to filter based on age of block.

> I've heard that some organizations are growing beyond rfc1918 space

Many organizations have grown beyond RFC 1918 space. The first ones that made it known publicly were cable companies about 15 years ago.

And let's not forget that RFC 1597 and 1918 were relatively recent inventions. Before that, many organizations did "adopt" large chunks of class A space. One that I know of used everything from 1/8 to 8/8 and there were multiple disjoint instances of 1/8 in their many global networks. People have been building global networks with X.25 and frame relay transport layers for a lot longer than many realize. And the Internet did not become larger than these private networks until sometime in 1999 or so.

> and starting to use addresses like these already (for devices not capable
> of IPv6) for internal networking (not publicly routed). I believe this
> is generally considered bad citizenship, but I'm interested in why?

Stupidity. Many people have no historical perspective and think that the only users of IP address space that matter are ISPs. I don't consider it bad citizenship if the "adopted" space is not routed publicly, and even the definition of "publicly" is hard to pin down. If someone wants to route such space to a 100 or so ASNs in Russia, Kazakhstan, Kirghizstan, Uzbekistan, Afghanistan and China, then I don't think that they are blatantly being bad Internet citizens. Particularly if they carefully chose whose addresses to "adopt".

> Is there a range most people camp on?

No. And it would be dumb to do that. Smarter is to use some range that nobody else is known to be camping on except the registrant and their network is geographically distant from yours.

--Michael Dillon

P.S.
At this point, the IPv6 transition has failed, unlike the Y2K transition, and some level of crisis is unavoidable. In desperate times, people take desperate measures, and "adopting" IP address ranges that are not used by others in your locality seems a reasonable thing to do when economic survival is at stake.

P.P.S. I saw a report that someone, somewhere, had analysed some data which indicates that IP address allocation rates are increasing and there is a real possibility that we will run out by the end of this year, 2010. Does anyone know where I can find the actual analysis that led to this report?


From lists at internetpolicyagency.com Sat Jun 19 14:10:57 2010
From: lists at internetpolicyagency.com (Roland Perry)
Date: Sat, 19 Jun 2010 20:10:57 +0100
Subject: Internet Kill Switch.
In-Reply-To:
References: <4C428A4B.7030700@cox.net> <4C428C16.7010806@cox.net>
Message-ID: <4zY$HCbBZRHMFA2$@perry.co.uk>

In article , Matthew Petach writes

>After all with a world population of 7 billion, you certainly can't
>have "Internet [...] for everyone" with only 4 billion IP addresses,
>unless you put a *lot* of NAT in place.

What's the average household size, especially in developing countries? And does "everyone" have access, if their home does?

--
Roland Perry


From tomb at byrneit.net Sat Jun 19 17:46:37 2010
From: tomb at byrneit.net (Tomas L. Byrnes)
Date: Sat, 19 Jun 2010 15:46:37 -0700
Subject: Internet Kill Switch.
In-Reply-To: <4zY$HCbBZRHMFA2$@perry.co.uk>
References: <4C428A4B.7030700@cox.net> <4C428C16.7010806@cox.net> <4zY$HCbBZRHMFA2$@perry.co.uk>
Message-ID: <72F9A69DCF990443B2CEC064E605CE0608577F@Pascal.zaphodb.org>

> -----Original Message-----
> From: Roland Perry [mailto:lists at internetpolicyagency.com]
> Sent: Saturday, June 19, 2010 12:11 PM
> To: nanog at nanog.org
> Subject: Re: Internet Kill Switch.
>
> In article
> , Matthew
> Petach writes
> >After all with a world population of 7 billion, you certainly can't
> >have "Internet [...]
> >for everyone" with only 4 billion IP addresses,
> >unless you put a *lot* of NAT in place.
>
> What's the average household size, especially in developing countries.
> And does "everyone" have access, if their home does?
> --
> Roland Perry

[Tomas L. Byrnes] The issue is more that everyone who DOES have access has more than one device, and that many of those devices move around. I won't get into the "NAT breaks the Internet" war, but it certainly does limit the type of applications you can run, or at the very least makes network provisioning, operations and maintenance much more complex than a non-natted network.


From bmanning at vacation.karoshi.com Sat Jun 19 18:16:29 2010
From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com)
Date: Sat, 19 Jun 2010 23:16:29 +0000
Subject: Todd Underwood was a little late
In-Reply-To: <1743249377-1276967398-cardhu_decombobulator_blackberry.rim.net-189068897-@bda028.bisx.prod.on.blackberry>
References: <1743249377-1276967398-cardhu_decombobulator_blackberry.rim.net-189068897-@bda028.bisx.prod.on.blackberry>
Message-ID: <20100619231629.GA13789@vacation.karoshi.com.>

odd.. two of them are in my table... which table are you using Jim?

--bill

On Sat, Jun 19, 2010 at 05:09:57PM +0000, deleskie at gmail.com wrote:
> I just checked all those /8's none of them are in the table.
>
> -jim
> Sent from my BlackBerry device on the Rogers Wireless Network
>
> -----Original Message-----
> From: Michael Dillon
> Date: Sat, 19 Jun 2010 17:39:07
> To: Lee Howard
> Cc: ; Todd Underwood
> Subject: Re: Todd Underwood was a little late
>
> > "Registered but unrouted" would include space that is in use in large
> > private networks that aren't visible from your standard sources for
> > route views, such as U.S. DoD (6, 11, 22, 26, 28, 29, 30 /8) or U.K.
> > MoD (25/8).
>
> Have you verified each of these address ranges or are you just a mindless
> robot repeating urban legends?
>
> By your definition, there is an awful lot more "registered but unrouted" space
> and researchers have been reporting on this for 10 years or more. In order
> to correctly identify what you think you are talking about, you need to take
> into account the date a range was registered and the date that you scanned
> the data. If the difference between the two dates is less than some small
> number, say one year, then it is probably routed space which has not yet
> been routed but soon will be. Different people will want to set that breakpoint
> at different timescales for obvious reasons.
>
> I encourage someone to do the work to list all such ranges along with the
> dates, and supply them as a feed, like Cymru does. Best would be to allow
> the feed recipient to filter based on age of block.
>
> > I've heard that some organizations are growing beyond rfc1918 space
>
> Many organizations have grown beyond RFC 1918 space. The first ones that
> made it known publicly were cable companies about 15 years ago.
>
> And let's not forget that RFC 1597 and 1918 were relatively recent inventions.
> Before that, many organizations did "adopt" large chunks of class A space.
> One that I know of used everything from 1/8 to 8/8 and there were multiple
> disjoint instances of 1/8 in their many global networks. People have been
> building global networks with X.25 and frame relay transport layers for
> a lot longer than many realize. And the Internet did not become larger
> than these private networks until sometime in 1999 or so.
>
> > and starting to use addresses like these already (for devices not capable
> > of IPv6) for internal networking (not publicly routed). I believe this
> > is generally considered bad citizenship, but I'm interested in why?
>
> Stupidity. Many people have no historical perspective and think that the
> only users of IP address space that matter are ISPs.
I don't consider it > bad citizenship if the "adopted" space is not routed publicly, and even > the definition of "publicly" is hard to pin down. If someone wants to route > such space to a 100 or so ASNs in Russia, Kazakhstan, Kirghizstan, Uzbekistan, > Afghanistan and China, then I don't think that they are blatantly being > bad Internet citizens. Particularly if they carefully chose whose addresses > to "adopt". > > > Is there a range most people camp on? > > No. And it would be dumb to do that. Smarter is to use some range > that nobody else is known to be camping on except the registrant > and their network is geographically distant from yours. > > --Michael Dillon > > P.S. At this point, the IPv6 transition has failed, unlike the Y2K > transition, and > some level of crisis is unavoidable. In desperate times, people take desperate > measures, and "adopting" IP address ranges that are not used by others in > your locality seems a reasonable thing to do when economic survival is at > stake. > > P.P.S. I saw a report that someone, somewhere, had analysed some data > which indicates that IP address allocation rates are increasing and there is > a real possibility that we will run out by the end of this year, 2010. > Does anyone > know where I can find the actual analysis that led to this report? > From LarrySheldon at cox.net Sat Jun 19 19:42:35 2010 From: LarrySheldon at cox.net (Larry Sheldon) Date: Sat, 19 Jun 2010 19:42:35 -0500 Subject: Internet Kill Switch. In-Reply-To: <72F9A69DCF990443B2CEC064E605CE0608577F@Pascal.zaphodb.org> References: <4C428A4B.7030700@cox.net> <4C428C16.7010806@cox.net> <4zY$HCbBZRHMFA2$@perry.co.uk> <72F9A69DCF990443B2CEC064E605CE0608577F@Pascal.zaphodb.org> Message-ID: <4C1D63FB.5090602@cox.net> On 6/19/2010 17:46, Tomas L. Byrnes wrote: > [Tomas L. Byrnes] The issue is more that everyone who DOES have access > has more than one device, and that many of those devices move around.
I > won't get into the "NAT breaks the Internet" war, but it certainly does > limit the type of applications you can run, or at the very least makes > network provisioning, operations and maintenance much more complex than > a non-natted network. I'm guessing that when the last of us olde fartes have died off and each person on the planet (on average) is associated with seven addressable devices* and all of the applications in use have been designed and implemented to operate over NAT connections, only the historians (as a maximum) will be interested in the technology that broke the Internet. * every now and again I write something like that, and wonder, as I am now, if the number I grabbed out of thin air is "reasonable" (whatever that turns out to mean). Count with me now (note--I see "addressable" as bigger than "IP addressable". I'm not sure what that means, except that I don't have to work out the technology in use in cases where I don't know how they are addressable, just that they are.) On the kitchen table. Lap-top computer, wireless (note how the Brits won that one after all) mouse, portable ("wireless") telephone, Blackberry (4 addresses?) En route from here to the world. Two wiffy terminals, Cable "router" (at least two addresses), Cable terminal. (Maybe more?) Also involved in the house. Wife's Laptop, Wife's desk-top, Wife's Blackberry, My desk-top, A file-server, Six other addressable portable telephone sets Four TV sets, Two garage-door openers, A light switch, Two Ford Explorers. We don't have any exotics like addressable ovens, refrigerators, or soft-drink machines. -- Somebody should have said: A democracy is two wolves and a lamb voting on what to have for dinner. Freedom under a constitutional republic is a well armed lamb contesting the vote.
Requiescas in pace o email Ex turpi causa non oritur actio Eppure si rinfresca ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml From nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org Sat Jun 19 22:29:11 2010 From: nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org (Mark Smith) Date: Sun, 20 Jun 2010 12:59:11 +0930 Subject: Internet Kill Switch. In-Reply-To: <72F9A69DCF990443B2CEC064E605CE0608577F@Pascal.zaphodb.org> References: <4C428A4B.7030700@cox.net> <4C428C16.7010806@cox.net> <4zY$HCbBZRHMFA2$@perry.co.uk> <72F9A69DCF990443B2CEC064E605CE0608577F@Pascal.zaphodb.org> Message-ID: <20100620125911.68f486db@opy.nosense.org> On Sat, 19 Jun 2010 15:46:37 -0700 "Tomas L. Byrnes" wrote: > > > > -----Original Message----- > > From: Roland Perry [mailto:lists at internetpolicyagency.com] > > Sent: Saturday, June 19, 2010 12:11 PM > > To: nanog at nanog.org > > Subject: Re: Internet Kill Switch. > > > > In article > > , > Matthew > > Petach writes > > >After all with a world population of 7 billion, you certainly can't > > >have "Internet [...] for everyone" with only 4 billion IP addresses, > > >unless you put a *lot* of NAT in place. > > > > What's the average household size, especially in developing countries. > > And does "everyone" have access, if their home does? > > -- > > Roland Perry > > [Tomas L. Byrnes] The issue is more that everyone who DOES have access > has more than one device, and that many of those devices move around. I > won't get into the "NAT breaks the Internet" war, but it certainly does > limit the type of applications you can run, or at the very least makes > network provisioning, operations and maintenance much more complex than > a non-natted network. > > > Yeah, it's scary. 
"Issues with IP Address Sharing" http://tools.ietf.org/html/draft-ford-shared-addressing-issues-02 From gbonser at seven.com Sun Jun 20 02:19:10 2010 From: gbonser at seven.com (George Bonser) Date: Sun, 20 Jun 2010 00:19:10 -0700 Subject: Todd Underwood was a little late In-Reply-To: <1743249377-1276967398-cardhu_decombobulator_blackberry.rim.net-189068897-@bda028.bisx.prod.on.blackberry> References: <000001cb0f16$0db676b0$29236410$@org> <1743249377-1276967398-cardhu_decombobulator_blackberry.rim.net-189068897-@bda028.bisx.prod.on.blackberry> Message-ID: <5A6D953473350C4B9995546AFE9939EE09EA4CBE@RWC-EX1.corp.seven.com> I see 11.2/16 in my table. > -----Original Message----- > From: deleskie at gmail.com [mailto:deleskie at gmail.com] > Sent: Saturday, June 19, 2010 10:10 AM > To: Michael Dillon; Lee Howard > Cc: nanog at nanog.org; Todd Underwood > Subject: Re: Todd Underwood was a little late > > I just checked all those /8's none of them are in the table. > > -jim > Sent from my BlackBerry device on the Rogers Wireless Network > > -----Original Message----- > From: Michael Dillon > Date: Sat, 19 Jun 2010 17:39:07 > To: Lee Howard > Cc: ; Todd Underwood > Subject: Re: Todd Underwood was a little late > > " "Registered but unrouted" would include space that is in use in large > > private networks that aren't visible from your standard sources for > > route views, such as U.S. DoD (6, 11, 22, 26, 28, 29, 30 /8) or U.K. > > MoD (25/8). > > Have you verified each of these address ranges or are you just a > mindless > robot repeating urban legends? > > By your definition, there is an awful lot more "registered but > unrouted" space > and researchers have been reporting on this for 10 years or more. In > order > to correctly identify what you think you are talking about, you need to > take > into account the date a range was registered and the date that you > scanned > the data. 
If the difference between the two dates is less than some > small > number, say one year, then it is probably routed space which has not > yet > been routed but soon will be. Different people will want to set that > breakpoint > at different timescales for obvious reasons. > > I encourage someone to do the work to list all such ranges along with > the > dates, and supply them as a feed, like Cymru does. Best would be to > allow > the feed recipient to filter based on age of block. > > > I've heard that some organizations are growing beyond rfc1918 space > > Many organizations have grown beyond RFC 1918 space. The first ones > that > made it known publicly were cable companies about 15 years ago. > > And let's not forget that RFC 1597 and 1918 were relatively recent > inventions. > Before that, many organizations did "adopt" large chunks of class A > space. > One that I know of used everything from 1/8 to 8/8 and there were > multiple > disjoint instances of 1/8 in their many global networks. People have > been > building global networks with X.25 and frame relay transport layers for > a lot longer than many realize. And the Internet did not become larger > than these private networks until sometime in 1999 or so. > > > and starting to use addresses like these already (for devices not > capable > > of IPv6) for internal networking (not publically routed). I believe > this > > is generally considered bad citizenship, but I'm interested in why? > > Stupidity. Many people have no historical perspective and think that > the > only users of IP address space that matter are ISPs. I don't consider > it > bad citizenship if the "adopted" space is not routed publicly, and even > the definition of "publicly" is hard to pin down. If someone wants to > route > such space to a 100 or so ASNs in Russia, Kazakhstan, Kirghizstan, > Uzbekistan, > Afghanistan and China, then I don't think that they are blatantly being > bad Internet citizens.
Particularly if they carefully chose whose > addresses > to "adopt". > > > Is there a range most people camp on? > > No. And it would be dumb to do that. Smarter is to use some range > that nobody else is known to be camping on except the registrant > and their network is geographically distant from yours. > > --Michael Dillon > > P.S. At this point, the IPv6 transition has failed, unlike the Y2K > transition, and > some level of crisis is unavoidable. In desperate times, people take > desperate > measures, and "adopting" IP address ranges that are not used by others > in > your locality seems a reasonable thing to do when economic survival is > at > stake. > > P.P.S. I saw a report that someone, somewhere, had analysed some data > which indicates that IP address allocation rates are increasing and > there is > a real possibility that we will run out by the end of this year, 2010. > Does anyone > know where I can find the actual analysis that led to this report? From tontsa at gmail.com Sun Jun 20 12:58:51 2010 From: tontsa at gmail.com (Toni Mattila) Date: Sun, 20 Jun 2010 20:58:51 +0300 Subject: Need contact from AS3356 Level3.net Message-ID: Hi, We are experiencing connectivity issues to anything behind AS3356 due to Level3.net apparently filtering our AS48403 announced prefixes. Could someone from Level3 contact me off list? Thanks in advance, Toni Mattila From toni at solu.fi Sun Jun 20 10:53:41 2010 From: toni at solu.fi (Toni Mattila) Date: Sun, 20 Jun 2010 18:53:41 +0300 Subject: AS3356 Level3 contact needed Message-ID: <4C1E3985.5030302@solu.fi> Hi, Could someone from Level3 contact me off list. Our prefixes from AS48403 vanished. Other contact address is tontsa at gmail.com if you can't send mail due to this prefix disappearance.
Thanks in advance, Toni Mattila - AS48403 From lee at asgard.org Mon Jun 21 12:01:49 2010 From: lee at asgard.org (Lee Howard) Date: Mon, 21 Jun 2010 13:01:49 -0400 Subject: Todd Underwood was a little late In-Reply-To: References: <000001cb0f16$0db676b0$29236410$@org> Message-ID: <000001cb1163$711a13c0$534e3b40$@org> > -----Original Message----- > From: Michael Dillon [mailto:wavetossed at googlemail.com] > Sent: Saturday, June 19, 2010 12:39 PM > To: Lee Howard > Cc: Todd Underwood; Christopher Morrow; nanog at nanog.org > Subject: Re: Todd Underwood was a little late > > " "Registered but unrouted" would include space that is in use in large > > private networks that aren't visible from your standard sources for > > route views, such as U.S. DoD (6, 11, 22, 26, 28, 29, 30 /8) or U.K. > > MoD (25/8). > > Have you verified each of these address ranges or are you just a mindless > robot repeating urban legends? Turing test? "standard sources for route views" = "route-views" YSSfRVMV > By your definition, there is an awful lot more "registered but unrouted" space > and researchers have been reporting on this for 10 years or more. In order > to correctly identify what you think you are talking about, you need to take > into account the date a range was registered and the date that you scanned > the data. If the difference between the two dates is less than some small > number, say one year, then it is probably routed space which has not yet > been routed but soon will be. Different people will want to set that breakpoint > at different timescales for obvious reasons. I also chose not to define "The Internet" or "routing table" and avoided terms like "DFZ" and "WTF." > I encourage someone to do the work to list all such ranges along with the > dates, and supply them as a feed, like Cymru does. Best would be to allow > the feed recipient to filter based on age of block. Why? Just because it's never been routed doesn't mean it never will be. 
I said "unlikely to be routed," but using such space is a game of chance. Unless, of course, somebody at one of those organizations said, "This prefix will never be announced to "the Internet," where "the Internet" is defined in a meaningful way to the engineer applying the filter. > > and starting to use addresses like these already (for devices not capable > > of IPv6) for internal networking (not publically routed). I believe this > > is generally considered bad citizenship, but I'm interested in why? > > Stupidity. Many people have no historical perspective and think that the > only users of IP address space that matter are ISPs. I don't consider it > bad citizenship if the "adopted" space is not routed publicly, and even > the definition of "publicly" is hard to pin down. If someone wants to route > such space to a 100 or so ASNs in Russia, Kazakhstan, Kirghizstan, Uzbekistan, > Afghanistan and China, then I don't think that they are blatantly being > bad Internet citizens. Particularly if they carefully chose whose addresses > to "adopt". So you support Todd Underwood's proposal? http://www.nanog.org/meetings/nanog49/presentations/Wednesday/Prefixes_as_Bundles_of_Probability%20%281%29.pdf > > > Is there a range most people camp on? > > No. And it would be dumb to do that. Smarter is to use some range > that nobody else is known to be camping on except the registrant > and their network is geographically distant from yours. Geographically, not topologically, or usefully? > > --Michael Dillon > > P.S. At this point, the IPv6 transition has failed, unlike the Y2K > transition, and For certain values of "fail." The odds of a dual-stack transition as initially envisioned by the IETF are vanishingly small, but IPv6 will be a significant part of the coping strategies once RIRs allocate their last blocks of IPv4. > P.P.S.
I saw a report that someone, somewhere, had analysed some data > which indicates that IP address allocation rates are increasing and there is > a real possibility that we will run out by the end of this year, 2010. > Does anyone > know where I can find the actual analysis that led to this report? Geoff Huston's data are available, I think, so you can crunch your own numbers. InfoWorld had a chart where they only used five months of allocations to project the future, and it's not clear how many data points they used to draw their line. http://www.infoworld.com/d/networking/beware-the-black-market-rising-ip-addresses-729 As of today, I see ten /8s assigned by IANA in 2010. I count 15 remaining /8s. When IANA has only five remaining, they will allocate one to each RIR. Will the last six months look like the first six months? Faster or slower? http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml Lee From wavetossed at googlemail.com Mon Jun 21 12:17:33 2010 From: wavetossed at googlemail.com (Michael Dillon) Date: Mon, 21 Jun 2010 18:17:33 +0100 Subject: Todd Underwood was a little late In-Reply-To: References: <000001cb0f16$0db676b0$29236410$@org> Message-ID: > P.S. At this point, the IPv6 transition has failed, unlike the Y2K > transition, and > some level of crisis is unavoidable. In desperate times, people take desperate > measures, and "adopting" IP address ranges that are not used by others in > your locality seems a reasonable thing to do when economic survival is at > stake. > > P.P.S. I saw a report that someone, somewhere, had analysed some data > which indicates that IP address allocation rates are increasing and there is > a real possibility that we will run out by the end of this year, 2010. > Does anyone > know where I can find the actual analysis that led to this report? This is where the claim of run-out in December 2010 comes from.
--Michael Dillon From morrowc.lists at gmail.com Mon Jun 21 13:05:05 2010 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Mon, 21 Jun 2010 14:05:05 -0400 Subject: Todd Underwood was a little late In-Reply-To: <000001cb1163$711a13c0$534e3b40$@org> References: <000001cb0f16$0db676b0$29236410$@org> <000001cb1163$711a13c0$534e3b40$@org> Message-ID: On Mon, Jun 21, 2010 at 1:01 PM, Lee Howard wrote: >> P.S. At this point, the IPv6 transition has failed, unlike the Y2K >> transition, and > > For certain values of "fail." The odds of a dual-stack transition as > initially > envisioned by the IETF are vanishingly small, but IPv6 will be a significant > part of the coping strategies once RIRs allocate their last blocks of IPv4. it'd be interesting to hear michael's reasoning behind 'transition has failed' (to me at least). I agree it doesn't seem like it's moved along as anyone would (aside from Todd) have hoped, but it is moving along. Currently the only real alternative to ipv6 at the end-user (in ~2yrs) will be giant-CGN-NAT-things or ... that's about it :( I don't think we'll have (nor would we have in 2005 even) gotten an ipv7/8/9/10 up and spec'd/coded/wrung-out before ~2 yrs from now either. So, given the cards we have, ipv6 isn't all bad. -chris From wavetossed at googlemail.com Mon Jun 21 14:12:07 2010 From: wavetossed at googlemail.com (Michael Dillon) Date: Mon, 21 Jun 2010 20:12:07 +0100 Subject: Todd Underwood was a little late In-Reply-To: References: <000001cb0f16$0db676b0$29236410$@org> <000001cb1163$711a13c0$534e3b40$@org> Message-ID: >>> P.S. At this point, the IPv6 transition has failed, unlike the Y2K >>> transition, and >> >> For certain values of "fail." The odds of a dual-stack transition as >> initially >> envisioned by the IETF are vanishingly small, but IPv6 will be a significant >> part of the coping strategies once RIRs allocate their last blocks of IPv4.
> > it'd be interesting to hear michael's reasoning behind 'transition has > failed' (to me at least). I agree it doesn't seem like it's moved > along as anyone would (aside from Todd) have hoped, but it is moving > along. In January 2000, there was no IT crisis as the result of Y2K rollover. A few companies had a few problems that were mostly sorted out within days. With IPv6, I believe that after IPv4 exhaustion we will have an unavoidable period of chaos that will affect a large number of ISPs of all sizes. The window of opportunity for being well-prepared has been missed. In fact, some of the fallout from this will impact ISPs who have done a lot of preparation, for instance vendors who haven't implemented IPv6 support because so few customers were asking for it. >Currently the only real alternative to ipv6 at the end-user (in > ~2yrs) will be giant-CGN-NAT-things or ... that's about it :( Middleboxes mean increased instability, higher support costs, and weird problems where customers can't reach a site even though the middlebox is handling traffic correctly, because too many users are sharing the same IP address and it is triggering some kind of traffic shaping at the other end. Middleboxes are a symptom of failure since they force operators to pay for the middleboxes, for training staff on how to operate and scale them, for customer support, and still pay for the normal native IPv6 transition. It will hurt the longer term balance sheet for anyone who is forced down that road, when compared to their competitors who don't have to implement as many or as complex middleboxes. > I don't think we'll have (nor would we have in 2005 even) gotten an > ipv7/8/9/10 up and spec'd/coded/wrung-out before ~2 yrs from now > either. So, given the cards we have, ipv6 isn't all bad. On this we agree. The problem is not IPv6, it is the failure to deploy IPv6 soon enough. Not enough trained people, not enough testing, not enough bugs shaken out.
--Michael Dillon From morrowc.lists at gmail.com Mon Jun 21 14:54:26 2010 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Mon, 21 Jun 2010 15:54:26 -0400 Subject: Todd Underwood was a little late In-Reply-To: References: <000001cb0f16$0db676b0$29236410$@org> <000001cb1163$711a13c0$534e3b40$@org> Message-ID: On Mon, Jun 21, 2010 at 3:12 PM, Michael Dillon wrote: >> I don't think we'll have (nor would we have in 2005 even) gotten an >> ipv7/8/9/10 up and spec'd/coded/wrung-out before ~2 yrs from now >> either. So, given the cards we have, ipv6 isn't all bad. > > On this we agree. > The problem is not IPv6, it is the failure to deploy IPv6 soon enough. > Not enough trained people, not enough testing, not enough bugs shaken > out. ok, that matches pretty much exactly what I see/think. Perhaps the initial wording was just odd :) thanks! -chris From paveldimow at gmail.com Mon Jun 21 15:04:17 2010 From: paveldimow at gmail.com (Pavel Dimow) Date: Mon, 21 Jun 2010 22:04:17 +0200 Subject: List of a useful tools for network architects Message-ID: Hi, I am wondering what tools you consider most valuable when designing a big network from scratch or performing a migration? For example I would like to know is there a tool that will perform basic sanity checks like network equipment without redundant link or without link at all... I know that the one who designs a network has to consider all these issues but some automatic check will save some time for sure... Thank you.
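[Added to this archive: the sanity check Pavel asks about is a graph problem, and the example below is not from the thread or from any tool named in it. It reads a link inventory, one "device-a device-b" pair per line, and reports devices with no link, devices hanging off a single link, and the links (bridges) and devices (articulation points) whose failure would partition the network, using Tarjan's lowpoint search. SW-145 and SW-476 are the names from the question; the other device names, the inventory and the file format are constructed for the example.]

```python
"""Design sanity checks over a link inventory (added example, stdlib only)."""
from collections import defaultdict

# Constructed inventory (not a real network). SW-145/SW-476 are the names from the
# question; everything else is made up. One link per line: "device-a device-b".
SAMPLE_DEVICES = ["CORE-1", "CORE-2", "DIST-1", "DIST-2", "SW-145", "SW-476",
                  "SW-300", "SW-301", "SW-999"]
SAMPLE_LINKS = """\
CORE-1 CORE-2
CORE-1 DIST-1
CORE-2 DIST-1
CORE-1 DIST-2
CORE-2 DIST-2
DIST-1 SW-145
DIST-2 SW-145
DIST-1 SW-476      # only path to SW-476
DIST-2 SW-300      # SW-300 and SW-301 hang off one distribution switch
SW-300 SW-301
"""


def parse_links(text):
    """Build an undirected adjacency map; '#' comments and blank lines are ignored.

    Parallel links between the same pair collapse to one edge, so the checks
    below report device-level redundancy, not port-level redundancy.
    """
    adj = defaultdict(set)
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) != 2 or fields[0] == fields[1]:
            continue
        adj[fields[0]].add(fields[1])
        adj[fields[1]].add(fields[0])
    return dict(adj)


def cut_elements(adj):
    """Tarjan's DFS lowpoint search: (bridges, articulation points, component count)."""
    disc, low, bridges, cuts, clock = {}, {}, set(), set(), [0]

    def dfs(u, parent):
        disc[u] = low[u] = clock[0]
        clock[0] += 1
        children = 0
        for v in adj[u]:
            if v == parent:
                continue
            if v not in disc:
                children += 1
                dfs(v, u)
                low[u] = min(low[u], low[v])
                if low[v] > disc[u]:
                    bridges.add(tuple(sorted((u, v))))     # no alternate path around link u-v
                if parent is not None and low[v] >= disc[u]:
                    cuts.add(u)                           # subtree under v depends on u
            else:
                low[u] = min(low[u], disc[v])
        if parent is None and children > 1:
            cuts.add(u)                                   # root joins otherwise separate subtrees

    components = 0
    for node in adj:
        if node not in disc:
            components += 1
            dfs(node, None)
    return bridges, cuts, components


def check_design(devices, link_text):
    """Report the things a reviewer would want flagged before the design ships."""
    adj = parse_links(link_text)
    bridges, cuts, components = cut_elements(adj)
    return {
        "no_link": sorted(d for d in devices if d not in adj),
        "single_link": sorted(d for d, peers in adj.items() if len(peers) == 1),
        "bridges": sorted(bridges),
        "single_points_of_failure": sorted(cuts),
        "partitions": components,       # >1 means some linked devices cannot reach others
    }


if __name__ == "__main__":
    for name, finding in check_design(SAMPLE_DEVICES, SAMPLE_LINKS).items():
        print(f"{name}: {finding}")
```

On the sample inventory this flags SW-999 as unconnected, SW-476 and SW-301 as single-homed, and DIST-1, DIST-2 and SW-300 as single points of failure, while the core pair and SW-145 pass. The recursive DFS follows the textbook presentation; for inventories with thousands of devices raise the recursion limit or rewrite it iteratively. A device connected twice to the same neighbour still counts as single-homed here, because the question was about missing redundancy between devices, not between ports.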
From Rodolfo.Delgado at fhlbny.com Mon Jun 21 15:16:27 2010 From: Rodolfo.Delgado at fhlbny.com (Delgado,Rodolfo) Date: Mon, 21 Jun 2010 16:16:27 -0400 Subject: PCAP Sanitization Tool In-Reply-To: References: Message-ID: <010EDE8ECED891449A25B465902056E60405095E87@nts-exchangep1.FHLBNY-ADS> You can take a look at netdude: http://netdude.sourceforge.net/ -----Original Message----- From: Bein, Matthew [mailto:mbein at iso-ne.com] Sent: Wednesday, June 16, 2010 12:59 PM To: nanog at nanog.org Subject: PCAP Sanitization Tool Hello, Anyone know of a good tool for sanitizing PCAP files? I would like to keep as much of the payload as possible but remove src and dst ip information. Confidentiality Notice: The information contained in this e-mail and any attachments (including, but not limited to, any attached e-mails) may be legally privileged and confidential. If you are not an intended recipient, you are hereby notified that any dissemination, distribution or copying of this e-mail is strictly prohibited. If you have received this e-mail in error, please notify the sender and permanently delete the e-mail and any attachments immediately. You should not retain, copy or use this e-mail or any attachment for any purpose, nor disclose all or any part of the contents to any other person. Thank you. 
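[Added example, not netdude's code or anything posted in the thread: stripping src/dst while keeping the payload has two details that bite in practice. The IPv4 header checksum and the TCP/UDP checksums (through the pseudo-header) cover the addresses, so a plain byte overwrite leaves a capture that checksum validation flags as corrupt; and replacing each address with a keyed pseudonym keeps flows correlatable without disclosing the hosts. The HMAC-SHA256 mapping into 10.0.0.0/8, the two-packet pcap and the key are my constructions; the code handles classic pcap with Ethernet framing only (no pcapng, no IPv6, and IP or TCP options are left as they are).]

```python
"""Pseudonymize IPv4 addresses in a classic pcap while keeping payloads (added example, stdlib only)."""
import hashlib
import hmac
import struct

ETH_HDR, PROTO_TCP, PROTO_UDP = 14, 6, 17


def ones_complement_sum(data):
    """RFC 1071 checksum; a buffer that already carries a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudonymize(addr, key):
    """Keyed, consistent map of a 4-byte address into 10.0.0.0/8 (24-bit output, so collisions are possible)."""
    return b"\x0a" + hmac.new(key, addr, hashlib.sha256).digest()[:3]


def l4_checksum(ip_hdr, seg, proto):
    """TCP/UDP checksum over pseudo-header + segment with the checksum field zeroed."""
    off = 16 if proto == PROTO_TCP else 6
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, proto, len(seg))
    csum = ones_complement_sum(pseudo + seg[:off] + b"\x00\x00" + seg[off + 2:])
    return 0xFFFF if proto == PROTO_UDP and csum == 0 else csum   # UDP stores 0 as 0xFFFF


def rewrite_ipv4(frame, key):
    """Replace src/dst of an Ethernet/IPv4 frame and repair the IP and TCP/UDP checksums."""
    if len(frame) < ETH_HDR + 20 or frame[12:14] != b"\x08\x00" or frame[ETH_HDR] >> 4 != 4:
        return frame                                   # not IPv4 over Ethernet: pass through untouched
    ihl, total_len = (frame[ETH_HDR] & 0x0F) * 4, struct.unpack("!H", frame[ETH_HDR + 2:ETH_HDR + 4])[0]
    if ihl < 20 or total_len < ihl:
        return frame                                   # malformed header: leave for manual review
    ip, seg = bytearray(frame[ETH_HDR:ETH_HDR + ihl]), frame[ETH_HDR + ihl:ETH_HDR + total_len]
    ip[12:16], ip[16:20] = pseudonymize(bytes(ip[12:16]), key), pseudonymize(bytes(ip[16:20]), key)
    ip[10:12] = struct.pack("!H", ones_complement_sum(bytes(ip[:10]) + b"\x00\x00" + bytes(ip[12:])))
    proto, off = ip[9], 16 if ip[9] == PROTO_TCP else 6
    whole = (ip[6] & 0x3F) == 0 and ip[7] == 0 and len(seg) == total_len - ihl   # not a fragment, not truncated
    # The transport pseudo-header covers the addresses, so TCP/UDP checksums change as well;
    # a UDP checksum of zero means "none" and is left alone.
    if proto in (PROTO_TCP, PROTO_UDP) and whole and len(seg) >= 8 and not (proto == PROTO_UDP and seg[6:8] == b"\x00\x00"):
        seg = seg[:off] + struct.pack("!H", l4_checksum(bytes(ip), seg, proto)) + seg[off + 2:]
    return frame[:ETH_HDR] + bytes(ip) + seg + frame[ETH_HDR + total_len:]


def pcap_records(data):
    """Yield (endianness, record header, frame) for each record of a classic pcap; Ethernet link type only."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
           b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}.get(bytes(data[:4]))
    if end is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET (1) is handled here")
    pos = 24
    while pos + 16 <= len(data):
        hdr = struct.unpack(end + "IIII", data[pos:pos + 16])   # ts_sec, ts_frac, incl_len, orig_len
        yield end, hdr, data[pos + 16:pos + 16 + hdr[2]]
        pos += 16 + hdr[2]


def anonymize_pcap(data, key):
    """Return a copy of the capture with every IPv4 frame rewritten; record lengths are unchanged."""
    out = bytearray(data[:24])
    for end, hdr, frame in pcap_records(data):
        out += struct.pack(end + "IIII", *hdr) + rewrite_ipv4(frame, key)
    return bytes(out)


def checksums_valid(frame):
    """True if the IPv4 header checksum and the TCP/UDP checksum (if any) both verify."""
    ihl = (frame[ETH_HDR] & 0x0F) * 4
    ip = frame[ETH_HDR:ETH_HDR + ihl]
    seg = frame[ETH_HDR + ihl:ETH_HDR + struct.unpack("!H", ip[2:4])[0]]
    if ones_complement_sum(ip) != 0:
        return False
    if ip[9] not in (PROTO_TCP, PROTO_UDP) or (ip[9] == PROTO_UDP and seg[6:8] == b"\x00\x00"):
        return True
    off = 16 if ip[9] == PROTO_TCP else 6
    return l4_checksum(ip, seg, ip[9]) == struct.unpack("!H", seg[off:off + 2])[0]


def build_sample_pcap():
    """Constructed two-packet little-endian pcap (not a real trace): a DNS-style UDP query and a TCP segment."""
    def frame(src, dst, proto, seg):
        ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(seg), 1, 0x4000, 64, proto, 0, src, dst))
        ip[10:12] = struct.pack("!H", ones_complement_sum(bytes(ip)))
        off = 16 if proto == PROTO_TCP else 6
        seg = seg[:off] + struct.pack("!H", l4_checksum(bytes(ip), seg, proto)) + seg[off + 2:]
        return bytes(12) + b"\x08\x00" + bytes(ip) + seg            # zero MACs, EtherType 0x0800
    a, b = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7])         # RFC 5737 documentation addresses
    udp = struct.pack("!HHHH", 53000, 53, 20, 0) + b"\x12\x34\x01\x00\x00\x01" + bytes(6)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 0x50, 0x18, 65535, 0, 0) + b"GET / HTTP/1.0\r\n\r\n"
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate([frame(a, b, PROTO_UDP, udp), frame(b, a, PROTO_TCP, tcp)]):
        pcap += struct.pack("<IIII", 1277000000 + i, 0, len(f), len(f)) + f
    return pcap
```

Typical use is anonymize_pcap(open("in.pcap", "rb").read(), key) written back to a new file. Two caveats for anyone sharing the result: the key is a secret, since whoever holds it can test a guessed address against the trace, and payloads are kept verbatim, so DNS names, HTTP Host headers and similar still identify hosts and need a separate pass if that matters for the recipient.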
From brent at servuhome.net Mon Jun 21 15:18:41 2010 From: brent at servuhome.net (Brent Jones) Date: Mon, 21 Jun 2010 13:18:41 -0700 Subject: Advice regarding Cisco/Juniper/HP In-Reply-To: References: <20100617092909.I713@evil.minions.com> <609F723B44D257459ED22406AC8F286A25B6A47BD3@CDIMSXMBCL01.CDI.CDICorp.net> <4C1A6450.7080704@rollernet.us> <1276799730.7682.39.camel@petrie> <828F644E-7DD9-4058-8C7D-A76931740E73@skytap.com> Message-ID: On Sat, Jun 19, 2010 at 7:52 AM, Pavel Skovajsa wrote: > To emphasise more this subject, the technical support HP Procurve is > providing (for free) is more consumer level and in my opinion is one of the > key differentiators from teams like Cisco TAC. Here is a short laundry list > of my experience: > Trimming your post, apologies > > -pavel skovajsa I would have to agree with your points. We have about a dozen HP switches, mostly 3500YL's performing light layer3 duties, and migrating to some 10Gbit modules for the access layer. We have had several issues with packet loss on the HP's, in particular a bug more than 2 years old and still unresolved on the 2600's, 2900's and 3500's: When you SSH into those models of HP switches, the SSH negotiation uses 100% of the host processor, and will block out pings, and upper layer services such as OSPF and VRRP. A single SSH sessions won't likely make an impact, but we have some monitoring applications that hit SSH frequently, and can 100% reliably freeze those models of HP switches with just 2-3 SSH login attempts. Imagine that, a switch that will lock up when SSH'ing to it, fun isn't it? We had to rethink some of our extended monitoring for the HP's, we originally wanted to use SNMP, but their provided MIB files are formatted so badly only HP Openview will read them without a lot of fuss. Next is 10Gb. We bought their new SFP+ 10Gb modules for the 3500YL's, and for more than 6 months, they didn't have any stable firmware to support those modules. 
They would send us engineering builds of the firmware with massive regressions and new bugs. It wasn't until June 10th or so when they officially released firmware for the 10Gb SFP+ modules for the 3500's. While the HP CLI is different than Cisco's, it is easy to use and will be familiar to anyone with about a day of learning the differences, however the CLI is also limited as you said. Debug and troubleshooting output is almost non-existent, I don't believe their programmers had any idea of what a production level network wants to see. Their fiber interfaces do not expose any SNR, transmit power, heat, or load to the CLI or any management software. So if you are fiber heavy, to diagnose anything be prepared to take down links to gather even the most basic information with separate troubleshooting hardware. All in all, if you have a small network, maybe half a dozen switches, require no stacking, no fiber, and no 10Gb on a large scale, HP will work. But as far as being affordable, their licensing costs for OSPF and VRRP are insane. You'd be better off paying slightly more at that point and going with Juniper or Cisco. To the OP, I lost the fight with our head of IT on the HP vs. others on networking, and I deeply regret it. If you are already familiar with Juniper and Cisco, pick your favorite and do not use HP. -- Brent Jones brent at servuhome.net From lists at quux.de Mon Jun 21 15:18:54 2010 From: lists at quux.de (Jens Link) Date: Mon, 21 Jun 2010 22:18:54 +0200 Subject: List of a useful tools for network architects In-Reply-To: (Pavel Dimow's message of "Mon\, 21 Jun 2010 22\:04\:17 +0200") References: Message-ID: <871vc0gmvl.fsf@oban.berlin.quux.de> Pavel Dimow writes: > Hi, > > I am wondering what tools you consider most valuable when designing big > network from scratch or perform a migration? White board and a digital camera to document the drawings. Pen and paper are also a very important tool.
> For example I would like to know is there a tool that will perform > basic sanity checks like network equipment without redundant link or > without link at all... Well there is my head and a couple of years experience. ;-) > I know that the one who design a network have to consider all this > issues but some automatic check will save some time for sure... Discuss your design with others. There is always more than one way to design a network. Jens -- ------------------------------------------------------------------------- | Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 | | http://blog.quux.de | jabber: jenslink at guug.de | ------------------- | ------------------------------------------------------------------------- From surfer at mauigateway.com Mon Jun 21 15:30:56 2010 From: surfer at mauigateway.com (Scott Weeks) Date: Mon, 21 Jun 2010 13:30:56 -0700 Subject: List of a useful tools for network architects Message-ID: <20100621133056.48651A4D@resin15.mta.everyone.net> --- lists at quux.de wrote: From: Jens Link > I am wondering what tools you consider most valuable when designing big > network from scratch or perform a migration? --------------------------------------------- Experience. If possible, find someone with it. Or, start reading 24x7 immediately... ;-) scott From paveldimow at gmail.com Mon Jun 21 16:20:56 2010 From: paveldimow at gmail.com (Pavel Dimow) Date: Mon, 21 Jun 2010 23:20:56 +0200 Subject: List of a useful tools for network architects In-Reply-To: <871vc0gmvl.fsf@oban.berlin.quux.de> References: <871vc0gmvl.fsf@oban.berlin.quux.de> Message-ID: And how do you feel when client tell you that you don't have a connection from SW-476 to SW-145? "Well you see, there are plenty of boxes out there (couple hundreds) you don't expect that everything must be perfect right? Anyhow I was very tired that day...." The point is, I am not looking for a program that will design the network instead of me, just a little sanity check. 
I agree that head, whiteboard, marker, sharp pencil :) are very valuable but those were on my list anyway :) On Mon, Jun 21, 2010 at 10:18 PM, Jens Link wrote: > Pavel Dimow writes: > >> Hi, >> >> I am wondering what tools you consider most valuable when designing big >> network from scratch or perform a migration? > > White board and a digital camera to document the drawings. Pen and paper > are also a very important tool. > >> For example I would like to know is there a tool that will perform >> basic sanity checks like network equipment without redundant link or >> without link at all... > > Well there is my head and a couple of years experience. ;-) > >> I know that the one who design a network have to consider all this >> issues but some automatic check will save some time for sure... > > Discuss your design with others. There is always more than one way to > design a network. > > Jens > -- > ------------------------------------------------------------------------- > | Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 | > | http://blog.quux.de | jabber: jenslink at guug.de | ------------------- | > ------------------------------------------------------------------------- > > From ask at develooper.com Mon Jun 21 16:32:39 2010 From: ask at develooper.com (Ask Bjørn Hansen) Date: Mon, 21 Jun 2010 23:32:39 +0200 Subject: Micro-allocation needed? Message-ID: <983AD7DA-8B21-4D3C-9C4E-B774B94FC919@develooper.com> Hi everyone, We're going to anycast a /24 for some DNS servers (and possibly another UDP based service)[1]. I see that ARIN are listing on https://www.arin.net/knowledge/ip_blocks.html the smallest allocations from each prefix. Will we have trouble getting a /24 announced if we take it from a regular /20? Or in other words: Do we need to get a block from ARIN from one of the prefixes that they specify they allocate out in /24 chunks?
- ask [1] For the NTP Pool system - http://www.pool.ntp.org/ - your network probably sent some of the 50-100,000 requests the pool members got this second. And this. And this. ... :-) From nenolod at systeminplace.net Mon Jun 21 16:34:59 2010 From: nenolod at systeminplace.net (William Pitcock) Date: Mon, 21 Jun 2010 16:34:59 -0500 Subject: Micro-allocation needed? In-Reply-To: <983AD7DA-8B21-4D3C-9C4E-B774B94FC919@develooper.com> References: <983AD7DA-8B21-4D3C-9C4E-B774B94FC919@develooper.com> Message-ID: <1277156099.7682.72.camel@petrie> On Mon, 2010-06-21 at 23:32 +0200, Ask Bjørn Hansen wrote: > Hi everyone, > > We're going to anycast a /24 for some DNS servers (and possibly another UDP based service)[1]. > > I see that ARIN are listing on https://www.arin.net/knowledge/ip_blocks.html the smallest allocations from each prefix. Will we have trouble getting a /24 announced if we take it from a regular /20? No, you can split up allocations as you want, provided you can prove you own them. Some providers however, won't announce anything smaller than a /24. William From ask at develooper.com Mon Jun 21 16:42:29 2010 From: ask at develooper.com (Ask Bjørn Hansen) Date: Mon, 21 Jun 2010 23:42:29 +0200 Subject: Micro-allocation needed? In-Reply-To: <1277156099.7682.72.camel@petrie> References: <983AD7DA-8B21-4D3C-9C4E-B774B94FC919@develooper.com> <1277156099.7682.72.camel@petrie> Message-ID: <7F25AC8D-1330-41B1-815F-FEABD2EC6FA4@develooper.com> On Jun 21, 2010, at 23:34, William Pitcock wrote: > On Mon, 2010-06-21 at 23:32 +0200, Ask Bjørn Hansen wrote: >> Hi everyone, >> >> We're going to anycast a /24 for some DNS servers (and possibly another UDP based service)[1]. >> >> I see that ARIN are listing on https://www.arin.net/knowledge/ip_blocks.html the smallest allocations from each prefix. Will we have trouble getting a /24 announced if we take it from a regular /20?
>
> No, you can split up allocations as you want, provided you can prove you
> own them.
>
> Some providers however, won't announce anything smaller than a /24.

I guess to rephrase my question:

Are there (a significant number of) providers that will filter a /24 announcement from an ARIN prefix not in the list of prefixes where they allocate /24 blocks.

(I take it from what you wrote that the answer is "No").

- ask

From garret at picchioni.org Mon Jun 21 16:51:21 2010
From: garret at picchioni.org (Garret Picchioni)
Date: Mon, 21 Jun 2010 14:51:21 -0700
Subject: List of a useful tools for network architects
In-Reply-To:
References: <871vc0gmvl.fsf@oban.berlin.quux.de>
Message-ID: <4C1FDED9.5090203@picchioni.org>

Paul,

My biggest tool is a couple extra sets of eyes. A fresh look from the outside by someone else is going to be the biggest help.

Pen and Paper (or Visio w/ Icons http://packetlife.net/media/library/33/Cisco_Marketing_Icons.zip)

I personally like using network simulators to try out different ideas. I'm a fan of packet tracer for those who have been through the Cisco Academy. The config options aren't *too* extensive, but the basics are there to help with a few sanity checks.

Garret

On 6/21/2010 2:20 PM, Pavel Dimow wrote:
> And how do you feel when client tell you that you don't have a
> connection from SW-476 to SW-145?
> "Well you see, there are plenty of boxes out there (couple hundreds)
> you don't expect that everything must be perfect right? Anyhow I was
> very tired that day...."
>
> The point is, I am not looking for a program that will design the
> network instead of me, just a little sanity check.
>
> I agree that head, whiteboard, marker, sharp pencil :) are very
> valuable but those were on my list anyway :)
>
> On Mon, Jun 21, 2010 at 10:18 PM, Jens Link wrote:
>> Pavel Dimow writes:
>>
>>> Hi,
>>>
>>> I am wondering what tools you consider most valuable when designing big
>>> network from scratch or perform a migration?
>>
>> White board and a digital camera to document the drawings. Pen and paper
>> are also a very important tool.
>>
>>> For example I would like to know is there a tool that will perform
>>> basic sanity checks like network equipment without redundant link or
>>> without link at all...
>>
>> Well there is my head and a couple of years experience. ;-)
>>
>>> I know that the one who design a network have to consider all this
>>> issues but some automatic check will save some time for sure...
>>
>> Discuss your design with others. There is always more than one way to
>> design a network.
>>
>> Jens
>> --
>> -------------------------------------------------------------------------
>> | Foelderichstr. 40   | 13595 Berlin, Germany    | +49-151-18721264     |
>> | http://blog.quux.de | jabber: jenslink at guug.de | ------------------- |
>> -------------------------------------------------------------------------
>>
>>
>

From nenolod at systeminplace.net Mon Jun 21 16:50:46 2010
From: nenolod at systeminplace.net (William Pitcock)
Date: Mon, 21 Jun 2010 16:50:46 -0500
Subject: Micro-allocation needed?
In-Reply-To: <7F25AC8D-1330-41B1-815F-FEABD2EC6FA4@develooper.com>
References: <983AD7DA-8B21-4D3C-9C4E-B774B94FC919@develooper.com> <1277156099.7682.72.camel@petrie> <7F25AC8D-1330-41B1-815F-FEABD2EC6FA4@develooper.com>
Message-ID: <1277157046.7682.74.camel@petrie>

On Mon, 2010-06-21 at 23:42 +0200, Ask Bjørn Hansen wrote:
> On Jun 21, 2010, at 23:34, William Pitcock wrote:
>
> > On Mon, 2010-06-21 at 23:32 +0200, Ask Bjørn Hansen wrote:
> >> Hi everyone,
> >>
> >> We're going to anycast a /24 for some DNS servers (and possibly another UDP based service)[1].
> >>
> >> I see that ARIN are listing on https://www.arin.net/knowledge/ip_blocks.html the smallest allocations from each prefix. Will we have trouble getting a /24 announced if we take it from a regular /20?
> >
> > No, you can split up allocations as you want, provided you can prove you
> > own them.
> >
> > Some providers however, won't announce anything smaller than a /24.
>
> I guess to rephrase my question:
>
> Are there (a significant number of) providers that will filter a /24 announcement from an ARIN prefix not in the list of prefixes where they allocate /24 blocks.

I have yet to encounter any. They are "your IPs" as far as they are concerned, so they'll typically announce whatever you ask as long as they are "your IPs".

William

From bfeeny at mac.com Mon Jun 21 16:55:34 2010
From: bfeeny at mac.com (Brian Feeny)
Date: Mon, 21 Jun 2010 17:55:34 -0400
Subject: List of a useful tools for network architects
In-Reply-To:
References: <871vc0gmvl.fsf@oban.berlin.quux.de>
Message-ID: <6096E5A6-2FB9-4ADA-BEDF-4D16407D52F3@mac.com>

Everything should be documented and designed before it's deployed. It should be reviewed by others. Then it should be tested. It's hard to make it past the testing phase and still have these issues.

If you're using a flawed deployment strategy, like many people do, where you're skipping design, documentation or testing and just throwing things in, there will always be issues, even with fancy programs.

Brian

On Jun 21, 2010, at 5:20 PM, Pavel Dimow wrote:
> And how do you feel when client tell you that you don't have a
> connection from SW-476 to SW-145?
> "Well you see, there are plenty of boxes out there (couple hundreds)
> you don't expect that everything must be perfect right? Anyhow I was
> very tired that day...."
>
> The point is, I am not looking for a program that will design the
> network instead of me, just a little sanity check.
>
> I agree that head, whiteboard, marker, sharp pencil :) are very
> valuable but those were on my list anyway :)
>
> On Mon, Jun 21, 2010 at 10:18 PM, Jens Link wrote:
>> Pavel Dimow writes:
>>
>>> Hi,
>>>
>>> I am wondering what tools you consider most valuable when designing big
>>> network from scratch or perform a migration?
>>
>> White board and a digital camera to document the drawings.
>> Pen and paper
>> are also a very important tool.
>>
>>> For example I would like to know is there a tool that will perform
>>> basic sanity checks like network equipment without redundant link or
>>> without link at all...
>>
>> Well there is my head and a couple of years experience. ;-)
>>
>>> I know that the one who design a network have to consider all this
>>> issues but some automatic check will save some time for sure...
>>
>> Discuss your design with others. There is always more than one way to
>> design a network.
>>
>> Jens
>> --
>> -------------------------------------------------------------------------
>> | Foelderichstr. 40   | 13595 Berlin, Germany    | +49-151-18721264     |
>> | http://blog.quux.de | jabber: jenslink at guug.de | ------------------- |
>> -------------------------------------------------------------------------
>>
>>
>

From jabley at hopcount.ca Mon Jun 21 16:55:40 2010
From: jabley at hopcount.ca (Joe Abley)
Date: Mon, 21 Jun 2010 17:55:40 -0400
Subject: Micro-allocation needed?
In-Reply-To: <7F25AC8D-1330-41B1-815F-FEABD2EC6FA4@develooper.com>
References: <983AD7DA-8B21-4D3C-9C4E-B774B94FC919@develooper.com> <1277156099.7682.72.camel@petrie> <7F25AC8D-1330-41B1-815F-FEABD2EC6FA4@develooper.com>
Message-ID: <05839B8C-571A-44C4-863C-BC03C0733E84@hopcount.ca>

On 2010-06-21, at 17:42, Ask Bjørn Hansen wrote:

> Are there (a significant number of) providers that will filter a /24 announcement from an ARIN prefix not in the list of prefixes where they allocate /24 blocks.

Not in my experience, but I don't know how useful that is to know because I don't know how to characterise my experience in any meaningful way :-)

> (I take it from what you wrote that the answer is "No").

I'm interested in the idea of anycasting one of the pool.ntp.org herd-members.
Every time I've suggested such a thing I've been told (paraphrasing) that a good (server, client) NTP session exhibits reasonable RTT stability, this constitutes, in effect, a long-lived transaction, and hence anycast is not a good answer unless you have confidence that the potential for oscillations is low, or that the frequency of the oscillations is very low (i.e. in a private network this might be a good answer, but across the public Internet it's a poor answer).

Has the thinking changed, or did I just misunderstand?

Joe

From dseagrav at humancapitaldev.com Mon Jun 21 16:56:37 2010
From: dseagrav at humancapitaldev.com (Daniel Seagraves)
Date: Mon, 21 Jun 2010 16:56:37 -0500
Subject: Micro-allocation needed?
In-Reply-To: <7F25AC8D-1330-41B1-815F-FEABD2EC6FA4@develooper.com>
References: <983AD7DA-8B21-4D3C-9C4E-B774B94FC919@develooper.com> <1277156099.7682.72.camel@petrie> <7F25AC8D-1330-41B1-815F-FEABD2EC6FA4@develooper.com>
Message-ID: <93FDFB85-2034-469A-A8F4-4B2DF1D611C0@humancapitaldev.com>

AT&T announces ours. It just took a little bit of prodding to get the sales people to ask the appropriate technical people. We have a very old ARIN-allocated /24 but we have only one upstream, so we have no AS number of our own.

On Jun 21, 2010, at 4:42 PM, Ask Bjørn Hansen wrote:

>
> On Jun 21, 2010, at 23:34, William Pitcock wrote:
>
>> On Mon, 2010-06-21 at 23:32 +0200, Ask Bjørn Hansen wrote:
>>> Hi everyone,
>>>
>>> We're going to anycast a /24 for some DNS servers (and possibly another UDP based service)[1].
>>>
>>> I see that ARIN are listing on https://www.arin.net/knowledge/ip_blocks.html the smallest allocations from each prefix. Will we have trouble getting a /24 announced if we take it from a regular /20?
>>
>> No, you can split up allocations as you want, provided you can prove you
>> own them.
>>
>> Some providers however, won't announce anything smaller than a /24.
>
> I guess to rephrase my question:
>
> Are there (a significant number of) providers that will filter a /24 announcement from an ARIN prefix not in the list of prefixes where they allocate /24 blocks.
>
> (I take it from what you wrote that the answer is "No").
>
>
> - ask
>

From ask at develooper.com Mon Jun 21 17:04:55 2010
From: ask at develooper.com (Ask Bjørn Hansen)
Date: Tue, 22 Jun 2010 00:04:55 +0200
Subject: Micro-allocation needed?
In-Reply-To: <05839B8C-571A-44C4-863C-BC03C0733E84@hopcount.ca>
References: <983AD7DA-8B21-4D3C-9C4E-B774B94FC919@develooper.com> <1277156099.7682.72.camel@petrie> <7F25AC8D-1330-41B1-815F-FEABD2EC6FA4@develooper.com> <05839B8C-571A-44C4-863C-BC03C0733E84@hopcount.ca>
Message-ID: <363B6FF6-7FEF-4ED9-AF50-6DB2F4150651@develooper.com>

On Jun 21, 2010, at 23:55, Joe Abley wrote:

Everyone: Thanks for the replies regarding the /24 announcement from a "/20 allocated block". Yes, obviously the /20 announcement will handle the traffic, too.

I'm a regular reader on NANOG and consistently impressed by the expertise on display and the speed with which it's generously handed out. :-)

> I'm interested in the idea of anycasting one of the pool.ntp.org herd-members. Every time I've suggested such a thing I've been told (paraphrasing) that a good (server, client) NTP session exhibits reasonable RTT stability, this constitutes, in effect, a long-lived transaction, and hence anycast is not a good answer unless you have confidence that the potential for oscillations is low, or that the frequency of the oscillations is very low (i.e. in a private network this might be a good answer, but across the public Internet it's a poor answer).
>
> Has the thinking changed, or did I just misunderstand?

I think the thinking on NTP [ see below ] is the same; but indeed when I wrote "possibly other UDP based services" experimenting with that was my idea, too. I believe some of the CDNs are anycast based (Cachefly?)
and they did some extensive tests with very long http transactions. (And I guess do a big test daily in running the service...).

However -- Much of the pool.ntp.org traffic is from SNTP clients where the NTP considerations don't apply. (In summary: SNTP = dumb client that just asks for the time now; NTP = clever server that keeps track of the time. The protocol is the same, but the usage quite different).

- ask

From oberman at es.net Mon Jun 21 17:13:28 2010
From: oberman at es.net (Kevin Oberman)
Date: Mon, 21 Jun 2010 15:13:28 -0700
Subject: Micro-allocation needed?
In-Reply-To: Your message of "Mon, 21 Jun 2010 17:55:40 EDT." <05839B8C-571A-44C4-863C-BC03C0733E84@hopcount.ca>
Message-ID: <20100621221328.C67A71CC0D@ptavv.es.net>

> From: Joe Abley
> Date: Mon, 21 Jun 2010 17:55:40 -0400
>
> I'm interested in the idea of anycasting one of the pool.ntp.org
> herd-members. Every time I've suggested such a thing I've been told
> (paraphrasing) that a good (server, client) NTP session exhibits
> reasonable RTT stability, this constitutes, in effect, a long-lived
> transaction, and hence anycast is not a good answer unless you have
> confidence that the potential for oscillations is low, or that the
> frequency of the oscillations is very low (i.e. in a private network
> this might be a good answer, but across the public Internet it's a
> poor answer).
>
> Has the thinking changed, or did I just misunderstand?

Joe,

This would be better asked on the NTP list, but I'd say it depends on the accuracy you want to achieve. For the NTP pool, the idea is to try for good accuracy and very good long-term stability are the goals. That does not work well if the actual source of the data changes very often. Aside from losing the advantages of long-term PLL filtering of the time, you also will see substantial changes in delay (i.e. RTT) and, almost certainly, jitter.
Unless you are confident that the source of the anycast at any point in the network will remain stable over a very long term, it really does not sound like a good solution to me.

Then again, with GPS time source available for <75 USD, anyone who is really trying for really good time should just buy one and run a local stratum 1 server.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net			Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751

From bmanning at vacation.karoshi.com Mon Jun 21 17:58:24 2010
From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com)
Date: Mon, 21 Jun 2010 22:58:24 +0000
Subject: no you can't configure your router w/ this
Message-ID: <20100621225824.GA31992@vacation.karoshi.com.>

sigh... where was this useful data 10 years ago!

http://www.fcc.gov/worldtravel/

--bill

From steve at ipv6canada.com Mon Jun 21 21:02:36 2010
From: steve at ipv6canada.com (Steve Bertrand)
Date: Mon, 21 Jun 2010 22:02:36 -0400
Subject: Dividing up a small IPv4 block
Message-ID: <4C2019BC.6050201@ipv6canada.com>

Hi all,

I've got a local v4 peer (ie. an ISP whom I lease fibre from to feed my clients, they peer with me directly, and we're about to provide mutual transit for one another).

They (hereinafter 'client') have recently received a /22 from ARIN.

The client's immediate need is to re-assign a /23 to an ISP client that they have, which effectively leaves them with one /23.

The client has asked me to help design an IP addressing scheme that will suit the rest of their clients (most require /29's), their internal infrastructure, and the small server farm they have. Although this seems small-scale, the client handles sensitive-type subs.

I'm at a loss on how to do this. I know that I'll eat up at least a /25 and another /26 to renumber their existing clients into.
My instincts would have me reserve equivalents, but that almost doesn't seem possible given the math.

Thinking that they will have to go back to ARIN for additional space relatively quickly without intervention, can anyone provide links to docs that will help prevent future renumbering or decent management? I know that I can collapse a lot of their current waste, and I know where I can scrounge, but where in the space should the clients be assigned from, and where should I reserve my p2p/32 blocks from... front or back?

My current personal strategies don't apply, neither does the documentation that I've found/read on the web in the past. This feels like a nightmare ready to happen, and I need to ensure that with what they have, a sane lo/ptp and client assignment strategy is configured.

They applied for too small a block.

Numbering guidelines for tight v4 holdings will be very much appreciated.

Cheers,

Steve

ps. I advised an authority figure that they should apply for their v6 immediately now that they have their v4. I've also set up a meeting for tomorrow morning to discuss how I can help them get experience with it ;)

From bdflemin at gmail.com Mon Jun 21 21:36:11 2010
From: bdflemin at gmail.com (Brad Fleming)
Date: Mon, 21 Jun 2010 21:36:11 -0500
Subject: Dividing up a small IPv4 block
In-Reply-To: <4C2019BC.6050201@ipv6canada.com>
References: <4C2019BC.6050201@ipv6canada.com>
Message-ID: <0C3D2391-B8C1-4338-8BEB-3D0A74114B9D@gmail.com>

> Thinking that they will have to go back to ARIN for additional space
> relatively quickly without intervention, can anyone provide links to
> docs that will help prevent future renumbering or decent management? I
> know that I can collapse a lot of their current waste, and I know
> where
> I can scrounge, but where in the space should the clients be assigned
> from, and where should I reserve my p2p/32 blocks from... front or
> back?
Only speaking from my current situation, we typically assign loops and links from the highest numbered portions of our space; pulling a /23 for the task many moons ago. Loops come from the highest numbered block and links from the block just below. Of course that's just one network's approach, and we could certainly be wrong! :D

As far as efficient use of the space goes... that's a tough one. We've pretty much decided that creating these hard blocks of IPs that MUST come from one place isn't going to work as we move forward. We decided awhile back that our IGP is probably just going to be messy going forward. We try to keep things summarized but when you're out of IPs in this block on this AGG router, you go grave robbing another, less popular AGG router's space. It just happens. We kind of decided that we buy routers with lots of memory and CPU for a reason... might as well use it! Of course that's going to get some people riled up on this list but it's the reality of being a "small guy" who is running out of IPv4 space.

And for the record, we've been a fully dual stacked environment since Q1 of 2004 but people want / need more IPv4 space all the time.

From joelja at bogus.com Mon Jun 21 22:46:17 2010
From: joelja at bogus.com (Joel Jaeggli)
Date: Mon, 21 Jun 2010 20:46:17 -0700
Subject: List of a useful tools for network architects
In-Reply-To:
References: <871vc0gmvl.fsf@oban.berlin.quux.de>
Message-ID:

There was a lightning talk on Netdot at Nanog 48 I'd take a look at the presentation and the website. It's quite useful from the documentation and discovery standpoint

After the initial white board I generally sit down and document what we're going to build then we build a transition plan that covers the activities based on the docs and move on from there.

Joel's iPad

On Jun 21, 2010, at 2:20 PM, Pavel Dimow wrote:

> And how do you feel when client tell you that you don't have a
> connection from SW-476 to SW-145?
> "Well you see, there are plenty of boxes out there (couple hundreds)
> you don't expect that everything must be perfect right? Anyhow I was
> very tired that day...."
>
> The point is, I am not looking for a program that will design the
> network instead of me, just a little sanity check.
>
> I agree that head, whiteboard, marker, sharp pencil :) are very
> valuable but those were on my list anyway :)
>
> On Mon, Jun 21, 2010 at 10:18 PM, Jens Link wrote:
>> Pavel Dimow writes:
>>
>>> Hi,
>>>
>>> I am wondering what tools you consider most valuable when designing big
>>> network from scratch or perform a migration?
>>
>> White board and a digital camera to document the drawings. Pen and paper
>> are also a very important tool.
>>
>>> For example I would like to know is there a tool that will perform
>>> basic sanity checks like network equipment without redundant link or
>>> without link at all...
>>
>> Well there is my head and a couple of years experience. ;-)
>>
>>> I know that the one who design a network have to consider all this
>>> issues but some automatic check will save some time for sure...
>>
>> Discuss your design with others. There is always more than one way to
>> design a network.
>>
>> Jens
>> --
>> -------------------------------------------------------------------------
>> | Foelderichstr. 40   | 13595 Berlin, Germany    | +49-151-18721264     |
>> | http://blog.quux.de | jabber: jenslink at guug.de | ------------------- |
>> -------------------------------------------------------------------------
>>
>>
>
>

From khatfield at socllc.net Mon Jun 21 23:28:28 2010
From: khatfield at socllc.net (khatfield at socllc.net)
Date: Tue, 22 Jun 2010 04:28:28 +0000
Subject: Micro-allocation needed?
In-Reply-To: <20100621221328.C67A71CC0D@ptavv.es.net>
References: <05839B8C-571A-44C4-863C-BC03C0733E84@hopcount.ca> <20100621221328.C67A71CC0D@ptavv.es.net>
Message-ID: <127058090-1277180908-cardhu_decombobulator_blackberry.rim.net-387999307-@bda903.bisx.prod.on.blackberry>

Are you considering doing SNTP or regular NTP?

If regular NTP... I once read some excellent advice on AnyCast:

"It often doesn't make sense to go through the extra complexity in deploying a service with AnyCast addressing if it doesn't justify the benefit."

In this sense, I really don't understand what you will gain.

-----Original Message-----
From: "Kevin Oberman"
Date: Mon, 21 Jun 2010 15:13:28
To: Joe Abley
Cc:
Subject: Re: Micro-allocation needed?

> From: Joe Abley
> Date: Mon, 21 Jun 2010 17:55:40 -0400
>
> I'm interested in the idea of anycasting one of the pool.ntp.org
> herd-members. Every time I've suggested such a thing I've been told
> (paraphrasing) that a good (server, client) NTP session exhibits
> reasonable RTT stability, this constitutes, in effect, a long-lived
> transaction, and hence anycast is not a good answer unless you have
> confidence that the potential for oscillations is low, or that the
> frequency of the oscillations is very low (i.e. in a private network
> this might be a good answer, but across the public Internet it's a
> poor answer).
>
> Has the thinking changed, or did I just misunderstand?

Joe,

This would be better asked on the NTP list, but I'd say it depends on the accuracy you want to achieve. For the NTP pool, the idea is to try for good accuracy and very good long-term stability are the goals. That does not work well if the actual source of the data changes very often. Aside from losing the advantages of long-term PLL filtering of the time, you also will see substantial changes in delay (i.e. RTT) and, almost certainly, jitter.
Unless you are confident that the source of the anycast at any point in the network will remain stable over a very long term, it really does not sound like a good solution to me.

Then again, with GPS time source available for <75 USD, anyone who is really trying for really good time should just buy one and run a local stratum 1 server.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net			Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751

From joelja at bogus.com Mon Jun 21 23:52:37 2010
From: joelja at bogus.com (Joel Jaeggli)
Date: Mon, 21 Jun 2010 21:52:37 -0700
Subject: List of a useful tools for network architects
In-Reply-To:
References: <871vc0gmvl.fsf@oban.berlin.quux.de>
Message-ID: <4C204195.3080906@bogus.com>

On 06/21/2010 08:46 PM, Joel Jaeggli wrote:
> There was a lightning talk on Netdot at Nanog 48 I'd take a look at the presentation and the website. It's quite useful from the documentation and discovery standpoint

meh, it was nanog 49, and the link is:

http://www.nanog.org/meetings/nanog49/presentations/Tuesday/Vicente-netdot-presentation-nanog49.pdf

https://netdot.uoregon.edu/trac/

> After the initial white board I generally sit down and document what we're going to build then we build a transition plan that covers the activities based on the docs and move on from there.
>
>
> Joel's iPad
>
> On Jun 21, 2010, at 2:20 PM, Pavel Dimow wrote:
>
>> And how do you feel when client tell you that you don't have a
>> connection from SW-476 to SW-145?
>> "Well you see, there are plenty of boxes out there (couple hundreds)
>> you don't expect that everything must be perfect right? Anyhow I was
>> very tired that day...."
>>
>> The point is, I am not looking for a program that will design the
>> network instead of me, just a little sanity check.
>>
>> I agree that head, whiteboard, marker, sharp pencil :) are very
>> valuable but those were on my list anyway :)
>>
>> On Mon, Jun 21, 2010 at 10:18 PM, Jens Link wrote:
>>> Pavel Dimow writes:
>>>
>>>> Hi,
>>>>
>>>> I am wondering what tools you consider most valuable when designing big
>>>> network from scratch or perform a migration?
>>>
>>> White board and a digital camera to document the drawings. Pen and paper
>>> are also a very important tool.
>>>
>>>> For example I would like to know is there a tool that will perform
>>>> basic sanity checks like network equipment without redundant link or
>>>> without link at all...
>>>
>>> Well there is my head and a couple of years experience. ;-)
>>>
>>>> I know that the one who design a network have to consider all this
>>>> issues but some automatic check will save some time for sure...
>>>
>>> Discuss your design with others. There is always more than one way to
>>> design a network.
>>>
>>> Jens
>>> --
>>> -------------------------------------------------------------------------
>>> | Foelderichstr. 40   | 13595 Berlin, Germany    | +49-151-18721264     |
>>> | http://blog.quux.de | jabber: jenslink at guug.de | ------------------- |
>>> -------------------------------------------------------------------------
>>>
>>>
>>
>>
>
>

From fweimer at bfk.de Tue Jun 22 02:20:59 2010
From: fweimer at bfk.de (Florian Weimer)
Date: Tue, 22 Jun 2010 07:20:59 +0000
Subject: Micro-allocation needed?
In-Reply-To: <7F25AC8D-1330-41B1-815F-FEABD2EC6FA4@develooper.com> ("Ask Bjørn Hansen"'s message of "Mon, 21 Jun 2010 23:42:29 +0200")
References: <983AD7DA-8B21-4D3C-9C4E-B774B94FC919@develooper.com> <1277156099.7682.72.camel@petrie> <7F25AC8D-1330-41B1-815F-FEABD2EC6FA4@develooper.com>
Message-ID: <828w67mt2c.fsf@mid.bfk.de>

* Ask Bjørn Hansen:

> Are there (a significant number of) providers that will filter a /24
> announcement from an ARIN prefix not in the list of prefixes where
> they allocate /24 blocks.
I've seen such filters applied to RIPE's /8s which actually led to reachability problems because the shorter covering prefix was not announced. (Arguably, that's two failures.)

--
Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

From bross at pobox.com Tue Jun 22 04:32:05 2010
From: bross at pobox.com (Brandon Ross)
Date: Tue, 22 Jun 2010 05:32:05 -0400 (EDT)
Subject: Dividing up a small IPv4 block
In-Reply-To: <4C2019BC.6050201@ipv6canada.com>
References: <4C2019BC.6050201@ipv6canada.com>
Message-ID:

On Mon, 21 Jun 2010, Steve Bertrand wrote:

> Thinking that they will have to go back to ARIN for additional space
> relatively quickly without intervention, can anyone provide links to
> docs that will help prevent future renumbering or decent management? I
> know that I can collapse a lot of their current waste, and I know where
> I can scrounge, but where in the space should the clients be assigned
> from, and where should I reserve my p2p/32 blocks from... front or back?

If you are efficiently utilizing the space, and it sounds like you are, why don't you just request more space from ARIN?

--
Brandon Ross                                         AIM:  BrandonNRoss
                                                           ICQ:  2269442
                                                     Skype:  brandonross
                                                     Yahoo:  BrandonNRoss

From eesslinger at fpu-tn.com Tue Jun 22 09:57:06 2010
From: eesslinger at fpu-tn.com (Eric J Esslinger)
Date: Tue, 22 Jun 2010 09:57:06 -0500
Subject: A bit off topic: Video streaming/video on demand server
Message-ID:

My company has been using an online video service for certain shows on our local access channel, to stream them live over the internet and make them available as video on demand. This is stuff like city and county meetings, parades, that sort of thing. We're getting complaints because the ads had become very intrusive and annoying (Budweiser swimsuit girls dancing across the screen in the middle of watching the Alderman meeting, for example).
They are balking at the yearly 'subscription' cost, especially as we don't even come close to needing the amount of bandwidth/storage that provides.

So I've been asked to look into setting up something locally (we have more than enough bandwidth to support what little use we're getting, with plenty of room to grow), but I really don't know where to start. So I'm looking for some help, perhaps experience with products, or someone who could consult with us on this.

Also, my content creator needs an easy path to get the content online. He does his editing with a computer but trying to get him to convert formats and such is somewhat difficult.

__________________________
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165

________________________________
This message may contain confidential and/or proprietary information and is intended for the person/entity to whom it was originally addressed. Any use by others is strictly prohibited.

From rdobbins at arbor.net Tue Jun 22 10:30:13 2010
From: rdobbins at arbor.net (Dobbins, Roland)
Date: Tue, 22 Jun 2010 15:30:13 +0000
Subject: A bit off topic: Video streaming/video on demand server
In-Reply-To:
References:
Message-ID: <2D880118-7615-4999-B369-2A0CF740FBC2@arbor.net>

On Jun 22, 2010, at 9:57 PM, Eric J Esslinger wrote:

> So I'm looking for some help, perhaps experience with products,

I'm a big fan of QTSS for this type of application, myself:

and use Wirecast for the broadcasting client:

along with a good video camera, a decent set of mics, and a Griffin iMic; I use a portable Behringer mixer for multi-input audio setups.

Something like might also be an option.
-----------------------------------------------------------------------
Roland Dobbins // 

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken

From bdflemin at gmail.com Tue Jun 22 11:14:27 2010
From: bdflemin at gmail.com (Brad Fleming)
Date: Tue, 22 Jun 2010 11:14:27 -0500
Subject: A bit off topic: Video streaming/video on demand server
In-Reply-To: <2D880118-7615-4999-B369-2A0CF740FBC2@arbor.net>
References: <2D880118-7615-4999-B369-2A0CF740FBC2@arbor.net>
Message-ID:

>> So I'm looking for some help, perhaps experience with products,
>
> I'm a big fan of QTSS for this type of application, myself:
>
>
>
> and use Wirecast for the broadcasting client:
>
>
>
> along with a good video camera, a decent set of mics, and a Griffin
> iMic; I use a portable Behringer mixer for multi-input audio setups.
>
> Something like might also be an option.

I'll echo Roland's suggestion.. we use QTSS + Wirecast with great success. I believe our kit includes a reasonably priced JVC camera that does pretty well for the price. We use a simple mixing board with a few mics for presentations / conferences. We even pump the video out with a multicast option for folks who have access. Seems to work pretty well with a relatively low entry cost.

From deric.kwok2000 at gmail.com Tue Jun 22 12:51:53 2010
From: deric.kwok2000 at gmail.com (Deric Kwok)
Date: Tue, 22 Jun 2010 13:51:53 -0400
Subject: Is my modem or DSL company issue? 1300 not good but 1200 is fine
Message-ID:

Hi

It is very nice that Ina replied me about mtu help

Now I am using ping to check
but not sure it is my modem or DSL company issue?

C:\Documents and Settings\derek>ping yahoo.com -f -l 1300

Pinging yahoo.com [98.137.149.56] with 1300 bytes of data:

Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Ping statistics for 98.137.149.56:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Documents and Settings\derek>ping yahoo.com -f -l 1200

Pinging yahoo.com [98.137.149.56] with 1200 bytes of data:

Reply from 98.137.149.56: bytes=1200 time=141ms TTL=55
Reply from 98.137.149.56: bytes=1200 time=141ms TTL=55
Reply from 98.137.149.56: bytes=1200 time=145ms TTL=55
Reply from 98.137.149.56: bytes=1200 time=141ms TTL=55

Ping statistics for 98.137.149.56:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 141ms, Maximum = 145ms, Average = 142ms

Thank you for your help

From trelane at trelane.net Tue Jun 22 12:55:54 2010
From: trelane at trelane.net (Andrew D Kirch)
Date: Tue, 22 Jun 2010 13:55:54 -0400
Subject: Is it my modem or the DSL company's issue? 1300 not good but 1200 is fine
In-Reply-To:
References:
Message-ID: <4C20F92A.3060708@trelane.net>

Perhaps dslreports would be a more useful forum for this question?

On 06/22/2010 01:51 PM, Deric Kwok wrote:
> Hi
>
> It is very nice that Ina replied to me about MTU help.
>
> Now I am using ping to check, but I am not sure if it is my modem or the DSL company's issue?
>
> C:\Documents and Settings\derek>ping yahoo.com -f -l 1300
>
> Pinging yahoo.com [98.137.149.56] with 1300 bytes of data:
>
> Packet needs to be fragmented but DF set.
> Packet needs to be fragmented but DF set.
> Packet needs to be fragmented but DF set.
> Packet needs to be fragmented but DF set.
> > Ping statistics for 98.137.149.56: > Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), > > > > C:\Documents and Settings\derek>ping yahoo.com -f -l 1200 > > Pinging yahoo.com [98.137.149.56] with 1200 bytes of data: > > Reply from 98.137.149.56: bytes=1200 time=141ms TTL=55 > Reply from 98.137.149.56: bytes=1200 time=141ms TTL=55 > Reply from 98.137.149.56: bytes=1200 time=145ms TTL=55 > Reply from 98.137.149.56: bytes=1200 time=141ms TTL=55 > > Ping statistics for 98.137.149.56: > Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), > Approximate round trip times in milli-seconds: > Minimum = 141ms, Maximum = 145ms, Average = 142ms > > Thank you for your help > > From adam.lafountain at googlemail.com Tue Jun 22 12:07:58 2010 From: adam.lafountain at googlemail.com (Adam LaFountain) Date: Tue, 22 Jun 2010 10:07:58 -0700 Subject: no you can't configure your router w/ this Message-ID: > > sigh... where was this useful data 10 years ago! > > http://www.fcc.gov/worldtravel/ Even more entertaining is the "reboot.fcc.gov (Beta)" in the top right corner. I wonder if they have a reboot.ftc.gov link as well; that might actually be more useful. From ge at linuxbox.org Tue Jun 22 13:30:12 2010 From: ge at linuxbox.org (Gadi Evron) Date: Tue, 22 Jun 2010 21:30:12 +0300 Subject: Recommendation in Australia for ISPs to force user security? Message-ID: <4C210134.2030706@linuxbox.org> http://www.zdnet.com.au/make-zombie-code-mandatory-govt-report-339304001.htm "A government report into cybercrime has recommended that internet service providers (ISPs) force customers to use antivirus and firewall software or risk being disconnected. 
security

Committee chair Belinda Neal said in her introduction to the 262-page report titled "Hackers, Fraudsters and Botnets: Tackling the Problem of Cyber Crime" that due to the exponential growth of malware and other forms of cybercrime in recent years, "the expectation that end users should or can bear the sole responsibility for their own personal online security is no longer a tenable proposition".

"We need to apply the same energy and commitment given to national security and the protection of critical infrastructure to the cybercrime threats that impact on society more generally," she said."

From joelja at bogus.com Tue Jun 22 13:57:46 2010
From: joelja at bogus.com (Joel Jaeggli)
Date: Tue, 22 Jun 2010 11:57:46 -0700
Subject: Recommendation in Australia for ISPs to force user security?
In-Reply-To: <4C210134.2030706@linuxbox.org>
References: <4C210134.2030706@linuxbox.org>
Message-ID: <4C2107AA.1080707@bogus.com>

Not sure how they propose to enforce that; instrumentation approaches that look inside the home gateway have a non-trivial false positive rate, and you've got a lot more hosts than IP addresses.

On 06/22/2010 11:30 AM, Gadi Evron wrote:
> http://www.zdnet.com.au/make-zombie-code-mandatory-govt-report-339304001.htm
>
>
> "A government report into cybercrime has recommended that internet
> service providers (ISPs) force customers to use antivirus and firewall
> software or risk being disconnected.
> security
>
> Committee chair Belinda Neal said in her introduction to the 262-page
> report titled "Hackers, Fraudsters and Botnets: Tackling the Problem of
> Cyber Crime" that due to the exponential growth of malware and other
> forms of cybercrime in recent years, "the expectation that end users
> should or can bear the sole responsibility for their own personal online
> security is no longer a tenable proposition".
> > "We need to apply the same energy and commitment given to national > security and the protection of critical infrastructure to the cybercrime > threats that impact on society more generally," she said." > From surfer at mauigateway.com Tue Jun 22 14:14:44 2010 From: surfer at mauigateway.com (Scott Weeks) Date: Tue, 22 Jun 2010 12:14:44 -0700 Subject: Recommendation in Australia for ISPs to force user security? Message-ID: <20100622121444.4866A71D@resin15.mta.everyone.net> --- ge at linuxbox.org wrote: From: Gadi Evron http://www.zdnet.com.au/make-zombie-code-mandatory-govt-report-339304001.htm "A government report into cybercrime has recommended that internet service providers (ISPs) force customers to use antivirus and firewall software or risk being disconnected. security ---------------------------------------- This is being discussed extensively on AUSNOG and is but one link in a long chain of gov't trying to control the internet there with little realization of how ineffective the proposals are. Seems to be politicians playing to a certain part of the populace so votes can be obtained. scott From deepak at ai.net Tue Jun 22 14:17:16 2010 From: deepak at ai.net (Deepak Jain) Date: Tue, 22 Jun 2010 15:17:16 -0400 Subject: Recommendation in Australia for ISPs to force user security? In-Reply-To: <4C2107AA.1080707@bogus.com> References: <4C210134.2030706@linuxbox.org> <4C2107AA.1080707@bogus.com> Message-ID: Come on, you aren't thinking gov't-enough. "BASIC" broadband access will be a SSH/web-only proxy with firewalling/antivirus/etc capability. That whole pesky HTTP/1.0 problem was solved a long time ago. Maybe you don't even get your own IP anymore -- and you have to access your email through their web portal too. This also qualifies you as net-neutral in that everyone gets the same poor service. Only content providers that sign an agreement to be free of virii and malware (with an appropriate "inspection/sanitization" charge will be let through... e.g. 
Netflix or whomever) -- this way, you aren't being made to differentiate between bits, you are being made to ensure national security. "BUSINESS" broadband access might give you a real IP, allow you to torrent, but you sign a piece of paper that authorizes them to charge you if you get infected, or better yet, a maintenance plan of a $24.95/month on top of your service to make sure you don't get infected with a remotely managed firewall/router or whatever will meet the definition of the regulation. This can be solved so fast it'll make your head spin. Build a big proxy "cloud", send everyone 60 days notice once the regulation comes in effect, on day 61 throw the switch. Day 62, collect orders for the upgraded service. *PROFIT* My only shock is that Washington isn't leading Canberra on this, with an even faster timeline than the one above. Deepak > -----Original Message----- > From: Joel Jaeggli [mailto:joelja at bogus.com] > Sent: Tuesday, June 22, 2010 2:58 PM > To: Gadi Evron > Cc: nanog at nanog.org > Subject: Re: Recommendation in Australia for ISPs to force user > security? > > not sure how they propose to enforce that, instrumentation approaches > that look inside the home gateway have a non-trivial falsh positive > rate > and you've got a lot more hosts than ip addresses. > > On 06/22/2010 11:30 AM, Gadi Evron wrote: > > http://www.zdnet.com.au/make-zombie-code-mandatory-govt-report- > 339304001.htm > > > > > > "A government report into cybercrime has recommended that internet > > service providers (ISPs) force customers to use antivirus and > firewall > > software or risk being disconnected. 
> > security > > > > Committee chair Belinda Neal said in her introduction to the 262-page > > report titled "Hackers, Fraudsters and Botnets: Tackling the Problem > of > > Cyber Crime" that due to the exponential growth of malware and other > > forms of cybercrime in recent years, "the expectation that end users > > should or can bear the sole responsibility for their own personal > online > > security is no longer a tenable proposition". > > > > "We need to apply the same energy and commitment given to national > > security and the protection of critical infrastructure to the > cybercrime > > threats that impact on society more generally," she said." > > From franck at genius.com Tue Jun 22 14:55:37 2010 From: franck at genius.com (Franck Martin) Date: Wed, 23 Jun 2010 07:55:37 +1200 (FJT) Subject: Recommendation in Australia for ISPs to force user security? In-Reply-To: Message-ID: <19514738.44.1277236535987.JavaMail.franck@franck-martins-macbook-pro.local> You forgot to talk about a tax on all of that too... ;) Note the Great Firewall of Australia is slowly going down in flames... Now, there are two options, fight these type of proposals (resources spent to avoid something and make political enemies) or encourage the proposal by Netherlands and France to put Internet Freedom as a basic right for democracies: http://ambafrance-us.org/spip.php?article1659 ----- Original Message ----- From: "Deepak Jain" To: "Joel Jaeggli" , "Gadi Evron" Cc: nanog at nanog.org Sent: Wednesday, 23 June, 2010 7:17:16 AM Subject: RE: Recommendation in Australia for ISPs to force user security? Come on, you aren't thinking gov't-enough. "BASIC" broadband access will be a SSH/web-only proxy with firewalling/antivirus/etc capability. That whole pesky HTTP/1.0 problem was solved a long time ago. Maybe you don't even get your own IP anymore -- and you have to access your email through their web portal too. This also qualifies you as net-neutral in that everyone gets the same poor service. 
Only content providers that sign an agreement to be free of virii and malware (with an appropriate "inspection/sanitization" charge will be let through... e.g. Netflix or whomever) -- this way, you aren't being made to differentiate between bits, you are being made to ensure national security. "BUSINESS" broadband access might give you a real IP, allow you to torrent, but you sign a piece of paper that authorizes them to charge you if you get infected, or better yet, a maintenance plan of a $24.95/month on top of your service to make sure you don't get infected with a remotely managed firewall/router or whatever will meet the definition of the regulation. This can be solved so fast it'll make your head spin. Build a big proxy "cloud", send everyone 60 days notice once the regulation comes in effect, on day 61 throw the switch. Day 62, collect orders for the upgraded service. *PROFIT* My only shock is that Washington isn't leading Canberra on this, with an even faster timeline than the one above. Deepak From bill at herrin.us Tue Jun 22 15:17:02 2010 From: bill at herrin.us (William Herrin) Date: Tue, 22 Jun 2010 16:17:02 -0400 Subject: Recommendation in Australia for ISPs to force user security? In-Reply-To: <4C210134.2030706@linuxbox.org> References: <4C210134.2030706@linuxbox.org> Message-ID: On Tue, Jun 22, 2010 at 2:30 PM, Gadi Evron wrote: > http://www.zdnet.com.au/make-zombie-code-mandatory-govt-report-339304001.htm > "A government report into cybercrime has recommended that internet service > providers (ISPs) force customers to use antivirus and firewall software or > risk being disconnected. Why not go for the low hanging fruit first? Ask ISPs to provide a connection with inbound TCP filtered by default and enable inbound TCP only by customer request. We'll do that with carrier NATs after free pool depletion anyway... might as well get started. -Bill -- William D. Herrin ................ herrin at dirtside.com bill at herrin.us 3005 Crane Dr. 
...................... Web: Falls Church, VA 22042-3004 From gbonser at seven.com Tue Jun 22 15:48:16 2010 From: gbonser at seven.com (George Bonser) Date: Tue, 22 Jun 2010 13:48:16 -0700 Subject: Penetration Test Vendors Message-ID: <5A6D953473350C4B9995546AFE9939EE09EA4D4A@RWC-EX1.corp.seven.com> Anyone have any suggestions for a decent vendor that provides network penetration testing? We have a customer requirement for a third party test for a certain facility. Have you used anyone that you thought did a great job? Anyone you would suggest avoiding? Replies can be sent off list and I will summarize any feedback I might get from the community if anyone is interested. George From ken.gilmour at gmail.com Tue Jun 22 15:57:52 2010 From: ken.gilmour at gmail.com (Ken Gilmour) Date: Tue, 22 Jun 2010 14:57:52 -0600 Subject: Penetration Test Vendors In-Reply-To: <5A6D953473350C4B9995546AFE9939EE09EA4D4A@RWC-EX1.corp.seven.com> References: <5A6D953473350C4B9995546AFE9939EE09EA4D4A@RWC-EX1.corp.seven.com> Message-ID: Depends on where you are... I've used Sysnet in Europe (www.sysnet.ie) and they are excellent. We used Deloitte ( http://www.deloitte.com/view/en_GX/global/services/enterprise-risk-services/security-privacy-resiliency/pcidss/index.htm) in non-european countries, with not such a good result (but other people may have different experiences). Regards, Ken On 22 June 2010 14:48, George Bonser wrote: > Anyone have any suggestions for a decent vendor that provides network > penetration testing? We have a customer requirement for a third party > test for a certain facility. Have you used anyone that you thought did a > great job? Anyone you would suggest avoiding? > > Replies can be sent off list and I will summarize any feedback I might > get from the community if anyone is interested. 
> > George > > > From standalone.sysadmin at gmail.com Tue Jun 22 15:52:13 2010 From: standalone.sysadmin at gmail.com (Matt Simmons) Date: Tue, 22 Jun 2010 16:52:13 -0400 Subject: Penetration Test Vendors In-Reply-To: <5A6D953473350C4B9995546AFE9939EE09EA4D4A@RWC-EX1.corp.seven.com> References: <5A6D953473350C4B9995546AFE9939EE09EA4D4A@RWC-EX1.corp.seven.com> Message-ID: I'm interested in a summary of what people suggest. --Matt On Tue, Jun 22, 2010 at 4:48 PM, George Bonser wrote: > Anyone have any suggestions for a decent vendor that provides network > penetration testing? We have a customer requirement for a third party > test for a certain facility. Have you used anyone that you thought did a > great job? ?Anyone you would suggest avoiding? > > Replies can be sent off list and I will summarize any feedback I might > get from the community if anyone is interested. > > George > > > -- LITTLE GIRL: But which cookie will you eat FIRST? COOKIE MONSTER: Me think you have misconception of cookie-eating process. From nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org Tue Jun 22 17:28:11 2010 From: nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org (Mark Smith) Date: Wed, 23 Jun 2010 07:58:11 +0930 Subject: Recommendation in Australia for ISPs to force user security? In-Reply-To: <19514738.44.1277236535987.JavaMail.franck@franck-martins-macbook-pro.local> References: <19514738.44.1277236535987.JavaMail.franck@franck-martins-macbook-pro.local> Message-ID: <20100623075811.74e683cc@opy.nosense.org> On Wed, 23 Jun 2010 07:55:37 +1200 (FJT) Franck Martin wrote: > You forgot to talk about a tax on all of that too... ;) > > Note the Great Firewall of Australia is slowly going down in flames... > The industry has had plenty of entertainment out of the following two videos in the last two weeks. 
The first video is of the Minister for Broadband, Communications and the Digital Economy http://www.youtube.com/watch?v=1gl7X6peh-w http://www.youtube.com/watch?v=v-enBtKjgcU > Now, there are two options, fight these type of proposals (resources spent to avoid something and make political enemies) or encourage the proposal by Netherlands and France to put Internet Freedom as a basic right for democracies: http://ambafrance-us.org/spip.php?article1659 > > > > ----- Original Message ----- > From: "Deepak Jain" > To: "Joel Jaeggli" , "Gadi Evron" > Cc: nanog at nanog.org > Sent: Wednesday, 23 June, 2010 7:17:16 AM > Subject: RE: Recommendation in Australia for ISPs to force user security? > > Come on, you aren't thinking gov't-enough. > > "BASIC" broadband access will be a SSH/web-only proxy with firewalling/antivirus/etc capability. That whole pesky HTTP/1.0 problem was solved a long time ago. Maybe you don't even get your own IP anymore -- and you have to access your email through their web portal too. This also qualifies you as net-neutral in that everyone gets the same poor service. Only content providers that sign an agreement to be free of virii and malware (with an appropriate "inspection/sanitization" charge will be let through... e.g. Netflix or whomever) -- this way, you aren't being made to differentiate between bits, you are being made to ensure national security. > > "BUSINESS" broadband access might give you a real IP, allow you to torrent, but you sign a piece of paper that authorizes them to charge you if you get infected, or better yet, a maintenance plan of a $24.95/month on top of your service to make sure you don't get infected with a remotely managed firewall/router or whatever will meet the definition of the regulation. > > This can be solved so fast it'll make your head spin. Build a big proxy "cloud", send everyone 60 days notice once the regulation comes in effect, on day 61 throw the switch. Day 62, collect orders for the upgraded service. 
*PROFIT*
>
> My only shock is that Washington isn't leading Canberra on this, with an even faster timeline than the one above.
>
> Deepak
>

From newton at internode.com.au Tue Jun 22 17:45:30 2010
From: newton at internode.com.au (Mark Newton)
Date: Wed, 23 Jun 2010 08:15:30 +0930
Subject: Recommendation in Australia for ISPs to force user security?
In-Reply-To: <4C210134.2030706@linuxbox.org>
References: <4C210134.2030706@linuxbox.org>
Message-ID: <63160BE6-6D4A-47F1-8877-1800D36B067E@internode.com.au>

On 23/06/2010, at 4:00 AM, Gadi Evron wrote:

> http://www.zdnet.com.au/make-zombie-code-mandatory-govt-report-339304001.htm
>
> "A government report into cybercrime has recommended that internet
> service providers (ISPs) force customers to use antivirus and firewall
> software or risk being disconnected.
> security

Observation: The more someone uses the prefix "cyber", the less they know what they're talking about.

(glares meaningfully at a coterie of cyberterrorism consultants)

Belinda Neal's committee is in the process of being pilloried by just about everyone who knows how to spell TCP/IP. The whole thing is a complete embarrassment: Last year we were all confronted with the spectacle of her ridiculous clutch of MPs wasting the time of the security experts invited to testify by quizzing them about movie plot threats. Now we get a proposal to move "cybersecurity" regulation to ACMA, the same Government body which licenses spectrum; and controlfreaky suggestions about mandatory industry codes imposed on ISPs.

It's rampant screaming idiocy, the Dunning-Kruger effect in full motion.

I'd suggest that almost none of it will go anywhere at all, if not for the fact that Belinda Neal's entire political party seems to share her mastery of the issue.

ObNOG: Botnets are bad, n'kay?
- mark

--
Mark Newton                               Email:  newton at internode.com.au (W)
Network Engineer                          Email:  newton at atdot.dotat.org  (H)
Internode Pty Ltd                         Desk:   +61-8-82282999
"Network Man" - Anagram of "Mark Newton"  Mobile: +61-416-202-223

From lists at quux.de Tue Jun 22 17:50:17 2010
From: lists at quux.de (Jens Link)
Date: Wed, 23 Jun 2010 00:50:17 +0200
Subject: Recommendation in Australia for ISPs to force user security?
In-Reply-To: <4C2107AA.1080707@bogus.com> (Joel Jaeggli's message of "Tue\, 22 Jun 2010 11\:57\:46 -0700")
References: <4C210134.2030706@linuxbox.org> <4C2107AA.1080707@bogus.com>
Message-ID: <87sk4eadhy.fsf@oban.berlin.quux.de>

Joel Jaeggli writes:

> not sure how they propose to enforce that, instrumentation approaches
> that look inside the home gateway have a non-trivial false positive rate
> and you've got a lot more hosts than ip addresses.

Well, you force your users to install some software to control that they have current anti-virus and a firewall in place. This software will only run on certain versions of Windows and will have quite a lot of CVE entries.

I will never get access to such a network. I don't use anti-virus and I don't have a firewall on my laptop (by default I'm only running sshd, and if I need a (t)ftpd I start it manually).

Jens
--
-------------------------------------------------------------------------
| Foelderichstr. 40   | 13595 Berlin, Germany    | +49-151-18721264     |
| http://blog.quux.de | jabber: jenslink at guug.de | ------------------- |
-------------------------------------------------------------------------

From scott at sberkman.net Tue Jun 22 18:27:43 2010
From: scott at sberkman.net (Scott Berkman)
Date: Tue, 22 Jun 2010 19:27:43 -0400
Subject: Penetration Test Vendors
In-Reply-To:
References: <5A6D953473350C4B9995546AFE9939EE09EA4D4A@RWC-EX1.corp.seven.com>
Message-ID: <001201cb1262$84840290$8d8c07b0$@net>

If I wanted someone to do this, I'd probably look at a security vendor instead of a general purpose consulting firm.
Some examples off the top of my head might include IBM's ISS and SecureWorks. -Scott -----Original Message----- From: Ken Gilmour [mailto:ken.gilmour at gmail.com] Sent: Tuesday, June 22, 2010 4:58 PM To: George Bonser Cc: nanog at nanog.org Subject: Re: Penetration Test Vendors Depends on where you are... I've used Sysnet in Europe (www.sysnet.ie) and they are excellent. We used Deloitte ( http://www.deloitte.com/view/en_GX/global/services/enterprise-risk-services/ security-privacy-resiliency/pcidss/index.htm) in non-european countries, with not such a good result (but other people may have different experiences). Regards, Ken On 22 June 2010 14:48, George Bonser wrote: > Anyone have any suggestions for a decent vendor that provides network > penetration testing? We have a customer requirement for a third party > test for a certain facility. Have you used anyone that you thought did a > great job? Anyone you would suggest avoiding? > > Replies can be sent off list and I will summarize any feedback I might > get from the community if anyone is interested. > > George > > > From Chrisf at apcon.com Tue Jun 22 18:59:58 2010 From: Chrisf at apcon.com (Chris Fenton) Date: Tue, 22 Jun 2010 23:59:58 +0000 Subject: Penetration Test Vendors In-Reply-To: <001201cb1262$84840290$8d8c07b0$@net> References: <5A6D953473350C4B9995546AFE9939EE09EA4D4A@RWC-EX1.corp.seven.com> <001201cb1262$84840290$8d8c07b0$@net> Message-ID: <70E1946A-D9C4-445F-9DA5-E2E34820C00E@apcon.com> Metasploit / Rapid7 (open source) BreakingPoint Systems (commercial) Sent from my mobile device... Chris On Jun 22, 2010, at 4:28 PM, "Scott Berkman" wrote: > If I wanted someone to do this, I'd probably look at a security vendor > instead of a general purpose consulting firm. > > Some examples off the top of my head might include IBM's ISS and > SecureWorks. 
>
> -Scott
>
> -----Original Message-----
> From: Ken Gilmour [mailto:ken.gilmour at gmail.com]
> Sent: Tuesday, June 22, 2010 4:58 PM
> To: George Bonser
> Cc: nanog at nanog.org
> Subject: Re: Penetration Test Vendors
>
> Depends on where you are... I've used Sysnet in Europe
> (www.sysnet.ie) and
> they are excellent. We used Deloitte (
> http://www.deloitte.com/view/en_GX/global/services/enterprise-risk-services/
> security-privacy-resiliency/pcidss/index.htm)
> in non-european countries, with not such a good result (but other
> people may
> have different experiences).
>
> Regards,
>
> Ken
>
> On 22 June 2010 14:48, George Bonser wrote:
>
>> Anyone have any suggestions for a decent vendor that provides network
>> penetration testing? We have a customer requirement for a third party
>> test for a certain facility. Have you used anyone that you thought
>> did a
>> great job? Anyone you would suggest avoiding?
>>
>> Replies can be sent off list and I will summarize any feedback I
>> might
>> get from the community if anyone is interested.
>>
>> George
>>
>>
>>
>
>
>

From Dante.Martins at AES.com Tue Jun 22 23:16:42 2010
From: Dante.Martins at AES.com (Dante Martins)
Date: Tue, 22 Jun 2010 23:16:42 -0500
Subject: Penetration Test Vendors
In-Reply-To: <5A6D953473350C4B9995546AFE9939EE09EA4D4A@RWC-EX1.corp.seven.com>
References: <5A6D953473350C4B9995546AFE9939EE09EA4D4A@RWC-EX1.corp.seven.com>
Message-ID:

I have used ISS for the last 4 years. They are very good. They helped us find many problems and suggested mitigations for each of them.

-----Original Message-----
From: George Bonser [mailto:gbonser at seven.com]
Sent: Tuesday, June 22, 2010 5:48 PM
To: nanog at nanog.org
Subject: Penetration Test Vendors

Anyone have any suggestions for a decent vendor that provides network penetration testing? We have a customer requirement for a third party test for a certain facility. Have you used anyone that you thought did a great job? Anyone you would suggest avoiding?
Replies can be sent off list and I will summarize any feedback I might get from the community if anyone is interested. George From nonobvious at gmail.com Tue Jun 22 23:22:55 2010 From: nonobvious at gmail.com (Bill Stewart) Date: Tue, 22 Jun 2010 21:22:55 -0700 Subject: Advice regarding Cisco/Juniper/HP In-Reply-To: References: Message-ID: On Thu, Jun 17, 2010 at 6:52 AM, James Smith wrote: > we're in the process of building a DR site. Assume for purposes of discussion that all the vendors have equivalent quality equipment with approximately equivalent features. I can think of four occasions you'd need a DR center 1 - Practicing your disaster-recovery drills 2 - Testing out new configurations or equipment that you'll roll out to the main system 3 - When you're having a really bad day and need to switch over quickly 4 - When you're having a really really bad day due to common-mode failures of your main-system's vendor's equipment. Case 1 is fine. Case 2 may let you do proofs of concept, but if the DR isn't a close enough model of your real equipment, it's often not good enough Case 3 is the canonical time that you want your DR center to look as much like the real thing as possible, especially if you're trying to handle partial failures of the main system and not just smoking-hole-in-the-ground disasters. Case 4 is the canonical time you wish you'd ignored my advice for Cases 2 and 3, because your HP box has different bugs than your Cisco box. Depending on quite what you do and what your failure models are, you may be able to build parts of your DR center using other vendors' equipment, without too much risk of mismatched configurations, but in general you're going to need to buy a lot of parts for your DR center that are identical to the primary systems they're backing up. -- ---- Thanks; Bill Note that this isn't my regular email account - It's still experimental so far. And Google probably logs and indexes everything you send it. 
From karnaugh at karnaugh.za.net Wed Jun 23 02:54:45 2010 From: karnaugh at karnaugh.za.net (Colin Alston) Date: Wed, 23 Jun 2010 09:54:45 +0200 Subject: Advice regarding Cisco/Juniper/HP In-Reply-To: <14864F23-2F32-4AA2-A1A0-2CE18B1EBA32@oicr.on.ca> References: <20100617092909.I713@evil.minions.com> <4C1A51BE.7090905@utah.edu> <14864F23-2F32-4AA2-A1A0-2CE18B1EBA32@oicr.on.ca> Message-ID: On Thu, Jun 17, 2010 at 7:21 PM, Greg Whynott wrote: > 1. ?Under heavy load (60% or more of 10Gbit interfaces at +80%) we have seen _all_ interfaces simultaneously ?drop packets and generate interface errors. ? this was on an early release of the firmware and I don't think we have seen this problem in awhile. I have seen this also, but on older 2848g's that were fully populated. Replaced the switch and the problem went away, but the old switch worked fine on test bench so I think this is fixed in firmware. Also using 5406 chassis, and never had the slightest hiccup. I dislike HP switches from a management point of view (and I think the VLAN config is nonsense), but they work fine. From sil at infiltrated.net Wed Jun 23 10:51:27 2010 From: sil at infiltrated.net (J. Oquendo) Date: Wed, 23 Jun 2010 11:51:27 -0400 Subject: GoGrid ... Going once... Going twice... Message-ID: <4C222D7F.5010501@infiltrated.net> After trying the usual channels (abuse@, security@) and LinkedIn, I decided to ask if anyone here has a security point of contact or network point of contact at GoGrid. Apologies for the low-level offtopic post. -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT "It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett 227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E From sil at infiltrated.net Wed Jun 23 11:40:53 2010 From: sil at infiltrated.net (J. 
Oquendo)
Date: Wed, 23 Jun 2010 12:40:53 -0400
Subject: Go Grid take two
Message-ID: <4C223915.6030807@infiltrated.net>

Thanks to all who responded, I was put in contact with someone. Apologies for the news. We now return to our irregularly scheduled (de)programming.

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E

From deric.kwok2000 at gmail.com Wed Jun 23 11:53:02 2010
From: deric.kwok2000 at gmail.com (Deric Kwok)
Date: Wed, 23 Jun 2010 12:53:02 -0400
Subject: pls help about mtu setting again
Message-ID:

Hi

Thank you for your reply about DSL MTU.

Now I have a question about internet cable connections. Is it the same as DSL? I tested it on my friend's cable connection. 1470 is fine but 1480 is a problem. Why does it need a header on a cable connection also?

C:\Documents and Settings\deric>ping yahoo.com -f -l 1470

Pinging yahoo.com [98.137.149.56] with 1470 bytes of data:

Reply from 98.137.149.56: bytes=1470 time=96ms TTL=50
Reply from 98.137.149.56: bytes=1470 time=91ms TTL=50
Reply from 98.137.149.56: bytes=1470 time=92ms TTL=50
Reply from 98.137.149.56: bytes=1470 time=89ms TTL=50

Ping statistics for 98.137.149.56:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 89ms, Maximum = 96ms, Average = 92ms

C:\Documents and Settings\deric>ping yahoo.com -f -l 1480

Pinging yahoo.com [98.137.149.56] with 1480 bytes of data:

Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.

Ping statistics for 98.137.149.56:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), Thank you for your help From warren at kumari.net Wed Jun 23 12:45:32 2010 From: warren at kumari.net (Warren Kumari) Date: Wed, 23 Jun 2010 19:45:32 +0200 Subject: no you can't configure your router w/ this In-Reply-To: References: Message-ID: <3A164812-2E73-48EA-ACB6-E7AC546E2488@kumari.net> On Jun 22, 2010, at 7:07 PM, Adam LaFountain wrote: >> >> sigh... where was this useful data 10 years ago! >> >> http://www.fcc.gov/worldtravel/ > > > Even more entertaining is the "reboot.fcc.gov (Beta)" Bah, more like Alpha if you ask me -- I clicked link MULTIPLE times and the FCC didn't reboot -- can I file a bug somewhere? W > in the top right > corner. I wonder if they have a reboot.ftc.gov link as well; that > might > actually be more useful. From hannigan at gmail.com Wed Jun 23 12:54:25 2010 From: hannigan at gmail.com (Martin Hannigan) Date: Wed, 23 Jun 2010 19:54:25 +0200 Subject: Penetration Test Vendors In-Reply-To: <5A6D953473350C4B9995546AFE9939EE09EA4D4A@RWC-EX1.corp.seven.com> References: <5A6D953473350C4B9995546AFE9939EE09EA4D4A@RWC-EX1.corp.seven.com> Message-ID: Secureworks MSS group, formerly VeriSign's MSS division, has a great pentest group. Best, Marty On 6/22/10, George Bonser wrote: > Anyone have any suggestions for a decent vendor that provides network > penetration testing? We have a customer requirement for a third party > test for a certain facility. Have you used anyone that you thought did a > great job? Anyone you would suggest avoiding? > > Replies can be sent off list and I will summarize any feedback I might > get from the community if anyone is interested. 
>
> George
>
>

From morrowc.lists at gmail.com Wed Jun 23 12:56:40 2010
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Wed, 23 Jun 2010 13:56:40 -0400
Subject: no you can't configure your router w/ this
In-Reply-To: <3A164812-2E73-48EA-ACB6-E7AC546E2488@kumari.net>
References: <3A164812-2E73-48EA-ACB6-E7AC546E2488@kumari.net>
Message-ID:

On Wed, Jun 23, 2010 at 1:45 PM, Warren Kumari wrote:
>
> On Jun 22, 2010, at 7:07 PM, Adam LaFountain wrote:
>
>>>
>>> sigh... where was this useful data 10 years ago!
>>>
>>> http://www.fcc.gov/worldtravel/
>>
>>
>> Even more entertaining is the "reboot.fcc.gov (Beta)"
>
> Bah, more like Alpha if you ask me -- I clicked link MULTIPLE times and the
> FCC didn't reboot -- can I file a bug somewhere?

how do you know it wasn't rebooted? Did you see the lights in the building blink?

From warren at kumari.net Wed Jun 23 13:29:23 2010
From: warren at kumari.net (Warren Kumari)
Date: Wed, 23 Jun 2010 20:29:23 +0200
Subject: no you can't configure your router w/ this
In-Reply-To:
References: <3A164812-2E73-48EA-ACB6-E7AC546E2488@kumari.net>
Message-ID:

On Jun 23, 2010, at 7:56 PM, Christopher Morrow wrote:

> On Wed, Jun 23, 2010 at 1:45 PM, Warren Kumari
> wrote:
>>
>> On Jun 22, 2010, at 7:07 PM, Adam LaFountain wrote:
>>
>>>>
>>>> sigh... where was this useful data 10 years ago!
>>>>
>>>> http://www.fcc.gov/worldtravel/
>>>
>>>
>>> Even more entertaining is the "reboot.fcc.gov (Beta)"
>>
>> Bah, more like Alpha if you ask me -- I clicked link MULTIPLE times
>> and the
>> FCC didn't reboot -- can I file a bug somewhere?
>
> how do you know it wasn't rebooted? Did you see the lights in the
> building blink?

1: Lights in the building blink? No, the radio didn't turn off -- that's what they do, isn't it?

2: Even if it *did* reboot, the UI implementation is poor -- I refuse to believe that it can reboot instantly, and there was no feedback provided. There should be something like "Rebooting now...
The FCC will be back in 10s... 9s... 8s..."

W

From Rodolfo.Delgado at fhlbny.com Wed Jun 23 14:25:05 2010
From: Rodolfo.Delgado at fhlbny.com (Delgado,Rodolfo)
Date: Wed, 23 Jun 2010 15:25:05 -0400
Subject: Penetration Test Vendors
In-Reply-To: <5A6D953473350C4B9995546AFE9939EE09EA4D4A@RWC-EX1.corp.seven.com>
References: <5A6D953473350C4B9995546AFE9939EE09EA4D4A@RWC-EX1.corp.seven.com>
Message-ID: <010EDE8ECED891449A25B465902056E60405095E9D@nts-exchangep1.FHLBNY-ADS>

British Telecom managed services, Mandiant and Inguardians.

-----Original Message-----
From: George Bonser [mailto:gbonser at seven.com]
Sent: Tuesday, June 22, 2010 4:48 PM
To: nanog at nanog.org
Subject: Penetration Test Vendors

Anyone have any suggestions for a decent vendor that provides network penetration testing? We have a customer requirement for a third party test for a certain facility. Have you used anyone that you thought did a great job? Anyone you would suggest avoiding?

Replies can be sent off list and I will summarize any feedback I might get from the community if anyone is interested.

George

Confidentiality Notice: The information contained in this e-mail and any attachments (including, but not limited to, any attached e-mails) may be legally privileged and confidential. If you are not an intended recipient, you are hereby notified that any dissemination, distribution or copying of this e-mail is strictly prohibited. If you have received this e-mail in error, please notify the sender and permanently delete the e-mail and any attachments immediately. You should not retain, copy or use this e-mail or any attachment for any purpose, nor disclose all or any part of the contents to any other person. Thank you.
From kmedcalf at dessus.com Wed Jun 23 14:42:58 2010
From: kmedcalf at dessus.com (kmedcalf at dessus.com)
Date: Wed, 23 Jun 2010 15:42:58 -0400
Subject: pls help about mtu setting again
In-Reply-To:
Message-ID: <5139691cbdaf9c43b7c19a8eb59cad1f@mail.dessus.com>

1472 is the maximum ICMP payload size for standard Ethernet. 1480 fails because, well, it is > 1472.

--
() ascii ribbon campaign against html e-mail
/\ www.asciiribbon.org

>-----Original Message-----
>From: Deric Kwok [mailto:deric.kwok2000 at gmail.com]
>Sent: Wednesday, 23 June, 2010 12:53
>To: nanog list
>Subject: pls help about mtu setting again
>
>Hi
>
>Thank you for your reply about DSL mtu
>
>Now I have question about internet cable connection. ls it same as DSL?
>
>I tested it in my friend cable connection.
>
>1470 is fine but 1480 is problem. Why it needs header in cable connection
>also?
>
>C:\Documents and Settings\deric>ping yahoo.com -f -l 1470
>
>Pinging yahoo.com [98.137.149.56] with 1470 bytes of data:
>
>Reply from 98.137.149.56: bytes=1470 time=96ms TTL=50
>Reply from 98.137.149.56: bytes=1470 time=91ms TTL=50
>Reply from 98.137.149.56: bytes=1470 time=92ms TTL=50
>Reply from 98.137.149.56: bytes=1470 time=89ms TTL=50
>
>Ping statistics for 98.137.149.56:
>    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
>Approximate round trip times in milli-seconds:
>    Minimum = 89ms, Maximum = 96ms, Average = 92ms
>
>C:\Documents and Settings\deric>ping yahoo.com -f -l 1480
>
>Pinging yahoo.com [98.137.149.56] with 1480 bytes of data:
>
>Packet needs to be fragmented but DF set.
>Packet needs to be fragmented but DF set.
>Packet needs to be fragmented but DF set.
>Packet needs to be fragmented but DF set.
>
>Ping statistics for 98.137.149.56:
>    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
>
>Thank you for your help

From laurens at daemon.be Wed Jun 23 15:06:39 2010
From: laurens at daemon.be (Laurens Vets)
Date: Wed, 23 Jun 2010 22:06:39 +0200
Subject: Penetration Test Vendors
In-Reply-To: <5A6D953473350C4B9995546AFE9939EE09EA4D4A@RWC-EX1.corp.seven.com>
References: <5A6D953473350C4B9995546AFE9939EE09EA4D4A@RWC-EX1.corp.seven.com>
Message-ID: <4C22694F.2020101@daemon.be>

On 6/22/2010 10:48 PM, George Bonser wrote:
> Anyone have any suggestions for a decent vendor that provides network
> penetration testing? We have a customer requirement for a third party
> test for a certain facility. Have you used anyone that you thought did a
> great job? Anyone you would suggest avoiding?
>
> Replies can be sent off list and I will summarize any feedback I might
> get from the community if anyone is interested.

Verizon Business (formerly CyberTryst formerly ...)?

From rekoil at semihuman.com Wed Jun 23 17:36:36 2010
From: rekoil at semihuman.com (Chris Woodfield)
Date: Wed, 23 Jun 2010 15:36:36 -0700
Subject: 40/100GbEthernet standard ratified
Message-ID: <402B252B-8B80-4922-87BA-EF76A7DBED2A@semihuman.com>

So let us commence the shipping of stupidly overpriced silicon... 802.3ba is an official IEEE standard.

http://www.businesswire.com/portal/site/home/permalink/?ndmViewId=news_view&newsId=20100621006382&newsLang=en

-C

From sean at donelan.com Wed Jun 23 19:45:16 2010
From: sean at donelan.com (Sean Donelan)
Date: Wed, 23 Jun 2010 20:45:16 -0400 (EDT)
Subject: Sources of network security templates or designs
Message-ID:

While every network designer/architect with an emphasis on security has his or her favorite design templates, I'm wondering what public sources do people start with?

Cisco SAFE and other published designs
IBM Redbooks
DOD Security Technical Implementation Guides (STIGs)
NIST Special Publications
O'Reilly series (specific books?)
Of course, every designer customizes things based on the project and preferences. So I'm not asking for what's best, or even what's wrong with particular sources. Just where do you start?

From rs at seastrom.com Thu Jun 24 09:14:45 2010
From: rs at seastrom.com (Robert E. Seastrom)
Date: Thu, 24 Jun 2010 10:14:45 -0400
Subject: [Bruce Hoffman] Thank-you for your recent participation.
Message-ID: <86k4pozfe2.fsf@seastrom.com>

Amusingly, this was sent to me *after* I replied to abuse at internap complaining about getting spammed.

Anyone else getting spam from this joker? Has he been doing nanog mailing list or arin database harvesting? Anyone know who his boss is?

-r

-------------- next part --------------
An embedded message was scrubbed...
From: "Bruce Hoffman"
Subject: Thank-you for your recent participation.
Date: Thu, 24 Jun 2010 09:54:25 -0400
Size: 6572
URL:

From jeffrey.lyon at blacklotus.net Thu Jun 24 09:17:25 2010
From: jeffrey.lyon at blacklotus.net (Jeffrey Lyon)
Date: Thu, 24 Jun 2010 10:17:25 -0400
Subject: [Bruce Hoffman] Thank-you for your recent participation.
In-Reply-To: <86k4pozfe2.fsf@seastrom.com>
References: <86k4pozfe2.fsf@seastrom.com>
Message-ID:

Why contact his boss? It's not like he's on a rogue e-mail campaign, obviously the company told him to do this. Why not focus on more significant spam?

Jeff

On Thu, Jun 24, 2010 at 10:14 AM, Robert E. Seastrom wrote:
>
> Amusingly, this was sent to me *after* I replied to abuse at internap
> complaining about getting spammed.
>
> Anyone else getting spam from this joker? Has he been doing nanog
> mailing list or arin database harvesting? Anyone know who his boss is?
>
> -r
>
>
> ---------- Forwarded message ----------
> From: "Bruce Hoffman"
> To: rs at seastrom.com
> Date: Thu, 24 Jun 2010 09:54:25 -0400
> Subject: Thank-you for your recent participation.
>
>
>   Good Afternoon Seastrom;,
>   I wanted to take a minute and thank you for participating in our study.
>   You are one of the few industry experts we have carefully selected
>   based on your qualifications and experience. If you have not yet
>   participated, please take a moment to complete our five minute market
>   study. You'll also be entered for a chance to win a Dell Netbook, which
>   will be drawn June 30th. Participation is limited, so chances to win
>   are high.
>   The survey can be found here :
>   [1]www.zoomerang.com/Survey/WEB22AT7W6EN38
>
>   Our study in the Data Center and Network Services market was created to
>   help determine product and service areas that Internap can continue to
>   focus on and innovate within. Many of our enhancements and development
>   over the years has been directly tied to market feedback and
>   customer/prospect suggestions, so the voice of the customer is critical
>   in the evolution of our company and performance-based internet and data
>   center services suite. ( internap.com )
>   As previously mentioned, your input will remain confidential - your
>   name and your company's name will not be shared with anyone outside of
>   Internap. With your permission, we would like to contact you and verify
>   your information for our drawing on June 30th.
>
>   Lastly, next month we will be looking for feedback on a new real-time
>   internet performance demo tool that we have released. Based on
>   feedback, that drawing will be a choice between an Apple iPad or an
>   AMEX gift card of equal value for the winning participant.
>   Thank you for your time and good luck in the upcoming drawing.
>   Best,
>
>   ------------------------------------------------------
>   Bruce Hoffman   o   Director : Northeast / Eastern Canada
>   ------------------------------------------------------
>   Phone 617 374 4915   o   Mobile 781 799 6535   fax 617 679 0083
>
>   bhoffman at internap.com   o   [2]www.internap.com
>
>   This message was sent from Bruce Hoffman to rs at seastrom.com. It was
>   sent from: Internap, 69 Canal Street, Boston, MA 02114. You can
>   modify/update your subscription via the link below.
>
>   [3]Email Marketing by
>   [4]iContact - Try It Free!
>
>   [5]Manage your subscription
>
> References
>
>   1. http://click.icptrack.com/icp/relay.php?r=3959897&msgid=23912&act=E459&c=723714&destination=redir.aspx%3FC%3D0e2d58720b0b4e9d8554d632338b3011%26URL%3Dhttp%253a%252f%252fwww.zoomerang.com%252fSurvey%252fWEB22AT7W6EN38
>   2. http://click.icptrack.com/icp/relay.php?r=3959897&msgid=23912&act=E459&c=723714&destination=http%3A%2F%2Finternap.com%2F
>   3. http://www.icontact.com/a.pl/144186
>   4. http://www.icontact.com/a.pl/144186
>   5. http://app.icontact.com/icp/mmail-mprofile.pl?r=3959897&l=3389&s=E459&m=23912&c=723714
>

--
Jeffrey Lyon, Leadership Team
jeffrey.lyon at blacklotus.net | http://www.blacklotus.net
Black Lotus Communications of The IRC Company, Inc.

Follow us on Twitter at http://twitter.com/ddosprotection to find out about news, promotions, and (gasp!) system outages which are updated in real time.

Platinum sponsor of HostingCon 2010. Come to Austin, TX on July 19 - 21 to find out how to "protect your booty."

From rs at seastrom.com Thu Jun 24 09:44:09 2010
From: rs at seastrom.com (Robert E. Seastrom)
Date: Thu, 24 Jun 2010 10:44:09 -0400
Subject: [Bruce Hoffman] Thank-you for your recent participation.
In-Reply-To: (Jeffrey Lyon's message of "Thu, 24 Jun 2010 10:17:25 -0400")
References: <86k4pozfe2.fsf@seastrom.com>
Message-ID: <86iq58v6bq.fsf@seastrom.com>

Jeffrey Lyon writes:

> Why contact his boss? It's not like he's on a rogue e-mail campaign,
> obviously the company told him to do this. Why not focus on more
> significant spam?

The "more significant spam" is largely handled by my anti-spam measures.
Cluing Internap in to the fact that I not only don't buy from spammers myself but am more than happy to pass the word about their unethical business practices is the honorable and right thing to do.

The fact that his e-mail campaign is approved by management does not make it "non-rogue", it only means that upper management is rogue.

I have never been (nor now will I ever be) an InterNAP customer.

-r

From scottleibrand at gmail.com Thu Jun 24 12:54:33 2010
From: scottleibrand at gmail.com (Scott Leibrand)
Date: Thu, 24 Jun 2010 10:54:33 -0700
Subject: [Bruce Hoffman] Thank-you for your recent participation.
In-Reply-To: <86k4pozfe2.fsf@seastrom.com>
References: <86k4pozfe2.fsf@seastrom.com>
Message-ID: <4C239BD9.2010104@gmail.com>

Rob,

Sorry about that. Your e-mail address was on an old SalesForce list that we forgot to remove you from. I've followed up internally to make sure it won't happen again. If anyone else gets any unwanted contact from us, please let me know and I'll make sure it's taken care of.

Thanks,
Scott

On Thu 6/24/2010 7:14 AM, Robert E. Seastrom wrote:
> Amusingly, this was sent to me *after* I replied to abuse at internap
> complaining about getting spammed.
>
> Anyone else getting spam from this joker? Has he been doing nanog
> mailing list or arin database harvesting? Anyone know who his boss is?
>
> -r
>
>

From chris.gravell at green.ch Thu Jun 24 13:38:58 2010
From: chris.gravell at green.ch (Chris Gravell)
Date: Thu, 24 Jun 2010 20:38:58 +0200
Subject: Penetration Test Vendors
In-Reply-To: <001201cb1262$84840290$8d8c07b0$@net>
References: <5A6D953473350C4B9995546AFE9939EE09EA4D4A@RWC-EX1.corp.seven.com> <001201cb1262$84840290$8d8c07b0$@net>
Message-ID: <4DA080251E9A214B8A3E876D5181E2E642B77444@EXMBSRV01.green-connection.ch>

Pen-testing for what?
-----Original Message-----
From: Scott Berkman [mailto:scott at sberkman.net]
Sent: Wednesday, June 23, 2010 1:28 AM
To: 'Ken Gilmour'; 'George Bonser'
Cc: nanog at nanog.org
Subject: RE: Penetration Test Vendors

If I wanted someone to do this, I'd probably look at a security vendor instead of a general purpose consulting firm. Some examples off the top of my head might include IBM's ISS and SecureWorks.

-Scott

-----Original Message-----
From: Ken Gilmour [mailto:ken.gilmour at gmail.com]
Sent: Tuesday, June 22, 2010 4:58 PM
To: George Bonser
Cc: nanog at nanog.org
Subject: Re: Penetration Test Vendors

Depends on where you are... I've used Sysnet in Europe (www.sysnet.ie) and they are excellent. We used Deloitte (http://www.deloitte.com/view/en_GX/global/services/enterprise-risk-services/security-privacy-resiliency/pcidss/index.htm) in non-European countries, with not such a good result (but other people may have different experiences).

Regards,

Ken

On 22 June 2010 14:48, George Bonser wrote:
> Anyone have any suggestions for a decent vendor that provides network
> penetration testing? We have a customer requirement for a third party
> test for a certain facility. Have you used anyone that you thought did a
> great job? Anyone you would suggest avoiding?
>
> Replies can be sent off list and I will summarize any feedback I might
> get from the community if anyone is interested.
>
> George
>
>

From jeroen at mompl.net Thu Jun 24 13:42:49 2010
From: jeroen at mompl.net (Jeroen van Aart)
Date: Thu, 24 Jun 2010 11:42:49 -0700
Subject: Reputable VPS provider with Dutch static IPs
In-Reply-To: <4C003827.2050300@mompl.net>
References: <4C003827.2050300@mompl.net>
Message-ID: <4C23A729.7090902@mompl.net>

Jeroen van Aart wrote:
> Does anyone know a reputable virtual private server provider in the
> Netherlands
> It also should provide Debian stable (Lenny right now) and not cost more
> than ~$30 a month.
> Of course the company should not have problems

Someone pointed me to http://www.xlshosting.nl/ which I am very happy with so far, and it works well for my purposes. Which is mostly openvpn connectivity (read: watching some sports ;-) and a low traffic email gateway.

Thanks,
Jeroen

--
http://goldmark.org/jeff/stupid-disclaimers/

From chris.gravell at green.ch Thu Jun 24 13:49:56 2010
From: chris.gravell at green.ch (Chris Gravell)
Date: Thu, 24 Jun 2010 20:49:56 +0200
Subject: Sources of network security templates or designs
In-Reply-To:
References:
Message-ID: <4DA080251E9A214B8A3E876D5181E2E642B77445@EXMBSRV01.green-connection.ch>

You start with all of them once you have a good understanding of the underlying protocols.

There is no cheat-sheet.

-----Original Message-----
From: Sean Donelan [mailto:sean at donelan.com]
Sent: Thursday, June 24, 2010 2:45 AM
To: nanog at nanog.org
Subject: Sources of network security templates or designs

While every network designer/architect with an emphasis on security has his or her favorite design templates, I'm wondering what public sources do people start with?

Cisco SAFE and other published designs
IBM Redbooks
DOD Security Technical Implementation Guides (STIGs)
NIST Special Publications
O'Reilly series (specific books?)

Of course, every designer customizes things based on the project and preferences. So I'm not asking for what's best, or even what's wrong with particular sources. Just where do you start?

From markk at arin.net Thu Jun 24 14:00:14 2010
From: markk at arin.net (Mark Kosters)
Date: Thu, 24 Jun 2010 15:00:14 -0400
Subject: FW: [ipv6-wg] 2010 IPv6 Deployment Monitoring Survey Now Underway
Message-ID: <20100624190012.GA1111@arin.net>

ARIN encourages its community to participate in the 2010 Global IPv6 Deployment Monitoring Survey being conducted by GNKS Consult and TNO and sponsored by the RIPE NCC.
The survey is now available at: http://www.surveymonkey.com/s/IPv6deploymentmonitoring2010

The survey will close on 1 July 2010.

All five Regional Internet Registries have committed to soliciting participation in this survey in order to compile the most complete global IPv6 deployment data possible. The survey results will provide a better understanding of current IPv6 deployment, and what still needs to be done to ensure the Internet community is ready for the widespread adoption of IPv6.

ARIN/CAIDA performed a similar survey in 2008, and it was repeated in 2009 in the RIPE and APNIC regions. The 2010 survey will allow for some comparison of progress, which will be extremely valuable in determining the necessary next steps. The goal is to establish a comprehensive view of present IPv6 penetration and future plans for IPv6 deployment.

The survey is composed of 23 questions and can be completed in about 15 minutes. For those without IPv6 allocations or assignments, or who have not yet deployed IPv6, the questions will be fewer in number.

Results of the IPv6 Deployment Monitoring Survey will be made public in the fall. All participants that provide their name and contact information on the survey form will receive the draft survey analysis when available. Please also indicate if you are willing to share additional data with the TNO and GNKS Consult IPv6 Deployment Monitoring team.

Any questions concerning the survey itself should be addressed to .

Regards,
Mark Kosters
ARIN CTO

From ewilliams at connectria.com Thu Jun 24 14:37:09 2010
From: ewilliams at connectria.com (Eric Williams)
Date: Thu, 24 Jun 2010 14:37:09 -0500
Subject: ATT BGP - Advertising my network on accident
In-Reply-To:
References:
Message-ID:

AT&T is currently advertising my address space to the internet accidentally via BGP which they should not be. Since they are advertising my address space on accident, we are dead in the water.
Does anybody out there work for ATT or know of the number I can call in order to have them stop advertising my /22 ASAP!!!!

From sean at donelan.com Thu Jun 24 16:16:59 2010
From: sean at donelan.com (Sean Donelan)
Date: Thu, 24 Jun 2010 17:16:59 -0400 (EDT)
Subject: Sources of network security templates or designs
In-Reply-To: <4DA080251E9A214B8A3E876D5181E2E642B77445@EXMBSRV01.green-connection.ch>
References: <4DA080251E9A214B8A3E876D5181E2E642B77445@EXMBSRV01.green-connection.ch>
Message-ID:

On Thu, 24 Jun 2010, Chris Gravell wrote:
> You start with all of them once you have a good understanding of the
> underlying protocols.
>
> There is no cheat-sheet.

I wasn't asking for the cheat-sheet. I was asking for what do you include in the category of "all of them."

From matthew at walster.org Thu Jun 24 14:52:21 2010
From: matthew at walster.org (Matthew Walster)
Date: Thu, 24 Jun 2010 20:52:21 +0100
Subject: Advice regarding Cisco/Juniper/HP
In-Reply-To:
References: <20100617092909.I713@evil.minions.com> <4C1A51BE.7090905@utah.edu> <14864F23-2F32-4AA2-A1A0-2CE18B1EBA32@oicr.on.ca>
Message-ID:

On 23 June 2010 08:54, Colin Alston wrote:
> I dislike HP switches from a management point of view (and I think the
> VLAN config is nonsense), but they work fine.

That's strange, I abhor the Cisco way of doing VLANs and love the HP/Procurve method.

What do you find so irritating?

Kind regards,

Matthew Walster

From crosevear at skytap.com Thu Jun 24 16:55:22 2010
From: crosevear at skytap.com (Carl Rosevear)
Date: Thu, 24 Jun 2010 14:55:22 -0700
Subject: Advice regarding Cisco/Juniper/HP
In-Reply-To:
References: <20100617092909.I713@evil.minions.com> <4C1A51BE.7090905@utah.edu> <14864F23-2F32-4AA2-A1A0-2CE18B1EBA32@oicr.on.ca>
Message-ID:

> That's strange, I abhor the Cisco way of doing VLANs and love the
> HP/Procurve method.
>
> What do you find so irritating?
>

I find it irritating because I am often running thousands of vlans and do not want to explicitly type them all out in the config or to have to do so with a script. `switch trunk allowed vlan 2-3000` is much more awesome, for me.

---Carl

From rps at maine.edu Thu Jun 24 21:53:29 2010
From: rps at maine.edu (Ray Soucy)
Date: Thu, 24 Jun 2010 22:53:29 -0400
Subject: Advice regarding Cisco/Juniper/HP
In-Reply-To:
References: <20100617092909.I713@evil.minions.com> <4C1A51BE.7090905@utah.edu> <14864F23-2F32-4AA2-A1A0-2CE18B1EBA32@oicr.on.ca>
Message-ID:

For large campuses that have a lot (hundreds) of switches, Cisco seems to win out over HP from a TCO standpoint. I've consistently seen HP switches have higher failure rates, which isn't a big deal if you're a smaller shop, but when you have a large campus (or several large campuses across a state in our case) the man-power that you need to run around and do equipment swaps adds up pretty quick. I think what we do using about 10 people in a Cisco environment would be closer to 20 in an HP and Juniper environment, so those additional salaries and benefits need to be a factor.

Cisco VTP is a killer app for VLAN management IMHO, but only for campus deployments, really. If you're a service provider you probably will be running in transparent mode.

As far as Cisco's failure rate... I'm not proud of it, but given that we're a public institution and limited in funding we still have a large amount of 3500 XL series switches that have been running for 10+ years without failure in harsh environments (old buildings, boiler rooms...). It's nice to have that level of dependability in hardware and it certainly makes our lives easier.

To be fair, I don't know many large HP deployments anymore as most of them have moved to Cisco, so I'd be interested in hearing from people who run an HP shop for a campus. The pricing and warranty seem hard to resist, but if the failure rates are still high it's hard to make a case.
On Thu, Jun 24, 2010 at 5:55 PM, Carl Rosevear wrote:
>> That's strange, I abhor the Cisco way of doing VLANs and love the
>> HP/Procurve method.
>>
>> What do you find so irritating?
>>
>
> I find it irritating because I am often running thousands of vlans and
> do not want to explicitly type them all out in the config or to have
> to do so with a script. `switch trunk allowed vlan 2-3000` is much
> more awesome, for me.
>
> ---Carl
>
>

--
Ray Soucy
Epic Communications Specialist
Phone: +1 (207) 561-3526
Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/

From jasongurtz at npumail.com Fri Jun 25 08:12:57 2010
From: jasongurtz at npumail.com (Jason Gurtz)
Date: Fri, 25 Jun 2010 09:12:57 -0400
Subject: Advice regarding Cisco/Juniper/HP
In-Reply-To:
References: <20100617092909.I713@evil.minions.com> <4C1A51BE.7090905@utah.edu> <14864F23-2F32-4AA2-A1A0-2CE18B1EBA32@oicr.on.ca>
Message-ID:

> pretty quick. I think what we do using about 10 people in a Cisco
> environment would be closer to 20 in an HP and Juniper environment, so
> those additional salaries and benefits need to be a factor.

I hear you on the HP stuff, but are you saying that Juniper equipment also shows a higher failure rate? Or, are you saying they require a higher staffing rate for different reasons?

Just wondering, since Juniper is trumpeting running the stock exchange and all.

~JasonG

From rps at maine.edu Fri Jun 25 08:19:04 2010
From: rps at maine.edu (Ray Soucy)
Date: Fri, 25 Jun 2010 09:19:04 -0400
Subject: Advice regarding Cisco/Juniper/HP
In-Reply-To:
References: <20100617092909.I713@evil.minions.com> <4C1A51BE.7090905@utah.edu> <14864F23-2F32-4AA2-A1A0-2CE18B1EBA32@oicr.on.ca>
Message-ID:

Poor choice of words, Juniper does fine.

On Fri, Jun 25, 2010 at 9:12 AM, Jason Gurtz wrote:
>> pretty quick.
>> I think what we do using about 10 people in a Cisco
>> environment would be closer to 20 in an HP and Juniper environment, so
>> those additional salaries and benefits need to be a factor.
>
> I hear you on the HP stuff, but are you saying that Juniper equipment also
> shows a higher failure rate? Or, are you saying they require a higher
> staffing rate for different reasons?
>
> Just wondering, since Juniper is trumpeting running the stock exchange and
> all.
>
> ~JasonG
>
>

--
Ray Soucy
Epic Communications Specialist
Phone: +1 (207) 561-3526
Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/

From ewilliams at connectria.com Fri Jun 25 08:56:16 2010
From: ewilliams at connectria.com (Eric Williams)
Date: Fri, 25 Jun 2010 08:56:16 -0500
Subject: ATT BGP - Advertising my network on accident
In-Reply-To:
References:
Message-ID:

This issue has been resolved by breaking up the /22 into /24's. Thanks to all for the advice.

Maybe next time I will take someone's advice and advertise one of ATT's /8's.

From: Eric Williams/Connectria
To: nanog at nanog.org
Date: 06/24/2010 02:37 PM
Subject: ATT BGP - Advertising my network on accident

AT&T is currently advertising my address space to the internet accidentally via BGP which they should not be. Since they are advertising my address space on accident, we are dead in the water. Does anybody out there work for ATT or know of the number I can call in order to have them stop advertising my /22 ASAP!!!!

From richard.barnes at gmail.com Fri Jun 25 09:07:21 2010
From: richard.barnes at gmail.com (Richard Barnes)
Date: Fri, 25 Jun 2010 10:07:21 -0400
Subject: ATT BGP - Advertising my network on accident
In-Reply-To:
References:
Message-ID:

I wonder how much of the de-aggregation in the routing table is attributable to issues like this?

On Fri, Jun 25, 2010 at 9:56 AM, Eric Williams wrote:
> This issue has been resolved by breaking up the /22 into /24's. Thanks to
> all for the advise.
>
> Maybe next time I will take someone's advise and advertise one of ATT's
> /8's.
>
>
> From:
> Eric Williams/Connectria
> To:
> nanog at nanog.org
> Date:
> 06/24/2010 02:37 PM
> Subject:
> ATT BGP - Advertising my network on accident
>
>
> AT&T is currently advertising my address space to the internet
> accidentally via BGP which they should not be. Since they are advertising
> my address space on accident, we are dead in the water. Does anybody out
> there work for ATT or know of the number I can call in order to have them
> stop advertising my /22 ASAP!!!!
>

From dmburgess at linktechs.net Fri Jun 25 09:12:55 2010
From: dmburgess at linktechs.net (Dennis Burgess)
Date: Fri, 25 Jun 2010 09:12:55 -0500
Subject: ATT BGP - Advertising my network on accident
References:
Message-ID: <91522911795E174F97E7EF8B792A10312292BE@ltiserver.LTI.local>

Have you found a contact at ATT to get this stopped?

-----------------------------------------------------------
Dennis Burgess, Mikrotik Certified Trainer
Link Technologies, Inc -- Mikrotik & WISP Support Services
Office: 314-735-0270 Website: http://www.linktechs.net
LIVE On-Line Mikrotik Training - Author of "Learn RouterOS"

-----Original Message-----
From: Eric Williams [mailto:ewilliams at connectria.com]
Sent: Friday, June 25, 2010 8:56 AM
To: nanog at nanog.org
Subject: Re: ATT BGP - Advertising my network on accident

This issue has been resolved by breaking up the /22 into /24's. Thanks to all for the advise.

Maybe next time I will take someone's advise and advertise one of ATT's /8's.

From: Eric Williams/Connectria
To: nanog at nanog.org
Date: 06/24/2010 02:37 PM
Subject: ATT BGP - Advertising my network on accident

AT&T is currently advertising my address space to the internet accidentally via BGP which they should not be. Since they are advertising my address space on accident, we are dead in the water.
Does anybody out there work for ATT or know of the number I can call in order to have them stop advertising my /22 ASAP!!!!

From morrowc.lists at gmail.com Fri Jun 25 09:17:03 2010
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Fri, 25 Jun 2010 10:17:03 -0400
Subject: ATT BGP - Advertising my network on accident
In-Reply-To: <91522911795E174F97E7EF8B792A10312292BE@ltiserver.LTI.local>
References: <91522911795E174F97E7EF8B792A10312292BE@ltiserver.LTI.local>
Message-ID:

On Fri, Jun 25, 2010 at 10:12 AM, Dennis Burgess wrote:
> Have you found a contact at ATT to get this stopped?

I'm fairly certain JayB at least reads nanog... the OP didn't mention if this was 7018, 7132 or the ATT_ENS AS with the route though :(

> -----Original Message-----
> From: Eric Williams [mailto:ewilliams at connectria.com]
> Sent: Friday, June 25, 2010 8:56 AM
> To: nanog at nanog.org
> Subject: Re: ATT BGP - Advertising my network on accident
>
> This issue has been resolved by breaking up the /22 into /24's. Thanks
> to all for the advise.
>
> Maybe next time I will take someone's advise and advertise one of ATT's
> /8's.
>
>
> From:
> Eric Williams/Connectria
> To:
> nanog at nanog.org
> Date:
> 06/24/2010 02:37 PM
> Subject:
> ATT BGP - Advertising my network on accident
>
>
> AT&T is currently advertising my address space to the internet
> accidentally via BGP which they should not be. Since they are
> advertising
> my address space on accident, we are dead in the water. Does anybody
> out
> there work for ATT or know of the number I can call in order to have
> them
> stop advertising my /22 ASAP!!!!
>
>

From ljb at merit.edu Fri Jun 25 10:02:51 2010
From: ljb at merit.edu (Larry Blunk)
Date: Fri, 25 Jun 2010 11:02:51 -0400
Subject: ATT BGP - Advertising my network on accident
In-Reply-To:
References: <91522911795E174F97E7EF8B792A10312292BE@ltiserver.LTI.local>
Message-ID: <4C24C51B.9040108@merit.edu>

Looks like the prefix in question is 208.91.48.0/22 and it was briefly announced by 7018 yesterday, but that announcement seems to be gone now. I see 11734 is announcing 208.91.48.0/22 + 208.91.48.0/24 now, but not 208.91.49.0/24 - 208.91.51.0/24.

On 06/25/2010 10:17 AM, Christopher Morrow wrote:
> On Fri, Jun 25, 2010 at 10:12 AM, Dennis Burgess
> wrote:
>
>> Have you found a contact at ATT to get this stopped?
>>
> I'm fairly certain JayB at least reads nanog... the OP didn't mention
> if this was 7018, 7132 or the ATT_ENS AS with the route though :(
>
>
>> -----Original Message-----
>> From: Eric Williams [mailto:ewilliams at connectria.com]
>> Sent: Friday, June 25, 2010 8:56 AM
>> To: nanog at nanog.org
>> Subject: Re: ATT BGP - Advertising my network on accident
>>
>> This issue has been resolved by breaking up the /22 into /24's. Thanks
>> to all for the advise.
>>
>> Maybe next time I will take someone's advise and advertise one of ATT's
>> /8's.
>>
>>
>> From:
>> Eric Williams/Connectria
>> To:
>> nanog at nanog.org
>> Date:
>> 06/24/2010 02:37 PM
>> Subject:
>> ATT BGP - Advertising my network on accident
>>
>>
>> AT&T is currently advertising my address space to the internet
>> accidentally via BGP which they should not be. Since they are
>> advertising
>> my address space on accident, we are dead in the water. Does anybody
>> out
>> there work for ATT or know of the number I can call in order to have
>> them
>> stop advertising my /22 ASAP!!!!
From cra at WPI.EDU Fri Jun 25 10:11:39 2010
From: cra at WPI.EDU (Chuck Anderson)
Date: Fri, 25 Jun 2010 11:11:39 -0400
Subject: Advice regarding Cisco/Juniper/HP
Message-ID: <20100625151139.GW32456@angus.ind.WPI.EDU>

On Fri, Jun 25, 2010 at 09:12:57AM -0400, Jason Gurtz wrote:
> > pretty quick. I think what we do using about 10 people in a Cisco
> > environment would be closer to 20 in an HP and Juniper environment, so
> > those additional salaries and benefits need to be a factor.

How many switches/users are we talking about that you need 10-20 people to manage?

> I hear you on the HP stuff, but are you saying that Juniper equipment also
> shows a higher failure rate? Or, are you saying they require a higher
> staffing rate for different reasons?
>
> Just wondering, since Juniper is trumpeting running the stock exchange and
> all.

I can vouch for the fact that the batch of Juniper EX-PWR-930-AC modular power supplies shipped around June/July last summer had some quality issues. We've replaced about 10 so far (out of about 140) in the year we've had them. Presumably they've fixed this on new batches. It's a good thing we sprang for the redundant power supply modules in those switches.

Compare this to the Nortel (now Avaya) BayStack 55xx line where we've had approximately 0 built-in power supply and maybe 2-3 unit failures for other reasons in the last 3 years.

From markk at arin.net Fri Jun 25 11:51:06 2010
From: markk at arin.net (Mark Kosters)
Date: Fri, 25 Jun 2010 12:51:06 -0400
Subject: ARIN's RESTful Whois Directory Service Available 26 June
Message-ID: <20100625165106.GA2010@arin.net>

----- Forwarded message from Member Services -----

From: Member Services
Date: Thu, 24 Jun 2010 13:00:42 -0400
To: "arin-announce at arin.net"
Subject: [arin-announce] ARIN's RESTful Whois Directory Service Available 26 June

ARIN is deploying an improved Whois service called Whois-RWS on 26 June 2010.
Included in the deployment are the following services that provide the general public with access to ARIN's registration data.

* a RESTful Web Service (RWS)
* a NICNAME/WHOIS port 43 service
* a user-friendly web site (http://whois.arin.net)

When using Whois-RWS you will notice some differences in behavior for certain queries and corresponding result sets on the NICNAME/WHOIS TCP port 43 service. These minor differences are documented at:

https://www.arin.net/resources/whoisrws/whois_diff.html

ARIN's Directory Service for registration data has used the NICNAME/WHOIS protocol since its inception. The limitations of the NICNAME/WHOIS protocol are well known and documented in RFC3912. Whois-RWS was created as an alternative to the ARIN Whois and will provide much richer functionality and capability to the community. Whois-RWS can easily be integrated into command line scripts, or it can be used with a web browser, which makes it applicable for programmatic consumption and accessible for interactive use.

ARIN will continue to maintain services for the NICNAME/WHOIS protocol on TCP/43. This is achieved by using a proxy service to translate traditional ARIN Whois queries into Whois-RWS queries. However, ARIN recommends use of the RESTful Web Service. Those who choose to use the Whois-RWS Proxy will find it has many features unavailable over the existing Whois service, including:

* Support for new query types such as CIDR queries
* Better feedback for ambiguous queries
* More finely scoped record type queries
* Options for NICNAME/WHOIS clients that re-interpret traditional parameters used by ARIN's service
* RESTful URL references, useful for embedding into documents and e-mail
* Better grouping of record types and delineation of results

Another major benefit is that data from ARIN's registration database is distributed to the Whois-RWS servers many times throughout the day, versus the once-a-day update of ARIN's previous Whois service.
Changes will be reflected more quickly through Whois-RWS, so query results will be more current than the previous Whois service.

ARIN continues to welcome community participation on the Whois-RWS mailing list, and we invite you to subscribe and provide feedback to:

http://lists.arin.net/mailman/listinfo/arin-whoisrws

Regards,

Mark Kosters
Chief Technical Officer
American Registry for Internet Numbers (ARIN)

----- End forwarded message -----

From joelja at bogus.com Fri Jun 25 12:35:59 2010
From: joelja at bogus.com (joel jaeggli)
Date: Fri, 25 Jun 2010 10:35:59 -0700
Subject: ATT BGP - Advertising my network on accident
Message-ID: <4C24E8FF.8090200@bogus.com>

just fyi, identifying the prefix in question and the origin AS will likely result in a lot more potentially useful eyeballs looking at including those that can take action.

joel

On 2010-06-24 12:37, Eric Williams wrote:
> AT&T is currently advertising my address space to the internet
> accidentally via BGP which they should not be. Since they are advertising
> my address space on accident, we are dead in the water. Does anybody out
> there work for ATT or know of the number I can call in order to have them
> stop advertising my /22 ASAP!!!!

From cscora at apnic.net Fri Jun 25 13:12:56 2010
From: cscora at apnic.net (Routing Analysis Role Account)
Date: Sat, 26 Jun 2010 04:12:56 +1000 (EST)
Subject: Weekly Routing Table Report
Message-ID: <201006251812.o5PICu5D009156@thyme.apnic.net>

This is an automated weekly mailing describing the state of the Internet Routing Table as seen from APNIC's router in Japan.

Daily listings are sent to bgp-stats at lists.apnic.net

For historical data, please see http://thyme.apnic.net.

If you have any comments please contact Philip Smith.
Routing Table Report   04:00 +10GMT Sat 26 Jun, 2010

Report Website:     http://thyme.apnic.net
Detailed Analysis:  http://thyme.apnic.net/current/

Analysis Summary
----------------

BGP routing table entries examined:                              323205
Prefixes after maximum aggregation:                              149101
Deaggregation factor:                                              2.17
Unique aggregates announced to Internet:                         158363
Total ASes present in the Internet Routing Table:                 34231
Prefixes per ASN:                                                  9.44
Origin-only ASes present in the Internet Routing Table:           29720
Origin ASes announcing only one prefix:                           14411
Transit ASes present in the Internet Routing Table:                4511
Transit-only ASes present in the Internet Routing Table:            108
Average AS path length visible in the Internet Routing Table:       3.6
Max AS path length visible:                                          24
Max AS path prepend of ASN (41664)                                   21
Prefixes from unregistered ASNs in the Routing Table:               295
Unregistered ASNs in the Routing Table:                             112
Number of 32-bit ASNs allocated by the RIRs:                        642
Prefixes from 32-bit ASNs in the Routing Table:                     757
Special use prefixes present in the Routing Table:                    0
Prefixes being announced from unallocated address space:            159
Number of addresses announced to Internet:                   2251743840
    Equivalent to 134 /8s, 54 /16s and 226 /24s
Percentage of available address space announced:                   60.8
Percentage of allocated address space announced:                   65.5
Percentage of available address space allocated:                   92.8
Percentage of address space in use by end-sites:                   83.4
Total number of prefixes smaller than registry allocations:      154204

APNIC Region Analysis Summary
-----------------------------

Prefixes being announced by APNIC Region ASes:                    78033
Total APNIC prefixes after maximum aggregation:                   26885
APNIC Deaggregation factor:                                        2.90
Prefixes being announced from the APNIC address blocks:           74858
Unique aggregates announced from the APNIC address blocks:        33140
APNIC Region origin ASes present in the Internet Routing Table:    4081
APNIC Prefixes per ASN:                                           18.34
APNIC Region origin ASes announcing only one prefix:               1117
APNIC Region transit ASes present in the Internet Routing Table:    639
Average APNIC Region AS path length visible:                        3.6
Max APNIC Region AS path length visible:                             15
Number of APNIC addresses announced to Internet:              525628704
    Equivalent to 31 /8s, 84 /16s and 117 /24s
Percentage of available APNIC address space announced:             78.3

APNIC AS Blocks        4608-4864, 7467-7722, 9216-10239, 17408-18431 (pre-ERX allocations)
                       23552-24575, 37888-38911, 45056-46079
                       55296-56319, 131072-132095
APNIC Address Blocks   1/8, 14/8, 27/8, 43/8, 58/8, 59/8, 60/8, 61/8,
                       110/8, 111/8, 112/8, 113/8, 114/8, 115/8, 116/8, 117/8,
                       118/8, 119/8, 120/8, 121/8, 122/8, 123/8, 124/8, 125/8,
                       126/8, 133/8, 175/8, 180/8, 182/8, 183/8, 202/8, 203/8,
                       210/8, 211/8, 218/8, 219/8, 220/8, 221/8, 222/8, 223/8,

ARIN Region Analysis Summary
----------------------------

Prefixes being announced by ARIN Region ASes:                    133710
Total ARIN prefixes after maximum aggregation:                    69226
ARIN Deaggregation factor:                                         1.93
Prefixes being announced from the ARIN address blocks:           106681
Unique aggregates announced from the ARIN address blocks:         41819
ARIN Region origin ASes present in the Internet Routing Table:    13744
ARIN Prefixes per ASN:                                             7.76
ARIN Region origin ASes announcing only one prefix:                5271
ARIN Region transit ASes present in the Internet Routing Table:    1349
Average ARIN Region AS path length visible:                         3.4
Max ARIN Region AS path length visible:                              22
Number of ARIN addresses announced to Internet:               729671968
    Equivalent to 43 /8s, 125 /16s and 233 /24s
Percentage of available ARIN address space announced:              62.1

ARIN AS Blocks         1-1876, 1902-2042, 2044-2046, 2048-2106 (pre-ERX allocations)
                       2138-2584, 2615-2772, 2823-2829, 2880-3153
                       3354-4607, 4865-5119, 5632-6655, 6912-7466
                       7723-8191, 10240-12287, 13312-15359, 16384-17407
                       18432-20479, 21504-23551, 25600-26591,
                       26624-27647, 29696-30719, 31744-33791
                       35840-36863, 39936-40959, 46080-47103
                       53248-55295, 393216-394239
ARIN Address Blocks    3/8, 4/8, 6/8, 7/8, 8/8, 9/8, 11/8, 12/8, 13/8,
                       15/8, 16/8, 17/8, 18/8, 19/8, 20/8, 21/8, 22/8, 24/8,
                       26/8, 28/8, 29/8, 30/8, 32/8, 33/8, 34/8, 35/8, 38/8,
                       40/8, 44/8, 45/8, 47/8, 48/8, 50/8, 52/8, 54/8, 55/8,
                       56/8, 63/8, 64/8, 65/8, 66/8, 67/8, 68/8, 69/8, 70/8,
                       71/8, 72/8, 73/8, 74/8, 75/8, 76/8, 96/8, 97/8, 98/8,
                       99/8, 107/8, 108/8, 173/8, 174/8, 184/8, 199/8, 204/8,
                       205/8, 206/8, 207/8, 208/8, 209/8, 214/8, 215/8, 216/8,

RIPE Region Analysis Summary
----------------------------

Prefixes being announced by RIPE Region ASes:                     74437
Total RIPE prefixes after maximum aggregation:                    43213
RIPE Deaggregation factor:                                         1.72
Prefixes being announced from the RIPE address blocks:            67581
Unique aggregates announced from the RIPE address blocks:         44362
RIPE Region origin ASes present in the Internet Routing Table:    14549
RIPE Prefixes per ASN:                                             4.65
RIPE Region origin ASes announcing only one prefix:                7512
RIPE Region transit ASes present in the Internet Routing Table:    2159
Average RIPE Region AS path length visible:                         3.9
Max RIPE Region AS path length visible:                              24
Number of RIPE addresses announced to Internet:               432412960
    Equivalent to 25 /8s, 198 /16s and 25 /24s
Percentage of available RIPE address space announced:              75.8

RIPE AS Blocks         1877-1901, 2043, 2047, 2107-2136, 2585-2614 (pre-ERX allocations)
                       2773-2822, 2830-2879, 3154-3353, 5377-5631
                       6656-6911, 8192-9215, 12288-13311, 15360-16383
                       20480-21503, 24576-25599, 28672-29695
                       30720-31743, 33792-35839, 38912-39935
                       40960-45055, 47104-52223, 196608-197631
RIPE Address Blocks    2/8, 25/8, 31/8, 46/8, 51/8, 62/8, 77/8, 78/8, 79/8,
                       80/8, 81/8, 82/8, 83/8, 84/8, 85/8, 86/8, 87/8, 88/8,
                       89/8, 90/8, 91/8, 92/8, 93/8, 94/8, 95/8, 109/8, 176/8,
                       178/8, 193/8, 194/8, 195/8, 212/8, 213/8, 217/8,

LACNIC Region Analysis Summary
------------------------------

Prefixes being announced by LACNIC Region ASes:                   28719
Total LACNIC prefixes after maximum aggregation:                   6891
LACNIC Deaggregation factor:                                       4.17
Prefixes being announced from the LACNIC address blocks:          27171
Unique aggregates announced from the LACNIC address blocks:       14182
LACNIC Region origin ASes present in the Internet Routing Table:   1304
LACNIC Prefixes per ASN:                                          20.84
LACNIC Region origin ASes announcing only one prefix:               400
LACNIC Region transit ASes present in the Internet Routing Table:   232
Average LACNIC Region AS path length visible:                       3.9
Max LACNIC Region AS path length visible:                            24
Number of LACNIC addresses announced to Internet:              75105792
    Equivalent to 4 /8s, 122 /16s and 6 /24s
Percentage of available LACNIC address space announced:            56.0

LACNIC AS Blocks       26592-26623, 27648-28671, 52224-53247, 262144-263167 plus ERX transfers
LACNIC Address Blocks  177/8, 181/8, 186/8, 187/8, 189/8, 190/8, 200/8, 201/8,

AfriNIC Region Analysis Summary
-------------------------------

Prefixes being announced by AfriNIC Region ASes:                   7302
Total AfriNIC prefixes after maximum aggregation:                  1850
AfriNIC Deaggregation factor:                                      3.95
Prefixes being announced from the AfriNIC address blocks:          5623
Unique aggregates announced from the AfriNIC address blocks:       1730
AfriNIC Region origin ASes present in the Internet Routing Table:   374
AfriNIC Prefixes per ASN:                                         15.03
AfriNIC Region origin ASes announcing only one prefix:              111
AfriNIC Region transit ASes present in the Internet Routing Table:   84
Average AfriNIC Region AS path length visible:                      3.7
Max AfriNIC Region AS path length visible:                           14
Number of AfriNIC addresses announced to Internet:             19523328
    Equivalent to 1 /8s, 41 /16s and 231 /24s
Percentage of available AfriNIC address space announced:           58.2

AfriNIC AS Blocks      36864-37887, 327680-328703 & ERX transfers
AfriNIC Address Blocks 41/8, 197/8,

APNIC Region per AS prefix count summary
----------------------------------------

ASN      No of nets  /20 equiv  MaxAgg  Description
4766           1847       8407     482  Korea Telecom (KIX)
7545           1335        232     107  TPG Internet Pty Ltd
17488          1319        140     127  Hathway IP Over Cable Interne
4755           1314        295     154  TATA Communications formerly
17974          1141        283      23  PT TELEKOMUNIKASI INDONESIA
9583            997         74     491  Sify Limited
24560           923        306     170  Bharti Airtel Ltd., Telemedia
4134            876      21292     408  CHINANET-BACKBONE
4808            829       1572     215  CNCGROUP IP network: China169
9829            794        681      34  BSNL National Internet Backbo

Complete listing at http://thyme.apnic.net/current/data-ASnet-APNIC

ARIN Region per AS prefix count summary
---------------------------------------

ASN      No of nets  /20 equiv  MaxAgg  Description
6389           3910       3733     288  bellsouth.net, inc.
4323           2711       1114     395  Time Warner Telecom
1785           1795        698     129  PaeTec Communications, Inc.
20115          1559       1520     653  Charter Communications
7018           1506       5736     957  AT&T WorldNet Services
2386           1285        568     908  AT&T Data Communications Serv
6478           1283        260     110  AT&T Worldnet Services
3356           1180      10889     405  Level 3 Communications, LLC
22773          1166       2861      66  Cox Communications, Inc.
11492          1154        207      71  Cable One

Complete listing at http://thyme.apnic.net/current/data-ASnet-ARIN

RIPE Region per AS prefix count summary
---------------------------------------

ASN      No of nets  /20 equiv  MaxAgg  Description
35805           644         56       6  United Telecom of Georgia
3292            453       2027     393  TDC Tele Danmark
30890           444        111     206  Evolva Telecom
9198            411        202      13  Kazakhtelecom Data Network Ad
702             410       1869     326  UUNET - Commercial IP service
8551            400        353      46  Bezeq International
8866            400        117      18  Bulgarian Telecommunication C
3320            372       7329     323  Deutsche Telekom AG
3301            371       1414     326  TeliaNet Sweden
34984           360         89     185  BILISIM TELEKOM

Complete listing at http://thyme.apnic.net/current/data-ASnet-RIPE

LACNIC Region per AS prefix count summary
-----------------------------------------

ASN      No of nets  /20 equiv  MaxAgg  Description
8151           1462       3017     250  UniNet S.A. de C.V.
10620          1057        237     152  TVCABLE BOGOTA
28573          1003        784      97  NET Servicos de Comunicao S.A
7303            745        385     114  Telecom Argentina Stet-France
6503            677        175     216  AVANTEL, S.A.
22047           547        310      15  VTR PUNTO NET S.A.
3816            492        214      78  Empresa Nacional de Telecomun
7738            477        922      30  Telecomunicacoes da Bahia S.A
14420           468         32      69  ANDINATEL S.A.
11172           450         99      76  Servicios Alestra S.A de C.V

Complete listing at http://thyme.apnic.net/current/data-ASnet-LACNIC

AfriNIC Region per AS prefix count summary
------------------------------------------

ASN      No of nets  /20 equiv  MaxAgg  Description
8452           1162        445      10  TEDATA
24863           726        147      39  LINKdotNET AS number
36992           641        279     187  Etisalat MISR
3741            269        852     230  The Internet Solution
33776           219         12      11  Starcomms Nigeria Limited
2018            211        244      61  Tertiary Education Network
6713            195        186      16  Itissalat Al-MAGHRIB
24835           189         78      10  RAYA Telecom - Egypt
29571           175         17      10  Ci Telecom Autonomous system
29975           133        506      14  Vodacom

Complete listing at http://thyme.apnic.net/current/data-ASnet-AFRINIC

Global Per AS prefix count summary
----------------------------------

ASN      No of nets  /20 equiv  MaxAgg  Description
6389           3910       3733     288  bellsouth.net, inc.
4323           2711       1114     395  Time Warner Telecom
4766           1847       8407     482  Korea Telecom (KIX)
1785           1795        698     129  PaeTec Communications, Inc.
20115          1559       1520     653  Charter Communications
7018           1506       5736     957  AT&T WorldNet Services
8151           1462       3017     250  UniNet S.A. de C.V.
7545           1335        232     107  TPG Internet Pty Ltd
17488          1319        140     127  Hathway IP Over Cable Interne
4755           1314        295     154  TATA Communications formerly

Complete listing at http://thyme.apnic.net/current/data-ASnet

Global Per AS Maximum Aggr summary
----------------------------------

ASN      No of nets  Net Savings  Description
4323           2711         2316  Time Warner Telecom
1785           1795         1666  PaeTec Communications, Inc.
4766           1847         1365  Korea Telecom (KIX)
7545           1335         1228  TPG Internet Pty Ltd
8151           1462         1212  UniNet S.A. de C.V.
17488          1319         1192  Hathway IP Over Cable Interne
6478           1283         1173  AT&T Worldnet Services
4755           1314         1160  TATA Communications formerly
8452           1162         1152  TEDATA
17974          1141         1118  PT TELEKOMUNIKASI INDONESIA

Complete listing at http://thyme.apnic.net/current/data-CIDRnet

List of Unregistered Origin ASNs (Global)
-----------------------------------------

Bad AS  Designation  Network          Transit AS  Description
16927   UNALLOCATED  12.0.252.0/23          7018  AT&T WorldNet Servic
15132   UNALLOCATED  12.9.150.0/24          7018  AT&T WorldNet Servic
32567   UNALLOCATED  12.14.170.0/24         7018  AT&T WorldNet Servic
13746   UNALLOCATED  12.24.56.0/24          7018  AT&T WorldNet Servic
32567   UNALLOCATED  12.25.107.0/24         7018  AT&T WorldNet Servic
26973   UNALLOCATED  12.39.152.0/24         7018  AT&T WorldNet Servic
26973   UNALLOCATED  12.39.154.0/23         7018  AT&T WorldNet Servic
26973   UNALLOCATED  12.39.155.0/24         7018  AT&T WorldNet Servic
26973   UNALLOCATED  12.39.159.0/24         7018  AT&T WorldNet Servic
25639   UNALLOCATED  12.41.169.0/24         7018  AT&T WorldNet Servic

Complete listing at http://thyme.apnic.net/current/data-badAS

Advertised Unallocated Addresses
--------------------------------

Network          Origin AS  Description
31.0.0.0/16          12654  RIPE NCC RIS Project
31.1.0.0/21          12654  RIPE NCC RIS Project
31.1.24.0/24         12654  RIPE NCC RIS Project
41.222.79.0/24       36938  >>UNKNOWN<<
41.223.92.0/22       36936  >>UNKNOWN<<
41.223.188.0/24      22351  Intelsat
41.223.189.0/24       6453  Teleglobe Inc.
41.223.196.0/24      36990  Alkan Telecom Ltd
41.223.197.0/24      36990  Alkan Telecom Ltd
41.223.198.0/24      36990  Alkan Telecom Ltd

Complete listing at http://thyme.apnic.net/current/data-add-IANA

Number of prefixes announced per prefix length (Global)
-------------------------------------------------------

/1:0      /2:0      /3:0      /4:0      /5:0      /6:0      /7:0      /8:20
/9:10     /10:25    /11:68    /12:196   /13:406   /14:707   /15:1283  /16:11140
/17:5339  /18:9140  /19:18372 /20:22877 /21:22846 /22:29912 /23:29457 /24:168471
/25:971   /26:1252  /27:619   /28:31    /29:47    /30:9     /31:0     /32:7

Advertised prefixes smaller than registry allocations
-----------------------------------------------------

ASN      No of nets  Total ann.  Description
6389           2505        3910  bellsouth.net, inc.
4766           1482        1847  Korea Telecom (KIX)
4323           1396        2711  Time Warner Telecom
1785           1258        1795  PaeTec Communications, Inc.
11492          1066        1154  Cable One
17488          1066        1319  Hathway IP Over Cable Interne
8452           1050        1162  TEDATA
18566          1040        1059  Covad Communications
10620           973        1057  TVCABLE BOGOTA
7018            911        1506  AT&T WorldNet Services

Complete listing at http://thyme.apnic.net/current/data-sXXas-nos

Number of /24s announced per /8 block (Global)
----------------------------------------------

[per-/8 count table omitted; see http://thyme.apnic.net/current/]

End of report

From cidr-report at potaroo.net Fri Jun 25 17:00:01 2010
From: cidr-report at potaroo.net (cidr-report at potaroo.net)
Date: Fri, 25 Jun 2010 22:00:01 GMT
Subject: BGP Update Report
Message-ID: <201006252200.o5PM01N1009661@wattle.apnic.net>

BGP Update Report
Interval: 17-Jun-10 -to- 24-Jun-10 (7 days)
Observation Point: BGP Peering with AS131072

TOP 20 Unstable Origin AS
Rank  ASN       Upds   %    Upds/Pfx  AS-Name
 1 - AS24400   64871  4.5%    5405.9 -- CMNET-V4SHANGHAI-AS-AP Shanghai Mobile Communications Co.,Ltd.
 2 - AS9808    62064  4.4%     827.5 -- CMNET-GD Guangdong Mobile Communication Co.Ltd.
 3 - AS14420   54652  3.8%     117.3 -- CORPORACION NACIONAL DE TELECOMUNICACIONES CNT S.A.
 4 - AS18910   29562  2.1%    1847.6 -- BIG-SANDY-BROADBAND-INC - Big Sandy Broadband Inc
 5 - AS30890   26695  1.9%      61.4 -- EVOLVA Evolva Telecom s.r.l.
 6 - AS35805   18262  1.3%      28.8 -- SILKNET-AS SILKNET AS
 7 - AS5800    15672  1.1%      69.7 -- DNIC-ASBLK-05800-06055 - DoD Network Information Center
 8 - AS12880   13091  0.9%     163.6 -- DCI-AS DCI Autonomous System
 9 - AS32528   11954  0.8%    3984.7 -- ABBOTT Abbot Labs
10 - AS27065   10562  0.7%      87.3 -- DNIC-ASBLK-27032-27159 - DoD Network Information Center
11 - AS10474   10319  0.7%    2063.8 -- NETACTIVE
12 - AS47883    9945  0.7%     153.0 -- KKTCELL-AS KIBRIS MOBILE TELEKOMUNIKASYON LTD.
13 - AS9829     9794  0.7%      51.8 -- BSNL-NIB National Internet Backbone
14 - AS35931    9752  0.7%    3250.7 -- ARCHIPELAGO - ARCHIPELAGO HOLDINGS INC
15 - AS27968    9101  0.6%      97.9 -- CORPORACION NACIONAL DE TELECOMUNICACIONES CNT S.A.
16 - AS45464    9020  0.6%     209.8 -- NEXTWEB-AS-AP Room 201, TGU Bldg
17 - AS27757    8756  0.6%      76.1 -- CORPORACION NACIONAL DE TELECOMUNICACIONES CNT S.A.
18 - AS8452     8138  0.6%       7.8 -- TEDATA TEDATA
19 - AS15656    7846  0.6%     170.6 -- ANET Anet Iletisim A.S.
20 - AS14522    7623  0.5%      30.5 -- Satnet

TOP 20 Unstable Origin AS (Updates per announced prefix)
Rank  ASN       Upds   %    Upds/Pfx  AS-Name
 1 - AS24400   64871  4.5%    5405.9 -- CMNET-V4SHANGHAI-AS-AP Shanghai Mobile Communications Co.,Ltd.
 2 - AS32528   11954  0.8%    3984.7 -- ABBOTT Abbot Labs
 3 - AS35931    9752  0.7%    3250.7 -- ARCHIPELAGO - ARCHIPELAGO HOLDINGS INC
 4 - AS27873    2315  0.2%    2315.0 -- Compañía Goly, S.A.
 5 - AS10474   10319  0.7%    2063.8 -- NETACTIVE
 6 - AS18910   29562  2.1%    1847.6 -- BIG-SANDY-BROADBAND-INC - Big Sandy Broadband Inc
 7 - AS30372    2775  0.2%    1387.5 -- SBS-NEWARK-CA - SIEMENS BUSINESS SERVICES
 8 - AS9808    62064  4.4%     827.5 -- CMNET-GD Guangdong Mobile Communication Co.Ltd.
 9 - AS55482     783  0.1%     783.0 -- DIGITAL-WAVE-MY Level 12 Menara Sunway, Jalan Lagoon Timur,
10 - AS11613     683  0.1%     683.0 -- U-SAVE - U-Save Auto Rental of America, Inc.
11 - AS28052     635  0.0%     635.0 -- Arte Radiotelevisivo Argentino
12 - AS16552    1384  0.1%     461.3 -- TIGGEE - Tiggee LLC
13 - AS30402     796  0.1%     398.0 -- HARRIS - Harris Interactive Inc.
14 - AS10445    2358  0.2%     336.9 -- HTG - Huntleigh Telcom
15 - AS3         313  0.0%     120.0 -- SUEZ-AS Elektrownia Polaniec SA Grupa GDF SUEZ Energia Polska
16 - AS39780     303  0.0%     303.0 -- TECNOCOM-NET AS for Tecnocom T&E
17 - AS20293     595  0.0%     297.5 -- WU - WESTERN UNION COMPANY
18 - AS45647     587  0.0%     293.5 -- LBCBANK-AS-AP LBC Development Bank
19 - AS41864    1641  0.1%     273.5 -- MIBA-AS SC MIBA TELECOM 2002 SRL
20 - AS38596     265  0.0%     265.0 -- INNODATA-MDE-AS-PH Innodata-ISOGEN, Inc

TOP 20 Unstable Prefixes
Rank  Prefix             Upds   %    Origin AS -- AS Name
 1 - 111.10.2.0/24      12326  0.8%  AS9808  -- CMNET-GD Guangdong Mobile Communication Co.Ltd.
 2 - 111.10.3.0/24      12324  0.8%  AS9808  -- CMNET-GD Guangdong Mobile Communication Co.Ltd.
 3 - 111.10.4.0/24      12316  0.8%  AS9808  -- CMNET-GD Guangdong Mobile Communication Co.Ltd.
 4 - 111.10.0.0/24      12316  0.8%  AS9808  -- CMNET-GD Guangdong Mobile Communication Co.Ltd.
 5 - 111.10.1.0/24      12315  0.8%  AS9808  -- CMNET-GD Guangdong Mobile Communication Co.Ltd.
 6 - 117.131.0.0/17     10820  0.7%  AS24400 -- CMNET-V4SHANGHAI-AS-AP Shanghai Mobile Communications Co.,Ltd.
 7 - 120.204.0.0/16     10674  0.7%  AS24400 -- CMNET-V4SHANGHAI-AS-AP Shanghai Mobile Communications Co.,Ltd.
 8 - 196.2.16.0/24      10277  0.7%  AS10474 -- NETACTIVE
 9 - 221.181.64.0/18     7639  0.5%  AS24400 -- CMNET-V4SHANGHAI-AS-AP Shanghai Mobile Communications Co.,Ltd.
10 - 117.136.8.0/24      7426  0.5%  AS24400 -- CMNET-V4SHANGHAI-AS-AP Shanghai Mobile Communications Co.,Ltd.
11 - 117.135.128.0/18    7103  0.5%  AS24400 -- CMNET-V4SHANGHAI-AS-AP Shanghai Mobile Communications Co.,Ltd.
12 - 117.135.0.0/17      7101  0.5%  AS24400 -- CMNET-V4SHANGHAI-AS-AP Shanghai Mobile Communications Co.,Ltd.
13 - 130.36.34.0/24      5974  0.4%  AS32528 -- ABBOTT Abbot Labs
14 - 130.36.35.0/24      5972  0.4%  AS32528 -- ABBOTT Abbot Labs
15 - 190.65.228.0/22     5796  0.4%  AS3816  -- COLOMBIA TELECOMUNICACIONES S.A. ESP
16 - 198.140.43.0/24     5570  0.4%  AS35931 -- ARCHIPELAGO - ARCHIPELAGO HOLDINGS INC
17 - 85.185.26.0/24      5157  0.3%  AS12880 -- DCI-AS DCI Autonomous System
18 - 202.141.157.0/24    4907  0.3%  AS2697  -- ERX-ERNET-AS Education and Research Network
19 - 143.138.107.0/24    4126  0.3%  AS747   -- TAEGU-AS - Headquarters, USAISC
20 - 63.211.68.0/22      3982  0.3%  AS35931 -- ARCHIPELAGO - ARCHIPELAGO HOLDINGS INC

Details at http://bgpupdates.potaroo.net
------------------------------------
Copies of this report are mailed to:
  nanog at merit.edu
  eof-list at ripe.net
  apops at apops.net
  routing-wg at ripe.net
  afnog at afnog.org

From cidr-report at potaroo.net Fri Jun 25 17:00:00 2010
From: cidr-report at potaroo.net (cidr-report at potaroo.net)
Date: Fri, 25 Jun 2010 22:00:00 GMT
Subject: The Cidr Report
Message-ID: <201006252200.o5PM00rG009654@wattle.apnic.net>

This report has been generated at Fri Jun 25 21:11:44 2010 AEST.
The report analyses the BGP Routing Table of AS2.0 router and generates a report on aggregation potential within the table.

Check http://www.cidr-report.org for a current version of this report.

Recent Table History
        Date      Prefixes    CIDR Agg
        18-06-10    325632      201656
        19-06-10    326044      201847
        20-06-10    326275      201809
        21-06-10    326227      202163
        22-06-10    326263      201899
        23-06-10    326578      202351
        24-06-10    326853      202535
        25-06-10    326998      202479

AS Summary
         34702  Number of ASes in routing system
         14744  Number of ASes announcing only one prefix
          4468  Largest number of prefixes announced by an AS
                AS4323 : TWTC - tw telecom holdings, inc.
      95976768  Largest address span announced by an AS (/32s)
                AS4134 : CHINANET-BACKBONE No.31,Jin-rong Street

Aggregation Summary
The algorithm used in this report proposes aggregation only when there is a precise match using the AS path, so as to preserve traffic transit policies. Aggregation is also proposed across non-advertised address space ('holes').
 --- 25Jun10 ---
ASnum    NetsNow  NetsAggr  NetGain  % Gain  Description
Table     327010    202472   124538   38.1%  All ASes

AS6389      3910       293     3617   92.5%  BELLSOUTH-NET-BLK - BellSouth.net Inc.
AS4323      4468      1746     2722   60.9%  TWTC - tw telecom holdings, inc.
AS4766      1847       496     1351   73.1%  KIXS-AS-KR Korea Telecom
AS22773     1165        70     1095   94.0%  ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc.
AS4755      1313       245     1068   81.3%  TATACOMM-AS TATA Communications formerly VSNL is Leading ISP
AS17488     1319       318     1001   75.9%  HATHWAY-NET-AP Hathway IP Over Cable Internet
AS6478      1283       325      958   74.7%  ATT-INTERNET3 - AT&T WorldNet Services
AS18566     1059       121      938   88.6%  COVAD - Covad Communications Co.
AS8151      1463       565      898   61.4%  Uninet S.A. de C.V.
AS19262     1130       274      856   75.8%  VZGNI-TRANSIT - Verizon Internet Services Inc.
AS10620     1057       234      823   77.9%  Telmex Colombia S.A.
AS7545      1346       570      776   57.7%  TPG-INTERNET-AP TPG Internet Pty Ltd
AS8452      1162       408      754   64.9%  TEDATA TEDATA
AS5668       872       131      741   85.0%  AS-5668 - CenturyTel Internet Holdings, Inc.
AS4808       829       234      595   71.8%  CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
AS4804       678        84      594   87.6%  MPX-AS Microplex PTY LTD
AS7303       746       179      567   76.0%  Telecom Argentina S.A.
AS35805      644        92      552   85.7%  SILKNET-AS SILKNET AS
AS7018      1506       959      547   36.3%  ATT-INTERNET4 - AT&T WorldNet Services
AS3356      1183       662      521   44.0%  LEVEL3 Level 3 Communications
AS4780       684       163      521   76.2%  SEEDNET Digital United Inc.
AS1785      1795      1292      503   28.0%  AS-PAETEC-NET - PaeTec Communications, Inc.
AS28573     1003       504      499   49.8%  NET Servicos de Comunicao S.A.
AS17676      572        81      491   85.8%  GIGAINFRA Softbank BB Corp.
AS9443       559        75      484   86.6%  INTERNETPRIMUS-AS-AP Primus Telecommunications
AS7552       613       130      483   78.8%  VIETEL-AS-AP Vietel Corporation
AS7011      1135       654      481   42.4%  FRONTIER-AND-CITIZENS - Frontier Communications of America, Inc.
AS7738       477        30      447   93.7%  Telecomunicacoes da Bahia S.A.
AS24560      923       486      437   47.3%  AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
AS36992      641       211      430   67.1%  ETISALAT-MISR

Total      37382     11632    25750   68.9%  Top 30 total

Possible Bogus Routes
[prefix/origin-AS list omitted; see http://www.cidr-report.org]
202.9.55.0/24 AS2764 AAPT AAPT Limited 202.9.57.0/24 AS2764 AAPT AAPT Limited 202.38.63.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited 202.58.113.0/24 AS19161 202.61.75.0/24 AS9927 PHILCOMNET-PH A Multihomed ISP Company 202.66.128.0/18 AS9584 GENESIS-AP Diyixian.com Limited 202.66.160.0/19 AS9584 GENESIS-AP Diyixian.com Limited 202.66.160.0/20 AS9584 GENESIS-AP Diyixian.com Limited 202.66.176.0/20 AS9584 GENESIS-AP Diyixian.com Limited 202.66.184.0/24 AS9584 GENESIS-AP Diyixian.com Limited 202.66.186.0/24 AS9584 GENESIS-AP Diyixian.com Limited 202.66.188.0/24 AS9584 GENESIS-AP Diyixian.com Limited 202.66.189.0/24 AS9584 GENESIS-AP Diyixian.com Limited 202.66.190.0/24 AS9584 GENESIS-AP Diyixian.com Limited 202.73.144.0/20 AS4788 TMNET-AS-AP TM Net, Internet Service Provider 202.80.192.0/20 AS2706 PI-HK Pacnet Internet (Hong Kong) Limited 202.86.252.0/22 AS4748 RESOLINK-AS-AP Resources Link Network Limited 202.86.252.0/24 AS9304 HUTCHISON-AS-AP Hutchison Global Communications 202.86.253.0/24 AS9304 HUTCHISON-AS-AP Hutchison Global Communications 202.86.254.0/24 AS9304 HUTCHISON-AS-AP Hutchison Global Communications 202.86.255.0/24 AS9304 HUTCHISON-AS-AP Hutchison Global Communications 202.94.1.0/24 AS4808 CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network 202.133.37.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited 202.133.70.0/24 AS38616 WORLDCALL-AS-KHI Worldcall Telecom Limited 202.133.73.0/24 AS38616 WORLDCALL-AS-KHI Worldcall Telecom Limited 202.136.254.0/24 AS4808 CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network 202.136.255.0/24 AS4808 CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network 202.150.227.0/24 AS17727 NAPINFO-AS-AP PT. NAP Info Lintas Nusa 202.174.70.0/24 AS21175 WIS Wind International Services SA 202.174.125.0/24 AS9498 BBIL-AP BHARTI Airtel Ltd. 
202.176.1.0/24 AS9942 COMINDICO-AP SOUL Converged Communications Australia 202.179.130.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited 202.179.131.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited 202.179.133.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited 202.179.134.0/24 AS23966 LDN-AS-PK LINKdotNET Telecom Limited 202.179.144.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited 202.179.149.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited 202.179.150.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited 202.181.32.0/24 AS4645 ASN-HKNET-AP HKNet Co. Ltd 203.12.45.0/24 AS4854 NETSPACE-AS-AP Netspace Online Systems 203.62.0.0/17 AS7575 AARNET-AS-AP Australian Academic and Reasearch Network (AARNet) 203.78.48.0/20 AS9299 IPG-AS-AP Philippine Long Distance Telephone Company 203.80.136.0/21 AS4759 EVOSERVE-AS-AP EvoServe is a content and online access Internet provider company 203.112.111.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd 203.112.113.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd 203.112.114.0/24 AS4802 ASN-IINET iiNet Limited 203.112.116.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd 203.112.117.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd 203.112.118.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd 203.112.119.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd 203.112.120.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd 203.112.121.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd 203.112.127.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd 203.128.128.0/24 AS23849 CNNIC-NET263-AP Beijing Capital-online science development Co.,Ltd. 203.142.219.0/24 AS45149 204.9.216.0/23 AS6389 BELLSOUTH-NET-BLK - BellSouth.net Inc. 204.9.218.0/23 AS6389 BELLSOUTH-NET-BLK - BellSouth.net Inc. 204.10.232.0/21 AS33150 204.19.14.0/23 AS577 BACOM - Bell Canada 204.28.104.0/21 AS25973 MZIMA - Mzima Networks, Inc. 
204.89.214.0/24 AS4323 TWTC - tw telecom holdings, inc. 204.197.0.0/16 AS3356 LEVEL3 Level 3 Communications 204.209.114.0/24 AS13768 PEER1 - Peer 1 Network Inc. 205.150.0.0/15 AS701 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business 205.189.134.0/24 AS11814 DISTRIBUTEL-AS11814 - DISTRIBUTEL COMMUNICATIONS LTD. 205.196.24.0/22 AS33724 BIZNESSHOSTING - VOLICO 205.210.145.0/24 AS11814 DISTRIBUTEL-AS11814 - DISTRIBUTEL COMMUNICATIONS LTD. 206.180.240.0/20 AS12083 KNOLOGY-NET - Knology Holdings 206.197.184.0/24 AS23304 DATOTEL-STL-AS - Datotel LLC, a NetLabs LLC Company 207.174.131.0/24 AS26116 INDRA - Indra's Net Inc. 207.174.132.0/23 AS26116 INDRA - Indra's Net Inc. 207.174.152.0/23 AS26116 INDRA - Indra's Net Inc. 207.174.154.0/24 AS26116 INDRA - Indra's Net Inc. 207.174.155.0/24 AS26116 INDRA - Indra's Net Inc. 207.174.188.0/24 AS26116 INDRA - Indra's Net Inc. 207.174.189.0/24 AS26116 INDRA - Indra's Net Inc. 207.174.190.0/24 AS26116 INDRA - Indra's Net Inc. 207.174.191.0/24 AS26116 INDRA - Indra's Net Inc. 207.174.200.0/24 AS22658 EARTHNET - Earthnet, Inc. 207.174.248.0/21 AS6653 PRIVATEI - privateI, LLC 207.231.96.0/19 AS11194 NUNETPA - NuNet Inc. 208.73.4.0/22 AS27630 PREMIER - Premier Innovations, LLC 208.78.164.0/24 AS16565 208.78.165.0/24 AS16565 208.78.167.0/24 AS16565 208.92.196.0/22 AS10929 NETELLIGENT - Netelligent Hosting Services Inc. 208.92.199.0/24 AS26198 3MENATWORK - 3Men at Work Integrated Networks, Inc. 
209.54.123.0/24 AS6062 NETPLEX - NETPLEX 209.105.224.0/19 AS20074 209.165.239.0/24 AS209 ASN-QWEST - Qwest Communications Company, LLC 209.213.0.0/20 AS33005 ELTOPIA - Eltopia.com, LLC 209.213.1.0/24 AS7849 CROCKERCOM - CROCKER COMMUNICATIONS 209.213.4.0/24 AS7849 CROCKERCOM - CROCKER COMMUNICATIONS 210.5.128.0/20 AS4837 CHINA169-BACKBONE CNCGROUP China169 Backbone 210.56.150.0/23 AS38138 INTECH-TRANSIT-BD InTech Online Limited, INTERNET SERVICE LIMITED 210.247.224.0/19 AS7496 WEBCENTRAL-AS WebCentral 216.21.196.0/24 AS12251 INVISION - Invision.com, Inc. 216.21.201.0/24 AS12251 INVISION - Invision.com, Inc. 216.21.202.0/24 AS12251 INVISION - Invision.com, Inc. 216.21.206.0/23 AS12251 INVISION - Invision.com, Inc. 216.58.192.0/24 AS22702 X5SOLUTIONS - X5 Solutions, Inc. 216.58.197.0/24 AS22702 X5SOLUTIONS - X5 Solutions, Inc. 216.58.200.0/24 AS18530 ISOMEDIA-1 - Isomedia Inc. 216.172.198.0/24 AS22773 ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc. 216.172.199.0/24 AS22773 ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc. 216.250.112.0/20 AS7296 ALCHEMYNET - Alchemy Communications, Inc. 216.250.116.0/24 AS36066 UNI-MARKETING-ALLIANCE - Webhost4life.com Please see http://www.cidr-report.org for the full report ------------------------------------ Copies of this report are mailed to: nanog at merit.edu eof-list at ripe.net apops at apops.net routing-wg at ripe.net afnog at afnog.org From jul_bsd at yahoo.fr Sat Jun 26 02:48:13 2010 From: jul_bsd at yahoo.fr (jul) Date: Sat, 26 Jun 2010 09:48:13 +0200 Subject: Sources of network security templates or designs In-Reply-To: References: Message-ID: <4C25B0BD.6040502@yahoo.fr> http://www.team-cymru.org/ReadingRoom/Templates/ Sean Donelan wrote on 24/06/10 02:45: > While every network designer/architect with an emphasis on security has > his or her favorite design templates, I'm wondering what public sources > do people start with? 
> > Cisco SAFE and other published designs > IBM Redbooks > DOD Security Technical Implementation Guides (STIGs) > NIST Special Publications > O'Reilly series (specific books?) > > Of course, every designer customizes things based on the project and > preferences. So I'm not asking for what's best, or even what's wrong > with particular sources. Just where do you start? > From tomb at byrneit.net Sat Jun 26 10:57:05 2010 From: tomb at byrneit.net (Tomas L. Byrnes) Date: Sat, 26 Jun 2010 08:57:05 -0700 Subject: Sources of network security templates or designs In-Reply-To: References: Message-ID: <72F9A69DCF990443B2CEC064E605CE060857CA@Pascal.zaphodb.org> While the DISA STIGs are probably the archetype, you have to start with whatever the sponsoring or certifying authority uses, if you need to pass some audit later. Those almost always reference NIST docs: http://www.nist.gov/itl/publications.cfm?defaultSearch=false&authorlist=&keywords=&topics=309&seriesName=&journalName=&datepicker1=&datepicker2=# For generic sources, I agree with Cymru as a good resource, but my favorite is SANS. http://www.sans.org/reading_room/ > -----Original Message----- > From: Sean Donelan [mailto:sean at donelan.com] > Sent: Wednesday, June 23, 2010 5:45 PM > To: nanog at nanog.org > Subject: Sources of network security templates or designs > > While every network designer/architect with an emphasis on security has > his or her favorite design templates, I'm wondering what public sources > do people start with? > > Cisco SAFE and other published designs > IBM Redbooks > DOD Security Technical Implementation Guides (STIGs) > NIST Special Publications > O'Reilly series (specific books?) > > Of course, every designer customizes things based on the project and > preferences. So I'm not asking for what's best, or even what's wrong > with particular sources. Just where do you start?
> From suess13 at cfl.rr.com Sat Jun 26 14:32:17 2010 From: suess13 at cfl.rr.com (suess13 at cfl.rr.com) Date: Sat, 26 Jun 2010 14:32:17 -0500 Subject: Penetration Test Vendors In-Reply-To: <4DA080251E9A214B8A3E876D5181E2E642B77444@EXMBSRV01.green-connection.ch> References: <5A6D953473350C4B9995546AFE9939EE09EA4D4A@RWC-EX1.corp.seven.com> <001201cb1262$84840290$8d8c07b0$@net> <4DA080251E9A214B8A3E876D5181E2E642B77444@EXMBSRV01.green-connection.ch> Message-ID: <01fe01cb1566$4a168b30$de43a190$@cfl.rr.com> Verizon Business (purchased the Cybertrust group) -----Original Message----- From: Chris Gravell [mailto:chris.gravell at green.ch] Sent: Thursday, June 24, 2010 2:39 PM To: nanog at nanog.org Subject: RE: Penetration Test Vendors Pen-testing for what? -----Original Message----- From: Scott Berkman [mailto:scott at sberkman.net] Sent: Wednesday, June 23, 2010 1:28 AM To: 'Ken Gilmour'; 'George Bonser' Cc: nanog at nanog.org Subject: RE: Penetration Test Vendors If I wanted someone to do this, I'd probably look at a security vendor instead of a general purpose consulting firm. Some examples off the top of my head might include IBM's ISS and SecureWorks. -Scott -----Original Message----- From: Ken Gilmour [mailto:ken.gilmour at gmail.com] Sent: Tuesday, June 22, 2010 4:58 PM To: George Bonser Cc: nanog at nanog.org Subject: Re: Penetration Test Vendors Depends on where you are... I've used Sysnet in Europe (www.sysnet.ie) and they are excellent. We used Deloitte (http://www.deloitte.com/view/en_GX/global/services/enterprise-risk-services/security-privacy-resiliency/pcidss/index.htm) in non-European countries, with not such a good result (but other people may have different experiences). Regards, Ken On 22 June 2010 14:48, George Bonser wrote: > Anyone have any suggestions for a decent vendor that provides network > penetration testing? We have a customer requirement for a third party > test for a certain facility.
Have you used anyone that you thought did > a great job? Anyone you would suggest avoiding? > > Replies can be sent off list and I will summarize any feedback I might > get from the community if anyone is interested. > > George > > > From jf at feldman.org Sun Jun 27 08:03:47 2010 From: jf at feldman.org (Jonathan Feldman) Date: Sun, 27 Jun 2010 09:03:47 -0400 Subject: Broadband initiatives - impact to your network? Message-ID: I'm one of the reporters who covers broadband and cloud computing for InformationWeek magazine (www.informationweek.com), and it's interesting to me that one of the issues with cloud adoption has to do with the limited pipe networks available in this country. For example, it's not feasible to do a massive data load through the networks that are currently available -- you need to FedEx a hard drive to Amazon. Holy cow, it's SneakerNet for the 21st Century! Initiatives like the federal BTOP (Broadband Technology Opportunity Program) and Google's infamous (and so far invisible) fiber program promise to change, by orders of magnitude, the pipe that's available to most folks, and therefore change equations like SneakerNet for cloud loads. Surely the backbone will also need to be much more capacious, with middle mile changes like this. I am interested in hearing from folks on this list about the impacts that these programs are having on your network build-out and management plans. I'm also interested in hearing your perspective on real network management issues that could either be caused by or fixed by proposed FCC regulation of broadband. I don't have a political axe to grind, and I know that broadband is something of a political issue right now. But there are pragmatics that data center managers and CIOs have to deal with every day, and knowing what's coming up on the national broadband agenda is becoming more and more important. You can reply to me either on-list, or off-list (jf at feldman.org) if you want to remain anonymous. 
My deadline is Monday, close of business (5pm ET). Thanks so much for your perspective. --Jonathan Jonathan Feldman Contributing Editor, InformationWeek http://www.informationweek.com Twitter: @_jfeldman From markk at arin.net Sun Jun 27 08:07:04 2010 From: markk at arin.net (Mark Kosters) Date: Sun, 27 Jun 2010 09:07:04 -0400 Subject: Whois-RWS Release Update Message-ID: <20100627130704.GA3607@arin.net> ----- Forwarded message from Member Services ----- From: Member Services Date: Sun, 27 Jun 2010 07:11:54 -0400 To: "arin-announce at arin.net" Subject: [arin-announce] Whois-RWS Release Update On 26 June, ARIN rolled out Whois-RWS. Unfortunately, we experienced a very significant increase in traffic after rollout which exceeded our load capacity and caused the new service to degrade to an unacceptable level. To ensure customers could continue to access ARIN's Whois data, we have reverted to the old service which degrades more gracefully under load. We are examining the data gathered on the traffic patterns we experienced and are making the necessary changes to deploy Whois-RWS in the near future. We thank you for your patience, and we look forward to making the Whois-RWS service available for community use very soon. Regards, Mark Kosters Chief Technical Officer American Registry for Internet Numbers (ARIN) ----- End forwarded message ----- From rsk at gsp.org Sun Jun 27 13:22:34 2010 From: rsk at gsp.org (Rich Kulawiec) Date: Sun, 27 Jun 2010 14:22:34 -0400 Subject: [Bruce Hoffman] Thank-you for your recent participation. In-Reply-To: <86k4pozfe2.fsf@seastrom.com> References: <86k4pozfe2.fsf@seastrom.com> Message-ID: <20100627182234.GB24403@gsp.org> On Thu, Jun 24, 2010 at 10:14:45AM -0400, Robert E. Seastrom wrote: > Amusingly, this was sent to me *after* I replied to abuse at internap > complaining about getting spammed. This spam came from the "icontact" spammers-for-hire: they're absolute filth who have been abusing individuals and mailing lists for years.
I recommend blacklisting them permanently. ---Rsk From khatfield at socllc.net Sun Jun 27 16:22:51 2010 From: khatfield at socllc.net (khatfield at socllc.net) Date: Sun, 27 Jun 2010 17:22:51 -0400 (EDT) Subject: Very Strange - TCP SWEEP Alerts / Inconsistent with traffic on system Message-ID: <1277673771.085423881@192.168.2.228> Folks, We have a strange situation occurring lately where we are getting some reports of TCP Sweeps from some one of our IP's, yet the IP is one of many specifically configured for inbound traffic and do not emit outbound traffic unless for response. Specifically, these are ddos mitigation IP's so they are attacked fairly frequently. With this in mind, the last few days one of the IP's being reported has been under constant attack. Here is an example report we received from AT&T: 04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=23,dp=1024,min=212.1.185.6,max=212.1.191.127,Jun27-04:21:01,Jun27-04:29:26) (USI-amsxaid01) 04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=16,dp=3072,min=212.1.189.1,max=212.1.188.118,Jun27-04:21:15,Jun27-04:29:09) (USI-amsxaid01) 04:36:44 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=16,dp=1024,min=212.1.188.1,max=212.1.185.126,Jun27-04:29:51,Jun27-04:35:53) (USI-amsxaid01) 04:20:47 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=25,dp=1024,min=212.1.190.11,max=212.1.189.120,Jun27-04:12:37,Jun27-04:20:40) (USI-amsxaid01) 04:20:47 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=18,dp=3072,min=212.1.189.3,max=212.1.186.118,Jun27-04:13:15,Jun27-04:20:37) (USI-amsxaid01) 04:12:36 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=34,dp=1024,min=212.1.191.8,max=212.1.191.121,Jun27-03:56:28,Jun27-04:12:29) (USI-amsxaid01) 04:12:36 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=28,dp=3072,min=212.1.186.6,max=213.244.176.119,Jun27-03:56:48,Jun27-04:11:45) (USI-amsxaid01) ------------------------ Report from DK*CERT: If nothing else mentioned below, timezone is believed to be UTC+0200(CEST) Destination address(es): Adresser i nettene 130.225.16.0/22 og 130.225.2.128/25 Security logs: #Jun 27 
18:13:40 2010 .. Jun 27 18:58:13 2010 # Scan from x.x.x.x affecting at least # 81 addresses targeting TCP:1024, TCP:3072. # ------------------------ I have removed our IP and replaced it with x.x.x.x. To be a bit more clear, this is a reverse-proxy IP address. This IP is in a NAT type configuration where it is sent back to filtering clusters. No outbound traffic is configured on these IP's except where requests / responses flow through it. I know a year or two ago there was a bug in Cisco IOS that would report a sweep when extreme packet load occurred or a burst hit. At the time of this report we saw an attack burst to around 310,000PPS on this IP (inbound). Is it simply likely the networks reporting have several IP's being used in the attack and that is what they are seeing? That's what we originally thought but the port scans throw that theory off... Our security team has gone through all PCAPs during the mentioned time frames and we are not showing any sort of outbound scan traffic. Any ideas why this would be showing as a sweep? Our IDS systems do not scan requesting IP's originating systems. Any help is appreciated, we're simply trying to get to the bottom of the reports. Kevin From lists at beatmixed.com Sun Jun 27 16:36:40 2010 From: lists at beatmixed.com (Matt Hite) Date: Sun, 27 Jun 2010 14:36:40 -0700 Subject: Very Strange - TCP SWEEP Alerts / Inconsistent with traffic on system In-Reply-To: <1277673771.085423881@192.168.2.228> References: <1277673771.085423881@192.168.2.228> Message-ID: Hi Kevin, Someone may want to throw RST traffic your way by spoofing their own source (as you) and machine gunning TCP ACK or SYN packets to Internet hosts such as this AT&T customer. Just a nice way of throwing traffic at you in a fairly undetectable manner. 
Just a guess, -M On Sun, Jun 27, 2010 at 2:22 PM, wrote: > Folks, > We have a strange situation occurring lately where we are getting some reports of TCP Sweeps from some one of our IP's, yet the IP is one of many specifically configured for inbound traffic and do not emit outbound traffic unless for response. Specifically, these are ddos mitigation IP's so they are attacked fairly frequently. With this in mind, the last few days one of the IP's being reported has been under constant attack. > > Here is an example report we received from AT&T: > 04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=23,dp=1024,min=212.1.185.6,max=212.1.191.127,Jun27-04:21:01,Jun27-04:29:26) (USI-amsxaid01) > 04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=16,dp=3072,min=212.1.189.1,max=212.1.188.118,Jun27-04:21:15,Jun27-04:29:09) (USI-amsxaid01) > 04:36:44 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=16,dp=1024,min=212.1.188.1,max=212.1.185.126,Jun27-04:29:51,Jun27-04:35:53) (USI-amsxaid01) > 04:20:47 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=25,dp=1024,min=212.1.190.11,max=212.1.189.120,Jun27-04:12:37,Jun27-04:20:40) (USI-amsxaid01) > 04:20:47 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=18,dp=3072,min=212.1.189.3,max=212.1.186.118,Jun27-04:13:15,Jun27-04:20:37) (USI-amsxaid01) > 04:12:36 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=34,dp=1024,min=212.1.191.8,max=212.1.191.121,Jun27-03:56:28,Jun27-04:12:29) (USI-amsxaid01) > 04:12:36 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=28,dp=3072,min=212.1.186.6,max=213.244.176.119,Jun27-03:56:48,Jun27-04:11:45) (USI-amsxaid01) > ------------------------ > Report from DK*CERT: > If nothing else mentioned below, timezone is believed to be UTC+0200(CEST) > Destination address(es): Adresser i nettene 130.225.16.0/22 og 130.225.2.128/25 > > Security logs: > #Jun 27 18:13:40 2010 .. Jun 27 18:58:13 2010 > # Scan from x.x.x.x affecting at least > # 81 addresses targeting TCP:1024, TCP:3072. > # > ------------------------ > I have removed our IP and replaced it with x.x.x.x.
To be a bit more clear, this is a reverse-proxy IP address. This IP is in a NAT type configuration where it is sent back to filtering clusters. No outbound traffic is configured on these IP's except where requests / responses flow through it. > > I know a year or two ago there was a bug in Cisco IOS that would report a sweep when extreme packet load occurred or a burst hit. At the time of this report we saw an attack burst to around 310,000PPS on this IP (inbound). Is it simply likely the networks reporting have several IP's being used in the attack and that is what they are seeing? That's what we originally thought but the port scans throw that theory off... Our security team has gone through all PCAPs during the mentioned time frames and we are not showing any sort of outbound scan traffic. > > Any ideas why this would be showing as a sweep? Our IDS systems do not scan requesting IP's originating systems. Any help is appreciated, we're simply trying to get to the bottom of the reports. > > Kevin > > > From khatfield at socllc.net Sun Jun 27 16:41:16 2010 From: khatfield at socllc.net (khatfield at socllc.net) Date: Sun, 27 Jun 2010 17:41:16 -0400 (EDT) Subject: Very Strange - TCP SWEEP Alerts / Inconsistent with traffic on system In-Reply-To: References: <1277673771.085423881@192.168.2.228> Message-ID: <1277674876.140214862@192.168.2.228> Thanks Matt, That's what we believe we're seeing at this point but we're trying to convince our upstream. :) We have seen this in the past but proving it is occurring seems to be the primary issue we're running into at this point. -Kevin -----Original Message----- From: "Matt Hite" Sent: Sunday, June 27, 2010 5:36pm To: khatfield at socllc.net Cc: nanog at nanog.org Subject: Re: Very Strange - TCP SWEEP Alerts / Inconsistent with traffic on system Hi Kevin, Someone may want to throw RST traffic your way by spoofing their own source (as you) and machine gunning TCP ACK or SYN packets to Internet hosts such as this AT&T customer.
Just a nice way of throwing traffic at you in a fairly undetectable manner. Just a guess, -M On Sun, Jun 27, 2010 at 2:22 PM, wrote: > Folks, > We have a strange situation occurring lately where we are getting some reports of TCP Sweeps from some one of our IP's, yet the IP is one of many specifically configured for inbound traffic and do not emit outbound traffic unless for response. Specifically, these are ddos mitigation IP's so they are attacked fairly frequently. With this in mind, the last few days one of the IP's being reported has been under constant attack. > > Here is an example report we received from AT&T: > 04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=23,dp=1024,min=212.1.185.6,max=212.1.191.127,Jun27-04:21:01,Jun27-04:29:26) (USI-amsxaid01) > 04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=16,dp=3072,min=212.1.189.1,max=212.1.188.118,Jun27-04:21:15,Jun27-04:29:09) (USI-amsxaid01) > 04:36:44 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=16,dp=1024,min=212.1.188.1,max=212.1.185.126,Jun27-04:29:51,Jun27-04:35:53) (USI-amsxaid01) > 04:20:47 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=25,dp=1024,min=212.1.190.11,max=212.1.189.120,Jun27-04:12:37,Jun27-04:20:40) (USI-amsxaid01) > 04:20:47 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=18,dp=3072,min=212.1.189.3,max=212.1.186.118,Jun27-04:13:15,Jun27-04:20:37) (USI-amsxaid01) > 04:12:36 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=34,dp=1024,min=212.1.191.8,max=212.1.191.121,Jun27-03:56:28,Jun27-04:12:29) (USI-amsxaid01) > 04:12:36 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=28,dp=3072,min=212.1.186.6,max=213.244.176.119,Jun27-03:56:48,Jun27-04:11:45) (USI-amsxaid01) > ------------------------ > Report from DK*CERT: > If nothing else mentioned below, timezone is believed to be UTC+0200(CEST) > Destination address(es): Adresser i nettene 130.225.16.0/22 og 130.225.2.128/25 > > Security logs: > #Jun 27 18:13:40 2010 .. Jun 27 18:58:13 2010 > # Scan from x.x.x.x affecting at least > # 81 addresses targeting TCP:1024, TCP:3072.
> # > ------------------------ > I have removed our IP and replaced it with x.x.x.x. To be a bit more clear, this is a reverse-proxy IP address. This IP is in a NAT type configuration where it is sent back to filtering clusters. No outbound traffic is configured on these IP's except where requests / responses flow through it. > > I know a year or two ago there was a bug in Cisco IOS that would report a sweep when extreme packet load occurred or a burst hit. At the time of this report we saw an attack burst to around 310,000PPS on this IP (inbound). Is it simply likely the networks reporting have several IP's being used in the attack and that is what they are seeing? That's what we originally thought but the port scans throw that theory off... Our security team has gone through all PCAPs during the mentioned time frames and we are not showing any sort of outbound scan traffic. > > Any ideas why this would be showing as a sweep? Our IDS systems do not scan requesting IP's originating systems. Any help is appreciated, we're simply trying to get to the bottom of the reports. > > Kevin > > > From giulianocm at uol.com.br Sun Jun 27 20:32:27 2010 From: giulianocm at uol.com.br (GIULIANOCM (UOL)) Date: Sun, 27 Jun 2010 22:32:27 -0300 Subject: BGP Tool for Simulation Message-ID: <4C27FBAB.4050505@uol.com.br> People, I am looking for a tool (free or not) to simulate BGP full internet route table peering and injection using real CISCO and JUNIPER routers. We have found some power tools like Spirent or Agilent but they are too expensive to acquire for now. The main idea is to have a software tool for unix or linux system, that supports to simulate a cloud, a carrier or an ISP, to work with real routers, establishing connection using BGP protocol and injecting on these real routers the full internet routing table - ipv4 or ipv6. Do you know some collection of tools (software tools) that we can use to do this kind of work?
Is it possible to collect the full internet routing table and inject it into a real router using software to simulate real conditions? Besides, the tool will need some additional features in simulation like the set of communities, local preference, med and other BGP attributes. What do you recommend for these tasks? Thanks a lot, Giuliano From jack at crepinc.com Sun Jun 27 21:04:54 2010 From: jack at crepinc.com (Jack Carrozzo) Date: Sun, 27 Jun 2010 22:04:54 -0400 Subject: BGP Tool for Simulation In-Reply-To: <4C27FBAB.4050505@uol.com.br> References: <4C27FBAB.4050505@uol.com.br> Message-ID: Roll quagga / BGPd on *nix and bring up sessions with whatever you like. For full tables, you can either hack up a few lines of perl to output a bunch of 'network a.b.c.d' lines from any of the available text looking glasses into the bgpd conf, or just bring up an ebgp-multihop session with one of your borders or one of your friends. Prefix lists, communities, etc are all supported. -Jack Carrozzo On Sun, Jun 27, 2010 at 9:32 PM, GIULIANOCM (UOL) wrote: > People, > > I am looking for a tool (free or not) to simulate BGP full internet route > table peering and injection using real CISCO and JUNIPER routers. > > We have found some power tools like Spirent or Agilent but they are too > expensive to acquire for now. > > The main idea is to have a software tool for unix or linux system, that > supports to simulate a cloud, a carrier or an ISP, to work with real routers, > establishing connection using BGP protocol and injecting on these real > routers the full internet routing table - ipv4 or ipv6. > > Do you know some collection of tools (software tools) that we can use to do > this kind of work? > > Is it possible to collect the full internet routing table and inject it into a > real router using software to simulate real conditions? > > Besides, the tool will need some additional features in simulation like the > set of communities, local preference, med and other BGP attributes.
> > What do you recommend for this tasks ? > > Thanks a lot, > > Giuliano > >

From jtk at cymru.com Sun Jun 27 21:32:41 2010 From: jtk at cymru.com (John Kristoff) Date: Sun, 27 Jun 2010 21:32:41 -0500 Subject: Very Strange - TCP SWEEP Alerts / Inconsistent with traffic on system In-Reply-To: <1277673771.085423881@192.168.2.228> References: <1277673771.085423881@192.168.2.228> Message-ID: <20100627213241.0075f096@t61p> On Sun, 27 Jun 2010 17:22:51 -0400 (EDT) khatfield at socllc.net wrote: > Here is an example report we received from AT&T: > 04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP] > (total=23,dp=1024,min=212.1.185.6,max=212.1.191.127,Jun27-04:21:01,Jun27-04:29:26) > (USI-amsxaid01) 04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP] > (total=16,dp=3072,min=212.1.189.1,max=212.1.188.118,Jun27-04:21:15,Jun27-04:29:09) > (USI-amsxaid01) 04:36:44 x.x.x.x 0.0.0.0 [TCP-SWEEP] This looks like the trademark signature of back scatter as a result of someone using the juno.c or derivative code to SYN flood a host. You are most likely getting this traffic from a host that is getting attacked. In the junos.c code you'll see this: syn->sport = htons(1024 + (random() & 2048)); A random number is ANDed against 2048, the result is then added to 1024. What will be added is always either 0 or 2048, because 2048 has only one bit set. 1024 + 2048 = 3072. Therefore, syn->sport will only ever equal 1024 or 3072. Or in your case, it shows up as the dport on the way back. John

From khatfield at socllc.net Sun Jun 27 22:02:36 2010 From: khatfield at socllc.net (khatfield at socllc.net) Date: Mon, 28 Jun 2010 03:02:36 +0000 Subject: Very Strange - TCP SWEEP Alerts / Inconsistent with traffic onsystem Message-ID: <2079682679-1277694157-cardhu_decombobulator_blackberry.rim.net-2053321539-@bda903.bisx.prod.on.blackberry> Excellent! Thanks John. We have seen this sort of signature before but we couldn't find the reference source in our library. I don't believe this is one we had. Thanks! 
Kevin ------Original Message------ From: John Kristoff To: Kevin Hatfield Cc: nanog at nanog.org Subject: Re: Very Strange - TCP SWEEP Alerts / Inconsistent with traffic onsystem Sent: Jun 27, 2010 9:32 PM On Sun, 27 Jun 2010 17:22:51 -0400 (EDT) khatfield at socllc.net wrote: > Here is an example report we received from AT&T: > 04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP] > (total=23,dp=1024,min=212.1.185.6,max=212.1.191.127,Jun27-04:21:01,Jun27-04:29:26) > (USI-amsxaid01) 04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP] > (total=16,dp=3072,min=212.1.189.1,max=212.1.188.118,Jun27-04:21:15,Jun27-04:29:09) > (USI-amsxaid01) 04:36:44 x.x.x.x 0.0.0.0 [TCP-SWEEP] This looks like the trademark signature of back scatter as a result of someone using the juno.c or derivative code to SYN flood a host. You are most likely getting this traffic from a host that is getting attacked. In the junos.c code you'll see this: syn->sport = htons(1024 + (random() & 2048)); A random number is ANDed against 2048, the result is then added to 1024. What will be added is always either 0 or 2048, because 2048 has only one bit set. 1024 + 2048 = 3072. Therefore, syn-sport will only ever equal 1024 or 3072. Or in your case, it shows up as the dport on the way back. John From lists at billfehring.com Sun Jun 27 23:37:17 2010 From: lists at billfehring.com (Bill Fehring) Date: Sun, 27 Jun 2010 21:37:17 -0700 Subject: BGP Tool for Simulation In-Reply-To: <4C27FBAB.4050505@uol.com.br> References: <4C27FBAB.4050505@uol.com.br> Message-ID: Oi Giulianao, I've used this in the past to dump a lot of routes into test networks: http://code.google.com/p/bgpsimple/ Tutorial: http://evilrouters.net/2009/08/21/getting-bgp-routes-into-dynamips-with-video/ There's a similar project written in python, but I can't find it right now. 
HTH, -Bill Fehring On Sun, Jun 27, 2010 at 18:32, GIULIANOCM (UOL) wrote: > People, > > I am looking for a tool (free or not) to simulate BGP full internet route > table peering and injection using real CISCO and JUNIPER routers. > > We have found some power tools like Spirent or Agilent but they are a too > expensive to acquire for now. > > The main idea is to have a software tool for unix or linux system, that > supports to simulate a cloud a carrier or an ISP, to work with real routers, > establishing connection using BGP protocol and injecting on this real > routers the full internet routing table - ipv4 or ipv6. > > Do you know some collection of tools (software tools) that we can use to do > this kind of work ? > > It is possible to collect full internet routing table and inject it to a > real router using a software for simulate real conditions ? > > Besides, the tool will need some additional features in simulation like the > set of communities, local preference, med and other BGP attributes. > > What do you recommend for this tasks ? > > Thanks a lot, > > Giuliano > > From vixie at isc.org Sun Jun 27 23:52:48 2010 From: vixie at isc.org (Paul Vixie) Date: Mon, 28 Jun 2010 04:52:48 +0000 Subject: [Bruce Hoffman] Thank-you for your recent participation. In-Reply-To: <20100627182234.GB24403@gsp.org> (Rich Kulawiec's message of "Sun, 27 Jun 2010 14:22:34 -0400") References: <86k4pozfe2.fsf@seastrom.com> <20100627182234.GB24403@gsp.org> Message-ID: Rich Kulawiec writes: >> Amusingly, this was sent to me *after* I replied to abuse at internap >> complaining about getting spammed. > > This spam came from the "icontact" spammers-for-hire: they're absolute > filth who have been abusing individuals and mailing lists for years. > I recommend blacklisting them permanently. domains and/or cidrs, plz? 
-- Paul Vixie KI6YSY From lists at billfehring.com Sun Jun 27 23:59:08 2010 From: lists at billfehring.com (Bill Fehring) Date: Sun, 27 Jun 2010 21:59:08 -0700 Subject: BGP Tool for Simulation In-Reply-To: References: <4C27FBAB.4050505@uol.com.br> Message-ID: Found it: http://caia.swin.edu.au/urp/bgp/tools.html On Sun, Jun 27, 2010 at 21:37, Bill Fehring wrote: > Oi Giulianao, > > I've used this in the past to dump a lot of routes into test networks: > > http://code.google.com/p/bgpsimple/ > > Tutorial: http://evilrouters.net/2009/08/21/getting-bgp-routes-into-dynamips-with-video/ > > There's a similar project written in python, but I can't find it right now. > > HTH, > > -Bill Fehring > > On Sun, Jun 27, 2010 at 18:32, GIULIANOCM (UOL) wrote: >> People, >> >> I am looking for a tool (free or not) to simulate BGP full internet route >> table peering and injection using real CISCO and JUNIPER routers. >> >> We have found some power tools like Spirent or Agilent but they are a too >> expensive to acquire for now. >> >> The main idea is to have a software tool for unix or linux system, that >> supports to simulate a cloud a carrier or an ISP, to work with real routers, >> establishing connection using BGP protocol and injecting on this real >> routers the full internet routing table - ipv4 or ipv6. >> >> Do you know some collection of tools (software tools) that we can use to do >> this kind of work ? >> >> It is possible to collect full internet routing table and inject it to a >> real router using a software for simulate real conditions ? >> >> Besides, the tool will need some additional features in simulation like the >> set of communities, local preference, med and other BGP attributes. >> >> What do you recommend for this tasks ? 
>> >> Thanks a lot, >> >> Giuliano >> >> > From patrick.lynchehaun at alcatel-lucent.com Mon Jun 28 05:32:09 2010 From: patrick.lynchehaun at alcatel-lucent.com (Lynchehaun, Patrick (Patrick)) Date: Mon, 28 Jun 2010 12:32:09 +0200 Subject: BGP Tool for Simulation In-Reply-To: References: , Message-ID: <1ED92D80BC227140AC59F299DF3CEAF4344CCA29F6@FRMRSSXCHMBSA2.dc-m.alcatel-lucent.com> You could use load sbgp/mrtd script to load route dumps. There is also bgpsimple http://code.google.com/p/bgpsimple/wiki/README This also brings up another question, anyone know of v6 rib tool on unix to load v6 route dumps. Tks, Patrick. Message: 8 Date: Sun, 27 Jun 2010 22:04:54 -0400 From: Jack Carrozzo Subject: Re: BGP Tool for Simulation To: giulianocm at uol.com.br Cc: North American Network Operators Group Message-ID: Content-Type: text/plain; charset=ISO-8859-1 Roll quagga / BGPd on *nix and bring up sessions with whatever you like. For full tables, you can either hack up a few lines of perl to output a bunch of 'network a.b.c.d' lines from any of the available text looking glasses into the bgpd conf, or just bring up ebgp-multihop session with one of your borders or one of your friends. Prefix lists, communities, etc are all supported. -Jack Carrozzo On Sun, Jun 27, 2010 at 9:32 PM, GIULIANOCM (UOL) wrote: > People, > > I am looking for a tool (free or not) to simulate BGP full internet > route table peering and injection using real CISCO and JUNIPER routers. > > We have found some power tools like Spirent or Agilent but they are a > too expensive to acquire for now. > > The main idea is to have a software tool for unix or linux system, > that supports to simulate a cloud a carrier or an ISP, to work with > real routers, establishing connection using BGP protocol and injecting > on this real routers the full internet routing table - ipv4 or ipv6. > > Do you know some collection of tools (software tools) that we can use > to do this kind of work ? 
> > It is possible to collect full internet routing table and inject it to > a real router using a software for simulate real conditions ? > > Besides, the tool will need some additional features in simulation > like the set of communities, local preference, med and other BGP attributes. > > What do you recommend for this tasks ? > > Thanks a lot, > > Giuliano > > ------------------------------ _______________________________________________ NANOG mailing list NANOG at nanog.org https://mailman.nanog.org/mailman/listinfo/nanog End of NANOG Digest, Vol 29, Issue 79 ************************************* From luigi at net.t-labs.tu-berlin.de Mon Jun 28 08:02:40 2010 From: luigi at net.t-labs.tu-berlin.de (Luigi Iannone) Date: Mon, 28 Jun 2010 15:02:40 +0200 Subject: BGP Tool for Simulation In-Reply-To: <1ED92D80BC227140AC59F299DF3CEAF4344CCA29F6@FRMRSSXCHMBSA2.dc-m.alcatel-lucent.com> References: , <1ED92D80BC227140AC59F299DF3CEAF4344CCA29F6@FRMRSSXCHMBSA2.dc-m.alcatel-lucent.com> Message-ID: <0701129F-F610-4C2A-A1C1-E684E839750C@net.t-labs.tu-berlin.de> I recently came across NetKit that seems to offer what you are looking for... http://wiki.netkit.org/index.php/Main_Page L. On Jun 28, 2010, at 12:32 , Lynchehaun, Patrick (Patrick) wrote: > > You could use load sbgp/mrtd script to load route dumps. There is also bgpsimple http://code.google.com/p/bgpsimple/wiki/README > This also brings up another question, anyone know of v6 rib tool on unix to load v6 route dumps. > > Tks, > Patrick. > > Message: 8 > Date: Sun, 27 Jun 2010 22:04:54 -0400 > From: Jack Carrozzo > Subject: Re: BGP Tool for Simulation > To: giulianocm at uol.com.br > Cc: North American Network Operators Group > Message-ID: > > Content-Type: text/plain; charset=ISO-8859-1 > > Roll quagga / BGPd on *nix and bring up sessions with whatever you like. 
> > For full tables, you can either hack up a few lines of perl to output a bunch of 'network a.b.c.d' lines from any of the available text looking glasses into the bgpd conf, or just bring up ebgp-multihop session with one of your borders or one of your friends. Prefix lists, communities, etc are all supported. > > -Jack Carrozzo > > On Sun, Jun 27, 2010 at 9:32 PM, GIULIANOCM (UOL) wrote: > >> People, >> >> I am looking for a tool (free or not) to simulate BGP full internet >> route table peering and injection using real CISCO and JUNIPER routers. >> >> We have found some power tools like Spirent or Agilent but they are a >> too expensive to acquire for now. >> >> The main idea is to have a software tool for unix or linux system, >> that supports to simulate a cloud a carrier or an ISP, to work with >> real routers, establishing connection using BGP protocol and injecting >> on this real routers the full internet routing table - ipv4 or ipv6. >> >> Do you know some collection of tools (software tools) that we can use >> to do this kind of work ? >> >> It is possible to collect full internet routing table and inject it to >> a real router using a software for simulate real conditions ? >> >> Besides, the tool will need some additional features in simulation >> like the set of communities, local preference, med and other BGP attributes. >> >> What do you recommend for this tasks ? 
>> >> Thanks a lot, >> >> Giuliano >> >> > > > ------------------------------ > > _______________________________________________ > NANOG mailing list > NANOG at nanog.org > https://mailman.nanog.org/mailman/listinfo/nanog > > End of NANOG Digest, Vol 29, Issue 79 > ************************************* >

From tom.pipes at t6mail.com Mon Jun 28 08:52:53 2010 From: tom.pipes at t6mail.com (Tom Pipes) Date: Mon, 28 Jun 2010 08:52:53 -0500 (CDT) Subject: BGP Tool for Simulation In-Reply-To: <19187488.1033521277732903856.JavaMail.root@zimbra> Message-ID: <3368983.1033751277733173382.JavaMail.root@zimbra> Hello Giuliano, Along with the recommendation of dynamips, I would suggest downloading gns3, which ties into dynamips. You can run the same version of IOS that you are working with in production, and there are versions for Windows/*nix. http://www.gns3.net/ It acts more like an emulator at first glance, and does not seem to have the same limitations as some of the other simulators out there. Just make sure you have the hardware to support it. Thanks, --- Tom Pipes T6 Broadband/ Essex Telcom Inc tom.pipes at t6mail.com ----- Original Message ----- From: "Bill Fehring" To: giulianocm at uol.com.br Cc: "North American Network Operators Group" Sent: Sunday, June 27, 2010 11:37:17 PM Subject: Re: BGP Tool for Simulation Oi Giulianao, I've used this in the past to dump a lot of routes into test networks: http://code.google.com/p/bgpsimple/ Tutorial: http://evilrouters.net/2009/08/21/getting-bgp-routes-into-dynamips-with-video/ There's a similar project written in python, but I can't find it right now. HTH, -Bill Fehring On Sun, Jun 27, 2010 at 18:32, GIULIANOCM (UOL) wrote: > People, > > I am looking for a tool (free or not) to simulate BGP full internet route > table peering and injection using real CISCO and JUNIPER routers. > > We have found some power tools like Spirent or Agilent but they are a too > expensive to acquire for now. 
> > The main idea is to have a software tool for unix or linux system, that > supports to simulate a cloud a carrier or an ISP, to work with real routers, > establishing connection using BGP protocol and injecting on this real > routers the full internet routing table - ipv4 or ipv6. > > Do you know some collection of tools (software tools) that we can use to do > this kind of work ? > > It is possible to collect full internet routing table and inject it to a > real router using a software for simulate real conditions ? > > Besides, the tool will need some additional features in simulation like the > set of communities, local preference, med and other BGP attributes. > > What do you recommend for this tasks ? > > Thanks a lot, > > Giuliano > > From gbonser at seven.com Mon Jun 28 10:01:37 2010 From: gbonser at seven.com (George Bonser) Date: Mon, 28 Jun 2010 08:01:37 -0700 Subject: Penetration test vendors Message-ID: <5A6D953473350C4B9995546AFE9939EE09EA4E70@RWC-EX1.corp.seven.com> I would like to thank everyone who provided their recommendations both on and off list. There was a lot of off-list response but not exactly what I had expected to see. I had expected to see a lot of different vendors but also expected to see a couple that several would recommend. That really didn't happen. Practically every single suggestion was a different vendor. There was one vendor that got multiple recommendations but it was also the only vendor that multiple people recommended avoiding. In fact, it was the only vendor that anyone recommended to avoid. As I now have a list of many vendors that I didn't know existed, I will sort through the mail later today or tomorrow and consolidate the list. The lesson seems to be that everyone seems to have someone different that they trust to test their network and that a more in-depth look at the recommendations is in order. Thanks again, everyone. 
George From chris at travelingtech.net Mon Jun 28 11:25:30 2010 From: chris at travelingtech.net (Christopher Gatlin) Date: Mon, 28 Jun 2010 11:25:30 -0500 Subject: BGP Tool for Simulation In-Reply-To: <3368983.1033751277733173382.JavaMail.root@zimbra> References: <19187488.1033521277732903856.JavaMail.root@zimbra> <3368983.1033751277733173382.JavaMail.root@zimbra> Message-ID: These folks make a tester that loads up BGP very nicely. http://www.spirent.com/ http://www.spirent.com/Solutions-Directory/Smartbits.aspx Chris On Mon, Jun 28, 2010 at 8:52 AM, Tom Pipes wrote: > > > Hello Giuliano, > > > > Along with the recommendation of dynamips, I would suggest downloading > gns3, which ties into dynamips. You can run the same version of IOS that > you are working with in production, and there are versions for Windows/*nix. > > > > http://www.gns3.net/ > > > > It acts more like an emulators at first glance, and does not seem to have > the same limitations as some of the other simulators out there. Just make > sure you have the hardware to support it. > > > > Thanks, > > > > --- > Tom Pipes > T6 Broadband/ > Essex Telcom Inc > tom.pipes at t6mail.com > > > ----- Original Message ----- > From: "Bill Fehring" > To: giulianocm at uol.com.br > Cc: "North American Network Operators Group" > Sent: Sunday, June 27, 2010 11:37:17 PM > Subject: Re: BGP Tool for Simulation > > Oi Giulianao, > > I've used this in the past to dump a lot of routes into test networks: > > http://code.google.com/p/bgpsimple/ > > Tutorial: > http://evilrouters.net/2009/08/21/getting-bgp-routes-into-dynamips-with-video/ > > There's a similar project written in python, but I can't find it right now. > > HTH, > > -Bill Fehring > > On Sun, Jun 27, 2010 at 18:32, GIULIANOCM (UOL) > wrote: > > People, > > > > I am looking for a tool (free or not) to simulate BGP full internet route > > table peering and injection using real CISCO and JUNIPER routers. 
> > > > We have found some power tools like Spirent or Agilent but they are a too > > expensive to acquire for now. > > > > The main idea is to have a software tool for unix or linux system, that > > supports to simulate a cloud a carrier or an ISP, to work with real > routers, > > establishing connection using BGP protocol and injecting on this real > > routers the full internet routing table - ipv4 or ipv6. > > > > Do you know some collection of tools (software tools) that we can use to > do > > this kind of work ? > > > > It is possible to collect full internet routing table and inject it to a > > real router using a software for simulate real conditions ? > > > > Besides, the tool will need some additional features in simulation like > the > > set of communities, local preference, med and other BGP attributes. > > > > What do you recommend for this tasks ? > > > > Thanks a lot, > > > > Giuliano > > > > > > From sfischer1967 at gmail.com Mon Jun 28 14:37:01 2010 From: sfischer1967 at gmail.com (Steven Fischer) Date: Mon, 28 Jun 2010 15:37:01 -0400 Subject: Global Crossing POC Message-ID: Can someone from Global Crossing contact me off-list regarding some routing anomolies we are seeing? Thanks. -- To him who is able to keep you from falling and to present you before his glorious presence without fault and with great joy From morrowc.lists at gmail.com Mon Jun 28 16:46:00 2010 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Mon, 28 Jun 2010 17:46:00 -0400 Subject: Broadband initiatives - impact to your network? In-Reply-To: References: Message-ID: On Sun, Jun 27, 2010 at 9:03 AM, Jonathan Feldman wrote: > I'm one of the reporters who covers broadband and cloud computing for > InformationWeek magazine (www.informationweek.com), and it's interesting to > me that one of the issues with cloud adoption has to do with the limited > pipe networks available in this country. 
For example, it's not feasible to > do a massive data load through the networks that are currently available -- > you need to FedEx a hard drive to Amazon. Holy cow, it's SneakerNet for the > 21st Century! is this a 'this country' bandwidth problem or the problem that moving 10tb of 'corporate data' in a 'secure fashion' from 'office' to 'cloud' really isn't a simple task? and that cutting a DB over at a point in time 'next tuesday!' is far easier done by shipping a point-in-time copy of the DB via sata-drive than 'holy cow copy this over the corp ds3, while we make sure not to kill it for mail/web/etc other corporate normal uses' ? The broadband plan stuff mostly covers consumers, not enterprises, most of the (amazon as the example here) cloud folks offer disk-delivery options for businesses. you seem to be comparing apples to oranges, no? -chris

From nick at foobar.org Mon Jun 28 16:59:59 2010 From: nick at foobar.org (Nick Hilliard) Date: Mon, 28 Jun 2010 22:59:59 +0100 Subject: Broadband initiatives - impact to your network? In-Reply-To: References: Message-ID: <4C291B5F.5030708@foobar.org> On 27/06/2010 14:03, Jonathan Feldman wrote: > For example, it's not feasible to do a massive data load through the > networks that are currently available -- you need to FedEx a hard drive > to Amazon. Holy cow, it's SneakerNet for the 21st Century! Never underestimate the bandwidth of a stationwagon full of $current_high_density_storage_media. Nick

From jf at feldman.org Mon Jun 28 17:26:41 2010 From: jf at feldman.org (Jonathan Feldman) Date: Mon, 28 Jun 2010 18:26:41 -0400 Subject: Broadband initiatives - impact to your network? In-Reply-To: References: Message-ID: <8B403135-63AC-4C32-A77A-5483AD6A4931@feldman.org> More than one person has pointed out that offline media will always be higher bandwidth than transmission lines (but nobody with such elegance and hilarity as Nick Hilliard's last post). Point taken. 
The question, in my mind, is whether it's reasonable to ask that regional providers reach the same bar as privately owned campus networks. I don't agree with you, Christopher, that the broadband plan won't affect corporate users. I know that this list _mostly_ consists of operators, but I've gotten some offline responses to my initial query that seem to indicate that enterprise users utilize SOHO (consumer grade, but with higher speeds) for various branch office needs. Also, when a technology gets "consumerized" it tends to create interesting effects in terms of features and price points. Think of it this way: where would corporate mobile phones be without the consumer effect? We'd still be carrying them around in bags and only corporate officers would have them. I appreciate everyone's response! On Jun 28, 2010, at 5:46 PM, Christopher Morrow wrote: > On Sun, Jun 27, 2010 at 9:03 AM, Jonathan Feldman > wrote: >> I'm one of the reporters who covers broadband and cloud computing for >> InformationWeek magazine (www.informationweek.com), and it's >> interesting to >> me that one of the issues with cloud adoption has to do with the >> limited >> pipe networks available in this country. For example, it's not >> feasible to >> do a massive data load through the networks that are currently >> available -- >> you need to FedEx a hard drive to Amazon. Holy cow, it's >> SneakerNet for the >> 21st Century! > > is this a 'this country' bandwidth problem or the problem that moving > 10tb of 'corporate data' in a 'secure fashion' from 'office' to > 'cloud' really isn't a simple task? and that cutting a DB over at a > point in time 'next tuesday!' is far easier done by shipping a > point-in-time copy of the DB via sata-drive than 'holy cow copy this > over the corp ds3, while we make sure not to kill it for mail/web/etc > other corporate normal uses' ? 
> > The broadband plan stuff mostly covers consumers, not enterprises, > most of the (amazon as the example here) cloud folks offer > disk-delivery options for businesses. > > you seem to be comparing apples to oranges, no? > > -chris From sgridelli at gmail.com Mon Jun 28 17:30:24 2010 From: sgridelli at gmail.com (Stefano Gridelli) Date: Mon, 28 Jun 2010 18:30:24 -0400 Subject: Broadband initiatives - impact to your network? In-Reply-To: <4C291B5F.5030708@foobar.org> References: <4C291B5F.5030708@foobar.org> Message-ID: ... as Andrew T teaches ... :D On Mon, Jun 28, 2010 at 5:59 PM, Nick Hilliard wrote: > On 27/06/2010 14:03, Jonathan Feldman wrote: > > For example, it's not feasible to do a massive data load through the > > networks that are currently available -- you need to FedEx a hard drive > > to Amazon. Holy cow, it's SneakerNet for the 21st Century! > > Never underestimate the bandwidth of a stationwagon full of > $current_high_density_storage_media. > > Nick > > From randy at psg.com Mon Jun 28 17:50:10 2010 From: randy at psg.com (Randy Bush) Date: Tue, 29 Jun 2010 07:50:10 +0900 Subject: Broadband initiatives - impact to your network? In-Reply-To: <8B403135-63AC-4C32-A77A-5483AD6A4931@feldman.org> References: <8B403135-63AC-4C32-A77A-5483AD6A4931@feldman.org> Message-ID: > The question, in my mind, is whether it's reasonable to ask that > regional providers reach the same bar as privately owned campus > networks. you are comparing LAN to WAN, never a bright idea randy From jf at feldman.org Mon Jun 28 18:13:55 2010 From: jf at feldman.org (Jonathan Feldman) Date: Mon, 28 Jun 2010 19:13:55 -0400 Subject: Broadband initiatives - impact to your network? In-Reply-To: References: <8B403135-63AC-4C32-A77A-5483AD6A4931@feldman.org> Message-ID: I've never claimed to be particularly bright, but I do like to challenge assumptions. I meant "privately owned campuses spanning many miles." Is that a WAN? LAN? "MAN"? Seriously, should there really be a difference? 
If so, why must there be a difference? Let's not forget that ADSL is distance limited. Should it have ever been classified as a WAN technology? Compare that to fiber-connected Ethernet, a so-called LAN technology that goes miles and miles. On Jun 28, 2010, at 6:50 PM, Randy Bush wrote: >> The question, in my mind, is whether it's reasonable to ask that >> regional providers reach the same bar as privately owned campus >> networks. > > you are comparing LAN to WAN, never a bright idea > > randy From gbonser at seven.com Mon Jun 28 18:46:37 2010 From: gbonser at seven.com (George Bonser) Date: Mon, 28 Jun 2010 16:46:37 -0700 Subject: Broadband initiatives - impact to your network? In-Reply-To: References: <8B403135-63AC-4C32-A77A-5483AD6A4931@feldman.org> Message-ID: <5A6D953473350C4B9995546AFE9939EE09EA4EB0@RWC-EX1.corp.seven.com> > -----Original Message----- > From: Jonathan Feldman > Sent: Monday, June 28, 2010 4:14 PM > To: Randy Bush > Cc: nanog at nanog.org > Subject: Re: Broadband initiatives - impact to your network? > > I've never claimed to be particularly bright, but I do like to > challenge assumptions. It isn't only the amount of bandwidth available but also in many cases the protocols used to transmit the data. It takes smarter than the average bear to figure out how to get data across a fat pipe over a long distance at a high rate. TCP protocols are limited by the number of packets allowed to be "in flight" according to how the stack is configured. One might need to go to unorthodox or rather new methods to use all the available bandwidth. There are many cases of someone being stymied as to why they can't even get anywhere near 10 megabits of throughput on a GigE path from Los Angeles to London using FTP, for example. In many cases the responsibility of getting data from point A to point B is handled by people who don't bring their network operators into the discussion where problems like this can be pointed out to them. 
Often the first time the enterprise network group hears about it is when someone complains that the "fast pipe" to $continent is "slow" and therefore must be broken and that is generally followed by the demand that it be fixed immediately if that demand is not included in the first email. That is when conversations bearing sounds like mpscp and uftp begin and then someone says "aw, screw it, just send them a disk". George From brandon.kim at brandontek.com Mon Jun 28 19:21:27 2010 From: brandon.kim at brandontek.com (Brandon Kim) Date: Mon, 28 Jun 2010 20:21:27 -0400 Subject: Broadband initiatives - impact to your network? In-Reply-To: <5A6D953473350C4B9995546AFE9939EE09EA4EB0@RWC-EX1.corp.seven.com> References: <8B403135-63AC-4C32-A77A-5483AD6A4931@feldman.org>, , <5A6D953473350C4B9995546AFE9939EE09EA4EB0@RWC-EX1.corp.seven.com> Message-ID: > That is when conversations bearing sounds like mpscp and uftp begin and > then someone says "aw, screw it, just send them a disk". LOL!!!! > Subject: RE: Broadband initiatives - impact to your network? > Date: Mon, 28 Jun 2010 16:46:37 -0700 > From: gbonser at seven.com > To: jf at feldman.org; randy at psg.com > CC: nanog at nanog.org > > > > > -----Original Message----- > > From: Jonathan Feldman > > Sent: Monday, June 28, 2010 4:14 PM > > To: Randy Bush > > Cc: nanog at nanog.org > > Subject: Re: Broadband initiatives - impact to your network? > > > > I've never claimed to be particularly bright, but I do like to > > challenge assumptions. > > It isn't only the amount of bandwidth available but also in many cases > the protocols used to transmit the data. It takes smarter than the > average bear to figure out how to get data across a fat pipe over a long > distance at a high rate. TCP protocols are limited by the number of > packets allowed to be "in flight" according to how the stack is > configured. One might need to go to unorthodox or rather new methods to > use all the available bandwidth. 
> > There are many cases of someone being stymied as to why they can't even > get anywhere near 10 megabits of throughput on a GigE path from Los > Angeles to London using FTP, for example. In many cases the > responsibility of getting data from point A to point B is handled by > people who don't bring their network operators into the discussion where > problems like this can be pointed out to them. Often the first time the > enterprise network group hears about it is when someone complains that > the "fast pipe" to $continent is "slow" and therefore must be broken and > that is generally followed by the demand that it be fixed immediately if > that demand is not included in the first email. > > That is when conversations bearing sounds like mpscp and uftp begin and > then someone says "aw, screw it, just send them a disk". > > George > >

From morrowc.lists at gmail.com Mon Jun 28 19:27:22 2010 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Mon, 28 Jun 2010 20:27:22 -0400 Subject: Broadband initiatives - impact to your network? In-Reply-To: <8B403135-63AC-4C32-A77A-5483AD6A4931@feldman.org> References: <8B403135-63AC-4C32-A77A-5483AD6A4931@feldman.org> Message-ID: On Mon, Jun 28, 2010 at 6:26 PM, Jonathan Feldman wrote: > I don't agree with you, Christopher, that the broadband plan won't affect > corporate users. I know that this list _mostly_ consists of operators, but (there are a fair number of consumer network operations folks on nanog as well...) There have been plans to offer 'business' connectivity (replacing T1/T3 last-mile type things) from the likes of Verizon (FiOS) for some time. To date you can't (and they don't seem to have plans really) get a last-mile tail on FiOS with BGP for routing information (like for a redundant connection setup, or for alternate provider paths: FiOS 50mbps link from VZ + 45mbps Ds3 from ATT using BGP to manage your redundancy needs). 
I don't know that you could not do the same on Comcast or Cox's deployments at this time, maybe someone from these alternatives have already spoken up privately on the matter. > I've gotten some offline responses to my initial query that seem to indicate > that enterprise users utilize SOHO (consumer grade, but with higher speeds) Sure, lots of folks use 'consumer grade' links for out-sites, that dish on top of the Mobil station being the canonical example. These out-sites don't generally have the data concentration of the main office, nor the bandwidth needs, nor the redundancy/resiliency needs. Using a SOHO/Consumer link in the right place is a fine solution, using it at your core site, not so fine... > for various branch office needs. Also, when a technology gets > "consumerized" it tends to create interesting effects in terms of features > and price points. Still waiting for that on the FiOS space or the Comcast space (where's my 100mbps cable/FiOS link with BGP for redundancy?). I CAN get a 50mbps bidirectional FiOS link with static ip addresses (that I have to pay for the 'privilege' of having) but I can NOT use my own ip space, nor can I use a routing protocol to tell VZ or the rest of the world to prefer my alternate link to get to my office. That's suboptimal, and not 'business class' service. > Think of it this way: where would corporate mobile phones be without the > consumer effect? We'd still be carrying them around in bags and only > corporate officers would have them. I'm not sure that the corporate smartphone usage was driven by consumers, it seems (to me) to be the other way around actually... I'm not a mobile-maven so who knows :) -Chris > > I appreciate everyone's response! 
>
> On Jun 28, 2010, at 5:46 PM, Christopher Morrow wrote:
>
>> On Sun, Jun 27, 2010 at 9:03 AM, Jonathan Feldman wrote:
>>>
>>> I'm one of the reporters who covers broadband and cloud computing for
>>> InformationWeek magazine (www.informationweek.com), and it's interesting to
>>> me that one of the issues with cloud adoption has to do with the limited
>>> pipe networks available in this country. For example, it's not feasible to
>>> do a massive data load through the networks that are currently available --
>>> you need to FedEx a hard drive to Amazon. Holy cow, it's SneakerNet for the
>>> 21st Century!
>>
>> is this a 'this country' bandwidth problem or the problem that moving
>> 10tb of 'corporate data' in a 'secure fashion' from 'office' to
>> 'cloud' really isn't a simple task? and that cutting a DB over at a
>> point in time 'next tuesday!' is far easier done by shipping a
>> point-in-time copy of the DB via sata-drive than 'holy cow copy this
>> over the corp ds3, while we make sure not to kill it for mail/web/etc
>> other corporate normal uses' ?
>>
>> The broadband plan stuff mostly covers consumers, not enterprises,
>> most of the (amazon as the example here) cloud folks offer
>> disk-delivery options for businesses.
>>
>> you seem to be comparing apples to oranges, no?
>>
>> -chris
>
>

From randy at psg.com Mon Jun 28 19:42:49 2010
From: randy at psg.com (Randy Bush)
Date: Tue, 29 Jun 2010 09:42:49 +0900
Subject: Broadband initiatives - impact to your network?
In-Reply-To:
References: <8B403135-63AC-4C32-A77A-5483AD6A4931@feldman.org>
Message-ID:

is geoff's isp business 101 still the canonic reference for what this reporter needs for clue? doing it micro-incrementally on list is a major ton of .

randy

From brunner at nic-naa.net Mon Jun 28 19:42:43 2010
From: brunner at nic-naa.net (Eric Brunner-Williams)
Date: Mon, 28 Jun 2010 20:42:43 -0400
Subject: Broadband initiatives - impact to your network?
In-Reply-To:
References:
Message-ID: <4C294183.2030709@nic-naa.net>

I wrote a first round BTOP application.

No, the program doesn't quite promise to change, by orders of magnitude, the pipe that's available to most folks, and even if it did, that isn't a very strong promise. "Most folks" live in urban areas, adequately served by physics, if not the private, and the surviving public infrastructure. "Most folks" who reside in BTOP eligible area codes are not adequately served by physics, and BTOP is, IMHO, limited solutions to the physics problem, with possibly sustainable public incentive funding.

The "orders of magnitude" claim, and the plural in "orders" is key, is both overblown and misses what is, IMHO, the most interesting aspect of revisiting the physics assumptions about the edge of service. Is unidirectional transport (monetized video streams) the rural service most absent and most valued, or are other characteristics of networks competitive with, or superior to, that service model? The sneaker net meme is worth holding on to, among others. Some of this was grist for the PILC WG.

I went with Plan B, but then again, my application got zero funding, and folks that follow this may appreciate the relevance of the mapping portion of the BTOP/BIP package to selection, and the role of state government in selection. I suggest coverage of the lobbying of BTOP/BIP grants is at least as interesting as the problems various applicants attempt to state and provide solutions for.

Held until after 5pm PDT, mostly so I could take a walk.

Eric

From richard.barnes at gmail.com Mon Jun 28 19:45:09 2010
From: richard.barnes at gmail.com (Richard Barnes)
Date: Mon, 28 Jun 2010 20:45:09 -0400
Subject: ATT BGP - Advertising my network on accident
In-Reply-To:
References:
Message-ID:

So, as periodically happens to me, what started as an idle curiosity turned into an experiment.
I took a look at a RIB snapshot from Friday, from one of the RouteViews collectors, to see how common it is that a block gets advertised by two different ASes, as a whole block by one, and as a set of smaller blocks by the other. It turns out there's a non-trivial amount out there -- 490 blocks broken up, adding 1,815 prefixes announced, accounting for 19,623 RIB entries. More details below; let me know if you're interested in even more.

Seems kind of interesting, as a form of deaggregation that doesn't show up in things like the CIDR report (since it's not within a single AS).

(Standard caveats apply: This is a quick pass, not controlled for things like two ASes belonging to the same entity.)

--Richard

Total number of deaggregated prefixes: 490
Total additional prefixes advertised: 1815
Total additional RIB entries: 19623 (0.5% out of 3530845 total entries)
Total addresses affected: 78863360 (roughly 1,203 /16s)

Extremal points:
1. Largest deaggregated block: 17.0.0.0/8, advertised by AS7018 (AT&T), deaggregated into two /9s by AS714 (Apple Engineering)
2. Most fractured block: 58.140.0.0/14, advertised by AS3786 (LG DACOM, KR), deaggregated into 69 prefixes (ranging from /17 to /24) by AS10036 (C&M Communication, KR).

Distribution of the number of additional prefixes:

Prefixes  Count
2         343
3         13
4         80
5         5
6         1
7         4
8         17
9         5
10        1
11        1
14        1
15        1
16        6
17        1
20        2
32        7
34        1
69        1

Distribution of prefix lengths deaggregated:

Len  Count
8    1
11   1
12   3
13   9
14   17
15   22
16   47
17   25
18   29
19   65
20   52
21   56
22   69
23   92
24   2

Distribution of the number of addresses affected:

Addresses  Count
512        2
1024       92
2048       69
4096       56
8192       52
16384      65
32768      29
65536      25
131072     47
262144     22
524288     17
1048576    9
2097152    3
4194304    1
33554432   1

From randy at psg.com Mon Jun 28 19:50:43 2010
From: randy at psg.com (Randy Bush)
Date: Tue, 29 Jun 2010 09:50:43 +0900
Subject: ATT BGP - Advertising my network on accident
In-Reply-To:
References:
Message-ID:

you may find http://archive.psg.com/jsac-deag.pdf of interest

randy

From pstewart at nexicomgroup.net Mon Jun 28 19:58:36 2010
From: pstewart at nexicomgroup.net (Paul Stewart)
Date: Mon, 28 Jun 2010 20:58:36 -0400
Subject: Country Level BGP Data
In-Reply-To: <5A6D953473350C4B9995546AFE9939EE09EA4CBE@RWC-EX1.corp.seven.com>
References: <000001cb0f16$0db676b0$29236410$@org> <1743249377-1276967398-cardhu_decombobulator_blackberry.rim.net-189068897-@bda028.bisx.prod.on.blackberry> <5A6D953473350C4B9995546AFE9939EE09EA4CBE@RWC-EX1.corp.seven.com>
Message-ID:

Does anyone know of BGP statistical data based on country? If I wanted to know "top 5 service providers in country XYZ based on number of BGP peers" for example, is there something that can tell me this information? I can manually run a list of AS numbers against tools like Renesys for example but someone has probably already done this?

Thanks,

Paul

From cboyd at gizmopartners.com Mon Jun 28 20:00:28 2010
From: cboyd at gizmopartners.com (Chris Boyd)
Date: Mon, 28 Jun 2010 20:00:28 -0500
Subject: Broadband initiatives - impact to your network?
In-Reply-To: <4C294183.2030709@nic-naa.net> References: <4C294183.2030709@nic-naa.net> Message-ID: <38D7F174-8EBA-414D-B9EA-B1CD164F2F7E@gizmopartners.com> On Jun 28, 2010, at 7:42 PM, Eric Brunner-Williams wrote: > Is unidirectional transport (monitized video streams) the rural service most absent and most valued, or are other characteristics of networks competitive with, or superior to, that service model? If you drive around rural central and northeastern Texas, every ranch house and bunkhouse has a DirecTV or Dish installation. Surprisingly, many of these same houses also have DSL available from the (heavily subsidized) telephone coops in the area. The speeds aren't screaming, typically being in the 300-700 down/128-384 up ADSL-2+ range. So the demand is there, and so is the service in some areas. --Chris From woody at pch.net Mon Jun 28 21:06:06 2010 From: woody at pch.net (Bill Woodcock) Date: Mon, 28 Jun 2010 19:06:06 -0700 Subject: Country Level BGP Data In-Reply-To: References: <000001cb0f16$0db676b0$29236410$@org><1743249377-1276967398-cardhu_decombobulator_blackberry.rim.net-189068897-@bda028.bisx.prod.on.blackberry> <5A6D953473350C4B9995546AFE9939EE09EA4CBE@RWC-EX1.corp.seven.com> Message-ID: On Jun 28, 2010, at 5:58 PM, Paul Stewart wrote: > Does anyone know of BGP statistical data based on country? If I wanted > to know "top 5 service providers in country XYZ based on number of BGP > peers" for example, is there something that can tell me this > information? I can manually run a list of AS numbers against tools like > Renesys for example but someone has probably already done this? PCH has this internally, but the AS-to-country mappings are pretty fluid, so we don't hand it out without a lot of caveats... Otherwise policymakers would take it way more seriously than it should be taken, since they love them some rankings. 
If people generally think we should publish it every day, we'd be willing to, provided we think people are cognizant of the risks of policy folks misusing it. Or marketing folks. Or whatever. Otherwise, email me or Gaurab or Jonny, and we'll set you up with a current listing for whatever countries you're interested in. -Bill From steve at ipv6canada.com Mon Jun 28 21:15:41 2010 From: steve at ipv6canada.com (Steve Bertrand) Date: Mon, 28 Jun 2010 22:15:41 -0400 Subject: Country Level BGP Data In-Reply-To: References: <000001cb0f16$0db676b0$29236410$@org><1743249377-1276967398-cardhu_decombobulator_blackberry.rim.net-189068897-@bda028.bisx.prod.on.blackberry> <5A6D953473350C4B9995546AFE9939EE09EA4CBE@RWC-EX1.corp.seven.com> Message-ID: <4C29574D.7050704@ipv6canada.com> On 2010.06.28 22:06, Bill Woodcock wrote: > > On Jun 28, 2010, at 5:58 PM, Paul Stewart wrote: >> Does anyone know of BGP statistical data based on country? If I wanted >> to know "top 5 service providers in country XYZ based on number of BGP >> peers" for example, is there something that can tell me this >> information? I can manually run a list of AS numbers against tools like >> Renesys for example but someone has probably already done this? > > PCH has this internally, but the AS-to-country mappings are pretty fluid, so we don't hand it out without a lot of caveats... Otherwise policymakers would take it way more seriously than it should be taken, since they love them some rankings. > > If people generally think we should publish it every day, we'd be willing to, provided we think people are cognizant of the risks of policy folks misusing it. Or marketing folks. Or whatever. > > Otherwise, email me or Gaurab or Jonny, and we'll set you up with a current listing for whatever countries you're interested in. ...Canada, including v6. Sign me up. 
Steve

From nenolod at systeminplace.net Mon Jun 28 21:44:47 2010
From: nenolod at systeminplace.net (William Pitcock)
Date: Mon, 28 Jun 2010 21:44:47 -0500
Subject: Virbl: The First IPv6 enabled dnsbl?
In-Reply-To:
References: <757220502.276.1263619845706.JavaMail.root@lordsofacid.wiztech.biz>
Message-ID: <1277779487.7682.96.camel@petrie>

On Sun, 2010-01-17 at 19:16 +0000, Andy Davidson wrote:
> On 16 Jan 2010, at 05:30, Tammy A. Wisdom wrote:
>
> > Mark Schouten wrote:
> >> http://virbl.bit.nl/index.php#ipv6
> >> Comments on the listing method are appreciated.
> > wow bind? that's gonna get slower and slower and slower. I hope you have a TON of ram for that box. for example
> > if we loaded the current contents of the ahbl from rbldnsd to bind it would take up a TON of ram. bind would take forever to load and would be screaming for its dear life.
>
> These problems tend to have a way of solving themselves...
>
> This dnsbl is trying to get experience handling v6 data in an anti-spam environment. We do not know how to do that today - and this is a problem which only reduces with experience. The problems of how to scale it, to me seem like a smaller challenge. There are enough clever people who understand how to scale specific dns issues. :-)
>
> Good luck to the team at Virbl !

Yes we do. We do it the same way we do it for IPv4... IP radix trees. The main thing required is to modify rbldnsd to make heads or tails of ipv6 dnsbl queries and build it into a prefix for looking up in the radix tree. The actual radix code of rbldnsd is AFAIK based on the BSD-licensed stuff Merit put out in the day. Pretty much everything uses that code...

William

From oberman at es.net Mon Jun 28 23:02:26 2010
From: oberman at es.net (Kevin Oberman)
Date: Mon, 28 Jun 2010 21:02:26 -0700
Subject: Broadband initiatives - impact to your network?
In-Reply-To: Your message of "Mon, 28 Jun 2010 16:46:37 PDT."
<5A6D953473350C4B9995546AFE9939EE09EA4EB0@RWC-EX1.corp.seven.com> Message-ID: <20100629040226.5213A1CC41@ptavv.es.net> > Date: Mon, 28 Jun 2010 16:46:37 -0700 > From: "George Bonser" > > > -----Original Message----- > > From: Jonathan Feldman > > Sent: Monday, June 28, 2010 4:14 PM > > To: Randy Bush > > Cc: nanog at nanog.org > > Subject: Re: Broadband initiatives - impact to your network? > > > > I've never claimed to be particularly bright, but I do like to > > challenge assumptions. > > It isn't only the amount of bandwidth available but also in many cases > the protocols used to transmit the data. It takes smarter than the > average bear to figure out how to get data across a fat pipe over a long > distance at a high rate. TCP protocols are limited by the number of > packets allowed to be "in flight" according to how the stack is > configured. One might need to go to unorthodox or rather new methods to > use all the available bandwidth. > > There are many cases of someone being stymied as to why they can't even > get anywhere near 10 megabits of throughput on a GigE path from Los > Angeles to London using FTP, for example. In many cases the > responsibility of getting data from point A to point B is handled by > people who don't bring their network operators into the discussion where > problems like this can be pointed out to them. Often the first time the > enterprise network group hears about it is when someone complains that > the "fast pipe" to $continent is "slow" and therefore must be broken and > that is generally followed by the demand that it be fixed immediately if > that demand is not included in the first email. > > That is when conversations bearing sounds like mpscp and uftp begin and > then someone says "aw, screw it, just send them a disk". If you really want to improve on the performance of data transfers over long distances (e.g. across an ocean), take a look at http://fasterdata.es.net. 
The Department of Energy and ESnet provide this information primarily for researchers needing to move large volumes of data over many thousands of kilometers. While some of the information will be beyond the capabilities of the average network user and either end can cause the performance problems, the information can explain a bit about why the problems exist and does provide some simple changes that can greatly enhance transfer speed.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751

From jcdill.lists at gmail.com Mon Jun 28 23:50:33 2010
From: jcdill.lists at gmail.com (JC Dill)
Date: Mon, 28 Jun 2010 21:50:33 -0700
Subject: Broadband initiatives - impact to your network?
In-Reply-To:
References:
Message-ID: <4C297B99.3060007@gmail.com>

Jonathan Feldman wrote:
> I'm one of the reporters who covers broadband and cloud computing for
> InformationWeek magazine (www.informationweek.com), and it's
> interesting to me that one of the issues with cloud adoption has to do
> with the limited pipe networks available in this country. For example,
> it's not feasible to do a massive data load through the networks that
> are currently available -- you need to FedEx a hard drive to Amazon.
> Holy cow, it's SneakerNet for the 21st Century!

What's wrong with this? It's not feasible to build a network that spans many ISPs and backbones, capable of doing massive data loads, if the demand for these loads (e.g. "upload all our data to a cloud computing system") is infrequent and usually one-time-only - which it seems to be. It's not as if there's a huge performance hit to using FedEx to solve this problem - what is the benefit to the customer in having it all happen within hours instead of 1-2 days?

There are other, far more often desired or accessed services (e.g.
video on demand, video teleconferencing) that absolutely need high performance big pipe bandwidth, whose needs can not be met with FedEx. Customers who need to access or offer video-on-demand are far more willing to pay, month after month, for access to a high performance backbone. Your average corporate customer isn't going to be willing to pay month-after-month for a super big super fast pipe (faster than they need for their everyday internet access purposes) just so that they can - once - upload their entire corporate database to "the cloud" faster than they can FedEx disks to their chosen cloud provider.

Look at the business case (or lack thereof) for the service before you ask "why isn't this available". Unless/until there's a business case for many customers to pay for the service, there's not going to be any purpose in creating the product.

jc

From joelja at bogus.com Mon Jun 28 23:59:06 2010
From: joelja at bogus.com (joel jaeggli)
Date: Mon, 28 Jun 2010 21:59:06 -0700
Subject: Broadband initiatives - impact to your network?
In-Reply-To: <4C297B99.3060007@gmail.com>
References: <4C297B99.3060007@gmail.com>
Message-ID: <4C297D9A.7050701@bogus.com>

If the data you need to preload is sufficiently large (e.g. 10s or hundreds of terabytes) then yeah it should come as no surprise that it might be more convenient to move by shifting around disks. 100TB of raw disk is around $8000.

On 2010-06-28 21:50, JC Dill wrote:
> Jonathan Feldman wrote:
>> I'm one of the reporters who covers broadband and cloud computing for
>> InformationWeek magazine (www.informationweek.com), and it's
>> interesting to me that one of the issues with cloud adoption has to do
>> with the limited pipe networks available in this country. For example,
>> it's not feasible to do a massive data load through the networks that
>> are currently available -- you need to FedEx a hard drive to Amazon.
>> Holy cow, it's SneakerNet for the 21st Century!
>
> What's wrong with this?
It's not feasible to build a network that spans > many ISPs and backbones, capable of doing massive data loads, if the > demand for these loads (e.g. "upload all our data to a cloud computing > system") is infrequent and usually one-time-only - which it seems to be. > It's not as if there's a huge performance hit to using FedEx to solve > this problem - what is the benefit to the customer in having it all > happen within hours instead of 1-2 days? > There are other, far more often desired or accessed services (e.g. video > on demand, video teleconferencing) that absolutely need high performance > big pipe bandwidth, whose needs can not be met with FedEx. Customers who > need to access or offer video-on-demand are far more willing to pay, > month after month, for access to a high performance backbone. Your > average corporate customer isn't going to be willing to pay > month-after-month for a super big super fast pipe (faster than they need > for their everyday internet access purposes) just so that they can - > once - upload their entire corporate database to "the cloud" faster than > they can FedEx disks to their chosen cloud provider. > > Look at the business case (or lack thereof) for the service before you > ask "why isn't this available". Unless/until there's a business case for > many customers to pay for the service, there's not going to be any > purpose in creating the product. > > jc > > > From tme at americafree.tv Tue Jun 29 06:38:39 2010 From: tme at americafree.tv (Marshall Eubanks) Date: Tue, 29 Jun 2010 07:38:39 -0400 Subject: Broadband initiatives - impact to your network? In-Reply-To: <4C297D9A.7050701@bogus.com> References: <4C297B99.3060007@gmail.com> <4C297D9A.7050701@bogus.com> Message-ID: <0CB2D93C-1AE2-4290-8D30-1E81E2BCB057@americafree.tv> On Jun 29, 2010, at 12:59 AM, joel jaeggli wrote: > > If the data you need to preload is sufficiently large (e.g. 
10s or > hundreds of terabytes then yeah it should come as no surprise that > it might be more convenient to move by shifting around disks. 100TB > of raw disk is around $8000. > The cost of equipment is not the driver here, as you can presumably reuse it. Looking around, I can find a 2 Terabyte drive with a ship weight of 2 pounds. To ship this from Virginia to Cupertino, California overnight by FedEx is $ 53.46, and I can mail them back for $ 14.50. Assuming that "overnight" is a 24 hour delay, this is an effective bandwidth of 185 Mbps. If I do this every weekday for a month (20 days), I have shipped 40 Terabytes for $ 1359.20, so I have an effective "work week bandwidth cost" of $ 7.34 / Mbps / Month, which seems fairly competitive, especially as I can turn this on and off as needed (e.g., I don't have to pay for Holidays). So, depending on need, the shipment of physical media may be cost competitive, as well as merely convenient. Regards Marshall > > On 2010-06-28 21:50, JC Dill wrote: >> Jonathan Feldman wrote: >>> I'm one of the reporters who covers broadband and cloud computing >>> for >>> InformationWeek magazine (www.informationweek.com), and it's >>> interesting to me that one of the issues with cloud adoption has >>> to do >>> with the limited pipe networks available in this country. For >>> example, >>> it's not feasible to do a massive data load through the networks >>> that >>> are currently available -- you need to FedEx a hard drive to Amazon. >>> Holy cow, it's SneakerNet for the 21st Century! >> >> What's wrong with this? It's not feasible to build a network that >> spans >> many ISPs and backbones, capable of doing massive data loads, if the >> demand for these loads (e.g. "upload all our data to a cloud >> computing >> system") is infrequent and usually one-time-only - which it seems >> to be. 
>> It's not as if there's a huge performance hit to using FedEx to solve >> this problem - what is the benefit to the customer in having it all >> happen within hours instead of 1-2 days? >> There are other, far more often desired or accessed services (e.g. >> video >> on demand, video teleconferencing) that absolutely need high >> performance >> big pipe bandwidth, whose needs can not be met with FedEx. >> Customers who >> need to access or offer video-on-demand are far more willing to pay, >> month after month, for access to a high performance backbone. Your >> average corporate customer isn't going to be willing to pay >> month-after-month for a super big super fast pipe (faster than they >> need >> for their everyday internet access purposes) just so that they can - >> once - upload their entire corporate database to "the cloud" faster >> than >> they can FedEx disks to their chosen cloud provider. >> >> Look at the business case (or lack thereof) for the service before >> you >> ask "why isn't this available". Unless/until there's a business >> case for >> many customers to pay for the service, there's not going to be any >> purpose in creating the product. >> >> jc >> >> >> > > > From sean at donelan.com Tue Jun 29 07:45:39 2010 From: sean at donelan.com (Sean Donelan) Date: Tue, 29 Jun 2010 08:45:39 -0400 (EDT) Subject: Sources of network security templates or designs In-Reply-To: <72F9A69DCF990443B2CEC064E605CE060857CA@Pascal.zaphodb.org> References: <72F9A69DCF990443B2CEC064E605CE060857CA@Pascal.zaphodb.org> Message-ID: On Sat, 26 Jun 2010, Tomas L. Byrnes wrote: > While the DISA STIGs are probably the archetype, you have to start with > whatever the sponsoring or certifying authority uses, if you need to > pass some audit later. True, but even sponsoring and certifying authorities need to get information from somewhere. So where should they get it from? 
For example, amex/mastercard/visa/others created PCI security standards; and if all you want to do is achieve compliance with those security standards that's where you would stop. But where should the people creating the PCI security standards look beyond their own world to find better ideas to improve the next version? Replace "PCI" with whatever your favorite group is... CAG, SOX, FDCC, etc.

> Those almost always reference NIST docs:
> http://www.nist.gov/itl/publications.cfm?defaultSearch=false&authorlist=
> &keywords=&topics=309&seriesName=&journalName=&datepicker1=&datepicker2=
> #

NIST documents are updated on a regular basis. If part of your job was helping to update NIST documents, are there other resources to consider when updating those documents? Are there things in NIST documents you think could be improved?

> For generic sources, I agree with Cymru as a good resource, but my
> favorite is SANS.
>
> http://www.sans.org/reading_room/

From stephen.tandy at trigenis.com Tue Jun 29 08:41:40 2010
From: stephen.tandy at trigenis.com (Stephen Tandy)
Date: Tue, 29 Jun 2010 14:41:40 +0100
Subject: NANOG Digest, Vol 29, Issue 81
Message-ID:

x

Sent from my Windows phone.

-----Original Message-----
From: nanog-request at nanog.org
Sent: 28 June 2010 23:52
To: nanog at nanog.org
Subject: NANOG Digest, Vol 29, Issue 81

Send NANOG mailing list submissions to
nanog at nanog.org

To subscribe or unsubscribe via the World Wide Web, visit
https://mailman.nanog.org/mailman/listinfo/nanog
or, via email, send a message with subject or body 'help' to
nanog-request at nanog.org

You can reach the person managing the list at
nanog-owner at nanog.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of NANOG digest..."

Today's Topics:

1. Re: BGP Tool for Simulation (Luigi Iannone)
2. Re: BGP Tool for Simulation (Tom Pipes)
3. Penetration test vendors (George Bonser)
4. Re: BGP Tool for Simulation (Christopher Gatlin)
5.
Global Crossing POC (Steven Fischer) 6. Re: Broadband initiatives - impact to your network? (Christopher Morrow) 7. Re: Broadband initiatives - impact to your network? (Nick Hilliard) 8. Re: Broadband initiatives - impact to your network? (Jonathan Feldman) 9. Re: Broadband initiatives - impact to your network? (Stefano Gridelli) 10. Re: Broadband initiatives - impact to your network? (Randy Bush) ---------------------------------------------------------------------- Message: 1 Date: Mon, 28 Jun 2010 15:02:40 +0200 From: Luigi Iannone Subject: Re: BGP Tool for Simulation Cc: nanog at nanog.org Message-ID: <0701129F-F610-4C2A-A1C1-E684E839750C at net.t-labs.tu-berlin.de> Content-Type: text/plain; charset=us-ascii I recently came across NetKit that seems to offer what you are looking for... http://wiki.netkit.org/index.php/Main_Page L. On Jun 28, 2010, at 12:32 , Lynchehaun, Patrick (Patrick) wrote: > > You could use load sbgp/mrtd script to load route dumps. There is also bgpsimple http://code.google.com/p/bgpsimple/wiki/README > This also brings up another question, anyone know of v6 rib tool on unix to load v6 route dumps. > > Tks, > Patrick. > > Message: 8 > Date: Sun, 27 Jun 2010 22:04:54 -0400 > From: Jack Carrozzo > Subject: Re: BGP Tool for Simulation > To: giulianocm at uol.com.br > Cc: North American Network Operators Group > Message-ID: > > Content-Type: text/plain; charset=ISO-8859-1 > > Roll quagga / BGPd on *nix and bring up sessions with whatever you like. > > For full tables, you can either hack up a few lines of perl to output a bunch of 'network a.b.c.d' lines from any of the available text looking glasses into the bgpd conf, or just bring up ebgp-multihop session with one of your borders or one of your friends. Prefix lists, communities, etc are all supported. 
>
> -Jack Carrozzo
>
> On Sun, Jun 27, 2010 at 9:32 PM, GIULIANOCM (UOL) wrote:
>
>> People,
>>
>> I am looking for a tool (free or not) to simulate BGP full internet
>> route table peering and injection using real CISCO and JUNIPER routers.
>>
>> We have found some power tools like Spirent or Agilent but they are a
>> too expensive to acquire for now.
>>
>> The main idea is to have a software tool for unix or linux system,
>> that supports to simulate a cloud a carrier or an ISP, to work with
>> real routers, establishing connection using BGP protocol and injecting
>> on this real routers the full internet routing table - ipv4 or ipv6.
>>
>> Do you know some collection of tools (software tools) that we can use
>> to do this kind of work ?
>>
>> It is possible to collect full internet routing table and inject it to
>> a real router using a software for simulate real conditions ?
>>
>> Besides, the tool will need some additional features in simulation
>> like the set of communities, local preference, med and other BGP attributes.
>>
>> What do you recommend for this tasks ?
>>
>> Thanks a lot,
>>
>> Giuliano
>>
>>
>
>
> ------------------------------
>
> _______________________________________________
> NANOG mailing list
> NANOG at nanog.org
> https://mailman.nanog.org/mailman/listinfo/nanog
>
> End of NANOG Digest, Vol 29, Issue 79
> *************************************
>

------------------------------

Message: 2
Date: Mon, 28 Jun 2010 08:52:53 -0500 (CDT)
From: Tom Pipes
Subject: Re: BGP Tool for Simulation
To: lists at billfehring.com, giulianocm at uol.com.br
Cc: nanog at merit.edu
Message-ID: <3368983.1033751277733173382.JavaMail.root at zimbra>
Content-Type: text/plain; charset=utf-8

Hello Giuliano,

Along with the recommendation of dynamips, I would suggest downloading gns3, which ties into dynamips. You can run the same version of IOS that you are working with in production, and there are versions for Windows/*nix.
http://www.gns3.net/

It acts more like an emulator at first glance, and does not seem to have the same limitations as some of the other simulators out there. Just make sure you have the hardware to support it.

Thanks,

---
Tom Pipes
T6 Broadband/
Essex Telcom Inc
tom.pipes at t6mail.com

----- Original Message -----
From: "Bill Fehring"
To: giulianocm at uol.com.br
Cc: "North American Network Operators Group"
Sent: Sunday, June 27, 2010 11:37:17 PM
Subject: Re: BGP Tool for Simulation

Oi Giulianao,

I've used this in the past to dump a lot of routes into test networks:

http://code.google.com/p/bgpsimple/

Tutorial:
http://evilrouters.net/2009/08/21/getting-bgp-routes-into-dynamips-with-video/

There's a similar project written in python, but I can't find it right now.

HTH,

-Bill Fehring

On Sun, Jun 27, 2010 at 18:32, GIULIANOCM (UOL) wrote:
> People,
>
> I am looking for a tool (free or not) to simulate BGP full internet route
> table peering and injection using real CISCO and JUNIPER routers.
>
> We have found some power tools like Spirent or Agilent but they are a too
> expensive to acquire for now.
>
> The main idea is to have a software tool for unix or linux system, that
> supports to simulate a cloud a carrier or an ISP, to work with real routers,
> establishing connection using BGP protocol and injecting on this real
> routers the full internet routing table - ipv4 or ipv6.
>
> Do you know some collection of tools (software tools) that we can use to do
> this kind of work ?
>
> It is possible to collect full internet routing table and inject it to a
> real router using a software for simulate real conditions ?
>
> Besides, the tool will need some additional features in simulation like the
> set of communities, local preference, med and other BGP attributes.
>
> What do you recommend for this tasks ?
> > Thanks a lot, > > Giuliano > > ------------------------------ Message: 3 Date: Mon, 28 Jun 2010 08:01:37 -0700 From: "George Bonser" Subject: Penetration test vendors To: Message-ID: <5A6D953473350C4B9995546AFE9939EE09EA4E70 at RWC-EX1.corp.seven.com> Content-Type: text/plain; charset="us-ascii" I would like to thank everyone who provided their recommendations both on and off list. There was a lot of off-list response but not exactly what I had expected to see. I had expected to see a lot of different vendors but also expected to see a couple that several would recommend. That really didn't happen. Practically every single suggestion was a different vendor. There was one vendor that got multiple recommendations but it was also the only vendor that multiple people recommended avoiding. In fact, it was the only vendor that anyone recommended to avoid. As I now have a list of many vendors that I didn't know existed, I will sort through the mail later today or tomorrow and consolidate the list. The lesson seems to be that everyone seems to have someone different that they trust to test their network and that a more in-depth look at the recommendations is in order. Thanks again, everyone. George ------------------------------ Message: 4 Date: Mon, 28 Jun 2010 11:25:30 -0500 From: Christopher Gatlin Subject: Re: BGP Tool for Simulation To: Tom Pipes Cc: nanog at merit.edu Message-ID: Content-Type: text/plain; charset=ISO-8859-1 These folks make a tester that loads up BGP very nicely. http://www.spirent.com/ http://www.spirent.com/Solutions-Directory/Smartbits.aspx Chris On Mon, Jun 28, 2010 at 8:52 AM, Tom Pipes wrote: > > > Hello Giuliano, > > > > Along with the recommendation of dynamips, I would suggest downloading > gns3, which ties into dynamips. You can run the same version of IOS that > you are working with in production, and there are versions for Windows/*nix. 
> > > > http://www.gns3.net/ > > > > It acts more like an emulators at first glance, and does not seem to have > the same limitations as some of the other simulators out there. Just make > sure you have the hardware to support it. > > > > Thanks, > > > > --- > Tom Pipes > T6 Broadband/ > Essex Telcom Inc > tom.pipes at t6mail.com > > > ----- Original Message ----- > From: "Bill Fehring" > To: giulianocm at uol.com.br > Cc: "North American Network Operators Group" > Sent: Sunday, June 27, 2010 11:37:17 PM > Subject: Re: BGP Tool for Simulation > > Oi Giulianao, > > I've used this in the past to dump a lot of routes into test networks: > > http://code.google.com/p/bgpsimple/ > > Tutorial: > http://evilrouters.net/2009/08/21/getting-bgp-routes-into-dynamips-with-video/ > > There's a similar project written in python, but I can't find it right now. > > HTH, > > -Bill Fehring > > On Sun, Jun 27, 2010 at 18:32, GIULIANOCM (UOL) > wrote: > > People, > > > > I am looking for a tool (free or not) to simulate BGP full internet route > > table peering and injection using real CISCO and JUNIPER routers. > > > > We have found some power tools like Spirent or Agilent but they are a too > > expensive to acquire for now. > > > > The main idea is to have a software tool for unix or linux system, that > > supports to simulate a cloud a carrier or an ISP, to work with real > routers, > > establishing connection using BGP protocol and injecting on this real > > routers the full internet routing table - ipv4 or ipv6. > > > > Do you know some collection of tools (software tools) that we can use to > do > > this kind of work ? > > > > It is possible to collect full internet routing table and inject it to a > > real router using a software for simulate real conditions ? > > > > Besides, the tool will need some additional features in simulation like > the > > set of communities, local preference, med and other BGP attributes. > > > > What do you recommend for this tasks ? 
> >
> > Thanks a lot,
> >
> > Giuliano
> >
> >

------------------------------

Message: 5
Date: Mon, 28 Jun 2010 15:37:01 -0400
From: Steven Fischer
Subject: Global Crossing POC
To: NANOG list
Message-ID:
Content-Type: text/plain; charset=ISO-8859-1

Can someone from Global Crossing contact me off-list regarding some routing anomalies we are seeing? Thanks.

--
To him who is able to keep you from falling and to present you before his glorious presence without fault and with great joy

------------------------------

Message: 6
Date: Mon, 28 Jun 2010 17:46:00 -0400
From: Christopher Morrow
Subject: Re: Broadband initiatives - impact to your network?
To: Jonathan Feldman
Cc: nanog at nanog.org
Message-ID:
Content-Type: text/plain; charset=ISO-8859-1

On Sun, Jun 27, 2010 at 9:03 AM, Jonathan Feldman wrote:
> I'm one of the reporters who covers broadband and cloud computing for
> InformationWeek magazine (www.informationweek.com), and it's interesting to
> me that one of the issues with cloud adoption has to do with the limited
> pipe networks available in this country. For example, it's not feasible to
> do a massive data load through the networks that are currently available --
> you need to FedEx a hard drive to Amazon. Holy cow, it's SneakerNet for the
> 21st Century!

is this a 'this country' bandwidth problem or the problem that moving 10tb of 'corporate data' in a 'secure fashion' from 'office' to 'cloud' really isn't a simple task? and that cutting a DB over at a point in time 'next tuesday!' is far easier done by shipping a point-in-time copy of the DB via sata-drive than 'holy cow copy this over the corp ds3, while we make sure not to kill it for mail/web/etc other corporate normal uses' ?

The broadband plan stuff mostly covers consumers, not enterprises, most of the (amazon as the example here) cloud folks offer disk-delivery options for businesses.

you seem to be comparing apples to oranges, no?
-chris ------------------------------ Message: 7 Date: Mon, 28 Jun 2010 22:59:59 +0100 From: Nick Hilliard Subject: Re: Broadband initiatives - impact to your network? To: nanog at nanog.org Message-ID: <4C291B5F.5030708 at foobar.org> Content-Type: text/plain; charset=ISO-8859-1 On 27/06/2010 14:03, Jonathan Feldman wrote: > For example, it's not feasible to do a massive data load through the > networks that are currently available -- you need to FedEx a hard drive > to Amazon. Holy cow, it's SneakerNet for the 21st Century! Never underestimate the bandwidth of a stationwagon full of $current_high_density_storage_media. Nick ------------------------------ Message: 8 Date: Mon, 28 Jun 2010 18:26:41 -0400 From: Jonathan Feldman Subject: Re: Broadband initiatives - impact to your network? To: Christopher Morrow Cc: nanog at nanog.org Message-ID: <8B403135-63AC-4C32-A77A-5483AD6A4931 at feldman.org> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes More than one person has pointed out that offline media will always be higher bandwidth than transmission lines (but nobody with such elegance and hilarity as Nick Hilliard's last post). Point taken. The question, in my mind, is whether it's reasonable to ask that regional providers reach the same bar as privately owned campus networks. I don't agree with you, Christopher, that the broadband plan won't affect corporate users. I know that this list _mostly_ consists of operators, but I've gotten some offline responses to my initial query that seem to indicate that enterprise users utilize SOHO (consumer grade, but with higher speeds) for various branch office needs. Also, when a technology gets "consumerized" it tends to create interesting effects in terms of features and price points. Think of it this way: where would corporate mobile phones be without the consumer effect? We'd still be carrying them around in bags and only corporate officers would have them. I appreciate everyone's response! 
On Jun 28, 2010, at 5:46 PM, Christopher Morrow wrote: > On Sun, Jun 27, 2010 at 9:03 AM, Jonathan Feldman > wrote: >> I'm one of the reporters who covers broadband and cloud computing for >> InformationWeek magazine (www.informationweek.com), and it's >> interesting to >> me that one of the issues with cloud adoption has to do with the >> limited >> pipe networks available in this country. For example, it's not >> feasible to >> do a massive data load through the networks that are currently >> available -- >> you need to FedEx a hard drive to Amazon. Holy cow, it's >> SneakerNet for the >> 21st Century! > > is this a 'this country' bandwidth problem or the problem that moving > 10tb of 'corporate data' in a 'secure fashion' from 'office' to > 'cloud' really isn't a simple task? and that cutting a DB over at a > point in time 'next tuesday!' is far easier done by shipping a > point-in-time copy of the DB via sata-drive than 'holy cow copy this > over the corp ds3, while we make sure not to kill it for mail/web/etc > other corporate normal uses' ? > > The broadband plan stuff mostly covers consumers, not enterprises, > most of the (amazon as the example here) cloud folks offer > disk-delivery options for businesses. > > you seem to be comparing apples to oranges, no? > > -chris ------------------------------ Message: 9 Date: Mon, 28 Jun 2010 18:30:24 -0400 From: Stefano Gridelli Subject: Re: Broadband initiatives - impact to your network? To: Nick Hilliard Cc: nanog at nanog.org Message-ID: Content-Type: text/plain; charset=ISO-8859-1 ... as Andrew T teaches ... :D On Mon, Jun 28, 2010 at 5:59 PM, Nick Hilliard wrote: > On 27/06/2010 14:03, Jonathan Feldman wrote: > > For example, it's not feasible to do a massive data load through the > > networks that are currently available -- you need to FedEx a hard drive > > to Amazon. Holy cow, it's SneakerNet for the 21st Century! 
> > Never underestimate the bandwidth of a stationwagon full of > $current_high_density_storage_media. > > Nick > > ------------------------------ Message: 10 Date: Tue, 29 Jun 2010 07:50:10 +0900 From: Randy Bush Subject: Re: Broadband initiatives - impact to your network? To: Jonathan Feldman Cc: nanog at nanog.org Message-ID: Content-Type: text/plain; charset=US-ASCII > The question, in my mind, is whether it's reasonable to ask that > regional providers reach the same bar as privately owned campus > networks. you are comparing LAN to WAN, never a bright idea randy ------------------------------ _______________________________________________ NANOG mailing list NANOG at nanog.org https://mailman.nanog.org/mailman/listinfo/nanog End of NANOG Digest, Vol 29, Issue 81 ************************************* From lowen at pari.edu Tue Jun 29 09:17:13 2010 From: lowen at pari.edu (Lamar Owen) Date: Tue, 29 Jun 2010 10:17:13 -0400 Subject: Broadband initiatives - impact to your network? In-Reply-To: References: Message-ID: <201006291017.13850.lowen@pari.edu> On Monday, June 28, 2010 06:50:10 pm Randy Bush wrote: > > The question, in my mind, is whether it's reasonable to ask that > > regional providers reach the same bar as privately owned campus > > networks. > > you are comparing LAN to WAN, never a bright idea Even ATM years ago blurred that arbitrary line. Why does there even need to be a line between local and wide in terms of networking? As far as IP is concerned, there is no difference. Even as far as Ethernet is concerned, there is no difference. It's ATM's promise all over again with people reinventing wheels that shouldn't have to be reinvented....WAN's exist for demarcation, typically, at least in the way I've used them (I used a POS OC3 over a 35 mile path for three years as a LANish link, with the WAN link that had BGP speakers attached being FastEthernet... 
talk about blurring a line; and now I use a L3VPN tunnel on a WANish Metro Ethernet link to replace the direct OC3 LAN link....)) The BTOP applications of which I'm familiar could just as easily carry traffic that would traditionally be classified as local area; or even storage area, for that matter, as fibre channel in particular does very well over long distances (run IP on FC, and get better than Ethernet throughput for less money, even.... :-)). Drop a wave mux in, hit it with intermediate reach optics, up the number of buffers (on FC, at least, and pay the license for the larger buffers, to vendor B at least), and drop your storage elsewhere. I'd rather get a wave than IP or even SONET transport any day. Wish it were an option here. And I see the BTOP ARRA apps having the potential, if done right, to extend the 'LAN' (as opposed to 'broadcast domain' even though I know many use the two terms synonymously) to a global reach. WAN's historically have been differentiated by lower bandwidth, greater segmentation/demarcation of traffic, and higher cost relative to LAN links; BTOP has the potential to eliminate that distinction. From lowen at pari.edu Tue Jun 29 09:19:40 2010 From: lowen at pari.edu (Lamar Owen) Date: Tue, 29 Jun 2010 10:19:40 -0400 Subject: Broadband initiatives - impact to your network? In-Reply-To: References: Message-ID: <201006291019.40553.lowen@pari.edu> On Monday, June 28, 2010 08:42:49 pm Randy Bush wrote: > is geoff's isp business 101 still the canonic reference for what this > reporter needs for clue? The reporter in question has plenty of clue. From jgreco at ns.sol.net Tue Jun 29 09:29:37 2010 From: jgreco at ns.sol.net (Joe Greco) Date: Tue, 29 Jun 2010 09:29:37 -0500 (CDT) Subject: Broadband initiatives - impact to your network? 
In-Reply-To: from "Randy Bush" at Jun 29, 2010 07:50:10 AM Message-ID: <201006291429.o5TETbVo022830@aurora.sol.net> > > The question, in my mind, is whether it's reasonable to ask that > > regional providers reach the same bar as privately owned campus > > networks. > > you are comparing LAN to WAN, never a bright idea Today's residential internet speeds ("WAN") are greater than the LAN speeds of 20 years ago. Users generally don't care about "LAN" vs "WAN", and just want their stuff to work fast and well. I would counter your statement with a warning that it's never a bright idea to simply discount what people want to be able to do just because it would involve what us techies call a "WAN." It's too easy to forget what users want to be able to do; for example, maybe at&t didn't really properly predict that users would be downloading huge amounts of YouTube, pictures, app-driven data, and movies over their "3G" network, which is kind of the ultimate example of the general point I'm making. It's likely correct that WAN speeds will never match LAN speeds, so from that point of view, you're correct, but that doesn't mean that it might not be nice to be able to backup someone's PC over a SOHO cablemodem to a corporate backup server, and in fact some people try to do that, since the alternatives are not good. Bleh :-) ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples. 
From tariq198487 at hotmail.com Tue Jun 29 09:34:28 2010
From: tariq198487 at hotmail.com (Tarig Yassin)
Date: Tue, 29 Jun 2010 17:34:28 +0300
Subject: Network Documentation
In-Reply-To: <201006291019.40553.lowen@pari.edu>
References: , <201006291019.40553.lowen@pari.edu>
Message-ID:

Hello every one

I am curious as to how others are documenting their network; both visually and configurations.

Is there any software that offers a database with a web-based front end that can document in great detail?

thanks

--
Tarig Y. Adam
CTO - SUIN
www.suin.edu.sd

_________________________________________________________________
Hotmail: Trusted email with Microsoft's powerful SPAM protection.
https://signup.live.com/signup.aspx?id=60969

From lowen at pari.edu Tue Jun 29 09:41:50 2010
From: lowen at pari.edu (Lamar Owen)
Date: Tue, 29 Jun 2010 10:41:50 -0400
Subject: Broadband initiatives - impact to your network?
In-Reply-To:
References:
Message-ID: <201006291041.50394.lowen@pari.edu>

On Monday, June 28, 2010 05:46:00 pm Christopher Morrow wrote:
> The broadband plan stuff mostly covers consumers, not enterprises,
> most of the (amazon as the example here) cloud folks offer
> disk-delivery options for businesses.

One successful BTOP application in North Carolina has more to do with enterprises (in this case, educational institutions) than with consumers.

From streiner at cluebyfour.org Tue Jun 29 09:52:38 2010
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Tue, 29 Jun 2010 10:52:38 -0400 (EDT)
Subject: Broadband initiatives - impact to your network?
In-Reply-To: <201006291041.50394.lowen@pari.edu>
References: <201006291041.50394.lowen@pari.edu>
Message-ID:

On Tue, 29 Jun 2010, Lamar Owen wrote:
> On Monday, June 28, 2010 05:46:00 pm Christopher Morrow wrote:
>> The broadband plan stuff mostly covers consumers, not enterprises,
>> most of the (amazon as the example here) cloud folks offer
>> disk-delivery options for businesses.
> > One successful BTOP application in North Carolina has more to do with > enterprises (in this case, educational institutions) than with > consumers. Likewise in Pennsylvania. jms From LarrySheldon at cox.net Tue Jun 29 10:11:28 2010 From: LarrySheldon at cox.net (Larry Sheldon) Date: Tue, 29 Jun 2010 10:11:28 -0500 Subject: Broadband initiatives - impact to your network? In-Reply-To: <201006291017.13850.lowen@pari.edu> References: <201006291017.13850.lowen@pari.edu> Message-ID: <4C2A0D20.4050608@cox.net> On 6/29/2010 09:17, Lamar Owen wrote: > On Monday, June 28, 2010 06:50:10 pm Randy Bush wrote: >> you are comparing LAN to WAN, never a bright idea > > Even ATM years ago blurred that arbitrary line. > > Why does there even need to be a line between local and wide in terms of networking? As with most toe-drawn-lines-in-the-dirt the agendum here is not what the author wants you to think it is. -- Somebody should have said: A democracy is two wolves and a lamb voting on what to have for dinner. Freedom under a constitutional republic is a well armed lamb contesting the vote. Requiescas in pace o email Ex turpi causa non oritur actio Eppure si rinfresca ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml From sthaug at nethelp.no Tue Jun 29 10:22:39 2010 From: sthaug at nethelp.no (sthaug at nethelp.no) Date: Tue, 29 Jun 2010 17:22:39 +0200 (CEST) Subject: Broadband initiatives - impact to your network? In-Reply-To: <201006291017.13850.lowen@pari.edu> References: <8B403135-63AC-4C32-A77A-5483AD6A4931@feldman.org> <201006291017.13850.lowen@pari.edu> Message-ID: <20100629.172239.74746812.sthaug@nethelp.no> > > you are comparing LAN to WAN, never a bright idea > > Even ATM years ago blurred that arbitrary line. > > Why does there even need to be a line between local and wide in > terms of networking? As far as IP is concerned, there is no > difference. Even as far as Ethernet is concerned, there is no > difference. I beg to differ. 
There is a big difference between multipoint traffic within a small geographical area (typically realized with switches), and trying to realize the same multipoint topology/traffic across a national backbone, typically using VPLS and similar technologies. On the other hand, Ethernet used as a framing/encapsulation technology for point to point links works just fine across large distances.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From uri.joskovitch at telrad.com Tue Jun 29 10:29:39 2010
From: uri.joskovitch at telrad.com (Uri Joskovitch)
Date: Tue, 29 Jun 2010 18:29:39 +0300
Subject: Huawei PTN 910
In-Reply-To: <51A20C9C-B20F-4DDC-9F19-19F666161DC6@gmail.com>
References: <4C05458E.1050200@rollernet.us> <02755D474772E74E97471FC5BBE7641B031F4934@TLRD-MAIL1.Telrad.co.il> <51A20C9C-B20F-4DDC-9F19-19F666161DC6@gmail.com>
Message-ID: <02755D474772E74E97471FC5BBE7641B0327DC2A@TLRD-MAIL1.Telrad.co.il>

URGENT !!!

I got into trouble with this product, any one has its user manual?

Installation guide? , Other documentation?

Thanks

Uri

From lists at quux.de Tue Jun 29 10:28:28 2010
From: lists at quux.de (Jens Link)
Date: Tue, 29 Jun 2010 17:28:28 +0200
Subject: Network Documentation
In-Reply-To: (Tarig Yassin's message of "Tue, 29 Jun 2010 17:34:28 +0300")
References: <201006291019.40553.lowen@pari.edu>
Message-ID: <87tyolhn8j.fsf@oban.berlin.quux.de>

Tarig Yassin writes:

First: *PLEASE* do not start a new thread by replying to a mail and changing the subject. There is something called a reference header which allows real mail clients (read: not Outlook or Notes) to do threading. This makes it much easier to read large amounts of mail.

> I am curious as to how others are documenting their network; both
> visually and configurations.
>
> Is there any a software offers a database with web-based front end that
> can document in a very details.

Most people I know use a wiki for documentation and rancid for configuration management.
If you want to access your configurations via web you can use rancid + webcvs.

There are also several database based tools for ip address management. Check the list archives for details.

Jens

--
-------------------------------------------------------------------------
| Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 |
| http://blog.quux.de | jabber: jenslink at guug.de | ------------------- |
-------------------------------------------------------------------------

From patrick at zill.net Tue Jun 29 10:32:44 2010
From: patrick at zill.net (Patrick Giagnocavo)
Date: Tue, 29 Jun 2010 11:32:44 -0400
Subject: Contract negotiations advice?
Message-ID: <4C2A121C.60707@zill.net>

I am dealing with a large telecom which purchased the small telecom I signed a contract with.

Despite signing only 1 contract with them, the two racks, and the bandwidth which feeds 1 rack (I connect privately to the second rack at no charge) all have different termination dates.

How signing one contract resulted in 3 different end of term dates, months apart, I can't quite figure out.

Can anyone point me to a mailing list or discussion forum containing advice on dealing with such issues? And the wider issue of negotiating good rates with telecoms?

Cordially

Patrick Giagnocavo
patrick at zill.net

From brett at the-watsons.org Tue Jun 29 10:57:21 2010
From: brett at the-watsons.org (Brett Watson)
Date: Tue, 29 Jun 2010 08:57:21 -0700
Subject: Network Documentation
In-Reply-To: <87tyolhn8j.fsf@oban.berlin.quux.de>
References: <201006291019.40553.lowen@pari.edu> <87tyolhn8j.fsf@oban.berlin.quux.de>
Message-ID: <520B7563-79C8-4B70-B2FA-A4D6F4B62B36@the-watsons.org>

On Jun 29, 2010, at 8:28 AM, Jens Link wrote:
>
>> I am curious as to how others are documenting their network; both
>> visually and configurations.
>>
>> Is there any a software offers a database with web-based front end that
>> can document in a very details.
> > Most people I know use a wiki for documentation and rancid for > configuration management. If you want to access your configurations wia > web you can use rancid + webcvs. > > There are also several database based tools for ip address > management. Check the list archives for details. There was a pretty nifty presentation at NANOG49 that may be what you're looking for: https://netdot.uoregon.edu/ -b From heather.schiller at verizonbusiness.com Tue Jun 29 11:46:31 2010 From: heather.schiller at verizonbusiness.com (Schiller, Heather A (HeatherSkanks)) Date: Tue, 29 Jun 2010 16:46:31 +0000 Subject: Geolocation contact for Bing/Microsoft? Message-ID: Can someone from Bing/MS contact me about correcting Geolocation info for some IP's. Folks are erroneously getting redirected - and I can't find any info about how to get it fixed. Thanks, --Heather ~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~* Heather Schiller Network Security - Verizon Business 1.800.900.0241 security at verizonbusiness.com From frnkblk at iname.com Tue Jun 29 11:55:49 2010 From: frnkblk at iname.com (Frank Bulk - iName.com) Date: Tue, 29 Jun 2010 11:55:49 -0500 Subject: Geolocation contact for Bing/Microsoft? In-Reply-To: References: Message-ID: This might help you: http://www.bing.com/community/forums/p/653511/9573859.aspx Frank -----Original Message----- From: Schiller, Heather A (HeatherSkanks) [mailto:heather.schiller at verizonbusiness.com] Sent: Tuesday, June 29, 2010 11:47 AM To: NANOG list Subject: Geolocation contact for Bing/Microsoft? Can someone from Bing/MS contact me about correcting Geolocation info for some IP's. Folks are erroneously getting redirected - and I can't find any info about how to get it fixed. 
Thanks,
--Heather

~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*
Heather Schiller
Network Security - Verizon Business
1.800.900.0241
security at verizonbusiness.com

From morrowc.lists at gmail.com Tue Jun 29 13:39:56 2010
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Tue, 29 Jun 2010 14:39:56 -0400
Subject: Huawei PTN 910
In-Reply-To: <02755D474772E74E97471FC5BBE7641B0327DC2A@TLRD-MAIL1.Telrad.co.il>
References: <4C05458E.1050200@rollernet.us> <02755D474772E74E97471FC5BBE7641B031F4934@TLRD-MAIL1.Telrad.co.il> <51A20C9C-B20F-4DDC-9F19-19F666161DC6@gmail.com> <02755D474772E74E97471FC5BBE7641B0327DC2A@TLRD-MAIL1.Telrad.co.il>
Message-ID:

On Tue, Jun 29, 2010 at 11:29 AM, Uri Joskovitch wrote:
> URGENT !!!
>
> I got into trouble with this product, any one has its user manual?
>
> Installation guide? , Other documentation?

see like the 5th link down?

> Thanks
>
> Uri
>
>
>

From jharper at first-american.net Tue Jun 29 14:18:26 2010
From: jharper at first-american.net (Jeff Harper)
Date: Tue, 29 Jun 2010 14:18:26 -0500
Subject: RE: Huawei PTN 910
In-Reply-To:
References: <4C05458E.1050200@rollernet.us> <02755D474772E74E97471FC5BBE7641B031F4934@TLRD-MAIL1.Telrad.co.il> <51A20C9C-B20F-4DDC-9F19-19F666161DC6@gmail.com> <02755D474772E74E97471FC5BBE7641B0327DC2A@TLRD-MAIL1.Telrad.co.il>
Message-ID:

Lol, you must have way too much time on your hands to make that. ;)

> -----Original Message-----
> From: Christopher Morrow [mailto:morrowc.lists at gmail.com]
> Sent: Tuesday, June 29, 2010 1:40 PM
> To: Uri Joskovitch
> Cc: nanog at nanog.org
> Subject: Re: Huawei PTN 910
>
> On Tue, Jun 29, 2010 at 11:29 AM, Uri Joskovitch
> wrote:
> > URGENT !!!
> >
> > I got into trouble with this product, any one has its user manual?
> >
> > Installation guide? , Other documentation?
>
>
> see like the 5th link down?
> > > Thanks > > > > Uri > > > > > > From robertg at garlic.com Tue Jun 29 15:18:31 2010 From: robertg at garlic.com (Robert Glover) Date: Tue, 29 Jun 2010 13:18:31 -0700 Subject: Huawei PTN 910 In-Reply-To: References: <4C05458E.1050200@rollernet.us><02755D474772E74E97471FC5BBE7641B031F4934@TLRD-MAIL1.Telrad.co.il><51A20C9C-B20F-4DDC-9F19-19F666161DC6@gmail.com><02755D474772E74E97471FC5BBE7641B0327DC2A@TLRD-MAIL1.Telrad.co.il> Message-ID: <4C2A5517.7090403@garlic.com> Minimal time needed http://lmgtfy.com/ On 6/29/2010 12:18 PM, Jeff Harper wrote: > Lol, you must have way too much time on your hands to make that. ;) > > >> -----Original Message----- >> From: Christopher Morrow [mailto:morrowc.lists at gmail.com] >> Sent: Tuesday, June 29, 2010 1:40 PM >> To: Uri Joskovitch >> Cc: nanog at nanog.org >> Subject: Re: Huawei PTN 910 >> >> On Tue, Jun 29, 2010 at 11:29 AM, Uri Joskovitch >> wrote: >> >>> URGENT !!! >>> >>> I got into trouble with this product, any one has its user manual? >>> >>> Installation guide? , Other documentation? >>> >> >> >> see like the 5th link down? >> >> >>> Thanks >>> >>> Uri >>> >>> >>> >>> > > From jimi.thompson at gmail.com Tue Jun 29 16:20:10 2010 From: jimi.thompson at gmail.com (Jimi Thompson) Date: Tue, 29 Jun 2010 16:20:10 -0500 Subject: Contract negotiations advice? Message-ID: <4c2a637c.0350e70a.2c0f.ffffade0@mx.google.com> First thing is to be an educated consumer. Know what going rates and sla s cost for a given service. Also check the rep of the vendor. I find that competitive bids work well. Unless your a gov or something you dont have to take the lowest bid - take the best one. -----Original Message----- From: Patrick Giagnocavo Sent: Tuesday, June 29, 2010 10:32 AM To: NANOG Subject: Contract negotiations advice? I am dealing with a large telecom which purchased the small telecom I signed a contract with. 
Despite signing only 1 contract with them, the two racks, and the bandwidth which feeds 1 rack (I connect privately to the second rack at no charge) all have different termination dates. How signing one contract resulted in 3 different end of term dates, months apart, I can't quite figure out. Can anyone point me to a mailing list or discussion forum containing advice on dealing with such issues? And the wider issue of negotiating good rates with telecoms? Cordially Patrick Giagnocavo patrick at zill.net From adam.lafountain at googlemail.com Tue Jun 29 19:08:45 2010 From: adam.lafountain at googlemail.com (Adam LaFountain) Date: Tue, 29 Jun 2010 17:08:45 -0700 Subject: Contract negotiations advice? Message-ID: > > I am dealing with a large telecom which purchased the small telecom I > signed a contract with. > > Despite signing only 1 contract with them, the two racks, and the > bandwidth which feeds 1 rack (I connect privately to the second rack at > no charge) all have different termination dates. > > Check your billing. Did your first invoice have all of your services? How about the second one? If they didn't bill you on time, it's partially your fault. If they did bill you for everything, then you have empirical evidence showing when you started the term (by performance.. paying) and their dates are wrong. > How signing one contract resulted in 3 different end of term dates, > months apart, I can't quite figure out. > > Did your original vendor provide a turn-up or activation notice? This should indicate the date that would go in their system to indicate term expiration. > Can anyone point me to a mailing list or discussion forum containing > advice on dealing with such issues? And the wider issue of negotiating > good rates with telecoms? Typical economics, more volume leads to better deals; growth appeal; competitive reference, etc. 
From bill at herrin.us Tue Jun 29 19:30:53 2010 From: bill at herrin.us (William Herrin) Date: Tue, 29 Jun 2010 20:30:53 -0400 Subject: Contract negotiations advice? In-Reply-To: <4C2A121C.60707@zill.net> References: <4C2A121C.60707@zill.net> Message-ID: On Tue, Jun 29, 2010 at 11:32 AM, Patrick Giagnocavo wrote: > And the wider issue of negotiating > good rates with telecoms? Carrier neutral facility. When it's in their house its their rules and their rules aren't designed for your benefit. When it's somebody else's house, they have to compete for your business or lose it to somebody else. Also, find the back door. I don't know how true it is any more, but it used to be that you could hook up with someone else buying services from some carriers wholesale at a substantially lower price. MCI/Worldcom was notorious for this. The third party would make a small markup as the pass-through billing agent and your extra payment would help move them into a deeper discount class within the telcom's wholesale business. Regards, Bill Herrin -- William D. Herrin ................ herrin at dirtside.com bill at herrin.us 3005 Crane Dr. ...................... Web: Falls Church, VA 22042-3004 From morrowc.lists at gmail.com Tue Jun 29 20:45:47 2010 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Tue, 29 Jun 2010 21:45:47 -0400 Subject: Huawei PTN 910 In-Reply-To: References: <4C05458E.1050200@rollernet.us> <02755D474772E74E97471FC5BBE7641B031F4934@TLRD-MAIL1.Telrad.co.il> <51A20C9C-B20F-4DDC-9F19-19F666161DC6@gmail.com> <02755D474772E74E97471FC5BBE7641B0327DC2A@TLRD-MAIL1.Telrad.co.il> Message-ID: On Tue, Jun 29, 2010 at 3:18 PM, Jeff Harper wrote: > Lol, you must have way too much time on your hands to make that. 
;)

I actually couldn't easily think of a quicker way to get the 'see the searchy thingy can find it for you, look at that pdf linked there' :( is the 950, the 910 guide was in something Cyrillic (possibly russian) but translate.google offered to xlate it on the fly...

-chris

>> > Installation guide? , Other documentation?
>>
>>
>>
>> see like the 5th link down?

From karnaugh at karnaugh.za.net Wed Jun 30 01:27:15 2010
From: karnaugh at karnaugh.za.net (Colin Alston)
Date: Wed, 30 Jun 2010 08:27:15 +0200
Subject: Advice regarding Cisco/Juniper/HP
In-Reply-To:
References: <20100617092909.I713@evil.minions.com> <4C1A51BE.7090905@utah.edu> <14864F23-2F32-4AA2-A1A0-2CE18B1EBA32@oicr.on.ca>
Message-ID:

On Thu, Jun 24, 2010 at 9:52 PM, Matthew Walster wrote:
> On 23 June 2010 08:54, Colin Alston wrote:
>> I dislike HP switches from a management point of view (and I think the
>> VLAN config is nonsense), but they work fine.
>
> That's strange, I abhor the Cisco way of doing VLANs and love the
> HP/Procurve method.
>
> What do you find so irritating?

It just feels ass backwards a lot of the time, especially trunking. That's more likely an "RTFM" problem, but the Cisco VLAN config has always just seemed more logical.

From sthaug at nethelp.no Wed Jun 30 02:34:42 2010
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Wed, 30 Jun 2010 09:34:42 +0200 (CEST)
Subject: Advice regarding Cisco/Juniper/HP
In-Reply-To:
References:
Message-ID: <20100630.093442.74688872.sthaug@nethelp.no>

> > That's strange, I abhor the Cisco way of doing VLANs and love the
> > HP/Procurve method.
> >
> > What do you find so irritating?
>
> It just feels ass backwards alot of the time, especially trunking.
> That's more likely an "RTFM" problem, but the Cisco VLAN config has
> always just seemed more logical.

The Cisco default of allowing all VLANs on a trunk is dangerous in a service provider environment (not to mention VTP, DTP and other evils).
The Cisco "interface-centric" method (adding VLANs to an interface instead of adding interfaces to a VLAN) is prone to typos which can have severe results (typing "switchport trunk allowed vlan 5" instead of "switchport trunk allowed vlan add 5"). I'd definitely say "more logical" is in the eye of the beholder...

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From gbonser at seven.com Wed Jun 30 11:07:17 2010
From: gbonser at seven.com (George Bonser)
Date: Wed, 30 Jun 2010 09:07:17 -0700
Subject: Advice regarding Cisco/Juniper/HP
In-Reply-To:
References: <20100617092909.I713@evil.minions.com> <4C1A51BE.7090905@utah.edu> <14864F23-2F32-4AA2-A1A0-2CE18B1EBA32@oicr.on.ca>
Message-ID: <5A6D953473350C4B9995546AFE9939EE09EA4EFC@RWC-EX1.corp.seven.com>

> -----Original Message-----
> From: Colin Alston
> Sent: Tuesday, June 29, 2010 11:27 PM
> To: Matthew Walster
> Cc: nanog at nanog.org
> Subject: Re: Advice regarding Cisco/Juniper/HP
>
> On Thu, Jun 24, 2010 at 9:52 PM, Matthew Walster
> wrote:
> It just feels ass backwards a lot of the time, especially trunking.
> That's more likely an "RTFM" problem, but the Cisco VLAN config has
> always just seemed more logical.

I can sympathize. Some gear you add vlans to a port. Other gear you add ports to vlans. Personally, I prefer the Cisco configuration syntax because if I want to know which vlans a port is in, you look at the port config and there it is. Other gear you need to look through each vlan configuration and note which vlans the port appears in and hope you don't overlook one.
George

From gbonser at seven.com Wed Jun 30 11:11:28 2010
From: gbonser at seven.com (George Bonser)
Date: Wed, 30 Jun 2010 09:11:28 -0700
Subject: Advice regarding Cisco/Juniper/HP
In-Reply-To: <20100630.093442.74688872.sthaug@nethelp.no>
References: <20100630.093442.74688872.sthaug@nethelp.no>
Message-ID: <5A6D953473350C4B9995546AFE9939EE09EA4EFD@RWC-EX1.corp.seven.com>

> -----Original Message-----
> From: sthaug
> Sent: Wednesday, June 30, 2010 12:35 AM
> Cc: nanog at nanog.org
> Subject: Re: Advice regarding Cisco/Juniper/HP
>
> The Cisco default of allowing all VLANs on a trunk is dangerous in a
> service provider environment (not to mention VTP, DTP and other evils).
>

I agree. In a perfect world, the default should be to not allow any vlans on a trunk unless explicitly configured. I think Cisco defaults are set so that someone not all that familiar with network gear can plug in a new switch, it will negotiate a trunk, and all vlans will be available on it without a lot of configuration. So like a lot of things, a piece of gear in the hands of someone who doesn't know exactly what they are doing can be dangerous.

G

From Greg.Whynott at oicr.on.ca Wed Jun 30 11:18:24 2010
From: Greg.Whynott at oicr.on.ca (Greg Whynott)
Date: Wed, 30 Jun 2010 12:18:24 -0400
Subject: Advice regarding Cisco/Juniper/HP
In-Reply-To: <5A6D953473350C4B9995546AFE9939EE09EA4EFC@RWC-EX1.corp.seven.com>
References: <20100617092909.I713@evil.minions.com> <4C1A51BE.7090905@utah.edu> <14864F23-2F32-4AA2-A1A0-2CE18B1EBA32@oicr.on.ca> <5A6D953473350C4B9995546AFE9939EE09EA4EFC@RWC-EX1.corp.seven.com>
Message-ID: <0C63EADB-39D9-474B-914F-0FC2C7EC4C4E@oicr.on.ca>

On Jun 30, 2010, at 12:07 PM, George Bonser wrote:
> if I want to
> know which vlans a port is in, you look at the port config and there it
> is. Other gear you need to look through each vlan configuration and
> note which vlans the port appears in and hope you don't overlook one.
or become familiar with some basic commands, which is after all, our job... on hp: show port vlan e1, which will show you all the vlans port E1 is a member of..

I like cisco, but i think the HP way is more logical and less prone to error. A previous poster gave an excellent example, i burnt myself not adding the "add" to a trunk config on our cisco switches. i went over the magical number (and I've no idea why you need to use another argument when you pass some threshold, it seems redundant and silly) of vlans and took out about 7 departments till I realized what I had done. thankfully you only need to do this once to learn.

the trunking is more logical on HP config wise too, there is a line in the config which shows all the members and trunk type, on one line.

not being able to issue commands while in config mode (without the 'do') is annoying as hell too.. it's like not being able to do anything on a unix box while you are root without being asked "are you sure" every time you hit carriage return.

the biggest thing I don't like about the HP CLI is the lack of regex or the ability to string a few together on one line. some models have it, others don't. that would be the second issue, the lack of consistency between devices. cisco owns that one.

-g

From nick at foobar.org Wed Jun 30 12:08:44 2010
From: nick at foobar.org (Nick Hilliard)
Date: Wed, 30 Jun 2010 18:08:44 +0100
Subject: Advice regarding Cisco/Juniper/HP
In-Reply-To: <5A6D953473350C4B9995546AFE9939EE09EA4EFC@RWC-EX1.corp.seven.com>
References: <20100617092909.I713@evil.minions.com> <4C1A51BE.7090905@utah.edu> <14864F23-2F32-4AA2-A1A0-2CE18B1EBA32@oicr.on.ca> <5A6D953473350C4B9995546AFE9939EE09EA4EFC@RWC-EX1.corp.seven.com>
Message-ID: <4C2B7A1C.2040600@foobar.org>

On 30/06/2010 17:07, George Bonser wrote:
> Some gear you add vlans to a port. Other gear you add ports to vlans.
> Personally, I prefer the Cisco configuration syntax because if I want to
> know which vlans a port is in, you look at the port config and there it
> is. Other gear you need to look through each vlan configuration and
> note which vlans the port appears in and hope you don't overlook one.

Both syntax types (per port and per vlan) break in terms of readability at a certain stage. Unfortunately, that stage comes very quickly in terms of many configurations. There's just no way to be elegant on most complicated configurations.

Nick

From jfbeam at gmail.com Wed Jun 30 15:50:40 2010
From: jfbeam at gmail.com (Ricky Beam)
Date: Wed, 30 Jun 2010 16:50:40 -0400
Subject: Advice regarding Cisco/Juniper/HP
In-Reply-To: <0C63EADB-39D9-474B-914F-0FC2C7EC4C4E@oicr.on.ca>
References: <20100617092909.I713@evil.minions.com> <4C1A51BE.7090905@utah.edu> <14864F23-2F32-4AA2-A1A0-2CE18B1EBA32@oicr.on.ca> <5A6D953473350C4B9995546AFE9939EE09EA4EFC@RWC-EX1.corp.seven.com> <0C63EADB-39D9-474B-914F-0FC2C7EC4C4E@oicr.on.ca>
Message-ID:

On Wed, 30 Jun 2010 12:18:24 -0400, Greg Whynott wrote:
> I like cisco, but i think the HP way is more logical and less prone to
> error. A previous poster gave an excellent example, i burnt myself not
> adding the "add" to a trunk config on our cisco switches. i went over
> the magical number (and I've no idea why you need to use another
> argument when you pass some threshold, it seems redundant and silly) of
> vlans and took out about 7 departments till I realized what I had
> done. thankfully you only need to do this once to learn.

Education is education. If you don't know what you're doing (and paying attention), you eventually will do something stupid and break the whole internet. Every manufacturer has their own specific brand of brain damage.

In the Cisco world, there are 3 modes... add vlans, remove vlans, and *specify* vlans. Leaving out a word changes the entire meaning. Typos are just as simple (even more simple) on an HP.
There's no add/remove mode for vlan port membership. You specify the entire list every time. Migrating port vlan assignments gets messy fast. (that's when people reach for IE to click a few checkboxes.)

Personally, I prefer a bit of both. I like the HP method of keeping VLAN configuration in one section. However, I'll give that up every time for Cisco's much simpler means of managing vlan port membership. (at least on anything supporting interface ranges :-))

> the trunking is more logical on HP config wise too, there is a line in
> the config which shows all the members and trunk type, on one line.

On the other hand, looking at the interface configuration, there's zero indication it's a member of a trunk. Cisco shows that in the interface config, and will immediately yell at you if you "unbalance" the port-group/etherchannel -- you shouldn't mess with the member interfaces directly once added to a port-group.

> not being able to issue commands while in config mode (without the 'do')
> is annoying as hell too..

This is a safety measure to keep your mind on the road. A typo in config mode can make a seriously royal mess.

> ... that would be the second issue, the lack of consistency between
> devices. cisco owns that one.

No they don't. Which version of IOS are you running? Oh, right, that switch doesn't run IOS, it runs CatOS? Wait a min, that's a 1900... it uses a menu interface. I have three Cisco switches right here that are radically different. In fact, the 2948G-L3 confused a CCIE for several weeks. :-) Until I told him stop thinking "switch" and config it like a 48 port router. (and sadly, it doesn't support interface ranges. :-()

--Ricky

From swank206 at gmail.com Wed Jun 30 15:54:47 2010
From: swank206 at gmail.com (J Wytt)
Date: Wed, 30 Jun 2010 13:54:47 -0700
Subject: Future of WiMax
In-Reply-To: <4C193702.7050308@xyonet.com>
References: <201006161940.o5GJetM3011674@metis.hicks-net.net> <4C193702.7050308@xyonet.com>
Message-ID:

They have not claimed this.
The option to change is there if LTE becomes a better long term solution but no one has said it will happen (or even probably). Either way, both technologies will continue to develop and both will be viable players in the marketplace for quite some time.

On Wed, Jun 16, 2010 at 1:41 PM, Curtis Maurand wrote:
>
> they've already claimed they'll probably switch to LTE. They said it was
> just a software change to do that. Of course the standard for actually
> placing a phone call on it (LTE) has yet to be finalized.
>
> On 6/16/2010 3:40 PM, Gregory Hicks wrote:
>>
>>> Date: Wed, 16 Jun 2010 12:35:16 -0700
>>> From: Seth Mattinen
>>>
>>> WiMax sounds promising, but I certainly don't hear a lot about it
>> other
>>> than Sprint/Clear. Is it just that everyone that's doing wireless is
>>> sticking with relatively inexpensive 802.11 a/b/g/n products, or is
>>> WiMax really a dead end?
>>
>> Sprint/Clear certainly thinks it has promise. They just put up a
>> wireless tower just next door to my house in San Jose... (Well, Clear
>> actually received permission from the city zoning dept...)
>>
>> Regards,
>> Gregory Hicks
>>
>>> ~Seth
>>
>> ---------------------------------------------------------------------
>> Gregory Hicks                           | Principal Systems Engineer
>>                                         | Direct:   408.569.7928
>>
>> People sleep peaceably in their beds at night only because rough men
>> stand ready to do violence on their behalf -- George Orwell
>>
>> The price of freedom is eternal vigilance. -- Thomas Jefferson
>>
>> "The best we can hope for concerning the people at large is that they
>> be properly armed."
>> --Alexander Hamilton
>>
>

From Greg.Whynott at oicr.on.ca Wed Jun 30 16:14:57 2010
From: Greg.Whynott at oicr.on.ca (Greg Whynott)
Date: Wed, 30 Jun 2010 17:14:57 -0400
Subject: Advice regarding Cisco/Juniper/HP
In-Reply-To:
References: <20100617092909.I713@evil.minions.com> <4C1A51BE.7090905@utah.edu> <14864F23-2F32-4AA2-A1A0-2CE18B1EBA32@oicr.on.ca> <5A6D953473350C4B9995546AFE9939EE09EA4EFC@RWC-EX1.corp.seven.com> <0C63EADB-39D9-474B-914F-0FC2C7EC4C4E@oicr.on.ca>
Message-ID: <1FF3A969-475E-40C4-B3FB-5F9374FE6DC4@oicr.on.ca>

On Jun 30, 2010, at 4:50 PM, Ricky Beam wrote:
> Personally, I prefer a bit of both.

same here. both have some things which I don't agree with. prime example again is adding more than X vlans to an interface, why the "add"?

interface TenGigabitEthernet5/5
 switchport trunk allowed vlan 20,30,40,50,60,100,121,124,125,128,334-336
 switchport trunk allowed vlan add 500-505,509,510,513,515-518,530,532,540

that should all be able to go onto one line. I don't follow the logic. we could sit here all day nit picking I guess. It was more my manager's rage on that fateful day that made me hate that 'method' so much. 8)

>> not being able to issue commands while in config mode (without the 'do')
>> is annoying as hell too..
>
> This is a safety measure to keep your mind on the road. A typo in config
> mode can make a seriously royal mess.

I disagree with you on this. who might they be to determine my ability to not mess things up, and why are they so concerned? and how does this logic follow onto ASA/PIX/FWSM and WLC devices? when you are enabled and in config mode on those you can issue non elevated commands. there is much more potential for damage on an edge security device than an inter departmental switch/router I'd think. but i could be wrong.

>
>> ... that would be the second issue, the lack of consistency between
>> devices. cisco owns that one.
>
> No they don't. Which version of IOS are you running?
> Oh, right, that
> switch doesn't run IOS, it runs CatOS? Wait a min, that's a 1900... it
> uses a menu interface.

haha. I have to agree with you there. i stand corrected. It's been a while since i used a "set" based IOS.

>
> I have three Cisco switches right here that are radically different. In
> fact, the 2948G-L3 confused a CCIE for several weeks. :-) Until I told him
> stop thinking "switch" and config it like a 48 port router. (and sadly, it
> doesn't support interface ranges. :-()

in closing, i have to say I love HP's "alias" command, I can rev my config and save it to a tftp server by typing "saveit" while enabled. Some IOS's allow you to do a "wr net" and get it there with a predefined tftp server, but as we discovered, this isn't available on all devices..

take care and have a great weekend,

greg

From jeff-kell at utc.edu Wed Jun 30 16:32:09 2010
From: jeff-kell at utc.edu (Jeff Kell)
Date: Wed, 30 Jun 2010 17:32:09 -0400
Subject: Advice regarding Cisco/Juniper/HP
In-Reply-To: <1FF3A969-475E-40C4-B3FB-5F9374FE6DC4@oicr.on.ca>
References: <20100617092909.I713@evil.minions.com> <4C1A51BE.7090905@utah.edu> <14864F23-2F32-4AA2-A1A0-2CE18B1EBA32@oicr.on.ca> <5A6D953473350C4B9995546AFE9939EE09EA4EFC@RWC-EX1.corp.seven.com> <0C63EADB-39D9-474B-914F-0FC2C7EC4C4E@oicr.on.ca> <1FF3A969-475E-40C4-B3FB-5F9374FE6DC4@oicr.on.ca>
Message-ID: <4C2BB7D9.2020304@utc.edu>

On 6/30/2010 5:14 PM, Greg Whynott wrote:
> On Jun 30, 2010, at 4:50 PM, Ricky Beam wrote:
>> No they don't. Which version of IOS are you running? Oh, right, that
>> switch doesn't run IOS, it runs CatOS? Wait a min, that's a 1900... it
>> uses a menu interface.

Actually, before they went completely off the update radar, you could select between a menu, IOS-like CLI, or HTTP management thing on a 1900 (and perhaps 2820s?). They haven't been completely retired from here that long (may still have a couple in surplus...)
Jeff

From gbonser at seven.com Wed Jun 30 17:32:43 2010
From: gbonser at seven.com (George Bonser)
Date: Wed, 30 Jun 2010 15:32:43 -0700
Subject: Advice regarding Cisco/Juniper/HP
In-Reply-To: <0C63EADB-39D9-474B-914F-0FC2C7EC4C4E@oicr.on.ca>
References: <20100617092909.I713@evil.minions.com> <4C1A51BE.7090905@utah.edu> <14864F23-2F32-4AA2-A1A0-2CE18B1EBA32@oicr.on.ca> <5A6D953473350C4B9995546AFE9939EE09EA4EFC@RWC-EX1.corp.seven.com> <0C63EADB-39D9-474B-914F-0FC2C7EC4C4E@oicr.on.ca>
Message-ID: <5A6D953473350C4B9995546AFE9939EE09EA4F32@RWC-EX1.corp.seven.com>

> -----Original Message-----
> From: Greg Whynott
> Sent: Wednesday, June 30, 2010 9:18 AM
> To: George Bonser
> Cc: Colin Alston; nanog at nanog.org
> Subject: Re: Advice regarding Cisco/Juniper/HP
>
> or become familiar with some basic commands, which is after all, our
> job... on hp: show port vlan e1, which will show you all the vlans
> port E1 is a member of..

True if you happen to be logged on to the device. What I had in mind was reading config files which is an exercise I happen to have been doing recently. I can look at the config file for a Cisco unit and determine easily which ports are in which vlans by looking at the port config. Some other vendors I must parse the vlan config for port numbers. So yeah, on a Brocade unit one can do sho vlan if you are logged on to it and other vendors have their way. It isn't that big of an issue but if I could have a perfect world, I would rather specify vlans per interface than interfaces per vlan.

G

From jeroen at mompl.net Wed Jun 30 20:30:22 2010
From: jeroen at mompl.net (Jeroen van Aart)
Date: Wed, 30 Jun 2010 18:30:22 -0700
Subject: Advice regarding Cisco/Juniper/HP
In-Reply-To: <76AC4CFF-2E90-4BE4-BC12-6CAA72DB2229@jsyoung.net>
References: <76AC4CFF-2E90-4BE4-BC12-6CAA72DB2229@jsyoung.net>
Message-ID: <4C2BEFAE.6090009@mompl.net>

Jeff Young wrote:
> you'll need twice as much of Brand X and therefore, the deal isn't quite so
> appealing.
> (By the way HP, Cisco and Juniper are pretty much
> interchangeable in this discussion).

If they are interchangeable then why bother getting into a war at all? It's very tiresome. :-|

--
http://goldmark.org/jeff/stupid-disclaimers/

From muhammad_reza at biznetnetworks.com Wed Jun 30 22:33:09 2010
From: muhammad_reza at biznetnetworks.com (Muhammad Reza)
Date: Thu, 1 Jul 2010 10:33:09 +0700
Subject: Metro-E Testing Parameter
Message-ID: <01fe01cb18ce$205322c0$8100a8c0@jktmidntbtrans>

Hi Everyone,

Currently we are planning to do a POC for some Metro Ethernet product. Does anyone have testing parameters for a Metro-E product? It's OK even if the testing parameters are basic ones.

Thanks in advance.

Reza

From dhubbard at dino.hostasaurus.com Wed Jun 30 22:48:59 2010
From: dhubbard at dino.hostasaurus.com (David Hubbard)
Date: Wed, 30 Jun 2010 23:48:59 -0400
Subject: ASR vs 7604 for BGP border router?
Message-ID:

Curious if anyone can give me some real world thoughts on the Cisco ASR1004 w/RP2 & ESP5 versus a 7604 w/?? as a border router for web hosting environment. I'm looking to replace a pair of aging routers of a different make. Current config is four providers, two send full BGP on gigE to both of our routers for redundancy, two providers send full BGP on gigE to only one each, so basically each device receives three full feeds and then they talk to each other. Very simple network; border passes through firewalls to core using static routes, core has default route out to the border, all one physical location, nothing obscure or complicated.

Cisco rep suggested looking at the ASR due to our interest in having the firewall functionality built in so we can get rid of the standalones, but that's not mandatory. A friend suggested the 7604 but I'm not sure what config as far as management, add-on cards, etc. The cumulative outbound traffic may burst up to 1 Gbit/sec during the business day, averages less.
Only three things that really matter are reliable BGP, functional IPv6 (not using it yet but want to), won't fall down if a compromised server starts sending out line rate garbage packets it has to discard or similar things that don't happen in a test lab.

Thanks,

Dave

From matthew at walster.org Wed Jun 30 23:02:43 2010
From: matthew at walster.org (Matthew Walster)
Date: Thu, 1 Jul 2010 05:02:43 +0100
Subject: Advice regarding Cisco/Juniper/HP
In-Reply-To:
References: <20100617092909.I713@evil.minions.com> <4C1A51BE.7090905@utah.edu> <14864F23-2F32-4AA2-A1A0-2CE18B1EBA32@oicr.on.ca> <5A6D953473350C4B9995546AFE9939EE09EA4EFC@RWC-EX1.corp.seven.com> <0C63EADB-39D9-474B-914F-0FC2C7EC4C4E@oicr.on.ca>
Message-ID:

On 30 June 2010 21:50, Ricky Beam wrote:
> Typos are just as simple (even more simple) on an HP. There's no add/remove
> mode for vlan port membership. You specify the entire list every time.

conf t
vlan 1000
tag 1
tag 22
untag 44
exit
exit
write memory
exit

Result: vlan 1000 is tagged on ports 1 and 22, and the untagged (native) port is changed on port 44 to vlan 1000. HP is cumulative, typos generally don't matter.

M

From daniel.dib at reaper.nu Wed Jun 30 23:30:42 2010
From: daniel.dib at reaper.nu (Daniel Dib)
Date: Thu, 1 Jul 2010 06:30:42 +0200
Subject: SV: Advice regarding Cisco/Juniper/HP
In-Reply-To: <1FF3A969-475E-40C4-B3FB-5F9374FE6DC4@oicr.on.ca>
References: <20100617092909.I713@evil.minions.com> <4C1A51BE.7090905@utah.edu> <14864F23-2F32-4AA2-A1A0-2CE18B1EBA32@oicr.on.ca> <5A6D953473350C4B9995546AFE9939EE09EA4EFC@RWC-EX1.corp.seven.com> <0C63EADB-39D9-474B-914F-0FC2C7EC4C4E@oicr.on.ca> <1FF3A969-475E-40C4-B3FB-5F9374FE6DC4@oicr.on.ca>
Message-ID: <3CDD276169544ACA897DE13D3DA2CC0E@sus>

> in closing, i have to say I love HP's "alias" command, I can rev my
> config and save it to a tftp server by typing "saveit" while enabled.
> Some IOS's allow you to do a "wr net" and get it there with a predefined
> tftp server, but as we discovered, this isn't available on all devices..
> take care and have a great weekend,
> greg

You can use alias for Cisco as well, but the default is to ask for the TFTP IP etc., though you can change this with file prompt quiet. Then you can do copy run tftp://1.2.3.4/router-conf and make an alias for that. Or you could write it in EEM like I did; you can trigger it to save when someone changed the config or at a certain time etc. You could also use the archive command to upload configs.

/Daniel

From khatfield at socllc.net Wed Jun 30 23:49:09 2010
From: khatfield at socllc.net (khatfield at socllc.net)
Date: Thu, 1 Jul 2010 04:49:09 +0000
Subject: ASR vs 7604 for BGP border router?
Message-ID: <403072446-1277959750-cardhu_decombobulator_blackberry.rim.net-2131348700-@bda903.bisx.prod.on.blackberry>

What kind of budget do you have? I think it really depends on what you're going after. Both would work... Is there something specific you want to do? Honestly, your current bandwidth utilization and need could be handled by an OpenBSD system. I think I may be missing your exact question. Are you asking which would work best? Or simply asking about reliability? In my opinion, I prefer the Juniper MX series over the ASR. However, there are plenty of fanboys for ASR's. I really don't think you could go wrong either way. Unless a deciding factor is budget or something along those lines...

------Original Message------
From: David Hubbard
To: nanog at nanog.org
Subject: ASR vs 7604 for BGP border router?
Sent: Jun 30, 2010 10:48 PM

Curious if anyone can give me some real world thoughts on the Cisco ASR1004 w/RP2 & ESP5 versus a 7604 w/?? as a border router for web hosting environment. I'm looking to replace a pair of aging routers of a different make.
Current config is four providers, two send full BGP on gigE to both of our routers for redundancy, two providers send full BGP on gigE to only one each, so basically each device receives three full feeds and then they talk to each other. Very simple network; border passes through firewalls to core using static routes, core has default route out to the border, all one physical location, nothing obscure or complicated. Cisco rep suggested looking at the ASR due to our interest in having the firewall functionality built in so we can get rid of the standalones, but that's not mandatory. A friend suggested the 7604 but I'm not sure what config as far as management, add-on cards, etc. The cumulative outbound traffic may burst up to 1 Gbit/sec during the business day, averages less. Only three things that really matter are reliable BGP, functional IPv6 (not using it yet but want to), won't fall down if a compromised server starts sending out line rate garbage packets it has to discard or similar things that don't happen in a test lab. Thanks, Dave
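The trunk-list typo Steinar, Greg and Ricky describe in the Cisco/Juniper/HP thread above (a bare "switchport trunk allowed vlan" list silently replacing the allowed set when "add" is left off) can be caught before a config is pushed. The following is an added example, not code from anyone in this thread: a small Python simulator of the IOS allowed-vlan forms (bare list, add, remove, all, none, except) run over a constructed excerpt modelled on Greg's TenGigabitEthernet5/5 snippet, reporting which VLANs a line would drop. It assumes only IOS syntax and the ordinary 1-4094 VLAN range; HP's per-VLAN cumulative form from Matthew's message is not modelled.

```python
"""Added example (not from the thread): simulate IOS 'switchport trunk
allowed vlan' and flag a bare list that replaces an existing allowed set."""
import re

ALL_VLANS = frozenset(range(1, 4095))          # a fresh trunk allows all
KEYWORDS = ("all", "none", "add", "remove", "except")
IFACE_RE = re.compile(r"^interface\s+(\S+)", re.IGNORECASE)
ALLOWED_RE = re.compile(r"^switchport trunk allowed vlan\s+(.+?)\s*$",
                        re.IGNORECASE)


def parse_vlan_list(spec: str) -> set[int]:
    """Expand an IOS VLAN list such as '20,30,334-336' into a set."""
    vlans: set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def apply_allowed_vlan(current: set[int], args: str) -> set[int]:
    """Allowed set after 'switchport trunk allowed vlan <args>'. Only
    'add' and 'remove' are relative to the current set; a bare list (and
    all/none/except) replaces it outright."""
    keyword, _, rest = args.strip().partition(" ")
    keyword = keyword.lower()
    if keyword == "all":
        return set(ALL_VLANS)
    if keyword == "none":
        return set()
    if keyword == "add":
        return current | parse_vlan_list(rest)
    if keyword == "remove":
        return current - parse_vlan_list(rest)
    if keyword == "except":
        return set(ALL_VLANS) - parse_vlan_list(rest)
    return parse_vlan_list(args)            # bare list: full replacement


def check_trunk_config(config: str) -> tuple[dict[str, set[int]], list[str]]:
    """Walk an IOS-style excerpt interface by interface. Returns the final
    allowed set per interface and a warning for every bare list that
    shrinks a set an earlier line on the same interface already built."""
    allowed: dict[str, set[int]] = {}
    warnings: list[str] = []
    iface = None
    seen_explicit = False      # has this interface had an allowed line yet?
    for raw in config.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            allowed[iface] = set(ALL_VLANS)
            seen_explicit = False
            continue
        m = ALLOWED_RE.match(line)
        if not m or iface is None:
            continue
        args = m.group(1)
        before = allowed[iface]
        after = apply_allowed_vlan(before, args)
        is_bare = args.split()[0].lower() not in KEYWORDS
        dropped = before - after
        if seen_explicit and is_bare and dropped:
            warnings.append(f"{iface}: '{line}' replaces the allowed list "
                            f"and drops {len(dropped)} VLAN(s) such as "
                            f"{sorted(dropped)[:5]}; did you mean 'add'?")
        allowed[iface] = after
        seen_explicit = True
    return allowed, warnings


# Constructed excerpt modelled on the snippet quoted in the thread.
CORRECT = """\
interface TenGigabitEthernet5/5
 switchport trunk allowed vlan 20,30,40,50,60,100,121,124,125,128,334-336
 switchport trunk allowed vlan add 500-505,509,510,513,515-518,530,532,540
"""
# The same change with 'add' forgotten on the second line.
TYPO = CORRECT.replace("allowed vlan add ", "allowed vlan ")
```

Running check_trunk_config over CORRECT yields 29 allowed VLANs and no warnings; over TYPO it yields only the 16 VLANs of the second line and one warning naming the 13 dropped ones.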