In recent times, a lot of .mil have thrown up a whole bunch of null routes
to large sections of international address space. Good luck getting them
removed
as this means they have a different definition of the internet than
the one to which i, and i suspect others, are used, why should i
From: Stephen Kent [EMAIL PROTECTED]
Subject: Re: BGP to doom us all
Date: Wed, 2 Apr 2003 18:15:05 -0500
Folks,
I was not subscribed to the workshop list when Randy forwarded this message
at the beginning of last month. However, I would like to respond to the
issues raised in the text.
Steve
MX records are only required if you want to have more than one mail
exchange servers to serve your domain, e.g. if you want to have a
secondary mail server as a relay if the primary server goes down.
actually, i suspect the more common use is that one has a collector
server for a lot of local
Verio has a history of being a prefix length nazi, but were they
that way about route validity?
i can only speak in the quite past tense. but yes. due to
limitations of routers (ever try a really long acl on a cisco?)
and some large peers not registering, verio could not filter
large peers
you might want to look at http://psg.com/~randy/021028.zmao-nanog.pdf.
then again, you may not. it's depressing.
randy
You need at least three flaps to trigger dampening.
i guess you really need to look at that pdf.
randy
The problem is small mompop ISPs and companies where the NOC and the
senior secretary share a desk, and possibly a name.
maybe we should not encourage those who do not have time, talent,
and inclination to install bogon route filters that need to be
maintained?
It is offensive to many people (both male and female) when someone
automatically assumes that an unknown person is male.
though not offended, it does tell me a lot about the person making
the assumption. and it ain't positive.
but that nanog is yet another male dominated technical culture
How would the banana eaters screw up applying the same prefix-list
outbound to all neighbors?
by spending [some small part of] their time configuring routers as
opposed to building tools to configure routers demonstrably
correctly.
when fingers 'touch' routers, bad things are bound to
If you are not ready, willing and able to keep your lists updated, you
probably shouldn't have applied them in the first place.
a poor but wise person who had the onerous task of managing me in the
late '60s said i had a talent for stating the obvious. it was meant
as a compliment.
randy
Look, there's no quick fix solution here.
so let's see how much of a kludge we can make to show how clever
we are.
randy
An electrical fire broke out in the basement of an office tower
in TriBeCa yesterday, four months after building inspectors said
they had discovered illegal diesel fuel tanks installed on the
upper floors of the tower.
basement. roof. what is it i am not getting here? osama bin
elevator?
Scanning is always a precursor to an attack
this is clearly not true, as scans are done for research and
other goals.
and conversely, all attacks are not preceded by scanning.
randy
What a crock of crap. Knowing who someone is doesn't stop them
from causing intentional or unintentional problems. In fact,
authentication is more likely to cause people to become
complacent wrt their filtering policies. Hey I've authenticated
that router so it's going to only send me
http://news.com.com/2100-1009-990608.html?tag=fd_lede1_hed
actually, the article is not all that far off reality as i see it.
the exception being that the ietf has NOT been diligently pursuing
sBGP but rather a lot of the effort is going into a 3/4 hack being
pushed by vendor laziness.
randy
I think the only problem with the comments is that they
over-estimate the benefit of that level of security relative
to the overhead it requires.
crypto hardware has become cheap.
randy
Cheap to buy, but the time for processing each certificate will
increase with the size of the routing table, and we just end up
replicating the problem of recalculating large routing tables,
but now with certification, no?
no. you *really* may want to read up on sbgp before attempting
to
The outcome of the discussions at the Address Policy SIG will be posted
to this list.
where, one hopes, discussion will continue, yes?
randy
could someone else please check the dns for www.united.com? the servers
for united.com seem to delegate www.united.com, but the delegatee seems
not to return an soa. i get very confusing results.
randy, feeling stoopid
btw, when querying bind9 and requesting
'any www.united.com', i get servfail, but when requesting
'A www.united.com', i do get a response.
that is the reaction to their misconfiguration.
i am in a dual-stack universe over here (iij/tokyo). so the
browser, looking for an A or , probably
ross? lazarus arises! wow!
could someone else please check the dns for www.united.com?
Doesn't look good...
they seem to be making similar messes with ual.com, ua2go, ...
and all the stuff that links from their pages.
but it probably 'works' if your host is not dual stack, could you
please
I'd be very interested in hearing how opeators feel about 'pushback'.
the only interesting thing i have seen in this space
randy
will anyone miss it? :-)
huh? i thought it was in eugene where we were streaming the dead
randy
instead of spending our time and energy putting down fools, let us
try to be constructive. let's put our money where our mouths are.
i am soliciting presentations for the eof meeting in barcelona.
of particular interest are presentations on operationally oriented
research, heretofore
anyone else getting postings (at least) twice? someone else told
me they were seeing the same thing. Anyone from Merit at the
wheel?
if we're talking repetitive content, the multiplication factor
seems to be a couple decimal orders of magnitude higher than a
mere doubling
After last week's spam run on Iraq, the US military and NIPC are
concerned Iraq might be behind a rise in electronic attacks
against government and military networks.
and we are supposed to have sympathy for those who struck the first
blow? rofl!
randy
However, NOTA doesn't have either ATT or WorldCom...
so, did any of the much-ballyhooed florida (misnomered) naps actually
manage to attract the significant (== big tier-1) isps?
randy
so, did any of the much-ballyhooed florida (misnomered) naps actually
manage to attract the significant (== big tier-1) isps?
http://www.napoftheamericas.net/membersrepresentativecustomerlist.cfm
http://www.napoftheamericas.net/memberscarriers.cfm
are they connected and peering, i.e. packets
Where the same pseudo wire provider connects to say LINX, AMSIX,
DECIX you're only a little way off having an interconnection of
multiple IXs, it's possible this will occur by accident ..
and l2 networks scale so well, and are so well known for being
reliable. is no one worried about storms,
Well, first I think we need to agree that there are two different cases here:
1) interconnecting IXes operated by the same party, vs.
2) interconnecting IXes operated by different parties.
In the first case an IX operator can shoot himself in the foot, but there
is only one gun and one
This is also a very viable solution, provided the customer has
provisioned for this with lower ttls on their DNS records, which
A LOT of people (thankfully) don't do
actually, a bunch of research now shows that low ttls on A RRs
(that are not the A RRs of NS RRs) has little effect.
in the
Some prefixes in the Route Views routing table do not have a prefix
length specified. For example,
because they are their 'natural' length, i.e. old style A/B/C
This gets to the heart of the matter. It is now 8 years later and RADB is
not catching on. But during the same time period some other UMich people
worked on a more general purpose directory service called LDAP and that
one is catching on. LDAP technology can be made to do the job that we
This type of problem is likely to spur interest in more regional
registries. There's been talk of CIRA setting up a Canadian IP
there already has been a canadian ip address registry. there no
longer is. learn from history.
randy
I just don't see how an outside probe can determine the true topology of a
network.
you may want to gasp! *read* the paper
Would that friend be so kind as to name more than a handful places in
Africa with IP connectivity (multinational companies do not count).
fyi, all countries in africa are ip connected. dunno how big your
hands are, but there are over 50 countries in africa.
randy
Would that friend be so kind as to name more than a handful places in
Africa with IP connectivity (multinational companies do not count).
fyi, all countries in africa are ip connected. dunno how big your
hands are, but there are over 50 countries in africa.
Pardon me for not counting
last year we *measured* isp maps as part of a research project called
rocketfuel and found that the marketing maps can differ significantly from
the real ones quite a bit because of lack-of-detail, outdated-ness, or
optimistic-projections. a paper describing the methodology and the maps
None of the below events are related to network operations. Nordnog is.
If these are the dates that Nanog goes for, I assume that Nordnog will
have to reschedule. Nanog is large enough to attract people from all
over the world and the scheduling of Nanog influences a lot of peoples
The next NANOG meeting will be held February 9-11, 2003, in
Arizona, where it will be warm and sunny.
Is this date absolutely set in stone? First Halloween, now Valentine's
Day.
and it butts right against nordnog, essentially preventing attendance
at both.
randy
ripe-264 describes the blocks from which ripe is allocating and the
longest prefix they are allocating in that block.
what is the apnic equivalent of that document?
randy
i find it droll that using apnic's site and searching for prefix
yields zero hits.
randy
Please accept my apologies for loss of search services.
i demand a full refund!!!
randy
The real question isn't why J has moved a few miles to a different
Verisign building, but where in the world should J move?
i have been pushing beijing for a few years. except it would be
nice to have built some operational understanding and trust with
those folk first, perhaps by asking them
Why is it that the PGP keys with which the root zone cache file is
being signed aren't widely available? The files are signed with keyid
C1D27AF9 which I cannot retrieve from, for instance, the MIT PGP
keyserver. Given the importance of the file it would be nice to verify
the data.
that's
I was wondering if it would be possible to purchase an entire Class C
address range for use in Germany
http://ripe.net
randy
analogy games are fun, but it boils down to this... If I know the real
source of an attack, I can stop it within minutes.
the real source of the attack is the skript kitty who zombied the 10,000
hosts which are sourcing packets at you. the intermediate sources are the
10,000 zombies, and
draft-ymbk-arch-guidelines-05.txt
Yes, blocking spoofed packets helps. But it is not an end-game.
it's not even middle-game
It provides the identity of the party to sue for negligence,
should the damage elsewhere be severe.
and lawsuits have always been such a major contributor to internet
advances in the past. makes me
i am a bit confused here. seems to be that the major differences
between smb's scheme, for which you personally attacked me, and
yours are
o yours has centralized control, you, instead of isp control.
this is known not to have good layer nine properties, see
marinara del roi.
o we
Future attacks will be stronger and more organized. So how do we protect
the root servers from future attack?
protecting the servers is not the *critical* point. protecting the
service is. don't obsess on silly boxes.
of course, box/link protection is *one* aspect of protecting the
http://www.washingtonpost.com/wp-dyn/articles/A828-2002Oct22.html
The heart of the Internet sustained its largest and most sophisticated
attack ever, starting late Monday, according to officials at key online
backbone organizations.
when uunet or att takes many customers out for many
does anybody see pitfalls, i.e. net.damage, if we used an aggregator to
mark some funny stuff in an announcement? i.e. there is a prefix being
announced that we would like to occasionally 'dye' with kinky values in
the aggregator attribute. can you see possible damage to others?
[
What is difficult about dropping packets sourced from RFC1918 addresses
before they leave your network?
But what's the point?
rfc 1918 sec 3
Because private addresses have no global meaning, routing information
about private networks shall not be propagated on inter-enterprise
Why is it hard to believe that a large amount of RFC-1918 sourced
traffic is floating around the net?
Because if 20% of all people generate this crap (which is a huge number)
it must be 90% of their traffic to get at 18%. How can someone generate so
much useless traffic and keep doing it,
For those with no prior experience in IP addressing, it can provide a nice
bit of historical background. While classful addressing may be passe,
knowing one's history never hurts.
especially as we see echoes of mistakes past being made in the v6 model,
assigning large blocks, /64
The trouble is that not using WEP looks like you're not bothering
with the low level of security that's available in wireless. The
fact that WEP only adds a 15 second - 15 minute delay to full
access to the network both for legitimate and not-so-legitimate
users means it offers more
a prudent user does not ssh _from_ a machine they don't control or
prudent users don't get hacked.
as easily
I'm waiting for one of the professional security consulting firms
to issue their weekly press release screaming Network Operator
Meeting Fails Security Test.
The wireless networks at NANOG meetings never follow what the
security professionals say are mandatory, essential security
Hmm... $2400 is still in the pricey range to be throwing out
bunches of these across a network in wide distribution.
and why would one want to do so? run one strat 1, two at most (widely far
apart, like on different continents), and chime routers off them, chime
everything else off the
ISPs should actually block port 25 outgoing, or even better,
reroute/forward it to their own mail relay.
Agreed.
why not do it to port 80 as well? what the hell, why not do it to all
ports? who the hell needs an internet anyway, let's all have a telco
walled garden.
string of
% dig +norec a.root-servers.net. mil. ns
; DiG 9.3.0s20020722 +norec a.root-servers.net. mil. ns
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17626
;; flags: qr aa; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 11
;; QUESTION SECTION:
;mil.
[jabley@peppermill]% for n in a b c d e f g h i j k l m; do
for> dig ${n}.root-servers.net ns mil. | egrep -qi '^mil.*NS' \
for cmdand> && echo ${n}.root-servers.net provides a delegation for MIL.
for> done
man doc
randy
If you are Joe Blow private citizen, why would you need to run a mail
server?
the internet is a peer network. this is not pay to be screwed.
randy
for research purposes. we want to send a periodic announce and a
withdraw of a specific prefix. but we don't want to hit folk's
damping policies. does anyone damp a swamp /24 which does an
announce / withdraw on a two hour cycle? i.e. announce at
0,2,4,... and withdraw at 1,3,5,..?
randy
AFAIK 12.0S only has the service provider feature set
i fear that the joke is on us. at least one other train seems to
have been merged into the ex-isp train. not sure how much. can't
get a straight answer. welcome back to 1997, and bye bye what
stability we had.
randy
Not a complete solution but a start:
IP Source Tracker:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120
limit/120s/120s21/ipst.htm
Available as of 12.0(22)S for 7500 and 12000 series Cisco routers.
ah yes. the new enterprise image. :-(
I had significant input in my life regarding the difference between can
and may. IMHO significant numbers of net citizens have forgotten that
difference.
therefore all of us need to give up our civil rights?
the terrorists have won.
randy
40mb/s isn't loaded for a DS3?
if you are measuring 40mb at five min intervals, micro peaks are pegged out
causing serious packet loss.
randy
a) QoS mechanisms are for the local-tail. Backbones should have enough
bandwidth (and bandwidth is cheap).
b) QoS was for customers with services like VoIP and VPN - and in most
cases they were needed because the end users refused to buy the bandwidth
they actually needed.
c) The
Hi, it's me again, Frank Rizzo.
give us a break, children, would ya?
Instead, you have increased depeering as everyone tries to
squeeze [non-existent] money out of everybody else.
some of the motivation is large players very consciously trying
to squeeze out smaller or competitive players in the chaos of
all the other noise.
randy
goto [Label A:];
ROFL! it's 1968!
if grandma is hosted on chinanet she is already blackholed by most western
civilization anyway
no, just by some self-marginalizing jingoists who don't know how to filter
http://nanogmrtg.grouptelecom.net/
ATM 2/0 is the OC-3c that connects the Hotel to the outside world.
cool!
any idea why the flat 750k? multicast beacon?
randy
I can get a global address.
i can now too!
it was the merit router.
randy
IPv6 became operational around 10:50. Let us know if you continue to see
problems.
i can see the dancing kame at http://www.kame.net
randy
now someone will surely step up to the plate in their defence and rant
about how this is all a good thing for NASC and how they will go on to
reemerge next year as a lean, mean, bigger better company.
I think at this point we are all long past the innocent stage and
rapidly approaching
Don't even get me started on typos in the delegation records at the TLD
servers (entered by the registrants at least) there are currently 112
domains in .com alone with at least one incorrect NS record pointing at
my nameservers.
MX0 lame.delegation.to.hostname.
* MX0
Have ICANN and NTIA worked out their operational issues so they can quickly
change the root zone to reflect changes in ccTLD nameservers if people
need to change which name servers are handling the ccTLDs. Last year,
some of the ccTLD operators were complaining it sometimes took weeks after
Given the current situation of KPNQwest and the possibility
of its services going offline sometime soon, the RIPE NCC in
agreement with KPNQwest will be temporarily hosting this
server (ns.eu.net) in its premises.
nice emergency hack and sorry to whine. but i used them both
to get
as peers do not give each other transit, you don't need to announce
the IX to each other to get traceroute to work. you just carry it
in your own network.
randy
as peers do not give each other transit, you don't need to announce
the IX to each other to get traceroute to work. you just carry it
in your own network.
Weren't they talking about customers at downstream ISPs which don't
connect directly to the exchange?
one gives transit customers the
Anyone able to outline a worst case scenario, on what the effect would be,
if the KPN network really goes down?
the world ends, we all die, and the universe goes dark
http://www.china.org.cn/english/2002/May/33528.htm Qungdag found
the outside world entirely different when he walked out of the
Prison of Tibet Autonomous Region after serving his 8-year term
there...Qungdag opened a teahouse in Lhasa, capital of Tibet
Autonomous Region. Business soon
what i did was negligible. many folk in za, vic shaw, jacot
guillarmod, alan barrett, chris pinkham, and then the whole uucp
crew up on the reef, did the real work. but mike did push it,
though with vastly excessive use of violence.
However, there is a larger arrogance he is battling - a
ISC has had very little in the way of problems as a .ZA slave
it's the ac.za and co.za messes
The net worked before DNS existed
'cept we hit this little scaling problem
I'm more concerned about well-meaning people and Secure-BGP than
DNS.
run a few thousand zones, and you'll worry about the dns too
randy
I write in my capacity as the person who brought the Internet to
South Africa,
that must be mike lawrie. only he has such misplaced arrogance.
randy
Not to say you can't route well with a linux or bsd system; you can, but
at the high-end probably not as well.
Tell that to Juniper.
routing != forwarding
routers have two jobs, both critical
randy
A highly skilled gay is *VERY* different than a highly skilled guy... :-)
not at work
andy and others who don't have the will or technology to plonk this
clue-free troll, could you at least please not feed it? thanks.
randy
Date: Wed, 22 May 2002 12:22:06 -0400 (EDT)
From: Andy Dills [EMAIL PROTECTED]
To: Ralph Doncaster [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED] [EMAIL
if i was to take a newbie, i would much rather hire someone who has
taken algorithms and data structures, queuing, ... than someone who
has spent their time studying for whatever juniper and cisco call
their vendor certifications.
one can teach a monkey how to hack a router, as is demonstrated
An IRR not mirrored by the RADB (to act as a member) and not
mirroring every RR mirrored by the RADB (to hijack the top level)
seems pointless.
auto-config tools, such as ratoolset, do not use the mirrored data,
only the origin data. one specifies the list of registries to
search. so,
What do commercial network operators, who are required to use Microsoft,
use
their resumes
Well how am I supposed to arrange a payment on a Sunday afternoon?
As well I'd say I've already paid them more than enough to use
their IPs - I never brought up a BGP session with them and never
passed a single packet to them. I'm surprised to hear that such
extortion techniques are
Does anyone know if there is a web site or newsgroup I can get alerts and
updates about what is going on with UUNET ?
http://quotes.nasdaq.com/Quote.dll?mode=stocksymbol=wcomsymbol=symbol=symbol=symbol=symbol=symbol=symbol=symbol=symbol=quick.x=0quick.y=0
anybody use lucent's vitalsigns for snmp monitoring of a large scale ip
network? if so, i would appreciate useful gossip.
randy
now as to who's responsible, first off you have to understand that we
block rfc1918-sourced packets at our AS boundary. (otherwise these
numbers would be Much Higher
are you sure? i suspect they are windows 2000 systems behind NATs. so
the dynamic update is for the 1918 address, but the