Re: CEOlink

2002-03-13 Thread Iljitsch van Beijnum


On 14 Mar 2002, Eric Brandwine wrote:

> Actually, NANOG does great.  Especially during Sept 11, information
> was disseminated, help was offered and accepted, and except for a
> couple of idiotic flames, the SNR was high.

If NANOG fulfills such an important role, it's probably a good idea to
make sure the list still works when there are widespread outages.

There is only a single MX for merit.edu, and as far as I can tell it's not
even multihomed. Also, since this is email, it depends on the DNS.

In theory, news would be more robust than mail, because of its distributed
nature and it should be possible to make news work without relying on the
DNS.




Purpose of the Internet

2002-03-13 Thread Alan Hannan


> Actually, NANOG does great.  Especially during Sept 11, information
> was disseminated, help was offered and accepted, and except for a
> couple of idiotic flames, the SNR was high.  ARPA designed the thing
> to withstand nuclear blasts, and while this was not nuclear, it stood
> up well.

  I read through nanog around september 11th a few days ago and I
  concur that painful as it was to re-read, it is apparent that
  nanog served well as a useful communications medium.

  With regards to the purpose of the internet, I recall reading
  in the Prologue to _Where Wizards Stay Up Late_, by Katie Hafner
  and Matthew Lyon, a true anecdote about Bob Taylor. The authors
  quote Mr. Taylor as refuting that the purpose of the arpanet was 
  to provide communications in spite of a nuclear attack.

  Rather, it is asserted, the purpose of the arpanet was to 
  interconnect computers at various research/education facilities 
  so as to allow researchers to share resources.

  We all heard that story too, but popular media tended to focus
  on the sensationalist nuclear story.

  Useful info from history.

  -alan

  ps -> thanks jeff for the book back in 1996 :-)




Re: CEOlink

2002-03-13 Thread Eric Brandwine


> "b" == batz  <[EMAIL PROTECTED]> writes:

b> This is a complicated issue. Maybe I'm off base, but Nanog is actually
b> really good. Combined with Bugtraq, Incidents, and a virus alert service, 
b> Nanog plays a vital role. Their only limitation is that they are on the
b> Internet. :)

Exactly!  That's why we need control plane separation.

Run SNMP, SSH, telnet, and SNTP (Simple NANOG Transport Protocol)
across the management network, so we're sure we have them when we need
them.

Actually, NANOG does great.  Especially during Sept 11, information
was disseminated, help was offered and accepted, and except for a
couple of idiotic flames, the SNR was high.  ARPA designed the thing
to withstand nuclear blasts, and while this was not nuclear, it stood
up well.

ericb
-- 
Eric Brandwine     |  Apart from hydrogen, the most common thing in the
UUNetwork Security |  universe is stupidity.
[EMAIL PROTECTED]   |
+1 703 886 6038    |  - Harlan Ellison
Key fingerprint = 3A39 2C2F D5A0 FC7C  5F60 4118 A84A BD5D  59D7 4E3E



Re: CEOlink

2002-03-13 Thread Jeff Mcadams


Also sprach Sean Donelan
>On Wed, 13 Mar 2002, Steve Feldman wrote:
>> On Wed, Mar 13, 2002 at 03:55:26PM -0500, William Allen Simpson
>> wrote:
>> > Once upon a time, kc had a MOO -- we used to hang out there and
>> > discuss things in real time

>> It's still there, but doesn't see much activity these days.

>Yep, IPNMOO is still around, and some people use it.  NANOG is the
>closest thing we have to an "all-hands" channel, but lots of people
>don't like the signal to noise ratio.  I have my nocwire list, but it's
>mostly just interesting things sean saw on the net.  Individual
>engineers use IRC, AIM, etc to communicate with people they know.

>It's informal, but so far it has served us well.

It might be worthwhile to post a pointer to this MOO.  There have been
several posts about it, but no pointers on how to access it.

I only have very limited experience with MUD's/MOO's/whatever, but I'm
certainly willing to give it a shot if it helps inter-provider
communication.
-- 
Jeff McAdams                Email: [EMAIL PROTECTED]
Head Network Administrator  Voice: (502) 966-3848
IgLou Internet Services            (800) 436-4456



Re: CEOlink

2002-03-13 Thread Sean Donelan



On Wed, 13 Mar 2002, Steve Feldman wrote:
> On Wed, Mar 13, 2002 at 03:55:26PM -0500, William Allen Simpson wrote:
> > Once upon a time, kc had a MOO -- we used to hang out there and discuss
> > things in real time
>
> It's still there, but doesn't see much activity these days.
>   Steve

Yep, IPNMOO is still around, and some people use it.  NANOG is
the closest thing we have to an "all-hands" channel, but lots of
people don't like the signal to noise ratio.  I have my nocwire
list, but it's mostly just interesting things sean saw on the net.
Individual engineers use IRC, AIM, etc to communicate with people
they know.

It's informal, but so far it has served us well.





Re: CEOlink

2002-03-13 Thread batz


On Wed, 13 Mar 2002, Sean Donelan wrote:

:http://www.newsbytes.com/news/02/175172.html
:  Leaders of the nation's largest corporations are designing a new
:  communications network that would alert them immediately to a terrorist
:  attack and enable them to instantly talk with one another and government
:  officials about how to respond.

I get threat updates a few times a day from various sources as a part of 
my job, and what I have noticed is that the most valuable updates are the
ones where someone has put a few hours' worth of analysis into them.

From this article, the value of this service is a central point of
co-ordination, not unlike CERT, FIRST or (I think) the NIPC at the FBI. 

Nanog is actually a pretty effective forum for these issues, as it
is an ongoing way of maintaining connections between decision makers
and subject matter experts.  

:Interesting idea.  It would be nice if ISPs also had a way to
:instantly talk with one another.
:http://www.ntia.doc.gov/ntiahome/infrastructure/comments/Donelan.htm

What if someone were to offer one of those CNN satellite video terminals
at a reasonable rate with a package including a sat/cell phone, conference
bridge numbers, with alternates and backups etc..? 

The service would have to be offered by someone with the credibility to 
assess threats, and be able to co-ordinate response once subscribers
started calling in.  It is one thing to get people on the phone, it
is another to co-ordinate emergency management strategy with people 
who are busy, don't have security expertise, and may not have been
briefed on the complexity of the situation.  

Personally, I think the NIPC is probably the only group with the mandate
and access to expertise necessary for something like this for the ISP
and telcom world, outside the industries themselves.  

Could a service like this sustain itself profitably?

Could a private industry consortium have broad enough influence to 
be effective? 

This is a complicated issue. Maybe I'm off base, but Nanog is actually
really good. Combined with Bugtraq, Incidents, and a virus alert service, 
Nanog plays a vital role. Their only limitation is that they are on the
Internet. :)

--
batz





Re: CEOlink

2002-03-13 Thread Steve Feldman


On Wed, Mar 13, 2002 at 03:55:26PM -0500, William Allen Simpson wrote:
> 
> Once upon a time, kc had a MOO -- we used to hang out there and discuss 
> things in real time

It's still there, but doesn't see much activity these days.
Steve



Re: CEOlink

2002-03-13 Thread Jeffrey Meltzer


> > Once upon a time, kc had a MOO -- we used to hang out there and discuss 
> > things in real time
> 
> Indeed. Once upon a time... one wonders why that is no longer the case. It
> isn't as if a MOO (or any other flavor of favorite server) takes up much.
> Is nobody offering, or is nobody using what's offered?
> 
> If it's just a matter of nobody offering, after all, even I can fix that...

I've actually had the MOO software compiled and installed for a while, just
haven't gotten around to/had the time to play with it... If anyone wants
to tell me how to set it up/secure it, I'll be glad to leave it there...

Jeff



Re: CEOlink

2002-03-13 Thread Richard A Steenbergen


On Wed, Mar 13, 2002 at 06:06:54PM -0700, Joel Baker wrote:
> 
> On Wed, Mar 13, 2002 at 03:55:26PM -0500, William Allen Simpson wrote:
> > 
> > Sean Donelan wrote:
> > > Interesting idea.  It would be nice if ISPs also had a way to
> > > instantly talk with one another.
> > > http://www.ntia.doc.gov/ntiahome/infrastructure/comments/Donelan.htm
> > 
> > Once upon a time, kc had a MOO -- we used to hang out there and discuss 
> > things in real time
> 
> Indeed. Once upon a time... one wonders why that is no longer the case. It
> isn't as if a MOO (or any other flavor of favorite server) takes up much.
> Is nobody offering, or is nobody using what's offered?
> 
> If it's just a matter of nobody offering, after all, even I can fix that...

Or just put up an IRC server, as long as you don't link it to EFNet no one
will packet it. :)

If that's too much trouble, try an AIM chat room. I don't think it's worth
making a whole mud over (no offense to MOO :P).

-- 
Richard A Steenbergen <[EMAIL PROTECTED]>   http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)



Re: CEOlink

2002-03-13 Thread Joel Baker


On Wed, Mar 13, 2002 at 03:55:26PM -0500, William Allen Simpson wrote:
> 
> Sean Donelan wrote:
> > Interesting idea.  It would be nice if ISPs also had a way to
> > instantly talk with one another.
> > http://www.ntia.doc.gov/ntiahome/infrastructure/comments/Donelan.htm
> 
> Once upon a time, kc had a MOO -- we used to hang out there and discuss 
> things in real time

Indeed. Once upon a time... one wonders why that is no longer the case. It
isn't as if a MOO (or any other flavor of favorite server) takes up much.
Is nobody offering, or is nobody using what's offered?

If it's just a matter of nobody offering, after all, even I can fix that...
-- 
***
Joel Baker   System Administrator - lightbearer.com
[EMAIL PROTECTED]  http://users.lightbearer.com/lucifer/



Anyone here at Sprint?

2002-03-13 Thread Christopher K. Neitzert



Looking for a Nevada Sprint NOC worker.
please email me off list.

thanks

christopher


Christopher K. Neitzert / 0xC10D222F / [EMAIL PROTECTED]





[Fwd: 10 years and no ubiquitous security]

2002-03-13 Thread William Allen Simpson


In remembrance:

 Original Message 
Subject: 10 years and no ubiquitous security
Date: Wed, 13 Mar 2002 18:49:35 -0500
From: William Allen Simpson <[EMAIL PROTECTED]>
Organization: DayDreamer
To: [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]

10 years ago this week, we had an IETF meeting in San Diego.

10 years ago on Tuesday, Phil Karn sprawled out across my hotel room bed 
and drew the packet header that became ESP.  (Remember when we were 
small enough to have hotel room BOFs?)  

10 years today, at a lunch meeting, Phil Karn gathered a group of us, 
and we agreed to pursue IP Security, as "the most important thing 
missing from the Internet".  (Most real work was still done in lunch and 
dinner BOFs last time I attended IETF, and presumably that tradition 
continues now.)

10 years ago tomorrow, Brian Lloyd and I had a "rubber hose" lunch 
meeting with Steve Kent, who as a member of the IAB had refused to allow 
the PPP WG to publish CHAP in our RFC as an official authentication 
protocol.  (He had previously mandated that we remove all security 
protocol negotiation.)  He backed down, but we had to change the name 
from "cryptographic" to "challenge".

Steve Kent refused to charter the IPSec WG.  We had to reform the 
structure of the IAB (removing Steve Kent) -- which was good for many 
other reasons, although its efficacy was short-lived.

After all these years, ESP itself is remarkably unchanged.  (The 
sequence field is 32 bits instead of 16 bits, but we did that in 1993.)  
Remember, by 1995 we had multiple interoperable implementations.

Roughly 5 years ago, IPSec was supposed to be disbanded, because its 
work was complete.  Instead, somebody named Steve Kent secretly took 
over the WG editorship (with no consensus, or even WG discussion), and 
his "appointment" was enforced upon the new "reform" WG Chairs. 

For 5 more years, IPSec WG has slowly turned out unworkable documents, 
generating endless and fruitless discussion.

Today, IPSec has insignificant deployment, and the WG goeth on forever.

...

Should I remind folks that at that same San Diego IETF, JI and Phil and 
Steve Deering and others of us had a lunch BOF on Mobile-IP?
-- 
William Allen Simpson
Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32



Re: Need Verio Contact

2002-03-13 Thread measl



On Wed, 13 Mar 2002, Majdi S. Abbas wrote:

> On Wed, Mar 13, 2002 at 10:37:37AM -0600, [EMAIL PROTECTED] wrote:
> > Does anyone have current contact info for VERIO NOC or Engineering?
> > "puck" data is completely out of date, as are my internal lists.
> 
>   [EMAIL PROTECTED] is out of date?

To all of you who responded as above, I was [obviously] unclear: I needed
telephone contact - the entry has been updated on puck.

Thanks!

>   --msa
> 

-- 
Yours, 
J.A. Terranson
[EMAIL PROTECTED]





Re: Need Verio Contact

2002-03-13 Thread Majdi S. Abbas


On Wed, Mar 13, 2002 at 10:37:37AM -0600, [EMAIL PROTECTED] wrote:
> Does anyone have current contact info for VERIO NOC or Engineering?
> "puck" data is completely out of date, as are my internal lists.

[EMAIL PROTECTED] is out of date?

--msa



Re: CEOlink

2002-03-13 Thread William Allen Simpson


Sean Donelan wrote:
> Interesting idea.  It would be nice if ISPs also had a way to
> instantly talk with one another.
> http://www.ntia.doc.gov/ntiahome/infrastructure/comments/Donelan.htm

Once upon a time, kc had a MOO -- we used to hang out there and discuss 
things in real time

-- 
William Allen Simpson
Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32



Re: The view from the other side of the fence

2002-03-13 Thread batz


On Wed, 13 Mar 2002, Sean Donelan wrote:

:With convergence, do you think we will get the best security practices
:from both worlds, or the worst?

Most organizations' security policies have grown organically, or by
precedent, as opposed to being 'architected'. 

When convergence occurs, the company with the most existing security 
infrastructure 'wins'. By this I mean their practices are adopted 
by the less organized one. 

Also, I have seen some very elaborate, enterprise wide free software security
solutions that were technically elegant, and very robust, but they were 
swept aside because the owners of these systems could not adequately
communicate their business value.   

It has been my observation that convergence doesn't relate so much to the 
integration of technologies to provide new services, as it does the 
rationalization of differing business models into new ones.

From a big picture security perspective, the security challenges of
a convergence between a telco and a satellite tv company aren't as much 
about integrating the various networking technologies and exposing 
ground station computers to the Internet, as they would be about 
DRM, fraud mitigation, subscriber privacy and infrastructure protection. 

The reason I'm mentioning this is because I have heard some security people
talking about the problems with IP gateways to the PSTN, which is 
legitimately frightening to many, but the issue isn't about what will
happen when some PBX manufacturer puts an IP stack and an ethernet card
in their product without doing security QA testing. 

It is about whether the traditional telcom security models that look a lot
like corporate IT, where network people don't touch servers, and vice versa, 
will work when the line blurs between the network and the application. 

In corporate IT, I am one of those "Internet guys" that thinks he
can manage systems _and_ networks, which is like saying to me that I 
play both kinds of music, country _and_ western. 

Worst case scenario, we get Kafkaesque bureaucracy with no standards or
procedures. Best case, we get a hybrid of strong, auditable and enforceable
policy, with an understanding of the systems and networks as a single
service as presented to the customer.  

So, as for whether we will see better or worse security policy, 
I can guarantee we will see the most cost effective solutions,
meeting the minimum legal requirements, which serve customers' needs,
and improve overall ROI for stakeholders. 

In other words, not much will change by virtue of convergence alone. 
It will take education, possibly regulation, and market incentives to
create better security policy, and I think these things are independent
of the features of new technologies. 

Cheers, 


--
batz




Re: CEOlink

2002-03-13 Thread Robert A. Hayden


On Wed, 13 Mar 2002, Sean Donelan wrote:



> Interesting idea.  It would be nice if ISPs also had a way to
> instantly talk with one another.

I thought that was NANOG ;-)




Re: Telco's write best practices for packet switching networks

2002-03-13 Thread Gwendolynn ferch Elydyr


On Wed, 13 Mar 2002, Sean Donelan wrote:
> Although many of the principles are the same, there are differences
> between running a corporate network and a public network.  You can
> have the same people doing both.  In small ISPs it's likely the same
> people will be doing both.  A larger company will have separate groups
> because they serve different masters and have different measures of
> success.  A company may not want to pay for the same levels of
> reliability and survivability for their corporate network as their
> public IP network.

The goals of the corporate network and the public IP network are often
different, at best. The corporate network is inevitably focused around
the needs of the business, including such irritations as file sharing,
printing, calendar services, video conferencing, and other notoriously
secure (heh!) services.

The public IP network is focused by and large on providing a limited
number of services, and flinging packets around as fast as possible.

The clue behind the public IP network is almost always focused on the
network (often to the point of considering any systems involved to be
second class citizens "Why should I care if there's a system down? It
only matters if the network's down"[1])

The clue on the corporate network often doesn't care at all about the
network (beyond "is it running") - but really cares that their services
are deployed and accessible.

I think that Sean's right about the goals being different - but it's
more than just "reliability and survivability". The network and
enterprise markets are notably different, with different goals and
requirements.

Most vendors seem to have a very clear grasp on that - and I suspect
that it'll be another 5-10 years before we see any form of true
convergence (if not longer).

[1] This ignoring the fact that a down'd network monitoring system may
cause all sorts of interesting side effects in viewing the network...
==
"A cat spends her life conflicted between a deep, passionate and profound
desire for fish and an equally deep, passionate and profound desire to
avoid getting wet.  This is the defining metaphor of my life right now."




Need Verio Contact

2002-03-13 Thread measl



Does anyone have current contact info for VERIO NOC or Engineering?

"puck" data is completely out of date, as are my internal lists.

Thanks!

-- 
Yours, 
J.A. Terranson
[EMAIL PROTECTED]






CEOlink

2002-03-13 Thread Sean Donelan




http://www.newsbytes.com/news/02/175172.html
  Leaders of the nation's largest corporations are designing a new
  communications network that would alert them immediately to a terrorist
  attack and enable them to instantly talk with one another and government
  officials about how to respond.



Interesting idea.  It would be nice if ISPs also had a way to
instantly talk with one another.
http://www.ntia.doc.gov/ntiahome/infrastructure/comments/Donelan.htm




Re: The view from the other side of the fence

2002-03-13 Thread Jake Khuon


### On Wed, 13 Mar 2002 08:00:41 -0500 (EST), Sean Donelan
### <[EMAIL PROTECTED]> casually decided to expound upon Rajesh Talpade
### <[EMAIL PROTECTED]> the following thoughts about "Re: The view
### from the other side of the fence":

SD> On Wed, 13 Mar 2002, Rajesh Talpade wrote:
SD> > A network is only as secure as its weakest link
SD> >
SD> > sounds like a cliche, but am afraid this least-common-denominator rule
SD> > will hold as networks converge.
SD> 
SD> Is there anything we can do to improve this?  How can we make sure
SD> the people who "need-to-know" find out how to secure their weakest
SD> links instead of waiting for each company to stumble along their
SD> learning curve.

That's a good question.  Unlike the systems world where there seems to be
quite a few free as well as commercial toolkits alongside stuff that gets
distributed OEM to run security audits (many OSes are preconfigured as part
of their installation process to generate periodic audits), there doesn't
seem to be many such toolkits for auditing networks as a whole.  I think
this stems from several reasons (and I'm probably missing a few).

[1] Diversity in network designs force security folks to tailor their
auditing tools to a particular network.

[2] Exposure of homegrown auditing methods and procedures viewed as a
security breach so such things simply are kept in secrecy.  I suspect
however that no one has really developed a comprehensive generic
auditing tool or toolkit but instead relies on a combination of
handcrafted scripts and security policies to run manual audits instead
of automated ones.  Someone please prove me wrong.

[3] Networks are not really thought of holistically like a server is in the
systems world.  Security tools are targeted more towards auditing
devices in an individual manner because modelling the entire network is
too difficult.

I suppose some of the folks doing IDS and/or distributed firewall (Oh Mr.
Bellovin? |8^) development may be able to shed better light on the subject. 
But IDS seems to be a reactive measure rather than a proactive one and
distributed firewalls may address some issues with device security but
doesn't seem to really touch on enforcing sane routing practises.


--
/*===[ Jake Khuon <[EMAIL PROTECTED]> ]==+
 | Packet Plumber, Network Engineers /| / [~ [~ |) | | --- |
 | for Effective Bandwidth Utilisation  / |/  [_ [_ |) |_| N E T W O R K S |
 +=*/



Re: The view from the other side of the fence

2002-03-13 Thread Sean Donelan



On Wed, 13 Mar 2002, Rajesh Talpade wrote:
> A network is only as secure as its weakest link
>
> sounds like a cliche, but am afraid this least-common-denominator rule
> will hold as networks converge.

Is there anything we can do to improve this?  How can we make sure
the people who "need-to-know" find out how to secure their weakest
links instead of waiting for each company to stumble along their
learning curve.

The usual answer is hire an expert (or SAIC :-).  But there aren't
enough qualified experts to go around in the best of circumstances.
The problems include divergent cultures, technologies, and even
generations.  Until the technology crash, the so-called next
generation networking companies didn't want to "converge" with
the existing companies; they wanted to wipe them out.  There wasn't
a lot of sharing between the different groups, even within the
same company.

I'm not sure one security approach is better than the other, but they
mix like oil and water when you combine traditional telephone security
and Internet security methods.




NYT 3/13/02 on Worldcom and the SEC : "From Obscurity to Inquiry"

2002-03-13 Thread Fletcher E Kittredge



Well written, sobering.   Free registration required.


http://www.nytimes.com/2002/03/13/technology/13PHON.html
 
regards,
fletcher



Re: Telco's write best practices for packet switching networks

2002-03-13 Thread Sean Donelan



On Wed, 13 Mar 2002, Jake Khuon wrote:
> employees access their infrastructure.  Do you separate and outsource your
> management infrastructure to your corporate IT support?  Do you separate but
> control it within your production network engineering groups?  If so, do you
> have a special group within network engineering concentrating specifically
> on management or do you have the same people designing the network also do
> the management design?

Although many of the principles are the same, there are differences
between running a corporate network and a public network.  You can
have the same people doing both.  In small ISPs it's likely the same
people will be doing both.  A larger company will have separate groups
because they serve different masters and have different measures of
success.  A company may not want to pay for the same levels of
reliability and survivability for their corporate network as their
public IP network.





Re: The view from the other side of the fence

2002-03-13 Thread Rajesh Talpade


A network is only as secure as its weakest link

sounds like a cliche, but am afraid this least-common-denominator rule
will hold as networks converge.

rajesh.

"--- begin message from Sean Donelan ---"
> 
> 
> On Mon, 11 Mar 2002, Scott Madley wrote:
> > Let's face it as the industry moves towards a more converged state, we
> > haven't even really begun to consider the security implications that
> > present themselves in this new environment.
> 
> With convergence, do you think we will get the best security practices
> from both worlds, or the worst?
> 
> 



Re: The view from the other side of the fence

2002-03-13 Thread Jake Khuon


### On Wed, 13 Mar 2002 05:51:46 -0500 (EST), Sean Donelan
### <[EMAIL PROTECTED]> casually decided to expound upon Scott Madley
### <[EMAIL PROTECTED]> the following thoughts about "Re: The view from the
### other side of the fence":

SD> On Mon, 11 Mar 2002, Scott Madley wrote:
SD> > Let's face it as the industry moves towards a more converged state, we
SD> > haven't even really begun to consider the security implications that
SD> > present themselves in this new environment.
SD> 
SD> With convergence, do you think we will get the best security practices
SD> from both worlds, or the worst?

My off-the-cuff prediction is, as with any convergence process, it will be
first the latter and then the former... but then again, I'm a cynic.


--
/*===[ Jake Khuon <[EMAIL PROTECTED]> ]==+
 | Packet Plumber, Network Engineers /| / [~ [~ |) | | --- |
 | for Effective Bandwidth Utilisation  / |/  [_ [_ |) |_| N E T W O R K S |
 +=*/



Re: The view from the other side of the fence

2002-03-13 Thread Sean Donelan


On Mon, 11 Mar 2002, Scott Madley wrote:
> Let's face it as the industry moves towards a more converged state, we
> haven't even really begun to consider the security implications that
> present themselves in this new environment.

With convergence, do you think we will get the best security practices
from both worlds, or the worst?





Re: Telco's write best practices for packet switching networks

2002-03-13 Thread Jake Khuon


### On Tue, 12 Mar 2002 12:23:51 -0800 (PST), Ratul Mahajan
### <[EMAIL PROTECTED]> casually decided to expound upon Sean Donelan
### <[EMAIL PROTECTED]> the following thoughts about "Re: Telco's write best
### practices for packet switching networks ":

RM> On the downside -- this is yet another instance of conflict between
RM> research and operations.  Being able to address the (core) routers

This may be a repeat discussion but I also wonder if there are some other
social level conflicts derived from how one structures their management
network.  For instance, many providers have a separate group which handles
the corporate IT which is different from the group which handles the
production provider network.  One could take the stance that the production
network should only be reachable from the corporate network and that the
management network become an extension of the corporate network.  I imagine
that many network engineers on the side of the production network might take
issue with that (I probably would).  For better or worse, many of us have
gotten used to managing our backbones under a single umbrella including
control over how we design and run our management network.  I'd be
interested in hearing about some of the practises of bigger providers
(assuming I'm not asking anyone to violate security) on how they let their
employees access their infrastructure.  Do you separate and outsource your
management infrastructure to your corporate IT support?  Do you separate but
control it within your production network engineering groups?  If so, do you
have a special group within network engineering concentrating specifically
on management or do you have the same people designing the network also do
the management design?


--
/*===[ Jake Khuon <[EMAIL PROTECTED]> ]==+
 | Packet Plumber, Network Engineers /| / [~ [~ |) | | --- |
 | for Effective Bandwidth Utilisation  / |/  [_ [_ |) |_| N E T W O R K S |
 +=*/