Re: WANTED: ISPs with DDoS defense solutions

2003-07-30 Thread Petri Helenius
Paul Vixie wrote:

> lots of late night pondering tonight.
>
> the anti-nat anti-firewall pure-end-to-end crowd has always argued in
> favour of "every host for itself" but in a world with a hundred million
> unmanaged but reprogrammable devices is that really practical?

The most popular applications today either prefer or require bidirectional
connectivity. Peer2peer traffic is about half of total and there can be only
so many "corporate sponsored" SuperNodes.
Also, games and some other applications, like SIP and other VoIP stuff
require to be able to connect to the remote host. Obviously you can engineer
around all this but then, fixing the host is also "just software".

> if *all* dsl and cablemodem plants firewalled inbound SYN packets and/or
> only permitted inbound UDP in direct response to prior valid outbound UDP,
> would rob really have seen a ~140Khost botnet this year?

Sure. One late remote exploit requires just an embedded MIDI file on a web
page which MS's browser will be happy to download and "execute".  Or did you
think that the NAT box would allow only text based browsing and provide
HTTP to Gopher translation?
While you are at it, make sure all email-clients are safe and immune to
viruses.

Pete




Re: WANTED: ISPs with DDoS defense solutions

2003-07-30 Thread Paul Vixie

> > 1) The OS/software/default settings for a lot of internet connected
> > machines are weak, making it easy to attack from multiple locations.
> >
> I'll start looking for this to happen when Microsoft manages to release
> an OS version which does not contain remote exploitable flaw before
> the boxes hit the store shelf.

lots of late night pondering tonight.

the anti-nat anti-firewall pure-end-to-end crowd has always argued in
favour of "every host for itself" but in a world with a hundred million
unmanaged but reprogrammable devices is that really practical?

if *all* dsl and cablemodem plants firewalled inbound SYN packets and/or
only permitted inbound UDP in direct response to prior valid outbound UDP,
would rob really have seen a ~140Khost botnet this year?
-- 
Paul Vixie
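
The filtering policy asked about above (drop inbound SYNs at the access plant, admit inbound UDP only in reply to prior outbound UDP), modelled as a small packet filter. This is an added example, not part of the original post; the 30-second UDP timeout, the class and function names, and the documentation-range addresses in the constructed trace are assumptions.

```python
from dataclasses import dataclass

UDP_TIMEOUT = 30.0  # assumed lifetime of a UDP return path, in seconds


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds since the start of the trace
    direction: str   # "out" = subscriber to Internet, "in" = Internet to subscriber
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flags as letters, e.g. "S", "SA", "A"


class EdgeFilter:
    """Access-plant filter: stateless SYN drop for TCP, stateful replies-only for UDP."""

    def __init__(self, udp_timeout=UDP_TIMEOUT):
        self.udp_timeout = udp_timeout
        # (inside ip, inside port, outside ip, outside port) -> time of last outbound packet
        self.udp_flows = {}

    def decide(self, p):
        if p.direction == "out":
            if p.proto == "udp":
                self.udp_flows[(p.src, p.sport, p.dst, p.dport)] = p.ts
            return "pass"
        if p.proto == "tcp":
            # SYN set with ACK clear is an attempt to open a connection towards the subscriber.
            bare_syn = "S" in p.flags and "A" not in p.flags
            return "drop" if bare_syn else "pass"
        if p.proto == "udp":
            # Inbound UDP must mirror a recent outbound flow exactly (peer and ports).
            last_out = self.udp_flows.get((p.dst, p.dport, p.src, p.sport))
            fresh = last_out is not None and p.ts - last_out <= self.udp_timeout
            return "pass" if fresh else "drop"
        return "drop"  # other protocols are outside the stated policy; dropped by assumption


SUB = "192.0.2.10"  # constructed subscriber address

# Constructed trace, one packet per line.
TRACE = [
    Packet(0.0, "in", "tcp", "198.51.100.7", 40100, SUB, 445, "S"),   # unsolicited connect
    Packet(1.0, "out", "udp", SUB, 1026, "203.0.113.53", 53),         # DNS query
    Packet(1.1, "in", "udp", "203.0.113.53", 53, SUB, 1026),          # matching reply
    Packet(2.0, "in", "udp", "198.51.100.7", 40101, SUB, 1026),       # wrong peer, same port
    Packet(40.0, "in", "udp", "203.0.113.53", 53, SUB, 1026),         # right peer, state expired
    Packet(41.0, "out", "tcp", SUB, 1027, "203.0.113.80", 80, "S"),   # subscriber opens a web connection
    Packet(41.1, "in", "tcp", "203.0.113.80", 80, SUB, 1027, "SA"),   # SYN-ACK answering it
    Packet(41.3, "in", "tcp", "203.0.113.80", 80, SUB, 1027, "A"),    # returned content
]


def run_trace(packets, fw=None):
    """Return the filter's verdict for each packet, in order."""
    if fw is None:
        fw = EdgeFilter()
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(TRACE, run_trace(TRACE)):
        print(f"{pkt.ts:5.1f} {pkt.direction:3} {pkt.proto} "
              f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {pkt.flags:2} {verdict}")
```

The last three packets pass because the subscriber opened the connection; the filter only decides who may start a conversation, not what comes back over one.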


Re: WANTED: ISPs with DDoS defense solutions

2003-07-30 Thread Petri Helenius

>
> 1) The OS/software/default settings for a lot of internet connected
> machines are weak, making it easy to attack from multiple locations.
>
I'll start looking for this to happen when Microsoft manages to release
an OS version which does not contain remote exploitable flaw before
the boxes hit the store shelf.

Remember, security is not a process, it's lifestyle.

Pete



public comment period for oisafety.org's vulnerability process

2003-07-30 Thread Paul Vixie

http://www.oisafety.org/ announced the GA version of "guidelines for security
vulnerability reporting and response process, v1.0", whose URL is
http://www.oisafety.org/reference/process.pdf

this is asynchronous to the NIAC presentation jim duncan gave at the
last nanog, but it's related/similar, and there's a public comment period,
and it's a worthwhile read, or an opportunity to flame somebody, or whatever.

oisafety.org is the organization for internet safety, btw.


Re: WANTED: ISPs with DDoS defense solutions

2003-07-30 Thread Randy Bush

>> Filtering the bogons does help, and everyone should perform anti-spoofing
>> in the appropriate places.  It isn't, however, a silver bullet.
> it's necessary but not sufficient.

anti-spoofing is useful, but vastly insufficient, and hence not necessary

randy



Re: WANTED: ISPs with DDoS defense solutions

2003-07-30 Thread Henry Linneweh
I agree with Paul's position on anti-spoofing, without that, you are fighting a
losing battle.

Henry R Linneweh

Paul Vixie <[EMAIL PROTECTED]> wrote:

> > Filtering the bogons does help, and everyone should perform anti-spoofing
> > in the appropriate places. It isn't, however, a silver bullet.
>
> it's necessary but not sufficient. but if we knew the source addresses were
> authentic, then some pressure on the RIRs to make address block holders
> reachable would yield entirely new echelons of accountability.
>
> with the current anonymity of ddos sources, it's not possible to file a class
> action lawsuit against suppliers of the equipment, or software, or services
> which make highly damaging ddos's a fact of life for millions of potential
> class members.
>
> so please focus on "anti-spoofing"'s *necessity* and not on the fact that by
> itself it won't be sufficient. "anti-spoofing" will enable solutions which
> are completely beyond consideration at this time.
>
> (we'll know the tide has turned when BCP38 certifications for ISPs are
> available from the equivalent of "big 8" ("big 2" now?) accounting firms,
> and these certifications will be prerequisite to getting BGP set up.)
> --
> Paul Vixie

Re: WANTED: ISPs with DDoS defense solutions

2003-07-30 Thread Paul Vixie

> Filtering the bogons does help, and everyone should perform anti-spoofing
> in the appropriate places.  It isn't, however, a silver bullet.

it's necessary but not sufficient.  but if we knew the source addresses were
authentic, then some pressure on the RIRs to make address block holders
reachable would yield entirely new echelons of accountability.

with the current anonymity of ddos sources, it's not possible to file a class
action lawsuit against suppliers of the equipment, or software, or services
which make highly damaging ddos's a fact of life for millions of potential
class members.

so please focus on "anti-spoofing"'s *necessity* and not on the fact that by
itself it won't be sufficient.  "anti-spoofing" will enable solutions which
are completely beyond consideration at this time.

(we'll know the tide has turned when BCP38 certifications for ISPs are
available from the equivalent of "big 8" ("big 2" now?) accounting firms,
and these certifications will be prerequisite to getting BGP set up.)
-- 
Paul Vixie


Re: WANTED: ISPs with DDoS defense solutions

2003-07-30 Thread Christopher L. Morrow


On Wed, 30 Jul 2003, Rob Thomas wrote:

>
> ] Sure, trace my attacks to the linux box at UW, I didn't spoof the flood
> ] and you can prove I did the attacking how? You can't because I and 7 other
> ] hackers all are fighting each other over ownership of the poor UW student
> ] schlep's computer...
>
> Only seven?  Must be a lame box.  :)
>

it was at UW and that damned computer security guy, old Mr.
What's-His-Name-Dietrich was watching :)


Re: Is there a technical solution to SPAM?

2003-07-30 Thread Paul Vixie

> Spammers are like roaches.  They are here to stay.  They are aggressive.
> They adapt.

spam is a drug, and spammers will do anything, anything at all, for a fix.

> We need to respond with a variety of mechanisms, preferably coordinated
> to maximize the aggregate effect.

i still disagree.  we need to call smtp a total loss and start over, from
the basic question: how can mutual consent be prerequisite to communication?

the difference between spam and ddos is a matter of statefulness -- but the
motives for sending it are essentially the same: asymmetric benefit to the
sender, and without consent of the recipients.

watching the growth of the anti-ddos and anti-spam industries makes the
internet look like a grade school science fair project run amok.
-- 
Paul Vixie


Re: Is there a technical solution to SPAM?

2003-07-30 Thread Dave Crocker

Michael,

MDrc> I'm betting that we get the biggest bang for the buck out of education and
MDrc> training. Part of it will come from teaching people network etiquette,
MDrc> part from teaching them that spam is not a way to make money, and part of
MDrc> it from teaching website owners how to provide effective advertising so

"Accountable" Spammers are willing to work within the rules. In the
absence of rules, they are aggressive. These are the folks of the DMA
and the rest of the real, commercial marketing world. They have, so far,
been entirely resistant to the many, vigorous efforts to pursue
discussion-based education. For these folks, legislation-based
"education" is more promising.

Unfortunately, there is another set of folks that I call "Rogue
Spammers".  For various reasons, they cannot be held accountable.  Some
work from unaccountable environments.  Some are simply crazy or nasty,
so they don't care about making money.

Spammers are like roaches.  They are here to stay.  They are aggressive.
They adapt.

We need to respond with a variety of mechanisms, preferably coordinated
to maximize the aggregate effect.


d/
--
 Dave Crocker 
 Brandenburg InternetWorking 
 Sunnyvale, CA  USA



Re: WANTED: ISPs with DDoS defense solutions

2003-07-30 Thread Rob Thomas

] Sure, trace my attacks to the linux box at UW, I didn't spoof the flood
] and you can prove I did the attacking how? You can't because I and 7 other
] hackers all are fighting each other over ownership of the poor UW student
] schlep's computer...

Only seven?  Must be a lame box.  :)

-- 
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);




Re: WANTED: ISPs with DDoS defense solutions

2003-07-30 Thread Rob Thomas

Hi, NANOGers.

O, you just knew I'd have to chime in eventually.  :)

] 1) The OS/software/default settings for a lot of internet connected
] machines are weak, making it easy to attack from multiple locations.

Yep, quite true.  Vulnerable hosts are a commodity, not a scarce
resource.  There are 728958 entries in my hacked device database
since 01 JAN 2003 that attest to this fact.

] 2) A lot of networks have no customer or egress filtering and make it a
] lot more difficult to trace DDoS traffic because it generally uses faked
] source addresses.

I've tracked 1787 DDoS attacks since 01 JAN 2003.  Of that number,
only 32 used spoofed sources.  I rarely see spoofed attacks now.
When a miscreant has 140415 bots (the largest botnet I've seen
this year), spoofing the source really isn't a requirement.  :|

Filtering the bogons does help, and everyone should perform
anti-spoofing in the appropriate places.  It isn't, however, a
silver bullet.

Thanks,
Rob.
-- 
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);




Re: WANTED: ISPs with DDoS defense solutions

2003-07-30 Thread Gary E. Miller

Yo Omachonu!

I guess you have not read Kevin Mitnick's new book yet.  Better read
it before you make more statements like this.

RGDS
GARY
---
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
[EMAIL PROTECTED]  Tel:+1(541)382-8588 Fax: +1(541)382-8676

On Wed, 30 Jul 2003, Omachonu Ogali wrote:

> But in the telco world, how often do you have people's home phones
> trojanned and directed to 'DoS' another company? To pull that off
> with great magnitude, you need a whole lot of coordinated access
> to the physical plant, which is either impossible or extremely
> noticeable.


Re: WANTED: ISPs with DDoS defense solutions

2003-07-30 Thread Mike Tancsa
At 10:37 PM 30/07/2003 +, Christopher L. Morrow wrote:

> Sure, trace my attacks to the linux box at UW, I didn't spoof the flood
> and you can prove I did the attacking how?

You can at least TRY and see where the controlling traffic stream is
originating from.   i.e. if crap is coming out of box X, all the effort is
spent on dealing with the spew coming from X through clever filtering and
null routing, rather than trying to figure out who is controlling X.  Good
grief, is it really that difficult to put on an acl to log inbound tcp
setup connections to the attacking host ?

"Proof" in a legal sense is probably impossible if it's some kid in Kiev and
highly cost prohibitive if it's some kid in Boston and you are in New
York.  But you know what, the odds are it is from a western country and
odds are it's not some politically motivated attack, it's some emboldened kid
due to the anonymity of the Internet, pissed off that someone questioned
his manhood on IRC and decides to take it out via some ego enlarging
attack. In the cases we have dealt with where it was one of our customers,
contacting the parents and explaining that what was being done was against
the law, was enough to stop the kid from continuing.   Even when the
attacker was an adult, talking to the person, explaining it's against our
AUP and against the law was, in our cases, enough to stop the person. It's
amazing how compliant and timid [EMAIL PROTECTED] becomes when you
talk to [EMAIL PROTECTED]

Are all these incidents bored teenage kids ? No.  But I would put money on
it the majority are.  Really, how many of the very  clever hackers you know
are involved in DDoS attacks ?

> You can't because I and 7 other
> hackers all are fighting each other over ownership of the poor UW student
> schlep's computer...

Great, so of the 7 inbound streams, what effort is it to identify the IP
address ? In our case

ipfw add 20 count log tcp from any to x.x.x.x setup

will it always work ? no.  But it will catch more attackers than clever
routing and filtering, as that just copes with the issue and does nothing
to deal with it.

> The problem isn't the network, nor the filtering/lack-of-filtering, it's a
> basic end host security problem.

I would say all have some responsibility.  It's not just an end user
problem, it's not just a network operator problem.  I would say a DDoS would
violate everyone's AUP on this list no ?  If you choose to not enforce your
AUP, how are you not responsible ?  This is like the cops saying, "people
are going to drive drunk and do stupid things. We can't stop them from
doing this, so we give up"

> Until that is resolved, the ability of
> attackers to own boxes in remote locations and use them for malfeasance
> will continue to haunt us. I would guess that the other owners of the
> machines attacking Mike (assuming they got the emails he sent...

I sent email to the listed abuse contacts first. If that bounced (as it did
with several Korean networks) I contacted the AS, or RADB contacts. I even
contacted the APNIC registrar to inform them that all contacts bounced for
one of the Korean ISPs. I then asked a Korean friend to look around the
website for a "real person" and emailed that address.  But the majority of
the infected hosts were (surprise, surprise) in the largest networks e.g.
AT&T, TW, Comcast, colo providers, and other resi broadband providers in
Japan, Korea and Canada.  Not because they have the lion's share of dumb
users, but because they have the lion's share of users period.  Almost all
had auto-responders saying "if spam, email here, if network abuse, email
here"... If it was a different address, I then re-sent the complaints to
the address instructed.

> big
> assumption) probably said: "Great another person getting attacked from
> that joker's win2k machine, hurray:(" and moved on about their business.

We don't do this. If a customer host is infected with virus/worm or is used
in an attack, we contact the customer. If they don't do anything or choose
to ignore us, we cut them off.

> I'm all for raising the bar on attackers and having end networks implement
> proper source filtering, but even with that 1000 nt machines pinging 2
> packets per second is still enough to destroy a T1 customer, and likely
> with 1500 byte packets a T3 customer as well. You can't stop this without
> addressing the host security problem...

And kids will continue to attack / cause problems with impunity when there
are no consequences for their actions.  If network operators would enforce
their AUPs, I think we would go a long way to reduce these types of
headaches.  This starts with putting *some* effort into identifying the
controlling source.

---Mike 
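
One way to work through what the `ipfw add 20 count log tcp from any to x.x.x.x setup` rule in the message above records, as an added example that is not part of the original post: it tallies which outside addresses opened TCP connections to the attacking host, on which ports and when. The log line layout, the host name `gw`, the interface `fxp0`, the function name and the documentation-range addresses (192.0.2.77 standing in for x.x.x.x) are assumptions, and the sample log is constructed.

```python
import re
from datetime import datetime

# Assumed syslog layout for an ipfw "log" rule, e.g.
#   Jul 30 21:58:41 gw kernel: ipfw: 20 Count TCP 198.51.100.23:3345 192.0.2.77:22 in via fxp0
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s\S+\skernel:\sipfw:\s"
    r"(?P<rule>\d+)\s(?P<action>\w+)\sTCP\s"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s(?P<dst>[\d.]+):(?P<dport>\d+)\s"
    r"(?P<dir>in|out)\svia\s(?P<ifname>\S+)"
)
# syslogd folds identical consecutive lines into this form.
REPEAT_RE = re.compile(r"last message repeated (\d+) times?")

# Constructed sample log; 192.0.2.77 plays the compromised host.
SAMPLE_LOG = """\
Jul 30 21:58:41 gw kernel: ipfw: 20 Count TCP 198.51.100.23:3345 192.0.2.77:22 in via fxp0
Jul 30 21:59:02 gw kernel: ipfw: 20 Count TCP 203.0.113.9:1042 192.0.2.77:40022 in via fxp0
Jul 30 21:59:02 gw last message repeated 2 times
Jul 30 22:03:17 gw kernel: ipfw: 20 Count TCP 198.51.100.23:3391 192.0.2.77:22 in via fxp0
Jul 30 22:03:40 gw kernel: ipfw: 65000 Deny UDP 203.0.113.200:53 192.0.2.77:1025 in via fxp0
Jul 30 22:04:11 gw kernel: ipfw: 20 Count TCP 203.0.113.9:1107 192.0.2.77:40022 in via fxp0
Jul 30 22:05:30 gw sshd[411]: unrelated daemon message
Jul 30 22:05:31 gw last message repeated 5 times
"""


def setup_sources(lines, target, rule=20, year=2003):
    """Summarise inbound TCP setups to `target` logged by ipfw rule `rule`.

    Returns one dict per source address, busiest first. Syslog timestamps
    carry no year, so `year` is supplied by the caller.
    """
    stats = {}
    prev = None  # entry for the last matching line, so repeats can be folded in
    for raw in lines:
        line = raw.strip()
        m = LOG_RE.search(line)
        if m:
            if int(m["rule"]) != rule or m["dst"] != target or m["dir"] != "in":
                prev = None
                continue
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            entry = stats.setdefault(
                m["src"],
                {"src": m["src"], "count": 0, "first": ts, "last": ts, "dports": set()},
            )
            entry["count"] += 1
            entry["first"] = min(entry["first"], ts)
            entry["last"] = max(entry["last"], ts)
            entry["dports"].add(int(m["dport"]))
            prev = entry
            continue
        r = REPEAT_RE.search(line)
        if r and prev is not None:
            prev["count"] += int(r.group(1))  # repeats of a line we counted
        else:
            prev = None  # unrelated line, or repeats of one we skipped
    return sorted(stats.values(), key=lambda e: (-e["count"], e["first"]))


if __name__ == "__main__":
    for e in setup_sources(SAMPLE_LOG.splitlines(), "192.0.2.77"):
        ports = ",".join(str(p) for p in sorted(e["dports"]))
        print(f"{e['src']:15} setups={e['count']:<3} ports={ports:8} "
              f"first={e['first']:%H:%M:%S} last={e['last']:%H:%M:%S}")
```

Each address in the result is only a lead: with several parties contending for the same host, as the quoted message describes, the list may contain more than one controller as well as ordinary clients.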



Re: WANTED: ISPs with DDoS defense solutions

2003-07-30 Thread Omachonu Ogali

But in the telco world, how often do you have people's home phones
trojanned and directed to 'DoS' another company? To pull that off
with great magnitude, you need a whole lot of coordinated access
to the physical plant, which is either impossible or extremely
noticeable. But in a scenario like that, if a telco user gets their
access canned, it's most likely because the telco user themself was
abusing their privileges, not getting abused by some random fool
attacking another user/company via their facilities just to swing
their nuts around anonymously.

But don't get it twisted, I agree with your idea of cooperation and
tracking but this is like chasing suicide bombers. You can kill a
drone or two or fifty, but new ones will pop up in their place. You
can kill the drone controller, but the drones will continue to
execute their mission as they were doing before, but now, without
any method or controller to tell them to stop attacking.

Not to mention, by cutting off the drone's Internet access, regular
users get caught in the crosshairs of the drone hunters. At the
same time, if you tell a user their computer is trojanned, but you
would like to bait it to catch the culprit, they'll get worried
about their personal data and either go on a formatting campaign,
or abandon the computer altogether (trashing it, selling it, giving
it away, etc).

I think one way to definitely help is by user education. ISPs should
kick out newsletters or advisories to their users, informing them of
the latest scam, spam, or exploit and how to protect themselves from
it or how to determine if the user is a victim of the exploit in
question. This is where telcos (with fraud departments) are usually
successful, every now and then you'll get some sort of info on the
latest trend to watch out for. You either get it directly from the
telco, or from some other 3rd party source that got it from the
telco or another person (examples: news, community bulletins, office
e-mails, etc). Too often do new users get brand spanking new Internet
access, and maybe a trial version of anti-virus software and the ISP
calls it a day, then the user is left to wander through the
wilderness.

Another big plus is network cooperation. Too often have attacks gone
unnoticed until someone becomes a target of the DoS and then throws
a fit over how no one is doing anything. (No, I'm not singling anyone
out). Granted, the general response to Slammer was better than usual,
but how often do companies with small T1 customers getting smacked
with 10-200Mbps get to prosecute or even at the least, identify the
attacker before, during, or after the filtering?

Let me stop now, this e-mail is way too long.


Re: WANTED: ISPs with DDoS defense solutions

2003-07-30 Thread Christopher L. Morrow


On Wed, 30 Jul 2003 [EMAIL PROTECTED] wrote:

>
> On Wed, 30 Jul 2003, Mike Tancsa wrote:
>
> > I recall one of our users was involved in a DoS once a few years back
> > when the "giant pings" could crash MS boxes. The fact that his perceived
> > anonymity was removed was enough to keep him from repeating his
> > attacks
>
> If these issues are addressed then it becomes a lot harder to remain
> anonymous and starting DDoS attacks against targets that can trace you
> becomes a lot less attractive.
>

Sure, trace my attacks to the linux box at UW, I didn't spoof the flood
and you can prove I did the attacking how? You can't because I and 7 other
hackers all are fighting each other over ownership of the poor UW student
schlep's computer...

The problem isn't the network, nor the filtering/lack-of-filtering, it's a
basic end host security problem. Until that is resolved, the ability of
attackers to own boxes in remote locations and use them for malfeasance
will continue to haunt us. I would guess that the other owners of the
machines attacking Mike (assuming they got the emails he sent... big
assumption) probably said: "Great another person getting attacked from
that joker's win2k machine, hurray:(" and moved on about their business.
They know that they can't get the end user to secure their machine and
they know that if they get him/her to reload the OS or 'clean' it of the
'virus' the problem will arise anew within 17 minutes :(

I'm all for raising the bar on attackers and having end networks implement
proper source filtering, but even with that 1000 nt machines pinging 2
packets per second is still enough to destroy a T1 customer, and likely
with 1500 byte packets a T3 customer as well. You can't stop this without
addressing the host security problem...

> Cheers,
>
> Rich
>


Re: WANTED: ISPs with DDoS defense solutions

2003-07-30 Thread variable

On Wed, 30 Jul 2003, Mike Tancsa wrote:

> I recall one of our users was involved in a DoS once a few years back
> when the "giant pings" could crash MS boxes. The fact that his perceived
> anonymity was removed was enough to keep him from repeating his
> attacks

That's the heart of the problem.  Anyone who's owned enough boxes can sit 
there happily running a DDoS anonymously against a target because:

1) The OS/software/default settings for a lot of internet connected 
machines are weak, making it easy to attack from multiple locations.

2) A lot of networks have no customer or egress filtering and make it a 
lot more difficult to trace DDoS traffic because it generally uses faked 
source addresses.

If these issues are addressed then it becomes a lot harder to remain 
anonymous and starting DDoS attacks against targets that can trace you 
becomes a lot less attractive.

Cheers,

Rich



Re: WANTED: ISPs with DDoS defense solutions

2003-07-30 Thread Mike Tancsa
At 03:19 PM 30/07/2003 -0400, Jared Mauch wrote:
> On Wed, Jul 30, 2003 at 02:43:16PM -0400, Mike Tancsa wrote:
> >
> > At 10:58 AM 30/07/2003 -0400, Jared Mauch wrote:
> >
> > >If someone abuses the PSTN, or other networks they eventually
> > >will get their service terminated.  If people abuse their access by
> > >launching DoS attacks, we need to catch them and get their access
> >
> > Gee, wouldn't that be nice.  Having personally dealt with one that had ~ 500
> > hosts involved on several dozen networks, I can confirm that of all the
> > repeated pleas for help to said networks to track down the controlling
> > party, I had a grand total of ONE (yes, 1 as in one above zero) who
> > actually responded with a response beyond the auto-responders And that
> > was to let me know that the user in question had already formatted their
> > hard drive before the admin could see what was on the machine and who might
> > have been controlling the machine.
> >
> > It took several _weeks_ for all the attacking hosts to be killed off with
> > several reminder messages to various networks.  So I don't hold much
> > optimism for actually tracking down the actual attacker.
>
> While I can have sympathy for this situation, you removed my
> argument about the "DoS and forget".


I understand the point you are making, but I am speaking just to the side 
comment you made, "we need to catch them and get their access."  I totally 
agree with you.  But based on my recent experiences with organizational 
responses, it seems NO ONE agrees with it in practice.

It seems all the discussion around DDoSes center on ways of coping with 
DDoSes, or mitigating the effects and not making 'the solutions worse than 
the problem.'  However, there does not seem to be enough discussion and 
effort in to catching and prosecuting the people doing it.  I would be at 
least happy with the "catching part."  I recall one of our users was 
involved in a DoS once a few years back when the "giant pings" could crash 
MS boxes. The fact that his perceived anonymity was removed was enough to 
keep him from repeating his attacks

---Mike 



Re: WANTED: ISPs with DDoS defense solutions

2003-07-30 Thread Jared Mauch

On Wed, Jul 30, 2003 at 02:43:16PM -0400, Mike Tancsa wrote:
> 
> At 10:58 AM 30/07/2003 -0400, Jared Mauch wrote:
> 
> >If someone abuses the PSTN, or other networks they eventually
> >will get their service terminated.  If people abuse their access by
> >launching DoS attacks, we need to catch them and get their access
> 
> Gee, wouldn't that be nice.  Having personally dealt with one that had ~ 500 
> hosts involved on several dozen networks, I can confirm that of all the 
> repeated pleas for help to said networks to track down the controlling 
> party, I had a grand total of ONE (yes, 1 as in one above zero) who 
> actually responded with a response beyond the auto-responders And that 
> was to let me know that the user in question had already formatted their 
> hard drive before the admin could see what was on the machine and who might 
> have been controlling the machine.
> 
> It took several _weeks_ for all the attacking hosts to be killed off with 
> several reminder messages to various networks.  So I don't hold much 
> optimism for actually tracking down the actual attacker.

While I can have sympathy for this situation, you removed my
argument about the "DoS and forget".

Let's say I am running www.example.com.

I have it load-shared across a series of 5-10 machines, and
they all get DoS attacked via some worm, etc.. (ala the www1.whitehouse.gov)
with a large set of traffic.

I can't just deem that IP unusable on my ARIN justification and
have my providers absorb the cost of the traffic at zero cost to me or
them.  (well, unless they're getting the traffic on a customer link
and want to continue billing at that bandwidth overage rate ;-) )

The router ports my upstream has invested (for peering) and 
circuits for their network have a cost.

If an attack lasts 10 minutes, yes, the blackhole is easy
to move, but what if it is coded to follow dns entries, honor ttl,
and continue to pound on devices.

You can't just submit a route/form/whatnot to your provider
and have them leave in a null0/discard route indefinitely.

I'm sorry you had poor luck tracking them down, but without
the providers putting the access controls necessary to prevent the
route-leak misconfiguration, I don't want to think about the instability
you (or others) are speaking of introducing if there is the ability
to distribute a null0 route to your upstream and accidentally leak
it.  

(sorry LINX members but ..)

You should see the number of people who post to the LINX ops
list a month saying "whoops, we leaked routes, can you clear your
max prefix counters?"

Imagine someone accidentally leaking your routes to their
upstream and tagging them with the community due to misconfiguration.

- Jared

> >terminated.  It's a bit harder to trace than PSTN (or other networks)
> >but I feel of value to do so.
> >
> >- Jared
> >
> >--
> >Jared Mauch  | pgp key available via finger from [EMAIL PROTECTED]
> >clue++;  | http://puck.nether.net/~jared/  My statements are only mine.

-- 
Jared Mauch  | pgp key available via finger from [EMAIL PROTECTED]
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.


FW: User negligence?

2003-07-30 Thread Genzoli, William

Which goes back to the root of the *real* problem here. Banks are mainly
concerned with physical security. Internet security has always been handled
as more of an afterthought and mainly for reasons of due diligence. The real
problem is the banks have a known security flaw with a simple password login
for account access. That, as has been discussed here, is a significant flaw
in the overall design of what should be a secure system and access method.

The underlying issue here is that the bank, who should be the subject
matter expert, clearly is not. They offer one way, and one way only to
access, arguably, our most sacred information. Furthermore, they offer very
little, if any, training to their clients, the end-user. A quick thirty
second blurb is not due diligence for an organization that values its
customers.

The bottom line is if they offered a SecurID sort of setup, or any other of
a number of methods out there that *would* circumvent a key logger or
similar hack, the customer would more times than not, comply. Even at the
customer's expense. Customers may not be technically savvy overall, but they
value their own money above even the bank. If it's explained that the added
cost/benefit is there, and is a real, tangible issue, a ten or twenty dollar
nominal fee is just that, nominal.

Until banks realize this, they are undoubtedly and unequivocally at fault.

Bill G.

-----Original Message-----
From: Peter Galbavy [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 28, 2003 3:13 AM
To: ken emery; North American Noise and Off-topic Gripes
Subject: Re: User negligence?



ken emery wrote:
> I'm not sure what needs to be done, but the security as now
> implemented
> is not even close to enough IMHO.  Networkwise (to bring this back on
> topic) I'm not sure there is really much that can be done.

Don't forget the desperate need for user *and* staff education. I have now
multiple times got calls from my bank asking to discuss my account. Could I
just verify my details ? they asked. Er, you first, I said. They didn't get
it. They didn't understand why, as someone who is lightly paranoid and
understands more about security than they do, I was concerned that they
couldn't prove they were from the bank...

Peter



Re: WANTED: ISPs with DDoS defense solutions

2003-07-30 Thread Mike Tancsa
At 10:58 AM 30/07/2003 -0400, Jared Mauch wrote:

> If someone abuses the PSTN, or other networks they eventually
> will get their service terminated.  If people abuse their access by
> launching DoS attacks, we need to catch them and get their access

Gee, wouldn't that be nice.  Having personally dealt with one that had ~ 500
hosts involved on several dozen networks, I can confirm that of all the
repeated pleas for help to said networks to track down the controlling
party, I had a grand total of ONE (yes, 1 as in one above zero) who
actually responded with a response beyond the auto-responders And that
was to let me know that the user in question had already formatted their
hard drive before the admin could see what was on the machine and who might
have been controlling the machine.

It took several _weeks_ for all the attacking hosts to be killed off with
several reminder messages to various networks.  So I don't hold much
optimism for actually tracking down the actual attacker.

---Mike

> terminated.  It's a bit harder to trace than PSTN (or other networks)
> but I feel of value to do so.
>
> - Jared
>
> --
> Jared Mauch  | pgp key available via finger from [EMAIL PROTECTED]
> clue++;  | http://puck.nether.net/~jared/  My statements are only mine.



Re: North America not interested in IP V6

2003-07-30 Thread Bill Owens
At 13:59 +0200 7/30/03, Marcel Lemmen wrote:
> Well, now we are talking about IPv6, I can ask a question right here ;)
>
> Does anyone have any experiences with the Cisco IPv6 IOS (T or S
> releases)? Can be either good or bad experiences. I heard there were some
> issues (router freezes etc) with the T releases...

We've been running 12.2(n)T for the past two years, always with both 
IPv4 multicast and IPv6 turned on. v6 support has always been good. 
We had problems early on with multicast bugs, including some that 
seemed to have been reintroduced into that train, but those have been 
squashed. And recent versions have improved v6 performance, at least 
on the 72xx and 75xx platforms (I haven't tested anything else).

Our current standard version is 12.2(15)T5 and we have no outstanding 
issues with it. Our customers who use v6 are running T train and 
12.3(1) on 75xx/72xx, and 12.0 S train on 12xxx. They all run v4 
multicast as well. I've a test router on 12.3(1a) and it seems OK, 
but no extensive testing yet.

BTW, we're an R&E network, not a commercial ISP, so we have different 
goals and different operational requirements. . .

Bill.
--
Bill Owens
Manager, Network Development
NYSERNet


Re: Transformer takes out datacenter (Reno, NV)?

2003-07-30 Thread Scott Call

On Wed, 30 Jul 2003, Bruce Robertson wrote:

> Power was indeed off to the entire building, and ATG's generator was involved
> in the explosion, so kudos to ATG and Worldcom for having enough batteries
> to last the night.
>

Hi Bruce-

Just a clarification, but ATG's generator was not involved in the
transformer explosion.  The fire department cut off all the generators in
the building for safety sake and would not let us turn them back on until
they made sure they wouldn't backfeed/cause more problems, so we were
stuck on battery until they cleared us (which makes sense, we certainly
don't want to cause more problems).  It was about 7:30 when we were
allowed to turn back on the generator.

For those who don't know, 200 South Virginia in Reno is one of the
few (if not only) "carrier hotel" in Reno, it has ATG, SBC, MCI, as well
as several local ISPs in it.  It also has (or had) a Genuity pop, although
I don't know if they're still there or not.

www.rgj.com has a few pictures of the building.

-Scott
ATG




Re: North America not interested in IP V6

2003-07-30 Thread Jared Mauch

On Wed, Jul 30, 2003 at 10:21:03AM -0700, Jeremy T. Bouse wrote:
> 
>   At work we implemented 12.2(T) on our IPv6 routers and there were some
> problems, can't recall specifics now, that meant we did do several IOS
> upgrades to try and fix. Now we have just finished upgrading to 12.3 on
> all our routers network-wide and only have the IPv6 functions turned on
> for those routers we have IPv6 traffic going through...
> 
> > Well, now we are talking about IPv6, I can ask a question right here ;)
> > 
> > Does anyone have any experiences with the Cisco IPv6 IOS (T or S
> > releases)? Can be either good or bad experiences. I heard there were some
> > issues (router freezes etc) with the T releases...
> > 
> > Have to convince the management :)


I've had very good luck with 12.2(14)S3 on the 7200
devices.

I can't currently recommend any software for the 7500
if you have a CT3 interface in your router (as most of the
ones I manage do) that supports IPv6.

The next Cisco release of 12.2S (it will likely be
called 12.2(18)S should have all the important IPv6 features
that would be necessary for a larger scale deployment (eg: OSPFv3)
of IPv6 services.

If you're a customer of AS2914 and interested in
IPv6, you should send us a note [EMAIL PROTECTED], and we can
get things configured fairly quickly.

I am seeing at peak 1Mb+ on some of our IPv6 locations
(mostly outside the US) but the trend does appear to be upwards.

I know that other providers (Sprint, Hurricane Electric [i keep
getting those yellow postcards at home], to name a few) have IPv6
services currently available to customers.  It seems fairly
easy to get a /48 allocation, so if you think you might go IPv6
in the next few years, it's worthwhile to set up a spare 26xx/36xx
at least to tunnel the traffic with.

(I have also had good results with 12.3(1a) releases).

- Jared

-- 
Jared Mauch  | pgp key available via finger from [EMAIL PROTECTED]
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.


Re: Transformer takes out datacenter (Reno, NV)?

2003-07-30 Thread Bruce Robertson

Actually, most of the data center was working just fine.  Advanced Telcom
Group was up and running (probably on battery), and MCI/Worldcom stayed
up as well.  We have a T3 going through that building to Worldcom, and it
stayed up all night.  A couple of the smaller ISPs were off the air all
night, though.

Power was indeed off to the entire building, and ATGs generator was involved
in the explosion, so kudos to ATG and Worldcom for having enough batteries
to last the night.

> After being informed that my website was unreachable from
> a few people, I verified that I couldn't query the DNS
> servers for it.  I waited a few hours and they still didn't
> respond.  A call to my domain registrar (who runs the DNS)
> was answered by an machine.  A call to the home of the DNS
> admin was answered.  He said that apparently a transformer
> had blown up in or near a datacenter near Reno and, basically,
> that nothing was working.  AFAICT, the datacenter itself had
> no connectivity to the Internet at large and everything there
> was inaccessible.  He said he'd heard three different times
> that things were supposed to be fixed:  Midnight, 2am, and
> 6am (GMT-8).
> 
> Does anybody have any more (detailed) information on this?
> 
> Thanks,
> j.
> 
> -- 
> Jeremy L. Gaddis   <[EMAIL PROTECTED]>
> 
> 
> 
> 

--
Bruce Robertson, President/CEO   +1-775-348-7299
Great Basin Internet Services, Inc. fax: +1-775-348-9412
http://www.greatbasin.net




Re: North America not interested in IP V6

2003-07-30 Thread Jeremy T. Bouse

At work we implemented 12.2(T) on our IPv6 routers and there were some
problems, can't recall specifics now, that meant we did do several IOS
upgrades to try and fix. Now we have just finished upgrading to 12.3 on
all our routers network-wide and only have the IPv6 functions turned on
for those routers we have IPv6 traffic going through...

Regards,
Jeremy

On Wed, Jul 30, 2003 at 01:59:18PM +0200, Marcel Lemmen wrote:
> 
> 
> Well, now we are talking about IPv6, I can ask a question right here ;)
> 
> Does anyone have any experiences with the Cisco IPv6 IOS (T or S
> releases)? Can be either good or bad experiences. I heard there were some
> issues (router freezes etc) with the T releases...
> 
> Have to convince the management :)
> 
> With kind regards,
> 
> Marcel Lemmen
> Support Net - Partner in Managed Internet Solutions
> 
> --= Try http://alt.binaries.nl =--
> 
> --- The previous message was something like this: ---
> 
> !>Date: Wed, 30 Jul 2003 13:12:38 +0200
> !>From: Alexander Koch <[EMAIL PROTECTED]>
> !>To: Neil J. McRae <[EMAIL PROTECTED]>
> !>Cc: "Nipper, Arnold" <[EMAIL PROTECTED]>,
> !> Peter Galbavy <[EMAIL PROTECTED]>, Roy <[EMAIL PROTECTED]>,
> !> [EMAIL PROTECTED]
> !>Subject: Re: North America not interested in IP V6
> !>
> !>
> !>Neil, all,
> !>
> !>On Wed, 30 July 2003 11:58:34 +0100, Neil J. McRae wrote:
> !>> > Here at DE-CIX (www.de-cix.net) I can see that more and more ISP are joining
> !>> > the IPv6 trial (http://www.de-cix.net/info/decix-ipv6/) . Currently already
> !>> > 20% of all ~120 ISP at DE-CIX have IPv6 enabled.
> !>>
> !>> I'd be more interested in seeing how many customer connections
> !>> are using IPV6.
> !>
> !>in fact we (Tiscali) have three customers in Europe that
> !>have their own /32 and are running v6 in parallel to v4, and
> !>we do transit for them. I do not like that 'full table
> !>everywhere' thing at all which is still way too common in
> !>Europe, it does not help pushing v6.
> !>
> !>Regards,
> !>Alexander
> !>
> !>(AS-TISCALI-V6PEERS for whom it may concern)
> !>


Re: North America not interested in IP V6

2003-07-30 Thread Marshall Eubanks

On Wed, 30 Jul 2003 11:58:34 +0100 (BST)
 [EMAIL PROTECTED] (Neil J. McRae) wrote:
> 
> > Here at DE-CIX (www.de-cix.net) I can see that more and more ISP are joining
> > the IPv6 trial (http://www.de-cix.net/info/decix-ipv6/) . Currently already
> > 20% of all ~120 ISP at DE-CIX have IPv6 enabled.
> 
> I'd be more interested in seeing how many customer connections
> are using IPV6.
> 

This question came up in discussions at IETF-57, without a good answer. 

As some of you may know,
I keep track of various metrics concerning multicast (displayed at
http://www.multicasttech.com/status ). 
Does anyone do anything similar for IPv6 ? The only thing I am aware
of is in the I2 netflows, http://netflow.internet2.edu/weekly/ ,
which lately shows < a tenth of a % of Abilene traffic as IPv6.
Is there any more systematic IPv6 measurement work ?

Regards
Marshall Eubanks

> Regards,
> Neil.



RE: North America not interested in IP V6

2003-07-30 Thread Michel Py

> Does anyone have any experiences with the Cisco IPv6 IOS
> (T or S releases)? Can be either good or bad experiences.
> I heard there were some issues (router freezes etc) with
> the T releases...

In my experience with 12.2(T) the issues were not related to IPv6; I
have been running it for two years for IPv6 peering.  V6 is now part of
12.3 (non-T) anyway. On mid-range platforms (72xx) the IPv6 performance
is sucky compared to IPv4 (which is why lots of people I know have
separate routers for v6) but on 25xx/26xx/36xx no difference.

Michel.



Re: WANTED: ISPs with DDoS defense solutions

2003-07-30 Thread Jared Mauch

On Tue, Jul 29, 2003 at 04:33:28PM -0700, Lane Patterson wrote:
[ obnoxious text wordwrapped :) ]
> 
> We have some DDoS-sensitive customers asking us to refer them to the 
> best ISPs for "in-the-core" DDoS defense.  Other than UUnet (hi Chris!) 
> and MFN, I'm not aware of any ISPs in North America developing a 
> reputation for consistent DDoS defense.  Could folks contact me either 
> off-list or on-list?
> 
> It seems that large content providers and Tier2/3 bandwidth buyers 
> would do well to collaborate on group RFP's for this type of thing 
> to send the message to ISPs it is something to invest in (dare I 
> say productize?).  While UUnet's detection/blocking is great, it 
> would be wonderful to see some more intelligent filtering of DDoS 
> traffic ala RiverHead or similar approach that doesn't completely 
> blackhole victim IPs.

Well, there are a few things/issues here.

One is the "security" of such filtering.  As many times as
it's come up here saying "Filter your customers, it's important", how
many people out there have a strict policy for filtering them?
Would you want these same customers and providers that can not
get the filtering right in the first place to have the ability to
accidentally (or intentionally) leak a blackhole route to
your larger network?  Yes, there is the ability to log bgp
updates to have accountability amongst other things, but the
more serious issue is that people are not doing effective filtering
[of announcements] in the first place.

As far as I can tell these days, the US depends on
the Internet to be a utility.  Always-on, and there is (for the most
part) sufficient interconnection that the choice between the top few
providers isn't as much a technical decision, but more of a financial
one.  (There is no need to connect to MCI, Sprint and UUNet each to
avoid the peering congestion points as in the past).

Equinix itself is demonstrating this with your "change providers
monthly" service that you offer.

I think it will be some time before there will be
adoption of this across most of the networks.  We want people to contact
our security team instead of "blackhole and forget" type solutions.

If someone abuses the PSTN, or other networks they eventually
will get their service terminated.  If people abuse their access by
launching DoS attacks, we need to catch them and get their access
terminated.  It's a bit harder to trace than PSTN (or other networks)
but I feel of value to do so.

- Jared

-- 
Jared Mauch  | pgp key available via finger from [EMAIL PROTECTED]
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.
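
An added example, not part of the original thread: one way to apply the announcement filtering discussed above before honouring a customer-triggered blackhole route, with a log record per update for accountability. The ASNs, prefixes, the community value `64496:666` and the length limits are constructed assumptions, not any provider's actual policy.

```python
import ipaddress

# Constructed registry (assumption): customer ASN -> prefixes it may announce.
CUSTOMER_PREFIXES = {
    64500: ["192.0.2.0/24", "2001:db8:100::/40"],
    64501: ["198.51.100.0/24"],
}
BLACKHOLE_COMMUNITY = "64496:666"    # hypothetical provider community
BLACKHOLE_MIN_LEN = {4: 32, 6: 128}  # assumed policy: blackhole host routes only
NORMAL_MAX_LEN = {4: 24, 6: 48}      # assumed policy: longest normal announcement


def evaluate(peer_as, prefix, communities=()):
    """Return (action, reason) for one customer BGP announcement."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return ("reject", "malformed prefix")

    # The prefix must sit inside space registered to the announcing customer;
    # this is the check that stops a customer blackholing someone else's address.
    allowed = [ipaddress.ip_network(p) for p in CUSTOMER_PREFIXES.get(peer_as, [])]
    covered = any(a.version == net.version and net.subnet_of(a) for a in allowed)
    if not covered:
        return ("reject", "prefix not registered to this customer")

    if BLACKHOLE_COMMUNITY in communities:
        # A broad blackhole (e.g. the whole /24) is more likely a mistake
        # than a deliberate request, so only host routes are honoured.
        if net.prefixlen < BLACKHOLE_MIN_LEN[net.version]:
            return ("reject", "blackhole request too broad")
        return ("blackhole", "customer-owned host route")

    if net.prefixlen > NORMAL_MAX_LEN[net.version]:
        return ("reject", "too specific without blackhole community")
    return ("accept", "within registered prefix")


def audit(updates):
    """Evaluate each update and return one log record per update."""
    log = []
    for peer_as, prefix, communities in updates:
        action, reason = evaluate(peer_as, prefix, communities)
        tags = ",".join(communities) or "-"
        log.append(f"AS{peer_as} {prefix} [{tags}] -> {action}: {reason}")
    return log


# Constructed sample updates: (peer ASN, prefix, communities).
SAMPLE_UPDATES = [
    (64500, "192.0.2.0/24", ()),                            # normal route
    (64500, "192.0.2.55/32", (BLACKHOLE_COMMUNITY,)),       # valid blackhole
    (64501, "192.0.2.55/32", (BLACKHOLE_COMMUNITY,)),       # not their space
    (64500, "192.0.2.0/24", (BLACKHOLE_COMMUNITY,)),        # too broad
    (64500, "2001:db8:100::1/128", (BLACKHOLE_COMMUNITY,)), # valid IPv6 blackhole
    (64500, "192.0.2.128/25", ()),                          # too specific
    (64999, "203.0.113.0/24", ()),                          # unknown customer
]

if __name__ == "__main__":
    for line in audit(SAMPLE_UPDATES):
        print(line)
```
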


Re: North America not interested in IP V6

2003-07-30 Thread Stephen J. Wilcox

Hi Marcel,
 I tried 12.2(?)T last year and had problems, I put that down to problems in the 
12.2T IOS tho not specific to v6.

I'm currently running 12.2S on a couple routers, ipv6 is not enabled yet but 
the IOS's have behaved well so far... the next step is to check it with ipv6 on

Steve


On Wed, 30 Jul 2003, Marcel Lemmen wrote:

> 
> 
> Well, now we are talking about IPv6, I can ask a question right here ;)
> 
> Does anyone have any experiences with the Cisco IPv6 IOS (T or S
> releases)? Can be either good or bad experiences. I heard there were some
> issues (router freezes etc) with the T releases...
> 
> Have to convince the management :)
> 
> With kind regards,
> 
> Marcel Lemmen
> Support Net - Partner in Managed Internet Solutions
> 
> --= Try http://alt.binaries.nl =--
> 
> --- The previous message was something like this: ---
> 
> !>Date: Wed, 30 Jul 2003 13:12:38 +0200
> !>From: Alexander Koch <[EMAIL PROTECTED]>
> !>To: Neil J. McRae <[EMAIL PROTECTED]>
> !>Cc: "Nipper, Arnold" <[EMAIL PROTECTED]>,
> !> Peter Galbavy <[EMAIL PROTECTED]>, Roy <[EMAIL PROTECTED]>,
> !> [EMAIL PROTECTED]
> !>Subject: Re: North America not interested in IP V6
> !>
> !>
> !>Neil, all,
> !>
> !>On Wed, 30 July 2003 11:58:34 +0100, Neil J. McRae wrote:
> !>> > Here at DE-CIX (www.de-cix.net) I can see that more and more ISP are joining
> !>> > the IPv6 trial (http://www.de-cix.net/info/decix-ipv6/) . Currently already
> !>> > 20% of all ~120 ISP at DE-CIX have IPv6 enabled.
> !>>
> !>> I'd be more interested in seeing how many customer connections
> !>> are using IPV6.
> !>
> !>in fact we (Tiscali) have three customers in Europe that
> !>have their own /32 and are running v6 in parallel to v4, and
> !>we do transit for them. I do not like that 'full table
> !>everywhere' thing at all which is still way too common in
> !>Europe, it does not help pushing v6.
> !>
> !>Regards,
> !>Alexander
> !>
> !>(AS-TISCALI-V6PEERS for whom it may concern)
> !>
> 



New IPv6 block allocated to RIPE NCC

2003-07-30 Thread leo vegoda
Dear Colleagues,

The RIPE NCC received the IPv6 address range 2001:1600::/23
from the IANA in July 2003.
You may wish to adjust any filters you have in place accordingly.

More information on the IP space administered by the RIPE NCC
can be found on our web site at:
   

Kind regards,

--
leo vegoda
RIPE NCC
Registration Services Manager


Re: Transformer takes out datacenter (Reno, NV)?

2003-07-30 Thread Sean Donelan


http://www.rgj.com/news/stories/html/2003/07/29/48134.php?sp1=rgj&sp2=News&sp3=Local+News

Explosion rocks Reno office building

By Elaine Goodman, Carla Roccapriore and Marilyn Newton
RENO GAZETTE-JOURNAL
7/29/2003 09:19 pm

   Liz Margerum/Liz Margerum
Firefighters put water on 200 South Virginia St. after a transformer
explosion Tuesday in downtown Reno.



A transformer explosion Tuesday on the side of the Wells Fargo office
building in downtown Reno sent flaming oil through the streets, slightly
burning a woman and forcing the evacuation of more than 200 workers,
officials said.

Reno city spokesman Steve Frady said many workers had left for the day
before the explosion.

Crews were investigating what caused the transformer at 200 S. Virginia
St. to explode shortly after 4 p.m. The ensuing fire sent up a smoke plume
visible for miles and charred the outside of the eight-story building.

The oil used as a coolant for the transformer caught fire and sent flames
down Virginia Street toward Court Street, fire officials said.

Chris Christiansen said she was walking near the transformer when it
exploded, burning her face and neck.




Re: North America not interested in IP V6

2003-07-30 Thread Marcel Lemmen


Well, now we are talking about IPv6, I can ask a question right here ;)

Does anyone have any experiences with the Cisco IPv6 IOS (T or S
releases)? Can be either good or bad experiences. I heard there were some
issues (router freezes etc) with the T releases...

Have to convince the management :)

With kind regards,

Marcel Lemmen
Support Net - Partner in Managed Internet Solutions

--= Try http://alt.binaries.nl =--

--- The previous message was something like this: ---

!>Date: Wed, 30 Jul 2003 13:12:38 +0200
!>From: Alexander Koch <[EMAIL PROTECTED]>
!>To: Neil J. McRae <[EMAIL PROTECTED]>
!>Cc: "Nipper, Arnold" <[EMAIL PROTECTED]>,
!> Peter Galbavy <[EMAIL PROTECTED]>, Roy <[EMAIL PROTECTED]>,
!> [EMAIL PROTECTED]
!>Subject: Re: North America not interested in IP V6
!>
!>
!>Neil, all,
!>
!>On Wed, 30 July 2003 11:58:34 +0100, Neil J. McRae wrote:
!>> > Here at DE-CIX (www.de-cix.net) I can see that more and more ISP are joining
!>> > the IPv6 trial (http://www.de-cix.net/info/decix-ipv6/) . Currently already
!>> > 20% of all ~120 ISP at DE-CIX have IPv6 enabled.
!>>
!>> I'd be more interested in seeing how many customer connections
!>> are using IPV6.
!>
!>in fact we (Tiscali) have three customers in Europe that
!>have their own /32 and are running v6 in parallel to v4, and
!>we do transit for them. I do not like that 'full table
!>everywhere' thing at all which is still way too common in
!>Europe, it does not help pushing v6.
!>
!>Regards,
!>Alexander
!>
!>(AS-TISCALI-V6PEERS for whom it may concern)
!>


Re: North America not interested in IP V6

2003-07-30 Thread Neil J. McRae

> in fact we (Tiscali) have three customers in Europe that
> have their own /32 and are running v6 in parallel to v4, and
> we do transit for them. I do not like that 'full table
> everywhere' thing at all which is still way too common in
> Europe, it does not help pushing v6.
> 

Ok next question - does your IPV6 product have a business case
attached to it? how many customers will you have next year?

Neil.


Re: North America not interested in IP V6

2003-07-30 Thread Alexander Koch

Neil, all,

On Wed, 30 July 2003 11:58:34 +0100, Neil J. McRae wrote:
> > Here at DE-CIX (www.de-cix.net) I can see that more and more ISP are joining
> > the IPv6 trial (http://www.de-cix.net/info/decix-ipv6/) . Currently already
> > 20% of all ~120 ISP at DE-CIX have IPv6 enabled.
> 
> I'd be more interested in seeing how many customer connections
> are using IPV6.

in fact we (Tiscali) have three customers in Europe that
have their own /32 and are running v6 in parallel to v4, and
we do transit for them. I do not like that 'full table
everywhere' thing at all which is still way too common in
Europe, it does not help pushing v6.

Regards,
Alexander

(AS-TISCALI-V6PEERS for whom it may concern)



Re: North America not interested in IP V6

2003-07-30 Thread Neil J. McRae

> Here at DE-CIX (www.de-cix.net) I can see that more and more ISP are joining
> the IPv6 trial (http://www.de-cix.net/info/decix-ipv6/) . Currently already
> 20% of all ~120 ISP at DE-CIX have IPv6 enabled.

I'd be more interested in seeing how many customer connections
are using IPV6.

Regards,
Neil.


Re: Is there a technical solution to SPAM?

2003-07-30 Thread Matthew S. Hallacy

On Tue, Jul 29, 2003 at 02:24:29PM +0100, [EMAIL PROTECTED] wrote:
> 
> Anyone who believes that SPAM can be solved by technical means should try 
> googling one of the following:
> 
> sms spam
> i-mode spam
> IM spam
> 

[snip]

AOL Instant Messenger has a 'warn' function, I wrote a nifty little plugin
for GAIM (A multi-IM-client available for various platforms) that simply
drops messages from unknown people with a warning level >10%.

If only everything else had a 'warn' function. (Although, to a degree razor
serves this purpose along with a whitelist in spamassassin)

-- 
Matthew S. Hallacy                            FUBAR, LART, BOFH Certified
http://www.poptix.net   GPG public key 0x01938203


France Telecom/Open Transit

2003-07-30 Thread variable

Hi all,

Does anyone have any good/bad experiences to share about France 
Telecom/Open Transit?

Cheers,

Rich



Re: Is there a technical solution to spam?

2003-07-30 Thread Bohdan Tashchuk
> The solutions may well be found there but will be unimplementable
> without much needed support from the operators - particularly the
> major backbones - who currently turn a blind eye to protect their
> revenue.
Bingo. There's the crux of the problem. It needs to be elaborated on and 
emphasized, because most engineers have a blind spot about the business 
aspects of their industry (no matter what that industry is).

There's a lot of wailing and gnashing of teeth, a lot of soul searching, 
a lot of angst here. All for naught.

Many big network operators are selling bigger and bigger pipes to 
everyone so they can keep up with more and more spam. They make money on 
the increased traffic, even as they have these solemn terms and 
conditions in place about how they won't tolerate spam.

The big network operators don't need to allow spammers to connect 
directly to their backbones. They make money by selling transit to other 
networks who sell transit to still other networks who then allow 
spammers to connect.

Network operators are such a naive bunch of engineers. There's lots of 
money to be made just in transit for spam, and quite often the people 
who sign the paychecks for the engineers who post to this list are the 
very people who benefit. They understand this, why don't you?

Every network operator should first try to get their own company to get 
serious about stopping spam. Top management has to be willing to do what 
it takes. E.g. de-peer, stop selling transit, etc. Until that happens 
the spam problem will keep getting worse.

And if top management isn't interested, or won't agree to do anything 
meaningful, ask yourself why. And keep that in mind the next time you 
get paid.






RE: North America not interested in IP V6

2003-07-30 Thread Ben Buxton



> From: Nipper, Arnold [mailto:[EMAIL PROTECTED] 
> On Wednesday, July 30, 2003 9:00 AM, Peter Galbavy
> <[EMAIL PROTECTED]>
> wrote:
> > Regardless of the content of the above, let me say that with the exception
> > of "the academic community" (including those in commercial orgs) no one in
> > Europe is interested either.
> >
> 
> Here at DE-CIX (www.de-cix.net) I can see that more and more ISP are joining
> the IPv6 trial (http://www.de-cix.net/info/decix-ipv6/) . Currently already
> 20% of all ~120 ISP at DE-CIX have IPv6 enabled.

AMS-IX (amsterdam IX) is also an active IPv6 internet exchange with around
25-30 IPv6 enabled peers (based on my peers and a 'ping ff02::2' :).

From what I've managed to determine, the problem with fast adoption of IPv6
is not so much the networks, it's more the applications. How many applications
aren't coded to support IPv6 sockets? The opposite question would be more
appropriate. What about apps that use hardcoded data structures/file format
that assume IPv4 style addressing? Do any databases support IPv6 as a native
datatype? That is the real hurdle. Turning IPv6 on in networks is trivial.
Application support is not. And coders don't care about ipv6, just us
networking people.

BB



Re: North America not interested in IP V6

2003-07-30 Thread Nipper, Arnold

On Wednesday, July 30, 2003 9:00 AM, Peter Galbavy
<[EMAIL PROTECTED]>
wrote:
> Roy wrote:
>> This article seems to imply that North American networks don't care
>> about IP V6 while the rest of the world is suffering great hardship
>>
>> http://www.msnbc.com/news/945119.asp
>>
>> PS.  Please don't shoot the messenger
>
> Regardless of the content of the above, let me say that with the exception
> of "the academic community" (including those in commercial orgs) no one in
> Europe is interested either.
>

Here at DE-CIX (www.de-cix.net) I can see that more and more ISP are joining
the IPv6 trial (http://www.de-cix.net/info/decix-ipv6/) . Currently already
20% of all ~120 ISP at DE-CIX have IPv6 enabled.


Arnold



Re: North America not interested in IP V6

2003-07-30 Thread Mikael Abrahamsson

On Wed, 30 Jul 2003, Peter Galbavy wrote:

> Regardless of the content of the above, let me say that with the exception
> of "the academic community" (including those in commercial orgs) no one in
> Europe is interested either.

I think it's a question of price to create the service.

Newer platforms have built in IPv6 in hardware so performance isn't an 
issue, the code base is maturing which is also a very important step 
forward.

In a couple of years it won't be so much an issue of "purchasing equipment
that can do IPv6" but more "turning it on" which is a huge difference when 
it comes to creating a service and deploying it. When IPv6 is in almost 
all newer IOSes and these get phased into production environments, I think 
we'll see much more IPv6 than today.

I know that I am not alone in considering IPv6 ability of hardware I am 
about to purchase that I believe will be around for 3-5 years.

-- 
Mikael Abrahamsson    email: [EMAIL PROTECTED]