Re: peer/transit circuits
On Wed, 29 Oct 2003 [EMAIL PROTECTED] wrote:

> Hi folks, I am looking for some advice on how to place the peer/transit
> circuits on the edge routers. Would like to find the best practice that
> would provide enough diversity without having an operation nightmare.
> e.g. putting peer and transit circuits on different routers will make
> the routing policy easier since peer and transit will have different
> policies. however, if I lost the transit router then all transit is gone.

It sounds like you might do well to investigate Vendor J's routers, as they can solve this in a single unit, rather than with multiple units.

There are several reasons to separate transit and peering routers, one of them being that if someone points a default route at your peering router, the packets go to nowhere because that router doesn't have a full set of routes on it. Unfortunately, this has happened to a few list members and acquaintances of mine, so don't think this doesn't happen.
Re: [arin-announce] IPv4 Address Space (fwd)
Date: Tue, 28 Oct 2003 21:51:01 -0500
From: [EMAIL PROTECTED]

> The real problem is that we have an environment where the malware can
> figure out how to disable the firewall but the user can't.

And part of why the current Internet has so much peer-to-peer traffic on it. ;-)

Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita

DO NOT send mail to the following addresses:
[EMAIL PROTECTED] -or- [EMAIL PROTECTED] -or- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.
Re: [arin-announce] IPv4 Address Space (fwd)
JB> Date: Wed, 29 Oct 2003 15:27:27 -0600
JB> From: Jack Bates
JB>
JB> I think the point that was being made was that NAT allows the
JB> filtering of the box to be more idiot proof. Firewall rules
JB> tend to be complex, which is why mistakes *do* get made and
JB> systems still get compromised. NAT interfaces and setups
JB> tend to be more simplistic, and the IP addresses of the
JB> device won't route publicly through the firewall or any
JB> unknown alternate routes.

NAT security is a byproduct of NAT's stateful filtering. One can accomplish the same effect with

    check-state
    allow ip from any to any recv internal0 keep-state
    deny ip from any to any

Such a default fw config would be equally idiot-proof with no IP obfuscation.

Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita

DO NOT send mail to the following addresses:
[EMAIL PROTECTED] -or- [EMAIL PROTECTED] -or- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.
Re: ISPs' willingness to take action
[EMAIL PROTECTED] wrote:

> So, tell me--are you willing to pay a premium for unfiltered access to
> the Internet? :)

Yes, that's why I don't use AOL.

Peter
Re: Content filter (was - Re: [arin-announce] IPv4 Address Space)
On Wed, 29 Oct 2003, Booth, Michael (ENG) wrote:

> William, they might be rejecting your post for SPAM. Take a look at the
> link below:
> http://groups.google.com/groups?q=dns1.elan.nethl=enlr=ie=UTF-8oe=UTF-8safe=offsa=Ntab=wg
>
> Michael Booth

That post was rejected because of the words "porn site". This was quite clear from the type of filtering message. I'm sure this post will generate exactly the same reply back to me...

I'm guessing you are one of those people at nanog who tried to show me a list of sites previously hosted at elan that generated abuse complaints back in 2001 (i.e. see above url). Those customers are all gone long ago and none of them actually sent email spam, so there are no filters on elan anywhere (except rhyolite, who can't distinguish between real spam and joe-job; using automated means is really not a way to keep a long-term email filter list) nor were there in the past.

On the other hand as26857 is an interesting character. I've listed you on completewhois for hijacking ip blocks under web design house name (one more ip block yet to be added, I'm sure you know which one, you will not have to wait long now...). And there is clear evidence for as26857, wdh starlan involvement in emailcourier bulk email operation:

http://groups.google.com/groups?q=as26857hl=enlr=ie=UTF-8oe=UTF-8selm=3F999398.1080708%40rogers.comrnum=2
http://groups.google.com/groups?hl=enlr=ie=UTF-8oe=UTF-8q=emailcourrier.comsa=Ntab=wg
http://groups.google.com/groups?hl=enlr=ie=UTF-8oe=UTF-8q=starlan+email

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]
Re: 'Net security gets root-level boost
It is a little bit surreal - it's not like anycast is some weird, new, or revolutionary technology. BGP is surely not a black art to the folks at Verisign - and little is required to do anycast, other than some minor routing configuration.

Two possible solutions - Verisign is so big that institutional paralysis has set in, or, they now say this when asked about any configuration change. Either way, it's unacceptable for them to be fulfilling their contract in this manner.

--
Daniel Golding
Network and Telecommunications Strategies
Burton Group

From: Barney Wolff [EMAIL PROTECTED]
Date: Tue, 28 Oct 2003 10:41:56 -0500
To: [EMAIL PROTECTED]
Subject: Re: 'Net security gets root-level boost

> On Tue, Oct 28, 2003 at 09:58:20AM +0200, Hank Nussbacher wrote:
>> http://www.nwfusion.com/news/2003/1027ddos.html
>
> Love this quote from Verisign:
>
> "We tested Anycast for about a year...to monitor its behavior," Silva says.
> "These are important servers, and we didn't want to make any rash
> decisions about deploying it."
>
> --
> Barney Wolff http://www.databus.com/bwresume.pdf
> I'm available by contract or FT, in the NYC metro area or via the 'Net.
Re: AOL fixing Microsoft default settings
I'm not sure outrage is the appropriate way to describe this. AOL is probably looking at this from the support point of view. They get a certain number of support calls complaining about messenger service spam/trickery. They will get many fewer calls complaining that the messenger service has been shut off. The end result is that they save themselves a good bit of money, while helping out a large percentage of their customer base who has the bad luck of being saddled with an inferior OS - good for them!

It would be a mistake to confuse AOL's subscriber base with NANOG's subscriber base. That which would outrage some of us is seen as a great boon to other sets of users. There is no one size fits all here.

When one connects to an online service (which AOL is, rather than being just an ISP, although they do that too) or when one connects to a corporate LAN with a VPN client, they have to accept that there may be some alterations of the local environment. This is a reality of today's security situation as it intersects with inferior desktop OSs. There are always other solutions for those who feel that these sort of alterations are unpalatable.

--
Daniel Golding
Network and Telecommunications Strategies
Burton Group

From: Henry Linneweh [EMAIL PROTECTED]
Date: Tue, 28 Oct 2003 14:59:12 -0800 (PST)
To: Sean Donelan [EMAIL PROTECTED], Fred Baker [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: AOL fixing Microsoft default settings

> I agree that changing one's computer is not the ISP or even the Corp IT
> department's job, and could compromise valuable work and or personal
> information for the individual user, depending on their setup, security
> software etc and other applications. I also would perceive that as a real
> threat to individual privacy for any individual in any country of the
> world who directly purchased and owns their own computer.
>
> For individuals who had their machines custom built to spec with software
> configured to meet a certain criterion this would be an outrage and
> considered hacking and tampering.
>
> -Henry
>
> Sean Donelan [EMAIL PROTECTED] wrote:
>
>> On Tue, 28 Oct 2003, Fred Baker wrote:
>>> Personally, I don't ask my ISP or my IT department to randomly change
>>> the configuration of my computer. I am very happy for them to suggest
>>> changes, but *if* I agree, *I* want to install them when it is
>>> convenient for *me*, not when it is convenient for *them*.
>>
>> There is a difference. In most cases the corporate laptop is owned by
>> the corporation, not the employee. Shouldn't the corporate organization
>> be able to change its own computers whenever it chooses, regardless of
>> the desire of its employees.
>>
>> On the other hand, the ISP does not own the customer's computer. And
>> despite EULAs which say it is not sold, only licensed, to the customer,
>> most people view their computer as their property, not the ISP's.
Re: [arin-announce] IPv4 Address Space (fwd)
That was _exactly_ the point I was attempting to make. If you recall there was a case recently where a subcontractor at a power generation facility linked their system to an isolated network which gave unintentional global access to the isolated network. A NAT at the subcontractor's interface would have prevented this.

Scott C. McGrath

On Wed, 29 Oct 2003, Jack Bates wrote:

> David Raistrick wrote:
>> You seem to be arguing that NAT is the only way to prevent inbound
>> access. While it's true that most commercial IPv4 firewalls bundle NAT
>> with packet filtering, the NAT is not required..and less-so with IPv6.
>
> I think the point that was being made was that NAT allows the filtering
> of the box to be more idiot proof. Firewall rules tend to be complex,
> which is why mistakes *do* get made and systems still get compromised.
> NAT interfaces and setups tend to be more simplistic, and the IP
> addresses of the device won't route publicly through the firewall or any
> unknown alternate routes.
>
> -Jack
Re: [arin-announce] IPv4 Address Space (fwd)
On Thu, 2003-10-30 at 09:22, Scott McGrath wrote:

> That was _exactly_ the point I was attempting to make. If you recall
> there was a case recently where a subcontractor at a power generation
> facility linked their system to an isolated network which gave
> unintentional global access to the isolated network. A NAT at the
> subcontractor's interface would have prevented this.

So would have a stateful firewall set to keep state, default deny inbound. This is how customer grade firewall products should work with NAT disabled, although they probably don't.

-Paul
--
Paul Timmins [EMAIL PROTECTED]
RE: Fed. Govt and IEEE ban contributions to/from Cuba, Libya, Iran, Syria
Thought it might be useful to pass on a copy of a letter from the IEEE President that was published in the last issue of Spectrum -

On Serving Members In Embargoed Countries

In January of 2002, the IEEE took action to fulfill the U.S. Treasury Department trade regulations administered by the Office of Foreign Assets Control (OFAC). The IEEE informed members residing in several sanctioned countries that they were not able to take advantage of member benefits and services except for print subscriptions to IEEE publications. The IEEE has received numerous inquiries from members and others on this issue. In response, 2003 President Michael Adler offers the following open letter.

Colleagues,

I am writing this open letter to help IEEE members and our other colleagues around the world understand the IEEE position regarding the U.S. Department of Treasury's restrictions on serving members in embargoed countries and how the IEEE Board of Directors is dealing with this sensitive matter.

This situation is now entering its third year. Stated concerns include criticism of the IEEE's handling of this issue, including the suggestion that the IEEE's actions have been arbitrary and in conflict with the IEEE Code of Ethics. For those of you who are directly impacted because you live in the embargoed countries, we understand that you are angry. For those members who have taken the time to share their views, we appreciate your concern. We do not like this situation either. The IEEE has been in contact with OFAC to resolve these difficulties. Until now, we have made few public statements on this matter. But given the slow pace of progress, it is now more important than ever for the IEEE to speak out publicly on our position. This message is a start.

The IEEE believes in a world of unfettered exchange of scientific and technical information for educational and research purposes. Last February the IEEE Board of Directors voted to reaffirm its belief that no government should restrict the right of scientists, engineers, or academicians to exchange ideas and participate in scholarly activities on a global basis.

In an effort to uphold our beliefs, the IEEE is investing considerable resources in aggressively trying to overcome the obstacles created by the OFAC regulations. In September 2002, we met with OFAC to discuss our concerns about the OFAC regulations and their impact on the IEEE. In December, the IEEE took the necessary steps to clarify the OFAC guidelines concerning our publishing activities. We stated the reasons that the IEEE firmly believes that the peer review and editing of technical journal articles should be permissible under the current regulations. We have asked that they agree with our interpretation outright, or at least issue us a license to permit these activities as an exception. While we are optimistic that OFAC will see the logic of our argument, they have not responded as of my writing of this letter, even though they have had more than nine months to consider our petition. It is important to note that our publishing activities are only one of several issues that the IEEE must address as we pursue resolution of this OFAC situation. The slow pace of the government's response is very frustrating, but unfortunately beyond our control.

While the IEEE works to uphold its beliefs, we must also do what is necessary to protect the organization and its volunteers. OFAC regulations clearly state that violations can result in fines and other civil and criminal sanctions for the individuals involved and the officers of the sponsoring organization. The determination of OFAC to enforce its rules has been demonstrated on numerous occasions, with fines being assessed to both corporations and individuals. The IEEE must adhere to our obligation to abide by the laws of all the countries in which it does business. To that end, one thing is clear: the IEEE will continue to comply with U.S. laws. Our failure to do so would place the IEEE at risk and would subject the organization to penalties from the U.S. government that could dramatically affect our ability to service our members worldwide.

The IEEE will see this difficult issue through, no matter how long it takes. In addition to current efforts, it may also be necessary to assemble a coalition of other professional organizations and interested parties to work and discuss these issues with the U.S. government in order to make changes to the OFAC regulations. The IEEE Board of Directors will consider this and other approaches in its ongoing deliberations about how best to resolve the current situation.

I am asking IEEE members, as well as our other colleagues, to support the IEEE as we work to preserve the rights of its members and of the scientific and technical community worldwide to engage in open scholarly research and communications. It is only through
Re: IPv6 NAT
> NAT also has the advantage that if packets do leak bogon filters at the
> border will drop them.

NAT is simply an algorithm which causes a firewall to drop all traffic which doesn't match an entry in a set of internal state tables. The NAT algorithm sets up these state tables based on outgoing traffic and based on specific operator configurations, i.e. static NAT mappings. This algorithm can be implemented in a trivial piece of software that runs on cheap, low-power devices commonly used in things like DSL routers.

The IPv6 folks are claiming that you can very easily implement the same type of algorithm on IPv6 routers to drop all traffic which doesn't match an entry in a set of internal state tables. The IPv6 algorithm would set up these state tables based on outgoing traffic and based on specific operator configurations, i.e. static enabled addresses. The only difference is that the IPv6 device never changes the packet contents, i.e. never replaces source or destination addresses in the headers. The IPv6 version can still drop traffic and can still dynamically enable certain incoming traffic based upon detection of an outgoing TCP session starting up. It could even do port redirection if that was still useful to people. It could also allow operator configuration to enable incoming traffic to specific addresses.

The IPv6 version would be just as secure as an IPv4 NAT device but it would not interfere with protocol functioning. Now, I'm not claiming that every device capable of IPv4 NAT is currently able to function in this way, but there are no technical barriers to prevent manufacturers from making IPv6 devices that function in this way. The IPv6 vendor marketing folks can even invent terms like NAT (Network Authority Technology) to describe this simple IPv6 firewall function, i.e. IPv6 NAT. It wouldn't be the first time that acronyms have been reinvented, e.g. RED, GSM.

--Michael Dillon
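The state-table mechanism Michael describes above, and the three-rule check-state / keep-state / deny policy Eddy posted earlier in the IPv4 Address Space thread, are the same thing seen from two angles. The following is an added example written for this digest, not code from the thread or from any vendor: a small Python model of a stateful filter that admits outbound-initiated flows and operator-enabled services, denies everything else, and never rewrites an address. The addresses, ports and the interface name "internal0" are constructed sample values.

```python
"""Stateful packet filter that keeps state without rewriting addresses.

Added example (not code from the NANOG thread). It models a state table
built from outgoing traffic plus operator-configured static entries, with
everything else dropped, i.e. the behaviour described for "IPv6 NAT" and
the ipfw-style policy:

    check-state
    allow ip from any to any recv internal0 keep-state
    deny ip from any to any

All addresses, ports and interface names are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Packet:
    src: str      # source address (IPv4 or IPv6 literal)
    dst: str      # destination address
    sport: int    # source port
    dport: int    # destination port
    proto: str    # "tcp" or "udp"
    iface: str    # interface the packet arrived on


class StatefulFilter:
    """Default-deny inbound filter; outbound traffic creates flow state.

    process() only returns a verdict and never modifies the packet, which is
    the difference from NAT: end-to-end addresses are preserved.
    """

    def __init__(self, inside_iface, static_allow=()):
        self.inside_iface = inside_iface
        # Dynamic state keyed on the 5-tuple as seen from the inside.
        self.state = set()
        # Operator configuration ("static enabled addresses"): inbound
        # (proto, inside address, inside port) reachable without prior state.
        self.static_allow = {(p, ip_address(a), port) for p, a, port in static_allow}

    @staticmethod
    def _key(proto, inside_addr, inside_port, outside_addr, outside_port):
        return (proto, ip_address(inside_addr), inside_port,
                ip_address(outside_addr), outside_port)

    def process(self, pkt):
        """Return 'allow' or 'deny' for one packet, updating state like keep-state."""
        if pkt.iface == self.inside_iface:
            # allow ip from any to any recv <inside> keep-state
            self.state.add(self._key(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # check-state: an inbound packet must match an existing flow exactly
        # (same protocol, both addresses and both ports) ...
        key = self._key(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.state:
            return "allow"
        # ... or be destined to an operator-enabled service.
        if (pkt.proto, ip_address(pkt.dst), pkt.dport) in self.static_allow:
            return "allow"
        # deny ip from any to any
        return "deny"


def run_scenario():
    """Drive the filter with constructed IPv6 traffic and return the verdicts."""
    fw = StatefulFilter("internal0",
                        static_allow=[("tcp", "2001:db8:1::25", 25)])  # a mail host
    inside, web, mail, stranger = ("2001:db8:1::10", "2001:db8:ffff::1",
                                   "2001:db8:1::25", "2001:db8:ffff::2")
    packets = [
        # 1. Inside host opens an HTTPS session: allowed, creates state.
        Packet(inside, web, 40000, 443, "tcp", "internal0"),
        # 2. Reply from the web server matching that flow: allowed.
        Packet(web, inside, 443, 40000, "tcp", "external0"),
        # 3. Unsolicited connection from the same server to SSH: denied.
        Packet(web, inside, 443, 22, "tcp", "external0"),
        # 4. Inbound SMTP to the operator-enabled mail host: allowed.
        Packet(stranger, mail, 51000, 25, "tcp", "external0"),
        # 5. Another host reusing the reply ports from a different address: denied.
        Packet(stranger, inside, 443, 40000, "tcp", "external0"),
        # 6. UDP with the same ports as the TCP flow: protocol mismatch, denied.
        Packet(web, inside, 443, 40000, "udp", "external0"),
    ]
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for n, verdict in enumerate(run_scenario(), 1):
        print(n, verdict)
```

The model deliberately leaves out two things a production filter needs: entries are never aged out (a real device expires idle flows and tracks TCP connection teardown), and the "port redirection" Michael mentions would be a separate rewrite step layered on top of the verdict. Neither omission changes the point of the thread, which is that the security property comes from the state table and the default deny, not from changing addresses.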
Re: IPv6 NAT
In fact, Michael, there is no reason someone can't do everything you describe with IPv4 if they are using unique address space.

Owen

--On Thursday, October 30, 2003 3:22 PM +0000 [EMAIL PROTECTED] wrote:

>> NAT also has the advantage that if packets do leak bogon filters at the
>> border will drop them.
>
> NAT is simply an algorithm which causes a firewall to drop all traffic
> which doesn't match an entry in a set of internal state tables. The NAT
> algorithm sets up these state tables based on outgoing traffic and based
> on specific operator configurations, i.e. static NAT mappings. This
> algorithm can be implemented in a trivial piece of software that runs on
> cheap, low-power devices commonly used in things like DSL routers.
>
> The IPv6 folks are claiming that you can very easily implement the same
> type of algorithm on IPv6 routers to drop all traffic which doesn't match
> an entry in a set of internal state tables. The IPv6 algorithm would set
> up these state tables based on outgoing traffic and based on specific
> operator configurations, i.e. static enabled addresses. The only
> difference is that the IPv6 device never changes the packet contents,
> i.e. never replaces source or destination addresses in the headers. The
> IPv6 version can still drop traffic and can still dynamically enable
> certain incoming traffic based upon detection of an outgoing TCP session
> starting up. It could even do port redirection if that was still useful
> to people. It could also allow operator configuration to enable incoming
> traffic to specific addresses.
>
> The IPv6 version would be just as secure as an IPv4 NAT device but it
> would not interfere with protocol functioning. Now, I'm not claiming that
> every device capable of IPv4 NAT is currently able to function in this
> way, but there are no technical barriers to prevent manufacturers from
> making IPv6 devices that function in this way. The IPv6 vendor marketing
> folks can even invent terms like NAT (Network Authority Technology) to
> describe this simple IPv6 firewall function, i.e. IPv6 NAT. It wouldn't
> be the first time that acronyms have been reinvented, e.g. RED, GSM.
>
> --Michael Dillon

--
If it wasn't signed, it probably didn't come from me.

pgp0.pgp
Description: PGP signature
hinet.net contact
Hello folks,

I can tell you that hinet.net hosts are being exploited by script kiddies and no one in hinet.net cares. And I really failed to get a contact of their abuse department, or any live person who bothers to reply. All the complaints and reports got nowhere.

I need to report security issues about ongoing DDoS attacks all the time by script kiddies from the State of Kuwait using hinet.net as primary Windows IRC servers to control the DDoS bots.

If you know someone over there please help to get these issues resolved.

Thanks,

-J
Verizon abuse contact
Hello folks,

I reported exploited hosts in the Verizon network to their abuse department one week ago now. I only get an auto reply but no real person has taken action up to this moment. If there is a Verizon person who can help, please contact me off list.

Thanks,

-J
Re: hinet.net contact
John Obi writes on 10/30/2003 12:22 PM:

> Hello folks, I can tell you that hinet.net hosts being exploited by
> script kiddies and no one in hinet.net cares. And I really failed to get
> a contact of their abuse department, or any live person bothers to reply.

You might want to contact the TW-CERT people at http://www.cert.org.tw/eng/index.htm

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
Re: IPv6 NAT
Thus spake [EMAIL PROTECTED]

> Now, I'm not claiming that every device capable of IPv4 NAT is currently
> able to function in this way, but there are no technical barriers to
> prevent manufacturers from making IPv6 devices that function in this
> way. The IPv6 vendor marketing folks can even invent terms like NAT
> (Network Authority Technology) to describe this simple IPv6 firewall
> function, i.e. IPv6 NAT.

Or you could simply call it what it is -- a firewall -- since that's what most consumers think NAT is anyways. While I disagree with the general sentiment that NATs create security, the standard usage of such devices is certainly that of a stateful firewall.

S

Stephen Sprunk        "God does not play dice."  --Albert Einstein
CCIE #3723            "God is an inveterate gambler, and He throws the
K5SSS                  dice at every possible opportunity." --Stephen Hawking
RE: IPv6 NAT
> Or you could simply call it what it is -- a firewall -- since that's
> what most consumers think NAT is anyways. While I disagree with the
> general sentiment that NATs create security, the standard usage of such
> devices is certainly that of a stateful firewall.

All hairsplitting aside, given that the term NAT these days is mostly used in a PAT (particularly in a customer connecting to the I) context, what isn't secure about?

* The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential, proprietary, and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from all computers.
Yankee Group declares core routing obsolete (was Re: Anybody using GBICs?)
On Tue, Oct 28, 2003 at 03:25:43PM -0500, Richard A Steenbergen wrote:
> On Tue, Oct 28, 2003 at 09:48:01AM -0800, [EMAIL PROTECTED] wrote:
>> I'm looking into doing some research that will make use of GBICs
>> (Gigabit Interface Converters), but I need to know how many of you are
>> using GBICs in your networks? If you are using them, where do they fit
>> into your topology?
>
> Hello,
>
> I am also doing some research and would like to know how many of you are
> using routers in your networks? I am considering making use of them, but
> first I need to know where they fit into your topology?

http://story.news.yahoo.com/news?tmpl=storycid=75e=18u=/nf/22581

"Plainly stated, routers no longer have a home in the core of the network. You might have found a router there five years ago, but most certainly you have a switch today," said Yankee Group vice president Zeus Kerravala.

Whew, good thing I checked, I almost went out and bought routers for my network. :)

--
Richard A Steenbergen [EMAIL PROTECTED] http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
Re: Yankee Group declares core routing obsolete (was Re: Anybody using GBICs?)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Richard A Steenbergen wrote:
| On Tue, Oct 28, 2003 at 03:25:43PM -0500, Richard A Steenbergen wrote:
|
|> On Tue, Oct 28, 2003 at 09:48:01AM -0800, [EMAIL PROTECTED] wrote:
|>
|>> I'm looking into doing some research that will make use of GBICs
|>> (Gigabit Interface Converters), but I need to know how many of you
|>> are using GBICs in your networks? If you are using them, where do
|>> they fit into your topology?
|>
|> Hello,
|>
|> I am also doing some research and would like to know how many of you are
|> using routers in your networks? I am considering making use of them, but
|> first I need to know where they fit into your topology?
|
| http://story.news.yahoo.com/news?tmpl=storycid=75e=18u=/nf/22581
|
| "Plainly stated, routers no longer have a home in the core of the network.
| You might have found a router there five years ago, but most certainly
| you have a switch today," said Yankee Group vice president Zeus Kerravala.
|
| Whew, good thing I checked, I almost went out and bought routers for my
| network. :)
|

Hmm, was that a news story or an advertisement for a certain N vendor disguised as one?

=
bep

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (MingW32)

iD8DBQE/oVUqE1XcgMgrtyYRAnaJAJ43oxMogei/SdvcdJQNLzPrRUptXgCfYH3b
sQRR5ZpSZ/U14oNGV1Krj3A=
=Rvna
-----END PGP SIGNATURE-----
Re: Yankee Group declares core routing obsolete
and the Yankee Group has an unblemished history of understanding the Internet and ISPs

Scott

(ps - unblemished with accuracy that is)
Re: Yankee Group declares core routing obsolete (was Re: Anybody using GBICs?)
Richard A Steenbergen writes on 10/30/2003 1:08 PM:

> "Plainly stated, routers no longer have a home in the core of the network.
> You might have found a router there five years ago, but most certainly
> you have a switch today," said Yankee Group vice president Zeus Kerravala.

What brand of switch is this guy selling? And what is he smoking? Sure would be interesting to find out :)

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
Re: Yankee Group declares core routing obsolete (was Re: Anybody using GBICs?)
On Thu, 30 Oct 2003, Suresh Ramasubramanian wrote:
:
: Richard A Steenbergen writes on 10/30/2003 1:08 PM:
:
: > "Plainly stated, routers no longer have a home in the core of the network.
: > You might have found a router there five years ago, but most certainly
: > you have a switch today," said Yankee Group vice president Zeus Kerravala.
:
: What brand of switch is this guy selling? And what is he smoking? Sure
: would be interesting to find out :)

Vendor F

scott
Re: 'Net security gets root-level boost
BW> Date: Tue, 28 Oct 2003 10:41:56 -0500
BW> From: Barney Wolff
BW>
BW> On Tue, Oct 28, 2003 at 09:58:20AM +0200, Hank Nussbacher wrote:
BW>
BW> > http://www.nwfusion.com/news/2003/1027ddos.html
BW>
BW> Love this quote from Verisign:
BW>
BW> "We tested Anycast for about a year...to monitor its behavior,"
BW> Silva says. "These are important servers, and we didn't want to
BW> make any rash decisions about deploying it."

*gag*

And wildcard entries?

Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita

DO NOT send mail to the following addresses:
[EMAIL PROTECTED] -or- [EMAIL PROTECTED] -or- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.
Re: Yankee Group declares core routing obsolete (was Re: Anybody using GBICs?)
RAS> Date: Thu, 30 Oct 2003 13:08:01 -0500
RAS> From: Richard A Steenbergen
RAS>
RAS> http://story.news.yahoo.com/news?tmpl=storycid=75e=18u=/nf/22581
RAS>
RAS> "Plainly stated, routers no longer have a home in the core of the network.
RAS> You might have found a router there five years ago, but most certainly
RAS> you have a switch today," said Yankee Group vice president Zeus Kerravala.
RAS>
RAS> Whew, good thing I checked, I almost went out and bought routers for my
RAS> network. :)

So STP is now the control plane protocol of choice? ;-)

Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita

DO NOT send mail to the following addresses:
[EMAIL PROTECTED] -or- [EMAIL PROTECTED] -or- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.
Re: Yankee Group declares core routing obsolete (was Re: Anybody using GBICs?)
SR> Date: Thu, 30 Oct 2003 13:18:28 -0500
SR> From: Suresh Ramasubramanian
SR>
SR> What brand of switch is this guy selling? And what is he
SR> smoking? Sure would be interesting to find out :)

Maybe the Yankee Group is a subsidiary of Ncatal Ventures.

Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita

DO NOT send mail to the following addresses:
[EMAIL PROTECTED] -or- [EMAIL PROTECTED] -or- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.
Re: Yankee Group declares core routing obsolete (was Re: Anybody using GBICs?)
Hmm. Don't you just love it when folks say things like "Layer 3 Switches are better than routers". It's very illuminating as to clue level. I suppose what they were trying to say is that products that were designed as switches, but are now running routing code, are superior to products that were designed as routers, and are running routing code. Of course, this is demonstrably false.

"Layer 3 Switch" is like "Tier 1 ISP" - meaningless marketing drivel, divorced from any previous technical meaning. Sure, gigabit Ethernet switches are great. Sure, they can do some light routing tasks. But saying, essentially, that core routers are obsolete, and should be immediately replaced with somewhat less capable core routers is weak.

Let's all be thankful they are now using ASICs, though! All that software based routing was making me nervous - five years ago :)

- Daniel Golding

On 10/30/03 1:18 PM, Suresh Ramasubramanian [EMAIL PROTECTED] wrote:

> Richard A Steenbergen writes on 10/30/2003 1:08 PM:
>
>> "Plainly stated, routers no longer have a home in the core of the network.
>> You might have found a router there five years ago, but most certainly
>> you have a switch today," said Yankee Group vice president Zeus Kerravala.
>
> What brand of switch is this guy selling? And what is he smoking? Sure
> would be interesting to find out :)
Re: Yankee Group declares core routing obsolete (was Re: Anybody using GBICs?)
Routers exist everywhere; Catalyst 6509, for example, IS A ROUTER no less than A SWITCH. Perfectly, it is a router with extensive switching capabilities. Problem is that (1) most devices today support both L3 routing and L2 switching (which is MAC level routing de facto), and (2) some devices implement routing using L2 mechanisms (mlp routing on 6509). But, from the network point of view, they do not stop being routers. You can insert a switch into a traditional router, or insert a router card into a traditional switch; in any case, you have _router_ and _switch_ (sometimes, in the same box).

So, obsolete are not routers (esp. low end); obsolete is the classification.

Alexei Roudnev

- Original Message -
From: Richard A Steenbergen [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, October 30, 2003 10:08 AM
Subject: Yankee Group declares core routing obsolete (was Re: Anybody using GBICs?)

> On Tue, Oct 28, 2003 at 03:25:43PM -0500, Richard A Steenbergen wrote:
>> On Tue, Oct 28, 2003 at 09:48:01AM -0800, [EMAIL PROTECTED] wrote:
>>> I'm looking into doing some research that will make use of GBICs
>>> (Gigabit Interface Converters), but I need to know how many of you are
>>> using GBICs in your networks? If you are using them, where do they fit
>>> into your topology?
>>
>> Hello,
>>
>> I am also doing some research and would like to know how many of you are
>> using routers in your networks? I am considering making use of them, but
>> first I need to know where they fit into your topology?
>
> http://story.news.yahoo.com/news?tmpl=storycid=75e=18u=/nf/22581
>
> "Plainly stated, routers no longer have a home in the core of the network.
> You might have found a router there five years ago, but most certainly
> you have a switch today," said Yankee Group vice president Zeus Kerravala.
>
> Whew, good thing I checked, I almost went out and bought routers for my
> network. :)
>
> --
> Richard A Steenbergen [EMAIL PROTECTED] http://www.e-gerbil.net/ras
> GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
Re: Yankee Group declares core routing obsolete (was Re: Anybody using GBICs?)
> Date: Thu, 30 Oct 2003 13:52:54 -0500
> From: Daniel Golding
>
> Let's all be thankful they are now using ASICs, though! All that software based routing was making me nervous - five years ago :)

Routing or forwarding?

Eddy
--
Brotsman Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_
DO NOT send mail to the following addresses: [EMAIL PROTECTED] -or- [EMAIL PROTECTED] -or- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.
Re: [Re: Yankee Group declares core routing obsolete (was Re: Anybody using GBICs?)]
E.B. Dreger [EMAIL PROTECTED] wrote:
> [cut]
> So STP is now the control plane protocol of choice? ;-)

no, not at all - remember he said 'layer 3 switch', stp is no longer needed, just like those router things ;)

/joshua

Walk with me through the Universe, And along the way see how all of us are Connected. Feast the eyes of your Soul, On the Love that abounds. In all places at once, seemingly endless, Like your own existence. - Stephen Hawking -
Re: 'Net security gets root-level boost
> Love this quote from Verisign:
>
> "We tested Anycast for about a year...to monitor its behavior," Silva says. "These are important servers, and we didn't want to make any rash decisions about deploying it."

*gag*

And wildcard entries?

at the icann-secsac meeting in wdc on 15oct03, verisign said that they had turned the wildcard on several times, for a minute or two each time, without notice to the community, in order to ensure that there were no operational problems with it. so, apparently, testing is a way of life. (sadly for me personally, they didn't give dates or times that these tests had been run, nor did they say they would preannounce future tests, so nobody but verisign will be able to synchronize other measurements with these tests.)

-- Paul Vixie
Re: Yankee Group declares core routing obsolete (was Re: Anybody using GBICs?)
On Thu, 30 Oct 2003, E.B. Dreger wrote:
>> What brand of switch is this guy selling? And what is he smoking? Sure would be interesting to find out :)
>
> Maybe the Yankee Group is a subsidiary of Ncatal Ventures.

That was my thought. It's "Dood, Where's my Core?" all over again!
Re: Yankee Group declares core routing obsolete (was Re: Anybody using GBICs?)
>> Maybe the Yankee Group is a subsidiary of Ncatal Ventures.
>
> That was my thought. It's "Dood, Where's my Core?" all over again!

It got lost in san franCisco.

Alex
traffic engineering (or lack of thereof)
> And how many people here operate non-oversubscribed networks?

The right question here should be "How many people here operate non-super-oversubscribed networks?" Oversubscribed by a few percent is one thing, oversubscribed the way a certain cable company in NEPA does it is another.[1]

> So having 3 Gb of DoS traffic coming across a half dozen peering OC48s isn't that bad; but having it try to fit onto a pair of OC48s into the backbone that are already running at 40% capacity means you're SOL unless you filter some of that traffic out.

Why does your backbone have only two OC48s that are 40% utilized if you have half a dozen peering OC48s that can easily take those 3Gb/sec?

> And I've been in that situation more times than I'd like to remember, because you can't justify increasing capacity internally from a remote peering point into the backbone simply to be able to handle a possible DoS attack.

This means that the PNIs of such a network are full already. So we are back to the super-oversubscribed issue.

> Even if you _do_ upgrade capacity there, and you carry the extra 3Gb of traffic from your peering links through your core backbone, and off to your access device, you suddenly realize that the gig port on your access device is now hosed. You can then filter the attack traffic out on the device just upstream of the access box, but then you're carrying it through your core only to throw it away after using up backbone capacity; why not discard it sooner rather than later, if you're going to have to discard it anyhow?

Because you do not know what is the evil traffic and what is the good traffic.

> And under those circumstances, there is a strong preference to discard bad traffic rather than good traffic if at all possible. One technique we currently use for making those decisions is looking at the type of packets; are they 92 byte ICMP packets, are they TCP packets destined for port 1434, etc.

And this technique presumes that the backbone routers know which packets their customers want to go through and which ones they do not. Again, this is not a job of backbone routers. It is a kludge that should be accepted as a kludge.

> I'd be curious to see what networks you know of where the IS component does *no* statistical aggregation of traffic whatsoever. :)

The example that you are using is not based on statistical traffic aggregation. Rather it is based on an arbitrary decision of what is good and what is bad traffic (just like certain operators that claimed that DHS ordered them to block certain ports).

> Matt

Alex

[1] Bring three T1s of IP. Sell service to several hundred cable customers.
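The exchange above turns on two things: whether a transit network can tell "evil" traffic from good by packet type alone, and how much of the offered load such a coarse rule would actually remove before it reaches the backbone. The following is an added example, not code posted by Matt, Alex or anyone else in the thread. It encodes the two heuristics Matt names (92-byte ICMP, TCP to port 1434) as a rule table, runs them over a small constructed sample of packet headers using documentation-range addresses, and reports per-rule packet, byte and bit-rate totals over a one-second window. The `Packet` type, rule names and sample values are all assumptions made for the illustration.

```python
"""Triage sampled packets against coarse "packet type" heuristics and report
how much of the offered load each rule would drop.
Added illustration for the thread; not code from any poster."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal view of a sampled packet header (constructed for this example)."""
    proto: str      # "icmp", "tcp" or "udp"
    src: str
    dst: str
    length: int     # total IP length in bytes
    dport: int = 0  # transport destination port; 0 for ICMP


# Rule table: rule name -> predicate. Kept as data so an operator can tune it
# without touching the classifier. The two entries are the heuristics the
# message names, written exactly as it states them.
RULES: Dict[str, Callable[[Packet], bool]] = {
    "icmp-92-byte": lambda p: p.proto == "icmp" and p.length == 92,
    "tcp-dport-1434": lambda p: p.proto == "tcp" and p.dport == 1434,
}


def classify(pkt: Packet) -> Optional[str]:
    """Return the first matching rule name, or None if no rule matches."""
    for name, matches in RULES.items():
        if matches(pkt):
            return name
    return None


def split(packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Partition a sample into (kept, dropped) under the rule table."""
    kept = [p for p in packets if classify(p) is None]
    dropped = [p for p in packets if classify(p) is not None]
    return kept, dropped


def summarize(packets: List[Packet], window_s: float) -> Dict[str, Dict[str, float]]:
    """Per-rule packet count, byte count and offered bit rate over the window.
    Packets matching no rule are reported under "clean"."""
    summary: Dict[str, Dict[str, float]] = {}
    for p in packets:
        bucket = classify(p) or "clean"
        entry = summary.setdefault(bucket, {"packets": 0, "bytes": 0, "bps": 0.0})
        entry["packets"] += 1
        entry["bytes"] += p.length
    for entry in summary.values():
        entry["bps"] = entry["bytes"] * 8 / window_s
    return summary


# Constructed sample: documentation-range addresses, one second of captures.
SAMPLE: List[Packet] = [
    Packet("icmp", "203.0.113.10", "198.51.100.5", 92),
    Packet("icmp", "203.0.113.11", "198.51.100.6", 92),
    Packet("icmp", "203.0.113.12", "198.51.100.7", 92),
    Packet("icmp", "203.0.113.13", "198.51.100.8", 84),   # an ordinary 84-byte ping
    Packet("tcp", "203.0.113.20", "198.51.100.9", 60, dport=1434),
    Packet("tcp", "203.0.113.21", "198.51.100.9", 1500, dport=80),
    Packet("udp", "203.0.113.22", "198.51.100.10", 512, dport=53),
]


if __name__ == "__main__":
    for rule, stats in summarize(SAMPLE, window_s=1.0).items():
        print(f"{rule:15s} {stats['packets']:3d} pkts "
              f"{stats['bytes']:5d} bytes {stats['bps']:8.0f} bps")
```

Two things the run makes concrete. The per-rule bit rate is the number an operator needs before deciding whether a filter at the peering edge is worth it: it says how much of the load would never have to cross the backbone. And the ICMP rule matches on length alone, so it would also drop a legitimate 92-byte ping, which is Alex's objection in miniature: the rule encodes a judgement about what is "bad", not knowledge of what the end systems want.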
Re: [arin-announce] IPv4 Address Space (fwd)
>> Leave content filtering to the ES, and *force* ES to filter the content.
>
> It's not content filtering, I'm not filtering only certain html traffic (like access to porn sites), I'm filtering traffic that is causing harm to my network and if I know what traffic is causing problems for me, I'll filter it first chance I get.

It is content filtering. You are filtering packets that you think are causing problems to the ES that you may not control.

Alex
Re: Re: IPv6 NAT
insert rant on somewhere after observable trigger point

Owen DeLong [EMAIL PROTECTED] wrote:
> In fact, Michael, there is no reason someone can't do everything you describe with IPv4 if they are using unique address space.

Now this is the point where my annoyance level goes up with the rampant aversion to IPv6 I see even in a community proud of its adoption of technology. I realise the NA in nanog stands for an IP address and bandwidth rich region of the world, but frankly the IPv4 address policies and access levels are starting to get right up my nose. The premises *you* are working on simply do not hold in the nations where data comms is really starting to take off. Think Asia.

Have a good hard look at how IP telephony on a large scale - even in NA and Au - is going to have to be rolled out:
- encryption engines all over the place, with multiple encryption adds and removes
- multiple identity verification checks
- NAT and un-NAT points potentially at more than one place along the way
- firewalls and filters changed everywhere
- proprietary fixes and weird new stupid protocols migcom??
- multiple compression points when we should be looking at ways of flagging this in the headers and preserving type

v6 *has* IPSec, QoS and the concept of any to any built in. It's *not* a work around. It's how it works.

We are making things much harder for ourselves increment by increment. We are lining ourselves up for massive amounts of rework in a few years time. By that time I will be getting too old to think it through and by that time you children who have lived all your lives in a NATted v4 world won't understand what it's like to stroll down the information street or meet in a public place or library! Maybe you already don't!

We need to stop pretending we live in a world of secured networks and build security back into the whole proposition! v6 gives us that opportunity.

While I'm at it I'll remind people that extranets work much more nicely when in uniquely numbered space. So even in the quasi private space we've stuffed up. Yeah sure, MPLS partly fixes this, but it still causes unwanted complexity along the way.

And these stupid little poxy - sorry pRoxy - home routers (1) that proxy everything fine one day and lose their configs, or goodness knows what the next, and you go from six (2) home computers connected to one or none, are absolute rubbish! I'm starting to think we're seriously missing out.

end rant :-)

Narelle Clark [EMAIL PROTECTED]
getting in touch with her inner bofh

(1) these things are bridges and they don't even bridge properly, regardless of what it says on the packaging, let alone terminate PPP over whatever it claims to be today. Can someone tell these fools that PPP stands for 'POINT to POINT' protocol? Not kludge over multiple media???

(2) six home computers does not mean a business, nor high bandwidth use. It means a *family*. We are a multilingual (OS wise) household. They are not new and the computers have more Internet experience than many techies I see.
Re: [arin-announce] IPv4 Address Space (fwd)
Recently, [EMAIL PROTECTED] (Alex Yuriev) wrote:
>>> Leave content filtering to the ES, and *force* ES to filter the content.
>>
>> It's not content filtering, I'm not filtering only certain html traffic (like access to porn sites), I'm filtering traffic that is causing harm to my network and if I know what traffic is causing problems for me, I'll filter it first chance I get.
>
> It is content filtering. You are filtering packets that you think are causing problems to the ES that you may not control.
>
> Alex

Alex, please re-read the first paragraph. He said "I'm filtering traffic that is causing harm to *my* network..." (emphasis mine). He's not filtering out packets he thinks are causing problems to the ES, he's filtering out packets that are causing him problems directly, as the IS.

Matt
Re: [arin-announce] IPv4 Address Space (fwd)
> Alex, please re-read the first paragraph. He said "I'm filtering traffic that is causing harm to *my* network..." (emphasis mine). He's not filtering out packets he thinks are causing problems to the ES, he's filtering out packets that are causing him problems directly, as the IS.

And since the IS is not the ES, it SHOULD NOT be filtering based on content since it is NOT IS's content. Again, *force* ES to filter and hold it responsible for not doing it.

Alex
Re: [arin-announce] IPv4 Address Space (fwd)
At 02:41 PM 10/30/2003, Alex Yuriev wrote:
>> Alex, please re-read the first paragraph. He said "I'm filtering traffic that is causing harm to *my* network..." (emphasis mine). He's not filtering out packets he thinks are causing problems to the ES, he's filtering out packets that are causing him problems directly, as the IS.
>
> And since the IS is not the ES, it SHOULD NOT be filtering based on content since it is NOT IS's content. Again, *force* ES to filter and hold it responsible for not doing it.

Do you have a generator in your colo/server space? Why? To follow your logic out, should you not simply be *forcing* the Electric Company to provide power and hold it responsible for not doing so? (Hmm, no, that is slightly different as you are a direct customer.)

Better example: if you are UPS and a package being shipped is emitting RF that is interfering with your plane avionics, should you not remove that package from the shipment (filter it out, as it were)? Or do you simply carry on and crash the plane, destroying the other packages onboard, and simply try to hold the sender of the bad package responsible?

It is sound business logic that if something is impacting your ability to provide service *and* you are provided with the means to address the problem, that you should utilize those means (within the extent allowed by the law and your legal agreements).

-Chris
--
\\\|||/// \ StarNet Inc. \ Chris Parker \ ~ ~ / \ WX *is* Wireless!\ Director, Engineering | @ @ |\ http://www.starnetwx.net \ (847) 963-0116 oOo---(_)---oOo--\-- \ Wholesale Internet Services - http://www.megapop.net
Re: [arin-announce] IPv4 Address Space (fwd)
>>> to the ES, he's filtering out packets that are causing him problems directly, as the IS.
>>
>> And since the IS is not the ES, it SHOULD NOT be filtering based on content since it is NOT IS's content. Again, *force* ES to filter and hold it responsible for not doing it.
>
> Do you have a generator in your colo/server space? Why? To follow your logic out, should you not simply be *forcing* the Electric Company to provide power and hold it responsible for not doing so? (Hmm, no, that is slightly different as you are a direct customer.)

I am so glad that you used that example. The way people currently propose everyone operates is equivalent to a company that transmits AC to a customer deciding that some part of the AC waveform is harmful to its equipment, and therefore should be filtered out. Of course, no one bothers to tell the customer that the filter exists, or what is being filtered, or when, or how.

> Better example: if you are UPS and a package being shipped is emitting RF that is interfering with your plane avionics, should you not remove that package from the shipment (filter it out, as it were)?

Another excellent example - UPS will not remove that. The shipper will.

> It is sound business logic that if something is impacting your ability to provide service *and* you are provided with the means to address the problem, that you should utilize those means (within the extent allowed by the law and your legal agreements).

The first part of any legal agreement establishes the parties subject to it. That is exactly what you are missing while being an IS.

Alex
Re: [arin-announce] IPv4 Address Space (fwd)
At 03:25 PM 10/30/2003, Alex Yuriev wrote:
>>>> to the ES, he's filtering out packets that are causing him problems directly, as the IS.
>>>
>>> And since the IS is not the ES, it SHOULD NOT be filtering based on content since it is NOT IS's content. Again, *force* ES to filter and hold it responsible for not doing it.
>>
>> Do you have a generator in your colo/server space? Why? To follow your logic out, should you not simply be *forcing* the Electric Company to provide power and hold it responsible for not doing so? (Hmm, no, that is slightly different as you are a direct customer.)
>
> I am so glad that you used that example. The way people currently propose everyone operates is equivalent to a company that transmits AC to a customer deciding that some part of the AC waveform is harmful to its equipment, and therefore should be filtered out. Of course, no one bothers to tell the customer that the filter exists, or what is being filtered, or when, or how.

So, electric grids do not have any mechanisms to disconnect from other grids (ie, stop transiting their electricity) if one is doing something that causes problems on the local grid? As a customer I would very much like my provider to filter out waveforms that would prevent their ability to provide me with my service.

If the issue is how to communicate what is being filtered to the customer, then we simply need to find a way to do that. The solution to "it is hard to communicate what is being filtered to the end-users" is not "oh well, we won't filter anything". At least not as I see it. Supposing a network *did* provide a way to inform customers what was being filtered. Would you still object to the filtering?

> Another excellent example - UPS will not remove that. The shipper will.

How? I'm the shipper. I put the RF generating device into a package and give it to UPS. They will do nothing to remove it or not ship it? It is only up to me to not do it? Al Qaeda would love that to be true I'm sure. :)

> The first part of any legal agreement establishes the parties subject to it. That is exactly what you are missing while being an IS.

There is a chain of agreements connecting you to the source/dest of any traffic on your network. Even if it is a customer of a customer of a customer, you have a chain of agreements that establishes you as a party. In what scenario would there not be a chain of agreements to connect you as a party?

-Chris
Re: more on filtering
Recently, [EMAIL PROTECTED] (Alex Yuriev) wrote:
>> So, electric grids do not have any mechanisms to disconnect from other grids (ie, stop transiting their electricity) if one is doing something that causes problems on the local grid? As a customer I would very much like my provider to filter out waveforms that would prevent their ability to provide me with my service.
>
> They disconnect the SOURCE of the problem forcing the SOURCE to behave. That is the equivalent of forcing the ES to behave.

Unfortunately, as the Northeast seaboard of the US discovered not too long ago, the electrical system is somewhat like the Internet; it attempts to route around failures, meaning that simply shutting down the link along which the damaging waveform is propagating does not prevent it from entering your grid; it simply follows a different pathway in. And in shutting down the direct pathway, you may well cause more stability problems as the flow shifts onto alternate interconnects.

Likewise, if I am network A, and a customer of mine is sending attack packets towards a customer of network B, simply shutting down the peering links between network A and network B does nothing to prevent the attack packets from entering network B. Network B would have to isolate itself completely from the rest of the Internet core in order to ensure my bad packets did not enter their network. Anything less, and as long as there is some transit path that can be used to get from my network to network B, the attack packets will still flow and enter network B. I don't think anyone here would defend isolating themselves from the rest of the Internet as being a better solution than say putting in filters to block port 1434 traffic.

> Traffic to port X cannot be specified as valid or invalid for any IS, because the IS does not know why such traffic exists.

We're not saying the traffic is invalid; we're saying the traffic is causing us harm. As with most organisms, there is a strong instinct for self-preservation. If the traffic is causing extensive degradation to the IS, it's better for the IS to try to preserve itself by limiting the impact of the traffic, regardless of whether it is valid or not.

I'm starting to get the sense that you've never actually been in the hot seat of a major network before, so for the sake of everyone who has, who is no doubt getting rather tired of your stubborn stance, I'll make this my last public response on the issue. Feel free to continue this via private email if you'd like.

> Alex

Matt
Re: [arin-announce] IPv4 Address Space (fwd)
On Thu, 30 Oct 2003 12:12:22 EST, Alex Yuriev said:
>>> Leave content filtering to the ES, and *force* ES to filter the content.
>>
>> It's not content filtering, I'm not filtering only certain html traffic (like access to porn sites), I'm filtering traffic that is causing harm to my network and if I know what traffic is causing problems for me, I'll filter it first chance I get.
>
> It is content filtering. You are filtering packets that you think are causing problems to the ES that you may not control.

No, he said quite clearly he's filtering packets (such as Nachi ICMP) that are causing harm to *his* network. He gets to make a choice - filter the known problem packets so the rest of the traffic can get through, or watch the network melt down and nobody gets anything.
RE: IPv6 NAT
Kuhtz, Christian wrote:
> ...
> All hairsplitting aside, given that the term NAT these days is mostly used in a PAT (particularly in a customer connecting to the I) context, what isn't secure about?

mangling the header doesn't provide any security, and if you believe it does, do the following exercise:

Configure a static NAT entry to map all packets from the public side to a single host on the private side. Show how that mapping provides any more security than what would exist by putting the public address on that host.

A stateful filter that is automatically populated by traffic originated from the private side is what is providing 'security'. That function existed in routers long before NAT was specified by the IETF (see RFC1044 for vendor).

Tony
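Tony's exercise can be run as a simulation rather than on real routers. The following is an added example, not code from Tony or from anyone else in the thread. It models three ways of connecting an inside host: the host owning the public address outright, a static 1:1 NAT entry that rewrites addresses and forwards everything sent to the public address, and a stateful filter with no address rewriting whose table is populated only by traffic the inside host originates (the check-state / keep-state / deny pattern). The same scenario is run against each: the host opens a TCP connection, the server replies, and an unrelated outside host sends an unsolicited connection attempt. All addresses, ports and class names are constructed for the illustration.

```python
"""Which inbound packets reach the inside host under a public address, a static
1:1 NAT entry, and a stateful filter? Added illustration of the thread's
argument; not code from any poster."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple

PUBLIC = "198.51.100.10"   # address the outside world sees (constructed)
PRIVATE = "10.0.0.10"      # inside host's address behind the NAT (constructed)
SERVER = "203.0.113.80"    # server the inside host connects to (constructed)
OTHER = "192.0.2.66"       # unrelated outside host (constructed)

FlowKey = Tuple[str, str, int, str, int]   # proto, src, sport, dst, dport


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def key(p: Packet) -> FlowKey:
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def reverse_key(p: Packet) -> FlowKey:
    """Key of the packet that would come back in reply to this one."""
    return (p.proto, p.dst, p.dport, p.src, p.sport)


class PublicHost:
    """No middlebox at all: the host simply owns the public address."""
    host_addr = PUBLIC
    public_addr = PUBLIC

    def outbound(self, p: Packet) -> Packet:
        return p

    def inbound(self, p: Packet) -> Optional[Packet]:
        return p if p.dst == PUBLIC else None


class StaticNat:
    """Static 1:1 entry: rewrite addresses, forward everything sent to PUBLIC."""
    host_addr = PRIVATE
    public_addr = PUBLIC

    def outbound(self, p: Packet) -> Packet:
        return replace(p, src=PUBLIC) if p.src == PRIVATE else p

    def inbound(self, p: Packet) -> Optional[Packet]:
        return replace(p, dst=PRIVATE) if p.dst == PUBLIC else None


class StatefulFilter(PublicHost):
    """check-state / allow from inside keep-state / deny.
    No address rewriting; only replies to flows the inside host started get in."""

    def __init__(self) -> None:
        self.state: Set[FlowKey] = set()

    def outbound(self, p: Packet) -> Packet:
        self.state.add(reverse_key(p))          # keep-state
        return p

    def inbound(self, p: Packet) -> Optional[Packet]:
        return p if key(p) in self.state else None   # check-state, otherwise deny


def run_scenario(device) -> Dict[str, bool]:
    """Inside host opens TCP to SERVER:80, SERVER replies, OTHER sends an
    unsolicited SYN to port 22. Report which inbound packets reach the host."""
    syn = Packet("tcp", device.host_addr, 40000, SERVER, 80)
    on_wire = device.outbound(syn)                       # as seen outside
    reply = Packet("tcp", SERVER, 80, on_wire.src, on_wire.sport)
    unsolicited = Packet("tcp", OTHER, 51515, device.public_addr, 22)
    return {
        "reply_delivered": device.inbound(reply) is not None,
        "unsolicited_delivered": device.inbound(unsolicited) is not None,
    }


if __name__ == "__main__":
    for name, dev in (("public address", PublicHost()),
                      ("static NAT", StaticNat()),
                      ("stateful filter", StatefulFilter())):
        print(f"{name:16s} {run_scenario(dev)}")
```

The static NAT case and the plain public address case produce identical results: the reply gets in, and so does the unsolicited packet, because a static mapping forwards whatever arrives for the public address. Only the stateful filter blocks the unsolicited packet, and it does so without touching a single address. That is the whole of Tony's point: the property people attribute to NAT comes from the state table, which can be had with or without address rewriting.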
Re: more on filtering
On Thu, 30 Oct 2003, Chris Parker wrote:
> The source of the problem of bad packets is where they ingress to my network. I disconnect the flow of bad packets through filtering. What is the difference, other than I do not remove an entire interconnect, only the portion of packets that is affecting my ability to provide services?

If the *content* of the packets is breaking your network: Your network is obviously broken.
RE: [arin-announce] IPv4 Address Space (fwd)
Christian:
> And I bet then still somebody will build an IPv6 NAT box for some bizarro reason.

ftp://ftp.rfc-editor.org/in-notes/rfc2766.txt

Gary Blankenship
Foundry Networks (Japan)