Re: Yankee Group declares core routing obsolete (was Re: Anybody using GBICs?)
: Plainly stated, routers no longer have a home in the core of the network.
: You might have found a router there five years ago, but most certainly
: you have a switch today, said Yankee Group vice president Zeus Kerravala.
:
: What brand of switch is this guy selling? And what is he smoking? Sure
: would be interesting to find out :)

Vendor F *choke* *splutter*

When will they learn that routers and switches are no longer differentiated by internal implementation details, i.e. software vs. hardware implementation? Nowadays both categories are implemented identically as a combination of hardware (where speed counts) and software (where flexibility and interoperability come first).

Besides, there is no THE core of THE network. Different networks have different core characteristics to deal with (size, customer base) and therefore choose different products. The old Internet, where everyone used more or less the same devices, is gone. Today's Internet is much bigger, more diverse, and engineered by people who have a lot higher skill level based on hard-won experience.

Why do businesses keep supporting these cheerleader analyst groups who want to treat everything as some sort of fashion fad?

--Michael Dillon
Re: Yankee Group declares core routing obsolete (was Re: Anybody using GBICs?)
Date: Fri, 31 Oct 2003 09:53:09 +
From: [EMAIL PROTECTED]

> Today's Internet is much bigger, more diverse, and engineered by people
> who have a lot higher skill level based on hard-won experience.
>
> Why do businesses keep supporting these cheerleader analyst groups who
> want to treat everything as some sort of fashion fad?

Because it's easier than achieving a high skill level based on hard-won experience. Tier 1, layer 3 switch, et cetera.

Eddy
--
Brotsman Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita

DO NOT send mail to the following addresses : [EMAIL PROTECTED] -or- [EMAIL PROTECTED] -or- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.
Re: Yankee Group declares core routing obsolete (was Re: Anybody using GBICs?)
Thus spake Daniel Golding [EMAIL PROTECTED]
> Hmm. Don't you just love it when folks say things like Layer 3 Switches
> are better than routers. It's very illuminating as to clue level. I
> suppose what they were trying to say, is that products that were designed
> as switches, but are now running routing code, are superior to products
> that were designed as routers, and are running routing code. Of course,
> this is demonstrably false. Layer 3 Switch is like Tier 1 ISP -
> meaningless marketing drivel, divorced from any previous technical meaning.

I've always stated that switch is a marketing term meaning fast. Thus a L2 switch is a fast bridge and a L3 switch is a fast router. In this light, the Yankee Group is just now catching on to something we all knew a decade ago -- slow (i.e. software) routers are dead.

There's a more interesting level to the discussion if you look at what carriers are interested in for their backbone hardware today; while I'm obviously biased based on my employer, I've seen a lot more emphasis on $20k-per-10GE-port L3 switches than $200k-per-10GE-port core routers in the current economic climate.

S

Stephen Sprunk        "God does not play dice." --Albert Einstein
CCIE #3723            "God is an inveterate gambler, and He throws the
K5SSS                 dice at every possible opportunity." --Stephen Hawking
The Cidr Report
This report has been generated at Fri Oct 31 21:48:28 2003 AEST.

The report analyses the BGP Routing Table of an AS4637 (Reach) router and generates a report on aggregation potential within the table.

Check http://www.cidr-report.org/as4637 for a current version of this report.

Recent Table History

  Date      Prefixes  CIDR Agg
  24-10-03    126836     89904
  25-10-03    126575     90050
  25-10-03    126891     90138
  27-10-03    126973     90190
  28-10-03    127076     90375
  29-10-03    127450     90327
  30-10-03    127375     90445
  31-10-03    128001     90054

AS Summary

  16044     Number of ASes in routing system
   6383     Number of ASes announcing only one prefix
   2061     Largest number of prefixes announced by an AS
            AS209 : ASN-QWEST Qwest
  73586432  Largest address span announced by an AS (/32s)
            AS568 : SUMNET-AS DISO-UNRRA

Aggregation Summary

The algorithm used in this report proposes aggregation only when there is a precise match using the AS path, so as to preserve traffic transit policies. Aggregation is also proposed across non-advertised address space ('holes').

  --- 31Oct03 ---
  ASnum     NetsNow  NetsAggr  NetGain  % Gain  Description

  Table      128193     90037    38156   29.8%  All ASes

  AS209        2061       546     1515   73.5%  ASN-QWEST Qwest
  AS4323        680       197      483   71.0%  TW-COMM Time Warner Communications, Inc.
  AS701        1424       990      434   30.5%  ALTERNET-AS UUNET Technologies, Inc.
  AS7018       1356       944      412   30.4%  ATT-INTERNET4 ATT WorldNet Services
  AS7843        532       132      400   75.2%  ADELPHIA-AS Adelphia Corp.
  AS6197        645       272      373   57.8%  BATI-ATL BellSouth Network Solutions, Inc
  AS6198        569       229      340   59.8%  BATI-MIA BellSouth Network Solutions, Inc
  AS22909       305        21      284   93.1%  DNEO-OSP1 Comcast Cable Communications, Inc.
  AS4355        389       109      280   72.0%  ERMS-EARTHLNK EARTHLINK, INC
  AS22773       297        19      278   93.6%  CCINET-2 Cox Communications Inc. Atlanta
  AS1221        958       681      277   28.9%  ASN-TELSTRA Telstra Pty Ltd
  AS6347        340        86      254   74.7%  DIAMOND SAVVIS Communications Corporation
  AS1239        921       669      252   27.4%  SPRINTLINK Sprint
  AS4134        359       120      239   66.6%  CHINANET-BACKBONE No.31,Jin-rong Street
  AS17676       276        39      237   85.9%  GIGAINFRA Softbank BB Corp.
  AS25844       243        11      232   95.5%  SKADDEN1 Skadden, Arps, Slate, Meagher Flom LLP
  AS27364       316        87      229   72.5%  ACS-INTERNET Armstrong Cable Services
  AS11305       230        38      192   83.5%  INTERLAND-NET1 Interland Incorporated
  AS9583        271        82      189   69.7%  SATYAMNET-AS Satyam Infoway Ltd.,
  AS4519        189        10      179   94.7%  MAAS Maas Communications
  AS6140        337       160      177   52.5%  IMPSAT-USA ImpSat
  AS2386        385       209      176   45.7%  INS-AS ATT Data Communications Services
  AS6327        204        28      176   86.3%  SHAW Shaw Communications Inc.
  AS14654       178         2      176   98.9%  WAYPORT Wayport
  AS9498        201        28      173   86.1%  BBIL-AP BHARTI BT INTERNET LTD.
  AS2048        252        86      166   65.9%  LANET-1 State of Louisiana
  AS15270       202        44      158   78.2%  AS-PAETEC-NET PaeTec.net -a division of PaeTecCommunications, Inc.
  AS705         394       238      156   39.6%  ALTERNET-AS UUNET Technologies, Inc.
  AS5668        310       156      154   49.7%  CENTURY Century Telephone
  AS11172       192        42      150   78.1%  MX-SASC-LACNIC Servicios Alestra S.A de C.V

  Total       15016      6275     8741   58.2%  Top 30 total

Possible Bogus Routes

  24.119.0.0/16    AS11492  CABLEONE CABLE ONE
  61.12.32.0/24    AS7545   TPG-INTERNET-AP TPG Internet Pty Ltd
  61.12.34.0/24    AS7545   TPG-INTERNET-AP TPG Internet Pty Ltd
  64.30.64.0/19
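An added example, not part of the CIDR Report or its own tooling: a small Python routine that applies the aggregation rule stated above (merge only where the AS path matches exactly, but allow unannounced 'holes' inside the aggregate) to a constructed table, and then derives the NetsNow / NetsAggr / NetGain / % Gain figures the report's table shows. The prefixes and AS numbers are made up, and the greedy adjacent-merge is a simplification of the report's own method.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

Prefix = ipaddress.IPv4Network
ASPath = Tuple[int, ...]

# Constructed sample routing table: one prefix and its AS path per line.
# Paths are as seen from the reporting router; the origin AS is last.
SAMPLE_TABLE = """
198.51.100.0/24    4637 701 64500
198.51.100.0/25    4637 701 64500
198.51.101.0/24    4637 701 64500
198.51.103.0/24    4637 701 64500
203.0.112.0/24     4637 7018 64501
203.0.113.0/25     4637 7018 64501
203.0.113.128/25   4637 7018 64502
"""


def parse_table(text: str) -> Dict[Prefix, ASPath]:
    """Parse 'prefix  AS AS AS' lines into {network: as_path}."""
    table: Dict[Prefix, ASPath] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        prefix, *path = line.split()
        table[ipaddress.ip_network(prefix)] = tuple(int(asn) for asn in path)
    return table


def common_supernet(a: Prefix, b: Prefix) -> Prefix:
    """Smallest single prefix that covers both a and b."""
    s = a
    while not b.subnet_of(s):
        s = s.supernet()
    return s


def conflicts(candidate: Prefix, table: Dict[Prefix, ASPath], path: ASPath) -> bool:
    """True if anything announced inside `candidate` carries a different AS path.
    Unannounced space (a hole) inside the candidate is allowed, as in the report."""
    return any(p.subnet_of(candidate) and table[p] != path for p in table)


def aggregate(table: Dict[Prefix, ASPath]) -> Dict[Prefix, ASPath]:
    """Greedy aggregation: adjacent entries with an identical AS path are replaced
    by their common supernet as long as that supernet swallows no prefix that is
    announced with another path (which would change transit policy)."""
    by_path: Dict[ASPath, List[Prefix]] = defaultdict(list)
    for prefix, path in table.items():
        by_path[path].append(prefix)

    result: Dict[Prefix, ASPath] = {}
    for path, prefixes in by_path.items():
        merged: List[Prefix] = []
        # Address order, covering prefix before its more-specifics, so a
        # more-specific announced with the same path simply collapses into it.
        for p in sorted(prefixes, key=lambda n: (int(n.network_address), n.prefixlen)):
            if merged:
                candidate = common_supernet(merged[-1], p)
                if not conflicts(candidate, table, path):
                    merged[-1] = candidate
                    continue
            merged.append(p)
        for m in merged:
            result[m] = path
    return result


def summarize(table: Dict[Prefix, ASPath],
              aggregated: Dict[Prefix, ASPath]) -> Tuple[int, int, int, float]:
    """NetsNow, NetsAggr, NetGain and % Gain as the report's columns define them."""
    nets_now, nets_aggr = len(table), len(aggregated)
    gain = nets_now - nets_aggr
    return nets_now, nets_aggr, gain, round(100.0 * gain / nets_now, 1)


def demo():
    table = parse_table(SAMPLE_TABLE)
    aggregated = aggregate(table)
    return aggregated, summarize(table, aggregated)


if __name__ == "__main__":
    agg, (now, after, gain, pct) = demo()
    for prefix, path in sorted(agg.items(), key=lambda kv: int(kv[0].network_address)):
        print(f"{str(prefix):20} {' '.join(map(str, path))}")
    print(f"NetsNow={now} NetsAggr={after} NetGain={gain} Gain={pct}%")
```

In the sample, the four 4637 701 64500 entries collapse to 198.51.100.0/22 across the hole at 198.51.102.0/24, while 203.0.112.0/24 and 203.0.113.0/25 stay separate because their /23 would swallow a prefix with a different origin.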
Re: IPv6 NAT
Thus spake Tony Hain [EMAIL PROTECTED]
> Kuhtz, Christian wrote:
>> All hairsplitting aside, given that the term NAT these days is mostly
>> used in a PAT (particularly in a customer connecting to the I) context,
>> what isn't secure about?
>
> mangling the header doesn't provide any security, and if you believe it
> does, do the following exercise:

Mangling the header does not, but the stateful inspection and blocking used by a dynamic NAT/NAPT certainly does.

> Configure a static NAT entry to map all packets from the public side to a
> single host on the private side. Show how that mapping provides any more
> security than what would exist by putting the public address on that host.

You snipped my comment, which said: the standard usage of such devices is certainly that of a stateful firewall. Configuring a static mapping to a particular inside host is not the standard usage in my experience. Obviously if you intentionally create a hole in your security device, whether that be a NAT/NAPT or real firewall, that defeats some or even all of the protection offered.

> A stateful filter that is automatically populated by traffic originated
> from the private side is what is providing 'security'. That function
> existed in routers long before NAT was specified by the IETF (see RFC1044
> for vendor).

True. But consumers can't buy a RFC1044 device off the shelf today; what they can buy are generic NAT/NAPT devices which provide a minimal firewalling function _iff_ the user doesn't intentionally create holes. While it'd be nice if these devices didn't _require_ NAT/NAPT for their minimal operating mode, that's the configuration that is most likely to work in the setting it's intended for.

S

Stephen Sprunk        "God does not play dice." --Albert Einstein
CCIE #3723            "God is an inveterate gambler, and He throws the
K5SSS                 dice at every possible opportunity." --Stephen Hawking
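An added example, written for this digest and not by any of the posters: a Python model of the distinction drawn in the exchange above, a stateful filter populated only by traffic from the private side, run once with address/port translation and once without, plus the static-mapping case that opens a hole. The EdgeBox class, the addresses and the port numbers are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


# (proto, inside ip, inside port, remote ip, remote port)
FlowKey = Tuple[str, str, int, str, int]


class EdgeBox:
    """Constructed model of a consumer edge device. The stateful filter is
    always on; translation (NAPT) is optional, so the two can be compared."""

    def __init__(self, public_ip: str, translate: bool,
                 static_map: Optional[Dict[Tuple[str, int], Tuple[str, int]]] = None):
        self.public_ip = public_ip
        self.translate = translate
        # (proto, exposed port) -> (inside ip, inside port): an intentional hole
        self.static_map = static_map or {}
        self.flows: Dict[FlowKey, int] = {}   # flow -> source port seen outside
        self._next_port = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """Traffic from the private side creates state; NAPT also rewrites it."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.flows:
            if self.translate:
                self.flows[key] = self._next_port
                self._next_port += 1
            else:
                self.flows[key] = pkt.sport
        if not self.translate:
            return pkt
        return Packet(self.public_ip, self.flows[key], pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """The packet as delivered inside, or None if the filter drops it."""
        for (proto, in_ip, in_port, rem_ip, rem_port), out_port in self.flows.items():
            out_ip = self.public_ip if self.translate else in_ip
            if (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) == \
                    (proto, rem_ip, rem_port, out_ip, out_port):
                # Reply to a flow the inside host opened: pass (and un-translate).
                return Packet(rem_ip, rem_port, in_ip, in_port, proto)
        target = self.static_map.get((pkt.proto, pkt.dport))
        if target is not None:
            exposed_ip = self.public_ip if self.translate else target[0]
            if pkt.dst == exposed_ip:
                return Packet(pkt.src, pkt.sport, target[0], target[1], pkt.proto)
        return None   # unsolicited from the public side: dropped


SCANNER = "198.51.100.99"   # constructed addresses
WEB = "192.0.2.80"
PUBLIC = "203.0.113.7"


def unsolicited_blocked(box: EdgeBox, inside_ip: str) -> bool:
    """A probe for port 135 arriving with no prior outbound flow."""
    dst = PUBLIC if box.translate else inside_ip
    return box.inbound(Packet(SCANNER, 4444, dst, 135)) is None


def reply_delivered(box: EdgeBox, inside_ip: str) -> bool:
    """The inside host opens a connection; the server's reply must reach it."""
    seen_outside = box.outbound(Packet(inside_ip, 50000, WEB, 80))
    reply = Packet(WEB, 80, seen_outside.src, seen_outside.sport)
    delivered = box.inbound(reply)
    return delivered is not None and delivered.dst == inside_ip and delivered.dport == 50000


def compare() -> Dict[str, Tuple[bool, bool]]:
    """Same two checks against a NAPT box and a plain stateful filter:
    the results are identical, so the protection is the state, not the rewrite."""
    results = {}
    for label, translate, inside in (("napt", True, "192.168.1.10"),
                                     ("stateful_only", False, "203.0.113.10")):
        box = EdgeBox(PUBLIC, translate)
        results[label] = (unsolicited_blocked(box, inside), reply_delivered(box, inside))
    return results


def static_mapping_hole() -> bool:
    """A static mapping of port 135 to an inside host: the probe now gets through."""
    inside = "192.168.1.10"
    box = EdgeBox(PUBLIC, translate=True, static_map={("tcp", 135): (inside, 135)})
    delivered = box.inbound(Packet(SCANNER, 4444, PUBLIC, 135))
    return delivered is not None and delivered.dst == inside


if __name__ == "__main__":
    print(compare())                 # {'napt': (True, True), 'stateful_only': (True, True)}
    print(static_mapping_hole())     # True: the mapping is the hole Tony describes
```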
RE: more on filtering
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Parker
Sent: Thursday, October 30, 2003 9:01 PM
To: Alex Yuriev
Cc: [EMAIL PROTECTED]
Subject: Re: more on filtering

[...]

> I don't see how that is the same thing here. I have an agreement with
> cust X to provide services in accordance with my AUP. cust X resells that
> service to cust Y, etc. cust Y is bound to the terms and conditions of my
> agreement with cust X, despite that I do not have a direct agreement with
> cust Y.

Oh christ...network engineers trying to be lawyers. I don't know much, but I do know that legal agreements in the US are NOT transitive in this way, unless each agreement is included by reference in the other.

Daryl
RE: more on filtering
>> I don't see how that is the same thing here. I have an agreement with
>> cust X to provide services in accordance with my AUP. cust X resells that
>> service to cust Y, etc. cust Y is bound to the terms and conditions of my
>> agreement with cust X, despite that I do not have a direct agreement with
>> cust Y.
>
> Oh christ...network engineers trying to be lawyers. I don't know much, but
> I do know that legal agreements in the US are NOT transitive in this way,
> unless each agreement is included by reference in the other.

Yes and no. If my agreement with cust X says that they take responsibility for ensuring that any customers to whom they resell my service (or any traffic they transit into my network, to be more specific) must conform to my AUP, then the fact that it is cust Y that originated the violating traffic has little effect. I can still hold cust X responsible. As a good guy and for good customer service, I will, instead, first ask X to hold Y accountable and rectify the situation. If that doesn't work, you bet X will get disconnected or filtered.

Owen

--
If it wasn't signed, it probably didn't come from me.
Re: more on filtering
[EMAIL PROTECTED] wrote:
>> I don't see how that is the same thing here. I have an agreement with
>> cust X to provide services in accordance with my AUP. cust X resells that
>> service to cust Y, etc. cust Y is bound to the terms and conditions of my
>> agreement with cust X, despite that I do not have a direct agreement with
>> cust Y.
>
> Oh christ...network engineers trying to be lawyers. I don't know much, but
> I do know that legal agreements in the US are NOT transitive in this way,
> unless each agreement is included by reference in the other.

They aren't legally, but they are effectively. If X must abide by your AUP, then any traffic they forward for Y must also abide by your AUP (or whatever penalties are in your contract with X will kick in) - it doesn't matter what X's contract with Y says, as your contract is with X and any penalties are to be applied to X; It is therefore in X's best interest to insist Y abides by the AUP or indemnifies X for any penalties, and/or negotiates with you to make sure only Y's traffic is cut off on breach of the AUP by Y, rather than all traffic from X.
RE: more on filtering
-Original Message-
From: Owen DeLong [mailto:[EMAIL PROTECTED]
Sent: Friday, October 31, 2003 11:12 AM
To: Daryl G. Jurbala; [EMAIL PROTECTED]
Subject: RE: more on filtering

[...]

>> NOT transitive in this way, unless each agreement is included by
>> reference in the other.
>
> Yes and no. If my agreement with cust X says that they take
> responsibility for ensuring that any customers to whom they resell my
> service (or any traffic they transit into my network, to be more specific)
> must conform to my AUP, then the fact that it is cust Y that originated
> the violating traffic has little effect. I can still hold cust X
> responsible. As a good guy and for good customer service, I will, instead,
> first ask X to hold Y accountable and rectify the situation. If that
> doesn't work, you bet X will get disconnected or filtered.

I 100% agree with this (other than the first three words;) ). But legally, the agreement is not transitive. Legally it's YOUR customer only that is responsible to your AUP. It follows logically, but not legally, that your customer binds their customers to an AUP that is at least as restrictive as yours, or YOUR CUSTOMER will be in breach with you, if their customers exercise practices violating your AUP...whether they are allowed to in the contract with their upstream or not. I'm speaking legally only (yes, by random chance, I had my contract attorney on the phone when I first read this post). Logically, you're correct, but law != logic.

Daryl
RE: more on filtering
>> I don't see how that is the same thing here. I have an agreement with
>> cust X to provide services in accordance with my AUP. cust X resells that
>> service to cust Y, etc. cust Y is bound to the terms and conditions of my
>> agreement with cust X, despite that I do not have a direct agreement with
>> cust Y.
>
> Oh christ...network engineers trying to be lawyers.

Hey, it's only fair - I'm trying to be a network engineer. :-)

The concept about which the original poster is speaking is probably that of either sub-licensees or third party beneficiaries (different things, but he is probably thinking of one of those two concepts). In the former, it means that his *users* are bound by the same criteria as is he if he makes a contract with someone (it was the concept we used at Habeas to bind ISP users if an ISP signed a license with Habeas). The latter, third party beneficiaries, is *actually* what one would need to bind a users' own customers to the users' contract, and that must be spelled out explicitly in the contract between ISP and customer X.

Anne

Anne P. Mitchell, Esq.
President/CEO
Institute for Spam Internet Public Policy
Professor of Law, Lincoln Law School of SJ
Re: IPv6 NAT
-- On Friday, October 31, 2003 08:03 -0800 -- Owen DeLong [EMAIL PROTECTED] supposedly wrote:

> There is NO security benefit to NAT/PAT/NAPT.

Disagree. None of the scanning / infecting viruses could get past a $50 NAT/PAT device which Joe User brings home and turns on without configuring. Do not talk about if they statically NAT. Punching holes in stateful firewalls will cause just as much damage.

> There is a security benefit to stateful inspection.

Agreed. And I doubt anyone on this list would say differently.

> NAT is harmful to many protocols. Stateful inspection is not.

Possibly. But Joe User will never use those many protocols. Plus the overwhelming majority of protocols are not harmed by NAT. I would bet a statistically insignificant number of packets on the Internet (many places to the right of the decimal) are part of those protocols.

This does not mean we should NAT everything, since I use some of those protocols. But if every Joe User had a DLink NAT box in front of his Winbloze box, the Internet would be a safer place. And you know it.

--
TTFN,
patrick
RE: Yankee Group declares core routing obsolete (was Re: Anybody using GBICs?)
Stephen,

> I've always stated that switch is a marketing term meaning fast. Thus a
> L2 switch is a fast bridge and a L3 switch is a fast router. In this
> light, the Yankee Group is just now catching on to something we all knew
> a decade ago -- slow (i.e. software) routers are dead.

As you are probably more aware than I, software-based-forwarding routers will die when people stop running the so-called desktop protocols, and even then, most next-gen routers will continue to need functions that can only be provided economically and perhaps thermodynamically (in terms of heat dissipation) in the form of sw services running on purpose-built and/or general-purpose CPUs. Examples are VOIP call processors, some FW ALGs as new protocols emerge, etc.

The concept of L2 switching based on L3 information tends to be viable only when one can transparently bridge between the L2 protocols - otherwise, you are making L3-only decisions, and doing all sorts of L2 rewrite which many traditional Ethernet switches can't necessarily do. Things are getting better, but L3-switches pale in comparison to today's high-end routers on almost all fronts. If you take GigE out of the equation, modern L3 Switches are just as expensive as modern core routers - and routable, mpls-able L3 GE ports are _more_ expensive on switches than routers (see 4xGE OSM vs 4xGE GSR 'tetra' pricing). Media diversity, queuing performance, and FIB density are what really differentiate the two at this point, IMO. I am unaware of a traditional switch-turned-router (and I use these terms here as most do who draw a distinction) that can exceed the forwarding capacity of a core router when the media is largely WAN-based, there are complicated classification and filtering rules that are very dense, when complex queuing policy needs to be applied, and when the routing table is huge.

Or perhaps my earlier experience with these switches-trying-to-be-routers has left me a bit jaded.

> There's a more interesting level to the discussion if you look at what
> carriers are interested in for their backbone hardware today; while I'm
> obviously biased based on my employer, I've seen a lot more emphasis on
> $20k-per-10GE-port L3 switches than $200k-per-10GE-port core routers in
> the current economic climate.

Of course, a routable 10GE port does NOT cost $20k - sure you can do MLS or whatever it is called - but things like label imposition/disposition is not possible. Also, last I saw, my MLS-enabled MSFCs weren't able to gather vlan interface statistics - they were all embedded in some L2 asic that I had to glean from the switch. Further, Ethernet has the worst OAM capabilities of any modern media. BFD will help detect failures when it is available, but will never be able to tell me why. SONET is clearly superior in this aspect.

So, for enterprise switching, L3 switches are mostly fine - barring any funky bridging requirements (Blue protocols). But for carrier backbones, I suspect we will continue to see the majority of implementations using modern core routers. And we haven't even begun talking ATM and FR, and what device better suits these applications. Judging from your company's position on this front, I suspect that core routers may be our best bet here, given that many who could do switching well were unable to bolt on a usable, stable routing implementation. But that is another religious discussion for another day!

My .02

chris

> S
>
> Stephen Sprunk        "God does not play dice." --Albert Einstein
> CCIE #3723            "God is an inveterate gambler, and He throws the
> K5SSS                 dice at every possible opportunity." --Stephen Hawking
Re: IPv6 NAT
On 31 Oct 2003, at 11:43, Patrick W. Gilmore wrote:

>> There is NO security benefit to NAT/PAT/NAPT.
>
> Disagree. None of the scanning / infecting viruses could get past a $50
> NAT/PAT device which Joe User brings home and turns on without configuring.

It's not the NAT that those boxes are doing which protected Joe User (no relation). It's the firewall function of those boxes -- the function which stops certain traffic being permitted through the front door -- which stopped the viruses outside the front door infecting the windows box in the dining room.

The $50 NAT device performs the firewall function as well as the NAT function. A $50 device which just provided the firewall function would protect Joe User just as well from viruses. The NAT function is required because Joe User requires multiple addresses, but his ISP will only give him one. That's orthogonal to the firewall function.

Let's move on.

Joe
Re: IPv6 NAT
> This does not mean we should NAT everything, since I use some of those
> protocols. But if every Joe User had a DLink NAT box in front of his
> Winbloze box, the Internet would be a safer place. And you know it.

You're forgetting Rob Thomas's peripatetic presentation in Chicago. Not to mention the guy whose SSH session was outed by a keylogger. Check http://www.safer-networking.org/ for more on spyware and trojans. If this was the only way the black hats could wreak havoc then we would be seeing a lot more of it.

I think that the only thing which will make the Internet a safer place is time and hard work. We have to put in the effort to address *ALL* the weaknesses until we've raised the bar so high that only the toughest black hats have the time, skills and energy to break the weakest link.

--Michael Dillon
Re: IPv6 NAT
Patrick W. Gilmore wrote:
>> NAT is harmful to many protocols. Stateful inspection is not.
>
> Possibly. But Joe User will never use those many protocols. Plus the
> overwhelming majority of protocols are not harmed by NAT.

Of course NAT causes all sorts of damage to all sorts of protocols, as the debate over VPN software demonstrated, never mind voice applications and peer to peer networking. It also has substantial implications for mobility. This has all been well documented, as have workarounds. Having yet another argument about this on nanog is a waste of bits (to which I freely admit I'm contributing). Let me suggest we not bother with the rest of the argument, but just have people search the archives.

Eliot
RE: more on filtering
I'm well aware that law != logic. In fact, I have often said that there are two sayings which when recombined provide a more accurate picture of the true situation in the American legal system:

1. Possession is no excuse.
2. Ignorance is 9/10th of the law.

(Feel free to run that past your attorney as well)

I was stating that although legally, I can't do anything to X's customer directly, I certainly can, for example, block all traffic from Y at my ingress points if X won't get Y to correct their behavior. As such, while the agreement is not legally transitive, the authority it gives me allows me to effectively deal with Y indirectly. Obviously, it also provides an incentive for X to deal with Y directly, but, while I can't effect legal remedy against Y, the contract does allow me to effect network remedy against Y by dropping Y where X connects to me.

Owen

--On Friday, October 31, 2003 11:18 AM -0500 [EMAIL PROTECTED] wrote:

> -Original Message-
> From: Owen DeLong [mailto:[EMAIL PROTECTED]
> Sent: Friday, October 31, 2003 11:12 AM
> To: Daryl G. Jurbala; [EMAIL PROTECTED]
> Subject: RE: more on filtering
>
> [...]
>
>>> NOT transitive in this way, unless each agreement is included by
>>> reference in the other.
>>
>> Yes and no. If my agreement with cust X says that they take
>> responsibility for ensuring that any customers to whom they resell my
>> service (or any traffic they transit into my network, to be more
>> specific) must conform to my AUP, then the fact that it is cust Y that
>> originated the violating traffic has little effect. I can still hold
>> cust X responsible. As a good guy and for good customer service, I will,
>> instead, first ask X to hold Y accountable and rectify the situation. If
>> that doesn't work, you bet X will get disconnected or filtered.
>
> I 100% agree with this (other than the first three words;) ). But
> legally, the agreement is not transitive. Legally it's YOUR customer only
> that is responsible to your AUP. It follows logically, but not legally,
> that your customer binds their customers to an AUP that is at least as
> restrictive as yours, or YOUR CUSTOMER will be in breach with you, if
> their customers exercise practices violating your AUP...whether they are
> allowed to in the contract with their upstream or not. I'm speaking
> legally only (yes, by random chance, I had my contract attorney on the
> phone when I first read this post). Logically, you're correct, but
> law != logic.
>
> Daryl

--
If it wasn't signed, it probably didn't come from me.
Re: [arin-announce] IPv4 Address Space (fwd)
Are you actually saying that providers in the middle should build their networks to accommodate any amount of DDOS traffic their ingress can support instead of filtering it at their edge? How do you expect them to pay for that? Do you really want $10,000/megabit transit costs?

Owen

--On Friday, October 31, 2003 7:43 AM -0500 Alex Yuriev [EMAIL PROTECTED] wrote:

>>> It is content filtering. You are filtering packets that you think are
>>> causing problems to the ES that you may not control.
>>
>> No, he said quite clearly he's filtering packets (such as Nachi ICMP)
>> that are causing harm to *his* network. He gets to make a choice -
>> filter the known problem packets so the rest of the traffic can get
>> through, or watch the network melt down and nobody gets anything.
>
> He needs to fix his network so those 92 byte ICMP packets won't break it.
>
> Alex

--
If it wasn't signed, it probably didn't come from me.
Re: IPv6 NAT
--On Friday, October 31, 2003 11:43 AM -0500 Patrick W. Gilmore [EMAIL PROTECTED] wrote:

> -- On Friday, October 31, 2003 08:03 -0800 -- Owen DeLong [EMAIL PROTECTED] supposedly wrote:
>
>> There is NO security benefit to NAT/PAT/NAPT.
>
> Disagree. None of the scanning / infecting viruses could get past a $50
> NAT/PAT device which Joe User brings home and turns on without
> configuring. Do not talk about if they statically NAT. Punching holes in
> stateful firewalls will cause just as much damage.

Actually, many of the viruses will because they are received via other mechanisms and create stateful outbound connections that go right past NAT. However, the scanners won't get past a STATEFUL INSPECTION firewall, with or without nat. You can get a $50 stateful inspection device without NAT too. Takes the same configuration effort and usually on the same devices. In fact, assuming you have a PC, you probably don't need to spend $50. You can get a stateful inspection firewall on your PC by downloading the ISOs from RedHat (or other LINUX source) for FREE. Admittedly, the free one takes a little bit of configuration, since you have to check the box that says high security.

>> There is a security benefit to stateful inspection.
>
> Agreed. And I doubt anyone on this list would say differently.

Right. There is NO security benefit to NAT/PAT/NAPT beyond the stateful inspection.

>> NAT is harmful to many protocols. Stateful inspection is not.
>
> Possibly. But Joe User will never use those many protocols. Plus the
> overwhelming majority of protocols are not harmed by NAT.

If you are telling me that Joe User will never use VOIP, then you are smoking from a different internet hookah than the folks at Vonage. I don't know which of you is right, but, I know Vonage has enough customers to say that at least some number of Joe Users are using SIP and RTP which are among the protocols broken by NAT. Next?

> I would bet a statistically insignificant number of packets on the
> Internet (many places to the right of the decimal) are part of those
> protocols.

I guess that depends on your measurement method. Shall we include or not include in the count the number of packets that are bogusly tunneled over other protocols in an attempt to circumvent NAT silliness because it has become an unfortunate fact of life? Also, depending on who you ask, P2P filesharing (regardless of your position on the legality, the technology isn't inherently a bad thing) does not constitute a statistically insignificant portion of the traffic mix. A number of P2P protocols incorporate significant workarounds to deal with NAT. Many of these workarounds do things which essentially eliminate the previously defined security benefit and often in a way which makes things less secure than they would have been without NAT with a good stateful inspection firewall.

> This does not mean we should NAT everything, since I use some of those
> protocols. But if every Joe User had a DLink NAT box in front of his
> Winbloze box, the Internet would be a safer place. And you know it.

I disagree. I think the better solution to that problem is for every Joe user to spend that $50 suing Micr0$0ft for their exploding pinto in the local small claims court. If that happened, Micr0$0ft would get the message that there is a cost to doing business the way they have and they would be forced to change their strategy and fix some of these issues. That would be $50 much better spent. Even if Joe user loses his case in small claims (most likely), making Micr0$0ft play legal whack-a-mole would still have the desired effect.

For Joe User to go out and get the NAT box requires that Joe User recognize some level of need for security. If we can teach Joe User that, then we ought to be able to teach him to secure the box directly without needing a $50 device. Even Windows now has stateful firewall capabilities on the box. It's just not that hard.

> --
> TTFN,
> patrick

Owen

--
If it wasn't signed, it probably didn't come from me.
Re: [arin-announce] IPv4 Address Space (fwd)
> Are you actually saying that providers in the middle should build their
> networks to accommodate any amount of DDOS traffic their ingress can
> support instead of filtering it at their edge? How do you expect them to
> pay for that? Do you really want $10,000/megabit transit costs?

I remember GM saying something like that about this car that put Nader on the political arena. Are we that dumb that we need to be taught the same lessons?

Fix the networks. Force the customers to play by the rules.

Alex
RE: more on filtering
Tell that to Cisco, Nortel, and any other vendor that can handle huge rates of traffic that conform to typical but, when the pattern of addresses (or options) in the packets cause the flow cache to thrash, die under loads far below line rate. (See Cisco's http://www.cisco.com/warp/public/63/ts_codred_worm.shtml as an example)

Tell that to any router, switch, or end system vendor who recently found out what happened when a worm forces near-simultaneous arp requests for every possible address on a subnet.

I'm afraid that those of us building actual networks are forced to do so using actual hardware that actually exists today, and using actual hardware that was actually purchased several years ago and which cannot be forklifted out. You call the network obviously broken, I call it the only one that can be built today.

Matthew Kaufman
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Greg Maxwell
Sent: Thursday, October 30, 2003 7:48 PM
To: Chris Parker
Cc: Alex Yuriev; [EMAIL PROTECTED]
Subject: Re: more on filtering

On Thu, 30 Oct 2003, Chris Parker wrote:

> The source of the problem of bad packets is where they ingress to my
> network. I disconnect the flow of bad packets through filtering. What is
> the difference, other than I do not remove an entire interconnect, only
> the portion of packets that is affecting my ability to provide services?

If the *content* of the packets is breaking your network: Your network is obviously broken.
Re: more on filtering
>> I don't know much, but I do know that legal agreements in the US are NOT
>> transitive in this way, unless each agreement is included by reference
>> in the other.
>
> They aren't legally, but they are effectively.

Ok, enough legal debate. Let me use a strictly US analogy: The death penalty for shooting a cop is a legal deterrent, but a wise cop still wears a bulletproof vest.

Filter to protect your own network, and, when necessary and possible, your customers from each other and the Internet from your customers. Legalisms punish, after the fact.

--
Barney Wolff        http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
Re: IPv6 NAT
On Fri, 2003-10-31 at 12:26, Owen DeLong wrote:
> Even Windows now has stateful firewall capabilities on the box. It's just
> not that hard.

Not only that, but it is also enabled by default on their IPv6 stack, last I messed with Windows and v6 anyway.

-Paul

--
Paul Timmins [EMAIL PROTECTED]
RE: more on filtering
On Fri, 31 Oct 2003, Matthew Kaufman wrote:

[snip]
> I'm afraid that those of us building actual networks are forced to do so
> using actual hardware that actually exists today, and using actual
> hardware that was actually purchased several years ago and which cannot
> be forklifted out.
>
> You call the network obviously broken, I call it the only one that can
> be built today.

It's interesting that many rather sizable networks have weathered these events without relying on filtering, NAT, or other such behavior.

Even if you're right, that doesn't make me wrong.

Any IP network conformant to Internet standards should be content transparent. Any network which isn't is broken.

Breaking under abnormal conditions is unacceptable. I am well aware of reality, but the reality is: some things need to be improved.

This isn't some fundamental law of nature causing these limits. We are simply seeing the results of the internet boom valuation of rapid growth and profit over correctness and stability.

As the purchasers of this equipment we have the power to demand vendors produce products which are not broken.

Doing so is our professional duty, settling on workarounds that break communications and fail to actually solve the problems is negligent.

Suggesting that breaking end-to-endness is a long term solution to these kind of issues is socially irresponsible.

-- 
The comments and opinions expressed herein are those of the author of this message and may not reflect the policies of the Martin County Board of County Commissioners.
RE: more on filtering
> It's interesting that many rather sizable networks have weathered these
> events without relying on filtering, NAT, or other such behavior.

What's more interesting is how many big networks have implemented 98-byte ICMP filters, blocks on port 135, and other filters on a temporary basis on one or more (but not all) interfaces, without anyone really noticing that they're doing that. It isn't something that's well-publicized, but I know several major ISPs/NSPs which have had such filters in place, at least briefly, on either congested edge interfaces or between core and access routers to prevent problems with devices like TNTs and Shastas.

> Even if you're right, that doesn't make me wrong.

True enough.

> Any IP network conformant to Internet standards should be content
> transparent. Any network which isn't is broken.

Then they're all broken, to one extent or another. Even a piece of wire can be subjected to a denial of service attack that prevents your content from transparently reaching the far end.

> Breaking under abnormal conditions is unacceptable. I am well aware of
> reality, but the reality is: some things need to be improved.

That some things need to be improved has been true since the very first day the Internet began operation. Of course, the users of the end systems were somewhat better behaved for the first few years, and managed to resist the temptation to deploy widespread worms until 1988.

> This isn't some fundamental law of nature causing these limits. We are
> simply seeing the results of the internet boom valuation of rapid growth
> and profit over correctness and stability.

True.

> As the purchasers of this equipment we have the power to demand vendors
> produce products which are not broken.

One can demand all one wants. Getting such a product can be nearly or totally impossible, depending on which features you need at the same time.

> Doing so is our professional duty, settling on workarounds that break
> communications and fail to actually solve the problems is negligent.

But not using the workarounds that one has available in order to keep the network mostly working, and instead standing back and throwing up one's hands and saying "well, all the hardware crashed, guess our network is down entirely today" is even more negligent. It may also be a salary-reducing move.

> Suggesting that breaking end-to-endness is a long term solution to these
> kind of issues is socially irresponsible.

Waiting until provably-correct routers are built, and cheap enough to deploy, may be socially irresponsible as well. There's a whole lot of good that has come out of cheap broadband access, and we'd still be waiting if we insisted on bug-free CPE and bug-free aggregation boxes that could handle any traffic pattern thrown at them.

Do you actually believe that it was a BAD idea for Cisco to build a router that is more efficient (to the point of being able to handle high-rate interfaces at all) when presented with traffic flows that look like real sessions?

Matthew Kaufman
[EMAIL PROTECTED]
RE: [arin-announce] IPv4 Address Space (fwd)
> I remember GM saying something like that about this car that put Nader on
> political arena. Are we that dumb that we need to be taught the same
> lessons?

GM seems to still be building cars and trucks, and Nader lost a presidential election. Which lesson were we supposed to learn?

Matthew Kaufman
[EMAIL PROTECTED]
RE: more on filtering
> Do you actually believe that it was a BAD idea for Cisco to build a router
> that is more efficient (to the point of being able to handle high-rate
> interfaces at all) when presented with traffic flows that look like real
> sessions?

Why buy something that works well only sometimes ("we are very efficient when it looks like 'real' traffic" from Cisco) when you can buy ("no one told us that we should have issues with some specific packets") Juniper?

Alex
RE: [arin-announce] IPv4 Address Space (fwd)
> > I remember GM saying something like that about this car that put Nader
> > on political arena. Are we that dumb that we need to be taught the same
> > lessons?
>
> GM seems to still be building cars and trucks, and Nader lost a
> presidential election.

GM seems to also have cut a very big check to pay the judgements.

Alex
RE: more on filtering
Well, interestingly, in our network, Juniper makes all of our new core routers. Specifically because Cisco routers were melting down at an unacceptable rate.

But there was no such thing as Juniper when we started building (so we still have a lot of Cisco routers in the network), and they don't make DSLAMs or DSL/ATM customer aggregation boxes, so we still get to deal with traffic-dependent performance. And I'm sure we're not the only network in this situation.

Should I replace every box in the network with a Juniper and pass the cost along to the customers? (New line item on the bills: "we won't filter worm traffic" tax)

Even if I had an all-Juniper network, I'd still need to decide what to do about DDOS attacks... Do I just call my circuit vendors and keep adding OC48s until the problem goes away?

Matthew Kaufman
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Yuriev
Sent: Friday, October 31, 2003 6:29 AM
To: Matthew Kaufman
Cc: 'Greg Maxwell'; 'Chris Parker'; [EMAIL PROTECTED]
Subject: RE: more on filtering

> Do you actually believe that it was a BAD idea for Cisco to build a router
> that is more efficient (to the point of being able to handle high-rate
> interfaces at all) when presented with traffic flows that look like real
> sessions?

Why buy something that works well only sometimes ("we are very efficient when it looks like 'real' traffic" from Cisco) when you can buy ("no one told us that we should have issues with some specific packets") Juniper?

Alex
CP INTERNET contacts
Hello,

If anyone on the list works for or has a reliable contact at CP Internet (Duluth, MN) then please contact me off-list ASAP. I have tried the NOC and ABUSE to no avail.

Thanks.

Scott Vachon
CNS-Salem Network Group
Paymentech L.P.

Learn more about Paymentech's payment processing services at www.paymentech.com

THIS MESSAGE IS CONFIDENTIAL. This e-mail message and any attachments are proprietary and confidential information intended only for the use of the recipient(s) named above. If you are not the intended recipient, you may not print, distribute, or copy this message or any attachments. If you have received this communication in error, please notify the sender by return e-mail and delete this message and any attachments from your computer.
Re: IPv6 NAT
Agreed NAT's do not create security although many customers believe they do. NAT's _are_ extremely useful in hiding network topologies from casual inspection.

What I usually recommend to those who need NAT is a stateful firewall in front of the NAT. The rationale being the NAT hides the topology and the stateful firewall provides the security boundary.

Scott C. McGrath

On Thu, 30 Oct 2003, Stephen Sprunk wrote:

> Thus spake [EMAIL PROTECTED]
> > Now, I'm not claiming that every device capable of IPv4 NAT is
> > currently able to function in this way, but there are no technical
> > barriers to prevent manufacturers from making IPv6 devices that
> > function in this way. The IPv6 vendor marketing folks can even invent
> > terms like NAT (Network Authority Technology) to describe this simple
> > IPv6 firewall function, i.e. IPv6 NAT.
>
> Or you could simply call it what it is -- a firewall -- since that's
> what most consumers think NAT is anyways. While I disagree with the
> general sentiment that NATs create security, the standard usage of such
> devices is certainly that of a stateful firewall.
>
> S
>
> Stephen Sprunk        "God does not play dice."  --Albert Einstein
> CCIE #3723            "God is an inveterate gambler, and He throws the
> K5SSS                  dice at every possible opportunity." --Stephen Hawking
Re: Yankee Group declares core routing obsolete (was Re: Anybody using GBICs?)
Funny, I thought a switch was a multiport bridge... uses the MAC headers to flood. Ahh, makes me long for the days of Kalpana.

Scott C. McGrath

On Fri, 31 Oct 2003, Stephen Sprunk wrote:

> Thus spake Daniel Golding [EMAIL PROTECTED]
> > Hmm. Don't you just love it when folks say things like "Layer 3
> > Switches are better than routers". It's very illuminating as to clue
> > level. I suppose what they were trying to say, is that products that
> > were designed as switches, but are now running routing code, are
> > superior to products that were designed as routers, and are running
> > routing code. Of course, this is demonstrably false. "Layer 3 Switch"
> > is like "Tier 1 ISP" - meaningless marketing drivel, divorced from any
> > previous technical meaning.
>
> I've always stated that "switch" is a marketing term meaning "fast".
> Thus a L2 switch is a fast bridge and a L3 switch is a fast router. In
> this light, the Yankee Group is just now catching on to something we all
> knew a decade ago -- slow (i.e. software) routers are dead.
>
> There's a more interesting level to the discussion if you look at what
> carriers are interested in for their backbone hardware today; while I'm
> obviously biased based on my employer, I've seen a lot more emphasis on
> $20k-per-10GE-port L3 switches than $200k-per-10GE-port core routers in
> the current economic climate.
>
> S
>
> Stephen Sprunk        "God does not play dice."  --Albert Einstein
> CCIE #3723            "God is an inveterate gambler, and He throws the
> K5SSS                  dice at every possible opportunity." --Stephen Hawking
new routeviews mailing lists
Folks,

We have set up a few new mailing lists for the routeviews project; see

http://routeviews.org/~majordom/rv-lists.html

Thanks,
Dave
Re: CP INTERNET contacts
--On Friday, October 31, 2003 1:27 PM -0500 "Vachon, Scott" [EMAIL PROTECTED] wrote:

> Learn more about Paymentech's payment processing services at
> www.paymentech.com
>
> THIS MESSAGE IS CONFIDENTIAL. This e-mail message and any attachments
> are proprietary and confidential information intended only for the use
> of the recipient(s) named above. If you are not the intended recipient,
> you may not print, distribute, or copy this message or any attachments.
> If you have received this communication in error, please notify the
> sender by return e-mail and delete this message and any attachments from
> your computer.

I was not named in the recipient(s) list, so as per instructions I am notifying the sender.
RE: more on filtering
> Even if I had an all-Juniper network, I'd still need to decide what to do
> about DDOS attacks... Do I just call my circuit vendors and keep adding
> OC48s until the problem goes away?

But isn't this just trying to put a square peg into a round hole? Wouldn't it be better to let routers route, switches switch, and filter boxen filter? I know people like to have routers talk directly to each other, but there are certain high capacity upper layer filter boxen out there that, when inserted into the link, can handle this nastiness, so a router doesn't over-work its designed-to-be-lazy processor.

-- 
Scanned for viruses and dangerous content at http://www.oneunified.net and is believed to be clean.
RE: Yankee Group declares core routing obsolete (was Re: Anybody using GBICs?)
> Things are getting better, but L3-switches pale in comparison to today's
> high-end routers on almost all fronts. If you take GigE out of the
> equation, modern L3 Switches are just as expensive as modern core routers
> - and routable, mpls-able L3 GE ports are _more_ expensive on switches
> than routers (see 4xGE OSM vs 4xGE GSR 'tetra' pricing). Media diversity,
> queuing performance, and FIB density is what really differentiates the
> two at this point, IMO.

[stuff deleted all over the place]

Christian,

I think you make the point very clearly, if you leave GigE in the equation things change a lot. Without it, none of this stuff walks too far. GigE is being used in all kinds of IX, LAN, and Metro environments that WAN circuits or at best FE used to be used for. This reduces the number of low speed and short-haul interfaces on most core routers immediately. 10GE still isn't a very far reaching technology yet (meaning, I can't seem to find one stable at 26db) and SONET clearly wins in speed range for distance AFAIK.

For networks that can engineer or re-engineer to GE or nxGE an L3 switch is going to do very well. Many support hardware rewrite for L2 forwarding, and newer ones are sporting real-router sized FIBs. Even in an IX environment, if you are only talking to peers, you can use an L3 switch with a 20,000 route FIB and know you'll never be defaulted to, and all of your BGP views at least 100 sessions can be aggregated on a little 1U box that costs $4000. You also protect your main router from a lot of nonsense that can be hw-filtered on the little box.

If big routers could provide GE ports in higher densities at approximately the same price per port as a switch, the argument would be a dead one. It's expensive to privately (router) peer with 30 GE networks on a vendor J or vendor C router. It's relatively inexpensive to do it using an L3 switch.

When talking about routers that need to aggregate lots of FR, ATM, or other WAN traffic -- or generally uplinking at greater than GE speed interfaces, you are probably better off [today] using a traditional router. I don't think anyone uplinking at 10GE speeds doesn't have a fair amount of WAN connections. I don't think most people with lots of GE have many big core routers. I think it's a self-selecting type of arrangement.

Just my opinion,

Deepak Jain
AiNET
RE: Yankee Group declares core routing obsolete (was Re: Anybody using GBICs?)
> Things are getting better, but L3-switches pale in comparison to today's
> high-end routers on almost all fronts. If you take GigE out of the
> equation, modern L3 Switches are just as expensive as modern core routers
> - and routable, mpls-able L3 GE ports are _more_ expensive on switches
> than routers (see 4xGE OSM vs 4xGE GSR 'tetra' pricing).

In *my* Cisco GPL, 4GE-SFP-LC is listed at $75,000 while OSM-2+4GE-WAN+ is listed at $44,000. But then I tend to think of the 6500/7600 as a router...

Steinar Haug, Nethelp consulting, [EMAIL PROTECTED]
Blocked traffic from Canada to France
Hello,

I'm not sure if it's the right place to post, but I found some related conversations in the archive, so I hope it'll be ok for me to post.

Since yesterday morning, here in Montreal, all my traffic from 24.202.28.177 to 213.186.35.30 gets stuck in New York (traceroute below). My ISP is looking at my problem, but the problem is still here after one day now... I tried to contact cw.net but I just got a forward mail saying: "Here is another routing issue which is also being affected through our peering point.."

I always thought that Internet was a wonderful network where packets can't get lost and always find the good route! Why is it so long? Am I the only one with this problem?

tracert spidmail.net

Détermination de l'itinéraire vers ovh.com [213.186.35.30]
avec un maximum de 30 sauts :

  1    75 ms    12 ms    11 ms  10.102.0.1
  2    11 ms    12 ms    10 ms  modemcable213.240-200-24.mtl.mc.videotron.ca [24.200.240.213]
  3    14 ms    13 ms    11 ms  10.154.0.154
  4    11 ms    29 ms    13 ms  ia-piex-bb02-ge8-0.vtl.net [207.96.146.17]
  5    32 ms    29 ms    34 ms  iar2-so-3-3-0.Toronto.cw.net [208.175.169.117]
  6    27 ms    27 ms    57 ms  bcr1-so-2-2-0.Toronto.cw.net [208.175.171.137]
  7    30 ms    27 ms    25 ms  dcr2-so-3-0-0.NewYork.cw.net [206.24.207.209]
  8   333 ms    26 ms    27 ms  agr1-so-2-0-0.NewYork.cw.net [206.24.207.178]
  9    25 ms    48 ms    50 ms  iar1-loopback.NewYork.cw.net [206.24.194.23]
 10     *        *        *     Délai d'attente de la demande dépassé.
 11     *        *        *     Délai d'attente de la demande dépassé.

Thanks

-- 
Regards,
Cedric Fontaine (Easy Soft) - mailto:[EMAIL PROTECTED]
(DH/DSS) PGP-key Server ID: 0xBDD6E604
Re: [Full-Disclosure] Gates: 'You don't need perfect code' for good security
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&selm=Xns94258238F273Cbruns2mbitcom%40130.133.1.4

From my post to the NANAE newsgroup... My favorite quote is...

> BG: Until we had this concept of Web services, software on the Internet
> couldn't talk to other software on the Internet. The only thing that
> worked was you could move bits - that's TCP/IP - or you could put up
> screens - that's HTML - but software couldn't talk to software.

It's good to know my Putty application can't talk to my OpenSSH server, or that my EXIM mail server can't actually talk to other mail servers. :-)

-- 
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
The AHBL - http://www.ahbl.org

- Original Message -
From: "james" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 31, 2003 5:00 PM
Subject: Fw: [Full-Disclosure] Gates: 'You don't need perfect code' for good security

One word HA !

james

- Original Message -
From: Jeremiah Cornelius
To: [EMAIL PROTECTED]
Sent: Friday, October 31, 2003 11:32 AM
Subject: [Full-Disclosure] Gates: 'You don't need perfect code' for good security

: FLAME ON!
:
: http://www.itbusiness.ca/index.asp?theaction=61&sid=53897
:
: "But there are two other techniques: one is called firewalling and the
: other is called keeping the software up to date. None of these problems
: (viruses and worms) happened to people who did either one of those
: things. If you had your firewall set up the right way - and when I say
: firewall I include scanning e-mail and scanning file transfer -- you
: wouldn't have had a problem. But did we have the tools that made that
: easy and automatic and that you could really audit that you had done it?
: No. Microsoft in particular and the industry in general didn't have it.
:
: The second is just the updating thing. Anybody who kept their software
: up to date didn't run into any of those problems, because the fixes
: preceded the exploit. Now the times between when the vulnerability was
: published and when somebody has exploited it, those have been going
: down, but in every case at this stage we've had the fix out before the
: exploit. So next is making it easy to do the updating, not for general
: features but just for the very few critical security things, and then
: reducing the size of those patches, and reducing the frequency of the
: patches, which gets you back to the code quality issues. We have to
: bring these things to bear, and the very dramatic things that we can do
: in the short term have to do with the firewalls and the updating
: infrastructure."
:
: Full-Disclosure - We believe in it.
: Charter: http://lists.netsys.com/full-disclosure-charter.html

James Edwards
Routing and Security Administrator
[EMAIL PROTECTED]
At the Santa Fe Office: Internet at Cyber Mesa
Store hours: 9-6 Monday through Friday
505-988-9200 SIP:1(747)669-1965
RE: Yankee Group declares core routing obsolete (was Re: Anybody using GBICs?)
Steinar,

Yes, the PL has pricing that has changed for us at least, and will be changing for others as well. Expect Tetra to be selling for less in short time (if not already). Looks as if the GE OSM has dropped in price too.

As Deepak pointed out, YMMV based on application. For me, I must look across the gamut of services and cards, like 4-port OC-12c ATM, 4-port CHOC-12 to DS1, 4x OC-48 ports, while considering chassis density, etc. In the time I've spent with the 7609, and admittedly that has been fleeting, I have come away disappointed more than impressed, but I have a wider array of services to support. For many applications, I think it is phenomenal - for example, security services. But those aren't core routing services.

I would be interested in seeing, say, a 7609-GSR or better yet 7609-T640 bakeoff. I think that would prove 2 things - 1) you get what you pay for, and 2) purpose-built routers are still better at routing heavy loads with diverse media. Sure, the loaded 640 will be more expensive, but it will most definitely knock the power supplies off the 7609 in general performance. Perhaps the SUP-720 will change that - I look forward to seeing it in our lab, where I may be reconvinced...

c

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, October 31, 2003 4:08 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: Yankee Group declares core routing obsolete (was Re: Anybody using GBICs?)

> Things are getting better, but L3-switches pale in comparison to today's
> high-end routers on almost all fronts. If you take GigE out of the
> equation, modern L3 Switches are just as expensive as modern core routers
> - and routable, mpls-able L3 GE ports are _more_ expensive on switches
> than routers (see 4xGE OSM vs 4xGE GSR 'tetra' pricing).

In *my* Cisco GPL, 4GE-SFP-LC is listed at $75,000 while OSM-2+4GE-WAN+ is listed at $44,000. But then I tend to think of the 6500/7600 as a router...

Steinar Haug, Nethelp consulting, [EMAIL PROTECTED]
RE: IPv6 NAT
Scott McGrath wrote:
> Agreed NAT's do not create security although many customers believe they
> do. NAT's _are_ extremely useful in hiding network topologies from casual
> inspection.

This is another bogus argument, and clearly you have not done the math on how long it takes to scan a /64 worth of subnet space. Start by assuming a /16 per second (which is well beyond what I have found as current technology) and see how long 2^48 seconds is.

> What I usually recommend to those who need NAT is a stateful firewall in
> front of the NAT. The rationale being the NAT hides the topology and the
> stateful firewall provides the security boundary.

Obscuring the topology provides absolutely no security either. You are not alone, as it is frequently a recommended practice, but obscurity != security no matter how much it is sold as such.

Tony
Re: [Full-Disclosure] Gates: 'You don't need perfect code' for good security
You guys missed it, Gates is utterly right. There is no such thing as perfect code. Where he errs is that his code is utter and unremarkable crap based on poorly conceived designs based on a perceived difficulty of use problem. The simple solution was to design it for the average person and then tell anyone who couldn't figure it out to get stuffed. Sadly that didn't happen here, or when dcom came out, or when activex sucked, or when dcom came out again, or every time they release Outlook (Express).

On Fri, 31 Oct 2003 17:43:16 -0500 Brian Bruns [EMAIL PROTECTED] wrote:

> http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&selm=Xns94258238F273Cbruns2mbitcom%40130.133.1.4
>
> From my post to the NANAE newsgroup... My favorite quote is...
>
> > BG: Until we had this concept of Web services, software on the
> > Internet couldn't talk to other software on the Internet. The only
> > thing that worked was you could move bits - that's TCP/IP - or you
> > could put up screens - that's HTML - but software couldn't talk to
> > software.
>
> It's good to know my Putty application can't talk to my OpenSSH server,
> or that my EXIM mail server can't actually talk to other mail servers.
> :-)
>
> -- 
> Brian Bruns
> The Summit Open Source Development Group
> Open Solutions For A Closed World / Anti-Spam Resources
> http://www.sosdg.org
> The AHBL - http://www.ahbl.org
>
> - Original Message -
> From: "james" [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Friday, October 31, 2003 5:00 PM
> Subject: Fw: [Full-Disclosure] Gates: 'You don't need perfect code' for
> good security
>
> One word HA !
>
> james
>
> - Original Message -
> From: Jeremiah Cornelius
> To: [EMAIL PROTECTED]
> Sent: Friday, October 31, 2003 11:32 AM
> Subject: [Full-Disclosure] Gates: 'You don't need perfect code' for good
> security
>
> : FLAME ON!
> :
> : http://www.itbusiness.ca/index.asp?theaction=61&sid=53897
> :
> : "But there are two other techniques: one is called firewalling and the
> : other is called keeping the software up to date. None of these
> : problems (viruses and worms) happened to people who did either one of
> : those things. If you had your firewall set up the right way - and when
> : I say firewall I include scanning e-mail and scanning file transfer --
> : you wouldn't have had a problem. But did we have the tools that made
> : that easy and automatic and that you could really audit that you had
> : done it? No. Microsoft in particular and the industry in general
> : didn't have it.
> :
> : The second is just the updating thing. Anybody who kept their software
> : up to date didn't run into any of those problems, because the fixes
> : preceded the exploit. Now the times between when the vulnerability was
> : published and when somebody has exploited it, those have been going
> : down, but in every case at this stage we've had the fix out before the
> : exploit. So next is making it easy to do the updating, not for general
> : features but just for the very few critical security things, and then
> : reducing the size of those patches, and reducing the frequency of the
> : patches, which gets you back to the code quality issues. We have to
> : bring these things to bear, and the very dramatic things that we can
> : do in the short term have to do with the firewalls and the updating
> : infrastructure."
>
> James Edwards
> Routing and Security Administrator
> [EMAIL PROTECTED]
> At the Santa Fe Office: Internet at Cyber Mesa
> Store hours: 9-6 Monday through Friday
> 505-988-9200 SIP:1(747)669-1965

-- 
Andrew D Kirch | [EMAIL PROTECTED] | Security Admin | Summit Open Source Development Group | www.sosdg.org
RE: Yankee Group declares core routing obsolete (was Re: Anybody using GBICs?)
> I would be interested in seeing, say, a 7609-GSR or better yet 7609-T640
> bakeoff. I think that would prove 2 things - 1) you get what you pay for,
> and 2) purpose-built routers are still better at routing heavy loads with
> diverse media. Sure, the loaded 640 will be more expensive, but it will
> most definitely knock the power supplies off the 7609 in general
> performance. Perhaps the SUP-720 will change that - I look forward to
> seeing it in our lab, where I may be reconvinced...

If you check out the PDF at this URL:

www.eantc.de/press/pressreleases/sep03/EANTC-Summary-Report-Cisco-GigE-Catalyst6500-Supervisor720.pdf

(I am sure it's available elsewhere)

You might be surprised about the SUP720 vs T640 performance for general routing loads. Obviously if you have a lot of WAN interfaces the 7600/6500 just doesn't have all of them, but this performance analysis seemed reasonably complete. I have not seen a similar one for the T640.

Deepak Jain
AiNET
Re: Yankee Group declares core routing obsolete (was Re: Anybodyu
Recently, [EMAIL PROTECTED] (Martin Christian) wrote:
> Things are getting better, but L3-switches pale in comparison to today's
> high-end routers on almost all fronts. If you take GigE out of the
> equation, modern L3 Switches are just as expensive as modern core routers
> - and routable, mpls-able L3 GE ports are _more_ expensive on switches
> than routers (see 4xGE OSM vs 4xGE GSR 'tetra' pricing). Media

*cough*

Please do note, however, that the overall capacity of the cards being compared should also be considered. Remember, the 4xGE GSR tetra card is a 2.5 gig OC48 engine, so your gig ports are rather oversubscribed.

Just making sure apples get compared to like-sized apples :)

Matt
A very, VERY happy user of OSRs for quite some time.
Re: [Full-Disclosure] Gates: 'You don't need perfect code' for good security
On Fri, 2003-10-31 at 18:35, Andrew D Kirch wrote:
> You guys missed it, Gates is utterly right. There is no such thing as
> perfect code.

Hmmm, I think that is a given. Even my ponytail knows that! Gates just has a talent with spin.

> Where he errs is that his code is utter and unremarkable crap based on
> poorly conceived designs based on a perceived difficulty of use problem.
> The simple solution was to design it for the average person and then
> tell anyone who couldn't figure it out to get stuffed. Sadly that didn't
> happen here, or when dcom came out, or when activex sucked, or when dcom
> came out again, or every time they release Outlook (Express).

Yep, change the prompt, shoehorn 32 bits onto 8 bits and we are done here.

-- 
James Edwards
Routing and Security
[EMAIL PROTECTED]
At the Santa Fe Office: Internet at Cyber Mesa
505-988-9200 SIP:747-669-1965
OT: Midco.net
Sorry for the off topic post, but has anyone dealt with Midco.net? I recently reported a scan from a node belonging there and have met with nothing but side steps. Please contact me off list if you have any contacts there. Would like to get this resolved.

http://www.rocknyou.com/midco.html

Cheers
-Joe
Re: OT: Midco.net
Hmmm, so this is up there with SPAM right? Do nothing about it because it's just life. That's just how spam has gotten to be such a problem. No one reports it because it's a fact of life, which is the reason why it's now such a problem. Instead of reporting it and getting ISPs to enforce AUP/TOS the answer is to just deal with it? lol, not. After years working and dealing in this industry I'm not about to just give in to the AOL/Microsoft ways and means.

Well enough said, just a little frustrated at this point, sorry all.

-Joe

- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, October 31, 2003 11:54 PM
Subject: Re: OT: Midco.net
Re: OT: Midco.net
[EMAIL PROTECTED] wrote:
> Sorry for the off topic post, but has anyone dealt with Midco.net? I
> recently reported a Scan from a node belonging there and have met with
> nothing but side steps. Please contact me off list if you have any
> contacts there. Would like to get this resolved.
>
> http://www.rocknyou.com/midco.html

On your site you say your server functions to:

  "resolve names for Rocknyou.com, log scans and evil-do-ers attempting to breakin, and sometimes for fun I run nmap http://www.insecure.org/nmap/index.html back at those bad nodes."
  (http://www.rocknyou.com/aboutme.html)

So since tonight is Halloween (GMT -6), would you prefer to be Pot or Kettle? :)

There are perfectly valid reasons to get scanned, especially by a well known white-hat tool like Nessus. Script-kiddies and spammers have much more robust/directed tools than a general purpose (slow) tool like Nessus. And from the link you sent about Midco, it looks like they did a fine job responding to your request; probably better than most *SP's would do.

-davidu