Re: Need some info on network management

2004-02-09 Thread Sean Donelan

On Tue, 10 Feb 2004, Savitha Kumar wrote:
> them, accounting management which is one of the FCAPS
> functionality is not supported on any of the NMS's.

I think you have your networking models confused.

FCAPS is part of the ITU model for TMN-layers.  You
need to look at ITU networks, such as the telephone
network, which extensively collects accounting data.

Trying to apply ITU network models to the Internet
will just make your head hurt.


> So I thought it would make sense if I contact a
> network operations group regarding this. Can you
> please throw some light on the following -
>  1. Why is "accounting" not part of most of the NMS's?
>  2. What do service providers use for billing their
>  customers?

Because most Internet providers have a different billing
model.  In the Internet, accounting is usually part
of AAA systems not NMS systems.

Of course, on the Internet NMS systems are not the same
thing as NMS in the ITU model either.  I'm not arguing one
model is better than the other, but its a bad idea to
try to apply the wrong model to the wrong network.




Re: Where can I find a list of IPs and their regions.

2004-02-09 Thread Arnold Nipper
On 10.02.2004 02:50 Matthew Crocker wrote:
> On 10.02.2004 01:43 Matthew Crocker wrote:
>> I've looked at IANA but it doesn't give enough detailed information.  I
>> would like to find a list of /8s or /16s and what geographic region
>> they exist in.  I know it isn't an exact science but something close
>> would be nice.  I know 210/8 & 211/8 are APNIC; I'd like to know stuff
>> like 210.100/16 is Korea and 210.120/16 is China, etc.   Does anyone
>> have a list I can pull from?
>
> Have a look at http://www.aso.icann.org/stats/index.html and retrieve
> up-to-date files from APNIC, ARIN, LACNIC and RIPE.
>
> This is exactly what I want,  thank you very much :)
>
> I wonder why APNIC & ARIN have delegated-*-latest files but LACNIC &
> RIPE do not.  grrr.  This data should be accurate enough for what I'm
> trying to accomplish

Hmmm ... ftp://ftp.ripe.net/ripe/stats/delegated-ripencc-latest exists 
and ftp://ftp.lacnic.net/pub/stats/lacnic/delegated-lacnic-latest as 
well ...



Arnold
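
As an added example, not code from anyone in this thread: a small parser for the delegated-*-latest files Arnold points at, turning the ipv4 rows into address ranges and looking an address up. The rows below are constructed to mirror the 210.100/16 Korea and 210.120/16 China guesses in the question (plus one deliberately non-CIDR-sized block); they are not real APNIC data. The layout is the published registry|cc|type|start|value|date|status format, in which value for ipv4 is an address count rather than a prefix length, so a single row can cover a range that is not a single prefix.

```python
import ipaddress
from bisect import bisect_right

# Constructed sample in the RIR stats-exchange ("delegated") format:
#   registry|cc|type|start|value|date|status
# For ipv4 rows `value` is a count of addresses (for ipv6 it is a prefix
# length), and the count need not be a power of two.  Made-up rows, not
# real APNIC data.
SAMPLE_DELEGATED = """\
2|apnic|20040210|4|19830101|20040209|+1000
apnic|*|ipv4|*|4|summary
apnic|AU|ipv4|210.8.0.0|12288|19990101|allocated
apnic|KR|ipv4|210.100.0.0|65536|19970530|allocated
apnic|CN|ipv4|210.120.0.0|65536|19970530|allocated
apnic|JP|ipv4|211.0.0.0|1048576|19980101|allocated
"""


def parse_delegated(text):
    """Parse ipv4 rows into (first, last, cc, registry) tuples sorted by
    first address, skipping comments, the version line and summary lines."""
    blocks = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        # version line: "2|registry|serial|...", summary: "registry|*|ipv4|*|n|summary"
        if len(fields) < 7 or fields[1] == "*" or fields[2] != "ipv4":
            continue
        registry, cc, _, start, value = fields[:5]
        first = int(ipaddress.IPv4Address(start))
        blocks.append((first, first + int(value) - 1, cc, registry))
    blocks.sort()
    return blocks


def lookup(blocks, ip):
    """Return (cc, registry) for the block containing `ip`, or None.
    The cc is the registrant's country from the RIR's records, not a
    measurement of where the hosts actually are."""
    addr = int(ipaddress.IPv4Address(ip))
    starts = [b[0] for b in blocks]
    i = bisect_right(starts, addr) - 1
    if i >= 0 and blocks[i][0] <= addr <= blocks[i][1]:
        return blocks[i][2], blocks[i][3]
    return None


def as_prefixes(block):
    """Render a block as the CIDR prefixes it covers; a count that is not a
    power of two comes out as more than one prefix."""
    first, last, _, _ = block
    return [str(net) for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))]


if __name__ == "__main__":
    table = parse_delegated(SAMPLE_DELEGATED)
    for block in table:
        print(block[2], block[3], as_prefixes(block))
    for ip in ("210.100.5.9", "210.120.1.1", "210.8.40.1", "210.99.255.255"):
        print(ip, "->", lookup(table, ip))
```

The same loop works unchanged on the real files once they are fetched, one file per RIR, concatenated; what it cannot give is anything finer than the registrant country, which is the "not an exact science" part of the question.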



Need some info on network management

2004-02-09 Thread Savitha Kumar

Hi,

I am a Post Graduate student from India and network
management is my area of interest. I have been
browsing through the net on different network
management tools available in the market. In all of
them, accounting management which is one of the FCAPS
functionality is not supported on any of the NMS's.

So I thought it would make sense if I contact a
network operations group regarding this. Can you
please throw some light on the following -
 1. Why is "accounting" not part of most of the NMS's?
 2. What do service providers use for billing their
 customers?

It would be great if you could help me on this.

Thanks a lot for your valuable time!

Regards,
Savitha







Microsoft Messenger sign-on issues

2004-02-09 Thread Sean Donelan


I do not know why Messenger is having difficulties.  But if you are
looking for status updates to feed your front desk folks, the MSN
network status web page for Messenger is


http://support.msn.com/networkstatusresults.aspx?ProductNum=100&ProductName=Messenger

Messenger
Feature: Sign In

The .NET Messenger Service is temporarily experiencing difficulty. You may
be unable to sign in. Please try again later.
Location: N/A
Last Update: Monday, 09 February 2004 21:15:00 GMT
Next Update: Monday, 09 February 2004 23:15:00 GMT



WG Last Call: draft-ietf-v6ops-isp-scenarios-analysis-01.txt (fwd)

2004-02-09 Thread Pekka Savola

FYI,

Feedback is welcome, either to the list ([EMAIL PROTECTED]) or to me 
and the document editor (in Cc:) directly.

-- Forwarded message --
Date: Fri, 6 Feb 2004 07:58:44 +0200 (EET)
From: Pekka Savola <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: WG Last Call: draft-ietf-v6ops-isp-scenarios-analysis-01.txt

Hi all,

This is a WG Last Call for comments on sending
draft-ietf-v6ops-isp-scenarios-analysis-01.txt, " Scenarios and
Analysis for Introducing IPv6 into ISP Networks" to the IESG for
consideration as BCP:

http://www.ietf.org/internet-drafts/draft-ietf-v6ops-isp-scenarios-analysis-01.txt

Please review these documents carefully, and send your feedback to the
list.  Please also indicate whether or not you believe that this document
is ready to go to the IESG.

There has been a lack of extensive reviews from the start, so 
reviewing this document would be especially welcome.

The last call will end in about 2.5 weeks, on 24th February.

Pekka & Jonne





Re: [IP] VeriSign prepares to relaunch "Site Finder" -- calls

2004-02-09 Thread Scott Savage

: this is [EMAIL PROTECTED]  if you think sitefinder poses an operational problem
: then please describe it (dispassionately).  if you think there is an
: operational thing that ought to be done in response to sitefinder, then
: please describe that (dispassionately).  the response you included...

I brought this issue up (dispassionately) offline at the last NANOG
conference.

As most everyone knows, the Windows resolver has its share of
problems under the hood. Well, we ran into a rather interesting glitch
when Verisign did away with the NXDOMAIN. In our internal enterprise, we
have DNS search suffixes defined on client workstations. If a user enters
a plain hostname it will impute the suffixes automatically to find a
matching winner within the various internal subdomains. Never had a
problem with it prior to this.

However, Microsoft's imputing implementation has an undocumented flaw (at
least from the command line that we could determine). If you enter more
than 5 search suffixes, the MS resolver, at least in NT and 2000,
demonstrates irrational behavior. In this scenario, the resolver will
actually append all of the search suffixes, instead of just one at a time,
and make one big request with all the domains separated by commas. In our
case we had 6 search suffix entries for internal subdomains and the root
domain. When a request was made for a plain hostname, the client would
send a request that looked like:

plainhostname.a.domain.com,b.domain.com,c.domain.com,d.domain.com.e.domain.com,domain.com

When our internal DNS server received the request it parsed the root
domain as com,domain.com. Our DNS servers, of course, would end up
forwarding the request out to the root servers and then receive back the
lovely Sitefinder IP address, instead of NXDOMAIN.

We actually lost quite a bit of time in remote troubleshooting during an
application test out of Amsterdam the day Sitefinder came online because
of this issue. We were making internal DNS changes for a test and using
dynamic DNS. We were having a user run nslookups from the command line and
they kept getting back the bogus Sitefinder address, which we couldn't
figure out where it was coming from. (It can pay to stay current on this
list) Oddly, the browser still resolved the name correctly in the end and
was able to function, even though command line still showed this very
strange behavior.

When NXDOMAIN returned, the issue disappeared and we haven't tested it
again.

-- 
 Scott Savage
 scott(at)thewaystation.com
 www.thewaystation.com

  Random Quote:
Strange Laws:
It is against the law for a monster to enter the corporate limits of
Urbana, Illinois.


Re: [IP] VeriSign prepares to relaunch "Site Finder" -- calls

2004-02-09 Thread Michael Loftis


--On Tuesday, February 10, 2004 10:21 +0530 Suresh Ramasubramanian 
<[EMAIL PROTECTED]> wrote:

> You are of course right.  The problem posed by sitefinder in its previous
> form has been discussed already, and our bind / djbdns resolvers have
> been patched appropriately to ignore the aberrant behavior introduced by
> verisign.
>
> There ends the operational impact of verisign's decision, till such time
> as they revive sitefinder, and till such time as resolver patches in
> existence are modified if necessary to cope with the new edition of
> sitefinder.

But that's a HUGE operational impact.  Now we're all expected to go around 
and run patched versions of our resolvers or nameservers to get around a 
company using shady tactics to just increase its bottom line!  Let's say it 
takes on average about 10 minutes per machine to do the necessary changes; 
I'll have to spend several hours installing patched software for something 
that is harmful.  They remove the ONLY method for testing if a domain 
exists or not, and certainly the only 'lightweight' method.

Not to mention there is no guarantee the patch will continue to work.  We 
already know of a few ways in which it can break, and anything we do to get 
around those surely introduces maintenance or other headaches.  Who's going 
to pay me to maintain these parts of systems that until now just worked? 
Who's going to pay any of us?  Not VeriSign.  But they'll be making quite 
likely millions off of the hijacked hits.

So I ask again, who's going to pay for my time to do that?  Last time they 
turned this thing on globally I also spent at least two hours on the phone 
trying to explain it to various users.  And what about the systems or 
platforms that *CAN'T* be patched?  What about systems that have long 
depended on the way things are supposed to work?

--
Michael Loftis
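
As an added example, not code from any poster and not the BIND or djbdns patches they mention: the probe a resolver operator is left with once NXDOMAIN for an unregistered .com name is replaced by a synthesized answer, as in Scott Savage's and Michael Loftis's posts above. It queries a few random 20-character labels under the zone (names nobody has registered), records whatever address comes back, and from then on treats an answer consisting only of that address as "does not exist". The two resolver functions and the 192.0.2.x addresses are constructed stand-ins (RFC 5737 documentation space), not the wildcard's real address or any real zone data; a deployment would replace `resolve` with an actual DNS query.

```python
import secrets
import string

# Constructed stand-in zone data using RFC 5737 documentation addresses;
# nothing here is real registry data or the real wildcard target.
REAL_NAMES = {
    "www.example.com": ["192.0.2.10"],
    "mail.example.com": ["192.0.2.25"],
}
WILDCARD_TARGET = "192.0.2.99"  # stand-in for a registry-synthesized A record


def honest_resolve(name):
    """Pre-wildcard .com: unknown names get NXDOMAIN, modelled as an empty list."""
    return list(REAL_NAMES.get(name, []))


def wildcarded_resolve(name):
    """Wildcarded .com: every unregistered name under .com resolves to the target."""
    if name in REAL_NAMES:
        return list(REAL_NAMES[name])
    return [WILDCARD_TARGET] if name.endswith(".com") else []


def random_label(length=20):
    """A random lowercase label; with 36**20 possibilities a collision with a
    registered name is not a practical concern."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def probe_wildcard(resolve, zone, probes=3):
    """Ask for several random names under `zone` and return the set of
    addresses answered.  An empty set means the zone still says NXDOMAIN;
    anything else is the synthesized-answer target to filter on."""
    answers = set()
    for _ in range(probes):
        answers.update(resolve(f"{random_label()}.{zone}"))
    return answers


def name_exists(resolve, name, wildcard_addrs):
    """Existence test that survives a wildcard: NXDOMAIN is 'no', and an
    answer made up only of the wildcard target is also 'no'.  Known gaps: a
    real host parked on the wildcard address is wrongly reported as missing,
    and nothing here says what happens to MX lookups."""
    addrs = set(resolve(name))
    if not addrs:
        return False
    return not addrs <= wildcard_addrs


if __name__ == "__main__":
    target = probe_wildcard(wildcarded_resolve, "com")
    print("wildcard target(s):", target or "none (NXDOMAIN intact)")
    for n in ("www.example.com", "nosuchhost.example.com"):
        print(n, "exists:", name_exists(wildcarded_resolve, n, target))
```

The probe has to be repeated whenever the registry changes the target address, and it only ever tells you about A records for the zone you probed, which is the maintenance burden the post above is complaining about.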


Re: [IP] VeriSign prepares to relaunch "Site Finder" -- calls

2004-02-09 Thread David Lesher

Speaking on Deep Background, the Press Secretary whispered:
> 
> 
> 
> why?  that is, why kill sitefinder?  there's been plenty of invective
> on both sides, and a lot of unprofessional behaviour toward verisign
> employees at a recent nanog meeting, which tends to bolster verisign's
> claim that only the outlying whackos are actually opposed to sitefinder.

Well, as I got my name in lights for saying at the 2nd meeting...

Of the ?8 problems they admitted to, Verisign would have to fix
two, and the rest of us six.

Thus, SiteFinder was an unfunded mandate on us.

I suggest you bill VS for your time, each and every one of us...



-- 
A host is a host from coast to coast          [EMAIL PROTECTED]
& no one will talk to a host that's close     [v].(301) 56-LINUX
Unless the host (that isn't close)            pob 1433
is busy, hung or dead                         20915-1433


Re: [IP] VeriSign prepares to relaunch "Site Finder" -- calls

2004-02-09 Thread Valdis . Kletnieks
On Tue, 10 Feb 2004 04:37:09 GMT, Paul Vixie <[EMAIL PROTECTED]>  said:

> this is [EMAIL PROTECTED]  if you think sitefinder poses an operational problem
> then please describe it (dispassionately).  if you think there is an
> operational thing that ought to be done in response to sitefinder, then
> please describe that (dispassionately).  the response you included...

Has Verisign published a in-depth technical discussion of what they
are thinking of deploying, including details such as what happens to
MX entries, what they intend to do with mail misrouted to them, and so on?

(Yes, that's an operational issue - if they are harvesting and selling a
list of known-good From: addresses on misrouted mail, this will eventually
end up adding to spam - and that's operational)




Re: [IP] VeriSign prepares to relaunch "Site Finder" -- calls

2004-02-09 Thread Suresh Ramasubramanian
Paul Vixie wrote:

> why?  that is, why kill sitefinder?  there's been plenty of invective
> on both sides, and a lot of unprofessional behaviour toward verisign

As I said, the measure may or may not be feasible - in fact, given that 
the domains are not registered, it most certainly is not feasible.

> this is [EMAIL PROTECTED]  if you think sitefinder poses an operational problem
> then please describe it (dispassionately).  if you think there is an
> operational thing that ought to be done in response to sitefinder, then
> please describe that (dispassionately).  the response you included...

You are of course right.  The problem posed by sitefinder in its 
previous form has been discussed already, and our bind / djbdns 
resolvers have been patched appropriately to ignore the aberrant 
behavior introduced by verisign.

There ends the operational impact of verisign's decision, till such time 
as they revive sitefinder, and till such time as resolver patches in 
existence are modified if necessary to cope with the new edition of 
sitefinder.

regards
-srs


Re: [IP] VeriSign prepares to relaunch "Site Finder" -- calls

2004-02-09 Thread Paul Vixie

> This is an interesting suggestion that I saw on another list.  It may
> or may not be feasible, but it is certainly interesting, I must say.

why?  that is, why kill sitefinder?  there's been plenty of invective
on both sides, and a lot of unprofessional behaviour toward verisign
employees at a recent nanog meeting, which tends to bolster verisign's
claim that only the outlying whackos are actually opposed to sitefinder.

this is [EMAIL PROTECTED]  if you think sitefinder poses an operational problem
then please describe it (dispassionately).  if you think there is an
operational thing that ought to be done in response to sitefinder, then
please describe that (dispassionately).  the response you included...

> > There's an easy way to kill sitefinder stone cold dead.
> > ...
> > It would be trivial to create a bot to start walking through every
> > possible 20 letter domain name - and if ICANN held them to the rules,
> > Verisign would be rather poorer in short order.

...does not describe an operational problem, and gives a financial remedy.
-- 
Paul Vixie


Re: Where can I find a list of IPs and their regions.

2004-02-09 Thread Andy Smith

On Mon, Feb 09, 2004 at 07:43:02PM -0500, Matthew Crocker wrote:
> I've looked at IANA but it doesn't give enough detailed information.  I 
> would like to find a list of /8s or /16s and what geographic region they 
> exist in.  I know it isn't an exact science but something close would 
> be nice.  I know 210/8 & 211/8 are APNIC; I'd like to know stuff like 
> 210.100/16 is Korea and 210.120/16 is China, etc.   Does anyone have a 
> list I can pull from?

If ISO country code is enough detail,
http://countries.nerd.dk/more.html


Re: Root Servers Request

2004-02-09 Thread Paul Vixie

[EMAIL PROTECTED] (Donovan Hill) writes:

> > thanks for your vote of confidence.  here are some facts you should know:
> >
> > 1. there are 13 root servers, not one.
> 
> gah! I did mean plural. 

in that case i disagree.  no single entity should control all of the servers.

> > 2. isc already runs one (f-root).
> 
> You should be the authority IMO.

i think the selection of the authority needs to be made by a wider
audience.  for example, by some assembly of icann.  the community
of interest in root name service is world wide, not north american.

> > 3. icann doesn't formally read nanog.
> 
> Yeah. I think I'll send a letter.

or go to the next icann meeting in rome.  or both.
-- 
Paul Vixie


Re: [IP] VeriSign prepares to relaunch "Site Finder" -- calls technologists "biased"

2004-02-09 Thread Suresh Ramasubramanian

> "Gregory" == Gregory Hicks <[EMAIL PROTECTED]> writes:

Gregory>  From Dave Farber's IP list...
Gregory> VeriSign Reconsiders Search Service

This is an interesting suggestion that I saw on another list.  It may
or may not be feasible, but it is certainly interesting, I must say.

   srs

> There's an easy way to kill sitefinder stone cold dead.
> 
> ICANN is entitled to a cut of every domain registered - IIRC it's about $5
> 
> By wildcarding *.com, every typoed domain is being created by Verisign
> on the fly - and ICANN should be entitled to their pound of flesh.
> 
> It would be trivial to create a bot to start walking through every
> possible 20 letter domain name - and if ICANN held them to the rules,
> Verisign would be rather poorer in short order.
> 
> This should be rather easier than trying to litigate sitefinder out of
> existence and I feel it would work within the existing contract
> structure.



Re: Root Servers Request

2004-02-09 Thread Donovan Hill

On Monday 09 February 2004 04:37 pm, Paul Vixie wrote:
> donovan hill wrote:
> > This is a formal request to ICANN that they hand over the root server to
> > a not-for-profit organization. I nominate ISC for this task.
>
> thanks for your vote of confidence.  here are some facts you should know:
>
> 1. there are 13 root servers, not one.

gah! I did mean plural. 

> 2. isc already runs one (f-root).

You should be the authority IMO.

> 3. icann doesn't formally read nanog.

Yeah. I think I'll send a letter.

-- 
Donovan Hill
Electronics Engineering Technologist, CCNA
www.lazyeyez.net, www.gwsn.com


Re: Root Servers Request

2004-02-09 Thread Donovan Hill

On Monday 09 February 2004 04:37 pm, Philip J. Nesser II wrote:
> Seems to be a pretty informal "formal" request.

It is. But it's still a nice thought. Dunno what ISC thinks about the idea 
though.

>
> --->  Phil
>
> On Mon, 9 Feb 2004, Donovan Hill wrote:
> > This is a formal request to ICANN that they hand over the root server to
> > a not-for-profit organization. I nominate ISC for this task.
> >
> > --
> > Donovan Hill
> > Electronics Engineering Technologist, CCNA
> > www.lazyeyez.net, www.gwsn.com

-- 
Donovan Hill
Electronics Engineering Technologist, CCNA
www.lazyeyez.net, www.gwsn.com


Re: Root Servers Request

2004-02-09 Thread Todd Vierling

On Mon, 9 Feb 2004, bill wrote:

: Nope.  VSGN   - A, J
:        ISI/EP - B
:        Cogent - C
:        UMD    - D
:        NASA   - E
:        ISC    - F
:        DISA   - G
:        USArmy - H
:        Autonomica - I  (se)
:        RIPE   - K  (nl)
:        ICANN  - L
:        WIDE   - M  (jp)

There isn't major vested commercial interest, which was what I was
attempting to convey.  While there are some for-profit corporations here,
their involvement is not paramount over the whole of the group.

-- 
-- Todd Vierling <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>


Re: Where can I find a list of IPs and their regions.

2004-02-09 Thread just me

I think I have what you are looking for; at least for the APNIC region
so far:

http://mrtg.snark.net/apnic.php

It updates weekly from data on the APNIC web site.

matto


On Mon, 9 Feb 2004, Matthew Crocker wrote:

  I've looked at IANA but it doesn't give enough detailed information.  I
  would like to find a list of /8s or /16s and what geographic region they
  exist in.  I know it isn't an exact science but something close would
  be nice.  I know 210/8 & 211/8 are APNIC; I'd like to know stuff like
  210.100/16 is Korea and 210.120/16 is China, etc.   Does anyone have a
  list I can pull from?

  -Matt



[EMAIL PROTECTED]
   Flowers on the razor wire/I know you're here/We are few/And far
   between/I was thinking about her skin/Love is a many splintered
   thing/Don't be afraid now/Just walk on in.



Re: Where can I find a list of IPs and their regions.

2004-02-09 Thread williamelan.net

http://www.completewhois.com/statistics/data/ips-bycountry/rirstats/

Updated daily, but old data is currently not archived and the project is 
considered to be in alpha state for now. But the URL will probably not change 
in the future, even when fully released, since I've already given it out to a 
number of people.

On Mon, 9 Feb 2004, Matthew Crocker wrote:

> 
> I've looked at IANA but it doesn't give enough detailed information.  I 
> would like to find a list of /8s or /16s and what geographic region they 
> exist in.  I know it isn't an exact science but something close would 
> be nice.  I know 210/8 & 211/8 are APNIC; I'd like to know stuff like 
> 210.100/16 is Korea and 210.120/16 is China, etc.   Does anyone have a 
> list I can pull from?
> 
> -Matt



Re: Where can I find a list of IPs and their regions.

2004-02-09 Thread George Michaelson

On Mon, 9 Feb 2004 20:50:10 -0500 Matthew Crocker <[EMAIL PROTECTED]> wrote:

>
>> On 10.02.2004 01:43 Matthew Crocker wrote:
>>> I've looked at IANA but it doesn't give enough detailed information.  I 
>>> would like to find a list of /8s or /16s and what geographic region 
>>> they exist in.  I know it isn't an exact science but something close 
>>> would be nice.  I know 210/8 & 211/8 are APNIC; I'd like to know stuff 
>>> like 210.100/16 is Korea and 210.120/16 is China, etc.   Does anyone 
>>> have a list I can pull from?
>>
>> Have a look at http://www.aso.icann.org/stats/index.html and retrieve 
>> up-to-date files from APNIC, ARIN, LACNIC and RIPE.
>>
>This is exactly what I want,  thank you very much :)
>
>I wonder why APNIC & ARIN have delegated-*-latest files but LACNIC & 
>RIPE do not.  grrr.  This data should be accurate enough for what I'm 
>trying to accomplish

LACNIC and RIPE-NCC do.

Please see:

http://www.apnic.net/mailing-lists/apnic-announce/archive/2004/01/msg2.html

this has the URL for all 4 current RIR paths to the files.

-George

>
>Thanks again
>
>-Matt


-- 
George Michaelson   |  APNIC
Email: [EMAIL PROTECTED]|  PO Box 2131 Milton QLD 4064
Phone: +61 7 3858 3150  |  Australia
  Fax: +61 7 3858 3199  |  http://www.apnic.net


Re: Where can I find a list of IPs and their regions.

2004-02-09 Thread Matthew Crocker

> On 10.02.2004 01:43 Matthew Crocker wrote:
>> I've looked at IANA but it doesn't give enough detailed information.  I 
>> would like to find a list of /8s or /16s and what geographic region 
>> they exist in.  I know it isn't an exact science but something close 
>> would be nice.  I know 210/8 & 211/8 are APNIC; I'd like to know stuff 
>> like 210.100/16 is Korea and 210.120/16 is China, etc.   Does anyone 
>> have a list I can pull from?
>
> Have a look at http://www.aso.icann.org/stats/index.html and retrieve 
> up-to-date files from APNIC, ARIN, LACNIC and RIPE.

This is exactly what I want,  thank you very much :)

I wonder why APNIC & ARIN have delegated-*-latest files but LACNIC & 
RIPE do not.  grrr.  This data should be accurate enough for what I'm 
trying to accomplish

Thanks again

-Matt



Re: Where can I find a list of IPs and their regions.

2004-02-09 Thread sgorman1


Best bet is probably to use CAIDA's Netgeo:

http://www.caida.org/tools/utilities/netgeo/

It can give some squirrelly answers, and is not actively maintained, but good stuff for 
being free.

- Original Message -
From: Arnold Nipper <[EMAIL PROTECTED]>
Date: Monday, February 9, 2004 7:53 pm
Subject: Re: Where can I find a list of IPs and their regions.

> 
> On 10.02.2004 01:43 Matthew Crocker wrote:
> > 
> > I've looked at IANA but it doesn't give enough detailed information.  I 
> > would like to find a list of /8s or /16s and what geographic region they 
> > exist in.  I know it isn't an exact science but something close would be 
> > nice.  I know 210/8 & 211/8 are APNIC; I'd like to know stuff like 
> > 210.100/16 is Korea and 210.120/16 is China, etc.   Does anyone have a 
> > list I can pull from?
> 
> Have a look at http://www.aso.icann.org/stats/index.html and retrieve 
> up-to-date files from APNIC, ARIN, LACNIC and RIPE.
> 
> 
> 
> -- Arnold
> 



Re: Root Servers Request

2004-02-09 Thread bill

> 
> 
> On Mon, 9 Feb 2004, Donovan Hill wrote:
> 
> : This is a formal request to ICANN that they hand over the root server to a
> : not-for-profit organization. I nominate ISC for this task.
> 
> And here, I had thought that most of *.ROOT-SERVERS.NET. were ISC-sponsored,
> mostly not-for-profit/academic/subsidized servers as it was.  To be sure,
> VeriSign does not control the majority of such servers.  8-)

Nope.  VSGN   - A, J
   ISI/EP - B
   Cogent - C
   UMD- D
   NASA   - E
   ISC- F
   DISA   - G
   USArmy - H
   Autonomica - I  (se)
   RIPE   - K  (nl)
   ICANN  - L
   WIDE   - M  (jp)

ISC controls -one- instance.  With anycast, they have lots of 
copies of "F", but ISC does not sponsor any of the other operators
or their operations.


> 
> You're probably confused that ROOT-SERVERS.NET. != GTLD-SERVERS.NET.  The
> latter hosts COM. and NET. and is run exclusively by VeriSign.
> 
> -- 
> -- Todd Vierling <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
> 



Re: Cisco Router best for full BGP on a sub 5K budget 7500 7200 or other vendor ?

2004-02-09 Thread Robert E. Seastrom


"Tom (UnitedLayer)" <[EMAIL PROTECTED]> writes:

> On Sun, 8 Feb 2004, Alexander Hagen wrote:
> > The PA-2FE-TX is about 1600.00- better to get a second PA-FE-TX with
> > second VIP2-50
> >
> > Now why is the CX-FEIP-2TX so much cheaper than the PA-2FE-TX ?
> 
> I believe because the CX-FEIP-2TX is a full length card.
> The PA-2FE-TX also isn't able to handle a full 100Mbps per port, so don't
> be suprised if it doesn't work well :)
> 
> VIP2/50 is a much better combo.

The reason that the CX-FEIP-2TX is so inexpensive is that it is
interesting mainly as a curiosity of transitional technology.

A CX-FEIP-2TX is VIP1, not a VIP2 (even a 2-15 or 2-20), and is
incapable of being upgraded to do distributed anything, (cef, flow,
whatever).  It barely does full-duplex at line rate on one port, let
alone two.

Its sole use, if you happen to like to keep old hardware around, is
that it will work in a 7000/7010 with RP/[S]SP, (ie, not an RSP).  You
can use them in a 7500 (or a 7000 with an RSP7k), but why would you
want to?

---Rob


Re: Where can I find a list of IPs and their regions.

2004-02-09 Thread Arnold Nipper
On 10.02.2004 01:43 Matthew Crocker wrote:
> I've looked at IANA but it doesn't give enough detailed information.  I 
> would like to find a list of /8s or /16s and what geographic region they 
> exist in.  I know it isn't an exact science but something close would be 
> nice.  I know 210/8 & 211/8 are APNIC; I'd like to know stuff like 
> 210.100/16 is Korea and 210.120/16 is China, etc.   Does anyone have a 
> list I can pull from?

Have a look at http://www.aso.icann.org/stats/index.html and retrieve 
up-to-date files from APNIC, ARIN, LACNIC and RIPE.



-- Arnold



Where can I find a list of IPs and their regions.

2004-02-09 Thread Matthew Crocker
I've looked at IANA but it doesn't give enough detailed information.  I 
would like to find a list of /8s or /16s and what geographic region they 
exist in.  I know it isn't an exact science but something close would 
be nice.  I know 210/8 & 211/8 are APNIC; I'd like to know stuff like 
210.100/16 is Korea and 210.120/16 is China, etc.   Does anyone have a 
list I can pull from?

-Matt



Re: Root Servers Request

2004-02-09 Thread Paul Vixie

donovan hill wrote:

> This is a formal request to ICANN that they hand over the root server to
> a not-for-profit organization. I nominate ISC for this task.

thanks for your vote of confidence.  here are some facts you should know:

1. there are 13 root servers, not one.
2. isc already runs one (f-root).
3. icann doesn't formally read nanog.
-- 
Paul Vixie
President
ISC


Re: Root Servers Request

2004-02-09 Thread Deepak Jain
How does ISC pick these sites/subsidizers?

Thanks,

DJ

Todd Vierling wrote:

> On Mon, 9 Feb 2004, Donovan Hill wrote:
>
> : This is a formal request to ICANN that they hand over the root server to a
> : not-for-profit organization. I nominate ISC for this task.
>
> And here, I had thought that most of *.ROOT-SERVERS.NET. were ISC-sponsored,
> mostly not-for-profit/academic/subsidized servers as it was.  To be sure,
> VeriSign does not control the majority of such servers.  8-)
>
> You're probably confused that ROOT-SERVERS.NET. != GTLD-SERVERS.NET.  The
> latter hosts COM. and NET. and is run exclusively by VeriSign.



Re: Root Servers Request

2004-02-09 Thread Todd Vierling

On Mon, 9 Feb 2004, Donovan Hill wrote:

: This is a formal request to ICANN that they hand over the root server to a
: not-for-profit organization. I nominate ISC for this task.

And here, I had thought that most of *.ROOT-SERVERS.NET. were ISC-sponsored,
mostly not-for-profit/academic/subsidized servers as it was.  To be sure,
VeriSign does not control the majority of such servers.  8-)

You're probably confused that ROOT-SERVERS.NET. != GTLD-SERVERS.NET.  The
latter hosts COM. and NET. and is run exclusively by VeriSign.

-- 
-- Todd Vierling <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>


Re: Network and security experts (was Re: Dumb users spread viruses)

2004-02-09 Thread doug

In their defense, Microsoft hired a convention specialist to handle their
booth.  That company in turn hired some random integrator to supply and
configure the Windows machines.

Doug



On Mon, 9 Feb 2004, Kevin Oberman wrote:

>
> > Date: Mon, 9 Feb 2004 12:41:26 -0500 (EST)
> > From: Sean Donelan <[EMAIL PROTECTED]>
> > Sender: [EMAIL PROTECTED]
> >
> >
> > On Mon, 9 Feb 2004, John Payne wrote:
> > > --On Sunday, February 8, 2004 10:46 PM + Paul Vixie <[EMAIL PROTECTED]>
> > > wrote:
> > > > There is nothing wrong with a user who thinks they should not have to know
> > > > how to protect their computer from virus infections.
> > > However, someone attending NANOG should at least have cleaned up slammer
> > > before connecting to the wireless...
> >
> > I have never seen any evidence that security experts or network operators
> > are any better at practicing security than any other user group.  In every
> > forum I've been at, the infection rates have been similar regardless of
> > the attendees security experience.
> >
> > Sometimes the attendees know about the issue, but do not have the power
> > to fix it, e.g. corporate IT department controls the laptop they are
> > required to use.  Other times, they are oblivious to the equipment being
> > infected.
> >
> > I wouldn't be surprised if I went to a meeting at the Department of
> > Homeland Security or NSA, their infection rates are similar.
>
> At a recent large (last 6 months) trade show, the show network saw a
> bunch of infected systems pop up at once. The problem was tracked (fairly
> quickly) to machines brought up by a vendor in their booth that lacked a
> number of recent Microsoft Windows Critical Updates. I can't say who the
> vendor was, but they REALLY should have been the FIRST to install any
> patches.
>
> If this happens, what hope do we have for "normal" users?
> --
> R. Kevin Oberman, Network Engineer
> Energy Sciences Network (ESnet)
> Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
> E-mail: [EMAIL PROTECTED] Phone: +1 510 486-8634
>


Re: Root Servers Request

2004-02-09 Thread Philip J. Nesser II

Seems to be a pretty informal "formal" request.

--->  Phil

On Mon, 9 Feb 2004, Donovan Hill wrote:

>
> This is a formal request to ICANN that they hand over the root server to a
> not-for-profit organization. I nominate ISC for this task.
>
> --
> Donovan Hill
> Electronics Engineering Technologist, CCNA
> www.lazyeyez.net, www.gwsn.com
>



Root Servers Request

2004-02-09 Thread Donovan Hill

This is a formal request to ICANN that they hand over the root server to a 
not-for-profit organization. I nominate ISC for this task.

-- 
Donovan Hill
Electronics Engineering Technologist, CCNA
www.lazyeyez.net, www.gwsn.com


Re: question on ptr rr

2004-02-09 Thread Paul Vixie

> > Imagine a world in which only ISPs run SMTP servers which only talk
> > directly to other servers with which they have an offline relationship.
> 
> 70K users. 40M .coms.  N*M.  Gee thanks.  That's too damned many
> relationships to negotiate.  And I think we learned our lesson with
> 'ADMD= PRMD=', didn't we?

it's a real shame that exponential growth can only occur in wormnets,
and that there's no such thing as transitive trust amongst humans.

otherwise we could build a trusted "smtp web" out of multilateral trust
relationships and existing X.509 technology, and it would become possible
to know from the SSL whether an smtp initiator has signed a loyalty oath
similar to your own, and if they then misbehave it would be possible to
find out who let them in and prune the whole branch.  six degrees of
separation and all that.

but i guess i'm still a few years ahead of myself on this one.
-- 
Paul Vixie


Re: [IP] VeriSign prepares to relaunch "Site Finder" -- calls technologists "biased"

2004-02-09 Thread Chris Yarnell

and this helps fix the "biased technologists" image, how?

>  Again, the close knit community responds:

[ ... ]


Re: [IP] VeriSign prepares to relaunch "Site Finder" -- calls technologists "biased"

2004-02-09 Thread williamelan.net


If they give us 90 days' head start, by the time it's supposed to start
it'd be blocked everywhere and Microsoft and Netscape would have released
a fix to redirect users to the page of their choice. If 90 days is not
enough to release such updates to software, lawyers can make sure it's
delayed in court long enough so that everyone is ready to block it.

But I don't think we need to spend OUR resources to create an application
workaround for a problem that does not need to exist in the first place!

On Mon, 9 Feb 2004, Gregory Hicks wrote:

> 
>  From Dave Farber's IP list...
>  
>  ---
> 
> 
> http://www.washingtonpost.com/wp-dyn/articles/A25819-2004Feb9_2.html
> 
> VeriSign Reconsiders Search Service
> 
> "Site Finder was not controversial with users, 84 percent of whom said
> they liked it as a helpful navigation service," said Tom Galvin,
> VeriSign's vice president of government relations. "We continue to look
> at ways we can offer the service while addressing the concerns that
> were raised by a segment of the technical community."
> 
> Galvin said that the continued opposition stems from "an ideological
> belief by a narrow section of the technological community who don't
> believe you should innovate the core infrastructure of the Internet."
> 
> Critics also claim that VeriSign must run the domains as a public
> trust, not a profit-making opportunity. VeriSign is the sole operator
> of the dot-com and dot-net registries under a contract with ICANN.
> 
> "I don't begrudge them their profit, but someone in an effectively
> regulated monopoly position shouldn't use their power for their own
> profit, beyond the terms under which the community gave it to them,"
> said Steven Bellovin, co-director of the Internet Engineering Task
> Force's Security Area.
> 
> Paul Rothstein, a law professor at Georgetown University and a paid
> VeriSign consultant, said that the critics have some legitimate
> objections but others are motivated by the scientific and technology
> communities' "bias on policy."
> 
> Still, he added, it would be tough for VeriSign to win the public
> relations war because its opponents are highly regarded technologists.
> 
> ICANN will reserve judgment until VeriSign decides to relaunch Site
> Finder, said General Counsel John Jeffrey. VeriSign assured ICANN that
> it would give 60 to 90 days' warning to resolve any remaining
> technological problems, Jeffrey said.
> 
> In the meantime, ICANN is waiting for a final report on Site Finder
> from its Security and Stability Advisory Committee. Committee Chairman
> Steve Crocker said he doubts that Site Finder can be changed enough
> that it won't threaten the Internet's underlying infrastructure.
> 
> "I thought people were relieved that they took it down and it's hard to
> believe that there would be any quietness if they brought it back,"
> Crocker said.
> 
> 
> 
> -
> 
> Archives at: http://www.interesting-people.org/archives/interesting-people/
> 
> 
> - End Forwarded Message -
> 
> 
> ---
> Gregory Hicks| Principal Systems Engineer
> Cadence Design Systems   | Direct:   408.576.3609
> 555 River Oaks Pkwy M/S 6B1  | Fax:  408.894.3400
> San Jose, CA 95134   | Internet: [EMAIL PROTECTED]
> 
> "The trouble with doing anything right the first time is that nobody
> appreciates how difficult it was."
> 
> When a team of dedicated individuals makes a commitment to act as
> one...  the sky's the limit.
> 
> Just because "We've always done it that way" is not necessarily a good
> reason to continue to do so...  Grace Hopper, Rear Admiral, United
> States Navy



Re: [IP] VeriSign prepares to relaunch "Site Finder" -- calls technologists "biased"

2004-02-09 Thread Alex Kamantauskas


>Galvin said that the continued opposition stems from "an ideological
>belief by a narrow section of the technological community who don't
>believe you should innovate the core infrastructure of the Internet."

 Again, the close knit community responds:



_  INNOVATE THIS! _
   |_|   |_|
   | | /^^^\ | |
  _| |_  (| "o" |)  _| |_
_| | | | _(_---_)_ | | | |_
   | | | | |' |_| |_| `| | | | |
   |  |   / \   |  |
\/  / /(. .)\ \  \/
  \/  / /  | . |  \ \  \/
\  \/ /||Y||\ \/  /
 \__/  || ||  \__/
   () ()
   || ||
  ooO Ooo



Re: Monumentous task of making a list of all DDoS Zombies.

2004-02-09 Thread Scott A Crosby

On Sun, 8 Feb 2004 18:12:46 +0100, Iljitsch van Beijnum <[EMAIL PROTECTED]> writes:

> But how are you going to infect a million boxes if you can
> only scan one address per second?

With a random scanning worm, the expected time could be as low as
about a day.

Assuming the random scanning model from the paper[1], I get:
0 time: 1 infected host.
   11 hours to infect 1000 hosts.
   25 hours to infect 800k hosts
   31 hours to infect 996k hosts.

This model assumes one scan per second per infected host. It is
because if a million boxes are vulnerable, then one in 4096 IP
addresses should be vulnerable. A random scan would find one such
every 4096 seconds, implying a doubling time of about 70 minutes.

Scott

[1] http://www.icir.org/vern/papers/cdc-usenix-sec02/
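As an added illustration (not code from the post or from the cited paper), the logistic random-scanning model behind those figures, written to give a responder the expected time to each milestone. It assumes the post's rounded 4096-second hit interval is the population doubling time (K = ln 2 / 4096), which the post does not spell out.

```python
import math

# Parameters taken from the post: one million vulnerable hosts, one scan
# per second per infected host, the full IPv4 address space.
ADDRESS_SPACE = 2 ** 32
VULNERABLE = 1_000_000
SCANS_PER_SECOND = 1.0

# The post rounds 2^32 / 10^6 (about 4295 s) to 4096 s, "one hit every
# 4096 seconds".  Assumption: that interval is the doubling time of the
# infected population; this reproduces the post's 11 h / 25 h / 31 h.
DOUBLING_TIME_SECONDS = 4096.0


def expected_seconds_per_hit(scan_rate=SCANS_PER_SECOND, vulnerable=VULNERABLE,
                             address_space=ADDRESS_SPACE):
    """Expected seconds for one infected host to hit a vulnerable address.

    One address in (address_space / vulnerable) is vulnerable, so at
    scan_rate scans per second the expectation is
    address_space / (vulnerable * scan_rate)  (about 4295 s here).
    """
    return address_space / (vulnerable * scan_rate)


def growth_constant(doubling_time=DOUBLING_TIME_SECONDS):
    """Per-second logistic growth constant K, from the doubling time."""
    return math.log(2) / doubling_time


def infected_at(t_seconds, initial=1, vulnerable=VULNERABLE, k=None):
    """Closed-form solution of the logistic equation dI/dt = K I (1 - I/N).

    I(t) = N / (1 + ((N - I0) / I0) * exp(-K t))
    """
    k = growth_constant() if k is None else k
    return vulnerable / (1 + (vulnerable - initial) / initial * math.exp(-k * t_seconds))


def seconds_to_reach(count, initial=1, vulnerable=VULNERABLE, k=None):
    """Invert infected_at(): seconds until `count` hosts are infected."""
    if not initial <= count < vulnerable:
        raise ValueError("count must lie in [initial, vulnerable)")
    k = growth_constant() if k is None else k
    return math.log(count * (vulnerable - initial) / (initial * (vulnerable - count))) / k


def milestones(counts=(1000, 800_000, 996_000)):
    """Hours until each milestone is reached: the response window a
    defender can plan against, starting from a single infected host."""
    return {c: seconds_to_reach(c) / 3600 for c in counts}


if __name__ == "__main__":
    print(f"expected seconds per hit: {expected_seconds_per_hit():.0f}")
    print(f"doubling time: {DOUBLING_TIME_SECONDS / 60:.0f} minutes")
    for count, hours in milestones().items():
        print(f"{hours:5.1f} hours to infect {count:>7,} hosts")
```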



[IP] VeriSign prepares to relaunch "Site Finder" -- calls technologists "biased"

2004-02-09 Thread Gregory Hicks

 From Dave Farber's IP list...
 
 ---


http://www.washingtonpost.com/wp-dyn/articles/A25819-2004Feb9_2.html

VeriSign Reconsiders Search Service

"Site Finder was not controversial with users, 84 percent of whom said
they liked it as a helpful navigation service," said Tom Galvin,
VeriSign's vice president of government relations. "We continue to look
at ways we can offer the service while addressing the concerns that
were raised by a segment of the technical community."

Galvin said that the continued opposition stems from "an ideological
belief by a narrow section of the technological community who don't
believe you should innovate the core infrastructure of the Internet."

Critics also claim that VeriSign must run the domains as a public
trust, not a profit-making opportunity. VeriSign is the sole operator
of the dot-com and dot-net registries under a contract with ICANN.

"I don't begrudge them their profit, but someone in an effectively
regulated monopoly position shouldn't use their power for their own
profit, beyond the terms under which the community gave it to them,"
said Steven Bellovin, co-director of the Internet Engineering Task
Force's Security Area.

Paul Rothstein, a law professor at Georgetown University and a paid
VeriSign consultant, said that the critics have some legitimate
objections but others are motivated by the scientific and technology
communities' "bias on policy."

Still, he added, it would be tough for VeriSign to win the public
relations war because its opponents are highly regarded technologists.

ICANN will reserve judgment until VeriSign decides to relaunch Site
Finder, said General Counsel John Jeffrey. VeriSign assured ICANN that
it would give 60 to 90 days' warning to resolve any remaining
technological problems, Jeffrey said.

In the meantime, ICANN is waiting for a final report on Site Finder
from its Security and Stability Advisory Committee. Committee Chairman
Steve Crocker said he doubts that Site Finder can be changed enough
that it won't threaten the Internet's underlying infrastructure.

"I thought people were relieved that they took it down and it's hard to
believe that there would be any quietness if they brought it back,"
Crocker said.



-

Archives at: http://www.interesting-people.org/archives/interesting-people/


- End Forwarded Message -


---
Gregory Hicks| Principal Systems Engineer
Cadence Design Systems   | Direct:   408.576.3609
555 River Oaks Pkwy M/S 6B1  | Fax:  408.894.3400
San Jose, CA 95134   | Internet: [EMAIL PROTECTED]

"The trouble with doing anything right the first time is that nobody
appreciates how difficult it was."

When a team of dedicated individuals makes a commitment to act as
one...  the sky's the limit.

Just because "We've always done it that way" is not necessarily a good
reason to continue to do so...  Grace Hopper, Rear Admiral, United
States Navy



Re: question on ptr rr

2004-02-09 Thread Paul Vixie

> ...

Agreed.  However, this...

> We need to start with an Email Service Consortium with a code of email
> server practices in which the larger ISPs agree to stop accepting SMTP
> connections from anyone who is not in the consortium or a customer. This
> will get everyone implementing a set of well-known and consistent controls.

...is not practical.  Remember the true street-level definition of spam:
"spam is e-mail you didn't want that wasn't sent by me or my customers."
Trying to form an E-S-C under those conditions is unthinkable or useless.
-- 
Paul Vixie


IPSEC server at NANOG30 (fwd)

2004-02-09 Thread Susan Harris

Hi everyone - here's a note from Duane Wessels, who handles many of our
critical services at NANOG meetings (DNS, DHCP, caching, etc.)  If
you're interested in beta testing and would like to talk FTF, he's wearing
a really really bright orange T-shirt and sitting in the front of the
ballroom.

-- Forwarded message --
Date: Mon, 9 Feb 2004 14:52:00 -0700 (MST)
From: Duane Wessels <[EMAIL PROTECTED]>

Hi,

We are experimenting with an IPSEC service that NANOG attendees may
be interested in using to encrypt and secure their wireless traffic
during the meeting.  We have an IPSEC server on the meeting network
and are looking for a few beta testers to try it out.

We can currently work only with Linux and *BSD systems.  In order
to use the IPSEC server with Linux, you must have FreeS/WAN and
iptables installed.  BSD users should have isakmpd installed.

If you'd like to try it out, or have any questions, please send a
message to Duane Wessels, wessels at packet-pushers.com.



Yahoo DNS issue

2004-02-09 Thread bcm



I need to get into contact with someone from Yahoo with a DNS related
issue affecting Yahoo mail users' ability to send to a domain I manage.
Any contact info off-list would be greatly appreciated!


Re: Dumb users spread viruses

2004-02-09 Thread Eric A. Hall


On 2/8/2004 4:46 PM, Paul Vixie wrote:

> In this past year's tour of my friends and family, I've taken to
> removing their antivirus software at the same time I remove their
> spyware, and I've taken to installing Mozilla (with its IMAP client) as
> a way to keep the machine from having any dependency on anti-virus
> software.

I switched to Communicator (and then Mozilla) a long time ago, and I also
use older versions of Word or alternative products that are less prone to
worms/viruses. I also run anti-virus scans on my mail server.

But I still use virus checkers locally and I don't think it's a good idea
for folks to be discounting their usefulness. There are too many other
paths for infection -- web downloads, infected CD-ROMs (yes this still
happens), and so forth. If performance is a problem then scan writes only,
instead of writes+reads (you won't get infected if you scan every write to
disk, while scanning reads is only going to produce a hit if you are
already infected).


-- 
Eric A. Hall                             http://www.ehsco.com/
Internet Core Protocols  http://www.oreilly.com/catalog/coreprot/


RE: Cisco Router best for full BGP on a sub 5K bidget 7500 7200 or other vendor ?

2004-02-09 Thread Tom (UnitedLayer)

On Sun, 8 Feb 2004, Alexander Hagen wrote:
> The PA-2FE-TX is about 1600.00- better to get a second PA-FE-TX with
> second VIP2-50
>
> Now why is the CX-FEIP-2TX so much cheaper than the PA-2FE-TX ?

I believe because the CX-FEIP-2TX is a full length card.
The PA-2FE-TX also isn't able to handle a full 100Mbps per port, so don't
be surprised if it doesn't work well :)

VIP2/50 is a much better combo.



Re: Dumb users spread viruses

2004-02-09 Thread Tom (UnitedLayer)

On 8 Feb 2004, Paul Vixie wrote:
> In this past year's tour of my friends and family, I've taken to removing
> their antivirus software at the same time I remove their spyware, and I've
> taken to installing Mozilla (with its IMAP client) as a way to keep the
> machine from having any dependency on anti-virus software.

A friend of mine did that for his mom's law office about 4-5 years ago.
Instead of MS Word + Outlook, they used Word Perfect and Eudora.
They've never had a macro virus or email virus outbreak, and so far have
managed to stay fairly virus free.
I don't think not having MS Word or Outlook has slowed them down in the
least.



RE: SECURITY: Abuse & upnormal traffic in 207.218.250.181 [ev1.net]

2004-02-09 Thread John Obi

Hello folks,

I would like to thank everyone who helped out to get
this issue resolved.

Many thanks go to Mr. Alif Terranson the OpSec
Engineering Manager from Savvis Communications
Corporation.

Thanks,

-J



RE: Dumb users spread viruses

2004-02-09 Thread Michel Py

> Robert Boyle wrote:
> Please help me resist the siren song of Outlook 2003.

What I retain from your very good post is that if _you_ are having
trouble resisting the siren song, there is nothing to do for the typical
non-technical CEO, as all they care about is feature and ease of use.
Microsoft may be crap, but as long as the users are screaming for it, no
problemo. After you've shown them that they can have their email,
calendaring, contacts, etc in their cell phone, that their
administrative assistant can manage it from the office, and that it fits
in their shirt pocket and is updated quasi real-time, the sale is over.

Real story: A month ago I had a non-technical customer that used her
windoze cell phone to open a critical m$ word file from the basement of
capitol hill. One can whine all they want about Outlook, if one does not
provide a solution that looks as good IN THE USER'S MIND, one will
continue to see Outlook being the dominant app and Windows being the
dominant OS.

Michel.


Re: Network and security experts (was Re: Dumb users spread viruses)

2004-02-09 Thread Steven M. Bellovin

In message <[EMAIL PROTECTED]>, "Wayne E. Bouchard" writes:
>
>On Mon, Feb 09, 2004 at 12:41:26PM -0500, Sean Donelan wrote:
>> 
>> On Mon, 9 Feb 2004, John Payne wrote:
>> > --On Sunday, February 8, 2004 10:46 PM + Paul Vixie <[EMAIL PROTECTED]>
>> > wrote:
>> > > There is nothing wrong with a user who thinks they should not have to know
>> > > how to protect their computer from virus infections.
>> > However, someone attending NANOG should at least have cleaned up slammer
>> > before connecting to the wireless...
>> 
>> I have never seen any evidence that security experts or network operators
>> are any better at practicing security than any other user group.  In every
>> forum I've been at, the infection rates have been similar regardless of
>> the attendees security experience.
>
>This is dramatically demonstrated by the number of NANOG attendees
>that do not utilize encrypted paths to communicate back to their
>offices and who do not maintain at least passable password standards
>for their own accounts. It always astonishes me to see passwords such
>as "asdfg", "microsoft", and "password" come up on that list.
>

Yah -- and you see that on telnets and snmp queries to live routers, 
on the nanog wireless net.  That's *after* the demonstration that a few 
of us did last time...

--Steve Bellovin, http://www.research.att.com/~smb




Hardening a control plane

2004-02-09 Thread Frank P. Troy

Hey Folks,

I'm looking for information on various core network architectures that
could harden a control plane or prevent/isolate the propagation of say a
malformed packet/control plane issue.  I know that a part of the problem
can be solved with edge filtering, ebgp, defense in depth and MD5 auth,
but I am looking for a solution that might involve multi-level IS-IS.

Any pointers would be a help.

Thanks
Frank
-- 
=
 Frank P. Troy
 [EMAIL PROTECTED]
=



OT - Special Interest Texas Reunion

2004-02-09 Thread Timothy Brown

If you don't know what i'm talking about, just ignore this!

Those of you who are interested in another Texas Reunion, in the vein of
Toronto and last night,  drop me a line privately today.

Tim



Re: Network and security experts (was Re: Dumb users spread viruses)

2004-02-09 Thread Valdis . Kletnieks

On Mon, 09 Feb 2004 11:12:58 MST, "Wayne E. Bouchard" said:

> This is dramatically demonstrated by the number of NANOG attendees
> that do not utilize encrypted paths to communicate back to their
> offices and who do not maintain at least passable password standards
> for their own accounts. It always astonishes me to see passwords such
> as "asdfg", "microsoft", and "password" come up on that list.

Been there, done that.

We hosted a SANS-EDU event a while back, and had about 300 people in a
lecture hall, most of whom had wireless access.  I ran a small tcpdump
on the wireless, grabbing only outbound SYN packets for port 110, 995,
and the ports IMAP lives on.  About lunchtime, I announced that I'd seen
some 50 or so people using encrypted POP on 995, and 65 or so using it
in plaintext.  Somebody asked what data I was gathering, and I said "I'm
a white hat, I only looked at SYN packets enough to make this announcement."
Suddenly, we have 65 relieved looking people.  Then I added "But I have no
idea at all what people sitting out in the atrium are grabbing off the
wire" - and we had 65 worried looking people. ;)

I didn't see very many SYN packets on port 110 in the afternoon session. :)





Re: Stopping open proxies and open relays

2004-02-09 Thread Simon Waters

NANOG Digest wrote:
> 
> It would help if systems would only execute code that is signed 
> properly. This would make malware traceable. However the current way of 
> getting your code signed is in many cases too costly for the casual open 
> source developer so people are used to running unsigned or selfsigned 
> application even when the facilities to check signatures would already 
> exist in the system. (though for example in Windows, signatures are only 
> checked at install, not runtime)

My supply of free software is signed by the developer/maintainer and the
trust relationship established through GnuPG, and Keyservers. The OS has
facilities to check these at install time if you want. You'd only need
to check at run time if root had altered the executables - and he is a
pretty solid chap here ;)

Similarly when I distribute free software it is always accompanied by
signed MD5 hash of each file distributed.

So I don't think it is costly to do if you pick a suitable model.

The certificate authority approach is pointless until they provide
proper support for revocation, which most didn't last time I looked, but
I believe it is getting better. (I'm in the cynical group who believes
that the Certificate Authorities are a conspiracy to tax encryption).

But typically signing only proves the authorship, it doesn't tell you
anything about how well written (and thus compromisable) the code is, or
how trustworthy the recipient is ('anyone the certificate authority will
accept money off' - to paraphrase a comment), or how well protected
their keys are.

Signing is a fine approach, but I think sandboxing should take priority.
 Here even if the code is subverted by malformed data, the key stolen,
etc etc - the damage is limited.

Lots of installed copies of IE seem happy to run any "signed ActiveX"
plugin - even when it is Spyware. Although I'm not clear if this is down
to a bad choice of defaults, or users not understanding that even signed
cheques bounce (indeed unsigned cheques don't get that far usually). One
more to check and switch to 'prompt' if you still use IE. Popular
spyware seems to go under inspiring names like spy.exe, trojan.exe etc,
but relatively knowledgeable Internet users still manage to get it
installed against their wishes.

I'm sure there is a more appropriate forum - but then there are probably
web pages discussing it in great details. Of course neither approach
excludes the other.





Re: Dumb users spread viruses

2004-02-09 Thread Robert Boyle
At 12:24 PM 2/9/2004, you wrote:
> Do you honestly think that any IT manager is going to be successful getting
> an entire company to dump Outlook/Exchange and stop using anti-virus
> software?  Do you have an example (within the North American area of
> interest to NANOG members) where this has actually happened?
>
> IMHO, if you can convince an Outlook/Exchange using company to dump MS for
> email, you can convince them to dump MS/Windoze OSs entirely, which is a
> much more complete way to solve this problem.

I have been using Eudora for Windows since v1.3. I am now using 6.011. It
works flawlessly and I have all my email for the past 10 years (3+GB in
100s of mailboxes). This is our corporate standard for email. We turn off
inline images, MS's HTML viewer and we don't allow automatic html downloads
and we don't allow executable HTML content. We strip all useless
executables on the mail server (com,exe,vbs,scr,shs,js, etc.) and all other
attachments are renamed so they must be renamed THEN opened. We have mail
server AV (AVAST - no bogus infected message replies) and desktop/server AV
(Norton AV Corp Ed) on all workstations. We have never had a single virus
or worm infection since 1995.

I banned Outlook years ago. However, as we grow and as Outlook adds more
and more features, I am getting lots of pressure to allow it. I allowed a
few people to use it for calendaring and task management (One-note) and
they LOVE it and want to use it for everything. I am VERY hesitant to allow
this. I have been focused on security for 10+ years. I am an engineer and I
am also CEO of the company and even I am wondering if it might make sense
to allow use of Outlook for email at this point. Microsoft has made a lot
of progress with Office XP and most features which caused problems in the
past are off by default - until the next exploit of course. :( Outlook
simply has the features and the usability that people want. As much as you
may hate Microsoft for making security an afterthought, their software is
powerful, feature-rich and VERY intuitive for people to use.

So I guess my point is that after years of resistance to Outlook, even I am
reconsidering due to high user demand and a void in the market for a robust
group calendaring and task management application. Does anyone have any
pointers for me? Something that fills the organization's needs and that
will work with Eudora? Please help me resist the siren song of Outlook 2003.

-Robert

Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Good will, like a good name, is got by many actions, and lost by one." - 
Francis Jeffrey



Re: Network and security experts (was Re: Dumb users spread viruses)

2004-02-09 Thread Wayne E. Bouchard

On Mon, Feb 09, 2004 at 12:41:26PM -0500, Sean Donelan wrote:
> 
> On Mon, 9 Feb 2004, John Payne wrote:
> > --On Sunday, February 8, 2004 10:46 PM + Paul Vixie <[EMAIL PROTECTED]>
> > wrote:
> > > There is nothing wrong with a user who thinks they should not have to know
> > > how to protect their computer from virus infections.
> > However, someone attending NANOG should at least have cleaned up slammer
> > before connecting to the wireless...
> 
> I have never seen any evidence that security experts or network operators
> are any better at practicing security than any other user group.  In every
> forum I've been at, the infection rates have been similar regardless of
> the attendees security experience.

This is dramatically demonstrated by the number of NANOG attendees
that do not utilize encrypted paths to communicate back to their
offices and who do not maintain at least passable password standards
for their own accounts. It always astonishes me to see passwords such
as "asdfg", "microsoft", and "password" come up on that list.

---
Wayne Bouchard
[EMAIL PROTECTED]
Network Dude
http://www.typo.org/~web/


Re: Dumb users spread viruses

2004-02-09 Thread Mike Jezierski - BOFH



> At 02:46 PM 2/8/2004, Paul Vixie wrote:
> > In this past year's tour of my friends and family, I've taken to removing
> > their antivirus software at the same time I remove their spyware, and I've
> > taken to installing Mozilla (with its IMAP client) as a way to keep the
> > machine from having any dependency on anti-virus software.  IT managers are
> > encouraged to consider a similar move next time they're asked to approve
> > the renewal costs of a campus-wide anti-virus license.
>
> Do you honestly think that any IT manager is going to be successful
> getting an entire company to dump Outlook/Exchange and stop using
> anti-virus software?  Do you have an example (within the North
> American area of interest to NANOG members) where this has actually
> happened?
>
> IMHO, if you can convince an Outlook/Exchange using company to dump
> MS for email, you can convince them to dump MS/Windoze OSs entirely,
> which is a much more complete way to solve this problem.
>
> jc

As much as I respect Paul's opinions, are you sure Mozilla is viable
as a solution to the virus problem? I still feel it's an OS problem.
And yes even with Mozilla I still leave the AV software on a client's 
PC. Lusers still like to click on things and having the mail client 
/dev/null attachments is not viable as they want their family to send 
attached pictures of the grandkids.

And JC, yes I am working on getting this company to move from Windows 
to Mac. Windows users know better than to come to me with their 
latest Windows Woes. I gently pat my iMac and say "Gee, I don't have 
that problem" with a Smug BOFH grin :-)

--
Mike Jezierski
[EMAIL PROTECTED]


Re: Network and security experts (was Re: Dumb users spread viruses)

2004-02-09 Thread Kevin Oberman

> Date: Mon, 9 Feb 2004 12:41:26 -0500 (EST)
> From: Sean Donelan <[EMAIL PROTECTED]>
> Sender: [EMAIL PROTECTED]
> 
> 
> On Mon, 9 Feb 2004, John Payne wrote:
> > --On Sunday, February 8, 2004 10:46 PM + Paul Vixie <[EMAIL PROTECTED]>
> > wrote:
> > > There is nothing wrong with a user who thinks they should not have to know
> > > how to protect their computer from virus infections.
> > However, someone attending NANOG should at least have cleaned up slammer
> > before connecting to the wireless...
> 
> I have never seen any evidence that security experts or network operators
> are any better at practicing security than any other user group.  In every
> forum I've been at, the infection rates have been similar regardless of
> the attendees security experience.
> 
> Sometimes the attendees know about the issue, but do not have the power
> to fix it, e.g. corporate IT department controls the laptop they are
> required to use.  Other times, they are oblivious to the equipment being
> infected.
> 
> I wouldn't be surprised if I went to a meeting at the Department of
> Homeland Security or NSA, their infection rates are similar.

At a recent large (last 6 months) trade show, the show network saw a
bunch of infected systems pop up at once. The problem was tracked (fairly
quickly) to machines brought up by a vendor in their booth that lacked a
number of recent Microsoft Windows Critical Updates. I can't say who the
vendor was, but they REALLY should have been the FIRST to install any
patches.

If this happens, what hope do we have for "normal" users.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: [EMAIL PROTECTED]   Phone: +1 510 486-8634


Re: Applying HD Ratio to all IPv4 allocations

2004-02-09 Thread williamelan.net


I would change it from a requirement to use the HD Ratio to an optional choice to
use the HD ratio to determine utilization when requesting additional ips.
Here is the text I would prefer for that policy proposal:

--- 
  1. All requests for additional IPv4 address space shall require the 
 efficient utilization of the sum total of all existing allocations 
 including all space reassigned to customers, if any. 

  2. When requesting additional ip blocks, ISP Members and other organizations
     with direct ARIN allocations and assignments may choose to have their
     utilization counted by means of the HD Ratio; otherwise RFC2050 utilization
     guidelines should be used by ARIN.

  3. The HD ratio is calculated as log(utilized IPv4 addresses) divided
 by log(total addresses in all previous allocations). In this formula, 
 log refers to the natural logarithm.

  4. Efficient Utilization per RFC2050 guidelines requires 80% utilization
 of ip blocks, ARIN will verify this by requesting utilization statistics
 for one or more previously assigned or allocated ip blocks.
---

This way we do not all of a sudden change everything and at the same time
those that want to use HD Ratio would be free to do so. ARIN may also try 
to promote HD ratio if it likes it by informing whoever requests ip block
that they have this choice, etc.

On Mon, 9 Feb 2004 [EMAIL PROTECTED] wrote:

> 
> I'm going to present the following policy change at the ARIN
> meeting in April. In a few days I have to submit the exact wording
> to ARIN and I'm looking for comments before I do this.
> Basically this policy loosens the rigid 80% utilization 
> requirement in a progressive fashion to recognize the
> inevitable overhead of hierarchy in larger networks.
> 
> 1. All requests for additional IPv4 address space shall require the 
>efficient utilization of the sum total of all existing allocations 
>including all space reassigned to customers, if any.
> 
> 2. The HD (Host Density) ratio of the sum total of all previous allocations
>    shall be greater than or equal to .966 and the HD ratio of the most
>    recent allocation shall be greater than or equal to .930 in order to
>    receive additional space.
> 
> 3. The HD ratio is calculated as log(utilized IPv4 addresses) divided
>    by log(total addresses in all previous allocations). In this formula,
>    log refers to the natural logarithm.
> 
> Rationale:
> 
> The HD ratio was proposed as a way to determine allocation usage thresholds
> for IPv6 address allocations. For more details on this, please refer to
> RFC 3194. There is some detailed background discussion about applying the
> HD ratio to IPv4 allocations in a proposal by Paul Wilson posted to the
> APNIC mailing list on Aug 7, 2003
> http://www.apnic.net/mailing-lists/sig-policy/archive/2003/08/msg0.html
> and he presented it to the annual APNIC policy meeting using these slides
> http://www.apnic.net/meetings/16/programme/sigs/docs/policy/addpol-pres-wilson-hd-ratio.pdf
> I am not suggesting that ARIN should adopt the APNIC proposal, and although
> Paul invents a new name for the HD ratio, I prefer to keep the original term.
> 
> The basic thrust of this proposal is to replace the rigid 80% usage criterion
> by the more flexible HD ratio and to shift the emphasis away from the last
> allocated block to include the total allocated address space. To that end,
> the .930 criterion for the last block is a lot looser than the existing
> requirements for the last block. This is because the utilization threshold
> establishes a time buffer between the beginning of an ARIN application for
> additional addresses and the final deployment of new addresses in the
> operational network. By using a looser criterion as network size grows, we
> are also expanding this time buffer. This recognizes that the economy is
> more dependent than ever on the smooth running of our networks and we
> should not artificially force larger members to operate with virtually
> no safety buffers for implementing new addresses. This safety buffer size
> is important because larger networks have more involved processes for
> changes to their network and these processes take time.
> 
> Paul Wilson's paper contains ample discussion of the technical justification
> for using the HD ratio. I have proposed that we use the .966 number that he
> suggests; I believe there may be valid arguments for reducing this slightly,
> perhaps to .960.
> 
> ---
> Michael Dillon
> Capacity Planning, Prescot St., London, UK
> Mobile: +44 7900 823 672    Internet: [EMAIL PROTECTED]
> Phone: +44 20 7650 9493     Fax: +44 20 7650 9030



Network and security experts (was Re: Dumb users spread viruses)

2004-02-09 Thread Sean Donelan

On Mon, 9 Feb 2004, John Payne wrote:
> --On Sunday, February 8, 2004 10:46 PM + Paul Vixie <[EMAIL PROTECTED]>
> wrote:
> > There is nothing wrong with a user who thinks they should not have to know
> > how to protect their computer from virus infections.
> However, someone attending NANOG should at least have cleaned up slammer
> before connecting to the wireless...

I have never seen any evidence that security experts or network operators
are any better at practicing security than any other user group.  In every
forum I've been at, the infection rates have been similar regardless of
the attendees' security experience.

Sometimes the attendees know about the issue, but do not have the power
to fix it, e.g. the corporate IT department controls the laptop they are
required to use.  Other times, they are oblivious to the equipment being
infected.

I wouldn't be surprised if I went to a meeting at the Department of
Homeland Security or NSA, their infection rates are similar.




RE: abusereporting

2004-02-09 Thread Andy Warner

On Sun, 8 Feb 2004, Stephen Gill wrote:

>
> Hi Mikael,
>
> Aside from the standardization issue, some of the problems with reports as
> they stand are that they can be routed to the wrong people, there is no
> clear way of verifying the authenticity of the data, and the sheer number of
> reports can inundate a given abuse helpdesk such that they are tempted not
> to take any action at all.
>
- snip -

I hesitate to post anything on this thread, but figured the comments would
likely outweigh any flames sent my direction. I'll start by saying this is
operational, but only tangentially.

At one time I was one of the folks running a moderately large corporate
network. These days I'm in grad school at GA Tech. While I'm there I'm
getting my MBA and happen to be competing in business plan competitions.

Starting in the Fall, with a group of classmates, I've been working on a
concept called AbuseButler (http://www.abusebutler.com/) to tackle many
of the issues that have come up in this thread. While it is mostly an
academic exercise at this point, we'd love to see it have some small-scale
commercial success. A functional prototype currently exists, but some
features that would be nice to have are completely lacking still.

The essential concept is as follows:

- Network operators are overwhelmed by the volume of spam and
abuse notifications they receive each day.
- The variety of formats reports come in is troublesome as it means each
one needs human interpretation to be fully understood (garbage in /
garbage out)
- The folks submitting reports often aren't as clueful as we'd all like,
thus they often contact the wrong networks. (crying wolf syndrome)

To address these issues we're building a central notification clearing
house. Subscriber networks would forward a copy of all abuse@,
postmaster@, and other role accounts to our centralized parsing system.
The centralized parsing system handles a number of tasks:

- Automatically parse standard format messages (SpamCop, myNetWatchman,
a native format, etc...). If the message cannot be parsed and appears to
come from an actual user, respond asking them to reply using the native
format (send an empty template). Low-level pseudo-AI would be nice to
attempt to parse free form messages and respond to the submitter with an
"is this correct?" message instead of a "please fill this out" message.

- Once the data is parsed a number of things take place such as:
--- Is the source address actually from the network contacted? (if
not, send a polite brush-off message)
--- Aggregate duplicate reports and assign a problem weight (i.e. one
entry instead of 300 SpamCop messages about the same open relay).
--- Templated output to make the information usable to non-English
speakers.

Instead of dealing with all sorts of free form messages you simply point
your abuse desk folks at an abuse dashboard listing the items with the
highest scores.

Feel free to bash away, but remember, this project started out purely as a
proof of concept for a business plan competition, not the technical
solution to all the world's spam and abuse troubles. Think any large abuse
desks would subscribe to such a solution? Would they accept the ASP model
or want to run it in-house?

If anybody is interested in more detail I'd be happy to follow-up directly,
make available a copy of the existing business plan for comments, etc...

--
Andy Warner
[EMAIL PROTECTED]
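The parsing and aggregation pipeline Andy sketches above, written out as an added example (this is not AbuseButler's code; the key=value "native" format, the netblocks, the sample reports and the weighting heuristic are all constructed for illustration). It parses what it can, brushes off reports about addresses outside the subscriber's space, asks free-form senders for the template, and collapses duplicates into weighted dashboard items:

```python
"""Triage of inbound abuse reports for one subscriber network.

Added example, not AbuseButler code: the report format, netblocks,
sample messages and weighting rule are constructed assumptions.
"""
import ipaddress
from collections import defaultdict

# Constructed: the subscriber's own netblocks (RFC 5737 documentation ranges).
SUBSCRIBER_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed sample inbox: a hypothetical key=value "native" format plus one
# free-form message that no parser will understand.
SAMPLE_REPORTS = [
    "source=192.0.2.25 type=open-relay reporter=spamcop",
    "source=192.0.2.25 type=open-relay reporter=spamcop",
    "source=192.0.2.25 type=open-relay reporter=mynetwatchman",
    "source=198.51.100.9 type=open-proxy reporter=spamcop",
    "source=203.0.113.40 type=spam reporter=annoyed-user",
    "someone from your network is sending me spam, please help",
]

REQUIRED = {"source", "type", "reporter"}


def parse_native(line):
    """Parse one key=value report; return a dict, or None if it is free-form
    or the source is not a valid IP address."""
    fields = {}
    for token in line.split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    if not REQUIRED.issubset(fields):
        return None
    try:
        fields["source"] = ipaddress.ip_address(fields["source"])
    except ValueError:
        return None
    return fields


def in_subscriber_space(addr, nets=SUBSCRIBER_NETS):
    return any(addr in net for net in nets)


def triage(lines, nets=SUBSCRIBER_NETS):
    """Sort raw reports into dashboard items, brush-offs and template requests.

    Weight (constructed heuristic): report count plus one per additional
    independent reporter, so corroborated problems outrank one noisy sender.
    """
    buckets = defaultdict(lambda: {"count": 0, "reporters": set()})
    brush_off, needs_template = [], []
    for line in lines:
        report = parse_native(line)
        if report is None:
            needs_template.append(line)      # reply with the empty template
            continue
        if not in_subscriber_space(report["source"], nets):
            brush_off.append(line)           # polite "not our network" reply
            continue
        key = (str(report["source"]), report["type"])
        buckets[key]["count"] += 1
        buckets[key]["reporters"].add(report["reporter"])
    dashboard = [
        (src, kind, b["count"] + len(b["reporters"]) - 1)
        for (src, kind), b in buckets.items()
    ]
    dashboard.sort(key=lambda item: item[2], reverse=True)
    return {"dashboard": dashboard, "brush_off": brush_off,
            "needs_template": needs_template}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORTS)
    for src, kind, weight in result["dashboard"]:
        print(f"{weight:3d}  {src:<16} {kind}")
    print(len(result["brush_off"]), "brush-offs,",
          len(result["needs_template"]), "template requests")
```

The check that the reported address really sits in the contacted network is what turns "crying wolf" into a cheap automatic reply; the weight makes three reports about one relay from two independent reporters rank above three copies from the same source.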



Re: Dumb users spread viruses

2004-02-09 Thread JC Dill
At 02:46 PM 2/8/2004, Paul Vixie wrote:
> In this past year's tour of my friends and family, I've taken to removing
> their antivirus software at the same time I remove their spyware, and I've
> taken to installing Mozilla (with its IMAP client) as a way to keep the
> machine from having any dependency on anti-virus software.  IT managers are
> encouraged to consider a similar move next time they're asked to approve
> the renewal costs of a campus-wide anti-virus license.

Do you honestly think that any IT manager is going to be successful getting 
an entire company to dump Outlook/Exchange and stop using anti-virus 
software?  Do you have an example (within the North American area of 
interest to NANOG members) where this has actually happened?

IMHO, if you can convince an Outlook/Exchange using company to dump MS for 
email, you can convince them to dump MS/Windoze OSs entirely, which is a 
much more complete way to solve this problem.

jc

p.s.  Please do not cc me on replies to the list.  Please reply to the list 
only, or to me only (as you prefer) but not to both.



Re: question on ptr rr

2004-02-09 Thread Daniel Senie
At 08:40 AM 2/9/2004, Robert E. Seastrom wrote:
> [EMAIL PROTECTED] writes:
>
> > We need to add email sending capability to both POP
> > and IMAP so that eventually we can all block port 25
> > entirely from broadband/dialup edges.
>
> What's wrong with port 587 (rfc 2476 sec. 3.1) and requiring SMTP AUTH
> (rfc 2554), as people have widely deployed today?  The problem is
> education; the technology is already widely available and deployed.

It'd be really nice if mail client programs had an easy way for users to
configure these settings. We have to walk our clients through the advanced
settings in Outlook Express, Eudora, and other programs often.





Re: question on ptr rr

2004-02-09 Thread Arnold Nipper
On 09.02.2004 17:59 [EMAIL PROTECTED] wrote:
> On Mon, 09 Feb 2004 10:38:20 GMT, [EMAIL PROTECTED]  said:
>
> > Imagine a world in which only ISPs run SMTP servers
> > which only talk directly to other servers with which
> > they have an offline relationship.
>
> 70K user. 40M .coms.  N*M.  Gee thanks.  That's too damned many relationships
> to negotiate.  And I think we learned our lesson with 'ADMD= PRMD=', didn't
> we?

Moreover: which ISP would take responsibility for the email being
delivered properly to the destination? Today all ISPs just do best-effort.

This model won't work ...



Arnold



Re: Stopping open proxies and open relays

2004-02-09 Thread Jeff Shultz

** Reply to message from Adi Linden <[EMAIL PROTECTED]> on Fri, 6 Feb
2004 23:00:12 -0600 (CST)

> > > There are valid reasons not to run antivirus software,
> > 
> > And they are?
> 
> P90w/32MB running Win95 used for email only... or insufficient finances 
> to purchase anti virus software... to name a couple.
> 
> Adi

That's not a valid reason. That's an excuse. http://www.grisoft.com -
AVG has a very nice free version for personal use.  And they obviously
have the means to afford an internet connection 

Next?

-- 
Jeff Shultz
Loose nut behind the wheel. 



Re: question on ptr rr

2004-02-09 Thread Valdis . Kletnieks
On Mon, 09 Feb 2004 10:38:20 GMT, [EMAIL PROTECTED]  said:

> Imagine a world in which only ISPs run SMTP servers
> which only talk directly to other servers with which
> they have an offline relationship.

70K user. 40M .coms.  N*M.  Gee thanks.  That's too damned many relationships
to negotiate.  And I think we learned our lesson with 'ADMD= PRMD=', didn't
we?




Re: P2P open source blocking project

2004-02-09 Thread Michael . Dillon

>> For those who want to kill the various p2p programs..there is a 
>> promising project at the following address:

>I'd like to further reduce the functionality of my internet transport 
>because why?

In order to spur the development of more sophisticated
P2P protocols and encourage users to switch over to using
them. The net *IS* an ecosystem, after all.

Read up on eigentrust and "emergent behavior" and
"complex adaptive systems". The current crop of popular
P2P networks are quite crude and deserve to be killed
off in favor of more robust models.

--Michael Dillon




Re: Dumb users spread viruses

2004-02-09 Thread Roland Perry
In article <[EMAIL PROTECTED]>, Niels Bakker <[EMAIL PROTECTED]> writes
> Can a driver reach the fuel injector controls during normal operation of
> the vehicle?

No, because safety laws prevent this possibility (due to dumb drivers).
--
Roland Perry


Re: Dumb users spread viruses

2004-02-09 Thread Todd Vierling

On Mon, 9 Feb 2004, Paul Vixie wrote:

: > Uneducated users should live with the slowness.  It's protecting the rest of
: > the world from their blissful ignorance.
:
: if it protected them or anybody else i'd say you were right, but since it's
: a pattern matcher it always takes 2 to 24 hours for a new pattern file to
: be developed and distributed after a new worm is released.  why even bother?

Because the updates do, in most cases, remove the infection automatically
after the update is in place.  It's a better situation than sitting on our
hands watching Swen, Nimda, Sobig, and friends continue pounding at our
doors for months on end.

: > The average Windows user CANNOT BE TRUSTED TO DO THE RIGHT THING because
: > they are blindly trusting the (1) operating system's security, and (2)
: > non-malicious intent of the things they view or download.

: once you add a particular operating system to the equation i can't disagree
: (mostly due to lack of facts i've actually gathered or checked personally.)
: however, in the situation you describe, the fault is still with the OS, not
: with the end user.

"Good luck" getting the OS manufacturer in question to fix things.  I'd be
happy to file or join an amicus brief if you're looking to take them to
court.  This, however, has not happened yet and probably will not happen for
some time.

Antivirus software is an imperfect solution where there would be *no*
solution otherwise.  It's the digital adulterer's condom.

: as i said before, if we (the creators and distributors of the products and
: services these users depend on) can't make them safe, then the fault is
: with us, not with the people using them.
:
: it's as if not knowing how the fuel injectors work on my car could make it
: blow up on the freeway.  we'd blame the manufacturer, not the driver, right?

Computers provide much more control to the end-user, which leads to an
increased level of confused ignorance.  Even if you turn off the
system-supplied mail client and Web browser and somehow manage to disable
all things using that Web browser's embedded component, people will still
download and run trojans.  It happens all the damned time.

To extend the automobile metaphor but add the control/confusion level I
described:  Let's say the driver sees the "PUT IN YOUR CAR EVERY 2-3
MONTHS!" tagline on a bottle of motor oil.  Knowing this should go in the
car, but without knowing what an oil change is, s/he happily pours it into
the gas tank.  Now who's liable when the head gasket blows or the engine
catches fire from overheating?

-- 
-- Todd Vierling <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>


Re: P2P open source blocking project

2004-02-09 Thread Joel Jaeggli

I'd like to further reduce the functionality of my internet transport 
because why?

joelja

On Mon, 9 Feb 2004, William Warren wrote:

> 
> For those who want to kill the various p2p programs..there is a 
> promising project at the following address:
> 
> http://www.lowth.com/p2pwall/ftwall/
> 
> William
> 

-- 
-- 
Joel Jaeggli   Unix Consulting [EMAIL PROTECTED]
GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2




Re: Dumb users spread viruses

2004-02-09 Thread Niels Bakker

>> Uneducated users should live with the slowness [caused by a virus
>> scanner].  It's protecting the rest of the world from their blissful
>> ignorance.

* [EMAIL PROTECTED] (Paul Vixie) [Mon 09 Feb 2004, 16:30 CET]:
> if it protected them or anybody else i'd say you were right, but since it's
> a pattern matcher it always takes 2 to 24 hours for a new pattern file to
> be developed and distributed after a new worm is released.  why even bother?

Because we're all still seeing Slammer, Nimda etc. infections occur.


> it's as if not knowing how the fuel injectors work on my car could make it
> blow up on the freeway.  we'd blame the manufacturer, not the driver, right?

Can a driver reach the fuel injector controls during normal operation of
the vehicle?  Ignorance of operation needn't always pose an acute danger.


-- Niels.


Re: Dumb users spread viruses

2004-02-09 Thread Roland Perry
In article <[EMAIL PROTECTED]>, Petri Helenius <[EMAIL PROTECTED]> writes
> You get millions of people calling asking how to disable the annoying
> feature that they got when they updated the computer. In addition they
> will tell other people not to upgrade because it gets more annoying to
> use email and the earlier way was more convenient.

That's a user interface design issue. People seem happy enough with 
popups from virus checkers saying "suchandsuch a file is infected - what 
do you want to do about it", all I'm proposing is something similar for 
"potentially harmful files".

You already get something similar for (eg) driver files not signed as 
XP-compatible. Does that put people [support desks, users, potential 
upgraders] off XP?

I agree there may be a scaling issue, although I see fewer 
wanted-executables annually than I have non-XP drivers installed, which 
is also pretty much an annual exercise.

Of course, if it did gain acceptance maybe the black hats would simply 
deliver their infections differently.
--
Roland Perry


P2P open source blocking project

2004-02-09 Thread William Warren
For those who want to kill the various p2p programs..there is a 
promising project at the following address:

http://www.lowth.com/p2pwall/ftwall/

William
--
May God Bless you and everything you touch.
My "foundation" verse:
Isaiah 54:17 No weapon that is formed against thee shall prosper; and 
every tongue that shall rise against thee in judgment thou shalt 
condemn. This is the heritage of the servants of the LORD, and their 
righteousness is of me, saith the LORD.


Re: Dumb users spread viruses

2004-02-09 Thread Petri Helenius
Roland Perry wrote:
> It doesn't cost the user any extra to include such a feature in the
> next version of Windows, and in all the Critical Updates downloaded
> starting tomorrow. [Obviously it costs MS something to do the software
> development.]

It does if you provide free support. You get millions of people calling 
asking how to disable the annoying feature that they got when they 
updated the computer. In addition they will tell other people not to 
upgrade because it gets more annoying to use email and the earlier way 
was more convenient.

You missed my point earlier.

Pete



Re: Dumb users spread viruses

2004-02-09 Thread Paul Vixie

> Uneducated users should live with the slowness.  It's protecting the rest of
> the world from their blissful ignorance.

if it protected them or anybody else i'd say you were right, but since it's
a pattern matcher it always takes 2 to 24 hours for a new pattern file to
be developed and distributed after a new worm is released.  why even bother?

> The average Windows user CANNOT BE TRUSTED TO DO THE RIGHT THING because
> they are blindly trusting the (1) operating system's security, and (2)
> non-malicious intent of the things they view or download.
> 
> This is established fact, with oodles of hard-earned stats to back it up.

once you add a particular operating system to the equation i can't disagree
(mostly due to lack of facts i've actually gathered or checked personally.)
however, in the situation you describe, the fault is still with the OS, not
with the end user.  as i said before, if we (the creators and distributors
of the products and services these users depend on) can't make them safe,
then the fault is with us, not with the people using them.

it's as if not knowing how the fuel injectors work on my car could make it
blow up on the freeway.  we'd blame the manufacturer, not the driver, right?


Re: Dumb users spread viruses

2004-02-09 Thread John Payne
Apparently this went out twice.  Apologies for that - the wireless net went 
away before my mail client claimed the smtp transaction finished.


Re: Dumb users spread viruses

2004-02-09 Thread John Payne


--On Sunday, February 8, 2004 10:46 PM + Paul Vixie <[EMAIL PROTECTED]> 
wrote:

> There is nothing wrong with a user who thinks they should not have to know
> how to protect their computer from virus infections.

However, someone attending NANOG should at least have cleaned up slammer 
before connecting to the wireless...



Re: Dumb users spread viruses

2004-02-09 Thread John Payne


--On Sunday, February 8, 2004 10:46 PM + Paul Vixie <[EMAIL PROTECTED]> 
wrote:

> There is nothing wrong with a user who thinks they should not have to know
> how to protect their computer from virus infections.

However, someone attending NANOG should at least have cleaned up slammer 
before connecting to the wireless...



Re: question on ptr rr

2004-02-09 Thread Randy Bush

>> buy a 1U, put it in a colo center (should cost you about $50/month) and
>> proxy all your outbound mail from there.  stop thinking of broadband as
>> anything other than a lastmile protocol between your house and your own
>> piece of the internet core.
> This is darn good advice.

no, it's sorely broken, as it breaks the e2e internet



Applying HD Ratio to all IPv4 allocations

2004-02-09 Thread Michael . Dillon

I'm going to present the following policy change at the ARIN
meeting in April. In a few days I have to submit the exact wording
to ARIN and I'm looking for comments before I do this.
Basically this policy loosens the rigid 80% utilization 
requirement in a progressive fashion to recognize the
inevitable overhead of hierarchy in larger networks.

1. All requests for additional IPv4 address space shall require the 
   efficient utilization of the sum total of all existing allocations 
   including all space reassigned to customers, if any.

2. The HD (Host Density) ratio of the sum total of all previous allocations
   shall be greater than or equal to .966 and the HD ratio of the most
   recent allocation shall be greater than or equal to .930 in order to
   receive additional space.

3. The HD ratio is calculated as log(utilized IPv4 addresses) divided
   by log(total addresses in all previous allocations). In this formula,
   log refers to the natural logarithm.

Rationale:

The HD ratio was proposed as a way to determine allocation usage thresholds
for IPv6 address allocations. For more details on this, please refer to
RFC 3194. There is some detailed background discussion about applying the
HD ratio to IPv4 allocations in a proposal by Paul Wilson posted to the
APNIC mailing list on Aug 7, 2003
http://www.apnic.net/mailing-lists/sig-policy/archive/2003/08/msg0.html
and he presented it to the annual APNIC policy meeting using these slides
http://www.apnic.net/meetings/16/programme/sigs/docs/policy/addpol-pres-wilson-hd-ratio.pdf
I am not suggesting that ARIN should adopt the APNIC proposal, and although
Paul invents a new name for the HD ratio, I prefer to keep the original term.

The basic thrust of this proposal is to replace the rigid 80% usage criterion
by the more flexible HD ratio and to shift the emphasis away from the last
allocated block to include the total allocated address space. To that end,
the .930 criterion for the last block is a lot looser than the existing
requirements for the last block. This is because the utilization threshold
establishes a time buffer between the beginning of an ARIN application for
additional addresses and the final deployment of new addresses in the
operational network. By using a looser criterion as network size grows, we
are also expanding this time buffer. This recognizes that the economy is
more dependent than ever on the smooth running of our networks and we
should not artificially force larger members to operate with virtually
no safety buffers for implementing new addresses. This safety buffer size
is important because larger networks have more involved processes for
changes to their network and these processes take time.

Paul Wilson's paper contains ample discussion of the technical justification
for using the HD ratio. I have proposed that we use the .966 number that he
suggests; I believe there may be valid arguments for reducing this slightly,
perhaps to .960.

---
Michael Dillon
Capacity Planning, Prescot St., London, UK
Mobile: +44 7900 823 672    Internet: [EMAIL PROTECTED]
Phone: +44 20 7650 9493     Fax: +44 20 7650 9030
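The arithmetic behind points 2 and 3 of the proposal, as an added example (not part of Michael's post or of any ARIN tooling): it computes the HD ratio with the natural log as the proposal states, derives the address count a given threshold amounts to for each prefix size, and applies the .966 / .930 test next to the flat 80% rule on the last block. The allocation sizes and utilization counts are constructed.

```python
"""HD ratio arithmetic for the proposed ARIN IPv4 allocation test.

Added example, not part of the proposal: allocation sizes and utilization
figures below are constructed to show how the thresholds compare with 80%.
"""
import math

HD_TOTAL = 0.966   # threshold on the sum of all previous allocations
HD_LAST = 0.930    # threshold on the most recent allocation


def hd_ratio(utilized, total):
    """log(utilized) / log(total) with the natural log, as in the proposal.
    (The base cancels, so any logarithm base gives the same ratio.)"""
    if utilized < 1 or total < 2 or utilized > total:
        raise ValueError("need 1 <= utilized <= total and total >= 2")
    return math.log(utilized) / math.log(total)


def min_utilized(total, threshold=HD_TOTAL):
    """Smallest address count meeting the threshold: solve log(u)/log(t) = h
    for u, i.e. u = t ** h, rounded up to whole addresses."""
    return math.ceil(total ** threshold)


def equivalent_percent(prefix_len, threshold=HD_TOTAL):
    """Utilization percentage the HD threshold amounts to for an IPv4 prefix.
    This is where the 'progressive' loosening shows: the percentage falls
    as the block grows."""
    total = 2 ** (32 - prefix_len)
    return 100.0 * min_utilized(total, threshold) / total


def qualifies(allocations, hd_total=HD_TOTAL, hd_last=HD_LAST):
    """Apply the proposed test.

    allocations: list of (total_addresses, utilized_addresses), oldest
    first; the last entry is the most recent allocation.
    """
    sum_total = sum(t for t, _ in allocations)
    sum_used = sum(u for _, u in allocations)
    last_total, last_used = allocations[-1]
    total_ratio = hd_ratio(sum_used, sum_total)
    last_ratio = hd_ratio(last_used, last_total)
    return {
        "hd_total": total_ratio,
        "hd_last": last_ratio,
        "ok": total_ratio >= hd_total and last_ratio >= hd_last,
    }


def eighty_percent_ok(allocation):
    """The existing flat rule on the most recent block, for comparison."""
    total, used = allocation
    return used / total >= 0.80


if __name__ == "__main__":
    for plen in (24, 20, 16, 12, 8):
        print(f"/{plen}: HD {HD_TOTAL} = {equivalent_percent(plen):.1f}% utilization")
    # Constructed case: two /20s, the newer one only ~71% used.
    example = [(4096, 3300), (4096, 2900)]
    print(qualifies(example))
    print("80% rule on last block:", eighty_percent_ok(example[-1]))
```

Running the comparison loop makes the rationale concrete: at .966 a /20 needs roughly three quarters of its addresses in use, while a /8 needs well under two thirds, which is the widening safety buffer the post argues for. The constructed two-/20 case passes the HD test on both counts yet fails the existing 80% rule on its last block.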



Re: Stopping open proxies and open relays

2004-02-09 Thread William Allen Simpson

Gregh wrote:
> 
> Optus in Australia have taken the line of blocking port 25 to anything at
> all excepting contact with their own servers. Seems to work. Some pissed off
> customers with their own smtp progs etc but my guess is that this would fit
> your bill.
> 
Earthlink and many others have been doing this in the US for a long time. 

But, they don't require any "authorization" in sending, despite that 
being available built-in to NetScape/Mozilla for many years, and they 
don't seem to actually scan their outgoing email for virii and cut off 
the user.

I'm not sure this is the answer.
-- 
William Allen Simpson
Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32


Re: question on ptr rr

2004-02-09 Thread Robert E. Seastrom


[EMAIL PROTECTED] writes:

> We need to add email sending capability to both POP
> and IMAP so that eventually we can all block port 25
> entirely from broadband/dialup edges. 

What's wrong with port 587 (rfc 2476 sec. 3.1) and requiring SMTP AUTH
(rfc 2554), as people have widely deployed today?  The problem is
education; the technology is already widely available and deployed.

> And we need to reinstate the use of SMTP relays in 
> order for smaller ISPs to have access to the core of
> the email system. 

This is obviously some use of the term "need" to which I am heretofore
unaccustomed.

---Rob




RE: Cisco Router best for full BGP on a sub 5K bidget 7500 7200 or other vendor ?

2004-02-09 Thread jlewis

On Sun, 8 Feb 2004, Alexander Hagen wrote:

> Now why is the CX-FEIP-2TX so much cheaper than the PA-2FE-TX ?

I can't say why cisco charges so much for the PA-2FE, but the CX-FEIP-2TX
is cheap because it's ancient (EOL'd some time ago) and probably not
capable of running both ports at line-rate anyway.  Don't buy them unless
you're hooking up very low traffic LANs.  Your best bet is PA-FE's and
enough VIP2-50's for the number of PA-FE's you need.

Also, watch out for PA-2FEISL-TX's.  They're also not capable of handling 
both interfaces at line-rate.  That's why they're available for just a few 
hundred $.

http://www.cisco.com/warp/public/cc/pd/ifaa/ifpz/prodlit/969_pp.htm
 
--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: Dumb users spread viruses

2004-02-09 Thread Roland Perry
In article <[EMAIL PROTECTED]>, Petri Helenius <[EMAIL PROTECTED]> writes
> The users that are the problem anyway will vote for convenience with
> their wallets. If they wouldn't, they would not be buying the systems
> that conveniently allow them to execute and install code in the first
> place. It would be financially suicidal to make a piece of software to
> bother the user.

It doesn't cost the user any extra to include such a feature in the next 
version of Windows, and in all the Critical Updates downloaded starting 
tomorrow. [Obviously it costs MS something to do the software 
development.]
--
Roland Perry


Re: question on ptr rr

2004-02-09 Thread Niels Bakker

* [EMAIL PROTECTED] ([EMAIL PROTECTED]) [Mon 09 Feb 2004, 11:40 CET]:
> Imagine a world in which only ISPs run SMTP servers
> which only talk directly to other servers with which
> they have an offline relationship. A world in which
> everybody hands over their email to an ISP for onward
> delivery in order to get it into the system. A world
> in which it is virtually impossible to send anonymous
> or forged email without the cooperation of an ISP.

Yuck.

(I'm getting flashbacks to a certain Dr. Strangelove scene right now.
 And to some from Brazil, too.)


-- Niels.

-- 
Blessed are the Watchmakers, for they shall inherit the earth.


Re: Stopping open proxies and open relays

2004-02-09 Thread Gregh


- Original Message -
From: "Adi Linden" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, February 07, 2004 3:43 PM
Subject: Stopping open proxies and open relays


>
> I am looking for ideas to stop the spam created by compromised Windows
> PC's. This is not about the various worms and viruses replicating but
> these boxes acting as open relays or open proxies.
>
> There are valid reasons not to run antivirus software, coupled with
> clueless users, this results in machines that SPAM again just a few hours
> after having been cleaned.
>

Optus in Australia have taken the line of blocking port 25 to anything at
all excepting contact with their own servers. Seems to work. Some pissed off
customers with their own smtp progs etc but my guess is that this would fit
your bill.

Greg.



Re: question on ptr rr

2004-02-09 Thread Michael . Dillon

>buy a 1U, put it in a colo center (should cost you about $50/month) and
>proxy all your outbound mail from there.  stop thinking of broadband as
>anything other than a lastmile protocol between your house and your own
>piece of the internet core.

This is darn good advice. And to expand on it further,
it is time to stop thinking of Simple Mail Transport
Protocol (SMTP) as the way for everybody to send email.
For some strange reason we have managed to develop
two protocols for end users to use in talking to their
mail service provider (POP and IMAP) but neither of
them allow the end user to send email. One would think
that an authenticated session with an email service
provider would be the natural protocol to use for
injecting end user email into the system.

Imagine a world in which only ISPs run SMTP servers
which only talk directly to other servers with which
they have an offline relationship. A world in which
everybody hands over their email to an ISP for onward
delivery in order to get it into the system. A world
in which it is virtually impossible to send anonymous
or forged email without the cooperation of an ISP.

To get to this world we have to stop trying to fix 
the SPAM problem. Instead, we have to fix the email
architecture problems which have created the environment
in which SPAM can thrive. A new architecture might
not prevent SPAM but if it makes spamming hard to
do and has rate limits that make it very hard to do
high volumes of unauthorized email then most people
will not care about the small volume of SPAM.

We need to start with an Email Service Consortium with
a code of email server practices in which the larger 
ISPs agree to stop accepting SMTP connections from anyone
who is not in the consortium or a customer. This will get 
everyone implementing a set of well-known and consistent 
controls.

We need to add email sending capability to both POP
and IMAP so that eventually we can all block port 25
entirely from broadband/dialup edges. 

And we need to reinstate the use of SMTP relays in 
order for smaller ISPs to have access to the core of
the email system. 

--Michael Dillon





Re: Stopping open proxies and open relays

2004-02-09 Thread Michael . Dillon

>Force all SMTP outbound connections from users thru a SMTP proxy. On that
>proxy, force users to do SMTP Authentication; I've heard only once of a spam
>code that will use the user's configuration info or dispatch e-mail thru
>them. Even if they do, you can rate-limit messages/hour, unique mail
>to/hour, disable mail service after a threshold, whatever sounds a good
>policy to you.

This is the most sensible message I've read about SPAM in 
a long time. And it is even highly relevant to network
operators who service end users. Now if only we could
come up with something similar for ISP server-to-server
mail transfers then we might actually reduce SPAM to
a dull roar receding into the distance.

--Michael Dillon
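The per-user controls quoted above (messages per hour, unique recipients per hour, disable after a threshold) as an added example of the policy logic an authenticated submission proxy could apply; this is not code from the thread or from any particular MTA, and the limits, usernames and sample traffic are constructed. It keeps a sliding one-hour window per authenticated user, defers a message that would breach either limit, and disables the account after repeated breaches so the abuse desk can look at it:

```python
"""Per-user outbound policy for an authenticated SMTP submission proxy.

Added example, not from the thread: a sliding one-hour window per
authenticated user enforcing a message limit and a distinct-recipient
limit, with lockout after repeated violations. All values are constructed.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 3600


class OutboundMailPolicy:
    def __init__(self, max_msgs_per_hour=100, max_rcpts_per_hour=300,
                 lockout_after=3):
        self.max_msgs = max_msgs_per_hour
        self.max_rcpts = max_rcpts_per_hour
        self.lockout_after = lockout_after
        self.sent = defaultdict(deque)    # user -> deque of (ts, recipients)
        self.strikes = defaultdict(int)   # user -> violations so far
        self.disabled = set()

    def _prune(self, user, now):
        """Drop window entries older than one hour."""
        window = self.sent[user]
        while window and window[0][0] <= now - WINDOW_SECONDS:
            window.popleft()

    def submit(self, user, now, recipients):
        """Decide on one message: 'accepted', 'deferred' or 'disabled'."""
        if user in self.disabled:
            return "disabled"
        self._prune(user, now)
        window = self.sent[user]
        seen = set()
        for _, rcpts in window:
            seen.update(rcpts)
        too_many_msgs = len(window) + 1 > self.max_msgs
        too_many_rcpts = len(seen | set(recipients)) > self.max_rcpts
        if too_many_msgs or too_many_rcpts:
            self.strikes[user] += 1
            if self.strikes[user] >= self.lockout_after:
                self.disabled.add(user)   # hand the account to the abuse desk
                return "disabled"
            return "deferred"             # SMTP 4xx; a real client retries
        window.append((now, frozenset(recipients)))
        return "accepted"


def simulate(policy, events):
    """Run (user, timestamp, recipients) events; return the decisions."""
    return [policy.submit(user, ts, rcpts) for user, ts, rcpts in events]


if __name__ == "__main__":
    policy = OutboundMailPolicy(max_msgs_per_hour=5, max_rcpts_per_hour=8,
                                lockout_after=2)
    burst = [("bob", t, [f"rcpt{t}@example.net"]) for t in range(7)]
    print(simulate(policy, burst))
```

Deferring rather than rejecting matters in practice: a legitimate client that hits the limit will retry after the window slides, while a compromised box hammering the proxy collects strikes and gets disabled.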





Re: Are SW upgrades needed in MPLS core networks?

2004-02-09 Thread Michael . Dillon

>Just to be sure, my point here is not where the effective IPv6 performance
>suits one's needs or not, but whether a router that can forward  Mpps
>of IPv4/MPLS packets can also forward the same amount of IPv6 packets per
>second.

Wouldn't a network with an MPLS core use 6PE to implement
IPv6 rather than routing v6 natively in the core? In that
case wouldn't the forwarding performance of native v6 be
irrelevant?

--Michael Dillon





RE: Cisco Router best for full BGP on a sub 5K bidget 7500 7200 or other vendor ?

2004-02-09 Thread Alexander Hagen

Well this has been quite a stimulating discussion!

It appears the sweet spot would be as follows:

7507 Dual A/C Power ........... ~750
Dual RSP4 with 256 MEM ........ ~900
VIP2-50 with 128 MB RAM ....... ~400

Now this can all be obtained for about 2000.00 perhaps...


The problem is the Fast Ethernet Interfaces

CX-FEIP-2TX  ( 400?)
PA-FE-TX (250)
 

The PA-2FE-TX is about 1600.00- better to get a second PA-FE-TX with
second VIP2-50

Now why is the CX-FEIP-2TX so much cheaper than the PA-2FE-TX ?



Alexander Hagen
Etheric Networks Incorporated, A California Corporation
527 Sixth Street No 371261
Montara CA 94037
Main Line: (650)-728-3375
Direct Line: (650) 728-3086
Cell: (650) 740-0650 (Does not work at our office in Montara)
Home: (Emgcy or weekends) 650-728-5820
fax: (650) 240-1750
http://www.etheric.net

-Original Message-
From: Roldan, Brad [mailto:[EMAIL PROTECTED] 
Sent: Sunday, February 08, 2004 12:40 PM
To: Alexander Hagen
Subject: RE: Cisco Router best for full BGP on a sub 5K bidget 7500 7200
or other vendor ?

Alex,

   I used the RS3000 extensively in a previous life for a Metro E
provider. These are great Layer 2 switches. When it comes to Layer 3
services, Riverstone has been lacking. The last firmware revision I
looked at was in the 9.x series. At that time, routing protocols, such
as BGP, were still evolving in terms of basic support. For instance, at
the time BGP communities were not supported. I don't know how
Riverstone's support for Layer 3 routing has evolved since 9.x.

   Hope this helps.

Brad
--
Covad Communications
2510 Zanker Road
San Jose, CA 95131
+1-408-434-2048
[EMAIL PROTECTED]


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Alexander Hagen
Sent: Saturday, February 07, 2004 5:49 AM
To: [EMAIL PROTECTED]
Subject: RE: Cisco Router best for full BGP on a sub 5K bidget 7500 7200
or other vendor ?



Montara is between Pacifica and Half Moon Bay. 

Everyone has a different perspective - but all valid. However I would
say if you are going to go Cisco - and you have no other BGP gear under
Smartnet - you might look at the 3725 maxed out. It is new and you will
get support and available for 5,000.00 online, equipped with two onboard
Fast Ethernet ports.

You are likely to buy only single FE modules at 350.00 rather than 2FE's
which are hard to find for cheap, and upgrading memory to 256 Megs DRAM
is only an addl 150.00. 

With that said

I found a rather stupid article that gave the Riverstone high marks.

http://www.nwfusion.com/reviews/2003/0714rev.html?page=1

http://research.mwjournal.com/data/jspdetail?id=1025118725_252&type=PROD
&src=mwave&x=841473789

The RS 3000 has 20 gbps non blocking.


I am likely to go with the Riverstone. I think I can get it for under 2K
with 24 10/100 ports, 256 MB of memory, and 20 gbps non blocking
switching fabric.

Although I will likely place a Cisco box behind it (eventually) for
IPSec and the like.
 
Platform Features
Feature-rich Wire-speed Services
* IP routing, unicast, and multicast
* Routing in hardware on each line card
* LSR and LER MPLS support in hardware
* RSVP-TE and LDP label distribution and signaling
* MPLS traffic engineering support
* Security (ACLs, L2 filters)
* Layer 4 application-flow switching and QoS
* Network Address Translation (NAT)
* Hardware-based Rate Limiting
* Jumbo Frame support
* VLANs based on port or protocol
* Server Load Balancing (LSNAT)
Highly Fault Tolerant
* Redundant power supplies (RS 3000)
* Hot-swappable media modules
* Standards-based VRRP
* Layer 2 and 3 redundant protocol support
Extensive Management
* Wire-speed full RMON/RMON2
* SNMP manageable
* SSH
* RADIUS
* TACACS+
* RS-232 (out-of-band management)
* Command Line Interface (CLI)
Interfaces
10/100 Base-TX 100 Base-FX 1000 Base-SX
1000 Base-LX 1000 Base-TX 1000 Base-LH (70Km)
T1/E1 T3/E3 ATM-OC-3c
Up to 4,096 VLANs
Up to 256,000 routes
Up to 20,000 security/access control filters
Up to 512,000 Layer 4 application flows
Up to 256,000 Layer 2 MAC addresses
RS 1000: 12 Gbps non-blocking switching fabric
RS 1000: 4.6 million packets per second routing throughput
RS 3000: 20 Gbps non-blocking switching fabric
RS 3000: 9.5 million packets per second routing throughput
MTBF (predicted) > 200,000 hours
Physical
Dimensions: 3.25" H x 17" W x 18.5" D
(8.25 cm x 43.2 cm x 47 cm)
Weight: 20 lbs. (9.1 kg)
Environmental Specifications
Operating Temp: +0º to +40ºC (32º to 104ºF)
Non-operating Temp: -40º to +70ºC (-40º to 158ºF)
Operating Relative Humidity: 10% to 90% (non-condensing)
Non-operating Relative Humidity: 5% to 95% maximum (non-condensing)
Altitude, Operating and Non-operating: 10,000 ft (3,000 m) maximum
Shock and Vibration:GR63
Power Requirements
AC Input current: 3.0 A - 1.5 A
AC Input voltage: 100 to 240 VAC
AC Frequency: 50 to 60 Hz
DC Input current: 8.0 A
DC Input voltage: -48 to -60 VAC
Agency Standards and Specifications
Safety: Certified UL1950, CSA C22.2 No. 950,
EN60950, IEC950, and 72/73/EEC
El

Re: Dumb users spread viruses

2004-02-09 Thread Petri Helenius
Roland Perry wrote:

> As for this business of "opening" (aka executing etc) files which
> users have been sent. One useful first line of defence would be for
> client software to insist that the name of the sender be typed into a
> box, as some kind of confirmation that the sender was known to the user.

The users that are the problem anyway will vote for convenience with 
their wallets. If they wouldn't, they would not be buying the systems 
that conveniently allow them to execute and install code in the first 
place. It would be financially suicidal to make a piece of software that 
bothers the user.

Pete