Re: DNS cache poisoning attacks -- are they real?

[Florian Weimer]

* Brad Knowles:

 At 1:08 PM +0200 2005-03-29, Florian Weimer wrote:

  BIND accepts non-authoritative answers if their additional section
  looks a bit like a referral.  I don't tink that this check is
  deliberately lax, but stricter checks are simply harder to do on this
  particular code path.

   BIND explicitly assumes that there might be upstream nameservers 
 you may talk to that may be answering from cache.

Really?  I can't get it to work reliably.  Can you share an example
where delegation to a non-authoritative caching resolver works,
without the need for special seeding of the caching resolver?

Your posts to nanog@merit.edu aren't distributed by the mailing list,
BTW.

Re: DNS cache poisoning attacks -- are they real?

[Joe Maimon]

Florian Weimer wrote:
* Joe Maimon:

How do spammers make step 5 succeed?

They delegate www.example.com instead of example.com?

I suspect I am some distance over the cliff here but nevertheless, onward.
I dont get it. That has nothing to do with the registrar, or dodging
forced deactivation of a domain. All it does is make it appear to
anti-spammers that www.example.com nameservers are the seeded resolvers.
Thats not quite the described problem in the URL that chris included.
http://cert.uni-stuttgart.de/archive/bugtraq/2003/09/msg00164.html

Next the spammer goes back to their registry authority and changes their
authoritative name servers to be the recursive name servers they
populated in the last step. Since it appears that registry authorities
no longer validate if a customer has permission to use the name server
they specify (note that this used to be done way back when domain names
were free), the record is quickly updated and users on the Internet are
directed to this populated name server when querying information about
the spammer's domain. The spammer is now free to push out their spam and
if the Internet community decides to attack, the name server being
attacked actually belongs to someone else.

SO if the extent of the problem is that the victim nameserver may become
blocklisted/attacked due to its apparent hosting of a spam URL, than the 
answer is that anti-spammers need to be a whole lot more carefull at 
which nameservers they direct their ire at. Specifically, they need to 
confine that to only certain trustworthy points in the delegation, such 
as delegation for .com. and .co.uk. but not any deeper.

IF the concern is that spammers may try to have their spamsite records
survive example.com termination, thats quite possible to attempt doing
without bothering to directly attempt to seed any other resolvers cache, 
all they need are their trojan pcs to host the domain and to hand out 
NS/A records with very large TTL values.

SURBL and others will helpfully prime the resolvers all over the world.
Its quite possible that going after the DNS for spammers may not/should 
not be the quick fix to abusive spam that people would hope for. If all 
this activity is confined to domain names that they have originally 
registered and paid for and belonged to them, I might find it quite 
reasonable declaring this to be strictly a registrar problem.

And a resolver ought to be able to tell that www.example.com delegation
is lame.

Vonage Hits ISP Resistance

[Fergie (Paul Ferguson)]

Intersting article on ISP issues regarding competitive
VoIP services:

http://www.lightreading.com/document.asp?site=lightreadingdoc_id=71020

- ferg

--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 [EMAIL PROTECTED] or [EMAIL PROTECTED]

Re: T1 vs. T2 [WAS: Apology: [Tier-2 reachability and multihoming]]

[Leo Bicknell]

In a message written on Tue, Mar 29, 2005 at 02:27:56PM -0600, John Dupuy wrote:
 I was looking at it from a route announcement point of view. Transit is 
 where AS A advertises full routes to AS B. Thus, AS B is getting transit 
 from A. Peering is where A  B only advertise their network and, possibly, 
 the networks that stub or purchase transit from them.

This is oversimplistic.  Transit does not have to be full routes.
Don't confuse the business case with the technical configuration.
That is, all combinations of:

{paid,settlement free}-{customer routes only, full routes, no routes,
you leak mine, I leak yours}

exist.  Some are more common than others.  Sometimes multiple
combinations exist between the same two parties.

 It is my understanding that the top ISPs trade transit. They provide full 
 routes to each other without payment, regardless of how or where the route 
 was learned from. They are willing to pass some traffic without 
 compensation because it makes for better connectivity. From an announcement 
 POV they are not peering.

The top of the food chain is a full mesh of customer routes only.
I have never seen anyone at the top of the food chain trade full
routing tables, something that would likely be obvious from time
to time in various outage scenarios.  There is no business case to
provide free transit on that level.  It would be too easily abused.

That's not limited to top ISP's either.  Full tables are not done
on a peering level, ever.  If anything wonky is being done it's
done with selective leaking of routes in one or both directions,
never ever ever with a full table.

-- 
   Leo Bicknell - [EMAIL PROTECTED] - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - [EMAIL PROTECTED], www.tmbg.org


pgp8b8FCskV7P.pgp
Description: PGP signature

MD5 for TCP/BGP Sessions

[Doug Legge]

NANOG,

I'm currently writing a paper for submission, as part of a MSc in Data
Communications, and would appreciate if anyone could update me as to the
implementation of MD5 for TCP authentication in BGP.

Following the alerts last year:
http://www.cisco.com/warp/public/707/cisco-sa-20040616-bgp.shtml
http://www.us-cert.gov/cas/techalerts/TA04-111A.html
http://www.cisco.com/en/US/products/products_security_advisory09186a00803be7
d9.shtml
http://www.foundrynet.com/solutions/security/TCP_Vulnerability_v1_3.pdf
http://www.kb.cert.org/vuls/id/415294
http://isc.sans.org/diary.php?date=2004-04-20

What has been the general effect in the ISP/Enterprise community following
the warnings?
- Have people applied MD5?
- If not what other technologies were implemented (IPSec AH transport mode
for BGP sessions/ACL/rate limiting etc)?
- Has there been any performance impacts seen since implementation?
- Has the support of the BGP environment been increased because of this
implementation (What policies regards changing the MD5 keys were
implemented)?
- Was this seen as a valid fix or a knee-jerk reaction (Having re-read the
exchanges on NANOG regards the actual mathematical probability of generating
this attack, what did the ISP community actually do (compared to what the
academic/vendor community were suggesting)?

Whilst I've had some response from bgp-info and bgp-security, it's not
really been sufficient to draw any real conclusions. From your knowledge and
experience are you aware, either internally or with customers the take up of
MD5 implementations and had anyone actually suffered an attack prior to
implementation


Please do not supply confidential information or anything that would be
commercially sensitive, if you want to contact me off-line or from a private
account please do


Yours

Doug Legge
MDC Student
Kingston University
London /UK

Re: Re: T1 vs. T2 [WAS: Apology: [Tier-2 reachability and multihoming]]

[jmalcolm]

[EMAIL PROTECTED] writes:
Again, I'd be interested in hearing from one of the bigger ones on this: 
UUNet, ATT, Sprint, Level3, QWest If you can't say anything, I 
understand. 

You don't need them to say anything - just look at what they are
advertising. Are they advertising each other's routes? If not, then
they aren't given each other transit.

Re: outage/maintenance window opinion

[Luke Parrish]

The event I stated in my first email was an example, not an actual incident.
I think from the 30+ emails I have received I have had 2 responses that 
said I should start my SLA credits and outage minutes from the beginning of 
the window and the rest that feel the outage minutes start ticking when the 
planned outage was over...

Regarding Change Management procedures, we do have had deadlines for 
backing out, verification, etc etc. But you are right...

luke
At 11:59 AM 3/28/2005, Eric Gauthier wrote:
Heya,
I disagree as this entire event wasn't a planned outage.  The planned part
was what you intended to do and, if its anything like the maintenance reports
that I send and receive, you typically state how long you expect the impact
will be and that it will take place within your maintenance window.  I'd 
argue
that you should start the clock ticking when the outage first happened and
then take off from that whatever you annouced as the impact duration.

For example, if you said that the impact would be a ten-minute outage 
sometime
during your window from 2am to 5am and your outage started at 2am, I'd count
this as an unplanned outage starting from 2:10am.  That's just my $0.02...

On another note, you had a 3 hour window and a 6 hour outage.  It sounds like
someone didn't seriously consider the back out part of your change 
management
planning.  You really should have that as part of your process and have a hard
deadline within the window after which you revert the network to its previous
state.

Eric :)
Luke Parrish
Centurytel Internet Operations
318-330-6661

Re: outage/maintenance window opinion

[Luke Parrish]

In this situation we were expecting to be done for the majority of the 
maintenance window, but yes I see your point. However I block out a 3 hour 
window for maintenance because the activities I am performing on the 
network could easily cause a longer service outage than planned as we all 
know. So if I plan for a 4 hour window but only expect 20 minutes of 
downtime that actually turns into 3 hours, as long as it is inside the 
maintenance window specified then it should not go against outage minutes. 
It was done in the window for a reason...

??
Luke
At 02:05 PM 3/28/2005, Pete Templin wrote:
Luke Parrish wrote:
Trying to get clarification on an issue.
Maintenance/outage window is 2:00AM to 5:00AM, during the window the 
router we are working on fails and does not come back online until 8:00AM.
 From a outage reporting/documentation standpoint is the outage start 
time 2:00AM or 5:01AM since 5:01AM is when the maintenance window and 
planned outage was over...
To a small degree, it depends on how long you anticipated the outage to 
be.  Were you expecting a three-hour tour^h^h^h^houtage, or something 
shorter but opened a big window to give you flexibility on when to do 
it?  I would say that a fifteen-minute expected impact means the outage 
started at 2:15AM (or fifteen minutes after your work interrupted services).

My $0.005,
pt
Luke Parrish
Centurytel Internet Operations
318-330-6661

Re: MD5 for TCP/BGP Sessions

[John Kristoff]

On Wed, 30 Mar 2005 16:50:38 +0100
Doug Legge [EMAIL PROTECTED] wrote:

 What has been the general effect in the ISP/Enterprise community following
 the warnings?
 - Have people applied MD5?

Without question more BGP sessions suddenly became 'MD5-enabled'
across the net.  It has been debated whether this was a necessary
or even if it was a good thing.  You should find some references,
including some on this list where BGP peer sessions were being
reconfigured with MD5 applied during the last TCP sequence number
scare.

 - If not what other technologies were implemented (IPSec AH transport mode
 for BGP sessions/ACL/rate limiting etc)?

I don't know of any widespread use of IPsec for BGP sessions even
after that last round of alerts, but I am sure some exists.  I
would be interested in hearing from those that have implemented it
in production.

ACLs are often used, but vary widely depending on organization.
It can be difficult to manage ACLs on a box with a large number
of peers that uses many local BGP peering addresses.  I'm sure
some organizations reviewed and updated their ACLs as a result
of the last scare, but that is a local, private decision and it
would probably be hard to get good sample of who and what changed.

 - Has there been any performance impacts seen since implementation?

Not real world cases that I've heard, but I believe a number of
sites prefer not implement MD5 in part because of the potential
performance/DoS issues with it enabled.

 - Has the support of the BGP environment been increased because of this
 implementation (What policies regards changing the MD5 keys were
 implemented)?

Not in my case.  We use a simple algorithm to come up with the shared
secret, then document it in our peering contact database, which is in
a secure, internal location that we can reference if we ever need it.
In our case it is just relatively simple additional step when
configuring or reconfiguring a BGP session.  Although I have seen some
compatibility issues between platforms.  For example, relatively long
length passphrases were not properly supported.

In my experience, I haven't seen much practice of changing MD5 keys
on BGP sessions except when an organization makes major changes or
hasn't kept a record of the shared secret during changes.  That is
probably the most common time it will get changed.  I suppose some
organizations may change it when employees who knew it leave the
organization, but I've not seen much evidence of that.

 - Was this seen as a valid fix or a knee-jerk reaction (Having re-read the
 exchanges on NANOG regards the actual mathematical probability of generating
 this attack, what did the ISP community actually do (compared to what the
 academic/vendor community were suggesting)?

I think that has probably been discussed enough already and will
probably be again now so I'll leave it to others to re-hash that.

Do note that at least a two specific and related solutions have
appeared in the last few years.  One is the Generalized TTL Security
Mechanism (GTSM) as defined in RFC 3682.  It was originally written
with BGP in mind, but is also useful for things like MSDP peering.
See the RFC for details and why this might be used on BGP sessions.
Another is smooth transition between shared secret changes or when
applying authentication where none existed.  I don't have references
handy, but I seem to recall this was still vendor-specific and not
fully implemented.  Perhaps others will step in with updated info.

MD5 can mitigate a risk, but it can come with some operational
costs.  Some operators prefer one side of the risk equation over
the other.  Some place a higher weight on one side of the equation
than the other depending on the organization and the network.  In
my experience most will do MD5 if asked and only a small number
would actually refuse.

 Whilst I've had some response from bgp-info and bgp-security, it's not
 really been sufficient to draw any real conclusions. From your knowledge and
 experience are you aware, either internally or with customers the take up of
 MD5 implementations and had anyone actually suffered an attack prior to
 implementation

Not that I'm aware of, but I've almost always used it and other
knobs when I could so maybe I just didn't notice?

John

drone armies CC report - March/2005

[Gadi Evron]

Below is a periodic public report from the drone armies / botnets
research and mitigation mailing list.
For this report it should be noted that we base our analysis on the data
we have accumulated from various sources.
According to our incomplete analysis of information we have thus far, we
now publish two reports.
The ISP's that are most often plagued with botnet CC's (command 
control) are, by the order listed:
--
Top 13 with open non-resolved suspect CCs
ASN Responsible Party   Unique IPs  Open-unresolved
21840   SAGONET-TPA - Sago Networks 31-40  11-15
25761   STAMINUS-COMM - Staminus Commu  16-20  11-15
27595   ATRIVO-AS - Atrivo  6-10   6-10
27654   ASN-NA-MSG-01 - Managed Soluti  6-10   3-5
17676   JPNIC-JP-ASN-BLOCK Japan Netwo  6-10   3-5
16625   LEASEWEB LEASEWEB AS3-5   3-5
4713OCN NTT Communications Corpora  6-10   3-5
8551BEZEQ-INTERNATIONAL-AS Bezeqin  3-5   3-5
13749   EVERYONES-INTERNET - Everyones  3-5   3-5
4766KIXS-AS-KR Korea Telecom6-10   3-5
21788   NOC - Network Operations Cente  6-10   3-5
13301   UNITEDCOLO-AS Autonomous Syste  3-5   3-5
6517YIPESCOM - Yipes Communication  6-10   3-5
Top 10 frequently listed without regard to state
ASN Responsible Party   Unique IPs
21840   SAGONET-TPA - Sago Networks 31-40
25761   STAMINUS-COMM - Staminus Commu  16-20
{10913,13790,19024,14744}   INTERNAP Internap   11-15
{13884,21844}   THEPLANET-AS - THE PLANET   11-15
27654   ASN-NA-MSG-01 - Managed Soluti  6-10
4766KIXS-AS-KR Korea Telecom6-10
4713OCN NTT Communications Corpora  6-10
17676   JPNIC-JP-ASN-BLOCK Japan Netwo  6-10
3356LEVEL3 Level 3 Communications   6-10
Unresolved open IPs for top 10.
ASN Responsible Party   Open-unresolved.
21840   SAGONET-TPA - Sago Networks 11-15
25761   STAMINUS-COMM - Staminus Commu  6-10
{10913,13790,19024,14744}   INTERNAP Internap   1-3
{13884,21844}   THEPLANET-AS - THE PLANET   1-3
27654   ASN-NA-MSG-01 - Managed Soluti  3-5
4766KIXS-AS-KR Korea Telecom3-5
4713OCN NTT Communications Corpora  3-5
17676   JPNIC-JP-ASN-BLOCK Japan Netwo  3-5
3356LEVEL3 Level 3 Communications   1-3
* We would gladly like to establish a trusted relationship with
  these and any organizations to help them in the future.
* We would especially like to note the serious and prompt response by
  PNAP, as well as the serious efforts made by The Planet.
* By previous requests here is an explanation of what ASN is, by Joe
  St Sauver:
  http://darkwing.uoregon.edu/~joe/one-pager-asn.pdf
* Clarification: the definition of count is how many CC servers are
  located at said AS. We replaced it to be called Unique IPs and
  Open-unresolved accordingly.
The Trojan horses most used in botnets:
---
1. Korgobot.
2. SpyBot.
3. Optix Pro.
4. rBot.
5. Other SpyBot variants and strains (AgoBot, PhatBot, actual SDbots,
   etc.).
* There seems to be an increase in Energymechs used for botnets running
  on *nix machines.
--
Gadi Evron,
Information Security Manager, Project Tehila -
Israeli Government Internet Security.
Ministry of Finance, Israel.
[EMAIL PROTECTED]
[EMAIL PROTECTED]
Office: +972-2-5317890
Fax: +972-2-5317801
http://www.tehila.gov.il
The opinions, views, facts or anything else expressed in this email
message are not necessarily those of the Israeli Government.

Re: Vonage Hits ISP Resistance

[Greg Boehnlein]

On Wed, 30 Mar 2005, Fergie (Paul Ferguson) wrote:
 
 Intersting article on ISP issues regarding competitive
 VoIP services:
 
 http://www.lightreading.com/document.asp?site=lightreadingdoc_id=71020

Hmm.. I was quoted in it.

-- 
Vice President of N2Net, a New Age Consulting Service, Inc. Company
 http://www.n2net.net Where everything clicks into place!
 KP-216-121-ST

Is everyone ready for April 12?

[Hank Nussbacher]

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2aumng.mspx
Should be a very interesting period of April 12-15 :-)
-Hank

Re: Intradomain DNS Anycast revisited

[Bill Woodcock]

  On Fri, 25 Mar 2005, Joe Shen wrote:
 Do you mean Quagga's OSPF route has higher priority
 than static route?  or even there is static default
 route configured, once Quagga detects link to default
 router is down it will replace  0.0.0.0/0.0.0.0  in
 host routing table?

If you're using dynamic routing (whether it be OSPF or iBGP) to distribute 
default routes for fail-over, yes, you need to make sure that any statics 
you also have are at lower priority.  One way of playing it safe would be 
to not have static _defaults_, but to only have static routes to your 
internal management networks.

  Nope, no problem, particularly so long as the two
  routers are iBGP peers, 
  so they'll both (for the most part) have the same
  idea of what selected 
  paths are.
 
 I don't understand why should both routers be iBGP
 peers.  In fact, iBGP does not run on that two
 routers; the two routers are only members of  OSPF
 backbone area who only run OSPF; only  border router (
 at the edge of our network) runs BGP and enject
 default route into OSPF backbone area. 

Ah, you're correct, there's no requirement for the routers to be iBGP 
peers or to run BGP at all...  If you're doing this principally as an 
intranet thing, you might not have any BGP speakers nearby, or any need 
for BGP.  I've usually done it as a service provider, which meant that the 
point was to have the servers as close to the rest of the world as 
possible, which means directly adjacent to an AS-edge BGP speaker.  But 
you're quite right.

 if that possible that router3 or router-1 dispers
 packets of the same TCP connection to different path? 

Depends upon the equal-cost-path load-balancing algorithm that the routers 
are using.  You want to select a source-destination-hash one, to avoid 
that issue.

 Is there possibility that a DNS requests are divided
 into multiple UDP packets?

No.  Not unless they hit an undetected MTU below 576 bytes, or whatever it 
is...  Any DNS packet which can't fit inside a single UDP packet is 
supposed to be sent via TCP instead.  Note that I'm a network guy, not a 
DNS guy, so this is possibly an oversimplification.

 Do I only need to configure BIND to origin request
 from administration IP address ( configured on NIC and
 different from DNS service address)?

You mean for requests that the anycast server is making of other servers?  
If it needs to originate a zone transfer, or perform recursive lookups?  
Yes, those need to originate from the unique/administration address, as 
opposed to the shared/service address.

-Bill

[bill.st.arnaud@canarie.ca: [CAnet - news] A new vision for the future of the Internet]

[k claffy]

- Forwarded message from Bill St.Arnaud [EMAIL PROTECTED] -

  Date: Wed, 30 Mar 2005 15:27:53 -0500
  From: Bill St.Arnaud [EMAIL PROTECTED]
  Subject: [CAnet - news] A new vision for the future of the Internet
  To: [EMAIL PROTECTED]
  X-Mailer: Microsoft Outlook, Build 10.0.6626
  
  Making the world (of communications) a different place
  Report of a working session of the End-to-End Research Group
  For more information on this item please visit the CANARIE CA*net 4 Optical
  Internet program web site at http://www.canarie.ca/canet4/library/list.html
  ---
  
  http://www.ir.bbn.com/~craig/e2e-vision.pdf
  
  January, 2005
  Version 4 3/24/05
  This version for preliminary release
  
  David D. Clark, Craig Partridge, Robert T. Braden (chair), Bruce Davie
  Sally Floyd, Van Jacobson, Dina Katabi, Greg Minshall,
  K.K. Ramakrishnan, Timothy Roscoe, Ion Stoica,
  John Wroclawski and Lixia Zhang
  
  This report is the product of a discussion held at the January 2005 meeting
  of the End-to-End Research Group, which is part of the Internet Research
  Task Force. The challenge presented to the group for this discussion was the
  following:
  
  How might the computing and communications world be materially different in
  10 to 15 years, and how might we define a research agenda that would get us
  to that world?
  
  There were a number of motivations for this discussion. The Internet itself
  arose because of a visionary answer to a question such as this one. Through
  an alignment of visionary leaders, the research community, and funding
  agencies, there was a coherent, long-term effort to build a running
  prototype of a major new communications system. That effort led to a number
  of new research results; results that substantially expanded and changed
  our understanding of the communications field.
  
  The networking field does not have a shared vision of the future today.
  Perhaps as a result, much of the research we see today lacks a motivation to
  deepen or broaden our understanding of communications. Much of today's
  research is felt to be incremental (in the sense of least publishable
  increment) and lacking a long-term motivation.
  
  At the same time, the United States' National Science Foundation is
  interested in hearing about important focus areas that they might fund.
  While focus areas are some steps short of a shared vision, we thought that a
  discussion of visions of the future would help refine what the focus areas
  might be, and could even be a vehicle to bring the research community to a
  common objective.
  
  In this context, the participants at the meeting speculated about possible
  visions of the future, and whether the time was right for a focused research
  push to move us toward that future. The next several sections talk about
  some of the visions. The report concludes with some thoughts about
  directions we might take.
  
  []
  
  -
  To SUBSCRIBE:
  send a blank e-mail message to
  [EMAIL PROTECTED]
  
  To UNSUBSCRIBE:
  send a blank email message to
  [EMAIL PROTECTED]
  -
  
  These news items and comments are mine alone and do not necessarily reflect
  those  of the CANARIE board or management.
  
  ---
  [EMAIL PROTECTED]
  
  
  ___
  news mailing list
  [EMAIL PROTECTED]
  http://lists.canarie.ca/mailman/listinfo/news

- End forwarded message -

RE: outage/maintenance window opinion

[Howard, W. Lee]

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Luke Parrish
 Sent: Wednesday, March 30, 2005 11:29 AM
 To: Pete Templin
 Cc: [EMAIL PROTECTED]
 Subject: Re: outage/maintenance window opinion
 
 
 
 In this situation we were expecting to be done for the 
 majority of the 
 maintenance window, but yes I see your point. However I block 
 out a 3 hour 
 window for maintenance because the activities I am performing on the 
 network could easily cause a longer service outage than 
 planned as we all 
 know. So if I plan for a 4 hour window but only expect 20 minutes of 
 downtime that actually turns into 3 hours, as long as it is 
 inside the 
 maintenance window specified then it should not go against 
 outage minutes. 
 It was done in the window for a reason...
 
 ??
 Luke

I'd agree that as long as it's back up before the end of the window,
you're covered.  However, if the outage extends beyond the end of the
window, I would take the the position that made me look worst.  That
shows how seriously you take your maintenance window, and I think this
kind of integrity gives you credibility later.

Lee


 
 
 At 02:05 PM 3/28/2005, Pete Templin wrote:
 Luke Parrish wrote:
 Trying to get clarification on an issue.
 Maintenance/outage window is 2:00AM to 5:00AM, during the window the
 router we are working on fails and does not come back 
 online until 8:00AM.
   From a outage reporting/documentation standpoint is the 
 outage start 
  time 2:00AM or 5:01AM since 5:01AM is when the maintenance 
 window and 
  planned outage was over...
 
 To a small degree, it depends on how long you anticipated 
 the outage to
 be.  Were you expecting a three-hour tour^h^h^h^houtage, or 
 something 
 shorter but opened a big window to give you flexibility on 
 when to do 
 it?  I would say that a fifteen-minute expected impact means 
 the outage 
 started at 2:15AM (or fifteen minutes after your work 
 interrupted services).
 
 My $0.005,
 
 pt
 
 Luke Parrish
 Centurytel Internet Operations
 318-330-6661
 

Re: MD5 for TCP/BGP Sessions

[Pekka Savola]

On Wed, 30 Mar 2005, John Kristoff wrote:
[on bgp/md5 and acl's]
ACLs are often used, but vary widely depending on organization.
It can be difficult to manage ACLs on a box with a large number
of peers that uses many local BGP peering addresses.  I'm sure
some organizations reviewed and updated their ACLs as a result
of the last scare, but that is a local, private decision and it
would probably be hard to get good sample of who and what changed.
I would be double careful here, just to make sure everybody 
understands what you're protecting.

iBGP sessions?  ACLs are trivial if you have your borders secured.
eBGP sessions?  GTSM is your friend (if supported).  Practically, if 
you know your peer and you also protect your borders, ACLs are rather 
trivial as well.

What you seem to be saying is using ACLs to enumerate the valid 
endpoints for eBGP sessions.  That goes further than the above but 
indeed is also a pain to set up and maintain.

There are other attacks you can make against TCP sessions (protected 
by MD5 or not) using ICMP, though. (see 
draft-gont-tcpm-icmp-attacks-03.txt).

--
Pekka Savola You each name yourselves king, yet the
Netcore Oykingdom bleeds.
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

RE: Clearwire May Block VoIP Competitors

[Howard, W. Lee]

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Robert Bonomi
 Sent: Monday, March 28, 2005 7:05 AM
 To: nanog@merit.edu
 Subject: Re: Clearwire May Block VoIP Competitors
 
 
 Dunno where you got the 'more than 2 subscribers' bit as 
 defining over- subscribed.  Unless you 
 mis-read/mis-interpreted my remark about 50% 
 utilization for VoIP data.   Active VoIP transmission is 
 about 80kbps.

Depends on the codec.  Yes, most people default to G.711, but
my experience with G.729 and header compression has been good,
and closer to 12Kbps.

I definitely agree that it's much more symmetrical than web
traffic, and could therefore mess with someone's capacity
planning.  Denying traffic that doesn't conform to your engineering
is one response.  Re-engineering is another.  Do what you will
with your network, I know what I'd do with mine.

Lee

Re: Vonage Hits ISP Resistance

[Greg Boehnlein]

On Thu, 31 Mar 2005, Adrian Chadd wrote:

 
 On Wed, Mar 30, 2005, Greg Boehnlein wrote:
 
  That is fairly entertaining. Perhaps you could provide the financial 
  breakdown for ANY DSL business model that doesn't rely on 
  over-subscription?
  
  Q. How many, full-on 6 Meg DSL subscribers can you put on a 45 meg ATM 
  connection without oversubscription? ;)
 
 A. Depends on how many local services they're using. :)

Hehehe... full-on means full capacity. Could be one service, but 6 megs is 
6 megs! ;)

-- 
Vice President of N2Net, a New Age Consulting Service, Inc. Company
 http://www.n2net.net Where everything clicks into place!
 KP-216-121-ST

Re: Vonage Hits ISP Resistance

[Adrian Chadd]

On Wed, Mar 30, 2005, Greg Boehnlein wrote:

   Q. How many, full-on 6 Meg DSL subscribers can you put on a 45 meg ATM 
   connection without oversubscription? ;)
  
  A. Depends on how many local services they're using. :)
 
 Hehehe... full-on means full capacity. Could be one service, but 6 megs is 
 6 megs! ;)

Ah, if you were referring to a 45meg ATM connection to the DSL cloud,
sure, I get it. But heck, even Australian ISPs have bigger ATM connections
to Telstra for onselling ADSL.




Adrian

-- 
Adrian ChaddTo believe with certainty we must first
[EMAIL PROTECTED] begin by doubting.

Re: Vonage Hits ISP Resistance

[Adrian Chadd]

On Wed, Mar 30, 2005, Greg Boehnlein wrote:

 That is fairly entertaining. Perhaps you could provide the financial 
 breakdown for ANY DSL business model that doesn't rely on 
 over-subscription?
 
 Q. How many, full-on 6 Meg DSL subscribers can you put on a 45 meg ATM 
 connection without oversubscription? ;)

A. Depends on how many local services they're using. :)





adrian

-- 
Adrian ChaddTo believe with certainty we must first
[EMAIL PROTECTED] begin by doubting.

Re: Clearwire May Block VoIP Competitors

[John Osmon]

On Wed, Mar 30, 2005 at 07:05:44PM -0500, Jared Mauch wrote:
[...]
   I think one of the major problems is that very few people know
 how to, or are capable of sending larger g711 frames (at increased
 delay, but more data per packet) because they can't set these more granular
 settings on their systems.. this means you have a lot higher pps
 rates which I think is the problem with the radio gear, it's just not
 designed for high pps rates..

So, how are the WISP folk dealing with VOIP traffic as it becomes a
larger piece of their customer's traffic?  Does anyone have a way
to force a given VOIP endpoint to use larger data frames?  Or are
the WISPs forced to deal with with a shredded business plan because
their gear is optimized for large packets?  (Or am I simply
missing something?)

Or do you write a TOS that says: Customer is not allowed to send and
receive lots of small packets quickly?  :-)

Re: Vonage Hits ISP Resistance

[Chris Adams]

Once upon a time, Eric A. Hall [EMAIL PROTECTED] said:
 Do you also block NNTP so that customers have to use your servers?

Change that to SMTP and you'll get a bunch of yes answers.  Why is one
right and the other wrong?
-- 
Chris Adams [EMAIL PROTECTED]
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

Re: Vonage Hits ISP Resistance

[Jamie Norwood]

On Wed, 30 Mar 2005 21:36:19 -0600, Chris Adams [EMAIL PROTECTED] wrote:
 
 Once upon a time, Eric A. Hall [EMAIL PROTECTED] said:
  Do you also block NNTP so that customers have to use your servers?
 
 Change that to SMTP and you'll get a bunch of yes answers.  Why is one
 right and the other wrong?

Heard of a little thing called 'spam'?

Jamie

 --
 Chris Adams [EMAIL PROTECTED]
 Systems and Network Administrator - HiWAAY Internet Services
 I don't speak for anybody but myself - that's enough trouble.

Re: Vonage Hits ISP Resistance

[Bill Nash]

On Thu, 31 Mar 2005, Jamie Norwood wrote:
On Wed, 30 Mar 2005 21:36:19 -0600, Chris Adams [EMAIL PROTECTED] wrote:
Once upon a time, Eric A. Hall [EMAIL PROTECTED] said:
Do you also block NNTP so that customers have to use your servers?
Change that to SMTP and you'll get a bunch of yes answers.  Why is one
right and the other wrong?
Heard of a little thing called 'spam'?
SMTP and NNTP are an apples / oranges comparison. Email is well nigh 
ubiquitous, when people think about the Internet. NNTP, like IRC, is a 
niche subset compared to HTTP, SMTP, and IM.

The long and short, is that popular services will remain largely 
unregulated, by ISPs or by government, until it's clear that they're being 
abused. Many ISPs did this with NNTP before they did it with SMTP, largely 
with the advent of higher speed connections facilitating shorter 
turnaround on warez traffic. Once spam took off, same deal.

If ISPs can't play nice with third party service providers, I predict 
things will get ugly. Regulators are already sniffing around, both locally 
and internationally. VOIP is quickly becoming a hot item, and 
anti-competitive tactics that limit or remove the consumers choices are 
going to be blood in the water for politicos looking for something to gnaw 
on.

Obviously VOIP needs QoS to function well on oversold, commodity broadband 
networks. Why not just paint VOIP with a broad QoS brush (as in, 
prioritize all of it, not just your own service) and defang the folks just 
looking for an excuse to step in and take the option away from you?

- billn

APRICOT 2006 withdrawn from Bangalore, India - moves to Perth

[Suresh Ramasubramanian]

 Original Message 
Subject: [APRICOT-INFO] APRICOT 2006 News!
Date: Thu, 31 Mar 2005 13:59:07 +1000
From: Philip Smith [EMAIL PROTECTED]

(apologies for duplicates)

Dear Colleagues,

Due to unforeseen circumstances the APIA Board has reluctantly agreed to 
set aside the award of APRICOT to Bangalore, India for 2006.

APRICOT 2006 now will be held in Perth, Australia from Wednesday 22nd 
February to Friday 3rd March 2006. The host organisation for APRICOT 
2006 will be the Western Australian Internet Association (WAIA), the 
runner up bid for APRICOT 2006. The venue will be the Perth Convention 
and Exhibition Centre.

More information will be on the website for APRICOT 2006, 
www.2006.apricot.net, which will be available shortly.

best wishes!

Philip Smith
Secretary, APIA Board
___
Apricot-info mailing list
[EMAIL PROTECTED]
http://mailman.apnic.net/mailman/listinfo/apricot-info

Re: DNS cache poisoning attacks -- are they real?

[John Payne]

On Mar 29, 2005, at 5:37 AM, Simon Waters wrote:
The answers from a recursive servers won't be marked authoritative (AA 
bit not
set), and so correct behaviour is to discard (BIND will log a lame 
server
message as well by default) these records.
As others have pointed out, BT
If your recursive resolver doesn't discard these records, suggest you 
get one
that works ;)
Yeah, problem is, it ain't my recursive resolver that's the problem... 
I don't actually follow links in spam (shock, horror), just pointing 
out the problem.

AOL's brains on the floor?

[Michael Loftis]

Anyone else confirm?  Looks like AIM, www.aol.com...maybe more, are all 
down form various POPs here.

Re: AOL's brains on the floor?

[Michael Loftis]

OK got quite a few confirmations of their IM services being out and one or 
two others who noticed www.aol.com being out.

Noticed a few complaints about mail server issues at another site I admin, 
but all from AOL subscribers, and it's cleared up now except for IM 
services.

Thanks for the feedback folks, nice to know I'm not entirely insane.

Contact from ACM?

[Mark Newton]

I need to talk to someone who can update the bogon filters on www.acm.org.
Attempts to reach technical contacts via the website have failed, which
is a bit surprising given the nature of the org.

If anyone reading this is an ACM member who can pass this message along
to someone who cares I'd appreciate it.

Thanks,

  - mark

--
Mark Newton   Email:  [EMAIL PROTECTED] (W)
Network Engineer  Email:  [EMAIL PROTECTED]  (H)
Internode Systems Pty Ltd Desk:   +61-8-82282999
Network Man - Anagram of Mark Newton  Mobile: +61-416-202-223

Re: MD5 for TCP/BGP Sessions

[Christopher L. Morrow]

On Wed, 30 Mar 2005, vijay gill wrote:

 Christopher L. Morrow wrote:
 
  provided your gear supports it an acl (this is one reason layered acls
  would be nice on routers) per peer with:
  permit /30 eq 179 /30
  permit /30 /30 eq 179
  deny all-network-gear-ip-space (some folks call it backbone ip space, Paul
  Quinn at cisco says: Infrastructure ip space)
 
  no more traffic to the peer except BGP from the peer /30. No more ping, no
  more traceroute of interface... (downsides perhaps?) and the 'customer'
  can still DoS himself :( (or his compromised machine can DoS him)
 

 or forge the source ip on the neighbors /30 or /31 (why aren't you using
 /31s anyway) and call it done.

curse you and your new-fangled /31's! :) Yes, someone inside the customer
could dos the customer... if the customer cared, they could acl their side
as well though since they aren't doing egress filtering I'm betting they
aren't going to do this either ;(

-Chris

Re: Vonage Hits ISP Resistance

[Owen DeLong]

--On Wednesday, March 30, 2005 21:36 -0600 Chris Adams [EMAIL PROTECTED] 
wrote:

Once upon a time, Eric A. Hall [EMAIL PROTECTED] said:
Do you also block NNTP so that customers have to use your servers?
Change that to SMTP and you'll get a bunch of yes answers.  Why is one
right and the other wrong?
Because by and large ISPs would rather not block SMTP, but, they basically
have to to try and prevent massive DDOS.  NNTP is not so widely abused
as SMTP.  Also, I would not patronize an ISP where the SMTP block was not
optional, and, I encourage any of my consulting customers who encounter this
and are unable to get their ISP to remove the block for them to find another
ISP.
Owen

--
If this message was not signed with gpg key 0FE2AA3D, it's probably
a forgery.


pgp3YozVCC4GV.pgp
Description: PGP signature

Re: MD5 for TCP/BGP Sessions

[Pekka Savola]

On Thu, 31 Mar 2005, Stephen J. Wilcox wrote:
without wishing to repeat what can be googled for.. putting acls on your edge to
protect your ebgp sessions wont work for obvious reasons -- to spoof data and
disrupt a session you have to spoof the srcip which of course the acl will allow
in
This is why this helps for eBGP sessions only the peer is also 
protecting its borders. I.e., if you know the peer's network has 
spoofing-prevention enabled, nobody is able to spoof the srcip the 
peer uses.

--
Pekka Savola You each name yourselves king, yet the
Netcore Oykingdom bleeds.
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

Re: Contact from ACM?

[Vicky Rode]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi Mark,
You are not alone. I've had problems even as a member :-)
I'll try and ping someone there and see what I can do.
Feel free to contact me directly if need be.
regards,
/virendra
Mark Newton wrote:
| I need to talk to someone who can update the bogon filters on www.acm.org.
| Attempts to reach technical contacts via the website have failed, which
| is a bit surprising given the nature of the org.
|
| If anyone reading this is an ACM member who can pass this message along
| to someone who cares I'd appreciate it.
|
| Thanks,
|
|   - mark
|
| --
| Mark Newton   Email:
[EMAIL PROTECTED] (W)
| Network Engineer  Email:
[EMAIL PROTECTED]  (H)
| Internode Systems Pty Ltd Desk:   +61-8-82282999
| Network Man - Anagram of Mark Newton  Mobile: +61-416-202-223
|
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFCS5e4pbZvCIJx1bcRAsAYAKCN6n2N+sKOzgHQetns9brTgW45ngCeIJk2
oGn49qTY90KMFdTaEdRe12M=
=dg//
-END PGP SIGNATURE-

Re: Vonage Hits ISP Resistance

[Alexei Roudnev]

 On Wed, 30 Mar 2005 21:36:19 -0600, Chris Adams [EMAIL PROTECTED]
wrote:
 
  Once upon a time, Eric A. Hall [EMAIL PROTECTED] said:
   Do you also block NNTP so that customers have to use your servers?
 
  Change that to SMTP and you'll get a bunch of yes answers.  Why is one
  right and the other wrong?

 Heard of a little thing called 'spam'?

So what? You can use your car as a weapon; should we prohibit you from car
driving?


 Jamie

  --
  Chris Adams [EMAIL PROTECTED]
  Systems and Network Administrator - HiWAAY Internet Services
  I don't speak for anybody but myself - that's enough trouble.

Re: Vonage Hits ISP Resistance

[Jamie Norwood]

On Wed, 30 Mar 2005 22:33:49 -0800, Alexei Roudnev [EMAIL PROTECTED] wrote:
 
  Heard of a little thing called 'spam'?
 
 So what? You can use your car as a weapon; should we prohibit you from car
 driving?

No, but if your car doesn't have seat belts, we don't let you drive
it. Basic SMTP lacks safety features that are needed, ergo,
retrictions were placed on it.

As was mentioned, my point was just that the question posited was
flawed. SMTP isn't restricted for competition and money-making
reasons, but because to not restrict it can have quite undesired
implications. The question was why was one ok, and the other not. The
answer is because of spam.

Jamie

Re: Vonage Hits ISP Resistance

[Steve Gibbard]

On Thu, 31 Mar 2005, Jamie Norwood wrote:
On Wed, 30 Mar 2005 22:33:49 -0800, Alexei Roudnev [EMAIL PROTECTED] wrote:

Heard of a little thing called 'spam'?
So what? You can use your car as a weapon; should we prohibit you from car
driving?
No, but if your car doesn't have seat belts, we don't let you drive
it. Basic SMTP lacks safety features that are needed, ergo,
retrictions were placed on it.
As was mentioned, my point was just that the question posited was
flawed. SMTP isn't restricted for competition and money-making
reasons, but because to not restrict it can have quite undesired
implications. The question was why was one ok, and the other not. The
answer is because of spam.
Ah NANOG, where people ask rhetorical questions and get answers...
It seems a bit simplistic (and misses the point of the original rhetorical 
question) to say that it's common to block the SMTP port because of 
spam.  Having been involved in weighing that business decision a few 
times, it's tended to be more a matter of balancing the direct and 
indirect effects of being a spam source on an ISP's operations (lots of 
staff time dealing with spam complaints, bad reputations, ending up on 
blackhole lists) with the effects of turning off a service some customers 
find useful.  In general, the people who will be upset by an ISP not 
blocking outbound spam are not the ISP's customers, while those upset 
about the ISP blocking legitimate outbound SMTP are.  But ISPs sometimes 
decide they can't afford to make the customers who want outbound SMTP 
happy.

That's why the rhetorical question asked earlier made some sense.  ISPs 
aren't going to be blocking VOIP because of spam, at least not until 
they start getting bombarded with complaints about their customers using 
VOIP services for automated telemarketing.  But they may block it because 
they think the benefits of blocking it (reducing traffic, keeping VOIP 
business to themselves) outweigh the costs of customers getting annoyed. 
If it's ok to block SMTP for that reason, why not VOIP, or why not the 
web?

I'll note again that these are rhetorical questions.  They don't need to 
be answered.

Personally, if the colo provider who hosts my mail server were to block 
outbound SMTP, the service would become pretty useless to me and I'd have 
to take my (non-paying) business elsewhere.  If my GPRS provider were to 
block it, I probably wouldn't notice.  Likewise, if the colo provider 
blocked VOIP, I probably wouldn't notice, but if my DSL provider did, it 
would be a problem.

An ISP who blocks VOIP is going to have some customers get upset, just 
like an ISP that blocks outbound SMTP.  They may even lose some business. 
But will they lose enough business to offset whatever gain they think 
they're getting?  I think I can guess the answer, but actual numbers from 
those who've tried it would be far more interesting than the speculation 
we've been seeing here.

-Steve

Re: MD5 for TCP/BGP Sessions

[Stephen J. Wilcox]

without wishing to repeat what can be googled for.. putting acls on your edge 
to 
protect your ebgp sessions wont work for obvious reasons -- to spoof data and 
disrupt a session you have to spoof the srcip which of course the acl will 
allow 
in

Steve

On Thu, 31 Mar 2005, Pekka Savola wrote:

 
 On Wed, 30 Mar 2005, John Kristoff wrote:
 [on bgp/md5 and acl's]
  ACLs are often used, but vary widely depending on organization.
  It can be difficult to manage ACLs on a box with a large number
  of peers that uses many local BGP peering addresses.  I'm sure
  some organizations reviewed and updated their ACLs as a result
  of the last scare, but that is a local, private decision and it
  would probably be hard to get good sample of who and what changed.
 
 I would be double careful here, just to make sure everybody 
 understands what you're protecting.
 
 iBGP sessions?  ACLs are trivial if you have your borders secured.
 
 eBGP sessions?  GTSM is your friend (if supported).  Practically, if 
 you know your peer and you also protect your borders, ACLs are rather 
 trivial as well.
 
 What you seem to be saying is using ACLs to enumerate the valid 
 endpoints for eBGP sessions.  That goes further than the above but 
 indeed is also a pain to set up and maintain.
 
 There are other attacks you can make against TCP sessions (protected 
 by MD5 or not) using ICMP, though. (see 
 draft-gont-tcpm-icmp-attacks-03.txt).
 
 

Re: Clearwire May Block VoIP Competitors

[Paul Vixie]

the bigger issue with 802.11 and VoIP is that wireless ethernet tends to be
half duplex whereas codecs tend to run both directions at once.  who's getting
good service over 802.11 using G.711 or G.729?  (no fair if your wireless
handset has its own proprietary halfdup codec, i'm talking real SIP here.)
-- 
Paul Vixie

Re: Clearwire May Block VoIP Competitors

[Stephen J. Wilcox]

On 30 Mar 2005, Paul Vixie wrote:

 
 the bigger issue with 802.11 and VoIP is that wireless ethernet tends to be
 half duplex whereas codecs tend to run both directions at once.  who's getting
 good service over 802.11 using G.711 or G.729?  (no fair if your wireless
 handset has its own proprietary halfdup codec, i'm talking real SIP here.)

hmm running g711 on a wifi handset or a lan phone with wifi bridging in the 
middle results in decent quality.

at 2x80kbps vs 11mbps or 54mbps there should be plenty room for both directions 
to communicate without too much delay

Steve

Re: MD5 for TCP/BGP Sessions

[vijay gill]

Stephen J. Wilcox wrote:
without wishing to repeat what can be googled for.. putting acls on your edge to 
protect your ebgp sessions wont work for obvious reasons -- to spoof data and 
disrupt a session you have to spoof the srcip which of course the acl will allow 
in

This is why you either have a stateful firewall in your router that 
pushes a dynamic acl down to the linecard (or equivalent forwarding 
place where the for_us vs through_us decision is made), and filter it 
there. That makes guessing the correct 5 tuple a bit harder. Obviously 
GTSM is the closest we have yet to hardening (note I did not use 
securing) the session.

On average, the stateful filter will cause the attacker to to try 32000 
times to find correct 4-tuple. Conversely, attacker resources will need 
to be on average 32000 times greater to adversely affect a router. The 
cost of attacking infrastructure has risen, but the cost to defender is 
minor.

Each configured BGP session already has all the state needed above to 
populate the filter.

/vijay

RE: Clearwire May Block VoIP Competitors

[Christopher L. Morrow]

On Wed, 30 Mar 2005, Howard, W. Lee wrote:
 planning.  Denying traffic that doesn't conform to your engineering
 is one response.  Re-engineering is another.  Do what you will
 with your network, I know what I'd do with mine.

I could be 1) over simplifying, 2) misunderstanding, the problem, but all
of the networks that make up 'the Internet' are really just private
networks. there is nothing that says any of these private networks have to
transport all bits in all streams from end to end, yes?

Given that, certainly some networks might choose to NOT transport VOIP or
HTTP or BitTorennt across their networks. There are market reasons why
this will, or could, eventually force them to re-evaluate their practices
or face the consequences.

I don't find it shocking at all that ISP-Y decides to block VOIP,
especially if they have their own VOIP service offering. It might not be
the BEST plan in the long run for them, but certainly it makes some sense
to them... Just don't use their network(s), and complain to their support
organization(s) about the failures on their networks.

-Chris

Re: Clearwire May Block VoIP Competitors

[Jared Mauch]

On Wed, Mar 30, 2005 at 11:32:33PM +, Paul Vixie wrote:
 
 the bigger issue with 802.11 and VoIP is that wireless ethernet tends to be
 half duplex whereas codecs tend to run both directions at once.  who's getting
 good service over 802.11 using G.711 or G.729?  (no fair if your wireless
 handset has its own proprietary halfdup codec, i'm talking real SIP here.)

you didn't ask for the size of the wireless network(1), in my
experience i've not had any (major) problems with this, the key is to
insure that the packets are somehow QoS'ed at the edge, even if your
provider won't do QoS to you, you can do some neat artifical QoS on
your upstream/uplink interfaces..

What i've done is rate-limit TCP inbound to be around 75-80%
of the link speed to force things to back-off and leave space for
my UDP packet streams.

I think one of the major problems is that very few people know
how to, or are capable of sending larger g711 frames (at increased
delay, but more data per packet) because they can't set these more granular
settings on their systems.. this means you have a lot higher pps
rates which I think is the problem with the radio gear, it's just not
designed for high pps rates..

big thing i've noticed in operational experience is that
not all 802.11 handsets handle AP roaming seamlessly, some want to
disconnect then re-dhcp for what is the same ssid/network domain.

- jared

(1) - i'm speaking for a single-ssid network with more than one AP that
covers long-distance clients at 1Mb/s speeds on 802.11b (250meter+ one way)

-- 
Jared Mauch  | pgp key available via finger from [EMAIL PROTECTED]
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.

Re: MD5 for TCP/BGP Sessions

[Christopher L. Morrow]

 On Thu, 31 Mar 2005, Pekka Savola wrote:

 
  On Wed, 30 Mar 2005, John Kristoff wrote:
  [on bgp/md5 and acl's]
   ACLs are often used, but vary widely depending on organization.

(and equipment in use)

   It can be difficult to manage ACLs on a box with a large number
   of peers that uses many local BGP peering addresses.  I'm sure

provided your gear supports it an acl (this is one reason layered acls
would be nice on routers) per peer with:
permit /30 eq 179 /30
permit /30 /30 eq 179
deny all-network-gear-ip-space (some folks call it backbone ip space, Paul
Quinn at cisco says: Infrastructure ip space)

no more traffic to the peer except BGP from the peer /30. No more ping, no
more traceroute of interface... (downsides perhaps?) and the 'customer'
can still DoS himself :( (or his compromised machine can DoS him)

   some organizations reviewed and updated their ACLs as a result
   of the last scare, but that is a local, private decision and it
   would probably be hard to get good sample of who and what changed.
 

some people still use 'cisco' for their password, even on non-cisco
platforms :( this md5 discussion isn't the only security problem :(

  I would be double careful here, just to make sure everybody
  understands what you're protecting.
 
  iBGP sessions?  ACLs are trivial if you have your borders secured.
 

ibgp, provided your infrastructure space is seperate from 'customer' space
is simpler... but keep in mind the possible downsides (no ping, no
traceroute, harder troubleshooting for the customers, perhaps)

  eBGP sessions?  GTSM is your friend (if supported).  Practically, if
  you know your peer and you also protect your borders, ACLs are rather
  trivial as well.
 

borders, for some folks, are wide, varied and complex :( So, for some
folks with limited border size/breadth making these things trivial is, of
course, easy.

  What you seem to be saying is using ACLs to enumerate the valid
  endpoints for eBGP sessions.  That goes further than the above but
  indeed is also a pain to set up and maintain.
 

and impossible to implement on some hardware. Note: Some/all of that
hardware is going away as time makes it fade into the background...
sometimes not fast enough though.

-Chris

Re: Sympatico / Nexxia (as577) smtp issues ?

[Richard Danielli]

I saw this earlier today ...
hope it helps to know you're not alone
-rd-
Mike Tancsa wrote:

Anyone know whats up with Sympatico / Bell's mail servers ?  My 
customers are asking me why their mail is not getting there nor mail 
from sympatico is not getting to us.  Most mail does not seem to be 
going through although network connectivity seems fine. I tried from 2 
other networks and the issue seems to be the same.

  host -tmx sympatico.ca
sympatico.ca mail is handled by 5 toip6.bellnexxia.net.
sympatico.ca mail is handled by 5 toip7.bellnexxia.net.
sympatico.ca mail is handled by 5 toip8.bellnexxia.net.
sympatico.ca mail is handled by 5 toip1.bellnexxia.net.
sympatico.ca mail is handled by 5 toip2.bellnexxia.net.
sympatico.ca mail is handled by 5 toip3.bellnexxia.net.
sympatico.ca mail is handled by 5 toip4.bellnexxia.net.
sympatico.ca mail is handled by 5 toip5.bellnexxia.net.
 
  telnet toip6.bellnexxia.net smtp
Trying 209.226.175.174...
telnet: Unable to connect to remote host: Connection refused
  telnet toip1.bellnexxia.net smtp
Trying 209.226.175.84...
telnet: Unable to connect to remote host: Connection refused
  telnet toip2.bellnexxia.net smtp
Trying 209.226.175.85...
telnet: Unable to connect to remote host: Connection refused
  telnet toip3.bellnexxia.net smtp
Trying 209.226.175.86...
telnet: Unable to connect to remote host: Connection refused
  telnet toip4.bellnexxia.net smtp
Trying 209.226.175.87...
Connected to toip4.bellnexxia.net.
Escape character is '^]'.
421 #4.4.5 Too many connections to this host.
Connection closed by foreign host.
  telnet toip5.bellnexxia.net smtp
Trying 209.226.175.88...
telnet: Unable to connect to remote host: Connection timed out
  telnet toip6.bellnexxia.net smtp
Trying 209.226.175.174...
telnet: Unable to connect to remote host: Connection refused
  telnet toip7.bellnexxia.net smtp
Trying 209.226.175.175...
telnet: Unable to connect to remote host: Connection refused
 

Mike Tancsa,  tel +1 519 651 3400
Sentex Communications,[EMAIL PROTECTED]
Providing Internet since 1994www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
--
Richard Danielli
President, eSubnet
(416) 203-5253
www.eSubnet.com

Re: Sympatico / Nexxia (as577) smtp issues ?

[Christopher L. Morrow]

On Wed, 30 Mar 2005, Mike Tancsa wrote:



 Anyone know whats up with Sympatico / Bell's mail servers ?  My customers
 are asking me why their mail is not getting there nor mail from sympatico
 is not getting to us.  Most mail does not seem to be going through although
 network connectivity seems fine. I tried from 2 other networks and the
 issue seems to be the same.


 421 #4.4.5 Too many connections to this host.
 Connection closed by foreign host.

sometimes new email-bourne virii do this :( Suresh might know of a new
virus running rampant in the email world? or perhaps others watching
mailqueues do?

Re: MD5 for TCP/BGP Sessions

[vijay gill]

Christopher L. Morrow wrote:
provided your gear supports it an acl (this is one reason layered acls
would be nice on routers) per peer with:
permit /30 eq 179 /30
permit /30 /30 eq 179
deny all-network-gear-ip-space (some folks call it backbone ip space, Paul
Quinn at cisco says: Infrastructure ip space)
no more traffic to the peer except BGP from the peer /30. No more ping, no
more traceroute of interface... (downsides perhaps?) and the 'customer'
can still DoS himself :( (or his compromised machine can DoS him)
or forge the source ip on the neighbors /30 or /31 (why aren't you using 
/31s anyway) and call it done.

/vijay

Sympatico / Nexxia (as577) smtp issues ?

[Mike Tancsa]

Anyone know whats up with Sympatico / Bell's mail servers ?  My customers 
are asking me why their mail is not getting there nor mail from sympatico 
is not getting to us.  Most mail does not seem to be going through although 
network connectivity seems fine. I tried from 2 other networks and the 
issue seems to be the same.

 host -tmx sympatico.ca
sympatico.ca mail is handled by 5 toip6.bellnexxia.net.
sympatico.ca mail is handled by 5 toip7.bellnexxia.net.
sympatico.ca mail is handled by 5 toip8.bellnexxia.net.
sympatico.ca mail is handled by 5 toip1.bellnexxia.net.
sympatico.ca mail is handled by 5 toip2.bellnexxia.net.
sympatico.ca mail is handled by 5 toip3.bellnexxia.net.
sympatico.ca mail is handled by 5 toip4.bellnexxia.net.
sympatico.ca mail is handled by 5 toip5.bellnexxia.net.

 telnet toip6.bellnexxia.net smtp
Trying 209.226.175.174...
telnet: Unable to connect to remote host: Connection refused
 telnet toip1.bellnexxia.net smtp
Trying 209.226.175.84...
telnet: Unable to connect to remote host: Connection refused
 telnet toip2.bellnexxia.net smtp
Trying 209.226.175.85...
telnet: Unable to connect to remote host: Connection refused
 telnet toip3.bellnexxia.net smtp
Trying 209.226.175.86...
telnet: Unable to connect to remote host: Connection refused
 telnet toip4.bellnexxia.net smtp
Trying 209.226.175.87...
Connected to toip4.bellnexxia.net.
Escape character is '^]'.
421 #4.4.5 Too many connections to this host.
Connection closed by foreign host.
 telnet toip5.bellnexxia.net smtp
Trying 209.226.175.88...
telnet: Unable to connect to remote host: Connection timed out
 telnet toip6.bellnexxia.net smtp
Trying 209.226.175.174...
telnet: Unable to connect to remote host: Connection refused
 telnet toip7.bellnexxia.net smtp
Trying 209.226.175.175...
telnet: Unable to connect to remote host: Connection refused


Mike Tancsa,  tel +1 519 651 3400
Sentex Communications,[EMAIL PROTECTED]
Providing Internet since 1994www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

Re: Vonage Hits ISP Resistance

[Eric A. Hall]

On 3/30/2005 11:27 AM, Greg Boehnlein wrote:
 On Wed, 30 Mar 2005, Fergie (Paul Ferguson) wrote:
 
Intersting article on ISP issues regarding competitive
VoIP services:

http://www.lightreading.com/document.asp?site=lightreadingdoc_id=71020
 
 Hmm.. I was quoted in it.

Oh good, maybe you can clarify some things:

| As much as I want to see VOIP survive and thrive, I also don't want
| to bear the additional cost of my customers choosing to use a
| competitor's VOIP service over my own, says Greg Boehnlein, who
| operates Cleveland, Ohio-based ISP N2Net.
|
| Without control of the last mile, we're screwed, Boehnlein says,
| which is why I can identify with Clearwire's decision and say
| more power to them.

Do you also block NNTP so that customers have to use your servers?

And if some other service used higher cumulative bandwidth than VoIP (say,
Apple's music service) and didn't ~reimburse you for the use of your
network, would|do you block that service too? For that matter, do you
block the various P2P systems that don't make money but that generate
massive traffic?

What don't you plan on blocking exactly?

-- 
Eric A. Hallhttp://www.ehsco.com/
Internet Core Protocols  http://www.oreilly.com/catalog/coreprot/

IANA IPv4 allocations and bogon update: 73/8

[Rob Thomas]

-BEGIN PGP SIGNED MESSAGE-
[ Apologies to those of you who receive this note in multiple forums. ]
Hi, team.
The numerous Team Cymru bogon projects have been updated as of 30 MAR
2005 to reflect the following IANA allocation made on 30 MAR 2005:
 073/8   Mar 05   ARIN   (whois.arin.net)
IANA allocations change over time, so please check regularly to ensure
you have the latest filters if you are not using the bogon BGP feed(s).
We do announce updates to the bogon projects to sundry lists, such as
the bogon-announce list.  We can not stress this point strongly
enough - these allocations change. If you do not adjust your filters,
you will be unable to access perhaps large portions of the Internet.
Worse yet, you may end up blocking access for people who transit
through you.
Please do not apply any filters or blocks to your network without
carefully considering the ramifications of doing so.
As a point of reference, the Team Cymru master Bogon Reference Page
can be found here:
 http://www.cymru.com/Bogons/
A quick summary of the documents and projects that have been updated
include the following:
 HTTP
The Bogon List
 - http://www.cymru.com/Documents/bogon-list.html
The Text Bogon Lists
 - http://www.cymru.com/Documents/bogon-bn-nonagg.txt
 - http://www.cymru.com/Documents/bogon-bn-agg.txt
Secure BIND Template
 - http://www.cymru.com/Documents/secure-bind-template.html
Secure IOS Template (Cisco)
 - http://www.cymru.com/Documents/secure-ios-template.html
Secure BGP Template (Cisco)
 - http://www.cymru.com/Documents/secure-bgp-template.html
Secure JUNOS Template (Juniper)
 - http://www.cymru.com/gillsr/documents/junos-template.htm
Secure JUNOS BGP Template (Juniper)
 - http://www.cymru.com/gillsr/documents/junos-bgp-template.htm
Ingress Prefix Filter Templates, Loose and Strict (Cisco)
 -  
ftp://ftp-eng.cisco.com/cons/isp/security/Ingress-Prefix-Filter-Templates/
Ingress Prefix Filter Template, Loose (Juniper)
 -  
http://www.cymru.com/gillsr/documents/junos-isp-prefix-filter-loose.htm
Ingress Prefix Filter Template, Strict (Juniper)
 -  
http://www.cymru.com/gillsr/documents/junos-isp-prefix-filter-strict.htm
 BGP
Bogon route-server for AUTOMATED updates of bogon filters
 - All bogon route-server peers have already received the
   appropriate BGP prefix updates.
 - http://www.cymru.com/BGP/bogon-rs.html
 RADb
fltr-unallocated
fltr-martian
fltr-bogons
 - http://www.cymru.com/Bogons/index.html#radb
 RIPE NCC
fltr-unallocated
fltr-martian
fltr-bogons
 - http://www.cymru.com/Bogons/index.html#ripe
 DNS
Bogon (bogons.cymru.com) zone
 - http://www.cymru.com/Bogons/index.html#dns
 Monitoring
Bogon prefix monitoring
 - http://www.cymru.com/BGP/robbgp-bogon.html
Bogus ASN monitoring
 - http://www.cymru.com/BGP/asnbogusrep.html
Please feel free to contact Team Cymru [EMAIL PROTECTED] with any
comments, questions, or concerns.
Thank you for your continued support.
Rob, for Team Cymru.
- -- 
Rob Thomas
http://www.cymru.com
Shaving with Occam's razor since 1999.

-BEGIN PGP SIGNATURE-
Version: PGP 6.5.2
iQCVAwUBQks9clkX3QAo5sgJAQFCHgP/V6mR3gVMiNQ5bvkfSgsT5nkIw0bn2BJA
nE4qKGQrB22WL6t83PMsMONjW7GvHJA7Ds4DVgVggTUBJ/SqupM1xQ3SBwEokHcW
oydTMiUrsS1dmZMdoLoSHNdGC6hLciTgYayIO/EBI9IGoQYdR/swzgjzHXkLWghO
0C67MWkIT7M=
=+ixP
-END PGP SIGNATURE-

Re: Vonage Hits ISP Resistance

[Bill Nash]

On Wed, 30 Mar 2005, Eric A. Hall wrote:
| to bear the additional cost of my customers choosing to use a
| competitor's VOIP service over my own, says Greg Boehnlein, who
| operates Cleveland, Ohio-based ISP N2Net.
|
| Without control of the last mile, we're screwed, Boehnlein says,
| which is why I can identify with Clearwire's decision and say
| more power to them.
Do you also block NNTP so that customers have to use your servers?
And if some other service used higher cumulative bandwidth than VoIP (say,
Apple's music service) and didn't ~reimburse you for the use of your
network, would|do you block that service too? For that matter, do you
block the various P2P systems that don't make money but that generate
massive traffic?
I find this to be entertaining, since as a VOIP consumer, I'm reimbursing 
my ISP for the cost of the traffic as part of my monthly tithe. Why 
exactly are networks taking this stance to QoS VOIP traffic, generated by 
their customers, into uselessness?

This will all be especially hysterical when it's done by an ISP that 
comprises 100% of it's local market's internet connectivity. Munn vs. 
Illinois, round 2!

- billn

Re: Vonage Hits ISP Resistance

[Greg Boehnlein]

On Wed, 30 Mar 2005, Eric A. Hall wrote:

 
 On 3/30/2005 11:27 AM, Greg Boehnlein wrote:
  On Wed, 30 Mar 2005, Fergie (Paul Ferguson) wrote:
  
 Intersting article on ISP issues regarding competitive
 VoIP services:
 
 http://www.lightreading.com/document.asp?site=lightreadingdoc_id=71020
  
  Hmm.. I was quoted in it.
 
 Oh good, maybe you can clarify some things:
 
 | “As much as I want to see VOIP survive and thrive, I also don't want
 | to bear the additional cost of my customers choosing to use a
 | competitor's VOIP service over my own,” says Greg Boehnlein, who
 | operates Cleveland, Ohio-based ISP N2Net.
 |
 | “Without control of the last mile, we're screwed,” Boehnlein says,
 | “which is why I can identify with Clearwire's decision and say
 | ‘more power to them’.”
 
 Do you also block NNTP so that customers have to use your servers?

Where the RBOC has us by the balls (ATM DSL Transport as an Example, where 
they refuse to provide Multi-Lata ATM interconnects and require us to put 
ATM circuits in each LATA that we want to service) we apply, at our 
discretion, rate-limits and IP Access lists to preserve and tightly 
control those resources. We attempt to balance the experience and 
utilzation for ALL the customers on those circuits against the one or two 
users who are beating the crap out of the interconnect w/ Peer to Peer or 
Usenet traffic. So yes, in some cases, we'll apply NNTP and other 
traffic shaping policies as neccessary to ensure that we are able to 
maintain low latency and a more equal sharing of bandwidth on those links. 
This really only applies to residential DSL subscribers.

On DS1, Ethernet and DS3 circuits, we don't do anything. Those are treated 
as a different class of service, with a Service Level Agreement, and as 
such are only shaped at the customer's request.

 And if some other service used higher cumulative bandwidth than VoIP (say,
 Apple's music service) and didn't ~reimburse you for the use of your
 network, would|do you block that service too? For that matter, do you
 block the various P2P systems that don't make money but that generate
 massive traffic?
 
 What don't you plan on blocking exactly?

The press always bends quotes to fit their story, and are easily taken out 
of context. You only have the benefit of seeing the quotes they chose to 
publish, and not the entire context of the discussion. ;)

So, to clarify my position I don't block anything on my network for 
customers that are under a Service Level Agreement. In fact, we actually 
apply higher preference to VoIP traffic. However, it is MY network and 
I'll do whatever I please with it. If customers have an issue, they are 
free to contact me about it.

However, If the FCC is able to dictate the types of traffic and the 
filtering policies of ISPs, this could have much broader, far-reaching 
impact on what we CAN do with our networks. Take the following ridiculous 
example; Assume that some SPAMMER is able to get the FCC to pass 
regulation that makes it illegal to block SMTP traffic, use RBLs etc. How 
well do you think that would go over?

I'm all for network service providers having the ability to control what 
enters and exits their network. I'm against the Government stepping in and 
dictating what we can/cannot do with our networks.

I'm an avid and active Asterisk developer. I want to see VoIP flourish and 
grow. However, anyone who has gotten into the ITSP business (Read Vonage 
et all) and has based their business plan on delivering service over a 
network they don't control has to have their head examined. VoIP makes a 
lot of sense, but over the public Internet? Pretty bad business judgement 
in my opinion. If you can't QOS both sides of the connection and control 
the packets between the PSTN and the End User, then you WILL have outages 
and problems that are beyond your control. That may be good enough for 
most people, but not for me. I wouldn't trust my family's life to a VoIP 
service when that 911 call has to transit the public Internet.

-- 
Vice President of N2Net, a New Age Consulting Service, Inc. Company
 http://www.n2net.net Where everything clicks into place!
 KP-216-121-ST

Re: Sympatico / Nexxia (as577) smtp issues ?

[Suresh Ramasubramanian]

On Thu, 31 Mar 2005 00:19:18 + (GMT), Christopher L. Morrow
[EMAIL PROTECTED] wrote:
 
 
  421 #4.4.5 Too many connections to this host.
  Connection closed by foreign host.
 
 sometimes new email-bourne virii do this :( Suresh might know of a new
 virus running rampant in the email world? or perhaps others watching
 mailqueues do?

Well could be a virus outbreak or an extensive spam run that's bogging
the servers down

Could also be  our hardware is old, tired and melting down, we need
to buy some more time :)

-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])

Re: Vonage Hits ISP Resistance

[Greg Boehnlein]

On Wed, 30 Mar 2005, Bill Nash wrote:

 On Wed, 30 Mar 2005, Eric A. Hall wrote:
 
  | to bear the additional cost of my customers choosing to use a
  | competitor's VOIP service over my own, says Greg Boehnlein, who
  | operates Cleveland, Ohio-based ISP N2Net.
  |
  | Without control of the last mile, we're screwed, Boehnlein says,
  | which is why I can identify with Clearwire's decision and say
  | more power to them.
 
  Do you also block NNTP so that customers have to use your servers?
 
  And if some other service used higher cumulative bandwidth than VoIP (say,
  Apple's music service) and didn't ~reimburse you for the use of your
  network, would|do you block that service too? For that matter, do you
  block the various P2P systems that don't make money but that generate
  massive traffic?
 
 
 I find this to be entertaining, since as a VOIP consumer, I'm reimbursing 
 my ISP for the cost of the traffic as part of my monthly tithe. Why 
 exactly are networks taking this stance to QoS VOIP traffic, generated by 
 their customers, into uselessness?

Well, there is a whole other side to the arguement, which is why is your 
local ISP even providing you the DSL service when they don't own the last 
mile copper and pay 98% of the revenue that you pay them to an RBOC? :)

Believe me, I ask myself this question every day: Why did I agree to 
provide DSL services through SBC and Alltel knowing how anticompetitive 
they are?. And the only anwer that I can come up with is: You are an 
idiot. ;)

This gets at a bigger issue really, which is why anyone in their right 
mind is actually re-selling RBOC DSL products, but that isn't your 
concern. ;)

As an ISP, I'd love to charge you (the consumer) on a per-packet or 
per-byte level for your DSL so that it would actually reflect the true 
cost of the service. Then, I'd like to charge you for all the technical 
support and billing overhead involved.

At the same time, I'd like to see the RBOC's relegated to nothing more 
than wire-carriers and get them completely out of the Telecommunications 
industry. Let them run the COs and the Copper/Fiber networks, but truly 
deregulate the Telecom industry so that everyone is on a level playing 
field. Fat chance of that happening, though! ;)
 
 This will all be especially hysterical when it's done by an ISP that 
 comprises 100% of it's local market's internet connectivity. Munn vs. 
 Illinois, round 2!

Why are RBOC's even providing Internet Transport to their customers in the 
first place? :)

-- 
Vice President of N2Net, a New Age Consulting Service, Inc. Company
 http://www.n2net.net Where everything clicks into place!
 KP-216-121-ST

Re: Vonage Hits ISP Resistance

[Greg Boehnlein]

On Thu, 31 Mar 2005, Brad Knowles wrote:

 At 5:06 PM -0800 2005-03-30, Bill Nash wrote:
 
   I find this to be entertaining, since as a VOIP consumer, I'm
   reimbursing my ISP for the cost of the traffic as part of my monthly
   tithe.
 
   No, that's not true.  Not if your ISP has oversold their upstream 
 bandwidth, and a lot of people start using VOIP.
 
   In that case, your ISP is dependant on keeping you fat, dumb, 
 happy, barefoot, and pregnant in the kitchen, taking whatever 
 semidigested pabulum they choose to feed you, and if you start 
 getting uppity by actually thinking for yourself and using something 
 like VOIP, then they're going to have to bitch-slap you back into 
 your rightful place under their thumb.

That is fairly entertaining. Perhaps you could provide the financial 
breakdown for ANY DSL business model that doesn't rely on 
over-subscription?

Q. How many, full-on 6 Meg DSL subscribers can you put on a 45 meg ATM 
connection without oversubscription? ;)

-- 
Vice President of N2Net, a New Age Consulting Service, Inc. Company
 http://www.n2net.net Where everything clicks into place!
 KP-216-121-ST