Re: Spam (un)blocking

2005-04-06 Thread Hank Nussbacher
At 06:43 PM 06-04-05 -0400, Daniel Senie wrote:
Since the uptake on IRT has been slow, and after much internal discussion, 
RIPE has decided to add an "abuse-mailbox" attribute.  For further details see:
https://www.ripe.net/ripe/maillists/archives/db-wg/2005/msg00015.html

-Hank

At 06:10 PM 4/6/2005, JP Velders wrote:

> Date: Wed, 6 Apr 2005 14:54:08 -0400
> From: Adam Jacob Muller <[EMAIL PROTECTED]>
> Subject: Spam (un)blocking
> [ ... ]
> Second, is there some way to mark my block of addresses is owned by
> responsible responsive system administrators.
Over here in "RIPE land" so to speak, several ISP's (most notably
FIRST members) have put a lot of effort in getting 'IRT' objects in
the RipeDB.
$ whois -h whois.ripe.net -r 194.171.31.0 | egrep 
'^(inetnum|remarks|mnt-irt):'
inetnum:  194.171.31.0 - 194.171.31.255
remarks:  utilized by 802.1x authenticated guests utilizing EduRoam
remarks:  see http://www.eduroam.nl/ for more information
remarks:  in case of abuse: [EMAIL PROTECTED] and [EMAIL PROTECTED]
mnt-irt:  irt-SURFnet-CERT
And this is MUCH appreciated. When trying to figure out where to send spam 
complaints, a network that's taken the time to put their abuse address in 
their records certainly appears to at least care, and so gets better treatment.

That IRT object (I believe there were efforts underway for a similar
system in the ARINdb, but I haven't followed it for over a year :( )
is an object to identify the "Incident Response Team" which can be
contacted regarding certain blocks of space.
$ whois -h whois.ripe.net -r irt-SURFnet-CERT | egrep 
'^(irt|signature|encryption|remarks|mnt-by):'
irt:  irt-SURFNET-CERT
signature:PGPKEY-A6D57ECE
encryption:   PGPKEY-A6D57ECE
remarks:  SURFNET-CERT is the Computer Emergency
remarks:  Response Team of SURFnet
remarks:  This is a TI accredited CSIRT
remarks:  (see http://www.ti.terena.nl/teams/level2.html)
mnt-by:   TRUSTED-INTRODUCER-MNT

More information can be found in Google, or on the FAQ by Jan Meijer:
http://www.surfnetters.nl/meijer/tf-csirt/irt-object-faq.html
> We have tech support on duty 24/7 and abuse complaints are dealt
> with in a timely manner, so I am wondering if there is a way to
> communicate our willingness to help in the fight against spam.
Replace spam with abuse and you have something like the IRT object. ;D
No doubt someone on NANOG knows what's happening with the ARIN version ;)
(or if there will be one, if people want it, etc.)
SWIPs can hold abuse contact info. Again, this is a good thing for folks 
to do.

+++
This Mail Was Scanned By Mail-seCure System
at the Tel-Aviv University CC.



Re: The power of default configurations

2005-04-06 Thread Mark Andrews


In article <[EMAIL PROTECTED]> you write:
>
>
>On 4/6/2005 5:00 PM, Sean Donelan wrote:
>
>> Why does BIND forward lookups for RFC1918 addresses by default?
>
>As has been pointed out already, caches need to be able to ask other
>(local) servers for the PTRs.
>
>OTOH, it might make a good feature (and eventually maybe a BCP) to block
>PTR queries for 1918 space from going to the roots and TLD servers.
>
>-- 
>Eric A. Hallhttp://www.ehsco.com/
>Internet Core Protocols  http://www.oreilly.com/catalog/coreprot/

The first step in getting these sorts queries stomped on
in the right places is coming with the rewording of the ULA
draft DNS Issues section which allows nameservers to default
to returning rcode 3 (NXDOMAIN/Name Error).

The next step is to do this as a general draft which covers
all the different suffixes.

Mark

4.4 DNS Issues


At the present time  and PTR records for locally assigned local
IPv6 addresses are not recommended to be installed in the global
DNS.

For background on this recommendation, one of the concerns about
adding  and PTR records to the global DNS for locally assigned
Local IPv6 addresses stems from the lack of complete assurance that
the prefixes are unique. There is a small possibility that the same
locally assigned IPv6 Local addresses will be used by two different
organizations both claiming to be authoritative with different
contents. In this scenario, it is likely there will be a connection
attempt to the closest host with the corresponding locally assigned
IPv6 Local address. This may result in connection timeouts, connection
failures indicated by ICMP Destination Unreachable messages, or
successful connections to the wrong host. Due to this concern,
adding  records for these addresses to the global DNS is thought
to be unwise.

Reverse (address-to-name) queries for locally assigned IPv6 Local
addresses MUST NOT be sent to name servers for the global DNS, due
to the load that such queries would create for the authoritative
name servers for the ip6.arpa zone. This form of query load is not
specific to locally assigned Local IPv6 addresses; any current form
of local addressing creates additional load of this kind, due to
reverse queries leaking out of the site. However, since allowing
such queries to escape from the site serves no useful purpose, there
is no good reason to make the existing load problems worse.

The recommended way to avoid sending such queries to nameservers
for the global DNS is for recursive name server implementations to
act as if they were authoritative for an empty d.f.ip6.arpa zone
and return RCODE 3 for any such query. Implementations that choose
this strategy should allow it to be overridden, but returning an
RCODE 3 response for such queries should be the default, both because
this will reduce the query load problem and also because, if the
site administrator has not set up the reverse tree corresponding
to the locally assigned IPv6 Local addresses in use, returning RCODE
3 is in fact the correct answer.



Re: The power of default configurations

2005-04-06 Thread Sean Donelan

On Thu, 7 Apr 2005, Florian Weimer wrote:
> > Why isn't the default not to forward RFC1918 addresses (and martian
> > addresses).
>
> Is the fraction of PTR lookups for RFC 1918 space really that high?

Ask the ASN 112 folks how many queries their servers handle.

http://www.as112.net/


RE: BGP Anywhere - Global Redundancy

2005-04-06 Thread Steve Gibbard
On Wed, 6 Apr 2005, Vandy Hamidi wrote:
I definitely want 100% of traffic going towards the Primary Site during
normal operation.
LocalPref/MED can be controlled by community strings with my direct
peers.  As you said, I'm paying them for the service, but how will the
advertisement behave after it propagates to their upstream peers?  At
that point AS Path should be the only determining factor, yes?
Nope.  You're at the mercy of whatever traffic engineering or 
local-preffing other networks decide to do, and you won't have any control 
over it.

Are ISP to ISP transit routes manipulated at MED or LocalPref levels?  I
suppose some ISPs may mark some peer with a preferential MED.
Yes.
I was turned on to BGP anywhere when reading up on UltraDNS.  Looks like
they use it for Global load balancing in which a DNS server on the East
Coast will respond to DNS queries to my East Coast DC and the same for
the west coast.  They guarantee 100% DNS response, so I imagine it works
for them.
Has anyone on the list performed BGP Anywhere?  There has to be someone
on Nanog that has done this.
This is more often known as Anycast.
I run the network infrastructure for the PCH Anycast DNS network.
It works well for trying to get traffic to come into multiple places. 
When we have a site go down, we withdraw the routing announcements from 
that location.

Trying to get traffic to go to only one place while sourcing BGP 
announcements from multiple places won't work very well.

-Steve


RE: BGP Anywhere - Global Redundancy

2005-04-06 Thread Vandy Hamidi

I definitely want 100% of traffic going towards the Primary Site during
normal operation.

LocalPref/MED can be controlled by community strings with my direct
peers.  As you said, I'm paying them for the service, but how will the
advertisement behave after it propagates to their upstream peers?  At
that point AS Path should be the only determining factor, yes?

Are ISP to ISP transit routes manipulated at MED or LocalPref levels?  I
suppose some ISPs may mark some peer with a preferential MED.

I was turned on to BGP anywhere when reading up on UltraDNS.  Looks like
they use it for Global load balancing in which a DNS server on the East
Coast will respond to DNS queries to my East Coast DC and the same for
the west coast.  They guarantee 100% DNS response, so I imagine it works
for them.

Has anyone on the list performed BGP Anywhere?  There has to be someone
on Nanog that has done this.

Anyone from UltraDNS?

-=Vandy=-



-Original Message-
From: Steve Gibbard [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, April 06, 2005 5:48 PM
To: Vandy Hamidi
Cc: nanog@merit.edu
Subject: Re: BGP Anywhere - Global Redundancy

On Wed, 6 Apr 2005, Vandy Hamidi wrote:

>
> All,
> We're an ASP and are considering adding a secondary Backup Datacenter
> (BDC) in the US to protect our web presence.
>
> My goal is to ensure automatic failover of my Primary DC's (IP)
traffic
> to the BDC in the event of a catastrophic failure of the PDC.
>
> I'm considering geographic load balancing and BGP Anywhere as the two
> options.  I'm clear on how the Geo LB works, but have some doubts
about
> BGPAW as I've never implemented it before and documentation online is
> pretty weak to non-existent.
>
> Below is how I believe it should be done.
>> From PDC:
>   -Advertise CIDR block to all peers w/good metric (0 hop count)
>> From BDC:
>   -Advertise same CIDR block to all peers w/poor metric (+20 hop
> count)

To clarify, you want no traffic coming into the backup site when the 
primary site is up, right?

Assuming a random set of peers and upstreams, this won't actually do
what 
I think you're trying to do.  Since local-preference overrides MEDs and
AS 
path lengths, and since you don't have control over what goes on in
other 
networks, you'll likely get some traffic coming into your backup site
even 
when you don't intend it to.

You could *maybe* get around this by having the same transit provider 
(probably just one in this case, which is scary for other reasons) in
both 
locations.  If you're paying somebody money, you have a much better
chance 
of getting them to follow your desired routing policy.  Still, it's
really 
not good to be making a routing announcement somewhere where you don't 
want to receive traffic.

You'd probably be better off looking into Cisco's "conditional routing" 
feature (I assume other vendors do something similar).  This allows you
to 
set a router to make an announcement only if it stops receiving some 
route, so you could have your backup site look for the primary site to
go 
away and then start sourcing the route.

Failover time would probably be at most a minute or two, maybe better.

You could also look into various DNS-based ways of doing this.

-Steve



Re: The power of default configurations

2005-04-06 Thread Eric A. Hall


On 4/6/2005 5:00 PM, Sean Donelan wrote:

> Why does BIND forward lookups for RFC1918 addresses by default?

As has been pointed out already, caches need to be able to ask other
(local) servers for the PTRs.

OTOH, it might make a good feature (and eventually maybe a BCP) to block
PTR queries for 1918 space from going to the roots and TLD servers.

-- 
Eric A. Hallhttp://www.ehsco.com/
Internet Core Protocols  http://www.oreilly.com/catalog/coreprot/


Re: The power of default configurations

2005-04-06 Thread Florian Weimer

* Sean Donelan:

> On Mon, 4 Apr 2005, Paul Vixie wrote:
>> adding more.  oh and as long as you're considering whether to restrict
>> things to your LAN/campus/ISP, i'm ready to see rfc1918 filters deployed...
>
> Why does BIND forward lookups for RFC1918 addresses by default?

I think Paul complained about DNS queries with source addresses from
RFC 1918 space.  It's hard to stop this without using connected UDP
sockets.

> Why isn't the default not to forward RFC1918 addresses (and martian
> addresses).

Is the fraction of PTR lookups for RFC 1918 space really that high?

> If a sysadmin is using BIND in a local network which uses RFC1918
> address, those sysdmins can change their configuration?

They already have to, otherwise the queries won't hit their
authoritative servers.


Re: BGP Anywhere - Global Redundancy

2005-04-06 Thread Steve Gibbard
On Wed, 6 Apr 2005, Vandy Hamidi wrote:
All,
We're an ASP and are considering adding a secondary Backup Datacenter
(BDC) in the US to protect our web presence.
My goal is to ensure automatic failover of my Primary DC's (IP) traffic
to the BDC in the event of a catastrophic failure of the PDC.
I'm considering geographic load balancing and BGP Anywhere as the two
options.  I'm clear on how the Geo LB works, but have some doubts about
BGPAW as I've never implemented it before and documentation online is
pretty weak to non-existent.
Below is how I believe it should be done.
From PDC:
	-Advertise CIDR block to all peers w/good metric (0 hop count)
From BDC:
-Advertise same CIDR block to all peers w/poor metric (+20 hop
count)
To clarify, you want no traffic coming into the backup site when the 
primary site is up, right?

Assuming a random set of peers and upstreams, this won't actually do what 
I think you're trying to do.  Since local-preference overrides MEDs and AS 
path lengths, and since you don't have control over what goes on in other 
networks, you'll likely get some traffic coming into your backup site even 
when you don't intend it to.

You could *maybe* get around this by having the same transit provider 
(probably just one in this case, which is scary for other reasons) in both 
locations.  If you're paying somebody money, you have a much better chance 
of getting them to follow your desired routing policy.  Still, it's really 
not good to be making a routing announcement somewhere where you don't 
want to receive traffic.

You'd probably be better off looking into Cisco's "conditional routing" 
feature (I assume other vendors do something similar).  This allows you to 
set a router to make an announcement only if it stops receiving some 
route, so you could have your backup site look for the primary site to go 
away and then start sourcing the route.

Failover time would probably be at most a minute or two, maybe better.
You could also look into various DNS-based ways of doing this.
-Steve


BGP Anywhere - Global Redundancy

2005-04-06 Thread Vandy Hamidi

All,
We're an ASP and are considering adding a secondary Backup Datacenter
(BDC) in the US to protect our web presence. 

My goal is to ensure automatic failover of my Primary DC's (IP) traffic
to the BDC in the event of a catastrophic failure of the PDC.

I'm considering geographic load balancing and BGP Anywhere as the two
options.  I'm clear on how the Geo LB works, but have some doubts about
BGPAW as I've never implemented it before and documentation online is
pretty weak to non-existent.

Below is how I believe it should be done.
>From PDC:
-Advertise CIDR block to all peers w/good metric (0 hop count)
>From BDC:
-Advertise same CIDR block to all peers w/poor metric (+20 hop
count)

During normal operation, all ASes will route production traffic to PDC.
In the event of catastrophic failure at PDC; PDC advertisements will
cease, BDC route will become the only one on the net and traffic will
route to the BDC.

Questions:
1) Will this work?
2) Other suggestions or alternatives?
3) Any chance that traffic could flow to BDC for any reason?
4) Any internet etiquette I could be ignoring?
5) What would you estimate the failover time would be?
6) Assuming the routers at PDC and BDC pull down full routing table, how
will the receipt of the PDC CIDR advertisement be treated?  BGP rules
say it will be dropped as a routing loop.  What alternatives would I
have if I want to be able to route that CIDR block traffic from the BDC
to the PDC.  Confed?  Cisco conditional advertisements?


Thanks all.  This is the only place I can think of that would have the
expertise to comment.

-=Vandy=-



Re: Router choice for medium size hosting provider

2005-04-06 Thread Bill Woodcock

> Do  you need BGP?  That's going to make a big difference in what you
> want to use.   An idea on the number/type of interfaces you need would
> be helpful as well.

A 2811 will do BGP just fine...  760mb of RAM and plenty of CPU.  In terms 
of interfaces, it can nominally take four GigE and eighteen 100Base-T 
interfaces, though I believe it's only rated for 4.8gbps total throughput.  
How real that number actually is I don't guess we'll know until someone 
tries it in the lab.  I haven't had time yet.

-Bill



Re: Router choice for medium size hosting provider

2005-04-06 Thread Mark Radabaugh
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Alex Campbell wrote:
|
| Hi everyone,
|
| I'm looking for a new router to connect our data center to our tier
| 1 ISP via a 50mbps fibre link.  Does anyone have any advice about
| what level of Cisco router would be required to saturate this link?
|
|
| We're looking at the 2811 but I can't get any real world data about
| whether it can route packets at 50mbps - this seems doubtful
| although unclear from the information on the Cisco data sheets.
|
| (I'm aware that a cheap PC running Linux could provide similar
| throughput to a $2 Cisco router but for a variety of reasons
| I'm reluctant to follow this path).
|
| Thanks,
|
| Alex
|
Do  you need BGP?  That's going to make a big difference in what you
want to use.   An idea on the number/type of interfaces you need would
be helpful as well.
Mark Radabaugh
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.0 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFCVHtNg0PQSWMG2wsRArOOAKCWwM70hEx2dxGDBU/yWK1Jn+4AnACdFGpD
7fJ9wZFncJ2Mq4OJPDyqWPQ=
=TQfK
-END PGP SIGNATURE-


Router choice for medium size hosting provider

2005-04-06 Thread Alex Campbell


Hi everyone,

I'm looking for a new router to connect our data center to our tier 1 ISP
via a 50mbps fibre link.  Does anyone have any advice about what level of
Cisco router would be required to saturate this link?

We're looking at the 2811 but I can't get any real world data about whether
it can route packets at 50mbps - this seems doubtful although unclear from
the information on the Cisco data sheets.

(I'm aware that a cheap PC running Linux could provide similar throughput to
a $2 Cisco router but for a variety of reasons I'm reluctant to follow
this path).

Thanks,

Alex




Re: Spam (un)blocking

2005-04-06 Thread Daniel Senie
At 06:10 PM 4/6/2005, JP Velders wrote:

> Date: Wed, 6 Apr 2005 14:54:08 -0400
> From: Adam Jacob Muller <[EMAIL PROTECTED]>
> Subject: Spam (un)blocking
> [ ... ]
> Second, is there some way to mark my block of addresses is owned by
> responsible responsive system administrators.
Over here in "RIPE land" so to speak, several ISP's (most notably
FIRST members) have put a lot of effort in getting 'IRT' objects in
the RipeDB.
$ whois -h whois.ripe.net -r 194.171.31.0 | egrep 
'^(inetnum|remarks|mnt-irt):'
inetnum:  194.171.31.0 - 194.171.31.255
remarks:  utilized by 802.1x authenticated guests utilizing EduRoam
remarks:  see http://www.eduroam.nl/ for more information
remarks:  in case of abuse: [EMAIL PROTECTED] and [EMAIL PROTECTED]
mnt-irt:  irt-SURFnet-CERT
And this is MUCH appreciated. When trying to figure out where to send spam 
complaints, a network that's taken the time to put their abuse address in 
their records certainly appears to at least care, and so gets better treatment.

That IRT object (I believe there were efforts underway for a similar
system in the ARINdb, but I haven't followed it for over a year :( )
is an object to identify the "Incident Response Team" which can be
contacted regarding certain blocks of space.
$ whois -h whois.ripe.net -r irt-SURFnet-CERT | egrep 
'^(irt|signature|encryption|remarks|mnt-by):'
irt:  irt-SURFNET-CERT
signature:PGPKEY-A6D57ECE
encryption:   PGPKEY-A6D57ECE
remarks:  SURFNET-CERT is the Computer Emergency
remarks:  Response Team of SURFnet
remarks:  This is a TI accredited CSIRT
remarks:  (see http://www.ti.terena.nl/teams/level2.html)
mnt-by:   TRUSTED-INTRODUCER-MNT

More information can be found in Google, or on the FAQ by Jan Meijer:
http://www.surfnetters.nl/meijer/tf-csirt/irt-object-faq.html
> We have tech support on duty 24/7 and abuse complaints are dealt
> with in a timely manner, so I am wondering if there is a way to
> communicate our willingness to help in the fight against spam.
Replace spam with abuse and you have something like the IRT object. ;D
No doubt someone on NANOG knows what's happening with the ARIN version ;)
(or if there will be one, if people want it, etc.)
SWIPs can hold abuse contact info. Again, this is a good thing for folks to 
do.



Re: The power of default configurations

2005-04-06 Thread JP Velders


> Date: Wed, 6 Apr 2005 18:00:05 -0400 (EDT)
> From: Sean Donelan <[EMAIL PROTECTED]>
> To: nanog@merit.edu
> Subject: The power of default configurations

> On Mon, 4 Apr 2005, Paul Vixie wrote:
> > adding more.  oh and as long as you're considering whether to restrict
> > things to your LAN/campus/ISP, i'm ready to see rfc1918 filters deployed...

> Why does BIND forward lookups for RFC1918 addresses by default?  Why isn't
> the default not to forward RFC1918 addresses (and martian addresses).  If
> a sysadmin is using BIND in a local network which uses RFC1918 address,
> those sysdmins can change their configuration?

RFC1918 space is space you can use inside of an organization in the
same way you could use non-RFC1918 space. If a program would treat it
differently that would only make sense if that program could only be
used in such a way that it would *have* to treat it differently.

Regards,
JP Velders


Re: Spam (un)blocking

2005-04-06 Thread JP Velders


> Date: Wed, 6 Apr 2005 14:54:08 -0400
> From: Adam Jacob Muller <[EMAIL PROTECTED]>
> Subject: Spam (un)blocking

> [ ... ]
> Second, is there some way to mark my block of addresses is owned by
> responsible responsive system administrators.

Over here in "RIPE land" so to speak, several ISP's (most notably
FIRST members) have put a lot of effort in getting 'IRT' objects in
the RipeDB.

$ whois -h whois.ripe.net -r 194.171.31.0 | egrep '^(inetnum|remarks|mnt-irt):'
inetnum:  194.171.31.0 - 194.171.31.255
remarks:  utilized by 802.1x authenticated guests utilizing EduRoam
remarks:  see http://www.eduroam.nl/ for more information
remarks:  in case of abuse: [EMAIL PROTECTED] and [EMAIL PROTECTED]
mnt-irt:  irt-SURFnet-CERT

That IRT object (I believe there were efforts underway for a similar
system in the ARINdb, but I haven't followed it for over a year :( )
is an object to identify the "Incident Response Team" which can be
contacted regarding certain blocks of space.

$ whois -h whois.ripe.net -r irt-SURFnet-CERT | egrep 
'^(irt|signature|encryption|remarks|mnt-by):'
irt:  irt-SURFNET-CERT
signature:PGPKEY-A6D57ECE
encryption:   PGPKEY-A6D57ECE
remarks:  SURFNET-CERT is the Computer Emergency
remarks:  Response Team of SURFnet
remarks:  This is a TI accredited CSIRT
remarks:  (see http://www.ti.terena.nl/teams/level2.html)
mnt-by:   TRUSTED-INTRODUCER-MNT

More information can be found in Google, or on the FAQ by Jan Meijer:
http://www.surfnetters.nl/meijer/tf-csirt/irt-object-faq.html

> We have tech support on duty 24/7 and abuse complaints are dealt
> with in a timely manner, so I am wondering if there is a way to
> communicate our willingness to help in the fight against spam.

Replace spam with abuse and you have something like the IRT object. ;D

No doubt someone on NANOG knows what's happening with the ARIN version ;)
(or if there will be one, if people want it, etc.)

Regards,
JP Velders


The power of default configurations

2005-04-06 Thread Sean Donelan

On Mon, 4 Apr 2005, Paul Vixie wrote:
> adding more.  oh and as long as you're considering whether to restrict
> things to your LAN/campus/ISP, i'm ready to see rfc1918 filters deployed...

Why does BIND forward lookups for RFC1918 addresses by default?  Why isn't
the default not to forward RFC1918 addresses (and martian addresses).  If
a sysadmin is using BIND in a local network which uses RFC1918 address,
those sysdmins can change their configuration?




ping from the arone armies list

2005-04-06 Thread Gadi Evron
Okay, we have slowly expanded our monthly reports to include more 
details. From what vendors actually do something about the problem, 
their success rates, numbers, etc.

We intend to release more information in the future.
This is a ping, to see what kind of other information you'd like to see.
We'd appreciate your input.
	Gadi Evron.


Re: Spam (un)blocking

2005-04-06 Thread Larry Smith

On Wednesday 06 April 2005 13:54, Adam Jacob Muller wrote:
> Hi,
> I'm a network operator at a small hosting company that has about a /20
> slice of IP addresses. Recently we have suffered a few break-ins (and
> some fraud) which caused a large quantity of spam to find it's way onto
> the internet.
> This has resulted in some of our network space being listed in several
> DNS blacklists, and being blacklisted by individual ISPs.
> So my question is this.
> Firstly, what is the best way to remove myself from each of these
> blacklists, if there is anything aside from going to each one
> individually and saying "i'm not spamming anymore".
> Second, is there some way to mark my block of addresses is owned by
> responsible responsive system administrators.
> We have tech support on duty 24/7 and abuse complaints are dealt with
> in a timely manner, so I am wondering if there is a way to communicate
> our willingness to help in the fight against spam.
>
>
> Thanks,
> Adam Jacob Muller

Adam,

  As JD already mentioned, many will most probably go away within a few days 
if there is not other "spam" from the IP space to keep the entry active.  
Quite a few have web space, so if you know the BL that is blocking, you might 
look and see if there are "remove" instructions/capability.

Only other thing I can think of would be to register your domain(s) with 
abuse.net.  Personally that is one of the first places I check domains 
against (if they have a "valid" abuse address) then I report first and block 
second or third. (meaning if the spam continues after reporting)...

-- 
Larry Smith
SysAd ECSIS.NET
[EMAIL PROTECTED]




Re: Spam (un)blocking

2005-04-06 Thread J.D. Falk

On 04/06/05, Adam Jacob Muller <[EMAIL PROTECTED]> wrote: 

> Firstly, what is the best way to remove myself from each of these 
> blacklists, if there is anything aside from going to each one 
> individually and saying "i'm not spamming anymore".

Right now, that's about it -- but many folks only do temporary
blocking based on recent traffic patterns, so you can also just 
wait a few days and I bet some of the problem will go away.

> Second, is there some way to mark my block of addresses is owned by 
> responsible responsive system administrators.

If there was, the spammers would be the first to adopt it.

> We have tech support on duty 24/7 and abuse complaints are dealt with 
> in a timely manner, so I am wondering if there is a way to communicate 
> our willingness to help in the fight against spam.

http://www.maawg.org/ is probably the best industry group
focused on these issues right now.

-- 
J.D. Falk   As a carpenter bends the seat of a chariot
<[EMAIL PROTECTED]>I bend this frenzy round my heart.


Spam (un)blocking

2005-04-06 Thread Adam Jacob Muller
Hi,
I'm a network operator at a small hosting company that has about a /20 
slice of IP addresses. Recently we have suffered a few break-ins (and 
some fraud) which caused a large quantity of spam to find it's way onto 
the internet.
This has resulted in some of our network space being listed in several 
DNS blacklists, and being blacklisted by individual ISPs.
So my question is this.
Firstly, what is the best way to remove myself from each of these 
blacklists, if there is anything aside from going to each one 
individually and saying "i'm not spamming anymore".
Second, is there some way to mark my block of addresses is owned by 
responsible responsive system administrators.
We have tech support on duty 24/7 and abuse complaints are dealt with 
in a timely manner, so I am wondering if there is a way to communicate 
our willingness to help in the fight against spam.

Thanks,
Adam Jacob Muller


Cisco Security Advisory: Vulnerabilities in Cisco IOS Secure Shell Server

2005-04-06 Thread Cisco Systems Product Security Incident Response Team

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Cisco Security Advisory:
===
Vulnerabilities in Cisco IOS Secure Shell Server


Revision 1.0

For Public Release 2005 April 06 1600 UTC (GMT)

- ---

Contents


Summary
Affected Products
Details
Impact
Software Versions and Fixes
Obtaining Fixed Software
Workarounds
Exploitation and Public Announcements
Status of This Notice: FINAL
Distribution
Revision History
Cisco Security Procedures

- ---

Summary
===

Certain release trains of Cisco Internetwork Operating System (IOS),
when configured to use the IOS Secure Shell (SSH) server in combination
with Terminal Access Controller Access Control System Plus (TACACS+) as
a means to perform remote management tasks on IOS devices, may contain
two vulnerabilities that can potentially cause IOS devices to exhaust
resources and reload. Repeated exploitation of these vulnerabilities
can result in a Denial of Service (DoS) condition. Use of SSH with
Remote Authentication Dial In User Service (RADIUS) is not affected by
these vulnerabilities.

Cisco has made free software available to address these vulnerabilities
for all affected customers. There are workarounds available to mitigate
the effects of the vulnerability (see the Workarounds section.)

This advisory will be posted at
http://www.cisco.com/warp/public/707/cisco-sa-20050406-ssh.shtml.

Affected Products
=

Vulnerable Products
+--

These issues affect any Cisco device running an unfixed version of
Cisco IOS that supports, and is configured to use, the SSH server
functionality.

To determine the software running on a Cisco product, log in to the
device and issue the show version command to display the system banner.
Cisco IOS Software will identify itself as "Internetwork Operating
System Software" or simply "IOS." The image name will be displayed
between parentheses shortly after this identification (possibly in the
next line), followed by "Version" and the IOS release name. Other Cisco
devices will not have the show version command or will give different
output.

The following example identifies a Cisco device running IOS release
12.2(15)T14 (release train label "12.2T") with an installed image name
of C806-K9OSY6-M:

Router1>show version
Cisco Internetwork Operating System Software
IOS (tm) C806 Software (C806-K9OSY6-M), Version 12.2(15)T14, RELEASE 
SOFTWARE (fc4)
[...]


The next example shows a device running IOS release 12.3(10) (release
train label "12.3 mainline") with an image name of C2600-IK9OS3-M:

Router2>show version
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.3(10), RELEASE 
SOFTWARE (fc3)
[...]


Additional information about Cisco IOS release naming can be found at
http://www.cisco.com/warp/public/620/1.html.

SSH protocol was introduced in the following IOS release trains:

  * IOS 12.0S (SSH version 1)
  * IOS 12.1T (SSH version 1)
  * IOS 12.2 (SSH version 1)
  * IOS 12.2T (SSH version 1)
  * IOS 12.3T (SSH version 2)

To determine if the IOS image that your IOS device is running supports
the server side of the SSH protocol, whether it is enabled (if
supported), and the SSH protocol version being used (if SSH is
supported and enabled), use the show ip ssh command in global mode:

Router>show ip ssh
SSH Enabled - version 1.5
Authentication timeout: 120 secs; Authentication retries: 3


The previous output shows that SSH is enabled on this device and that
the SSH protocol major version that is being supported is 1. Possible
values for the SSH protocol version reported by IOS are:

  * 1.5: only SSH protocol version 1 is enabled.
  * 1.99: SSH protocol version 2 with SSH protocol version 1
compatibility enabled.
  * 2.0: only SSH protocol version 2 is enabled.

For more information about SSH versions in IOS, please check the
following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_7/gt_ssh2.htm.

Note:  SSH protocol versions 1 and 2 cannot interoperate. An SSH server
usually knows how to handle connections from clients using either version
of the protocol, but in most cases the server has to be explicitly
configured to do this. The latest revision of protocol version 1 is
"1.5", which is documented in a now expired Internet Engineering Task
Force (IETF) draft.

The show ip ssh command was introduced in IOS release 12.1(1)T. If this
command is not available then the IOS image in use does not have SSH
server support and therefore it is not vulnerable to the issues
discussed in this advisory.
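As an added example that is not part of the advisory, the following Python parses the two command outputs described above (the show version banner and show ip ssh) and turns them into the triage verdict the advisory's checks lead to. The sample output is constructed from the advisory's own examples, and the comparison against the fixed-software table is left to the reader because that table is outside this section.

```python
import re

# Constructed sample output modelled on the advisory's examples (not from a real device).
SHOW_VERSION = """Router1>show version
Cisco Internetwork Operating System Software
IOS (tm) C806 Software (C806-K9OSY6-M), Version 12.2(15)T14, RELEASE
SOFTWARE (fc4)
"""
SHOW_IP_SSH = """Router1>show ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
"""
# Meaning of the version string printed by show ip ssh, from the advisory.
SSH_VERSION_MEANING = {
    "1.5": "only SSH protocol version 1 is enabled",
    "1.99": "SSH protocol version 2 with SSH protocol version 1 compatibility",
    "2.0": "only SSH protocol version 2 is enabled",
}
# Image name in parentheses, then "Version" and the release (\s+ also spans a line wrap).
BANNER_RE = re.compile(r"\((?P<image>[A-Z0-9-]+)\),\s*Version\s+(?P<release>\S+),")
RELEASE_RE = re.compile(r"^(?P<major>\d+\.\d+)\(\d+\)(?P<train>[A-Z]+)?")
SSH_RE = re.compile(r"^SSH (?P<state>Enabled|Disabled) - version (?P<ver>[\d.]+)", re.M)

def parse_show_version(text):
    """Return (image_name, release), or None if the banner does not identify IOS."""
    m = BANNER_RE.search(text) if re.search(r"IOS|Internetwork Operating System", text) else None
    return (m.group("image"), m.group("release")) if m else None

def release_train(release):
    """'12.2(15)T14' -> '12.2T'; '12.3(10)' -> '12.3 mainline' (advisory labels)."""
    m = RELEASE_RE.match(release)
    return m.group("major") + (m.group("train") or " mainline") if m else None

def parse_show_ip_ssh(text):
    """(enabled, version), or None when no SSH status line exists (no SSH server support)."""
    m = SSH_RE.search(text)
    return (m.group("state") == "Enabled", m.group("ver")) if m else None

def ssh_triage(show_version, show_ip_ssh):
    """Combine both outputs into the verdict the advisory's checks lead to."""
    ver, ssh = parse_show_version(show_version), parse_show_ip_ssh(show_ip_ssh)
    if ver is None:
        return "not IOS: not affected by this advisory"
    if ssh is None:
        return "no SSH server support: not vulnerable"
    if not ssh[0]:
        return "SSH server present but not enabled"
    meaning = SSH_VERSION_MEANING.get(ssh[1], f"unrecognised version {ssh[1]}")
    return (f"SSH enabled on {ver[0]} {ver[1]} (train {release_train(ver[1])}): "
            f"{meaning}; compare the release against the fixed-software table")
```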

As you will see in the Details section, the behavio

Cisco Security Advisory: Vulnerabilities in the Internet Key Exchange Xauth Implementation

2005-04-06 Thread Cisco Systems Product Security Incident Response Team

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Cisco Security Advisory: 

Vulnerabilities in the Internet Key Exchange Xauth Implementation
=================================================================

Revision 1.0

For Public Release 2005 April 6 1600 UTC

- ---------------------------------------------------------------------

Contents

Summary
Affected Products
Details
Impact
Software Versions and Fixes
Obtaining Fixed Software
Workarounds
Exploitation and Public Announcements
Status of This Notice: FINAL
Distribution
Revision History
Cisco Security Procedures

- ---------------------------------------------------------------------

Summary
===

Cisco Internetwork Operating System (IOS) Software release trains 12.2T, 12.3
and 12.3T may contain vulnerabilities in processing certain Internet Key
Exchange (IKE) Xauth messages when configured to be an Easy VPN Server.

Successful exploitation of these vulnerabilities may permit an unauthorized
user to complete authentication and potentially access network resources.

This advisory will be posted to 
http://www.cisco.com/warp/public/707/cisco-sa-20050406-xauth.shtml

Cisco has made free software available to address this vulnerability for
affected customers.

Affected Products
=

Vulnerable Products
+------------------

This issue affects all Cisco devices running any unfixed version of Cisco IOS
that supports, and is configured for, Cisco Easy VPN Server Xauth version 6
authentication.

A Cisco device running Easy VPN Server and configured for Xauth authentication
will have the following line in the configuration:

  crypto map <map-name> client authentication list <list-name>

The Easy VPN Server XAUTH feature may also be enabled underneath an ISAKMP
profile via a configuration similar to:

  crypto isakmp profile <profile-name>
     match identity group <group-name>
     client authentication list <list-name>
     isakmp authentication list <list-name>
     client configuration address respond
     qos-group 2

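An added example, not part of the advisory: a small Python check that scans a saved running-config for the two Xauth configurations shown above, the top-level crypto map line and the client authentication list sub-command of an ISAKMP profile. The sample config and its names (VPNMAP, REMOTE-USERS, SITE-TO-SITE, USER-AUTH, RSA-AUTH, DYNMAP) are constructed.

```python
import re

# Constructed running-config excerpt (not from a real device) with both forms
# the advisory lists, plus a profile and a crypto map entry without Xauth.
SAMPLE_CONFIG = """\
crypto isakmp profile REMOTE-USERS
   match identity group REMOTE-GROUP
   client authentication list USER-AUTH
   isakmp authentication list RSA-AUTH
   client configuration address respond
   qos-group 2
!
crypto isakmp profile SITE-TO-SITE
   isakmp authentication list RSA-AUTH
!
crypto map VPNMAP client authentication list USER-AUTH
crypto map VPNMAP 10 ipsec-isakmp dynamic DYNMAP
"""

# Top-level form: crypto map <map-name> client authentication list <list-name>
CRYPTO_MAP_RE = re.compile(r"^crypto map (\S+) client authentication list (\S+)\s*$")
PROFILE_RE = re.compile(r"^crypto isakmp profile (\S+)\s*$")
# Indented sub-command that turns on Xauth inside an ISAKMP profile.
PROFILE_XAUTH_RE = re.compile(r"^\s+client authentication list (\S+)\s*$")

def find_xauth_config(config):
    """Return (kind, name, list_name) for each place Easy VPN Server Xauth is on.
    IOS scopes indented lines to the preceding top-level command, so track the profile."""
    findings, profile = [], None
    for line in config.splitlines():
        if not line.startswith(" "):          # any top-level line ends the current block
            profile = None
            m = PROFILE_RE.match(line)
            if m:
                profile = m.group(1)
                continue
            m = CRYPTO_MAP_RE.match(line)
            if m:
                findings.append(("crypto map", m.group(1), m.group(2)))
        elif profile:
            m = PROFILE_XAUTH_RE.match(line)
            if m:
                findings.append(("isakmp profile", profile, m.group(1)))
    return findings

def xauth_verdict(config):
    """Apply the advisory's rule: only devices actually configured for Xauth are affected."""
    hits = find_xauth_config(config)
    if not hits:
        return "Easy VPN Server Xauth not configured: not affected"
    where = "; ".join(f"{k} {n} (list {l})" for k, n, l in hits)
    return f"Xauth enabled via {where}: check the release against the fixed-software table"
```
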
To determine the software running on a Cisco product, log in to the device and
issue the 'show version' command to display the system banner. Cisco IOS
Software will identify itself as "Internetwork Operating System Software" or
simply "IOS." On the next line of output, the image name will be displayed
between parentheses, followed by "Version" and the IOS release name. Other
Cisco devices will not have the show version command or will give different
output.

The following example identifies a Cisco product running IOS release 12.3(6)
with an installed image name of C3640-I-M:

   Cisco Internetwork Operating System Software
   IOS (tm) 3600 Software (C3640-I-M), Version 12.3(6), RELEASE SOFTWARE (fc3)

The next example shows a product running IOS release 12.3(11)T3 with an image
name of C3845-ADVIPSERVICESK9-M:

   Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M), Version 
12.3(11)T3, RELEASE SOFTWARE (fc4)
   Technical Support: http://www.cisco.com/techsupport
   Copyright (c) 1986-2005 by Cisco Systems, Inc.

Additional information about Cisco IOS release naming can be found at 
http://www.cisco.com/warp/public/620/1.html.

Cisco Easy VPN Server is an IOS-only feature. Devices that do not run IOS are
not vulnerable.

No other Cisco products are currently known to be affected by these
vulnerabilities.

Details
===

IPSec is a framework of open standards that provides data confidentiality, data
integrity, and data authentication between participating peers. IPSec provides
these security services at the IP layer allowing for data to be transmitted
across a public network without fear of observation, modification, or spoofing,
thus enabling applications such as Virtual Private Networks (VPNs). IPSec uses
the Internet Key Exchange (IKE) protocol to provide authentication of the IPSec
peers, negotiate IPSec security associations (SA), and establish IPSec keys.

Extended Authentication (XAUTH) is an extension to IKE defined in an expired
Internet Engineering Task Force (IETF) Internet Draft,
draft-ietf-ipsec-isakmp-xauth-06.txt, which allows for organizations to utilize
existing legacy authentication methods in order to manage remote access.

Successful VPN establishment consists of two levels of SAs, known as phases.
Phase 1 authentication establishes session keys. Using the Xauth feature, the
client waits for a "username/password" challenge after the IKE Phase 1 SA has
been established. When the end user responds to the challenge, the response is
forwarded to the IPsec peers for an additional level of authentication.

The Cisco IOS Easy VPN Server feature introduced in IOS 12.2(8)T allows an IOS
device to act as a VPN concentrator, providing authentication and encrypted
access to network resources.

To determine if Cisco's Easy VPN Server XAUTH feature is enabled, check the
device's configuration

Re: rack-mount tool drawers/chests?

2005-04-06 Thread Brandon Butterworth

Depends on your choice of tools but these are handy -

http://www.canford.co.uk/commerce/resources/catdetails/2458.pdf
http://www.canford.co.uk/commerce/resources/catdetails/2457.pdf
http://www.canford.co.uk/commerce/resources/catdetails/2628.pdf



Re: rack-mount tool drawers/chests?

2005-04-06 Thread Dan Armstrong
http://www.middleatlantic.com/

Eric A. Hall wrote:
anybody recommend any 19" rackmount tool drawers or chests? like, a
Snap-On red metal tool chest with locking drawers and such? I've looked
around but can't find anything, although I'm probably not looking in the
right places.
thanks




RE: rack-mount tool drawers/chests?

2005-04-06 Thread Mark Borchers

> anybody recommend any 19" rackmount tool drawers or chests? like, a
> Snap-On red metal tool chest with locking drawers and such? 
> I've looked
> around but can't find anything, although I'm probably not 
> looking in the
> right places.
> 
Chatsworth has some accessories that might suit your requirement.
For example:
http://www.chatsworth.com/catalog/section2/sec2pgQ.asp




rack-mount tool drawers/chests?

2005-04-06 Thread Eric A. Hall


anybody recommend any 19" rackmount tool drawers or chests? like, a
Snap-On red metal tool chest with locking drawers and such? I've looked
around but can't find anything, although I'm probably not looking in the
right places.

thanks

-- 
Eric A. Hall                 http://www.ehsco.com/
Internet Core Protocols      http://www.oreilly.com/catalog/coreprot/


Re: RIPE50: Peering BoF

2005-04-06 Thread Elmar K. Bins

Hi Cara,

> Since quite a few of you are also attending the RIPE meetings Susan
> thought it would be a good idea for me to mention that a (European)
> Peering BoF will take place in Stockholm at RIPE50 on Sunday 1st May
> 2005 and from 18.00 to around 21.00. 

Unfortunately for me, this comes a little late. I'll join the mob
on Monday. Have fun discussing peerings and remember to announce
earlier next time.

Elmar.




Keeping up with daylight savings time, datacenter style

2005-04-06 Thread Bill Woodcock

http://www.inovadisplays.com/clocks/poe.php
-Bill