Re: SPF Loses Mindshare?

2005-08-02 Thread John Levine

>There's an article by John Levine (SUBJ: line is the title)
>over on CircleID that might be interesting to some folks in the
>e-mail authentication jihad:
>
>http://www.circleid.com/article/1157_0_1_0_C/
>
>For your perusal.

Don't miss the comments from Suresh (the postmaster at Outblaze, who
yanked his SPF records quite a while ago) and Wayne (the deputy high
priest of the SPF cabal who apparently thinks that lots of piddly
little domains publishing SPF records is more important than Earthlink
and Outblaze deleting theirs.)

By the way, CircleID mirrored it from the original in my blog
at http://weblog.taugh.com/

R's,
John


SPF Loses Mindshare?

2005-08-02 Thread Fergie (Paul Ferguson)

I don't want to seed a flaming napalm-laden e-mail exchange
on the list with this, but I figured the folks running
networks who haven't seen this, probably should.

There's an article by John Levine (SUBJ: line is the title)
over on CircleID that might be interesting to some folks in the
e-mail authentication jihad:

http://www.circleid.com/article/1157_0_1_0_C/

For your perusal.

- ferg

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 [EMAIL PROTECTED] or [EMAIL PROTECTED]
 ferg's tech blog: http://fergdawg.blogspot.com/



Telecoms Struggle As FCC e911 Compliance Deadline Nears

2005-08-02 Thread Fergie (Paul Ferguson)

Operationally relevant, methinks.

W. David Gardner writes in TechWeb News:

[snip]

In the race to meet FCC emergency 911 (e911) requirements, two firms log some 
progress, while another seeks a waiver.

Under pressure to meet the FCC mandate to activate 911 service by the end of 
the year, Vonage and Telecommunication Systems (TCS) said Tuesday they will 
send VoIP E911 kits to provide vital communication information to thousands of 
Public Safety Answering Points (PSAPs) beginning in mid-August.

At the same time, Nextel has informed the FCC that it would seek a waiver from 
the FCC mandate that 95 percent of handsets be in compliance with location 
pinpointing regulations by Dec. 31, the Reuters news agency reported Monday. 
Nextel said 70 percent of its customers' phones will be in compliance by the 
deadline, but it could take as much as two more years for the FCC goal to be 
fully met.

[snip]

http://www.techweb.com/wire/networking/167100209

- ferg


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 [EMAIL PROTECTED] or [EMAIL PROTECTED]
 ferg's tech blog: http://fergdawg.blogspot.com/



RE: "Cisco gate" - Payload Versus Vector

2005-08-02 Thread Jim Popovitch

On Tue, 2005-08-02 at 15:29 -0700, Dan Hollis wrote:
> On Tue, 2 Aug 2005, Randy Bush wrote:
> > even without stifling the heap check via crashing_already (i.e. a
> > 'fix' is developed for that weakness), is the 30-60 second window
> > sufficient to do serious operational damage.  i.e. what could an
> > attacker do with a code injection with a mean life as short as
> > 15-30 seconds?
> 
> change the passwords and write to nvram, and come back later?

some more that come to mind as ssh/enable pw changes wouldn't go
unnoticed for too long.

change snmptrap dest
change snmp r/w comstrs (most monitoring would only use r/o comstrs)
change ACLs on snmp access to allow public IPs
change the ip address of the host that is used for tftp boots

lots of things can be done in a 1/10 of the 30-60 second window.

-Jim P.
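An added example (not code from this thread or from Cisco) of the check the list above implies you should be running: a small Python script that diffs a saved golden IOS configuration against the running configuration and reports changes to exactly the lines the message names (SNMP trap destination, community strings, the SNMP access-list, the tftp boot host) plus the enable/username secrets. Both configurations, the hostname, addresses, community strings and hash values are constructed for illustration; the "running" copy contains the four edits the message describes.

```python
"""Detect security-relevant drift in a Cisco IOS configuration.

Added example, not code from the NANOG thread or from Cisco. Both
configurations below are constructed for illustration; the edits in the
"running" copy mirror the list in the message above.
"""
import re
from typing import Dict, List

# Constructed golden (last known good) configuration for a hypothetical router.
GOLDEN_CONFIG = """\
hostname edge-rtr1
boot system tftp c2500-k4p-l.120-21.S1 192.0.2.10
enable secret 5 $1$constructed$notarealhash
username noc privilege 15 secret 5 $1$constructed$notarealhash
snmp-server community r0sTr1ng RO 10
snmp-server host 192.0.2.20 traps n0cTr4ps
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny any
line vty 0 4
 transport input ssh
"""

# Constructed running configuration as it might look after a short-lived
# code injection: new RW community, trap destination moved, SNMP ACL widened,
# tftp boot host pointed at an attacker-controlled address.
RUNNING_CONFIG = """\
hostname edge-rtr1
boot system tftp c2500-k4p-l.120-21.S1 198.51.100.77
enable secret 5 $1$constructed$notarealhash
username noc privilege 15 secret 5 $1$constructed$notarealhash
snmp-server community r0sTr1ng RO 10
snmp-server community pwn3d RW 10
snmp-server host 198.51.100.99 traps n0cTr4ps
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 permit 198.51.100.0 0.0.0.255
access-list 10 deny any
line vty 0 4
 transport input ssh
"""

# Top-level lines whose change hands control of the box to someone else:
# the items in the message above plus the authentication lines.
WATCHED_PREFIXES = (
    "snmp-server host",       # trap destination
    "snmp-server community",  # RO/RW community strings
    "access-list",            # SNMP / vty access control
    "boot system",            # tftp boot image and host
    "enable secret",
    "enable password",
    "username",
)


def watched_lines(config: str) -> List[str]:
    """Return the whitespace-normalised configuration lines worth diffing."""
    lines = []
    for raw in config.splitlines():
        line = " ".join(raw.split())
        if line.startswith(WATCHED_PREFIXES):
            lines.append(line)
    return lines


def config_drift(golden: str, running: str) -> Dict[str, List[str]]:
    """Watched lines present in one config but not the other."""
    g, r = set(watched_lines(golden)), set(watched_lines(running))
    return {"added": sorted(r - g), "removed": sorted(g - r)}


def rw_communities(config: str) -> List[str]:
    """Community strings granted read-write access."""
    pat = re.compile(r"^snmp-server community (\S+) RW\b")
    return [m.group(1) for m in map(pat.match, watched_lines(config)) if m]


def drift_alerts(golden: str, running: str) -> List[str]:
    """Human-readable alerts; an empty list means no watched line changed."""
    drift = config_drift(golden, running)
    alerts = [f"ADDED:   {l}" for l in drift["added"]]
    alerts += [f"REMOVED: {l}" for l in drift["removed"]]
    new_rw = set(rw_communities(running)) - set(rw_communities(golden))
    alerts += [f"NEW RW COMMUNITY: {c}" for c in sorted(new_rw)]
    return alerts


if __name__ == "__main__":
    for alert in drift_alerts(GOLDEN_CONFIG, RUNNING_CONFIG):
        print(alert)
```

Feed it the output of `show running-config` pulled over the out-of-band path on a schedule; a trap destination or boot host that moves to an address outside your management range is worth paging on even when the enable secret is untouched.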





RE: "Cisco gate" - Payload Versus Vector

2005-08-02 Thread Dan Hollis

On Tue, 2 Aug 2005, Randy Bush wrote:
> even without stifling the heap check via crashing_already (i.e. a
> 'fix' is developed for that weakness), is the 30-60 second window
> sufficient to do serious operational damage.  i.e. what could an
> attacker do with a code injection with a mean life as short as
> 15-30 seconds?

change the passwords and write to nvram, and come back later?

-Dan



Re: "Cisco gate" and "Meet the Fed" at Defcon....

2005-08-02 Thread Jeff Rosowski


> > no, but I'd like to... since I'm upgrading and all (for security reasons
> > and ipv6 is so much better for security, right? :) )
>
> It has quality of service, too! Let's not forget that!

I'd be happy with ssh.


RE: "Cisco gate" - Payload Versus Vector

2005-08-02 Thread Randy Bush

very helpful analysis.  some questions:

even without stifling the heap check via crashing_already (i.e. a
'fix' is developed for that weakness), is the 30-60 second window
sufficient to do serious operational damage.  i.e. what could an
attacker do with a code injection with a mean life as short as
15-30 seconds?  that seems a bit short for a direct routing
injection of much worth.  but how about a damping attack (flap the
victim's route enough to cause everyone to damp them), or would
mrai stifle that?  could it be used to cascade to a neighbor?  i
suppose that diverting just the right 15-30 seconds of traffic
could be profitable.

secondly, is there reason not to believe that the attack vectors
might be at layer two, mpls, as well as layer three, ip?  i.e. the
"internet-free core" gambit does not reduce exposure to this one?

> The "bad guys" are discussing the issues and we should think long
> and hard before we muzzle the "good guys".

http://rip.psg.com/~randy/draft-ymbk-obscurity-00.txt is a bit old,
but seems relevant.

randy



RE: "Cisco gate" and "Meet the Fed" at Defcon....

2005-08-02 Thread Randy Bush

> The "nanog problem" was clearly stated.  It had nothing to do with the
> specific discussion, but more that the discussion contained instances
> where folks were being insulting and crude.

then address the insults and crudeness.

randy



Re: "Cisco gate" and "Meet the Fed" at Defcon....

2005-08-02 Thread Randy Bush

> I forget who suggested it

actually, i was first, but others have followed

> but I like the request to move this to cisco-nsp.  Any reason
> that isn't a better place than NANOG at this stage?

i would guess that, if useful discussion is started on cisco-nsp,
that the momentum will move there and attenuate here.  but, imiho,
shutting folk down here first is not a useful social path.

randy



RE: "Cisco gate" and "Meet the Fed" at Defcon....

2005-08-02 Thread trainier

The "nanog problem" was clearly stated.  It had nothing to do with the 
specific discussion, but more that the discussion contained
instances where folks were being insulting and crude. 

Tim Rainier




Randy Bush <[EMAIL PROTECTED]> wrote on 08/02/2005 03:39 PM (to Chris Ranch, cc Bjørn Mork and Christopher L. Morrow, subject RE: "Cisco gate" and "Meet the Fed" at Defcon):

> > But the vulnerability applies for only ipv6-enabled devices...
> > http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml
>
> the general problem is definitely wider than the v6 hole.  i
> believe, but of course could be wrong, that the april fix was a
> bit wider than v6.
>
> the blackhat/nanog problem is that, if we are not allowed to
> discuss these things openly, all is conjecturbation.
>
> randy





RE: "Cisco gate" and "Meet the Fed" at Defcon....

2005-08-02 Thread Randy Bush

> But the vulnerability applies for only ipv6-enabled devices...
> http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml

the general problem is definitely wider than the v6 hole.  i
believe, but of course could be wrong, that the april fix was a
bit wider than v6.

the blackhat/nanog problem is that, if we are not allowed to
discuss these things openly, all is conjecturbation.

randy



RE: "Cisco gate" and "Meet the Fed" at Defcon....

2005-08-02 Thread Randy Bush

>> no, but I'd like to... since I'm upgrading and all (for 
>> security reasons and ipv6 is so much better for security, right? :) )
> ok so your issue is totally irrelevant to the recent "ciscogate"
> paranoia?

see the smiley?

randy



RE: "Cisco gate" and "Meet the Fed" at Defcon....

2005-08-02 Thread Chris Ranch

Hi Randy,

> > I might be wrong, but I thought an image with IPv6 support required
> > 16 MB flash on the 2500?
> 
> could be.  don't care.  don't need ipv6 on terminal servers 
> for oob access.

But the vulnerability applies for only ipv6-enabled devices...  
http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml

Why don't you care?

Chris


Re: "Cisco gate" and "Meet the Fed" at Defcon....

2005-08-02 Thread Randy Bush

> I might be wrong, but I thought an image with IPv6 support required 
> 16 MB flash on the 2500?

could be.  don't care.  don't need ipv6 on terminal servers for oob
access.

> Anyway, the upgrade path is there

not really.

randy



Re: "Cisco gate" and "Meet the Fed" at Defcon....

2005-08-02 Thread Randy Bush

> note image size of 11/12/16 mb... note that many (most?) 2500's don't have
> 16M flash :( many, many referenced before (term servers for instance) are
> 2mb flash boxes. It's possible that Randy's referring to this sort of
> 2500. Kindly using himself for a whipping boy instead of the rest of us
> with 2500 term servers with 2mb flash :) I suspect the same thing goes for
> the 1700's as well in many cases.

bingo!  though i have 8mb in the term server.

randy



Re: "Cisco gate" and "Meet the Fed" at Defcon....

2005-08-02 Thread Randy Bush

> Current remote directory is /cisco.
> ncftp /cisco > dir ios/12.3/12.3.15a/2500/ 
> -rw-rw-r--1 518 11013444   Jul 25 14:50   c2500-c-l.123-15a.bin
> -rw-rw-r--1 518 12303148   Jul 25 15:17   c2500-i-l.123-15a.bin
> -rw-rw-r--1 518 16191744   Jul 25 14:34   c2500-is-l.123-15a.bin
> ncftp /cisco > dir ios/12.3/12.3.15a/1700/
> -rw-rw-r--1 518  9779944   Jul 25 15:03   c1700-bnr2sy7-mz.123-15a.bin
> -rw-rw-r--1 518  9186836   Jul 25 14:56   c1700-entbase-mz.123-15a.bin
> -rw-rw-r--1 518  7758064   Jul 25 14:46   c1700-ipbase-mz.123-15a.bin
> -rw-rw-r--1 518 12504136   Jul 25 14:32   c1700-ipvoice-mz.123-15a.bin
> -rw-rw-r--1 518 10068088   Jul 25 15:05   c1700-sv3y-mz.123-15a.bin
> -rw-rw-r--1 518 12826128   Jul 25 15:05   c1700-sv8y7-mz.123-15a.bin
> -rw-rw-r--1 518  8568756   Jul 25 15:06   c1700-sy7-mz.123-15a.bin
> -rw-rw-r--1 518  6992208   Jul 25 15:13   c1700-y7-mz.123-15a.bin
> -rw-rw-r--1 518  5911432   Jul 25 14:49   c1700-y-mz.123-15a.bin

those of us who are not suicidal need crypto/ssh, e.g. upgrades to

c2500-k4p-l.120-21.S1
c1700-k9sv8y7-mz.122-15.T5.bin

and they have to fit in 8mb flash for 2511s etc.

but perhaps this part of the discussion should move to cisco-nsp?

randy



Re: [Administrivia]: Please end this Thread: RE: "Cisco gate" and "Me et the Fed" at Defcon....

2005-08-02 Thread Daniel Golding


I suspect the problem is not the operation aspects of the discussion, but
rather the nasty and sometimes personal invectives flying around. They were
particularly prevalent in the "Cisco gate" thread, and generally absent in
the other threads.

Just my 2 cents. YMMV

- Dan

On 8/2/05 11:28 AM, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
wrote:

> On Tue, 02 Aug 2005 08:28:58 CDT, "Malayter, Christopher" said:
>> Perhaps Susan was not clear enough yesterday.  The mailing list
>> administrative committee would request that you allow this thread to stop.
>> It has certainly outlived its operational usefulness.  I am now reiterating
>> that request.
> 
> Unfortunately, there's enough places where this touches on operational issues
> (such as getting enough information about a new release of router software so
> you can make informed decisions affecting your customers).  And obviously, a
> number of people think this is an important subject.
> 
> I suspect that adding a "This would be more on-topic/relevant on the XYZ list"
> would help kill it here...
> 
> Any suggestions where it would be more relevant?



Lynn Interview

2005-08-02 Thread Crist Clark


Haven't seen Fergie post this one yet (may have missed it deleting some
of the noise in those threads, though). Wired's interview with Mike Lynn.
His side of the story, timeline, and motives for the rather climactic
ending for what should have been a rather routine Black Hat presentation:

  http://www.wired.com/news/privacy/0,1848,68365,00.html

--
Crist J. Clark   [EMAIL PROTECTED]
Globalstar Communications(408) 933-4387


Re: NETGEAR in the core...

2005-08-02 Thread Andy Davidson

On Sat, Jul 30, 2005 at 09:41:54PM -0400, Robert E.Seastrom wrote:
 > "Cisco 1700 series" or "Cisco 2600XM" would be nice answers if their
 > price had the decimal point moved one place to the left.

Looks like a Cisco 1760 is $1086.65 'on the street' (well, online
actually).

Whereas the Cisco 837 is $448.96 'on the street'.  Supports both NAT and
DMZ interface (if you're running a new enough IOS), access-lists, easy
to administer VPNs; in fact everything that we'd like them to at our 
smaller branch offices...

Sadly not a decimal point shift, but much more affordable.

-a


Re: [Administrivia]: Please end this Thread: RE: "Cisco gate" and "Me et the Fed" at Defcon....

2005-08-02 Thread Jon Lewis


On Tue, 2 Aug 2005 [EMAIL PROTECTED] wrote:

> I suspect that adding a "This would be more on-topic/relevant on the XYZ list"
> would help kill it here...
>
> Any suggestions where it would be more relevant?


how about cisco-nsp?

--
 Jon Lewis   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net| 
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: [Administrivia]: Please end this Thread: RE: "Cisco gate" and "Me et the Fed" at Defcon....

2005-08-02 Thread Valdis . Kletnieks
On Tue, 02 Aug 2005 08:28:58 CDT, "Malayter, Christopher" said:
> Perhaps Susan was not clear enough yesterday.  The mailing list
> administrative committee would request that you allow this thread to stop.
> It has certainly outlived its operational usefulness.  I am now reiterating
> that request.

Unfortunately, there's enough places where this touches on operational issues
(such as getting enough information about a new release of router software so
you can make informed decisions affecting your customers).  And obviously, a
number of people think this is an important subject.

I suspect that adding a "This would be more on-topic/relevant on the XYZ list"
would help kill it here...

Any suggestions where it would be more relevant?




Re: VOIP provider

2005-08-02 Thread Peter Dambier


Shane Owens wrote:

> Not really an operational question, but an engineering question nonetheless.
> This may also not be the most suitable forum, but there is a large brain trust
> here that can probably answer my questions.

Oh, it does. It probably is the only way you get all those ip-phones distributed
all over the globe into working.

> We are looking at a business plan to launch a large VOIP carrier globally.  My
> questions are:
>
> 1: Does it make sense to scatter nodes around the globe to limit latency on
> intraregional calls? If so how many? We were thinking about 7 placed at
> strategic points around the globe.

The Atlantic ocean is a problem. Maybe it is because my ISP throws in an
artificial delay of about 80 msec to keep us from P2P or to sell us a more
expensive rate. Maybe it is the delay or the contention around the "ferry
ports". My forward from

http://www.ipkall.com/

stopped working as soon as my ip-phone moved from New York to Frankfurt.

With traceroute I have seen packets somersaulting in London. The third
packet arrived before the first. So you would need a node in London and
another one in Amsterdam.

DTAG.de has routing problems between Amsterdam and Frankfurt or Darmstadt
so you might need another node in Frankfurt. I don't know about the rest
of Europe. Within Germany nobody noticed a difference between my ISDN and
my Grandstream ATA-486.

Here my traceroute when it routes:

traceroute to p54a7f56f.dip.t-dialin.net (84.167.245.111), 30 hops max, 38 byte packets
 1  gw1.cyberbunker.net (84.22.100.1)  0.949 ms  0.765 ms  0.639 ms
 2  cb-sr1-e0.cb3rob.net (84.22.96.245)  36.322 ms  34.720 ms  37.676 ms
 3  ams-tr2-t0.cb3rob.net (84.22.96.249)  9.817 ms  11.200 ms  13.317 ms
 4  gate1.deltaland.nl (213.201.229.1)  24.710 ms  15.491 ms  14.228 ms
 5  amx-gw2.nl.dtag.de (195.69.145.211)  41.802 ms  12.689 ms  15.209 ms
 6  da-ea1.DA.DE.net.DTAG.DE (62.153.179.54)  22.044 ms  19.521 ms  21.177 ms
 7  217.0.67.97 (217.0.67.97)  20.324 ms  20.462 ms  30.761 ms
 8  p54A7F56F.dip.t-dialin.net (84.167.245.111)  76.950 ms  74.830 ms  73.890 ms

and here when it does not:

traceroute to p54a7f56f.dip.t-dialin.net (84.167.245.111), 30 hops max, 40 byte packets
 1  gw1.cyberbunker.net (84.22.100.1)  0.198 ms   0.186 ms   0.158 ms
 2  cb-sr1-e0.cb3rob.net (84.22.96.245)  115.892 ms   117.430 ms   116.859 ms
 3  ams-tr2-t0.cb3rob.net (84.22.96.249)  44.379 ms   42.748 ms   41.447 ms
 4  gate1.deltaland.nl (213.201.229.1)  40.069 ms   38.394 ms   36.923 ms
 5  amx-gw2.nl.dtag.de (195.69.145.211)  37.144 ms   35.848 ms   35.178 ms
 6  da-ea1.DA.DE.net.DTAG.DE (62.153.179.54)  40.176 ms   38.547 ms   39.933 ms
 7  217.0.67.105  54.372 ms   54.171 ms   52.435 ms
 8  * * *

The problem is DTAG.DE using ip addresses from 84.xxx.xxx.xxx and at the same
time believing them to be bogons.

> 2: Is a softswitch architecture preferred to a proxy server/Media Gateway
> (Vonage) only type architecture?
>
> 3: What protocols should be used for firmware upgrades to ATA devices? We are
> thinking HTTPS or SFTP, or HTTP if those aren't available on selected devices.
> I am trying to stay away from TFTP for security reasons.

TFTP is no problem with linux people running their own server locally. But
never let it be seen from the outside. There are TFTP servers for windows too.

My Grandstream uses TFTP but I have never seen an update.

I guess HTTP to get the software to your customers should do.
HTTPS is fine. Who knows SFTP?

> 4: Anyone have any vendor recommendations? We currently use Metaswitch for our
> Softswitch, but I'm not sure it would be the best choice for a large scale
> deployment although I am going to research it.

They are very popular in Germany. Don't ask me about the other countries:

http://www.avm.de/en/

> 5: Should I work with large wholesalers (L3, GX, etc) or try to penetrate
> markets in some other way?

There are a lot of VoIP providers in Germany. Many of them have their networks
interconnected to offer free calls between the networks. Some providers operate
in more than one European country. It seems like a jungle. Europe is even
more complicated:

There are things like 110 or 112 or some other funny number for emergency calls.

There are geographic phone numbers that must reflect where your ip-phone is
located.

Do you really want to know :)

DTAG AG wants to move all their POTS and ISDN phones to VoIP in the long run
and without any benefit for their customers. Maybe you should talk to them.

> 6: Are there any wholesalers (DID Origination) outside of the US that anyone
> knows of?

Have a look at them:

http://www.united-internet.com/

Maybe they are not a wholesaler but they are moderately big.
They provide both VoIP and ADSL but they still depend on
the DTAG.DE network mostly.

> Sorry to have so many questions.  Many of these I already have ideas on the
> answers however I acknowledge there are far smarter people than myself in the
> world.  So I figure it's a good idea to ask and get opinions

RE: "Cisco gate" and "Meet the Fed" at Defcon....

2005-08-02 Thread Neil J. McRae

So yes then.

> no... not really, not originally, it got morphed into
> something different :( So, the ciscogate paranoia, as near as
> I saw, got down to: "cisco won't tell people about vulns as
> soon as they know about them" (or some version of I don't get
> to know fast enough about vulns from a vendor, while we
> currently bash on cisco)
>
> With that in mind, the example 2500 above is a cisco box,
> running old code because it can't be upgraded to current
> code. Cisco is reluctant to tell folks in public about
> vulnerabilities without there being fixes for the problem in
> as much running code as possible.
> 
> -Chris
> 



[Administrivia]: Please end this Thread: RE: "Cisco gate" and "Me et the Fed" at Defcon....

2005-08-02 Thread Malayter, Christopher

Good Morning,

Perhaps Susan was not clear enough yesterday.  The mailing list
administrative committee would request that you allow this thread to stop.
It has certainly outlived its operational usefulness.  I am now reiterating
that request.

Regards,

Chris Malayter
NANOG Mailing List Administration Team

> -Original Message-
> From: Geo. [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, August 02, 2005 1:10 PM
> To: nanog@merit.edu
> Subject: RE: "Cisco gate" and "Meet the Fed" at Defcon
> 
> 
> 
> >> ok so your issue is totally irrelevant to the recent "ciscogate"
> >> paranoia?
> 
> That would depend on what other exploits cisco has slipstream 
> patched wouldn't it? (honest question as I don't know but it 
> would be nice if cisco would clarify the situation)
> 
> Geo.
> 
> George Roettger
> Netlink Services
> 


Re: NETGEAR in the core...

2005-08-02 Thread Jerry B. Altzman


On 7/31/2005 9:06 AM, Janet Sullivan wrote:

> Does anyone here have experiences to share (good/bad) about m0n0wall on
> soekris devices?

I've used m0n0wall to great effect, and with pleasure, but alas not on a
soekris box -- just on an old dell hanging out in the office. It worked
like a champ.


//jbaltz
--
jerry b. altzman[EMAIL PROTECTED]  KE3ML
thank you for contributing to the heat death of the universe.


RE: "Cisco gate" and "Meet the Fed" at Defcon....

2005-08-02 Thread Geo.

>> ok so your issue is totally irrelevant to the recent "ciscogate"
>> paranoia?

That would depend on what other exploits cisco has slipstream patched
wouldn't it? (honest question as I don't know but it would be nice if cisco
would clarify the situation)

Geo.

George Roettger
Netlink Services



RE: "Cisco gate" and "Meet the Fed" at Defcon....

2005-08-02 Thread Christopher L. Morrow



On Tue, 2 Aug 2005, Neil J. McRae wrote:

>
> > no, but I'd like to... since I'm upgrading and all (for
> > security reasons and ipv6 is so much better for security, right? :) )
>
> ok so your issue is totally irrelevant to the recent "ciscogate"
> paranoia?

no... not really, not originally, it got morphed into something different
:( So, the ciscogate paranoia, as near as I saw, got down to: "cisco won't
tell people about vulns as soon as they know about them" (or some version
of I don't get to know fast enough about vulns from a vendor, while we
currently bash on cisco)

With that in mind, the example 2500 above is a cisco box, running old code
because it can't be upgraded to current code. Cisco is reluctant to tell
folks in public about vulnerabilities without there being fixes for the
problem in as much running code as possible.

-Chris


Re: "Cisco gate" and "Meet the Fed" at Defcon....

2005-08-02 Thread Joe Abley



On 2 Aug 2005, at 08:24, Christopher L. Morrow wrote:

> no, but I'd like to... since I'm upgrading and all (for security reasons
> and ipv6 is so much better for security, right? :) )

It has quality of service, too! Let's not forget that!



RE: "Cisco gate" and "Meet the Fed" at Defcon....

2005-08-02 Thread Neil J. McRae


> no, but I'd like to... since I'm upgrading and all (for 
> security reasons and ipv6 is so much better for security, right? :) )

ok so your issue is totally irrelevant to the recent "ciscogate"
paranoia?

Neil.



RE: "Cisco gate" and "Meet the Fed" at Defcon....

2005-08-02 Thread Christopher L. Morrow


On Tue, 2 Aug 2005, Neil J. McRae wrote:

>
> >
> > cons uptime is 1 week, 10 hours, 42 minutes
> > System restarted by power-on
> > System image file is "flash:igs-i-l.111-9", booted via flash
> >
> > cisco 2511 (68030) processor (revision D) with 2048K/2048K
> > bytes of memory.
> >
> >
> > lather/rinse/repeat... where are the images that fit in my
> > 2501's 2mb ram/2mbflash? (current, non-vulnerable, ipv6 capable even)
>
> So are you running IPV6 code on this box now?

no, but I'd like to... since I'm upgrading and all (for security reasons
and ipv6 is so much better for security, right? :) )


VOIP provider

2005-08-02 Thread Shane Owens

Not really an operational question, but an engineering question nonetheless.
This may also not be the most suitable forum, but there is a large brain trust
here that can probably answer my questions.

We are looking at a business plan to launch a large VOIP carrier globally.  My 
questions are:

1: Does it make sense to scatter nodes around the globe to limit latency on 
intraregional calls? If so how many? We were
thinking about 7 placed at strategic points around the globe.

2: Is a softswitch architecture preferred to a proxy server/Media Gateway 
(Vonage) only type architecture?

3: What protocols should be used for firmware upgrades to ATA devices? We are 
thinking HTTPS or SFTP, or HTTP if those
aren't available on selected devices.  I am trying to stay away from TFTP for 
security reasons.

4: Anyone have any vendor recommendations? We currently use Metaswitch for our 
Softswitch, but I'm not sure it would be
the best choice for a large scale deployment although I am going to research it.

5: Should I work with large wholesalers (L3, GX, etc) or try to penetrate 
markets in some other way?

6: Are there any wholesalers (DID Origination) outside of the US that anyone 
knows of?


Sorry to have so many questions.  Many of these I already have ideas on the 
answers however I acknowledge there are far
smarter people than myself in the world.  So I figure it's a good idea to ask 
and get opinions from others before I make
a final decision.


Shane 
Shaneowensdna-communications.com




Re: Tiscali switches to Public-Root?? What do you think?

2005-08-02 Thread Stephen J. Wilcox


On Mon, 1 Aug 2005, Stephen J. Wilcox wrote:

> 
> On Mon, 1 Aug 2005, Bjørn Mork wrote:
> 
> > The poor guy/gal at the other end of the line will need a really good
> > answer.  Does anyone here have one?
> 
> to avoid being technical i guess the only answer would be to say this is a 
> private service offered to tiscali users and is not available to any non 
> tiscali users (you might want to point out this is 99.9% of the world in case 
> $cust feels like switching)
> 
> > Not to mention the answers we need for the market droids...
> > 
> > "Hey, I heard that Tiscali is offering more Internet than us at no
> > extra cost, and they make a lot of money on it too.  How soon can we
> > start doing the same?"
> 
> tell them you've been able to do it all along, it's your network and you can 
> provide any unique content that you like, providing they understand this is 
> unique for your custs only .. think intranet
> 
> > This puts a lot of pressure on other European ISPs, and eventually also 
> > North American ISPs (to make this on-topic :-) I hope the rest of us can 
> > stand together against it.  A good start would be to come up with a common 
> > response to the two pressure groups outlined above.
> 
> a better worded explanation on a webpage would be good i guess...
> 
> anyway, i'm off to the UNIDT website, i hear '.tiscali' hasn't been 
> registered yet ;p

replying to myself. bad :)

had this pointed out.. these are "official" according to inaic
http://inaic.com/index.php?p=faq006

and resolving "all known tlds" seems a bit of a stretch, i think they've missed 
my '.foobar' tld on my local nameservers..

http://inaic.com/index.php?p=faq014


also for added humour, from the press release
http://inaic.com/index.php?p=tiscali-introduces

following the link: http://home.tiscali/

doesn't seem to work for me, hmm.. not great to have a broken link in a public 
press release ;)

Steve



RE: "Cisco gate" and "Meet the Fed" at Defcon....

2005-08-02 Thread Neil J. McRae

 
> 
> cons uptime is 1 week, 10 hours, 42 minutes
> System restarted by power-on
> System image file is "flash:igs-i-l.111-9", booted via flash
>
> cisco 2511 (68030) processor (revision D) with 2048K/2048K
> bytes of memory.
>
>
> lather/rinse/repeat... where are the images that fit in my
> 2501's 2mb ram/2mbflash? (current, non-vulnerable, ipv6 capable even)

So are you running IPV6 code on this box now?



Re: "Cisco gate" and "Meet the Fed" at Defcon....

2005-08-02 Thread Christopher L. Morrow


On Tue, 2 Aug 2005, Bjørn Mork wrote:

> "Christopher L. Morrow" <[EMAIL PROTECTED]> writes:
> > On Tue, 2 Aug 2005, Bjørn Mork wrote:
> >> Randy Bush <[EMAIL PROTECTED]> writes:
> >>
> >> > fred, seeing as there is not now, and likely never will be fixed
> >> > versions for many of our routers (25xx, 17xx, ..., and i can't
> >>
> >> No?
> >>
> >> Logged in to ftp.cisco.com.
> >> Current remote directory is /cisco.
> >> ncftp /cisco > dir ios/12.3/12.3.15a/2500/
> >> -rw-rw-r--1 518  1 11013444   Jul 25 14:50   c2500-c-l.123-15a.bin
> >> -rw-rw-r--1 518  1 12303148   Jul 25 15:17   c2500-i-l.123-15a.bin
> >> -rw-rw-r--1 518  1 16191744   Jul 25 14:34   c2500-is-l.123-15a.bin
> >
> > note image size of 11/12/16 mb... note that many (most?) 2500's don't have
> > 16M flash :( many, many referenced before (term servers for instance) are
> > 2mb flash boxes. It's possible that Randy's referring to this sort of
> > 2500.
>
> I might be wrong, but I thought an image with IPv6 support required
> 16 MB flash on the 2500?  Anyway, the upgrade path is there although

and in order to get 30k devices (more actually) upgraded I'll have to
spend 30k+X dollars? I'm fairly certain that's not going to happen. This
gets back to 2 things:
1) no (practical) upgrade path under security vulnerabilities (hence
reluctance of vendors to release info without fix)
2) possibly unhappy customers and vulnerabilities silently fixed in other
code trains.

Oh well...


RE: "Cisco gate" and "Meet the Fed" at Defcon....

2005-08-02 Thread Christopher L. Morrow


On Tue, 2 Aug 2005, Neil J. McRae wrote:

>
> > note image size of 11/12/16 mb... note that many (most?)
> > 2500's don't have 16M flash :( many, many referenced before
> > (term servers for instance) are 2mb flash boxes. It's
> > possible that Randy's referring to this sort of 2500. Kindly
> > using himself for a whipping boy instead of the rest of us
> > with 2500 term servers with 2mb flash :) I suspect the same
> > thing goes for the 1700's as well in many cases.
>
> IIRC the 2500 has an end of support date of 2009 so I expect images
> to be available.

cons uptime is 1 week, 10 hours, 42 minutes
System restarted by power-on
System image file is "flash:igs-i-l.111-9", booted via flash

cisco 2511 (68030) processor (revision D) with 2048K/2048K bytes of
memory.


lather/rinse/repeat... where are the images that fit in my 2501's 2mb
ram/2mbflash? (current, non-vulnerable, ipv6 capable even)


RIPE NCC to begin allocating from new IPv4 range

2005-08-02 Thread leo vegoda


Dear Colleagues,

This announcement is being sent to multiple lists. I apologise for  
duplicates.


The RIPE NCC received the IPv4 address range 89.0.0.0 -  
91.255.255.255 (89.0.0.0/8 and 90.0.0.0/7) from the IANA in June  
2005. We expect to start making allocations from this range in the  
near future.


We have started announcing two prefixes from each /8, which originate  
in AS12654. They are:


89.192.0.0/16
89.255.248.0/21
90.192.0.0/16
90.255.248.0/21
91.192.0.0/16
91.255.248.0/21

Details of target names and addresses, reachability tools and other  
information are available on our web site at:


http://www.ris.ripe.net/debogon/debogon.html

You may want to update any filters you have in place.

Kind regards,

--
leo vegoda
Registration Services Manager
RIPE NCC
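An added example, not code from the RIPE NCC or from the thread, of the filter update the announcement asks for, which also covers the symptom Peter Dambier describes in the VoIP thread above (DTAG using 84.x addresses while treating them as bogons): a Python script that checks a bogon filter against newly allocated space, lists the entries that have gone stale, and confirms that the six debogon prefixes would pass once those entries are dropped. The bogon filter list and the "newly allocated" list are constructed for this example; the six test prefixes and AS12654 are taken from the announcement.

```python
"""Find bogon-filter entries made stale by new allocations.

Added example, not code from the RIPE NCC announcement or the thread. The
filter list is constructed; the six prefixes are the ones the announcement
names, and 84.0.0.0/8 stands in for the entry the VoIP thread blames for
dropping traffic.
"""
import ipaddress
from typing import List

# Constructed bogon filter as an operator might still carry it: legitimate
# never-route entries mixed with /8s that have since been handed to RIRs.
STALE_BOGON_FILTER = [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
    "84.0.0.0/8",                # in live use per the VoIP thread; still filtered here
    "89.0.0.0/8", "90.0.0.0/7",  # the range in the announcement above
]

# Space now allocated that a filter must not cover: the June 2005 RIPE NCC
# range from the announcement, plus 84/8 for the DTAG symptom in the thread.
NEWLY_ALLOCATED = ["84.0.0.0/8", "89.0.0.0/8", "90.0.0.0/7"]

# Debogon prefixes the announcement says are originated from AS12654.
RIPE_DEBOGON_PREFIXES = [
    "89.192.0.0/16", "89.255.248.0/21", "90.192.0.0/16",
    "90.255.248.0/21", "91.192.0.0/16", "91.255.248.0/21",
]


def stale_entries(filter_list: List[str], allocated: List[str]) -> List[str]:
    """Filter entries that overlap space now allocated (these must go)."""
    alloc = [ipaddress.ip_network(a) for a in allocated]
    return [e for e in filter_list
            if any(ipaddress.ip_network(e).overlaps(a) for a in alloc)]


def updated_filter(filter_list: List[str], allocated: List[str]) -> List[str]:
    """The filter with stale entries dropped, original order preserved."""
    stale = set(stale_entries(filter_list, allocated))
    return [e for e in filter_list if e not in stale]


def blocking_entries(filter_list: List[str], prefix: str) -> List[str]:
    """Entries that would reject an announcement of `prefix` outright."""
    p = ipaddress.ip_network(prefix)
    return [e for e in filter_list if p.subnet_of(ipaddress.ip_network(e))]


def would_drop(filter_list: List[str], address: str) -> bool:
    """True if packets to or from `address` are discarded by this filter."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(e) for e in filter_list)


if __name__ == "__main__":
    print("stale entries:", stale_entries(STALE_BOGON_FILTER, NEWLY_ALLOCATED))
    for pfx in RIPE_DEBOGON_PREFIXES:
        print(pfx, "blocked by", blocking_entries(STALE_BOGON_FILTER, pfx))
    fixed = updated_filter(STALE_BOGON_FILTER, NEWLY_ALLOCATED)
    print("84.167.245.111 dropped after update:",
          would_drop(fixed, "84.167.245.111"))
```

Run it against whatever prefix-list or ACL your routers actually load, with the allocated list taken from the RIR announcements rather than typed in by hand; the point of the debogon prefixes is that you can also test reachability to them from the edge after the change.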



Re: "Cisco gate" and "Meet the Fed" at Defcon....

2005-08-02 Thread Bjørn Mork

"Christopher L. Morrow" <[EMAIL PROTECTED]> writes:
> On Tue, 2 Aug 2005, Bjørn Mork wrote:
>> Randy Bush <[EMAIL PROTECTED]> writes:
>>
>> > fred, seeing as there is not now, and likely never will be fixed
>> > versions for many of our routers (25xx, 17xx, ..., and i can't
>>
>> No?
>>
>> Logged in to ftp.cisco.com.
>> Current remote directory is /cisco.
>> ncftp /cisco > dir ios/12.3/12.3.15a/2500/
>> -rw-rw-r--1 518  1 11013444   Jul 25 14:50   c2500-c-l.123-15a.bin
>> -rw-rw-r--1 518  1 12303148   Jul 25 15:17   c2500-i-l.123-15a.bin
>> -rw-rw-r--1 518  1 16191744   Jul 25 14:34   c2500-is-l.123-15a.bin
>
> note image size of 11/12/16 mb... note that many (most?) 2500's don't have
> 16M flash :( many, many referenced before (term servers for instance) are
> 2mb flash boxes. It's possible that Randy's referring to this sort of
> 2500. 

I might be wrong, but I thought an image with IPv6 support required 
16 MB flash on the 2500?  Anyway, the upgrade path is there although
it may include a flash (and possibly boot prom) upgrade. 


Bjørn


RE: "Cisco gate" and "Meet the Fed" at Defcon....

2005-08-02 Thread Neil J. McRae


> note image size of 11/12/16 mb... note that many (most?) 
> 2500's don't have 16M flash :( many, many referenced before 
> (term servers for instance) are 2mb flash boxes. It's 
> possible that Randy's referring to this sort of 2500. Kindly 
> using himself for a whipping boy instead of the rest of us 
> with 2500 term servers with 2mb flash :) I suspect the same 
> thing goes for the 1700's as well in many cases.

IIRC the 2500 has an end of support date of 2009 so I expect images
to be available. 


Regards,
Neil.



Re: "Cisco gate" and "Meet the Fed" at Defcon....

2005-08-02 Thread Christopher L. Morrow


On Tue, 2 Aug 2005, Bjørn Mork wrote:

>
> Randy Bush <[EMAIL PROTECTED]> writes:
>
> > fred, seeing as there is not now, and likely never will be fixed
> > versions for many of our routers (25xx, 17xx, ..., and i can't
>
> No?
>
> Logged in to ftp.cisco.com.
> Current remote directory is /cisco.
> ncftp /cisco > dir ios/12.3/12.3.15a/2500/
> -rw-rw-r--1 518  1 11013444   Jul 25 14:50   c2500-c-l.123-15a.bin
> -rw-rw-r--1 518  1 12303148   Jul 25 15:17   c2500-i-l.123-15a.bin
> -rw-rw-r--1 518  1 16191744   Jul 25 14:34   c2500-is-l.123-15a.bin

note image size of 11/12/16 mb... note that many (most?) 2500's don't have
16M flash :( many, many referenced before (term servers for instance) are
2mb flash boxes. It's possible that Randy's referring to this sort of
2500. Kindly using himself for a whipping boy instead of the rest of us
with 2500 term servers with 2mb flash :) I suspect the same thing goes for
the 1700's as well in many cases.


Re: "Cisco gate" and "Meet the Fed" at Defcon....

2005-08-02 Thread Bjørn Mork

Randy Bush <[EMAIL PROTECTED]> writes:

> fred, seeing as there is not now, and likely never will be fixed
> versions for many of our routers (25xx, 17xx, ..., and i can't

No?

Logged in to ftp.cisco.com.
Current remote directory is /cisco.
ncftp /cisco > dir ios/12.3/12.3.15a/2500/
-rw-rw-r--1 518  1 11013444   Jul 25 14:50   c2500-c-l.123-15a.bin
-rw-rw-r--1 518  1 12303148   Jul 25 15:17   c2500-i-l.123-15a.bin
-rw-rw-r--1 518  1 16191744   Jul 25 14:34   c2500-is-l.123-15a.bin
ncftp /cisco > dir ios/12.3/12.3.15a/1700/
-rw-rw-r--1 518  1  9779944   Jul 25 15:03   c1700-bnr2sy7-mz.123-15a.bin
-rw-rw-r--1 518  1  9186836   Jul 25 14:56   c1700-entbase-mz.123-15a.bin
-rw-rw-r--1 518  1  7758064   Jul 25 14:46   c1700-ipbase-mz.123-15a.bin
-rw-rw-r--1 518  1 12504136   Jul 25 14:32   c1700-ipvoice-mz.123-15a.bin
-rw-rw-r--1 518  1 10068088   Jul 25 15:05   c1700-sv3y-mz.123-15a.bin
-rw-rw-r--1 518  1 12826128   Jul 25 15:05   c1700-sv8y7-mz.123-15a.bin
-rw-rw-r--1 518  1  8568756   Jul 25 15:06   c1700-sy7-mz.123-15a.bin
-rw-rw-r--1 518  1  6992208   Jul 25 15:13   c1700-y7-mz.123-15a.bin
-rw-rw-r--1 518  1  5911432   Jul 25 14:49   c1700-y-mz.123-15a.bin


Bjørn