Re: LA power outage?

2005-09-13 Thread Hank Nussbacher


At 02:08 AM 14-09-05 +, [EMAIL PROTECTED] wrote:

And reported Oct 2004:


-Hank







Re: mail service with no mx (was - Re: Computer systems blamed for feeble hurricane response?)

2005-09-13 Thread Dave Crocker






>> Application layer firewalls have existed for at least 6 years.
>
> Make that 15


I suspect that claiming that they existed farther back than 1990 would 
require careful debate about the functionality.


Taking it at its most general: a boundary barrier service that mediated 
particular application exchanges between an "interior" Administrative 
Environment, versus the rest of the public network.  One can reasonably argue 
that any such mediation has a security component to it.


Therefore one could argue that firewall functionality was around at least 25 
years ago -- there were a number of email boundary gateway mediating services 
by then -- and very probably back to 1973.  (I just know that some MIT type is 
going to claim pre-1970, given the generality of the definition I offered.)


d/
--

 Dave Crocker
 Brandenburg InternetWorking
 +1.408.246.8253
 dcrocker  a t ...
 WE'VE MOVED to:  www.bbiw.net


Re: Multi-6 [WAS: OT - Vint Cerf joins Google]

2005-09-13 Thread Jason Schiller


on Sat Sep 10 03:39:59 2005 Christopher L. Morrow writes


> On Sat, 10 Sep 2005, Patrick W. Gilmore wrote:
>
>> [Perhaps this thread should migrate to Multi6?]
>
> perhaps... then jason can argue this instead of me :)



The most basic question is if there will be a problem if we solve the 
multihoming question in the traditional IPv4 way?  And if so, should we 
solve the problem by throwing hardware at it and hoping that when it 
becomes a problem the hardware will be sufficiently advanced to be able to 
solve it?


We can solve the multihoming question in the traditional IPv4 way, 
de-aggregation.  We can argue if that means give end sites a /32, or allow 
provider independent /48s, but the fact of the matter is a prefix of whatever 
size creates routing state.  The sheer size of the IPv6 space allows for 
lots of routing state.


On the other side, if you remove the routing state then you have a trade 
off where the information you previously attained through routing state 
must now be detected in the forwarding plane.  We are seeing this now with 
respect to how end systems detect an outage.


draft-ietf-shim6-reach-detect-00.txt

The problem as I see it is that the IETF community is focused on the 
protocol design, how end hosts signal shim6 capabilities, and failure 
detection.


They are not focused on operational requirements such as
1.  The ability to apply inter-AS traffic engineering policies
2.  To be able to configure and manage inter-AS traffic engineering 
policies at the network level and not on each individual host
3.  The need for transit ASes to leverage traffic engineering.

This is evident by the fact that the language in RFC-3582 that attempted 
to document traffic engineering requirements was downgraded to "goals" in 
order to get adopted.


The problem as I see it, is that there are only a few providers making 
this claim that these requirements are indeed requirements and need to be 
solved before there will be widespread adoption of IPv6.  Most people 
involved in IETF either don't care about multihoming, feel that simple 
fail-over will solve the problem for 90% of the Internet, or only are 
concerned with things that affect the protocol, and they believe 
multihoming isn't one of them.


The process to define how these things work will be done in the IETF, 
in the shim6 working group... if this might be important to you, perhaps 
you will want to join the discussion and make your 
requirements/views/issues well known now, before the protocol is 
specified.


___Jason



Re: mail service with no mx (was - Re: Computer systems blamed for feeble hurricane response?)

2005-09-13 Thread Joseph S D Yao

On Tue, Sep 13, 2005 at 04:31:05PM -0700, william(at)elan.net wrote:
> On Wed, 14 Sep 2005, Roy Badami wrote:
> 
> >   william(at)elan> Could you elaborate on how firewall will
> >   william(at)elan> determine if the connection is from mail server
> >   william(at)elan> or from telnet on port 25?
> >
> >Perhaps because most telnet clients will attempt telnet option
> >negotiation?  If so one could avoid this by using a client such as
> >netcat...
> 
> Telnet option negotiation is at Layer 7 after TCP connection has been
> established. Firewalls typically don't operate at this level (TCP session
> is Layer 4 if I remember right) and would refuse or reject (difference
> type of ICMP response) based solely on attempt to connect to certain
> ip or certain TCP/UDP port.


You're talking about the packet filters that marketeers sell as
"firewalls".  The best firewalls operate at the application layer.  And,
yes, that's an OPINION, no need to rave.


-- 
Joe Yao
---
   This message is not an official statement of OSIS Center policies.


Re: CAT5 surge/lightning strike protection recommendations?

2005-09-13 Thread Todd Vierling

On Tue, 13 Sep 2005, David Lesher wrote:

> Put a fiber transceiver in building A. At least 10 foot away,
> put in a 2nd transceiver and connect THAT to the CAT5 going to
> building B.  Connect A & B wallwarts to different breakers, with
> surge protectors and stock spares.

That's an amazingly expensive optoisolator.

Seriously, though, that's exactly what you're describing, and about what I'd
suggest in a no-other-option scenario -- but if it's possible to pull fiber
through the conduits, it would probably be far less expensive long term, or
even medium term if the physical fiber spools can be bought cheaply enough.

-- 
-- Todd Vierling <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>


Re: CAT5 surge/lightning strike protection recommendations?

2005-09-13 Thread Mark Radabaugh

David Lesher wrote:

> Surge protectors can not protect you from ground differential issues.

True enough - but 10/100 Ethernet is normally isolated by the
transformer on the Ethernet transceiver.  AFAIK there is not a
connection between the signal lines and ground.  Isolation is 1500V for
the magnetics I checked.

Of course all bets are off when lightning strikes since the voltage
tends to be just a tad higher than 1500 volts.

Mark Radabaugh


Re: LA power outage?

2005-09-13 Thread bmanning

> BTW - care to speculate what will happen if cat5 hurricane hits LA? :)
> Or maybe we should be thinking of 8+ earthquake 
> 
> -- 
> William Leibzon

threat models for hurricanes are different than earthquakes.
(or is that one of those "disaster+geography" equations?)

--bill


Re: CAT5 surge/lightning strike protection recommendations?

2005-09-13 Thread David Lesher

Speaking on Deep Background, the Press Secretary whispered:

> 
> 
> I have a bunch of cat5 buried about 1 ft below the surface connecting multiple
> buildings on a campus (short runs) and lightning strikes nearby have caused
> surges along one or more of the cables and burnt out switch ports. I would
> like to protect the switch ports -- there seem to be lots of products on the
> market.
> 
> Anyone have recommendations 

A) Don't.

B) Don't

C)...

Surge protectors can not protect you from ground differential issues.

Your answer is

1) Pull fiber with that CAT5 pullrope.

2) If you REALLY, REALLY can't

Put a fiber transceiver in building A. At least 10 foot away,
put in a 2nd transceiver and connect THAT to the CAT5 going to
building B.  Connect A & B wallwarts to different breakers, with
surge protectors and stock spares.

{Extra help; power B from a small hospital-grade isolation
transformer -- low leakage, hi breakdown voltage.}

Hopefully, you'll merely lose transceivers & wallwarts on the
B-side, with nothing in building B being zorched. 




-- 
A host is a host from coast to            [EMAIL PROTECTED]
& no one will talk to a host that's close  [v].(301) 56-LINUX
Unless the host (that isn't close)         pob 1433
is busy, hung or dead                      20915-1433



Re: LA power outage?

2005-09-13 Thread Todd Underwood

folx,

On Wed, Sep 14, 2005 at 01:28:09AM +, Fergie (Paul Ferguson) wrote:
> 
> It's also interesting to note that, at least by some estimates,
> the brief power outage in L.A. yesterday took down more networks
> than Hurricane Katrina:
> 
>  http://www.techweb.com/showArticle.jhtml?articleID=170702966

fyi, yes, during the power outages in Los Angeles, at their peak,
there were 301 outages (highly localised partitionings with the
Internet on one side and the rest of the world on the other :-),
according to our peerset at renesys.  other views may vary, but
probably not by much.

[insert aimless debate about the meaning of 'outage' here.]

that's a significant, and visible outage, but it's not outrageous.
transmission to and through the region doesn't appear to have blipped
at all, as the majority of power redundancy worked.

> Of course, So. California is pretty "network-dense", but what does
> that say about the level of seriousness that network operators place
> on their "uptime"?

i don't know.  a *big* chunk of the visible failures were caused by a
very small number of facilities with supposedly redundant power where
generators and UPSes failed.  people who are in those facilities are,
no doubt, working with building management to obtain RFOs,  request
SLA credits, and consider breaking leases in the extreme cases.  i
wish the affected parties luck with those efforts.  

most stuff just stayed up.  

t.

-- 
_
todd underwood
director of operations & security
renesys - interdomain intelligence
[EMAIL PROTECTED]   www.renesys.com


Re: LA power outage?

2005-09-13 Thread Fergie (Paul Ferguson)

"william(at)elan.net" <[EMAIL PROTECTED]> wrote:

>I think there is a difference as to network going down for 3 hours
>and network going down for 3 months...
>

Semantics. :-)

>BTW - care to speculate what will happen if cat5 hurricane hits LA? :)
>Or maybe we should be thinking of 8+ earthquake 

No -- I wouldn't want to be accused of instigating an off-topic
thread. ,-)

- ferg

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 [EMAIL PROTECTED] or [EMAIL PROTECTED]
 ferg's tech blog: http://fergdawg.blogspot.com/



RE: mail service with no mx (was - Re: Computer systems blamed for feeble hurricane response?)

2005-09-13 Thread Hannigan, Martin

> >
> >Application layer firewalls have existed for at least 6 years.
> >
> Make that 15


Socks, fwtk (before it went commercial) to name a few.

-M<


Re: LA power outage?

2005-09-13 Thread william(at)elan.net



On Wed, 14 Sep 2005, Fergie (Paul Ferguson) wrote:

> It's also interesting to note that, at least by some estimates,
> the brief power outage in L.A. yesterday took down more networks
> than Hurricane Katrina:
>
>  http://www.techweb.com/showArticle.jhtml?articleID=170702966
>
> Of course, So. California is pretty "network-dense", but what does
> that say about the level of seriousness that network operators place
> on their "uptime"?


I think there is a difference as to network going down for 3 hours
and network going down for 3 months...

BTW - care to speculate what will happen if cat5 hurricane hits LA? :)
Or maybe we should be thinking of 8+ earthquake 

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]


Re: mail service with no mx (was - Re: Computer systems blamed for feeble hurricane response?)

2005-09-13 Thread Steven M. Bellovin

In message <[EMAIL PROTECTED]>, Adam McKenna writes:
>
>On Tue, Sep 13, 2005 at 04:31:05PM -0700, william(at)elan.net wrote:
>> Telnet option negotiation is at Layer 7 after TCP connection has been
>> established. Firewalls typically don't operate at this level (TCP session
>> is Layer 4 if I remember right) and would refuse or reject (difference
>> type of ICMP response) based solely on attempt to connect to certain
>> ip or certain TCP/UDP port.
>
>Application layer firewalls have existed for at least 6 years.
>
Make that 15

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb




Re: LA power outage?

2005-09-13 Thread Fergie (Paul Ferguson)

It's also interesting to note that, at least by some estimates,
the brief power outage in L.A. yesterday took down more networks
than Hurricane Katrina:

 http://www.techweb.com/showArticle.jhtml?articleID=170702966

Of course, So. California is pretty "network-dense", but what does
that say about the level of seriousness that network operators place
on their "uptime"?

- ferg

-- Steve Sobol <[EMAIL PROTECTED]> wrote:


[EMAIL PROTECTED] wrote:
> On Mon, 12 Sep 2005 21:21:59 -, "Reeves, Rob" said:
> 
>>We've been told by our field tech in LA that One Wilshire had lost power
>>for a bit, but it is now restored.  I don't know the duration of the
>>outage, but our equipment there is on DC and did not go down.
> 
> 
> So - who in LA is going to be telling Santa they want a new data-center sized
> diesel UPS genset for Christmas? ;)

More like, "which manager is telling Santa they want a new, clue-imbued 
employee for Christmas?"

I'm not too close to the story and I don't live in Los Angeles (I live and 
work 55-65 miles northeast of downtown), but it seems to me that the problem 
could have been avoided with a little more caution on the part of the person 
who cut the wires.

-- 
Steve Sobol, Professional Geek   888-480-4638   PGP: 0xE3AE35ED
Company website: http://JustThe.net/
Personal blog, resume, portfolio: http://SteveSobol.com/
E: [EMAIL PROTECTED] Snail: 22674 Motnocab Road, Apple Valley, CA 92307

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 [EMAIL PROTECTED] or [EMAIL PROTECTED]
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: Computer systems blamed for feeble hurricane response?

2005-09-13 Thread Randy Bush

> >$ dig mx fema.gov
> >;; ANSWER SECTION:
> >fima.org.   3600IN  MX  0 smtp.secureserver.net.
> >fima.org.   3600IN  MX  10 
> >mailstore1.secureserver.net
> 
> That's interesting -- I'm not getting that response.

from tokyo

roam.psg.com:/usr/home/randy> dig mx fema.gov.

; <<>> DiG 9.3.1 <<>> mx fema.gov.
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9180
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;fema.gov.  IN  MX

;; AUTHORITY SECTION:
fema.gov.   1797IN  SOA ns.fema.gov. root.ns2.fema.gov. 
2005090901 10800 3600 604800 1800

;; Query time: 0 msec
;; SERVER: 202.232.15.98#53(202.232.15.98)
;; WHEN: Wed Sep 14 10:23:20 2005
;; MSG SIZE  rcvd: 74



and


roam.psg.com:/usr/home/randy> doc -p -w fema.gov
Doc-2.2.3: doc -p -w fema.gov
Doc-2.2.3: Starting test of fema.gov.   parent is gov.
Doc-2.2.3: Test date - Wed Sep 14 10:23:48 JST 2005
ERROR: NS list from fema.gov. authoritative servers does not
  === match NS list from parent (gov.) servers
ERROR: nse.algx.net. claims to be authoritative, but does not appear in
NS list from authoritative servers
ERROR: nsf.algx.net. claims to be authoritative, but does not appear in
NS list from authoritative servers
Summary:
   ERRORS found for fema.gov. (count: 3)
Done testing fema.gov.  Wed Sep 14 10:23:52 JST 2005



Re: LA power outage?

2005-09-13 Thread Steve Sobol


[EMAIL PROTECTED] wrote:
> On Mon, 12 Sep 2005 21:21:59 -, "Reeves, Rob" said:
>
>> We've been told by our field tech in LA that One Wilshire had lost power
>> for a bit, but it is now restored.  I don't know the duration of the
>> outage, but our equipment there is on DC and did not go down.
>
> So - who in LA is going to be telling Santa they want a new data-center sized
> diesel UPS genset for Christmas? ;)


More like, "which manager is telling Santa they want a new, clue-imbued 
employee for Christmas?"


I'm not too close to the story and I don't live in Los Angeles (I live and 
work 55-65 miles northeast of downtown), but it seems to me that the problem 
could have been avoided with a little more caution on the part of the person 
who cut the wires.


--
Steve Sobol, Professional Geek   888-480-4638   PGP: 0xE3AE35ED
Company website: http://JustThe.net/
Personal blog, resume, portfolio: http://SteveSobol.com/
E: [EMAIL PROTECTED] Snail: 22674 Motnocab Road, Apple Valley, CA 92307



Re: rate limiting bandwidth

2005-09-13 Thread John Kinsella

I'm pretty fond of the Packeteer gear.  The API is pretty decent,
I can get a pretty good range of stats off the box in flexible formats
(tab or comma delimited, or in an XML format).  Config-wise, I believe
I can change just about anything on the box, including running commands
remotely, and uploading/downloading files.  The box's ability to sniff
traffic for a few days and know what protocols are in use is pretty
spiffy, from what I've seen.

I've used the Peribit gear as well, but not as heavily and I don't
know of an API (not saying one doesn't exist, I just don't know of it).
It seems to be decent at what it does, but doesn't have as rich a
featureset as the Packeteer.

John

On Tue, Sep 13, 2005 at 04:32:25PM -0700, Micah McNelly wrote:
> 
> Does anyone have any recommendations concerning hardware rate limiting 
> solutions with extensive API's?  I remember packeteer from back in the
> day and have been looking at some of their newer solutions that have XML 
> API's.  Comments?  Alternatives?
> 
> I would appreciate any feedback that can be provided.
> 
> Thanks,
> 
> /m
> 
> "I bet the human brain is a kludge."  - Marvin Minsky


Re: CAT5 surge/lightning strike protection recommendations?

2005-09-13 Thread Mark Radabaugh

R.P. Aditya wrote:

>I have a bunch of cat5 buried about 1 ft below the surface connecting multiple
>buildings on a campus (short runs) and lightning strikes nearby have caused
>surges along one or more of the cables and burnt out switch ports. I would
>like to protect the switch ports -- there seem to be lots of products on the
>market.
>
>Anyone have recommendations (tested/practical is best :-)?
>
>The APC Protectnet PNET1 and PRM24 seem quite nice and not too expensive --
>if they work... pros? cons?
>
>Thanks,
>Adi
>  
>
I'll go with the fiber recommendation but that's not what you asked :-)

We use quite a few of the Motorola 300SS surge suppressors.  They are
made for use with Motorola's fixed wireless Internet platform and go on
the Ethernet cable before it enters the building. 

They do a good job of protecting the ports on near misses.  Direct
strikes and they are toast along with anything attached to them - but
that's just the way it goes :-)

http://www.tessco.com/products/headerProductSearch.do?searchType=1&searchText=300ss&searchField=1

-- 
Mark Radabaugh

Amplex
[EMAIL PROTECTED]
419.837.5015



Re: CAT5 surge/lightning strike protection recommendations?

2005-09-13 Thread Marshall Eubanks

On Wed, 14 Sep 2005 12:24:39 +1200 (NZST)
 "Mark Foster" <[EMAIL PROTECTED]> wrote:
> 
> > I have a bunch of cat5 buried about 1 ft below the surface connecting
> > multiple buildings on a campus (short runs) and lightning strikes nearby
> > have caused surges along one or more of the cables and burnt out switch
> > ports. I would like to protect the switch ports -- there seem to be lots
> > of products on the market.
> >
> > Anyone have recommendations (tested/practical is best :-)?
> >
> > The APC Protectnet PNET1 and PRM24 seem quite nice and not too expensive --
> > if they work... pros? cons?
> >
> 
> Adi,
> 
> Is there a reason that your between-building runs aren't being done with
> Fibre?
> It being non-conductive is one immediate advantage

I would agree with Mark. Even buried copper can make an excellent guide for
lightning to come right into your equipment, and it can only be isolated so
much. (Remember, the electrical potential of the ground can vary over a cable
run, and will vary if there are elevation changes.) Fiber is the way to go.

Regards
Marshall Eubanks


> 
> Also if your grounding is inadequate you may like to take a squiz at the
> ISO or TIA Standards as they pertain to cabling.
> In NZ we have a variety of standards which all point back to ISO, the ANSI
> equivalents are TIA/EIA 568-B (Cabling), TIA/EIA-569-A (Pathways and
> Spaces) and TIA/EIA-607-A (Electrical Wiring, relevant as it pertains to
> Earthing etc).
> 
> Even for short runs, If I need to run between buildings externally I won't
> even look at copper.
> 
> Mark.
> 



Re: mail service with no mx (was - Re: Computer systems blamed for feeble hurricane response?)

2005-09-13 Thread Crist Clark


Adam McKenna wrote:
> On Tue, Sep 13, 2005 at 04:31:05PM -0700, william(at)elan.net wrote:
>> Telnet option negotiation is at Layer 7 after TCP connection has been
>> established. Firewalls typically don't operate at this level (TCP session
>> is Layer 4 if I remember right) and would refuse or reject (difference
>> type of ICMP response) based solely on attempt to connect to certain
>> ip or certain TCP/UDP port.
>
> Application layer firewalls have existed for at least 6 years.


AAAGGHH!

But the point is that you would still establish a TCP connection
before a MTA, firewall, IPS, or whatever could know it was telnet!
The FEMA address that started this whole thing was timing out. You
can tell the difference between a telnet filter and something
completely, silently blocking 25/tcp.

CAN THIS DIE NOW? Pueese...
--
Crist J. Clark   [EMAIL PROTECTED]
Globalstar Communications    (408) 933-4387


Re: CAT5 surge/lightning strike protection recommendations?

2005-09-13 Thread Mark Foster

>
> I have a bunch of cat5 buried about 1 ft below the surface connecting
> multiple buildings on a campus (short runs) and lightning strikes nearby
> have caused surges along one or more of the cables and burnt out switch
> ports. I would like to protect the switch ports -- there seem to be lots
> of products on the market.
>
> Anyone have recommendations (tested/practical is best :-)?
>
> The APC Protectnet PNET1 and PRM24 seem quite nice and not too expensive --
> if they work... pros? cons?
>

Adi,

Is there a reason that your between-building runs aren't being done with
Fibre?
It being non-conductive is one immediate advantage.

Also if your grounding is inadequate you may like to take a squiz at the
ISO or TIA Standards as they pertain to cabling.
In NZ we have a variety of standards which all point back to ISO, the ANSI
equivalents are TIA/EIA 568-B (Cabling), TIA/EIA-569-A (Pathways and
Spaces) and TIA/EIA-607-A (Electrical Wiring, relevant as it pertains to
Earthing etc).

Even for short runs, if I need to run between buildings externally I won't
even look at copper.

Mark.



Re: mail service with no mx (was - Re: Computer systems blamed for feeble hurricane response?)

2005-09-13 Thread Adam McKenna

On Tue, Sep 13, 2005 at 04:31:05PM -0700, william(at)elan.net wrote:
> Telnet option negotiation is at Layer 7 after TCP connection has been
> established. Firewalls typically don't operate at this level (TCP session
> is Layer 4 if I remember right) and would refuse or reject (difference
> type of ICMP response) based solely on attempt to connect to certain
> ip or certain TCP/UDP port.

Application layer firewalls have existed for at least 6 years.

--Adam


OMB: No new money for IPv6 [Was: Re: Multi-6]

2005-09-13 Thread Fergie (Paul Ferguson)

Although I know you're speaking metaphorically, to top it off, see SUBJ: line.

 http://www.fcw.com/article90779-09-13-05-Web

"Upgrade to v6 by 2008 -- no new money."

- ferg


-- Tony Li <[EMAIL PROTECTED]> wrote:

Moore's Law has not, and does not apply to routers.  Thus, costs are
going up non-trivially.


Tony

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 [EMAIL PROTECTED] or [EMAIL PROTECTED]
 ferg's tech blog: http://fergdawg.blogspot.com/



rate limiting bandwidth

2005-09-13 Thread Micah McNelly


Does anyone have any recommendations concerning hardware rate limiting 
solutions with extensive API's?  I remember packeteer from back in the
day and have been looking at some of their newer solutions that have XML 
API's.  Comments?  Alternatives?


I would appreciate any feedback that can be provided.

Thanks,

/m

"I bet the human brain is a kludge."  - Marvin Minsky


Re: mail service with no mx (was - Re: Computer systems blamed for feeble hurricane response?)

2005-09-13 Thread william(at)elan.net



On Wed, 14 Sep 2005, Roy Badami wrote:

>    william(at)elan> Could you elaborate on how firewall will
>    william(at)elan> determine if the connection is from mail server
>    william(at)elan> or from telnet on port 25?
>
> Perhaps because most telnet clients will attempt telnet option
> negotiation?  If so one could avoid this by using a client such as
> netcat...


Telnet option negotiation is at Layer 7 after TCP connection has been
established. Firewalls typically don't operate at this level (TCP session
is Layer 4 if I remember right) and would refuse or reject (difference
type of ICMP response) based solely on attempt to connect to certain
ip or certain TCP/UDP port.

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]


mail service with no mx (was - Re: Computer systems blamed for feeble hurricane response?)

2005-09-13 Thread Roy Badami


william(at)elan> Could you elaborate on how firewall will
william(at)elan> determine if the connection is from mail server
william(at)elan> or from telnet on port 25?

Perhaps because most telnet clients will attempt telnet option
negotiation?  If so one could avoid this by using a client such as
netcat...

-roy


mail service with no mx (was - Re: Computer systems blamed for feeble hurricane response?)

2005-09-13 Thread william(at)elan.net



On Tue, 13 Sep 2005, Joseph S D Yao wrote:

> There is no requirement - even in this century - for MX records.  It is
> a Good Idea(tm).  But not a requirement.  Lack of MX records does NOT
> mean that you lose the store-and-forward capability of SMTP.  Lack of a
> secondary server, while equally not a Good Idea(tm), does NOT mean that
> you lose the store-and-forward capability, only that you exercise it
> more often.

I don't disagree but it so happens not all mail software is fully RFC2821
compliant - that may be either by choice or by ignorance of the authors
or simply not reading the RFC closely enough. If you ever wonder how bad it
is - try looking at your Received header lines and compare to what RFC2821
says about them. So yes, I'll say it again - there are mail servers that 
don't respond appropriately when there is no MX record.

Besides what RFC2821 says, it is also well-known that use of 'A' if
there is no 'MX' is a feature to support legacy [pre-1990] systems/domains 
and for individual hosts that aren't usually used to receive email (but 
still have a working postmaster address, etc). And every recent manual, 
book, etc for mail server software says that when setting up a *domain*
to receive email an MX record must be set up.

> Oh, and also ... please consider that some firewalls try to discern
> whether the connection on port 25 is from a mail server or from Telnet.

Could you elaborate on how firewall will determine if the connection is
from mail server or from telnet on port 25?

They both will have the same destination TCP port, both will use random 
source TCP port number, etc. I really don't see how L4 device (like 
most firewalls are) can do this unless they keep list of known mail 
servers ip addresses - and with millions of them I don't think anyone
is crazy enough to compile that into their firewall.

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]
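An added example, not code from the thread, of the RFC 2821 section 5 target selection being argued about here: sort the MX set by preference, and when the MX query comes back NOERROR with an empty answer section (what the `dig mx fema.gov.` output earlier in the thread shows) treat the domain itself as an implicit preference-0 MX and deliver to its A record. The DNS answers are constructed in a dict, and the `fallback_to_a` switch reproduces the non-compliant "no MX, no mail" behaviour the post complains about.

```python
"""Mail target selection per RFC 2821 section 5, run against constructed DNS data.

Added example, not code from the thread. Cases modelled:
  * a domain with several MX records (sorted by preference, ties kept in order)
  * a domain whose MX query returns NOERROR with an empty answer section:
    RFC 2821 says to treat the domain itself as an MX with preference 0 and
    deliver to its A record
  * a domain that exists but has neither MX nor A records
  * a name that does not exist (NXDOMAIN)
fallback_to_a=False reproduces the non-compliant MTA behaviour the thread
complains about: such a server refuses mail for any domain without an MX.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Answer:
    rcode: str          # "NOERROR" or "NXDOMAIN"
    mx: tuple = ()      # (preference, exchange) pairs in the order received
    a: tuple = ()       # IPv4 addresses of the queried name


# Constructed stand-in for a resolver; all names are fully qualified.
ZONE = {
    "example.org.": Answer("NOERROR",
                           mx=((10, "mx2.example.org."), (0, "mx1.example.org."),
                               (10, "mx3.example.org."), (20, "mx-dead.example.org.")),
                           a=("192.0.2.10",)),
    "mx1.example.org.": Answer("NOERROR", a=("192.0.2.1",)),
    "mx2.example.org.": Answer("NOERROR", a=("192.0.2.2",)),
    "mx3.example.org.": Answer("NOERROR", a=("192.0.2.3",)),
    "mx-dead.example.org.": Answer("NOERROR"),                     # exchange with no address
    "nomx.example.net.": Answer("NOERROR", a=("198.51.100.25",)),  # empty MX answer, A only
    "dangling.example.net.": Answer("NOERROR"),                    # exists, no MX, no A
}


def lookup(name: str, zone: dict = ZONE) -> Answer:
    """Return the constructed answer for a name, NXDOMAIN if it is not in the zone."""
    fqdn = name if name.endswith(".") else name + "."
    return zone.get(fqdn, Answer("NXDOMAIN"))


def mail_targets(domain: str, zone: dict = ZONE, fallback_to_a: bool = True) -> list:
    """Ordered (exchange, address) delivery attempts for a recipient domain.

    Returns [] when the domain is undeliverable. With fallback_to_a=False the
    function behaves like an MTA that ignores the implicit-MX rule.
    """
    fqdn = domain if domain.endswith(".") else domain + "."
    ans = lookup(fqdn, zone)
    if ans.rcode != "NOERROR":
        return []                     # NXDOMAIN: permanent failure, bounce
    if ans.mx:
        # Lowest preference first; sorted() is stable, so equal preferences keep
        # their received order (a real MTA randomises among equals, 2821 5.1).
        ordered = sorted(ans.mx, key=lambda pe: pe[0])
    elif fallback_to_a:
        ordered = [(0, fqdn)]         # implicit MX: the domain itself, preference 0
    else:
        return []                     # non-compliant behaviour: "no MX, no mail"
    targets = []
    for _pref, exchange in ordered:
        for addr in lookup(exchange, zone).a:   # exchanges with no address are skipped
            targets.append((exchange, addr))
    return targets


if __name__ == "__main__":
    for d in ("example.org", "nomx.example.net", "dangling.example.net", "nxdomain.example"):
        print(f"{d:22} compliant={mail_targets(d)}  strict={mail_targets(d, fallback_to_a=False)}")
```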


Re: Computer systems blamed for feeble hurricane response?

2005-09-13 Thread Eric A. Hall


On 9/13/2005 5:23 PM, Joseph S D Yao wrote:

> "SEF [is] unique in that it can detect what appear to be telnet
> connections to Port 25 and drop the connection. This is probably because
> telnet connections send one character at a time whereas real SMTP
> clients send all the strings at once."

While we're beating a dead tangent, TELNET clients are often configurable
to use line-mode (preferred for those of us with fat fingers, where we
need backspace to work on the local line buffer before it is transmitted).
Many of them will also avoid sending TELNET options when the non-default
port is used (they've learned by now that there's little reason to do so,
and lots of reasons not to).


-- 
Eric A. Hall                 http://www.ehsco.com/
Internet Core Protocols      http://www.oreilly.com/catalog/coreprot/


Re: Computer systems blamed for feeble hurricane response?

2005-09-13 Thread William Allen Simpson


For "contact us", I'm now getting a 403 error:

Forbidden
You don't have permission to access /feedback/ on this server.

Apache/1.3.33 Server at www.fema.gov Port 80


--
William Allen Simpson
Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32


Re: Computer systems blamed for feeble hurricane response?

2005-09-13 Thread Joseph S D Yao

On Tue, Sep 13, 2005 at 05:54:03PM -0400, Steven M. Bellovin wrote:
> In message <[EMAIL PROTECTED]>, Joseph S D Yao writes
> :
> >On Tue, Sep 13, 2005 at 04:56:58PM -0400, Joseph S D Yao wrote:
> >> On Tue, Sep 13, 2005 at 04:28:41PM -0400, Steven M. Bellovin wrote:
> >> ...
> >> > Telnet options, and for that matter speed, happen after the 3-way 
> >> > handshake.  We're not getting that far.
> >> > 
> >> >  --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
> >> 
> >> Steve, I defer to your expertise, as always.  ;-]
> >
> >
> >Nevertheless ... I went looking for comments on how this was being done,
> >and found the following speculation by a small number of different
> >people.
> >
> >"SEF [is] unique in that it can detect what appear to be telnet
> >connections to Port 25 and drop the connection. This is probably because
> >telnet connections send one character at a time whereas real SMTP
> >clients send all the strings at once."
> >
> >This would not require the 3WH, ISTM.
> 
> Sure it would -- until the 3-way handshake, there's no application data 
> flowing, and hence no characters being sent one at a time.

Right.  Doh.  Me go home lie down rest.

> We'll leave to another mailing list the question of what security 
> benefit there is to such a feature...

;-)

-- 
Joe Yao
---
   This message is not an official statement of OSIS Center policies.


Re: Computer systems blamed for feeble hurricane response?

2005-09-13 Thread Steven M. Bellovin

In message <[EMAIL PROTECTED]>, Joseph S D Yao writes
:
>On Tue, Sep 13, 2005 at 04:56:58PM -0400, Joseph S D Yao wrote:
>> On Tue, Sep 13, 2005 at 04:28:41PM -0400, Steven M. Bellovin wrote:
>> ...
>> > Telnet options, and for that matter speed, happen after the 3-way 
>> > handshake.  We're not getting that far.
>> > 
>> >--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
>> 
>> Steve, I defer to your expertise, as always.  ;-]
>
>
>Nevertheless ... I went looking for comments on how this was being done,
>and found the following speculation by a small number of different
>people.
>
>"SEF [is] unique in that it can detect what appear to be telnet
>connections to Port 25 and drop the connection. This is probably because
>telnet connections send one character at a time whereas real SMTP
>clients send all the strings at once."
>
>This would not require the 3WH, ISTM.
>

Sure it would -- until the 3-way handshake, there's no application data 
flowing, and hence no characters being sent one at a time.

We'll leave to another mailing list the question of what security 
benefit there is to such a feature...

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb




RE: CAT5 surge/lightning strike protection recommendations?

2005-09-13 Thread Hannigan, Martin


> 
> Anyone have recommendations (tested/practical is best :-)?
> 
> The APC Protectnet PNET1 and PRM24 seem quite nice and not 
> too expensive --
> if they work... pros? cons?


It sounds like you're either out of NEC, or, you are grounding them
to waterpipe. I believe NEC calls for grounding via earth. You 
could strike some rod into the ground several feet deep, attach
to the pipe with conductive screw+locknut+washer, and a proper gauge
for distance cable. Theoretically, that should solve your problem.

What did your electricians say?


-M<



Re: Computer systems blamed for feeble hurricane response?

2005-09-13 Thread Joseph S D Yao

OBTW, this discussion of how SEF tells the difference between SMTP and
telnet is rather beside the point.  Most of what I wrote was, read
RFC 2821.  It's a little different from the RFC 821 that some of us have
always cited, but I believe the points I noted are the same.  AND it's a
bit more OT, I suspect.  ;->

-- 
Joe Yao
---
   This message is not an official statement of OSIS Center policies.


Re: Computer systems blamed for feeble hurricane response?

2005-09-13 Thread Joseph S D Yao

On Tue, Sep 13, 2005 at 04:56:58PM -0400, Joseph S D Yao wrote:
> On Tue, Sep 13, 2005 at 04:28:41PM -0400, Steven M. Bellovin wrote:
> ...
> > Telnet options, and for that matter speed, happen after the 3-way 
> > handshake.  We're not getting that far.
> > 
> > --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
> 
> Steve, I defer to your expertise, as always.  ;-]


Nevertheless ... I went looking for comments on how this was being done,
and found the following speculation by a small number of different
people.

"SEF [is] unique in that it can detect what appear to be telnet
connections to Port 25 and drop the connection. This is probably because
telnet connections send one character at a time whereas real SMTP
clients send all the strings at once."

This would not require the 3WH, ISTM.

-- 
Joe Yao
---
   This message is not an official statement of OSIS Center policies.


Re: Computer systems blamed for feeble hurricane response?

2005-09-13 Thread Mike Tancsa


At 05:10 PM 13/09/2005, kent crispin wrote:


> Port 587?


Not everyone implements that. You would make a large part of the 
internet unreachable via email


vinyl# telnet mx2.mail.yahoo.com 587
Trying 67.28.114.36...
telnet: connect to address 67.28.114.36: Connection refused
Trying 4.79.181.13...


---Mike 



Re: Multi-6 [WAS: OT - Vint Cerf joins Google]

2005-09-13 Thread Tony Li



> The rules today have not resulted in an overly huge number of
> multihomers.


I suspect that is a matter of perspective.  Even if 10% of all sites are
multihomed, and we continue in the IPv4 multihoming model, then we will
end up with slow exponential growth of the routing table which
eventually overtakes and buries us.


> The IPv6 crowd evangelists on the one hand insist there's
> no need for NAT, while on the other hand provided no solution to
> multihoming, and what's been evolving in the various "fixes" for that
> are less palatable than running a multiport NAT box. The choice is
> simple: live with NAT or provide portable address space. The marketplace
> is not likely, IMO, to accept shim6.


Why not?

I should point out that another perspective on shim6 that should be more
to your liking: in actuality, shim6 is just another incarnation of NAT.
It turns each host into a NAT that sits just underneath the transport
layer.

This seems like a fine compromise to running a multiport NAT or (worse)
a distributed multiport NAT.


> End systems should not be making decisions on where packets go beyond
> the local network segment. This has been tried before. It was called
> Token Ring Source Route Bridging. It was a bad idea then, and it's a bad
> idea now to have end stations deal with routing. SRB came into being to
> save the network elements from the burden of keeping track of the
> functioning of the network. Then Ethernet switches came along, spanning
> tree, and so forth.


That would fly in the face of other requests already made here.  I tend
to agree that routing should stay in the routing subsystem and that
those asking for routing features would be most likely to get them if
they asked routing to provide the functionality.


> That's true today. Router memory complement has increased over time. So
> what? Cost of processing power and memory are a tiny fraction of what
> they were when the routing table was in the 20,000 prefix range.


Flatly not true.  Paid for a line card lately?


> Processors in current routers are well below the fastest on the market.
> There's plenty of horsepower headroom. There's plenty of opportunity to
> expand the amount of memory.


Processors are not just for protocol processing.  There are also impacts
 on the costs of forwarding, as each prefix ends up in the high speed
static RAM associated with your forwarding engine.  Such silicon is not
cheap, and while we are currently ahead of the problem, we can easily
let the problem grow without bound and leave ourselves in a very bad spot.

Scaling the routing subsystem is in everyone's best interest.



> That multihoming was not properly addressed as a core goal to solve in
> IPv6 is one of the failings in the whole effort. 


No doubt.  However, the fact of the matter is that we are where we are.


> The shim6 approach is,
> IMO, not going to fly. A multiported NAT box for $179 or less (present
> product in the marketplace) provides a simple solution without the end
> stations being involved. Sure, it uses NAT.


If, in fact, this is the choice of the market, then the issue is solved
and PI space is unnecessary.  A fine outcome in my book.


> Relying on Moore's Law to continue to make
> routing equipment keep up is going to be a necessity.


Moore's Law has not applied, and does not apply, to routers.  Thus, costs are
going up non-trivially.


Tony


Katrina Recovery Post: techs looking for bandwidth in Bay St. Louis, MS

2005-09-13 Thread Dave Curado

Apologies in advance if this posting is not operational enough.

I received a call from a friend who is part of a team who are putting
together some wireless networks in the affected areas.  They are in
need of an internet connection, a link of any kind, in Bay St. Louis, MS.

GPS = N 30 22.375", W 89 26.900"

I was told they can use T1, bundled T1s, wet string, whatever...
If you can supply connectivity to this location, please unicast mail 
to me and I will forward contact info.

Thanks very much.




Re: CAT5 surge/lightning strike protection recommendations?

2005-09-13 Thread james edwards

Fiber would be my choice. Not only will it solve the lightning strike
problem; you will not have to worry about ground potentials being
different on each side of the cable run.

James
Routing and Security Administrator
At the Santa Fe Office: Cyber Mesa Telecom
[EMAIL PROTECTED]  [EMAIL PROTECTED]
http://www.cybermesa.com/ContactCM
(505) 795-7101



Re: CAT5 surge/lightning strike protection recommendations?

2005-09-13 Thread Jay Hennigan

On Tue, 13 Sep 2005, R.P. Aditya wrote:

> I have a bunch of cat5 buried about 1 ft below the surface connecting multiple
> buildings on a campus (short runs) and lightning strikes nearby have caused
> surges along one or more of the cables and burnt out switch ports.

Don't do that, then.

> I would like to protect the switch ports -- there seem to be lots of
> products on the market.
>
> Anyone have recommendations (tested/practical is best :-)?

Use the cat5 as a pull rope, install fiber.

> The APC Protectnet PNET1 and PRM24 seem quite nice and not too expensive --
> if they work... pros? cons?

Seriously, this is a battle against Mother Nature that you aren't going to
win.  Differences in ground potential as well as induced currents into the
UTP will continue to cause equipment failure as well as possibly kill you
or someone else.

--
Jay Hennigan - CCIE #7880 - Network Administration - [EMAIL PROTECTED]
WestNet:  Connecting you to the planet.  805 884-6323  WB6RDV
NetLojix Communications, Inc.  -  http://www.netlojix.com/


Re: Multi-6 [WAS: OT - Vint Cerf joins Google]

2005-09-13 Thread Christopher L. Morrow


On Tue, 13 Sep 2005, Iljitsch van Beijnum wrote:

> On 13-sep-2005, at 0:22, Igor Gashinsky wrote:
>
> > (firmly in the shim6 does not adress *most* of the issues camp)
>
> So where were you the past years in multi6 and months in shim6?
> Please be part of the solution and not part of the problem. (That
> goes for John Payne and Daniel Senie too.)
>

please don't slam Igor, Daniel nor John... I'm of the opinion (possibly
wrong and these three can correct me if so) that they thought this would
get sorted out because people knew multihoming is important to business...
(which I was too until this last IETF :( ) So, my post 1 month ago about
this and the followup on this topic were tries to get operators involved
in the problem/process. that's happened with at least John/Patrick/Igor and
that's a GOOD THING, yes?

> I'll be happy to continue any and all discussions of multihoming in
> IPv6 off-list, but having them on the NANOG list doesn't seem to be
> very productive.
>

it is because it's highlighting the problem of lack of support... and need
for NANOG-ish operators to GET INVOLVED before they get stuck with
something that will not work for them.

-Chris


Re: Computer systems blamed for feeble hurricane response?

2005-09-13 Thread Joseph S D Yao

On Tue, Sep 13, 2005 at 04:28:41PM -0400, Steven M. Bellovin wrote:
...
> Telnet options, and for that matter speed, happen after the 3-way 
> handshake.  We're not getting that far.
> 
>   --Steven M. Bellovin, http://www.cs.columbia.edu/~smb

Steve, I defer to your expertise, as always.  ;-]

-- 
Joe Yao
---
   This message is not an official statement of OSIS Center policies.


Re: Multi-6 [WAS: OT - Vint Cerf joins Google]

2005-09-13 Thread Iljitsch van Beijnum


On 13-sep-2005, at 21:58, Daniel Senie wrote:

>> So where were you the past years in multi6 and months in shim6?
>> Please be part of the solution and not part of the problem. (That
>> goes for John Payne and Daniel Senie too.)
>
> I was there in the beginning for Multi6. When I saw the direction(s)
> that were being considered, I decided the whole concept was a
> non-starter and spent my budget of IETF hours on other areas that
> had a chance of being useful.

Which is of course your good right.

However, in your message earlier today you were spreading FUD about
the IPv6 address length, a ship that sailed a decade ago. In my book,
that's being part of the problem. Especially since a subset of the
NANOG membership may not be familiar enough with the issues to be
able to see through all of this.

> Just how many IETF groups do you participate in?

There is one that I always make time for, about four others depending
on time constraints.

> In how many different IETF areas?

Never counted.

> Do you also get other work done?

Look up my name on Amazon...

> Most folks (perhaps including you) have limited amounts of time to
> spend on IETF work. Some folks get paid to do such work by their
> employers, while others don't.

Well, I don't have an "employer" so that doesn't apply in my case.  :-)

> At what point does it make sense as a participant in a working
> group to look at the direction and sense of the room and decide
> that no amount of arguing is going to keep a trainwreck from
> occurring?

At some point after the requirements discussion, I'd say.

I'm not saying everyone and their dog should co-design the protocol,
but I think it's reasonable to ask people to take 15 minutes to write
down their requirements in a message to the list at that point,
rather than whine later.


Something similar is happening with the RIR policies. People "just  
want PI" but they don't want to come up with a policy that makes it  
possible to give people who really need PI or a PA block one, while  
at the same time making sure the routing tables aren't going to  
explode in the future.


I don't know why I bother, but let me tell all of you that the size  
of the v4 table TODAY is a problem. A customer of mine wanted to load  
balance over two BGP sessions to the same AS, but his linecards  
crashed because this required two copies of every route in the FIB,  
which didn't fit in the linecard's memory. These were fairly  
reasonable Cisco 12000 linecards with 512 MB RAM.


Now in v4 the minimum prefix you'll see is a /24. Since a lot of  
address space is already used in larger blocks, and you need to show  
decent utilization, there are natural limits to the numbers of /24s  
in the routing table. However, in v6 these limits don't apply, so  
ANYONE can get a /48 (I have 3 currently). If you accept those in  
your routing table that table is going to explode at some point.


So just ignoring the issue is not an option. Still, many people just  
want their own portable block, and don't even want to bother THINKING  
about the issue.




RE: CAT5 surge/lightning strike protection recommendations?

2005-09-13 Thread Wallace Keith

I've had good luck with Oneac products, such as RJELP100. That being
said, it's probably not a good idea to connect switches and/or pc's  in
different buildings with  copper. I'd use fiber between buildings if at
all possible . Differences in ground potential between buildings
(especially during electrical storms) can not only wipe out a switch
port or nic card, but could be lethal to the poor soul with one hand on
a mouse and the other on some nearby grounded object...
Regards,
Keith



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
R.P. Aditya
Sent: Tuesday, September 13, 2005 4:25 PM
To: nanog@merit.edu
Subject: CAT5 surge/lightning strike protection recommendations?


I have a bunch of cat5 buried about 1 ft below the surface connecting
multiple buildings on a campus (short runs) and lightning strikes nearby
have caused surges along one or more of the cables and burnt out switch
ports. I would like to protect the switch ports -- there seem to be lots
of products on the market.

Anyone have recommendations (tested/practical is best :-)?

The APC Protectnet PNET1 and PRM24 seem quite nice and not too expensive
-- if they work... pros? cons?

Thanks,
Adi


Re: Multi-6 [WAS: OT - Vint Cerf joins Google]

2005-09-13 Thread Tony Li


> Waitaminute - isn't the whole *purpose* of layer 3
> that the network makes these routing decisions?  
> 
> If there are N routers in an ISP, I would expect the
> ISP to connect to X endsystems, where 10N < X < 1000N.
> How does knowing about X endsystems scale better than
> knowing about N intermediate systems?
> 
> Am I missing something here?


I think there's some misunderstanding.  Nothing has to know about X
endsystems.  Nor did anything have to know about N routers before.

In the shim6 approach, a host only needs to know about its correspondent
hosts.  From a scalability perspective, this is unchanged from
previously, only the constants are bigger.

Tony


Re: Computer systems blamed for feeble hurricane response?

2005-09-13 Thread Valdis . Kletnieks
On Tue, 13 Sep 2005 15:50:12 EDT, Joseph S D Yao said:

> Oh, and also ... please consider that some firewalls try to discern
> whether the connection on port 25 is from a mail server or from Telnet.

OK, I'll bite.  A long time ago, I saw code that would trap the fact that many
telnet binaries would send option negotiation on ports other than 21.  What
are they keying off now? Since the host in question gave a 'Connection Refused',
it obviously made its decision based on the initial SYN packet.  So what are
they looking at?  TCP options? initial window? other?

16:25:37.240700 IP h80ad2467.async.vt.edu.43404 > listserv.vt.edu.smtp: S 1026334142:1026334142(0) win 5840
16:25:57.420455 IP h80ad2467.async.vt.edu.45093 > listserv.vt.edu.smtp: S 1074086420:1074086420(0) win 5840

One was a telnet connection, one was Sendmail.  Damned if I can tell.. ;)

Of course, a busticated firewall trying to tell the difference *would* explain
why they aren't accepting mail. :)




Re: Computer systems blamed for feeble hurricane response?

2005-09-13 Thread Steven M. Bellovin

In message <[EMAIL PROTECTED]>, Joseph S D Yao writes
:
>
>On Tue, Sep 13, 2005 at 04:15:29PM -0400, Mike Tancsa wrote:
>> At 03:50 PM 13/09/2005, Joseph S D Yao wrote:
>> 
>> >Oh, and also ... please consider that some firewalls try to discern
>> >whether the connection on port 25 is from a mail server or from Telnet.
>> >While I mourn the simplicity of manual debugging of such sites, it
>> >remains that: the fact that you can't TELNET HOST.DOMAIN 25 doesn't mean
>> >that there's no mail service there.
>> 
>> Making a network connection using the application "telnet" vs the 
>> application "sendmail" (or whatever MTA one uses) seems to be the 
>> same when doing a tcpdump on the data.  I am not sure how a firewall 
>> would know -- purely at the network layer -- what the other side's 
>> application was/is that initiated the connection.  Yes, the other end 
>> could try and connect back to the host, but there is no 2 way traffic 
>> as the 3way handshake is not completing and I dont see any other 
>> traffic coming back from that host attempting to discern any info.
>
>
>I don't know, myself.  I said they try.  Perhaps they succeed.  Perhaps
>they check the speed of incoming queries.  Perhaps they try to use a
>Telnet OPTION.  I don't know.  Perhaps it's a sales gag.  [I think it
>was a telnet OPTION, actually.]
>

Telnet options, and for that matter speed, happen after the 3-way 
handshake.  We're not getting that far.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb




Re: Multi-6 [WAS: OT - Vint Cerf joins Google]

2005-09-13 Thread John Payne



On Sep 13, 2005, at 3:19 PM, Iljitsch van Beijnum wrote:

> On 13-sep-2005, at 0:22, Igor Gashinsky wrote:
>
>> I must be missing something, but there's a good chance that the
>> requester is going to have to wait for a timeout on their SYN packets
>> before failing over to another address to try.   Or is the requester
>> supposed to send SYNs to all addresses for a hostname and race them off?
>
> This aspect isn't nailed down yet, but basically there are two
> options: depend on the application to try all addresses (which apps
> should do anyway, but I for one wouldn't want to wait for all these
> timeouts), or have the shim detect that the first address doesn't work
> and repair the failure. This adds additional complexity, though, and
> there is still a timeout, although it isn't a full TCP SYN timeout.

So, move to IPv6 and watch your initial connect times according to
keynote et al. increase?

>> Or, on top of that, how traffic engineering can be performed with
>> shim6..
>
> For outgoing traffic there is no difference with the current situation
> (as long as there are no ingress filtering issues). For incoming
> traffic, it basically starts with DNS load balancing, and the shim
> itself will have priority mechanisms to choose between different
> address pairs but this will generally not come into play because the
> idea is that the shim doesn't do anything unless there is an outage.

Mmmm, DNS load balancing.   As a shareholder in my current employer, I
am happy to see that market increase.   As a network engineer, I keep
getting the feeling I'm missing out on some great drugs.

> So where were you the past years in multi6 and months in shim6? Please
> be part of the solution and not part of the problem. (That goes for
> John Payne and Daniel Senie too.)

I was in denial that multihoming would get this broken.   I've joined
the mailing list... I'll note that the mailing list archive is not
linked anywhere useful, so to save others the guesswork:





CAT5 surge/lightning strike protection recommendations?

2005-09-13 Thread R.P. Aditya

I have a bunch of cat5 buried about 1 ft below the surface connecting multiple
buildings on a campus (short runs) and lightning strikes nearby have caused
surges along one or more of the cables and burnt out switch ports. I would
like to protect the switch ports -- there seem to be lots of products on the
market.

Anyone have recommendations (tested/practical is best :-)?

The APC Protectnet PNET1 and PRM24 seem quite nice and not too expensive --
if they work... pros? cons?

Thanks,
Adi


Re: Computer systems blamed for feeble hurricane response?

2005-09-13 Thread Joseph S D Yao

On Tue, Sep 13, 2005 at 04:15:29PM -0400, Mike Tancsa wrote:
> At 03:50 PM 13/09/2005, Joseph S D Yao wrote:
> 
> >Oh, and also ... please consider that some firewalls try to discern
> >whether the connection on port 25 is from a mail server or from Telnet.
> >While I mourn the simplicity of manual debugging of such sites, it
> >remains that: the fact that you can't TELNET HOST.DOMAIN 25 doesn't mean
> >that there's no mail service there.
> 
> Making a network connection using the application "telnet" vs the 
> application "sendmail" (or whatever MTA one uses) seems to be the 
> same when doing a tcpdump on the data.  I am not sure how a firewall 
> would know -- purely at the network layer -- what the other side's 
> application was/is that initiated the connection.  Yes, the other end 
> could try and connect back to the host, but there is no 2 way traffic 
> as the 3way handshake is not completing and I dont see any other 
> traffic coming back from that host attempting to discern any info.


I don't know, myself.  I said they try.  Perhaps they succeed.  Perhaps
they check the speed of incoming queries.  Perhaps they try to use a
Telnet OPTION.  I don't know.  Perhaps it's a sales gag.  [I think it
was a telnet OPTION, actually.]


-- 
Joe Yao
---
   This message is not an official statement of OSIS Center policies.


Re: Computer systems blamed for feeble hurricane response?

2005-09-13 Thread Mike Tancsa


At 03:50 PM 13/09/2005, Joseph S D Yao wrote:


> Oh, and also ... please consider that some firewalls try to discern
> whether the connection on port 25 is from a mail server or from Telnet.
> While I mourn the simplicity of manual debugging of such sites, it
> remains that: the fact that you can't TELNET HOST.DOMAIN 25 doesn't mean
> that there's no mail service there.


Making a network connection using the application "telnet" vs the 
application "sendmail" (or whatever MTA one uses) seems to be the 
same when doing a tcpdump on the data.  I am not sure how a firewall 
would know -- purely at the network layer -- what the other side's 
application was/is that initiated the connection.  Yes, the other end 
could try and connect back to the host, but there is no 2 way traffic 
as the 3way handshake is not completing and I dont see any other 
traffic coming back from that host attempting to discern any info.


---Mike 



Re: Multi-6 [WAS: OT - Vint Cerf joins Google]

2005-09-13 Thread Daniel Senie


At 03:19 PM 9/13/2005, you wrote:

> So where were you the past years in multi6 and months in shim6?
> Please be part of the solution and not part of the problem. (That
> goes for John Payne and Daniel Senie too.)


I was there in the beginning for Multi6. When I saw the direction(s) 
that were being considered, I decided the whole concept was a 
non-starter and spent my budget of IETF hours on other areas that had 
a chance of being useful.


Just how many IETF groups do you participate in? In how many 
different IETF areas? Do you also get other work done? Most folks 
(perhaps including you) have limited amounts of time to spend on IETF 
work. Some folks get paid to do such work by their employers, while 
others don't.


At what point does it make sense as a participant in a working group 
to look at the direction and sense of the room and decide that no 
amount of arguing is going to keep a trainwreck from occurring?


Rereading the paragraph I responded to, however, I'm starting to 
wonder how close it, and possibly also my response, are to ad hominem 
territory. I'm not sure I should be having to defend my choices in 
where to spend or not spend my time on IETF activities. 



Re: Computer systems blamed for feeble hurricane response?

2005-09-13 Thread Joseph S D Yao

On Tue, Sep 13, 2005 at 07:23:33AM -0700, william(at)elan.net wrote:
...
> Which indeed means they have no MX servers listed and that MAY be a 
> problem for some mail servers (though normally mail servers are supposed 
> to send email based on A record then).
> 
> Obviously not having MX record is not considered to be good email
> service setup in this century and it also means if they receive
> too many messages and their mail server can not handle all the
> connections, the mail will bounce (since there is no secondary
> mail server to go to).
...

Wrong ...

On Tue, Sep 13, 2005 at 09:36:39AM -0500, Larry Smith wrote:
...
> Actually it is worse than that.  fema.gov has an IP (205.128.1.44) which does 
> not respond for mail so most MTA will try the IP first, meaning that most 
> mail will fail even if ns.fema.gov or ns2.fema.gov do answer for mail.
...

Wrong ... in detail, anyway ...

On Tue, Sep 13, 2005 at 10:39:21AM -0400, Christian Kuhtz wrote:
...
> Uh, which mainstream mail server out there is ignorant enough not to 
> send to A record?
...

None, one may hope, although MS keeps amazing me ...

On Tue, Sep 13, 2005 at 10:44:56AM -0400, Mike Tancsa wrote:
...
> SOA said root.ns2.fema.gov. It might be someone actually read's roots mail ?
...

This [deliberate human intervention] is the ONLY WAY that mail might be
delivered to ns2.fema.gov ...

On Tue, Sep 13, 2005 at 08:06:57AM -0700, william(at)elan.net wrote:
...
> So having no MX server is really not such a good idea nowadays...
> 
> Obviously FEMA's problems are a lot worse since ip address 205.128.1.44
> is behind firewall and does not accept port 25 connections.
...

*sigh*

On Tue, Sep 13, 2005 at 11:51:27AM -0700, David Ulevitch wrote:
...

I want to comment that Dave's observations about backup reliable comms
opportunities seemed quite right.  If "the people who should" don't,
there should be some backup way for others with not quite the right
"in" to get through.


Mostly, I would like to invite all of the above to read RFC 2821, which
has specific comments on all of the above.  Any alleged mail server that
doesn't conform to RFC 2821 isn't doing its job.


If there are MX records, the server must try all IP addresses (from A
records) of all hosts listed in the MX records.  If there are no MX
records, the server must try all IP addresses associated with A records
of that domain.  If there are no MX records and no A records, no
delivery may be attempted.  NS records do NOT name candidates for mail
delivery.

If one of the mail servers responds, and indicates a permanent failure,
then a failure response gets delivered right away.  Otherwise, if the
delivery does not succeed right away, the message must be stored and
attempts made at reasonable intervals for a reasonable amount of time.
No distinction is made between addresses from MX record hosts or from A
records.

There is no requirement - even in this century - for MX records.  It is
a Good Idea(tm).  But not a requirement.  Lack of MX records does NOT
mean that you lose the store-and-forward capability of SMTP.  Lack of a
secondary server, while equally not a Good Idea(tm), does NOT mean that
you lose the store-and-forward capability, only that you exercise it
more often.

I know that there are books somewhere that expound in more literary
language on the concepts in RFC2821.  But this is the source.  Please
read it and refer to it during any discussion of e-mail service.

Thanks.

Oh, and also ... please consider that some firewalls try to discern
whether the connection on port 25 is from a mail server or from Telnet.
While I mourn the simplicity of manual debugging of such sites, it
remains that: the fact that you can't TELNET HOST.DOMAIN 25 doesn't mean
that there's no mail service there.  (It could also be temporarily
down.)


-- 
Joe Yao
---
   This message is not an official statement of OSIS Center policies.
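The target-selection rules summarised in the message above, as an added worked example that is not part of the thread: the zone table, host names and addresses (RFC 5737 documentation ranges) are constructed stand-ins for resolver answers, and the per-address outcomes are constructed stand-ins for SMTP replies, so nothing on the network is touched.

```python
# Added example (not from the thread): the RFC 2821 section 5 delivery-target
# selection as Joe Yao summarises it, written as pure functions over a
# constructed, in-memory zone table. All names and addresses are hypothetical.
from typing import Dict, List, Optional, Tuple

# Constructed zone data standing in for resolver answers.
ZONE: Dict[str, Dict[str, list]] = {
    "example.org": {
        "MX": [(20, "mx2.example.org"), (10, "mx1.example.org")],
        "A": ["192.0.2.10"],           # ignored: MX records exist
        "NS": ["ns1.example.org"],     # ignored: NS never names a mail target
    },
    "mx1.example.org": {"A": ["192.0.2.25", "192.0.2.26"]},
    "mx2.example.org": {"A": ["198.51.100.25"]},
    # Shaped like the case discussed above: no MX, one A record, NS records.
    "nomx.example": {"A": ["203.0.113.44"], "NS": ["ns.nomx.example"]},
    "ns.nomx.example": {"A": ["203.0.113.53"]},
    "nsonly.example": {"NS": ["ns.nomx.example"]},   # neither MX nor A
}


def lookup(name: str, rtype: str) -> list:
    """Stand-in for a DNS query against the constructed zone."""
    return ZONE.get(name, {}).get(rtype, [])


def delivery_targets(domain: str) -> List[Tuple[str, str]]:
    """Ordered (host, address) candidates an SMTP client must try for `domain`.
    MX present: hosts by ascending preference, every A record of each host.
    No MX: the domain itself acts as an implicit MX 0, so its own A records.
    Neither MX nor A: empty list, no delivery attempt. NS records are never used.
    RFC 2821 says equal-preference MX hosts should be randomised; the sort is
    kept stable here so the result is deterministic."""
    mx = lookup(domain, "MX")
    if mx:
        hosts = [host for _, host in sorted(mx, key=lambda rec: rec[0])]
    else:
        hosts = [domain] if lookup(domain, "A") else []
    return [(host, addr) for host in hosts for addr in lookup(host, "A")]


def attempt_delivery(domain: str,
                     responses: Dict[str, Optional[str]]) -> Tuple[str, Optional[str]]:
    """Walk the candidates in order. `responses` maps an address to what it did:
    'ok', 'permanent' (5xx), 'temporary' (4xx) or None (no answer, e.g. port 25
    firewalled). Returns one of:
      ('delivered', addr)    first address that accepted the message
      ('bounce', addr)       a server gave a permanent failure; fail right away
      ('queued', None)       nothing accepted, nothing permanent; store and retry
      ('no_delivery', None)  no MX and no A records, so no attempt is made"""
    targets = delivery_targets(domain)
    if not targets:
        return ("no_delivery", None)
    for _, addr in targets:
        outcome = responses.get(addr)
        if outcome == "ok":
            return ("delivered", addr)
        if outcome == "permanent":
            return ("bounce", addr)
        # 'temporary' or None: fall through to the next candidate
    return ("queued", None)


if __name__ == "__main__":
    print(delivery_targets("example.org"))
    print(attempt_delivery("nomx.example", {"203.0.113.44": None}))
    print(attempt_delivery("nsonly.example", {}))
```

The nomx.example case is the one the thread argues about: a single A record that does not answer on port 25 yields ("queued", None), which is store-and-forward working exactly as the RFC requires, while nsonly.example shows that NS records alone never produce a delivery attempt.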


Re: Multi-6 [WAS: OT - Vint Cerf joins Google]

2005-09-13 Thread Iljitsch van Beijnum


On 13-sep-2005, at 0:22, Igor Gashinsky wrote:

> I must be missing something, but there's a good chance that the
> requester is going to have to wait for a timeout on their SYN packets
> before failing over to another address to try.   Or is the requester
> supposed to send SYNs to all addresses for a hostname and race them off?

This aspect isn't nailed down yet, but basically there are two
options: depend on the application to try all addresses (which apps
should do anyway, but I for one wouldn't want to wait for all these
timeouts), or have the shim detect that the first address doesn't
work and repair the failure. This adds additional complexity, though,
and there is still a timeout, although it isn't a full TCP SYN timeout.

> Or, on top of that, how traffic engineering can be performed with
> shim6..

For outgoing traffic there is no difference with the current
situation (as long as there are no ingress filtering issues). For
incoming traffic, it basically starts with DNS load balancing, and
the shim itself will have priority mechanisms to choose between
different address pairs but this will generally not come into play
because the idea is that the shim doesn't do anything unless there is
an outage.

> And people wonder why more "content" isn't available for v6. Maybe
> when content providers start asking for a /32 *per datacenter* (ie a
> /26 or so of initial allocation) those issues might get solved... then
> again, probably not.

So how is that going to help? The whole idea behind shim6 is that we
can't give people all the independent address blocks that they may
possibly ask for.

> (firmly in the shim6 does not address *most* of the issues camp)

So where were you the past years in multi6 and months in shim6?
Please be part of the solution and not part of the problem. (That
goes for John Payne and Daniel Senie too.)

I'll be happy to continue any and all discussions of multihoming in
IPv6 off-list, but having them on the NANOG list doesn't seem to be
very productive.


On-topicness and FEMA's mail server

2005-09-13 Thread Steve Gibbard


Extensive troubleshooting of somebody else's mail server seems a bit 
off-topic for the NANOG list.  That's the sort of thing that, once the 
problem has been pointed out, will need to be fixed by people internal to 
the organization that runs the mail server.


-Steve
NANOG list administration group


Re: Multi-6 [WAS: OT - Vint Cerf joins Google]

2005-09-13 Thread Daniel Senie


At 10:17 AM 9/10/2005, Joe Abley wrote:



On 10-Sep-2005, at 09:18, Patrick W. Gilmore wrote:


[Perhaps this thread should migrate to Multi6?]


multi6 hasn't existed for some time. The "level-3 shim" approach to
multi-homing that was the primary output of multi6 is being discussed
in shim6.


Suppose they not only have no plan but couldn't really put together
a plan to support 200 customers?  Does this mean Google, or any
other content provider, is "unworthy" of globally routeable space?


Yes, according to the current RIR policies. [So the determination of
"unworthy" above has been made, in effect, by RIR members.]


IPv6 is a nice idea, and as soon as people realize that ISPs are
not the only organizations who have a need to multi-home - and I
mean really multi-home, not stupid work-arounds - then it might
actually start to happen.


It's not as though this line of thinking hasn't been followed many,
many times before. The counter-argument goes like this:

1. There is more v6 space than there is v4 space, by virtue of the
fact that the address is 96 bits wider.


Could the IPv6 proponents get their stories straight?

On the one hand, the talk is of 128 bit address space, then on the 
other hand the talk is of security-by-obscurity by handing out /48's 
to everyone and having networks really sparsely populated. So given 
the address space is so massive that 1/2 of the bits are effectively 
a local subaddress, perhaps the talk should be of doubling the number 
of bits, not quadrupling. Yes, I understand you can slice and dice 
however desired, but it sure seems like the proponents play fast and 
loose with the numbers when making their arguments, and it's tiresome.




2. Because there is vastly more v6 space than v4 space, if
entitlement to PI space in v6 was opened up the chances are many more
people would have v6 PI space than currently have v4 PI space.


The rules today have not resulted in an overly huge number of 
multihomers. The IPv6 crowd evangelists on the one hand insist 
there's no need for NAT, while on the other hand provide no solution 
to multihoming, and what's been evolving in the various "fixes" for 
that are less palatable than running a multiport NAT box. The choice 
is simple: live with NAT or provide portable address space. The 
marketplace is not likely, IMO, to accept shim6.


End systems should not be making decisions on where packets go beyond 
the local network segment. This has been tried before. It was called 
Token Ring Source Route Bridging. It was a bad idea then, and it's a 
bad idea now to have end stations deal with routing. SRB came into 
being to save the network elements from the burden of keeping track 
of the functioning of the network. Then Ethernet switches came along, 
spanning tree, and so forth.



3. Every PI assignment/allocation takes up a routing slot in every
router in the DFZ.


That's true today. Router memory complement has increased over time. 
So what? Cost of processing power and memory are a tiny fraction of 
what they were when the routing table was in the 20,000 prefix range.




4. Given 2 and 3, there is potential for the amount of state in the
DFZ to exceed the capabilities of the network to hold and process it
(e.g. enormous RIBs, soaring processor requirements for dealing with
updates, etc).


Processors in current routers are well below the fastest on the 
market. There's plenty of horsepower headroom. There's plenty of 
opportunity to expand the amount of memory.




It's possible that the number of PI assignments might not be that
high, and the scaling properties in practice might not be so bad.
However, you only get to find this out after you've opened the
floodgates, and if it turns out that it doesn't scale, it's hard to
push the water back into the reservoir.


What floodgates? Are we flooded today? The rules today for getting 
portable space are NOT all that difficult to meet.




The goal in shim6 is to find a mechanism which provides all the
functional benefits of multi-homing without holding all the state in
DFZ routers.


That multihoming was not properly addressed as a core goal to solve 
in IPv6 is one of the failings in the whole effort. The shim6 
approach is, IMO, not going to fly. A multiported NAT box for $179 or 
less (present product in the marketplace) provides a simple solution 
without the end stations being involved. Sure, it uses NAT.



There seems to be some ongoing perception that various protocol/ 
research organisations have no idea about the value of multi-homing

for enterprises in the real network, and hence ignore it. While that
might have once been the case (I certainly remember thinking so
around 1997 whilst shouting on the ipng list), I don't believe it's
the case today.


Sadly, because folks wouldn't listen then, IPv6 lacks a useful 
multihoming solution beyond what we have in IPv4. Gluing on band-aids 
is not going to solve it. Relying on Moore's Law to continue to make 
routing equipment keep 

Re: Computer systems blamed for feeble hurricane response?

2005-09-13 Thread David Ulevitch



On Sep 13, 2005, at 11:13 AM, Hannigan, Martin wrote:


ObOp: Email is NOT a reliable form of communication.


^^^ unrelated and I disagree...


  DHS shouldn't start to think so either. NANOG
  shouldn't worry about if someones email is working
  as a byproduct, but sure worry if the store and forward
  function of an ISP is. '


   ^^^ There exist networks and operators who do not run ISPs.   
People often forget.



  Perhaps there are reasons some corporate or volunteer
  mail service is not working i.e. blocked, disallowed on port,
  etc.


   ^^^ I'm sure there is a reason.  My first guess is that it's  
broken.  My second is that it was never intended to be a domain used  
for email and the website techs never got the memo.



ObNotOp:

Anyone who needs to contact FEMA, already knows how. If they
are using a web page address, they probably shouldn't be contacting
FEMA directly, but working through their own government hierarchy.


In dealing with incidents it is possible to cover many areas of  
failure.  There are many cases where the chain of command, the  
hierarchy process and many other elements fail.  In those times,  
sometimes getting to a website and finding a contact address serve as  
a real means of communication and should be regarded as such.   
History proves the point that out of band comms and other forms of  
handling are often used during an emergency that were not expected.


Right now if I go to http://www.fema.gov and click on "How to get  
help" and then "Contact us" I get a 404 forbidden.  That's a  
failure.  It's narrow-sighted to underestimate the importance of  
things like FEMAs website in dealing with national disaster and  
incident response.


-david


Re: Multi-6 [WAS: OT - Vint Cerf joins Google]

2005-09-13 Thread David Barak



--- Mikael Abrahamsson <[EMAIL PROTECTED]> wrote:

> The "shimming" model is a way to solve this by the endsystems knowing
> about multihoming, instead of the network. I personally think this is a
> better idea and scales much better. Let's have the network moving packets
> as its primary goal, not solving "how do I reach this prefix" equations.

Waitaminute - isn't the whole *purpose* of layer 3
that the network makes these routing decisions?  

If there are N routers in an ISP, I would expect the
ISP to connect to X endsystems, where 10N < X < 1000N.
How does knowing about X endsystems scale better than
knowing about N intermediate systems?

Am I missing something here?

David Barak
http://www.listentothefranchise.com





RE: Computer systems blamed for feeble hurricane response?

2005-09-13 Thread Hannigan, Martin


> 
> http://www.fema.gov/staff/extended.jsp
> 
> Lists an "IT Services Division" that has ~250 possible points of  
> contact.
> 
> Surely one of them has some clue... :-/  I think this sort of problem
> shows the endemic disease currently in place at FEMA.  It's not just
> an "IT gaffe" or firewall mistake.  It's a failure much more serious,
> sadly.


ObOp: Email is NOT a reliable form of communication.

  DHS shouldn't start to think so either. NANOG 
  shouldn't worry about if someones email is working
  as a byproduct, but sure worry if the store and forward
  function of an ISP is. '

Anything below that is the individual SP's problem, IMO.
  Perhaps there are reasons some corporate or volunteer
  mail service is not working i.e. blocked, disallowed on port,
  etc. 

 


ObNotOp:

Anyone who needs to contact FEMA, already knows how. If they
are using a web page address, they probably shouldn't be contacting
FEMA directly, but working through their own government hierarchy.



Re: Multi-6 [WAS: OT - Vint Cerf joins Google]

2005-09-13 Thread Valdis . Kletnieks
On Tue, 13 Sep 2005 14:45:31 +0300, Joe Abley said:

> And with many peer-to-peer applications, isn't the traffic  
> engineering already effectively performed at the edge?

"already performed ineffectively at the edge" is probably a better
description of the true state of affairs.   Remember that usually these
things bias their behavior in favor of the person running the program,
not for the benefit of the ISP who's moving the packets




Re: Computer systems blamed for feeble hurricane response?

2005-09-13 Thread Christian Kuhtz


[EMAIL PROTECTED] wrote:


On Tue, 13 Sep 2005 10:39:21 EDT, Christian Kuhtz said:
 


william(at)elan.net wrote:

   

Which indeed means they have no MX servers listed and that MAY be a 
problem for some mail servers (though normally mail servers are 
supposed to send email based on A record then).
 

Uh, which mainstream mail server out there is ignorant enough not to 
send to A record?
   



There's no MX record for fema.gov.  The *single* A record doesn't answer on
port 25.  And there's no mail server I know of that's on enough crack that it
thinks trying the 2 NS entries is acceptable
 

That wasn't the question, I'm well aware of the situation.  But thanks 
for playing ;-)





Re: Computer systems blamed for feeble hurricane response?

2005-09-13 Thread David Ulevitch



On Sep 13, 2005, at 1:13 PM, Fergie (Paul Ferguson) wrote:



Attempts by agencies to spur the Federal Emergency Management  
Agency into urgent action were met with bouncing emails, the  
Journal said.


http://www.fema.gov/staff/extended.jsp

Lists an "IT Services Division" that has ~250 possible points of  
contact.


Surely one of them has some clue... :-/  I think this sort of problem  
shows the endemic disease currently in place at FEMA.  It's not just  
an "IT gaffe" or firewall mistake.  It's a failure much more serious,  
sadly.


-David



Re: Computer systems blamed for feeble hurricane response?

2005-09-13 Thread Valdis . Kletnieks
On Tue, 13 Sep 2005 10:39:21 EDT, Christian Kuhtz said:
> 
> william(at)elan.net wrote:
> 
> >
> > Which indeed means they have no MX servers listed and that MAY be a 
> > problem for some mail servers (though normally mail servers are 
> > supposed to send email based on A record then).
> 
> Uh, which mainstream mail server out there is ignorant enough not to 
> send to A record?

There's no MX record for fema.gov.  The *single* A record doesn't answer on
port 25.  And there's no mail server I know of that's on enough crack that it
thinks trying the 2 NS entries is acceptable





Re: Computer systems blamed for feeble hurricane response?

2005-09-13 Thread Aaron Glenn

On 9/13/05, Fergie (Paul Ferguson) <[EMAIL PROTECTED]> wrote:
> 
> Attempts by agencies to spur the Federal Emergency Management Agency into 
> urgent action were met with bouncing emails, the Journal said.
> 

while the lot of you can debate proper DNS records and what OS their
mail server might be running, does anyone else find it highly odd and
worrisome that they're sending emails to alert FEMA of a crisis,
instead of, I don't know - phone calls? if I'm a federal agency and I
require FEMA's resources immediately, I'm going to pick up the phone
and call them; not fire off an email marked "urgent".

aaron.glenn


Re: Computer systems blamed for feeble hurricane response?

2005-09-13 Thread william(at)elan.net



On Tue, 13 Sep 2005, Christian Kuhtz wrote:


william(at)elan.net wrote:



Which indeed means they have no MX servers listed and that MAY be a problem 
for some mail servers (though normally mail servers are supposed to send 
email based on A record then).


Uh, which mainstream mail server out there is ignorant enough not to send to 
A record?


I came across a Windows mail server that didn't (not Exchange, some small
one that I don't remember now). There are also unix php scripts that
don't work properly with it.

Also earlier versions of postfix did not properly retry delivery if the 
domain had no MX and connection to the server did not work. Other mail 
servers may also have various types of "unusual" behavior when they see
no MX. Also some servers like exim have an option not to send email if
there is no MX record (or rather turn off default behavior of falling
back to A record if MX is not there).

So having no MX server is really not such a good idea nowadays...

Obviously FEMA's problems are a lot worse since ip address 205.128.1.44
is behind a firewall and does not accept port 25 connections.

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]


Re: Computer systems blamed for feeble hurricane response?

2005-09-13 Thread Mike Tancsa


At 10:29 AM 13/09/2005, Steven Champeon wrote:


on Tue, Sep 13, 2005 at 09:54:42AM -0400, Mike Tancsa wrote:
>
>
> Looks Solaris'ish
>
> # telnet ns2.fema.gov smtp
> Trying 162.83.67.144...
> Connected to ns2.fema.gov.
> Escape character is '^]'.
> 220 ns2.fema.gov ESMTP Sendmail 8.11.7p1+Sun/8.11.7; Tue, 13 Sep 2005
> 09:49:36 -0400 (EDT)

Well, how is any automated system supposed to find it? Sheesh.




Apparently, that host accepts mail to postmaster; we'll see if it is
actually delivered/read/responded to.



SOA said root.ns2.fema.gov. It might be that someone actually reads root's mail?

I will cc that addr so if it's read, they can see the thread at

http://www.merit.edu/mail.archives/nanog/msg11505.html

and perhaps comment.

---Mike




--
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
antispam news, solutions for sendmail, exim, postfix: http://enemieslist.com/




Re: Computer systems blamed for feeble hurricane response?

2005-09-13 Thread Christian Kuhtz


william(at)elan.net wrote:



Which indeed means they have no MX servers listed and that MAY be a 
problem for some mail servers (though normally mail servers are 
supposed to send email based on A record then).


Uh, which mainstream mail server out there is ignorant enough not to 
send to A record?




Re: Computer systems blamed for feeble hurricane response?

2005-09-13 Thread Larry Smith

On Tuesday 13 September 2005 09:23, william(at)elan.net wrote:
> Which indeed means they have no MX servers listed and that MAY be a
> problem for some mail servers (though normally mail servers are supposed
> to send email based on A record then).
>
> Obviously not having MX record is not considered to be good email
> service setup in this century and it also means if they receive
> too many messages and their mail server can not handle all the
> connections, the mail will bounce (since there is no secondary
> mail server to go to).

Actually it is worse than that.  fema.gov has an IP (205.128.1.44) which does 
not respond for mail, so most MTAs will try the IP first, meaning that most 
mail will fail even if ns.fema.gov or ns2.fema.gov do answer for mail.

-- 
Larry Smith
SysAd ECSIS.NET
[EMAIL PROTECTED]




Re: Multi-6 [WAS: OT - Vint Cerf joins Google]

2005-09-13 Thread Christopher L. Morrow



On Tue, 13 Sep 2005, Christian Kuhtz wrote:
> Marshall Eubanks wrote:
> >On Mon, 12 Sep 2005 17:41:51 -0400
> > John Payne <[EMAIL PROTECTED]> wrote:
> >>On Sep 12, 2005, at 6:58 AM, Iljitsch van Beijnum wrote:
> I'll be blunt.  As long as that question is up in the air, none of
> the major content providers are going to do anything serious in the
> IPv6 arena.
> >>>Well, I have no evidence of them doing anything with IPv6 anyway, so I
> >>>don't know if this makes a difference.
> >>I have a very strong feeling that part of the lack of content providers
> >>on IPv6 is due to the lack of multihoming.
> >
> >No, I would say it is due to the lack of an audience that can _only_  be 
> >reached
> >(or even _best_ be reached) using IPv6.
> >
> >Once the audience is there, the content providers will follow.
> >
> Same issue really.  Audience isn't going to mature until those issues
> are sorted.

so 'chicken and egg' problem, which was why a month ago I said: "why
don't some content providers put up some form of their content on a
sidelined v6 path?" Perhaps a 'testing' path or a 'not wholly production'
path?

Some of the answers were enlightening (to me at least)...

anyway, this has been some good discussion, and 2 more people are now on
shim6 :)


Re: Computer systems blamed for feeble hurricane response?

2005-09-13 Thread Steven Champeon

on Tue, Sep 13, 2005 at 09:54:42AM -0400, Mike Tancsa wrote:
> 
> At 09:31 AM 13/09/2005, Steven Champeon wrote:
> 
> >Does anyone know what their mail infrastructure looks like? From what I
> >can see, they don't even have an MX record for fema.gov...
> 
> No MX record, and the A record for fema.gov does not accept smtp traffic.
> 
> # telnet fema.gov smtp
> Trying 205.128.1.44...
> telnet: connect to address 205.128.1.44: Operation timed out
> telnet: Unable to connect to remote host
> #
> Then again, it might be that they use different email addresses ? @dhs.gov ?

Their "contact us" page on fema.gov lists several @fema.gov addresses, so
I doubt it.

> fema.govnameserver = ns.fema.gov
> fema.govnameserver = ns2.fema.gov
> ns.fema.gov internet address = 166.112.200.142
> ns2.fema.govinternet address = 162.83.67.144
> 
> Looks Solaris'ish
> 
> # telnet ns2.fema.gov smtp
> Trying 162.83.67.144...
> Connected to ns2.fema.gov.
> Escape character is '^]'.
> 220 ns2.fema.gov ESMTP Sendmail 8.11.7p1+Sun/8.11.7; Tue, 13 Sep 2005 
> 09:49:36 -0400 (EDT)

Well, how is any automated system supposed to find it? Sheesh.
Apparently, that host accepts mail to postmaster; we'll see if it is
actually delivered/read/responded to.

-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
antispam news, solutions for sendmail, exim, postfix: http://enemieslist.com/


Re: Computer systems blamed for feeble hurricane response?

2005-09-13 Thread william(at)elan.net




The newspaper did not say which computer systems FEMA uses.


$ dig mx fema.gov
;; ANSWER SECTION:
fima.org.   3600IN  MX  0 smtp.secureserver.net.
fima.org.   3600IN  MX  10 mailstore1.secureserver.net


That's interesting -- I'm not getting that response.


Sorry about that, as you could probably get from dig, I did it on
fima.gov instead ...

correct one is:

-
;; QUESTION SECTION:
;fema.gov.  IN  MX

;; AUTHORITY SECTION:
fema.gov.   1642IN  SOA ns.fema.gov. 
root.ns2.fema.gov. 2005090901 10800 3600 604800 1800

-


Which indeed means they have no MX servers listed and that MAY be a 
problem for some mail servers (though normally mail servers are supposed 
to send email based on A record then).


Obviously not having MX record is not considered to be good email
service setup in this century and it also means if they receive
too many messages and their mail server can not handle all the
connections, the mail will bounce (since there is no secondary
mail server to go to).

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]
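The implicit-MX rule William and Larry describe above (no MX record means an MTA falls back to the domain's own A record, and never to its NS hosts), as an added example that is not part of the thread. It runs the rule over a constructed copy of the dig and telnet answers quoted in this thread; the Zone class, mail_targets(), attempt_delivery() and audit_mail_setup() are hypothetical helpers written for this example, and the example.net zone and the LISTENING set are constructed test data.

```python
"""Added example (not from the thread): the MX / implicit-MX selection rule
that an RFC 2821 MTA follows, run over a constructed copy of the DNS
answers quoted above, to show why mail for fema.gov bounces.

Assumptions: Zone, mail_targets(), attempt_delivery() and audit_mail_setup()
are hypothetical helpers written for this example; the example.net zone and
the LISTENING set are constructed test data, not live lookups.
"""
from dataclasses import dataclass, field


@dataclass
class Zone:
    """The records an MTA's resolver would see for one domain."""
    mx: list = field(default_factory=list)   # (preference, exchange host)
    a: dict = field(default_factory=dict)    # hostname -> [IPv4 addresses]
    ns: list = field(default_factory=list)   # nameserver hosts (unused for mail)


def mail_targets(domain, zone):
    """Ordered (preference, host, ip) delivery candidates for `domain`.

    MX records are tried lowest preference first (RFC 2821 says equal
    preferences should be tried in random order; kept stable here for
    determinism). With no MX at all the domain itself is the implicit MX,
    so only its own A record is ever tried. NS records are never consulted,
    which is why a Sendmail listening on ns2.fema.gov is irrelevant.
    """
    if zone.mx:
        candidates = sorted(zone.mx, key=lambda rec: rec[0])
    else:
        candidates = [(0, domain)]          # implicit MX, preference 0
    return [(pref, host, ip)
            for pref, host in candidates
            for ip in zone.a.get(host, [])]


def attempt_delivery(domain, zone, listening):
    """Simulate one delivery pass. `listening` is the constructed set of IPs
    that accept a TCP connection on port 25. Returns (delivered_to, tried);
    delivered_to is None when every candidate refused or timed out, which
    is the state an MTA queues in and eventually bounces from."""
    tried = []
    for _pref, _host, ip in mail_targets(domain, zone):
        tried.append(ip)
        if ip in listening:
            return ip, tried
    return None, tried


def audit_mail_setup(domain, zone, listening):
    """Defender-side checks mirroring the thread's findings; returns a list
    of human-readable findings (empty when the setup looks sound)."""
    findings = []
    targets = mail_targets(domain, zone)
    if not zone.mx:
        findings.append("no MX record: delivery depends on the implicit MX "
                        "(the domain's A record) and there is no secondary")
    if not targets:
        findings.append("no deliverable target: no A record for the domain "
                        "or any MX host")
    elif all(ip not in listening for _, _, ip in targets):
        findings.append("no target accepts port 25: mail will queue and "
                        "bounce after the sender's retry window")
    return findings


# Constructed from the dig and telnet output quoted in the thread, not live:
# fema.gov has no MX, one A record that times out on port 25, and two NS
# hosts, one of which (ns2) happens to run Sendmail.
FEMA_GOV = Zone(
    mx=[],
    a={"fema.gov": ["205.128.1.44"],
       "ns.fema.gov": ["166.112.200.142"],
       "ns2.fema.gov": ["162.83.67.144"]},
    ns=["ns.fema.gov", "ns2.fema.gov"],
)
# Constructed contrast case: a primary MX plus a backup at a higher preference.
EXAMPLE_NET = Zone(
    mx=[(10, "mx2.example.net"), (0, "mx1.example.net")],
    a={"example.net": ["192.0.2.1"],
       "mx1.example.net": ["192.0.2.25"],
       "mx2.example.net": ["192.0.2.26"]},
    ns=["ns1.example.net"],
)
# Constructed: the only address that answered on port 25 in the thread's
# telnet tests, plus both example.net exchangers.
LISTENING = {"162.83.67.144", "192.0.2.25", "192.0.2.26"}


if __name__ == "__main__":
    for name, zone in (("fema.gov", FEMA_GOV), ("example.net", EXAMPLE_NET)):
        delivered, tried = attempt_delivery(name, zone, LISTENING)
        print(f"{name}: tried {tried}, delivered to {delivered}")
        for finding in audit_mail_setup(name, zone, LISTENING):
            print(f"  finding: {finding}")
    # With mx1 down, example.net still delivers via its backup MX.
    print(attempt_delivery("example.net", EXAMPLE_NET,
                           LISTENING - {"192.0.2.25"}))
```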


Re: Computer systems blamed for feeble hurricane response?

2005-09-13 Thread Suresh Ramasubramanian

On 13/09/05, Steven M. Bellovin <[EMAIL PROTECTED]> wrote:
> >$ dig mx fema.gov
> >;; ANSWER SECTION:
> >fima.org.   3600IN  MX  0 smtp.secureserver.net.
> >fima.org.   3600IN  MX  10 
> >mailstore1.secureserver.net
> 
> That's interesting -- I'm not getting that response.

Er, who is fIma.org and were you looking for fEma.org instead?

-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])


Re: Computer systems blamed for feeble hurricane response?

2005-09-13 Thread John Kinsella

On Tue, Sep 13, 2005 at 10:08:59AM -0400, Steven M. Bellovin wrote:
> In message <[EMAIL PROTECTED]>, "william(at)elan
> .net" writes:
> >;; ANSWER SECTION:
> >fima.org.   3600IN  MX  0 smtp.secureserver.net.
> >fima.org.   3600IN  MX  10 
> >mailstore1.secureserver.net
> That's interesting -- I'm not getting that response.

Second that.  Just glanced at the fema website - their contact us
section lists a mixture of @dhs.gov as well as @fema.gov addresses.

John


Re: Computer systems blamed for feeble hurricane response?

2005-09-13 Thread Christian Kuhtz


Steven M. Bellovin wrote:


In message <[EMAIL PROTECTED]>, "william(at)elan
.net" writes:
 


not say which computer systems FEMA uses.
 


$ dig mx fema.gov
;; ANSWER SECTION:
fima.org.   3600IN  MX  0 smtp.secureserver.net.
fima.org.   3600IN  MX  10 mailstore1.secureserver.net
   



That's interesting -- I'm not getting that response.
 

Sure you will.  If you dig fima.org and not fema.gov as it appears 
above.  Fema.gov doesn't have any mx.


Thanks,
Christian




Re: Computer systems blamed for feeble hurricane response?

2005-09-13 Thread Steven M. Bellovin

In message <[EMAIL PROTECTED]>, "william(at)elan
.net" writes:
>
>
>On Tue, 13 Sep 2005, Fergie (Paul Ferguson) wrote:
>
>> It quoted a Department of Health official as saying every email it had 
>> sent to FEMA staff bounced. "They need a better internet provider during 
>> disasters," the Journal quoted her or him as saying.
>>
>> A number of US agencies made desperate calls to the Department of 
>> Homeland Security and to Congresswomen and men, the article claimed. 
>>
>> The newspaper did not say which computer systems FEMA uses.
>
>$ dig mx fema.gov
>;; ANSWER SECTION:
>fima.org.   3600IN  MX  0 smtp.secureserver.net.
>fima.org.   3600IN  MX  10 mailstore1.secureserver.net

That's interesting -- I'm not getting that response.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb




Re: Katrina Network Damage Report

2005-09-13 Thread Suresh Ramasubramanian

On 13/09/05, Scott A Crosby <[EMAIL PROTECTED]> wrote:
> 
> When the number of open print servers exceeds a threshold, I predict
> that 'innovative marketers' will start using zombied toasters to send
> advertisements to all open print servers they can find.
> 
> And at that point, security matters very much.
> 

There's a whole lot of servers that are printers + plain paper fax
machines, that come with a fax and print server bundled.

And junk faxes are about as old as faxes are ..

Convergence, convergence ...

-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])


Re: Multi-6 [WAS: OT - Vint Cerf joins Google]

2005-09-13 Thread Christian Kuhtz


Marshall Eubanks wrote:


On Mon, 12 Sep 2005 17:41:51 -0400
John Payne <[EMAIL PROTECTED]> wrote:
 


On Sep 12, 2005, at 6:58 AM, Iljitsch van Beijnum wrote:

   

I'll be blunt.  As long as that question is up in the air, none of 
the major content providers are going to do anything serious in the 
IPv6 arena.
   

Well, I have no evidence of them doing anything with IPv6 anyway, so I 
don't know if this makes a difference.
 

I have a very strong feeling that part of the lack of content providers 
on IPv6 is due to the lack of multihoming.


   



No, I would say it is due to the lack of an audience that can _only_  be reached
(or even _best_ be reached) using IPv6.

Once the audience is there, the content providers will follow.
 

Same issue really.  Audience isn't going to mature until those issues 
are sorted.




Re: Computer systems blamed for feeble hurricane response?

2005-09-13 Thread william(at)elan.net



On Tue, 13 Sep 2005, Fergie (Paul Ferguson) wrote:

It quoted a Department of Health official as saying every email it had 
sent to FEMA staff bounced. "They need a better internet provider during 
disasters," the Journal quoted her or him as saying.


A number of US agencies made desperate calls to the Department of 
Homeland Security and to Congresswomen and men, the article claimed. 


The newspaper did not say which computer systems FEMA uses.


$ dig mx fema.gov
;; ANSWER SECTION:
fima.org.   3600IN  MX  0 smtp.secureserver.net.
fima.org.   3600IN  MX  10 mailstore1.secureserver.net.

;; AUTHORITY SECTION:
fima.org.   3600IN  NS  PARK5.secureserver.net.
fima.org.   3600IN  NS  PARK6.secureserver.net.

[This is Godaddy and their datacenter is obviously in Arizona]

$ dig fima.org
[snip]
$ ;; ANSWER SECTION:
fema.gov.   1800IN  A   205.128.1.44

;; AUTHORITY SECTION:
fema.gov.   1800IN  NS  ns.fema.gov.
fema.gov.   1800IN  NS  ns2.fema.gov.

$ whois -h completewhois.com 205.128.1.44
[snip]
Level 3 Communications, Inc. LVLT-ORG-205-128 (NET-205-128-0-0-1)
  205.128.0.0 - 205.131.255.255
Federal Emergency Management Agency FEDEMERGENCY-1-18 (NET-205-128-1-0-1)
  205.128.1.0 - 205.128.1.127

Note: They also have 192.206.40.0/24 (not routed), 205.142.100.0/22
(not routed), 64.119.224.0/20 (not in bgp) and 166.112.0.0/16
(announced by 2828 - XO).

While it's possible that L3 or XO could have been down with one of
their southern links, I really don't think it would affect their
Washington, DC customers.

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]


Re: need help regarding portmaster 2E as a dialin server

2005-09-13 Thread Mark Rogaski
An entity claiming to be Md. kamal Hossain ([EMAIL PROTECTED]) wrote:
: Dear all I have portmaster 2E with 30 asyn port.I try to
: configure it as dialin server.But when i dial it can't
: authenticate. can anyone help regarding this configuration


Kamal,

I'd recommend signing up for some of the mailing lists on portmasters.com.  

http://portmasters.com/mailman/listinfo

And, before posting, take a look at their docs at
http://portmasters.com/tech/docs/manuals.html . 

Specifically, you'll want to look at
http://portmasters.com/tech/docs/trb/admin.fm.html#7225 .

Mark

-- 
[]|  A locked gun cabinet and a primaeval Macintosh
[] Mark Rogaski   |  desktop-publishing system, green with age, attested
[] [EMAIL PROTECTED]  |  to the owner's previous forays into officially
[] [EMAIL PROTECTED]  |  discouraged realms of behavior. -- Neil Stephenson
[]|




Re: Computer systems blamed for feeble hurricane response?

2005-09-13 Thread Mike Tancsa


At 09:31 AM 13/09/2005, Steven Champeon wrote:


Does anyone know what their mail infrastructure looks like? From what I
can see, they don't even have an MX record for fema.gov...


No MX record, and the A record for fema.gov does not accept smtp traffic.

# telnet fema.gov smtp
Trying 205.128.1.44...
telnet: connect to address 205.128.1.44: Operation timed out
telnet: Unable to connect to remote host
#
Then again, it might be that they use different email addresses ? @dhs.gov ?

> set type=soa
> fema.gov
Server:  ns.fema.gov
Address:  166.112.200.142

fema.gov
origin = ns.fema.gov
mail addr = root.ns2.fema.gov
serial = 2005090901
refresh = 10800 (3H)
retry   = 3600 (1H)
expire  = 604800 (1W)
minimum ttl = 1800 (30M)
fema.govnameserver = ns.fema.gov
fema.govnameserver = ns2.fema.gov
ns.fema.gov internet address = 166.112.200.142
ns2.fema.govinternet address = 162.83.67.144

Looks Solaris'ish

# telnet ns2.fema.gov smtp
Trying 162.83.67.144...
Connected to ns2.fema.gov.
Escape character is '^]'.
220 ns2.fema.gov ESMTP Sendmail 8.11.7p1+Sun/8.11.7; Tue, 13 Sep 2005 
09:49:36 -0400 (EDT)


---Mike 



Re: Computer systems blamed for feeble hurricane response?

2005-09-13 Thread Steven Champeon

on Tue, Sep 13, 2005 at 01:13:19PM +, Fergie (Paul Ferguson) quoth:
> Attempts by agencies to spur the Federal Emergency Management Agency
> into urgent action were met with bouncing emails, the Journal said.
> 
> It quoted a Department of Health official as saying every email it had
> sent to FEMA staff bounced. "They need a better internet provider
> during disasters," the Journal quoted her or him as saying.

Does anyone know what their mail infrastructure looks like? From what I
can see, they don't even have an MX record for fema.gov...

-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
antispam news, solutions for sendmail, exim, postfix: http://enemieslist.com/


Computer systems blamed for feeble hurricane response?

2005-09-13 Thread Fergie (Paul Ferguson)

This is the first I've heard of this... 

Via The Inquirer:

[snip]

REPORTERS at the Wall Street Journal said they have seen documents which show 
that a swift response by the US federal government to Hurricane Katrina was 
hampered because FEMA computer servers crashed.

Michael Brown, FEMA's head, resigned yesterday after being recalled by the 
Department of Homeland Security to Washington DC.

Attempts by agencies to spur the Federal Emergency Management Agency into 
urgent action were met with bouncing emails, the Journal said.

It quoted a Department of Health official as saying every email it had sent to 
FEMA staff bounced. "They need a better internet provider during disasters," 
the Journal quoted her or him as saying.

A number of US agencies made desperate calls to the Department of Homeland 
Security and to Congresswomen and men, the article claimed. [Subscription 
required.]

The newspaper did not say which computer systems FEMA uses.

[snip]

http://www.theinquirer.net/?article=26125

- ferg


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 [EMAIL PROTECTED] or [EMAIL PROTECTED]
 ferg's tech blog: http://fergdawg.blogspot.com/



AOL whitelisting - a heads-up and a request for assistance

2005-09-13 Thread Omar Thameen

Hi Folks,

This is both a request for assistance and a warning which I hope
will benefit others.  We've been on AOL's whitelist for more than
5 years.  We've been reorganizing our delivery servers in the past
month or so with no problems.  A recent spike in complaints from
one of our clients' lists (which we've isolated) has alerted us to
the fact that our historically whitelisted IP addresses are no
longer whitelisted.  A call to AOL's postmaster line confirms that
no IPs are listed for our company, either whitelisted or blacklisted.
That is, our IPs have been dropped from the whitelist database or
lost.

In re-applying for whitelisting, I do see that AOL requires a 
minimum of 100 emails/month to maintain a whitelist entry.  This
is new to me, and would be worth noting for others who may be
adding or removing servers.

The postmaster line informed me that it would be 3-5 business days
for the whitelisting to be updated.  AOL deliveries are critical
to our business, so even a day of disruption is too long.  I would
be very grateful if someone could help expedite our request.  Please
contact me off-list.

Omar Thameen
[EMAIL PROTECTED]
212-686-2140



Re: Multi-6 [WAS: OT - Vint Cerf joins Google]

2005-09-13 Thread Joe Abley



On 13-Sep-2005, at 03:28, Crist Clark wrote:


Igor Gashinsky wrote:
[snip]


Moving everything to the end-hosts is simply not a good idea imho.


But isn't that what IP is supposed to be about? Smart endpoints, dumb
network (a.k.a. the stupid network)?


And with many peer-to-peer applications, isn't the traffic  
engineering already effectively performed at the edge?



Joe



Re: Katrina Network Damage Report

2005-09-13 Thread Scott A Crosby

On Mon, 12 Sep 2005 12:47:00 +0200, Iljitsch van Beijnum <[EMAIL PROTECTED]> 
writes:

> On 12-sep-2005, at 2:47, [EMAIL PROTECTED] wrote:
>
>> Amazingly enough, the *single* biggest problem in trying to get Joe
>> Sixpack to secure their systems is "But I don't have anything
>> they'd be interested in..."
>
> Security isn't an end in itself. For instance, I don't care enough
> about people using up my paper and ink to secure my print server
> against remote printing.

When the number of open print servers exceeds a threshold, I predict
that 'innovative marketers' will start using zombied toasters to send
advertisements to all open print servers they can find.

And at that point, security matters very much.

Scott


need help regarding portmaster 2E as a dialin server

2005-09-13 Thread Md. kamal Hossain




Dear all
 
I have a portmaster 2E with 30 async ports. I try to 
configure it as a dialin server. But when I dial it can't 
authenticate.
 
Can anyone help regarding this 
configuration?
 
 
best of luck
 
kamal