Re: Tor and network security/administration

2006-06-22 Thread Lionel Elie Mamane

On Wed, Jun 21, 2006 at 02:53:06PM -0700, Jeremy Chadwick wrote:
> On Wed, Jun 21, 2006 at 05:02:47PM -0400, Todd Vierling wrote:

>> If the point of the technology is to add a degree of anonymity, you
>> can be pretty sure that a marker expressly designed to state the
>> message "Hi, I'm anonymous!" will never be a standard feature of
>> said technology.  That's a pretty obvious non-starter.

> Which begs the original question of this thread which I started:
> with that said, how exactly does one filter this technology?

The list of IP addresses of tor nodes is *public*. If tor users can
get it, you can, too. Some IRC networks already run a stripped-down
tor client to always tag connections from tor as such, and permit
channel operators to ban such connections from their channel should
they wish so.

-- 
Lionel


Re: Tor and network security/administration

2006-06-22 Thread Lionel Elie Mamane

On Thu, Jun 22, 2006 at 11:58:34AM +1000, Matthew Sullivan wrote:
> Jeremy Chadwick wrote:
>> On Wed, Jun 21, 2006 at 05:02:47PM -0400, Todd Vierling wrote:

>>> If the point of the technology is to add a degree of anonymity,
>>> you can be pretty sure that a marker expressly designed to state
>>> the message "Hi, I'm anonymous!" will never be a standard feature
>>> of said technology.  That's a pretty obvious non-starter.

>> Which begs the original question of this thread which I started:
>> with that said, how exactly does one filter this technology?

> Of course SORBS' position is actually this - if you are allowing
> Trojan traffic over the Tor network you will get listed (regardless
> of whether the Trojans can talk to port 25 or not)

How an open proxy that will not connect to port 25 is relevant for an
*email* blacklist is beyond me.

> ...and for what it's worth, I have no problems with anonymous
> networks for idealistic reasons, however they are always abused,
> they will continue to be abused, Tor is being abused, and I should
> be able to allow or deny traffic into my networks as I see fit

> All of my discussions with Tor people have indicated [they] do not
> think I should have the right to deny traffic based on IP address,
> and that I should find other methods of authenticating traffic into
> my networks.

Isn't it rather that they think that filtering on the basis of IP
address is broken in today's Internet, even if tor didn't exist? Open
proxies, trojans, multi-user computers, dynamic IPs, ... all this
means that substituting IP address for people is very, very
imprecise.

-- 
Lionel


Re: Tor and network security/administration

2006-06-22 Thread Matthew Sullivan


Lionel Elie Mamane wrote:
> On Thu, Jun 22, 2006 at 11:58:34AM +1000, Matthew Sullivan wrote:
>> Jeremy Chadwick wrote:
>>> On Wed, Jun 21, 2006 at 05:02:47PM -0400, Todd Vierling wrote:
>>>> If the point of the technology is to add a degree of anonymity,
>>>> you can be pretty sure that a marker expressly designed to state
>>>> the message "Hi, I'm anonymous!" will never be a standard feature
>>>> of said technology.  That's a pretty obvious non-starter.
>>>
>>> Which begs the original question of this thread which I started:
>>> with that said, how exactly does one filter this technology?
>>
>> Of course SORBS' position is actually this - if you are allowing
>> Trojan traffic over the Tor network you will get listed (regardless
>> of whether the Trojans can talk to port 25 or not)
>
> How an open proxy that will not connect to port 25 is relevant for an
> *email* blacklist is beyond me.

Perhaps because SORBS is not just an email blacklist?  Perhaps because
it is also used for webmail and other things...

>> ...and for what it's worth, I have no problems with anonymous
>> networks for idealistic reasons, however they are always abused,
>> they will continue to be abused, Tor is being abused, and I should
>> be able to allow or deny traffic into my networks as I see fit
>>
>> All of my discussions with Tor people have indicated [they] do not
>> think I should have the right to deny traffic based on IP address,
>> and that I should find other methods of authenticating traffic into
>> my networks.
>
> Isn't it rather that they think that filtering on the basis of IP
> address is broken in today's Internet, even if tor didn't exist? Open
> proxies, trojans, multi-user computers, dynamic IPs, ... all this
> means that substituting IP address for people is very, very
> imprecise.

and that is your opinion, which you are entitled to, others feel
filtering by IP address is still valid and needed which is why they do
it...  Surely they are entitled to their opinions?


Regards,

Mat


Re: Tor and network security/administration

2006-06-22 Thread Lionel Elie Mamane

On Thu, Jun 22, 2006 at 05:37:25PM +1000, Matthew Sullivan wrote:
> Lionel Elie Mamane wrote:

>> How an open proxy that will not connect to port 25 is relevant for
>> an *email* blacklist is beyond me.

> Perhaps because SORBS is not just an email blacklist?

My bad. I must have misunderstood its tagline.

> Perhaps because it is also used for webmail and other things...

Someone running a webmail that doesn't ask for authentication before
accepting mail is asking for trouble. You know it, and I'm fairly sure
you would list him.

If the user has authenticated himself on the webmail, why care whether
the TCP connection came from an open TCP or HTTP proxy? The user has
identified himself, so you know who it is.

>>> All of my discussions with Tor people have indicated [they] do not
>>> think I should have the right to deny traffic based on IP address,
>>> and that I should find other methods of authenticating traffic
>>> into my networks.

>> Isn't it rather that they think that filtering on the basis of IP
>> address is broken in today's Internet, even if tor didn't exist?
>> Open proxies, trojans, multi-user computers, dynamic IPs, ... all
>> this means that substituting IP address for people is very, very
>> imprecise.

> and that is your opinion,

Actually, no. It is what I understand the tor people's opinion to be
from their public statements. As for my opinion, I think IP-based is
the best you've got when you are dealing with the world at large and
not just with a finite, known group of users. As with an MX. As with a
webshop. But IP-based authentication should be avoided if you can, and
does get over-used in contexts where it is worse than other
solutions. A prime example is the scientific journals publishers
blindly trusting the whole IP space of universities. We do give shell
accounts on some of our machines to externals: Other scientists from
abroad, high school students that can make good use of surplus
computing resources for a project, ...

-- 
Lionel


af.mil contact

2006-06-22 Thread Geo.

If anyone has a contact for the dns folks over at af.mil could you please
inform them that their authoritative DNS servers have no A records so their
zone is failing to resolve for many people who have enabled anti-dnscache
poisoning features.

George Roettger
Netlink Services



Re: af.mil contact

2006-06-22 Thread Jerry Dixon

We're notifying them via JTF-GNO (DOD-CERT).

As it relates to .mil's you can get to their site here:  http://www.jtfgno.mil/

On government or .gov's you can reach us at www.us-cert.gov


Jerry
-Original Message-
From: Geo. [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 22, 2006 08:42 AM
To: 'nanog list'
Subject: af.mil contact


If anyone has a contact for the dns folks over at af.mil could you please
inform them that their authoritative DNS servers have no A records so their
zone is failing to resolve for many people who have enabled anti-dnscache
poisoning features.

George Roettger
Netlink Services






multimode LC-LC fiber jumpers

2006-06-22 Thread Justin M. Streiner


If you know where I could lay my hands on a few (5 at most) 5 meter 
multimode duplex LC-LC jumpers in the Pittsburgh, PA area, please shoot me 
a note off-list.


Thanks
jms


RE: Comcast.net, Usa.net, Verizon

2006-06-22 Thread Dennis Dayman

Sending your email to all three

-Dennis
 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Elijah Savage [EMAIL PROTECTED]
> Sent: Wednesday, June 21, 2006 12:50 PM
> To: [EMAIL PROTECTED]
> Subject: Comcast.net, Usa.net, Verizon
> 
> Is there anyone on the list from these organizations that 
> could possibly put me in contact with the postmasters please?
> 
> Thank you




RE: Comcast.net, Usa.net, Verizon

2006-06-22 Thread Blaxthos

hey guys,

any luck?  i actually need to find someone at comcast with clue as well.
any help you could provide would be most appreciated.

/blax


On Thu, 22 Jun 2006, Dennis Dayman wrote:

> Date: Thu, 22 Jun 2006 09:39:20 -0500
> From: Dennis Dayman <[EMAIL PROTECTED]>
> To: 'Elijah Savage' <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> Subject: RE: Comcast.net, Usa.net, Verizon
>
>
> Sending your email to all three
>
> -Dennis
>
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> > Behalf Of Elijah Savage [EMAIL PROTECTED]
> > Sent: Wednesday, June 21, 2006 12:50 PM
> > To: [EMAIL PROTECTED]
> > Subject: Comcast.net, Usa.net, Verizon
> >
> > Is there anyone on the list from these organizations that
> > could possibly put me in contact with the postmasters please?
> >
> > Thank you
>
>


Re: Tor and network security/administration

2006-06-22 Thread Todd Vierling


On 6/22/06, Lionel Elie Mamane <[EMAIL PROTECTED]> wrote:
>> All of my discussions with Tor people have indicated [they] do not
>> think I should have the right to deny traffic based on IP address,
>> and that I should find other methods of authenticating traffic into
>> my networks.
>
> Isn't it rather that they think that filtering on the basis of IP
> address is broken in today's Internet, even if tor didn't exist?

This has been part of my point throughout this thread, in that:

> substituting IP address for people is very, very imprecise.


Tor just happens to point this out very vividly, and makes the
formerly small distinction between social and technological problems a
bit more noticeable.

Anti-spam folk face a lot of the same issues.  Ideally, there should
be zero need for content-based mail filtering, because that doesn't
reflect the intent of blocking spam (which is *really* based on
"solicited" status).  However, the *social* issues of today's spam
abuse often make content-based filtering a necessary evil.

--
-- Todd Vierling <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>


Re: key change for TCP-MD5

2006-06-22 Thread Steven M. Bellovin

On Thu, 22 Jun 2006 13:18:35 -0400, Ron Bonica <[EMAIL PROTECTED]> wrote:

> Steve,
> 
> In Section 1 of your draft, you say:
> 
>"The proper solution involves some sort of key management protocol.
>Apart from the complexity of such things, RFC 2385 was not written
>with key changes in mind.  In particular, there is no KeyID field in
>the option, which means that even a key management protocol would run
>into the same problem.
> 
>Fortunately, a heuristic permits key change despite this protocol
>deficiency."
> 
> Why not correct the protocol deficiency by introducing a new option that
> includes a KeyID? Wouldn't that approach provide a more comprehensive
> solution to the problem?
> 

That's a much better long-term strategy, though the exact mechanism still
has to be defined.  But it's literally years before that will be usable,
especially because both ends of a connection need to be upgraded before it
delivers any benefits.  That is especially problematic for the interISP
case.

We both agree that key change is (a) necessary, and (b) very difficult
with 2385.  The longer-term issue is where "there" is, and that's what
your draft addresses; my draft is about how to get from "here" to "there".

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb


Re: key change for TCP-MD5

2006-06-22 Thread Iljitsch van Beijnum


On 22-jun-2006, at 23:17, Steven M. Bellovin wrote:

>> Why not correct the protocol deficiency by introducing a new option that
>> includes a KeyID? Wouldn't that approach provide a more comprehensive
>> solution to the problem?
>
> That's a much better long-term strategy, though the exact mechanism still
> has to be defined.  But it's literally years before that will be usable,
> especially because both ends of a connection need to be upgraded before it
> delivers any benefits.

If you want benefits when only one end is upgraded, your mechanism
for concurrent keys could be used like this:

- the upgraded side installs the new key
- the upgraded side keeps using the old key
- the non-upgraded side installs the new key
- the upgraded side detects that the other side uses the new key and
switches over itself
- the old key is removed from the upgraded side

This way, it all goes down when the non-upgraded side installs the
key: they can immediately see the problem if there is some kind of
issue with the key (for instance someone entered it incorrectly).

It still makes sense to add stuff that allows both ends to manage the
key rollover when they're both upgraded, since in that case something
like the above won't work. I think something like this would work well:

- announce key rollover capability at session connect
- when a new key is configured, send a hash of it to the other side
- other side doesn't have the key yet so says "reject"
- other side is also configured with the new key, sends a hash
- first side sees hashes match, starts sending with the new key and
says "accept"

Bonus points: when no key is configured, one of the routers generates
one at session start and sends it over in the clear. This protects
equally well against session reset attacks as a preconfigured key,
but obviously it can be sniffed by someone with access to the
infrastructure.

> We both agree that key change is (a) necessary, and (b) very difficult
> with 2385.

How often do you think keys should change? I've never had anyone ask
to change keys for about 50 session-years.

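The one-sided rollover described in the post above, as an added example that is not part of the original message or of any router vendor's code: a small Python model of two peers in which the upgraded side accepts segments under either key while still signing with the old one, switches once it sees the peer signing with the new key, and drops the peer's segments outright if the operator mistyped the key on the non-upgraded box, so the problem is visible at step 3 exactly as the post argues. The digest is a simplified stand-in for the RFC 2385 option (it omits the IP pseudo-header); `Peer`, `rollover` and the `BGP KEEPALIVE` payload are constructed for this illustration.

```python
import hashlib
import hmac

def tcp_md5_digest(segment: bytes, key: bytes) -> bytes:
    # Simplified stand-in for the RFC 2385 option value: MD5 over segment
    # and key. The real digest also covers the IP pseudo-header.
    return hashlib.md5(segment + key).digest()

class Peer:
    """One end of a TCP-MD5 protected session, e.g. a BGP speaker."""
    def __init__(self, name: str, key: bytes):
        self.name = name
        self.send_key = key        # key that signs outgoing segments
        self.accept_keys = [key]   # keys tried against incoming segments

    def install_key(self, new_key: bytes, upgraded: bool) -> None:
        # Upgraded code keeps the old key alongside the new one (steps 1-2);
        # a non-upgraded peer can only replace its single key (step 3).
        if upgraded:
            self.accept_keys.append(new_key)
        else:
            self.send_key, self.accept_keys = new_key, [new_key]

    def sign(self, payload: bytes) -> tuple:
        return payload, tcp_md5_digest(payload, self.send_key)

    def receive(self, payload: bytes, digest: bytes):
        """Return the accepted key that verifies the segment, else None (drop)."""
        for k in self.accept_keys:
            if hmac.compare_digest(tcp_md5_digest(payload, k), digest):
                return k
        return None

    def note_peer_key(self, key: bytes) -> None:
        # Step 4: the peer is seen signing with the new key, so switch over;
        # step 5: the old key can then be retired.
        if key != self.send_key:
            self.send_key, self.accept_keys = key, [key]

def rollover(old: bytes, new: bytes, typed_on_legacy: bytes):
    """Run the one-sided rollover; typed_on_legacy is what the operator entered."""
    upgraded, legacy = Peer("upgraded", old), Peer("legacy", old)
    upgraded.install_key(new, upgraded=True)
    legacy.install_key(typed_on_legacy, upgraded=False)
    payload, digest = legacy.sign(b"BGP KEEPALIVE")   # constructed segment
    seen = upgraded.receive(payload, digest)
    if seen is not None:
        upgraded.note_peer_key(seen)
    return seen is not None, upgraded.send_key, list(upgraded.accept_keys)
```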

RE: key change for TCP-MD5

2006-06-22 Thread David Schwartz


> How often do you think keys should change?

Arguably, any time someone who had access to the key is no longer supposed
to have such access.

> I've never had anyone ask
> to change keys for about 50 session-years.

I guess the question is whether that's because they really
never needed to, really didn't think about it, or really didn't want to suffer
the hassle and so just accepted the risk.

DS




Who wants to be in charge of the Internet today?

2006-06-22 Thread Sean Donelan


http://online.wsj.com/article/SB115102893799688389.html

In Event of Big Web Disruption, U.S. Is Ill-Prepared, Study Says
By VAUHINI VARA
June 23, 2006; Page B2

The U.S. is poorly prepared for a major disruption of the Internet,
according to a study that an influential group of chief executives will
publish today.

The Business Roundtable, composed of the CEOs of 160 large U.S. companies,
said neither the government nor the private sector has a coordinated plan
to respond to an attack, natural disaster or other disruption of the
Internet. While individual government agencies and companies have their
own emergency plans in place, little coordination exists between the
groups, according to the study.

"It's a matter of more clearly defining who has responsibility," said
Edward Rust Jr., CEO of State Farm Mutual Automobile Insurance Co., who
leads the Roundtable's Internet-security effort.

[...]


Re: Who wants to be in charge of the Internet today?

2006-06-22 Thread Patrick W. Gilmore


On Jun 23, 2006, at 12:45 AM, Sean Donelan wrote:

> The U.S. is poorly prepared for a major disruption of the Internet,
> according to a study that an influential group of chief executives will
> publish today.
>
> The Business Roundtable, composed of the CEOs of 160 large U.S. companies,
> said neither the government nor the private sector has a coordinated plan
> to respond to an attack, natural disaster or other disruption of the
> Internet. While individual government agencies and companies have their
> own emergency plans in place, little coordination exists between the
> groups, according to the study.
>
> "It's a matter of more clearly defining who has responsibility," said
> Edward Rust Jr., CEO of State Farm Mutual Automobile Insurance Co., who
> leads the Roundtable's Internet-security effort.


Isn't the point of the Internet that no one is in charge?

I shudder to think what would happen under large scale attack if one  
of the CEOs in that room had "responsibility" for the correct  
functioning of the "Internet".


This definitely falls into the "Just Doesn't Get It" category.

--
TTFN,
patrick