BGP Update Report
Interval: 23-Jun-06 -to- 06-Jul-06 (14 days)
Observation Point: BGP Peering with AS4637

TOP 20 Unstable Origin AS
Rank ASN       Upds     %  Upds/Pfx    AS-Name
 1 - AS9476   18088  1.6%    14.4 -- INTRAPOWER-AS-AP Intrapower
 2 - AS17974  16546  1.5%    39.0 -- TELKOMNET-AS2-AP PT TELEKOMUNIKASI INDONESIA
 3 - AS17557  11650  1.0%    29.0 -- PKTELECOM-AS-AP Pakistan Telecom
 4 - AS8151   11401  1.0%     5.4 -- Uninet S.A. de C.V.
 5 - AS4323   11169  1.0%     8.4 -- TWTC - Time Warner Telecom, Inc.
 6 - AS17451  10456  0.9%   209.1 -- BIZNET-AS-AP BIZNET ISP
 7 - AS4755   10292  0.9%    22.3 -- VSNL-AS Videsh Sanchar Nigam Ltd. Autonomous System
 8 - AS5803   10228  0.9%   112.4 -- DDN-ASNBLK - DoD Network Information Center
 9 - AS33783   9885  0.9%    94.1 -- EEPAD
10 - AS3475    8989  0.8%   691.5 -- LANT-AFLOAT - NCTAMS LANT DET HAMPTON ROADS
11 - AS702     8555  0.8%    11.5 -- AS702 MCI EMEA - Commercial IP service provider in Europe
12 - AS25543   8244  0.7%   242.5 -- FASONET-AS ONATEL/FasoNet's Autonomous System
13 - AS11492   7802  0.7%    12.9 -- CABLEONE - CABLE ONE
14 - AS11139   7139  0.6%    29.7 -- CWRIN CW BARBADOS
15 - AS4621    6779  0.6%    50.6 -- UNSPECIFIED UNINET-TH
16 - AS7633    6613  0.6%    44.7 -- SOFTNET-AS-AP Software Technology Parks of India
17 - AS5387    6566  0.6%   437.7 -- Akademgorodok Internet Project
18 - AS23918   6542  0.6%    49.9 -- CBB-BGP-IBARAKI Connexion By Boeing Ibaraki AS
19 - AS12654   6351  0.6%   167.1 -- RIPE-NCC-RIS-AS RIPE NCC RIS Project.
20 - AS9899    5907  0.5%   140.6 -- ICARE-AP iCare.com Ltd.

TOP 20 Unstable Origin AS (Updates per announced prefix)
Rank ASN       Upds     %  Upds/Pfx    AS-Name
 1 - AS21027   4284  0.4%  4284.0 -- ASN-PARADORES PARADORES Autonomous System
 2 - AS3043    3244  0.3%  3244.0 -- AMPHIB-AS - Amphibian Media Corporation
 3 - AS4678    2643  0.2%  2643.0 -- FINE CANON NETWORK COMMUNICATIONS INC.
 4 - AS35379   2896  0.3%  1448.0 -- EASYNET EASYNET s.c.
 5 - AS19982   3767  0.3%  1255.7 -- TOWERSTREAM-PROV - Towerstream
 6 - AS26015   2194  0.2%  1097.0 -- THINKORSWIM - Thinkorswim inc
 7 - AS12506    987  0.1%   987.0 -- JTCGN Jamestown US-Immobilien GmbH
 8 - AS12408    981  0.1%   981.0 -- BIKENT-AS Bikent Ltd. Autonomous system
 9 - AS34378    941  0.1%   941.0 -- RUG-AS Razguliay-UKRROS Group
10 - AS14410   4099  0.4%   819.8 -- DALTON - MCM, Inc., DBA: [EMAIL PROTECTED]
11 - AS23986    809  0.1%   809.0 -- MR-AS-AP-HK Mediaring HK
12 - AS34441    801  0.1%   801.0 -- SIBNK-AS Novokuibyshevsk branch of Siberian Internet Company
13 - AS14169   3110  0.3%   777.5 -- MEAD - MEAD CORPORATION
14 - AS36413   1421  0.1%   710.5 -- ASN-COF-IT - Council on Foundations
15 - AS36565    705  0.1%   705.0 -- COUNTY-OF-MONTGOMERY-PA - County of Montgomery
16 - AS3475    8989  0.8%   691.5 -- LANT-AFLOAT - NCTAMS LANT DET HAMPTON ROADS
17 - AS7544    1352  0.1%   676.0 -- NASIONET-AS-AP NasionCom Sdn. Bhd.
18 - AS14361   1990  0.2%   663.3 -- HOPONE-DCA - HopOne Internet Corporation
19 - AS19529   1215  0.1%   607.5 -- RAZOR-PHL - Razor Inc.
20 - AS2609    5636  0.5%   563.6 -- TN-BB-AS Tunisia BackBone AS

TOP 20 Unstable Prefixes
Rank Prefix              Upds     %  Origin AS -- AS Name
 1 - 61.4.0.0/19         5734  0.4%  AS9899  -- ICARE-AP iCare.com Ltd.
 2 - 203.112.154.0/24    5136  0.4%  AS17783 -- SRILRPG-AS SRIL RPG Autonomous System
                                     AS9476  -- INTRAPOWER-AS-AP Intrapower
 3 - 62.81.240.0/24      4284  0.3%  AS21027 -- ASN-PARADORES PARADORES Autonomous System
 4 - 152.74.0.0/16       4135  0.3%  AS11340 -- Red Universitaria Nacional
 5 - 209.140.24.0/24     3244  0.2%  AS3043  -- AMPHIB-AS - Amphibian Media Corporation
 6 - 61.0.0.0/8          3205  0.2%  AS4678  -- FINE CANON NETWORK COMMUNICATIONS INC.
                                     AS9476  -- INTRAPOWER-AS-AP Intrapower
 7 - 159.124.160.0/19    2879  0.2%  AS14169 -- MEAD - MEAD CORPORATION
 8 - 202.169.38.0/24     2839  0.2%  AS17451 -- BIZNET-AS-AP BIZNET ISP
                                     AS9476  -- INTRAPOWER-AS-AP Intrapower
 9 - 198.92.192.0/21     2480  0.2%  AS16559 -- REALCONNECT-01 - RealConnect, Inc
10 - 65.175.45.0/24      2193  0.2%  AS26015 -- THINKORSWIM - Thinkorswim inc
11 - 209.160.56.0/22     1988  0.1%  AS14361 -- HOPONE-DCA - HopOne Internet Corporation
12 - 206.251.163.0/24    1974  0.1%  AS4314  -- I-55-INTERNET-SERVICES-INC - I-55 INTERNET SERVICES
13 - 64.17.232.0/21      1881  0.1%  AS19982
The Cidr Report
This report has been generated at Fri Jul 7 21:47:42 2006 AEST.
The report analyses the BGP Routing Table of an AS4637 (Reach) router and generates a report on aggregation potential within the table.

Check http://www.cidr-report.org/as4637 for a current version of this report.

Recent Table History
Date      Prefixes  CIDR Agg
30-06-06  188207    123669
01-07-06  188810    123615
02-07-06  188725    123709
03-07-06  14        123740
04-07-06  188856    123858
05-07-06  189081    123809
06-07-06  189295    123756
07-07-06  189292    123704

AS Summary
   22507  Number of ASes in routing system
    9443  Number of ASes announcing only one prefix
    1471  Largest number of prefixes announced by an AS
          AS7018 : ATT-INTERNET4 - ATT WorldNet Services
91702272  Largest address span announced by an AS (/32s)
          AS721 : DISA-ASNBLK - DoD Network Information Center

Aggregation Summary
The algorithm used in this report proposes aggregation only when there is a precise match using the AS path, so as to preserve traffic transit policies. Aggregation is also proposed across non-advertised address space ('holes').

--- 07Jul06 ---
ASnum    NetsNow NetsAggr NetGain  % Gain  Description
Table     189203   123842   65361   34.5%  All ASes
AS4323      1327      275    1052   79.3%  TWTC - Time Warner Telecom, Inc.
AS4134      1215      275     940   77.4%  CHINANET-BACKBONE No.31,Jin-rong Street
AS18566      945      158     787   83.3%  COVAD - Covad Communications Co.
AS4755       944      222     722   76.5%  VSNL-AS Videsh Sanchar Nigam Ltd. Autonomous System
AS721       1026      316     710   69.2%  DISA-ASNBLK - DoD Network Information Center
AS22773      671       47     624   93.0%  CCINET-2 - Cox Communications Inc.
AS9498       712      177     535   75.1%  BBIL-AP BHARTI BT INTERNET LTD.
AS6197      1017      486     531   52.2%  BATI-ATL - BellSouth Network Solutions, Inc
AS7018      1471      944     527   35.8%  ATT-INTERNET4 - ATT WorldNet Services
AS855        573       74     499   87.1%  CANET-ASN-4 - Aliant Telecom
AS19916      563       65     498   88.5%  ASTRUM-0001 - OLM LLC
AS19262      678      191     487   71.8%  VZGNI-TRANSIT - Verizon Internet Services Inc.
AS17488      519       56     463   89.2%  HATHWAY-NET-AP Hathway IP Over Cable Internet
AS3602       525      104     421   80.2%  AS3602-RTI - Rogers Telecom Inc.
AS18101      422       28     394   93.4%  RIL-IDC Reliance Infocom Ltd Internet Data Centre,
AS11492      654      264     390   59.6%  CABLEONE - CABLE ONE
AS17676      490      110     380   77.6%  JPNIC-JP-ASN-BLOCK Japan Network Information Center
AS6198       600      243     357   59.5%  BATI-MIA - BellSouth Network Solutions, Inc
AS15270      435       81     354   81.4%  AS-PAETEC-NET - PaeTec.net -a division of PaeTecCommunications, Inc.
AS4766       656      306     350   53.4%  KIXS-AS-KR Korea Telecom
AS22047      432       85     347   80.3%  VTR BANDA ANCHA S.A.
AS812        370       30     340   91.9%  ROGERS-CABLE - Rogers Cable Inc.
AS6467       388       49     339   87.4%  ESPIRECOMM - Xspedius Communications Co.
AS16852      357       51     306   85.7%  FOCAL-CHICAGO - Focal Data Communications of Illinois
AS16814      329       29     300   91.2%  NSS S.A.
AS3352       304       33     271   89.1%  TELEFONICA-DATA-ESPANA Internet Access Network of TDE
AS6167       362       91     271   74.9%  CELLCO-PART - Cellco Partnership
AS14654      281       15     266   94.7%  WAYPORT - Wayport
AS19115      349       86     263   75.4%  CHARTER-LEBANON - Charter Communications
AS9583       908
Re: Best practices inquiry: tracking SSH host keys
--On Thursday, July 06, 2006 18:22:48 -0700 Jeremy Chadwick [EMAIL PROTECTED] wrote:

> Speaking purely from a system administration point of view, Kerberos is
> also a nightmare. Not only does the single-point-of-failure induce red
> flags in most SAs I know (myself included),

If a deployed kerberos environment has a single point of failure then it's been deployed poorly. Kerberos has replication mechanisms to provide redundancy. The only thing you can't replicate in K5 is the actual master, meaning that if the master is down you can't change passwords, create users, etc. While that's a single point of failure it's not typically a real-time critical one.

> but having to kerberise every authentication-oriented binary on the
> system that you have is also a total nightmare.

As you pointed out, one trivial rebuttal to that is PAM, another is GSSAPI and SASL. Authentication oriented systems shouldn't be hard coding a single auth method these days, they should be using an abstraction layer GSSAPI or SASL. If they are then the GSSAPI Kerberos auth mechanisms should just work. GSSAPI/SASL enabled versions of many major applications are available (Thunderbird, Mail.app, openssh, putty, oracle calendar). (Sadly Microsoft applications are fairly lacking in this category, which is surprising considering that AD servers use Kerberos heavily under the hood.)

> Kerberos 4 is also completely incompatible with 5.

Not true. With a correctly set up environment K5 tickets can be used to get K4 tickets automatically for those few legacy applications that require K4. But really there are very few K4 only applications left.

> Let's also not bring up the issue of globally-readable Kerberos tickets
> laying around /tmp on machines which use Kerberos, okay? ;-)

Again, that's an indicator of a poorly set up system. Ticket files should be readable only by the user. If they're readable by anyone else except root something isn't set up right. And on OS'es that support it the tickets are often stored in a more protected location, i.e. on OSX the tickets are stored in a memory-based credential cache.

> The bottom line is that SSH is easier, so more people will use it. That
> may not be the best attitude, I'll admit, but that's reality.

I think the bottom line for the original poster was that ssh was the only secure mechanism supported by the devices he was using. For network switches this is common. I think the only answer there is to either make gathering the ssh key from the device part of your build/deployment process, or design your network in a way that reduces the opportunity for man-in-the-middle ssh key exchange attacks and pray.

-David
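The deployment-time key gathering suggested in the message above, sketched as an added example that is not part of the original post: keys recorded when each device was built are compared with the keys the devices present later. The hostnames, the inventory format (known_hosts-style lines, which is also what ssh-keyscan emits) and the sample keys are assumptions constructed for illustration.

```python
import base64
import hashlib
import struct


def blob_type(b64blob):
    """Key type string embedded at the start of an SSH public key blob."""
    raw = base64.b64decode(b64blob, validate=True)
    (n,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + n].decode("ascii")


def fingerprint(b64blob):
    """SHA256 fingerprint as OpenSSH prints it (unpadded base64 digest)."""
    digest = hashlib.sha256(base64.b64decode(b64blob, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keys(text):
    """Parse 'host[,host] keytype base64' lines (known_hosts / ssh-keyscan)."""
    keys = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        hosts, keytype, blob = fields[:3]
        if blob_type(blob) != keytype:
            raise ValueError("declared key type does not match blob: " + hosts)
        for host in hosts.split(","):
            keys[(host, keytype)] = blob
    return keys


def audit(inventory_text, scanned_text):
    """Compare keys presented now with the keys recorded at deployment."""
    inventory, scanned = parse_keys(inventory_text), parse_keys(scanned_text)
    report = []
    for ident, blob in sorted(scanned.items()):
        if ident not in inventory:
            status = "UNKNOWN"   # never recorded: no basis for trusting it
        elif inventory[ident] == blob:
            status = "ok"
        else:
            status = "CHANGED"   # interception, or a re-key nobody recorded
        report.append((ident[0], ident[1], status, fingerprint(blob)))
    for ident in sorted(set(inventory) - set(scanned)):
        report.append((*ident, "NOT-SEEN", fingerprint(inventory[ident])))
    return report


def sample_line(host, seed):
    """Sample data only: a line with a well-formed ssh-ed25519 blob from a seed."""
    name, body = b"ssh-ed25519", hashlib.sha256(seed).digest()
    raw = struct.pack(">I", len(name)) + name + struct.pack(">I", len(body)) + body
    return "%s ssh-ed25519 %s\n" % (host, base64.b64encode(raw).decode())


# Constructed sample data: keys recorded at build time vs. a later scan.
INVENTORY = ("# recorded over the console port during deployment\n"
             + sample_line("sw1.example.net,192.0.2.11", b"sw1")
             + sample_line("sw2.example.net", b"sw2")
             + sample_line("sw3.example.net", b"sw3"))
SCANNED = (sample_line("sw1.example.net,192.0.2.11", b"sw1")
           + sample_line("sw2.example.net", b"not-sw2")
           + sample_line("sw4.example.net", b"sw4"))

if __name__ == "__main__":
    for host, keytype, status, fp in audit(INVENTORY, SCANNED):
        print(f"{status:8} {host:16} {keytype} {fp}")
```

The inventory is only as trustworthy as the path it was collected over, so the recording step belongs where the device is reached out of band, before it carries production traffic.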
MCI - Toronto Routing Issues
Is anyone aware of routing problems within MCI/WC/UUNET?
link shows packets going out, but nothing coming back

-rd-
--
Richard Danielli
Re: Best practices inquiry: tracking SSH host keys
> If a deployed kerberos environment has a single point of failure then
> it's been deployed poorly. Kerberos has replication mechanisms to
> provide redundancy.

This concentrates on the "what if it fails" worst case scenario of a single point of failure. This doesn't answer the "what if it is subverted" worst case scenario of a single point of failure.

(Other posters have noted the requirement to lock down the kerberos server tightly, but seemingly more with a view to keeping the server functioning, rather than keeping its data safe from exposure and corruption. The lock down mechanisms probably do both, but you need to keep both views in mind.)

--Sandy
Re: MCI - Toronto Routing Issues
On Fri, 7 Jul 2006, Richard Danielli wrote:

> Is anyone aware of routing problems within MCI/WC/UUNET?
> link shows packets going out, but nothing coming back

ping off list please, unless someone already asked you to do same... perhaps we're not accepting your routes so we'd not send things back to you?

-Chris
Weekly Routing Table Report
This is an automated weekly mailing describing the state of the Internet Routing Table as seen from APNIC's router in Japan. Daily listings are sent to [EMAIL PROTECTED]

If you have any comments please contact Philip Smith [EMAIL PROTECTED].

Routing Table Report 04:00 +10GMT Sat 08 Jul, 2006

Analysis Summary

BGP routing table entries examined: 191740
Prefixes after maximum aggregation: 105525
Unique aggregates announced to Internet: 93774
Total ASes present in the Internet Routing Table: 22613
Origin-only ASes present in the Internet Routing Table: 19679
Origin ASes announcing only one prefix: 9443
Transit ASes present in the Internet Routing Table: 2934
Transit-only ASes present in the Internet Routing Table: 66
Average AS path length visible in the Internet Routing Table: 3.5
Max AS path length visible: 24
Max AS path prepend of ASN (34527) 16
Prefixes from unregistered ASNs in the Routing Table: 2
Unregistered ASNs in the Routing Table: 2
Special use prefixes present in the Routing Table: 1
Prefixes being announced from unallocated address space: 9
Number of addresses announced to Internet: 1540931304
Equivalent to 91 /8s, 216 /16s and 190 /24s
Percentage of available address space announced: 41.6
Percentage of allocated address space announced: 60.1
Percentage of available address space allocated: 69.1
Total number of prefixes smaller than registry allocations: 94814

APNIC Region Analysis Summary

Prefixes being announced by APNIC Region ASes: 41334
Total APNIC prefixes after maximum aggregation: 16992
Prefixes being announced from the APNIC address blocks: 39038
Unique aggregates announced from the APNIC address blocks: 18380
APNIC Region origin ASes present in the Internet Routing Table: 2619
APNIC Region origin ASes announcing only one prefix: 739
APNIC Region transit ASes present in the Internet Routing Table: 399
Average APNIC Region AS path length visible: 3.5
Max APNIC Region AS path length visible: 18
Number of APNIC addresses announced to Internet: 235934304
Equivalent to 14 /8s, 16 /16s and 18 /24s
Percentage of available APNIC address space announced: 73.8

APNIC AS Blocks        4608-4864, 7467-7722, 9216-10239, 17408-18431
(pre-ERX allocations)  23552-24575, 37888-38911
APNIC Address Blocks   58/7, 60/7, 121/8, 122/7, 124/7, 126/8, 202/7
                       210/7, 218/7, 220/7 and 222/8

ARIN Region Analysis Summary

Prefixes being announced by ARIN Region ASes: 97821
Total ARIN prefixes after maximum aggregation: 58116
Prefixes being announced from the ARIN address blocks: 71625
Unique aggregates announced from the ARIN address blocks: 27058
ARIN Region origin ASes present in the Internet Routing Table: 10823
ARIN Region origin ASes announcing only one prefix: 4089
ARIN Region transit ASes present in the Internet Routing Table: 992
Average ARIN Region AS path length visible: 3.3
Max ARIN Region AS path length visible: 18
Number of ARIN addresses announced to Internet: 295333632
Equivalent to 17 /8s, 154 /16s and 111 /24s
Percentage of available ARIN address space announced: 76.5

ARIN AS Blocks         1-1876, 1902-2042, 2044-2046, 2048-2106
(pre-ERX allocations)  2138-2584, 2615-2772, 2823-2829, 2880-3153
                       3354-4607, 4865-5119, 5632-6655, 6912-7466
                       7723-8191, 10240-12287, 13312-15359, 16384-17407
                       18432-20479, 21504-23551, 25600-26591, 26624-27647,
                       29696-30719, 31744-33791
                       35840-36863, 39936-40959
ARIN Address Blocks    24/8, 63/8, 64/5, 72/6, 76/8, 199/8, 204/6, 208/7 and 216/8

RIPE Region Analysis Summary

Prefixes being announced by RIPE Region ASes: 38397
Total RIPE prefixes after maximum aggregation: 25770
Prefixes being announced from the RIPE address blocks: 35459
Unique aggregates announced from the RIPE address blocks: 23944
RIPE Region origin ASes present in the Internet Routing Table: 8242
RIPE Region origin ASes announcing only one prefix: 4334
RIPE Region transit ASes present in the Internet Routing Table: 1354
Average RIPE Region AS path
Re: MCI - Toronto Routing Issues
Thanks to Christopher for his time in working on this with me Chris, if you are ever in Toronto, I owe you a beer... -rd- Christopher L. Morrow wrote: On Fri, 7 Jul 2006, Richard Danielli wrote: someone here has found out that BCE - who owns the last mile is at fault.. bummer it's nice to see folks get help when they ask... thanks for your time and concern on this.. no problem, it's what they pay me for, sorta :) -rd- Christopher L. Morrow wrote: -- Richard Danielli President - eSubnet 416.203.5253 http://www.eSubnet.com
IP Address allocation/assignment tools
Hi, Would like to know about any off the shelf or freeware software application/tools out there to manage IP address (allocate/assign both for IPv4 and IPv6) in a SP network environment. Pros and Cons are welcome. Thanx -- Arvind.
Copper thefts in california
In addition to the traditional backhoe threat, as the price of copper increased so has the threat of people stealing telephone trunk cables containing copper wire.

http://www.dailybulletin.com/news/ci_4021500

Since Jan. 1, there have been 148 reports of copper wire theft in San Bernardino County, said sheriff's spokeswoman Jodi Miller.
[...]
Per pound, the metal has risen in price from about 70 cents in July 2001 to $3.60 this month, according to Kitco Inc., an international retailer of precious metals.
[...]
Anyone with information on the Verizon theft may call the Verizon Security Control Center, 1-800-997-3287. For the ATT thefts, people may call security at (213) 633-2558 or (213) 633-2405. People with information on copper thefts may also contact their local law enforcement agencies.
Re: Copper thefts in california
> In addition to the traditional backhoe threat, as the price of copper
> increased so has the threat of people stealing telephone trunk cables
> containing copper wire.

Indeed. Here's a story from five years back:

[http://www.berkeley.edu/news/berkeleyan/2001/03/02_fiber.html]

Fiber optic cut disrupts network access for hill facilities
Vandals severed wires in effort to take copper cabling in underground conduit

By Cathy Cockrell, Public Affairs
02 March 2001

An underground fiber optic cable connecting the campus with facilities in the Berkeley hills was severed during the early morning hours of Tuesday, Feb. 27. The incident disrupted network connections for hundreds of employees at Lawrence Berkeley National Laboratory, Lawrence Hall of Science, the Samuel L. Silver Space Sciences Laboratory and other Strawberry Canyon operations.

Campus officials believe the cut was the work of thieves, who forced open a manhole cover on the hillside above Memorial Stadium to remove high-voltage copper cabling from an underground conduit.

The fiber cable apparently was in the way; they just chopped it out, said Berkeley lab Manager of Communications Facilities Ed Ritenour, who spent much of the next few days running up and down the hillside in a lot of mud to oversee repairs.

...
Re: Copper thefts in california
> In addition to the traditional backhoe threat, as the price of copper
> increased so has the threat of people stealing telephone trunk cables
> containing copper wire.

Someone fried themselves a couple of months ago in a Vancouver suburb, trying to steal a chunk of (live) power cable.

http://www.canada.com/globaltv/bc/news/story.html?id=23300fcd-ae18-48dc-bef1-43935f702213k=99395

--lyndon
Re: Copper thefts in california
On Fri, 7 Jul 2006, Sean Donelan wrote:

> In addition to the traditional backhoe threat, as the price of copper
> increased so has the threat of people stealing telephone trunk cables
> containing copper wire.

Yup. One of the most recent San Bernardino County thefts was right here in the Victor Valley... about 25 minutes west of my house IIRC.

> Since Jan. 1, there have been 148 reports of copper wire theft in San
> Bernardino County, said sheriff's spokeswoman Jodi Miller.

Given the sheer size of San Bernardino County (it's the largest county in the US - about 2 1/2 hours from eastern border to western border, and at least that far from north to south) - as well as the fact that much of the county consists of uninhabited desert areas - I'm surprised it doesn't happen more often here.

--
Steve Sobol, Professional Geek ** Java/VB/VC/PHP/Perl ** Linux/*BSD/Windows
Apple Valley, California PGP:0xE3AE35ED
It's all fun and games until someone starts a bonfire in the living room.
Fridays are always good for shock headlines...
Nothing new here, but just an FYI -- I figured some of you might want to be aware new pressures being exerted in the CALEA arena.

Via C|Net.

[snip]

The FBI has drafted sweeping legislation that would require Internet service providers to create wiretapping hubs for police surveillance and force makers of networking gear to build in backdoors for eavesdropping, CNET News.com has learned.

[snip]

More:
http://news.com.com/2100-1028_3-6091942.html

- ferg

p.s. When did the FBI start drafting legislation? ;-)

--
Fergie, a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/
Re: Fridays are always good for shock headlines...
On Sat, 8 Jul 2006, Fergie wrote:

> Nothing new here, but just an FYI -- I figured some of you might want
> to be aware new pressures being exerted in the CALEA arena.
>
> Via C|Net.
>
> [snip]
>
> The FBI has drafted sweeping legislation that would require Internet
> service providers to create wiretapping hubs for police surveillance
> and force makers of networking gear to build in backdoors for
> eavesdropping, CNET News.com has learned.
>
> [snip]
>
> More:
> http://news.com.com/2100-1028_3-6091942.html

It be far from me to suggest this isn't done as some kind of usual conspiracy G-Man US thing, but as already discussed, these facilities make sense to ISP's, and in my opinion, also to law enforcement:

Whether it is to avoid the inconvenience or potential damages to the ISP, to make actionable intelligence viable quickly or to abuse the legality of wiretaps, these make sense.

Potential abuse means a lot of things, and it certainly dictates prudence and vigilance by citizens and the Gov. That said, I think this may really be a win-win for both the LEO's and the ISP's.

Then again, if an ISP is approached once every 20 years, I hope the FBI will be covering the costs. Someone always says they do?

Gadi.

> - ferg
>
> p.s. When did the FBI start drafting legislation? ;-)
>
> --
> Fergie, a.k.a. Paul Ferguson
> Engineering Architecture for the Internet
> fergdawg(at)netzero.net
> ferg's tech blog: http://fergdawg.blogspot.com/
Re: Fridays are always good for shock headlines...
Well, the thing that really got my attention was ...forcing equipment manufacturers.. -- which is somewhat of a broad brush-stroke.

Having said that, this has been discussed ad nauseam, has had the FCC rule on it, etc., and has -- at first blush -- seen U.S. courts support it.

But the Internet is _not_ the U.S., and contrary to LEA and U.S. agency opinion, does not require everyone on the planet to comply.

This presents a bunch of problems -- and submitting to arbitrary logic along the lines of (paraphrased) Well, what's the problem? doesn't even come close to illustrating that the problem is understood.

That's the only point I was trying (and probably unsuccessfully) to make. :-)

And this: We work in a world where we're trying to keep bits flowing between various points in the Internet, and compliance to a basic set of accepted standards seems to be an environment which is becoming more and more clouded by foo -- where foo is your various garden variety scare tactic of the day.

What a mess.

- ferg

-- Gadi Evron [EMAIL PROTECTED] wrote:

> [snip]
>
> The FBI has drafted sweeping legislation that would require Internet
> service providers to create wiretapping hubs for police surveillance
> and force makers of networking gear to build in backdoors for
> eavesdropping, CNET News.com has learned.
>
> [snip]
>
> Potential abuse means a lot of things, and it certainly dictates
> prudence and vigilance by citizens and the Gov. That said, I think
> this may really be a win-win for both the LEO's and the ISP's.
>
> Then again, if an ISP is approached once every 20 years, I hope the
> FBI will be covering the costs. Someone always says they do?
>
> Gadi.

[snip]

--
Fergie, a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/